Show Table of Contents
18.2. Setting up the CA on the New Host
After you have exported the data from the existing Directory Server and Certificate System instances in Section 18.1, “Exporting Data from the Previous System”, set up the certificate authority (CA) on the new host:
- Set up Directory Server. See Section 6.4, “Installing Red Hat Directory Server”.
- Enable the Certificate System repository. See Section 6.5, “Enabling the Certificate System Repository”.
- Install the pki-ca package:
# yum install pki-ca
If you require additional features, such as the Certificate System console, install the corresponding packages. For details, see Section 7.2, “Certificate System Packages”. - When setting up the CA on a host that uses an IPv6 address, apply the steps described in Section 11.3, “Enabling IPv6 for a Subsystem”.
- Depending on your environment, this step differs.
- When using a hardware security module (HSM):Create a deployment configuration file, for example
/root/pki-CA-deployment.txt, with the following content:[DEFAULT] pki_instance_name=instance_name pki_admin_password=caadmin_password pki_client_pkcs12_password=pkcs12_file_password pki_ds_password=DS_password pki_hsm_enable=True pki_hsm_libfile=path_to_HSM_library pki_hsm_modulename=HSM_module_name pki_token_name=HSM_token_name pki_token_password=HSM_token_password pki_ds_ldap_port=389 pki_existing=True [CA] pki_ca_signing_csr_path=/tmp/cs_bak/ca_signing.csr pki_ca_signing_cert_path=/tmp/cs_bak/ca_signing.crt pki_ca_signing_nickname=caSigningCert ca-pki-ca pki_ca_signing_token=HSM_token_name pki_ds_base_dn=o=pki-tomcat-CA pki_ds_database=instance_name-CA pki_serial_number_range_start=4e pki_request_number_range_start=30 pki_master_crl_enable=False pki_cert_chain_path=/tmp/cs_bak/rootca_signing.crt pki_cert_chain_nickname=caSigningCert cert-top-rootca pki_ca_signing_record_create=False pki_ca_signing_serial_number=decimal_CA_signing_certificate_serial
For descriptions of the parameters used in the previous example, see Table 18.1, “pkispawn Parameter Descriptions” at the end of this step. - When not using a hardware security module (HSM):
- Verify that the PKCS #12 file contains the CA signing certificate and key. For example:
# pki pkcs12-cert-find --pkcs12-file /tmp/cs_bak/ca.p12 \ --pkcs12-password-file /tmp/cs_bak/pkcs12_password.txt --------------- 1 entries found --------------- Certificate ID: 308b4c7d4b5efc4052aec26e49a2c5e2e14c9e90 Serial Number: 0x1 Nickname: caSigningCert ca-pki-ca Subject DN: CN=CA Signing Certificate,O=EXAMPLE Issuer DN: CN=CA Signing Certificate,O=EXAMPLE Trust Flags: CTu,Cu,Cu Has Key: true # pki pkcs12-key-find --pkcs12-file /tmp/cs_bak/ca.p12 \ --pkcs12-password-file /tmp/cs_bak/pkcs12_password.txt --------------- 1 entries found --------------- Key ID: 308b4c7d4b5efc4052aec26e49a2c5e2e14c9e90 Subject DN: CN=CA Signing Certificate,O=EXAMPLE Algorithm: RSANote that the file can additionally contain other certificates and keys. - Verify the trust flags of the CA signing certificate in the output of the previous step. Reset the flags if they are not set to
CTu,Cu,Cuor if they are missing:# pki pkcs12-cert-mod caSigningCert cert-pki-tomcat CA \ --pkcs12-file /tmp/cs_bak/ca.p12 \ --pkcs12-password-file /tmp/cs_bak/pkcs12_password.txt \ --trust-flags "CTu,Cu,Cu" - Remove all other certificates and keys, except the CA signing certificate and key, from the PKCS #12 file. For example:
# pki pkcs12-cert-del Server-Cert root_CA_nickname \ --pkcs12-file /tmp/cs_bak/ca.p12 \ --pkcs12-password-file /tmp/cs_bak/pkcs12_password.txt # pki pkcs12-cert-del "subsystemCert ca-pki-ca" \ --pkcs12-file /tmp/cs_bak/ca.p12 \ --pkcs12-password-file /tmp/cs_bak/pkcs12_password.txt # pki pkcs12-cert-del "ocspSigningCert ca-pki-ca" \ --pkcs12-file /tmp/cs_bak/ca.p12 \ --pkcs12-password-file /tmp/cs_bak/pkcs12_password.txt # pki pkcs12-cert-del "auditSigningCert ca-pki-ca" \ --pkcs12-file /tmp/cs_bak/ca.p12 \ --pkcs12-password-file /tmp/cs_bak/pkcs12_password.txt - If the CA being migrated is an intermediate CA, remove the root CA certificate from the PKCS #12 file. For example:
# pki pkcs12-cert-del ca-pki-ca \ --pkcs12-file /tmp/cs_bak/ca.p12 \ --pkcs12-password-file /tmp/cs_bak/pkcs12_password.txt - Create a deployment configuration file, for example
/root/pki-CA-deployment.txt, with the following content:[DEFAULT] pki_instance_name=instance_name pki_admin_password=caadmin_password pki_client_pkcs12_password=pkcs12_file_password pki_ds_password=DS_password pki_ds_ldap_port=389 pki_existing=True [CA] pki_ca_signing_nickname=caSigningCert ca-pki-ca pki_ca_signing_csr_path=/tmp/cs_bak/ca_signing.csr pki_pkcs12_path=/tmp/cs_bak//cs_bak/ca.p12 pki_pkcs12_password=pkcs12_file_password pki_ds_base_dn=o=pki-tomcat-CA pki_ds_database=pki-tomcat-CA pki_serial_number_range_start=43 pki_request_number_range_start=30 pki_master_crl_enable=False pki_cert_chain_path=/tmp/cs_bak/rootca_signing.crt pki_cert_chain_nickname=caSigningCert cert-top-rootca pki_ca_signing_record_create=False pki_ca_signing_serial_number=decimal_CA_signing_certificate_serial
For descriptions of the parameters used in the previous example, see Table 18.1, “pkispawn Parameter Descriptions”.
Table 18.1. pkispawn Parameter Descriptions
Parameters and SettingsDescriptionpki_hsm_*andpki_token_*Enables communication with the HSM. Only set these parameters when setting up a CA with HSM.pki_existing=TrueSets to use the existing CA mechanism.pki_ca_signing_nicknameThe CA signing nickname must be exactly the same as used in the previous installation, otherwise the installer cannot find the signing key.pki_ca_signing_*Sets the paths to the certificate signing request (CSR) and the certificate files copied from the existing machine.pki_pkcs12_*Sets the path to the PKCS #12 file and the password used to decrypt the file. Do not set this parameter when deploying a CA with HSM.pki_ds_base_dnSets the Directory Server base distinguished name (DN). The value must be the same as on the previous CA. You can find this value on the previous host in theinternaldb.basednparameter in the/var/lib/instance_name/conf/CS.cfgfile.pki_serial_number_range_startThe serial number is critical. The value must be higher than the last number used in the previous CA. To display which numbers are already used, see the old CA's agent interface. This parameter is set in hex format without the leading0xprefix. The value used in the examples (4e) is78in decimal.pki_request_number_range_startThe request number is critical. The value must be higher than the last number used in the previous CA. To display which numbers are already used, see the old CA's agent interface. The value is set in decimal format.pki_master_crl_enable=FalsePrevents the initial creation and publishing of a certificate revocation list (CRL) during the setup. Instead, the CRL will be imported from the old data during the database migration.pki_cert_chain_pathandpki_cert_chain_nicknameSet these parameters only if the old CA is an intermediate CA. In this case, set the parameters to the path to the root CA certificate file and the nickname to use when storing the certificate in the network security services (NSS) database.pki_ca_signing_record_create=FalseDisables the recreation of the CA signing record at the end of thepkispawnprocess. This enables you to import the old database.pki_ca_signing_serial_numberSets the serial number of the CA signing certificate in decimal.For further details and parameter descriptions, see the pkispawn(8) man page. - Create the new CA using the deployment configuration file. For example:
# pkispawn -s CA -f /root/pki-CA-deployment.txt
- Verify that the CA signing key ID is the same in the existing and in the new CA. For example:
# grep "internal=" /var/lib/instance_name/conf/password.conf | \ awk -F= '{print $2;}' > internal.txt# certutil -K -d /var/lib/instance_name/alias/ -f internal.txt ... < 2> rsa 7bd4dc662670ebe08a35086b054175559608ac20 caSigningCert ca-pki-ca ...
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.