
PKI 10.5 Installing CA

Endi S. Dewata edited this page Mar 27, 2024 · 3 revisions

Installing CA

Prepare a deployment configuration file (e.g. ca.cfg):

[CA]
pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret.123
pki_admin_uid=caadmin

pki_client_database_password=Secret.123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123

pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
pki_ds_database=ca
pki_ds_password=Secret.123

pki_security_domain_name=EXAMPLE

Optionally, the certificate nicknames can be specified in the following parameters:

pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_nickname=ca_audit_signing
pki_ssl_server_nickname=sslserver  # Same nicknames must be specified manually for other subsystems
pki_subsystem_nickname=subsystem   # Same nicknames must be specified manually for other subsystems

Since the sslserver and subsystem certificates are shared by all subsystems in the same instance, the same two nicknames must be provided when installing each additional subsystem.

To begin the installation, execute the following command:

$ pkispawn -v -f ca.cfg -s CA
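The requirement above is easy to get wrong when a second deployment file is written later for another subsystem. The following POSIX shell script is an added example, not part of the Dogtag project or this page: it checks that every subsystem section of a pkispawn configuration resolves to the same pki_ssl_server_nickname and pki_subsystem_nickname before pkispawn is run. It assumes the usual layout of one section per subsystem ([CA], [KRA], ...) and that a value set in [DEFAULT] applies to sections that do not set it themselves; the [KRA] section in the constructed sample configurations is hypothetical.

```shell
#!/bin/sh
# Added example: verify that every subsystem section of a pkispawn deployment
# configuration uses the same sslserver and subsystem certificate nicknames.
# Assumes one section per subsystem ([CA], [KRA], ...) and that a value set in
# [DEFAULT] applies to sections that do not set it themselves.

# sample_cfg ok|mismatch: print a constructed configuration (not a real deployment).
sample_cfg() {
  case "$1" in
    ok) cat <<'EOF'
[DEFAULT]
pki_ssl_server_nickname=sslserver
pki_subsystem_nickname=subsystem

[CA]
pki_ca_signing_nickname=ca_signing

[KRA]
pki_ssl_server_nickname=sslserver
EOF
      ;;
    mismatch) cat <<'EOF'
[DEFAULT]
pki_subsystem_nickname=subsystem

[CA]
pki_ssl_server_nickname=sslserver
pki_ca_signing_nickname=ca_signing

[KRA]
pki_ssl_server_nickname=pki-sslserver
EOF
      ;;
  esac
}

# check_shared_nicknames <cfg>: exit 0 when all subsystem sections agree on
# pki_ssl_server_nickname and pki_subsystem_nickname, otherwise print each
# disagreement (relative to the first subsystem section) and exit 1.
check_shared_nicknames() {
  awk '
    /^[ \t]*\[/ {
      sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
      if (sec != "DEFAULT" && sec != "Tomcat" && !(sec in seen)) {
        seen[sec] = 1; order[++count] = sec
      }
      next
    }
    /^[ \t]*pki_(ssl_server|subsystem)_nickname[ \t]*=/ {
      key = $0; sub(/^[ \t]*/, "", key); sub(/[ \t]*=.*$/, "", key)
      val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      value[sec, key] = val
    }
    END {
      rc = 0
      nk = split("pki_ssl_server_nickname pki_subsystem_nickname", keys, " ")
      for (i = 1; i <= nk; i++) {
        k = keys[i]
        for (j = 1; j <= count; j++) {
          s = order[j]
          if ((s, k) in value) v = value[s, k]
          else if (("DEFAULT", k) in value) v = value["DEFAULT", k]
          else v = "(unset)"
          if (j == 1) { ref = v; refsec = s; continue }
          if (v != ref) {
            printf "%s: [%s]=%s differs from [%s]=%s\n", k, s, v, refsec, ref
            rc = 1
          }
        }
      }
      exit rc
    }' "$1"
}

# Stand-alone: check the file given as $1, otherwise the constructed mismatch
# sample, which is expected to report one disagreement.
if [ $# -gt 0 ]; then
  check_shared_nicknames "$1"
else
  tmp=$(mktemp)
  sample_cfg mismatch > "$tmp"
  check_shared_nicknames "$tmp" || echo "nickname mismatch found; fix before running pkispawn"
  rm -f "$tmp"
fi
```

Run it as `sh check-nicknames.sh ca.cfg` (and again on each later deployment file); a non-zero exit means pkispawn would try to install a subsystem whose sslserver or subsystem nickname does not match the certificates already in the instance's NSS database.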

Verification

Verify certificates

The NSS database should contain the following certificates. The sed command copies the internal token password from password.conf into password.txt; it is only needed for the key listing further down (certutil -L works without it), so keep that file private and remove it afterwards:

$ sed -n "/^internal=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/conf/password.conf > password.txt
$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca_signing                                                   CTu,Cu,Cu
ca_ocsp_signing                                              u,u,u
sslserver                                                    u,u,u
subsystem                                                    u,u,u
ca_audit_signing                                             u,u,Pu

Verify keys

The NSS database should contain the following keys:

$ certutil -K -d /var/lib/pki/pki-tomcat/conf/alias -f password.txt
< 0> rsa      f4e07b335299c96f0247a6f8dc049e8faa540209   ca_signing
< 1> rsa      0bdf1085474b7542fa30908c2136c518fdedc615   ca_ocsp_signing
< 2> rsa      39473f7309b3354d638940e55398cf500d8411f8   sslserver
< 3> rsa      2235764e98d1b973aa1a231c09aebc8e33133641   subsystem
< 4> rsa      a532c42398cd592b664eafd4c2b0a73e20ee395e   ca_audit_signing
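The two listings above can be checked mechanically instead of by eye. The following POSIX shell script is an added example, not part of the Dogtag project or this page: given certutil -L and certutil -K output it verifies that each system certificate is present exactly once with the expected trust attributes and owns a private key, and on a host with the instance it reads the internal token password into a mode-0600 temporary file that is removed on exit rather than leaving a password.txt behind. The embedded sample listings are constructed from the output shown above; ALIAS_DIR and PASSWORD_CONF are the paths used on this page.

```shell
#!/bin/sh
# Added example: post-install check of the CA NSS database. Not part of the
# Dogtag project. Expected nicknames and trust flags are those shown on this page.
ALIAS_DIR=/var/lib/pki/pki-tomcat/conf/alias
PASSWORD_CONF=/var/lib/pki/pki-tomcat/conf/password.conf

# One "nickname trust-attributes" pair per line, as printed by certutil -L.
EXPECTED_TRUST='ca_signing CTu,Cu,Cu
ca_ocsp_signing u,u,u
sslserver u,u,u
subsystem u,u,u
ca_audit_signing u,u,Pu'

# Constructed sample listings shaped like certutil -L and certutil -K output
# (copied from the listings above), used when no real instance is present.
SAMPLE_CERTS='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca_signing                                                   CTu,Cu,Cu
ca_ocsp_signing                                              u,u,u
sslserver                                                    u,u,u
subsystem                                                    u,u,u
ca_audit_signing                                             u,u,Pu'
SAMPLE_KEYS='< 0> rsa      f4e07b335299c96f0247a6f8dc049e8faa540209   ca_signing
< 1> rsa      0bdf1085474b7542fa30908c2136c518fdedc615   ca_ocsp_signing
< 2> rsa      39473f7309b3354d638940e55398cf500d8411f8   sslserver
< 3> rsa      2235764e98d1b973aa1a231c09aebc8e33133641   subsystem
< 4> rsa      a532c42398cd592b664eafd4c2b0a73e20ee395e   ca_audit_signing'

# check_cert_trust <certutil -L output>: every expected nickname must appear
# exactly once with the expected trust attributes; report and exit 1 otherwise.
check_cert_trust() {
  printf '%s\n' "$1" | awk -v expected="$EXPECTED_TRUST" '
    BEGIN {
      n = split(expected, lines, "\n")
      for (i = 1; i <= n; i++) if (lines[i] != "") { split(lines[i], f, " "); want[f[1]] = f[2] }
    }
    NF == 2 && ($1 in want) { if ($1 in got) dup[$1] = 1; got[$1] = $2 }
    END {
      rc = 0
      for (nick in want) {
        if (!(nick in got)) { printf "missing certificate: %s\n", nick; rc = 1 }
        else if (got[nick] != want[nick]) { printf "%s: trust %s, expected %s\n", nick, got[nick], want[nick]; rc = 1 }
      }
      for (nick in dup) { printf "duplicate nickname: %s\n", nick; rc = 1 }
      exit rc
    }'
}

# check_keys <certutil -K output>: every expected nickname must own a private key.
check_keys() {
  printf '%s\n' "$1" | awk -v expected="$EXPECTED_TRUST" '
    BEGIN {
      n = split(expected, lines, "\n")
      for (i = 1; i <= n; i++) if (lines[i] != "") { split(lines[i], f, " "); want[f[1]] = 1 }
    }
    /^< *[0-9]+>/ { have[$NF] = 1 }
    END {
      rc = 0
      for (nick in want) if (!(nick in have)) { printf "no private key for %s\n", nick; rc = 1 }
      exit rc
    }'
}

# verify_instance: run both checks against the live database. The internal
# token password is extracted as on this page, but into a mode-0600 temporary
# file that is deleted on exit instead of a password.txt left in the cwd.
verify_instance() {
  umask 077
  pwfile=$(mktemp)
  trap 'rm -f "$pwfile"' EXIT
  sed -n '/^internal=/ s/^[^=]*=// p' "$PASSWORD_CONF" > "$pwfile"
  check_cert_trust "$(certutil -L -d "$ALIAS_DIR")" &&
    check_keys "$(certutil -K -d "$ALIAS_DIR" -f "$pwfile")"
}

if [ -d "$ALIAS_DIR" ] && command -v certutil >/dev/null 2>&1; then
  verify_instance && echo "NSS database verified"
else
  check_cert_trust "$SAMPLE_CERTS" && check_keys "$SAMPLE_KEYS" && echo "sample listings verified"
fi
```

The duplicate-nickname check matters because an NSS database can hold two certificates under one nickname (for example after a failed re-run of pkispawn), and the server may then pick the wrong one; the trust-flag check catches a CA signing certificate imported without the CT flags, which breaks chain validation for everything it issued.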

Verify CA admin

Verify that the CA admin can access the server with the following command (passing the client database password with -c exposes it in the process list; on a shared host use -C <file> to read it from a file instead):

$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-user-find
-----------------
3 entries matched
-----------------
  User ID: CA-pki.example.com-8443
  Full name: CA-pki.example.com-8443

  User ID: caadmin
  Full name: caadmin

  User ID: pkidbuser
  Full name: pkidbuser
----------------------------
Number of entries returned 3
----------------------------