Enabling Signed Audit
By default PKI subsystems are installed with audit log signing disabled. To enable log signing, follow the steps below.
Prior to PKI 11.7 the audit signing certificate was created automatically during installation. Since PKI 11.7 the certificate is no longer created automatically, so it must be created manually after installation.
To configure the nickname for audit signing certificate:
$ pki-server ca-config-set ca.audit_signing.nickname ca_audit_signing
$ pki-server ca-config-set ca.cert.audit_signing.nickname ca_audit_signing
To generate the CSR:
$ pki-server cert-request \
--subject "CN=Audit Signing Certificate" \
--ext /usr/share/pki/server/certs/audit_signing.conf \
ca_audit_signing
To issue the certificate:
$ pki \
-n caadmin \
ca-cert-issue \
--profile caAuditSigningCert \
--csr-file /var/lib/pki/pki-tomcat/conf/certs/ca_audit_signing.csr \
--output-file /var/lib/pki/pki-tomcat/conf/certs/ca_audit_signing.crt
To import the certificate:
$ pki-server cert-import ca_audit_signing
To enable signed audit via pki-server CLI, execute the following command:
$ pki-server ca-audit-config-mod \
--logSigning true \
--signingCert ca_audit_signing
Then restart the server.
To enable signed audit via the TPS UI, go to System → Audit Logging. Disable logging first, click Edit, change Signed Logging to true, then re-enable Logging.
Then restart the server.
The signed audit can be configured with the following parameters in /var/lib/pki/<instance>/conf/<subsystem>/CS.cfg:
ca.audit_signing.nickname=ca_audit_signing
ca.cert.audit_signing.nickname=ca_audit_signing
log.instance.SignedAudit.logSigning=true
log.instance.SignedAudit.signedAuditCertNickname=ca_audit_signing
Then restart the server.
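Whichever method is used, the result is the set of CS.cfg parameters listed above, and a nickname that does not agree across them is easy to introduce when editing by hand. The following is an added example, not part of the Dogtag PKI project, that checks those four keys before the restart. The function names, the subsystem-prefix argument and the two sample configuration files are hypothetical; only the CS.cfg keys come from the page.

```shell
#!/bin/sh
# Added example (not from the Dogtag PKI project): pre-restart sanity check for
# the signed audit settings in a CS.cfg. Function names are hypothetical.

# Print the value of key $2 in CS.cfg-style file $1 (first match, empty if absent).
cfg_get() {
    awk -F= -v k="$2" '$1 == k { print substr($0, length(k) + 2); exit }' "$1"
}

# Return 0 when log signing is on and every nickname agrees, 1 otherwise.
# $1 = path to CS.cfg, $2 = subsystem prefix (ca, kra, ...; default ca).
check_signed_audit_config() {
    cfg=$1
    sub=${2:-ca}
    rc=0
    signing=$(cfg_get "$cfg" log.instance.SignedAudit.logSigning)
    nick=$(cfg_get "$cfg" log.instance.SignedAudit.signedAuditCertNickname)
    sub_nick=$(cfg_get "$cfg" "$sub.audit_signing.nickname")
    cert_nick=$(cfg_get "$cfg" "$sub.cert.audit_signing.nickname")

    if [ "$signing" != true ]; then
        echo "log.instance.SignedAudit.logSigning is '${signing:-unset}', expected true" >&2
        rc=1
    fi
    if [ -z "$nick" ]; then
        echo "log.instance.SignedAudit.signedAuditCertNickname is unset" >&2
        rc=1
    fi
    for v in "$sub_nick" "$cert_nick"; do
        if [ "$v" != "$nick" ]; then
            echo "nickname mismatch: '$v' vs signedAuditCertNickname '$nick'" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs (not real instance files). The "bad" one has
# signing switched on but names a certificate nickname that differs from the
# one the ca.* keys use, the kind of inconsistency to catch before restarting.
WORK=$(mktemp -d)
GOOD_CFG=$WORK/good.cfg
BAD_CFG=$WORK/bad.cfg
cat > "$GOOD_CFG" <<'EOF'
ca.audit_signing.nickname=ca_audit_signing
ca.cert.audit_signing.nickname=ca_audit_signing
log.instance.SignedAudit.logSigning=true
log.instance.SignedAudit.signedAuditCertNickname=ca_audit_signing
EOF
cat > "$BAD_CFG" <<'EOF'
ca.audit_signing.nickname=ca_audit_signing
ca.cert.audit_signing.nickname=ca_audit_signing
log.instance.SignedAudit.logSigning=true
log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert
EOF

check_signed_audit_config "$GOOD_CFG" ca && echo "good.cfg: OK"
check_signed_audit_config "$BAD_CFG" ca || echo "bad.cfg: fix before restart"
```

Run it against /var/lib/pki/<instance>/conf/<subsystem>/CS.cfg with the matching subsystem prefix (ca, kra, and so on) after editing and before the restart; a non-zero exit means the server would come up with an inconsistent audit signing configuration.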