Skip to content

Exporting KRA System Certificates

Jump to bottom
Endi S. Dewata edited this page Mar 27, 2024 · 4 revisions

Overview

This page describes the process to export KRA system certificates, the keys, and the CSRs.

Exporting System Certificates and Keys

To export the certificates without their keys into separate files execute the following commands:

$ pki-server cert-export kra_storage --cert-file kra_storage.crt
$ pki-server cert-export kra_transport --cert-file kra_transport.crt
$ pki-server cert-export kra_audit_signing --cert-file kra_audit_signing.crt
$ pki-server cert-export subsystem --cert-file subsystem.crt
$ pki-server cert-export sslserver --cert-file sslserver.crt

To export the certificates with their keys into a PKCS #12 file execute the following command:

$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    pkcs12-export \
    --pkcs12 kra-certs.p12 \
    --password Secret.123 \
    kra_storage \
    kra_transport \
    kra_audit_signing \
    subsystem \
    sslserver

Exporting System CSRs

In PKI 11.5 or later the CSRs can be obtained directly from the /var/lib/pki/pki-tomcat/conf/certs folder:

  • kra_storage.csr

  • kra_transport.csr

  • kra_audit_signing.csr

  • subsystem.csr

  • sslserver.csr

In older PKI versions the CSRs need to be exported with the following commands:

$ echo "-----BEGIN CERTIFICATE REQUEST-----" > kra_storage.csr
$ sed -n "/^kra.storage.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/conf/kra/CS.cfg >> kra_storage.csr
$ echo "-----END CERTIFICATE REQUEST-----" >> kra_storage.csr

$ echo "-----BEGIN CERTIFICATE REQUEST-----" > kra_transport.csr
$ sed -n "/^kra.transport.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/conf/kra/CS.cfg >> kra_transport.csr
$ echo "-----END CERTIFICATE REQUEST-----" >> kra_transport.csr

$ echo "-----BEGIN CERTIFICATE REQUEST-----" > kra_audit_signing.csr
$ sed -n "/^kra.audit_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/conf/kra/CS.cfg >> kra_audit_signing.csr
$ echo "-----END CERTIFICATE REQUEST-----" >> kra_audit_signing.csr

$ echo "-----BEGIN CERTIFICATE REQUEST-----" > subsystem.csr
$ sed -n "/^kra.subsystem.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/conf/kra/CS.cfg >> subsystem.csr
$ echo "-----END CERTIFICATE REQUEST-----" >> subsystem.csr

$ echo "-----BEGIN CERTIFICATE REQUEST-----" > sslserver.csr
$ sed -n "/^kra.sslserver.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/conf/kra/CS.cfg >> sslserver.csr
$ echo "-----END CERTIFICATE REQUEST-----" >> sslserver.csr
Tip
 To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis.
Clone this wiki locally