Skip to content

Installing KRA with Existing Certificates

Endi S. Dewata edited this page Mar 27, 2024 · 21 revisions

Overview

This page describes the process to install a KRA subsystem with existing system certificates and keys stored in a PKCS #12 file.

Availability: Since PKI 11.6.

Preparing Certificate Chain

Obtain the certificate chain from the CA (e.g. cert_chain.pem). See Exporting CA System Certificates.

Preparing System Certificates

Export KRA system certificates and the keys from an existing KRA subsystem into a PKCS #12 file (e.g. kra-certs.p12) and the CSRs into separate files. See Exporting KRA System Certificates.

For testing, new KRA system certificates can also be created as follows:

To migrate an existing KRA subsystem to a new machine, the existing subsystem and the SSL server certificates should not be added into the PKCS #12 file, or they should be removed from the PKCS #12 file with the following commands:

$ pki pkcs12-cert-del --pkcs12-file kra-certs.p12 --pkcs12-password Secret.123 sslserver
$ pki pkcs12-cert-del --pkcs12-file kra-certs.p12 --pkcs12-password Secret.123 subsystem

Preparing Admin Certificate

To install the new KRA subsystem obtain the admin certificate from the CA or the existing KRA subsystem (e.g. admin.crt). To access the new KRA subsystem obtain the admin certificate with its key in a PKCS #12 file (e.g. ca_admin_cert.p12). See Default CA Admin.

For testing, a new admin certificate can also be created as follows:

Installing KRA Subsystem

Prepare a file that contains the deployment configuration. A sample deployment configuration is available at /usr/share/pki/server/examples/installation/kra.cfg.

Specify the certificate chain with the following parameter:

pki_cert_chain_path=cert_chain.pem

Specify the certificates and their keys with the following parameters:

pki_server_pkcs12_path=kra-certs.p12
pki_server_pkcs12_password=Secret.123

Specify the CSRs with the following parameters:

pki_storage_csr_path=kra_storage.csr
pki_transport_csr_path=kra_transport.csr
pki_audit_signing_csr_path=kra_audit_signing.csr
pki_subsystem_csr_path=subsystem.csr
pki_sslserver_csr_path=sslserver.csr

Specify the admin certificate with the following parameter:

pki_admin_cert_path=admin.crt

Finally, execute the following command:

$ pkispawn -f kra.cfg -s KRA

It will install KRA subsystem in a Tomcat instance (default is pki-tomcat) and create a server NSS database in /var/lib/pki/pki-tomcat/conf/alias.

Verifying System Certificates

Verify that the server NSS database contains the following certificates:

$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca_signing                                                   CT,C,C
kra_transport                                                u,u,u
kra_storage                                                  u,u,u
subsystem                                                    u,u,u
kra_audit_signing                                            u,u,Pu
sslserver                                                    u,u,u

Verifying Admin Certificate

Import the certificate chain into the client NSS database (e.g. ~/.dogtag/nssdb):

$ pki nss-cert-import \
    --cert cert_chain.pem \
    --trust CT,C,C \
    ca_signing

Import admin key and certificate:

$ pki pkcs12-import \
    --pkcs12 ca_admin_cert.p12 \
    --pkcs12-password Secret.123

Verify that the admin certificate can be used to access the KRA subsystem by executing the following command:

$ pki -n caadmin kra-user-show kraadmin
---------------
User "kraadmin"
---------------
  User ID: kraadmin
  Full name: kraadmin
  Email: [email protected]
  Type: adminType
  State: 1
Clone this wiki locally