Skip to content

Installing KRA with Existing NSS Database

Endi S. Dewata edited this page Mar 27, 2024 · 13 revisions

Overview

This page describes the process to install a KRA subsystem with existing system certificates and keys stored in an NSS database.

Availability: Since PKI 11.6.

Preparing Certificate Chain

Obtain the certificate chain from the CA (e.g. cert_chain.pem). See Exporting CA System Certificates.

Preparing NSS Database

Create a new PKI server instance (default is pki-tomcat) with the following command:

$ pki-server create

Move the existing NSS database into /var/lib/pki/pki-tomcat/conf/alias and store the password in /var/lib/pki/pki-tomcat/conf/password.conf as follows:

internal=<password>

Make sure that the files and folders are owned by pkiuser user and pkiuser group.

For testing, a new NSS database can be created in the server instance with the following command:

$ pki-server nss-create

Then the KRA system certificates can be created as follows:

The CSRs should be stored in /var/lib/pki/pki-tomcat/conf/certs folder.

To migrate an existing KRA subsystem to a new machine, the existing subsystem and the SSL server certificates should not be added into the NSS database, or they should be removed from the NSS database with the following commands:

$ pki-server cert-del sslserver
$ pki-server cert-del subsystem

Preparing Admin Certificate

To install the new KRA subsystem obtain the admin certificate from the CA or the existing KRA subsystem (e.g. admin.crt). To access the new KRA subsystem obtain the admin certificate with its key in a PKCS #12 file (e.g. ca_admin_cert.p12). See Default CA Admin.

For testing, a new admin certificate can also be created as follows:

Installing KRA Subsystem

Prepare a file that contains the deployment configuration. A sample deployment configuration is available at /usr/share/pki/server/examples/installation/kra.cfg.

Specify the certificate chain with the following parameter:

pki_cert_chain_path=cert_chain.pem

Specify the admin certificate with the following parameter:

pki_admin_cert_path=admin.crt

Finally, execute the following command:

$ pkispawn -f kra.cfg -s KRA

It will install a KRA subsystem in the server instance and use the NSS database in /var/lib/pki/pki-tomcat/conf/alias.

Verifying System Certificates

Verify that the server NSS database contains the following certificates:

$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca_signing                                                   CT,C,C
kra_transport                                                u,u,u
kra_storage                                                  u,u,u
subsystem                                                    u,u,u
kra_audit_signing                                            u,u,Pu
sslserver                                                    u,u,u

Verifying Admin Certificate

Import the certificate chain into the client NSS database (e.g. ~/.dogtag/nssdb):

$ pki nss-cert-import \
    --cert cert_chain.pem \
    --trust CT,C,C \
    ca_signing

Import admin key and certificate:

$ pki pkcs12-import \
    --pkcs12 ca_admin_cert.p12 \
    --pkcs12-password Secret.123

Verify that the admin certificate can be used to access the KRA subsystem by executing the following command:

$ pki -n caadmin kra-user-show kraadmin
---------------
User "kraadmin"
---------------
  User ID: kraadmin
  Full name: kraadmin
  Email: [email protected]
  Type: adminType
  State: 1
Clone this wiki locally