Installing KRA with Existing NSS Database
This page describes the process to install a KRA subsystem with existing system certificates and keys stored in an NSS database.
Availability: Since PKI 11.6.
Obtain the certificate chain from the CA (e.g. cert_chain.pem).
See Exporting CA System Certificates.
Create a new PKI server instance with the following command:
$ pki-server create
Move the existing NSS database into /etc/pki/pki-tomcat/alias
or create a new NSS database with the following command:
$ pki-server nss-create
For testing, new KRA system certificates can also be created as follows:
The CSRs should be stored in the /etc/pki/pki-tomcat/certs folder.
To install the new KRA subsystem, obtain the admin certificate from the CA or from the existing KRA subsystem (e.g. admin.crt).
To access the new KRA subsystem, obtain the admin certificate with its key in a PKCS #12 file (e.g. ca_admin_cert.p12).
See Default CA Admin.
For testing, a new admin certificate can also be created as follows:
Prepare a file that contains the deployment configuration. A sample deployment configuration is available at /usr/share/pki/server/examples/installation/kra.cfg.
Specify the certificate chain with the following parameter:
pki_cert_chain_path=cert_chain.pem
Specify the admin certificate with the following parameter:
pki_admin_cert_path=admin.crt
Finally, execute the following command:
$ pkispawn -f kra.cfg -s KRA
This installs the KRA subsystem into a Tomcat instance (default: pki-tomcat) and uses the server NSS database in /etc/pki/pki-tomcat/alias.
Verify that the server NSS database contains the following certificates:
$ certutil -L -d /etc/pki/pki-tomcat/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca_signing                                                   CT,C,C
kra_transport                                                u,u,u
kra_storage                                                  u,u,u
subsystem                                                    u,u,u
kra_audit_signing                                            u,u,Pu
sslserver                                                    u,u,u
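The following check is added here and is not part of the Dogtag PKI project: it reads a certutil -L listing and verifies that every certificate expected after a KRA install is present with exactly the trust attributes shown above, so a CA certificate imported without CT,C,C or a missing storage certificate is reported before the instance is used. The sample listing is constructed from the output above; the function name, the trust-flag filter and the assumption that nicknames contain no spaces are mine.

```shell
#!/bin/sh
# Expected certificate nicknames and trust attributes in the server NSS
# database after a successful KRA install (taken from the listing above).
# One "nickname=trust" entry per line; nicknames are assumed to have no spaces.
EXPECTED_CERTS="ca_signing=CT,C,C
kra_transport=u,u,u
kra_storage=u,u,u
subsystem=u,u,u
kra_audit_signing=u,u,Pu
sslserver=u,u,u"

# check_nss_listing reads a `certutil -L` listing on stdin and compares it with
# EXPECTED_CERTS. It prints one line per discrepancy and returns 0 only when
# every expected nickname is present with exactly the expected trust flags, so
# a CA certificate imported without CT,C,C is reported rather than accepted.
check_nss_listing() {
    # Normalise to "nickname<TAB>trust". The two header lines end in
    # "Attributes" and "SSL,S/MIME,JAR/XPI", which are not valid trust
    # strings, so the filter drops them together with blank lines.
    listing=$(awk '$NF ~ /^[CTPcpuw,]+$/ && $NF ~ /,/ {
        t = $NF; sub(/[ \t]+[^ \t]+[ \t]*$/, ""); print $0 "\t" t }')
    rc=0
    for entry in $EXPECTED_CERTS; do
        nick=${entry%%=*}
        want=${entry#*=}
        got=$(printf '%s\n' "$listing" | awk -F '\t' -v n="$nick" '$1 == n { print $2 }')
        if [ -z "$got" ]; then
            echo "MISSING  $nick (expected trust $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "TRUST    $nick: got $got, expected $want"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: the listing this page shows after a successful install.
# On a real server run:  certutil -L -d /etc/pki/pki-tomcat/alias | check_nss_listing
SAMPLE_OK="Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

ca_signing                           CT,C,C
kra_transport                        u,u,u
kra_storage                          u,u,u
subsystem                            u,u,u
kra_audit_signing                    u,u,Pu
sslserver                            u,u,u"

printf '%s\n' "$SAMPLE_OK" | check_nss_listing && echo "server NSS database looks complete"
```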
Import the certificate chain into the client NSS database (e.g. ~/.dogtag/nssdb):
$ pki nss-cert-import \
--cert cert_chain.pem \
--trust CT,C,C \
ca_signing
Import admin key and certificate:
$ pki pkcs12-import \
--pkcs12 ca_admin_cert.p12 \
--pkcs12-password Secret.123
Verify that the admin certificate can be used to access the KRA subsystem by executing the following command:
$ pki -n caadmin kra-user-show kraadmin
---------------
User "kraadmin"
---------------
  User ID: kraadmin
  Full name: kraadmin
  Email: [email protected]
  Type: adminType
  State: 1