
Installing KRA with Existing NSS Database

Endi S. Dewata edited this page Mar 8, 2024 · 13 revisions

Overview

This page describes the process to install a KRA subsystem with an existing NSS database that contains the keys, CSRs, and certificates.

Availability: Since PKI 11.6.

Preparing NSS Database

Export the CA signing certificate from the CA with the following command:

$ pki-server cert-export ca_signing --cert-file ca_signing.crt

Create a new PKI server instance for KRA with NSS database with the following commands:

$ pki-server create
$ pki-server nss-create

New KRA keys, CSRs, and certificates can be created as follows:

The CSRs should be stored in the /etc/pki/pki-tomcat/certs folder.

Installing KRA Subsystem

Prepare a file that contains the deployment configuration. A sample deployment configuration is available at /usr/share/pki/server/examples/installation/kra.cfg.

Specify the CA signing certificate with the following parameter:

pki_cert_chain_path=ca_signing.crt

Specify the existing admin certificate with the following parameter:

pki_admin_cert_path=kra_admin.crt

Finally, execute the following command:

$ pkispawn -f kra.cfg -s KRA

It will install the KRA subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases:

  • server NSS database: /etc/pki/pki-tomcat/alias

  • admin NSS database: ~/.dogtag/pki-tomcat/kra/alias

Verifying System Certificates

Verify that the server NSS database contains the following certificates:

$ certutil -L -d /etc/pki/pki-tomcat/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca_signing                                                   CT,C,C
kra_transport                                                u,u,u
kra_storage                                                  u,u,u
subsystem                                                    u,u,u
kra_audit_signing                                            u,u,Pu
sslserver                                                    u,u,u
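As an added check (example code written for this page, not part of the Dogtag PKI project), the following Python parses a certutil -L listing like the one above and reports any nickname that is missing or whose trust attributes differ from the expected values. The sample listing is constructed from the page's output with one flag deliberately dropped, and the live check assumes certutil (nss-tools) is installed.

```python
import re
import subprocess

# Nicknames and trust attributes the KRA server NSS database should contain (from the listing above).
EXPECTED_TRUST = {
    "ca_signing": "CT,C,C",
    "kra_transport": "u,u,u",
    "kra_storage": "u,u,u",
    "subsystem": "u,u,u",
    "kra_audit_signing": "u,u,Pu",
    "sslserver": "u,u,u",
}

# One data row of certutil -L: nickname, two or more spaces, SSL,S/MIME,JAR/XPI flags.
_ROW = re.compile(r"^(\S.*?)\s{2,}([cCTpPuw]*,[cCTpPuw]*,[cCTpPuw]*)\s*$")

def parse_certutil_listing(text):
    """Return {nickname: trust} from the text output of 'certutil -L -d <dir>'."""
    return {m.group(1): m.group(2)
            for m in (_ROW.match(line) for line in text.splitlines()) if m}

def check_server_certs(listing, expected=EXPECTED_TRUST):
    """Return problems found in the listing: missing nicknames or wrong trust flags."""
    certs = parse_certutil_listing(listing)
    problems = []
    for nickname, trust in expected.items():
        if nickname not in certs:
            problems.append(f"missing: {nickname}")
        elif certs[nickname] != trust:
            problems.append(f"{nickname}: trust {certs[nickname]!r}, expected {trust!r}")
    return problems

def check_live_db(db_dir="/etc/pki/pki-tomcat/alias"):
    """Run certutil against a real server database (requires nss-tools) and check it."""
    out = subprocess.run(["certutil", "-L", "-d", db_dir],
                         check=True, capture_output=True, text=True).stdout
    return check_server_certs(out)

# Constructed sample: the page's listing, but with kra_audit_signing lacking its P flag.
SAMPLE_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
ca_signing                                                   CT,C,C
kra_transport                                                u,u,u
kra_storage                                                  u,u,u
subsystem                                                    u,u,u
kra_audit_signing                                            u,u,u
sslserver                                                    u,u,u
"""
```

Calling check_server_certs(SAMPLE_LISTING) returns a single entry for kra_audit_signing; check_live_db() runs the same check against the installed server database.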

Verifying Admin Certificate

Prepare a client NSS database (e.g. ~/.dogtag/nssdb):

$ pki client-init

Import the CA signing certificate:

$ pki client-cert-import ca_signing --ca-cert ca_signing.crt

Import admin key and certificate:

$ pki pkcs12-import \
    --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
    --pkcs12-password Secret.123

Verify that the admin certificate can be used to access the KRA subsystem by executing the following command:

$ pki -n caadmin kra-user-show kraadmin
---------------
User "kraadmin"
---------------
  User ID: kraadmin
  Full name: kraadmin
  Email: [email protected]
  Type: adminType
  State: 1
