
PKI 10.5 Installing CA with Existing Certificates

Endi S. Dewata edited this page Jan 20, 2022 · 2 revisions

Overview (Under Construction)

This document describes how to install a CA that reuses the system certificates (and, where applicable, the keys) of an existing CA:

  • CA signing certificate

  • OCSP signing certificate

  • audit signing certificate

  • subsystem certificate

  • SSL certificate

This procedure can be used to move the system certificates (and, for a software token, the keys) of an existing CA into a new instance. Note that it does not migrate or upgrade the CA database: issued certificates, requests, CRLs and the serial-number ranges stay behind. Because the new instance signs with the same CA key, it must not be put into service alongside the old one, or from an empty database, without first carrying that data over; otherwise it can reissue serial numbers the old CA has already used.

Installation using PKCS #12 File

If the existing CA stores its keys in the internal NSS token (i.e. not in an HSM), the system certificates and private keys can be migrated in a PKCS #12 file. Prepare a password file for the PKCS #12 file. This password is all that protects the CA's private keys while the file is in transit, so use a strong one (Secret.123 below is only a placeholder) and keep the file readable only by the account doing the export:

$ echo Secret.123 > password.txt

Exporting from existing CA

Extract the internal NSS database password of the existing CA into a file. Take everything after the first "=" so that a password containing "=" is not truncated, and delete the file once the export is done:

$ sed -n "/^internal=/ s/^[^=]*=// p" /var/lib/pki/pki-tomcat/conf/password.conf > internal.txt

Then export the certificates and keys with the following command:

$ PKCS12Export -d /var/lib/pki/pki-tomcat/alias -p internal.txt -o ca.p12 -w password.txt

The exported file contains every certificate and key in the NSS database, including the system certificates and keys of any other subsystem (e.g. KRA or OCSP) installed in the same instance. Those extra entries will need to be removed from the PKCS #12 file later.

Export the CSRs with the following commands:

$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_signing.csr
$ sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_signing.csr
$ echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_signing.csr

$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_ocsp_signing.csr
$ sed -n "/^ca.ocsp_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_ocsp_signing.csr
$ echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_ocsp_signing.csr

$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_audit_signing.csr
$ sed -n "/^ca.audit_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_audit_signing.csr
$ echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_audit_signing.csr

$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > subsystem.csr
$ sed -n "/^ca.subsystem.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> subsystem.csr
$ echo "-----END NEW CERTIFICATE REQUEST-----" >> subsystem.csr

$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > sslserver.csr
$ sed -n "/^ca.sslserver.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> sslserver.csr
$ echo "-----END NEW CERTIFICATE REQUEST-----" >> sslserver.csr

If the existing CA is a subordinate CA (i.e. its signing certificate was issued by an external CA and the instance holds that chain), export the chain into a file (see Exporting Certificate Chain):

$ certutil -L -d /var/lib/pki/pki-tomcat/alias -n "caSigningCert External CA" -a > external.crt

Transfer the PKCS #12 file, the CSRs, and the certificate chain to the new CA.

Installing new CA

Prepare a deployment configuration file for the CA (e.g. ca.cfg), then specify the CSRs and the PKCS #12 file in the following properties. The file will contain the PKCS #12 password in clear text, so restrict its permissions accordingly:

pki_existing=True

pki_ca_signing_csr_path=/tmp/ca_signing.csr
pki_ocsp_signing_csr_path=/tmp/ca_ocsp_signing.csr
pki_audit_signing_csr_path=/tmp/ca_audit_signing.csr
pki_subsystem_csr_path=/tmp/subsystem.csr
pki_ssl_server_csr_path=/tmp/sslserver.csr

pki_pkcs12_path=/tmp/ca.p12
pki_pkcs12_password=Secret.123

If the existing CA is a subordinate CA, specify the exported chain with the following property:

pki_cert_chain_path=/tmp/external.crt

On the new CA, put the PKCS #12 password into a file (e.g. password.txt), then verify that the PKCS #12 file contains the CA signing certificate and its key. It may also contain other certificates and keys; the listing below shows an instance where only the five CA system certificates are present, each with its private key (Has Key: true):

$ pki pkcs12-cert-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
5 entries found
---------------
  Certificate ID: 57e9682904353ad737fe672d58d74d389b85a88c
  Serial Number: 0x1
  Nickname: caSigningCert cert-pki-tomcat CA
  Subject DN: CN=CA Signing Certificate,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,O=EXAMPLE
  Trust Flags: CTu,Cu,Cu
  Has Key: true

  Certificate ID: be0d9b0b860495d371ac9791356880728931460f
  Serial Number: 0x2
  Nickname: ocspSigningCert cert-pki-tomcat CA
  Subject DN: CN=CA OCSP Signing Certificate,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,O=EXAMPLE
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 1ffdeacb64ee8e7372ed41eabbf5bccda65a90cd
  Serial Number: 0x5
  Nickname: auditSigningCert cert-pki-tomcat CA
  Subject DN: CN=CA Audit Signing Certificate,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,O=EXAMPLE
  Trust Flags: u,u,Pu
  Has Key: true

  Certificate ID: 9a098453d5e8e6a4840ab4c3abdbcf5ef151a89c
  Serial Number: 0x4
  Nickname: subsystemCert cert-pki-tomcat
  Subject DN: CN=Subsystem Certificate,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,O=EXAMPLE
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: eea6bfd57cca04447065f7a76bcdb19c3e783ea2
  Serial Number: 0x3
  Nickname: Server-Cert cert-pki-tomcat
  Subject DN: CN=pki.example.com,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,O=EXAMPLE
  Trust Flags: u,u,u
  Has Key: true

$ pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
5 entries found
---------------
  Key ID: 57e9682904353ad737fe672d58d74d389b85a88c
  Subject DN: CN=CA Signing Certificate,O=EXAMPLE
  Algorithm: RSA

  Key ID: be0d9b0b860495d371ac9791356880728931460f
  Subject DN: CN=CA OCSP Signing Certificate,O=EXAMPLE
  Algorithm: RSA

  Key ID: 1ffdeacb64ee8e7372ed41eabbf5bccda65a90cd
  Subject DN: CN=CA Audit Signing Certificate,O=EXAMPLE
  Algorithm: RSA

  Key ID: 9a098453d5e8e6a4840ab4c3abdbcf5ef151a89c
  Subject DN: CN=Subsystem Certificate,O=EXAMPLE
  Algorithm: RSA

  Key ID: eea6bfd57cca04447065f7a76bcdb19c3e783ea2
  Subject DN: CN=pki.example.com,O=EXAMPLE
  Algorithm: RSA

If the PKCS #12 file contains entries that do not belong to this CA (e.g. the KRA or OCSP subsystem certificates of a shared instance), remove them one nickname at a time with the following command, then re-run the two find commands above to confirm that only the five CA entries remain (an orphaned key still listed by pkcs12-key-find can be removed with pki pkcs12-key-del <key ID>):

$ pki pkcs12-cert-del <nickname> --pkcs12-file ca.p12 --pkcs12-password-file password.txt
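The pkcs12-cert-find listing is plain text, so the pruning decision can be scripted. The script below is an added example, not from this wiki page or from Dogtag: it reads a saved pkcs12-cert-find listing, prints the nicknames that are not among this CA's five system certificates together with the pkcs12-cert-del command for each, and flags any CA certificate that arrived without its key. The listing it runs on is constructed for the example (the KRA entry and its certificate ID are made up), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Dogtag wiki: given the saved text output of
# `pki pkcs12-cert-find`, list the nicknames that are not this CA's system
# certificates (candidates for pkcs12-cert-del) and flag any CA certificate
# whose entry reports "Has Key: false". The nickname list below uses the
# defaults shown on this page; adjust it for an instance with other names.

CA_NICKNAMES='caSigningCert cert-pki-tomcat CA|ocspSigningCert cert-pki-tomcat CA|auditSigningCert cert-pki-tomcat CA|subsystemCert cert-pki-tomcat|Server-Cert cert-pki-tomcat'

# foreign_nicknames <find-output>: nicknames that are not CA system certs
foreign_nicknames() {
    awk -v keep="$CA_NICKNAMES" '
        BEGIN { n = split(keep, k, "|"); for (i = 1; i <= n; i++) ca[k[i]] = 1 }
        /^ *Nickname: / { sub(/^ *Nickname: /, ""); if (!($0 in ca)) print }
    ' "$1"
}

# keyless_ca_certs <find-output>: CA system certs that arrived without a key
keyless_ca_certs() {
    awk -v keep="$CA_NICKNAMES" '
        BEGIN { n = split(keep, k, "|"); for (i = 1; i <= n; i++) ca[k[i]] = 1 }
        /^ *Nickname: / { sub(/^ *Nickname: /, ""); nick = $0 }
        /^ *Has Key: /  { if ((nick in ca) && $3 == "false") print nick }
    ' "$1"
}

# prune_commands <find-output> <file.p12> <password-file>: delete commands to run
prune_commands() {
    foreign_nicknames "$1" | while IFS= read -r nick; do
        printf 'pki pkcs12-cert-del "%s" --pkcs12-file %s --pkcs12-password-file %s\n' \
            "$nick" "$2" "$3"
    done
}

# sample_find_output: constructed pkcs12-cert-find output (not a real listing)
# for a PKCS #12 exported from an instance that also hosts a KRA.
sample_find_output() {
    cat <<'EOF'
---------------
3 entries found
---------------
  Certificate ID: 57e9682904353ad737fe672d58d74d389b85a88c
  Serial Number: 0x1
  Nickname: caSigningCert cert-pki-tomcat CA
  Subject DN: CN=CA Signing Certificate,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,O=EXAMPLE
  Trust Flags: CTu,Cu,Cu
  Has Key: true

  Certificate ID: eea6bfd57cca04447065f7a76bcdb19c3e783ea2
  Serial Number: 0x3
  Nickname: Server-Cert cert-pki-tomcat
  Subject DN: CN=pki.example.com,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,O=EXAMPLE
  Trust Flags: u,u,u
  Has Key: false

  Certificate ID: 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c
  Serial Number: 0x7
  Nickname: storageCert cert-pki-tomcat KRA
  Subject DN: CN=KRA Storage Certificate,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,O=EXAMPLE
  Trust Flags: u,u,u
  Has Key: true
EOF
}

# Demo on the constructed listing.
listing=$(mktemp)
sample_find_output > "$listing"
echo "entries to delete:";        foreign_nicknames "$listing"
echo "CA certs missing a key:";   keyless_ca_certs "$listing"
echo "commands:";                 prune_commands "$listing" ca.p12 password.txt
rm -f "$listing"
```

A CA certificate reported without its key means the export did not pick up the private key (for example because it lives in an HSM rather than the internal token), and the PKCS #12 route on this page does not apply to it.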

Then execute the following command:

$ pkispawn -v -f ca.cfg -s CA

Installation using Certificate Files

If the existing CA keeps its keys in an HSM, only the certificate files need to be transported. The private keys never leave the HSM, so the new CA must be able to reach the same HSM token (the same partition or security world, with the keys under the same nicknames); otherwise the imported certificates will have no matching keys.

Exporting from existing CA

Export the system certificates with the following commands:

$ certutil -L -d /var/lib/pki/pki-tomcat/alias -n "caSigningCert cert-pki-tomcat CA" -a > ca_signing.crt
$ certutil -L -d /var/lib/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-tomcat CA" -a > ca_ocsp_signing.crt
$ certutil -L -d /var/lib/pki/pki-tomcat/alias -n "auditSigningCert cert-pki-tomcat CA" -a > ca_audit_signing.crt
$ certutil -L -d /var/lib/pki/pki-tomcat/alias -n "subsystemCert cert-pki-tomcat" -a > subsystem.crt
$ certutil -L -d /var/lib/pki/pki-tomcat/alias -n "Server-Cert cert-pki-tomcat" -a > sslserver.crt

Export the CSRs with the following commands:

$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_signing.csr
$ sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_signing.csr
$ echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_signing.csr

$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_ocsp_signing.csr
$ sed -n "/^ca.ocsp_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_ocsp_signing.csr
$ echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_ocsp_signing.csr

$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_audit_signing.csr
$ sed -n "/^ca.audit_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_audit_signing.csr
$ echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_audit_signing.csr

$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > subsystem.csr
$ sed -n "/^ca.subsystem.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> subsystem.csr
$ echo "-----END NEW CERTIFICATE REQUEST-----" >> subsystem.csr

$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > sslserver.csr
$ sed -n "/^ca.sslserver.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> sslserver.csr
$ echo "-----END NEW CERTIFICATE REQUEST-----" >> sslserver.csr

(Strip the value after the first "=" with sed rather than splitting the line on "=": the base64 request often ends in "=" padding, and a field split would drop it, leaving an undecodable CSR.)
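The five pairs of echo/sed commands above, here and in the PKCS #12 section, each wrap one CS.cfg value in PEM markers by hand. The following script is an added example, not part of this wiki page or of Dogtag itself: it does the same extraction as a function, keeps the base64 padding intact, checks the result, and runs against a constructed CS.cfg fragment whose request bodies are placeholders rather than real requests (the function names and sample values are this example's assumptions, not Dogtag identifiers).

```shell
#!/bin/sh
# Added example, not part of the Dogtag wiki: export the system certificate
# requests stored in CS.cfg as PEM files. CS.cfg keeps each request as one
# line of base64 under ca.<tag>.certreq=; taking everything after the first
# "=" keeps the base64 padding ("=" or "==") intact, which a field split on
# "=" would discard and which would leave the CSR undecodable.

# export_csr <CS.cfg> <tag> <output.csr>
# <tag> is one of: signing, ocsp_signing, audit_signing, subsystem, sslserver
export_csr() {
    cfg=$1; tag=$2; out=$3
    body=$(sed -n "s/^ca\.${tag}\.certreq=//p" "$cfg")
    if [ -z "$body" ]; then
        echo "export_csr: ca.${tag}.certreq not found in ${cfg}" >&2
        return 1
    fi
    {
        echo "-----BEGIN NEW CERTIFICATE REQUEST-----"
        printf '%s\n' "$body" | fold -w 64    # conventional 64-column PEM body
        echo "-----END NEW CERTIFICATE REQUEST-----"
    } > "$out"
}

# export_all_csrs <CS.cfg> <outdir>: write the five files named on this page
export_all_csrs() {
    export_csr "$1" signing       "$2/ca_signing.csr"       &&
    export_csr "$1" ocsp_signing  "$2/ca_ocsp_signing.csr"  &&
    export_csr "$1" audit_signing "$2/ca_audit_signing.csr" &&
    export_csr "$1" subsystem     "$2/subsystem.csr"        &&
    export_csr "$1" sslserver     "$2/sslserver.csr"
}

# csr_ok <file>: 0 if the file has the PEM markers and only base64 between them
csr_ok() {
    [ "$(head -n 1 "$1")" = "-----BEGIN NEW CERTIFICATE REQUEST-----" ] &&
    [ "$(tail -n 1 "$1")" = "-----END NEW CERTIFICATE REQUEST-----" ] &&
    ! sed '1d;$d' "$1" | grep -q '[^A-Za-z0-9+/=]'
}

# sample_cs_cfg: a constructed CS.cfg fragment; the base64 values are
# placeholders, not real certificate requests.
sample_cs_cfg() {
    cat <<'EOF'
ca.signing.nickname=caSigningCert cert-pki-tomcat CA
ca.signing.certreq=MIIBCgKCAQEAcGxhY2Vob2xkZXIgcmVxdWVzdCBib2R5IHRoYXQgaXMgbG9uZ2VyIHRoYW4gc2l4dHktZm91ciBjaGFyYWN0ZXJzAQAB
ca.ocsp_signing.certreq=MIIBCgKCAQEAb2NzcA==
ca.audit_signing.certreq=MIIBCgKCAQEAYXVkaXQ=
ca.subsystem.certreq=MIIBCgKCAQEAc3Vic3lzdGVt
ca.sslserver.certreq=MIIBCgKCAQEAc3NsLytzZXJ2ZXI==
EOF
}

# Demo: export from the constructed CS.cfg into a scratch directory.
work=$(mktemp -d)
sample_cs_cfg > "$work/CS.cfg"
export_all_csrs "$work/CS.cfg" "$work"
for f in "$work"/*.csr; do
    if csr_ok "$f"; then echo "ok:  $(basename "$f")"; else echo "BAD: $(basename "$f")"; fi
done
cat "$work/ca_ocsp_signing.csr"
rm -rf "$work"
```

On a real instance, call export_all_csrs with /var/lib/pki/pki-tomcat/ca/conf/CS.cfg and the directory the files will be transferred from; a missing ca.<tag>.certreq entry (for example on an instance that was installed with externally supplied certificates) is reported instead of producing an empty CSR.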

If the existing CA is a subordinate CA (i.e. its signing certificate was issued by an external CA and the instance holds that chain), export the chain into a file (see Exporting Certificate Chain):

$ certutil -L -d /var/lib/pki/pki-tomcat/alias -n "caSigningCert External CA" -a > external.crt

Transfer the certificates, the CSRs, and the certificate chain to the new CA.
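Before the transfer it is worth confirming that each exported certificate really belongs to the CSR exported beside it, and that a subordinate CA's signing certificate verifies against the exported chain, rather than discovering a mix-up during pkispawn. The following script is an added example built on the openssl command-line tool, not part of this wiki or of Dogtag; the function names and the file layout it expects (the .crt/.csr names used on this page, in one directory) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the Dogtag wiki: sanity-check the exported files
# before moving them to the new host. Each .crt must carry the same public key
# as the .csr exported beside it, and for a subordinate CA the signing
# certificate must verify against the exported external chain. Needs the
# openssl CLI; openssl req accepts the "NEW CERTIFICATE REQUEST" PEM header.

# pubkey_fingerprint <x509|req> <file>: SHA-256 of the DER SubjectPublicKeyInfo
pubkey_fingerprint() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# cert_matches_csr <cert.crt> <request.csr>: 0 only if both hold the same key
cert_matches_csr() {
    c=$(pubkey_fingerprint x509 "$1") || return 1
    r=$(pubkey_fingerprint req "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$r" ]
}

# check_exported_pairs <dir>: report on the five pairs named on this page;
# returns 1 if any certificate does not match its request (or is missing)
check_exported_pairs() {
    rc=0
    for base in ca_signing ca_ocsp_signing ca_audit_signing subsystem sslserver; do
        if cert_matches_csr "$1/$base.crt" "$1/$base.csr"; then
            echo "match:    $base.crt <-> $base.csr"
        else
            echo "MISMATCH: $base.crt <-> $base.csr"
            rc=1
        fi
    done
    return $rc
}

# chain_ok <external.crt> <ca_signing.crt>: 0 if the signing certificate
# verifies against the exported chain (openssl verify also checks the dates)
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: sh check_exports.sh <directory holding the exported .crt/.csr files>
if [ -n "${1:-}" ]; then
    check_exported_pairs "$1"
    if [ -f "$1/external.crt" ]; then
        if chain_ok "$1/external.crt" "$1/ca_signing.crt"; then
            echo "chain:    ca_signing.crt verifies against external.crt"
        else
            echo "CHAIN FAILURE: ca_signing.crt does not verify against external.crt"
        fi
    fi
fi
```

The comparison is done on a hash of the DER-encoded public key rather than on the PEM text, so it works the same for RSA and EC keys and does not depend on line wrapping. A fingerprint function that fails (missing or unreadable file) returns non-zero instead of an empty string, so two missing files never compare as "matching".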

Installing new CA

Prepare a deployment configuration file for CA, then specify the certificates and the CSRs in the following properties:

pki_existing=True

pki_ca_signing_csr_path=/tmp/ca_signing.csr
pki_ca_signing_cert_path=/tmp/ca_signing.crt
pki_ocsp_signing_csr_path=/tmp/ca_ocsp_signing.csr
pki_ocsp_signing_cert_path=/tmp/ca_ocsp_signing.crt
pki_audit_signing_csr_path=/tmp/ca_audit_signing.csr
pki_audit_signing_cert_path=/tmp/ca_audit_signing.crt
pki_subsystem_csr_path=/tmp/subsystem.csr
pki_subsystem_cert_path=/tmp/subsystem.crt
pki_ssl_server_csr_path=/tmp/sslserver.csr
pki_ssl_server_cert_path=/tmp/sslserver.crt

If the existing CA is a subordinate CA, specify the exported chain with the following property:

pki_cert_chain_path=/tmp/external.crt

Specify the HSM configuration in the following properties (the values below are for an nCipher/Entrust nShield module; use the PKCS #11 library path and module name of your HSM):

pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast

Then execute:

$ pkispawn -v -f ca.cfg -s CA
