
PKI 10.5 Installing CA with Existing Certificates using PKCS12 File

Endi S. Dewata edited this page Sep 14, 2023 · 3 revisions

Overview

The CA installation with existing certificates using a PKCS #12 file is part of the CA migration procedure without an HSM. In this process the existing certificates and keys are migrated using a PKCS #12 file.

PKI 10.4 or older supports migrating the CA signing certificate only; the other system certificates are reissued by the new CA. In PKI 10.5 or later all of the CA's system certificates can be migrated.

Exporting Existing Certificates and Keys

Prepare a password file for the PKCS #12 file:

$ echo Secret.123 > password.txt

Export the NSS database password of the existing CA instance into a file:

$ grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2;}' > internal.txt

Then export all existing certificates and keys with the following command:

$ PKCS12Export -d /var/lib/pki/pki-tomcat/alias -p internal.txt -o ca.p12 -w password.txt

This will include the CA signing certificate and key, the other system certificates and keys, and the certificate chain (if any).

Transfer the PKCS #12 file to the host where the new CA will be installed.

Export Existing CSRs

Export the CA signing CSR with the following command:

$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_signing.csr
$ sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_signing.csr
$ echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_signing.csr

In PKI 10.5 or later, export the CSRs for the other system certificates as well:

$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_ocsp_signing.csr
$ sed -n "/^ca.ocsp_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_ocsp_signing.csr
$ echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_ocsp_signing.csr
$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_audit_signing.csr
$ sed -n "/^ca.audit_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_audit_signing.csr
$ echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_audit_signing.csr
$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > subsystem.csr
$ sed -n "/^ca.subsystem.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> subsystem.csr
$ echo "-----END NEW CERTIFICATE REQUEST-----" >> subsystem.csr
$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > sslserver.csr
$ sed -n "/^ca.sslserver.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> sslserver.csr
$ echo "-----END NEW CERTIFICATE REQUEST-----" >> sslserver.csr

Transfer the CSR files to the host where the new CA will be installed.
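The following helper, an added example and not part of the Dogtag wiki or the project, generalizes the sed/echo commands above: it reads the ca.<tag>.certreq value from a CS.cfg and writes it as a PEM CSR file for any system certificate, and fails cleanly when the entry is absent. The CS.cfg below is constructed with placeholder values.

```shell
# export_csr <CS.cfg> <tag> <output>: write ca.<tag>.certreq from CS.cfg as a PEM CSR.
# Tags are the CS.cfg names: signing, ocsp_signing, audit_signing, subsystem, sslserver.
export_csr() {
    cfg=$1 tag=$2 out=$3
    # CS.cfg stores the request as a single base64 line without PEM headers.
    b64=$(sed -n "/^ca\.${tag}\.certreq=/ s/^[^=]*=// p" "$cfg")
    if [ -z "$b64" ]; then
        echo "export_csr: no ca.${tag}.certreq entry in $cfg" >&2
        return 1
    fi
    {
        echo "-----BEGIN NEW CERTIFICATE REQUEST-----"
        printf '%s\n' "$b64"
        echo "-----END NEW CERTIFICATE REQUEST-----"
    } > "$out"
}

# Constructed sample CS.cfg: the certreq values are placeholders, not real requests.
tmpdir=$(mktemp -d)
cat > "$tmpdir/CS.cfg" <<'EOF'
ca.signing.nickname=ca_signing
ca.signing.certreq=MIIBsignREQUESTPLACEHOLDER==
ca.ocsp_signing.certreq=MIIBocspREQUESTPLACEHOLDER==
ca.sslserver.certreq=MIIBsslREQUESTPLACEHOLDER==
EOF

# Export every CSR the deployment configuration can reference, using the file
# names from this page; entries missing from CS.cfg are reported and skipped.
for t in signing ocsp_signing audit_signing subsystem sslserver; do
    case $t in
        signing|ocsp_signing|audit_signing) name="ca_${t}.csr" ;;
        *) name="${t}.csr" ;;
    esac
    export_csr "$tmpdir/CS.cfg" "$t" "$tmpdir/$name" || echo "skipping $name"
done
```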

Installing New CA Instance

On the new host put the PKCS #12 password into a file (e.g. password.txt), then verify that the PKCS #12 file contains at least the CA signing certificate and key (it may also include other certificates and keys):

$ pki pkcs12-cert-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
1 entries found
---------------
  Certificate ID: 308b4c7d4b5efc4052aec26e49a2c5e2e14c9e90
  Serial Number: 0x1
  Nickname: ca_signing
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Trust Flags: CTu,Cu,Cu
  Has Key: true

$ pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
1 entries found
---------------
  Key ID: 308b4c7d4b5efc4052aec26e49a2c5e2e14c9e90
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Algorithm: RSA

In PKI 10.4 or earlier, remove the other system certificates and keys, but keep the certificate chain, using the following commands:

$ pki pkcs12-cert-del "ca_ocsp_signing" --pkcs12-file ca.p12 --pkcs12-password-file password.txt
$ pki pkcs12-cert-del "ca_audit_signing" --pkcs12-file ca.p12 --pkcs12-password-file password.txt
$ pki pkcs12-cert-del "subsystem" --pkcs12-file ca.p12 --pkcs12-password-file password.txt
$ pki pkcs12-cert-del "sslserver" --pkcs12-file ca.p12 --pkcs12-password-file password.txt

In PKI 10.5 or later it is not necessary to remove the other system certificates and keys.

Verify that the trust flags of the CA signing certificate are CTu,Cu,Cu. If they are different or missing, they can be fixed with the following command:

$ pki pkcs12-cert-mod "ca_signing" --pkcs12-file ca.p12 --pkcs12-password-file password.txt --trust-flags "CTu,Cu,Cu"

Also verify that the trust flags of the certificate chain (if any) are CT,C,C. If they are different or missing, they can be fixed with the following command:

$ pki pkcs12-cert-mod "external" --pkcs12-file ca.p12 --pkcs12-password-file password.txt --trust-flags "CT,C,C"

Prepare a deployment configuration file for the CA, then specify the PKCS #12 file, the CA signing certificate nickname and its CSR in the following properties:

pki_existing=True

pki_pkcs12_path=ca.p12
pki_pkcs12_password=Secret.123

pki_ca_signing_nickname=ca_signing
pki_ca_signing_csr_path=ca_signing.csr

In PKI 10.5 or later, also specify the nicknames and the CSRs of the other system certificates:

pki_ocsp_signing_nickname=ca_ocsp_signing
pki_ocsp_signing_csr_path=ca_ocsp_signing.csr

pki_audit_signing_nickname=ca_audit_signing
pki_audit_signing_csr_path=ca_audit_signing.csr

pki_subsystem_nickname=subsystem
pki_subsystem_csr_path=subsystem.csr

pki_sslserver_nickname=sslserver
pki_sslserver_csr_path=sslserver.csr

Make sure the nicknames above match the nicknames in the PKCS #12 file.

Then execute the following command:

$ pkispawn -f ca.cfg -s CA

Verification

Verify keys

Verify that the CA signing key ID is the same in the existing and new CA instances. For example:

$ grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2;}' > internal.txt
$ certutil -K -d /var/lib/pki/pki-tomcat/alias -f internal.txt
...
< 2> rsa      7bd4dc662670ebe08a35086b054175559608ac20   ca_signing
...

In PKI 10.4 or earlier, only the CA signing key ID should be the same. All other key IDs will be different, since those certificates are reissued by the new CA.

In PKI 10.5 or later, all key IDs should be the same (except for SSL server key IDs if they are installed on different hosts).
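The check described above, as an added example that is not part of the Dogtag wiki or the project: it parses two certutil -K listings (constructed samples here, in the line format shown above) and reports, per nickname, whether the key ID survived the migration, treating only sslserver as an acceptable difference.

```shell
# Constructed sample certutil -K output for the existing and the new instance.
# Every key ID is the same except sslserver, as expected when the new CA is on
# a different host. The IDs other than ca_signing are placeholders.
old_keys='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      11111111aaaaaaaa11111111aaaaaaaa11111111   ca_ocsp_signing
< 1> rsa      22222222bbbbbbbb22222222bbbbbbbb22222222   ca_audit_signing
< 2> rsa      7bd4dc662670ebe08a35086b054175559608ac20   ca_signing
< 3> rsa      44444444dddddddd44444444dddddddd44444444   subsystem
< 4> rsa      55555555eeeeeeee55555555eeeeeeee55555555   sslserver'
new_keys='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      7bd4dc662670ebe08a35086b054175559608ac20   ca_signing
< 1> rsa      11111111aaaaaaaa11111111aaaaaaaa11111111   ca_ocsp_signing
< 2> rsa      22222222bbbbbbbb22222222bbbbbbbb22222222   ca_audit_signing
< 3> rsa      44444444dddddddd44444444dddddddd44444444   subsystem
< 4> rsa      66666666ffffffff66666666ffffffff66666666   sslserver'

# key_id <listing> <nickname>: print the key ID for a nickname, or nothing.
# Key lines start with "<"; the ID is the second-to-last field, the nickname the last.
key_id() {
    printf '%s\n' "$1" | awk -v nick="$2" '/^</ && $NF == nick { print $(NF-1) }'
}

# same_key <old listing> <new listing> <nickname>: succeed only if both
# instances list the nickname with an identical key ID.
same_key() {
    a=$(key_id "$1" "$3"); b=$(key_id "$2" "$3")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# check_migration: the PKI 10.5 expectation, all keys carried over except sslserver.
# Returns 1 if any other key ID changed (for PKI 10.4 only ca_signing must match).
check_migration() {
    rc=0
    for nick in ca_signing ca_ocsp_signing ca_audit_signing subsystem sslserver; do
        if same_key "$old_keys" "$new_keys" "$nick"; then
            echo "$nick: key ID unchanged"
        elif [ "$nick" = sslserver ]; then
            echo "$nick: key ID differs (acceptable on a different host)"
        else
            echo "$nick: key ID MISMATCH"; rc=1
        fi
    done
    return $rc
}
```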

Verifying CA admin

Verify that the CA admin can access the server with the following command:

$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-user-find
-----------------
3 entries matched
-----------------
  User ID: CA-pki.example.com-8443
  Full name: CA-pki.example.com-8443

  User ID: caadmin
  Full name: caadmin

  User ID: pkidbuser
  Full name: pkidbuser
----------------------------
Number of entries returned 3
----------------------------