Setting up KRA Connector
This page describes the manual process to set up a KRA connector after installing standalone CA and KRA or their containers to support certificate enrollment with key archival.
The process consists of the following steps:

- Setting up CA subsystem user in KRA
- Configuring KRA connector in CA

Prerequisites:

- Install standalone CA or its container
- Install standalone KRA or its container
To set up the CA subsystem user (e.g. CA) in KRA locally, execute the following commands:
```
$ pki-server kra-user-add \
    --full-name "CA" \
    --type agentType \
    --cert ca_subsystem.crt \
    CA
$ pki-server kra-user-role-add \
    CA \
    "Trusted Managers"
```
To set up the CA subsystem user (e.g. CA) in KRA remotely, execute the following commands:
```
$ pki \
    -U https://kra.example.com:8443 \
    -n admin \
    kra-user-add \
    --fullName "CA" \
    --type agentType \
    --cert-file ca_subsystem.crt \
    CA
$ pki \
    -U https://kra.example.com:8443 \
    -n admin \
    kra-user-membership-add \
    CA \
    "Trusted Managers"
```
To configure KRA connector in the CA locally, execute the following command:
```
$ pki-server ca-connector-add \
    --url https://kra.example.com:8443 \
    --nickname subsystem \
    --transport-cert kra_transport.crt \
    KRA
```
Alternatively, set the connector parameters directly in the CA configuration with the following commands:

```
$ pki-server ca-config-set ca.connector.KRA.enable true
$ pki-server ca-config-set ca.connector.KRA.host kra.example.com
$ pki-server ca-config-set ca.connector.KRA.local false
$ pki-server ca-config-set ca.connector.KRA.nickName subsystem
$ pki-server ca-config-set ca.connector.KRA.port 8443
$ pki-server ca-config-set ca.connector.KRA.timeout 30
$ pki-server ca-config-set ca.connector.KRA.uri /kra/agent/kra/connector
$ pki-server ca-config-set ca.connector.KRA.transportCert <base64-encoded KRA transport cert>
```
To configure KRA connector in the CA remotely, prepare the following file (e.g. kra-connector.json):
```json
{
    "host": "kra.example.com",
    "port": "8443",
    "transportCert": "<base64-encoded KRA transport cert>"
}
```
Then execute the following command:
```
$ pki \
    -U https://ca.example.com:8443 \
    -n admin \
    ca-kraconnector-add \
    --input-file kra-connector.json
```
Note: Make sure the user executing the operation is a member of Enterprise KRA Administrators.
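As an added example (not part of this wiki page or of the pki tooling), the following Python script produces the single-line base64 value that both the `ca.connector.KRA.transportCert` setting and the `transportCert` field of kra-connector.json expect from a PEM transport certificate, renders both forms, and checks an existing `ca.connector.KRA.*` block for a missing key, a disabled connector or a placeholder left in place of the certificate. The certificate bytes are constructed for the example and are not a real KRA transport certificate.

```python
import base64
import json
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
REQUIRED = ("enable", "host", "local", "nickName", "port", "timeout", "uri", "transportCert")

# Constructed stand-in for kra_transport.crt: valid base64, NOT a real certificate.
SAMPLE_BODY = base64.b64encode(b"constructed KRA transport cert bytes for the example").decode()
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + SAMPLE_BODY + "\n-----END CERTIFICATE-----\n"


def pem_to_base64(pem: str) -> str:
    """Return the single-line base64 body that CS.cfg and kra-connector.json expect."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    body = "".join(m.group(1).split())      # drop the line breaks inside the PEM body
    base64.b64decode(body, validate=True)   # reject anything that is not clean base64
    return body


def build_connector_json(host: str, port: int, pem: str) -> str:
    """Render kra-connector.json for 'pki ca-kraconnector-add --input-file'."""
    return json.dumps({"host": host, "port": str(port), "transportCert": pem_to_base64(pem)}, indent=2)


def connector_config_lines(host: str, port: int, pem: str, nickname: str = "subsystem", timeout: int = 30) -> list:
    """Produce the ca.connector.KRA.* lines that the ca-config-set commands above write."""
    values = {"enable": "true", "host": host, "local": "false", "nickName": nickname,
              "port": str(port), "timeout": str(timeout), "uri": "/kra/agent/kra/connector",
              "transportCert": pem_to_base64(pem)}
    return [f"ca.connector.KRA.{key}={values[key]}" for key in REQUIRED]


def check_connector_config(lines: list) -> list:
    """Return the problems found in a CS.cfg-style KRA connector block (empty list means OK)."""
    cfg = dict(line.split("=", 1) for line in lines if line.startswith("ca.connector.KRA."))
    problems = [f"missing ca.connector.KRA.{k}" for k in REQUIRED if f"ca.connector.KRA.{k}" not in cfg]
    if cfg.get("ca.connector.KRA.enable") not in (None, "true"):
        problems.append("connector is not enabled")
    if not cfg.get("ca.connector.KRA.port", "8443").isdigit():
        problems.append("port is not numeric")
    cert = cfg.get("ca.connector.KRA.transportCert")
    if cert is not None:
        try:
            base64.b64decode(cert, validate=True)   # catches an unreplaced <...> placeholder
        except ValueError:
            problems.append("transportCert is not valid base64")
    return problems
```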