Chapter 6. Prerequisites for installation
The Red Hat Certificate System installation process requires some preparation of the environment. This chapter describes the requirements, dependencies, and other prerequisites for installing Certificate System in a Common Criteria environment.
6.1. Installing and subscribing the RHEL machines
Red Hat Certificate System requires Red Hat Enterprise Linux 8.6.
Prerequisites
- You have an installation image of the latest build of RHEL 8.6 x86_64.
Procedure
1. On both machines, install RHEL 8 with all z-stream updates.
   Both BaseOS and AppStream repositories must be enabled (by default, those repositories are part of the full installation image that is available on the Red Hat Customer Portal and are already enabled).
   For example, to make sure the BaseOS and AppStream repositories are enabled for RHEL x86_64:
   # subscription-manager repos --enable rhel-8-for-x86_64-baseos-rpms
   # subscription-manager repos --enable rhel-8-for-x86_64-appstream-rpms
   Both machines should be registered and subscribed with a valid RHEL subscription. For example:
   # subscription-manager register --username=<customer access portal username>
   NOTE: Check whether Simple Content Access (SCA) mode is enabled on your account using:
   # subscription-manager status
   After registering with subscription-manager, if you experience any issues installing packages from the enabled BaseOS and AppStream repositories, disable SCA in the subscription management page in the Access Portal. If you are not the administrator of your account, you will need to ask the administrator to do so. Attach the pool ID containing your Red Hat Enterprise Linux subscription using the same method as outlined in the step below, and then try again to install the packages.
2. Attach the Red Hat subscriptions to the system. If your system already has a subscription attached that provides Certificate System, or if Simple Content Access (SCA) is set to the default setting (enabled), skip to step 3.
   a. List the available subscriptions and note the pool ID providing Red Hat Certificate System. For example:
      # subscription-manager list --available --all
      ...
      Subscription Name: Red Hat Enterprise Linux Developer Suite
      Provides:          ...
                         Red Hat Certificate System
                         ...
      Pool ID:           7aba89677a6a38fc0bba7dac673f7993
      Available:         1
      ...
      Depending on the number of subscriptions you have, the output can be very long. In this case, you can redirect it to a file:
      # subscription-manager list --available --all > /root/subscriptions.txt
   b. Attach the Certificate System subscription to the system using the pool ID from the previous step:
      # subscription-manager attach --pool=7aba89677a6a38fc0bba7dac673f7993
      Successfully attached a subscription for: Red Hat Enterprise Linux Developer Suite
3. "Pin" the RHEL version to 8.6 by using the subscription-manager release --set command. For example:
   # subscription-manager release --list
   # subscription-manager release --set 8.6
   Verification:
   # subscription-manager release --show
4. In addition, on rhcs10.example.com, install the environment group Server with GUI:
   # dnf groupinstall "Server with GUI"
6.2. Enabling the repositories
Before you can install and update Red Hat Certificate System, you must enable the corresponding repositories for Certificate System and Directory Server.
Prerequisites
- You have installed and subscribed both machines (one for Certificate System and one for Directory Server). See Section 6.1, “Installing and subscribing the RHEL machines”.
Enabling online repositories
If you are installing Red Hat Certificate System with online repositories, follow the steps below on the Certificate System and on the Directory Server machine:
1. Enable the Certificate System repository on rhcs10.example.com:
   # subscription-manager repos --enable certsys-10.x-for-rhel-8-x86_64-rpms
   Where x denotes the latest Certificate System version. For example, to enable the Certificate System repository for Red Hat Certificate System 10.4, use the following command:
   # subscription-manager repos --enable certsys-10.4-for-rhel-8-x86_64-rpms
   Repository 'certsys-10.4-for-rhel-8-x86_64-rpms' is enabled for this system.
2. Enable the Directory Server repository on rhds11.example.com:
   # subscription-manager repos --enable=dirsrv-11-for-rhel-8-x86_64-rpms
   Repository 'dirsrv-11-for-rhel-8-x86_64-rpms' is enabled for this system.
For compliance, only enable Red Hat approved repositories. You can only enable repositories approved by Red Hat through the subscription-manager utility.
ISO repositories
If you are installing RHCS with ISO repositories, follow the steps below:
On rhcs10.example.com:
1. Create a repo file in /etc/yum.repos.d/:
   # vi /etc/yum.repos.d/redhat.repo
   [rhcs10]
   name=rhcs10
   baseurl=http://rhcs10.example.com/rhcs10/
   enabled=1
   gpgcheck=1
   gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
   skip_if_unavailable=1
2. Install the Apache web server, if it is not already installed on the system:
   # dnf install httpd
3. Start the httpd service:
   # service httpd start
4. Create a directory that will be used as the web root for hosting the ISO repository. For example:
   # mkdir -p /var/www/html/rhcs10
5. Mount the ISO to the directory. For example:
   # mount -o loop XXXXXXX-CertificateSystem-x86_64-dvd1.iso /var/www/html/rhcs10
On rhds11.example.com:
1. Create a repo file in /etc/yum.repos.d/:
   # vi /etc/yum.repos.d/redhat.repo
   [rhds11]
   name=rhds11
   baseurl=http://rhds11.example.com/rhds11/
   enabled=1
   gpgcheck=1
   gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
   skip_if_unavailable=1
2. Install the Apache web server, if it is not already installed on the system:
   # dnf install httpd
3. Start the httpd service:
   # service httpd start
4. Create a directory that will be used as the web root for hosting the ISO repository. For example:
   # mkdir -p /var/www/html/rhds11
5. Mount the ISO to the directory. For example:
   # mount -o loop XXXXXXX-DirectoryServer-x86_64-dvd1.iso /var/www/html/rhds11
6.3. Setting the FQDN
Make sure the Fully Qualified Domain Name (FQDN) of each host matches how you wish them to be recognized. For example, run the following on both machines:
# hostname
If a hostname is not what you expect it to be, you can configure the FQDN using hostnamectl. For example, to update the CS machine’s hostname:
# hostnamectl set-hostname rhcs10.example.com
To update the DS machine’s hostname:
# hostnamectl set-hostname rhds11.example.com
Additionally, add both the CS and DS machines' IP addresses and new hostnames as entries in /etc/hosts:
# vi /etc/hosts
127.0.0.1    localhost localhost.localdomain localhost4 localhost4.localdomain4
::1          localhost localhost.localdomain localhost6 localhost6.localdomain6
10.1.111.111 rhcs10.example.com
10.2.222.222 rhds11.example.com
Verify the FQDN again after the change:
# hostname
6.4. Enabling FIPS on RHEL 8
FIPS mode must be enabled before you install the Certificate System.
To check whether your system is in FIPS mode, run the following command:
# sysctl crypto.fips_enabled
If the returned value is 1, FIPS mode is enabled.
The following procedure demonstrates how to enable the Federal Information Processing Standard (FIPS) mode on both rhcs10.example.com and rhds11.example.com.
1. To switch to FIPS mode, use the fips-mode-setup --enable command:
   # fips-mode-setup --enable
   Kernel initramdisks are being regenerated. This might take some time.
   Setting system policy to FIPS
   Note: System-wide crypto policies are applied on application start-up.
   It is recommended to restart the system for the change of policies
   to fully take place.
   FIPS mode will be enabled.
   Please reboot the system for the setting to take effect.
2. Restart your system to allow the kernel to switch to FIPS mode:
   # reboot
3. Verify the current state of FIPS mode after the restart:
   # fips-mode-setup --check
   FIPS mode is enabled.
If an existing directory server is running on a non-FIPS RHEL 8 system that has only just had its FIPS enabled, you will need to reset the Directory Manager password to allow the existing directory server to run properly. For more information, see Managing the Directory Manager Password in the Red Hat Directory Server Administration Guide.
6.5. Setting up fapolicyd (for STIG environments)
The fapolicyd software framework controls the execution of applications based on a user-defined policy. In a STIG environment, installing Certificate System will fail if fapolicyd is not set up properly. The following procedure describes how to add the rules needed to install and run RHCS instances.
Do not follow this section unless you are certain that your system is in a STIG environment. If you complete the procedure below unnecessarily and later run into issues when running pkispawn, you will need to revert the changes before proceeding.
Procedure
To add the required fapolicyd rule:
1. As root, create a file under /etc/fapolicyd/rules.d/ with a unique name. The prefix must be a number in the 30s range, which sets the priority, for example 35-allow-java.rules or 39-allow-java.rules:
   # vi /etc/fapolicyd/rules.d/35-allow-java.rules
2. Add the following rule:
   allow perm=open dir=/usr/lib/jvm/ : dir=/usr/share/tomcat/bin/ ftype=application/java-archive
3. After saving the file, restart the fapolicyd service to recompile the rules:
   # systemctl restart fapolicyd.service
6.6. Configuring an HSM
To use a Hardware Security Module (HSM), a Federal Information Processing Standard (FIPS) 140-2 validated HSM is required. Red Hat Certificate System supports the nShield Connect XC hardware security module (HSM) and the Thales Luna HSM by default (see Section 4.4, “Supported Hardware Security Modules” for more information on Luna’s limitations). Certificate System-supported HSMs are automatically added to the pkcs11.txt database with the modutil command during the pre-configuration stage of the installation, if the PKCS #11 library modules are in the specified installation paths.
- Configure rhcs10.example.com to be the HSM client machine. Follow the instructions provided by your HSM vendor for your specific HSM brand, model and release.
In our example, an nShield Connect XC unit is installed and configured with the latest software and firmware for compliance with FIPS 140-2 (Level 3). As of this writing the RFS software is SecWorld_Lin64-12.71.0, the firmware is nShield firmware 12.72.1 (FIPS certified), image 12.80.5.
6.6.1. FIPS mode on an HSM
To use a Hardware Security Module (HSM), a Federal Information Processing Standard (FIPS) 140-2 validated HSM is required. Certain deployments require their HSM to be set up to use FIPS mode. To enable FIPS mode on HSMs, refer to your HSM vendor’s documentation.
- nShield Connect XC HSM
  On an nShield Connect XC HSM, FIPS mode can only be enabled when generating the Security World; this cannot be changed afterwards. While there is a variety of ways to generate the Security World, the preferred method is always to use the new-world command. For guidance on how to generate a FIPS-compliant Security World, follow the HSM vendor’s documentation.
- Luna HSM
  Similarly, enabling FIPS mode on a Luna HSM must be done during the initial configuration, since changing this policy zeroizes the HSM as a security measure. For details, refer to the Luna HSM vendor’s documentation. See Section 4.4, “Supported Hardware Security Modules” for more information on Luna’s limitations.
The steps below help you verify whether FIPS mode is enabled for nShield Connect XC and Luna HSMs. For other HSMs, refer to your HSM manufacturer’s documentation.
nShield Connect XC HSM
To verify whether FIPS mode is enabled on an nShield HSM, enter:
# /opt/nfast/bin/nfkminfo
With older versions of the software, if StrictFIPS140 is listed in the state flags, FIPS mode is enabled. In newer versions, it is better to check the mode line and look for fips1402level3. In all cases, there should also be an hkfips key present in the nfkminfo output.
Luna HSM
To verify whether FIPS mode is enabled on a Luna HSM:
1. Open the lunash management console.
2. Use the hsm show command and verify that the output contains the text "The HSM is in FIPS 140-2 approved operation mode.":
   lunash:> hsm show
   ...
   FIPS 140-2 Operation:
   =====================
   The HSM is in FIPS 140-2 approved operation mode.
   ...
Refer to your HSM vendor’s documentation for complete procedures.
6.6.2. Setting up SELinux for an HSM
Certain HSMs require that you manually update SELinux settings before you can install Certificate System. The following describes nShield and Luna HSMs. For other HSMs, refer to your HSM manufacturer’s documentation.
- nShield Connect XC
  After you have installed the HSM and before you start installing Certificate System:
  1. Reset the context of files in the /opt/nfast/ directory:
     # restorecon -R /opt/nfast/
  2. Restart the nfast software:
     # /opt/nfast/sbin/init.d-ncipher restart
- Thales Luna HSM
  No SELinux-related actions are required before you start installing Certificate System.
For details about supported HSMs and their limits, see Section 4.4, “Supported Hardware Security Modules”.
6.6.3. Preparing for installing Certificate System with an HSM
In Chapter 7, Installing and configuring Red Hat Certificate System, you are instructed to use the following parameters in the configuration file you pass to the pkispawn utility when installing Certificate System with an HSM:
...
[DEFAULT]
##########################
# Provide HSM parameters #
##########################
pki_hsm_enable=True
pki_hsm_libfile=hsm_libfile
pki_hsm_modulename=hsm_modulename
pki_token_name=hsm_token_name
pki_token_password=pki_token_password
########################################
# Provide PKI-specific HSM token names #
########################################
pki_audit_signing_token=hsm_token_name
pki_ssl_server_token=hsm_token_name
pki_subsystem_token=hsm_token_name
...
- The values of the pki_hsm_libfile and pki_token_name parameters depend on your specific HSM installation. These values allow the pkispawn utility to set up your HSM and enable Certificate System to connect to it.
- The value of pki_token_password depends upon your particular HSM token’s password. The password gives the pkispawn utility read and write permissions to create new keys on the HSM.
- The value of pki_hsm_modulename is a name used in later pkispawn operations to identify the HSM. The string is an identifier you can set to whatever you like. It allows pkispawn and Certificate System to refer to the HSM and configuration information by name in later operations.
The following section provides settings for individual HSMs. If your HSM is not listed, consult your HSM manufacturer’s documentation.
nShield HSM parameters
For a nShield Connect XC, set the following parameters:
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
Note that you can set the value of pki_hsm_modulename to any value. The above is a suggested value.
To identify the token name, run the following command as the root user:
# /opt/nfast/bin/nfkminfo
Module #1 Slot #0 IC 1
generation 1
phystype SmartCard
slotlistflags 0x2 SupportsAuthentication
state 0x5 Operator
flags 0x10000
shareno 1 (`CONNXC-1')
shares LTU(PIN) LTFIPS
error OK
Cardset
name "NHSM-CONN-XC"
k-out-of-n 1/2
flags Persistent PINRecoveryForbidden(disabled) !RemoteEnabled
timeout none
card names "CONNXC-1" "CONNXC-2"
hkltu xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
gentime 2021-11-17 21:19:47
Module #1 Slot #1 IC 0
generation 1
phystype SoftToken
slotlistflags 0x0
state 0x2 Empty
flags 0x0
shareno 0
shares
error OK
No Cardset
No Pre-Loaded Objects
The value of the name field in the Cardset section lists the token name.
Set the token name as follows:
pki_token_name=NHSM-CONN-XC
SafeNet / Luna HSM parameters
For a SafeNet / Luna HSM, such as a SafeNet Luna Network HSM, specify the following parameters:
pki_hsm_libfile=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
pki_hsm_modulename=thalesluna
Note that you can set the value of pki_hsm_modulename to any value. The above is a suggested value.
To identify the token name, run the following command as the root user:
# /usr/safenet/lunaclient/bin/vtl verify
The following Luna Slots/Partitions were found:
Slot Serial # Label
=== =============== =====
0 1209461834772 thaleslunaQE
The value in the label column lists the token name.
Set the token name as follows:
pki_token_name=thaleslunaQE
Please see Section 4.4, “Supported Hardware Security Modules” for more information on Luna’s limitations.
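As an added example (not from the Red Hat documentation or from pkispawn itself), the following Python helper pulls the token name out of the two tool outputs shown above and checks the HSM block of a pkispawn configuration against it. The nfkminfo, vtl verify and pkispawn samples it embeds are constructed from the listings in this section; HSM_LIBFILES, the token password placeholder and the function names are the example's own.

```python
import configparser
import re
from typing import Dict, List, Optional

# Constructed, abridged sample of `/opt/nfast/bin/nfkminfo` output.
NFKMINFO_SAMPLE = """\
Module #1 Slot #0 IC 1
 state       0x5 Operator
 Cardset
 name        "NHSM-CONN-XC"
 k-out-of-n  1/2
Module #1 Slot #1 IC 0
 No Cardset
"""
# Constructed sample of `/usr/safenet/lunaclient/bin/vtl verify` output.
VTL_VERIFY_SAMPLE = """\
The following Luna Slots/Partitions were found:
Slot    Serial #          Label
====    ================  =====
   0    1209461834772     thaleslunaQE
"""
# Constructed pkispawn fragment for the nShield case; the password is a placeholder.
PKISPAWN_HSM_SAMPLE = """\
[DEFAULT]
pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
pki_token_name=NHSM-CONN-XC
pki_token_password=<hsm-token-password>
pki_audit_signing_token=NHSM-CONN-XC
pki_ssl_server_token=NHSM-CONN-XC
pki_subsystem_token=NHSM-CONN-XC
"""
# PKCS #11 library paths the text gives for the two suggested module names.
HSM_LIBFILES = {
    "nfast": "/opt/nfast/toolkits/pkcs11/libcknfast.so",
    "thalesluna": "/usr/safenet/lunaclient/lib/libCryptoki2_64.so",
}

def token_name_from_nfkminfo(output: str) -> Optional[str]:
    """Return the Cardset name (the nShield token name), or None if no Cardset is loaded."""
    in_cardset = False
    for line in output.splitlines():
        stripped = line.strip()
        if stripped == "Cardset":
            in_cardset = True
        elif in_cardset:
            match = re.match(r'name\s+"([^"]+)"', stripped)
            if match:
                return match.group(1)
    return None

def token_names_from_vtl_verify(output: str) -> Dict[int, str]:
    """Return {slot: label} for every partition row of `vtl verify`; the label is the token name."""
    slots = {}
    for line in output.splitlines():
        match = re.match(r"\s*(\d+)\s+(\d+)\s+(\S+)\s*$", line)
        if match:
            slots[int(match.group(1))] = match.group(3)
    return slots

def check_hsm_config(cfg_text: str, token_name: str) -> List[str]:
    """Return the problems found in the [DEFAULT] HSM parameters (empty list = consistent)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    d = cfg["DEFAULT"]
    problems = []
    if d.get("pki_hsm_enable", "False") != "True":
        problems.append("pki_hsm_enable must be True for an HSM installation")
    modname = d.get("pki_hsm_modulename", "")
    if modname in HSM_LIBFILES and d.get("pki_hsm_libfile") != HSM_LIBFILES[modname]:
        problems.append(f"pki_hsm_libfile does not match the {modname} library path")
    if d.get("pki_token_name") != token_name:
        problems.append(f"pki_token_name should be {token_name!r} (from the HSM tool output)")
    # The three per-subsystem token parameters must point at the same HSM token.
    for key in ("pki_audit_signing_token", "pki_ssl_server_token", "pki_subsystem_token"):
        if d.get(key) != d.get("pki_token_name"):
            problems.append(f"{key} must name the same token as pki_token_name")
    if not d.get("pki_token_password"):
        problems.append("pki_token_password is empty")
    return problems
```

On a live client, feed the real nfkminfo or vtl verify output and the configuration file you intend to pass to pkispawn.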
6.6.4. Testing the HSM connection
To test the HSM connection:
1. Create a temporary database:
   # mkdir -p /root/tmp1
   # certutil -N -d /root/tmp1
2. Add the PKCS #11 library module to the database:
   nShield Connect XC:
   # modutil -dbdir /root/tmp1 -nocertdb -add nfast -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so
   ---
   Module "nfast" added to database.
   Thales Luna:
   # modutil -dbdir ~/testLuna -nocertdb -add thalesluna -libfile /usr/safenet/lunaclient/lib/libCryptoki2_64.so
   ---
   Module "thalesluna" added to database.
3. List the modules and note down the HSM name shown at "token:" for the next step (for example, NHSM-CONN-XC in the example below):
   # modutil -dbdir /root/tmp1 -list
   1. NSS Internal PKCS #11 Module
   …
   token: NSS FIPS 140-2 Certificate DB
   …
   2. nfast
   …
   token: accelerator
   …
   token: NHSM-CONN-XC
   …
4. Display the certificates for this token:
   # certutil -L -d /root/tmp1 -h <token name>
6.7. Verifying SELinux enforcement
Security-Enhanced Linux (SELinux) is an implementation of a mandatory access control mechanism in the Linux kernel, checking for allowed operations after standard discretionary access controls are checked. SELinux can enforce rules on files and processes in a Linux system, and on their actions, based on defined policies.
By default, RHEL 8 is installed with SELinux enabled. The SELinux policy must be set to Enforcing.
To verify the current SELinux mode:
# /usr/sbin/getenforce
Enforcing
# /usr/sbin/sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
Optional: If you need to set the policy to Enforcing:
# /usr/sbin/setenforce 1
Enforcing
6.8. Adding ports to the firewall and with SELinux context
In our examples, Certificate System subsystems use the following ports. You might want to bookmark the following table for ease of reference to selected ports used by the example installations.
| Instance and services | Ports (RSA) | Ports (ECC) |
|---|---|---|
| RootCA | | |
| HTTP / HTTPS | 8080 / 8443 | 20080 / 20443 |
| CRL HTTP | 8085 | 20085 |
| LDAP | 389 / 636 | 1389 / 1636 |
| Tomcat | 8009 / 8005 | 20009 / 20005 |
| SubCA | | |
| HTTP / HTTPS | 31080 / 31443 | 21080 / 21443 |
| CRL HTTP | 31085 | 21085 |
| LDAP | 7389 / 7636 | 8389 / 8636 |
| Tomcat | 31009 / 31005 | 21009 / 21005 |
| OCSP (RootCA) | | |
| HTTP / HTTPS | 33080 / 33443 | 34080 / 34443 |
| LDAP | 6389 / 6636 | 2389 / 2636 |
| Tomcat | 33009 / 33005 | 34009 / 34005 |
| CRL publishing | 12389 / 12636 | 13389 / 13636 |
| OCSP (SubCA) | | |
| HTTP / HTTPS | 32080 / 32443 | 22080 / 22443 |
| LDAP | 11389 / 11636 | 9389 / 9636 |
| Tomcat | 32009 / 32005 | 22009 / 22005 |
| CRL publishing | 5389 / 5636 | 14389 / 14636 |
| KRA | | |
| HTTP / HTTPS | 28080 / 28443 | 23080 / 23443 |
| LDAP | 22389 / 22636 | 4389 / 4636 |
| Tomcat | 28009 / 28005 | 23009 / 23005 |
| TKS | | |
| HTTP / HTTPS | 24080 / 24443 | N/A |
| LDAP | 16389 / 16636 | N/A |
| Tomcat Management | 14009 / 14005 | N/A |
| TPS | | |
| HTTP / HTTPS | 25080 / 25443 | N/A |
| LDAP | 17389 / 17636 | N/A |
| TPS Auth | 9389 / 9636 | N/A |
| Tomcat Management | 14019 / 14015 | N/A |
When you set up Certificate System using the pkispawn utility, you can customize the port numbers. If you use different ports than the ones listed above, open them correspondingly in the firewall as described below.
To enable communication between the clients and Certificate System, open the required ports in your firewall on the machine that will be hosting the corresponding service:
1. Make sure the firewalld service is running:
   # systemctl status firewalld
   To start firewalld and configure it to start automatically when the system boots:
   # systemctl start firewalld
   # systemctl enable firewalld
Adding ports to the firewall
2. Open the required ports using the firewall-cmd utility. For example, to open the default ports for the RootCA instance in the default firewall zone:
   # firewall-cmd --permanent --add-port={8080/tcp,8443/tcp,8009/tcp,8005/tcp}
   Additionally, to open the default ports for the RootCA’s LDAP instance:
   # firewall-cmd --permanent --add-port={389/tcp,636/tcp}
3. Verify that all ports that will be used are successfully added to the firewall:
   # firewall-cmd --list-ports
4. Reload the firewall configuration to ensure that the change takes place immediately:
   # firewall-cmd --reload
Adding ports with SELinux context
If you want to use non-default ports, you need to add them with the SELinux context. Otherwise, you will get an error like the following: Installation failed: port 33080 has invalid selinux context ephemeral_port_t.
1. For CS instances, add the SELinux context type http_port_t to all ports that will be used. You can do this quickly with a for loop over all the ports you need to add. For example, to add the default HTTP, HTTPS and Tomcat ports of all the CS instances listed in the table above:
   # for port in 8080 8443 8009 8005 31080 31443 31009 31005 33080 33443 33009 33005 32080 32443 32009 32005 28080 28443 28009 28005 24080 24443 14009 14005 25080 25443 14019 14015; do semanage port -a -t http_port_t -p tcp $port; done
2. For DS ports, replace the port type option http_port_t with ldap_port_t. For example, for the LDAP ports of all the instances listed in the table above:
   # for port in 389 636 7389 7636 6389 6636 12389 12636 11389 11636 5389 5636 22389 22636 16389 16636 17389 17636; do semanage port -a -t ldap_port_t -p tcp $port; done
3. Verify that all ports that will be used are successfully added with the SELinux context:
   # semanage port -l
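Added example, not part of this guide: a Python helper that parses a semanage port -l listing (a constructed excerpt stands in for the real one) and works out, for each port in the table above, whether it needs semanage port -a, is already labelled with the wanted type, or already carries a different type, in which case semanage port -a fails with an "already defined" error and semanage port -m must be used instead; it also builds the firewall-cmd call from a port list. The sample listing, the port lists and the function names are the example's own.

```python
import re
from typing import List, Optional, Tuple

# Constructed excerpt of `semanage port -l` (the real listing is much longer); on a
# live system use subprocess.run(["semanage", "port", "-l"], capture_output=True, text=True).stdout
SEMANAGE_SAMPLE = """\
SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ldap_port_t                    tcp      389, 636, 3268, 3269, 7389
ldap_port_t                    udp      389, 636
"""

# Default RSA ports from the table above, grouped by the SELinux type they need.
CS_HTTP_PORTS = [8080, 8443, 8009, 8005, 31080, 31443, 31009, 31005, 33080, 33443,
                 33009, 33005, 32080, 32443, 32009, 32005, 28080, 28443, 28009, 28005,
                 24080, 24443, 14009, 14005, 25080, 25443, 14019, 14015]
DS_LDAP_PORTS = [389, 636, 7389, 7636, 6389, 6636, 12389, 12636, 11389, 11636,
                 5389, 5636, 22389, 22636, 16389, 16636, 17389, 17636]

PortEntry = Tuple[str, str, int, int]  # (selinux type, proto, low port, high port)


def parse_semanage_ports(listing: str) -> List[PortEntry]:
    """Expand every 'type proto a, b-c' line of `semanage port -l` into port ranges."""
    entries = []
    for line in listing.splitlines():
        match = re.match(r"(\S+_port_t)\s+(tcp|udp)\s+(.*)$", line.strip())
        if not match:
            continue  # header, blank line or a type without ports
        stype, proto, ports = match.groups()
        for item in ports.split(","):
            low, _, high = item.strip().partition("-")
            entries.append((stype, proto, int(low), int(high or low)))
    return entries


def current_type(entries: List[PortEntry], proto: str, port: int) -> Optional[str]:
    """Return the SELinux type already covering proto/port, or None if it is unlabelled."""
    for stype, p, low, high in entries:
        if p == proto and low <= port <= high:
            return stype
    return None


def plan_port_labels(listing: str, wanted: str, ports: List[int], proto: str = "tcp") -> List[str]:
    """Return the semanage command (or a note) for each port so that it ends up as `wanted`."""
    entries = parse_semanage_ports(listing)
    plan = []
    for port in ports:
        have = current_type(entries, proto, port)
        if have is None:
            plan.append(f"semanage port -a -t {wanted} -p {proto} {port}")
        elif have == wanted:
            plan.append(f"# {proto}/{port} already {wanted}")
        else:  # -a would fail with "already defined"; -m changes the existing label
            plan.append(f"semanage port -m -t {wanted} -p {proto} {port}")
    return plan


def firewall_add_port_command(ports: List[int], proto: str = "tcp") -> str:
    """Build the single permanent firewall-cmd call that opens all given ports."""
    return "firewall-cmd --permanent --add-port={" + ",".join(f"{p}/{proto}" for p in ports) + "}"


if __name__ == "__main__":
    print(firewall_add_port_command([8080, 8443, 8009, 8005]))
    for cmd in plan_port_labels(SEMANAGE_SAMPLE, "http_port_t", CS_HTTP_PORTS):
        print(cmd)
    for cmd in plan_port_labels(SEMANAGE_SAMPLE, "ldap_port_t", DS_LDAP_PORTS):
        print(cmd)
```

Review the printed plan before running it: a port that the sample shows under another type (8080 under http_cache_port_t) is relabelled, which affects every service that relied on the old label.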
6.9. Installing RHCS and RHDS packages
This section describes the installation of Red Hat Directory Server (RHDS) and Red Hat Certificate System (RHCS) packages and their initial configuration.
When installing the Certificate System packages you can either install them for each subsystem individually or all at once.
The following subsystem packages and components are available in Red Hat Certificate System:
- pki-ca: Provides the Certificate Authority (CA) subsystem.
- pki-kra: Provides the Key Recovery Authority (KRA) subsystem.
- pki-ocsp: Provides the Online Certificate Status Protocol (OCSP) responder.
- pki-tks: Provides the Token Key Service (TKS).
- pki-tps: Provides the Token Processing Service (TPS).
- pki-server and redhat-pki-server-theme: Provide the web-based Certificate System interface. Both packages must be installed. They are installed as a dependency if you install one of the following packages: pki-ca, pki-kra, pki-ocsp, pki-tks, pki-tps.
- pki-console and redhat-pki-console-theme: Provide the Java-based Red Hat PKI console. Both packages must be installed.
- pki-acme: Provides Automatic Certificate Management Environment (ACME). pki-est is available as a Technology Preview, providing Enrollment over Secure Transport (EST).
  NOTE: Technology Preview features provide early access to upcoming product functionality, and are not yet fully supported under subscription agreements.
ACME (Automatic Certificate Management Environment) and (EST) Enrollment over Secure Transport are not evaluated and must not be used in the Common Criteria configuration.
With the redhat-pki module, you can install all Certificate System subsystem packages and components at once on a RHEL 8 system. The redhat-pki module installs the five subsystems of Red Hat Certificate System: in addition to the pki-core module (CA, KRA), which is part of Red Hat Identity Management (IdM), it includes the RHCS-specific subsystems (OCSP, TKS and TPS) as well as the pki-deps module that takes care of the required dependencies.
Prerequisites
- You have enabled the corresponding repositories, as described in Section 6.2, “Enabling the repositories”.
Install the packages
Install the Red Hat Certificate System (RHCS) subsystem packages as follows:
On rhcs10.example.com, enable the RHCS module and install the RHCS 10.4 packages:
# dnf module enable redhat-pki
# dnf install redhat-pki
This installs the following packages:
idm-console-framework-1.3.0-1.module+el8pki+14677+1ef79a68.noarch.rpm
jss-4.9.10-1.module+el8pki+21949+4b2d0700.x86_64.rpm
jss-javadoc-4.9.10-1.module+el8pki+21949+4b2d0700.x86_64.rpm
ldapjdk-4.23.0-1.module+el8pki+14677+1ef79a68.noarch.rpm
ldapjdk-javadoc-4.23.0-1.module+el8pki+14677+1ef79a68.noarch.rpm
python3-redhat-pki-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-10.13.11-1.module+el8pki+21949+4b2d0700.x86_64.rpm
redhat-pki-acme-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-base-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-base-java-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-ca-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-console-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-console-theme-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-est-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-javadoc-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-kra-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-ocsp-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-server-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-server-theme-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-symkey-10.13.11-1.module+el8pki+21949+4b2d0700.x86_64.rpm
redhat-pki-tks-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-tools-10.13.11-1.module+el8pki+21949+4b2d0700.x86_64.rpm
redhat-pki-tps-10.13.11-1.module+el8pki+21949+4b2d0700.x86_64.rpm
tomcatjss-7.7.4-1.module+el8pki+21738+33a5e23b.noarch.rpm
In addition, on rhds11.example.com, install the RHDS module to install all the Red Hat Directory Server 11.5 packages:
# dnf module install redhat-ds:11
Create directories for storing pki files
On rhcs10.example.com:
# mkdir -p /root/pki_rsa
# mkdir -p /opt/pki_rsa
On rhds11.example.com:
# mkdir -p /root/pki_rsa/dirsrv
# mkdir -p /opt/pki_rsa
# mkdir -p /etc/dirsrv/save-rsa
Verifying Certificate System product version
The Red Hat Certificate System product version is stored in the /usr/share/pki/CS_SERVER_VERSION file.
To display the version:
# cat /usr/share/pki/CS_SERVER_VERSION
Red Hat Certificate System 10.4.3
To display the PKI version:
# cat /usr/share/pki/VERSION
Name: pki
Specification-Version: 10.13.11
Implementation-Version: 10.13.11-1.module+el8pki+21949+4b2d0700
Future updates will have newer version numbers (that is, 10.4.x).
Once you have a server installed and running, you could find the product version for each instance by accessing the URLs as instructed in Section 7.13.16, “Determining the product version”.
Updating Certificate System packages
To update Certificate System and operating system packages, use the dnf update command. For example:
# dnf update
This updates the whole system including the RHCS packages. You can verify the version number before and after updating packages, to confirm they were successfully installed.
Updating Certificate System requires the PKI infrastructure to be restarted. We suggest scheduling a maintenance window during which you can take the PKI infrastructure offline to install the update.
To optionally download updates without installing them, use the --downloadonly option in the above procedure:
# dnf update --downloadonly
The downloaded packages are stored in the /var/cache/yum/ directory. A later dnf update will use the downloaded packages if they are still the latest versions.