Red Hat SummitEste contenido no está disponible en el idioma seleccionado.
13.9. Configuration for Server-Side Key Generation for Certificate Enrollment using the CA EE Portal
This section describes how to configure Server-Side Key Generation for Certificate Enrollment using the CA EE Portal.
13.9.1. Installation Configuration
Copiar enlaceEnlace copiado en el portapapeles!
Note
A KRA instance is required in addition to the CA for setting up Server-Side Keygen.
Note
In case the CA and KRA are sharing a Tomcat instance, you do not need to execute the above step to import the transport certificate.
After installing the CA and KRA instances, in case of stand-alone Tomcat web server instances, you would need to add the KRA transport certificate to the nssdb of the CA.
- First, stop the CA:
# systemctl stop pki-tomcatd@ca_instance_name.serviceFor example:# systemctl stop pki-tomcatd@pki-ca.service - Find and export the KRA transport certificate into a file:
# grep "kra.transport.cert=" /var/lib/pki/kra_instance_name/kra/conf/CS.cfg | sed 's/kra.transport.cert=//' > kra transport cert fileFor example:# grep "kra.transport.cert=" /var/lib/pki/pki-kra/kra/conf/CS.cfg | sed 's/kra.transport.cert=//' > /tmp/kraTransport.cert - Import the KRA transport certificate into the nssdb of the CA, using the nickname specified in the CA's
CS.cfgfile:- List the transport certificate nickname:
grep "ca.connector.KRA.transportCertNickname" /var/lib/pki/ca_instance_name/ca/conf/CS.cfgFor example:# grep "ca.connector.KRA.transportCertNickname" /var/lib/pki/pki-ca/ca/conf/CS.cfg ca.connector.KRA.transportCertNickname=KRA transport cert- Import the certificate using the nickname listed from the previous step:
certutil -d /var/lib/pki/ca_instance_name/alias -A -t “,,” -n transportNickName -i kra transport cert fileFor example:# certutil -d /var/lib/pki/pki-ca/alias -A -t “,,” -n "KRA transport cert" -i /tmp/kraTransport.cert - Start the CA:
# systemctl start pki-tomcatd@ca_instance_name.serviceFor example:# systemctl start pki-tomcatd@pki-ca.service
13.9.2. Profile Configuration
Copiar enlaceEnlace copiado en el portapapeles!
Two default profiles,
caServerKeygen_UserCert and caServerKeygen_DirUserCert, are provided by default to allow for certificate enrollments where keys are generated on the server side. However, any profile with the right input, output, and policy set could be turned into a server-side keygen profile.
A Server-Side Keygen profile must contain the following components.
Input
input.i1.class_id=serverKeygenInputImplOutput
output.o1.class_id=pkcs12OutputImplPolicyset
Key type and key size parameters can be configured as exemplified below:
policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
policyset.userCertSet.3.constraint.name=Key Constraint
policyset.userCertSet.3.constraint.params.keyType=-
policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
policyset.userCertSet.3.default.class_id=serverKeygenUserKeyDefaultImpl
policyset.userCertSet.3.default.name=Server-Side Keygen Default
policyset.userCertSet.3.default.params.keyType=RSA
policyset.userCertSet.3.default.params.keySize=2048
policyset.userCertSet.3.default.params.enableArchival=trueAuthentication
The two default server-side keygen enrollment profiles differ in the authentication mechanism, where
- caServerKeygen_UserCert.cfgcontains an empty value to "auth.class_id=", meaning that enrollment requests through this profile will require approval from a CA agent.
- caServerKeygen_DirUserCert.cfgcontains "auth.instance_id=UserDirEnrollment", meaning that the user is required to pass LDAP uid/password authentication; such authentication mechanism is considered as an automatic certificate issuance as it does not require per-request approval from a CA agent.Automatic approval could be configured by setting the auth.instance_id directive to any compatible authentication plugin class, as examplified in the caServerKeygen_DirUserCert.cfg profile mentioned above. Here is an example of such a configuration in the
CS.cfgfile:auths.instance.UserDirEnrollment.dnpattern= auths.instance.UserDirEnrollment.ldap.basedn=ou=People,dc=example,dc=com auths.instance.UserDirEnrollment.ldap.ldapconn.host=host.example.com auths.instance.UserDirEnrollment.ldap.ldapconn.port=389 auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false auths.instance.UserDirEnrollment.ldap.maxConns= auths.instance.UserDirEnrollment.ldap.minConns= auths.instance.UserDirEnrollment.ldapByteAttributes= auths.instance.UserDirEnrollment.ldapStringAttributes=mail auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}