Red Hat SummitCe contenu n'est pas disponible dans la langue sélectionnée.
Chapter 20. Upgrading from Certificate System 9 to Certificate System 10
Users are recommended to upgrade to the most recent version of Red Hat Certificate System to get security and bug fixes through the Errata-Support channel. Currently, the most recent versions are RHCS 9.7 on RHEL 7.9 and RHCS 10.8 on RHEL 8.10.
20.1. Migrating a CA
A Certificate System migration using the existing certificate files requires the following steps:
20.1.1. Exporting data from the previous system
Before you set up the new Certificate System instance, export the data of the current certificate authority (CA) using the steps below. In this example, the CA’s instance name is <pki-rootCA> and is located at /var/lib/pki/<instance_name>.
Export the CA signing certificate and key.
# grep internal= /var/lib/pki/<instance_name>/conf/password.conf | awk -F= '{print $2;}' > internal.txt # echo <Secret.123> > password.txt # PKCS12Export -d /var/lib/pki/<instance_name>/alias -p internal.txt -o ca.p12 -w password.txtExport the Certificate Signing Requests (CSR).
# echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_signing.csr # sed -n "/^ca.signing.certreq=/ s/[=]*=// p" < /var/lib/pki/<instance_name>/ca/conf/CS.cfg >> ca_signing.csr # echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_signing.csrIf the old CA is an intermediate CA (with a single root CA in the chain), extract the root CA from the NSS database:
# certutil -L -d /var/lib/pki/<instance_name>/alias/ -n root_CA_nickname -a > ca_rootca_signing.crtBack up the internal LDAP database:
Find the name of the CA database by checking the value of internaldb.database in the CA’s
CS.cfg:# grep internaldb.database /etc/pki/<instance_name>/ca/CS.cfg internaldb.database=<CS_database_name>Export this database to a
.ldiffile using the instance-specific script generated bysetup-ds.plwhen the instance was created:# cd /usr/lib64/dirsrv/<instance_name> # ./db2ldif -n "<CS_database_name>" -a /tmp/old_ca.ldifThe
db2ldifcommand runs as the DB user, so it needs a destination folder with writing permissions.
-
Transfer the
old_ca.ldif,ca_p12,ca_signing.csrfiles to the new CA machine. If the CA being migrated is also an intermediate CA, transfer theca_rootca_signing.crtas well.
20.1.2. Verifying the PKCS12 file
On the new CA, a new database instance runs on the standard port (389). The PKCS12 file contains all the system certificates for the old system. Verify that the file includes the CA signing certificate and the key.
In FIPS mode, you must run the pki pkcs12 commands with an NSS database. For more information, see the pki-pkcs12 CLI.
Find the CA signing certificate and the key.
$ echo "<Secret.123>" > password.txt $ pki pkcs12-cert-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt $ pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txtVerify the presence of the trust flags of the CA signing certificate. If the flags are not "CTu,Cu,Cu" or they are missing, add them.
$ pki pkcs12-cert-mod "<caSigningCert cert-pki-rootCA>" \ --pkcs12-file ca.p12 --pkcs12-password-file password.txt \ --trust-flags "CTu,Cu,Cu"Remove other certificates and keys.
$ pki pkcs12-cert-del "<Server-Cert cert-pki-rootCA>" --pkcs12-file ca.p12 --pkcs12-password-file password.txt $ pki pkcs12-cert-del "<subsystemCert cert-pki-rootCA>" --pkcs12-file ca.p12 --pkcs12-password-file password.txt $ pki pkcs12-cert-del "<ocspSigningCert cert-pki-rootCA>" --pkcs12-file ca.p12 --pkcs12-password-file password.txt $ pki pkcs12-cert-del "<auditSigningCert cert-pki-rootCA>" --pkcs12-file ca.p12 --pkcs12-password-file password.txtIf the CA being migrated is also an intermediate CA, remove the root CA certificate from the PKCS#12 file.
$ pki pkcs12-cert-del "<Top-level Root CA Signing Certificate>" --pkcs12-file ca.p12 --pkcs12-password-file password.txt
20.1.3. Setting up the CA on the new host
After you have exported the data from the existing instance, create and set up the certificate authority (CA) on the new host.
Create a configuration file for
pkispawn, for example CA.cfg, using the parameters of the old CA. This instance runs on the standard port (389).[DEFAULT] pki_instance_name=<new_instance_name> pki_admin_password=<caadmin_password> pki_client_pkcs12_password=<pkcs12_file_password> pki_ds_password=<DS_password> pki_ds_ldap_port=389 pki_existing=True [CA] pki_ca_signing_csr_path=<path/to/ca_signing.csr> pki_ca_signing_cert_path=<path/to/ca_signing.crt> pki_ca_signing_nickname=<caSigningCert cert-nickname> pki_ds_base_dn=<o=pki-tomcat-CA> pki_ds_database=<instance_name-CA> pki_master_crl_enable=FalseIf the old CA is an intermediate CA, add the following two lines to the configuration file. They correspond to the path to the root CA certificate and the nickname to use when storing the certificate in the NSS database.
pki_cert_chain_path=<rootca_signing.crt> pki_cert_chain_nickname=<caSigningCert cert-pki-ca>Run
pkispawnon the new host to create the new CA instance:# pkispawn -s CA -f ca.cfg -vv
For instructions on how to set up a new DS instance for the new CA, see Installing Red Hat Directory Server.
20.1.4. Importing the old data into the new CA
After you have created the new CA instance, import the data into the new CA database:
Stop the CA service.
# systemctl stop pki-tomcatd@<instance_name>.serviceOptional: Back up the CA database on the new host.
# dsctl -v idm-qe-01 db2bakThe backup is stored in the
/var/lib/dirsrv/<instance_name>/bak/<host_name-time_stamp>/directory.Remove the certificate entry for the signing certificate from the new RHEL 8 internal database.
# ldapdelete -x -w <password< -D 'cn=Directory Manager' "cn=<serial_number<,ou=certificateRepository,ou=ca,o=pki-tomcat-CA"The entry is now imported from the old data, so that the CRL attributes in that entry point to the correct entries.
Import the data into the new database:
# ldapmodify -x -W <password> -D 'cn=Directory Manager' -a -c -f <path/to/old_ca.ldif>The
ldapmodifyutility only adds new entries and does not update existing entries, created when you installed the CA.-
Optional: Verify the output in the
import.logfile. You can search for failed actions, such asldap_add: Invalid syntax (21). Remove the directory entry for the old security domain.
# ldapmodify -W <password> -x -D "cn=Directory Manager" dn: cn=<server.example.com:9445>,cn=CAList,ou=Security Domain,<o=pki-tomcat-CA> changetype: deleteEnable the
ca.crl.MasterCRL.enableparameter in the/etc/pki/<instance_name>/ca/CS.cfgfile, to have the CA act as the certificate revocation list (CRL) master:ca.crl.MasterCRL.enable=trueRestart the CA service:
# systemctl start pki-tomcatd@<instance_name>
20.1.5. Reassigning users to default groups
Add members to the default groups manually, using the ldapmodify utility or the pki utility.
Set up the client:
# pki -c <password> client-init Client initialized# pk12util -i ~/.dogtag/<instance_name>/ca_admin_cert.p12 -d ~/.dogtag/nssdb/ Enter Password or Pin for "NSS Certificate DB": Enter password for PKCS12 file: pk12util: PKCS12 IMPORT SUCCESSFULAdd the
useraccount to theAdministratorsandSecurity Domain Administratorsgroups:# pki -n "<PKI Administrator for example.com>" -c <password> \ user-membership-add <user_name> "Certificate Manager Agents"The default (bootstrap) admin users in RHCS 9 and RHCS 10 have the same default roles, that is the same group membership. However, if you have a non-default admin user or have customized the admin roles in RHCS 9, those changes might not be migrated properly. In this case, reconfigure the roles in RHCS 10:
# pki -n "<PKI Administrator for example.com>" -c <password> \ user-membership-add <user> "Administrators" # pki -n "<PKI Administrator for example.com>" -c <password> \ user-membership-add <user> "Security Domain Administrators"
If you want to make sure the certificate has been migrated successfully, check its existence on the new host by running the ca-cert-find command.
20.2. Migrating a KRA
Simple KRA migration requires the following steps:
The KRA located on alpha.example.com contains the data, while the KRA located on omega.example.com does not exist yet.
| Hostname | PKI KRA Version |
|---|---|
| alpha.example.com | PKI KRA 10.5 on RHCS 9.7 |
| omega.example.com | PKI KRA 10.13 on RHCS 10.4 |
20.2.1. Setting up the KRA on the new host
On omega.example.com as the root user:
- Install and configure a new PKI 10.13 KRA on omega.example.com.
Stop the KRA instance.
# systemctl stop pki-tomcatd@<pki-kra>Create a directory to export all required files.
# mkdir -p /export/pkiExport KRA storage certificates to a file. You will need the KRA storage certificate later to re-encrypt the decrypted old data from the KRA on alpha. In the following example, the file is called
omega.crt:# cd /var/lib/pki/<pki-kra>/alias/ # pki-server cert-export kra_storage -i <pki-kra> --cert-file <omega.crt> Certificate: Data: Version: 3 (0x2) Serial Number: 8 (0x8) Signature Algorithm: sha256WithRSAEncryption Issuer: O = example.com Security Domain, OU = topology-02-CA, CN = CA Signing Certificate Validity Not Before: Dec 19 10:58:02 2019 GMT Not After : Dec 8 10:58:02 2021 GMT Subject: O = example.com Security Domain, OU = topology-02-KRA, CN = DRM Storage Certificate Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:99:c1:f6:f4:0d:75:67:ff:58:3a:28:ee:34:f1: 40:0a:e1:5b:f3:9d:f4:c2:5a:1e:d0:d5:0c:62:c1:-
Move the
omega.crtfile to the/export/pkidirectory. Stop the Directory Server.
# systemctl stop dirsrv@omegaNoteIf
db2ldifis missing, install the389-ds-base-legacy-toolspackage.Extract the KRA LDAP database configurations. You will need the new KRA LDAP database configurations for transforming the old data to the new.
# /usr/lib64/dirsrv/slapd-omega/db2ldif -n <pki-kra-KRA> -a /tmp/omega.ldifMove the
/tmp/omega.ldiffile to the/export/pkidirectory.# mv /tmp/omega.ldif /export/pki/
20.2.2. Exporting contents from the previous system
On alpha.example.com as the root user:
Create a common directory:
# mkdir -p /export/pkiStop the Directory Server. In this example, the server is named alpha:
# systemctl stop dirsrv@alphaGenerate the LDIF from the KRA LDAP database:
# /usr/lib64/dirsrv/slapd-alpha/db2ldif -n <pki-kra-KRA> -a /tmp/alpha.ldifMove the
/tmp/alpha.ldiffile to/export/pkidirectory:# mv /tmp/alpha.ldif /export/pki/Copy the KRA NSS security databases to the data area:
# cp -p /var/lib/pki/<pki-kra>/alias/* /export/pki/Go to the
/export/pkidirectory:# cd /export/pkiObtain the flat-file containing the new KRA’s storage certificate from omega.example.com:
sftp root@omega.example.com sftp> cd /export/pki sftp> get omega.crt sftp> quitObtain the internal password:
# cat /var/lib/<instance_name>/conf/password.confRun the
KRAToolon alpha.example.com:# KRATool \ -kratool_config_file /usr/share/pki/java-tools/KRATool.cfg \ -source_ldif_file /export/pki/alpha.ldif \ -target_ldif_file /export/pki/alpha2omega.ldif \ -log_file /tmp/KRATool_26_05_2023.log \ -source_pki_security_database_path /export/pki/ \ -source_storage_token_name "Internal Key Storage Token" \ -source_storage_certificate_nickname "<storageCert cert-pki-tomcat KRA>" \ -target_storage_certificate_file /export/pki/omega.crt \ -source_kra_naming_context alpha.example.com \ -target_kra_naming_context omega.example.com \ -unwrap_algorithm AES \ -process_requests_and_key_records_only PROCESSING KRATOOL CONFIG FILE: ................................... FINISHED. SUCCESSFULLY processed kratool config file! Initializing source PKI security databases in '/export/pki/'. Retrieving token from CryptoManager. Retrieving source storage token called 'Internal Key Storage Token'. Retrieving source storage cert with nickname of 'storageCert cert-pki-tomcat KRA'. BEGIN: Obtaining the private key from the source storage token . . . Enter password for Internal Key Storage Token ** FINISHED: Obtaining the private key from the source storage token. BEGIN: Obtaining the public key from the target storage certificate . . . FINISHED: Obtaining the public key from the target storage certificate. PROCESSING: xxxxxxxxxxxxxxxxxxxxxxxxx...... SUCCESSFULLY converted source LDIF file --> target LDIF file! FINISHED "KRATool -kratool_config_file /usr/share/pki/java-tools/KRATool.cfg -source_ldif_file /export/pki/alpha.ldif -target_ldif_file /export/pki/alpha2omega.ldif -log_file /tmp/DRMTool_20_05_2021.log -source_pki_security_database_path /export/pki/ -source_storage_token_name 'Internal Key Storage Token' -source_storage_certificate_nickname 'storageCert cert-pki-tomcat KRA' -target_storage_certificate_file /export/pki/omega.crt -source_pki_security_database_pwdfile '/export/pki/password.cfg' -source_kra_naming_context 'alpha.example.com' -target_kra_naming_context 'omega.example.com' -process_requests_and_key_records_only"NoteAlternatively, you can create a plain-text file protected from unauthorized access containing one and only password that will be automatically accessed by a certificate or a certificate database. Add this file to
KRAToolwith the-source_pki_security_database_pwdfile <path_to_PKI_password_file>command-line option.Copy the
alpha2omega.ldiffile to omega.example.com:sftp root@omega.example.com sftp> cd /export/pki sftp> put alpha2omega.ldif sftp> quit
20.2.3. Importing the data into the new KRA
On omega.example.com as the root user:
Go to
/export/pkidirectory.# cd /export/pkiConcatenate the
ldiffiles:# cat omega.ldif alpha2omega.ldif > omega_alpha.ldifImport the
omega_alpha.ldiffile into the LDAP database associated with the PKI KRA:# /usr/lib64/dirsrv/slapd-omega/ldif2db -n <pki-kra-KRA> -i /export/pki/omega_alpha.ldifStart the Directory Server:
# systemctl start dirsrv@omegaStart the KRA instance.
# systemctl start pki-tomcatd@<pki-kra>
20.2.4. Validating the presence of migrated keys from the KRA Agent Page
The last step is to perform key recovery of migrated keys from the KRA Agent page.
[root@pki1 pki]# pki -d /root/nssdb/ -p 21080 -n '<PKI Administrator - example.com Security Domain>' kra-key-find
Enter password for Internal Key Storage Token
----------------
3 key(s) matched
----------------
Key ID: 0x1
Algorithm: 1.2.840.113549.1.1.1
Size: 1024
Owner: UID=alpha1
Key ID: 0x2
Algorithm: 1.2.840.113549.1.1.1
Size: 1024
Owner: UID=alpha2
Key ID: 0x3
Algorithm: 1.2.840.113549.1.1.1
Size: 1024
Owner: UID=alpha3
----------------------------
Number of entries returned 3
----------------------------20.2.5. Post-Upgrade Testing
Follow the key recovery operation for user key archived before upgrade.
Procedure 21.1. Key Recovery Test
Display the base64 user certificate created before upgrade.
# <pki -n 'PKI Administrator - example.com>' -c <Secret.123> ca-cert-export <0xd> Serial Number: 0xd Subject DN: UID=alpha Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=example.com Security Domain Status: VALID Not Valid Before: Wed Jun 07 01:49:07 EDT 2023 Not Valid After: Mon Dec 04 01:49: ----BEGIN CERTIFICATE---- MIIDODCCAiCgAwIBAgIBDTANBgkqhkiG9w0BAQsFADBtMTUwMwYDVQQKDCxpZG1xZS5sYWIuZW5n LmJvcy5yZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjETMBEGA1UECwwKcGtpLXRvbWNhdDEfMB0G A1UEAwwWQ0EgU2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0yMzA2MDcwNTQ5MDdaFw0yMzEyMDQwNjQ5 [...output truncated...] EJyoMFM+RaAcTh+C3S0JZEoKlAS3UlJOMxk3BFZdWpv7ia+1faV6LFPZSCZ/m8i2c3KZNxFW2xv1 DTIIVc7a1uEDApVDHf5aFcm0nGpEVeK+yvP4r1eD ----END CERTIFICATE----- Use this certificate to generate a key recovery request through KRA Agent UI.
Approve the recovery request.
# pki -c <Secret.123> -n '<PKI Administrator - example.com Security Domain>' -p 8443 -P https kra-key-request-review <0x2> --action approve ----- Result ------ Request ID: 0x2 Type: recovery Status: approved- Download the key from the KRA UI.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}