7.6. Installing a KRA clone with keys and certificates stored on an HSM
By default, an IdM replica does not have a KRA unless you specified the --setup-kra option when promoting the IdM client to a replica.
Prerequisites
- The token password.
- A KRA server installed.
Procedure
To install a KRA clone, execute the following command on the replica:
    # ipa-kra-install -p <Secret.123>
Specify the token password when prompted.
Verification
Verify that the keys and certificates are stored on the HSM:
    # certutil -L -d /etc/pki/pki-tomcat/alias -h <HSM-TOKEN>

    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI

    Enter Password or Pin for "<HSM-TOKEN>":
    <HSM-TOKEN>:subsystemCert cert-pki-ca                        u,u,u
    <HSM-TOKEN>:ocspSigningCert cert-pki-ca                      u,u,u
    <HSM-TOKEN>:caSigningCert cert-pki-ca                        CTu,Cu,Cu
    <HSM-TOKEN>:auditSigningCert cert-pki-ca                     u,u,Pu
    <HSM-TOKEN>:storageCert cert-pki-kra                         u,u,u
    <HSM-TOKEN>:transportCert cert-pki-kra                       u,u,u
    <HSM-TOKEN>:auditSigningCert cert-pki-kra                    u,u,Pu

The certificate name is prefixed with the HSM token name, which indicates that the private keys and certificates are stored on the token.
Where the keys are stored does not affect how users obtain or use certificates.
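The verification step above can be scripted so that a missing token prefix or an unexpected trust attribute on any of the three KRA certificates is reported rather than eyeballed. The following is an added example, not part of the Red Hat documentation or of IdM itself; the token name "hsm-token" and the sample listing are constructed placeholders, and the expected trust attributes are the ones shown in the listing above.

```shell
# Added example: check that the KRA certificates in a certutil -L listing are
# stored on the HSM token and carry the expected trust attributes.
# Real usage: certutil -L -d /etc/pki/pki-tomcat/alias -h TOKEN | kra_certs_on_token TOKEN

# Constructed sample listing (not captured from a real system). The last
# line deliberately lacks the token prefix so that the check reports it.
SAMPLE_OUTPUT='Certificate Nickname                             Trust Attributes
                                                 SSL,S/MIME,JAR/XPI

hsm-token:subsystemCert cert-pki-ca              u,u,u
hsm-token:storageCert cert-pki-kra               u,u,u
hsm-token:transportCert cert-pki-kra             u,u,u
auditSigningCert cert-pki-kra                    u,u,Pu'

# kra_certs_on_token TOKEN  (reads the certutil -L listing from stdin)
# For each KRA certificate, verify that the nickname is prefixed with "TOKEN:"
# (private key on the HSM) and that its trust attributes match the expected
# values. Prints one line per certificate; returns 0 only if every check passes.
kra_certs_on_token() {
    token="$1"
    listing=$(cat)
    rc=0
    # nickname/expected-trust pairs, as shown in the verification listing
    for spec in storageCert/u,u,u transportCert/u,u,u auditSigningCert/u,u,Pu; do
        nick=${spec%/*}
        want=${spec#*/}
        line=$(printf '%s\n' "$listing" | grep "^${token}:${nick} cert-pki-kra[[:space:]]" || true)
        if [ -z "$line" ]; then
            if printf '%s\n' "$listing" | grep -q "^${nick} cert-pki-kra[[:space:]]"; then
                echo "FAIL: ${nick} cert-pki-kra is in the software NSS database, not on ${token}"
            else
                echo "FAIL: ${nick} cert-pki-kra not found in listing"
            fi
            rc=1
            continue
        fi
        # Trust attributes are the last whitespace-separated field of the line.
        got=$(printf '%s\n' "$line" | awk '{print $NF}')
        if [ "$got" != "$want" ]; then
            echo "FAIL: ${nick} cert-pki-kra trust is ${got}, expected ${want}"
            rc=1
        else
            echo "OK:   ${token}:${nick} cert-pki-kra ${got}"
        fi
    done
    return $rc
}

# Run the check against the constructed sample; it flags auditSigningCert.
printf '%s\n' "$SAMPLE_OUTPUT" | kra_certs_on_token hsm-token || echo "KRA certificate check failed"
```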