7.3. Installing an IdM server with an external CA with keys and certificates stored on an HSM


You can install a new Identity Management (IdM) server that uses an external certificate authority (CA) as a root CA.

During the installation, you must supply basic configuration of the system, for example the realm, the administrator’s password and the Directory Manager’s password.

The ipa-server-install installation script creates a log file at /var/log/ipaserver-install.log. If the installation fails, the log can help you identify the problem.

Prerequisites

  • A supported networked HSM installed and set up according to its vendor's instructions. See Supported HSMs.
  • The HSM PKCS #11 library path, /opt/nfast/toolkits/pkcs11/libcknfast.so.
  • An available slot, token, and the token password.
  • If you install a server without an integrated IdM CA, you must request the following certificates from a third-party authority:

    • An LDAP server certificate
    • An Apache server certificate
    • A PKINIT certificate
    • Full CA certificate chain of the CA that issued the LDAP and Apache server certificates

Procedure

  1. Run the install command, ensuring you specify that you are using an external CA.

    # ipa-server-install --external-ca

    During the installation process, the utility prints the location of the certificate signing request (CSR), /root/ipa.csr:

    ...
    
    Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
      [1/8]: creating certificate server user
      [2/8]: configuring certificate server instance
    The next step is to get /root/ipa.csr signed by your CA and re-run /sbin/ipa-server-install as:
    /sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
  2. To complete the certificate process, using the CSR generated by the installation utility, complete the following steps:

    1. Submit the CSR located in /root/ipa.csr to the external CA. The process differs depending on the service to be used as the external CA.
    2. Retrieve the issued certificate and the CA certificate chain for the issuing CA as a base64-encoded blob (either a PEM file or a Base-64 encoded certificate from a Windows CA). Again, the process differs for every certificate service. Usually, a download link on a web page or in the notification email allows the administrator to download all the required certificates.

      Important

      Obtain the full certificate chain for the CA, not just the CA certificate.

  3. Run the ipa-server-install utility again, specifying the paths of the newly issued CA certificate and the CA chain files, the location of the PKCS #11 library, the token name, and the token password:

    # ipa-server-install --external-cert-file=</tmp/servercert20170601.pem> --external-cert-file=</tmp/cacert.pem> --token-name=<HSM-TOKEN> --token-library-path=/opt/nfast/toolkits/pkcs11/libcknfast.so
  4. Specify the token password when prompted.
  5. The installation script now configures the server. Wait for the operation to complete.

Verification

  1. Run certutil to display CA certificate information:

    certutil -L -d /etc/pki/pki-tomcat/alias
    
    Certificate Nickname                    Trust Attributes
                                            SSL,S/MIME,JAR/XPI
    
    caSigningCert cert-pki-ca               CT,C,C
    ocspSigningCert cert-pki-ca             ,,
    Server-Cert cert-pki-ca                 u,u,u
    subsystemCert cert-pki-ca               ,,
    auditSigningCert cert-pki-ca            ,,P

    The certificates are listed, but the ,, trust attributes (no u flag) indicate that this on-disk NSS database holds no private keys for them: the keys are stored on the token.

  2. Verify that the keys and certificates are stored on the HSM:

    certutil -L -d /etc/pki/pki-tomcat/alias -h <HSM-TOKEN>
    
    Certificate Nickname                                Trust Attributes
                                                        SSL,S/MIME,JAR/XPI
    
    Enter Password or Pin for "<HSM-TOKEN>":
    <HSM-TOKEN>:subsystemCert cert-pki-ca               u,u,u
    <HSM-TOKEN>:ocspSigningCert cert-pki-ca             u,u,u
    <HSM-TOKEN>:caSigningCert cert-pki-ca               CTu,Cu,Cu
    <HSM-TOKEN>:auditSigningCert cert-pki-ca            u,u,Pu

    The certificate name is prefixed with the HSM token name, which indicates that the private keys and certificates are stored on the token.

    Where the keys are stored does not affect how users obtain or use certificates.
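    The two certutil listings above can be checked mechanically: the u trust flag marks an entry whose private key is present in the database being listed, so after a correct installation it should appear only on token-prefixed nicknames (plus the Tomcat Server-Cert, which the page's output shows staying on disk). The following script is an added example, not part of the Red Hat procedure; it runs on constructed sample listings shaped like the output above and uses the page's <HSM-TOKEN> placeholder as the token name.

```shell
#!/bin/sh
# Added example, not from the Red Hat page: check `certutil -L` listings to
# confirm that the IdM CA private keys live on the HSM token, not in the
# on-disk NSS database. The listings are constructed sample output shaped
# like the page's verification step; <HSM-TOKEN> is the page's placeholder.
TOKEN='<HSM-TOKEN>'

# certutil -L -d /etc/pki/pki-tomcat/alias  (constructed, expected state)
DISK_OK='Certificate Nickname                    Trust Attributes
                                        SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-ca               CT,C,C
ocspSigningCert cert-pki-ca             ,,
Server-Cert cert-pki-ca                 u,u,u
subsystemCert cert-pki-ca               ,,
auditSigningCert cert-pki-ca            ,,P'

# Same command on a host where the CA signing key was left on disk (constructed)
DISK_BAD='caSigningCert cert-pki-ca               CTu,Cu,Cu
Server-Cert cert-pki-ca                 u,u,u'

# certutil -L -d /etc/pki/pki-tomcat/alias -h <HSM-TOKEN>  (constructed)
TOKEN_OK='Certificate Nickname                                Trust Attributes
                                                    SSL,S/MIME,JAR/XPI
<HSM-TOKEN>:subsystemCert cert-pki-ca                  u,u,u
<HSM-TOKEN>:ocspSigningCert cert-pki-ca                u,u,u
<HSM-TOKEN>:caSigningCert cert-pki-ca                  CTu,Cu,Cu
<HSM-TOKEN>:auditSigningCert cert-pki-ca               u,u,Pu'

# Read a listing on stdin; print one nickname per line for every entry
# whose SSL trust field carries "u" (private key present in that database).
keys_present() {
    awk 'NF >= 2 && $NF ~ /,/ {
             split($NF, f, ",")
             if (f[1] ~ /u/) { s = $1; for (i = 2; i < NF; i++) s = s " " $i; print s }
         }'
}

# Exit 0 only if no CA subsystem key is on disk (Server-Cert is the Tomcat TLS
# key, which the page shows staying in the database) and the CA signing key
# is reported on the token. Args: disk listing, token listing, token name.
hsm_keys_ok() {
    disk_keys=$(printf '%s\n' "$1" | keys_present | grep -v '^Server-Cert ' || true)
    [ -z "$disk_keys" ] || return 1
    printf '%s\n' "$2" | keys_present | grep -q "^$3:caSigningCert "
}

hsm_keys_ok "$DISK_OK" "$TOKEN_OK" "$TOKEN" && echo "CA keys are on the token"
hsm_keys_ok "$DISK_BAD" "$TOKEN_OK" "$TOKEN" || echo "CA signing key found on disk"
```

On a real server, replace the constructed listings with the output of the two certutil commands from the verification steps.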
