Chapter 8. Installing and configuring for ECC
This chapter highlights the differences you will encounter when performing an ECC installation, compared to the RSA instructions in Chapters 6 and 7.
8.1. Prerequisites for ECC installation
Prepare your systems in a similar manner to the procedure described in Chapter 6, Prerequisites for installation, making sure you adapt paths, names, and other configuration for ECC.
For example, we will install the following instances:
- rhcs10-ECC-RootCA
- rhcs10-ECC-SubCA
- rhcs10-ECC-OCSP-rootca
- rhcs10-ECC-OCSP-subca
- rhcs10-ECC-KRA
Please note that ECC is not supported for TMS (TPS and TKS).
Create directories for storing PKI files
For example, on rhcs10.example.com:
# mkdir -p /root/pki_ecc
Set up the firewall ports for ECC
Please refer to the table in Section 6.8, “Adding ports to the firewall and with SELinux context” for ports used by ECC.
You can use the following command to open the ports:
# firewall-cmd --permanent --add-port={20080/tcp,20443/tcp,1389/tcp,1636/tcp,20009/tcp,20005/tcp,21080/tcp,21443/tcp,8389/tcp,8636/tcp,21009/tcp,21005/tcp,23080/tcp,23443/tcp,2389/tcp,2636/tcp,23009/tcp,23005/tcp,13389/tcp,13636/tcp,22080/tcp,22443/tcp,9389/tcp,9636/tcp,22009/tcp,22005/tcp,14389/tcp,14636/tcp,23009/tcp,23005/tcp,34080/tcp,34443/tcp,4389/tcp,4636/tcp}
Then reload the firewall in order to apply the newly opened ports:
# firewall-cmd --reload
Set up SELinux contexts
For Red Hat Certificate System ports:
# for port in 20080 20443 21080 21443 34080 34443 22080 22443 23080 23443; do semanage port -a -t http_port_t -p tcp $port; done
For DS ports (replace the port type option http_port_t with ldap_port_t):
# for port in 1389 1636 8389 8636 2389 2636 13389 13636 9389 9636 14389 14636 4389 4636; do semanage port -a -t ldap_port_t -p tcp $port; done
Install RHDS instances
Install Red Hat Directory Server instances, e.g.:
- CC-ECC-RootCA-LDAP (LDAP ports: 1389/1636)
- CC-ECC-SubCA-LDAP (LDAP ports: 8389/8636)
- CC-ECC-OCSP-rootca-LDAP (LDAP ports: 2389/2636)
- CC-ECC-OCSP-subca-LDAP (LDAP ports: 9389/9636)
- CC-ECC-KRA-LDAP (LDAP ports: 4389/4636)
Please note that ECC is not supported for TMS (TPS and TKS).
You can use the example script below to install the DS instances, here shown for the ECC RootCA:
echo "Setting up ENV VARIABLES"
export BASEDN='dc=example,dc=com'
export PORT=1389
export INSTANCE_NAME=CC-ECC-RootCA-LDAP
export SECURE_PORT=1636
export PASSWORD=SECret.123
echo "Running dscreate create-template..."
dscreate create-template | sed -e 's/;suffix =/suffix = '$BASEDN'/' \
-e 's/;instance_name = localhost/instance_name ='$INSTANCE_NAME'/' \
-e 's/;port = 389/port = '$PORT'/' \
-e 's/;secure_port = 636/secure_port = '$SECURE_PORT'/' \
-e 's/;full_machine_name =/full_machine_name =/' \
-e 's/;create_suffix_entry = False/create_suffix_entry = True/' \
-e 's/;root_password = Directory_Manager_Password/root_password = '$PASSWORD'/' \
-e 's/;self_sign_cert = True/self_sign_cert = True/' > /root/pki_ecc/rootca-ldap.cfg; \
dscreate from-file /root/pki_ecc/rootca-ldap.cfg
Testing CRL publishing
Make sure you use the ECC algorithm in the commands. For example:
# PKCS10Client -d /root/.dogtag/pki_ecc_bootstrap/certs_db -p SECret.123 -a ec -c nistp256 -n "cn=test user1, uid=user1" -o /root/.dogtag/pki_ecc_bootstrap/certs_db/user1.req
Note the -a ec -c nistp256 options in the above command.
8.2. Installing ECC RHCS instances
Please follow the example installation procedure described in Chapter 7, Installing and configuring Red Hat Certificate System, but make sure you adapt for ECC as relevant. We provide the following reference pkispawn files for an ECC installation:
8.2.1. RootCA
Please refer to Section 7.3, “Create and configure the RootCA (Part I)” for the example installation procedure and adapt for an ECC installation.
Once you have installed the RootCA, you will need to install its OCSP instance as described in Section 8.2.2, “OCSP (RootCA)”. This is so that the role user certificates and the TLS server certificate of the RootCA will bear AIA extensions pointing to the OCSP instance. You can then finish configuring the RootCA by following Section 7.5, “Create and configure the RootCA (Part II)”.
[DEFAULT]
pki_instance_name=rhcs10-ECC-RootCA
pki_https_port=20443
pki_http_port=20080
### Crypto Token
pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
pki_token_name=NHSM-CONN-XC
pki_token_password=<YourHSMpassword>
pki_audit_signing_token=NHSM-CONN-XC
pki_audit_signing_key_algorithm=SHA512withEC
pki_audit_signing_key_size=nistp521
pki_audit_signing_key_type=ecc
pki_audit_signing_signing_algorithm=SHA512withEC
pki_subsystem_token=NHSM-CONN-XC
pki_subsystem_key_algorithm=SHA512withEC
pki_subsystem_signing_algorithm=SHA256withEC
pki_subsystem_key_size=nistp521
pki_subsystem_key_type=ecc
pki_sslserver_token=NHSM-CONN-XC
pki_sslserver_key_algorithm=SHA512withEC
pki_sslserver_signing_algorithm=SHA512withEC
pki_sslserver_key_size=nistp521
pki_sslserver_key_type=ecc
### Bootstrap Admin
pki_admin_password=SECret.123
pki_admin_key_type=ecc
pki_admin_key_size=nistp521
pki_admin_key_algorithm=SHA512withEC
### Bootstrap Admin client dir
### by default, if pki_client_dir, pki_client_database_dir,
### and pki_client_admin_cert_p12 are not specified, items will be placed
### under some default directories in /root/.dogtag
pki_client_admin_cert_p12=/opt/pki_ecc/rhcs10-ECC-RootCA/ca_admin_cert.p12
pki_client_database_dir=/opt/pki_ecc/rhcs10-ECC-RootCA/certs_db
pki_client_database_password=SECret.123
pki_client_dir=/opt/pki_ecc/rhcs10-ECC-RootCA
pki_client_pkcs12_password=SECret.123
### Internal LDAP
pki_ds_bind_dn=cn=Directory Manager
pki_ds_ldap_port=1389
pki_ds_ldaps_port=1636
pki_ds_password=SECret.123
pki_ds_remove_data=True
pki_ds_secure_connection=True
pki_ds_secure_connection_ca_pem_file=/opt/pki_ecc/temp-dirsrv-rootca-cert.pem
pki_ds_secure_connection_ca_nickname=DS temp CA certificate
### Security Domain
pki_security_domain_hostname=rhcs10.example.com
pki_security_domain_name=Example-rhcs10-ECC-RootCA
pki_security_domain_password=SECret.123
[Tomcat]
pki_ajp_port=20009
pki_tomcat_server_port=20005
[CA]
pki_import_admin_cert=False
pki_admin_nickname=PKI Bootstrap Administrator for ECC-RootCA
pki_admin_name=caadmin
pki_admin_uid=caadmin
pki_admin_email=caadmin@example.com
pki_ca_signing_token=NHSM-CONN-XC
pki_ca_signing_key_algorithm=SHA512withEC
pki_ca_signing_key_size=nistp384
pki_ca_signing_key_type=ecc
pki_ca_signing_nickname=CA Signing Cert - %(pki_instance_name)s
pki_ca_signing_signing_algorithm=SHA512withEC
pki_ocsp_signing_token=NHSM-CONN-XC
pki_ocsp_signing_key_algorithm=SHA512withEC
pki_ocsp_signing_key_size=nistp384
pki_ocsp_signing_key_type=ecc
pki_ocsp_signing_signing_algorithm=SHA512withEC
pki_ds_hostname=rhds11.example.com
pki_ds_base_dn=dc=ECC-RootCA
pki_ds_database=CC-ECC-RootCA-LDAP
pki_share_db=False
### Enable random serial numbers
pki_random_serial_numbers_enable=True
8.2.2. OCSP (RootCA)
Please refer to Section 7.4, “Create and configure the OCSP instance (RootCA)” for the example installation procedure and adapt for an ECC installation.
Once you are done installing the RootCA’s OCSP, do not forget to proceed with Section 7.5, “Create and configure the RootCA (Part II)”.
[DEFAULT]
pki_instance_name=rhcs10-ECC-OCSP-rootca
pki_https_port=34443
pki_http_port=34080
### Crypto Token
pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
pki_token_name=NHSM-CONN-XC
pki_token_password=<YourHSMpassword>
pki_audit_signing_token=NHSM-CONN-XC
pki_audit_signing_key_algorithm=SHA512withEC
pki_audit_signing_key_size=nistp521
pki_audit_signing_key_type=ecc
pki_audit_signing_signing_algorithm=SHA512withEC
pki_subsystem_token=NHSM-CONN-XC
pki_subsystem_key_algorithm=SHA512withEC
pki_subsystem_signing_algorithm=SHA256withEC
pki_subsystem_key_size=nistp521
pki_subsystem_key_type=ecc
pki_sslserver_token=NHSM-CONN-XC
pki_sslserver_key_algorithm=SHA512withEC
pki_sslserver_signing_algorithm=SHA512withEC
pki_sslserver_key_size=nistp521
pki_sslserver_key_type=ecc
### CA cert chain concatenated in PEM format
pki_cert_chain_path=/opt/pki_ecc/ca-chain.pem
### Bootstrap Admin
pki_admin_password=SECret.123
pki_admin_key_type=ecc
pki_admin_key_size=nistp521
pki_admin_key_algorithm=SHA512withEC
### Bootstrap Admin client dir
pki_client_admin_cert_p12=/opt/pki_ecc/rhcs10-ECC-OCSP-rootca/ocsp_admin_cert.p12
pki_client_database_dir=/opt/pki_ecc/rhcs10-ECC-OCSP-rootca/certs_db
pki_client_database_password=SECret.123
pki_client_database_purge=False
pki_client_dir=/opt/pki_ecc/rhcs10-ECC-OCSP-rootca
pki_client_pkcs12_password=SECret.123
### Internal LDAP
pki_ds_bind_dn=cn=Directory Manager
pki_ds_ldap_port=2389
pki_ds_ldaps_port=2636
pki_ds_password=SECret.123
pki_ds_remove_data=True
pki_ds_secure_connection=True
pki_ds_secure_connection_ca_pem_file=/opt/pki_ecc/ca-chain.pem
pki_ds_secure_connection_ca_nickname=CA Signing Cert - rhcs10-ECC-RootCA
### Security Domain
pki_security_domain_hostname=rhcs10.example.com
pki_security_domain_https_port=20443
pki_security_domain_password=SECret.123
pki_security_domain_user=caadmin
[Tomcat]
pki_ajp_port=34009
pki_tomcat_server_port=34005
[OCSP]
pki_import_admin_cert=False
pki_ocsp_signing_token=NHSM-CONN-XC
pki_ocsp_signing_key_algorithm=SHA512withEC
pki_ocsp_signing_key_size=nistp384
pki_ocsp_signing_key_type=ecc
pki_ocsp_signing_signing_algorithm=SHA512withEC
pki_admin_nickname=PKI Bootstrap Administrator for ECC-OCSP-rootca
pki_admin_name=ocspadmin
pki_admin_uid=ocspadmin
pki_admin_email=ocspadmin@example.com
pki_ds_hostname=rhds11.example.com
pki_ds_base_dn=dc=ECC-OCSP-rootca
pki_ds_database=CC-ECC-OCSP-rootca-LDAP
pki_share_db=False
8.2.3. SubCA
Please refer to Section 7.6, “Create and configure the SubCA (Part I)” for the example installation procedure and adapt for an ECC installation.
Once you have installed the SubCA, you will need to install its OCSP instance as described in Section 8.2.4, “OCSP (SubCA)”. This is so that the role user certificates and the TLS server certificate of the SubCA will bear AIA extensions pointing to the OCSP instance. You can then finish configuring the SubCA by following Section 7.8, “Create and configure the SubCA (Part II)”.
[DEFAULT]
pki_instance_name=rhcs10-ECC-SubCA
pki_https_port=21443
pki_http_port=21080
### Crypto Token
pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
pki_token_name=NHSM-CONN-XC
pki_token_password=<YourHSMpassword>
pki_audit_signing_token=NHSM-CONN-XC
pki_audit_signing_key_algorithm=SHA512withEC
pki_audit_signing_key_size=nistp521
pki_audit_signing_key_type=ecc
pki_audit_signing_signing_algorithm=SHA512withEC
pki_subsystem_token=NHSM-CONN-XC
pki_subsystem_key_algorithm=SHA512withEC
pki_subsystem_signing_algorithm=SHA256withEC
pki_subsystem_key_size=nistp521
pki_subsystem_key_type=ecc
pki_sslserver_token=NHSM-CONN-XC
pki_sslserver_key_algorithm=SHA512withEC
pki_sslserver_signing_algorithm=SHA512withEC
pki_sslserver_key_size=nistp521
pki_sslserver_key_type=ecc
### CA cert chain concatenated in PEM format
pki_cert_chain_path=/opt/pki_ecc/ca-chain.pem
### Bootstrap Admin
pki_admin_password=SECret.123
pki_admin_key_type=ecc
pki_admin_key_size=nistp521
pki_admin_key_algorithm=SHA512withEC
### Bootstrap Admin client dir
pki_client_admin_cert_p12=/opt/pki_ecc/rhcs10-ECC-SubCA/ca_admin_cert.p12
pki_client_database_dir=/opt/pki_ecc/rhcs10-ECC-SubCA/certs_db
pki_client_database_password=SECret.123
pki_client_dir=/opt/pki_ecc/rhcs10-ECC-SubCA
pki_client_pkcs12_password=SECret.123
### Internal LDAP
pki_ds_bind_dn=cn=Directory Manager
pki_ds_ldap_port=8389
pki_ds_ldaps_port=8636
pki_ds_password=SECret.123
pki_ds_remove_data=True
pki_ds_secure_connection=True
pki_ds_secure_connection_ca_pem_file=/opt/pki_ecc/temp-dirsrv-subca-cert.pem
pki_ds_secure_connection_ca_nickname=DS temp CA certificate
[Tomcat]
pki_ajp_port=21009
pki_tomcat_server_port=21005
[CA]
pki_subordinate=True
pki_issuing_ca_https_port=20443
pki_issuing_ca_hostname=rhcs10.example.com
pki_issuing_ca=https://rhcs10.example.com:20443
### New Security Domain
pki_security_domain_hostname=rhcs10.example.com
pki_security_domain_https_port=20443
pki_security_domain_password=SECret.123
pki_subordinate_create_new_security_domain=True
pki_subordinate_security_domain_name=Example-rhcs10-ECC-SubCA
pki_import_admin_cert=False
pki_admin_nickname=PKI Bootstrap Administrator for ECC-SubCA
pki_admin_name=caadmin
pki_admin_uid=caadmin
pki_admin_email=caadmin@example.com
pki_ca_signing_token=NHSM-CONN-XC
pki_ca_signing_key_algorithm=SHA512withEC
pki_ca_signing_key_size=nistp384
pki_ca_signing_key_type=ecc
pki_ca_signing_nickname=CA Signing Cert - %(pki_instance_name)s
pki_ca_signing_signing_algorithm=SHA512withEC
pki_ocsp_signing_token=NHSM-CONN-XC
pki_ocsp_signing_key_algorithm=SHA512withEC
pki_ocsp_signing_key_size=nistp384
pki_ocsp_signing_key_type=ecc
pki_ocsp_signing_signing_algorithm=SHA512withEC
pki_ds_hostname=rhds11.example.com
pki_ds_base_dn=dc=ECC-SubCA
pki_ds_database=CC-ECC-SubCA-LDAP
pki_share_db=False
### Enable random serial numbers
pki_random_serial_numbers_enable=True
8.2.4. OCSP (SubCA)
Please refer to Section 7.7, “Create and configure the OCSP instance (SubCA)” for the example installation procedure and adapt for an ECC installation.
Once you are done installing the SubCA’s OCSP, do not forget to proceed with Section 7.8, “Create and configure the SubCA (Part II)”.
[DEFAULT]
pki_instance_name=rhcs10-ECC-OCSP-subca
pki_https_port=22443
pki_http_port=22080
### Crypto Token
pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
pki_token_name=NHSM-CONN-XC
pki_token_password=<YourHSMpassword>
pki_audit_signing_token=NHSM-CONN-XC
pki_audit_signing_key_algorithm=SHA512withEC
pki_audit_signing_key_size=nistp521
pki_audit_signing_key_type=ecc
pki_audit_signing_signing_algorithm=SHA512withEC
pki_subsystem_token=NHSM-CONN-XC
pki_subsystem_key_algorithm=SHA512withEC
pki_subsystem_signing_algorithm=SHA256withEC
pki_subsystem_key_size=nistp521
pki_subsystem_key_type=ecc
pki_sslserver_token=NHSM-CONN-XC
pki_sslserver_key_algorithm=SHA512withEC
pki_sslserver_signing_algorithm=SHA512withEC
pki_sslserver_key_size=nistp521
pki_sslserver_key_type=ecc
### CA cert chain concatenated in PEM format
pki_cert_chain_path=/opt/pki_ecc/ca-chain.pem
### Bootstrap Admin
pki_admin_password=SECret.123
pki_admin_key_type=ecc
pki_admin_key_size=nistp521
pki_admin_key_algorithm=SHA512withEC
### Bootstrap Admin client dir
pki_client_admin_cert_p12=/opt/pki_ecc/rhcs10-ECC-OCSP-subca/ocsp_admin_cert.p12
pki_client_database_dir=/opt/pki_ecc/rhcs10-ECC-OCSP-subca/certs_db
pki_client_database_password=SECret.123
pki_client_database_purge=False
pki_client_dir=/opt/pki_ecc/rhcs10-ECC-OCSP-subca
pki_client_pkcs12_password=SECret.123
### Internal LDAP
pki_ds_bind_dn=cn=Directory Manager
pki_ds_ldap_port=9389
pki_ds_ldaps_port=9636
pki_ds_password=SECret.123
pki_ds_remove_data=True
pki_ds_secure_connection=True
pki_ds_secure_connection_ca_pem_file=/opt/pki_ecc/ca-chain.pem
pki_ds_secure_connection_ca_nickname=CA Signing Cert - rhcs10-ECC-SubCA
### Security Domain
pki_security_domain_hostname=rhcs10.example.com
pki_security_domain_https_port=21443
pki_security_domain_password=SECret.123
pki_security_domain_user=caadmin
[Tomcat]
pki_ajp_port=22009
pki_tomcat_server_port=22005
[OCSP]
pki_import_admin_cert=False
pki_ocsp_signing_token=NHSM-CONN-XC
pki_ocsp_signing_key_algorithm=SHA512withEC
pki_ocsp_signing_key_size=nistp384
pki_ocsp_signing_key_type=ecc
pki_ocsp_signing_signing_algorithm=SHA512withEC
pki_admin_nickname=PKI Bootstrap Administrator for ECC-OCSP-subca
pki_admin_name=ocspadmin
pki_admin_uid=ocspadmin
pki_admin_email=ocspadmin@example.com
pki_ds_hostname=rhds11.example.com
pki_ds_base_dn=dc=ECC-OCSP-subca
pki_ds_database=CC-ECC-OCSP-subca-LDAP
pki_share_db=False
8.2.5. KRA
Please refer to Section 7.9, “Create and configure the KRA instance” for the example installation procedure and adapt for an ECC installation.
[DEFAULT]
pki_instance_name=rhcs10-ECC-KRA
pki_https_port=23443
pki_http_port=23080
### Crypto Token
pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
pki_token_name=NHSM-CONN-XC
pki_token_password=<YourHSMpassword>
pki_audit_signing_token=NHSM-CONN-XC
pki_audit_signing_key_algorithm=SHA512withEC
pki_audit_signing_key_size=nistp521
pki_audit_signing_key_type=ecc
pki_audit_signing_signing_algorithm=SHA512withEC
pki_subsystem_token=NHSM-CONN-XC
pki_subsystem_key_algorithm=SHA512withEC
pki_subsystem_signing_algorithm=SHA256withEC
pki_subsystem_key_size=nistp521
pki_subsystem_key_type=ecc
pki_sslserver_token=NHSM-CONN-XC
pki_sslserver_key_algorithm=SHA512withEC
pki_sslserver_signing_algorithm=SHA512withEC
pki_sslserver_key_size=nistp521
pki_sslserver_key_type=ecc
### CA cert chain concatenated in PEM format
pki_cert_chain_path=/opt/pki_ecc/ca-chain.pem
### Bootstrap Admin
pki_admin_password=SECret.123
pki_admin_key_type=ecc
pki_admin_key_size=nistp521
pki_admin_key_algorithm=SHA512withEC
### Bootstrap Admin client dir
pki_client_admin_cert_p12=/opt/pki_ecc/rhcs10-ECC-KRA/kra_admin_cert.p12
pki_client_database_dir=/opt/pki_ecc/rhcs10-ECC-KRA/certs_db
pki_client_database_password=SECret.123
pki_client_database_purge=False
pki_client_dir=/opt/pki_ecc/rhcs10-ECC-KRA
pki_client_pkcs12_password=SECret.123
### Internal LDAP
pki_ds_bind_dn=cn=Directory Manager
pki_ds_ldap_port=4389
pki_ds_ldaps_port=4636
pki_ds_password=SECret.123
pki_ds_remove_data=True
pki_ds_secure_connection=True
pki_ds_secure_connection_ca_pem_file=/opt/pki_ecc/ca-chain.pem
pki_ds_secure_connection_ca_nickname=CA Signing Cert - rhcs10-ECC-SubCA
### Security Domain
pki_security_domain_hostname=rhcs10.example.com
pki_security_domain_https_port=21443
pki_security_domain_password=SECret.123
pki_security_domain_user=caadmin
[Tomcat]
pki_ajp_port=23009
pki_tomcat_server_port=23005
[KRA]
pki_import_admin_cert=False
pki_storage_token=NHSM-CONN-XC
pki_storage_key_algorithm=SHA512withEC
pki_storage_key_size=nistp521
pki_storage_key_type=ecc
pki_storage_signing_algorithm=SHA512withEC
pki_transport_token=NHSM-CONN-XC
pki_transport_key_algorithm=SHA512withEC
pki_transport_key_size=nistp521
pki_transport_key_type=ecc
pki_transport_signing_algorithm=SHA512withEC
pki_admin_nickname=PKI Bootstrap Administrator for ECC-KRA
pki_admin_name=kraadmin
pki_admin_uid=kraadmin
pki_admin_email=kraadmin@example.com
pki_ds_hostname=rhds11.example.com
pki_ds_base_dn=dc=ECC-KRA
pki_ds_database=CC-ECC-KRA-LDAP
pki_share_db=False
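The five reference files above follow one pattern: every key pair is declared by a pki_<name>_key_type / _key_size / _key_algorithm group placed on the HSM token named in pki_token_name, and every non-root instance points its security domain (or issuing CA) at the HTTPS port of a CA installed before it. The checker below is an added example, not part of Certificate System; it parses pkispawn files with the Python standard library and reports deviations from that pattern before pkispawn is run. The sample files it embeds are constructed, cut-down versions of the files above, with one deliberately wrong KRA file.

```python
import configparser
EC_CURVES = {"nistp256", "nistp384", "nistp521"}  # curve names pkispawn accepts in *_key_size with key_type=ecc
PORT_KEYS = ("pki_https_port", "pki_http_port", "pki_ajp_port", "pki_tomcat_server_port", "pki_ds_ldaps_port")


def load_flat(text):
    """Parse one pkispawn file into a flat dict; pkispawn option names are unique across sections."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %(pki_instance_name)s verbatim
    cp.read_string(text)
    flat = dict(cp.defaults())
    for section in cp.sections():
        flat.update(cp[section])
    return flat


def check_ecc_keys(flat):
    """One problem per key pair whose type, curve, algorithm or token does not fit an ECC-on-HSM install."""
    problems = []
    for key, value in flat.items():
        if not key.endswith("_key_type"):
            continue
        prefix = key[: -len("_key_type")]
        if value != "ecc":
            problems.append(f"{prefix}: key_type is {value!r}, expected 'ecc'")
        if flat.get(prefix + "_key_size") not in EC_CURVES:
            problems.append(f"{prefix}: key_size {flat.get(prefix + '_key_size')!r} is not a NIST curve")
        for alg_key in (prefix + "_key_algorithm", prefix + "_signing_algorithm"):
            alg = flat.get(alg_key)
            if alg and not alg.endswith("withEC"):
                problems.append(f"{alg_key}={alg} is not an EC signature algorithm")
        # The bootstrap admin key lives in the client NSS database, so it has no *_token option.
        on_hsm = prefix == "pki_admin" or flat.get(prefix + "_token") == flat.get("pki_token_name")
        if flat.get("pki_hsm_enable") == "True" and not on_hsm:
            problems.append(f"{prefix}: key would not be generated on token {flat.get('pki_token_name')!r}")
    return problems


def check_topology(flats):
    """Across files: no port reused, and security-domain / issuing-CA ports name a CA in the set."""
    problems, owner = [], {}
    ca_https = {f["pki_https_port"] for f in flats if "pki_ca_signing_key_type" in f}
    for f in flats:
        name = f["pki_instance_name"]
        for k in PORT_KEYS:
            if k in f and owner.setdefault((k, f[k]), name) != name:
                problems.append(f"{name}: {k}={f[k]} already used by {owner[(k, f[k])]}")
        for k in ("pki_security_domain_https_port", "pki_issuing_ca_https_port"):
            if k in f and f[k] not in ca_https:
                problems.append(f"{name}: {k}={f[k]} does not belong to a CA in this set")
    return problems


def sample(name, https, ajp, ldaps, extra):
    """Constructed, cut-down file in the shape of the reference files above (not a complete pkispawn file)."""
    return (f"[DEFAULT]\npki_instance_name={name}\npki_https_port={https}\npki_hsm_enable=True\n"
            "pki_token_name=NHSM-CONN-XC\npki_sslserver_token=NHSM-CONN-XC\npki_sslserver_key_type=ecc\n"
            "pki_sslserver_key_size=nistp521\npki_sslserver_key_algorithm=SHA512withEC\n"
            f"pki_ds_ldaps_port={ldaps}\n[Tomcat]\npki_ajp_port={ajp}\n{extra}")


ROOTCA = sample("rhcs10-ECC-RootCA", "20443", "20009", "1636",
                "[CA]\npki_ca_signing_token=NHSM-CONN-XC\npki_ca_signing_key_type=ecc\npki_ca_signing_key_size=nistp384\n")
OCSP = sample("rhcs10-ECC-OCSP-rootca", "34443", "34009", "2636",
              "[OCSP]\npki_security_domain_https_port=20443\npki_ocsp_signing_token=NHSM-CONN-XC\n"
              "pki_ocsp_signing_key_type=ecc\npki_ocsp_signing_key_size=nistp384\n")
# Deliberately wrong: RSA storage key on the internal token, HTTPS port clash, security domain port of no CA.
BAD_KRA = sample("rhcs10-ECC-KRA", "34443", "23009", "4636",
                 "[KRA]\npki_security_domain_https_port=21443\npki_storage_token=internal\n"
                 "pki_storage_key_type=rsa\npki_storage_key_size=2048\npki_storage_key_algorithm=SHA256withRSA\n")
```

Run check_ecc_keys() on each file and check_topology() on the whole set; an empty list from both means the files are consistent with the ECC pattern of this chapter.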
8.3. Post-installation for ECC
Please follow the post-installation configuration described in Section 7.13, “Post-installation”, but when reaching Section 7.13.11, “Update the ciphers list” make sure you apply the following ECC-specific parameters instead. Configure all your CS instances as relevant based on their role.
Configuring ECC ciphers for CS instances:
When a CS instance is acting as a server, add the following ciphers to the SSLHostConfig element in the server.xml file:
<SSLHostConfig sslProtocol="TLS" protocols="TLSv1.2" certificateVerification="optional" ciphers="ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384">
When a CS instance is acting as a client to its internal LDAP database, add the following line to the <instance directory>/<instance type>/conf/CS.cfg file:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
When a CA instance is acting as a client to the KRA, add the following line to the <instance directory>/ca/conf/CS.cfg file:
ca.connector.KRA.clientCiphers=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Once you have configured all your CS instances, restart them in order to apply the new ciphers.
Configuring ECC ciphers for DS instances:
By default, a Directory Server instance inherits the ciphers enabled on the OS.
You can verify the enabled ciphers using the following command (here, for the SubCA’s DS instance):
# dsconf -D "cn=Directory Manager" ldap://rhds11.example.com:8389 security ciphers list --enabled
If you wish to set the cipher list to match the ciphers of Certificate System (here, for the SubCA’s DS instance):
# dsconf -D "cn=Directory Manager" ldap://rhds11.example.com:8389 security ciphers set "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
Do the same for all other DS instances, then restart the DS instances to apply the ciphers.
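The cipher lists in this section name the same four suites in two notations: OpenSSL style in server.xml, IANA style in CS.cfg and dsconf. The script below is an added example, not part of Certificate System; it converts between the two notations, checks that an instance's server-side and client-side lists agree, and flags any suite that is not ECDHE with ECDSA authentication. Its inputs are constructed from the values given above, and ca.connector.KRA.clientCiphers is the CS.cfg key this section specifies.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs carrying the cipher lists this section prescribes. A real server.xml is far larger;
# the SSLHostConfig element is closed here so the fragment parses stand-alone.
SERVER_XML = ('<Connector><SSLHostConfig sslProtocol="TLS" protocols="TLSv1.2" certificateVerification="optional" '
              'ciphers="ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:'
              'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384"/></Connector>')
CS_CFG = ("ca.connector.KRA.clientCiphers=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
          "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,"
          "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384\n")

# Tomcat's SSLHostConfig uses OpenSSL-style names; CS.cfg and dsconf use IANA names.
OPENSSL_NAME = re.compile(r"^ECDHE-(ECDSA|RSA)-AES(128|256)-(GCM-)?SHA(256|384)$")
ECC_ONLY = re.compile(r"^TLS_ECDHE_ECDSA_WITH_AES_(128|256)_(GCM|CBC)_SHA(256|384)$")


def openssl_to_iana(name):
    """ECDHE-ECDSA-AES128-SHA256 -> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256; GCM suites keep GCM."""
    m = OPENSSL_NAME.match(name)
    if not m:
        raise ValueError(f"unsupported OpenSSL cipher name: {name}")
    auth, bits, gcm, sha = m.groups()
    return f"TLS_ECDHE_{auth}_WITH_AES_{bits}_{'GCM' if gcm else 'CBC'}_SHA{sha}"


def server_ciphers(xml_text):
    """Suites the instance offers as a TLS server (server.xml), converted to IANA names."""
    host = ET.fromstring(xml_text).find(".//SSLHostConfig")
    return [openssl_to_iana(c) for c in host.get("ciphers", "").split(":") if c]


def client_ciphers(cfg_text, key):
    """Suites the instance offers as a TLS client: the comma-separated value of key in CS.cfg."""
    for line in cfg_text.splitlines():
        k, _, v = line.partition("=")
        if k.strip() == key:
            return [c.strip() for c in v.split(",") if c.strip()]
    return []


def dsconf_ciphers(setting):
    """Suites enabled by a dsconf 'security ciphers set "+A,+B"' string; an empty '+' entry is ignored."""
    return [c[1:] for c in setting.split(",") if c.startswith("+") and len(c) > 1]


def non_ecc(suites):
    """Suites that are not ECDHE key exchange with ECDSA authentication, AES and SHA-2."""
    return [s for s in suites if not ECC_ONLY.match(s)]


def compare(server_xml, cs_cfg, key):
    """(suites only on the server side, suites only on the client side) after normalising both lists."""
    srv, cli = set(server_ciphers(server_xml)), set(client_ciphers(cs_cfg, key))
    return sorted(srv - cli), sorted(cli - srv)
```

Comparing client_ciphers() against dsconf_ciphers() of the string passed to dsconf shows which suite a DS instance would still lack after the cipher set command.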