7.8. Setting up Subsystems with an External CA
7.8.1. The Difference Between an Internal and External CA
In Red Hat Certificate System, when the pkispawn utility sends subsystem Certificate Signing Requests (CSR) to a previously installed Certificate System, and the resulting issued certificates are received and used by pkispawn, the CA the CSRs were sent to is called an Internal CA.
			
An External CA, by contrast, can be one of the following:
- A non-Red Hat Certificate System CA that issues the signing certificate for a Certificate System subordinate CA.
- A previously installed Red Hat Certificate System CA that does not allow direct submission of CSRs. For example, this is the case if your environment requires CSRs from a subordinate CA, KRA, OCSP, TKS, or TPS to be in other formats than PKCS #10.
7.8.2. Installing a Subsystem with an External CA
				This section describes how to set up a subordinate CA or other subsystems whose certificate will be signed by an external CA.
			
Preparing the Configuration File for the External CA Installation
				Prepare the configuration file depending on whether you want your subsystem to be integrated into Certificate System or standalone:
			
- If you install a subsystem which is integrated into an existing Certificate System installation but which uses a certificate signed by an external CA:
  - Create the configuration file for the subsystem. See Section 7.7.3, “Creating the Configuration File for the First Step of the Installation”.
  - Add the following settings to your configuration file:
    - For a CA installation:
    - For a KRA installation:
    - For an OCSP installation:
- If you install a standalone KRA or OCSP, which is not integrated into an existing Certificate System installation, execute the steps described in Section 7.9, “Setting up a Standalone KRA or OCSP”.
Starting the Installation of a Subsystem with an External CA
				To start the installation with the configuration file:
			
- Use the pkispawn utility to start the installation:

      # pkispawn -f /root/config.txt -s subsystem

  Replace subsystem with the subsystem you want to install: CA, KRA, or OCSP.

  During this step, the setup stores the CSRs in the files specified in the configuration.
- Submit the CSRs to the external CA. Proceed after the CA has issued the corresponding certificates.

  In certain environments, if the external CA is also a Certificate System instance, the CSR in PKCS#10 format needs to be converted into CMC format before being submitted to the CA. See the Issuing Certificates Using CMC section in the Red Hat Certificate System Administration Guide for details about issuing the certificates.
- Optionally, customize the installation. For details, see Section 7.7.5, “Customizing the Configuration Between the Installation Steps”.
- After the external CA has issued the certificates, edit the deployment configuration file:
  - Set the pki_external_step_two to True:

        pki_external_step_two=True

  - Add the following parameters, based on the subsystem you are installing:
    - For a CA, set the path to the certificate file. For example:

          pki_ca_signing_cert_path=/home/user_name/ca_signing.crt

      If the specified file does not contain the certificate including the certificate chain, additionally specify the path to the certificate chain file and its nickname. For example:

          pki_cert_chain_path=/home/user_name/cert_chain.p7b
          pki_cert_chain_nickname=CA Signing Certificate

    - For a KRA, set the paths to the certificate files. For example:

      If the specified files do not contain the certificate including the certificate chain, additionally specify the paths to the signing certificate file and the certificate chain file together with their nicknames. For example:

          pki_ca_signing_nickname=CA Signing Certificate
          pki_ca_signing_cert_path=/home/user_name/ca_signing.crt
          pki_cert_chain_nickname=External Certificate Chain
          pki_cert_chain_path=/home/user_name/cert_chain.p7b

    - For an OCSP, set the paths to the certificate files. For example:

          pki_ocsp_signing_cert_path=/home/user_name/ocsp_signing.crt
          pki_subsystem_cert_path=/home/user_name/subsystem.crt
          pki_sslserver_cert_path=/home/user_name/sslserver.crt
          pki_audit_signing_cert_path=/home/user_name/ocsp_audit_signing.crt
          pki_admin_cert_path=/home/user_name/ocsp_admin.crt

      If the specified files do not contain the certificate including the certificate chain, additionally specify the paths to the signing certificate file and the certificate chain file together with their nicknames. For example:

          pki_ca_signing_nickname=CA Signing Certificate
          pki_ca_signing_cert_path=/home/user_name/ca_signing.crt
          pki_cert_chain_nickname=External Certificate Chain
          pki_cert_chain_path=/home/user_name/cert_chain.p7b
- Optionally, customize the configuration files. For examples, see Section 7.7.5, “Customizing the Configuration Between the Installation Steps”.
- Start the configuration step:

      # pkispawn -f /root/config.txt -s subsystem

  Replace subsystem with the subsystem you want to install: CA, KRA, or OCSP.
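A pre-flight check for the edited deployment configuration before the second pkispawn run, added here as an illustration; it is not part of the Red Hat documentation or of Certificate System. It assumes the parameters sit in a [CA] or [OCSP] section of an INI-style file and that the certificate files are PEM encoded; check_step_two and demo are hypothetical names, and treating a single PEM block as "no chain included" is a heuristic.

```python
import configparser
import os
import tempfile

# Step-two certificate parameters shown on the page, per subsystem.
REQUIRED = {
    "CA": ["pki_ca_signing_cert_path"],
    "OCSP": ["pki_ocsp_signing_cert_path", "pki_subsystem_cert_path", "pki_sslserver_cert_path",
             "pki_audit_signing_cert_path", "pki_admin_cert_path"],
}
PEM = "-----BEGIN CERTIFICATE-----"

def check_step_two(config_path, subsystem):
    """Return the problems found in a step-two deployment configuration."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(config_path)
    if not cfg.has_section(subsystem):  # assumed layout: one [CA]/[OCSP] section
        return [f"no [{subsystem}] section"]
    sec, problems, blocks = cfg[subsystem], [], []
    if sec.get("pki_external_step_two", "").strip().lower() != "true":
        problems.append("pki_external_step_two is not True")
    for key in REQUIRED[subsystem]:
        path = sec.get(key, "")
        if not os.path.isfile(path):
            problems.append(f"{key}: missing or unreadable file '{path}'")
            continue
        with open(path, errors="replace") as fh:
            blocks.append(fh.read().count(PEM))
        if blocks[-1] == 0:
            problems.append(f"{key}: no PEM certificate in {path}")
    chain, nick = sec.get("pki_cert_chain_path"), sec.get("pki_cert_chain_nickname")
    if bool(chain) != bool(nick):
        problems.append("pki_cert_chain_path and pki_cert_chain_nickname must be set together")
    if chain and not os.path.isfile(chain):
        problems.append(f"pki_cert_chain_path: missing file '{chain}'")
    # Heuristic: a file holding a single PEM block carries no chain.
    if not chain and 1 in blocks:
        problems.append("a certificate file has no chain and pki_cert_chain_path is unset")
    return problems

def demo():
    """Run the check on a constructed CA config and placeholder certificate."""
    d = tempfile.mkdtemp()
    crt, conf = os.path.join(d, "ca_signing.crt"), os.path.join(d, "config.txt")
    with open(crt, "w") as fh:  # constructed placeholder, not a real certificate
        fh.write(PEM + "\nconstructed\n-----END CERTIFICATE-----\n")
    with open(conf, "w") as fh:
        fh.write(f"[CA]\npki_external_step_two=False\npki_ca_signing_cert_path={crt}\n")
    return check_step_two(conf, "CA")
```

An empty list from check_step_two means the file passes these checks; it does not verify that the certificates were issued for the CSRs generated in the first step.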
7.8.3. Post-Installation
Once you have completed the procedures above, follow Section 7.10, “Post-installation Tasks” for additional post-installation actions.