7.5. 创建并配置 RootCA （第二部分）

1. 验证此实例上是否存在 nssdb 密码文件：

   # ls /etc/dirsrv/slapd-CC-RSA-RootCA-LDAP/pwdfile.txt

   Copy to Clipboard Toggle word wrap

2. 停止 DS ：

   # dsctl slapd-CC-RSA-RootCA-LDAP stop

   Copy to Clipboard Toggle word wrap

3. 使用 certutil 工具生成 CSR：

   # certutil -R -d /etc/dirsrv/slapd-CC-RSA-RootCA-LDAP -s "CN=rhds11.example.com" -g 2048 -f /etc/dirsrv/slapd-CC-RSA-RootCA-LDAP/pwdfile.txt -a -o /etc/dirsrv/slapd-CC-RSA-RootCA-LDAP/Server-Cert-rootca.csr -z /etc/dirsrv/slapd-CC-RSA-RootCA-LDAP/noise.txt

   Copy to Clipboard Toggle word wrap
   重要

   编辑上面获取的 Server-Cert-rootca.csr 输出文件，以删除"Begin Certificate Request"前的几行。例如：
   

   # vi /etc/dirsrv/slapd-CC-RSA-RootCA-LDAP/Server-Cert-rootca.csr

   Copy to Clipboard Toggle word wrap

   CSR 文件必须以"-----BEGIN CERTIFICATE REQUEST-----"行开头，并以"-----END CERTIFICATE REQUEST-----"行结尾。

   1. 启动 DS ：

      # dsctl slapd-CC-RSA-RootCA-LDAP start

      Copy to Clipboard Toggle word wrap

   2. 远程将 Server-Cert-rootca.csr 文件复制到 CA 所在的系统中。例如：

      # scp /etc/dirsrv/slapd-CC-RSA-RootCA-LDAP/Server-Cert-rootca.csr root@rhcs10.example.com:/root/.dogtag/pki_rsa_bootstrap/certs_db/Server-Cert-rootca.csr

      Copy to Clipboard Toggle word wrap

1. 生成 CMC 请求：

   1. 创建 CMCRequest 配置文件。例如：

      # vim /root/.dogtag/pki_rsa_bootstrap/certs_db/cmc.dirsrv-rootca_pkcs10.cfg

      Copy to Clipboard Toggle word wrap

      ### numRequests: Total number of PKCS10 requests or CRMF requests.
      numRequests=1
      
      ### input: full path for the PKCS10 request or CRMF request,
      ### The content must be in Base-64 encoded format.
      ### Multiple files are supported. They must be separated by a space.
      ### For input on a different host, specify where to find the CSR.
      input=/root/.dogtag/pki_rsa_bootstrap/certs_db/Server-Cert-rootca.csr
      
      ### output: full path for the CMC request in binary format
      ### For output on a different host, specify the destination.
      output=/root/.dogtag/pki_rsa_bootstrap/certs_db/cmc.dirsrv-rootca_pkcs10.req
      
      ### tokenname: name of the token where the agent signing cert can be found (default is internal)
      tokenname=internal
      
      ### nickname: nickname for the agent certificate that will be used to sign the CMC full request.
      nickname=PKI Bootstrap Administrator for RSA-RootCA
      
      ### dbdir: directory for cert8.db, key3.db and secmod.db
      dbdir=/root/.dogtag/pki_rsa_bootstrap/certs_db
      
      ### password: password for cert8.db that stores the agent certificate
      password=SECret.123
      
      ### format: request format, either pkcs10 or crmf
      format=pkcs10

      Copy to Clipboard Toggle word wrap

   2. 使用 CMCRequest 命令生成请求：

      # CMCRequest /root/.dogtag/pki_rsa_bootstrap/certs_db/cmc.dirsrv-rootca_pkcs10.cfg
      
      cert/key prefix =
      path = /root/.dogtag/pki_rsa_bootstrap/certs_db
      CryptoManger initialized
      token internal logged in...
      got signerCert: PKI Bootstrap Administrator for RSA-RootCA
      createPKIData: begins
      k=0
      createPKIData:  format: pkcs10
      useSharedSecret is false...
      signData: begins:
      getPrivateKey: got signing cert
      signData:  got signer privKey
      createSignedData: begins
      getSigningAlgFromPrivate: begins.
      getSigningAlgFromPrivate: found signingKeyType=RSA
      getSigningAlgFromPrivate: using SignatureAlgorithm: RSASignatureWithSHA256Digest
      createSignedData: digest created for pkidata
      createSignedData: digest algorithm =RSASignatureWithSHA256Digest
      createSignedData: building cert chain
      signData: signed request generated.
      getCMCBlob: begins
      getCMCBlob: generating signed data
      
      The CMC enrollment request in base-64 encoded format:
      
      . . . Output omitted . . .
      
      The CMC enrollment request in binary format is stored in
      /root/.dogtag/pki_rsa_bootstrap/certs_db/cmc.dirsrv-rootca_pkcs10.req

      Copy to Clipboard Toggle word wrap

2. 提交 CMC 请求：

   1. 创建 HttpClient 配置文件。例如：

      # vim /root/.dogtag/pki_rsa_bootstrap/certs_db/HttpClient_dirsrv-rootca.cfg

      Copy to Clipboard Toggle word wrap

      ### host: host name for the http server
      host=rhcs10.example.com
      
      ### port: port number
      port=8443
      
      ### secure: true for secure connection, false for nonsecure connection
      secure=true
      
      ### input: full path for the enrollment request, the content must be in binary format
      input=/root/.dogtag/pki_rsa_bootstrap/certs_db/cmc.dirsrv-rootca_pkcs10.req
      
      ### output: full path for the response in binary format
      output=/root/.dogtag/pki_rsa_bootstrap/certs_db/cmc.dirsrv-rootca_pkcs10.resp
      
      ### tokenname: name of the token where the SSL client authentication cert can be found (default is internal)
      ### This parameter will be ignored if secure=false
      tokenname=internal
      
      ### dbdir: directory for cert8.db, key3.db and secmod.db
      ### This parameter will be ignored if secure=false
      dbdir=/root/.dogtag/pki_rsa_bootstrap/certs_db
      
      ### clientmode: true for client authentication, false for no client authentication
      ### This parameter will be ignored if secure=false
      clientmode=true
      
      ### password: password for cert8.db
      ### This parameter will be ignored if secure=false and clientauth=false
      password=SECret.123
      
      ### nickname: nickname for client certificate
      ### This parameter will be ignored if clientmode=false
      nickname=PKI Bootstrap Administrator for RSA-RootCA
      
      ### servlet: servlet name
      servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caCMCserverCertWithCRLDP

      Copy to Clipboard Toggle word wrap
      注意

      对于 EC 证书，通过设置来使用 ECC 配置集：

      servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caCMCECserverCertWithCRLDP

      Copy to Clipboard Toggle word wrap

   2. 使用 HttpClient 命令提交请求：

      # HttpClient /root/.dogtag/pki_rsa_bootstrap/certs_db/HttpClient_dirsrv-rootca.cfg
      
      Total number of bytes read = 3096
      after SSLSocket created, thread token is NSS FIPS 140-2 User Private Key
      client cert is not null
      handshake happened
      writing to socket
      
      ##Response Headers begin##
      HTTP/1.1 200
      Content-Type: application/pkcs7-mime
      Content-Length: 2492
      Date: Tue, 29 Sep 2020 15:20:21 GMT
      Connection: close
      ##end##
      
      . . . Output omitted . . .
      
      The response in binary format is stored in
      /root/.dogtag/pki_rsa_bootstrap/certs_db/cmc.dirsrv-rootca_pkcs10.resp

      Copy to Clipboard Toggle word wrap

3. 处理 CMC 响应：

   1. 使用 CMCResponse 处理响应，以 PEM 格式单独以链的形式显示所有证书：

      重要

      使用 "-v" 选项运行 CMCResponse 将链中每个证书的 PEM 返回为 Cert:0, Cert:1 等。在所有 PEM 下，输出也会以用户打印格式显示链中的每个证书。由于证书没有以固定顺序显示，因此为了确定其在链中的位置，您必须检查每个 "Certificate" 下的"Subject: "。对应的 PEM 显示在上面的同一位置。

      # CMCResponse -d /root/.dogtag/pki_rsa_bootstrap/certs_db -i /root/.dogtag/pki_rsa_bootstrap/certs_db/cmc.dirsrv-rootca_pkcs10.resp -v
      
      Cert:0
      ...
      ===
      Cert:1
      ...
      ===
      Cert:2
      ...
      ===
      Certificates:
          Certificate:
              Data:
                  Version:  v3
                  Serial Number: 0xA383694
                  Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
                  Issuer: CN=CA Signing Certificate,OU=rhcs10-RSA-RootCA,O=Example-rhcs10-RSA-RootCA
                  Validity:
                      Not Before: Tuesday, April 5, 2022 8:41:36 AM EDT America/New_York
                      Not  After: Monday, March 25, 2024 8:41:36 AM EDT America/New_York
                  Subject: CN=rhds11.example.com
      
      . . . Output omitted . . .
      
          Certificate:
              Data:
                  Version:  v3
                  Serial Number: 0x5C8FAD4
                  Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
                  Issuer: CN=CA Signing Certificate,OU=rhcs10-RSA-RootCA,O=Example-rhcs10-RSA-RootCA
                  Validity:
                      Not Before: Tuesday, April 5, 2022 8:36:21 AM EDT America/New_York
                      Not  After: Saturday, April 5, 2042 8:36:21 AM EDT America/New_York
                  Subject: CN=CA Signing Certificate,OU=rhcs10-RSA-RootCA,O=Example-rhcs10-RSA-RootCA
      
      . . . Output omitted . . .
      
          Certificate:
              Data:
                  Version:  v3
                  Serial Number: 0x80296C3
                  Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
                  Issuer: CN=CA Signing Certificate,OU=rhcs10-RSA-RootCA,O=Example-rhcs10-RSA-RootCA
                  Validity:
                      Not Before: Tuesday, April 5, 2022 8:39:43 AM EDT America/New_York
                      Not  After: Friday, April 5, 2041 8:39:43 AM EDT America/New_York
                  Subject: CN=CA Signing Certificate,OU=rhcs10-RSA-RootCA,O=Example-rhcs10-RSA-RootCA
      
      . . . Output omitted . . .
      
      Number of controls is 1
      Control #0: CMCStatusInfoV2
      OID: {1 3 6 1 5 5 7 7 25}
      BodyList: 1
      Status: SUCCESS
      CMC Full Response.

      Copy to Clipboard Toggle word wrap

   2. 将新 Server-Cert DS 证书保存到 bootstrap 证书目录（例如 /root/.dogtag/pki_rsa_bootstrap/certs_db/）中的文件中。.pem 文件必须以 header -----BEGIN CERTIFICATE----- 开头，并以 footer -----END CERTIFICATE----- 结束。例如：

      # vi /root/.dogtag/pki_rsa_bootstrap/certs_db/Server-Cert-rootca.pem

      Copy to Clipboard Toggle word wrap

      其中 Server-Cert-rootca.pem 是 Directory Server 实例的新 Server-Cert 证书，充当 RootCA 的 internaldb。

      注意

      RootCA 的签名证书应与以下命令的输出匹配：

      # certutil -L -d /var/lib/pki/rhcs10-RSA-RootCA/alias/ -n "CA Signing Cert - rhcs10-RSA-RootCA" -a

      Copy to Clipboard Toggle word wrap

4. 远程将新的 Server-Cert 证书复制到 rhds11.example.com。例如：

   # scp /root/.dogtag/pki_rsa_bootstrap/certs_db/Server-Cert-rootca.pem root@rhds11.example.com:/etc/dirsrv/slapd-CC-RSA-RootCA-LDAP/

   Copy to Clipboard Toggle word wrap

1. 停止 DS ：

   # dsctl slapd-CC-RSA-RootCA-LDAP stop

   Copy to Clipboard Toggle word wrap

2. 将 dirsrv 目录的内容保存到备份目录中：

   # cp -r /etc/dirsrv/slapd-CC-RSA-RootCA-LDAP/ /etc/dirsrv/save-rsa/slapd-CC-RSA-RootCA-LDAP/

   Copy to Clipboard Toggle word wrap

3. 删除旧的 DS 证书：

   # certutil -D -d /etc/dirsrv/slapd-CC-RSA-RootCA-LDAP/ -f /etc/dirsrv/slapd-CC-RSA-RootCA-LDAP/pwdfile.txt -n "Server-Cert"

   Copy to Clipboard Toggle word wrap

   # certutil -D -d /etc/dirsrv/slapd-CC-RSA-RootCA-LDAP/ -f /etc/dirsrv/slapd-CC-RSA-RootCA-LDAP/pwdfile.txt -n "Self-Signed-CA"

   Copy to Clipboard Toggle word wrap

4. 在链 1 中导入新创建的 DS 证书及其 CA 证书。例如：

   # certutil -d /etc/dirsrv/slapd-CC-RSA-RootCA-LDAP/ -f /etc/dirsrv/slapd-CC-RSA-RootCA-LDAP/pwdfile.txt -A -t "CT,C,C" -n "CA Signing Cert - rhcs10-RSA-RootCA" -i /opt/pki_rsa/rootCA.pem

   Copy to Clipboard Toggle word wrap

   # certutil -d /etc/dirsrv/slapd-CC-RSA-RootCA-LDAP/ -f /etc/dirsrv/slapd-CC-RSA-RootCA-LDAP/pwdfile.txt -A -t "u,u,u" -n "Server-Cert" -i /etc/dirsrv/slapd-CC-RSA-RootCA-LDAP/Server-Cert-rootca.pem

   Copy to Clipboard Toggle word wrap

5. 列出证书：

   # certutil -L -d /etc/dirsrv/slapd-CC-RSA-RootCA-LDAP/
   
   Certificate Nickname                        Trust Attributes
                                               SSL,S/MIME,JAR/XPI
   CA Signing Cert - rhcs10-RSA-RootCA         CT,C,C
   Server-Cert                                 u,u,u

   Copy to Clipboard Toggle word wrap

6. 在 rhds11.example.com 上，启动 DS：

   # dsctl slapd-CC-RSA-RootCA-LDAP start

   Copy to Clipboard Toggle word wrap

7. 测试以确认 LDAP 服务器已启动并在运行（如果是单独的系统，则在 CA 主机上进行测试）：

   # ldapsearch -x -D "cn=Directory Manager" -H ldaps://rhds11.example.com:636 -b "dc=example,dc=com" -w SECret.123

   Copy to Clipboard Toggle word wrap

   如果在单独的系统上测试，请在 ldapsearch 命令前面包含 CA 证书链，例如：

   # LDAPTLS_CACERT=/opt/pki_rsa/ca-chain.pem ldapsearch -x -D "cn=Directory Manager" -H ldaps://rhds11.example.com:636 -b "dc=example,dc=com" -w SECret.123

   Copy to Clipboard Toggle word wrap

1. 停止 CA：

   # pki-server stop rhcs10-RSA-RootCA

   Copy to Clipboard Toggle word wrap

2. 列出证书：

   # certutil -L -d /var/lib/pki/rhcs10-RSA-RootCA/alias/
   
   Certificate Nickname                Trust Attributes
                                       SSL,S/MIME,JAR/XPI
   DS temp CA certificate              CT,C,C
   ...

   Copy to Clipboard Toggle word wrap

3. 从 nssdb 中删除临时证书：

   # certutil -D -d /var/lib/pki/rhcs10-RSA-RootCA/alias/ -n "DS temp CA certificate"

   Copy to Clipboard Toggle word wrap

1. 要启用证书撤销检查，在相应的 /var/lib/pki/rhcs10-RSA-RootCA/conf/server.xml 文件中：

   1. 将 enableOCSP 或 enableRevocationCheck 设置为 true ：

      enableOCSP=true
      or
      enableRevocationCheck=true

      Copy to Clipboard Toggle word wrap

   2. 另外，删除这两个参数及其分配的值：

      ocspResponderURL
      ocspResponderCertNickname

      Copy to Clipboard Toggle word wrap

2. 通过编辑 CA 的 CS.cfg 文件并将以下内容设置为 false 来禁用旧的撤销检查方法：

   auths.revocationChecking.enabled=false

   Copy to Clipboard Toggle word wrap

3. 启动 RootCA 实例：

   # pki-server start rhcs10-RSA-RootCA

   Copy to Clipboard Toggle word wrap

1. 检查基于文件的 CRL 发布：

   # ls -l /var/lib/pki/rhcs10-RSA-RootCA/crl
   total 8
   -rw-r--r--. 1 pkiuser pkiuser 574 Jun 20 18:08 ServerCertCRL-20240620-180859.der
   -rw-r--r--. 1 pkiuser pkiuser 613 Jun 20 18:09 ServerCertCRL-20240620-180938.der
   lrwxrwxrwx. 1 pkiuser pkiuser  68 Jun 20 18:09 ServerCertCRL.crl -> /var/lib/pki/rhcs10-RSA-RootCA/crl/ServerCertCRL-20240620-180938.der

   Copy to Clipboard Toggle word wrap

2. 显示并验证 CRL 的内容

   # BtoA /var/lib/pki/rhcs10-RSA-RootCA/crl/ServerCertCRL.crl /var/lib/pki/rhcs10-RSA-RootCA/crl/ServerCertCRL.bin
   # PrettyPrintCrl /var/lib/pki/rhcs10-RSA-RootCA/crl/ServerCertCRL.bin
   Certificate Revocation List:
           Data:
               Version:  v2
               Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
               Issuer: CN=CA Signing Certificate,OU=rhcs10-RSA-RootCA,O=Example-rhcs10-RSA-RootCA
               This Update: Thursday, June 20, 2024 6:09:38 PM EDT America/New_York
               Next Update: Thursday, June 20, 2024 9:00:00 PM EDT America/New_York
               Revoked Certificates:
                   Serial Number: 0xF6FDEF3
                   Revocation Date: Thursday, June 20, 2024 6:09:38 PM EDT America/New_York
                   Extensions:
                       Identifier: Revocation Reason - 2.5.29.21
                           Critical: no
                           Reason: Certificate_Hold
           Extensions:
               Identifier: CRL Number - 2.5.29.20
                   Critical: no
                   Number: 21
           Signature:
               Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
               Signature:
                   69:38:47:5D:E4:50:17:C5:6C:60:3F:1B:D8:B4:62:4D:
                   8B:11:FC:31:E4:26:6B:07:B6:BB:2C:7E:48:10:F4:DD:
                   0A:67:17:CB:DF:4E:1A:50:BE:4F:8F:61:B4:91:AE:DA:
                   E5:58:D5:FE:54:D9:94:B3:38:E1:B6:2C:19:C4:93:54:
                   D5:5E:8B:61:4F:89:52:5A:F7:F5:1B:2F:59:19:AD:23:
                   1F:6F:3C:93:17:F3:1A:1C:0B:9A:D2:8F:01:76:08:6E:
                   DA:DD:6F:2D:75:54:D3:D4:40:9A:2B:5D:8B:D5:BB:8B:
                   AF:89:E4:13:A7:F1:8A:AF:0A:72:26:E3:3D:FE:B3:90:
                   2B:F7:88:57:E9:8B:E7:82:B6:D3:F3:80:CD:F7:87:77:
                   69:AF:39:90:5E:46:9C:C2:C4:FA:44:01:77:6D:8F:2D:
                   5A:BD:B9:39:3F:E4:99:E7:F9:FD:2D:CD:FA:87:C1:42:
                   A4:D0:3B:87:0B:28:30:2D:2A:68:F2:68:7C:00:A8:4B:
                   AC:38:49:5A:03:D1:B2:CE:45:D8:C1:6A:3F:42:F0:04:
                   F6:CC:43:83:E8:19:41:6F:0A:64:95:C3:57:8F:54:53:
                   31:40:58:D4:CD:29:0E:0A:D9:15:E9:08:0C:B8:74:F4:
                   82:B4:4E:51:8F:1C:86:A3:2E:BF:BB:F8:4A:DD:17:07:
                   37:27:0F:8B:5C:5E:75:28:B4:0C:DE:F2:38:B9:0E:AE:
                   73:06:A1:3D:36:85:54:74:E6:C3:4B:78:80:9F:76:42:
                   85:D2:94:FF:A0:0C:7D:23:61:AB:4E:7A:D0:5B:EC:CF:
                   91:E9:CB:80:C4:A1:EB:86:FB:D8:E6:65:AC:48:D0:9F:
                   8B:95:07:A9:CA:D7:34:A9:7B:32:25:1E:F4:21:A8:06:
                   44:73:B4:99:79:B5:69:77:D1:18:3B:40:C5:20:AF:5C:
                   8E:D0:65:AE:34:CF:1F:90:82:97:33:7F:90:E6:D9:BC:
                   49:8F:BE:59:22:FE:09:E5:FA:F2:5F:31:77:6D:F8:99

   Copy to Clipboard Toggle word wrap

验证 CA 是否正常工作

1. 列出 CA 中的证书：

   # pki -p 8443 ca-cert-find

   Copy to Clipboard Toggle word wrap

2. 以 bootstrap admin 用户身份，列出 RootCA 中的用户：

   # pki -d /root/.dogtag/pki_rsa_bootstrap/certs_db/ -c SECret.123 -p 8443 -n "PKI Bootstrap Administrator for RSA-RootCA" ca-user-find

   Copy to Clipboard Toggle word wrap