22.2. Setting up the CA on the New Host
After you have exported the data from the existing Directory Server and Certificate System instances in Section 22.1, “Exporting Data from the Previous System”, set up the certificate authority (CA) on the new host:
- Set up Directory Server. See Section 6.5, “Installing Red Hat Directory Server”.
- Enable the Certificate System repository. See Section 6.6, “Attaching a Red Hat Subscription and Enabling the Certificate System Package Repository”.
- Install the pki-ca package:

    # yum install pki-ca

  If you require additional features, such as the Certificate System console, install the corresponding packages. For details, see Section 7.2, “Certificate System Packages”.
- When setting up the CA on a host that uses an IPv6 address, apply the steps described in Section 11.2, “Enabling IPv6 for a Subsystem”.
- Depending on your environment, this step differs:
  - When using a hardware security module (HSM): Create a deployment configuration file, for example /root/pki-CA-deployment.txt. For descriptions of the parameters used in this file, see Table 22.1, “pkispawn Parameter Descriptions” at the end of this step.
  - When not using a hardware security module (HSM):
    - Verify that the PKCS #12 file contains the CA signing certificate and key. Note that the file can additionally contain other certificates and keys.
    - Verify the trust flags of the CA signing certificate in the output of the previous step. Reset the flags if they are not set to CTu,Cu,Cu (trusted CA for SSL server and client certificates, for email and for object signing, with the private key present) or if they are missing:

        # pki pkcs12-cert-mod caSigningCert cert-pki-tomcat CA \
            --pkcs12-file /tmp/cs_bak/ca.p12 \
            --pkcs12-password-file /tmp/cs_bak/pkcs12_password.txt \
            --trust-flags "CTu,Cu,Cu"

    - Remove all other certificates and keys, except the CA signing certificate and key, from the PKCS #12 file.
    - If the CA being migrated is an intermediate CA, remove the root CA certificate from the PKCS #12 file. For example:

        # pki pkcs12-cert-del ca-pki-ca \
            --pkcs12-file /tmp/cs_bak/ca.p12 \
            --pkcs12-password-file /tmp/cs_bak/pkcs12_password.txt

    - Create a deployment configuration file, for example /root/pki-CA-deployment.txt. For descriptions of the parameters used in this file, see Table 22.1, “pkispawn Parameter Descriptions”.
  Table 22.1. pkispawn Parameter Descriptions

  - pki_hsm_* and pki_token_*: Enables communication with the HSM. Only set these parameters when setting up a CA with HSM.
  - pki_existing=True: Sets to use the existing CA mechanism.
  - pki_ca_signing_nickname: The CA signing nickname must be exactly the same as used in the previous installation, otherwise the installer cannot find the signing key.
  - pki_ca_signing_*: Sets the paths to the certificate signing request (CSR) and the certificate files copied from the existing machine.
  - pki_pkcs12_*: Sets the path to the PKCS #12 file and the password used to decrypt the file. Do not set these parameters when deploying a CA with HSM.
  - pki_ds_base_dn: Sets the Directory Server base distinguished name (DN). The value must be the same as on the previous CA. You can find this value on the previous host in the internaldb.basedn parameter in the /var/lib/instance_name/conf/CS.cfg file.
  - pki_serial_number_range_start: The serial number is critical. The value must be higher than the last number used in the previous CA. To display which numbers are already used, see the old CA's agent interface. This parameter is set in hex format without the leading 0x prefix. The value used in the examples (4e) is 78 in decimal.
  - pki_request_number_range_start: The request number is critical. The value must be higher than the last number used in the previous CA. To display which numbers are already used, see the old CA's agent interface. The value is set in decimal format.
  - pki_master_crl_enable=False: Prevents the initial creation and publishing of a certificate revocation list (CRL) during the setup. Instead, the CRL will be imported from the old data during the database migration.
  - pki_cert_chain_path and pki_cert_chain_nickname: Set these parameters only if the old CA is an intermediate CA. In this case, set the parameters to the path to the root CA certificate file and the nickname to use when storing the certificate in the network security services (NSS) database.
  - pki_ca_signing_record_create=False: Disables the recreation of the CA signing record at the end of the pkispawn process. This enables you to import the old database.
  - pki_ca_signing_serial_number: Sets the serial number of the CA signing certificate in decimal. This is used to delete the initially created signing certificate database record and import it through the LDIF data import instead. In a sequential serial number scheme, it should be the decimal representation of the value set in pki_serial_number_range_start, for example pki_serial_number_range_start=100 and pki_ca_signing_serial_number=256.

  For further details and parameter descriptions, see the pkispawn(8) man page.
- Create the new CA using the deployment configuration file. For example:
    # pkispawn -s CA -f /root/pki-CA-deployment.txt

- Verify that the CA signing key ID is the same in the existing and in the new CA. For example:
    # grep "internal=" /var/lib/instance_name/conf/password.conf | \
        awk -F= '{print $2;}' > internal.txt
    # certutil -K -d /var/lib/instance_name/alias/ -f internal.txt
    ...
    < 2> rsa 7bd4dc662670ebe08a35086b054175559608ac20 caSigningCert ca-pki-ca
    ...

  Run the same commands on the previous host. The key ID (the hexadecimal value printed before the nickname) of the CA signing key must be identical on both hosts; if it differs, the new instance is not using the migrated signing key.
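The two checks that decide whether the migrated CA is safe to bring up are the ones the table calls critical (the serial and request number ranges must lie above anything the old CA already issued, and the base DN and signing nickname must match) and the final key ID comparison. The following script is an added example, not part of the Red Hat documentation, that automates both as a pre-flight check before running pkispawn and after it. It assumes the deployment file is plain key=value text (pkispawn INI section headers are ignored), that the operator has read the last used serial and request numbers from the old CA's agent interface and passes them as arguments, and that certutil -K prints lines in the shape shown in the step above. The sample deployment file, CS.cfg and key listings it creates are constructed for the demonstration; only the caSigningCert line is taken from the procedure.

```shell
#!/bin/sh
# Added example: pre-flight checks for a Certificate System CA migration.
# Not Red Hat's code. Assumptions: key=value deployment file, last used
# serial (hex, no 0x) and request number (decimal) supplied by the operator.

# Print the value of KEY from an ini-style FILE (last occurrence wins).
cfg_get() {  # cfg_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Convert a hex string without the 0x prefix to decimal: 4e -> 78, 100 -> 256.
hex_to_dec() {
    [ -n "$1" ] || return 1
    printf '%d\n' "$(( 0x$1 ))"
}

# Read a certutil -K listing on stdin and print the key ID of NICKNAME.
# Expected line shape:  < 2> rsa <keyid> <nickname>
signing_key_id() {  # signing_key_id NICKNAME
    sed -n 's/^<[^>]*>[[:space:]]*//p' | while read -r _ktype kid rest; do
        if [ "$rest" = "$1" ]; then
            printf '%s\n' "$kid"
            break
        fi
    done
}

# Check DEPLOYMENT against the rules in Table 22.1. OLD_CSCFG is the old
# CA's CS.cfg; LAST_SERIAL_HEX and LAST_REQUEST are the highest numbers the
# old CA already used. Prints one line per problem; returns 0 only if clean.
check_deployment() {  # check_deployment DEPLOYMENT OLD_CSCFG LAST_SERIAL_HEX LAST_REQUEST
    cfg="$1"; old="$2"; last_serial="$3"; last_req="$4"; rc=0

    # Flags that must be fixed for an existing-CA import.
    for kv in pki_existing=True pki_master_crl_enable=False pki_ca_signing_record_create=False; do
        key="${kv%%=*}"; want="${kv#*=}"
        [ "$(cfg_get "$cfg" "$key")" = "$want" ] || { echo "$key must be $want"; rc=1; }
    done

    # Without the old nickname the installer cannot find the signing key.
    [ -n "$(cfg_get "$cfg" pki_ca_signing_nickname)" ] || { echo "pki_ca_signing_nickname is missing"; rc=1; }

    # Base DN must equal internaldb.basedn of the old CA.
    old_dn="$(cfg_get "$old" internaldb.basedn)"
    [ "$(cfg_get "$cfg" pki_ds_base_dn)" = "$old_dn" ] || { echo "pki_ds_base_dn must equal old internaldb.basedn ($old_dn)"; rc=1; }

    # Serial range start: hex without 0x, strictly above the last serial used.
    start_hex="$(cfg_get "$cfg" pki_serial_number_range_start)"
    case "$start_hex" in
        "")     echo "pki_serial_number_range_start is missing"; rc=1 ;;
        0[xX]*) echo "pki_serial_number_range_start must not carry the 0x prefix"; rc=1 ;;
        *)
            start_dec="$(hex_to_dec "$start_hex")"
            [ "$start_dec" -gt "$(hex_to_dec "$last_serial" 2>/dev/null)" ] 2>/dev/null \
                || { echo "pki_serial_number_range_start ($start_hex) is not above the last used serial ($last_serial)"; rc=1; }
            # Sequential scheme: the signing record serial is the decimal form of the range start.
            [ "$(cfg_get "$cfg" pki_ca_signing_serial_number)" = "$start_dec" ] \
                || { echo "pki_ca_signing_serial_number should be $start_dec (decimal of $start_hex)"; rc=1; }
            ;;
    esac

    # Request range start is decimal and must be above the last request number.
    req="$(cfg_get "$cfg" pki_request_number_range_start)"
    [ "$req" -gt "$last_req" ] 2>/dev/null \
        || { echo "pki_request_number_range_start ($req) is not above the last used request number ($last_req)"; rc=1; }

    return "$rc"
}

# Constructed sample inputs (not from the documentation): a deployment file
# and the old CA's CS.cfg, written to a temporary directory whose path is printed.
make_sample_files() {
    dir="$(mktemp -d)"
    cat > "$dir/pki-CA-deployment.txt" <<'EOF'
[CA]
pki_existing=True
pki_ca_signing_nickname=caSigningCert ca-pki-ca
pki_ds_base_dn=o=pki-tomcat-CA
pki_serial_number_range_start=4e
pki_ca_signing_serial_number=78
pki_request_number_range_start=1001
pki_master_crl_enable=False
pki_ca_signing_record_create=False
EOF
    printf 'internaldb.basedn=o=pki-tomcat-CA\n' > "$dir/CS.cfg"
    printf '%s\n' "$dir"
}

# Constructed certutil -K listing: the caSigningCert line is the one shown in
# the procedure, the Server-Cert line and its key ID are made up.
OLD_KEYS='<  0> rsa 0123456789abcdef0123456789abcdef01234567 Server-Cert cert-pki-ca
<  2> rsa 7bd4dc662670ebe08a35086b054175559608ac20 caSigningCert ca-pki-ca'

# Run both checks on the constructed data (last used serial 4d, request 1000).
d="$(make_sample_files)"
check_deployment "$d/pki-CA-deployment.txt" "$d/CS.cfg" 4d 1000 && echo "deployment file: OK"
echo "old CA signing key ID: $(printf '%s\n' "$OLD_KEYS" | signing_key_id 'caSigningCert ca-pki-ca')"
rm -rf "$d"
```

In practice, capture `certutil -K` on the old host into a file, run `signing_key_id` over that file and over the new host's listing, and refuse to proceed with the database migration unless the two IDs are identical.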