红帽全球峰会7.2. Installing an IdM server with an integrated CA with keys and certificates stored on an HSM
The default configuration for the ipa-server-install command is an integrated CA as the root CA.
During the installation, you must supply basic configuration of the system, for example the realm, the administrator’s password and the Directory Manager’s password.
The ipa-server-install installation script creates a log file at /var/log/ipaserver-install.log. If the installation fails, the log can help you identify the problem.
Prerequisites
- A supported networked HSM installed set up according to its vendors instructions. See Supported HSMs.
-
The HSM PKCS #11 library path,
/opt/nfast/toolkits/pkcs11/libcknfast.so. - An available slot, token, and the token password.
Procedure
Run the install command, ensuring you specify the location of the PKCS #11 library, the token name, and the token password:
ipa-server-install -a <password> -p <dmpassword>-r <IDM.EXAMPLE.COM> -U --setup-dns --allow-zone-overlap --no-forwarders -N --auto-reverse --random-serial-numbers -–token-name=<HSM-TOKEN> --token-library-path=/opt/nfast/toolkits/pkcs11/libcknfast.so- Specify the token password when prompted.
Verification
Run
certutilto display CA certificate information:certutil -L -d /etc/pki/pki-tomcat/alias Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI caSigningCert cert-pki-ca CT,C,C ocspSigningCert cert-pki-ca ,, Server-Cert cert-pki-ca u,u,u subsystemCert cert-pki-ca ,, auditSigningCert cert-pki-ca ,,PNote that where there is no
ulisted under Trust Attributes for a certificate, it indicates the private keys are stored on the token. In this case, only theServer-Cert cert-pki-cahas theuflags as it is not installed on the HSM for performance reasons.Verify that the keys and certificates are stored on the HSM:
certutil -L -d /etc/pki/pki-tomcat/alias -h <HSM-TOKEN> Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Enter Password or Pin for "<HSM-TOKEN>": <HSM-TOKEN>:subsystemCert cert-pki-ca u,u,u <HSM-TOKEN>:ocspSigningCert cert-pki-ca u,u,u <HSM-TOKEN>:caSigningCert cert-pki-ca CTu,Cu,Cu <HSM-TOKEN>:auditSigningCert cert-pki-ca u,u,PuThe certificate name is prefixed with the HSM token name, which indicates that the private keys and certificates are stored on the token.
Where the keys are stored does not affect how users obtain or use certificates.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}