红帽全球峰会10.3. 配置 ACME 颁发者
本节描述了如何为 PKI ACME Responder 配置签发者。ACME Issuer 的配置位于 /etc/pki/pki-tomcat/acme/issuer.conf。
您可以使用 pki-server acme-issuer-mod 命令通过命令行配置签发者。
在没有参数的情况下调用此命令会启动一个互动模式,例如:
pki-server acme-issuer-mod
Copy to clipboardCopied$ pki-server acme-issuer-mod The current value is displayed in the square brackets. To keep the current value, simply press Enter. To change the current value, enter the new value. To remove the current value, enter a blank space. Enter the type of the certificate issuer. Available types: nss, pki. Issuer Type: pki Enter the location of the PKI server (e.g. https://localhost.localdomain:8443). Server URL [https://localhost.localdomain:8443]: Enter the certificate nickname for client authentication. This might be the CA agent certificate. Enter blank to use basic authentication. Client Certificate: Enter the username of the CA agent for basic authentication. Enter blank if a CA agent certificate is used for client authentication. Agent Username [caadmin]: Enter the CA agent password for basic authentication. Enter blank if the password is already stored in a separate property file or if a CA agent certificate is used for client authentication. Agent Password [ ****** ]: Enter the certificate profile for issuing ACME certificates (e.g. acmeServerCert). Certificate Profile [acmeServerCert]:-
使用--
type参数调用 命令会根据指定的类型创建新的配置。 - 使用其他参数调用 命令会更新指定的参数。
10.3.1. 配置 PKI Issuer
您可以配置 PKI ACME Responder,以使用 PKI Issuer 发布证书。示例配置位于 /usr/share/pki/acme/issuer/pki/issuer.conf。
要配置 PKI 签发者,请将此示例
issuer.conf复制到/etc/pki/pki-tomcat/acme目录中,或者执行以下命令来自定义一些参数:pki-server acme-issuer-mod --type pki \ -Dusername=caadmin \ -Dpassword=Secret.123
Copy to clipboardCopied$ pki-server acme-issuer-mod --type pki \ -Dusername=caadmin \ -Dpassword=Secret.123根据需要自定义配置。
issuer.conf文件应类似如下:class=org.example.acme.issuer.PKIIssuer url=https://localhost.localdomain:8443 profile=acmeServerCert username=caadmin password=Secret.123
Copy to clipboardCopiedclass=org.example.acme.issuer.PKIIssuer url=https://localhost.localdomain:8443 profile=acmeServerCert username=caadmin password=Secret.123- url 参数指定 PKI 签发者位置。
- profile 参数指定要使用的证书配置文件。
- 要使用客户端证书身份验证,请在 nickname 参数中指定客户端证书 别名。
- 要使用基本身份验证,请在 username 参数中指定用户名,并在 password 参数中指定密码。
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}