Red Hat Summit 红帽全球峰会支持控制台(Console)开发人员开始试用联系人

此内容没有您所选择的语言版本。

13.9. Configuration for Server-Side Key Generation for Certificate Enrollment using the CA EE Portal

This section describes how to configure Server-Side Key Generation for Certificate Enrollment using the CA EE Portal.

13.9.1. Installation Configuration
复制链接

Note

A KRA instance is required in addition to the CA for setting up Server-Side Keygen.

Note

In case the CA and KRA are sharing a Tomcat instance, you do not need to execute the above step to import the transport certificate.
After installing the CA and KRA instances, in case of stand-alone Tomcat web server instances, you would need to add the KRA transport certificate to the nssdb of the CA.
  1. First, stop the CA: 
    # systemctl stop pki-tomcatd@ca_instance_name.service
    Copy to Clipboard Toggle word wrap
    For example: 
    # systemctl stop pki-tomcatd@pki-ca.service
    Copy to Clipboard Toggle word wrap
  2. Find and export the KRA transport certificate into a file: 
    # grep "kra.transport.cert=" /var/lib/pki/kra_instance_name/kra/conf/CS.cfg | sed 's/kra.transport.cert=//' > kra transport cert file
    Copy to Clipboard Toggle word wrap
    For example: 
    # grep "kra.transport.cert=" /var/lib/pki/pki-kra/kra/conf/CS.cfg | sed 's/kra.transport.cert=//' > /tmp/kraTransport.cert
    Copy to Clipboard Toggle word wrap
  3. Import the KRA transport certificate into the nssdb of the CA, using the nickname specified in the CA's CS.cfg file:
    1. List the transport certificate nickname: 
    grep "ca.connector.KRA.transportCertNickname" /var/lib/pki/ca_instance_name/ca/conf/CS.cfg
    Copy to Clipboard Toggle word wrap
    For example: 
    # grep "ca.connector.KRA.transportCertNickname" /var/lib/pki/pki-ca/ca/conf/CS.cfg
								ca.connector.KRA.transportCertNickname=KRA transport cert
    Copy to Clipboard Toggle word wrap
    • Import the certificate using the nickname listed from the previous step: 
    certutil -d /var/lib/pki/ca_instance_name/alias -A -t “,,” -n transportNickName -i kra transport cert file
    Copy to Clipboard Toggle word wrap
    For example: 
    # certutil -d /var/lib/pki/pki-ca/alias -A -t “,,” -n "KRA transport cert" -i /tmp/kraTransport.cert
    Copy to Clipboard Toggle word wrap
  4. Start the CA: 
    # systemctl start pki-tomcatd@ca_instance_name.service
    Copy to Clipboard Toggle word wrap
    For example: 
    # systemctl start pki-tomcatd@pki-ca.service
    Copy to Clipboard Toggle word wrap

13.9.2. Profile Configuration
复制链接

Two default profiles, caServerKeygen_UserCert and caServerKeygen_DirUserCert, are provided by default to allow for certificate enrollments where keys are generated on the server side. However, any profile with the right input, output, and policy set could be turned into a server-side keygen profile.
A Server-Side Keygen profile must contain the following components.

Input

input.i1.class_id=serverKeygenInputImpl
Copy to Clipboard Toggle word wrap

Output

output.o1.class_id=pkcs12OutputImpl
Copy to Clipboard Toggle word wrap

Policyset

Key type and key size parameters can be configured as exemplified below: 
policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
policyset.userCertSet.3.constraint.name=Key Constraint
policyset.userCertSet.3.constraint.params.keyType=-
policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
policyset.userCertSet.3.default.class_id=serverKeygenUserKeyDefaultImpl
policyset.userCertSet.3.default.name=Server-Side Keygen Default
policyset.userCertSet.3.default.params.keyType=RSA
policyset.userCertSet.3.default.params.keySize=2048
policyset.userCertSet.3.default.params.enableArchival=true
Copy to Clipboard Toggle word wrap

Authentication

The two default server-side keygen enrollment profiles differ in the authentication mechanism, where
  • caServerKeygen_UserCert.cfg
    contains an empty value to "auth.class_id=", meaning that enrollment requests through this profile will require approval from a CA agent.
  • caServerKeygen_DirUserCert.cfg
    contains "auth.instance_id=UserDirEnrollment", meaning that the user is required to pass LDAP uid/password authentication; such authentication mechanism is considered as an automatic certificate issuance as it does not require per-request approval from a CA agent.
    Automatic approval could be configured by setting the auth.instance_id directive to any compatible authentication plugin class, as examplified in the caServerKeygen_DirUserCert.cfg profile mentioned above. Here is an example of such a configuration in the CS.cfg file: 
    auths.instance.UserDirEnrollment.dnpattern=
auths.instance.UserDirEnrollment.ldap.basedn=ou=People,dc=example,dc=com
auths.instance.UserDirEnrollment.ldap.ldapconn.host=host.example.com
auths.instance.UserDirEnrollment.ldap.ldapconn.port=389
auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false
auths.instance.UserDirEnrollment.ldap.maxConns=
auths.instance.UserDirEnrollment.ldap.minConns=
auths.instance.UserDirEnrollment.ldapByteAttributes=
auths.instance.UserDirEnrollment.ldapStringAttributes=mail
auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth
    Copy to Clipboard Toggle word wrap
返回顶部
Red Hat logoGithubredditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。 了解我们当前的更新.

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

Theme

© 2025 Red Hat