此内容没有您所选择的语言版本。

14.4. Importing a certificate into an HSM


This procedure describes how to import a certificate into an HSM after gaining a newly issued certificate (such as when a system certificate is renewed) whose keys were generated on the same HSM token as the process of creating a CSR.
Before beginning, please change directories into the NSS DB:
  • cd /path/to/nssdb for example cd /var/lib/pki/pki-ca/alias
Ensure that your web service is taken offline (stopped, disabled, etc.) while performing these steps and ensure no concurrent access to the NSS DB by other processes (such as a browser). Doing so may corrupt the NSS DB or result in improper usage of these certificates.
If you have not imported and trusted the root certificate, see Section 14.2, “Importing a Root Certificate”. If you have not imported and validated the intermediate certificates, see Section 14.3, “Importing an Intermediate Certificate Chain”.
Note that which set of instructions you follow will depend on the usage for the certificate in question.
  • For TLS server certs for all PKI substems, follow the server certificate steps.
  • For any subsystem's audit signing cert, follow the steps below for validating an object Signing certificate.
  • For the CA subsystem's signing cert, follow the steps above for importing and validating an intermediate certificate chain, but do so only with the caSigningCert.
  • For the CA subsystem's OCSP signing cert, follow the steps below for validating an OCSP certificate.
  • For all other system certs of the PKI subsystems, follow the Client Certificate steps.
For more information about the certutil and PKICertImport options used below, see Section 14.1, “About certutil and PKICertImport.

To import a server certificate on the HSM:

  • Execute PKICertImport -d . -h HSM -n "host.name.example.com" -t ",," -a -i service.crt -u V
    This command validates and imports the server certificate onto the HSM. The validation succeeds when no error message is printed and the return code is 0. To check the return code, execute echo $? immediately after executing the previous command above. In most cases, a visual error message is printed. The certificate usually fails to validate due to expiry of a parent certificate or a missing CA trust chain (such as a missing intermediate certificate or a missing CA Root). If the validation does not succeed, contact the issuer and ensure that all intermediate and root certificates are present on your system.

To import a client certificate on the HSM:

  • Execute PKICertImport -d . -h HSM -n "client name" -t ",," -a -i client.crt -u C
    This command validates and imports the client certificate onto the HSM. The validation succeeds when no error message is printed and the return code is 0. To check the return code, execute echo $? immediately after executing the previous command above. In most cases, a visual error message is printed. If the validation does not succeed, contact the issuer and ensure that all intermediate and root certificates are present on your system.

To import an object signing certificate on the HSM:

  • Execute PKICertImport -d . -h HSM -n "certificate name" -t ",,P" -a -i objectsigning.crt -u J
    This command validates and imports the object signing certificate onto the HSM. The validation succeeds when no error message is printed and the return code is 0. To check the return code, execute echo $? immediately after executing the previous command above. In most cases, a visual error message is printed. If the validation does not succeed, contact the issuer and ensure that all intermediate and root certificates are present on your system.

To import an OCSP response signing certificate on the HSM:

  • Execute PKICertImport -d . -h HSM -n "certificate name" -t ",," -a -i ocsp.crt -u O
    This command validates and imports the OCSP responder certificate onto the HSM. The validation succeeds when no error message is printed and the return code is 0. To check the return code, execute echo $? immediately after executing the previous command above. In most cases, a visual error message is printed. If the validation does not succeed, contact the issuer and ensure that all intermediate and root certificates are present on your system.
Red Hat logoGithubRedditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

© 2024 Red Hat, Inc.