此内容没有您所选择的语言版本。

8.4. Installing a Clone Subsystem Using an HSM


Normally, clone subsystems are created using a PKCS #12 file containing the system keys of the master subsystem. This file is generated during the installation of the master subsystem by setting the pki_backup_keys to True in the configuration file you use for the installation along with the defined value for the pki_backup_password option, or by exporting the keys using the PKCS12Export tool.
You cannot generate a PKCS #12 file using this tool when using an HSM because the keys cannot be retrieved from the HSM. Instead, the clone subsystem should either be pointed to the HSM used by the master subsystem, so that it can access the same keys. Alternatively, if using a separate HSM, clone the keys to this HSM using the utilities provided by the HSM vendor. You must provide access to the master subsystem's key before running the pkispawn utility.
As Certificate System uses no PKCS #12 when installing with an HSM, you do not need to set the parameters in the configuration file for the location of a PKCS #12 file and its password. The following example lists options from the [Tomcat] section of the respective PKI configuration file that are required for generating a CA clone.
For generating a non-HSM CA clone:
  • pki_clone=True
  • pki_clone_pkcs12_password=Secret123
  • pki_clone_pkcs12_path=<path_to_pkcs12_file>
  • pki_clone_replicate_schema=True (default value)
  • pki_clone_uri=https://<master_ca_host_name>:<master_ca_https_port>
For generating a CA clone using an HSM:
  • pki_clone=True
  • pki_clone_replicate_schema=True (default value)
  • pki_clone_uri=https://<master_ca_host_name>:<master_ca_https_port>

Note

In order for the master subsystem to share the same certificates and keys with its clones, the HSM must be on a network that is in shared mode and accessible by all subsystems.
Red Hat logoGithubRedditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

© 2024 Red Hat, Inc.