红帽全球峰会7.3. Installing an IdM server with an external CA with keys and certificates stored on an HSM
You can install a new Identity Management (IdM) server that uses an external certificate authority (CA) as a root CA.
During the installation, you must supply basic configuration of the system, for example the realm, the administrator’s password and the Directory Manager’s password.
The ipa-server-install installation script creates a log file at /var/log/ipaserver-install.log. If the installation fails, the log can help you identify the problem.
Prerequisites
- A supported networked HSM installed set up according to its vendors instructions. See Supported HSMs.
-
The HSM PKCS #11 library path,
/opt/nfast/toolkits/pkcs11/libcknfast.so. - An available slot, token, and the token password.
If you install a server without an integrated IdM CA, you must request the following certificates from a third-party authority:
- An LDAP server certificate
- An Apache server certificate
- A PKINIT certificate
- Full CA certificate chain of the CA that issued the LDAP and Apache server certificates
Procedure
Run the install command, ensuring you specify that you are using an external CA.
# ipa-server-install --external-caDuring the installation process, the utility prints the location of the certificate signing request (CSR)
/root/ipa.csr:... Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds [1/8]: creating certificate server user [2/8]: configuring certificate server instance The next step is to get /root/ipa.csr signed by your CA and re-run /sbin/ipa-server-install as: /sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificateTo complete the certificate process, using the CSR generated by the installation utility, complete the following steps:
-
Submit the CSR located in
/root/ipa.csrto the external CA. The process differs depending on the service to be used as the external CA. Retrieve the issued certificate and the CA certificate chain for the issuing CA in a base 64-encoded blob (either a PEM file or a Base_64 certificate from a Windows CA). Again, the process differs for every certificate service. Usually, a download link on a web page or in the notification email allows the administrator to download all the required certificates.
重要Obtain the full certificate chain for the CA, not just the CA certificate.
-
Submit the CSR located in
Run the
ipa-server-installutility again to specify the path and names of the newly-issued CA certificate and the CA chain files and the location of the PKCS #11 library, the token name, and the token password:# ipa-server-install --external-cert-file=</tmp/servercert20170601.pem> --external-cert-file=</tmp/cacert.pem> -–token-name=<HSM-TOKEN> --token-library-path=/opt/nfast/toolkits/pkcs11/libcknfast.so- Specify the token password when prompted.
- The installation script now configures the server. Wait for the operation to complete.
Verification
Run
certutilto display CA certificate information:certutil -L -d /etc/pki/pki-tomcat/alias Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI caSigningCert cert-pki-ca CT,C,C ocspSigningCert cert-pki-ca ,, Server-Cert cert-pki-ca u,u,u subsystemCert cert-pki-ca ,, auditSigningCert cert-pki-ca ,,PYou can see the certificates but the
,,indicates no private keys as they are stored on the token.Verify that the keys and certificates are stored on the HSM:
certutil -L -d /etc/pki/pki-tomcat/alias - h <HSM-TOKEN> Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Enter Password or Pin for "<HSM-TOKEN>": <HSM-TOKEN>:subsystemCert cert-pki-ca u,u,u <HSM-TOKEN>:ocspSigningCert cert-pki-ca u,u,u <HSM-TOKEN>:caSigningCert cert-pki-ca CTu,Cu,Cu <HSM-TOKEN>:auditSigningCert cert-pki-ca u,u,PuThe certificate name is prefixed with the HSM token name, which indicates that the private keys and certificates are stored on the token.
Where the keys are stored does not affect how users obtain or use certificates.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}