docs/installation/[ocsp,kra.tks.tps]
replaced .md files with "Converted/moved to" message
ladycfu committed Jan 17, 2025
1 parent 5370420 commit 48823ce
Showing 26 changed files with 26 additions and 2,353 deletions.
105 changes: 1 addition & 104 deletions docs/installation/kra/Installing_KRA.md
@@ -1,104 +1 @@
Installing KRA
==============

Overview
--------

This page describes the process to install a KRA subsystem.

KRA Subsystem Installation
--------------------------

Prepare a file (e.g. kra.cfg) that contains the deployment configuration.
A sample deployment configuration is available at [/usr/share/pki/server/examples/installation/kra.cfg](../../../base/server/examples/installation/kra.cfg).

Then execute the following command:

```
$ pkispawn -f kra.cfg -s KRA
```

It will install KRA subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases:
* server NSS database: /var/lib/pki/pki-tomcat/conf/alias
* admin NSS database: ~/.dogtag/pki-tomcat/kra/alias

**Note**: When KRA is installed on a new system without any other subsystems,
it is necessary to provide the CA's root certificate. Specify the path to
the CA PKCS#7 PEM file in the `pki_cert_chain_path`. This will allow the server
to verify the CA's SSL server certificate when contacting the security domain.
It is up to the administrator to securely transport the CA root certificate
(public key only!) to the system prior to KRA installation.

Verifying System Certificates
-----------------------------

Verify that the server NSS database contains the following certificates:

```
$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
ca_signing CT,C,C
kra_transport u,u,u
kra_storage u,u,u
subsystem u,u,u
kra_audit_signing u,u,Pu
sslserver u,u,u
```

Verifying Admin Certificate
---------------------------

Prepare a client NSS database (e.g. ~/.dogtag/nssdb):

```
$ pki -c Secret.123 client-init
```

Import the CA signing certificate:

```
$ pki -c Secret.123 client-cert-import ca_signing --ca-cert ca_signing.crt
```

Import admin key and certificate:

```
$ pki -c Secret.123 pkcs12-import \
--pkcs12 ca_admin_cert.p12 \
--pkcs12-password Secret.123
```

Verify that the admin certificate can be used to access the KRA subsystem by executing the following command:

```
$ pki -c Secret.123 -n caadmin kra-user-show kraadmin
---------------
User "kraadmin"
---------------
User ID: kraadmin
Full name: kraadmin
Email: [email protected]
Type: adminType
State: 1
```

Verifying KRA Connector
-----------------------

Verify that the KRA connector is configured in the CA subsystem:

```
$ pki -c Secret.123 -n caadmin ca-kraconnector-show
Host: pki.example.com:8443
Enabled: true
Local: false
Timeout: 30
URI: /kra/agent/kra/connector
Transport Cert:
<base-64 certificate>
```
Converted/moved to [Installing_KRA.adoc](../kra/Installing_KRA.adoc)
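Review bot: The link target `../kra/Installing_KRA.adoc` on the replacement line climbs out of `docs/installation/kra/` only to re-enter it; `Installing_KRA.adoc` resolves to the same file and survives a directory rename. More importantly, the commit summary (26 files, 26 additions, 2,353 deletions) shows every addition is a one-line stub, so no `.adoc` files are created in this commit; the link depends on `Installing_KRA.adoc` already existing on the branch, and that should be confirmed before merging or the stub points at nothing. The removed text also carried the only mention of `pki_cert_chain_path` and the requirement to transport the CA root certificate (public key only) to a fresh system out of band; it is worth checking that the `.adoc` keeps that note, since it is what lets a standalone KRA verify the CA's SSL server certificate when it contacts the security domain.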
137 changes: 1 addition & 136 deletions docs/installation/kra/Installing_KRA_Clone.md
@@ -1,136 +1 @@
Installing KRA Clone
====================

Overview
--------

This page describes the process to install a KRA subsystem as a clone of an existing KRA subsystem.

Before beginning with the installation, please ensure that you have configured the directory
server and added base entries.
The step is described [here](https://github.com/dogtagpki/pki/wiki/DS-Installation).

Additionally, make sure the FQDN has been [configured](../server/FQDN_Configuration.adoc) correctly.

Exporting Existing KRA System Certificates
------------------------------------------

On the existing system, export the KRA system certificates with the following command:

```
$ pki-server kra-clone-prepare \
--pkcs12-file kra-certs.p12 \
--pkcs12-password Secret.123
```

The command will export the following certificates (including the certificate chain) and their keys into a PKCS #12 file:

* KRA storage certificate
* KRA transport certificate
* audit signing certificate
* subsystem certificate

Note that the existing SSL server certificate will not be exported.

If necessary, third-party certificates (e.g. trust anchors) can be added into the same PKCS #12 file with the following command:

```
$ pki -d /var/lib/pki/pki-tomcat/conf/alias -f /var/lib/pki/pki-tomcat/conf/password.conf \
pkcs12-cert-import <nickname> \
--pkcs12-file kra-certs.p12 \
--pkcs12-password Secret.123 \
--append
```

KRA Subsystem Installation
--------------------------

Prepare a deployment configuration (e.g. `kra-clone.cfg`) to deploy KRA subsystem clone.
By default the subsystem will be deployed into a Tomcat instance called `pki-tomcat`.

A sample deployment configuration is available at [/usr/share/pki/server/examples/installation/kra-clone.cfg](../../../base/server/examples/installation/kra-clone.cfg).
It assumes that the primary CA and KRA subsystems are running at https://primary.example.com:8443,
the CA signing certificate has been exported into `ca_signing.crt`,
and the admin certificate and key have been exported into `ca_admin_cert.p12`.
The PKCS #12 password is specified in the `pki_client_pkcs12_password` parameter.
See [Installing CA](../ca/Installing_CA.md) for details.

To start the installation execute the following command:

```
$ pkispawn -f kra-clone.cfg -s KRA
```

KRA System Certificates
-----------------------

After installation the existing KRA system certificates (including the certificate chain)
and their keys will be stored in the server NSS database (i.e. `/var/lib/pki/pki-tomcat/conf/alias`),
and a new SSL server certificate will be created for the new instance:

```
$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
ca_signing CT,C,C
kra_storage u,u,u
sslserver u,u,u
subsystem u,u,u
kra_audit_signing u,u,Pu
kra_transport u,u,u
```

If necessary, the certificates can be exported into PEM files with the following command:

```
$ pki-server cert-export <cert ID> --cert-file <filename>
```

The valid certificate IDs for KRA are:
* `kra_storage_signing`
* `kra_transport_signing`
* `kra_audit_signing`
* `subsystem`
* `sslserver`

Note that the `pki-server cert-export` command takes a certificate ID instead of a nickname.
For simplicity the nicknames in this example are configured to be the same as the certificate IDs.

Admin Certificate
-----------------

To use the admin certificate from the CA subsystem, prepare a client NSS database (default is `~/.dogtag/nssdb`):

```
$ pki client-init
```

Then import the CA signing certificate into the client NSS database:

```
$ pki client-cert-import ca_signing --ca-cert ca_signing.crt
```

Finally, import admin certificate and key with the following command:

```
$ pki pkcs12-import \
--pkcs12 ca_admin_cert.p12 \
--pkcs12-password Secret.123
```

To verify that the admin certificate can be used to access the KRA subsystem clone, execute the following command:

```
$ pki -n caadmin kra-user-show kraadmin
---------------
User "kraadmin"
---------------
User ID: kraadmin
Full name: kraadmin
Email: [email protected]
Type: adminType
State: 1
```
Converted/moved to [Installing_KRA_Clone.adoc](../kra/Installing_KRA_Clone.adoc)
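Review bot: The removed page cross-linked `../ca/Installing_CA.md` for the `pki_client_pkcs12_password` details; if that CA page is among the 26 files stubbed in this commit, the `.adoc` replacement should link to the converted CA page rather than a now-empty `.md`. The removed text also listed the exportable certificate IDs as `kra_storage_signing` and `kra_transport_signing` while the `certutil -L` output shows nicknames `kra_storage` and `kra_transport`, and then stated that the nicknames were configured to match the IDs; that inconsistency should not be carried into the converted page. The replacement link itself could be simply `Installing_KRA_Clone.adoc`, since `../kra/` leaves and re-enters the same directory.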
151 changes: 1 addition & 150 deletions docs/installation/kra/Installing_KRA_Clone_with_HSM.md
@@ -1,150 +1 @@
Installing KRA Clone with HSM
=============================

Overview
--------

This page describes the process to install a KRA subsystem as a clone of an existing KRA subsystem
where the system certificates and their keys are stored in HSM.

Since the certificates and the keys are already in HSM, it's not necessary to export them into a
PKCS #12 file to create a clone.

KRA Subsystem Installation
--------------------------

Prepare a file (e.g. kra.cfg) that contains the deployment configuration, for example:

```
[DEFAULT]
pki_server_database_password=Secret.123
pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/pkcs11/libsofthsm2.so
pki_hsm_modulename=softhsm
pki_token_name=HSM
pki_token_password=Secret.HSM
[KRA]
[email protected]
pki_admin_name=kraadmin
pki_admin_nickname=kraadmin
pki_admin_password=Secret.123
pki_admin_uid=kraadmin
pki_client_pkcs12_password=Secret.123
pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com
pki_ds_database=kra
pki_ds_password=Secret.123
pki_security_domain_hostname=pki.example.com
pki_security_domain_https_port=8443
pki_security_domain_user=caadmin
pki_security_domain_password=Secret.123
pki_storage_nickname=kra_storage
pki_transport_nickname=kra_transport
pki_audit_signing_nickname=kra_audit_signing
pki_sslserver_nickname=sslserver/replica.example.com
pki_subsystem_nickname=subsystem
pki_clone=True
pki_clone_replicate_schema=True
pki_clone_uri=https://pki.example.com:8443
```

Then execute the following command:

```
$ pkispawn -f kra.cfg -s KRA
```

It will install KRA subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases:
* server NSS database: /var/lib/pki/pki-tomcat/conf/alias
* admin NSS database: ~/.dogtag/pki-tomcat/kra/alias

Verifying System Certificates
-----------------------------

Verify that the internal token contains the following certificates:

```
$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
ca_signing CT,C,C
kra_audit_signing ,,P
```

Verify that the HSM contains the following certificates:

```
$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias -h HSM -f HSM.pwd
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
HSM:kra_transport u,u,u
HSM:kra_storage u,u,u
HSM:subsystem u,u,u
HSM:kra_audit_signing u,u,Pu
HSM:sslserver/replica.example.com u,u,u
```

Verifying Admin Certificate
---------------------------

Prepare a client NSS database (e.g. ~/.dogtag/nssdb):

```
$ pki -c Secret.123 client-init
```

Import the CA signing certificate:

```
$ pki -c Secret.123 client-cert-import ca_signing --ca-cert ca_signing.crt
```

Import admin key and certificate:

```
$ pki -c Secret.123 pkcs12-import \
--pkcs12 ca_admin_cert.p12 \
--pkcs12-password Secret.123
```

Verify that the admin certificate can be used to access the KRA subsystem by executing the following command:

```
$ pki -c Secret.123 -n caadmin kra-user-show kraadmin
---------------
User "kraadmin"
---------------
User ID: kraadmin
Full name: kraadmin
Email: [email protected]
Type: adminType
State: 1
```

Verifying KRA Connector
-----------------------

Verify that the KRA connector is configured in the CA subsystem:

```
$ pki -c Secret.123 -n caadmin ca-kraconnector-show
Host: pki.example.com:8443
Enabled: true
Local: false
Timeout: 30
URI: /kra/agent/kra/connector
Transport Cert:
<base-64 certificate>
```
Converted/moved to [Installing_KRA_Clone_with_HSM.adoc](../kra/Installing_KRA_Clone_with_HSM.adoc)
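Review bot: Leaving a one-line stub in place of each `.md` keeps the old URLs resolving, but the file stays indexed and will surface in repository search and wiki links as an apparently empty page; if the move is permanent, deleting the `.md` files (or keeping the stub for one release only) would be cleaner, and the stub should at least say the page is deprecated. Of the removed content, the HSM verification steps are the security-relevant part: the internal token listing shows only `ca_signing` and a `kra_audit_signing` entry with trust `,,P`, while the keys for `kra_transport`, `kra_storage`, `subsystem`, `kra_audit_signing` and `sslserver/replica.example.com` appear under the `HSM:` prefix when listed with `-h HSM -f HSM.pwd`. That split is what confirms the clone did not end up with software copies of HSM-held keys, so confirm `Installing_KRA_Clone_with_HSM.adoc` retains both `certutil -L` listings.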