Installing CA with External CA Signing Certificate

Revision as of 22:47, 24 March 2016

Overview

This page describes the process to install a CA whose CA signing certificate is issued by an external CA, in two pkispawn steps: the first generates the key and a CSR, the second imports the externally-signed certificate and chain.

Preparing New CA Installation

Download sample configuration file external-step1.cfg and customize it as needed.

pki_external=True
pki_external_step_two=False
pki_external_csr_path=/tmp/ca_signing.csr

Optionally, specify the HSM parameters:

pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast

Then execute:

$ pkispawn -v -f external-step1.cfg -s CA

It will create an NSS database in /var/lib/pki/pki-tomcat/alias and generate a CA certificate CSR in /tmp/ca_signing.csr.

Signing the CSR

Signing using PKI Server 10.3

If the PKI Server being installed is version 10.3, the CA certificate request can be submitted to an existing PKI CA with the following command:

$ pki -U http://ca.example.com:8080 ca-cert-request-submit --profile caCACert --csr-file /tmp/ca_signing.csr

The existing CA admin can approve the request by executing the following command on the existing PKI CA, where 28 is the request ID returned by the submit command. Note that a password given with -c is visible in the process list and in shell history; pki can read it from a file with -C <path> instead.

$ pki -c Secret123 -n "PKI Administrator example.com" ca-cert-request-review 28 --action approve

The newly signed CA certificate (serial 0x1c in this example, as reported when the request was approved) and the existing CA's own certificate (serial 0x1) can be downloaded to the installing server with the following commands:

$ pki -U http://ca.example.com:8080 ca-cert-show 0x1c --output /tmp/ca_signing.crt
$ pki -U http://ca.example.com:8080 ca-cert-show 0x1 --output /tmp/external.crt

Signing using PKI Server 10.2.x or older

If the PKI Server being installed is version 10.2.x or older, download the request template from an existing PKI CA with the following command:

$ pki -U http://ca.example.com:8080 ca-cert-request-profile-show caCACert --output caCACert.xml

Insert the CSR into the corresponding request template.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
    ...
    <Input id="i1">
        ...
        <Attribute name="cert_request_type">
            <Value>pkcs10</Value>
            ...
        </Attribute>
        <Attribute name="cert_request">
            <Value>
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
            </Value>
            ...
        </Attribute>
    </Input>
    ...
</CertEnrollmentRequest>

Submit the request to the existing CA with the following command:

$ pki -U http://ca.example.com:8080 ca-cert-request-submit caCACert.xml

The existing CA admin can approve the request by executing the following command on the existing PKI CA, where 28 is the request ID returned by the submit command (as above, -C <path> avoids putting the password on the command line):

$ pki -c Secret123 -n "PKI Administrator example.com" ca-cert-request-review 28 --action approve

The newly signed CA certificate (serial 0x1c in this example, as reported when the request was approved) and the existing CA's own certificate (serial 0x1) can be downloaded to the installing server with the following commands:

$ pki -U http://ca.example.com:8080 ca-cert-show 0x1c --output /tmp/ca_signing.crt
$ pki -U http://ca.example.com:8080 ca-cert-show 0x1 --output /tmp/external.crt

Signing using NSS Database

Create an NSS database:

$ mkdir nssdb
$ echo Secret123 > nssdb/password.txt
$ certutil -N -d nssdb -f nssdb/password.txt

Create an external CA certificate:

$ openssl rand -out nssdb/noise.bin 2048
$ echo -e "y\n\ny\n" | \
 certutil -S \
 -d nssdb \
 -f nssdb/password.txt \
 -z nssdb/noise.bin \
 -n "External CA" \
 -s "CN=External CA,O=EXTERNAL" \
 -x \
 -t "CTu,CTu,CTu" \
 -m $RANDOM \
 -2 \
 --keyUsage certSigning \
 --nsCertType sslCA,smimeCA,objectSigningCA
$ certutil -L -d nssdb -n "External CA" -a > /tmp/external.crt

Sign the CSR:

$ echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n" | \
 certutil -C \
 -d nssdb \
 -f nssdb/password.txt \
 -m $RANDOM \
 -a -i /tmp/ca_signing.csr \
 -o /tmp/ca_signing.crt \
 -c "External CA" \
 -1 -2

Signing using Third-Party CA

Follow the third-party CA's documentation to issue the CA certificate and place it in /tmp/ca_signing.crt. Export the third-party CA certificate as well and place it in /tmp/external.crt.

Exporting Certificate Chain

If the Dogtag CA certificate was signed directly by a single external CA, that CA's certificate file can be used as the chain as it is. If the signing CA is itself subordinate to one or more other CAs, generate a PKCS #7 file containing the signing CA's certificate and every certificate above it up to the root.

Completing New CA Installation

Change the pki_external_step_two to True as shown in external-step2.cfg.

pki_external=True
pki_external_step_two=True

NOTE: When installing on RHEL 7.2 (Dogtag 10.2.5), it was also necessary to set the following additional parameter, so that step two looks for the signing certificate under the nickname the external CA's certificate was imported with:

pki_ca_signing_nickname=caSigningCert External CA

Importing certificate chain

To import a single-certificate chain, specify the certificate file in the following parameter:

pki_external_ca_cert_chain_path=/tmp/external.crt

To import a multi-certificate chain, specify the PKCS #7 file in the following deployment parameter:

pki_external_ca_cert_chain_path=/tmp/cert_chain.p7b

Importing externally-signed CA certificate

To import externally-signed CA certificate, add the following deployment parameter:

pki_external_ca_cert_path=/tmp/ca_signing.crt

Running the installation

Execute:

$ pkispawn -v -f external-step2.cfg -s CA
