CA Admin Setup

From Dogtag

Overview

This document describes the process to set up a new CA admin. See also the Default CA Admin.

Creating Linux User for CA Admin

As a Linux admin create a Linux user for the new CA admin:

$ useradd newcaadmin
$ passwd newcaadmin
Changing password for user newcaadmin.
New password: ********
Retype new password: ********
passwd: all authentication tokens updated successfully.

Creating PKI User for CA Admin

As an existing CA admin (e.g. the default CA admin) create a PKI user for the new CA admin:

$ pki -c <CA admin password> -n <CA admin nickname> ca-user-add newcaadmin --fullName "CA Admin"
-----------------------
Added user "newcaadmin"
-----------------------
  User ID: newcaadmin
  Full name: CA Admin

Then add the new user to the "Administrators" group:

$ pki -c <CA admin password> -n <CA admin nickname> ca-group-member-add Administrators newcaadmin
-------------------------------
Added group member "newcaadmin"
-------------------------------
  User: newcaadmin

Requesting CA Admin Certificate

As the new CA admin, prepare a security database:

$ pki -c Secret.123 client-init
------------------
Client initialized
------------------

Then generate and submit a certificate request:

$ pki -c Secret.123 client-cert-request uid=newcaadmin
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 10
  Type: enrollment
  Request Status: pending
  Operation Result: success

Generating CA Admin Certificate

As an existing CA agent (e.g. the default CA admin), approve the request:

$ pki -c <CA agent password> -n <CA agent nickname> ca-cert-request-review 10 --action approve
-------------------------------
Approved certificate request 10
-------------------------------
  Request ID: 10
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0xa

As an existing CA admin (e.g. the default CA admin), assign the certificate to the new user:

$ pki -c <CA admin password> -n <CA admin nickname> ca-user-cert-add newcaadmin --serial 0xa
-----------------------------------------------------------------------------------------------
Added certificate "2;10;CN=CA Signing Certificate,O=example.com Security Domain;UID=newcaadmin"
-----------------------------------------------------------------------------------------------
  Cert ID: 2;10;CN=CA Signing Certificate,O=example.com Security Domain;UID=newcaadmin
  Version: 2
  Serial Number: 0xa
  Issuer: CN=CA Signing Certificate,O=example.com Security Domain
  Subject: UID=newcaadmin

Retrieving CA Admin Certificate

As the new CA admin, import the certificate into the security database:

$ pki -c Secret.123 client-cert-import newcaadmin --serial 0xa
---------------------------------
Imported certificate "newcaadmin"
---------------------------------

Verify that the certificate has been imported:

$ pki -c Secret.123 client-cert-find
----------------------
1 certificate(s) found
----------------------
  Serial Number: 0xa
  Nickname: newcaadmin
  Subject DN: UID=newcaadmin
  Issuer DN: CN=CA Signing Certificate,O=example.com Security Domain
----------------------------
Number of entries returned 1
----------------------------
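The user cert ID printed by ca-user-cert-add above encodes the certificate version, its decimal serial number, the issuer DN and the subject DN, separated by semicolons, while client-cert-find prints the serial in hex. A practitioner automating this setup will want to confirm that the certificate bound to the PKI user is the one that was just issued and that its subject UID matches the user ID it is attached to. The following is an added example (not code from the Dogtag project) that parses both outputs and cross-checks them; the two output samples are copied from the sessions above and the helper names are this example's own.

```python
"""Cross-check the certificate assigned to a Dogtag CA admin user.

Added example, not part of the Dogtag project. The function and variable
names below are this example's own assumptions; the output samples are
constructed from the pki sessions shown on the page.
"""
import re

# Output of "pki ... ca-user-cert-add newcaadmin --serial 0xa" (from the page)
USER_CERT_ADD_OUTPUT = """\
-----------------------------------------------------------------------------------------------
Added certificate "2;10;CN=CA Signing Certificate,O=example.com Security Domain;UID=newcaadmin"
-----------------------------------------------------------------------------------------------
  Cert ID: 2;10;CN=CA Signing Certificate,O=example.com Security Domain;UID=newcaadmin
  Version: 2
  Serial Number: 0xa
  Issuer: CN=CA Signing Certificate,O=example.com Security Domain
  Subject: UID=newcaadmin
"""

# Output of "pki -c Secret.123 client-cert-find" (from the page)
CLIENT_CERT_FIND_OUTPUT = """\
----------------------
1 certificate(s) found
----------------------
  Serial Number: 0xa
  Nickname: newcaadmin
  Subject DN: UID=newcaadmin
  Issuer DN: CN=CA Signing Certificate,O=example.com Security Domain
----------------------------
Number of entries returned 1
----------------------------
"""


def parse_pki_record(output):
    """Collect the indented 'Key: value' lines of a pki CLI record into a dict.

    Banner lines ('----', 'Added certificate ...') are not indented and are skipped.
    The value is split on the first colon only, so DNs containing colons survive.
    """
    record = {}
    for line in output.splitlines():
        if line.startswith("  ") and ":" in line:
            key, value = line.strip().split(":", 1)
            record[key.strip()] = value.strip()
    return record


def parse_serial(text):
    """Accept either the hex form pki prints ('0xa') or a decimal string ('10')."""
    text = text.strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def parse_user_cert_id(cert_id):
    """Split '<version>;<serial>;<issuer DN>;<subject DN>' into its fields."""
    parts = cert_id.split(";", 3)
    if len(parts) != 4:
        raise ValueError("unexpected user cert ID format: %r" % cert_id)
    version, serial, issuer, subject = parts
    return {"version": int(version), "serial": int(serial),
            "issuer": issuer, "subject": subject}


def rdn_value(dn, attr):
    """Return the value of the first RDN named `attr` in a comma-separated DN.

    Naive split: good enough for the DNs pki prints here, not a full RFC 4514 parser.
    """
    for rdn in dn.split(","):
        name, _, value = rdn.strip().partition("=")
        if name.strip().upper() == attr.upper():
            return value.strip()
    return None


def check_admin_cert(user_id, requested_serial, add_output, find_output):
    """Return a list of problems (empty means the two records agree).

    Checks that the serial passed to ca-user-cert-add, the serial embedded in the
    user cert ID, and the serial in the client database all match, that the subject
    UID is the PKI user the certificate was attached to, and that the issuer DNs agree.
    """
    problems = []
    added = parse_pki_record(add_output)
    local = parse_pki_record(find_output)
    cert_id = parse_user_cert_id(added["Cert ID"])

    want = parse_serial(requested_serial)
    for label, value in (("Cert ID", cert_id["serial"]),
                         ("ca-user-cert-add", parse_serial(added["Serial Number"])),
                         ("client-cert-find", parse_serial(local["Serial Number"]))):
        if value != want:
            problems.append("%s serial %d != requested %d" % (label, value, want))

    if rdn_value(cert_id["subject"], "UID") != user_id:
        problems.append("subject %r is not UID=%s" % (cert_id["subject"], user_id))
    if cert_id["issuer"] != local["Issuer DN"]:
        problems.append("issuer mismatch between server record and client database")
    return problems


if __name__ == "__main__":
    print(check_admin_cert("newcaadmin", "0xa",
                           USER_CERT_ADD_OUTPUT, CLIENT_CERT_FIND_OUTPUT))
```

Run against the two outputs above the check returns an empty list; pass a different user ID or serial and it reports exactly which field disagrees, which is the situation you want to catch before handing the nickname to the new admin.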

Using CA Admin Certificate

To use the certificate in the CLI, specify the new CA admin certificate nickname:

$ pki -c Secret.123 -n newcaadmin <command>

To use the certificate in Firefox, export the certificate and the private key into a PKCS #12 file, then import it into the browser:

$ pki -c Secret.123 client-cert-show newcaadmin --pkcs12 newcaadmin.p12 --pkcs12-password Secret.123

To use the certificate with the Python client, export the certificate and the private key into a PEM file:

$ pki -c Secret.123 client-cert-show newcaadmin --client-cert newcaadmin.pem

Recovering CA Admin Certificate

If all admin certificates for a given instance have been lost, execute the following steps to generate a new admin certificate:

  • Stop PKI server
  • Edit CS.cfg:
    ca.Policy.enable=true
    cmsgateway.enableAdminEnroll=true
