DRM Transport Key Rotation Procedures

From Dogtag

DRM Transport Key and Certificate Generation

DRM transport key and certificate generation is part of the DRM Transport Key Rotation process. (DRM, the Data Recovery Manager, is the subsystem that Dogtag now calls the KRA; the nicknames and paths below use the KRA name.)
Here is the manual process for DRM transport certificate generation and the matching DRM configuration update.

Request DRM Transport Certificate

  1. Stop DRM
    systemctl stop pki-tomcatd@pki-tomcat.service
  2. Go to DRM's NSS DB directory
    cd /etc/pki/pki-tomcat/alias
  3. Create subdirectory
    mkdir saved
    and save all NSS DB files
    cp *.db saved/
  4. Create a new request with PKCS10Client
    PKCS10Client -p <password> -d '.' -o 'req.txt' -n 'CN=DRM Transport 2 Certificate,O=example.com Security Domain'
    or with certutil, which reads the NSS DB password from a file instead of taking it on the command line, where it would be visible in the process list and shell history
    certutil -d . -R -k rsa -g 2048 -s 'CN=DRM Transport 2 Certificate,O=example.com Security Domain' -f <password-file> -a -o <transport-certificate-request-file>
    Either command generates a new RSA key pair in the DRM's NSS DB and writes a PEM-encoded PKCS #10 request. Use a subject that differs from the current transport certificate so the two are easy to tell apart later.
  5. Start DRM
    systemctl start pki-tomcatd@pki-tomcat.service
  6. Submit the transport certificate request on the CA's "Manual Data Recovery Manager Transport Certificate Enrollment" end-entity (EE) page
    (screenshots: submit transport certificate request)
  7. Wait for an agent to approve the submitted request; check its status on the EE retrieval page

DRM Transport Certificate Approval

An agent approves the pending transport certificate request from the CA agent interface.
(screenshots: approval of transport certificate request)

Retrieve DRM Transport Certificate

  1. Go to DRM's NSS DB directory
    cd /etc/pki/pki-tomcat/alias
  2. Once the request has been approved, retrieve the certificate from the EE retrieval page
    (screenshots: retrieve DRM transport certificate)
  3. Paste the base64 encoded value of the new DRM transport certificate into a text file
    cert-<serial-number>.txt
    Do not include header
    -----BEGIN CERTIFICATE-----
    or footer
    -----END CERTIFICATE-----

Import DRM Transport Certificate

  1. Go to DRM's NSS DB directory
    cd /etc/pki/pki-tomcat/alias
  2. Stop DRM
    systemctl stop pki-tomcatd@pki-tomcat.service
  3. Import transport certificate into DRM's NSS DB by:
    certutil -d . -A -n 'transportCert-<serial-number> cert-pki-tomcat KRA' -t 'u,u,u' -a -i cert-<serial-number>.txt

Update DRM Transport Certificate Configuration

  1. Go to DRM's NSS DB directory
    cd /etc/pki/pki-tomcat/alias
  2. Stop DRM
    systemctl stop pki-tomcatd@pki-tomcat.service
  3. Verify that the new DRM transport certificate has been imported by running
    certutil -d . -L
    followed by
    certutil -d . -L -n 'transportCert-<serial-number> cert-pki-tomcat KRA'
  4. Edit
    /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
    to add the following line:
    kra.transportUnit.newNickName=transportCert-<serial-number> cert-pki-tomcat KRA
  5. Start DRM
    systemctl start pki-tomcatd@pki-tomcat.service

Propagate New Transport Key and Certificate to DRM Clones

Here is how to transfer the new transport key and certificate to a DRM clone (repeat for every clone):

  • Go to DRM's NSS DB directory
    cd /etc/pki/pki-tomcat/alias
  • Stop DRM
    systemctl stop pki-tomcatd@pki-tomcat.service
  • Verify that the new DRM transport certificate is present by running
    certutil -d . -L
    followed by
    certutil -d . -L -n 'transportCert-<serial-number> cert-pki-tomcat KRA'
  • Export DRM's new transport key and certificate by
    pk12util -o transport.p12 -d . -n 'transportCert-<serial-number> cert-pki-tomcat KRA'
    pk12util prompts for a password to protect the PKCS #12 file; choose a strong one, because the file contains the transport private key.
  • Verify exported DRM's transport key and certificate by
    pk12util -l transport.p12
  • Copy transport.p12 to the DRM clone over a protected channel (for example scp over an administrative network). Delete the file from both hosts once the clone has imported and verified it.
  • Go to clone's NSS DB directory
    cd /etc/pki/pki-tomcat/alias
  • Stop DRM clone
    systemctl stop pki-tomcatd@pki-tomcat.service
  • Check content of clone's NSS DB by running
    certutil -d . -L
  • Import the new transport key and certificate into the clone's NSS DB by
    pk12util -i transport.p12 -d .
    then re-run certutil -d . -L and confirm that 'transportCert-<serial-number> cert-pki-tomcat KRA' is now listed; the nickname is taken from the PKCS #12 file and must match the value used in CS.cfg below.
  • Edit clone's configuration file
    /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
    to add the following line:
    kra.transportUnit.newNickName=transportCert-<serial-number> cert-pki-tomcat KRA
  • Start DRM clone
    systemctl start pki-tomcatd@pki-tomcat.service

Update DRM configuration to use only new transport key and certificate

Do this only after every CA that sends key archival requests to this DRM has been updated with the new transport certificate (see "Update CA Configuration with new DRM Transport Certificate" below). Once the old nickName is replaced and newNickName removed, the DRM no longer uses the old transport key, so archival requests that a CA wrapped with the old transport certificate will fail.

  • Go to DRM's NSS DB directory
    cd /etc/pki/pki-tomcat/alias
  • Stop DRM
    systemctl stop pki-tomcatd@pki-tomcat.service
  • Verify that the new DRM transport certificate has been imported by running
    certutil -d . -L
    followed by
    certutil -d . -L -n 'transportCert-<serial-number> cert-pki-tomcat KRA'
  • Edit
    /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
    by replacing nickName included in line
    kra.transportUnit.nickName=transportCert cert-pki-tomcat KRA
    with newNickName included in line
    kra.transportUnit.newNickName=transportCert-<serial-number> cert-pki-tomcat KRA
    to obtain
    kra.transportUnit.nickName=transportCert-<serial-number> cert-pki-tomcat KRA
  • Edit
    /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
    by removing newNickName line
    kra.transportUnit.newNickName=transportCert-<serial-number> cert-pki-tomcat KRA
  • Save updated
    /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
  • Start DRM
    systemctl start pki-tomcatd@pki-tomcat.service
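The nickName/newNickName switch above is two hand edits that are easy to get wrong, especially when repeated on every clone. The following shell script is an added example, not Dogtag's own tooling: it performs the switch on a CS.cfg path you pass in, refuses to run when no newNickName is configured (so it cannot point the DRM at a certificate it was never told about), keeps a .bak copy, and prints the resulting nickName for the post-edit check. The CS.cfg fragment it edits at the end is constructed for the demonstration and the serial 021 is a placeholder; run it against the real file only with the DRM stopped.

```shell
#!/bin/bash
# Added example (not Dogtag's own code): promote kra.transportUnit.newNickName
# to kra.transportUnit.nickName in a KRA CS.cfg and drop the newNickName line.
set -u

# Usage: promote_transport_nickname /path/to/CS.cfg
# Returns 0 on success, 1 if no newNickName is configured (file left untouched).
promote_transport_nickname() {
    cfg="$1"
    new=$(sed -n 's/^kra\.transportUnit\.newNickName=//p' "$cfg")
    if [ -z "$new" ]; then
        echo "no kra.transportUnit.newNickName in $cfg; nothing to promote" >&2
        return 1
    fi
    # Keep a backup next to the file, mirroring the saved/ copy of the NSS DB above.
    cp "$cfg" "$cfg.bak"
    # Replace the current nickName with the new one, then delete the newNickName line.
    # '|' is the sed delimiter because nicknames contain spaces and '-', never '|'.
    sed -i \
        -e "s|^kra\.transportUnit\.nickName=.*|kra.transportUnit.nickName=$new|" \
        -e '/^kra\.transportUnit\.newNickName=/d' \
        "$cfg"
    return 0
}

# Print the nickname the DRM will use after the switch (post-edit check).
current_transport_nickname() {
    sed -n 's/^kra\.transportUnit\.nickName=//p' "$1"
}

# Demo on a constructed, minimal CS.cfg fragment (not a real KRA configuration).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
kra.transportUnit.nickName=transportCert cert-pki-tomcat KRA
kra.transportUnit.newNickName=transportCert-021 cert-pki-tomcat KRA
kra.storageUnit.nickName=storageCert cert-pki-tomcat KRA
EOF
promote_transport_nickname "$demo_cfg"
current_transport_nickname "$demo_cfg"   # transportCert-021 cert-pki-tomcat KRA
```

The value printed by current_transport_nickname must match a nickname shown by certutil -d . -L on the same host; if it does not, restore CS.cfg.bak before starting the DRM.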

CAs with new DRM Transport Certificates

Update CA Configuration with new DRM Transport Certificate

Here is how to update CA configuration with new DRM transport certificate:

  • Stop CA
    systemctl stop pki-tomcatd@pki-tomcat.service
  • Get the DRM transport certificate file cert-<serial-number>.txt saved in the "Retrieve DRM Transport Certificate" section above (originally tracked in ticket #734 comment #2)
  • Convert base64 encoded certificate included in
    cert-<serial-number>.txt
    to single line file by
    tr -d '\n' < cert-<serial-number>.txt > cert-one-line-<serial-number>.txt
  • Edit
    /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
    by replacing certificate included in line
    ca.connector.KRA.transportCert= . . . 
    with certificate included in
    cert-one-line-<serial-number>.txt
  • Save updated
    /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
  • Start CA
    systemctl start pki-tomcatd@pki-tomcat.service
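The conversion and CS.cfg edit above are where a stray header line, CRLF line endings from a browser copy, or a pasted-wrong value end up silently breaking archival. The script below is an added example, not Dogtag's own code: it normalises the retrieved certificate to one line of base64 whether or not the file still has the PEM header and footer, checks that the result decodes to DER (an X.509 certificate always begins with the SEQUENCE tag 0x30), and only then splices it into the ca.connector.KRA.transportCert= line, keeping a .bak copy. The certificate file and CS.cfg fragment it runs on at the end are constructed for the demonstration; the 8-byte DER blob stands in for a real certificate.

```shell
#!/bin/bash
# Added example (not Dogtag's own code): normalise a retrieved base64 transport
# certificate, sanity-check it, and set ca.connector.KRA.transportCert= in a CA CS.cfg.
set -u

# Print the certificate as one line of base64: strips the PEM header/footer if the
# file has them, CR/LF line endings, and any surrounding whitespace.
cert_one_line() {
    grep -v -- '-----' "$1" | tr -d ' \t\r\n'
}

# DER-encoded X.509 always starts with the SEQUENCE tag 0x30. Checking that first
# byte catches a truncated copy, a key pasted instead of a certificate, or a leftover
# header line before it reaches the CA configuration.
looks_like_der_cert() {
    first=$(printf '%s' "$1" | base64 -d 2>/dev/null | od -An -tx1 -N1 | tr -d ' ')
    [ "$first" = "30" ]
}

# Usage: set_ca_transport_cert /path/to/CS.cfg cert-<serial-number>.txt
# Returns 1 if the certificate does not decode, 2 if CS.cfg has no connector line.
set_ca_transport_cert() {
    cfg="$1"; certfile="$2"
    b64=$(cert_one_line "$certfile")
    looks_like_der_cert "$b64" \
        || { echo "$certfile does not decode to a DER certificate" >&2; return 1; }
    grep -q '^ca\.connector\.KRA\.transportCert=' "$cfg" \
        || { echo "no ca.connector.KRA.transportCert line in $cfg" >&2; return 2; }
    cp "$cfg" "$cfg.bak"
    # base64 never contains '|' or '&', so '|' is a safe sed delimiter and the
    # value can go straight into the replacement.
    sed -i "s|^ca\.connector\.KRA\.transportCert=.*|ca.connector.KRA.transportCert=$b64|" "$cfg"
}

# Print the transport certificate the CA is configured with (post-edit check).
ca_transport_cert() {
    sed -n 's/^ca\.connector\.KRA\.transportCert=//p' "$1"
}

# Demo on constructed input: a made-up 8-byte DER SEQUENCE standing in for a real
# certificate, pasted with header, footer and CRLF line endings as a browser might.
demo_cert=$(mktemp); demo_cfg=$(mktemp)
printf -- '-----BEGIN CERTIFICATE-----\r\nMAYCAQEC\r\nAQI=\r\n-----END CERTIFICATE-----\r\n' > "$demo_cert"
printf '%s\n' 'ca.connector.KRA.enable=true' 'ca.connector.KRA.transportCert=OLDVALUE' > "$demo_cfg"
set_ca_transport_cert "$demo_cfg" "$demo_cert"
ca_transport_cert "$demo_cfg"   # MAYCAQECAQI=
```

Run it against every CA (and CA clone) that submits archival requests to the DRM, with the CA stopped; the value printed by ca_transport_cert should be byte-for-byte the same on each of them.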