IPA KRA Agent Setup

From Dogtag

Overview

This page describes the process used to set up the KRA agent in IPA.

KRA Agent Setup

After the KRA is installed, IPA executes the following steps to set up the KRA agent (see ipaserver/install/krainstance.py).

Create a client security database (i.e. ~/.dogtag/nssdb):

$ pki -c Secret.123 client-init

Import CA certificate:

$ pki -c Secret.123 client-cert-import --pkcs12 /root/kracert.p12 --pkcs12-password <IPA admin password>

Trust CA certificate:

$ pki -c Secret.123 client-cert-mod "Certificate Authority - <IPA realm>" --trust "CT,C,C"

Import CA admin certificate:

$ pki -c Secret.123 client-cert-import --pkcs12 /root/ca-agent.p12 --pkcs12-password <IPA admin password>

Create KRA user:

$ pki -c Secret.123 -n ipa-ca-agent kra-user-add ipakra --fullName "IPA KRA User"

Add KRA user into KRA agents group:

$ pki -c Secret.123 -n ipa-ca-agent kra-user-membership-add ipakra "Data Recovery Manager Agents"

Export IPA cert as DER file:

$ pki -d /etc/httpd/alias -C /etc/httpd/alias/pwdfile.txt client-cert-show ipaCert --cert ipa.crt

Assign IPA cert to KRA user:

$ pki -c Secret.123 -n ipa-ca-agent kra-user-cert-add ipakra --input ipa.crt

Export IPA cert as PEM file:

$ pki -d /etc/httpd/alias -C /etc/httpd/alias/pwdfile.txt client-cert-show ipaCert --client-cert /etc/httpd/alias/kra-agent.pem

Set the file ownership and permissions:

$ chown root.apache /etc/httpd/alias/kra-agent.pem
$ chmod 660 /etc/httpd/alias/kra-agent.pem
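The steps above leave the agent certificate and its private key in kra-agent.pem, which httpd reads to act as a KRA agent, so the ownership and mode set in the last step are what keep that key from other local users. As an added post-setup check (example code, not from the Dogtag page or IPA's krainstance.py), the POSIX shell function below verifies the file's owner, mode and contents; the helper names stat_mode, stat_owner and check_agent_pem are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the exported KRA agent PEM after setup.
# Owner, mode and path are parameters so the check also runs on a scratch file.

# stat_mode FILE -> octal permission bits such as "660" (GNU stat, BSD fallback)
stat_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# stat_owner FILE -> "user:group"
stat_owner() {
    stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

# check_agent_pem FILE EXPECTED_OWNER EXPECTED_MODE
# Prints each finding; returns 0 only when every check passes.
check_agent_pem() {
    file=$1; want_owner=$2; want_mode=$3; rc=0
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    mode=$(stat_mode "$file")
    if [ "$mode" != "$want_mode" ]; then
        echo "bad mode $mode on $file (want $want_mode)"; rc=1
    fi
    owner=$(stat_owner "$file")
    if [ "$owner" != "$want_owner" ]; then
        echo "bad owner $owner on $file (want $want_owner)"; rc=1
    fi
    # httpd can only authenticate as the agent if both cert and key are present
    grep -q -- '-----BEGIN CERTIFICATE-----' "$file" \
        || { echo "no certificate in $file"; rc=1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$file" \
        || { echo "no private key in $file"; rc=1; }
    return $rc
}

# On an IPA server the real invocation matches the setup steps:
#   check_agent_pem /etc/httpd/alias/kra-agent.pem root:apache 660
```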
