IPA PKI Installation

From Dogtag

Overview

This page describes the process of PKI installation in IPA.

CA Installation

See https://github.com/freeipa/freeipa/blob/master/ipaserver/install/cainstance.py#L326.

Creating certificate server user

Create the pkiuser user and group, with the home directory set to /var/lib.

Configuring certificate server instance

Exporting Dogtag certificate store PIN

See https://github.com/freeipa/freeipa/blob/master/ipaserver/install/cainstance.py#L661.

Stopping certificate server instance to update CS.cfg

See https://github.com/freeipa/freeipa/blob/master/ipaserver/install/dogtaginstance.py#L168.

Backing up CS.cfg

See https://github.com/freeipa/freeipa/blob/master/ipaserver/install/cainstance.py#L648.

Disabling nonces

See https://github.com/freeipa/freeipa/blob/master/ipaserver/install/cainstance.py#L689:

  • Set ca.enableNonces=false

Set up CRL publishing

See https://github.com/freeipa/freeipa/blob/master/ipaserver/install/cainstance.py#L937.

Enable PKIX certificate path discovery and validation

See https://github.com/freeipa/freeipa/blob/master/ipaserver/install/cainstance.py#L699:

  • Set NSS_ENABLE_PKIX_VERIFY=1

Destroying installation admin user

See https://github.com/freeipa/freeipa/blob/master/ipaserver/install/dogtaginstance.py#L168.

Starting certificate server instance

See https://github.com/freeipa/freeipa/blob/master/ipaserver/install/dogtaginstance.py#L165.

Configure certmonger for renewals

See https://github.com/freeipa/freeipa/blob/master/ipaserver/install/dogtaginstance.py#L246.

Requesting RA certificate from CA

See https://github.com/freeipa/freeipa/blob/master/ipaserver/install/cainstance.py#L828.

Importing RA key

See https://github.com/freeipa/freeipa/blob/master/ipaserver/install/cainstance.py#L738.

Importing RA certificate from PKCS #12 file

See https://github.com/freeipa/freeipa/blob/master/ipaserver/install/cainstance.py#L704.

Setting audit signing renewal to 2 years

See https://github.com/freeipa/freeipa/blob/master/ipaserver/install/cainstance.py#L1096.

Restarting certificate server

See https://github.com/freeipa/freeipa/blob/master/ipaserver/install/dogtaginstance.py#L162.

Publishing the CA certificate

See https://github.com/freeipa/freeipa/blob/master/ipaserver/install/cainstance.py#L802.

Adding RA agent as a trusted user

See https://github.com/freeipa/freeipa/blob/master/ipaserver/install/cainstance.py#L756.

Authorizing RA to modify profiles

See https://github.com/freeipa/freeipa/blob/master/ipaserver/install/cainstance.py#L1541.

Authorizing RA to manage lightweight CAs

See https://github.com/freeipa/freeipa/blob/master/ipaserver/install/cainstance.py#L1556.

Configure certmonger for renewals

Configure certificate renewals

Configure RA certificate renewal

Configure Server-Cert certificate renewal

Configure HTTP to proxy connections

Restarting certificate server

Migrating certificate profiles to LDAP

Importing IPA certificate profiles

Adding default CA ACL

KRA Installation

See IPA PKI 10 KRA Installation.