Installing CA with Existing DS Database

Endi S. Dewata edited this page Jan 15, 2024 · 9 revisions

Overview

Warning
This page is still under development.

This page describes the process to install CA with an existing DS database. The DS database could be set up manually or restored from a backup.

Availability: Since PKI 11.5

Creating CA Subsystem

$ pki-server create
$ pki-server nss-create
$ pki-server ca-create

Configure Connection to CA Database

$ pki-server password-add \
    --password Secret.123 \
    internaldb

$ pki-server ca-db-config-mod \
    --hostname ds.example.com \
    --port 3389 \
    --secure false \
    --auth BasicAuth \
    --bindDN "cn=Directory Manager" \
    --bindPWPrompt internaldb \
    --database userroot \
    --baseDN dc=ca,dc=pki,dc=example,dc=com \
    --multiSuffix false \
    --maxConns 15 \
    --minConns 3

Setting up System Certificates

To create CA signing cert in server’s NSS database:

$ pki-server cert-request \
    --subject "CN=CA Signing Certificate" \
    --ext /usr/share/pki/server/certs/ca_signing.conf \
    ca_signing
$ pki-server cert-create \
    --ext /usr/share/pki/server/certs/ca_signing.conf \
    ca_signing
$ pki-server cert-import ca_signing

To create CA OCSP signing cert in server’s NSS database:

$ pki-server cert-request \
    --subject "CN=OCSP Signing Certificate" \
    --ext /usr/share/pki/server/certs/ocsp_signing.conf \
    ca_ocsp_signing
$ pki-server cert-create \
    --issuer ca_signing \
    --ext /usr/share/pki/server/certs/ocsp_signing.conf \
    ca_ocsp_signing
$ pki-server cert-import ca_ocsp_signing

To create CA audit signing cert in server’s NSS database:

$ pki-server cert-request \
    --subject "CN=Audit Signing Certificate" \
    --ext /usr/share/pki/server/certs/audit_signing.conf \
    ca_audit_signing
$ pki-server cert-create \
    --issuer ca_signing \
    --ext /usr/share/pki/server/certs/audit_signing.conf \
    ca_audit_signing
$ pki-server cert-import ca_audit_signing

To create the subsystem cert in server’s NSS database:

$ pki-server cert-request \
    --subject "CN=Subsystem Certificate" \
    --ext /usr/share/pki/server/certs/subsystem.conf \
    subsystem
$ pki-server cert-create \
    --issuer ca_signing \
    --ext /usr/share/pki/server/certs/subsystem.conf \
    subsystem
$ pki-server cert-import subsystem

To create SSL server cert in server’s NSS database:

$ pki-server cert-request \
    --subject "CN=pki.example.com" \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    sslserver
$ pki-server cert-create \
    --issuer ca_signing \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    sslserver
$ pki-server cert-import sslserver

Setting up CA Database

Finishing CA Installation

Prepare a deployment configuration (e.g. ca.cfg) to deploy the CA subsystem.

A sample deployment configuration is available at /usr/share/pki/server/examples/installation/ca.cfg.

To finish the CA installation, execute the following command:

$ pkispawn \
    -f /usr/share/pki/server/examples/installation/ca.cfg \
    -s CA \
    -D pki_ds_url=ldap://ds.example.com:389 \
    -D pki_ds_setup=False \
    -D pki_share_db=True \
    -D pki_security_domain_setup=False \
    -D pki_admin_setup=False \
    -v
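The DS endpoint is given twice in this procedure: once to pki-server ca-db-config-mod (hostname, port, --secure, --auth, --bindDN) and once to pkispawn as pki_ds_url. The following shell function is an added example, not part of this wiki page or of the PKI project, that checks the two sets of values against each other before they are used, and reports two hardening concerns: BasicAuth over a non-TLS connection (the bind password crosses the network in cleartext) and binding as cn=Directory Manager (the DS superuser) rather than a dedicated, least-privileged account. The function name, the sample values and the assumption that pki_ds_url must name the same host and port as the CA database config are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the PKI wiki or the PKI project): cross-check the
# DS connection values passed to pki-server ca-db-config-mod against the
# pki_ds_url passed to pkispawn, and flag two weak settings.
#
# check_ds_config HOST PORT SECURE AUTH BINDDN PKI_DS_URL
# Prints one line per finding; the return code is the number of findings
# (0 = consistent and no hardening concern).
check_ds_config() {
    host=$1 port=$2 secure=$3 auth=$4 binddn=$5 url=$6
    findings=0

    # Split "ldap[s]://host[:port]" into scheme, host and port.
    scheme=${url%%://*}
    hostport=${url#*://}
    url_host=${hostport%%:*}
    url_port=${hostport##*:}
    # No explicit port: fall back to the scheme's default (636 for ldaps, else 389).
    if [ "$url_port" = "$hostport" ]; then
        case $scheme in
            ldaps) url_port=636 ;;
            *)     url_port=389 ;;
        esac
    fi

    # The CA database config and pki_ds_url are assumed to describe one server.
    if [ "$host" != "$url_host" ] || [ "$port" != "$url_port" ]; then
        echo "MISMATCH: ca-db-config-mod uses $host:$port, pki_ds_url points at $url_host:$url_port"
        findings=$((findings + 1))
    fi

    # --secure must agree with the URL scheme.
    if [ "$secure" = "false" ] && [ "$scheme" = "ldaps" ]; then
        echo "MISMATCH: --secure false but pki_ds_url scheme is ldaps"
        findings=$((findings + 1))
    elif [ "$secure" = "true" ] && [ "$scheme" = "ldap" ]; then
        echo "MISMATCH: --secure true but pki_ds_url scheme is ldap"
        findings=$((findings + 1))
    fi

    # Simple bind without TLS exposes the bind password on the wire.
    if [ "$secure" = "false" ] && [ "$auth" = "BasicAuth" ]; then
        echo "RISK: BasicAuth over a non-TLS connection sends the bind password in cleartext"
        findings=$((findings + 1))
    fi

    # The CA only needs rights on its own suffix, not DS superuser access.
    if [ "$binddn" = "cn=Directory Manager" ]; then
        echo "RISK: binding as the DS superuser; use a dedicated bind DN limited to the CA suffix"
        findings=$((findings + 1))
    fi

    return $findings
}

# Constructed sample: the values as they appear in the two commands above.
check_ds_config ds.example.com 3389 false BasicAuth "cn=Directory Manager" \
    ldap://ds.example.com:389 || echo "$? finding(s)"
```

Run it with the values you intend to pass; a non-zero return code means at least one line of output explains what to reconcile before running pkispawn.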