-
Notifications
You must be signed in to change notification settings - Fork 138
Installing CA Clone with Replicated DS
This page describes the process to install CA clone with existing DS instance which has been set up as a replica of the DS instance used by the primary CA.
Availability: Since PKI 11.5
Create the secondary CA with the following commands:
$ pki-server create $ pki-server nss-create $ pki-server ca-create
Export the system certificates and keys from primary CA with the following commands:
$ pki-server ca-clone-prepare \
--pkcs12-file ca-certs.p12 \
--pkcs12-password Secret.123
$ pki-server cert-export ca_signing \
--cert-file ca_signing.crt
Optionally, the CSRs for the above certificates can be exported as well with the following commands:
$ pki-server cert-export ca_signing \
--csr-file ca_signing.csr
$ pki-server cert-export ca_ocsp_signing \
--csr-file ca_ocsp_signing.csr
$ pki-server cert-export ca_audit_signing \
--csr-file ca_audit_signing.csr
$ pki-server cert-export subsystem \
--csr-file subsystem.csr
Import the system certificates and keys into the secondary CA with the following command:
$ pki \
-d /var/lib/pki/pki-tomcat/conf/alias \
-f /var/lib/pki/pki-tomcat/conf/password.conf \
pkcs12-import \
--pkcs12 ca-certs.p12 \
--password Secret.123
First, configure DS connection in the secondary CA with the following commands:
$ pki-server password-add \
--password Secret.123 \
internaldb
$ pki-server ca-db-config-mod \
--hostname secondaryds.example.com \
--port 3389 \
--secure false \
--auth BasicAuth \
--bindDN "cn=Directory Manager" \
--bindPWPrompt internaldb \
--database ca \
--baseDN dc=ca,dc=pki,dc=example,dc=com \
--multiSuffix false \
--maxConns 15 \
--minConns 3
Create a DS backend with the following command:
$ pki-server ca-db-create
Configure replication between the primary DS and the secondary DS.
Once the schema and entries are replicated, create search indexes with the following commands:
$ pki-server ca-db-index-add $ pki-server ca-db-index-rebuild
Create VLV indexes with the following commands:
$ pki-server ca-db-vlv-add $ pki-server ca-db-vlv-reindex
Prepare a deployment configuration (e.g. ca-clone.cfg) to deploy CA subsystem clone.
A sample deployment configuration is available at /usr/share/pki/server/examples/installation/ca-clone.cfg.
It assumes that the primary CA subsystem is running at https://primary.example.com:8443,
the CA signing certificate has been exported into ca_signing.crt,
and the admin certificate and key have been exported into ca_admin_cert.p12.
The PKCS #12 password is specified in the pki_client_pkcs12_password parameter.
To finalize the secondary CA installation execute the following command:
$ pkispawn \
-f /usr/share/pki/server/examples/installation/ca-clone.cfg \
-s CA \
-D pki_cert_chain_path=ca_signing.crt \
-D pki_clone_pkcs12_path=ca-certs.p12 \
-D pki_clone_pkcs12_password=Secret.123 \
-D pki_ds_url=ldap://secondaryds.example.com:389 \
-D pki_ds_setup=False \
-v
If the CSRs are available, they can be specified with the following parameters:
-D pki_ca_signing_csr_path=ca_signing.csr \
-D pki_ocsp_signing_csr_path=ca_ocsp_signing.csr \
-D pki_audit_signing_csr_path=ca_audit_signing.csr \
-D pki_subsystem_csr_path=subsystem.csr \
|
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |