Skip to content

PKI 10.4 Installing CA with External CA Signing Certificate

Endi S. Dewata edited this page Mar 27, 2024 · 3 revisions

Overview

This page describes the process to install a subordinate CA with an external CA signing certificate.

The process consists of two steps:

  • Step 1: Generate a CSR to be signed by an external CA.

  • Step 2: Import the CA signing certificate issued by the external CA.

Preparing CA Installation

Prepare a deployment configuration file for step 1 (e.g. ca-external-step1.cfg):

[CA]
[email protected]
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret.123
pki_admin_uid=caadmin

pki_client_database_password=Secret.123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123

pki_ds_base_dn=dc=ca,dc=example,dc=com
pki_ds_database=ca
pki_ds_password=Secret.123

pki_security_domain_name=EXAMPLE
pki_token_password=Secret.123

pki_external=True
pki_external_step_two=False

pki_external_csr_path=ca_signing.csr

Optionally, specify the HSM parameters:

pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast

Then execute the following command:

$ pkispawn -f ca-external-step1.cfg -s CA

It will create an NSS database in /var/lib/pki/pki-tomcat/conf/alias and generate a CA certificate CSR in ca_signing.csr.

Issuing CA Signing Certificate

Submit the CSR to an external CA:

Place the issued CA signing certificate in ca_signing.crt. Export the external CA certificate or certificate chain in external.crt.

Completing CA Installation

Prepare a deployment configuration for step 2 (e.g. ca-external-step2.cfg) by copying it from step 1 (i.e. ca-external-step1.cfg) and make the following changes.

Specify step 2 with the following parameter:

pki_external_step_two=True

Specify the externally-signed CA certificate file with the following parameter:

pki_external_ca_cert_path=ca_signing.crt

The certificate file can contain either a single PEM certificate or a PKCS #7 certificate chain.

If the above certificate file contains a single certificate, the certificate chain can be specified with the following parameters:

pki_cert_chain_nickname=CA Signing Certificate - ROOT

pki_external_ca_cert_chain_path=cert_chain.p7b

The certificate chain file can contain either a single root CA certificate or a PKCS #7 certificate chain.

Finally, execute the following command:

$ pkispawn -f ca-external-step2.cfg -s CA

Verification

Verifying system certificates

If the HSM is used, the internal token will have the following certificates:

$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA Signing Certificate - ROOT                                CT,C,C
ca_signing                                                   CT,C,C
ca_audit_signing                                             ,,P

and the HSM will have the following certificates:

$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias -h HSM -f password.txt

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

HSM:ca_ocsp_signing                                          u,u,u
HSM:sslserver/pki.example.com                                u,u,u
HSM:ca_signing                                               u,u,u
HSM:subsystem                                                u,u,u
HSM:ca_audit_signing                                         u,u,u

Verifying CA admin

Prepare a client NSS database:

$ pki -c Secret.123 client-init

Import the CA certificate chain:

$ pki -c Secret.123 client-cert-import "CA Signing Certificate - ROOT" --ca-cert cert_chain.crt

Import the subordinate CA signing certificate:

$ pki -c Secret.123 client-cert-import "CA Signing Certificate - EXAMPLE" --ca-cert ca_signing.crt

Import CA admin certificate and key:

$ pki -c Secret.123 client-cert-import \
    --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
    --pkcs12-password-file ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf

Execute the following command:

$ pki -c Secret.123 -n caadmin ca-user-find
Clone this wiki locally