author: Ade Lee <alee@redhat.com> 2014-09-09 15:06:31 -0400
committer: Ade Lee <alee@redhat.com> 2014-10-01 12:43:59 -0400
commit: b644429de7d9649e98737113182d9fcd6912e92a
tree: 6448bc5712d3f28430870ab9c7b971eded8b7fbc /base/server/man
parent: 67f8c07d29a329f091a6c527f8d0dc9d52439cbd
Fix sub-CA installation with own security domain
Installation code failed to anticipate installation of a subordinate CA that would host its own security domain. This patch includes changes to python installation code, java configuration servlet and changes to man pages.

Ticket 1132
Diffstat (limited to 'base/server/man')
 -rw-r--r--  base/server/man/man5/pki_default.cfg.5 | 11
 -rw-r--r--  base/server/man/man8/pkispawn.8        | 28
 2 files changed, 37 insertions, 2 deletions
diff --git a/base/server/man/man5/pki_default.cfg.5 b/base/server/man/man5/pki_default.cfg.5
index 1522cc6f3..a7706656b 100644
--- a/base/server/man/man5/pki_default.cfg.5
+++ b/base/server/man/man5/pki_default.cfg.5
@@ -184,7 +184,7 @@ Name of the back-end database. It is advised that the Certificate Server have i
\x'-1'\fBpki_issuing_ca_hostname, pki_issuing_ca_https_port, pki_issuing_ca_uri\fR
.IP
Hostname and port, or URI of the issuing CA. Required for installations of subordinate CA and non-CA subsystems. This should point to the CA that will issue the relevant system certificates for the subsystem. In a default install, this defaults to the CA subsystem within the same instance. The URI has the format https://<ca_hostname>:<ca_https_port>.
-
+.PP
.SS MISCELLANEOUS PARAMETERS
\x'-1'\fBpki_restart_configured_instance\fR
.IP
@@ -263,6 +263,15 @@ Required for the second step of the external CA signing process. This is the lo
\x'-1'\fBpki_subordinate\fR
.IP
Specifies whether the new CA which will be a subordinate of another CA. The master CA is specified by \fBpki_issuing_ca\fP. Defaults to False.
+.TP
+.B pki_subordinate_create_new_security_domain
+.IP
+Set to \fBTrue\fP if the subordinate CA will host its own security domain. Defaults to \fBFalse\fP.
+.TP
+.B pki_subordinate_security_domain_name
+.IP
+Used when \fBpki_subordinate_create_security_domain\fP is set to \fBTrue\fP. Specifies the name of the security domain to be hosted on the subordinate CA.
+
.SS STANDALONE PKI PARAMETERS
A stand-alone PKI subsystem is defined as a non-CA PKI subsystem that does not contain a CA as a part of its deployment, and functions as its own security domain. Currently, only stand-alone DRMs are supported.
.TP
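Review bot: the description of pki_subordinate_security_domain_name cross-references a parameter that does not exist. It says "Used when \fBpki_subordinate_create_security_domain\fP is set to \fBTrue\fP", but the parameter added two entries above, and the one used in the pkispawn.8 example in this same patch, is pki_subordinate_create_new_security_domain; a reader who copies the name from this sentence into pki_default.cfg gets a key the installer never reads, so the new-domain path silently does not run. Fix the reference to match. Two smaller points on the same hunk: the entry should state the default that is used when pki_subordinate_security_domain_name is omitted, since pkispawn.8 says the name "can also be specified", implying one exists; and the new entries use .TP/.B/.IP while the neighbouring pki_subordinate entry uses \x'-1'\fB...\fR with .IP, so the rendered indentation will differ within one section (the STANDALONE section below already uses .TP, so that is the form to keep). While this paragraph is being touched, the pre-existing context line "Specifies whether the new CA which will be a subordinate of another CA" is a fragment and should read "Specifies whether the new CA will be a subordinate of another CA".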
diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8
index 1b8f49e4b..fc50fd380 100644
--- a/base/server/man/man8/pkispawn.8
+++ b/base/server/man/man8/pkispawn.8
@@ -304,12 +304,38 @@ pki_security_domain_user=caadmin
[CA]
pki_subordinate=True
pki_issuing_ca=https://<master_ca_hostname>:<master_ca_https_port>
-pki_ca_signing_subject_dn=cn=CA Subordinate Signing ,o=example.com
+pki_ca_signing_subject_dn=cn=CA Subordinate Signing,o=example.com
.fi
.PP
A sub-CA derives its certificate configuration -- such as allowed extensions and validity periods -- from a superior or root CA. Otherwise, the configuration of the CA is independent of the root CA, so it is its own instance rather than a clone. A sub-CA is configured using the pki_subordinate parameter and a pointer to the CA which issues the sub-CA's certificates.
.PP
\fBNote:\fP The value of \fBpki_ca_signing_subject_dn\fP of a subordinate CA should be different from the root CA's signing subject DN.
+.SS Installing a subordinate CA which hosts its own security domain
+\x'-1'\fBpkispawn \-s CA \-f myconfig.txt\fR
+.PP
+where \fImyconfig.txt\fP contains the following text:
+.IP
+.nf
+[DEFAULT]
+pki_admin_password=\fIpassword123\fP
+pki_client_pkcs12_password=\fIpassword123\fP
+pki_ds_password=\fIpassword123\fP
+pki_security_domain_password=\fIpassword123\fP
+pki_security_domain_hostname=<master CA security domain hostname>
+pki_security_domain_https_port=<master CA security domain https port>
+pki_security_domain_user=caadmin
+
+[CA]
+pki_subordinate=True
+pki_issuing_ca=https://<master ca hostname>:<master ca https port>
+pki_ca_signing_subject_dn=cn=CA Subordinate Signing,o=example.com
+pki_subordinate_create_new_security_domain=True
+pki_subordinate_security_domain_name=Subordinate CA Security Domain
+.fi
+.PP
+In this section, the subordinate CA logs onto and registers with the security domain CA (using parameters \fBpki_security_domain_hostname\fP, \fBpki_security_domain_https_port\fP, \fBpki_security_domain_user\fP and \fBpki_security_domain_password\fP) as in the previous section, but also creates and hosts a new security domain. To do this, \fBpki_subordinate_create_new_security_domain\fP must be set to \fBTrue\fP. The subordinate CA security domain name can also be specified by specifying a value for \fBpki_subordinate_security_domain_name\fP.
+.PP
+\fBNote:\fP The value of \fBpki_ca_signing_subject_dn\fP of a subordinate CA should be different from the root CA's signing subject DN.
.SS Installing an externally signed CA
\x'-1'\fBpkispawn \-s CA \-f myconfig.txt\fR
.PP
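Review bot: the explanatory paragraph should say plainly which domain each group of parameters refers to, because two security domains are in play at install time. pki_security_domain_hostname, pki_security_domain_https_port, pki_security_domain_user and pki_security_domain_password still identify the existing security domain of the master CA that the sub-CA logs onto and registers with (the example's placeholders say "master CA security domain hostname"), while pki_subordinate_security_domain_name names the new domain this CA will host once installed; as written, a reader can set the pki_security_domain_* values to the new domain, which does not yet exist. Suggested wording: "The pki_security_domain_* parameters refer to the master CA's existing security domain; the new domain named by pki_subordinate_security_domain_name is created during installation and hosted by this CA." Three smaller points: "can also be specified by specifying a value for" should read "can be set with"; the closing Note repeats the previous section's note verbatim ("The value of pki_ca_signing_subject_dn of a subordinate CA should be different from the root CA's signing subject DN"), so either drop it or state what differs here; and the new example writes placeholders as <master ca hostname> and <master CA security domain hostname> with spaces, while the preceding example uses <master_ca_hostname> and <master_ca_https_port>, so one placeholder style should be kept across the page.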