Diffstat (limited to 'base')
| -rw-r--r-- | base/deploy/config/sample.cfg | 3 |
| -rw-r--r-- | base/deploy/config/sampleCAclone.cfg | 16 |
| -rw-r--r-- | base/deploy/config/sampleExternalSignedCA-step1.cfg | 11 |
| -rw-r--r-- | base/deploy/config/sampleExternalSignedCA-step2.cfg | 13 |
| -rw-r--r-- | base/deploy/config/sampleKRA.cfg | 13 |
| -rw-r--r-- | base/deploy/config/sampleKRAclone.cfg | 17 |
| -rw-r--r-- | base/deploy/config/sampleSubordinateCA.cfg | 14 |
| -rw-r--r-- | base/deploy/man/man8/pkispawn.8 | 17 |
8 files changed, 101 insertions, 3 deletions
diff --git a/base/deploy/config/sample.cfg b/base/deploy/config/sample.cfg index a4a6f68c2..f4b3e523d 100644 --- a/base/deploy/config/sample.cfg +++ b/base/deploy/config/sample.cfg @@ -3,4 +3,5 @@ pki_admin_password= pki_backup_password= pki_client_pkcs12_password= pki_ds_password= -pki_security_domain_password= +##Required for all subsystems that are not root CAs +#pki_security_domain_password= diff --git a/base/deploy/config/sampleCAclone.cfg b/base/deploy/config/sampleCAclone.cfg new file mode 100644 index 000000000..afacc64a2 --- /dev/null +++ b/base/deploy/config/sampleCAclone.cfg @@ -0,0 +1,16 @@ +[DEFAULT] +pki_admin_password= +pki_backup_password= +pki_client_pkcs12_password= +pki_ds_password= +pki_security_domain_password= +pki_security_domain_hostname= +pki_security_domain_https_port= +pki_security_domain_user= + +[CA] +pki_clone=True +pki_clone_pkcs12_password= +pki_clone_pkcs12_path= +pki_clone_replicate_schema= +pki_clone_uri=
\ No newline at end of file diff --git a/base/deploy/config/sampleExternalSignedCA-step1.cfg b/base/deploy/config/sampleExternalSignedCA-step1.cfg new file mode 100644 index 000000000..7b72e5f83 --- /dev/null +++ b/base/deploy/config/sampleExternalSignedCA-step1.cfg @@ -0,0 +1,11 @@ +[DEFAULT] +pki_admin_password= +pki_backup_password= +pki_client_pkcs12_password= +pki_ds_password= +pki_security_domain_password= + +[CA] +pki_external=True +pki_external_csr_path= +pki_ca_signing_subject_dn=
\ No newline at end of file diff --git a/base/deploy/config/sampleExternalSignedCA-step2.cfg b/base/deploy/config/sampleExternalSignedCA-step2.cfg new file mode 100644 index 000000000..b90d301c3 --- /dev/null +++ b/base/deploy/config/sampleExternalSignedCA-step2.cfg @@ -0,0 +1,13 @@ +[DEFAULT] +pki_admin_password= +pki_backup_password= +pki_client_pkcs12_password= +pki_ds_password= +pki_security_domain_password= + +[CA] +pki_external=True +pki_external_ca_cert_chain_path= +pki_external_ca_cert_path= +pki_external_step_two=True +pki_ca_signing_subject_dn=
\ No newline at end of file diff --git a/base/deploy/config/sampleKRA.cfg b/base/deploy/config/sampleKRA.cfg new file mode 100644 index 000000000..9752e1077 --- /dev/null +++ b/base/deploy/config/sampleKRA.cfg @@ -0,0 +1,13 @@ +[DEFAULT] +pki_admin_password= +pki_backup_password= +pki_client_pkcs12_password= +pki_ds_password= +pki_security_domain_password= +pki_security_domain_hostname= +pki_security_domain_https_port= +pki_security_domain_user= +pki_issuing_ca_uri= + +[KRA] +pki_import_admin_cert=
\ No newline at end of file diff --git a/base/deploy/config/sampleKRAclone.cfg b/base/deploy/config/sampleKRAclone.cfg new file mode 100644 index 000000000..3584c41a9 --- /dev/null +++ b/base/deploy/config/sampleKRAclone.cfg @@ -0,0 +1,17 @@ +[DEFAULT] +pki_admin_password= +pki_backup_password= +pki_client_pkcs12_password= +pki_ds_password= +pki_security_domain_password= +pki_security_domain_hostname= +pki_security_domain_https_port= +pki_security_domain_user= + +[KRA] +pki_clone=True +pki_clone_pkcs12_password= +pki_clone_pkcs12_path= +pki_clone_replicate_schema= +pki_clone_uri= +pki_issuing_ca=
\ No newline at end of file diff --git a/base/deploy/config/sampleSubordinateCA.cfg b/base/deploy/config/sampleSubordinateCA.cfg new file mode 100644 index 000000000..e42a42ff8 --- /dev/null +++ b/base/deploy/config/sampleSubordinateCA.cfg @@ -0,0 +1,14 @@ +[DEFAULT] +pki_admin_password= +pki_backup_password= +pki_client_pkcs12_password= +pki_ds_password= +pki_security_domain_password= +pki_security_domain_hostname= +pki_security_domain_https_port= +pki_security_domain_user= + +[CA] +pki_subordinate=True +pki_issuing_ca= +pki_ca_signing_subject_dn=
\ No newline at end of file diff --git a/base/deploy/man/man8/pkispawn.8 b/base/deploy/man/man8/pkispawn.8 index c5361c3b0..b2a0134f3 100644 --- a/base/deploy/man/man8/pkispawn.8 +++ b/base/deploy/man/man8/pkispawn.8 @@ -94,7 +94,6 @@ pki_admin_password=\fIpassword123\fP pki_backup_password=\fIpassword123\fP pki_client_pkcs12_password=\fIpassword123\fP pki_ds_password=\fIpassword123\fP -pki_security_domain_password=\fIpassword123\fP .fi .PP Prior to running this command, a Directory Server instance should be created and running. This command assumes that the Directory Server instance is using its default configuration: 
@@ -115,7 +114,18 @@ To access the agent pages, first import the CA certificate by accessing the CA E .SS KRA, OCSP, or TKS using default configuration \x'-1'\fBpkispawn -s <subsystem> -f myconfig.txt\fR .PP -where subsystem is KRA, OCSP, or TKS, and \fImyconfig.txt\fP is the same as the one used for the default CA example. This command should be run after a CA is installed. This installs another subsystem within the same default instance using the certificate generated for the CA administrator for the subsystem's administrator. This allows a user to access both subsystems on the browser with a single administrator certificate. To access the new subsystem's functionality, simply point the browser to https://<hostname>:8443 and click the relevant top-level links. +where subsystem is KRA, OCSP, or TKS, and \fImyconfig.txt\fP contains the following text: +.IP +.nf +[DEFAULT] +pki_admin_password=\fIpassword123\fP +pki_backup_password=\fIpassword123\fP +pki_client_pkcs12_password=\fIpassword123\fP +pki_ds_password=\fIpassword123\fP +pki_security_domain_password=\fIpassword123\fP +.fi +.PP +The \fBpki_security_domain_password\fP is the admin password of the CA installed in the same default instance. This command should be run after a CA is installed. This installs another subsystem within the same default instance using the certificate generated for the CA administrator for the subsystem's administrator. This allows a user to access both subsystems on the browser with a single administrator certificate. To access the new subsystem's functionality, simply point the browser to https://<hostname>:8443 and click the relevant top-level links. .SS KRA, OCSP, or TKS connecting to a remote CA \x'-1'\fBpkispawn -s <subsystem> -f myconfig.txt\fR .PP 
@@ -217,9 +227,12 @@ pki_security_domain_user=caadmin [CA] pki_subordinate=True pki_issuing_ca=https://<master_ca_hostname>:<master_ca_https_port> +pki_ca_signing_subject_dn=cn=CA Subordinate Signing ,o=example.com .fi .PP A sub-CA derives its certificate configuration -- such as allowed extensions and validity periods -- from a superior or root CA. Otherwise, the configuration of the CA is independent of the root CA, so it is its own instance rather than a clone. A sub-CA is configured using the pki_subordinate parameter and a pointer to the CA which issues the sub-CA's certificates. +.PP +\fBNote:\fP The value of \fBpki_ca_signing_subject_dn\fP of a subordinate CA should be different from the root CA's signing subject DN. .SS Installing an externally signed CA \x'-1'\fBpkispawn -s CA -f myconfig.txt\fR .PP |
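Review bot: in the sample.cfg hunk the new comment `##Required for all subsystems that are not root CAs` uses a double `#` and does not say which cases it means; a single `#` and a concrete list, e.g. `# Required for clones, subordinate CAs and KRA/OCSP/TKS; not needed for a root CA`, tells a user copying sample.cfg when to uncomment `pki_security_domain_password`. Note also that sampleExternalSignedCA-step1.cfg and -step2.cfg in this same patch still list `pki_security_domain_password=` uncommented; if an externally signed CA needs it too, the sample.cfg comment should say so, otherwise those two samples should match it.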
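Review bot: every new file in this patch (sampleCAclone.cfg onwards) is committed without a trailing newline, as the `\ No newline at end of file` markers show; add the final newline so line-oriented tools and later diffs behave. In sampleCAclone.cfg and sampleKRAclone.cfg, `pki_clone_pkcs12_path=` and `pki_clone_pkcs12_password=` point at a PKCS#12 export that presumably carries the master instance's certificates and private keys; a one-line comment saying that this file and the filled-in config must be transferred and stored with restrictive permissions would be worth adding next to those keys.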
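Review bot: `pki_ca_signing_subject_dn=` appears in both sampleExternalSignedCA-step1.cfg and sampleExternalSignedCA-step2.cfg with nothing indicating that the step-2 value has to be the DN the CSR was generated with in step 1. A comment in step2 (or a sentence in the "Installing an externally signed CA" section of pkispawn.8) stating that the two values must be identical would prevent a mismatch between the CSR and the certificate returned in `pki_external_ca_cert_path`.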
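Review bot: sampleKRA.cfg uses `pki_issuing_ca_uri=` while sampleKRAclone.cfg, sampleSubordinateCA.cfg and the pkispawn.8 sub-CA example in this same patch all use `pki_issuing_ca=`; unless both spellings are accepted, the KRA sample names a parameter that will be silently ignored and should be changed to `pki_issuing_ca=`. In the same file `pki_import_admin_cert=` is left blank with no hint of its expected value; either fill in the intended boolean or add a comment.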
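Review bot: the KRA/OCSP/TKS hunk in pkispawn.8 now states that `pki_security_domain_password` is the CA admin password and shows it written in clear in `myconfig.txt` alongside the DS and PKCS#12 passwords; since that file is what users will copy, the man page should add a sentence recommending that `myconfig.txt` be created with restrictive permissions (for example mode 0600) and removed once the subsystem is installed.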
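Review bot: in the sub-CA hunk of pkispawn.8 the example `pki_ca_signing_subject_dn=cn=CA Subordinate Signing ,o=example.com` has a stray space before the comma; it should read `cn=CA Subordinate Signing,o=example.com`, since depending on the DN parser the space is either kept as part of the CN or rejected. The added Note only says the sub-CA DN "should be different" from the root's; stating the reason (a sub-CA certificate whose subject equals its issuer's subject is indistinguishable from a self-issued certificate and confuses chain building) makes the requirement harder to dismiss.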
