From b644429de7d9649e98737113182d9fcd6912e92a Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Tue, 9 Sep 2014 15:06:31 -0400 Subject: Fix sub-CA installation with own security domain Installation code failed to anticipate installation of a subordinate CA that would host its own security domain. This patch includes changes to python installation code, java configuration servlet and changes to man pages. Ticket 1132 --- base/server/man/man5/pki_default.cfg.5 | 11 ++++++++++- base/server/man/man8/pkispawn.8 | 28 +++++++++++++++++++++++++++- 2 files changed, 37 insertions(+), 2 deletions(-) (limited to 'base/server/man') diff --git a/base/server/man/man5/pki_default.cfg.5 b/base/server/man/man5/pki_default.cfg.5 index 1522cc6f3..a7706656b 100644 --- a/base/server/man/man5/pki_default.cfg.5 +++ b/base/server/man/man5/pki_default.cfg.5 @@ -184,7 +184,7 @@ Name of the back-end database. It is advised that the Certificate Server have i \x'-1'\fBpki_issuing_ca_hostname, pki_issuing_ca_https_port, pki_issuing_ca_uri\fR .IP Hostname and port, or URI of the issuing CA. Required for installations of subordinate CA and non-CA subsystems. This should point to the CA that will issue the relevant system certificates for the subsystem. In a default install, this defaults to the CA subsystem within the same instance. The URI has the format https://:. - +.PP .SS MISCELLANEOUS PARAMETERS \x'-1'\fBpki_restart_configured_instance\fR .IP 
@@ -263,6 +263,15 @@ Required for the second step of the external CA signing process. This is the lo \x'-1'\fBpki_subordinate\fR .IP Specifies whether the new CA which will be a subordinate of another CA. The master CA is specified by \fBpki_issuing_ca\fP. Defaults to False. +.TP +.B pki_subordinate_create_new_security_domain +.IP +Set to \fBTrue\fP if the subordinate CA will host its own security domain. Defaults to \fBFalse\fP. +.TP +.B pki_subordinate_security_domain_name +.IP +Used when \fBpki_subordinate_create_security_domain\fP is set to \fBTrue\fP. Specifies the name of the security domain to be hosted on the subordinate CA. + .SS STANDALONE PKI PARAMETERS A stand-alone PKI subsystem is defined as a non-CA PKI subsystem that does not contain a CA as a part of its deployment, and functions as its own security domain. Currently, only stand-alone DRMs are supported. .TP diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8 index 1b8f49e4b..fc50fd380 100644 --- a/base/server/man/man8/pkispawn.8 +++ b/base/server/man/man8/pkispawn.8 
@@ -304,12 +304,38 @@ pki_security_domain_user=caadmin [CA] pki_subordinate=True pki_issuing_ca=https://: -pki_ca_signing_subject_dn=cn=CA Subordinate Signing ,o=example.com +pki_ca_signing_subject_dn=cn=CA Subordinate Signing,o=example.com .fi .PP A sub-CA derives its certificate configuration -- such as allowed extensions and validity periods -- from a superior or root CA. Otherwise, the configuration of the CA is independent of the root CA, so it is its own instance rather than a clone. A sub-CA is configured using the pki_subordinate parameter and a pointer to the CA which issues the sub-CA's certificates. .PP \fBNote:\fP The value of \fBpki_ca_signing_subject_dn\fP of a subordinate CA should be different from the root CA's signing subject DN. +.SS Installing a subordinate CA which hosts its own security domain +\x'-1'\fBpkispawn \-s CA \-f myconfig.txt\fR +.PP +where \fImyconfig.txt\fP contains the following text: +.IP +.nf +[DEFAULT] +pki_admin_password=\fIpassword123\fP +pki_client_pkcs12_password=\fIpassword123\fP +pki_ds_password=\fIpassword123\fP +pki_security_domain_password=\fIpassword123\fP +pki_security_domain_hostname= +pki_security_domain_https_port= +pki_security_domain_user=caadmin + +[CA] +pki_subordinate=True +pki_issuing_ca=https://: +pki_ca_signing_subject_dn=cn=CA Subordinate Signing,o=example.com +pki_subordinate_create_new_security_domain=True +pki_subordinate_security_domain_name=Subordinate CA Security Domain +.fi +.PP +In this section, the subordinate CA logs onto and registers with the security domain CA (using parameters \fBpki_security_domain_hostname\fP, \fBpki_security_domain_https_port\fP, \fBpki_security_domain_user\fP and \fBpki_security_domain_password\fP) as in the previous section, but also creates and hosts a new security domain. To do this, \fBpki_subordinate_create_new_security_domain\fP must be set to \fBTrue\fP. 
The subordinate CA security domain name can also be specified by specifying a value for \fBpki_subordinate_security_domain_name\fP. +.PP +\fBNote:\fP The value of \fBpki_ca_signing_subject_dn\fP of a subordinate CA should be different from the root CA's signing subject DN. .SS Installing an externally signed CA \x'-1'\fBpkispawn \-s CA \-f myconfig.txt\fR .PP -- cgit
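Review bot: In the @@ -184,7 hunk of pki_default.cfg.5, the blank line before `.SS MISCELLANEOUS PARAMETERS` is replaced with `.PP`, but a `.PP` immediately followed by `.SS` has no visible effect because the section heading already breaks the paragraph; simply deleting the blank line (which does cause spurious vertical space in roff) would achieve the same result with less noise. Harmless as written, so this is only a style point.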
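Review bot: In the @@ -263,6 hunk of pki_default.cfg.5, the description of `pki_subordinate_security_domain_name` says it is used when `pki_subordinate_create_security_domain` is True, but the parameter introduced two entries above, and the one used in the pkispawn.8 example in this same patch, is `pki_subordinate_create_new_security_domain`; the cross-reference should be changed to match, otherwise an administrator who copies the referenced name into their deployment file will set a parameter the installer does not read. Two further points on the same entries: they use the `.TP` / `.B name` / `.IP` sequence, whereas the neighbouring `pki_subordinate` entry (and the rest of this file) uses `\x'-1'\fBname\fR` followed by `.IP`, and a `.TP` whose tag is immediately followed by `.IP` produces an empty tagged paragraph, so the new entries should follow the existing convention; and `pki_subordinate_security_domain_name` gives no default, although the pkispawn.8 text in this patch says the name "can also be specified", which implies one exists, so the default value belongs here.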
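Review bot: In the @@ -304,12 hunk of pkispawn.8, the sentence "The subordinate CA security domain name can also be specified by specifying a value for \fBpki_subordinate_security_domain_name\fP" is redundant and leaves the reader without the default; suggest "The name of the new security domain is set with \fBpki_subordinate_security_domain_name\fP; if omitted, the default name is used" with the actual default filled in from the installer. The explanatory paragraph should also state explicitly whether the subordinate CA remains registered as a member of the issuing CA's security domain after it creates and hosts its own, since the text says it both registers with the security domain CA "as in the previous section" and creates a new domain, and an administrator needs to know which domain's admin credentials govern the new CA once installation completes. The repeated \fBNote:\fP about \fBpki_ca_signing_subject_dn\fP is fine to keep since each .SS example is meant to be self-contained, and the stray space removed from the existing `pki_ca_signing_subject_dn` value is a correct fix.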