
Migrating PKI Server

Endi S. Dewata edited this page Mar 21, 2023 · 36 revisions

Overview

Warning: This page is still under construction.

This page describes the process to migrate the PKI server in an IPA server to another machine.

This page assumes that the IPA server has already been installed on ipa.example.com and that the PKI server will be migrated to pki.example.com, which has been configured as an IPA client.

Stopping PKI Server

$ pki-server stop --wait

Backing Up PKI Server

Back up PKI server with the following command:

$ tar czvf pki-tomcat.tar.gz \
    -C / \
    etc/pki/pki-tomcat \
    etc/sysconfig/pki-tomcat \
    etc/sysconfig/pki/tomcat/pki-tomcat \
    etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service \
    var/lib/pki/pki-tomcat \
    var/log/pki/pki-tomcat

Restoring PKI Server

Transfer the pki-tomcat.tar.gz to pki.example.com, then unpack the file:

$ tar xzvf pki-tomcat.tar.gz -C /
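Before unpacking on pki.example.com it is worth confirming that the archive really holds every path from the backup command, and keeping it at mode 0600 because it contains the NSS key database and password.conf. The script below is an added example, not part of the wiki page or the Dogtag project; it assumes the systemd unit inside the target.wants directory is named pki-tomcatd@pki-tomcat.service, and it runs against a constructed directory tree with placeholder contents (on the real server the root argument would be /).

```shell
#!/bin/sh
# Added example (not from the wiki): build the pki-tomcat backup archive from a
# chosen root and verify it holds every expected path before trusting it.

# Paths from the page's tar command, relative to the root ("/" on the real server).
# The unit file name is an assumption based on the pki-tomcat instance name.
PKI_BACKUP_PATHS="etc/pki/pki-tomcat
etc/sysconfig/pki-tomcat
etc/sysconfig/pki/tomcat/pki-tomcat
etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
var/lib/pki/pki-tomcat
var/log/pki/pki-tomcat"

# backup_pki ROOT ARCHIVE: archive the paths above from ROOT into ARCHIVE.
# The archive contains the NSS key database and password.conf, so it is
# created under umask 077 and pinned to mode 0600.
backup_pki() {
    root=$1
    archive=$2
    # word-splitting on newlines turns the list into separate tar arguments
    ( umask 077 && tar czf "$archive" -C "$root" $PKI_BACKUP_PATHS ) || return 1
    chmod 600 "$archive"
}

# verify_archive ARCHIVE: status 0 only if every expected path appears in the
# listing, either as a file entry or as a directory prefix.
verify_archive() {
    archive=$1
    missing=0
    listing=$(tar tzf "$archive") || return 1
    for p in $PKI_BACKUP_PATHS; do
        if printf '%s\n' "$listing" | grep -q -e "^$p\$" -e "^$p/"; then
            continue
        fi
        echo "MISSING from $archive: $p" >&2
        missing=$((missing + 1))
    done
    [ "$missing" -eq 0 ]
}

# make_fake_pki_tree ROOT: constructed stand-in for the real file system,
# with placeholder contents only (no real keys or passwords).
make_fake_pki_tree() {
    root=$1
    mkdir -p "$root/etc/pki/pki-tomcat/alias" \
             "$root/etc/sysconfig/pki/tomcat/pki-tomcat" \
             "$root/etc/systemd/system/pki-tomcatd.target.wants" \
             "$root/var/lib/pki/pki-tomcat" \
             "$root/var/log/pki/pki-tomcat"
    echo "PLACEHOLDER (constructed)" > "$root/etc/pki/pki-tomcat/password.conf"
    echo "PLACEHOLDER (constructed)" > "$root/etc/sysconfig/pki-tomcat"
    echo "PLACEHOLDER (constructed)" \
        > "$root/etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service"
}

# Demo on a constructed tree; on the real server the calls would be
#   backup_pki / /root/pki-tomcat.tar.gz && verify_archive /root/pki-tomcat.tar.gz
work=$(mktemp -d)
make_fake_pki_tree "$work/root"
backup_pki "$work/root" "$work/pki-tomcat.tar.gz" && verify_archive "$work/pki-tomcat.tar.gz" \
    && echo "archive verified: $work/pki-tomcat.tar.gz"
rm -rf "$work"
```

Run verify_archive on the transferred copy on pki.example.com as well, so that a truncated transfer is caught before anything is unpacked over /etc and /var.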

Configuring HTTP Proxy Ports

$ pki-server ca-config-unset proxy.securePort
$ pki-server ca-config-unset proxy.unsecurePort

Configuring Plain LDAP Port for Internal Database

$ pki-server ca-config-set internaldb.ldapconn.host ipa.example.com
$ pki-server ca-config-set internaldb.ldapconn.port 389
$ pki-server ca-config-set internaldb.ldapconn.secureConn false

Configuring Basic Authentication for Internal Database

To configure basic authentication:

$ pki-server ca-config-unset internaldb.ldapauth.clientCertNickname
$ pki-server ca-config-set internaldb.ldapauth.authtype BasicAuth
$ pki-server ca-config-set internaldb.ldapauth.bindDN "cn=Directory Manager"
$ pki-server ca-config-set internaldb.ldapauth.bindPWPrompt internaldb

To store the password:

$ pki-server password-add internaldb --password Secret.123

Configuring RSNv3 for Request ID Generator

$ pki-server ca-config-unset dbs.beginRequestNumber
$ pki-server ca-config-unset dbs.endRequestNumber
$ pki-server ca-config-unset dbs.requestIncrement
$ pki-server ca-config-unset dbs.requestLowWaterMark
$ pki-server ca-config-unset dbs.requestCloneTransferNumber
$ pki-server ca-config-unset dbs.requestRangeDN
$ pki-server ca-config-set dbs.request.id.generator random
$ pki-server ca-config-set dbs.request.id.length 128

Configuring RSNv3 for Certificate ID Generator

$ pki-server ca-config-unset dbs.beginSerialNumber
$ pki-server ca-config-unset dbs.endSerialNumber
$ pki-server ca-config-unset dbs.serialIncrement
$ pki-server ca-config-unset dbs.serialLowWaterMark
$ pki-server ca-config-unset dbs.serialCloneTransferNumber
$ pki-server ca-config-unset dbs.serialRangeDN
$ pki-server ca-config-unset dbs.enableRandomSerialNumbers
$ pki-server ca-config-unset dbs.randomSerialNumberCounter
$ pki-server ca-config-set dbs.cert.id.generator random
$ pki-server ca-config-set dbs.cert.id.length 128

Configuring Security Domain

$ pki-server ca-config-set securitydomain.host pki.example.com
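The sections from "Configuring HTTP Proxy Ports" through "Configuring Security Domain" each change a handful of CS.cfg keys, and a practitioner restoring on a new host usually wants one check that confirms all of them took effect before the server is started. Note also that with port 389 and secureConn false the directory traffic between pki.example.com and ipa.example.com, including the Directory Manager bind, is not TLS-protected, which is worth weighing on a network you do not fully control. The script below is an added example, not from the wiki or the Dogtag project; it assumes the CA configuration lives in /etc/pki/pki-tomcat/ca/CS.cfg and runs against constructed copies (the "stale" copy's values are illustrative, not taken from the page).

```shell
#!/bin/sh
# Added example (not from the wiki): check that a migrated CA CS.cfg carries the
# settings the "Configuring ..." steps are meant to leave behind. The real file is
# assumed to be /etc/pki/pki-tomcat/ca/CS.cfg; constructed copies are used here.

IPA_HOST=ipa.example.com   # host of the internal LDAP database
PKI_HOST=pki.example.com   # new PKI server host

# cfg_get FILE KEY: print the value of KEY. CS.cfg is one key=value per line and a
# value may itself contain "=" (a bindDN, a base64 cert), so only the first "=" splits.
cfg_get() {
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# expect_set FILE KEY VALUE: status 1 (with a message) if KEY is absent or differs
expect_set() {
    actual=$(cfg_get "$1" "$2")
    if [ "$actual" = "$3" ]; then
        return 0
    fi
    echo "FAIL: $2='$actual' (expected '$3')" >&2
    return 1
}

# expect_unset FILE KEY: status 1 if KEY is still present
expect_unset() {
    if awk -F= -v k="$2" '$1 == k { found = 1 } END { exit found + 0 }' "$1"; then
        return 0
    fi
    echo "FAIL: $2 is still set" >&2
    return 1
}

# check_cs_cfg FILE: run every check and report; status 0 only if all pass
check_cs_cfg() {
    cfg=$1
    failed=0
    # some of the keys the procedure removes: proxy ports, client-cert LDAP auth, ranges
    for key in proxy.securePort proxy.unsecurePort internaldb.ldapauth.clientCertNickname \
               dbs.beginRequestNumber dbs.endRequestNumber dbs.requestRangeDN \
               dbs.beginSerialNumber dbs.endSerialNumber dbs.serialRangeDN \
               dbs.enableRandomSerialNumbers; do
        expect_unset "$cfg" "$key" || failed=$((failed + 1))
    done
    # keys the procedure sets (split at the first "=" so a bindDN value survives)
    for kv in "internaldb.ldapconn.host=$IPA_HOST" "internaldb.ldapconn.port=389" \
              "internaldb.ldapconn.secureConn=false" "internaldb.ldapauth.authtype=BasicAuth" \
              "internaldb.ldapauth.bindDN=cn=Directory Manager" \
              "dbs.request.id.generator=random" "dbs.request.id.length=128" \
              "dbs.cert.id.generator=random" "dbs.cert.id.length=128" \
              "securitydomain.host=$PKI_HOST"; do
        expect_set "$cfg" "${kv%%=*}" "${kv#*=}" || failed=$((failed + 1))
    done
    if [ "$failed" -eq 0 ]; then
        echo "OK: $cfg has the expected post-migration settings"
        return 0
    fi
    echo "$failed check(s) failed for $cfg" >&2
    return 1
}

# write_sample_cfg FILE migrated|stale: constructed CS.cfg fragments. "stale" mimics a
# copy taken from ipa.example.com before any step was applied (illustrative values).
write_sample_cfg() {
    if [ "$2" = migrated ]; then
        cat > "$1" <<EOF
internaldb.ldapconn.host=$IPA_HOST
internaldb.ldapconn.port=389
internaldb.ldapconn.secureConn=false
internaldb.ldapauth.authtype=BasicAuth
internaldb.ldapauth.bindDN=cn=Directory Manager
dbs.request.id.generator=random
dbs.request.id.length=128
dbs.cert.id.generator=random
dbs.cert.id.length=128
securitydomain.host=$PKI_HOST
EOF
    else
        cat > "$1" <<EOF
proxy.securePort=443
proxy.unsecurePort=80
internaldb.ldapconn.host=$IPA_HOST
internaldb.ldapconn.port=636
internaldb.ldapconn.secureConn=true
internaldb.ldapauth.authtype=SslClientAuth
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
dbs.beginSerialNumber=1
securitydomain.host=$IPA_HOST
EOF
    fi
}

# Demo on constructed copies; on the real server: check_cs_cfg /etc/pki/pki-tomcat/ca/CS.cfg
work=$(mktemp -d)
write_sample_cfg "$work/migrated.cfg" migrated
write_sample_cfg "$work/stale.cfg" stale
check_cs_cfg "$work/migrated.cfg"
check_cs_cfg "$work/stale.cfg" || echo "stale copy rejected, as expected"
rm -rf "$work"
```

The check deliberately reads CS.cfg directly rather than through pki-server, so it can be run on the unpacked archive before the instance is started.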

Generating New SSL Server Certificate

To remove the old SSL server certificate:

$ certutil -D \
    -d /etc/pki/pki-tomcat/alias \
    -f /etc/pki/pki-tomcat/alias/pwdfile.txt \
    -n "Server-Cert cert-pki-ca"

To generate a new SSL server certificate:

$ pki \
    -d /etc/pki/pki-tomcat/alias \
    -f /etc/pki/pki-tomcat/password.conf \
    nss-cert-request \
    --subject "CN=pki.example.com,OU=pki-tomcat,O=EXAMPLE" \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    --csr sslserver.csr
$ pki \
    -d /etc/pki/pki-tomcat/alias \
    -f /etc/pki/pki-tomcat/password.conf \
    nss-cert-issue \
    --issuer "caSigningCert cert-pki-ca" \
    --csr sslserver.csr \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    --cert sslserver.crt
$ pki \
    -d /etc/pki/pki-tomcat/alias \
    -f /etc/pki/pki-tomcat/password.conf \
    nss-cert-import \
    --cert sslserver.crt \
    "Server-Cert cert-pki-ca"

Updating SSL Server Certificate in CS.cfg

To update the certificate request:

$ openssl req \
    -outform der \
    -in sslserver.csr \
    -out sslserver.csr.der
$ CSR=$(cat sslserver.csr.der | base64 -w 0)
$ pki-server ca-config-set ca.signing.certreq "$CSR"

To update the certificate:

$ openssl x509 \
    -outform der \
    -in sslserver.crt \
    -out sslserver.crt.der
$ CERT=$(cat sslserver.crt.der | base64 -w 0)
$ pki-server ca-config-set ca.sslserver.cert "$CERT"

Importing SSL Server Certificate into CA Database

To import the certificate request:

$ pki-server ca-cert-request-import \
    --csr sslserver.csr \
    --profile serverCert.profile

To import the certificate:

$ pki-server ca-cert-import \
    --cert sslserver.crt \
    --profile serverCert.profile \
    --request <request ID>

Updating Security Domain Subsystem

To remove the old subsystem:

$ pki-server \
    sd-host-del \
    "CA ipa.example.com 443"

Note: Use port 443 since the old PKI server sits behind the IPA HTTP proxy.

To add the new subsystem:

$ pki-server \
    sd-host-add \
    --subsystem CA \
    --hostname pki.example.com \
    --secure-port 8443 \
    --domain-manager \
    "CA pki.example.com 8443"

Note: Use port 8443 since the new PKI server does not sit behind the IPA HTTP proxy.

Updating Security Domain Subsystem User

To remove the old user:

$ pki-server \
    ca-user-del \
    CA-ipa.example.com-8443

To add the new user:

$ pki-server \
    ca-user-add \
    --full-name "CA-pki.example.com-8443" \
    --type agentType \
    --state 1 \
    CA-pki.example.com-8443

To assign the subsystem certificate to the user:

$ cat subsystem.crt | pki-server \
    ca-user-cert-add \
    CA-pki.example.com-8443

Starting PKI Server

$ systemctl daemon-reload
$ pki-server start --wait

Updating IPA HTTP Proxy

$ sed \
    -i 's/localhost/pki\.example\.com/g' \
    /etc/httpd/conf.d/ipa-pki-proxy.conf