
Migrating PKI Server

Endi S. Dewata edited this page Mar 21, 2023 · 36 revisions

Overview

Warning
This page is still under construction.

This page describes the process to migrate the PKI server in an IPA server to another machine.

This page assumes that the IPA server was already installed on ipa.example.com and that the PKI server will be migrated to pki.example.com, which has been configured as an IPA client.

Stopping PKI Server

Stop PKI server with the following command:

$ pki-server stop --wait

Backing Up PKI Server

Back up PKI server with the following command:

$ tar czvf pki-tomcat.tar.gz \
    -C / \
    etc/pki/pki-tomcat \
    etc/sysconfig/pki-tomcat \
    etc/sysconfig/pki/tomcat/pki-tomcat \
    etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service \
    var/lib/pki/pki-tomcat \
    var/log/pki/pki-tomcat

Restoring PKI Server

Transfer the pki-tomcat.tar.gz to pki.example.com, then unpack the file:

$ tar xzvf pki-tomcat.tar.gz -C /

Configuring HTTP Proxy Ports

Remove HTTP proxy ports with the following commands:

$ pki-server ca-config-unset proxy.securePort
$ pki-server ca-config-unset proxy.unsecurePort

Configuring Plain LDAP Port for Internal Database

Configure plain LDAP port with the following commands:

$ pki-server ca-config-set internaldb.ldapconn.host ipa.example.com
$ pki-server ca-config-set internaldb.ldapconn.port 389
$ pki-server ca-config-set internaldb.ldapconn.secureConn false

Configuring Basic Authentication for Internal Database

Configure basic authentication with the following commands:

$ pki-server ca-config-unset internaldb.ldapauth.clientCertNickname
$ pki-server ca-config-set internaldb.ldapauth.authtype BasicAuth
$ pki-server ca-config-set internaldb.ldapauth.bindDN "cn=Directory Manager"
$ pki-server ca-config-set internaldb.ldapauth.bindPWPrompt internaldb

Store the password with the following command:

$ pki-server password-add internaldb --password Secret.123

Configuring RSNv3 for Request ID Generator

Configure request ID generator with the following commands:

$ pki-server ca-config-unset dbs.beginRequestNumber
$ pki-server ca-config-unset dbs.endRequestNumber
$ pki-server ca-config-unset dbs.requestIncrement
$ pki-server ca-config-unset dbs.requestLowWaterMark
$ pki-server ca-config-unset dbs.requestCloneTransferNumber
$ pki-server ca-config-unset dbs.requestRangeDN
$ pki-server ca-config-set dbs.request.id.generator random
$ pki-server ca-config-set dbs.request.id.length 128

Configuring RSNv3 for Certificate ID Generator

Configure certificate ID generator with the following commands:

$ pki-server ca-config-unset dbs.beginSerialNumber
$ pki-server ca-config-unset dbs.endSerialNumber
$ pki-server ca-config-unset dbs.serialIncrement
$ pki-server ca-config-unset dbs.serialLowWaterMark
$ pki-server ca-config-unset dbs.serialCloneTransferNumber
$ pki-server ca-config-unset dbs.serialRangeDN
$ pki-server ca-config-unset dbs.enableRandomSerialNumbers
$ pki-server ca-config-unset dbs.randomSerialNumberCounter
$ pki-server ca-config-set dbs.cert.id.generator random
$ pki-server ca-config-set dbs.cert.id.length 128

Configuring Security Domain

Configure security domain with the following command:

$ pki-server ca-config-set securitydomain.host pki.example.com

Generating New SSL Server Certificate

Remove the old SSL server certificate with the following command:

$ certutil -D \
    -d /etc/pki/pki-tomcat/alias \
    -f /etc/pki/pki-tomcat/alias/pwdfile.txt \
    -n "Server-Cert cert-pki-ca"

Generate a new SSL server certificate with the following commands:

$ pki \
    -d /etc/pki/pki-tomcat/alias \
    -f /etc/pki/pki-tomcat/password.conf \
    nss-cert-request \
    --subject "CN=pki.example.com,OU=pki-tomcat,O=EXAMPLE" \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    --csr sslserver.csr
$ pki \
    -d /etc/pki/pki-tomcat/alias \
    -f /etc/pki/pki-tomcat/password.conf \
    nss-cert-issue \
    --issuer "caSigningCert cert-pki-ca" \
    --csr sslserver.csr \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    --cert sslserver.crt
$ pki \
    -d /etc/pki/pki-tomcat/alias \
    -f /etc/pki/pki-tomcat/password.conf \
    nss-cert-import \
    --cert sslserver.crt \
    "Server-Cert cert-pki-ca"

Updating SSL Server Certificate in CS.cfg

Update the certificate request with the following commands:

$ openssl req \
    -outform der \
    -in sslserver.csr \
    -out sslserver.csr.der
$ CSR=$(cat sslserver.csr.der | base64 -w 0)
$ pki-server ca-config-set ca.signing.certreq "$CSR"

Update the certificate with the following commands:

$ openssl x509 \
    -outform der \
    -in sslserver.crt \
    -out sslserver.crt.der
$ CERT=$(cat sslserver.crt.der | base64 -w 0)
$ pki-server ca-config-set ca.sslserver.cert "$CERT"

Importing SSL Server Certificate into CA Database

Import the certificate request with the following command:

$ pki-server ca-cert-request-import \
    --csr sslserver.csr \
    --profile serverCert.profile

Import the certificate with the following command:

$ pki-server ca-cert-import \
    --cert sslserver.crt \
    --profile serverCert.profile \
    --request <request ID>

Updating Security Domain Subsystem

Remove the old subsystem with the following command:

$ pki-server \
    sd-host-del \
    "CA ipa.example.com 443"

Note: Use port 443 since the old PKI server sits behind the IPA HTTP proxy.

Add the new subsystem with the following command:

$ pki-server \
    sd-host-add \
    --subsystem CA \
    --hostname pki.example.com \
    --secure-port 8443 \
    --domain-manager \
    "CA pki.example.com 8443"

Note: Use port 8443 since the new PKI server does not sit behind the IPA HTTP proxy.

Updating Security Domain Subsystem User

Remove the old subsystem user with the following command:

$ pki-server \
    ca-user-del \
    CA-ipa.example.com-8443

Add the new subsystem user with the following command:

$ pki-server \
    ca-user-add \
    --full-name "CA-pki.example.com-8443" \
    --type agentType \
    --state 1 \
    CA-pki.example.com-8443

Assign the subsystem certificate to the new subsystem user with the following command:

$ cat subsystem.crt | pki-server \
    ca-user-cert-add \
    CA-pki.example.com-8443

Starting PKI Server

Start PKI server on the new machine with the following command:

$ systemctl daemon-reload
$ pki-server start --wait

Updating HTTP Proxy

Update IPA’s HTTP proxy with the following command:

$ sed \
    -i 's/localhost/pki\.example\.com/g' \
    /etc/httpd/conf.d/ipa-pki-proxy.conf

Updating PKI Hostname and Port

Update PKI hostname and port in /usr/lib/python3.11/site-packages/ipaserver/plugins/dogtag.py as follows:

@register()
class ra(rabase.rabase, RestClient):

    ...

    def find(self, options):

        ...

        status, _, data = dogtag.https_request(
            # self.ca_host, 443,
            'pki.example.com', 8443,
            url='/ca/rest/certs/search?size=%d' % (
                 options.get('sizelimit', 0x7fffffff)),
            ...
        )

This change can also be done with this command:

$ sed \
    -i "s/self\.ca_host, 443,/'pki.example.com', 8443,/g" \
    /usr/lib/python3.11/site-packages/ipaserver/plugins/dogtag.py

Restarting HTTPD Service

Finally, restart IPA’s HTTPD service with the following command:

$ systemctl restart httpd

Verification

Verify PKI server migration with the following command:

$ ipa cert-find
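As an added check (not part of this wiki page or of the PKI project), the script below reads the migrated CS.cfg and confirms that the settings changed in the configuration steps above are present and that the unset keys did not survive. It assumes CS.cfg is a plain key=value file and runs against a constructed sample; point check_cs_cfg at /etc/pki/pki-tomcat/ca/CS.cfg on the new machine for a real run.

```shell
# Added CS.cfg consistency check for the migration above (example code, not the project's own).
cfg_get() {   # cfg_get <file> <key>: print the value, empty if the key is absent
    sed -n "s/^$2=//p" "$1" | head -n 1
}
# check_cs_cfg <CS.cfg> <new PKI hostname>: prints each problem, returns the count
check_cs_cfg() {
    f=$1; host=$2; fails=0
    # keys that must hold the values the migration sets
    for kv in \
        "internaldb.ldapconn.port=389" \
        "internaldb.ldapconn.secureConn=false" \
        "internaldb.ldapauth.authtype=BasicAuth" \
        "internaldb.ldapauth.bindPWPrompt=internaldb" \
        "dbs.request.id.generator=random" \
        "dbs.request.id.length=128" \
        "dbs.cert.id.generator=random" \
        "dbs.cert.id.length=128" \
        "securitydomain.host=$host"; do
        k=${kv%%=*}; want=${kv#*=}; got=$(cfg_get "$f" "$k")
        [ "$got" = "$want" ] || { echo "FAIL $k='$got' (want '$want')"; fails=$((fails+1)); }
    done
    # keys the migration unsets; a leftover means the old proxy, client-cert
    # or range-based serial/request configuration is still active
    for k in proxy.securePort proxy.unsecurePort internaldb.ldapauth.clientCertNickname \
             dbs.beginSerialNumber dbs.endSerialNumber dbs.enableRandomSerialNumbers \
             dbs.beginRequestNumber dbs.endRequestNumber; do
        grep -q "^$k=" "$f" && { echo "FAIL $k is still set"; fails=$((fails+1)); }
    done
    return $fails
}
# Constructed CS.cfg fragment reflecting the settings above (sample, not a real server file)
write_sample_cfg() {
    cat > "$1" <<'EOF'
internaldb.ldapconn.host=ipa.example.com
internaldb.ldapconn.port=389
internaldb.ldapconn.secureConn=false
internaldb.ldapauth.authtype=BasicAuth
internaldb.ldapauth.bindDN=cn=Directory Manager
internaldb.ldapauth.bindPWPrompt=internaldb
dbs.request.id.generator=random
dbs.request.id.length=128
dbs.cert.id.generator=random
dbs.cert.id.length=128
securitydomain.host=pki.example.com
EOF
}
CFG=${TMPDIR:-/tmp}/cs-check.$$
write_sample_cfg "$CFG"
check_cs_cfg "$CFG" pki.example.com && echo "CS.cfg migration settings OK"
rm -f "$CFG"
```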

To Do

  • Add missing CLIs

  • Do not hardcode hostname and port

  • Replace AJP with HTTPS

  • Support other IPA operations (e.g. enrollment, renewal, archival)

  • Support KRA migration

  • Support DS migration
