
Quick Start

Endi S. Dewata edited this page Dec 1, 2020 · 20 revisions

Overview

This document describes the process to install basic PKI subsystems.

Installing Required Packages

To install the required DS and PKI packages:

$ dnf install 389-ds-base dogtag-pki

Creating DS Instance

Creating CA Subsystem

Run pkispawn in interactive mode to create the CA subsystem:

$ pkispawn
Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]:

Tomcat:
  Instance [pki-tomcat]:
  HTTP port [8080]:
  Secure HTTP port [8443]:
  AJP port [8009]:
  Management port [8005]:

Administrator:
  Username [caadmin]:
  Password: Secret.123
  Verify password: Secret.123
  Import certificate (Yes/No) [N]?
  Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]:

Directory Server:
  Hostname [server.example.com]:
  Port [389]:
  Bind DN [cn=Directory Manager]:
  Password: Secret.123
  Base DN [o=pki-tomcat-CA]:

Security Domain:
  Name [example.com Security Domain]:

Begin installation (Yes/No/Quit)? Y

Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             caadmin
      Administrator's PKCS #12 file:
            /root/.dogtag/pki-tomcat/ca_admin_cert.p12

      To check the status of the subsystem:
            systemctl status pki-tomcatd@pki-tomcat.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@pki-tomcat.service
      The URL for the subsystem is:
            https://server.example.com:8443/ca

    ==========================================================================

See also Installing CA.

Creating KRA Subsystem

Run pkispawn in interactive mode to create the KRA subsystem:

$ pkispawn
Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]: KRA

Tomcat:
  Instance [pki-tomcat]:
  HTTP port [8080]:
  Secure HTTP port [8443]:
  AJP port [8009]:
  Management port [8005]:

Administrator:
  Username [kraadmin]:
  Password: Secret.123
  Verify password: Secret.123
  Import certificate (Yes/No) [Y]?
  Import certificate from [/root/.dogtag/pki-tomcat/ca_admin.cert]:
  Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]:

Directory Server:
  Hostname [server.example.com]:
  Port [389]:
  Bind DN [cn=Directory Manager]:
  Password: Secret.123
  Base DN [o=pki-tomcat-KRA]:

Security Domain:
  Hostname [server.example.com]:
  Secure HTTP port [8443]:
  Name: example.com Security Domain
  Username [caadmin]:
  Password: Secret.123

Begin installation (Yes/No/Quit)? Y

Installing KRA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/kra/deployment.cfg.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             kraadmin

      To check the status of the subsystem:
            systemctl status pki-tomcatd@pki-tomcat.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@pki-tomcat.service
      The URL for the subsystem is:
            https://server.example.com:8443/kra

    ==========================================================================

See also Installing KRA.
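
The pkispawn runs above store a deployment configuration under /etc/sysconfig/pki/tomcat/pki-tomcat/ and an administrator PKCS #12 file under /root/.dogtag/pki-tomcat/. The check below is an added example, not part of Dogtag PKI or of the original page: the hypothetical helpers audit_pki_file and audit_pki_files flag a file that is accessible to group or other, or that contains the sample password Secret.123 used in this walkthrough. Whether a given file holds passwords in clear text is an assumption.

```shell
#!/bin/sh
# Added example: post-install check of files written by pkispawn.
# audit_pki_file / audit_pki_files are hypothetical helpers, not Dogtag tools.
# Usage: sh audit.sh /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg \
#                    /root/.dogtag/pki-tomcat/ca_admin_cert.p12

SAMPLE_PASSWORD='Secret.123'   # sample value typed in the sessions above

# Print one finding per problem; return 0 if the file is clean, 1 otherwise.
audit_pki_file() {
    f=$1
    rc=0
    if [ ! -f "$f" ]; then
        echo "MISSING  $f"
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "PERMS    $f is accessible to group/other ($perms)"
        rc=1
    fi
    # Assumption: the file may hold password values in clear text.
    if grep -qF -- "$SAMPLE_PASSWORD" "$f"; then
        echo "PASSWORD $f contains the walkthrough's sample password"
        rc=1
    fi
    return "$rc"
}

# Audit every path given; the return status is the number of files with findings.
audit_pki_files() {
    bad=0
    for path in "$@"; do
        audit_pki_file "$path" || bad=$((bad + 1))
    done
    return "$bad"
}

# When paths are passed on the command line, audit them and summarize.
if [ "$#" -gt 0 ]; then
    audit_pki_files "$@" || echo "$? file(s) need attention"
fi
```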

Accessing PKI Services

To access PKI services via the Web UI, open https://server.example.com:8443 in a browser.

To access PKI services from the command line, use the PKI CLI.

By default, only the Default CA Admin and end-entities can access PKI services. Follow User Certificate Setup to add additional system users.

Managing PKI Services

To manage PKI services via the PKI Console:

$ pkiconsole https://server.example.com:8443/<subsystem>

To manage PKI services via the CLI, use the PKI Server CLI.

Common PKI Tasks

Removing PKI Subsystem

$ pkidestroy
Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]:
Instance [pki-tomcat]:

Begin uninstallation (Yes/No/Quit)? Y

Loading deployment configuration from /var/lib/pki/pki-tomcat/ca/registry/ca/deployment.cfg.
Uninstalling CA from /var/lib/pki/pki-tomcat.

Uninstallation complete.
