
Setting up CA Database

Endi S. Dewata edited this page Nov 28, 2023 · 19 revisions

Overview

Note
This page is still under construction.

This document describes the process of setting up the CA database using DS. It assumes that the DS database has already been installed as described in DS Installation.

Initializing CA Database

Configuring DS database

$ ldapadd \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -f /usr/share/pki/server/database/ds/config.ldif

Configuring DS schema

$ ldapmodify \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -f /usr/share/pki/server/database/ds/schema.ldif

Adding DS Base Entry

$ ldapadd \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 << EOF
dn: dc=ca,dc=pki,dc=example,dc=com
objectClass: dcObject
dc: ca
EOF

Adding CA Database Entries

$ sed \
    -e 's/{rootSuffix}/dc=ca,dc=pki,dc=example,dc=com/g' \
    /usr/share/pki/ca/database/ds/create.ldif \
    | tee create.ldif
$ ldapadd \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -f create.ldif

Adding ACL Resources

$ sed \
    -e 's/{rootSuffix}/dc=ca,dc=pki,dc=example,dc=com/g' \
    /usr/share/pki/ca/database/ds/acl.ldif \
    | tee acl.ldif
$ ldapadd \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -f acl.ldif

Adding Search Indexes

Adding Search Indexes with PKI tools

$ pki-server ca-db-index-add

Availability: Since PKI 11.5

Adding Search Indexes with LDAP tools

$ sed \
    -e 's/{database}/userroot/g' \
    /usr/share/pki/ca/database/ds/index.ldif \
    | tee index.ldif
$ ldapadd \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -f index.ldif

Rebuilding Search Indexes

Rebuilding Search Indexes with PKI tools

$ pki-server ca-db-index-rebuild

Availability: Since PKI 11.5

Rebuilding Search Indexes with LDAP tools

Start the rebuild task with the following commands:

$ sed \
    -e 's/{database}/userroot/g' \
    /usr/share/pki/ca/database/ds/indextasks.ldif \
    | tee indextasks.ldif
$ ldapadd \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -f indextasks.ldif

Wait for the task to complete:

$ ldapsearch \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -b "cn=index1160589770, cn=index, cn=tasks, cn=config" \
    nsTaskExitCode

Verify that nsTaskExitCode is 0.

Adding CA VLV Indexes

Adding CA VLV Indexes with PKI tools

$ pki-server ca-db-vlv-add

Adding CA VLV Indexes with LDAP tools

$ sed \
    -e 's/{instanceId}/pki-tomcat/g' \
    -e 's/{database}/userroot/g' \
    -e 's/{rootSuffix}/dc=ca,dc=pki,dc=example,dc=com/g' \
    /usr/share/pki/ca/database/ds/vlv.ldif \
    | tee vlv.ldif
$ ldapadd \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -f vlv.ldif

Rebuilding CA VLV Indexes

Rebuilding CA VLV Indexes with PKI tools

$ pki-server ca-db-vlv-reindex

Rebuilding CA VLV Indexes with LDAP tools

Start the rebuild task with the following commands:

$ sed \
    -e 's/{database}/userroot/g' \
    -e 's/{instanceId}/pki-tomcat/g' \
    /usr/share/pki/ca/database/ds/vlvtasks.ldif \
    | tee vlvtasks.ldif
$ ldapadd \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -f vlvtasks.ldif

Wait for the task to complete:

$ ldapsearch \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -b "cn=index1160589769, cn=index, cn=tasks, cn=config" \
    nsTaskExitCode

Verify that nsTaskExitCode is 0.
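Both "Wait for the task to complete" steps above (the search index task and the VLV index task) boil down to polling the task entry under cn=tasks,cn=config until nsTaskExitCode appears and then checking that it is 0. The script below is an added example, not part of the Dogtag PKI wiki or the pki-server tool; it assumes the openldap ldapsearch client and reuses the page's bind DN and Secret.123 password as placeholders.

```bash
#!/bin/sh
# Added example (not from the Dogtag PKI wiki): poll a DS index task entry until
# it finishes and check nsTaskExitCode. Assumes ldapsearch from openldap-clients;
# the bind credentials are the placeholders used on the page.
HOSTNAME="${HOSTNAME:-localhost}"
BIND_DN="cn=Directory Manager"
BIND_PW="Secret.123"

# task_exit_code: read LDIF (ldapsearch output) on stdin and print the value of
# nsTaskExitCode; prints nothing while the task is still running.
task_exit_code() {
    sed -n 's/^nsTaskExitCode: *//p' | head -n 1
}

# task_status: map an exit-code string to a verdict: "running" when the value
# is empty (attribute not set yet), "ok" for 0, "failed" for anything else.
task_status() {
    case "$1" in
        "") echo running ;;
        0)  echo ok ;;
        *)  echo failed ;;
    esac
}

# wait_for_task DN [TIMEOUT_SECONDS]: poll the task entry every 5 seconds.
# Returns 0 when nsTaskExitCode is 0, 1 when it is non-zero, 2 on timeout.
# Usage: wait_for_task "cn=index1160589770,cn=index,cn=tasks,cn=config" 600
wait_for_task() {
    dn="$1"; timeout="${2:-300}"; elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        code=$(ldapsearch -LLL -H "ldap://$HOSTNAME" -D "$BIND_DN" -w "$BIND_PW" \
            -b "$dn" -s base nsTaskExitCode 2>/dev/null | task_exit_code)
        case "$(task_status "$code")" in
            ok)     echo "task $dn completed"; return 0 ;;
            failed) echo "task $dn failed with nsTaskExitCode $code" >&2; return 1 ;;
        esac
        sleep 5; elapsed=$((elapsed + 5))
    done
    echo "timed out after ${timeout}s waiting for $dn" >&2; return 2
}
```

Run it after the ldapadd that creates the task, passing the task DN from indextasks.ldif or vlvtasks.ldif; a non-zero return value means the index must not be trusted until the task is rerun.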
