Create Installing_OCSP_Clone_with_HSM.adoc
[skip ci] initial copy/convert from Installing_OCSP_Clone_with_HSM.md
150 changes: 150 additions & 0 deletions
docs/installation/ocsp/Installing_OCSP_Clone_with_HSM.adoc
@@ -0,0 +1,150 @@ | ||
// This content was initially copied/converted from Installing_OCSP_Clone_with_HSM.md | ||
|
||
= Installing OCSP Clone with HSM = | ||
|
||
== Overview == | ||
|
||
This page describes the process to install an OCSP subsystem as a clone of an existing OCSP subsystem | ||
where the system certificates and their keys are stored in HSM. | ||
|
||
Since the certificates and the keys are already in HSM, it's not necessary to export them into a | ||
PKCS #12 file to create a clone. | ||
|
||
== OCSP Subsystem Installation == | ||
|
||
Prepare a file (e.g. ocsp.cfg) that contains the deployment configuration, for example: | ||
|
||
``` | ||
[DEFAULT] | ||
pki_server_database_password=Secret.123 | ||
|
||
pki_hsm_enable=True | ||
pki_hsm_libfile=/usr/lib64/pkcs11/libsofthsm2.so | ||
pki_hsm_modulename=softhsm | ||
pki_token_name=HSM | ||
pki_token_password=Secret.HSM | ||
|
||
[OCSP] | ||
[email protected] | ||
pki_admin_name=ocspadmin | ||
pki_admin_nickname=ocspadmin | ||
pki_admin_password=Secret.123 | ||
pki_admin_uid=ocspadmin | ||
|
||
pki_client_pkcs12_password=Secret.123 | ||
|
||
pki_ds_base_dn=dc=ocsp,dc=pki,dc=example,dc=com | ||
pki_ds_database=ocsp | ||
pki_ds_password=Secret.123 | ||
|
||
pki_security_domain_name=EXAMPLE | ||
pki_security_domain_user=caadmin | ||
pki_security_domain_password=Secret.123 | ||
|
||
pki_ocsp_signing_nickname=ocsp_signing | ||
pki_audit_signing_nickname=ocsp_audit_signing | ||
pki_sslserver_nickname=sslserver/replica.example.com | ||
pki_subsystem_nickname=subsystem | ||
|
||
pki_clone=True | ||
pki_clone_replicate_schema=True | ||
pki_clone_uri=https://pki.example.com:8443 | ||
``` | ||
|
||
Then execute the following command: | ||
|
||
``` | ||
$ pkispawn -f ocsp.cfg -s OCSP | ||
``` | ||
|
||
It will install OCSP subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases: | ||
|
||
* server NSS database: /var/lib/pki/pki-tomcat/conf/alias | ||
* admin NSS database: ~/.dogtag/pki-tomcat/ocsp/alias | ||
|
||
== Verifying System Certificates == | ||
|
||
Verify that the internal token contains the following certificates: | ||
|
||
``` | ||
$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias | ||
|
||
Certificate Nickname Trust Attributes | ||
SSL,S/MIME,JAR/XPI | ||
|
||
ca_signing CT,C,C | ||
ocsp_audit_signing ,,P | ||
``` | ||
|
||
Verify that the HSM contains the following certificates: | ||
|
||
``` | ||
$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias -h HSM -f HSM.pwd | ||
|
||
Certificate Nickname Trust Attributes | ||
SSL,S/MIME,JAR/XPI | ||
|
||
HSM:ocsp_signing u,u,u | ||
HSM:subsystem u,u,u | ||
HSM:ocsp_audit_signing u,u,Pu | ||
HSM:sslserver/replica.example.com u,u,u | ||
``` | ||
|
||
== Verifying Admin Certificate == | ||
|
||
Prepare a client NSS database (e.g. ~/.dogtag/nssdb): | ||
|
||
``` | ||
$ pki -c Secret.123 client-init | ||
``` | ||
|
||
Import the CA signing certificate: | ||
|
||
``` | ||
$ pki -c Secret.123 client-cert-import ca_signing --ca-cert ca_signing.crt | ||
``` | ||
|
||
Import admin key and certificate: | ||
|
||
``` | ||
$ pki -c Secret.123 pkcs12-import \ | ||
--pkcs12 ca_admin_cert.p12 \ | ||
--pkcs12-password Secret.123 | ||
``` | ||
|
||
Verify that the admin certificate can be used to access the OCSP subsystem by executing the following command: | ||
|
||
``` | ||
$ pki -c Secret.123 -n caadmin ocsp-user-show ocspadmin | ||
---------------- | ||
User "ocspadmin" | ||
---------------- | ||
User ID: ocspadmin | ||
Full name: ocspadmin | ||
Email: [email protected] | ||
Type: adminType | ||
State: 1 | ||
``` | ||
|
||
== Verifying OCSP Client == | ||
|
||
Publish the CRL in CA to the directory server as follows: | ||
|
||
* Go to CA Agent UI (https://pki.example.com:8443/ca/agent/ca/). | ||
* Click **Update Directory Server**. | ||
* Select **Update the certificate revocation list to the directory**. | ||
* Click **Update Directory**. | ||
|
||
Verify that the OCSPClient can be used to validate a certificate: | ||
|
||
``` | ||
$ OCSPClient \ | ||
-d /var/lib/pki/pki-tomcat/conf/alias \ | ||
-h pki.example.com \ | ||
-p 8080 \ | ||
-t /ocsp/ee/ocsp \ | ||
-c ca_signing \ | ||
--serial 1 | ||
CertID.serialNumber=1 | ||
CertStatus=Good | ||
``` |
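Review bot: the OCSPClient check at the end of this hunk runs against `-h pki.example.com`, which is the master named in `pki_clone_uri`, so it exercises the existing responder rather than the clone this page installs; point it at the clone host (the one in `pki_sslserver_nickname=sslserver/replica.example.com`) so that `CertStatus=Good` actually shows the new instance is serving the replicated CRL data. Two files are also used without being introduced: `HSM.pwd` in `certutil -L ... -h HSM -f HSM.pwd` and `ca_signing.crt` in `pki ... client-cert-import ca_signing --ca-cert ca_signing.crt`; add a sentence saying what each is (presumably a file holding the token password from `pki_token_password`, and the CA signing certificate exported from the master), otherwise the verification steps cannot be followed as written. Finally, the overview's claim that no PKCS #12 export is needed rests on an unstated precondition: the clone host must already have access to the same token (`pki_token_name=HSM`) that holds the master's `ocsp_signing`, `subsystem` and `ocsp_audit_signing` keys before `pkispawn -f ocsp.cfg -s OCSP` runs, so state that up front and note that `libsofthsm2.so` in the example is a software token standing in for a real HSM.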