Create Installing_OCSP_Clone_with_HSM.adoc
[skip ci]
initial copy/convert from Installing_OCSP_Clone_with_HSM.md
ladycfu authored Dec 23, 2024
1 parent 405b87d commit 6884e60
Showing 1 changed file with 150 additions and 0 deletions.
150 changes: 150 additions & 0 deletions docs/installation/ocsp/Installing_OCSP_Clone_with_HSM.adoc
@@ -0,0 +1,150 @@
// This content was initially copied/converted from Installing_OCSP_Clone_with_HSM.md

= Installing OCSP Clone with HSM =

== Overview ==

This page describes the process to install an OCSP subsystem as a clone of an existing OCSP subsystem
where the system certificates and their keys are stored in HSM.

Since the certificates and the keys are already in HSM, it's not necessary to export them into a
PKCS #12 file to create a clone.

== OCSP Subsystem Installation ==

Prepare a file (e.g. ocsp.cfg) that contains the deployment configuration, for example:

```
[DEFAULT]
pki_server_database_password=Secret.123

pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/pkcs11/libsofthsm2.so
pki_hsm_modulename=softhsm
pki_token_name=HSM
pki_token_password=Secret.HSM

[OCSP]
[email protected]
pki_admin_name=ocspadmin
pki_admin_nickname=ocspadmin
pki_admin_password=Secret.123
pki_admin_uid=ocspadmin

pki_client_pkcs12_password=Secret.123

pki_ds_base_dn=dc=ocsp,dc=pki,dc=example,dc=com
pki_ds_database=ocsp
pki_ds_password=Secret.123

pki_security_domain_name=EXAMPLE
pki_security_domain_user=caadmin
pki_security_domain_password=Secret.123

pki_ocsp_signing_nickname=ocsp_signing
pki_audit_signing_nickname=ocsp_audit_signing
pki_sslserver_nickname=sslserver/replica.example.com
pki_subsystem_nickname=subsystem

pki_clone=True
pki_clone_replicate_schema=True
pki_clone_uri=https://pki.example.com:8443
```

Then execute the following command:

```
$ pkispawn -f ocsp.cfg -s OCSP
```

It will install OCSP subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases:

* server NSS database: /var/lib/pki/pki-tomcat/conf/alias
* admin NSS database: ~/.dogtag/pki-tomcat/ocsp/alias

== Verifying System Certificates ==

Verify that the internal token contains the following certificates:

```
$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias

Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI

ca_signing CT,C,C
ocsp_audit_signing ,,P
```

Verify that the HSM contains the following certificates:

```
$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias -h HSM -f HSM.pwd

Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI

HSM:ocsp_signing u,u,u
HSM:subsystem u,u,u
HSM:ocsp_audit_signing u,u,Pu
HSM:sslserver/replica.example.com u,u,u
```

== Verifying Admin Certificate ==

Prepare a client NSS database (e.g. ~/.dogtag/nssdb):

```
$ pki -c Secret.123 client-init
```

Import the CA signing certificate:

```
$ pki -c Secret.123 client-cert-import ca_signing --ca-cert ca_signing.crt
```

Import admin key and certificate:

```
$ pki -c Secret.123 pkcs12-import \
--pkcs12 ca_admin_cert.p12 \
--pkcs12-password Secret.123
```

Verify that the admin certificate can be used to access the OCSP subsystem by executing the following command:

```
$ pki -c Secret.123 -n caadmin ocsp-user-show ocspadmin
----------------
User "ocspadmin"
----------------
User ID: ocspadmin
Full name: ocspadmin
Email: [email protected]
Type: adminType
State: 1
```

== Verifying OCSP Client ==

Publish the CRL in CA to the directory server as follows:

* Go to CA Agent UI (https://pki.example.com:8443/ca/agent/ca/).
* Click **Update Directory Server**.
* Select **Update the certificate revocation list to the directory**.
* Click **Update Directory**.

Verify that the OCSPClient can be used to validate a certificate:

```
$ OCSPClient \
-d /var/lib/pki/pki-tomcat/conf/alias \
-h pki.example.com \
-p 8080 \
-t /ocsp/ee/ocsp \
-c ca_signing \
--serial 1
CertID.serialNumber=1
CertStatus=Good
```
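Review bot: the OCSPClient check in the "Verifying OCSP Client" section sends the request to `-h pki.example.com`, which per `pki_clone_uri=https://pki.example.com:8443` is the master, so a `CertStatus=Good` answer there does not show that the clone is serving responses; point the check at the clone host named in `pki_sslserver_nickname=sslserver/replica.example.com`, e.g. `-h replica.example.com -p 8080`. Two smaller documentation gaps in the same file: the Overview's claim that no PKCS #12 export is needed only holds when the clone host can reach the same HSM token (`pki_token_name=HSM`) that already holds the master's `ocsp_signing`, `subsystem` and `ocsp_audit_signing` keys, so state that precondition (or how the keys get into the clone's HSM) before the pkispawn step; and the "Verifying Admin Certificate" section uses `-n caadmin` and `ca_admin_cert.p12` while the config creates `ocspadmin`, which is correct for a clone (no new admin is created) but deserves one sentence saying so, otherwise readers will look for an `ocsp_admin_cert.p12` that does not exist.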
