-
Notifications
You must be signed in to change notification settings - Fork 139
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
copied/converted from Installing_OCSP.md
- Loading branch information
Showing
1 changed file
with
106 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,106 @@ | ||
// This page was initially copied/converted from Installing_OCSP.md | ||
|
||
= Installing OCSP = | ||
|
||
== Overview == | ||
|
||
This page describes the process to install an OCSP subsystem. | ||
|
||
== OCSP Subsystem Installation == | ||
|
||
Prepare a file (e.g. ocsp.cfg) that contains the deployment configuration. | ||
A sample deployment configuration is available at link:../../../base/server/examples/installation/ocsp.cfg[/usr/share/pki/server/examples/installation/ocsp.cfg]. | ||
|
||
Then execute the following command: | ||
|
||
``` | ||
$ pkispawn -f ocsp.cfg -s OCSP | ||
``` | ||
|
||
It will install OCSP subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases: | ||
|
||
* server NSS database: /var/lib/pki/pki-tomcat/conf/alias | ||
* admin NSS database: ~/.dogtag/pki-tomcat/ocsp/alias | ||
|
||
**Note**: When OCSP is installed on a new system without any other subsystems, | ||
it is necessary to provide the CA's root certificate. Specify the path to | ||
the CA PKCS#7 PEM file in the `pki_cert_chain_path`. This will allow the server | ||
to verify the CA's SSL server certificate when contacting the security domain. | ||
It is up to the administrator to securely transport the CA root certificate | ||
(public key only!) to the system prior to OCSP installation. | ||
|
||
== Verifying System Certificates == | ||
|
||
Verify that the server NSS database contains the following certificates: | ||
|
||
``` | ||
$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias | ||
|
||
Certificate Nickname Trust Attributes | ||
SSL,S/MIME,JAR/XPI | ||
|
||
ca_signing CT,C,C | ||
ocsp_signing u,u,u | ||
subsystem u,u,u | ||
ocsp_audit_signing u,u,Pu | ||
sslserver u,u,u | ||
``` | ||
|
||
== Verifying Admin Certificate == | ||
|
||
Prepare a client NSS database (e.g. ~/.dogtag/nssdb): | ||
|
||
``` | ||
$ pki -c Secret.123 client-init | ||
``` | ||
|
||
Import the CA signing certificate: | ||
|
||
``` | ||
$ pki -c Secret.123 client-cert-import ca_signing --ca-cert ca_signing.crt | ||
``` | ||
|
||
Import admin key and certificate: | ||
|
||
``` | ||
$ pki -c Secret.123 pkcs12-import \ | ||
--pkcs12 ca_admin_cert.p12 \ | ||
--pkcs12-password Secret.123 | ||
``` | ||
|
||
Verify that the admin certificate can be used to access the OCSP subsystem by executing the following command: | ||
|
||
``` | ||
$ pki -c Secret.123 -n caadmin ocsp-user-show ocspadmin | ||
---------------- | ||
User "ocspadmin" | ||
---------------- | ||
User ID: ocspadmin | ||
Full name: ocspadmin | ||
Email: [email protected] | ||
Type: adminType | ||
State: 1 | ||
``` | ||
|
||
== Verifying OCSP Client == | ||
|
||
Publish the CRL in CA to the directory server as follows: | ||
|
||
* Go to CA Agent UI (https://pki.example.com:8443/ca/agent/ca/). | ||
* Click **Update Directory Server**. | ||
* Select **Update the certificate revocation list to the directory**. | ||
* Click **Update Directory**. | ||
|
||
Verify that the OCSPClient can be used to validate a certificate: | ||
|
||
``` | ||
$ OCSPClient \ | ||
-d /var/lib/pki/pki-tomcat/conf/alias \ | ||
-h pki.example.com \ | ||
-p 8080 \ | ||
-t /ocsp/ee/ocsp \ | ||
-c ca_signing \ | ||
--serial 1 | ||
CertID.serialNumber=1 | ||
CertStatus=Good | ||
``` |