From dd6ca1a0443d1e1fd5e881d31034da19150bda4a Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Mon, 23 Dec 2024 10:29:46 -0800 Subject: [PATCH] Create Installing_OCSP.adoc copied/converted from Installing_OCSP.md --- docs/installation/ocsp/Installing_OCSP.adoc | 106 ++++++++++++++++++++ 1 file changed, 106 insertions(+) create mode 100644 docs/installation/ocsp/Installing_OCSP.adoc diff --git a/docs/installation/ocsp/Installing_OCSP.adoc b/docs/installation/ocsp/Installing_OCSP.adoc new file mode 100644 index 00000000000..96684c76274 --- /dev/null +++ b/docs/installation/ocsp/Installing_OCSP.adoc @@ -0,0 +1,106 @@ +// This page was initially copied/converted from Installing_OCSP.md + += Installing OCSP = + +== Overview == + +This page describes the process to install an OCSP subsystem. + +== OCSP Subsystem Installation == + +Prepare a file (e.g. ocsp.cfg) that contains the deployment configuration. +A sample deployment configuration is available at link:../../../base/server/examples/installation/ocsp.cfg[/usr/share/pki/server/examples/installation/ocsp.cfg]. + +Then execute the following command: + +``` +$ pkispawn -f ocsp.cfg -s OCSP +``` + +It will install OCSP subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases: + +* server NSS database: /var/lib/pki/pki-tomcat/conf/alias +* admin NSS database: ~/.dogtag/pki-tomcat/ocsp/alias + +**Note**: When OCSP is installed on a new system without any other subsystems, +it is necessary to provide the CA's root certificate. Specify the path to +the CA PKCS#7 PEM file in the `pki_cert_chain_path`. This will allow the server +to verify the CA's SSL server certificate when contacting the security domain. +It is up to the administrator to securely transport the CA root certificate +(public key only!) to the system prior to OCSP installation. + +== Verifying System Certificates == + +Verify that the server NSS database contains the following certificates: + +``` +$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias + +Certificate Nickname Trust Attributes + SSL,S/MIME,JAR/XPI + +ca_signing CT,C,C +ocsp_signing u,u,u +subsystem u,u,u +ocsp_audit_signing u,u,Pu +sslserver u,u,u +``` + +== Verifying Admin Certificate == + +Prepare a client NSS database (e.g. ~/.dogtag/nssdb): + +``` +$ pki -c Secret.123 client-init +``` + +Import the CA signing certificate: + +``` +$ pki -c Secret.123 client-cert-import ca_signing --ca-cert ca_signing.crt +``` + +Import admin key and certificate: + +``` +$ pki -c Secret.123 pkcs12-import \ + --pkcs12 ca_admin_cert.p12 \ + --pkcs12-password Secret.123 +``` + +Verify that the admin certificate can be used to access the OCSP subsystem by executing the following command: + +``` +$ pki -c Secret.123 -n caadmin ocsp-user-show ocspadmin +---------------- +User "ocspadmin" +---------------- + User ID: ocspadmin + Full name: ocspadmin + Email: ocspadmin@example.com + Type: adminType + State: 1 +``` + +== Verifying OCSP Client == + +Publish the CRL in CA to the directory server as follows: + +* Go to CA Agent UI (https://pki.example.com:8443/ca/agent/ca/). +* Click **Update Directory Server**. +* Select **Update the certificate revocation list to the directory**. +* Click **Update Directory**. + +Verify that the OCSPClient can be used to validate a certificate: + +``` +$ OCSPClient \ + -d /var/lib/pki/pki-tomcat/conf/alias \ + -h pki.example.com \ + -p 8080 \ + -t /ocsp/ee/ocsp \ + -c ca_signing \ + --serial 1 +CertID.serialNumber=1 +CertStatus=Good +```