4.2. Manually Adding a New Port to the RA
An SSL port must be added to the RA's nss.conf file to allow client authentication. This is
described in Bug 229246 [8].
The default RA server has an optional port for performing SSL client authentication. It is expected that
the agent and administration users will select the appropriate certificate to perform SSL authentication
when asked, while users will just cancel out of the certificate selection process, if asked. The problem
with this approach is that if a user cancels out of the certificate selection process, and chooses to
renew a certificate (Bug 233274 [9]), then the certificate selection process is automatically skipped, thus
causing an error during certificate renewal.

This forces a user who wishes to renew a certificate to select the certificate to be renewed the first
time they are asked to authenticate. This is awkward. To avoid this, provide a second port to handle
only end-entity operations.

1. Open the configuration directory:

   cd /var/lib/rhpki-ra/conf

2. Edit the nss.conf file:

   a. At the top, add another Listen line with a different port. For example:

      Listen 0.0.0.0:12889

   b. Search for an existing <VirtualHost ...> </VirtualHost> container, copy the entire
      container and paste it at the end. Change the new container's port number to the new port.
      For example:

      <VirtualHost _default_:12891>

   c. Go to the original <VirtualHost ...> entry, and change the value of NSSVerifyClient
      from optional to require.

   d. Go to the new <VirtualHost ...> entry, and change the value of NSSVerifyClient
      from optional to none.

   e. Save and exit.

3. Edit the CS.cfg file:

   a. Search for service.securePort and add the following line below it:

      service.secureEePort=12891

   b. Save and exit.

4. Open the document root directory:

[8] https://bugzilla.redhat.com/show_bug.cgi?id=229246
[9] https://bugzilla.redhat.com/show_bug.cgi?id=233274
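
A consistency check for the nss.conf and CS.cfg edits in steps 2 and 3, as an added example that is not part of the release notes or of Certificate System. It assumes that service.securePort names the original (client-authenticated) port and that each VirtualHost port needs its own Listen line; the sample files are constructed, and 12890 is a made-up stand-in for the original port.

```python
import re

# Constructed sample files (not from a real RA instance). 12891 is the page's
# end-entity port; 12890 is a made-up original port. NSS_BAD still has
# "optional" on the original port and no Listen line for the new one.
NSS_BAD = """\
Listen 0.0.0.0:12890
Listen 0.0.0.0:12889
<VirtualHost _default_:12890>
NSSVerifyClient optional
</VirtualHost>
<VirtualHost _default_:12891>
NSSVerifyClient none
</VirtualHost>
"""
NSS_GOOD = NSS_BAD.replace(":12889", ":12891").replace("optional", "require")
CS_CFG = "service.securePort=12890\nservice.secureEePort=12891\n"

def parse_nss(text):
    """Return (set of Listen ports, {VirtualHost port: NSSVerifyClient value})."""
    listen = {int(p) for p in
              re.findall(r"^[ \t]*Listen[ \t]+(?:\S+:)?(\d+)[ \t]*$", text, re.M)}
    vhosts = {}
    for m in re.finditer(r"<VirtualHost\s+\S*?:(\d+)>(.*?)</VirtualHost>", text, re.S):
        v = re.search(r"^[ \t]*NSSVerifyClient[ \t]+(\w+)", m.group(2), re.M)
        vhosts[int(m.group(1))] = v.group(1).lower() if v else "(unset)"
    return listen, vhosts

def check(nss_text, cs_text):
    """Return a list of findings; an empty list means the two files agree."""
    listen, vhosts = parse_nss(nss_text)
    cfg = dict(l.strip().split("=", 1) for l in cs_text.splitlines()
               if "=" in l and not l.lstrip().startswith("#"))
    try:
        agent, ee = int(cfg["service.securePort"]), int(cfg["service.secureEePort"])
    except (KeyError, ValueError):
        return ["CS.cfg: service.securePort/service.secureEePort missing or not numeric"]
    findings = []
    if agent == ee:
        findings.append("CS.cfg: service.secureEePort must differ from service.securePort")
    # Original port must demand a client certificate; the end-entity port must not ask.
    for port, want in ((agent, "require"), (ee, "none")):
        if port not in listen:
            findings.append(f"nss.conf: no Listen line for port {port}")
        if port not in vhosts:
            findings.append(f"nss.conf: no <VirtualHost> for port {port}")
        elif vhosts[port] != want:
            findings.append(f"nss.conf: port {port} has NSSVerifyClient "
                            f"{vhosts[port]}, expected {want}")
    return findings

if __name__ == "__main__":
    for name, conf in (("bad", NSS_BAD), ("good", NSS_GOOD)):
        print(name, check(conf, CS_CFG) or "OK")
```

To use it on a real instance, pass the contents of nss.conf and CS.cfg to check() in place of the constructed samples.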