Red Hat CERTIFICATE SYSTEM 8 - COMMAND-LINE Manual page 21

Command-line tools guide
• The same LDAP base DN and database name, set in the -ldap_* parameters (either the hostname or the port must be different, since the clone requires its own Directory Server instance)
This clones an existing CA:
pkisilent ConfigureCA -cs_hostname localhost -cs_port 9445 -subsystem_name "clone-ca2" \
    -client_certdb_dir /tmp/ -client_certdb_pwd password -preop_pin sYY8er834FG9793fsef7et5 \
    -sd_hostname "domain.example.com" -sd_admin_port 9445 -sd_agent_port 9443 -sd_ssl_port 9444 \
    -sd_admin_name admin -sd_admin_password secret \
    -admin_user admin -admin_email "admin@example.com" -admin_password secret \
    -clone true -clone_p12_file /export/backup.p12 -clone_p12_password secret \
    -master_instance_name pki-ca -ca_hostname server.example.com -ca_non_ssl_port 9180 -ca_ssl_port 9443 \
    -ca_subsystem_cert_subject_name "cn=ca\ subsystem\ cert,o=testca\ domain" \
    -ca_ocsp_cert_subject_name "cn=ocsp\ signing\ cert,o=testca\ domain" \
    -ca_server_cert_subject_name "cn=ca\ client\ cert,o=testca\ domain" \
    -ca_sign_cert_subject_name "cn=ca\ signing\ cert,o=testca\ domain" \
    -ca_audit_signing_cert_subject_name "cn=audit\ signing\ cert,o=testca\ domain"
1.2.2.4. Submitting Requests to an External CA
A CA outside the security domain can be used to issue a subsystem's certificates, and pkisilent can both generate the requests for such an external CA and install the certificates it issues.
By default, pkisilent assumes that the certificates are requested from a CA within the security domain, identified by -ca_hostname and the other -ca_* options. This corresponds to the -external option being false.
To submit the subsystem certificate requests to an external CA instead, explicitly set the -external option to true. The generated certificate requests are exported to a file, which can then be submitted to the external CA. Once the certificates are issued, the files containing the subsystem certificates and the certificate chain of the issuing external CA are passed to pkisilent. This is set in four parameters:
Submitting certificates to an external CA is a three-step process, two of them involving pkisilent:
1. In the first step, much of the preliminary configuration of the instance is performed. Along with this configuration, its certificate requests are generated and written to the file specified in -ext_csr_file. These certificate requests must then be submitted to the external CA.
2. The certificate requests are submitted to the external CA, and the issued certificates are retrieved and saved to a file.
3. The newly issued subsystem certificates are installed in the instance by referencing the saved certificate file in the -ext_cert_file parameter. This is also when the final configuration (creating the administrator user) is performed.
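Between step 2 and step 3 it is worth confirming that what the external CA returned actually belongs to the request from -ext_csr_file and chains to the external CA before it is handed to -ext_cert_file. The following pre-flight check is an added example, not part of the Red Hat manual; it assumes openssl is on PATH, and every file name in it is hypothetical.

```shell
#!/bin/sh
# Added pre-flight check for step 3 (not from the Red Hat manual).
# Confirms that an externally issued certificate was issued for the key in the
# CSR that pkisilent wrote (-ext_csr_file) and that it verifies against the
# external CA's chain file, before it is passed via -ext_cert_file.
# Assumes openssl on PATH; all file names are hypothetical.

# Returns 0 if the public key in CSR $1 equals the public key in certificate $2.
csr_matches_cert() {
  csr_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
  cert_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$csr_key" ] && [ "$csr_key" = "$cert_key" ]
}

# Returns 0 if certificate $1 verifies against the CA chain file $2.
cert_chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Combined check: CSR $1, issued certificate $2, external CA chain file $3.
preflight_ext_cert() {
  csr_matches_cert "$1" "$2" && cert_chains_to "$2" "$3"
}

# Constructed fixtures standing in for the external CA and the subsystem CSR:
# prints a temporary directory holding extca.pem/extca.key and sub.csr/sub.pem.
make_fixtures() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=external ca/CN=external root" \
    -keyout "$d/extca.key" -out "$d/extca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/O=testca domain/CN=ca subsystem cert" \
    -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/sub.csr" -CA "$d/extca.pem" -CAkey "$d/extca.key" \
    -CAcreateserial -out "$d/sub.pem" 2>/dev/null
  echo "$d"
}
```

With real files, call preflight_ext_cert on the CSR from -ext_csr_file, the certificate returned by the external CA, and that CA's chain file, and only proceed to the step 3 pkisilent run when it returns 0.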
...step 1...
pkisilent ConfigureCA -cs_hostname localhost -cs_port 9445 -subsystem_name "pki-ca2" \
    -client_certdb_dir /tmp/ -client_certdb_pwd password -preop_pin sYY8er834FG9793fsef7et5 \
    -domain_name "testca" -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "cn=ca\ agent\ cert" \
    -ldap_host server -ldap_port 389 -bind_dn "cn=directory\ manager" -bind_password password \
    -base_dn "o=pki-ca2" -db_name "server.example.com-pki-ca2" \
    -key_size 2048 -key_type rsa -save_p12 true -backup_pwd password -backup_fname /export/backup.p12 \
    -ca_subsystem_cert_subject_name "cn=ca\ subsystem\ cert,o=testca\ domain" \
    -ca_ocsp_cert_subject_name "cn=ocsp\ signing\ cert,o=testca\ domain" \
    -ca_server_cert_subject_name "cn=ca\ client\ cert,o=testca\ domain" \
    -ca_sign_cert_subject_name