Red Hat CERTIFICATE SYSTEM 8 Install Manual page 110

Chapter 7. Silent Configuration
TIP
It is recommended that every CA have its own security domain, because each system
within the security domain depends on having the security domain running and
accessible. However, subordinate CAs can only be configured within the root CA's
security domain using the pkisilent script.
• Different numbers and types of SSL ports. The CA, DRM, OCSP, and TKS each have three SSL
ports (admin, agents, and users), while the RA and TPS both have two SSL ports (client and non-
client).
• Different numbers and types of certificates.
• Different required subsystems. Every subsystem must, at a minimum, specify which CA will sign and
issue its certificates, while a CA has the option of self-signing its certificates. The TPS also relies on
a TKS and optional DRM, which can also be specified at configuration.
• Different database configuration. The RA uses a SQLite database as its internal database, while all
other subsystems use an LDAP directory. The TPS uses two separate LDAP directories, one as its
internal database and the other as an authentication directory to help manage its users.
Despite these differences, the usage of pkisilent is broadly similar between the subsystems. They use the
same options to identify the instance to configure, back up their keys, and configure their users, and
even though the parameters differ slightly in name, the configuration concepts (such as cloning or
generating certificates) are the same.
NOTE
Any spaces in the arguments used with pkisilent must be escaped.
Example 7.2, "Configuring a Root CA" configures a CA, creates a new security domain, backs up its
keys, and self-signs its certificates.

pkisilent ConfigureCA -cs_hostname localhost -cs_port 9445 -subsystem_name "pki-ca2" \
  -client_certdb_dir /tmp/ -client_certdb_pwd password -preop_pin sYY8er834FG9793fsef7et5 \
  -domain_name "testca" -admin_user admin -admin_email "admin@example.com" -admin_password secret \
  -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "cn=ca\ agent\ cert" \
  -ldap_host server -ldap_port 389 -bind_dn "cn=directory\ manager" -bind_password secret \
  -base_dn "o=pki-ca2" -db_name "server.example.com-pki-ca2" -key_size 2048 -key_type rsa \
  -key_algorithm SHA256withRSA -save_p12 true -backup_pwd password -backup_fname /export/backup.p12 \
  -ca_subsystem_cert_subject_name "cn=ca\ subsystem\ cert,o=testca\ domain" \
  -ca_ocsp_cert_subject_name "cn=ocsp\ signing\ cert,o=testca\ domain" \
  -ca_server_cert_subject_name "cn=ca\ client\ cert,o=testca\ domain" \
  -ca_sign_cert_subject_name "cn=ca\ signing\ cert,o=testca\ domain" \
  -ca_audit_signing_cert_subject_name "cn=audit\ signing\ cert,o=testca\ domain"

Example 7.2. Configuring a Root CA

A subordinate CA — along with the DRM, OCSP, and TKS — is configured to join an existing security
domain and to have its certificates signed by an existing Certificate System CA (by default; it is also
possible to use an external CA, as in Section 7.4, "Performing Silent Configuration Using an External
CA").
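The following script is an added example and is not part of the Red Hat Certificate System manual. It wraps the root CA invocation from Example 7.2 in a POSIX shell function: it applies the backslash escaping that the NOTE above requires to every argument containing spaces, and it reads the passwords and the preop PIN from owner-only files instead of hard-coding them in the script, so they stay out of shell history and source control. The parameter names are the ones the manual uses; the hostnames, DNs, file paths, the secrets directory layout and the DRY_RUN variable are assumptions for illustration. Because pkisilent takes the passwords as command-line arguments, they are still visible in the process list while the command runs; the script does not change that.

```shell
#!/bin/sh
# Added example, not the manual's own script. Wraps "pkisilent ConfigureCA" for
# a root CA using the parameter names from Example 7.2. Hostnames, DNs, paths
# and the secrets-file layout are assumptions.

set -u

# escape_spaces VALUE: backslash-escape every space, as pkisilent requires for
# any argument that contains spaces (for example a certificate subject DN).
escape_spaces() {
    printf '%s' "$1" | sed 's/ /\\ /g'
}

# subject_dn CN DOMAIN: build "cn=<CN>,o=<DOMAIN> domain" with spaces escaped,
# mirroring the "o=testca\ domain" form used in the manual's example.
subject_dn() {
    escape_spaces "cn=$1,o=$2 domain"
}

# read_secret FILE: print the first line of a secrets file, refusing files that
# are readable by anyone other than the owner (mode 0600 or 0400 only).
read_secret() {
    f=$1
    [ -f "$f" ] || { echo "secret file not found: $f" >&2; return 1; }
    perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case $perms in
        600|400) ;;
        *) echo "refusing $f: mode $perms, expected 0600 or 0400" >&2; return 1 ;;
    esac
    head -n 1 "$f"
}

# configure_root_ca DOMAIN INSTANCE SECRET_DIR: assemble the command line and
# run it. With DRY_RUN=1 the arguments are printed one per line instead, so the
# command can be reviewed first (the output contains the secrets; keep it private).
# SECRET_DIR is expected to hold the files admin, bind, backup, preop_pin and
# client_certdb (assumed layout).
configure_root_ca() {
    domain=$1; instance=$2; secret_dir=$3
    admin_pw=$(read_secret "$secret_dir/admin") || return 1
    bind_pw=$(read_secret "$secret_dir/bind") || return 1
    backup_pw=$(read_secret "$secret_dir/backup") || return 1
    preop_pin=$(read_secret "$secret_dir/preop_pin") || return 1
    client_pw=$(read_secret "$secret_dir/client_certdb") || return 1

    # Positional parameters inside a function are local, so "set --" only
    # builds this command's argument list.
    set -- pkisilent ConfigureCA \
        -cs_hostname localhost -cs_port 9445 \
        -subsystem_name "$instance" \
        -client_certdb_dir /tmp/ -client_certdb_pwd "$client_pw" \
        -preop_pin "$preop_pin" \
        -domain_name "$domain" \
        -admin_user admin -admin_email "admin@example.com" -admin_password "$admin_pw" \
        -agent_key_size 2048 -agent_key_type rsa \
        -agent_cert_subject "$(escape_spaces 'cn=ca agent cert')" \
        -ldap_host server -ldap_port 389 \
        -bind_dn "$(escape_spaces 'cn=directory manager')" -bind_password "$bind_pw" \
        -base_dn "o=$instance" -db_name "server.example.com-$instance" \
        -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA \
        -save_p12 true -backup_pwd "$backup_pw" -backup_fname /export/backup.p12 \
        -ca_subsystem_cert_subject_name "$(subject_dn 'ca subsystem cert' "$domain")" \
        -ca_ocsp_cert_subject_name "$(subject_dn 'ocsp signing cert' "$domain")" \
        -ca_server_cert_subject_name "$(subject_dn 'ca client cert' "$domain")" \
        -ca_sign_cert_subject_name "$(subject_dn 'ca signing cert' "$domain")" \
        -ca_audit_signing_cert_subject_name "$(subject_dn 'audit signing cert' "$domain")"

    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
    else
        "$@"
    fi
}
```

Typical use is `DRY_RUN=1; configure_root_ca testca pki-ca2 /root/pki-secrets` to review the assembled arguments, then the same call without DRY_RUN to run pkisilent. Setting DRY_RUN as a plain variable rather than a one-shot `VAR=cmd` prefix keeps the behaviour identical across sh implementations, since a prefix assignment on a shell function call is not handled the same way everywhere.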