Red Hat CERTIFICATE SYSTEM 8 Install Manual page 111


pkisilent ConfigureCA -cs_hostname localhost -cs_port 9445 -subsystem_name "pki-ca2" \
  -client_certdb_dir /tmp/ -client_certdb_pwd password -preop_pin sYY8er834FG9793fsef7et5 \
  -sd_hostname "domain.example.com" -sd_admin_port 9445 -sd_agent_port 9443 -sd_ssl_port 9444 \
  -sd_admin_name admin -sd_admin_password secret -admin_user admin -admin_email "admin@example.com" \
  -admin_password secret -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "cn=ca\ agent\ cert" \
  -ldap_host server -ldap_port 389 -bind_dn "cn=directory\ manager" -bind_password secret \
  -base_dn "o=pki-ca2" -db_name "server.example.com-pki-ca2" -key_size 2048 -key_type rsa \
  -save_p12 true -backup_pwd password -backup_fname /export/backup.p12 \
  -ca_hostname server.example.com -ca_port 9180 -ca_ssl_port 9443 \
  -ca_subsystem_cert_subject_name "cn=ca\ subsystem\ cert,o=testca\ domain" \
  -ca_ocsp_cert_subject_name "cn=ocsp\ signing\ cert,o=testca\ domain" \
  -ca_server_cert_subject_name "cn=ca\ client\ cert,o=testca\ domain" \
  -ca_sign_cert_subject_name "cn=ca\ signing\ cert,o=testca\ domain" \
  -ca_audit_signing_cert_subject_name "cn=audit\ signing\ cert,o=testca\ domain"
Example 7.3. Configuring a Subordinate CA
The RA, unlike the other subsystems, does not use an LDAP database, so it does not specify the
same database parameters as the other subsystems. In this example, the keys for the RA are
not automatically backed up and there is no audit log signing certificate, since the RA is the only
subsystem which does not support signed audit logs.
pkisilent ConfigureRA -cs_hostname localhost -cs_port 9445 -subsystem_name "pki-ra2" \
  -client_certdb_dir /tmp/ -client_certdb_pwd password -preop_pin sYY8er834FG9793fsef7et5 \
  -sd_hostname "domain.example.com" -sd_admin_port 9445 -sd_agent_port 9443 -sd_ssl_port 9444 \
  -sd_admin_name admin -sd_admin_password secret -admin_user admin -admin_email "admin@example.com" \
  -admin_password secret -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "cn=ra\ agent\ cert" \
  -ca_hostname server.example.com -ca_port 9180 -ca_ssl_port 9443 -key_size 2048 -key_type rsa \
  -ra_subsystem_cert_subject_name "cn=ra\ subsystem\ cert,o=testca\ domain" \
  -ra_server_cert_subject_name "cn=ra\ client\ cert,o=testca\ domain"
Example 7.4. Configuring an RA
A TPS requires the most parameters, since it depends on having a CA, DRM, and TKS configured and
uses two LDAP databases, along with joining an existing security domain. However, since the TPS
cannot be cloned, it is not required to back up its keys to a PKCS #12 file.
pkisilent ConfigureTPS -cs_hostname localhost -cs_port 9445 -subsystem_name "pki-tps2" \
  -client_certdb_dir /tmp/ -client_certdb_pwd password -preop_pin sYY8er834FG9793fsef7et5 \
  -sd_hostname "domain.example.com" -sd_admin_port 9445 -sd_agent_port 9443 -sd_ssl_port 9444 \
  -sd_admin_name admin -sd_admin_password secret -admin_user admin -admin_email "admin@example.com" \
  -admin_password secret -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "cn=tps\ agent\ cert" \
  -ldap_host server -ldap_port 389 -bind_dn "cn=directory\ manager" -bind_password secret \
  -base_dn "o=pki-tps2" -db_name "server.example.com-pki-tps2" \
  -ca_hostname server.example.com -ca_port 9180 -ca_ssl_port 9443 \
  -tks_hostname server.example.com -tks_ssl_port 13443 \
  -drm_hostname server.example.com -drm_ssl_port 10443 -key_size 2048 -key_type rsa \
  -tps_subsystem_cert_subject_name "cn=tps\ subsystem\ cert,o=testca\ domain" \
  -tps_server_cert_subject_name "cn=tps\ client\ cert,o=testca\ domain" \
  -tps_audit_signing_cert_subject_name "cn=audit\ signing\ cert,o=testca\ domain" \
  -ldap_auth_host auth.example.com -ldap_auth_port 389 -ldap_auth_base_dn "ou=tps,ou=People,dc=example,dc=com"
Example 7.5. Configuring a TPS
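The three examples above differ only in which option groups each subsystem takes (the RA has no LDAP options and no audit signing certificate; the TPS adds TKS, DRM and a second authentication directory). The following preflight check is an added illustration, not code from the guide or from Certificate System: it tokenises a pkisilent command line and reports options missing for the chosen operation, plus any tokens that are not '-name value' pairs, the kind of defect that appears when a leading '-' is lost while copying a long command from a document. The required sets are inferred from these three examples and are an assumption, not pkisilent's own parameter list.

```python
import shlex

# Option groups per pkisilent operation, inferred from the three examples on this page.
# Assumption: these are treated as the minimum set, not pkisilent's authoritative list.
COMMON = {"cs_hostname", "cs_port", "subsystem_name", "client_certdb_dir", "client_certdb_pwd",
          "preop_pin", "sd_hostname", "sd_admin_port", "sd_agent_port", "sd_ssl_port",
          "sd_admin_name", "sd_admin_password", "admin_user", "admin_email", "admin_password",
          "agent_key_size", "agent_key_type", "agent_cert_subject", "key_size", "key_type"}
LDAP = {"ldap_host", "ldap_port", "bind_dn", "bind_password", "base_dn", "db_name"}
CA_REF = {"ca_hostname", "ca_port", "ca_ssl_port"}
REQUIRED = {
    # the CA backs up its keys to PKCS #12 and signs its audit log
    "ConfigureCA": COMMON | LDAP | CA_REF | {
        "save_p12", "backup_pwd", "backup_fname", "ca_subsystem_cert_subject_name",
        "ca_ocsp_cert_subject_name", "ca_server_cert_subject_name",
        "ca_sign_cert_subject_name", "ca_audit_signing_cert_subject_name"},
    # the RA has no LDAP database and no audit signing certificate
    "ConfigureRA": COMMON | CA_REF | {"ra_subsystem_cert_subject_name",
                                      "ra_server_cert_subject_name"},
    # the TPS references a CA, TKS and DRM plus a second (authentication) directory
    "ConfigureTPS": COMMON | LDAP | CA_REF | {
        "tks_hostname", "tks_ssl_port", "drm_hostname", "drm_ssl_port",
        "tps_subsystem_cert_subject_name", "tps_server_cert_subject_name",
        "tps_audit_signing_cert_subject_name", "ldap_auth_host", "ldap_auth_port",
        "ldap_auth_base_dn"},
}

def parse_pkisilent(cmdline):
    """Return (operation, {option: value}, stray tokens) for a pkisilent command line.
    Options are '-name value' pairs; anything else is reported as stray, e.g. an option
    name whose leading '-' was lost when the command was copied from a document."""
    tokens = shlex.split(cmdline)
    if len(tokens) < 2 or tokens[0] != "pkisilent":
        raise ValueError("not a pkisilent command line")
    operation, options, stray, i = tokens[1], {}, [], 2
    while i < len(tokens):
        if tokens[i].startswith("-") and i + 1 < len(tokens):
            options[tokens[i][1:]] = tokens[i + 1]
            i += 2
        else:
            stray.append(tokens[i])
            i += 1
    return operation, options, stray

def check_pkisilent(cmdline):
    """Return the options missing for the operation and any stray tokens."""
    operation, options, stray = parse_pkisilent(cmdline)
    if operation not in REQUIRED:
        raise ValueError("unknown pkisilent operation: " + operation)
    return {"missing": sorted(REQUIRED[operation] - set(options)), "stray": stray}
```

Running it over a command before executing it costs nothing and avoids a half-configured subsystem; the secrets in the command line (admin, bind and backup passwords, the preop PIN) are still visible to the shell history and process list, so keep such scripts outside world-readable locations.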
Silently Configuring Subsystem
101

This manual is also suitable for:

System 8 - install guide 25-03-2010