Cloning A Subsystem Silently; Performing Silent Configuration Using An External Ca - Red Hat CERTIFICATE SYSTEM 8 Install Manual


Chapter 7. Silent Configuration

7.3. Cloning a Subsystem Silently

IMPORTANT
Only CA instances can be cloned using pkisilent. The other subsystem clones must be configured using the HTML-based configuration wizard.

When creating a new subsystem, there are options to set the type of keys to generate and to back up the keys to a PKCS #12 file. For cloning a subsystem, there are no key generation options. Instead, the parameters contain information pointing to the PKCS #12 file for the master subsystem and the URL for the subsystem to clone:
• -clone true (which marks the new instance as a clone)
• -clone_p12_file and -clone_p12_password, which give the location of the PKCS #12 key file and the password to access it

Additionally, a clone must have some configuration in common with its master:
• The same security domain, set in the -sd_* parameters
• The same LDAP base DN and database name, set in the -ldap_* parameters (either the hostname or the port must be different, since the clone requires a separate Directory Server instance)
• The same issuing CA for its certificates, set in the -ca_* parameters (or possibly self-signed, for a CA)

Aside from the differences in creating the subsystem certificates, the configuration for the clone (joining the security domain, creating the admin user, setting up the internal LDAP directories) is the same as with any other subsystem configuration.
For example:

pkisilent ConfigureCA -cs_hostname localhost -cs_port 9445 -subsystem_name "clone-ca2" \
  -client_certdb_dir /tmp/ -client_certdb_pwd password -preop_pin sYY8er834FG9793fsef7et5 \
  -sd_hostname "domain.example.com" -sd_admin_port 9445 -sd_agent_port 9443 -sd_ssl_port 9444 \
  -sd_admin_name admin -sd_admin_password secret \
  -admin_user admin -admin_email "admin@example.com" -admin_password secret \
  -clone true -clone_p12_file /export/backup.p12 -clone_p12_password secret \
  -master_instance_name pki-ca \
  -ca_hostname server.example.com -ca_non_ssl_port 9180 -ca_ssl_port 9443 \
  -ca_subsystem_cert_subject_name "cn=ca\ subsystem\ cert,o=testca\ domain" \
  -ca_ocsp_cert_subject_name "cn=ocsp\ signing\ cert,o=testca\ domain" \
  -ca_server_cert_subject_name "cn=ca\ client\ cert,o=testca\ domain" \
  -ca_sign_cert_subject_name "cn=ca\ signing\ cert,o=testca\ domain" \
  -ca_audit_signing_cert_subject_name "cn=audit\ signing\ cert,o=testca\ domain"
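A preflight script for the clone invariants listed above, as an added example that is not from the manual: it checks that the clone shares the master's security domain, LDAP base DN and database name, points at a different Directory Server host or port, and that the PKCS #12 key backup exists and is not world-readable, then prints the pkisilent line to run. The MASTER_*/CLONE_* values are constructed samples, and the -ldap_host, -ldap_port, -base_dn and -db_name parameter names are assumptions.

```shell
#!/bin/sh
# Preflight for cloning a CA with pkisilent (added example, not from the manual).
# Checks the invariants the manual lists before the real pkisilent command runs.
# The -ldap_host, -ldap_port, -base_dn and -db_name parameter names are assumed.
check_clone_invariants() {
    rc=0
    # Same security domain: the clone's -sd_* values must match the master's.
    if [ "$MASTER_SD_HOST:$MASTER_SD_ADMIN_PORT" != "$CLONE_SD_HOST:$CLONE_SD_ADMIN_PORT" ]; then
        echo "clone must join the master's security domain" >&2; rc=1
    fi
    # Same LDAP base DN and database name ...
    if [ "$MASTER_BASE_DN" != "$CLONE_BASE_DN" ] || [ "$MASTER_DB_NAME" != "$CLONE_DB_NAME" ]; then
        echo "clone must reuse the master's LDAP base DN and database name" >&2; rc=1
    fi
    # ... but a separate Directory Server instance, so host or port must differ.
    if [ "$MASTER_LDAP_HOST:$MASTER_LDAP_PORT" = "$CLONE_LDAP_HOST:$CLONE_LDAP_PORT" ]; then
        echo "clone needs its own Directory Server (change -ldap_host or -ldap_port)" >&2; rc=1
    fi
    # The PKCS #12 backup holds the master's private keys: it must exist and not be world-readable.
    if [ ! -r "$CLONE_P12_FILE" ]; then
        echo "PKCS #12 file '$CLONE_P12_FILE' is missing or unreadable" >&2; rc=1
    elif [ -n "$(find "$CLONE_P12_FILE" -perm -004 2>/dev/null)" ]; then
        echo "PKCS #12 file '$CLONE_P12_FILE' is world-readable; chmod 600 it first" >&2; rc=1
    fi
    return $rc
}

# Print the clone invocation. Passwords are left out on purpose: anything on the
# pkisilent command line is visible in shell history and in ps, so add them at run time.
build_clone_cmd() {
    printf '%s' "pkisilent ConfigureCA -cs_hostname $CLONE_HOST -cs_port $CLONE_PORT" \
        " -subsystem_name \"$CLONE_NAME\" -clone true -clone_p12_file $CLONE_P12_FILE" \
        " -master_instance_name $MASTER_INSTANCE -sd_hostname $CLONE_SD_HOST" \
        " -sd_admin_port $CLONE_SD_ADMIN_PORT -ldap_host $CLONE_LDAP_HOST" \
        " -ldap_port $CLONE_LDAP_PORT -base_dn \"$CLONE_BASE_DN\" -db_name $CLONE_DB_NAME"
    echo
}

# Constructed sample values: the master is the manual's pki-ca instance.
MASTER_INSTANCE=pki-ca
MASTER_SD_HOST=domain.example.com;   CLONE_SD_HOST=domain.example.com
MASTER_SD_ADMIN_PORT=9445;           CLONE_SD_ADMIN_PORT=9445
MASTER_LDAP_HOST=server.example.com; CLONE_LDAP_HOST=clone.example.com
MASTER_LDAP_PORT=389;                CLONE_LDAP_PORT=389
MASTER_BASE_DN="o=pki-ca";           CLONE_BASE_DN="o=pki-ca"
MASTER_DB_NAME=pki-ca;               CLONE_DB_NAME=pki-ca
CLONE_HOST=localhost; CLONE_PORT=9445; CLONE_NAME=clone-ca2
CLONE_P12_FILE=/export/backup.p12
check_clone_invariants && build_clone_cmd
```

With the sample values the check fails until /export/backup.p12 exists with mode 0600; once every check passes the script prints the command, to which the passwords are then appended.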

7.4. Performing Silent Configuration Using an External CA

As described in Section 4.1, "Requesting Subsystem Certificates from an External CA", a CA outside of the security domain can be used to generate a subsystem's certificates. It is also possible to request and submit certificates issued by an external CA using pkisilent.

By default, the pkisilent command assumes that you will request a certificate from a CA within the security domain, and this CA is identified in the -ca_hostname and other -ca_* options. This assumes that the -external option is false.

This manual is also suitable for:

System 8 - install guide 25-03-2010