Red Hat CERTIFICATE SYSTEM 8 Install Manual page 113

To submit the subsystem certificate requests to an external CA, explicitly set the -external option
to true. The generated certificate requests are then exported to a file, from which they can be
submitted to the external CA. Once the certificates are issued, the files containing the subsystem
certificates and the certificate chain of the issuing external CA are passed back to the pkisilent
command. This behaviour is controlled by four parameters:
• -external, which explicitly sets whether to use an external CA
• -ext_csr_file, which gives the path and name of the output file to which the certificate
requests for the subsystem are written
• -ext_ca_cert_file, which gives the input file containing the certificates issued by the
external CA
• -ext_ca_cert_chain_file, which gives the input file containing the CA certificate chain of the
external CA that issued the certificates
Whether it is performed through the HTML wizard or using pkisilent, submitting certificates to an
external CA is a three-step process, two of them involving pkisilent:
1. In the first step, much of the preliminary information is configured for the instance.
Along with this configuration, its certificate requests are generated and written to the file specified
in -ext_csr_file. These certificate requests must be submitted to the external CA.
2. The certificate requests are submitted to the external CA, and the issued certificates are retrieved
and saved to file.
3. The newly issued subsystem certificates are installed in the instance by referencing the saved
certificate file in the -ext_ca_cert_file parameter.
This is also when the final configuration (creating the administrator user) is performed.
For example:
...step 1...
pkisilent ConfigureCA -cs_hostname localhost -cs_port 9445 -subsystem_name "pki-ca2" \
 -client_certdb_dir /tmp/ -client_certdb_pwd password -preop_pin sYY8er834FG9793fsef7et5 \
 -domain_name "testca" -agent_key_size 2048 -agent_key_type rsa \
 -agent_cert_subject "cn=ca\ agent\ cert" -ldap_host server -ldap_port 389 \
 -bind_dn "cn=directory\ manager" -bind_password password -base_dn "o=pki-ca2" \
 -db_name "server.example.com-pki-ca2" -key_size 2048 -key_type rsa -save_p12 true \
 -backup_pwd password -backup_fname /export/backup.p12 \
 -ca_subsystem_cert_subject_name "cn=ca\ subsystem\ cert,o=testca\ domain" \
 -ca_ocsp_cert_subject_name "cn=ocsp\ signing\ cert,o=testca\ domain" \
 -ca_server_cert_subject_name "cn=ca\ client\ cert,o=testca\ domain" \
 -ca_sign_cert_subject_name "cn=ca\ signing\ cert,o=testca\ domain" \
 -ca_audit_signing_cert_subject_name "cn=audit\ signing\ cert,o=testca\ domain" \
 -external true -ext_csr_file /tmp/cert.req
...step 2...
pkisilent ConfigureCA -cs_hostname localhost -cs_port 9445 -subsystem_name "pki-ca2" \
 -preop_pin sYY8er834FG9793fsef7et5 -domain_name "testca" -admin_user admin \
 -admin_email "admin@example.com" -admin_password password -external true \
 -ext_ca_cert_file /tmp/certs.cer -ext_ca_cert_chain_file /tmp/cachain.cer
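The manual does not say what to do between the external CA handing back the certificates and the second pkisilent run. The following Python helper is an added example, not code from the Red Hat manual or the Certificate System project: it assembles the external-CA options for each pkisilent run (rejecting an incomplete set) and, before step 3, uses the openssl command line to confirm that every certificate in the returned file chains to the supplied CA chain file and carries the public key of one of the requests written in step 1, so a certificate issued for some other key, or a truncated or mislabelled file, is caught before it is installed into the instance. The file names follow the manual's example; the function names, the assumption that the request and certificate files are PEM bundles, and the openssl checks are this example's own.

```python
#!/usr/bin/env python3
"""Added example (not from the Red Hat manual): sanity checks around the
three-step external-CA flow for pkisilent ConfigureCA. Assumes the openssl
CLI is installed and that -ext_csr_file / -ext_ca_cert_file hold PEM blocks."""
import re
import subprocess

# One PEM block; the backreference keeps the BEGIN and END labels paired.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def split_pem(text):
    """Return every PEM block (certificate, request, ...) found in text."""
    return [m.group(0) for m in PEM_RE.finditer(text)]


def external_ca_args(step, csr_file=None, cert_file=None, chain_file=None):
    """Build the external-CA options for one pkisilent ConfigureCA run.

    Step 1 only needs where to write the requests; step 3 needs both the
    issued certificates and the chain of the CA that issued them. A missing
    or mixed-up option is reported here rather than by a half-configured
    instance.
    """
    if step == 1:
        if not csr_file:
            raise ValueError("step 1 needs -ext_csr_file")
        return ["-external", "true", "-ext_csr_file", csr_file]
    if step == 3:
        if not (cert_file and chain_file):
            raise ValueError("step 3 needs -ext_ca_cert_file and "
                             "-ext_ca_cert_chain_file")
        return ["-external", "true",
                "-ext_ca_cert_file", cert_file,
                "-ext_ca_cert_chain_file", chain_file]
    raise ValueError("step 2 happens at the external CA, not in pkisilent")


def _openssl(args, pem):
    """Run an openssl subcommand with a single PEM block on stdin."""
    return subprocess.run(["openssl", *args], input=pem.encode(),
                          capture_output=True)


def check_issued_certs(cert_file, chain_file, csr_file):
    """Return a list of problems with the step-3 input files (empty = OK).

    Each issued certificate must verify against chain_file, and its public
    key must belong to one of the requests generated in step 1.
    """
    problems = []
    certs = split_pem(open(cert_file).read())
    csrs = split_pem(open(csr_file).read())
    if not certs:
        return [f"{cert_file}: no PEM certificates found"]
    # Public keys we asked the external CA to certify, as PEM text.
    requested = set()
    for csr in csrs:
        r = _openssl(["req", "-noout", "-pubkey"], csr)
        if r.returncode == 0:
            requested.add(r.stdout.decode())
    for i, cert in enumerate(certs, 1):
        v = _openssl(["verify", "-CAfile", chain_file], cert)
        if v.returncode != 0:
            problems.append(f"cert {i}: does not chain to {chain_file}: "
                            f"{v.stderr.decode().strip()}")
        k = _openssl(["x509", "-noout", "-pubkey"], cert)
        if k.returncode != 0 or k.stdout.decode() not in requested:
            problems.append(f"cert {i}: public key matches no request "
                            f"in {csr_file}")
    return problems


if __name__ == "__main__":
    # Paths taken from the manual's example.
    CSR, CERTS, CHAIN = "/tmp/cert.req", "/tmp/certs.cer", "/tmp/cachain.cer"
    print("step 1 options:", " ".join(external_ca_args(1, csr_file=CSR)))
    print("step 3 options:",
          " ".join(external_ca_args(3, cert_file=CERTS, chain_file=CHAIN)))
    for p in check_issued_certs(CERTS, CHAIN, CSR):
        print("PROBLEM:", p)
```

Run it after saving the external CA's output to /tmp/certs.cer and /tmp/cachain.cer and before the second pkisilent command; an empty problem list means the files are consistent with what step 1 requested, and any reported problem is worth resolving with the external CA before the certificates are installed.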
Performing Silent Configuration Using an External CA
103