Red Hat CERTIFICATE SYSTEM 8 Install Manual page 78

Chapter 4. Additional Installation Options
service pki-ca start
16. Continue with the CA configuration, with two important configuration settings:
• In the Key Store panel, the ECC module should be listed as an available token. Select that
module for the key store.
• In the Key Pairs panel, ECC should be listed as an option to use to generate the keys used for
the CA's certificates. Select the ECC key type.
17. After completing the configuration, try to log into the subsystem console.
pkiconsole https://server.example.com:9445/ca
This fails, because the console is not yet configure to run in ECC. However, this does create the
security databases for the console, so the ECC module can be loaded.
Load the ECC module into the console security databases.
cd ~/.redhat-idm-console/
modutil -dbdir . -nocertdb -add certicom -libfile /usr/lib/libsbcpgse.so
Now, logging into the console succeeds.
18. The web browser used to access administrative and agent services pages also needs to be
configured to support ECC.
a. Create a user for the browser profile, such as agent-pki.
b. Launch Firefox and create a profile for this user; this automatically creates the required
security databases and directory.
c. Set the root home directory to /home/agent-pki, and make sure the directory is owned by
root.
chown -R root:root /home/agent-pki
d. Copy the ECC module libraries and initpin file to the /home/agent-pki directory. All
these files should be owned by root.
e. Load the ECC module.
modutil -dbdir /home/agent-pki/.mozilla/profile.default -nocertdb -add certicom -
libfile /usr/lib/libsbcpgse.so
f. Run the initpin file. When prompted, enter the Certicom token database directory, /usr/
share/pki/pkiuser, and enter the PIN configured for those databases.
./initpin
g. Change the ownership of the new user's home directory from root to the user. For example:
68