Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual page 93

Key archival requires two things:
• Having a trusted relationship between a CA and a DRM.
• Having the enrollment form enabled for key archival, meaning it has key archival configured and the
DRM transport certificate stored in the form.
Both of these configuration steps are done automatically when the DRM is configured, because it is
configured with a trusted relationship to a CA at that time. It is also possible to create that trusted
relationship with Certificate Managers outside its security domain by manually configuring the trust
relationships and profile enrollment forms.
1. If necessary, create a trusted manager to establish a relationship between the Certificate Manager
and the DRM.
For the CA to be able to request key archival of the DRM, the two subsystems must be configured
to recognize, trust, and communicate with each other. Verify that the Certificate Manager has been
set up as a privileged user, with an appropriate SSL client authentication certificate, in the internal
database of the DRM. By default, the Certificate Manager uses its subsystem certificate for SSL
client authentication to the DRM.
Follow the instructions in Section 14.3.2.5, "Setting up a Trusted Manager", and set up the CA as a
trusted manager to the DRM.
2. Copy the base-64 encoded transport certificate for the DRM.
The transport certificate is stored in the DRM's certificate database, which can be retrieved using
the certutil utility. If the transport certificate is signed by a Certificate Manager, then a copy of
the certificate is available through the Certificate Manager end-entities page in the Retrieval tab.
3. Add the transport certificate to the CA's CS.cfg file.
ca.connector.KRA.enable=true
ca.connector.KRA.host=server.example.com
ca.connector.KRA.local=false
ca.connector.KRA.nickName=subsystemCert cert-pki-ca
ca.connector.KRA.port=10444
ca.connector.KRA.timeout=30
ca.connector.KRA.transportCert=MIIDbDCCAlSgAwIBAgIBDDANBgkqhkiG9w0BAQUFADA6MRgwFgYDVQQKEw9Eb21haW4gc28
BTsU5A2sRUwNfoZSMs/d5KLuXOHPyGtmC6yVvaY719hr9EGYuv0Sw6jb3WnEKHpjbUO/
vhFwTufJHWKXFN3V4pMbHTkqW/x5fu/3QyyUre/5IhG0fcEmfvYxIyvZUJx+aQBW437ATD99Kuh+I+FuYdW
+SqYHznHY8BqOdJwJ1JiJMNceXYAuAdk+9t70RztfAhBmkK0OOP0vH5BZ7RCwE3Y/6ycUdSyPZGGc76a0HrKOz
+lwVFulFStiuZIaG1pv0NNivzcj0hEYq6AfJ3hgxcC1h87LmCxgRWUCAwEAAaN5MHcwHwYDVR0jBBgwFoAURShCYtSg
+Oh4rrgmLFB/
Fg7X3qcwRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vY2x5ZGUucmR1LnJlZGhhdC5jb206OTE4MC9jYS9vY3NwMA
wQEAwIE8DANBgkqhkiG9w0BAQUFAAOCAQEAFYz5ibujdIXgnJCbHSPWdKG0T
+FmR67YqiOtoNlGyIgJ42fi5lsDPfCbIAe3YFqmF3wU472h8LDLGyBjy9RJxBj+aCizwHkuoH26KmPGntIayqWDH/
UGsIL0mvTSOeLqI3KM0IuH7bxGXjlION83xWbxumW/kVLbT9RCbL4216tqq5jsjfOHNNvUdFhWyYdfEOjpp/
UQZOhOM1d8GFiw8N8ClWBGc3mdlADQp6tviodXueluZ7UxJLNx3HXKFYLleewwIFhC82zqeQ1PbxQDL8QLjzca
+IUzq6Cd/t7OAgvv3YmpXgNR0/xoWQGdM1/YwHxtcAcVlskXJw5ZR0Y2zA==
ca.connector.KRA.uri=/kra/agent/kra/connector
4. Then edit the enrollment form and add or replace the transport certificate value in the
keyTransportCert method.
vim /var/lib/pki-ca/webapps/ca/ee/ca/ProfileSelect.template
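As an added example (not from the Red Hat manual), a Python helper for steps 2 and 3: it turns the certificate as certutil or the end-entities page exports it into the single-line base-64 value CS.cfg expects, checks that the value is one complete DER certificate (a copy that lost characters while being pasted is rejected), and adds or replaces ca.connector.KRA.transportCert without leaving duplicates. The sample CS.cfg fragment and the stand-in certificate bytes are constructed, and the function names are assumptions of this example.

```python
import base64

# Constructed sample CS.cfg fragment: the page's connector keys, before step 3 adds the certificate.
SAMPLE_CS_CFG = """ca.connector.KRA.enable=true
ca.connector.KRA.host=server.example.com
ca.connector.KRA.local=false
ca.connector.KRA.nickName=subsystemCert cert-pki-ca
ca.connector.KRA.port=10444
ca.connector.KRA.timeout=30
ca.connector.KRA.uri=/kra/agent/kra/connector
"""

# Constructed stand-in for a transport certificate: a 150-byte DER SEQUENCE (long-form length 0x81 0x96).
SAMPLE_CERT_DER = b"\x30\x81\x96" + b"\x02\x01\x05" * 50
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT_DER).decode() + "-----END CERTIFICATE-----\n"

def pem_to_cs_cfg_value(text: str) -> str:
    """Strip PEM armor and all whitespace: CS.cfg wants the base-64 body on a single line."""
    body = [l for l in text.splitlines() if not l.strip().startswith("-----")]
    return "".join("".join(body).split())

def is_complete_der(b64: str) -> bool:
    """True if b64 decodes to exactly one DER SEQUENCE (a whole X.509 certificate);
    a value that lost characters while being copied, a common mistake, fails here."""
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError:                            # binascii.Error is a ValueError
        return False
    if len(der) < 2 or der[0] != 0x30:            # Certificate ::= SEQUENCE
        return False
    first = der[1]
    if first < 0x80:                              # short-form length
        hdr, length = 2, first
    else:                                         # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return hdr + length == len(der)

def set_transport_cert(cs_cfg: str, b64: str) -> str:
    """Add or replace ca.connector.KRA.transportCert in cs_cfg text; refuses a broken value."""
    if not is_complete_der(b64):
        raise ValueError("transport certificate is not one complete DER certificate")
    key = "ca.connector.KRA.transportCert="
    kept = [l for l in cs_cfg.splitlines() if not l.startswith(key)]   # drop any old copy
    return "\n".join(kept + [key + b64]) + "\n"                         # exactly one copy
```

Run set_transport_cert over the contents of the CA's CS.cfg after the CA has been stopped, and write the result back only if no exception was raised.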