Added docs on CA, KRA, OCSP cloning with HSM

https://bugzilla.redhat.com/show_bug.cgi?id=1806840
dogtagpki · Feb 28, 2020 · 6412284 · 6412284
1 parent 27fd676
commit 6412284
Show file tree

Hide file tree

Showing 9 changed files with 581 additions and 11 deletions.
diff --git a/docs/installation/Installing_CA_Clone_with_HSM.md b/docs/installation/Installing_CA_Clone_with_HSM.md
@@ -0,0 +1,134 @@
+Installing CA Clone with HSM
+============================
+
+Overview
+--------
+
+This page describes the process to install a CA subsystem as a clone of an existing CA subsystem
+where the system certificates and their keys are stored in HSM.
+
+Since the certificates and the keys are already in HSM, it's not necessary to export them into a
+PKCS #12 file to create a clone.
+
+CA Subsystem Installation
+-------------------------
+
+Prepare a file (e.g. ca.cfg) that contains the deployment configuration, for example:
+
+```
+[DEFAULT]
+pki_server_database_password=Secret.123
+
+pki_hsm_enable=True
+pki_hsm_libfile=/usr/lib64/pkcs11/libsofthsm2.so
+pki_hsm_modulename=softhsm
+pki_token_name=token
+pki_token_password=Secret.123
+
+[CA]
+[email protected]
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_database=ca
+pki_ds_password=Secret.123
+
+pki_security_domain_hostname=server.example.com
+pki_security_domain_https_port=8443
+pki_security_domain_user=caadmin
+pki_security_domain_password=Secret.123
+
+pki_ca_signing_nickname=ca_signing
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_audit_signing_nickname=ca_audit_signing
+pki_sslserver_nickname=sslserver/replica.example.com
+pki_subsystem_nickname=subsystem
+
+pki_clone=True
+pki_clone_replicate_schema=True
+pki_clone_uri=https://server.example.com:8443
+```
+
+Then execute the following command:
+
+```
+$ pkispawn -f ca.cfg -s CA
+```
+
+It will install CA subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases:
+* server NSS database: /etc/pki/pki-tomcat/alias
+* admin NSS database: ~/.dogtag/pki-tomcat/ca/alias
+
+Verifying System Certificates
+-----------------------------
+
+Verify that the internal token contains the following certificates:
+
+```
+$ certutil -L -d /etc/pki/pki-tomcat/alias
+
+Certificate Nickname                                         Trust Attributes
+                                                             SSL,S/MIME,JAR/XPI
+
+ca_signing                                                   CT,C,C
+ca_audit_signing                                             ,,P
+```
+
+Verify that the HSM contains the following certificates:
+
+```
+$ certutil -L -d /etc/pki/pki-tomcat/alias -h token -f token.pwd
+
+Certificate Nickname                                         Trust Attributes
+                                                             SSL,S/MIME,JAR/XPI
+
+token:ca_signing                                             CTu,Cu,Cu
+token:ca_ocsp_signing                                        u,u,u
+token:subsystem                                              u,u,u
+token:ca_audit_signing                                       u,u,Pu
+token:sslserver/replica.example.com                          u,u,u
+```
+
+Verifying Admin Certificate
+---------------------------
+
+Prepare a client NSS database (e.g. ~/.dogtag/nssdb):
+
+```
+$ pki -c Secret.123 client-init
+```
+
+Import the CA signing certificate:
+
+```
+$ pki -c Secret.123 client-cert-import ca_signing --ca-cert ca_signing.crt
+```
+
+Import the master's admin key and certificate:
+
+```
+$ pki -c Secret.123 client-cert-import \
+ --pkcs12 ca_admin_cert.p12 \
+ --pkcs12-password-file pkcs12_password.conf
+```
+
+Verify that the admin certificate can be used to access the CA clone by executing the following command:
+
+```
+$ pki -c Secret.123 -n caadmin ca-user-show caadmin
+--------------
+User "caadmin"
+--------------
+  User ID: caadmin
+  Full name: caadmin
+  Email: [email protected]
+  Type: adminType
+  State: 1
+```
diff --git a/docs/installation/Installing_CA_with_HSM.md b/docs/installation/Installing_CA_with_HSM.md
@@ -5,7 +5,7 @@ Overview
 --------
 
 This page describes the process to install a CA subsystem with a self-signed CA signing certificate
-where the keys of the system certificates will be stored in HSM.
+where the system certificates and their keys will be stored in HSM.
 
 CA Subsystem Installation
 -------------------------
@@ -42,7 +42,7 @@ pki_security_domain_name=EXAMPLE
 pki_ca_signing_nickname=ca_signing
 pki_ocsp_signing_nickname=ca_ocsp_signing
 pki_audit_signing_nickname=ca_audit_signing
-pki_sslserver_nickname=sslserver
+pki_sslserver_nickname=sslserver/server.example.com
 pki_subsystem_nickname=subsystem
 ```
 
@@ -83,7 +83,7 @@ token:ca_signing                                             CTu,Cu,Cu
 token:ca_ocsp_signing                                        u,u,u
 token:subsystem                                              u,u,u
 token:ca_audit_signing                                       u,u,Pu
-token:sslserver                                              u,u,u
+token:sslserver/server.example.com                           u,u,u
 ```
 
 Verifying Admin Certificate

diff --git a/docs/installation/Installing_KRA_Clone_with_HSM.md b/docs/installation/Installing_KRA_Clone_with_HSM.md
@@ -0,0 +1,152 @@
+Installing KRA Clone with HSM
+=============================
+
+Overview
+--------
+
+This page describes the process to install a KRA subsystem as a clone of an existing KRA subsystem
+where the system certificates and their keys are stored in HSM.
+
+Since the certificates and the keys are already in HSM, it's not necessary to export them into a
+PKCS #12 file to create a clone.
+
+KRA Subsystem Installation
+--------------------------
+
+Prepare a file (e.g. kra.cfg) that contains the deployment configuration, for example:
+
+```
+[DEFAULT]
+pki_server_database_password=Secret.123
+
+pki_hsm_enable=True
+pki_hsm_libfile=/usr/lib64/pkcs11/libsofthsm2.so
+pki_hsm_modulename=softhsm
+pki_token_name=token
+pki_token_password=Secret.123
+
+[KRA]
+[email protected]
+pki_admin_name=kraadmin
+pki_admin_nickname=kraadmin
+pki_admin_password=Secret.123
+pki_admin_uid=kraadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com
+pki_ds_database=kra
+pki_ds_password=Secret.123
+
+pki_security_domain_hostname=server.example.com
+pki_security_domain_https_port=8443
+pki_security_domain_user=caadmin
+pki_security_domain_password=Secret.123
+
+pki_storage_nickname=kra_storage
+pki_transport_nickname=kra_transport
+pki_audit_signing_nickname=kra_audit_signing
+pki_sslserver_nickname=sslserver/replica.example.com
+pki_subsystem_nickname=subsystem
+
+pki_clone=True
+pki_clone_replicate_schema=True
+pki_clone_uri=https://server.example.com:8443
+```
+
+Then execute the following command:
+
+```
+$ pkispawn -f kra.cfg -s KRA
+```
+
+It will install KRA subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases:
+* server NSS database: /etc/pki/pki-tomcat/alias
+* admin NSS database: ~/.dogtag/pki-tomcat/kra/alias
+
+Verifying System Certificates
+-----------------------------
+
+Verify that the internal token contains the following certificates:
+
+```
+$ certutil -L -d /etc/pki/pki-tomcat/alias
+
+Certificate Nickname                                         Trust Attributes
+                                                             SSL,S/MIME,JAR/XPI
+
+ca_signing                                                   CT,C,C
+kra_audit_signing                                            ,,P
+```
+
+Verify that the HSM contains the following certificates:
+
+```
+$ certutil -L -d /etc/pki/pki-tomcat/alias -h token -f token.pwd
+
+Certificate Nickname                                         Trust Attributes
+                                                             SSL,S/MIME,JAR/XPI
+
+token:kra_transport                                          u,u,u
+token:kra_storage                                            u,u,u
+token:subsystem                                              u,u,u
+token:kra_audit_signing                                      u,u,Pu
+token:sslserver/replica.example.com                          u,u,u
+```
+
+Verifying Admin Certificate
+---------------------------
+
+Prepare a client NSS database (e.g. ~/.dogtag/nssdb):
+
+```
+$ pki -c Secret.123 client-init
+```
+
+Import the CA signing certificate:
+
+```
+$ pki -c Secret.123 client-cert-import ca_signing --ca-cert ca_signing.crt
+```
+
+Import admin key and certificate:
+
+```
+$ pki -c Secret.123 client-cert-import \
+ --pkcs12 ca_admin_cert.p12 \
+ --pkcs12-password-file pkcs12_password.conf
+```
+
+Verify that the admin certificate can be used to access the KRA subsystem by executing the following command:
+
+```
+$ pki -c Secret.123 -n caadmin kra-user-show kraadmin
+---------------
+User "kraadmin"
+---------------
+  User ID: kraadmin
+  Full name: kraadmin
+  Email: [email protected]
+  Type: adminType
+  State: 1
+```
+
+Verifying KRA Connector
+-----------------------
+
+Verify that the KRA connector is configured in the CA subsystem:
+
+```
+$ pki -c Secret.123 -n caadmin ca-kraconnector-show
+
+Host: server.example.com:8443
+Enabled: true
+Local: false
+Timeout: 30
+URI: /kra/agent/kra/connector
+Transport Cert:
+
+<base-64 certificate>
+```
diff --git a/docs/installation/Installing_KRA_with_HSM.md b/docs/installation/Installing_KRA_with_HSM.md
@@ -5,7 +5,7 @@ Overview
 --------
 
 This page describes the process to install a KRA subsystem
-where the keys of the system certificates will be stored in HSM.
+where the system certificates and their keys will be stored in HSM.
 
 KRA Subsystem Installation
 --------------------------
@@ -45,7 +45,7 @@ pki_security_domain_password=Secret.123
 pki_storage_nickname=kra_storage
 pki_transport_nickname=kra_transport
 pki_audit_signing_nickname=kra_audit_signing
-pki_sslserver_nickname=sslserver
+pki_sslserver_nickname=sslserver/server.example.com
 pki_subsystem_nickname=subsystem
 ```
 
@@ -86,7 +86,7 @@ token:kra_transport                                          u,u,u
 token:kra_storage                                            u,u,u
 token:subsystem                                              u,u,u
 token:kra_audit_signing                                      u,u,Pu
-token:sslserver                                              u,u,u
+token:sslserver/server.example.com                           u,u,u
 ```
 
 Verifying Admin Certificate