
[Pki-devel] cloning man page edits: tickets 852, 853



Simple changes - please review.

Ade
From 4b18f3d553223b4cd133ccf9c6c5bfa9c76b596a Mon Sep 17 00:00:00 2001
From: Ade Lee <alee redhat com>
Date: Fri, 10 Jul 2015 16:28:52 -0400
Subject: [PATCH] Add details on exporting and importing system certs when
 cloning.

Trac tickets 852, 853
---
 base/server/man/man8/pkispawn.8 | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8
index cd8a91ffd19acb8dd0f83c56b53c7f524041b318..5abf69833193f6680e6816ee6b80c62929b58f48 100644
--- a/base/server/man/man8/pkispawn.8
+++ b/base/server/man/man8/pkispawn.8
@@ -309,7 +309,22 @@ pki_clone_uri=https://<master_ca_hostname>:<master_ca_https_port>
 .PP
 A cloned CA is a CA which uses the same signing, OCSP signing, and audit signing certificates as the master CA, but issues certificates within a different serial number range.  It has its own internal database -- separate from the master CA database -- but using the same base DN, that keeps in sync with the master CA through replication agreements between the databases.  This is very useful for load sharing and disaster recovery. To create a clone, the \fImyconfig.txt\fP uses pki_clone-* parameters in its [CA] section which identify the original CA to use as a master template. Additionally, it connects to the master CA as a remote CA and uses its security domain.
 .PP
-Before the clone can be generated, the Directory Server must be created that is separate from the master CA's Directory Server.  The example assumes that the master CA and cloned CA are on different machines, and that their Directory Servers are on port 389.  In addition, the master's system certs and keys have been stored in a PKCS #12 file that is copied over to the clone subsystem in the location specified in <path_to_pkcs12_file>.  This file is created when the master CA is installed; it can also be generated using \fBPKCS12Export\fP.  The file needs to be readable by the user the Certificate Server runs as (by default, pkiuser) and be given the SELinux context pki_tomcat_cert_t.
+Before the clone can be generated, the Directory Server must be created that is separate from the master CA's Directory Server.  The example assumes that the master CA and cloned CA are on different machines, and that their Directory Servers are on port 389.
+.PP
+In addition, the master's system certs and keys have been stored in a PKCS #12 file that is copied over to the clone subsystem in the location specified in <path_to_pkcs12_file>.   This file needs to be readable by the user the Certificate Server runs as (by default, pkiuser) and be given the SELinux context pki_tomcat_cert_t.
+.PP
+The master's system certificates can be exported to a PKCS#12 file when the master is installed if the parameter \fBpki_backup_keys\fP is set to \fBTrue\fP and the \fBpki_backup_password\fP is set.  The PKCS#12 file is then found under \fB/var/lib/pki/<instance_name>/alias\fP.  Alternatively, the PKCS#12 file can be generated at any time post-installation using \fBPKCS12Export\fP.
+.PP
+An example invocation showing the export of the system certificates and keys, copying the keys to the replica subsystem, and setting the relevant SELinux and file permissions is shown below.  \fBpwfile\fP and \fBpkcs12_password_file\fP are text files containing the passwords for the master NSS DB and the generated PKCS12 file respectively.
+.IP
+.nf
+\fBmaster# PKCS12Export -d /etc/pki/pki-tomcat/alias -p pwfile \\
+        -w pkcs12_password_file -o master.p12
+master# scp master.p12 clone:/root/master.p12
+
+clone# chown pkiuser: /root/master.p12
+clone# semanage -a -t pki_tomcat_cert_t /root/,master.p12\fP
+.fi
 .PP
 .SS Installing a KRA or TKS clone (OCSP unsupported as of now)
 \x'-1'\fBpkispawn \-s <subsystem> \-f myconfig.txt\fR
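Review bot: the final example line, `clone# semanage -a -t pki_tomcat_cert_t /root/,master.p12`, has two defects that would make a reader's copy-paste fail: the path contains a stray comma (`/root/,master.p12` instead of `/root/master.p12`), and `semanage` is invoked without its object subcommand, so `-a -t` is rejected. The file-context form is `semanage fcontext -a -t pki_tomcat_cert_t /root/master.p12` followed by `restorecon -v /root/master.p12`, since `semanage fcontext` only records the rule and `restorecon` applies the label to the existing file. Two smaller points in the same hunk: the new paragraph states the PKCS #12 file must be readable by pkiuser, but the example only runs `chown pkiuser:` and places the file under /root, so a `chmod` (or a path outside /root) would make the example match the prose about "relevant SELinux and file permissions"; and the added text alternates between "PKCS #12" and "PKCS#12", where the existing page uses "PKCS #12".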
-- 
1.9.3

