Install and configure ISC CertAgent for Linux

8min
Perform the following tasks to install and configure the CertAgent and verify that it works properly.
Install and Configure CertAgent
Perform the following tasks:
1 | Unpack the software distribution
The CertAgent package for Linux platforms consists of a zip archive that may be unzipped (with directory structure preserved) into any convenient directory on your server’s hard drive.
2 | Set the LD_LIBRARY_PATH environment variable and run the CertAgent installer
1
In a terminal, navigate to the certagent<version>-install directory. In this directory there should be a file called install.sh.
2
The CertAgent installer requires the location of the Futurex PKCS #11 (FXPKCS11) directory to be specified in the LD_LIBRARY_PATH environment variable. Run the following command to set the LD_LIBRARY_PATH variable and run the CertAgent installer in the same command (Note: The path to the FXPKCS11 library needs to be specific to where it is installed on your system):
Shell
[centos@centos6 certagent.7.0.8-install]$ sudo env LD_LIBRARY_PATH=/usr/local/bin/fxpkcs11 ./install.sh
[centos@centos6 certagent.7.0.8-install]$ sudo env LD_LIBRARY_PATH=/usr/local/bin/fxpkcs11 ./install.sh
﻿
The output should be similar to the following:
Shell
******************************************************************************
CertAgent Installation 7.0.8
Copyright(c) 2020 Information Security Corp. All rights reserved.
******************************************************************************

You are going to install CertAgent 7.0.8.
An HSM is required to be installed. Credentials will be
generated on the HSM during the installation.

The following information is required during the installation process:
- 64-bit Java 8, 11, or above installation directory
- 64-bit HSM library, label, and PIN
- if an existing Oracle, PostgreSQL, or HyperSQL database will be used, 
the location of the JDBC driver, access URL, user name and password for
the Oracle, PostgreSQL, or HyperSQL database; otherwise, an HyperSQL
database will be installed and requires a listening port
- system hostname or IP address
- TLS port for the administrator site
- TLS port for the public site

The following directories must be specified in the LD_LIBRARY_PATH variable:
- the 64-bit HSM libraries
- the Oracle Instant Client libraries (if OCI driver will be used)

LD_LIBRARY_PATH is currently set to:
/usr/local/bin/fxpkcs11

Are the required directories specified in the
LD_LIBRARY_PATH? [yes]:
******************************************************************************
CertAgent Installation 7.0.8
Copyright(c) 2020 Information Security Corp. All rights reserved.
******************************************************************************

You are going to install CertAgent 7.0.8.
An HSM is required to be installed. Credentials will be
generated on the HSM during the installation.

The following information is required during the installation process:
- 64-bit Java 8, 11, or above installation directory
- 64-bit HSM library, label, and PIN
- if an existing Oracle, PostgreSQL, or HyperSQL database will be used, 
the location of the JDBC driver, access URL, user name and password for
the Oracle, PostgreSQL, or HyperSQL database; otherwise, an HyperSQL
database will be installed and requires a listening port
- system hostname or IP address
- TLS port for the administrator site
- TLS port for the public site

The following directories must be specified in the LD_LIBRARY_PATH variable:
- the 64-bit HSM libraries
- the Oracle Instant Client libraries (if OCI driver will be used)

LD_LIBRARY_PATH is currently set to:
/usr/local/bin/fxpkcs11

Are the required directories specified in the
LD_LIBRARY_PATH? [yes]:
﻿
3
Hit Enter to confirm that the required directories are specified in the LD_LIBRARY_PATH variable.
4
Next you'll be required to scroll through the license agreement and then accept it.
The first prompt after the license agreement is particularly important. It will look like this:
Shell
******************************************************************************
Specifying CertAgent installation type...
******************************************************************************

1) NIAP-compliance:
- Require Java 8
- Install Tomcat 8.5.50
- Create a HyperSQL database server or use an existing PostgreSQL database
- Generate HSM-based TLS credential

2) Non-NIAP-compliance:
- Require Java 8, 11, or above
- Install Tomcat 8.5.50
- Create a HyperSQL database or use an existing PostgreSQL, Oracle, 
 or HyperSQL database
- Generate software-based TLS credential

Answer [1]: 
******************************************************************************
Specifying CertAgent installation type...
******************************************************************************

1) NIAP-compliance:
- Require Java 8
- Install Tomcat 8.5.50
- Create a HyperSQL database server or use an existing PostgreSQL database
- Generate HSM-based TLS credential

2) Non-NIAP-compliance:
- Require Java 8, 11, or above
- Install Tomcat 8.5.50
- Create a HyperSQL database or use an existing PostgreSQL, Oracle, 
 or HyperSQL database
- Generate software-based TLS credential

Answer [1]: 
﻿
Make sure that the first option is selected here, because we want Tomcat and HyperSQL database server to be installed automatically, and we want to generate TLS credentials using the  .
For all prompts not specifically mentioned here, the default value can be selected.
5
At the following prompt, be sure to select option number one.
Shell
******************************************************************************
Specifying database...
******************************************************************************
Which database are you going to use?

1) I don't have one. Install and configure a HyperSQL 2.4.0 database for me

2) An existing PostgreSQL database

Answer [1]:
******************************************************************************
Specifying database...
******************************************************************************
Which database are you going to use?

1) I don't have one. Install and configure a HyperSQL 2.4.0 database for me

2) An existing PostgreSQL database

Answer [1]:
﻿
6
The installer will eventually prompt for the location of the FXPKCS11 library. The full path to the libfxpkcs11.so file should be provided.
If using an older version of CertAgent (e.g., CertAgent 6), it will ask for the HSM label. Leave the field blank and proceed with the rest of the installation.
Shell
******************************************************************************
* Specifying HSM info...
******************************************************************************
A CA account (account name: ca7) and an initial set of credentials will be
automatically generated.
System, root CA, and TLS credentials will be generated on the chosen HSM.

64-bit HSM library: /usr/local/bin/fxpkcs11/libfxpkcs11.so
******************************************************************************
* Specifying HSM info...
******************************************************************************
A CA account (account name: ca7) and an initial set of credentials will be
automatically generated.
System, root CA, and TLS credentials will be generated on the chosen HSM.

64-bit HSM library: /usr/local/bin/fxpkcs11/libfxpkcs11.so
﻿
7
The next prompt will display something similar to the following:
Shell
One partition found: 
Label: 10.0.5.223:9100; Slot: 0
Use this partition? [yes]: 
HSM PIN (no echo of input):
One partition found: 
Label: 10.0.5.223:9100; Slot: 0
Use this partition? [yes]: 
HSM PIN (no echo of input):
﻿
Confirm that you want to use the partition that it found, then enter the  identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.
8
Next, CertAgent will create several different keys and certificates on the  .
You can simply use the default values for all prompts.
9
You will be prompted to enter passwords for several different items. For each instance, specify a password of your choosing.
10
If the CertAgent installation completes successfully you will see output similar to the following:
Shell
******************************************************************************
Summary
******************************************************************************
CertAgent has been installed.
Installation directory: /usr/local/certagent7

CertAgent service (isc-certagent7) has been installed.
CertAgent restarts automatically upon system startup.

HSQLDB service (isc-certagent7-hsqldb) has been installed.
HSQLDB server restarts automatically upon system startup.

Entering System PIN
===================
An administrator must enter the PIN of the HSM in which the system
credential resided on each time the system is booted.
Run the following command, enter the HSM PIN and press ENTER:
/usr/local/certagent7/certagent.sh setpin

Importing Authorized Users
==========================
Please import the administrator, auditor, and CA operations staff PKCS#12 files:
/usr/local/certagent7/keystore/ca-admin.p12
/usr/local/certagent7/keystore/ca-auditor.p12
/usr/local/certagent7/keystore/ca-operations-staff.p12
and the root certificate file: 
/usr/local/certagent7/keystore/ca-root.der
into your browser's certificate and trust stores and use
these keys to authenticate yourself to the webserver.
NOTE: AES-256 is used to encrypt your private key during the
installation, the PKCS#12 files generated by the installer
can only be imported to compatible browsers (e.g., Firefox 56+)

Accessing CertAgent Sites
==========================
The following URLs may be used to access CertAgent using
Internet Explorer or other supported browsers.

Admin access:
https://centos6.linuxvmimages.local:8443/certagentadmin/admin/login.jsp
CA Account access:
https://centos6.linuxvmimages.local:8443/certagentadmin/ca/login.jsp
Public access:
https://centos6.linuxvmimages.local:443/certagent/main.jsp
-----------------------------------------------------------------------------
The above information has been saved to install.log.

Please run the '/usr/local/certagent7/certagent.sh setpin' command to set the system PIN.
EXIT
******************************************************************************
Summary
******************************************************************************
CertAgent has been installed.
Installation directory: /usr/local/certagent7

CertAgent service (isc-certagent7) has been installed.
CertAgent restarts automatically upon system startup.

HSQLDB service (isc-certagent7-hsqldb) has been installed.
HSQLDB server restarts automatically upon system startup.

Entering System PIN
===================
An administrator must enter the PIN of the HSM in which the system
credential resided on each time the system is booted.
Run the following command, enter the HSM PIN and press ENTER:
/usr/local/certagent7/certagent.sh setpin

Importing Authorized Users
==========================
Please import the administrator, auditor, and CA operations staff PKCS#12 files:
/usr/local/certagent7/keystore/ca-admin.p12
/usr/local/certagent7/keystore/ca-auditor.p12
/usr/local/certagent7/keystore/ca-operations-staff.p12
and the root certificate file: 
/usr/local/certagent7/keystore/ca-root.der
into your browser's certificate and trust stores and use
these keys to authenticate yourself to the webserver.
NOTE: AES-256 is used to encrypt your private key during the
installation, the PKCS#12 files generated by the installer
can only be imported to compatible browsers (e.g., Firefox 56+)

Accessing CertAgent Sites
==========================
The following URLs may be used to access CertAgent using
Internet Explorer or other supported browsers.

Admin access:
https://centos6.linuxvmimages.local:8443/certagentadmin/admin/login.jsp
CA Account access:
https://centos6.linuxvmimages.local:8443/certagentadmin/ca/login.jsp
Public access:
https://centos6.linuxvmimages.local:443/certagent/main.jsp
-----------------------------------------------------------------------------
The above information has been saved to install.log.

Please run the '/usr/local/certagent7/certagent.sh setpin' command to set the system PIN.
EXIT
﻿

3 | Run the post-installation step
Run the following command to set the system PIN:
Shell
[centos@centos6 certagent.7.0.8-install]$ sudo /usr/local/certagent7/certagent.sh setpin
Setting system PIN...
Enter CertAgent system PIN (no echo of input):           
01/21/21 14:57:05 EST: System PIN set successfully
[centos@centos6 certagent.7.0.8-install]$ sudo /usr/local/certagent7/certagent.sh setpin
Setting system PIN...
Enter CertAgent system PIN (no echo of input):           
01/21/21 14:57:05 EST: System PIN set successfully
﻿
Verify the installation
This section verifies that CertAgent is communicating correctly with the .
1
After the installation completes, you can log in to the  web UI to verify the keys have successfully been generated.
2
The Futurex Command Line Interface (FXCLI) can also be used to validate that the CertAgent keys and certificates have been generated and stored on the . Once connected and logged in, run the keytable list command. 
The externalData and pkcs11Attributes fields and associated values were removed to shorten the output of the command.
FXCLI
$ keytable list
result:
 status: success
 statusCode: 0
slots:
 -
     slot: 0
     type: "key"
     name: ""
     kcv: "BFE0"
     algorithm: RSA
     bits: 3072
     usage: Encrypt,Decrypt,Sign,Verify,Wrap,Unwrap
     startValidity: "1971-01-01 00:00:00"
     endValidity: "2999-01-01 00:00:00"
     exportable: false
     clearExportable: false
     passwordExportable: false
     requiresAuth: true
     modifiable: true   
 -
     slot: 1
     type: "key"
     name: ""
     kcv: "7C0E"
     algorithm: RSA
     bits: 3072
     usage: Encrypt,Verify,Wrap
     startValidity: "1971-01-01 00:00:00"
     endValidity: "2999-01-01 00:00:00"
     exportable: true
     clearExportable: false
     passwordExportable: false
     requiresAuth: true
     modifiable: true        
 -
     slot: 2
     type: "certificate"
     name: "/C=US/O=ISC/CN=CertAgent 7.0.8 Root CA 0DB4/CN=CertAgent 7.0.8 System Key 0DB4"
     fingerprint: "27262907210242616B91281FC6405DD82EE91B35"
     algorithm: RSA
     bits: 3072
     usage: Sign,Verify,Wrap,Unwrap
     startValidity: "2021-01-21 19:54:44"
     endValidity: "2026-01-21 19:54:44"
     exportable: true
     clearExportable: false
     passwordExportable: false
     requiresAuth: false
     modifiable: true
 -
     slot: 3
     type: "key"
     name: ""
     kcv: "6840"
     algorithm: RSA
     bits: 3072
     usage: Encrypt,Decrypt,Sign,Verify,Wrap,Unwrap
     startValidity: "1971-01-01 00:00:00"
     endValidity: "2999-01-01 00:00:00"
     exportable: false
     clearExportable: false
     passwordExportable: false
     requiresAuth: true
     modifiable: true       
 -
     slot: 4
     type: "key"
     name: ""
     kcv: "7BDA"
     algorithm: RSA
     bits: 3072
     usage: Encrypt,Verify,Wrap
     startValidity: "1971-01-01 00:00:00"
     endValidity: "2999-01-01 00:00:00"
     exportable: true
     clearExportable: false
     passwordExportable: false
     requiresAuth: true
     modifiable: true        
 -
     slot: 5
     type: "certificate"
     name: "/C=US/O=ISC/CN=CertAgent 7.0.8 Root CA 0DB4/CN=CertAgent 7.0.8 Root CA 0DB4"
     fingerprint: "D7AE7F335BCD02CC3D1433BF60F66113FBB4339E"
     algorithm: RSA
     bits: 3072
     usage: Sign,Verify
     startValidity: "2021-01-21 19:54:46"
     endValidity: "2026-01-21 19:54:46"
     exportable: true
     clearExportable: false
     passwordExportable: false
     requiresAuth: false
     modifiable: true
 -
     slot: 6
     type: "key"
     name: ""
     kcv: "F1FB"
     algorithm: RSA
     bits: 3072
     usage: Encrypt,Decrypt,Sign,Verify,Wrap,Unwrap
     startValidity: "1971-01-01 00:00:00"
     endValidity: "2999-01-01 00:00:00"
     exportable: false
     clearExportable: false
     passwordExportable: false
     requiresAuth: true
     modifiable: true
 -
     slot: 7
     type: "key"
     name: ""
     kcv: "2CBF"
     algorithm: RSA
     bits: 3072
     usage: Encrypt,Verify,Wrap
     startValidity: "1971-01-01 00:00:00"
     endValidity: "2999-01-01 00:00:00"
     exportable: true
     clearExportable: false
     passwordExportable: false
     requiresAuth: true
     modifiable: true
 -
     slot: 8
     type: "certificate"
     name: "/C=US/O=ISC/CN=CertAgent 7.0.8 Root CA 0DB4/CN=centos6.linuxvmimages.local"
     fingerprint: "29E36582281B7029E468E8FA6E4139077996851B"
     algorithm: RSA
     bits: 3072
     usage: Sign,Verify,Wrap,Unwrap
     startValidity: "2021-01-21 19:54:47"
     endValidity: "2026-01-21 19:54:46"
     exportable: true
     clearExportable: false
     passwordExportable: false
     requiresAuth: false
     modifiable: true
$ keytable list
result:
 status: success
 statusCode: 0
slots:
 -
     slot: 0
     type: "key"
     name: ""
     kcv: "BFE0"
     algorithm: RSA
     bits: 3072
     usage: Encrypt,Decrypt,Sign,Verify,Wrap,Unwrap
     startValidity: "1971-01-01 00:00:00"
     endValidity: "2999-01-01 00:00:00"
     exportable: false
     clearExportable: false
     passwordExportable: false
     requiresAuth: true
     modifiable: true   
 -
     slot: 1
     type: "key"
     name: ""
     kcv: "7C0E"
     algorithm: RSA
     bits: 3072
     usage: Encrypt,Verify,Wrap
     startValidity: "1971-01-01 00:00:00"
     endValidity: "2999-01-01 00:00:00"
     exportable: true
     clearExportable: false
     passwordExportable: false
     requiresAuth: true
     modifiable: true        
 -
     slot: 2
     type: "certificate"
     name: "/C=US/O=ISC/CN=CertAgent 7.0.8 Root CA 0DB4/CN=CertAgent 7.0.8 System Key 0DB4"
     fingerprint: "27262907210242616B91281FC6405DD82EE91B35"
     algorithm: RSA
     bits: 3072
     usage: Sign,Verify,Wrap,Unwrap
     startValidity: "2021-01-21 19:54:44"
     endValidity: "2026-01-21 19:54:44"
     exportable: true
     clearExportable: false
     passwordExportable: false
     requiresAuth: false
     modifiable: true
 -
     slot: 3
     type: "key"
     name: ""
     kcv: "6840"
     algorithm: RSA
     bits: 3072
     usage: Encrypt,Decrypt,Sign,Verify,Wrap,Unwrap
     startValidity: "1971-01-01 00:00:00"
     endValidity: "2999-01-01 00:00:00"
     exportable: false
     clearExportable: false
     passwordExportable: false
     requiresAuth: true
     modifiable: true       
 -
     slot: 4
     type: "key"
     name: ""
     kcv: "7BDA"
     algorithm: RSA
     bits: 3072
     usage: Encrypt,Verify,Wrap
     startValidity: "1971-01-01 00:00:00"
     endValidity: "2999-01-01 00:00:00"
     exportable: true
     clearExportable: false
     passwordExportable: false
     requiresAuth: true
     modifiable: true        
 -
     slot: 5
     type: "certificate"
     name: "/C=US/O=ISC/CN=CertAgent 7.0.8 Root CA 0DB4/CN=CertAgent 7.0.8 Root CA 0DB4"
     fingerprint: "D7AE7F335BCD02CC3D1433BF60F66113FBB4339E"
     algorithm: RSA
     bits: 3072
     usage: Sign,Verify
     startValidity: "2021-01-21 19:54:46"
     endValidity: "2026-01-21 19:54:46"
     exportable: true
     clearExportable: false
     passwordExportable: false
     requiresAuth: false
     modifiable: true
 -
     slot: 6
     type: "key"
     name: ""
     kcv: "F1FB"
     algorithm: RSA
     bits: 3072
     usage: Encrypt,Decrypt,Sign,Verify,Wrap,Unwrap
     startValidity: "1971-01-01 00:00:00"
     endValidity: "2999-01-01 00:00:00"
     exportable: false
     clearExportable: false
     passwordExportable: false
     requiresAuth: true
     modifiable: true
 -
     slot: 7
     type: "key"
     name: ""
     kcv: "2CBF"
     algorithm: RSA
     bits: 3072
     usage: Encrypt,Verify,Wrap
     startValidity: "1971-01-01 00:00:00"
     endValidity: "2999-01-01 00:00:00"
     exportable: true
     clearExportable: false
     passwordExportable: false
     requiresAuth: true
     modifiable: true
 -
     slot: 8
     type: "certificate"
     name: "/C=US/O=ISC/CN=CertAgent 7.0.8 Root CA 0DB4/CN=centos6.linuxvmimages.local"
     fingerprint: "29E36582281B7029E468E8FA6E4139077996851B"
     algorithm: RSA
     bits: 3072
     usage: Sign,Verify,Wrap,Unwrap
     startValidity: "2021-01-21 19:54:47"
     endValidity: "2026-01-21 19:54:46"
     exportable: true
     clearExportable: false
     passwordExportable: false
     requiresAuth: false
     modifiable: true
﻿
If all 9 keys are present, the installation was successful.
Access CertAgent sites
The following requires the certificates installed by CertAgent to be added to the trusted list of your web browser.
The following URLs may be used to access CertAgent using Internet Explorer or Firefox.
System Administrative Site
Admin controls over the system and server. Configuration settings can be done here as well. You must connect with the Admin certificate.
﻿https://127.0.0.1:8443/certagentadmin/admin/login.jsp﻿
CA Account Site
Allows the certificate enrollment, management, CRL, and other settings to be set when connected with the Admin certificate.
Allows CSRs to be approved, signed, revoked, and other certificate enrollment tasks to be completed when connected with the Operations certificate.
﻿https://centos6.linuxvmimages.local:8443/certagentadmin/ca/login.jsp﻿
Public Site
Allows users to enroll, upload, and retrieve certificates to and from the  when connected with the Client certificate.
﻿https://centos6.linuxvmimages.local/certagent/main.jsp﻿
Ensure proper communication between CertAgent and the  
1
Using the Public Site, send a certificate signing request (CSR) using the Enroll function. Using either Internet Explorer or Firefox, you can generate a key for a certificate to be signed by the .
2
After sending in a CSR, login to the CA Account Site using the Operations certificate and find the certificate in the pending section and issue it. Proper configuration of the application with the HSM will allow the certificate to be issued and retrieved all from the web.
﻿
Updated 06 Dec 2024
Did this page help you?
Install and configure ISC CertAgent for Windows
Microsoft ADCS