Install and configure ISC CertAgent for Linux
Perform the following tasks to install and configure the CertAgent and verify that it works properly:
- Install and configure CertAgent.
- Verify the installation.
- Access CertAgent sites.
- Ensure proper communication.
Perform the following tasks to install and configure CertAgent:
- Unpack the software distribution.
- Set the LD_LIBRARY_PATH environment variable and run the CertAgent installer.
- Run the post-installation step.
The CertAgent package for Linux platforms consists of a zip archive that you can unzip (with directory structure preserved) into any convenient directory on your server hard drive.
Perform the following steps to set the LD_LIBRARY_PATH environment variable and run the CertAgent installer:
In a terminal, go to the certagent<version>-install directory. This directory should contain the install.sh file.
The CertAgent installer requires the location of the Futurex PKCS #11 (FXPKCS11) directory to be specified in the LD_LIBRARY_PATH environment variable. Run the following command to set the LD_LIBRARY_PATH variable and run the CertAgent installer in the same command:
The path to the FXPKCS11 library needs to be specific to where it is installed on your system.
The output should be similar to the following:
Hit Enter to confirm that the required directories are specified in the LD_LIBRARY_PATH variable.
Next, you must scroll through the license agreement and then accept it.
The first prompt after the license agreement is particularly important. It should look similar to the following example:
Ensure that the first option is selected here because you want Tomcat and HyperSQL database server to be installed automatically, and we want to generate TLS credentials by using the .
For all prompts not specifically mentioned here, select the default value.
At the following prompt, be sure to select option number one.
The installer eventually prompts for the location of the FXPKCS11 library, so provide the full path to the libfxpkcs11.so file.
If using an older version of CertAgent (such as CertAgent 6), it asks for the HSM label. Leave the field blank and proceed with the rest of the installation.
The next prompt display something similar to the following example:
Confirm that you want to use the partition that it found,and enter the identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.
Next, CertAgent creates several different keys and certificates on the .
You can use the default values for all prompts.
When prompted to enter passwords for several different items, for each instance, specify a password of your choosing.
If the CertAgent installation completes successfully, you see output similar to the following:
Run the following command to set the system PIN:
This section verifies that CertAgent is communicating correctly with the .
After the installation completes, you can log in to the web UI to verify that the keys have successfully been generated.
You can use the Command Line Interface (FXCLI) to validate that the CertAgent keys and certificates were generated and stored on the . After you connect and log in, run the keytable list command.
The following example removes the externalData and pkcs11Attributes fields and associated values to shorten the command output.
If all nine keys are present, the installation succeeded.
The following requires the certificates installed by CertAgent to be added to the trusted list of your web browser.
The following URLs may be used to access CertAgent using Internet Explorer or Firefox.
System Administrative Site
- Admin controls over the system and server. Configuration settings can be done here as well. You must connect with the Admin certificate.
CA Account Site
- Allows the certificate enrollment, management, CRL, and other settings to be set when connected with the Admin certificate.
- Allows CSRs to be approved, signed, revoked, and other certificate enrollment tasks to be completed when connected with the Operations certificate.
Public Site
- Allows users to enroll, upload, and retrieve certificates to and from the when connected with the Client certificate.
Perform the following steps to ensure proper communication between CertAgent and the :
Using the Public Site, send a certificate signing request (CSR) by using the Enroll function. Using either Internet Explorer or Firefox, you can generate a key for a certificate to be signed by the .
After sending in a CSR, log in to the CA Account Site by using the Operations certificate, find the certificate in the pending section, and issue it. Proper application configuration with the HSM enables you to issue and retrieve the certificate from the web.