# Install and configure ISC CertAgent for Linux
Perform the following tasks to install and configure CertAgent and verify that it works properly:

- Install and configure CertAgent
- Verify the installation
- Access CertAgent sites
- Ensure proper communication

## Install and configure CertAgent

Perform the following tasks to install and configure CertAgent:

- Unpack the software distribution.
- Set the `LD_LIBRARY_PATH` environment variable and run the CertAgent installer.
- Run the post-installation step.

### Unpack the software distribution

The CertAgent package for Linux platforms consists of a ZIP archive that you can unzip (with directory structure preserved) into any convenient directory on your server hard drive.

### Set the environment variable and install

Perform the following steps to set the `LD_LIBRARY_PATH` environment variable and run the CertAgent installer:

1. In a terminal, go to the `certagent<version>` install directory. This directory should contain the `install.sh` file.
2. The CertAgent installer requires the location of the Futurex PKCS #11 (`fxpkcs11`) directory to be specified in the `LD_LIBRARY_PATH` environment variable. Run the following command to set the `LD_LIBRARY_PATH` variable and run the CertAgent installer in the same command. The path to the `fxpkcs11` library needs to be specific to where it is installed on your system. The variable is set through `env` because `sudo` strips `LD_LIBRARY_PATH` from the environment it passes to the installer.

```
[centos@centos6 certagent-7.0.8-install]$ sudo env LD_LIBRARY_PATH=/usr/local/bin/fxpkcs11 ./install.sh
```

The output should be similar to the following:

```
CertAgent Installation 7.0.8
Copyright(c) 2020 Information Security Corp. All rights reserved.

You are going to install CertAgent 7.0.8.
An HSM is required to be installed. Credentials will be generated on the HSM during the installation.

The following information is required during the installation process:
 - 64-bit Java 8, 11, or above installation directory
 - 64-bit HSM library, label, and PIN
 - If an existing Oracle, PostgreSQL, or HyperSQL database will be used, the location of the JDBC driver,
   access URL, user name and password for the Oracle, PostgreSQL, or HyperSQL database; otherwise,
   an HyperSQL database will be installed and requires a listening port
 - System hostname or IP address
 - TLS port for the Administrator site
 - TLS port for the Public site

The following directories must be specified in the LD_LIBRARY_PATH variable:
 - the 64-bit HSM libraries
 - the Oracle Instant Client libraries (if OCI driver will be used)

LD_LIBRARY_PATH is currently set to /usr/local/bin/fxpkcs11

Are the required directories specified in the LD_LIBRARY_PATH? [yes]
```

Press Enter to confirm that the required directories are specified in the `LD_LIBRARY_PATH` variable. Next, you must scroll through the license agreement and then accept it.

The first prompt after the license agreement is particularly important. It should look similar to the following example:

```
Specifying CertAgent Installation Type
1) NIAP Compliance
   - Require Java 8
   - Install Tomcat 8.5.50
   - Create a HyperSQL database server or use an existing PostgreSQL database
   - Generate HSM based TLS credential
2) Non-NIAP Compliance
   - Require Java 8, 11, or above
   - Install Tomcat 8.5.50
   - Create a HyperSQL database or use an existing PostgreSQL, Oracle, or HyperSQL database
   - Generate software based TLS credential
Answer [1]
```

Ensure that the first option is selected here, because you want Tomcat and the HyperSQL database server to be installed automatically, and you want the TLS credentials to be generated by using the {{ch}}.

For all prompts not specifically mentioned here, select the default value. At the following prompt, be sure to select option number one:

```
Specifying Database
Which database are you going to use?
1) I don't have one. Install and configure a HyperSQL 2.4.0 database for me.
2) An existing PostgreSQL database
Answer [1]
```

The installer eventually prompts for the location of the `fxpkcs11` library, so provide the full path to the `libfxpkcs11.so` file. If you are using an older version of CertAgent (such as CertAgent 6), it also asks for the HSM label; leave that field blank and proceed with the rest of the installation.

```
Specifying HSM Info
A CA account (account name CA7) and an initial set of credentials will be automatically generated.
System, Root CA, and TLS credentials will be generated on the chosen HSM.
64-bit HSM library: /usr/local/bin/fxpkcs11/libfxpkcs11.so
```

The next prompt displays something similar to the following example:

```
One partition found: label 10.0.5.223:9100; slot 0
Use this partition? [yes]
HSM PIN (no echo of input):
```

Confirm that you want to use the partition that it found, and enter the {{ch}} identity password configured inside the `<CRYPTO-OPR-PASS>` tag in the `fxpkcs11.cfg` file.

Next, CertAgent creates several different keys and certificates on the {{ch}}. You can use the default values for all prompts. When prompted to enter passwords for several different items, specify a password of your choosing for each instance.

If the CertAgent installation completes successfully, you see output similar to the following:

```
Summary
CertAgent has been installed.
Installation directory: /usr/local/certagent7
CertAgent service (isc-certagent7) has been installed. CertAgent restarts automatically upon system startup.
HSQLDB service (isc-certagent7-hsqldb) has been installed. HSQLDB server restarts automatically upon system startup.

Entering System PIN
===================
An administrator must enter the PIN of the HSM in which the system credential resided on each time the system is booted.
Run the following command, enter the HSM PIN and press Enter:
/usr/local/certagent7/certagent.sh setpin

Importing Authorized Users
==========================
Please import the administrator, auditor, and CA operations staff PKCS#12 files:
/usr/local/certagent7/keystore/ca-admin.p12
/usr/local/certagent7/keystore/ca-auditor.p12
/usr/local/certagent7/keystore/ca-operations-staff.p12
and the root certificate file:
/usr/local/certagent7/keystore/ca-root.der
into your browser's certificate and trust stores and use these keys to authenticate yourself to the webserver.

Note: AES-256 is used to encrypt your private key during the installation, the PKCS#12 files generated by the installer
can only be imported to compatible browsers (e.g., Firefox 56+).

Accessing CertAgent Sites
==========================
The following URLs may be used to access CertAgent using Internet Explorer or other supported browsers:
Admin access:      https://centos6.linuxvmimages.local:8443/certagentadmin/admin/login.jsp
CA account access: https://centos6.linuxvmimages.local:8443/certagentadmin/ca/login.jsp
Public access:     https://centos6.linuxvmimages.local:443/certagent/main.jsp

- The above information has been saved to install.log

Please run the '/usr/local/certagent7/certagent.sh setpin' command to set the system PIN.
Exit
```

### Run the post-installation step

Run the following command to set the system PIN:

```
[centos@centos6 certagent-7.0.8-install]$ sudo /usr/local/certagent7/certagent.sh setpin
Setting System PIN
Enter CertAgent System PIN (no echo of input):
01/21/21 14:57:05 EST System PIN set successfully
```

## Verify the installation

This section verifies that CertAgent is communicating correctly with the {{ch}}. After the installation completes, you can log in to the {{ch}} web UI to verify that the keys have been generated successfully.

You can also use the {{futurex}} command line interface (FXCLI) to validate that the CertAgent keys and certificates were generated and stored on the {{ch}}. After you connect and log in, run the `keytable list` command. The following example omits the `externalData` and `pkcs11Attributes` fields and their values to shorten the command output:

```
FXCLI $ keytable list
result: Status: Success
statusCode: 0
slots:
- slot: 0
  type: "key"
  name: ""
  kcv: "bfe0"
  algorithm: RSA
  bits: 3072
  usage: encrypt,decrypt,sign,verify,wrap,unwrap
  startValidity: "1971-01-01 00:00:00"
  endValidity: "2999-01-01 00:00:00"
  exportable: false
  clearExportable: false
  passwordExportable: false
  requiresAuth: true
  modifiable: true
- slot: 1
  type: "key"
  name: ""
  kcv: "7c0e"
  algorithm: RSA
  bits: 3072
  usage: encrypt,verify,wrap
  startValidity: "1971-01-01 00:00:00"
  endValidity: "2999-01-01 00:00:00"
  exportable: true
  clearExportable: false
  passwordExportable: false
  requiresAuth: true
  modifiable: true
- slot: 2
  type: "certificate"
  name: "/C=US/O=ISC/CN=CertAgent 7.0.8 Root CA 0db4/CN=CertAgent 7.0.8 System Key 0db4"
  fingerprint: "27262907210242616b91281fc6405dd82ee91b35"
  algorithm: RSA
  bits: 3072
  usage: sign,verify,wrap,unwrap
  startValidity: "2021-01-21 19:54:44"
  endValidity: "2026-01-21 19:54:44"
  exportable: true
  clearExportable: false
  passwordExportable: false
  requiresAuth: false
  modifiable: true
- slot: 3
  type: "key"
  name: ""
  kcv: "6840"
  algorithm: RSA
  bits: 3072
  usage: encrypt,decrypt,sign,verify,wrap,unwrap
  startValidity: "1971-01-01 00:00:00"
  endValidity: "2999-01-01 00:00:00"
  exportable: false
  clearExportable: false
  passwordExportable: false
  requiresAuth: true
  modifiable: true
- slot: 4
  type: "key"
  name: ""
  kcv: "7bda"
  algorithm: RSA
  bits: 3072
  usage: encrypt,verify,wrap
  startValidity: "1971-01-01 00:00:00"
  endValidity: "2999-01-01 00:00:00"
  exportable: true
  clearExportable: false
  passwordExportable: false
  requiresAuth: true
  modifiable: true
- slot: 5
  type: "certificate"
  name: "/C=US/O=ISC/CN=CertAgent 7.0.8 Root CA 0db4/CN=CertAgent 7.0.8 Root CA 0db4"
  fingerprint: "d7ae7f335bcd02cc3d1433bf60f66113fbb4339e"
  algorithm: RSA
  bits: 3072
  usage: sign,verify
  startValidity: "2021-01-21 19:54:46"
  endValidity: "2026-01-21 19:54:46"
  exportable: true
  clearExportable: false
  passwordExportable: false
  requiresAuth: false
  modifiable: true
- slot: 6
  type: "key"
  name: ""
  kcv: "f1fb"
  algorithm: RSA
  bits: 3072
  usage: encrypt,decrypt,sign,verify,wrap,unwrap
  startValidity: "1971-01-01 00:00:00"
  endValidity: "2999-01-01 00:00:00"
  exportable: false
  clearExportable: false
  passwordExportable: false
  requiresAuth: true
  modifiable: true
- slot: 7
  type: "key"
  name: ""
  kcv: "2cbf"
  algorithm: RSA
  bits: 3072
  usage: encrypt,verify,wrap
  startValidity: "1971-01-01 00:00:00"
  endValidity: "2999-01-01 00:00:00"
  exportable: true
  clearExportable: false
  passwordExportable: false
  requiresAuth: true
  modifiable: true
- slot: 8
  type: "certificate"
  name: "/C=US/O=ISC/CN=CertAgent 7.0.8 Root CA 0db4/CN=centos6.linuxvmimages.local"
  fingerprint: "29e36582281b7029e468e8fa6e4139077996851b"
  algorithm: RSA
  bits: 3072
  usage: sign,verify,wrap,unwrap
  startValidity: "2021-01-21 19:54:47"
  endValidity: "2026-01-21 19:54:46"
  exportable: true
  clearExportable: false
  passwordExportable: false
  requiresAuth: false
  modifiable: true
```

If all nine entries are present, the installation succeeded.

## Access CertAgent sites

The following requires the certificates installed by CertAgent to be added to the trusted list of your web browser. The following URLs may be used to access CertAgent using Internet Explorer or Firefox:

- System administrative site: administrative controls over the system and server configuration settings can be exercised here. You must connect with the admin certificate.
  - https://127.0.0.1:8443/certagentadmin/admin/login.jsp
  - https://centos6.linuxvmimages.local:8443/certagentadmin/admin/login.jsp
- CA account site: allows the certificate enrollment, management, CRL, and other settings to be set when connected with the admin certificate. Allows CSRs to be approved, signed, revoked, and other certificate enrollment tasks to be completed when connected with the operations certificate.
  - https://centos6.linuxvmimages.local:8443/certagentadmin/ca/login.jsp
- Public site: allows users to enroll, upload, and retrieve certificates to and from the {{ch}} when connected with the client certificate.
  - https://centos6.linuxvmimages.local/certagent/main.jsp
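"All nine entries are present" is the page's acceptance test for the "Verify the installation" step above, but a defender usually also wants to confirm what the listing implies: that the key pairs are RSA-3072, that the private halves are non-exportable and require HSM authentication, that the three certificates are inside their validity window and chain to the installer's Root CA, and that a TLS certificate exists for the system hostname. The script below is an added example and is not CertAgent, ISC or Futurex code. It parses a saved `keytable list` dump in the `key: value` layout shown above (any number of fields per line) and reports findings. The field names, the DN layout (issuer DN followed by the subject CN) and the embedded sample dump are assumptions modelled on the page's example output.

```python
"""Audit the HSM key table that the CertAgent installer created.

Added example, not part of the CertAgent or Futurex documentation. Parses a saved
FXCLI `keytable list` dump (key: value fields grouped per slot) and checks RSA-3072,
non-exportable PIN-gated private keys, certificate validity, issuance by the Root CA
and a TLS certificate for the host. Field names and DN layout are assumptions.
"""
import re
import sys
from datetime import datetime

# Constructed sample: the nine entries from the page's example, several fields per line.
SAMPLE_DUMP = """\
result: Status: Success
statusCode: 0
slots:
- slot: 0 type: "key" name: "" kcv: "bfe0" algorithm: RSA bits: 3072 usage: encrypt,decrypt,sign,verify,wrap,unwrap
  startValidity: "1971-01-01 00:00:00" endValidity: "2999-01-01 00:00:00"
  exportable: false clearExportable: false passwordExportable: false requiresAuth: true modifiable: true
- slot: 1 type: "key" name: "" kcv: "7c0e" algorithm: RSA bits: 3072 usage: encrypt,verify,wrap
  startValidity: "1971-01-01 00:00:00" endValidity: "2999-01-01 00:00:00"
  exportable: true clearExportable: false passwordExportable: false requiresAuth: true modifiable: true
- slot: 2 type: "certificate" name: "/C=US/O=ISC/CN=CertAgent 7.0.8 Root CA 0db4/CN=CertAgent 7.0.8 System Key 0db4"
  fingerprint: "27262907210242616b91281fc6405dd82ee91b35" algorithm: RSA bits: 3072 usage: sign,verify,wrap,unwrap
  startValidity: "2021-01-21 19:54:44" endValidity: "2026-01-21 19:54:44"
  exportable: true clearExportable: false passwordExportable: false requiresAuth: false modifiable: true
- slot: 3 type: "key" name: "" kcv: "6840" algorithm: RSA bits: 3072 usage: encrypt,decrypt,sign,verify,wrap,unwrap
  startValidity: "1971-01-01 00:00:00" endValidity: "2999-01-01 00:00:00"
  exportable: false clearExportable: false passwordExportable: false requiresAuth: true modifiable: true
- slot: 4 type: "key" name: "" kcv: "7bda" algorithm: RSA bits: 3072 usage: encrypt,verify,wrap
  startValidity: "1971-01-01 00:00:00" endValidity: "2999-01-01 00:00:00"
  exportable: true clearExportable: false passwordExportable: false requiresAuth: true modifiable: true
- slot: 5 type: "certificate" name: "/C=US/O=ISC/CN=CertAgent 7.0.8 Root CA 0db4/CN=CertAgent 7.0.8 Root CA 0db4"
  fingerprint: "d7ae7f335bcd02cc3d1433bf60f66113fbb4339e" algorithm: RSA bits: 3072 usage: sign,verify
  startValidity: "2021-01-21 19:54:46" endValidity: "2026-01-21 19:54:46"
  exportable: true clearExportable: false passwordExportable: false requiresAuth: false modifiable: true
- slot: 6 type: "key" name: "" kcv: "f1fb" algorithm: RSA bits: 3072 usage: encrypt,decrypt,sign,verify,wrap,unwrap
  startValidity: "1971-01-01 00:00:00" endValidity: "2999-01-01 00:00:00"
  exportable: false clearExportable: false passwordExportable: false requiresAuth: true modifiable: true
- slot: 7 type: "key" name: "" kcv: "2cbf" algorithm: RSA bits: 3072 usage: encrypt,verify,wrap
  startValidity: "1971-01-01 00:00:00" endValidity: "2999-01-01 00:00:00"
  exportable: true clearExportable: false passwordExportable: false requiresAuth: true modifiable: true
- slot: 8 type: "certificate" name: "/C=US/O=ISC/CN=CertAgent 7.0.8 Root CA 0db4/CN=centos6.linuxvmimages.local"
  fingerprint: "29e36582281b7029e468e8fa6e4139077996851b" algorithm: RSA bits: 3072 usage: sign,verify,wrap,unwrap
  startValidity: "2021-01-21 19:54:47" endValidity: "2026-01-21 19:54:46"
  exportable: true clearExportable: false passwordExportable: false requiresAuth: false modifiable: true
"""

FIELD = re.compile(r'(\w+):\s*("[^"]*"|\S+)')   # key: value, value either quoted or bare
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_keytable(text):
    """Return one dict per slot; bare true/false and integers are converted."""
    records = []
    for key, raw in FIELD.findall(text):
        quoted = raw.startswith('"')
        value = raw.strip('"')
        if not quoted and value in ("true", "false"):
            value = value == "true"
        elif not quoted and value.isdigit():
            value = int(value)
        if key == "slot":
            records.append({"slot": value})
        elif records:                       # anything before the first slot is the header
            records[-1][key] = value
    return records


def split_dn(name):
    """Assumed DN layout: the last CN is the subject, the CN before it the issuer."""
    cns = re.findall(r"CN=([^/]+)", name)
    return (cns[-2] if len(cns) > 1 else None, cns[-1] if cns else None)


def audit_keytable(records, hostname, root_cn, now):
    """Return a list of findings; an empty list means the key table looks right."""
    findings = []
    if len(records) != 9:
        findings.append(f"expected 9 entries, found {len(records)}")
    for r in records:
        tag = f"slot {r['slot']}"
        if (r.get("algorithm"), r.get("bits")) != ("RSA", 3072):
            findings.append(f"{tag}: expected RSA-3072, got {r.get('algorithm')}-{r.get('bits')}")
        usage = set(str(r.get("usage", "")).split(","))
        if r.get("type") == "key" and usage & {"decrypt", "sign", "unwrap"}:   # private half
            if r.get("exportable") or r.get("clearExportable") or r.get("passwordExportable"):
                findings.append(f"{tag}: private key is exportable")
            if not r.get("requiresAuth"):
                findings.append(f"{tag}: private key usable without HSM authentication")
        elif r.get("type") == "certificate":
            start = datetime.strptime(r["startValidity"], TIME_FMT)
            end = datetime.strptime(r["endValidity"], TIME_FMT)
            if not start <= now <= end:
                findings.append(f"{tag}: certificate outside validity window {start}..{end}")
            if split_dn(r.get("name", ""))[0] != root_cn:
                findings.append(f"{tag}: certificate not issued by {root_cn!r}")
    subjects = {split_dn(r.get("name", ""))[1] for r in records if r.get("type") == "certificate"}
    if root_cn not in subjects:
        findings.append(f"Root CA certificate {root_cn!r} not present")
    if hostname not in subjects:
        findings.append(f"no TLS certificate issued for {hostname!r}")
    return findings


if __name__ == "__main__":   # python audit_keytable.py [saved_dump.txt]; falls back to the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    problems = audit_keytable(parse_keytable(text), "centos6.linuxvmimages.local",
                              "CertAgent 7.0.8 Root CA 0db4", datetime.now())
    print("\n".join(problems) or "key table OK: nine entries, private keys locked to the HSM")
    sys.exit(1 if problems else 0)
```

Run it against a dump saved from FXCLI with the hostname and Root CA name of your own installation in place of the sample values; a non-zero exit status with a list of findings is the signal to stop and re-run the installer rather than continue to the site checks.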
## Ensure proper communication

Perform the following steps to ensure proper communication between CertAgent and the {{ch}}:

1. Using the public site, send a certificate signing request (CSR) by using the Enroll function. Using either Internet Explorer or Firefox, you can generate a key for a certificate to be signed by the {{ch}}.
2. After sending in the CSR, log in to the CA account site by using the operations certificate, find the certificate in the Pending section, and issue it.

If the application is configured correctly with the HSM, you can issue and retrieve the certificate from the web.