Install Red Hat Certificate System and deploy the subsystem
This guide assumes the following prerequisites:
- You have already installed Red Hat Enterprise Linux (RHEL).
- The system is subscribed to the Red Hat subscription management service.
- The Red Hat Certificate System subscription is attached.
- The required repositories are enabled.
Refer to the RHCS Get Started article for instructions on performing the preceding actions.
Perform the following tasks to install the Certificate System and deploy the subsystem:
RHCS requires Red Hat Directory Server, which serves as an internal repository for certificate requests, certificates, etc. Install the directory server packages using the following command:
Run the directory server installation script, selecting the defaults or customizing as desired:
By default, Red Hat Directory Server does not automatically run on system startup. Run the following command to ensure that the directory server starts automatically if the computer is rebooted.
Install the certificate system packages:
If you want to deploy an RHCS subsystem by using an HSM (such as ) and SELinux is running in enforcing mode, you must manually update certain SELinux and firewalld settings before deploying the subsystem. The following section describes the required actions.
Run the following commands to reset the context of the fxpkcs11.cfg file and the main fxpkcs11 directory:
Modify the paths to match the locations of the fxpkcs11.cfg file and the main fxpkcs11 directory on your system.
Run the following commands to allow outbound connections to TCP port 2001 (such as the System/Host API port on the ):
The pkispawn command line tool installs and configures a new PKI instance. It eliminates the need for separate installation and configuration steps, and you can run it interactively, as a batch process, or as a combination of both (batch process with prompts for passwords). Refer to the pkispawn man page for detailed information about all supported options by running man pkispawn.
The pkispawn command reads in its default installation and configuration values from a plain text configuration file (/etc/pki/default.cfg). This file consists of name=value pairs divided into [DEFAULT], [Tomcat], [CA], [KRA], [OCSP], [TKS], and [TPS] sections.
We strongly recommend that you read the full documentation to understand the purpose of every parameter in the /etc/pki/default.cfg file. This enables you to customize your PKI environment to your specific needs.
The Red Hat recommended procedure for spawning a subsystem that uses an HSM is to create an override configuration file that contains only the parameters necessary for using the HSM as its token. Any parameter settings in this file override the parameter settings in the default.cfg file.
You can spawn any RHCS subsystems (CA, KRA, OCSP, TKS, TPS) to use the HSM, but this integration guide focuses on the Certificate Authority (CA) for brevity.
In a terminal, go to the directory where the Futurex PKCS #11 module is installed on your system (such as /usr/local/bin/fxpkcs11).
Run the following vi command as sudo:
You can use the following example override file for spawning a CA subsystem with the HSM:
You must set all values contained within angle brackets to your specific value. Set all other values exactly as shown.
The pki_ds_password value must match the password set for the directory manager when you installed the Red Hat Directory Server.
Set the pki_token_password value to the identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.
After you have finished editing, save the file.
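Before running pkispawn, it is worth checking the override file for values that were left inside angle brackets or for empty passwords, since pkispawn will otherwise fail partway through and leave a half-created instance. The following pre-flight check is an added example, not code from the Futurex or Red Hat guide; it assumes the override file keeps pkispawn's INI layout ([DEFAULT], [CA], and so on) and that unfinished values are still wrapped in angle brackets as in the template, and the sample file contents are constructed here.

```python
"""Pre-flight check for a pkispawn override file such as default_futurex.txt."""
import configparser
import re

# Unreplaced template values look like <Directory Manager password>.
PLACEHOLDER = re.compile(r"<[^<>]+>")

# Keys the guide says must be set to site-specific values.
REQUIRED = ("pki_ds_password", "pki_token_password", "pki_client_pkcs12_password")

# Constructed sample: one placeholder left in, one password left empty.
SAMPLE = """\
[DEFAULT]
pki_ds_password=<Directory Manager password>
pki_token_password=hsm-operator-pass
[CA]
pki_client_pkcs12_password=
"""


def load_override(text):
    """Parse override text the way pkispawn does (name=value pairs in sections).
    interpolation=None so a '%' inside a password is not treated as a variable."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def iter_options(cp):
    """Yield (section, key, value) once each; configparser repeats [DEFAULT]
    entries inside every other section, so those copies are skipped here."""
    defaults = cp.defaults()
    for key, value in defaults.items():
        yield "DEFAULT", key, value
    for section in cp.sections():
        for key, value in cp.items(section):
            if key not in defaults or value != defaults[key]:
                yield section, key, value


def check_override(text):
    """Return a list of problems; an empty list means the file is ready to use."""
    cp = load_override(text)
    problems, seen = [], set()
    for section, key, value in iter_options(cp):
        seen.add(key)
        if PLACEHOLDER.search(value):
            problems.append(f"{section}/{key}: placeholder {value!r} not replaced")
        elif key.endswith("_password") and not value.strip():
            problems.append(f"{section}/{key}: empty password")
    problems.extend(f"{key}: missing" for key in REQUIRED if key not in seen)
    return problems
```

Run check_override on the real file's contents (for example, open("default_futurex.txt").read()) and fix every reported line before invoking pkispawn.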
In a terminal, run the following command to deploy a CA subsystem by using the .
The full path to the default_futurex.txt file is required if you are not running the command from the same directory where you saved default_futurex.txt.
If the deployment succeeds, an installation summary similar to the following displays after the command completes:
If the pkispawn command fails, you must do the following two things before re-attempting to run the pkispawn command:
Log in to the web UI, go to the Certificate Authorities menu, and confirm whether a certificate container named CA Signing Certificate exists. If it does, you must delete it (which also deletes all certificates inside it) before running pkispawn again. Otherwise, the command fails.
Delete the partially created CA subsystem instance by running the following pkidestroy command:
The following steps run in the Firefox web browser. There might be some differences when using a different browser, but the process is similar.
In Firefox, go to Settings > Privacy & Security > Certificates and select [ View Certificates ].
Under the Your Certificates tab, select [ Import ] to import the CA Administrator PKCS #12 file (ca_admin_cert.p12). When it prompts for a password, enter the value you configured for pki_client_pkcs12_password in the default_futurex.txt file.
The location of the ca_admin_cert.p12 file is included in the installation summary for the CA subsystem deployment.
Access the Red Hat Certificate System subsystem console by going to the following URL: https://:8443/pki/ui/
When submitting Certificate Signing Requests (CSRs) in RHCS, the Common Name and UID fields are both required. If you submit a request with only the Common Name field, the request fails, and you receive an error stating that the Subject Name does not match.