Install Red Hat Certificate System and deploy the subsystem

this guide assumes the following prerequisites you have already installed red hat enterprise linux (rhel) the system is subscribed to the red hat subscription management service the red hat certificate system subscription is attached the required repositories are enabled refer to the rhcs get started https //access redhat com/products/red hat certificate system/get started article for instructions on performing the preceding actions perform the following tasks to install the certificate system and deploy the subsystem install rhcs and its prerequisites modify selinux to support subsystem deployment using an hsm run the pkispawn script to create and configure a subsystem instance prepare an override configuration file with the required hsm parameters run the pkispawn utility import the ca administrator pkcs #12 file into your browser access the ca subsystem install rhcs perform the following steps to install rhcs and its prerequisites rhcs requires red hat directory server , which serves as an internal repository for certificate requests, certificates, and so on install the directory server packages by using the following command sudo yum install redhat ds run the directory server installation script, selecting the defaults or customizing as desired sudo /usr/sbin/setup ds admin pl by default, red hat directory server does not automatically run on system startup run the following command to ensure that the directory server starts automatically if the computer is rebooted sudo systemctl enable dirsrv target install the certificate system packages sudo yum install redhat pki modify selinux if you want to deploy an rhcs subsystem by using an hsm (such as {{ch}} ) and selinux is running in enforcing mode, you must manually update certain selinux and firewalld settings before deploying the subsystem perform the following steps to modify selinux to support subsystem deployment using an hsm run the following commands to reset the context of the fxpkcs11 cfg file and the main fxpkcs11 directory sudo /sbin/restorecon v /etc/fxpkcs11 cfg sudo /sbin/restorecon r /usr/local/bin/fxpkcs11/ modify the paths to match the locations of the fxpkcs11 cfg file and the main fxpkcs11 directory on your system run the following commands to allow outbound connections to tcp port 2001 (such as the system/host api port on the {{ch}} ) sudo semanage port m t http port t p tcp 2001 create and a subsystem instance the next step is to run the pkispawn script to create and configure a subsystem instance the pkispawn command line tool installs and configures a new pki instance it eliminates the need for separate installation and configuration steps, and you can run it interactively, as a batch process, or as a combination of both (batch process with prompts for passwords) refer to the pkispawn man page for detailed information about all supported options by running man pkispawn the pkispawn command reads in its default installation and configuration values from a plain text configuration file ( /etc/pki/default cfg ) this file consists of name=value pairs divided into \[default] , \[tomcat] , \[ca] , \[kra] , \[ocsp] , \[tks] , and \[tps] sections we strongly recommend that you read the full documentation to understand the purpose of every parameter in the /etc/pki/default cfg file this enables you to customize your pki environment to your specific needs the red hat recommended procedure for spawning a subsystem that uses an hsm is to create an override configuration file that contains only the parameters necessary for using the hsm as its token any parameter settings in this file override the parameter settings in the default cfg file you can spawn any rhcs subsystems ( ca , kra , ocsp , tks , tps ) to use the hsm, but this integration guide focuses on the certificate authority ( ca ) for brevity prepare a configuration file perform the following steps to prepare an override configuration file with the required hsm parameters in a terminal, go to the directory where the futurex pkcs #11 module is installed on your system (such as /usr/local/bin/fxpkcs11 ) run the following vi command as sudo sudo vi default futurex txt you can use the following example override file for spawning a ca subsystem with the hsm you must set all values contained within angle brackets to your specific value set all other values exactly as shown the pki ds password value must match the password set for the directory manager when you installed the red hat directory server set the pki token password value to the {{ch}} identity password configured inside the \<crypto opr pass> tag in the fxpkcs11 cfg file \[default] \########################## \# provide hsm parameters # \########################## pki hsm enable=true pki hsm libfile=\<path to fxpkcs11 libfile> pki hsm modulename=fxpkcs11 pki token name=futurex pki token password=\<hsm identity password> \######################################## \# provide pki specific hsm token names # \######################################## pki audit signing token=futurex pki ssl server token=futurex pki subsystem token=futurex \################################## \# provide pki specific passwords # \################################## pki admin password=\<pki admin password> pki client pkcs12 password=\<pki client pkcs12 password> pki ds password=\<pki ds password> \##################################### \# provide non ca specific passwords # \##################################### pki client database password=\<pki client database password> \[ca] \####################################### \# provide ca specific hsm token names # \####################################### pki ca signing token=futurex pki ocsp signing token=futurex after you have finished editing, save the file run the pkispawn utility perform the following steps to run the pkispawn utility in a terminal, run the following command to deploy a ca subsystem by using the {{ch}} the full path to the default futurex txt file is required if you are not running the command from the same directory where you saved default futurex txt sudo pkispawn s ca f default futurex txt vvv if the deployment succeeds, an installation summary similar to the following displays after the command completes ========================================================================== installation summary \========================================================================== administrator's username caadmin administrator's pkcs #12 file /root/ dogtag/pki tomcat/ca admin cert p12 to check the status of the subsystem systemctl status pki tomcatd\@pki tomcat service to restart the subsystem systemctl restart pki tomcatd\@pki tomcat service the url for the subsystem is https //localhost localdomain 8443/ca pki instances will be enabled upon system boot \========================================================================== remedial operation if the pkispawn command fails, you must do the following two things before re attempting to run the pkispawn command log in to the {{ch}} web ui, go to the certificate authorities menu, and confirm whether the ca signing certificate certificate container exists if it does, you must delete it (also deleting all certificates inside it) before running pkispawn again otherwise, the command fails delete the partially created ca subsystem instance by running the following pkidestroy command sudo pkidestroy s ca i pki tomcat import the pkcs #12 file perform the following steps to import the ca administrator pkcs #12 file into your browser the following steps run in the firefox web browser there might be some differences when using a different browser, but the process is similar in firefox, go to settings > privacy & security > certificates and select \[ view certificates ] under the your certificates tab, select \[ import ] to import the ca administrator pkcs #12 file ( ca admin cert p12 ) when it prompts for a password, enter the value you configured for the pki client pkcs12 password define in the default futurex txt file the location of the ca admin cert p12 file is included in the installation summary for the ca subsystem deployment access the ca subsystem perform the following steps to access the new ca subsystem in the browser access the red hat certificate system subsystem console by going to the following url https // 8443/pki/ui/ when submitting certificate signing requests (csrs) in rhcs, the common name and uid fields are both required if you submit a request with only the common name field, the request fails, and you receive an error stating that the subject name does not match