Install RHCS and deploy the subsystem
This section outlines the basic installation method for RHCS. The process assumes you already installed Red Hat Enterprise Linux (RHEL), subscribed the system to the Red Hat subscription management service, attached the Red Hat Certificate System subscription, and enabled the required repositories. Refer to the RHCS Get Started article for instructions on how to perform these prerequisite actions.
RHCS requires the Red Hat Directory Server, which serves as an internal repository for certificate requests, certificates, and so on. Install the directory server packages by using the following command:
Run the following directory server installation script, selecting the defaults or customizing as needed:
By default, Red Hat Directory Server does not automatically run on system startup. Run the following command to ensure that the directory server starts automatically if the computer reboots:
Install the certificate system packages:
If you want to deploy an RHCS subsystem by using an HSM with SELinux running in enforcing mode, you must manually update certain SELinux and firewalld settings before deploying the subsystem. The following section describes the required actions.
Run the following commands to reset the context of the fxpkcs11.cfg file and the main fxpkcs11 directory:
Modify the paths to match the locations of the fxpkcs11.cfg file and the main fxpkcs11 directory on your system.
Run the following commands to allow outbound connections to TCP port 9100 (such as the Excrypt Production TLS port on the HSM):
The pkispawn command-line tool installs and configures a new PKI instance. It eliminates the need for separate installation and configuration steps, and you can run it either interactively, as a hands-off batch process, or as a batch process with prompts for passwords. Refer to the pkispawn man page for detailed information about all supported options by running man pkispawn.
The pkispawn command reads in its default installation and configuration values from a plain text configuration file (/etc/pki/default.cfg). This file consists of name=value pairs divided into [DEFAULT], [Tomcat], [CA], [KRA], [OCSP], [TKS], and [TPS] sections.
We strongly recommend that you read the full documentation to understand the purpose of every parameter in the /etc/pki/default.cfg file. This enables you to customize your PKI environment to your specific needs.
The Red Hat recommended procedure for spawning a subsystem that uses an HSM is to create an override configuration file that contains only the parameters necessary for using the HSM as its token. Any parameter settings in this file override the parameter settings in the default.cfg file.
To use the HSM, you can spawn any of the RHCS subsystems (CA, KRA, OCSP, TKS, or TPS), but this integration guide focuses solely on the Certificate Authority (CA) for brevity.
In a terminal, go to the directory where you installed the PKCS #11 module on your system (such as /usr/local/bin/fxpkcs11).
Run the following Vim command using sudo:
You can use the following example override file for spawning a CA subsystem with the HSM:
Replace every value shown in angle brackets with the value specific to your environment. Set all other values exactly as shown.
The pki_ds_password value must match the password set for the directory manager when you installed the Red Hat Directory Server.
After you have finished editing, save the file.
In a terminal, run the following command to deploy a CA subsystem by using the HSM:
If you are not running the command from the same directory where you saved default_futurex.txt, you must use the full path to the file.
If the deployment is successful, an installation summary similar to the following displays after the command completes:
If the pkispawn command fails, run the following command to delete the partially created subsystem instance before you re-attempt pkispawn.
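As an added example that is not part of this guide or of Red Hat's tooling, the following POSIX shell pre-flight check verifies an override file before pkispawn runs: it reports any angle-bracket placeholders that were never replaced and confirms that the HSM-related pkispawn parameters are present with pki_hsm_enable set to True. The pki_* names are standard pkispawn parameters; the file paths, module name and passwords in the two constructed sample files are placeholders.

```shell
#!/bin/sh
# Added example, not from the Futurex or Red Hat guide: sanity-check a pkispawn
# override file before deploying the CA subsystem on the HSM. The pki_* names
# are standard pkispawn parameters; all paths and secrets below are placeholders.

# Constructed sample override file; angle brackets mark values not yet filled in.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[DEFAULT]
pki_hsm_enable=True
pki_hsm_libfile=<path to the fxpkcs11 library>
pki_hsm_modulename=<module name>
pki_token_name=<HSM token name>
pki_token_password=<HSM token password>
pki_ds_password=<directory manager password>
pki_client_pkcs12_password=<CA admin PKCS #12 password>
EOF

# Constructed file with values filled in but the HSM disabled and the token
# password missing, to show what the check rejects (example values only).
INCOMPLETE=$(mktemp)
printf '[DEFAULT]\npki_hsm_enable=False\npki_hsm_libfile=/example/fxpkcs11.so\n' > "$INCOMPLETE"
printf 'pki_hsm_modulename=fxpkcs11\npki_token_name=example\npki_ds_password=x\n' >> "$INCOMPLETE"
echo 'pki_client_pkcs12_password=x' >> "$INCOMPLETE"

# Succeed only when no "<...>" placeholder remains; otherwise list them and fail.
placeholders_resolved() {
    ! grep -n '<[^>]*>' "$1"
}

# Check every key needed for an HSM-backed CA is present and pki_hsm_enable is
# True. Returns the number of problems found (0 means the file is usable).
required_keys_present() {
    problems=0
    for key in pki_hsm_enable pki_hsm_libfile pki_hsm_modulename pki_token_name \
               pki_token_password pki_ds_password pki_client_pkcs12_password; do
        grep -q "^$key=" "$1" || { echo "missing: $key" >&2; problems=$((problems + 1)); }
    done
    grep -q '^pki_hsm_enable=True$' "$1" \
        || { echo "pki_hsm_enable must be True" >&2; problems=$((problems + 1)); }
    return "$problems"
}

# Run pkispawn only when both checks pass; -s CA selects the subsystem type.
deploy_ca() {
    placeholders_resolved "$1" && required_keys_present "$1" \
        || { echo "fix $1 before running pkispawn" >&2; return 1; }
    pkispawn -s CA -f "$1"
}
```

Point deploy_ca at your real override file (for example default_futurex.txt); the two temporary files exist only to exercise the checks.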
To view the keys and certificates that RHCS created on the HSM, use the PKCS11Manager utility packaged with the PKCS #11 module.
In a terminal, go to the directory where you installed the FXPKCS11 module and run PKCS11Manager by using the following command:
This displays the following main menu:
Enter 8 to log in.
Enter 1.
Enter the password of the identity defined in the FXPKCS11 configuration file.
If successful, you get a confirmation that you are logged in.
Enter 3 to find objects.
Enter 1 to find all objects.
Information is printed for all keys and certificates that the connecting identity may access.
Red Hat Certificate System creates 15 objects on the HSM for a CA subsystem deployment.
The following steps assume you're using a Firefox web browser. There might be some differences in the actions taken when using a different browser, but the overall process is similar.
In Firefox, go to Settings > Privacy & Security > Certificates and select [ View Certificates ].
On the Your Certificates tab, select [ Import ] to import the CA Administrator PKCS #12 file (such as ca_admin_cert.p12). When it prompts for a password, enter the value that you configured for the pki_client_pkcs12_password parameter in the default_futurex.txt file.
Access the Red Hat Certificate System subsystem console by going to the following URL:
https://<fully qualified domain name>:8443/pki/ui/
When submitting Certificate Signing Requests (CSRs) in RHCS, the Common Name and UID fields are both required. If you submit a request with only the Common Name field completed, the request fails, and you get an error stating that the Subject Name does not match.