Red Hat Certificate System installation and subsystem deployment
This section outlines the basic installation method for Red Hat Certificate System (RHCS). It is assumed that you already have installed Red Hat Enterprise Linux (RHEL), the system is subscribed to the Red Hat subscription management service, the Red Hat Certificate System subscription is attached, and the required repositories are enabled. Please refer to the RHCS Get Started article for instructions on how to perform the above actions.
RHCS requires Red Hat Directory Server, which serves as an internal repository for certificate requests, certificates, etc. Install the directory server packages using the following command:
Run the directory server installation script, selecting the defaults or customizing as desired:
By default, Red Hat Directory Server does not automatically run on system startup. Run the following command to ensure that the directory server starts automatically if the computer is rebooted.
Install the certificate system packages:
If you want to deploy an RHCS subsystem using a Hardware Security Module (HSM) and SELinux is running in enforcing mode, certain SELinux and firewalld settings must be manually updated before deploying the subsystem. The following section describes the required actions.
Run the following commands to reset the context of the fxpkcs11.cfg file and the main fxpkcs11 directory:
Modify the paths to match the locations of the fxpkcs11.cfg file and the main fxpkcs11 directory on your system.
Run the following commands to allow outbound connections to TCP port 9100 (i.e., the Excrypt Production TLS port on the HSM):
The pkispawn command line tool is used to install and configure a new PKI instance. It eliminates the need for separate installation and configuration steps, and may be run either interactively, as a batch process, or a combination of both (batch process with prompts for passwords). Refer to the pkispawn man page for detailed information about all supported options by running "man pkispawn".
The pkispawn command reads in its default installation and configuration values from a plain text configuration file (/etc/pki/default.cfg). This file consists of name=value pairs divided into [DEFAULT], [Tomcat], [CA], [KRA], [OCSP], [TKS], and [TPS] sections.
It is strongly recommended that you read the full documentation to understand the purpose of every parameter in the /etc/pki/default.cfg file. This will allow you to customize your PKI environment to your specific needs.
Red Hat's recommended procedure for spawning a subsystem that uses an HSM is to create an override configuration file that contains only the parameters necessary for using the HSM as its token. Any parameter settings in this file will override the parameter settings in the default.cfg file.
Any of the various RHCS subsystems (CA, KRA, OCSP, TKS, TPS) can be spawned to use the HSM, but this integration guide will focus solely on the Certificate Authority (CA) for brevity.
In a terminal, navigate to the directory where the Futurex PKCS #11 module is installed on your system (e.g., /usr/local/bin/fxpkcs11).
Using sudo, open a new override file in Vim with the following command:
The following is an example override file that can be used for spawning a CA subsystem with the HSM:
All values contained within angle brackets need to be set to a specific value by the user. All other values should be set exactly as shown.
The pki_ds_password value must match the password set for the Directory Manager when Red Hat Directory Server was installed.
After you have finished editing, save the file. Because the override file holds the Directory Manager, HSM token and administrator passwords in plaintext, keep it readable only by root and move it off the host (or delete it) once the deployment has succeeded.
In a terminal, run the following command to deploy a CA subsystem using the Vectera Plus HSM:
The full path to the default_futurex.txt file is required if you are not running the command from the same directory where default_futurex.txt is saved.
If the deployment is successful, an installation summary similar to the following will be presented after the command completes:
If the pkispawn command fails, run the following command to delete the partially created subsystem instance before re-running pkispawn.
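The override-file procedure above, from writing the file through spawning the CA and cleaning up after a failed spawn, as an added example that is not part of the original guide or of Red Hat's or Futurex's tooling. The parameter names are pkispawn's documented default.cfg keys (confirm them against "man pkispawn" for your release); the module path /usr/local/bin/fxpkcs11/libfxpkcs11.so, the module name "fxpkcs11" and the instance name "pki-tomcat" are assumed illustrative values, not taken from the guide. The script refuses to deploy while any angle-bracket placeholder is still unfilled, which is the mistake most likely to produce a half-built instance.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide: build a pkispawn override file for an
# HSM-backed CA, refuse to deploy while any <placeholder> is unfilled, and remove a
# half-built instance with pkidestroy if pkispawn fails.
# Assumptions: the key names are pkispawn's documented default.cfg keys; the module
# path, module name and instance name below are illustrative and must be replaced.
set -u

# Write the override file. Values in <angle brackets> must be replaced before use.
write_override() {
  cat > "$1" <<'EOF'
[DEFAULT]
pki_instance_name=pki-tomcat
pki_hsm_enable=True
pki_hsm_libfile=/usr/local/bin/fxpkcs11/libfxpkcs11.so
pki_hsm_modulename=fxpkcs11
pki_token_name=<HSM token label>
pki_token_password=<HSM identity password>
pki_sslserver_token=<HSM token label>
pki_subsystem_token=<HSM token label>
pki_admin_password=<CA admin password>
pki_client_pkcs12_password=<PKCS #12 export password>
pki_ds_password=<Directory Manager password>

[CA]
pki_ca_signing_token=<HSM token label>
pki_ocsp_signing_token=<HSM token label>
pki_audit_signing_token=<HSM token label>
EOF
}

# Replace every occurrence of a placeholder (literal match, not a regex) with a value.
# awk -v interprets backslash escapes, so a value containing "\" needs it doubled.
fill_placeholder() {
  local cfg="$1" ph="$2" val="$3" tmp
  tmp=$(mktemp)
  awk -v p="$ph" -v v="$val" '{
      out = ""; s = $0
      while ((i = index(s, p)) > 0) { out = out substr(s, 1, i - 1) v; s = substr(s, i + length(p)) }
      print out s
  }' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Print the value of a key (first match; values may themselves contain "=").
get_value() {
  awk -F= -v k="$2" '$1 == k { print substr($0, length(k) + 2); exit }' "$1"
}

# Preflight: return 1 if any placeholder survives or a required HSM/password key
# is missing or empty. Run this before touching the system.
check_override() {
  local cfg="$1" rc=0 key
  if grep -n '=.*<[^>]*>' "$cfg" >&2; then
    echo "error: unfilled placeholders in $cfg" >&2; rc=1
  fi
  for key in pki_hsm_enable pki_hsm_libfile pki_hsm_modulename pki_token_name \
             pki_token_password pki_ds_password pki_client_pkcs12_password; do
    grep -q "^${key}=." "$cfg" || { echo "error: $key missing or empty" >&2; rc=1; }
  done
  return "$rc"
}

# Deploy the CA; on failure remove the partially created instance so that
# pkispawn can be retried (the guide's recovery step).
spawn_ca() {
  local cfg="$1" inst
  check_override "$cfg" || return 1
  chmod 600 "$cfg"   # the file holds the token, admin and Directory Manager passwords
  if ! pkispawn -s CA -f "$cfg"; then
    inst=$(get_value "$cfg" pki_instance_name)
    pkidestroy -s CA -i "$inst"
    return 1
  fi
}

# Stand-alone run: write the template and report what still needs filling.
# Run as root with DO_SPAWN=1, after filling every placeholder, to actually deploy.
cfg="${OVERRIDE_CFG:-./default_futurex.txt}"
write_override "$cfg"
if [ "${DO_SPAWN:-0}" = 1 ]; then
  spawn_ca "$cfg"
else
  check_override "$cfg" || echo "fill the placeholders above, then rerun with DO_SPAWN=1" >&2
fi
```

Fill the placeholders with fill_placeholder (or by hand in Vim), re-run check_override until it is silent, and only then spawn; get_value is also a convenient way to pull the instance name for pkidestroy without retyping it.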
To view the keys and certificates that RHCS created on the HSM, we will use the PKCS11Manager utility packaged with the Futurex PKCS #11 module.
In a terminal, navigate to the directory where the FXPKCS11 module is installed and run PKCS11Manager using the following command:
This will present the following main menu:
Type "8" to login, then press Enter.
Type "1", then press Enter.
Type the password of the identity that is defined in the FXPKCS11 configuration file, then press Enter. If successful, you will receive confirmation that you are logged in.
Type "3" to find objects, then press Enter.
Type "1" to find all objects, then press Enter.
Information will be printed for all keys and certificates that the connecting identity has access to.
Red Hat Certificate System creates 15 objects on the HSM for a CA subsystem deployment.
The following steps were completed using a Firefox web browser. There may be some differences in the actions taken when using a different browser, but the overall intent of the process will be the same.
In Firefox, navigate to Settings > Privacy & Security > Certificates and click the View Certificates button.
Under the Your Certificates tab, select Import to import the CA Administrator PKCS #12 file (i.e., ca_admin_cert.p12). When it prompts for a password, enter the value that was configured for the pki_client_pkcs12_password parameter in the default_futurex.txt file.
Access the Red Hat Certificate System subsystem console by navigating to the URL below:
https://<fully qualified domain name>:8443/pki/ui/
When submitting Certificate Signing Requests (CSRs) to Red Hat Certificate System, both the Common Name (CN) and the UID fields of the subject are required. If you submit a request whose subject contains only the Common Name, the request will be rejected with an error stating that the Subject Name does not match.
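The CSR requirement above, as an added example that is not part of the original guide: compose a subject that carries both UID and CN, check a subject string for the two RDNs before the request is submitted, and generate the key and CSR with OpenSSL. The user "jdoe", the display name and the file names are made-up values.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): build and check a CSR subject that
# carries both UID and CN, then generate the CSR with OpenSSL. The user id, display
# name and output file names are assumptions for illustration.
set -u

# Return 0 when the OpenSSL-style subject ("/UID=.../CN=...") contains both RDNs;
# otherwise list the missing ones on stderr and return 1.
check_subject() {
  local subj="$1" missing="" rdn
  for rdn in UID CN; do
    case "$subj" in
      */"$rdn"=*) ;;
      *) missing="$missing $rdn" ;;
    esac
  done
  [ -z "$missing" ] || { echo "subject is missing:$missing" >&2; return 1; }
}

# Compose the subject from a user id and a display name. "/" separates RDNs in
# OpenSSL's -subj syntax, so any slash in the inputs is replaced with "_".
csr_subject() {
  local uid="${1//\//_}" cn="${2//\//_}"
  printf '/UID=%s/CN=%s' "$uid" "$cn"
}

# Generate a private key and CSR with that subject (needs openssl on PATH) and
# print the subject back so it can be compared with what RHCS expects.
make_csr() {
  local subj="$1" key="$2" csr="$3"
  check_subject "$subj" || return 1
  openssl req -new -newkey rsa:3072 -nodes -keyout "$key" -out "$csr" -subj "$subj" 2>/dev/null \
    && openssl req -in "$csr" -noout -subject
}

# Stand-alone run: produce jdoe.key and jdoe.csr in the current directory.
if command -v openssl >/dev/null 2>&1; then
  make_csr "$(csr_subject jdoe 'John Doe')" jdoe.key jdoe.csr
fi
```

Paste the contents of jdoe.csr into the enrollment form; a subject of "/CN=John Doe" alone fails check_subject, which is the same condition the CA reports as a Subject Name mismatch.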