forked from freeipa/freeipa
-
Notifications
You must be signed in to change notification settings - Fork 0
PKI 10 CA Installation
Endi S. Dewata edited this page Dec 5, 2024
·
2 revisions
To install CA, IPA calls pkispawn with a configuration file.
-
Create and configure a new CA instance using pkispawn.
-
Create the config file with IPA specific parameters and passes it to the base class to call pkispawn.
In all cases the configuration file contains the following parameters:
[CA] # Server pki_security_domain_name=<security domain name> pki_enable_proxy=True pki_restart_configured_instance=False pki_backup_keys=True pki_backup_password=<admin password> pki_profiles_in_ldap=True pki_default_ocsp_uri=http://ipa-ca.<domain>/ca/ocsp # Client security database # pki_client_database_dir=<agent_db> # pki_client_database_password=<admin password> # pki_client_database_purge=False pki_client_pkcs12_password=<admin password> # Administrator pki_admin_name=admin pki_admin_uid=admin pki_admin_email=root@localhost pki_admin_password=<admin password> pki_admin_nickname=ipa-ca-agent pki_admin_subject_dn=cn=ipa-ca-agent,<subject base> pki_client_admin_cert_p12=/root/ca-agent.p12 # Directory server pki_ds_ldap_port=389 pki_ds_password=<dm password> pki_ds_base_dn=<basedn> pki_ds_database=ipaca pki_ds_ldaps_port=636 pki_ds_secure_connection=True pki_ds_secure_connection_ca_pem_file=<DS CA cert> # Certificate subject DN's pki_subsystem_subject_dn=cn=CA Subsystem,<subject base> pki_ocsp_signing_subject_dn=cn=OCSP Subsystem,<subject base> pki_ssl_server_subject_dn=cn=<FQDN>,<subject base> pki_audit_signing_subject_dn=cn=CA Audit,<subject base> pki_ca_signing_subject_dn=cn=Certificate Authority,<subject base> # Certificate nicknames pki_subsystem_nickname=subsystemCert cert-pki-ca pki_ocsp_signing_nickname=ocspSigningCert cert-pki-ca pki_ssl_server_nickname=Server-Cert cert-pki-ca pki_audit_signing_nickname=auditSigningCert cert-pki-ca pki_ca_signing_nickname=caSigningCert cert-pki-ca # CA key algorithm pki_ca_signing_key_algorithm=<ca signing algorithm> pki_pin=<PIN>
For CA clone, IPA adds the following parameters:
# Security domain registration pki_security_domain_hostname=<master host> pki_security_domain_https_port=443 pki_security_domain_user=admin pki_security_domain_password=<admin password> # Clone pki_clone=True pki_clone_pkcs12_path=<TMP_CA_P12> pki_clone_pkcs12_password=<dm password> pki_clone_replication_security=TLS pki_clone_replication_master_port=<master replication port> pki_clone_replication_clone_port=<DS_PORT> pki_clone_replicate_schema=False pki_clone_uri=https://<master host>:443
For external CA step 1, IPA adds the following parameters:
pki_external=True pki_external_csr_path=<csr file>
If it’s a Microsoft CA, IPA adds the following parameters:
# Include MS template name extension in the CSR pki_req_ext_add=True pki_req_ext_oid=1.3.6.1.4.1.311.20.2 pki_req_ext_critical=False pki_req_ext_data=1E0A00530075006200430041
For external CA step 2, IPA adds the following parameters:
pki_external=True pki_external_ca_cert_path=<cert filename> pki_external_ca_cert_chain_path=<cert chain filename> pki_external_step_two=True
After CA installation IPA enables secure LDAP connection with client certificate authenticaton in CS.cfg (see ipaserver/install/dogtaginstance.py):
authz.instance.DirAclAuthz.ldap.ldapauth.authtype=SslClientAuth authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipaca authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=subsystemCert cert-pki-ca authz.instance.DirAclAuthz.ldap.ldapconn.port=<DS_SECURE_PORT> authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=true internaldb.ldapauth.authtype=SslClientAuth internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipaca internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca internaldb.ldapconn.port=<DS_SECURE_PORT> internaldb.ldapconn.secureConn=true
Also IPA removes the internaldb from password.conf.