Firstly let's install the package (it's not currently available in the stable repo yet):
sudo yum --enablerepo=updates-testing install dogtag-pki 389-ds-base
We will use 389 Directory Server to create a new LDAP server instance that Dogtag can use:
sudo setup-ds.pl --silent\
General.FullMachineName=`hostname`\
General.SuiteSpotUserID=nobody\
General.SuiteSpotGroup=nobody\
slapd.ServerPort=389\
slapd.ServerIdentifier=pki-tomcat\
slapd.Suffix=dc=example,dc=com\
slapd.RootDN="cn=Directory Manager"\
slapd.RootDNPwd=yourpassword
and then create our CA subsystem with:
sudo su -
pkispawn
Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]:
Tomcat:
Instance [pki-tomcat]:
HTTP port [8080]:
Secure HTTP port [8443]:
AJP port [8009]:
Management port [8005]:
Administrator:
Username [caadmin]:
Password:
Verify password:
Import certificate (Yes/No) [N]?
Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]:
Directory Server:
Hostname [YOURVM.LOCAL]:
Use a secure LDAPS connection (Yes/No/Quit) [N]?
LDAP Port [389]:
Bind DN [cn=Directory Manager]:
Password:
Base DN [o=pki-tomcat-CA]:
Security Domain:
Name [LOCAL Security Domain]:
Begin installation (Yes/No/Quit)? Y
Log file: /var/log/pki/pki-ca-spawn.20171108144208.log
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Notice: Trust flag u is set automatically if the private key is present.
Created symlink /etc/systemd/system/multi-user.target.wants/pki-tomcatd.target → /usr/lib/systemd/system/pki-tomcatd.target.
==========================================================================
INSTALLATION SUMMARY
==========================================================================
Administrator's username: caadmin
Administrator's PKCS #12 file:
/root/.dogtag/pki-tomcat/ca_admin_cert.p12
To check the status of the subsystem:
systemctl status pki-tomcatd@pki-tomcat.service
To restart the subsystem:
systemctl restart pki-tomcatd@pki-tomcat.service
The URL for the subsystem is:
https://YOURVM.LOCAL:8443/ca
PKI instances will be enabled upon system boot
==========================================================================
We can now either use the CLI or web-based interface to manage the server - however we will firstly need to ensure that the certificate we generated prior (/root/.dogtag/pki-tomcat/ca_admin.cert) is included in the Firefox certificate store:
Firefox >> Edit >> Preferences >> Advanced >> Certificates >> View Certificates >> 'Your Certificates' >> 'Import...'
Browse to the web ui: https://YOURVM.LOCAL:8443/ca
You should be presented with a certificate dialog like below:
End users can access the following URL in order to request certificates:
https://yourvm.local:8443/ca/ee/ca/
For this purposes of this tutorial we will keep things simple and generate a certificate for use on a Windows machine - so let's firstly select 'Manual Server Certificate Enrolment':
openssl genrsa -out computer.key 2048
openssl req -new -sha256 -key computer.key -out computer.csr
cat computer.csr
and paste the certificate in as below:
Hopefully then (after hitting submit) we'll see:
Now - let's head to the admin section and approve the request:
https://yourvm.local:8443/ca/agent/ca/
List Requests >> Find
Click on the request, check the details etc. and finally hit 'Approve' at the bottom.
Once it has been approved you should see a copy of the (BASE64 encoded) certificate at the bottom of the confirmation page.
Finally we'll want to package this up a long with the corresponding private key:
openssl pkcs12 -inkey computer.key -in computer.pem -export -out computer.pfx
(where 'computer.pem' is the public portion that has just been generated.)
Proceed by importing the PFX file into the Windows Computer certificate store under 'Personal'.
Sources
Fedora Project :: PKI :: Quick Start
Sources
Fedora Project :: PKI :: Quick Start
0 comments:
Post a Comment