From Dogtag
PKI Components
See the PKI Components page for details about all of the PKI subsystems that comprise the Dogtag Certificate System.
Prerequisites
Please make sure you meet all these prerequisites before you start to build a Dogtag Certificate System.
System Prerequisites
The following system prerequisites are required to build PKI subsystems:
Runtime Tools
The following runtime environment is required to build these PKI subsystems:
Directory Server Requirements
The CA, DRM, OCSP, TKS, and TPS require the Fedora Directory Server to be installed, while the RA requires SQLite. Dogtag Certificate System uses the Fedora Directory Server to store information about certificates that it issues. The following page provides more details:
Development Tools
The following development tools are required to build these PKI subsystems:
Additional Packages
Dogtag 9.0
Additionally, the RA and TPS subsystems require the Fortitude mod_nss and mod_revocator Apache plug-ins to be installed and enabled by the system's Apache web server.
For an RA subsystem, become the root user, and install the following packages:
yum install mod_nss mod_perl mod_revocator openldap-clients \
    openldap-devel perl-DBD-SQLite perl-HTML-Parser \
    perl-HTML-Tagset perl-Parse-RecDescent perl-URI \
    perl-XML-NamespaceSupport perl-XML-Parser perl-XML-SAX \
    perl-XML-Simple perl-libwww-perl sendmail sqlite
For a TPS subsystem, become the root user, and install the following packages:
yum install mod_nss mod_perl mod_revocator openldap-clients \
    openldap-devel pcre-devel perl-HTML-Parser \
    perl-HTML-Tagset perl-Parse-RecDescent perl-URI \
    perl-XML-NamespaceSupport perl-XML-Parser perl-XML-SAX \
    perl-XML-Simple perl-libwww-perl
Dogtag 1.3 and Earlier
Additionally, the RA and TPS subsystems require the Fortitude mod_nss Apache plug-in to be installed and enabled by the system's Apache web server.
For an RA subsystem, become the root user, and install the following packages:
yum install mod_nss mod_perl mozldap perl-DBD-SQLite perl-HTML-Parser \
    perl-HTML-Tagset perl-Parse-RecDescent perl-URI \
    perl-XML-NamespaceSupport perl-XML-Parser perl-XML-SAX \
    perl-XML-Simple perl-libwww-perl sendmail sqlite
For a TPS subsystem, become the root user, and install the following packages:
yum install mod_nss mod_perl mozldap pcre-devel perl-HTML-Parser \
    perl-HTML-Tagset perl-Parse-RecDescent perl-URI \
    perl-XML-NamespaceSupport perl-XML-Parser \
    perl-XML-SAX perl-XML-Simple perl-libwww-perl
Building the Dogtag Certificate System
Download the PKI Yum Repository Configuration File
Follow the instructions to download and install a PKI Yum repository configuration file:
Build the Dogtag Components
PKI components can be built individually or collectively from the Subversion repository:
- Building PKI Components Individually via Subversion
- Building PKI Components Collectively via Subversion
Alternatively, if you do not wish to use the Subversion repository, PKI components can be built individually from SRPMs:
PKI Subsystem Instance Installation
Dogtag 9.0
Certificate Authority (CA)
To install a CA subsystem instance, become the root user, and execute the following command:
pkicreate -pki_instance_root=/var/lib \
-pki_instance_name=pki-ca \
-subsystem_type=ca \
-agent_secure_port=9443 \
-ee_secure_port=9444 \
-ee_secure_client_auth_port=9446 \
-admin_secure_port=9445 \
-unsecure_port=9180 \
-tomcat_server_port=9701 \
-user=pkiuser \
-group=pkiuser \
-redirect conf=/etc/pki-ca \
-redirect logs=/var/log/pki-ca \
-verbose
Data Recovery Manager (DRM)
To install a DRM subsystem instance, become the root user, and execute the following command. pkicreate knows the DRM as the 'kra' subsystem type, and its instance name, ports and directories must differ from the CA's when both run on the same host; the ports below are the stock pki-kra instance ports, adjust them if they are already taken:
pkicreate -pki_instance_root=/var/lib \
-pki_instance_name=pki-kra \
-subsystem_type=kra \
-agent_secure_port=10443 \
-ee_secure_port=10444 \
-admin_secure_port=10445 \
-unsecure_port=10180 \
-tomcat_server_port=10701 \
-user=pkiuser \
-group=pkiuser \
-redirect conf=/etc/pki-kra \
-redirect logs=/var/log/pki-kra \
-verbose
Online Certificate Status Protocol Manager (OCSP)
To install an OCSP subsystem instance, become the root user, and execute the following command:
pkicreate -pki_instance_root=/var/lib \
-pki_instance_name=pki-ocsp \
-subsystem_type=ocsp \
-agent_secure_port=11443 \
-ee_secure_port=11444 \
-admin_secure_port=11445 \
-unsecure_port=11180 \
-tomcat_server_port=11701 \
-user=pkiuser \
-group=pkiuser \
-redirect conf=/etc/pki-ocsp \
-redirect logs=/var/log/pki-ocsp \
-verbose
Registration Authority (RA)
To install an RA subsystem instance, become the root user, and execute the following command:
pkicreate -pki_instance_root=/var/lib \
-pki_instance_name=pki-ra \
-subsystem_type=ra \
-secure_port=12889 \
-non_clientauth_secure_port=12890 \
-unsecure_port=12888 \
-user=pkiuser \
-group=pkiuser \
-redirect conf=/etc/pki-ra \
-redirect logs=/var/log/pki-ra \
-verbose
Token Key Service (TKS)
To install a TKS subsystem instance, become the root user, and execute the following command:
pkicreate -pki_instance_root=/var/lib \
-pki_instance_name=pki-tks \
-subsystem_type=tks \
-agent_secure_port=13443 \
-ee_secure_port=13444 \
-admin_secure_port=13445 \
-unsecure_port=13180 \
-tomcat_server_port=13701 \
-user=pkiuser \
-group=pkiuser \
-redirect conf=/etc/pki-tks \
-redirect logs=/var/log/pki-tks \
-verbose
Token Processing System (TPS)
To install a TPS subsystem instance, become the root user, and execute the following command:
pkicreate -pki_instance_root=/var/lib \
-pki_instance_name=pki-tps \
-subsystem_type=tps \
-secure_port=7889 \
-non_clientauth_secure_port=7890 \
-unsecure_port=7888 \
-user=pkiuser \
-group=pkiuser \
-redirect conf=/etc/pki-tps \
-redirect logs=/var/log/pki-tps \
-verbose
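Every subsystem above gets its own block of ports, and all of them are bound by Tomcat or Apache running as the unprivileged pkiuser. The script below is an added example, not part of the Dogtag wiki or the pkicreate tool: it checks a port plan for duplicates, out-of-range values and privileged ports before any pkicreate command is run, so that a pasted-and-unedited port block is caught before a second instance fails to bind ports the first already listens on. The plan format and the check_port_plan/page_plan/collision_plan names are constructed for this example.

```shell
#!/bin/sh
# Added example (not Dogtag code): sanity-check the ports passed to pkicreate
# before creating several subsystem instances on one host.
# Plan format (constructed for this example): one line per instance,
#   <instance-name> <port> <port> ...

# check_port_plan: reads a plan on stdin, prints every problem found and
# returns 1 if any port is invalid, privileged (below 1024, which pkiuser
# cannot bind without root privileges) or claimed twice; returns 0 otherwise.
check_port_plan() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
    {
        for (i = 2; i <= NF; i++) {
            p = $i
            if (p !~ /^[0-9]+$/ || p < 1 || p > 65535) {
                printf "%s: invalid port %s\n", $1, p; bad = 1; continue
            }
            if (p < 1024) {
                printf "%s: port %s is privileged; pkiuser cannot bind it\n", $1, p
                bad = 1
            }
            owners[p] = owners[p] " " $1; count[p]++
        }
    }
    END {
        for (p in count)
            if (count[p] > 1) { printf "port %s claimed by:%s\n", p, owners[p]; bad = 1 }
        exit (bad ? 1 : 0)
    }'
}

# The port plan taken from the CA, OCSP, RA, TKS and TPS pkicreate commands.
page_plan() {
    cat <<'EOF'
pki-ca   9443 9444 9446 9445 9180 9701
pki-ocsp 11443 11444 11445 11180 11701
pki-ra   12889 12890 12888
pki-tks  13443 13444 13445 13180 13701
pki-tps  7889 7890 7888
EOF
}

# A second instance created with the CA's port block left unedited: the
# mistake this check exists to catch.
collision_plan() {
    page_plan
    echo "pki-kra  9443 9444 9446 9445 9180 9701"
}

if page_plan | check_port_plan; then echo "port plan OK"; fi
```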
Dogtag 1.3 and Earlier
Certificate Authority (CA)
Installing the 'pki-ca' RPM will create the first default instance of the subsystem (presuming one doesn't already exist). If this occurs, see the next section for information regarding configuration of this PKI subsystem.
Data Recovery Manager (DRM)
Installing the 'pki-kra' RPM will create the first default instance of the subsystem (presuming one doesn't already exist). If this occurs, see the next section for information regarding configuration of this PKI subsystem.
Online Certificate Status Protocol Manager (OCSP)
Installing the 'pki-ocsp' RPM will create the first default instance of the subsystem (presuming one doesn't already exist). If this occurs, see the next section for information regarding configuration of this PKI subsystem.
Registration Authority (RA)
Installing the 'pki-ra' RPM will create the first default instance of the subsystem (presuming one doesn't already exist). If this occurs, see the next section for information regarding configuration of this PKI subsystem.
Token Key Service (TKS)
Installing the 'pki-tks' RPM will create the first default instance of the subsystem (presuming one doesn't already exist). If this occurs, see the next section for information regarding configuration of this PKI subsystem.
Token Processing System (TPS)
Installing the 'pki-tps' RPM will create the first default instance of the subsystem (presuming one doesn't already exist). If this occurs, see the next section for information regarding configuration of this PKI subsystem.
Configure the PKI Subsystem
Finally, before an instance may be utilized, the user must configure the PKI subsystem instance:
Manage PKI Instances
To create additional instances, the following command can be used:
/usr/bin/pkicreate
Similarly, to remove an existing instance, the following command can be used:
/usr/bin/pkiremove
