PKI Components
See the PKI Components page for details about all of the PKI subsystems that comprise the Dogtag Certificate System.
Prerequisites
Please make sure you meet all these prerequisites before you attempt to run a Dogtag Certificate System.
System Prerequisites
The following system prerequisites are required to build PKI subsystems:
Runtime Tools
The following runtime environment is required to build these PKI subsystems:
Directory Server Requirements
The CA, DRM, OCSP, TKS, and TPS require the Fedora Directory Server to be installed, while the RA requires SQLite. Dogtag Certificate System uses the Fedora Directory Server to store information about certificates that it issues. The following page provides more details:
Running the Dogtag Certificate System
Using Yum to Download the PKI Packages
Follow the instructions to use Yum to download and install PKI packages:
PKI Subsystem Installation
At this stage, a user may choose to install one or more of the following PKI subsystems:
Certificate Authority (CA)
To install a CA subsystem, become the root user and execute the following command:
yum install pki-ca
This will install many dependencies, too.
Data Recovery Manager (DRM)
To install a DRM subsystem, become the root user and execute the following command:
yum install pki-kra
This will install many dependencies, too.
Online Certificate Status Protocol Manager (OCSP)
To install an OCSP subsystem, become the root user and execute the following command:
yum install pki-ocsp
This will install many dependencies, too.
Registration Authority (RA)
To install an RA subsystem, become the root user and execute the following command:
yum install pki-ra
This will install many dependencies, too.
Token Key Service (TKS)
To install a TKS subsystem, become the root user and execute the following command:
yum install pki-tks
This will install many dependencies, too.
Token Processing System (TPS)
To install a TPS subsystem, become the root user and execute the following command:
yum install pki-tps
This will install many dependencies, too.
PKI Subsystem Instance Installation
Dogtag 9.0
Certificate Authority (CA)
To install a CA subsystem instance, become the root user and execute the following command:
pkicreate -pki_instance_root=/var/lib \
-pki_instance_name=pki-ca \
-subsystem_type=ca \
-agent_secure_port=9443 \
-ee_secure_port=9444 \
-ee_secure_client_auth_port=9446 \
-admin_secure_port=9445 \
-unsecure_port=9180 \
-tomcat_server_port=9701 \
-user=pkiuser \
-group=pkiuser \
-redirect conf=/etc/pki-ca \
-redirect logs=/var/log/pki-ca \
-verbose
Data Recovery Manager (DRM)
To install a DRM subsystem instance, become the root user and execute the following command:
pkicreate -pki_instance_root=/var/lib \
-pki_instance_name=pki-kra \
-subsystem_type=kra \
-agent_secure_port=10443 \
-ee_secure_port=10444 \
-admin_secure_port=10445 \
-unsecure_port=10180 \
-tomcat_server_port=10701 \
-user=pkiuser \
-group=pkiuser \
-audit_group=pkiaudit \
-redirect conf=/etc/pki-kra \
-redirect logs=/var/log/pki-kra \
-verbose
Online Certificate Status Protocol Manager (OCSP)
To install an OCSP subsystem instance, become the root user and execute the following command:
pkicreate -pki_instance_root=/var/lib \
-pki_instance_name=pki-ocsp \
-subsystem_type=ocsp \
-agent_secure_port=11443 \
-ee_secure_port=11444 \
-admin_secure_port=11445 \
-unsecure_port=11180 \
-tomcat_server_port=11701 \
-user=pkiuser \
-group=pkiuser \
-redirect conf=/etc/pki-ocsp \
-redirect logs=/var/log/pki-ocsp \
-verbose
Registration Authority (RA)
To install an RA subsystem instance, become the root user and execute the following command:
pkicreate -pki_instance_root=/var/lib \
-pki_instance_name=pki-ra \
-subsystem_type=ra \
-secure_port=12889 \
-non_clientauth_secure_port=12890 \
-unsecure_port=12888 \
-user=pkiuser \
-group=pkiuser \
-redirect conf=/etc/pki-ra \
-redirect logs=/var/log/pki-ra \
-verbose
Token Key Service (TKS)
To install a TKS subsystem instance, become the root user and execute the following command:
pkicreate -pki_instance_root=/var/lib \
-pki_instance_name=pki-tks \
-subsystem_type=tks \
-agent_secure_port=13443 \
-ee_secure_port=13444 \
-admin_secure_port=13445 \
-unsecure_port=13180 \
-tomcat_server_port=13701 \
-user=pkiuser \
-group=pkiuser \
-redirect conf=/etc/pki-tks \
-redirect logs=/var/log/pki-tks \
-verbose
Token Processing System (TPS)
To install a TPS subsystem instance, become the root user and execute the following command:
pkicreate -pki_instance_root=/var/lib \
-pki_instance_name=pki-tps \
-subsystem_type=tps \
-secure_port=7889 \
-non_clientauth_secure_port=7890 \
-unsecure_port=7888 \
-user=pkiuser \
-group=pkiuser \
-redirect conf=/etc/pki-tps \
-redirect logs=/var/log/pki-tps \
-verbose
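Each of the six pkicreate invocations above starts its own Tomcat (or, for the RA and TPS, Apache) server, so every port must be unique on the host and must not already be bound, or the instance will fail to start. The following pre-flight script is an added example, not part of the Dogtag wiki or the pki packages; it takes the port layout from the commands above and assumes the iproute2 ss utility is available for the live check.

```shell
#!/bin/sh
# Added example (not Dogtag's own tooling): pre-flight port checks to run as
# root before the pkicreate commands above. Assumes ss from iproute2.

# One "instance ports..." line per instance; ports copied from the page's
# pkicreate examples (agent/ee/ee_client_auth/admin/unsecure/tomcat_server
# for the Tomcat subsystems, secure/non_clientauth_secure/unsecure for RA/TPS).
PLANNED_PORTS='
pki-ca   9443 9444 9446 9445 9180 9701
pki-kra  10443 10444 10445 10180 10701
pki-ocsp 11443 11444 11445 11180 11701
pki-ra   12889 12890 12888
pki-tks  13443 13444 13445 13180 13701
pki-tps  7889 7890 7888
'

# duplicate_ports LIST: print "port: inst1 inst2" for every port planned twice.
duplicate_ports() {
    printf '%s\n' "$1" | awk 'NF > 1 {
        for (i = 2; i <= NF; i++) { n[$i]++; who[$i] = who[$i] " " $1 }
    }
    END { for (p in n) if (n[p] > 1) print p ":" who[p] }' | sort -n
}

# busy_ports LIST LISTENING: print "instance port" for each planned port that
# is in LISTENING, a whitespace-separated list of ports already bound.
busy_ports() {
    printf '%s\n' "$1" | awk -v listening="$2" 'BEGIN {
        m = split(listening, a, /[ \t\n]+/)
        for (i = 1; i <= m; i++) busy[a[i]] = 1
    }
    NF > 1 { for (i = 2; i <= NF; i++) if ($i in busy) print $1 " " $i }'
}

# listening_ports: TCP ports currently bound on this host, via ss.
listening_ports() {
    ss -ltn 2>/dev/null | awk 'NR > 1 { sub(/.*:/, "", $4); print $4 }' |
        sort -un | tr '\n' ' '
}

# preflight: succeed only when the planned layout is conflict-free here.
preflight() {
    dups=$(duplicate_ports "$PLANNED_PORTS")
    busy=$(busy_ports "$PLANNED_PORTS" "$(listening_ports)")
    if [ -n "$dups" ]; then printf 'duplicate ports:\n%s\n' "$dups"; fi
    if [ -n "$busy" ]; then printf 'ports already in use:\n%s\n' "$busy"; fi
    [ -z "$dups" ] && [ -z "$busy" ]
}
```

Run `preflight` before the first pkicreate; a non-zero exit means the layout needs to change before any instance is created.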
Dogtag 1.3 and Earlier
Certificate Authority (CA)
Installing the 'pki-ca' RPM will create the first default instance of the subsystem (presuming one doesn't already exist). If this occurs, see the next section for information regarding configuration of this PKI subsystem.
Data Recovery Manager (DRM)
Installing the 'pki-kra' RPM will create the first default instance of the subsystem (presuming one doesn't already exist). If this occurs, see the next section for information regarding configuration of this PKI subsystem.
Online Certificate Status Protocol Manager (OCSP)
Installing the 'pki-ocsp' RPM will create the first default instance of the subsystem (presuming one doesn't already exist). If this occurs, see the next section for information regarding configuration of this PKI subsystem.
Registration Authority (RA)
Installing the 'pki-ra' RPM will create the first default instance of the subsystem (presuming one doesn't already exist). If this occurs, see the next section for information regarding configuration of this PKI subsystem.
Token Key Service (TKS)
Installing the 'pki-tks' RPM will create the first default instance of the subsystem (presuming one doesn't already exist). If this occurs, see the next section for information regarding configuration of this PKI subsystem.
Token Processing System (TPS)
Installing the 'pki-tps' RPM will create the first default instance of the subsystem (presuming one doesn't already exist). If this occurs, see the next section for information regarding configuration of this PKI subsystem.
Configure the PKI Subsystem Instance
Finally, before a PKI subsystem instance can be used, it must be configured:
Manage PKI Subsystem Instances
To create additional PKI subsystem instances, the following command can be used:
/usr/bin/pkicreate
Similarly, to remove an existing PKI subsystem instance, the following command can be used:
/usr/bin/pkiremove
