Chapter 7. Silent Configuration
7.3. Cloning a Subsystem Silently
IMPORTANT: Only CA instances can be cloned using pkisilent. Clones of the other subsystems must be configured using the HTML-based configuration wizard.
When creating a new subsystem, there are options to set the type of keys to generate and to back up
the keys to a PKCS #12 file. When cloning a subsystem, there are no key-generation options. Instead,
the parameters point to the PKCS #12 file backed up from the master subsystem and identify the master
instance being cloned:
• -clone true, which sets that the new instance will be a clone
• -clone_p12_file and -clone_p12_password, which give the location of the PKCS #12 key file and
the password to access it
Because that PKCS #12 file contains the master's private keys, copy it to the clone host over a protected
channel and keep it readable only by the user running pkisilent.
Additionally, a clone must have some configuration in common with its master:
• The same security domain, set in the -sd_* parameters
• The same LDAP base DN and database name, set in the -ldap_* parameters (either the hostname
or the port must differ, since the clone requires its own Directory Server instance)
• The same issuing CA for its certificates, set in the -ca_* parameters (or, for a CA, possibly
self-signed)
Aside from the differences in creating the subsystem certificates, the configuration for the clone
(joining the security domain, creating the admin user, setting up the internal LDAP directories) is the
same as with any other subsystem configuration.
For example:

  pkisilent ConfigureCA -cs_hostname localhost -cs_port 9445 -subsystem_name "clone-ca2" \
    -client_certdb_dir /tmp/ -client_certdb_pwd password -preop_pin sYY8er834FG9793fsef7et5 \
    -sd_hostname "domain.example.com" -sd_admin_port 9445 -sd_agent_port 9443 -sd_ssl_port 9444 \
    -sd_admin_name admin -sd_admin_password secret \
    -admin_user admin -admin_email "[email protected]" -admin_password secret \
    -clone true -clone_p12_file /export/backup.p12 -clone_p12_password secret \
    -master_instance_name pki-ca \
    -ca_hostname server.example.com -ca_non_ssl_port 9180 -ca_ssl_port 9443 \
    -ca_subsystem_cert_subject_name "cn=ca\ subsystem\ cert,o=testca\ domain" \
    -ca_ocsp_cert_subject_name "cn=ocsp\ signing\ cert,o=testca\ domain" \
    -ca_server_cert_subject_name "cn=ca\ client\ cert,o=testca\ domain" \
    -ca_sign_cert_subject_name "cn=ca\ signing\ cert,o=testca\ domain" \
    -ca_audit_signing_cert_subject_name "cn=audit\ signing\ cert,o=testca\ domain"
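The following pre-flight script is an added example and is not part of the Certificate System documentation or of the pkisilent tool. It checks the three things that most often make a silent clone fail or leak material before the long ConfigureCA run starts: that the PKCS #12 backup is readable only by its owner, that the password intended for -clone_p12_password really opens the file, and that the clone's -ldap_* host:port is not the master's Directory Server instance. It assumes a POSIX shell, ls, and the openssl command; the paths and hostnames in the usage line are placeholders.

```shell
#!/bin/sh
# Pre-flight checks before 'pkisilent ConfigureCA ... -clone true'.
# Added example, not code from Red Hat Certificate System or pkisilent.
# Assumes POSIX sh, ls, and (for the PKCS #12 check only) openssl.

# The clone must share the master's base DN and database name but use a
# separate Directory Server instance, so the hostname or the port must differ.
# Returns 0 when they differ, 1 when master and clone would share an instance.
ldap_instance_differs() {
    master_host=$1; master_port=$2; clone_host=$3; clone_port=$4
    if [ "$master_host" = "$clone_host" ] && [ "$master_port" = "$clone_port" ]; then
        return 1
    fi
    return 0
}

# The PKCS #12 backup holds the master CA's private keys. Refuse to proceed
# unless it is readable by its owner only: the mode string from 'ls -l' must
# have no group or other bits set (e.g. rw------- or r--------).
p12_permissions_ok() {
    p12=$1
    [ -f "$p12" ] || return 1
    mode=$(ls -ld "$p12" | cut -c2-10)
    case "$mode" in
        ???------) return 0 ;;
        *) return 1 ;;
    esac
}

# Confirm the password actually opens the file. It is read from a file
# (first line) rather than typed on the command line, so it does not end up
# in shell history or in 'ps' output during the check itself.
p12_opens() {
    p12=$1; pwfile=$2
    openssl pkcs12 -in "$p12" -passin "file:$pwfile" -nokeys -noout >/dev/null 2>&1
}

# Run every check; returns 0 only if all of them pass. LDAP values are host:port.
clone_preflight() {
    p12=$1; pwfile=$2; master_ldap=$3; clone_ldap=$4
    ok=0
    p12_permissions_ok "$p12" \
        || { echo "refusing: $p12 is readable by group/other" >&2; ok=1; }
    p12_opens "$p12" "$pwfile" \
        || { echo "refusing: password in $pwfile does not open $p12" >&2; ok=1; }
    ldap_instance_differs "${master_ldap%:*}" "${master_ldap##*:}" \
                          "${clone_ldap%:*}" "${clone_ldap##*:}" \
        || { echo "refusing: clone would reuse the master's Directory Server $master_ldap" >&2; ok=1; }
    return $ok
}

# Usage (placeholder paths and hosts):
#   sh clone-preflight.sh /export/backup.p12 /root/p12.pw master.example.com:389 clone.example.com:389
# On success, pass the same file as -clone_p12_file and its contents as -clone_p12_password.
if [ $# -eq 4 ]; then
    clone_preflight "$@" && echo "pre-flight OK; safe to run pkisilent ConfigureCA ... -clone true"
fi
```

Note that pkisilent itself still takes -clone_p12_password, -sd_admin_password and -admin_password as command-line arguments, so run it from a script with restrictive permissions rather than an interactive shell whose history is kept, and treat the pre-flight only as a way to fail early, not as a substitute for protecting those values.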
7.4. Performing Silent Configuration Using an External CA
As described in Section 4.1, “Requesting Subsystem Certificates from an External CA”, a CA outside
of the security domain can be used to generate a subsystem's certificates. It is also possible to request
and submit certificates issued by an external CA using pkisilent.
By default, the pkisilent command assumes that the certificates will be requested from a CA within the
security domain; this CA is identified in the -ca_hostname and other -ca_* options. This corresponds to
the -external option being false.