Loading the Certicom ECC Module
65
modutil -dbdir . -nocertdb -changepw "THIRD_PARTY_MODULE_TOKEN"
7. Change the ownership of the new home directory from root to pkiuser.
cd /usr/share/pki
chown -R pkiuser:pkiuser pkiuser
8. Add the password for the ECC token to the CA's password file.
vim /etc/pki-ca/password.conf
hardware-THIRD_PARTY_MODULE_TOKEN=secret
The hardware- prefix is required.
9. Edit the CA configuration and add a line to require signature verification.
ca.requestVerify.token=THIRD_PARTY_MODULE_TOKEN
10. Start the CA.
service pki-ca start
11. Continue with the CA configuration, with two important configuration settings:
• In the Key Store panel, the ECC module should be listed as an available token. Select that module for the key store.
• In the Key Pairs panel, ECC should be listed as an option to use to generate the keys used for the CA's certificates. Select the ECC key type.
12. After completing the configuration for the CA, try to log into the CA console.
pkiconsole https://server.example.com:9445/ca
This fails, because the console is not yet configured to run with ECC enabled. However, this does create the security databases for the console, so the ECC module can be loaded.
13. Load the ECC module into the console security databases.
cd ~/.redhat-idm-console/
modutil -dbdir . -nocertdb -add THIRD_PARTY_MODULE -libfile /usr/lib/libYourNewModule.so
Now, logging into the console succeeds.
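The most common way steps 7 to 9 go wrong is a token name in the CA configuration that does not exactly match the hardware- entry in password.conf, or a chown -R that missed part of the pkiuser home. The following shell check is an added example, not part of the Red Hat guide: it verifies that every file under a directory is owned by the expected user, and that the token named by ca.requestVerify.token has a non-empty password under the mandatory hardware- prefix. It runs on constructed scratch files; the real paths (/etc/pki-ca/CS.cfg for the CA configuration, /etc/pki-ca/password.conf, and /usr/share/pki/pkiuser) are assumptions you would pass in instead.

```shell
#!/bin/sh
# Added example; not part of the Red Hat Certificate System guide. It checks the
# result of steps 7 to 9: the pkiuser home is wholly owned by pkiuser, and the
# token named in the CA configuration (ca.requestVerify.token) has a matching
# "hardware-<token>=<password>" line in password.conf. File paths are arguments;
# the real ones (/etc/pki-ca/CS.cfg, /etc/pki-ca/password.conf,
# /usr/share/pki/pkiuser) are assumptions for this example.

# check_owner DIR USER: succeed only if every entry under DIR is owned by USER
# (catches a chown -R that was run in the wrong directory or interrupted).
check_owner() {
    dir="$1"; user="$2"
    stray=$(find "$dir" ! -user "$user" 2>/dev/null | head -n 1)
    if [ -n "$stray" ]; then
        echo "not owned by $user: $stray" >&2
        return 1
    fi
    return 0
}

# check_ecc_token_password CS.cfg password.conf: print the token name taken
# from ca.requestVerify.token and succeed only if password.conf carries a
# non-empty password for it under the hardware- prefix.
check_ecc_token_password() {
    cfg="$1"; pwfile="$2"
    token=$(sed -n 's/^ca\.requestVerify\.token=//p' "$cfg" | head -n 1)
    if [ -z "$token" ]; then
        echo "ca.requestVerify.token is not set in $cfg" >&2
        return 1
    fi
    # Exact match on the key before the first '=', so a line such as
    # "THIRD_PARTY_MODULE_TOKEN=secret" (prefix missing) is not accepted.
    secret=$(awk -F= -v key="hardware-$token" \
        '$1 == key { print substr($0, length($1) + 2); exit }' "$pwfile")
    if [ -z "$secret" ]; then
        echo "no hardware-$token=<password> line in $pwfile" >&2
        return 2
    fi
    echo "$token"
    return 0
}

# Demonstration on constructed files in a scratch directory (never the real
# /etc/pki-ca). The first password file is correct; the second omits the prefix.
demo_dir=$(mktemp -d)
printf 'ca.requestVerify.token=THIRD_PARTY_MODULE_TOKEN\n' > "$demo_dir/CS.cfg"
printf 'internal=secret1\nhardware-THIRD_PARTY_MODULE_TOKEN=secret\n' > "$demo_dir/password.conf"
printf 'THIRD_PARTY_MODULE_TOKEN=secret\n' > "$demo_dir/password-noprefix.conf"

check_owner "$demo_dir" "$(id -un)" && echo "ownership of $demo_dir is consistent"
check_ecc_token_password "$demo_dir/CS.cfg" "$demo_dir/password.conf" \
    && echo "password.conf has a hardware- entry for the token above"
if ! check_ecc_token_password "$demo_dir/CS.cfg" "$demo_dir/password-noprefix.conf" 2>/dev/null; then
    echo "password-noprefix.conf rejected: hardware- prefix missing"
fi
rm -rf "$demo_dir"
```

Run it as the user who owns the CA files (or as root) so that find can traverse the directory; against the real installation the call would be check_owner /usr/share/pki/pkiuser pkiuser followed by check_ecc_token_password /etc/pki-ca/CS.cfg /etc/pki-ca/password.conf, before the service is started in step 10.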
4.2.2. Loading the Certicom ECC Module
Certicom's ECC module has a slightly different configuration process than the procedure for loading a
general ECC module.