Red Hat CERTIFICATE SYSTEM 6.0 - MIGRATION GUIDE Скачать руководство пользователя страница 11

Страница: 11 / 76

migration is complete before starting the migration of the next subsystem.

Setting File Permissions.

• On Linux and UNIX systems, make sure that the file owner (user and group) and the file

permissions are correct when the file is copied between two instances. Also make sure that

the target machine allows the file transfer.

• The

chmod

command used in the examples have the permissions

00600

(octal, no sticky bit

permissions, user read/write permissions, no group permissions, no other permissions).

These are the recommended permissions, but are not required.

Extracting Data from a Hardware Security Module.

While the migration procedure refers to extracting data from a hardware security module (HSM),

no Certificate System tool can extract public/private key pairs from an HSM because of Federal

Information Processing Standard (FIPS) 140-1, which protects the private key portion of an

entry. Contact the HSM vendor for information on how to extract data from an old HSM.

Extracted keys should not have any dependencies, such as nickname prefixes, on the old HSM.

Changing Subsystem Names and Port Numbers.

It is possible to change the names of migrated Certificate System subsystem instances, but

greater care must be taken when extracting and renaming certain portions of the data. Because

port numbers are stored in the

server.xml

file, which is unaffected by subsystem migration,

port numbers can be changed between instances without difficulty.

About Usage Examples.

All examples assume that the new passwords are the same as the old passwords.

Subsystem and Version Related Considerations.

• The default key-splitting scheme used by the DRM subsystem in Certificate System 7.1 and

later is not the scheme required by the DRM subsystem key recovery feature in 6.x versions.

There is no way to migrate from the old key-splitting scheme to the new scheme. Therefore,

DRM instances in Certificate Management System 6.x versions cannot be successfully

migrated to version 7.3.

• The RA subsystem was deprecated in Certificate Management System 7.0 and redesigned in

Red Hat Certificate System 7.3, so it is not possible to migrate RA subsystems into Certificate

System version 7.3. All RA request queues should be processed by the 6.x-version servers

into their existing CAs before beginning any CA migrations.

Considerations before Migration

Содержание CERTIFICATE SYSTEM 6.0 - MIGRATION GUIDE

Страница 1: ...Red Hat Certificate System Migration Guide 6 x to 7 3 6 0 Matthew Harmsen ISBN N A Publication date March 12 2008 ...

Страница 2: ...provides in depth procedures to migrate subsystems user information and certificate and key materials from Netscape Certificate Management System 6 0 6 1 and 6 2 to Red Hat Certificate System 7 3 Red Hat Certificate System ...

Страница 3: ...ibited without the explicit permission of the copyright holder Distribution of the work or derivative of the work in any standard paper book form for commercial purposes is prohibited unless prior permission is obtained from the copyright holder Red Hat and the Red Hat Shadow Man logo are registered trademarks of Red Hat Inc in the United States and other countries All other trademarks referenced ...

Страница 4: ...Red Hat Certificate System ...

Страница 5: ...ses Migration 24 2 2 Option 2 Security Databases to HSM Migration 26 2 3 Option 3 HSM to Security Databases Migration 30 2 4 Option 4 HSM to HSM Migration 33 3 Online Certificate Status Protocol Manager OCSP Migration 37 3 1 Option 1 Security Databases to Security Databases Migration 37 3 2 Option 2 Security Databases to HSM Migration 39 3 3 Option 3 HSM to Security Databases Migration 43 3 4 Opti...

Страница 6: ...vi ...

Страница 7: ...on even if the 7 3 installation is on the same machine named delta example com running Red Hat Enterprise Linux This is accomplished simply by supplying a different installation directory for each instance NOTE Throughout this manual all system instances are referred to as Certificate System unless the specific version or product name is required 1 Certificate System Migration Overview The migrati...

Страница 8: ...r example migrating from Certificate Management System 6 01 uses the 60ToTxt program to export data Certificate System migration export utilities are files named versionToTxt For migrating 6 0x 6 1 and 6 2 servers to Certificate System 7 3 there are three files which are used depending on your 6 x version 60ToTxt 61ToTxt and 62ToTxt Each export tool contains the following files Two precompiled Jav...

Страница 9: ...the comments 1 2 Certificate System Subsystems Certificate System installations may exist on different platforms Additionally each Certificate System installation may contain more than one type of subsystem or more than one instance of a type of subsystem The following subsystems may be present in a Certificate System installation Certificate Authority CA Data Recovery Manager DRM Online Certifica...

Страница 10: ... in this table because it is supported on different platforms Table 1 1 Certificate System Subsystem Types and Platforms 2 Considerations before Migration Since all migrations are unique to a deployment it is strongly recommended that the entire migration process be planned in advance Here are some common issues related to migration The Migration Procedure Not all steps in the migration processes ...

Страница 11: ...ubsystem Names and Port Numbers It is possible to change the names of migrated Certificate System subsystem instances but greater care must be taken when extracting and renaming certain portions of the data Because port numbers are stored in the server xml file which is unaffected by subsystem migration port numbers can be changed between instances without difficulty About Usage Examples All examp...

Страница 12: ...6 ...

Страница 13: ...rtificate Management System utility cd usr netscape servers cert instance cmsbackup For more information on using the 6 x backup utility see chapter 8 Backing Up and Restoring Data in the Netscape Certificate Management System 6 x Command Line Tools Guide Additionally RA subsystems in Certificate Management System 6 x cannot be migrated to Certificate System 7 3 The RA subsystem was deprecated in ...

Страница 14: ...8 ...

Страница 15: ...ion wizard For example http server example com 9080 ca admin console config login pin Yc6EuvuY2OeezKeX7REk The configuration wizard will fully configure the new subsystem instance and will generate all required certificates Make sure to have all necessary information when going through this wizard All subsystems require information to an external Red Hat Directory Server including bind information...

Страница 16: ...10 ...

Страница 17: ... System Servers 1 First stop all new Certificate System instances etc init d instance_ID stop 2 Then stop the Directory Server instance used by the Certificate System 7 3 servers cd opt redhat ds slapd DS instance stop slapd Chapter 4 11 ...

Страница 18: ...12 ...

Страница 19: ...uthority CA Migration Section 2 Data Recovery Manager DRM Migration Section 3 Online Certificate Status Protocol Manager OCSP Migration 1 Certificate Authority CA Migration Determine if the migration to be performed involves software security databases an HSM or both and follow the appropriate process for the deployment scenario being migrated Section 1 1 Option 1 Security Databases to Security Da...

Страница 20: ...ance_ID alias 4 Log in as root 5 Set the file user and group to the Certificate System user and group chown user group cert8 db chown user group key3 db 6 Log out as root and log back into the system as the Certificate System user 7 Set the file permissions chmod 00600 cert8 db chmod 00600 key3 db 8 List the contents of the certificate database using the certutil tool In this example L lists the c...

Страница 21: ...lso modify the ca connector KRA nickname attribute ca connector KRA nickname caSigningCert cert old_CA_instance 12 In the same directory edit the serverCertNick conf file to contain the old certificate nickname For example Server Cert cert old_CA_instance 1 2 Option 2 Security Databases to HSM Migration 1 Remove all the security databases in the Certificate System 7 3 which will receive migrated d...

Страница 22: ...ns chmod 00600 cert8 db chmod 00600 key3 db 8 List the certificates stored in the old security databases by using the certutil command L lists the certificates certutil L d Server Cert cert old_CA_instance cu cu cu caSigningCert cert old_CA_instance cu cu cu ocspSigningCert cert old_CA_instance CTu Cu Cu NOTE For Certificate Management System version 6 0x the certificate database is automatically ...

Страница 23: ...12 n ocspSigningCert cert old_CA_instance d Enter Password or Pin for NSS Certificate DB Enter password for PKCS12 file Re enter password pk12util PKCS12 EXPORT SUCCESSFUL NOTE The old security databases may contain additional public private key pairs these can also be extracted using pk12util 10 Delete the old security databases rm cert8 db rm key3 db 11 Register the new HSM in the 7 3 token data...

Страница 24: ... trust bits on the public private key pairs that were imported into the new HSM certutil M n new_HSM_slot_name Server Cert cert old_CA_instance t cu cu cu d h new_HSM_token_name certutil M n new_HSM_slot_name caSigningCert cert old_CA_instance t CTu CTu CTu d h new_HSM_token_name certutil M n new_HSM_slot_name ocspSigningCert cert old_CA_instance t CTu Cu Cu d h new_HSM_token_name 17 Open the CS c...

Страница 25: ... the private key To extract this information contact the HSM vendor The extracted keys should not have any dependencies such as nickname prefixes on the HSM 2 Copy the extracted key pairs from the 6 x server to the 7 3 server cp old_server_root alias ServerCert p12 var lib instance_ID alias ServerCert p12 cp old_server_root alias caSigningCert p12 var lib instance_ID alias caSigningCert p12 cp old...

Страница 26: ...PORT SUCCESSFUL pk12util i ocspSigningCert p12 d Enter Password or Pin for NSS Certificate DB Enter password for PKCS12 file pk12util PKCS12 IMPORT SUCCESSFUL 9 Optionally delete the PKCS 12 files rm ServerCert p12 rm caSigningCert p12 rm ocspSigningCert p12 10 Set the trust bits on the public private key pairs that were imported into the 7 3 security databases certutil M n Server Cert cert old_CA...

Страница 27: ...he pk12util tool provided by Certificate System cannot extract public private key pairs from an HSM because of requirements in the FIPS 140 1 standard which protect the private key To extract this information contact the HSM vendor The extracted keys should not have any dependencies such as nickname prefixes on the HSM 2 Copy the extracted key pairs from the 6 x server to the 7 3 server cp old_ser...

Страница 28: ...certdb list 10 Import the public private key pairs of each entry from the PKCS 12 files into the new HSM pk12util i ServerCert p12 d h new_HSM_slot_name Enter Password or Pin for new_HSM_slot_name Enter password for PKCS12 file pk12util PKCS12 IMPORT SUCCESSFUL pk12util i caSigningCert p12 d h new_HSM_slot_name Enter Password or Pin for new_HSM_slot_name Enter password for PKCS12 file pk12util PKC...

Страница 29: ...nce ca signing cacertnickname new_HSM_slot_name caSigningCert cert old_CA_instance ca ocsp_signing cacertnickname new_HSM_slot_name ocspSigningCert cert old_CA_instance 15 If there is CA DRM connectivity then also modify the ca connector KRA nickname attribute ca connector KRA nickname new_HSM_slot_name caSigningCert cert old_CA_instance 16 In the same directory edit the serverCertNick conf file t...

Страница 30: ...ration 1 Remove all the security databases in the Certificate System 7 3 server which will receive migrated data rm var lib instance_ID alias cert8 db rm var lib instance_ID alias key3 db NOTE On Certificate Management System 6 0x the certificate database is cert7 db not cert8 db 2 Copy the certificate and key security databases from the 6 x server to the 7 3 server cp old_server_root alias cert o...

Страница 31: ...ert old_DRM_instance CT c kraStorageCert cert old_DRM_instance u u u kraTransportCert cert old_DRM_instance u u u NOTE For Certificate Management System version 6 0x the certificate database is automatically converted from cert7 db to cert8 db 9 Open the CS cfg configuration file in the var lib instance_ID conf directory 10 Edit the kra storageUnit nickname and kra transportUnit nickname attribute...

Страница 32: ...e is cert7 db not cert8 db 2 Copy the certificate and key security databases from the 6 x server to the 7 3 server cp old_server_root alias cert old_DRM_instance cert8 db var lib instance_ID alias cert8 db cp old_server_root alias cert old_DRM_instance key3 db var lib instance_ID alias key3 db 3 Open the Certificate System alias directory cd var lib instance_ID alias 4 Log in as root 5 Set the fil...

Страница 33: ...te System databases using the pk12util tool o exports the key pairs to a PKCS 12 file and n sets the name of the certificate and the old database prefix pk12util o ServerCert p12 n Server Cert cert old_DRM_instance d Enter Password or Pin for NSS Certificate DB Enter password for PKCS12 file Re enter password pk12util PKCS12 EXPORT SUCCESSFUL pk12util o kraStorageCert p12 n kraStorageCert cert old...

Страница 34: ...ty databases may contain additional public keys these can also be extracted using certutil 11 Delete the old security databases rm cert8 db rm key3 db 12 Register the new HSM in the 7 3 token database modutil nocertdb dbdir add new_HSM_token_name libfile new_HSM_library_path new_HSM_library 13 Identify the new HSM slot name modutil dbdir nocertdb list 14 Create new security databases certutil N d ...

Страница 35: ...into the new HSM certutil M n new_HSM_slot_name Server Cert cert old_DRM_instance t cu cu cu d h new_HSM_token_name certutil M n new_HSM_slot_name kraStorageCert cert old_DRM_instance t u u u d h new_HSM_token_name certutil M n new_HSM_slot_name kraTransportCert cert old_DRM_instance t u u u d h new_HSM_token_name 18 Import the public key from the base 64 file into the new HSM and set the trust bi...

Страница 36: ... from an HSM because of requirements in the FIPS 140 1 standard which protect the private key To extract this information contact the HSM vendor The extracted keys should not have any dependencies such as nickname prefixes on the HSM 2 Copy the extracted key pairs from the 6 x server to the 7 3 server cp old_server_root alias ServerCert p12 var lib instance_ID alias ServerCert p12 cp old_server_ro...

Страница 37: ...HSM_slot_name caSigningCert cert old_DRM_instance d h old_HSM_token_name a caSigningCert b64 e Copy the key information from the 6 x server to the 7 3 server cp old_server_root alias caSigningCert b64 var lib instance_ID alias caSigningCert b64 4 Open the Certificate System alias directory cd var lib instance_ID alias 5 Log in as root 6 Set the file user and group to the Certificate System user an...

Страница 38: ...ert p12 d Enter Password or Pin for NSS Certificate DB Enter password for PKCS12 file pk12util PKCS12 IMPORT SUCCESSFUL 10 Optionally delete the PKCS 12 files rm ServerCert p12 rm kraStorageCert p12 rm kraTransportCert p12 11 Set the trust bits on the public private key pairs that were imported into the 7 3 security databases certutil M n Server Cert cert old_DRM_instance t cu cu cu d certutil M n...

Страница 39: ...1 Extract the public private key pairs from the HSM The format for the extracted key pairs should be portable such as a PKCS 12 file The pk12util tool provided by Certificate System cannot extract public private key pairs from an HSM because of requirements in the FIPS 140 1 standard which protect the private key To extract this information contact the HSM vendor The extracted keys should not have...

Страница 40: ...Certificate Management System 6 x certutil tool to extract the public key from the security databases and save the base 64 output to a file old_server_root bin cert tools certutil L n old_HSM_slot_name caSigningCert cert old_DRM_instance d h old_HSM_token_name a caSigningCert b64 e Copy the key information from the 6 x server to the 7 3 server cp old_server_root alias caSigningCert b64 var lib ins...

Страница 41: ...rivate key pairs of each entry from the PKCS 12 files into the new HSM pk12util i ServerCert p12 d h new_HSM_slot_name Enter Password or Pin for new_HSM_slot_name Enter password for PKCS12 file pk12util PKCS12 IMPORT SUCCESSFUL pk12util i kraStorageCert p12 d h new_HSM_slot_name Enter Password or Pin for new_HSM_slot_name Enter password for PKCS12 file pk12util PKCS12 IMPORT SUCCESSFUL pk12util i ...

Страница 42: ...ce t CT c d h new_HSM_token_name i caSigningCert b64 15 Optionally delete the base 64 file rm caSigningCert b64 16 Open the CS cfg configuration file in the var lib instance_ID conf directory 17 Edit the kra storageUnit nickname and kra transportUnit nickname attributes to reflect the 7 3 DRM information kra storageUnit nickname new_HSM_slot_name kraStorageCert cert old_DRM_instance kra transportU...

Страница 43: ... is not possible for Certificate Management System 6 0x versions only Certificate Management System 6 1 or 6 2 3 1 Option 1 Security Databases to Security Databases Migration 1 Remove all the security databases in the Certificate System 7 3 server which will receive migrated data rm var lib instance_ID alias cert8 db rm var lib instance_ID alias key3 db NOTE On Certificate Management System 6 0x t...

Страница 44: ...y databases using the certutil command L lists the certificates certutil L d Server Cert cert old_OCSP_instance cu cu cu caSigningCert cert old_OCSP_instance CT c ocspSigningCert cert old_OCSP_instance cu cu cu NOTE For Certificate Management System version 6 0x the certificate database is automatically converted from cert7 db to cert8 db 9 Open the CS cfg configuration file in the var lib instanc...

Страница 45: ...ert8 db rm var lib instance_ID alias key3 db NOTE On Certificate Management System 6 0x the certificate database is cert7 db not cert8 db 2 Copy the certificate and key security databases from the 6 x server to the 7 3 server cp old_server_root alias cert old_OCSP_instance cert8 db var lib instance_ID alias cert8 db cp old_server_root alias cert old_OCSP_instance key3 db var lib instance_ID alias ...

Страница 46: ...abase is automatically converted from cert7 db to cert8 db 9 Export the public private key pairs of each entry in the Certificate System databases using the pk12util tool o exports the key pairs to a PKCS 12 file and n sets the name of the certificate and the old database prefix pk12util o ServerCert p12 n Server Cert cert old_OCSP_instance d Enter Password or Pin for NSS Certificate DB Enter pass...

Страница 47: ...public keys these can also be exported using the certutil tool 11 Delete the old security databases rm cert8 db rm key3 db 12 Register the new HSM in the 7 3 token database modutil nocertdb dbdir add new_HSM_token_name libfile new_HSM_library_path new_HSM_library 13 Identify the new HSM slot name modutil dbdir nocertdb list 14 Create new security databases certutil N d 15 Import the public private...

Страница 48: ...name ocspSigningCert cert old_OCSP_instance t cu cu cu d h new_HSM_token_name 18 Import the public key from the base 64 file into the new HSM and set the trust bits certutil A n new_HSM_slot_name caSigningCert cert old_OCSP_instance t CT c d h new_HSM_token_name i caSigningCert b64 19 Optionally delete the base 64 file rm caSigningCert b64 20 Open the CS cfg configuration file in the var lib insta...

Страница 49: ...the 6 x server to the 7 3 server cp old_server_root alias ServerCert p12 var lib instance_ID alias ServerCert p12 cp old_server_root alias ocspSigningCert p12 var lib instance_ID alias ocspSigningCert p12 3 Extract the public key of the CA signing certificate from the old security databases and save the base 64 encoded output to a file called caSigningCert b64 a Open the Certificate Management Sys...

Страница 50: ...user group ocspSigningCert p12 chown user group caSigningCert b64 7 Log out as root and log back into the system as the Certificate System user 8 Set the file permissions chmod 00600 ServerCert p12 chmod 00600 ocspSigningCert p12 chmod 00600 caSigningCert b64 9 Import the public private key pairs of each entry from the PKCS 12 files into the 7 3 security databases pk12util i ServerCert p12 d Enter...

Страница 51: ... n caSigningCert cert old_OCSP_instance t CT c d i caSigningCert b64 13 Optionally delete the base 64 file rm caSigningCert b64 14 Open the CS cfg configuration file in the var lib instance_ID conf directory 15 Edit the ocsp signing certnickname attribute to reflect the 7 3 OCSP instance ocsp signing certnickname ocspSigningCert cert old_OCSP_instance NOTE The caSigningCert is not referenced in th...

Страница 52: ...refixes on the HSM 2 Copy the extracted key pairs from the 6 x server to the 7 3 server cp old_server_root alias ServerCert p12 var lib instance_ID alias ServerCert p12 cp old_server_root alias ocspSigningCert p12 var lib instance_ID alias ocspSigningCert p12 3 Extract the public key of the CA signing certificate from the old security databases and save the base 64 encoded output to a file called ...

Страница 53: ...e Certificate System alias directory cd var lib instance_ID alias 5 Log in as root 6 Set the file user and group to the Certificate System user and group chown user group ServerCert p12 chown user group ocspSigningCert p12 chown user group caSigningCert b64 7 Log out as root As the Certificate System user set the file permissions chmod 00600 ServerCert p12 chmod 00600 ocspSigningCert p12 chmod 006...

Страница 54: ...new HSM certutil M n new_HSM_slot_name Server Cert cert old_OCSP_instance t cu cu cu d h new_HSM_token_name certutil M n new_HSM_slot_name ocspSigningCert cert old_OCSP_instance t cu cu cu d h new_HSM_token_name 13 Import the public key from the base 64 file into the new HSM and set the trust bits certutil A n new_HSM_slot_name caSigningCert cert old_OCSP_instance t CT c d h new_HSM_token_name i c...

Страница 55: ...ot referenced in the CS cfg file 17 In the same directory edit the serverCertNick conf file to contain the old certificate nickname For example new_HSM_slot_name Server Cert cert old_OCSP_instance Option 4 HSM to HSM Migration 49 ...

Страница 56: ...50 ...

Страница 57: ...tance config 2 Run the PasswordCache tool from the tools directory to retrieve the passwords from the database old_server_root bin cert tools PasswordCache old_passwordcache_password d old_server_root alias P cert old_instance old_hostname c pwcache db list This lists the information stored in the password cache cert key prefix cert old_instance old_hostname path old_server_root alias about to rea...

Страница 58: ...he file user and group to the Certificate System user and group chown user group password conf 7 Log out as root As the Certificate System user change the permissions on the password file chmod 00600 password conf 8 Copy the tags and passwords that were listed from the 6 x pwdcache db file into the password conf file Chapter 6 Step 5 Migrating Password Cache Data 52 ...

Страница 59: ...y usr share rhpki migrate a Open the Certificate System instance directory The migration utilities are in the migrate directory cd usr share rhpki b Package the latest version of the Certificate System migration utility using zip or tar tar cvf migrate tar migrate NOTE Regardless of the packaging tool used the corresponding tool must be present on the 6 x server machine If the platforms are identi...

Страница 60: ...ity package and any additional utilities such as the unzip utility that were copied to the Certificate Management System 6 x server rm migrate tar 2 Log into the Directory Server for the Certificate System 7 3 instance and export the internal database content to LDIF The internal database name for the Certificate System instance is in the internaldb database parameter in the CS cfg file Name the o...

Страница 61: ...n read modify allow read group Administrators group Auditors group Certificate Manager Agents group Registration Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents allow modify group Administrators Administrators auditors and agents are allowed to read user and group configuration but only administrators are allowed to modify list of ACLs objectClass t...

Страница 62: ...strators uniqueMember uid admin ou People basedn dn cn Enterprise TKS Administrators ou groups basedn description People who are the administrators for the security domain for TKS objectClass top objectClass groupOfUniqueNames cn Enterprise TKS Administrators uniqueMember uid admin ou People basedn dn cn Enterprise RA Administrators ou groups basedn description People who are the administrators fo...

Страница 63: ...LDIF directory and copy the old txt file into the Certificate System 7 3 server instance s internal database LDIF directory You can use any copy tool such as sftp scp and mv cd old_server_root slapd old_instance db ldif cp old_server_root slapd old_instance db ldif old txt opt redhat ds slapd DS instance ldif 7 Log into the 7 3 server as the Certificate System user and open the Certificate System ...

Страница 64: ... into the Certificate System 7 3 server instance s internal database a Open the Certificate System 7 3 database directory cd opt redhat ds slapd DS instance db b Run the ldif2db tool to import the LDIF file into the Certificate System database The internal database name for the Certificate System instance is in the internaldb database parameter in the CS cfg file For example ldif2db n server examp...

Страница 65: ...policyset set1 p1 default params ldap enable true policyset set1 p1 default params ldap searchName uid policyset set1 p1 default params ldapStringAttributes uid mail policyset set1 p1 default params ldap basedn dc example dc com policyset set1 p1 default params ldap maxConns 4 policyset set1 p1 default params ldap minConns 1 policyset set1 p1 default params ldap ldapconn Version 2 policyset set1 p...

Страница 66: ...et1 p1 default params ldap maxConns 4 policyset set1 p1 default params ldap minConns 1 policyset set1 p1 default params ldap ldapconn Version 2 policyset set1 p1 default params ldap ldapconn host ldaphostA example com policyset set1 p1 default params ldap ldapconn port 389 policyset set1 p1 default params ldap ldapconn secureConn false The altered profile serves certificate requests with S MIME su...

Страница 67: ... System 7 3 Instances 1 Restart the Directory Server for the Certificate System 7 3 instance cd opt redhat ds slapd DS instance start slapd 2 Start all of the Certificate System 7 3 instances etc init d instance_ID start Chapter 9 61 ...

Страница 68: ...62 ...

Страница 69: ... example com 9443 ca 3 Select the Configuration tab 4 Select the System Keys and Certificates option from the menu on the left 5 Select the Local Certificates tab on the right 6 Press the Add Renew button to launch the Certificate Setup Wizard 7 Follow the wizard prompts and fill in the appropriate information a In the Type of Operation panel select the Request a certificate option the default b I...

Страница 70: ...tem Console select the Configuration tab 4 In the left menu select the Keys and Certificates option 5 Select the Local Certificates tab on the right 6 Press the Add Renew button to launch the Certificate Setup Wizard 7 Go through the screens in the wizard to request the certificate a In the Type of Operation panel select the Request a Certificate option the default b In the Certificate Selection p...

Страница 71: ... select SSL Server Certificate from the pull down menu c Enter in any necessary information in the Location of Certificate panel d Go through the remaining panels in the Certificate Setup Wizard to install the updated SSL server certificate 11 Restart the Certificate System CA instance etc init d rhpki ca restart 3 Generating a New DRM OCSP or TKS SSL Server Certificate 1 Open the subsystem instan...

Страница 72: ...ts also e Click through the remaining panels in the Certificate Setup Wizard 7 Obtain the SSL server certificate request and store it in a base 64 file 8 Submit the SSL server certificate request to a CA and wait for approval of the request 9 After the SSL server certificate is approved click the Add Renew button to relaunch the Certificate Setup Wizard a In the Type of Operation panel select the ...

Страница 73: ...onsole Use the Console to configure any custom behavior of the different subsystems such as customized plug ins logging and auditing A subsystem may have to be restarted once all configuration changes have been applied Chapter 11 67 ...

Страница 74: ...68 ...

Страница 75: ...7 3 server to ensure that everything is working properly For example http server example com 9080 ca ee ca https server example com 9443 ca agent ca Then log into the Certificate System Console and verify that the new server can be managed through the Console pkiconsole https server example com ca The port numbers for all the agent services interfaces can be found in the server xml in the conf dir...

Страница 76: ...70 ...

Результаты поиска

Содержание CERTIFICATE SYSTEM 6.0 - MIGRATION GUIDE

Отзывы:

Похожие инструкции для CERTIFICATE SYSTEM 6.0 - MIGRATION GUIDE

Бренды по названию

Популярные бренды

Red Hat CERTIFICATE SYSTEM 6.0 - MIGRATION GUIDE, Руководство пользователя

Результаты поиска

Содержание CERTIFICATE SYSTEM 6.0 - MIGRATION GUIDE

Отзывы:

Похожие инструкции для CERTIFICATE SYSTEM 6.0 - MIGRATION GUIDE

Бренды по названию

Популярные бренды