Description of problem:
I attempted to use 11.2. Silently Configuring Subsystems from Red_Hat_Certificate_System-8.1-Deploy_and_Install_Guide-en-US to do some silent configurations of RHCS components and ran into some problems.

Example 11.3. Configuring a Subordinate CA
- Uses ConfigureCA instead of ConfigureSubCA.
- Uses ca_hostname, ca_port, ca_ssl_port which don't seem to exist

11.5. Performing Silent Configuration Using an External CA
- Has remove_data in both steps. If you do this you run into a really bewildering problem where subsystem certs don't validate properly and the CA won't start up but things look mostly right in the install logs and in NSS dbs.

11.4. Cloning a Subsystem Silently
- Doesn't include the clone_uri (it also isn't in the options table) that is required to get past the securitydomain panel.

I'm pretty sure I ran into other errors where options were given in examples that weren't appropriate for the type of the config or where options were missing where they were required. These were easy to quickly fix, but the ones above took a closer eye and further troubleshooting. I'd suggest just trying each of the examples verbatim and reviewing and updating Table 11.1. Parameters for pkisilent.

Version-Release number of selected component (if applicable):
RHCS 8.1

How reproducible:
Always

Steps to Reproduce:
1. Install a CA
2. Run the clone or subordinate examples
3.

Actual results:
Various stacktraces or complaints about invalid or pki-silent missing options

Expected results:
Examples should configure the system correctly.

Additional info:
One of the other big ones I forgot to mention is -ca_server_cert_subject_name. In the examples in the docs you set the CN to something other than the host's FQDN. The issue with this is when other subsystems try to connect to the CA via SSL during their configuration they bomb out if the cert they are given by the CA doesn't have its CN set to its FQDN. Perhaps some syntax checking on at least the CA's server cert would be useful.
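
A pre-flight check of the kind suggested in the comment above, as an added example that is not part of the bug report and not RHCS or pkisilent code. The function names `extract_cn` and `check_server_cert_subject` are hypothetical, and the host names and subject DNs are constructed sample values; only the option name `-ca_server_cert_subject_name` comes from the report.

```python
import re

OPTION = "-ca_server_cert_subject_name"  # option name as given in the report


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped.

    Simplification: an escaped backslash directly before a comma is not handled.
    """
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def extract_cn(dn):
    """Return the CN value of a subject DN, or None if it has no CN."""
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if sep and attr.strip().upper() == "CN":
            # Undo backslash escapes such as "\," inside the value.
            return re.sub(r"\\(.)", r"\1", value.strip())
    return None


def check_server_cert_subject(argv, fqdn):
    """Return a list of problems found in a pkisilent-style argument list."""
    if OPTION not in argv:
        return [f"{OPTION} not set"]
    idx = argv.index(OPTION)
    if idx + 1 >= len(argv):
        return [f"{OPTION} has no value"]
    subject = argv[idx + 1]
    cn = extract_cn(subject)
    if cn is None:
        return [f"subject {subject!r} has no CN"]
    # Host names compare case-insensitively; ignore a trailing root dot.
    if cn.rstrip(".").lower() != fqdn.rstrip(".").lower():
        return [f"CN {cn!r} does not match host FQDN {fqdn!r}"]
    return []


if __name__ == "__main__":
    host = "ca1.example.com"  # constructed; socket.getfqdn() on a real host
    samples = [  # constructed argument lists
        [OPTION, "CN=ca1.example.com,OU=pki-ca,O=Example Domain"],
        [OPTION, "CN=ca server cert,OU=pki-ca,O=Example Domain"],
    ]
    for args in samples:
        print(args[1], "->", check_server_cert_subject(args, host) or "ok")
```

Running such a check before the silent configuration surfaces the CN mismatch up front instead of as an SSL failure when another subsystem later connects to the CA.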