Description of problem:
When attempting to create a 2-step external CA using pkisilent based upon the pki_silent.template, running step 2 results in an error:

    Error in CertSubjectPanel(): updateStatus returns failure
    ERROR: ConfigureCA: CertSubjectPanel() failure
    ERROR: unable to create CA

Version-Release number of selected component (if applicable):
pki-silent-9.0.17-1.fc16.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Create new pki-cad instance
2. Use pki_silent.template example step 1 to create a CSR for external signing
3. Use pki_silent.template example step 2 to finish creation of CA

Actual results:
Creation of CA reports an error and does not complete:

    Error in CertSubjectPanel(): updateStatus returns failure
    ERROR: ConfigureCA: CertSubjectPanel() failure
    ERROR: unable to create CA

Expected results:
CA created successfully.

Additional info:
Within pki_silent.template line number 1314 reads:

    -external $ca_external} \

which should be:

    -external ${ca_external} \

With the line corrected, step 2 completes successfully and the CA instance is configured correctly.
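As an added illustration (not from the bug report and not Dogtag's own pki_silent.template code), the snippet below shows what the missing opening brace expands to before ConfigureCA ever sees the argument, and a small lint that flags any "$name}" with no opening brace in a template file. The four-line sample template fragment, the temp-file handling and all function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Dogtag's pki_silent.template.
# Shows what the reported typo expands to and lints a template for the same
# class of mistake (a "$name}" with no opening brace).

# ConfigureCA receives whatever the shell expands the argument to.  With the
# brace missing, "$ca_external}" is the variable $ca_external followed by a
# literal "}", so the flag is passed as "true}" instead of "true".
ca_external=true
broken_form() { printf '%s\n' "-external $ca_external}"; }   # prints "-external true}"
fixed_form()  { printf '%s\n' "-external ${ca_external}"; }  # prints "-external true"

# Lint: list line:content for every line holding "$name}" where the "$" is
# not immediately followed by "{".  Bracket expressions keep the pattern a
# portable ERE (no escaped "$" or "}").  Exit status 0 means a hit was found.
lint_unbalanced_braces() {
    grep -nE '[$][A-Za-z_][A-Za-z0-9_]*[}]' "$1"
}

# Number of offending lines in a template, as a string for easy comparison.
count_lint_hits() {
    lint_unbalanced_braces "$1" | wc -l | tr -d ' '
}

# Constructed sample: the template lines around the one the report quotes,
# written to a temp file whose path is printed for the caller.
sample_template() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
    -ca_audit_signing_cert_subject_name \
    "${ca_audit_signing_cert_subject_name}" \
    -external $ca_external} \
    -ext_csr_file ${ca_ext_csr_file} \
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: lint the sample and report the offending line (line 3).
tmpl=$(sample_template)
if lint_unbalanced_braces "$tmpl" >/dev/null 2>&1; then
    echo "unbalanced \${...} expansion(s) found:"
    lint_unbalanced_braces "$tmpl"
fi
rm -f "$tmpl"
```

Running the lint over a real template before invoking it catches this class of typo without having to wait for CertSubjectPanel() to fail at step 2.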
DOGTAG_9_BRANCH: http://git.fedorahosted.org/git/?p=pki.git;a=commit;h=a99a83ccf6741f7361904689ed79b7dafa5f323f

author    Matthew Harmsen <mharmsen>  Mon, 12 Mar 2012 22:29:57 +0000 (15:29 -0700)
committer Matthew Harmsen <mharmsen>  Mon, 12 Mar 2012 22:29:57 +0000 (15:29 -0700)
commit    a99a83ccf6741f7361904689ed79b7dafa5f323f

Get DOGTAG_9_BRANCH GIT repository in-sync with SVN namesake

Migrated the following bugs:
- Bugzilla Bug #747381 - After the migration (7.1->8.1) CA agent page displays admin cert request with authtime attribute twice
- Bugzilla Bug #747019 - Migrated policy requests from 7.1->8.1 displays issuedcerts and cert_Info params as base 64 blobs.
- Bugzilla Bug #757848 - DRM re-key tool: introduces a blank line in the middle of an ldif entry.
- Resolved Bugzilla Bug #801840 - pki_silent.template missing opening brace for ca_external variable

16 files changed:
    pki/CMakeLists.txt
    pki/base/common/src/com/netscape/cms/servlet/request/CertReqParser.java
    pki/base/java-tools/src/com/netscape/cmstools/DRMTool.java
    pki/base/silent/templates/pki_silent.template
    pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/processReq.template
    pki/scripts/compose_dogtag_pki_theme_packages
    pki/scripts/compose_pki_core_packages
    pki/scripts/compose_pki_kra_packages
    pki/scripts/compose_pki_ocsp_packages
    pki/scripts/compose_pki_tks_packages
    pki/specs/dogtag-pki-theme.spec
    pki/specs/dogtag-pki.spec
    pki/specs/pki-core.spec
    pki/specs/pki-kra.spec
    pki/specs/pki-ocsp.spec
    pki/specs/pki-tks.spec
master:

    # git add pki/base/silent/templates/pki_silent.template
    # git commit
    commit ce69d1c0f83e9dc1d66c58c40ab3b2f5f58cc8fa
    Author: Matthew Harmsen <mharmsen>
    Date:   Mon Mar 12 18:19:56 2012 -0700

        Resolved Bugzilla Bug #801840 - pki_silent.template missing opening brace for ca_external variable

    # git push
    Counting objects: 13, done.
    Delta compression using up to 4 threads.
    Compressing objects: 100% (6/6), done.
    Writing objects: 100% (7/7), 656 bytes, done.
    Total 7 (delta 4), reused 2 (delta 1)
    To ssh://git.fedorahosted.org/git/pki.git
       1f759b5..ce69d1c  master -> master
Versions:
|-------------------------------------------------------------------------------|
[root@rhelcs-1 silent]# rpm -qi pki-ca
Name        : pki-ca                        Relocations: (not relocatable)
Version     : 8.1.1                              Vendor: Red Hat, Inc.
Release     : 1.ecc.el5pki                   Build Date: Tue 19 Feb 2013 02:56:12 PM EST
|-------------------------------------------------------------------------------|
[root@rhelcs-1 silent]# rpm -qi pki-silent
Name        : pki-silent                    Relocations: (not relocatable)
Version     : 8.1.0                              Vendor: Red Hat, Inc.
Release     : 2.ecc.el5pki                   Build Date: Tue 19 Feb 2013 03:09:38 PM EST
Install Date: Tue 19 Feb 2013 09:28:40 AM EST   Build Host: payday.dsdev.sjc.redhat.com
Group       : System Environment/Shells     Source RPM: pki-silent-8.1.0-2.ecc.el5pki.src.rpm
|-------------------------------------------------------------------------------|

Steps to reproduce:

1. Configure CA subsystem (this will be the external CA subsystem)

    #!/bin/bash
    ### script to create ca instance
    pkicreate -pki_instance_root=/var/lib \
        -pki_instance_name=pki-ca1 \
        -subsystem_type=ca \
        -agent_secure_port=9443 \
        -ee_secure_port=9444 \
        -ee_secure_client_auth_port=9446 \
        -admin_secure_port=9445 \
        -unsecure_port=9180 \
        -tomcat_server_port=9701 \
        -user=pkiuser1 \
        -group=pkiuser1 \
        -redirect conf=/etc/pki-ca1 \
        -redirect logs=/var/log/pki-ca1 \
        -verbose
|-------------------------------------------------------------------------------|
2. Check the CA status

    [root@rhelcs-1 scripts]# /etc/init.d/pki-ca1 status
    pki-ca1 (pid 29326) is running ...

        Unsecure Port       = http://rhelcs-1.example.org:9180/ca/ee/ca
        Secure Agent Port   = https://rhelcs-1.example.org:9443/ca/agent/ca
        Secure EE Port      = https://rhelcs-1.example.org:9444/ca/ee/ca
        Secure Admin Port   = https://rhelcs-1.example.org:9445/ca/services
        EE Client Auth Port = https://rhelcs-1.example.org:9446/ca/eeca/ca
        PKI Console Port    = pkiconsole https://rhelcs-1.example.org:9445/ca
        Tomcat Port         = 9701 (for shutdown)

        PKI Instance Name:   pki-ca1
        PKI Subsystem Type:  Root CA (Security Domain)

        Registered PKI Security Domain Information:
        ========================================
        Name:  Example Domain
        URL:   https://rhelcs-1.example.org:9445
        ========================================
|-------------------------------------------------------------------------------|
3. Configure pki_silent.template: copy the template under another name

    $ cd /usr/share/pki/silent/
    $ cp pki_silent.template silent
|-------------------------------------------------------------------------------|
4. Issue pkicreate to install the CA instance

    pkicreate -pki_instance_root=/var/lib \
        -pki_instance_name=pki-ca \
        -subsystem_type=ca \
        -agent_secure_port=19443 \
        -ee_secure_port=19444 \
        -ee_secure_client_auth_port=19446 \
        -admin_secure_port=19445 \
        -unsecure_port=19180 \
        -tomcat_server_port=19701 \
        -user=pkiuser \
        -group=pkiuser \
        -redirect conf=/etc/pki-ca \
        -redirect logs=/var/log/pki-ca \
        -verbose
|-------------------------------------------------------------------------------|
5. Modify the CA ports in silent to use the ports below, as the external CA uses the default ports. Edit the /usr/share/pki/silent/silent1 file and specify the CA ports below:

    ## CA ports
    ca_nonssl_port=19180
    ca_agent_port=19443
    ca_ee_port=19444
    ca_admin_port=19445
|-------------------------------------------------------------------------------|
6. Edit /usr/share/pki/silent/silent1 and specify the parameters below

    pki_silent_security_database_repository="/tmp/silent"
    pki_silent_security_database_password=redhat
    pki_security_domain_name="Example\ Domain"
    pki_security_domain_host=`hostname`
    pki_security_domain_admin_name=admin
    pki_security_domain_admin_password=redhat
    pki_ldap_host=localhost
    pki_ldap_port=389
    pki_bind_dn="cn=Directory\ Manager"
    pki_bind_password="redhat@123"
    ca_token_name=internal
    ca_token_password="302616449511"
    ca_backup_password="302616449511"
    pki_email_name=root
    pki_email_company=example
    pki_email_domain=com
    pki_silent_admin_user=admin
    pki_silent_admin_password=redhat
    pki_silent_admin_email="${pki_email_name}\@${pki_email_company}\.${pki_email_domain}"
    pki_host=`hostname`
    ca_subsystem_name="Certificate\ Authority"
    kra_subsystem_name="Data\ Recovery\ Manager"
    ocsp_subsystem_name="OCSP\ Responder"
    tks_subsystem_name="Token\ Key\ Service"
    ra_subsystem_name="Registration\ Authority"
    tps_subsystem_name="Token\ Processing\ System"
    ca_instance_name="pki-ca"
    ca_nonssl_port=19180
    ca_agent_port=19443
    ca_ee_port=19444
    ca_admin_port=19445
    pki_silent_ca_log=/tmp/ca.log
    ca_external=true
    ca_ext_csr_file=/tmp/ext_ca.csr
|-------------------------------------------------------------------------------|
7. Also edit the pki_silent template file silent1 to uncomment the lines that invoke the CA installation to create the CSR (step 1)

    ## Configure CA signed by external CA (step 1)
    printf "'${pki_silent_script}': First step in configuring '${ca_instance_name}' . . .\n"
    pkisilent ConfigureCA \
        -cs_hostname "${pki_host}" \
        -cs_port ${ca_admin_port} \
        -client_certdb_dir ${pki_silent_security_database_repository} \
        -client_certdb_pwd ${pki_silent_security_database_password} \
        -preop_pin ${ca_preop_pin} \
        -domain_name "${pki_security_domain_name}" \
        -admin_user ${pki_silent_admin_user} \
        -admin_password ${pki_silent_admin_password} \
        -admin_email "${pki_silent_admin_email}" \
        -agent_name ${ca_agent_name} \
        -agent_key_size ${ca_agent_key_size} \
        -agent_key_type ${ca_agent_key_type} \
        -agent_cert_subject "${ca_agent_cert_subject}" \
        -ldap_host ${pki_ldap_host} \
        -ldap_port ${pki_ldap_port} \
        -bind_dn "${pki_bind_dn}" \
        -bind_password ${pki_bind_password} \
        -base_dn "${ca_base_dn}" \
        -db_name "${ca_db_name}" \
        -key_size ${ca_key_size} \
        -key_type ${ca_key_type} \
        -key_algorithm ${ca_key_algorithm} \
        -signing_algorithm ${ca_signing_algorithm} \
        -signing_signingalgorithm ${ca_signing_signingalgorithm} \
        -ocsp_signing_signingalgorithm ${ca_ocsp_signing_signingalgorithm} \
        -save_p12 ${ca_save_p12} \
        -subsystem_name ${ca_subsystem_name} \
        -token_name ${ca_token_name} \
        -token_pwd ${ca_token_password} \
        -ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \
        -ca_subsystem_cert_subject_name "${ca_subsystem_cert_subject_name}" \
        -ca_ocsp_cert_subject_name "${ca_ocsp_cert_subject_name}" \
        -ca_server_cert_subject_name "${ca_server_cert_subject_name}" \
        -ca_audit_signing_cert_subject_name \
        "${ca_audit_signing_cert_subject_name}" \
        -external ${ca_external} \
        -ext_csr_file ${ca_ext_csr_file} \
        | tee ${pki_silent_ca_log}

    ## Restart CA
    #/sbin/service ${ca_instance_name} restart
|-------------------------------------------------------------------------------|
8. Run the template /usr/share/pki/silent/silent1
9. The above creates the certificate request /tmp/ext_ca.csr
10. Sign the request with the external CA created in step 1.
    A. Access the EE page: http://<hostname>:9444/ca/ee/ca
    B. Select the "Manual Certificate Manager Signing Certificate Enrollment"
    C. Paste the request and submit it to the CA
    D. Go to the Agent page and sign the request.
|-------------------------------------------------------------------------------|
11. Copy the signed CA certificate into the file below

    cat /tmp/ca_ext_cert_file.crt
|-------------------------------------------------------------------------------|
12. Copy the external CA's signing CA cert into the file below

    $ cat /tmp/ca_ext_cert_chain_file.crt
|-------------------------------------------------------------------------------|
13. Edit the pki_silent template to specify the signed CA cert file and the external CA chain file. Comment out the parameters below:

    #ca_external=true
    #ca_ext_csr_file=/tmp/ext_ca.csr

   and add the lines below:

    ca_external=true
    ca_ext_cert_file=/tmp/ca_ext_cert_file.crt
    ca_ext_cert_chain_file=/tmp/ca_ext_cert_chain_file.crt

   Then uncomment the pkisilent command that invokes step 2, which takes the signed cert and configures the CA:

    ## Configure an externally signed CA (step 2)
    printf "'${pki_silent_script}': Step 2 in configuring external signed '${ca_instance_name}' . . .\n"
    pkisilent ConfigureCA \
        -cs_hostname "${pki_host}" \
        -cs_port ${ca_admin_port} \
        -client_certdb_dir ${pki_silent_security_database_repository} \
        -client_certdb_pwd ${pki_silent_security_database_password} \
        -preop_pin ${ca_preop_pin} \
        -domain_name "${pki_security_domain_name}" \
        -admin_user ${pki_silent_admin_user} \
        -admin_password ${pki_silent_admin_password} \
        -admin_email "${pki_silent_admin_email}" \
        -agent_name ${ca_agent_name} \
        -agent_key_size ${ca_agent_key_size} \
        -agent_key_type ${ca_agent_key_type} \
        -agent_cert_subject "${ca_agent_cert_subject}" \
        -ldap_host ${pki_ldap_host} \
        -ldap_port ${pki_ldap_port} \
        -bind_dn "${pki_bind_dn}" \
        -bind_password ${pki_bind_password} \
        -base_dn "${ca_base_dn}" \
        -db_name "${ca_db_name}" \
        -key_size ${ca_key_size} \
        -key_type ${ca_key_type} \
        -key_algorithm ${ca_key_algorithm} \
        -signing_algorithm ${ca_signing_algorithm} \
        -signing_signingalgorithm ${ca_signing_signingalgorithm} \
        -ocsp_signing_signingalgorithm ${ca_ocsp_signing_signingalgorithm} \
        -save_p12 ${ca_save_p12} \
        -subsystem_name ${ca_subsystem_name} \
        -token_name ${ca_token_name} \
        -token_pwd ${ca_token_password} \
        -ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \
        -ca_subsystem_cert_subject_name "${ca_subsystem_cert_subject_name}" \
        -ca_ocsp_cert_subject_name "${ca_ocsp_cert_subject_name}" \
        -ca_server_cert_subject_name "${ca_server_cert_subject_name}" \
        -ca_audit_signing_cert_subject_name \
        "${ca_audit_signing_cert_subject_name}" \
        -external ${ca_external} \
        -ext_ca_cert_file ${ca_ext_cert_file} \
        -ext_ca_cert_chain_file ${ca_ext_cert_chain_file} \
        | tee ${pki_silent_ca_log}

    ## Restart CA
    /sbin/service ${ca_instance_name} restart
|-------------------------------------------------------------------------------|
14. Check the /tmp/ca.log file to see the installation status.
15. Check the instance status:

    [root@rhelcs-1 tmp]# /etc/init.d/pki-ca status
    pki-ca (pid 30443) is running ...

        Unsecure Port       = http://rhelcs-1.example.org:19180/ca/ee/ca
        Secure Agent Port   = https://rhelcs-1.example.org:19443/ca/agent/ca
        Secure EE Port      = https://rhelcs-1.example.org:19444/ca/ee/ca
        Secure Admin Port   = https://rhelcs-1.example.org:19445/ca/services
        EE Client Auth Port = https://rhelcs-1.example.org:19446/ca/eeca/ca
        PKI Console Port    = pkiconsole https://rhelcs-1.example.org:19445/ca
        Tomcat Port         = 19701 (for shutdown)

        PKI Instance Name:   pki-ca
        PKI Subsystem Type:  Subordinate CA (Security Domain)

        Registered PKI Security Domain Information:
        ==============================================
        Name:  Example Domain
        URL:   https://rhelcs-1.example.org:19445
        ==============================================
|-------------------------------------------------------------------------------|
pkisilent configuration for SubCA
=================================

1. Create user pkiuser8

    $ useradd -d /usr/share/pki/pkiuser8 -s /sbin/nologin -r pkiuser8
#---------------------------------------------------------------------#
2. Copy the Certicom libraries and the "initpin" binary below to the home directory of pkiuser8

    libsbcpgse.so, libsbgse2.so
    initpin
#---------------------------------------------------------------------#
3. Run initpin

    [root@nocp2 pkiuser8]# ./initpin
    Security Builder API for PKCS #11 User PIN Initialization Utility
    This utility can be used to set the Normal User's PIN
    Please enter the directory where the token databases exist or will be created: /usr/share/pki/pkiuser8
    Enter the Normal User's PIN:
    Re-Enter the Normal User's PIN:
    The Normal User's PIN has been set!
#---------------------------------------------------------------------#
4. Change ownership of the files in /usr/share/pki/pkiuser1 to the pkiuser1 user

    $ cd /usr/share/pki/pkiuser8
    $ chown -R pkiuser8: pkiuser8
#---------------------------------------------------------------------#
5. Create the CA instance

    [root@nocp2 test]# cat ca.bash
    pkicreate -pki_instance_root=/var/lib \
        -pki_instance_name=pki-ca-Apr4-subca-inst2-nocp2 \
        -subsystem_type=ca \
        -agent_secure_port=39543 \
        -ee_secure_port=39544 \
        -ee_secure_client_auth_port=39546 \
        -admin_secure_port=39545 \
        -unsecure_port=39580 \
        -tomcat_server_port=39501 \
        -user=pkiuser8 \
        -group=pkiuser8 \
        -redirect conf=/etc/pki-ca-Apr4-subca-inst2-nocp2 \
        -redirect logs=/var/log/pki-ca-Apr4-subca-inst2-nocp2 \
        -verbose
#---------------------------------------------------------------------#
6. Stop the CA instance

    [root@nocp2 test]# /sbin/service pki-ca-Apr4-subca-inst2-nocp2 stop
    Stopping pki-ca-Apr4-subca-inst2-nocp2: ..                 [  OK  ]

    export HOME=/usr/share/pki/pkiuser8
    cd /var/lib/pki-ca-Apr4-subca-inst2-nocp2/alias
    $ modutil -dbdir . -nocertdb -add certicom -libfile /usr/lib64/libsbcpgse.so
#---------------------------------------------------------------------#
7. Add the line below to CS.cfg

    ca.requestVerify.token=Certicom FIPS Cert/Key Services
#---------------------------------------------------------------------#
8. Add the environment variable NSS_USE_DECODED_CKA_EC_POINT to /usr/bin/dtomcat5-pki-ca-Apr4-subca-inst2-nocp2
#---------------------------------------------------------------------#
9. Add the line "hardware-Certicom\ FIPS\ Cert/Key\ Services=redhat" to password.conf
#---------------------------------------------------------------------#
10. Start the instance.
#---------------------------------------------------------------------#
11. Log in as the non-root user who will administer the CA (in this example, user test1).
#---------------------------------------------------------------------#
12. Check that no firefox processes are running

    [root@nocp2 alias]# su - test1
    [test1@nocp2 ~]$ ps -ef | grep firefox
    test1    18751 18722  0 03:54 pts/0    00:00:00 grep firefox
#---------------------------------------------------------------------#
13. Copy one of the silentEC_ca.template files from the /usr/share/pki/silent/ directory to the browser profile directory under a different script name

    [test1@nocp2 ~]$ cp /usr/share/pki/silent/silentEC_subca.template .mozilla/firefox/uhn8gnex.default/EC_subca.template
#---------------------------------------------------------------------#
Note: Make sure the Certicom token is added to the

    [test1@nocp2 ~]$ cd .mozilla/firefox/oz5a7i6i.ECCSilent
    [test1@nocp2 uhn8gnex.default]$ modutil -dbdir . -list -nocertdb

    Listing of PKCS #11 Modules
    -----------------------------------------------------------
      1. NSS Internal PKCS #11 Module
             slots: 2 slots attached
            status: loaded

             slot: NSS Internal Cryptographic Services
            token: NSS Generic Crypto Services

             slot: NSS User Private Key and Certificate Services
            token: NSS Certificate DB

      2. certicom
            library name: /usr/lib64/libsbcpgse.so
             slots: 2 slots attached
            status: loaded

             slot: FIPS Generic Crypto Services V1.0.1d
            token: Certicom FIPS Crypto Services

             slot: FIPS Certificate/Key Services V1.0.1d
            token: Certicom FIPS Cert/Key Services
#---------------------------------------------------------------------#
14. Specify the parameters below in EC_subca.template

    pki_silent_security_database_repository=/home/test1/.mozilla/firefox/uhn8gnex.default
    pki_silent_security_database_password="redhat"
    pki_silent_security_token_name="Certicom\ FIPS\ Cert/Key\ Services"
    pki_security_domain_name="PKI\ Domain1"
    pki_security_domain_host=`hostname`
    pki_security_domain_admin_name=admin
    pki_security_domain_admin_password=redhat
    pki_ldap_host=localhost
    pki_ldap_port=389
    pki_bind_dn="cn=Directory\ Manager"
    pki_bind_password=Secret123
    subca_token_name=NHSM6000-OCS
    subca_token_password=redhat123
    subca_backup_password=redhat
    pki_email_name=admin
    pki_email_company=example
    pki_email_domain=com
    pki_silent_admin_user=admin
    pki_silent_admin_password=redhat
    pki_silent_admin_email="${pki_email_name}\@${pki_email_company}\.${pki_email_domain}"
    subca_subsystem_name="Certificate\ Authority\ 2"
    subca_instance_name="pki-ca-Apr4-subca-inst2-nocp2"
    ca_nonssl_port=29180
    ca_agent_port=29443
    ca_ee_port=29444
    ca_admin_port=29445

    ## Subordinate CA ports
    subca_nonssl_port=39580
    subca_agent_port=39543
    subca_ee_port=39544
    subca_admin_port=39545
    subca_preop_pin=SzTFUBzk4bNwiPzAsWJX
#---------------------------------------------------------------------#
15. Execute the script

    [test1@nocp2 uhn8gnex.default]$ ./EC_subca.template
    WARNING:  At least one of the security databases (i. e. - 'cert8.db', 'key3.db', and/or 'secmod.db') required by 'EC_subca.template' exists at the specified location '/home/test1/.mozilla/firefox/oz5a7i6i.ECCSilent'.  Continue...

    Removing old PKI Silent log files:  Done.

    'EC_subca.template': Configuring 'pki-ca-Apr4-subca-inst2-nocp2' . . .
    libpath=/usr/lib64
#---------------------------------------------------------------------#
16. After successful configuration we would see the output below:

    <snip>
    caHost=nocp2.dsdev.sjc.redhat.com
    caPort=39545
    systemType=ca
    Certificate System - Subordinate CA Instance Configured.
    #######################################################################
    If configured without errors, ask the OS root user to restart the CS instance:
    /sbin/service 'pki-ca-Apr4-subca-inst2-nocp2' restart
    </snip>
#---------------------------------------------------------------------#
17. Restart the instance.

    [root@nocp2 pki-ca-Apr4-extca-inst2-nocp2]# /etc/init.d/pki-ca-Apr4-subca-inst2-nocp2 status
    pki-ca-Apr4-subca-inst2-nocp2 (pid 9033) is running ...

        Unsecure Port       = http://nocp2.dsdev.sjc.redhat.com:39580/ca/ee/ca
        Secure Agent Port   = https://nocp2.dsdev.sjc.redhat.com:39543/ca/agent/ca
        Secure EE Port      = https://nocp2.dsdev.sjc.redhat.com:39544/ca/ee/ca
        Secure Admin Port   = https://nocp2.dsdev.sjc.redhat.com:39545/ca/services
        EE Client Auth Port = https://nocp2.dsdev.sjc.redhat.com:39546/ca/eeca/ca
        PKI Console Port    = pkiconsole https://nocp2.dsdev.sjc.redhat.com:39545/ca
        Tomcat Port         = 39501 (for shutdown)

        PKI Instance Name:   pki-ca-Apr4-subca-inst2-nocp2
        PKI Subsystem Type:  Subordinate CA

        Registered PKI Security Domain Information:
        =======================================
        Name:  PKI Domain1
        URL:   https://nocp2.dsdev.sjc.redhat.com:29445
        =======================================
The comment #6 was wrongly added here. Apologies.