-
Notifications
You must be signed in to change notification settings - Fork 139
Upgrading PKI 10.5 to PKI 10.6
In general PKI 10.5 server can be upgraded to PKI 10.6 with the following procedure:
-
Shutdown PKI server
-
Upgrade PKI packages
-
Follow the database upgrade procedure to upgrade PKI database
-
Restart PKI server
However, if the SSL server certificate is stored in an HSM that does not support key export, or if the server is configured with Nuxwdog, or both, follow the procedure below.
If Nuxwdog is disabled, shutdown the server with the following command:
$ systemctl stop pki-tomcatd@pki-tomcat.service
If Nuxwdog is enabled, shutdown the server with the following command:
$ systemctl stop pki-tomcatd-nuxwdog@pki-tomcat.service
Enable the RPM repository that contains PKI 10.6, then execute the following command:
$ dnf update
Follow the [manual database upgrade] procedure to upgrade PKI database.
If the current SSL server certificate is stored in an HSM that does not support key export, follow this procedure to generate a new SSL server certificate in the internal token. Otherwise, skip to the next section.
Get the CA Key Identifier and OCSP URL from the current SSL server certificate with the following commands:
$ pki-server cert-show sslserver --instance "pki-tomcat" --pretty-print ... Name: Certificate Authority Key Identifier Key ID: 20:bf:45:ce:45:a4:e7:cd:5f:dd:e2:76:99:41:73:00: ae:f8:a4:50 Name: Authority Information Access Method: PKIX Online Certificate Status Protocol Location: URI: "http://pki.example.com:8080/ca/ocsp" ...
Set AKI and OCSP environment variables based on the above output:
$ AKI="20bf45ce45a4e7cd5fdde27699417300aef8a450" $ OCSP="http://pki.example.com:8080/ca/ocsp"
Generate an SSL server CSR in the internal token with the following commands:
$ cd /var/lib/pki/pki-tomcat/conf $ mkdir -p certs $ openssl rand -out noise.bin 2048 $ certutil -R \ -d alias \ -z noise.bin \ -s "CN=$HOSTNAME,O=EXAMPLE" \ -o certs/sslserver.csr.der \ -k rsa \ -g 2048 \ -Z SHA256 \ --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature \ --extKeyUsage serverAuth $ openssl req -inform der -in certs/sslserver.csr.der -out certs/sslserver.csr
If Nuxwdog is not enabled, the internal token password should be available in the password.conf
.
If the server has a CA subsystem, issue the certificate by signing the CSR with the following commands:
$ TOKEN=<token> $ SERIAL=<serial number> $ echo -e "y\n${AKI}\n\n\n\n2\n7\n${OCSP}\n\n\n\n" | \ certutil -C \ -d alias \ -h ${TOKEN} \ -m ${SERIAL} \ -a \ -i certs/sslserver.csr \ -o certs/sslserver.crt \ -c "${TOKEN}:ca_signing" \ -3 \ --extAIA \ --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature \ --extKeyUsage serverAuth
Notes:
-
Select a serial number that do not conflict with existing certificates.
-
If Nuxwdog is not enabled, the HSM password should be available in the password.conf.
If the server does not have a CA subsystem, submit the CSR to the issuing CA to obtain the SSL server certificate, then place it in /var/lib/pki/pki-tomcat/conf/certs/sslserver.crt
.
Remove the token name in /var/lib/pki/pki-tomcat/conf/serverCertNick.conf
:
sslserver
Also remove the token name from the following parameter in /var/lib/pki/pki-tomcat/conf/<subsystem>/CS.cfg
:
<subsystem>.cert.sslserver.nickname=sslserver
Replace the token name in the following parameter in /var/lib/pki/pki-tomcat/conf/<subsystem>/CS.cfg
with internal token:
<subsystem>.sslserver.tokenname=Internal Key Storage Token
Install the SSL server certificate in /var/lib/pki/pki-tomcat/conf/certs/sslserver.crt
into the internal token with the following command:
$ pki-server cert-import sslserver --instance "pki-tomcat"
If Nuxwdog is enabled, follow this procedure to export the SSL Server Certificate from the internal token into a PKCS #12 file. Otherwise, skip to the next section.
Create a password file for PKCS #12 keystore:
$ pki password-generate > "/var/lib/pki/pki-tomcat/conf/keystore.pwd" $ chown pkiuser.pkiuser "/var/lib/pki/pki-tomcat/conf/keystore.pwd" $ chmod 0660 "/var/lib/pki/pki-tomcat/conf/keystore.pwd"
Then export SSL server certificate and key into PKCS #12 keystore:
$ pki-server cert-export sslserver \ --instance "pki-tomcat" \ --pkcs12-file "/var/lib/pki/pki-tomcat/conf/keystore.p12" \ --pkcs12-password-file "/var/lib/pki/pki-tomcat/conf/keystore.pwd" \ --friendly-name "sslserver" \ --cert-encryption "PBE/SHA1/RC2-40" \ --key-encryption "PBE/SHA1/DES3/CBC" $ chown pkiuser.pkiuser "/var/lib/pki/pki-tomcat/conf/keystore.p12" $ chmod 0660 "/var/lib/pki/pki-tomcat/conf/keystore.p12"
If Nuxwdog is disabled, restart the server with the following command:
$ systemctl start pki-tomcatd@pki-tomcat.service
If Nuxwdog is enabled, restart the server with the following command:
$ systemctl start pki-tomcatd-nuxwdog@pki-tomcat.service
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |