Red Hat Certificate System
This guide provides step-by-step instructions for integrating Red Hat Certificate System with a Luna HSM device or the Luna Cloud HSM service. Red Hat Certificate System is a comprehensive security framework that handles user identity management, protects digital communication against threats, and streamlines the integration of essential encryption and authentication technologies.
Red Hat Certificate System uses Luna HSMs to safeguard private signing keys, offloading cryptographic operations from the host server to the HSM. The integration relies on the widely adopted PKCS#11 interface, through which Red Hat Certificate System generates RSA and ECDSA keys directly on the Luna HSM. These keys, used for encryption and signing, serve the various Red Hat Certificate System subsystems, including the CA, KRA, OCSP, TPS, and TKS. The supported key sizes for RSA and ECC on Luna HSMs are:
- RSA: 2048, 3072, 4096 bits
- ECC: nistp256, nistp384, nistp521
This guide illustrates the integration process by demonstrating the use of a signing key generated on a Luna HSM. The integration of Red Hat Certificate System with Luna HSMs offers the following benefits:
- Secure generation, storage, and protection of the identity signing private keys using either FIPS 140-2 or FIPS 140-3 Level 3 validated hardware.
- Full life cycle management of the keys to ensure their integrity and reliability throughout their usage.
- Maintenance of a comprehensive HSM audit trail for transparency and accountability in key operations. It's important to note that Luna Cloud HSM service does not have access to this secure audit trail.
- Significant performance enhancements by offloading cryptographic operations from application servers.
Supported Platforms
This integration has been tested and verified on the following platforms:
HSM Type | Operating System | Red Hat Certificate System | Red Hat Directory Server |
---|---|---|---|
Luna HSM f/w v7.8.4, Luna Client v10.7 | Red Hat Enterprise Linux 8.x (64-bit) | RHCS v10.4 | RHDS v11.7 |
Luna HSM f/w 7.3.x, Luna Client v7.x | Red Hat Enterprise Linux 7.6 (64-bit) | RHCS v9.5 | RHDS v10.4 |
Luna Cloud HSM | Red Hat Enterprise Linux 7.6 (64-bit) | RHCS v9.5 | RHDS v10.4 |
This integration has been tested using Luna Client in both High Availability (HA) and FIPS-compliant modes.
Prerequisites
The prerequisites for this integration are:
Set up Luna HSM
As the first step to accomplish this integration, you need to set up either On-Premise Luna HSM or Luna Cloud HSM.
Set up On-Premise Luna HSM
Follow these steps to set up your on-premise Luna HSM:
Ensure that the HSM is set up, initialized, provisioned, and ready for deployment. For more information, refer to Luna HSM documentation.
Create a partition that will later be used by Red Hat Certificate System.
Create and exchange certificates between the Luna Network HSM and the client system. Register the client and assign the partition to create an NTLS connection.
Initialize Crypto Officer and Crypto User roles for the registered partition.
Run the following command to verify that the partition has been successfully registered and configured:
/usr/safenet/lunaclient/bin/lunacm
Upon successful execution, you should observe an output similar to the example provided below:
```
lunacm.exe (64-bit) v10.7.0-255. Copyright (c) 2023 Thales Group. All rights reserved.

Available HSMs:

Slot Id ->              0
Label ->                TPA01
Serial Number ->        1238696044901
Model ->                LunaSA 7.8.4
Firmware Version ->     7.8.4
Bootloader Version ->   1.1.5
Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description ->     Net Token Slot
FM HW Status ->         FM Ready

Current Slot Id: 0
```
Refer to Luna HSM documentation for detailed steps on creating NTLS connection, initializing the partitions, and assigning various user roles.
To ensure the correct configuration of a PED-based Luna HSM, make sure that ProtectedAuthenticationPathFlagStatus is set to 1 within the Misc section of the Chrystoki.conf file.
Configure a PED-authenticated Luna HSM
To configure a PED-authenticated Luna HSM, follow these steps:
Open the Chrystoki.conf file.
Locate the Misc section within the file.
Ensure that the policy ProtectedAuthenticationPathFlagStatus is set to 1 within the Misc section.
Modify the configuration as follows:
Misc = {
ProtectedAuthenticationPathFlagStatus = 1;
}
By setting ProtectedAuthenticationPathFlagStatus to 1, you enable the Protected Authentication Path (PAP) feature for the Luna HSM, ensuring secure authentication during operations. This step is essential for ensuring the integrity and security of your PED-based Luna HSM configuration.
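The following script is an added example (it is not part of this guide or of the Luna client) that checks the setting described above without editing the file by hand: it extracts a key from the Misc block of Chrystoki.conf and reports whether ProtectedAuthenticationPathFlagStatus is 1. The default path /etc/Chrystoki.conf and the sample file contents are assumptions for the stand-alone run.

```shell
#!/bin/sh
# Added example, not from the Thales guide: verify the PED setting in
# Chrystoki.conf. The file uses "Section = { Name = value; }" blocks, so the
# check must look inside the Misc block only and ignore other sections.

# chrystoki_misc_value FILE KEY: print KEY's value from the "Misc = { ... }"
# block of FILE (empty output when the key or the block is absent).
chrystoki_misc_value() {
    file="$1"; key="$2"
    awk -v key="$key" '
        /^[[:space:]]*Misc[[:space:]]*=[[:space:]]*[{]/ { in_misc = 1; next }
        in_misc && /^[[:space:]]*[}]/                  { in_misc = 0; next }
        in_misc {
            line = $0
            sub(/;.*$/, "", line)               # drop the trailing ";" and anything after it
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$file"
}

# check_ped_flag [FILE]: return 0 when ProtectedAuthenticationPathFlagStatus
# is 1 in the Misc block of FILE (default /etc/Chrystoki.conf, an assumption).
check_ped_flag() {
    file="${1:-/etc/Chrystoki.conf}"
    val=$(chrystoki_misc_value "$file" ProtectedAuthenticationPathFlagStatus)
    if [ "$val" = "1" ]; then
        echo "OK: ProtectedAuthenticationPathFlagStatus = 1 in $file"
        return 0
    fi
    echo "FAIL: ProtectedAuthenticationPathFlagStatus is '${val:-unset}' in $file (expected 1)"
    return 1
}

# Constructed sample configuration so the script runs stand-alone; it is not a
# real Chrystoki.conf, only the two blocks this check cares about.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
Chrystoki2 = {
   LibUNIX64 = /usr/safenet/lunaclient/lib/libCryptoki2_64.so;
}
Misc = {
   ToolsDir = /usr/safenet/lunaclient/bin;
   ProtectedAuthenticationPathFlagStatus = 1;
}
EOF
check_ped_flag "$demo_conf"
rm -f "$demo_conf"
```

Run it against the real file with `check_ped_flag /etc/Chrystoki.conf` (or whatever ChrystokiConfigurationPath points at) after any client upgrade, since the setting only matters once the PED-authenticated partition is in use.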
Set up Luna HSM High-Availability Group
Refer to Luna HSM documentation for HA steps and details regarding configuring and setting up two or more HSM boxes on host systems. You must enable the HAOnly setting in HA for failover to work so that if the primary goes down due to any reason, all calls get automatically routed to the secondary until the primary recovers and starts up.
Manage User Access to the HSM
By default, access to the HSM device is limited to the root user. If you need to grant access to the HSM for specific non-root users, you can achieve this by including them in the hsmusers group. The hsmusers group is automatically generated during the client software installation process and remains intact even if you uninstall the client software. This design enables you to update your client software without losing your hsmusers group settings.
Add users to the hsmusers group
If you wish to permit non-root users or applications to interact with the HSM device, you must assign these users to the hsmusers group. Make sure that the users you intend to add to the hsmusers group are already established on the client workstation. Only users added to the hsmusers group will be granted access to the HSM device. Follow these steps to add a user to the hsmusers group:
Ensure that you possess sudo privileges on the client workstation.
Add a user to the hsmusers group using the command:
sudo gpasswd --add <username> hsmusers
Replace <username> with the actual username you want to include in the hsmusers group.
Remove users from the hsmusers group
If you need to withdraw a user's authorization to access the HSM device, you can remove them from the hsmusers group. Carry out the following steps to remove a user from the hsmusers group:
Confirm that you hold sudo privileges on the client workstation.
Remove a user from the hsmusers group using the command:
sudo gpasswd --delete <username> hsmusers
Replace <username> with the specific username you want to exclude from the hsmusers group. To observe the changes, the user needs to log in again.
Any user you remove will retain access to the HSM device until the client workstation is rebooted.
Set up Luna Cloud HSM
Follow these steps to set up your Luna Cloud HSM:
Transfer the downloaded .zip file to your client workstation using pscp, scp, or other secure means.
This integration has been certified on the RHEL platform.
Extract the .zip file into a directory on your client workstation.
Extract or untar the appropriate client package for your operating system. Do not extract to a new subdirectory; place the files in the client install directory.
tar -xvf cvclient-min.tar
Run the setenv script to create a new configuration file containing information required by the Luna Cloud HSM service.
source ./setenv
To add the configuration to an already installed UC client, use the --addcloudhsm option when running the setenv script.
Run the LunaCM utility and verify that the Cloud HSM service is listed.
If your organization requires non-FIPS algorithms for your operations, ensure that the Allow non-FIPS approved algorithms check box is checked. For more information, refer to Supported Mechanisms.
Set up Red Hat Certificate System
To set up Red Hat Certificate System, follow these steps:
Before installing RHCS v10.4, ensure that your system is running on RHEL 8.6 and that the EUS update is enabled by executing the following commands:
# subscription-manager release --set=8.6
# subscription-manager repos --enable rhel-8-for-x86_64-baseos-eus-rpms
# subscription-manager repos --enable rhel-8-for-x86_64-appstream-eus-rpms
Set up a new directory server
Before you begin, follow the guidelines in the Red Hat Directory Server Installation Documentation. Then enable the necessary repository by executing the following command, replacing dirsrv-11-for-rhel-8-x86_64-rpms with the actual repository name:
# subscription-manager repos --enable=dirsrv-11-for-rhel-8-x86_64-rpms
To set up a new directory server:
Install the Red Hat Directory Server module (redhat-ds:11 for Red Hat Directory Server 11) with the following command, which pulls in all necessary dependencies:
yum module install redhat-ds:11
Verify that the firewalld service is running.
systemctl status firewalld
Open the required ports using the firewall-cmd utility. For example, to open the default LDAP and LDAPS ports in the default firewall zone, run:
firewall-cmd --permanent --add-port={389/tcp,636/tcp}
Reload the firewall configuration to ensure the change takes effect.
firewall-cmd --reload
Initiate the interactive installer to create a new instance. Follow the on-screen prompts to customize the setup of the Red Hat Directory Server.
dscreate interactive
Install the Red Hat Certificate System
Before proceeding, follow the guidelines in the Red Hat Certificate System Documentation. Then enable the necessary repository by executing the following command, replacing certsys-10.4-for-rhel-8-x86_64-rpms with the actual repository name:
# subscription-manager repos --enable certsys-10.4-for-rhel-8-x86_64-rpms
To install a Red Hat Certificate System:
Enable FIPS mode on the RHEL host. To verify if FIPS mode is enabled, run the following command:
sysctl crypto.fips_enabled
If the returned value is 1, FIPS mode is enabled. If not, refer to the Red Hat Linux Documentation to enable the FIPS mode.
Check SELinux Status. By default, SELinux is enabled and running in enforcing mode after installing Red Hat Enterprise Linux. To confirm the current SELinux mode, use the following command:
getenforce
Open the required ports using the firewall-cmd utility. For example, to open the Certificate System default ports in the default firewall zone, run:
firewall-cmd --permanent --add-port={8080/tcp,8443/tcp,8009/tcp,8005/tcp}
Reload the firewall configuration to ensure that the change takes effect.
firewall-cmd --reload
Enable and install the Red Hat Certificate System.
# dnf module enable redhat-pki
# dnf install redhat-pki
The redhat-pki module installs the subsystems of Red Hat Certificate System along with all necessary dependencies. Alternatively, follow the Product Documentation for Red Hat Certificate System to install packages separately.
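As an added example (not part of this guide), the script below bundles the host checks from the directory server and Certificate System steps above into one pre-flight report: FIPS mode from sysctl, the SELinux mode from getenforce, and the LDAP, LDAPS and Certificate System ports from firewall-cmd. The port lists are the defaults quoted in those steps; the parsing helpers take the tool output as a string so they can be exercised without the tools installed.

```shell
#!/bin/sh
# Added example, not from the Thales guide: pre-flight check for an RHCS host.
# The helpers parse tool output passed as text; preflight() runs the real tools.

DS_PORTS="389/tcp 636/tcp"                       # Directory Server defaults (LDAP, LDAPS)
PKI_PORTS="8080/tcp 8443/tcp 8009/tcp 8005/tcp"  # RHCS instance defaults from the guide

# fips_ok OUTPUT: OUTPUT is the text printed by `sysctl crypto.fips_enabled`
# ("crypto.fips_enabled = 1"). Returns 0 only when the kernel reports 1.
fips_ok() {
    value=$(printf '%s\n' "$1" | awk -F'=' '/crypto\.fips_enabled/ { gsub(/[[:space:]]/, "", $2); print $2 }')
    [ "$value" = "1" ]
}

# selinux_ok OUTPUT: OUTPUT is the text printed by `getenforce`; only
# "Enforcing" passes, since that is the mode the guide expects.
selinux_ok() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "Enforcing" ]
}

# missing_ports OPEN PORT...: OPEN is the text printed by
# `firewall-cmd --list-ports` (space-separated port/proto tokens);
# prints every required PORT that is not in OPEN, one per line.
missing_ports() {
    open=" $(printf '%s' "$1" | tr '\n' ' ') "
    shift
    for port in "$@"; do
        case "$open" in
            *" $port "*) ;;
            *) echo "$port" ;;
        esac
    done
}

# preflight: run the checks against this host and print a report.
# Returns the number of failed checks (0 means the host is ready).
preflight() {
    failures=0
    if fips_ok "$(sysctl crypto.fips_enabled 2>/dev/null)"; then
        echo "OK   FIPS mode enabled"
    else
        echo "FAIL FIPS mode not enabled (crypto.fips_enabled is not 1)"
        failures=$((failures + 1))
    fi
    if selinux_ok "$(getenforce 2>/dev/null)"; then
        echo "OK   SELinux enforcing"
    else
        echo "FAIL SELinux not in enforcing mode"
        failures=$((failures + 1))
    fi
    open=$(firewall-cmd --list-ports 2>/dev/null || true)
    missing=$(missing_ports "$open" $DS_PORTS $PKI_PORTS)
    if [ -z "$missing" ]; then
        echo "OK   all required ports open: $DS_PORTS $PKI_PORTS"
    else
        echo "FAIL ports not open in the default zone: $(echo $missing)"
        failures=$((failures + 1))
    fi
    return "$failures"
}

preflight || echo "host is not ready: $? check(s) failed"
```

The firewall check reads only the default zone, which is where the guide's `firewall-cmd --permanent --add-port` commands add the ports; pass `--zone` to `firewall-cmd` in `preflight` if your instance listens in another zone.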
Integrate Luna HSM with Red Hat Certificate System
To integrate Luna HSM with Red Hat Certificate System, you need to carry out the following tasks:
Add Luna HSM as an external token
Before integrating Luna HSM with Red Hat Certificate System, it's essential to verify that Luna HSM functions properly as an external token. Red Hat Certificate System relies on PKCS#11-compliant external tokens for generating and storing key pairs and certificates. To ensure Luna HSM's compatibility, follow these steps:
Create an empty test database.
mkdir ~/test_nssdb/
certutil -N -d ~/test_nssdb/ --empty-password
Add Luna HSM as a PKCS#11 module to the test database.
modutil -dbdir ~/test_nssdb/ -add LUNAHSM -libfile /usr/safenet/lunaclient/lib/libCryptoki2_64.so
Verify Luna HSM module addition and token information.
modutil -list -dbdir ~/test_nssdb
Delete the test database after verification.
rm -rf ~/test_nssdb
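The verification above relies on reading the `modutil -list` output by eye. As an added example (not part of this guide or of NSS), the script below parses that listing so the check can be scripted: it confirms that the module was registered with the Luna library and that the expected token label is visible, and wraps the guide's throw-away database steps in one function. The module name LUNAHSM and the token label rhcs-pki are assumptions taken from the guide's own examples, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not from the Thales guide: parse `modutil -list` output and
# verify the Luna module/token, then optionally run the guide's NSS test steps.

LUNA_LIB=/usr/safenet/lunaclient/lib/libCryptoki2_64.so

# module_field LISTING MODULE FIELD: print the values of FIELD ("library name",
# "token", "status", ...) recorded under the module named MODULE in LISTING.
module_field() {
    printf '%s\n' "$1" | awk -v want="$2" -v field="$3" '
        # A line such as "  2. LUNAHSM" starts a new module entry.
        /^[[:space:]]*[0-9]+\.[[:space:]]/ {
            name = $0
            sub(/^[[:space:]]*[0-9]+\.[[:space:]]+/, "", name)
            current = name
            next
        }
        current == want && index($0, field ":") {
            val = $0
            sub(/^[^:]*:[[:space:]]*/, "", val)
            if (val != "") print val          # skip empty "token:" lines
        }'
}

# luna_module_ok LISTING MODULE TOKEN: return 0 when MODULE loads LUNA_LIB and
# exposes a token labelled TOKEN; otherwise print why and return 1.
luna_module_ok() {
    listing="$1"; module="$2"; token="$3"
    lib=$(module_field "$listing" "$module" "library name")
    if [ "$lib" != "$LUNA_LIB" ]; then
        echo "module $module is not loaded from $LUNA_LIB (found: '${lib:-none}')"
        return 1
    fi
    if ! module_field "$listing" "$module" token | grep -qxF "$token"; then
        echo "token '$token' is not visible under module $module"
        return 1
    fi
    echo "module $module provides token '$token' via $LUNA_LIB"
}

# probe_luna_with_nss MODULE TOKEN: the guide's test-database steps as one
# function. Needs certutil and modutil; -force suppresses modutil's prompt.
probe_luna_with_nss() {
    module="$1"; token="$2"
    db=$(mktemp -d)
    certutil -N -d "$db" --empty-password
    modutil -dbdir "$db" -add "$module" -libfile "$LUNA_LIB" -force
    listing=$(modutil -list -dbdir "$db")
    luna_module_ok "$listing" "$module" "$token"
    rc=$?
    rm -rf "$db"
    return $rc
}

# Constructed sample listing in modutil's format, for a stand-alone run.
sample_listing=$(cat <<'EOF'
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
    status: loaded

     slot: NSS Internal Cryptographic Services
    token: NSS Generic Crypto Services

     slot: NSS User Private Key and Certificate Services
    token: NSS Certificate DB

  2. LUNAHSM
    library name: /usr/safenet/lunaclient/lib/libCryptoki2_64.so
     slots: 1 slot attached
    status: loaded

     slot: LunaNet Slot
    token: rhcs-pki
-----------------------------------------------------------
EOF
)
luna_module_ok "$sample_listing" LUNAHSM rhcs-pki
```

On a host with the NSS tools and the Luna client installed, `probe_luna_with_nss LUNAHSM <your token label>` performs the four steps above and removes the temporary database afterwards; a missing token label usually means the partition is not assigned to this client or NTLS is not up.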
Install and configure Red Hat Certificate System
Follow these steps to install and configure Red Hat Certificate System for Luna HSM integration:
Create the default_luna.txt file using the template provided below. Be sure to replace all placeholder values, such as passwords and HSM parameters, with the values specific to your environment. Passwords and HSM parameter values requiring customization are highlighted using double-asterisks.
By default, the RSA algorithm is used to generate all Subsystem Certificates. If you prefer ECC keys for the Subsystem, uncomment the ECC parameters in the respective section of default_luna.txt. However, note that while ECC keys can be used for the other certificates, the audit signing certificate must always use an RSA key.
```
#############################################################################
#############################################################################
#############################################################################
##
##  EXAMPLE: Configuration File used to override '/etc/pki/default.cfg'
##           when using a LunaSA Hardware Security Module (HSM):
##
##      # modutil -dbdir . -list
##      Listing of PKCS #11 Modules
##      -----------------------------------------------------------
##        1. NSS Internal PKCS #11 Module
##           slots: 2 slots attached
##           status: loaded
##
##           slot: NSS Internal Cryptographic Services
##           token: NSS Generic Crypto Services
##
##           slot: NSS User Private Key and Certificate Services
##           token: NSS Certificate DB
##
##        2. lunasa
##           library name: /usr/safenet/lunaclient/lib/libCryptoki2_64.so
##           slots: 4 slots attached
##           status: loaded
##
##           slot: LunaNet Slot
##           token: rhcs-pki
##
##           slot: Luna UHD Slot
##           token:
##
##           slot: Luna UHD Slot
##           token:
##      -----------------------------------------------------------
##
##  Based on the example above, substitute all password values,
##  as well as the following values:
##
##      =/usr/safenet/lunaclient/lib/libCryptoki2_64.so
##      =lunasa
##      =rhcs-pki
##
##  Where hsm_modulename is user-defined value for Luna HSM.
##
#############################################################################
#############################################################################
#############################################################################
[DEFAULT]
##########################
# Provide HSM parameters #
##########################
pki_hsm_enable=True
pki_hsm_libfile=
pki_hsm_modulename=
pki_token_name=
pki_token_password=

####################################
# Remove Old Directory Server Data #
####################################
pki_ds_remove_data=True

########################################
# Provide PKI-specific HSM token names #
########################################
pki_audit_signing_token=
pki_ssl_server_token=
pki_subsystem_token=

##################################
# Provide PKI-specific passwords #
##################################
pki_admin_password=
pki_client_pkcs12_password=
pki_ds_password=

#####################################
# Provide non-CA-specific passwords #
#####################################
pki_client_database_password=

##########################################
# Only required, if ECC keys are desired #
##########################################
#pki_admin_key_algorithm=SHA384withEC
#pki_admin_key_size=nistp384
#pki_admin_key_type=ecc
#pki_admin_signing_algorithm=SHA384withEC
#pki_ssl_server_key_algorithm=SHA384withEC
#pki_ssl_server_key_size=nistp384
#pki_ssl_server_key_type=ecc
#pki_ssl_server_signing_algorithm=SHA384withEC
#pki_subsystem_key_algorithm=SHA384withEC
#pki_subsystem_key_size=nistp384
#pki_subsystem_key_type=ecc
#pki_subsystem_signing_algorithm=SHA384withEC

###############################################################
# ONLY required if specifying a non-default PKI instance name #
###############################################################
#pki_instance_name=

##############################################################
# ONLY required if specifying non-default PKI instance ports #
##############################################################
#pki_http_port=
#pki_https_port=

######################################################################
# ONLY required if specifying non-default 389 Directory Server ports #
######################################################################
#pki_ds_ldap_port=
#pki_ds_ldaps_port=

######################################################################
# ONLY required if PKI is using a Security Domain on a remote system #
######################################################################
#pki_ca_hostname=
#pki_issuing_ca_hostname=
#pki_issuing_ca_https_port=
#pki_security_domain_hostname=
#pki_security_domain_https_port=

###########################################################
# ONLY required for PKI using an existing Security Domain #
###########################################################
# NOTE:  pki_security_domain_password == pki_admin_password
#        of CA Security Domain Instance
pki_security_domain_password=

[Tomcat]
##############################################################
# ONLY required if specifying non-default PKI instance ports #
##############################################################
#pki_ajp_port=
#pki_tomcat_server_port=

[CA]
#######################################
# Provide CA-specific HSM token names #
#######################################
pki_ca_signing_token=
pki_ocsp_signing_token=

#################################################
# Include keyflag options for all core CA certs #
#################################################
pki_ca_signing_opsFlag=encrypt,decrypt,sign,verify,wrap,unwrap
pki_subsystem_opsFlag=encrypt,decrypt,sign,verify,wrap,unwrap
pki_sslserver_opsFlag=encrypt,decrypt,sign,verify,wrap,unwrap
pki_ocsp_signing_opsFlag=encrypt,decrypt,sign,verify,wrap,unwrap
pki_audit_signing_opsFlag=encrypt,decrypt,sign,verify,wrap,unwrap

######################################################
# Include keyflag mask options for all core CA certs #
######################################################
pki_ca_signing_opsFlagMask=encrypt,decrypt,sign,verify,wrap,unwrap
pki_subsystem_opsFlagMask=encrypt,decrypt,sign,verify,wrap,unwrap
pki_sslserver_opsFlagMask=encrypt,decrypt,sign,verify,wrap,unwrap
pki_ocsp_signing_opsFlagMask=encrypt,decrypt,sign,verify,wrap,unwrap
pki_audit_signing_opsFlagMask=encrypt,decrypt,sign,verify,wrap,unwrap

##########################################
# Only required, if ECC keys are desired #
##########################################
#pki_ca_signing_key_algorithm=SHA384withEC
#pki_ca_signing_key_size=nistp384
#pki_ca_signing_key_type=ecc
#pki_ca_signing_signing_algorithm=SHA384withEC
#pki_ocsp_signing_key_algorithm=SHA384withEC
#pki_ocsp_signing_key_size=nistp384
#pki_ocsp_signing_key_type=ecc
#pki_ocsp_signing_signing_algorithm=SHA384withEC

###########################################################################
# ONLY required if 389 Directory Server for CA resides on a remote system #
###########################################################################
#pki_ds_hostname=<389 hostname>

[KRA]
########################################
# Provide KRA-specific HSM token names #
########################################
pki_storage_token=
pki_transport_token=

##################################################
# Include keyflag options for all core KRA certs #
##################################################
pki_storage_opsFlag=encrypt,decrypt,sign,verify,wrap,unwrap
pki_transport_opsFlag=encrypt,decrypt,sign,verify,wrap,unwrap
pki_audit_signing_opsFlag=encrypt,decrypt,sign,verify,wrap,unwrap

#######################################################
# Include keyflag mask options for all core KRA certs #
#######################################################
pki_storage_opsFlagMask=encrypt,decrypt,sign,verify,wrap,unwrap
pki_transport_opsFlagMask=encrypt,decrypt,sign,verify,wrap,unwrap
pki_audit_signing_opsFlagMask=encrypt,decrypt,sign,verify,wrap,unwrap

##########################################
# Only required, if ECC keys are desired #
##########################################
#pki_storage_key_algorithm=SHA384withEC
#pki_storage_key_size=nistp384
#pki_storage_key_type=ecc
#pki_storage_signing_algorithm=SHA384withEC
#pki_transport_key_algorithm=SHA384withEC
#pki_transport_key_size=nistp384
#pki_transport_key_type=ecc
#pki_transport_signing_algorithm=SHA384withEC

############################################################################
# ONLY required if 389 Directory Server for KRA resides on a remote system #
############################################################################
#pki_ds_hostname=<389 hostname>

[OCSP]
#########################################
# Provide OCSP-specific HSM token names #
#########################################
pki_ocsp_signing_token=

###################################################
# Include keyflag options for all core OCSP certs #
###################################################
pki_ocsp_signing_opsFlag=encrypt,decrypt,sign,verify,wrap,unwrap
pki_audit_signing_opsFlag=encrypt,decrypt,sign,verify,wrap,unwrap

########################################################
# Include keyflag mask options for all core OCSP certs #
########################################################
pki_ocsp_signing_opsFlagMask=encrypt,decrypt,sign,verify,wrap,unwrap
pki_audit_signing_opsFlagMask=encrypt,decrypt,sign,verify,wrap,unwrap

##########################################
# Only required, if ECC keys are desired #
##########################################
#pki_ocsp_signing_key_algorithm=SHA384withEC
#pki_ocsp_signing_key_size=nistp384
#pki_ocsp_signing_key_type=ecc
#pki_ocsp_signing_signing_algorithm=SHA384withEC

#############################################################################
# ONLY required if 389 Directory Server for OCSP resides on a remote system #
#############################################################################
#pki_ds_hostname=<389 hostname>

[TKS]
########################################
# Provide TKS-specific HSM token names #
########################################

##################################################
# Include keyflag options for all core TKS certs #
##################################################
pki_audit_signing_opsFlag=encrypt,decrypt,sign,verify,wrap,unwrap

#######################################################
# Include keyflag mask options for all core TKS certs #
#######################################################
pki_audit_signing_opsFlagMask=encrypt,decrypt,sign,verify,wrap,unwrap

############################################################################
# ONLY required if 389 Directory Server for TKS resides on a remote system #
############################################################################
#pki_ds_hostname=<389 hostname>

[TPS]
###################################
# Provide TPS-specific parameters #
###################################
pki_authdb_basedn=

########################################
# Provide TPS-specific HSM token names #
########################################

##################################################
# Include keyflag options for all core TPS certs #
##################################################
pki_audit_signing_opsFlag=encrypt,decrypt,sign,verify,wrap,unwrap

#######################################################
# Include keyflag mask options for all core TPS certs #
#######################################################
pki_audit_signing_opsFlagMask=encrypt,decrypt,sign,verify,wrap,unwrap

############################################################################
# ONLY required if 389 Directory Server for TPS resides on a remote system #
############################################################################
#pki_ds_hostname=<389 hostname>

##########################################################
# ONLY required if TPS requires a CA on a remote machine #
##########################################################
#pki_ca_uri=https:// :

#######################################
# ONLY required if TPS requires a KRA #
#######################################
#pki_enable_server_side_keygen=True

###########################################################
# ONLY required if TPS requires a KRA on a remote machine #
###########################################################
#pki_kra_uri=https:// :

###########################################################
# ONLY required if TPS requires a TKS on a remote machine #
###########################################################
#pki_tks_uri=https:// :
```
Install the certificate authority:
pkispawn -s CA -f ./default_luna.txt --debug
Review the installation summary printed by pkispawn to confirm that this command, and each of the following ones, completed successfully.
The Certificate Authority must be installed and configured before any dependent subsystem (KRA, OCSP, TKS, TPS), because those subsystems obtain their certificates from the CA during installation.
Install the Key Recovery Authority (KRA).
pkispawn -s KRA -f ./default_luna.txt --debug
Install the Online Certificate Responder Service (OCSP).
pkispawn -s OCSP -f ./default_luna.txt --debug
Install the Token Key Service (TKS).
pkispawn -s TKS -f ./default_luna.txt --debug
Install the Token Processing System (TPS).
pkispawn -s TPS -f ./default_luna.txt --debug
Confirm that the certificates of all subsystems are present in the key database.
# certutil -L -d /etc/pki/pki-tomcat/alias -h
Verify that all keys were created on the Luna HSM by listing the partition contents.
/usr/safenet/lunaclient/bin/cmu list
Access the Red Hat Certificate Subsystem console using the following URL:
https://<fully qualified domain name>:8443
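An empty *_token value in the default_luna.txt file shown above is the most common cause of a subsystem key silently ending up in the software NSS database instead of the Luna partition. The following is an added example, not code from this guide or from Red Hat Certificate System, that checks one subsystem's section before pkispawn is run: every *_token must be filled in, each *_opsFlag must be permitted by its *_opsFlagMask, and an ECC key type must use one of the curves the guide lists as supported. The sample configuration and the token label luna_part1 are constructed for the example.

```python
"""Sanity-check a pkispawn config section before `pkispawn -s <SUBSYSTEM> -f <file>`."""
import configparser

# Curves the guide lists as supported for ECC keys on Luna HSMs
SUPPORTED_CURVES = {"nistp256", "nistp384", "nistp521"}

# Constructed sample in the shape of default_luna.txt: the [CA] section is
# complete, the [KRA] section contains two deliberate mistakes.
SAMPLE_CONFIG = """
[CA]
pki_ca_signing_token=luna_part1
pki_ocsp_signing_token=luna_part1
pki_ca_signing_opsFlag=sign,verify
pki_ca_signing_opsFlagMask=encrypt,decrypt,sign,verify,wrap,unwrap
pki_ca_signing_key_type=ecc
pki_ca_signing_key_size=nistp384
[KRA]
pki_storage_token=luna_part1
pki_transport_token=
pki_storage_opsFlag=encrypt,decrypt,wrap,unwrap
pki_storage_opsFlagMask=sign,verify
"""


def check_subsystem(config_text: str, subsystem: str) -> list[str]:
    """Return the problems found in the [subsystem] section; an empty list means OK."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of pki_*_opsFlag; pkispawn keys are case-sensitive
    cp.read_string(config_text)
    sec = cp[subsystem]
    problems = []
    for key, value in sec.items():
        value = value.strip()
        if key.endswith("_token") and not value:
            problems.append(f"{key} is empty: set it to the Luna partition label")
        elif key.endswith("_opsFlag"):
            flags = {f for f in value.split(",") if f}
            mask = {f for f in sec.get(key + "Mask", "").split(",") if f}
            if not flags <= mask:
                problems.append(f"{key} has flags not allowed by {key}Mask: {sorted(flags - mask)}")
        elif key.endswith("_key_type") and value.lower() == "ecc":
            prefix = key[: -len("_key_type")]
            curve = sec.get(prefix + "_key_size", "").strip()
            if curve not in SUPPORTED_CURVES:
                problems.append(f"{prefix}_key_size={curve!r} is not a supported Luna curve")
    return problems


if __name__ == "__main__":
    for name in ("CA", "KRA"):
        print(name, check_subsystem(SAMPLE_CONFIG, name) or "OK")
```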