3.6.2. Configuring a DRM, OCSP, or TKS

3.6.2. Configuring a DRM, OCSP, or TKS

  1. Open the configuration wizard. When the instance is installed, the process returns a success message which includes a URL with the login PIN. For example: 

    http://server.example.com:10080/
 kra/admin/console/config/login?pin=kI7E1MByNIUcPJ6RKHmH

    Using this URL skips the login screen.

    Alternatively, log into the setup wizard through admin link on the services page and supply the preop.pin value from the CS.cfg file when prompted. 

    http://server.example.com:10080/kra/services

  2. Join an existing security domain. Supply the hostname and SSL port of the CA which hosts the domain. When the CA is successfully contacted, then supply the admin username and password for the CA so that it can be properly accessed.

  3. Enter a name for the new instance.

  4. Fill in the Directory Server hostname, port, bind DN, and bind password.

  5. Select the key store token; a list of detected hardware tokens and databases is given.

    To determine whether a token is detected by the Certificate System, use the TokenInfo tool. For more information on this tool, see the Certificate System Command-Line Tools Guide.

  6. Set the key size. The default RSA key size is 2048.

  7. Select the CA which will generate the subsystem certificates; to use a Certificate System CA, select the CA from the drop-down menu of the CAs configured within the security domain.

    Optionally, give subject names to the listed certificates.

  8. The next panels generate and show certificate requests, certificates, and key pairs.

    If an external CA is used to issue the certificates, configuration cannot go forward until they are received from the CA. When they are issued, paste the certificates into this panel to add them to the subsystem database, and then proceed with the installation. Click Apply to view the certificates as they are imported.

  9. If the subsystem will every be cloned, or as a protection if keys or certificates are ever lost, back up the keys and certificates when prompted.

  10. Give the information for the new subsystem administrator.

  11. Click Next through the remaining panels to import the agent certificate into the browser and complete the configuration.

  12. When the configuration is complete, restart the subsystem. 

    /etc/init.d/rhpki-kra restart