2.8. Silent Installation

Certificate System includes a tool, pkisilent, which creates and fully configures an instance. Normally, adding an instance requires running the pkicreate utility to create the instance and then opening the subsystem HTML page to complete the configuration; pkisilent does both in a single step. The tool is downloaded separately from the Certificate System packages and is available through the Red Hat Certificate System 7.2 Red Hat Network channel.

NOTE

Run this tool on a system which already has a subsystem installed, since this tool depends on having libraries, JRE, and core jar files already installed.

The silent installation tool has the following format:

perl pkisilent Configure<subsystem_type> -options

The options are slightly different between the subsystems; all subsystems except for the CA subsystem require extra options specifying the Certificate Manager to which to submit the certificate requests.

Example 2.1, “Silent Installation of a CA” shows a silent installation script to install a CA subsystem:

perl pkisilent ConfigureCA -cs_hostname localhost -cs_port 9543 \
 -client_certdb_dir /tmp/ -client_certdb_pwd redhat \
 -preop_pin sYY8er834FG9793fsef7et5 -domain_name "testca" -admin_user admin \
 -admin_email "admin@redhat.com" -admin_password redhat \
 -agent_name "rhpki-ca2 agent" -agent_key_size 256 -agent_key_type ecc \
 -agent_cert_subject "ca agent cert" -ldap_host server -ldap_port 389 \
 -bind_dn "cn=directory manager" -bind_password redhat \
 -base_dn "o=rhpki-ca2" -db_name "rhpki-ca2" -key_size 256 -key_type ecc \
 -save_p12 true -backup_pwd redhat

Example 2.1. Silent Installation of a CA

Example 2.2, “Silent Installation of a TKS” shows a silent installation script to install a TKS subsystem; this script has extra options to point to the CA server:

perl pkisilent ConfigureTKS -cs_hostname localhost -cs_port 13543 \
 -ca_hostname server.example.com -ca_port 9080 -ca_ssl_port 9443 \
 -ca_agent_name agent -ca_agent_password redhat \
 -client_certdb_dir /tmp/ -client_certdb_pwd redhat \
 -preop_pin fS44I6SASGF34FD76WKJHIW4 -domain_name "testca" -admin_user admin \
 -admin_email "admin@redhat.com" -admin_password redhat \
 -agent_name "rhpki-tks2 agent" -ldap_host server -ldap_port 389 \
 -bind_dn "cn=directory manager" -bind_password redhat -base_dn "o=rhpki-tks2" \
 -db_name "rhpki-tks2" -key_size 256 -key_type ecc -agent_key_size 256 \
 -agent_key_type ecc \
 -agent_cert_subject "tks agent cert" -backup_pwd redhat

Example 2.2. Silent Installation of a TKS

NOTE

The ConfigureCA script can be used to create a security domain or to add the CA to an existing domain; the other scripts only add the subsystem to an existing security domain.

perl pkisilent ConfigureTPS -cs_hostname localhost -cs_port 7988 \
 -ca_hostname server.example.com -ca_port 9080 -ca_ssl_port 9443 \
 -ca_agent_name agent -ca_agent_password redhat \
 -client_certdb_dir /tmp/ -client_certdb_pwd redhat \
 -preop_pin fS44I6SASGF34FD76WKJHIW4 -domain_name "testca" -admin_user admin \
 -admin_email "admin@redhat.com" -admin_password redhat \
 -agent_name "rhpki-tks2 agent" -ldap_host server -ldap_port 389 \
 -bind_dn "cn=directory manager" -bind_password redhat -base_dn "o=rhpki-tps2" \
 -db_name "rhpki-tks2" -key_size 256 -key_type ecc -agent_key_size 256 \
 -agent_key_type ecc -agent_cert_subject "tps agent cert" -ldap_auth_host server \
 -ldap_auth_port 389 -ldap_auth_base_dn "o=TPS DB,dc=example,dc=com"

Example 2.3. Silent Installation of a TPS
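
The sample commands above give every password option the same short value and point -client_certdb_dir at /tmp/. As an added example (not part of the Red Hat documentation or tooling), the following sh function reviews a pkisilent argument list for those conditions before the command is run. The finding names and the 12-character threshold are assumptions of this example; the option names are the ones used in Examples 2.1 to 2.3.

```shell
#!/bin/sh
# Added example, not Red Hat's code: review pkisilent options before a run.
# Finding names and the length threshold are this example's assumptions.

MIN_SECRET_LEN=12   # assumed policy value; adjust to your own standard

# Usage: audit_pkisilent_args ConfigureCA -cs_hostname localhost ...
# Prints one finding per line (never the secret itself); returns 1 if any.
audit_pkisilent_args() {
    seen=""     # secret values examined so far, one per line
    rc=0
    while [ "$#" -gt 0 ]; do
        opt=$1; val=${2-}; shift
        case $opt in
        -admin_password|-bind_password|-backup_pwd|-client_certdb_pwd|-ca_agent_password)
            if [ "${#val}" -lt "$MIN_SECRET_LEN" ]; then
                echo "SHORT $opt"; rc=1
            fi
            # One shared value means a single leak exposes every role.
            if [ -n "$val" ] && printf '%s\n' "$seen" | grep -Fxq -- "$val"; then
                echo "REUSED $opt"; rc=1
            fi
            seen="$seen
$val"
            [ "$#" -gt 0 ] && shift
            ;;
        -client_certdb_dir)
            # Character 9 of the ls mode string is the "other write" bit.
            if [ -d "$val" ] && [ "$(ls -ld -- "$val" | cut -c9)" = "w" ]; then
                echo "WORLD_WRITABLE $opt $val"; rc=1
            fi
            [ "$#" -gt 0 ] && shift
            ;;
        esac
    done
    return "$rc"
}

# Constructed sample: the password-bearing options of Example 2.1.
audit_pkisilent_args ConfigureCA -client_certdb_dir /tmp/ \
    -client_certdb_pwd redhat -admin_password redhat \
    -bind_password redhat -backup_pwd redhat || echo "review before running"
```

Because pkisilent takes these values as command-line options, they also appear in the process list and shell history of the host where the command is typed, which the function cannot check.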

For more information on using this tool, see the Certificate System Command-Line Tools Guide.