2.6. Configuring the Default Subsystem Instances

After the packages have been installed, the subsystem has to be configured by going through the HTML configuration wizard. The configuration process is similar for the subsystems; differences in the wizard are described in the panel descriptions in Section 2.4, “Configuration Setup Wizard”. The general process is outlined in this section.

2.6.1. Configuring a CA

  1. Open the configuration wizard. When the instance is installed, the process returns a success message which includes a URL with the login PIN. For example:

    http://server.example.com:9080/ca/admin/console/config/login?pin=kI7E1MByNIUcPJ6RKHmH


    Using this URL skips the login screen.

    Alternatively, log into the setup wizard through the admin link on the services page and supply the preop.pin value from the CS.cfg file when prompted.

    http://server.example.com:9080/ca/services
    
  2. Create a new security domain.

    The default CA instance must create a new security domain; subsequent CAs can create a new domain or join an existing security domain.

  3. Enter a name for the new instance.

  4. Set up the PKI hierarchy. It is recommended that the first CA be a root, or self-signed, CA, meaning that it signs its own CA signing certificate rather than submitting its certificates to a third-party CA for issuance. Subsequent CAs can be subordinate CAs.

  5. Fill in the Directory Server hostname, port, bind DN, and bind password.

  6. Select the key store token; a list of detected hardware tokens and databases is given.

    To determine whether a token is detected by the Certificate System, use the TokenInfo tool. For more information on this tool, see the Certificate System Command-Line Tools Guide.

  7. Set the key type and size.

    There are two types of encryption supported: RSA and ECC. ECC keys are faster to generate and are smaller than RSA keys of the same strength. The default RSA key size is 2048; the default ECC key size is 256 bits.

    NOTE

    If the certificate requests are going to be submitted to a third-party CA, be sure that that CA supports ECC encryption types. Some major third-party CAs do not yet support ECC.

  8. Optionally, give subject names for the certificates.

  9. The next panels generate and show certificate requests, certificates, and key pairs.

    If an external CA is used to issue the certificates, configuration cannot go forward until they are received from the external CA. When they are issued, paste the certificates into this panel to add them to the CA database, and then proceed with the installation. Click Apply to view the certificates as they are imported.

  10. If the subsystem will ever be cloned, or as a protection if keys or certificates are ever lost, back up the keys and certificates when prompted.

  11. Give the information for the new subsystem administrator.

  12. Click Next through the remaining panels to import the agent certificate into the browser and complete the configuration.

  13. When the configuration is complete, restart the subsystem.

    /etc/init.d/rhpki-ca restart
    
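Step 1 above says the wizard PIN can be taken from preop.pin in CS.cfg instead of from the install message. The following helper is an added example, not part of the Certificate System documentation or tools: it reads that value from a given CS.cfg and assembles the login URL in the form shown above, refusing to proceed if the file is unreadable or the key is missing and warning if the file (which holds a secret) is world-readable. The subsystem base URL, such as http://server.example.com:9080/ca or the kra/tps equivalents in the later sections, is passed in by the caller.

```shell
# Build the configuration-wizard login URL from the preop.pin entry in CS.cfg.
# Usage: wizard_login_url /path/to/CS.cfg http://server.example.com:9080/ca
wizard_login_url() {
  cfg="$1"
  base="$2"
  [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
  # The file contains a setup secret; flag lax permissions (POSIX find -perm).
  if [ -n "$(find "$cfg" -perm -004 2>/dev/null)" ]; then
    echo "warning: $cfg is world-readable" >&2
  fi
  # CS.cfg is a flat key=value file; take the first preop.pin line and
  # strip a trailing carriage return in case the file was edited on Windows.
  pin=$(sed -n 's/^preop\.pin=//p' "$cfg" | head -n 1 | tr -d '\r')
  [ -n "$pin" ] || { echo "preop.pin not set in $cfg" >&2; return 1; }
  # Strip a trailing slash from the base so the path joins cleanly.
  base=${base%/}
  printf '%s/admin/console/config/login?pin=%s\n' "$base" "$pin"
}

# Constructed sample CS.cfg for demonstration only (not a real instance file).
demo_cfg=$(mktemp)
printf 'preop.pin=kI7E1MByNIUcPJ6RKHmH\nca.instance.name=example\n' > "$demo_cfg"
chmod 600 "$demo_cfg"
wizard_login_url "$demo_cfg" "http://server.example.com:9080/ca"
rm -f "$demo_cfg"
```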

2.6.2. Configuring a DRM, OCSP, or TKS

  1. Open the configuration wizard. When the instance is installed, the process returns a success message which includes a URL with the login PIN. For example:

    http://server.example.com:10080/kra/admin/console/config/login?pin=kI7E1MByNIUcPJ6RKHmH


    Using this URL skips the login screen.

    Alternatively, log into the setup wizard through the admin link on the services page and supply the preop.pin value from the CS.cfg file when prompted.

    http://server.example.com:10080/kra/services
    
  2. Join an existing security domain. Supply the hostname and SSL port of the CA which hosts the domain. When the CA is successfully contacted, then supply the admin username and password for the CA so that it can be properly accessed.

  3. Enter a name for the new instance.

  4. Fill in the Directory Server hostname, port, bind DN, and bind password.

  5. Select the key store token; a list of detected hardware tokens and databases is given.

    To determine whether a token is detected by the Certificate System, use the TokenInfo tool. For more information on this tool, see the Certificate System Command-Line Tools Guide.

  6. Set the key type and size.

    There are two types of encryption supported: RSA and ECC. ECC keys are faster to generate and are smaller than RSA keys of the same strength. The default RSA key size is 2048; the default ECC key size is 256 bits.

    NOTE

    If the certificate requests are going to be submitted to a third-party CA, be sure that that CA supports ECC encryption types. Some major third-party CAs do not yet support ECC.

  7. Select the CA which will generate the subsystem certificates; to use a Certificate System CA, select the CA from the drop-down menu of the CAs configured within the security domain.

    Optionally, give subject names to the listed certificates.

  8. The next panels generate and show certificate requests, certificates, and key pairs.

    If an external CA is used to issue the certificates, configuration cannot go forward until they are received from the CA. When they are issued, paste the certificates into this panel to add them to the subsystem database, and then proceed with the installation. Click Apply to view the certificates as they are imported.

  9. If the subsystem will ever be cloned, or as a protection if keys or certificates are ever lost, back up the keys and certificates when prompted.

  10. Give the information for the new subsystem administrator.

  11. Click Next through the remaining panels to import the agent certificate into the browser and complete the configuration.

  12. When the configuration is complete, restart the subsystem.

    /etc/init.d/rhpki-kra restart
    

2.6.3. Configuring a TPS

  1. Open the configuration wizard. When the instance is installed, the process returns a success message which includes a URL with the login PIN. For example:

    http://server.example.com:7888/tps/admin/console/config/login?pin=kI7E1MByNIUcPJ6RKHmH


    Using this URL skips the login screen.

    Alternatively, log into the setup wizard through the admin link on the services page and supply the preop.pin value from the CS.cfg file when prompted.

    http://server.example.com:7888/tps/services
    
  2. Join an existing security domain. Supply the hostname and SSL port of the CA which hosts the domain. When the CA is successfully contacted, then supply the admin username and password for the CA so that it can be properly accessed.

  3. Enter a name for the new instance.

  4. Supply the CA information for the Certificate System CA which will be used to issue, renew, and revoke certificates for token operations requested through the TPS subsystem.

  5. Supply information about the TKS which will manage the TPS keys. Select the TKS from the drop-down menu of TKS subsystems within the security domain.

  6. There is an option for server-side key generation for tokens enrolled through the TPS. If server-side key generation is selected, supply information about the DRM which will be used to generate keys and archive encryption keys. Key and certificate recovery is initiated automatically through the TPS, which is a DRM agent. Select the DRM from the drop-down menu of DRM subsystems within the security domain.

  7. Fill in the Directory Server hostname, port, bind DN, and bind password.

  8. Select the key store token; a list of detected hardware tokens and databases is given.

    To determine whether a token is detected by the Certificate System, use the TokenInfo tool. For more information on this tool, see the Certificate System Command-Line Tools Guide.

  9. Set the key type and size.

    There are two types of encryption supported: RSA and ECC. ECC keys are faster to generate and are smaller than RSA keys of the same strength. The default RSA key size is 2048; the default ECC key size is 256 bits.

    NOTE

    If the certificate requests are going to be submitted to a third-party CA, be sure that that CA supports ECC encryption types. Some major third-party CAs do not yet support ECC.

  10. Select the CA which will generate the subsystem certificates; to use a Certificate System CA, select the CA from the drop-down menu of the CAs configured within the security domain. To select an external CA, select the External CA radio button and supply the appropriate information.

    Optionally, give subject names to the listed certificates.

  11. The next panels generate and show certificate requests, certificates, and key pairs.

    If an external CA is used to issue the certificates, configuration cannot go forward until they are received from the CA. When they are issued, paste the certificates into this panel to add them to the TPS database, and then proceed with the installation. Click Apply to view the certificates as they are imported.

  12. Give the information for the new subsystem administrator.

  13. Click Next through the remaining panels to import the agent certificate into the browser and complete the configuration.

  14. When the configuration is complete, restart the subsystem.

    /etc/init.d/rhpki-tps restart