5.2. Setting up the Auditor's Database

AuditVerify needs access to a set of security databases containing the signed audit log signing certificate and its chain of issuing certificates. One of the CA certificates in the issuance chain must be marked as trusted in the database.

The auditor should import the audit signing certificate into certificate and key databases before running AuditVerify. The auditor should not use the security databases of the Certificate System instance that generated the signed audit log files. If there are no readily accessible certificate and key databases, the auditor must create a set of certificate and key databases and import the signed audit log signing certificate chain.

To create the security databases and import the certificate chain, do the following:

  1. Create the security database directory in the filesystem.

    mkdir /var/lib/instance_ID/logs/signedAudit/dbdir
    

  2. Use the certutil tool to create an empty set of certificate databases.

    certutil -d /var/lib/instance_ID/logs/signedAudit/dbdir -N
    
  3. Import the CA certificate and log signing certificate into the databases, marking the CA certificate as trusted. The certificates can be obtained from the CA in ASCII format.

    If the CA certificate is in a file called cacert.txt and the log signing certificate is in a file called logsigncert.txt, both in the Certificate System alias/ directory, then certutil is used as follows to import them into the new audit security database directory and set the trust. Only the CA certificate is marked trusted; the log signing certificate is imported with empty trust flags (",,"), because it is accepted only through its chain to the trusted CA:

    certutil -d /var/lib/instance_ID/logs/signedAudit/dbdir \
     -A -n "CA Certificate" -t "CT,CT,CT" -a -i /var/lib/instance_ID/alias/cacert.txt
    
    certutil -d /var/lib/instance_ID/logs/signedAudit/dbdir \
     -A -n "Log Signing Certificate" -t ",," -a -i /var/lib/instance_ID/alias/logsigncert.txt
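The three steps above collected into one script, as an added example that is not part of the Certificate System documentation. It adds the checks an auditor would want: it refuses to run on an unreadable input file, creates the directory readable only by the auditor, initialises the database only once, gives the log signing certificate no trust of its own, and confirms afterwards that the CA entry actually carries the trusted-CA flag. The directory and nicknames are taken from the steps above; the function names, the CERTUTIL override and the use of `--empty-password` (the auditor's database holds only public certificates, so no key-database password is needed, whereas plain `-N` as shown above prompts for one) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Certificate System docs): set up the auditor's
# NSS databases for AuditVerify in one idempotent run.
set -eu

# certutil binary to use; overridable so the script can be exercised with a
# stand-in (assumption of this example, not a certutil feature).
CERTUTIL="${CERTUTIL:-certutil}"

# setup_audit_db DBDIR CACERT LOGCERT
#   DBDIR   directory that will hold the auditor's certificate/key databases
#   CACERT  CA certificate in ASCII (PEM) form
#   LOGCERT audit log signing certificate in ASCII (PEM) form
setup_audit_db() {
    dbdir="$1"; cacert="$2"; logcert="$3"

    # Fail early instead of creating a half-populated database.
    for f in "$cacert" "$logcert"; do
        [ -r "$f" ] || { echo "setup_audit_db: cannot read $f" >&2; return 1; }
    done

    # Step 1: the database directory, private to the auditor.
    mkdir -p "$dbdir"
    chmod 0700 "$dbdir"

    # Step 2: create an empty database only if none exists yet
    # (cert9.db is the SQLite format, cert8.db the legacy DBM format).
    if [ ! -e "$dbdir/cert9.db" ] && [ ! -e "$dbdir/cert8.db" ]; then
        "$CERTUTIL" -d "$dbdir" -N --empty-password
    fi

    # Step 3a: the CA certificate, trusted (C) as an issuer for all three uses.
    "$CERTUTIL" -d "$dbdir" -A -n "CA Certificate" -t "CT,CT,CT" -a -i "$cacert"

    # Step 3b: the log signing certificate with empty trust flags; it is
    # accepted only because it chains to the trusted CA above.
    "$CERTUTIL" -d "$dbdir" -A -n "Log Signing Certificate" -t ",," -a -i "$logcert"
}

# ca_is_trusted DBDIR: succeed only if the "CA Certificate" entry in the
# database listing carries a trust column starting with C (trusted CA).
# The trust column is the last field of the certutil -L line for the nickname.
ca_is_trusted() {
    "$CERTUTIL" -d "$1" -L \
        | awk -v n="CA Certificate" 'index($0, n) == 1 { print $NF }' \
        | grep -q '^C'
}

# Typical use, with the paths from the steps above (instance_ID is a placeholder):
#   setup_audit_db /var/lib/instance_ID/logs/signedAudit/dbdir \
#       /var/lib/instance_ID/alias/cacert.txt /var/lib/instance_ID/alias/logsigncert.txt
#   ca_is_trusted /var/lib/instance_ID/logs/signedAudit/dbdir && echo "CA trusted"
```

Run `ca_is_trusted` before every AuditVerify invocation: if someone re-imports the CA without the `C` flag, or points the script at the wrong directory, the verification would otherwise fail with a trust error that is easy to misread as a tampered log.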