Overview

This page describes the process IPA uses to set up the KRA agent.

KRA Agent Setup

After KRA is installed, IPA executes the following steps to set up the KRA agent (see ipaserver/install/krainstance.py). In the commands below, Secret.123 is the password of the client security database passed with -c, and the values in angle brackets are placeholders.

Create a client security database (i.e. ~/.dogtag/nssdb):

$ pki -c Secret.123 client-init

Import CA certificate:

$ pki -c Secret.123 client-cert-import --pkcs12 /root/kracert.p12 --pkcs12-password <IPA admin password>

Trust CA certificate:

$ pki -c Secret.123 client-cert-mod "Certificate Authority - <IPA realm>" --trust "CT,C,C"

Import CA admin certificate:

$ pki -c Secret.123 client-cert-import --pkcs12 /root/ca-agent.p12 --pkcs12-password <IPA admin password>

Create KRA user:

$ pki -c Secret.123 -n ipa-ca-agent kra-user-add ipakra --fullName "IPA KRA User"

Add KRA user into KRA agents group:

$ pki -c Secret.123 -n ipa-ca-agent kra-user-membership-add ipakra "Data Recovery Manager Agents"

Export IPA cert as DER file:

$ pki -d /etc/httpd/alias -C /etc/httpd/alias/pwdfile.txt client-cert-show ipaCert --cert ipa.crt

Assign IPA cert to KRA user:

$ pki -c Secret.123 -n ipa-ca-agent kra-user-cert-add ipakra --input ipa.crt

Export IPA cert as PEM file:

$ pki -d /etc/httpd/alias -C /etc/httpd/alias/pwdfile.txt client-cert-show ipaCert --client-cert /etc/httpd/alias/kra-agent.pem

Set the file ownership and permission:

$ chown root.apache /etc/httpd/alias/kra-agent.pem
$ chmod 660 /etc/httpd/alias/kra-agent.pem
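A post-setup check for the last step, added here as an example and not part of krainstance.py or the IPA project: it verifies that the exported agent PEM has the ownership and mode set above and carries both a certificate and a private key (assumed here to be what the --client-cert export writes). It assumes GNU coreutils stat; the expected owner and group are passed in so it can also be run against a copy owned by another account.

```shell
#!/bin/sh
# check_kra_agent_pem PEM OWNER GROUP
# Verifies the file exported with `client-cert-show ipaCert --client-cert ...`
# after `chown root.apache` and `chmod 660`. On the IPA server call it as:
#   check_kra_agent_pem /etc/httpd/alias/kra-agent.pem root apache
# Returns 0 when every check passes, 1 otherwise, printing each failure.
check_kra_agent_pem() {
    pem="$1"; want_owner="$2"; want_group="$3"; want_mode="660"
    [ -f "$pem" ] || { echo "missing: $pem"; return 1; }
    # GNU stat: numeric mode, owner name, group name
    mode=$(stat -c '%a' "$pem")
    owner=$(stat -c '%U' "$pem")
    group=$(stat -c '%G' "$pem")
    rc=0
    [ "$mode" = "$want_mode" ] || { echo "mode $mode, expected $want_mode"; rc=1; }
    [ "$owner" = "$want_owner" ] || { echo "owner $owner, expected $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "group $group, expected $want_group"; rc=1; }
    # httpd presents this file as a client certificate to the KRA, so it must
    # contain the agent certificate and (assumed) its private key.
    grep -q 'BEGIN CERTIFICATE' "$pem" || { echo "no certificate block in $pem"; rc=1; }
    grep -q 'PRIVATE KEY' "$pem" || { echo "no private key block in $pem"; rc=1; }
    return $rc
}
```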
