Overview
This page describes the steps IPA runs to set up the KRA agent after the KRA has been installed.
KRA Agent Setup
After the KRA is installed, IPA executes the following steps to set up the KRA agent (see ipaserver/install/krainstance.py). Secret.123 below is the sample password of the client security database, and ipa-ca-agent is the nickname of the CA agent certificate imported from /root/ca-agent.p12.
Create a client security database (i.e. ~/.dogtag/nssdb):
$ pki -c Secret.123 client-init
Import CA certificate:
$ pki -c Secret.123 client-cert-import --pkcs12 /root/kracert.p12 --pkcs12-password <IPA admin password>
Trust CA certificate:
$ pki -c Secret.123 client-cert-mod "Certificate Authority - <IPA realm>" --trust "CT,C,C"
Import CA admin certificate:
$ pki -c Secret.123 client-cert-import --pkcs12 /root/ca-agent.p12 --pkcs12-password <IPA admin password>
Create KRA user:
$ pki -c Secret.123 -n ipa-ca-agent kra-user-add ipakra --fullName "IPA KRA User"
Add KRA user into KRA agents group:
$ pki -c Secret.123 -n ipa-ca-agent kra-user-membership-add ipakra "Data Recovery Manager Agents"
Export IPA cert as DER file:
$ pki -d /etc/httpd/alias -C /etc/httpd/alias/pwdfile.txt client-cert-show ipaCert --cert ipa.crt
Assign IPA cert to KRA user:
$ pki -c Secret.123 -n ipa-ca-agent kra-user-cert-add ipakra --input ipa.crt
Export IPA cert as PEM file:
$ pki -d /etc/httpd/alias -C /etc/httpd/alias/pwdfile.txt client-cert-show ipaCert --client-cert /etc/httpd/alias/kra-agent.pem
Set the file ownership and permission:
$ chown root.apache /etc/httpd/alias/kra-agent.pem
$ chmod 660 /etc/httpd/alias/kra-agent.pem
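The same sequence as one script, added here as an example and not taken from ipaserver/install/krainstance.py or the Dogtag project. It reads the client database password from a file with pki's -C option (the option this page already uses for the httpd database) instead of passing it with -c, where the password would be visible in the process list, and it ends with a check that the agent PEM, which carries a private key, is not readable more widely than 0660. PKI_PWFILE, IPA_REALM, DRY_RUN and the helper function names are assumptions of this example.

```shell
#!/bin/sh
# Example only: KRA agent bootstrap with the NSS database password read from
# a file (-C) rather than given inline (-c). Paths for the .p12 files, the
# httpd database and the agent PEM are the ones used on this page.
set -eu

PKI_PWFILE="${PKI_PWFILE:-/root/.dogtag/nssdb/pwfile.txt}"   # assumed path
IPA_REALM="${IPA_REALM:-EXAMPLE.TEST}"                       # placeholder realm
AGENT_PEM=/etc/httpd/alias/kra-agent.pem
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or only print it when DRY_RUN=1 so the sequence can be
# reviewed on a host without pki installed.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# $1 is the IPA admin password protecting the two PKCS#12 files.
setup_kra_agent() {
    pkcs12_pw="$1"
    run pki -C "$PKI_PWFILE" client-init                                   # client database
    run pki -C "$PKI_PWFILE" client-cert-import --pkcs12 /root/kracert.p12 --pkcs12-password "$pkcs12_pw"
    run pki -C "$PKI_PWFILE" client-cert-mod "Certificate Authority - $IPA_REALM" --trust "CT,C,C"
    run pki -C "$PKI_PWFILE" client-cert-import --pkcs12 /root/ca-agent.p12 --pkcs12-password "$pkcs12_pw"
    run pki -C "$PKI_PWFILE" -n ipa-ca-agent kra-user-add ipakra --fullName "IPA KRA User"
    run pki -C "$PKI_PWFILE" -n ipa-ca-agent kra-user-membership-add ipakra "Data Recovery Manager Agents"
    run pki -d /etc/httpd/alias -C /etc/httpd/alias/pwdfile.txt client-cert-show ipaCert --cert ipa.crt
    run pki -C "$PKI_PWFILE" -n ipa-ca-agent kra-user-cert-add ipakra --input ipa.crt
    run pki -d /etc/httpd/alias -C /etc/httpd/alias/pwdfile.txt client-cert-show ipaCert --client-cert "$AGENT_PEM"
    run chown root:apache "$AGENT_PEM"
    run chmod 660 "$AGENT_PEM"
}

# Post-check: returns 0 only when the file mode is exactly 660 (assumes GNU stat).
check_agent_pem_mode() {
    mode=$(stat -c %a "$1") || return 1
    [ "$mode" = 660 ]
}

# Audit helper: number of generated commands that still pass a password via -c.
count_inline_passwords() {
    ( DRY_RUN=1; setup_kra_agent placeholder ) | grep -c ' -c ' || true
}
```

Run with DRY_RUN=1 first to review the exact commands, then as root with the real admin password once the password file exists.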