From 3a234e1682d8a9e21bb7b51ba06b51be977d4238 Mon Sep 17 00:00:00 2001 
From: Christina Fu
Date: Mon, 17 Feb 2025 16:29:37 -0800
Subject: [PATCH] [skip ci] remove closing ='s from headers in adoc files under pki/docs/installation
---
 .../ca/Installing-CA-with-RSA-PSS.adoc | 6 +++---
 ...ling-CA-with-Random-Serial-Numbers-v3.adoc | 6 +++---
 docs/installation/ca/Installing_CA.adoc | 10 +++++-----
 docs/installation/ca/Installing_CA_Clone.adoc | 14 ++++++-------
 .../ca/Installing_CA_Clone_with_HSM.adoc | 12 +++++------
 ...Clone_with_Secure_Database_Connection.adoc | 16 +++++++--------
 ...talling_CA_with_Custom_CA_Signing_Key.adoc | 14 ++++++-------
 .../ca/Installing_CA_with_ECC.adoc | 10 +++++-----
 ...stalling_CA_with_Existing_Keys_in_HSM.adoc | 14 ++++++-------
 ..._with_Existing_Keys_in_Internal_Token.adoc | 14 ++++++-------
 ..._with_External_CA_Signing_Certificate.adoc | 14 ++++++-------
 .../ca/Installing_CA_with_HSM.adoc | 10 +++++-----
 ...ng_CA_with_Secure_Database_Connection.adoc | 12 +++++------
 .../ca/Installing_Subordinate_CA.adoc | 10 +++++-----
 .../est/Installing-EST-pki-server.adoc | 2 +-
 .../est/Installing-EST-pkispawn.adoc | 10 +++++-----
 docs/installation/est/Installing-EST.adoc | 10 +++++-----
 docs/installation/est/Set-Up-Realm-DB.adoc | 6 +++---
 ...ing-KRA-with-Random-Serial-Numbers-v3.adoc | 6 +++---
 docs/installation/kra/Installing_KRA.adoc | 12 +++++------
 .../kra/Installing_KRA_Clone.adoc | 12 +++++------
 .../kra/Installing_KRA_Clone_with_HSM.adoc | 12 +++++------
 .../Installing_KRA_on_Separate_Instance.adoc | 12 +++++------
 .../kra/Installing_Standalone_KRA.adoc | 12 +++++------
 docs/installation/ocsp/Installing_OCSP.adoc | 12 +++++------
 .../ocsp/Installing_OCSP_Clone.adoc | 12 +++++------
 .../ocsp/Installing_OCSP_Clone_with_HSM.adoc | 12 +++++------
 .../Installing_OCSP_with_Custom_Keys.adoc | 14 ++++++-------
 .../ocsp/Installing_OCSP_with_ECC.adoc | 10 +++++-----
 ...lling_OCSP_with_External_Certificates.adoc | 14 ++++++-------
 .../ocsp/Installing_OCSP_with_HSM.adoc | 10 +++++-----
..._OCSP_with_Secure_Database_Connection.adoc | 14 ++++++------- .../ocsp/Installing_Standalone_OCSP.adoc | 12 +++++------ .../others/Creating_DS_instance.adoc | 20 +++++++++---------- .../others/Enabling-SSL-Connection-in-DS.adoc | 12 +++++------ .../others/Exporting-DS-Certificates.adoc | 8 ++++---- .../others/FQDN_Configuration.adoc | 8 ++++---- .../others/Installing_DS_Packages.adoc | 2 +- docs/installation/others/PKI-LDAP-Tree.adoc | 4 ++-- 39 files changed, 210 insertions(+), 210 deletions(-) diff --git a/docs/installation/ca/Installing-CA-with-RSA-PSS.adoc b/docs/installation/ca/Installing-CA-with-RSA-PSS.adoc index 4dc6404993b..cf60ad36975 100644 --- a/docs/installation/ca/Installing-CA-with-RSA-PSS.adoc +++ b/docs/installation/ca/Installing-CA-with-RSA-PSS.adoc @@ -1,8 +1,8 @@ -= Overview = += Overview This page describes the process to install a CA subsystem with RSA/PSS. -= Installation Procedure = += Installation Procedure To install CA subsystem with RSA/PSS, follow the normal link:Installing_CA.adoc[CA installation] procedure, then specify the parameters below. @@ -29,7 +29,7 @@ pki_ocsp_signing_key_algorithm=SHA512withRSA/PSS pki_ocsp_signing_signing_algorithm=SHA512withRSA/PSS ---- -= Verification = += Verification To verify that the CA signing certificate was created with RSA/PSS, execute the following command: diff --git a/docs/installation/ca/Installing-CA-with-Random-Serial-Numbers-v3.adoc b/docs/installation/ca/Installing-CA-with-Random-Serial-Numbers-v3.adoc index 0e332cfd6cc..c65b05cbae2 100644 --- a/docs/installation/ca/Installing-CA-with-Random-Serial-Numbers-v3.adoc +++ b/docs/installation/ca/Installing-CA-with-Random-Serial-Numbers-v3.adoc 
@@ -1,10 +1,10 @@ -= Overview = += Overview This page describes the process to install a CA subsystem with link:https://github.com/dogtagpki/pki/wiki/Random-Certificate-Serial-Numbers-v3[Random Certificate Serial Numbers v3] in PKI 11.2 or later. NOTE: RSNv3 is enabled by default since PKI 11.5. -= Installation Procedure = += Installation Procedure To install CA with random serial numbers v3, follow the normal link:Installing_CA.adoc[CA installation] procedure, then specify the parameters below. @@ -24,7 +24,7 @@ pki_request_id_generator=random The certificate request ID length (in bits) can be specified in the `pki_request_id_length` parameter. The default is `128` bits. -= Verification = += Verification After installation the certificates will have random serial numbers, for example: diff --git a/docs/installation/ca/Installing_CA.adoc b/docs/installation/ca/Installing_CA.adoc index f0d26392f2f..107f560462d 100644 --- a/docs/installation/ca/Installing_CA.adoc +++ b/docs/installation/ca/Installing_CA.adoc @@ -1,11 +1,11 @@ -= Installing CA = += Installing CA -== Overview == +== Overview This page describes the process to install a CA subsystem instance with a self-signed CA signing certificate. It is also known as a "root CA". Prior to installation, please ensure that the link:../others/Installation_Prerequisites.adoc[Installation Prerequisites] are configured. -== CA Subsystem Installation == +== CA Subsystem Installation Prepare a deployment configuration (e.g. `ca.cfg`) to deploy CA subsystem. By default the subsystem will be deployed into a Tomcat instance called `pki-tomcat`. @@ -16,7 +16,7 @@ To start the installation execute the following command: ``` $ pkispawn -f ca.cfg -s CA ``` -== CA System Certificates == +== CA System Certificates After installation, the CA system certificates and keys will be stored in the server NSS database (i.e. `/var/lib/pki/pki-tomcat/conf/alias`): 
@@ -49,7 +49,7 @@ The valid certificate IDs for CA are: Note that the `pki-server cert-export` command takes a certificate ID instead of a nickname. For simplicity the nicknames in this example are configured to be the same as the certificate ID. -== Admin Certificate == +== Admin Certificate After installation the admin certificate and key will be stored in `~/.dogtag/pki-tomcat/ca_admin_cert.p12`. The PKCS #12 password is specified in the `pki_client_pkcs12_password` parameter. diff --git a/docs/installation/ca/Installing_CA_Clone.adoc b/docs/installation/ca/Installing_CA_Clone.adoc index c253ee14bf5..bb003bc5d34 100644 --- a/docs/installation/ca/Installing_CA_Clone.adoc +++ b/docs/installation/ca/Installing_CA_Clone.adoc @@ -1,6 +1,6 @@ -= Installing CA Clone = += Installing CA Clone -== Overview == +== Overview This page describes the process to install a CA subsystem as a clone of an existing CA subsystem. Prior to installation, please ensure that the link:../others/Installation_Prerequisites.adoc[Installation Prerequisites] are configured. @@ -11,7 +11,7 @@ Additional useful tips: - Make sure the firewall on the clone allows external access to LDAP from the master - Not having a `dc=pki,dc=example,dc=com` entry in LDAP will give the same error as not being able to connect to the LDAP server. -== Exporting Existing CA System Certificates == +== Exporting Existing CA System Certificates On the existing system, export the CA system certificates with the following command: @@ -56,7 +56,7 @@ $ pki-server cert-export subsystem \ --csr-file subsystem.csr ``` -== SELinux Permissions == +== SELinux Permissions After copying the `ca-certs.p12` to the clone machine, ensure that appropriate SELinux rules are added: 
@@ -71,7 +71,7 @@ Also, make sure the `ca-certs.p12` file is owned by the `pkiuser` $ chown pkiuser:pkiuser ca-certs.p12 ---- -== CA Subsystem Installation == +== CA Subsystem Installation Prepare a deployment configuration (e.g. `ca-clone.cfg`) to deploy CA subsystem clone. By default the subsystem will be deployed into a Tomcat instance called `pki-tomcat`. @@ -98,7 +98,7 @@ To start the installation execute the following command: $ pkispawn -f ca-clone.cfg -s CA ``` -== CA System Certificates == +== CA System Certificates After installation the existing CA system certificates (including the certificate chain) and their keys will be stored in the server NSS database (i.e. `/var/lib/pki/pki-tomcat/conf/alias`), @@ -134,7 +134,7 @@ The valid certificate IDs for CA are: Note that the `pki-server cert-export` command takes a certificate ID instead of a nickname. For simplicity the nicknames in this example are configured to be the same as the certificate IDs. -== Admin Certificate == +== Admin Certificate To use the admin certificate from the primary CA subsystem, prepare a client NSS database (default is `~/.dogtag/nssdb`): diff --git a/docs/installation/ca/Installing_CA_Clone_with_HSM.adoc b/docs/installation/ca/Installing_CA_Clone_with_HSM.adoc index cc4fbb20af4..0e6d5bcc384 100644 --- a/docs/installation/ca/Installing_CA_Clone_with_HSM.adoc +++ b/docs/installation/ca/Installing_CA_Clone_with_HSM.adoc 
@@ -1,13 +1,13 @@ -= Installing CA Clone with HSM = += Installing CA Clone with HSM -== Overview == +== Overview This page describes the process to install a CA subsystem as a clone of an existing CA subsystem where the system certificates and their keys are stored in HSM. Prior to installation, please ensure that the link:../others/Installation_Prerequisites.adoc[Installation Prerequisites] are configured. -== Exporting Existing System Certificates == +== Exporting Existing System Certificates Since the system certificates and the keys are already in HSM, it's not necessary to export them into a PKCS #12 file to create a clone. @@ -29,7 +29,7 @@ $ pki-server cert-export subsystem \ --csr-file subsystem.csr ``` -== CA Subsystem Installation == +== CA Subsystem Installation Prepare a file (e.g. ca.cfg) that contains the deployment configuration, for example: @@ -101,7 +101,7 @@ It will install CA subsystem in a Tomcat instance (default is pki-tomcat) and cr * server NSS database: /var/lib/pki/pki-tomcat/conf/alias * admin NSS database: ~/.dogtag/pki-tomcat/ca/alias -== Verifying System Certificates == +== Verifying System Certificates Verify that the internal token contains the following certificates: @@ -130,7 +130,7 @@ HSM:ca_audit_signing u,u,Pu HSM:sslserver/replica.example.com u,u,u ``` -== Verifying Admin Certificate == +== Verifying Admin Certificate Prepare a client NSS database (e.g. ~/.dogtag/nssdb): diff --git a/docs/installation/ca/Installing_CA_Clone_with_Secure_Database_Connection.adoc b/docs/installation/ca/Installing_CA_Clone_with_Secure_Database_Connection.adoc index 42ec82ca69c..3c386a093e2 100644 --- a/docs/installation/ca/Installing_CA_Clone_with_Secure_Database_Connection.adoc +++ b/docs/installation/ca/Installing_CA_Clone_with_Secure_Database_Connection.adoc 
@@ -1,12 +1,12 @@ -= Installing CA Clone with Secure Database Connection = += Installing CA Clone with Secure Database Connection -== Overview == +== Overview This page describes the process to install a CA subsystem as clone of an existing CA subsystem with a secure database connection. Prior to installation, please ensure that the link:../others/Installation_Prerequisites.adoc[Installation Prerequisites] are configured. -== DS Configuration == +== DS Configuration Once the prerequisites listed above are completed on the clone system, go on the existing system and export the DS signing certificate into `ds_signing.p12` and copy the certificate into clone system with the following command: @@ -39,7 +39,7 @@ Some useful tips: not being able to connect to the LDAP server. -== Exporting Existing CA System Certificates == +== Exporting Existing CA System Certificates On the existing system, export the CA system certificates and copy to clone system with the following command: @@ -67,7 +67,7 @@ $ pki -d /var/lib/pki/pki-tomcat/conf/alias -f /var/lib/pki/pki-tomcat/conf/pass --append ``` -== SELinux Permissions == +== SELinux Permissions After copying the `ca-certs.p12` to the clone machine, ensure that appropriate SELinux rules are added: @@ -82,7 +82,7 @@ Also, make sure the `ca-certs.p12` file is owned by the `pkiuser` $ chown pkiuser:pkiuser ca-certs.p12 ---- -== CA Subsystem Installation == +== CA Subsystem Installation Prepare a deployment configuration (e.g. `ca-secure-ds-secondary.cfg`) to deploy CA subsystem clone. By default the subsystem will be deployed into a Tomcat instance called `pki-tomcat`. 
@@ -99,7 +99,7 @@ To start the installation execute the following command: $ pkispawn -f ca-secure-ds-secondary.cfg -s CA ``` -== CA System Certificates == +== CA System Certificates After installation the existing CA system certificates (including the certificate chain) and their keys will be stored in the server NSS database (i.e. `/var/lib/pki/pki-tomcat/conf/alias`), @@ -135,7 +135,7 @@ The valid certificate IDs for CA are: Note that the `pki-server cert-export` command takes a certificate ID instead of a nickname. For simplicity the nicknames in this example are configured to be the same as the certificate IDs. -== Admin Certificate == +== Admin Certificate To use the admin certificate from the primary CA subsystem, prepare a client NSS database (default is `~/.dogtag/nssdb`): diff --git a/docs/installation/ca/Installing_CA_with_Custom_CA_Signing_Key.adoc b/docs/installation/ca/Installing_CA_with_Custom_CA_Signing_Key.adoc index 0e91487290d..0ba9da8c0de 100644 --- a/docs/installation/ca/Installing_CA_with_Custom_CA_Signing_Key.adoc +++ b/docs/installation/ca/Installing_CA_with_Custom_CA_Signing_Key.adoc @@ -1,11 +1,11 @@ -= Installing CA with Custom CA Signing Key = += Installing CA with Custom CA Signing Key -== Overview == +== Overview This page describes the process to install a CA subsystem with a custom CA signing key, CSR, and certificate. Prior to installation, please ensure that the link:../others/Installation_Prerequisites.adoc[Installation Prerequisites] are configured. -== Starting CA Subsystem Installation == +== Starting CA Subsystem Installation Prepare a file (e.g. ca-step1.cfg) that contains the deployment configuration step 1, for example: ``` 
@@ -58,7 +58,7 @@ It will install CA subsystem in a Tomcat instance (default is pki-tomcat) and cr Since there is no CSR path parameter specified, it will not generate the CA signing key by default. -== Generating CA Signing Key, CSR, and Certificate == +== Generating CA Signing Key, CSR, and Certificate Generate a custom CA signing key in the server NSS database, then generate a CSR and store it in a file (e.g. ca_signing.csr). Use the CSR to issue the CA signing certificate: @@ -75,7 +75,7 @@ If the CA signing certificate was issued by an external CA, store the external C // // * link:https://github.com/dogtagpki/pki/wiki/Generating-CA-Signing-Certificate[Generating CA Signing Certificate] -== Finishing CA Subsystem Installation == +== Finishing CA Subsystem Installation Prepare another file (e.g. ca-step2.cfg) that contains the deployment configuration step 2. The file can be copied from step 1 (i.e. ca-step1.cfg) with additional changes below. Specify step 2 with the following parameter: @@ -109,7 +109,7 @@ Finally, execute the following command: $ pkispawn -f ca-step2.cfg -s CA ``` -== Verifying System Certificates == +== Verifying System Certificates Verify that the server NSS database contains the following certificates: ``` @@ -126,7 +126,7 @@ ca_audit_signing u,u,Pu sslserver u,u,u ``` -== Verifying Admin Certificate == +== Verifying Admin Certificate Prepare a client NSS database (e.g. ~/.dogtag/nssdb): ``` diff --git a/docs/installation/ca/Installing_CA_with_ECC.adoc b/docs/installation/ca/Installing_CA_with_ECC.adoc index 8773c61415e..7f401b6abd0 100644 --- a/docs/installation/ca/Installing_CA_with_ECC.adoc +++ b/docs/installation/ca/Installing_CA_with_ECC.adoc @@ -1,6 +1,6 @@ -= Installing CA with ECC = += Installing CA with ECC -== Overview == +== Overview This page describes the process to install a CA subsystem with ECC self-signed CA signing certificate. Supported ECC curves: 
@@ -17,7 +17,7 @@ Supported ECC key algorithms: Prior to installation, please ensure that the link:../others/Installation_Prerequisites.adoc[Installation Prerequisites] are configured. -== CA Subsystem Installation == +== CA Subsystem Installation Prepare a deployment configuration (e.g. `ca-ecc.cfg`) to deploy CA subsystem. By default the subsystem will be deployed into a Tomcat instance called `pki-tomcat`. @@ -30,7 +30,7 @@ To start the installation execute the following command: $ pkispawn -f ca-ecc.cfg -s CA ``` -== CA System Certificates == +== CA System Certificates After installation the CA system certificates and keys will be stored in the server NSS database (i.e. `/var/lib/pki/pki-tomcat/conf/alias`): @@ -65,7 +65,7 @@ The valid certificate IDs for CA are: Note that the `pki-server cert-export` command takes a certificate ID instead of a nickname. For simplicity the nicknames in this example are configured to be the same as the certificate ID. -== Admin Certificate == +== Admin Certificate After installation the admin certificate and key will be stored in `~/.dogtag/pki-tomcat/ca_admin_cert.p12`. diff --git a/docs/installation/ca/Installing_CA_with_Existing_Keys_in_HSM.adoc b/docs/installation/ca/Installing_CA_with_Existing_Keys_in_HSM.adoc index 9bb582f4483..4cbcace250d 100644 --- a/docs/installation/ca/Installing_CA_with_Existing_Keys_in_HSM.adoc +++ b/docs/installation/ca/Installing_CA_with_Existing_Keys_in_HSM.adoc @@ -1,6 +1,6 @@ -= Installing CA with Existing Keys in HSM = += Installing CA with Existing Keys in HSM -== Overview == +== Overview This page describes the process to install a CA subsystem with the system keys, CSRs, and certificates from an existing CA where the keys are stored in HSM. 
@@ -9,7 +9,7 @@ so they will not be included in the installation process. Prior to installation, please ensure that the link:../others/Installation_Prerequisites.adoc[Installation Prerequisites] are configured. -== Starting CA Subsystem Installation == +== Starting CA Subsystem Installation Prepare a file (e.g. ca-step1.cfg) that contains the deployment configuration step 1, for example: ``` @@ -68,7 +68,7 @@ It will install CA subsystem in a Tomcat instance (default is pki-tomcat) and cr Since there are no CSR path parameters specified, it will not generate CA system and admin keys. -== Exporting Existing System Certificates and CSRs == +== Exporting Existing System Certificates and CSRs Export the system certificates from the existing CA with the following commands: ``` @@ -93,7 +93,7 @@ $ sed -n "/^ca.audit_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ $ echo "-----END CERTIFICATE REQUEST-----" >> ca_audit_signing.csr ``` -== Finishing CA Subsystem Installation == +== Finishing CA Subsystem Installation Prepare another file (e.g. ca-step2.cfg) that contains the deployment configuration step 2. The file can be copied from step 1 (i.e. ca-step1.cfg) with additional changes below. @@ -131,7 +131,7 @@ Finally, execute the following command: $ pkispawn -f ca-step2.cfg -s CA ``` -== Verifying System Certificates == +== Verifying System Certificates Verify that the internal token contains the following certificates: ``` @@ -159,7 +159,7 @@ HSM:ca_audit_signing u,u,Pu HSM:sslserver/pki.example.com u,u,u ``` -== Verifying Admin Certificate == +== Verifying Admin Certificate Prepare a client NSS database (e.g. ~/.dogtag/nssdb): ``` diff --git a/docs/installation/ca/Installing_CA_with_Existing_Keys_in_Internal_Token.adoc b/docs/installation/ca/Installing_CA_with_Existing_Keys_in_Internal_Token.adoc index 6017a64bb57..0a3a599ad30 100644 --- a/docs/installation/ca/Installing_CA_with_Existing_Keys_in_Internal_Token.adoc 
+++ b/docs/installation/ca/Installing_CA_with_Existing_Keys_in_Internal_Token.adoc @@ -1,6 +1,6 @@ -= Installing CA with Existing Keys in Internal Token = += Installing CA with Existing Keys in Internal Token -== Overview == +== Overview This page describes the process to install a CA subsystem with the system keys, CSRs, and certificates from an existing CA where the keys are stored in internal token. @@ -10,7 +10,7 @@ so they will not be included in the installation process. Prior to installation, please ensure that the link:../others/Installation_Prerequisites.adoc[Installation Prerequisites] are configured. -== Starting CA Subsystem Installation == +== Starting CA Subsystem Installation Prepare a file (e.g. ca-existing-certs-step1.cfg) that contains the first deployment configuration. A sample deployment configuration is available at link:../../../base/server/examples/installation/ca-existing-certs-step1.cfg[/usr/share/pki/server/examples/installation/ca-existing-certs-step1.cfg]. @@ -28,7 +28,7 @@ It will install CA subsystem in a Tomcat instance (default is pki-tomcat) and cr Since there are no CSR path parameters specified, it will not generate CA system and admin keys. -== Exporting Existing System Keys, CSRs, Certificates == +== Exporting Existing System Keys, CSRs, Certificates Export the system keys and certificates from the existing CA into a PKCS #12 file with the following command: ``` @@ -55,7 +55,7 @@ $ sed -n "/^ca.audit_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ $ echo "-----END CERTIFICATE REQUEST-----" >> ca_audit_signing.csr ``` -== Finishing CA Subsystem Installation == +== Finishing CA Subsystem Installation Prepare another file (e.g. ca-existing-certs-step2.cfg) that contains the second deployment configuration. The file can be created from the first file (i.e. ca-existing-certs-step1.cfg) with the following changes: 
@@ -92,7 +92,7 @@ Finally, execute the following command: $ pkispawn -f ca-existing-certs-step2.cfg -s CA ``` -== Verifying System Certificates == +== Verifying System Certificates Verify that the server NSS database contains the following certificates: ``` @@ -108,7 +108,7 @@ ca_audit_signing u,u,Pu sslserver u,u,u ``` -== Verifying Admin Certificate == +== Verifying Admin Certificate Prepare a client NSS database (e.g. ~/.dogtag/nssdb): ``` diff --git a/docs/installation/ca/Installing_CA_with_External_CA_Signing_Certificate.adoc b/docs/installation/ca/Installing_CA_with_External_CA_Signing_Certificate.adoc index e92b178b96d..5874c36008b 100644 --- a/docs/installation/ca/Installing_CA_with_External_CA_Signing_Certificate.adoc +++ b/docs/installation/ca/Installing_CA_with_External_CA_Signing_Certificate.adoc @@ -1,11 +1,11 @@ -= Installing CA with External CA Signing Certificate = += Installing CA with External CA Signing Certificate -== Overview == +== Overview This page describes the process to install a CA subsystem with an external CA signing certificate. Prior to installation, please ensure that the link:../others/Installation_Prerequisites.adoc[Installation Prerequisites] are configured. -== Starting CA Subsystem Installation == +== Starting CA Subsystem Installation Prepare a file (e.g. ca-external-cert-step1.cfg) that contains the first deployment configuration. A sample deployment configuration is available at link:../../../base/server/examples/installation/ca-external-cert-step1.cfg[/usr/share/pki/server/examples/installation/ca-external-cert-step1.cfg] @@ -23,7 +23,7 @@ It will install CA subsystem in a Tomcat instance (default is pki-tomcat) and cr It will also generate the CA signing key in the server NSS database and the CSR in the specified path. -== Generating CA Signing Certificate == +== Generating CA Signing Certificate Use the CSR to issue the CA signing certificate: * for root CA installation, generate a self-signed CA signing certificate 
@@ -41,7 +41,7 @@ but it should not include the CA signing certificate itself. // // * link:https://github.com/dogtagpki/pki/wiki/Generating-CA-Signing-Certificate[Generating CA Signing Certificate] -== Finishing CA Subsystem Installation == +== Finishing CA Subsystem Installation Prepare another file (e.g. ca-external-cert-step2.cfg) that contains the second deployment configuration. The file can be created from the first file (i.e. ca-external-cert-step1.cfg) with the following changes: @@ -70,7 +70,7 @@ Finally, execute the following command: $ pkispawn -f ca-external-cert-step2.cfg -s CA ``` -== Verifying System Certificates == +== Verifying System Certificates Verify that the server NSS database contains the following certificates: ``` @@ -87,7 +87,7 @@ ca_audit_signing u,u,Pu sslserver u,u,u ``` -== Verifying Admin Certificate == +== Verifying Admin Certificate Prepare a client NSS database (e.g. ~/.dogtag/nssdb): diff --git a/docs/installation/ca/Installing_CA_with_HSM.adoc b/docs/installation/ca/Installing_CA_with_HSM.adoc index 78d035978b1..113ab98d687 100644 --- a/docs/installation/ca/Installing_CA_with_HSM.adoc +++ b/docs/installation/ca/Installing_CA_with_HSM.adoc @@ -1,12 +1,12 @@ -= Installing CA with HSM = += Installing CA with HSM -== Overview == +== Overview This page describes the process to install a CA subsystem with a self-signed CA signing certificate where the system certificates and their keys will be stored in HSM. Prior to installation, please ensure that the link:../others/Installation_Prerequisites.adoc[Installation Prerequisites] are configured. -== CA Subsystem Installation == +== CA Subsystem Installation Prepare a file (e.g. ca.cfg) that contains the deployment configuration, for example: ``` 
@@ -60,7 +60,7 @@ It will install CA subsystem in a Tomcat instance (default is pki-tomcat) and cr * server NSS database: /var/lib/pki/pki-tomcat/conf/alias * admin NSS database: ~/.dogtag/pki-tomcat/ca/alias -== Verifying System Certificates == +== Verifying System Certificates Verify that the internal token contains the following certificates: ``` @@ -88,7 +88,7 @@ HSM:ca_audit_signing u,u,Pu HSM:sslserver/pki.example.com u,u,u ``` -== Verifying Admin Certificate == +== Verifying Admin Certificate Prepare a client NSS database (e.g. ~/.dogtag/nssdb): ``` diff --git a/docs/installation/ca/Installing_CA_with_Secure_Database_Connection.adoc b/docs/installation/ca/Installing_CA_with_Secure_Database_Connection.adoc index 831d0a878e0..4f459ff6f14 100644 --- a/docs/installation/ca/Installing_CA_with_Secure_Database_Connection.adoc +++ b/docs/installation/ca/Installing_CA_with_Secure_Database_Connection.adoc @@ -1,17 +1,17 @@ -== Overview == +== Overview This page describes the process to install a CA subsystem with a secure database connection. Prior to installation, please ensure that the link:../others/Installation_Prerequisites.adoc[Installation Prerequisites] are configured. -== DS Configuration == +== DS Configuration Once the prerequisites listed above are completed, enable the SSL connection with a self-signed signing certificate as described in link:../others/Enabling-SSL-Connection-in-DS.adoc#enabling-ssl-connection[Enabling SSL Connection]. Then export the signing certificate into `ds_signing.crt` as described in link:../others/Exporting-DS-Certificates.adoc#exporting-ds-signing-certificate[Exporting DS Signing Certificate]. -== CA Subsystem Installation == +== CA Subsystem Installation Prepare a deployment configuration (e.g. `ca-secure-ds.cfg`) to deploy CA subsystem. By default the subsystem will be deployed into a Tomcat instance called `pki-tomcat`. 
@@ -23,7 +23,7 @@ To start the installation execute the following command: $ pkispawn -f ca-secure-ds.cfg -s CA ``` -== CA System Certificates == +== CA System Certificates After installation the CA system certificates with their keys will be generated and stored in the server NSS database (i.e. `/var/lib/pki/pki-tomcat/conf/alias`), and the DS signing certificate will be imported into the same NSS database: @@ -59,7 +59,7 @@ The valid IDs for CA system certificates are: Note that the `pki-server cert-export` command takes a certificate ID instead of a nickname. For simplicity the nicknames in this example are configured to be the same as the certificate ID. -== CA Database Configuration == +== CA Database Configuration The CA database configuration can be displayed with the following command: ``` @@ -77,7 +77,7 @@ $ pki-server ca-db-config-show Minimum connections: 3 ``` -== Admin Certificate == +== Admin Certificate After installation the admin certificate and key will be stored in `~/.dogtag/pki-tomcat/ca_admin_cert.p12`. The PKCS #12 password is specified in the `pki_client_pkcs12_password` parameter. diff --git a/docs/installation/ca/Installing_Subordinate_CA.adoc b/docs/installation/ca/Installing_Subordinate_CA.adoc index c1812ebcd06..31bb8075fe7 100644 --- a/docs/installation/ca/Installing_Subordinate_CA.adoc +++ b/docs/installation/ca/Installing_Subordinate_CA.adoc 
@@ -1,12 +1,12 @@ -= Installing Subordinate CA = += Installing Subordinate CA -== Overview == +== Overview This page describes the process to install a subordinate CA subsystem with a signing certificate issued by a root CA. Prior to installation, please ensure that the link:../others/Installation_Prerequisites.adoc[Installation Prerequisites] are configured. -== Subordinate CA Subsystem Installation == +== Subordinate CA Subsystem Installation Prepare a file (e.g. subca.cfg) that contains the deployment configuration. A sample deployment configuration is available at link:../../../base/server/examples/installation/subca.cfg[/usr/share/pki/server/examples/installation/subca.cfg]. @@ -24,7 +24,7 @@ It will install subordinate CA subsystem in a Tomcat instance (default is pki-to * server NSS database: /var/lib/pki/pki-tomcat/conf/alias * admin NSS database: ~/.dogtag/pki-tomcat/ca/alias -== Verifying System Certificates == +== Verifying System Certificates Verify that the server NSS database contains the following certificates: @@ -41,7 +41,7 @@ ca_audit_signing u,u,Pu sslserver u,u,u ``` -== Verifying Admin Certificate == +== Verifying Admin Certificate Prepare a client NSS database (e.g. ~/.dogtag/nssdb): diff --git a/docs/installation/est/Installing-EST-pki-server.adoc b/docs/installation/est/Installing-EST-pki-server.adoc index c637cf19f89..f51d423aff0 100644 --- a/docs/installation/est/Installing-EST-pki-server.adoc +++ b/docs/installation/est/Installing-EST-pki-server.adoc @@ -1,4 +1,4 @@ -= EST installation using `pki-server` = += EST installation using `pki-server` After the prerequisite in xref:../est/Installing-EST.adoc[Installing EST], it is possible to install *EST*. diff --git a/docs/installation/est/Installing-EST-pkispawn.adoc b/docs/installation/est/Installing-EST-pkispawn.adoc index 878a5f3da09..2dff4921a3a 100644 --- a/docs/installation/est/Installing-EST-pkispawn.adoc +++ b/docs/installation/est/Installing-EST-pkispawn.adoc 
@@ -1,10 +1,10 @@ -= EST installation using `pkispawn` = += EST installation using `pkispawn` After the prerequisite in xref:../est/Installing-EST.adoc[Installing EST], it is possible to install *EST*. -== Installation == +== Installation An example `pkispawn` installation configuration is provided in `/usr/share/pki/server/examples/installation/est.cfg` with the following content: @@ -91,7 +91,7 @@ The `est_realm_custom` is a path to a custom realm configuration for tomcat and if provided it will overwrite all other realm related configurations. -=== Installation on separate instance with certificates === +=== Installation on separate instance with certificates EST can also be installed on a tomcat instance that’s separate from the CA. @@ -170,7 +170,7 @@ Using the generated PKCS#12 bundle, the command to deploy EST is: ---- -=== Installation on separate instance without certificates === +=== Installation on separate instance without certificates If the PKCS#12 bundle certificates are not provided to `pkispawn`, during the installation, the EST server cert will be issued @@ -205,7 +205,7 @@ and configured in the file `/var/lib/pki/pki-tomcat/conf/est/backend.conf`. -== Removing EST == +== Removing EST To remove the EST subsystem it is possible to use the `pkidestroy` command as follow: diff --git a/docs/installation/est/Installing-EST.adoc b/docs/installation/est/Installing-EST.adoc index 4d0b531fa7b..c045e7ec6a7 100644 --- a/docs/installation/est/Installing-EST.adoc +++ b/docs/installation/est/Installing-EST.adoc @@ -1,9 +1,9 @@ // this asciidoc file is converted from Installing_EST.md with needed modifications // -= Installing EST = += Installing EST -== Overview == +== Overview This page describes the process to install an _EST subsystem_. 
@@ -15,7 +15,7 @@ The *EST subsystem* requires the package `dogtag-pki-est` installed in the serve -== Prerequisite == +== Prerequisite On the CA, create a user group for EST RA accounts (*EST RA Agents*), and an EST RA account (**est-ra-1**). The EST subsystem will use this account to authenticate to @@ -74,7 +74,7 @@ xref:../est/Set-Up-Realm-DB.adoc[Set Up Realm DB]. -== EST Subsystem Installation == +== EST Subsystem Installation There are two options for the installation: @@ -89,7 +89,7 @@ There are two options for the installation: -== Verifying EST == +== Verifying EST Before enrolling certificates EST users must be added in the user database. The user management is not part of EST commands and has to be done outside EST. Guide on how To add user into DS realm is diff --git a/docs/installation/est/Set-Up-Realm-DB.adoc b/docs/installation/est/Set-Up-Realm-DB.adoc index c107f872057..2ca1a8d0aad 100644 --- a/docs/installation/est/Set-Up-Realm-DB.adoc +++ b/docs/installation/est/Set-Up-Realm-DB.adoc @@ -1,6 +1,6 @@ -= Set up realm DB = += Set up realm DB -== Preparing DS DB == +== Preparing DS DB If you have chosen to use an LDAP instance for user management, before adding users, please ensure that you have configured the directory @@ -26,7 +26,7 @@ require to modify the authorization script `/usr/share/pki/est/bin/estauthz`. -== Preparaing PostgreSQL DB == +== Preparaing PostgreSQL DB If you have chosen to use *PostgreSQL* for user management, you first diff --git a/docs/installation/kra/Installing-KRA-with-Random-Serial-Numbers-v3.adoc b/docs/installation/kra/Installing-KRA-with-Random-Serial-Numbers-v3.adoc index 6f48d980ac9..55aa45f0074 100644 --- a/docs/installation/kra/Installing-KRA-with-Random-Serial-Numbers-v3.adoc +++ b/docs/installation/kra/Installing-KRA-with-Random-Serial-Numbers-v3.adoc 
@@ -1,10 +1,10 @@ -= Overview = += Overview This page describes the process to install a KRA subsystem with random serial numbers in PKI 11.2 or later. NOTE: RSNv3 is enabled by default since PKI 11.5. -= Installation Procedure = += Installation Procedure To install KRA with random serial numbers, follow the normal link:Installing_KRA.md[KRA installation] procedure, then specify the following parameter: @@ -24,7 +24,7 @@ pki_request_id_generator=random The key request ID length (in bits) can be specified in `pki_request_id_length` parameter. The default is `128` bits. -= Verification = += Verification Perform a link:https://github.com/dogtagpki/pki/wiki/Key-Archival[Key Archival] or a link:https://github.com/dogtagpki/pki/wiki/Certificate-Enrollment-with-Key-Archival[Certificate Enrollment with Key Archival]. The keys will have random IDs, for example: diff --git a/docs/installation/kra/Installing_KRA.adoc b/docs/installation/kra/Installing_KRA.adoc index 4fc8f702c69..09cb41e83b7 100644 --- a/docs/installation/kra/Installing_KRA.adoc +++ b/docs/installation/kra/Installing_KRA.adoc @@ -1,12 +1,12 @@ -= Installing KRA = += Installing KRA -== Overview == +== Overview This page describes the process to install a KRA subsystem. Prior to installation, please ensure that the link:../others/Installation_Prerequisites.adoc[Installation Prerequisites] are configured. -== KRA Subsystem Installation == +== KRA Subsystem Installation Prepare a file (e.g. kra.cfg) that contains the deployment configuration. A sample deployment configuration is available at link:../../../base/server/examples/installation/kra.cfg[/usr/share/pki/server/examples/installation/kra.cfg]. 
@@ -29,7 +29,7 @@ to verify the CA's SSL server certificate when contacting the security domain. It is up to the administrator to securely transport the CA root certificate (public key only!) to the system prior to KRA installation. -== Verifying System Certificates == +== Verifying System Certificates Verify that the server NSS database contains the following certificates: @@ -47,7 +47,7 @@ kra_audit_signing u,u,Pu sslserver u,u,u ``` -== Verifying Admin Certificate == +== Verifying Admin Certificate Prepare a client NSS database (e.g. ~/.dogtag/nssdb): @@ -83,7 +83,7 @@ User "kraadmin" State: 1 ``` -== Verifying KRA Connector == +== Verifying KRA Connector Verify that the KRA connector is configured in the CA subsystem: diff --git a/docs/installation/kra/Installing_KRA_Clone.adoc b/docs/installation/kra/Installing_KRA_Clone.adoc index d1ed39e2dd4..0db5e87121a 100644 --- a/docs/installation/kra/Installing_KRA_Clone.adoc +++ b/docs/installation/kra/Installing_KRA_Clone.adoc @@ -1,12 +1,12 @@ -= Installing KRA Clone = += Installing KRA Clone -== Overview == +== Overview This page describes the process to install a KRA subsystem as a clone of an existing KRA subsystem. Prior to installation, please ensure that the link:../others/Installation_Prerequisites.adoc[Installation Prerequisites] are configured. -== Exporting Existing KRA System Certificates == +== Exporting Existing KRA System Certificates On the existing system, export the KRA system certificates with the following command: @@ -35,7 +35,7 @@ $ pki -d /var/lib/pki/pki-tomcat/conf/alias -f /var/lib/pki/pki-tomcat/conf/pass --append ``` -== KRA Subsystem Installation == +== KRA Subsystem Installation Prepare a deployment configuration (e.g. `kra-clone.cfg`) to deploy KRA subsystem clone. By default the subsystem will be deployed into a Tomcat instance called `pki-tomcat`. 
@@ -53,7 +53,7 @@ To start the installation execute the following command: $ pkispawn -f kra-clone.cfg -s KRA ``` -== KRA System Certificates == +== KRA System Certificates After installation the existing KRA system certificates (including the certificate chain) and their keys will be stored in the server NSS database (i.e. `/var/lib/pki/pki-tomcat/conf/alias`), @@ -90,7 +90,7 @@ The valid certificate IDs for KRA are: Note that the `pki-server cert-export` command takes a certificate ID instead of a nickname. For simplicity the nicknames in this example are configured to be the same as the certificate IDs. -== Admin Certificate == +== Admin Certificate To use the admin certificate from the CA subsystem, prepare a client NSS database (default is `~/.dogtag/nssdb`): diff --git a/docs/installation/kra/Installing_KRA_Clone_with_HSM.adoc b/docs/installation/kra/Installing_KRA_Clone_with_HSM.adoc index 32dc05d08b4..fbbc9ef3291 100644 --- a/docs/installation/kra/Installing_KRA_Clone_with_HSM.adoc +++ b/docs/installation/kra/Installing_KRA_Clone_with_HSM.adoc @@ -1,6 +1,6 @@ -= Installing KRA Clone with HSM = += Installing KRA Clone with HSM -== Overview == +== Overview This page describes the process to install a KRA subsystem as a clone of an existing KRA subsystem where the system certificates and their keys are stored in HSM. @@ -10,7 +10,7 @@ PKCS #12 file to create a clone. Prior to installation, please ensure that the link:../others/Installation_Prerequisites.adoc[Installation Prerequisites] are configured. -== KRA Subsystem Installation == +== KRA Subsystem Installation Prepare a file (e.g. kra.cfg) that contains the deployment configuration, for example: 
@@ -72,7 +72,7 @@ It will install KRA subsystem in a Tomcat instance (default is pki-tomcat) and c * server NSS database: /var/lib/pki/pki-tomcat/conf/alias * admin NSS database: ~/.dogtag/pki-tomcat/kra/alias -== Verifying System Certificates == +== Verifying System Certificates Verify that the internal token contains the following certificates: @@ -101,7 +101,7 @@ HSM:kra_audit_signing u,u,Pu HSM:sslserver/replica.example.com u,u,u ``` -== Verifying Admin Certificate == +== Verifying Admin Certificate Prepare a client NSS database (e.g. ~/.dogtag/nssdb): @@ -137,7 +137,7 @@ User "kraadmin" State: 1 ``` -== Verifying KRA Connector == +== Verifying KRA Connector Verify that the KRA connector is configured in the CA subsystem: diff --git a/docs/installation/kra/Installing_KRA_on_Separate_Instance.adoc b/docs/installation/kra/Installing_KRA_on_Separate_Instance.adoc index 3407d95a22c..c25bb67fa52 100644 --- a/docs/installation/kra/Installing_KRA_on_Separate_Instance.adoc +++ b/docs/installation/kra/Installing_KRA_on_Separate_Instance.adoc @@ -1,12 +1,12 @@ -= Installing KRA on Separate Instance = += Installing KRA on Separate Instance -== Overview == +== Overview This page describes the process to install a KRA subsystem on an instance/host separate from the CA. Prior to installation, please ensure that the link:../others/Installation_Prerequisites.adoc[Installation Prerequisites] are configured. -== KRA Subsystem Installation == +== KRA Subsystem Installation Prepare a file (e.g. kra-separate.cfg) that contains the deployment configuration. @@ -33,7 +33,7 @@ to verify the CA's SSL server certificate when contacting the security domain. It is up to the administrator to securely transport the CA root certificate (public key only!) to the system prior to KRA installation. -== Verifying System Certificates == +== Verifying System Certificates Verify that the server NSS database contains the following certificates: 
@@ -51,7 +51,7 @@ kra_audit_signing u,u,Pu sslserver u,u,u ``` -== Verifying Admin Certificate == +== Verifying Admin Certificate Prepare a client NSS database (e.g. ~/.dogtag/nssdb): @@ -87,7 +87,7 @@ User "kraadmin" State: 1 ``` -== Verifying KRA Connector == +== Verifying KRA Connector Verify that the KRA connector is configured in the CA subsystem: diff --git a/docs/installation/kra/Installing_Standalone_KRA.adoc b/docs/installation/kra/Installing_Standalone_KRA.adoc index da0617f4f44..96260a3f483 100644 --- a/docs/installation/kra/Installing_Standalone_KRA.adoc +++ b/docs/installation/kra/Installing_Standalone_KRA.adoc @@ -1,6 +1,6 @@ -= Installing Standalone KRA = += Installing Standalone KRA -== Overview == +== Overview This page describes the process to install a standalone KRA subsystem. In link:Installing_KRA.md[regular KRA installation] the KRA certificates are issued automatically by the CA and the KRA will join the CA's security domain. @@ -12,7 +12,7 @@ The installation process consists multiple steps: * Issuing the certificates * Completing installation with the certificates -== Generating Certificate Requests == +== Generating Certificate Requests Prepare a file (e.g. kra-standalone-step1.cfg) that contains the first deployment configuration. @@ -26,7 +26,7 @@ $ pkispawn -f kra-standalone-step1.cfg -s KRA It will create an NSS database in /var/lib/pki/pki-tomcat/alias and generate CSRs in the specified paths. -== Issuing Certificates == +== Issuing Certificates Use the CSRs to obtain KRA certificates: 
@@ -37,7 +37,7 @@ Use the CSRs to obtain KRA certificates: * link:https://github.com/dogtagpki/pki/wiki/Generating-Audit-Signing-Certificate[Generating Audit Signing Certificate] * link:https://github.com/dogtagpki/pki/wiki/Generating-Admin-Certificate[Generating Admin Certificate] -== Completing Installation == +== Completing Installation Prepare another file (e.g. kra-standalone-step2.cfg) that contains the second deployment configuration. The file can be created from the first file (i.e. kra-standalone-step1.cfg) with the following changes: @@ -76,7 +76,7 @@ Finally, execute the following command: $ pkispawn -f kra-standalone-step2.cfg -s KRA ---- -== Verifying Admin Certificate == +== Verifying Admin Certificate Import the CA signing certificate: diff --git a/docs/installation/ocsp/Installing_OCSP.adoc b/docs/installation/ocsp/Installing_OCSP.adoc index 83ee1065638..c1b34305cdf 100644 --- a/docs/installation/ocsp/Installing_OCSP.adoc +++ b/docs/installation/ocsp/Installing_OCSP.adoc @@ -1,12 +1,12 @@ -= Installing OCSP = += Installing OCSP -== Overview == +== Overview This page describes the process to install an OCSP subsystem. Prior to installation, please ensure that the link:../others/Installation_Prerequisites.adoc[Installation Prerequisites] are configured. -== OCSP Subsystem Installation == +== OCSP Subsystem Installation Prepare a file (e.g. ocsp.cfg) that contains the deployment configuration. A sample deployment configuration is available at link:../../../base/server/examples/installation/ocsp.cfg[/usr/share/pki/server/examples/installation/ocsp.cfg]. @@ -29,7 +29,7 @@ to verify the CA's SSL server certificate when contacting the security domain. It is up to the administrator to securely transport the CA root certificate (public key only!) to the system prior to OCSP installation. -== Verifying System Certificates == +== Verifying System Certificates Verify that the server NSS database contains the following certificates: 
@@ -46,7 +46,7 @@ ocsp_audit_signing u,u,Pu sslserver u,u,u ``` -== Verifying Admin Certificate == +== Verifying Admin Certificate Prepare a client NSS database (e.g. ~/.dogtag/nssdb): @@ -82,7 +82,7 @@ User "ocspadmin" State: 1 ``` -== Verifying OCSP Client == +== Verifying OCSP Client Publish the CRL in CA to the directory server as follows: diff --git a/docs/installation/ocsp/Installing_OCSP_Clone.adoc b/docs/installation/ocsp/Installing_OCSP_Clone.adoc index 49e0f0091b5..9950578e6a0 100644 --- a/docs/installation/ocsp/Installing_OCSP_Clone.adoc +++ b/docs/installation/ocsp/Installing_OCSP_Clone.adoc @@ -1,12 +1,12 @@ -= Installing OCSP Clone = += Installing OCSP Clone -== Overview == +== Overview This page describes the process to install a OCSP subsystem as a clone of an existing OCSP subsystem. Prior to installation, please ensure that the link:../others/Installation_Prerequisites.adoc[Installation Prerequisites] are configured. -== Exporting Existing OCSP System Certificates == +== Exporting Existing OCSP System Certificates On the existing system, export the existing OCSP system certificates with the following command: @@ -34,7 +34,7 @@ $ pki -d /var/lib/pki/pki-tomcat/conf/alias -f /var/lib/pki/pki-tomcat/conf/pass --append ``` -== OCSP Subsystem Installation == +== OCSP Subsystem Installation Prepare a deployment configuration (e.g. `ocsp-clone.cfg`) to deploy OCSP subsystem clone. By default the subsystem will be deployed into a Tomcat instance called `pki-tomcat`. @@ -52,7 +52,7 @@ To start the installation execute the following command: $ pkispawn -f ocsp-clone.cfg -s OCSP ``` -== OCSP System Certificates == +== OCSP System Certificates After installation the existing OCSP system certificates (including the certificate chain) and their keys will be stored in the server NSS database (i.e. `/var/lib/pki/pki-tomcat/conf/alias`), 
@@ -87,7 +87,7 @@ The valid certificate IDs for OCSP are: Note that the `pki-server cert-export` command takes a certificate ID instead of a nickname. For simplicity the nicknames in this example are configured to be the same as the certificate ID. -== Admin Certificate == +== Admin Certificate To use the admin certificate from the CA subsystem, prepare a client NSS database (default is `~/.dogtag/nssdb`): diff --git a/docs/installation/ocsp/Installing_OCSP_Clone_with_HSM.adoc b/docs/installation/ocsp/Installing_OCSP_Clone_with_HSM.adoc index d4aef98bcdf..6a9cc7ab147 100644 --- a/docs/installation/ocsp/Installing_OCSP_Clone_with_HSM.adoc +++ b/docs/installation/ocsp/Installing_OCSP_Clone_with_HSM.adoc @@ -1,7 +1,7 @@ -= Installing OCSP Clone with HSM = += Installing OCSP Clone with HSM -== Overview == +== Overview This page describes the process to install an OCSP subsystem as a clone of an existing OCSP subsystem where the system certificates and their keys are stored in HSM. @@ -11,7 +11,7 @@ PKCS #12 file to create a clone. Prior to installation, please ensure that the link:../others/Installation_Prerequisites.adoc[Installation Prerequisites] are configured. -== OCSP Subsystem Installation == +== OCSP Subsystem Installation Prepare a file (e.g. ocsp.cfg) that contains the deployment configuration, for example: @@ -71,7 +71,7 @@ It will install OCSP subsystem in a Tomcat instance (default is pki-tomcat) and * server NSS database: /var/lib/pki/pki-tomcat/conf/alias * admin NSS database: ~/.dogtag/pki-tomcat/ocsp/alias -== Verifying System Certificates == +== Verifying System Certificates Verify that the internal token contains the following certificates: @@ -99,7 +99,7 @@ HSM:ocsp_audit_signing u,u,Pu HSM:sslserver/replica.example.com u,u,u ``` -== Verifying Admin Certificate == +== Verifying Admin Certificate Prepare a client NSS database (e.g. ~/.dogtag/nssdb): 
@@ -135,7 +135,7 @@ User "ocspadmin" State: 1 ``` -== Verifying OCSP Client == +== Verifying OCSP Client Publish the CRL in CA to the directory server as follows: diff --git a/docs/installation/ocsp/Installing_OCSP_with_Custom_Keys.adoc b/docs/installation/ocsp/Installing_OCSP_with_Custom_Keys.adoc index dae510ab3b7..a09f4939553 100644 --- a/docs/installation/ocsp/Installing_OCSP_with_Custom_Keys.adoc +++ b/docs/installation/ocsp/Installing_OCSP_with_Custom_Keys.adoc @@ -1,13 +1,13 @@ -= Installing OCSP with Custom Keys = += Installing OCSP with Custom Keys -== Overview == +== Overview This page describes the process to install a OCSP subsystem with custom OCSP system and admin keys, CSRs, and certificates. Prior to installation, please ensure that the link:../others/Installation_Prerequisites.adoc[Installation Prerequisites] are configured. -== Starting OCSP Subsystem Installation == +== Starting OCSP Subsystem Installation Prepare a file (e.g. ocsp-step1.cfg) that contains the deployment configuration step 1, for example: @@ -62,7 +62,7 @@ It will install OCSP subsystem in a Tomcat instance (default is pki-tomcat) and Since there are no CSR path parameters specified, it will not generate the OCSP system and admin keys. -== Generating OCSP Keys, CSRs, and Certificates == +== Generating OCSP Keys, CSRs, and Certificates Generate custom OCSP system keys in the server NSS database and admin key in the admin NSS database, then generate the CSRs and store them in files, for example: 
@@ -92,7 +92,7 @@ See also: * link:https://github.com/dogtagpki/pki/wiki/Generating-Audit-Signing-Certificate[Generating Audit Signing Certificate] * link:https://github.com/dogtagpki/pki/wiki/Generating-Admin-Certificate[Generating Admin Certificate] -== Finishing OCSP Subsystem Installation == +== Finishing OCSP Subsystem Installation Prepare another file (e.g. ocsp-step2.cfg) that contains the deployment configuration step 2. The file can be copied from step 1 (i.e. ocsp-step1.cfg) with additional changes below. @@ -135,7 +135,7 @@ Finally, execute the following command: $ pkispawn -f ocsp-step2.cfg -s OCSP ``` -== Verifying System Certificates == +== Verifying System Certificates Verify that the server NSS database contains the following certificates: @@ -152,7 +152,7 @@ ocsp_audit_signing u,u,Pu sslserver u,u,u ``` -== Verifying Admin Certificate == +== Verifying Admin Certificate Prepare a client NSS database (e.g. ~/.dogtag/nssdb): diff --git a/docs/installation/ocsp/Installing_OCSP_with_ECC.adoc b/docs/installation/ocsp/Installing_OCSP_with_ECC.adoc index 21267a66325..f3c170d5f05 100644 --- a/docs/installation/ocsp/Installing_OCSP_with_ECC.adoc +++ b/docs/installation/ocsp/Installing_OCSP_with_ECC.adoc @@ -1,6 +1,6 @@ -= Installing OCSP with ECC = += Installing OCSP with ECC -== Overview == +== Overview This page describes the process to install a OCSP subsystem with ECC. @@ -18,7 +18,7 @@ Supported ECC key algorithms: Prior to installation, please ensure that the link:../others/Installation_Prerequisites.adoc[Installation Prerequisites] are configured. -== OCSP Subsystem Installation == +== OCSP Subsystem Installation Prepare a file (e.g. ocsp.cfg) that contains the deployment configuration, for example: 
@@ -84,7 +84,7 @@ It will install OCSP subsystem in a Tomcat instance (default is pki-tomcat) and * server NSS database: /var/lib/pki/pki-tomcat/conf/alias * admin NSS database: ~/.dogtag/pki-tomcat/kra/alias -== Verifying System Certificates == +== Verifying System Certificates Verify that the server NSS database contains the following certificates: @@ -101,7 +101,7 @@ ocsp_signing u,u,u sslserver u,u,u ``` -== Verifying Admin Certificate == +== Verifying Admin Certificate Prepare a client NSS database (e.g. ~/.dogtag/nssdb): diff --git a/docs/installation/ocsp/Installing_OCSP_with_External_Certificates.adoc b/docs/installation/ocsp/Installing_OCSP_with_External_Certificates.adoc index a7c89791bd7..43607999408 100644 --- a/docs/installation/ocsp/Installing_OCSP_with_External_Certificates.adoc +++ b/docs/installation/ocsp/Installing_OCSP_with_External_Certificates.adoc @@ -1,11 +1,11 @@ -= Installing OCSP with External Certificates = += Installing OCSP with External Certificates -== Overview == +== Overview This page describes the process to install a OCSP subsystem with external certificates. Prior to installation, please ensure that the link:../others/Installation_Prerequisites.adoc[Installation Prerequisites] are configured. -== Starting OCSP Subsystem Installation == +== Starting OCSP Subsystem Installation Prepare a file (e.g. ocsp-external-certs-step1.cfg) that contains the first deployment configuration. @@ -26,7 +26,7 @@ It will install OCSP subsystem in a Tomcat instance (default is pki-tomcat) and It will also generate the system keys in the server NSS database and the CSRs in the specified paths. -== Generating OCSP Certificates == +== Generating OCSP Certificates Submit the CSRs to an external CA to issue the certificates, then store the certificates in files, for example: 
@@ -40,7 +40,7 @@ The certificates can be specified as single certificates or PKCS #7 certificate Store the external CA certificate chain in a file (e.g. ca_signing.crt). The certificate chain can be specified as a single certificate or PKCS #7 certificate chain in PEM format. The certificate chain should include all CA certificates from the root CA to the external CA that issued the OCSP system and admin certificates. -== Finishing OCSP Subsystem Installation == +== Finishing OCSP Subsystem Installation Prepare another file (e.g. ocsp-external-certs-step2.cfg) that contains the second deployment configuration. The file can be created from the first file (i.e. ocsp-external-certs-step1.cfg) with the following changes: @@ -74,7 +74,7 @@ Finally, execute the following command: $ pkispawn -f ocsp-external-certs-step2.cfg -s OCSP ``` -== Verifying System Certificates == +== Verifying System Certificates Verify that the server NSS database contains the following certificates: @@ -91,7 +91,7 @@ ocsp_audit_signing u,u,Pu sslserver u,u,u ``` -== Verifying Admin Certificate == +== Verifying Admin Certificate Prepare a client NSS database (e.g. ~/.dogtag/nssdb): diff --git a/docs/installation/ocsp/Installing_OCSP_with_HSM.adoc b/docs/installation/ocsp/Installing_OCSP_with_HSM.adoc index c2a36d3566f..daebf5f385b 100644 --- a/docs/installation/ocsp/Installing_OCSP_with_HSM.adoc +++ b/docs/installation/ocsp/Installing_OCSP_with_HSM.adoc @@ -1,4 +1,4 @@ -= Installing OCSP with HSM = += Installing OCSP with HSM == Overview This page describes the process to install an OCSP subsystem @@ -6,7 +6,7 @@ where the system certificates and their keys will be stored in HSM. Prior to installation, please ensure that the link:../others/Installation_Prerequisites.adoc[Installation Prerequisites] are configured. -== OCSP Subsystem Installation == +== OCSP Subsystem Installation Prepare a file (e.g. ocsp.cfg) that contains the deployment configuration, for example: 
@@ -63,7 +63,7 @@ It will install OCSP subsystem in a Tomcat instance (default is pki-tomcat) and * server NSS database: /var/lib/pki/pki-tomcat/conf/alias * admin NSS database: ~/.dogtag/pki-tomcat/ocsp/alias -== Verifying System Certificates == +== Verifying System Certificates Verify that the internal token contains the following certificates: @@ -91,7 +91,7 @@ HSM:ocsp_audit_signing u,u,Pu HSM:sslserver/pki.example.com u,u,u ``` -== Verifying Admin Certificate == +== Verifying Admin Certificate Prepare a client NSS database (e.g. ~/.dogtag/nssdb): @@ -127,7 +127,7 @@ User "ocspadmin" State: 1 ``` -== Verifying OCSP Client == +== Verifying OCSP Client Publish the CRL in CA to the directory server as follows: diff --git a/docs/installation/ocsp/Installing_OCSP_with_Secure_Database_Connection.adoc b/docs/installation/ocsp/Installing_OCSP_with_Secure_Database_Connection.adoc index b0f2ca7798d..15ee7a890ee 100644 --- a/docs/installation/ocsp/Installing_OCSP_with_Secure_Database_Connection.adoc +++ b/docs/installation/ocsp/Installing_OCSP_with_Secure_Database_Connection.adoc @@ -1,6 +1,6 @@ -= Installing OCSP with Secure Database Connection = += Installing OCSP with Secure Database Connection -== Overview == +== Overview This page describes the process to install an OCSP subsystem with a secure database connection. @@ -10,7 +10,7 @@ Additional steps: Ensure that the secure connection has been enabled on the directory server, and export the signing certificate for the directory server into ds_signing.crt. This step is described link:https://github.com/dogtagpki/389-ds-base/wiki/Configuring-SSL-Connection[here]. -== OCSP Subsystem Installation == +== OCSP Subsystem Installation Prepare a file (e.g. ocsp.cfg) that contains the deployment configuration, for example: 
@@ -64,7 +64,7 @@ It will install OCSP subsystem in a Tomcat instance (default is pki-tomcat) and * server NSS database: /var/lib/pki/pki-tomcat/conf/alias * admin NSS database: ~/.dogtag/pki-tomcat/ocsp/alias -== Verifying System Certificates == +== Verifying System Certificates Verify that the server NSS database contains the following certificates: @@ -82,7 +82,7 @@ ocsp_audit_signing u,u,Pu sslserver u,u,u ``` -== Verifying Database Configuration == +== Verifying Database Configuration Verify that the OCSP database is configured with a secure connection: @@ -101,7 +101,7 @@ $ pki-server ocsp-db-config-show Minimum connections: 3 ``` -== Verifying Admin Certificate == +== Verifying Admin Certificate Prepare a client NSS database (e.g. ~/.dogtag/nssdb): @@ -137,7 +137,7 @@ User "ocspadmin" State: 1 ``` -== Verifying OCSP Client == +== Verifying OCSP Client Publish the CRL in CA to the directory server as follows: diff --git a/docs/installation/ocsp/Installing_Standalone_OCSP.adoc b/docs/installation/ocsp/Installing_Standalone_OCSP.adoc index 444c6e1c91d..475c4cbb431 100644 --- a/docs/installation/ocsp/Installing_Standalone_OCSP.adoc +++ b/docs/installation/ocsp/Installing_Standalone_OCSP.adoc @@ -1,6 +1,6 @@ -= Installing Standalone OCSP = += Installing Standalone OCSP -== Overview == +== Overview This page describes the process to install a standalone OCSP subsystem. In link:Installing_OCSP.adoc[regular OCSP installation] the OCSP certificates are issued automatically by the CA and the OCSP will join the CA's security domain. @@ -12,7 +12,7 @@ The installation process consists multiple steps: * Issuing the certificates * Completing installation with the certificates -== Generating Certificate Requests == +== Generating Certificate Requests Prepare a file (e.g. ocsp-standalone-step1.cfg) that contains the first deployment configuration. 
@@ -26,7 +26,7 @@ $ pkispawn -f ocsp-standalone-step1.cfg -s OCSP It will create an NSS database in /var/lib/pki/pki-tomcat/alias and generate CSRs in the specified paths. -== Issuing Certificates == +== Issuing Certificates Use the CSRs to obtain OCSP certificates: @@ -36,7 +36,7 @@ Use the CSRs to obtain OCSP certificates: * link:https://github.com/dogtagpki/pki/wiki/Generating-Audit-Signing-Certificate[Generating Audit Signing Certificate] * link:https://github.com/dogtagpki/pki/wiki/Generating-Admin-Certificate[Generating Admin Certificate] -== Completing Installation == +== Completing Installation Prepare another file (e.g. ocsp-standalone-step2.cfg) that contains the second deployment configuration. The file can be created from the first file (i.e. ocsp-standalone-step1.cfg) with the following changes: @@ -74,7 +74,7 @@ Finally, execute the following command: $ pkispawn -f ocsp-standalone-step2.cfg -s OCSP ---- -== Verifying Admin Certificate == +== Verifying Admin Certificate Import the CA signing certificate: diff --git a/docs/installation/others/Creating_DS_instance.adoc b/docs/installation/others/Creating_DS_instance.adoc index f258cfe1a60..942b9a73a65 100644 --- a/docs/installation/others/Creating_DS_instance.adoc +++ b/docs/installation/others/Creating_DS_instance.adoc @@ -1,6 +1,6 @@ // This page is copied and modifed from https://github.com/dogtagpki/pki/wiki/Installing-DS-Server // -= Directory Server Instance Creation = += Directory Server Instance Creation *Note: Prior to installing DS instances, make sure the procedure for link:Installing_DS_Packages.adoc[installing DS packages] has been performed on the host system.* 
@@ -10,9 +10,9 @@ Normally the DS installation will automatically generate a self-signed signing c In this procedure the certificate generation and the SSL connection will be disabled by default, but it can be enabled after installation if necessary. -== Creating a DS Instance == +== Creating a DS Instance -=== Generate a DS configuration file (e.g. `ds.inf`): === +=== Generate a DS configuration file (e.g. `ds.inf`): ---- $ dscreate create-template ds.inf @@ -39,7 +39,7 @@ where For more information see the parameter descriptions in the DS configuration file itself (i.e. `ds.inf`) and in link:https://directory.fedoraproject.org/docs/389ds/design/dsadm-dsconf.html[DS documentation]. -=== Creating an instance === +=== Creating an instance Finally, create the instance: @@ -47,7 +47,7 @@ Finally, create the instance: $ dscreate from-file ds.inf ---- -== Creating PKI Subtree == +== Creating PKI Subtree Initially the DS instance is empty. Use an LDAP client to add a root entry and PKI base entry, for example: @@ -61,17 +61,17 @@ EOF The subtree for each PKI subsystem will be created when the subsystem is installed. See link:../others/PKI-LDAP-Tree.adoc[PKI LDAP Tree]. -== Enabling SSL Connection == +== Enabling SSL Connection If required, PKI can use SSL connection to DS. To enable SSL connection in DS, see link:../others/Enabling-SSL-Connection-in-DS.adoc[Enabling SSL Connection in DS]. -== Configuring Replication == +== Configuring Replication See link:https://github.com/dogtagpki/389-ds-base/wiki/Configuring-DS-Replication[Configuring DS Replication]. -== Removing DS Instance == +== Removing DS Instance To remove DS instance: @@ -79,7 +79,7 @@ To remove DS instance: $ dsctl localhost remove --do-it ---- -== Log Files == +== Log Files DS log files are available in `/var/log/dirsrv/slapd-localhost`: 
@@ -87,7 +87,7 @@ DS log files are available in `/var/log/dirsrv/slapd-localhost`: * audit * errors -== See Also == +== See Also * link:https://www.dogtagpki.org/wiki/DS[DS] * link:https://www.dogtagpki.org/wiki/DS_SSL[DS SSL] diff --git a/docs/installation/others/Enabling-SSL-Connection-in-DS.adoc b/docs/installation/others/Enabling-SSL-Connection-in-DS.adoc index 961b1e4bce0..d9df65b8c08 100644 --- a/docs/installation/others/Enabling-SSL-Connection-in-DS.adoc +++ b/docs/installation/others/Enabling-SSL-Connection-in-DS.adoc @@ -1,7 +1,7 @@ // This content was copied and adjusted from https://github.com/dogtagpki/pki/wiki/Enabling-SSL-Connection-in-DS -= Enabling SSL Connection in DS = += Enabling SSL Connection in DS -== Overview == +== Overview This page describes the process to enable SSL connection in DS using a self-signed signing certificate and server certificate @@ -13,7 +13,7 @@ it does not have certificates, and the SSL connection is disabled. *Note:* In newer DS versions the certificates are created and the SSL connection is enabled by default, so it's not necessary to follow this procedure. -== Creating DS Signing Certificate == +== Creating DS Signing Certificate First, generate DS signing CSR with the following command: @@ -72,7 +72,7 @@ $ certutil -L -d /etc/dirsrv/slapd-localhost -n Self-Signed-CA User ---- -== Creating DS Server Certificate == +== Creating DS Server Certificate First, generate DS server CSR with the following command: @@ -124,7 +124,7 @@ $ certutil -L -d /etc/dirsrv/slapd-localhost -n Server-Cert User ---- -== Enabling SSL Connection == +== Enabling SSL Connection To enable SSL connection in the DS instance: 
@@ -150,7 +150,7 @@ $ LDAPTLS_REQCERT=never ldapsearch \
 -s base
 ----
-== See Also ==
+== See Also
 * link:https://www.port389.org/docs/389ds/howto/howto-ssl.html[Configuring TLS/SSL Enabled 389 Directory Server]
 * link:https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/enabling_tls#doc-wrapper[RHDS 11: Enabling TLS]
diff --git a/docs/installation/others/Exporting-DS-Certificates.adoc b/docs/installation/others/Exporting-DS-Certificates.adoc
index 81147527650..9b1cb94ec62 100644
--- a/docs/installation/others/Exporting-DS-Certificates.adoc
+++ b/docs/installation/others/Exporting-DS-Certificates.adoc
@@ -1,7 +1,7 @@
 // initial content copied from https://github.com/dogtagpki/pki/wiki/Exporting-DS-Certificates
-= Exporting DS Certificates =
+= Exporting DS Certificates
-== Overview ==
+== Overview
 This page describes the process to export the signing certificate and the server certificate from the NSS database of a DS instance.
@@ -10,7 +10,7 @@ but they can also be created after installation.
 This page assumes that a DS instance named `localhost` is already created and has the certificates.
-== Exporting DS Signing Certificate ==
+== Exporting DS Signing Certificate
 To export DS signing certificate:
@@ -18,7 +18,7 @@ To export DS signing certificate:
 $ certutil -L -d /etc/dirsrv/slapd-localhost -n Self-Signed-CA -a > ds_signing.crt
 ----
-== Exporting DS Server Certificate ==
+== Exporting DS Server Certificate
 To export DS server certificate:
diff --git a/docs/installation/others/FQDN_Configuration.adoc b/docs/installation/others/FQDN_Configuration.adoc
index 60dd51dd5a7..d1107f008ec 100644
--- a/docs/installation/others/FQDN_Configuration.adoc
+++ b/docs/installation/others/FQDN_Configuration.adoc
@@ -1,15 +1,15 @@
 // this content was copied and modified from https://github.com/dogtagpki/pki/wiki
 //
-= FQDN Configuration =
+= FQDN Configuration
-== Overview ==
+== Overview
 In order to have a properly functioning PKI system, each machine in the system must have a correct fully qualified domain name. This page describes the process to configure the fully qualified domain name on each machine.
-== Verifying FQDN ==
+== Verifying FQDN
 To verify the current FQDN, execute the following command:
@@ -18,7 +18,7 @@ To verify the current FQDN, execute the following command:
 pki.example.com
 ----
-== Configuring FQDN ==
+== Configuring FQDN
 If the host name is not what you expect it to be, run hostnamectl to set the hostname. For example, set the hostname of your pki machine as follows:
diff --git a/docs/installation/others/Installing_DS_Packages.adoc b/docs/installation/others/Installing_DS_Packages.adoc
index 35975acf1d6..e90d2c4a0c1 100644
--- a/docs/installation/others/Installing_DS_Packages.adoc
+++ b/docs/installation/others/Installing_DS_Packages.adoc
@@ -1,5 +1,5 @@
 // This was copied partially from https://github.com/dogtagpki/pki/wiki/Installing-DS-Server
-= Installing DS Packages =
+= Installing DS Packages
 Prior to installing DS instances, one needs to install the DS packages. To install DS packages:
diff --git a/docs/installation/others/PKI-LDAP-Tree.adoc b/docs/installation/others/PKI-LDAP-Tree.adoc
index ef2733cf0d3..8b2588da3a8 100644
--- a/docs/installation/others/PKI-LDAP-Tree.adoc
+++ b/docs/installation/others/PKI-LDAP-Tree.adoc
@@ -1,8 +1,8 @@
 // This page is copied from https://github.com/dogtagpki/pki/wiki/PKI-LDAP-Tree
 //
-= PKI LDAP Tree =
+= PKI LDAP Tree
-== Overview ==
+== Overview
 When all PKI subsystems are created, the LDAP tree will look like the following: