November 29, 2017

Installing and Testing Dogtag Certificate System 10 on CentOS 7


Dogtag Certificate System is a certificate authority (CA) and is the upstream project for Red Hat Certificate System.


CentOS 7
# cat /etc/redhat-release 
CentOS Linux release 7.2.1511 (Core) 
Check that the FQDN is set; otherwise set it with:
# hostnamectl set-hostname
Set firewall rules, or otherwise disable the firewall.
# systemctl stop firewalld; systemctl disable firewalld
If running in a lab environment without DNS, add the name to the hosts file instead.
# ip addr show
    inet brd scope global dynamic eth0

# echo "" >> /etc/hosts
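Both 389 DS and Dogtag bake the host name into certificates and the security domain, so it pays to check the name before installing anything. The script below is an added example, not part of the original post: it validates that a name is a fully qualified domain name and that a hosts file maps the expected address to it. The host name, address and hosts-file content are constructed for illustration; on a real box you would pass `$(hostname -f)`, the address shown by `ip addr show`, and `/etc/hosts`.

```shell
#!/bin/sh
# Added example: pre-flight checks for the host name before installing
# 389 DS and Dogtag. Names and addresses below are constructed.

# is_fqdn NAME: succeed if NAME has at least two DNS labels, each 1-63
# characters from [A-Za-z0-9-] that do not start or end with '-'.
is_fqdn() {
    name=$1
    case $name in
        *.*) ;;                 # at least one dot, otherwise a short name
        *) return 1 ;;
    esac
    [ ${#name} -le 253 ] || return 1   # longest presentation-format name
    printf '%s' "$name" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# hosts_maps HOSTSFILE NAME IP: succeed if a non-comment line of the
# hosts file maps IP to NAME (as canonical name or as an alias).
hosts_maps() {
    file=$1 name=$2 ip=$3
    sed 's/#.*//' "$file" | awk -v ip="$ip" -v name="$name" '
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { exit found ? 0 : 1 }'
}

# preflight NAME IP [HOSTSFILE]: run both checks and report the result.
preflight() {
    name=$1 ip=$2 file=${3:-/etc/hosts}
    is_fqdn "$name" || { echo "'$name' is not a fully qualified domain name" >&2; return 1; }
    hosts_maps "$file" "$name" "$ip" || { echo "no entry '$ip $name' in $file" >&2; return 1; }
    echo "ok: $name maps to $ip via $file"
}

# Constructed hosts file standing in for /etc/hosts on a lab box
# without DNS (192.0.2.0/24 is documentation address space).
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1   localhost localhost.localdomain
# constructed lab entry
192.0.2.10  dogtag.example.test dogtag
EOF

preflight dogtag.example.test 192.0.2.10 "$SAMPLE_HOSTS"
preflight dogtag 192.0.2.10 "$SAMPLE_HOSTS" || true   # short name is rejected
```

Run `preflight "$(hostname -f)" <address>` against the real `/etc/hosts` after `hostnectl set-hostname`; a failure here means the CA certificate subject and the security domain name would be built from a short or unresolvable name.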

389 Directory Server - Installation of just Base DS

Dogtag Certificate System requires the LDAP server 389 Directory Server (DS). On CentOS there is a light version (389-ds-base) and the full-blown solution (389-ds). Here we stick to the light version.
  • 389-ds-base - 389 Directory Server is an LDAPv3 compliant server. The base package includes the LDAP server and command line utilities for server administration.
  • 389-ds - The 389 Directory Server, Administration Server, and Console Suite provide the LDAPv3 server, the httpd daemon used to administer the server, and the console GUI application used for server and user/group administration.
# yum install 389-ds-base -y
The installation rpm creates a default user for 389 DS.
# grep dirsrv /etc/passwd; grep dirsrv /etc/group
dirsrv:x:389:389:user for 389-ds-base:/usr/share/dirsrv:/sbin/nologin
Now configure 389 DS.
# --silent \
    slapd.RootDN="cn=Directory Manager" \
Your new DS instance 'pki-tomcat' was successfully created.
Exiting . . .
Log file is '/tmp/setupKwxW67.log'
The properties used in the silent configuration, with their meaning and default:
  • FullMachineName - Specifies the fully qualified domain name of the machine on which you are installing the server. The default is the local host name.
  • SuiteSpotUserID - Specifies the user name as which the Directory Server instance runs. This parameter does not apply to the user as which the Administration Server runs. This should be changed for most deployments. The default is user nobody on Linux and Solaris and daemon on HP-UX.
  • SuiteSpotGroup - Specifies the group as which the servers will run. This should be changed for most deployments. The default is group nobody on Linux and Solaris and daemon on HP-UX.
  • ServerPort - Specifies the port the server will use for LDAP connections. For information on selecting server port numbers.
  • ServerIdentifier - Specifies the server identifier. This value is used as part of the name of the directory in which the Directory Server instance is installed. For example, if the machine's hostname is phonebook, then this name is the default, and selecting it installs the Directory Server instance in a directory labeled slapd-phonebook.
  • Suffix - Specifies the suffix under which to store the directory data.
  • RootDN - Specifies the distinguished name used by the Directory Manager.
  • RootDNPwd - Specifies the Directory Manager's password.
And check the configuration log file.
# cat /tmp/setupKwxW67.log
[17/11/27:14:20:40] - [Setup] Info Your new DS instance 'pki-tomcat' was successfully created.
[17/11/27:14:20:40] - [Setup] Success Exiting . . .
Log file is '/tmp/setupKwxW67.log'
The 389 DS instance is managed with systemctl (start, stop, status); for example, to check its status:
# systemctl status dirsrv@pki-tomcat
And to verify the installation.
# ldapsearch -x -h -p 389 -s base -b "" "objectclass=*" 
# extended LDIF
# LDAPv3
# base <> with scope baseObject
# filter: objectclass=*
# requesting: ALL

objectClass: top
defaultnamingcontext: dc=magnuskkarlsson,dc=se
dataversion: 020171127105053
netscapemdsuffix: cn=ldap://dc=dogtag,dc=magnuskkarlsson,dc=se:389

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Dogtag Certificate System

Now that 389 DS is up and running, continue with the installation of Dogtag.
# yum install pki-ca -y
Then configure it.
# pkispawn 


    Interactive installation currently only exists for very basic deployments!

    For example, deployments intent upon using advanced features such as:

        * Cloning,
        * Elliptic Curve Cryptography (ECC),
        * External CA,
        * Hardware Security Module (HSM),
        * Subordinate CA,
        * etc.,

    must provide the necessary override parameters in a separate
    configuration file.

    Run 'man pkispawn' for details.

Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]: 

  Instance [pki-tomcat]: 
  HTTP port [8080]: 
  Secure HTTP port [8443]: 
  AJP port [8009]: 
  Management port [8005]: 

  Username [caadmin]: 
  Verify password: 
  Import certificate (Yes/No) [N]? 
  Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]: 

Directory Server:
  Hostname []: 
  Use a secure LDAPS connection (Yes/No/Quit) [N]? 
  LDAP Port [389]: 
  Bind DN [cn=Directory Manager]: 
  Base DN [o=pki-tomcat-CA]: 

Security Domain:
  Name [ Security Domain]: 

Begin installation (Yes/No/Quit)? Yes

Log file: /var/log/pki/pki-ca-spawn.20171127145419.log
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Notice: Trust flag u is set automatically if the private key is present.
Created symlink from /etc/systemd/system/ to /usr/lib/systemd/system/

                                INSTALLATION SUMMARY

      Administrator's username:             caadmin
      Administrator's PKCS #12 file:

      To check the status of the subsystem:
            systemctl status pki-tomcatd@pki-tomcat.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@pki-tomcat.service

      The URL for the subsystem is:

      PKI instances will be enabled upon system boot

Check the configuration that the interactive installation used.
# cat /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg
pki_instance_name = pki-tomcat

pki_http_port = 8080
pki_https_port = 8443
pki_ajp_port = 8009
pki_tomcat_server_port = 8005
pki_admin_uid = caadmin
pki_admin_password = XXXXXXXX
pki_backup_password = XXXXXXXX
pki_client_database_password = XXXXXXXX
pki_client_pkcs12_password = XXXXXXXX
pki_import_admin_cert = False
pki_client_admin_cert = /root/.dogtag/pki-tomcat/ca_admin.cert
pki_ds_hostname =
pki_ds_ldap_port = 389
pki_ds_bind_dn = cn=Directory Manager
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=pki-tomcat-CA
pki_security_domain_name = Security Domain
pki_client_pin = XXXXXXXX
pki_clone_pkcs12_password = XXXXXXXX
pki_external_pkcs12_password = XXXXXXXX
pki_pkcs12_password = XXXXXXXX
pki_one_time_pin = XXXXXXXX
pki_pin = XXXXXXXX
pki_replication_password = XXXXXXXX
pki_security_domain_password = XXXXXXXX
pki_server_pkcs12_password = XXXXXXXX
pki_token_password = XXXXXXXX
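The deployment configuration written by pkispawn carries every password used during the spawn (masked as XXXXXXXX in the listing above), including the Directory Manager bind password and the CA administrator password. As an added example, not from the original post or the Dogtag project, the script below parses a constructed copy of such a file, lists the secret-bearing keys, flags masked or empty values, and checks that the file is not readable by group or others. The sample content, DS host name and security-domain name are constructed.

```shell
#!/bin/sh
# Added example: audit a pkispawn deployment.cfg. The file holds the
# install-time passwords in key = value form, so check who can read it
# and that no masked value survived.

# cfg_get FILE KEY: print the value of "KEY = value" (first match),
# tolerating the spacing pkispawn writes; values may contain '='.
cfg_get() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# cfg_secret_keys FILE: keys whose name marks them as a secret
# (any pki_*password* or pki_*pin* key), in file order.
cfg_secret_keys() {
    sed -n -E 's/^[[:space:]]*(pki_[A-Za-z0-9_]*(password|pin)[A-Za-z0-9_]*)[[:space:]]*=.*/\1/p' "$1"
}

# cfg_placeholders FILE: secret keys whose value is empty or only X's
# (the masking shown in the post); a real file should print none.
cfg_placeholders() {
    for key in $(cfg_secret_keys "$1"); do
        val=$(cfg_get "$1" "$key")
        if [ -z "$val" ] || [ -z "$(printf '%s' "$val" | tr -d 'X')" ]; then
            printf '%s\n' "$key"
        fi
    done
}

# cfg_mode_ok FILE: succeed if group and others have no permission bits
# at all (0600, 0400, 0700 ...). Uses GNU stat.
cfg_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    case $mode in
        *00) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_deployment_cfg FILE: run all checks; succeed only if the file is
# private and every secret has a real value.
audit_deployment_cfg() {
    file=$1 rc=0
    if cfg_mode_ok "$file"; then
        echo "mode ok: $(stat -c '%a %U' "$file") $file"
    else
        echo "WARNING: $file is readable by group/others (mode $(stat -c '%a' "$file"))" >&2
        rc=1
    fi
    ph=$(cfg_placeholders "$file")
    if [ -n "$ph" ]; then
        echo "WARNING: masked or empty secrets: $(printf '%s ' $ph)" >&2
        rc=1
    fi
    echo "secrets stored in file: $(cfg_secret_keys "$file" | wc -l)"
    echo "instance $(cfg_get "$file" pki_instance_name) binds to LDAP as" \
         "$(cfg_get "$file" pki_ds_bind_dn) under $(cfg_get "$file" pki_ds_base_dn)"
    return $rc
}

# Constructed sample mirroring the post's deployment.cfg (masked values
# kept on purpose so the audit has something to warn about).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
pki_instance_name = pki-tomcat
pki_http_port = 8080
pki_https_port = 8443
pki_admin_uid = caadmin
pki_admin_password = XXXXXXXX
pki_ds_hostname = ds.example.test
pki_ds_ldap_port = 389
pki_ds_bind_dn = cn=Directory Manager
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=pki-tomcat-CA
pki_security_domain_name = Example Security Domain
pki_client_pin = XXXXXXXX
pki_pin =
pki_token_password = XXXXXXXX
EOF
chmod 644 "$SAMPLE_CFG"                  # deliberately too open
audit_deployment_cfg "$SAMPLE_CFG" || true
```

Run `audit_deployment_cfg /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg` on the CA host; a warning about the mode means anyone with a shell on the box can read the Directory Manager password, and the fix is simply `chmod 600` on the file.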

Overview of the installed Dogtag instance.

# pkidaemon status pki-tomcat
Status for pki-tomcat: pki-tomcat is running ..

    [CA Status Definitions]
    Unsecure URL        =
    Secure Agent URL    =
    Secure EE URL       =
    Secure Admin URL    =
    PKI Console Command = pkiconsole
    Tomcat Port         = 8005 (for shutdown)

    [CA Configuration Definitions]
    PKI Instance Name:   pki-tomcat

    PKI Subsystem Type:  Root CA (Security Domain)

    Registered PKI Security Domain Information:
    Name: Security Domain

Test Dogtag Certificate System

Now let's test it! First copy the admin PKCS #12 file (/root/.dogtag/pki-tomcat/ca_admin_cert.p12) to your remote test machine and import it into your web browser.
Then we will test the CA by having it sign a new certificate signing request, but first we need to create a new private key.
$ openssl genrsa -out mynewkey.key.pem 2048
Then create the certificate signing request.
$ openssl req -new -key mynewkey.key.pem -out mynewkey.cert.pem
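The two openssl steps above can be run non-interactively, and it is worth verifying the request before it is pasted into the enrollment form: that its self-signature is valid and that its public key really belongs to the private key on disk, since a mismatch only shows up later when the issued certificate will not load with the key. This is an added example, not part of the original post; the file names, working directory and subject are constructed (the post writes the request to mynewkey.cert.pem), and `-subj` and `-sha256` are standard OpenSSL options.

```shell
#!/bin/sh
# Added example: generate the key and CSR without prompts, then check
# the CSR before submitting it to the CA. Names and subject constructed.

# make_csr KEYFILE CSRFILE SUBJECT: 2048-bit RSA key created with
# owner-only permissions, then a SHA-256 signed request for SUBJECT
# in OpenSSL's "/O=.../CN=..." form.
make_csr() {
    key=$1 csr=$2 subj=$3
    (umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null) || return 1
    openssl req -new -sha256 -key "$key" -subj "$subj" -out "$csr" 2>/dev/null
}

# csr_ok KEYFILE CSRFILE: succeed only if the request's self-signature
# verifies and its public key equals the one derived from KEYFILE.
csr_ok() {
    key=$1 csr=$2
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    pub=$(openssl req -in "$csr" -noout -pubkey) || return 1
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$key" -pubout)" ]
}

# csr_subject CSRFILE: the subject as OpenSSL prints it (spacing differs
# between OpenSSL releases, so match loosely when scripting).
csr_subject() { openssl req -in "$1" -noout -subject; }

WORK=$(mktemp -d)
KEY=$WORK/mynewkey.key.pem
CSR=$WORK/mynewkey.csr.pem                   # the request, not a certificate
SUBJ="/O=Example Lab/CN=www.example.test"    # constructed subject

if command -v openssl >/dev/null 2>&1; then
    make_csr "$KEY" "$CSR" "$SUBJ"
    if csr_ok "$KEY" "$CSR"; then
        echo "CSR verified ($(csr_subject "$CSR")); paste the block below into the enrollment form:"
        cat "$CSR"
    else
        echo "CSR failed to verify or does not match $KEY" >&2
    fi
fi
```

The key is written under `umask 077` so it is never world-readable, even for a moment; the CSR itself contains only public data and is what gets pasted into Manual Server Certificate Enrollment.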
Now we are ready to have the request signed. Open
On the Enrollment/Renewal tab select Manual Server Certificate Enrollment and paste your certificate signing request on that page.
After submitting, the request has to be approved. Change the URL to and click on Agent Services.
