tech_documents:pki:sub_ca_dogtag_rocky9

This will set up a subordinate CA using Dogtag 11 on Rocky Linux 9. It will be a subordinate CA to our root CA (another Dogtag install). This CA will be kept online and used to issue certificates to devices and users.

It is assumed that a full DNS system is in place already and that A records are setup for the FQDN of the subordinate CA.

This subordinate will default to being valid for 20 years unless you change it in the steps below.

https://www.dogtagpki.org/wiki/PKI_10.5_Installing_CA_with_External_CA_Signing_Certificate

Overview

This page describes the process to install a subordinate CA with an external CA signing certificate.

The process consists of two steps:

Step 1: Generate a CSR to be signed by an external CA.
Step 2: Import the CA signing certificate issued by the external CA.

  1. Install Rocky Linux 9 minimal on a virtual guest (20GB drive; 1GB RAM for the install, then reduce to 512MB; 1 CPU; add an RNG device), set the hostname (such as sub-ca.mydomain.com) and a static IP, and enable NTP. You'll need to create the partition layout manually as Auto will complain about the size; once in manual mode you can choose to create it automatically.
  2. Reboot, then perform a dnf update and install vim.
dnf update && dnf install vim

Create sudo User + Disable root SSH Access

Create user with password

useradd sudo_username && passwd sudo_username

Add user to wheel group for sudo privileges

usermod -aG wheel sudo_username

Log out of root and into newly created account.

Disable root login over SSH

sudo vim /etc/ssh/sshd_config

Add line

PermitRootLogin no

Restart sshd

sudo systemctl restart sshd

Install Fail2ban

This will help prevent the baddies from brute forcing your SSH password…

Install epel repo, install fail2ban and enable it

sudo dnf install epel-release
sudo dnf install fail2ban
sudo systemctl enable fail2ban

Create a jail for sshd

sudo vim /etc/fail2ban/jail.d/sshd.local

Add as follows:

[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[selinux-ssh]
enabled  = true
port     = ssh
logpath  = %(auditd_log)s

Restart fail2ban

sudo systemctl restart fail2ban

https://github.com/rharmonson/richtech/wiki/OSVDC-Series:-Root-Certificate-Authority-(PKI)-with-Dogtag-10.3-on-CentOS-7.3.1611

Add firewall exceptions for Dogtag web portal

sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
sudo firewall-cmd --zone=public --add-port=8443/tcp --permanent
sudo firewall-cmd --reload

Add a host entry to /etc/hosts with this host's IP and FQDN followed by the short hostname (the example below assumes the sub-ca has an IP of 192.168.10.31 and an FQDN of sub-ca.mydomain.net)

sudo vim /etc/hosts

Add a line for the host as shown below:

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.31  sub-ca.mydomain.net sub-ca

The solution components are:

  • Dogtag PKI Certificate Authority; pki-ca and dependencies
  • Dogtag theme; server theme (optional)
  • 389, 389-ds-base; Directory Service

389 is a dependency for Dogtag CA.

  • Install 389 and Dogtag PKI-CA. The package dogtag-server-theme is optional; however, if you want to explore the web UI, you need the theme package installed prior to configuration of the Dogtag CA instance.
sudo dnf install 389-ds-base pki-ca

The theme package is not available in the CentOS nor EPEL repositories. WTF? Install directly using yum and the URL from the Fedora Project.

sudo dnf install https://rpmfind.net/linux/fedora/linux/releases/32/Everything/x86_64/os/Packages/d/dogtag-pki-server-theme-10.8.3-1.fc32.noarch.rpm

You might need to go and find a current version of the pki-server theme if updates are made. The 10.7.3 package for Fedora core 31 didn't work but the same revision for core 29 did, so perhaps stick to that OS release for versions; later this didn't work and I had to use core 32, so it seems it keeps you on your toes…

  • Setup 389 Directory Service

Begin setup by running dscreate in interactive mode to set up 389. See "Results" for details and note the account names and passwords.

sudo dscreate interactive

Results

[sudo] password for sudo_user: 
Install Directory Server (interactive mode)
===========================================

Enter system's hostname [sub-ca.mydomain.net]:

Use strict hostname verification (set to "no" if using GSSAPI behind a load balancer) [yes]:

Enter the instance name [sub-ca]: 

Enter port number [389]: 

Create self-signed certificate database [yes]: 

Enter secure port number [636]: 

Enter Directory Manager DN [cn=Directory Manager]: 

Enter the Directory Manager password: (create a password here and record it as the "389 Directory Manager password")

Confirm the Directory Manager Password: 

Enter the database suffix (or enter "none" to skip) [dc=sub-ca,dc=mydomain,dc=net]: 

Create sample entries in the suffix [no]: 

Create just the top suffix entry [no]: 

Do you want to start the instance after the installation? [yes]: 

Are you ready to install? [no]: yes

Note the password you set for the Directory Manager.

  • Enable & Start 389
sudo systemctl enable dirsrv.target
sudo systemctl start dirsrv.target
sudo systemctl status dirsrv.target

Dogtag uses pkispawn for component setup where -s specifies the component to configure.

https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/command-line_tools_guide/pkispawn-pkidestroy

Familiarize yourself with the Certificate Profiles if you want to customize the defaults: https://www.dogtagpki.org/wiki/Certificate_Profiles

If you want to understand more about the variables in /etc/pki/default.cfg see here: https://www.systutorials.com/docs/linux/man/5-pki_default.cfg/

For this part of the install we're interested in the System Certificate Profiles found at /usr/share/pki/ca/conf.

Since I'm the sole admin for a lot of stuff I don't want to worry about certificate validity periods, so I'm going to lengthen the validity period of some key certificates. This isn't best practice, and if you have the support, shorter is better…

Files to edit at /usr/share/pki/ca/conf along with their initial values and corresponding changes I'm making:

  • rsaServerCert.profile; this is the certificate used by the Dogtag Web UI. Change 2.default.params.range from 720 to 3650
  • caAuditSigningCert.profile; dunno what this does… Change 2.default.params.range from 720 to 3650
  • rsaAdminCert.profile; this is the certificate that you need to install in your browser to access Web UI. Change 2.default.params.range from 720 to 3650
  • caOCSPCert.profile; We run OCSP on http so I don't know what this does for us. Change 2.default.params.range from 720 to 3650
  • rsaSubsystemCert.profile; dunno… Change 2.default.params.range from 720 to 3650
  • caCert.profile; CA signing cert, default validity is 20 years, leave as is.
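The range edits in the list above can be done by hand in vim, but a script that rewrites the key and lets you verify the result is less error-prone. The following is an added example, not code from the original page or from the Dogtag project. It assumes each profile carries a "2.default.params.range=<days>" line and may also carry "2.constraint.params.range=<days>"; both are rewritten together so the constraint never rejects the new default. caCert.profile is deliberately left out, as the page says.

```shell
#!/bin/sh
# Added example (not from the original page or Dogtag): set the validity range
# in Dogtag system-certificate profiles under /usr/share/pki/ca/conf.
# Assumption: profiles use "2.default.params.range=" and optionally
# "2.constraint.params.range="; both are rewritten to the same value.
PROFILE_DIR="${PROFILE_DIR:-/usr/share/pki/ca/conf}"

# get_range FILE: print the current 2.default.params.range value.
get_range() {
    sed -n 's/^2\.default\.params\.range=//p' "$1" | head -n1
}

# set_range FILE DAYS: rewrite the default (and constraint, if present) range.
# Prints "name: old -> new"; fails if the file has no range key at all.
set_range() {
    file="$1"; days="$2"
    old=$(get_range "$file")
    [ -n "$old" ] || { echo "no 2.default.params.range in $file" >&2; return 1; }
    sed -i -E "s/^(2\.(default|constraint)\.params\.range)=.*/\1=$days/" "$file"
    echo "$(basename "$file"): $old -> $days"
}

# The profiles the page changes from 720 to 3650 days; caCert.profile stays at its default.
PROFILES="rsaServerCert.profile caAuditSigningCert.profile rsaAdminCert.profile caOCSPCert.profile rsaSubsystemCert.profile"

main() {
    for p in $PROFILES; do
        f="$PROFILE_DIR/$p"
        [ -f "$f" ] || { echo "skip: $f missing" >&2; continue; }
        [ -f "$f.orig" ] || cp "$f" "$f.orig"   # keep one backup of the stock profile
        set_range "$f" 3650
    done
}

# Run as: sudo sh set_profile_range.sh --run   (before pkispawn step 1)
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it before pkispawn, since the instance copies these profiles at creation time; afterwards `get_range` on each file is a quick way to confirm the change took.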

Edit default.cfg

sudo vim /usr/share/pki/server/etc/default.cfg

Replace all instances of 2048 with 4096. Vim can do this with :%s/2048/4096/g

Replace all instances of 3072 with 4096. Vim can do this with :%s/3072/4096/g

Replace all instances of SHA256withRSA with SHA512withRSA. Vim can do this with :%s/SHA256withRSA/SHA512withRSA/g

Prepare a deployment configuration file for step 1 (e.g. ca-external-step1.cfg):

vim ~/ca-external-step1.cfg
[CA]

pki_ca_signing_key_algorithm=SHA512withRSA
pki_ca_signing_key_size=4096
pki_ca_signing_key_type=rsa
pki_ca_signing_subject_dn=cn=BlueSky Underwear Subordinate CA Signing Cert,ou=Underdevelopment Dept,o=BlueSky Inc

pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret.123
pki_admin_uid=caadmin

#pki_client_database_dir, pki_client_database_password
#Location where an NSS token database is created in order to generate a key for the administrative user.
#Usually, the data in this location is removed at the end of the installation, 
#as the keys and certificates are stored in a PKCS #12 file in pki_client_dir.

#The pki_client_pkcs12_password is the password you'll use to import the admin certificate into your browser to use the web ui: /root/.dogtag/pki-tomcat/ca_admin_cert.p12; make note of this if you're going to use the web ui.
pki_client_database_password=Secret.123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123

#pki_ds_password should match the Directory Manager password that was create during the 389 install, I think...
pki_ds_base_dn=dc=ca,dc=example,dc=com
pki_ds_database=ca
pki_ds_password=Secret.123

#pki_token_name, pki_token_password
#The token and password where this instance's system certificate and keys are stored. Defaults to the NSS internal software token.
pki_security_domain_name=EXAMPLE
# make something up for the token password
pki_token_password=Secret.123

pki_external=True
pki_external_step_two=False

pki_ca_signing_csr_path=ca_signing.csr
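Because pkispawn step 1 is hard to undo (a failure means pkidestroy and a fresh CSR), it is worth checking the deployment file before running it. The following pre-flight check is an added example, not part of the original page or of pkispawn itself: it flags Secret.123 values left over from the template, a value with an inline note glued onto it, and confirms the 4096 / SHA512withRSA settings and pki_external=True that the two-step install needs. The config path and the check itself are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the page's or pkispawn's own code): pre-flight check of a
# ca-external-step1.cfg before "pkispawn -f <cfg> -s CA".

# cfg_get FILE KEY: print the value of KEY (first match, surrounding spaces trimmed).
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n1
}

# preflight FILE: print findings; the return value is the number of problems (0 = clean).
preflight() {
    cfg="$1"; problems=0
    # Every password key must be set and must not be the Secret.123 template value.
    for key in pki_admin_password pki_client_database_password \
               pki_client_pkcs12_password pki_ds_password pki_token_password; do
        val=$(cfg_get "$cfg" "$key")
        case "$val" in
            ""|Secret.123|*"("*)   # empty, template placeholder, or a note pasted into the value
                echo "WARN: $key is unset, still Secret.123, or has text glued to it"
                problems=$((problems + 1)) ;;
        esac
    done
    # Parameters the page hardened; these must match what default.cfg was edited to.
    [ "$(cfg_get "$cfg" pki_ca_signing_key_size)" = "4096" ] \
        || { echo "WARN: pki_ca_signing_key_size is not 4096"; problems=$((problems + 1)); }
    [ "$(cfg_get "$cfg" pki_ca_signing_key_algorithm)" = "SHA512withRSA" ] \
        || { echo "WARN: pki_ca_signing_key_algorithm is not SHA512withRSA"; problems=$((problems + 1)); }
    # Step 1 of the external-CA flow requires pki_external=True.
    [ "$(cfg_get "$cfg" pki_external)" = "True" ] \
        || { echo "WARN: pki_external must be True for the two-step install"; problems=$((problems + 1)); }
    [ "$problems" -eq 0 ] && echo "OK: $cfg looks ready for pkispawn step 1"
    return "$problems"
}

# Usage: sh preflight.sh ~/ca-external-step1.cfg
if [ -n "${1:-}" ]; then
    preflight "$1"
fi
```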

Now create the instance based on your config file:

sudo pkispawn -f ca-external-step1.cfg -s CA

Output:

Log file: /var/log/pki/pki-ca-spawn.20190420095728.log
Loading deployment configuration from ca-external-step1.cfg.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      The CA subsystem of the 'pki-tomcat' instance is still incomplete.

      NSS database: /etc/pki/pki-tomcat/alias

      A CSR for the CA signing certificate has been generated in:
            ca_signing.csr

      Please obtain the necessary certificate(s) for this subsystem,
      and run installation step two.

    ==========================================================================

It will create an NSS database in /etc/pki/pki-tomcat/alias and generate a CA certificate CSR in ca_signing.csr.

Issuing CA Signing Certificate

Submit the CSR to an external CA:

Submit the request to the root-ca Dogtag server under "Manual Certificate Manager Signing Certificate Enrollment". During the approval of the request, change the "Not After:" date to a date that expires before the root-ca signing certificate; if you don't do this then the install will fail when you go on to step two. Double check your key length (should be 4096) and Signing Algorithm (should be SHA512withRSA), and add additional notes at the bottom if needed. Once the certificate is issued, copy the PKCS #7 output and paste it into ca_signing.crt in the same dir as the ca-external-step1.cfg file.

Place the issued CA signing certificate in ca_signing.crt. Export the external CA certificate or certificate chain into external.crt (this is done by going to SSL end user services at the start page, then Retrieval, then Import CA certificate chain, then display in PKCS #7 form). You should download the CRL certificate as well.
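Before moving on to step 2 it pays to inspect what the root CA actually issued, since the page notes step 2 fails when the sub-CA certificate outlives the root. The script below is an added example, not code from the original page or from Dogtag: it unwraps a PKCS #7 export to PEM, picks the non-self-signed certificate out of the bundle (the root UI may include the root alongside the issued cert), checks that the sub-CA's Not After precedes the root's, verifies the chain with openssl, and prints the key size and signature algorithm for comparison with the 4096 / SHA512withRSA request. It assumes ca_signing.crt and external.crt are in the current directory and that openssl and GNU date are on PATH.

```shell
#!/bin/sh
# Added example (not the page's or Dogtag's own code): sanity-check the issued
# sub-CA certificate against the root before running pkispawn step 2.
# Assumptions: ca_signing.crt (issued cert, PEM or PKCS #7) and external.crt
# (root chain, PEM or PKCS #7, root first) in the current directory; openssl
# and GNU date available.

# to_pem IN OUT: unwrap a PKCS #7 bundle into PEM certificates, or copy PEM through.
to_pem() {
    if grep -q 'BEGIN PKCS7' "$1"; then
        openssl pkcs7 -in "$1" -print_certs -out "$2"
    else
        cp "$1" "$2"
    fi
}

# split_pems FILE PREFIX: write every certificate block to PREFIX.N; print the count.
split_pems() {
    awk -v p="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = p "." n }
        out != "" { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END { print n + 0 }' "$1"
}

# pick_issued PREFIX COUNT: print the first non-self-signed cert (subject != issuer),
# which is the sub-CA cert even when the bundle also carries the root.
pick_issued() {
    i=1
    while [ "$i" -le "$2" ]; do
        f="$1.$i"
        subj=$(openssl x509 -in "$f" -noout -subject)
        iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=/subject=/')
        if [ "$subj" != "$iss" ]; then echo "$f"; return 0; fi
        i=$((i + 1))
    done
    return 1
}

# not_after_epoch "notAfter=Apr 18 00:00:00 2039 GMT": seconds since the epoch (GNU date).
not_after_epoch() {
    date -u -d "${1#notAfter=}" +%s
}

# expires_before SUB_LINE ROOT_LINE: true when the sub-CA expires strictly before the root.
expires_before() {
    [ "$(not_after_epoch "$1")" -lt "$(not_after_epoch "$2")" ]
}

# check_issued SUB.pem ROOT.pem: run the checks, print findings, return 0 only if all pass.
check_issued() {
    sub="$1"; root="$2"; rc=0
    sub_end=$(openssl x509 -in "$sub" -noout -enddate)
    root_end=$(openssl x509 -in "$root" -noout -enddate)
    if expires_before "$sub_end" "$root_end"; then
        echo "OK   sub-CA $sub_end precedes root $root_end"
    else
        echo "FAIL sub-CA would outlive the root ($sub_end vs $root_end)"; rc=1
    fi
    if openssl verify -CAfile "$root" "$sub" >/dev/null 2>&1; then
        echo "OK   $sub verifies against $root"
    else
        echo "FAIL $sub does not verify against $root"; rc=1
    fi
    # Key size and signature algorithm as issued; compare with the 4096 / SHA512withRSA request.
    openssl x509 -in "$sub" -noout -text | grep -E 'Public-Key:|Signature Algorithm:' | sort -u
    return "$rc"
}

# Usage: sh check_issued.sh --run   (in the directory holding ca_signing.crt and external.crt)
if [ "${1:-}" = "--run" ]; then
    to_pem ca_signing.crt issued.pem
    to_pem external.crt root.pem
    n=$(split_pems issued.pem issued)
    sub=$(pick_issued issued "$n") || { echo "no sub-CA certificate found in ca_signing.crt"; exit 1; }
    check_issued "$sub" root.pem
fi
```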

Prepare a deployment configuration for step 2 (e.g. ca-external-step2.cfg) by copying it from step 1 (i.e. ca-external-step1.cfg) and make the following changes.

Specify step 2 with the following parameter:

pki_external_step_two=True

Specify the externally-signed CA certificate file with the following parameter (it's a new line to add, don't rename an existing one):

pki_ca_signing_cert_path=ca_signing.crt

Finally, execute the following command:

sudo pkispawn -f ca-external-step2.cfg -s CA

If you mess up, use pkidestroy to remove the failed instance. If you succeeded with step 1 but failed at step 2 you'll need to use pkidestroy to remove the failed instance and start over at step 1 (this includes resubmitting a new CSR).

Output:

Log file: /var/log/pki/pki-ca-spawn.20190420103942.log
Loading deployment configuration from ca-external-step2.cfg.
Installing CA into /var/lib/pki/pki-tomcat.
/tmp/tmpL0IaTo/cert0.crt: CN=Company Name Root CA Signing Cert,OU=IT dept,O=Company Name
/tmp/tmpL0IaTo/cert1.crt: CN=Company Name Subordinate CA Signing Cert,OU=IT,O=Company Name
-------------------------------------------------------------------------------------------
Imported certificate "Company Name Root CA Signing Cert - Company Name"
-------------------------------------------------------------------------------------------
Notice: Trust flag u is set automatically if the private key is present.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             caadmin
      Administrator's PKCS #12 file:
            /root/.dogtag/pki-tomcat/ca_admin_cert.p12

      Administrator's certificate nickname:
            caadmin
      Administrator's certificate database:
            /root/.dogtag/pki-tomcat/ca/alias

      To check the status of the subsystem:
            systemctl status pki-tomcatd@pki-tomcat.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@pki-tomcat.service

      The URL for the subsystem is:
            https://sub-ca.domainname.com:8443/ca

      PKI instances will be enabled upon system boot

    ==========================================================================

Copy the installation summary and put it in a document for later reference. This same document should contain all the login info for the Directory Manager, OS user logins, location of machine, details and system certificate info of this root-ca. See end of document for example.

Note the password you set for the caadmin CA admin account and Dogtag Web UI (optional).

Note: If the DNS name of your CA server isn't a part of any of your other DNS databases, the Web UI might fail when trying to use the fqdn instead of IP. To fix this just replace the fqdn with the IP as needed.

Note: If you want to use the Dogtag web UI, import the user authentication certificate for caadmin. Using CentOS 7 Workstation or Fedora 24 Workstation, copy the caadmin certificate to the workstation then add it to Firefox's user certificates. If you receive an authentication error or "You did not provide a valid certificate for this operation" when browsing to "https://host.domain.net:8443/ca" then you have not used caadmin's authentication certificate for privileged access.

The caadmin certificate can be found in /root/.dogtag/pki-tomcat/ca_admin_cert.p12. Copy it to an admin workstation using scp root@<ip address or hostname>:/root/.dogtag/pki-tomcat/ca_admin_cert.p12 . If using sudo then you'll need to copy the p12 file to the sudo user's home dir, chown it to the sudo user and scp it from there.

Import the certificate into Firefox by selecting menu, Preferences, Advanced, View Certificates, Your Certificates, then Import. Once complete, you will find “PKI Administrator” under “Your Certificates.” When it prompts you for the password it will be the password you specified in the ca-external-step1.cfg on line pki_client_pkcs12_password.

Extend the CRL interval:

sudo systemctl stop pki-tomcatd@pki-tomcat.service
sudo vim /etc/pki/pki-tomcat/ca/CS.cfg

find and change

ca.crl.MasterCRL.autoUpdateInterval=240

to

ca.crl.MasterCRL.autoUpdateInterval=5256000

and

ca.crl.MasterCRL.enableDailyUpdates=false

Extend the Other Certificate default period (we use this for Windows domain controllers) https://frasertweedale.github.io/blog-redhat/posts/2019-03-04-dogtag-system-cert-lifetime.html

sudo vim /var/lib/pki/pki-tomcat/ca/profiles/ca/caOtherCert.cfg

find all instances of 720 and change them to 3650

policyset.otherCertSet.2.constraint.params.range=3650
policyset.otherCertSet.2.default.params.range=3650

Do this for the Domain Controller template as well

sudo vim /var/lib/pki/pki-tomcat/ca/profiles/ca/DomainController.cfg

Here you're changing 1825 to 3650.

sudo systemctl start pki-tomcatd@pki-tomcat.service

Download latest CRL: https://ip.add.res:8443/ca/ee/ca/DisplayCRL.html and save it in your documentation folder.

Go to https://ip.add.res:8443/ca/ee/ca/ → Retrieval → Import CA Certificate Chain → download each of the certificate formats and save it to your documentation folder.

Note: as of 04/10/19, after reboot the pki-tomcatd@pki-tomcat service doesn't come back up automatically, start it manually with systemctl start pki-tomcatd@pki-tomcat.service

Or add the crontab entry

@reboot systemctl restart pki-tomcatd@pki-tomcat.service

Role: Offline root certification authority via Dogtag 10.5
OS: CentOS 7
Location: Virtual Guest
IP: 10.254.157.240
user: root | superSecretPasswordA
user: camden | superSecretPasswordB

389 directory server instance: root-ca
389 Directory Manager password: superSecretPasswordW

Certificate administrator account and password: caadmin | superSecretPasswordX

URL: https://root-ca.domainname.com:8443/

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             caadmin
      Administrator's PKCS #12 file:
            /root/.dogtag/pki-tomcat/ca_admin_cert.p12

      To check the status of the subsystem:
            systemctl status pki-tomcatd@pki-tomcat.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@pki-tomcat.service

      The URL for the subsystem is:
            https://root-ca.domainname.com:8443/ca

      PKI instances will be enabled upon system boot

    ==========================================================================


System Certificates

Serial  Expires     Certificate
0x1     04/18/2039  CN=Company Name Root CA Signing Cert,OU=IT dept,O=Company Name
0x2     04/15/2029  CN=CA OCSP Signing Certificate,OU=pki-tomcat,O=domainname.com Security Domain
0x3     04/15/2029  CN=root-ca.domainname.com,OU=pki-tomcat,O=domainname.com Security Domain
0x4     04/15/2029  CN=Subsystem Certificate,OU=pki-tomcat,O=domainname.com Security Domain
0x5     04/15/2029  CN=CA Audit Signing Certificate,OU=pki-tomcat,O=domainname.com Security Domain
0x6     04/15/2029  CN=PKI Administrator,E=admin@domainname.com,OU=pki-tomcat,O=domainname Security Domain

Verification
Verifying system certificates
If the HSM is used, the internal token will have the following certificates:

$ certutil -L -d /etc/pki/pki-tomcat/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA Signing Certificate - ROOT                                CT,C,C
ca_signing                                                   CT,C,C
ca_audit_signing                                             ,,P

and the HSM will have the following certificates:

$ certutil -L -d /etc/pki/pki-tomcat/alias -h HSM -f password.txt

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

HSM:ca_ocsp_signing                                          u,u,u
HSM:sslserver/server.example.com                             u,u,u
HSM:ca_signing                                               u,u,u
HSM:subsystem                                                u,u,u
HSM:ca_audit_signing                                         u,u,u
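The trust column in these listings is what makes the instance usable: a CA signing certificate imported without the CT,C,C flags is not trusted as an issuer even though it is present. The following check is an added example, not code from the page or from Dogtag; it parses certutil -L output and compares the trust attributes of the root, sub-CA signing and audit signing entries against the values the listing above shows. The NSS database path is the page's default instance path; the sample listing inside the script is constructed so the check can run offline.

```shell
#!/bin/sh
# Added example (not the page's or Dogtag's own code): verify trust flags in
# "certutil -L" output. Assumes the default instance NSS database path.
NSSDB="${NSSDB:-/etc/pki/pki-tomcat/alias}"

# trust_of LISTING NICKNAME: print the trust column for NICKNAME from certutil -L text.
# Nicknames may contain spaces, so the last field is taken as the flags and the
# remainder of the line (trailing padding stripped) is compared to the nickname.
trust_of() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NF >= 2 {
            flags = $NF
            sub(/[[:space:]]+[^[:space:]]+$/, "", $0)
            if ($0 == nick) { print flags; exit }
        }'
}

# check_trust LISTING: compare each expected entry; return the number of mismatches.
check_trust() {
    bad=0
    for spec in "CA Signing Certificate - ROOT=CT,C,C" "ca_signing=CT,C,C" "ca_audit_signing=,,P"; do
        nick="${spec%=*}"; want="${spec#*=}"
        got=$(trust_of "$1" "$nick")
        if [ "$got" = "$want" ]; then
            echo "OK   $nick $got"
        else
            echo "FAIL $nick has '${got:-<missing>}', expected $want"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample in the shape of the listing above (not real certutil output).
SAMPLE='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA Signing Certificate - ROOT                                CT,C,C
ca_signing                                                   CT,C,C
ca_audit_signing                                             ,,P'

# Usage: sh check_trust.sh --live   (reads the real database); without --live the sample is checked.
if [ "${1:-}" = "--live" ]; then
    check_trust "$(certutil -L -d "$NSSDB")"
else
    check_trust "$SAMPLE"
fi
```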

Verifying CA admin

Prepare a client NSS database:

$ pki -c Secret.123 client-init

Import the CA certificate chain:

$ pki -c Secret.123 client-cert-import "CA Signing Certificate - ROOT" --ca-cert cert_chain.crt

Import the subordinate CA signing certificate:

$ pki -c Secret.123 client-cert-import "CA Signing Certificate - EXAMPLE" --ca-cert ca_signing.crt

Import CA admin certificate and key:

$ pki -c Secret.123 client-cert-import \
 --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
 --pkcs12-password-file ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf

Execute the following command:

$ pki -c Secret.123 -n caadmin ca-user-find



pki -c pass123! client-cert-import \
 --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
 --pkcs12-password-file ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf

  • tech_documents/pki/sub_ca_dogtag_rocky9.txt
  • Last modified: 2023/09/17 00:43
  • by jacob.hydeman