Markvision Enterprise

Creating certificates

    The following instructions show how to generate the signer certificate, the vault certificate, and the SCEP certificate. The root CA signs the signer certificate, and the signer certificate in turn signs the SCEP certificate. The vault certificate is self-signed.

  1. Generate and then sign the certificates. For more information, see Configuring OpenXPKI CA manually.

    Note:  Change the certificate common name so that users can easily distinguish between the certificates of different realms. For example, change DC=CA-ONE to DC=CA-TWO. The certificate files are created in the /etc/certs/openxpki_ca-two/ directory.

  2. Copy the key files to /etc/openxpki/ca/ca-two/.

    Note:  The key files must be readable by the account that OpenXPKI runs as. Because they are private keys, do not make them readable by other users.

    cp /etc/certs/openxpki_ca-two/ca-signer-1.key /etc/openxpki/ca/ca-two/
    
    cp /etc/certs/openxpki_ca-two/vault-1.key /etc/openxpki/ca/ca-two/
    
    cp /etc/certs/openxpki_ca-two/scep-1.key /etc/openxpki/ca/ca-two/
  3. Create the symlinks for the key files, and also create a symlink for the root CA certificate.

    Note:  Symlinks are aliases used by the default configuration.

    ln -s /etc/openxpki/ca/ca-one/ca-root-1.crt /etc/openxpki/ca/ca-two/ca-root-1.crt
    
    ln -s /etc/openxpki/ca/ca-two/ca-signer-1.key /etc/openxpki/ca/ca-two/ca-signer-1.pem
    
    ln -s /etc/openxpki/ca/ca-two/scep-1.key /etc/openxpki/ca/ca-two/scep-1.pem
    
    ln -s /etc/openxpki/ca/ca-two/vault-1.key /etc/openxpki/ca/ca-two/vault-1.pem
  4. Import the signer certificate, vault certificate, and SCEP certificate into the database with the appropriate tokens for ca-two.

    openxpkiadm certificate import --file /etc/certs/openxpki_ca-two/ca-signer-1.crt --realm ca-two --issuer /etc/openxpki/ca/ca-two/ca-root-1.crt --token certsign
    
    openxpkiadm certificate import --file /etc/certs/openxpki_ca-two/scep-1.crt --realm ca-two --token scep
    
    openxpkiadm certificate import --file /etc/certs/openxpki_ca-two/vault-1.crt --realm ca-two --token datasafe
  5. Check whether the import was successful by running openxpkiadm alias --realm ca-two.

    Sample output

    === functional token ===
    scep (scep):
    Alias     : scep-1
    Identifier: YsBNZ7JYTbx89F_-Z4jn_RPFFWo
    NotBefore : 2015-01-30 20:44:40
    NotAfter  : 2016-01-30 20:44:40
    
    vault (datasafe):
    Alias     : vault-1
    Identifier: lZILS1l6Km5aIGS6pA7P7azAJic
    NotBefore : 2015-01-30 20:44:40
    NotAfter  : 2016-01-30 20:44:40
    
    ca-signer (certsign):
    Alias     : ca-signer-1
    Identifier: Sw_IY7AdoGUp28F_cFEdhbtI9pE
    NotBefore : 2015-01-30 20:44:40
    NotAfter  : 2018-01-29 20:44:40
    
    === root ca ===
    current root ca:
    Alias     : root-1
    Identifier: fVrqJAlpotPaisOAsnxa9cglXCc
    NotBefore : 2015-01-30 20:44:39
    NotAfter  : 2020-01-30 20:44:39
    
    upcoming root ca:
      not set
    

    In this instance, the root CA information is the same for ca-one and ca-two.

  6. If you changed the certificate key password during certificate creation, then update the password in /etc/openxpki/config.d/realm/ca-two/crypto.yaml, for example with nano /etc/openxpki/config.d/realm/ca-two/crypto.yaml.

  7. Generate the CRLs for this realm. For more information, see Generating CRL information.

  8. Publish the CRLs for this realm. For more information, see Configuring CRL accessibility.

  9. Restart the OpenXPKI service using openxpkictl restart.

    Sample output

    Stopping OpenXPKI
    Stopping gracefully, 3 (sub)processes remaining...
    DONE.
    Starting OpenXPKI...
    OpenXPKI Server is running and accepting requests.
    DONE.
  10. Do the following to access the OpenXPKI server:

    1. From a web browser, type http://ipaddress/openxpki/, where ipaddress is the address of the OpenXPKI server.

    2. Log in as Operator. The default password is openxpki.

      Note:  The Operator login has two preconfigured operator accounts, raop and raop2.
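Before restarting the service in step 9, it is worth confirming that the files from steps 2 to 4 are in place and that the trust relationships described at the top of this page actually hold. The following POSIX shell script is an added example, not code from the Markvision Enterprise or OpenXPKI documentation; it assumes the file names used on this page (ca-root-1.crt, ca-signer-1, scep-1, vault-1), the /etc/certs/openxpki_ca-two/ certificate directory, and that openssl is installed for the chain check.

```shell
#!/bin/sh
# Added example (not from the Markvision/OpenXPKI documentation): sanity checks
# for a realm directory such as /etc/openxpki/ca/ca-two/ before restarting OpenXPKI.
# Assumes the file names used on this page (ca-root-1.crt, ca-signer-1, scep-1, vault-1).

# check_realm_layout DIR: each private key must exist, must not be readable by
# "other", and the .pem alias that the default configuration expects must be a
# symlink resolving to it. Returns 0 when everything is in place, 1 otherwise.
check_realm_layout() {
    dir=$1
    rc=0
    for name in ca-signer-1 scep-1 vault-1; do
        key="$dir/$name.key"
        pem="$dir/$name.pem"
        if [ ! -f "$key" ]; then
            echo "missing key: $key"; rc=1; continue
        fi
        # find prints the path only if the world-readable bit (004) is set
        if [ -n "$(find "$key" -prune -perm -004)" ]; then
            echo "world-readable private key: $key"; rc=1
        fi
        # -h: is a symlink; -ef: resolves to the same inode as the key file
        if [ ! -h "$pem" ] || [ ! "$pem" -ef "$key" ]; then
            echo "alias $pem does not point at $key"; rc=1
        fi
    done
    if [ ! -h "$dir/ca-root-1.crt" ] || [ ! -f "$dir/ca-root-1.crt" ]; then
        echo "root CA symlink $dir/ca-root-1.crt is missing or dangling"; rc=1
    fi
    return $rc
}

# check_realm_chain CERTDIR ROOT: confirm with openssl that the root signs the
# signer, the signer signs the SCEP certificate, and the vault cert is self-signed.
check_realm_chain() {
    certs=$1; root=$2
    openssl verify -CAfile "$root" "$certs/ca-signer-1.crt" &&
    openssl verify -CAfile "$root" -untrusted "$certs/ca-signer-1.crt" "$certs/scep-1.crt" &&
    openssl verify -CAfile "$certs/vault-1.crt" "$certs/vault-1.crt"
}

# Usage: sh check_realm.sh /etc/openxpki/ca/ca-two [/etc/certs/openxpki_ca-two]
if [ "$#" -ge 1 ]; then
    check_realm_layout "$1" &&
    check_realm_chain "${2:-/etc/certs/openxpki_ca-two}" "$1/ca-root-1.crt"
fi
```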
