To migrate to a PKI server
Purpose
Use this procedure to migrate from manual TLS configuration to using a PKI server if the deprecated ROOT CA method, which involves generating ca.jks and ca-cert.pem files, has previously been used.
Note: This procedure is to be used if all components in the existing deployment were configured using the deprecated ROOT CA method.
Note: release-ID in a file path has the following format:
R.r.p-rel.version
where
R.r.p is the NSP release, in the form MAJOR.minor.patch
version is a numeric value
Steps
1
Copy over the existing ca.jks file, which is the ROOT CA keystore, and the ca-cert.pem file, which is the ROOT CA certificate.

2
Use the existing ca.jks file to create a new ca.key file. Execute the following commands:

    path/keytool -importkeystore -srckeystore ca.jks -destkeystore keystore.p12 -srcstorepass storePassword -deststorepass storePassword -deststoretype PKCS12
    openssl pkcs12 -in keystore.p12 -passin pass:keyPassword -nocerts -nodes -out ca.key

where
    path is the path to the keytool utility
    storePassword is the password to access the contents of the keystore
    keyPassword is the password that is used to access the private key stored within the keystore

Note: You must enclose a password that contains a special character in single quotation marks; for example:
    -srcstorepass 'MyPa$$word' -deststorepass 'Mypa$$word'

3
Move the new ca.key file to the PKI server location. By default, the PKI server utility is installed in the following location on an NSP deployer host:
    /opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/tools/pki

Note: You can run a PKI server from the default location, or from another station that is reachable by all requestors, as may be required when integrating a system such as the NFM-P or WS-NOC. To run the utility from a non-default location, you must first copy the pki-server file from the pki directory to the new location.

4
Copy the existing ca-cert.pem file to the PKI server location.

5
Rename the ca-cert.pem file to ca.pem.

6
Perform one of the following.

7
If this is the first time that the PKI server is run on the station, the following message and prompt are displayed. Otherwise, go to Step 12.

    ********************************************************************************************************
    No Internal Root CA detected on the filesystem.
    ********************************************************************************************************
    Creating new Internal Root CA Identity.
    Organization Name (eg, company) []:

8
Enter your company name. The following prompt is displayed:
    Country Name (2 letter code) []:

9
Enter the two-letter ISO alpha-2 code for your country. The following prompt is displayed:
    State or Province Name (full name) []:

10
Enter your state or province name. The following prompt is displayed:
    Validity (days) [3650]:

11
Enter the length of time, in days, for which the TLS certificate is valid, or press ↵ to accept the default. The following messages are displayed as the PKI server creates a local TLS root CA and begins to poll for TLS certificate requests:
    date time Root CA generated successfully.
    date time Using Root CA from disk, and serving requests on port port

The required ca.pem and ca.key files are created in the current working directory.

12
Copy the ca.pem and ca.key files to the following directory on the NSP deployer host:
    /opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/tools/pki

13
Close the console window.

End of steps
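Before the ca.pem and ca.key pair is placed in the PKI server directory (Step 3 and Step 12), it is worth confirming that the ca.key extracted from ca.jks really belongs to ca-cert.pem: a mismatched pair would make the PKI server sign requests with a key that does not chain to the root the existing deployment trusts. The following POSIX shell checks are an added example, not part of the NSP documentation or of the pki-server tool; they assume openssl is on the PATH and that ca.key is unencrypted, as produced by the -nodes option in Step 2.

```shell
#!/bin/sh
# Added example (not from the NSP documentation or pki-server): sanity checks on
# the ca.pem / ca.key pair before it is handed to the PKI server.
# Assumes: openssl on PATH; ca.key is unencrypted (the -nodes option in Step 2).

# verify_ca_pair CERT KEY
# Returns 0 when the private key in KEY corresponds to the certificate in CERT.
# Both public keys are exported as SubjectPublicKeyInfo and hashed, so the
# check works for RSA and EC keys alike (a modulus comparison would not).
verify_ca_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# is_ca_cert CERT
# Returns 0 when CERT carries basicConstraints CA:TRUE, i.e. it can act as
# the root with which the PKI server signs certificate requests.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# key_is_private KEY
# Returns 0 when KEY is readable by its owner only (mode 600 or 400).
# GNU stat (-c) is tried first, BSD/macOS stat (-f) as a fallback.
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# check_migration_inputs CERT KEY
# Runs all three checks; returns 1 for a bad pair, 2 for weak key permissions.
check_migration_inputs() {
    verify_ca_pair "$1" "$2" || { echo "ERROR: $2 does not match $1" >&2; return 1; }
    is_ca_cert "$1"          || { echo "ERROR: $1 is not a CA certificate" >&2; return 1; }
    key_is_private "$2"      || { echo "WARNING: $2 is readable by others; chmod 600 $2" >&2; return 2; }
    echo "OK: $1 and $2 are a consistent CA pair"
}

# Usage: sh check_ca_pair.sh ca.pem ca.key   (does nothing when run without arguments)
if [ "$#" -eq 2 ]; then
    check_migration_inputs "$1" "$2"
fi
```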