To migrate to a PKI server

Purpose

Use this procedure to migrate from manual TLS configuration to using a PKI server if the deprecated ROOT CA method, which involves generating ca.jks and ca-cert.pem files, has previously been used.

Note: This procedure is to be used if all components in the existing deployment were configured using the deprecated ROOT CA method.

Note: release-ID in a file path has the following format:

R.r.p-rel.version

where

R.r.p is the NSP release, in the form MAJOR.minor.patch

version is a numeric value

Steps

1 

Copy the existing ca.jks file, which is the ROOT CA keystore, and the ca-cert.pem file, which is the ROOT CA certificate, to a working directory on the station that is to run the PKI server.


2 

Use the existing ca.jks file to create a new ca.key file, which is the ROOT CA private key in PEM format. Execute the following commands:

Note: You must enclose a password that contains a special character in single quotation marks; for example:

-srcstorepass 'MyPa$$word' -deststorepass 'MyPa$$word'

path/keytool -importkeystore -srckeystore ca.jks -destkeystore keystore.p12 -srcstorepass storePassword -deststorepass storePassword -deststoretype PKCS12

openssl pkcs12 -in keystore.p12 -passin pass:keyPassword -nocerts -nodes -out ca.key

where

path is the path to the keytool utility, which is part of the JDK

storePassword is the password to access the contents of the keystore

keyPassword is the password that is used to access the private key stored within the keystore

Note: keytool does not support a PKCS12 key password that differs from the store password. If the key password in ca.jks differs from storePassword, keytool prints a warning, protects the exported key with storePassword, and the -passin value must then be storePassword.

Note: The -nodes option writes the ROOT CA private key to ca.key unencrypted, and keystore.p12 contains the same key. Restrict the ca.key file permissions to the user that runs the PKI server, and delete keystore.p12 once ca.key has been created.


3 

Move the new ca.key file to the PKI server location. By default, this is the NSP_installer_directory/tools/pki directory, where NSP_installer_directory is the directory where the NSP software bundle was extracted.


4 

Copy the existing ca-cert.pem file to the PKI server location.


5 

Rename the ca-cert.pem file to ca.pem.


6 

Perform one of the following.

  1. Enter the following to use the default PKI server port:

    ./pki-server ↵

  2. Enter the following to specify a port other than the default:

    ./pki-server -port port ↵

    where port is the port to use for receiving and responding to requests

    Note: If you specify a port other than the default, you must specify the non-default port number when you configure each requestor to use the PKI server.


7 

If the PKI server does not find a root CA on the filesystem, as is the case the first time that the PKI server is run on a station that has no ca.pem and ca.key files in the PKI server directory, the following message and prompt are displayed. Otherwise, the PKI server uses the root CA from disk; go to Step 12.

Note: In this migration the ca.pem and ca.key files placed in the PKI server directory in Steps 3 to 5 are expected to be detected. If the prompt is displayed, the files were not found there, and completing the prompts creates a new root CA instead of reusing the migrated one.

********************************************************************************************************

No Internal Root CA detected on the filesystem.

********************************************************************************************************

Creating new Internal Root CA Identity.

Organization Name (eg, company) []:


8 

Enter your company name.

The following prompt is displayed:

Country Name (2 letter code) []:


9 

Enter the two-letter ISO 3166-1 alpha-2 code for your country.

The following prompt is displayed:

State or Province Name (full name) []:


10 

Enter your state or province name.

The following prompt is displayed:

Validity (days) [3650]:


11 

Enter the length of time, in days, for which the new root CA certificate is valid, or press ↵ to accept the default.

The following messages are displayed as the PKI server creates a local TLS root CA and begins to poll for TLS certificate requests:

date time Root CA generated successfully.

date time Using Root CA from disk, and serving requests on port port

The required ca.pem and ca.key files are created in the current working directory.


12 

Copy the ca.pem and ca.key files to the following directory on the NSP cluster host:

/opt/nsp/NSP-CN-release-ID/tools/pki


13 

Close the console window.

End of steps
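As an added example that is not part of the NSP documentation or tooling, the following POSIX shell script performs Steps 2 to 5 of the procedure (key extraction from ca.jks, placement of ca.key, and copying ca-cert.pem to ca.pem) and then checks, before pki-server is started, that ca.key and ca.pem belong together and that ca.pem is an unexpired CA certificate. The script name migrate_ca.sh, the STOREPASS environment variable, and the function names are assumptions of this example; it also assumes that keytool and openssl are on the PATH. The verification function uses only openssl, so it can be run against any key and certificate pair, not only a migrated one.

```shell
#!/bin/sh
# migrate_ca.sh: added example, not NSP tooling. Converts the deprecated ROOT CA
# material (ca.jks + ca-cert.pem) into the ca.key/ca.pem pair for the PKI server
# directory and verifies the pair before the PKI server is started.
# Assumed: keytool (JDK) and openssl on PATH; the keystore password is read from
# the STOREPASS environment variable (an assumption of this example) instead of
# the command line, so it is not exposed in shell history.

# extract_ca_key JKS STOREPASS OUT_KEY
# Same two conversion commands as the procedure, run in a subshell so that the
# restrictive umask and the cleanup trap cannot leak into the caller.
extract_ca_key() (
    jks=$1; storepass=$2; out=$3
    p12="${out}.p12.tmp"
    umask 077                        # intermediate files are created 0600
    trap 'rm -f "$p12"' EXIT         # the PKCS12 holds the same root key
    # Quoting "$storepass" covers passwords that contain special characters.
    # keytool does not support a PKCS12 key password that differs from the
    # store password, so storepass also unlocks the key for "openssl pkcs12".
    keytool -importkeystore -srckeystore "$jks" -destkeystore "$p12" \
        -srcstorepass "$storepass" -deststorepass "$storepass" \
        -deststoretype PKCS12 >/dev/null 2>&1 || exit 1
    # -nodes writes the key unencrypted; piping through "openssl pkey" drops the
    # "Bag Attributes" header lines and leaves a plain PKCS#8 PEM file.
    openssl pkcs12 -in "$p12" -passin "pass:$storepass" -nocerts -nodes 2>/dev/null \
        | openssl pkey -out "$out" 2>/dev/null || exit 1
    chmod 600 "$out"
)

# verify_ca_pair CA_KEY CA_PEM
# Returns 0 when the private key matches the certificate's public key, the
# certificate is a CA, and it has not expired; 1 on unreadable input or a
# key/certificate mismatch; 2 when the certificate is not a CA; 3 when expired.
verify_ca_pair() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "verify: $1 does not match $2" >&2; return 1
    fi
    if ! openssl x509 -in "$2" -noout -text | grep -q 'CA:TRUE'; then
        echo "verify: $2 is not a CA certificate" >&2; return 2
    fi
    if ! openssl x509 -in "$2" -noout -checkend 0 >/dev/null; then
        echo "verify: $2 has expired" >&2; return 3
    fi
    echo "verify: ok, $(openssl x509 -in "$2" -noout -enddate)"
}

# main CA_JKS CA_CERT_PEM PKI_SERVER_DIR: Steps 2 to 5, then the pair check.
main() {
    [ $# -eq 3 ] || { echo "usage: $0 ca.jks ca-cert.pem PKI_SERVER_DIR" >&2; return 64; }
    [ -n "$STOREPASS" ] || { echo "set STOREPASS to the ca.jks store password" >&2; return 64; }
    extract_ca_key "$1" "$STOREPASS" "$3/ca.key" || { echo "key extraction failed" >&2; return 1; }
    cp "$2" "$3/ca.pem" || return 1          # ca-cert.pem becomes ca.pem
    verify_ca_pair "$3/ca.key" "$3/ca.pem"   # non-zero exit: do not start pki-server
}

# Runs only when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it on the PKI server station as STOREPASS='MyPa$$word' ./migrate_ca.sh ca.jks ca-cert.pem NSP_installer_directory/tools/pki; a non-zero exit means the pair in the PKI server directory should not be served. The password still reaches keytool and openssl as process arguments, so run the script where other users cannot list processes, or omit the -srcstorepass and -deststorepass options so that keytool prompts for them interactively.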