To configure and enable a PKI server

Purpose

The following procedure describes:

  • how to configure the parameters for TLS certificate generation on a PKI server

  • how to import an existing TLS certificate to a PKI server for distribution to requestors

A PKI server that you configure and start does the following.

  1. Creates a local private root CA service.

  2. Does one of the following:

    • imports a certificate from a file that you provide

    • generates a TLS certificate signed by the CA service

  3. Polls for certificate requests

  4. Distributes the certificate to requestors

Note: You require root user privileges to use the PKI server.

Note: release-ID in a file path has the following format:

R.r.p-rel.version

where

R.r.p is the NSP release, in the form MAJOR.minor.patch

version is a numeric value

Steps
 

1 

By default, the PKI server utility is installed in the following location on an NSP deployer host:

/opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/tools/pki

Note: You can run a PKI server from the default location, or from another station that is reachable by all requestors, as may be required when integrating a system such as the NFM-P or WS-NOC. To run the utility from a non-default location, you must first copy the pki-server file from the pki directory to the new location.


2 

Log in as the root user on the station from which you want to run the PKI server.


3 

Open a console window.


4 

If you need to use a backed-up PKI-server private key and public certificate from a previous PKI-server instance, copy the files to the directory that contains the pki-server utility. The files must be named:

  • ca.key — private RSA key of the CA

  • ca.pem — X.509 public key certificate signed using ca.key

Note: The files must be located in the same directory as the pki-server utility, and the user that invokes the PKI server requires read access to the files. Restrict ca.key so that no other user can read it (for example, mode 0600 and owned by root), because anyone who can read ca.key can issue certificates that every requestor trusts.


5 

Perform one of the following to start the PKI server.

  1. Enter the following to use the default PKI server port:

    ./pki-server ↵

  2. Enter the following to specify a port other than the default:

    Note: If you specify a port other than the default, you must specify the non-default port number when you configure each requestor to use the PKI server.

    ./pki-server -port port ↵

    where port is the port to use for receiving and responding to requests


6 

If you are using files from a previous PKI-server instance, as described in Step 4, or have previously configured the root CA parameters for the PKI server, go to Step 19.


7 

If this is the first time that the PKI server is run on the station, the following message and prompt are displayed:

********************************************************************************************************

No External Root CA detected on the filesystem.

********************************************************************************************************

Create new External Root CA Identity [y/n]?


8 

Enter y ↵. The following prompt is displayed:

Organization Name (eg, company) []:


9 

Enter your company name.

The following prompt is displayed:

Country Name (2 letter code) []:


10 

Enter the two-letter ISO alpha-2 code for your country.

The following prompt is displayed:

State or Province Name (full name) []:


11 

Enter your state or province name.

The following prompt is displayed:

Validity (days) [3650]:


12 

Enter the length of time, in days, for which the root CA certificate is valid, or press ↵ to accept the default.

The following message is displayed when the PKI server has created the external root CA:

date time Root CA generated successfully.


13 

If this is the first time that the PKI server is run on the station, the following message and prompt are displayed. Otherwise, go to Step 19.

********************************************************************************************************

No Internal Root CA detected on the filesystem.

********************************************************************************************************

Creating new Internal Root CA Identity.

Organization Name (eg, company) []:


14 

Enter your company name.

The following prompt is displayed:

Country Name (2 letter code) []:


15 

Enter the two-letter ISO alpha-2 code for your country.

The following prompt is displayed:

State or Province Name (full name) []:


16 

Enter your state or province name.

The following prompt is displayed:

Validity (days) [3650]:


17 

Enter the length of time, in days, for which the root CA certificate is valid, or press ↵ to accept the default.

The following messages are displayed as the PKI server creates a local TLS root CA and begins to poll for TLS certificate requests:

date time Root CA generated successfully.

date time Using Root CA from disk, and serving requests on port port


18 

Make a backup copy of the following private root CA files, which are in the current directory, and store the backup in a secure and remote location, such as a separate physical facility. Anyone who holds ca.key can sign certificates that every requestor trusts, so protect the backup at least as strictly as the PKI server host itself and encrypt it if the backup medium is shared:

  • ca.key

  • ca.pem
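The following shell script is an added example; it is not part of the NSP documentation or of the pki-server utility. It covers the two places in this procedure where the CA files are handled by hand: before a backed-up ca.key and ca.pem are placed next to pki-server (Step 4) it checks that ca.pem is a CA certificate, that ca.key is the matching private key and that the certificate is not about to expire, and for the backup in Step 18 it packs the pair into an archive that only its owner can read. It assumes that openssl is installed, that ca.key is an unencrypted PEM private key and that ca.pem is a PEM X.509 certificate; the function names and the throwaway CA that pki_ca_demo generates are the example's own.

```shell
#!/bin/sh
# Added example, not part of the NSP documentation or the pki-server tool.
# Sanity-checks a ca.key / ca.pem pair before it is placed next to pki-server
# (Step 4) and makes a backup of the pair that only its owner can read (Step 18).
# Assumptions: openssl is installed; ca.key is an unencrypted PEM private key and
# ca.pem is the matching PEM X.509 CA certificate, as the procedure names them.

# pki_ca_check DIR -> 0 if DIR/ca.key and DIR/ca.pem are a usable CA pair, 1 otherwise
pki_ca_check() {
    key="$1/ca.key"
    crt="$1/ca.pem"
    [ -r "$key" ] && [ -r "$crt" ] || { echo "missing ca.key or ca.pem in $1" >&2; return 1; }
    # ca.pem must really be a CA certificate, or requestor certificates will not chain to it
    openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
        || { echo "ca.pem is not a CA certificate" >&2; return 1; }
    # the public key derived from ca.key must equal the one embedded in ca.pem
    pub_from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    pub_from_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_crt" ] \
        || { echo "ca.key does not match ca.pem" >&2; return 1; }
    # refuse a CA certificate that expires within 30 days (2592000 s)
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null \
        || { echo "ca.pem expires within 30 days" >&2; return 1; }
}

# pki_ca_backup DIR DEST -> writes DEST/pki-ca-<timestamp>.tar (mode 0600) and prints its path
pki_ca_backup() {
    pki_ca_check "$1" || return 1
    (
        umask 077                      # archive and DEST are created without group/other permissions
        mkdir -p "$2"
        archive="$2/pki-ca-$(date +%Y%m%d%H%M%S).tar"
        tar -cf "$archive" -C "$1" ca.key ca.pem || exit 1
        printf '%s\n' "$archive"
    )
}

# pki_ca_demo -> creates a throwaway CA pair in a new temporary directory and prints the path.
# This stands in for the pair that pki-server writes; it is constructed for the example only.
pki_ca_demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=Example Corp/C=US/ST=Texas" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1 || return 1
    chmod 600 "$d/ca.key"
    printf '%s\n' "$d"
}
```

Run pki_ca_check . in the directory that holds pki-server before starting it in Step 5, and pki_ca_backup . /path/to/backup-dir once the root CA has been generated; the archive still has to be moved to the remote location and encrypted there.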


19 

When the PKI server receives a certificate request, the following is displayed:

date time Received request for CA cert from IP_address:port

If the PKI server successfully responds to the request, the following is displayed:

date time Successfully returned a signed certificate valid for IPs: [IP_address_1...IP_address_n] and hostnames: [hostname_1...hostname_n]


20 

The PKI server log is the pki-server.log file in the current directory. View the log to determine when the PKI server has distributed a certificate to each requestor.
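The following shell script is an added example; it is not part of the NSP documentation or of the pki-server utility. It reads a pki-server.log file and reports, for every "Received request for CA cert" line, whether a "Successfully returned a signed certificate" line followed it, so that the requestors still waiting for a certificate are visible before the server is stopped in Step 21. The sample log lines are constructed from the two message formats quoted in Steps 17 and 19; the timestamp prefix, IP addresses, hostnames and port number in the sample, and the function names, are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the NSP documentation or the pki-server tool.
# Pairs each "Received request for CA cert from ..." line in pki-server.log with
# the "Successfully returned a signed certificate ..." line that follows it and
# reports requestors that are still waiting. The two line formats are the ones
# quoted in the procedure; the leading "date time" prefix is assumed to be one or
# more whitespace-separated fields and is ignored.

# pki_log_summary LOGFILE
# Prints one line per request: "<requestor-ip> OK ips=... hostnames=..." or "<requestor-ip> PENDING".
pki_log_summary() {
    awk '
    /Received request for CA cert from/ {
        if (pending != "") print pending " PENDING"   # previous request was never answered
        addr = $NF                                    # "IP_address:port" is the last field
        sub(/:[0-9]+$/, "", addr)                     # drop the ephemeral source port
        pending = addr
        next
    }
    /Successfully returned a signed certificate/ {
        if (pending == "") { print "UNMATCHED " $0; next }
        ips = $0;   sub(/.*valid for IPs: \[/, "", ips);   sub(/] and hostnames.*/, "", ips)
        hosts = $0; sub(/.*and hostnames: \[/, "", hosts); sub(/].*/, "", hosts)
        print pending " OK ips=" ips " hostnames=" hosts
        pending = ""
    }
    END { if (pending != "") print pending " PENDING" }
    ' "$1"
}

# pki_log_pending LOGFILE -> only the requestor addresses that have no certificate yet
pki_log_pending() {
    pki_log_summary "$1" | awk '$2 == "PENDING" { print $1 }'
}

# Constructed sample log: timestamps, addresses, hostnames and the port number are invented.
SAMPLE_LOG="${TMPDIR:-/tmp}/pki-server-sample.$$.log"
cat >"$SAMPLE_LOG" <<'EOF'
2024-03-04 09:15:02 Using Root CA from disk, and serving requests on port 2391
2024-03-04 09:17:41 Received request for CA cert from 10.20.30.11:45012
2024-03-04 09:17:41 Successfully returned a signed certificate valid for IPs: [10.20.30.11 10.20.30.12] and hostnames: [nsp-cluster.example.com nspos1.example.com]
2024-03-04 09:22:07 Received request for CA cert from 10.20.40.5:50211
2024-03-04 09:22:07 Successfully returned a signed certificate valid for IPs: [10.20.40.5] and hostnames: [nfmp-main.example.com]
2024-03-04 09:30:19 Received request for CA cert from 10.20.50.8:38870
EOF

pki_log_summary "$SAMPLE_LOG"
```

On the real file, pki_log_pending pki-server.log printing nothing means every logged request was answered; an entry that stays PENDING points at a requestor that could reach the server but never received a certificate, which is the case to investigate before pressing Ctrl+C.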


21 

When the PKI server has distributed a certificate to each requestor, enter Ctrl+C to stop the PKI server.

Note: The PKI server must continue to run until the installation of all products and NSP components that use the PKI server is complete. For example, if you are also installing the NFM-P, the PKI server must continue to run until the NFM-P configuration is complete.


22 

Close the console window.

End of steps