Hands-on lab – setting up a Dogtag CA

Dogtag PKI is much simpler to set up, and it has a nice web interface that OpenSSL doesn't have. It's available in the normal repositories of Debian/Ubuntu and CentOS, but under different package names. In the Debian/Ubuntu repositories, the package name is dogtag-pki. In the CentOS repositories, the name is pki-ca. (For some reason that I don't understand, you'll never see Red Hat folk use the "Dogtag" name.)

Before we install the Dogtag packages, we need to do a couple of simple chores:

  • Set a Fully Qualified Domain Name (FQDN) on the server
  • Either create a record in a local DNS server for the Dogtag server, or create an entry for it in its own /etc/hosts file

This procedure should theoretically work on either our Ubuntu or our CentOS virtual machines. But Dogtag relies on having a working Tomcat Java applet server, which I couldn't get to work properly on Ubuntu. So, we'll do this on a CentOS 7 machine instead. (At the time of writing, the Dogtag packages aren't yet in the CentOS 8 repositories.) To access the Dogtag dashboard, we'll use a second Linux VM with a desktop environment installed. With all this out of the way, let's get started:

  1. On a CentOS virtual machine, set a FQDN, substituting your own for the one that I'm using:
     sudo hostnamectl set-hostname donnie-ca.local
  2. Edit the /etc/hosts file to add a line like the following:
     192.168.0.53 donnie-ca.local

Use your virtual machine's own IP address and FQDN.

  3. Next, increase the number of file descriptors that your system can have open at one time. (Otherwise, you'll get a warning message when you run the directory server installer.) Do that by editing the /etc/security/limits.conf file. At the end of the file, add these two lines:
     root    hard    nofile    4096
     root    soft    nofile    4096
  4. Reboot the machine so that the new hostname and file descriptor limits can take effect.
  5. Dogtag stores its certificate and user information in an LDAP database. In this step, we'll install the LDAP server package, along with the Dogtag package. For CentOS 7, run this:
     sudo yum install 389-ds-base pki-ca
  6. Next, create an LDAP Directory Server (DS) instance. Accept the default values, except for when you're prompted to create a password. To start the process, use the following command:
     sudo setup-ds.pl
  7. Finally, it's time to create the CA:
     sudo pkispawn

Accept all the defaults until you get to the very end. When it asks Begin Installation?, type Yes. When you get to the DS part, enter the password that you used to create the DS instance in the previous step. Note that you'll be offered the choice to access the LDAP DS instance via a secure port. But since we're setting up LDAP and Dogtag on the same machine, this isn't necessary. Also, by choosing the 2. Typical setup option while running the setup script, you'll be creating a CA that uses a 2048-bit RSA key for its own authentication, as specified in the /etc/pki/default.cfg file. Although 384-bit EC keys are better, this is good enough for most use cases on an internal LAN.

  8. Next, enable dirsrv.target and pki-tomcatd.target so that they'll automatically start when you reboot the server:
     sudo systemctl enable dirsrv.target
     sudo systemctl enable pki-tomcatd.target
  9. You'll access the Dogtag web interface via port 8443/tcp. Open that port as follows:
     sudo firewall-cmd --permanent --add-port=8443/tcp
     sudo firewall-cmd --reload
  10. On another Linux virtual machine that has a desktop interface, edit the /etc/hosts file to add the same line that you added to the server's hosts file in step 2. Then, open the Firefox web browser on that machine and navigate to the Dogtag dashboard. In keeping with the example in this scenario, the URL would be as follows:
     https://donnie-ca.local:8443

You'll receive a warning about the certificate being invalid because it's self-signed. That's normal, because every CA has to start with a self-signed certificate, and you haven't yet imported this certificate into your trust store. Temporarily add the exception and continue. (In other words, clear the checkmark from the Add permanently box. You'll see why in the next lab.) Click through the links until you reach this screen:

  11. Click the SSL End Users Services link. This is where end users can request the various types of certificates. Click the back button to return to the previous screen. This time, click on the Agent Services link. You won't be able to go there because it requires you to install a certificate into your web browser for authentication.
  12. The certificate that you need to install is in the /root/.dogtag/pki-tomcat directory of your Dogtag VM. Copy this file to the VM on which you're using Firefox to access the Dogtag dashboard. Do the following:
     sudo su -
     cd /root/.dogtag/pki-tomcat
     scp ca_admin_cert.p12 [email protected]:
     exit

Of course, substitute your own username and IP address. Note that the file will automatically land in your own home directory on the destination VM, and that its ownership will change from root to your own username.

  13. On the VM with Firefox, import the certificate into Firefox. From the Firefox menu, choose Preferences, then Privacy and Security. At the very bottom of the screen, click on View Certificates. Click the Import button at the bottom. Navigate to your home directory and choose the certificate that you just sent over from the Dogtag server VM. Once the import operation is complete, you should see the PKI Administrator certificate in the list of imported certificates:

  14. Now try to access the Agent Services page. You'll be allowed access once you confirm that you want to use the certificate that you just imported.
  15. End of lab.
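As an added pre-flight check for steps 1 to 3 (my own script, not from the book or from Dogtag), the following POSIX shell functions verify that the hostname is a FQDN, that /etc/hosts maps the IP to it, and that the root nofile limits are high enough; the function names and the constructed sample file contents are assumptions, chosen to mirror the lab's values.

```shell
#!/bin/sh
# Added pre-flight checker for the lab's prerequisites (steps 1 to 3); this is
# my own script, not part of the book or of Dogtag. The checks take file
# contents as arguments so they can be run here against constructed samples;
# on a real server pass "$(hostname -f)", "$(cat /etc/hosts)" and
# "$(cat /etc/security/limits.conf)".

# A FQDN must contain a dot and no whitespace. pkispawn puts the hostname into
# the CA's certificate subject, so a bare hostname gives a name that never
# matches the https://<fqdn>:8443 URL you browse to later.
check_fqdn() {
    case "$1" in
        ""|*" "*) return 1 ;;
        *.*)      return 0 ;;
        *)        return 1 ;;
    esac
}

# Does an uncommented line in the hosts text ($3) map IP $1 to name $2?
check_hosts_entry() {
    printf '%s\n' "$3" | grep -v '^[[:space:]]*#' |
        awk -v ip="$1" -v fqdn="$2" '
            $1 == ip { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
            END { exit !found }'
}

# Are both the hard and the soft nofile limits for user $1 at least $2 in the
# limits.conf text $3? Only uncommented, well-formed lines count.
check_nofile_limits() {
    printf '%s\n' "$3" | grep -v '^[[:space:]]*#' |
        awk -v u="$1" -v min="$2" '
            $1 == u && $3 == "nofile" && $4 + 0 >= min + 0 { seen[$2] = 1 }
            END { exit !(seen["hard"] && seen["soft"]) }'
}

# Run all three checks; returns 0 only when the box is ready for pkispawn.
preflight() {
    check_fqdn "$1"                    || { echo "not a FQDN: $1" >&2; return 1; }
    check_hosts_entry "$2" "$1" "$3"   || { echo "no hosts entry for $2 $1" >&2; return 1; }
    check_nofile_limits root 4096 "$4" || { echo "root nofile limits below 4096" >&2; return 1; }
}

# Constructed sample file contents using the hostname and IP from the lab.
SAMPLE_HOSTS='127.0.0.1   localhost
# 192.168.0.53 old-ca.local
192.168.0.53 donnie-ca.local'
SAMPLE_LIMITS='root    hard    nofile    4096
root soft nofile 4096'
```

Run `preflight "$(hostname -f)" <your-ip> "$(cat /etc/hosts)" "$(cat /etc/security/limits.conf)"` after the reboot in step 4; a non-zero exit names the prerequisite that is still missing.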

When a user needs to request a certificate for their own use, they'll use openssl to create a key and a CSR, as I've already shown you earlier in this chapter. They'll then go to the SSL End User Services page and paste the contents of their CSR into the box for the certificate that they're requesting. An administrator will then go to the Agent Services page to approve the request and issue the certificate. (To help familiarize yourself with Dogtag, I encourage you to click around on the web interface, exploring all the options.)
