
Configuring on Unix Systems

Start and Stop the Service

The PKI Services Manager service starts automatically after installation. A script is installed, which you can use to start, stop, restart, and check the status of the service.

The following procedures use the installed pkid script. For additional options available using the pkid daemon, see PKI Services Manager Command Reference or refer to the man page: man pkid

To start the service

  • On Linux and Solaris: /etc/init.d/pkid start
  • On AIX: /etc/rc.d/init.d/pkid start

To stop the service

  • On Linux and Solaris: /etc/init.d/pkid stop
  • On AIX: /etc/rc.d/init.d/pkid stop

To check the service status

  • On Linux and Solaris: /etc/init.d/pkid status
  • On AIX: /etc/rc.d/init.d/pkid status

Configure PKI Services Manager

Installing the server on Unix automatically initializes the server and starts the service. However, before PKI Services Manager can validate certificates you need to customize the default configuration and map files. Use the following procedures to get started. Many additional variations are possible. For more information, see PKI Services Manager Configuration File Reference and PKI Services Manager Map File Reference.

To set up your configuration and map files

  1. Log in as root on the PKI Services Manager server.
  2. Install PKI Services Manager.
  3. Put a copy of the certificate (or certificates) you want to designate as a trust anchor into your certificate store. The default PKI Services Manager store is in the following location: /opt/microfocus/pkid/local-store
  4. Open the PKI Services Manager configuration file in a text editor. The default name and location is: /opt/microfocus/pkid/config/pki_config
  5. Use the TrustAnchor keyword to identify your trust anchor. For example:

    • TrustAnchor = trustedca.crt

    -or-

    • TrustAnchor = CN=SecureCA,O=Acme,C=US

    Note

    To configure multiple trust anchors, add additional TrustAnchor lines.

  6. Configure certificate revocation checking. For example:

    • To use CRLs stored on an LDAP server:
      RevocationCheckOrder = crlserver
      CRLServers=ldap://crlserver
    • To use an OCSP responder:
      RevocationCheckOrder = ocsp
      OCSPResponders = http://ocspresponder

    Note

    By default PKI Services Manager looks for CRLs in the local store. If you use this configuration, you need to copy the CRLs to your local store.

  7. If intermediate certificates are required by the chain of trust in your certificates, configure access to these certificates. For example:

    • To use intermediate certificates you have added to your local store: CertSearchOrder=local
    • To use certificates stored on an LDAP server: CertSearchOrder=certserver CertServers=ldap://ldapserver

  8. Save your changes to the configuration file.

  9. Open the PKI Services Manager map file in a text editor. The default name and location is: /opt/microfocus/pkid/config/pki_mapfile

  10. Add one or more rules to determine how the contents of a certificate determine which identities can authenticate with a valid certificate, and save your changes to the map file. For example:

    RuleType = user {root joe fred susan} UPN.host Equals "acme.com"

    RuleType = host {acme.com} Subject.CN Contains "acme"

    For more sample rules, see Sample PKI Services Manager Mapping Rules.

    Note

    After a certificate is determined to be valid, rules are processed in order (based on rule type then sequence). If the certificate meets the requirements defined in the conditional expression (or if the rule has no condition), the allowed identities specified in that rule are allowed to authenticate. No additional rules are applied after the first match.

  11. Test for valid PKI Services Manager configuration:

    /usr/local/sbin/pkid -k
    No errors. Configuration is valid:
    
  12. Restart PKI Services Manager:

    /usr/local/sbin/pkid restart

Save, Reload, and Restart

The following settings require a restart:

  • EnforceDODPKIMode
  • FipsMode
  • KeyFilePath
  • ListenAddress
  • LogFacility
  • MaxLogFiles

All other settings changes require a reload.

To reload modified settings

/usr/local/sbin/pkid reload

Note

Reloading the configuration also clears the internal in-memory caches used for downloading certificates and CRLs. Although certificate and CRL lifetimes are honored by the cache, it might be necessary to clear these manually if a certificate or CRL has been updated at its source before it has expired.

To restart the service

/etc/init.d/pkid restart
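The script below is an added example written for this page; it is not part of PKI Services Manager or its documentation. It covers two points from the procedures above: a pre-flight check that catches the usual omissions in pki_config (a TrustAnchor file that is not in the local store, a crlserver/ocsp/certserver method named without its server list) before you run pkid -k in step 11, and a helper that decides from the restart-only keyword list whether an edited file needs pkid reload or pkid restart. It assumes the "Keyword = value" line format shown in the procedure, that "#" starts a comment, and that a TrustAnchor value containing no "=" names a file in the local store; the product's exact configuration grammar may differ.

```sh
#!/bin/sh
# Added example, not part of PKI Services Manager or its documentation.
# cfg_preflight: sanity-check a pki_config before "pkid -k" (step 11).
# pkid_apply_action: decide "none", "reload" or "restart" for an edit, from
# the list of restart-only keywords given in the documentation.
# Assumptions: "Keyword = value" lines, "#" comments, and a TrustAnchor value
# without "=" naming a file in the local store (a value with "=" is a DN).

# cfg_get FILE [KEYWORD]: print "Keyword=value" for every setting line
# (trimmed), or only the values of KEYWORD when one is given.
cfg_get() {
    awk -v key="${2:-}" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (key == "") print k "=" v; else if (k == key) print v
        }' "$1"
}

# cfg_preflight CONFIG STORE_DIR: print each problem found; return 1 if any.
cfg_preflight() {
    cfg="$1"; store="$2"; problems=0
    problem() { echo "problem: $1"; problems=$((problems + 1)); }

    anchors=$(cfg_get "$cfg" TrustAnchor)
    [ -n "$anchors" ] || problem "no TrustAnchor configured"

    # File-style anchors must actually be present in the local store.
    old_ifs=$IFS; IFS='
'
    for a in $anchors; do
        case "$a" in
            *=*) ;;   # DN form such as CN=SecureCA,O=Acme,C=US: nothing to check locally
            *) [ -f "$store/$a" ] || problem "TrustAnchor file not in store: $a" ;;
        esac
    done
    IFS=$old_ifs

    # Each lookup method named in an ...Order keyword needs its server list.
    order=$(cfg_get "$cfg" RevocationCheckOrder)
    case "$order" in *crlserver*)
        [ -n "$(cfg_get "$cfg" CRLServers)" ] || problem "crlserver requires CRLServers" ;;
    esac
    case "$order" in *ocsp*)
        [ -n "$(cfg_get "$cfg" OCSPResponders)" ] || problem "ocsp requires OCSPResponders" ;;
    esac
    case "$(cfg_get "$cfg" CertSearchOrder)" in *certserver*)
        [ -n "$(cfg_get "$cfg" CertServers)" ] || problem "certserver requires CertServers" ;;
    esac
    [ "$problems" -eq 0 ]
}

# Settings the documentation lists as taking effect only after a restart.
RESTART_KEYWORDS="EnforceDODPKIMode FipsMode KeyFilePath ListenAddress LogFacility MaxLogFiles"

# pkid_apply_action OLD_CONFIG NEW_CONFIG: print "none", "reload" or "restart".
pkid_apply_action() {
    if [ "$(cfg_get "$1")" = "$(cfg_get "$2")" ]; then echo none; return; fi
    for kw in $RESTART_KEYWORDS; do
        if [ "$(cfg_get "$1" "$kw")" != "$(cfg_get "$2" "$kw")" ]; then
            echo restart; return
        fi
    done
    echo reload
}

# Demonstration with constructed files in a temporary directory.
demo=$(mktemp -d); mkdir -p "$demo/local-store"; : > "$demo/local-store/trustedca.crt"
cat > "$demo/pki_config" <<'EOF'
TrustAnchor = trustedca.crt
RevocationCheckOrder = crlserver
CRLServers = ldap://crlserver
CertSearchOrder = local
EOF
# The edit switches to an LDAP certificate server but forgets CertServers.
sed 's/^CertSearchOrder = local$/CertSearchOrder = certserver/' "$demo/pki_config" > "$demo/pki_config.new"
cfg_preflight "$demo/pki_config.new" "$demo/local-store" || echo "fix these before running: /usr/local/sbin/pkid -k"
echo "action for the edit: $(pkid_apply_action "$demo/pki_config" "$demo/pki_config.new")"   # reload
rm -rf "$demo"
```

The pre-flight check is deliberately conservative: it only reports omissions that pkid -k would otherwise have to tell you about, and it never edits the file. Because the check and the reload/restart decision share the same line parser, any keyword it does not recognise is simply compared verbatim, so a change to a keyword outside the restart list always yields reload, which is the documented default for all other settings.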

Check Validity and Mapping on UNIX

You can test whether a user or server certificate is valid and determine which identities are allowed to authenticate with that certificate. To be valid, a certificate must be signed by a trusted CA (one that is a member of a chain of trust that extends to a trust anchor that you have configured) and it must pass all other validation checks (for example, it must not be expired or revoked and all required intermediate certificates must be available).

Tip

The certificate validation test applies only to end-entity certificates, not CA certificates. Valid CA-signed root and intermediate certificates will not pass the validation test.

To test certificates

Use the pki-val command to test certificates. Refer to these examples:

  • Check if the certificate test.crt is valid - pki-val /path/test.crt
  • Check if the certificate is valid and if the server abc.com can authenticate with test.crt - pki-val /path/test.crt -t abc.com
  • Check if the certificate is valid and if the user joe can authenticate with test.crt - pki-val /path/test.crt -u joe
  • See which identities can authenticate with test.crt - pki-val /path/test.crt -w

More information

  • Certificate Attribute Requirements Enforced by PKI Services Manager