Configure the Entrust Certificate Authority
Establish a preload session
The OCS or the Softcard must be preloaded to configure the Certificate Authority.
- Create an empty file within folder /opt/nfast/, for example /opt/nfast/entrustsmtoken. This is the token file. Restrict access permissions to the token file to authorized persons; otherwise it presents a security risk.
- Edit the file /opt/nfast/cknfastrc and add the environment variable pointing to the location of the file created above. In addition, add the other variables shown below. The PKCS #11 log variables are optional.

  # cat /opt/nfast/cknfastrc
  # Softcard
  CKNFAST_LOADSHARING=1
  # Other variables
  CKNFAST_NO_UNWRAP=1
  CKNFAST_FAKE_ACCELERATOR_LOGIN=1
  CKNFAST_NO_ACCELERATOR_SLOTS=1
  CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none
  # Preload file location
  NFAST_NFKM_TOKENSFILE=/opt/nfast/entrustsmtoken
  # PKCS #11 log level and file location
  CKNFAST_DEBUG=10
  CKNFAST_DEBUGFILE=/opt/nfast/log/pkcs11.log

  When you are using nShield with ePassport CVCA, add the variable CKNFAST_ASSUME_SINGLE_PROCESS=0. If ePassport Document Verifier Certificate requests are canceled, this setting ensures that the associated physical key is deleted in the HSM. For information on environment variables, see the User Guide for the HSM.
- Restart the hardserver:

  # /opt/nfast/sbin/init.d-ncipher restart

- Open a separate command window and preload the Card Set:
  - The preload -c command for OCS.
  - The preload -s command for Softcard.

  Do not close this window throughout the Entrust Certificate Authority configuration. Otherwise the configuration will fail.

  # preload -<c/s> <OCS/Softcard> -f <location of file above> pause

  Present the OCS cards and passphrase when prompted. For example:

  # preload -c testOCS -f /opt/nfast/entrustsmtoken pause
  2023-02-15 16:21:16: [250942]: INFO: Preload running with: -c testOCS -f /opt/nfast/entrustsmtoken pause
  2023-02-15 16:21:16: [250942]: INFO: Created a (new) connection to Hardserver
  2023-02-15 16:21:16: [250942]: INFO: Modules newly usable: [1].
  2023-02-15 16:21:16: [250942]: INFO: Found a change in the system: an update pass is needed.
  2023-02-15 16:21:16: [250942]: INFO: Loading cardset: testOCS in modules: [1]
  Loading `testOCS':
   Module 1 slot 0: Admin Card #1
   Module 1 slot 2: empty
   Module 1 slot 3: empty
   Module 1 slot 4: empty
   Module 1 slot 5: empty
   Module 1 slot 2: `testOCS' #1
   Module 1 slot 2:- passphrase supplied - reading card
  Card reading complete.
  2023-02-15 16:22:01: [250942]: INFO: Stored Admin key: kfips (4c0b...) in module #1
  2023-02-15 16:22:01: [250942]: INFO: Loading cardset: Cardset: testOCS (a165...) in module: 1
  2023-02-15 16:22:01: [250942]: INFO: Stored Cardset: testOCS (a165...) in module #1
  2023-02-15 16:22:01: [250942]: INFO: Maintaining the cardset testOCS protected key(s)=[].
  2023-02-15 16:22:01: [250942]: INFO: Loading complete. Now pausing...

  If non-persistent cards are used, then the last card in the quorum must remain inserted in the card reader. If persistent cards are used, then the last card in the quorum can be removed from the card reader.
- Confirm the OCS or Softcard has been preloaded by running the following command back on the main window:

  # preload -<c/s> <OCS/Softcard> -f <location of file above> nfkminfo

  For example:

  # preload -c testOCS -f /opt/nfast/entrustsmtoken nfkminfo
  2023-10-17 16:48:09: [201880]: INFO: Preload running with: -c testOCS -f /opt/nfast/entrustsmtoken nfkminfo
  2023-10-17 16:48:09: [201880]: INFO: Created a (new) connection to Hardserver
  2023-10-17 16:48:09: [201880]: INFO: Modules newly usable: [1].
  2023-10-17 16:48:09: [201880]: INFO: Found a change in the system: an update pass is needed.
  2023-10-17 16:48:10: [201880]: INFO: Maintaining the cardset testOCS protected key(s)=[].
  2023-10-17 16:48:10: [201880]: INFO: Loading complete. Executing subprocess nfkminfo
  World
   generation  2
   state       0x373f000c Initialised Usable Recovery !PINRecovery ExistingClient RTC NVRAM FTO AlwaysUseStrongPrimes !DisablePKCS1Padding !PpStrengthCheck !AuditLogging SEEDebug AdminAuthRequired
  ...
  Pre-Loaded Objects ( 2): objecthash                               module objectid   generation
   edb3d45a28e5a6b22b033684ce589d9e198272c2      1 0x80a93202          1
   003e04e3c07fb5791f651c992da5527779159f87      1 0x80a93201          1
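The procedure above relies on two files: cknfastrc, which tells the PKCS #11 library where the preload token file is, and the token file itself, which the text says must be restricted to authorized persons. The following Python script is an added example, not tooling from Entrust or the nShield software: it parses a cknfastrc (KEY=VALUE lines with # comments, as shown above), reports variables that are missing or differ from the values the procedure sets, and classifies the token file's permission bits so that a group- or world-accessible token file is flagged. The sample cknfastrc is constructed inline so the script runs offline; audit_path() performs the same checks against a real file on disk.

```python
"""Audit the nShield PKCS #11 preload setup: cknfastrc contents and token file mode.

Added example; not Entrust's or nCipher's own tooling.
"""
import os
import stat

# Variables the procedure sets, with the values shown in the documentation.
EXPECTED = {
    "CKNFAST_LOADSHARING": "1",
    "CKNFAST_NO_UNWRAP": "1",
    "CKNFAST_FAKE_ACCELERATOR_LOGIN": "1",
    "CKNFAST_NO_ACCELERATOR_SLOTS": "1",
    "CKNFAST_OVERRIDE_SECURITY_ASSURANCES": "none",
}


def parse_cknfastrc(text):
    """Return a dict of KEY -> VALUE from cknfastrc text, ignoring comments and blank lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def check_settings(settings):
    """Return findings about variables that are missing or differ from EXPECTED."""
    findings = []
    for key, want in EXPECTED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"missing {key}={want}")
        elif got != want:
            findings.append(f"{key} is {got!r}, expected {want!r}")
    if "NFAST_NFKM_TOKENSFILE" not in settings:
        findings.append("missing NFAST_NFKM_TOKENSFILE (preload token file)")
    return findings


def check_token_file_mode(mode):
    """Classify a token file's permission bits; any group or other access is a finding."""
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        findings.append("token file is accessible by its group")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("token file is accessible by all users")
    return findings


def audit(rc_text, token_mode):
    """Run both checks on in-memory rc text and a given token file mode (for offline use)."""
    return check_settings(parse_cknfastrc(rc_text)) + check_token_file_mode(token_mode)


def audit_path(rc_path):
    """Audit a real cknfastrc on disk, reading the token file's mode with os.stat()."""
    with open(rc_path) as fh:
        settings = parse_cknfastrc(fh.read())
    findings = check_settings(settings)
    token = settings.get("NFAST_NFKM_TOKENSFILE")
    if token:
        try:
            findings += check_token_file_mode(os.stat(token).st_mode)
        except FileNotFoundError:
            findings.append(f"token file {token} does not exist; create it before preloading")
    return findings


# Constructed sample mirroring the cknfastrc shown in the procedure above.
SAMPLE_RC = """\
# Softcard
CKNFAST_LOADSHARING=1
# Other variables
CKNFAST_NO_UNWRAP=1
CKNFAST_FAKE_ACCELERATOR_LOGIN=1
CKNFAST_NO_ACCELERATOR_SLOTS=1
CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none
# Preload file location
NFAST_NFKM_TOKENSFILE=/opt/nfast/entrustsmtoken
# PKCS #11 log level and file location
CKNFAST_DEBUG=10
CKNFAST_DEBUGFILE=/opt/nfast/log/pkcs11.log
"""

if __name__ == "__main__":
    # Offline demonstration: a 0600 token file is clean, a 0644 one is reported.
    print("mode 0600:", audit(SAMPLE_RC, 0o600) or "no findings")
    print("mode 0644:", audit(SAMPLE_RC, 0o644))
```

Run it as root on the CA host with audit_path("/opt/nfast/cknfastrc") after the preload session is established; an empty list means the variables match the procedure and only the owner can read the token file.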
nShield Edge pre-configuration
The nShield Edge exhibits slower service startup times with respect to operations, which is to be expected.
If you are using an nShield Edge device, you must adjust the .ini file settings for Certificate Authority. This enables a sufficient timeout duration for the system to initialize properly:
- Navigate to the ini directory. By default, this is /opt/entrust/authority/etc/ini/entMgr.ini.
- Edit the entMgr.ini file, locate the [login] section, and add the following settings:

  serviceStartStopWaitSeconds=3600
  clusterStartWaitSeconds=1800
  clusterStopWaitSeconds=300
For more information regarding these settings, refer to Certificate Authority 10.0 Configuration File Management Guide Issue 5.0, which is available on the Entrust TrustedCare Portal.
Configure the Entrust Certificate Authority
The Entrust Certificate Authority configuration is an interactive process to choose certificate algorithms, lifetimes, and other options for your Certification Authority.
- Preload the OCS or Softcard as described in Establish a preload session if you have not yet done so.
- Install the OpenLDAP client if you have not yet done so.
- Make the PKCS #11 cryptographic library executable by all:

  # chmod +x /opt/nfast/toolkits/pkcs11/libcknfast.so

- Give all permissions to the kmdata/local folder:

  # chmod 777 /opt/nfast/kmdata/local

- If logging PKCS #11 as defined in /opt/nfast/cknfastrc, create the following file:

  # sudo touch /opt/nfast/log/pkcs11.log
  # sudo chmod 777 /opt/nfast/log/pkcs11.log

- Test access to the directory service from the Certificate Authority server:

  # ldapsearch -x -H ldap://<Name_or_IP> -D "cn=EntrustAdmin,ou=CAentry,dc=entrustsm,dc=local" -b "cn=EntrustAdmin,ou=CAentry,dc=entrustsm,dc=local" -s sub -W

- Make sure you are the root user:

  # su

- Navigate to the Certificate Authority's bin directory:

  # cd /opt/entrust/certificate_authority/bin

- Invoke the configuration shell script. Enter the information required when prompted, as described in the table below. If you make a typo, continue; it can be corrected towards the end or by editing /opt/entrust/authdata/CA/manager/entmgr.ini before committing. If the configuration fails after all, do as described in Certificate Authority configuration fails.

  # ./config_authority.sh
| Prompt | Value |
| --- | --- |
| Enter the required database deployment model. | embedded |
| Enter the installation directory for Certificate Authority CA data (authdata) | Press Enter to accept the default value |
| Enter the full path of the CA data directory | Press Enter to accept the default value |
| Enter the Enterprise licensing information that appears on your Entrust licensing card | Enter Serial Number, Enterprise User Limit, and Enterprise Licensing Code |
| Enter the Web licensing information that appears on your Entrust licensing card | Enter Web Serial Number, Web User Limit, and Web Licensing Code |
| Enter the CVCA licensing information for domestic DVs that appears on your Entrust licensing card | Enter the Domestic DV Serial Number or press Enter |
| Enter the CVCA licensing information for foreign DVs that appears on your Entrust licensing card. | Enter the Foreign DV Serial Number or press Enter |
| Enter the DV licensing information for Inspection Systems that appears on your Entrust licensing card | Enter the IS Serial Number or press Enter |
| Enter the type of Directory service | LDAP Directory (default) |
| Enter the hostname or IP address of the machine that is hosting your Directory service | Enter hostname or IP |
| Enter the Directory TCP port number | 389 (default) |
| Enter the distinguished name (DN) of your Certification Authority (CA) | ou=CAentry,dc=entrustsm,dc=local |
| Enter the password for this Certification Authority (CA). | Enter password |
| Enter the full DN for the First Officer | cn=FirstOfficer,ou=CAentry,dc=entrustsm,dc=local |
| Enter the distinguished name (DN) of the Directory Administrator | cn=EntrustAdmin,ou=CAentry,dc=entrustsm,dc=local |
| Enter the password for the Directory Administrator | Enter password |
| Please enter the TCP ports for the Certificate Authority communications protocols | Press Enter to accept all defaults: Entrust Proto-PKIX (PKIX) port [709], Entrust Administration Protocol (ASH) port [710], Certificate Management Protocol (PKIX-CMP) port [829], and Entrust XML Administration Protocol (XAP) port [443] |
| Is this a Country Signing CA (CSCA) (y/n) ? [n] | n (default) |
| Are you using a hardware device for the CA keys (y/n) ? [n] | y |
| Enter the pathname for the CryptokiLibrary | /opt/nfast/toolkits/pkcs11/libcknfast.so |
| Choose one of: | nCipher Corp. Ltd SN : … |
| Enter the type of key that Certificate Authority will use for signing operations | RSA (default) |
| Please select RSA type and corresponding key length you wish to use | RSA-2048 (default) |
| Enter the algorithm that Certificate Authority will use for signing operations | RSA-SHA256 (default) |
| Enter the type of key pair that will be used for user signing and nonrepudiation keys | RSA (default) |
| Please select RSA type and corresponding key length you wish to use | RSA-2048 (default) |
| Enter the type of key pair that will be used for user encryption and dual usage key pairs | RSA (default) |
| Please select RSA type and corresponding key length you wish to use | RSA-2048 (default) |
| Do you wish to work with Microsoft ® Windows ® applications (y/n) ? [n] | n (default) |
| Enter CDP URL data now (y/n) ? [y] | n |
| Enter the password for the database user (easm_entrust) for Certificate Authority | Enter password |
| Enter the password for the database backup user (easm_entbackup) for Certificate Authority | Enter password |
| Enter the algorithm that will be used for database encryption | AES-CBC-256 (default) |
| Choose the type of CA you wish to configure | Root CA (default) |
| Is this Root CA a Single Point of Contact (SPOC) CA (y/n) ? [n] | n (default) |
| Enter the CA certificate lifetime in months (2-3000) | 120 (default) |
| Enter the CA private key usage period (20.0000-100.0000) | 100 (default) |
| Enter the policy certificate lifetime in days (1-3650). | 30 (default) |
| Do you want to enable automatic login (y/n) ? [n] | y |
| Enter section number to review, or enter 'yes' to finish | Enter the number of the item to change; otherwise enter yes |
| Would you like to verify the Directory information (y/n) ? [y] | y (default) |
| Enter the full path of your customized certificate specifications file, or press Enter to use the default | Press Enter to accept the default value |
| Would you like to perform the first time initialization and start the CA now? | Initialize CA using Certificate Authority Control Command Shell |
| Enter password for CA hardware security module (HSM): | Enter the OCS or Softcard passphrase |
| Enter new password for Master1, Master2, Master3, and First Officer | Enter password |
The following example shows the interactive session of running the shell script.
[Master1@entrust-sm-linux bin]$ ./config_authority.sh
================================================================================
Entrust Certificate Authority 10.1.1 Configuration
================================================================================
Entrust Certificate Authority Configuration log file: /root/log/config_authority.10.1.1.log
================================================================================
OS group name
================================================================================
Entrust Certificate Authority requires that the authdata directory (which
contains CA data) be owned by a dedicated OS group. Please enter the name of
this OS group now. If you have not created the OS group yet, it will be created
at this time.
[eca] >
Looking for OS group [eca]...
OS group [eca] found.
================================================================================
OS user name
================================================================================
Entrust Certificate Authority requires that the authdata directory (which
contains CA data) be owned by a dedicated OS user. Please enter the name of
this OS user now. If you have not created the OS user yet, it will be created
at this time.
[eca] >
Looking for OS user [eca]...
OS user [eca] found.
================================================================================
easm_entrust_pg group check
================================================================================
Checking for OS user [eca] in OS group [easm_entrust_pg]...
OS user [eca] is in OS group [easm_entrust_pg].
================================================================================
/opt/entrust permission check
================================================================================
Checking /opt/entrust permissions for OS user [eca]...
/opt/entrust writable by OS user [eca].
================================================================================
Main configuration
================================================================================
Entrust Certificate Authority Configuration log file: /var/tmp/config_authority.10.1.1.log
This program will ask you for the information necessary to initialize an
Entrust Certification Authority. At the end of the questionnaire, you will
have the opportunity to review the information, make changes, and verify that
the Directory configuration is correct before commencing with the
initialization of the Certification Authority.
Press <Enter> when you are ready to continue.
We have set your environment locale to en_US.iso885915. Please ensure that your
terminal is appropriately configured, and press <Enter> to continue. Note that
your environment locale will revert to its original setting once this script is
complete.
SM_Configure: Found PG Installation - /home/easm_entrust_pg/.pg_installrc.
SM_Configure: Found PG Settings - PGDATA=/var/pgsql/eca_pg_data/15,
PGWAL=/var/pgsql/eca_pg_wal/15, PGDIR=/opt/entrust/easm_postgresql_15.
Detected an existing installation of Entrust Certificate Authority PostgreSQL
Database on this host.
Enter the desired database deployment model.
Select one of the following:
1. embedded
2. customer-supplied
> 1
Checking existing PG version...
You have PostgreSQL database version 11.7 installed.
================================================================================
Authdata Directory
================================================================================
By default, the Certificate Authority CA authdata directory will be
'/opt/entrust/authdata'. You may select a different authdata directory. If the
selected directory is not '/opt/entrust/authdata', a symbolic link
'/opt/entrust/authdata' that points to the selected authdata directory will be
created.
Enter the installation directory for Certificate Authority CA data (authdata).
[/opt/entrust/authdata]
================================================================================
CA Data Directory
================================================================================
Checking for existing CA data directory...
Creating CA data directory...
The CA data directory is for storing CA related data. By default, the CA data
directory will be created as '/opt/entrust/authdata/CA'.
Enter the full path of the CA data directory.
[/opt/entrust/authdata/CA] >
Created the CA data directory /opt/entrust/authdata/CA.
Preparing subdirectories in '/opt/entrust/authdata/CA'...
Updating /home/easm_entrust_pg/sm_pg.sh...
================================================================================
Licensing Information
================================================================================
Enter the Enterprise licensing information that appears on your Entrust
licensing card.
Serial Number: xxxxxxxx
Enterprise User Limit: xxxxxxxx
Enterprise Licensing Code: xxxxxxxx
Enter the Web licensing information that appears on your Entrust licensing
card. This is optional at this time. The information may be added at a later
date through Certificate Authority Administration.
Web Serial Number: xxxxxxxx
Web User Limit: xxxxxxxx
Web Licensing Code: xxxxxxxx
Enter the CVCA licensing information for domestic DVs that appears on your
Entrust licensing card. This is optional at this time. The information may be
added at a later date by modifying the entmgr.ini file.
Domestic DV Serial Number:
Enter the CVCA licensing information for foreign DVs that appears on your
Entrust licensing card. This is optional at this time. The information may be
added at a later date by modifying the entmgr.ini file.
Foreign DV Serial Number:
Enter the DV licensing information for Inspection Systems that appears on your
Entrust licensing card. This is optional at this time. The information may be
added at a later date by modifying the entmgr.ini file.
IS Serial Number:
================================================================================
Directory Communications
================================================================================
Enter the type of Directory service.
Select one of the following:
1. LDAP Directory
2. Microsoft (R) Active Directory (R)
3. Microsoft Active Directory Lightweight Directory Services
[1] >
Enter the hostname or IP address of the machine that is hosting your Directory
service.
[entrust-sm-linux] > 10.194.148.84
Enter the Directory TCP port number.
[389] >
================================================================================
CA Distinguished Names (DNs)
================================================================================
IMPORTANT: The countryName (c) attribute for all distinguished names (DNs) will
be converted to uppercase by Certificate Authority according to ISO/IEC 3166
regardless of the case entered now or the case in the Directory.
Enter the distinguished name (DN) of your Certification Authority (CA) entry in
your Directory. If there isn't already a CA DN entry in the Directory, exit
this program and create one. Enter the CA DN exactly as it appears in the
Directory.
[o=Your Company,c=US] > ou=CAentry,dc=entrustsm,dc=local
Enter the password for this Certification Authority (CA). Use the same password
that was added when the CA's DN entry in the Directory was created. This
password allows Certificate Authority to write certificate information to the
Directory.
>
Enter the full DN for the First Officer.
[cn=First Officer,ou=CAentry,dc=entrustsm,dc=local] > cn=FirstOfficer,ou=CAentry,dc=entrustsm,dc=local
================================================================================
Directory Administrator
================================================================================
Enter the distinguished name (DN) of the Directory Administrator. Security
Manager Administration requires this to log in to the Directory in order to
perform maintenance tasks such as adding and removing users.
The Directory Administrator's DN may look something like this:
cn=diradm or
cn=DirectoryAdministrator,ou=CAentry,dc=entrustsm,dc=local
[cn=diradm] > cn=EntrustAdmin,ou=CAentry,dc=entrustsm,dc=local
Enter the password for the Directory Administrator. Use the same password that
was used when the Directory Administrator was created.
>
================================================================================
TCP Communication Ports
================================================================================
Please enter the TCP ports for the Certificate Authority communications protocols.
Entrust Proto-PKIX (PKIX) port [709] :
Entrust Administration Protocol (ASH) port [710] :
Certificate Management Protocol (PKIX-CMP) port [829] :
Entrust XML Administration Protocol (XAP) port [443] :
================================================================================
CSCA Configuration
================================================================================
Is this a Country Signing CA (CSCA) (y/n) ? [n]
================================================================================
Algorithms
================================================================================
Are you using a hardware device for the CA keys (y/n) ? [n] y
Enter the pathname for the CryptokiLibrary.
> /opt/nfast/toolkits/pkcs11/libcknfast.so
Choose one of:
1. nCipher Corp. Ltd SN : 612e2474f2bad82d SLOT : 761406613
> 1
Enter the type of key that Certificate Authority will use for signing operations.
Select one of the following:
1. RSA
2. DSA
3. EC
[1] >
Please select RSA type and corresponding key length you wish to use.
Select one of the following:
1. RSA-1024
2. RSA-2048
3. RSA-3072
4. RSA-4096
5. RSA-6144
[2] >
Enter the algorithm that Certificate Authority will use for signing operations.
Select one of the following:
1. RSA-SHA1
2. RSA-SHA224
3. RSA-SHA256
4. RSA-SHA384
5. RSA-SHA512
6. RSAPSS-SHA1
7. RSAPSS-SHA224
8. RSAPSS-SHA256
9. RSAPSS-SHA384
10. RSAPSS-SHA512
[3] >
Enter the type of key pair that will be used for user signing and
nonrepudiation keys.
Select one of the following:
1. RSA
2. DSA
3. EC
[1] >
Please select RSA type and corresponding key length you wish to use.
Select one of the following:
1. RSA-1024
2. RSA-2048
3. RSA-3072
4. RSA-4096
5. RSA-6144
[2] >
Enter the type of key pair that will be used for user encryption and dual usage
key pairs.
Select one of the following:
1. RSA
2. EC
[1] >
Please select RSA type and corresponding key length you wish to use.
Select one of the following:
1. RSA-1024
2. RSA-2048
3. RSA-3072
4. RSA-4096
5. RSA-6144
[2] >
================================================================================
Compatibility With Microsoft (R) Windows (R) Applications
================================================================================
If you choose to work with Microsoft (R) Windows (R) applications, this will
affect how Certificate Revocation Lists (CRLs) are issued after CA key update
and how the CRL Distribution Point (CDP) appears in certificates.
In addition, there are other settings that you must manually configure. For
more information consult the Certificate Authority documentation and white papers.
Do you wish to work with Microsoft (R) Windows (R) applications (y/n) ? [n]
================================================================================
CRL Distribution Points (CDP) and Combined CRL
================================================================================
The default CDP (cRLDistributionPoints) extension URL names can be defined now
or later by editing entmgr.ini.
Enter CDP URL data now (y/n) ? [y] n
================================================================================
Database Parameters
================================================================================
Creating ODBC inifile '/opt/entrust/authdata/CA/.odbc.ini'...
Checking PostgreSQL server status ... Server is running.
Enter the password for the database user (easm_entrust) for Certificate Authority.
>
easm_entrust: Successfully connected to PostgreSQL.
The Entrust schema does not exist. Certificate Authority Configuration will now
apply the Entrust schema.
Applying and configuring full DB structure...
easm_entrust: Successfully applied initial DB structure.
easm_entrust: Successfully configured DB structure.
Enter the password for the database backup user (easm_entbackup) for Security
Manager.
>
easm_entbackup: Successfully connected to the database.
Enter the algorithm that will be used for database encryption.
Select one of the following:
1. AES-CBC-128
2. AES-CBC-256
3. AES-GCM-128
4. AES-GCM-256
5. TRIPLEDES-CBC-192
[2] >
================================================================================
CA Parameters
================================================================================
A hierarchy of CAs comprises several CAs linked into a tree structure. There is
a single CA which unites the tree into a single structure. This CA is the "Root
CA". A CA which does not participate in a hierarchy is also referred to as a
"Root CA" since it may have subordinates at some time in the future. Any other
CA in the hierarchy is called a "Subordinate CA".
Choose the type of CA you wish to configure.
Select one of the following:
1. Root CA
2. Subordinate CA
[1] >
Is this Root CA a Single Point of Contact (SPOC) CA (y/n) ? [n]
Enter the CA certificate lifetime in months (2-3000) or to Dec 30 2999 23:59:59
UTC, whichever is shorter.
[120] >
Enter the CA private key usage period (20.0000-100.0000).
[100] >
================================================================================
Policy Certificate Lifetime
================================================================================
Enter the policy certificate lifetime in days (1-3650).
[30] >
1
================================================================================
Automatic Login
================================================================================
Automatic login enables service startup without entering a password. It also
allows some Certificate Authority Control Command Shell commands to be run without a
password.
Do you want to enable automatic login (y/n) ? [n] y
================================================================================
Certificate Authority 10.0.31 Configuration Review
================================================================================
1. Directory Comms: 10.194.148.84+389, LDAPv3, Binary
2. CA DNs, CRLs: ou=CAentry,dc=entrustsm,dc=local;
cn=FirstOfficer,ou=CAentry,dc=entrustsm,dc=local
3. Dir Admin: cn=EntrustAdmin,ou=CAentry,dc=entrustsm,dc=local
4. Country Signing CA (CSCA)
CSCA: no
5. Algorithms:
CA Keys:
Signing: RSA-2048 (hardware)
SignatureAlg: RSA-SHA256
User Keys:
Encryption: RSA-2048
Signing: RSA-2048
6. Certificate Authority TCP ports:
PKIX-CMP: 829 Entrust-proto-PKIX: 709
Admin: 710 XAP: 443
7. CA parameters:
Type: Root
CA Cert Lifetime: 120 (months)
CA Key Usage Period: 100 %
8. Clients: Does not work with Microsoft (R)
Windows (R) applications
9. CDP (cRLDistributionPoints extension), Combined CRL:
Combined CRL: Enabled
No CDPs have been defined
10. Database parameters:
Hostname/IP address: localhost
Port: 5432
Database name: easm_DB
Database user: easm_entrust
Encryption: AES-CBC-256
11. Policy certificate: Lifetime: 30 (days)
12. Licensing Information
Enterprise Serial Number: entrust
Enterprise User Limit: 5000
Enterprise Licensing Code: JWIP3QAS
Web Serial Number: entrust
Web User Limit: 5000
Web Licensing Code: UNTZUKR7
13. Autologin for services and commands:
Autologin: Enabled
Enter section number to review, or enter 'yes' to finish.
[yes] > yes
Created file: /opt/entrust/authdata/CA/manager/entmgr.ini
Created file: /opt/entrust/authdata/CA/manager/initial.certspec
Created file: /opt/entrust/authdata/CA/optional/client_entrust.ini
Created file: /opt/entrust/authdata/CA/manager/entrust.ini
Created file: /opt/entrust/authdata/CA/manager/entDvt.ini
Created file: /opt/entrust/authdata/CA/env_settings.sh
Created file: /opt/entrust/authdata/CA/env_settings.csh
Created file: /opt/entrust/authdata/CA/optional/entrustra.ini
Most configuration problems arise from incorrect Directory settings. It is
recommended that you verify that Certificate Authority can use the Directory
information that you have entered up to this point. If you would like to verify
the Directory information, first ensure that the Directory is running.
Would you like to verify the Directory information (y/n) ? [y]
Starting the Directory Verification Test...
Initializing test program...
Testing directory configuration...
Performing LDAP v3 Test.
This test may take up to 1 minute to complete.
Performing Client Test.
Performing CA Credentials Test.
Performing Diradmin Credentials Test.
Performing CA Entry Schema Test.
Performing CA Entry CA Certificate Test.
Performing CA Entry CRL Test.
Performing CA Entry Cross-Certificate Pair Test.
Performing CA Entry Policy Certificate Test.
Performing CRL Distribution Point Test.
Performing Policy Certificate Distribution Point Test.
Performing First Officer Test.
Performing ASH Entry Test.
Performing Diradmin Test.
Performing Multi-Attribute RDN Test.
Directory testing complete with no notes or errors detected.
Checking PostgreSQL server status ... Server is running.
Stopping PostgreSQL Database server...
Server stopped.
Starting PostgreSQL Database server...
PostgreSQL Database server started.
If you want to use a customized certificate specifications file instead of the
default certificate specifications file, you can provide the full path to the
customized file. The default certificate specifications file at
'/opt/entrust/authdata/CA/manager/initial.certspec' will be renamed to
'initial.certspec.default', and 'initial.certspec' will be a copy of your
customized file.
Enter the full path of your customized certificate specifications file, or
press Enter to use the default.
>
Would you like to perform the first time initialization and start the CA now?
If you need to customize any settings in entmgr.ini or initial.certspec, you
should exit now and follow the procedures in the documentation.
Select one of the following:
1. Initialize CA using Certificate Authority Control Command Shell
2. Exit (do not initialize the CA now)
> 1
executing /opt/entrust/authority/bin/entsh -e "source
"/opt/entrust/authdata/CA/FirstTimeInit.tcl""
Starting first time initialization...
A Hardware Security Module (HSM) will be used for the CA key:
nCipher Corp. Ltd SN : 612e2474f2bad82d
The HSM requires a password.
Enter password for CA hardware security module (HSM):
Enter new password for Master1:
Confirm new password for Master1:
Enter new password for Master2:
Confirm new password for Master2:
Enter new password for Master3:
Confirm new password for Master3:
Enter new password for First Officer:
Confirm new password for First Officer:
Initialization starting; creating ca keys...
Initialization complete.
Starting the services...
Creating CA profile...
Creating First Officer profile...
You are logged in to Certificate Authority Control Command Shell.
Performing database backup...
NOTICE: pg_stop_backup complete, all required WAL segments have been archived
SUCCESS: Full backup completed successfully.
Press return to exit
Entrust CA is initialized and Certificate Authority service is running.
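Before answering 'yes' at the Configuration Review prompt, it is worth checking the summary the script prints against the key and algorithm choices the table earlier on this page calls for. The following Python script is an added example, not part of Entrust's documentation or product: it parses the review text that config_authority.sh prints (the constructed sample below mirrors the review in the session above, with the same labels and indentation) and reports any choice that falls below a baseline the script itself defines (CA signing key held in hardware, RSA key length of at least 2048 bits, a SHA-2 signature algorithm, and a 256-bit AES database encryption mode). Automatic login, which the session enables, is reported as an informational note rather than a failure, because the session text states that it lets services and some Control Command Shell commands run without a password.

```python
"""Check an Entrust Certificate Authority configuration review against a baseline.

Added example; not Entrust tooling. The label layout is taken from the review
block printed by config_authority.sh; the policy thresholds are this script's own.
"""
import re

# Constructed sample following the Configuration Review shown in the session above.
SAMPLE_REVIEW = """\
1. Directory Comms: 10.194.148.84+389, LDAPv3, Binary
2. CA DNs, CRLs: ou=CAentry,dc=entrustsm,dc=local;
   cn=FirstOfficer,ou=CAentry,dc=entrustsm,dc=local
4. Country Signing CA (CSCA)
   CSCA: no
5. Algorithms:
   CA Keys:
     Signing: RSA-2048 (hardware)
     SignatureAlg: RSA-SHA256
   User Keys:
     Encryption: RSA-2048
     Signing: RSA-2048
7. CA parameters:
   Type: Root
   CA Cert Lifetime: 120 (months)
10. Database parameters:
   Hostname/IP address: localhost
   Port: 5432
   Encryption: AES-CBC-256
13. Autologin for services and commands:
   Autologin: Enabled
"""


def parse_review(text):
    """Map the security-relevant review fields to their values.

    The labels 'Signing:' and 'Encryption:' appear under several headings, so the
    current block (CA Keys, User Keys, Database) is tracked while scanning.
    """
    fields, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("CA Keys:", "User Keys:"):
            block = line
            continue
        if re.match(r"\d+\. Database parameters:", line):
            block = "Database"
            continue
        if re.match(r"\d+\. ", line):  # any other numbered section ends the block
            block = None
        m = re.match(r"(\w+):\s*(.+)", line)  # single-word label followed by a value
        if not m:
            continue
        label, value = m.group(1), m.group(2).strip()
        if block == "CA Keys:" and label == "Signing":
            fields["ca_signing"] = value
        elif block == "CA Keys:" and label == "SignatureAlg":
            fields["ca_signature_alg"] = value
        elif block == "User Keys:" and label == "Encryption":
            fields["user_encryption"] = value
        elif block == "User Keys:" and label == "Signing":
            fields["user_signing"] = value
        elif block == "Database" and label == "Encryption":
            fields["db_encryption"] = value
        elif label == "Autologin":
            fields["autologin"] = value
    return fields


def key_bits(value):
    """Extract the modulus length from a value such as 'RSA-2048 (hardware)'; None for EC or absent."""
    m = re.search(r"(?:RSA|DSA)-(\d+)", value)
    return int(m.group(1)) if m else None


def evaluate(fields, min_rsa_bits=2048):
    """Return (failures, notes): failures break the baseline, notes are informational."""
    failures, notes = [], []
    if "(hardware)" not in fields.get("ca_signing", ""):
        failures.append("CA signing key is not held in the HSM")
    for name in ("ca_signing", "user_encryption", "user_signing"):
        bits = key_bits(fields.get(name, ""))
        if bits is not None and bits < min_rsa_bits:
            failures.append(f"{name} uses a {bits}-bit key, baseline minimum is {min_rsa_bits}")
    alg = fields.get("ca_signature_alg", "")
    if alg.endswith("SHA1") or alg.endswith("SHA224"):
        failures.append(f"CA signature algorithm {alg} is below SHA-256")
    db = fields.get("db_encryption", "")
    if not (db.startswith("AES-") and db.endswith("-256")):
        failures.append(f"database encryption {db or 'unset'} is not a 256-bit AES mode")
    if fields.get("autologin") == "Enabled":
        notes.append("automatic login is enabled: services start without a password prompt")
    return failures, notes


if __name__ == "__main__":
    failures, notes = evaluate(parse_review(SAMPLE_REVIEW))
    print("failures:", failures or "none")
    print("notes:", notes or "none")
```

The review printed by the script is a one-time snapshot; the same checks can be re-run later against the options recorded in entmgr.ini, which the session shows being written when the review is accepted.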