Install the Entrust Certificate Authority

Install the Entrust Authority database

Entrust Certificate Authority requires a database to store information about the Certification Authority, X.509 users, and EAC entities. For a list of supported databases, see the product document PSIC-Entrust Certificate Authority 10.0 on Entrust TrustedCare.

An embedded Certificate Authority PostgreSQL database is used for the purposes of this guide. This database will be installed on the same server that will host Certificate Authority.

Entrust strongly recommends that you install your own database on its own dedicated server. To install and configure (or upgrade) your chosen database, read your database documentation and the Certificate Authority Database Configuration Guide.

To install and use Certificate Authority in a cluster, use your own database. The Entrust-supplied Certificate Authority PostgreSQL Database is not supported in a cluster environment.

  1. Download the PostgreSQL Server file Entrust-Certificate-Authority-PostgreSQL-15-15.2.0-9.el8.x86_64.rpm from the Entrust TrustedCare online support site https://trustedcare.entrust.com/MyProductsList. Under PKI, expand Authority. Then select the Certificate Authority version. The PostgreSQL Server file is listed among the available downloads.

  2. Install dependencies:

    % dnf install compat-openssl10.x86_64

  3. Navigate to the directory where you downloaded the rpm file and start the installation:

    % cd Downloads
    % rpm -i Entrust-Certificate-Authority-PostgreSQL-15-15.2.0-9.el8.x86_64.rpm

  4. Run the PostgreSQL setup script:

    % cd /opt/entrust/easm_postgresql_15/dbserver/bin
    % ./setup_easm_DB.sh

    Accept all defaults during the installation. The installer generates the following log file: /tmp/pg_install.log.

This process creates three users:

  • PostgreSQL user account: easm_entrust_pg

  • PostgreSQL database account: easm_entrust

  • PostgreSQL backup database account: easm_entbackup

Make a note of these users and passwords.

Create Master Users

Master Users are responsible for controlling the Entrust Certificate Authority software through the Certificate Authority Control Command Shell.

There are three predefined Master User roles: Master1, Master2, and Master3. These user names are case-sensitive and cannot be changed. The people chosen for these roles must be present when you initialize Certificate Authority, so they can choose and enter their own unique and private passwords. Also, they must have physical access to the server that hosts Certificate Authority, so that they can maintain the Certificate Authority infrastructure.

Master Users use Certificate Authority Control Command Shell to:

  • Start and stop the Certificate Authority service.

  • Back up and restore the Certificate Authority data files.

  • Maintain the Certification Authority (CA), including updating the CA keys.

The Primary Group for user accounts Master1, Master2, Master3 is easm_entrust_pg. The Secondary Group for user accounts Master1, Master2, Master3 is entrust. These users must also belong to the nfast group.

By default, the Certificate Authority PostgreSQL Database installer creates the easm_entrust_pg group.

Older versions of Certificate Authority, previously known as Security Manager, might require that you create an entrust group, as follows:

% sudo groupadd entrust
% sudo usermod -a -G entrust Master1
% sudo usermod -a -G entrust Master2
% sudo usermod -a -G entrust Master3

To create Master Users:

  1. Create the Master Users:

    % sudo useradd -c "Master User 1" -g easm_entrust_pg Master1
    % sudo useradd -c "Master User 2" -g easm_entrust_pg Master2
    % sudo useradd -c "Master User 3" -g easm_entrust_pg Master3

  2. Add users to groups:

    % sudo usermod -a -G nfast Master1
    % sudo usermod -a -G nfast Master2
    % sudo usermod -a -G nfast Master3

  3. Set the users' passwords:

    % sudo passwd Master1
    % sudo passwd Master2
    % sudo passwd Master3
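
The following check is an added example, not part of the Entrust procedure: it audits the three Master User accounts against the group layout stated above (primary group easm_entrust_pg, secondary groups entrust and nfast). The function names and the --audit argument are hypothetical.

```shell
#!/bin/sh
# Added example (not Entrust code): audit Master User group membership.
# Expected layout is taken from the text above.
REQUIRED_PRIMARY="easm_entrust_pg"
REQUIRED_SECONDARY="entrust nfast"

# check_membership USER PRIMARY "ALL GROUPS"
# Works on strings only, so it can be exercised before the accounts exist.
# Prints one line per problem; returns 0 only when nothing is wrong.
check_membership() {
    local user="$1" primary="$2" groups=" $3 " rc=0 g
    if [ "$primary" != "$REQUIRED_PRIMARY" ]; then
        echo "$user: primary group is '$primary', expected '$REQUIRED_PRIMARY'"
        rc=1
    fi
    for g in $REQUIRED_SECONDARY; do
        case "$groups" in
            *" $g "*) ;;   # group present
            *) echo "$user: missing secondary group '$g'"; rc=1 ;;
        esac
    done
    return $rc
}

# audit_master_users: feed live id(1) output into the check above.
audit_master_users() {
    local user rc=0
    for user in Master1 Master2 Master3; do
        if ! id "$user" >/dev/null 2>&1; then
            echo "$user: account does not exist"
            rc=1
            continue
        fi
        check_membership "$user" "$(id -gn "$user")" "$(id -Gn "$user")" || rc=1
    done
    return $rc
}

# Run against the live system only when asked to: ./script --audit
if [ "${1:-}" = "--audit" ]; then
    audit_master_users && echo "Master User group layout OK"
fi
```

A non-zero exit status means at least one account is missing or lacks a required group; each problem is printed on its own line.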

Install the Entrust Certificate Authority

To install the Entrust Certificate Authority:

  1. Download Certificate Authority for Linux Entrust-Certificate-Authority-10.1.1-1543.el8.x86_64.rpm from the Entrust TrustedCare online support site.

  2. Install dependencies:

    % yum install libnsl

  3. Run the installer. For a new installation, use the -i option. To upgrade an older version or reinstall the same version, first use the -e option to remove the current installation, then use the -U option to reinstall.

    # rpm -i /root/Downloads/Entrust-Certificate-Authority-10.1.1-1543.el8.x86_64.rpm
    warning: /root/Downloads/security-manager-10.0.31-3.el8.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID ac33653e: NOKEY
       Verifying OS support...
       OS is a supported OS.
       Found PG user home directory [/home/easm_entrust_pg]
       Updating /etc/sudoers.d/securitymanager...
    %easm_entrust_pg ALL=(easm_entrust_pg) NOPASSWD: /usr/bin/zip
    %easm_entrust_pg ALL=(easm_entrust_pg) NOPASSWD: /home/easm_entrust_pg/sm_pg_initd.sh
       Updating archiving settings in /var/pgsql/easm_entrust_pg_data_11/postgresql.conf
       Updated archive settings in /var/pgsql/easm_entrust_pg_data_11/postgresql.conf.
    #
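
The NOKEY warning in the output above means rpm had no imported public key for key ID ac33653e, so the package signature was not verified. The following is an added example, not Entrust code, that installs only when `rpm -K` reports a verified signature; it assumes the `rpm -K` output format of rpm 4.14 and later, and the function names and key file path are placeholders.

```shell
#!/bin/sh
# Added example (not Entrust code): gate the install on a verified signature.
# Assumes the one-line `rpm -K` output format of rpm 4.14+ (as on EL8).

# classify_checksig LINE: interpret one line of `rpm -K` output.
classify_checksig() {
    case "$1" in
        *"NOT OK"*)         echo untrusted ;;  # bad signature, or signing key not imported
        *" signatures OK")  echo signed ;;     # digests and signature both verified
        *" OK")             echo unsigned ;;   # digests only: no signature was checked
        *)                  echo unknown ;;    # error text or unexpected format
    esac
}

# verify_then_install PKG: run `rpm -i` only if the signature verifies.
verify_then_install() {
    pkg="$1"
    line=$(rpm -K "$pkg" 2>&1) || true   # rpm -K exits non-zero on failure
    verdict=$(classify_checksig "$line")
    if [ "$verdict" != "signed" ]; then
        echo "refusing to install $pkg: $verdict ($line)" >&2
        return 1
    fi
    rpm -i "$pkg"
}

# Usage, as root. The key file path is a placeholder: obtain the vendor's
# public signing key through a channel you trust before importing it.
#   rpm --import /path/to/VENDOR-SIGNING-KEY.pub
#   ./script /root/Downloads/Entrust-Certificate-Authority-10.1.1-1543.el8.x86_64.rpm
if [ $# -eq 1 ]; then
    verify_then_install "$1"
fi
```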