Install the Entrust Certificate Authority

Install the Entrust Certificate Authority PostgreSQL

Certificate Authority requires a database to store information about the Certification Authority, X.509 users, and EAC entities. For a list of supported databases, see PSIC-Entrust Authority Security Manager 10.0.

In this guide, an embedded Certificate Authority PostgreSQL database is used. This database will be installed on the same server that will host Certificate Authority.

For information more about installing and configuring Certificate Authority PostgreSQL Database, see the Security Manager Database Configuration Guide.

If you are using your own supplied database, Entrust strongly recommends that you install the database on its own dedicated server. To install and configure (or upgrade) your chosen database, read your database documentation and the Security Manager Database Configuration Guide.

To install and use Certificate Authority in a cluster, you must use your own supplied database. The Entrust-supplied Certificate Authority PostgreSQL Database does not support a clustered environment.

To install PostgreSQL Server on the server machine:

  1. Download the PostgreSQL Server installer for the Windows operating system (EntrustCertificateAuthorityPostgreSQL.15.2.0.22.msi) from the Entrust TrustedCare online support site.

  2. To start installing the PostgreSQL database for Certificate Authority, double-click the setup file EntrustCertificateAuthorityPostgreSQL.15.2.0.22.msi.

    An installation wizard appears.

  3. Select Next.

  4. In the PostgreSQL Database Folders window, accept the default, then select Next.

  5. In the PostgreSQL Windows Account Password window, set the password for easm_entrust_pg account, then select Next.

  6. In the PostgreSQL Databases Accounts window, provide the password for the easm_entrust and easm_entbackup accounts and select Next.

  7. In the PostgreSQL Database Port window, accept the default, select Next.

  8. In the Check Setup Information window, review and select Next.

  9. In the Ready to Install window, select Install.

  10. In the Install Wizard Complete dialog, select Finish.

  11. Close any open windows or dialogs.

  12. If you do not see the setup dialogs when installing PostgreSQL, run the ent_setup.bat file found at: C:\Program Files\Entrust\easm_postgres15\dbserver\bin. Follow the same instructions as above but in CLI format.

For example:

[ent_setup] Logging to 'C:\Users\Administrator\AppData\Roaming\Entrust\postgresql\ent_setup.log'.
[ent_setup]
[ent_setup] *******************************************************
[ent_setup] Starting setup...
[ent_setup] *******************************************************
[ent_setup] Welcome to the Entrust Certificate Authority PostgreSQL Database 15.2 setup.
[ent_setup]
[ent_setup] Checking for a previous version...
[ent_setup]    Registry key [HKLM:\SOFTWARE\Entrust\PostgreSQL\11] does not exist, no installation found.
[ent_setup]
[ent_setup] Checking for current version...
[ent_setup]    Found InstallDir [C:\Program Files\Entrust\easm_postgres15\].
[init]
[init] No upgradeable Entrust Authority Security Manager PostgreSQL Database installation was found.
[init]
[init] Do you wish to initialize Entrust Certificate Authority PostgreSQL Database 15.2 at this time? (y/n): y
[init] Performing a full initialization for installation at [C:\Program Files\Entrust\easm_postgres15]...
[init]
[init] Checking for 'easm_entrust_pg' OS user...
[init]    User was not found, creating OS user 'easm_entrust_pg'...
[init]
[init]    ***NOTE***: Be sure to adhere to any of your organization's password rules as well.
[init]
[init] The following characters cannot be used when choosing the password:
[init]    < > # \ " / | ' ^ ; &  <space> <tab>
[init] Please choose a password for:    'easm_entrust_pg': ***********
[init] Please confirm the password for: 'easm_entrust_pg': ***********
[init]    The 'easm_entrust_pg' user has been successfully created.
[init]    Enabling SeServiceLogonRight for easm_entrust_pg...
[init]
[init] Please choose a listen port for the server [5432]:
[init]
[init] Please choose a location for the PostgreSQL Data directory : [c:\eca_pg_data\15]:
[init] Adding full (inheritable) permission for [easm_entrust_pg] to location [c:\eca_pg_data\15]...
[init] Adding full (inheritable) permission for [Administrators] to location [c:\eca_pg_data\15]...
[init] Adding full (inheritable) permission for [ENTRUST-SM-WIND\Administrator] to location [c:\eca_pg_data\15]...
[init]
[init] Please choose a location for the PostgreSQL Wal directory : [c:\eca_pg_wal\15]:
[init] Adding full (inheritable) permission for [easm_entrust_pg] to location [c:\eca_pg_wal\15]...
[init] Adding full (inheritable) permission for [Administrators] to location [c:\eca_pg_wal\15]...
[init] Adding full (inheritable) permission for [ENTRUST-SM-WIND\Administrator] to location [c:\eca_pg_wal\15]...
[init]
[init] Initializing Database cluster with database super user 'easm_entrust_pg'...
[init]
[init] Calculating the recommended shared_buffers value...
[init] Installing and updating custom pg_easm_DB.conf...
[init]    Setting archive_command path to C:\Program Files\Entrust\easm_postgres15\bin\pg_archwal.bat
[init]    Setting port = 5432
[init]    Setting shared_buffers = 2048
[init] Updating postgresql.conf...
[init]    Setting include = pg_easm_DB.conf
[init]    The database cluster is initialized.
[init] Setting EASMPOSTGRESDIR environment variable...
[init] Setting OPENSSL_CONF environment variable...
[init]
[init] Registering PostgreSQL Server as a Windows service...
[init]
[init] Setting PostgreSQL service display name and description...
[init]
[init] Starting the PostgreSQL service...
[init]
[init] Creating database easm_DB...
[init]
[init] A database user 'easm_entrust' is required.
[init]
[init] The following characters cannot be used when choosing the password:
[init]    < > # \ " / | ' ^ ; &  <space> <tab>
[init] Please choose a password for:    'easm_entrust': ***********
[init] Please confirm the password for: 'easm_entrust': ***********
[init] Creating 'easm_entrust' user...
[init]
[init] A database backup role 'easm_entbackup' is required.
[init]
[init] The following characters cannot be used when choosing the password:
[init]    < > # \ " / | ' ^ ; &  <space> <tab>
[init] Please choose a password for:    'easm_entbackup': ***********
[init] Please confirm the password for: 'easm_entbackup': ***********
[init] Creating 'easm_entbackup' database role...
[init]
[init] Creating easm_entrust schema...
[init] Creating extension pgrowlocks...
[init] Creating extension pg_freespacemap...
[init] Creating extension pgstattuple...
[init] Creating extension pg_buffercache...
[init] Creating extension pageinspect...
[init]
[init] Removing full (inheritable) permission for [ENTRUST-SM-WIND\Administrator] from location [c:\eca_pg_data\15]...
[init] Removing full (inheritable) permission for [ENTRUST-SM-WIND\Administrator] from location [c:\eca_pg_wal\15]...
[init]
[init] Registering PostgreSQL event DLL for [C:\Program Files\Entrust\easm_postgres15]...
[init]
[init] Setting PGPORT environment variable...
[init]
[init] Stopping the PostgreSQL service...
[init]
[init] Starting the PostgreSQL service...
[ent_setup]
[ent_setup] Operation complete!

Make a note of these users and passwords as this information will be needed later in the setup.

Install the Entrust Certificate Authority

To install Entrust Certificate Authority on the server computer:

  1. Download the Certificate Authority for Windows (EntrustCertificateAuthority.10.2.0.119.msi) from the Entrust TrustedCare online support site.

  2. Run the installation program.

    The install wizard will launch and install the software.

    The installation path after the install will be C:\Program Files\Entrust.

  3. Once the installation completes, select Finish in the Install Wizard Complete dialog.

  4. Preload the OCS or Softcard as described in configure-certificate-authority.adoc#establish-preload-session if you have not done this yet.

  5. Install OpenLDAP for Windows on the client if you have not yet done so.

  6. Test access to the directory service from the Certificate Authority server:

    C:\Users\Administrator>C:\OpenLDAP\ClientTools\ldapsearch -x -h <directory_services_server_IP_or_Name> "cn=EntrustAdmin,ou=CAentry,dc=entrustsm,dc=local" -b "cn=EntrustAdmin,ou=CAentry,dc=entrustsm,dc=local" -s sub -W