
Certdog RedHat Installation


Pre-Requisites

  • A RedHat 8 installation. Other versions may work, but this is the version that has been confirmed

  • An account with the permissions to install packages and the certdog system

  • The ability to install mongodb community edition


It is recommended that a separate, dedicated user be created to run the certdog application, although it can also be run under an existing account.


Install Mongo DB

Follow the instructions to download and install Mongo DB Community Edition, e.g.:

https://www.mongodb.com/docs/manual/tutorial/install-mongodb-on-red-hat/

At the time of writing, the following was performed:

Create a new yum repo file for mongodb, e.g.:

sudo vi /etc/yum.repos.d/mongodb-org-6.0.repo

Populate this file with the following and then save:

[mongodb-org-6.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/6.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-6.0.asc

Then run:

sudo yum install -y mongodb-org

And start the database with the following command:

sudo systemctl start mongod


Confirm mongo DB is running by typing:

mongosh

and ensure that you connect and receive the mongo db prompt. Type exit to leave the prompt.


Note, by default the mongo configuration is here:

/etc/mongo.conf

and mongo database files here:

/var/lib/mongo
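The repo file above turns on GPG verification of the packages yum downloads (gpgcheck=1) and fetches the signing key over https, which is what stops a tampered mirror or a man-in-the-middle from feeding the host a modified mongodb-org package. The script below is an added example written for this page, not part of the Certdog or MongoDB documentation: it checks that a repo definition still carries those settings before you run yum install, and replaces the interactive mongosh check with a non-interactive ping. The repo path is the one used in this guide; the mongosh --eval ping is an assumed way of confirming the service answers.

```sh
#!/bin/sh
# Added example, not part of the Certdog or MongoDB documentation: sanity-check a
# yum repo definition before installing from it, then confirm mongod is up without
# an interactive shell. The repo path below is the one used in this guide.
set -u

# check_repo FILE -> 0 when the repo definition keeps package signature
# verification on and fetches both metadata and the signing key over https;
# prints one line per failed check.
check_repo() {
    rc=0
    grep -q '^gpgcheck=1$' "$1"      || { echo "$1: gpgcheck must be 1 so yum rejects unsigned or altered packages"; rc=1; }
    grep -q '^gpgkey=https://' "$1"  || { echo "$1: gpgkey should be fetched over https"; rc=1; }
    grep -q '^baseurl=https://' "$1" || { echo "$1: baseurl should use https"; rc=1; }
    grep -q '^enabled=1$' "$1"       || { echo "$1: repo is not enabled"; rc=1; }
    return $rc
}

# mongo_ready -> 0 when the mongod service is active and answers a ping.
# Non-interactive replacement for opening mongosh and typing exit (assumed check).
mongo_ready() {
    systemctl is-active --quiet mongod || { echo "mongod is not active"; return 1; }
    [ "$(mongosh --quiet --eval 'db.runCommand({ ping: 1 }).ok')" = 1 ] \
        || { echo "mongod did not answer ping"; return 1; }
}

# Live run on the server: sh check_mongo.sh live
if [ "${1:-}" = live ]; then
    check_repo /etc/yum.repos.d/mongodb-org-6.0.repo && mongo_ready && echo "repo and mongod OK"
fi
```

Run it with the argument live on the server after the yum install; with no argument it only defines the functions, so it can be sourced from other scripts.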



Get Certdog

See here for the download locations


Installation

Copy the installation archive to the location where you wish certdog to reside and extract it, e.g.:

tar xvfz ./certdog_v1200.tar.gz

This will extract all files into ./certdog

Navigate to:

./certdog/install

and run:

./configure.sh

The configuration will start and will take a few seconds to complete:

-------------------------------------------------------------------------------
Configuring Certdog...please wait...
-------------------------------------------------------------------------------

Configuration is complete

If you see any errors or things do not seem to be working, first examine the install log:

./certdog/install/install_log.txt

Other logs, including the application (certdog.log) and startup/shutdown logs are stored here:

./certdog/logs


Starting/Stopping

Navigate to:

./certdog/bin

And run the following to start certdog:

./start-certdog.sh

And this command to stop:

./shutdown-certdog.sh

You may examine these scripts, or configure the application to start on boot following the standard process for your OS.


To start and stop the mongo database you may use the following commands:

sudo systemctl start mongod
sudo systemctl stop mongod


By default, certdog will be available on 127.0.0.1 on port 1443, e.g.:

https://127.0.0.1:1443/certdog

Note: CRLs and OCSP services will be available on port 1480

Follow the steps below to configure the firewall to forward the standard ports 443 and 80 to these internal ports.

Note that until you configure a trusted SSL certificate you will be presented with browser warnings when navigating to this address. See the Post Install section below to configure this and other items.



Port Forwarding

If firewalld is in use, running the following commands will forward port 443 to the internal port 1443 and port 80 to the internal port 1480:

firewall-cmd --add-forward-port=port=443:proto=tcp:toport=1443
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=1480
firewall-cmd --runtime-to-permanent

Note that this port forwarding may not work from the local machine itself, but it should be available when calling this machine using its IP address/FQDN.
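Once the forwards are in place it is worth confirming, from the server itself, what is actually exposed: that the two forwards exist (firewall-cmd --list-forward-ports prints them as port=443:proto=tcp:toport=1443:toaddr=), that certdog is listening on 1443 and 1480, and that the MongoDB port is bound to loopback only. The script below is an added example written for this page, not part of Certdog; it parses the output of firewall-cmd and ss so that the checks can be run against captured output as well as live. The 443/1443 and 80/1480 pairs are the ones stated in this guide; 27017 is MongoDB's default port and is assumed unchanged.

```sh
#!/bin/sh
# Added example, not part of the Certdog documentation: audit the exposure of a
# fresh install by parsing the output of "firewall-cmd --list-forward-ports" and
# "ss -ltn". The port pairs 443->1443 and 80->1480 are those stated in the guide;
# 27017 is MongoDB's default port and is assumed unchanged.
set -u

# check_forward RULES FROM_PORT TO_PORT -> 0 when RULES (text printed by
# "firewall-cmd --list-forward-ports") contains a tcp forward FROM_PORT -> TO_PORT
check_forward() {
    printf '%s\n' "$1" | grep -q "^port=$2:proto=tcp:toport=$3:"
}

# bind_address LISTENERS PORT -> prints the local address(es) on which PORT is
# listening, one per line (LISTENERS is the text printed by "ss -ltn")
bind_address() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == p) print substr($4, 1, length($4) - length(p) - 1)
        }'
}

# listening LISTENERS PORT -> 0 when something listens on PORT
listening() {
    [ -n "$(bind_address "$1" "$2")" ]
}

# audit RULES LISTENERS -> prints one line per finding, returns the number of failed checks
audit() {
    rules="$1" listeners="$2" failures=0
    check_forward "$rules" 443 1443 || { echo "MISSING forward 443 -> 1443"; failures=$((failures + 1)); }
    check_forward "$rules" 80 1480  || { echo "MISSING forward 80 -> 1480";  failures=$((failures + 1)); }
    for p in 1443 1480; do
        listening "$listeners" "$p" || { echo "NOT LISTENING: certdog port $p"; failures=$((failures + 1)); }
    done
    # The database has no business being reachable from other hosts
    for addr in $(bind_address "$listeners" 27017); do
        case "$addr" in
            127.0.0.1|"[::1]") ;;
            *) echo "WARNING: mongod listens on $addr:27017, not on loopback"; failures=$((failures + 1)) ;;
        esac
    done
    return "$failures"
}

# Live run on the server (firewall-cmd needs root): sh audit.sh live
if [ "${1:-}" = live ]; then
    audit "$(firewall-cmd --list-forward-ports)" "$(ss -ltn)" && echo "exposure checks passed"
fi
```

The return value is the count of failed checks, so the script can gate a post-install pipeline; an empty result from bind_address for 27017 is not flagged, since the guide does not require mongod to be listening on TCP at all.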



Post Install

Open a browser on the server and navigate to:

https://127.0.0.1:1443/certdog

Log in with the initial username and password displayed at the end of the installer. These are temporary credentials: as soon as you first log in you will be forced to set a new password.


See the Post Install Steps to continue with the server configuration.



Troubleshooting and Known Issues

To Reset the Database

If an installation has failed, it may have information in the database populated from the previous attempt. To reset this, perform the following:

Start the mongo shell:

mongosh

Then run the following commands:

use certman
show users
db.dropUser("certmanuser")
db.dropDatabase()
exit


CRL Locations

The CA configuration will display the CRL Distribution Points URL as using port 1443. Either update this port to the default CRL port (1440) or, as best practice once the firewall rules are in place, remove the port entirely, since the default port 80 will be the one used by external clients checking CRLs.

If the System URL was not set and the URL is defaulting to 127.0.0.1, also update the server name.

E.g. If CRL Distribution Points shows:

http://127.0.0.1:1443/certdog/crl/test.crl

Update it as follows:

http://certdog.mysystem.com/certdog/crl/test.crl

This is the value that will be embedded in certificates issued from the CA and the URL clients will therefore follow in order to obtain the CRL.


Also note that when initially accessing CRLs locally, until you forward the ports, the CRL will only be available on port 1440 and not on port 1443, which may be what the CA configuration displays.

To test the CRL can be downloaded you can run the following command:

wget http://127.0.0.1:1440/certdog/crl/test.crl
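A successful wget only proves that the URL serves some bytes. Before pointing relying parties at the CRL it is worth checking that the file parses as a CRL, that its nextUpdate is sensible, and above all that its signature was made by the CA that issued the certificates carrying this distribution point. The script below is an added example written for this page, not part of Certdog: it downloads the CRL as the guide does, detects PEM or DER encoding, and runs the OpenSSL signature check against the CA certificate. The URL is the one from the guide; the CA certificate file is an assumption you supply (export it from the CA in question).

```sh
#!/bin/sh
# Added example, not part of the Certdog documentation: download a CRL the way
# the guide does with wget, then verify it parses and that its signature was made
# by the issuing CA before trusting the endpoint. The URL and the CA certificate
# file are assumptions; replace them with your own.
set -u

# crl_inform FILE -> prints PEM or DER depending on how the file is encoded
crl_inform() {
    if head -c 16 "$1" | grep -q -- '-----BEGIN'; then echo PEM; else echo DER; fi
}

# crl_summary FILE -> issuer, lastUpdate and nextUpdate for a quick eyeball check
crl_summary() {
    openssl crl -in "$1" -inform "$(crl_inform "$1")" -noout -issuer -lastupdate -nextupdate
}

# crl_verify FILE CA_CERT -> 0 only when FILE is a well-formed CRL whose signature
# verifies against CA_CERT (PEM certificate of the issuing CA). The textual
# "verify OK" is checked because the exit status on a failed verification is not
# consistent across OpenSSL versions.
crl_verify() {
    openssl crl -in "$1" -inform "$(crl_inform "$1")" -CAfile "$2" -noout 2>&1 \
        | grep -q 'verify OK'
}

# crl_fetch_and_check URL CA_CERT -> download, summarise, verify; returns 1 on
# download failure and 2 on a CRL that does not verify against CA_CERT
crl_fetch_and_check() {
    crl_tmp=$(mktemp) || return 1
    if ! wget -q -O "$crl_tmp" "$1"; then
        echo "download failed: $1" >&2
        rm -f "$crl_tmp"; return 1
    fi
    crl_summary "$crl_tmp"
    if crl_verify "$crl_tmp" "$2"; then
        echo "CRL signature OK against $2"
        rm -f "$crl_tmp"; return 0
    fi
    echo "CRL did NOT verify against $2" >&2
    rm -f "$crl_tmp"; return 2
}

# Live usage (CRL URL from the guide, CA certificate path supplied by you):
#   sh check_crl.sh live /path/to/rootca.pem
if [ "${1:-}" = live ]; then
    crl_fetch_and_check http://127.0.0.1:1440/certdog/crl/test.crl "${2:?CA certificate path required}"
fi
```

A CRL that parses but fails crl_verify usually means the wrong CA certificate was supplied or the endpoint is serving a CRL from a different CA; either way the URL should not be embedded in issued certificates until that is resolved.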


When creating a new CA and setting Generate CRLs you may get the error: The CRL filename must be a complete path. The path in the filename specified: [path to CRL file] does not exist

This is because the path is not reported consistently. The correct path is:

[installation directory]/tomcat/crlwebapps/certdog#crl/[CRL Name].crl

E.g.

/home/pkiuser/certdog/tomcat/crlwebapps/certdog#crl/rootca.crl

But may be displayed as something like the following:

/home/pkiuser/certdog/crlwebapps/certdog#crl/rootca.crl

Update the path to the correct value manually.


OCSP API End Point URL

When creating a new CA, if the Create OCSP Server option was selected but no certificate has been issued to the OCSP server, check the logs.

If a Connection refused error such as the following is seen:

Unable to renew OCSP signing certificate for OCSP Server: OCSPServer-test-64143f37f95e3d1466af2316-6735. Error: I/O error on POST request for "https://127.0.0.1/certdog/api/login": Connect to 127.0.0.1:443 [/127.0.0.1] failed: Connection refused (Connection refused); nested exception is org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:443 [/127.0.0.1] failed: Connection refused (Connection refused)

This is because the server assumes the API will be listening on port 443. On RedHat the default internal port is 1443.

To correct this, from OCSP Servers, edit the configuration of the OCSP server in question and alter the URL (under the Signing Certificate Renewal Details section) so that port 1443 is specified.

E.g. change from:

https://127.0.0.1/certdog/api

to:

https://127.0.0.1:1443/certdog/api

Monitor the logs and the OCSP server configuration and confirm that a certificate is then generated.


Other Troubleshooting

Examine the log files mentioned above to see if anything obvious appears.

Attempt to stop and start certdog using the ./shutdown-certdog.sh and ./start-certdog.sh scripts.

Try restarting the database, then restarting certdog.


Full Certdog Documentation can be found here: https://krestfield.github.io/docs/certdog/certdog.html