Skip to content

Installing the Certificate Management Service

Installing the Certificate Management Service

Required For

The CMS is REQUIRED for all use cases.

  • Platform Integrity Attestation

  • Application Integrity

  • Workload Confidentiality (both VMs and Containers)

Supported Operating Systems

The Intel® Security Libraries Certificate Management Service supports:

  • Red Hat Enterprise Linux 8.4

  • Ubuntu 20.04

  • 1 vCPUs

  • RAM: 2 GB

  • 10 GB

  • One network interface with network access to all Intel® SecL-DC services

Installation

To install the Intel® SecL-DC Certificate Management Service:

  • Copy the Certificate Management Service installation binary to the /root/ directory.

  • Create the cms.env installation answer file for an unattended installation:

AAS_TLS_SAN=<comma-separated list of IPs and hostnames for the AAS>
AAS_API_URL=https://<Authentication and Authorization Service IP or Hostname>:8444/aas/v1
SAN_LIST=<Comma-separated list of IP addresses and hostnames for the CMS>,127.0.0.1,localhost

The SAN list will be used to authenticate the Certificate Signing Request from the AAS to the CMS. Only a CSR originating from a host matching the SAN list will be honored. Later, in the AAS authservice.env installation answer file, this same SAN list will be provided for the AAS installation. These lists must match, and must be valid for IPs and/or hostnames used by the AAS system. If both the AAS and CMS will be installed on the same system, "127.0.0.1,localhost" may be used. The SAN list variables also accept the wildcards “?” (for single-character wildcards) and "*" (for multiple-character wildcards) to allow address ranges or multiple FQDNs.

The AAS_API_URL represents the URL for the AAS that will exist after the AAS is installed.

For all configuration options and their descriptions, refer to the Intel® SecL Configuration section on the Certificate Management Service.

  • Execute the installer binary.
./cms-v4.1.bin

When the installation completes, the Certificate Management Service is available. The services can be verified by running cms status from the command line.

 cms status

After installation is complete, the CMS will output a bearer token to the console. This token will be used with the AAS during installation to authenticate certificate requests to the CMS. If this token expires or otherwise needs to be recreated, use the following command:

cms setup cms_auth_token --force

In addition, the SHA384 digest of the CMS TLS certificate will be needed for installation of the remaining Intel® SecL services. The digest can be obtained using the following command:

cms tlscertsha384
Back to top