Red Hat Certificate System 8 Install Manual

Download or browse online this Install Manual for Red Hat Certificate System 8.

Red Hat CERTIFICATE SYSTEM 8 Manual Information:

This manual for Red Hat Certificate System 8, provided in PDF format, is available for free online viewing and download without logging in. The guide contains 132 pages, and the file size at download is 2.24 Mb. The document type is Install Manual.

Summary of Contents:

[Page 1] Red Hat CERTIFICATE SYSTEM 8

Red Hat Certificate System 8 Install Guide Ella Deon Lackey Publication date: July 22, 2009, updated on March 25, 2010 ...

[Page 2] Red Hat CERTIFICATE SYSTEM 8

Install Guide Red Hat Certificate System 8 Install Guide Author Ella Deon Lackey Copyright © 2009 Red Hat, Inc. Copyright © 2009 Red Hat, Inc. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attributi...

[Page 3] Red Hat CERTIFICATE SYSTEM 8

iii About This Guide vii 1. Examples and Formatting ...................................................................................

[Page 4] Red Hat CERTIFICATE SYSTEM 8

Install Guide iv 4. Additional Installation Options 61 4.1. Requesting Subsystem Certificates from an External CA .............................................

[Page 5] Red Hat CERTIFICATE SYSTEM 8

v 9.5.7. Shared Certificate System Subsystem File Locations ....................................... 119 Index 121...


[Page 7] Red Hat CERTIFICATE SYSTEM 8

vii About This Guide This guide explains how to install and configure Red Hat Certificate System subsystems, as well as covering some basic administrative tasks and advanced installation techniques. This guide also lists the supported platforms and d...

[Page 8] Red Hat CERTIFICATE SYSTEM 8

About This Guide viii Formatting Style Purpose Italicized text Any text which is italicized is a variable, such as instance_name or hostname. Occasionally, this is also used to emphasize a new term or other phrase. Bolded text Most phrases which are ...

[Page 9] Red Hat CERTIFICATE SYSTEM 8

Giving Feedback ix This manual is intended for Certificate System agents. • Managing Smart Cards with the Enterprise Security Client 5 explains how to install, configure, and use the Enterprise Security Client, the user client application for mana...

[Page 10] Red Hat CERTIFICATE SYSTEM 8

About This Guide x 4. Document History Revision 8.0.10 March 25, 2010 Ella Deon Lackey [email protected] Adding information on new end-entities client authentication port for the CA, related to the MitM resolution in Errata RHBA-2010:0169. Revision ...

[Page 11] Red Hat CERTIFICATE SYSTEM 8

Chapter 1. 1 Overview of Certificate System Subsystems Red Hat Certificate System is a highly configurable set of components which create and manage certificates and keys at every point of the certificate lifecycle. Certificate System is based on ope...

[Page 12] Red Hat CERTIFICATE SYSTEM 8

Chapter 1. Overview of Certificate System Subsystems 2 The core of the Certificate System is the Certificate Manager. This is the only required subsystem and handles the actual certificate management tasks. The other subsystems can be added for addit...

[Page 13] Red Hat CERTIFICATE SYSTEM 8

Certificate Manager 3 7. Revoking the certificate (CA) 8. Checking whether the certificate is revoked or active when an entity tries to use the certificate for authentication (OCSP) All of the subsystems (CA, RA, DRM, and OCSP, as well as the token s...

[Page 14] Red Hat CERTIFICATE SYSTEM 8

Chapter 1. Overview of Certificate System Subsystems 4 NOTE The DRM only archives encryption keys, not signing keys, because that compromises the non-repudiation properties of signing keys. Non-repudiation means that a user cannot deny having perform...

[Page 15] Red Hat CERTIFICATE SYSTEM 8

Token Processing System 5 1.2.1. Token Processing System The Token Processing System (TPS) is the conduit between the user-centered Enterprise Security Client, which interacts with the tokens, and the Certificate System backend subsystems, such as th...

[Page 16] Red Hat CERTIFICATE SYSTEM 8

Chapter 1. Overview of Certificate System Subsystems 6 1.3. Planning the Installation Before beginning to install and configure the Certificate System subsystems, determine what the organization of the PKI is. Q: What types of subsystems do you need ...

[Page 17] Red Hat CERTIFICATE SYSTEM 8

Planning the Installation 7 A: A Certificate Manager can be configured as either a root CA or a subordinate CA. The difference between a root CA and a subordinate CA is who signs the CA signing certificate. A root CA signs its own certificate. A subo...


[Page 19] Red Hat CERTIFICATE SYSTEM 8

Chapter 2. 9 Prerequisites Before Installing Certificate System Before installing the Red Hat Certificate System subsystems, check out the requirements and dependencies for the specific platform, as well as looking at the installed packages. 2.1. Sup...

[Page 20] Red Hat CERTIFICATE SYSTEM 8

Chapter 2. Prerequisites Before Installing Certificate System 10 Platform Agent Services End User Pages Internet Explorer 6 and higher Mac OS 10.x Agent services are not supported for Mac Firefox 2.x Table 2.1. Supported Web Browsers by Platform 2.1....

[Page 21] Red Hat CERTIFICATE SYSTEM 8

Required Programs, Dependencies, and Configuration 11 NOTE This support does not include supporting internationalized domain names, like in email addresses. 2.2. Required Programs, Dependencies, and Configuration To install any Red Hat Certificate Sy...

[Page 22] Red Hat CERTIFICATE SYSTEM 8

Chapter 2. Prerequisites Before Installing Certificate System 12 yum install httpd 2.2.3. Red Hat Directory Server All subsystems require access to Red Hat Directory Server 8.1 on the local machine or a remote machine. This Directory Server instance ...

[Page 23] Red Hat CERTIFICATE SYSTEM 8

Firewall Configuration and iptables 13 gnome-desktop-2.16.0-1.el5 On 64-bit Red Hat Enterprise Linux platforms, be certain that the 64-bit (x86_64) compat-libstdc++ libraries are installed, and not only the 32-bit (i386) libraries. To confirm this, ...

[Page 24] Red Hat CERTIFICATE SYSTEM 8

Chapter 2. Prerequisites Before Installing Certificate System 14 RPMs for Certificate System Subsystems and Components osutil pki-kra pki-tks pki-setup pki-tps pki-ca pki-migrate pki-common pki-native-tools symkey pki-console pki-ocsp pki-java-tools ...

[Page 25] Red Hat CERTIFICATE SYSTEM 8

Required Information for Subsystem Configuration 15 RPMs for NSS and NSPR nspr nss svrcore 2.4. Required Information for Subsystem Configuration When the Certificate System subsystems are configured, some outside information must be available, as lis...

[Page 26] Red Hat CERTIFICATE SYSTEM 8

Chapter 2. Prerequisites Before Installing Certificate System 16 Information Description default Directory Manager DN is cn=Directory Manager. Certificate and key recovery files (for cloning) If the subsystem being configured is a clone of another su...

[Page 27] Red Hat CERTIFICATE SYSTEM 8

Using Hardware Security Modules with Subsystems 17 Before using external tokens, plan how the external token is going to be used with the subsystem: • All system keys for a subsystem must be generated on the same token. • The subsystem keys must ...

[Page 28] Red Hat CERTIFICATE SYSTEM 8

Chapter 2. Prerequisites Before Installing Certificate System 18 preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module preop.configModules.module2.commonName=lunasa preop.configModules.module2.imagePath=../img/safene...

[Page 29] Red Hat CERTIFICATE SYSTEM 8

Using Hardware Security Modules with Subsystems 19 service subsystem_name start 2. Open the /etc/Chrystoki.conf configuration file. 3. Add this configuration parameter. Misc { NetscapeCustomize=1023; } 4. If they are there, remove these two configura...

[Page 30] Red Hat CERTIFICATE SYSTEM 8

Chapter 2. Prerequisites Before Installing Certificate System 20 cd /var/lib/pki-ca/alias b. The required security module database file, secmod.db, should be created by default when the subsystem is created. If it does not exist, use the modutil util...

[Page 31] Red Hat CERTIFICATE SYSTEM 8

Viewing Tokens 21 2.5.3. Viewing Tokens To view a list of the tokens currently installed for a Certificate System instance, use the modutil utility. 1. Open the instance alias directory. For example: cd /var/lib/pki-ca/alias 2. Show the information a...


[Page 33] Red Hat CERTIFICATE SYSTEM 8

Chapter 3. 23 Installation and Configuration The Certificate System is comprised of subsystems which can be independently installed on different servers, multiple instances installed on a single server, and other flexible configurations for availabil...

[Page 34] Red Hat CERTIFICATE SYSTEM 8

Chapter 3. Installation and Configuration 24 See Section 3.5, “Configuring a DRM, OCSP, or TKS” and Section 3.4, “Configuring an RA” for the process on installing and configuring the OCSP, DRM, TKS, and RA subsystems. 6. Configure the TPS sub...

[Page 35] Red Hat CERTIFICATE SYSTEM 8

Installing the Certificate System Packages 25 3.2. Installing the Certificate System Packages There are two ways to obtain and install the subsystem packages. For all supported platforms, the Certificate System packages can be downloaded as ISO image...

[Page 36] Red Hat CERTIFICATE SYSTEM 8

Chapter 3. Installation and Configuration 26 NOTE yum is used only for the first subsystem instance; any additional subsystem instances are added using pkicreate. subsystem can be any of the Certificate System subsystems: • ca for the Certificate M...

[Page 37] Red Hat CERTIFICATE SYSTEM 8

Installing from an ISO Image 27 3.2.2. Installing from an ISO Image Red Hat Certificate System 8.0 can also be downloaded from Red Hat Network as an ISO image. This ISO image contains an RPMS/ directory which can be used as a local yum repository. 1....

[Page 38] Red Hat CERTIFICATE SYSTEM 8

Chapter 3. Installation and Configuration 28 The default CA instance must create a new security domain. Subsequent CAs can create a new domain or join an existing security domain, but it is recommended that each CA have its own security domain. 4. En...

[Page 39] Red Hat CERTIFICATE SYSTEM 8

Configuring a CA 29 5. Set up the PKI hierarchy. Commonly, the first CA is a root, or self-signed, CA, meaning that it signs its own CA signing certificate rather than submitting its certificates to a third-party CA for issuance. Subsequent CAs can b...

[Page 40] Red Hat CERTIFICATE SYSTEM 8

Chapter 3. Installation and Configuration 30 • Subordinate CA. A subordinate CA receives its CA signing certificate from a root CA. The root CA must be referenced here; it can be another Certificate System CA, but, for the default (i.e., first) CA ...

[Page 41] Red Hat CERTIFICATE SYSTEM 8

Configuring a CA 31 If the Red Hat Directory Server instance is on a different server or network than the Certificate System subsystem, then make sure that the Certificate System host's firewall allows access to whatever LDAP port was set in th...

[Page 42] Red Hat CERTIFICATE SYSTEM 8

Chapter 3. Installation and Configuration 32 • LunaSA: /usr/lunasa/lib/libCryptoki2.so • nCipher: /opt/nfast/toolkits/pkcs11/libcknfast.so 8. Set the key size and the hashing algorithm to use. By default, the settings for the signing key are appl...

[Page 43] Red Hat CERTIFICATE SYSTEM 8

Configuring a CA 33 The hashing algorithms that are available depend on whether RSA or ECC is selected as the key type. For RSA, the available algorithms are as follows: • SHA256withRSA (the default) • SHA1withRSA • SHA256withRSA • SHA512with...

[Page 44] Red Hat CERTIFICATE SYSTEM 8

Chapter 3. Installation and Configuration 34 Having unique certificate nicknames is vital for using an HSM, since any nickname conflicts (even for subsystems on different servers) will cause configuration to fail. 10. The next panels generate and sho...

[Page 45] Red Hat CERTIFICATE SYSTEM 8

Configuring a CA 35 12. Provide the information for the new subsystem administrator. 13. Click Next through the remaining panels to import the agent certificate into the browser and complete the configuration. 14. When the configuration is complete, ...

[Page 46] Red Hat CERTIFICATE SYSTEM 8

Chapter 3. Installation and Configuration 36 service pki-ca restart IMPORTANT The new instance is not active until it is restarted, and weird behaviors can occur if you try to use the instance without restarting it first. 3.4. Configuring an RA Subsy...

[Page 47] Red Hat CERTIFICATE SYSTEM 8

Configuring an RA 37 The hostname for the security domain CA can be the fully-qualified domain name or an IPv4 or IPv6 address, if IPv6 was configured before the packages were installed. 4. Enter a name for the new instance. ...

[Page 48] Red Hat CERTIFICATE SYSTEM 8

Chapter 3. Installation and Configuration 38 5. Select the CA which will issue, renew, and revoke certificates for certificates processed through the RA. All of the CAs configured in the security domain are listed in a dropdown menu. 6. Click Next on...

[Page 49] Red Hat CERTIFICATE SYSTEM 8

Configuring an RA 39 The Certificate System automatically discovers Safenet's LunaSA and nCipher's netHSM hardware security modules. The discovery process assumes that the client software installations for these modules are local to the Cer...

[Page 50] Red Hat CERTIFICATE SYSTEM 8

Chapter 3. Installation and Configuration 40 9. Optionally, change the subject names for the certificates. ...

[Page 51] Red Hat CERTIFICATE SYSTEM 8

Configuring an RA 41 NOTE Certificate nicknames must be unique, and changing the default nicknames is one way to ensure that. Having unique certificate nicknames is vital for using an HSM, since any nickname conflicts (even for subsystems on differen...

[Page 52] Red Hat CERTIFICATE SYSTEM 8

Chapter 3. Installation and Configuration 42 If an external CA is used to issue the certificates, configuration cannot go forward until they are received from the CA. When they are issued, paste the certificates into this panel to add them to the sub...

[Page 53] Red Hat CERTIFICATE SYSTEM 8

Configuring a DRM, OCSP, or TKS 43 12. Click Next through the remaining panels to import the agent certificate into the browser and complete the configuration. 13. When the configuration is complete, restart the subsystem. service pki-ra restart IMPO...

[Page 54] Red Hat CERTIFICATE SYSTEM 8

Chapter 3. Installation and Configuration 44 NOTE A Data Recovery Manager (DRM) is also known as a Key Recovery Agent (KRA). All command-line tools and many files for the DRM use the abbreviation kra for this reason. In the documentation, the subsyst...

[Page 55] Red Hat CERTIFICATE SYSTEM 8

Configuring a DRM, OCSP, or TKS 45 5. Select the CA which will perform the operations processed through the subsystem, such as key archival. 6. Fill in the information for the LDAP server which will be used for the instance's internal database. ...

[Page 56] Red Hat CERTIFICATE SYSTEM 8

Chapter 3. Installation and Configuration 46 The hostname can be the fully-qualified domain name or an IPv4 or IPv6 address. NOTE One thing that can derail subsystem configuration or function is having services that are unable to connect with each ot...

[Page 57] Red Hat CERTIFICATE SYSTEM 8

Configuring a DRM, OCSP, or TKS 47 IMPORTANT Any hardware tokens used with the instance must be configured before configuring the subsystem instance. If the HSM is not properly configured, it may not be listed in the key stores panel or the instance ...

[Page 58] Red Hat CERTIFICATE SYSTEM 8

Chapter 3. Installation and Configuration 48 9. Optionally, change subject names to the listed certificates. NOTE Certificate nicknames must be unique, and changing the default nicknames is one way to ensure that. ...

[Page 59] Red Hat CERTIFICATE SYSTEM 8

Configuring a DRM, OCSP, or TKS 49 Having unique certificate nicknames is vital for using an HSM, since any nickname conflicts (even for subsystems on different servers) will cause configuration to fail. 10. The next panels generate and show certific...

[Page 60] Red Hat CERTIFICATE SYSTEM 8

Chapter 3. Installation and Configuration 50 12. Click Next through the remaining panels to import the agent certificate into the browser and complete the configuration. 13. When the configuration is complete, restart the subsystem. service pki-kra r...

[Page 61] Red Hat CERTIFICATE SYSTEM 8

Configuring a TPS 51 Once the packages are installed, the installer automatically launches the pkicreate script to create the default subsystem instance. A URL to access the new instance is printed to the screen which gives the sub...

[Page 62] Red Hat CERTIFICATE SYSTEM 8

Chapter 3. Installation and Configuration 52 5. Select the CA which will issue, renew, and revoke certificates for token operations requested through the TPS subsystem. 6. Supply information about the TKS which will manage the TPS keys. Select the TK...

[Page 63] Red Hat CERTIFICATE SYSTEM 8

Configuring a TPS 53 7. There is an option for server-side key generation for tokens enrolled through the TPS. If server-side key generation is selected, supply information about the DRM which will generate keys and archive encryption keys. Key and ...

[Page 64] Red Hat CERTIFICATE SYSTEM 8

Chapter 3. Installation and Configuration 54 The hostname of the LDAP server can be the fully-qualified domain name or an IPv4 or IPv6 address. 9. Fill in the information for the LDAP server which will be used for the instance's internal databas...

[Page 65] Red Hat CERTIFICATE SYSTEM 8

Configuring a TPS 55 The hostname can be the fully-qualified domain name or an IPv4 or IPv6 address. NOTE One thing that can derail subsystem configuration or function is having services that are unable to connect with each other. If servers that nee...

[Page 66] Red Hat CERTIFICATE SYSTEM 8

Chapter 3. Installation and Configuration 56 IMPORTANT Any hardware tokens used with the instance must be configured before configuring the subsystem instance. If the HSM is not properly configured, it may not be listed in the key stores panel or the...

[Page 67] Red Hat CERTIFICATE SYSTEM 8

Configuring a TPS 57 12. Optionally, change subject names to the listed certificates. NOTE Certificate nicknames must be unique, and changing the default nicknames is one way to ensure that. Having unique certificate nicknames is vital for using an H...

[Page 68] Red Hat CERTIFICATE SYSTEM 8

Chapter 3. Installation and Configuration 58 13. The next panels generate and show certificate requests, certificates, and key pairs. If an external CA is used to issue the certificates, configuration cannot go forward until they are received from th...

[Page 69] Red Hat CERTIFICATE SYSTEM 8

Configuring a TPS 59 15. Click Next through the remaining panels to import the agent certificate into the browser and complete the configuration. 16. When the configuration is complete, restart the subsystem. service pki-tps restart IMPORTANT The new...


[Page 71] Red Hat CERTIFICATE SYSTEM 8

Chapter 4. 61 Additional Installation Options The Certificate System default installation, and all subsequent instances created with pkicreate, make certain assumptions about the instances being installed, such as the default signing algorithm to use...

[Page 72] Red Hat CERTIFICATE SYSTEM 8

Chapter 4. Additional Installation Options 62 8. In the Requests and Certificates panel, the CA signing certificate is listed, with an action required label. Once that certificate is generated, the other certificates for the CA will be automatically ...

[Page 73] Red Hat CERTIFICATE SYSTEM 8

Requesting Subsystem Certificates from an External CA 63 9. Click the Step 1: Copy the certificate request link, and copy the certificate request to a file or the clipboard. 10. Submit the request to the external CA. Leave the browser with the config...

[Page 74] Red Hat CERTIFICATE SYSTEM 8

Chapter 4. Additional Installation Options 64 service subsystem_name restart 4.2. Installing a CA with ECC Enabled Elliptic curve cryptography (ECC) is much more secure than the more common RSA-style encryption, which allows it to use much shorter ke...

[Page 75] Red Hat CERTIFICATE SYSTEM 8

Loading the Certicom ECC Module 65 modutil -dbdir . -nocertdb -changepw "THIRD_PARTY_MODULE_TOKEN" 7. Change the ownership of the new home directory from root to pkiuser. cd /usr/share/pki chown -R pkiuser:pkiuser pkiuser 8. Add the passwor...

[Page 76] Red Hat CERTIFICATE SYSTEM 8

Chapter 4. Additional Installation Options 66 1. Copy the third-party libraries to a common directory, like /usr/lib for 32-bit systems or /usr/lib64 for 64-bit systems. There are two library files for the Certicom ECC modules, libsbcpgse.so and lib...

[Page 77] Red Hat CERTIFICATE SYSTEM 8

Loading the Certicom ECC Module 67 CryptoAes() success CryptoArc4() success CryptoDes() success CryptoDh() success CryptoDsa() success CryptoEcdh() s...

[Page 78] Red Hat CERTIFICATE SYSTEM 8

Chapter 4. Additional Installation Options 68 service pki-ca start 16. Continue with the CA configuration, with two important configuration settings: • In the Key Store panel, the ECC module should be listed as an available token. Select that modul...

[Page 79] Red Hat CERTIFICATE SYSTEM 8

Changing the Hashing Algorithm Used for Subsystem Keys 69 chown -R agent-pki:agent-pki /home/agent-pki h. In the terminal with the /home/agent-pki directory open, export the environment variable that allows ECC support. export NSS_USE_DECODED_CKA_EC_...

[Page 80] Red Hat CERTIFICATE SYSTEM 8

Chapter 4. Additional Installation Options 70 TIP Editing certificate profiles is covered in the Administrator's Guide. Each of the subsystem certificate profiles can be edited: • caInternalAuthOCSPCert.cfg • caInternalAuthTransportCert.cfg ...

[Page 81] Red Hat CERTIFICATE SYSTEM 8

Configuring Separate RA Instances 71 op=var_set name=ca_host value=IPv6 address If a host has both an IPv4 address and an IPv6 name, then an environment variable can be set before the Certificate System packages are installed so that Certificate Syst...

[Page 82] Red Hat CERTIFICATE SYSTEM 8

Chapter 4. Additional Installation Options 72 e. Click OK. 3. Add the new RA authentication instance to the CA: a. Open the CA configuration directory, and edit the CS.cfg file cd /etc/pki-ca vi CS.cfg b. Search for the string raCertAuth. c. Copy tho...

[Page 83] Red Hat CERTIFICATE SYSTEM 8

Configuring Separate RA Instances 73 profile.caDualRA2userCert.config=/var/lib/pki-ca/profiles/ca/caDualRA2userCert.cfg 6. Add a new URI mapping to allow the new RA agent to be registered in the new RA group. a. Open the CA web applications director...

[Page 84] Red Hat CERTIFICATE SYSTEM 8

Chapter 4. Additional Installation Options 74 cd /var/lib/pki-ra2/conf/ vi CS.cfg 10. Change the registerRaUser setting to registerRa2User. conn.ca1.servlet.addagent=/ca/admin/ca/registerRa2User 11. Change the caDualRAuserCert setting to caDualRA2use...

[Page 85] Red Hat CERTIFICATE SYSTEM 8

Chapter 5. 75 Creating Additional Subsystem Instances The number of subsystems that you have is flexible. There can be a single instance, there can be multiple instances on the same machine, or there can be multiple instances on multiple servers. Cre...

[Page 86] Red Hat CERTIFICATE SYSTEM 8

Chapter 5. Creating Additional Subsystem Instances 76 TIP To get full usage examples and syntax for the pkicreate command, run pkicreate --help. Parameter Description pki_instance_root Gives the full path to the new instance configuration directory....

[Page 87] Red Hat CERTIFICATE SYSTEM 8

Running pkicreate for a Single SSL Port 77 Parameter Description recommended that administrators set this value to make sure there are no conflicts with SELinux labels for other services. tomcat_server_port 1 Sets the port number for the Tomcat web s...

[Page 88] Red Hat CERTIFICATE SYSTEM 8

Chapter 5. Creating Additional Subsystem Instances 78 5.3. Running pkicreate with Port Separation To create an instance with three separate ports for the different subsystem services, run pkicreate with three options which specify the services ports:...

[Page 89] Red Hat CERTIFICATE SYSTEM 8

Chapter 6. 79 Cloning Subsystems When a new subsystem instance is first configured, the Red Hat Certificate System allows subsystems to be cloned, or duplicated, for high availability of the Certificate System. The cloned instances run on different m...

[Page 90] Red Hat CERTIFICATE SYSTEM 8

Chapter 6. Cloning Subsystems 80 Figure 6.1. Cloning Example The load balancer in front of a Certificate System subsystem is what provides the actual failover support in a high availability system. A load balancer can also provide the following advan...

[Page 91] Red Hat CERTIFICATE SYSTEM 8

Cloning for DRMs 81 Cloned CAs do have limits on what operations they can perform. Most important, cloned CAs cannot generate or publish CRLs. Any CRL requests submitted to a cloned CA are immediately redirected to the master CA. Anything related to ...

[Page 92] Red Hat CERTIFICATE SYSTEM 8

Chapter 6. Cloning Subsystems 82 • If the token is network-based, then the keys and certificates simply need to be available to the token; the keys and certificates do not need to be copied. • When using a network-based hardware token, make sure ...

[Page 93] Red Hat CERTIFICATE SYSTEM 8

Cloning a CA 83 4. Copy the exported PKCS#12 file containing the master instance's keys to the clone's alias/ directory. The keys for the master instance could have been exported to a .p12 file when the instance was configured. Alternativel...

[Page 94] Red Hat CERTIFICATE SYSTEM 8

Chapter 6. Cloning Subsystems 84 NOTE When cloning a CA, the master and clone instances have the same CA signing key. 10. The subsystem information is automatically supplied from the master instance to the clone instance once the keys are successfull...

[Page 95] Red Hat CERTIFICATE SYSTEM 8

Cloning OCSP Subsystems 85 ca.crl.IssuingPointId.enableCRLUpdates=false • Enable the clone to redirect CRL requests to the master clone: master.ca.agent.host=master_hostname master.ca.agent.port=master_port 12. Restart the clone instance. service s...

[Page 96] Red Hat CERTIFICATE SYSTEM 8

Chapter 6. Cloning Subsystems 86 The keys for the master instance could have been exported to a .p12 file when the instance was configured. Alternatively, the keys can be exported using the PKCS12Export command, as in Section 6.2, “Exporting Keys f...

[Page 97] Red Hat CERTIFICATE SYSTEM 8

Cloning OCSP Subsystems 87 10. The subsystem information is automatically supplied from the master instance to the clone instance once the keys are successfully restored. Complete the configuration process. NOTE By default, the instance configuration...

[Page 98] Red Hat CERTIFICATE SYSTEM 8

Chapter 6. Cloning Subsystems 88 6.5. Cloning DRM and TKS Subsystems 1. Configure the master subsystem, as described in Section 3.5, “Configuring a DRM, OCSP, or TKS”, and back up the keys. 2. Create the clone subsystem instance. IMPORTANT Do not...

[Page 99] Red Hat CERTIFICATE SYSTEM 8

Cloning DRM and TKS Subsystems 89 8. Give the path and filename of the PKCS #12 backup file which was saved when the master instance was created or that were exported in 3. If the keys are stored on an HSM that is accessible to the clone, then they a...

[Page 100] Red Hat CERTIFICATE SYSTEM 8

Chapter 6. Cloning Subsystems 90 9. The subsystem information is automatically supplied from the master instance to the clone instance once the keys are successfully restored. Complete the configuration process. NOTE By default, the instance configur...