REDHAT CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual

Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Manual Information:

This manual for Red Hat Certificate System 8.0 Administration is provided as a PDF and is available for free online viewing and download without logging in. The guide contains 564 pages, and the download is 6.19 MB. The document type is Admin Manual.

Summary of Contents:

[Page 1] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Red Hat Certificate System 8.0 Admin Guide Publication date: July 22, 2009, updated on March 25, 2010 ...

[Page 2] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Red Hat Certificate System 8.0 Admin Guide Copyright © 2009 Red Hat, Inc. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unpor...

[Page 3] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

iii About This Guide xv 1. Recommended Concepts .......................................................................................

[Page 4] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Admin Guide iv 2.3.1. Default RA Profiles .................................................................................. 48 2.3.2. Creating RA Enrollment Forms ................................................................. 48 2.3.3. Configur...

[Page 5] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

v 5.1. Configuring TPS Smart Card Operations ............................................................ 127 5.1.1. Configuring Format Operations ............................................................... 127 5.1.2. Configuring TPS Enrollment ...

[Page 6] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Admin Guide vi 6.4.1. Configuring Extended Updated Intervals for CRLs in the Console .............. 183 6.4.2. Configuring Extended Updated Intervals for CRLs in CS.cfg ...................... 183 6.5. Enabling Automatic Revocation Checking for Agent...

[Page 7] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

vii 9.3. Setting up CMC Enrollment ............................................................................... 244 9.3.1. Setting up the Server for Multiple Requests in a Full CMC Request ............ 245 9.3.2. Testing CMCEnroll ..................

[Page 8] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Admin Guide viii 12.3.1. Configuring the password.conf .............................................................. 286 12.3.2. Protecting the password.conf File .......................................................... 286 12.3.3. Requiring Syst...

[Page 9] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

ix 14.4.2. Managing RA Users ............................................................................. 340 14.5. Creating and Managing Users for a TPS .......................................................... 349 14.5.1. Searching for Users .....

[Page 10] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Admin Guide x 16.1.7. Using an HSM to Store Subsystem Certificates ...................................... 393 16.2. Requesting a Subsystem, Server, or Signing Certificate through the Console ....... 394 16.3. Renewing Subsystem Certificates ...........

[Page 11] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

xi B.1.12. No Default Extension ........................................................................... 440 B.1.13. OCSP No Check Extension Default ...................................................... 440 B.1.14. Policy Constraints Extension ...

[Page 12] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Admin Guide xii C.1. Publisher Plug-in Modules ................................................................................ 483 C.1.1. FileBasedPublisher ................................................................................ 483 C.1.2...

[Page 13] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

xiii D.3.16. certServer.ca.request.profile ................................................................. 504 D.3.17. certServer.ca.requests ......................................................................... 504 D.3.18. certServer.ca.syst...

[Page 14] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Admin Guide xiv D.6.2. certServer.tks.group ............................................................................... 519 D.6.3. certServer.tks.importTransportCert .......................................................... 519 D.6.4. certServe...

[Page 15] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

xv About This Guide This guide explains how to install, configure, and maintain the Red Hat Certificate System and how to use it for issuing and managing certificates to end entities such as web browsers, users, servers, and virtual private network (...

[Page 16] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

About This Guide xvi Concept Related Chapters Archiving keys Chapter 3, Setting up Key Archival and Recovery Publishing certificates Chapter 8, Publishing Certificates and CRLs Revoking certificates Chapter 6, Revoking Certificates and Issuing CRLs O...

[Page 17] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Supported Smart Cards xvii NOTE The only browser that is fully supported for the HTML-based instance configuration wizard is Mozilla Firefox. Platform Agent Services End User Pages Red Hat Enterprise Linux Firefox 3.x Firefox 3.x Windows Vista Firefo...

[Page 18] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

About This Guide xviii Four fields fully support UTF-8 characters: • Common name (used in the subject name of the certificate) • Organizational unit (used in the subject name of the certificate) • Requester name • Additional notes (comments a...

[Page 19] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Additional Reading xix Formatting Style Purpose Bolded text Most phrases which are in bold are application names, such as Cygwin, or are fields or options in a user interface, such as a User Name Here: field or Save button. Other formatting styles dr...

[Page 20] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

About This Guide xx • Managing Smart Cards with the Enterprise Security Client 5 explains how to install, configure, and use the Enterprise Security Client, the user client application for managing smart cards, user certificates, and user keys. Th...

[Page 21] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Document History xxi 7. Document History Revision 8.0.16 March 25, 2010 Ella Deon Lackey Adding information on new end-entities client authentication port for the CA, related to the MitM resolution in Errata RHBA-2010:0169. Revision 8.0.15 December 1...

[Page 22] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

About This Guide xxii Adding back in the book index. Revision 8.0.4 August 18, 2009 Ella Deon Lackey Removing the section on SSL/client authentication for the console, related to Bugzilla #512493. Fixing section outline formatting for log chapter. R...

[Page 23] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 1. 1 Overview of Red Hat Certificate System Subsystems Every common PKI operation — issuing, renewing and revoking certificates; archiving and recovering keys; publishing CRLs and verifying certificate status — is carried out by interope...

[Page 24] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 1. Overview of Red Hat Certificate System Subsystems 2 An email message that includes a digital signature provides some assurance that it was sent by the person whose name appears in the message header, thus authenticating the sender. If the ...

[Page 25] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Types of Certificates 3 The objects signed with object signing technology can be applets or other Java code, JavaScript scripts, plug-ins, or any kind of file. The signature is a digital signature. Signed objects and their signatures are typically st...

[Page 26] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 1. Overview of Red Hat Certificate System Subsystems 4 Certificate Type Use Example may be used as both an S/ MIME certificate and an SSL certificate. S/MIME certificates can also be used as part of single sign-on. email that deals with sensi...

[Page 27] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

A Review of Certificate System Subsystems 5 1.1.2.2. Other Signing Certificates Other services, such as the OCSP responder service and CRL publishing, can use signing certificates other than the CA certificate. For example, a separate CRL signing cer...

[Page 28] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 1. Overview of Red Hat Certificate System Subsystems 6 • A certificate authority called a Certificate Manager. The CA is the core of the PKI; it issues and revokes all certificates. The Certificate Manager is also the core of the Certificat...

[Page 29] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Registration Authority 7 1.2.2. Registration Authority The Registration Authority subsystem handles certain certificate issuing tasks locally, such as generating and submitting certificate requests. This effectively makes the RA a load-balancer for t...

[Page 30] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 1. Overview of Red Hat Certificate System Subsystems 8 1.2.6. Token Key Service The Token Key Service (TKS) uses a master key to derive specific, separate keys for every smart card. The TPS uses these secret keys to communicate with each smar...

[Page 31] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

A Look at Managing Certificates 9 Figure 1.2. CA and DRM Another aspect of how the subsystems work together is load balancing. If a site has high traffic, then it is possible to install a lot of CAs, as clones of each other or in a flat hierarchy (wh...

[Page 32] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 1. Overview of Red Hat Certificate System Subsystems 10 Figure 1.4. CA and OCSP Even with all possible subsystems installed, the core of the Certificate System is still the CA (or CAs), since they ultimately process all certificate-related re...

[Page 33] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

A Look at the Token Management System 11 1.4. A Look at the Token Management System Certificate System creates, manages, renews, and revokes certificates, as well as archiving and recovering keys. For organizations which use smart cards, the Certific...

[Page 34] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 1. Overview of Red Hat Certificate System Subsystems 12 are based on the card's unique ID. The keys are formatted on the smart card and are used to encrypt communications, or provide authentication, between the smart card and TPS. • Th...

[Page 35] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Red Hat Certificate System Services 13 After installation, the TPS configuration file, CS.cfg, can have additional CA, DRM, and TKS instances added to provide failover support, so if the primary subsystem is unavailable, the TPS can switch to the ne...

[Page 36] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 1. Overview of Red Hat Certificate System Subsystems 14 Figure 1.6. Certificate System Console The Configuration tab controls all of the setup for the subsystem, as the name implies. The choices available in this tab are different depending o...

[Page 37] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Interfaces for Administrators 15 Figure 1.7. RA Admin Page The TPS only allows operations to manage users for the TPS subsystem. However, the TPS admin page can also list tokens and display all activities (including normally-hidden administrative act...

[Page 38] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 1. Overview of Red Hat Certificate System Subsystems 16 Figure 1.8. TPS Admin Page 1.5.2. Agent Interfaces The agent services pages are where almost all of the certificate and token management tasks are performed. These services are HTML-base...

[Page 39] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

End User Pages 17 Figure 1.9. Certificate Manager's Agent Services Page The operations vary depending on the subsystem: • The Certificate Manager agent services include approving certificate requests (which issues the certificates), revoking c...

[Page 40] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 1. Overview of Red Hat Certificate System Subsystems 18 The end-user services are accessed over standard HTTP using the server's hostname and the standard port number; they can also be accessed over HTTPS using the server's hostname...

[Page 41] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Enterprise Security Client 19 • Supports JavaCard 2.1 or higher cards and Global Platform 2.01-compliant smart cards like Safenet's 330J smart card • Supports Global Platform 2.01-compliant smart cards like Gemalto e-gate 32K and Gemalto TOP...

[Page 43] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Part I. Setting up Certificate Services ...

[Page 45] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 2. 23 Making Rules for Issuing Certificates The Certificate System provides a customizable framework to apply policies for incoming certificate requests and to control the input request types and output certificate types; these are called cer...

[Page 46] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 2. Making Rules for Issuing Certificates 24 authorized), the information that is included in the certificate content, and how long the certificate is valid. The profile itself is defined in a special .cfg file in the /var/lib/subsystem_name/p...

[Page 47] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Certificate Extensions: Defaults and Constraints 25 output.list=o1 output.o1.class_id=certOutputImpl For caUserCert, the output displays the certificate in pretty print format. This output needs to be specified for any automated enrollment. Once a us...

[Page 48] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 2. Making Rules for Issuing Certificates 26 Basic Constraints Extension identifies whether a certificate is a CA signing certificate, the maximum number of subordinate CAs that can be configured beneath the CA, and whether the extension is c...

[Page 49] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Creating Certificate Profiles through the CA Console 27 NOTE The old policy framework for managing certificates was deprecated in Certificate System 7.1 and was removed entirely for Certificate System 7.2, 7.3, and 8.0. Any certificate enrollments or...

[Page 50] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 2. Making Rules for Issuing Certificates 28 4. Fill in the profile information in the Certificate Profile Instance Editor. • Certificate Profile Instance ID. This is the ID used by the system to identify the profile. • Certificate Profile...

[Page 51] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Creating Certificate Profiles through the CA Console 29 to be processed through the Certificate Manager's certificate profile framework, rather than through the input page for the certificate profile. • Certificate Profile Authentication. This...

[Page 52] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 2. Making Rules for Issuing Certificates 30 c. Fill in the policy set ID. When issuing dual key pairs, separate policy sets define the policies associated with each certificate. Then fill in the certificate profile policy ID, a name or identi...

[Page 53] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Creating Certificate Profiles through the CA Console 31 Defaults defines attributes that populate the certificate request, which in turn determines the content of the certificate. These can be extensions, validity periods, or other fields contained i...

[Page 54] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 2. Making Rules for Issuing Certificates 32 b. Choose the input from the list, and click OK. See Section A.1, “Input Reference” for complete details of the default inputs. c. The New Certificate Profile Editor window opens. Set the input ...

[Page 55] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Creating Certificate Profiles through the CA Console 33 Inputs can be added and deleted. It is possible to select edit for an input, but since inputs have no parameters or other settings, there is nothing to configure. To delete an input, select the ...

[Page 56] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 2. Making Rules for Issuing Certificates 34 Outputs can be added and deleted. It is possible to select edit for an output, but since outputs have no parameters or other settings, there is nothing to configure. a. To add an output, click Add. ...

[Page 57] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Editing Certificate Profiles in the Console 35 https://server.example.com:9445/ca/services b. Click the Manage Certificate Profiles link. This page lists all of the certificate profiles that have been set up by an administrator, both active and inact...

[Page 58] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 2. Making Rules for Issuing Certificates 36 a profile has already been enabled, it must be disabled by the agent before it can be deleted from the profile list. NOTE Restart the server after editing the profile configuration file for the chan...

[Page 59] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Creating and Editing Certificate Profiles through the Command Line 37 certificate is issued, one set is evaluated, and any other sets in the profile are ignored. When dual key pairs are issued, the first policy set is evaluated with the first certifi...

[Page 60] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 2. Making Rules for Issuing Certificates 38 2.2.3.2. Modifying Certificate Extensions through the Command Line Changing constraints changes the restrictions on the type of information which can be supplied. Changing the defaults and constrain...

[Page 61] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Defining Key Defaults in Profiles 39 2.2.3.3. Adding Inputs through the Command Line The certificate profile configuration file in the CA's profiles/ca directory contains the input information for that particular certificate profile form. In...

[Page 62] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 2. Making Rules for Issuing Certificates 40 by a different CA. Both partner CAs store the other CA signing certificate in its database, so all of the certificates issued within the other PKI are trusted and recognized. Issuing cross-pair cert...

[Page 63] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

List of Certificate Profiles 41 6. As a CA agent, enable the certificate profile. 2.2.6. List of Certificate Profiles The following pre-defined certificate profiles are ready to use when the Certificate System CA is installed. These certificate profi...

[Page 64] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 2. Making Rules for Issuing Certificates 42 Profile ID Profile Name Description caCACert Manual Certificate Manager Signing Certificate Enrollment Enrolls Certificate Authority certificates. caCMCUserCert Signed CMC-Authenticated User Certifi...

[Page 65] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

List of Certificate Profiles 43 Profile ID Profile Name Description a few examples of these in the default profiles, and they are mostly not enabled by default. caDualCert Manual User Signing & Encryption Certificates Enrollment Enrolls dual user...

[Page 66] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 2. Making Rules for Issuing Certificates 44 Profile ID Profile Name Description NOTE Renewal profiles can only be used in conjunction with the profile that issued the original certificate. There are two settings that are beneficial: • It is...

[Page 67] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

List of Certificate Profiles 45 Profile ID Profile Name Description caRARouterCert RA Agent-Authenticated Router Certificate Enrollment Enrolls router certificates after agent approval (as opposed to automatic enrollment). caRAserverCert RA Agent-Aut...

[Page 68] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 2. Making Rules for Issuing Certificates 46 Profile ID Profile Name Description enrollment profile. This defines the amount of time before and after the certificate's expiration date when the user is allowed to renew the certificate. The...

[Page 69] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

List of Certificate Profiles 47 Profile ID Profile Name Description TPS for smart card enrollment operations. caTokenMSLoginEnrollment Token User MS Login Certificate Enrollment Enrolls key to be used by a person for logging into a Windows domain or ...

[Page 70] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 2. Making Rules for Issuing Certificates 48 2.3. Configuring Custom Enrollment Profiles to Use with an RA The profiles used to submit certificate requests through the RA are created and configured in the CA, as described in Section 2.2, “Se...

[Page 71] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Creating RA Enrollment Forms 49 cp -r user/ example/ 3. Edit the main index file for the end-entities directory to add the new example profile to the list of available profiles: vim index.vm ... snip ... <font size="+1" face="Prima...

[Page 72] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 2. Making Rules for Issuing Certificates 50 7. Update the descriptions and names in the index.vm file. Update the docroot paths to the example/ directory and, if the related certificate and renewal forms were renamed and are being used for th...

[Page 73] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Configuring the Request Queues 51 Plug-in or Library Location Description PKI::Request::Plugin::AutoAssign (plug-in) /var/lib/pki-ra/lib/perl/PKI/Request/Plugin Automatically assigns a request to a group of agents. PKI::Request::Plugin::CreateP...

[Page 74] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 2. Making Rules for Issuing Certificates 52 request.server.create_request.0.assignTo=agents request.server.create_request.0.plugin=PKI::Request::Plugin::AutoAssign [email protected] request.server...

[Page 75] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Managing Smart Card CA Profiles 53 service pki-ra start 2.4. Managing Smart Card CA Profiles The TPS does not generate or approve certificate requests; it sends any requests approved through the Enterprise Security Client to the configured CA to issu...

[Page 76] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 2. Making Rules for Issuing Certificates 54 2.4.1. Editing Enrollment Profiles for the TPS Administrators have the ability to customize the default smart card enrollment profiles, used with the TPS. For instance, a profile could be edited to ...

[Page 77] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Using the Windows Smart Card Logon Profile 55 op.enroll.userKey.keyGen.signing.ca.profileId=tpsExampleEnrollProfile 5. Restart the CA and TPS after editing the smart card profiles. For example: service pki-ca restart service pki-tps restart 2.4.3. Us...

[Page 78] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 2. Making Rules for Issuing Certificates 56 pkiconsole https://server.example.com:9445/ca 2. In the Configuration tab, expand the Certificate Manager tree. 3. In the General Settings tab, set the algorithm to use in the Algorithm drop-down me...

[Page 79] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Setting the Signing Algorithm Default in a Profile 57 NOTE Before a profile can be edited, it must first be disabled by an agent. 1. Open the CA console. pkiconsole https://server.example.com:9445/ca 2. In the Configuration tab, expand the Certificat...

[Page 80] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 2. Making Rules for Issuing Certificates 58 The possible values for the constraint are listed in Section B.2.9, “Signing Algorithm Constraint”. 2.6. Managing CA-Related Profiles Certificate profiles and extensions must be used to set rule...

[Page 81] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Changing the Restrictions for CAs on Issuing Certificates 59 edited in pkiconsole (since it is only available before the instance is configured). It is possible to edit the policies for this profile in the template file before the CA is configured us...

[Page 82] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 2. Making Rules for Issuing Certificates 60 that certificate. Check the constraints set on the CA signing certificate before changing the issuing rules for a subordinate CA. To change the certificate issuance rules, do the following: 1. Open ...

[Page 83] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Managing Subject Names and Subject Alternative Names 61 Serial number management can be enabled for CAs which are not cloned, if the parameters are set in the CS.cfg file. dbs.beginSerialNumber=1 dbs.enableSerialManagement=true dbs.endReplicaNu...

[Page 84] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 2. Making Rules for Issuing Certificates 62 policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl policyset.userCertSet.8.default.name=Subject Alt Name Constraint policyset.userCertSet.8.default.params.subjAltNameExtCritical=f...

[Page 85] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Inserting LDAP Directory Attribute Values and Other Information into the Subject Alt Name 63 3. To enable the CA to insert the LDAP attribute value in the certificate extension, edit the profile's configuration file, and insert a policy set para...

[Page 86] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 2. Making Rules for Issuing Certificates 64 Policy Set Token Description 0:0:0:0:0:0:13.1.68.3, FF01::43, 0:0:0:0:0:0:13.1.68.3,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:255.255.255.0, and FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000. $request.reques...

[Page 87] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Changing DN Attributes in CA-Issued Certificates 65 X500Name.NEW_ATTRNAME.oid=n.n.n.n X500Name.NEW_ATTRNAME.class=string_to_DER_value_converter_class The value converter class converts a string to an ASN.1 value; this class must implement the netscap...

[Page 88] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 2. Making Rules for Issuing Certificates 66 X500Name.attr.MYATTR2.oid=11.22.33.44.55.66 X500Name.attr.MYATTR2.class=netscape.security.x509.IA5StringConverter X500Name.attr.MYATTR3.oid=111.222.333.444.555.666 X500Name.attr.MYATTR3.class=netsca...

[Page 89] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Customizing the Subject DN in a Certificate Request Issued by an RA 67 X500Name.dirEncodingOrder=Printable,BMPString To change the DirectoryString encoding, do the following: 1. Stop the Certificate Manager. service pki-ca stop 2. Open the /var/lib/p...

[Page 90] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 2. Making Rules for Issuing Certificates 68 NOTE There is no graphical interface for performing this customization. To customize the DN: 1. Edit the user.vm file. By default, this is located in the /var/lib/pki-ra/docroot/ee/user/ directory. ...

[Page 91] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 3. 69 Setting up Key Archival and Recovery This chapter explains how to use the Data Recovery Manager (DRM) to archive private keys and to recover these archived keys to restore encrypted data. NOTE Server-side key generation is an option pro...

[Page 92] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 3. Setting up Key Archival and Recovery 70 The archived copy of the key remains wrapped with the DRM's storage key. It can be decrypted, or unwrapped, only by using the corresponding private key pair of the storage certificate. A combina...

[Page 93] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Setting up Key Archival 71 Key archival requires two things: • Having a trusted relationship between a CA and a DRM. • Having the enrollment form enabled for key archival, meaning it has key archival configured and the DRM transport certificate s...

[Page 94] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 3. Setting up Key Archival and Recovery 72 var keyTransportCert = MIIDbDCCAlSgAwIBAgIBDDANBgkqhkiG9w0BAQUFADA6MRgwFgYDVQQKEw9Eb21haW4gc28gbmFtZWQxHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0wNjExMTQxODI2NDdaFw0wODEwMTQxNzQwNThaMD4xGDAWBgN...

[Page 95] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Testing the Key Archival and Recovery Setup 73 3. Edit the two recovery scheme parameters. kra.noOfRequiredRecoveryAgents=3 kra.recoveryAgentGroup=Data Recovery Manager Agents 4. Restart the server. service pki-kra start The default key agent scheme ...

[Page 96] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 3. Setting up Key Archival and Recovery 74 a. Open the DRM's agent services page, and click the Recover Keys link. Search for the key by the key owner, serial number, or public key. If the key has been archived successfully, the key info...

[Page 97] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 4. 75 Requesting, Enrolling, and Managing Certificates Certificates are requested and used by end users. Although certificate enrollment and renewal are operations that are not limited to administrators, understanding the enrollment and renew...

[Page 98] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 4. Requesting, Enrolling, and Managing Certificates 76 NOTE This configuration is not necessary to use Internet Explorer 7 and 8 on Microsoft Windows 2000, 2003, or XP. 1. Open Internet Explorer. 2. Import the CA certificate chain. a. Open th...

[Page 99] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Requesting and Receiving Certificates 77 4.3. Requesting and Receiving Certificates The first step for getting a certificate is generating the request, which is then submitted to the issuing CA. Some Certificate System profiles allow users to request...

[Page 100] Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Chapter 4. Requesting, Enrolling, and Managing Certificates 78 NOTE The CA certificate request forms support all UTF-8 characters for the common name, organizational unit, and requester name fields. The common name and organization unit fields are in...