Red Hat Certificate System 7.1 Administrator's Manual

Administrator’s Guide
Red Hat Certificate System
Version 7.1
September 2005
Red Hat, Inc.
1801 Varsity Drive
Raleigh NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701
PO Box 13588
Research Triangle Park NC 27709 USA
© 2001 Sun Microsystems, Inc. Used by permission. © 2005 by Red Hat, Inc. All rights reserved. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, V1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/).
Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder.
Distribution of the work or derivative of the work in any standard (paper) book form for commercial purposes is prohibited unless prior permission is obtained from the copyright holder.
Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat, Inc. in the United States and other countries.
All other trademarks referenced herein are the property of their respective owners.
The GPG fingerprint of the security@redhat.com key is:
CA 20 86 86 2B D6 9D FC 65 F6 EC C4 21 91 80 CD DB 42 A6 0E
Contents
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Who Should Read This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
What You Should Know . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
What’s in This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Conventions Used in This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Chapter 1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Subsystems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Certificate Manager Flexibility and Scalability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Self Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Certificate Issuance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Certificate Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
CRLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Publishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Dual Key Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
HSMs and Crypto Accelerators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Support for Open Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
4 Red Hat Certificate System Administrator’s Guide • September 2005
Java SDK Extension Mechanism for Customization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
How Certificate System Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
CS Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
About the Certificate Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
How the Certificate Manager Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
About the Registration Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
How the Registration Manager Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Data Recovery Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Online Certificate Status Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Deployment Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Single Certificate Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Certificate Manager and Registration Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Certificate Manager and Data Recovery Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Certificate Manager, Data Recovery Manager, and Registration Manager . . . . . . . . . . . . . . . . . . . . . . . . . 53
Cloned Certificate Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
System Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
CS Component . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
HTTP Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Service Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
JSS and the Java/JNI Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
NSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
PKCS #11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Management Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
JRE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Internal LDAP Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Administration Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
CS SDK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Support for Open Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Certificate Management Formats and Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Security and Directory Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Chapter 2 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Installation and Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Installation and Configuration Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
About the Installation Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Installation Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Installation Worksheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Installing CS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Uninstalling CS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Chapter 3 Certificate Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Certificate Manager Deployment Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Self-Signed Root vs. Subordinate CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Cloned CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Certificate Manager Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Certificate Manager Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Password Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Internal Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Installing a Certificate Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Installing a Certificate Manager as a Root CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Installing a Certificate Manager as a Subordinate CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Configuring the Certificate Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Adding Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Configuring Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Managing Certificates and the Certificate Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Changing Ports and IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Changing Subsystem Security Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Changing Passwords or Storage Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Configuring Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Changing Internal Database Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Configuring Self Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Setting Up a Mail Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Changing the Certificate Issuance Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Setting Up Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Configuring Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Configuring Certificate Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Configuring Publishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Configuring OCSP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Setting Up CRLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Setting Up Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Setting Up Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Customizing the End Entity Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Adding Data Recovery Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Setting Up a CMC Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Setting Up the CMCAuth Authentication Plug-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Setting Up the Server for Multiple Requests in a Full CMC Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
How The Certificate Manager Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Renewal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Revocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Federal Bridge CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Issuing Cross-Pair Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Importing Cross-Pair Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Publishing Cross-Pair Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Cloning a CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Chapter 4 Registration Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Registration Manager Deployment Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Registration Managers Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Registration Manager Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Password Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Internal Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Signing Key Type and Length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Installing a Registration Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Configuring a Registration Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Setting Up Trust With a CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Adding Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Configuring Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Managing Certificates and the Certificate Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Changing Ports and IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Changing Subsystem Security Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Changing Passwords or Storage Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Configuring Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Changing Internal Database Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Configuring Self Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Setting Up a Mail Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Setting Up Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Configuring Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Configuring Certificate Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
CRLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Setting Up Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Setting Up Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Customizing the End Entity Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Adding Data Recovery Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
How a Registration Manager Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Renewal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Revocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Chapter 5 OCSP Responder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
About OCSP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
How OCSP Services Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
OCSP Response Signing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
OCSP Responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
CS OCSP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Setting Up a Certificate Manager with OCSP Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Online Certificate Status Manager Deployment Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Online Certificate Status Manager Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Password Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Internal Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Signing Key Type and Length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Installing an Online Certificate Status Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Setting Up the OCSP Responder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Configuring the Online Certificate Status Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Adding Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Configuring Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Managing Certificates and the Certificate Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
OCSP Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Changing Ports and IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Changing Subsystem Security Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Changing Passwords or Storage Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Configuring Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Changing Internal Database Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Configuring Self Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Setting Up Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Identifying the CA to the OCSP Responder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Configure the Revocation Info Stores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Testing Your OCSP Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Chapter 6 Data Recovery Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
PKI Setup for Key Archival and Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Clients That Can Generate Dual Key Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Data Recovery Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Forms for Users and Key Recovery Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Key Archival Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Why You Should Archive Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Where the Keys are Stored . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
How Key Archival Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Key Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Key Recovery Agents and Their Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
How Agent-Initiated Key Recovery Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Key Recovery Agent Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Installing a Standalone Data Recovery Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Data Recovery Manager’s Key Pairs and Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Internal Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Key Type and Length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Installing the Data Recovery Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Configuring Key Archival and Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Step 1. Set Up the Key Archival Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Step 2. Set Up the Key Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Step 3. Test Your Key Archival and Recovery Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Chapter 7 Token Management System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Token Processing Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Token Key Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Enterprise Security Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Chapter 8 Administrative Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
The Administrative Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Red Hat Administration Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Red Hat Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
The CS Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Setting up Certificate Authentication for the CS Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
System Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Password-Quality Checker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Passwords Stored by the Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Starting, Stopping, and Restarting CS Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Starting a Server Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Stopping a Server Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Restarting a Server Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Subsystem Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Configuring Multiple CS Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Removing an Instance From a System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Mail Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Locating the Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Editing the Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Guidelines for Editing the Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Duplicating Configuration From One Instance to Another . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
About Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Services That Are Logged . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Log Levels (Message Categories) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Buffered Versus Unbuffered Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Configuring Logs in the CS Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Configuring Logs in the CS.cfg File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Monitoring Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Signing Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Registering a Log Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Deleting a Log Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Signed Audit Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Setting Up Signed Audit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Audit Logging Failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Self Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Self Test Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Self Test Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Modifying Self Test Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
About Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Changing a Port Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Changing an IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
The Internal Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
About the Internal Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Changing the Internal Database Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Enable SSL Client Authentication with the Internal Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Restricting Access to the Internal Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Managing the Certificate Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Viewing and Deleting Certificate Database Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Changing the Trust Settings of a CA Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Installing a New CA Certificate in the Certificate Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Installing a CA Certificate Chain in the Certificate Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Certificate Setup Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Consideration When Getting New Certificates for the Subsystems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Tokens for Storing CS Keys and Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Internal Token . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
External Token . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Managing Tokens Used by the Subsystems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Hardware Cryptographic Accelerators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Configuring the Server’s Security Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Configuring the Server to Use Separate SSL Server Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Getting an SSL Client Certificate for a Subsystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Chapter 9 Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
About Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
How Authorization Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Default Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Setting up Administrators, Agents, and Auditors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Creating a User and Assigning Them to a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Storing a User’s Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Setting up Agents Using the Automated Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Setting Up a Trusted Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Agent Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
First Agent Certificate for a Certificate Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Getting an Agent’s Certificate from a Public CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Getting an Agent’s Certificate from Certificate System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Revocation Status Checking of Agent Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Modifying CS User Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Changing a CS User’s Login Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Changing a CS User’s Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Changing Members in a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Deleting a CS User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Creating a New Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Authorization for CS Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Access Control Lists (ACLs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Access Control Instructions (ACIs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Changing Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
How ACIs are Formed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Editing ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
ACL Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
certServer.acl.configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
certServer.admin.certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
certServer.admin.request.enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
certServer.auth.configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
certServer.ca.certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
certServer.ca.certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
certServer.ca.configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
certServer.ca.connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
certServer.ca.clone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
certServer.ca.crl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
certServer.ca.directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
certServer.ca.group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
certServer.ca.ocsp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
certServer.ca.profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
certServer.ca.profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
certServer.ca.requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
certServer.ca.request.enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
certServer.ca.request.profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
certServer.ca.systemstatus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
certServer.ee.certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
certServer.ee.certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
certServer.ee.certchain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
certServer.ee.crl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
certServer.ee.profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
certServer.ee.profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
certServer.ee.facetofaceenrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
certServer.ee.request.enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
certServer.ee.request.facetofaceenrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
certServer.ee.request.ocsp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
certServer.ee.request.revocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
certServer.ee.requestStatus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
certServer.general.configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
certServer.job.configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
certServer.kra.certificate.transport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
certServer.kra.configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
certServer.kra.connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
certServer.kra.key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
certServer.kra.keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
certServer.kra.request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
certServer.kra.requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
certServer.kra.request.status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
certServer.kra.systemstatus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
certServer.log.configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
certServer.log.configuration.SignedAudit.expirationTime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
certServer.log.configuration.fileName . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
certServer.log.content.SignedAudit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
certServer.log.content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
certServer.ocsp.ca . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
certServer.ocsp.cas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
certServer.ocsp.certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
certServer.ocsp.configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
certServer.ocsp.crl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
certServer.policy.configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
certServer.profile.configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
certServer.publisher.configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
certServer.ra.configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
certServer.ra.certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
certServer.ra.connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
certServer.ra.facetofaceenrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
certServer.ra.facetofaceenrollment.enableHosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
certServer.ra.group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
certServer.ra.profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
certServer.ra.profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
certServer.ra.request.enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
certServer.ra.request.profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
certServer.ra.requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
certServer.registry.configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
certServer.ra.systemstatus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
certServer.usrgrp.administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Chapter 10 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Enrollment Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
How Authentication Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
About Renewal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Dual-Key Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Agent-Approved Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Setting Up Agent-Approved Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Automated Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Setting Up Directory Based Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Setting Up Pin Based Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Setting Up Portal Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Setting Up CMC Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Agent Initiated End User Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Setting Up Agent Initiated Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Certificate-Based Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Setting Up Certificate Based Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Issuing and Managing Server Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Renewal of Server Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Getting Certificates for Netscape Version 4.x and Later Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
CEP Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
About CEP Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Setting Up Automated CEP Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Setting Up Publishing of CEP Certificates and CRLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Certificate Issuance to Routers or VPN Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Testing Your Enrollment Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Managing Authentication Plug-ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Generating Files Required By Third-Party Object Signing Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Chapter 11 Certificate Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
About Certificate Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
How Certificate Profiles Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Setting Up Certificate Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Modifying a Certificate Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Certificate Profile Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Input Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Certificate Request Input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Dual Key Generation Input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Key Generation Input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Subject Name Input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Submitter Information Input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Output Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
certOutputImpl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Defaults Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Authority Info Access Extension Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Authority Key Identifier Extension Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
Basic Constraints Extension Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
CRL Distribution Points Extension Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Extended Key Usage Extension Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Freshest CRL Extension Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Key Usage Extension Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Name Constraints Extension Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Red Hat Comment Extension Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Netscape Certificate Type Extension Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
No Default Extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
OCSP No Check Extension Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Policy Constraints Extension Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Policy Mappers Extension Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Signing Algorithm Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Subject Alternative Name Extension Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Subject Key Identifier Extension Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Subject Name Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Token Supplied Subject Name Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
User Supplied Extension Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
User Supplied Key Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
User Signing Algorithm Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
User Supplied Subject Name Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
User Supplied Validity Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
Validity Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
Constraints Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Basic Constraints Extension Constraint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Extended Key Usage Extension Constraint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
Extension Constraint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
Key Constraint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
Key Usage Extension Constraint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
No Constraint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Netscape Certificate Type Extension Constraint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Signing Algorithm Constraint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Subject Name Constraint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Validity Constraint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
14 Red Hat Certificate System Administrator’s Guide • September 2005
Chapter 12 Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Introduction to Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
About Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Policy Processor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Using Predicates in Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Configuring Policy Rules for a Subsystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Modifying Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Deleting Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Adding New Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Reordering Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Testing Policy Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Using JavaScript for Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Constraints-Specific Policy Module Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
AttributePresentConstraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
DSAKeyConstraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
IssuerConstraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
KeyAlgorithmConstraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
RenewalConstraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
RenewalValidityConstraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
RevocationConstraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
RSAKeyConstraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
SigningAlgorithmConstraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
SubCANameConstraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
UniqueSubjectNameConstraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
ValidityConstraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Extension-Specific Policy Module Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
AuthInfoAccessExt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
AuthorityKeyIdentifierExt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
BasicConstraintsExt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
CertificatePoliciesExt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
CertificateRenewalWindowExt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
CertificateScopeOfUseExt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
CRLDistributionPointsExt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
ExtendedKeyUsageExt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
GenericASN1Ext . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
IssuerAltNameExt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
KeyUsageExt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
NameConstraintsExt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
NSCCommentExt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
NSCertTypeExt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
OCSPNoCheckExt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
PolicyConstraintsExt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
PolicyMappingsExt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
PrivateKeyUsagePeriodExt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
RemoveBasicConstraintsExt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
SubjectAltNameExt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
SubjectDirectoryAttributesExt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
SubjectKeyIdentifierExt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Managing Policy Plug-in Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
Registering a Policy Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
Deleting a Policy Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
Chapter 13 Automated Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
About Automated Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Setting Up Automated Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Types of Automated Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
Determining End-Entity Email Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Setting Up Automated Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Configuring Specific Notifications By Editing the Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Testing Your Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Customizing Notification Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
Notification Message Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
Token Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551
Chapter 14 Automated Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
About Automated Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
Setting Up Automated Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
Types of Automated Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
Setting Up the Job Scheduler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555
Frequency Settings for Automated Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555
Enabling and Configuring the Job Scheduler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
Setting Up Specific Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
Enabling and Configuring Specific Jobs Using the CS Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
Enabling and Configuring Specific Jobs By Editing the Configuration File . . . . . . . . . . . . . . . . . . . . . . . 560
Configuration Parameters of RenewalNotificationJob . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
Configuration Parameters of RequestInQueueJob . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
Configuration Parameters of UnpublishExpiredJob . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
Customizing Notification Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
Templates for Summary Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
Token Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
Managing Job Plug-ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
Registering or Deleting a Job Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568
Chapter 15 Revocation and CRLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
Revocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
Authentication of End Users During Certificate Revocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
Certificate Revocation Forms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
CMCRevocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
Setting Up CMC Revocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
Testing CMC Revoke . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
About CRLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
Reasons for Revoking a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Revocation Checking by Red Hat Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
Publishing of CRLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
CRL Issuing Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Delta CRLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
How CRLs Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Setting Up the Issuance of CRLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Configuring Issuing Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Configuring CRLs for Each Issuing Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
Setting CRL Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
CRL Extension Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
AuthorityKeyIdentifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
CRLNumber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
CRLReason . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
DeltaCRLIndicator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
FreshestCRL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
HoldInstruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
InvalidityDate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
IssuerAlternativeName . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
IssuingDistributionPoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
Chapter 16 Publishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
About Publishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
About Publishers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
About Mappers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
About Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
About Publishing to Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
About LDAP Publishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
About OCSP Publishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
How Publishing Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
Setting Up Publishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598
Publishers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
Configuring Publishers for Publishing to a File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
Configuring Publishers for Publishing to OCSP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
Configuring Publishers for LDAP Publishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
Publisher Plug-in Module Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606
Mappers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
Configuring Mappers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
Mapper Plug-in Modules Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621
Modifying Publishing Rules for Certificates and CRLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
Rule Instance Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
Enabling Publishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628
Testing Publishing to Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
Configuring the Directory for LDAP Publishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
Entry for the CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
Bind DN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
Directory Authentication Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
Updating Certificates and CRLs in a Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
Manually Updating Certificates in the Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
Manually Updating the CRL in the Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638
Registering and Deleting Mapper and Publisher Plug-in Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638
Chapter 17 Configuring CS for High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
CS High Availability Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
Architecture of a Failover System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642
Load balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643
Cloning the Certificate Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
Cloning Preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
Cloning the CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
Testing the CA Cloned-Master Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657
Additional CRL Scheduling Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658
Cloned-Master CA Conversion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659
Converting a Master CA into a Cloned CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659
Converting a Cloned CA into a Master CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 660
Cloning the Online Certificate Status Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 662
Preparing to Clone the Online Certificate Status Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
Cloning the OCSP Responder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664
Testing the OCSP Cloned-Master Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667
Cloned-Master OCSP Responder Conversion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667
Converting a Master OCSP Responder into a Cloned OCSP Responder . . . . . . . . . . . . . . . . . . . . . . . . . 667
Converting a Cloned OCSP Responder into a Master OCSP Responder . . . . . . . . . . . . . . . . . . . . . . . . . 668
Cloning the Data Recovery Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669
Preparing to Clone the DRM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669
Cloning the DRM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670
Testing the DRM Cloned-Master Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 675
Cloned-Master DRM Responder Conversion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 675
Appendix A Common Criteria Environment: Security Requirements . . . . . . . . . . . . . . . . . . . . . . . . 677
Security Requirements for the IT Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677
Security Audit (FAU) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 678
Cryptographic Support (FCS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681
User Data Protection (FDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681
Identification and Authentication (FIA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 682
Security Management (FMT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683
Protection of the TSF (FPT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 685
Trusted Path/Channels (FTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 686
CIMC TOE Access Control Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 687
Appendix B Common Criteria Environment: Setup and Operations . . . . . . . . . . . . . . . . . . . . . . . . . 689
PKI Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689
Security Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689
TOE Security Environment Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
Security Requirements for the IT Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
IT Environment Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
Reliable Timestamp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
Private and Secret Key Zeroization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
Password and Certificate Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691
Hardware Token . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691
Protection of Private and Secret Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691
Supported Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 692
Supported Browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 692
CS Privileged Users and Groups (Roles) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 692
CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 692
RA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693
DRM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 694
OCSP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 694
About Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695
CS Common Criteria Environment Setup and Installation Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696
Understanding Setup of Common Criteria Evaluated Red Hat CS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696
CS Common Criteria Environment Setup and Installation Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696
Appendix C Understanding the Common Criteria Evaluated CS Setup . . . . . . . . . . . . . . . . . . . . . . . 697
Understanding the Common Criteria Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697
Secure Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697
CS Roles Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698
Who Needs to be Present . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698
Understanding Operating System Setup (Users, Groups, and File Permissions) . . . . . . . . . . . . . . . . . . . . 698
Understanding CS Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699
Configuring CS to Use Hardware Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699
Revocation Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699
SSL Client Authentication with the Internal Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699
CS Administrative Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700
Backup and Restore of a CS Subsystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700
Common Criteria Deployment Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700
Features That Are Not Part of the Common Criteria Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
Understanding Subsystem Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702
CS Role Users and Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702
Audit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703
Certificate Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703
Certificate Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703
CRLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704
Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704
Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704
Publishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704
Self Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705
Trust Between Subsystems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705
Key Archival and Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705
OCSP Responder Revocation Information Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706
Common Criteria Environment Setup Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706
Appendix D Common Criteria Environment: Security Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
1.1 Security Objectives for the TOE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
1.1.1 Authorized Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
1.1.2 System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 708
1.1.3 Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 708
1.1.4 External Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 708
1.2 Security Objectives for the Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 708
1.2.1 Non-IT security objectives for the environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 708
1.2.2 IT security objectives for the environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 710
1.3 Security Objectives for both the TOE and the Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
Appendix E Common Criteria Environment: TOE Security Environment Assumptions . . . . . . . . . 715
1.1 Secure Usage Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
1.1.1 Personnel Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
1.1.2 Physical Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717
1.1.3 Connectivity Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717
1.2 Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717
1.2.1 Authorized Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717
1.2.2 System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 718
1.2.3 Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 718
1.2.4 External Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719
1.3 Organization Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719
Appendix F Certificate Download Specification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721
Data Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721
Binary Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721
Text Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 722
Importing Certificate Chains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 722
Importing Certificates into Communicator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723
Importing Certificates into Red Hat Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 724
Object Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 724
Appendix G Certificate and CRL Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 725
Introduction to Certificate Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 725
Structure of Certificate Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 727
Sample Certificate Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 728
Standard X.509 v3 Certificate Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 730
Introduction to CRL Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741
Structure of CRL Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 742
Sample CRL and CRL Entry Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 743
Standard X.509 v3 CRL Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 744
Extensions for CRLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 744
CRL Entry Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 746
Netscape-Defined Certificate Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 748
CA Certificates and Extension Interactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749
Appendix H Object Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 751
What’s an Object Identifier? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 751
Registration of Object Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 751
Appendix I Distinguished Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 753
What Is a Distinguished Name? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 753
Distinguished Name Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 754
DNs in Certificate System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 756
Extending Attribute Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 758
Role of Distinguished Names in Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763
Appendix J Introduction to Public-Key Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 767
Internet Security Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 767
Encryption and Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 769
Symmetric-Key Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770
Public-Key Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771
Key Length and Encryption Strength . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 772
Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 772
Certificates and Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 774
A Certificate Identifies Someone or Something . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 774
Authentication Confirms an Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 775
How Certificates Are Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 780
Contents of a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 784
How CA Certificates Are Used to Establish Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 788
Managing Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 794
Issuing Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795
Certificates and the LDAP Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 796
Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 796
Renewing and Revoking Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797
Registration Authorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797
Appendix K Introduction to SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799
The SSL Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799
Ciphers Used with SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 801
Cipher Suites With RSA Key Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 802
Fortezza Cipher Suites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 804
The SSL Handshake . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 805
Server Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807
Man-in-the-Middle Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810
Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 813
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 829
About This Guide
This Administrator’s Guide explains how to install, configure, and maintain Red Hat Certificate System (CS), and use it for issuing and managing certificates to various end entities, such as web browsers (users), servers, Virtual Private Network (VPN) clients, and Cisco™ routers.
This preface has the following sections:
Who Should Read This Guide
What You Should Know
What’s in This Guide
Conventions Used in This Guide
Documentation
Who Should Read This Guide
This guide is intended for experienced system administrators who are planning to deploy CS. CS agents should refer to CS Agent’s Guide for information on how to perform agent tasks, such as handling certificate requests and revoking certificates.
What You Should Know
This guide assumes the following:
You understand the concepts of intranet, extranet, and Internet security and the role of digital certificates in a secure enterprise, including the following topics:
Encryption and decryption
Public keys, private keys, and symmetric keys
Significance of key lengths
Digital signatures
Digital certificates, including various types of digital certificates
The role of digital certificates in a public-key infrastructure (PKI)
Certificate hierarchies
You are familiar with LDAP, Red Hat Directory Server, and working with Red Hat Console.
You are familiar with the basic concepts of public-key cryptography and the Secure Sockets Layer (SSL) protocol including the following:
SSL cipher suites
The purpose of and major steps in the SSL handshake
What’s in This Guide
This guide contains the following elements:
Chapter 1, “Overview” Provides a listing of the features of CS, an overview of how CS works, an architectural overview of CS, and lists the standards used in the product.
Chapter 2, “Installation” Provides step-by-step installation instructions.
Chapter 3, “Certificate Manager”
Provides information about installing a Certificate Manager, step-by-step instructions for installing a Certificate Manager, an overview of the configuration options for a Certificate Manager, information about Federal Bridge CA, and information on setting up a cloned CA.
Chapter 4, “Registration Manager”
Provides information about installing a Registration Manager, step-by-step instructions for installing a Registration Manager, and an overview of the configuration options for a Registration Manager.
Chapter 5, “OCSP Responder”
Provides information about installing an Online Certificate Status Manager, step-by-step instructions for installing an Online Certificate Status Manager, and an overview of the configuration options for an Online Certificate Status Manager.
Chapter 6, “Data Recovery Manager”
Provides information about installing a Data Recovery Manager, step-by-step instructions for installing a Data Recovery Manager, and an overview of the configuration options for a Data Recovery Manager.
Chapter 8, “Administrative Basics”
Provides information and procedures for performing configuration that is common to all subsystems, including working in the administrative interface; starting and stopping the server; working with logs; working with self-tests; managing the database; and managing the certificate database.
Chapter 9, “Authorization”
Provides information and procedures for setting up Access Control Lists that define authorization, creating users, and assigning users to groups to give them the privileges defined by the ACLs for that group.
Chapter 10, “Authentication”
Provides information and procedures for setting up various authentication methods to automate the enrollment process.
Chapter 11, “Certificate Profiles”
Provides information and procedures for configuring the profile feature.
Chapter 12, “Policies” Provides information and procedures for configuring the policy feature.
Chapter 13, “Automated Notifications”
Provides information and procedures for configuring the notification feature.
Chapter 14, “Automated Jobs”
Provides information and procedures for configuring the jobs feature.
Chapter 15, “Revocation and CRLs”
Provides information and procedures for configuring the CRL feature and revoking certificates.
Chapter 16, “Publishing” Provides information and procedures for configuring the publishing feature.
Appendix , “” Provides information about clones, failover, and configuring CS for failover support.
Appendix A, “Common Criteria Environment: Security Requirements”
Provides security requirements for running CS in the Common Criteria Environment.
Appendix B, “Common Criteria Environment: Setup and Operations”
Provides details on setting up CS in the Common Criteria Environment.
Appendix C, “Understanding the Common Criteria Evaluated CS Setup”
Provides information about running CS in the Common Criteria Environment.
Appendix F, “Certificate Download Specification”
Provides information about the certificate download specification.
Appendix G, “Certificate and CRL Extensions”
Provides general information about Certificate and CRL extensions.
Appendix H, “Object Identifiers”
Provides general information about object identifiers.
Appendix I, “Distinguished Names”
Provides general information about distinguished names.
Appendix J, “Introduction to Public-Key Cryptography”
Provides general information about public-key cryptography.
Appendix K, “Introduction to SSL”
Provides introductory information about SSL.
Conventions Used in This Guide
The following conventions are used in this guide:
Monospaced font
This typeface is used for any text that appears on the computer screen or text that you should type. It’s also used for filenames, functions, and examples.
Example: Server Root is the directory where the CS binaries are kept.
Italic
Italic type is used for emphasis, book titles, and glossary terms.
Example: This control depends on the access permissions the super administrator has set up for you.
Boldface
Boldface type is used for various UI components such as captions and field names, and the terminology explained in the glossary.
Example:
Rotation frequency. From the drop-down list, select the interval at which the server should rotate the active error log file. The available choices are Hourly, Daily, Weekly, Monthly, and Yearly. The default selection is Monthly.
Monospaced [ ]
Square brackets enclose arguments that are optional.
Example:
PrettyPrintCert <input_file> [<output_file>]
<input_file> specifies the path to the file that contains the base-64 encoded certificate.
<output_file> specifies the path to the file to write the certificate. This argument is optional; if you don’t specify an output file, the certificate information is written to the standard output.
Monospaced <>
Angle brackets enclose variables or placeholders. When following examples, replace the angle brackets and their text with text that applies to your situation. For example, when path names appear in angle brackets, substitute the path names used on your computer.
Example: Using Netscape Communicator 4.7 or later, enter the URL for the Red Hat Administration Server:
http://<hostname>:<port_number>
Slash (/)
A slash is used to separate directories in a path.
Example: Except for the Security Module Database Tool, you can find all the other command-line utilities at this location:
<server_root>/bin/cert/tools
Documentation
The document set for Certificate System also contains the following guides:
Managing Servers with Red Hat Console - Provides background information on basic cryptography concepts and the role of Red Hat Console.
CS Administrator’s Guide (this guide) - Describes how to plan for, install, and administer CS.
CS Command-Line Tools Guide - Provides detailed reference information on CS tools.
CS Customization Guide - Provides detailed reference information on customizing the HTML-based agent and end-entity interfaces.
CS Agent’s Guide - Provides detailed reference information on CS agent interfaces. To access this information from the Agent Services pages, click any help button.
For the latest information about Certificate System, including current release notes, complete product documentation, technical notes, and deployment information, check this site:
http://www.redhat.com/docs/manuals/cert-system/
Notes and Cautions:
NOTE A note alerts you to information that may be of interest to you.
CAUTION A caution signals a potential risk of losing data, damaging software or hardware, or otherwise disrupting system performance.
Chapter 1
Overview
This chapter provides an overview of Red Hat Certificate System (CS), a highly configurable set of software components and tools for creating, deploying, and managing certificates. Based on open standards for certificate management, Certificate System provides a complete, customizable, robust, scalable, and high-performance certificate management solution for your public-key infrastructure (PKI), extranets and intranets.
This chapter contains the following sections:
Features
How Certificate System Works
Deployment Scenarios
System Architecture
CS SDK
Support for Open Standards
Features
This section discusses the features of CS.
Subsystems
CS has four subsystems, each highly configurable, to provide flexibility in setting up your PKI. The four subsystems that comprise CS are as follows:
The Certificate Manager is the subsystem that provides Certificate Authority functionality for issuing, renewing, revoking, and publishing certificates and creating and publishing CRLs. See Chapter 3, “Certificate Manager” for complete details.
The Registration Manager is an optional subsystem that provides Registration Authority functionality. It establishes a trusted relationship with a Certificate Manager in which its signed requests are processed. See Chapter 4, “Registration Manager” for complete details.
The Online Certificate Status Manager is an optional subsystem that provides stand-alone OCSP responder services. See Chapter 5, “OCSP Responder” for complete details.
The Data Recovery Manager is an optional subsystem that provides private encryption key storage and retrieval. See Chapter 6, “Data Recovery Manager” for complete details.
Certificate Manager Flexibility and Scalability
The Certificate Manager can be deployed in several ways to provide flexibility in your PKI. Features include:
support for multiple registration authorities tied to a single CA
the ability to act as a root or subordinate CA
high-availability cloning to allow CAs with identical functionality, keys and certificates to issue certificates with different sets of serial numbers.
Single CA Supports Multiple Registration Authorities
CS lets you separate the registration process from the certificate-signing process with the help of Registration Managers. You can run multiple Registration Managers remotely, all reporting to a single Certificate Manager, to verify user identities and process certificate issuance, renewal, and revocation requests. The remote Registration Managers forward their completed and approved requests to the Certificate Manager for it to sign and issue the certificate automatically.
The Certificate Manager’s ability to support multiple Registration Managers makes it more scalable and also adds an extra layer of security for the CA. For example, you can set a policy that requires all clients to go through a remote Registration Manager, and then have the remote Registration Manager route all client requests to the Certificate Manager located inside a firewall.
Root or Subordinate CA
CS can function as a root CA; in this case, the server signs its own CA signing certificate as well as other CA signing certificates, enabling you to create your own CA hierarchy. You can also install the server to function as a subordinate CA; in this case, the server gets its CA signing key signed by another CA in an existing CA hierarchy. See “Self-Signed Root vs. Subordinate CA,” on page 78 for complete details.
Linked CA
CS can function as a linked CA, chaining up to many third-party or public CAs for validation; this provides cross-company trust, so applications can verify certificate chains outside the company certificate hierarchy. You chain a Certificate Manager to a third-party CA by requesting the Certificate Manager’s CA signing certificate from the third-party CA.
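The root, subordinate, and linked CA arrangements above all rest on one mechanism: a CA signing certificate is either self-signed or signed by another CA, and a verifier accepts an end-entity certificate only if it can chain from that certificate, through any intermediate CA certificates, to a root it already trusts. The following Go program is an added example written for this guide; it is not Certificate System code and does not use its tools. It builds a self-signed root, has the root sign a subordinate CA’s signing certificate (only the subordinate’s public key is handed to the root, its private key stays with it), issues a client certificate from the subordinate, and then verifies the chain with and without the subordinate’s certificate present. The CA names, serial numbers, and one-day validity are made up for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Holder pairs a certificate with the private key it certifies.
type Holder struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

// newTemplate builds a minimal X.509 v3 template (names, serials and validity are made up).
func newTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA { // a CA signing certificate must be allowed to sign certificates and CRLs
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// Issue generates a key pair for cn and returns its certificate. With a nil parent
// the certificate is self-signed (a root CA): subject and issuer are the same name.
// Otherwise the parent CA signs it; only the new public key is certified, the
// private key never leaves the holder. A subordinate CA gets pathLenConstraint=0.
func Issue(cn string, serial int64, parent *Holder, isCA bool) (*Holder, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := newTemplate(cn, serial, isCA)
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
		tmpl.MaxPathLenZero = isCA // subordinate may issue end-entity certificates only
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Holder{Cert: cert, Key: key}, nil
}

// VerifyChain validates leaf against the trust anchors in roots, bridging with
// intermediates, and returns the length of the chain found (leaf ... root).
func VerifyChain(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) (int, error) {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// BuildHierarchy constructs root CA -> subordinate CA -> end-entity certificate.
func BuildHierarchy() (root, sub, leaf *Holder, err error) {
	if root, err = Issue("Example Root CA", 1, nil, true); err != nil {
		return
	}
	if sub, err = Issue("Example Subordinate CA", 2, root, true); err != nil {
		return
	}
	leaf, err = Issue("alice", 1001, sub, false)
	return
}

func main() {
	root, sub, leaf, err := BuildHierarchy()
	if err != nil {
		panic(err)
	}
	n, err := VerifyChain(leaf.Cert, []*x509.Certificate{root.Cert}, []*x509.Certificate{sub.Cert})
	fmt.Println("root + subordinate:", n, err)
	// Without the subordinate's certificate the verifier cannot reach the root.
	_, err = VerifyChain(leaf.Cert, []*x509.Certificate{root.Cert}, nil)
	fmt.Println("missing intermediate:", err)
}
```

The same VerifyChain call models the linked-CA case: if the subordinate’s signing certificate had instead been issued by a third-party root, a relying party that trusts that root verifies the chain without knowing anything about the company hierarchy, and a relying party that does not trust it rejects the chain however well-formed it is.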
CA Cloning
If you don’t want to create a CA hierarchy comprising root and subordinate CAs, you can create multiple clones of a Certificate Manager and configure each clone to issue certificates that fall within a distinct range of serial numbers. Because clone CAs and original CAs use the same CA signing key and certificate to sign the certificates they issue, the issuer name in all the certificates will be the same. Clone CAs and the original Certificate Managers they are based on issue certificates as if they are a single CA, and can be placed on different hosts for high availability failover support. See “Cloning a CA,” on page 127 for details. Also see Appendix , “” for information on configuring clones for failover in a CS system.
Interfaces
Each of the subsystems contains interfaces allowing interaction with various portions of the subsystem. All four subsystems share a common administrative interface. All four subsystems have an agent interface specific to that subsystem allowing agents to perform the tasks assigned to them. A Certificate Manager and a Registration Manager have an end-entity services interface allowing end-entities to enroll in the PKI.
Logging
CS produces extensive logs that record system events and errors. Logs are configurable, allowing you to create logs for specific types of events, and for the logging level you desire. See “Logs,” on page 255 for complete details.
32 Red Hat Certificate System Administrator’s Guide • September 2005
Supports Signing of Logs
CS allows you to sign log files digitally before archiving them or distributing them for audit purposes. This feature enables you to check whether the log files were tampered with after being signed. See “Signing Log Files,” on page 266 for complete details.
Auditing
CS can be configured to produce signed audit logs that record auditable events from the subsystem. The audit log feature is configurable, allowing you to specify the events that are logged. An auditor user is assigned who is the only user who can view the audit logs. This user’s certificate is used to sign and encrypt the logs. See “Signed Audit Log,” on page 268 for complete details.
Self Tests
CS provides the framework for self-tests of the system that are automatically run at startup and can be run on demand. It ships with a set of self tests that are configurable and allows you to create additional self tests using the CS SDK. See “Self Tests,” on page 272 for complete details.
Authorization
CS provides a new authorization framework that allows you to create groups and assign access control to those groups. You can also change the default access control for prebuilt groups, and assign access control to individual users and IP addresses. Access points for authorization have been created for the major portions of the system allowing you to set access control rules for each of these. You can also create additional access points and additional access control lists using the CS SDK. See Chapter 9, “Authorization” for complete details.
Authentication
CS provides authentication options for certificate enrollment, including agent-approved enrollment, in which an agent processes the request, and several automated enrollments, in which an authentication method is used and, upon successful authentication of the end-entity, the CA automatically issues a certificate. CMC enrollment is also supported, allowing a request signed by an agent to be processed automatically. A set of prebuilt authentication plug-ins is available for you to enable and configure. You can create additional authentication plug-in modules using the CS SDK. See Chapter 10, “Authentication” for complete details.
Certificate Issuance
CS supports enrollment and certificate issuance for a wide variety of end-entities. It can process certificate requests from various end-entities, such as web browsers, servers, routers, and virtual private network (VPN) clients, and issue certificates that conform to the X.509 version 3 standard.
The Certificate Manager can issue certificates with the following characteristics:
Certificates that are X.509 version 3 compliant
Unicode support for certificate subject name and issuer name
Support for empty certificate subject name
Support for customized components in subject names
Support for CEP enrollment
Support for customized extensions
Certificate Profiles
CS has a new feature called certificate profiles. A certificate profile ties the issuance of a particular type of certificate to a single configuration: the content of the certificate, the constraints placed on its issuance, the enrollment method used, and the input and output forms associated with that enrollment.
A set of certificate profiles are included for the most common certificate types. You can use these certificate profiles and configure their settings to suit your needs. Certificate Profiles are configured by an administrator, and then sent to the Agent Services Interface for agent approval. Once a certificate profile is approved, it is enabled for use. A dynamically generated HTML form for the certificate profile is used in the end-entity interface for enrollment which triggers this certificate profile. The server will verify that the defaults and constraints set in the certificate profile are met before acting on the request, and will use the certificate profile to determine the content of the issued certificate. You can create additional Certificate Profile plug-in modules using the CS SDK. See Chapter 11, “Certificate Profiles” for complete details.
Policy
The policy feature of CS allows you to set policies about certificate issuance, renewal, and revocation. Policies define what is allowed, for example the permitted values for the expiration date, and the extensions that are used in a particular type of certificate. A set of prebuilt policies is available for you to enable and configure. You can create additional policy plug-in modules using the CS SDK. See Chapter 12, “Policies” for complete details.
CRLs
CS is capable of creating certificate revocation lists. This configurable framework allows you to define issuing points so a CRL can be created for each issuing point defined. You can issue CRLs for each type of certificate you issue, or for a specific subset of a type of certificate you issue. You can also configure the extensions used in the CRLs, and set up the frequency and intervals that CRLs are published. Delta CRLs can also be created for any issuing point that is defined.
The Certificate Manager can issue X.509 v1 or v2 CRLs. A CRL can be automatically updated whenever a certificate is revoked or at specified intervals. See Chapter 15, “Revocation and CRLs” for complete details.
Publishing
The publishing feature allows you to publish certificates to files and an LDAP directory, and CRLs to files, LDAP directory, and an OCSP responder. The publishing framework provides a robust set of tools that allow you to publish to all three methods, and enables you to create rules that allow you to define a finer granularity of which types of certificates or CRLs are published where. You can enable and configure the default publishing modules, or you can create additional publishing plug-in modules using the CS SDK. See Chapter 16, “Publishing” for complete details.
Notifications
Notifications is a feature that allows you to set up automated messages when a particular event occurs, such as when a certificate is issued or revoked. The notification framework comes with default modules that you can enable and configure. You can create additional notification plug-in modules using the CS SDK. See Chapter 13, “Automated Notifications” for complete details.
Jobs
The Jobs feature allows you to set up automated jobs that run at defined intervals. The jobs framework comes with default jobs that you can enable and configure. You can create additional job plug-in modules using the CS SDK. See Chapter 14, “Automated Jobs” for complete details.
Dual Key Pairs
CS supports certificate generation for dual key pairs—separate key pairs for signing and encrypting mail messages and other data. To support separate key pairs for signing and encrypting data, CS supports generation of dual certificates for end-entities capable of generating dual key pairs, and supports key archival for encryption keys. If a client makes a certificate request for dual key pairs, the server issues two separate certificates. This feature is only supported for Netscape 7.0 and later browsers.
HSMs and Crypto Accelerators
CS supports Hardware Security Modules and crypto accelerators provided by various third-party vendors of PKCS #11 version 2.01-compliant products.
You can configure the server to use different PKCS #11 modules to generate and store key pairs (and certificates) for the Certificate Manager, Registration Manager, and Data Recovery Manager. Note that PKCS #11 hardware devices also provide key backup and recovery features for the key material stored on the hardware token. Be sure to refer to the PKCS #11 vendor documentation on this subject.
Support for Open Standards
With its support for open standards, CS gives organizations confidence that they will be able to communicate within a heterogeneous computing environment. CS supports standards in the following ways:
Formulates, signs, and issues industry-standard X.509 version 3 public-key certificates; version 3 certificates include extensions that make it easy to include organization-defined attributes. This means that you can use these certificates for extranet and Internet authentication as well.
Supports RSA public-key algorithm for signing and encryption, DSA public-key algorithm for signing, and MD2, MD5, and SHA-1 for hashing.
Supports signature key lengths of up to 1024 bits (DSA) and 4096 (RSA) on both hardware and software tokens.
Supports multiple message formats, such as KEYGEN/SPKAC, CRMF/CMMF, CRS/CEP/SCEP, PKCS #10, and CMC for certificate requests. All requests are delivered to CS over HTTP or HTTPS; in the case of the CRS/CEP/SCEP protocol, the delivery method is always HTTP.
Supports certificate formats that encompass certificates for SSL-based client and server authentication, secure Multipurpose Internet Mail Extensions (S/MIME) message signing and encryption, object signing, VPN clients, and Cisco™ routers.
Supports generation and publication of CRLs conforming to X.509 version 1 and 2.
Publishes certificates and CRLs to any LDAP-compliant directory over LDAP and HTTP/HTTPS connections.
Publishes certificates and CRLs to a flat file for importing into other resources. For example, the sample code for the flat file CRL and certificate publisher can be customized to store certificates and CRLs in an Oracle™ RDBMS.
Publishes CRLs to an online validation authority (or OCSP responder), enabling real-time verification of certificates by OCSP-compliant clients.
Java SDK Extension Mechanism for Customization
The software development kit (SDK) provided with CS includes APIs and tutorials for customizing different aspects of the system. You can write the following custom modules:
Authentication
Authorization
Logs
Policy
Certificate Profiles
Jobs
Mapper and publisher classes
How Certificate System Works
CS allows you to manage certificates by providing a flexible, scalable system for issuing, renewing, and publishing certificates; creating and publishing CRLs; and providing key storage and retrieval capabilities.
CS Basics
CS is installed on each host running a CS subsystem. The subsystems that will be run on that host are then installed with a default configuration. The default configuration includes basic administrative tasks like logging, and also contains configurable plug-in modules that are specific to each subsystem. You can set up more than one subsystem on each host, or multiple instances of a subsystem on the same host or on different hosts.
Subsystems
The four subsystems that comprise CS are as follows:
The Certificate Manager is the subsystem that provides Certificate Authority functionality for issuing, renewing, revoking, and publishing certificates and creating and publishing CRLs. See Chapter 3, “Certificate Manager” for complete details.
The Registration Manager is an optional subsystem that provides Registration Authority functionality. It establishes a trusted relationship with a Certificate Manager where its signed requests are processed by the Certificate Manager. See Chapter 4, “Registration Manager” for complete details.
The Online Certificate Status Manager is an optional subsystem that provides stand-alone OCSP responder services. See Chapter 5, “OCSP Responder” for complete details.
The Data Recovery Manager is an optional subsystem that provides private encryption key storage and retrieval. See Chapter 6, “Data Recovery Manager” for complete details.
Interfaces
Each of the subsystems contains interfaces allowing interaction with various portions of the subsystem. All four subsystems share a common administrative interface. All four subsystems have an agent interface specific to that subsystem allowing agents to perform the tasks assigned to them. A Certificate Manager and a Registration Manager have an end-entity services interface allowing end-entities to enroll in the PKI.
Administrative Interface—The administrative interface is a Java application, called Red Hat Console, that provides a GUI for performing administrative tasks and for configuring plug-in modules and instances of plug-in modules. The area of Red Hat Console that is specific to CS tasks is called the CS console. This interface is similar for all four subsystems. It contains some common configurable features, but also contains different plug-in types that can be configured depending on the kind of subsystem installed. The administrative interface is configured for user ID and password authentication; you can also configure it for SSL authentication.
Agent Services Interface—The agent services interface is a customizable HTML interface that can be used to perform agent tasks, such as editing and approving requests for certificate approval, certificate renewal, and certificate revocation. The agent services interface is almost identical for a Certificate Manager and a Registration Manager. The agent services interfaces for a Data Recovery Manager and an Online Certificate Status Manager are specific to those subsystems.
End-Entity Services Interface—The end-entity interface is a customizable HTML interface that end-entities can use to enroll in your PKI, renew certificates, revoke their own certificates, and pick up issued certificates. It contains forms for different types of enrollments and for enrolling different types of end-entities. The Certificate Manager and the Registration Manager have an end-entity services interface; the Data Recovery Manager and the OCSP Manager do not.
Logs
Each subsystem produces extensive system and error logs that record various events and system errors so that you can monitor and debug the system. All log records are stored in your local file system for quick and easy retrieval.
CS allows you to sign log files digitally before archiving them or distributing them for audit purposes. This feature enables you to check whether the log files were tampered with after being signed.
The log feature is configurable, allowing you to select logging levels as well as what is logged. You can also create custom logs so that events can be separated by the categories you choose. See “Logs,” on page 255 for complete details.
Auditing
CS maintains audit trails for all events—certificate requests and issuance, revocation requests, CRL publication, and so on. These audit records enable you to detect any unauthorized access or activity.
CS allows you to set up special users called Auditors who have exclusive access to these logs, allowing independent auditing of your PKI.
You can customize audit logs to include the information you want to include in the audit log. See “Signed Audit Log,” on page 268 for complete details.
Internal Database
Each subsystem has its own internal database where it stores such things as issued certificates, certificate requests, and so on. The internal database is an instance of Netscape Directory Server that is used exclusively as the internal database for this subsystem. See “The Internal Database,” on page 281 for complete details.
Authorization
CS is preconfigured with four types of users who have various access to the system:
Administrators who can perform any administrative or configuration task.
Agents who can edit and approve requests.
Auditors who can view and configure audit logs.
Trusted Managers which are subsystems that have a trusted relationship with another subsystem.
CS allows you to create users and assign them the privileges of the groups in which they are members. A user only has privileges for the instance of the subsystem in which the user is created, and only the privileges of the groups in which the user is a member.
A configurable plug-in framework is provided to tailor authorization in your deployment. You can change the default privileges of the groups that are preconfigured by changing ACLs associated with those groups. You can create new groups, assigning privileges to the group by adding them to ACLs defining permissions. For example, you might create a special kind of administrator who is able to run the basic operations of the subsystem, but is not able to configure any of the features. See Chapter 9, “Authorization” for complete details.
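As an added illustration of how group membership, per-user entries, and client IP addresses combine in an ACL decision, including the "operator who cannot configure" group the paragraph above describes. This is example code written for this overview, not Certificate System code; the resource names, operation names, group name "Operators", and the allow/deny rule syntax are constructed for the example and are not the product's own ACL format.

```python
"""Toy group-based authorizer: ACLs of allow/deny rules keyed by resource.

Constructed for illustration; resource and operation names are not the
product's real ACL identifiers.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    effect: str                               # "allow" or "deny"
    operations: FrozenSet[str]
    users: FrozenSet[str] = frozenset()       # empty means "any user"
    groups: FrozenSet[str] = frozenset()      # empty means "any group"
    networks: Tuple = ()                      # empty means "any client address"

    def matches(self, user, groups, addr):
        # Every criterion that is set must match (criteria are ANDed).
        if self.users and user not in self.users:
            return False
        if self.groups and not (groups & self.groups):
            return False
        if self.networks and not any(addr in n for n in self.networks):
            return False
        return True


@dataclass
class Acl:
    resource: str
    rules: List[Rule] = field(default_factory=list)


class Authorizer:
    def __init__(self, acls, memberships):
        self.acls = {a.resource: a for a in acls}
        self.memberships = memberships          # user -> set of group names

    def is_allowed(self, user, client_ip, resource, operation):
        acl = self.acls.get(resource)
        if acl is None:
            return False                        # no ACL for the resource: default deny
        groups = self.memberships.get(user, set())
        addr = ip_address(client_ip)
        allowed = False
        for rule in acl.rules:
            if operation not in rule.operations or not rule.matches(user, groups, addr):
                continue
            if rule.effect == "deny":
                return False                    # any matching deny rule wins
            allowed = True
        return allowed


def build_demo():
    """Constructed users, groups and ACLs (names are hypothetical)."""
    memberships = {
        "alice": {"Administrators"},
        "bob": {"Agents"},
        "carol": {"Auditors"},
        "dave": {"Operators"},   # custom group: may operate the CA but not configure it
    }
    corp = ip_network("10.0.0.0/8")
    rw = frozenset({"read", "modify"})
    acls = [
        Acl("certServer.ca.configuration", [
            Rule("allow", rw, groups=frozenset({"Administrators"}), networks=(corp,)),
            Rule("allow", frozenset({"read"}), groups=frozenset({"Operators"})),
        ]),
        Acl("certServer.ca.requests", [
            Rule("allow", frozenset({"approve"}), groups=frozenset({"Agents"})),
        ]),
        Acl("certServer.log.audit", [
            Rule("allow", frozenset({"read"}), groups=frozenset({"Auditors"})),
            Rule("deny", frozenset({"read"}), groups=frozenset({"Administrators"})),
        ]),
    ]
    return Authorizer(acls, memberships)


def demo():
    az = build_demo()
    cfg, req, audit = "certServer.ca.configuration", "certServer.ca.requests", "certServer.log.audit"
    return {
        "admin_modify_inside": az.is_allowed("alice", "10.1.2.3", cfg, "modify"),
        "admin_modify_outside": az.is_allowed("alice", "203.0.113.5", cfg, "modify"),
        "operator_read": az.is_allowed("dave", "10.1.2.3", cfg, "read"),
        "operator_modify": az.is_allowed("dave", "10.1.2.3", cfg, "modify"),
        "agent_approve": az.is_allowed("bob", "10.1.2.3", req, "approve"),
        "operator_approve": az.is_allowed("dave", "10.1.2.3", req, "approve"),
        "auditor_reads_audit": az.is_allowed("carol", "10.1.2.3", audit, "read"),
        "admin_reads_audit": az.is_allowed("alice", "10.1.2.3", audit, "read"),
        "unknown_resource": az.is_allowed("alice", "10.1.2.3", "certServer.kra.keys", "read"),
    }
```

Two design points carry over to any real ACL deployment: a resource with no ACL is denied rather than allowed, and an explicit deny entry (here, keeping administrators out of the audit log so auditors keep exclusive access) overrides any allow entry that also matches.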
Self Tests
CS contains a new feature called Self Tests that performs certain tests of the system at startup; the tests can also be started manually in the CS console. The tests then report results that you can view. You can configure which tests you want to run, and create customized tests. See “Self Tests,” on page 272 for complete details.
Notifications
Notifications is a feature that allows you to set up automated messages when a particular event occurs, such as when a certificate is issued, or revoked. See Chapter 13, “Automated Notifications” for complete details.
Jobs
The Jobs feature allows you to set up automated jobs that run at defined intervals. See Chapter 14, “Automated Jobs” for complete details.
About the Certificate Manager
The Certificate Manager subsystem provides the capability of a Certificate Authority. It can issue, renew, revoke, and publish certificates, as well as compile and publish CRLs.
The Certificate Manager acts as a Certificate Authority (CA). It can be configured as a self-signing CA, where it is the root CA, or it can act as a subordinate CA, where it obtains its own signing certificate from a public CA.
Scalability
You can configure more than one CA, forming either a vertical or a horizontal chain of CAs. For example, you can create a root CA for your deployment that is either self-signing or subordinate to a public CA, and then have one or more CAs below this root CA. Those CAs can have further CAs below them, forming a chain of CAs. You can also clone a CA so that two CAs are set up in an identical manner and use the same CA signing certificate, but each uses a different range of serial numbers for the certificates it issues.
Federal Bridge Certificate Authority
CS also allows you to create a trusted relationship between two separate CAs by issuing and storing cross-signed certificates between these two CAs. This feature of the PKI is called Federal Bridge Certificate Authority (FBCA). This feature allows you to trust certificates issued by a CA outside of your PKI that shares a cross-signed certificate with the CA in your PKI.
Certificate Manager Functionality
The Certificate Manager issues, renews, and revokes certificates when it receives signed requests from its own agents (users who are assigned privileges to approve enrollment, renewal, and revocation requests), from a trusted Registration Manager, or from a third-party application that sends a request signed with its agent certificate, which has been set up for CMC enrollment or revocation with the Certificate Manager.
The Certificate Manager also compiles lists of revoked certificates, called Certificate Revocation Lists (CRLs) that it can publish to files, an LDAP directory, or an OCSP service.
The Certificate Manager maintains a database of issued certificates, and of processed requests, so that it can track renewal, expiration, and revocation.
Types of Certificates That are Managed
CS can issue and manage certificates for Certificate Authority signing certificates, cross-signed pair certificates (FBCA), SSL server certificates, router certificates, VPN client certificates, and end user certificates.
Revocation and CRLs
CS provides the framework for revoking certificates which can either be initiated by an agent or by the end user themselves. An administrator can also revoke the certificates of any of the subsystems or agents.
CS also supports CMC revocation. When the CMCAuth plug-in is enabled, CMC enrollment and CMC revocation are both enabled. CMC revocation allows you to send signed revocation requests that are automatically processed.
CS is capable of producing Certificate Revocation Lists (CRLs) that it can publish either to files, an LDAP directory, or to an OCSP responder.
You can also set up CRLs by Certificate Issuing Points allowing you to create more than one CRL defined by the issuing point. For example, you can issue a CRL for just CA Signing certificates, or separate CRLs for California and Florida end user certificates.
Delta CRLs can also be produced allowing you to create CRLs that contain only the revoked certificates since the last CRL was produced.
See Chapter 15, “Revocation and CRLs” for complete details.
How the Certificate Manager Works
This section details the processes that a Certificate Manager goes through, and the various configuration settings involved in those processes.
Accepting Enrollment Requests
The Certificate Manager contains an end-entity interface with various forms associated with various types of certificates and various types of users. This interface is customizable, allowing you to show only the forms that are pertinent to your users, change the look and feel of the pages, or add and delete fields for your particular needs. Certificate requests that come through the Certificate Manager’s end-entity interface are processed by the Certificate Manager. If it is an agent-approved enrollment, an agent of the Certificate Manager must approve the request. If it is an automated enrollment, the request is considered approved if the end-entity supplies the correct information and authenticates against the authentication method that is set up. See the Red Hat Certificate System Customization Guide for information about customizing the end-entity interface.
Authentication Methods
CS provides authentication plug-ins that allow you to set up automated enrollment and configure the particular method or methods you use; it also provides agent-approved enrollment, where, by default, an agent must approve the request. Each end-entity form is associated with a particular authentication method, either one of the automated methods or the agent-approved method. The Certificate Manager processes the request according to the method associated with the form. See Chapter 10, “Authentication” for complete details.
Request Processing
When the Certificate Manager processes requests from its own end-entity interface, it first considers the authentication method. If it is an agent-approved authentication method, the request is queued in the agent services interface where it awaits agent approval. The agent can change some aspects of the certificate that will be issued, and can approve, deny, or change the status of the request. If it is an automated enrollment, it authenticates the user, and then continues processing the request.
The Certificate Manager next evaluates the request to ensure that it meets either the policies set for this type of certificate, or the certificate profile set for this type of enrollment.
Policies are a set of plug-ins that allow you to set constraints on the certificate and define the content and the value of that content in the certificate. You can configure the default policies and associate them with a particular authentication method. You can also create custom policy modules. See Chapter 12, “Policies” for complete details.
Certificate Profiles is a new feature that binds an authentication method and certificate type to a set of constraints and certificate content definitions (defaults). It allows you to configure a single module for a type of certificate that binds to an authentication method and sets constraints for the certificate issued as well as defines the content and values for that content in the certificate. You can configure the default certificate profiles or create custom modules. See Chapter 11, “Certificate Profiles” for complete details.
If the policies from either the Policy or the Certificate Profiles framework are not met, the request is rejected; if they are met, the certificate is issued.
Certificate Creation
The Certificate Manager issues certificates when it receives signed requests from its own agents (users who are assigned privileges to approve enrollment, renewal, and revocation requests), from a trusted Registration Manager, or from a third-party application that sends a signed request and is set up for CMC enrollment with the Certificate Manager.
The Certificate Manager creates the certificate using the information in the request and from the policies or certificate profile that are set up that match this kind of request.
Publishing of Certificates
Certificates can be published to a file, an LDAP directory, or OCSP responder. You set up the publishing feature and set up rules that determine which certificates are published using which method, and where exactly they are published. The publishing system is flexible allowing you many options in configuring it. If publishing is set up, a certificate is published to the correct location(s) whenever a certificate is issued. See Chapter 16, “Publishing” for complete details.
Key Archival
If you install a Data Recovery Manager, the private key is requested as part of enrollment and stored in the Data Recovery Manager. See Chapter 6, “Data Recovery Manager” for complete details.
Storing Certificate Requests and Certificates
When it issues a certificate, the Certificate Manager stores both the certificate and the certificate request in its internal database.
Renewing Certificates
A Certificate Manager allows end-entities to renew certificates if the policies are set up to allow renewal. If so, the end-entity submits a renewal request in the end-entity interface and provides the end-entity’s old certificate. The Certificate Manager then issues a new certificate according to the policies set.
Revoking Certificates
End-entities can submit certificate revocation requests in the end-entity interface. They might do this if they lose their private key, or if their certificate has been otherwise compromised. When an end-entity requests a revocation, the request is sent to the agent services interface for agent approval.
An agent can also revoke a certificate if the owner of the certificate is unwilling or unable to do so.
When the certificate is revoked, it is marked revoked in the internal database, and is marked revoked in the publishing system. The certificate is also added to the Certificate Revocation List (CRL) produced by the Certificate Manager. See Chapter 15, “Revocation and CRLs” for complete details.
CRLs
Whenever a certificate is revoked, any CRLs that are set up are updated in the internal database. The updated CRL is also published to a file, an LDAP directory, or an OCSP responder, if you have set up these services. You can configure the Certificate Manager to issue CRLs, and also define CRL Issuing Points that determine which certificates go into each CRL, such as CA signing certificates only, or a subset of a type of certificate, such as the certificates issued to west coast employees.
The publishing framework gives you the flexibility to define which CRL is published where. It also allows you to define the extensions contained in a CRL, and the frequency and intervals at which a CRL is published.
You can also provide delta CRLs, allowing you to publish a list of only those certificates that have been revoked since a certain date.
See Chapter 15, “Revocation and CRLs” for complete details.
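The issuing-point and delta-CRL behaviour described here and in the “CRLs” feature descriptions earlier in this chapter, as an added example. This is not Certificate System code: the revocation records, the issuing-point names ("ca-signing", "users-west"), the way issuing points are expressed as predicates, and the CRL numbering are all constructed for the example. It also shows the relying-party side check that a delta CRL is only merged into the complete CRL it was issued against.

```python
"""Toy model of CRL issuing points, complete CRLs and delta CRLs.

Constructed for illustration; the record layout and issuing-point
definitions are assumptions, not the product's own data model.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, FrozenSet


@dataclass(frozen=True)
class RevokedCert:
    serial: int
    cert_type: str        # "ca", "user", "server", ...
    ou: str               # subject OU; used here to split user CRLs by region
    revoked_at: datetime
    reason: str


@dataclass
class IssuingPoint:
    name: str
    selector: Callable[[RevokedCert], bool]     # which revoked certs this CRL covers
    crl_number: int = 0                         # one monotonic counter per issuing point
    base_crl_number: int = 0                    # number of the last complete CRL
    base_serials: FrozenSet[int] = frozenset()  # serials listed in that complete CRL

    def _entries(self, revoked):
        return [{"serial": c.serial, "revoked_at": c.revoked_at, "reason": c.reason}
                for c in sorted(revoked, key=lambda c: c.serial) if self.selector(c)]

    def full_crl(self, revoked, now):
        """Complete CRL: every revoked certificate covered by this issuing point."""
        entries = self._entries(revoked)
        self.crl_number += 1
        self.base_crl_number = self.crl_number
        self.base_serials = frozenset(e["serial"] for e in entries)
        return {"issuing_point": self.name, "kind": "full", "crl_number": self.crl_number,
                "this_update": now, "entries": entries}

    def delta_crl(self, revoked, now):
        """Delta CRL: only revocations added since the last complete CRL."""
        if self.base_crl_number == 0:
            raise ValueError("no complete CRL has been issued for this issuing point yet")
        entries = [e for e in self._entries(revoked) if e["serial"] not in self.base_serials]
        self.crl_number += 1
        return {"issuing_point": self.name, "kind": "delta", "crl_number": self.crl_number,
                "base_crl_number": self.base_crl_number, "this_update": now, "entries": entries}


def apply_delta(full, delta):
    """Relying-party side: merge a delta into the complete CRL it was issued against."""
    if delta["issuing_point"] != full["issuing_point"] or delta["base_crl_number"] != full["crl_number"]:
        raise ValueError("delta CRL does not match this base CRL")
    return frozenset({e["serial"] for e in full["entries"]} | {e["serial"] for e in delta["entries"]})


def demo():
    """Constructed revocation history: three revocations, then one more a day later."""
    t0 = datetime(2005, 9, 1, tzinfo=timezone.utc)
    t1 = datetime(2005, 9, 2, tzinfo=timezone.utc)
    revoked = [
        RevokedCert(0x11, "ca", "", t0, "keyCompromise"),
        RevokedCert(0x21, "user", "West Coast", t0, "affiliationChanged"),
        RevokedCert(0x22, "user", "East Coast", t0, "keyCompromise"),
    ]
    ca_point = IssuingPoint("ca-signing", lambda c: c.cert_type == "ca")
    west_point = IssuingPoint("users-west", lambda c: c.cert_type == "user" and c.ou == "West Coast")

    full_ca = ca_point.full_crl(revoked, t0)
    full_west = west_point.full_crl(revoked, t0)
    revoked.append(RevokedCert(0x23, "user", "West Coast", t1, "superseded"))
    delta_west = west_point.delta_crl(revoked, t1)

    current_west = apply_delta(full_west, delta_west)
    try:                                   # a delta from another issuing point must be refused
        apply_delta(full_ca, delta_west)
        mismatch_rejected = False
    except ValueError:
        mismatch_rejected = True
    return {"full_ca": full_ca, "full_west": full_west, "delta_west": delta_west,
            "current_west": current_west, "mismatch_rejected": mismatch_rejected}
```

The east coast certificate 0x22 never appears in the "users-west" CRL, which is the point of issuing points: a relying party that only needs one population of certificates downloads only that list. The delta carries the base CRL number so that a client cannot silently merge it into the wrong, or an outdated, complete CRL.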
About the Registration Manager
The Registration Manager is an optional subsystem of CS that can act as a Registration Authority (RA). It establishes a trusted relationship with a Certificate Manager, which processes the requests the Registration Manager signs. The Registration Manager can accept enrollment, renewal, and revocation requests; process those requests either through agents or through an automated method; provide agent-initiated requests for enrollment, renewal, and revocation; send signed requests to a Certificate Manager; and distribute certificates that are created by the Certificate Manager. You can set up a Registration Manager outside a firewall to protect a Certificate Manager behind the firewall, or you can use Registration Managers to balance the incoming load for a Certificate Manager by offloading enrollment and approval to one or more Registration Managers.
The Registration Manager cannot issue, renew, or revoke certificates, and does not compile CRLs. It can publish certificates, but it cannot publish CRLs.
It can, however, be configured for authentication, authorization, certificate profiles, and policies in an almost identical manner to a Certificate Manager.
How the Registration Manager Works
This section details the processes that a Registration Manager goes through, and the various configuration settings involved in those processes.
Accepting Enrollment Requests
Similar to the Certificate Manager, the Registration Manager contains an end-entity interface with various forms associated with various types of certificates and various types of users. This interface is fully customizable, allowing you to show only the forms that are pertinent to your users, change the look and feel of the forms, or add and delete fields. Certificate requests that come through the Registration Manager’s end-entity interface are processed by the Registration Manager. If it is an agent-approved enrollment, an agent of the Registration Manager must approve the request. If it is an automated enrollment, the request is considered approved if the end-entity supplies the correct information and authenticates against the authentication method that is set up. See the Red Hat Certificate System Customization Guide for details about customizing the end-entity interface.
Authentication Methods
CS provides authentication plug-ins that allow you to set up automated enrollment and configure the settings for those methods; it also provides agent-approved enrollment, where, by default, an agent must approve the request. The Registration Manager also provides an in-person registration method, where an end user appears in person to request the certificate and the agent enters and approves the request (note that the Certificate Manager does not support in-person registration by agents). Each end-entity form is associated with a particular authentication method, either one of the automated methods or the agent-approved method. The Registration Manager processes the request according to the method associated with the form. See Chapter 10, “Authentication” for complete details.
The Registration Manager is in complete control of the authentication of users. No matter how the Certificate Manager is set up for authentication, the Certificate Manager will accept a request sent by the Registration Manager and not apply any authentication of its own.
Request Processing
When the Registration Manager processes requests from its own end-entity interface, it first considers the authentication method. If it is an agent-approved enrollment method, the request is queued in the agent services interface where it awaits agent approval. The agent can change some aspects of the certificate that will be issued, and can approve or deny the request. If it is an automated enrollment, the Registration Manager authenticates the user, and then continues processing the request.
The Registration Manager next evaluates the request to ensure that it meets either the policies set for this type of certificate, or the certificate profile set for this type of enrollment.
Policies are a set of plug-ins that allow you to set constraints on the certificate and define content and values for that content in the certificate. You can configure the default policies and associate them with a particular certificate type. You can also create custom policy modules. See Chapter 12, “Policies” for complete details.
Certificate Profiles are a new feature that bind an authentication method and certificate type to a set of constraints and certificate content and values for that content. It allows you to configure a single module for a type of certificate that binds to an authentication method and sets constraints for the certificate issued as well as defines the content and values for that content in the certificate. You can configure the default certificate profiles or create custom modules. See Chapter 11, “Certificate Profiles” for complete details.
If the constraints from either the Policy or the Certificate Profiles framework are not met, the request is rejected; if they are met, the certificate is issued.
Certificate Creation
Approved, signed certificate requests are sent to the Certificate Manager in which a trusted relationship has been established.
The request is next evaluated by the policies or certificate profiles of the Certificate Manager. The request must meet the constraints set by the Certificate Manager in order for a certificate to be issued. For example, the Registration Manager may allow this type of certificate to be issued with a validity period of one year. If the Certificate Manager has a policy set up that constrains this type of certificate to a validity period of six months, the certificate will not be issued.
The Certificate Manager creates the certificate and returns it to the Registration Manager.
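The two-stage evaluation described above (the Registration Manager checks its own constraints, then the Certificate Manager independently re-checks against its own) can be modelled as a chain of constraint plug-ins. The following is an added example, not code from Certificate System; the constraint names, the subsystem configuration and the validity limits (365 days at the RA, 180 days at the CA, matching the one-year/six-month scenario in the text) are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class CertRequest:
    subject: str        # requested subject DN
    key_bits: int       # size of the public key carried in the request
    validity_days: int  # validity period the requester asked for


# A constraint plug-in: returns None when satisfied, otherwise a rejection reason.
Constraint = Callable[[CertRequest], Optional[str]]


def max_validity(days: int) -> Constraint:
    def check(req: CertRequest) -> Optional[str]:
        if req.validity_days > days:
            return f"validity {req.validity_days}d exceeds limit {days}d"
        return None
    return check


def min_key_size(bits: int) -> Constraint:
    def check(req: CertRequest) -> Optional[str]:
        if req.key_bits < bits:
            return f"key size {req.key_bits} below minimum {bits}"
        return None
    return check


def subject_suffix(suffix: str) -> Constraint:
    def check(req: CertRequest) -> Optional[str]:
        if not req.subject.endswith(suffix):
            return f"subject {req.subject!r} must end with {suffix!r}"
        return None
    return check


@dataclass
class Subsystem:
    """An RA or CA holding an ordered list of constraint plug-ins."""
    name: str
    constraints: List[Constraint]

    def evaluate(self, req: CertRequest) -> Optional[str]:
        # First failing constraint rejects the request; all must pass.
        for check in self.constraints:
            reason = check(req)
            if reason is not None:
                return f"{self.name}: {reason}"
        return None


def process_request(req: CertRequest, ra: Subsystem, ca: Subsystem) -> Tuple[bool, str]:
    """RA evaluates first; a request it rejects never reaches the CA.
    The CA then re-evaluates with its own constraints: RA approval alone is not enough."""
    reason = ra.evaluate(req)
    if reason is not None:
        return False, reason
    reason = ca.evaluate(req)
    if reason is not None:
        return False, reason
    return True, f"issued by {ca.name} for {req.subject}"


# Constructed sample configuration (hypothetical, not CS's shipped defaults).
RA = Subsystem("RA", [subject_suffix(",O=Example Corp"), min_key_size(1024), max_validity(365)])
CA = Subsystem("CA", [min_key_size(1024), max_validity(180)])

if __name__ == "__main__":
    for days in (365, 120):
        print(process_request(CertRequest("CN=alice,O=Example Corp", 2048, days), RA, CA))
```

The point a deployer should take from this is that the CA's constraints are the effective ceiling: an RA profile that is looser than the CA's policy only produces requests the CA will refuse, so the two configurations have to be reconciled rather than tuned independently.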
Publishing of Certificates
Certificates can be published to a file or an LDAP directory. You set up the publishing feature and set up rules that determine which certificates are published using which method, and where exactly they are published. The publishing system is flexible allowing you many options in configuring it.
The Registration Manager publishes only those certificates that it processes. You can set up publishing in a Registration Manager in order to publish a subset of the certificates issued by a Certificate Manager. A Registration Manager does not publish CRLs. If you set up publishing in both the Certificate Manager and the Registration Manager, certificates will be published to the locations specified and according to the rules specified in both; the publishing systems of each are totally separate and do not work in tandem. See Chapter 16, “Publishing” for complete details.
Key Archival
If you install a Data Recovery Manager, the private key is requested as part of the enrollment and stored in the Data Recovery Manager. See Chapter 6, “Data Recovery Manager” for complete details.
Storing Certificate Requests and Certificates
When it issues a certificate, the Certificate Manager stores both the certificate and the certificate request in its internal database. See “The Internal Database,” on page 281 for complete details.
Renewing Certificates
A Registration Manager allows end-entities to renew certificates if the policies are set up to allow for renewal. If so, the end-entity submits a renewal request in the end-entity interface, and provides their old certificate. The Certificate Manager that has a trusted relationship with this Registration Manager will then issue a new certificate according to the policies set. Note, the Certificate Manager must also be set up to allow for renewal of certificates and the policies set for renewed certificates in the Certificate Manager will also be evaluated when the request is processed.
Revoking Certificates
An end-entity can submit a certificate revocation request in the end-entity interface. They might do this if they lose their private key, or if their certificate has been otherwise compromised. When an end-entity requests a revocation, the request is sent to the agent services interface for agent approval.
An agent can also revoke a certificate. They might do this if someone leaves the company.
When the certificate is revoked, it is marked revoked in the internal database, and is marked revoked in the publishing system. The certificate is also added to the Certificate Revocation List (CRL) produced by the Certificate Manager. See Chapter 15, “Revocation and CRLs” for complete details.
Data Recovery Manager
The Data Recovery Manager is an optional subsystem of CS that can act as a Key Recovery Authority. When configured in conjunction with a Certificate Manager or Registration Manager, the Data Recovery Manager stores private encryption keys as part of the certificate enrollment process. The key archival mechanism is triggered when a user enrolls in the PKI and creates the certificate request. Using the CRMF request format, the request generates a request for the user’s private encryption key. The key is then stored in the Data Recovery Manager. The Data Recovery Manager is configured to store keys in an encrypted format that can only be decrypted by several agents requesting the key at one time, providing protection for the private encryption keys of the users in your deployment.
Note that the Data Recovery Manager archives encryption keys. It does not archive signing keys, since such archival would undermine nonrepudiation properties of signing keys.
Key Archival
If you have set up a Data Recovery Manager as part of your PKI, the private encryption key for an end-entity is requested and stored when the enrollment request is made.
Key Retrieval
If you have set up a Data Recovery Manager as part of your PKI, you can retrieve the private encryption keys of your users to decrypt messages or other documents that were encrypted to the corresponding public encryption key. CS provides a key retrieval system that can only be activated by several agents approving the key retrieval at the same time, to offer maximum security of the stored keys.
See Chapter 6, “Data Recovery Manager” for complete details.
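The guide says recovery requires several agents acting together but does not describe the mechanism. One standard way to enforce such an m-of-n requirement is to split the key that protects the archive with Shamir secret sharing, so that the protecting key only exists while a threshold of agents contribute their shares. The following is an added example of that technique, not Certificate System's own implementation; the field prime, the share layout and the `approve_recovery` gate are this example's assumptions.

```python
import secrets
from typing import Callable, List, Tuple

# Arithmetic is done in the prime field GF(PRIME). 2**127 - 1 is a Mersenne prime,
# so any secret below it (e.g. a 126-bit key-encryption key) can be shared.
# This is an assumed parameter for the example.
PRIME = 2**127 - 1
Share = Tuple[int, int]  # (agent index x, share value y)


def _poly_eval(coeffs: List[int], x: int) -> int:
    """Evaluate a polynomial (coefficients low to high) at x mod PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, m: int, n: int,
                 rand: Callable[[int], int] = secrets.randbelow) -> List[Share]:
    """Split `secret` into n shares so that any m of them reconstruct it.

    The secret is the constant term of a random degree m-1 polynomial; each agent
    holds the polynomial's value at a distinct nonzero x.
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of field range")
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    coeffs = [secret] + [rand(PRIME) for _ in range(m - 1)]
    return [(x, _poly_eval(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0 over GF(PRIME)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Division in the field is multiplication by the modular inverse (Fermat).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def approve_recovery(submitted: List[Share], threshold: int) -> int:
    """Recovery gate: refuse unless `threshold` distinct agents have submitted shares.

    The duplicate check matters: the same share twice would make a Lagrange
    denominator zero and silently yield garbage instead of an error.
    """
    agents = {x for x, _ in submitted}
    if len(agents) != len(submitted):
        raise PermissionError("duplicate agent share submitted")
    if len(submitted) < threshold:
        raise PermissionError(f"{len(submitted)} approvals, {threshold} required")
    return recover_secret(submitted[:threshold])


if __name__ == "__main__":
    kek = secrets.randbelow(2**120)          # constructed sample key-encryption key
    shares = split_secret(kek, 3, 5)         # 5 agents, any 3 may recover
    print(approve_recovery(shares[:3], 3) == kek)
```

Fewer than the threshold of shares yields a value unrelated to the secret, which is what makes the agent quorum a cryptographic guarantee rather than an access-control convention enforced only by the application.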
Online Certificate Status Manager
The Online Certificate Status Manager is an optional subsystem of CS that can act as a stand-alone OCSP service. The Certificate Manager is configured with an internal OCSP service. An external OCSP Responder is offered as a separate subsystem in case you want the OCSP service provided outside a firewall while the Certificate Manager resides inside a firewall, or to take the load of requests off the Certificate Manager.
The Online Certificate Status Manager performs the task of an online certificate validation authority, by enabling OCSP-compliant clients to do real-time verification of certificates. Note that an online certificate-validation authority is often referred to as an OCSP responder. The Online Certificate Status Manager can receive CRLs from multiple Certificate Managers and clients can query the Online Certificate Status Manager for the revocation status of certificates issued by all these Certificate Managers.
When an OCSP Responder is set up with a Certificate Manager, and publishing is set up to the OCSP responder, CRLs are published to it when they are issued or updated.
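The following added example models the responder behaviour described above: CRLs from several Certificate Managers are published to one status service, and clients query status for an (issuer, serial) pair. It is not Certificate System code; the issuer names, serials and validity windows are constructed. Two edge cases that matter operationally are shown: a serial under an issuer for which no CRL has been received is reported as unknown rather than good, and a CRL whose nextUpdate has passed no longer supports a "good" answer.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Set


@dataclass
class Crl:
    issuer: str                 # DN of the issuing Certificate Manager
    this_update: datetime       # when the CRL was produced
    next_update: datetime       # after this time the CRL is stale
    revoked: Set[int] = field(default_factory=set)  # revoked serial numbers


class StatusResponder:
    """Keeps the latest CRL per issuer and answers good/revoked/unknown."""

    def __init__(self) -> None:
        self._crls: Dict[str, Crl] = {}

    def publish(self, crl: Crl) -> bool:
        """Accept a CRL only if it is newer than the one held for that issuer.

        Returns False for an older (replayed or out-of-order) CRL, which must
        not be allowed to un-revoke certificates.
        """
        current = self._crls.get(crl.issuer)
        if current is not None and crl.this_update <= current.this_update:
            return False
        self._crls[crl.issuer] = crl
        return True

    def status(self, issuer: str, serial: int, now: datetime) -> str:
        crl = self._crls.get(issuer)
        if crl is None:
            return "unknown"        # no data for this issuer: never answer "good"
        if now > crl.next_update:
            return "unknown"        # stale CRL: status cannot be asserted
        return "revoked" if serial in crl.revoked else "good"


# Constructed reference time and helpers so scenarios read as hour offsets.
T0 = datetime(2005, 9, 1, 0, 0)


def at(hours: float) -> datetime:
    return T0 + timedelta(hours=hours)


def make_crl(issuer: str, issued_hours: float, lifetime_hours: float, revoked: Set[int]) -> Crl:
    return Crl(issuer, at(issued_hours), at(issued_hours + lifetime_hours), revoked)


HQ_CA = "CN=HQ CA,O=Example Corp"          # constructed issuer names
BRANCH_CA = "CN=Branch CA,O=Example Corp"


def build_sample_responder() -> StatusResponder:
    """Two Certificate Managers publish to one responder (constructed data)."""
    r = StatusResponder()
    r.publish(make_crl(HQ_CA, 0, 7 * 24, {17, 42}))     # weekly CRL
    r.publish(make_crl(BRANCH_CA, 0, 24, {5}))          # daily CRL
    return r


if __name__ == "__main__":
    r = build_sample_responder()
    for issuer, serial in ((HQ_CA, 42), (HQ_CA, 43), (BRANCH_CA, 6)):
        print(issuer, serial, r.status(issuer, serial, at(12)), r.status(issuer, serial, at(72)))
```

Treating a missing or expired CRL as "unknown" is the conservative default: a relying party can then decide to fail closed, whereas answering "good" on no evidence would turn a publishing outage into a silent acceptance of revoked certificates.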
Deployment Scenarios
Single Certificate Manager
Some deployments may require only a single Certificate Manager that handles all end-entity interactions and provides no key archival and recovery capabilities. This Certificate Manager can use a signing certificate issued by a public certificate authority or its own self-signed CA signing certificate to sign all the certificates it issues.
Figure 1-1 Single root Certificate Manager
Figure 1-1 shows the relationships among a single Certificate Manager, end entities, and a publishing directory. The Certificate Manager can publish both end-entity certificates and CRLs to a directory.
Certificate Manager and Registration Manager
Figure 1-2 shows a Registration Manager and its Certificate Manager in separate instances on separate machines. All communication between the Certificate Manager and the Registration Manager takes place over HTTPS.
Figure 1-2 Certificate Manager and Registration Manager in different instances
Many organizations need to separate the role of the Registration Manager from the role of the Certificate Manager. This separation can be useful, for example, if different groups of end entities are subject to different authentication policies or work in different geographic locations.
Each group of end entities interacts with a designated Registration Manager that processes requests from end entities and sends them to a Certificate Manager. The Certificate Manager can accept requests from both end entities and Registration Managers. For example, end entities at the home office might deal directly with the Certificate Manager, while end entities at a branch office might deal with their own Registration Manager. Alternatively, the Certificate Manager might be configured to accept requests only from Registration Managers, thus shielding the CA from end entities.
A Registration Manager can be installed in one CS instance and its related Certificate Manager in another CS instance. The separate instances can be located in the same server group, in different server groups on the same machine, or in different server groups on different machines.
In many organizations, it may be desirable to deploy multiple Registration Managers that all communicate with a single Certificate Manager. Each separate Registration Manager, for example, might handle all end-entity interactions in a particular geographic area or within an organizational group.
Decisions about the number of, locations of, and relationships among Certificate Managers and Registration Managers depend on many factors. These include firewall considerations, the physical security required for each subsystem, the physical location of the end entities that the Registration Manager is intended to serve, and the physical location of the Certificate Manager agent, Registration Manager agent, and other persons responsible for administering the Certificate Manager and Registration Manager.
Certificate Manager and Data Recovery Manager
If an organization requires key archival and recovery capabilities—for example, if encrypted mail is widely used and the organization risks data loss if it is unable to recover encryption keys—it can install a Data Recovery Manager. This can be done without regard for the presence or absence of a separate Registration Manager.
For example, to add key storage and recovery to the scenario sketched in Figure 1-2, a Data Recovery Manager can be installed in a different CS instance; this instance can be located in the same server group on the same machine, in a different server group on the same machine, or on a different machine. Figure 1-3 illustrates a Data Recovery Manager in a separate CS instance. All communication between the Certificate Manager and the Data Recovery Manager takes place over HTTPS.
Figure 1-3 Certificate Manager and Data Recovery Manager in different instances
The Data Recovery Manager is intended for archival and recovery of private encryption keys only. Therefore end entities must be using either a browser that supports dual-key generation or a browser that is using Red Hat Personal Security Manager, which supports dual keys. When determining the location of a Data Recovery Manager, be sure to look into firewall considerations, the physical security required for each subsystem, and the physical location of the Certificate Manager agent, Data Recovery Manager agent, and other persons responsible for administering the Certificate Manager and recovering keys.
Like a Certificate Manager, a Data Recovery Manager has special physical security requirements, since a compromised Data Recovery Manager would have devastating security consequences for your entire PKI. You may therefore want to keep the Data Recovery Manager in a special locked room or building, a choice that can affect your deployment strategy.
Certificate Manager, Data Recovery Manager, and Registration Manager
The three CS subsystems can be deployed in many different relationships. Figure 1-4 illustrates some of the issues involved in deploying all three subsystems by showing the relationships among a single Certificate Manager, a single Registration Manager, and a single Data Recovery Manager, each installed in a different CS instance on a different machine.
Figure 1-4 Certificate Manager, Registration Manager, and Data Recovery Manager in separate instances
The Registration Manager handles all end-entity interactions and communicates with the Certificate Manager and the Data Recovery Manager over HTTPS. The Registration Manager is configured to request the end entity’s private encryption key (in encrypted form) and send it to the Data Recovery Manager during the enrollment process. Before the Registration Manager sends the certificate request to the Certificate Manager for processing, the Registration Manager must receive verification from the Data Recovery Manager that the private key has been received and stored and that it corresponds to the end entity’s public key.
Only the Certificate Manager can be configured to enable or disable LDAP publishing or to publish to separate directories. The Certificate Manager also has the complete record of issued certificates, so that it can perform the publishing tasks, as shown in the figure.
Many other combinations are possible. For example, there might be multiple Registration Managers in different instances, all dealing with the same Data Recovery Manager and Certificate Manager; or the Certificate Manager might also handle some end-entity interactions. It’s also possible to set up both Certificate Managers and Registration Managers such that each has a hierarchy of subordinate managers.
NOTE The current design of Certificate System assumes that most deployments will rely on a single Data Recovery Manager (associated with either a Registration Manager or a Certificate Manager). However, it is also possible to write custom policies that support multiple Data Recovery Managers. This might be useful, for example, for subordinate CAs that issue certificates for completely independent organizations.
Cloned Certificate Manager
A cloned Certificate Manager is a CS server instance that uses the same CA signing key and certificate as another Certificate Manager, identified as the master Certificate Manager. Each Certificate Manager issues certificates with serial numbers in a restricted range so that all of the servers together act as a single Certificate Authority (operating in several server processes).
The advantage of cloning is the ability to distribute the Certificate Manager’s load across several processes or even several physical machines. For a CA that has high enrollment demand, the distribution gained from cloning allows more certificates to be signed and issued in a given time interval.
To create a cloned Certificate Manager, you must first install and configure at least one Certificate Manager and specify a definite upper bound, but no lower bound, for the serial numbers it will use. You then install or create a new instance of a Certificate Manager (but do not configure it). Before configuring the clone, you copy the CS certificate and key database files from the original Certificate Manager to the new Certificate Manager (<server_root>/alias directory). If these databases are present, the Configuration Wizard will recognize that you are creating a clone and confirm that you want to reuse the CA’s signing key and certificate (if the clone is on the same server, you can also reuse the SSL server certificate).
If you store the CA key material on a hardware token, you will have to follow the hardware vendor’s instructions for copying the key material to a hardware device accessible to the clone.
A cloned Certificate Manager will have all the same features, for example, agent gateway functions and end entity gateway functions, that a normal Certificate Manager has. You can then configure Registration Managers that point to different Certificate Manager servers but that appear to be serviced by the same CA.
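Because master and clones sign with the same CA key, the only thing that keeps their certificates distinguishable is that each instance draws serial numbers from a range that does not overlap with any other. The following added example (not Certificate System code; instance names and ranges are constructed) models that partitioning: it checks that configured ranges are disjoint, issues serials from several instances, and raises when an instance has used up its upper bound instead of wrapping or reusing a serial.

```python
from typing import List, Sequence, Tuple


class SerialRangeExhausted(Exception):
    """Raised when an instance has consumed every serial in its assigned range."""


class CaInstance:
    """One Certificate Manager process (master or clone) with an inclusive serial range."""

    def __init__(self, name: str, begin: int, end: int) -> None:
        if begin < 1 or end < begin:
            raise ValueError("range must satisfy 1 <= begin <= end")
        self.name, self.begin, self.end = name, begin, end
        self._next = begin

    def remaining(self) -> int:
        return self.end - self._next + 1

    def next_serial(self) -> int:
        # Never reuse a serial: a duplicate under one CA key breaks revocation lookups.
        if self._next > self.end:
            raise SerialRangeExhausted(f"{self.name}: range {self.begin}-{self.end} exhausted")
        serial = self._next
        self._next += 1
        return serial


def ranges_disjoint(instances: Sequence[CaInstance]) -> bool:
    """True if no two instances can ever issue the same serial number."""
    ordered = sorted(instances, key=lambda inst: inst.begin)
    return all(a.end < b.begin for a, b in zip(ordered, ordered[1:]))


def issue_round_robin(instances: Sequence[CaInstance], count: int) -> List[Tuple[str, int]]:
    """Simulate load spread across instances, as a load balancer in front of clones would."""
    issued: List[Tuple[str, int]] = []
    for k in range(count):
        inst = instances[k % len(instances)]
        issued.append((inst.name, inst.next_serial()))
    return issued


def serials_unique(issued: Sequence[Tuple[str, int]]) -> bool:
    serials = [serial for _, serial in issued]
    return len(serials) == len(set(serials))


if __name__ == "__main__":
    # Constructed deployment: a master plus two clones.
    fleet = [CaInstance("master", 1, 100), CaInstance("clone1", 101, 200),
             CaInstance("clone2", 201, 300)]
    assert ranges_disjoint(fleet)
    print(issue_round_robin(fleet, 6))
```

The disjointness check is the configuration-time control; the exhaustion exception is the run-time one. Both are needed, since an instance that silently started over at its lower bound would produce two valid certificates with the same issuer and serial.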
System Architecture
This section describes the architecture of CS. Figure 1-5 on page 56 shows a graphical representation of that architecture.
Figure 1-5 CS Architecture
CS Component
The CS component is the main component in the CS product. CS is a set of pure Java classes. This component provides a secure application platform where subsystems (CA, RA, DRM, and OCSP) can be tightly integrated with a PKI infrastructure. Depending on the installation configuration selection, CS can be easily installed as a CA, RA, DRM, or OCSP Responder, where subsystem-specific HTTP servlets are registered at startup to provide subsystem-specific services.
Within the CS component, a set of common modules (all of which can be extended with custom Java plug-ins) is provided for all subsystems. Some are not used by the default settings, but all are available for further customization:
Authentication, where authentication managers can be extended.
Authorization, where authorization managers can be extended; the default is access control lists stored in the internal LDAP database.
ACL evaluators, where expression evaluators can be extended for access control list evaluation; the defaults are the user and group evaluators.
Certificate Profiles, where certificate extensions and constraints can be extended.
Job scheduler, where cron-style scheduled events can be extended.
Email notification, where email notifications can be extended.
Event listeners, where event listeners can be extended.
Publishing, where publishers and their mappers can be extended.
Logging, including signed audit logs, where the logging mechanism can be extended.
Self-test, where CS start-up and on-demand self-tests can be extended.
Servlets, depending on the subsystem installation selection, where servlets can be extended.
Password quality checker, where the password strength/quality checker can be extended.
HTTP Engine
CS employs the Red Hat Enterprise Server as its HTTP engine. It provides the entry point for users/applications of all types to access CS's functions. As discussed in the System Overview, CS provides three types of entry points, each serving one or more interfaces:
End-Entity Entry Point—provides the entry point for end-entity and server certificate enrollments of all types. A set of customizable HTML forms is provided at this port for CA and RA end-entity users for different types of enrollment, renewal, revocation, or certificate pick-up activities. An OCSP responder only takes the OCSP request format, while a DRM does not provide any end-entity services. The client applications used to access this entry point must have the capability to act as an SSL client. A common client application is a browser such as the Netscape browser.
Agent Entry Point—provides entry point for agent interface and inter-CIMC_Boundary interface. A set of customizable HTML forms are provided at this port for CA, RA, and DRM agent users to perform agent tasks. The client applications used to access this entry point must have the capability to act as an SSL client. A common client application is a browser such as the Netscape browser.
Administrators Entry Point—provides the entry point for the administration configuration interface, and for the auditor’s audit log viewing. The client applications used to access this entry point must have the capability to act as an SSL client. A common client application bundled with the CS product is Red Hat Console, a Java application that provides a GUI and understands the protocol provided by the CS Administration Interface.
Service Interfaces
Each of the subsystems contains interfaces allowing interaction with various portions of the subsystem. All four subsystems share a common administrative interface. All four subsystems have an agent interface that allows agents to perform the tasks assigned to them. A CA subsystem and an RA subsystem have an end-entity services interface allowing end entities to enroll in the PKI. An OCSP responder subsystem has an end-entity services interface allowing end entities and applications to check the current certificate revocation status.
While the HTTP Engine provides the connection entry points, CS completes the interfaces by providing the servlets specific to each interface.
End-Entity Services Interface
For the CA subsystem and RA subsystem, the end-entity interface provides Java servlets to process HTML form submissions coming from the end-entity entry point. Based on the information received from the form submissions, the end-entity servlets allow end entities to enroll, renew certificates, revoke their own certificates, and pick up issued certificates. The OCSP responder subsystem’s end-entity interface provides Java servlets to accept and process OCSP requests. The DRM subsystem does not offer any end-entity service.
Agent Services Interface
The agent services interface provides Java servlets to process HTML form submissions coming from the agent entry point. Based on the information given in each form submission, the agent servlets allow agents to perform agent tasks, such as editing and approving requests for certificate approval, certificate renewal, and certificate revocation, and approving certificate profiles. The agent services interface is almost identical for a CA subsystem and an RA subsystem. The agent services interfaces for a DRM subsystem or an OCSP Responder are specific to those subsystems.
The agent services interface is also used for inter-CIMC_Boundary communication for RA-to-CA and CA-to-DRM trusted connection. These connections are protected by SSL client-authentication, and differentiated by separate trusted roles called Trusted Managers. Like the agent role, the Trusted Managers (pseudo-users created for inter-CIMC_Boundary connection only) are required to be SSL client-authenticated, however, unlike the agent role, they are not offered any agent capability.
Administrative Interface
The administrative interface provides Java servlets to process commands coming from the administrative entry point. Based on the information given with each command, the administration servlets allow administrators to perform administrative tasks and configure plug-in modules and instances of plug-in modules. This interface is similar for all four subsystems. It contains some common configuration types, but also contains different plug-in types that can be configured depending on the kind of subsystem configured. The auditor shares the same interface with the administrator, restricted to viewing all configurations and logs (including audit logs), while administrators are restricted from viewing the audit logs. During setup, the administrator will be directed to configure this interface to accept only SSL client authentication.
JSS and the Java/JNI Layer
Java Security Services (JSS) provides a Java interface for security operations performed by NSS. JSS and higher levels of the CS architecture are built with the Java Native Interface (JNI), which provides binary compatibility across different versions of the Java Virtual Machine (JVM). This design allows customized subsystem services to be compiled and built just once and run on a range of platforms. JSS supports most of the security standards and encryption technologies supported by NSS. JSS also provides a pure Java interface for ASN.1 types and BER-DER encoding. JSS documentation can be found on-line at:
http://www.mozilla.org/projects/security/pki/jss/index.html
NSS
Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled communications applications. Applications built with the NSS libraries support the SSL protocol for authentication, tamper detection, and encryption as well as the PKCS #11 interface for cryptographic token interfaces. Red Hat uses NSS to support these features in a wide range of products, including CS. NSS documentation can be found on-line at:
http://www.mozilla.org/projects/security/pki/nss/overview.html
PKCS #11
Public-Key Cryptography Standard (PKCS) #11 specifies an API used to communicate with devices that hold cryptographic information and perform cryptographic operations. Because it supports PKCS #11, CS works with a wide range of hardware and software devices intended for such purposes.
One or more PKCS #11 modules must be available to any CS subsystem instance. As shown in the figure, a PKCS #11 module (also called a cryptographic module or cryptographic service provider) manages cryptographic services such as encryption and decryption via the PKCS #11 interface. PKCS #11 modules can be thought of as drivers for cryptographic devices that can be implemented in either hardware or software. Red Hat provides a built-in PKCS #11 module with CS.
A PKCS #11 module always has one or more slots, which can be implemented as physical hardware slots in some form of physical reader (for example, for smart cards) or as conceptual slots in software. Each slot for a PKCS #11 module can in turn contain a token, which is the hardware or software device that actually provides cryptographic services and optionally stores certificates and keys.
Red Hat provides two built-in modules with CS:
Default Internal PKCS #11 Module. This comes with two built-in tokens:
The Internal Crypto Services token performs all cryptographic operations, such as encryption, decryption, and hashing.
The Internal Key Storage token (“Certificate DB token” in Figure 1-5 on page 56) handles all communication with the certificate and key database files (called certX.db and keyX.db, respectively, where X is a version number) that store certificates and keys.
FIPS 140-1 module. This module complies with the FIPS 140-1 government standard for implementations of cryptographic modules. Many products sold to the US government must comply with one or more of the FIPS standards. The FIPS 140-1 module includes a single, built-in FIPS 140-1 Certificate DB token (as shown in Figure 1-5 on page 56), which handles both cryptographic operations and communication with the certX.db and keyX.db files.
Any PKCS #11 module can be used with CS. The server uses a file called secmod.db to keep track of the modules that are available. You can modify this file using the modutil tool, which is explained in the following documentation:
http://www.mozilla.org/projects/security/pki/nss/tools/
For example, you need to modify secmod.db if you are installing hardware accelerators for use in signing operations.
Management Tools
Command line tools are provided by CS for occasional management of the CS system:
backup/restore tool
password cache tool
audit log signature verification tool
enrollment pin generation tool
mass revocation tool
(signed) CS request tool
bulk certificate issuance tool
JRE
JRE (Java Runtime Environment) provides the Java Virtual Machine (JVM) and supporting class libraries needed to run CS.
Internal LDAP Database
CS employs Red Hat Directory Server as its internal database for storing information such as certificates, requests, users, roles, ACLs, as well as other miscellaneous internal information. CS communicates with the internal LDAP database securely by means of SSL client authentication.
Administration Server
The Red Hat Administration Server comes with all Red Hat directory and certificate server products, including CS. Together with the Red Hat Console and the configuration LDAP database (another instance of Red Hat Directory Server), it is used for managing Red Hat software and users in an enterprise environment. The configuration LDAP database stores server and application configuration settings as well as user information. This data is used by other servers in the enterprise. Typically, application and server configuration information is stored in one subtree of the configuration LDAP database while user and group entries are stored in another subtree. Except for the creation of new CS instances, the functionality provided by this component is not fully utilized by CS. Note that although this configuration LDAP database can be used to store enterprise user records, be configured as a certificate publishing destination, or be configured to provide a directory-based enrollment authentication mechanism, it is separate from the CS internal LDAP database, and unlike the CS internal LDAP database, it is not considered part of the core CS system.
CS SDK
The CS Software Development Kit (SDK) includes information that is useful for developing new plug-in modules and for customizing various aspects of CS.
The CS SDK contains the following:
Javadocs—complete javadoc specification of the CS Application Programming Interface (API).
Samples—sample source code of various plug-in modules that are included in CS. This source code has been included for reference purposes only, and is only used to demonstrate how a particular CS feature was implemented. Since a sample represents the actual code currently present in CS, it does not need to be recompiled.
Tutorials—“How To” tutorial to help demonstrate how you can create your own plug-in modules for CS. Each tutorial includes sample Java source code, environment and build script and a detailed “cookbook” describing how to build and install these plug-in modules. Additionally, some tutorials may also contain sample configuration files.
Support for Open Standards
This section summarizes the standard message formats and protocols supported by CS.
Certificate Management Formats and Protocols
CS supports the following certificate management formats and protocols. For more details about the proposed PKIX standards listed here, see http://www.ietf.org/html.charters/pkix-charter.html (under Internet Drafts).
Simple Certificate Enrollment Protocol (SCEP). A certificate enrollment protocol originally developed by Cisco Systems and VeriSign, Inc. SCEP is an earlier and simpler protocol than CMC (described later in this list). It specifies how a device communicates with a CA, including how to retrieve the CA’s certificate and public key, how to enroll a device with the CA, and how to retrieve a CRL. SCEP messages are built from PKCS #7 and PKCS #10.
Certificate Request Message Format (CRMF). A message format used to convey a request for a certificate to a Registration Manager or Certificate Manager. A standard from the Internet Engineering Task Force (IETF) PKIX working group.
Certificate Management Message Formats (CMMF). Message formats used to convey certificate requests and revocation requests from end entities to a Registration Manager or Certificate Manager and to send a variety of information to end entities. A proposed standard from the IETF PKIX working group. CMMF is subsumed by another proposed standard, CMC (next item).
Certificate Management Messages over CMS (CMC). A general interface to public-key certification products based on CMS and PKCS #10, including a certificate enrollment protocol for DSA-signed certificates with Diffie-Hellman public keys. A standard from the IETF PKIX working group (RFC 2797). CMC incorporates CRMF and CMMF.
Cryptographic Message Syntax (CMS). A superset of PKCS #7 syntax used for digital signatures and encryption. A proposed standard from the IETF S/MIME working group (RFC 2630 and its successors).
PKIX Certificate and CRL Profile (PKIX Part 1). The first part of the four-part standard under development by the IETF for a public-key infrastructure for the Internet. Part 1 deals with specifications for certificates and CRLs. CS will support the other PKIX parts as they are finalized. For more information about PKIX Part 1, see ftp://ftp.isi.edu/in-notes/rfc2459.txt (RFC 2459; note that RFC 3280, published in 2002, has since superseded it as the PKIX certificate and CRL profile).
Security and Directory Protocols
CS supports the following security and directory protocols:
FIPS PUBS 140-1. Federal Information Processing Standards Publication (FIPS PUB) 140-1 is a US government standard for implementations of cryptographic modules—that is, hardware or software that encrypts and decrypts data or performs other cryptographic operations (such as creating or verifying digital signatures). FIPS 140-2 superseded 140-1 in 2001; check which version a given module has been validated against.
Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS). Protocols used to communicate with web servers.
KEYGEN tag. An HTML tag supported by Netscape browsers that generates a key pair for use with a certificate. For more information, see http://www.netscape.com/eng/security/comm4-keygen.html.
Lightweight Directory Access Protocol (LDAP) v2, v3. A directory service protocol designed to run over TCP/IP and across multiple platforms. LDAP is a simplified version of Directory Access Protocol (DAP), used to access X.500 directories. LDAP is under IETF change control and has evolved to meet Internet requirements.
Public-Key Cryptography Standard (PKCS) #7. A message format developed by RSA Data Security to represent digital signatures, certificate chains, and encrypted data. This format is used to deliver certificates to end entities.
Public-Key Cryptography Standard (PKCS) #10. A message format developed by RSA Data Security for certificate requests. This format is supported by many server products and by Microsoft Internet Explorer.
Public-Key Cryptography Standard (PKCS) #11. Specifies an API used to communicate with devices such as hardware tokens that hold cryptographic information and perform cryptographic operations.
X.509 v1, v3. Digital certificate formats recommended by the International Telecommunication Union (ITU).
Secure Sockets Layer (SSL) 2.0, 3.0. A set of rules governing server authentication, client authentication, and encrypted communication between servers and clients. SSL 2.0 has well-known protocol weaknesses (among them no integrity protection of the handshake, which allows cipher-suite downgrade); leave it disabled in production deployments and allow only SSL 3.0 or TLS.
Chapter 2
Installation
This chapter explains how to install Red Hat Certificate System (CS).
This chapter contains the following sections:
Installation and Configuration Overview
Installation Overview
Installing CS
Uninstalling CS
Installation and Configuration Overview
You install Red Hat Certificate System (CS) on each host on which you will be setting up a CS subsystem. You then configure the subsystem that will run on that host. Once a subsystem is set up, you can access its end-entity interface, agent services interface, and administrative interface and further configure the instance to match the needs of your PKI.
Note: To install Red Hat CS and configure it into a Common Criteria Evaluated subsystem, please see Appendix B, “Common Criteria Environment: Setup and Operations.”
You can configure more than one subsystem in an installation of CS. You can also install CS on more than one host, with one or more subsystems configured in each installation. Finally, different instances of CS subsystems can be set up as clones for high availability purposes. To install and configure one or more CS subsystems as clones, please see “Cloning a CA” on page 127.
One of your deployment decisions is which subsystems you will install, how many of each type of subsystem you will configure, and on which hosts they will be installed. Once you decide this, you install CS on each host you will be using, install each subsystem that will be run on that host, and then configure each of the subsystems on each host.
Installation and Configuration Process
The following outlines the process for installing, setting up, and configuring CS:
1. Run the installation program to install Administration Server, Directory Server, and CS on each host system that will be part of your deployment. See “Installing CS” on page 72 for complete instructions on installing CS.
2. Configure each subsystem that will be running on each host. CS provides an installation wizard for configuring an instance of each of the subsystems. Complete instructions for configuring each of the subsystems can be found at the following locations:
“Installing a Certificate Manager as a Root CA,” on page 85
“Installing a Certificate Manager as a Subordinate CA,” on page 90
“Installing a Registration Manager,” on page 133
“Installing an Online Certificate Status Manager,” on page 165
“Installing a Standalone Data Recovery Manager,” on page 203
3. Get the first agent certificate for the subsystem. See “Agent Certificates,” on page 324 for complete instructions.
4. Configure the instance for the particular needs of your PKI. For complete details on configuring each of the subsystems, see the chapter that describes that subsystem:
Chapter 3, “Certificate Manager”
Chapter 4, “Registration Manager”
Chapter 5, “OCSP Responder”
Chapter 6, “Data Recovery Manager”
Installation Overview
This section provides information about the CS installation, and provides information about things you need to consider and decide when installing CS.
About the Installation Program
The installation program installs Administration Server, Directory Server, Red Hat Console, and CS in the server root directory you specify. It creates one instance of Administration Server, one instance of Directory Server, and one instance of CS.
The installation program automatically starts Administration Server and Directory Server. Once installation is complete, you can use Red Hat Console to view all your server settings, make changes to those settings, and configure CS instances. See “The Administrative Interface,” on page 236 about accessing and logging into Red Hat Console.
Installation Considerations
This section provides information needed to decide which settings to use when installing CS.
System Requirements
See the Release Notes for the system requirements for this product.
Component Servers
The installation process installs Red Hat Administration Server, Red Hat Console, and Red Hat Directory Server, as well as CS.
You can choose to not install one or more of these servers if you already have one of them installed. Generally, you would install using the default settings, which installs all four products.
Server Groups
A server group is created when you install Administration Server. All servers are then installed in that server group. You can create more than one server group and install servers in each. You must have an Administration Server for each server group. Administration Server can use a local configuration directory or refer to an existing configuration directory installed elsewhere. See Managing Servers with Red Hat Console for more information about server groups.
Server Root
The server root is the directory in which all servers for a particular group are installed. You specify the server root during installation.
Choosing Ports for Directory and Administration Servers
During installation, you choose port numbers for both the directory server used as the configuration directory and the administration server. The port for the administration server is the port used to log into Red Hat Console. Port numbers can be any number from 1 to 65535. Keep the following in mind when choosing a port number for your installation:
The standard Directory Server (LDAP) port number is 389.
Port 636 is reserved for LDAP over SSL (LDAPS). Do not use port 636 for your standard LDAP installation, even if 636 is not already in use. Alternatively, you can protect the standard LDAP port with TLS (Start TLS), which upgrades a cleartext connection on port 389 to an encrypted one without needing a second port.
Port numbers below 1024 have been assigned to various services by the Internet Assigned Numbers Authority (IANA). Do not use port numbers below 1024 other than 389 or 636 for directory services, as they will conflict with other services.
On UNIX platforms, Directory Server must be run as the UNIX user ID root if it will listen on either port 389 or 636.
Make sure the ports you choose are not already in use. Additionally, if you are using both LDAP and LDAPS communications, make sure the port numbers chosen for these two types of access are not identical.
Deciding the User and Group for Your Red Hat Servers
For security reasons, it is always best to run UNIX-based production servers with normal user privileges; that is, you do not want to run the servers with root privileges. However, you will have to run Directory Server with root privileges if you are using the default Directory Server ports. If Directory Server is to be started by Administration Server, Administration Server must run either as root or as the same user as Directory Server.
You must therefore decide what user accounts you will use for the following purposes:
The user and group under which you will run Directory Server.
If you will not be running Directory Server as root, it is strongly recommended that you create a dedicated user account for all Red Hat servers. You should not use any existing operating system account, and must not use the nobody account. Also, you should create a common group for the directory server files; again, you must not use the nobody group.
The user and group under which you will run Administration Server.
For installations that use the default port numbers, this must be root. However, if you use ports above 1024, you should create a user account for all Red Hat servers and run Administration Server as this account.
As a security precaution, when Administration Server is run as root, it should be shut down when it is not in use.
You should use a common group for all Red Hat Directory and Certificate servers, such as gid redhat, to ensure that files can be shared between servers when necessary.
Before you can install Directory Server and Administration Server, you must make sure that the user and group accounts you will use exist on your system.
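The port rules in “Choosing Ports for Directory and Administration Servers” and the account rules above are easy to get wrong at an interactive prompt, so it is worth applying them before running setup. The following pre-installation check is an added example written for this guide; it is not part of the CS installer or of any Red Hat tool. The rule set is the editor's reading of the two sections above, the port and account values in the demo are constructed, and the names check_port, check_account and preflight belong to the example, not to CS.

```python
"""Pre-installation sanity check for CS port and account choices (added example)."""
import grp
import os
import pwd
import socket
from typing import Callable, List, Optional

PRIVILEGED_MAX = 1023            # ports 1-1023 need root to bind on UNIX
LDAP_PORT, LDAPS_PORT = 389, 636
# The only privileged ports this guide permits, keyed by the role they serve.
PERMITTED_PRIVILEGED = {("ldap", LDAP_PORT), ("ldaps", LDAPS_PORT)}


def needs_root(port: int) -> bool:
    """True when a server listening on this port must run as root."""
    return port <= PRIVILEGED_MAX


def check_port(port: int, role: str) -> List[str]:
    """Apply the port rules to one choice; role is 'ldap', 'ldaps' or 'admin'.
    Returns the rules violated (empty list = acceptable)."""
    if not 1 <= port <= 65535:
        return [f"{port}: port numbers must be between 1 and 65535"]
    problems = []
    if port == LDAPS_PORT and role != "ldaps":
        problems.append("636 is reserved for LDAP over SSL; do not use it for cleartext LDAP")
    if needs_root(port) and (role, port) not in PERMITTED_PRIVILEGED:
        # Below 1024 only 389 (LDAP) and 636 (LDAPS) are allowed; anything else
        # collides with an IANA-assigned service. This check never allows a
        # privileged administration port, which is stricter than the prompt itself.
        problems.append(f"{port}: privileged port assigned to another service by IANA")
    return problems


def port_in_use(port: int) -> bool:
    """Probe by binding on loopback; a failed bind means something is listening.
    Privileged ports are skipped unless running as root, because the bind would
    fail for lack of privilege rather than because the port is taken."""
    if needs_root(port) and os.geteuid() != 0:
        return False
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind(("127.0.0.1", port))
        except OSError:
            return True
    return False


def check_ports(ldap_port: int, admin_port: int, ldaps_port: Optional[int] = None,
                probe: Callable[[int], bool] = port_in_use) -> List[str]:
    """Check the complete set of ports chosen for one installation."""
    problems = check_port(ldap_port, "ldap") + check_port(admin_port, "admin")
    ports = {ldap_port, admin_port}
    if ldaps_port is not None:
        problems += check_port(ldaps_port, "ldaps")
        ports.add(ldaps_port)
        if ldaps_port == ldap_port:
            problems.append("LDAP and LDAPS must not share a port number")
    if ldap_port == admin_port:
        problems.append("the directory and administration ports must differ")
    for port in sorted(p for p in ports if 1 <= p <= 65535):
        if probe(port):
            problems.append(f"{port}: already in use on this host")
    return problems


def check_account(user: str, group: str, ldap_port: int) -> List[str]:
    """Apply the account rules: never nobody, root only when a privileged port
    forces it, and both names must exist before setup is run."""
    problems = []
    if "nobody" in (user, group):
        problems.append("the nobody account and group must not be used for Red Hat servers")
    if user == "root" and not needs_root(ldap_port):
        problems.append("run the servers as a dedicated unprivileged account; "
                        "root is only required for ports below 1024")
    if user != "root" and needs_root(ldap_port):
        problems.append(f"port {ldap_port} requires Directory Server to run as root")
    for kind, lookup, name in (("user", pwd.getpwnam, user), ("group", grp.getgrnam, group)):
        try:
            lookup(name)
        except KeyError:
            problems.append(f"{kind} '{name}' does not exist; create it before running setup")
    return problems


def preflight(user: str, group: str, ldap_port: int, admin_port: int,
              ldaps_port: Optional[int] = None,
              probe: Callable[[int], bool] = port_in_use) -> List[str]:
    """Everything the installer will ask for, checked in one pass."""
    return check_ports(ldap_port, admin_port, ldaps_port, probe) + check_account(user, group, ldap_port)


if __name__ == "__main__":
    # Constructed choices: the worksheet defaults (nobody on 389) versus a hardened
    # choice (dedicated account, unprivileged ports). The hypothetical rhcs/redhat
    # account will be reported as missing unless it has been created first.
    for label, args in (("worksheet defaults", ("nobody", "nobody", 389, 15000)),
                        ("hardened choice", ("rhcs", "redhat", 10389, 15000, 10636))):
        report = preflight(*args)
        print(f"{label}: {'OK' if not report else ''}")
        for line in report:
            print("  -", line)
```

The probe is injectable so the rule logic can be exercised without touching real sockets; on the target host, run the block as is and resolve every reported line before starting setup.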
Defining Authentication Entities
As you install Directory Server and Administration Server, you will be asked for various user names, distinguished names (DN), and passwords. This list of login and bind entities will differ depending on the type of installation that you are performing:
Directory Manager DN and password.
The Directory Manager DN is the special directory entry to which access control does not apply. Think of the directory manager as your directory's superuser.
The default Directory Manager DN is cn=Directory Manager. Because the Directory Manager DN is a special entry, it does not have to conform to any suffix configured for your Directory Server. Therefore, you must not manually create an actual Directory Server entry that has the same DN as the Directory Manager DN.
Configuration Directory Administrator ID and password.
The configuration directory administrator is the person responsible for managing all the Red Hat servers accessible through Red Hat Console. If you log in with this user ID, then you can administer any Red Hat server that you can see in the server topology area of Red Hat Console.
For security, the configuration directory administrator should not be the same as the directory manager. The default configuration directory administrator ID is admin. This is the user ID and password you will use to log into Red Hat Console.
Administration Server User and password.
You are prompted for this only during custom installations. The Administration Server user is the special user that has all privileges for the local Administration Server. Authentication as this person allows you to administer all the Red Hat servers stored in the local server root.
The Administration Server user ID and password are used only when the Directory Server is down and you are unable to log in as the configuration directory administrator. The existence of this user ID means that you can still access Administration Server and perform disaster recovery activities such as starting Directory Server, reading log files, and so forth.
Normally, Administration Server user and password should be identical to the configuration directory administrator ID and password.
Determining Your Directory Suffix
A directory suffix is the directory entry that represents the first entry in a directory tree. You will need at least one directory suffix for the tree that will contain your enterprise's data. It is common practice to select a directory suffix that corresponds to the DNS host name used by your enterprise. For example, if your organization uses the DNS name example.com, then select a suffix of dc=example,dc=com.
For the purposes of CS, this suffix usually does not matter, unless you plan to store user information in this configuration directory. Normally you will not store users in this configuration directory. You only use this configuration directory to store configuration settings for the Administration Server that allow you to use Red Hat Console to manage CS.
For more information on planning the suffixes for your directory service, see the Red Hat Directory Server Deployment Guide.
Installation Worksheet
You can use the following worksheet to specify the information you will be prompted for during the installation. The default setting is indicated in square brackets.
Install location [/usr/netscape/servers] ______________________________________
Computer name [myhost.mydomain.com] ______________________________________
System User [nobody] ______________________________________
System Group [nobody] ______________________________________
Directory Server Port Number ______________________________________
Directory server identifier [myhost] ______________________________________
Red Hat configuration directory server administrator ID [admin] ______________________________________
Suffix [dc=domaincomponent, dc=com] ______________________________________
Directory Manager DN [cn=Directory Manager] ______________________________________
Administration Domain [mydomain.com] ______________________________________
Administration port [random #] ______________________________________
Run Administration Server as [current login] ______________________________________
Certificate System identifier [certificate] ______________________________________
Installing CS
To install CS:
1. Log in to the host system as the user ID you will be running the servers as. Note that you must be logged into the host locally; do not install remotely. See “Deciding the User and Group for Your Red Hat Servers,” on page 68 for more information.
2. Go to the directory on the distribution CD or on your file system containing the CS installation program (setup). Untar and/or unzip the distribution files if they are tarred and/or zipped.
3. Type the following command to start the installation program:
./setup
The setup command has the following options:
-h Prints the help message.
-s Specifies silent installation mode.
-f <filename> Specifies a silent installation script.
-b Installs only the binaries, without configuration.
-k Saves the installation cache. The cache is saved to the file <temp>/install.inf.
The installation program launches and prompts you for the series of configuration settings detailed in the following steps.
NOTE
You can use the following commands during installation:
Control-B will take you back one screen in the installation.
Control-C will cancel the installation.
Most prompts have a default value shown in square brackets. To accept the default value, press Enter.
4. Would you like to continue with installation? [Yes]: Press Enter.
5. Do you agree to the license terms? [No]: Type yes and press Enter.
6. Select the component you would like to install [1]: Accept the default to install the Red Hat servers.
7. Choose an installation type [2]: Accept the default for a typical installation.
8. Install location [/usr/netscape/servers]: Enter the full path to the location in which you want to install the servers. The location that you enter must be different from the directory from which you are running the setup program. You must have write access to the directory. If the directory that you specify does not exist, the setup program creates it for you. This location is the server root for this installation. See “Server Root,” on page 67 for more information.
9. Specify the components you wish to install [All]: Accept the default value, All, to accept the default server product components.
10. Specify the components you wish to install [1,2,3]: Press Enter to accept the default components.
11. Specify the components you wish to install [1,2]: Press Enter to accept the default components.
12. Specify the components you wish to install [1,2]: Press Enter to accept the default components.
13. Specify the components you wish to install [1,2]: Press Enter to accept the default components.
14. Computer name [myhost.mydomain.com]: Accept the default value to install on the local machine. Do not attempt to install remotely.
15. System User [nobody]: Enter the user ID that Directory Server will run as. Do not accept the default of nobody; use the dedicated account you created. See “Deciding the User and Group for Your Red Hat Servers,” on page 68 for more information.
16. System Group [nobody]: Enter the group that Directory Server will run as. Again, do not accept the default of nobody. See “Deciding the User and Group for Your Red Hat Servers,” on page 68 for more information.
17. Do you want to register this software with an existing configuration directory server? [No]: If you accept the default setting, the installation script installs a new instance of Directory Server for use as a configuration directory.
You can also choose to use a previously installed configuration directory. In this case, select “Use existing configuration directory server,” then fill in the values that identify and provide access to the previously installed directory.
18. Do you want to use another directory to store your data? [No]: If you accept the default setting, the installation script either adds a user/group directory to the newly installed instance of Directory Server (if you accepted the default in step 17) or installs a new instance of Directory Server for use as a user/group directory.
You can also choose to use a previously installed user/group directory. In this case, enter Yes, then fill in the values that identify and provide access to the previously installed directory.
19. Directory server network port [random #]: Accept the default, which is either 389 or a randomly generated number, or enter any port number that is not and will not be used for another purpose.
If you are using an existing configuration directory, enter its port number.
See “Choosing Ports for Directory and Administration Servers,” on page 68 for more information.
20. Directory server identifier [myhost]: Enter a unique identifier for the new instance of Directory Server.
If you are using an existing configuration directory, enter its identifier.
21. Red Hat configuration directory server administrator ID [admin]: Enter the name and password of the user ID who will authenticate to Red Hat Console with full privileges. The password must be at least eight characters long.
If you are using an existing configuration directory, enter its administrator ID and password.
See “Defining Authentication Entities,” on page 69 for more information.
22. Suffix [dc=domaincomponent, dc=com]: Accept the default value for the suffix, or base DN, to be used for the directory tree. See “Determining Your Directory Suffix,” on page 70 for more information.
23. Directory Manager DN [cn=Directory Manager]: Enter the distinguished name (DN) and password of the directory manager for the configuration directory. The password must be at least eight characters long.
This DN can be short and does not need to conform to any suffix configured for your directory. It also should not correspond to an actual entry stored in your directory.
See “Defining Authentication Entities,” on page 69 for more information.
24. Administration Domain [mydomain.com]: Accept the default value. This domain name identifies the collection of servers that use the same configuration directory.
25. Administration port [random #]: Accept the default port number, which is randomly generated, or enter any port number that is not and will not be used for another purpose. See “Choosing Ports for Directory and Administration Servers,” on page 68 for more information.
26. Run Administration Server as [current login]: Enter the user ID for the Administration Server process. If you are running as root, you can accept the default to run the server as root.
27. Certificate System identifier [certificate]: Enter a unique identifier for the new instance of CS.
The script extracts and installs the binaries for all of the servers in the server root directory and creates and starts instances of the Administration Server and Directory Server. For specifics on installing each subsystem, see:
“Installing a Certificate Manager as a Root CA,” on page 85.
“Installing a Certificate Manager as a Subordinate CA,” on page 90.
“Installing a Registration Manager,” on page 133.
“Installing an Online Certificate Status Manager,” on page 165.
“Installing a Standalone Data Recovery Manager,” on page 203.
28. You should note the choices you made for later reference, especially the following:
The server root in which the software was installed. You will need to know this whenever you need to access any of the files installed for any of the servers, or to manually stop and start any of the servers.
The administration domain and administration port number. You will need both of these to log into Red Hat Console.
The configuration directory server administrator ID and password. You will log in as this user ID when logging into Red Hat Console.
29. The installation logs are located in the directory:
<server_root>/cert-<instance_id>/logs
See “Logs,” on page 255 for more information.
Uninstalling CS
To remove CS from a host system, run the uninstall program. To remove a specific CS instance, follow the instructions provided in “Removing an Instance From a System” on page 249.
To uninstall CS:
1. Log in as the user account under which the server is running.
2. Go to the server root directory containing the installed software.
3. Type the following command:
./uninstall
4. Specify the components you wish to uninstall [All]: Accept the default value.
5. Specify the components you wish to uninstall [1,2,3]: Accept the default value.
6. Specify the components you wish to uninstall [1,2]: Accept the default value.
7. Specify the components you wish to uninstall [1,2]: Accept the default value.
8. Specify the components you wish to uninstall [1,2]: Accept the default value.
9. Configuration admin ID or DN [admin]: Accept the default value.
The uninstallation program starts.
Chapter 3
Certificate Manager
The Certificate Manager subsystem provides the services of a Certificate Authority (CA) in the PKI. It can issue, renew, and revoke certificates; create and issue CRLs; and publish certificates and CRLs.
This chapter discusses the Certificate Manager subsystem. It provides an overview of the subsystem including the decisions you need to make before installing the subsystem, complete installation instructions, an overview of the Certificate Manager processes including information on configuring those processes, information about FBCA, and details on configuring a cloned CA.
This chapter contains the following sections:
Certificate Manager Deployment Considerations
Installing a Certificate Manager
Configuring the Certificate Manager
How The Certificate Manager Works
Federal Bridge CA
Cloning a CA
Certificate Manager Deployment Considerations
This section describes the decisions you make during installation of the Certificate Manager that will apply to your initial configuration of the subsystem.
Self-Signed Root vs. Subordinate CA
A Certificate Manager can be set up as a self-signed root CA by choosing this option when you install. A self-signed root CA issues and signs its own CA certificate; the other subsystems are then issued their certificates by this root CA.
A Certificate Manager can also be set up as a subordinate CA, either to a public CA that signs its certificates or to another CS CA. A subordinate CA is restricted in the types of certificates it can issue, and in the content of those certificates, by the contents and settings of the CA signing certificate issued to it.
For an initial pilot, it is easiest to make the CA a self-signed root, so that you do not need to apply to a third party and wait for the certificate to be issued. Before deploying a full-blown PKI, however, you will need to consider this question carefully.
Understanding Certificate Manager Subordination
A Certificate Manager (or CA) is subordinate to another CA when its CA signing certificate, the certificate that allows it to issue certificates, is issued by that other CA. The issuing CA controls the subordinate through the contents of that CA signing certificate: it can constrain the kinds of certificates the subordinate can issue, the extensions it is allowed to include, the number of levels of subordinate CAs it can create in turn, the validity period of the certificates it issues, and the validity period of the subordinate CA's own signing certificate.
Although a subordinate CA can create certificates that violate these constraints, a client that validates the certificate chain correctly will not accept such a certificate. The constraints are therefore enforced by relying parties at validation time, not by the subordinate's software; a client that skips those checks, or that trusts the subordinate CA's certificate directly as an anchor, gets no protection from them.
Subordination to a Public CA
If you want your CA to chain up to a third-party public CA, you must carefully consider the restrictions that public CAs place on the kinds of certificates your CA can issue and the nature of the certificate chain. For example, a CA that chains up to a third-party CA might be restricted to issuing only Secure Multipurpose Internet Mail Extensions (S/MIME) and SSL client authentication certificates; but not SSL server certificates. In addition, a CA that chains up to a third-party CA might not be allowed to have any subordinate CAs and might have to obey certain restrictions on its use of certificate extensions. These and other restrictions may be acceptable for some PKI deployments but not for others.
One benefit of chaining up to a public CA is that the third party is responsible for getting the root CA certificate into the browser or other client software. This can be a major advantage if you are deploying an extranet that involves certificates used by different companies whose browsers you cannot control. Alternatively, if you create your own CA hierarchy from scratch, you are responsible for getting your root certificate into all the browsers used with the certificates you issue. If you are using Netscape Communicator as your client, you can accomplish this task within an intranet by using tools such as Mission Control Desktop or with the aid of Personal Security Manager, but extranet deployments can be more complicated.
Subordination to Another CS CA
If you set up a CA using CS that has subordinate CAs, you control the subordinate CAs by setting policies that control the contents of the CA signing certificates it issues. A subordinate CA issues certificates by evaluating its own authentication, policy, and certificate profile configuration; it is completely unaware of how its parent is configured.
A Certificate Manager cannot issue a certificate with a validity period longer than that of its own CA signing certificate. Any request for a longer period results in a certificate whose validity ends when the CA signing certificate expires.
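The constraint model in “Understanding Certificate Manager Subordination” and the validity rule just above are worth seeing as code, because the two are enforced in different places: the validity clamp happens inside the issuing CA, whereas a path-length limit is enforced only by relying parties when they validate a chain. The following added example is not CS code; certificates are plain records rather than real X.509 objects, and every name in it is constructed. It models a root that issues a five-year subordinate with pathLenConstraint 0, shows an over-long request being clamped to the subordinate's own expiry, and shows a chain issued through an unauthorized further CA being rejected by a validator that checks the constraint.

```python
"""Subordination constraints: issuer-side validity clamp, client-side path checks
(added example, not Certificate System code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    is_ca: bool = False
    path_len: Optional[int] = None   # basicConstraints pathLenConstraint; None = no limit

    @property
    def self_signed(self) -> bool:
        # A root's subject and issuer names are the same.
        return self.subject == self.issuer


def issue(ca: Cert, subject: str, not_before: datetime, requested_not_after: datetime,
          *, is_ca: bool = False, path_len: Optional[int] = None) -> Cert:
    """Issue from `ca`, clamping the validity to the CA signing certificate's own
    expiry as this chapter says the Certificate Manager does. Nothing here stops a
    CA from issuing beyond its pathLenConstraint: that is the validator's job."""
    not_after = min(requested_not_after, ca.not_after)
    return Cert(subject, ca.subject, not_before, not_after, is_ca, path_len)


def validate_chain(chain: List[Cert], trusted_roots: List[Cert], at: datetime) -> List[str]:
    """Relying-party checks over a chain ordered leaf first, root last.
    Returns the violations found; an empty list means the chain is accepted."""
    errors = []
    root = chain[-1]
    if not (root.self_signed and root in trusted_roots):
        errors.append(f"{root.subject}: not a trusted self-signed root")
    for depth, cert in enumerate(chain):
        if not cert.not_before <= at <= cert.not_after:
            errors.append(f"{cert.subject}: not valid at {at:%Y-%m-%d}")
        if depth + 1 < len(chain):
            signer = chain[depth + 1]
            if cert.issuer != signer.subject:
                errors.append(f"{cert.subject}: issuer name does not match {signer.subject}")
            if not signer.is_ca:
                errors.append(f"{signer.subject}: signed a certificate but is not a CA")
        if depth >= 1 and cert.path_len is not None:
            # CAs strictly between this CA and the leaf are chain[1:depth].
            below = depth - 1
            if below > cert.path_len:
                errors.append(f"{cert.subject}: pathLenConstraint={cert.path_len} "
                              f"but {below} subordinate CA(s) lie below it")
    return errors


def demo() -> Dict[str, object]:
    """Constructed hierarchy exercising both rules; returns the results for inspection."""
    year = timedelta(days=365)
    t0 = datetime(2005, 9, 1)
    root = Cert("CN=Example Root CA", "CN=Example Root CA", t0, t0 + 10 * year, is_ca=True)
    # The root constrains the subordinate: 5-year signing certificate, no CAs beneath it.
    sub = issue(root, "CN=Example Sub CA", t0, t0 + 5 * year, is_ca=True, path_len=0)
    # An 8-year request is clamped to the subordinate's own expiry.
    server = issue(sub, "CN=www.example.com", t0, t0 + 8 * year)
    # The subordinate *can* mint a further CA, but clients will reject what it signs.
    rogue = issue(sub, "CN=Unauthorized CA", t0, t0 + year, is_ca=True)
    leaf = issue(rogue, "CN=mail.example.com", t0, t0 + year)
    check_at = t0 + 180 * timedelta(days=1)
    return {
        "sub_not_after": sub.not_after,
        "server_not_after": server.not_after,
        "server_chain": validate_chain([server, sub, root], [root], check_at),
        "rogue_chain": validate_chain([leaf, rogue, sub, root], [root], check_at),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The pathLen check is the one a standards-conforming client performs during certification path validation (RFC 3280, later RFC 5280); the issuing side deliberately does not refuse to mint the unauthorized CA, which is exactly why the guide places the protection with the client.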
Cloned CA
A Certificate Manager can also be cloned so that more than one CA shares the same set of keys and certificates, allowing more than one CA to issue certificates with the same issuer name and keys. Each clone issues from a different, non-overlapping set of serial numbers. Where the relationship between a self-signed CA and its subordinates is hierarchical, a CA and its clones function together, effectively forming a single Certificate Manager with failover support (and, potentially, load balancing on the front end). For details about cloning a CA, see “Cloning a CA,” on page 127.
Certificate Manager Certificates
When you install the Certificate Manager, the key pairs for the CA signing certificate, the SSL server certificate, and the OCSP signing certificate are generated, and certificate requests are created for the CA signing certificate and the SSL server certificate. The OCSP signing certificate is issued by the CA itself.
You submit the CA signing request either to the CA itself, which then issues the certificate (this is how you create a self-signed root CA), or to a third-party public CA, in which case you install the certificate you receive from that CA during the remainder of the installation.
About the CA Key Pairs and Certificates
This section describes the key pairs and certificates associated with the Certificate Manager.
CA Signing Key Pair and Certificate
Every Certificate Manager you install has a Certificate Manager CA signing certificate, whose public key corresponds to the private key the Certificate Manager uses to sign the X.509 certificates and CRLs it issues. This certificate is created and installed when you install the Certificate Manager. The default nickname for the certificate is caSigningCert cert-<instance_id>, where <instance_id> identifies the CS instance in which the Certificate Manager is installed, and the default validity period for the certificate is two years.
The subject name of the CA signing certificate reflects the name of your certificate authority (CA) as specified during the installation. All certificates signed or issued by the Certificate Manager include this name to identify the issuer of the certificate.
The Certificate Manager’s status as a root or subordinate CA is determined by whether its CA signing certificate is self-signed or is signed by another CA.
If the Certificate Manager is a root CA, its CA signing certificate is self-signed—that is, the subject name and issuer name of the certificate are the same.
If the Certificate Manager is a subordinate CA, its CA signing certificate is signed by another CA, usually the one that is a level above in the CA hierarchy (which may or may not be a root CA). If you have deployed the Certificate Manager as a subordinate CA in a CA hierarchy, you must import your root CA’s signing certificate into individual clients and servers before you can use the Certificate Manager to issue certificates to them.
OCSP Signing Key Pair and Certificate
Irrespective of whether you chose to enable the OCSP service feature, the Installation Wizard transparently generates a key pair and a corresponding certificate identified as the OCSP signing certificate.
The wizard uses the key type, key size, key algorithm, and validity period you provided for the CA signing key pair to generate the OCSP signing key pair. The subject name of the OCSP signing certificate is in the form CN=OCSP cert-<CS_instance_id>, and it contains extensions, such as OCSPSigning and OCSPNoCheck, required for signing OCSP responses.
NOTE You cannot change the CA name; doing so would make all previously issued certificates invalid. Similarly, reissuing a Certificate Manager’s CA signing certificate with a new key pair invalidates all certificates that have been signed by the old key pair.
The default nickname for the OCSP signing certificate is ocspSigningCert cert-<instance_id>, where <instance_id> identifies the CS instance in which the Certificate Manager is installed.
The Certificate Manager uses the private key (that corresponds to the public key used to generate the OCSP signing certificate) to sign the OCSP responses it sends to the OCSP-compliant clients when queried about the revocation status of certificates.
SSL Server Key Pair and Certificate
Every Certificate Manager you install has at least one SSL server certificate. This certificate is first generated when you install the Certificate Manager. The default nickname for the certificate is Server-Cert cert-<instance_id>, where <instance_id> identifies the CS instance in which the Certificate Manager is installed.
The Certificate Manager’s SSL server certificate was issued by the CA to which you submitted the certificate signing request. You might have submitted the request to the Certificate Manager itself, another internally deployed CA, or a public CA.
By default, the Certificate Manager uses a single SSL server certificate for authentication purposes. However, you can request and install additional SSL server certificates for the Certificate Manager. For example, you can configure the Certificate Manager to use separate server certificates for authenticating to the End-Entity Services interface and Agent Services interface. See “Managing Certificates and the Certificate Database” on page 103 for more details.
If you configure the Certificate Manager for SSL-enabled communication with a publishing directory, the Certificate Manager also uses its SSL server certificate for SSL client authentication to the publishing directory. This is the default configuration. You can configure the Certificate Manager to use an alternate certificate for this purpose. See “Managing Certificates and the Certificate Database” on page 103 for more details.
If you configure the Certificate Manager to function as a trusted manager to a Data Recovery Manager, the Certificate Manager also uses its SSL server certificate for SSL client authentication to the Data Recovery Manager. For details on trusted managers, see “Trusted Managers” on page 317. You can also configure the Certificate Manager to use an alternate certificate for this purpose. See “Managing Certificates and the Certificate Database” on page 103 for more details.
Certificate Considerations
This section explains some of the decisions you need to make about the certificates you get for the Certificate Manager when you install the subsystem.
CA’s Distinguished Name
The core elements of a CA consist of a signing unit and the Certificate Manager’s own identity. The signing unit digitally signs certificates requested by end-entities that use a specified enrollment process to establish their identities. Regardless of how related Registration Managers or Data Recovery Managers are configured, any Certificate Manager must have its own distinguished name (DN), which is listed in every certificate it issues.
Like any other X.509 version 3 certificate, a CA certificate binds a DN to a public key. A DN is a series of name-value pairs that in combination uniquely identify an entity. For example, the following DN might be used to identify a hypothetical Certificate Manager for the Engineering department of a corporation named Example Corporation:
cn=demoCA, o=Example Corporation, ou=Engineering, c=US
Many combinations of name-value pairs are possible for the Certificate Manager’s DN. The DN must be unique and readily identifiable, since any end entity can examine it. For more information about DNs, see Managing Servers with Red Hat Console.
CA Signing Certificate’s Validity Period
Every certificate, including a Certificate Manager signing certificate, must have a validity period. CS does not restrict the validity period you can specify. In general it’s a good idea to specify as long a validity period as possible, depending on your plans for certificate renewal, the place of the CA in the certificate hierarchy, and the requirements of any public CAs that you may want to include in your PKI.
Serial Number Ranges for the CA
You can designate the starting and ending serial numbers that a CA can issue during the configuration of the CA. This is especially useful when you are installing cloned CAs. Each cloned CA is given a specific range of serial numbers that it can issue. In this way, none of the cloned CAs can issue the same serial number.
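The following Python model is added here as an illustration and is not code from Certificate System. It shows the two issuance rules this chapter states: each clone draws serial numbers from its own range, which must not overlap with any other clone and must have an upper limit when the CA is cloned, and an issued certificate never outlives the CA signing certificate (see “Subordination to Another CS CA” above). The class and function names are assumptions made for this example.

```python
# Added example: a model of the serial number range and validity rules described
# in this chapter. Not code from Red Hat Certificate System; class and function
# names are assumptions made for this illustration.
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass
class CloneCA:
    """One Certificate Manager (or one clone of it) and its issuance constraints."""
    name: str
    signing_not_after: datetime          # notAfter of the (shared) CA signing certificate
    serial_start: int                    # "Starting serial number" from the wizard
    serial_end: Optional[int] = None     # "Ending serial number"; None = no upper limit
    _next_serial: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        if self.serial_start < 0:
            raise ValueError(f"{self.name}: serial numbers must be non-negative")
        if self.serial_end is not None and self.serial_end < self.serial_start:
            raise ValueError(f"{self.name}: ending serial number is below the starting one")
        self._next_serial = self.serial_start

    def issue(self, requested_not_after: datetime) -> Tuple[int, datetime]:
        """Assign the next serial number and cap the validity at the CA certificate's.

        A request for a longer validity period is not rejected; the issued
        certificate simply expires together with the CA signing certificate.
        """
        if self.serial_end is not None and self._next_serial > self.serial_end:
            raise RuntimeError(f"{self.name}: serial number range exhausted")
        serial = self._next_serial
        self._next_serial += 1
        return serial, min(requested_not_after, self.signing_not_after)


def check_clone_ranges(clones: List[CloneCA]) -> List[str]:
    """Report configuration problems for a set of clones sharing issuer name and keys.

    Two certificates from the same issuer with the same serial number would be
    indistinguishable to relying parties, so the ranges must be disjoint.
    """
    problems: List[str] = []
    if len(clones) > 1:
        for c in clones:
            if c.serial_end is None:
                problems.append(f"{c.name}: a cloned CA must have an ending serial number")
    ordered = sorted(clones, key=lambda c: c.serial_start)
    for earlier, later in zip(ordered, ordered[1:]):
        # An open-ended range reaches every serial number above its start.
        earlier_end = earlier.serial_end if earlier.serial_end is not None else float("inf")
        if later.serial_start <= earlier_end:
            problems.append(f"{earlier.name} and {later.name}: serial number ranges overlap")
    return problems


if __name__ == "__main__":
    ca_expiry = datetime(2007, 9, 1)   # constructed sample value
    clones = [CloneCA("clone-1", ca_expiry, 1, 100000),
              CloneCA("clone-2", ca_expiry, 100001, 200000)]
    print(check_clone_ranges(clones) or "serial ranges OK")
    print(clones[0].issue(datetime(2010, 1, 1)))   # notAfter capped at 2007-09-01
```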
Signing Key Type and Length
If you wish, you can import the signing key and certificate used in a previous version of CS installation rather than generating a new signing key pair. For information on how to do this, check the migration information.
If you decide to generate a new signing key, one of the first decisions you need to make is whether to use the RSA or DSA algorithm. If you use DSA, the software can generate and verify the PQG value. PQG values are used to create the DSA signing key pair. For more information about the way they are used, see the following document:
http://www.itl.nist.gov/div897/pubs/fip186.htm.
In general, longer keys are considered to be cryptographically stronger than shorter keys. However, longer keys also require more time for signing operations.
Many people no longer consider an RSA key of length less than 1024 bits to be cryptographically strong. Export and other regulations permitting, it may be a good rule of thumb to start with 1024 bits and consider increasing the length to 4096 bits for certificates that provide access to highly sensitive data or services. However, the question of key length has no simple answers. Every organization must make its own decision based on its own security requirements. For more information on key length and encryption strength, see Appendix D of Managing Servers with Red Hat Console.
Certificate Manager Interfaces
When you install a Certificate Manager, three interfaces are enabled. The installation wizard lets you choose the ports these interfaces listen on. The following interfaces and associated ports are created:
An Administrative interface that is accessible by default only to members of the Administrator and Auditor groups. You specify the first administrator when you install the subsystem. Administrators can configure any of the settings of the server. Most basic functionality and subsystem-specific configuration can be done using the administrative interface.
The administrative interface listens to requests on the SSL Administration Port. This is the port the CS administrative interface listens to, and that is accessed by administrators and auditors using the Java based CS Console GUI application.
An Agent Services interface that is accessible by default only to members of the Agent group. You can choose to include the first administrator to also be the first agent when you install the subsystem. Agents are users who can perform tasks associated with the processing of requests and management of certificates. A Certificate Manager Agent can change the status, change the details, reject or approve certificate and revocation requests, revoke certificates, and approve and configure certificate profiles. The agent’s services interface is an HTML interface accessible through HTTPS that authenticates agents using their certificate. The default interface provides all the functionality needed by agents for a Certificate Manager and is completely customizable.
The agent services interface listens to requests and communicates on the SSL Agent Services Port. This is the port that the agent goes to in order to access the agent services interface. The agent services interface is accessible at the following location:
https://<CS_host_dnsname>:<port_number>
For example:
https://services.example.com:7878
An End-Entity interface that is accessible by anyone who can access that URL. The end-entity interface is an HTML interface accessible through either HTTPS or HTTP (there are two ports set up by default). The default interface provides forms for the various types of enrollment and other tasks an end entity can perform and is completely customizable. The end-entity interface listens for requests on the SSL or Non-SSL End Entity Ports. Both are configured during installation.
https://<CS_host_dnsname>:<port_number>
For example:
https://services.example.com:7878
Password Storage
Each subsystem stores passwords for its internal database, and for the tokens containing its keys and certificates. See “System Passwords,” on page 244 for information on how these passwords are stored.
Internal Database
Each Certificate Manager instance contains an internal database that stores certificates, certificate requests and the like.
During installation, you set up this database by either choosing to create a new database, or use an existing database, providing user IDs and passwords for special users of the database, and the port the database will listen to requests on. You can choose to use the same internal database for more than one subsystem by specifying this when running the installation wizard to configure that subsystem. You should carefully consider whether you want to store this information in a separate internal database for each subsystem or use one internal database for all subsystems installed on the host.
It’s recommended that you do not use this Directory Server instance for any other purposes; the directory schema is configured for storing CS data.
Tokens
You choose either the internal token (if you plan to use the internal/software token) or an external token to store the signing certificate and key pair and the SSL signing certificate and key pair.
If you are using an external token, you will need to install it before you run the Installation Wizard. In the wizard, you can select from a list of already installed and available tokens, for example, SmartCard. For installation instructions, see “External Token” on page 306.
Installing a Certificate Manager
You install the subsystems by installing the CS software on each host on which you will install a subsystem, and then creating an instance of CS in that installation for each subsystem you want to configure on that host. CS provides an Installation Wizard that allows you to choose which subsystem you are installing in a particular instance, make some configuration choices for the subsystem, and get and install the certificates used by the subsystem. Once the Certificate Manager is installed, it is set up with a default set of configuration settings. You can change the default settings to meet the needs of your PKI.
Installing a Certificate Manager as a Root CA
To configure the Certificate Manager as a root CA:
1. Log into Red Hat Console as the administrator, see “Red Hat Console” on page 237.
2. Select the CS instance and then either click Open, or double click this instance.
The Installation Wizard launches.
3. Installation Wizard Introduction. Click Next to continue.
4. Logon Token. Choose either internal (if you plan to use the internal/software token) or the name of an external token to store the Certificate Manager signing certificate and key pair. If you have not previously initialized the token’s password, you must do so in this screen. See “Tokens,” on page 84 for more information.
5. Internal Database. Choose to either create a new internal database for this instance or to use an existing Directory Server instance as the internal database for this instance. Next, specify the information for that Directory Server instance. See “Internal Database,” on page 84 for more information.
Click Next to continue. The wizard sets up the new internal database, which takes some time.
6. Administrator. Type the user ID, name, and password for the CS administrator. This user ID will be set up as the administrator who can access the CS window and control all CS settings.
Allow Multiple Roles for Users. Select if you want to allow users to belong to more than one group, thus assuming more than one role. Deselect if you want to restrict users from being able to belong to more than one role. This setting only applies to the default administrator, agent, auditor, and trusted manager roles.
If you select this, allowing users to assume multiple roles, the administrator you set up in this window will be added to the agents group. This administrator will be both an administrator and an agent.
Click Next to continue.
7. Subsystems. Choose the subsystem you want to install.
Select Certificate Manager.
Click Next to continue.
8. Remote Data Recovery Manager. Select the appropriate options:
Select No if you don’t want to connect the Certificate Manager to a remote Data Recovery Manager.
Select Yes if you have already installed a remote Data Recovery Manager that you want the Certificate Manager to use for archiving end users’ encryption private keys. Then, enter the remote Data Recovery Manager’s host name, agent SSL port number, and the Time-out in seconds in the associated fields.
Click Next to continue.
9. CA’s Serial Number Range. Specify the range for the serial numbers for the certificates that this CA will issue. In the “Starting serial number” field, type the lowest serial number the CA should assign to a certificate. If you plan to only use one CA server, you can leave the “Ending serial number” field blank to indicate no upper limit. If you plan to clone the CA to distribute load, you must specify an upper limit. (For cloned CAs, you must make sure that the range of serial numbers does not overlap with any other CA server.)
Click Next to continue.
10. Internal OCSP Services. Select to enable the internal OCSP services.
See “Setting Up a Certificate Manager with OCSP Service,” on page 161 for more information.
Click Next to continue.
11. Network Configuration. Type the port numbers for the ports used by this instance, or accept the defaults.
See “Certificate Manager Interfaces,” on page 83 for more information.
Click Next to continue.
12. CA Signing Certificate. Select the “Create self-signed CA certificate” option.
Click Next to continue.
13. Key-Pair Information for Certificate Manager CA Signing Certificate.
Token. Enter either internal (if you plan to use the internal/software token) or the name of an external token to store the Certificate Manager signing certificate and key pair. If you have not previously initialized the token’s password, you must do so now. See “Tokens,” on page 84 for more information.
Key Type. Choose RSA or DSA.
Key Length. Available key sizes for RSA are 512, 768, 1024, 2048, 4096, or Custom. Available key sizes for DSA are 512, 1024, or Custom (which must be in increments of 64 bits only).
See “Signing Key Type and Length” on page 82 for more information.
Click Next to continue.
14. Message Digest Algorithm. Select the algorithm to use for computing the certificate signature. The choices are: MD2, MD5, or SHA-1.
Click Next to continue.
15. Subject Name for Certificate Manager CA Signing Certificate. Type values for the subject DN components; these values identify the root CA signing certificate.
A DN is a series of name-value pairs that in combination uniquely identify an entity. The subject DN identifies the CA signing certificate. You are not required to enter all the values.
See “CA’s Distinguished Name” on page 82 for more information.
Click Next to continue.
16. Validity Period for Certificate Manager CA Signing Certificate. Select the validity period for the CA signing certificate. The default validity is two years. The validity period determines how soon you will have to renew the certificate, which can be a complex procedure.
See “CA Signing Certificate’s Validity Period” on page 82 for more information.
Click Next to continue.
17. Certificate Extensions for Certificate Manager CA Signing Certificate. Select the required extensions. The default settings should work for most deployments. If necessary, you can add an additional extension by pasting its base-64 encoding in the space provided on this screen.
CS provides command-line tools for generating extensions to include in CA and other certificate requests. For details about these tools, check this directory:
<server_root>/bin/cert/tools
Note that the certificate extension text field accepts a single extension blob. If you want to add multiple extensions, you should use the ExtJoiner program, which is also provided in the tools directory. For details on using the ExtJoiner program, see the CS Command-Line Tools Guide.
For more information about extensions, see Appendix G, “Certificate and CRL Extensions.”
Click Next to continue.
18. Certificate Manager CA Signing Certificate Creation. Click Next to generate and install the certificate.
19. SSL Server Certificate. Select the “Sign SSL certificate with my CA signing certificate” option. This option enables the wizard to generate an SSL Server Certificate signed with the local CA signing certificate, the root Certificate Manager’s CA signing certificate you just created.
Click Next to continue.
20. Key-Pair Information for SSL Server Certificate.
Token. Enter either internal (if you plan to use the internal/software token) or the name of an external token. If you have not previously initialized the token’s password, you must do so in this screen. See “Tokens,” on page 84 for more information.
Key Type. Choose RSA.
Key Length. Available key sizes for RSA are 512, 768, 1024, 2048, 4096, or Custom. Available key sizes for DSA are 512, 1024, or Custom (which must be in increments of 64 bits only).
See “Signing Key Type and Length” on page 82 for more information.
Click Next to continue.
21. Message Digest Algorithm. Select the algorithm to use for computing the certificate signature. The choices are: SHA-1, MD2, or MD5.
Click Next to continue.
22. Subject Name for SSL Server Certificate. Type the values for the subject DN components; these values identify the root CA’s SSL server certificate. The CN must be the fully-qualified host name of the machine on which you’re installing the Certificate Manager.
Click Next to continue.
23. Validity Period for SSL Server Certificate. Select the validity period for the SSL server certificate. The validity period determines how soon you will have to renew the certificate.
Click Next to continue.
24. Certificate Extensions for SSL Server Certificate. Select the required extensions. The default settings should work for most deployments. If necessary, you can add an additional extension by pasting its base-64 encoding in the space provided on this screen (see Step 17).
Click Next to continue.
25. SSL Server Certificate Creation. This informational screen tells you that the configuration wizard has all the required information to generate a key pair and its corresponding certificate.
Click Next to generate the certificate.
26. Single Sign-on Summary. Check the summary and select whether to retain or delete the password.conf file. For details, see “Token Password Storage” on page 244.
Click Next to continue.
27. Configuration Status. This screen should indicate that your configuration has been successful.
Click Done to exit the Installation Wizard.
28. You now need to create the first agent user for the Certificate Manager. See “Agent Certificates,” on page 324 for details.
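Step 17 of the procedure above asks for the base-64 encoding of an extension and refers multiple extensions to the ExtJoiner program. As an added illustration, not code from Certificate System or its tools, the following Python encodes two CA-style extensions into DER by hand and joins them into one blob; the assumption that the text field takes one DER Extension, and ExtJoiner produces a SEQUENCE OF Extension, both in base-64, should be checked against the CS Command-Line Tools Guide.

```python
# Added example: hand-encoding X.509 extensions to DER/base-64. Not code from
# Red Hat Certificate System or ExtJoiner; the blob layout (one DER Extension,
# or a SEQUENCE OF Extension when joined) is an assumption to verify against
# the CS Command-Line Tools Guide.
import base64
from typing import List


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def der_boolean(value: bool) -> bytes:
    return der_tlv(0x01, b"\xff" if value else b"\x00")   # DER requires 0xFF for TRUE


def der_sequence(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))


def der_octet_string(content: bytes) -> bytes:
    return der_tlv(0x04, content)


def der_named_bits(bits: List[int]) -> bytes:
    """BIT STRING for a named bit list (bit 0 is the MSB of the first byte).
    DER drops trailing zero bits and records the unused bits of the last byte."""
    if not bits:
        return der_tlv(0x03, b"\x00")
    nbits = max(bits) + 1
    value = bytearray((nbits + 7) // 8)
    for b in bits:
        value[b // 8] |= 0x80 >> (b % 8)
    unused = len(value) * 8 - nbits
    return der_tlv(0x03, bytes([unused]) + bytes(value))


def extension(oid: str, critical: bool, extn_value: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    parts = [der_oid(oid)]
    if critical:                      # DEFAULT FALSE, so the field is omitted when false
        parts.append(der_boolean(True))
    parts.append(der_octet_string(extn_value))
    return der_sequence(*parts)


def basic_constraints(ca: bool, critical: bool = True) -> bytes:
    """id-ce-basicConstraints (2.5.29.19): SEQUENCE { cA BOOLEAN DEFAULT FALSE }."""
    inner = der_sequence(der_boolean(True)) if ca else der_sequence()
    return extension("2.5.29.19", critical, inner)


KEY_USAGE_BITS = {"digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
                  "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
                  "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8}


def key_usage(*usages: str, critical: bool = True) -> bytes:
    """id-ce-keyUsage (2.5.29.15): a named-bit BIT STRING."""
    return extension("2.5.29.15", critical,
                     der_named_bits([KEY_USAGE_BITS[u] for u in usages]))


def join_extensions(*exts: bytes) -> bytes:
    """Wrap several Extension values in one SEQUENCE (assumed ExtJoiner output)."""
    return der_sequence(*exts)


def to_blob(der: bytes) -> str:
    """The base-64 text to paste into the wizard's extension field."""
    return base64.b64encode(der).decode("ascii")


if __name__ == "__main__":
    bc = basic_constraints(ca=True)
    ku = key_usage("keyCertSign", "cRLSign")
    print("basicConstraints:", to_blob(bc))
    print("keyUsage:        ", to_blob(ku))
    print("joined:          ", to_blob(join_extensions(bc, ku)))
```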
Installing a Certificate Manager as a Subordinate CA
To install the Certificate Manager as a subordinate CA:
1. Log into Red Hat Console as the administrator, see “Red Hat Console” on page 237.
The main window of Red Hat Console appears.
2. Select the CS instance and then either click Open, or double click this instance.
The Installation Wizard launches.
3. Installation Wizard Introduction. Click Next to continue.
4. Logon Token. Enter either internal (if you plan to use the internal/software token) or the name of an external token to store the Certificate Manager signing certificate and key pair. If you have not previously initialized the token’s password, you must do so in this screen. See “Tokens,” on page 84 for more information.
5. Internal Database. Choose to either create a new internal database for this instance or to use an existing Directory Server instance as the internal database for this instance. Next, specify the information for that Directory Server instance. See “Internal Database,” on page 84 for more information.
Click Next to continue. The wizard sets up the new internal database, which takes some time.
Click Next to continue.
6. Administrator. Type the user ID, name, and password for the CS administrator. This user ID will be set up as the administrator who can access the CS window and control all CS settings.
Allow Multiple Roles for Users. Select if you want to allow users to belong to more than one group, thus assuming more than one role. Deselect if you want to restrict users from being able to belong to more than one role. This setting only applies to the default administrator, agent, auditor, and trusted manager roles.
If you select this, allowing users to assume multiple roles, the administrator you set up in this window will be added to the agents group. This administrator will be both an administrator and an agent.
Click Next to continue.
7. Subsystems. Choose a subsystem you want to install.
Select Certificate Manager.
Click Next to continue.
8. Remote Data Recovery Manager. Select the appropriate options:
Select No if you don’t want to connect the Certificate Manager to a remote Data Recovery Manager.
Select Yes if you have already installed a remote Data Recovery Manager that you want the Certificate Manager to use for archiving end users’ encryption private keys. Then, enter the remote Data Recovery Manager’s host name, agent SSL port number, and the Time-out in seconds in the associated fields.
Click Next to continue.
9. CA’s serial number range. Specify the range for the serial numbers for the certificates that this CA will issue. In the “Starting serial number” field, type the lowest serial number the CA should assign to a certificate. If you only use one CA server, you can leave the “Ending serial number” field blank to indicate no upper limit. If you plan to clone the CA to distribute load, you must specify an upper limit. (For cloned CAs, you must make sure that the range of serial numbers does not overlap with any other CA server.)
Click Next to continue.
10. Internal OCSP Services. Select to enable the internal OCSP services.
See “Setting Up a Certificate Manager with OCSP Service,” on page 161 for more information.
11. Network Configuration. Type the port numbers for the ports to be used by the CS instance.
See “Certificate Manager Interfaces,” on page 83 for more information.
Click Next to continue.
12. CA Signing Certificate. Select the “Create subordinate CA certificate request” option.
Click Next to continue.
13. Key-Pair Information for Certificate Manager CA signing certificate.
Token. Enter either internal (if you plan to use the internal/software token) or the name of an external token to store the Certificate Manager signing certificate and key pair. If you have not previously initialized the token’s password, you must do so in this screen. See “Tokens,” on page 84 for more information.
Key Type. Choose RSA or DSA.
Key Length. Available key sizes for RSA are 512, 768, 1024, 2048, 4096, or Custom. Available key sizes for DSA are 512, 1024, or Custom (which must be in increments of 64 bits only).
See “Signing Key Type and Length” on page 82 for more information.
Click Next to continue.
14. Message Digest Algorithm. Select the algorithm to use for computing the certificate signature. The choices are: MD2, MD5, or SHA-1.
Click Next to continue.
15. Subject Name for Certificate Manager CA Signing Certificate. Type values for the subject DN components; these values identify the subordinate CA signing certificate.
A DN is a series of name-value pairs that in combination uniquely identify an entity. The subject DN identifies the CA signing certificate. You are not required to enter all the values.
See “CA’s Distinguished Name” on page 82 for more information.
Click Next to continue.
16. Validity Period for Certificate Manager CA Signing Certificate. Select the validity period for the subordinate CA signing certificate. The default validity is two years. The validity period determines how soon you will have to renew the certificate, which can be a complex procedure.
See “CA Signing Certificate’s Validity Period” on page 82 for more information.
Click Next to continue.
17. Certificate Extensions for Certificate Manager CA Signing Certificate. Select the required extensions. The default settings should work for most deployments. If necessary, you can add an additional extension by pasting its base-64 encoding in the space provided on this screen.
CS provides command-line tools for generating extensions to include in CA and other certificate requests. For details about these tools, check this directory:
<server_root>/bin/cert/tools
Note that the certificate extension text field accepts a single extension blob. If you want to add multiple extensions, you should use the ExtJoiner program, which is also provided in the tools directory. For details about using the ExtJoiner program, see Chapter 5, “Extension Joiner Tool” of CS Command-Line Tools Guide.
For more information about extensions, see Appendix G, “Certificate and CRL Extensions.”
Click Next to continue.
18. Certificate Manager CA Signing Certificate Creation. This is an informational screen that tells you that the wizard has all the information required to generate the key pair and certificate request. In the previous screen, if you chose to include the Subject Key Identifier extension in the certificate, you’ll be given the choice to select the format for the certificate request. Otherwise, the request format will be PKCS #10.
If you want the wizard to generate the certificate request in PKCS #10 format, select the “Generate PKCS10 request” option.
If you want the wizard to generate the certificate request in CMC format, select the “Generate CMC full enrollment request” option.
Click Next to generate the request. The wizard creates a certificate request that you must submit to another CA.
19. Submission of Request. Select whether you want to submit the request manually or send the request to a remote Certificate Manager automatically.
To automatically submit the request to a remote Certificate Manager (or for automatic enrollment), follow these steps:
I. Select the “Send the request to a remote CS now” option.
II. Enter the host name and end-entity port number of the remote Certificate Manager, and select whether this end-entity port is SSL enabled.
III. Click Next to submit the request.
The Certificate Request Result screen appears, confirming that the request has been submitted. Note the request ID provided in the response message. (You can use it later to retrieve the certificate, once it has been issued, from the end-entity port.)
Note that the request you submitted gets added to the agent queue of the remote Certificate Manager for approval by that Certificate Manager’s agent. If you have permission to access that Certificate Manager’s Agent interface, you can follow the instructions below to issue the certificate. Otherwise, you should wait for the other agent to approve your request and issue the certificate.
IV. Open a web browser window.
V. Enter the URL for the remote Certificate Manager’s Agent Services page.
(You must have a valid agent’s certificate.)
VI. Select List Requests, then click Show Pending Requests and click Find. The pending request list is displayed.
VII. Locate your request, click Details to see it, and make any changes. Then, scroll down to the bottom of the form and click Do It.
VIII. After the certificate is generated, click Show Certificate.
IX. When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file.
Be sure not to make any changes to the certificate. You are required to paste the encoded certificate into the Installation Wizard screen next. So, once you’ve copied the certificate, go back to the wizard screen (Step 20).
To submit your certificate request manually to a remote Certificate Manager,
follow these steps:
I. Open a web browser window.
II. Go to the end-entity URL for the remote Certificate Manager that will issue
the subordinate CA’s signing certificate.
For example, if you assigned the port number 17006 to the non-SSL end-entity port for your root CA, you would go to the URL
http://<hostname>:17006 to bring up the Certificate Manager page for
end entities.
III. Click Manual Certificate Manager Signing Certificate Enrollment.
In the resulting form, choose the request type from the pull-down menu, paste the request into the request field, and fill in the other information in the form.
IV. Click Submit.
V. The request gets added to the agent queue of the remote Certificate Manager
for approval by that Certificate Manager’s agent. If you have permission to access that Certificate Manager’s Agent interface, you can follow the instructions below to issue the certificate. Otherwise, you will have to wait until the remote Certificate Manager’s agent approves your request.
VI. In the web browser window, enter the URL for the remote Certificate
Manager’s Agent Services page. (You must have a valid agent’s certificate.)
VII. Select List Requests, then click Show Pending Requests and click Find.
VIII. In the pending request list, locate your request, click Details to see the
request, and make any changes. Then, scroll down to the bottom of the form, and click Do It.
IX. After the certificate is generated, click Show Certificate.
X. When the certificate is displayed, scroll down to the base-64 encoded version
of the certificate, highlight all the text (including -----BEGIN CERTIFICATE-----
and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file.
Be sure not to make any changes to the certificate. You are required to paste the encoded certificate into the Installation Wizard next, so once you have copied the certificate, go back to the wizard screen (Step 20).
To submit your certificate request manually to a third-party CA, follow these
steps:
I. Make sure that the certificate request (including -----BEGIN NEW CERTIFICATE REQUEST-----
and -----END NEW CERTIFICATE REQUEST-----) is highlighted, and click the Copy to Clipboard button.
This action copies the certificate request to the clipboard. In addition to the
copy on the clipboard, the screen informs you that the certificate request has been saved to a file. You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the subordinate CA’s signing certificate.
II. Submit your certificate request to a third-party CA, following the instructions
provided by that CA.
Click Next when you are ready to proceed.
20. CA Signing Certificate Installation. Depending on whether you have the certificate
ready for pasting into the Installation Wizard screen, click Yes or No.
Select No if you have submitted your request to a third-party CA or to a remote
Certificate Manager for which you do not have agent privileges; in that case you may have to wait days or weeks before you receive the certificate. Continue as far as you can with the configuration, and resume after you receive the certificate. The default selection is No.
Select Yes if you have the certificate ready in its base-64 encoded format.
Click Next to continue.
If you selected No, you will be presented with the “SSL Server Certificate” screen
(Step 24).
If you selected Yes, the “Location of Certificate” screen appears (Step 21).
21. Location of Certificate. Specify the location of the certificate. You can use any of
these options:
If you copied the encoded certificate to a file, select the “The certificate is located
in this file” option and then type the file path, including the filename, in the text field.
If you copied the certificate to the clipboard, select the “The certificate is located
in the text area below” option and then paste in a base-64 encoded certificate (including the header and footer) in the text area provided.
If you noted the request ID of your request and know the host name and end-entity
port number of the remote Certificate Manager that issued the certificate, select the “The certificate is at the CS server where the request was sent” option and then specify the required details.
Click Next to continue.
22. Certificate Details. This is an informational screen that shows the certificate so you
can inspect its contents. Notice the nickname assigned to the certificate and verify that you’re installing the correct certificate.
Click Next to continue.
23. Import Certificate Chain. This screen appears only if you need to import the CA
certificate chain. If the CA that issued the certificate is a Certificate Manager, follow these steps:
a. Go to the end-entity URL for the Certificate Manager that issued the subordinate
CA’s signing certificate.
b. Select the Retrieval tab, and then choose Import CA Certificate Chain.
c. Select the “Display the CA certificate chain in PKCS#7 for importing into a
server” option, and then click Submit.
d. Copy the certificate chain to the clipboard.
e. Return to the Installation Wizard.
f. Paste the certificate chain into the text box.
Click Next to continue.
24. SSL Server Certificate. Select the appropriate option:
If you want to get the SSL server certificate signed by the subordinate CA itself,
select the “Sign SSL certificate with my CA signing certificate” option.
If you want to submit the SSL server certificate request to another CA, for example
to the CA that signed the subordinate CA’s signing certificate, select the “Create request for submission to another CA” option.
Click Next to continue.
25. Key-Pair Information for SSL Server Certificate.
Token. Enter either internal (if you plan to use the internal/software token) or
the name of an external token. If you have not previously initialized the token’s password, you must do so in this screen. See “Tokens,” on page 84 for more information.
Key Type. Choose RSA.
Key Length. Available key sizes for RSA are 512, 768, 1024, 2048, 4096, or
Custom. Available key sizes for DSA are 512, 1024, or Custom (which must be in increments of 64 bits only).
See “Signing Key Type and Length” on page 82 for more information.
Click Next to continue.
26. Message Digest Algorithm. Select the algorithm to use for computing the certificate
signature. The choices are: SHA-1, MD2, or MD5.
Click Next to continue.
27. Subject Name for SSL Server Certificate. Type the values for the subject DN
components; these values identify the subordinate CA’s SSL server certificate. The CN must be the fully-qualified host name of the machine on which you’re installing the Certificate Manager.
Click Next to continue.
28. Certificate Extensions for SSL Server Certificate. Select the required extensions.
The default settings should work for most deployments. If necessary, you can add an additional extension by pasting its base-64 encoding in the space provided on this screen. (For details, see Step 17 of this section.)
Click Next to continue.
29. SSL Server Certificate Request Creation. This is an informational screen that tells
you that the wizard has all the information required to generate the key pair and certificate request. In the previous screens, if you chose to generate a certificate request and include the Subject Key Identifier extension in the certificate, you’ll be given the choice to select the format for the certificate request. Otherwise, the request format will be PKCS #10.
If you want the wizard to generate the certificate request in PKCS #10 format,
select the “Generate PKCS10 request” option.
If you want the wizard to generate the certificate request in CMC format, select the
“Generate CMC full enrollment request” option.
Click Next to generate the certificate or the request:
If you chose to get the certificate signed by the subordinate CA itself, the wizard
generates the SSL server certificate. You’ll be presented with the “Create Single Sign-on Password” screen (Step 35).
If you chose to generate a request for submission to another CA, the wizard
generates an SSL server certificate request that you must submit to another CA. You’ll be presented with the “Submission of Request” screen (Step 30).
30. Submission of Request. Select whether you want to submit the request manually or
send the request automatically to a remote Certificate Manager.
To automatically submit the request to a remote Certificate Manager (or for
automatic enrollment), follow these steps:
I. Select the “Send the request to a remote CS now” option.
II. Enter the host name and end-entity port number of the remote Certificate
Manager, and specify whether the end-entity port is SSL enabled.
III. Click Next to submit the request.
The Certificate Request Result screen appears, confirming that the request has been submitted. Note the request ID provided in the response message. (You can use it later to retrieve the certificate, once it has been issued, from the end-entity port.)
Note that the request gets added to the agent queue of the remote Certificate Manager for approval by that Certificate Manager’s agent. If you have permission to access that Certificate Manager’s Agent interface, you can follow the instructions below to issue the certificate. Otherwise, you should wait for the remote Certificate Manager’s agent to approve your request and issue the certificate.
IV. Open a web browser window.
V. Enter the URL for the remote Certificate Manager’s Agent Services page.
(You must have a valid agent’s certificate.)
VI. Select List Requests, click Show Pending Requests, and then click Find.
VII. In the pending request list, locate your request, click Details to see the request,
and make any changes. Then, scroll down to the bottom of the form, and click Do It.
VIII. After the certificate is generated, click Show Certificate.
IX. When the certificate is displayed, scroll down to the base-64 encoded version
of the certificate, highlight all the text (including -----BEGIN CERTIFICATE-----
and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file.
Be sure not to make any changes to the certificate. You are required to paste the encoded certificate into the Installation Wizard next, so once you have copied the certificate, go back to the wizard screen (Step 31).
To submit your certificate request manually to a remote Certificate Manager,
follow these steps:
I. Open a web browser window.
II. Go to the end-entity URL for the remote Certificate Manager that will issue
the subordinate CA’s SSL server certificate.
For example, if you assigned the port number 17006 to the non-SSL end-entity port for your root CA, you would go to the URL
http://<hostname>:17006 to bring up the Certificate Manager page for
end entities.
III. Click Manual Server Certificate Enrollment, or click Agent-Based Server
Certificate Enrollment if you have an agent certificate. If you choose Agent-Based Server Certificate Enrollment and you have an agent certificate, the certificate will be automatically issued once you submit the request.
In the resulting form, choose the type of request from the pull-down menu, paste the request in the request field, and fill in the other fields on the form.
IV. Click Submit.
V. If you used the Agent-Based Server Certificate Enrollment and you have an
agent certificate, the certificate will be automatically issued once you submit the request.
If you used the Manual Server Certificate Enrollment request, the request gets added to the agent queue of that Certificate Manager for approval by that Certificate Manager’s agent. If you have permission to access that Certificate Manager’s Agent interface, you can follow the instructions below to issue the certificate. Otherwise, you will have to wait for the Certificate Manager’s agent to approve your request and issue the certificate.
To approve the request, do the following:
In the web browser window, enter the URL for the Certificate Manager’s Agent Services page. (You must have a valid agent’s certificate.)
Select List Requests, then click Show Pending Requests and click Find. The pending request list is displayed.
Locate your request, click Details to see it, and make any changes. Then, scroll down to the bottom of the form and select the appropriate action.
VI. After the certificate is generated, click Show Certificate.
VII. When the certificate is displayed, scroll down to the base-64 encoded version
of the certificate, highlight all the text (including -----BEGIN CERTIFICATE-----
and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file.
Be sure not to make any changes to the certificate. You are required to paste the encoded certificate into the Installation Wizard next, so once you have copied the certificate, go back to the wizard screen (Step 31 below).
To submit your certificate request manually to a third-party CA, follow these
steps:
I. Make sure that the certificate request (including -----BEGIN NEW CERTIFICATE REQUEST-----
and -----END NEW CERTIFICATE REQUEST-----) is highlighted, and click the Copy to Clipboard button.
This action copies the certificate request to the clipboard. In addition to the copy on the clipboard, the screen informs you that the certificate request has been saved to a file. You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the subordinate CA’s SSL server certificate.
II. Submit your certificate request to a third-party CA, following the instructions
provided by that CA.
Click Next when you are ready to proceed to the next screen.
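As an added example (not from this guide or from Certificate System itself), a small Python check for the copy-and-paste steps in Steps 19 and 30 above: it confirms that the text you copied still has matching BEGIN and END lines with the expected label (CERTIFICATE for an issued certificate, NEW CERTIFICATE REQUEST for a request), that the body is valid base-64, and that the decoded DER is not truncated. It checks structure only, not the signature; the sample block is a constructed placeholder, not a real certificate.

```python
import base64
import re

# BEGIN line and matching END line with the same label, e.g. CERTIFICATE or
# NEW CERTIFICATE REQUEST; the wizard needs both lines present and unaltered.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9]+(?: [A-Z0-9]+)*)-----\s*"
    r"(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def der_outer_length(der: bytes) -> int:
    """Total length claimed by the outer DER SEQUENCE header, or -1 if the
    bytes do not start with one. A truncated or edited paste will not match."""
    if len(der) < 2 or der[0] != 0x30:
        return -1
    first = der[1]
    if first < 0x80:                 # short form: one length byte
        return 2 + first
    n = first & 0x7F                 # long form: n following length bytes
    if n == 0 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem_block(text: str, expected_label: str) -> tuple[bool, str]:
    """Return (ok, reason) for text copied from the Show Certificate page or
    the request screen, before it is pasted into the Installation Wizard."""
    m = PEM_RE.search(text)
    if not m:
        return False, "BEGIN/END lines missing or their labels do not match"
    if m.group("label") != expected_label:
        return False, f"unexpected label {m.group('label')!r}"
    body = "".join(m.group("body").split())   # drop line breaks in the body
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:                        # binascii.Error is a ValueError
        return False, "body is not valid base-64 (characters added or removed?)"
    claimed = der_outer_length(der)
    if claimed < 0:
        return False, "decoded data is not a DER SEQUENCE"
    if claimed != len(der):
        return False, f"DER length mismatch: header says {claimed}, got {len(der)}"
    return True, "ok"


# Constructed sample: a 5-byte DER SEQUENCE, not a real certificate, so that the
# check runs offline; in practice pass the text you copied from the agent page.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
```

The same check applies to the PKCS #7 chain pasted in Step 23, using whatever label the Retrieval page shows in its BEGIN line.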
31. SSL Server Certificate Installation. Depending on whether you have the certificate
ready for pasting into the Installation Wizard screen, click Yes or No.
If you have submitted your request to a third-party CA or to a remote Certificate
Manager for which you do not have agent privileges, you may have to wait days or weeks before you receive the certificate. In this case, you should click No, continue as far as you can with the configuration, and resume after you receive the certificate. The default is No. If you selected No, you will be presented with the “Create Single Sign-on Password” screen.