Red Hat CERTIFICATE SYSTEM 7.2 - ADMINISTRATION Administration Manual
Red Hat Certificate
System 7.2
Administration Guide
Publication date: November 6, 2006, and updated on August 25, 2009
Administration Guide
Red Hat Certificate System 7.2 Administration Guide
Copyright © 2008 Red Hat, Inc.
Copyright © 2008 Red Hat, Inc..
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons
Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available
at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this
document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert,
Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity
Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
All other trademarks are the property of their respective owners.
1801 Varsity Drive
Raleigh, NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701
PO Box 13588 Research Triangle Park, NC 27709 USA
This manual covers all aspects of installing, configuring, and managing Certificate System
subsystems. It also covers management tasks such as adding users; requesting and revoking
certificates; publishing CRLs; and managing smart cards. This guide is intended for Certificate System
administrators.
iii
About This Guide xv
1. Who Should Read This Guide ........................................................................................ xv
2. Recommended Knowledge ............................................................................................. xv
3. What Is in This Guide .................................................................................................... xv
4. Examples and Formatting ............................................................................................. xvii
5. Additional Reading ...................................................................................................... xviii
6. Giving Feedback ......................................................................................................... xviii
7. Document History ......................................................................................................... xix
1. Overview 1
1.1. Features ...................................................................................................................... 1
1.1.1. Subsystems ...................................................................................................... 1
1.1.2. Interfaces .......................................................................................................... 2
1.1.3. Logging ............................................................................................................. 2
1.1.4. Auditing ............................................................................................................. 2
1.1.5. Self-Tests .......................................................................................................... 3
1.1.6. Authorization ..................................................................................................... 3
1.1.7. Security-Enhanced Linux Support ....................................................................... 3
1.1.8. Authentication .................................................................................................... 4
1.1.9. Certificate Issuance ........................................................................................... 4
1.1.10. Certificate Profiles ............................................................................................ 4
1.1.11. CRLs ............................................................................................................... 5
1.1.12. Publishing ....................................................................................................... 5
1.1.13. Notifications ..................................................................................................... 5
1.1.14. Jobs ................................................................................................................ 5
1.1.15. Dual Key Pairs ................................................................................................ 5
1.1.16. HSMs and Crypto Accelerators ......................................................................... 5
1.1.17. Support for Open Standards ............................................................................. 6
1.1.18. Java SDK Extension Mechanism for Customization ............................................ 6
1.2. How the Certificate System Works ................................................................................ 7
1.2.1. About the Certificate Manager ............................................................................ 7
1.2.2. How the Certificate Manager Works .................................................................... 9
1.2.3. Data Recovery Manager .................................................................................. 11
1.2.4. Online Certificate Status Manager .................................................................... 11
1.2.5. Token Key Service ........................................................................................... 12
1.2.6. Token Processing System ................................................................................ 12
1.3. Deployment Scenarios ................................................................................................ 12
1.3.1. Single Certificate Manager ............................................................................... 12
1.3.2. Certificate Manager and DRM .......................................................................... 13
1.3.3. Cloned Certificate Manager .............................................................................. 14
1.3.4. Smart Card Enrollment .................................................................................... 15
1.4. System Architecture ................................................................................................... 15
1.4.1. Certificate System Instance .............................................................................. 17
1.4.2. HTTP Engine .................................................................................................. 17
1.4.3. User Interfaces ................................................................................................ 17
1.4.4. JSS and the JNI Layer .................................................................................... 18
1.4.5. NSS ................................................................................................................ 18
1.4.6. PKCS #11 ....................................................................................................... 19
1.4.7. Management Tools .......................................................................................... 19
1.4.8. JRE ................................................................................................................ 20
1.4.9. Internal Database ............................................................................................ 20
1.4.10. SSL/TLS and Supported Cipher Suites ............................................................ 20
Administration Guide
iv
1.5. CS SDK ..................................................................................................................... 21
1.6. Support for Open Standards ....................................................................................... 21
1.6.1. Certificate Management Formats and Protocols ................................................. 21
1.6.2. Security and Directory Protocols ....................................................................... 22
2. Installation and Configuration 23
2.1. Deployment Considerations ......................................................................................... 23
2.1.1. Security Domains ............................................................................................ 24
2.1.2. Cloning a Subsystem ....................................................................................... 24
2.1.3. Self-Signed Root CA or Subordinate CA ........................................................... 24
2.2. Prerequisites .............................................................................................................. 25
2.2.1. Supported Platforms ........................................................................................ 25
2.2.2. Required Programs and Dependencies ............................................................. 26
2.2.3. Packages Installed ........................................................................................... 28
2.3. Configuration Preparation ........................................................................................... 32
2.3.1. Required Information ........................................................................................ 32
2.3.2. Default Settings ............................................................................................... 33
2.4. Configuration Setup Wizard ........................................................................................ 34
2.4.1. Security Domain Panel .................................................................................... 34
2.4.2. Subsystem Type Panel .................................................................................... 35
2.4.3. PKI Hierarchy Panel ........................................................................................ 36
2.4.4. CA Information Panel ....................................................................................... 37
2.4.5. TKS Information Panel ..................................................................................... 37
2.4.6. DRM Information Panel .................................................................................... 38
2.4.7. Authentication Directory Panel .......................................................................... 39
2.4.8. Internal Database Panel ................................................................................... 39
2.4.9. Key Store Panel .............................................................................................. 40
2.4.10. Key Pairs Panel ............................................................................................. 41
2.4.11. Subject Names Panel ..................................................................................... 42
2.4.12. Requests and Certificates Panel ..................................................................... 43
2.4.13. Export Keys and Certificates Panel ................................................................. 44
2.4.14. Administrator Panel ........................................................................................ 45
2.5. Installing the Certificate System ................................................................................. 46
2.5.1. Installing from an ISO Image ............................................................................ 46
2.5.2. Installing through up2date ................................................................................ 48
2.6. Configuring the Default Subsystem Instances ............................................................... 48
2.6.1. Configuring a CA ............................................................................................. 48
2.6.2. Configuring a DRM, OCSP, or TKS ................................................................... 50
2.6.3. Configuring a TPS ........................................................................................... 51
2.7. Creating Additional Subsystem Instances ..................................................................... 52
2.7.1. Cloning a Subsystem ....................................................................................... 53
2.8. Silent Installation ........................................................................................................ 54
2.9. Updating Certificate System Packages ........................................................................ 56
2.9.1. Updating Certificate System on Red Hat Enterprise Linux ................................... 56
2.9.2. Updating Certificate System on Solaris ............................................................. 57
2.10. Uninstalling Certificate System Subsystems ............................................................... 57
2.10.1. Removing a Subsystem Instance .................................................................... 57
2.10.2. Removing Certificate System Subsystems ....................................................... 58
3. Administrative Basics 59
3.1. Administrative Console ............................................................................................... 59
3.2. Enabling SSL Client Authentication for the Certificate System Console ........................... 60
v
3.3. System Passwords ..................................................................................................... 62
3.3.1. Protecting the password.conf File ..................................................................... 62
3.3.2. Password-Quality Checker ............................................................................... 64
3.4. Starting, Stopping, and Restarting Certificate System Subsystems ................................. 64
3.4.1. Starting a Server Instance ................................................................................ 64
3.4.2. Stopping a Server Instance .............................................................................. 64
3.4.3. Restarting a Server Instance ............................................................................ 64
3.4.4. Restarting a Subsystem after a Machine Restart ............................................... 65
3.5. Mail Server ................................................................................................................ 65
3.6. Configuration Files ..................................................................................................... 66
3.6.1. Locating the Configuration File ......................................................................... 66
3.6.2. Editing the Configuration File ........................................................................... 66
3.6.3. Guidelines for Editing the Configuration File ...................................................... 66
3.6.4. Duplicating Configuration from One Instance to Another ..................................... 68
3.6.5. Other File Locations ........................................................................................ 68
3.6.6. Default Server Instance Locations .................................................................... 70
3.7. Using Security-Enhanced Linux ................................................................................... 72
3.8. Using Java Servlets .................................................................................................... 73
3.9. Logs .......................................................................................................................... 73
3.9.1. About Logs ...................................................................................................... 74
3.9.2. Services That Are Logged ................................................................................ 77
3.9.3. Log Levels (Message Categories) ..................................................................... 78
3.9.4. Buffered Versus Unbuffered Logging ................................................................. 80
3.9.5. Log File Rotation ............................................................................................. 80
3.9.6. Configuring Logs in the Console ....................................................................... 81
3.9.7. Configuring Logs in the CS.cfg File ................................................................... 82
3.9.8. Configuring TPS Logs ...................................................................................... 83
3.9.9. Monitoring Logs ............................................................................................... 84
3.9.10. Signing Log Files ........................................................................................... 85
3.9.11. Registering a Log Module ............................................................................... 86
3.9.12. Deleting a Log Module ................................................................................... 86
3.9.13. Signed Audit Log ........................................................................................... 86
3.10. Self-Tests ................................................................................................................. 90
3.10.1. Self-Test Logging ........................................................................................... 91
3.10.2. Self-Test Configuration ................................................................................... 91
3.10.3. Modifying Self-Test Configuration .................................................................... 91
3.11. Ports ........................................................................................................................ 92
3.11.1. About Ports ................................................................................................... 92
3.11.2. Changing a Port Number ................................................................................ 94
3.12. The Internal LDAP Database ..................................................................................... 95
3.12.1. Changing the Internal Database Configuration ................................................. 96
3.12.2. Enabling SSL Client Authentication with the Internal Database .......................... 97
3.12.3. Restricting Access to the Internal Database ..................................................... 98
3.13. Backing up and Restoring Certificate System ............................................................. 98
4. Certificate Manager 101
4.1. How the Certificate Manager Works ........................................................................... 101
4.1.1. Enrollment ..................................................................................................... 101
4.1.2. Revocation .................................................................................................... 102
4.2. Certificate Manager Certificates ................................................................................. 103
4.2.1. CA Signing Key Pair and Certificate ................................................................ 103
4.2.2. OCSP Signing Key Pair and Certificate ........................................................... 104
Administration Guide
vi
4.2.3. SSL Server Key Pair and Certificate ............................................................... 104
4.2.4. Certificate Considerations ............................................................................... 104
4.2.5. Cross-Pair Certificates .................................................................................... 105
4.3. CA Hierarchy ............................................................................................................ 105
4.3.1. Subordination to a Public CA .......................................................................... 106
4.3.2. Subordination to a Certificate System CA ........................................................ 106
4.4. Security Domains ..................................................................................................... 106
4.4.1. The domain.xml File ...................................................................................... 107
4.4.2. Security Domain Roles ................................................................................... 108
4.4.3. Creating a Security Domain ............................................................................ 109
4.4.4. Joining a Security Domain .............................................................................. 110
4.4.5. Additional Security Domain Information ........................................................... 110
4.5. Configuring the Certificate Manager Instance ............................................................. 110
4.6. CA Certificate Reissuance ........................................................................................ 112
4.7. Changing the Rules for Issuing Certificates ................................................................ 112
4.8. Setting Restrictions on CA Certificates through Certificate Extensions .......................... 114
4.9. Creating Certificate Manager Agents and Administrators ............................................. 116
4.10. Checking the Revocation Status of Agent Certificates ............................................... 117
4.11. CRL Signing Key Pair and Certificate ....................................................................... 119
4.12. DNs in the Certificate System .................................................................................. 120
4.12.1. Extending Attribute Support .......................................................................... 121
5. Online Certificate Status Protocol Responder 125
5.1. About OCSP Services .............................................................................................. 125
5.1.1. OCSP Response Signing ............................................................................... 125
5.1.2. OCSP Responses .......................................................................................... 126
5.2. CA OCSP Services .................................................................................................. 126
5.2.1. The Certificate Manager's Internal OCSP Service ............................................ 126
5.2.2. Online Certificate Status Manager ................................................................... 126
5.3. Online Certificate Status Manager Certificates ............................................................ 127
5.3.1. OCSP Signing Key Pair and Certificate ........................................................... 127
5.3.2. SSL Server Key Pair and Certificate ............................................................... 127
5.3.3. Recognizing Online Certificate Status Manager Certificates .............................. 128
5.4. Configuring the Online Certificate Status Manager ...................................................... 128
5.5. Creating Online Certificate Status Manager Agents and Administrators ......................... 129
5.6. Configuring the Certificate Manager's Internal OCSP Service ...................................... 130
5.7. Setting up the OCSP Responder ............................................................................... 131
5.8. Identifying the CA to the OCSP Responder ................................................................ 132
5.8.1. Verify Certificate Manager and Online Certificate Status Manager Connection ..... 133
5.8.2. Configure the Revocation Info Stores .............................................................. 133
5.9. Testing the OCSP Service Setup ............................................................................... 134
5.10. Submitting OCSP Requests Using the GET Method .................................................. 135
5.11. Setting up a Redirect for Certificates Issued in Certificate System 7.1 and Earlier ......... 137
6. Data Recovery Manager 141
6.1. PKI Setup for Archiving and Recovering Keys ............................................................ 141
6.1.1. Clients That Can Generate Dual Key Pairs ...................................................... 141
6.2. Data Recovery Manager Certificates .......................................................................... 141
6.2.1. Transport Key Pair and Certificate .................................................................. 142
6.2.2. Storage Key Pair ........................................................................................... 142
6.2.3. SSL Server Certificate .................................................................................... 142
6.3. Forms for Users and Key Recovery Agents ................................................................ 142
vii
6.4. Overview of Archiving Keys ....................................................................................... 143
6.4.1. Reasons to Archive Keys ............................................................................... 143
6.4.2. Where the Keys Are Stored ............................................................................ 143
6.4.3. How Key Archival Works ................................................................................ 143
6.5. Overview of Key Recovery ........................................................................................ 145
6.5.1. Key Recovery Agents and Their Passwords .................................................... 145
6.5.2. Key Recovery Agent Scheme ......................................................................... 146
6.6. Configuring Key Archival and Recovery Process ........................................................ 146
6.6.1. Setting up Key Archival .................................................................................. 147
6.6.2. Setting up Key Recovery ................................................................................ 147
6.6.3. Testing the Key Archival and Recovery Setup .................................................. 148
6.7. Creating Data Recovery Manager Agents and Administrators ...................................... 149
7. Token Processing System 151
7.1. Working with Multiple Instances of a Subsystem ......................................................... 151
7.1.1. Configuring Failover Support .......................................................................... 152
7.1.2. Configuring Multiple Instances for Different Functions ....................................... 152
7.2. Formatting Smart Cards ............................................................................................ 154
7.3. Resetting the Smart Card PIN ................................................................................... 154
7.4. Applet Upgrade ........................................................................................................ 154
7.5. Enrolling Smart Cards through the Enterprise Security Client ....................................... 155
7.5.1. Enabling SSL in TPS ..................................................................................... 156
7.5.2. Server-Side Key Generation and Archival of Encryption Keys ............................ 157
7.5.3. Smart Card Certificate Enrollment Profiles ....................................................... 159
7.5.4. Automating Encryption Key Recovery .............................................................. 159
7.5.5. Configuring Symmetric Key Changeover ......................................................... 161
7.5.6. Setting Token Types for Specified Smart Cards ............................................... 163
7.6. Configuring LDAP Authentication ............................................................................... 165
7.7. Token Database ....................................................................................................... 166
7.8. Configuring TPS Logging .......................................................................................... 166
7.8.1. Thread Correlation ......................................................................................... 166
7.9. TPS Configuration Parameters .................................................................................. 166
7.9.1. TKS Configuration File Parameters ................................................................. 182
8. Token Key Service 183
8.1. Overview .................................................................................................................. 183
8.2. Using Master Keys ................................................................................................... 183
8.3. Configuring the TKS to Associate the Master Key with Its Version ................................ 184
8.4. Using HSM for Generating Keys ................................................................................ 185
8.5. Creating Token Key Service Agents and Administrators .............................................. 186
9. Enterprise Security Client 189
9.1. Overview .................................................................................................................. 189
10. Managing Certificates 191
10.1. Certificate Overview ................................................................................................ 191
10.1.1. Types of Certificates .................................................................................... 191
10.1.2. Determining Which Certificates to Install ........................................................ 193
10.1.3. Certificate Data Formats ............................................................................... 195
10.1.4. Certificate Setup Wizard ............................................................................... 195
10.2. Requesting and Receiving Certificates ..................................................................... 196
10.2.1. Requesting Certificates ................................................................................. 197
10.2.2. Submitting Certificate Requests .................................................................... 212
Administration Guide
viii
10.2.3. Retrieving Certificates from the End-Entities Page .......................................... 216
10.3. Managing User Certificates .................................................................................... 218
10.3.1. Managing Certificate System User and Agent Certificates ............................... 219
10.3.2. Importing Certificates into Mozilla Firefox ....................................................... 220
10.4. Managing the Certificate Database .......................................................................... 221
10.4.1. Installing Certificates in the Certificate System Database ................................ 221
10.4.2. Viewing Database Content ........................................................................... 225
10.4.3. Deleting Certificates from the Database ......................................................... 227
10.4.4. Changing the Trust Settings of a CA Certificate ............................................. 228
10.5. Configuring the Server Certificate Use Preferences ................................................... 229
11. Managing Tokens 231
11.1. Tokens for Storing Certificate System Keys and Certificates ....................................... 231
11.1.1. Internal Tokens ............................................................................................ 231
11.1.2. External Tokens ........................................................................................... 231
11.1.3. Considerations for External Tokens ............................................................... 231
11.2. Using Hardware Security Modules with Subsystems .................................................. 232
11.2.1. Chrysalis LunaSA HSM ................................................................................ 233
11.2.2. Installing External Tokens and Unsupported HSM ........................................... 233
11.3. Managing Tokens Used by the Subsystems .............................................................. 234
11.3.1. Viewing Tokens ............................................................................................ 234
11.3.2. Changing a Token's Password ...................................................................... 234
11.4. Detecting Tokens .................................................................................................... 234
11.5. Hardware Cryptographic Accelerators ...................................................................... 235
12. Certificate Profiles 237
12.1. About Certificate Profiles ......................................................................................... 237
12.2. How Certificate Profiles Work .................................................................................. 238
12.3. Setting up Certificate Profiles .................................................................................. 239
12.3.1. Modifying Certificate Profiles through the CA Console .................................... 239
12.3.2. Modifying Certificate Profiles through the Command Line ................................ 248
12.3.3. Populating Certificates with Directory Attributes .............................................. 251
12.3.4. Customizing the Enrollment Form ................................................................. 254
12.4. Certificate Profile Reference .................................................................................... 254
12.5. Input Reference ...................................................................................................... 255
12.5.1. Certificate Request Input .............................................................................. 255
12.5.2. CMC Certificate Request Input ...................................................................... 255
12.5.3. Dual Key Generation Input ........................................................................... 255
12.5.4. File-Signing Input ......................................................................................... 255
12.5.5. Image Input ................................................................................................. 256
12.5.6. Key Generation Input ................................................................................... 256
12.5.7. nsHcertificateRequest (Token Key) Input ....................................................... 256
12.5.8. nsNcertificateRequest (Token User Key) Input ............................................... 256
12.5.9. Subject DN Input ......................................................................................... 256
12.5.10. Subject Name Input .................................................................................... 256
12.5.11. Submitter Information Input ......................................................................... 257
12.6. Output Reference ................................................................................................... 257
12.6.1. Certificate Output ......................................................................................... 257
12.6.2. PKCS #7 Output .......................................................................................... 257
12.6.3. CMMF Output .............................................................................................. 257
12.7. Defaults Reference ................................................................................................. 258
12.7.1. Authority Info Access Extension Default ........................................................ 258
ix
12.7.2. Authority Key Identifier Extension Default ...................................................... 259
12.7.3. Basic Constraints Extension Default .............................................................. 260
12.7.4. CRL Distribution Points Extension Default ..................................................... 261
12.7.5. Extended Key Usage Extension Default ........................................................ 263
12.7.6. Freshest CRL Extension Default ................................................................... 264
12.7.7. Issuer Alternative Name Extension Default .................................................... 266
12.7.8. Key Usage Extension Default ....................................................................... 267
12.7.9. Name Constraints Extension Default ............................................................. 268
12.7.10. Netscape Certificate Type Extension Default ................................................ 272
12.7.11. Netscape Comment Extension Default ......................................................... 272
12.7.12. No Default Extension .................................................................................. 272
12.7.13. OCSP No Check Extension Default ............................................................. 272
12.7.14. Policy Constraints Extension Default ........................................................... 273
12.7.15. Policy Mappers Extension Default ............................................................... 274
12.7.16. Signing Algorithm Default ........................................................................... 274
12.7.17. Subject Alternative Name Extension Default ................................................. 275
12.7.18. Subject Directory Attributes Extension Default .............................................. 277
12.7.19. Subject Key Identifier Extension Default ...................................................... 278
12.7.20. Subject Name Default ................................................................................ 278
12.7.21. Token Supplied Subject Name Default ......................................................... 279
12.7.22. User Supplied Extension Default ................................................................. 279
12.7.23. User Supplied Key Default .......................................................................... 280
12.7.24. User Signing Algorithm Default ................................................................... 281
12.7.25. User Supplied Subject Name Default ........................................................... 281
12.7.26. User Supplied Validity Default ..................................................................... 281
12.7.27. Validity Default ........................................................................................... 281
12.8. Constraints Reference ............................................................................................. 282
12.8.1. Basic Constraints Extension Constraint ......................................................... 282
12.8.2. Extended Key Usage Extension Constraint .................................................... 283
12.8.3. Extension Constraint .................................................................................... 283
12.8.4. Key Constraint ............................................................................................. 283
12.8.5. Key Usage Extension Constraint ................................................................... 283
12.8.6. No Constraint .............................................................................................. 285
12.8.7. Netscape Certificate Type Extension Constraint ............................................. 285
12.8.8. Signing Algorithm Constraint ......................................................................... 285
12.8.9. Subject Name Constraint .............................................................................. 285
12.8.10. Unique Subject Name Constraint ................................................................ 286
12.8.11. Validity Constraint ....................................................................................... 286
13. Revocation and CRLs 287
13.1. Revocation ............................................................................................................. 287
13.1.1. SSL Client Authenticated Revocation ............................................................ 287
13.1.2. Certificate Revocation Forms ........................................................................ 287
13.2. CMC Revocation .................................................................................................... 288
13.2.1. Setting up CMC Revocation ......................................................................... 288
13.2.2. Testing CMC Revoke ................................................................................... 289
13.3. About CRLs ............................................................................................................ 289
13.3.1. Reasons for Revoking a Certificate ............................................................... 290
13.3.2. Publishing CRLs .......................................................................................... 291
13.3.3. CRL Issuing Points ...................................................................................... 291
13.3.4. Delta CRLs .................................................................................................. 291
13.3.5. How CRLs Work .......................................................................................... 291
Administration Guide
x
13.4. Issuing CRLs .......................................................................................................... 292
13.4.1. Configuring Issuing Points ............................................................................ 294
13.4.2. Configuring CRLs for Each Issuing Point ....................................................... 295
13.4.3. Setting CRL Extensions ................................................................................ 299
13.5. Setting Full and Delta CRL Schedules ..................................................................... 300
13.5.1. Configuring Extended Updated Intervals for CRLs in the Console .................... 301
13.5.2. Configuring Extended Updated Intervals for CRLs in CS.cfg ............................ 302
14. Publishing 303
14.1. About Publishing ..................................................................................................... 303
14.1.1. About Publishers .......................................................................................... 303
14.1.2. About Mappers ............................................................................................ 303
14.1.3. About Rules ................................................................................................. 304
14.1.4. Publishing to Files ........................................................................................ 304
14.1.5. LDAP Publishing .......................................................................................... 304
14.1.6. OCSP Publishing ......................................................................................... 305
14.1.7. How Publishing Works ................................................................................. 305
14.2. Setting up Publishing .............................................................................................. 306
14.3. Publishers .............................................................................................................. 307
14.3.1. Configuring Publishers for Publishing to a File ............................................... 307
14.3.2. Configuring Publishers for Publishing to OCSP .............................................. 309
14.3.3. Configuring Publishers for LDAP Publishing ................................................... 311
14.4. Mappers ................................................................................................................. 312
14.4.1. Configuring Mappers .................................................................................... 312
14.5. Rules ..................................................................................................................... 316
14.5.1. Modifying Publishing Rules for Certificates and CRLs ..................................... 317
14.6. Enabling Publishing ................................................................................................ 321
14.6.1. Publishing Cross-Pair Certificates ................................................................. 323
14.7. Testing Publishing to Files ....................................................................................... 323
14.8. Viewing Certificates and CRLs Published to File ....................................................... 325
14.9. Configuring the Directory for LDAP Publishing .......................................................... 325
14.9.1. Schema ....................................................................................................... 325
14.9.2. Entry for the CA ........................................................................................... 326
14.9.3. Bind DN ...................................................................................................... 327
14.9.4. Directory Authentication Method .................................................................... 327
14.10. Updating Certificates and CRLs in a Directory ........................................................ 327
14.10.1. Manually Updating Certificates in the Directory ............................................. 328
14.10.2. Manually Updating the CRL in the Directory ................................................. 329
14.11. Registering and Deleting Mapper and Publisher Plug-in Modules .............................. 329
14.12. Module Reference ................................................................................................. 330
14.12.1. Publisher Plug-in Modules .......................................................................... 330
14.12.2. Mapper Plug-in Modules ............................................................................ 333
14.12.3. Rule Instances ........................................................................................... 339
15. Authentication for Enrolling Certificates 343
15.1. Enrollment Overview ............................................................................................... 343
15.1.1. The Authentication Process .......................................................................... 343
15.2. Agent-Approved Enrollment ..................................................................................... 344
15.2.1. Configuring Agent-Approved Enrollment ........................................................ 344
15.3. Automated Enrollment ............................................................................................. 344
15.3.1. Setting up Directory-Based Authentication ..................................................... 345
15.3.2. Setting up PIN-based Enrollment .................................................................. 346
xi
15.4. Setting up CMC Enrollment ..................................................................................... 350
15.4.1. Setting up the Server for Multiple Requests in a Full CMC Request .................. 351
15.4.2. Testing CMCEnroll ....................................................................................... 352
15.5. Certificate-Based Enrollment ................................................................................... 352
15.5.1. Setting up Certificate-Based Enrollment ......................................................... 353
15.6. Testing Enrollment .................................................................................................. 354
15.7. Managing Authentication Plug-ins ............................................................................ 355
16. User and Group Authorization 357
16.1. About Authorization ................................................................................................. 357
16.1.1. How Authorization Works ............................................................................. 357
16.1.2. Default Groups ............................................................................................ 357
16.2. Creating Users ....................................................................................................... 360
16.3. Setting up a Trusted Manager ................................................................................. 361
16.4. Modifying Certificate System User Entries ................................................................ 364
16.4.1. Changing a Certificate System User's Login Information ................................. 364
16.4.2. Changing a Certificate System User's Certificate ............................................ 365
16.4.3. Changing Members in a Group ..................................................................... 365
16.4.4. Deleting a Certificate System User ................................................................ 365
16.5. Creating a New Group ............................................................................................ 366
16.6. Authorization for Certificate System Users ................................................................ 367
16.6.1. Access Control Lists (ACLs) ......................................................................... 367
16.6.2. Access Control Instructions (ACIs) ................................................................ 367
16.6.3. Changing Privileges ..................................................................................... 367
16.6.4. How ACIs Are Formed ................................................................................. 367
16.6.5. Editing ACLs ................................................................................................ 370
16.7. ACL Reference ....................................................................................................... 372
16.7.1. certServer.acl.configuration ........................................................................... 372
16.7.2. certServer.admin.certificate ........................................................................... 373
16.7.3. certServer.admin.request.enrollment .............................................................. 373
16.7.4. certServer.auth.configuration ......................................................................... 374
16.7.5. certServer.ca.certificate ................................................................................ 374
16.7.6. certServer.ca.certificates ............................................................................... 375
16.7.7. certServer.ca.configuration ............................................................................ 375
16.7.8. certServer.ca.connector ................................................................................ 376
16.7.9. certServer.ca.clone ....................................................................................... 376
16.7.10. certServer.ca.crl ......................................................................................... 377
16.7.11. certServer.ca.directory ................................................................................ 377
16.7.12. certServer.ca.group .................................................................................... 377
16.7.13. certServer.ca.ocsp ...................................................................................... 378
16.7.14. certServer.ca.profiles .................................................................................. 378
16.7.15. certServer.ca.profile .................................................................................... 378
16.7.16. certServer.ca.requests ................................................................................ 379
16.7.17. certServer.ca.request.enrollment ................................................................. 379
16.7.18. certServer.ca.request.profile ........................................................................ 380
16.7.19. certServer.ca.systemstatus .......................................................................... 380
16.7.20. certServer.ee.certificate .............................................................................. 380
16.7.21. certServer.ee.certificates ............................................................................. 381
16.7.22. certServer.ee.certchain ............................................................................... 381
16.7.23. certServer.ee.crl ......................................................................................... 382
16.7.24. certServer.ee.profile .................................................................................... 382
16.7.25. certServer.ee.profiles .................................................................................. 382
Administration Guide
xii
16.7.26. certServer.ee.facetofaceenrollment .............................................................. 383
16.7.27. certServer.ee.request.enrollment ................................................................. 383
16.7.28. certServer.ee.request.facetofaceenrollment .................................................. 383
16.7.29. certServer.ee.request.ocsp .......................................................................... 384
16.7.30. certServer.ee.request.revocation ................................................................. 384
16.7.31. certServer.ee.requestStatus ........................................................................ 384
16.7.32. certServer.general.configuration .................................................................. 385
16.7.33. certServer.job.configuration ......................................................................... 385
16.7.34. certServer.kra.certificate.transport ................................................................ 386
16.7.35. certServer.kra.configuration ......................................................................... 386
16.7.36. certServer.kra.connector ............................................................................. 387
16.7.37. certServer.kra.key ....................................................................................... 387
16.7.38. certServer.kra.keys ..................................................................................... 387
16.7.39. certServer.kra.request ................................................................................. 388
16.7.40. certServer.kra.requests ............................................................................... 388
16.7.41. certServer.kra.request.status ....................................................................... 388
16.7.42. certServer.kra.systemstatus ........................................................................ 389
16.7.43. certServer.log.configuration ......................................................................... 389
16.7.44. certServer.log.configuration.SignedAudit.expirationTime ................................ 390
16.7.45. certServer.log.configuration.fileName ........................................................... 390
16.7.46. certServer.log.content.SignedAudit .............................................................. 391
16.7.47. certServer.log.content ................................................................................. 391
16.7.48. certServer.ocsp.ca ...................................................................................... 392
16.7.49. certServer.ocsp.cas .................................................................................... 392
16.7.50. certServer.ocsp.certificate ........................................................................... 392
16.7.51. certServer.ocsp.configuration ...................................................................... 393
16.7.52. certServer.ocsp.crl ...................................................................................... 393
16.7.53. certServer.profile.configuration .................................................................... 393
16.7.54. certServer.publisher.configuration ................................................................ 394
16.7.55. certServer.registry.configuration ................................................................... 395
16.7.56. certServer.usrgrp.administration .................................................................. 395
17. Automated Notifications 397
17.1. About Automated Notifications ................................................................................. 397
17.1.1. Types of Automated Notifications .................................................................. 397
17.1.2. Determining End-Entity Email Addresses ....................................................... 397
17.2. Setting Up Automated Notifications .......................................................................... 398
17.2.1. Configuring Specific Notifications by Editing the Configuration File ................... 399
17.2.2. Testing Configuration .................................................................................... 400
17.3. Customizing Notification Messages .......................................................................... 401
17.3.1. Notification Message Templates .................................................................... 402
17.3.2. Token Definitions .......................................................................................... 403
18. Automated Jobs 405
18.1. About Automated Jobs ............................................................................................ 405
18.1.1. Setting up Automated Jobs ........................................................................... 405
18.1.2. Types of Automated Jobs ............................................................................. 405
18.2. Setting up the Job Scheduler .................................................................................. 406
18.2.1. Enabling and Configuring the Job Scheduler .................................................. 406
18.3. Setting up Specific Jobs .......................................................................................... 407
18.3.1. Configuring Specific Jobs Using the Certificate Manager Console .................... 408
18.3.2. Configuring Jobs by Editing the Configuration File .......................................... 410
xiii
18.3.3. Configuration Parameters of requestInQueueNotifier ...................................... 410
18.3.4. Configuration Parameters of publishCerts ...................................................... 411
18.3.5. Configuration Parameters of unpublishExpiredCerts ....................................... 412
18.3.6. Frequency Settings for Automated Jobs ........................................................ 413
18.4. Managing Job Plug-ins ............................................................................................ 414
18.4.1. Registering or Deleting a Job Module ............................................................ 414
19. Configuring the Certificate System for High Availability 417
19.1. High Availability Overview ....................................................................................... 417
19.1.1. Architecture of a Failover System ................................................................. 417
19.1.2. Load Balancing ............................................................................................ 418
19.2. Cloning Preparation ................................................................................................ 418
19.2.1. Diagnostics .................................................................................................. 419
19.3. Testing the Cloned Configuration ............................................................................. 419
19.4. Clone-Master Conversion ........................................................................................ 420
19.4.1. Converting a Master CA into a Cloned CA ..................................................... 421
19.4.2. Converting a Cloned CA into a Master CA ..................................................... 422
19.4.3. Converting a Master OCSP into a Cloned OCSP .......................................... 423
19.4.4. Converting a Cloned OCSP into a Master OCSP .......................................... 423
A. Certificate and CRL Extensions 425
A.1. Introduction to Certificate Extensions ......................................................................... 425
A.1.1. Structure of Certificate Extensions .................................................................. 426
A.1.2. Sample Certificate Extensions ........................................................................ 427
A.2. Note on Object Identifiers ......................................................................................... 428
A.3. Standard X.509 v3 Certificate Extensions .................................................................. 429
A.3.1. authorityInfoAccess ........................................................................................ 429
A.3.2. The authorityKeyIdentifier ............................................................................... 430
A.3.3. basicConstraints ............................................................................................ 431
A.3.4. certificatePolicies ........................................................................................... 431
A.3.5. CRLDistributionPoints .................................................................................... 431
A.3.6. extKeyUsage ................................................................................................. 432
A.3.7. issuerAltName Extension ............................................................................... 433
A.3.8. keyUsage ...................................................................................................... 433
A.3.9. nameConstraints ........................................................................................... 435
A.3.10. OCSPNocheck ............................................................................................ 435
A.3.11. policyConstraints .......................................................................................... 435
A.3.12. policyMappings ............................................................................................ 436
A.3.13. privateKeyUsagePeriod ................................................................................ 436
A.3.14. subjectAltName ........................................................................................... 436
A.3.15. subjectDirectoryAttributes ............................................................................. 437
A.3.16. subjectKeyIdentifier ...................................................................................... 437
A.4. Introduction to CRL Extensions ................................................................................. 438
A.4.1. Structure of CRL Extensions .......................................................................... 438
A.4.2. Sample CRL and CRL Entry Extensions ......................................................... 439
A.5. Standard X.509 v3 CRL Extensions .......................................................................... 439
A.5.1. Extensions for CRLs ...................................................................................... 440
A.5.2. CRL Entry Extensions .................................................................................... 446
A.6. Netscape-Defined Certificate Extensions ................................................................... 448
A.6.1. netscape-cert-type ......................................................................................... 448
A.6.2. netscape-comment ........................................................................................ 448
B. Introduction to Public-Key Cryptography 449
Administration Guide
xiv
B.1. Internet Security Issues ............................................................................................ 449
B.2. Encryption and Decryption ........................................................................................ 450
B.2.1. Symmetric-Key Encryption ............................................................................. 450
B.2.2. Public-Key Encryption .................................................................................... 451
B.2.3. Key Length and Encryption Strength ............................................................... 452
B.3. Digital Signatures ..................................................................................................... 452
B.4. Certificates and Authentication .................................................................................. 453
B.4.1. A Certificate Identifies Someone or Something ................................................ 453
B.4.2. Authentication Confirms an Identity ................................................................. 454
B.4.3. How Certificates Are Used ............................................................................. 457
B.4.4. Single Sign-on ............................................................................................... 459
B.4.5. Contents of a Certificate ................................................................................ 460
B.4.6. How CA Certificates Establish Trust ............................................................... 462
B.5. Managing Certificates ............................................................................................... 467
B.5.1. Issuing Certificates ........................................................................................ 467
B.5.2. Certificates and the LDAP Directory ................................................................ 468
B.5.3. Key Management .......................................................................................... 468
B.5.4. Revoking Certificates ..................................................................................... 469
Glossary 471
Index 485
xv
About This Guide
This guide explains how to install, configure, and maintain the Red Hat Certificate System and how to
use it for issuing and managing certificates to end entities such as web browsers, users, servers, and
virtual private network (VPN) clients.
1. Who Should Read This Guide
This guide is intended for experienced system administrators planning to deploy the Certificate
System. Certificate System agents should refer to the Certificate System Agent's Guide for information
on how to perform agent tasks, such as handling certificate requests and revoking certificates.
2. Recommended Knowledge
Before reading this guide, be familiar with the following concepts:
• Intranet, extranet, and Internet security and the role of digital certificates in a secure enterprise,
including the following topics:
• Encryption and decryption
• Public keys, private keys, and symmetric keys
• Significance of key lengths
• Digital signatures
• Digital certificates, including different types of digital certificates
• The role of digital certificates in a public-key infrastructure (PKI)
• Certificate hierarchies
• LDAP and Red Hat Directory Server
• Public-key cryptography and the Secure Sockets Layer (SSL) protocol, including the following:
• SSL cipher suites
• The purpose of and major steps in the SSL handshake
3. What Is in This Guide
This guide contains the following elements:
• Chapter 1, Overview lists Certificate System features, an overview of how the Certificate System
works, an architectural overview of Certificate System, and lists the standards used in the product.
• Chapter 2, Installation and Configuration provides step-by-step installation instructions.
• Chapter 3, Administrative Basics provides information and procedures for performing configuration
that is common to all subsystems such as using the administrative console, starting and stopping
the server, viewing and setting logs, and running self-tests.
About This Guide
xvi
• Chapter 4, Certificate Manager provides information and instructions for configuring the Certificate
Manager and an overview of the configuration options.
• Chapter 5, Online Certificate Status Protocol Responder provides information and instructions for
configuring an Online Certificate Status Manager.
• Chapter 6, Data Recovery Manager provides information and an overview of the configuration
options for a Data Recovery Manager.
• Chapter 7, Token Processing System describes managing tokens on smart cards through the Token
Processing System (TPS).
• Chapter 8, Token Key Service provides an overview of the Token Key Service (TKS), which
manages the master keys required set up a secure communication channel between the TPS and
the client.
• Chapter 9, Enterprise Security Client provides an overview of the Enterprise Security Client, a
cross-platform client for end users to register and manage keys and certificates on smart cards and
tokens.
• Chapter 10, Managing Certificates provides information on requesting, installing, and managing
certificates.
• Chapter 11, Managing Tokens provides information on managing user certificates using smart cards.
• Chapter 12, Certificate Profiles provides information and procedures for configuring profiles.
• Chapter 13, Revocation and CRLs provides information and procedures for configuring CRLs and
revoking certificates.
• Chapter 14, Publishing provides information and procedures for publishing certificates.
• Chapter 16, User and Group Authorization provides information and procedures for setting up
access control lists (ACL) that define authorization, creating users, and assigning users to groups to
give them the privileges defined by the group ACLs.
• Chapter 15, Authentication for Enrolling Certificates provides information and procedures for setting
up various authentication methods to automate certificate enrollment.
• Chapter 17, Automated Notifications provides information and procedures for configuring
notifications.
• Chapter 18, Automated Jobs provides information and procedures for configuring jobs.
• Chapter 19, Configuring the Certificate System for High Availability provides information about
clones and configuring the Certificate System for failover support.
• Appendix A, Certificate and CRL Extensions provides general information about certificate and CRL
extensions.
• Appendix B, Introduction to Public-Key Cryptography provides general information about public-key
cryptography.
Examples and Formatting
xvii
4. Examples and Formatting
All of the examples for Red Hat Certificate System commands, file locations, and other usage are
given for Red Hat Enterprise Linux 5 systems. Be certain to use the appropriate commands and files
for your platform.
To start the Red Hat Certificate System:
/etc/init.d/rhpki-ca start
Example 1. Example Command
All of the tools for Red Hat Certificate System are located in the /usr/bin directory. These tools can
be run from any location without specifying the tool location.
There is another important consideration with the LDAP utilities. The LDAP tools referenced in
this guide are Mozilla LDAP, installed with Red Hat Certificate System in the /usr/dir/mozldap
directory on Red Hat Enterprise Linux.
However, Red Hat Enterprise Linux systems also include LDAP tools from OpenLDAP in the /usr/
bin directory. It is possible to use the OpenLDAP commands as shown in the examples, but you must
use the -x argument to disable SASL, which OpenLDAP tools use by default.
Certain words are represented in different fonts, styles, and weights. Different character formatting is
used to indicate the function or purpose of the phrase being highlighted.
Formatting Style Purpose
Monospace font Monospace is used for commands, package names, files and
directory paths, and any text displayed in a prompt.
Monospace
with a
background
This type of formatting is used for anything entered or returned
in a command prompt.
Italicized text Any text which is italicized is a variable, such as
instance_name or hostname. Occasionally, this is also used to
emphasize a new term or other phrase.
Bolded text Most phrases which are in bold are application names, such as
Cygwin, or are fields or options in a user interface, such as a
User Name Here: field or Save button.
Other formatting styles draw attention to important text.
NOTE
A note provides additional information that can help illustrate the behavior of the system or
provide more detail for a specific issue.
IMPORTANT
Important information is necessary, but possibly unexpected, such as a configuration
change that will not persist after a reboot.
About This Guide
xviii
WARNING
A warning indicates potential data loss, as may happen when tuning hardware for
maximum performance.
5. Additional Reading
The Certificate System Administrator's Guide describes how to set up, configure, and administer the
Certificate System subsystems and how to configure backend certificate management functions, such
as publishing and logging. The Administrator's Guide also describes how to configure subsystems to
relate to one another to manage certificates and tokens and how to manage certificates and tokens;
this guide is targeted for Certificate System administrators.
The Certificate System Agent's Guide describes how agents — users responsible for processing
certificate requests and managing other aspects of certificate management — can use the Certificate
System subsystems web services pages to process certificate requests, key recovery, OCSP requests
and CRLs, and other functions.
The documentation for Certificate System includes the following guides:
• Certificate System Administrator's Guide explains all administrative functions for the Certificate
System, such as adding users, creating and renewing certificates, managing smart cards, publishing
CRLs, and modifying subsystem settings like port numbers.
• Certificate System Agent's Guide details how to perform agent operations for the CA, RA, DRM, and
TPS subsystems through the Certificate System agent services interfaces.
• Certificate System Command-Line Tools Guide covers the command-line scripts supplied with Red
Hat Certificate System.
• Managing Smart Cards with the Enterprise Security Client explains how to install, configure, and use
the Enterprise Security Client, the user client application for managing smart cards, user certificates,
and user keys.
• Certificate System Migration Guides cover version-specific procedures for migrating from older
versions of Certificate System to Red Hat Certificate System 7.2.
• Release Notes contains important information on new features, fixed bugs, known issues and
workarounds, and other important deployment information for Red Hat Certificate System 7.2.
Additional Certificate System information is provided in the Certificate System SDK, an online
reference to HTTP interfaces, javadocs, samples, and tutorials related to Certificate System. A
downloadable zip file of this material is available for user interaction with the tutorials.
For the latest information about Red Hat Certificate System, including current release notes, complete
product documentation, technical notes, and deployment information, see http://www.redhat.com/docs/
manuals/cert-system/.
6. Giving Feedback
If there is any error in this Administrator's Guide or there is any way to improve the documentation,
please let us know. Bugs can be filed against the documentation for Red Hat Certificate System
Document History
xix
through Bugzilla, http://bugzilla.redhat.com/bugzilla. Make the bug report as specific as possible, so
we can be more effective in correcting any issues:
• Select the Red Hat Certificate System product.
• Set the component to Doc - administration-guide.
• Set the version number to 7.2.
• For errors, give the page number (for the PDF) or URL (for the HTML), and give a succinct
description of the problem, such as incorrect procedure or typo.
For enhancements, put in what information needs to be added and why.
• Give a clear title for the bug. For example, "Incorrect command example for setup
script options" is better than "Bad example".
We appreciate receiving any feedback — requests for new sections, corrections, improvements,
enhancements, even new ways of delivering the documentation or new styles of docs. You are
welcome to contact Red Hat Content Services directly at docs@redhat.com.
7. Document History
Revision 7.2.7 August 25, 2009 Ella Deon Lackey
Rewrote the section on issuing delta and full CRLs, per Bugzilla #510132.
Changed PK12Export to pk12util in the cloning configuration overview, per Bugzilla #519058.
Revision 7.2.5 February 22, 2009 Ella Deon Lackey dlackey@redhat.com
Removed all references to certificate renewal, per Bugzilla #325361 and #433360.
Corrected error about custom logs, per Bugzilla #449847.
Minor edits for the term "policy," per Bugzilla #472598.
Revision 7.2.6 February 27, 2009 Ella Deon Lackey dlackey@redhat.com
Removed incorrect note about useing certutil to process a certificate request, per Bugzilla #241972.
Revision 7.2.5 February 22, 2009 Ella Deon Lackey dlackey@redhat.com
Removed all references to certificate renewal, per Bugzilla #325361 and #433360.
Corrected error about custom logs, per Bugzilla #449847.
Minor edits for the term "policy," per Bugzilla #472598.
Revision 7.2.4 January 14, 2009 Ella Deon Lackey dlackey@redhat.com
Updates per Errata RHSA 2000:0006.
Added information for using the GET method to post OCSP requests and a section for debug logging
for Errata RHSA 2008:0577.
Expanding and clarifying the process for configuring symmetric key changeover and adding a new
parameter to use to configure it, per Bugzilla 245267.
Added information for sending OCSP request information to the debug log; added new debug log
description, per Bugzilla 243939.
Added information for sending OCSP requests through GET, per Bugzilla 238514, 308161, and
249229.
Changing URI parameter for certificate extensions to URINAME.
Removed an incorrect reference to a plug-in for the Enterprise Security Client.
Revision 7.2.3 August 11, 2008 Ella Deon Lackey dlackey@redhat.com
About This Guide
xx
Edited to token management sections per Bugzilla 455345.
Revision 7.2.2 July 3, 2008 Ella Deon Lackey dlackey@redhat.com
Added information for configuring client authentication, per Bugzilla 236253.
Added information that there can be CRLs can be updated at multiple preset times, per Bugzilla
439547.
Revision 7.2.1 July 1, 2008 Ella Deon Lackey dlackey@redhat.com
Changes to the User Supplied Extension Default section for Erratum RHSA 2008:0500.
Corrected TPS logging levels and clarified the log levels section, per Bugzilla 248370.
Clarified regular expression description.
Corrected TPS delimiter example, per Bugzilla 246031.
Corrected uninstall example, per Bugzilla 224453.
Removed references to DSA and changed them to RSA, per Bugzilla 224697.
Removed references to ECC, per Bugzilla 304141.
Revision 7.2.0 November 7, 2006 Ella Deon Lackey dlackey@redhat.com
Initial draft.
Chapter 1.
1
Overview
This chapter provides an overview of Red Hat Certificate System, a highly configurable set of software
components and tools for creating, deploying, and managing certificates. Based on open standards for
certificate management, Certificate System provides a complete, customizable, robust, scalable, and
high-performance certificate management solution for public-key infrastructure (PKI), extranets, and
intranets.
1.1. Features
This section discusses the Certificate System features.
1.1.1. Subsystems
The Certificate System is installed on each host running a Certificate System subsystem. The
subsystems on that host are then installed with a default configuration covering basic administrative
tasks like logging and containing configurable, subsystem-specific plug-in modules. More than one
subsystem can be installed on each host, or multiple instances of one subsystem can be installed on
the same host or on different hosts.
The Certificate System has five highly-configurable subsystems, which provide flexibility in designing
the PKI. The five subsystems that comprise Certificate System are as follows:
• The Certificate Manager is the subsystem that provides Certificate Authority functionality for issuing,
revoking, and publishing certificates and creating and publishing CRLs. See Chapter 4, Certificate
Manager for details.
• The Online Certificate Status Manager is an optional subsystem that provides OCSP responder
services, which means it stored CRLs for CAs and can distribute the load for verifying certificate
status. See Chapter 5, Online Certificate Status Protocol Responder for details.
• The Data Recovery Manager (DRM) is an optional subsystem that provides private encryption key
storage and retrieval. See Chapter 6, Data Recovery Manager for details.
• The Token Key Service (TKS) manages one or more master keys required to set up secure
channels directly to the token management system. The privileged operations such as key
generation can only be requested on the tokens through a secure channel.
• The Token Processing System (TPS) provides the registration authority functionality in the token
management infrastructure and establishes secure channels between the Enterprise Security Client
and the back-end subsystems. See Chapter 7, Token Processing System for more information on
using the TPS to manage tokens.
The subsystems are highly integrated with each other depending on the deployment scenario and use.
OCSP and CA instances work together for CRL publishing and certificate verification. CA and DRM
instances work together for key recovery and archival. Smart card tokens, which processed through
a user interface called the Enterprise Security Client, are managed by the TPS. The TPS, however,
is configured to work with at least two essential subsystem instances, a TKS to generate keys and
a CA to process token operations. A TPS can also be configured to use a DRM for server-side key
generation and key archival and recovery.
Chapter 1. Overview
2
1.1.2. Interfaces
Each of the subsystems contains interfaces for interaction with various portions of the subsystem. The
CA, DRM, OCSP, and TKS subsystems have an administrative console to manage and configure the
subsystem itself, such as adding users and certificates and viewing logs. The CA, OCSP, DRM, and
TPS subsystems have an agent interface specific to that subsystem which allows agents to perform
the tasks assigned to them. A Certificate Manager has an end-entity services interface for end entities
to enroll in the PKI.
Note
Not all subsystems have all types of interfaces. The TKS subsystem does not have an
agent interface. The TPS subsystem does not have an administrative console, but rather
has administrative functions that are accessible through the HTML agent services page.
Only a CA has an end-entities page.
The three types of interfaces are described as follows:
• Administrative Interface - The administrative interface, a Java™ application called the Console,
provides a GUI interface for performing administrative tasks and configuring plug-in modules. This
interface is similar for subsystems. The administrative interface requires user ID and password
authentication and can be configured for SSL certificate-based authentication.
• Agent Services Interface - The agent services interface is a customizable HTML interface used to
perform agent tasks, such as editing and approving requests for issuing or revoking certificates. The
agent services interface for a CA, DRM, OCSP, and TPS are specific to those subsystems.
• End-Entity Services Interface - The end-entity interface is a customizable HTML interface used
by end entities to enroll in the PKI, request certificates, revoke certificates, and pick up issued
certificates. It contains forms for different types of enrollments and for enrolling different types of end
entities. The Certificate Manager has an end-entity services interface; the other subsystems do not.
1.1.3. Logging
The Certificate System and each subsystem produce extensive system and error logs that record
system events so that the systems can be monitored and debugged. All log records are stored in
the local file system for quick retrieval. Logs are configurable, so logs can be created for specific
types of events and at the desired logging level. Custom logs can be created using the CS SDK. See
Section 3.9, “Logs” for details.
1.1.3.1. Signing Logs
Certificate System allows logs to be signed digitally before archiving them or distributing them
for auditing. This feature enables log files to be checked for tampering after being signed. See
Section 3.9.10, “Signing Log Files” for details.
1.1.4. Auditing
The Certificate System maintains audit logs for all events, such as requesting, issuing and revoking
certificates and publishing CRLs. These logs are then signed. This allows authorized access or activity
to be detected. An outside auditor can then audit the system if required. The assigned auditor user
account is the only account which can view the signed audit logs. This user's certificate is used to
Self-Tests
3
sign and encrypt the logs. Audit logging is configured to specify the events that are logged. See
Section 3.9.13, “Signed Audit Log” for details.
1.1.5. Self-Tests
The Certificate System provides the framework for system self-tests that are automatically run at
startup and can be run on demand. A set of configurable self-tests are already included with the
Certificate System, and additional self-tests can be created through the CS SDK. See Section 3.10,
“Self-Tests” for details.
1.1.6. Authorization
Certificate System users can be assigned to groups, and they then have the privileges of whichever
group they are members. A user only has privileges for the instance of the subsystem in which the
user is created and the privileges of the group to which the user is a member.
The Certificate System provides an authorization framework for creating groups and assigning access
control to those groups. The default access control on preexisting groups can be modified, and access
control can be assigned to individual users and IP addresses. Access points for authorization have
been created for the major portions of the system, and access control rules can be set for each point.
Additional access points and access control lists (ACLs) can be created through the CS SDK.
The Certificate System is configured by default with four user types with different access levels to the
system:
• Administrators , who can perform any administrative or configuration task.
• Agents , who can edit and approve requests.
• Auditors , who can view and configure audit logs.
• Trusted managers , which are subsystems with trusted relationship with another subsystem.
Additionally, when a security domain is created, the CA subsystem which hosts the domain is
automatically granted the role of Security Domain Administrator, which gives the subsystem the
ability to manage the security domain and the subsystem instances within it. Other security domain
administrator roles can be created for the different subsystem instances. These roles are described in
Section 4.4.2, “Security Domain Roles”.
1.1.7. Security-Enhanced Linux Support
Security-enhanced Linux, or SELinux, is a collection of mandatory access control rules which are
enforced across a system to restrict unauthorized access and tampering. These mandatory access
controls limit users and applications to the lowest amount of access possible for them to operate.
Processes or applications, such as CGIs, may have special policies in place to enable them to run
under the restricted access rules.
The Certificate System is able to run under SELinux configuration, which enhances the security of
the information created and maintained by the Certificate System. All Certificate System subsystems
can be installed and run with SELinux policies fully enforced. By default, the Certificate System
subsystems run unconfined by SELinux policies.
Chapter 1. Overview
4
1.1.8. Authentication
Certificate System provides authentication options for certificate enrollment. These include agentapproved enrollment, in which an agent processes the request, and automated enrollment, in which
an authentication method is used to authenticate the end entity and then the CA automatically issues
a certificate. CMC enrollment is also supported, which automatically processes a request approved by
an agent.
1.1.9. Certificate Issuance
The Certificate System supports enrolling and issuing certificates and processing certificate requests
from a variety of end entities, such as web browsers, servers, and virtual private network (VPN)
clients. Issued certificates conform to X.509 version 3 standards.
The Certificate Manager can issue certificates with the following characteristics:
• Certificates that are X.509 version 3-compliant
• Unicode support for the certificate subject name and issuer name
• Support for empty certificate subject names
• Support for customized subject name components
• Support for customized extensions
Additionally, smart cards can have certificates enrolled and maintained through the Enterprise Security
Client. The Enterprise Security Client communicates directly with the TPS system, which, in turn,
processes requests through the CA and DRM subsystems. Certificates are generated automatically
when the token is first formatted, and all additional certificates belonging to the user can be imported
onto the token. For more information about certificates being issued through the Enterprise Security
Client, see the Certificate System Enterprise Security Client Guide, which is available at http://
redhat.com/docs/manuals/cert-system/. For information about configuring subsystems to manage
smart cards, see Chapter 7, Token Processing System.
1.1.10. Certificate Profiles
The Certificate System uses certificate profiles to configure the content of the certificate, the
constraints for issuing the certificate, the enrollment method used, and the input and output forms for
that enrollment. A single certificate profile is associated with issuing a particular type of certificate.
A set of certificate profiles is included for the most common certificate types; the profile settings
can be modified. Certificate profiles are configured by an administrator, and then sent to the agent
services page for agent approval. Once a certificate profile is approved, it is enabled for use. A
dynamically-generated HTML form for the certificate profile is used in the end-entities page for
certificate enrollment, which calls on the certificate profile. The server verifies that the defaults and
constraints set in the certificate profile are met before acting on the request and uses the certificate
profile to determine the content of the issued certificate.
Additional certificate profile plug-in modules can be created using the CS SDK. See Chapter 12,
Certificate Profiles for details.
CRLs
5
1.1.11. CRLs
The Certificate System can create certificate revocation lists (CRLs) from a configurable framework
which allows user-defined issuing points so a CRL can be created for each issuing point. Delta
CRLs can also be created for any issuing point that is defined. CRLs can be issued for each type of
certificate or for a specific subset of a type of certificate. The extensions used and the frequency and
intervals when CRLs are published can all be configured.
The Certificate Manager issues X.509-standard CRLs. A CRL can be automatically updated whenever
a certificate is revoked or at specified intervals. See Chapter 13, Revocation and CRLs for details.
1.1.12. Publishing
Certificates can be published to files and an LDAP directory, and CRLs to files, an LDAP directory, and
an OCSP responder. The publishing framework provides a robust set of tools to publish to all three
places and to set rules to define with more detail which types of certificates or CRLs are published
where. The default publishing modules can be enabled and configured, or additional publishing plug-in
modules can be created using the CS SDK. See Chapter 14, Publishing for details.
1.1.13. Notifications
The notification feature sets up automated messages when a particular event occurs, such as when
a certificate is issued or revoked. The notification framework comes with default modules that can be
enabled and configured, or additional notification plug-in modules can be created using the CS SDK.
See Chapter 17, Automated Notifications for details.
1.1.14. Jobs
The jobs feature sets up automated jobs that run at defined intervals. The default jobs can be enabled
and configured, or additional jobs plug-in modules can be created using the CS SDK. See Chapter 18,
Automated Jobs for details.
1.1.15. Dual Key Pairs
The Certificate System supports generating dual key pairs, separate key pairs for signing and
encrypting email messages and other data. To support separate key pairs for signing and encrypting
data, dual certificates are generated for end entities, and the encryption keys are archived. If a client
makes a certificate request for dual key pairs, the server issues two separate certificates.
1.1.16. HSMs and Crypto Accelerators
The Certificate System supports hardware security modules (HSMs) and crypto accelerators provided
by third-party vendors of PKCS #11-compliant tokens.
The server can be configured to use different PKCS #11 modules to generate and store key pairs
(and certificates) for all Certificate System subsystems � CA, DRM, OCSP, TKS, and TPS. PKCS #11
hardware devices also provide key backup and recovery features for the information stored on the
hardware token. Refer to the PKCS #11 vendor documentation for information on retrieving keys from
the tokens.
Chapter 1. Overview
6
1.1.17. Support for Open Standards
The Certificate System supports open standards and protocols so that its subsystems can
communicate across a heterogeneous computing environment. Some of the standards and areas
which the Certificate System supports include the following:
• Formulates, signs, and issues industry-standard X.509 version 3 public-key certificates; version 3
certificates include extensions that make it easy to include organization-defined attributes. These
certificates are used for extranet and Internet authentication.
• Supports the RSA public-key algorithm for signing and encryption, and the MD2, MD5, SHA-1,
SHA-256, and SHA-512 algorithms for hashing.
• Supports signature key lengths of up to 4096 bits for RSA.
• Supports multiple message formats, such as KEYGEN/SPAC, CRMF/CMMF, and PKCS #10 and
CMC for certificate requests. All requests are delivered to the Certificate System over HTTP or
HTTPS.
• Supports certificate formats for SSL-based client and server authentication, secure Multipurpose
Internet Mail Extensions (S/MIME) message signing and encryption, and VPN clients.
• Supports generating and publishing CRLs conforming to X.509 version 1 and 2.
• Publishes certificates and CRLs to any LDAP-compliant directory over LDAP and HTTP/HTTPS
connections.
• Publishes certificates and CRLs to a flat file for importing into other resources. For example, the
sample code for Flat File CRL and certificate publisher can be customized to store certificates and
CRLs in an Oracle RDBMS.
• Publishes CRLs to an online validation authority (or OCSP responder) for real-time certificate
verification by OCSP-compliant clients.
1.1.18. Java SDK Extension Mechanism for Customization
The Java™ software development kit (SDK) provided with the Certificate System includes APIs and
tutorials for customizing different aspects of the system. The following modules can be customized
and created:
• Authentication
• Authorization
• Logs
• Certificate Profiles
• Jobs
• Mapper and publisher classes
How the Certificate System Works
7
1.2. How the Certificate System Works
The Certificate System manages certificates through a flexible, scalable system for issuing and
publishing certificates; creating and publishing CRLs; and providing key storage and retrieval
capabilities.
The Certificate Manager is the central point of the Certificate System; this subsystem accepts
requests, generates and manages certificates, and generates and manages CRLs and revoked
certificates. The Online Certificate Status Manager handles validity requests for certificates issued by
the Certificate Manager, informing clients whether the certificate is still in effect and valid or has been
revoked or expired. The Data Recovery Manager (DRM) stores keys and certificates and can recover
the keys if a token is lost or damaged, so that encrypted information can still be accessed. The Token
Key Service and Token Processing System work together to manage tokens which contain the userspecific keys and certificates.
The following sections describe the subsystems in more detail.
1.2.1. About the Certificate Manager
The Certificate Manager subsystem provides the capability of a Certificate Authority (CA). It can issue,
revoke, and publish certificates, as well as compile and publish CRLs. Since the Certificate Manager
acts as a CA, it can be configured as a self-signing CA, where it is the root CA, or it can act as a
subordinate CA, where it obtains its signing certificate from another CA.
1.2.1.1. Certificate Manager Flexibility and Scalability
Multiple CAs can be configured to form a vertical or horizontal chain of CAs. A vertical hierarchy
has a root CA (that is either self-signing or subordinate to a public CA) and then one or more CAs
subordinate to this root CA. The subordinate CAs can have more CAs below them, forming a chain of
CAs. A horizontal arrangement has a CA which is duplicated, or cloned, so that two CAs are set up in
an identical manner and use the same CA signing certificate but issue certificates from a different set
of serial numbers.
The different possible Certificate Manager deployments provide flexibility to the PKI through the
following features:
• Configuration as either a root or subordinate CA
• High-availability cloning to allow CAs with identical functionality, keys, and certificates to issue
certificates with different sets of serial numbers.
1.2.1.1.1. Root or Subordinate CA
The Certificate System CA can function as a root CA, meaning that the server signs its own CA
signing certificate as well as other CA signing certificates, creating an organization-specific CA
hierarchy. The server can alternatively be configured as a subordinate CA, meaning the server's CA
signing key is signed by another CA in an existing CA hierarchy. See Section 2.1.3, “Self-Signed Root
CA or Subordinate CA” for details.
1.2.1.1.2. Linked CA
The Certificate System Certificate Manager can function as a linked CA, chaining up to many thirdparty or public CAs for validation; this provides cross-company trust, so applications can verify
Chapter 1. Overview
8
certificate chains outside the company certificate hierarchy. A Certificate Manager is chained to a thirdparty CA by requesting the Certificate Manager's CA signing certificate from the third-party CA.
1.2.1.1.3. CA Cloning
Instead of creating a hierarchy of root and subordinate CAs, it is possible to create multiple clones of
a Certificate Manager and configure each clone to issue certificates that fall within a distinct range of
serial numbers. Because clone CAs and original CAs use the same CA signing key and certificate to
sign the certificates they issue, the issuer name in all the certificates is the same. Clone CAs and the
original Certificate Managers issue certificates as if they are a single CA. These servers can be placed
on different hosts for high availability failover support. See Chapter 19, Configuring the Certificate
System for High Availability for information on configuring clones for failover in a Certificate System
system.
1.2.1.2. Cross-Pair Certificates
It is possible to create a trusted relationship between two separate CAs by issuing and storing crosssigned certificates between these two CAs. By using cross-signed certificate pairs, certificates issued
outside the organization's PKI can be trusted within the system.
1.2.1.3. Certificate Manager Functionality
The Certificate Manager issues and revokes certificates when it receives signed requests. These
requests can come from its own agents (users who are assigned privileges to approve enrollment
and revocation requests) or from a third-party application that uses its agent certificate (this agent
certificate must be set up for CMC enroll or revoke with the Certificate Manager).
The Certificate Manager also compiles lists of revoked certificates, called certificate revocation lists
(CRLs), that it can publish to files, an LDAP directory, or an OCSP service.
The Certificate Manager maintains a database of issued certificates and processed requests, so that it
can track expiration and revocation.
1.2.1.4. Types of Certificates
Certificate System can issue and manage the following certificates:
• CA signing certificates
• OCSP signing certificates
• Cross-signed pair certificates
• SSL server certificates
• VPN client certificates
• End user certificates
This list is not comprehensive; many other types of certificates can be issued by the Certificate
System.
How the Certificate Manager Works
9
1.2.1.5. Revocation and CRLs
Revoking certificates can be initiated either by an agent or by the end user. An administrator can also
revoke the certificates of any of the subsystems or agents.
The Certificate System also supports CMC revocation. When the CMCAuth plug-in is enabled, CMC
enrollment and CMC revocation are both enabled. CMC revocation sends signed revocation requests
that are automatically processed.
The Certificate System can create certificate revocation lists (CRLs) that it can publish to files, an
LDAP directory, or to an OCSP responder. It is also possible to create CRLs through certificate issuing
points, which allows more than one CRL to be defined by the issuing point. Lastly, creating delta CRLs
creates a list which contains only the certificates that were revoked since the last CRL was produced.
See Chapter 13, Revocation and CRLs for details.
1.2.2. How the Certificate Manager Works
The next sections describe the different operations of the Certificate Manager and the associated
processes and configuration settings.
1.2.2.1. Accepting Enrollment Requests
The Certificate Manager server has an end-entities page with the forms for different types of
certificates and users. This interface can be customized to limit the forms that are available, change
the appearance of the pages, or add or delete fields. Certificate requests that come through the
Certificate Managers end-entities page are processed by the Certificate Manager. If it is an agentapproved enrollment, an agent of the Certificate Manager must approve the request. If it is an
automated enrollment, the request is approved if the end entity supplies the correct information and
authenticates successfully.
1.2.2.2. Authentication Methods
Authentication plug-ins set up automated enrollment and configure the methods for the end entity
to authenticate itself. For agent-approved enrollment, the agent approves the request by default.
Each end-entity form is associated with a particular authentication method which is configured in the
certificate profile, either one of the automated methods or the agent-approved method. The Certificate
Manager processes the request according to the method associated with the form.
1.2.2.3. Processing Requests
When the Certificate Manager processes requests from its end-entities page, it first considers the
authentication method. If it is an agent-approved authentication method, the request is queued in
the agent services interface where it awaits agent approval. The agent can change some aspects of
the certificate that will be issued and can approve, deny, or change the status of the request. For an
automated enrollment, the CA authenticates the user and continues processing the request.
The Certificate Manager next evaluates the request to ensure that it meets the certificate profile set for
this type of enrollment.
Certificate profiles connect an authentication method and certificate type to a set of constraints and
certificate content definitions (defaults). A single module can be configured for a type of certificate
to use a specific authentication method and set constraints for the certificate, as well as defining the
Chapter 1. Overview
10
certificate content. The default certificate profiles can be modified and new custom modules created.
See Chapter 12, Certificate Profiles for details.
If the policies in the certificate profile are not met, the request is rejected. If they are met, the certificate
is issued.
1.2.2.4. Creating Certificates
The Certificate Manager issues certificates when it receives signed requests either from agents (users
who are assigned privileges to approve enrollment and revocation requests) or from a third-party
application that is set up for CMC enroll with the Certificate Manager.
The Certificate Manager creates the certificate using the information in the request and from the
certificate profile that are set.
1.2.2.5. Publishing Certificates
Certificates can be published to a file, an LDAP directory, or OCSP responder. Configuring publishing
sets rules to determine which certificates are published using which method and where they are
published. See Chapter 14, Publishing for details.
1.2.2.6. Key Archival
If a CA is configured with a DRM, then the private keys are archived in the DRM during certificate
enrollment. See Chapter 6, Data Recovery Manager for details.
1.2.2.7. Storing Certificate Requests and Certificates
When it issues a certificate, the Certificate Manager stores both the certificate and the certificate
request in its internal database.
1.2.2.8. Revoking Certificates
End entities can submit certificate revocation requests in the end-entities page if they lose their private
key or if their certificate has been compromised. When an end entity requests a revocation, the
request is sent to the agent services interface for agent approval.
An agent can revoke a certificate if the owner of the certificate is unwilling or unable to do so.
When the certificate is revoked, it is marked revoked in the internal database and in the publishing
system. The certificate is added to the certificate revocation list (CRL) produced by the Certificate
Manager. See Chapter 13, Revocation and CRLs for details.
1.2.2.9. CRLs
Whenever a certificate is revoked, any CRLs that are set up are edited and updated in the internal
database. It is published to a file, an LDAP directory, or an OCSP responder, if these services have
been set up. The CA can be configured to issue CRLs and define CRL issuing points that define which
certificates go into each CRL.
CRL configuration grants flexibility to define which CRL is published where, the extensions contained
in a CRL, and the frequency and intervals when a CRL are published. Publishing delta CRLs
publishes a list of only those certificates that have been revoked since a certain date. See Chapter 13,
Revocation and CRLs for details.
Loading...