Red Hat CERTIFICATE SYSTEM 7.2 - AGENT GUIDE, CERTIFICATE SYSTEM 7.2 User Manual

Red Hat Certificate System Agent Guide 7.2
Copyright © 2006 Red Hat, Inc. This manual is for agents of Certificate System subsystems. This guide explains the different agent services interfaces for
the Certificate System subsystems and details the agent operations which can be performed. This information is used to manage and maintain certificates and keys for users in the PKI deployment.
Red Hat, Inc.
1801 Varsity Drive Raleigh, NC 27606-2072 USA Phone: +1 919 754 3700 Phone: 888 733 4281 Fax: +1 919 754 3701 PO Box 13588 Research Triangle Park, NC 27709 USA
Documentation-Deployment Copyright © 2006 by Red Hat, Inc. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, V1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/). Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. Distribution of the work or derivative of the work in any standard (paper) book form for commercial purposes is prohibited unless prior permission is obtained from the copyright holder.
Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat, Inc. in the United States and other countries. All other trademarks referenced herein are the property of their respective owners.
The GPG fingerprint of the security@redhat.com key is: CA 20 86 86 2B D6 9D FC 65 F6 EC C4 21 91 80 CD DB 42 A6 0E
Table of Contents
About This Guide ............................................................................................................................... vi
1. Who Should Read This Guide ................................................................................................... vi
2. Required Concepts .................................................................................................................. vi
3. What Is in This Guide .............................................................................................................. vi
4. Conventions Used in This Guide ................................................................................................ vi
5. Documentation ...................................................................................................................... vii
1. Agent Services ................................................................................................................................ 1
1. Overview of Certificate System .................................................................................................. 1
2. Agent Tasks ............................................................................................................................ 3
2.1. Certificate Manager Agent Services .................................................................................. 3
2.2. Data Recovery Manager Agent Services ............................................................................ 5
2.3. Online Certificate Status Manager Agent Services ............................................................... 5
2.4. TPS Agent Services ....................................................................................................... 6
3. Forms for Performing Agent Operations ....................................................................................... 8
4. Accessing Agent Services .........................................................................................................10
2. CA: Working with Certificate Profiles ................................................................................................12
1. About Certificate Profiles .........................................................................................................12
1.1. Profile Definition .........................................................................................................12
1.2. Categories of Certificate Profiles .....................................................................................12
2. Basic Profile Operations for an Agent .........................................................................................12
3. List of Certificate Profiles ........................................................................................................13
3.1. Example Profile ...........................................................................................................14
4. How Certificate Profiles Work ..................................................................................................16
5. Enabling and Disabling Certificate Profiles ..................................................................................17
5.1. Getting Certificate Profile Information .............................................................................17
5.2. End User Certificate Profile ............................................................................................17
5.3. Policy Information ........................................................................................................17
5.4. Approving a Certificate Profile .......................................................................................17
5.5. Disapproving a Certificate Profile ....................................................................................17
3. CA: Handling Certificate Requests .....................................................................................................19
1. Managing Requests .................................................................................................................19
2. Listing Certificate Requests ......................................................................................................20
2.1. Selecting a Request .......................................................................................................22
2.2. Searching Requests .......................................................................................................23
3. Approving Requests ................................................................................................................24
4. Sending an Issued Certificate to the Requester ..............................................................................25
4. CA: Finding and Revoking Certificates ...............................................................................................28
1. Basic Certificate Listing ...........................................................................................................28
2. Advanced Certificate Search .....................................................................................................29
3. Examining Certificates .............................................................................................................33
4. Revoking Certificates ..............................................................................................................34
4.1. Searching for Certificates to Revoke ................................................................................34
4.2. Revoking One or More Certificates ..................................................................................35
4.2.1. Revoking One Certificate ....................................................................................35
4.2.2. Revoking Multiple Certificates .............................................................................36
4.2.3. Confirming a Revocation ....................................................................................36
5. Managing the Certificate Revocation List ....................................................................................38
5.1. Viewing or Examining CRLs ..........................................................................................38
5.2. Updating the CRL ........................................................................................................38
5. CA: Publishing to a Directory ...........................................................................................................40
1. Automatic Directory Updates ....................................................................................................40
2. Manual Directory Updates ........................................................................................................40
6. DRM: Recovering Encrypted Data .....................................................................................................42
1. List Requests .........................................................................................................................42
2. Finding and Recovering Keys ...................................................................................................43
2.1. Finding Archived Keys ..................................................................................................43
2.2. Recovering Keys ..........................................................................................................46
7. OCSP: Agent Services .....................................................................................................................49
1. Listing CAs Identified by the OCSP ...........................................................................................49
2. Identifying a CA to the OCSP ...................................................................................................49
3. Adding a CRL to the OCSP ......................................................................................................51
4. Checking the Revocation Status of a Certificate ............................................................................52
8. TPS: Agent Services ........................................................................................................................54
1. Basic Operations for an Agent and Administrator ..........................................................................54
2. Adding Tokens .......................................................................................................................54
3. Managing Tokens ...................................................................................................................55
3.1. Changing Token Status ..................................................................................................56
3.2. Editing the Token .........................................................................................................58
3.3. Listing Token Certificates ..............................................................................................58
3.4. Conflicting Token Certificate Status Information ................................................................59
3.5. Showing Token Activities ..............................................................................................59
4. Listing and Searching Certificates ..............................................................................................60
5. Searching Token Activities .......................................................................................................61
6. Administrator Operations .........................................................................................................62
6.1. Showing Token Activities ..............................................................................................63
6.2. Editing the Token .........................................................................................................63
6.3. Deleting the Token .......................................................................................................64
Index ...............................................................................................................................................65
About This Guide
This guide describes the agent services interfaces used by Red Hat Certificate System agents to administer subsystem certificates and keys and other management operations.
1. Who Should Read This Guide
This guide is intended for Certificate System agents, privileged users designated by the Certificate System administrator to manage requests from end entities for certificate-related services. Each installed Certificate System subsystem, namely the Certificate Manager, Data Recovery Manager (DRM), Online Certificate Status Manager, Token Key Service (TKS), and Token Processing System (TPS), can have multiple agents.
2. Required Concepts
Before reading this guide, be familiar with the basic concepts of public-key cryptography and the Secure Sockets Layer (SSL) protocol, including the following topics:
Encryption and decryption
Public keys, private keys, and symmetric keys
Digital signatures
The role of digital certificates in a public-key infrastructure (PKI)
Certificate hierarchies
SSL cipher suites
The purpose of and major steps in the SSL handshake
3. What Is in This Guide
This guide describes the duties of the agents for the different Certificate System subsystems and explains basic usage and tasks.
Chapter 1, Agent Services
Chapter 2, CA: Working with Certificate Profiles
Chapter 3, CA: Handling Certificate Requests
Chapter 4, CA: Finding and Revoking Certificates
Chapter 5, CA: Publishing to a Directory
Chapter 6, DRM: Recovering Encrypted Data
Chapter 7, OCSP: Agent Services
Chapter 8, TPS: Agent Services
Table 1. List of Chapters
4. Conventions Used in This Guide
The following conventions are used in this guide:
Monospaced font is used for any text that appears on the computer screen, commands that the user inputs, filenames, functions, and examples. For example:
cd /var/lib/rhpki-ca/
Italics are used for emphasis, variables, book titles, glossary terms, and when a phrase is first used. For example: This control depends on the access permissions the super user has set for the user.
Square brackets ([]) enclose commands that are optional. For example:
PrettyPrintCert input_file [output_file]
input_file specifies the path to the file that contains the base-64 encoded certificate. output_file specifies the path to the file to write the certificate. This argument is optional; if an output file is not specified, the certificate information is written to the standard output.
A forward slash (/) is used to separate directories in a path. For example: Almost all command-line utilities are in the /usr/bin directory.
Notes and Cautions
Note and Caution boxes indicate important information to be considered before performing tasks.
Note
A note contains information that may be of interest.
Caution
A caution signals a potential risk of losing data, damaging software or hardware, or otherwise disrupting system performance.
5. Documentation
The Certificate System documentation also contains the following manuals:
Certificate System Administration Guide explains all administrative functions for the Certificate System, such as adding users, creating and renewing certificates, managing smart cards, publishing CRLs, and modifying subsystem settings like port numbers.
Certificate System Command-Line Tools Guide provides detailed information on Certificate System tools such as pkicreate, tksTool, and other Certificate System-specific utilities used to manage Certificate System instances.
Certificate System Enterprise Security Client Guide explains how to install, configure, and use the Enterprise Security Client, the user client application for managing smart cards, user certificates, and user keys.
Certificate System Migration Guide provides detailed migration information for migrating all parts and subsystems of previous versions of Certificate System to Red Hat Certificate System 7.2.
Additional Certificate System information is provided in the CS SDK, which contains an online reference to HTTP interfaces, javadocs, samples, and tutorials related to the Certificate System. A downloadable zip file of this material is available for user interaction with the tutorials.
For the latest information about the Certificate System, including current release notes, complete product documentation, technical notes, and deployment information, visit the Red Hat Certificate System documentation page:
http://www.redhat.com/docs/manuals/cert-system/
Chapter 1. Agent Services
This chapter describes the role of the privileged users, agents, in managing Certificate System subsystems. It also introduces the tools that agents use to administer service requests.
1. Overview of Certificate System
Certificate System is a highly configurable set of software components and tools for creating, deploying, and managing certificates. The standards and services that facilitate the use of public-key cryptography and X.509 version 3 certificates in a networked environment are collectively called the public-key infrastructure (PKI) for that environment. In any PKI, a certificate authority (CA) is a trusted entity that issues, renews, and revokes certificates. An end entity is a person, server, or other entity that uses a certificate to identify itself.
To participate in a PKI, an end entity must enroll, or register, in the system. The end entity typically initiates enrollment by giving the CA some form of identification and a newly generated public key. The CA uses the information provided to authenticate, or confirm, the identity, then issues the end entity a certificate that associates that identity with the public key and signs the certificate with the CA's own private signing key.
End entities and CAs may be in different geographic or organizational areas or in completely different organizations. CAs may include third parties that provide services through the Internet as well as the root CAs and subordinate CAs for individual organizations. Policies and certificate content may vary from one organization to another. End-entity enrollment for some certificates may require physical verification, such as an interview or notarized documents, while enrollment for others may be fully automated.
To meet the widest possible range of configuration requirements, the Certificate System permits independent installation of five separate subsystems, or managers, that play distinct roles:
Certificate Manager. A Certificate Manager functions as a root or subordinate CA. This subsystem issues, renews, and revokes certificates and generates certificate revocation lists (CRLs). It can publish certificates, files, and CRLs to an LDAP directory, to files, and to an Online Certificate Status Protocol (OCSP) responder. The Certificate Manager can process requests manually (with agent action) or automatically (based on customizable profiles). Publishing tasks can be performed by the Certificate Manager only. The Certificate Manager also has a built-in OCSP service, enabling OCSP-compliant clients to query the Certificate Manager directly about the revocation status of a certificate that it has issued. In certain PKI deployments, it might be convenient to use the Certificate Manager's built-in OCSP service, instead of an Online Certificate Status Manager.
Since CAs can delegate some responsibilities to subordinate CAs, a Certificate Manager might share its load among one or more levels of subordinate Certificate Managers. Additionally, subsystems can be cloned; the clone uses the same keys and certificates as the master, so, essentially, the master and clones all function as a single CA. Many complex deployment scenarios are possible.
Data Recovery Manager. A Data Recovery Manager (DRM) oversees the long-term archival and recovery of private encryption keys for end entities. A Certificate Manager or a Token Processing System (TPS) can be configured to archive end entities' private encryption keys with a DRM as part of the process of issuing new certificates.
The DRM is useful only if end entities are encrypting data, using applications such as S/MIME email, that the organization may need to recover someday. It can be used only with client software that supports dual key pairs: two separate key pairs, one for encryption and one for digital signatures. Also, it is possible to do server-side key generation using the TPS server when enrolling smart cards.
NOTE
The DRM archives encryption keys. It does not archive signing keys, since archiving signing keys would undermine the non-repudiation properties of dual-key certificates.
Online Certificate Status Manager. An Online Certificate Status Manager works as an online certificate validation authority and allows OCSP-compliant clients to verify certificates' current status. The Online Certificate Status Manager can receive CRLs from multiple Certificate Managers; clients then query the Online Certificate Status Manager for the revocation status of certificates issued by all the Certificate Managers. For example, in a PKI comprising multiple CAs (a root CA and many subordinate CAs), each CA can be configured to publish its CRL to the Online Certificate Status Manager, allowing all clients in the PKI deployment to verify the revocation status of a certificate by querying a single Online Certificate Status Manager.
NOTE
An online certificate-validation authority is often referred to as an OCSP responder.
Token Key Service. The Token Key Service (TKS) manages the master and transport keys required to generate and distribute keys for smart cards. The TKS provides security between tokens and the TPS because it protects the integrity of the master key and token keys.
Token Processing System. The Token Processing System (TPS) acts as a registration authority for authenticating and processing smart card enrollment requests, PIN reset requests, and formatting requests from the Enterprise Security Client.
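The enrollment flow described above (the end entity generates a key pair and submits its identity with the public key; the CA authenticates the identity and signs) together with the Certificate Manager's issue, revoke and CRL tasks, carried end to end as an added example that is not part of this guide or of Certificate System. It uses Go's standard crypto/x509 package as a stand-in for the Certificate Manager and for a relying party; the CA name, the end-entity identity, serial numbers and validity periods are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts the demo on failures that should never happen (key generation, DER encoding).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// NewCA plays the Certificate Manager: a self-signed root allowed to sign certificates and CRLs.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}
// Enroll is the end-entity side: generate a key pair and build a CSR carrying the claimed
// identity and the new public key. The private key stays with the end entity; only the CSR goes to the CA.
func Enroll(commonName string) (*ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	return key, must(x509.CreateCertificateRequest(rand.Reader, req, key))
}
// Issue is the CA side once an agent approves: verify the CSR's self-signature (proof of possession), bind identity to key, sign.
func Issue(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, serial int64) (*x509.Certificate, error) {
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("rejecting request: proof of possession failed: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(90 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey))
	return must(x509.ParseCertificate(der)), nil
}
// SignCRL is the "Update CRL" task: a revocation reaches relying parties only once the CA signs and publishes a CRL listing the serial.
func SignCRL(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, number int64, revoked []*big.Int) []byte {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: entries}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, caCert, caKey))
}
// Status is the relying-party check: validate the chain to the CA, verify the CRL's signature and freshness, then look the serial up.
func Status(cert, caCert *x509.Certificate, crlDER []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "invalid", err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "unknown", err
	}
	if err := crl.CheckSignatureFrom(caCert); err != nil {
		return "unknown", err // never act on a CRL the CA did not sign
	}
	if time.Now().After(crl.NextUpdate) {
		return "unknown", fmt.Errorf("CRL expired at %s; fetch a fresh one", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "revoked", nil
		}
	}
	return "good", nil
}
// Lifecycle runs enroll, issue, check, revoke, CRL update, check again; it returns both statuses.
func Lifecycle() (before, after string, err error) {
	caCert, caKey := NewCA("Demo Certificate Manager") // constructed names, not a real deployment
	_, csr := Enroll("alice@example.test")
	cert := must(Issue(caCert, caKey, csr, 2))
	if before, err = Status(cert, caCert, SignCRL(caCert, caKey, 1, nil)); err != nil {
		return "", "", err
	}
	after, err = Status(cert, caCert, SignCRL(caCert, caKey, 2, []*big.Int{cert.SerialNumber}))
	return before, after, err
}
func main() { fmt.Println(Lifecycle()) }
```

Running it prints "good revoked <nil>": the certificate is good against the first CRL and revoked only after the CA signs a new CRL, which is why the agent's manual CRL update matters when a revocation must take effect promptly.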
Three kinds of users can access Certificate System subsystems: administrators, agents, and end entities. Administrators are responsible for the initial setup and ongoing maintenance of the subsystems. Administrators can designate users with special privileges, agents, for each subsystem. Agents manage day-to-day interactions with end entities, which can be users or servers and clients, and other aspects of the PKI. End entities must access a Certificate Manager subsystem to enroll for certificates in a PKI deployment and for certificate maintenance, such as renewal or revocation.
Figure 1.1, “The Certificate System and Users” shows the ports used by administrators, agents, and end entities. All agent and administrator interactions with Certificate System subsystems occur over HTTPS. End-entity interactions can take place over HTTP or HTTPS.
Figure 1.1. The Certificate System and Users
2. Agent Tasks
The designated agents for each subsystem are responsible for the everyday management of end-entity requests and other aspects of the PKI:
Certificate Manager agents manage certificate requests received by the Certificate Manager subsystem, maintain and revoke certificates as necessary, and maintain global information about certificates.
DRM agents initiate the recovery of lost keys and can obtain information about key service requests and archived keys.
NOTE
Recovering lost or archived key information is done automatically in smart card deployments because the TPS server is a DRM agent. Smart cards are marked as lost in the TPS agent page, and then another smart card is later used to recover the old encryption keys automatically during certificate enrollment.
Online Certificate Status Manager agents can perform tasks such as checking which CAs are currently configured to publish their CRLs to the Online Certificate Status Manager, identifying a Certificate Manager to the Online Certificate Status Manager, adding CRLs directly to the Online Certificate Status Manager, and viewing the status of OCSP service requests submitted by OCSP-compliant clients.
TPS agents can view smart card enrollment and formatting activities, list tokens from the token database, edit token information, delete tokens from the token database, and mark tokens as permanently lost, temporarily lost, or damaged.
There is no direct TKS agent interface for TKS agents to interact with the system. However, configured TKS agents are capable of providing the secure communications channel through the TPS server required for smart card operations through the token management system. The allowed smart card operations are similar to those for TPS agents.
The privileged operations of an agent are performed through the Certificate System agent services pages. For a user to access these pages, the user must have a personal SSL client certificate and have been identified as a privileged user in the user database by the Certificate System administrator. For more information on creating privileged users, see the Certificate System Administration Guide.
Section 2.1, “Certificate Manager Agent Services”
Section 2.2, “Data Recovery Manager Agent Services”
Section 2.3, “Online Certificate Status Manager Agent Services”
Section 2.4, “TPS Agent Services”
2.1. Certificate Manager Agent Services
The default entry page for Certificate Manager agent services is shown in Figure 1.2, “Certificate Manager Agent Services Page”. Only designated Certificate Manager agents, with a valid certificate in their client software, are allowed to access these pages.
Figure 1.2. Certificate Manager Agent Services Page
A Certificate Manager agent performs the following tasks:
Handling certificate requests. An agent can list the certificate service requests received by the Certificate Manager subsystem, assign requests, reject or cancel requests, and approve requests for certificate enrollment. See Chapter 3, CA: Handling Certificate Requests.
Finding certificates. Certificates can be searched individually or searched and listed by different criteria. The details for all returned certificates are then displayed. See Chapter 4, CA: Finding and Revoking Certificates.
Revoking certificates. If a user's key is compromised, the certificate must be revoked to ensure that the key is not misused. Certificates belonging to users who have left the organization may also need to be revoked. Certificate Manager agents can find and revoke a specific certificate or a set of certificates. Users can also request that their own certificates be revoked. See Section 4, “Revoking Certificates”.
Updating the CRL. The Certificate Manager maintains a public list of revoked certificates, called the certificate revocation list (CRL). The list is usually maintained automatically, but, when necessary, the Certificate Manager agent services page can be used to update the list manually. See Section 5.2, “Updating the CRL”.
Publishing certificates to a directory. The Certificate System can be configured to publish certificates and CRLs to an LDAP directory. This information is usually published automatically, but the Certificate Manager agent services page can be used to update the directory manually. See Section 2, “Manual Directory Updates”.
Managing certificate profiles. The agent can enable and disable certificate profiles. A profile must be temporarily disabled so that an administrator can make changes to the profile itself through the administrative interface. Once the changes have been made, the agent can re-enable the profile for regular use. See Chapter 2, CA: Working with Certificate Profiles.
2.2. Data Recovery Manager Agent Services
The default entry page to the DRM agent services is shown in Figure 1.3, “Data Recovery Manager Agent Services Page”. Only designated DRM agents, with a valid certificate in their client software, are allowed to access these pages.
Figure 1.3. Data Recovery Manager Agent Services Page
A DRM agent performs the following tasks:
Listing key recovery requests from end entities.
Listing or searching for archived keys.
Recovering private data-encryption keys.
Authorizing and approving key recovery requests. Key recovery requires the authorization of one or more recovery agents. The DRM administrator designates recovery agents. Typically, several recovery agents are required to approve key recovery requests in the DRM, so DRM administrators should designate more than one agent.
For more information on these tasks, see Chapter 6, DRM: Recovering Encrypted Data.
2.3. Online Certificate Status Manager Agent Services
The default entry page to the Online Certificate Status Manager agent services is shown in Figure 1.4, “Online Certificate Status Manager Agent Services Page”. Only designated Online Certificate Status Manager agents, with a valid certificate in their client software, are allowed to access these pages.
Figure 1.4. Online Certificate Status Manager Agent Services Page
An Online Certificate Status Manager agent performs the following tasks:
Checking which CAs are currently configured to publish their CRLs to the Online Certificate Status Manager.
Identifying a Certificate Manager to the Online Certificate Status Manager.
Adding CRLs manually to the Online Certificate Status Manager.
Submitting requests for the revocation status of a certificate to the Online Certificate Status Manager.
For more information on these tasks, see Chapter 7, OCSP: Agent Services.
2.4. TPS Agent Services
The TPS agent services page allows operations by two types of users, both agents and administrators. The default entry page to the TPS agent services is shown in Figure 1.5, “TPS Agent Services Page”. Only designated TPS agents, with a valid certificate in their client software, are allowed to access these pages.
Figure 1.5. TPS Agent Services Page
A TPS agent performs the following tasks:
Listing and searching enrolled tokens by user ID or token CUID.
Listing and searching certificates associated with enrolled tokens.
Searching token operations by CUID.
Editing token information.
Setting the token status.
The TPS agent services page also has a tab to allow operations from TPS administrators.
Figure 1.6. TPS Administrator Operations Tab
A TPS administrator can perform the following tasks:
Listing and searching enrolled tokens by user ID or token CUID.
Editing token information, including the token owner's user ID.
Adding tokens.
Deleting tokens.
For more information about TPS agent and administrator tasks, see Chapter 8, TPS: Agent Services.
3. Forms for Performing Agent Operations
The agent services interfaces are form-based HTML pages that are part of the Certificate System installation. The Certificate System administrator designates users as agents for each installed subsystem (Certificate Manager, Data Recovery Manager, Online Certificate Status Manager, and TPS). Only a designated agent for a subsystem can use that subsystem's agent services interface. Additionally, the designated agents must have personal client SSL certificates loaded into their client software to access the agent services interface.
A subsystem agent with the proper certificates can access agent services forms through the agent services page to manage certificates. Table 1.1, “Forms Used for Agent Operations”, describes each of these HTML forms.
Form name: Description
List Requests (Certificate Manager): Used by Certificate Manager agents to examine, select, and process requests for certificate services. For instructions on using this form, see Section 2, “Listing Certificate Requests”.
List Certificates (Certificate Manager): Used by Certificate Manager agents to list certificates within a range of serial numbers; the list of returned certificates can be limited to valid certificates. For instructions on using this form, see Section 1, “Basic Certificate Listing”.
Search for Certificates (Certificate Manager): Used by Certificate Manager agents to search for and list Certificate System-issued certificates by subject name, certificate type, the state of the certificate (such as expired or revoked), and the dates when the certificate was issued, revoked, expired, or valid. For instructions on using this form, see Section 2, “Advanced Certificate Search”.
Revoke Certificates (Certificate Manager): Used by Certificate Manager agents to search for and revoke certificates issued by the Certificate System. For instructions on using this form, see Section 4, “Revoking Certificates”.
Update Revocation List (Certificate Manager): Used by Certificate Manager agents for manual updates of the published CRL. For instructions on using this form, see Section 5.2, “Updating the CRL”.
Update the Directory Server (Certificate Manager): Used by Certificate Manager agents to update the LDAP publishing directory with changes in certificate information, such as newly issued certificates and updated CRLs. For instructions on using this form, see Section 2, “Manual Directory Updates”.
Search for Requests: Used to search for requests filed by end-entities with the Certificate System. Search criteria include request ID range, request type, request status, and request owner. Searches are limited by two factors: the total time allowed for the search operation (in seconds) and the maximum number of results to display.
Display Revocation List: Used to view the current CRL. The display can be customized by the issuing point and display type. Clicking on the CRL number displays the time taken to generate this CRL, known as the CRL split time.
List Requests (DRM): Used by DRM agents to find and examine requests for key services. For instructions on using this form, see Section 1, “List Requests”.
Search for Keys (DRM): Used by DRM agents to find and list specific archived keys. For instructions on using this form, see Section 2, “Finding and Recovering Keys”.
Recover Keys (DRM): Used by DRM agents to find and recover specific archived keys. A key in the list returned by a search is selected and its recovery is initiated; the recovery must be authorized by designated key recovery agents. For instructions on using this form, see Section 2.2, “Recovering Keys”.
Authorize Recovery (DRM): Used to remotely authorize a key recovery request that was initiated by another DRM agent. For instructions on using this form, see Section 2.2, “Recovering Keys”.
List Certificate Authorities (Online Certificate Status Manager): Used to list Certificate Managers that are currently configured to publish their CRLs to the Online Certificate Status Manager. For instructions, see Section 1, “Listing CAs Identified by the OCSP”.
Add Certificate Authority (Online Certificate Status Manager): Used to identify a Certificate Manager to the Online Certificate Status Manager. For instructions, see Section 2, “Identifying a CA to the OCSP”.
Add Certificate Revocation List (Online Certificate Status Manager): Used to add a CRL to the Online Certificate Status Manager's internal database. For instructions, see Section 3, “Adding a CRL to the OCSP”.
Check Certificate Status (Online Certificate Status Manager): Used to check the status of OCSP service requests sent by OCSP-compliant clients. For instructions, see Section 4, “Checking the Revocation Status of a Certificate”.
Manage Certificate Profiles (CA): Used to enable and disable supported certificate profiles. Once a profile is disabled, the administrator can make changes to the profile by editing the profile configuration files or through the Console.
OCSP Service (CA): Used to manage the operation of the CA's internal OCSP service.
List Tokens (TPS): Used to list all the enrolled tokens; the list shows every token enrolled by the TPS and basic information about each token. See Section 3, “Managing Tokens”.
Search Tokens (TPS): Used to search for tokens by either the user ID of the user to whom the token was issued or the contextually unique ID (CUID) of the token. See Section 3, “Managing Tokens”.
List Certificates (TPS): Used to list all certificates on the token. See Section 4, “Listing and Searching Certificates”.
Search Certificates (TPS): Used to search for certificates stored on the tokens by either the user ID of the user to whom the certificate was issued or the contextually unique ID (CUID) of the token. See Section 4, “Listing and Searching Certificates”.
List Activities (TPS): Used to list all operations performed through the TPS. See Section 5, “Searching Token Activities”.
Search Activities (TPS): Used to search for operations performed through the TPS. The operations can only be searched by the contextually unique ID (CUID) of the token. See Section 5, “Searching Token Activities”.
Table 1.1. Forms Used for Agent Operations
4. Accessing Agent Services
Access to the agent services forms requires certificate-based authentication. Only users who authenticate with the correct certificate and who have been granted the proper access privilege can access and use the forms. Operations are performed over SSL, so the server connection uses HTTPS on the SSL agent port. The agent services URLs have the following format:
https://hostname:port/subsystem_type/agent/subsystem_type
If a CA is installed on a host named server.example.com running on port 9443, the agent services interface is opened using the following URL:
https://server.example.com:9443/ca/agent/ca
There is also a services page for each subsystem. The URL for the services page would be like the following:
https://server.example.com:9443/ca/services
The services page has links to all of the HTML pages for the subsystem, such as the agent and end-entities pages, as well as the admin page if the subsystem has not yet been configured.
Figure 1.7. Certificate Manager Services Page
NOTE
The services pages are written in HTML and are intended to be customized. This document describes the default pages. If an administrator has customized the agent services pages, those pages may differ from those described here. Check with the Certificate System administrator for information on the local installation.
Chapter 2. CA: Working with Certificate Profiles
A Certificate Manager agent is responsible for approving certificate profiles that have been configured by a Certificate System administrator. Certificate Manager agents also manage and approve certificate requests that come from profile-based enrollments.
1. About Certificate Profiles
1.1. Profile Definition
A certificate profile defines everything associated with issuing a certificate, including the authentication method, the certificate content (defaults), constraints for content values in the requested certificate type, and the contents of the input and output forms associated with the certificate profile.
1.2. Categories of Certificate Profiles
There are three categories of information that constitute a certificate profile:
Profile inputs. Profile inputs are parameters and values that are submitted to the CA when a certificate is requested. Profile inputs include public keys for the certificate request and the certificate subject name requested by the end entity for the certificate.
Profile policy sets. A certificate profile can have one or more policy sets, which are each defined by a set of defaults and constraints.
Profile defaults. Profile defaults are parameters and values defined by the CA administrator. Profile defaults include the authentication mechanism for the end-entity, how long the certificate is valid, and what certificate extensions appear for each type of certificate issued.
Profile constraints. Profile constraints are parameters and values that form the rules or policies for issuing certificates. Profile constraints include rules like requiring the certificate subject name to have at least one CN component, setting the validity of a certificate to a maximum of 360 days, or requiring that the subjectaltname extension always be set to true.
Profile outputs. Profile outputs are parameters and values that specify the format in which to issue the certificate to the end entity. Profile outputs include base-64 encoded files, CMMF responses, and PKCS #7 output, which also includes the CA chain.
2. Basic Profile Operations for an Agent
A CA agent reviews profile requests and takes any of the following actions:
Approves the certificate request, so the certificate is issued. The end entity then retrieves and uses the certificate.
Rejects the certificate request, so no certificate is issued. The end entity is notified that the request was rejected for whatever reasons are specified by the agent. The end entity can also view the request status on the CA's end-entities page.
Cancels the certificate request, so no certificate is issued. The end entity is notified that the request was rejected for whatever reasons are specified by the agent. The end entity can also view the request status on the CA's end-entities page.
Updates the certificate request. The agent has the authority to change the certificate request to ensure that the request follows the policies that have been set. For example, the agent may change the values for certificate extensions.
Validates the certificate request. Validation tests that the output of the request conforms to the constraints defined in the profile.
Assigns the certificate request, so that the certificate request is transferred from one agent to another for approval.
Unassigns the certificate request, which removes the certificate request from an agent's queue.
Enrollment requests are submitted to a certificate profile and are subject to the defaults and constraints set up in that certificate profile, regardless of whether the request was created from the input form associated with the certificate profile or the request was created elsewhere and submitted preformatted.
3. List of Certificate Profiles
The certificate profiles described here have been pre-defined and are ready to use when the Certificate System is installed. This set of certificate profiles has been pre-built for the most common types of certificates and provides standard defaults and constraints, the authentication methods, and the inputs and outputs common for these certificate profiles. It is possible to add more profiles or edit these profiles. An administrator can set up additional defaults and constraints using the CS SDK.
Profile ID (Profile Name): Description
caUserCert (Manual User Dual-Use Certificate Enrollment): This certificate profile is for enrolling user certificates.
caDualCert (Manual User Signing and Encryption Certificates Enrollment): This certificate profile is for enrolling dual user certificates.
caLogCert (Manual Log Signing Certificate Enrollment): This profile is for enrolling audit log signing certificates.
caTPSCert (Manual TPS Server Certificate Enrollment): This certificate profile is for enrolling TPS server certificates.
caServerCert (Manual Server Certificate Enrollment): This certificate profile is for enrolling server certificates.
caCAcert (Manual Certificate Manager Signing Certificate Enrollment): This certificate profile is for enrolling Certificate Manager certificates (CA signing certificates).
caOCSPCert (Manual OCSP Manager Signing Certificate Enrollment): This certificate profile is for enrolling OCSP Manager certificates (OCSP signing certificates).
caTransportCert (Manual Data Recovery Manager Transport Certificate Enrollment): This certificate profile is for enrolling DRM transport certificates.
caDirAuthCert (Directory-Authenticated User Dual-Use Certificate Enrollment): This certificate profile is for enrolling user certificates with directory-based authentication (LDAP authentication).
caAgentServerCert (Agent-Authenticated Server Certificate Enrollment): This certificate profile is for enrolling server certificates with agent authentication.
caAgentFileSigning (Agent-Authenticated File Signing): This certificate profile is for file signing with agent authentication.
caFullCMCCert (Signed CMC-Authenticated User Certificate Enrollment): This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC signature authentication; a full CMC request conforming to the RFC is expected.
caSimpleCMCCert (Simple CMC Enrollment Request for User Certificate): This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC signature authentication; a simple CMC request conforming to the RFC is expected.
caTokenUserEncryptionKeyEnrollment (Token User Encryption Certificate Enrollment): This certificate profile is for performing smart card-based enrollments initiated through the TPS server for encryption certificates.
caTokenUserSigningKeyEnrollment (Token User Signing Certificate Enrollment): This certificate profile is for performing smart card-based enrollments initiated through the TPS server for signing certificates.
Table 2.1. List of Certificate Profiles
3.1. Example Profile
An example caUserCert profile, as shipped with the server, is described here. A profile usually contains inputs, policy sets, and outputs. The default caUserCert certificate profile contains the following:
Profile description. This profile is for issuing user, or client, certificates.
Profile inputs.
Key generation. This sets that the key pair generation during the request submission is CRMF-based and 1024-bit. This is a read-only field.
Subject name. The subject name input is used when distinguished name (DN) parameters need to be collected from the user; the user DN can be used to create the subject name in the certificate. This input uses the following form fields:
UID. The user ID of the user in the LDAP directory.
Email. The email address of the user.
Common name. The name of the user.
Organizational unit. The organizational unit to which the user belongs.
Organization. The organization name.
Country. The country where the user is located.
Requester. This input uses the following form fields:
Requester name. The name of the certificate requester.
Requester email. The email address of the certificate requester.
Requester phone. The phone number of the certificate requester.
Profile policy sets. The different policy sets that are set by default on caUserCert are listed in Table 2.2, “caUserCert - Profile Policy Sets”.
set1 - SubjectName. Defaults: No defaults. Constraints: Subject name should match the regular expression of the form uid=.*.
set2 - Validity. Defaults: range = 180 days. Constraints: The range is less than 365 days. The notbefore and notafter date checks are turned off.
set3 - Key. Defaults: No defaults. Constraints: keytype = RSA (the key type should be RSA); keyminLength = 512 and keymaxLength = 4096 (the key length should be between 512 and 4096).
set4 - Authority Key Identifier. Defaults: No defaults. Constraints: No constraints.
set5 - AIA extension. Defaults: authinfoaccesscritical = false; authinfoaccessADMethod_0 = OID; authinfoaccessADLocationType_0 = URIName; authinfoaccessADEnable_0 = true; authinfoaccessADLocation_0 = (empty). Constraints: No constraints.
set6 - Key Usage. Defaults: Populates a Key Usage extension (2.5.29.15) to the request. The default values are Criticality=true, Digital Signature=true, Non-Repudiation=true, Key Encipherment=true, Data Encipherment=false, Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false. Constraints: Accepts the Key Usage extension, if present, only when the default values are set.
set7 - Extended Key Usage. Defaults: Populates an Extended Key Usage extension to the request. The default values are Criticality=false and OIDs=1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.4. Constraints: No constraints.
set8 - Subject Alt Name Constraint. Defaults: Populates a Subject Alternative Name extension (2.5.29.17) to the request. The default values are Criticality=false and Record #0{Pattern:$request.requester_email$,Pattern. Constraints: No constraints.
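As an added illustration, not part of this guide or of the Certificate System code, the following Python script models how the caUserCert policy-set defaults and constraints in Table 2.2 accept or reject a request: defaults are filled in first, then each constrained set is checked. The request dictionary layout, the function names and the sample requests are assumptions made for this example.

```python
import re

# Defaults and constraints transcribed from Table 2.2 (caUserCert). The request
# dictionary layout, the function names and the sample requests are this
# example's own assumptions, not Certificate System data structures.
SUBJECT_PATTERN = re.compile(r"uid=.*")          # set1 constraint
VALIDITY_DEFAULT_DAYS = 180                      # set2 default: range = 180 days
VALIDITY_MAX_DAYS = 365                          # set2 constraint: less than 365 days
KEY_MIN_LENGTH, KEY_MAX_LENGTH = 512, 4096       # set3 constraints
KEY_USAGE_DEFAULTS = {                           # set6 defaults (2.5.29.15)
    "Criticality": True, "Digital Signature": True, "Non-Repudiation": True,
    "Key Encipherment": True, "Data Encipherment": False, "Key Agreement": False,
    "Key Certificate Sign": False, "Key CRL Sign": False,
    "Encipher Only": False, "Decipher Only": False,
}
EKU_DEFAULTS = ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"]   # set7 defaults


def apply_defaults(request):
    """Return a copy of the request with the profile defaults filled in."""
    req = dict(request)
    req.setdefault("validity_days", VALIDITY_DEFAULT_DAYS)
    req.setdefault("key_usage", dict(KEY_USAGE_DEFAULTS))
    req.setdefault("ext_key_usage", list(EKU_DEFAULTS))
    return req


def check_constraints(request):
    """Return the constraint violations; an empty list means the request conforms."""
    req = apply_defaults(request)
    problems = []
    if not SUBJECT_PATTERN.match(req.get("subject", "")):
        problems.append("set1: subject name does not match uid=.*")
    # set2: only the range is constrained; notbefore/notafter checks are off.
    if not req["validity_days"] < VALIDITY_MAX_DAYS:
        problems.append("set2: validity range must be less than 365 days")
    if req.get("key_type") != "RSA":
        problems.append("set3: key type must be RSA")
    if not KEY_MIN_LENGTH <= req.get("key_length", 0) <= KEY_MAX_LENGTH:
        problems.append("set3: key length must be between 512 and 4096")
    # set6: a Key Usage extension is accepted only with exactly the default bits.
    if req["key_usage"] != KEY_USAGE_DEFAULTS:
        problems.append("set6: Key Usage extension differs from the defaults")
    # set4, set5, set7 and set8 have no constraints, so nothing more to check.
    return problems


# Constructed sample requests: one that conforms and one that breaks set1 to set6.
GOOD_REQUEST = {"subject": "uid=jdoe,ou=People,o=example.com", "key_type": "RSA",
                "key_length": 2048}
BAD_REQUEST = {"subject": "cn=Jane Doe,o=example.com", "key_type": "DSA",
               "key_length": 8192, "validity_days": 730,
               "key_usage": dict(KEY_USAGE_DEFAULTS, **{"Key Agreement": True})}

if __name__ == "__main__":
    for name, req in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        print(name, check_constraints(req) or "conforms")
```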