How it Works
Red Hat
Loading...
#
A
B
C
D
Loading...
Loading...
CERTIFICATE SYSTEM 7.3 - ADMINISTRATION
Administration Manual
554 pgs6.87 Mb0

Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION Administration Manual

Red Hat Certificate
System 7.3
Administration Guide
Publication date: May 2007, updated March 25, 2010
Administration Guide
Red Hat Certificate System 7.3 Administration Guide
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
All other trademarks are the property of their respective owners.
1801 Varsity Drive Raleigh, NC 27606-2072 USA Phone: +1 919 754 3700 Phone: 888 733 4281 Fax: +1 919 754 3701 PO Box 13588 Research Triangle Park, NC 27709 USA
This manual covers all aspects of installing, configuring, and managing Certificate System subsystems. It also covers management tasks such as adding users; requesting and revoking certificates; publishing CRLs; and managing smart cards. This guide is intended for Certificate System administrators.
iii
About This Guide xvii
1. Recommended Knowledge ........................................................................................... xvii
2. What Is in This Guide .................................................................................................. xvii
3. Examples and Formatting .............................................................................................. xix
3.1. File Locations for Examples and Commands ....................................................... xix
3.2. Using Mozilla LDAP Tools .................................................................................. xix
3.3. Default Port Numbers ......................................................................................... xix
3.4. Guide Formatting ............................................................................................... xix
4. Additional Reading ........................................................................................................ xx
5. Giving Feedback ........................................................................................................... xxi
6. Document History ......................................................................................................... xxi
1. Overview 1
1.1. Features ...................................................................................................................... 1
1.1.1. Subsystems ...................................................................................................... 1
1.1.2. Interfaces .......................................................................................................... 2
1.1.3. Logging ............................................................................................................. 2
1.1.4. Auditing ............................................................................................................. 2
1.1.5. Self-Tests .......................................................................................................... 3
1.1.6. Authorization ..................................................................................................... 3
1.1.7. Security-Enhanced Linux Support ....................................................................... 3
1.1.8. Authentication .................................................................................................... 3
1.1.9. Registration Authority ......................................................................................... 4
1.1.10. SCEP .............................................................................................................. 4
1.1.11. Certificate Issuance .......................................................................................... 4
1.1.12. Certificate Profiles ............................................................................................ 5
1.1.13. CRLs .............................................................................................................. 5
1.1.14. Publishing ....................................................................................................... 5
1.1.15. Notifications ..................................................................................................... 5
1.1.16. Jobs ................................................................................................................ 5
1.1.17. Dual Key Pairs ................................................................................................ 6
1.1.18. HSMs and Crypto Accelerators ......................................................................... 6
1.1.19. Support for Open Standards ............................................................................. 6
1.2. How the Certificate System Works ................................................................................ 7
1.2.1. About the Certificate Manager ............................................................................ 7
1.2.2. How the Certificate Manager Works .................................................................... 9
1.2.3. Data Recovery Manager .................................................................................. 11
1.2.4. Online Certificate Status Manager .................................................................... 11
1.2.5. Token Key Service ........................................................................................... 12
1.2.6. Token Processing System ................................................................................ 12
1.3. Deployment Scenarios ................................................................................................ 12
1.3.1. Single Certificate Manager ............................................................................... 12
1.3.2. Certificate Manager and DRM .......................................................................... 13
1.3.3. Cloned Certificate Manager .............................................................................. 14
1.3.4. Smart Card Enrollment .................................................................................... 15
1.4. System Architecture ................................................................................................... 15
1.4.1. Certificate System Instance .............................................................................. 17
1.4.2. HTTP Engine .................................................................................................. 17
1.4.3. User Interfaces ................................................................................................ 17
1.4.4. JSS and the JNI Layer .................................................................................... 18
1.4.5. NSS ................................................................................................................ 18
1.4.6. PKCS #11 ....................................................................................................... 19
Administration Guide
iv
1.4.7. Management Tools .......................................................................................... 19
1.4.8. JRE ................................................................................................................ 20
1.4.9. Internal Database ............................................................................................ 20
1.4.10. SSL/TLS and Supported Cipher Suites ............................................................ 20
1.5. Support for Open Standards ....................................................................................... 21
1.5.1. Certificate Management Formats and Protocols ................................................. 21
1.5.2. Security and Directory Protocols ....................................................................... 21
2. Installation and Configuration 23
2.1. Deployment Considerations ......................................................................................... 23
2.1.1. Security Domains ............................................................................................ 24
2.1.2. Cloning a Subsystem ....................................................................................... 24
2.1.3. Self-Signed Root CA or Subordinate CA ........................................................... 24
2.2. Prerequisites .............................................................................................................. 25
2.2.1. Supported Platforms ........................................................................................ 25
2.2.2. Required Programs and Dependencies ............................................................. 26
2.2.3. Packages Installed ........................................................................................... 28
2.3. Configuration Preparation ........................................................................................... 32
2.3.1. Required Information ........................................................................................ 32
2.3.2. Default Settings ............................................................................................... 33
2.4. Configuration Setup Wizard ........................................................................................ 34
2.4.1. Security Domain Panel .................................................................................... 34
2.4.2. Subsystem Type Panel .................................................................................... 35
2.4.3. PKI Hierarchy Panel ........................................................................................ 36
2.4.4. CA Information Panel ....................................................................................... 37
2.4.5. TKS Information Panel ..................................................................................... 37
2.4.6. DRM Information Panel .................................................................................... 38
2.4.7. Authentication Directory Panel .......................................................................... 39
2.4.8. Internal Database Panel ................................................................................... 39
2.4.9. Key Store Panel .............................................................................................. 40
2.4.10. Key Pairs Panel ............................................................................................. 41
2.4.11. Subject Names Panel ..................................................................................... 42
2.4.12. Requests and Certificates Panel ..................................................................... 43
2.4.13. Export Keys and Certificates Panel ................................................................. 44
2.4.14. Administrator Panel ........................................................................................ 45
2.5. Installing the Certificate System ................................................................................. 46
2.5.1. Installing from an ISO Image ............................................................................ 46
2.5.2. Installing through up2date ................................................................................ 48
2.6. Configuring the Default Subsystem Instances ............................................................... 48
2.6.1. Configuring a CA ............................................................................................. 48
2.6.2. Configuring a DRM, OCSP, or TKS ................................................................... 50
2.6.3. Configuring a TPS ........................................................................................... 51
2.7. Creating Additional Subsystem Instances ..................................................................... 52
2.7.1. Running pkicreate ............................................................................................ 52
2.7.2. Running pkicreate with Port Separation ............................................................. 53
2.8. Cloning a Subsystem .................................................................................................. 53
2.9. Silent Installation ........................................................................................................ 55
2.10. Updating Certificate System Packages ....................................................................... 56
2.10.1. Updating Certificate System on Red Hat Enterprise Linux ................................. 57
2.10.2. Updating Certificate System on Solaris ............................................................ 57
2.11. Uninstalling Certificate System Subsystems ................................................................ 59
2.11.1. Removing a Subsystem Instance .................................................................... 59
v
2.11.2. Removing Certificate System Subsystems ....................................................... 59
3. Administrative Basics 61
3.1. Administrative Console ............................................................................................... 61
3.2. Enabling SSL Client Authentication for the Certificate System Console ........................... 62
3.3. System Passwords ..................................................................................................... 64
3.3.1. Protecting the password.conf File ..................................................................... 64
3.3.2. Password-Quality Checker ............................................................................... 66
3.4. Starting, Stopping, and Restarting Certificate System Subsystems ................................. 66
3.4.1. Starting a Server Instance ................................................................................ 66
3.4.2. Stopping a Server Instance .............................................................................. 66
3.4.3. Restarting a Server Instance ............................................................................ 66
3.4.4. Restarting a Subsystem after a Machine Restart ............................................... 67
3.5. Mail Server ................................................................................................................ 67
3.6. Configuration Files ..................................................................................................... 67
3.6.1. Locating the Configuration File ......................................................................... 68
3.6.2. Editing the Configuration File ........................................................................... 68
3.6.3. Guidelines for Editing the Configuration File ...................................................... 68
3.6.4. Duplicating Configuration from One Instance to Another ..................................... 70
3.6.5. Other File Locations ........................................................................................ 70
3.6.6. Default Server Instance Locations .................................................................... 72
3.7. Using Security-Enhanced Linux ................................................................................... 74
3.8. Using Java Servlets .................................................................................................... 75
3.9. Logs .......................................................................................................................... 75
3.9.1. About Logs ...................................................................................................... 76
3.9.2. Services That Are Logged ................................................................................ 79
3.9.3. Log Levels (Message Categories) ..................................................................... 79
3.9.4. Buffered Versus Unbuffered Logging ................................................................. 81
3.9.5. Log File Rotation ............................................................................................. 81
3.9.6. Configuring Logs in the Console ....................................................................... 82
3.9.7. Configuring Logs in the CS.cfg File ................................................................... 83
3.9.8. Configuring TPS Logs ...................................................................................... 84
3.9.9. Monitoring Logs ............................................................................................... 85
3.9.10. Signing Log Files ........................................................................................... 86
3.9.11. Registering a Log Module ............................................................................... 87
3.9.12. Deleting a Log Module ................................................................................... 87
3.9.13. Signed Audit Log ........................................................................................... 87
3.10. Self-Tests ................................................................................................................. 91
3.10.1. Self-Test Logging ........................................................................................... 92
3.10.2. Self-Test Configuration ................................................................................... 92
3.10.3. Modifying Self-Test Configuration .................................................................... 92
3.11. Ports ........................................................................................................................ 93
3.11.1. About Ports ................................................................................................... 93
3.11.2. Changing a Port Number ................................................................................ 96
3.11.3. Configuring Port Separation ............................................................................ 96
3.11.4. Redirecting Subsystem Communications to Secure End-Entities Port ................. 99
3.12. The Internal LDAP Database ................................................................................... 103
3.12.1. Changing the Internal Database Configuration ............................................... 104
3.12.2. Enabling SSL Client Authentication with the Internal Database ........................ 105
3.12.3. Restricting Access to the Internal Database ................................................... 106
3.13. Backing up and Restoring Certificate System ........................................................... 106
Administration Guide
vi
4. Certificate Manager 109
4.1. How the Certificate Manager Works ........................................................................... 109
4.1.1. Enrollment ..................................................................................................... 109
4.1.2. Revocation .................................................................................................... 110
4.2. Certificate Manager Certificates ................................................................................. 111
4.2.1. CA Signing Key Pair and Certificate ................................................................ 111
4.2.2. OCSP Signing Key Pair and Certificate ........................................................... 112
4.2.3. SSL Server Key Pair and Certificate ............................................................... 112
4.2.4. Certificate Considerations ............................................................................... 112
4.2.5. Cross-Pair Certificates .................................................................................... 113
4.3. CA Hierarchy ............................................................................................................ 113
4.3.1. Subordination to a Public CA .......................................................................... 114
4.3.2. Subordination to a Certificate System CA ........................................................ 114
4.4. Security Domains ..................................................................................................... 114
4.4.1. The domain.xml File ...................................................................................... 115
4.4.2. Security Domain Roles ................................................................................... 116
4.4.3. Creating a Security Domain ............................................................................ 117
4.4.4. Joining a Security Domain .............................................................................. 118
4.4.5. Additional Security Domain Information ........................................................... 118
4.5. Configuring the Certificate Manager Instance ............................................................. 118
4.6. CA Certificate Reissuance ........................................................................................ 120
4.7. Changing the Rules for Issuing Certificates ................................................................ 120
4.8. Setting Restrictions on CA Certificates through Certificate Extensions .......................... 122
4.9. Creating Certificate Manager Agents and Administrators ............................................. 124
4.10. Checking the Revocation Status of Agent Certificates ............................................... 125
4.11. CRL Signing Key Pair and Certificate ....................................................................... 127
4.12. DNs in the Certificate System .................................................................................. 128
4.12.1. Extending Attribute Support .......................................................................... 129
5. Registration Authority 133
5.1. Introduction .............................................................................................................. 133
5.1.1. What is a Registration Authority? .................................................................... 133
5.1.2. Enrollment Types ........................................................................................... 133
5.1.3. Roles ............................................................................................................ 134
5.1.4. Interfaces ...................................................................................................... 134
5.2. Installation and Configuration .................................................................................... 135
5.2.1. Configuration ................................................................................................. 136
5.2.2. Directory Structure ......................................................................................... 140
5.2.3. Configuration Parameters ............................................................................... 140
5.2.4. RA Request Queue Plugins ............................................................................ 142
5.2.5. Libraries ........................................................................................................ 143
5.3. Working With the Registration Authority ..................................................................... 143
5.3.1. Configuring Additional RA Instances ............................................................... 143
5.3.2. Customizing the Subject DN in the CSR .......................................................... 147
5.3.3. Using the End Users Services Interface .......................................................... 148
5.3.4. Using the Agent Services Interface ................................................................. 153
5.3.5. Using the Administrator Interface .................................................................... 153
5.3.6. Command-line Operations .............................................................................. 155
6. Online Certificate Status Protocol Responder 157
6.1. About OCSP Services .............................................................................................. 157
6.1.1. OCSP Response Signing ............................................................................... 157
vii
6.1.2. OCSP Responses .......................................................................................... 158
6.2. CA OCSP Services .................................................................................................. 158
6.2.1. The Certificate Manager's Internal OCSP Service ............................................ 158
6.2.2. Online Certificate Status Manager ................................................................... 158
6.3. Online Certificate Status Manager Certificates ............................................................ 159
6.3.1. OCSP Signing Key Pair and Certificate ........................................................... 159
6.3.2. SSL Server Key Pair and Certificate ............................................................... 159
6.3.3. Recognizing Online Certificate Status Manager Certificates .............................. 160
6.4. Configuring the Online Certificate Status Manager ...................................................... 160
6.5. Creating Online Certificate Status Manager Agents and Administrators ......................... 161
6.6. Configuring the Certificate Manager's Internal OCSP Service ...................................... 162
6.7. Setting up the OCSP Responder ............................................................................... 163
6.8. Identifying the CA to the OCSP Responder ................................................................ 164
6.8.1. Verify Certificate Manager and Online Certificate Status Manager Connection ..... 165
6.8.2. Configure the Revocation Info Stores .............................................................. 165
6.9. Testing the OCSP Service Setup ............................................................................... 166
6.10. Submitting OCSP Requests Using the GET Method .................................................. 167
6.11. Setting up a Redirect for Certificates Issued in Certificate System 7.1 and Earlier ......... 169
7. Data Recovery Manager 173
7.1. PKI Setup for Archiving and Recovering Keys ............................................................ 173
7.2. Data Recovery Manager Certificates .......................................................................... 173
7.2.1. Transport Key Pair and Certificate .................................................................. 174
7.2.2. Storage Key Pair ........................................................................................... 174
7.2.3. SSL Server Certificate .................................................................................... 174
7.3. Forms for Users and Key Recovery Agents ................................................................ 174
7.4. Overview of Archiving Keys ....................................................................................... 175
7.4.1. Reasons to Archive Keys ............................................................................... 175
7.4.2. Where the Keys Are Stored ............................................................................ 175
7.4.3. How Key Archival Works ................................................................................ 175
7.5. Overview of Key Recovery ........................................................................................ 177
7.5.1. Key Recovery Agents and Their Passwords .................................................... 177
7.5.2. Key Recovery Agent Scheme ......................................................................... 178
7.6. Configuring Key Archival and Recovery Process ........................................................ 178
7.6.1. Setting up Key Archival .................................................................................. 178
7.6.2. Setting up Key Recovery ................................................................................ 179
7.6.3. Testing the Key Archival and Recovery Setup .................................................. 180
7.7. Creating Data Recovery Manager Agents and Administrators ...................................... 181
8. Token Processing System 183
8.1. Working with Multiple Instances of a Subsystem ......................................................... 183
8.1.1. Configuring Failover Support .......................................................................... 184
8.1.2. Configuring Multiple Instances for Different Functions ....................................... 184
8.2. Formatting Smart Cards ............................................................................................ 186
8.3. Resetting the Smart Card PIN ................................................................................... 186
8.4. Applet Upgrade ........................................................................................................ 186
8.5. Enrolling Smart Cards through the Enterprise Security Client ....................................... 187
8.5.1. Enabling SSL in the TPS ............................................................................... 188
8.5.2. Configuring Server-Side Key Generation and Archival of Encryption Keys .......... 189
8.5.3. Looking at Smart Card Certificate Enrollment Profiles ....................................... 191
8.5.4. Automating Encryption Key Recovery .............................................................. 192
8.5.5. Configuring Symmetric Key Changeover ......................................................... 194
Administration Guide
viii
8.5.6. Setting Token Types for Specified Smart Cards ............................................... 196
8.6. Configuring LDAP Authentication ............................................................................... 198
8.7. Token Database ....................................................................................................... 199
8.8. Configuring TPS Logging .......................................................................................... 199
8.8.1. Thread Correlation ......................................................................................... 199
8.9. TPS Configuration Parameters .................................................................................. 199
8.9.1. TKS Configuration File Parameters ................................................................. 215
9. Token Key Service 217
9.1. Overview .................................................................................................................. 217
9.2. Using Master Keys ................................................................................................... 217
9.3. Configuring the TKS to Associate the Master Key with Its Version ................................ 219
9.4. Using HSM for Generating Keys ................................................................................ 219
9.5. Creating Token Key Service Agents and Administrators .............................................. 220
10. Enterprise Security Client 223
11. Managing Certificates 225
11.1. Certificate Overview ................................................................................................ 225
11.1.1. Types of Certificates ..................................................................................... 225
11.1.2. Determining Which Certificates to Install ........................................................ 227
11.1.3. Certificate Data Formats ............................................................................... 229
11.1.4. Certificate Setup Wizard ............................................................................... 229
11.2. Requesting and Receiving Certificates ..................................................................... 230
11.2.1. Requesting Certificates ................................................................................. 231
11.2.2. Submitting Certificate Requests ..................................................................... 245
11.2.3. Retrieving Certificates from the End-Entities Page .......................................... 249
11.3. Managing User Certificates .................................................................................... 251
11.3.1. Managing Certificate System User and Agent Certificates ............................... 252
11.3.2. Importing Certificates into Mozilla Firefox ....................................................... 253
11.4. Managing the Certificate Database .......................................................................... 254
11.4.1. Installing Certificates in the Certificate System Database ................................. 254
11.4.2. Viewing Database Content ............................................................................ 258
11.4.3. Deleting Certificates from the Database ......................................................... 260
11.4.4. Changing the Trust Settings of a CA Certificate .............................................. 261
11.5. Configuring the Server Certificate Use Preferences ................................................... 262
12. Managing Tokens 265
12.1. Tokens for Storing Certificate System Keys and Certificates ....................................... 265
12.1.1. Internal Tokens ............................................................................................ 265
12.1.2. External Tokens ........................................................................................... 265
12.1.3. Considerations for External Tokens ............................................................... 265
12.2. Using Hardware Security Modules with Subsystems ................................................. 266
12.2.1. Chrysalis LunaSA HSM ................................................................................ 267
12.2.2. Installing External Tokens and Unsupported HSM .......................................... 267
12.3. Managing Tokens Used by the Subsystems ............................................................. 268
12.3.1. Viewing Tokens ............................................................................................ 268
12.3.2. Changing a Token's Password ...................................................................... 268
12.4. Detecting Tokens .................................................................................................... 268
12.5. Hardware Cryptographic Accelerators ...................................................................... 269
13. Certificate Profiles 271
13.1. About Certificate Profiles ......................................................................................... 271
13.2. How Certificate Profiles Work .................................................................................. 272
ix
13.3. Setting up Certificate Profiles .................................................................................. 273
13.3.1. Modifying Certificate Profiles through the CA Console .................................... 273
13.3.2. Modifying Certificate Profiles through the Command Line ................................ 282
13.3.3. Populating Certificates with Directory Attributes .............................................. 285
13.3.4. Customizing the Enrollment Form ................................................................. 288
13.4. Certificate Profile Reference .................................................................................... 288
13.5. Input Reference ...................................................................................................... 289
13.5.1. Certificate Request Input .............................................................................. 289
13.5.2. CMC Certificate Request Input ...................................................................... 289
13.5.3. Dual Key Generation Input ........................................................................... 289
13.5.4. File-Signing Input ......................................................................................... 289
13.5.5. Image Input ................................................................................................. 290
13.5.6. Key Generation Input ................................................................................... 290
13.5.7. nsHcertificateRequest (Token Key) Input ....................................................... 290
13.5.8. nsNcertificateRequest (Token User Key) Input ............................................... 290
13.5.9. Subject DN Input ......................................................................................... 290
13.5.10. Subject Name Input .................................................................................... 290
13.5.11. Submitter Information Input ......................................................................... 291
13.6. Output Reference ................................................................................................... 291
13.6.1. Certificate Output ......................................................................................... 291
13.6.2. PKCS #7 Output .......................................................................................... 291
13.6.3. CMMF Output .............................................................................................. 291
13.7. Defaults Reference ................................................................................................. 292
13.7.1. Authority Info Access Extension Default ........................................................ 292
13.7.2. Authority Key Identifier Extension Default ...................................................... 293
13.7.3. Basic Constraints Extension Default .............................................................. 294
13.7.4. CRL Distribution Points Extension Default ..................................................... 295
13.7.5. Extended Key Usage Extension Default ........................................................ 297
13.7.6. Freshest CRL Extension Default ................................................................... 298
13.7.7. Issuer Alternative Name Extension Default .................................................... 300
13.7.8. Key Usage Extension Default ....................................................................... 301
13.7.9. Name Constraints Extension Default ............................................................. 302
13.7.10. Netscape Certificate Type Extension Default ................................................ 306
13.7.11. Netscape Comment Extension Default ......................................................... 306
13.7.12. No Default Extension .................................................................................. 306
13.7.13. OCSP No Check Extension Default ............................................................. 306
13.7.14. Policy Constraints Extension Default ........................................................... 307
13.7.15. Policy Mappers Extension Default ............................................................... 308
13.7.16. Signing Algorithm Default ........................................................................... 308
13.7.17. Subject Alternative Name Extension Default ................................................. 309
13.7.18. Subject Directory Attributes Extension Default .............................................. 311
13.7.19. Subject Key Identifier Extension Default ...................................................... 312
13.7.20. Subject Name Default ................................................................................ 312
13.7.21. Token Supplied Subject Name Default ......................................................... 313
13.7.22. User Supplied Extension Default ................................................................. 313
13.7.23. User Supplied Key Default .......................................................................... 314
13.7.24. User Signing Algorithm Default ................................................................... 315
13.7.25. User Supplied Subject Name Default ........................................................... 315
13.7.26. User Supplied Validity Default ..................................................................... 315
13.7.27. Validity Default ........................................................................................... 315
13.8. Constraints Reference ............................................................................................. 316
Administration Guide
x
13.8.1. Basic Constraints Extension Constraint ......................................................... 316
13.8.2. Extended Key Usage Extension Constraint .................................................... 317
13.8.3. Extension Constraint .................................................................................... 317
13.8.4. Key Constraint ............................................................................................. 317
13.8.5. Key Usage Extension Constraint ................................................................... 317
13.8.6. No Constraint .............................................................................................. 319
13.8.7. Netscape Certificate Type Extension Constraint ............................................. 319
13.8.8. Signing Algorithm Constraint ......................................................................... 319
13.8.9. Subject Name Constraint .............................................................................. 319
13.8.10. Unique Subject Name Constraint ................................................................ 320
13.8.11. Validity Constraint ....................................................................................... 320
14. Revocation and CRLs 321
14.1. Revocation ............................................................................................................. 321
14.1.1. SSL Client Authenticated Revocation ............................................................ 321
14.1.2. Certificate Revocation Forms ........................................................................ 321
14.2. CMC Revocation .................................................................................................... 322
14.2.1. Setting up CMC Revocation ......................................................................... 322
14.2.2. Testing CMC Revoke ................................................................................... 323
14.3. About CRLs ............................................................................................................ 323
14.3.1. Reasons for Revoking a Certificate ............................................................... 324
14.3.2. Publishing CRLs .......................................................................................... 325
14.3.3. CRL Issuing Points ...................................................................................... 325
14.3.4. Delta CRLs .................................................................................................. 325
14.3.5. How CRLs Work .......................................................................................... 325
14.4. Issuing CRLs .......................................................................................................... 326
14.4.1. Configuring Issuing Points ............................................................................ 328
14.4.2. Configuring CRLs for Each Issuing Point ....................................................... 329
14.4.3. Setting CRL Extensions ................................................................................ 333
14.5. Setting Full and Delta CRL Schedules ..................................................................... 334
14.5.1. Configuring Extended Updated Intervals for CRLs in the Console .................... 335
14.5.2. Configuring Extended Updated Intervals for CRLs in CS.cfg ............................ 336
15. Publishing 337
15.1. About Publishing ..................................................................................................... 337
15.1.1. About Publishers .......................................................................................... 337
15.1.2. About Mappers ............................................................................................ 337
15.1.3. About Rules ................................................................................................. 338
15.1.4. Publishing to Files ........................................................................................ 338
15.1.5. LDAP Publishing .......................................................................................... 338
15.1.6. OCSP Publishing ......................................................................................... 339
15.1.7. How Publishing Works ................................................................................. 339
15.2. Setting up Publishing .............................................................................................. 340
15.3. Configuring Publishers ............................................................................................ 341
15.3.1. Configuring Publishers for Publishing to a File ............................................... 341
15.3.2. Configuring Publishers for Publishing to OCSP .............................................. 343
15.3.3. Configuring Publishers for LDAP Publishing ................................................... 345
15.4. Configuring Mappers ............................................................................................... 346
15.5. Rules ..................................................................................................................... 350
15.5.1. Modifying Publishing Rules for Certificates and CRLs ..................................... 351
15.5.2. Predicates Used in Publishing Rules ............................................................. 355
15.6. Enabling Publishing ................................................................................................ 355
xi
15.7. Publishing Cross-Pair Certificates ............................................................................ 357
15.8. Testing Publishing to Files ....................................................................................... 357
15.9. Viewing Certificates and CRLs Published to File ....................................................... 359
15.10. Configuring the Directory for LDAP Publishing ........................................................ 359
15.10.1. Schema ..................................................................................................... 360
15.10.2. Entry for the CA ......................................................................................... 360
15.10.3. Bind DN .................................................................................................... 361
15.10.4. Directory Authentication Method .................................................................. 361
15.11. Updating Certificates and CRLs in a Directory ........................................................ 361
15.11.1. Manually Updating Certificates in the Directory ............................................. 362
15.11.2. Manually Updating the CRL in the Directory ................................................. 363
15.12. Registering and Deleting Mapper and Publisher Plug-in Modules ............................. 363
15.13. Module Reference ................................................................................................. 364
15.13.1. Publisher Plug-in Modules .......................................................................... 364
15.13.2. Mapper Plug-in Modules ............................................................................ 367
15.13.3. Configuring Rule Instances ......................................................................... 373
16. Authentication for Enrolling Certificates 377
16.1. Enrollment Overview ............................................................................................... 377
16.1.1. The Authentication Process .......................................................................... 377
16.2. Agent-Approved Enrollment ..................................................................................... 378
16.2.1. Configuring Agent-Approved Enrollment ........................................................ 378
16.3. Automated Enrollment ............................................................................................. 378
16.3.1. Setting up Directory-Based Authentication ..................................................... 379
16.3.2. Setting up PIN-based Enrollment .................................................................. 380
16.4. Setting up CMC Enrollment ..................................................................................... 384
16.4.1. Setting up the Server for Multiple Requests in a Full CMC Request .................. 385
16.4.2. Testing CMCEnroll ....................................................................................... 385
16.5. Certificate-Based Enrollment ................................................................................... 386
16.5.1. Setting up Certificate-Based Enrollment ......................................................... 387
16.6. Testing Enrollment .................................................................................................. 388
16.7. Managing Authentication Plug-ins ............................................................................ 389
17. User and Group Authorization 391
17.1. About Authorization ................................................................................................. 391
17.1.1. How Authorization Works ............................................................................. 391
17.1.2. Default Groups ............................................................................................ 391
17.2. Creating Users ....................................................................................................... 394
17.3. Setting up a Trusted Manager ................................................................................. 395
17.4. Modifying Certificate System User Entries ................................................................ 398
17.4.1. Changing a Certificate System User's Login Information ................................. 398
17.4.2. Changing a Certificate System User's Certificate ............................................ 399
17.4.3. Changing Members in a Group ..................................................................... 399
17.4.4. Deleting a Certificate System User ................................................................ 399
17.5. Creating a New Group ............................................................................................ 400
17.6. Authorization for Certificate System Users ................................................................ 401
17.6.1. Access Control Lists (ACLs) ......................................................................... 401
17.6.2. Access Control Instructions (ACIs) ................................................................ 401
17.6.3. Changing Privileges ..................................................................................... 401
17.6.4. How ACIs Are Formed ................................................................................. 401
17.6.5. Editing ACLs ................................................................................................ 404
17.7. ACL Reference ....................................................................................................... 406
Administration Guide
xii
17.7.1. certServer.acl.configuration ........................................................................... 406
17.7.2. certServer.admin.certificate ........................................................................... 407
17.7.3. certServer.admin.request.enrollment .............................................................. 407
17.7.4. certServer.auth.configuration ......................................................................... 408
17.7.5. certServer.ca.certificate ................................................................................ 408
17.7.6. certServer.ca.certificates ............................................................................... 409
17.7.7. certServer.ca.configuration ............................................................................ 409
17.7.8. certServer.ca.connector ................................................................................ 410
17.7.9. certServer.ca.clone ....................................................................................... 410
17.7.10. certServer.ca.crl ......................................................................................... 411
17.7.11. certServer.ca.directory ................................................................................ 411
17.7.12. certServer.ca.group .................................................................................... 411
17.7.13. certServer.ca.ocsp ...................................................................................... 412
17.7.14. certServer.ca.profiles .................................................................................. 412
17.7.15. certServer.ca.profile .................................................................................... 412
17.7.16. certServer.ca.requests ................................................................................ 413
17.7.17. certServer.ca.request.enrollment ................................................................. 413
17.7.18. certServer.ca.request.profile ........................................................................ 414
17.7.19. certServer.ca.systemstatus .......................................................................... 414
17.7.20. certServer.ee.certificate .............................................................................. 414
17.7.21. certServer.ee.certificates ............................................................................. 415
17.7.22. certServer.ee.certchain ............................................................................... 415
17.7.23. certServer.ee.crl ......................................................................................... 416
17.7.24. certServer.ee.profile .................................................................................... 416
17.7.25. certServer.ee.profiles .................................................................................. 416
17.7.26. certServer.ee.facetofaceenrollment .............................................................. 417
17.7.27. certServer.ee.request.enrollment ................................................................. 417
17.7.28. certServer.ee.request.facetofaceenrollment .................................................. 417
17.7.29. certServer.ee.request.ocsp .......................................................................... 418
17.7.30. certServer.ee.request.revocation ................................................................. 418
17.7.31. certServer.ee.requestStatus ........................................................................ 418
17.7.32. certServer.general.configuration .................................................................. 419
17.7.33. certServer.job.configuration ......................................................................... 419
17.7.34. certServer.kra.certificate.transport ................................................................ 420
17.7.35. certServer.kra.configuration ......................................................................... 420
17.7.36. certServer.kra.connector ............................................................................. 421
17.7.37. certServer.kra.key ....................................................................................... 421
17.7.38. certServer.kra.keys ..................................................................................... 421
17.7.39. certServer.kra.request ................................................................................. 422
17.7.40. certServer.kra.requests ............................................................................... 422
17.7.41. certServer.kra.request.status ....................................................................... 422
17.7.42. certServer.kra.systemstatus ........................................................................ 423
17.7.43. certServer.log.configuration ......................................................................... 423
17.7.44. certServer.log.configuration.SignedAudit.expirationTime ................................ 424
17.7.45. certServer.log.configuration.fileName ........................................................... 424
17.7.46. certServer.log.content.SignedAudit .............................................................. 425
17.7.47. certServer.log.content ................................................................................. 425
17.7.48. certServer.ocsp.ca ...................................................................................... 426
17.7.49. certServer.ocsp.cas .................................................................................... 426
17.7.50. certServer.ocsp.certificate ........................................................................... 426
17.7.51. certServer.ocsp.configuration ...................................................................... 427
xiii
17.7.52. certServer.ocsp.crl ...................................................................................... 427
17.7.53. certServer.profile.configuration .................................................................... 427
17.7.54. certServer.publisher.configuration ................................................................ 428
17.7.55. certServer.registry.configuration ................................................................... 429
17.7.56. certServer.usrgrp.administration .................................................................. 429
18. Automated Notifications 431
18.1. About Automated Notifications ................................................................................. 431
18.1.1. Types of Automated Notifications .................................................................. 431
18.1.2. Determining End-Entity Email Addresses ....................................................... 431
18.2. Setting Up Automated Notifications .......................................................................... 432
18.2.1. Configuring Specific Notifications by Editing the Configuration File ................... 433
18.2.2. Testing Configuration .................................................................................... 434
18.3. Customizing Notification Messages .......................................................................... 435
18.3.1. Notification Message Templates .................................................................... 435
18.3.2. Token Definitions .......................................................................................... 437
19. Automated Jobs 439
19.1. About Automated Jobs ............................................................................................ 439
19.1.1. Setting up Automated Jobs ........................................................................... 439
19.1.2. Types of Automated Jobs ............................................................................. 439
19.2. Setting up the Job Scheduler .................................................................................. 440
19.2.1. Enabling and Configuring the Job Scheduler .................................................. 440
19.3. Setting up Specific Jobs .......................................................................................... 441
19.3.1. Configuring Specific Jobs Using the Certificate Manager Console .................... 442
19.3.2. Configuring Jobs by Editing the Configuration File .......................................... 444
19.3.3. Configuration Parameters of requestInQueueNotifier ...................................... 444
19.3.4. Configuration Parameters of publishCerts ...................................................... 445
19.3.5. Configuration Parameters of unpublishExpiredCerts ....................................... 446
19.3.6. Frequency Settings for Automated Jobs ........................................................ 447
19.4. Managing Job Plug-ins ............................................................................................ 448
19.4.1. Registering or Deleting a Job Module ............................................................ 448
20. Configuring the Certificate System for High Availability 451
20.1. High Availability Overview ....................................................................................... 451
20.1.1. Architecture of a Failover System ................................................................. 451
20.1.2. Load Balancing ............................................................................................ 452
20.2. Cloning Preparation ................................................................................................ 452
20.2.1. Diagnostics .................................................................................................. 453
20.3. Testing the Cloned Configuration ............................................................................. 453
20.4. Clone-Master Conversion ........................................................................................ 454
20.4.1. Converting a Master CA into a Cloned CA ..................................................... 455
20.4.2. Converting a Cloned CA into a Master CA ..................................................... 456
20.4.3. Converting a Master OCSP into a Cloned OCSP .......................................... 457
20.4.4. Converting a Cloned OCSP into a Master OCSP .......................................... 457
A. Certificate and CRL Extensions 459
A.1. Introduction to Certificate Extensions ......................................................................... 459
A.1.1. Structure of Certificate Extensions .................................................................. 460
A.1.2. Sample Certificate Extensions ........................................................................ 461
A.2. Note on Object Identifiers ......................................................................................... 462
A.3. Standard X.509 v3 Certificate Extensions .................................................................. 463
A.3.1. authorityInfoAccess ........................................................................................ 464
Administration Guide
xiv
A.3.2. The authorityKeyIdentifier ............................................................................... 464
A.3.3. basicConstraints ............................................................................................ 465
A.3.4. certificatePolicies ........................................................................................... 465
A.3.5. CRLDistributionPoints .................................................................................... 466
A.3.6. extKeyUsage ................................................................................................. 466
A.3.7. issuerAltName Extension ............................................................................... 467
A.3.8. keyUsage ...................................................................................................... 467
A.3.9. nameConstraints ........................................................................................... 469
A.3.10. OCSPNocheck ............................................................................................ 469
A.3.11. policyConstraints .......................................................................................... 469
A.3.12. policyMappings ............................................................................................ 470
A.3.13. privateKeyUsagePeriod ................................................................................ 470
A.3.14. subjectAltName ........................................................................................... 471
A.3.15. subjectDirectoryAttributes ............................................................................. 471
A.3.16. subjectKeyIdentifier ...................................................................................... 471
A.4. Introduction to CRL Extensions ................................................................................. 472
A.4.1. Structure of CRL Extensions .......................................................................... 472
A.4.2. Sample CRL and CRL Entry Extensions ......................................................... 473
A.5. Standard X.509 v3 CRL Extensions .......................................................................... 474
A.5.1. Extensions for CRLs ...................................................................................... 474
A.5.2. CRL Entry Extensions .................................................................................... 480
A.6. Netscape-Defined Certificate Extensions ................................................................... 482
A.6.1. netscape-cert-type ......................................................................................... 482
A.6.2. netscape-comment ........................................................................................ 482
B. Introduction to Public-Key Cryptography 485
B.1. Internet Security Issues ............................................................................................ 485
B.2. Encryption and Decryption ........................................................................................ 486
B.2.1. Symmetric-Key Encryption ............................................................................. 486
B.2.2. Public-Key Encryption .................................................................................... 487
B.2.3. Key Length and Encryption Strength ............................................................... 488
B.3. Digital Signatures ..................................................................................................... 488
B.4. Certificates and Authentication .................................................................................. 489
B.4.1. A Certificate Identifies Someone or Something ................................................ 489
B.4.2. Authentication Confirms an Identity ................................................................. 490
B.4.3. How Certificates Are Used ............................................................................. 493
B.4.4. Single Sign-on ............................................................................................... 495
B.4.5. Contents of a Certificate ................................................................................ 495
B.4.6. How CA Certificates Establish Trust ............................................................... 498
B.5. Managing Certificates ............................................................................................... 503
B.5.1. Issuing Certificates ........................................................................................ 503
B.5.2. Certificates and the LDAP Directory ................................................................ 504
B.5.3. Key Management .......................................................................................... 504
B.5.4. Revoking Certificates ..................................................................................... 505
C. Enrolling a Certificate in a Cisco Router 507
C.1. Preparation .............................................................................................................. 507
C.2. Configuration ........................................................................................................... 507
C.2.1. Working with chained (subordinate) CAs ......................................................... 509
C.2.2. DEBUGGING: ............................................................................................... 510
Glossary 511
xv
Index 525
xvi
xvii
About This Guide
This guide explains how to install, configure, and maintain the Red Hat Certificate System and how to use it for issuing and managing certificates to end entities such as web browsers, users, servers, and virtual private network (VPN) clients.
This guide is intended for experienced system administrators planning to deploy the Certificate System. Certificate System agents should refer to the Certificate System Agent's Guide for information on how to perform agent tasks, such as handling certificate requests and revoking certificates.
1. Recommended Knowledge
Before reading this guide, be familiar with the following concepts:
• Intranet, extranet, and Internet security and the role of digital certificates in a secure enterprise, including the following topics:
• Encryption and decryption
• Public keys, private keys, and symmetric keys
• Significance of key lengths
• Digital signatures
• Digital certificates, including different types of digital certificates
• The role of digital certificates in a public-key infrastructure (PKI)
• Certificate hierarchies
• LDAP and Red Hat Directory Server
• Public-key cryptography and the Secure Sockets Layer (SSL) protocol, including the following:
• SSL cipher suites
• The purpose of and major steps in the SSL handshake
2. What Is in This Guide
This guide contains the following elements:
Chapter 1, Overview lists Certificate System features, an overview of how the Certificate System works, an architectural overview of Certificate System, and lists the standards used in the product.
Chapter 2, Installation and Configuration provides step-by-step installation instructions.
Chapter 3, Administrative Basics provides information and procedures for performing configuration that is common to all subsystems such as using the administrative console, starting and stopping the server, viewing and setting logs, and running self-tests.
Chapter 4, Certificate Manager provides information and instructions for configuring the Certificate Manager and an overview of the configuration options.
About This Guide
xviii
Chapter 6, Online Certificate Status Protocol Responder provides information and instructions for configuring an Online Certificate Status Manager.
Chapter 7, Data Recovery Manager provides information and an overview of the configuration options for a Data Recovery Manager.
Chapter 8, Token Processing System describes managing tokens on smart cards through the Token Processing System (TPS).
Chapter 9, Token Key Service provides an overview of the Token Key Service (TKS), which manages the master keys required set up a secure communication channel between the TPS and the client.
Chapter 10, Enterprise Security Client provides an overview of the Enterprise Security Client, a cross-platform client for end users to register and manage keys and certificates on smart cards and tokens.
Chapter 11, Managing Certificates provides information on requesting, installing, and managing certificates.
Chapter 12, Managing Tokens provides information on managing user certificates using smart cards.
Chapter 13, Certificate Profiles provides information and procedures for configuring profiles.
Chapter 14, Revocation and CRLs provides information and procedures for configuring CRLs and revoking certificates.
Chapter 15, Publishing provides information and procedures for publishing certificates.
Chapter 17, User and Group Authorization provides information and procedures for setting up access control lists (ACL) that define authorization, creating users, and assigning users to groups to give them the privileges defined by the group ACLs.
Chapter 16, Authentication for Enrolling Certificates provides information and procedures for setting up various authentication methods to automate certificate enrollment.
Chapter 18, Automated Notifications provides information and procedures for configuring notifications.
Chapter 19, Automated Jobs provides information and procedures for configuring jobs.
Chapter 20, Configuring the Certificate System for High Availability provides information about clones and configuring the Certificate System for failover support.
Appendix A, Certificate and CRL Extensions provides general information about certificate and CRL extensions.
Appendix B, Introduction to Public-Key Cryptography provides general information about public-key cryptography.
Examples and Formatting
xix
3. Examples and Formatting
3.1. File Locations for Examples and Commands
All of the examples for Red Hat Certificate System commands, file locations, and other usage are given for Red Hat Enterprise Linux 4 (32 bit) systems. Be certain to use the appropriate commands and files for your platform.
To start the Red Hat Certificate System:
/etc/init.d/rhpki-ca start
Example 1. Example Command
All of the tools for Red Hat Certificate System are located in the /usr/bin directory. These tools can be run from any location without specifying the tool location.
3.2. Using Mozilla LDAP Tools
There is another important consideration with the LDAP utilities. The LDAP tools referenced in this guide are Mozilla LDAP, installed with Red Hat Certificate System in the /usr/dir/mozldap directory on Red Hat Enterprise Linux.
However, Red Hat Enterprise Linux systems also include LDAP tools from OpenLDAP in the /usr/ bin directory. It is possible to use the OpenLDAP commands as shown in the examples, but you must use the -x argument to disable SASL, which OpenLDAP tools use by default.
3.3. Default Port Numbers
After Errata RHSA-2009:0007, Certificate System 7.3 supports port separation. Port separation means that the different subsystem services for administrators, agents, and end entities run on different, user­defined ports.
The default subsystem instances, however, are configured to use a single secure port for all services. Therefore, any example commands or files reference these default ports.
Susbsystem SSL Port Non-SSL Port
CA 9443 9080
RA 12889 12888
DRM 10443 10080
OCSP 11443 11080
TKS 13443 13080
TPS 7889 7888
Table 1. Default Subsystem Ports
3.4. Guide Formatting
Certain words are represented in different fonts, styles, and weights. Different character formatting is used to indicate the function or purpose of the phrase being highlighted.
About This Guide
xx
Formatting Style Purpose
Monospace font Monospace is used for commands, package names, files and
directory paths, and any text displayed in a prompt.
Monospace with a background
This type of formatting is used for anything entered or returned in a command prompt.
Italicized text Any text which is italicized is a variable, such as
instance_name or hostname. Occasionally, this is also used to
emphasize a new term or other phrase.
Bolded text Most phrases which are in bold are application names, such as
Cygwin, or are fields or options in a user interface, such as a User Name Here: field or Save button.
Other formatting styles draw attention to important text.
NOTE
A note provides additional information that can help illustrate the behavior of the system or provide more detail for a specific issue.
IMPORTANT
Important information is necessary, but possibly unexpected, such as a configuration change that will not persist after a reboot.
WARNING
A warning indicates potential data loss, as may happen when tuning hardware for maximum performance.
4. Additional Reading
The Certificate System Administrator's Guide describes how to set up, configure, and administer the Certificate System subsystems and how to configure backend certificate management functions, such as publishing and logging. The Administrator's Guide also describes how to configure subsystems to relate to one another to manage certificates and tokens and how to manage certificates and tokens; this guide is targeted for Certificate System administrators.
The Certificate System Agent's Guide describes how agents — users responsible for processing certificate requests and managing other aspects of certificate management — can use the Certificate System subsystems web services pages to process certificate requests, key recovery, OCSP requests and CRLs, and other functions.
The documentation for Certificate System includes the following guides:
Certificate System Administrator's Guide explains all administrative functions for the Certificate System, such as adding users, creating and renewing certificates, managing smart cards, publishing CRLs, and modifying subsystem settings like port numbers.
Giving Feedback
xxi
Certificate System Agent's Guide details how to perform agent operations for the CA, RA, DRM, and TPS subsystems through the Certificate System agent services interfaces.
Certificate System Command-Line Tools Guide covers the command-line scripts supplied with Red Hat Certificate System.
Managing Smart Cards with the Enterprise Security Client explains how to install, configure, and use the Enterprise Security Client, the user client application for managing smart cards, user certificates, and user keys.
Certificate System Migration Guides cover version-specific procedures for migrating from older versions of Certificate System to Red Hat Certificate System 7.3.
Release Notes contains important information on new features, fixed bugs, known issues and workarounds, and other important deployment information for Red Hat Certificate System 7.3.
For the latest information about Red Hat Certificate System, including current release notes, complete product documentation, technical notes, and deployment information, see http://www.redhat.com/docs/
manuals/cert-system/.
5. Giving Feedback
If there is any error in this Administrator's Guide or there is any way to improve the documentation, please let us know. Bugs can be filed against the documentation for Red Hat Certificate System through Bugzilla, http://bugzilla.redhat.com/bugzilla. Make the bug report as specific as possible, so we can be more effective in correcting any issues:
• Select the Red Hat Certificate System product.
• Set the component to Doc - administration-guide.
• Set the version number to 7.3.
• For errors, give the page number (for the PDF) or URL (for the HTML), and give a succinct description of the problem, such as incorrect procedure or typo.
For enhancements, put in what information needs to be added and why.
• Give a clear title for the bug. For example, "Incorrect command example for setup script options" is better than "Bad example".
We appreciate receiving any feedback — requests for new sections, corrections, improvements, enhancements, even new ways of delivering the documentation or new styles of docs. You are welcome to contact Red Hat Content Services directly at docs@redhat.com.
6. Document History
Revision
7.3.15
March 25, 2010 Ella Deon Lackey
Added a section on updating subsystem configuration and updated pkicreate usage examples for changes related to Errata RHBA-2010:0170.
Revision
7.3.14
August 25, 2009 Ella Deon Lackey
About This Guide
xxii
Rewrote the section on issuing delta and full CRLs, per Bugzilla #510132. Changed PK12Export to pk12util in the cloning configuration overview, per Bugzilla #519058.
Revision
7.3.13
June 13, 2009 Ella Deon Lackey dlackey@redhat.com
Removing references to the CS SDK and Java SDK, per Bugzilla #491405.
Revision
7.3.12
March 7, 2009 Ella Deon Lackey dlackey@redhat.com
Corrected parameter examples for policyset.set1.p6.default.params.userExtOID, per Bugzilla #476321.
Revision
7.3.11
February 27, 2009 Ella Deon Lackey dlackey@redhat.com
Removed incorrect note about useing certutil to process a certificate request, per Bugzilla #241972.
Revision
7.3.10
February 22, 2009 Ella Deon Lackey dlackey@redhat.com
Removed all references to certificate renewal, per Bugzilla #325361 and #433360. Corrected error about custom logs, per Bugzilla #449847. Minor edits for the term "policy," per Bugzilla #472598.
Revision 7.3.9 February 21, 2009 Ella Deon Lackey dlackey@redhat.com
Fixed Bugzilla #443534, updating key size recommendations in the SSL/TLS section of the overview. Fixed Bugzilla #446718, correcting some typos in the key archival section.
Revision 7.3.8 February 7, 2009 Ella Deon Lackey dlackey@redhat.com
Removed section on renewing certificates through the console, since this is not supported.
Revision 7.3.7 January 29, 2009 Ella Deon Lackey dlackey@redhat.com
Added small note on the new LDAP publishing password configuration parameter to the "Enabling Publishing" section. Added information on configuring port separation. Updated pkicreate example to include a port separation example. Updated examples and formatting section to define default ports used in examples.
Revision 7.3.6 November 4, 2008 Ella Deon Lackey dlackey@redhat.com
Corrected the CRL Issuing Points Extension Default parameter descriptions for IssuerName_ and IssuerType_ per Bugzilla #442405.
Revision 7.3.5 September 10, 2008 Ella Deon Lackey dlackey@redhat.com
Expanding and clarifying the process for configuring symmetric key changeover and adding a new parameter to use to configure it, per Bugzilla #245267.
Revision 7.3.4 July 24, 2008 Ella Deon Lackey dlackey@redhat.com
Edits to token management sections per Bugzilla 455345.
Revision 7.3.3 July 16, 2008 Ella Deon Lackey dlackey@redhat.com
Added information for using the GET method to post OCSP requests and a section for debug logging for Errata RHSA 2008:0577.
Revision 7.3.2 July 1, 2008 Ella Deon Lackey dlackey@redhat.com
Changes to the User Supplied Extension Default section for Erratum RHSA 2008:0500.
Revision 7.3.1 Sun Aug 19 2007 David O'Brien
Resolves Bugzilla 247209
Chapter 1.
1
Overview
This chapter provides an overview of Red Hat Certificate System, a highly configurable set of software components and tools for creating, deploying, and managing certificates. Based on open standards for certificate management, Certificate System provides a complete, customizable, robust, scalable, and high-performance certificate management solution for public-key infrastructure (PKI), extranets, and intranets.
1.1. Features
This section discusses the Certificate System features.
1.1.1. Subsystems
The Certificate System is installed on each host running a Certificate System subsystem. The subsystems on that host are then installed with a default configuration covering basic administrative tasks like logging and containing configurable, subsystem-specific plug-in modules. More than one subsystem can be installed on each host, or multiple instances of one subsystem can be installed on the same host or on different hosts.
The Certificate System has five highly-configurable subsystems, which provide flexibility in designing the PKI. The five subsystems that comprise Certificate System are as follows:
• The Certificate Manager is the subsystem that provides Certificate Authority functionality for issuing, revoking, and publishing certificates and creating and publishing CRLs. See Chapter 4, Certificate
Manager for details.
• The Online Certificate Status Manager is an optional subsystem that provides OCSP responder services, which means it stored CRLs for CAs and can distribute the load for verifying certificate status. See Chapter 6, Online Certificate Status Protocol Responder for details.
• The Data Recovery Manager (DRM) is an optional subsystem that provides private encryption key storage and retrieval. See Chapter 7, Data Recovery Manager for details.
• The Token Key Service (TKS) manages one or more master keys required to set up secure channels directly to the token management system. The privileged operations such as key generation can only be requested on the tokens through a secure channel.
• The Token Processing System (TPS) provides the registration authority functionality in the token management infrastructure and establishes secure channels between the Enterprise Security Client and the back-end subsystems. See Chapter 8, Token Processing System for more information on using the TPS to manage tokens.
The subsystems are highly integrated with each other depending on the deployment scenario and use. OCSP and CA instances work together for CRL publishing and certificate verification. CA and DRM instances work together for key recovery and archival. Smart card tokens, which processed through a user interface called the Enterprise Security Client, are managed by the TPS. The TPS, however, is configured to work with at least two essential subsystem instances, a TKS to generate keys and a CA to process token operations. A TPS can also be configured to use a DRM for server-side key generation and key archival and recovery.
Chapter 1. Overview
2
1.1.2. Interfaces
Each of the subsystems contains interfaces for interaction with various portions of the subsystem. The CA, DRM, OCSP, and TKS subsystems have an administrative console to manage and configure the subsystem itself, such as adding users and certificates and viewing logs. The CA, OCSP, DRM, and TPS subsystems have an agent interface specific to that subsystem which allows agents to perform the tasks assigned to them. A Certificate Manager has an end-entity services interface for end entities to enroll in the PKI.
NOTE
Not all subsystems have all types of interfaces. The TKS subsystem does not have an agent interface. The TPS subsystem does not have an administrative console, but rather has administrative functions that are accessible through the HTML agent services page. Only a CA has an end-entities page.
The three types of interfaces are described as follows:
Administrative Interface - The administrative interface, a Java application called the Console,
provides a GUI interface for performing administrative tasks and configuring plug-in modules. This interface is similar for subsystems. The administrative interface requires user ID and password authentication and can be configured for SSL certificate-based authentication.
Agent Services Interface - The agent services interface is a customizable HTML interface used to perform agent tasks, such as editing and approving requests for issuing or revoking certificates. The agent services interface for a CA, DRM, OCSP, and TPS are specific to those subsystems.
End-Entity Services Interface - The end-entity interface is a customizable HTML interface used by end entities to enroll in the PKI, request certificates, revoke certificates, and pick up issued certificates. It contains forms for different types of enrollments and for enrolling different types of end entities. The Certificate Manager has an end-entity services interface; the other subsystems do not.
1.1.3. Logging
The Certificate System and each subsystem produce extensive system and error logs that record system events so that the systems can be monitored and debugged. All log records are stored in the local file system for quick retrieval. Logs are configurable, so logs can be created for specific types of events and at the desired logging level. See Section 3.9, “Logs” for details.
1.1.3.1. Signing Logs
Certificate System allows logs to be signed digitally before archiving them or distributing them for auditing. This feature enables log files to be checked for tampering after being signed. See
Section 3.9.10, “Signing Log Files” for details.
1.1.4. Auditing
The Certificate System maintains audit logs for all events, such as requesting, issuing and revoking certificates and publishing CRLs. These logs are then signed. This allows authorized access or activity to be detected. An outside auditor can then audit the system if required. The assigned auditor user account is the only account which can view the signed audit logs. This user's certificate is used to sign and encrypt the logs. Audit logging is configured to specify the events that are logged. See
Section 3.9.13, “Signed Audit Log” for details.
Self-Tests
3
1.1.5. Self-Tests
The Certificate System provides the framework for system self-tests that are automatically run at startup and can be run on demand. A set of configurable self-tests are already included with the Certificate System. See Section 3.10, “Self-Tests” for details.
1.1.6. Authorization
Certificate System users can be assigned to groups, and they then have the privileges of whichever group they are members. A user only has privileges for the instance of the subsystem in which the user is created and the privileges of the group to which the user is a member.
The Certificate System provides an authorization framework for creating groups and assigning access control to those groups. The default access control on preexisting groups can be modified, and access control can be assigned to individual users and IP addresses. Access points for authorization have been created for the major portions of the system, and access control rules can be set for each point.
The Certificate System is configured by default with four user types with different access levels to the system:
Administrators, who can perform any administrative or configuration task.
Agents, who can edit and approve requests.
Auditors, who can view and configure audit logs.
Trusted managers, which are subsystems with trusted relationship with another subsystem.
Additionally, when a security domain is created, the CA subsystem which hosts the domain is automatically granted the role of Security Domain Administrator, which gives the subsystem the ability to manage the security domain and the subsystem instances within it. Other security domain administrator roles can be created for the different subsystem instances. These roles are described in
Section 4.4.2, “Security Domain Roles”.
1.1.7. Security-Enhanced Linux Support
Security-enhanced Linux, or SELinux, is a collection of mandatory access control rules which are enforced across a system to restrict unauthorized access and tampering. These mandatory access controls limit users and applications to the lowest amount of access possible for them to operate. Processes or applications, such as CGIs, may have special policies in place to enable them to run under the restricted access rules.
The Certificate System is able to run under SELinux configuration, which enhances the security of the information created and maintained by the Certificate System. All Certificate System subsystems can be installed and run with SELinux policies fully enforced. By default, the Certificate System subsystems run unconfined by SELinux policies.
1.1.8. Authentication
Certificate System provides authentication options for certificate enrollment. These include agent­approved enrollment, in which an agent processes the request, and automated enrollment, in which an authentication method is used to authenticate the end entity and then the CA automatically issues a certificate. CMC enrollment is also supported, which automatically processes a request approved by an agent.
Chapter 1. Overview
4
1.1.9. Registration Authority
A Registration Authority (RA) is a subsystem that accepts enrollment requests and authenticates them in a local context (e.g., a department of an organization, or an organization within an association). Upon the successful authentication, the RA then forwards the enrollment request to the designated Certificate Authority (CA) to generate the certificate.
Depending on the type of enrollment, an RA can be set up with the appropriate authentication plugin to authenticate the request in an automated fashion. Alternatively, the RA has a local request queue where requests can be stored and reviewed by local RA agents for manual authentication.
1.1.10. SCEP
SCEP (Simple Certificate Enrollment Protocol) is a protocol designed by Cisco. It is designed to specify a way for a router to communicate with an RA/CA for enrollment.
Normally, a router installer enters the RA's URL and a Challenge password (sometimes referred as a one-time PIN) into the router and issues a command to initiate the enrollment. The router then communicates with the RA using the SCEP protocol to:
• Retrieve CA requests
• Submit a PKCS#10 request
• Retrieve the issued certificate
• Queries the request status if the request is pending
SCEP suggests two modes of operation: RA mode; and CA mode. In the RA mode, the enrollment request is encrypted with the RA signing certificate. In the CA mode, the request is encrypted with the CA signing certificate.
The current implementation of RA and CA only supports the CA mode.
1.1.11. Certificate Issuance
The Certificate System supports enrolling and issuing certificates and processing certificate requests from a variety of end entities, such as web browsers, servers, and virtual private network (VPN) clients. Issued certificates conform to X.509 version 3 standards.
The Certificate Manager can issue certificates with the following characteristics:
• Certificates that are X.509 version 3-compliant
• Unicode support for the certificate subject name and issuer name
• Support for empty certificate subject names
• Support for customized subject name components
• Support for customized extensions
Additionally, smart cards can have certificates enrolled and maintained through the Enterprise Security Client. The Enterprise Security Client communicates directly with the TPS system, which, in turn, processes requests through the CA and DRM subsystems. Certificates are generated automatically
Certificate Profiles
5
when the token is first formatted, and all additional certificates belonging to the user can be imported onto the token. For more information about certificates being issued through the Enterprise Security Client, see the Certificate System Enterprise Security Client Guide, which is available at http://
redhat.com/docs/manuals/cert-system/. For information about configuring subsystems to manage
smart cards, see Chapter 8, Token Processing System.
1.1.12. Certificate Profiles
The Certificate System uses certificate profiles to configure the content of the certificate, the constraints for issuing the certificate, the enrollment method used, and the input and output forms for that enrollment. A single certificate profile is associated with issuing a particular type of certificate.
A set of certificate profiles is included for the most common certificate types; the profile settings can be modified. Certificate profiles are configured by an administrator, and then sent to the agent services page for agent approval. Once a certificate profile is approved, it is enabled for use. A dynamically-generated HTML form for the certificate profile is used in the end-entities page for certificate enrollment, which calls on the certificate profile. The server verifies that the defaults and constraints set in the certificate profile are met before acting on the request and uses the certificate profile to determine the content of the issued certificate.
See Chapter 13, Certificate Profiles for details.
1.1.13. CRLs
The Certificate System can create certificate revocation lists (CRLs) from a configurable framework which allows user-defined issuing points so a CRL can be created for each issuing point. Delta CRLs can also be created for any issuing point that is defined. CRLs can be issued for each type of certificate or for a specific subset of a type of certificate. The extensions used and the frequency and intervals when CRLs are published can all be configured.
The Certificate Manager issues X.509-standard CRLs. A CRL can be automatically updated whenever a certificate is revoked or at specified intervals. See Chapter 14, Revocation and CRLs for details.
1.1.14. Publishing
Certificates can be published to files and an LDAP directory, and CRLs to files, an LDAP directory, and an OCSP responder. The publishing framework provides a robust set of tools to publish to all three places and to set rules to define with more detail which types of certificates or CRLs are published where. The default publishing modules can be enabled, disabled, and configured. See Chapter 15,
Publishing for details.
1.1.15. Notifications
The notification feature sets up automated messages when a particular event occurs, such as when a certificate is issued or revoked. The notification framework comes with default modules that can be enabled and configured. See Chapter 18, Automated Notifications for details.
1.1.16. Jobs
The jobs feature sets up automated jobs that run at defined intervals. See Chapter 19, Automated
Jobs for details.
Chapter 1. Overview
6
1.1.17. Dual Key Pairs
The Certificate System supports generating dual key pairs, separate key pairs for signing and encrypting email messages and other data. To support separate key pairs for signing and encrypting data, dual certificates are generated for end entities, and the encryption keys are archived. If a client makes a certificate request for dual key pairs, the server issues two separate certificates.
1.1.18. HSMs and Crypto Accelerators
The Certificate System supports hardware security modules (HSMs) and crypto accelerators provided by third-party vendors of PKCS #11-compliant tokens.
The server can be configured to use different PKCS #11 modules to generate and store key pairs (and certificates) for all Certificate System subsystems � CA, DRM, OCSP, TKS, and TPS. PKCS #11 hardware devices also provide key backup and recovery features for the information stored on the hardware token. Refer to the PKCS #11 vendor documentation for information on retrieving keys from the tokens.
1.1.19. Support for Open Standards
The Certificate System supports open standards and protocols so that its subsystems can communicate across a heterogeneous computing environment. Some of the standards and areas which the Certificate System supports include the following:
• Formulates, signs, and issues industry-standard X.509 version 3 public-key certificates; version 3 certificates include extensions that make it easy to include organization-defined attributes. These certificates are used for extranet and Internet authentication.
• Supports the RSA public-key algorithm for signing and encryption, and the MD2, MD5, SHA-1, SHA-256, and SHA-512 algorithms for hashing.
• Supports signature key lengths of up to 4096 bits for RSA.
• Supports multiple message formats, such as KEYGEN/SPAC, CRMF/CMMF, and PKCS #10 and CMC for certificate requests. All requests are delivered to the Certificate System over HTTP or HTTPS.
• Supports certificate formats for SSL-based client and server authentication, secure Multipurpose Internet Mail Extensions (S/MIME) message signing and encryption, and VPN clients.
• Supports generating and publishing CRLs conforming to X.509 version 1 and 2.
• Publishes certificates and CRLs to any LDAP-compliant directory over LDAP and HTTP/HTTPS connections.
• Publishes certificates and CRLs to a flat file for importing into other resources. For example, the sample code for Flat File CRL and certificate publisher can be customized to store certificates and CRLs in an Oracle RDBMS.
• Publishes CRLs to an online validation authority (or OCSP responder) for real-time certificate verification by OCSP-compliant clients.
How the Certificate System Works
7
1.2. How the Certificate System Works
The Certificate System manages certificates through a flexible, scalable system for issuing and publishing certificates; creating and publishing CRLs; and providing key storage and retrieval capabilities.
The Certificate Manager is the central point of the Certificate System; this subsystem accepts requests, generates and manages certificates, and generates and manages CRLs and revoked certificates. The Online Certificate Status Manager handles validity requests for certificates issued by the Certificate Manager, informing clients whether the certificate is still in effect and valid or has been revoked or expired. The Data Recovery Manager (DRM) stores keys and certificates and can recover the keys if a token is lost or damaged, so that encrypted information can still be accessed. The Token Key Service and Token Processing System work together to manage tokens which contain the user­specific keys and certificates.
The following sections describe the subsystems in more detail.
1.2.1. About the Certificate Manager
The Certificate Manager subsystem provides the capability of a Certificate Authority (CA). It can issue, revoke, and publish certificates, as well as compile and publish CRLs. Since the Certificate Manager acts as a CA, it can be configured as a self-signing CA, where it is the root CA, or it can act as a subordinate CA, where it obtains its signing certificate from another CA.
1.2.1.1. Certificate Manager Flexibility and Scalability
Multiple CAs can be configured to form a vertical or horizontal chain of CAs. A vertical hierarchy has a root CA (that is either self-signing or subordinate to a public CA) and then one or more CAs subordinate to this root CA. The subordinate CAs can have more CAs below them, forming a chain of CAs. A horizontal arrangement has a CA which is duplicated, or cloned, so that two CAs are set up in an identical manner and use the same CA signing certificate but issue certificates from a different set of serial numbers.
The different possible Certificate Manager deployments provide flexibility to the PKI through the following features:
• Configuration as either a root or subordinate CA
• High-availability cloning to allow CAs with identical functionality, keys, and certificates to issue certificates with different sets of serial numbers.
1.2.1.1.1. Root or Subordinate CA
The Certificate System CA can function as a root CA, meaning that the server signs its own CA signing certificate as well as other CA signing certificates, creating an organization-specific CA hierarchy. The server can alternatively be configured as a subordinate CA, meaning the server's CA signing key is signed by another CA in an existing CA hierarchy. See Section 2.1.3, “Self-Signed Root
CA or Subordinate CA” for details.
1.2.1.1.2. Linked CA
The Certificate System Certificate Manager can function as a linked CA, chaining up to many third­party or public CAs for validation; this provides cross-company trust, so applications can verify
Chapter 1. Overview
8
certificate chains outside the company certificate hierarchy. A Certificate Manager is chained to a third­party CA by requesting the Certificate Manager's CA signing certificate from the third-party CA.
1.2.1.1.3. CA Cloning
Instead of creating a hierarchy of root and subordinate CAs, it is possible to create multiple clones of a Certificate Manager and configure each clone to issue certificates that fall within a distinct range of serial numbers. Because clone CAs and original CAs use the same CA signing key and certificate to sign the certificates they issue, the issuer name in all the certificates is the same. Clone CAs and the original Certificate Managers issue certificates as if they are a single CA. These servers can be placed on different hosts for high availability failover support. See Chapter 20, Configuring the Certificate
System for High Availability for information on configuring clones for failover in a Certificate System
system.
1.2.1.2. Cross-Pair Certificates
It is possible to create a trusted relationship between two separate CAs by issuing and storing cross­signed certificates between these two CAs. By using cross-signed certificate pairs, certificates issued outside the organization's PKI can be trusted within the system.
1.2.1.3. Certificate Manager Functionality
The Certificate Manager issues and revokes certificates when it receives signed requests. These requests can come from its own agents (users who are assigned privileges to approve enrollment and revocation requests) or from a third-party application that uses its agent certificate (this agent certificate must be set up for CMC enroll or revoke with the Certificate Manager).
The Certificate Manager also compiles lists of revoked certificates, called certificate revocation lists (CRLs), that it can publish to files, an LDAP directory, or an OCSP service.
The Certificate Manager maintains a database of issued certificates and processed requests, so that it can track expiration and revocation.
1.2.1.4. Types of Certificates
Certificate System can issue and manage the following certificates:
• CA signing certificates
• OCSP signing certificates
• Cross-signed pair certificates
• SSL server certificates
• VPN client certificates
• End user certificates
This list is not comprehensive; many other types of certificates can be issued by the Certificate System.
Loading...
+ 524 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use