Red Hat Certificate System 7.2

Administration Guide

Updated August 26, 2008

Abstract

This manual covers all aspects of installing, configuring, and managing Certificate System subsystems. It also covers management tasks such as adding users; requesting, renewing, and revoking certificates; publishing CRLs; and managing smart cards. This guide is intended for Certificate System administrators.

About This Guide
1. Who Should Read This Guide
2. Recommended Knowledge
3. What Is in This Guide
4. Document Conventions
5. Documentation
1. Overview
1.1. Features
1.1.1. Subsystems
1.1.2. Interfaces
1.1.3. Logging
1.1.4. Auditing
1.1.5. Self-Tests
1.1.6. Authorization
1.1.7. Security-Enhanced Linux Support
1.1.8. Authentication
1.1.9. Certificate Issuance
1.1.10. Certificate Profiles
1.1.11. CRLs
1.1.12. Publishing
1.1.13. Notifications
1.1.14. Jobs
1.1.15. Dual Key Pairs
1.1.16. HSMs and Crypto Accelerators
1.1.17. Support for Open Standards
1.1.18. Java SDK Extension Mechanism for Customization
1.2. How the Certificate System Works
1.2.1. About the Certificate Manager
1.2.2. How the Certificate Manager Works
1.2.3. Data Recovery Manager
1.2.4. Online Certificate Status Manager
1.2.5. Token Key Service
1.2.6. Token Processing System
1.3. Deployment Scenarios
1.3.1. Single Certificate Manager
1.3.2. Certificate Manager and DRM
1.3.3. Cloned Certificate Manager
1.3.4. Smart Card Enrollment
1.4. System Architecture
1.4.1. Certificate System Instance
1.4.2. HTTP Engine
1.4.3. User Interfaces
1.4.4. JSS and the JNI Layer
1.4.5. NSS
1.4.6. PKCS #11
1.4.7. Management Tools
1.4.8. JRE
1.4.9. Internal Database
1.4.10. SSL/TLS and Supported Cipher Suites
1.5. CS SDK
1.6. Support for Open Standards
1.6.1. Certificate Management Formats and Protocols
1.6.2. Security and Directory Protocols
2. Installation and Configuration
2.1. Deployment Considerations
2.1.1. Security Domains
2.1.2. Cloning a Subsystem
2.1.3. Self-Signed Root CA or Subordinate CA
2.2. Prerequisites
2.2.1. Supported Platforms
2.2.2. Required Programs and Dependencies
2.2.3. Packages Installed
2.3. Configuration Preparation
2.3.1. Required Information
2.3.2. Default Settings
2.4. Configuration Setup Wizard
2.4.1. Security Domain Panel
2.4.2. Subsystem Type Panel
2.4.3. PKI Hierarchy Panel
2.4.4. CA Information Panel
2.4.5. TKS Information Panel
2.4.6. DRM Information Panel
2.4.7. Authentication Directory Panel
2.4.8. Internal Database Panel
2.4.9. Key Store Panel
2.4.10. Key Pairs Panel
2.4.11. Subject Names Panel
2.4.12. Requests and Certificates Panel
2.4.13. Export Keys and Certificates Panel
2.4.14. Administrator Panel
2.5. Installing the Certificate System
2.5.1. Installing from an ISO Image
2.5.2. Installing through up2date
2.6. Configuring the Default Subsystem Instances
2.6.1. Configuring a CA
2.6.2. Configuring a DRM, OCSP, or TKS
2.6.3. Configuring a TPS
2.7. Creating Additional Subsystem Instances
2.7.1. Cloning a Subsystem
2.8. Silent Installation
2.9. Updating Certificate System Packages
2.9.1. Updating Certificate System on Red Hat Enterprise Linux
2.9.2. Updating Certificate System on Solaris
2.10. Uninstalling Certificate System Subsystems
2.10.1. Removing a Subsystem Instance
2.10.2. Removing Certificate System Subsystems
3. Administrative Basics
3.1. Administrative Console
3.2. Enabling SSL Client Authentication for the Certificate System Console
3.3. System Passwords
3.3.1. Protecting the password.conf File
3.3.2. Password-Quality Checker
3.4. Starting, Stopping, and Restarting Certificate System Subsystems
3.4.1. Starting a Server Instance
3.4.2. Stopping a Server Instance
3.4.3. Restarting a Server Instance
3.4.4. Restarting a Subsystem after a Machine Restart
3.5. Mail Server
3.6. Configuration Files
3.6.1. Locating the Configuration File
3.6.2. Editing the Configuration File
3.6.3. Guidelines for Editing the Configuration File
3.6.4. Duplicating Configuration from One Instance to Another
3.6.5. Other File Locations
3.6.6. Default Server Instance Locations
3.7. Using Security-Enhanced Linux
3.8. Using Java Servlets
3.9. Logs
3.9.1. About Logs
3.9.2. Services That Are Logged
3.9.3. Log Levels (Message Categories)
3.9.4. Buffered Versus Unbuffered Logging
3.9.5. Log File Rotation
3.9.6. Configuring Logs in the Console
3.9.7. Configuring Logs in the CS.cfg File
3.9.8. Configuring TPS Logs
3.9.9. Monitoring Logs
3.9.10. Signing Log Files
3.9.11. Registering a Log Module
3.9.12. Deleting a Log Module
3.9.13. Signed Audit Log
3.10. Self-Tests
3.10.1. Self-Test Logging
3.10.2. Self-Test Configuration
3.10.3. Modifying Self-Test Configuration
3.11. Ports
3.11.1. About Ports
3.11.2. Changing a Port Number
3.12. The Internal LDAP Database
3.12.1. Changing the Internal Database Configuration
3.12.2. Enabling SSL Client Authentication with the Internal Database
3.12.3. Restricting Access to the Internal Database
3.13. Backing up and Restoring Certificate System
4. Certificate Manager
4.1. How the Certificate Manager Works
4.1.1. Enrollment
4.1.2. Renewal
4.1.3. Revocation
4.2. Certificate Manager Certificates
4.2.1. CA Signing Key Pair and Certificate
4.2.2. OCSP Signing Key Pair and Certificate
4.2.3. SSL Server Key Pair and Certificate
4.2.4. Certificate Considerations
4.2.5. Cross-Pair Certificates
4.3. CA Hierarchy
4.3.1. Subordination to a Public CA
4.3.2. Subordination to a Certificate System CA
4.4. Security Domains
4.4.1. The domain.xml File
4.4.2. Security Domain Roles
4.4.3. Creating a Security Domain
4.4.4. Joining a Security Domain
4.4.5. Additional Security Domain Information
4.5. Configuring the Certificate Manager Instance
4.6. CA Certificate Renewal or Reissuance
4.7. Changing the Rules for Issuing Certificates
4.8. Setting Restrictions on CA Certificates through Certificate Extensions
4.9. Creating Certificate Manager Agents and Administrators
4.10. Checking the Revocation Status of Agent Certificates
4.11. CRL Signing Key Pair and Certificate
4.12. DNs in the Certificate System
4.12.1. Extending Attribute Support
5. Online Certificate Status Protocol Responder
5.1. About OCSP Services
5.1.1. OCSP Response Signing
5.1.2. OCSP Responses
5.2. CA OCSP Services
5.2.1. The Certificate Manager's Internal OCSP Service
5.2.2. Online Certificate Status Manager
5.3. Online Certificate Status Manager Certificates
5.3.1. OCSP Signing Key Pair and Certificate
5.3.2. SSL Server Key Pair and Certificate
5.3.3. Recognizing Online Certificate Status Manager Certificates
5.4. Configuring the Online Certificate Status Manager
5.5. Creating Online Certificate Status Manager Agents and Administrators
5.6. Configuring the Certificate Manager's Internal OCSP Service
5.7. Setting up the OCSP Responder
5.8. Identifying the CA to the OCSP Responder
5.8.1. Verify Certificate Manager and Online Certificate Status Manager Connection
5.8.2. Configure the Revocation Info Stores
5.9. Testing the OCSP Service Setup
6. Data Recovery Manager
6.1. PKI Setup for Archiving and Recovering Keys
6.1.1. Clients That Can Generate Dual Key Pairs
6.2. Data Recovery Manager Certificates
6.2.1. Transport Key Pair and Certificate
6.2.2. Storage Key Pair
6.2.3. SSL Server Certificate
6.3. Forms for Users and Key Recovery Agents
6.4. Overview of Archiving Keys
6.4.1. Reasons to Archive Keys
6.4.2. Where the Keys Are Stored
6.4.3. How Key Archival Works
6.5. Overview of Key Recovery
6.5.1. Key Recovery Agents and Their Passwords
6.5.2. Key Recovery Agent Scheme
6.6. Configuring Key Archival and Recovery Process
6.6.1. Setting up Key Archival
6.6.2. Setting up Key Recovery
6.6.3. Testing the Key Archival and Recovery Setup
6.7. Creating Data Recovery Manager Agents and Administrators
7. Token Processing System
7.1. Working with Multiple Instances of a Subsystem
7.1.1. Configuring Failover Support
7.1.2. Configuring Multiple Instances for Different Functions
7.2. Formatting Smart Cards
7.3. Resetting the Smart Card PIN
7.4. Applet Upgrade
7.5. Enrolling Smart Cards through the Enterprise Security Client
7.5.1. Enabling SSL in TPS
7.5.2. Server-Side Key Generation and Archival of Encryption Keys
7.5.3. Smart Card Certificate Enrollment Profiles
7.5.4. Automating Encryption Key Recovery
7.5.5. Symmetric Key Changeover
7.5.6. Setting Token Types for Specified Smart Cards
7.6. Configuring LDAP Authentication
7.7. Token Database
7.8. Configuring TPS Logging
7.8.1. Thread Correlation
7.9. TPS Configuration Parameters
7.9.1. TKS Configuration File Parameters
8. Token Key Service
8.1. Overview
8.2. Using Master Keys
8.3. Using HSM for Generating Keys
8.4. Creating Token Key Service Agents and Administrators
9. Enterprise Security Client
9.1. Overview
10. Managing Certificates
10.1. Certificate Overview
10.1.1. Types of Certificates
10.1.2. Determining Which Certificates to Install
10.1.3. Certificate Data Formats
10.1.4. Certificate Setup Wizard
10.2. Requesting and Receiving Certificates
10.2.1. Requesting Certificates
10.2.2. Submitting Certificate Requests
10.2.3. Retrieving Certificates from the End-Entities Page
10.3. Managing User Certificates
10.3.1. Managing Certificate System User and Agent Certificates
10.3.2. Importing Certificates into Mozilla Firefox
10.4. Managing the Certificate Database
10.4.1. Installing Certificates in the Certificate System Database
10.4.2. Viewing Database Content
10.4.3. Deleting Certificates from the Database
10.4.4. Changing the Trust Settings of a CA Certificate
10.5. Renewing Certificates
10.5.1. Renewing Certificates through the Console
10.5.2. Renewing Certificates using certutil
10.6. Configuring the Server Certificate Use Preferences
11. Managing Tokens
11.1. Tokens for Storing Certificate System Keys and Certificates
11.1.1. Internal Tokens
11.1.2. External Tokens
11.1.3. Considerations for External Tokens
11.2. Using Hardware Security Modules with Subsystems
11.2.1. Chrysalis LunaSA HSM
11.2.2. Installing External Tokens and Unsupported HSM
11.3. Managing Tokens Used by the Subsystems
11.3.1. Viewing Tokens
11.3.2. Changing a Token's Password
11.4. Detecting Tokens
11.5. Hardware Cryptographic Accelerators
12. Certificate Profiles
12.1. About Certificate Profiles
12.2. How Certificate Profiles Work
12.3. Setting up Certificate Profiles
12.3.1. Modifying Certificate Profiles through the CA Console
12.3.2. Modifying Certificate Profiles through the Command Line
12.3.3. Populating Certificates with Directory Attributes
12.3.4. Customizing the Enrollment Form
12.4. Certificate Profile Reference
12.5. Input Reference
12.5.1. Certificate Request Input
12.5.2. CMC Certificate Request Input
12.5.3. Dual Key Generation Input
12.5.4. File-Signing Input
12.5.5. Image Input
12.5.6. Key Generation Input
12.5.7. nsHcertificateRequest (Token Key) Input
12.5.8. nsNcertificateRequest (Token User Key) Input
12.5.9. Subject DN Input
12.5.10. Subject Name Input
12.5.11. Submitter Information Input
12.6. Output Reference
12.6.1. Certificate Output
12.6.2. PKCS #7 Output
12.6.3. CMMF Output
12.7. Defaults Reference
12.7.1. Authority Info Access Extension Default
12.7.2. Authority Key Identifier Extension Default
12.7.3. Basic Constraints Extension Default
12.7.4. CRL Distribution Points Extension Default
12.7.5. Extended Key Usage Extension Default
12.7.6. Freshest CRL Extension Default
12.7.7. Issuer Alternative Name Extension Default
12.7.8. Key Usage Extension Default
12.7.9. Name Constraints Extension Default
12.7.10. Netscape Certificate Type Extension Default
12.7.11. Netscape Comment Extension Default
12.7.12. No Default Extension
12.7.13. OCSP No Check Extension Default
12.7.14. Policy Constraints Extension Default
12.7.15. Policy Mappers Extension Default
12.7.16. Signing Algorithm Default
12.7.17. Subject Alternative Name Extension Default
12.7.18. Subject Directory Attributes Extension Default
12.7.19. Subject Key Identifier Extension Default
12.7.20. Subject Name Default
12.7.21. Token Supplied Subject Name Default
12.7.22. User Supplied Extension Default
12.7.23. User Supplied Key Default
12.7.24. User Signing Algorithm Default
12.7.25. User Supplied Subject Name Default
12.7.26. User Supplied Validity Default
12.7.27. Validity Default
12.8. Constraints Reference
12.8.1. Basic Constraints Extension Constraint
12.8.2. Extended Key Usage Extension Constraint
12.8.3. Extension Constraint
12.8.4. Key Constraint
12.8.5. Key Usage Extension Constraint
12.8.6. No Constraint
12.8.7. Netscape Certificate Type Extension Constraint
12.8.8. Signing Algorithm Constraint
12.8.9. Subject Name Constraint
12.8.10. Unique Subject Name Constraint
12.8.11. Validity Constraint
13. Revocation and CRLs
13.1. Revocation
13.1.1. SSL Client Authenticated Revocation
13.1.2. Certificate Revocation Forms
13.2. CMC Revocation
13.2.1. Setting up CMC Revocation
13.2.2. Testing CMC Revoke
13.3. About CRLs
13.3.1. Reasons for Revoking a Certificate
13.3.2. Publishing CRLs
13.3.3. CRL Issuing Points
13.3.4. Delta CRLs
13.3.5. How CRLs Work
13.4. Issuing CRLs
13.4.1. Configuring Issuing Points
13.4.2. Configuring CRLs for Each Issuing Point
13.4.3. Setting CRL Extensions
13.5. Additional CRL Scheduling Information
14. Publishing
14.1. About Publishing
14.1.1. About Publishers
14.1.2. About Mappers
14.1.3. About Rules
14.1.4. Publishing to Files
14.1.5. LDAP Publishing
14.1.6. OCSP Publishing
14.1.7. How Publishing Works
14.2. Setting up Publishing
14.3. Publishers
14.3.1. Configuring Publishers for Publishing to a File
14.3.2. Configuring Publishers for Publishing to OCSP
14.3.3. Configuring Publishers for LDAP Publishing
14.4. Mappers
14.4.1. Configuring Mappers
14.5. Rules
14.5.1. Modifying Publishing Rules for Certificates and CRLs
14.6. Enabling Publishing
14.6.1. Publishing Cross-Pair Certificates
14.7. Testing Publishing to Files
14.8. Viewing Certificates and CRLs Published to File
14.9. Configuring the Directory for LDAP Publishing
14.9.1. Schema
14.9.2. Entry for the CA
14.9.3. Bind DN
14.9.4. Directory Authentication Method
14.10. Updating Certificates and CRLs in a Directory
14.10.1. Manually Updating Certificates in the Directory
14.10.2. Manually Updating the CRL in the Directory
14.11. Registering and Deleting Mapper and Publisher Plug-in Modules
14.12. Module Reference
14.12.1. Publisher Plug-in Modules
14.12.2. Mapper Plug-in Modules
14.12.3. Rule Instances
15. Authentication for Enrolling Certificates
15.1. Enrollment Overview
15.1.1. The Authentication Process
15.2. Agent-Approved Enrollment
15.2.1. Configuring Agent-Approved Enrollment
15.3. Automated Enrollment
15.3.1. Setting up Directory-Based Authentication
15.3.2. Setting up PIN-based Enrollment
15.4. Setting up CMC Enrollment