Most certificates are enrolled through the CA. This is useful for certificates enrolled through an application such as a web browser or web server. For managing smart cards, or tokens, there is an additional Certificate System client, the Enterprise Security Client, which manages all maintenance operations for certificates and keys stored on smart cards.
The Enterprise Security Client communicates directly with a TPS instance. The TPS subsystem handles token-based certificate functions, and the TKS manages the keys that protect the secure communication between the TPS subsystem and the Enterprise Security Client. The TKS and TPS subsystems work together to support all token operations, such as enrollment, through the Enterprise Security Client. Additionally, the TPS subsystem can be configured to use the DRM subsystem to handle server-side key generation and key archival and recovery. Figure 2.3, “Token Management Configuration”, shows how the TPS, TKS, DRM, and CA subsystems interact to process token operations through the Enterprise Security Client.
For more information on managing subsystems for smart card tokens, see Chapter 8, Token Processing System. For more information on performing token operations for users, see the Certificate System Enterprise Security Client Guide, which is available at http://redhat.com/docs/manuals/cert-system/.