Within the Certificate System component, a set of common modules, which can all be extended with custom Java™ plug-ins, are provided for all subsystems. Although some may not be used in the default setting, they are available for further customization.

The Certificate System employs Red Hat Fortitude as its HTTP engine; this runs secure Tomcat for the CA, OCSP, TKS, and DRM subsystems and secure Apache for TPS. Fortitude supports the subsystem instance HTTP interfaces and provides the entry point for all users and applications to access Certificate System subsystem functions through the different user interfaces: administrative console, agent services, and end-entities pages. The subsystem pages are accessed over HTTP, but they are created by subsystem-specific servlets contained in the Certificate System. While the HTTP engine provides the connection entry points, Certificate System completes the interfaces by providing the servlets specific to each interface. These servlets can return data in HTML or XML formats, making it easier for system administrators to write scripts which interact with these servlets. For more information, see Section 3.8, “Using Java Servlets”.

Each of the subsystems contains interfaces for interacting with other parts of the subsystem. Four subsystems (CA, DRM, OCSP, and TPS) have an agent interface for agents to perform the tasks assigned to them; four subsystems (CA, DRM, OCSP, and TKS) also have an administrative console for managing that instance, such as adding users and viewing logs. A CA subsystem also has an end-entity services interface for users to enroll in the PKI.

These servlets can return data in HTML or XML formats, making it easier for system administrators to write scripts which interact with these servlets. For more information, see Section 3.8, “Using Java Servlets”.

JSS provides a Java™ interface for security operations performed by NSS. JSS and higher levels of the Certificate System architecture are built with the Java™ Native Interface (JNI), which provides binary compatibility across different versions of the Java™ Virtual Machine (JVM). This design allows customized subsystem services to be compiled and built once and run on a range of platforms. JSS supports most of the security standards and encryption technologies supported by NSS. JSS also provides a pure Java™ interface for ASN.1 types and BER-DER encoding. JSS documentation is available on-line at http://www.mozilla.org/projects/security/pki/jss/index.html.

Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled communications applications. Applications built with the NSS libraries support the SSL protocol for authentication, tamper detection, and encryption, as well as PKCS #11 for cryptographic token interfaces. Red Hat uses NSS to support these features in a wide range of products, including Certificate System. NSS documentation is available on-line at http://www.mozilla.org/projects/security/pki/nss/overview.html.

Public-Key Cryptography Standard (PKCS) #11 specifies an API used to communicate with devices that hold cryptographic information and perform cryptographic operations. Because it supports PKCS #11, Certificate System is compatible with a wide range of hardware and software devices.

At least one PKCS #11 module must be available to any Certificate System subsystem instance. As shown in Figure 1.4, “Certificate System Architecture”, a PKCS #11 module (also called a cryptographic module or cryptographic service provider) manages cryptographic services such as encryption and decryption. PKCS #11 modules are analogous to drivers for cryptographic devices that can be implemented in either hardware or software. Red Hat provides a built-in PKCS #11 module with the Certificate System.

A PKCS #11 module always has one or more slots which can be implemented as physical hardware slots in a physical reader such as smart cards or as conceptual slots in software. Each slot for a PKCS #11 module can in turn contain a token, which is the hardware or software device that actually provides cryptographic services and optionally stores certificates and keys.

Two cryptographics modules are included in the Certificate System:

Any PKCS #11 module can be used with the Certificate System. The server uses a file called secmod.db to track modules that are available. This file can be modified using the modutil tool. This file needs to be modified when there are changes to the system like installing hardware accelerators to use for signing operations. For more information on modutil, see http://www.mozilla.org/projects/security/pki/nss/tools/.

The following command-line tools are provided with the Certificate System to help manage the system:

For more information about Certificate System command-line tools, see the Certificate System Command-Line Tools Guide, which is available at http://redhat.com/docs/manuals/cert-system/.

The Java™ Runtime Environment (JRE) provides the Java™ Virtual Machine (JVM) and supporting class libraries needed to run the Certificate System.

The Certificate System uses Red Hat Directory Server as its database for storing information such as certificates, requests, users, roles, ACLs, and other internal information. The Certificate System communicates with the internal LDAP database securely through SSL client authentication.

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are universally accepted standards for authenticated and encrypted communication between clients and servers. Both client and server authentication occur over SSL/TLS. SSL/TLS uses a combination of public key and symmetric-key encryption. Symmetric-key encryption is much faster than public-key encryption, but public-key encryption provides better authentication techniques. An SSL/TLS session always begins with an exchange of messages called the SSL handshake, initial communication between the server and client. The handshake allows the server to authenticate itself to the client using public-key techniques, then allows the client and the server to cooperate in the creation of symmetric keys used for rapid encryption, decryption, and tamper detection during the session that follows.

Both of these protocols support using a variety of different cryptographic algorithms, or ciphers, for operations such as authenticating the server and client, transmitting certificates, and establishing session keys. Clients and servers may support different cipher suites, or sets of ciphers. Among other functions, the SSL handshake determines how the server and client negotiate which cipher suite they will use to authenticate each other, to transmit certificates, and to establish session keys.

Key-exchange algorithms such as RSA govern the way the server and client determine the symmetric keys to use during an SSL session. The most common SSL cipher suites use RSA key exchange, and Certificate System supports RSA public-key systems.

Longer RSA keys are required to provide security as computing capabilities increase. The recommended RSA key-length is 2048 bits. However, though a 2048-bit RSA key length is more secure than the common 1024-bit length, it is also slower and can affect server performance. Most web servers can continue to use 1024-bit RSA keys without negatively affecting security for normal operations. All CA servers, however, should use 2048-bit RSA keys.

Certificate System supports several different cipher suites with the RSA key exchange: