
Red Hat Certificate System 7.3

Administration Guide

Edition 7.3.14


Legal Notice

Copyright © 2009 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
All other trademarks are the property of their respective owners.


1801 Varsity Drive
Raleigh, NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701
PO Box 13588, Research Triangle Park, NC 27709 USA

May 2007, updated August 25, 2009
Abstract
This manual covers all aspects of installing, configuring, and managing Certificate System subsystems. It also covers management tasks such as adding users; requesting and revoking certificates; publishing CRLs; and managing smart cards. This guide is intended for Certificate System administrators.

About This Guide
1. Recommended Knowledge
2. What Is in This Guide
3. Examples and Formatting
3.1. File Locations for Examples and Commands
3.2. Using Mozilla LDAP Tools
3.3. Default Port Numbers
3.4. Guide Formatting
4. Additional Reading
5. Giving Feedback
6. Document History
1. Overview
1.1. Features
1.1.1. Subsystems
1.1.2. Interfaces
1.1.3. Logging
1.1.4. Auditing
1.1.5. Self-Tests
1.1.6. Authorization
1.1.7. Security-Enhanced Linux Support
1.1.8. Authentication
1.1.9. Registration Authority
1.1.10. SCEP
1.1.11. Certificate Issuance
1.1.12. Certificate Profiles
1.1.13. CRLs
1.1.14. Publishing
1.1.15. Notifications
1.1.16. Jobs
1.1.17. Dual Key Pairs
1.1.18. HSMs and Crypto Accelerators
1.1.19. Support for Open Standards
1.2. How the Certificate System Works
1.2.1. About the Certificate Manager
1.2.2. How the Certificate Manager Works
1.2.3. Data Recovery Manager
1.2.4. Online Certificate Status Manager
1.2.5. Token Key Service
1.2.6. Token Processing System
1.3. Deployment Scenarios
1.3.1. Single Certificate Manager
1.3.2. Certificate Manager and DRM
1.3.3. Cloned Certificate Manager
1.3.4. Smart Card Enrollment
1.4. System Architecture
1.4.1. Certificate System Instance
1.4.2. HTTP Engine
1.4.3. User Interfaces
1.4.4. JSS and the JNI Layer
1.4.5. NSS
1.4.6. PKCS #11
1.4.7. Management Tools
1.4.8. JRE
1.4.9. Internal Database
1.4.10. SSL/TLS and Supported Cipher Suites
1.5. Support for Open Standards
1.5.1. Certificate Management Formats and Protocols
1.5.2. Security and Directory Protocols
2. Installation and Configuration
2.1. Deployment Considerations
2.1.1. Security Domains
2.1.2. Cloning a Subsystem
2.1.3. Self-Signed Root CA or Subordinate CA
2.2. Prerequisites
2.2.1. Supported Platforms
2.2.2. Required Programs and Dependencies
2.2.3. Packages Installed
2.3. Configuration Preparation
2.3.1. Required Information
2.3.2. Default Settings
2.4. Configuration Setup Wizard
2.4.1. Security Domain Panel
2.4.2. Subsystem Type Panel
2.4.3. PKI Hierarchy Panel
2.4.4. CA Information Panel
2.4.5. TKS Information Panel
2.4.6. DRM Information Panel
2.4.7. Authentication Directory Panel
2.4.8. Internal Database Panel
2.4.9. Key Store Panel
2.4.10. Key Pairs Panel
2.4.11. Subject Names Panel
2.4.12. Requests and Certificates Panel
2.4.13. Export Keys and Certificates Panel
2.4.14. Administrator Panel
2.5. Installing the Certificate System
2.5.1. Installing from an ISO Image
2.5.2. Installing through up2date
2.6. Configuring the Default Subsystem Instances
2.6.1. Configuring a CA
2.6.2. Configuring a DRM, OCSP, or TKS
2.6.3. Configuring a TPS
2.7. Creating Additional Subsystem Instances
2.7.1. Running pkicreate
2.7.2. Running pkicreate with Port Separation
2.8. Cloning a Subsystem
2.9. Silent Installation
2.10. Updating Certificate System Packages
2.10.1. Updating Certificate System on Red Hat Enterprise Linux
2.10.2. Updating Certificate System on Solaris
2.11. Uninstalling Certificate System Subsystems
2.11.1. Removing a Subsystem Instance
2.11.2. Removing Certificate System Subsystems
3. Administrative Basics
3.1. Administrative Console
3.2. Enabling SSL Client Authentication for the Certificate System Console
3.3. System Passwords
3.3.1. Protecting the password.conf File
3.3.2. Password-Quality Checker
3.4. Starting, Stopping, and Restarting Certificate System Subsystems
3.4.1. Starting a Server Instance
3.4.2. Stopping a Server Instance
3.4.3. Restarting a Server Instance
3.4.4. Restarting a Subsystem after a Machine Restart
3.5. Mail Server
3.6. Configuration Files
3.6.1. Locating the Configuration File
3.6.2. Editing the Configuration File
3.6.3. Guidelines for Editing the Configuration File
3.6.4. Duplicating Configuration from One Instance to Another
3.6.5. Other File Locations
3.6.6. Default Server Instance Locations
3.7. Using Security-Enhanced Linux
3.8. Using Java Servlets
3.9. Logs
3.9.1. About Logs
3.9.2. Services That Are Logged
3.9.3. Log Levels (Message Categories)
3.9.4. Buffered Versus Unbuffered Logging
3.9.5. Log File Rotation
3.9.6. Configuring Logs in the Console
3.9.7. Configuring Logs in the CS.cfg File
3.9.8. Configuring TPS Logs
3.9.9. Monitoring Logs
3.9.10. Signing Log Files
3.9.11. Registering a Log Module
3.9.12. Deleting a Log Module
3.9.13. Signed Audit Log
3.10. Self-Tests
3.10.1. Self-Test Logging
3.10.2. Self-Test Configuration
3.10.3. Modifying Self-Test Configuration
3.11. Ports
3.11.1. About Ports
3.11.2. Changing a Port Number
3.11.3. Configuring Port Separation
3.12. The Internal LDAP Database
3.12.1. Changing the Internal Database Configuration
3.12.2. Enabling SSL Client Authentication with the Internal Database
3.12.3. Restricting Access to the Internal Database
3.13. Backing up and Restoring Certificate System
4. Certificate Manager
4.1. How the Certificate Manager Works
4.1.1. Enrollment
4.1.2. Revocation
4.2. Certificate Manager Certificates
4.2.1. CA Signing Key Pair and Certificate
4.2.2. OCSP Signing Key Pair and Certificate
4.2.3. SSL Server Key Pair and Certificate
4.2.4. Certificate Considerations
4.2.5. Cross-Pair Certificates
4.3. CA Hierarchy
4.3.1. Subordination to a Public CA
4.3.2. Subordination to a Certificate System CA
4.4. Security Domains
4.4.1. The domain.xml File
4.4.2. Security Domain Roles
4.4.3. Creating a Security Domain
4.4.4. Joining a Security Domain
4.4.5. Additional Security Domain Information
4.5. Configuring the Certificate Manager Instance
4.6. CA Certificate Reissuance
4.7. Changing the Rules for Issuing Certificates
4.8. Setting Restrictions on CA Certificates through Certificate Extensions
4.9. Creating Certificate Manager Agents and Administrators
4.10. Checking the Revocation Status of Agent Certificates
4.11. CRL Signing Key Pair and Certificate
4.12. DNs in the Certificate System
4.12.1. Extending Attribute Support
5. Registration Authority
5.1. Introduction
5.1.1. What is a Registration Authority?
5.1.2. Enrollment Types
5.1.3. Roles
5.1.4. Interfaces
5.2. Installation and Configuration
5.2.1. Configuration
5.2.2. Directory Structure
5.2.3. Configuration Parameters
5.2.4. RA Request Queue Plugins
5.2.5. Libraries
5.3. Working With the Registration Authority
5.3.1. Configuring Additional RA Instances
5.3.2. Customizing the Subject DN in the CSR
5.3.3. Using the End Users Services Interface
5.3.4. Using the Agent Services Interface
5.3.5. Using the Administrator Interface
5.3.6. Command-line Operations
6. Online Certificate Status Protocol Responder
6.1. About OCSP Services
6.1.1. OCSP Response Signing
6.1.2. OCSP Responses
6.2. CA OCSP Services
6.2.1. The Certificate Manager's Internal OCSP Service
6.2.2. Online Certificate Status Manager
6.3. Online Certificate Status Manager Certificates
6.3.1. OCSP Signing Key Pair and Certificate
6.3.2. SSL Server Key Pair and Certificate
6.3.3. Recognizing Online Certificate Status Manager Certificates
6.4. Configuring the Online Certificate Status Manager
6.5. Creating Online Certificate Status Manager Agents and Administrators
6.6. Configuring the Certificate Manager's Internal OCSP Service
6.7. Setting up the OCSP Responder
6.8. Identifying the CA to the OCSP Responder
6.8.1. Verify Certificate Manager and Online Certificate Status Manager Connection
6.8.2. Configure the Revocation Info Stores
6.9. Testing the OCSP Service Setup
6.10. Submitting OCSP Requests Using the GET Method
6.11. Setting up a Redirect for Certificates Issued in Certificate System 7.1 and Earlier
7. Data Recovery Manager
7.1. PKI Setup for Archiving and Recovering Keys
7.2. Data Recovery Manager Certificates
7.2.1. Transport Key Pair and Certificate
7.2.2. Storage Key Pair
7.2.3. SSL Server Certificate
7.3. Forms for Users and Key Recovery Agents
7.4. Overview of Archiving Keys
7.4.1. Reasons to Archive Keys
7.4.2. Where the Keys Are Stored
7.4.3. How Key Archival Works
7.5. Overview of Key Recovery
7.5.1. Key Recovery Agents and Their Passwords
7.5.2. Key Recovery Agent Scheme
7.6. Configuring Key Archival and Recovery Process
7.6.1. Setting up Key Archival
7.6.2. Setting up Key Recovery
7.6.3. Testing the Key Archival and Recovery Setup
7.7. Creating Data Recovery Manager Agents and Administrators
8. Token Processing System
8.1. Working with Multiple Instances of a Subsystem
8.1.1. Configuring Failover Support
8.1.2. Configuring Multiple Instances for Different Functions
8.2. Formatting Smart Cards
8.3. Resetting the Smart Card PIN
8.4. Applet Upgrade
8.5. Enrolling Smart Cards through the Enterprise Security Client
8.5.1. Enabling SSL in the TPS
8.5.2. Configuring Server-Side Key Generation and Archival of Encryption Keys
8.5.3. Looking at Smart Card Certificate Enrollment Profiles
8.5.4. Automating Encryption Key Recovery
8.5.5. Configuring Symmetric Key Changeover
8.5.6. Setting Token Types for Specified Smart Cards
8.6. Configuring LDAP Authentication
8.7. Token Database
8.8. Configuring TPS Logging
8.8.1. Thread Correlation
8.9. TPS Configuration Parameters
8.9.1. TKS Configuration File Parameters
9. Token Key Service
9.1. Overview
9.2. Using Master Keys
9.3. Configuring the TKS to Associate the Master Key with Its Version
9.4. Using HSM for Generating Keys
9.5. Creating Token Key Service Agents and Administrators
10. Enterprise Security Client
11. Managing Certificates
11.1. Certificate Overview
11.1.1. Types of Certificates
11.1.2. Determining Which Certificates to Install
11.1.3. Certificate Data Formats
11.1.4. Certificate Setup Wizard
11.2. Requesting and Receiving Certificates
11.2.1. Requesting Certificates
11.2.2. Submitting Certificate Requests
11.2.3. Retrieving Certificates from the End-Entities Page
11.3. Managing User Certificates
11.3.1. Managing Certificate System User and Agent Certificates
11.3.2. Importing Certificates into Mozilla Firefox
11.4. Managing the Certificate Database
11.4.1. Installing Certificates in the Certificate System Database
11.4.2. Viewing Database Content
11.4.3. Deleting Certificates from the Database
11.4.4. Changing the Trust Settings of a CA Certificate
11.5. Configuring the Server Certificate Use Preferences
12. Managing Tokens
12.1. Tokens for Storing Certificate System Keys and Certificates
12.1.1. Internal Tokens
12.1.2. External Tokens
12.1.3. Considerations for External Tokens
12.2. Using Hardware Security Modules with Subsystems
12.2.1. Chrysalis LunaSA HSM
12.2.2. Installing External Tokens and Unsupported HSM
12.3. Managing Tokens Used by the Subsystems
12.3.1. Viewing Tokens
12.3.2. Changing a Token's Password
12.4. Detecting Tokens
12.5. Hardware Cryptographic Accelerators
13. Certificate Profiles
13.1. About Certificate Profiles
13.2. How Certificate Profiles Work
13.3. Setting up Certificate Profiles
13.3.1. Modifying Certificate Profiles through the CA Console
13.3.2. Modifying Certificate Profiles through the Command Line
13.3.3. Populating Certificates with Directory Attributes
13.3.4. Customizing the Enrollment Form
13.4. Certificate Profile Reference
13.5. Input Reference
13.5.1. Certificate Request Input
13.5.2. CMC Certificate Request Input
13.5.3. Dual Key Generation Input
13.5.4. File-Signing Input
13.5.5. Image Input
13.5.6. Key Generation Input
13.5.7. nsHcertificateRequest (Token Key) Input
13.5.8. nsNcertificateRequest (Token User Key) Input
13.5.9. Subject DN Input
13.5.10. Subject Name Input
13.5.11. Submitter Information Input
13.6. Output Reference
13.6.1. Certificate Output
13.6.2. PKCS #7 Output
13.6.3. CMMF Output
13.7. Defaults Reference
13.7.1. Authority Info Access Extension Default
13.7.2. Authority Key Identifier Extension Default
13.7.3. Basic Constraints Extension Default
13.7.4. CRL Distribution Points Extension Default
13.7.5. Extended Key Usage Extension Default
13.7.6. Freshest CRL Extension Default
13.7.7. Issuer Alternative Name Extension Default
13.7.8. Key Usage Extension Default
13.7.9. Name Constraints Extension Default
13.7.10. Netscape Certificate Type Extension Default
13.7.11. Netscape Comment Extension Default
13.7.12. No Default Extension
13.7.13. OCSP No Check Extension Default
13.7.14. Policy Constraints Extension Default
13.7.15. Policy Mappers Extension Default
13.7.16. Signing Algorithm Default
13.7.17. Subject Alternative Name Extension Default
13.7.18. Subject Directory Attributes Extension Default
13.7.19. Subject Key Identifier Extension Default
13.7.20. Subject Name Default
13.7.21. Token Supplied Subject Name Default
13.7.22. User Supplied Extension Default
13.7.23. User Supplied Key Default
13.7.24. User Signing Algorithm Default
13.7.25. User Supplied Subject Name Default
13.7.26. User Supplied Validity Default
13.7.27. Validity Default
13.8. Constraints Reference
13.8.1. Basic Constraints Extension Constraint
13.8.2. Extended Key Usage Extension Constraint
13.8.3. Extension Constraint
13.8.4. Key Constraint
13.8.5. Key Usage Extension Constraint
13.8.6. No Constraint
13.8.7. Netscape Certificate Type Extension Constraint
13.8.8. Signing Algorithm Constraint
13.8.9. Subject Name Constraint
13.8.10. Unique Subject Name Constraint
13.8.11. Validity Constraint
14. Revocation and CRLs
14.1. Revocation
14.1.1. SSL Client Authenticated Revocation
14.1.2. Certificate Revocation Forms
14.2. CMC Revocation
14.2.1. Setting up CMC Revocation
14.2.2. Testing CMC Revoke
14.3. About CRLs
14.3.1. Reasons for Revoking a Certificate
14.3.2. Publishing CRLs
14.3.3. CRL Issuing Points
14.3.4. Delta CRLs
14.3.5. How CRLs Work
14.4. Issuing CRLs
14.4.1. Configuring Issuing Points
14.4.2. Configuring CRLs for Each Issuing Point
14.4.3. Setting CRL Extensions
14.5. Setting Full and Delta CRL Schedules
14.5.1. Configuring Extended Updated Intervals for CRLs in the Console
14.5.2. Configuring Extended Updated Intervals for CRLs in CS.cfg
15. Publishing
15.1. About Publishing
15.1.1. About Publishers
15.1.2. About Mappers
15.1.3. About Rules
15.1.4. Publishing to Files
15.1.5. LDAP Publishing
15.1.6. OCSP Publishing
15.1.7. How Publishing Works
15.2. Setting up Publishing
15.3. Configuring Publishers
15.3.1. Configuring Publishers for Publishing to a File
15.3.2. Configuring Publishers for Publishing to OCSP
15.3.3. Configuring Publishers for LDAP Publishing
15.4. Configuring Mappers
15.5. Rules
15.5.1. Modifying Publishing Rules for Certificates and CRLs
15.5.2. Predicates Used in Publishing Rules
15.6. Enabling Publishing
15.7. Publishing Cross-Pair Certificates
15.8. Testing Publishing to Files
15.9. Viewing Certificates and CRLs Published to File
15.10. Configuring the Directory for LDAP Publishing
15.10.1. Schema
15.10.2. Entry for the CA
15.10.3. Bind DN
15.10.4. Directory Authentication Method
15.11. Updating Certificates and CRLs in a Directory
15.11.1. Manually Updating Certificates in the Directory
15.11.2. Manually Updating the CRL in the Directory
15.12. Registering and Deleting Mapper and Publisher Plug-in Modules
15.13. Module Reference
15.13.1. Publisher Plug-in Modules
15.13.2. Mapper Plug-in Modules
15.13.3. Configuring Rule Instances
16. Authentication for Enrolling Certificates
16.1. Enrollment Overview
16.1.1. The Authentication Process
16.2. Agent-Approved Enrollment
16.2.1. Configuring Agent-Approved Enrollment
16.3. Automated Enrollment
16.3.1. Setting up Directory-Based Authentication
16.3.2. Setting up PIN-based Enrollment
16.4. Setting up CMC Enrollment
16.4.1. Setting up the Server for Multiple Requests in a Full CMC Request
16.4.2. Testing CMCEnroll
16.5. Certificate-Based Enrollment
16.5.1. Setting up Certificate-Based Enrollment
16.6. Testing Enrollment
16.7. Managing Authentication Plug-ins
17. User and Group Authorization
17.1. About Authorization
17.1.1. How Authorization Works
17.1.2. Default Groups
17.2. Creating Users
17.3. Setting up a Trusted Manager
17.4. Modifying Certificate System User Entries
17.4.1. Changing a Certificate System User's Login Information
17.4.2. Changing a Certificate System User's Certificate
17.4.3. Changing Members in a Group
17.4.4. Deleting a Certificate System User
17.5. Creating a New Group
17.6. Authorization for Certificate System Users
17.6.1. Access Control Lists (ACLs)
17.6.2. Access Control Instructions (ACIs)
17.6.3. Changing Privileges
17.6.4. How ACIs Are Formed
17.6.5. Editing ACLs
17.7. ACL Reference
17.7.1. certServer.acl.configuration
17.7.2. certServer.admin.certificate
17.7.3. certServer.admin.request.enrollment
17.7.4. certServer.auth.configuration
17.7.5. certServer.ca.certificate
17.7.6. certServer.ca.certificates
17.7.7. certServer.ca.configuration
17.7.8. certServer.ca.connector
17.7.9. certServer.ca.clone
17.7.10. certServer.ca.crl
17.7.11. certServer.ca.directory
17.7.12. certServer.ca.group
17.7.13. certServer.ca.ocsp
17.7.14. certServer.ca.profiles
17.7.15. certServer.ca.profile
17.7.16. certServer.ca.requests
17.7.17. certServer.ca.request.enrollment
17.7.18. certServer.ca.request.profile
17.7.19. certServer.ca.systemstatus
17.7.20. certServer.ee.certificate
17.7.21. certServer.ee.certificates
17.7.22. certServer.ee.certchain
17.7.23. certServer.ee.crl
17.7.24. certServer.ee.profile
17.7.25. certServer.ee.profiles
17.7.26. certServer.ee.facetofaceenrollment
17.7.27. certServer.ee.request.enrollment
17.7.28. certServer.ee.request.facetofaceenrollment
17.7.29. certServer.ee.request.ocsp
17.7.30. certServer.ee.request.revocation
17.7.31. certServer.ee.requestStatus
17.7.32. certServer.general.configuration
17.7.33. certServer.job.configuration
17.7.34. certServer.kra.certificate.transport
17.7.35. certServer.kra.configuration
17.7.36. certServer.kra.connector
17.7.37. certServer.kra.key
17.7.38. certServer.kra.keys
17.7.39. certServer.kra.request
17.7.40. certServer.kra.requests
17.7.41. certServer.kra.request.status
17.7.42. certServer.kra.systemstatus
17.7.43. certServer.log.configuration
17.7.44. certServer.log.configuration.SignedAudit.expirationTime
17.7.45. certServer.log.configuration.fileName
17.7.46. certServer.log.content.SignedAudit
17.7.47. certServer.log.content
17.7.48. certServer.ocsp.ca
17.7.49. certServer.ocsp.cas
17.7.50. certServer.ocsp.certificate
17.7.51. certServer.ocsp.configuration
17.7.52. certServer.ocsp.crl
17.7.53. certServer.profile.configuration
17.7.54. certServer.publisher.configuration
17.7.55. certServer.registry.configuration
17.7.56. certServer.usrgrp.administration
18. Automated Notifications
18.1. About Automated Notifications
18.1.1. Types of Automated Notifications
18.1.2. Determining End-Entity Email Addresses
18.2. Setting Up Automated Notifications
18.2.1. Configuring Specific Notifications by Editing the Configuration File
18.2.2. Testing Configuration
18.3. Customizing Notification Messages
18.3.1. Notification Message Templates
18.3.2. Token Definitions
19. Automated Jobs
19.1. About Automated Jobs
19.1.1. Setting up Automated Jobs
19.1.2. Types of Automated Jobs
19.2. Setting up the Job Scheduler
19.2.1. Enabling and Configuring the Job Scheduler
19.3. Setting up Specific Jobs
19.3.1. Configuring Specific Jobs Using the Certificate Manager Console
19.3.2. Configuring Jobs by Editing the Configuration File
19.3.3. Configuration Parameters of requestInQueueNotifier
19.3.4. Configuration Parameters of publishCerts
19.3.5. Configuration Parameters of unpublishExpiredCerts
19.3.6. Frequency Settings for Automated Jobs
19.4. Managing Job Plug-ins
19.4.1. Registering or Deleting a Job Module
20. Configuring the Certificate System for High Availability
20.1. High Availability Overview
20.1.1. Architecture of a Failover System
20.1.2. Load Balancing
20.2. Cloning Preparation
20.2.1. Diagnostics
20.3. Testing the Cloned Configuration
20.4. Clone-Master Conversion
20.4.1. Converting a Master CA into a Cloned CA
20.4.2. Converting a Cloned CA into a Master CA
20.4.3. Converting a Master OCSP into a Cloned OCSP
20.4.4. Converting a Cloned OCSP into a Master OCSP
A. Certificate and CRL Extensions
A.1. Introduction to Certificate Extensions
A.1.1. Structure of Certificate Extensions
A.1.2. Sample Certificate Extensions
A.2. Note on Object Identifiers
A.3. Standard X.509 v3 Certificate Extensions
A.3.1. authorityInfoAccess
A.3.2. The authorityKeyIdentifier
A.3.3. basicConstraints
A.3.4. certificatePolicies
A.3.5. CRLDistributionPoints
A.3.6. extKeyUsage
A.3.7. issuerAltName Extension
A.3.8. keyUsage
A.3.9. nameConstraints
A.3.10. OCSPNocheck
A.3.11. policyConstraints
A.3.12. policyMappings
A.3.13. privateKeyUsagePeriod
A.3.14. subjectAltName
A.3.15. subjectDirectoryAttributes
A.3.16. subjectKeyIdentifier
A.4. Introduction to CRL Extensions
A.4.1. Structure of CRL Extensions
A.4.2. Sample CRL and CRL Entry Extensions
A.5. Standard X.509 v3 CRL Extensions
A.5.1. Extensions for CRLs
A.5.2. CRL Entry Extensions
A.6. Netscape-Defined Certificate Extensions
A.6.1. netscape-cert-type
A.6.2. netscape-comment
B. Introduction to Public-Key Cryptography
B.1. Internet Security Issues
B.2. Encryption and Decryption
B.2.1. Symmetric-Key Encryption
B.2.2. Public-Key Encryption
B.2.3. Key Length and Encryption Strength
B.3. Digital Signatures
B.4. Certificates and Authentication
B.4.1. A Certificate Identifies Someone or Something
B.4.2. Authentication Confirms an Identity
B.4.3. How Certificates Are Used
B.4.4. Single Sign-on
B.4.5. Contents of a Certificate
B.4.6. How CA Certificates Establish Trust
B.5. Managing Certificates
B.5.1. Issuing Certificates
B.5.2. Certificates and the LDAP Directory
B.5.3. Key Management
B.5.4. Revoking Certificates
C. Enrolling a Certificate in a Cisco Router
C.1. Preparation
C.2. Configuration
C.2.1. Working with chained (subordinate) CAs
C.2.2. DEBUGGING:
Glossary
Index