Red Hat Certificate System 7.3

Red Hat Certificate System 7.3

Administration Guide

Copyright © 2008 Red Hat, Inc.

Legal Notice
Abstract

This manual covers all aspects of installing, configuring, and managing Certificate System subsystems. It also covers management tasks such as adding users; requesting, renewing, and revoking certificates; publishing CRLs; and managing smart cards. This guide is intended for Certificate System administrators.

1. About This Guide
1.1. Who Should Read This Guide
1.2. Recommended Knowledge
1.3. What Is in This Guide
1.4. Document Conventions
1.5. Documentation
2. Overview
2.1. Features
2.1.1. Subsystems
2.1.2. Interfaces
2.1.3. Logging
2.1.4. Auditing
2.1.5. Self-Tests
2.1.6. Authorization
2.1.7. Security-Enhanced Linux Support
2.1.8. Authentication
2.1.9. Registration Authority
2.1.10. SCEP
2.1.11. Certificate Issuance
2.1.12. Certificate Profiles
2.1.13. CRLs
2.1.14. Publishing
2.1.15. Notifications
2.1.16. Jobs
2.1.17. Dual Key Pairs
2.1.18. HSMs and Crypto Accelerators
2.1.19. Support for Open Standards
2.1.20. Java™ SDK Extension Mechanism for Customization
2.2. How the Certificate System Works
2.2.1. About the Certificate Manager
2.2.2. How the Certificate Manager Works
2.2.3. Data Recovery Manager
2.2.4. Online Certificate Status Manager
2.2.5. Token Key Service
2.2.6. Token Processing System
2.3. Deployment Scenarios
2.3.1. Single Certificate Manager
2.3.2. Certificate Manager and DRM
2.3.3. Cloned Certificate Manager
2.3.4. Smart Card Enrollment
2.4. System Architecture
2.4.1. Certificate System Instance
2.4.2. HTTP Engine
2.4.3. User Interfaces
2.4.4. JSS and the JNI Layer
2.4.5. NSS
2.4.6. PKCS #11
2.4.7. Management Tools
2.4.8. JRE
2.4.9. Internal Database
2.4.10. SSL/TLS and Supported Cipher Suites
2.5. CS SDK
2.6. Support for Open Standards
2.6.1. Certificate Management Formats and Protocols
2.6.2. Security and Directory Protocols
3. Installation and Configuration
3.1. Deployment Considerations
3.1.1. Security Domains
3.1.2. Cloning a Subsystem
3.1.3. Self-Signed Root CA or Subordinate CA
3.2. Prerequisites
3.2.1. Supported Platforms
3.2.2. Required Programs and Dependencies
3.2.3. Packages Installed
3.3. Configuration Preparation
3.3.1. Required Information
3.3.2. Default Settings
3.4. Configuration Setup Wizard
3.4.1. Security Domain Panel
3.4.2. Subsystem Type Panel
3.4.3. PKI Hierarchy Panel
3.4.4. CA Information Panel
3.4.5. TKS Information Panel
3.4.6. DRM Information Panel
3.4.7. Authentication Directory Panel
3.4.8. Internal Database Panel
3.4.9. Key Store Panel
3.4.10. Key Pairs Panel
3.4.11. Subject Names Panel
3.4.12. Requests and Certificates Panel
3.4.13. Export Keys and Certificates Panel
3.4.14. Administrator Panel
3.5. Installing the Certificate System
3.5.1. Installing from an ISO Image
3.5.2. Installing through up2date
3.6. Configuring the Default Subsystem Instances
3.6.1. Configuring a CA
3.6.2. Configuring a DRM, OCSP, or TKS
3.6.3. Configuring a TPS
3.7. Creating Additional Subsystem Instances
3.7.1. Cloning a Subsystem
3.8. Silent Installation
3.9. Updating Certificate System Packages
3.9.1. Updating a Red Hat Enterprise Linux system using rpm
3.9.2. Updating a Solaris 9 system using pkgrm and pkgadd
3.9.3. Updating through up2date
3.10. Uninstalling Certificate System Subsystems
3.10.1. Removing a Subsystem Instance
3.10.2. Removing Certificate System Subsystems
4. Administrative Basics
4.1. Administrative Console
4.2. Enabling SSL Client Authentication for the Certificate System Console
4.3. System Passwords
4.3.1. Protecting the password.conf File
4.3.2. Password-Quality Checker
4.4. Starting, Stopping, and Restarting Certificate System Subsystems
4.4.1. Starting a Server Instance
4.4.2. Stopping a Server Instance
4.4.3. Restarting a Server Instance
4.4.4. Restarting a Subsystem after a Machine Restart
4.5. Mail Server
4.6. Configuration Files
4.6.1. Locating the Configuration File
4.6.2. Editing the Configuration File
4.6.3. Guidelines for Editing the Configuration File
4.6.4. Duplicating Configuration from One Instance to Another
4.6.5. Other File Locations
4.6.6. Default Server Instance Locations
4.7. Using Security-Enhanced Linux
4.8. Using Java Servlets
4.9. Logs
4.9.1. About Logs
4.9.2. Services That Are Logged
4.9.3. Log Levels (Message Categories)
4.9.4. Buffered Versus Unbuffered Logging
4.9.5. Configuring Logs in the Console
4.9.6. Configuring Logs in the CS.cfg File
4.9.7. Monitoring Logs
4.9.8. Signing Log Files
4.9.9. Registering a Log Module
4.9.10. Deleting a Log Module
4.9.11. TPS Logs
4.10. Signed Audit Log
4.10.1. Setting up Signed Audit Logs
4.10.2. Audit Logging Failures
4.11. Self-Tests
4.11.1. Self-Test Logging
4.11.2. Self-Test Configuration
4.11.3. Modifying Self-Test Configuration
4.12. Ports
4.12.1. About Ports
4.12.2. Changing a Port Number
4.13. The Internal LDAP Database
4.13.1. Changing the Internal Database Configuration
4.13.2. Enabling SSL Client Authentication with the Internal Database
4.13.3. Restricting Access to the Internal Database
4.14. Backing up and Restoring Certificate System
5. Certificate Manager
5.1. How the Certificate Manager Works
5.1.1. Enrollment
5.1.2. Renewal
5.1.3. Revocation
5.2. Certificate Manager Certificates
5.2.1. CA Signing Key Pair and Certificate
5.2.2. OCSP Signing Key Pair and Certificate
5.2.3. SSL Server Key Pair and Certificate
5.2.4. Certificate Considerations
5.2.5. Cross-Pair Certificates
5.3. CA Hierarchy
5.3.1. Subordination to a Public CA
5.3.2. Subordination to a Certificate System CA
5.4. Security Domains
5.4.1. The domain.xml File
5.4.2. Security Domain Roles
5.4.3. Creating a Security Domain
5.4.4. Joining a Security Domain
5.4.5. Additional Security Domain Information
5.5. Configuring the Certificate Manager Instance
5.6. CA Certificate Renewal or Reissuance
5.7. Changing the Rules for Issuing Certificates
5.8. Setting Restrictions on CA Certificates through Certificate Extensions
5.9. Creating Certificate Manager Agents and Administrators
5.10. Checking the Revocation Status of Agent Certificates
5.11. CRL Signing Key Pair and Certificate
5.12. DNs in the Certificate System
5.12.1. Extending Attribute Support
6. Online Certificate Status Protocol Responder
6.1. About OCSP Services
6.1.1. OCSP Response Signing
6.1.2. OCSP Responses
6.2. CA OCSP Services
6.2.1. The Certificate Manager's Internal OCSP Service
6.2.2. Online Certificate Status Manager
6.3. Online Certificate Status Manager Certificates
6.3.1. OCSP Signing Key Pair and Certificate
6.3.2. SSL Server Key Pair and Certificate
6.3.3. Recognizing Online Certificate Status Manager Certificates
6.4. Configuring the Online Certificate Status Manager
6.5. Creating Online Certificate Status Manager Agents and Administrators
6.6. Configuring the Certificate Manager's Internal OCSP Service
6.7. Setting up the OCSP Responder
6.8. Identifying the CA to the OCSP Responder
6.8.1. Verify Certificate Manager and Online Certificate Status Manager Connection
6.8.2. Configure the Revocation Info Stores
6.9. Testing the OCSP Service Setup
7. Data Recovery Manager
7.1. PKI Setup for Archiving and Recovering Keys
7.1.1. Clients That Can Generate Dual Key Pairs
7.2. Data Recovery Manager Certificates
7.2.1. Transport Key Pair and Certificate
7.2.2. Storage Key Pair
7.2.3. SSL Server Certificate
7.3. Forms for Users and Key Recovery Agents
7.4. Overview of Archiving Keys
7.4.1. Reasons to Archive Keys
7.4.2. Where the Keys Are Stored
7.4.3. How Key Archival Works
7.5. Overview of Key Recovery
7.5.1. Key Recovery Agents and Their Passwords
7.5.2. Key Recovery Agent Scheme
7.6. Configuring Key Archival and Recovery Process
7.6.1. Setting up Key Archival
7.6.2. Setting up Key Recovery
7.6.3. Testing the Key Archival and Recovery Setup
7.7. Creating Data Recovery Manager Agents and Administrators
8. Token Processing System
8.1. Working with Multiple Instances of a Subsystem
8.1.1. Configuring Failover Support
8.1.2. Configuring Multiple Instances for Different Functions
8.2. Formatting Smart Cards
8.3. Resetting the Smart Card PIN
8.4. Applet Upgrade
8.5. Enrolling Smart Cards through the Enterprise Security Client
8.5.1. Enabling SSL in TPS
8.5.2. Server-Side Key Generation and Archival of Encryption Keys
8.5.3. Smart Card Certificate Enrollment Profiles
8.5.4. Automating Encryption Key Recovery
8.5.5. Symmetric Key Changeover
8.5.6. Setting Token Types for Specified Smart Cards
8.6. Configuring LDAP Authentication
8.7. Token Database
8.8. Configuring TPS Logging
8.8.1. Thread Correlation
8.9. TPS Configuration Parameters
8.9.1. TKS Configuration File Parameters
9. Token Key Service
9.1. Overview
9.2. Using Master Keys
9.3. Using HSM for Generating Keys
9.4. Creating Token Key Service Agents and Administrators
10. Enterprise Security Client
10.1. Overview
11. Managing Certificates
11.1. Certificate Overview
11.1.1. Types of Certificates
11.1.2. Determining Which Certificates to Install
11.1.3. Certificate Data Formats
11.1.4. Certificate Setup Wizard
11.2. Requesting and Receiving Certificates
11.2.1. Requesting Certificates
11.2.2. Submitting Certificate Requests
11.2.3. Retrieving Certificates from the End-Entities Page
11.3. Managing User Certificates
11.3.1. Managing Certificate System User and Agent Certificates
11.3.2. Importing Certificates into Mozilla Firefox
11.4. Managing the Certificate Database
11.4.1. Installing Certificates in the Certificate System Database
11.4.2. Viewing Database Content
11.4.3. Deleting Certificates from the Database
11.4.4. Changing the Trust Settings of a CA Certificate
11.5. Renewing Certificates
11.5.1. Renewing Certificates through the Console
11.5.2. Renewing Certificates using certutil
11.6. Configuring the Server Certificate Use Preferences
12. Managing Tokens
12.1. Tokens for Storing Certificate System Keys and Certificates
12.1.1. Internal Tokens
12.1.2. External Tokens
12.1.3. Considerations for External Tokens
12.2. Using Hardware Security Modules with Subsystems
12.2.1. Chrysalis LunaSA HSM
12.2.2. Installing External Tokens and Unsupported HSM
12.3. Managing Tokens Used by the Subsystems
12.3.1. Viewing Tokens
12.3.2. Changing a Token's Password
12.4. Detecting Tokens
12.5. Hardware Cryptographic Accelerators
13. Certificate Profiles
13.1. About Certificate Profiles
13.1.1. How Certificate Profiles Work
13.2. Setting up Certificate Profiles
13.2.1. Modifying Certificate Profiles through the CA Console
13.2.2. Modifying Certificate Profiles through the Command Line
13.2.3. Populating Certificates with Directory Attributes
13.2.4. Customizing the Enrollment Form
13.3. Certificate Profile Reference
13.4. Input Reference
13.4.1. Certificate Request Input
13.4.2. CMC Certificate Request Input
13.4.3. Dual Key Generation Input
13.4.4. File-Signing Input
13.4.5. Image Input
13.4.6. Key Generation Input
13.4.7. nsHcertificateRequest (Token Key) Input
13.4.8. nsNcertificateRequest (Token User Key) Input
13.4.9. Subject DN Input
13.4.10. Subject Name Input
13.4.11. Submitter Information Input
13.5. Output Reference
13.5.1. Certificate Output
13.5.2. PKCS #7 Output
13.5.3. CMMF Output
13.6. Defaults Reference
13.6.1. Authority Info Access Extension Default
13.6.2. Authority Key Identifier Extension Default
13.6.3. Basic Constraints Extension Default
13.6.4. CRL Distribution Points Extension Default
13.6.5. Extended Key Usage Extension Default
13.6.6. Freshest CRL Extension Default
13.6.7. Issuer Alternative Name Extension Default
13.6.8. Key Usage Extension Default
13.6.9. Name Constraints Extension Default
13.6.10. Netscape Certificate Type Extension Default
13.6.11. Netscape Comment Extension Default
13.6.12. No Default Extension
13.6.13. OCSP No Check Extension Default
13.6.14. Policy Constraints Extension Default
13.6.15. Policy Mappers Extension Default
13.6.16. Signing Algorithm Default
13.6.17. Subject Alternative Name Extension Default
13.6.18. Subject Directory Attributes Extension Default
13.6.19. Subject Key Identifier Extension Default
13.6.20. Subject Name Default
13.6.21. Token Supplied Subject Name Default
13.6.22. User Supplied Extension Default
13.6.23. User Supplied Key Default
13.6.24. User Signing Algorithm Default
13.6.25. User Supplied Subject Name Default
13.6.26. User Supplied Validity Default
13.6.27. Validity Default
13.7. Constraints Reference
13.7.1. Basics Constraints Extension Constraint
13.7.2. Extended Key Usage Extension Constraint
13.7.3. Extension Constraint
13.7.4. Key Constraint
13.7.5. Key Usage Extension Constraint
13.7.6. No Constraint
13.7.7. Netscape Certificate Type Extension Constraint
13.7.8. Signing Algorithm Constraint
13.7.9. Subject Name Constraint
13.7.10. Unique Subject Name Constraint
13.7.11. Validity Constraint
14. Revocation and CRLs
14.1. Revocation
14.1.1. SSL Client Authenticated Revocation
14.1.2. Certificate Revocation Forms
14.2. CMC Revocation
14.2.1. Setting up CMC Revocation
14.2.2. Testing CMC Revoke
14.3. About CRLs
14.3.1. Reasons for Revoking a Certificate
14.3.2. Publishing CRLs
14.3.3. CRL Issuing Points
14.3.4. Delta CRLs
14.3.5. How CRLs Work
14.4. Issuing CRLs
14.4.1. Configuring Issuing Points
14.4.2. Configuring CRLs for Each Issuing Point
14.4.3. Setting CRL Extensions
14.5. Additional CRL Scheduling Information
15. Publishing
15.1. About Publishing
15.1.1. About Publishers
15.1.2. About Mappers
15.1.3. About Rules
15.1.4. Publishing to Files
15.1.5. LDAP Publishing
15.1.6. OCSP Publishing
15.1.7. How Publishing Works
15.2. Setting up Publishing
15.3. Publishers
15.3.1. Configuring Publishers for Publishing to a File
15.3.2. Configuring Publishers for Publishing to OCSP
15.3.3. Configuring Publishers for LDAP Publishing
15.4. Mappers
15.4.1. Configuring Mappers
15.5. Rules
15.5.1. Modifying Publishing Rules for Certificates and CRLs
15.6. Enabling Publishing
15.6.1. Publishing Cross-Pair Certificates
15.7. Testing Publishing to Files
15.8. Viewing Certificates and CRLs Published to File
15.9. Configuring the Directory for LDAP Publishing
15.9.1. Schema
15.9.2. Entry for the CA
15.9.3. Bind DN
15.9.4. Directory Authentication Method
15.10. Updating Certificates and CRLs in a Directory
15.10.1. Manually Updating Certificates in the Directory
15.10.2. Manually Updating the CRL in the Directory
15.11. Registering and Deleting Mapper and Publisher Plug-in Modules
15.12. Module Reference
15.12.1. Publisher Plug-in Modules
15.12.2. Mapper Plug-in Modules
15.12.3. Rule Instances
16. Authentication for Enrolling Certificates
16.1. Enrollment Overview
16.1.1. The Authentication Process
16.2. Agent-Approved Enrollment
16.2.1. Configuring Agent-Approved Enrollment
16.3. Automated Enrollment
16.3.1. Setting up Directory-Based Authentication
16.3.2. Setting up PIN-based Enrollment
16.4. Setting up CMC Enrollment
16.4.1. Setting up the Server for Multiple Requests in a Full CMC Request
16.4.2. Testing CMCEnroll
16.5. Certificate-Based Enrollment
16.5.1. Setting up Certificate-Based Enrollment
16.6. Testing Enrollment
16.7. Managing Authentication Plug-ins
17. Registration Authority
17.1. Introduction
17.1.1. What is a Registration Authority?
17.1.2. Enrollment Types
17.1.3. Roles
17.1.4. Interfaces
17.2. Installation and Configuration
17.2.1. Configuration
17.2.2. Directory Structure
17.2.3. Configuration Parameters
17.2.4. RA Request Queue Plugins
17.2.5. Libraries
17.3. Working With the Registration Authority
17.3.1. Configuring Additional RA Instances
17.3.2. Customizing the Subject DN in the CSR
17.3.3. Using the End Users Services Interface
17.3.4. Using the Agent Services Interface
17.3.5. Using the Administrator Interface
17.3.6. Command-line Operations
18. User and Group Authorization
18.1. About Authorization
18.1.1. How Authorization Works
18.1.2. Default Groups
18.2. Creating Users
18.3. Setting up a Trusted Manager
18.4. Modifying Certificate System User Entries
18.4.1. Changing a Certificate System User's Login Information
18.4.2. Changing a Certificate System User's Certificate
18.4.3. Changing Members in a Group
18.4.4. Deleting a Certificate System User
18.5. Creating a New Group
18.6. Authorization for Certificate System Users
18.6.1. Access Control Lists (ACLs)
18.6.2. Access Control Instructions (ACIs)
18.6.3. Changing Privileges
18.6.4. How ACIs Are Formed
18.6.5. Editing ACLs
18.7. ACL Reference
18.7.1. certServer.acl.configuration
18.7.2. certServer.admin.certificate
18.7.3. certServer.admin.request.enrollment
18.7.4. certServer.auth.configuration
18.7.5. certServer.ca.certificate
18.7.6. certServer.ca.certificates
18.7.7. certServer.ca.configuration
18.7.8. certServer.ca.connector
18.7.9. certServer.ca.clone
18.7.10. certServer.ca.crl
18.7.11. certServer.ca.directory
18.7.12. certServer.ca.group
18.7.13. certServer.ca.ocsp
18.7.14. certServer.ca.profiles
18.7.15. certServer.ca.profile
18.7.16. certServer.ca.requests
18.7.17. certServer.ca.request.enrollment
18.7.18. certServer.ca.request.profile
18.7.19. certServer.ca.systemstatus