Administrator's Guide
Red Hat Certificate System

Contents


About This Guide

Who Should Read This Guide
What You Should Know
What's in This Guide
Conventions Used in This Guide
Documentation

Overview

Features
Subsystems
Certificate Manager Flexibility and Scalability
Interfaces
Logging
Auditing
Self Tests
Authorization
Authentication
Certificate Issuance
Certificate Profiles
Policy
CRLs
Publishing
Notifications
Jobs
Dual Key Pairs
HSMs and Crypto Accelerators
Support for Open Standards
Java SDK Extension Mechanism for Customization
How Certificate System Works
CS Basics
About the Certificate Manager
How the Certificate Manager Works
About the Registration Manager
How the Registration Manager Works
Data Recovery Manager
Online Certificate Status Manager
Deployment Scenarios
Single Certificate Manager
Certificate Manager and Registration Manager
Certificate Manager and Data Recovery Manager
Certificate Manager, Data Recovery Manager, and Registration Manager
Cloned Certificate Manager
System Architecture
CS Component
HTTP Engine
Service Interfaces
JSS and the Java/JNI Layer
NSS
PKCS #11
Management Tools
JRE
Internal LDAP Database
Administration Server
CS SDK
Support for Open Standards
Certificate Management Formats and Protocols
Security and Directory Protocols

Installation

Installation and Configuration Overview
Installation and Configuration Process
Installation Overview
About the Installation Program
Installation Considerations
Installation Worksheet
Installing CS
Uninstalling CS

Certificate Manager

Certificate Manager Deployment Considerations
Self-Signed Root vs. Subordinate CA
Cloned CA
Certificate Manager Certificates
Certificate Manager Interfaces
Password Storage
Internal Database
Tokens
Installing a Certificate Manager
Installing a Certificate Manager as a Root CA
Installing a Certificate Manager as a Subordinate CA
Configuring the Certificate Manager
Adding Users
Configuring Authorization
Managing Certificates and the Certificate Database
Changing Ports and IP Addresses
Changing Subsystem Security Settings
Changing Passwords or Storage Settings
Configuring Logs
Changing Internal Database Settings
Configuring Self Test
Setting Up a Mail Server
Changing the Certificate Issuance Rules
Setting Up Authentication
Configuring Policies
Configuring Certificate Profiles
Configuring Publishing
Configuring OCSP Services
Setting Up CRLs
Setting Up Notifications
Setting Up Jobs
Customizing the End Entity Interface
Adding Data Recovery Services
Setting Up a CMC Client
Setting Up the CMCAuth Authentication Plug-in
Setting Up the Server for Multiple Requests in a Full CMC Request
How the Certificate Manager Works
Enrollment
Renewal
Revocation
Federal Bridge CA
Issuing Cross-Pair Certificates
Importing Cross-Pair Certificates
Publishing Cross-Pair Certificates
Cloning a CA

Registration Manager

Registration Manager Deployment Considerations
Registration Manager Certificates
Registration Manager Interfaces
Password Storage
Internal Database
Signing Key Type and Length
Tokens
Installing a Registration Manager
Configuring a Registration Manager
Setting Up Trust With a CA
Adding Users
Configuring Authorization
Managing Certificates and the Certificate Database
Changing Ports and IP Addresses
Changing Subsystem Security Settings
Changing Passwords or Storage Settings
Configuring Logs
Changing Internal Database Settings
Configuring Self Test
Setting Up a Mail Server
Setting Up Authentication
Configuring Policies
Configuring Certificate Profiles
CRLs
Setting Up Notifications
Setting Up Jobs
Customizing the End Entity Interface
Adding Data Recovery Services
How a Registration Manager Works
Enrollment
Renewal
Revocation

OCSP Responder

About OCSP Services
How OCSP Services Work
OCSP Response Signing
OCSP Responses
CS OCSP Services
Setting Up a Certificate Manager with OCSP Service
Online Certificate Status Manager Deployment Considerations
Online Certificate Status Manager Certificates
Interfaces
Password Storage
Tokens
Internal Database
Signing Key Type and Length
Installing an Online Certificate Status Manager
Setting Up the OCSP Responder
Configuring the Online Certificate Status Manager
Adding Users
Configuring Authorization
Managing Certificates and the Certificate Database
OCSP Certificates
Changing Ports and IP Addresses
Changing Subsystem Security Settings
Changing Passwords or Storage Settings
Configuring Logs
Changing Internal Database Settings
Configuring Self Test
Setting Up Jobs
Identifying the CA to the OCSP Responder
Configuring the Revocation Info Stores
Testing Your OCSP Setup

Data Recovery Manager

PKI Setup for Key Archival and Recovery
Clients That Can Generate Dual Key Pairs
Data Recovery Manager
Forms for Users and Key Recovery Agents
Key Archival Process
Why You Should Archive Keys
Where the Keys are Stored
How Key Archival Works
Key Recovery Process
Key Recovery Agents and Their Passwords
How Agent-Initiated Key Recovery Works
Key Recovery Agent Scheme
Installing a Standalone Data Recovery Manager
Data Recovery Manager's Key Pairs and Certificates
Tokens
Internal Database
Key Type and Length
Installing the Data Recovery Manager
Configuring Key Archival and Recovery Process
Step 1. Set Up the Key Archival Process
Step 2. Set Up the Key Recovery Process
Step 3. Test Your Key Archival and Recovery Setup

Token Management System

Token Processing Service
Token Key Service
Enterprise Security Client

Administrative Basics

The Administrative Interface
Red Hat Administration Server
Red Hat Console
The CS Console
Setting Up Certificate Authentication for the CS Console
System Passwords
Password-Quality Checker
Passwords Stored by the Server
Starting, Stopping, and Restarting CS Instances
Starting a Server Instance
Stopping a Server Instance
Restarting a Server Instance
Subsystem Configuration Overview
Configuring Multiple CS Instances
Removing an Instance From a System
Mail Server
Configuration Files
Locating the Configuration File
Editing the Configuration File
Guidelines for Editing the Configuration File
Duplicating Configuration From One Instance to Another
Logs
About Logs
Services That Are Logged
Log Levels (Message Categories)
Buffered Versus Unbuffered Logging
Configuring Logs in the CS Console
Configuring Logs in the CS.cfg File
Monitoring Logs
Signing Log Files
Registering a Log Module
Deleting a Log Module
Signed Audit Log
Setting Up Signed Audit Logs
Audit Logging Failures
Self Tests
Self Test Logging
Self Test Configuration
Modifying Self Test Configuration
Ports
About Ports
Changing a Port Number
Changing an IP Address
The Internal Database
About the Internal Database
Changing the Internal Database Configuration
Enabling SSL Client Authentication with the Internal Database
Restricting Access to the Internal Database
Managing the Certificate Database
Viewing and Deleting Certificate Database Content
Changing the Trust Settings of a CA Certificate
Installing a New CA Certificate in the Certificate Database
Installing a CA Certificate Chain in the Certificate Database
Certificate Setup Wizard
Considerations When Getting New Certificates for the Subsystems
Tokens for Storing CS Keys and Certificates
Internal Token
External Token
Managing Tokens Used by the Subsystems
Hardware Cryptographic Accelerators
Configuring the Server's Security Preferences
Configuring the Server to Use Separate SSL Server Certificates
Getting an SSL Client Certificate for a Subsystem

Authorization

About Authorization
How Authorization Works
Default Groups
Setting Up Administrators, Agents, and Auditors
Creating a User and Assigning Them to a Group
Storing a User's Certificate
Setting Up Agents Using the Automated Process
Setting Up a Trusted Manager
Agent Certificates
First Agent Certificate for a Certificate Manager
Getting an Agent's Certificate from a Public CA
Getting an Agent's Certificate from Certificate System
Revocation Status Checking of Agent Certificates
Modifying CS User Entries
Changing a CS User's Login Information
Changing a CS User's Certificate
Changing Members in a Group
Deleting a CS User
Creating a New Group
Authorization for CS Users
Access Control Lists (ACLs)
Access Control Instructions (ACIs)
Changing Privileges
How ACIs are Formed
Editing ACLs
ACL Reference
certServer.acl.configuration
certServer.admin.certificate
certServer.admin.request.enrollment
certServer.auth.configuration
certServer.ca.certificate
certServer.ca.certificates
certServer.ca.configuration
certServer.ca.connector
certServer.ca.clone
certServer.ca.crl
certServer.ca.directory
certServer.ca.group
certServer.ca.ocsp
certServer.ca.profiles
certServer.ca.profile
certServer.ca.requests
certServer.ca.request.enrollment
certServer.ca.request.profile
certServer.ca.systemstatus
certServer.ee.certificate
certServer.ee.certificates
certServer.ee.certchain
certServer.ee.crl
certServer.ee.profile
certServer.ee.profiles
certServer.ee.facetofaceenrollment
certServer.ee.request.enrollment
certServer.ee.request.facetofaceenrollment
certServer.ee.request.ocsp
certServer.ee.request.revocation
certServer.ee.requestStatus
certServer.general.configuration
certServer.job.configuration
certServer.kra.certificate.transport
certServer.kra.configuration
certServer.kra.connector
certServer.kra.key
certServer.kra.keys
certServer.kra.request
certServer.kra.requests
certServer.kra.request.status
certServer.kra.systemstatus
certServer.log.configuration
certServer.log.configuration.SignedAudit.expirationTime
certServer.log.configuration.fileName
certServer.log.content.SignedAudit
certServer.log.content
certServer.ocsp.ca
certServer.ocsp.cas
certServer.ocsp.certificate
certServer.ocsp.configuration
certServer.ocsp.crl
certServer.policy.configuration
certServer.profile.configuration
certServer.publisher.configuration
certServer.ra.configuration
certServer.ra.certificate
certServer.ra.connector
certServer.ra.facetofaceenrollment
certServer.ra.facetofaceenrollment.enableHosts
certServer.ra.group
certServer.ra.profile
certServer.ra.profiles
certServer.ra.request.enrollment
certServer.ra.request.profile
certServer.ra.requests
certServer.registry.configuration
certServer.ra.systemstatus
certServer.usrgrp.administration

Authentication

Enrollment Overview
How Authentication Works
About Renewal
Dual-Key Pairs
Agent-Approved Enrollment
Setting Up Agent-Approved Enrollment
Automated Enrollment
Setting Up Directory Based Enrollment
Setting Up Pin Based Enrollment
Setting Up Portal Enrollment
Setting Up CMC Enrollment
Agent Initiated End User Enrollment
Setting Up Agent Initiated Enrollment
Certificate-Based Enrollment
Setting Up Certificate Based Enrollment
Issuing and Managing Server Certificates
Renewal of Server Certificates
Getting Certificates for Netscape Version 4.x and Later Servers
CEP Enrollment
About CEP Enrollment
Setting Up Automated CEP Enrollment
Setting Up Publishing of CEP Certificates and CRLs
Certificate Issuance to Routers or VPN Clients
Example
Testing Your Enrollment Setup
Managing Authentication Plug-ins
Generating Files Required By Third-Party Object Signing Tools

Certificate Profiles

About Certificate Profiles
How Certificate Profiles Work
Setting Up Certificate Profiles
Modifying a Certificate Profile
Certificate Profile Reference
Input Reference
Certificate Request Input
Dual Key Generation Input
Key Generation Input
Subject Name Input
Submitter Information Input
Output Reference
certOutputImpl
Defaults Reference
Authority Info Access Extension Default
Authority Key Identifier Extension Default
Basic Constraints Extension Default
CRL Distribution Points Extension Default
Extended Key Usage Extension Default
Freshest CRL Extension Default
Key Usage Extension Default
Name Constraints Extension Default
Red Hat Comment Extension Default
Netscape Certificate Type Extension Default
No Default Extension
OCSP No Check Extension Default
Policy Constraints Extension Default
Policy Mappings Extension Default
Signing Algorithm Default
Subject Alternative Name Extension Default
Subject Key Identifier Extension Default
Subject Name Default
Token Supplied Subject Name Default
User Supplied Extension Default
User Supplied Key Default
User Signing Algorithm Default
User Supplied Subject Name Default
User Supplied Validity Default
Validity Default
Constraints Reference
Basic Constraints Extension Constraint
Extended Key Usage Extension Constraint
Extension Constraint
Key Constraint
Key Usage Extension Constraint
No Constraint
Netscape Certificate Type Extension Constraint
Signing Algorithm Constraint
Subject Name Constraint
Validity Constraint

Policies

Introduction to Policy
About Policy
Policy Rules
Policy Processor
Using Predicates in Policy Rules
Configuring Policy Rules for a Subsystem
Modifying Policy Rules
Deleting Policy Rules
Adding New Policy Rules
Reordering Policy Rules
Testing Policy Configuration
Using JavaScript for Policies
Constraints-Specific Policy Module Reference
AttributePresentConstraints
DSAKeyConstraints
IssuerConstraints
KeyAlgorithmConstraints
RenewalConstraints
RenewalValidityConstraints
RevocationConstraints
RSAKeyConstraints
SigningAlgorithmConstraints
SubCANameConstraints
UniqueSubjectNameConstraints
ValidityConstraints
Extension-Specific Policy Module Reference
AuthInfoAccessExt
AuthorityKeyIdentifierExt
BasicConstraintsExt
CertificatePoliciesExt
CertificateRenewalWindowExt
CertificateScopeOfUseExt
CRLDistributionPointsExt
ExtendedKeyUsageExt
GenericASN1Ext
IssuerAltNameExt
KeyUsageExt
NameConstraintsExt
NSCCommentExt
NSCertTypeExt
OCSPNoCheckExt
PolicyConstraintsExt
PolicyMappingsExt
PrivateKeyUsagePeriodExt
RemoveBasicConstraintsExt
SubjectAltNameExt
SubjectDirectoryAttributesExt
SubjectKeyIdentifierExt
Managing Policy Plug-in Modules
Registering a Policy Module
Deleting a Policy Module

Automated Notifications

About Automated Notifications
Setting Up Automated Notifications
Types of Automated Notifications
Determining End-Entity Email Addresses
Setting Up Automated Notifications
Configuring Specific Notifications By Editing the Configuration File
Testing Your Configuration
Customizing Notification Messages
Notification Message Templates
Token Definitions

Automated Jobs

About Automated Jobs
Setting Up Automated Jobs
Types of Automated Jobs
Setting Up the Job Scheduler
Frequency Settings for Automated Jobs
Enabling and Configuring the Job Scheduler
Setting Up Specific Jobs
Enabling and Configuring Specific Jobs Using the CS Console
Enabling and Configuring Specific Jobs By Editing the Configuration File
Configuration Parameters of RenewalNotificationJob
Configuration Parameters of RequestInQueueJob
Configuration Parameters of UnpublishExpiredJob
Customizing Notification Messages
Templates for Summary Notifications
Token Definitions
Managing Job Plug-ins
Registering or Deleting a Job Module

Revocation and CRLs

Revocation
Authentication of End Users During Certificate Revocation
Certificate Revocation Forms
CMCRevocation
Setting Up CMC Revocation
Testing CMC Revoke
About CRLs
Reasons for Revoking a Certificate
Revocation Checking by Red Hat Servers
Publishing of CRLs
CRL Issuing Points
Delta CRLs
How CRLs Work
Setting Up the Issuance of CRLs
Configuring Issuing Points
Configuring CRLs for Each Issuing Point
Setting CRL Extensions
CRL Extension Reference
AuthorityKeyIdentifier
CRLNumber
CRLReason
DeltaCRLIndicator
FreshestCRL
HoldInstruction
InvalidityDate
IssuerAlternativeName
IssuingDistributionPoint

Publishing

About Publishing
About Publishers
About Mappers
About Rules
About Publishing to Files
About LDAP Publishing
About OCSP Publishing
How Publishing Works
Setting Up Publishing
Publishers
Configuring Publishers for Publishing to a File
Configuring Publishers for Publishing to OCSP
Configuring Publishers for LDAP Publishing
Publisher Plug-in Module Reference
Mappers
Configuring Mappers
Mapper Plug-in Modules Reference
Rules
Modifying Publishing Rules for Certificates and CRLs
Rule Instance Reference
Enabling Publishing
Testing Publishing to Files
Configuring the Directory for LDAP Publishing
Schema
Entry for the CA
Bind DN
Directory Authentication Method
Updating Certificates and CRLs in a Directory
Manually Updating Certificates in the Directory
Manually Updating the CRL in the Directory
Registering and Deleting Mapper and Publisher Plug-in Modules

Configuring CS for High Availability

CS High Availability Overview
Architecture of a Failover System
Load Balancing
Cloning the Certificate Manager
Cloning Preparation
Cloning the CA
Testing the CA Cloned-Master Connection
Additional CRL Scheduling Information
Cloned-Master CA Conversion
Converting a Master CA into a Cloned CA
Converting a Cloned CA into a Master CA
Cloning the Online Certificate Status Manager
Preparing to Clone the Online Certificate Status Manager
Cloning the OCSP Responder
Testing the OCSP Cloned-Master Connection
Cloned-Master OCSP Responder Conversion
Converting a Master OCSP Responder into a Cloned OCSP Responder
Converting a Cloned OCSP Responder into a Master OCSP Responder
Cloning the Data Recovery Manager
Preparing to Clone the DRM
Cloning the DRM
Testing the DRM Cloned-Master Connection
Cloned-Master DRM Responder Conversion

Common Criteria Environment: Security Requirements

Security Requirements for the IT Environment
Security Audit (FAU)
Cryptographic support (FCS)
User Data Protection (FDP)
Identification and authentication (FIA)
Security management (FMT)
Protection of the TSF (FPT)
Trusted path/channels (FTP)
CIMC TOE Access Control Policy

Common Criteria Environment: Setup and Operations

PKI Overview
Security Objectives
TOE Security Environment Assumptions
Security Requirements for the IT Environment
IT Environment Assumptions
Reliable Timestamp
Private and Secret Key Zeroization
Password and Certificate Storage
Hardware Token
Protection of Private and Secret Keys
Supported Operating Systems
Supported Browsers
CS Privileged Users and Groups (Roles)
CA
RA
DRM
OCSP
About Roles
CS Common Criteria Environment Setup and Installation Guide
Understanding Setup of Common Criteria Evaluated Red Hat CS
CS Common Criteria Environment Setup and Installation Process

Understanding the Common Criteria Evaluated CS Setup

Understanding the Common Criteria Environment
Secure Environment
CS Roles Assignment
Who Needs to be Present
Understanding Operating System Setup (Users, Groups, and File Permissions)
Understanding CS Installation
Configuring CS to Use Hardware Tokens
Revocation Checking
SSL Client Authentication with the Internal Database
CS Administrative Console
Backup and Restore of a CS Subsystem
Common Criteria Deployment Scenarios
Features That Are Not Part of the Common Criteria Environment
Understanding Subsystem Setup
CS Role Users and Authorization
Audit Logs
Certificate Profiles
Certificate Policies
Authentication
CRLs
Jobs
Notifications
Publishing
Self Tests
Trust Between Subsystems
Key Archival and Recovery
OCSP Responder Revocation Information Store
Common Criteria Environment Setup Procedures

Common Criteria Environment: Security Objectives

1.1 Security Objectives for the TOE
1.1.1 Authorized Users
1.1.2 System
1.1.3 Cryptography
1.1.4 External Attacks
1.2 Security Objectives for the Environment
1.2.1 Non-IT security objectives for the environment
1.2.2 IT security objectives for the environment
1.3 Security Objectives for both the TOE and the Environment

Common Criteria Environment: TOE Security Environment Assumptions

1.1 Secure Usage Assumptions
1.1.1 Personnel Assumptions
1.1.2 Physical Assumptions
1.1.3 Connectivity Assumptions
1.2 Threats
1.2.1 Authorized Users
1.2.2 System
1.2.3 Cryptography
1.2.4 External Attacks
1.3 Organization Security Policies

Certificate Download Specification

Data Formats
Binary Formats
Text Formats
Importing Certificate Chains
Importing Certificates into Communicator
Importing Certificates into Red Hat Servers
Object Identifiers

Certificate and CRL Extensions

Introduction to Certificate Extensions
Structure of Certificate Extensions
Sample Certificate Extensions
Standard X.509 v3 Certificate Extensions
Introduction to CRL Extensions
Structure of CRL Extensions
Sample CRL and CRL Entry Extensions
Standard X.509 v3 CRL Extensions
Extensions for CRLs
CRL Entry Extensions
Netscape-Defined Certificate Extensions
CA Certificates and Extension Interactions

Object Identifiers

What's an Object Identifier?
Registration of Object Identifiers

Distinguished Names

What Is a Distinguished Name?
Distinguished Name Components
DNs in Certificate System
Extending Attribute Support
Role of Distinguished Names in Certificates

Introduction to Public-Key Cryptography

Internet Security Issues
Encryption and Decryption
Symmetric-Key Encryption
Public-Key Encryption
Key Length and Encryption Strength
Digital Signatures
Certificates and Authentication
A Certificate Identifies Someone or Something
Authentication Confirms an Identity
How Certificates Are Used
Contents of a Certificate
How CA Certificates Are Used to Establish Trust
Managing Certificates
Issuing Certificates
Certificates and the LDAP Directory
Key Management
Renewing and Revoking Certificates
Registration Authorities

Introduction to SSL

The SSL Protocol
Ciphers Used with SSL
Cipher Suites With RSA Key Exchange
Fortezza Cipher Suites
The SSL Handshake
Server Authentication
Man-in-the-Middle Attack
Client Authentication

Glossary

Index

© 2001 Sun Microsystems, Inc. Used by permission. © 2005 Red Hat, Inc. All rights reserved.
Read the Full Copyright and Third-Party Acknowledgments.

last updated September 26, 2005