Evaluation Guidelines: Red Hat Certificate System 7.1
This page provides links and other information relevant to evaluating Red Hat Certificate System 7.1.
For links to all documentation available online, including release notes, see the entries listed at the top of this page: Red Hat Certificate System Documentation.
Background Information and Other Useful Documentation
Red Hat Certificate System Administrators' Guide: This PDF document has not yet been updated for the most recent hardware-token-related features (see below). However, much of its content is still useful for evaluation purposes, including the following chapters:
- Chapter 1, Overview
- Chapter 2, Installation
- Appendix J, Introduction to Public Key Cryptography
New Features in Red Hat Certificate System 7.1
The most important new features in this release involve integrated token management. For detailed documentation on these features, see the following:
Token-related features available in this release include the following:
- Token Management support for key archival and recovery: If a token is lost, stolen, or broken, end users can now get a usable, permanent replacement. Similarly, users can get a temporary replacement if they leave a token at home.
Two broad areas have been improved in this release to meet these requirements:
- Key archival and recovery: With this release, an administrator can:
- Specify the location where each private encryption key is generated (either on the token or on the server); note that a key generated on the token never leaves it, so only server-generated encryption keys can be archived for later recovery
- Set up policies for automatic archival of private encryption keys
- Set up policies for automatic generation of new signing keys (on the token) for a new or replacement token
- Approve or reject key recovery requests from users, with the assurance that new token enrollment will be blocked for a given user until approval occurs
- Enrollment Authentication Framework: Customers can now leverage their existing authentication infrastructure to support token management operations such as enrollment, key recovery, and PIN reset. To support this requirement, this release provides:
- A flexible TPS API for authentication plugins
- Enterprise Security Client (ESC) that supports the new authentication API
- ACL-Based Recovery Approval: This release supports the following:
- A recovery approval process based on certificate-based SSL client authentication and Access Control Lists (ACLs), in which a key recovery proceeds only after n of m administrators, each authorized by membership in the appropriate group, have approved it.
- Client Software: This release includes the following desktop software for clients. Note: For this release only, ESC will not be supported on RHEL 3. In addition, for this release only, administrators will need to repackage the ESC installer to indicate the URL of the TPS that ESC will communicate with. For future releases, we will develop a more generic solution that doesn't require repackaging.
- Windows XP Client installer using an Installer wizard that:
- Installs and registers Axalto device drivers.
- Installs ESC client along with security libraries.
- Windows XP ESC that can:
- Recover private key and insert it into a new token
- Install a PKCS#11 module for use with Windows versions of Firefox and Mozilla
- RHEL 4 RPM that
- Installs and registers Axalto device drivers.
- Installs ESC along with security libraries.
- RHEL 4 ESC that can:
- Support key archival for recovery
- Support digitally signed and encrypted email within Thunderbird from the token
- Install a PKCS#11 module for use with RHEL versions of Firefox and Mozilla
- Mac OS X ESC installer that can mount a standard Mac installation volume
- Mac OS X ESC that can:
- Support key archival for recovery
- Support digitally signed and encrypted email within Thunderbird from the token
- Applet on token: The applet on the token communicates with the TPS, via the ESC, using the GlobalPlatform protocol.
- To support private key archival and recovery, the applet on the token supports injection of a wrapped private key from the DRM during enrollment and key recovery.
- SHA-256 and SHA-512: To address the recently published collision attacks on SHA-1, this release supplements SHA-1 support with support for SHA-256 and SHA-512. SHA-1 remains available for compatibility with existing certificates and clients, so evaluators should check which digest each profile actually selects.
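The archival, n-of-m approval and wrapped-key injection steps listed above (key archival and recovery, ACL-based recovery approval, and the applet's acceptance of a wrapped private key from the DRM), as one added example that is not Red Hat Certificate System code. It is a constructed Go simulation in which the DRM, the approval gate and the token applet all live in one process: AES-GCM stands in for the product's actual key-wrapping format, the DRM storage key is a random symmetric key, the user's private key is an opaque byte string, and SSL client-certificate authentication of each agent is assumed to have happened before Approve is called. The names NewDRM, Archive, Approve, Recover, Wrap and Unwrap are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// DRM simulates the Data Recovery Manager and its n-of-m recovery approval gate.
// Archived keys are AES-GCM wrapped under a DRM storage key (constructed illustration).
type DRM struct {
	storageKey []byte
	quorum     int                        // approvals required (n of m)
	approvers  map[string]bool            // recovery-approval group members
	archive    map[string][]byte          // user -> wrapped private key
	approvals  map[string]map[string]bool // user -> agents who have approved
}

func NewDRM(approvers []string, quorum int) (*DRM, error) {
	if quorum < 1 || quorum > len(approvers) {
		return nil, fmt.Errorf("quorum %d not between 1 and group size %d", quorum, len(approvers))
	}
	d := &DRM{storageKey: make([]byte, 32), quorum: quorum, approvers: map[string]bool{},
		archive: map[string][]byte{}, approvals: map[string]map[string]bool{}}
	if _, err := rand.Read(d.storageKey); err != nil { return nil, err }
	for _, a := range approvers {
		d.approvers[a] = true
	}
	return d, nil
}

func gcm(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Wrap returns nonce||AES-GCM ciphertext of key material under kek.
func Wrap(kek, material []byte) ([]byte, error) {
	g, err := gcm(kek)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, material, nil), nil
}

// Unwrap reverses Wrap; the token applet does this with its own key.
func Unwrap(kek, blob []byte) ([]byte, error) {
	g, err := gcm(kek)
	if err != nil { return nil, err }
	if len(blob) < g.NonceSize() { return nil, fmt.Errorf("wrapped key blob too short") }
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// Archive stores a server-generated private encryption key at enrollment.
func (d *DRM) Archive(user string, privKey []byte) (err error) {
	d.archive[user], err = Wrap(d.storageKey, privKey)
	return err
}

// Approve records one agent's approval; the ACL check is group membership
// (the agent's SSL client-certificate authentication is assumed already done).
func (d *DRM) Approve(user, agent string) error {
	if !d.approvers[agent] {
		return fmt.Errorf("agent %q is not in the recovery-approval group", agent)
	}
	if d.approvals[user] == nil { d.approvals[user] = map[string]bool{} }
	d.approvals[user][agent] = true // a repeat approval by the same agent counts once
	return nil
}

// Recover re-wraps the archived key under the replacement token's key once n of m
// approvals exist (until then the TPS would also block a new enrollment for the user).
// The plaintext never leaves the DRM, and the approvals are consumed on success.
func (d *DRM) Recover(user string, tokenKey []byte) ([]byte, error) {
	wrapped, ok := d.archive[user]
	if !ok {
		return nil, fmt.Errorf("no archived key for %q", user)
	}
	if n := len(d.approvals[user]); n < d.quorum {
		return nil, fmt.Errorf("%q has %d of %d required approvals", user, n, d.quorum)
	}
	privKey, err := Unwrap(d.storageKey, wrapped)
	if err != nil { return nil, err }
	delete(d.approvals, user)
	return Wrap(tokenKey, privKey)
}

func main() {
	drm, _ := NewDRM([]string{"alice", "bob", "carol"}, 2)
	_ = drm.Archive("jdoe", []byte("constructed stand-in for jdoe's private key"))
	tokenKey := []byte("0123456789abcdef") // constructed key shared with the token applet
	_, err := drm.Recover("jdoe", tokenKey)
	fmt.Println("before approval:", err)
	_, _ = drm.Approve("jdoe", "alice"), drm.Approve("jdoe", "bob") // 2 of 3
	blob, _ := drm.Recover("jdoe", tokenKey)
	key, _ := Unwrap(tokenKey, blob)
	fmt.Printf("recovered on token: %s\n", key)
}
```

The two properties worth checking against a real deployment are the ones the simulation makes explicit: the DRM releases nothing until the quorum is met (a second approval from the same agent does not count), and what it releases is only ever readable by the holder of the replacement token's key, so a captured blob is useless without the token.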