Red Hat Certificate System 7.3 Administrator's Guide

Legal Notice

Updated September 10, 2008

Abstract

This manual covers all aspects of installing, configuring, and managing Certificate System subsystems. It also covers management tasks such as adding users; requesting, renewing, and revoking certificates; publishing CRLs; and managing smart cards. This guide is intended for Certificate System administrators.


About This Guide
1. Recommended Knowledge
2. What Is in This Guide
3. Examples and Formatting
4. Additional Reading
5. Giving Feedback
6. Revision History
1. Overview
1.1. Features
1.1.1. Subsystems
1.1.2. Interfaces
1.1.3. Logging
1.1.4. Auditing
1.1.5. Self-Tests
1.1.6. Authorization
1.1.7. Security-Enhanced Linux Support
1.1.8. Authentication
1.1.9. Registration Authority
1.1.10. SCEP
1.1.11. Certificate Issuance
1.1.12. Certificate Profiles
1.1.13. CRLs
1.1.14. Publishing
1.1.15. Notifications
1.1.16. Jobs
1.1.17. Dual Key Pairs
1.1.18. HSMs and Crypto Accelerators
1.1.19. Support for Open Standards
1.1.20. Java™ SDK Extension Mechanism for Customization
1.2. How the Certificate System Works
1.2.1. About the Certificate Manager
1.2.2. How the Certificate Manager Works
1.2.3. Data Recovery Manager
1.2.4. Online Certificate Status Manager
1.2.5. Token Key Service
1.2.6. Token Processing System
1.3. Deployment Scenarios
1.3.1. Single Certificate Manager
1.3.2. Certificate Manager and DRM
1.3.3. Cloned Certificate Manager
1.3.4. Smart Card Enrollment
1.4. System Architecture
1.4.1. Certificate System Instance
1.4.2. HTTP Engine
1.4.3. User Interfaces
1.4.4. JSS and the JNI Layer
1.4.5. NSS
1.4.6. PKCS #11
1.4.7. Management Tools
1.4.8. JRE
1.4.9. Internal Database
1.4.10. SSL/TLS and Supported Cipher Suites
1.5. CS SDK
1.6. Support for Open Standards
1.6.1. Certificate Management Formats and Protocols
1.6.2. Security and Directory Protocols
2. Installation and Configuration
2.1. Deployment Considerations
2.1.1. Security Domains
2.1.2. Cloning a Subsystem
2.1.3. Self-Signed Root CA or Subordinate CA
2.2. Prerequisites
2.2.1. Supported Platforms
2.2.2. Required Programs and Dependencies
2.2.3. Packages Installed
2.3. Configuration Preparation
2.3.1. Required Information
2.3.2. Default Settings
2.4. Configuration Setup Wizard
2.4.1. Security Domain Panel
2.4.2. Subsystem Type Panel
2.4.3. PKI Hierarchy Panel
2.4.4. CA Information Panel
2.4.5. TKS Information Panel
2.4.6. DRM Information Panel
2.4.7. Authentication Directory Panel
2.4.8. Internal Database Panel
2.4.9. Key Store Panel
2.4.10. Key Pairs Panel
2.4.11. Subject Names Panel
2.4.12. Requests and Certificates Panel
2.4.13. Export Keys and Certificates Panel
2.4.14. Administrator Panel
2.5. Installing the Certificate System
2.5.1. Installing from an ISO Image
2.5.2. Installing through up2date
2.6. Configuring the Default Subsystem Instances
2.6.1. Configuring a CA
2.6.2. Configuring a DRM, OCSP, or TKS
2.6.3. Configuring a TPS
2.7. Creating Additional Subsystem Instances
2.7.1. Cloning a Subsystem
2.8. Silent Installation
2.9. Updating Certificate System Packages
2.9.1. Updating Certificate System on Red Hat Enterprise Linux
2.9.2. Updating Certificate System on Solaris
2.10. Uninstalling Certificate System Subsystems
2.10.1. Removing a Subsystem Instance
2.10.2. Removing Certificate System Subsystems
3. Administrative Basics
3.1. Administrative Console
3.2. Enabling SSL Client Authentication for the Certificate System Console
3.3. System Passwords
3.3.1. Protecting the password.conf File
3.3.2. Password-Quality Checker
3.4. Starting, Stopping, and Restarting Certificate System Subsystems
3.4.1. Starting a Server Instance
3.4.2. Stopping a Server Instance
3.4.3. Restarting a Server Instance
3.4.4. Restarting a Subsystem after a Machine Restart
3.5. Mail Server
3.6. Configuration Files
3.6.1. Locating the Configuration File
3.6.2. Editing the Configuration File
3.6.3. Guidelines for Editing the Configuration File
3.6.4. Duplicating Configuration from One Instance to Another
3.6.5. Other File Locations
3.6.6. Default Server Instance Locations
3.7. Using Security-Enhanced Linux
3.8. Using Java Servlets
3.9. Logs
3.9.1. About Logs
3.9.2. Services That Are Logged
3.9.3. Log Levels (Message Categories)
3.9.4. Buffered Versus Unbuffered Logging
3.9.5. Log File Rotation
3.9.6. Configuring Logs in the Console
3.9.7. Configuring Logs in the CS.cfg File
3.9.8. Configuring TPS Logs
3.9.9. Monitoring Logs
3.9.10. Signing Log Files
3.9.11. Registering a Log Module
3.9.12. Deleting a Log Module
3.9.13. Signed Audit Log
3.10. Self-Tests
3.10.1. Self-Test Logging
3.10.2. Self-Test Configuration
3.10.3. Modifying Self-Test Configuration
3.11. Ports
3.11.1. About Ports
3.11.2. Changing a Port Number
3.12. The Internal LDAP Database
3.12.1. Changing the Internal Database Configuration
3.12.2. Enabling SSL Client Authentication with the Internal Database
3.12.3. Restricting Access to the Internal Database
3.13. Backing up and Restoring Certificate System
4. Certificate Manager
4.1. How the Certificate Manager Works
4.1.1. Enrollment
4.1.2. Renewal
4.1.3. Revocation
4.2. Certificate Manager Certificates
4.2.1. CA Signing Key Pair and Certificate
4.2.2. OCSP Signing Key Pair and Certificate
4.2.3. SSL Server Key Pair and Certificate
4.2.4. Certificate Considerations
4.2.5. Cross-Pair Certificates
4.3. CA Hierarchy
4.3.1. Subordination to a Public CA
4.3.2. Subordination to a Certificate System CA
4.4. Security Domains
4.4.1. The domain.xml File
4.4.2. Security Domain Roles
4.4.3. Creating a Security Domain
4.4.4. Joining a Security Domain
4.4.5. Additional Security Domain Information
4.5. Configuring the Certificate Manager Instance
4.6. CA Certificate Renewal or Reissuance
4.7. Changing the Rules for Issuing Certificates
4.8. Setting Restrictions on CA Certificates through Certificate Extensions
4.9. Creating Certificate Manager Agents and Administrators
4.10. Checking the Revocation Status of Agent Certificates
4.11. CRL Signing Key Pair and Certificate
4.12. DNs in the Certificate System
4.12.1. Extending Attribute Support
5. Registration Authority
5.1. Introduction
5.1.1. What is a Registration Authority?
5.1.2. Enrollment Types
5.1.3. Roles
5.1.4. Interfaces
5.2. Installation and Configuration
5.2.1. Configuration
5.2.2. Directory Structure
5.2.3. Configuration Parameters
5.2.4. RA Request Queue Plugins
5.2.5. Libraries
5.3. Working With the Registration Authority
5.3.1. Configuring Additional RA Instances
5.3.2. Customizing the Subject DN in the CSR
5.3.3. Using the End Users Services Interface
5.3.4. Using the Agent Services Interface
5.3.5. Using the Administrator Interface
5.3.6. Command-line Operations
6. Online Certificate Status Protocol Responder
6.1. About OCSP Services
6.1.1. OCSP Response Signing
6.1.2. OCSP Responses
6.2. CA OCSP Services
6.2.1. The Certificate Manager's Internal OCSP Service
6.2.2. Online Certificate Status Manager
6.3. Online Certificate Status Manager Certificates
6.3.1. OCSP Signing Key Pair and Certificate
6.3.2. SSL Server Key Pair and Certificate
6.3.3. Recognizing Online Certificate Status Manager Certificates
6.4. Configuring the Online Certificate Status Manager
6.5. Creating Online Certificate Status Manager Agents and Administrators
6.6. Configuring the Certificate Manager's Internal OCSP Service
6.7. Setting up the OCSP Responder
6.8. Identifying the CA to the OCSP Responder
6.8.1. Verify Certificate Manager and Online Certificate Status Manager Connection
6.8.2. Configure the Revocation Info Stores
6.9. Testing the OCSP Service Setup
6.10. Submitting OCSP Requests Using the GET Method
6.11. Setting up a Redirect for Certificates Issued in Certificate System 7.1 and Earlier
7. Data Recovery Manager
7.1. PKI Setup for Archiving and Recovering Keys
7.1.1. Clients That Can Generate Dual Key Pairs
7.2. Data Recovery Manager Certificates
7.2.1. Transport Key Pair and Certificate
7.2.2. Storage Key Pair
7.2.3. SSL Server Certificate
7.3. Forms for Users and Key Recovery Agents
7.4. Overview of Archiving Keys
7.4.1. Reasons to Archive Keys
7.4.2. Where the Keys Are Stored
7.4.3. How Key Archival Works
7.5. Overview of Key Recovery
7.5.1. Key Recovery Agents and Their Passwords
7.5.2. Key Recovery Agent Scheme
7.6. Configuring Key Archival and Recovery Process
7.6.1. Setting up Key Archival
7.6.2. Setting up Key Recovery
7.6.3. Testing the Key Archival and Recovery Setup
7.7. Creating Data Recovery Manager Agents and Administrators
8. Token Processing System
8.1. Working with Multiple Instances of a Subsystem
8.1.1. Configuring Failover Support
8.1.2. Configuring Multiple Instances for Different Functions
8.2. Formatting Smart Cards
8.3. Resetting the Smart Card PIN
8.4. Applet Upgrade
8.5. Enrolling Smart Cards through the Enterprise Security Client
8.5.1. Enabling SSL in the TPS
8.5.2. Server-Side Key Generation and Archival of Encryption Keys
8.5.3. Smart Card Certificate Enrollment Profiles
8.5.4. Automating Encryption Key Recovery
8.5.5. Configuring Symmetric Key Changeover
8.5.6. Setting Token Types for Specified Smart Cards
8.6. Configuring LDAP Authentication
8.7. Token Database
8.8. Configuring TPS Logging
8.8.1. Thread Correlation
8.9. TPS Configuration Parameters
8.9.1. TKS Configuration File Parameters
9. Token Key Service
9.1. Overview
9.2. Using Master Keys
9.3. Configure the TKS to Associate the Master Key with Its Version
9.4. Using HSM for Generating Keys
9.5. Creating Token Key Service Agents and Administrators
10. Enterprise Security Client
11. Managing Certificates
11.1. Certificate Overview
11.1.1. Types of Certificates
11.1.2. Determining Which Certificates to Install
11.1.3. Certificate Data Formats
11.1.4. Certificate Setup Wizard
11.2. Requesting and Receiving Certificates
11.2.1. Requesting Certificates
11.2.2. Submitting Certificate Requests
11.2.3. Retrieving Certificates from the End-Entities Page
11.3. Managing User Certificates
11.3.1. Managing Certificate System User and Agent Certificates
11.3.2. Importing Certificates into Mozilla Firefox
11.4. Managing the Certificate Database
11.4.1. Installing Certificates in the Certificate System Database
11.4.2. Viewing Database Content
11.4.3. Deleting Certificates from the Database
11.4.4. Changing the Trust Settings of a CA Certificate
11.5. Renewing Certificates
11.5.1. Renewing Certificates through the Console
11.5.2. Renewing Certificates Using certutil
11.6. Configuring the Server Certificate Use Preferences
12. Managing Tokens
12.1. Tokens for Storing Certificate System Keys and Certificates
12.1.1. Internal Tokens
12.1.2. External Tokens
12.1.3. Considerations for External Tokens
12.2. Using Hardware Security Modules with Subsystems
12.2.1. Chrysalis LunaSA HSM
12.2.2. Installing External Tokens and Unsupported HSM
12.3. Managing Tokens Used by the Subsystems
12.3.1. Viewing Tokens
12.3.2. Changing a Token's Password
12.4. Detecting Tokens
12.5. Hardware Cryptographic Accelerators
13. Certificate Profiles
13.1. About Certificate Profiles
13.2. How Certificate Profiles Work
13.3. Setting up Certificate Profiles
13.3.1. Modifying Certificate Profiles through the CA Console
13.3.2. Modifying Certificate Profiles through the Command Line
13.3.3. Populating Certificates with Directory Attributes
13.3.4. Customizing the Enrollment Form
13.4. Certificate Profile Reference
13.5. Input Reference
13.5.1. Certificate Request Input
13.5.2. CMC Certificate Request Input
13.5.3. Dual Key Generation Input
13.5.4. File-Signing Input
13.5.5. Image Input
13.5.6. Key Generation Input
13.5.7. nsHcertificateRequest (Token Key) Input
13.5.8. nsNcertificateRequest (Token User Key) Input
13.5.9. Subject DN Input
13.5.10. Subject Name Input
13.5.11. Submitter Information Input
13.6. Output Reference
13.6.1. Certificate Output
13.6.2. PKCS #7 Output
13.6.3. CMMF Output
13.7. Defaults Reference
13.7.1. Authority Info Access Extension Default
13.7.2. Authority Key Identifier Extension Default
13.7.3. Basic Constraints Extension Default
13.7.4. CRL Distribution Points Extension Default
13.7.5. Extended Key Usage Extension Default
13.7.6. Freshest CRL Extension Default
13.7.7. Issuer Alternative Name Extension Default
13.7.8. Key Usage Extension Default
13.7.9. Name Constraints Extension Default
13.7.10. Netscape Certificate Type Extension Default
13.7.11. Netscape Comment Extension Default
13.7.12. No Default Extension
13.7.13. OCSP No Check Extension Default
13.7.14. Policy Constraints Extension Default
13.7.15. Policy Mappers Extension Default
13.7.16. Signing Algorithm Default
13.7.17. Subject Alternative Name Extension Default
13.7.18. Subject Directory Attributes Extension Default
13.7.19. Subject Key Identifier Extension Default
13.7.20. Subject Name Default
13.7.21. Token Supplied Subject Name Default
13.7.22. User Supplied Extension Default
13.7.23. User Supplied Key Default
13.7.24. User Signing Algorithm Default
13.7.25. User Supplied Subject Name Default
13.7.26. User Supplied Validity Default
13.7.27. Validity Default
13.8. Constraints Reference
13.8.1. Basic Constraints Extension Constraint
13.8.2. Extended Key Usage Extension Constraint
13.8.3. Extension Constraint
13.8.4. Key Constraint
13.8.5. Key Usage Extension Constraint
13.8.6. No Constraint
13.8.7. Netscape Certificate Type Extension Constraint
13.8.8. Signing Algorithm Constraint
13.8.9. Subject Name Constraint
13.8.10. Unique Subject Name Constraint
13.8.11. Validity Constraint
14. Revocation and CRLs
14.1. Revocation
14.1.1. SSL Client Authenticated Revocation
14.1.2. Certificate Revocation Forms
14.2. CMC Revocation
14.2.1. Setting up CMC Revocation
14.2.2. Testing CMC Revoke
14.3. About CRLs
14.3.1. Reasons for Revoking a Certificate
14.3.2. Publishing CRLs
14.3.3. CRL Issuing Points
14.3.4. Delta CRLs
14.3.5. How CRLs Work
14.4. Issuing CRLs
14.4.1. Configuring Issuing Points
14.4.2. Configuring CRLs for Each Issuing Point
14.4.3. Setting CRL Extensions
14.5. Additional CRL Scheduling Information
15. Publishing
15.1. About Publishing
15.1.1. About Publishers
15.1.2. About Mappers
15.1.3. About Rules
15.1.4. Publishing to Files
15.1.5. LDAP Publishing
15.1.6. OCSP Publishing
15.1.7. How Publishing Works
15.2. Setting up Publishing
15.3. Publishers
15.3.1. Configuring Publishers for Publishing to a File
15.3.2. Configuring Publishers for Publishing to OCSP
15.3.3. Configuring Publishers for LDAP Publishing
15.4. Mappers
15.4.1. Configuring Mappers
15.5. Rules
15.5.1. Modifying Publishing Rules for Certificates and CRLs
15.6. Enabling Publishing
15.6.1. Publishing Cross-Pair Certificates
15.7. Testing Publishing to Files
15.8. Viewing Certificates and C