
Red Hat Certificate System 8.0 Admin Guide - Red Hat Customer PDF

564 Pages·2013·6.22 MB·English

Preview Red Hat Certificate System 8.0 Admin Guide - Red Hat Customer

Red Hat Certificate System 8.0 Admin Guide
Installing, configuring, and managing Red Hat Certificate System 8.0 subsystems
Edition 8.0.22
Landmann [email protected]

Legal Notice

Copyright © 2009 Red Hat, Inc. This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed. Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries. Linux ® is the registered trademark of Linus Torvalds in the United States and other countries. Java ® is a registered trademark of Oracle and/or its affiliates. XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries. MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and other countries. Node.js ® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project. The OpenStack ® Word Mark and OpenStack Logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community. All other trademarks are the property of their respective owners.

Abstract

This manual covers all aspects of installing, configuring, and managing Certificate System subsystems. It also covers management tasks such as adding users; requesting, renewing, and revoking certificates; publishing CRLs; and managing smart cards. This guide is intended for Certificate System administrators.

Table of Contents

About This Guide 16
  1. Recommended Concepts 16
  2. What Is in This Guide 16
  3. Supported Platforms, Hardware, and Programs 17
    3.1. Supported Platforms 17
    3.2. Supported Web Browsers 18
    3.3. Supported Smart Cards 18
    3.4. Supported HSM 19
    3.5. Supported Charactersets 19
  4. Examples and Formatting 19
    4.1. Formatting for Examples and Commands 19
    4.2. Tool Locations 20
    4.3. Guide Formatting 20
  5. Additional Reading 21
  6. Giving Feedback 21
  7. Document History 22

Chapter 1. Overview of Red Hat Certificate System Subsystems 25
  1.1. How Certificates Are Used 25
    1.1.1. Uses for Certificates 25
      1.1.1.1. SSL 25
      1.1.1.2. Signed and Encrypted Email 25
      1.1.1.3. Single Sign-on 26
      1.1.1.4. Object Signing 26
    1.1.2. Types of Certificates 26
      1.1.2.1. CA Signing Certificates 29
      1.1.2.2. Other Signing Certificates 29
      1.1.2.3. SSL Server and Client Certificates 29
      1.1.2.4. User Certificates 29
      1.1.2.5. Dual-Key Pairs 29
      1.1.2.6. Cross-Pair Certificates 30
  1.2. A Review of Certificate System Subsystems 30
    1.2.1. Certificate Manager 30
    1.2.2. Registration Authority 31
    1.2.3. Data Recovery Manager 31
    1.2.4. Online Certificate Status Manager 31
    1.2.5. Token Processing System 31
    1.2.6. Token Key Service 32
    1.2.7. Enterprise Security Client 32
  1.3. A Look at Managing Certificates 32
  1.4. A Look at the Token Management System 34
  1.5. Red Hat Certificate System Services 36
    1.5.1. Interfaces for Administrators 36
      1.5.1.1. The Java Administrative Console for CA, OCSP, DRM, and TKS Subsystems 36
      1.5.1.2. The Administrative Interface for the RA and TPS 37
    1.5.2. Agent Interfaces 38
    1.5.3. End User Pages 39
    1.5.4. Enterprise Security Client 40

Part I. Setting up Certificate Services 42

Chapter 2. Making Rules for Issuing Certificates 43
  2.1. About Certificate Profiles 43
    2.1.1. The Profile 43
    2.1.2. Certificate Extensions: Defaults and Constraints 46
    2.1.3. Inputs and Outputs 47
  2.2. Setting up Certificate Profiles 47
    2.2.1. Creating Certificate Profiles through the CA Console 47
    2.2.2. Editing Certificate Profiles in the Console 53
    2.2.3. Creating and Editing Certificate Profiles through the Command Line 54
      2.2.3.1. Profile Configuration Parameters 54
      2.2.3.2. Modifying Certificate Extensions through the Command Line 57
      2.2.3.3. Adding Inputs through the Command Line 58
    2.2.4. Defining Key Defaults in Profiles 58
    2.2.5. Configuring Cross-Pair Profiles 59
    2.2.6. List of Certificate Profiles 60
  2.3. Configuring Custom Enrollment Profiles to Use with an RA 66
    2.3.1. Default RA Profiles 67
    2.3.2. Creating RA Enrollment Forms 67
    2.3.3. Configuring the Request Queues 69
      2.3.3.1. Overview of Request Queue Plug-ins 69
      2.3.3.2. Creating the Profile Entry 70
  2.4. Managing Smart Card CA Profiles 72
    2.4.1. Editing Enrollment Profiles for the TPS 73
    2.4.2. Creating Custom TPS Profiles 74
    2.4.3. Using the Windows Smart Card Logon Profile 75
  2.5. Setting the Signing Algorithms for Certificates 75
    2.5.1. Setting the CA's Default Signing Algorithm 75
    2.5.2. Setting the Signing Algorithm Default in a Profile 76
  2.6. Managing CA-Related Profiles 77
    2.6.1. Setting Restrictions on CA Certificates 77
    2.6.2. Changing the Restrictions for CAs on Issuing Certificates 78
  2.7. Managing Subject Names and Subject Alternative Names 80
    2.7.1. Inserting LDAP Directory Attribute Values and Other Information into the Subject Alt Name 81
    2.7.2. Changing DN Attributes in CA-Issued Certificates 84
      2.7.2.1. Adding New or Custom Attributes 85
      2.7.2.2. Changing the DER-Encoding Order 86
    2.7.3. Customizing the Subject DN in a Certificate Request Issued by an RA 87
      2.7.3.1. Customizing the Subject DN in a Certificate Request for Firefox 87
      2.7.3.2. Customizing the Subject DN in a Certificate Request for Internet Explorer 88

Chapter 3. Setting up Key Archival and Recovery 89
  3.1. About Key Archival and Recovery 89
  3.2. Setting up Key Archival 90
  3.3. Setting up Agent-Approved Key Recovery Schemes 92
  3.4. Testing the Key Archival and Recovery Setup 93

Chapter 4. Requesting, Enrolling, and Managing Certificates 95
  4.1. About Enrolling and Renewing Certificates 95
  4.2. Configuring Internet Explorer to Enroll Certificates 95
  4.3. Requesting and Receiving Certificates 96
    4.3.1. Requesting and Receiving a User or Agent Certificate through the End-Entities Page 96
    4.3.2. Requesting Certificates Using certutil 99
  4.4. Enrolling a Certificate on a Cisco Router 103
    4.4.1. Enabling SCEP Enrollments 104
    4.4.2. Configuring Security Settings for SCEP 104
    4.4.3. Configuring a Router for SCEP Enrollment 105
    4.4.4. Generating the SCEP Certificate for a Router 105
    4.4.5. Working with Subordinate CAs 109
    4.4.6. Re-enrolling a Router 110
    4.4.7. Enabling Debugging 110
  4.5. Performing Bulk Issuance 110
  4.6. Configuring and Using the Auto Enrollment Proxy 112
    4.6.1. About Auto Enrollment 112
      4.6.1.1. Looking at How the Auto Enrollment Proxy Works on Windows 112
      4.6.1.2. Planning the Auto Enrollment Configuration 114
    4.6.2. Installing and Setting up the Auto Enrollment Proxy 116
      4.6.2.1. Requirements for the Windows Environment 116
      4.6.2.2. Configuring the Microsoft Management Console to Use with the Auto Enrollment Proxy 116
      4.6.2.3. Setting up the Auto Enrollment Proxy 119
      4.6.2.4. Troubleshooting and Diagnostic Tips 124
    4.6.3. Managing Auto Enrollment Proxy Settings 125
      4.6.3.1. Auto Enrollment Proxy Registry Settings 125
      4.6.3.2. Listing and Adding CAs in the Windows Domain 126
      4.6.3.3. Mapping Certificate System Enrollment Profiles to Windows Profiles 127
    4.6.4. Manually Requesting Domain Certificates 128
      4.6.4.1. Requesting Certificates through MMC 128
      4.6.4.2. Requesting Certificates Using certreq 129
  4.7. Renewing Certificates 130
    4.7.1. About Renewal 131
      4.7.1.1. The Renewal Process 131
      4.7.1.2. Renewal Types in Certificate System 133
    4.7.2. Creating Custom Renewal Profiles 133
      4.7.2.1. Default Renewal Profiles 133
      4.7.2.2. Creating an Enrollment Profile 134
      4.7.2.3. Creating the Renewal Profile 134
    4.7.3. Renewing Certificates 136
      4.7.3.1. Renewing Certificates through the End User Pages 136
        4.7.3.1.1. Agent-Approved or Directory-Based Renewals 136
        4.7.3.1.2. Certificate-Based Renewal 137
      4.7.3.2. Renewing Certificates Using certutil 138

Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client 140
  5.1. Configuring TPS Smart Card Operations 140
    5.1.1. Configuring Format Operations 140
    5.1.2. Configuring TPS Enrollment Operations 141
    5.1.3. Configuring TPS Renewal Operations 148
    5.1.4. Configuring the PIN Reset Operation 149
    5.1.5. Configuring the Applet Update Operation 150
  5.2. Allowing Token Renewal 151
  5.3. Changing the Token Policy 152
  5.4. Setting Token Types for Specified Smart Cards 154
    5.4.1. Default Token Types 154
    5.4.2. Mapping Token Types to Smart Card Operation Profiles 155
    5.4.3. Example: Token Mapping with Two Different Token Types 156
  5.5. Setting Token Status Transitions 159
  5.6. Automating Encryption Key Recovery 161
    5.6.1. Configuring Enrollment for Replacement Tokens 162
    5.6.2. Configuring Key Generation for Temporary Tokens 163
  5.7. Managing Shared Keys 164
    5.7.1. Generating Master Keys 164
    5.7.2. Generating and Transporting Wrapped Master Keys 165
    5.7.3. Using HSM for Generating Keys 169
    5.7.4. Updating Master Key Versions and Associating the Master Key with Its Version 171
    5.7.5. Configuring Symmetric Key Changeover 172
  5.8. Configuring the TPS 174
    5.8.1. Enabling SSL for TPS-Enterprise Security Client Connections 174
      5.8.1.1. Default TPS SSL Configuration 174
      5.8.1.2. Configuring the Enterprise Security Client to Use SSL 176
    5.8.2. Configuring the Channels between the TPS and Tokens 177
    5.8.3. Configuring or Disabling LDAP Authentication 177
    5.8.4. Configuring the Token Database 179
    5.8.5. Configuring Server-Side Key Generation and Archival of Encryption Keys 182
      5.8.5.1. Step 1: Configuring the DRM to Perform Server-Side Key Generation for Tokens 182
      5.8.5.2. Step 2: Adding the TPS as a DRM Recovery Agent 182
      5.8.5.3. Step 3: Importing the DRM Transport Key into the TKS 183
      5.8.5.4. Step 4: Configuring the TPS to Generate and Archive Keys 184
    5.8.6. Configuring IPv6 Support 184
  5.9. Scaling the TPS and Its Support Subsystems 184
    5.9.1. Configuring Failover Support 185
    5.9.2. Configuring Multiple Support Subsystem Instances for Different Functions 187
  5.10. Potential Token Operation Errors 189

Chapter 6. Revoking Certificates and Issuing CRLs 190
  6.1. About Revoking Certificates 190
    6.1.1. User-Initiated Revocation 191
    6.1.2. Reasons for Revoking a Certificate 192
    6.1.3. CRL Issuing Points 192
    6.1.4. Delta CRLs 193
    6.1.5. Publishing CRLs 193
    6.1.6. Certificate Revocation Pages 193
  6.2. CMC Revocation 193
    6.2.1. Setting up CMC Revocation 193
      6.2.1.1. About the revoker Utility 193
    6.2.2. Testing CMC Revoke 194
  6.3. Issuing CRLs 194
    6.3.1. Configuring Issuing Points 195
    6.3.2. Configuring CRLs for Each Issuing Point 196
    6.3.3. Setting CRL Extensions 199
    6.3.4. Setting a CA to Use a Different Certificate to Sign CRLs 200
  6.4. Setting Full and Delta CRL Schedules 201
    6.4.1. Configuring Extended Updated Intervals for CRLs in the Console 202
    6.4.2. Configuring Extended Updated Intervals for CRLs in CS.cfg 203
  6.5. Enabling Automatic Revocation Checking for Agent Certificates 203

Chapter 7. Using the Online Certificate Status Protocol Responder 205
  7.1. Setting up the OCSP Responder 205
  7.2. Identifying the CA to the OCSP Responder 205
    7.2.1. Verify Certificate Manager and Online Certificate Status Manager Connection 206
    7.2.2. Configure the Revocation Info Stores 206
    7.2.3. Testing the OCSP Service Setup 207
  7.3. Enabling the Certificate Manager's Internal OCSP Service 208
  7.4. Enabling Revocation Checking for the TPS and RA 209
  7.5. Enabling Certificate Revocation Checking for DRM and TKS Users 211
  7.6. Submitting OCSP Requests Using the GET Method 213
  7.7. Setting up a Redirect for Certificates Issued in Certificate System 7.1 and Earlier 215

Part II. Additional Configuration to Manage CA Services 219

Chapter 8. Publishing Certificates and CRLs 220
  8.1. About Publishing 220
    8.1.1. Publishers 221
    8.1.2. Mappers 222
    8.1.3. Rules 222
    8.1.4. Publishing to Files 222
    8.1.5. OCSP Publishing 222
    8.1.6. LDAP Publishing 222
  8.2. Setting up Publishing 223
    8.2.1. Configuring Publishing to a File 224
    8.2.2. Configuring Publishing to an OCSP 226
    8.2.3. Configuring Publishing to an LDAP Directory 228
      8.2.3.1. Configuring the LDAP Directory 228
      8.2.3.2. Configuring LDAP Publishers 230
      8.2.3.3. Creating Mappers 230
      8.2.3.4. Creating Rules 233
    8.2.4. Creating Rules 233
    8.2.5. Enabling Publishing 236
  8.3. Publishing CRLs over HTTP 238
    8.3.1. Configuring CRL Publishing to Resume after Interrupted Downloads 238
    8.3.2. Retrieving CRLs Using wget 242
    8.3.3. Retrieving Partial CRLs 243
  8.4. Publishing Cross-Pair Certificates 243
  8.5. Testing Publishing to Files 244
  8.6. Viewing Certificates and CRLs Published to File 245
  8.7. Updating Certificates and CRLs in a Directory 245
    8.7.1. Manually Updating Certificates in the Directory 246
    8.7.2. Manually Updating the CRL in the Directory 247
  8.8. Registering and Deleting Mapper and Publisher Plug-in Modules 247

Chapter 9. Authentication for Enrolling Certificates 248
  9.1. Configuring Agent-Approved Enrollment 248
  9.2. Automated Enrollment 248
    9.2.1. Setting up Directory-Based Authentication 249
    9.2.2. Setting up PIN-Based Enrollment 250
    9.2.3. Using Certificate-Based Authentication 253
    9.2.4. Configuring Flat File Authentication 253
      9.2.4.1. Configuring the flatFileAuth Module 254
      9.2.4.2. Editing flatfile.txt 255
  9.3. Setting up CMC Enrollment 256
    9.3.1. Setting up the Server for Multiple Requests in a Full CMC Request 257
    9.3.2. Testing CMCEnroll 257
  9.4. Testing Enrollment 258
  9.5. Managing Authentication Plug-ins 258

Chapter 10. Using Automated Notifications 260
  10.1. About Automated Notifications for the CA 260
    10.1.1. Types of Automated Notifications 260
    10.1.2. Determining End-Entity Email Addresses 260
    10.1.3. About RA Notifications 260
  10.2. Setting up Automated Notifications for the CA 261
    10.2.1. Setting up Automated Notifications in the Console 261
    10.2.2. Configuring Specific Notifications by Editing the CS.cfg File 262
    10.2.3. Testing Configuration 263
  10.3. Customizing Notification Messages 263
    10.3.1. Customizing CA Notification Messages 263
    10.3.2. Customizing RA Notification Messages 266
  10.4. Configuring a Mail Server for Certificate System Notifications 268
  10.5. Creating Custom Notifications for the CA 268

Chapter 11. Setting Automated Jobs 269
  11.1. About Automated Jobs 269
    11.1.1. Setting up Automated Jobs 269
    11.1.2. Types of Automated Jobs 269
      11.1.2.1. certRenewalNotifier 269
      11.1.2.2. requestInQueueNotifier 269
      11.1.2.3. publishCerts 269
      11.1.2.4. unpublishExpiredCerts 270
  11.2. Setting up the Job Scheduler 270
  11.3. Setting up Specific Jobs 271
    11.3.1. Configuring Specific Jobs Using the Certificate Manager Console 271
    11.3.2. Configuring Jobs by Editing the Configuration File 272
    11.3.3. Configuration Parameters of certRenewalNotifier 273
    11.3.4. Configuration Parameters of requestInQueueNotifier 274
    11.3.5. Configuration Parameters of publishCerts 275
    11.3.6. Configuration Parameters of unpublishExpiredCerts 276
    11.3.7. Frequency Settings for Automated Jobs 277
  11.4. Registering or Deleting a Job Module 278

Part III. Managing the Subsystem Instances 280

Chapter 12. Editing Configuration in the CS.cfg File 281
  12.1. Default File and Directory Locations for Certificate System Subsystems 281
    12.1.1. Default CA Instance Information 281
    12.1.2. Default RA Instance Information 282
    12.1.3. Default DRM Instance Information 283
    12.1.4. Default OCSP Instance Information 284
    12.1.5. Default TKS Instance Information 285
    12.1.6. Default TPS Instance Information 286
    12.1.7. Shared Certificate System Subsystem File Locations 288
  12.2. CS.cfg Files 290
    12.2.1. Locating the CS.cfg File 290
    12.2.2. Overview of the CS.cfg Configuration File 290
      12.2.2.1. Basic Subsystem Settings 292
      12.2.2.2. Logging Settings 292
      12.2.2.3. Authorization and Authentication Settings 293
      12.2.2.4. Security Domain Settings 294
      12.2.2.5. Subsystem Certificate Settings 294
      12.2.2.6. Settings for Required Subsystems 295
      12.2.2.7. Database Settings 295
      12.2.2.8. Settings for PKI Tasks 295
    12.2.3. Editing the Configuration File 296
  12.3. System Passwords 296
    12.3.1. Configuring the password.conf 297
    12.3.2. Protecting the password.conf File 297
    12.3.3. Requiring System Password Prompts 298
      12.3.3.1. Configuring New Instances to Prompt for Passwords 299
      12.3.3.2. Configuring Existing CA, DRM, TKS, and OCSP Instances to Prompt for Passwords 299
      12.3.3.3. Configuring Existing TPS Instances to Prompt for Passwords 301
    12.3.4. Changing System Passwords 303
    12.3.5. Password-Quality Checker 304
  12.4. Configuration Files for Web Services 304

Chapter 13. Basic Subsystem Management 306
  13.1. Starting and Stopping Subsystem Instances 306
    13.1.1. Starting and Stopping a Subsystem Server Instance 306
    13.1.2. Restarting a Subsystem after a Machine Restart 306
    13.1.3. Checking the Subsystem Instance Status 306
    13.1.4. Managing Subsystem Processes with chkconfig 307
  13.2. Opening Subsystem Consoles and Services 309
    13.2.1. Finding the Subsystem Web Services Pages 309
    13.2.2. Starting the Certificate System Administrative Console 311
  13.3. Customizing Web Services Pages 312
    13.3.1. Customizing CA End-Entities Pages 312
    13.3.2. Customizing RA End-Entities Pages 313
    13.3.3. Setting Limits on Searches through the CA End-Entities Pages 315
  13.4. Configuring Ports 316
    13.4.1. Changing a Port Number 318
    13.4.2. Using a Single SSL Port 319
    13.4.3. Updating Existing CAs to Use End-Entity Client Authentication Ports (Avoiding TLS-Related Man-in-the-Middle Attacks) 319
  13.5. Configuring the LDAP Database 323
    13.5.1. Changing the Internal Database Configuration 324
    13.5.2. Enabling SSL Client Authentication with the Internal Database 324
    13.5.3. Restricting Access to the Internal Database 328
  13.6. Searching the SQLite Database 328
  13.7. Viewing Security Domain Configuration 329
  13.8. Managing the SELinux Policies for Subsystems 330
    13.8.1. About SELinux 330
    13.8.2. Viewing SELinux Policies for Subsystems 331
  13.9. Backing up and Restoring Certificate System 332
  13.10. Self-Tests 333
    13.10.1. Self-Test Logging 334
    13.10.2. Configuring Self-Tests 334
    13.10.3. Modifying Self-Test Configuration 334

Chapter 14. Managing Certificate System Users and Groups 336
  14.1. About Authorization 336
  14.2. Default Groups 336
    14.2.1. Administrators 337
    14.2.2. Auditors 338
    14.2.3. Agents 338
    14.2.4. Enterprise Groups 338
  14.3. Managing Users and Groups for a CA, OCSP, DRM, or TKS 339
    14.3.1. Managing Groups 339
      14.3.1.1. Creating a New Group 339
      14.3.1.2. Changing Members in a Group 340
    14.3.2. Managing Users 340
      14.3.2.1. Creating Users 340
      14.3.2.2. Changing a Certificate System User's Certificate 341
      14.3.2.3. Renewing Administrator and Agent Certificates 341
      14.3.2.4. Deleting a Certificate System User 342
      14.3.2.5. Setting up a Trusted Manager 342
  14.4. Creating and Managing Users and Groups for an RA 344
    14.4.1. Managing RA Groups 345
      14.4.1.1. Listing Groups for an RA 345
      14.4.1.2. Creating a New Group for an RA 345
      14.4.1.3. Adding and Removing Users in an RA Group 346

Description:
Jan 6, 2011 Red Hat Certificate System. 8.0. Admin Guide. Installing, configuring, and managing Red Hat Certificate System 8.0 subsystems. Edition 8.0.22.