
Red Hat Certificate System 8.1 Admin Guide - Red Hat Customer PDF

711 Pages·2014·7.98 MB·English

Preview Red Hat Certificate System 8.1 Admin Guide - Red Hat Customer

Red Hat Certificate System 8.1 Admin Guide
for administrators
Edition 8.1.1
Ella Deon Ballard

Legal Notice

Copyright © 2009 Red Hat, Inc. This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries. Linux ® is the registered trademark of Linus Torvalds in the United States and other countries. Java ® is a registered trademark of Oracle and/or its affiliates. XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries. MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and other countries. Node.js ® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project. The OpenStack ® Word Mark and OpenStack Logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community. All other trademarks are the property of their respective owners.

Abstract

This manual covers all aspects of installing, configuring, and managing Certificate System subsystems. It also covers management tasks such as adding users; requesting, renewing, and revoking certificates; publishing CRLs; and managing smart cards. This guide is intended for Certificate System administrators.

Table of Contents

About This Guide
    1. Recommended Concepts
    2. What Is in This Guide
    3. Supported Platforms, Hardware, and Programs
    4. Additional Reading
    5. Giving Feedback
    6. Document History

Chapter 1. Overview of Red Hat Certificate System Subsystems
    1.1. How Certificates Are Used
    1.2. A Review of Certificate System Subsystems
    1.3. A Look at Managing Certificates (Non-TMS)
    1.4. A Look at the Token Management System (TMS)
    1.5. Red Hat Certificate System Services

Part I. Setting up Certificate Services

Chapter 2. Making Rules for Issuing Certificates
    2.1. About Certificate Profiles
    2.2. Setting up Certificate Profiles
    2.3. Configuring Custom Enrollment Profiles to Use with an RA
    2.4. Configuring Renewal Profiles
    2.5. Managing Smart Card CA Profiles
    2.6. Setting the Signing Algorithms for Certificates
    2.7. Managing CA-Related Profiles
    2.8. Managing Subject Names and Subject Alternative Names

Chapter 3. Setting up Key Archival and Recovery
    3.1. About Key Archival and Recovery
    3.2. Manually Setting up Key Archival
    3.3. Updating CA-DRM Connector Information After Cloning
    3.4. Setting up Agent-Approved Key Recovery Schemes
    3.5. Testing the Key Archival and Recovery Setup
    3.6. Rewrapping Keys in a New Private Storage Key

Chapter 4. Requesting, Enrolling, and Managing Certificates
    4.1. About Enrolling and Renewing Certificates
    4.2. Configuring Internet Explorer to Enroll Certificates
    4.3. Requesting and Receiving Certificates
    4.4. Signing Files with Certificates
    4.5. Performing Bulk Issuance
    4.6. Enrolling a Certificate on a Cisco Router
    4.7. Configuring and Using the Auto Enrollment Proxy
    4.8. Renewing Certificates

Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client
    5.1. Configuring TPS Smart Card Operation Policies
    5.2. Mapping Token Types and Policies to Specified Smart Cards
    5.3. Creating Custom User Token Profiles
    5.4. Allowing Token Renewal
    5.5. Changing the Token Policy
    5.6. Defining Specific Certificates to Add or Recover on a Token
    5.7. Setting Token Status Transitions
    5.8. Automating Encryption Key Recovery
    5.9. Routing Revocation Requests to Different CAs
    5.10. Managing Shared Keys
    5.11. Configuring the TPS
    5.12. Configuring Connections to Other Subsystems
    5.13. Potential Token Operation Errors

Chapter 6. Revoking Certificates and Issuing CRLs
    6.1. About Revoking Certificates
    6.2. Performing a CMC Revocation
    6.3. Issuing CRLs
    6.4. Setting Full and Delta CRL Schedules
    6.5. Enabling Revocation Checking
    6.6. Using the Online Certificate Status Protocol Responder

Part II. Additional Configuration to Manage CA Services

Chapter 7. Publishing Certificates and CRLs
    7.1. About Publishing
    7.2. Configuring Publishing to a File
    7.3. Configuring Publishing to an OCSP
    7.4. Configuring Publishing to an LDAP Directory
    7.5. Creating Rules
    7.6. Enabling Publishing
    7.7. Enabling a Publishing Queue
    7.8. Setting up Resumable CRL Downloads
    7.9. Publishing Cross-Pair Certificates
    7.10. Testing Publishing to Files
    7.11. Viewing Certificates and CRLs Published to File
    7.12. Updating Certificates and CRLs in a Directory
    7.13. Registering Custom Mapper and Publisher Plug-in Modules

Chapter 8. Authentication for Enrolling Certificates
    8.1. Configuring Agent-Approved Enrollment
    8.2. Automated Enrollment
    8.3. Using CMC Enrollment
    8.4. Testing Enrollment
    8.5. Registering Custom Authentication Plug-ins

Chapter 9. Using Automated Notifications
    9.1. About Automated Notifications for the CA
    9.2. Setting up Automated Notifications for the CA
    9.3. Customizing Notification Messages
    9.4. Configuring a Mail Server for Certificate System Notifications
    9.5. Creating Custom Notifications for the CA

Chapter 10. Setting Automated Jobs
    10.1. About Automated Jobs
    10.2. Setting up the Job Scheduler
    10.3. Setting up Specific Jobs
    10.4. Registering a Job Module

Part III. Managing the Subsystem Instances

Chapter 11. The Certificate System Configuration Files
    11.1. File and Directory Locations for Certificate System Subsystems
    11.2. CS.cfg Files
    11.3. Managing System Passwords
    11.4. Configuration Files for Web Services
    11.5. Removing Unused Interfaces from web.xml (CA Only)
    11.6. Restoring Configuration in web.xml

Chapter 12. Basic Subsystem Management
    12.1. Starting and Stopping Subsystem Instances
    12.2. Opening Subsystem Consoles and Services
    12.3. Customizing Web Services
    12.4. Running Subsystems under a Java Security Manager
    12.5. Configuring Ports
    12.6. Configuring the LDAP Database
    12.7. Searching the SQLite Database
    12.8. Viewing Security Domain Configuration
    12.9. Managing the SELinux Policies for Subsystems
    12.10. Backing up and Restoring Certificate System
    12.11. Running Self-Tests
    12.12. Configuring POSIX System ACLs

Chapter 13. Managing Certificate System Users and Groups
    13.1. About Authorization
    13.2. Default Groups
    13.3. Disabling Multi-Roles Support
    13.4. Managing Users and Groups for a CA, OCSP, DRM, or TKS
    13.5. Creating and Managing Users and Groups for an RA
    13.6. Creating and Managing Users for a TPS
    13.7. Configuring Access Control for Users for the CA, OCSP, DRM, and TKS

Chapter 14. Configuring Subsystem Logs
    14.1. About Certificate System Logs
    14.2. Managing Logs for the Java Subsystems
    14.3. Managing TPS Logs
    14.4. Configuring RA Logging

Chapter 15. Managing Subsystem Certificates
    15.1. Required Subsystem Certificates
    15.2. Requesting Certificates through the Console
    15.3. Renewing Subsystem Certificates
    15.4. Changing the Names of Subsystem Certificates
    15.5. Using Cross-Pair Certificates
    15.6. Managing the Certificate Database
    15.7. Changing the Trust Settings of a CA Certificate
    15.8. Managing Tokens Used by the Subsystems

Part IV. References

Certificate Profile Input and Output Reference
    A.1. Input Reference
    A.2. Output Reference

Defaults, Constraints, and Extensions for Certificates and CRLs
    B.1. Defaults Reference
    B.2. Constraints Reference
    B.3. Standard X.509 v3 Certificate Extension Reference
    B.4. CRL Extensions

Publishing Module Reference
    C.1. Publisher Plug-in Modules
    C.2. Mapper Plug-in Modules
    C.3. Rule Instances

ACL Reference
    D.1. About ACL Configuration Files
    D.2. Common ACLs
    D.3. Certificate Manager-Specific ACLs
    D.4. Data Recovery Manager-Specific ACLs
    D.5. Online Certificate Status Manager-Specific ACLs
    D.6. Token Key Service-Specific ACLs

Chapter 16. Troubleshooting

Glossary

Index

About This Guide

This guide explains how to install, configure, and maintain the Red Hat Certificate System and how to use it for issuing and managing certificates to end entities such as web browsers, users, servers, and virtual private network (VPN) clients.

This guide is intended for experienced system administrators planning to deploy the Certificate System. Certificate System agents should refer to the Certificate System Agent's Guide for information on how to perform agent tasks, such as handling certificate requests and revoking certificates.

1. Recommended Concepts

Before reading this guide, be familiar with the following concepts:

- Intranet, extranet, and Internet security and the role of digital certificates in a secure enterprise, including the following topics:
    - Encryption and decryption
    - Public keys, private keys, and symmetric keys
    - Significance of key lengths
    - Digital signatures
    - Digital certificates, including different types of digital certificates
    - The role of digital certificates in a public-key infrastructure (PKI)
    - Certificate hierarchies
- LDAP and Red Hat Directory Server
- Public-key cryptography and the Secure Sockets Layer (SSL) protocol, including the following:
    - SSL cipher suites
    - The purpose of and major steps in the SSL handshake

2. What Is in This Guide

Administering certificates relates to the setup and configuration of the individual subsystems, the processes for issuing certificates, and the ways certificates are stored (in software databases or in tokens). This administration guide, then, is divided into several functional areas, listed in Table 1, “Content Overview”.

Table 1. Content Overview

Concept: Overviews of important concepts
Related Chapters:
    Chapter 1, Overview of Red Hat Certificate System Subsystems
    Section 1.5, “Red Hat Certificate System Services”

Concept: Issuing certificates
Related Chapters:
    Chapter 2, Making Rules for Issuing Certificates
    Chapter 4, Requesting, Enrolling, and Managing Certificates

Concept: Managing certificates on tokens
Related Chapters:
    Chapter 5, Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client

Concept: Archiving keys
Related Chapters:
    Chapter 3, Setting up Key Archival and Recovery

Concept: Publishing certificates
Related Chapters:
    Chapter 7, Publishing Certificates and CRLs

Concept: Revoking certificates
Related Chapters:
    Chapter 6, Revoking Certificates and Issuing CRLs

Concept: Options for issuing certificates
Related Chapters:
    Section 6.6, “Using the Online Certificate Status Protocol Responder”
    Chapter 8, Authentication for Enrolling Certificates
    Chapter 9, Using Automated Notifications

Concept: Configuring and managing Certificate System subsystems
Related Chapters:
    Chapter 11, The Certificate System Configuration Files
    Chapter 12, Basic Subsystem Management
    Chapter 13, Managing Certificate System Users and Groups
    Chapter 14, Configuring Subsystem Logs
    Chapter 15, Managing Subsystem Certificates
    Chapter 10, Setting Automated Jobs

Concept: References for Subsystem Components
Related Chapters:
    Appendix A, Certificate Profile Input and Output Reference
    Appendix B, Defaults, Constraints, and Extensions for Certificates and CRLs
    Appendix C, Publishing Module Reference

3. Supported Platforms, Hardware, and Programs

3.1. Supported Platforms

The Certificate System subsystems (CA, RA, DRM, OCSP, RA, TKS, and TPS) are supported on the following platforms:

- Red Hat Enterprise Linux 5.7 (x86, 32-bit)
- Red Hat Enterprise Linux 5.7 (x86_64, 64-bit)

Description:
Jul 25, 2011 Admin Guide for administrators. Edition 8.1.0. Ella Deon Lackey dlackey@redhat.com. Red Hat Certificate System 8.1 Admin Guide.