manualshive.com logo in svg

Red Hat CERTIFICATE 7.1 ADMINISTRATOR, Administrator'S Manual

Share
Download
Red Hat CERTIFICATE 7.1 ADMINISTRATOR Administrator'S Manual Download Page 79

Certificate Manager Deployment Considerations

Chapter 3

Certificate Manager

79

with the certificates you issue. If you are using Netscape Communicator as your client, you 
can accomplish this task within an intranet by using tools such as Mission Control Desktop 
or with the aid of Personal Security Manager, but extranet deployments can be more 
complicated.

Subordination to Another CS CA

If you set up a CA using CS that has subordinate CAs, you control the subordinate CAs by 
setting policies that control the contents of the CA signing certificate issued. A subordinate 
CA issues certificates evaluating its own authentication, policy, and certificate profile 
configuration, it is completely unaware of its parents set up for these configurations. 

A Certificate Manager cannot issue a certificate that has a validity period longer than the 
validity period of the CAs’ CA signing certificate. Any requests that are for a period longer 
than this will result in certificates issued only to the validity period of the CAs’ CA signing 
certificate. 

Cloned CA

A Certificate Manager can also be cloned so that more than one CA shares the same set of 
keys and certificates allowing more than one CA issue certificates with the same issuer 
name and keys. Each clone CA issues a different set of serial numbers. Where the 
relationship between a self-signed CA and its subordinates is hierarchical, a CA and its 
clones function together, effectively forming a single Certificate Manager with failover 
support (and, potentially, load balancing on the front end). For details about a CA, see 
“Cloning a CA,” on page 127. 

Certificate Manager Certificates

When you install the Certificate Manager, the keys for the CA signing certificate, SSL 
server certificate, and OCSP signing certificate are created and a certificate request is made 
for the CA signing certificate and the SSL server certificate. The OCSP signing certificate is 
created by the CA itself. 

You submit this request either as a self-signing request to the CA itself which will then 
issue the certificates, this is how you create a self-signing root CA, or you submit the 
request to a third party public CA and then install the certificate you receive from the CA 
during the rest of the installation.

About the CA Key Pairs and Certificates

This section describes the key pairs and certificates associated with the Certificate Manager.

Summary of Contents for CERTIFICATE 7.1 ADMINISTRATOR

Page 1: ...Administrator s Guide Red Hat Certificate System Version7 1 September 2005 ...

Page 2: ...org openpub Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder Distribution of the work or derivative of the work in any standard paper book form for commercial purposes is prohibited unless prior permission is obtained from the copyright holder Red Hat and the Red Hat Shadow Man logo are registered trademarks of R...

Page 3: ...ter 1 Overview 29 Features 29 Subsystems 29 Certificate Manager Flexibility and Scalability 30 Interfaces 31 Logging 31 Auditing 32 Self Tests 32 Authorization 32 Authentication 32 Certificate Issuance 33 Certificate Profiles 33 Policy 34 CRLs 34 Publishing 34 Notifications 34 Jobs 35 Dual Key Pairs 35 HSMs and Crypto Accelerators 35 Support for Open Standards 35 ...

Page 4: ...ery Manager 51 Certificate Manager Data Recovery Manager and Registration Manager 53 Cloned Certificate Manager 54 System Architecture 55 CS Component 56 HTTP Engine 57 Service Interfaces 58 JSS and the Java JNI Layer 59 NSS 60 PKCS 11 60 Management Tools 61 JRE 61 Internal LDAP Database 62 Administration Server 62 CS SDK 62 Support for Open Standards 63 Certificate Management Formats and Protocol...

Page 5: ...urity Setting 108 Changing Passwords or Storage Settings 108 Configuring Logs 108 Changing Internal Database Settings 108 Configuring Self Test 109 Setting Up a Mail Server 109 Changing the Certificate Issuance Rules 109 Setting Up Authentication 110 Configuring Policies 112 Configuring Certificate Profiles 113 Configuring Publishing 113 Configuring OCSP Services 114 Setting Up CRLs 114 Setting Up...

Page 6: ...5 Configuring Authorization 145 Managing Certificates and the Certificate Database 146 Changing Ports and IP Addresses 147 Changing Subsystem Security Setting 148 Changing Passwords or Storage Settings 148 Configuring Logs 148 Changing Internal Database Settings 148 Configuring Self Test 149 Setting Up a Mail Server 149 Setting Up Authentication 149 Configuring Policies 151 Configuring Certificate...

Page 7: ...urity Setting 180 Changing Passwords or Storage Settings 180 Configuring Logs 180 Changing Internal Database Settings 180 Configuring Self Test 180 Setting Up Jobs 181 Identifying the CA to the OCSP Responder 181 Configure the Revocation Info Stores 182 Testing Your OCSP Setup 184 Chapter 6 Data Recovery Manager 187 PKI Setup for Key Archival and Recovery 187 Clients That Can Generate Dual Key Pai...

Page 8: ...S Console 239 Setting up Certificate Authentication for the CS Console 241 System Passwords 244 Password Quality Checker 244 Passwords Stored by the Server 244 Starting Stopping and Restarting CS Instances 246 Starting a Server Instance 246 Stopping a Server Instance 247 Restarting a Server Instance 248 Subsystem Configuration Overview 248 Configuring Multiple CS Instances 249 Removing an Instance...

Page 9: ...wing and Deleting Certificate Database Content 285 Changing the Trust Settings of a CA Certificate 286 Installing a New CA Certificate in the Certificate Database 288 Installing a CA Certificate Chain in the Certificate Database 288 Certificate Setup Wizard 289 Consideration When Getting New Certificates for the Subsystems 303 Tokens for Storing CS Keys and Certificates 305 Internal Token 306 Exte...

Page 10: ...tion for CS Users 334 Access Control Lists ACLs 334 Access Control Instructions ACIs 334 Changing Privileges 334 How ACIs are Formed 335 Editing ACLs 338 ACL Reference 339 certServer acl configuration 339 certServer admin certificate 340 certServer admin request enrollment 340 certServer auth configuration 341 certServer ca certificate 341 certServer ca certificates 342 certServer ca configuration...

Page 11: ... certServer kra systemstatus 355 certServer log configuration 355 certServer log configuration SignedAudit expirationTime 356 certServer log configuration fileName 357 certServer log content SignedAudit 357 certServer log content 357 certServer ocsp ca 358 certServer ocsp cas 358 certServer ocsp certificate 359 certServer ocsp configuration 359 certServer ocsp crl 359 certServer policy configurati...

Page 12: ...lment 389 Certificate Based Enrollment 390 Setting Up Certificate Based Enrollment 391 Issuing and Managing Server Certificates 392 Renewal of Server Certificates 393 Getting Certificates for Netscape Version 4 x and Later Servers 393 CEP Enrollment 395 About CEP Enrollment 395 Setting Up Automated CEP Enrollment 396 Setting Up Publishing of CEP Certificates and CRLs 400 Certificate Issuance to Ro...

Page 13: ...xtension Default 444 Policy Constraints Extension Default 444 Policy Mappers Extension Default 446 Signing Algorithm Default 447 Subject Alternative Name Extension Default 447 Subject Key Identifier Extension Default 449 Subject Name Default 450 Token Supplied Subject Name Default 450 User Supplied Extension Default 450 User Supplied Key Default 451 User Signing Algorithm Default 451 User Supplied...

Page 14: ...5 DSAKeyConstraints 477 IssuerConstraints 479 KeyAlgorithmConstraints 479 RenewalConstraints 480 RenewalValidityConstraints 481 RevocationConstraints 481 RSAKeyConstraints 482 SigningAlgorithmConstraints 483 SubCANameConstraints 484 UniqueSubjectNameConstraints 485 ValidityConstraints 487 Extension Specific Policy Module Reference 489 AuthInfoAccessExt 489 AuthorityKeyIdentifierExt 492 BasicConstr...

Page 15: ...ng Notification Messages 548 Notification Message Templates 549 Token Definitions 551 Chapter 14 Automated Jobs 553 About Automated Jobs 553 Setting Up Automated Jobs 554 Types of Automated Jobs 554 Setting Up the Job Scheduler 555 Frequency Settings for Automated Jobs 555 Enabling and Configuring the Job Scheduler 556 Setting Up Specific Jobs 558 Enabling and Configuring Specific Jobs Using the C...

Page 16: ...ng Issuing Points 579 Configuring CRLs for Each Issuing Point 580 Setting CRL Extensions 582 CRL Extension Reference 583 AuthorityKeyIdentifier 583 CRLNumber 584 CRLReason 584 DeltaCRLIndicator 585 FreshestCRL 585 HoldInstruction 586 InvalidityDate 587 IssuerAlternativeName 587 IssuingDistributionPoint 589 Chapter 16 Publishing 593 About Publishing 594 About Publishers 594 About Mappers 595 About ...

Page 17: ...w 641 Architecture of a Failover System 642 Load balancing 643 Cloning the Certificate Manager 644 Cloning Preparation 644 Cloning the CA 646 Testing the CA Cloned Master Connection 657 Additional CRL Scheduling Information 658 Cloned Master CA Conversion 659 Converting a Master CA into a Cloned CA 659 Converting a Cloned CA into a Master CA 660 Cloning the Online Certificate Status Manager 662 Pr...

Page 18: ...able Timestamp 690 Private and Secret Key Zeroization 690 Password and Certificate Storage 691 Hardware Token 691 Protection of Private and Secret Keys 691 Supported Operating Systems 692 Supported Browsers 692 CS Privileged Users and Groups Roles 692 CA 692 RA 693 DRM 694 OCSP 694 About Roles 695 CS Common Criteria Environment Setup and Installation Guide 696 Understanding Setup of Common Criteri...

Page 19: ...up Procedures 706 Appendix D Common Criteria Environment Security Objectives 707 1 1 Security Objectives for the TOE 707 1 1 1 Authorized Users 707 1 1 2 System 708 1 1 3 Cryptography 708 1 1 4 External Attacks 708 1 2 Security Objectives for the Environment 708 1 2 1 Non IT security objectives for the environment 708 1 2 2 IT security objectives for the environment 710 1 3 Security Objectives for...

Page 20: ...mple CRL and CRL Entry Extensions 743 Standard X 509 v3 CRL Extensions 744 Extensions for CRLs 744 CRL Entry Extensions 746 Netscape Defined Certificate Extensions 748 CA Certificates and Extension Interactions 749 Appendix H Object Identifiers 751 What s an Object Identifier 751 Registration of Object Identifiers 751 Appendix I Distinguished Names 753 What Is a Distinguished Name 753 Distinguishe...

Page 21: ...94 Issuing Certificates 795 Certificates and the LDAP Directory 796 Key Management 796 Renewing and Revoking Certificates 797 Registration Authorities 797 Appendix K Introduction to SSL 799 The SSL Protocol 799 Ciphers Used with SSL 801 Cipher Suites With RSA Key Exchange 802 Fortezza Cipher Suites 804 The SSL Handshake 805 Server Authentication 807 Man in the Middle Attack 810 Client Authenticati...

Page 22: ...22 Red Hat Certificate System Administrator s Guide September 2005 ...

Page 23: ...hat s in This Guide Conventions Used in This Guide Documentation Who Should Read This Guide This guide is intended for experienced system administrators who are planning to deploy CS CS agents should refer to CS Agent s Guide for information on how to perform agent tasks such as handling certificate requests and revoking certificates What You Should Know This guide assumes the following You unders...

Page 24: ...ke What s in This Guide This guide contains the following elements Chapter 1 Overview Provides a listing of the features of CS an overview of how CS works an architectural overview of CS and lists the standards used in the product Chapter 2 Installation Provides step by step installation instructions Chapter 3 Certificate Manager Provides information about installing a Certificate Manager step by ...

Page 25: ...ation Provides information and procedures for setting up Access Control Lists that define authorization creating users and assigning users to groups to give them the privileges defined by the ACLs for that group Chapter 10 Authentication Provides information and procedures for setting up various authentication methods to automate the enrollment process Chapter 11 Certificate Profiles Provides info...

Page 26: ...Certificate Download Specification Provides information about the certificate download specification Appendix G Certificate and CRL Extensions Provides general information about Certificate and CRL extensions Appendix H Object Identifiers Provides general information about object identifiers Appendix I Distinguished Names Provides general information about distinguished names Appendix J Introducti...

Page 27: ...nput_file output_file input_file specifies the path to the file that contains the base 64 encoded certificate output_file specifies the path to the file to write the certificate This argument is optional if you don t specify an output file the certificate information is written to the standard output Monospaced Angle brackets enclose variables or placeholders When following examples replace the an...

Page 28: ...n Guide Provides detailed reference information on customizing the HTML based agent and end entity interfaces CS Agent s Guide Provides detailed reference information on CS agent interfaces To access this information from the Agent Services pages click any help button For the latest information about Certificate System including current release notes complete product documentation technical notes ...

Page 29: ...st scalable and high performance certificate management solution for your public key infrastructure PKI extranets and intranets This chapter contains the following sections Features How Certificate System Works Deployment Scenarios System Architecture CS SDK Support for Open Standards Features This section discusses the features of CS Subsystems CS has four subsystems to provide flexibility in set...

Page 30: ... provide flexibility in your PKI Features include support for multiple registration authorities tied to a single CA the ability to act as a root or subordinate CA high availability cloning to allow CAs with identical functionality keys and certificates to issue certificates with different sets of serial numbers Single CA Supports Multiple Registration Authorities CS lets you separate the registrat...

Page 31: ...ertificates that fall within a distinct range of serial numbers Because clone CAs and original CAs use the same CA signing key and certificate to sign the certificates they issue the issuer name in all the certificates will be the same Clone CAs and the original Certificate Managers they are based on issue certificates as if they are a single CA and can be placed on different hosts for high availa...

Page 32: ...ships with a set of self tests that are configurable and allows you to create additional self tests using the CS SDK See Self Tests on page 272 for complete details Authorization CS provides a new authorization framework that allows you to create groups and assign access control to those groups You can also change the default access control for prebuilt groups and assign access control to individu...

Page 33: ...alled certificate profiles Certificate Profiles allow you to create a single certificate profile associated with the issuance of a particular type of certificate by configuring the content of the certificate the constraints put on the issuance of this certificate the enrollment method used and the input and output forms associated with this enrollment A set of certificate profiles are included for...

Page 34: ...any issuing point that is defined The Certificate Manager can issue X 509 v1 or v2 CRLs A CRL can be automatically updated whenever a certificate is revoked or at specified intervals See Chapter 15 Revocation and CRLs for complete details Publishing The publishing feature allows you to publish certificates to files and an LDAP directory and CRLs to files LDAP directory and an OCSP responder The pu...

Page 35: ...ided by various third party vendors of PKCS 11 version 2 01 compliant products You can configure the server to use different PKCS 11 modules to generate and store key pairs and certificates for the Certificate Manager Registration Manager and Data Recovery Manager Note that PKCS 11 hardware devices also provide key backup and recovery features for backup and recovery of the key material stored on ...

Page 36: ...s Supports generation and publication of CRLs conforming to X 509 version 1 and 2 Publishes certificates and CRLs to the any LDAP compliant directory over LDAP and HTTP HTTPS connections Publishes certificates and CRLs to a flat file for importing into other resources For example the sample code for Flat File CRL and certificate publisher can be customized to store certificates and CRLs in an Orac...

Page 37: ...tes and creating and publishing CRLs See Chapter 3 Certificate Manager for complete details The Registration Manager is an optional subsystem that provides Registration Authority functionality It establishes a trusted relationship with a Certificate Manager where its signed requests are processed by the Certificate Manager See Chapter 4 Registration Manager for complete details The Online Certific...

Page 38: ... end entity interface is a customizable HTML interface that can be used for end entities to enroll in your PKI renew certificates revoke their own certificates and pick up issued certificates It contains forms for different types of enrollments and for the enrollment different types of end entities The Certificate Manager and the Registration Manager have an end entity services interface the Data ...

Page 39: ... the instance of the subsystem in which the user is created and the privileges of the group in which the user is a member A configurable plug in framework is provided to tailor authorization in your deployment You can change the default privileges of the groups that are preconfigured by changing ACLs associated with those groups You can create new groups assigning privileges to the group by adding...

Page 40: ...e same CA signing Certificate but each uses a different set of serial numbers for the certificates it issues Federal Bridge Certificate Authority CS also allows you to create a trusted relationship between two separate CAs by issuing and storing cross signed certificates between these two CAs This feature of the PKI is called Federal Bridge Certificate Authority FBCA This feature allows you to tru...

Page 41: ...California and Florida end user certificates Delta CRLs can also be produced allowing you to create CRLs that contain only the revoked certificates since the last CRL was produced See Chapter 15 Revocation and CRLs for complete details How the Certificate Manager Works This sections details the processes that a Certificate Manager goes through and the various configuration settings involved in tho...

Page 42: ...g ins that allow you to set constraints on the certificate and define the content and the value of that content in the certificate You can configure the default policies and associate them with a particular authentication method You can also create custom policy modules See Chapter 12 Policies for complete details Certificate Profiles is a new feature that binds an authentication method and certif...

Page 43: ...e request in its internal database Renewing Certificates A Certificate Manager allows end entities to renew certificates if the policies are set up to allow for renewal If so the end entity submits a renewal request in the end entity interface and provides the end entities old certificate The Certificate Manager will then issue a new certificate according to the policies set Revoking Certificates ...

Page 44: ...tem of CS that can act as a Registration Authority RA It establishes a trusted relationship with a Certificate Manager in which its signed requests are processed The Registration Manager is able to accept enrollment renewal and revocation requests process those requests either by agents or through an automated means provide agent initiated requests for enrollment renewal and revocation send signed...

Page 45: ...pport in person registration by agents Each end entity form is associated with a particular authentication method either one of the automated methods or the agent approved method The Registration Manager processes the request according to the method associated with the form See Chapter 10 Authentication for complete details The Registration Manager is in complete control of the authentication of u...

Page 46: ...pe of certificate to be issued with validity period of one year If the Certificate Manager has a policy set up the constrains this type of certificates to a validity period of six months the certificate will not be issued The Certificate Manager creates the certificate and returns it to the Registration Manager Publishing of Certificates Certificates can be published to a file or an LDAP directory...

Page 47: ...services interface for agent approval An agent can also revoke a certificate They might do this if someone leaves the company When the certificate is revoked it is marked revoked in the internal database and is marked revoked in the publishing system The certificate is also added to the Certificate Revocation List CRL produced by the Certificate Manager See Chapter 15 Revocation and CRLs for compl...

Page 48: ...t the OCSP service provided outside a firewall while the Certificate Manager resides inside a firewall or to take the load of requests off the Certificate Manager The Online Certificate Status Manager performs the task of an online certificate validation authority by enabling OCSP compliant clients to do real time verification of certificates Note that an online certificate validation authority is...

Page 49: ...nd a publishing directory The Certificate Manager can publish both end entity certificates and CRLs to a directory Certificate Manager and Registration Manager Figure 1 2 shows a Registration Manager and its Certificate Manager in separate instances on separate machines All communication between the Certificate Manager and the Registration Manager takes place over HTTPS ...

Page 50: ...m end entities and sends them to a Certificate Manager The Certificate Manager can accept requests from both end entities and Registration Managers For example end entities at the home office might deal directly with the Certificate Manager while end entities at a branch office might deal with their own Registration Manager Alternatively the Certificate Manager might be configured to accept reques...

Page 51: ...nd other persons responsible for administering the Certificate Manager and Registration Manager Certificate Manager and Data Recovery Manager If an organization requires key archival and recovery capabilities for example if encrypted mail is widely used and the organization risks data loss if it is unable to recover encryption keys it can install a Data Recovery Manager This can be done without re...

Page 52: ...he location of a Data Recovery Manager be sure to look into firewall considerations the physical security required for each subsystem and the physical location of the Certificate Manager agent Data Recovery Manager agent and other persons responsible for administering the Certificate Manager and recovering keys Like a Certificate Manager a Data Recovery Manager has special physical security requir...

Page 53: ...ps Figure 1 4 illustrates some of the issues involved in deploying all three subsystems by showing the relationships among a single Certificate Manager a single Registration Manager and a single Data Recovery Manager each installed in a different CS instance on a different machine Figure 1 4 Certificate Manager Registration Manager and Data Recovery Manager in separate instances ...

Page 54: ...uch that each has a hierarchy of subordinate managers Cloned Certificate Manager A cloned Certificate Manager is a CS server instance that uses the same CA signing key and certificate as another Certificate Manager identified as the master Certificate Manager Each Certificate Manager issues certificates with serial numbers in a restricted range so that all of the servers together act as a single C...

Page 55: ... key material on a hardware token you will have to follow the hardware vendor s instructions for copying the key material to a hardware device accessible to the clone A cloned Certificate Manager will have all the same features for example agent gateway functions and end entity gateway functions that a normal Certificate Manager has You can then configure Registration Managers that point to differ...

Page 56: ...is a set of pure Java classes This component provides a secure application platform where subsystems CA RA DRM and OCSP can be tightly integrated with a PKI infrastructure Depending on the installation configuration selection CS can be easily installed as a CA RA DRM or OCSP Responder where subsystem specific HTTP servlets are registered at startup to provide subsystem specific services ...

Page 57: ...s signed audit logs where logging mechanism can be extended Self test where CS start up on demand self tests can be extended Servlets depending on subsystem installation selection where servlets can be extended Password quality checker where password strength quality checker can be extended HTTP Engine CS employs the Red Hat Enterprise Server as its HTTP engine It provides the entry point for user...

Page 58: ...nteraction with various portions of the subsystem All four subsystems share a common administrative interface All four subsystems have an agent interface that allows for agents to perform the tasks assigned to them A CA Subsystem and an RA Subsystem have an end entity services interface allowing end entities to enroll in the PKI An OCSP responder subsystem has an end entity services interface allo...

Page 59: ...nistrative entry point Based on the information given at each command the administration servlets allow administrators to perform administrative tasks and configure plug in modules and instances of plug in modules This interface is similar for all four subsystem It contains some common configuration types but also contains different plug in types that can be configured depending on the kind of sub...

Page 60: ...1 module also called a cryptographic module or cryptographic service provider manages cryptographic services such as encryption and decryption via the PKCS 11 interface PKCS 11 modules can be thought of as drivers for cryptographic devices that can be implemented in either hardware or software Red Hat provides a built in PKCS 11 module with CS A PKCS 11 module always has one or more slots which ca...

Page 61: ... called secmod db to keep track of the modules that are available You can modify this file using the modutil tool which is explained in the following documentation http www mozilla org projects security pki nss tools For example you need to modify secmod db if you are installing hardware accelerators for use in signing operations Management Tools Command line tools are provided by CS for occasiona...

Page 62: ...uration LDAP database while user and group entries are stored in another subtree Except for the creation of a new CS instances functionalities provided by this component are not fully utilized by CS Note that although this configuration LDAP database can be used to store Enterprise user records or configured as a certificate publishing destination or configured to provide directory based enrollmen...

Page 63: ...ith a CA including how to retrieve the CA s public key how to enroll a device with the CA and how to retrieve a CRL CEP uses PKCS 7 and PKCS 10 Certificate Request Message Format CRMF A message format used to convey a request for a certificate to a Registration Manager or Certificate Manager A standard from the Internet Engineering Task Force IETF PKIX working group Certificate Management Message ...

Page 64: ...ficate For more information see http www netscape com eng security comm4 keygen html Lightweight Directory Access Protocol LDAP v2 v3 A directory service protocol designed to run over TCP IP and across multiple platforms LDAP is a simplified version of Directory Access Protocol DAP used to access X 500 directories LDAP is under IETF change control and has evolved to meet Internet requirements Publ...

Page 65: ...t CS and configure it into a Common Criteria Evaluated subsystem please see Appendix B Common Criteria Environment Setup and Operations You can configure more than one subsystem in an installation of CS You can also install CS on more than one host with one or more subsystems configured in each installation Finally different instances of CS subsystems can be set up as clones for high availability ...

Page 66: ...g locations Installing a Certificate Manager as a Root CA on page 85 Installing a Certificate Manager as a Subordinate CA on page 90 Installing a Registration Manager on page 133 Installing an Online Certificate Status Manager on page 165 Installing a Standalone Data Recovery Manager on page 203 3 Get the first agent certificate for the subsystem See Agent Certificates on page 324 for complete ins...

Page 67: ...e Notes for the system requirements for this product Component Servers The installation process installs Red Hat Administration Server Red Hat Console and Red Hat Directory Server as well as CS You can choose to not install one or more of these servers if you already have one of them installed Generally you would install using the default settings which installs all four products Server Groups A s...

Page 68: ...he UNIX user ID root if it will listen on either port 389 or 636 Make sure the ports you choose are not already in use Additionally if you are using both LDAP and LDAPS communications make sure the port numbers chosen for these two types of access are not identical Deciding the User and Group for Your Red Hat Servers For security reasons it is always best to run UNIX based production servers with ...

Page 69: ...es will differ depending on the type of installation that you are performing Directory Manager DN and password The Directory Manager DN is the special directory entry to which access control does not apply Think of the directory manager as your directory s superuser The default Directory Manager DN is cn Directory Manager Because the Directory Manager DN is a special entry the Directory Manager DN...

Page 70: ...ord should be identical to the configuration directory administrator ID and password Determining Your Directory Suffix A directory suffix is the directory entry that represents the first entry in a directory tree You will need at least one directory suffix for the tree that will contain your enterprise s data It is common practice to select a directory suffix that corresponds to the DNS host name ...

Page 71: ...__ Directory Server Port Number ______________________________________ Directory server identifier myhost ______________________________________ Red Hat configuration directory server administrator ID admin ______________________________________ Suffix dc domaincomponent dc com ______________________________________ Directory Manager DN cn Directory Manager ______________________________________ A...

Page 72: ...stallation program setup The setup command has the following options The installation program launches The installation program will prompt you for series of configuration settings detailed in the following steps 4 Would you like to continue with installation Yes Press Enter h Prints out the help message s Specifies the silent installation mode f filename Specifies a silent installation script b O...

Page 73: ...mponents you wish to install 1 2 Press Enter to accept the default components 12 Specify the components you wish to install 1 2 Press Enter to accept the default components 13 Specify the components you wish to install 1 2 Press Enter to accept the default components 14 Computer name myhost mydomain com Accept the default value to install on the local machine Do not attempt to install remotely 15 ...

Page 74: ... Server If you are using an existing configuration directory enter its identifier 21 Red Hat configuration directory server administrator ID admin Enter the name and password of the user ID who will authenticate to Red Hat Console with full privileges The password must be at least eight characters long If you are using an existing configuration directory enter its administrator ID and password See...

Page 75: ...installing each subsystem see Installing a Certificate Manager as a Root CA on page 85 Installing a Certificate Manager as a Subordinate CA on page 90 Installing a Registration Manager on page 133 Installing an Online Certificate Status Manager on page 165 Installing a Standalone Data Recovery Manager on page 203 28 You should note the choices you made for later reference especially the following ...

Page 76: ...ver root directory containing the installed software 3 Type the following command uninstall 4 Specify the components you wish to uninstall All Accept the default value 5 Specify the components you wish to uninstall 1 2 3 Accept the default value 6 Specify the components you wish to uninstall 1 2 Accept the default value 7 Specify the components you wish to uninstall 1 2 Accept the default value 8 ...

Page 77: ...tallation instructions an overview of the Certificate Manager processes including information on configuring those processes information about FBCA and details on configuring a cloned CA This chapter contains the following sections Certificate Manager Deployment Considerations Installing a Certificate Manager Configuring the Certificate Manager How The Certificate Manager Works Federal Bridge CA C...

Page 78: ...ertificates that it can issue the extensions that it is allowed to include in certificates the number of level of subordinate CAs the subordinate CA can create and the validity period of certificates it can issue as well as the validity period of the subordinate CAs signing certificate Although a subordinate CA can create certificates that violate these constraints a client authenticating a certif...

Page 79: ... cloned so that more than one CA shares the same set of keys and certificates allowing more than one CA issue certificates with the same issuer name and keys Each clone CA issues a different set of serial numbers Where the relationship between a self signed CA and its subordinates is hierarchical a CA and its clones function together effectively forming a single Certificate Manager with failover s...

Page 80: ...s self signed that is the subject name and issuer name of the certificate is the same If the Certificate Manager is a subordinate CA its CA signing certificate is signed by another CA usually the one that is a level above in the CA hierarchy which may or may not be a root CA If you have deployed the Certificate Manager as a subordinate CA in a CA hierarchy you must import your root CA s signing ce...

Page 81: ...ever you can request and install additional SSL server certificates for the Certificate Manager For example you can configure the Certificate Manager to use separate server certificates for authenticating to the End Entity Services interface and Agent Services interface See Managing Certificates and the Certificate Database on page 103 for more details If you configure the Certificate Manager for ...

Page 82: ... Manager signing certificate must have a validity period CS does not restrict the validity period you can specify In general it s a good idea to specify as long a validity period as possible depending on your plans for certificate renewal the place of the CA in the certificate hierarchy and the requirements of any public CAs that you may want to include in your PKI Serial Number Ranges for the CA ...

Page 83: ...ion to the subsystem can be done using the administrative interface The administrative interface listens to requests on the SSL Administration Port This is the port the CS administrative interface listens to and that is accessed by administrators and auditors using the Java based CS Console GUI application An Agent Services interface that is accessible by default only to members of the Agent group...

Page 84: ...nternal Database Each Certificate Manager instance contains an internal database that stores certificates certificate requests and the like During installation you set up this database by either choosing to create a new database or use an existing database providing user IDs and passwords for special users of the database and the port the database will listen to requests on You can choose to use t...

Page 85: ... settings You can change the default settings to meet the needs of your PKI Installing a Certificate Manager as a Root CA To configure the Certificate Manager as a root CA 1 Log into Red Hat Console as the administrator see Red Hat Console on page 237 2 Select the CS instance and then either click Open or double click this instance The Installation Wizard launches 3 Installation Wizard Introductio...

Page 86: ...e appropriate options Select No if you don t want to connect the Certificate Manager to a remote Data Recovery Manager Select Yes if you have already installed a remote Data Recovery Manager that you want the Certificate Manager to use for archiving end users encryption private keys Then enter the remote Data Recovery Manager s host name agent SSL port number and the Time out in seconds in the ass...

Page 87: ...ns on page 84 for more information Key Type Choose RSA or DSA Key Length Available key sizes for RSA are 512 768 1024 2048 4096 or Custom Available key sizes for DSA are 512 1024 or Custom which must be in increments of 64 bits only See Signing Key Type and Length on page 82 for more information Click Next to continue 14 Message Digest Algorithm Select the algorithm to use for computing the certif...

Page 88: ...cert tools Note that the certificate extension text field accepts a single extension blob If you want to add multiple extensions you should use the ExtJoiner program which is also provided in the tools directory For details on using the ExtJoiner program see the CS Command Line Tools Guide For more information about extensions see Appendix G Certificate and CRL Extensions Click Next to continue 18...

Page 89: ...te Select the validity period for the SSL server certificate The validity period determines how soon you will have to renew the certificate Click Next to continue 24 Certificate Extensions for SSL Server Certificate Select the required extensions The default settings should work for most deployments If necessary you can add an additional extension by pasting its base 64 encoding in the space provi...

Page 90: ...ormation 5 Internal Database Choose to either create a new internal database for this instance or to use an existing Directory Server instance as the internal database for this instance Next specify the information for that Directory Server instance See Internal Database on page 84 for more information Click Next to continue The wizard sets up the new internal database which takes some time Click ...

Page 91: ...e the Ending serial number field blank to indicate no upper limit If you plan to clone the CA to distribute load you must specify an upper limit For cloned CAs you must make sure that the range of serial numbers does not overlap with any other CA server Click Next to continue 10 Internal OCSP Services Select to enable the internal OCSP services See Setting Up a Certificate Manager with OCSP Servic...

Page 92: ...ontinue 16 Validity Period for Certificate Manager CA Signing Certificate Select the validity period for the subordinate CA signing certificate The default validity is two years The validity period determines how soon you will have to renew the certificate which can be a complex procedure See CA Signing Certificate s Validity Period on page 82 for more information Click Next to continue 17 Certifi...

Page 93: ...ubmit the request manually or send the request to a remote Certificate Manager automatically To automatically submit the request to a remote Certificate Manager or for automatic enrollment follow these steps I Select the Send the request to a remote CS now option II Enter the host name and end entity port number of the remote Certificate Manager and select whether this end entity port is SSL enabl...

Page 94: ...wser window II Go to the end entity URL for the remote Certificate Manager that will issue the subordinate CA s signing certificate For example if you assigned the port number 17006 to the non SSL end entity port for your root CA you would go to the URL http hostname 17006 to bring up the Certificate Manager page for end entities III Click Manual Certificate Manager Signing Certificate Enrollment ...

Page 95: ...tton I This action copies the certificate request to the clipboard In addition to the copy on the clipboard the screen informs you that the certificate request has been saved to a file You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the subordinate CA s signing certificate II Submit your certificate request to a third party CA...

Page 96: ... the required details Click Next to continue 22 Certificate Details This is an informational screen that shows the certificate so you can inspect its contents Notice the nickname assigned to the certificate and verify that you re installing the correct certificate Click Next to continue 23 Import Certificate Chain This screen appears only if you need to import the CA certificate chain If the CA th...

Page 97: ... the certificate signature The choices are SHA 1 MD2 or MD5 Click Next to continue 27 Subject Name for SSL Server Certificate Type the values for the subject DN components these values identify the subordinate CA s SSL server certificate The CN must be the fully qualified host name of the machine on which you re installing the Certificate Manager Click Next to continue 28 Certificate Extensions fo...

Page 98: ...submit the request to a remote Certificate Manager or for automatic enrollment follow these steps I Select the Send the request to a remote CS now option II Enter the host name and end entity port number of the remote Certificate Manager and specify whether the end entity port is SSL enabled III Click Next to submit the request The Certificate Request Result screen appears confirming that the requ...

Page 99: ...06 to the non SSL end entity port for your root CA you would go to the URL http hostname 17006 to bring up the Certificate Manager page for end entities III Click Manual Server Certificate Enrollment or click Agent Based Server Certificate Enrollment if you have an agent certificate If you choose Agent Based Server Certificate Enrollment and you have an agent certificate the certificate will be au...

Page 100: ...llow these steps I Make sure that the certificate request including BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST is highlighted and click the Copy to Clipboard button This action copies the certificate request to the clipboard In addition to the copy on the clipboard the screen informs you that the certificate request has been saved to a file You can use either the copy on the cli...

Page 101: ...nd end entity port number of the remote Certificate Manager that issued the certificate select the The certificate is at the CS server where the request was sent option and then specify the required details Click Next to continue 33 Certificate Details This is an informational screen that displays the certificate so you can inspect its contents Notice the nickname assigned to the certificate and v...

Page 102: ...tificate Manager is installed you need to add users and assign them to the administrator agent or auditor roles If you selected the option to have the administrator created during installation also act as an agent then the administrator is your first agent If you did not you need to create an agent user who can access the agent services interface See Chapter 9 Authorization for details on adding u...

Page 103: ...nfiguration settings but cannot perform any other operations on configuration settings and do not have access to the agent services interface Members of the Certificate Manager Agent group can view configuration settings in the administrative interface but cannot perform any other operations on the configuration settings They can perform all operations for all tasks associated with the agent servi...

Page 104: ...hat a Certificate Manager s CRL signing certificate must be signed or issued by itself make sure you submit the request to the Certificate Manager itself To enable a Certificate Manager to sign CRLs with a separate key pair 1 Request and install a CRL signing certificate for the Certificate Manager To do this you may use either of these options Use the Certificate Setup Wizard available within the...

Page 105: ...named CRLSignCertKeyUsageExt which is an instance of KeyUsageExt plug in g Approve the request h Once you have the CRL signing certificate ready restart the wizard and install the certificate in the Certificate Manager s database 2 Stop the Certificate Manager 3 Update the Certificate Manager s configuration to recognize the new key pair and certificate a In the Certificate Manager host machine go...

Page 106: ...ge 127 By default the Certificate Manager uses a single SSL server certificate for authentication purposes However you can request and install additional SSL server certificates for the Certificate Manager For example you can configure the Certificate Manager to use separate server certificates for authenticating to the End Entity Services interface and Agent Services interface For instructions se...

Page 107: ...ate expires this approach allows certificates issued under the old CA certificate to continue working for the full duration of their validity periods Reissuing a CA certificate involves issuing a new CA certificate with a new name public and private key material and validity period This approach avoids some of the problems associated with renewing a CA certificate but it requires more work for bot...

Page 108: ...ng its keys and certificates See System Passwords on page 244 for information on how these passwords are stored Configuring Logs Each subsystem creates a number of logs that detail various events and errors Each subsystem also has the ability to create signed audit logs that create audit trails that can only be read by a user with auditor privileges The log feature is configurable allowing you to ...

Page 109: ...d that are for validity periods longer than the Certificate Managers CA signing certificate the default is to not allow The serial number range the CA is able to use to issue certificates The signing algorithm used to sign certificates To change the certificate issuance rules 1 In the CS window select the Configuration tab 2 In the navigation tree select Certificate Manager The General Setting tab...

Page 110: ...ng cloned CAs Also note that when a CA exhausts all its serial numbers you can revive it by changing the values in the Next serial number and Ending serial number fields followed by restarting the Certificate Manager Default Signing Algorithm section Specifies the signing algorithm the Certificate Manager should use for signing certificates The choices are MD2 with RSA MD5 with RSA and SHA1 with R...

Page 111: ...ies that require manual approval and whose requests have been sent to the agent services interface for processing Agent approved certificate profile enrollments are also sent to the agent services interface for processing Automated Enrollment You set up enrollment by configuring instances of the authentication plug ins The plug ins allow you to set up the kind of authentication you will use for au...

Page 112: ... are applicable to this type of request Any policy that has no predicate is evaluated against all certificate requests Those with predicates are evaluated against certificates requests that match the predicate value of the policy The predicate value can be a certificate type like a CA certificate or an SSL signing certificate in which case all requests for that type of certificate are evaluated by...

Page 113: ...s set in the certificate profile Each certificate profile that will be used is configured by an administrator The administrator configures defaults and constraints inputs outputs and specifies the authentication method for each certificate profile The certificate profiles that have been configured are listed in the agent services interface where the agent has to approve the certificate profile to ...

Page 114: ...re issued on a periodic basis You can also define issuing points so that a CRL from that issuing point contains only the list of revoked certificates associated with that issuing point You can also create delta CRLS When you install the CRL feature is setup but the creation of CRLs is disabled You need to enable it and configure issuing points to issue CRLs For detailed information on setting up C...

Page 115: ...ge which policies are associated with the form Adding Data Recovery Services You can set up a trusted relationship between a Data Recovery Manager and a Certificate Manager so that the end entities private encryption keys are archived during the certificate request See Chapter 6 Data Recovery Manager Setting Up a CMC Client This section describes some utilities that demonstrate how to write a CMC ...

Page 116: ...tput cmc nickname Nickname of the agent certificate used to sign the full CMC request This is a required parameter Example nickname CS Agent 102504a s 102504a ID dbdir Full path to the directory where cert8 db key3 db and secmod db are located This is a required parameter Example dbdir u smith db password Password for cert8 db which stores the agent certificate This is a required parameter Example...

Page 117: ...interpreted as false Example dataReturn enable false dataReturn data Data contained in the dataReturn control Example dataReturn data test transactionMgt enable If true then the request will contain this control Absence of this parameter is interpreted as false Example transactionMgt enable true transactionMgt id Transaction identifier for transactionMgt control VeriSign recommends that the transa...

Page 118: ...he revocation request Example revRequest comment human readable comment revRequest invalidityDatePresent If true the current time will be the invalidity date for the revoked certificate If false no invalidity date is present Example revRequest invalidityDatePresent false identityProof enable If true then the request will contain this control attribute Absence of this parameter is interpreted as fa...

Page 119: ... server Example port 1028 secure true for an HTTPS connection false for an HTTP connection Example secure true input Full path including filename for the enrollment request which must be in binary format Example input cmcReqCRMFBin output The full path including the filename for the response in binary format Example output cmcResp dbdir Full path to the directory where cert8 db key3 db and secmod ...

Page 120: ...cluding filename to CMC response in binary format The parsed output is printed to the screen Sending a Simple CMC Request To send a simple CMC request that is a plain PKCS 10 request follow these steps 1 Use the AtoB tool in server_root bin cert tools to convert the base 64 encoded PKCS 10 request to binary form 2 Use the HTTP Client Utility to send the request By default the URI of the servlet th...

Page 121: ...p and enabled Setting Up the Server for Multiple Requests in a Full CMC Request CMC supports multiple CRMF or PKCS 10 requests in a single full CMC request If the numRequests parameter in the cfg file 1 you need to modify the server s certificate profile To do so follow these steps 1 By default the servlet processing a full CMC request uses the profile caFullCMCUserCert Currently this profile hand...

Page 122: ...he End Entity Interface on page 115 for information on the default forms See the Red Hat Certificate System Customization Guide for information on customizing these forms You can also do this by creating certificate profiles for each with a dynamically generated form associated with each certificate profile You customize the dynamically created certificate profile forms by configuring the inputs a...

Page 123: ...e form can collect information about the end entity from an LDAP directory when the form is submitting You can set up policies using predicates that request this information from the LDAP directory when the user authenticates using an LDAP user ID and password For certificate profile based enrollment you set up defaults that are used to collect this information The policies or certificate profile ...

Page 124: ...p the internal OCSP service which checks the status of certificates in the internal database when a certificate status request is received The end entity interface provides forms that allow for searches of certificates that have been issued and for the CA certificate chain Renewal The Certificate Manager allows for the renewal of certificates Certificates can be renewed if the policies associated ...

Page 125: ...rvice the service determines the status of certificates by looking them up in the internal database and reporting on the status of the certificate You can set up an automated notifications that send an email message to the end entity when their certificate is revoked You set this up by enabling and configuring the Certificate Revoked notification message and customizing the email template associat...

Page 126: ...ertificates CS provides the capability to import the cross pair certificates from each of the CAs You use the Certificate Setup wizard to import both certificates When both certificates have been imported into the database a crossCertificatePair is formed and stored in the database The original certificates are deleted once the crossCertificatePair is formed You can search for and view a crossCert...

Page 127: ... range of serial numbers Because clone CAs and original CAs use the same CA signing key and certificate to sign the certificates they issue the issuer name in all the certificates in such a setup will be the same Clone CAs and the Certificate Managers they clone issue certificates as if they are a single CA and can be placed on different hosts for high availability failover support When you setup ...

Page 128: ...Cloning a CA 128 Red Hat Certificate System Administrator s Guide September 2005 ...

Page 129: ...tion describes the decisions you make during installation that will apply to your initial configuration of the subsystem Registration Managers Certificates When you install the Registration Manager the keys for the Registration Manager signing certificate and SSL server certificate are created and a certificate request is made for the signing certificate and the SSL server certificate You submit t...

Page 130: ...ckname for the certificate is raSigningCert cert instance_id where instance_id identifies the CS instance in which the Registration Manager is installed The Registration Manager s signing certificate was issued by the CA to which you submitted the certificate signing request If you configure the Registration Manager to function as a trusted manager to another subsystem the Registration Manager use...

Page 131: ...that authenticates agents using their certificates The default interface provides all the functionality needed by agents for a Registration Manager and is completely customizable The agent services interface listens to requests and communicates on the SSL Agent Services Port This is the port that the agent goes to in order to access the agent services interface The agent services interface is acce...

Page 132: ...ation rather than generating a new signing key pair For information on how to do this check the migration information If you decide to generate a new signing key one of the first decisions you need to make is whether to use the RSA or DSA algorithm If you use DSA the software can generate and verify the PQG value PQG values are used to create the DSA signing key pair For more information about the...

Page 133: ... name of an external token to store the Registration Manager signing certificate and key pair If you have not previously initialized the token s password you must do so in this screen See Tokens on page 133 for more information 5 Internal Database Choose to either create a new internal database for this instance or to use an existing Directory Server instance as the internal database for this inst...

Page 134: ...e 10 Network Configuration Type the numbers for the ports to be used by the CS instance See Registration Manager Interfaces on page 130 for more information Click Next to continue 11 Key Pair Information for Registration Manager Signing Certificate Token Enter either internal if you plan to use the internal software token or the name of an external token to store the Registration Manager signing c...

Page 135: ...ails on using the ExtJoiner program see Chapter 5 Extension Joiner Tool of CS Command Line Tools Guide For more information about extensions see Appendix G Certificate and CRL Extensions Click Next to continue 15 Registration Manager Signing Certificate Request Creation This informational screen tells you that the wizard has all the information required to generate the key pair and certificate req...

Page 136: ...instructions below to issue the certificate Otherwise you should wait for the remote Certificate Manager s agent to approve your request IV Open a web browser window V Enter the URL for the remote Certificate Manager s Agent Services page You must have a valid agent s certificate VI Select List Requests click Show Pending Requests and click Find VII In the pending request list locate your request ...

Page 137: ...approves your request VI In the web browser window enter the URL for the remote Certificate Manager s Agent Services page You must have a valid agent s certificate VII Select List Requests click Show Pending Requests and click Find VIII In the pending request list locate your request click Details to see it After checking the certificate request and making required changes scroll down to the last ...

Page 138: ...y CA following the instructions provided by that CA Click Next when you are ready to proceed 17 Registration Manager Signing Certificate Installation Depending on whether you have the certificate ready for pasting into the Installation Wizard screen click Yes or No Select No if you have submitted your request to a third party CA or to a remote Certificate Manager for which you do not have agent pr...

Page 139: ...s only if you need to import the CA certificate chain If the CA that issued the certificate is a Certificate Manager follow these steps a Go to the end entity URL for the remote Certificate Manager that issued the Registration Manager s signing certificate b Select the Retrieval tab and in the left hand frame click Import CA Certificate Chain c In the resulting form select the Display the CA certi...

Page 140: ... by pasting its base 64 encoding in the space provided on this screen For details see Step 14 of this section Click Next to continue 25 SSL Server Certificate Request Creation This is an informational screen that tells you that the wizard has all the information required to generate the key pair and certificate request In the previous screen if you chose to include the Subject Key Identifier exten...

Page 141: ... a valid agent s certificate V Select List Requests click Show Pending Requests and click Find VI In the pending request list locate your request click Details to see it and make any changes Then scroll down to the bottom of the form and click Do It VII After the certificate is generated click Show Certificate VIII When the certificate is displayed scroll down to the base 64 encoded version of the...

Page 142: ...you ll have to wait for the Certificate Manager s agent to approve your request and issue the certificate To approve the request do the following In the web browser window enter the URL for the Certificate Manager s Agent Services page You must have a valid agent s certificate Select List Requests then click Show Pending Requests and click Find The pending request list is displayed Locate your req...

Page 143: ...e as far as you can with the configuration and resume after you receive the certificate The default is No Select Yes if you have the certificate ready in its base 64 encoded format Click Next to continue If you selected Yes the Location of Certificate screen appears Step 28 If you selected No you will be presented with the Create Single Signon Password screen Step 31 28 Location of Certificate Spe...

Page 144: ...eval tab and in the left hand frame click Import CA Certificate Chain d Select the Display the CA certificate chain in PKCS 7 for importing into a server option and then click Submit e In the resulting page locate the CA certificate chain in its base 64 encoded format and copy it to the clipboard f Return to the Installation Wizard g Paste the CA certificate chain into the text box Click Next to c...

Page 145: ...on Manager is installed you need to add users and assign them to the administrator agent and auditor roles If you selected the option to have the administrator created during installation also act as an agent then the administrator is your first agent If you did not you need to create an agent user who can access the agent services interface See Chapter 9 Authorization for details on adding users ...

Page 146: ... tasks associated with the agent services interface They are allowed to communicate with the RA via the agent services port Members of the Trusted Manager group are allowed to communicate with the Certificate Manager Managing Certificates and the Certificate Database The signing certificate and SSL encryption certificate are created and installed during the installation of the Registration Manager...

Page 147: ...310 If you configure the Registration Manager for SSL enabled communication with a publishing directory the Registration Manager also uses its SSL server certificate for SSL client authentication to the publishing directory This is the default configuration You can configure the Registration Manager to use an alternate certificate for this purpose see Getting an SSL Client Certificate for a Subsys...

Page 148: ...its keys and certificates See System Passwords on page 244 for information on how these passwords are stored Configuring Logs Each subsystem creates a number of logs that detail various events and errors Each subsystem also has the ability to create signed audit logs that create audit trails that can only be read by a user with auditor privileges The log feature is configurable allowing you to cha...

Page 149: ...s LDAP authentication You have two classes of employees permanent and temporary You want to issue both classes of employees certificates using LDAP authentication but you want to issue each of these classes certificates with different validity periods and different extensions You can create two different forms both using LDAP authentication but each having different policies associated with the fo...

Page 150: ... will use for enrollment All of the authentication plug ins also enable an automated enrollment when they are enabled You can enable one of the authentication plug ins and configure it to be able to authenticate Once you have set up an authentication instance end entities use a form associated with this method when enrolling You must provide the necessary fields to collect the information required...

Page 151: ...he policies you want to be evaluated for this certificate request Some of the policies can be configured to collect other information about an end entity from an LDAP directory and place that information in the certificate A default set of policies is created Some of these are enabled and some are disabled You need to configure the policy feature by configuring the existing policies deleting unwan...

Page 152: ...When an end entity submits a request using a particular certificate profile the certificate profile is processed according to the authentication mechanism associated with that certificate profile and thus the enrollment method and the certificate is issued following the constraints and extensions set in that certificate profile If the certificate profile is associated with the agent approved authe...

Page 153: ...face and are preconfigured for various types of interaction with the end entity You can customize this interface by changing which forms are available and by changing the forms themselves You might change the look and feel of the form to fit in with your intranet you might change what method of authentication is associated with a form and you might change which policies are associated with the for...

Page 154: ...vents in the approximate order they occur The end entity provides the information and submits a request The information gathered from the end entity is customizable in the form depending on the information you want to collect or you need to collect to store in the certificate that is issued or to authenticate against the authentication method associated with the form The form creates a request tha...

Page 155: ... end entity The certificate request is either rejected at some point in the process either by an agent because it did not meet the policy certificate profile or authentication requirements or the request is signed and sent to the Certificate Manager for issuance of the certificate The Certificate Manager will evaluate the request against its own policies or certificate profiles If the request does...

Page 156: ...ificate is issued with the validity period set up in the renewal policies The Registration Manager does not send automated renewal notifications the Certificate Manager that issues the certificate must have this feature set up for renewal messages to be sent to end entities Revocation An end entity can request that their own certificate is revoked When an end entity makes the request they are aske...

Page 157: ...r with OCSP Service Online Certificate Status Manager Deployment Considerations Installing an Online Certificate Status Manager Setting Up the OCSP Responder Configuring the Online Certificate Status Manager Testing Your OCSP Setup About OCSP Services CS supports the Online Certificate Status Protocol OCSP as defined in the PKIX standard RFC 2560 see http www ietf org rfc rfc2560 txt The OCSP prot...

Page 158: ...t processes the request and sends back a report stating the status of the certificate See OCSP Responses on page 159 for details on the responses sent by an OCSP service OCSP Response Signing Every response that the client receives including a rejection notification is digitally signed by the responder the client is expected to verify the signature to ensure that the response came from the respond...

Page 159: ...tus of the certificate as determined by the OCSP responder The response could be any of the following Good or Verified specifying a positive response to the status inquiry At a minimum this positive response indicates that the certificate has not been revoked but it does not necessarily mean that the certificate was ever issued or that the time at which the response was produced is within the cert...

Page 160: ...he built in OCSP service feature the Certificate Manager can also publish CRLs to an OCSP compliant online validation authority If you install the CS OCSP responder Online Certificate Status Manager you can configure one or more Certificate Managers to publish their CRLs to the Online Certificate Status Manager The Online Certificate Status Manager stores each Certificate Manager s CRL in its inte...

Page 161: ... OCSP compliant clients in order to be able to use the OCSP service 1 Make sure the OCSP service for the CA is enabled 2 Set up CRLs You need to configure the Certificate Manager to issue CRLs See Chapter 15 Revocation and CRLs for details on configuring CRLs 3 You must configure your policies or certificate profiles to include the Authority Information Access extension pointing to the location at...

Page 162: ... certificate identified as the Online Certificate Status Manager signing certificate whose public key corresponds to the private key the Online Certificate Status Manager uses to sign OCSP responses before sending them to OCSP compliant clients The Online Certificate Status Manager s signature provides persistent proof to an OCSP compliant client that the Online Certificate Status Manager has proc...

Page 163: ...es listen on The following interfaces and associated ports will be created An Administrative interface that is accessible by default only to members of the Administrator and Auditor group Administrators can configure any of the settings of the server Most basic functionality and subsystem specific configuration to the subsystem can be done using the administrative interface The administrative inte...

Page 164: ...gning certificate and key pair If you are using an external token you will need to install it before you run the Installation Wizard In the wizard you can select from a list of already installed and available tokens For example HSM For installation instructions see External Token on page 306 Internal Database Each subsystem uses an internal database to store information such as certificates and ce...

Page 165: ...hically strong Export and other regulations permitting it may be a good rule of thumb to start with 1024 bits and consider increasing the length to 4096 bits for certificates that provide access to highly sensitive data or services CS signing keys up to 2048 bits in length are not subject to export restrictions However the question of key length has no simple answers Every organization must make i...

Page 166: ... role This setting only applies to the default administrator agent auditor roles Click Next to continue 7 Subsystems Choose a subsystem you want to install Select Online Certificate Status Manager Click Next to continue 8 Network Configuration Type the numbers for the ports to be used by the CS instance The OCSP compliant clients will use this port to communicate with the Online Certificate Status...

Page 167: ...nd the request to a remote CS now option II Enter the host name for example host domain com and end entity port number of the Certificate Manager then specify whether this end entity port uses SSL III Click Next to submit the request The Certificate Request Result screen appears confirming that the request has been submitted Note the request ID provided in the response message You can use it later...

Page 168: ...er window II Go to the end entity URL for the Certificate Manager that will issue the Online Certificate Status Manager s signing certificate For example if you assigned the port number 17006 to the non SSL end entity port for your CA you would go to the URL http hostname 17006 to bring up the Certificate Manager page for end entities III Click Manual OCSP Manager Signing Certificate Enrollment IV...

Page 169: ...CATE REQUEST is highlighted and click the Copy to Clipboard button This action copies the certificate request to the clipboard In addition to the copy on the clipboard the screen informs you that the certificate request has been saved to a file You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the Online Certificate Status Manag...

Page 170: ...he request was sent option and supply the host name end entity port number and request ID Click Next to continue 15 Certificate Details This is an informational screen that displays the certificate so you can inspect its contents Notice the nickname assigned to the certificate and verify that you re installing the correct certificate Click Next to continue 16 Import Certificate Chain This screen a...

Page 171: ... to store the SSL server certificate and key pair If you have not previously initialized the token s password you must do so in this screen See Tokens on page 164 for more information Key Type Choose RSA Key Length Available key sizes for RSA are 512 768 1024 2048 4096 or Custom Available key sizes for DSA are 512 1024 or Custom which must be in increments of 64 bits only See Signing Key Type and ...

Page 172: ...0 request option If you want the wizard to generate the certificate request in CMC format select the Generate CMC full enrollment request option Click Next The wizard generates the certificate request that you must submit to a CA 21 Submission of Request Select whether you want to submit the request manually or send the request to a remote CS server Certificate Manager or Registration Manager auto...

Page 173: ...d the certificate go back to the wizard screen Step 22 To submit your certificate request manually to a Certificate Manager follow these steps I Open a web browser window II Go to the end entity URL for the Certificate Manager that will issue the SSL server certificate For example if you assigned the port number 17006 to the non SSL end entity port for your root CA you would go to the URL http hos...

Page 174: ...r the Certificate Manager s Agent Services page You must have a valid agent s certificate VII Select List Requests then click Show Pending Requests and click Find The pending request list is displayed VIII Locate your request click Details to see it and make any changes Then scroll down to the bottom of the form and click Approve Request 22 SSL Server Certificate Installation Depending on whether ...

Page 175: ...he certificate and verify that you re installing the correct certificate Click Next to continue 25 Import Certificate Chain This screen appears only if you need to import the CA certificate chain Follow these steps to import the CA chain of a Certificate Manager a Go to the web browser window b Enter the end entity URL for the Certificate Manager that issued the SSL server certificate c Select the...

Page 176: ...3 You must configure your policies or certificate profiles for every CA that will publish to the OCSP Responder to include the Authority Information Access extension pointing to the location at which the Certificate Manager listens for OCSP service requests identified as the AuthInfoAccessExt instance in the policy framework in certificates that are issued This extension is necessary to identify t...

Page 177: ...ate Status Manager is installed you need to add users and assign them to the administrator agent and auditor roles See Chapter 9 Authorization for details on adding users and assigning them to groups Configuring Authorization Each subsystem has a set of predefined groups that are assigned a default set of privileges You create users in the CS database and then assign them to that group to give the...

Page 178: ...perform all operations for all tasks associated with the agent services interface Trusted Managers all allowed to communicate with the Online Certificate Status Manager Managing Certificates and the Certificate Database The signing certificate and SSL encryption certificate are created and installed during the installation of the Online Certificate Status Manager See OCSP Certificates on page 179 ...

Page 179: ...ordinate Certificate Manager s certificate database If the Online Certificate Status Manager s SSL server certificate is signed by a different root CA then you need to import the root CA certificate into the subordinate Certificate Manager s certificate database and mark it as a trusted CA For general information about the OCSPs Certificates see OCSP Certificates on page 179 Changing Ports and IP ...

Page 180: ...audit logs that create audit trails that can only be read by a user with auditor privileges The log feature is configurable allowing you to change the settings for some of the logs See Logs on page 255 for complete information about the logs and details of the configuration options for logs Changing Internal Database Settings You can change the configuration of the internal database after installa...

Page 181: ...ture against the stored certificate 1 Get the Certificate Manager s CA signing certificate in base 64 encoded format You should be able to get this from the end entity interface of the CA that issued the certificate or the end entity interface of the Certificate Manager if the certificate is self signed 2 Go to the Online Certificate Status Manager s Agent interface The URL is https hostname port ...

Page 182: ...d communicate with the Online Certificate Status Manager The Requests Served Since Startup field should show a value of zero 0 indicating that no OCSP compliant client has queried the Online Certificate Status Manager yet for revocation status of a certificate Configure the Revocation Info Stores The Online Certificate Status Manager stores each Certificate Manager s CRL in its internal database a...

Page 183: ... return an OCSP response of GOOD if the certificate in question cannot be found in any of the CRLs If you deselect the option the response will be UNKNOWN which when encountered by an OCSP compliant client results in an error message includeNextUpdate The Online Certificate Status Manager can include the time stamp of next CRL update a future update time for the CRL or the revocation information i...

Page 184: ...n question cannot be found in any of the CRLs If you deselect the option the response will be UNKNOWN which when encountered by Red Hat Personal Security Manager an OCSP compliant client results in an error message includeNextUpdate The Online Certificate Status Manager can include the time stamp of next CRL update a future update time for the CRL or the revocation information in the OCSP response...

Page 185: ...te Status Manager The page also summarizes the Online Certificate Status Manager s activity since it was last started 8 Revoke the certificate 9 Verify the certificate in the browser or client Once verified you should see that the certificate has been revoked 10 Check the Certificate Manager s OCSP Service Status internal OCSP again Check the Certificate Manager s OCSP service status again to veri...

Page 186: ...ystem Administrator s Guide September 2005 The Online Certificate Status Manager sent an OCSP response to the browser The browser used that response to validate the certificate and informed you of its status that the certificate could not be verified ...

Page 187: ...r explains how to use the Data Recovery Manager to archive end entity s encryption private keys and how to use the archived keys later in place of missing encryption keys to recover encrypted data This chapter contains the following sections Data Recovery Manager s Key Pairs and Certificates PKI Setup for Key Archival and Recovery Key Archival Process Key Recovery Process Installing a Standalone D...

Page 188: ...ients that can generate dual key pairs use one private key for encrypting data and the other for signing data Because the encryption private key is separate you can archive it In addition to generating dual key pairs your end entity s clients must also support the encryption key archival option in certificate requests This option triggers the key archival process at the time encryption private key...

Page 189: ...this form see Step D Customize the Key Recovery Form on page 225 Key Archival Process If your certificate infrastructure has been set up for key archival the Data Recovery Manager automatically archives end entity s encryption private keys For general information on the type of PKI setup needed for archiving keys see PKI Setup for Key Archival and Recovery on page 187 For specific instructions on ...

Page 190: ...t to decrypt and recover an archived key For details on how this process works see Key Recovery Agents and Their Passwords on page 193 The Data Recovery Manager indexes stored keys by key number or ID owner name and a hash of the public key allowing for highly efficient searching by name or by public key The key recovery agents have the privilege to insert delete and search for key records The sea...

Page 191: ...pable of generating dual key pairs to access the certificate enrollment form served by the Registration Manager fills in all the information and submits the request The client detects the JavaScript option and exports only the end entity s encryption private key not the signing private key The Registration Manager detects the key archival option in the end entity s request and asks the client for ...

Page 192: ... successfully stored the Data Recovery Manager uses the private key of its transport key pair to sign a token confirming that the key has been successfully stored the Data Recovery Manager then sends the token to the Registration Manager 5 After the Registration Manager receives and verifies the signed token it sends the certificate request to the Certificate Manager for issuance 6 The Certificate...

Page 193: ...ng the installation of the Data Recovery Manager However you can change the number of recovery agents and their passwords later by modifying it in the Data Recovery Manager configuration see Changing Key Recovery Agents Passwords on page 201 Secret Sharing of Storage Key Password The Data Recovery Manager uses the private key of its storage key pair to encrypt the end entity s encryption private k...

Page 194: ...ation on Data Recovery Manager agents see Agents on page 316 Your organization s PKI policy may require that the key recovery process be restricted to authorized recovery agents only preventing any Data Recovery Manager agent from being involved If so you should ask all key recovery agents to get client certificates and set them up as Data Recovery Manager agents For instructions see Setting up Ad...

Page 195: ...ference number and authorizes key recovery separately The Data Recovery Manager informs the agent who initiated the key recovery process of the status of the authorizations When all of the authorizations are entered the Data Recovery Manager checks the information If the information presented is correct it retrieves the requested key and returns it along with the corresponding certificate in the f...

Page 196: ...ption private key needs to be recovered and submits the request The request is submitted to the Data Recovery Manager over HTTPS 2 The Data Recovery Manager subjects the key recovery request to its policy checks 3 If the request passes all the policy rules the Data Recovery Manager sends a confirmation HTML page to the web browser the agent used If the request fails any of the policy checks the se...

Page 197: ... agents passwords to construct the PIN required to access the private key repository 6 The Data Recovery Manager then retrieves the end entity s private key from its key repository and decrypts it by using the private component of the storage key pair 7 The Data Recovery Manager packages the end entity s certificate and the corresponding private key as a PKCS 12 package and encrypts it with the PK...

Page 198: ... entity s keys The Data Recovery Manager tracks the key recovery agent password for each agent and allows you to facilitate changing agents passwords you do not have direct access to these passwords or the actual storage key password Each password retrieves only a part of the private storage key You first specified the key recovery agent scheme when you installed the Data Recovery Manager Changing...

Page 199: ...ocess Chapter 6 Data Recovery Manager 199 3 In the navigation tree select the Data Recovery Manager and in the right pane click the Scheme Management tab The Scheme Management tab shows the current key recovery scheme ...

Page 200: ... a key recovery process The number cannot be zero and must be equal to or less than the total number of recovery agents Total number of recovery agents Specify the total number of key recovery agents The number cannot be less than one and must be equal to or greater than the number of agents required to authorize the key recovery operation 6 Click Next 7 For each agent enter a user name and passwo...

Page 201: ...hange their passwords periodically This way you will be sure that the required number of agents are available if a key needs to be recovered If key recovery agents routinely change their passwords they are less likely to forget them The CS window allows you to view the list of currently designated key recover agents and if necessary change an agent s password To change key recovery agents password...

Page 202: ...ficate System Administrator s Guide September 2005 The tab shows current key recovery agents in the Available Agents list 4 Select the agent whose password needs to be changed and click Change Password The Change Password dialog box appears ...

Page 203: ...sword for the key repository New Password Type the new password for the key repository Confirm Password Retype the new password exactly as you typed it in the previous field 6 Click OK You are returned to the Recovery Agent Password tab Installing a Standalone Data Recovery Manager Data Recovery Manager s Key Pairs and Certificates The Data Recovery Manager uses the following key pairs and certifi...

Page 204: ...to decrypt or unwrap the archived key during the recovery operation That is the public key is used to encrypt the key repository the server uses to store end entity s encryption private keys For more information on how this key pair is used see Chapter 6 Data Recovery Manager Note that the public component of the storage key pair is not certified there is no certificate that corresponds to the pub...

Page 205: ...e the signing certificate and key pair and the SSL signing certificate and key pair If you are using an external token you will need to install it before you run the Installation Wizard In the wizard you can select from a list of already installed and available tokens For example SmartCard For installation instructions see External Token on page 306 Internal Database Each subsystem uses an interna...

Page 206: ... no longer consider an RSA key of length less than 1024 bits to be cryptographically strong Export and other regulations permitting it may be a good rule of thumb to start with 1024 bits and consider increasing the length to 4096 bits for certificates that provide access to highly sensitive data or services However the question of key length has no simple answers Every organization must make its o...

Page 207: ...gent auditor and trusted manager roles Click Next to continue 7 Subsystems Choose a subsystem you want to install Select Data Recovery Manager Click Next to continue 8 Network Configuration Type the numbers for the ports to be used by the CS instance Click Next to continue 9 Key Pair Information for Data Recovery Manager Transport Certificate Select the token to store the transport certificate and...

Page 208: ...s Guide Click Next to continue 12 Data Recovery Manager Transport Certificate Request Creation This informational screen tells you that the wizard has all the information required to generate the key pair and certificate request In the previous screen if you chose to include the Subject Key Identifier extension in the certificate you ll be given the choice to select the format for the certificate ...

Page 209: ...make any changes Then scroll down to the bottom of the form and click Approve request VIII When the certificate is displayed scroll down to the base 64 encoded version of the certificate highlight all the text including BEGIN CERTIFICATE and END CERTIFICATE and copy it to the clipboard or to a text file Be sure to not make any changes to the certificate You re required to paste the encoded certifi...

Page 210: ...IFICATE and END CERTIFICATE and copy it to the clipboard or to a text file Be sure to not make any changes to the certificate You re required to paste the encoded certificate into the Installation Wizard next So once you ve copied the certificate go back to the wizard screen Step 14 To submit the transport certificate request manually to a third party CA follow these steps I Make sure that the cer...

Page 211: ...d then type the file path including the filename in the text field If you copied the certificate to the clipboard select the The certificate is located in the text area below option and then paste in a base 64 encoded certificate including the header and footer in the text area provided If you noted the request ID of your request and know the host name and end entity port number of the remote Cert...

Page 212: ...eme 1 Type both the required number of recovery agents and the total number of recovery agents Click Next to continue 20 Data Recovery Key Scheme 2 The number of table rows correspond to the total number of agents you specified in the previous screen Type the user ID and password for each agent in the table Click Next to continue The screens that follow let you request an SSL server certificate fo...

Page 213: ...the wizard has all the information required to generate the key pair and certificate request In the previous screen if you chose to include the Subject Key Identifier extension in the certificate you ll be given the choice to select the format for the certificate request Otherwise the request format will be PKCS 10 If you want the wizard to generate the certificate request in PKCS 10 format select...

Page 214: ...ts click Show Pending Requests and click Find VI In the pending request list locate your request click Details to see the request and make any changes Then scroll down to the bottom of the form and click Do It VII After the certificate is generated click Show Certificate VIII When the certificate is displayed scroll down to the base 64 encoded version of the certificate highlight all the text incl...

Page 215: ...e to wait for the Certificate Manager s agent to approve your request and issue the certificate To approve the request do the following In the web browser window enter the URL for the Certificate Manager s Agent Services page You must have a valid agent s certificate Select List Requests then click Show Pending Requests and click Find The pending request list is displayed Locate your request click...

Page 216: ...should click No continue as far as you can with the configuration and resume after you receive the certificate The default is No Select Yes only if you have the certificate ready in its base 64 encoded format Click Next to continue If you selected Yes the Location of Certificate screen appears Step 28 If you selected No you will be presented with the Create Single Signon Password screen Step 31 28...

Page 217: ...isplay the CA certificate chain in PKCS 7 for importing into a server option and click Submit e In the resulting page locate the CA certificate chain in its base 64 encoded format and copy it to the clipboard f Return to the Installation Wizard g Paste the CA certificate chain into the text box Click Next to continue 31 Single Sign on Summary Check the summary and select whether to retain or delet...

Page 218: ...ge 190 To set up the key archival process follow these steps Step A Deploy Clients That Can Generate Dual Key Pairs Step B Connect the Enrollment Authority and the Data Recovery Manager Step C Customize the Certificate Enrollment Form Step D Configure Key Archival Policies Step A Deploy Clients That Can Generate Dual Key Pairs You can use the Data Recovery Manager to archive and recover keys only ...

Page 219: ...l database of the Data Recovery Manager By default the Certificate Manager uses its SSL server certificate for SSL client authentication whereas the Registration Manager uses its signing certificate for this purpose Otherwise follow the instructions in Setting Up a Trusted Manager on page 321 and set up the enrollment authority as a trusted front end to the Data Recovery Manager Step C Customize t...

Page 220: ... its base 64 encoded format The transport certificate is stored in the Data Recovery Manager s certificate database If the transport certificate is signed by a Certificate Manager then a copy of the certificate is also available with the Certificate Manager Follow the instructions as appropriate To copy the transport certificate information from a Certificate Manager s database a Open a web browse...

Page 221: ...IhvcNAQEEBQAwdzELMAkGA1UEBhMCV VMxLDAqBgNVBAoTI0 5ldHNjYXBlIENvbW11bmljYXRpb25zIENvcnBvcmF0aW9uMREwDwYDVQQLEwh IYXJkY29yZTEnMCUG A1UEAxMeSGFyZGNvcmUgQ2VydGlmaWNhdGUgU2VydmVyIElJMB4XDTk4MTExO TIzNDIxOVoXDTk5MD UxODIzNDIxOVowLjELMAkGA1UEBhMCVVMxETAPBgNVBAoTCG5ldHNjYXBlMQw wCgYDVQQDEwNLUmEw XDANBgkqhkiG9w0BAQEFAANLADBIAkEArrbDiYUI5SCdlCKKa0bEBn1m83kX6 bdhytRYNkdHB9 To copy the transport certificate i...

Page 222: ...EGIN CERTIFICATE and END CERTIFICATE to a text file The copied information should look like the example below MIICDjCCAXegAwIBAgICAfMwDQYJKoZIhvcNAQEEBQAwdzELMAkGA1UEBhMCV VMxLDAqBgNVBAoTI0 5ldHNjYXBlIENvbW11bmljYXRpb25zIENvcnBvcmF0aW9uMREwDwYDVQQLEwh IYXJkY29yZTEnMCUG A1UEAxMeSGFyZGNvcmUgQ2VydGlmaWNhdGUgU2VydmVyIElJMB4XDTk4MTExO TIzNDIxOVoXDTk5MD UxODIzNDIxOVowLjELMAkGA1UEBhMCVVMxETAPBgNVBAoTCG5l...

Page 223: ...hdGUgU2Vy dmVyIEl JMB4XDTk4MTExOTIzNDIxOVoXDTk5MDUxODIzNDIxOVowLjELMAkGA1UEBhMC VVMxETA PBgNVBAoTCG5ldHNjYXBlMQwwCgYDVQQDEwNLUmEwXDANBgkqhkiG9w0BAQEF AANLADB IAkEArrbDiYUI5SCdlCKKa0bEBn1m83kX6bdhytRYNkdHB95Bp85SR g Pass the kraTransportCert variable to the JavaScript method Replace null the fourth line in the method with kraTransportCert h Specify the key algorithm and key type see generateCRMFReq...

Page 224: ... Recovery Manager supports agent initiated key recovery process in which end entity s encryption private keys are recovered by designated key recovery agents This section explains how to set up the key recovery process To set up agent initiated key recovery process follow these steps Step A Verify the m of n Scheme Step B Facilitate the Key Recovery Agents to Change the Passwords Step C Determine ...

Page 225: ...ption private key locally or remotely The default configuration is local authorization It is important that you evaluate both the authorization modes and choose the one that is appropriate for your organization For more information about this see Local Versus Remote Key Recovery Authorization on page 194 If want the key recovery agents to authorize key recovery remotely be sure to set them up as D...

Page 226: ...archive a key follow these instructions 1 Enroll for dual certificates To do this a Open a web browser window b Go to the end entity interface for the enrollment authority The default URL is as follows https hostname end_entity_HTTPS_port or http hostname end_entity_HTTP_port c In the end entity interface open the enrollment form you customized in Step C Customize the Certificate Enrollment Form o...

Page 227: ...serial numbers c Download the certificates to the web browser d Go to the security information window of the browser from the Communicator menu choose Edit and then choose Tools and then choose Security Info e Click Certificates and then click Manage Certificates f Verify that the test certificates have been stored in the browser s certificate database 4 Check whether the key has been archived To ...

Page 228: ...e you downloaded previously and click Delete 4 When prompted confirm the delete action 5 Check your email again This time you should not be able to verify the email message because you have deleted the certificates from the client s certificate database Step D Test Your Key Recovery Setup To test whether you can successfully recover an archived key 1 Go to the Data Recovery Manager s Agent Service...

Page 229: ...y by providing the base 64 encoded certificate in step 4 then you don t have to provide this information The key recovery agents passwords 7 Click Recover If you entered the correct information the Data Recovery Manager returns the private key packaged as a PKCS 12 blob it contains the recovered key pair and the corresponding certificate and prompts you to save it Specify the path and filename for...

Page 230: ...Configuring Key Archival and Recovery Process 230 Red Hat Certificate System Administrator s Guide September 2005 ...

Page 231: ... supports the use of tokens with user s computers This chapter briefly introduces these three components For more details see the HTML document Setting Up a Token Key Infrastructure available on the CS CD Token Processing Service The Token Processing Service TPS is a CS component that acts as a Registration Authority for authenticating and processing enrollment requests PIN reset requests and form...

Page 232: ...Security Client ESC is the CS component that provides the user facing portion of the Token Management System The end user can be issued security tokens containing certificates and keys required for signing encryption and other cryptographic functions To make use of the tokens TPS must be able to recognize and communicate with them ESC provides the means by which tokens can be taken through the enr...

Page 233: ...pes of tokens The UserKey type allows the use of the key on a token to identify a specific individual The simpler DeviceKey can be used only to identify the key itself without verifying an individual s identity Provides information about the current status of the token or tokens being managed ...

Page 234: ...Enterprise Security Client 234 Red Hat Certificate System Administrator s Guide September 2005 ...

Page 235: ...internal database This chapter contains the following sections The Administrative Interface System Passwords Starting Stopping and Restarting CS Instances Subsystem Configuration Overview Mail Server Configuration Files Logs Signed Audit Log Self Tests Ports Changing an IP Addresses The Internal Database Managing the Certificate Database Tokens for Storing CS Keys and Certificates Hardware Cryptog...

Page 236: ... configure CS through Red Hat Console You access Administration Server by entering its URL in the Red Hat Console login screen and providing the user ID and password of the administrative user Administration Server must be running before you can access Red Hat Console For complete details about Red Hat Administration Server see Managing Servers with Red Hat Console Starting Administration Server T...

Page 237: ... providing a unified administration interface to the user directory You can accomplish various CS specific tasks from the Console tab Launch the CS console Install instances of CS Remove an instance of CS Clone an instance of CS Set access permissions for CS For complete details about Red Hat Console see Managing Servers with Red Hat Console Logging Into Red Hat Console You can launch and use Red ...

Page 238: ... with Directory Server but does not allow you to create CS server instances Password Type the password for this user ID Administration URL Specify the URL for the Administration Server you want to log into This URL has the following format http machine_name your_domain domain port_number For example if your domain name is example com and you installed Administration Server on a host machine called...

Page 239: ...pecifics of setting these configuration settings is contained in the appropriate section of this guide Status Tab The Status tab allows you to monitor the server by viewing the contents of various logs maintained by CS See Logs on page 255 for more information Logging Into the CS Console To log into the CS console 1 Log into Red Hat Console see Logging Into Red Hat Console on page 237 2 Double cli...

Page 240: ...ssword entry dialog 4 The CS console opens Viewing Information About a CS instance You can view some of the basic information about a CS instance To view information pertaining to a CS instance 1 Log in to Red Hat Console see Logging Into Red Hat Console on page 237 2 In the Console tab select the CS instance you want to view The right pane shows information about the selected CS instance The info...

Page 241: ...igured properly 3 To change the name of the instance or its description Select the instance and click Edit Details about the selected CS instance appear in the right pane Specify the appropriate information Server Name Type a name for the server Description Type any additional description for the server For example you may want to type information that will help you identify this instance of CS Se...

Page 242: ...ot lib LD_LIBRARY_PATH 2 Use certutil in bin cert tools to initialize the cert8 db and key3 db files in home_directory mcc To do this a Go to the following directory server_root bin cert tools b Issue the command certutil N d home_directory mcc 3 Request the client certificate Go to the end entity interface for the CA that will issue the certificate and click on the Enrollment tab 4 Select the Man...

Page 243: ...he clientauth off attribute to clientauth on in the SSLPARAMS section of the LS id admin LS id admin ip 0 0 0 0 port 8206 security on acceptorthreads 1 blocking no CONNECTIONGROUP id admin_default matchingip default servername buster mcom com defaultvs admin vs SSLPARAMS servercertnickname Server Cert cert buster ssl2 off ssl2ciphers rc4 rc4export rc2 rc2export des desede3 ssl3 on ssl3tlsciphers f...

Page 244: ...hat creates and manages the password In an LDAP directory access the remote directory that you authenticate to enforces the quality of the password you used because it is created and managed by the directory To enable you to customize the quality of passwords the plug in for the password quality checker is included as a sample in the CS SDK Passwords Stored by the Server CS stores passwords in two...

Page 245: ...sword Cache Passwords for the internal database and other database related passwords for optional features are stored in the file pwcache db located in the server_root cert instance_id config directory The password cache is triple DES encrypted with a symmetric key which is generated and stored in the cryptographic module This file is opened using the single sign on password and the passwords stor...

Page 246: ...igation tab and then right click your mouse selecting the Start Server option from the pop up menu Alternatively 1 Log in to Red Hat Console see Logging Into Red Hat Console on page 237 2 Double click the CS instance you want to open from the Red Hat Console navigation tab or select the instance and click Open 3 Go to the Tasks Tab and select Start Server Starting From the Command Line To start a ...

Page 247: ... From Red Hat Console To stop a CS instance from Red Hat Console 1 Log in to Red Hat Console see Logging Into Red Hat Console on page 237 2 Select the CS instance you want to stop from the Red Hat Console navigation tab and then right click your mouse selecting the Stop Server option from the pop up menu Alternatively 1 Log in to Red Hat Console see Logging Into Red Hat Console on page 237 2 Doubl...

Page 248: ...rver s user account 2 Go to the following directory server_root cert instance_id 3 Type the following command restart cert Subsystem Configuration Overview Once you install CS on a host you are ready to configure any subsystems that will run on that host You can configure multiple subsystems on a host or multiple instances of a single subsystem As part of your deployment planning you should decide...

Page 249: ...f Certificate System The Create Server Instance dialog opens 4 Type a unique name or identifier for the new instance You can use any combination of letters aA to zZ digits 0 to 9 an underscore _ and a hyphen other characters and spaces are not allowed For example you can type Pilot_root CA as the instance name but not Pilot root CA 5 Click OK The instance you created appears in the navigation tree...

Page 250: ...oup Mail Server The notifications and jobs features use the mail server set up in the CS instance to send its notification messages You set up a mail server using the following procedure 1 In the CS window select the Configuration tab and then in the right pane select the SMTP tab 2 Identify the mail server by providing the following details Server name Type the fully qualified DNS host name of th...

Page 251: ...ile Each instance of CS has its own configuration file CS cfg The file for the subsystem is different depending on your installation choices and on which subsystem is installed in that instance The CS cfg file is located in the following directory server_root cert instance_id config where Editing the Configuration File To modify the configuration file server_root Specifies the directory in which C...

Page 252: ...ctory server_root cert instance_id config 3 Open the file CS cfg in a text editor 4 Edit the parameters in the file and save your changes 5 Start CS see Starting Stopping and Restarting CS Instances on page 246 Guidelines for Editing the Configuration File The following are guidelines for editing the configuration file The format for parameters is as follows comment parameter value Comment lines b...

Page 253: ...modules and any configured instances appears in the Authentication section of the configuration file Each registered authentication plug in module is identified by its implementation name and the corresponding Java class Each configured instance of an authentication module is identified by the name or ID you specified when creating it You can create multiple instances from an implementation each i...

Page 254: ...d when the rule was created You can create multiple rules out of an implementation each rule must have a unique name To do this you would copy all of the parameters belonging to the module used to create the instance Change the name of each of these parameters to the new name for this instance and then change the value of all the parameters as is appropriate for your needs Duplicating Configuratio...

Page 255: ...ver supports and various other processes employed by the subsystems the server manages While CS is running it keeps a log of information and error messages on all the components it manages Log plug in modules are listeners which are implemented as Java classes and are registered in the CS policy framework Each instance of Red Hat Certificate System CS maintains its own log files All the log files ...

Page 256: ...nstallation and Setup Logs The following logs are created when the CS instance is installed the information about logs in this section does not pertain to these logs config_cgi log Created by config_cgi cgi that forwards configuration daemon client Java UI requests to the configuration daemon daemon err Created by the start_daemon cgi captures the standard error of the start_daemon cgi daemon out ...

Page 257: ...og settings accordingly For details see Monitoring Logs on page 265 Table 8 1 Services Logged Service Description ACLs Specifies logged events related to access control lists Administration Specifies logged events related to this server s administration activities that is HTTPS communication between the CS console and CS All Specifies logged events related to all the services Authentication Specif...

Page 258: ...o OCSP Others Specifies logged events related to other activities of this server such as command line utilities and other processes Registration Authority Specifies logged events related to the Registration Manager Request Queue Specifies logged events related to the request queue activity of this server User and Group Specifies logged events related to users and groups managed by this server Tabl...

Page 259: ...fered logging 3 Failure default selection for system and error logs These messages indicate errors and failures that prevent the server from operating normally Examples of messages that fall into this category include failures to perform a certificate service operation User authentication failed or Certificate revoked and unexpected situations that can cause irrevocable errors The server cannot se...

Page 260: ...files are rotated when either of the following occur The size limit for the corresponding file is reached the size of the corresponding log file is equal to or greater than the value specified by the maxFileSize configuration parameter The default value for this parameter is 100 KB The age limit for the corresponding file is reached the corresponding log file is equal to or older than the interval...

Page 261: ...sole on page 239 2 In the navigation tree select Logs On the right pane the Log Event Listener Management tab appears It lists the currently configured listeners 3 Either create a new log instance delete an existing instance or modify an existing instance To create a new log instance a Click Add in the Log Event Listener Management tab The Select Log Event Listener Plug in Implementation window ap...

Page 262: ...to write messages Make sure that the server has read write permission to the file bufferSize Type the buffer size in kilobytes KB for the log The default size is 512 KB For more information see Buffered Versus Unbuffered Logging on page 259 Once the buffer reaches this size the contents of the buffer are flushed out and copied to the log file flushInterval Type the interval in seconds to flush the...

Page 263: ...private key for this certificate must be accessible to the subsystem in order for it to sign the log events Specifies which events will be logged to the audit log Lists each event separated by a comma with no spaces You can remove events from the list See Table 8 3 on page 269 for a complete list of auditable logging events 5 Click OK You are returned to the Log Event Listener Management tab 6 Cli...

Page 264: ...buffer are flushed out and added to the log file level Specify a log level The choices are 0 for Debug 1 for Information 2 for Warning 3 for Failure 4 for Misconfiguration 5 for Catastrophe and 6 for Security The default selection is 1 For more information see Log Levels Message Categories on page 258 maxFileSize Specify the file size in kilobytes KB for the error log The default size is 100 KB Th...

Page 265: ...quest If you enter zero 0 no messages are returned If you leave the field blank the server returns every matching entry no limit regardless of the number found Source Select the CS component or service for which log messages are to be displayed from the drop down list If you choose All messages logged by all components that log to this file are displayed For more information see Services That Are ...

Page 266: ... signing log files you use a command line utility called Red Hat Signing Tool signtool For details about this utility check this site http www mozilla org projects security pki nss tools The utility uses information in the certificate key and security module databases of CS When you are ready with all this information follow the procedure below to sign the log directories 1 Go to the CS instance i...

Page 267: ...e on page 239 2 Select the Configuration tab 3 In the navigation tree select Logs and then in the right pane select the Log Event Listener Plug in Registration tab 4 Click Register The Register Log Event Listener Plug in Implementation window appears 5 Specify information as appropriate Plugin name Type a name for the plug in module Class name Type the full name of the class for this module that i...

Page 268: ...is log The signed audit log feature is disabled by default You can also set this audit log up as a signed audit log You enable this by setting the logSigning parameter to enable and providing the nickname of the certificate that will be used to sign this log When this log is setup as a signed audit log only a user with auditor privileges can access and view the log Auditors can use the AuditVerify...

Page 269: ...er words any of the settings for CRLs including extensions frequency and CRL format CONFIG_OCSP_PROFILE A change is made to the configuration settings for the Online Certificate Status Manager CONFIG_AUTH A change is made to the configuration settings for the authentication framework CONFIG_ROLE A change is made to the configuration settings for roles including changes made to users or groups CONF...

Page 270: ...PROCESSED A key recovery has been processed KEY_GEN_ASYMMETRIC Asymmetric keys are generated NON_PROFILE_CERT_REQUEST A certificate request is made that is not through the certificate profile framework PROFILE_CERT_REQUEST A certificate request is made through the certificate profile framework CERT_REQUEST_PROCESSED A certificate request is being processed CERT_STATUS_CHANGE_REQUEST The request is...

Page 271: ...on Manager 3 Use the Certificate Setup Wizard to obtain a certificate request for the private keys and certificates that will be used to sign the log files When running the certificate wizard specify that the request is of type Other and request that the output be a certificate request in PKCS 10 format See Certificate Setup Wizard on page 289 for information about using the Certificate Setup Wiza...

Page 272: ...vents that could cause the audit logging function to fail In other words events cannot be written to the log For example when the file system containing the audit log file is full or when the file permissions for the log file is accidentally changed If audit logging fails CS will shut down in the following manner Servlets are disabled and will not processes new requests All pending and new request...

Page 273: ...reports for both the start up self tests and the on demand self tests You can configure this log by changing the setting for the log in the CS cfg file See Modifying Self Test Configuration on page 274 for details Self Test Configuration The self tests feature and individual self tests are registered and configured in the CS cfg file Self tests can either be enable or disable meaning that a partic...

Page 274: ...ts of the buffer are flushed out and copied to the log file enable Specify true to enable false to disable Only enabled logs actually record events expirationTime Specify in seconds the age limit for deleting the rotated log files The default value is 0 seconds which indicates that the rotated log files should not be deleted If you provide a value the rotated log will be deleted from your system a...

Page 275: ...ctions fileName rolloverInterval Specify the frequency at which the server should rotate the active error log file The available choices are Hourly Daily Weekly Monthly and Yearly The default selection is Monthly For more information see Log File Rotation on page 260 type Set to transaction don t change this 4 To edit the order in which the self test are run specify the order by listing any of the...

Page 276: ...choose ports that are unique on the host system To verify that a port is available for use check the appropriate file for your operating system port numbers for network accessible services are usually maintained in a file named services On Unix if you are not running as root or superuser when you install or start the server you will have to use a port number higher than 1024 ...

Page 277: ...m number greater than 1024 as the agent port number and prompts you to change it if necessary the port number can be any number between 1 and 65535 The number you choose for the agent port affects your agent users all agents access CS by specifying the name of the server the CS instance and the agent port number in the URL For example if you choose port number 4430 the URL would look like this htt...

Page 278: ...authentication providing a secure transfer of data to this port Similar to the HTTP port you can enable or disable the HTTPS port For example if you don t want end entity interaction with a Certificate Manager you can disable the HTTPS port For details see Changing a Port Number on page 278 If this CS instance is for a Certificate Manager and if the Certificate Manager is configured to service OCS...

Page 279: ...and delete them LS id ee_nonSSL ip 0 0 0 0 port 80 security off acceptorthreads 1 blocking no CONNECTIONGROUP id ee_nonSSL_default matchingip default servername hostname domainname defaultvs ee vs II Locate the following line VS id ee vs state on urlhosts hostname domainname mime mime1 aclids acl1 connections eeSSL_default ee_nonSSL_default and change it to VS id ee vs state on urlhosts hostname d...

Page 280: ...e server xml file in a text editor and edit the appropriate IP addresses To change the administration ip address locate this line and edit the value of the ip attribute LS id admin ip 0 0 0 0 port 8200 security on acceptorthreads 1 blocking no To change the agent ip address locate this line and edit the value of the ip attribute LS id agent ip 0 0 0 0 port 8100 security on acceptorthreads 1 blocki...

Page 281: ...ring of CRLs Storing of ACLs Storing of privileged user and role information Storing and retrieving of end users encryption private key records To fulfill these functions CS maintains a persistent store a preconfigured Red Hat Directory Server referred to as the internal database or local database The internal database is installed automatically as a part of the CS installation It is used as an em...

Page 282: ...ect the Configuration tab and then in the right pane select the Internal Database tab 3 Change a Directory Server instance by changing the following fields Host name Type the fully qualified host name of the machine on which Red Hat Directory Server is installed CS uses this name to access the directory The format for the host name is as follows machine_name your_domain domain By default the host ...

Page 283: ... Database 1 Stop CS 2 Go to the directory server root cert id config 3 Open the file CS cfg in a text editor 4 Edit the following lines to the indicated values internaldb ldapauth authtype SslClientAuth internaldb ldapauth bindDN CN Directory Manager internaldb ldapauth bindPWPrompt Internal LDAP Database internaldb ldapconn host ldap_hostname internaldb ldapconn port ldap_httpsport internaldb lda...

Page 284: ...o access Red Hat Console That is this person can open the Directory Server console for the internal database and make changes to the data stored there For example this person can make changes to the CS administrators group such as deleting existing users and adding entries for self If you are concerned about this you can restrict access to the internal database to only those users who know its Dir...

Page 285: ...n or an external token for generating and storing key pairs CS always maintains its list of trusted and untrusted CA certificates in its internal token You may need to add new certificates to the database remove unwanted certificates from the database or change the trust settings of CA certificates in the database This section explains how to view the contents of the certificate database delete un...

Page 286: ...Specifies whether the CA is trusted or untrusted To change the trust setting see Changing the Trust Settings of a CA Certificate on page 286 list is a table with each certificate occupying a row 4 To delete a certificate a select the CA certificate you want to delete and click Delete b When prompted confirm the delete action c Click Close 5 To save your changes click Save Changing the Trust Settin...

Page 287: ...ate Database Management window appears The window lists the certificates currently installed for the selected CS instance the list is a table with each certificate occupying a row 4 Select the CA certificate whose trust setting you want to modify and click Edit The Certificate Information window appears The window shows detailed information about the selected certificate including serial number va...

Page 288: ... find the CA listed in its trust database as a trusted CA so it rejects the Registration Manager s service request The Certificate Setup Wizard built into the CS window automates the process of installing trusted CA certificates in the certificate database For instructions on using the wizard see Using the Wizard to Install a Certificate or Certificate Chain on page 299 Installing a CA Certificate...

Page 289: ...A certificate chains in the certificate database of a CS instance When you start the wizard which you do by clicking the Certificate Setup Wizard button in the Encryption tab of the CS window you are asked to specify whether you want to request or install a certificate The wizard presents you with the screens appropriate to your choice and walks you through the entire process For installing certif...

Page 290: ...2 Choose the Certificate Choose the certificate by name that you want to request The drop down list shows various certificates used by the currently selected CS instance Choose the one you want to request which certificates you see in the list depends on the subsystems installed in the currently selected CS instance You may see a combination of the following options If a Certificate Manager is ins...

Page 291: ...rtificate choose this option if you want to generate an SSL server certificate request for the CS manager Other choose this option if you want to generate a certificate request for a certificate that is not generated by a CS manager by default For example in a Certificate Manager you can use this option to request a CRL signing certificate or a separate SSL client certificate exclusively for authe...

Page 292: ...sponds to the certificate you chose in the previous step If you want a new certificate use a new key pair for generating the request For example you may want to get a new SSL server certificate or may want to replace an existing certificate whose private key has been compromised To generate a certificate request based on a new key pair select the token that can generate the key pair you want to us...

Page 293: ...g certificate as Registration Authority for North America For a SSL server certificate the name must be the fully qualified host name of CS in this form machine_name your_domain domain To determine the machine and domain names go to Red Hat Console and locate the CS host in the navigation tree Organizational unit enter the organizational unit the server belongs to For example Marketing Organizatio...

Page 294: ...nstraints select this option if you want to set any of the basic constraints extension bits in the certificate you are requesting When you select the option the associated fields are enabled You should select the ones you want to set Netscape certificate type select this option if you want to set any of the Netscape Certificate Type extension bits in the certificate you are requesting When you sel...

Page 295: ... format and is bounded by the marker lines BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST An example is show below BEGIN NEW CERTIFICATE REQUEST MIICJzCCAZCgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBC6SAwHgYDVQQKExdOZXRz Y2FwZSBDb21tdW5pY2 F0aW9uczngjhnMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyNzE5MDAwM FoXDTk5MDIyMzE5MDA wMnbjdgngYoxIDAeBgNVBAoTF05ldHNjYXBlIENvbW11bmljYXRpb25zMQ8wDQYD VQQLEwZ...

Page 296: ...n the CA s enrollment form Sending the CSR Automatically to a CS Manager To send the certificate signing request CSR automatically to a Certificate Manager 1 Type the appropriate values in the following fields Send the request to a remote CS now Select this option Host name Type the fully qualified host name in the machine_name your_domain domain format of the Certificate Manager to which you want...

Page 297: ...rd to Install a Certificate or Certificate Chain on page 299 Sending the CSR Manually to an Internal CA The following instructions assume that your internally deployed CA is a Certificate Manager and that you are using the default HTML forms provided for end entity enrollment If you have customized these forms you should follow the appropriate instructions To send the certificate signing request C...

Page 298: ...llowing the instructions in Using the Wizard to Install a Certificate or Certificate Chain on page 299 Sending the CSR to an External CA An external CA is any public or third party CA Before sending the CSR to a public CA make sure that the CA can issue the certificate you want to request Also it is a good idea to read the policy statement published by a CA to see whether the CA imposes any restri...

Page 299: ...s a collection of certificates the subject certificate the trusted root CA certificate and any intermediate CA certificates needed to link the subject certificate to the trusted root However the certificate chain the wizard allows you to import must include only CA certificates none of the certificates can be a user certificate In a certificate chain each certificate in the chain is encoded as a s...

Page 300: ... certificate In particular the signature and the contents are ignored The PKCS 7 format allows multiple certificates to be downloaded at once DER encoded certificates These are DER encoded certificates that may or may not be wrapped in a base 64 encoding package surrounded by the delimiters BEGIN CERTIFICATE and END CERTIFICATE Red Hat Certificate Sequence This is a simpler format for downloading ...

Page 301: ... install a CA signing certificate for the Certificate Manager installed in the currently selected CS instance OCSP Signing Certificate choose this option if you want to install an OCSP signing certificate for the Certificate Manager installed in the currently selected CS instance Registration Manager Signing Certificate choose this option if you want to install a request signing certificate for th...

Page 302: ...where exit from the wizard copy the file to the local disk and restart the wizard Copying the certificate or certificate chain to the text area on the wizard screen you can paste the certificate or certificate chain into the text area provided by the wizard This is a text input field so you can paste the certificate or certificate chain in text format only For example if you are installing a certi...

Page 303: ...a certificate chain the wizard adds to the local trust database the first certificate in the chain as a trusted CA certificate and any subsequent certificates as untrusted CA certificates For more information on how the wizard installs a certificate chain see Using the Wizard to Install a Certificate or Certificate Chain on page 299 Step 6 Verify the Certificate Status This step is applicable only...

Page 304: ...ample if the CA has issued certificates to subordinate Certificate Managers Registration Managers Data Recovery Managers Online Certificate Status Managers and agents all those certificates will become invalid the subsystems will fail to function and agents will fail to access agent interfaces Before getting a new self signed certificate for the Certificate Manager therefore you must address issue...

Page 305: ...ficate Also determine whether the Certificate Manager is configured to publish certificates and CRLs to an LDAP directory and whether it uses the SSL server certificate for SSL client authentication to the directory If it does you will have to request the certificate with the appropriate extensions and after installing the certificate you will have to configure the publishing directory to use this...

Page 306: ...o an external hardware device such as a smart card FORTEZZA card or other crypto card that Certificate System uses to generate and store its key pairs and certificates Certificate System supports any hardware tokens that are compliant with PKCS 11 version 2 01 If you haven t already done so consider using external tokens for generating and storing the key pairs and certificates used by Certificate...

Page 307: ...sing the command line utility named modutil Both the methods are documented below To install the PKCS 11 module using Red Hat Console a Log in to the CS window see Logging Into the CS Console on page 239 b From the Console menu choose Manage PKCS 11 The PKCS 11 Management window appears c Click Add The Add PKCS 11 Module window appears d Enter information as appropriate If you choose JAR as your f...

Page 308: ... tokens used by Certificate System Viewing Tokens Changing a Token s Password Viewing Tokens To view a list of the tokens currently installed for a CS instance 1 Log in to the CS window see Logging Into the CS Console on page 239 2 Select the Configuration tab and then in the right pane select the Encryption tab 3 In the Map To section check the Token drop down list It shows the names as specified...

Page 309: ...nections speed is important if you want your Certificate Manager Registration Manager or Data Recovery Manager to be able to accommodate a high number of simultaneous enrollment or service requests Hardware protection of private keys these devices behave like smart cards in that they do not allow the private keys to be copied or removed from the hardware token This is important if you are concerne...

Page 310: ...Certificates Step 2 Update the Configuration Step 1 Get the Required SSL Server Certificates You must first request and install the required number of SSL server certificates for the particular CS instance For instructions see Consideration When Getting New Certificates for the Subsystems on page 303 Once you have installed the certificates you should be able to see them in the list of SSL server ...

Page 311: ... directory If you want the Certificate Manager to use another certificate for authenticating to the publishing directory you can do so This section provides instructions for requesting and installing an SSL client certificate for a Certificate Manager and configuring it to use that certificate for SSL client authentication to the publishing directory 1 Log in the CS console see Logging Into the CS...

Page 312: ... instance_id where instance_id identifies the CS instance in which the Certificate Manager is installed 9 After you ve installed the certificate successfully go to the Tasks tab and stop the Certificate Manager 10 Configure the Certificate Manager to use this certificate After you install the certificate configure the Certificate Manager to use the new certificate for SSL client authentication to ...

Page 313: ...tion is the process of allowing access to certain tasks associated with Red Hat Certificate System CS The authorization model is very flexible allowing you to configure it to your needs In order to authorize users you create users in CS These users are specific to the subsystem in which you create them each subsystem has its own set of users independent of any other subsystem you may have installe...

Page 314: ... one stored in the database With certificate based authentication the server also checks that the certificate is valid and finds the group membership of the user by associating the DN of the certificate with a user and determining the user s group membership With password based authentication the server checks the password against the user ID and then finds the group membership of the user by asso...

Page 315: ...tor and adding them to the group called Administrators every member of this group has administrative privileges for this instance of CS At least one administrator must be defined for each CS instance there is no limit to the number of administrators an instance can have You specify the user ID and password of the first administrator during installation Authentication of Administrators Administrato...

Page 316: ...wn agents whose role is defined by the subsystem Each subsystem installed in a CS instance must have at least one agent and there is no limit to the number of agents a subsystem can have Authentication of Agents CS identifies and authenticates a user with agent privileges by checking the user s SSL client certificate in its internal database See Agent Certificates on page 324 For information on ob...

Page 317: ...usted Relationships The Registration Manager and Certificate Manager can function as a trusted manager the Data Recovery Manager and Online Certificate Status Manager cannot function as a trusted manager The following trusted relationships can be created A Registration Manager or a Certificate Manager as a trusted manager to a Certificate Manager This would usually be a Registration Manager but a ...

Page 318: ... create any user and assign them to any group There is also an automated process for creating an agent See Setting up Agents Using the Automated Process on page 320 for information about this process To set up a trusted manager see Setting Up a Trusted Manager on page 321 The process for setting up trusted managers varies somewhat from this process To create a CS user and assign them to a group 1 ...

Page 319: ...on page 319 for details about storing a user s certificate Storing a User s Certificate To store the certificate of a user 1 Log in to the CS console see Logging Into the CS Console on page 239 2 In the navigation tree select Users and Groups The Users tab appears 3 In the Users tab click Certificates The Manage User Certificates dialog opens 4 Click Import The Import Certificate dialog opens 5 Cl...

Page 320: ...ote This process will not work if you create a custom agents group If you want to test this feature follow these steps 1 Have the agent access the end entity interface 2 In the Enrollment tab under Browser they select Manual 3 In the enrollment form that appears have the agent enter the data and submit the request 4 You then access the Certificate Manager Agent Services interface 5 Click List Requ...

Page 321: ... a subsystem a trusted manager when the subsystem gets its certificate Once the subsystem has been designated a trusted manager in the certificate request and the request has been approved the Certificate Manager automatically creates a user ID for the subsystem adds this user ID to the Trusted Managers group copies the certificate to the database and associates the certificate with the subsystem ...

Page 322: ... information as appropriate The information you enter here is to help you keep track of the Registration Manager or Certificate Manager the subsystem never uses it The subsystem relies solely on the Registration Manager s signing certificate or Certificate Manager s SSL client certificate for authentication User ID Type the Registration Manager s or Certificate Manager s instance ID The ID can be ...

Page 323: ...ilize the agent port to communicate with the subsystem Note that during the installation of a Certificate Manager you were prompted to specify the host name and port number of the Data Recovery Manager to which the Certificate Manager will be connected If you specified this information the connection has already been made you do not need to perform the rest of this procedure 11 Log in to the CS co...

Page 324: ...sed to sign all requests made by the agent This section details the procedure for getting agent certificates and turning on the revocation status checking of agents certificates There is a special form for an administrator to get the first agent certificate from CS for the Certificate Manager administrator set up during installation to be able to access the agent s services interface See First Age...

Page 325: ... the Administrator Agent Certificate Enrollment form Authentication Information User ID Type the ID you entered for the CS administrator during installation Password Type the password you specified for the CS administrator during installation Subject Name The subject name is the distinguished name DN that identifies the certified owner of the certificate Full name Type the name of the administrato...

Page 326: ...rtificate allows you to access the Agent Services pages Important After you submit the initial Administrative Enrollment form and the certificate is issued the form is no longer available from the administration port If something goes wrong and you are unable to obtain the administrator agent certificate you must reset a parameter in the configuration file to make the initial administrative enroll...

Page 327: ...he certificate from the public CA have them import the certificate into the web browser used to access the subsystem It is a good idea to ask the user to inform you that the certificate has been installed 3 Ask the user to send you the certificate information sent by the public CA In the information that you receive locate the user s certificate in base 64 encoded form You can also get the user s ...

Page 328: ...icy checks the server automatically issues the client certificate to the user 3 When the user receives the certificate the user must import the certificate into the web browser they will use to access the subsystem It is a good idea to ask the user to inform you that the certificate has been installed After the user imports the certificate into the web browser you need to copy the certificate in b...

Page 329: ...checking and if it should at what interval Note that the revocation status verification works for only those agent certificates that have been issued by the Certificate Manager and not by any third party CAs To configure a Certificate Manager or Registration Manager to verify the revocation status of its agents certificates 1 Stop the CS instance see Starting Stopping and Restarting CS Instances o...

Page 330: ...pecifies whether revocation checking is enabled or disabled To enable the feature enter true to disable the feature enter false By default the feature is enabled revocationChecking unknownStateInterval The default interval is 0 seconds revocationChecking validityInterval Specifies how long in seconds the cached certificates are considered valid Be judicious when choosing the interval especially wh...

Page 331: ... User Information dialog opens 4 Make the appropriate modifications 5 Click OK You are returned to the Users tab 6 Click Refresh to view the updated configuration Changing a CS User s Certificate To change a CS user s certificate 1 Log in to the CS console see Logging Into the CS Console on page 239 2 In the navigation tree select Users and Groups The Users tab appears in the right pane 3 In the U...

Page 332: ...ne user entry To change a group s members 1 Log in to the CS console see Logging Into the CS Console on page 239 2 In the navigation tree select Users and Groups The Users tab appears in the right pane 3 Click the Groups tab 4 In the Group Name list select the group you want to change and click Edit The Edit Group Information dialog opens 5 Make the appropriate changes To change the group descript...

Page 333: ...ppears in the right pane 3 In the User ID list select the user you want to delete and click Delete 4 When prompted confirm your action If you click YES the user entry is deleted from the internal database Creating a New Group To create a new group 1 Log in to the CS console for CS instance see Logging Into the CS Console on page 239 2 In the navigation tree select Users and Groups 3 Select the Gro...

Page 334: ...an define additional operations to a ACL or additional sets of operations by adding this checking to that resource using the CS SDK Access Control Instructions ACIs The ACL contains Access Control Instructions ACIs which specifically allow or deny operations such as read or modify for this set of operations The ACI also contains an evaluator expression The default implementation of ACLs specifies ...

Page 335: ...rators are separated with a comma with no space on either side For example allow read modify group Administrators An ACI can have more than one group user or IP address by separating them with two pipe symbols with a space on either side For example allow read group Administrators group Auditors In the CS console interface you create or modify ACIs in an editor that allows you to do this in a grap...

Page 336: ...him to be able to change some resource Since you do want to allow the Administrators group access to this resource you could specifically deny access to BrianC by creating an ACI that denies this user access Operations When you are creating an ACI you specify the operation that this ACI is allowing or denying To allow or deny access to more than one operator in a single ACI select the first operat...

Page 337: ...not permitted ipaddress ipaddress to specify that any IP address except for the IP address specified is to be allowed or denied access to the operation specified An IP address is specified using its numeric value DNS values are not permitted For example ipaddress 12 33 45 99 ipaddress 23 99 09 88 Stringing Values You can create a string with more than one value You do this by separating each value...

Page 338: ...description of this ACL You can change the text in this field 4 To delete an ACI select it in the ACI Entries list and click Delete 5 To add an ACI click Add in the ACI Entries field The ACI Editor opens To create the ACI a Select Allow or Deny from the Access field to allow or deny the operation specified in this ACI to the group s user s or IP address es specified For more information about allo...

Page 339: ...Click OK 7 Click Refresh when you are done ACL Reference This section lists all ACL resources defined for all subsystems describes what each resource controls lists the possible operations describing the outcome of those operations and provides the default ACIs for each ACL resource defined Each subsystem you install will contain only those ACLs that are relevant to that subsystem certServer acl c...

Page 340: ...ntry is associated with the CA administration interface and is ONLY available during the setup configuration of the target of evaluation TOE it is unavailable after the CA is up and running Allow or deny submit read or execute operations for an administrator enrollment request Operations Default ACIs allow submit user anybody allow read execute group Certificate Manager Agents Anyone can submit an...

Page 341: ...icates in the agents services interface Operations Default ACIs allow import unrevoke revoke read group Certificate Manager Agents Certificate Manager Agents can import unrevoke revoke and read a certificate read Viewing authentication plug ins authentication type configured authentication manager plug ins and authentication instances Listing authentication manager plug ins and authentication mana...

Page 342: ...on only administrators are allowed to modify CA configuration revoke Revoking certificates or approving certificate revocation requests list Listing certificates based on a search Retrieving details about a range of certificates based on providing a range of serial numbers read Viewing CRL plug in information general CA configuration CA connector configuration CRL Issuing Points configuration CRL ...

Page 343: ...ned CA Operations Default ACIs allow submit group Certificate Manager Agents Trusted Manager can submit requests to this interface certServer ca crl Allow or deny a read or update operation for CRLs in the agent services interface Operations Default ACIs allow read update group Certificate Manager Agents Certificate Manager agents can read or update CRLs submit Submitting requests from remote trus...

Page 344: ...ault ACIs allow add group Administrators Only administrators are allowed to add group certServer ca ocsp Allow or deny a read operation for OCSP information in the agent services interface Operations Default ACIs allow read group Certificate Manager Agents Only Certificate Manager Agents can read OCSP usage statistics certServer ca profiles Allow or deny a list operation for certificate profiles i...

Page 345: ...te Manager Agents Certificate Manager agents can view and approve certificate profiles certServer ca requests Allow or deny a list operation for requests in the agents services interface Operations Default ACIs allow list group Certificate Manager Agents Only Certificate Manager Agents can list requests certServer ca request enrollment Allow or deny a submit read execute assign or unassign operati...

Page 346: ...ult ACIs allow approve read group Certificate Manager Agents Only Certificate Manager agents can view or modify the approval state of certificate profile based requests certServer ca systemstatus Allow or deny an approve or read operation from viewing statistics submit Submitting an enrollment request read Viewing an enrollment request execute Modifying the approval state of a request assign Assig...

Page 347: ...ver ee certificates Allow or deny a revoke or list operation in the end entity interface Operations Default ACIs allow revoke list user anybody Anyone can revoke and list certificates read Viewing statistics renew Submitting a certificate for a renewal of an existing certificate revoke Submitting a revocation for a user s own certificate read Retrieving and viewing certificates based on certificat...

Page 348: ...rface Operations Default ACIs allow read add user anybody Anyone can add or read a CRL certServer ee profile Allow or deny a submit or read operation for certificate profiles in the end entity interface Operations Default ACIs allow submit read user anybody Anyone can read and submit certificate profiles download Downloading the CA s certificate chain read Viewing the CA s certificate chain read R...

Page 349: ...face enrollment pages Operations Default ACIs allow read user anybody Anyone can read face to face enrollment page certServer ee request enrollment Allow or deny a submit operation for certificate enrollment in the end entity interface Operations Default ACIs allow submit user anybody Anyone can submit an enrollment request certServer ee request facetofaceenrollment Allow or deny to submit face to...

Page 350: ...ients can submit OCSP requests certServer ee request revocation Allow or deny a submit operation for certificate revocation requests in the end entity interface Operations Default ACIs allow submit user anybody Anyone can submit a revocation request certServer ee requestStatus Allow or deny a read operation for the request status available from the end entity interface submit Submiting face to fac...

Page 351: ...obs configuration read Retrieving the status of a request and serial numbers of any certificates that have been issued against that request read Viewing operating environment LDAP configuration SMTP configuration server statistics encryption token names subject name of certificates certificate nicknames all subsystems that have been loaded by the server get CA certificates and get all certificates...

Page 352: ...ators are allowed to modify job configuration certServer kra certificate transport Allow or deny a read operation to display the key transport certificate Operations Default ACIs allow read user anybody Anyone can view the key transport certificate certServer kra configuration Allow or deny a read or modify operation to the Data Recovery Manager configuration read Viewing basic job settings job in...

Page 353: ...allowed to modify Data Recovery Manager configuration certServer kra connector Allow or deny to submit requests Operations Default ACIs allow submit group Trusted Managers Only Trusted Managers can submit requests certServer kra key Allow or deny a read recover or download operation for the Data Recovery Manager read Viewing automatic key recovery automatic configuration key recovery archive confi...

Page 354: ... or deny a read operation for a Data Recovery Manager request Operations Default ACIs allow read group Data Recovery Manager Agents Data Recovery Manager Agents can read requests certServer kra requests Allow or deny a list operation for a Data Recovery Manager request read Displaying a key recovery request recover Indicating that a Data Recovery Manager has approved the key recovery Finalizing a ...

Page 355: ...Manager Agents can get the status of key archival requests certServer kra systemstatus Allow or deny a read operation to display the system status of a Data Recovery Manager Operations Default ACIs allow read group Data Recovery Manager Agents Only Data Recovery Manager agents can read system status certServer log configuration Allow or deny a read or modify operation to the log configuration list...

Page 356: ...irationTime parameter of a log instance Operations Default ACIs allow read group Administrators group Auditors group Certificate Manager Agents group Registration Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents deny modify user anybody Administrators auditors and agents can read the value of the expirationTime parameter no one is allowed to modify t...

Page 357: ...SignedAudit Allow or deny a read operation to the signed audit log Operations Default ACIs deny read group Administrators group Certificate Manager Agents group Registration Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents Only an auditor is allowed to view the audit log Note All other groups need to be specifically denied access to this log since th...

Page 358: ...nager Operations Default ACIs allow add group Online Certificate Status Manager Agents Online Certificate Status Manager agents can add Certificate Authority certServer ocsp cas Allow or deny a list operation for listing the CAs that publish to an Online Certificate Status Manager responder Operations Default ACIs allow list group Online Certificate Status Manager Agents Online Certificate Status ...

Page 359: ...Manager Agents group Registration Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents group Auditors allow modify group Administrators Administrators Agents and auditors are allowed to read OCSP configuration only administrators are allowed to modify OCSP configuration certServer ocsp crl Allow or deny an add operation for posting CRL to an OCSP validat...

Page 360: ...nts group Data Recovery Manager Agents group Online Certificate Status Manager Agents group Auditors allow modify group Administrators Administrators agents and auditors are allowed to read policy configuration only administrators are allowed to modify policy configuration certServer profile configuration Allow or deny a read or modify operation to the certificate profile configuration add Submitt...

Page 361: ...icate profile output certificate profile input configuration certificate profile output configuration default configuration policy constraints configuration and certificate profile instance configuration Listing certificate profile plug ins and certificate profile instances modify Adding modifying and deleting certificate profile defaults and constraints certificate profile input certificate profi...

Page 362: ...r Agents group Online Certificate Status Manager Agents group Auditors allow modify group Administrators Administrators auditors and agents are allowed to read RA configuration only administrators are allowed to modify RA configuration certServer ra certificate Allow or deny an import unrevoke revoke or read operation concerning certificates in the agent services interface of a Registration Manage...

Page 363: ...llow or deny to read face to face enrollment page Operations Default ACIs allow enable disable group Registration Manager Agents Registration Manager Agents may enable disable face to face enrollment import Retrieving a certificate by serial number unrevoke Removing the revoked status from a certificate revoke Revoking certificates or approving certificate revocation requests read Retrieving certi...

Page 364: ... adding groups Operations Default ACIs allow add group Administrators Only administrators are allowed to add group certServer ra profile Allow or deny a read or approve operation to certificate profiles in the agent services interface of a Registration Manager Operations Default ACIs allow read approve group Registration Manager Agents Registration Manager agents can read and approve certificate p...

Page 365: ...ns Default ACIs allow submit user anybody allow read execute assign unassign group Registration Manager Agents Anyone can submit an enrollment request only Registration Manager Agents can read or execute requests certServer ra request profile Allow or deny an approve or read operation to a certificate profile based request in the agent services interface of a Registration Manager list Displaying a...

Page 366: ...ration registry the file that is used to register plug in modules Currently only used to register certificate profile plug ins Operations Default ACIs allow read group Administrators group Certificate Manager Agents group Registration Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents group Auditors allow modify group Administrators Administrators audi...

Page 367: ...ead group Administrators group Auditors group Certificate Manager Agents group Registration Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents allow modify group Administrators Administrators auditors and agents are allowed to read user and group configuration only administrators are allowed to modify user and group configuration read Providing statist...

Page 368: ...ACL Reference 368 Red Hat Certificate System Administrator s Guide September 2005 ...

Page 369: ...ent Automated Enrollment Agent Initiated End User Enrollment Certificate Based Enrollment Issuing and Managing Server Certificates CEP Enrollment Testing Your Enrollment Setup Managing Authentication Plug ins Generating Files Required By Third Party Object Signing Tools Enrollment Overview The process of enrolling end entities involves the end entity submitting a request or an agent submitting the...

Page 370: ...using the CS SDK You configure authentication in the subsystem that actually processes end entity requests If you have set up a Registration Manager to process requests you configure authentication in that Registration Manager The Registration Manager does all of the authentication processing The Registration Manager then sends a signed request to the Certificate Manager via a trusted connection T...

Page 371: ...nd entity submits the request along with whatever information is needed to authenticate the user Upon successful authentication of the user the request is then processed without being sent to the agent s queue If the request passes the policy or certificate profile configuration of the Certificate Manager the request is processed and the certificate is issued If the subsystem where the request is ...

Page 372: ...configured intervals before the expiration of their current certificate See Chapter 14 Automated Jobs for details Dual Key Pairs Dual key pairs are a set of two private and public keys where one set is used for signing and one for encryption CS supports dual key pairs allowing you to create them during enrollment and allowing you to create two certificates one for the signing key and one for the e...

Page 373: ...To set up agent approved enrollment you do the following Set any policies for certificate extensions or for constraints on certificates see Chapter 12 Policies for information about policies Alternatively you can enroll users through the certificate profile functionality specifying agent approved enrollment and setting policies for specific certificates in the certificate profile see Chapter 11 Ce...

Page 374: ...This plug in is enabled by default and has no parameters This plug in can only be used in the certificate profile framework You can associate this automated authentication method with the certificate profile for enrolling for server certificates You cannot use this plug in outside the certificate profile framework You can create custom plug in modules for other methods of authentication using the ...

Page 375: ... with a third party tool Setting Up the UidPwdDirAuth or UdnPwdDirAuth Authentication To set up one of these two methods of authentication 1 In the CS window of the Certificate Manager or Registration Manager that processes certificate requests select the Configuration tab 2 Select Authentication in the navigation tree The right pane shows the Authentication Instance tab listing currently configur...

Page 376: ...ory You could develop a policy plug in that adds users pictures to their certificates as extensions Entering values for this parameter is optional ldap ldapconn host Specifies the fully qualified DNS host name of the authentication directory ldap ldapconn port Specifies the TCP IP port on which the authentication directory listens to requests from CS ldap ldapconn secureConn Specifies the type SSL...

Page 377: ... can enroll users through the certificate profile functionality setting policies for specific certificates in the certificate profile see Chapter 11 Certificate Profiles for information about policies Create an instance of the UidPwdPinDirAuth Authentication plug in module and configure the instance See Setting Up the UidPwdPinDirAuth Authentication on page 379 for details Customize the HTML enrol...

Page 378: ...changes Typically you will need to update the Directory Server s host name Directory Manager s bind password and PIN manager s password 4 Run the setpin command with its optfile option pointing to the setpin conf file setpin optfile setpin conf The tool modifies the schema with a new attribute by default pin and a new object class by default pinPerson creates a pinmanager user and sets the ACI to ...

Page 379: ...anager to check the master directory before issuing the certificate If the Registration Manager uses a Directory Server replica to authenticate users and the user successfully authenticates to a replica that still contains the pin the Certificate Manager will reject the request when this policy is enabled since the Certificate Manager checks the master directory in which the pin has been removed S...

Page 380: ...ctAltNameExt on page 535 Entering values for this parameter is optional ldapByteAttributes Specifies the list of LDAP byte binary attributes that should be considered authentic for the end entity If specified the values corresponding to these attributes will be copied from the authentication directory into the authentication token for use by other modules that is values retrieved from this paramet...

Page 381: ...gured to correctly map the certificate to a DN in the directory This is needed for PIN removal only ldap ldapauth authtype Specifies the authentication type basic authentication or SSL client authentication required in order to remove PINs from the authentication directory BasicAuth specifies basic authentication If you choose this option be sure to enter the correct values for ldap ldapauth bindD...

Page 382: ...on eliminating the need for users to use separate forms to register for an online service and to request a certificate the module enables deployment of certificates along with registration in an LDAP compliant directory Verifies the uniqueness of the new user s chosen user name against an LDAP compliant user directory and uses the user name as the only authentication token required to obtain a cer...

Page 383: ...tion on customizing the enrollment forms see the CS Customization Guide In the case of certificate profile based enrollments customize the enrollment forms by configuring the inputs in the certificate profile Make sure you include the information that will be needed by the plug in to authenticate the user If the default inputs do not contain all of the information that needs to be collected you ca...

Page 384: ...rectory password Specifies the password associated with the DN specified by the ldap ldapauthbindDN parameter when you save your changes the server stores the password in the single sign on password cache and uses it for subsequent start ups ldap ldapauth clientCertNickname Specifies the nickname name of the certificate to be used for SSL client authentication to the authentication directory in or...

Page 385: ...nd then send the signed request to the Certificate Manager When this method is setup the Certificate Manager will automatically issue certificates when a valid request signed with the agent certificate is received The CMCAuth authentication plug in also activates CMC Revoke CMC Revoke allows you to set up your own revocation client sign the certificate request with your agent certificate and then ...

Page 386: ...ect Authentication Plug in Implementation window appears 4 Select the CMCAuth plug in module 5 Click Next The Authentication Instance Editor window appears 6 If you don t want to use the default instance name in the Authentication Instance ID field type a unique name for this instance that will help you identify it If you chose to use a different name be sure to edit the default name in the enroll...

Page 387: ... interface of a Certificate Manager 1 Go to the directory server root cert instance web apps ee ra 2 Open the file CMCEnrollment html 3 Find the following line form method post action enrollment onSubmit return validate document forms 0 4 Add the following line below the line you just found input type hidden name authenticator value CMCAuth To enable the CMC Enrollment form for the end entity inte...

Page 388: ...le p certificate_DB_passwd For example if the input file created in step 3 is called request34 txt your agent s certificate is stored in the directory netscape certs the certificate common name of your agent s certificate for this CA is CertificateManagerAgentsCert and your password for the certificate database is 1234pass the command would look as follows CMCEnroll d netscape certs n CertificateM...

Page 389: ...er goes to the Registration Manager agent who then processes the enrollment request The Registration Manager agent authenticates the user through some physical means such as a passport or drivers licence and then the agent fills in the enrollment form for the end user and processes the request This method of enrollment is called agent initiated end user enrollment face to face enrollment or in per...

Page 390: ...nitialize hardware tokens in bulk and preload them with dual certificates issued by CS for dual key pairs You generate these certificates with some generic looking common names for example hardwaretoken1234 This way there s no one to one relation between users and the hardware tokens initially Once the tokens are ready you make them available to users by some means Basically a user can get and use...

Page 391: ... the CA that has issued the certificate the user uses for authentication uses the configured directory to formulate the subject name for the new certificate and issues the certificate CertBasedSingleEnroll html this form is provided as a sample It enables end users to request signing certificates by submitting pre issued certificates as authentication tokens when a user enrolls for a certificate t...

Page 392: ...be sure to take a look at the default certificate based enrollment forms Also check the customizing related information for the enrollment forms in CS Customization Guide Issuing and Managing Server Certificates CS can issue SSL server certificates to servers Servers use these certificates to authenticate themselves to other servers and end users and to encrypt data In order to issue SSL server ce...

Page 393: ...ee ValidityConstraints on page 487 To be valid beyond its expiration date it must be renewed Otherwise the certificate becomes invalid and the entity owning the certificate will no longer be able to use it Also the expired certificate will take up space in your publishing directory and in the internal database of CS CS allows server administrators to renew their certificates by using the server en...

Page 394: ...port you want to use either of the following URL http CA s_hostname end_entity_port enrollment or https CA s_hostname end_entity_SSL_port enrollment Note that the request submitted to the CA s URL gets queued for approval by the Certificate Manager agent To submit the server certificate request to CS manually 1 Open a web browser window 2 Go to the End Entity Services interface of the Certificate ...

Page 395: ...encryption For an overview of certificate authority support for IPSec see the information available at this URL http www cisco com warp public cc cisco mkt security encryp prodlit 821_pp htm You can issue certificates to routers and CEP compliant Virtual Private Network VPN clients using CS Routers use certificates to authenticate each other and to establish an encrypted IPSec channel between them...

Page 396: ...ile and register and configure the plug in See Authentication Token File on page 396 and Setting Up the CEP Plug In on page 397 Authentication Token File You create a text file with CEP enrollee information that is used by the plug in to authenticate the entity The format of the authentication token file is as follows attribute value attribute value attribute value attribute value Each enrolling u...

Page 397: ...to do to it 2 Register the plug in the CS authentication framework See the CS SDK for details on registering plug ins 3 Register the plug in in the CS console See Managing Authentication Plug ins on page 407 for instructions 4 Create an instance of the plug in and configure it a In the CS window of the Certificate Manager or Registration Manager that processes certificate requests select the Confi...

Page 398: ... the authentication token file The list of attributes you specify here must be contained in the authentication token file and they must be present in the request The plugin then verifies the attributes provided in the request against those contained in the authentication token file Your choices for this value are UNSTRUCTUREDNAME UNSTRUCTUREDADDRESS and SERIALNUMBER authAttributes Specifies a comm...

Page 399: ...s in the configuration file auths instance flatfile_router fileName full_path_to_the_authentication_file auths instance flatfile_router authAttributes pwd auths instance flatfile_router keyAttributes UNSTRUCTUREDNAME auths instance flatfile_router pluginName flatfile auths instance flatfile_router deferOnFailure true VPN authentication parameters in the configuration file auths instance flatfile_V...

Page 400: ...rectory documentation for instructions on changing the schema The Directory Server port must be 389 To find out the port number assigned to Directory Server check it s configuration file which is at server_root slapd slapd oc conf Alternatively you can also find and change the port number from Red Hat Console You will need publish certificates and CRLs to the same tree in the directory you may cus...

Page 401: ...the DN component appended to the DN the router requests You must have a constant component in the DN which exists in the certificate to be able to publish createEntry Specifies whether to create an entry in the directory before publishing the certificate Note that to publish a certificate an entry must already exist for the DN in the directory Enter true if you want the Certificate Manager to crea...

Page 402: ...ter Based on that information determine the signing algorithm and the key length for the certificate you want to request 3 Find out the password that enables you to access the router in privileged mode 4 In your router documentation locate instructions for requesting certificates You will be required to run the appropriate commands using this documentation 5 Generate the Key Pair for the Router Ru...

Page 403: ...clude the router s serial number in the request If you choose to include the serial number it will be included in the certificate s subject name Whether you want to include the router s IP address in the request If you choose to include the IP address it will be included in the certificate s subject name 9 If the CA to which the router submitted the request employs automatic enrollment or authenti...

Page 404: ...odulus greater than 512 may take a few minutes How many bits in the modulus 512 Generating RSA keys OK router config crypto ca identity test ca router ca identity enrollment url http ca hostname domain com cgi bin pkiclient exe router ca identity exit router config crypto ca authenticate test ca Certificate has the following attributes Fingerprint 24D34656 EB830C39 DD9E8179 0A4EBA98 Do you accept ...

Page 405: ... Name Name redhat mcom com IP Address 208 12 63 193 Serial Number 08342063 Status Pending Key Usage General Purpose Fingerprint 91D70D7F D8BF0DFA E13F00B0 6EA706A0 00000000 Testing Your Enrollment Setup This section provides a procedure for testing your enrollment setup in the legacy enrollment If you want to do it through profiles please read the instructions in Chapter 11 Certificate Profiles To...

Page 406: ...irectory For example you can point your browser to the portal directory and find out if an entry for the user for whom you requested the certificate exists In the URL field type ldap hostname port base_dn sub uid user_id substituting hostname with the fully qualified host name of the Directory Server port_number with the port number at which the Directory Server is listening to authentication requ...

Page 407: ...r The Register Authentication Plug in Implementation window appears 6 Specify which module you want to register Plugin name Type a name for the module Class name Type the full name of the class for this module that is the path to the implementing Java class If this class is part of a package be sure to include the package name For example if you are registering a class named customAuth and if this...

Page 408: ...the filename to the directory in which you want the private key file created for example C myKey PVK Be sure to use the PVK extension and to enclose the path in double quotes 7 Optionally you may further edit the form to include a text field for entering the file path 8 Save your changes 9 Now use the form to issue an object signing certificate If your users need to generate Software Publishing Fi...

Page 409: ...he marker lines BEGIN CERTIFICATE and END CERTIFICATE to the file 7 Convert the text based certificate to its DER encoded format using the ASCII to Binary tool explained in CS Command Line Tools Guide For example the command server_root bin cert tools AtoB cert b64 cert der converts the base 64 encoded certificate in the cert b64 file to its DER encoded format and writes the DER encoded certificat...

Page 410: ...Generating Files Required By Third Party Object Signing Tools 410 Red Hat Certificate System Administrator s Guide September 2005 ...

Page 411: ... content that can be contained in this type of certificate and the contents of the input and output forms associated with the certificate profile Enrollments requests are submitted to a particular certificate profile and are then subject to the defaults and constraints set up in that certificate profile whether the request is submitted via the input form associated with the certificate profile or ...

Page 412: ... create other certificate profiles either for other types of certificates or for creating more than one certificate profile for a type of certificate You might create more than one certificate profile for a particular type of certificate when you want to issue the same type of certificate with either a different authentication method or different definitions for the defaults and constraints For ex...

Page 413: ...ars containing an enrollment form specific to that certificate profile The enrollment page for this certificate profile in the end entity interface is dynamically generated from the inputs defined for this certificate profile If an authentication plug in is configured additional fields may be added that are needed to authenticate the user with that authentication method When the end entity submits...

Page 414: ...h the Registration Manager and the Certificate Manager should have the same certificate profile implemented with the same policies The profile in the Certificate Manager will have the final authority Setting Up Certificate Profiles You set up certificate profiles by configuring the existing certificate profiles deleting an existing certificate profile or adding another certificate profile and conf...

Page 415: ...ew ones using the CS SDK Modifying a Certificate Profile Note that you cannot edit any certificate profile that has been approved by an agent The agent must disapprove or disable the certificate profile before the administrator can edit that certificate profile To add a certificate profile and modify an existing or new certificate profile 1 Log in to the CS window See Logging Into the CS Console o...

Page 416: ... Certificate Manager or Registration Authority Enrollment Profile if this is a Registration Manager c Click Next The Certificate Profile Instances window appears d Fill in the following fields in this window Certificate Profile Instance ID Specify the instance ID of the certificate profile This name or number will be used by the system to identify the instance Certificate Profile Name Specify a na...

Page 417: ... allowing a signed request to be processed through the Certificate Manager s Certificate Profile framework rather than through the input page for this certificate profile Certificate Profile Authentication Specify the authentication method Specify an automated authentication by providing the instance ID for the authentication instance that will be used If this field is left blank the request is au...

Page 418: ...nstance Certificate Profile Description Provide a description to identify the use of this certificate profile End User Certificate Profile Specifies whether or not the request must be made to the input form associated with this certificate profile Generally you will set this to true If you have set up a Registration Manager you will set this to false in the certificate profile you set up in the Ce...

Page 419: ...the request queue of the agent services interface Policies Tab See Step 8 Input Tab See Step 9 Output Tab See Step 10 8 Set up Policies in the Policies tab of the Certificate Profile Rule Editor window The policies tab lists policies that have been set up for this certificate profile To add a policy a Click Add The Certificate Profile Policy Editor window appears b Choose the default you want to a...

Page 420: ...te sets to define the policies associated with each certificate Certificate Profile Policy ID Type a name or identifier for this certificate profile policy d Configure any parameters in the Default or Constraint tab See Defaults Reference on page 428 and Constraints Reference on page 453 for complete details for each default or constraint e Click Ok To modify an existing policy a Select a policy a...

Page 421: ...lts tab to change the value of a parameter Change the values in the Constraints tab to change the value of the constraint applied to this policy Some values can be edited by clicking into the value field and changing the entry others have pull down menus associated with them where you can pick the values available from the pull down menu See Defaults Reference on page 428 and Constraints Reference...

Page 422: ...tab You can edit it to provide values to the parameters in this input To delete an input a Select the input b Click delete 10 Set up outputs in the Outputs tab of the Certificate Profile Rule Editor window You need to set up outputs for any certificate profile that uses an automated authentication method you do not need to set up outputs for any certificate profile that uses an agent approved auth...

Page 423: ...tificates that are usually issued by a RA and a CA All certificate profiles are installed with a CA only those certificate profiles beginning with ra are installed with and RA The default certificate profiles include the following caUserCert Configured for end user enrollments in a Certificate Manager caDualCert Configured for enrollments for dual key pairs in a Certificate Manager Two keys will b...

Page 424: ... Configured for enrollments for server certificates allowing for automatic issuance of the server certificate with the validation of an agent s certificate in a Certificate Manager raUserCert Configured for end user enrollments When installed in an RA the value of the End User Certificate Profile field is set to true when installed in a CA the value of the End User Certificate Profile field is set...

Page 425: ...Certificate Profile field is set to false In a CA you set this certificate profile up to match the certificate profile set up in the RA the value of the End User Certificate Profile needs to be set to false in order for the CA to be able to accept the request from somewhere other than the certificate profile enrollment form raRACert Configured for enrollments for an RA signing certificate When ins...

Page 426: ...ate request type of the request they are submitting from the drop down menu The choices include PKCS 10 CRMF and CMC Certificate Request This field allows the user to paste a request into the supplied input field Dual Key Generation Input The Dual Key Geneneration Input input is used for enrollments in which dual key pairs will be generated and thus two certificates issued one for the signing cert...

Page 427: ...ficate This input puts the following fields into the enrollment form UID This field is for the user ID of this user as specified for this user in the LDAP directory Email This field is for entering the email address of the user Common Name This field is for entering the name of the user Organizational Unit This field is for entering the organizational unit to which the user belongs Organization Th...

Page 428: ...uest id in the end entity interface there is no output page associated with agent approved enrollment Defaults Reference Defaults are used to define the contents of a certificate and the values associated with that content This section lists the pre built defaults with complete definitions of each Authority Info Access Extension Default This default populates the Authority Info Access extension Th...

Page 429: ...1 5 5 7 48 2 renewal or 2 16 840 1 113730 16 1 LocationType_ n Specifies the general name type for the location that contains additional information about the CA that has issued the certificate in which this extension appears Select one of the following types from the drop down menu DirectoryName DNSName EDIPartyName IPAddress OID RFC822Name or URI Location_ n Specifies the address or location to ...

Page 430: ...address with netmask is separated by a comma FOr Example 0 0 0 0 0 0 13 1 68 3 and FF01 43 and 0 0 0 0 0 0 13 1 68 3 FFFF FFFF FFFF FFFF FFFF FFFF 255 255 255 0 and FF01 43 FFFF FFFF FFFF FFFF FFFF FFFF FF0 0 0000 If you selected OID the value must be a unique valid OID specified in dot separated numeric component notation For example 1 2 3 4 55 6 5 99 If you selected RFC822Name the value must be ...

Page 431: ...Specifies whether the certificate subject is a CA If you select true the server checks the PathLen parameter and sets the specified path length in the certificate If you select false the server treats the certificate subject as a non CA and ignores the value specified for the PathLen parameter PathLen Specifies the path length the maximum number of CA certificates that may be chained below subordi...

Page 432: ...s at the most n subordinate CA certificates are allowed below the subordinate CA certificate being used If you leave the field blank the path length defaults to a value that is determined by the path length set in the Basic Constraints extension in the issuer s certificate If the issuer s path length is unlimited the path length in the subordinate CA certificate will also be unlimited If the issue...

Page 433: ...te must be RelativeToIssuer Reasons_ n Specifies revocation reasons covered by the CRL maintained at the distribution point Provide a comma separated list of the following constants unused keyCompromise cACompromise affiliationChanged superseded cessationOfOperation certificateHold IssuerName_ n Specifies the name of the issuer that has signed the CRL maintained at the distribution point the name ...

Page 434: ... only IssuerType_ n Specifies the general name type of the CRL issuer that has signed the CRL maintained at distribution point Permissible values DirectoryName or URIName The value you specify for this parameter must correspond to the value in the issuerName field Select DirectoryName if the value in the issuerName field is an X 500 directory name Select URIName if the value in the issuerName fiel...

Page 435: ... Extension Constraint on page 454 Extension Constraint see Extension Constraint on page 454 No Constraints see No Constraint on page 456 Table 11 5 Extended Key Usage Extension Default Configuration Parameters Parameter Description Critical Select true to mark this extension critical select false to mark the extension noncritical OIDs Specifies the OID that identifies a key usage purpose Permissib...

Page 436: ...cription Critical Select true to mark this extension critical select false to mark the extension noncritical PointEnable_ n Select true to enable this point select false to disable this point PointType_ n Specifies the type of issuing point Select from DirectoryName and URIName PointName_ n If pointType is set to directoryName the value must be a string form of X 500 name similar to the subject na...

Page 437: ...e type of the CRL issuer that signed the CRL maintained at distribution point Permissible values DirectoryName or URIName The value you specify for this parameter must correspond to the value in the issuerName field Table 11 7 Key Usage Extension Default Configuration Parameters Parameter Description critical Select true to mark this extension critical select false to mark the extension noncritica...

Page 438: ...r certificates and S MIME encryption certificates Select true to set select false to not set dataEncipherment Specifies whether to set the extension when the subjects s public key is used to encipher user data as opposed to key material Select true to set select false to not set keyAgreement Specifies whether to set the extension whenever the subject s public key is used for key agreement Select t...

Page 439: ...greater than zero It specifies at the most n subtrees are allowed PermittedSubtree NameChoice_ n Specifies the general name type for the permitted subtree you want to include in the extension Permissible values RFC822Name DirectoryName DNSName EDIPartyName URIName IPAddress OIDName or OtherName PermittedSubtree NameValue_ n Specifies the general name value for the permitted subtree you want to inc...

Page 440: ...D specified in dot separated numeric component notation For example 1 2 3 4 55 6 5 99 If you selected OtherName the value must be the absolute path to the file that contains the base 64 encoded string of the subtree For example usr netscape servers ext nc othername txt PermittedSubtree Enable_ n Select true to enable this permitted subtree entry select false to disable this permitted subtree entry...

Page 441: ...you selected EDIPartyName the value must be a IA5String For example Example Corporation If you selected URIName the value must be a non relative universal resource identifier URI following the URL syntax and encoding rules The name must include both a scheme for example http and a fully qualified domain name or IP address of the host For example http testCA example com If you selected IPAddress th...

Page 442: ...he extension identifies the certificate type for example it identifies whether the certificate is a CA certificate server SSL certificate client SSL certificate object signing certificate or S MIME certificate and thus enables you to restrict the usage of a certificate to predetermined purposes If you selected OtherName the value must be the absolute path to the file that contains the base 64 enco...

Page 443: ...include this capability SSLServer Specifies that the certificate can be used by servers for authentication during SSL connections Select true to include this capability select false to not include this capability CertEmail Specifies that the certificate can be used to send secure email messages Select true to include this capability select false to not include this capability CertObjectSigning Spe...

Page 444: ... Constraint on page 456 Extension Constraint see Extension Constraint on page 454 No Constraints see No Constraint on page 456 Policy Constraints Extension Default This default populates a policy constraints extension in the certificate request The extension which can be used in CA certificates only constrains path validation in two ways either to prohibit policy mapping or to require that each ce...

Page 445: ... It specifies at the most n subordinate CA certificates are allowed in the path before an explicit policy is required Note that the number you specify affects the number of CA certificates to be used during certificate validation The chain starts with the end entity certificate being validated and moving up the chain The parameter has no effect if the extension is set in end entity certificates in...

Page 446: ...equivalent to the subjectDomainPolicy of the subject CA The issuing CA s users may accept an issuerDomainPolicy for certain applications The policy mapping tells these users which policies associated with the subject CA are equivalent to the policy they accept For general information about this extension see policyMappings on page 739 You can define the following constraints with this default Exte...

Page 447: ...ame on page 740 The standard suggests that if the certificate subject field contains an empty sequence then the subject alternative name extension must contain the subject s alternative name and that the extension be marked critical If you re using any of the directory based authentication methods you can configure CS to retrieve values for any string and byte attributes from the directory and set...

Page 448: ...ificates contains all the configured attributes You can define the following constraints with this default Extension Constraint see Extension Constraint on page 454 No Constraints see No Constraint on page 456 Table 11 15 Subject Alternative Name Extension Default Configuration Parameters Parameter Description Critical Select true to mark this extension critical select false to mark the extension ...

Page 449: ...rameters If used this extension will be included in the certificate with the public key information You can define the following constraints with this default Extension Constraint see Extension Constraint on page 454 No Constraints see No Constraint on page 456 Select DNSName if the request attribute value is a DNS name For example corpDirectory example com Select EDIPartyName if the request attri...

Page 450: ...Password The directory based authentication manager will check if the given UID and password are correct In addition the directory based authentication manager will formulate the subject name of the issuing certificate It will forms the subject name by using the dnPattern attribute and it will place the subject name into an internal data structured called AuthToken This default is responsible for ...

Page 451: ... key into the certificate request This is a required default Keys are part of the enrollment request You can define the following constraints with this default Key Constraint see Key Constraint on page 454 No Constraints see No Constraint on page 456 User Signing Algorithm Default This default implements an enrollment default policy that populates a user supplied signing algorithm into the certifi...

Page 452: ...rofile allows a user to supply the validity period subject to the constraints set No inputs are provided to add user supplied validity date to the enrollment form You can create an input for this purpose using the CS SDK You can also submit a request that contains this information You can define the following constraints with this default Validity Constraint see Validity Constraint on page 458 No ...

Page 453: ...eter select false to disallow a value of true for this parameter select to indicate no constraints are placed for this parameter PathLen Specifies the maximum allowable path length the maximum number of CA certificates that may be chained below subordinate to the subordinate CA certificate being issued Note that the path length you specify affects the number of CA certificates to be used during ce...

Page 454: ...rtificate will also be unlimited If the issuer s path length is an integer greater than zero the path length in the subordinate CA certificate will be set to a value that s one less than the issuer s path length for example if the issuer s path length is 4 the path length in the subordinate CA certificate will be set to 3 Table 11 19 Extended Key Usage Extension Constraint Configuration Parameters...

Page 455: ...certificates and object signing certificates Select true to allow this to be set select false to not allow this to be set select to indicate no constraints are placed for this parameter nonRepudiation Specifies whether some S MIME signing certificates and object signing certificates Note however that the use of this bit is controversial You should carefully consider the legal consequences of its u...

Page 456: ...allow this to be set select to indicate no constraints are placed for this parameter cRLSign Specifies whether to set the extension for CA signing certificates that are used to sign CRLs Select true to allow this to be set select false to not allow this to be set select to indicate no constraints are placed for this parameter encipherOnly Specifies whether to set the extension if the public key is...

Page 457: ...rtEmail Specifies that the certificate can be used to send secure email messages Select true to allow this capability select false to not allow this capability select to indicate no constraints are placed for this parameter CertObjectSigning Specifies that the certificate can be used for signing objects such as Java applets and plug ins Select true to allow this capability select false to not allo...

Page 458: ...e Specify any or all of the following MD2withRSA MD5withRSA SHA1withRSA Table 11 24 Subject Name Constraint Configuration Parameters Parameter Description Pattern Specifies a regular expression specified as a string all regular expression constructs listed in http java sun com j2se 1 4 1 docs api jav a util regex Pattern html are supported For example if you have the pattern of the subject name co...

Page 459: ...ints Reference Chapter 11 Certificate Profiles 459 Table 11 25 Validity Constraint Configuration Parameters Parameter Description range The range parameter is of type integer And the unit of this value is day ...

Page 460: ...Constraints Reference 460 Red Hat Certificate System Administrator s Guide September 2005 ...

Page 461: ...efault certificate enrollment feature Certificate Enrollment Profiles see Chapter 11 Certificate Profiles The policies feature will be discontinued in the future release s To enable the feature you need to copy all the files under serverRoot bin cert forms ee subsystem policyEnrollment to serverRoot cert instanceID web apps ee subsystem where subsystem is either ca or ra This chapter contains the ...

Page 462: ...ocation key archival and key recovery requests For example in the case of a certificate issuance request the outcome would be the certificate content A Certificate Manager s policy can include rules for evaluating certificate formulation signing renewal and revocation requests For example you can configure a Certificate Manager s policy to impose restrictions on validity length key type key length...

Page 463: ...range say between 6 and 24 months A subsystem s policy configuration can consist of one or more policy rules each performing one or more of the following operations Validate the request content by comparing it with configured criteria reject modify or defer for agent approval the request if any of the request parameters are invalid Build certificate content for example set common extensions and th...

Page 464: ...in Policy Rules on page 465 Note that the policy processor applies only the enabled policy rules in the order in which they are configured before determining the final outcome Each rule the processor executes returns a PolicyResult object Three return values are possible PolicyResult REJECTED indicates that the request failed the rule PolicyResult DEFERRED indicates that the request requires agent...

Page 465: ... following are sample predicates HTTP_PARAMS certType client AND HTTP_PARAMS ou Engineering HTTP_PARAMS certType server AND HTTP_PARAMS o Netscape OR HTTP_PARAMS certType ca Expression Support for Predicates You form an expression using an attribute its value and one or more of the operators listed in Table 12 1 For a list of attributes see Attributes for Predicates on page 467 Note that the expre...

Page 466: ... passwords should or shouldn t be stored in the request Note that all data related to an end entity is gathered at the servlet level and set on the request before the request is passed to the policy subsystem The policy subsystem applies configured policy rules on the request determines whether the request needs agent approval performs constraint and extension specific checks on the request attrib...

Page 467: ...service can add certain attributes to the end entity request Policy processor what the policy subsystem returns after subjecting the end entity request to policy checking For example an extension based policy can set an appropriate extension in the certificate Table 12 2 lists default attributes that are supported by various request object implementations Table 12 2 Attributes supported by request...

Page 468: ...te server SSL server certificate Enrollment doSslAuth Specifies whether the client is required to do SSL client authentication during enrollment Default values include the following on off Enrollment certauthEnroll Specifies whether it is a certificate based enrollment Default values include the following on off Enrollment certauthEnrollType Specifies the number of keys to be generated for a certi...

Page 469: ...N name attribute_name value attribute_value Enrollment cepsubstore Specifies the name of the CEP service for example cep1 and cep2 When setting up multiple CEP services you can use predicates to differentiate one service for another see CEP Enrollment on page 395 Enrollment Renewal and Revocation requestStatus Specifies when or the phase in which a request gets subjected to policy processing begin...

Page 470: ...lidity period to 180 days defined the predicate expression as HTTP_PARAMS certType client AND HTTP_PARAMS orgunit Sales This expression specifies that the policy be applied to only client certificate requests from users in the organizational unit named Sales A sample of the resulting configuration entries in the CS configuration file would be as follows ca Policy rule ValidityRule1 enable true ca ...

Page 471: ...ms of CS CS the Certificate Manager Registration Manager and Data Recovery Manager to apply certain organizational policies on end entities certificate enrollment renewal and revocation requests before servicing them This section explains how to configure a subsystem to evaluate end entity requests based on a set of policy rules Modifying Policy Rules To modify existing policy rules 1 Log in to th...

Page 472: ...y Rules Management tab select the rule you want to delete and click Delete 2 When prompted confirm the delete action The CS configuration is modified If the changes you made require you to restart the server you will be prompted accordingly Don t restart the server yet you can do so after you ve made all the required changes Adding New Policy Rules Adding a policy rule to the CS configuration invo...

Page 473: ...ropriate information 5 Click OK You are returned to the Policy Rules Management tab 6 Repeat steps 1 through 5 and create additional rules if required Reordering Policy Rules For maintaining priority levels CS supports a linear list of policy rules in increasing order of priority This means that for a given policy category in the configuration file a policy configuration with a lower priority prec...

Page 474: ... click Refresh Testing Policy Configuration To make sure that you ve configured the server correctly request a certificate and check the certificate for details such as for validity period key type and size and extensions 1 Enroll for a Certificate 2 Approve the Request 3 Check the Certificate Details Verify that the certificate contains the required details Be sure to check the Extension section ...

Page 475: ...onfigure the Certificate Manager and Registration Manager to reject a request if an LDAP attribute for example pin is not present in the enrolling user s directory entry or if the attribute does not have a specified value If you enable the policy and configure it correctly it first searches for the user under the base specified in the ldap ldapconn basedn parameter with the filter uid HTTP_PARAMS ...

Page 476: ...s on page 465 ldap ldapconn host Specifies the host name of the LDAP directory to connect to Permissible values The name must be fully qualified host name in the machine_name your_domain domain form Example corpDirectory example com ldap ldapconn port Specifies the TCP IP port at which the LDAP directory listens to requests from CS Permissible values Any valid port number The default is 389 use 63...

Page 477: ...t the ldap ldapconn secureConn parameter and set the value of the ldap ldapauth clientCertNickname parameter to the nickname of the certificate to be used for SSL client authentication ldap ldapconn basedn Specifies the base DN for searching the LDAP directory the plug in uses the value of the uid field from the HTTP input what a user enters in the enrollment from and the base DN to construct an L...

Page 478: ...ll certificate requests leave the field blank default To form a predicate expression see Using Predicates in Policy Rules on page 465 minSize Specifies the minimum length in bits for the key the length of the modulus in bits The value must be smaller than or equal to the one specified by the maxSize parameter Permissible values 512 or 1024 You may also enter a custom key size that is between 512 a...

Page 479: ...the algorithms such as RSA and DSA supported by CS In other words this policy allows you to set restrictions on the types of public keys certified by CS You may apply this policy to end entity certificate enrollment and renewal requests For example if you want your CA to certify only those public keys that comply with the PKCS 1 RSA Encryption Standard you can configure the server for that using t...

Page 480: ...o be applied to all certificate requests leave the field blank default To form a predicate expression see Using Predicates in Policy Rules on page 465 algorithms Specifies the key type the server should certify The default is RSA Permissible values RSA or RSA Table 12 7 RenewalConstraints Configuration Parameters Parameter Description enable Specifies whether the rule is enabled or disabled Select...

Page 481: ...om revoking expired certificates You may apply this policy to end entity certificate revocation requests During installation CS automatically creates an instance of the revocation constraints policy named RevocationConstraintsRule that is enabled by default Table 12 9 describes the configuration parameters of the RevocationConstraints policy Table 12 8 RenewalValidityConstraints Configuration Para...

Page 482: ...KeyConstraints policy Table 12 9 RevocationConstraints Configuration Parameters Parameter Description enable Specifies whether the rule is enabled or disabled Select to enable default deselect to disable predicate Specifies the predicate expression for this rule If you want this rule to be applied to all certificate requests leave the field blank default To form a predicate expression see Using Pr...

Page 483: ...g installation CS automatically creates an instance of the signing algorithm constraints policy named SigningAlgRule that is enabled by default minSize Specifies the minimum length in bits for the key the length of the modulus in bits The value must be smaller than or equal to the one specified by the maxSize parameter Permissible values 512 1024 2048 or 4096 You may also enter a custom key size t...

Page 484: ...nt and renewal requests During installation CS automatically creates an instance of the subordinate CA name constraints policy named SubCANameConstraints that is enabled by default Table 12 11 SigningAlgorithmConstraintsConfiguration Parameters Parameter Description enable Specifies whether the rule is enabled or disabled Select to enable default deselect to disable predicate Specifies the predica...

Page 485: ... same subject name you can do so easily using the enableKeyUsageExtensionChecking parameter defined in this policy This parameter makes the server check whether the key usages specified in the certificate request being processed is different than those specified in the existing certificates that have the same subject names and accordingly issue or deny the certificate Keep in mind that the server ...

Page 486: ...certificate request must be checked for the Key Usage extension Note that the policy can check the certificate request for the Key Usage extension only if you deselect the enablePreAgentApprovalChecking parameter The reason for this is that extensions are set on the request after agent approval so this checking can be done after an agent approves the request Select if you want the server to check ...

Page 487: ...bility to configure the value of the leadTime parameter in the policy rule allows you to prohibit end entities from requesting certificates whose validity starts too far in the future and yet allows some amount of toleration of clock skew problems For example if the current date and time is 01 15 2000 mm dd YYYY and 1 30 p m the value of the notBefore attribute is set to 3 00 p m and that the lead...

Page 488: ...ture relative to the time when the policy rule is run The notBefore attribute value specifies the date on which the certificate validity begins validity dates through the year 2049 are encoded as UTCTime dates in 2050 or later are encoded as GeneralizedTime lagTime Specifies the lag time in minutes for certificates For a certificate renewal request to pass the renewal validity constraints policy t...

Page 489: ... not understand your extension By default only noncritical extensions are added to certificates This ensures that the resulting certificates can be used with all clients If you add a critical extension the resulting certificate can only be used by clients that support that extension Additionally the server also provides a module for adding any custom ASN 1 type extensions If you determine that the...

Page 490: ...nfoAccessExt Configuration Parameters Parameter Description enable Specifies whether the rule is enabled or disabled Select to enable deselect to disable predicate Specifies the predicate expression for this rule If you want this rule to be applied to all certificate requests leave the field blank default To form a predicate expression see Using Predicates in Policy Rules on page 465 critical Spec...

Page 491: ...cation to get additional information about the CA that has issued the certificate in which this extension appears Specifying the information based on the following If you selected rfc822Name the value must be a valid Internet mail address in the local part domain format You may use upper and lower case letters in the mail address no significance is attached to the case For example ocspResponder ex...

Page 492: ...fied in dot separated numeric component notation The syntax for specifying the IP address is as follows IPv4 address must be in the n n n n format for example 128 21 39 40 IPv4 address with netmask must be in the n n n n m m m m format For example 128 21 39 40 255 255 255 00 For IP version 6 IPv6 the address should be in the form with netmask separated by a comma Examples of IPv6 addresses with no...

Page 493: ...e the field blank default To form a predicate expression see Using Predicates in Policy Rules on page 465 critical Specifies whether the extension should be marked critical or noncritical Select to mark critical deselect to mark noncritical default AltKeyIdType Specifies what should be done if the CA certificate does not have a Subject Key Identifier extension Select either of the following Select...

Page 494: ...ubordinate CA certificate being issued Note that the path length you specify affects the number of CA certificates to be used during certificate validation The chain starts with the end entity certificate being validated and moving up the chain The maxPathLen parameter has no effect if the extension is set in end entity certificates Permissible values 0 or n Make sure that the value you choose is ...

Page 495: ...ted next in this table For example it might identify the organization as Example Corporation and notice number 1 2 3 4 5 6 99 Typically applications validating the certificate will have a notice file containing the current set of notices for your company these application will interpret the number in the certificate by extracting the notice text that corresponds to the number from the file and dis...

Page 496: ...es the textual statement to be included in certificates this parameter corresponds to the explicitText field of the user notice If you want to embed a textual statement for example your company s legal notice in certificates then add that statement here The text you enter here will be displayed to a relying party when the certificate is used or viewed Note that certain applications may not have th...

Page 497: ...the time period in seconds minutes hours days or months Use the following suffixes to indicate the time unit s seconds m minutes h hours D days M months For example if you re issuing certificates with a validity period of two years and want the renewal window to begin a month before the certificates expire and want to specify the interval in months you would enter 23M in this field To specify the ...

Page 498: ...ecifies a past or future time in seconds by which the certificate must be renewed the endTime field of the extension will be set to the specified time since certificate issuance You can specify the time period in seconds minutes hours days or months Use the following suffixes to indicate the time unit s seconds m minutes h hours D days M months For example if you re issuing certificates with a val...

Page 499: ...on policy during installation If you want the server to add this extension to certificates you must create an instance of the CertificateScopeOfUseExt module and configure it Table 12 20 CertificateScopeOfUseExt Configuration Parameters Parameter Description enable Specifies whether the rule is enabled or disabled Select to enable deselect to disable predicate Specifies the predicate expression fo...

Page 500: ...Internet mail address in the local part domain format You may use upper and lower case letters in the mail address no significance is attached to the case For example webSite example com If you selected directoryName the value must be a string form of X 500 name For example CN corpDirectory OU IS O example com C US If you selected dNSName the value must be a valid domain name You may use upper and...

Page 501: ... n n n m m m m format For example 128 21 39 40 255 255 255 00 For IP version 6 IPv6 the address should be in the form with netmask separated by a comma Examples of IPv6 addresses with no netmask are 0 0 0 0 0 0 13 1 68 3 and FF01 43 Examples of IPv6 addresses with netmask are 0 0 0 0 0 0 13 1 68 3 FFFF FFFF FFFF FFFF FFFF FFFF 255 255 255 0 and FF01 43 FFFF FFFF FFFF FFFF FFFF FFFF FF00 0000 If yo...

Page 502: ...figuration parameters and you must specify appropriate values for each of those parameters otherwise the policy rule will return an error Each set of configuration parameters is distinguished by n which is an integer derived from the value you assign in this field For example if you set the numPoints parameter to 2 n would be 0 and 1 pointName n Specifies the name of the CRL distribution point the...

Page 503: ...oint Provide a comma separated list of the following constants unused keyCompromise cACompromise affiliationChanged superseded cessationOfOperation certificateHold issuerName n Specifies the name of the issuer that has signed the CRL maintained at distribution point the name can be in any of the following formats An X 500 directory name in the RFC 2253 syntax For example CN CA Central OU Research ...

Page 504: ... creates two instances of the extended key usage extension policy named CODESigningExt for object signing certificates and OCSPSigningExt for an OCSP responder certificate both are enabled by default Note that the CODESigningExt policy rule must remain enabled if you want CS to issue object signing certificates with the correct extended key usage extension Note that the OCSPSigningExt policy rule ...

Page 505: ... key usage purposes can be contained in the extension or n specifies the total number of key usage purposes to be included in the extension it must be an integer greater than zero The default value is 10 Note that for any number other than O in this field a id n field will be created for each key usage purpose you must specify a valid OID otherwise the policy rule will return an error Configuratio...

Page 506: ...ration the extnID field is defined by the oid parameter the critical field is defined by the critical parameter and the extnValue field is defined by evaluating the expression in the pattern parameter which in turn is defined by the attribute parameters See Table 12 24 on page 507 for details on individual parameters Typically the application receiving the certificate checks the extension ID to de...

Page 507: ...B0 C0 D0 E0 F0 449 30 37 SEQUENCE 451 17 13 UTCTime 000406070000Z 466 30 8 SEQUENCE 468 01 1 BOOLEAN TRUE 471 06 3 OBJECT IDENTIFIER 2 4 5 100 476 04 10 OCTET STRING 11 22 33 44 A0 B0 C0 D0 E0 F0 Table 12 24 GenericASN1Ext Configuration Parameters Parameter Description enable Specifies whether the rule is enabled or disabled Select to enable deselect to disable predicate n specifies the total numb...

Page 508: ...tribure 0 value parameters No default value is assigned to this parameter Example 012 34 attribute n type Specifies the data type for attribute n where n is an identifier assigned to identify parameters pertaining to a specific attribute The value of n can be 0 to 9 Permissible values Integer IA5String OctetString PrintableString UTCtime OID or Boolean Select Integer for extensions that have ASN 1...

Page 509: ...n where n is an identifier assigned to identify parameters pertaining to a specific attribute The value of n can be 0 to 9 Permissible values Depends on the data type and source you selected If the data type is Integer enter an integer in decimal notation as value For example 1234567890 If the data type is IA5String enter a normal string as value For example Test of IA5String If the data type is O...

Page 510: ...licy during installation If you want the server to add this extension to certificates you must create an instance of the IssuerAltNameExt module and configure it For instructions see section Step 4 Add New Policy Rules in Chapter 18 Setting Up Policies of CS Administrator s Guide Table 12 25 IssuerAltNameExt Configuration Parameters Parameter Description enable Specifies whether the rule is enable...

Page 511: ...dentities can be contained in the extension default n specifies the total number of identities to be included in the extension it must be an integer greater than zero The default value is 8 Example 2 generalName n general NameChoice Specifies the general name type for the alternative name you want to include in the extension Permissible values rfc822Name directoryName dNSName ediPartyName URL iPAd...

Page 512: ...rg rfc rfc2253 txt Note that RFC 2253 replaces RFC 1779 For example CN CA Corp OU Research Dept O Example Corporation C US If you selected dNSName the value must be a valid domain name in the preferred name syntax as specified by RFC 1034 http www ietf org rfc rfc1034 txt You may use upper and lower case letters in the domain name no significance is attached to the case Do not use the string for t...

Page 513: ... format for example 128 21 39 40 IPv4 address with netmask must be in the n n n n m m m m format For example 128 21 39 40 255 255 255 00 For IP version 6 IPv6 the address should be in the form described in RFC 1884 http www ietf org rfc rfc1884 txt with netmask separated by a comma Examples of IPv6 addresses with no netmask are 0 0 0 0 0 0 13 1 68 3 and FF01 43 Examples of IPv6 addresses with netm...

Page 514: ...d in the key usage extension policy On the client side bits set in the key usage extension are formed from pre defined HTTP input variables that can be embedded as hidden values in the enrollment forms You specify which bits are to be set by adding the appropriate HTTP variables to the enrollment forms Table 12 27 lists the HTTP input variables that correspond to key usage extension bits The defau...

Page 515: ...lows CMCertKeyUsageExt This rule is for setting the appropriate key usage bits in Certificate Manager CA signing certificates and is enabled by default The server is configured to set digitalSignature nonRepudiation keyCertsign and cRLSign bits in CA signing certificates Notice that the key usage bits specified in the default policy rule match the bits specified in the enrollment form ManCAEnroll ...

Page 516: ...ule is for setting the appropriate key usage bits in object signing certificates and is enabled by default The server is configured to set digitalSignature and keyCertsign bits in object signing certificates Notice that the key usage bits specified in the default policy rule match the bits specified in the enrollment form ManObjSignEnroll html for requesting object signing certificates CRLSignCert...

Page 517: ...ermissible values true false or HTTP_INPUT Select true if you want the server to set the bit default Select false if you don t want the server to set the bit Select HTTP_INPUT if you want the server to check the certificate request for the HTTP input variable corresponding to the nonRepudiation bit and set the bit accordingly If the variable is set to true the server sets the bit If the variable d...

Page 518: ...lect true if you want the server to set the bit default Select false if you don t want the server to set the bit Select HTTP_INPUT if you want the server to check the certificate request for the HTTP input variable corresponding to the keyAgreement bit and set the bit accordingly If the variable is set to true the server sets the bit If the variable doesn t exist or if it is set to false or any ot...

Page 519: ...f the key usage extension in certificates specified by the predicate parameter Permissible values true false or HTTP_INPUT Select true if you want the server to set the bit default Select false if you don t want the server to set the bit Select HTTP_INPUT if you want the server to check the certificate request for the HTTP input variable corresponding to the encipherOnly bit and set the bit accord...

Page 520: ... each of these parameters otherwise the policy rule will return an error You can change the total number of permitted subtrees by changing the value in this field there s no restriction on the total number of permitted subtrees you can include in the extension Each set of configuration parameters is distinguished by n which is an integer derived from the value you assign in this field For example ...

Page 521: ...Select OID if the subtree is an object identifier Select otherName if the subtree is in any other name form Example directoryName permittedSubtrees n base generalNameValue Specifies the general name value for the permitted subtree you want to include in the extension Permissible values Depends on the general name type you selected in the permittedSubtrees n base generalNameChoice field If you sele...

Page 522: ...Pv4 the address should be in the form specified in RFC 791 http www ietf org rfc rfc0791 txt IPv4 address must be in the n n n n format for example 128 21 39 40 IPv4 address with netmask must be in the n n n n m m m m format For example 128 21 39 40 255 255 255 00 For IP version 6 IPv6 the address should be in the form described in RFC 1884 http www ietf org rfc rfc1884 txt with netmask separated ...

Page 523: ... are allowed excludedSubtrees n base generalNameChoice Specifies the general name type for the excluded subtree you want to include in the extension Permissible values rfc822Name directoryName dNSName ediPartyName URL iPAddress OID or otherName Select rfc822Name if the subtree is an Internet mail address Select directoryName if the subtree is an X 500 directory name Select dNSName if the subtree i...

Page 524: ... example CN SubCA OU Research Dept O Example Corporation C US If you selected dNSName the value must be a valid domain name in the preferred name syntax as specified by RFC 1034 http www ietf org rfc rfc1034 txt You may use upper and lower case letters in the domain name no significance is attached to the case Do not use the string for the DNS name Also don t use the DNS representation for Interne...

Page 525: ...F FFFF FFFF FFFF FFFF FFFF FF00 0000 If you selected OID the value must be a unique valid OID specified in dot separated numeric component notation For example 1 2 3 4 55 6 5 99 If you selected otherName the value must be the absolute path to the file that contains the base 64 encoded string of the subtree For example usr netscape servers ext nc othername txt excludedSubtrees n min Specifies the m...

Page 526: ...ection Using Predicates in Policy Rules in Chapter 18 Setting Up Policies of CS Administrator s Guide Example HTTP_PARAMS certType client critical Specifies whether the extension should be marked critical or noncritical Select to mark critical deselect to mark noncritical default inputType Specifies whether to embed a textual statement or to include a pointer to file that contains the textual stat...

Page 527: ...tement that should be included in certificates If you want to embed a textual statement for example your company s legal notice in certificates then add that statement here The text you enter here will be displayed to a relying party when the certificate is used or viewed Permissible values A string with up to 200 characters Example Example Corporation s CPS incorp by reference liab ltd c 2002 Exa...

Page 528: ... extension policy and which bits are to be set by adding the appropriate HTTP variables to the enrollment forms Bits set in the Netscape certificate type extension are formed from pre defined input variables that you can embed as hidden values in the default enrollment forms Table 12 32 lists the HTTP input variables that correspond to Netscape certificate type extension bits 2 S MIME Specifies th...

Page 529: ...mail_ca ssl_ca and object_signing_ca variables In general the forms are set up so that you don t have to make any modifications However if there is a need to modify the bit settings be sure to add or remove the corresponding variable Also when adding a new variable make sure that the HTML input format is as follows input type HIDDEN value true name variable_name where variable_name can be any of t...

Page 530: ... if you want the server to add the extension with default bits to certificates If you select and if no bits are requested from the HTTP input the server adds the Netscape certificate type extension to certificates with the following bits set ssl client bit 0 email bit 2 Deselect if you don t want the server to add the extension with default bits If you deselect and if no bits are requested from th...

Page 531: ...deselect to disable predicate Specifies the predicate expression for this rule If you want this rule to be applied to all certificate requests leave the field blank default To form a predicate expression see Using Predicates in Policy Rules on page 465 critical Select to mark critical deselect to mark noncritical default reqExplicit Policy Specifies the total number of certificates permitted in th...

Page 532: ...s associated with the subject CA are equivalent to the policy they accept For general information about this extension see policyMappings on page 739 During installation CS automatically creates an instance of the policy mappings extension policy named PolicyMappingsExt that is enabled by default inhibitPolicy Mapping Specifies the total number of certificates permitted in the path before policy m...

Page 533: ...ues 0 or n 0 specifies that no policy pairs can be contained in the extension n specifies the total number of policy pairs to be included in the extension it must be a integer greater than zero The default value is 1 policyMap n issuerDomainPolicy Specifies the OID assigned to the policy statement n of the issuing CA that you want to map with the policy statement of another CA Permissible values A...

Page 534: ...and remove it For general information about the Basic Constraints extension see basicConstraints on page 732 Table 12 37 PrivateKeyUsagePeriodExt Configuration Parameters Parameter Description enable Specifies whether the rule is enabled or disabled Select to enable deselect to disable predicate Specifies the predicate expression for this rule If you want this rule to be applied to all certificate...

Page 535: ...l and set on the request before the request is passed to the policy subsystem In general you can configure which attributes should or shouldn t be stored in the request for example you can exclude sensitive attributes such as passwords from getting stored in the request with the help of the parameter named dontSaveHttpParams defined in the CS configuration file For details on using this parameter ...

Page 536: ...tAttr and generalName n generalNameChoice and you must specify appropriate values for each of those parameters otherwise the policy rule will return an error You can change the total number of identities by changing the value of this parameter there s no restriction on the total number of identities you can include in the extension Each set of configuration parameters is distinguished by n which i...

Page 537: ...ess OID or otherName Select rfc822Name if the request attribute value is an Internet mail address in the local part domain format default For example jdoe example com Select directoryName if the request attribute value is an X 500 directory name similar to the subject name in a certificate For example CN Jane Doe OU Sales Dept O Example Corporation C US Select dNSName if the request attribute valu...

Page 538: ...ibute values for the subject of the certificate For general information about this extension see subjectDirectoryAttributes on page 740 The subject directory attributes extension policy in CS allows you to include up to three directory attributes in the extension For each attribute that you want to include in the extension you need to specify the attribute name and its value the name must be the X...

Page 539: ...the numAttributes parameter to 2 n would be 0 and 1 attribute n attrib uteName Specifies the name of the directory attribute whose value is to be included in the extension Permissible values TITLE O OU L E C GIVENNAME DC UID CN UNSTRUCTUREDNAME GENERATIONQUALIFIER ST DNQUALIFIER SN MAIL UNSTRUCTUREDADDRESS STREET SERIALNUMBER and INITIALS The list may show any additional attributes that you may ha...

Page 540: ...any Subject Key Identifier Extension that is already there During installation CS automatically creates an instance of the subject key identifier extension policy named SubjectKeyIdentifierExt that is enabled by default Table 12 41 SubjectKeyIdentifierExt Configuration Parameters Parameter Description enable Specifies whether the rule is enabled or disabled Select to enable deselect to disable pre...

Page 541: ...ion must be on the class path To register a policy module in a subsystem s policy framework 1 Log in to the CS window see Logging Into the CS Console on page 239 2 Select the Configuration tab 3 In the navigation tree select the subsystem that will use the module you want to register 4 Select Policies and then in the right pane select the Policy Plugin Registration tab The Policy Plugin Registrati...

Page 542: ...s that are based on this module To delete a policy module from a subsystem s policy framework 1 Log in to the CS window see Logging Into the CS Console on page 239 2 Select the Configuration tab 3 In the navigation tree select the subsystem that registers the module you want to delete 4 Select Policies and then in the right pane select the Policy Plugin Registration tab The Policy Plugin Registrat...

Page 543: ... driven system that sends email notifications when the specified event occurs The system uses listeners that monitor the system to determine when a particular event has occurred and then trigger the notification system when the event does occur Each type of notification is associated with a template in either plain text or HTML format that is used to construct the notification message The template...

Page 544: ...Request In Queue Certificate Revocation Certificate Issued A notification message is automatically sent to users who have been issued certificates A rejection message is sent if the user s certificate request is rejected Request in Queue A notification message is automatically sent to one or more agents when a request enters the agent request queue using the email address es you set up for the age...

Page 545: ...und the notification is sent to the email address specified in the Sender s Email Address field specified when you set up this notifications as undeliverable notification You can customize the email resolver using the ReqCertSANameEmailResolver java class included as a sample with the CS SDK Setting Up Automated Notifications To configure a Certificate Manager or Registration Manager to send autom...

Page 546: ...s the email address of the person who is notified of any delivery problems Subject Type the subject title for the notification Recipient s E Mail Address Type the recipient s full email address this is the email address of the agent or agents who will check the queue You can specify more than one recipient separate email addresses by commas Content Template path Type the path including the filenam...

Page 547: ...ar notification message are explained in the procedure in the section Setting Up Automated Notifications on page 545 5 Save the file 6 Restart the server instance 7 If you set up a job that sends automated messages check that your have correctly set up a mail server See Mail Server on page 250 8 If you set up a job that sends automated messages you can customize those messages See Customizing Noti...

Page 548: ...HTML templates Tokens are variables identified with the dollar sign character in the message that are replaced by the current value when the message is constructed See Token Definitions on page 551 for a list of available tokens You can modify the contents of any message type by making changes to the text and tokens contained in the template for that message type You can modify the appearance of H...

Page 549: ...lates Notification message templates are located in the following directory server_root cert instance_id emails You can change the name of these files as applicable or their location be sure to make the appropriate changes when configuring the notification All template names can be changed except for the certificate rejected templates whose name must remain the same The templates associated with c...

Page 550: ... certificate is revoked certRequestRevoked_RA Template for the Registration Manager to send plain text notifications to end entities when their certificate is revoked certRequestRevoked_RA html Template for the Registration Manager to send HTML based notifications to end entities when their certificate is revoked reqInQueue_CA Template for the Certificate Manager or Registration Manager to send pl...

Page 551: ...cate Manager or Registration Manager to which end entities should connect to retrieve their certificates HttpPort Specifies the port number at which the Certificate Manager or Registration Manager is listening to end entity requests InstanceID Specifies the ID assigned to the subsystem that sent this notification If the notification is sent by a Certificate Manager this will be ca If the notificat...

Page 552: ...ate subject SummaryItemList Specifies the list of items in the summary notification Each item corresponds to a certificate the job detects for renewal or for removal from the publishing directory SummaryTotalFailure Specifies the total number of items in the summary report that failed SummaryTotalNum Specifies the total number of items certificate requests that are pending in the queue in the summ...

Page 553: ...ecific jobs at specified times The job scheduler functions similar to a traditional Unix cron daemon in that it takes registered cron jobs and executes them at a preconfigured date and time If configured the scheduler checks at specified intervals for jobs waiting to be executed if the specified execution time has arrived the scheduler initiates the job automatically Jobs are implemented as Java c...

Page 554: ... job checks for certificates that are about to expire in the internal database When it finds one it automatically emails the certificate s owner and continues sending email reminders for a configured period of time or until the certificate is renewed The job also collects a summary of all such renewal notifications and mails the summary to one or more agents or administrators The job determines th...

Page 555: ...anager and Registration Manager can execute a job only if the Job Scheduler is turned on or enabled As a part of turning the Job Scheduler on you also specify the frequency at which the Job Scheduler daemon should check if any of the configured jobs need to be executed Frequency Settings for Automated Jobs The Job Scheduler uses a variation of the Unix crontab entry format to specify dates and tim...

Page 556: ... of the week to be valid For example the following entry specifies a job execution time of midnight on the first and fifteenth of every month and on every Monday 0 0 1 15 1 To specify one day type without the other use an asterisk in the other day field For example the following entry specifies a job execution time of 3 15 a m on every weekday morning 15 3 1 5 Enabling and Configuring the Job Sche...

Page 557: ... Type the frequency at which the Job Scheduler daemon thread should wake up and call the configured jobs that meet the cron specification By default it is set to one minute See Frequency Settings for Automated Jobs on page 555 The window for entering this information may appear too small Drag the corners of the CS console window to enlarge the entire CS console window and this field will increase ...

Page 558: ...le directory We recommend that you make these changes using the CS console Enabling and Configuring Specific Jobs Using the CS Console To enable and configure an automated job using the CS console 1 Ensure that the Jobs Scheduler is enabled and configured see Setting Up the Job Scheduler on page 555 for more information 2 Log in to the CS console see Logging Into the CS Console on page 239 3 Selec...

Page 559: ...e select that instance and click delete If you want to add a job instance click Add then select the module you want to add To enable and configure an existing job instance or modify the configuration of a job go to the next step 5 In the Instance Name list select a job that you want to enable and configure 6 Click Edit View The Job Instance Editor window appears showing how this job is currently c...

Page 560: ...565 for details Enabling Configuring Specific Jobs By Editing the Configuration File 1 Ensure that the Jobs Scheduler is enabled and configured see Setting Up the Job Scheduler on page 555 for more information 2 Stop the server instance whose configuration file you will be editing 3 Open the CS cfg file for that server instance in a text editor 4 Edit all of the configuration parameters for the jo...

Page 561: ...pecify the value of this parameter as false to disable cron Specifies the cron string specifying the schedule of when this job should be run In other words it specifies the time at which the Job Scheduler daemon thread should check the certificates for sending renewal notifications Permissible values Must follow the convention specified in Frequency Settings for Automated Jobs on page 555 Example ...

Page 562: ... of user certificates You can specify more than one recipient by separating each email address with a comma summary senderEmail Specifies the email address of the sender of the summary message summary emailSubject Specifies the subject line of the summary message summary itemTemplate Specifies the path including the filename to the directory that contains the template to be used to create the cont...

Page 563: ...accomplished should be compiled and sent Specify the value of this parameter as true to enable specify the value of this parameter as false to disable If you enabled be sure to set the remaining parameters these are required by the server to send the summary report summary emailSubject Specifies the subject line of the summary message summary emailTemplate Specifies the path including the filename...

Page 564: ...e value of this parameter as false to disable If you enabled be sure to set the remaining parameters these are required by the server to send the summary report summary emailSubject Specifies the subject line of the summary message summary emailTemplate Specifies the path including the filename to the directory that contains the template to be used for formulating the summary report summary itemTe...

Page 565: ...Templates for Summary Notifications Notification message templates are located in the following directory server_root cert instance_id emails Table 14 5 lists the default template provided for creating notification messages You can change the name of these files as applicable be sure to make the appropriate changes when configuring the job Table 14 5 Notification Templates Filename Description Unp...

Page 566: ...ion job s summary report Token Description CertType Specifies the type of certificate whether SSL client client SSL server server Registration Manager s signing certificate ra Certificate Manager s CA signing certificate ca router certificate Cisco router or other other ExecutionTime Specifies the time the job instance was run HexSerialNumber Specifies the serial number of the certificate that has...

Page 567: ...ies the email address of the sender SerialNumber Specifies the serial number of the certificate the serial number will be displayed as a hexadecimal value in the resulting message Status Specifies whether the operation failed or succeeded SubjectDN Specifies the distinguished name of the certificate subject SummaryItemList Specifies the list of items in the summary notification Each item correspon...

Page 568: ... Jobs The Job Instance tab appears It lists any currently configured jobs 4 Select the Job Plugin Registration tab The Job Plugin Registration tab appears 5 To delete a module select the module you want to delete and click Delete When prompted confirm the delete action 6 To register a module click Register The Register Job Scheduler Plugin Implementation window appears Specify information as appro...

Page 569: ... a Certificate Manager agent End users can revoke certificates by using the Revocation form provided in the end entity services interface Agents can revoke end entity certificates by using the appropriate form in the Agent Services interface Certificate based SSL client authentication or challenge password based authentication is required in both cases An end user can revoke only those certificate...

Page 570: ...st step in the revocation process is for the Certificate Manager or Registration Manager to identify and authenticate the end user to verify that the user is attempting to revoke his or her own certificate not a certificate belonging to someone else Both the Certificate Manager and Registration Manager support the SSL Client Authenticated Revocation and the Challenge Password Based Revocation SSL ...

Page 571: ...et up with the agent approved authentication method The form associated with the agent approved authentication is the only form that contains this capability The server revokes the certificate only if the certificate maps successfully to a valid or expired certificates in its internal database If the server detects a valid or expired certificate with a matching serial number and challenge password...

Page 572: ...anager will automatically issue certificates when a valid certificate request signed with the agent s certificate is received and will automatically revoke a certificate when a valid revocation request signed with the agent s certificate is received Setting Up CMC Revocation To set up CMC revoke you do the following Set up an instance of the CMCAuth Authentication plug in module An instance is ena...

Page 573: ...ntCert and the serial number of the certificate is 22 the command would look like this d The directory where cert8 db key3 db and secmod db containing the agent certificate are located n The nickname of the agent s certificate i The issuer name of the certificate being revoked s The serial number of the certificate being revoked in decimal value m The reason the certificate is being revoked Specif...

Page 574: ...te if any of the certificate assertions becomes false Make the revoked certificate status available to parties or applications that need to verify its validity status Whenever a certificate is revoked the Certificate Manager automatically updates the status of the certificate in its internal database it marks the copy of the certificate in its internal database as revoked and removes the revoked c...

Page 575: ...to create another key pair for the Certificate Manager and use it exclusively for signing the CRLs it generates See Getting a CRL Signing Key Pair and Certificate on page 104 for details on setting this up Reasons for Revoking a Certificate A Certificate Manager can revoke any certificate it has issued There are generally accepted reason codes for revoking a certificate that are often included in ...

Page 576: ...s internal database and when configured it makes the revoked list of certificates public by publishing it to a central repository to notify other users that the certificates in the list are no longer valid Revocation Checking by Red Hat Servers Because Red Hat servers currently cannot check the revocation status of a certificate you should use other forms of access control For example you can remo...

Page 577: ...th certificates by setting the CRLDistributionPoint extension in them By default the Certificate Manager only generates and publishes a single CRL identified as the master CRL You can also define an issuing point for CA signing certificates and an issuing point that includes all revoked certificate information including expired certificates Delta CRLs You can issue Delta CRLs for any issuing point...

Page 578: ...ond full CRL that is created and all subsequent full CRLs that are created The internal database stores only the latest CRL and delta CRL As each new CRL is created the old one is overwritten When you publish CRLs each update to the CRL and delta CRL is published to the locations specified in the publishing set up The method of publishing determines how many CRLs are stored For file publishing eac...

Page 579: ...ns if you turned on extensions when you configured the issuing point See Setting CRL Extensions on page 582 for complete details 5 If you want to set up Delta CRLs for a particular issuing point you need to enable extensions for that issuing point and enable and configure the DeltaCRLIndicator or CRLNumber 6 Setting up the CRLDistributionPoint extension in certificates you issue if you want to inc...

Page 580: ...d to close the CS console and log back into it When you log back in the new issuing point will appear below the CRL Issuing Points entry in the navigation tree All the CRLs you created will appear on the Update Revocation List page of the Agent Services pages 8 You need to configure this new issuing point and set up any CRL extensions that will be used in this CRL See Configuring CRLs for Each Iss...

Page 581: ... results of revocation immediately for example when testing whether the server publishes the CRL to a flat file Update at this frequency Select this option if you want the Certificate Manager to generate CRLs at regular intervals In this case the server publishes the CRL to the configured directory at the interval you specify In the adjoining text field type the interval in minutes at which the Ce...

Page 582: ...ust be turned on in order to create delta CRLs Revocation list signing algorithm Select the algorithm the server should use to sign the CRL If the Certificate Manager s signing key type is RSA select MD2 with RSA MD5 with RSA or SHA 1 with RSA If the Certificate Manager s signing key type is DSA select SHA 1 with DSA 4 To save your changes click Save 5 If you selected Allow extensions for this iss...

Page 583: ...pplications support version 2 CRLs Among the applications that do support extensions not all applications will recognize every extension For general guidelines on using these extensions in CRLs see Appendix G Certificate and CRL Extensions AuthorityKeyIdentifier The AuthorityKeyIdentifier rule enables you to configure a Certificate Manager to set the Authority Key Identifier Extension in CRLs The ...

Page 584: ...evocation of a certificate included in the CRL For general guidelines on setting the CRL reason code in CRL entries see reasonCode on page 747 For a list of reason codes see Reasons for Revoking a Certificate on page 575 Table 15 1 AuthorityKeyIdentifierExt Configuration Parameters Parameter Description enable Specifies whether the rule is enabled or disabled Select to enable deselect to disable d...

Page 585: ...e Specifies whether the rule is enabled or disabled Select to enable default deselect to disable critical Select if you want the server to mark the extension critical deselect if you want the server to mark the extension noncritical default Table 15 4 DeltaCRL Configuration Parameters Parameter Description enable Specifies whether the rule is enabled or disabled Select to enable deselect to disabl...

Page 586: ...in and the fields to set these points will be present in the interface pointType n Specifies the type of issuing point for the n issuing point For each number specified in numPoints there will be an equivalent number of numbered pointType parameters Select DirectoryName or URI pointName n If pointType is set to directoryName the value must be a string in the form of X 500 name similar to the subje...

Page 587: ...ce indicator URI with the issuer of the CRL instruction Specifies the action a validating application must take when it encounters a certificate that has been put on hold Permissible values none callissuer or reject none specifies that the validating application need not do anything the PKIX standard says that this is semantically equivalent to the absence of a holdInstructionCode default callissu...

Page 588: ...r of identities you can include in the extension Each set of configuration parameters is distinguished by n which is an integer derived from the value you assign in this field For example if you set the numNames parameter to 2 n would be 0 and 1 nameType n Specifies the general name type Select from the following Select rfc822Name if the name is an Internet mail address Select directoryName if the...

Page 589: ... be a valid domain name in the DNS format For example testCA example com If the type is ediPartyName the name must be an IA5String For example Example Corporation If the type is URL the value must be a non relative universal resource identifier URI For example http testCA example com If the type is iPAddress the value must be a valid IP address specified in dot separated numeric component notation...

Page 590: ...ryName the name must be an X 500 Name For example CN CRLCentral OU Research Dept O Example Corporation C US If the pointType attribute is set to URI the name must be a URI the URI must be an absolute pathname and must specify the host For example http testCA example com get your crls here Note that the CRL may be stored in the directory entry corresponding to the CRL issuing point which may be dif...

Page 591: ...rtificates only deselect if the distribution point contains all types of certificates default indirectCRL Select if the distribution point contains an indirect CRL deselect if the distribution point doesn t contain an indirect CRL default Table 15 9 IssuingDistributionPoint Configuration Parameters Continued Parameter Description ...

Page 592: ...CRL Extension Reference 592 Red Hat Certificate System Administrator s Guide September 2005 ...

Page 593: ...ine validation authority using the appropriate protocol This chapter explains how to configure the Certificate Manager or Registration Manager to publish certificates and CRLs to a file to a directory and to the Online Certificate Status Manager This chapter contains the following sections About Publishing Setting Up Publishing Publishers Mappers Rules Enabling Publishing Testing Publishing to Fil...

Page 594: ...aces in a directory For example you can identify a type of user for example ones from the west coast division of the company and publish those user certificates in one branch of the directory while publishing certificates for users from the east coast division of the company in another branch of the directory You can set up publishing in a Certificate Manager or a Registration Manager The Certific...

Page 595: ...er provides a formula for converting the information available to either a DN or some unique information that can be searched in the directory to obtain a DN for the entry About Rules You set up Rules for file LDAP and OCSP publishing which tell the server whether or not a certificate or CRL matches that rule and if so how it is to be published A rule first defines what is to be published a certif...

Page 596: ...d the publishing directory For each certificate the server issues it creates a blob that contains the certificate in its DER encoded format in the specified attribute of the user s entry The certificate is published as a DER encoded binary blob Every time the server generates a CRL it creates a blob that contains the new CRL in its DER encoded format in the specified attribute of the entry for the...

Page 597: ...t coast user certificates To use predicates a value needs to be entered in the predicate field of the publishing rule and a corresponding value although formatted somewhat differently needs to be contained in the certificate or certificate request itself in order for a match to occur The value in the certificate or certificate request may be derived from information in the certificate such as the ...

Page 598: ...rtain the correct DN for the entry When you revoke a certificate the server uses the publishing rules to locate and delete the corresponding certificate from the LDAP directory or from the file system When a certificate expires the server can remove that certificate from the configured directory Note that the server doesn t do this automatically You need to configure the server to run the appropri...

Page 599: ...e Publishers for LDAP publishing For more information see Configuring Publishers for LDAP Publishing on page 605 4 For LDAP publishing you need to set up Mappers to enable an entries DN to be derived from the certificate s subject name Generally you will need to set one up for the CA certificate CRLs and for user certificates You can also set more than one up for a particular type You might do thi...

Page 600: ...ers Mappers and Rules Once it is enabled the server will start publishing If you have not finished setting up publishing may not work correctly or at all For complete details see Enabling Publishing on page 628 Publishers Publishers allow you to specify the location where you want a particular object published In the case of publishing to a file a publisher specifies a particular location in which...

Page 601: ... for CRLs and one for CA certificates or it can contain a subset of an object type say west coast user certificates in one location and east coast certificates in another location Creating a Publisher for File Publishing To create publishers for publishing to files 1 Log in to the CS console for the Certificate Manager see Logging Into the CS Console on page 239 2 Select the Configuration tab 3 In...

Page 602: ...k Next The Publisher Editor window appears 7 Fill in the following fields in this window Publisher ID Type a name for the rule Be sure to use an alphanumeric string with no spaces For example PublishCertsToFile directory Type the complete path to the directory in which the Certificate Manager should create the DER encoded files the path can be an absolute path or can be relative to the CS instance...

Page 603: ...hing all CRLs to one location you can create one publisher If you are publishing to different locations you need to create one for each location you will be publishing to Each location can contain a different kind of CRL Creating a Publisher for File Publishing To create publishers for publishing to files 1 Log in to the CS console for the Certificate Manager see Logging Into the CS Console on pag...

Page 604: ... Publisher Plug in Implementation window appears It lists registered publisher modules 5 Select the module named OCSPPublisher This is the only Publisher module that enables the Certificate Manager to publish CRLs to the Online Certificate Status Manager 6 Click Next The Publisher Editor window appears ...

Page 605: ...s end entity SSL port number For example 443 path Make sure this field shows the default path ocsp addCRL If necessary type it in 8 Click OK You are returned to the Publishers Management tab It should now list the publisher you just created 9 Repeat this procedure creating all the publishers you will need Configuring Publishers for LDAP Publishing The Certificate Manager creates configures and ena...

Page 606: ...erence on page 606 for more information about publishers Publisher Plug in Module Reference This section describes the publisher modules provided for the Certificate Manager You can use these modules to configure a Certificate Manager to enable and configure specific Publisher instances The available Publisher plug in modules include the following FileBasedPublisher LdapCaCertPublisher LdapUserCer...

Page 607: ...lisher plug in module enables you to configure a Certificate Manager to publish or unpublish a user certificate to the userCertificate binary attribute of the user s directory entry Table 16 1 FileBasedPublisher Configuration Parameters Parameter Description Publisher ID Specifies a name for the publisher You can use an alphanumeric string with no spaces For example PublishCertsToFile directory Sp...

Page 608: ...alled a publisher of the LdapCrlPublisher module for publishing CRLs to the directory LdapDeltaCrlPublisher The LdapDeltaCrlPublisher plug in module enables you to configure a Certificate Manager to publish or unpublish a delta CRL to the deltaRevocationList binary attribute of a directory entry During installation the Certificate Manager automatically creates an instance of the LdapDeltaCrlPublis...

Page 609: ...ross signed certificates to the directory that is already enabled and configured OCSPPublisher The OCSPPublisher plug in module enables you to configure a Certificate Manager to publish its CRLs to an Online Certificate Status Manager During installation the Certificate Manager does not create any instances of the OCSPPublisher module Table 16 5 LdapDeltaCrlPublisher Configuration Parameters Param...

Page 610: ...he search criteria Configuring Mappers During installation the Certificate Manager automatically creates a set of mappers defining the most common relationships The default mappers are as follows LdapUserCertMap for locating the correct attribute of user entries in the directory in order to publish user certificates LdapCrlMap for locating the correct attribute of the CA s entry in the directory i...

Page 611: ... Plug in Modules Reference on page 613 Modifying or Creating Mappers To modify a mapper 1 Log in to the CS console for the Certificate Manager see Logging Into the CS Console on page 239 2 Select the Configuration tab 3 In the navigation tree select Publishing and then select Mappers The right pane shows the Mappers Management tab which lists configured mappers 4 To modify an existing mapper a In ...

Page 612: ...e information about these modules see Mapper Plug in Modules Reference on page 613 c Click Next The Mapper Editor window appears Go to step 6 6 Make the necessary changes to the field in the instance you chose and click OK See Mapper Plug in Modules Reference on page 613 for detailed information about each mapper 7 Repeat the procedure configuring all of the mappers you will need 8 Click Refresh t...

Page 613: ...n AVAs check the directory documentation The CA certificate mapper allows you to specify whether to create an entry for the CA or to just map the certificate to an existing entry or to do both Note that if you already have one CA entry created in the publishing directory and if you change the value assigned to the dnPattern parameter of this mapper to something different but with the same UID and ...

Page 614: ...ificate to the entry If you don t select the entry must already be present in order to publish to it dnPattern Specifies the DN pattern the Certificate Manager should use to construct the DN in order to search for the CA s entry in the publishing directory The value of dnPattern can be a list of AVAs separated by commas An AVA can be a variable such as CN subj cn that the Certificate Manager can d...

Page 615: ...entry in the directory By default the mapper is configured to create an entry for the CA in the directory and the default DN pattern for locating the CA s entry is as follows UID subj cn OU people O subj o LdapDNExactMap The LdapDNExactMap plug in module enables you to configure a Certificate Manager to map a certificate to an LDAP directory entry by searching for the LDAP entry DN that matches th...

Page 616: ...a constant such as O Example Corporation The examples below illustrate how you can use AVAs to form the DN pattern Example 1 uid CertMgr o Example Corporation Example 2 CN subj cn OU subj ou O subj o C US Example 3 uid req HTTP_PARAMS uid E ext SubjectAlternativeName RFC822Name ou subj ou In the above examples req means take the attribute from the certificate request subj means take the attribute ...

Page 617: ...ctory for publishing the CA certificate and the CRL End entity entries in the directory for publishing end entity certificates In general the mapper takes DN components to build the search DN The mapper also takes an optional root search DN The server uses the DN components to form an LDAP entry to begin a subtree search and the filter components to form a search filter for the subtree If none of ...

Page 618: ...s of components that help identify the entry for details see Appendix I Distinguished Names The following components are commonly used in DNs UID which represents the user ID of a user in the directory CN which represents the common name of a user in the directory OU which represents an organizational unit in the directory O which represents an organization in the directory L which represents a lo...

Page 619: ...you should enter those DN components that the Certificate Manager can use to form the LDAP DN exactly In certain situations however the subject name in a certificate may match more than one entry in the directory Then the Certificate Manager might not get a single distinct matching entry from the DN For example the subject name CN Jane Doe OU Sales O Example Corporation C US might match two users ...

Page 620: ...ation Parameters Parameter Description baseDN Specifies the DN to start searching for an entry in the publishing directory If you leave the dnComps field blank the server uses the base DN value to start its search in the directory dnComps Specifies where in the publishing directory the Certificate Manager should start searching for an LDAP entry that matches the CA s or the end entity s informatio...

Page 621: ...ation Manager can only publish certificates It cannot publish CRLs filterComps Specifies components the Certificate Manager should use to filter entries from the search result The server uses the filterComps values to form an LDAP search filter for the subtree The server constructs the filter by gathering values for these attributes from the certificate subject name it uses the filter to search fo...

Page 622: ... for each type of certificate the Certificate Manager issues To modify publishing rules 1 Log in to the CS console for the Certificate Manager see Logging Into the CS Console on page 239 2 Select the Configuration tab 3 In the navigation tree select Certificate Manager select Publishing and then select Rules The right pane displays the Rules Management tab which lists any configured publishing rul...

Page 623: ...le a Click Add The Select Rule Plugin Implementation window appears b Select the module named Rule This is the only module If you have registered any custom modules they too will be available for selection c Click Next The Rule Editor window appears ...

Page 624: ... value for the type of certificate or CRL issuing point this rule applies The predicate value for each type of certificate is listed in Table 16 11 on page 625 The predicate value for CRL issuing points and delta CRLs is listed in Table 16 12 on page 625 enable Select to enable this rule mapper Mappers are not necessary when publishing to a file they are only needed for LDAP publishing If this rul...

Page 625: ...te certs HTTP_PARAMS certType objSignClient Certificate Manager signing certificate cacert HTTP_PARAMS certType ca Registration Manager signing certificate certs HTTP_PARAMS certType ra OCSP responder certificate certs HTTP_PARAMS certType ocspResponder Router certificate certs HTTP_PARAMS certType CEP Router Cross signed certificate certs HTTP_PARAMS certType fbca Table 16 12 CRL Predicate Expres...

Page 626: ...ecifies the type of certificate that will be published Select from the pull down menu predicate Specifies a predicate for this publisher enable yes Select to enable mapper LdapCaCertMap Specifies the mapper used with this rule See LdapCaCertMap on page 615 for details on this mapper publisher LdapCaCertPublisher Specifies the publisher used with this rule See LdapCaCertPublisher on page 607 for de...

Page 627: ...n this publisher Table 16 15 LdapXCert Rule Configuration Parameters Parameter Value Description type certs Specifies the type of certificate that will be published Select from the pull down menu predicate Specifies a predicate for this publisher enable yes Select to enable mapper LdapUserCertMap Specifies the mapper used with this rule See LdapSimpleMap on page 616 for details on this mapper publ...

Page 628: ...vigation tree of the CS window select Certificate Manager and then select Publishing The right pane shows the publishing details necessary for the server to publish to an LDAP compliant directory 2 To enable publishing to a file only select Enable Publishing Table 16 16 LdapCRL Rule Configuration Parameters Parameter Value Description type crl Specifies the type of certificate that will be publish...

Page 629: ...te permission to the entire directory tree the root DN You could also create another DN that has limited read write permissions for only those attributes that the publishing system actually needs to write Password Type the password for this DN The Certificate Manager saves this password in the single sign on password cache and uses it during startup If you change the password the server updates th...

Page 630: ...s and CRLs correctly to files follow these steps 1 Go to the end entity interface and request a certificate 2 Go to the agent services interface and approve the request if you have an agent approved enrollment configuration If you set up automatic enrollment you can skip this step 3 Download the certificate into your browser 4 Check whether the server generated the DER encoded file containing the ...

Page 631: ...gjjgmkgjkgmjg fjfgjjjgfyjfyj9ucyBDb3Jwb3JhdGlvbjpMEaMBgGA1UECxMRSXNzdWluZyh gdfhbfdpffjphotoo gdhkBBdXRob3JpdHkwHhcNOTYxMTA4MDkwNzM0WhcNOTgxMTA4MDkwNzMM0Wj BXMQswCQYDVQQGEwJ VUzEsMCoGA1UEChMjTmV0c2NhcGUgQ29tbXVuaWNhdGlvbnMgQ29ycG9yY2F0 aW9ucyBDb3Jwb3Jhd GlvbjpMEaMBgGA1UECxMRSXNzdWluZyBBdXRob3JpdHkwHh END CERTIFICATE 6 Convert the base 64 encoded certificate to a human readable form using the Prett...

Page 632: ...CRL as a binary blob to the specified directory go to the directory you specified for the server to publish CRLs You should find a file with its name in the crl this_update der format where this_update specifies the value derived from the time dependent variable named This Update of the CRL contained in the file If you don t see the file check your configuration 10 Convert the DER encoded CRL to i...

Page 633: ...chema table of the corresponding Directory Server while publishing or unpublishing end entity certificates If the directory object that it finds does not allow the userCertificate binary attribute the addition or removal of that specific certificate fails If you have created user entries as inetOrgPerson the userCertificate binary attribute already exists in the directory Otherwise you must add th...

Page 634: ...ame begins with the CN component create a new person entry for the CA If you select a different type of entry the interface may not allow you to specify a value for the CN component If your CA s distinguished name begins with the OU component create a new organizational unit entry for the CA Note that the entry you create doesn t have to be in the certificationAuthority object class The Certificat...

Page 635: ...restrict this user s rights For instructions on giving write access to the Certificate Manager s entry see your LDAP directory documentation Directory Authentication Method Depending on how you want the Certificate Manager to authenticate to the directory you must set up Directory Server for one of the following methods of communication Publishing With Basic Authentication Publishing Over SSL With...

Page 636: ...a range of certificates based on serial numbers from serial number xx to serial number yy Normally you do not need to manually update the directory with certificate related information if configured properly the Certificate Manager handles the updates automatically However a situation might arise in which you need to update the directory manually For example Directory Server might be down for a wh...

Page 637: ...plays a status report If for some reason the process gets interrupted the server logs an error message Be sure to check logs if that happens Note that if the Certificate Manager is installed as a root CA when using the agent interface to update the directory with valid certificates the CA signing certificate may get published using the publishing rule set up for user certificates and you may get a...

Page 638: ...nces for example if the CRL is large updating the directory may take considerable time During this period any changes made to the CRL for example any new certificates revoked may not be included in the update When the directory is updated the Certificate Manager will display a status report If the process gets interrupted for some reason the server logs an error message Be sure to check logs if th...

Page 639: ...up window that appears 6 To register a plug in click Register 7 Specify information as appropriate Plugin name Type a name for the plug in module Class name Type the full name of the class for this module that is the path to the implementing Java class If this class is part of a package be sure to include the package name For example if you are registering a class named customMapper and if this cl...

Page 640: ...Registering and Deleting Mapper and Publisher Plug in Modules 640 Red Hat Certificate System Administrator s Guide September 2005 ...

Page 641: ...oning the Data Recovery Manager CS High Availability Overview High availability systems reduce unplanned outages and other problems by making one or more subsystem clones available for failover When a host machine goes down in an unplanned outage high availability systems can handle requests and perform services from an alternate system in a seemless uninterrupted way High availability configurati...

Page 642: ...ficate requests in a seemless way The following subsystems can be cloned and run on different hosts Certificate Manager CA see Certificate Manager on page 77 Data Recovery Manager DRM see Data Recovery Manager on page 187 Online Certificate Status Manager see OCSP Responder on page 157 Architecture of a Failover System The diagram in Figure 17 1 shows one way to set up a cloned CS system In this s...

Page 643: ...e CRLs See Cloned Master CA Conversion on page 659 for more information about configuring a clone for CRL generation during failover Load balancing The load balancer in front of a CS system is what provides the actual failover support in a high availability system A load balancer can also provide the following advantages as part of a CS system ...

Page 644: ...reate a clone you must make sure that the instance you are cloning has been properly installed and configured since some of that configuration data is copied over to the new instance In particular you must verify the following aspects of the master CA 1 The master CA must have been fully configured with the installation wizard To review this configuration process for the master CA see Configuring ...

Page 645: ...nt serial numbers for its own certificates such as the CA signing certificate SSL server certificate agent s certificate and so on The master Certificate Manager will also need distinct serial numbers when you renew its certificates in the future Any subsequent cloned Certificate Manager does not need such a provision its serial numbers only need to not overlap with the ones assigned to the previo...

Page 646: ...ation and therefore is not recommended Cloning the CA To setup cloning for a Certificate Manager CA subsystem 1 From the Object menu in the Red Hat Console choose Create Instance Of then choose Red Hat Certificate System Alternatively you can right click the Server Group node and choose Create Instance Of Red Hat Certificate System The admin console asks you to provide a name for the new instance ...

Page 647: ... the Certificate Manager Chapter 17 Configuring CS for High Availability 647 3 The Installation Wizard asks you to copy the key and certificates from the master CA to the clone if you have not already done so ...

Page 648: ...ificate Manager available to the Certificate Manager clone If the master Certificate Manager s keys and certificates are stored in the internal software token you need to copy the certificate and key database files from the master Certificate Manager to Certificate Manager clone Here s how you do this I On the master Certificate Manager s host machine go to this directory server_root alias II Loca...

Page 649: ...ou must also copy the keys and certificates following the instructions provided by the hardware token vendor 5 Open the Server Group item select the cloned CA and click Open again to resume configuration where you left off in the installation wizard Click Next in the Clone Feature dialog once you have followed the instructions in Step 4 and copied over the key and certificate material 6 Designate ...

Page 650: ...ate System Administrator s Guide September 2005 8 In the Local Consumer Database dialog specify what type of database you are creating a Either select Create a local consumer database to create a new clone database local to the cloned Certificate Manager ...

Page 651: ...the existing LDAP server as the internal database for the cloned Certificate Manager instance If you select the remote database make sure that you have already created an LDAP server containing a base suffix of o CertificateServer on the host whose host name and port number you specify in the fields in the lower portion of the Installation Wizard ...

Page 652: ...oning the Certificate Manager 652 Red Hat Certificate System Administrator s Guide September 2005 9 Configure replication between the cloned CA database and the master CA database in the following dialog ...

Page 653: ...ion Manager role in the Master database the password for the Replication Manager role in the Consumer database and the agreement names between the master and clone s databases See Configuring the Certificate Manager on page 102 for more information 10 In the following dialog enter the certificate and request number ranges for the cloned Certificate Manager ...

Page 654: ... Ending certificate number field specify the highest serial number available for this CA For both the fields you can enter the number in decimal or hexadecimal 0xnn CA s request number range On this screen specify the lowest request number the CA should accept for requests that it receives in the Starting request number field In the Ending request number field specify the highest request number ac...

Page 655: ...ield so that the clone can redirect Update CRL requests to the master CA see About CRLs on page 574 for more information about CRLs 12 Choose the cloned CA s signing certificate the OCSP s signing certificate and the SSL server certificate from the pull down menus provided in the Clone Key and Certificate Materials for CA Subsystem dialog ...

Page 656: ... in the pull down menus follow the instructions in Step 4 above to copy the key and certificate database material over correctly 13 Configure the master CA s CRL cache to accept changes from the new clone Once the Installation Wizard creates the instance you have to take one last step to make sure that the CRL cache in the master CA reflects revocation data in the cloned CA To do this a Go to the ...

Page 657: ...nally for the purpose of high availability it is strongly encouraged that CRL publishing is enabled in this cloned CA presuming that CRL publishing has been enabled in the master CA Also it should be understood that any configurations made to a master CA will also need to be setup in each cloned CA The only two exceptions to this rule are the Users and Groups and the Access Control Lists both of w...

Page 658: ...and delta CRLs By default for full CRLs this field indicates the generation time of the next full CRL However full CRLs can be generated every n deltas By adding the following parameter the user is able to control the contents of the next update field Setting this parameter will cause the next update field to be set to the time of the next delta CRL generation 1 Go to the master CA directory at th...

Page 659: ... Since only one master CA can exist for a CS installation the offline master must first be converted into a cloned CA since one of the cloned CAs will become the new master CA see Converting a Cloned CA into a Master CA First ensure that the existing master CA is not running 1 Go to the existing master CA configuration directory at the command line cd serverRoot cert masterID config 2 Open the CS ...

Page 660: ...eration requests redirection add the following two lines master ca agent host hostname master ca agent port port number 3 Close and save the CS cfg file Converting a Cloned CA into a Master CA Having already converted the existing offline master CA into an offline cloned CA see Converting a Master CA into a Cloned CA and since only one master CA can and should exist for a CS installation one of th...

Page 661: ...value for the master CS This value can be changed to any other non zero number ca certStatusUpdateInterval 600 d To enable monitoring database replication changes modify the following line changing false to true ca listenToCloneModifications true e To enable maintenance of the CRL cache modify all of the enableCRLCache lines changing false to true ca crl IssuingPointId enableCRLCache true f To ena...

Page 662: ...d instance of this Online Certificate Status Manager subsystem to handle status requests based on CRLs published to it by one or more Certificate Managers see Publishing of CRLs on page 576 for more about the CRL publishing feature The OCSP database to which CRLs are published is replicated in the cloned OCSP database and requests to the Online Certificate Status Manager are or can be sent to a lo...

Page 663: ...ases the cloned Online Certificate Status Manager will need to generate a new signing key and certificate consequently it will not be a clone OCSP s SSL server key and certificate This depends on the way in which you have deployed the clone environment If you are using a load balancer regardless of whether or not the host machines are different you do not need to generate a new SSL server certific...

Page 664: ...nline Certificate Status Manager you need to make the keys and certificates used by the master available to the Online Certificate Status Manager clone If the master Online Certificate Status Manager s keys and certificates are stored in the internal software token you need to copy the certificate and key database files from the master to the Online Certificate Status Manager clone Here s how you ...

Page 665: ...base make sure that you have already created an LDAP server containing a base suffix of o CertificateServer on the host whose host name and port number you specify in the fields in the lower portion of the Installation Wizard 9 Configure replication between the cloned OCSP Responder database and the master OCSP Responder database Follow the instructions on screen to create the password for the Rep...

Page 666: ... over correctly Once the configuration for the clone is done the cloned Online Certificate Status Manager will be available in the Red Hat Console Follow the instructions in the next section to verify that the clone and the master Online Certificate Status Managers have been properly configured to work together Also it should be understood that any configurations made to a master OCSP Responder wi...

Page 667: ...ng cloned OCSP Responder into a new master OCSP Responder e g a catastrophic failure of the existing master OCSP Responder one needs to first convert the master existing offline master OCSP Responder into a clone followed by converting one of the current existing online cloned OCSP Responders into the new online master OCSP Responder The difference between a master OCSP Responder and a cloned OCSP...

Page 668: ... the new online master OCSP Responder First ensure that the master master OCSP Responder is no longer running and has already been converted into an offline cloned OCSP Responder 1 Go to one of the cloned OCSP Responders directories at the command line cd serverRoot cert cloneID 2 Stop this online cloned OCSP Responder server by issuing the following command in that directory stop cert 3 Go to thi...

Page 669: ... Manager s key number range The Ending key number field must not be blank The key number range of the cloned Data Recovery Manager must be unique and must not overlap with that of the master Data Recovery Manager b Check the master Data Recovery Manager s request number range The Ending request number field must not be blank The request number range of the cloned Data Recovery Manager must be uniq...

Page 670: ...anual configuration and therefore is not recommended Cloning the DRM The following are the steps to setup cloning for a DRM subsystem 1 From the Object menu in the Red Hat Console choose Create Instance Of then choose Red Hat Certificate System Alternatively you can right click the Server Group node and choose Create Instance Of Red Hat Certificate System The admin console asks you to provide a na...

Page 671: ...you need to make the configuration files used by the master available to the Data Recovery Manager clone If the master Data Recovery Manager s configuration files are stored in the internal software token you need to copy the and configuration files from the master to the Data Recovery Manager clone Here s how you do this I In the master Data Recovery Manager s host machine go to this directory se...

Page 672: ...for the cloned Data Recovery Manager instance If you select the remote database make sure that you have already created an LDAP server containing a base suffix of o CertificateServer on the host whose host name and port number you specify in the fields in the lower portion of the Installation Wizard 10 Configure replication between the cloned DRM database and the master DRM database Follow the ins...

Page 673: ...creates in the Starting key number field In the Ending key number field specify the highest key number available for this DRM DRM s request number range On this screen specify the lowest request number the DRM should accept for requests that it receives in the Starting request number field In the Ending request number field specify the highest request number acceptable to be received by this DRM 1...

Page 674: ...aterial and configuration files over correctly 13 Once the configuration for the cloned DRM instance is done the cloned DRM instance will be available for data recovery Follow the instructions in the next section to verify that the clone and the master Data Recovery Managers have been properly configured to work together Also it should be understood that any configurations made to a master DRM wil...

Page 675: ...tional 1 Go to the DRM agent page 2 Click List Requests 3 Select Show all requests from the pull down menu for Request type Select Show all requests from the pull down menu from Request status 4 Click Submit 5 Compare the results from the cloned DRM and the master DRM The results ought to be identical Cloned Master DRM Responder Conversion No configurable differences exist between a master DRM and...

Page 676: ...Cloning the Data Recovery Manager 676 Red Hat Certificate System Administrator s Guide September 2005 ...

Page 677: ...Components Security Audit FAU FAU_GEN 1 Audit data generation iteration 1 FAU_GEN 2 User identity association iteration 1 FAU_SAR 1 Audit Review FAU_SAR 3 Selectable audit review FAU_SEL 1 Selective audit iteration 1 FAU_STG 1 Protected audit trail storage iteration 1 FAU_STG 4 Prevention of audit data loss iteration 1 Cryptographic support FCS FCS_CKM 1 Cryptographic key generation FCS_CKM 4 Cryp...

Page 678: ...binding iteration 1 Security management FMT FMT_MOF 1 Management of security functions behavior iteration 1 FMT_MSA 1 Management of security attributes FMT_MSA 2 Secure security attributes FMT_MSA 3 Static attribute initialization FMT_MTD 1 Management of TSF data FMT_SMR 2 Restrictions on security roles Protection of the TSF FPT FPT_AMT 1 Abstract machine testing FPT_ITC 1 Inter TSF confidentialit...

Page 679: ... Additional Details Security Audit FAU_GEN 1 Audit data generation iteration 1 Any changes to the audit parameters e g audit frequency type of event audited Any attempt to delete the audit log Identification and Authentication FIA_ATD 1 User attribute definition Successful and unsuccessful attempts to assume a role FIA_AFL 1 Authentication failure handling The value of maximum authentication attem...

Page 680: ... the event and as specified in Table A 3 below FAU_SEL 1 Selective audit iteration 1 FAU_SEL 1 1 The IT environment shall be able to include or exclude auditable events from the set of audited events based on the following attributes a event type FAU_STG 1 Protected audit trail storage iteration 1 FAU_STG 1 1 The IT environment shall protect the stored audit records from unauthorized deletion FAU_...

Page 681: ...ess control iteration 1 FDP_ACC 1 1 The IT environment shall enforce the CIMC IT Environment Access Control Policy specified in CIMC TOE Access Control Policy on page 687 on users files and access to files FDP_ACF 1 Security attribute based access control iteration 1 FDP_ACF 1 1 The IT environment shall enforce the CIMC IT Environment Access Control Policy specified in CIMC TOE Access Control Poli...

Page 682: ... disclosure Identification and authentication FIA FIA_AFL 1 Authentication failure handling FIA_AFL 1 1 If authentication is not performed in a cryptographic module that has been FIPS 140 1 validated to an overall Level of 2 or higher with Level 3 or higher for Roles and Services the IT environment shall detect when an Administrator configurable maximum authentication attempts unsuccessful authent...

Page 683: ...ing on behalf of that user Security management FMT FMT_MOF 1 Management of security functions behavior iteration 1 FMT_MOF 1 1 The IT environment shall restrict the ability to modify the behavior of the functions listed in Table 4 to the authorized roles as specified in Table A 4 FMT_MSA 1 Management of security attributes Table A 4 Authorized Roles for Management of Security Functions Behavior Se...

Page 684: ...itial values to override the default values when an object or information is created FMT_MTD 1 Management of TSF data FMT_MTD 1 1 The IT environment shall restrict the ability to view read or delete the audit logs to Auditors FMT_SMR 2 Restrictions on security roles FMT_SMR 2 1 The IT environment shall maintain the roles Administrator Auditor and Officer FMT_SMR 2 2 The IT environment shall be abl...

Page 685: ...fication when it is transmitted between separate parts of the IT environment FPT_ITT 1 Basic internal TSF data transfer protection iteration 2 FPT_ITT 1 1 The IT environment shall protect confidential IT environment data from disclosure when it is transmitted between separate parts of the IT environment FPT_RVM 1 Non bypassability of the TSP iteration 1 FPT_RVM 1 1 Each operating system in the IT ...

Page 686: ...ed authentication technique e g an authentication code keyed hash or digital signature algorithm shall be applied to all security relevant software and firmware that can be externally loaded into the CIMC FPT_TST_CIMC 3 2 The IT environment shall verify the authentication code keyed hash or digital signature whenever the software or firmware is externally loaded into the CIMC If verification fails...

Page 687: ...he subject is authorized to assume 3 Type of access requested 4 Content of the access request and 5 Possession of a secret or private key if required Subject identification includes Individuals with different access authorizations Roles with different access authorizations Individuals assigned to one or more roles with different access authorizations Access type with explicit allow or deny Read Wr...

Page 688: ...Security Requirements for the IT Environment 688 Red Hat Certificate System Administrator s Guide September 2005 ...

Page 689: ...r contains the following sections PKI Overview Security Objectives TOE Security Environment Assumptions Security Requirements for the IT Environment IT Environment Assumptions CS Privileged Users and Groups Roles CS Common Criteria Environment Setup and Installation Guide PKI Overview For an overview of PKI see Appendix J Introduction to Public Key Cryptography Security Objectives For information ...

Page 690: ...fied Implement automated notification or other responses to the TSF discovered attacks in order to identify attacks and create an attack deterrent Require inspection for downloads Respond to possible loss of stored audit records Reliable Timestamp CS relies on the operating system to provide reliable timestamps To ensure that the certificates signed by the CA contain accurate timestamps and the au...

Page 691: ... keys are to be generated and stored in a FIPS 140 1 level 3 certified hardware cryptographic token The CS private asymmetric keys are Private key associated with the CA signing certificate Private key associated with the RA to CA SSL client certificate Private key associated with the OCSP Responder signing certificate Private key associated with the CA to DRM SSL client certificate Private key as...

Page 692: ...at maps to the user with the corresponding role i e authorization The following sections show the default roles that are created with each subsystem and the main privileges of each CA Administrators Can start stop the server from the command line Can perform all configuration management for CA unless assigned otherwise including the configuration of certificate profiles specifying the set of accep...

Page 693: ...n setting up the RA All communications between the RA and CA are then made through this special user with the RA s certificate over SSL client authentication and the Trusted Manager role authorization via Inter CIMC_boundary interface connectors RA Administrators Can start stop server from the command line Can perform all configuration management for the RA unless assigned otherwise including the ...

Page 694: ...ify tool from the IT environment Trusted Manager The Trusted Manager role is a special role that is not for privileged users It is created for inter CIMC_boundary communication The trust of this communication is established using the role authentication authorization mechanism Conceptually this role is not an actual privileged role that a user can be assigned to Rather the Trusted Manager role is ...

Page 695: ...m the IT environment About Roles Of all privileged roles supported by CS the Certificate Manager Agents role the Registration Manager Agents role and the DRM Agent Role are the ones that map directly to the Officer role defined in the ST and the CIMC PP The Online Certificate Status Manager Agents are a sub group of the Administrator role defined in the CIMC PP The following further specifies this...

Page 696: ... level description of the steps for setup installation and configuration of Red Hat CS in an IT environment of the kind described in IT Environment Assumptions on page 690 It gives administrators an idea of what s ahead before starting them on the exact setup steps involved in installation and setup CS Common Criteria Environment Setup and Installation Process Step by step instructions to install ...

Page 697: ...ained in the document CS Common Criteria Setup Procedure Understanding the Common Criteria Environment This section describes the environment before CS is installed and configured Secure Environment This section describes the secure environment you will be instructed to setup before installing and configuring CS Network Environment It is important to make sure that only those users that are part o...

Page 698: ...ample the user Joe cannot be both the CA Administrator and Agent for the same CA subsystem See CS Privileged Users and Groups Roles on page 692 for a description of the various CS privileged roles Who Needs to be Present During the installation and configuration the CS audit function is not operational so it is crucial that all CS roles be present to witness the installation and make necessary ope...

Page 699: ...m is installed You can set up the environment with all subsystems installed on the same host or with some or all subsystems on separate hosts but every host must have CS Configuring CS to Use Hardware Tokens You will be instructed to configure each CS installation to use a FIPS 140 1 Level 3 certified hardware token after installing CS on the host but before installing and configuring any subsyste...

Page 700: ... command line utilities however you should know when it s necessary to backup or restore a CS subsystem running in Common Criteria evaluated environment you should following the instructions for these utilities in the Backing Up and Restoring Data chapter of the CS Tools Guide and the instructions on how to sign and verify the data Note All secure information that needs encryption component secret...

Page 701: ...d certificates Using the remote startup plain text password cache password conf Using the administrative interface CS console in non SSL client authentication mode Cloning a Certificate Manager Connecting a Data Recovery Manager to a Registration Manager Running the internal database or any publishing LDAP database in non SSL client authentication mode Using the non profile Policy feature for enro...

Page 702: ...a certificate and the certificates for those role users will need to be stored with their role user entries It is recommended that you have the auditor role users administrator role users and agent role users use their hardware tokens to submit requests to the end entity interface of the Certificate Manager or Registration Manager that will process the request You can also configure new groups and...

Page 703: ...that only the CS CA RA administrators are allowed to configure the certificate enrollment profiles setting ranges for fields enabling extensions etc and it is the CS CA RA agents responsibility to approve the fields and extensions in the certificate profiles enabled by the Administrators You will be instructed on how to perform these operations See the Chapter 11 Certificate Profiles for complete ...

Page 704: ...turn on and configure any jobs that are provided by default If you want notifications to be sent be cautious on the email addresses you provide and make sure they belong to appropriate roles For complete information on jobs see Chapter 14 Automated Jobs Notifications Automated email notifications are event driven tasks that send out an email via SMTP when a specified event occurs You can set up an...

Page 705: ...r this Certificate Manager The first scenario involves setting up a user in the Certificate Manager for the Registration Manager This user is assigned to the trusted managers group and its certificate is stored in the database for the Certificate Manager You can then set up the Registration Manager to communicate with the Certificate Manager The second scenario involves setting up a user in the Da...

Page 706: ...ted to configure the Online Certificate Status Manager revocation store If you setup the Online Certificate Status Manager to use the ldapstore option the LDAP store you use must be configured for SSL authentication For complete information about the OCSP responder see Chapter 5 OCSP Responder Common Criteria Environment Setup Procedures Step by step instructions for installing and setting up CS i...

Page 707: ...ves including security objectives for the TOE security objectives for the environment and security objectives for both the TOE and environment 1 1 Security Objectives for the TOE This section includes the security objectives for the TOE divided among four categories authorized users system cryptography and external attacks 1 1 1 Authorized Users O Certificates The TSF must ensure that certificates...

Page 708: ...udiation Prevent user from avoiding accountability for sending a message by providing evidence that the user sent the message 1 1 4 External Attacks O Control unknown source communication traffic Control e g reroute or discard communication traffic from an unknown source to prevent potential damage 1 2 Security Objectives for the Environment This section specifies the security objectives for the e...

Page 709: ...security O Competent Administrators Operators Officers and Auditors Provide capable management of the TOE by assigning competent Administrators Operators Officers and Auditors to manage the TOE and the security of the information it contains O CPS All Administrators Operators Officers and Auditors shall be familiar with the certificate policy CP and the certification practices statement CPS under ...

Page 710: ...tasks that require a secure IT environment and information managed by the TOE O Lifecycle security Provide tools and techniques used during the development phase to ensure security is designed into the CIMC Detect and resolve flaws during the operational phase O Repair identified security flaws The vendor repairs security flaws that have been identified by a user 1 2 2 IT security objectives for t...

Page 711: ...n specifies the security objectives that are jointly addressed by the TOE and the environment O Configuration Management Implement a configuration management plan Implement configuration management to assure identification of system connectivity software hardware and firmware and components software hardware and firmware auditing of configuration data and controlling changes to configuration items...

Page 712: ...ty O Manage behavior of security functions Provide management functions to configure operate and maintain the security mechanisms O Object and data recovery free from malicious code Recover to a viable state after malicious code is introduced and damage occurs That state must be free from the original malicious code O Procedures for preventing malicious code Incorporate malicious code prevention p...

Page 713: ...nt functions and other security relevant configuration data to ensure they are consistent with organizational security policies O Time stamps Provide time stamps to ensure that the sequencing of events can be verified O User authorization management Manage and update user authorization and privilege data to ensure they are consistent with organizational security and personnel policies O React to d...

Page 714: ...1 3 Security Objectives for both the TOE and the Environment 714 Red Hat Certificate System Administrator s Guide September 2005 ...

Page 715: ...on Security Policies 1 1 Secure Usage Assumptions The usage assumptions are organized in three categories personnel assumptions about administrators and users of the system as well as any threat agents physical assumptions about the physical location of the TOE or any attached peripheral devices and connectivity assumptions about other IT systems that are necessary for the secure operation of the ...

Page 716: ...S under which the TOE is operated A Disposal of Authentication Data Proper disposal of authentication data and associated privileges is performed after access has been removed e g job termination change in responsibility A Malicious Code Not Signed Malicious code destined for the TOE is not signed by a trusted entity A Notify Authorities of Security Issues Administrators Operators Officers Auditor...

Page 717: ...by this CIMC to counter the perceived threats for the appropriate Security Level identified in this family of PPs This assumption has been copied directly from the CIMC PP In the context of this ST appropriate Security Level identified in this family of PPs reflects Security Level 3 as represented by this ST 1 2 Threats The threats are organized in four categories authorized users system cryptogra...

Page 718: ... of one or more system components results in the loss of system critical functionality T Malicious code exploitation An authorized user IT system or hacker downloads and executes malicious code which causes abnormal processes that violate the integrity availability or confidentiality of the system assets T Message content modification A hacker modifies information that is intercepted from a commun...

Page 719: ...s undetected access to a system due to missing weak and or incorrectly implemented access control causing potential violations of integrity confidentiality or availability T Hacker physical access A hacker physically interacts with the system to exploit vulnerabilities in the physical environment resulting in arbitrary security compromises T Social engineering A hacker uses social engineering tech...

Page 720: ...1 3 Organization Security Policies 720 Red Hat Certificate System Administrator s Guide September 2005 ...

Page 721: ...ge 721 Importing Certificate Chains Importing Certificates into Communicator on page 723 Importing Certificates into Red Hat Servers on page 724 Object Identifiers on page 724 Data Formats Red Hat products can accept certificates in several formats Although the format can vary the certificates themselves are X 509 version 1 2 or 3 Binary Formats The Red Hat certificate loader recognizes several bi...

Page 722: ... SEQUENCE OF Certificate This format allows multiple certificates to be downloaded at once See Importing Certificate Chains on page 722 for more information about handling multiple certificates Text Formats Any of the above binary formats can also be imported in text form The text form begins with the following line BEGIN CERTIFICATE Following this line is the certificate data which can be in any ...

Page 723: ...nd any subsequent certificates will be added as untrusted CA certificates to the local database application x x509 ca cert The certificate being downloaded represents a certificate authority When it is downloaded a sequence of dialogs guides the user through the process of accepting the Certificate Authority and deciding whether to trust sites certified by the CA If a certificate chain is being im...

Page 724: ...f certificate being imported is specified by the server administrator by selections made on the administration pages If a certificate chain is being imported then the first certificate in the chain must be the server or CA certificate and the server adds any subsequent certificates to the local database as untrusted CA certificates Object Identifiers The base of all Red Hat object IDs is redhat OB...

Page 725: ...Extensions Netscape Defined Certificate Extensions CA Certificates and Extension Interactions Introduction to Certificate Extensions An X 509 v3 certificate contains an extensions field that permits any number of additional fields to be added to the certificate Certificate extensions provide a way of adding information such as alternative subject names and usage restrictions to certificates Older ...

Page 726: ... possible to check a certificate s revocation status against a directory or with the original certificate authority it is useful for certificates to include information about where to check CRLs Eventually the X 509 v3 specification addressed many of these issues by amending the certificate format to include additional information within a certificate the version 3 format defines a general format ...

Page 727: ...rds These proposed standards further refine the X 509 v3 approach to extensions for use on the Internet The recommendations for certificates and CRLs have reached proposed standard status and are in a document often referred to as PKIX Part 1 Some explanations in this appendix also make reference to Abstract Syntax Notation One ASN 1 and Distinguished Encoding Rules DER These are specified in the ...

Page 728: ...9 v3 standard include the following Authority Key Identifier Extension an extension for identifying the certificate authority s public key the key used to sign the certificate Subject Key Identifier Extension an extension for identifying the subject s public key the key being certified Note that not all applications support certificates with version 3 extensions Applications that do support these ...

Page 729: ...E4 93 68 83 00 BB 4F C0 47 03 67 F1 30 79 43 08 1C 28 A8 97 70 40 CA 64 FA 9E 42 DF 35 3D 0E 75 C6 B9 F2 47 0B D5 CE 24 DD 0A F7 84 4E FA 16 29 3B 91 D3 EE 24 E9 AF F6 A1 49 E1 96 70 DE 6F B2 BE 3A 07 1A 0B FD FE 2F 75 FD F9 FC 63 69 36 B6 5B 09 C6 84 92 17 9C 3E 64 C3 C4 C9 Extensions Identifier Netscape Certificate Type 2 16 840 1 113730 1 1 Critical no Certificate Usage SSL CA Secure Email CA O...

Page 730: ...ons This section summarizes the extension types that are defined as part of the Internet X 509 Version 3 standard as of September 1998 and indicates which types are recommended by the PKIX working group This section summarizes important information about each certificate For complete details see both the X 509 v3 standard available from the ITU and the Internet X 509 Public Key Infrastructure Cert...

Page 731: ...od specifies by an OID the type and format of information about the issuer found at the accessLocation PKIX Part 1 defines one accessMethod id ad caIssuers to get a list of CAs that have issued certificates higher in the CA chain than the issuer of the certificate using the extension The accessLocation field then typically contains a URL indicating the location and protocol LDAP HTTP FTP used to r...

Page 732: ... issuer and serialNumber If this extension is not present then the issuer name alone is used to identify the issuer certificate PKIX Part 1 requires this extension for all certificates except self signed root CA certificates Where a key identifier has not been previously established PKIX recommends that the authorityCertIssuer and authorityCertSerialNumber fields be specified These fields permit c...

Page 733: ...ent See CA Certificates and Extension Interactions on page 749 regarding the interaction of the this extension with the Netscape Certificate Type extension CS Version Support Supported since CS 4 1 Refer to BasicConstraintsExt on page 493 certificatePolicies OID 2 5 29 32 Criticality This extension may be critical or noncritical Discussion The Certificate Policies extension defines one or more pol...

Page 734: ... Refer to CRLDistributionPointsExt on page 501 extKeyUsage OID 2 5 29 37 Criticality If this extension is marked critical the certificate must be used for one of the indicated purposes only If it is not marked critical it is treated as an advisory field that may be used to identify keys but does not restrict the use of the certificate to the indicated purposes Discussion The Extended Key Usage ext...

Page 735: ... Refer to ExtendedKeyUsageExt on page 503 issuerAltName OID 2 5 29 18 Table G 1 PKIX Extended Key Usage Extension Uses Use OID Server authentication 1 3 6 1 5 5 7 3 1 Client authentication 1 3 6 1 5 5 7 3 2 Code signing 1 3 6 1 5 5 7 3 3 Email 1 3 6 1 5 5 7 3 4 Timestamping 1 3 6 1 5 5 7 3 8 OCSP Signing 1 3 6 1 5 5 7 3 9 Table G 2 Private Extended Key Usage Extension Uses Use OID Certificate trus...

Page 736: ...ether to specify the purposes for which a certificate can be used For more information on interactions between these extensions in CA certificates see CA Certificates and Extension Interactions on page 749 If this extension is included at all set the bits as follows digitalSignature 0 for SSL client certificates S MIME signing certificates and object signing certificates nonRepudiation 1 for some ...

Page 737: ...ot critical all types of usage are allowed If the keyUsage extension is present critical or not it is used to select from multiple certificates for a given operation For example it is used to distinguish separate signing and encryption certificates for users who have separate certificates and key pairs for these operations CS Version Support Supported since CS 4 1 Refer to KeyUsageExt on page 513 ...

Page 738: ...responder since the reply would again be signed by the OCSP responder and the client would again request the validity status of the signing certificate This extension is null valued its meaning is determined by its presence or absence Since the presence of this extension in a certificate will cause OCSP clients to trust responses signed with that certificate use of this extension should be managed...

Page 739: ...is used in CA certificates only It lists one or more pairs of OIDs used to indicate that the corresponding policies of one CA are equivalent to policies of another CA It may be useful in the context of cross certification This extension may be supported by CAs and or applications CS Version Support Supported since CS 4 2 Refer to PolicyMappingsExt on page 532 privateKeyUsagePeriod OID 2 5 29 16 Di...

Page 740: ... for the relationship between this extension and the subject field Email addresses may be provided either in the Subject Alternative Name extension the certificate subject name field or both If the email address is provided as part of the subject name it must be in the form of the EmailAddress attribute defined by PKCS 9 Software that supports S MIME must be able to read an email address from eith...

Page 741: ... Authority Key Identifier extension of the certificate being verified should match the key identifier of the CA s Subject Key Identifier extension It is not necessary for the verifier to recompute the key identifier in this case PKIX Part 1 requires this extension for all CA certificates and recommends it for all other certificates CS Version Support Supported since CS 4 1 Refer to SubjectKeyIdent...

Page 742: ... examples in Sample Certificate Extensions on page 728 A flag or boolean field called critical The true or false value assigned to this field indicates whether the extension is critical true or noncritical false to the CRL If the extension is critical and the CRL is sent to an application that does not understand the extension based on the extension s ID the application must reject the CRL If the ...

Page 743: ...Extensions Identifier Authority Key Identifier Critical no Key Identifier 2c 22 c6 ae 4e 4b 91 c7 fb 4c cc ae 84 e8 aa 5b 46 6a a0 ad Revoked Certificates Serial Number 0x12 Revocation Date Tuesday December 15 1998 5 20 42 AM Extensions Identifier Revocation Reason 2 5 29 21 Critical no Reason Key_Compromise Serial Number 0x11 Revocation Date Wednesday December 16 1998 4 51 54 AM Extensions Identi...

Page 744: ...Ls The sections that follow describe the CRL extension types that are defined as part of the Internet X 509 v3 Public Key Infrastructure proposed standard as of September 1998 These are the CRL extensions described in the sections that follow authorityKeyIdentifier CRLNumber deltaCRLIndicator issuerAltName issuingDistributionPoint authorityKeyIdentifier OID 2 5 29 35 Discussion The Authority Key I...

Page 745: ... page 584 deltaCRLIndicator OID 2 5 29 27 Criticality PKIX requires that this extension be critical if it exists Discussion The Delta CRL Indicator extension identifies a delta CRL The use of delta CRLs allows changes to be added to the local database while ignoring unchanged information that is already in the local database This can significantly improve processing time for applications that stor...

Page 746: ...e extensions at issuerAltName CS Version Support Supported since CS 4 2 Refer to IssuerAlternativeName on page 587 issuingDistributionPoint OID 2 5 29 28 Criticality PKIX requires that this extension be critical if it exists Discussion The Issuing Distribution Point CRL extension identifies the CRL distribution point for a particular CRL and indicates what kinds of revocation it covers PKIX Part I...

Page 747: ...nstruction Code extension indicates the action to be taken after encountering a certificate that has been placed on hold CS Version Support Supported since CS 4 2 Refer to HoldInstruction on page 586 invalidityDate OID 2 5 29 24 Discussion The Invalidity Date extension provides the date on which the private key was compromised or that the certificate otherwise became invalid CS Version Support Sup...

Page 748: ... netscape cert type and netscape comment need to be supported to maintain compatibility with Navigator 3 x Therefore only these two Red Hat certificate extensions are described here netscape cert type OID 2 16 840 1 113730 1 Discussion The Netscape Certificate Type extension can be used to limit the purposes for which a certificate can be used It has been replaced by the X 509 v3 extensions extKey...

Page 749: ... basicConstraints extension as this is the standard way to identify a CA certificate In addition to ensure support for Navigator 3 x CAs should also use redhat cert type These two extensions can interact with each other The following table describes what different combinations of the two extensions mean Extensions Present Description Only basicConstraints The certificate is a CA certificate if the...

Page 750: ...ape cert type extension with one or more CA bits set or both as described above If CAs issue multiple certificates for the same identity for example for separate signing and encryption keys they must include the keyUsage extension in the subject certificates If CAs ever intend to generate new keys for their CA they must add the authorityKeyIdentifier extension to all subject certificates If the ke...

Page 751: ...certificate extension or a company s certificate practice statement OIDs are controlled by the International Standards Organization ISO registration authority In some cases this authority is delegated by ISO to regional registration authorities For example in the United States the American National Standards Institute ANSI manages this registration Registration of Object Identifiers To promote int...

Page 752: ...a company arc http www isi edu cgi bin iana enterprise pl To understand why you need to have a company arc check the information at this site http www alvestrand no objectid 2 16 840 1 113730 1 13 html The site contains information on Red Hat defined OID for an extension named Netscape Certificate Comment Note that the OID assigned to this extension is hierarchical and it includes the Red Hat comp...

Page 753: ...For the most part the information presented in this appendix is specific to Red Hat Directory Server an LDAP compliant directory What Is a Distinguished Name Distinguished names DNs are string representations that uniquely identify users systems and organizations In general DNs are used in LDAP compliant directories such as Red Hat Directory Server In Certificate System you use DNs to identify the...

Page 754: ...org rfc rfc2253 txt Note that if used in conjunction with an LDAP compliant directory Certificate System by default recognizes components that are listed in Table I 2 Table I 1 Definitions of standard DN components Component Name Definition CN Common name A required component that identifies the person or object defined by the entry For example CN Jane Doe CN corpDirectory example com E deprecated...

Page 755: ...the search base For example if you specify a base DN of OU people O example com for a client the LDAP search operation initiated by the client examines only the OU people subtree in the O example com directory tree L Locality Identifies the place where the entry resides The locality can be a city county township or other geographic region For example L Mountain View L Pacific Northwest L Anoka Cou...

Page 756: ...e Certificate System uses DN components in the certificate s subject name to construct the base DN so that it can search the directory in order to publish to or update the appropriate directory entry Typically when you configure Certificate System for LDAP publishing you set the base DN value to Directory Manager so that it can use the publishing directory s root entry to start searching see secti...

Page 757: ...IA5String 0 9 2342 19200300 100 1 2 25 SERIALNUMBER for CEP support Printable String 2 5 4 5 UNSTRUCTUREDNAME for CEP support IA5String 1 2 840 113549 1 9 2 UNSTRUCTUREDADDRESS for CEP support Printable String 1 2 840 113549 1 9 8 Table I 3 Explanation of character sets for DNs Value type Character set allowed Printable String A Z a z 0 9 space IA5String Any 7 bit US ASCII character Table I 2 Allo...

Page 758: ...String Representation of Distinguished Names see http www ietf org rfc rfc2253 txt Certificate System conforms to all of this standard including support of using hex numbers to escape characters The special characters are as follows They can be escaped by either a backslash before the character or by surrounding the value in double quotes A few examples are shown below Example Corp Ltd Example Cor...

Page 759: ... IA5String BMPString Universal String For example X500Name MY_ATTR oid 1 2 3 4 5 6 X500Name MY_ATTR class redhat security x509 DirStrConverter Adding New or Proprietary Attributes To add a new or proprietary attribute that s not supported by Certificate System by default 1 Stop the Certificate Manager 2 Go to this directory server_root cert instance_id config 3 Open the configuration file CS cfg i...

Page 760: ...ok for them in the subject name MYATTR1 a_value MYATTR2 a Value MYATTR3 aValue CN John Doe O Example Corporation 10 Go to the agent interface and approve your request 11 When you receive the certificate check the subject name The certificate should show the new attribute values in the subject name Adding Attributes to an Enrollment Form The steps below explain how to add an attribute or component ...

Page 761: ... Save your changes and close the file 5 Go to this directory server_root cert instance_id web apps ee 6 Open the CS funcs js file in a text editor 7 Find the line with form OU null or the component that the new component will follow and add the if block For example if the new component is DC and comes after OU you need to add the lines shown in bold if form OU null if OU value if doubleQuotes OU v...

Page 762: ...e value Changing the DER Encoding Order You can also change the DER encoding order of a DirectoryString The reason for allowing this to be configurable is that different clients support different encodings for historical reasons The syntax for changing the DER encoding order of a DirectoryString is as follows X500Name dirStringEncodingOrder encoding_list_separated_by_commas Possible encoding value...

Page 763: ... a UniversalString 9 Repeat Steps 6 through 8 above but use John Smith for CN this time The CN component of the subject name should be encoded as a PrintableString Role of Distinguished Names in Certificates In certificates issued by Certificate System DNs are used to identify the entity that owns the certificate In all cases if you are using Certificate System with a directory the format of the D...

Page 764: ...t of the certificate s subject to be corpDirectory example com If the CN component has a different value for example corpDir example com Navigator notifies the user that the certificate s subject name does not match the host name in the URL DNs in CA Certificates In CA certificates issued by Certificate System for both root and subordinate CAs DNs are used to identify the authority who owns the ce...

Page 765: ...U people O example com LDAP attributes cn Jane Doe LDAP attributes mail jdoe example com The subject name formulated will be as follows E jdoe example com CN Jane Doe OU people O example com C US E the first mail LDAP attribute value in user s entry CN the first cn LDAP attribute value in the user s entry OU the second ou value in the user s entry DN O the first o value in the user s entry DN C th...

Page 766: ...O example com C US CN the first cn LDAP attribute value in the user s entry followed by the second RDN in the user s entry DN O the first o value in the user s entry DN C the string US Example 4 If the configured DN pattern is CN attr cn OU dn ou 2 OU dn ou 1 O dn o C US LDAP entry dn UID jdoe OU IS OU people O example org LDAP attributes cn Jane Doe LDAP attributes mail jdoe example org The subje...

Page 767: ... communication over the Internet uses the Transmission Control Protocol Internet Protocol TCP IP TCP IP allows information to be sent from one computer to another through a variety of intermediate computers and separate networks before it reaches its destination The great flexibility of TCP IP has led to its worldwide acceptance as the basic Internet and intranet communications protocol At the sam...

Page 768: ...ly passes through their machines However many sensitive personal and business communications over the Internet require precautions that address the threats listed above Fortunately a set of well established techniques and standards known as public key cryptography make it relatively easy to take such precautions Public key cryptography facilitates the following tasks Encryption and decryption allo...

Page 769: ... are employed one for encryption and the other for decryption With most modern cryptography the ability to keep encrypted information secret is based not on the cryptographic algorithm which is widely known but on a number called a key that must be used with the algorithm to produce an encrypted result or to decrypt previously encrypted information Decryption with the correct key is simple Decrypt...

Page 770: ...r symmetric key Thus as long as the symmetric key is kept secret by the two parties using it to encrypt communications each party can be sure that it is communicating with the other as long as the decrypted messages continue to make sense Symmetric key encryption is effective only if the symmetric key is kept secret by the two parties involved If anyone else discovers the key it affects both confi...

Page 771: ...data with that person s public key and the person receiving the encrypted data decrypts it with the corresponding private key Compared with symmetric key encryption public key encryption requires more computation and is therefore not always appropriate for large amounts of data However it s possible to use public key encryption to send a symmetric key which can then be used to encrypt additional d...

Page 772: ...e nature of the mathematical problem on which it is based Other ciphers such as those used for symmetric key encryption can use all possible values for a key of a given length rather than a subset of those values Thus a 128 bit key for use with a symmetric key encryption cipher would provide stronger encryption than a 128 bit key for use with the RSA public key encryption cipher This difference ex...

Page 773: ...of encrypting the data itself the signing software creates a one way hash of the data then uses your private key to encrypt the hash The encrypted hash along with other information such as the hashing algorithm is known as a digital signature Figure J 3 shows a simplified view of the way a digital signature can be used to validate the integrity of signed data Figure J 3 Using a Digital Signature t...

Page 774: ...en signature Once you have signed some data it is difficult to deny doing so later assuming that the private key has not been compromised or out of the owner s control This quality of digital signatures provides a high degree of nonrepudiation that is digital signatures make it difficult for the signer to deny having signed the data In some situations a digital signature may be as legally binding ...

Page 775: ... procedures for that type of certificate to ensure that an entity requesting a certificate is in fact who it claims to be The certificate issued by the CA binds a particular public key to the name of the entity the certificate identifies such as the name of an employee or a server Certificates help prevent the use of fake public keys for impersonation Only the public key certified by the certifica...

Page 776: ...iation that is a digital signature makes it difficult for the signer to claim later not to have sent the email or the form Client authentication is an essential element of network security within most intranets or extranets The sections that follow contrast two forms of client authentication Password Based Authentication Almost all server software permits client authentication by means of a name a...

Page 777: ...ooks up the name and password in its local password database and if they match accepts them as evidence authenticating the user s identity 4 The server determines whether the identified user is permitted to access the requested resource and if so allows the client to access it With this arrangement the user must supply a new password for each server and the administrator must keep track of the nam...

Page 778: ... server has requested client authentication in the process of evaluating whether to grant access to the requested resource Figure J 5 Using a Certificate to Authenticate a Client to a Server Unlike the process shown in Figure J 4 the process shown in Figure J 5 requires the use of SSL Figure J 5 also assumes that the client has a valid certificate that can be used to identify the client to the ser...

Page 779: ...nst the signed data which is unique to the SSL session 3 The client sends both the user s certificate and the evidence the randomly generated piece of data that has been digitally signed across the network 4 The server uses the certificate and the evidence to authenticate the user s identity For a detailed discussion of the way this works see Appendix K Introduction to SSL 5 At this point the serv...

Page 780: ...at products Client SSL certificates Used to identify clients to servers via SSL client authentication Typically the identity of the client is assumed to be the same as the identity of a human being such as an employee in an enterprise See Certificate Based Authentication which begins on page 778 for a description of the way client SSL certificates are used for client authentication Client SSL cert...

Page 781: ...mail and client SSL authentication but not encrypted email Another company issues S MIME certificates solely for the purpose of both signing and encrypting email that deals with sensitive financial or legal matters Object signing certificates Used to identify signers of Java code JavaScript scripts or other signed files For more information see Object Signing which begins on page 784 Example A sof...

Page 782: ...ntication over SSL and how it differs from password based authentication see Authentication Confirms an Identity which begins on page 775 For more detailed information about SSL see Appendix K Introduction to SSL Signed and Encrypted Email Some email programs including Messenger which is part of Communicator support digitally signed and encrypted email using a widely accepted protocol known as Sec...

Page 783: ...orm signing a dialog box appears that displays the exact text to be signed The form designer can either specify the certificate that should be used or allow the user to select a certificate from among the client SSL and S MIME certificates that are installed in Communicator When the user clicks OK the text is signed and both the text and the digital signature are submitted to the server The server...

Page 784: ...ed object signing Object signing uses standard techniques of public key cryptography to let users get reliable information about code they download in much the same way they can get reliable information about shrink wrapped software Most importantly object signing helps users and network administrators implement decisions about software distributed over intranets or the Internet for example whethe...

Page 785: ...he Lightweight Directory Access Protocol LDAP The rules governing the construction of DNs can be quite complex and are beyond the scope of this document For comprehensive information about DNs see A String Representation of Distinguished Names at the following URL http www ietf org rfc rfc1485 txt A Typical Certificate Every X 509 certificate consists of two sections The data section includes the ...

Page 786: ...cates the type of certificate that is whether it is a client SSL certificate a server SSL certificate a certificate for signing email and so on Certificate extensions can also be used for a variety of other purposes The signature section includes the following information The cryptographic algorithm or cipher used by the issuing CA to create its own digital signature For more information about cip...

Page 787: ...98 ce 7f 47 50 2c 93 36 7c 01 6e cb 89 06 41 72 b5 e9 73 49 38 76 ef b6 8f ac 49 bb 63 0f 9b ff 16 2a e3 0e 9d 3b af ce 9a 3e 48 65 de 96 61 d5 0a 11 2a a2 80 b0 7d d8 99 cb 0c 99 34 c9 ab 25 06 a8 31 ad 8c 4b aa 54 91 f4 15 Public Exponent 65537 0x10001 Extensions Identifier Certificate Type Critical no Certified Usage SSL Client Identifier Authority Key Identifier Critical no Key Identifier f2 f...

Page 788: ... certificate to be part of a chain of CA certificates each issued by the CA above it in a certificate hierarchy The sections that follow explains how certificate hierarchies and certificate chains determine what certificates software can trust CA Hierarchies Certificate Chains Verifying a Certificate Chain BEGIN CERTIFICATE MIICKzCCAZSgAwIBAgIBAzANBgkqhkiG9w0BAQQFADA3MQswCQYDVQQGEwJVUzER MA8GA1UEC...

Page 789: ...ponsibilities to subordinate CAs The X 509 standard includes a model for setting up a hierarchy of CAs like that shown in Figure J 6 Figure J 6 Example of a Hierarchy of Certificate Authorities In this model the root CA is at the top of the hierarchy The root CA s certificate is a self signed certificate that is the certificate is digitally signed by the same entity the root CA that the certificat...

Page 790: ...ntity through two subordinate CA certificates to the CA certificate for the root CA based on the CA hierarchy shown in Figure J 6 Figure J 7 Example of a Certificate Chain A certificate chain traces a path of certificates from a branch in the hierarchy to the root of the hierarchy In a certificate chain the following occur Each certificate is followed by the certificate of its issuer Each certific...

Page 791: ...ed Hat software uses the following procedure for forming and verifying a certificate chain starting with the certificate being presented for authentication 1 The certificate validity period is checked against the current time provided by the verifier s system clock 2 The issuer s certificate is located The source can be either the verifier s local certificate database on that client or server or t...

Page 792: ...ficate Chain All the Way to the Root CA Figure J 8 shows what happens when only Root CA is included in the verifier s local database If a certificate for one of the intermediate CAs shown in Figure J 8 such as Engineering CA is found in the verifier s local database verification stops with that certificate as shown in Figure J 9 ...

Page 793: ...te CA Expired validity dates an invalid signature or the absence of a certificate for the issuing CA at any point in the certificate chain causes authentication to fail For example Figure J 10 shows how verification fails if neither the Root CA certificate nor any of the intermediate CA certificates are included in the verifier s local database ...

Page 794: ...ication process in the context of SSL client and server authentication see Appendix K Introduction to SSL Managing Certificates The set of standards and services that facilitate the use of public key cryptography and X 509 v3 certificates in a network environment is called the public key infrastructure PKI PKI management is complex topic beyond the scope of this document The sections that follow i...

Page 795: ...ents are much more stringent If you live in some other state or country the requirements for various kinds of licenses will differ Similarly different CAs have different procedures for issuing different kinds of certificates In some cases the only requirement may be your email address In other cases your UNIX or NT login and password may be sufficient At the other end of the scale for certificates...

Page 796: ...ate management solution Key Management Before a certificate can be issued the public key it contains and the corresponding private key must be generated Sometimes it may be useful to issue a single person one certificate and key pair for signing operations and another certificate and key pair for encryption operations Separate signing and encryption certificates make it possible to keep the privat...

Page 797: ...tomatically removed from the directory and subsequent authentication attempts with that certificate will fail even though the certificate remains valid in every other respect Another approach involves publishing a certificate revocation list CRL that is a list of revoked certificates to the directory at regular intervals and checking the list as part of the authentication process For some organiza...

Page 798: ...eceiving end entity requests authenticating them and forwarding them to the CA After receiving a response from the CA the RA notifies the end entity of the results RAs can be helpful in scaling an PKI across different departments geographical areas or other operational units with varying policies and authentication requirements ...

Page 799: ...ocol in future versions This document is primarily intended for administrators of Red Hat server products but the information it contains may also be useful for developers of applications that support SSL The document assumes that you are familiar with the basic concepts of public key cryptography as summarized in Appendix J Introduction to Public Key Cryptography The SSL Protocol The Transmission...

Page 800: ...e important if the user for example is sending a credit card number over the network and wants to check the receiving server s identity SSL client authentication allows a server to confirm a user s identity Using the same techniques as those used for server authentication SSL enabled server software can check that a client s certificate and public ID are valid and have been issued by a certificate...

Page 801: ...s and establishing session keys Clients and servers may support different cipher suites or sets of ciphers depending on factors such as the version of SSL they support company policies regarding acceptable encryption strength and government restrictions on export of SSL enabled software Among its other functions the SSL handshake protocol determines how the server and client negotiate which cipher...

Page 802: ...th an international server or client it will negotiate the use of those ciphers that are permitted under U S export regulations However since 40 bit ciphers can be broken relatively quickly administrators whose user communities can use stronger ciphers without violating export restrictions should disable the 40 bit ciphers if they are concerned about access to data by eavesdroppers RC4 with 128 bi...

Page 803: ...ciphers have 128 bit encryption they are the second strongest next to Triple DES Data Encryption Standard with 168 bit encryption RC4 and RC2 128 bit encryption permits approximately 3 4 1038 possible keys making them very difficult to crack RC4 ciphers are the fastest of the supported ciphers Both SSL 2 0 and SSL 3 0 support this cipher suite Red Hat Console supports only the SSL 3 0 version of t...

Page 804: ...the supported ciphers Both SSL 2 0 and SSL 3 0 support this cipher Red Hat Console supports only the SSL 3 0 version of this cipher suite RC2 With 40 Bit Encryption and MD5 Message Authentication RC2 40 bit encryption permits approximately 1 1 1012 a trillion possible keys RC2 ciphers are slower than the RC4 ciphers Both SSL 2 0 and SSL 3 0 support this cipher Red Hat Console supports only the SSL...

Page 805: ...ication this cipher is one of the second strongest ciphers after Triple DES It permits approximately 3 4 1038 possible keys making it very difficult to crack This cipher suite is supported by SSL 3 0 but not by SSL 2 0 RC4 With SKIPJACK 80 Bit Encryption and SHA 1 Message Authentication The SKIPJACK cipher is a classified symmetric key cryptographic algorithm implemented in Fortezza compliant hard...

Page 806: ...blem and informed that an encrypted and authenticated connection cannot be established If the server can be successfully authenticated the client goes on to Step 4 4 Using all data generated in the handshake so far the client with the cooperation of the server depending on the cipher being used creates the premaster secret for the session encrypts it with the server s public key obtained from the ...

Page 807: ...it with the other key In the case of server authentication the client encrypts the premaster secret with the server s public key Only the corresponding private key can correctly decrypt the secret so the client has some assurance that the identity associated with the public key is in fact the server with which the client is connected Otherwise the server cannot decrypt the premaster secret and can...

Page 808: ...o support this requirement which provides some assurance of the server s identity and thus helps protect against a form of security attack known as man in the middle Figure K 2 Authentication of a Client Certificate An SSL enabled client goes through these steps to authenticate a server s identity 1 Is today s date within the validity period The client checks the server certificate s validity peri...

Page 809: ...icate is valid It is the client s responsibility to take Step 4 before Step 5 4 Does the domain name in the server s certificate match the domain name of the server itself This step confirms that the server is actually located at the same network address specified by the domain name in the server certificate Although step 4 is not technically part of the SSL protocol it provides the only protectio...

Page 810: ...ain name in the server certificate corresponds to the domain name of the server with which a client is attempting to communicate in addition to checking the validity of the certificate by performing the other steps described in Server Authentication Client Authentication SSL enabled servers can be configured to require client authentication or cryptographic validation by the server of the client s...

Page 811: ...ublic key in the certificate If so the server has established that the public key asserted to belong to John Doe matches the private key used to create the signature and that the data has not been tampered with since it was signed At this point however the binding between the public key and the DN specified in the certificate has not yet been established The certificate might have been created by ...

Page 812: ...d since it was signed by the CA or if the public key in the CA certificate doesn t correspond to the private key used by the CA to sign the certificate the server won t authenticate the user s identity If the CA s digital signature can be validated the server treats the user s certificate as a valid letter of introduction from that CA and proceeds At this point the SSL protocol allows the server t...

Page 813: ... rules to be evaluated when a server receives a request for access to a particular resource See access control instructions ACI administrator The person who installs and configures one or more CS managers and sets up privileged users or agents for them See also agent agent A user who belongs to a group authorized to manage agent services for a CS manager See also Certificate Manager agent Registra...

Page 814: ...dule A set of rules implemented as a Java class for authenticating an end entity agent administrator or any other entity that needs to interact with a CS manager In the case of typical end user enrollment after the user has supplied the information requested by the enrollment form the enrollment servlet uses an authentication module associated with that form to validate the information and authent...

Page 815: ...trusted by other entities enrolled in the PKI certificate authority CA A trusted entity that issues a certificate after verifying the identity of the person or entity the certificate is intended to identify A CA also renews and revokes certificates and generates CRLs The entity named in the issuer field of a certificate is always a CA Certificate authorities can be independent third parties or a p...

Page 816: ...ingle character the same function produces a different number Certificate fingerprints can therefore be used to verify that certificates have not been tampered with Certificate Management Messages over Cryptographic Message Syntax CMC Message format used to convey a request for a certificate to a Registration Manager or Certificate Manager A proposed standard from the Internet Engineering Task For...

Page 817: ... certificates by serial number generated and signed by a certificate authority CA chain of trust See certificate chain chained CA See linked CA cipher See cryptographic algorithm client authentication The process of identifying a client to a server for example with a name and password or with a certificate and some digitally signed data See certificate based authentication password based authentic...

Page 818: ...s to form a circle of trust The two CAs issue certificates to each other and then store both cross pair certificates as a certificate pair CRMF See Certificate Request Message Format CRMF cross certification The exchange of certificates by two CAs in different certification hierarchies or chains Cross certification extends the chain of trust so that it encompasses both hierarchies See also certifi...

Page 819: ...ntity s encryption key after it has been decrypted with the Data Recovery Manager s private transport key The storage key never leaves the Data Recovery Manager Data Recovery Manager transport certificate Certifies the public key used by an end entity to encrypt the entity s encryption key for transport to the Data Recovery Manager The Data Recovery Manager uses the private key corresponding to th...

Page 820: ...sed for CRLs to define a set of certificates Each distribution point is defined by a set of certificates that are issued A CRL can be created for a particular distribution point distinguished name DN A series of AVAs that identify the subject of a certificate See attribute value assertion AVA DSA See Digital Signature Algorithm DSA dual key pair Two public private key pairs four keys altogether co...

Page 821: ... of systems that enforces a boundary between two or more networks impersonation The act of posing as the intended recipient of information sent over a network Impersonation can take two forms spoofing and misrepresentation input In the context of the certificate profile feature it defines the enrollment form for a particular certificate profile You set up each input which then dynamically creates ...

Page 822: ...th use during an SSL session Key Exchange Algorithm KEA An algorithm used for key exchange by the US Government Lightweight Directory Access Protocol LDAP A directory service protocol designed to run over TCP IP and across multiple platforms LDAP is a simplified version of Directory Access Protocol DAP used to access X 500 directories LDAP is under IETF change control and has evolved to meet Inter...

Page 823: ...nd of file and allows users to identify the signers and control access by signed code to local system resources object signing certificate A certificate whose associated private key is used to sign objects using the technology known as object signing OCSP Online Certificate Status Protocol one way hash A number of fixed length generated from data of arbitrary length with the aid of a hashing algor...

Page 824: ...e to be issued private key One of a pair of keys used in public key cryptography The private key is kept secret and is used to decrypt data encrypted with the corresponding public key proof of Archival POA Data signed with the private Data Recovery Manager transport key that contains information about an archived end entity key including key serial number name of the Data Recovery Manager subject ...

Page 825: ... to process requests and approve them either manually that is with the aid of a human being or automatically based entirely on customizable policies and procedures After the Registration Manager approves requests it typically forwards them to the Certificate Manager which processes them and returns the issued certificates to the Registration Manager The Registration Manager then distributes the ce...

Page 826: ...handles a particular kind of interaction with end entities on behalf of a CS manager For example certificate enrollment renewal revocation and key recovery requests are each handled by separate servlets SHA 1 Secure Hash Algorithm a hash function used by the US Government signature algorithm A cryptographic algorithm used to create digital signatures Certificate System supports the MD5 and SHA 1 s...

Page 827: ...ontains a microprocessor and is capable of storing cryptographic information such as keys and certificates and performing cryptographic operations Smart cards implement some or all of the PKCS 11 interface spoofing The act of pretending to be someone else For example a person can pretend to have the email address jdoe example com or a computer can identify itself as a site called www redhat com wh...

Page 828: ...on or other entity In a public key infrastructure PKI trust refers to the relationship between the user of a certificate and the certificate authority CA that issued the certificate If you trust a CA you can generally trust valid certificates issued by that CA virtual private network VPN A way of connecting geographically distant divisions of an enterprise The VPN allows the divisions to communica...

Page 829: ...eting 333 modifying group membership 332 port used for operations 277 See also ports tools provided CMS console 239 Netscape Console 237 Agent Services interface URL for 277 AgentDirEnrollment instance 389 agents authorizing remote key recovery 195 deleting 333 enrolling users in person 390 572 modifying group membership 332 port used for operations 277 See also ports role defined 316 setting up a...

Page 830: ...rust settings of 286 deleting 285 getting a new one 289 303 nickname 80 renewing 289 viewing details of 286 CEP 63 CEP enrollment 395 setting up multiple services 398 certificate chains installing in the certificate database 299 why you should install 288 certificate database how to manage 285 what it contains 285 where it s maintained 285 Certificate Database tool 303 Certificate Enrollment Proto...

Page 831: ...talling 721 724 issuing of 795 and LDAP Directory 796 management formats and protocols 64 object signing 781 publishing to files 595 publishing to LDAP directory required schema 633 overview of renewal 797 revocation reasons 575 revoking 797 S MIME 781 self signed 789 serial numbers what to do when a CA exhausts all 110 verifying a certificate chain 791 X 509 specification 64 changing CMS instance...

Page 832: ...r 584 CRLReason 436 584 585 HoldInstruction 586 InvalidityDate 587 IssuerAlternativeName 587 IssuingDistributionPoint 589 CRL publisher 608 CRL signing certificate 575 nickname 312 cRLDistributionPoints 733 CRLNumber 745 CRLs Certificate Manager support for 34 defined 574 extensions for 744 extension specific modules 741 issuing or distribution points 577 publishing of 574 publishing to files 595 ...

Page 833: ...d entity certificates 763 root DN 755 DN character support in CMS 756 DN components mapper 617 documentation conventions followed 26 downloading certificates 721 724 DSA 82 132 165 206 E email resolver 545 email signed and encrypted 782 encrypted file system EFS 435 504 encryption defined 769 public key 771 symmetric key 770 end entities port used for operations 277 See also ports end entity certi...

Page 834: ...ncing 643 failover architecture 642 file based publisher 606 FIPS PUBS 140 1 64 flush interval for logs 259 fonts used in this book 26 form signing defined 783 G getting new certificates for subsystems 303 groups changing members 332 H hardware accelerators 309 hardware tokens See external tokens HashAuth authentication plug in 389 high availability 641 holdInstructionCode 747 host name for mail s...

Page 835: ... 132 165 206 key recovery 192 designated agents See key recovery agents how to set up 224 interface for agents 194 local vs remote 194 key recovery agents passwords 193 significance 193 when specified the first time 193 responsibilities 193 role defined 193 KEYGEN tag 64 keys defined 769 management and recovery 796 keyUsage 736 L LDAP 64 LDAP publishing defined 596 manual updates 636 when to do 63...

Page 836: ...le how to launch 237 introduction 237 relationship to Administration Server 236 viewing CMS instance information 240 netscape cert type 748 nickname for CA signing certificate 80 for CRL signing certificate 312 for OCSP signing certificate 81 for signing certificate 130 162 for SSL server certificate 81 130 162 204 for transport certificate 204 for wTLS signing certificate 80 notifications configu...

Page 837: ...ific modules 726 how to write custom plug ins 489 managing 471 managing from CMS window 471 processor 464 how it applies rules 464 JavaScript 474 result of processing 464 when used 464 what can you use it for 462 policy modules deleting 542 registering new ones 541 policy rules adding new 472 defined 463 deleting 472 how policy processor applies them 464 naming convention 472 predicates in 465 reo...

Page 838: ...egistration Manager Certificate Manager and 50 51 Certificate Manager and Data Recovery Manager and 53 55 configuring to use separate SSL server certificates 310 key pairs and certificates getting new ones 303 remote admin server certificate 203 signing certificate 130 SSL server certificate 130 specifying IP address for 280 Remote admin server certificate 203 Remove Basic Constraints extension po...

Page 839: ...ment System from the command line 246 Netscape Console 237 Status tab 239 storage key pair 204 secret sharing 193 subjectAltName 740 subjectDirectoryAttributes 740 subjectKeyIdentifier 741 subordinate CA 31 support for DN characters in CMS 756 T Tasks tab 239 tasks you can accomplish 239 TCP IP defined 767 templates for notifications 549 565 timing log rotation 260 Token KeyService TKS 232 Token M...

Page 840: ...ng CMS instance information 240 VPN clients getting certificates for 395 W when the server was installed 241 why should you revoke certificates 575 wireless CA certificate 86 91 wireless certificates 86 91 wizard See Certificate Setup Wizard writing policies in JavaScript 474 wTLS CA signing certificate 80 nickname 80 wTLS certificates 86 91 X X 509 certificates 64 ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands