manualshive.com logo in svg

Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE, Administration Manual, Page: 172 / 512

Share
Download
Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE Administration Manual Download Page 172

Chapter 7. Token Processing System

152

To perform different operations under different policies.

 The TPS can route its jobs to different

subsystem instances when there are different types of tokens or operations. For example,
enrollment requests for temporary tokens can be sent to one CA with one set of policies while
enrollments for regular tokens are sent to a different CA. This is described in 

Section 7.1.2,

“Configuring Multiple Instances for Different Functions”

.

7.1.1. Configuring Failover Support

The subsystem instance to which the TPS connects is set in the 

conn.

subsystem#

.hostport

parameter of the 

CS.cfg

 configuration file. For example, the CA instance is set in the following

parameter:

conn.ca1.hostport=aCA.example.com:9443

To configure failover support, list multiple instances in the 

conn.

subsystem#

.hostport

 parameter,

separated by spaces. For example:

conn.ca1.hostport=aCA.example.com:9443 bCA.example.com:9543 cCA.example.com:9643

For failover support to be properly configured, all of the subsystem instances must have the same
policies and configuration; this means all of the subsystems must be clones. For example, if the TPS
is configured to communicate with three CAs, the three CAs must be clones of each other. This means
that the values of the other configuration parameters are the same between the instances.

The CA configuration parameters are listed in 

Table 7.2, “CA Connection Settings”

. The TKS

configuration parameters are listed in 

Table 7.3, “TKS Connection Settings”

. The DRM configuration

parameters are listed in 

Table 7.4, “DRM Connection Settings”

.

7.1.2. Configuring Multiple Instances for Different Functions

Along with configuring multiple instances for failover support, the TPS can be configured to use
multiple instances of a subsystem to perform different functions for different TPS profiles. For instance,
the TPS can be configured to use CA1 to enroll temporary tokens (type 

userKeyTemporary

) and

CA2 to enroll regular tokens (type 

userKey

).

1. Open the TPS 

CS.cfg

 file.

2. Create additional instance entries.

Each subsystem configured for the TPS has its own set of parameters, beginning with

conn.

subsystem#

. To configure multiple instances of a subsystem, create a new set of

connection parameters, and increment the 

#

. For example:

conn.ca1.clientNickname=subsystemCert cert-rhpki-tps
conn.ca1.hostport=aCA.example.com:9443
conn.ca1.keepAlive=true
conn.ca1.retryConnect=3
conn.ca1.servlet.enrollment=/ca/ee/ca/profileSubmitSSLClient
conn.ca1.servlet.revoke=/ca/subsystem/ca/doRevoke
conn.ca1.servlet.unrevoke=/ca/subsystem/ca/doUnrevoke
conn.ca1.timeout=100

conn.ca2.clientNickname=subsystemCert cert-rhpki-tps
conn.ca2.hostport=bCA.example.com:9543

Summary of Contents for CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Page 1: ...Red Hat Certificate System 7 2 Administration Guide Publication date November 6 2006 and updated on August 25 2009 ...

Page 2: ...est extent permitted by applicable law Red Hat Red Hat Enterprise Linux the Shadowman logo JBoss MetaMatrix Fedora the Infinity Logo and RHCE are trademarks of Red Hat Inc registered in the United States and other countries Linux is the registered trademark of Linus Torvalds in the United States and other countries All other trademarks are the property of their respective owners 1801 Varsity Drive...

Page 3: ...ators 5 1 1 17 Support for Open Standards 6 1 1 18 Java SDK Extension Mechanism for Customization 6 1 2 How the Certificate System Works 7 1 2 1 About the Certificate Manager 7 1 2 2 How the Certificate Manager Works 9 1 2 3 Data Recovery Manager 11 1 2 4 Online Certificate Status Manager 11 1 2 5 Token Key Service 12 1 2 6 Token Processing System 12 1 3 Deployment Scenarios 12 1 3 1 Single Certif...

Page 4: ...nternal Database Panel 39 2 4 9 Key Store Panel 40 2 4 10 Key Pairs Panel 41 2 4 11 Subject Names Panel 42 2 4 12 Requests and Certificates Panel 43 2 4 13 Export Keys and Certificates Panel 44 2 4 14 Administrator Panel 45 2 5 Installing the Certificate System 46 2 5 1 Installing from an ISO Image 46 2 5 2 Installing through up2date 48 2 6 Configuring the Default Subsystem Instances 48 2 6 1 Conf...

Page 5: ...Buffered Versus Unbuffered Logging 80 3 9 5 Log File Rotation 80 3 9 6 Configuring Logs in the Console 81 3 9 7 Configuring Logs in the CS cfg File 82 3 9 8 Configuring TPS Logs 83 3 9 9 Monitoring Logs 84 3 9 10 Signing Log Files 85 3 9 11 Registering a Log Module 86 3 9 12 Deleting a Log Module 86 3 9 13 Signed Audit Log 86 3 10 Self Tests 90 3 10 1 Self Test Logging 91 3 10 2 Self Test Configur...

Page 6: ...CSP Services 126 5 2 1 The Certificate Manager s Internal OCSP Service 126 5 2 2 Online Certificate Status Manager 126 5 3 Online Certificate Status Manager Certificates 127 5 3 1 OCSP Signing Key Pair and Certificate 127 5 3 2 SSL Server Key Pair and Certificate 127 5 3 3 Recognizing Online Certificate Status Manager Certificates 128 5 4 Configuring the Online Certificate Status Manager 128 5 5 C...

Page 7: ...r Side Key Generation and Archival of Encryption Keys 157 7 5 3 Smart Card Certificate Enrollment Profiles 159 7 5 4 Automating Encryption Key Recovery 159 7 5 5 Configuring Symmetric Key Changeover 161 7 5 6 Setting Token Types for Specified Smart Cards 163 7 6 Configuring LDAP Authentication 165 7 7 Token Database 166 7 8 Configuring TPS Logging 166 7 8 1 Thread Correlation 166 7 9 TPS Configura...

Page 8: ...1 Viewing Tokens 234 11 3 2 Changing a Token s Password 234 11 4 Detecting Tokens 234 11 5 Hardware Cryptographic Accelerators 235 12 Certificate Profiles 237 12 1 About Certificate Profiles 237 12 2 How Certificate Profiles Work 238 12 3 Setting up Certificate Profiles 239 12 3 1 Modifying Certificate Profiles through the CA Console 239 12 3 2 Modifying Certificate Profiles through the Command Li...

Page 9: ...ject Name Default 279 12 7 22 User Supplied Extension Default 279 12 7 23 User Supplied Key Default 280 12 7 24 User Signing Algorithm Default 281 12 7 25 User Supplied Subject Name Default 281 12 7 26 User Supplied Validity Default 281 12 7 27 Validity Default 281 12 8 Constraints Reference 282 12 8 1 Basic Constraints Extension Constraint 282 12 8 2 Extended Key Usage Extension Constraint 283 12...

Page 10: ... Modifying Publishing Rules for Certificates and CRLs 317 14 6 Enabling Publishing 321 14 6 1 Publishing Cross Pair Certificates 323 14 7 Testing Publishing to Files 323 14 8 Viewing Certificates and CRLs Published to File 325 14 9 Configuring the Directory for LDAP Publishing 325 14 9 1 Schema 325 14 9 2 Entry for the CA 326 14 9 3 Bind DN 327 14 9 4 Directory Authentication Method 327 14 10 Upda...

Page 11: ... 16 6 2 Access Control Instructions ACIs 367 16 6 3 Changing Privileges 367 16 6 4 How ACIs Are Formed 367 16 6 5 Editing ACLs 370 16 7 ACL Reference 372 16 7 1 certServer acl configuration 372 16 7 2 certServer admin certificate 373 16 7 3 certServer admin request enrollment 373 16 7 4 certServer auth configuration 374 16 7 5 certServer ca certificate 374 16 7 6 certServer ca certificates 375 16 ...

Page 12: ... certServer ocsp ca 392 16 7 49 certServer ocsp cas 392 16 7 50 certServer ocsp certificate 392 16 7 51 certServer ocsp configuration 393 16 7 52 certServer ocsp crl 393 16 7 53 certServer profile configuration 393 16 7 54 certServer publisher configuration 394 16 7 55 certServer registry configuration 395 16 7 56 certServer usrgrp administration 395 17 Automated Notifications 397 17 1 About Autom...

Page 13: ... A 1 Introduction to Certificate Extensions 425 A 1 1 Structure of Certificate Extensions 426 A 1 2 Sample Certificate Extensions 427 A 2 Note on Object Identifiers 428 A 3 Standard X 509 v3 Certificate Extensions 429 A 3 1 authorityInfoAccess 429 A 3 2 The authorityKeyIdentifier 430 A 3 3 basicConstraints 431 A 3 4 certificatePolicies 431 A 3 5 CRLDistributionPoints 431 A 3 6 extKeyUsage 432 A 3 ...

Page 14: ...d Authentication 453 B 4 1 A Certificate Identifies Someone or Something 453 B 4 2 Authentication Confirms an Identity 454 B 4 3 How Certificates Are Used 457 B 4 4 Single Sign on 459 B 4 5 Contents of a Certificate 460 B 4 6 How CA Certificates Establish Trust 462 B 5 Managing Certificates 467 B 5 1 Issuing Certificates 467 B 5 2 Certificates and the LDAP Directory 468 B 5 3 Key Management 468 B ...

Page 15: ... private keys and symmetric keys Significance of key lengths Digital signatures Digital certificates including different types of digital certificates The role of digital certificates in a public key infrastructure PKI Certificate hierarchies LDAP and Red Hat Directory Server Public key cryptography and the Secure Sockets Layer SSL protocol including the following SSL cipher suites The purpose of ...

Page 16: ...aging user certificates using smart cards Chapter 12 Certificate Profiles provides information and procedures for configuring profiles Chapter 13 Revocation and CRLs provides information and procedures for configuring CRLs and revoking certificates Chapter 14 Publishing provides information and procedures for publishing certificates Chapter 16 User and Group Authorization provides information and ...

Page 17: ...o disable SASL which OpenLDAP tools use by default Certain words are represented in different fonts styles and weights Different character formatting is used to indicate the function or purpose of the phrase being highlighted Formatting Style Purpose Monospace font Monospace is used for commands package names files and directory paths and any text displayed in a prompt Monospace with a background ...

Page 18: ...orm agent operations for the CA RA DRM and TPS subsystems through the Certificate System agent services interfaces Certificate System Command Line Tools Guide covers the command line scripts supplied with Red Hat Certificate System Managing Smart Cards with the Enterprise Security Client explains how to install configure and use the Enterprise Security Client the user client application for managi...

Page 19: ...references to certificate renewal per Bugzilla 325361 and 433360 Corrected error about custom logs per Bugzilla 449847 Minor edits for the term policy per Bugzilla 472598 Revision 7 2 6 February 27 2009 Ella Deon Lackey dlackey redhat com Removed incorrect note about useing certutil to process a certificate request per Bugzilla 241972 Revision 7 2 5 February 22 2009 Ella Deon Lackey dlackey redhat...

Page 20: ...8 Ella Deon Lackey dlackey redhat com Changes to the User Supplied Extension Default section for Erratum RHSA 2008 0500 Corrected TPS logging levels and clarified the log levels section per Bugzilla 248370 Clarified regular expression description Corrected TPS delimiter example per Bugzilla 246031 Corrected uninstall example per Bugzilla 224453 Removed references to DSA and changed them to RSA per...

Page 21: ...er is an optional subsystem that provides OCSP responder services which means it stored CRLs for CAs and can distribute the load for verifying certificate status See Chapter 5 Online Certificate Status Protocol Responder for details The Data Recovery Manager DRM is an optional subsystem that provides private encryption key storage and retrieval See Chapter 6 Data Recovery Manager for details The T...

Page 22: ...issuing or revoking certificates The agent services interface for a CA DRM OCSP and TPS are specific to those subsystems End Entity Services Interface The end entity interface is a customizable HTML interface used by end entities to enroll in the PKI request certificates revoke certificates and pick up issued certificates It contains forms for different types of enrollments and for enrolling diffe...

Page 23: ...four user types with different access levels to the system Administrators who can perform any administrative or configuration task Agents who can edit and approve requests Auditors who can view and configure audit logs Trusted managers which are subsystems with trusted relationship with another subsystem Additionally when a security domain is created the CA subsystem which hosts the domain is auto...

Page 24: ... token is first formatted and all additional certificates belonging to the user can be imported onto the token For more information about certificates being issued through the Enterprise Security Client see the Certificate System Enterprise Security Client Guide which is available at http redhat com docs manuals cert system For information about configuring subsystems to manage smart cards see Cha...

Page 25: ...s when a certificate is issued or revoked The notification framework comes with default modules that can be enabled and configured or additional notification plug in modules can be created using the CS SDK See Chapter 17 Automated Notifications for details 1 1 14 Jobs The jobs feature sets up automated jobs that run at defined intervals The default jobs can be enabled and configured or additional ...

Page 26: ...tificate System over HTTP or HTTPS Supports certificate formats for SSL based client and server authentication secure Multipurpose Internet Mail Extensions S MIME message signing and encryption and VPN clients Supports generating and publishing CRLs conforming to X 509 version 1 and 2 Publishes certificates and CRLs to any LDAP compliant directory over LDAP and HTTP HTTPS connections Publishes cer...

Page 27: ...e it obtains its signing certificate from another CA 1 2 1 1 Certificate Manager Flexibility and Scalability Multiple CAs can be configured to form a vertical or horizontal chain of CAs A vertical hierarchy has a root CA that is either self signing or subordinate to a public CA and then one or more CAs subordinate to this root CA The subordinate CAs can have more CAs below them forming a chain of ...

Page 28: ...s by issuing and storing cross signed certificates between these two CAs By using cross signed certificate pairs certificates issued outside the organization s PKI can be trusted within the system 1 2 1 3 Certificate Manager Functionality The Certificate Manager issues and revokes certificates when it receives signed requests These requests can come from its own agents users who are assigned privi...

Page 29: ...it is an agent approved enrollment an agent of the Certificate Manager must approve the request If it is an automated enrollment the request is approved if the end entity supplies the correct information and authenticates successfully 1 2 2 2 Authentication Methods Authentication plug ins set up automated enrollment and configure the methods for the end entity to authenticate itself For agent appr...

Page 30: ...issues a certificate the Certificate Manager stores both the certificate and the certificate request in its internal database 1 2 2 8 Revoking Certificates End entities can submit certificate revocation requests in the end entities page if they lose their private key or if their certificate has been compromised When an end entity requests a revocation the request is sent to the agent services inte...

Page 31: ...ovided by the underlying hardware token In the new scheme CS uses its existing access control scheme to ensure recovery agents are appropiately authenticated via SSL and ensures that the agent belongs to the specific recovery agent group The recovery request is executed only when m of n recovery agents have granted authorization to the request By default the DRM sets up a 1 of 1 ACL based recovery...

Page 32: ...S also generates transport keys which wrap or encrypt the user s private keys to secure them during transit 1 2 6 Token Processing System The Token Processing System TPS is the conduit between the Enterprise Security Client the user interface for end users to manage their smart cards and the other subsystems in the Certificate System It automatically initiates certificate enrollments with the CA a...

Page 33: ...ires key archival and recovery capabilities along with the CA for example when encrypted mail is widely used the organization risks data loss if it is unable to recover encryption keys In this case the Certificate System deployment has both the Certificate Manager and a DRM To add key storage and recovery a DRM can be installed on the same machine or on a different machine Figure 1 2 Certificate M...

Page 34: ... compromised DRM has devastating security consequences for the entire PKI Consider keeping the DRM in a special locked room or building this consideration can affect the deployment strategy 1 3 3 Cloned Certificate Manager A cloned Certificate Manager uses the same CA signing key and certificate as another Certificate Manager the master Certificate Manager Since each Certificate Manager issues cer...

Page 35: ...rity Client The TKS and TPS subsystems work together to support all token operations such as enrollment through the Enterprise Security Client Additionally the TPS subsystem can be configured to use the DRM subsystem to handle server side key generation and key archival and recovery The interactions between the TPS TKS DRM and CA subsystems to process token operations through the Enterprise Securi...

Page 36: ...Chapter 1 Overview 16 Figure 1 4 Certificate System Architecture ...

Page 37: ...or all users and applications to access Certificate System subsystem functions through the different user interfaces administrative console agent services and end entities pages The subsystem pages are accessed over HTTP but they are created by subsystem specific servlets contained in the Certificate System While the HTTP engine provides the connection entry points Certificate System completes the...

Page 38: ...nd logs including audit logs administrators cannot view audit logs NOTE The TPS subsystem does not have an administrative console administrator tasks are performed through an HTML interface accessed through the agent services URL These servlets can return data in HTML or XML formats making it easier for system administrators to write scripts which interact with these servlets For more information ...

Page 39: ...ionally stores certificates and keys Two cryptographics modules are included in the Certificate System The default internal PKCS 11 module which comes with two tokens The internal crypto services token which performs all cryptographic operations such as encryption decryption and hashing The internal key storage token Certificate DB token in Figure 1 4 Certificate System Architecture which handles ...

Page 40: ...session that follows Both of these protocols support using a variety of different cryptographic algorithms or ciphers for operations such as authenticating the server and client transmitting certificates and establishing session keys Clients and servers may support different cipher suites or sets of ciphers Among other functions the SSL handshake determines how the server and client negotiate whic...

Page 41: ...this code is currently present in the Certificate System it does not need to be recompiled Tutorials A tutorial to demonstrate how to create custom plug in modules for the Certificate System Each tutorial includes sample Java source code environment build script and a detailed instructions for building and installing the plug in modules Some tutorials also contain sample configuration files 1 6 Su...

Page 42: ...eight Directory Access Protocol LDAP v2 v3 A directory service protocol designed to run over TCP IP and across multiple platforms LDAP is a simplified version of Directory Access Protocol DAP used to access X 500 directories LDAP is under IETF change control and has evolved to meet Internet requirements Public Key Cryptography Standard PKCS 7 An encrypted data and message format developed by RSA D...

Page 43: ... as follows 1 Install a Red Hat Directory Server This can be on a different machine from the Certificate System which is the recommended scenario for most deployments 2 Download the Certificate System packages from the Red Hat Network channel Each subsystem has its own packages as well as dependencies and related packages These are listed in Section 2 2 3 Packages Installed 3 Install the Certifica...

Page 44: ... subsystem can be configured in an installation of Certificate System There can be multiple instances of a type of subsystem on a host or across different hosts For failover support one configuration option is to duplicate or clone an instance so that more than one instance has the same configuration information Clones and masters share the same set of keys and certificates Cloned CAs issue certif...

Page 45: ...ry to apply to a third party and wait for the certificate to be issued Before deploying the full PKI however consider whether to have a root CA how many to have and where both root and subordinate CAs will be located 2 2 Prerequisites This section covers required information such as the supported platforms the packages installed and dependencies and programs Section 2 2 1 Supported Platforms Secti...

Page 46: ... 0 RPM packages available through the IBM download site are packaged in a format which is incompatible with Certificate System 7 2 For 64 bit Solaris 9 SPARC platforms the user must download and install the latest version of the 64 bit Sun J2SE Java Runtime Environment 5 0 Update 9 available from the Sun download site http java sun com javase downloads index jsp IMPORTANT The 64 bit Solaris versio...

Page 47: ...ailable for 64 bit Red Hat Enterprise Linux 4 platforms This package is available through either the Red Hat Enterprise Linux AS v 4 for AMD64 EM64T Extras Red Hat Network channel or the Red Hat Enterprise Linux ES v 4 for AMD64 EM64T Extras Red Hat Network channel After installing the JDK run usr sbin alternatives config javac as root to insure that a JDK is available Solaris 9 systems do not req...

Page 48: ...on 2 2 3 1 Red Hat Enterprise Linux RPMs Section 2 2 3 2 Solaris Packages 2 2 3 1 Red Hat Enterprise Linux RPMs RPMs have the format package_name version_number release_number architecture rpm only the package name is shown in the tables RPMs for Certificate System subsystems and components osutil rhpki kra rhpki tks pkisetup rhpki manage rhpki tps rhpki ca rhpki migrate rhpki util rhpki common rh...

Page 49: ...a commons collections ldapjdk xml commons jakarta commons daemon log4j xml commons apis jakarta commons dbcp mx4j xml commons resolver jakarta commons digester oldjdom xmlbeans Table 2 3 RPMs for Fortitude Web Services fortitude web mod_nss mod_revocator Table 2 4 RPMs for Apache Web Services pdksh perl XML NamespaceSupport perl HTML Parser perl XML Parser perl HTML Tagset perl XML SAX perl Parse ...

Page 50: ...ude RHATdirsec nssx 3 11 3 1 sparcv9 pkg and RHATdirsec nssx tools 3 11 3 1 sparcv9 pkg Packages for Certificate System RHATosutilx RHATrhpki krax RHATrhpki tksx RHATpkisetupx RHATrhpki managex RHATrhpki tpsx RHATrhpki cax RHATrhpki migratex RHATrhpki utilx RHATrhpki commonx RHATrhpki native toolsx RHATsymkeyx RHATrhpki consolex RHATrhpki ocspx RHATtomcatjssx RHATrhpki java toolsx Table 2 9 Packag...

Page 51: ...ude Web Services RHATfortitude webx RHATmod nssx RHATmod revocatorx Table 2 11 Packages for Apache Web Services RHATapr utilx RHATmod perlx RHATperl XML Parserx RHATaprx RHATpcrex RHATperl XML SAXx RHATdb4x RHATperl HTML Parserx RHATperl XML Simplex RHATdb4x utils RHATperl HTML Tagsetx RHATperl libwww perlx RHATexpatx RHATperl Parse RecDescentx RHATperlx RHAThttpdx RHATperl URIx RHAThttpdx manual ...

Page 52: ...ct a CA from a drop down menu or add an external CA If a Certificate System CA is selected then supply the CA agent username and password Subsystem information When installing a TPS the CA and TKS subsystems must be installed and configured before installing the TPS a DRM subsystem must also be installed and configured if server side key generation is selected When configuring the TPS the TKS and ...

Page 53: ...080 var lib rhpki tks TPS 7889 7888 var lib rhpki tps Table 2 16 Default Subsystem Instance Ports and File Locations The following certificates are created by default when any of the following subsystem instances are installed Certificate Manager CA signing certificate OCSP signing certificate for the CA s internal OCSP service SSL server certificate Subsystem certificate The subsystem certificate...

Page 54: ...ection 2 4 2 Subsystem Type Panel Section 2 4 3 PKI Hierarchy Panel Section 2 4 4 CA Information Panel Section 2 4 5 TKS Information Panel Section 2 4 6 DRM Information Panel Section 2 4 7 Authentication Directory Panel Section 2 4 8 Internal Database Panel Section 2 4 9 Key Store Panel Section 2 4 10 Key Pairs Panel Section 2 4 11 Subject Names Panel Section 2 4 12 Requests and Certificates Panel...

Page 55: ... Figure 2 1 Security Domain If the subsystem is being added to an existing domain provide the security domain URL and the administrator UID and password for the domain Figure 2 2 Supplying the Security Domain Bind Information For more information on security domains see Section 4 4 Security Domains 2 4 2 Subsystem Type Panel This panel creates a master subsystem or clones an existing subsystem Cre...

Page 56: ...of the subsystem information based on the master s configuration and regenerates the master s certificates 2 4 3 PKI Hierarchy Panel This option is only available to CAs this creates the overall arrangement of CAs CAs can be arranged in a hierarchy with root CAs which sign CA signing certificates and set certificate policies and layers of subordinate CAs which have CA signing certificates signed b...

Page 57: ... and be approved before configuration can be completed 2 4 4 CA Information Panel This panel appears only during TPS configuration This identifies the CA which will work with the TPS to issue and revoke certificates stored on the smart card The TPS must be associated with a CA within the security domain which can perform the token operations the CA is selected from a drop down list of all CAs with...

Page 58: ...nel is only available when configuring a TPS subsystem The TPS can be associated with an existing DRM subsystem to enable server side key generation Similarly to setting the CA information the DRM is selected from a list of all configured DRM subsystems within the security domain Figure 2 7 Selecting the DRM ...

Page 59: ...lied in this panel and the appropriate database and suffix must be created before the TPS is configured these are not created by the configuration wizard but are accessed by it Only Red Hat Directory Server 7 1 or higher is supported 2 4 8 Internal Database Panel This panel collects information for the internal directory service used for storing certificate requests and certificates Directory Serv...

Page 60: ...base and the new clone s internal database 2 4 9 Key Store Panel This panel displays a list of automatically discovered tokens that can be used to store certificates and keys The Certificate System automatically discovers Safenet s LunaSA and nCipher s netHSM hardware security modules HSM and returns them on this screen The discovery process assumes that the client software installations for these...

Page 61: ...is updated with this information by default The status field in this panel describes the status of the token Found The token was discovered by Certificate System and added to secmod db Not Found The Certificate System was unable to find the supported HSMs Logged In The login attempt to the slot was successful Not Logged In The subsystem is not logged into the slot yet The login button correspondin...

Page 62: ...ames for all of the certificates issued for the subsystem being installed This panel also sets which CA will issue these certificates If the certificates for the subsystem including certificates for a subordinate CA will be issued by an external CA such as VeriSign or a Certificate System CA which is outside the security domain select External CA from the list ...

Page 63: ...t except the Server Certificate name field because the server certificate is regenerated 2 4 12 Requests and Certificates Panel This panel has links to the certificate requests and the issued certificates if the certificates were issued successfully The generated certificate requests are stored in the instance s CS cfg configuration file for retrieval later ...

Page 64: ...ceed past this panel until the new certificates are pasted into the fields In this case the Requests and Certificates panel appears as shown 2 4 13 Export Keys and Certificates Panel This panel offers the option to export the new certificate to a p12 file A p12 backup file of a master subsystem s certificates and keys is required when configuring the clone these files can also be used to restore t...

Page 65: ...ator user for the instance This user also has agent privileges so the agent certificates and keys for the agent certificate are generated on the browser used to go through the configuration wizard This administrator agent user can use this agent certificate to access the agent interface for managing requests Figure 2 15 CA Administrator ...

Page 66: ...loaded and installed on Red Hat Enterprise Linux systems using the up2date command Whether downloading and installing the Certificate System from an ISO image or through up2date several packages are also installed for related applications and dependencies not only for the subsystem packages These packages are listed in Section 2 2 3 1 Red Hat Enterprise Linux RPMs and Section 2 2 3 2 Solaris Packa...

Page 67: ...m tps installs the Token Processing System esc installs the Enterprise Security Client The force option bypasses any confirmation prompts that may otherwise appear during the installation For example to install the CA and then the DRM use the following commands rhpki install pki_subsystem ca pki_package_path media cdrom RedHat RPMS force rhpki install pki_subsystem drm pki_package_path media cdrom...

Page 68: ...e up2date command run a command like the following for each subsystem up2date rhpki subsystem subsystem can be ca for the CA kra for the DRM ocsp for the OCSP tks for the TKS and tps for the TPS up2date is used only for the first subsystem instance any additional subsystem instances should be added using pkicreate To install the client using up2date run the following up2date esc 2 6 Configuring th...

Page 69: ...and databases is given To determine whether a token is detected by the Certificate System use the TokenInfo tool For more information on this tool see the Certificate System Command Line Tools Guide 7 Set the key size The default RSA key size is 2048 8 Optionally give subject names for the certificates 9 The next panels generate and show certificate requests certificates and key pairs If an extern...

Page 70: ...cate System use the TokenInfo tool For more information on this tool see the Certificate System Command Line Tools Guide 6 Set the key size The default RSA key size is 2048 7 Select the CA which will generate the subsystem certificates to use a Certificate System CA select the CA from the drop down menu of the CAs configured within the security domain Optionally give subject names to the listed ce...

Page 71: ...side key generation is selected supply information about the DRM which will be used to generate keys and archive encryption keys Key and certificate recovery is initiated automatically through the TPS which is a DRM agent Select the DRM from the drop down menu of DRM subsystems within the security domain 7 Fill in the Directory Server hostname port bind DN and bind password 8 Select the key store ...

Page 72: ...existing subsystems Cloning can be used for load balancing for heavily trafficked servers and for failover support Clones are installed the same as other subsystems with slight differences in the subsequent configuration For more information on using cloning as part of a deployment strategy see Chapter 19 Configuring the Certificate System for High Availability 1 Run the pkicreate command Through ...

Page 73: ...ystems it is possible to clone an existing CA DRM TKS or OCSP subsystem To clone a subsystem do the following 1 Create a new instance using pkicreate 2 Open the configuration wizard 3 In the Security Domain panel add the clone to the same security domain to which the master belongs 4 The Subsystem Type panel sets whether to create a new instance or a clone select the clone radio button Figure 2 16...

Page 74: ... Installation The Certificate System includes a tool pkisilent which can completely create and configure an instance Normally adding instances requires running the pkicreate utility to create the instance and then accessing the subsystem HTML page to complete the configuration The pkisilent utility creates and configures the instance in a single step The pkisilent tool is downloaded independently ...

Page 75: ...ent_certdb_pwd redhat preop_pin fS44I6SASGF34FD76WKJHIW4 domain_name testca admin_user admin admin_email admin redhat com admin_password redhat agent_name rhpki tks2 agent ldap_host server ldap_port 389 bind_dn cn directory manager bind_password redhat base_dn o rhpki tks2 db_name rhpki tks2 key_size 2048 key_type rsa agent_key_size 2048 agent_key_type rsa agent_cert_subject tks agent cert backup_...

Page 76: ...the up2date command NOTE All Certificate System instances must be stopped before beginning any updates Section 2 9 1 Updating Certificate System on Red Hat Enterprise Linux Section 2 9 2 Updating Certificate System on Solaris 2 9 1 Updating Certificate System on Red Hat Enterprise Linux For Red Hat Enterprise Linux and individual package can up updated either by installing the specific RPM or by r...

Page 77: ...te System instances etc init d instance_ID start NOTE The Solaris Certificate System version has the same directory structure and configuration as the Red Hat Enterprise Linux version of Certificate System 2 10 Uninstalling Certificate System Subsystems It is possible to remove individual subsystem instances or to uninstall all packages associated with an entire subsystem Instances and subsystems ...

Page 78: ...ance and any related files such as the certificate databases certificates keys and associated users It does not uninstall the subsystem 2 10 2 Removing Certificate System Subsystems To uninstall an individual Certificate System subsystem do the following 1 Remove all the associated subsystem instances using pkiremove For example pkiremove pki_instance_root var lib pki_instance_name rhpki ca 2 Run ...

Page 79: ...anually editing the CS cfg file The Console is launched using the pkiconsole utility with the hostname subsystem SSL port and subsystem type specified pkiconsole https hostname SSLport subsystemType For a Certificate Manager running a a host named host example com on the default CA SSL port 9443 the console command would be as follows pkiconsole https host example com 9443 ca When the command is r...

Page 80: ...tion To enable SSL client authentication both the client and the server need configured to run over SSL First setup the Certificate System server to use SSL client authentication 1 Store the certificates for any administrator using this system The certificate should be either from the CA itself or from whichever CA signed the certificate for the subsystem a Open the subsystem console b Select the ...

Page 81: ...serverCertNick conf passwordFile var lib rhpki ca conf password conf passwordClass org apache tomcat util net jss PlainPasswordFile certdbDir var lib rhpki ca alias 9 Start the subsystem etc init d instance_ID start After setting up the server then configure the client to use SSL client authentication The Console must have access to the administrator certificate and keys used for SSL client authen...

Page 82: ...y The bind password used by the subsystem to access and update the LDAP directory this is required only if the Certificate System instance is configured for publishing certificates and CRLs to an LDAP compliant directory For a TPS instance the bind password used to access and update the token database The password conf file also contains the token passwords needed to open the private keys of the s...

Page 83: ...ile for password conf is called password bak run cat password bak password conf Repeat this command until the server is fully started this is apparent in the debug log This process still uses a clear text password file password bak but this moves the password store so that it is external to the Certificate System instance and can be stored anywhere such as a smart card This only requires a utility...

Page 84: ... created and managed by the directory To customize the required quality of passwords use the plug in for the password quality checker included as a sample in the CS SDK 3 4 Starting Stopping and Restarting Certificate System Subsystems Each Certificate System subsystem instance is started stopped and restarted separately This section describes how to start stop and restart a subsystem instance 3 4...

Page 85: ...stance_ID start slapd 3 Restart the Certificate System subsystem instance etc init d instance_ID start 3 5 Mail Server The notifications and jobs features use the mail server set in the Certificate System CA instances to send notification messages Set up a mail server by doing the following 1 Open the CA subsystem administrative console For example pkiconsole https host example com 9443 ca 2 In th...

Page 86: ...system type is installed The CS cfg file is located in the var lib instance_ID conf directory 3 6 2 Editing the Configuration File WARNING Do not edit the configuration file directly without being familiar with the configuration parameters or without being sure that the changes are acceptable to the server The Certificate System fails to start if the configuration file is modified incorrectly Inco...

Page 87: ...ation file The configuration file supports the UNIX style file separator the forward slash If the backward slash file separator is required use two backward slashes instead of one Authentication parameters CA only All authentication specific information such as names of registered authentication plug in modules and any configured instances appears in the authentication section of the configuration...

Page 88: ... configuration file for the original instance contains instance specific parameters If the new instance s configuration file is directly replaced with that of the first instance the new instance will fail to start properly if the instance specific parameters are not adjusted to those required by the new instance The recommended way to create duplicate instances is to clone the instances when the s...

Page 89: ...Enterprise Linux AS and ES x86_64 machines only usr lib64 java dirsec JNI security Java archive files shared by the CA DRM OCSP and TKS subsystems For 64 bit Red Hat Enterprise Linux AS and ES x86_64 machines only usr share doc LICENSE and README text files shared by the Certificate System subsystems usr share java rhpki Java archive files shared by the CA DRM OCSP and TKS subsystems usr share jav...

Page 90: ...The Certificate System server instances are created by the pkicreate utility Although Certificate System server instances are relocatable the following are the default instance locations Section 3 6 6 1 CA Default Instance Location Section 3 6 6 2 DRM Default Instance Location Section 3 6 6 3 OCSP Default Instance Location Section 3 6 6 4 TKS Default Instance Location Section 3 6 6 5 TPS Default I...

Page 91: ...ning the configuration steps performed to create the DRM instance var run rhpki kra pid File A file containing the active process ID of the running DRM instance Table 3 3 DRM Default Instance Location 3 6 6 3 OCSP Default Instance Location Default Location Type of Object Description etc init d rhpki ocsp File The script used to start stop or restart the OCSP instance etc rhpki ocsp Directory Conta...

Page 92: ...c init d rhpki tps File The script used to start stop or restart the TPS instance etc rhpki tps conf Directory Contains the configuration file for the TPS instance var lib rhpki tps Directory Contains the user specific default and customized forms and data for the TPS instance var log rhpki tps Directory Contains the log files for the TPS instance var log rhpki tps install log File A log file cont...

Page 93: ...rns by default all of the subsystem interfaces like the agent services page or the end entities page returns data in HTML Setting the xml with a value of true returns XML data This XML information is useful for writing scripts that interact with the server The xml parameter is appended to the end of the interface link For example the server returns an HTML page when the following link is accessed ...

Page 94: ...for audit logs are located in the var lib instance_id logs directory Audit logs signed and regular are located in the var lib instance_id logs signedAudit directory The default location for logs can be changed by modifying the configuration 3 9 1 1 System Log This log system records information about requests to the server all HTTP and HTTPS requests and the responses from the server Information r...

Page 95: ...r24 ProfileSubmitServlet key request requeststatus value begin 06 Jun 2008 14 59 38 http 9443 Processor24 ProfileSubmitServlet key request auth_token user value uid RA test4 redbudcomputer local 4747 ou People dc test4 redbudcomputer local pki ca 06 Jun 2008 14 59 38 http 9443 Processor24 ProfileSubmitServlet key request req_key value MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDreuEsBWq9WuZ2MaBwtNYxvkL...

Page 96: ... Self Tests Log The self tests log records information obtained during the self tests run when the server starts or when the self tests are manually run The tests can be viewed by opening this log This log is not configurable through the Console This log can only be configured by changing settings in the CS cfg file The information about logs in this section does not pertain to this log See Sectio...

Page 97: ...to access control lists Administration Logs events related to administration activities such as HTTPS communication between the Console and the instance All Logs events related to all the services Authentication Logs events related to activity with the authentication module Certificate Authority Logs events related to the Certificate Manager Database Logs events related to activity with the intern...

Page 98: ...ogging to be performed by the server The level sets how detailed the logging should be A higher priority level means less detail because only events of high priority are logged the highest priority log level is 0 A lower priority level means greater detail because more kinds of events are recorded in the log file the lowest priority log level is 6 10 for TPS Log level Message category Description ...

Page 99: ...ntify occurrences that affect the security of the server For example Privileged access attempted by user with revoked or unlisted certificate Table 3 9 Log Levels and Corresponding Log Messages There are an additional four log levels available for TPS subsystem logs Log level Message category Description 7 PDU related events debugging These messages contain debugging information for PDU events Thi...

Page 100: ...reater than the value specified by the flushInterval configuration parameter The default value for this parameter is 5 seconds When current logs are read from Console The server retrieves the latest log when it is queried for current logs If the server is configured for unbuffered logging the server flushes out messages as they are generated to the log files Because the server performs an I O oper...

Page 101: ...list in the Select Log Event Listener Plug in Implementation window To delete a log instance select a listener to delete in the Log Event Listener list Click Delete To modify an existing log instance select a listener to modify in the Log Event Listener list Click Edit View 4 Change the fields in the Log Event Listener Editor window Log Event Listener ID The unique name that identifies the listene...

Page 102: ...3 9 1 6 Signed Audit Log for more information about signed audit logs signedAuditCertNickname The nickname of the certificate used to sign audit logs The private key for this certificate must be accessible to the subsystem in order for it to sign the log events Specifies which events are logged to the audit log Lists each event separated by a comma with no spaces Events can be removed from the lis...

Page 103: ...e is set to false the default value the self test messages are only logged to the log file specified by selftests container logger fileName If this variable is set to true then the self test messages are written to both the log file specified by selftests container logger fileName as well as to the log file specified by log instance Transactions fileName rolloverInterval Specify the frequency at w...

Page 104: ... the error or informational messages that the server has logged Examining the log files can also monitor many aspects of the server s operation Some log files can be viewed through the Console or by opening the files directly See Section 3 9 1 About Logs for information on the location of logs and the log files available To view the contents of an active or rotated system log file 1 Log into the C...

Page 105: ...hived or distributed for audit purposes This feature allows files to be checked for tampering This is an alternative to the signed audit logs feature The signed audit log feature creates audit logs that are automatically signed this tool manually signs archived logs See Section 3 9 1 6 Signed Audit Log for details about signed audit logs For signing log files use a command line utility called the ...

Page 106: ...ll path to the implementing Java class If this class is part of a package include the package name For example registering a class named customLog in a package named com customplugins the class name would be com customplugins customLog 5 Click OK 3 9 12 Deleting a Log Module Unwanted log plug in modules can be deleted through the Console Before deleting a module delete all the listeners based on t...

Page 107: ...t from the list Log events are separated by commas with no spaces Logging Event Type of Log Messages Generated AUDIT_LOG_STARTUP The start of the subsystem and thus the start of the audit function AUDIT_LOG_SHUTDOWN The shutdown of the subsystem and thus the shutdown of the audit function ROLE_ASSUME A user assuming a role A user assumes a role after passing through authentication and authorizatio...

Page 108: ...ystem should not allow such a change PRIVATE_KEY_ARCHIVE Shows when an encryption private key is requested during enrollment PRIVATE_KEY_ARCHIVE_PROCESSED Shows when a private encryption key is archived in the DRM KEY_RECOVERY_REQUEST Shows when a request is made to recover a private encryption key stored in the DRM KEY_RECOVERY_AGENT_LOGIN Shows when DRM agents log in as recovery agents to approv...

Page 109: ... when the audit buffer is signed and flushed to disk Table 3 11 Signed Audit Log Events 3 9 13 1 Setting up Signed Audit Logs To set up signed audit logs 1 Set up the caAuditCert certificate profile See Section 12 3 Setting up Certificate Profiles for information about setting up certificate profiles 2 Approve the caAuditCert certificate profile by approving it in the agent services interface If t...

Page 110: ...down When this happens administrators and auditors should work together with the operating system administrator to resolve the disk space or file permission issues When the IT problem is resolved the auditor should make sure that the last audit log entries are signed If not they should be preserved by manual signing Section 3 9 10 Signing Log Files archived and removed to prevent audit verificatio...

Page 111: ...he self tests that are registered and configured are those associated with the subsystem type Self tests are turned off or the criticality is changed by changing those setting in the CS cfg file To turn a self test off remove is from the list of self tests 3 10 3 Modifying Self Test Configuration To modify the configuration settings for self tests 1 Stop the subsystem instance 2 Open the CS cfg fi...

Page 112: ...frequency at which the server rotates the active error log file The choices are hourly daily weekly monthly and yearly The default selection is monthly For more information see Section 3 9 5 Log File Rotation type Set to transaction do not change this 4 To edit the order in which the self test are run specify the order by listing any of the self test as the value of the following parameters separa...

Page 113: ...ble to use those ports directly Also since the Certificate System is installed as root yet it runs as a non root user the subsystems may not be able to access the restricted ports It is possible to direct traffic to non restricted ports while still using the default port numbers by configuring the iptables settings For example sbin iptables A FORWARD p tcp destination port 443 j ACCEPT sbin iptabl...

Page 114: ...tem administrative console pkiconsole https server example com 4430 ca If the port number is ever changed the agents must be informed 3 11 1 4 End Entity Ports For requests from end entities the Certificate System listens on both the SSL encrypted port and non SSL port End entities make requests through the end entities page Both the HTTP port and HTTPS port can be used to service end entity initi...

Page 115: ...ce_ID conf 3 Open the httpd conf file and edit the non SSL port number For example Listen 0 0 0 0 7888 4 Open the nss conf file and edit the SSL port numbers For example Listen 0 0 0 0 7889 VirtualHost _default_ 7889 5 Open the CS cfg file and edit the both the SSL and non SSL port numbers For example service securePort 7889 service unsecurePort 7888 op format tokenKey issuerinfo value http server...

Page 116: ...he data certificate requests certificates CRLs and related information while a DRM only stores key records and related data WARNING The internal database schema are configured to store only Certificate System data Do not make any changes to it or configure the Certificate System to use any other LDAP directory Doing so can result in data loss Additionally do not use the internal LDAP database for ...

Page 117: ...iguration directory 3 Open the CS cfg file 4 Edit the following lines to the indicated values internaldb ldapAuthentication authtype SslClientAuth internaldb ldapAuthentication bindDN CN Directory Manager internaldb ldapAuthentication bindPWPrompt Internal LDAP Database internaldb ldapconn host ldap_hostname internaldb ldapconn port ldap_httpsport internaldb ldapconn secureConn true internaldb lda...

Page 118: ...lect the Certificate System internal database entry and click Open 3 Select the Configuration tab 4 In the navigation tree expand Plug ins and select Pass Through Authentication 5 In the right pane deselect the Enable plugin checkbox 6 Click Save The server prompts to restart the server 7 Click the Tasks tab and click Restart the Directory Server 8 Close the Directory Server Console 9 When the ser...

Page 119: ...ubsystem instance etc init d instance_ID stop 2 Save the directory to a compressed file For example cd var lib rhpki ca tar cvf export archives ca alias tar alias 3 Restart the subsystem instance etc init d instance_ID start NOTE Stop the subsystem instance before backing up the instance or the security databases The Directory Server database can be restored using Directory Server specific tools s...

Page 120: ...s to the directory For example restore the alias directory cp r export archives ca alias var lib rhpki ca alias 4 Restart the subsystem instance etc init d instance_ID start NOTE Stop the subsystem instance before restoring the instance or the security databases ...

Page 121: ...ed by creating certificate profiles for each enrollment type Certificate profiles dynamically generate forms which are customized by configuring the inputs associated with the certificate profile 4 1 1 1 The Certificate Enrollment Process When an end entity enrolls in a PKI by requesting a certificate the following events can occur depending on the configuration of the PKI and the subsystems insta...

Page 122: ...t did not meet the certificate profile or authentication requirements or a certificate is issued 9 The certificate is delivered to the end entity In automated enrollment the certificate is delivered to the user immediately Since the enrollment is normally through an HTML page the certificate is returned as a response on another HTML page In agent approved enrollment the certificate can be retrieve...

Page 123: ...ate Manager has a CA signing certificate with a public key corresponding to the private key the Certificate Manager uses to sign the certificates and CRLs it issues This certificate is created and installed when the Certificate Manager is installed The default nickname for the certificate is caSigningCert cert instance_ID where instance_ID identifies the Certificate Manager instance The default va...

Page 124: ...quested to use for different operations such as configuring the Certificate Manager to use separate server certificates for authenticating to the end entity services interface and agent services interface If the Certificate Manager is configured for SSL enabled communication with a publishing directory it uses its SSL server certificate for client authentication to the publishing directory by defa...

Page 125: ...r Ranges for the CA The starting and ending serial numbers that a CA can issue can be set in the Certificate System Console This is useful when installing cloned CAs each cloned CA is given a specific range of serial numbers that it can issue so that none of the cloned CAs can issue the same serial number The serial number range is not set during installation or configuration of the subsystem but ...

Page 126: ...he Certificate System CA to a third party public CA introduces the restrictions that public CAs place on the kinds of certificates the subordinate CA can issue and the nature of the certificate chain For example a CA that chains to a third party CA might be restricted to issuing only Secure Multipurpose Internet Mail Extensions S MIME and SSL client authentication certificates but not SSL server c...

Page 127: ... xml file is created when the CA is configured as the security domain host and every subsystem which is added to the domain is added as an entry to the registry The domain xml file looks like the following example xml version 1 0 encoding UTF 8 DomainInfo Name Example Domain Name KRAList KRA SubsystemName rhpki kra SubsystemName Host server example com Host SecurePort 10443 SecurePort DomainManage...

Page 128: ... and browsers The information available in the security domain is used during configuration of a new subsystem which makes the configuration process streamlined and automated For example when a TPS needs to connect to a CA it can consult the security domain to get a list of available CAs A subsystem retrieves information in the security domain through XML messages over HTTPS The subsystem authenti...

Page 129: ...s Automatically approve any server and subsystem certificate from any CA in the domain Register and unregister TPS subsystem information in the security domain Table 4 1 Security Domain User Roles As necessary the security domain administrator can manage access controls on the security domain and on the individual subsystems For example the security domain administrator can restrict access so that...

Page 130: ...guration the configuration registers the subsystem information to the security domain 4 4 5 Additional Security Domain Information The following information can be considered when planning the security domain The CA hosting the security domain can be signed by an external authority Multiple security domains can be set up within an organization However each subsystem can belong to only one security...

Page 131: ...trusted CA Section 10 4 1 3 About CA Certificate Chains Managing hardware security module HSM tokens Section 11 1 Tokens for Storing Certificate System Keys and Certificates Setting up trusted managers Section 16 1 2 5 Trusted Managers Changing the subsystem security settings Section 10 5 Configuring the Server Certificate Use Preferences Changing subsystem passwords Section 3 3 System Passwords M...

Page 132: ...loyment NOTE Correct use of extensions for example the authorityKeyIdentifier extension can affect the transition from an old CA certificate to a new one 4 7 Changing the Rules for Issuing Certificates The restrictions on the certificates issued are set by default after the subsystem is configured These include Whether certificates can be issued with validity periods longer than the CA signing cer...

Page 133: ... serial number in the Next serial number field to the next certificate it issues and the number in the Ending serial number to the last certificate it issues The serial number range allows multiple CAs to be deployed and balances the number of certificates each CA issues The combination of an issuer name and a serial number uniquely identifies a certificate To ensure that two distinct certificates...

Page 134: ... have constraints for the types of extensions which they can attach to a certificate It is possible for a subordinate CA to issue certificates that violate these constraints but a client authenticating a certificate that violates those constraints will not accept that certificate All CA certificates should contain the basicConstraints extension as this is the standard way to identify a CA certific...

Page 135: ...le pkiconsole https server example com 9443 ca 3 In the left navigation tree of the Configuration tab select Certificate Manager then Certificate Profiles 4 Select caCACert or the appropriate CA signing certificate profile from the right window and click Edit View 5 In the Policies tab of the Certificate Profile Rule Editor select and edit the Key Usage or Extended Key Usage Extension Default if i...

Page 136: ...vices page To create an additional administrator agent or auditor create a user in the Certificate System instance where the user will have privileges and assign the user to the appropriate group An agent or auditor must have a certificate stored in the subsystem s internal database If the Console is configured for SSL client authentication all administrators must also have an SSL client certifica...

Page 137: ...e to a local file or to the clipboard c Select the new user entry and click Certificates d Click Import and paste in the base 64 encoded certificate For more information on editing user entries and managing user certificates see Section 16 4 Modifying Certificate System User Entries 4 10 Checking the Revocation Status of Agent Certificates A Certificate Manager can be configured to check the revoc...

Page 138: ...he following parameters revocationChecking bufferSize Sets the total number of last checked certificates the server should maintain in its cache For example if the buffer size is 2 the server retains the last two certificates checked in its cache By default the server caches the last 50 certificates revocationChecking subsystem Gives the name of the Certificate System instance subsystem indicates ...

Page 139: ...l see http www mozilla org projects security pki nss tools 2 When the certificate request has been created submit it through the Certificate Manager end entities page The page has a URL in the following format https hostname port ca ee ca 3 After the request is submitted log into the agent services page 4 Check the request for required extensions The CRL signing certificate must contain the Key Us...

Page 140: ...tificate System is connected with a Directory Server the format of the DNs in the certificates should match the format of the DNs in the directory It is not necessary that the names match exactly certificate mapping allows the subject DN in a certificate to be different from the one in the directory In the Certificate System the DN is based on the components or attributes defined in the X 509 stan...

Page 141: ...wing netscape security x509 PrintableConverter converts a string to a PrintableString value The string must have only printable characters netscape security x509 IA5StringConverter converts a string to an IA5String value The string must have only IA5String characters netscape security x509 DirStrConverter converts a string to a DirectoryString The string is expected to be in DirectoryString format...

Page 142: ...s the new attributes should show up in the form 8 To verify that the new attributes are in effect request a certificate using the manual enrollment form Enter values for the new attributes so that it can be verified that they appear in the certificate subject names For example enter the following values for the new attributes and look for them in the subject name MYATTR1 a_value MYATTR2 a Value MY...

Page 143: ... end of the configuration file X500Name directoryStringEncodingOrder PrintableString UniversalString 5 Save the changes and close the file 6 Start the Certificate Manager etc init d rhpki ca start 7 To verify that the encoding orders are in effect enroll for a certificate using the manual enrollment form Use John_Doe for the cn 8 Open the agent services page and approve the request 9 When the cert...

Page 144: ...124 ...

Page 145: ...rmation Access extension in the certificate being validated 5 The OCSP responder determines if the request contains all the information required to process it If it does not or if it is not enabled for the requested service a rejection notice is sent If it does have enough information it processes the request and sends back a report stating the status of the certificate 5 1 1 OCSP Response Signing...

Page 146: ...voked 5 2 CA OCSP Services There are two ways to set up OCSP services The OCSP built into the Certificate Manager The Online Certificate Status Manager 5 2 1 The Certificate Manager s Internal OCSP Service The Certificate Manager has a built in OCSP service which can be used by OCSP compliant clients to query the Certificate Manager directly about the revocation status of the certificate When the ...

Page 147: ...sts can be submitted either to a Certificate Manager or to a third party public CA If the certificate is sent to a third party CA then the certificate must be installed when it is received If the OCSP signing certificate is made when the subsystem is configured and it issued by a Certificate Manager the certificate is installed immediately if the Certificate Setup Wizard is used the request is sub...

Page 148: ...the certificate chain is imported and marked when the Online Certificate Status Manager is configured No other configuration is required However if the server certificate is signed by an external CA the certificate chain has to be imported for the configuration to be completed NOTE Not every CA within the security domain is automatically trusted by the OCSP Manager when it is configured Every CA i...

Page 149: ...ng certificates Chapter 13 Revocation and CRLs Configuring cloning Chapter 19 Configuring the Certificate System for High Availability Table 5 1 General Subsystem Configuration Links 5 5 Creating Online Certificate Status Manager Agents and Administrators When the subsystem is configured there is a default user created with both administrator and agent privileges This user can perform both adminis...

Page 150: ...ted b Copy the base 64 encoded certificate to a local file or to the clipboard c Select the new user entry and click Certificates d Click Import and paste in the base 64 encoded certificate For more information on editing user entries and managing user certificates see Section 16 4 Modifying Certificate System User Entries 5 6 Configuring the Certificate Manager s Internal OCSP Service Every CA s ...

Page 151: ...utomatically and its signing certificate is automatically added and trusted in the Online Certificate Status Manager s certificate database However if a non security domain CA is selected then the OCSP service must be manually configured after the Online Certificate Status Manager is configured NOTE Not every CA within the security domain to which the OCSP Manager belongs is automatically trusted ...

Page 152: ...rifies the signature against the stored certificate NOTE If a CA within the security domain is selected when the Online Certificate Status Manager is configured there is no extra step required to configure the Online Certificate Status Manager to recognize the CA the CA signing certificate is automatically added and trusted in the Online Certificate Status Manager s certificate database However if...

Page 153: ...tamps of the CA s last communication with the Online Certificate Status Manager The Requests Served Since Startup field should still show a value of zero 0 since no client has tried to query the OCSP service for certificate revocation status 5 8 2 Configure the Revocation Info Stores The Online Certificate Status Manager stores each Certificate Manager s CRL in its internal database and uses it as...

Page 154: ...rtificate binary as it is It is the attribute to which the Certificate Manager publishes its CA signing certificate crlAttr Leave the default value certificateRevocationList binary as it is It is the attribute to which the Certificate Manager publishes CRLs notFoundAsGood Sets the OCSP service to return an OCSP response of GOOD if the certificate in question cannot be found in any of the CRLs If t...

Page 155: ...the CRL to the Online Certificate Status Manager The browser sent an OCSP response to the Online Certificate Status Manager The Online Certificate Status Manager sent an OCSP response to the browser The browser used that response to validate the certificate and returned its status that the certificate could not be verified 5 10 Submitting OCSP Requests Using the GET Method OCSP requests which are ...

Page 156: ... pmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE no check certificate 16 34 34 https server example com 11443 ocsp ee ocsp MEIwQDA MDwwOjAJBgUrDgMCGgUABBT4cyABky iCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE MEIwQDA MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE Resolving server example com 192 168 123 224 Connecting to server example com 192 168 123 224...

Page 157: ...es NOTE Setting the redirect is only required to manage certificates issued by a 7 1 CA with the Authority Information Access extension If the certificates are issued by a later version Certificate Manager or do not contain the Authority Information Access extension then this configuration is not necessary 1 Stop the OCSP Responder For example etc init d rhpki ocsp stop 2 Open the OCSP s web appli...

Page 158: ...l the web xml file in the ROOT directory For example xml version 1 0 encoding ISO 8859 1 web app display name Welcome to Tomcat display name description Welcome to Tomcat description servlet servlet name ocspProxy servlet name servlet class com netscape cms servlet base ProxyServlet servlet class init param param name destContext param name param value ocsp2 param value init param init param param...

Page 159: ...am param name appendPathInfoOnNoMatch param name param value ocsp param value init param servlet servlet mapping servlet name ocspProxy servlet name url pattern ocsp url pattern servlet mapping servlet mapping servlet name ocspOther servlet name url pattern ocsp url pattern servlet mapping web app 12 Edit the var lib rhpki ocsp conf context xml changing the following line Context to Context crossC...

Page 160: ...140 ...

Page 161: ...he PKI configuration must include the following elements Clients that can generate dual keys and that support the key archival option using the CRMF CMMF protocol An installed and configured DRM HTML forms with which end entities can request dual certificates based on dual keys and key recovery agents can request key recovery 6 1 1 Clients That Can Generate Dual Key Pairs Only keys that are used e...

Page 162: ...by authorized key recovery agents For details see Section 6 5 1 Key Recovery Agents and Their Passwords 6 2 3 SSL Server Certificate Every Certificate System DRM has at least one SSL server certificate The first SSL server certificate is generated when the DRM is configured The default nickname for the certificate is Server Cert cert instance_id where instance_id identifies the DRM instance is ins...

Page 163: ...database each key is encrypted and stored as a key record and is given a unique key identifier The archived copy of the key remains wrapped with the DRM s storage key It can be decrypted or unwrapped only by using the corresponding private key pair of the storage certificate A combination of one or more key recovery or DRM agents certificates authorizes the DRM to complete the key recovery to retr...

Page 164: ...tificate Manager detects the key archival option in the request and asks the client for the private encryption key d The client encrypts the private encryption key with the public key from the DRM s transport certificate embedded in the enrollment form 2 After approving the certificate request and issuing the certificate the Certificate Manager sends it to the DRM for storage along with the public...

Page 165: ...overy agents need to do the following Be added to the Data Recovery Manager Agents group Obtain a client certificate identifying themselves The DRM administrator needs to add that user certificate to the DRM s internal database Be available to retrieve private encryption keys It is not necessary for all key recovery agents to be available for the key recovery operation the required number to autho...

Page 166: ...ecovery process WARNING The PKCS 12 package contains the private key To minimize the risk of key compromise the recovery agent must use a secure method to deliver the PKCS 12 package and password to the key recipient The agent should use a good password to encrypt the PKCS 12 package and set up an appropriate delivery mechanism 6 5 2 Key Recovery Agent Scheme The key recovery agent scheme configur...

Page 167: ...t MIIDbDCCAlSgAwIBAgIBDDANBgkqhkiG9w0BAQUFADA6MRgwFgYDVQQKEw9E b21haW4gc28gbmFtZWQxHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0wNjExMTQxODI2NDdaFw0wODEwMTQxNzQwNThaMD4 BTsU5A2sRUwNfoZSMs d5KLuXOHPyGtmC6yVvaY719hr9EGYuv0Sw6jb3WnEKHpjbUO vhFwTufJHWKXFN3V4pMbHTkqW x5fu 3QyyUre 5IhG0fcEmfvYxIyvZUJx aQBW437ATD99Kuh I FuYdW SqYHznHY8BqOdJwJ1JiJMNceXYAuAdk 9t70RztfAhBmkK0OOP0vH5BZ7RCwE3Y 6ycUdSyPZGGc7...

Page 168: ... numbers 4 Import the certificates into the web browser 5 Confirm that the key has been archived In the DRM s agent services page select Show completed requests If the key has been archived successfully there will be information about that key If the key is not shown check the logs and correct the problem If the key has been successfully archived close the browser window 6 Verify the key Send a si...

Page 169: ...e 9 Restore the key to the browser s database Import the p12 file into the browser and mail client 10 Open the test email The message should be shown again 6 7 Creating Data Recovery Manager Agents and Administrators When the subsystem is configured there is a default user created with both administrator and agent privileges This user can perform both administrator and agent operations and access ...

Page 170: ...certificate a Request and approve an SSL client certificate for the user if one has not already been generated b Copy the base 64 encoded certificate to a local file or to the clipboard c Select the new user entry and click Certificates d Click Import and paste in the base 64 encoded certificate For more information on editing user entries and managing user certificates see Section 16 4 Modifying ...

Page 171: ...th a DRM instance which will perform server side key generation and key archival and recovery for the keys and certificates stored on the smart cards After the TPS is configured Section 2 6 3 Configuring a TPS it is operational It is possible to further customize the TPS for specific deployments This chapter explains how to customize the TPS instance NOTE Unlike the other subsystems the TPS does n...

Page 172: ... means that the values of the other configuration parameters are the same between the instances The CA configuration parameters are listed in Table 7 2 CA Connection Settings The TKS configuration parameters are listed in Table 7 3 TKS Connection Settings The DRM configuration parameters are listed in Table 7 4 DRM Connection Settings 7 1 2 Configuring Multiple Instances for Different Functions Al...

Page 173: ...en userKey but also the type of certificate encryption It would be possible in this case to use different CAs for signing and encryption certificate enrollments The DRM parameters also specify the types of keys being generated and archived op enroll userKey keyGen encryption serverKeygen drm conn drm1 op enroll tokenKey keyGen encryption serverKeygen drm conn drm2 The format operation parameters a...

Page 174: ...en automatically by setting the appropriate parameters in the CS cfg file The TPS can also be configured with other options such as requiring LDAP authentication and setting which subsystem instances will process the formatting operations The parameters are listed in Table 7 10 Format Operation Preferences 7 3 Resetting the Smart Card PIN The PIN is the password which protects the certificates and...

Page 175: ...the actual name of the file as well as the update applet requiredVersion parameter The TPS queries the applet version on the smart card before trying to execute any operations If the update feature is enabled and the applet version from the client is different from the one specified by the update applet requiredVersion parameter the TPS updates the applet automatically NOTE The TPS audit log shows...

Page 176: ...add to the default virtual host configuration ScriptAlias and DocumentRoot Additionally the NSSVerifyClient parameter is reset to none and the port numbers should be reset to the TPS secure port For example Listen 0 0 0 0 7890 VirtualHost _default_ 7890 ScriptAlias cgi bin var lib rhpki tps cgi bin DocumentRoot var lib rhpki tps docroot ErrorLog var lib rhpki tps logs error1_log TransferLog var li...

Page 177: ...y to back up the key material for later recovery which means the keys should be generated outside the smart card and then imported The keys are generated in the DRM subsystem where the keys can also be archived The TPS TKS and DRM must all be configured to generate and archive encryption keys To configure server side key generation for the TPS do the following 1 Set up the TPS subsystem as one of ...

Page 178: ... the TPS to generate and archive keys a Stop the TPS etc init d instance_ID stop b Edit the following parameters in the TPS CS cfg file to use the appropriate DRM connection information conn drm totalConns 1 conn drm1 hostport DRM_HOST DRM_SSLPORT conn drm1 clientNickname Server Cert conn drm1 servlet GenerateKeyPair kra GenerateKeyPair conn drm1 servlet TokenKeyRecovery kra TokenKeyRecovery conn ...

Page 179: ...ccess change the following parameters in the profile files with the appropriate directory information policyset set1 p1 default params dnpattern UID request uid O Token Key User policyset set1 p1 default params ldap enable true policyset set1 p1 default params ldap basedn ou people dc host dc example dc com policyset set1 p1 default params ldapStringAttributes uid mail policyset set1 p1 default pa...

Page 180: ... and temporary certificates created The definition for which keys should be regenerated and which keys should be recovered is set in the following TPS CS cfg parameters For damaged tokens op enroll userKey keyGen recovery destroyed keyType num 2 op enroll userKey keyGen recovery destroyed keyType value 0 signing op enroll userKey keyGen recovery destroyed keyType value 1 encryption op enroll userK...

Page 181: ...1 3 Terminating a Smart Card If the user of the token has been terminated or has left the company then the administrator can disassociate the user from the token The TPS agent can change the status to This token has been terminated which terminates the certificates and keys on the token and breaks the association between the token and the user The physical token can still be formated and reused af...

Page 182: ... defKeySet mk_mappings 02 01 token_name nickname The values for the token_name and nickname follow the parameters outlined in Table 7 13 TKS Configuration Parameters for Key Update Mapping master keys in the TKS configuration is described in more detail in Section 8 3 Configuring the TKS to Associate the Master Key with Its Version 5 Start the TKS instance etc init d rhpki tks start 6 Stop the TPS...

Page 183: ...E If the mapping order parameter contains more than one mapping ID then each mapping ID is processed in sequential order until a target is determined or an error is returned If the mapping order parameter is missing then the code returns an error Each mapping ID references a series of parameters called filters Each filter may contain a specific value for the request to be tested against Empty or m...

Page 184: ...ate applet encryption true op format qaKey update symmetricKeys enable false op format qaKey update symmetricKeys requiredVersion 1 op format qaKey revokeCert true op format qaKey ca conn ca1 op format qaKey loginRequest enable true op format qaKey tks conn tks1 op format qaKey auth id ldap qa op format qaKey auth enable true LDAP Connection settings for devKey auth instance 0 type LDAP_Authentica...

Page 185: ...ntication 4 The format operation completes When the token is selected in the Enterprise Security Client the Enterprise Security Client sends in the applet version CUID ATR and other information about the token to the TPS server TPS server checks the op format mapping section in the CS cfg file and figures out which tokenType to use for the token either devKey or qaKey It then uses the appropriate ...

Page 186: ...t verbose 10 is most verbose For example 2005 04 29 13 47 08 b65b9828 Upgradeop applet_upgrade app_ver 1 2 416DA155 new_app_ver 1 3 42659461 2005 04 29 13 47 08 b65b9828 Formatstatus success app_ver 1 3 42659461 key_ver 0 cuid 40900062FF02000065C5 msn FFFFFFFF uid time 45389 msec 2005 04 29 15 56 06 b65b9828 Enrollmentstatus success app_ver 1 3 42659461 key_ver 0101 cuid 40900062FF020000649D msn F...

Page 187: ...l logging logging audit enable Enables audit logging The valid values are true false logging audit filename The full path to the audit log file name For example tmp tps audit log logging audit level The audit log level The levels range from 0 to 10 0 No logging 4 LL_PER_SERVER Messages that happen only during startup or shutdown 6 LL_PER_CONNECTION Messages that happen per connection 8 LL_PER_PDU ...

Page 188: ...n hostport The Certificate Authority hostname and port number The format is hostname port This should be the CA s end entity SSL port conn can clientNickname The client certificate nickname This certificate is used by the TPS when connecting to the CA This client certificate should be trusted by the CA and the client should be a configured CA agent conn can servlet enrollment The servlet that perf...

Page 189: ... connection to the TKS This value must be true conn tksn keepAlive Sets whether to keep the connection to the TKS alive or terminate it after every operation The valid values are true false conn tksn serverKeygen Sets where key generation happens When set to true key generation happens on the server When set to false key generation happens on the client or token conn tks1 servlet computeSessionKey...

Page 190: ... n attributes The LDAP attributes of the user entry to be retrieved if attributes are present such as auth instance 0 attributes mail cn uid Once retrieved these attributes can be used in other parameter entries as auth attr name For example op enroll userKey keyGen tokenName userid auth cn auth instance n type The authentication type to use This must be LDAP_Authentication auth instance n library...

Page 191: ...on Parameter Description channel encryption Sets whether the data being transmitted between the TPS and the token is to be encrypted The valid values are true false Table 7 6 Encrypted Channels Between the TPS and Tokens Operation can be enroll PIN reset or format n is an integer Parameter Description op Operation mapping order The order of the mappings The format is n n n For example 0 1 2 These ...

Page 192: ...okenType to select for this mapping For example userKey Table 7 7 Mapping and Filters Parameter Description op enroll tokenType temporaryToken tokenType The tokenType to use for temporary tokens tokenType typically refers to the profile defining how many certificates should be generated how keys should be recovered and what format should be used op enroll tokenType keyGen recovery destroyed keyTyp...

Page 193: ...mised 2 CA key compromised 3 Affiliation changed 4 Certificate superseded 5 Cessation of operation 6 Certificate is on hold op enroll tokenType keyGen recovery keyCompromise keyType num The number of key types for recovery for the tokens whose keys are compromised op enroll tokenType keyGen recovery keyCompromise keyType value n Specifies keyType The default values are signing encryption op enroll...

Page 194: ...promised 2 CA key compromised 3 Affiliation changed 4 Certificate superseded 5 Cessation of operation 6 Certificate is on hold op enroll tokenType keyGen recovery onHold keyType num The number of key types for the tokens to put on hold for temporary loss reasons The valid values are integers The default is 2 op enroll tokenType keyGen recovery onHold keyType value n Specifies keyType The default v...

Page 195: ... default value is 0 The valid values are as follows 0 Unspecified 1 Key compromised 2 CA key compromised 3 Affiliation changed 4 Certificate superseded 5 Cessation of operation 6 Certificate is on hold op enroll tokenType keyGen tokenName The name of the token to use The TPS can substitute some special strings For example if using cuid the tokenName is substituted with the CUID of the token if usi...

Page 196: ...nType keyGen signing private keyCapabilities signRecover op enroll tokenType keyGen signing private keyCapabilities decrypt op enroll tokenType keyGen signing private keyCapabilities derive op enroll tokenType keyGen signing private keyCapabilities unwrap op enroll tokenType keyGen signing private keyCapabilities wrap op enroll tokenType keyGen signing private keyCapabilities verifyRecover op enro...

Page 197: ... op enroll tokenType keyGen encryption public keyCapabilities verifyRecover op enroll tokenType keyGen encryption public keyCapabilities verify op enroll tokenType keyGen encryption public keyCapabilities sensitive op enroll tokenType keyGen encryption public keyCapabilities private op enroll tokenType keyGen encryption public keyCapabilities token op enroll tokenType keyGen encryption private key...

Page 198: ...ecifies if applet upgrade is turned on The valid values are true false op enroll tokenType update applet requiredVersion The version of the applet to use It should be the filename of the applet without the ijc extension op enroll tokenType update applet directory The local filesystem directory where the applets are located op enroll tokenType update symmetricKeys enable Specifies if the key change...

Page 199: ...icKeys requiredVersion op pinReset tokenType update symmetricKeys requiredVersion The required key version op pinReset tokenType loginRequest enable Specifies if the login request should be sent to the token This parameter enables authentication The valid values are true false op pinReset tokenType pinReset pin minLen The minimum number of characters for the PIN op pinReset tokenType pinReset pin ...

Page 200: ...uth id The LDAP authentication instance to use The default value is ldap1 op format tokenType auth enable Specifies whether to authenticate the user information The valid values are true false op format tokenType issuerinfo enable Specifies whether the Phone Home information for the Enterprise Security Client is set The valid values are true false op format tokenType issuerinfo value Sets the Phon...

Page 201: ...seDN Change these templates only to change the appearance of the TPS agent page tokendb indexTemplate tokendb indexAdminTemplate tokendb newTemplate tokendb showTemplate tokendb showCertTemplate tokendb errorTemplate tokendb searchTemplate tokendb searchResultTemplate tokendb searchCertificateResultTemplate tokendb editTemplate tokendb editResultTemplate tokendb addResultTemplate tokendb deleteTem...

Page 202: ...Generation and Table 7 13 TKS Configuration Parameters for Key Update Parameter Description tks drm_transport_cert_nickname DRM Transport nickname The DRM transport certificate nickname This needs to be set to enable server side key generation Table 7 12 TKS Configuration Parameters for Key Generation Parameter Description tks mk_mappings 01 01 tokenname nickname The version 1 master key nickname ...

Page 203: ...security relies on the relationship between the master key and the token keys The functions provided by the TKS include the following Helps establish a secure channel signed and encrypted between the token and TPS Provides proof of presence for the security token during enrollment Supports key changeover when the master key changes on the TKS Tokens with older keys get new token keys NOTE Because ...

Page 204: ...a and resident master key KCV from the file called file wrapped data 47C0 06DB 7D3F D9ED FE91 7E6F A7E5 91B9 master key KCV CED9 4A7B pre computed KCV of the master key residing inside the wrapped data Using the transport key to temporarily unwrap the master key to recompute its KCV value to check against its pre computed KCV value master key KCV CED9 4A7B computed KCV of the master key residing i...

Page 205: ...llowing 1 Install the TKS subsystem 2 After the TKS instance is configured generate the TKS master key on the HSM using the tksTool By default during installation the TKS master key is generated on the software token For example tksTool M n new_master d var lib rhpki tks alias h nethsm This generates a master key named new_master on the nethsm token for the rhpki tks instance For more information ...

Page 206: ...ey Service Agents and Administrators When the subsystem is configured there is a default user created with both administrator and agent privileges This user can perform both administrator and agent operations and access the Console and the agent services page To create an additional administrator agent or auditor create a user in the Certificate System instance where the user will have privileges ...

Page 207: ...the user s certificate a Request and approve an SSL client certificate for the user if one has not already been generated b Copy the base 64 encoded certificate to a local file or to the clipboard c Select the new user entry and click Certificates d Click Import and paste in the base 64 encoded certificate For more information on editing user entries and managing user certificates see Section 16 4...

Page 208: ...188 ...

Page 209: ...m Enterprise Security Client is the method for the tokens to be enrolled Enterprise Security Client communicates over an SSL HTTP channel to the backend of the TPS It is based on an extensible Mozilla XULRunner framework for the user interface while retaining a legacy web browser container for a simple HTML based UI After a token is properly enrolled web browsers can be configured to recognize the...

Page 210: ...190 ...

Page 211: ...pes of certificates for different uses and in different formats Planning which certificates are required and planning how to manage them are important to manage both the PKI and the Certificate System instances Section 10 1 1 Types of Certificates Section 10 1 2 Determining Which Certificates to Install Section 10 1 3 Certificate Data Formats Section 10 1 4 Certificate Setup Wizard 10 1 1 Types of...

Page 212: ...icate Manager has a CA signing certificate with a public private key pair it uses to sign the certificates and CRLs it issues This certificate is created and installed when the Certificate Manager is installed The Certificate Manager s status as a root or subordinate CA is determined by whether its CA signing certificate is self signed or is signed by another CA Self signed root CAs set the polici...

Page 213: ... is one of the standard forms listed in the end entities page of the Certificate Manager When generating dual key pairs set the certificate profiles to work correctly when generating separate certificates for signing and encryption 10 1 1 6 Cross Pair Certificates The Certificate System can issue import and publish cross pair CA certificates With cross pair certificates one CA signs and issues a c...

Page 214: ...on occurs if a subordinate CA s CA certificate is replaced by one with a new key pair all certificates issued by that CA are invalidated and will no longer work If the CA is configured to publish to the OCSP and it has a new CA signing certificate or a new CRL signing certificate the CA must be identified again to the OCSP If a new transport certificate is created for the DRM the DRM information m...

Page 215: ...equence while the content field has the following structure CertificateSequence SEQUENCE OF Certificate This format allows multiple certificates to be downloaded at once 10 1 3 2 Text Any of the binary formats can be imported in text form The text form begins with the following line BEGIN CERTIFICATE Following this line is the certificate data which can be in any of the binary formats described Th...

Page 216: ...ificate System CA the certificate must be issued and retrieved before it can be installed through the wizard 10 2 Requesting and Receiving Certificates The process of receiving a certificate is simple 1 An end entity requests a certificate 2 The certificate request is submitted to the CA 3 The request is verified by authenticating the entity which requested it and by confirming that it meets the c...

Page 217: ...end entities pages can be accessed by any user Those enrollment forms can be used to request user and agent certificates See Section 10 2 1 1 Requesting a User or Agent Certificate through the End Entities Page Certificate Wizard Server and Subsystem Certificates The administrative console can only be accessed by administrators The Console can be used to create requests for CA OCSP and CRL signing...

Page 218: ... the request process generates a private key on the local machine If location independence is required the user can also use a hardware token such as a smart card to store the key pair and the certificate To create a user certificate do the following 1 Open the Certificate Manager s end entities page https server example com 9443 ca ee ca 2 Select the user certificate enrollment form from the list...

Page 219: ... NOTE It is important that the agent or user generate and submit the client request from the computer that will be used later to access the subsystem because part of the request process generates a private key on the local machine If location independence is required the user can also use a hardware token such as a smart card to store the key pair and the certificate To create a certificate reques...

Page 220: ...certificate type to request The types of certificates that can be requested varies depending on the subsystem For a CA CA signing certificate OCSP signing SSL server certificates Other certificate For a DRM Transport certificate OCSP signing SSL server certificates Other certificate For an OCSP or TKS OCSP signing SSL server certificates ...

Page 221: ...certificate NOTE If selecting to create an other certificate the Certificate Type field becomes active Fill in the type of certificate to create either caCrlSigning for the CRL signing certificate or client for an SSL client certificate ...

Page 222: ...Certificate Manager after selecting the type of certificate select which type of CA will sign the request For a CA signing certificate the options are to use a root CA or a subordinate CA For all other certificates the options are to use the local CA signing certificate or to create a request to submit to another CA ...

Page 223: ...y database directory internal or one of the listed external tokens Generate a new key pair Set the key algorithm and size The key algorithm must be RSA The recommended length for an RSA key is 2048 bits or higher to be crytpographically strong 9 Select the message digest algorithm the choices are MC2 MD5 SHA1 SHA256 and SHA512 ...

Page 224: ...Chapter 10 Managing Certificates 204 Figure 10 5 Setting the Hashing Algorithm 10 Give the subject name Either enter values for individual DN attributes to build the subject DN or enter the full string ...

Page 225: ...he Certificate System in the format machine_name domain domain 11 Only when requesting a certificate through the Certificate Manager Console and submitting the request to the Certificate Manager automatically Specify the start and end dates of the validity period for the certificate and the time at which the validity period will start and end on those dates ...

Page 226: ...en requesting a certificate through the Certificate Manager Console submitting the request to the Certificate Manager automatically Set the standard extensions for the certificate The required extensions are chosen by default To change the default choices read the guidelines explained in Appendix A Certificate and CRL Extensions ...

Page 227: ...them as either a subordinate SSL CA which allows them to issue certificates for SSL or a subordinate email CA which allows them to issue certificates for secure email Disabling certificate extensions means that CA hierarchies cannot be set up Basic Constraints The associated fields are CA setting and a numeric setting for the certification path length Extended Key Usage Authority Key Identifier Su...

Page 228: ...C 2459 See http www ietf org rfc rfc2459 txt for a description of the Key Usage extension Base 64 SEQUENCE of extensions This is for custom extensions Paste the extension in MIME 64 DER encoded format into the text field To add multiple extensions use the ExtJoiner program For information on using the tools see the Certificate System Command Line Tools Guide 13 The wizard generates the key pairs a...

Page 229: ...t The request is in base 64 encoded PKCS 10 format and is bounded by the marker lines BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST For example BEGIN NEW CERTIFICATE REQUEST MIICJzCCAZCgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBC6SAwHgYDVQQKExdOZXRzY2FwZSBDb21tdW5pY2 ...

Page 230: ...rtificates such as Certificate Manager CRL signing certificate or SSL client certificate Table 10 2 Files Created for Certificate Signing Requests Do not modify the certificate request before sending it to the CA The request can either be submitted automatically through the wizard or copied to the clipboard and manually submitted to the CA through its end entities page NOTE The wizard s auto submi...

Page 231: ...e output file to which to save the certificate request v The validity period in months d Certificate database directory this is the directory for the subsystem instance numbers 1 8 These set the available certificate extensions Only eight can be specified through the certutil tool Key Usage 1 Basic Constraints 2 Certificate Authority Key ID 3 CRL Distribution Point 4 Netscape Certificate Type 5 Ex...

Page 232: ...ment forms for submitting certificate requests depending on the subsystem and purpose of the certificate Certificates created through the Console or through the certutil command line utility can be submitted through an enrollment form Through a third party CA Outside CAs such as VeriSign have online or other types of certificate request enrollments the requests created by the Certificate System ad...

Page 233: ...m CA EE port number The end entity port number Yes it s the SSL secure server port Indicates that the end entity port number specified is the SSL port The certificate wizard returns a request ID for the request which can be used in the end entities page later and the request is queued for agent approval When the request is approved the CA signs the ...

Page 234: ...he Certificate Manager https ca example com 9443 ca ee ca 3 In Certificate Profiles of the Enrollment tab click on the appropriate form to submit the request Some of the common forms are as follows For user certificates including agent certificates Manual User Dual Use Certificate Enrollment Manual User Signing Encryption Certificates Enrollment For server certificates Manual Server Certificate En...

Page 235: ...ICATE REQUEST marker lines Requester Name This is the common name of the person requesting the certificate Requester Email This is the email address of the requester The agent or CA system will use this address to contact the requester when the certificate is issued For example jdoe someCompany com Requester Phone This is the contact phone number of the requester The submitted request is queued fo...

Page 236: ...ng the marker lines BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST to a text file or the clipboard 2 Open the external CA s home page in a web browser submit the certificate request in the appropriate form for the certificate type 3 When the CA responds save the information in a text file 4 When the certificate is retrieved from the CA install it following the instructions in Sectio...

Page 237: ...icate request was submitted and click Submit 4 The next page shows the status of the certificate request If the status is complete then there is a link to the certificate Click the Issued certificate link Figure 10 13 New Certificate Link 5 The new certificate information is shown in pretty print format in base 64 encoded format and in PKCS 7 format ...

Page 238: ...coded certificate including the BEGIN CERTIFICATE and END CERTIFICATE marker lines to a text file Save the text file and use it to store a copy of the certificate in a subsystem s internal database See Section 16 2 Creating Users 10 3 Managing User Certificates User certificates have to be imported into the appropriate applications for users and agents to be able to perform certain operations For ...

Page 239: ...t a user and click Certificates A list of certificates installed for that user is shown Add users certificates by doing the following 1 Log into the subsystem console pkiconsole https hostname SSLport subsystem 2 In the Configuration tab select Users and Groups 3 In the Users tab select a user and click Certificates 4 In the Manage User Certificates dialog click Import 5 In the text area of the Im...

Page 240: ...ate chain is imported the first certificate in the chain must be the CA certificate Any subsequent certificates in the chain are added to the local database as untrusted CA certificates application x x509 email cert The certificate being downloaded is a user certificate belonging to another user for use with S MIME If a certificate chain is imported the first certificate in the chain must be the u...

Page 241: ...ormation on adding certificates to the database see Section 10 4 1 Installing Certificates in the Certificate System Database NOTE The Certificate System command line utility certutil can be used to manage the certificate database by editing trust settings and adding and deleting certificates For details about this tool see http www mozilla org projects security pki nss tools Administrators should...

Page 242: ...e local certificate database the wizard replaces the existing certificates with the ones in the chain If the chain includes intermediate CA certificates the wizard adds them to the certificate database as untrusted CA certificates The subsystem console uses the same wizard to install certificates and certificate chains To install certificates in the local security database do the following 1 Open ...

Page 243: ...ngerprint to make sure this is the correct certificate or use the Back button to go back and submit a different one Give a nickname for the certificate The wizard installs the certificate 6 Any CA that signed the certificate must be trusted by the subsystem Make sure that this CA s certificate exists in the subsystem s certificate database internal or external and that it is trusted If the CA cert...

Page 244: ... Hat servers it depends upon the options selected in the server administration interface Subsequent certificates are all treated the same If the certificates contain the SSL CA bit in the Netscape Certificate Type certificate extension and do not already exist in the local certificate database they are added as untrusted CAs They can be used for certificate chain validation as long as there is a t...

Page 245: ...subsystem operations User certificates are stored with the user entries in the LDAP internal database To view user certificates see Section 10 3 1 Managing Certificate System User and Agent Certificates 10 4 2 1 Viewing Database Content through the Console To view the contents of the database through the administrative console do the following 1 Open the Certificate System Console pkiconsole https...

Page 246: ...in the database this is internal To view more detailed information about the certificate select the certificate and click View This opens a window which shows the serial number validity period subject name issuer name and certificate fingerprint of the certificate 10 4 2 2 Viewing Database Content Using certutil To view the certificates in the subsystem database using certutil open the instance s ...

Page 247: ...If in doubt leave the certificates in the database as untrusted CA certificates see Section 10 4 4 Changing the Trust Settings of a CA Certificate Section 10 4 3 1 Deleting Certificates through the Console Section 10 4 3 2 Deleting Certificates Using certutil 10 4 3 1 Deleting Certificates through the Console To delete a certificate through the Console do the following 1 Open the Certificate Syste...

Page 248: ...uring an SSL enabled communication It can be necessary to change the trust settings on a CA stored in the certificate database temporarily or permanently For example if there is a problem with access or compromised certificates marking the CA certificate as untrusted prevents entities with certificates signed by that CA from authenticating to the Certificate System When the problem is resolved the...

Page 249: ...certificate by running the certutil with the M option certutil M n cert_nickname t trust d For example certutil M n Certificate Authority Example Domain t TCu TCu TCu d 4 List the certificates again to confirm that the certificate trust was changed certutil L d Certificate Authority Example Domain CTu CTu CTu subsystemCert cert subsystem u u u Server Cert cert example u u u For information about u...

Page 250: ...30 The version of SSL used during SSL communication The latest version is SSL version 3 but many older clients use SSL version 2 Because client authentication is required for performing privileged operations enable SSL version 3 ciphers ...

Page 251: ...ase is named key3 db These files are located in the instanceID alias directory 11 1 2 External Tokens An external token refers to an external hardware device such as a smart card or hardware security module HSM that the Certificate System uses to generate and store its key pairs and certificates The Certificate System supports any hardware tokens that are compliant with PKCS 11 PKCS 11 is a standa...

Page 252: ...ted show a status of Found and is individually marked as either Logged in or Not logged in If a token is found but not logged in it is possible to log in using the Login under Operations If the administrator can log into a token successfully the password is stored in a configuration file At the next start or restart of the Certificate System instance the passwords in the password store are used to...

Page 253: ...w the vendor s instructions When installing a hardware token there is an opportunity to name it Use a name that will help identify the token later 2 Install the PKCS 11 module The PKCS 11 module is installed using the modutil command line utility a Open the alias directory for the subsystem which is being configured with the PKCS 11 module For example cd var lib rhpki ca alias b The required secur...

Page 254: ... certificates for the subsystems is protected encrypted by a password To decrypt the key pairs or to gain access to them enter the token password This password is set when the token is first accessed usually during Certificate System installation It is good security practice to change the password that protects the server s keys and certificates periodically Changing the password minimizes the ris...

Page 255: ...tographic accelerators with external tokens Many of the accelerators provide the following security features Fast SSL connections Speed is important to accommodate a high number of simultaneous enrollment or service requests Hardware protection of private keys These devices behave like smart cards by not allowing private keys to be copied or removed from the hardware token This is important as a p...

Page 256: ...236 ...

Page 257: ...four years the request is rejected since the constraints allow a maximum of two years validity period for this type of certificate A set of certificate profiles have been predefined for the most common certificates issued These certificate profiles define defaults and constraints associate the authentication method and define the needed inputs and outputs for the certificate profile Additional def...

Page 258: ... approved manual enrollment an enrollment where no authentication plug in is configured the certificate request is queued in the agent services interface The agent can change some aspects of the enrollment request validate it cancel it reject it update it or approve it The agent is able to update the request without submitting it or validate that the request adheres to the profile s defaults and c...

Page 259: ... constraints that control the certificate content Changing the constraints set up by changing the value of the parameters Changing the authentication method Changing the inputs by adding or deleting inputs in the certificate profile which control the fields on the input page Adding or deleting the output It is possible to modify existing defaults constraints inputs and outputs and create new ones ...

Page 260: ...a new certificate profile click Add In the Select Certificate Profile Plugin Implementation window select the type of certificate for which the profile is being created Figure 12 2 Certificate Profile Plugin Implementation Window 4 Fill in the profile information in the Certificate Profile Instance Editor ...

Page 261: ...s usually set to true Setting this to false allows a signed request to be processed through the Certificate Manager s certificate profile framework rather than through the input page for the certificate profile Certificate Profile Authentication This sets the authentication method An automated authentication is set by providing the instance ID for the authentication instance If this field is blank...

Page 262: ... policies in the Policies tab of the Certificate Profile Rule Editor window The Policies tab lists policies that are already set by default for the profile type a To add a policy click Add Figure 12 4 Certificate Profile Policy Editor b Choose the default from the Default field choose the constraints associated with that policy in the Constraints field and click OK ...

Page 263: ...lts Tab c Fill in the policy set ID When issuing dual key pairs separate policy sets define the policies associated with each certificate Then fill in the certificate profile policy ID a name or identifier for the certificate profile policy d Configure any parameters in the Defaults and Constraints tabs ...

Page 264: ...Constraints defines valid values for the defaults See Section 12 7 Defaults Reference and Section 12 8 Constraints Reference for complete details for each default or constraint To modify an existing policy select a policy and click Edit Then edit the default and constraints for that policy To delete a policy select the policy and click Delete 8 Set inputs in the Inputs tab of the Certificate Profi...

Page 265: ...nsole 245 Figure 12 7 Certificate Profile Inputs b Choose the input from the list and click OK See Section 12 5 Input Reference for complete details of the default inputs c The New Certificate Profile Editor window opens Set the input ID and click OK ...

Page 266: ...delete an input select the input and click Delete 9 Set up outputs in the Outputs tab of the Certificate Profile Rule Editor window Outputs must be set for any certificate profile that uses an automated authentication method no output needs to be set for any certificate profile that uses agent approved authentication The Certificate Output type is set by default for all profiles and is added autom...

Page 267: ...ose the output from the list and click OK c Give a name or identifier for the output and click OK This output will be listed in the output tab You can edit it to provide values to the parameters in this output To delete an output select the output from list and click Delete 10 To modify an existing certificate profile select a certificate profile click Edit View The Certificate Profile Rule Editor...

Page 268: ...directory instance_directory profiles ca such as var lib rhpki ca profiles ca The file is named profile_name cfg All of the parameters for profile rules set or modified through the Console such as defaults inputs outputs and constraints are written to the profile configuration file NOTE Restart the server after editing the profile configuration file for the changes to take effect Section 12 3 2 1 ...

Page 269: ... i1 i2 input input_id class_id Gives the java class name for the input by input ID the name of the input listed in input list For example input i1 class_id certReqInputImpl output list Lists the possible output formats for the profile by name For example output list o1 output output_id class_id Gives the java class name for the output format named in output list For example output o1 class_id cert...

Page 270: ...class_id keyUsageExtConstraintImpl policyset cmcUserCertSet 6 constraint name Key Usage Extension Constraint policyset cmcUserCertSet 6 constraint params keyUsageCritical true policyset cmcUserCertSet 6 constraint params keyUsageCrlSign false policyset cmcUserCertSet 6 constraint params keyUsageDataEncipherment false policyset cmcUserCertSet 6 constraint params keyUsageDecipherOnly false policyset...

Page 271: ...he that particular certificate profile form Inputs are the fields in the end entities page enrollment forms There is a parameter input list which lists the inputs included in that profile Other parameters define the inputs these are identified by the format input ID For example this adds a generic input to a profile input list i1 i2 i3 i4 input i4 class_id genericInputImpl input i4 params gi_displ...

Page 272: ...rollment ldap minConns auths instance UserDirEnrollment ldap ldapconn host localhost auths instance UserDirEnrollment ldap ldapconn port 389 auths instance UserDirEnrollment ldap ldapconn secureConn false The ldapStringAttributes parameter instructs the authentication plug in to read the value of the mail attribute from the user s LDAP entry and put that value in the certificate request When the v...

Page 273: ...cn attribute of the suer who requested the certificate request auth_token uid This inserts the LDAP user ID uid attribute of the user who requested the certificate request bodyPartId request profileApprovedBy This inserts the name of the Certificate System agent who approved the certificate request auth_token authMgrImplName This inserts the type of authentication plug in which authenticated the u...

Page 274: ...to the CA s end entities directory instance_directory webapps ca ee ca directory 5 Customize the form as desired 6 The form can be accessed by going to https server example com 9443 ca ee ca MyServerEnrollment html 12 4 Certificate Profile Reference A set of certificate profiles have been predefined for the types of certificates that are usually issued by a CA All certificate profiles are installe...

Page 275: ...tificate Request Input The CMC Certificate Request input is used for enrollments using a Certificate Message over CMS CMC certificate request is submitted in the request form The request type is preset to CMC and the only field is the Certificate Request text area in which to paste the request 12 5 3 Dual Key Generation Input The Dual Key Generation input is for enrollments in which dual key pairs...

Page 276: ... form Token Key CUID This field gives the CUID contextually unique user ID for the token device Token Key User Public Key This field gives the path and name of the file containing the token user s public key 12 5 8 nsNcertificateRequest Token User Key Input The Token User Key input is used to enroll keys for the user of a hardware token for agents to use the token later for certificate based authe...

Page 277: ... changed It does not display anything other than the certificate in pretty print format This output needs to be specified for any automated enrollment Once a user successfully authenticates using the automated enrollment method the certificate is automatically generated and this output page is returned to the user In an agent approved enrollment the user can get the certificate once it is issued b...

Page 278: ...should not be used to point directly to the CRL location maintained by a CA the CRL Distribution Points extension Section 12 7 4 CRL Distribution Points Extension Default provides references to CRL locations For general information about this extension see Section A 3 1 authorityInfoAccess The following constraints can be defined with this default Extension Constraint see Section 12 8 3 Extension ...

Page 279: ...entifier extension to the certificate The extension identifies the public key that corresponds to the private key used by a CA to sign certificates This default has no parameters If used this extension is included in the certificate with the public key information This default takes the following constraint No Constraints see Section 12 8 6 No Constraint For general information about this extensio...

Page 280: ...ification process to identify CA certificates and to apply certificate chain path length constraints For general information about this extension see Section A 3 3 basicConstraints The following constraints can be defined with this default Basic Constraints Extension Constraint see Section 12 8 1 Basic Constraints Extension Constraint Extension Constraint see Section 12 8 3 Extension Constraint No...

Page 281: ...n obtain the CRL information to verify the revocation status of the certificate For general information about this extension see Section A 3 5 CRLDistributionPoints The following constraints can be defined with this default Extension Constraint see Section 12 8 3 Extension Constraint No Constraints see Section 12 8 6 No Constraint This default defines up to five locations with parameters for each ...

Page 282: ...Chapter 12 Certificate Profiles 262 Parameter IssuerName_n IssuerType_n ...

Page 283: ...ay be used For example if the key usage extension identifies a signing key the Extended Key Usage extension can narrow the usage of the key for only signing OCSP responses or only Java applets Usage Server authentication Client authentication Code signing Email IPsec end system IPsec tunnel IPsec user Timestamping Table 12 6 PKIX Usage Definitions for the Extended Key Usage Extension Windows 2000 ...

Page 284: ...y Usage Extension Constraint Extension Constraint see Section 12 8 3 Extension Constraint No Constraints see Section 12 8 6 No Constraint Parameter Critical OIDs Table 12 7 Extended Key Usage Extension Default Configuration Parameters 12 7 6 Freshest CRL Extension Default This default attaches the Freshest CRL extension to the certificate The following constraints can be defined with this default ...

Page 285: ...Freshest CRL Extension Default 265 Parameter PointName_n PointIssuerName_n ...

Page 286: ...tive Name extension is used to associate Internet style identities with the certificate issuer The following constraints can be defined with this default Extension Constraint see Section 12 8 3 Extension Constraint No Constraints see Section 12 8 6 No Constraint This default defines five locations with parameters for each location The parameters are marked with an n in the table to show with which...

Page 287: ... certificate should be used such as data signing key encryption or data encryption which restricts the usage of a key pair to predetermined purposes For general information about this extension see Section A 3 8 keyUsage The following constraints can be defined with this default Key Usage Constraint see Section 12 8 5 Key Usage Extension Constraint Extension Constraint see Section 12 8 3 Extension...

Page 288: ...ject alternative names in subsequent certificates in a certificate chain should be located For general information about this extension see Section A 3 9 nameConstraints The following constraints can be defined with this default Extension Constraint see Section 12 8 3 Extension Constraint No Constraints see Section 12 8 6 No Constraint This default defines up to five locations for both the permitt...

Page 289: ...Name Constraints Extension Default 269 Parameter PermittedSubtreesmax_n PermittedSubtreeNameChoice_n PermittedSubtreeNameValue_n ...

Page 290: ...Chapter 12 Certificate Profiles 270 Parameter PermittedSubtreeEnable_n ExcludedSubtreesn min ExcludedSubtreeMax_n ExcludedSubtreeNameChoice_n ...

Page 291: ...Name Constraints Extension Default 271 Parameter ExcludedSubtreeNameValue_n ExcludedSubtreeEnable_n Table 12 11 Name Constraints Extension Default Configuration Parameters ...

Page 292: ...te is used or viewed For general information about this extension see Section A 6 2 netscape comment The following constraints can be defined with this default Extension Constraint see Section 12 8 3 Extension Constraint No Constraints see Section 12 8 6 No Constraint Parameter critical CommentContent Table 12 12 Netscape Comment Extension Configuration Parameters 12 7 12 No Default Extension This...

Page 293: ...alidation in two ways either to prohibit policy mapping or to require that each certificate in a path contain an acceptable policy identifier The default can specify both ReqExplicitPolicy and InhibitPolicyMapping PKIX standard requires that if present in a CA certificate the extension must never consist of a null sequence At least one of the two specified fields must be present For general inform...

Page 294: ...jectDomainPolicy The pairing indicates that the issuing CA considers the issuerDomainPolicy equivalent to the subjectDomainPolicy of the subject CA The issuing CA s users may accept an issuerDomainPolicy for certain applications The policy mapping tells these users which policies associated with the subject CA are equivalent to the policy they accept For general information about this extension se...

Page 295: ...tes fields defined in the automated enrollment modules If authenticated attributes need to be part of this extension use values from the request token For example to enable the Subject Alternative Name extension in the caDirUserCert profile for the mail LDAP attribute for the user to authenticate against to obtain a certificate use the following configuration policyset serverCertSet 9 constraint n...

Page 296: ...t contains an attribute the profile reads its value and sets it in the extension The extension added to the certificates contain all the configured attributes Multiple attributes can be set for a single extension Up to five subject alternative names can be set the subjAltNameNumGNs parameter controls how many of the listed attributes are required to be added to the certificate This parameter must ...

Page 297: ... default attaches a Subject Directory Attributes extension to the certificate The Subject Directory Attributes extension conveys any desired directory attribute values for the subject of the certificate The following constraints can be defined with this default Extension Constraint see Section 12 8 3 Extension Constraint No Constraints see Section 12 8 6 No Constraint Parameter Critical Name Patte...

Page 298: ... key information The following constraints can be defined with this default Extension Constraint see Section 12 8 3 Extension Constraint No Constraints see Section 12 8 6 No Constraint 12 7 20 Subject Name Default This default attaches a server side configurable subject name to the certificate request A static subject name is used as the subject name in the certificate The following constraints ca...

Page 299: ...ore enrolling a certificate The user defined extension is validated against whatever constraint is set so it is possible to restrict the kind of extension through the Extension Constraint or to set rules for the key and other basic constraints such as whether this is a CA certificate NOTE If this extension is set on a profile with a corresponding OID Extension Constraint then any certificate reque...

Page 300: ...n 12 8 6 No Constraint This example adds the User Supplied Extension Default to a profile with the Basic Constraints Extension Constraint The OID specified in the userExtOID parameter is for the Basic Constraints Extension Constraint policyset set1 p5 default params keyUsageNonRepudiation true policyset set1 p6 constraint class_id basicConstraintsExtConstraintImpl policyset set1 p6 constraint name...

Page 301: ...he certificate is issued The following constraints can be defined with this default Subject Name Constraint see Section 12 8 9 Subject Name Constraint Unique Subject Name Constraint see Section 12 8 10 Unique Subject Name Constraint No Constraints see Section 12 8 6 No Constraint 12 7 26 User Supplied Validity Default This default attaches a user supplied validity to the certificate request If inc...

Page 302: ...le contents of a certificate and the values associated with that content This section lists the predefined constraints with complete definitions of each 12 8 1 Basic Constraints Extension Constraint The Basic Constraints extension constraint checks if the basic constraint in the certificate request satisfies the criteria set in this constraint Parameter Critical IsCA PathLen ...

Page 303: ...xtended Key Usage Extension Constraint Configuration Parameters 12 8 3 Extension Constraint This constraint implements the general extension constraint It checks if the extension is present 12 8 4 Key Constraint This constraint checks the key length Parameter keyType keyMinLength keyMaxLength Table 12 23 Key Constraint Configuration Parameters 12 8 5 Key Usage Extension Constraint The Key Usage ex...

Page 304: ...apter 12 Certificate Profiles 284 Parameter keyEncipherment dataEncipherment keyAgreement keyCertsign cRLSign encipherOnly decipherOnly Table 12 24 Key Usage Extension Constraint Configuration Parameters ...

Page 305: ... in the certificate request satisfies the criteria set in this constraint Parameter signingAlgsAllowed Table 12 25 Signing Algorithms Constraint Configuration Parameters 12 8 9 Subject Name Constraint The Subject Name constraint checks if the subject name in the certificate request satisfies the criteria Parameter Pattern Table 12 26 Subject Name Constraint Configuration Parameters The Subject Nam...

Page 306: ...either ou engineering ou people or ou engineering o Example Corp the pattern is ou engineering ou people ou engineering o Example Corp NOTE For constructing a pattern which uses a special character such as a period escape the character with a back slash For example to search for the string o Example Inc set the pattern to o Example Inc 12 8 10 Unique Subject Name Constraint The Unique Subject Name...

Page 307: ...r marks the corresponding certificate records in its internal database as revoked and if configured to do so removes the revoked certificates from the publishing directory and updates the CRL in the publishing directory 13 1 1 SSL Client Authenticated Revocation When an end user submits a certificate revocation request the first step in the revocation process is for the Certificate Manager to iden...

Page 308: ...certificates do the following Set up an instance of the CMCAuth Authentication plug in module An instance is enabled and configured by default Use the agent certificate to sign revocation requests 13 2 1 1 revoker Utility The CMC revocation utility revoker is used to sign a revocation request with an agent s certificate This utility has the following syntax revoker d instance alias n cert_nickname...

Page 309: ...ick Submit 8 The returned page should confirm that correct certificate was been revoked 13 3 About CRLs Server and client applications that use public key certificates as ID tokens need access to information about the validity of a certificate Because one of the factors that determines the validity of a certificate is its revocation status these applications need to know whether the certificate be...

Page 310: ...ager can revoke any certificate it has issued There are generally accepted reason codes for revoking a certificate that are often included in the CRL such as the following 0 Unspecified no particular reason is given 1 The private key associated with the certificate was compromised 2 The private key associated with the CA that issued the certificate was compromised 3 The owner of the certificate is...

Page 311: ...onPoint extension 13 3 4 Delta CRLs Delta CRLs can be issued for any defined issuing point A delta CRL contains information about any certificates revoked since the last update to the full CRL Delta CRLs for an issuing point are created by enabling the DeltaCRLIndicator extension 13 3 5 How CRLs Work CRLs are generated when issuing points are defined and configured and any CRL extensions are enabl...

Page 312: ...the old CRL in the attribute containing the CRL in the directory entry By default CRLs do not contain information about revoked expired certificates The server can include revoked expired certificates by enabling that option for the issuing point If expired certificates are included information about revoked certificates is not removed from the CRL when the certificate expires If expired certifica...

Page 313: ...ired in the CRL CRL from certificate profiles which determines the revoked certificates to include based on the profiles used to create the certificates originally 3 Configure the CRLs for each issuing point See Section 13 4 2 Configuring CRLs for Each Issuing Point for details 4 Set up the CRL extensions which are configured for the issuing point See Section 13 4 3 Setting CRL Extensions for deta...

Page 314: ...d an issuing point click Add The CRL Issuing Point Editor window opens Figure 13 2 CRL Issuing Point Editor NOTE If some fields do not appear large enough to read the content expand the window by dragging one of the corners Fill in the following fields Enable Enables the issuing point if selected deselect to disable CRL Issuing Point name Gives the name for the issuing point spaces are not allowed...

Page 315: ...icate Manager and then select CRL Issuing Points 3 Select the issuing point name below the Issuing Points entry 4 Configure how and how often the CRLs are updated by supplying information in the Update tab for the issuing point This tab has two sections Update Schema and Update Frequency The Update Schema section has the following options Enable CRL generation This checkbox sets whether CRLs are g...

Page 316: ...lation This option should be selected to test revocation immediately such as testing whether the server publishes the CRL to a flat file Update the CRL at This field sets a daily time when the CRL should be updated To specify multiple times enter a comma separate list of times such as 01 50 04 55 06 55 Update the CRL every This checkbox enables generating and publishing CRLs at the interval set in...

Page 317: ...n about the cache see Section 13 3 5 How CRLs Work Update cache every This field sets how frequently the cache is written to the internal database Set to 0 to have the cache written to the database every time a certificate is revoked Enable cache recovery This checkbox allows the cache to be restored 6 The Format tab sets the formatting and contents of the CRLs that are created There are two secti...

Page 318: ...ch set what types of certificates to include in the CRL Include expired certificates This includes revoked certificates that have expired If this is enabled information about revoked certificates remains in the CRL after the certificate expires If this is not enabled information about revoked certificates is removed when the certificate expires CA certificates only This includes only CA certificat...

Page 319: ...lidityDate and CRLNumber Other extensions are available but are disabled by default These can be enabled and modified For more information about the available CRL extensions see Section A 5 Standard X 509 v3 CRL Extensions To configure CRL extensions do the following 1 Open the CA Console pkiconsole https hostname SSLport ca 2 In the navigation tree select Certificate Manager and then select CRL I...

Page 320: ...s for Each Issuing Point First CRLs are issued according to a time based schedule CRLs can be issued every single time a certificate is revoked at a specific time of day or once every so many minutes However this time based publishing schedule applies to every CRL that is generated There are two kinds of CRLs however The full CRL has a record of every single revoked certificate However the Certifi...

Page 321: ...ll and delta CRL again In other words every third publishing interval has both a full CRL and a delta CRL Interval 1 2 3 4 5 6 7 Full CRL 1 4 7 Delta CRL 1 2 3 4 5 6 7 NOTE For delta CRLs to be published independent of full CRLs the CRL cache must be enabled 13 5 1 Configuring Extended Updated Intervals for CRLs in the Console 1 Open the console pkiconsole https server example com 9443 ca 2 In the...

Page 322: ...sterCRL updateSchema 1 Stop the CA server etc init d rhpki ca stop 2 Open the CA configuration directory cd var lib subsystem_name conf 3 Edit the CS cfg file and add two lines to set the extended updated interval ca crl extendedNextUpdate false ca crl MasterCRL updateSchema 3 The default interval is 1 meaning a full CRL is published every time a CRL is published The updateSchema interval can be s...

Page 323: ...cates and different types of CRLs can be published to different places in a directory For example certificates for users from the West Coast division of a company can be published in one branch of the directory while certificates for users in the East Coast division can be published to another branch in the directory Setting up publishing involves configuring publishers mappers and rules 14 1 1 Ab...

Page 324: ...ate variable of the CRL contained in the file For example the filename for a CRL with This Update Friday January 28 15 36 00 PST 2008 is crl 94 3696899 der 14 1 5 LDAP Publishing In LDAP publishing the server publishes the certificates CRLs and other certificate related objects to a directory using LDAP or LDAPS The branch of the directory to which it publishes is called the publishing directory F...

Page 325: ... rule if CRL is set as the type Every rule that is matched publishes the certificate or CRL according to the method and location specified in that rule A given certificate or CRL can match no rules one rule more than one rule or all rules The publishing system attempts to match every certificate and CRL issued against all rules When a rule is matched the certificate or CRL is published according t...

Page 326: ...or details about setting up publishers see Section 14 3 2 Configuring Publishers for Publishing to OCSP 3 For LDAP publishing there are three steps a Configure the Directory Server to which certificates will be published Refer to Section 14 9 Configuring the Directory for LDAP Publishing b Configure a publisher for each type of object published CA certificates cross pair certificates CRLs and user...

Page 327: ...re a particular object is published There can be a single publisher to publish everything to a single location or multiple publishers for multiple destinations When publishing to a file a publisher sets the directory where the files are published For OCSP publishing a publisher specifies a particular Online Certificate Status Manager to which to publish a CRL For LDAP publishing a publisher specif...

Page 328: ... the Select Publisher Plug in Implementation window which lists registered publisher modules Figure 14 2 Select Publisher Plug in Implementation Window 4 Select the FileBasedPublisher module then open the editor window This is the module that enables the Certificate Manager to publish certificates and CRLs to files ...

Page 329: ... export CS certificates 14 3 2 Configuring Publishers for Publishing to OCSP A publisher must be created and configured for each publishing location publishers are not automatically created for publishing to the OCSP responder Create a single publisher to publish everything to s single location or create a publisher for every location to which CRLs will be published Each location can contain a dif...

Page 330: ...nd then Publishers The Publishers Management tab which lists configured publisher instances opens on the right Figure 14 4 Publishers Management Tab 3 Click Add to open the Select Publisher Plug in Implementation window which lists registered publisher modules Figure 14 5 Select Publisher Plug in Implementation Window 4 Select the OCSPPublisher module then open the editor window ...

Page 331: ...alified domain name such as ocspResponder example com and port number of the Online Certificate Status Manager and the default path ocsp addCRL 14 3 3 Configuring Publishers for LDAP Publishing The Certificate Manager creates configures and enables a set of publishers that are associated with LDAP publishing as shown in Table 14 1 LDAP Publishers Publisher Description LdapCaCertPublisher Used to p...

Page 332: ...put information This relationship can derive the exact DN of the entry or set a search for the directory to find the DN of the entry 14 4 1 Configuring Mappers During installation the Certificate Manager automatically creates a set of mappers defining the most common relationships The default mappers are listed in Table 14 2 Default Mappers Mapper Description LdapUserCertMap Locates the correct at...

Page 333: ...avigation tree on the left Select Publishing and then Mappers The Mappers Management tab which lists configured mappers opens on the right Figure 14 7 Mappers Management Tab 3 In the mapper list select a mapper to modify 4 To edit an existing mapper click Edit View The editor window opens ...

Page 334: ...ndow 5 To create a new mapper instance click Add The Select Mapper Plugin Implementation window opens which lists registered mapper modules Select a module and edit it For complete information about these modules see Section 14 12 2 Mapper Plug in Modules ...

Page 335: ...Configuring Mappers 315 Figure 14 9 Selecting a New Mapper Type 6 Edit the mapper instance and click OK ...

Page 336: ...tificate or CRL can be published to a file to an Online Certificate Status Manager and to an LDAP directory by matching a file based rule an OCSP rule and matching a directory based rule Rules can be set for each object type CA certificates CRLs user certificates and cross pair certificates The rules can be more detailed for different kinds of certificates or different kinds of CRLs The rule first...

Page 337: ...following 1 Log into the Certificate Manager Console pkiconsole https server example com 9443 ca 2 In the Configuration tab select Certificate Manager from the navigation tree on the left Select Publishing and then Rules The Rules Management tab which lists configured rules opens on the right Figure 14 11 Rules Management Tab 3 To edit an existing rule select that rule from the list and click Edit...

Page 338: ...Chapter 14 Publishing 318 Figure 14 12 Using the Rule Editor Window to Edit an Existing Rule 4 To create a rule click Add This opens the Select Rule Plug in Implementation window ...

Page 339: ... for Certificates and CRLs 319 Figure 14 13 Select Rule Plugin Implementation Window Select the Rule module This is the only default module If any custom modules have been been registered they are also available 5 Edit the rule ...

Page 340: ...cate value for the type of certificate or CRL issuing point to which this rule applies The predicate values for CRL issuing points delta CRLs and certificates are listed in Table 14 3 Predicate Expressions enable mapper Mappers are not necessary when publishing to a file they are only needed for LDAP publishing If this rule is associated with a publisher that publishes to an LDAP directory select ...

Page 341: ...ServerCert Table 14 3 Predicate Expressions 14 6 Enabling Publishing Publishing can be enabled for only files only LDAP or both Publishing should be enabled after setting up publishers rules and mappers Once enabled the server will attempt to begin publishing If publishing was not configured correctly before being enabled publishing may exhibit undesirable behavior or may fail Enable publishing by...

Page 342: ...ted read write permissions for only those attributes that the publishing system actually needs to write Password The Certificate Manager saves this password in the single sign on password cache and uses it during startup If the password is changed the server updates the single sign on password cache with the new password Client certificate This sets the certificate the Certificate Manager uses for...

Page 343: ...en disabled select the enable checkbox If the rule has been deleted then click Add and create a new rule a Select xcerts from the type drop down menu b Make sure the enable checkbox is selected c Select LdapCaCertMap from the mapper drop down menu d Select LdapCrossCertPairPublisher from the publisher drop down menu The mapper and publisher specified in the publishing rule are both listed under Ma...

Page 344: ...ob3JpdHkwHh END CERTIFICATE 7 Convert the base 64 encoded certificate to a readable form using the Pretty Print Certificate tool For more information on this tool refer to the Certificate System Command Line Tools Guide PrettyPrintCert input_file output_file input_file sets the path to the ASCII file that contains the base 64 encoded certificate and output_file optionally sets the path to the file...

Page 345: ...rt Alternatively the dumpasn1 can be used to convert a binary certificate or CRL to pretty print format The dumpasn1 tool can be downloaded at http fedoraproject org extras 4 i386 repodata repoview dumpasn1 0 20050404 1 fc4 html To view the content of a DER encoded file simply run the dumpasn1 PrettyPrintCert or PrettyPrintCRL tool with the DER encoded file For example PrettyPrintCRL example der e...

Page 346: ... for Publishing CRLs The Certificate Manager publishes the updated CRL to the CA s directory object under the certificateRevocationList binary attribute This attribute is an attribute of the certificationAuthority object class The value of the attribute is the DER encoded binary X 509 CRL The CA s entry must already contain the certificationAuthority object class 14 9 2 Entry for the CA The Certif...

Page 347: ... Server for one of the following methods of communication Publishing with basic authentication Publishing over SSL without client authentication Publishing over SSL with client authentication See the Red Hat Directory Server documentation for instructions on setting up these methods of communication with the server 14 10 Updating Certificates and CRLs in a Directory The Certificate Manager and the...

Page 348: ...e Manager starts updating the directory with the certificate information in its internal database If the changes are substantial updating the directory can take considerable time During this period any changes made through the Certificate Manager including any certificates issued or any certificates revoked may not be included in the update If any certificates are issued or revoked while the direc...

Page 349: ...g in modules can be registered in a Certificate Manager s publishing framework Unwanted mapper or publisher plug in modules can be deleted Before deleting a module delete all the rules that are based on this module 1 Log into the Certificate Manager Console pkiconsole https server example com 9443 ca 2 In the Configuration tab select Certificate Manager from the navigation tree on the left Select ...

Page 350: ... CS SDK 14 12 1 1 FileBasedPublisher The FileBasedPublisher plug in module configures a Certificate Manager to publish certificates and CRLs to file This mapper can publish base 64 encoded files DER encoded files or both depending on the checkboxes selected when the publisher is configured The certificate and CRL content can be viewed by converting the files using the PrettyPrintCert and PrettyPri...

Page 351: ...ublish a user certificate to the userCertificate binary attribute of the user s directory entry This module is used to publish any end entity certificate to an LDAP directory Types of end entity certificates include SSL client S MIME SSL server and OCSP responder During installation the Certificate Manager automatically creates an instance of the LdapUserCertPublisher module for publishing end ent...

Page 352: ...ilarly it also removes the certificationAuthority object class when unpublishing if the CA has no other certificates During installation the Certificate Manager automatically creates an instance of the LdapCertificatePairPublisher module named LdapCrossCertPairPublisher for publishing the cross signed certificates to the directory Parameter Description crossCertPairAttr Specifies the LDAP director...

Page 353: ...apper specifies whether to create an entry for the CA to map the certificate to an existing entry or to do both If a CA entry already exists in the publishing directory and the value assigned to the dnPattern parameter of this mapper is changed but the uid and o attributes are the same the mapper fails to create the second CA entry For example if the directory already has a CA entry for uid CA ou ...

Page 354: ...ificate Manager can derive from the certificate subject name or a constant such as o Example Corporation If the CA certificate does not have the cn component in its subject name adjust the CA certificate mapping DN pattern to reflect the DN of the entry in the directory where the CA certificate is to be published For example if the CA certificate subject DN is o Example Corporation and the CA s en...

Page 355: ... searching for the LDAP entry DN that matches the certificate subject name To use this mapper each certificate subject name must exactly match a DN in a directory entry For example if the certificate subject name is uid jdoe o Example Corporation c US when searching the directory for the entry the Certificate Manager only searches for an entry with the DN uid jdoe o Example Corporation c US If no ...

Page 356: ...the specified LDAP attribute is certSubjectDN and the certificate subject name is uid jdoe o Example Corporation c US the Certificate Manager searches the directory for entries that have the attribute certSubjectDN uid jdoe o Example Corporation c US If no matching entries are found the server returns an error and writes it to the log 14 12 2 4 1 Configuration Parameters of LdapSubjAttrMap Table 1...

Page 357: ...nizational unit in the directory o which represents an organization in the directory l which represents a locality city st which represents a state c which represents a country For example the following DN represents the user named Jane Doe who works for the Sales department at Example Corporation which is located in Mountain View California United States cn Jane Doe ou Sales o Example Corporation...

Page 358: ...her entry s uid is janedoe2 the subject names of certificates can be set to include the uid component NOTE The e l and st components are not included in the standard set of certificate request forms provided for end entities These components can be added to the forms or the issuing agents can be required to insert these components when editing the subject name in the certificate issuance forms 14 ...

Page 359: ... filter to search for and match entries in the LDAP directory If the server finds more than one entry in the directory that matches the information gathered from the certificate the search is successful and the server optionally performs a verification For example if filterComps is set to use the email and user ID attributes filterComps e uid the server searches the directory for an entry whose va...

Page 360: ...ed to publish cross pair certificates to an LDAP directory Parameter Value Description type xcert Specifies the type of certificate that will be published predicate Specifies a predicate for the publisher enable yes Enables the rule mapper LdapCaCertMap Specifies the mapper used with the rule See Section 14 12 2 1 1 LdapCaCertMap for details on the mapper publisher LdapCrossCertPairPublisher Speci...

Page 361: ... 16 LdapUserCert Rule Configuration Parameters 14 12 3 4 LdapCRLRule The LdapCRLRule is used to publish CRLs to an LDAP directory Parameter Value Description type crl Specifies the type of certificate that will be published predicate Specifies a predicate for the publisher enable yes Enables the rule mapper LdapCrlMap Specifies the mapper used with the rule See Section 14 12 2 1 2 LdapCrlMap for d...

Page 362: ...342 ...

Page 363: ...It is also possible to create custom authentication plug ins using the CS SDK for automatic enrollment using other forms of authentication such as a secure ID card or a relational database More than one authentication method can be configured in a single instance of a subsystem The HTML registration pages contain hidden values specifying the method used With certificate profiles the end entity enr...

Page 364: ...onfigurable If a Certificate Manager is not configured for any other enrollment method the server automatically sends all certificate related requests to a queue where they await agent approval This ensures that all requests that lack authentication credentials are sent to the request queue for agent approval 15 2 1 Configuring Agent Approved Enrollment To configure agent approved enrollment do th...

Page 365: ...Auth plug in modules implement directory based authentication End users enroll for a certificate by providing their user IDs or DN and password to authenticate to an LDAP directory Set up directory based authentication by doing the following 1 Create an instance of either the UidPwdDirAuth or UdnPwdDirAuth authentication plug in module and configure the instance a Open the CA Console pkiconsole ht...

Page 366: ...ther 2 or 3 The default is 3 since all Directory Servers later than version 3 x are LDAPv3 ldap basedn Specifies the base DN for searching the authentication directory The server uses the value of the uid field from the HTTP input what a user enters in the enrollment form and the base DN to construct an LDAP search filter ldap minConns Specifies the minimum number of connections permitted to the a...

Page 367: ...dd PINs to the user entries and then distribute the PINs to users a Open the usr lib rhpki native tools directory b Open the setpin conf file in a text editor c Follow the instructions outlined in the file and make the appropriate changes Usually the parameters which need updated are the Directory Server s host name Directory Manager s bind password and PIN manager s password d Run the setpin comm...

Page 368: ... instances c Click Add The Select Authentication Plug in Implementation window appears d Select the UidPwdPinDirAuth plug in module e Fill in the following fields in the Authentication Instance Editor window Authentication Instance ID Accept the default instance name or enter a new name removePin Sets whether to remove PINs from the authentication directory after end users successfully authenticat...

Page 369: ...tores the password in the single sign on password cache and uses it for subsequent start ups This parameter needs set only if the removePin checkbox is selected ldap ldapAuthentication clientCertNickname Specifies the nickname of the certificate to use for SSL client authentication to the authentication directory to remove PINs Make sure that the certificate is valid and has been signed by a CA th...

Page 370: ...nt signs the request with the agent certificate and then sends the signed request to the Certificate Manager When this method is set up the Certificate Manager automatically revokes certificates when a valid request signed with the agent certificate is received To set up CMC enrollment do the following 1 Set up the certificate profile to use to enroll users by setting policies for specific certifi...

Page 371: ...ut the request Table 15 1 CMCEnroll Usage Options NOTE Surround values that include spaces in quotation marks 15 4 1 Setting up the Server for Multiple Requests in a Full CMC Request CMC supports multiple CRMF or PKCS 10 requests in a single full CMC request If the numRequests parameter in the cfg file is larger than 1 modify the server s certificate profile by doing the following 1 By default the...

Page 372: ...in a file with the same filename with out appended to the filename 5 Submit the signed certificate through the end entities page a Open the end entities page https server example com 9443 ca ee ca b Select the CMC enrollment form from the list of certificate profiles c Paste the content of the output file into the Certificate Request text area of this form d Remove BEGIN NEW CERTIFICATE REQUEST an...

Page 373: ...do the following 1 Customize the enrollment form to use 2 Enable the appropriate enrollment option such as directory based enrollment or certificate based enrollment Configure the authentication module to compose the desired DN pattern 3 Three enrollment forms are provided for the certificate based enrollment CertBasedDualEnroll html This form enables end users to request dual certificates one for...

Page 374: ... is for dual certificates single specifies that the enrollment request is for a signing certificate and encryption specifies that the enrollment request is for an encryption certificate NOTE Choosing dual requires a client that is capable of generating dual key pairs doSslAuth This variable specifies whether the server requests SSL client authentication Set the value of this parameter to on and ma...

Page 375: ...deleted through the CA Console Before deleting a module delete instances that are based on that module To register or delete a module do the following 1 Log into the Console pkiconsole https server example com 9443 ca 2 In the Configuration tab click Authentication in the navigation tree 3 In the right pane click the Authentication Plug in Registration tab The tab lists modules that are already re...

Page 376: ...356 ...

Page 377: ...1 How Authorization Works Authorization goes through the following process 1 The users authenticate to the interface using either the Certificate System user ID and password or a certificate 2 The server authenticates the user either by matching the user ID and password with the one stored in the database or by checking the certificate against one stored in the database With certificate based auth...

Page 378: ...hentication method to SSL client authentication See Section 3 2 Enabling SSL Client Authentication for the Certificate System Console for more information 16 1 2 2 Auditors An auditor can view the signed audit logs and is created to audit the operation of the system The auditor cannot administer the server in any way An auditor is created by adding a user to the Auditors group and storing the audi...

Page 379: ...the domain DRMs to push KRA connector information and CAs to approve certificates generated within the CA automatically Enterprise subsystem administrators are given enough privileges to perform operations on the subsystems in the domain Each subsystem has its own security domain role Enterprise CA Administrators Enterprise DRM Administrators Enterprise OCSP Administrators Enterprise TKS Administr...

Page 380: ...ystem which trusts it as a trusted manager using its SSL server certificate for SSL client authentication 16 2 Creating Users To create an administrator agent or auditor create a user in the Certificate System instance where the user will have privileges and assign the user to the appropriate group An agent or auditor must have a certificate stored in the subsystem s internal database If the Conso...

Page 381: ... new user entry and click Certificates d Click Import and paste in the base 64 encoded certificate 16 3 Setting up a Trusted Manager Trusted relationships are set up automatically during subsystem configuration All subsystems within the same security domain are automatically trusted the security domain manager issues each member of the security domain a subsystem certificate which the subsystem us...

Page 382: ...manager entry the subsystem never uses it The subsystem relies solely on the trusted manager s SSL client certificate for authentication Figure 16 2 Creating the Trusted Manager Account The full name must be the fully qualified host name of the Certificate Manager The group must be set to Trusted Managers do that the CA has trusted manager privileges 4 Store the Certificate Manager s SSL client ce...

Page 383: ...nector settings of the Certificate Manager This enables the Certificate Manager to utilize the agent port to communicate with the subsystem 1 Log into the administrative console for the Certificate Manager 2 In the navigation tree select Certificate Manager 3 Select the Connectors tab Figure 16 3 The Connector Tab 4 Select the connector from the list and click Edit 5 Select the Enable checkbox to ...

Page 384: ... System User Entries This section describes how to change a user entry delete the user or change the certificate associated with the user 16 4 1 Changing a Certificate System User s Login Information Change a Certificate System user s login information by doing the following 1 Log into the administrative console ...

Page 385: ...ATE and END CERTIFICATE marker lines 16 4 3 Changing Members in a Group Members can be added or deleted from all groups The group for administrators must have at least one user entry To change a group s members do the following 1 Log into the administrative console 2 Select Users and Groups from the navigation tree on the left 3 Click the Groups tab 4 Select the group from the list of names and cl...

Page 386: ...Create a new group by doing the following 1 Log into the administrative console 2 Select Users and Groups from the navigation menu on the left 3 Select the Groups tab 4 Click Edit and fill in the group information Figure 16 5 Creating a New Group It is only possible to add users who already exist in the internal database 5 Edit the ACLs to grant the group privileges See Section 16 6 5 Editing ACLs...

Page 387: ...operation 16 6 3 Changing Privileges The privileges of Certificate System users are changed by changing the access control lists ACL that are associated with the group in which the user is a member for the users themselves or for the IP address of the user New groups are assigned access control by adding that group to the access control lists For example a new group for administrators who are only...

Page 388: ...ul to specify one For example JohnB a member of the Administrators group has just been fired It may be necessary to deny access specifically to JohnB if the user cannot be deleted immediately Another situation is that a user BrianC is an administrator but he should not have the ability to change some resource Since the Administrators group must access this resource BrianC can be specifically denie...

Page 389: ...om j2se 1 4 2 docs api java util regex Pattern html sum 16 6 4 3 3 IP Address Syntax The syntax to include an IP address in the ACL is ipaddress ipaddress The syntax to exclude an ID address from the ACL is ipaddress ipaddress An IP address is specified using its numeric value DNS values are not permitted For example ipaddress 12 33 45 99 ipaddress 23 99 09 88 It is also possible to use regular ex...

Page 390: ...rative console To edit the existing ACLs do the following 1 Log into the administrative console 2 Select Access Control List in the left navigation menu Figure 16 6 Default ACL List 3 Select the ACL to edit from the list and click Edit See Section 16 7 ACL Reference for information about each ACL The ACL opens in the Access Control Editor window ...

Page 391: ... ACLs 371 Figure 16 7 The ACL Editor Window 4 To add an ACI click Add and supply the ACI information To edit an ACI select the ACI from the list in the ACI entries text area of the ACL Editor window Click Edit ...

Page 392: ...both use the Ctrl or Shift buttons c Specify the user group or IP address that will be granted or denied access in the Syntax field See Section 16 6 4 3 Syntax for details on syntax 16 7 ACL Reference This section lists all ACL resources defined for all subsystems describes what each resource controls lists the possible operations describing the outcome of those operations and provides the default...

Page 393: ...try is associated with the CA administration interface and is only available during the configuration of the target of evaluation TOE it is unavailable after the CA is running 16 7 2 1 Operations Operations import 16 7 2 2 Default ACIs allow import user anybody Anyone can import a certificate 16 7 3 certServer admin request enrollment This entry is associated with the CA administration interface a...

Page 394: ...ations Operations read modify 16 7 4 2 Default ACIs allow read group Administrators group Certificate Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents group Auditors allow modify group Administrators Administrators agents and auditors are allowed to read authentication configuration administrators are allowed to modify authentication configuration 16...

Page 395: ...tServer ca certificates Controls revoke or list operations for certificates in the agent services interface 16 7 6 1 Operations Operations revoke list 16 7 6 2 Default ACIs allow revoke list group Certificate Manager Agents Only Certificate Manager agents can revoke or list certificates 16 7 7 certServer ca configuration Controls operations on the general configuration for a Certificate Manager 16...

Page 396: ...and agents are allowed to read CA configuration only administrators are allowed to modify CA configuration 16 7 8 certServer ca connector Controls submit operations for a connection to the CA 16 7 8 1 Operations Operations submit 16 7 8 2 Default ACIs allow submit group Trusted Managers A trusted manager can submit requests to this interface 16 7 9 certServer ca clone Controls submit operations fo...

Page 397: ... read update 16 7 10 2 Default ACIs allow read update group Certificate Manager Agents Certificate Manager agents can read or update CRLs 16 7 11 certServer ca directory Controls update operations to the directory 16 7 11 1 Operations Operations update 16 7 11 2 Default ACIs allow update group Certificate Manager Agents Certificate Manager agents can update the directory 16 7 12 certServer ca grou...

Page 398: ...ead group Certificate Manager Agents Only Certificate Manager agents can read OCSP usage statistics 16 7 14 certServer ca profiles Controls list operations for certificate profiles in the agent services interface 16 7 14 1 Operations Operations list 16 7 14 2 Default ACIs allow list group Certificate Manager Agents Certificate Manager agents can list certificate profiles 16 7 15 certServer ca prof...

Page 399: ...ices interface 16 7 16 1 Operations Operations list 16 7 16 2 Default ACIs allow list group Certificate Manager Agents Only Certificate Manager agents can list requests 16 7 17 certServer ca request enrollment Controls submit read execute assign and unassign operations for enrollment requests 16 7 17 1 Operations Operations submit read execute assign unassign 16 7 17 2 Default ACIs allow submit us...

Page 400: ...e Manager Agents Only Certificate Manager agents can view or modify the approval state of certificate profile based requests 16 7 19 certServer ca systemstatus Controls approve or read operations for viewing statistics 16 7 19 1 Operations Operations read 16 7 19 2 Default ACIs allow read group Certificate Manager Agents Only Certificate Manager agents may view statistics 16 7 20 certServer ee cer...

Page 401: ...e 16 7 21 certServer ee certificates Controls revoke or list operations in the end entities page 16 7 21 1 Operations Operations revoke list 16 7 21 2 Default ACIs allow revoke list user anybody Anyone can revoke and list certificates 16 7 22 certServer ee certchain Controls download or read operations for the CA s certificate chain in the end entities page 16 7 22 1 Operations Operations download...

Page 402: ... 24 certServer ee profile Controls submit and read operations for certificate profiles in the end entities page 16 7 24 1 Operations Operations submit read 16 7 24 2 Default ACIs allow submit read user anybody Anyone can read and submit requests through certificate profiles 16 7 25 certServer ee profiles Controls list operations for certificate profiles in the end entities page 16 7 25 1 Operation...

Page 403: ...ybody Anyone can read the face to face enrollment page 16 7 27 certServer ee request enrollment Controls submit operations for certificate enrollment in the end entities page 16 7 27 1 Operations Operations submit 16 7 27 2 Default ACIs allow submit user anybody Anyone can submit an enrollment request 16 7 28 certServer ee request facetofaceenrollment Controls submitting face to face enrollments 1...

Page 404: ...n submit OCSP requests 16 7 30 certServer ee request revocation Controls submit operations for certificate revocation requests in the end entities page 16 7 30 1 Operations Operations submit 16 7 30 2 Default ACIs allow submit user anybody Anyone can submit a revocation request 16 7 31 certServer ee requestStatus Controls read operations for the request status available from the end entities page ...

Page 405: ... Administrators group Auditors group Certificate Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents allow modify group Administrators Administrators auditors and agents are allowed to read Certificate System general configuration only administrators are allowed to modify Certificate System general configuration 16 7 33 certServer job configuration Cont...

Page 406: ...o read job configuration only administrators are allowed to modify job configuration 16 7 34 certServer kra certificate transport Controls actions to display the key transport certificate 16 7 34 1 Operations Operations read 16 7 34 2 Default ACIs allow read user anybody Anyone can view the key transport certificate 16 7 35 certServer kra configuration Controls operations on the DRM configuration ...

Page 407: ...er kra connector Controls request submissions 16 7 36 1 Operations Operations submit 16 7 36 2 Default ACIs allow submit group Trusted Managers Only trusted managers can submit requests 16 7 37 certServer kra key Controls read recover and download operations for the DRM 16 7 37 1 Operations Operations read recover download 16 7 37 2 Default ACIs allow read recover download group Data Recovery Mana...

Page 408: ...quest 16 7 39 1 Operations Operations read 16 7 39 2 Default ACIs allow read group Data Recovery Manager Agents DRM agents can read requests 16 7 40 certServer kra requests Controls list operations for a DRM request 16 7 40 1 Operations Operations list 16 7 40 2 Default ACIs allow list group Data Recovery Manager Agents Only DRM agents can list key archival requests 16 7 41 certServer kra request ...

Page 409: ...ations to display the system status of a DRM 16 7 42 1 Operations Operations read 16 7 42 2 Default ACIs allow read group Data Recovery Manager Agents Only DRM agents can read system status 16 7 43 certServer log configuration Controls operations on the log configuration 16 7 43 1 Operations Operations read modify 16 7 43 2 Default ACIs allow read group Administrators group Auditors group Certific...

Page 410: ...ministrators group Auditors group Certificate Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents deny modify user anybody Administrators auditors and agents can read the value of the expirationTime parameter no one is allowed to modify the value of the expirationTime parameter for the signed audit log 16 7 45 certServer log configuration fileName Contr...

Page 411: ...er Agents group Online Certificate Status Manager Agents Only an auditor is allowed to view the audit log NOTE All other groups need to be specifically denied access to this log since they are given access to all logs in the certServer log content ACL 16 7 47 certServer log content Controls read operations to all logs 16 7 47 1 Operations Operations Description read View log content List all logs ...

Page 412: ...ager agents can add CAs 16 7 49 certServer ocsp cas Controls list operations for listing the CAs that publish to an Online Certificate Status Manager 16 7 49 1 Operations Operations list 16 7 49 2 Default ACIs allow list group Online Certificate Status Manager Agents Only Online Certificate Status Manager agents can list CAs 16 7 50 certServer ocsp certificate Controls validate operation for check...

Page 413: ...very Manager Agents group Online Certificate Status Manager Agents group Auditors allow modify group Administrators Administrators agents and auditors are allowed to read OCSP configuration only administrators are allowed to modify OCSP configuration 16 7 52 certServer ocsp crl Controls add operations for posting CRLs to an OCSP 16 7 52 1 Operations Operations add 16 7 52 2 Default ACIs allow add ...

Page 414: ...ger Agents group Auditors allow modify group Administrators Administrators agents and auditors are allowed to read certificate profile configuration only administrators are allowed to modify certificate profile configuration 16 7 54 certServer publisher configuration Controls read and modify operation for the publishing configuration 16 7 54 1 Operations Operations read modify 16 7 54 2 Default AC...

Page 415: ...ug in modules Currently this is only used to register certificate profile plug ins 16 7 55 1 Operations Operations read modify 16 7 55 2 Default ACIs allow read group Administrators group Certificate Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents group Auditors allow modify group Administrators Administrators auditors and agents are allowed to view...

Page 416: ... Certificate Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents allow modify group Administrators Administrators auditors and agents are allowed to read user and group configuration only administrators are allowed to modify user and group configuration ...

Page 417: ...s The HTML templates can also be customized for different appearances and formatting 17 1 1 Types of Automated Notifications There are three types of automated notifications Certificate Issued A notification message is automatically sent to users who have been issued certificates A rejection message is sent to a user if the user s certificate request is rejected Certificate Revocation A notificati...

Page 418: ...iconsole https server example com 9443 ca 2 Open the Configuration tab 3 Open the Certificate Manager heading in the navigation tree on the left Then select Notification The Notification tabs appear in the right side of the window Figure 17 1 Notification Tabs 4 To enable issued certificate notifications go to the Certificate Issued tab select the enable checkbox and specify information in the fol...

Page 419: ...e go to the Request in Queue tab select the enable checkbox and specify information in the following fields Enable Request in Queue notification Select this checkbox to enable request in queue notifications Sender s E Mail Address Type the sender s full email address of the user who is notified of any delivery problems Subject Type the subject title for the notification Recipient s E Mail Address ...

Page 420: ...lSubject ca notification requestInQ emailTemplate ca notification requestInQ enabled ca notification requestInQ recipientEmail ca notification requestInQ senderEmail The parameters for the notification messages are explained in Section 17 2 Setting Up Automated Notifications 4 Save the file 5 Restart the CA instance etc init d rhpki ca start 6 If a job has been created to send automated messages c...

Page 421: ...The contents of any message type can be modified by changing the text and tokens in the message template The appearance of the HTML messages can be changed by modifying the HTML commands in the HTML message template The default text version of the certificate issuance notification message is as follows Your certificate request has been processed successfully SubjectDN SubjectDN IssuerDN IssuerDN n...

Page 422: ...end entities when certificate requests are rejected certRequestRevoked_CA Template for plain text notification emails to end entities when a certificate is revoked certRequestRevoked_CA html Template for HTML based notification emails to end entities when a certificate is revoked reqInQueue_CA Template for plain text notification emails to agents when a request enters the queue reqInQueue_CA html ...

Page 423: ... in the notification message templates Token Description CertType Specifies the type of certificate these can be any of the following SSL client client SSL server server CA signing certificate ca other other ExecutionTime Gives the time the job was run HexSerialNumber Gives the serial number of the certificate that was issued in hexadecimal format HttpHost Gives the fully qualified host name of th...

Page 424: ...in the resulting message Status Gives the request status SubjectDN Gives the DN of the certificate subject SummaryItemList Lists the items in the summary notification Each item corresponds to a certificate the job detects for removal from the publishing directory SummaryTotalFailure Gives the total number of items in the summary report that failed SummaryTotalNum Gives the total number of certific...

Page 425: ... Jobs The automated jobs feature is set up by doing the following Enabling and configuring the Job Scheduler see Section 18 2 Setting up the Job Scheduler for more information Enabling and configuring the job modules and setting preferences for those job modules see Section 18 3 Setting up Specific Jobs for more information Customizing the email notification messages sent with these jobs by changi...

Page 426: ... administrators specified by the configuration NOTE This job automates removing expired certificates from the directory Expired certificates can also be removed manually for more information on this see Section 14 10 Updating Certificates and CRLs in a Directory 18 2 Setting up the Job Scheduler The Certificate Manager can execute a job only if the Job Scheduler is enabled The job settings such as...

Page 427: ...emon thread wakes up and calls the configured jobs that meet the cron specification By default it is set to one minute NOTE The window for entering this information may be too small to see the input Drag the corners of the Certificate Manager Console to enlarge the entire window 5 Click Save 18 3 Setting up Specific Jobs Automated jobs can be configured through the Certificate Manager Console or b...

Page 428: ...e pkiconsole https server example com 9443 ca 2 Confirm that the Jobs Scheduler is enabled See Section 18 2 Setting up the Job Scheduler for more information 3 In the Configuration tab select Job Scheduler from the navigation tree Then select Jobs 4 This opens the Job Instance tab Figure 18 2 Job Instance Tab Select the job instance from the list and click Edit View The Job Instance Editor opens s...

Page 429: ...or this dialog For requestInQueueNotifier see Section 18 3 3 Configuration Parameters of requestInQueueNotifier For publishCerts see Section 18 3 4 Configuration Parameters of publishCerts For unpublishExpiredCerts see Section 18 3 5 Configuration Parameters of unpublishExpiredCerts For more information about setting the cron time frequencies see Section 18 3 6 Frequency Settings for Automated Job...

Page 430: ... requestInQueueNotifier see Section 18 3 3 Configuration Parameters of requestInQueueNotifier To configure the publishCerts job edit all parameters that begin with jobsScheduler job publishCerts see Section 18 3 4 Configuration Parameters of publishCerts To configure the unpublishExpiredCerts job edit all parameters that begin with jobsScheduler job unpublishExpiredCerts see Section 18 3 5 Configu...

Page 431: ...ecifies the path including the filename to the directory containing the template to use to create the summary report summary senderEmail Specifies the sender of the notification message who will be notified of any delivery problems summary recipientEmail Specifies the recipients of the summary message These can be agents who need to process pending requests or other users More than one recipient c...

Page 432: ...ies the sender of the summary message who will be notified of any delivery problems summary recipientEmail Specifies the recipients of the summary message These can be agents who need to know the status of user certificates or other users More than one recipient can be set by separating each email address with a comma Table 18 2 publishCerts Parameters 18 3 5 Configuration Parameters of unpublishE...

Page 433: ...ertificates or other users More than one recipient can be set by separating each email address with a comma Table 18 3 unpublishExpiredCerts Parameters 18 3 6 Frequency Settings for Automated Jobs The Job Scheduler uses a variation of the Unix crontab entry format to specify dates and times for checking the job queue and executing jobs As shown in Table 18 4 Time Values for Scheduling Jobs and Fig...

Page 434: ...er new job plug ins and delete existing plug ins 18 4 1 Registering or Deleting a Job Module Custom job plug ins can be registered through the Certificate Manager Console Registering a new module involves specifying the name of the module and the full name of the Java class that implements the module It is also possible to delete job modules but this is not recommended To register or delete a job ...

Page 435: ...in module Class name Type the full name of the class for this module this is the path to the implementing Java class If this class is part of a package include the package name For example to register a class named customJob that is in a package named com customplugins type com customplugins customJob 5 Click OK ...

Page 436: ...416 ...

Page 437: ...ter and cloned instances are installed on different machines and those machines are placed behind a load balancer The load balancer accepts HTTP and HTTPS requests made to the Certificate System system and directs those requests appropriately between the two machines In the event that one machine fails the load balancer will transparently redirect all requests to the machine that is still running ...

Page 438: ...lancer can also provide the following advantages as part of a Certificate System system DNS round robin a feature for managing network congestion that distributes load across several different servers Sticky SSL which makes it possible for a user returning to the system to be routed the same host used previously Consult the documentation for the load balancer for more information about the feature...

Page 439: ... the required keys and certificates except the SSL server key and certificate to the clone instance Keep the nicknames for those certificates the same Additionally copy all the necessary trusted root from the master instance to the clone instance If the token is network based then the keys and certificates simply need to be available to the token the keys and certificates do not need to be copied ...

Page 440: ...er Conversion At times an existing cloned subsystem may need converted into a new master subsystem such as after catastrophic failure of the existing master First convert the existing offline master subsystem into a clone then convert one of the current existing online cloned subsystems into the new online master subsystem The differences between the master and the clone of the different subsystem...

Page 441: ...aster CA if it is still running 2 Open the existing master CA configuration directory cd var lib master_ID conf 3 Edit the CS cfg file and change the following Disable control of the database maintenance thread by changing the value of the following line to 0 add the line if it does not already exist ca certStatusUpdateInterval 0 Disable monitoring database replication changes by changing the valu...

Page 442: ... which begins with the ca crl prefix b Copy each line beginning with the ca crl prefix from the former master CA CS cfg file into the cloned CA s CS cfg file c Enable control of the database maintenance thread by changing the value of the following line to 600 600 is the default value for the master Certificate System This value can be changed to any other non zero number ca certStatusUpdateInterv...

Page 443: ...y cd var lib master_ID conf 3 Edit the CS cfg and add the following line 21600 is the default value for a cloned OCSP This value can be changed to any other non zero number OCSP Responder store defStore refreshInSec 21600 19 4 4 Converting a Cloned OCSP into a Master OCSP After converting the existing offline master OCSP responder into an offline cloned OCSP one of the online cloned OCSP responder...

Page 444: ...Chapter 19 Configuring the Certificate System for High Availability 424 4 Start the new master OCSP responder server etc init d instance_ID start ...

Page 445: ...d extranets and directory lookups could not always be performed problem areas emerged that were not covered by the original specification Trust The X 500 specification establishes trust by means of a strict directory hierarchy By contrast Internet and extranet deployments frequently involve distributed trust models that do not conform to the hierarchical X 500 approach Certificate use Some organiz...

Page 446: ...applications such as Netscape Navigator and Enterprise Server supported an extension known as the Netscape Certificate Type Extension that specifies the type of certificate issued such as client server or email To maintain compatibility with older versions of browsers that were released before the X 509 v3 specification was finalized certain kinds of certificates should include some of these Netsc...

Page 447: ...e of the extension Typically the application receiving the certificate checks the extension ID to determine if it can recognize the ID If it can it uses the extension ID to determine the type of value used Some of the standard extensions defined in the X 509 v3 standard include the following Authority Key Identifier extension which identifies the CA s public key the key used to sign the certificat...

Page 448: ...Key Identifier 2 5 29 14 Critical no Key Identifier 3B 46 83 85 27 BC F5 9D 8E 63 E3 BE 79 EF AF 79 9C 37 85 84 Identifier Authority Key Identifier 2 5 29 35 Critical no Key Identifier 3B 46 83 85 27 BC F5 9D 8E 63 E3 BE 79 EF AF 79 9C 37 85 84 Identifier Key Usage 2 5 29 15 Critical yes Key Usage Digital Signature Key CertSign Crl Sign Signature Algorithm SHA1withRSA 1 2 840 113549 1 1 5 Signatur...

Page 449: ...nd includes the former Netscape company arc 2 16 840 1 http www alvestrand no objectid 2 16 840 1 113730 1 13 html If an OID extension exists in a certificate and is marked critical the application validating the certificate must be able to interpret the extension including any optional qualifiers or it must reject the certificate Since it is unlikely that all applications will be able to interpre...

Page 450: ... 5 29 35 A 3 2 2 Criticality This extension is always noncritical and is always evaluated A 3 2 3 Discussion The Authority Key Identifier extension identifies the public key corresponding to the private key used to sign a certificate This extension is useful when an issuer has multiple signing keys The extension consists of one or both of the following An explicit key identifier set in the keyIden...

Page 451: ... than the number of CA certificates that have been processed so far starting with the end entity certificate and moving up the chain If pathLenConstraint is omitted then all of the higher level CA certificates in the chain must not include this component when the extension is present A 3 4 certificatePolicies A 3 4 1 OID 2 5 29 32 A 3 4 2 Criticality This extension may be critical or noncritical A...

Page 452: ...poses only If it is not marked critical it is treated as an advisory field that may be used to identify keys but does not restrict the use of the certificate to the indicated purposes A 3 6 3 Discussion The Extended Key Usage extension indicates the purposes for which the certified public key may be used These purposes may be in addition to or in place of the basic purposes indicated in the Key Us...

Page 453: ...ticality PKIX Part 1 recommends that this extension be marked noncritical A 3 7 3 Discussion The Issuer Alternative Name extension is used to associate Internet style identities with the certificate issuer Names must use the forms defined for the Subject Alternative Name extension A 3 8 keyUsage A 3 8 1 OID 2 5 29 15 A 3 8 2 Criticality This extension may be critical or noncritical PKIX Part 1 rec...

Page 454: ...ublic key is used only for enciphering data If this bit is set keyAgreement should also be set decipherOnly 8 if the public key is used only for deciphering data If this bit is set keyAgreement should also be set Table A 3 Certificate Uses and Corresponding Key Usage Bits summarizes the guidelines for typical certificate uses Purpose of Certificate CA Signing SSL Client SSL Server S MIME Signing S...

Page 455: ...uerying the OCSP responder since the reply would again be signed by the OCSP responder and the client would again request the validity status of the signing certificate This extension is null valued its meaning is determined by its presence or absence Since the presence of this extension in a certificate will cause OCSP clients to trust responses signed with that certificate use of this extension ...

Page 456: ...sion is used in CA certificates only It lists one or more pairs of OIDs used to indicate that the corresponding policies of one CA are equivalent to policies of another CA It may be useful in the context of cross pair certificates This extension may be supported by CAs and applications A 3 13 privateKeyUsagePeriod A 3 13 1 OID 2 5 29 16 A 3 13 2 Discussion The Private Key Usage Period extension al...

Page 457: ... it must be in the form of the EmailAddress attribute defined by PKCS 9 Software that supports S MIME must be able to read an email address from either the Subject Alternative Name extension or from the subject name field A 3 15 subjectDirectoryAttributes A 3 15 1 OID 2 5 29 9 A 3 15 2 Criticality PKIX Part 1 requires that this extension be marked noncritical A 3 15 3 Discussion The Subject Direct...

Page 458: ... to validate CRLs that contain private critical extensions so it is not recommended that custom extensions be used in a general context NOTE Abstract Syntax Notation One ASN 1 and Distinguished Encoding Rules DER standards are specified in the CCITT Recommendations X 208 and X 209 For a quick summary of ASN 1 and DER see A Layman s Guide to a Subset of ASN 1 BER and DER which is available at RSA L...

Page 459: ...4e 4b 91 c7 fb 4c cc ae 84 e8 aa 5b 46 6a a0 ad Revoked Certificates Serial Number 0x12 Revocation Date Tuesday December 15 1998 5 20 42 AM Extensions Identifier Revocation Reason 2 5 29 21 Critical no Reason Key_Compromise Serial Number 0x11 Revocation Date Wednesday December 16 1998 4 51 54 AM Extensions Identifier Revocation Reason 2 5 29 21 Critical no Reason CA_Compromise Serial Number 0x10 R...

Page 460: ...fies the public key corresponding to the private key used to sign the CRL For details see the discussion under certificate extensions at Section A 3 2 The authorityKeyIdentifier The PKIX standard recommends that the CA must include this extension in all CRLs it issues because a CA s public key can change for example when the key gets updated or the CA may have multiple signing keys because of mult...

Page 461: ... 29 27 A 5 1 3 2 Criticality PKIX requires that this extension be critical if it exists A 5 1 3 3 Discussion The deltaCRLIndicator extension generates a delta CRL a list only of certificates that have been revoked since the last CRL it also includes a reference to the base URL This updates the local database while ignoring unchanged information already in the local database This can significantly ...

Page 462: ...s to an integer other than 0 set the number and then click OK to close the window Re open the edit window for the rule and the fields to set these points will be present pointTypen Specifies the type of issuing point for the n issuing point For each number specified in numPoints there is an equal number of pointType parameters The options are either DirectoryName or URIName pointNamen If pointType...

Page 463: ...th the issuer of the CRL like binding attributes such as a mail address a DNS name an IP address and a uniform resource indicator URI with the issuer of the CRL For details see the discussion under certificate extensions at Section A 3 7 issuerAltName Extension A 5 1 5 3 Parameters Parameter enable critical numNames nameTypen namen ...

Page 464: ...nd CRL Extensions 444 Parameter Table A 8 IssuerAlternativeName Configuration Parameters A 5 1 6 issuingDistributionPoint A 5 1 6 1 OID 2 5 29 28 A 5 1 6 2 Criticality PKIX requires that this extension be critical if it exists ...

Page 465: ...as revocation of end entity certificates only CA certificates only or revoked certificates that have a limited set of reason codes The rule can be modified to support any name form by making the appropriate changes to the sample code provided for more information see the CS SDK PKIX Part I does not require this extension A 5 1 6 4 Parameters Parameter enable critical pointType pointName onlySomeRe...

Page 466: ...re noncritical A 5 2 1 certificateIssuer A 5 2 1 1 OID 2 5 29 29 A 5 2 1 2 Discussion The Certificate Issuer extension identifies the certificate issuer associated with an entry in an indirect CRL This extension is used only with indirect CRLs which are not supported by the Certificate System A 5 2 2 holdInstructionCode A 5 2 2 1 OID 2 5 29 23 A 5 2 2 2 Discussion The Hold Instruction Code extensi...

Page 467: ...h the private key was compromised or that the certificate otherwise became invalid A 5 2 3 3 Parameters Parameter enable critical Table A 11 InvalidityDate Configuration Parameters A 5 2 4 CRLReason A 5 2 4 1 OID 2 5 29 21 A 5 2 4 2 Discussion The Reason Code extension identifies the reason for certificate revocation A 5 2 4 3 Parameters Parameter enable critical Table A 12 CRLReason Configuration...

Page 468: ...rposes for which a certificate can be used It has been replaced by the X 509 v3 extensions Section A 3 6 extKeyUsage and Section A 3 3 basicConstraints If the extension exists in a certificate it limits the certificate to the uses specified in it If the extension is not present the certificate can be used for all applications The value is a bit string where the individual bit positions when set ce...

Page 469: ...ins intact but its privacy is compromised For example someone could gather credit card numbers record a sensitive conversation or intercept classified information Tampering Information in transit is changed or replaced and then sent to the recipient For example someone could alter an order for goods or change a person s resume Impersonation Information passes to a person who poses as the intended ...

Page 470: ...ction used for encryption or decryption Usually two related functions are used one for encryption and the other for decryption With most modern cryptography the ability to keep encrypted information secret is based not on the cryptographic algorithm which is widely known but on a number called a key that must be used with the algorithm to produce an encrypted result or to decrypt previously encryp...

Page 471: ...lic key encryption Public key encryption also called asymmetric encryption involves a pair of keys a public key and a private key associated with an entity Each public key is published and the corresponding private key is kept secret For more information about the way public keys are published see Section B 4 Certificates and Authentication Data encrypted with a public key can be decrypted only wi...

Page 472: ... The RSA cipher can use only a subset of all possible values for a key of a given length due to the nature of the mathematical problem on which it is based Other ciphers such as those used for symmetric key encryption can use all possible values for a key of a given length Thus a 128 bit key with a symmetric key encryption cipher provides stronger encryption than a 128 bit key with the RSA public ...

Page 473: ...ic key used to decrypt the digital signature corresponds to the private key used to create the digital signature Confirming the identity of the signer also requires some way of confirming that the public key belongs to a particular entity For more information on authenticating users see Section B 4 Certificates and Authentication A digital signature is similar to a handwritten signature Once data ...

Page 474: ...role of CAs see Section B 4 6 How CA Certificates Establish Trust B 4 2 Authentication Confirms an Identity Authentication is the process of confirming an identity For network interactions authentication involves the identification of one party by another party There are many ways to use authentication over networks Certificates are one of those way Network interactions typically take place betwee...

Page 475: ...s 1 When the server requests authentication from the client the client displays a dialog box requesting the username and password for that server 2 The client sends the name and password across the network either in plain text or over an encrypted SSL connection 3 The server looks up the name and password in its local password database and if they match accepts them as evidence authenticating the ...

Page 476: ...re B 4 Using a Password to Authenticate a Client to a Server the authentication process in Figure B 5 Using a Certificate to Authenticate a Client to a Server requires SSL Figure B 5 Using a Certificate to Authenticate a Client to a Server also assumes that the client has a valid certificate that can be used to identify the client to the server Certificate based authentication is preferred to pass...

Page 477: ...s the certificate and the signed data to authenticate the user s identity 5 The server may perform other authentication tasks such as checking that the certificate presented by the client is stored in the user s entry in an LDAP directory The server then evaluates whether the identified user is permitted to access the requested resource This evaluation process can employ a variety of standard auth...

Page 478: ... to establish an encrypted SSL session and to assure customers that they are dealing with the web site identified with the company The encrypted SSL session ensures that personal information sent over the network such as credit card numbers cannot easily be intercepted S MIME certificates Used for signed and encrypted email As with SSL client certificates the identity of the client is assumed to b...

Page 479: ...S MIME Using S MIME to sign or encrypt email messages requires the sender of the message to have an S MIME certificate An email message that includes a digital signature provides some assurance that it was sent by the person whose name appears in the message header thus authenticating the sender If the digital signature cannot be validated by the email software the user is alerted The digital sign...

Page 480: ...cate The contents of certificates are organized according to the X 509 v3 certificate specification which has been recommended by the International Telecommunications Union ITU an international standards body Users do not usually need to be concerned about the exact contents of a certificate However system administrators working with certificates may need some familiarity with the information cont...

Page 481: ...te its own digital signature For more information about ciphers see Section 1 4 10 SSL TLS and Supported Cipher Suites The CA s digital signature obtained by hashing all of the data in the certificate together and encrypting it with the CA s private key Here are the data and signature sections of a certificate shown in the readable pretty print format Certificate Data Version v3 0x2 Serial Number ...

Page 482: ...oxeuZc zYmyTANBgkqhkiG9w0BAQQFAAOBgQBt I6 z07Z635DfzX4XbAFpjlRl AYwQzTSYx8GfcNAqCqCwaSDKvsuj vwbf91o3j3 UkdGYpcd2cYRCgKi4MwqdWyLtpuHAH18hHZ5uvi00mJYw8W2wUOsY0RC a IDy84 hW3WWehBUqVK5SY4 zJ4oTjx7dwNMdGwbWfpRqjd1A END CERTIFICATE B 4 6 How CA Certificates Establish Trust CAs validate identities and issue certificates They can be either independent third parties or organizations running their own cer...

Page 483: ...ntity that the certificate identifies The CAs that are directly subordinate to the root CA have CA certificates signed by the root CA CAs under the subordinate CAs in the hierarchy have their CA certificates signed by the higher level subordinate CAs Organizations have a great deal of flexibility in how CA hierarchies are set up Figure B 6 Example of a Hierarchy of Certificate Authorities shows ju...

Page 484: ...at issued that certificate USA CA s DN is also the subject name of the next certificate in the chain Each certificate is signed with the private key of its issuer The signature can be verified with the public key in the issuer s certificate which is the next certificate in the chain In Figure B 7 Example of a Certificate Chain the public key in the certificate for the USA CA can be used to verify ...

Page 485: ...tops successfully here Otherwise the issuer s certificate is checked to make sure it contains the appropriate subordinate CA indication in the certificate type extension and chain verification starts over with this new certificate Figure B 8 Verifying a Certificate Chain to the Root CA presents an example of this process Figure B 8 Verifying a Certificate Chain to the Root CA Figure B 8 Verifying ...

Page 486: ...invalid signature or the absence of a certificate for the issuing CA at any point in the certificate chain causes authentication to fail Figure B 10 A Certificate Chain That cannot Be Verified shows how verification fails if neither the root CA certificate nor any of the intermediate CA certificates are included in the verifier s local database ...

Page 487: ...e management issues involved in managing the PKI Section B 5 1 Issuing Certificates Section B 5 2 Certificates and the LDAP Directory Section B 5 3 Key Management Section B 5 4 Revoking Certificates B 5 1 Issuing Certificates The process for issuing a certificate depends on the CA that issues it and the purpose for which it will be used Issuing nondigital forms of identification varies in similar ...

Page 488: ...ups Issuing certificates and other certificate management tasks can be an integral part of user and group management High performance directory services are an essential ingredient of any certificate management strategy For the Certificate System to function there must be a Red Hat Directory Server installed to support the LDAP directory services B 5 3 Key Management Before a certificate can be is...

Page 489: ... or moves to a new job in a different unit within the company Certificate revocation can be handled in several different ways Servers can be configured so that the authentication process checks the directory for the presence of the certificate being presented When an administrator revokes a certificate the certificate can be automatically removed from the directory and subsequent authentication at...

Page 490: ...470 ...

Page 491: ...ent An enrollment that requires an agent to approve the request before the certificate is issued agent services 1 Services that can be administered by a Certificate System agent through HTML pages served by the Certificate System subsystem for which the agent has been assigned the necessary privileges 2 The HTML pages for administering such services attribute value assertion AVA An assertion of th...

Page 492: ...dentifies a certificate authority See also certificate authority CA subordinate CA root CA CA hierarchy A hierarchy of CAs in which a root CA delegates the authority to issue certificates to subordinate CAs Subordinate CAs can also expand the hierarchy by delegating issuing status to other CAs See also certificate authority CA subordinate CA root CA CA server key The SSL server key of the server p...

Page 493: ...ertificate changes even by a single character the same function produces a different number Certificate fingerprints can therefore be used to verify that certificates have not been tampered with Certificate Management Messages over Cryptographic Message Syntax CMC Message format used to convey a request for a certificate to a Certificate Manager A proposed standard from the Internet Engineering Ta...

Page 494: ... Layer SSL CMC See Certificate Management Messages over Cryptographic Message Syntax CMC CMC Enrollment Features that allow either signed enrollment or signed revocation requests to be sent to a Certificate Manager using an agent s signing certificate These requests are then automatically processed by the Certificate Manager CMMF See Certificate Management Message Formats CMMF Certificate System S...

Page 495: ...ger before issuing new certificates The Data Recovery Manager is useful only if end entities are encrypting data such as sensitive email that the organization may need to recover someday It can be used only with end entities that support dual key pairs two separate key pairs one for encryption and one for digital signatures Data Recovery Manager agent A user who belongs to a group authorized to ma...

Page 496: ...er See also nonrepudiation encryption distribution points Used for CRLs to define a set of certificates Each distribution point is defined by a set of certificates that are issued A CRL can be created for a particular distribution point distinguished name DN A series of AVAs that identify the subject of a certificate See attribute value assertion AVA dual key pair Two public private key pairs four...

Page 497: ...set which then dynamically creates the enrollment form from all inputs configured for this enrollment intermediate CA A CA whose certificate is located between the root CA and the issued certificate in a certificate chain IP spoofing The forgery of client IP addresses J JAR file A digital envelope for a compressed collection of files organized according to the Java archive JAR format Java archive ...

Page 498: ...500 directories LDAP is under IETF change control and has evolved to meet Internet requirements linked CA An internally deployed certificate authority CA whose certificate is signed by a public third party CA The internal CA acts as the root CA for certificates it issues and the third party CA acts as the root CA for certificates issued by other CAs that are linked to the same third party root CA ...

Page 499: ...ciated private key is used to sign objects using the technology known as object signing OCSP Online Certificate Status Protocol one way hash 1 A number of fixed length generated from data of arbitrary length with the aid of a hashing algorithm The number also called a message digest is unique to the hashed data Any change in the data even deleting or altering a single character results in a differ...

Page 500: ... name of the Data Recovery Manager subject name of the corresponding certificate and date of archival The signed proof of archival data are the response returned by the Data Recovery Manager to the Certificate Manager after a successful key archival operation See also Data Recovery Manager transport certificate public key One of a pair of keys used in public key cryptography The public key is dist...

Page 501: ...ts a Certificate System instance both when the instance starts up and on demand server authentication The process of identifying a server to a client See also client authentication server SSL certificate A certificate used to identify a server to a client using the Secure Sockets Layer SSL protocol servlet Java code that handles a particular kind of interaction with end entities on behalf of a Cer...

Page 502: ...d performs cryptographic operations Smart cards implement some or all of the PKCS 11 interface spoofing Pretending to be someone else For example a person can pretend to have the email address jdoe example com or a computer can identify itself as a site called www redhat com when it is not Spoofing is one form of impersonation See also misrepresentation SSL See Secure Sockets Layer SSL subject The...

Page 503: ...rity CA that issued the certificate If a CA is trusted then valid certificates issued by that CA can be trusted V virtual private network VPN A way of connecting geographically distant divisions of an enterprise The VPN allows the divisions to communicate over an encrypted channel allowing authenticated confidential transactions that would normally be restricted to a private network ...

Page 504: ...484 ...

Page 505: ...gh the Console 345 348 350 password based 455 455 See also client authentication 455 See also server authentication 455 authentication modules agent initiated user enrollment 288 352 deleting 355 registering new ones 355 authorityKeyIdentifier 115 430 440 B backing up the Certificate System 99 backups 99 base 64 encoded file viewing content 325 basicConstraints 114 431 buffered logging 80 C CA cer...

Page 506: ...nfiguring authentication 345 348 350 Certificate System data where it is stored 95 certificate based authentication defined 455 certificate based enrollment 353 forms for 353 what you need 353 when to use 353 certificateIssuer 446 certificatePolicies 431 certificates and LDAP Directory 468 authentication using 455 CA certificate 459 chains 464 contents of 460 extensions for 115 425 how to revoke 2...

Page 507: ...eating 149 360 agents creating 149 360 key pairs and certificates list of 142 storage key pair 142 transport certificate 142 setting up key archival 147 key recovery 147 deleting authentication modules 355 log modules 86 mapper modules 329 privileged users 366 publisher modules 329 deltaCRLIndicator 441 deployment planning CA decisions CA reissuance 112 distinguished name 104 root versus subordina...

Page 508: ...1 installing 233 extKeyUsage 432 F failover 417 failover and load balancing 418 failover architecture 417 file based publisher 330 FIPS PUBS 140 1 22 flush interval for logs 80 G groups changing members 365 H hardware accelerators 235 hardware tokens See external tokens 231 231 high availability 417 holdInstructionCode 446 host name for mail server used for notifications 65 how to revoke certifica...

Page 509: ...gories 78 significance of choosing the right level 80 what it means 78 managing from Certificate System console 84 services that are logged 77 types of logs 74 Audit 74 Error 76 M mail server used for notifications 65 managing certificate database 221 mapper modules deleting 329 registering new ones 329 mappers created during installation 312 333 336 mappers that use CA certificate 333 DN componen...

Page 510: ... privileged users deleting 366 modifying privileges group membership 365 types agents 358 public key cryptography 449 defined 451 infrastructure 467 management 468 publisher modules deleting 329 registering new ones 329 publishers created during installation 311 331 331 332 publishers that can publish to CA s entry in the directory 331 331 332 files 330 OCSP responder 332 users entries in the dire...

Page 511: ...227 getting a new one 196 nickname 104 127 requesting 199 viewing details of 225 starting subsystem instance 64 Status tab 60 stopping subsystem instance 64 storage key pair 142 storing user s certificates 219 subjectAltName 436 subjectDirectoryAttributes 437 subjectKeyIdentifier subjectKeyIdentifier 437 subordinate CA 7 T TCP IP defined 449 templates for notifications 402 timing log rotation 80 T...

Page 512: ...uffered logging 80 user certificate 193 requesting 197 users creating 116 129 149 186 360 storing certificates 219 W why to revoke certificates 290 wTLS CA signing certificate 104 nickname 104 X X 509 certificates 22 ...

Reviews:

No comments