Chapter 1. Overview
This chapter provides an overview of Red Hat Certificate System, a highly configurable set of software
components and tools for creating, deploying, and managing certificates. Based on open standards for
certificate management, Certificate System provides a complete, customizable, robust, scalable, and
high-performance certificate management solution for public-key infrastructure (PKI), extranets, and
intranets.
1.1. Features
This section discusses the Certificate System features.
1.1.1. Subsystems
Certificate System is installed on each host that runs one or more of its subsystems. The
subsystems on that host are then installed with a default configuration covering basic administrative
tasks such as logging and containing configurable, subsystem-specific plug-in modules. More than one
subsystem can be installed on each host, or multiple instances of one subsystem can be installed on
the same host or on different hosts.
Certificate System has five highly configurable subsystems, which provide flexibility in designing
the PKI. The five subsystems that comprise Certificate System are as follows:
• The Certificate Manager is the subsystem that provides Certificate Authority functionality for issuing,
revoking, and publishing certificates and for creating and publishing CRLs. See Chapter 4, Certificate
Manager for details.
• The Online Certificate Status Manager is an optional subsystem that provides OCSP responder
services, which means it stores CRLs for CAs and can distribute the load for verifying certificate
status. See Chapter 6, Online Certificate Status Protocol Responder for details.
• The Data Recovery Manager (DRM) is an optional subsystem that provides private encryption key
storage and retrieval. See Chapter 7, Data Recovery Manager for details.
• The Token Key Service (TKS) manages one or more master keys required to set up secure
channels directly to the token management system. The privileged operations such as key
generation can only be requested on the tokens through a secure channel.
• The Token Processing System (TPS) provides the registration authority functionality in the token
management infrastructure and establishes secure channels between the Enterprise Security Client
and the back-end subsystems. See Chapter 8, Token Processing System for more information on
using the TPS to manage tokens.
The subsystems are highly integrated with each other, depending on the deployment scenario and use.
OCSP and CA instances work together for CRL publishing and certificate verification. CA and DRM
instances work together for key recovery and archival. Smart card tokens, which are processed through
a user interface called the Enterprise Security Client, are managed by the TPS. The TPS, however,
is configured to work with at least two essential subsystem instances: a TKS to generate keys and
a CA to process token operations. A TPS can also be configured to use a DRM for server-side key
generation and key archival and recovery.