Chapter 1. Overview
certificate content. The default certificate profiles can be modified and new custom modules created.
See Chapter 13, Certificate Profiles for details.
If the policies in the certificate profile are not met, the request is rejected. If they are met, the certificate
is issued.
1.2.2.4. Creating Certificates
The Certificate Manager issues certificates when it receives signed requests either from agents (users
who are assigned privileges to approve enrollment and revocation requests) or from a third-party
application that is configured for CMC enrollment with the Certificate Manager.
The Certificate Manager creates the certificate using the information in the request together with the
settings in the certificate profile.
1.2.2.5. Publishing Certificates
Certificates can be published to a file, an LDAP directory, or an OCSP responder. Configuring publishing
sets rules that determine which certificates are published, by which method, and where they are
published. See Chapter 15, Publishing for details.
1.2.2.6. Key Archival
If a CA is configured with a DRM, then the private keys are archived in the DRM during certificate
enrollment. See Chapter 7, Data Recovery Manager for details.
1.2.2.7. Storing Certificate Requests and Certificates
When it issues a certificate, the Certificate Manager stores both the certificate and the certificate
request in its internal database.
1.2.2.8. Revoking Certificates
End entities can submit certificate revocation requests through the end-entities page if they lose their
private key or if their certificate has been compromised. When an end entity requests a revocation, the
request is sent to the agent services interface for agent approval.
An agent can revoke a certificate if the owner of the certificate is unwilling or unable to do so.
When the certificate is revoked, it is marked revoked in the internal database and in the publishing
system. The certificate is added to the certificate revocation list (CRL) produced by the Certificate
Manager. See Chapter 14, Revocation and CRLs for details.
1.2.2.9. CRLs
Whenever a certificate is revoked, every CRL that is set up is updated in the internal database. The
updated CRLs are published to a file, an LDAP directory, or an OCSP responder, if these services have
been set up. The CA can be configured to issue CRLs and to define CRL issuing points, which determine
which certificates go into each CRL.
CRL configuration allows defining which CRL is published where, which extensions a CRL contains,
and the frequency and intervals at which CRLs are published. Publishing delta CRLs publishes a list
of only those certificates that have been revoked since a certain date (the issue date of the base CRL).
See Chapter 14, Revocation and CRLs for details.
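The following is an added example, not code from the Certificate System guide or product. It is a simplified Python model of the three ideas in the revocation and CRL sections above: an issuing point rule that decides which revoked certificates go into a CRL, a delta CRL that lists only certificates revoked since the base CRL was issued, and the check a relying party must perform before applying a delta CRL to a base CRL. All names (IssuingPoint, build_full_crl, build_delta_crl, is_revoked) and all sample serials and dates are constructed for this example; real CRLs are DER-encoded X.509 structures as specified in RFC 5280, which the model leaves out.

```python
"""Simplified model of CRL issuing points and delta CRLs (added example, not product code).

Real CRLs are DER-encoded X.509 structures (RFC 5280); this model keeps only the
selection and combination logic so it runs stand-alone without a crypto library.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revocation_time: datetime
    reason: str           # e.g. "keyCompromise", "certificateHold", "removeFromCRL"
    is_ca: bool = False   # lets an issuing-point rule separate CA certs from end-entity certs


@dataclass
class CRL:
    issuing_point: str
    crl_number: int
    this_update: datetime
    entries: Dict[int, RevokedEntry]
    # A delta CRL carries the Delta CRL Indicator: the number of the base CRL it extends.
    base_crl_number: Optional[int] = None

    @property
    def is_delta(self) -> bool:
        return self.base_crl_number is not None


@dataclass
class IssuingPoint:
    """A named CRL issuing point plus the rule selecting which revoked certificates it covers."""
    name: str
    selects: Callable[[RevokedEntry], bool]


def build_full_crl(point: IssuingPoint, revoked: List[RevokedEntry],
                   crl_number: int, now: datetime) -> CRL:
    """Full CRL: every matching certificate revoked up to 'now'."""
    entries = {e.serial: e for e in revoked
               if point.selects(e) and e.revocation_time <= now}
    return CRL(point.name, crl_number, now, entries)


def build_delta_crl(point: IssuingPoint, revoked: List[RevokedEntry],
                    base: CRL, crl_number: int, now: datetime) -> CRL:
    """Delta CRL: only matching certificates revoked after the base CRL's thisUpdate."""
    entries = {e.serial: e for e in revoked
               if point.selects(e) and base.this_update < e.revocation_time <= now}
    return CRL(point.name, crl_number, now, entries, base_crl_number=base.crl_number)


def is_revoked(serial: int, base: CRL, delta: Optional[CRL] = None) -> bool:
    """Relying-party check: a delta CRL is only meaningful on top of a suitable base CRL."""
    if delta is not None:
        if delta.issuing_point != base.issuing_point:
            raise ValueError("delta and base CRLs come from different issuing points")
        # RFC 5280 5.2.4: the base must be the referenced complete CRL or a later one.
        if base.crl_number < delta.base_crl_number:
            raise ValueError("base CRL is older than the one the delta CRL extends")
        entry = delta.entries.get(serial)
        if entry is not None:
            # removeFromCRL in a delta means a previously held certificate was released.
            return entry.reason != "removeFromCRL"
    return serial in base.entries


# Constructed sample data: serials, dates and reasons are invented for this example.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
T1 = datetime(2024, 1, 8, tzinfo=timezone.utc)   # base CRL issued
T2 = datetime(2024, 1, 9, tzinfo=timezone.utc)   # delta CRL issued

REVOKED = [
    RevokedEntry(1001, T0, "keyCompromise"),
    RevokedEntry(1002, T0, "cACompromise", is_ca=True),
    RevokedEntry(1003, datetime(2024, 1, 8, 12, tzinfo=timezone.utc), "affiliationChanged"),
]

# Two issuing points: one covering all certificates, one covering CA certificates only.
MASTER = IssuingPoint("MasterCRL", lambda e: True)
CA_ONLY = IssuingPoint("CACertsCRL", lambda e: e.is_ca)

BASE = build_full_crl(MASTER, REVOKED, crl_number=10, now=T1)
DELTA = build_delta_crl(MASTER, REVOKED, BASE, crl_number=11, now=T2)
CA_BASE = build_full_crl(CA_ONLY, REVOKED, crl_number=5, now=T2)

if __name__ == "__main__":
    print("base entries :", sorted(BASE.entries))                        # [1001, 1002]
    print("delta entries:", sorted(DELTA.entries))                       # [1003]
    print("CA-only CRL  :", sorted(CA_BASE.entries))                     # [1002]
    print("1003 revoked, base only?  ", is_revoked(1003, BASE))          # False
    print("1003 revoked, base+delta? ", is_revoked(1003, BASE, DELTA))   # True
```

The point the model makes for a relying party is in `is_revoked`: a delta CRL alone says nothing about certificates revoked before the base was issued, and a delta applied to a base CRL older than the one it references (or from a different issuing point) must be rejected rather than silently trusted, since the result would miss revocations.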