manualshive.com logo in svg

Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION, Administration Manual

The "Red Hat Certificate System 7.3 - Administration" manual is a comprehensive guide designed to help users effortlessly manage this powerful certificate authority software. This manual is available for free download at manualshive.com, providing users with the essential resources to master the administration of this cutting-edge product.

Share
Download
background image

Chapter 14.

321

Revocation and CRLs

The Certificate System provides methods for revoking certificates and for producing lists of revoked
certificates, called certificate revocation lists (CRLs). This chapter describes the methods for revoking
a certificate, describes CMC revocation, and provides details about CRLs and setting up CRLs.

14.1. Revocation

Certificates can be revoked by an end user (the original owner of the certificate) or by a Certificate
Manager agent. End users can revoke certificates by using the revocation form provided in the end-
entities page. Agents can revoke end-entity certificates by using the appropriate form in the agent
services interface. Certificate-based (SSL client authentication) is required in both cases.

An end user can revoke only certificates that contain the same subject name as the certificate
presented for authentication. After successful authentication, the server lists the certificates belonging
to the end user. The end user can then select the certificate to be revoked or can revoke all certificates
in the list. The end user can also specify additional details, such as the date of revocation and
revocation reason for each certificate or for the list as a whole.

Agents can revoke certificates based on a range of serial numbers or based on subject name
components. When the revocation request is submitted, agents receive a list of certificates from which
they can pick the ones to be revoked. For instructions on how agents revoke end-entity certificates,
see the 

Certificate System Agent's Guide

.

When it receives the CRL, the Certificate Manager marks the corresponding certificate records in its
internal database as revoked, and, if configured to do so, removes the revoked certificates from the
publishing directory and updates the CRL in the publishing directory.

14.1.1. SSL Client Authenticated Revocation

When an end user submits a certificate revocation request, the first step in the revocation process
is for the Certificate Manager to identify and authenticate the end user to verify that the user is
attempting to revoke his own certificate, not a certificate belonging to someone else.

In SSL client authentication, the server expects the end user to present a certificate that has the same
subject name as the one to be revoked and uses that for authentication purposes. The server verifies
the authenticity of a revocation request by mapping the subject name in the certificate presented for
client authentication to certificates in its internal database. The server revokes the certificate only if the
certificate maps successfully to one or more valid or expired certificates in its internal database.

After successful authentication, if the server detects only one valid or expired certificate matching
the subject name of the one presented for client authentication, it revokes the certificate. If the server
detects more than one valid or expired certificate with a matching subject name, it lists all those
certificates. The user can then either select the certificate to be revoked or revoke all certificates in the
list.

14.1.2. Certificate Revocation Forms

The end-entities page of the Certificate Manager includes default HTML forms for SSL client
authenticated revocation. The forms are accessible from the 

Revocation

 tab. The form for SSL client

authenticated-revocation is shown by clicking the 

User Certificate

 link.

Summary of Contents for CERTIFICATE SYSTEM 7.3 - ADMINISTRATION

Page 1: ...Red Hat Certificate System 7 3 Administration Guide Publication date May 2007 updated March 25 2010 ...

Page 2: ...est extent permitted by applicable law Red Hat Red Hat Enterprise Linux the Shadowman logo JBoss MetaMatrix Fedora the Infinity Logo and RHCE are trademarks of Red Hat Inc registered in the United States and other countries Linux is the registered trademark of Linus Torvalds in the United States and other countries All other trademarks are the property of their respective owners 1801 Varsity Drive...

Page 3: ...e 4 1 1 12 Certificate Profiles 5 1 1 13 CRLs 5 1 1 14 Publishing 5 1 1 15 Notifications 5 1 1 16 Jobs 5 1 1 17 Dual Key Pairs 6 1 1 18 HSMs and Crypto Accelerators 6 1 1 19 Support for Open Standards 6 1 2 How the Certificate System Works 7 1 2 1 About the Certificate Manager 7 1 2 2 How the Certificate Manager Works 9 1 2 3 Data Recovery Manager 11 1 2 4 Online Certificate Status Manager 11 1 2 ...

Page 4: ...KS Information Panel 37 2 4 6 DRM Information Panel 38 2 4 7 Authentication Directory Panel 39 2 4 8 Internal Database Panel 39 2 4 9 Key Store Panel 40 2 4 10 Key Pairs Panel 41 2 4 11 Subject Names Panel 42 2 4 12 Requests and Certificates Panel 43 2 4 13 Export Keys and Certificates Panel 44 2 4 14 Administrator Panel 45 2 5 Installing the Certificate System 46 2 5 1 Installing from an ISO Imag...

Page 5: ...nhanced Linux 74 3 8 Using Java Servlets 75 3 9 Logs 75 3 9 1 About Logs 76 3 9 2 Services That Are Logged 79 3 9 3 Log Levels Message Categories 79 3 9 4 Buffered Versus Unbuffered Logging 81 3 9 5 Log File Rotation 81 3 9 6 Configuring Logs in the Console 82 3 9 7 Configuring Logs in the CS cfg File 83 3 9 8 Configuring TPS Logs 84 3 9 9 Monitoring Logs 85 3 9 10 Signing Log Files 86 3 9 11 Regi...

Page 6: ...s on CA Certificates through Certificate Extensions 122 4 9 Creating Certificate Manager Agents and Administrators 124 4 10 Checking the Revocation Status of Agent Certificates 125 4 11 CRL Signing Key Pair and Certificate 127 4 12 DNs in the Certificate System 128 4 12 1 Extending Attribute Support 129 5 Registration Authority 133 5 1 Introduction 133 5 1 1 What is a Registration Authority 133 5 ...

Page 7: ...r Certificates 173 7 2 1 Transport Key Pair and Certificate 174 7 2 2 Storage Key Pair 174 7 2 3 SSL Server Certificate 174 7 3 Forms for Users and Key Recovery Agents 174 7 4 Overview of Archiving Keys 175 7 4 1 Reasons to Archive Keys 175 7 4 2 Where the Keys Are Stored 175 7 4 3 How Key Archival Works 175 7 5 Overview of Key Recovery 177 7 5 1 Key Recovery Agents and Their Passwords 177 7 5 2 K...

Page 8: ... from the End Entities Page 249 11 3 Managing User Certificates 251 11 3 1 Managing Certificate System User and Agent Certificates 252 11 3 2 Importing Certificates into Mozilla Firefox 253 11 4 Managing the Certificate Database 254 11 4 1 Installing Certificates in the Certificate System Database 254 11 4 2 Viewing Database Content 258 11 4 3 Deleting Certificates from the Database 260 11 4 4 Cha...

Page 9: ...efault 293 13 7 3 Basic Constraints Extension Default 294 13 7 4 CRL Distribution Points Extension Default 295 13 7 5 Extended Key Usage Extension Default 297 13 7 6 Freshest CRL Extension Default 298 13 7 7 Issuer Alternative Name Extension Default 300 13 7 8 Key Usage Extension Default 301 13 7 9 Name Constraints Extension Default 302 13 7 10 Netscape Certificate Type Extension Default 306 13 7 ...

Page 10: ...RLs 325 14 3 5 How CRLs Work 325 14 4 Issuing CRLs 326 14 4 1 Configuring Issuing Points 328 14 4 2 Configuring CRLs for Each Issuing Point 329 14 4 3 Setting CRL Extensions 333 14 5 Setting Full and Delta CRL Schedules 334 14 5 1 Configuring Extended Updated Intervals for CRLs in the Console 335 14 5 2 Configuring Extended Updated Intervals for CRLs in CS cfg 336 15 Publishing 337 15 1 About Publ...

Page 11: ...78 16 3 1 Setting up Directory Based Authentication 379 16 3 2 Setting up PIN based Enrollment 380 16 4 Setting up CMC Enrollment 384 16 4 1 Setting up the Server for Multiple Requests in a Full CMC Request 385 16 4 2 Testing CMCEnroll 385 16 5 Certificate Based Enrollment 386 16 5 1 Setting up Certificate Based Enrollment 387 16 6 Testing Enrollment 388 16 7 Managing Authentication Plug ins 389 1...

Page 12: ...25 certServer ee profiles 416 17 7 26 certServer ee facetofaceenrollment 417 17 7 27 certServer ee request enrollment 417 17 7 28 certServer ee request facetofaceenrollment 417 17 7 29 certServer ee request ocsp 418 17 7 30 certServer ee request revocation 418 17 7 31 certServer ee requestStatus 418 17 7 32 certServer general configuration 419 17 7 33 certServer job configuration 419 17 7 34 certS...

Page 13: ...Console 442 19 3 2 Configuring Jobs by Editing the Configuration File 444 19 3 3 Configuration Parameters of requestInQueueNotifier 444 19 3 4 Configuration Parameters of publishCerts 445 19 3 5 Configuration Parameters of unpublishExpiredCerts 446 19 3 6 Frequency Settings for Automated Jobs 447 19 4 Managing Job Plug ins 448 19 4 1 Registering or Deleting a Job Module 448 20 Configuring the Cert...

Page 14: ...482 A 6 1 netscape cert type 482 A 6 2 netscape comment 482 B Introduction to Public Key Cryptography 485 B 1 Internet Security Issues 485 B 2 Encryption and Decryption 486 B 2 1 Symmetric Key Encryption 486 B 2 2 Public Key Encryption 487 B 2 3 Key Length and Encryption Strength 488 B 3 Digital Signatures 488 B 4 Certificates and Authentication 489 B 4 1 A Certificate Identifies Someone or Someth...

Page 15: ...xv Index 525 ...

Page 16: ...xvi ...

Page 17: ...rtificates including different types of digital certificates The role of digital certificates in a public key infrastructure PKI Certificate hierarchies LDAP and Red Hat Directory Server Public key cryptography and the Secure Sockets Layer SSL protocol including the following SSL cipher suites The purpose of and major steps in the SSL handshake 2 What Is in This Guide This guide contains the follo...

Page 18: ...rovides information and procedures for configuring profiles Chapter 14 Revocation and CRLs provides information and procedures for configuring CRLs and revoking certificates Chapter 15 Publishing provides information and procedures for publishing certificates Chapter 17 User and Group Authorization provides information and procedures for setting up access control lists ACL that define authorizatio...

Page 19: ...inux However Red Hat Enterprise Linux systems also include LDAP tools from OpenLDAP in the usr bin directory It is possible to use the OpenLDAP commands as shown in the examples but you must use the x argument to disable SASL which OpenLDAP tools use by default 3 3 Default Port Numbers After Errata RHSA 2009 0007 Certificate System 7 3 supports port separation Port separation means that the differ...

Page 20: ...ntial data loss as may happen when tuning hardware for maximum performance 4 Additional Reading The Certificate System Administrator s Guide describes how to set up configure and administer the Certificate System subsystems and how to configure backend certificate management functions such as publishing and logging The Administrator s Guide also describes how to configure subsystems to relate to o...

Page 21: ... there is any error in this Administrator s Guide or there is any way to improve the documentation please let us know Bugs can be filed against the documentation for Red Hat Certificate System through Bugzilla http bugzilla redhat com bugzilla Make the bug report as specific as possible so we can be more effective in correcting any issues Select the Red Hat Certificate System product Set the compo...

Page 22: ...com Removed section on renewing certificates through the console since this is not supported Revision 7 3 7 January 29 2009 Ella Deon Lackey dlackey redhat com Added small note on the new LDAP publishing password configuration parameter to the Enabling Publishing section Added information on configuring port separation Updated pkicreate example to include a port separation example Updated examples...

Page 23: ...er is an optional subsystem that provides OCSP responder services which means it stored CRLs for CAs and can distribute the load for verifying certificate status See Chapter 6 Online Certificate Status Protocol Responder for details The Data Recovery Manager DRM is an optional subsystem that provides private encryption key storage and retrieval See Chapter 7 Data Recovery Manager for details The T...

Page 24: ...ces interface for a CA DRM OCSP and TPS are specific to those subsystems End Entity Services Interface The end entity interface is a customizable HTML interface used by end entities to enroll in the PKI request certificates revoke certificates and pick up issued certificates It contains forms for different types of enrollments and for enrolling different types of end entities The Certificate Manag...

Page 25: ...e CA subsystem which hosts the domain is automatically granted the role of Security Domain Administrator which gives the subsystem the ability to manage the security domain and the subsystem instances within it Other security domain administrator roles can be created for the different subsystem instances These roles are described in Section 4 4 2 Security Domain Roles 1 1 7 Security Enhanced Linux...

Page 26: ...rieve CA requests Submit a PKCS 10 request Retrieve the issued certificate Queries the request status if the request is pending SCEP suggests two modes of operation RA mode and CA mode In the RA mode the enrollment request is encrypted with the RA signing certificate In the CA mode the request is encrypted with the CA signing certificate The current implementation of RA and CA only supports the CA...

Page 27: ...e to determine the content of the issued certificate See Chapter 13 Certificate Profiles for details 1 1 13 CRLs The Certificate System can create certificate revocation lists CRLs from a configurable framework which allows user defined issuing points so a CRL can be created for each issuing point Delta CRLs can also be created for any issuing point that is defined CRLs can be issued for each type...

Page 28: ...nd areas which the Certificate System supports include the following Formulates signs and issues industry standard X 509 version 3 public key certificates version 3 certificates include extensions that make it easy to include organization defined attributes These certificates are used for extranet and Internet authentication Supports the RSA public key algorithm for signing and encryption and the ...

Page 29: ...e it obtains its signing certificate from another CA 1 2 1 1 Certificate Manager Flexibility and Scalability Multiple CAs can be configured to form a vertical or horizontal chain of CAs A vertical hierarchy has a root CA that is either self signing or subordinate to a public CA and then one or more CAs subordinate to this root CA The subordinate CAs can have more CAs below them forming a chain of ...

Page 30: ...s by issuing and storing cross signed certificates between these two CAs By using cross signed certificate pairs certificates issued outside the organization s PKI can be trusted within the system 1 2 1 3 Certificate Manager Functionality The Certificate Manager issues and revokes certificates when it receives signed requests These requests can come from its own agents users who are assigned privi...

Page 31: ...it is an agent approved enrollment an agent of the Certificate Manager must approve the request If it is an automated enrollment the request is approved if the end entity supplies the correct information and authenticates successfully 1 2 2 2 Authentication Methods Authentication plug ins set up automated enrollment and configure the methods for the end entity to authenticate itself For agent appr...

Page 32: ...issues a certificate the Certificate Manager stores both the certificate and the certificate request in its internal database 1 2 2 8 Revoking Certificates End entities can submit certificate revocation requests in the end entities page if they lose their private key or if their certificate has been compromised When an end entity requests a revocation the request is sent to the agent services inte...

Page 33: ...ovided by the underlying hardware token In the new scheme CS uses its existing access control scheme to ensure recovery agents are appropiately authenticated via SSL and ensures that the agent belongs to the specific recovery agent group The recovery request is executed only when m of n recovery agents have granted authorization to the request By default the DRM sets up a 1 of 1 ACL based recovery...

Page 34: ...S also generates transport keys which wrap or encrypt the user s private keys to secure them during transit 1 2 6 Token Processing System The Token Processing System TPS is the conduit between the Enterprise Security Client the user interface for end users to manage their smart cards and the other subsystems in the Certificate System It automatically initiates certificate enrollments with the CA a...

Page 35: ...ires key archival and recovery capabilities along with the CA for example when encrypted mail is widely used the organization risks data loss if it is unable to recover encryption keys In this case the Certificate System deployment has both the Certificate Manager and a DRM To add key storage and recovery a DRM can be installed on the same machine or on a different machine Figure 1 2 Certificate M...

Page 36: ... compromised DRM has devastating security consequences for the entire PKI Consider keeping the DRM in a special locked room or building this consideration can affect the deployment strategy 1 3 3 Cloned Certificate Manager A cloned Certificate Manager uses the same CA signing key and certificate as another Certificate Manager the master Certificate Manager Since each Certificate Manager issues cer...

Page 37: ...rity Client The TKS and TPS subsystems work together to support all token operations such as enrollment through the Enterprise Security Client Additionally the TPS subsystem can be configured to use the DRM subsystem to handle server side key generation and key archival and recovery The interactions between the TPS TKS DRM and CA subsystems to process token operations through the Enterprise Securi...

Page 38: ...Chapter 1 Overview 16 Figure 1 4 Certificate System Architecture ...

Page 39: ...or all users and applications to access Certificate System subsystem functions through the different user interfaces administrative console agent services and end entities pages The subsystem pages are accessed over HTTP but they are created by subsystem specific servlets contained in the Certificate System While the HTTP engine provides the connection entry points Certificate System completes the...

Page 40: ...nd logs including audit logs administrators cannot view audit logs NOTE The TPS subsystem does not have an administrative console administrator tasks are performed through an HTML interface accessed through the agent services URL These servlets can return data in HTML or XML formats making it easier for system administrators to write scripts which interact with these servlets For more information ...

Page 41: ...ionally stores certificates and keys Two cryptographics modules are included in the Certificate System The default internal PKCS 11 module which comes with two tokens The internal crypto services token which performs all cryptographic operations such as encryption decryption and hashing The internal key storage token Certificate DB token in Figure 1 4 Certificate System Architecture which handles ...

Page 42: ...session that follows Both of these protocols support using a variety of different cryptographic algorithms or ciphers for operations such as authenticating the server and client transmitting certificates and establishing session keys Clients and servers may support different cipher suites or sets of ciphers Among other functions the SSL handshake determines how the server and client negotiate whic...

Page 43: ...ring Task Force IETF PKIX working group Certificate Management Message Formats CMMF Message formats to send certificate requests and revocation requests from end entities to a CA and to return information to end entities A proposed standard from the IETF PKIX working group CMMF has been subsumed by another standard CMC Certificate Management Messages over CS CMC A general interface to public key c...

Page 44: ...ncrypted data This format is used to deliver certificates to end entities Public Key Cryptography Standard PKCS 10 A message format developed by RSA Data Security for certificate requests This format is supported by many server products Public Key Cryptography Standard PKCS 11 Specifies an API used to communicate with devices such as hardware tokens that hold cryptographic information and perform ...

Page 45: ... as follows 1 Install a Red Hat Directory Server This can be on a different machine from the Certificate System which is the recommended scenario for most deployments 2 Download the Certificate System packages from the Red Hat Network channel Each subsystem has its own packages as well as dependencies and related packages These are listed in Section 2 2 3 Packages Installed 3 Install the Certifica...

Page 46: ... subsystem can be configured in an installation of Certificate System There can be multiple instances of a type of subsystem on a host or across different hosts For failover support one configuration option is to duplicate or clone an instance so that more than one instance has the same configuration information Clones and masters share the same set of keys and certificates Cloned CAs issue certif...

Page 47: ...y to a third party and wait for the certificate to be issued Before deploying the full PKI however consider whether to have a root CA how many to have and where both root and subordinate CAs will be located 2 2 Prerequisites This section covers required information such as the supported platforms the packages installed and dependencies and programs Section 2 2 1 Supported Platforms Section 2 2 2 R...

Page 48: ... Hat Network channel A similar package is available for 64 bit Red Hat Enterprise Linux 4 platforms This package is available through either the Red Hat Enterprise Linux AS v 4 for AMD64 EM64T Extras Red Hat Network channel or the Red Hat Enterprise Linux ES v 4 for AMD64 EM64T Extras Red Hat Network channel As root run usr sbin alternatives config java to insure that the IBM Java 1 5 0 JRE is sel...

Page 49: ...shtm for more information While almost any JDK is sufficient installing one of these JDKs is recommended For 32 bit Red Hat Enterprise Linux 4 platforms a pre packaged binary distribution of the 32 bit version of the IBM JDK 1 5 0 the java 1 5 0 ibm devel rpm package is available through either the Red Hat Enterprise Linux AS v 4 for x86 Extras Red Hat Network channel or the Red Hat Enterprise Lin...

Page 50: ... qa queryformat compat libstdc VERSION RELEASE ARCH rpm n grep x86_64 Numerous libraries should be displayed 2 2 3 Packages Installed Multiple packages are installed with the Certificate System in addition to the core Certificate System components Section 2 2 3 1 Red Hat Enterprise Linux RPMs Section 2 2 3 2 Solaris Packages 2 2 3 1 Red Hat Enterprise Linux RPMs RPMs have the format package_name v...

Page 51: ...ken xpath geronimo specs jdom wsdl4j gnu crypto sasl jdk1 4 jms xalan j2 jakarta commons beanutils jpackage utils xerces j2 jakarta commons collections ldapjdk xml commons jakarta commons daemon log4j xml commons apis jakarta commons dbcp mx4j xml commons resolver jakarta commons digester oldjdom xmlbeans RPMs for Fortitude Web Services fortitude web mod_nss mod_revocator RPMs for Apache Web Servi...

Page 52: ...condary subpackage name For example the 64 bit packages for dirsec nss include RHATdirsec nssx 3 11 3 1 sparcv9 pkg and RHATdirsec nssx tools 3 11 3 1 sparcv9 pkg Packages for Certificate System RHATosutilx RHATrhpki krax RHATrhpki tksx RHATpkisetupx RHATrhpki managex RHATrhpki tpsx RHATrhpki cax RHATrhpki migratex RHATrhpki utilx RHATrhpki commonx RHATrhpki native toolsx RHATsymkeyx RHATrhpki con...

Page 53: ...mons discoveryx RHATorox Packages for Fortitude Web Services RHATfortitude webx RHATmod nssx RHATmod revocatorx Packages for Apache Web Services RHATapr utilx RHATmod perlx RHATperl XML Parserx RHATaprx RHATpcrex RHATperl XML SAXx RHATdb4x RHATperl HTML Parserx RHATperl XML Simplex RHATdb4x utils RHATperl HTML Tagsetx RHATperl libwww perlx RHATexpatx RHATperl Parse RecDescentx RHATperlx RHAThttpdx...

Page 54: ...add an external CA If a Certificate System CA is selected then supply the CA agent username and password Subsystem information When installing a TPS the CA and TKS subsystems must be installed and configured before installing the TPS a DRM subsystem must also be installed and configured if server side key generation is selected When configuring the TPS the TKS and DRM to connect with the TPS are s...

Page 55: ... tks TPS 7889 7888 var lib rhpki tps Table 2 1 Default Subsystem Instance Ports and File Locations The following certificates are created by default when any of the following subsystem instances are installed Certificate Manager CA signing certificate OCSP signing certificate for the CA s internal OCSP service SSL server certificate Subsystem certificate The subsystem certificate is always issued ...

Page 56: ...ection 2 4 2 Subsystem Type Panel Section 2 4 3 PKI Hierarchy Panel Section 2 4 4 CA Information Panel Section 2 4 5 TKS Information Panel Section 2 4 6 DRM Information Panel Section 2 4 7 Authentication Directory Panel Section 2 4 8 Internal Database Panel Section 2 4 9 Key Store Panel Section 2 4 10 Key Pairs Panel Section 2 4 11 Subject Names Panel Section 2 4 12 Requests and Certificates Panel...

Page 57: ... Figure 2 1 Security Domain If the subsystem is being added to an existing domain provide the security domain URL and the administrator UID and password for the domain Figure 2 2 Supplying the Security Domain Bind Information For more information on security domains see Section 4 4 Security Domains 2 4 2 Subsystem Type Panel This panel creates a master subsystem or clones an existing subsystem Cre...

Page 58: ...of the subsystem information based on the master s configuration and regenerates the master s certificates 2 4 3 PKI Hierarchy Panel This option is only available to CAs this creates the overall arrangement of CAs CAs can be arranged in a hierarchy with root CAs which sign CA signing certificates and set certificate policies and layers of subordinate CAs which have CA signing certificates signed b...

Page 59: ... and be approved before configuration can be completed 2 4 4 CA Information Panel This panel appears only during TPS configuration This identifies the CA which will work with the TPS to issue and revoke certificates stored on the smart card The TPS must be associated with a CA within the security domain which can perform the token operations the CA is selected from a drop down list of all CAs with...

Page 60: ...nel is only available when configuring a TPS subsystem The TPS can be associated with an existing DRM subsystem to enable server side key generation Similarly to setting the CA information the DRM is selected from a list of all configured DRM subsystems within the security domain Figure 2 7 Selecting the DRM ...

Page 61: ...lied in this panel and the appropriate database and suffix must be created before the TPS is configured these are not created by the configuration wizard but are accessed by it Only Red Hat Directory Server 7 1 or higher is supported 2 4 8 Internal Database Panel This panel collects information for the internal directory service used for storing certificate requests and certificates Directory Serv...

Page 62: ...base and the new clone s internal database 2 4 9 Key Store Panel This panel displays a list of automatically discovered tokens that can be used to store certificates and keys The Certificate System automatically discovers Safenet s LunaSA and nCipher s netHSM hardware security modules HSM and returns them on this screen The discovery process assumes that the client software installations for these...

Page 63: ...is updated with this information by default The status field in this panel describes the status of the token Found The token was discovered by Certificate System and added to secmod db Not Found The Certificate System was unable to find the supported HSMs Logged In The login attempt to the slot was successful Not Logged In The subsystem is not logged into the slot yet The login button correspondin...

Page 64: ...ames for all of the certificates issued for the subsystem being installed This panel also sets which CA will issue these certificates If the certificates for the subsystem including certificates for a subordinate CA will be issued by an external CA such as VeriSign or a Certificate System CA which is outside the security domain select External CA from the list ...

Page 65: ...t except the Server Certificate name field because the server certificate is regenerated 2 4 12 Requests and Certificates Panel This panel has links to the certificate requests and the issued certificates if the certificates were issued successfully The generated certificate requests are stored in the instance s CS cfg configuration file for retrieval later ...

Page 66: ...ceed past this panel until the new certificates are pasted into the fields In this case the Requests and Certificates panel appears as shown 2 4 13 Export Keys and Certificates Panel This panel offers the option to export the new certificate to a p12 file A p12 backup file of a master subsystem s certificates and keys is required when configuring the clone these files can also be used to restore t...

Page 67: ...ator user for the instance This user also has agent privileges so the agent certificates and keys for the agent certificate are generated on the browser used to go through the configuration wizard This administrator agent user can use this agent certificate to access the agent interface for managing requests Figure 2 15 CA Administrator ...

Page 68: ...loaded and installed on Red Hat Enterprise Linux systems using the up2date command Whether downloading and installing the Certificate System from an ISO image or through up2date several packages are also installed for related applications and dependencies not only for the subsystem packages These packages are listed in Section 2 2 3 1 Red Hat Enterprise Linux RPMs and Section 2 2 3 2 Solaris Packa...

Page 69: ...the Token Key System tps installs the Token Processing System esc installs the Enterprise Security Client The force option bypasses any confirmation prompts that may otherwise appear during the installation For example to install the CA and then the DRM use the following commands rhpki install pki_subsystem ca pki_package_path media cdrom RedHat RPMS force rhpki install pki_subsystem drm pki_packa...

Page 70: ...te command run a command like the following for each subsystem up2date rhpki subsystem subsystem can be ca for the CA ra for the RA kra for the DRM ocsp for the OCSP tks for the TKS and tps for the TPS up2date is used only for the first subsystem instance any additional subsystem instances should be added using pkicreate To install the client using up2date run the following up2date esc 2 6 Configu...

Page 71: ... and a corresponding base directory entry base DN to use for the subsystem s entries 6 Select the key store token a list of detected hardware tokens and databases is given To determine whether a token is detected by the Certificate System use the TokenInfo tool For more information on this tool see the Certificate System Command Line Tools Guide 7 Set the key size The default RSA key size is 2048 ...

Page 72: ... subsystem s entries 5 Select the key store token a list of detected hardware tokens and databases is given To determine whether a token is detected by the Certificate System use the TokenInfo tool For more information on this tool see the Certificate System Command Line Tools Guide 6 Set the key size The default RSA key size is 2048 7 Select the CA which will generate the subsystem certificates t...

Page 73: ...e key generation for tokens enrolled through the TPS If server side key generation is selected supply information about the DRM which will be used to generate keys and archive encryption keys Key and certificate recovery is initiated automatically through the TPS which is a DRM agent Select the DRM from the drop down menu of DRM subsystems within the security domain 7 Fill in the information for t...

Page 74: ...figuration wizard All additional CA RA DRM OCSP TKS and TPS instances are installed by running a special tool pkicreate After that they are configured through the HTML based administration page For more information on pkicreate see the Certificate System Command Line Tools Guide NOTE Additional subsystems can be duplicates or clones of existing subsystems Cloning can be used for load balancing for...

Page 75: ...client authentication ee_secure_client_auth_port 1 Run the pkicreate command For example pkicreate pki_instance_root var lib pki ca2 subsystem_type ca pki_instance_name pki ca2 admin_secure_port 9545 agent_secure_port 9544 ee_secure_port 9543 ee_secure_client_auth_port 9546 unsecure_port 9180 tomcat_server_port 1802 verbose 2 When the instance is successfully created the process returns a URL for ...

Page 76: ... Type panel sets whether to create a new instance or a clone select the clone radio button Figure 2 16 Selecting the Subsystem to Clone 5 Give the path and filename of the PKCS 12 backup file which was saved when the master instance was created If a backup was not created at that time use the pk12util utility to create a PKCS 12 file Figure 2 17 Supplying the Key and Certificate Information ...

Page 77: ...Red Hat Certificate System 7 3 Red Hat Network channel NOTE Run this tool on a system which already has a subsystem installed since this tool depends on having libraries JRE and core jar files already installed The silent installation tool has the following format perl pkisilent Configuresubsystem_type options The options are slightly different between the subsystems all subsystems except for the ...

Page 78: ...rtdb_dir tmp client_certdb_pwd redhat preop_pin fS44I6SASGF34FD76WKJHIW4 domain_name testca admin_user admin admin_email admin redhat com admin_password redhat agent_name rhpki tks2 agent ldap_host server ldap_port 389 bind_dn cn directory manager bind_password redhat base_dn o rhpki tps2 db_name rhpki tks2 key_size 2048 key_type rsa agent_key_size 2048 agent_key_type rsa agent_cert_subject tps ag...

Page 79: ...ample rpm Uvh rhpki java tools 7 3 0 4 noarch rpm 4 Restart the Certificate System instances etc init d instance_ID start Alternatively using the up2date command 1 Stop all Certificate System instances etc init d instance_ID stop 2 Log in as root 3 Run up2date for the package For example up2date rhpki java tools 7 3 0 4 noarch 4 Restart the Certificate System instances etc init d instance_ID start...

Page 80: ... uninstall pki_subsystem all 5 Remove the actual install and uninstall scripts pkgrm RHATrhpki managex To install the new CA 1 Install the install and uninstall scripts pkgadd d RHATrhpki managex 7 3 0 12 sol9 noarch pkg 2 Use the install script to install the CA rhpki install pki_subsystem ca pki_package_path IMPORTANT Ensure that the current directory contains all the Solaris packages 3 For the ...

Page 81: ... dir var lib rhpki ca1 Removing file var log rhpki ca1 install log Removing file etc init d rhpki ca1 Removing file usr share applications rhpki ca1 config desktop Removing file usr bin dtomcat5 rhpki ca1 Example 2 4 Removing a CA Instance pkiremove removes the instance and any related files such as the certificate databases certificates keys and associated users It does not uninstall the subsyste...

Page 82: ...Chapter 2 Installation and Configuration 60 rpm ev rhpki manage ...

Page 83: ...anually editing the CS cfg file The Console is launched using the pkiconsole utility with the hostname subsystem SSL port and subsystem type specified pkiconsole https hostname SSLport subsystemType For a Certificate Manager running a a host named host example com on the default CA SSL port 9443 the console command would be as follows pkiconsole https host example com 9443 ca When the command is r...

Page 84: ...tion To enable SSL client authentication both the client and the server need configured to run over SSL First setup the Certificate System server to use SSL client authentication 1 Store the certificates for any administrator using this system The certificate should be either from the CA itself or from whichever CA signed the certificate for the subsystem a Open the subsystem console b Select the ...

Page 85: ...serverCertNick conf passwordFile var lib rhpki ca conf password conf passwordClass org apache tomcat util net jss PlainPasswordFile certdbDir var lib rhpki ca alias 9 Start the subsystem etc init d instance_ID start After setting up the server then configure the client to use SSL client authentication The Console must have access to the administrator certificate and keys used for SSL client authen...

Page 86: ...ry The bind password used by the subsystem to access and update the LDAP directory this is required only if the Certificate System instance is configured for publishing certificates and CRLs to an LDAP compliant directory For a TPS instance the bind password used to access and update the token database The password conf file also contains the token passwords needed to open the private keys of the ...

Page 87: ...ile for password conf is called password bak run cat password bak password conf Repeat this command until the server is fully started this is apparent in the debug log This process still uses a clear text password file password bak but this moves the password store so that it is external to the Certificate System instance and can be stored anywhere such as a smart card This only requires a utility...

Page 88: ...ectory enforces the quality of the password because it is created and managed by the directory 3 4 Starting Stopping and Restarting Certificate System Subsystems Each Certificate System subsystem instance is started stopped and restarted separately This section describes how to start stop and restart a subsystem instance 3 4 1 Starting a Server Instance A subsystem instance is started like other s...

Page 89: ...rver The notifications and jobs features use the mail server set in the Certificate System CA instances to send notification messages Set up a mail server by doing the following 1 Open the CA subsystem administrative console For example pkiconsole https host example com 9443 ca 2 In the Configuration tab highlight the instance name at the top and select the SMTP tab 3 Supply the server name and po...

Page 90: ... Do not edit the configuration file directly without being familiar with the configuration parameters or without being sure that the changes are acceptable to the server The Certificate System fails to start if the configuration file is modified incorrectly Incorrect configuration can also result in data loss To modify the configuration file 1 Stop the subsystem instance The configuration file is ...

Page 91: ...slashes instead of one Authentication parameters CA only All authentication specific information such as names of registered authentication plug in modules and any configured instances appears in the authentication section of the configuration file Each registered authentication plug in module is identified by its implementation name and the corresponding Java class Each configured instance of an ...

Page 92: ...c parameters are not adjusted to those required by the new instance The recommended way to create duplicate instances is to clone the instances when the subsystem instance is configured For more information on cloning see Chapter 20 Configuring the Certificate System for High Availability 3 6 5 Other File Locations Certificate System servers consist of subsystems and instances Server subsystems ar...

Page 93: ...ES x86_64 machines only usr share doc LICENSE and README text files shared by the Certificate System subsystems usr share java rhpki Java archive files shared by the CA RA DRM OCSP and TKS subsystems usr share java rhpki subsystem_type Java archive files shared by all instances of a subsystem type For example usr share java rhpki ca contains files shared by all CA subsystem instances usr share rhp...

Page 94: ... following are the default instance locations Section 3 6 6 1 CA Default Instance Location Section 3 6 6 2 DRM Default Instance Location Section 3 6 6 3 OCSP Default Instance Location Section 3 6 6 4 TKS Default Instance Location Section 3 6 6 5 TPS Default Instance Location 3 6 6 1 CA Default Instance Location Default Location Type of Object Description etc init d rhpki ca File The script used to...

Page 95: ...CSP Default Instance Location Default Location Type of Object Description etc init d rhpki ocsp File The script used to start stop or restart the OCSP instance etc rhpki ocsp Directory Contains the configuration file for the OCSP instance var lib rhpki ocsp Directory Contains the user specific default and customized forms and data for the OCSP instance var log rhpki ocsp Directory Contains the log...

Page 96: ... TPS instance var log rhpki tps install log File A log file containing the configuration steps performed to create the TPS instance var log rhpki tps rhpki tps pid File A file containing the active process ID of the running TPS instance Table 3 6 TPS Default Instance Location 3 7 Using Security Enhanced Linux Security enhanced Linux or SELinux is a collection of mandatory access control rules whic...

Page 97: ...s an HTML page when the following link is accessed https server example com 9443 ca ee ca displayBySerial op displayBySerial serialNumber 0x1 Appending xml true to the end of the link returns the same page in XML https server example com 9443 ca ee ca displayBySerial op displayBySerial serialNumber 0x1 xml true 3 9 Logs This section explains how to use the Console to configure logs maintained by t...

Page 98: ...rations performed such as search add and edit and the result of the access such as the number of entries returned This log is on by default 3 9 1 2 Transactions Log This log transactions records messages specific to the certificate service such as certificate requests revocation requests and CRL publication and can detect any unauthorized access or activity This log is on by default 3 9 1 3 Debug ...

Page 99: ...43 Processor24 ProfileSubmitServlet key request auth_token uid value RA test4 redbudcomputer local 4747 06 Jun 2008 14 59 38 http 9443 Processor24 ProfileSubmitServlet key request auth_token userid value RA test4 redbudcomputer local 4747 06 Jun 2008 14 59 38 http 9443 Processor24 ProfileSubmitServlet key request requestor_name value 06 Jun 2008 14 59 38 http 9443 Processor24 ProfileSubmitServlet ...

Page 100: ...cords for events that have been set up as recordable events If the logSigning attribute is set to true the audit log is signed with a log signing certificate belonging to the server This certificate can be used by auditors to verify that the log has not been tampered with See Section 3 9 13 Signed Audit Log 3 9 1 7 Apache and Tomcat Error and Access Logs The CA RA DRM OCSP and TKS subsystems use a...

Page 101: ... to the HTTP activity of the server NOTE HTTP events are actually logged to the errors log belonging to the Apache server incorporated with the Certificate System to provide HTTP services Key Recovery Authority Logs events related to the DRM LDAP Logs events related to activity with the LDAP directory which is used for publishing certificates and CRLs OCSP Logs events related to OCSP such as OCSP ...

Page 102: ...hese messages are warnings only and do not indicate any failure in the normal operation of the server 3 Failure the default selection for system and error logs These messages indicate errors and failures that prevent the server from operating normally including failures to perform a certificate service operation User authentication failed or Certificate revoked and unexpected situations that can c...

Page 103: ...red logging is configured the server creates buffers for the corresponding logs and holds the messages in the buffers for as long as possible The server flushes out the messages to the log files only when one of the following conditions occurs The buffer gets full The buffer is full when the buffer size is equal to or greater than the value specified by the bufferSize configuration parameter The d...

Page 104: ...ed audit logs feature Signed audit logs creates audit logs that are automatically signed using signtool manually signs archived logs See Section 3 9 1 6 Signed Audit Log for details about signed audit logs By default rotated log files are not deleted 3 9 6 Configuring Logs in the Console This procedure describes how to configure system transaction and audit logs To configure logs for a Certificate...

Page 105: ...ction 3 9 5 Log File Rotation rolloverInterval Sets the frequency at which the server rotates the active error log file The available choices are hourly daily weekly monthly and yearly The default selection is monthly For more information see Section 3 9 5 Log File Rotation The signed audit log has these additional settings logSigning Enables signed logging When this parameter is enabled provide a...

Page 106: ...e Specify the file size in kilobytes KB for the error log The default size is 100 KB The maxFileSize determines how large a log file can become before it is rotated Once it reaches this size the file is copied to a rotated file and the log file is started anew For more information see Section 3 9 5 Log File Rotation register If this variable is set to false the default value the self test messages...

Page 107: ...audit level 10 logging debug enable true logging debug filename var lib rhpki tps logs tps debug log logging debug level 7 logging error enable true logging error filename var lib rhpki tps logs tps error log logging error level 10 3 9 9 Monitoring Logs To troubleshoot the subsystem check the error or informational messages that the server has logged Examining the log files can also monitor many a...

Page 108: ...on which the entry was logged Time The time at which the entry was logged Details A brief description of the log 6 To view a full entry double click it or select the entry and click View 3 9 10 Signing Log Files The Certificate System can digitally sign log files before they are archived or distributed for audit purposes This feature allows files to be checked for tampering This is an alternative ...

Page 109: ... path to the implementing Java class If this class is part of a package include the package name For example registering a class named customLog in a package named com customplugins the class name would be com customplugins customLog 5 Click OK 3 9 12 Deleting a Log Module Unwanted log plug in modules can be deleted through the Console Before deleting a module delete all the listeners based on thi...

Page 110: ...emove it from the list Log events are separated by commas with no spaces Logging Event Type of Log Messages Generated AUDIT_LOG_STARTUP The start of the subsystem and thus the start of the audit function AUDIT_LOG_SHUTDOWN The shutdown of the subsystem and thus the shutdown of the audit function ROLE_ASSUME A user assuming a role A user assumes a role after passing through authentication and autho...

Page 111: ...ould not allow such a change PRIVATE_KEY_ARCHIVE Shows when an encryption private key is requested during enrollment PRIVATE_KEY_ARCHIVE_PROCESSED Shows when a private encryption key is archived in the DRM KEY_RECOVERY_REQUEST Shows when a request is made to recover a private encryption key stored in the DRM KEY_RECOVERY_AGENT_LOGIN Shows when DRM agents log in as recovery agents to approve key re...

Page 112: ...G Shows when the audit buffer is signed and flushed to disk Table 3 11 Signed Audit Log Events 3 9 13 1 Setting up Signed Audit Logs To set up signed audit logs 1 Set up the caAuditCert certificate profile See Section 13 3 Setting up Certificate Profiles for information about setting up certificate profiles 2 Approve the caAuditCert certificate profile by approving it in the agent services interfa...

Page 113: ...n this happens administrators and auditors should work together with the operating system administrator to resolve the disk space or file permission issues When the IT problem is resolved the auditor should make sure that the last audit log entries are signed If not they should be preserved by manual signing Section 3 9 10 Signing Log Files archived and removed to prevent audit verification failur...

Page 114: ... changed by changing those setting in the CS cfg file To turn a self test off remove is from the list of self tests 3 10 3 Modifying Self Test Configuration To modify the configuration settings for self tests 1 Stop the subsystem instance 2 Open the CS cfg file located in the instance s conf directory 3 To edit the settings for the self test log edit the entries that begin with selftests container...

Page 115: ...thly and yearly The default selection is monthly For more information see Section 3 9 5 Log File Rotation type Set to transaction do not change this 4 To edit the order in which the self test are run specify the order by listing any of the self test as the value of the following parameters separated by a comma and a space To mark a self test critical add a colon and the word critical to the name o...

Page 116: ... be desirable to use those ports directly Also since the Certificate System is installed as root yet it runs as a non root user the subsystems may not be able to access the restricted ports It is possible to direct traffic to non restricted ports while still using the default port numbers by configuring the iptables settings For example sbin iptables A FORWARD p tcp destination port 443 j ACCEPT s...

Page 117: ...mber is also used to open the subsystem administrative console pkiconsole https server example com 4430 ca If the port number is ever changed the agents must be informed 3 11 1 4 End Entity Ports For requests from end entities the Certificate System listens on both the SSL encrypted port and non SSL port End entities make requests through the end entities page Both the HTTP port and HTTPS port can...

Page 118: ...ectory cd var lib instance_ID conf 3 Open the httpd conf file and edit the non SSL port number For example Listen 0 0 0 0 7888 4 Open the nss conf file and edit the SSL port numbers For example Listen 0 0 0 0 7889 VirtualHost _default_ 7889 5 Open the CS cfg file and edit the both the SSL and non SSL port numbers For example service securePort 7889 service unsecurePort 7888 op format tokenKey issu...

Page 119: ...t and an Host appBase entry to identify the location of the web directory for the service The appBase directory should be something like webapps admin and located in the subsystem s instance directory default entry used as the agent service Service name Catalina Connector port 9080 the insecure port definition which is used by all services Connector port 9444 Engine name Catalina defaultHost local...

Page 120: ...localhost Realm className org apache catalina realm UserDatabaseRealm resourceName UserDatabase Host name localhost appBase webapps ee unpackWARs true autoDeploy false xmlValidation false xmlNamespaceAware false Valve className org apache catalina valves AccessLogValve directory logs prefix localhost_access_log suffix txt pattern common resolveHosts false Host Engine Service 4 Go up into the insta...

Page 121: ...sion not the local version is used by the service cd lib mv osutil jar osutil jar orig Do this for all three services 10 Move the osutil jar symlink from common lib to the shared lib directory cd var lib pki ca shared lib cp d var lib pki ca common lib osutil jar rm var lib pki ca common lib osutil jar 11 Restart the subsystem etc init d rhpki ca restart 3 11 4 Redirecting Subsystem Communications...

Page 122: ...on port for end entities to use and reconfigure client connections for subsystems like the RA TPS and SCEP services to use the new ports IMPORTANT In Certificate System 7 3 no port is configured to require client authentication at the initial connection The workaround here configures the agent secure port to require client authentication and directs requests for profiles that require client authen...

Page 123: ...ferenced in the ProfileSelect template file mkdir p var lib instance_name webapps ca ee ca cp var lib instance_name webapps ee ca ee ca ProfileSubmit template var lib instance_name webapps ca ee ca cp var lib instance_name webapps ee ca ee ca ProfileSubmit html var lib instance_name webapps ca ee ca ProfileSubmit html chown R pkiuser var lib instance_name webapps ca ee 8 Restart the CA For example...

Page 124: ...tive in the agent connector to true For example Connector name Agent port 11443 maxHttpHeaderSize 8192 maxThreads 150 minSpareThreads 25 maxSpareThreads 75 enableLookups false disableUploadTimeout true acceptCount 100 scheme https secure true clientAuth true sslProtocol SSL 4 Restart the subsystem For example etc init d rhpki ocsp restart 3 11 4 4 Updating the TPS 1 Update the NSS packages by inst...

Page 125: ...instance_name 3 Remove the line LD_PRELOAD usr lib64 dirsec libssl3 so LD_PRELOAD Replace it with the following LD_PRELOAD usr lib64 libssl3 so LD_PRELOAD On 32 bit systems the path is usr lib 4 Restart the subsystem For example etc init d rhpki ra restart 3 12 The Internal LDAP Database The Certificate System performs certificate and key management functions in response to the requests it receive...

Page 126: ... System to use any other LDAP directory Doing so can result in data loss Additionally do not use the internal LDAP database for any other purpose 3 12 1 Changing the Internal Database Configuration To change the Directory Server instance that a subsystem instance uses as its internal database 1 Log into the subsystem administrative console pkiconsole https hostname SSLport subsystemType 2 In the C...

Page 127: ...l LDAP Database internaldb ldapconn host ldap_hostname internaldb ldapconn port ldap_httpsport internaldb ldapconn secureConn true internaldb ldapAuthentication clientCertNickname Server Cert cert instance_name 5 Open the Directory Server Console 6 Create an entry for the suffix which matches the subject DN of the Certificate System subsystem certificate for the subsystem using this internal datab...

Page 128: ...ckbox 6 Click Save The server prompts to restart the server 7 Click the Tasks tab and click Restart the Directory Server 8 Close the Directory Server Console 9 When the server is restarted open the Directory Server Console for the internal database instance The Login to Directory dialog box appears the Distinguished Name field displays the Directory Manager DN enter the password The Directory Serv...

Page 129: ...ing up the instance or the security databases The Directory Server database can be restored using Directory Server specific tools see the Directory Server documentation for more information on restoring the LDAP database The Certificate System backup files both the alias database backups and the full instance directory backups can be used to replace the current directories if the data are corrupte...

Page 130: ...Chapter 3 Administrative Basics 108 etc init d instance_ID start NOTE Stop the subsystem instance before restoring the instance or the security databases ...

Page 131: ...ed by creating certificate profiles for each enrollment type Certificate profiles dynamically generate forms which are customized by configuring the inputs associated with the certificate profile 4 1 1 1 The Certificate Enrollment Process When an end entity enrolls in a PKI by requesting a certificate the following events can occur depending on the configuration of the PKI and the subsystems insta...

Page 132: ...t did not meet the certificate profile or authentication requirements or a certificate is issued 9 The certificate is delivered to the end entity In automated enrollment the certificate is delivered to the user immediately Since the enrollment is normally through an HTML page the certificate is returned as a response on another HTML page In agent approved enrollment the certificate can be retrieve...

Page 133: ...ate Manager has a CA signing certificate with a public key corresponding to the private key the Certificate Manager uses to sign the certificates and CRLs it issues This certificate is created and installed when the Certificate Manager is installed The default nickname for the certificate is caSigningCert cert instance_ID where instance_ID identifies the Certificate Manager instance The default va...

Page 134: ...quested to use for different operations such as configuring the Certificate Manager to use separate server certificates for authenticating to the end entity services interface and agent services interface If the Certificate Manager is configured for SSL enabled communication with a publishing directory it uses its SSL server certificate for client authentication to the publishing directory by defa...

Page 135: ...or the CA The starting and ending serial numbers that a CA can issue can be set in the Certificate System Console This is useful when installing cloned CAs each cloned CA is given a specific range of serial numbers that it can issue so that none of the cloned CAs can issue the same serial number The serial number range is not set during installation or configuration of the subsystem but can be con...

Page 136: ...he Certificate System CA to a third party public CA introduces the restrictions that public CAs place on the kinds of certificates the subordinate CA can issue and the nature of the certificate chain For example a CA that chains to a third party CA might be restricted to issuing only Secure Multipurpose Internet Mail Extensions S MIME and SSL client authentication certificates but not SSL server c...

Page 137: ... xml file is created when the CA is configured as the security domain host and every subsystem which is added to the domain is added as an entry to the registry The domain xml file looks like the following example xml version 1 0 encoding UTF 8 DomainInfo Name Example Domain Name KRAList KRA SubsystemName rhpki kra SubsystemName Host server example com Host SecurePort 10443 SecurePort DomainManage...

Page 138: ... and browsers The information available in the security domain is used during configuration of a new subsystem which makes the configuration process streamlined and automated For example when a TPS needs to connect to a CA it can consult the security domain to get a list of available CAs A subsystem retrieves information in the security domain through XML messages over HTTPS The subsystem authenti...

Page 139: ...s Automatically approve any server and subsystem certificate from any CA in the domain Register and unregister TPS subsystem information in the security domain Table 4 1 Security Domain User Roles As necessary the security domain administrator can manage access controls on the security domain and on the individual subsystems For example the security domain administrator can restrict access so that...

Page 140: ...guration the configuration registers the subsystem information to the security domain 4 4 5 Additional Security Domain Information The following information can be considered when planning the security domain The CA hosting the security domain can be signed by an external authority Multiple security domains can be set up within an organization However each subsystem can belong to only one security...

Page 141: ...trusted CA Section 11 4 1 3 About CA Certificate Chains Managing hardware security module HSM tokens Section 12 1 Tokens for Storing Certificate System Keys and Certificates Setting up trusted managers Section 17 1 2 5 Trusted Managers Changing the subsystem security settings Section 11 5 Configuring the Server Certificate Use Preferences Changing subsystem passwords Section 3 3 System Passwords M...

Page 142: ...on from an old CA certificate to a new one 4 7 Changing the Rules for Issuing Certificates The restrictions on the certificates issued are set by default after the subsystem is configured These include Whether certificates can be issued with validity periods longer than the CA signing certificate The default is to disallow this The serial number range the CA is able to use to issue certificates Th...

Page 143: ...cate expires Certificate Serial Number These fields set the serial number range for certificates issued by the Certificate Manager The server assigns the serial number in the Next serial number field to the next certificate it issues and the number in the Ending serial number to the last certificate it issues NOTE The serial number range cannot be updated manually through the console if the CA is ...

Page 144: ...s on CA Certificates through Certificate Extensions When a subordinate CA is created the root CA can generate a CA signing certificate with restrictions on the types of certificates that the subordinate CA can sign with that signing certificate These restrictions are set by setting the constraints in the CA signing certificate profile The default CA signing certificate request profile is the caCAC...

Page 145: ...ificates If the key ID is anything other than the SHA 1 hash of the CA certificates subjectPublicKeyInfo field then the CA certificate should contain the Subject Key Identifier extension This will allow for a smooth transition when the new issuing certificate becomes active These extensions can be configured through the certificate profile enrollment pages To set the default in the CA signing cert...

Page 146: ...on on modifying certificate profiles see Section 13 3 Setting up Certificate Profiles and the Certificate System Agent s Guide 4 9 Creating Certificate Manager Agents and Administrators When the subsystem is configured there is a default user created with both administrator and agent privileges This user can perform both administrator and agent operations and access the Console and the agent servi...

Page 147: ...e to a local file or to the clipboard c Select the new user entry and click Certificates d Click Import and paste in the base 64 encoded certificate For more information on editing user entries and managing user certificates see Section 17 4 Modifying Certificate System User Entries 4 10 Checking the Revocation Status of Agent Certificates A Certificate Manager can be configured to check the revoc...

Page 148: ...he following parameters revocationChecking bufferSize Sets the total number of last checked certificates the server should maintain in its cache For example if the buffer size is 2 the server retains the last two certificates checked in its cache By default the server caches the last 50 certificates revocationChecking subsystem Gives the name of the Certificate System instance subsystem indicates ...

Page 149: ...l see http www mozilla org projects security pki nss tools 2 When the certificate request has been created submit it through the Certificate Manager end entities page The page has a URL in the following format https hostname port ca ee ca 3 After the request is submitted log into the agent services page 4 Check the request for required extensions The CRL signing certificate must contain the Key Us...

Page 150: ...tificate System is connected with a Directory Server the format of the DNs in the certificates should match the format of the DNs in the directory It is not necessary that the names match exactly certificate mapping allows the subject DN in a certificate to be different from the one in the directory In the Certificate System the DN is based on the components or attributes defined in the X 509 stan...

Page 151: ...wing netscape security x509 PrintableConverter converts a string to a PrintableString value The string must have only printable characters netscape security x509 IA5StringConverter converts a string to an IA5String value The string must have only IA5String characters netscape security x509 DirStrConverter converts a string to a DirectoryString The string is expected to be in DirectoryString format...

Page 152: ...s the new attributes should show up in the form 8 To verify that the new attributes are in effect request a certificate using the manual enrollment form Enter values for the new attributes so that it can be verified that they appear in the certificate subject names For example enter the following values for the new attributes and look for them in the subject name MYATTR1 a_value MYATTR2 a Value MY...

Page 153: ... end of the configuration file X500Name directoryStringEncodingOrder PrintableString UniversalString 5 Save the changes and close the file 6 Start the Certificate Manager etc init d rhpki ca start 7 To verify that the encoding orders are in effect enroll for a certificate using the manual enrollment form Use John_Doe for the cn 8 Open the agent services page and approve the request 9 When the cert...

Page 154: ...132 ...

Page 155: ... then forwards the enrollment request to the designated Certificate Authority CA to generate the certificate Depending on the type of enrollment an RA can be set up with the appropriate authentication plugin to authenticate the request in an automated fashion Alternatively the RA has a local request queue where requests can be stored and reviewed by local RA agents for manual authentication The RA...

Page 156: ...nstaller enters the URL to the RA and provides the one time PIN The enrollment can then be initiated Enrolling a Server Certificate In a server certificate enrollment scenario a server administrator provides site information and the server certificate request in the enrollment form The RA Agent is notified of the request and after validating the requestor approves it The request is then forwarded ...

Page 157: ...al of Requests Approval of certificate requests Cancellation of Requests Cancellation of certificate requests Listing of Certificates Provide a listing of current certificates Addition of Further Certificate Information Addition of further information to certificate requests 5 1 4 3 Administrative Interface The Administrative interface provides the following features Listing and Creating New Users...

Page 158: ...all and configure a CA that is capable of issuing certificates Refer to the following sections for further information Section 2 5 Installing the Certificate System Section 2 6 Configuring the Default Subsystem Instances You can install the RA from the Red Hat Network RHN or by using the rpm command For example rpm ivh rhpki ra 7 3 0 27 el4 Procedure 5 1 Configuring an RA The following procedure d...

Page 159: ... up to the root certificate Click Next to move to the Security Domain Login page 4 The Security Domain Login page registers the RA subsystem with the Security Domain Enter the CA Administrator UID and Password to authenticate against the Security Domain Click Next to move to the Subsystem Type page 5 If this is the first RA that you are configuring select Configure this Instance as new Registratio...

Page 160: ...on page that indicates the type of security modules that have been recognized by the system This includes both hardware and software modules Refer to the help text on the page for more information about the supported security modules Click Next to move to the Key Pairs page 9 Use the Key Pairs page to specify information about the key pairs that you want to generate Unless you have a special reaso...

Page 161: ...mation that the Administrator will use to access the system Click Next to create the Administrator s Certificate and to move to the Import Administrator Certificate page 13 The Import Administrator Certificate page is an information page which indicates that the Administrator s Certificate was created and imported into the browser Click Next to move to the final page of the wizard 14 The final pag...

Page 162: ...var lib rhpki ra alias NSS security database where keys and certificates are stored var lib rhpki ra docroot ee CGIs and templates for end users EE var lib rhpki ra docroot agent CGIs and templates for agents var lib rhpki ra docroot admin CGIs and templates for administrators Table 5 1 Principle RA Directories File Description etc init d rhpki ra Start stop script var lib rhpki ra conf CS cfg Mai...

Page 163: ...ebug enable Specifies whether or not to enable debug logging Valid values are true and false logging debug filename Specifies the filename of the debug log file logging debug level Specifies the level to which debug logging should occur logging error enable Specifies whether or not to enable debug logging Valid values are true and false logging error filename Specifies the filename of the error lo...

Page 164: ...ficate signing request The following variables are currently available request request_type approve_request Specifies which plugins to call when a request is approved request request_type cancel_request Specifies which plugins to call when a request is canceled request request_type create_request Specifies which plugins to call when a request is created For example you may see the following for SC...

Page 165: ...le for creating enrollment work flow In the RA the CGI that handles the SCEP request is running at http example com 12888 ee scep pkiclient cgi Note The RA only supports CA mode over SCEP 5 3 Working With the Registration Authority The following sections describe how to work with the Registration Authority including listing adding and deleting users and groups and associating users with groups The...

Page 166: ...rs and Groups and then click Groups c Click Add to display the Edit Group Information dialog box d Enter the group name and description for example Registration Manager2 Agents e Click OK 2 Add the new RA authentication instance in the CA a Change to the CA configuration directory and edit the CS cfg file cd var lib rhpki ca conf vi CS cfg b Search for the lines containing the string raCertAuth c ...

Page 167: ...e Save and close the file 5 Add a new URI mapping to allow registering the new RA agent with the new RA group for example Registration Manager2 Agent a Change to the CA Web Applications directory and edit the web xml file cd var lib rhpki ca webapps ca WEB INF vi web xml b Search for caRegisterRaUser c Copy everything between the servlet and servlet tags and paste it immediately after the existing...

Page 168: ..._instance_root var lib subsystem_type ra pki_instance_name rhpki ra2 secure_port 12899 unsecure_port 12898 verbose user pkiuser group pkiuser 2 Edit the configuration file for the new RA instance cd var lib rhpki ra2 conf vi CS cfg 3 Locate the registerRaUser string and change it to registerRa2User Refer to the example below conn ca1 servlet addagent ca admin ca registerRa2User 4 Update the CS con...

Page 169: ... is no graphical interface for performing this customization Procedure 5 4 Customizing the DN 1 Edit the instance_root docroot ee user user vm file This is typically var lib rhpki ra docroot ee user user vm 2 Locate the validate function and formulate your preferred DN in the var dn statement The default value is var dn uid x e e where x is the UID and e is the email from the user input 3 When you...

Page 170: ...bmitted CSRs 5 3 3 1 Cisco Router Certificate Enrollment on an RA Using SCEP This section describes the process of using a Cisco router to enroll a certificate on an RA using SCEP 1 Simple Certificate Enrollment Protocol This protocol was designed by Cisco to provide a way for a router to communicate with an RA or a CA for certificate enrollment purposes Normally the Router Administrator enters th...

Page 171: ...is approved and stored in the SQLite database Consequently no configuration is required Procedure 5 5 Submitting the certificate request After the CA and the RA have been installed and appropriately configured the Router Administrator submits the certificate request 1 On the RA navigate to the SSL End Users Services page and then click SCEP Enrollment 2 Click Request Submission Manager 3 Enter the...

Page 172: ...sword that you need to enter when performing the Crypto CA enroll CA step on the router Procedure 5 7 Retrieving the Certificate and Enrolling After the certificate request has been approved and the RA has provided the one time PIN the Router Administrator needs to go to the provided URL to complete the certificate enrollment 1 On the RA navigate to the End User interface Click SCEP Enrollment and...

Page 173: ...submit a new CSR i Click Request Submission User ii Enter the required details for the UID Site ID and email address and then click Submit This sends the CSR to the RA b To submit a certificate renewal request i Click Renewal User ii On the User Renewal Interface click Renewal to submit the current certificate to the RA for renewal 3 When the RA has approved the request the User receives an email ...

Page 174: ...the Agent Interface 2 Click List Requests The PIN request should be listed in a table with a status of OPEN 3 Click the Request ID to display the details of the request 4 If required you can add an explanatory note in the text box at the bottom of the screen Click Add Note to save the note with the request 5 Click Approve to approve the request This generates the PIN that the new Agent requires to...

Page 175: ...e The following sections describe the functionality provided by the Administrator Interface This includes the basic procedures for working with users and groups in the Certificate System such as adding and deleting users and groups associating users with groups etc Note These procedures require Administrator access to the Certificate System Listing Users and Groups You can use the Administrator in...

Page 176: ...rs and groups as described below Procedure 5 16 To delete a user 1 Navigate to the Certificate System Services page and click Administrator Services 2 On the Administrator interface click List Users to display the list of existing users 3 Click the UID of the user that you want to delete 4 Scroll to the bottom of the User Information page and click Delete Procedure 5 17 To delete a group 1 Navigat...

Page 177: ...d above 2 Add the new user to the required group as described above Note If you create a new group ensure that you modify the admin authorized_groups and agent authorized_groups parameters in CS cfg to include the new group to reflect the required authorization levels for the new group 5 3 6 Command line Operations Most of the day to day RA operations can be performed using the browser based inter...

Page 178: ...splay all user information use the following command sqlite select from users To display all request information use the following command sqlite select from requests To display a list of available tables use the following command sqlite tables ...

Page 179: ...rmation Access extension in the certificate being validated 5 The OCSP responder determines if the request contains all the information required to process it If it does not or if it is not enabled for the requested service a rejection notice is sent If it does have enough information it processes the request and sends back a report stating the status of the certificate 6 1 1 OCSP Response Signing...

Page 180: ...voked 6 2 CA OCSP Services There are two ways to set up OCSP services The OCSP built into the Certificate Manager The Online Certificate Status Manager 6 2 1 The Certificate Manager s Internal OCSP Service The Certificate Manager has a built in OCSP service which can be used by OCSP compliant clients to query the Certificate Manager directly about the revocation status of the certificate When the ...

Page 181: ...sts can be submitted either to a Certificate Manager or to a third party public CA If the certificate is sent to a third party CA then the certificate must be installed when it is received If the OCSP signing certificate is made when the subsystem is configured and it issued by a Certificate Manager the certificate is installed immediately if the Certificate Setup Wizard is used the request is sub...

Page 182: ...the certificate chain is imported and marked when the Online Certificate Status Manager is configured No other configuration is required However if the server certificate is signed by an external CA the certificate chain has to be imported for the configuration to be completed NOTE Not every CA within the security domain is automatically trusted by the OCSP Manager when it is configured Every CA i...

Page 183: ...ng certificates Chapter 14 Revocation and CRLs Configuring cloning Chapter 20 Configuring the Certificate System for High Availability Table 6 1 General Subsystem Configuration Links 6 5 Creating Online Certificate Status Manager Agents and Administrators When the subsystem is configured there is a default user created with both administrator and agent privileges This user can perform both adminis...

Page 184: ...ted b Copy the base 64 encoded certificate to a local file or to the clipboard c Select the new user entry and click Certificates d Click Import and paste in the base 64 encoded certificate For more information on editing user entries and managing user certificates see Section 17 4 Modifying Certificate System User Entries 6 6 Configuring the Certificate Manager s Internal OCSP Service Every CA s ...

Page 185: ...utomatically and its signing certificate is automatically added and trusted in the Online Certificate Status Manager s certificate database However if a non security domain CA is selected then the OCSP service must be manually configured after the Online Certificate Status Manager is configured NOTE Not every CA within the security domain to which the OCSP Manager belongs is automatically trusted ...

Page 186: ...rifies the signature against the stored certificate NOTE If a CA within the security domain is selected when the Online Certificate Status Manager is configured there is no extra step required to configure the Online Certificate Status Manager to recognize the CA the CA signing certificate is automatically added and trusted in the Online Certificate Status Manager s certificate database However if...

Page 187: ...tamps of the CA s last communication with the Online Certificate Status Manager The Requests Served Since Startup field should still show a value of zero 0 since no client has tried to query the OCSP service for certificate revocation status 6 8 2 Configure the Revocation Info Stores The Online Certificate Status Manager stores each Certificate Manager s CRL in its internal database and uses it as...

Page 188: ...rtificate binary as it is It is the attribute to which the Certificate Manager publishes its CA signing certificate crlAttr Leave the default value certificateRevocationList binary as it is It is the attribute to which the Certificate Manager publishes CRLs notFoundAsGood Sets the OCSP service to return an OCSP response of GOOD if the certificate in question cannot be found in any of the CRLs If t...

Page 189: ...the CRL to the Online Certificate Status Manager The browser sent an OCSP response to the Online Certificate Status Manager The Online Certificate Status Manager sent an OCSP response to the browser The browser used that response to validate the certificate and returned its status that the certificate could not be verified 6 10 Submitting OCSP Requests Using the GET Method OCSP requests which are ...

Page 190: ... pmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE no check certificate 16 34 34 https server example com 11443 ocsp ee ocsp MEIwQDA MDwwOjAJBgUrDgMCGgUABBT4cyABky iCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE MEIwQDA MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE Resolving server example com 192 168 123 224 Connecting to server example com 192 168 123 224...

Page 191: ...es NOTE Setting the redirect is only required to manage certificates issued by a 7 1 CA with the Authority Information Access extension If the certificates are issued by a later version Certificate Manager or do not contain the Authority Information Access extension then this configuration is not necessary 1 Stop the OCSP Responder For example etc init d rhpki ocsp stop 2 Open the OCSP s web appli...

Page 192: ...l the web xml file in the ROOT directory For example xml version 1 0 encoding ISO 8859 1 web app display name Welcome to Tomcat display name description Welcome to Tomcat description servlet servlet name ocspProxy servlet name servlet class com netscape cms servlet base ProxyServlet servlet class init param param name destContext param name param value ocsp2 param value init param init param param...

Page 193: ...am param name appendPathInfoOnNoMatch param name param value ocsp param value init param servlet servlet mapping servlet name ocspProxy servlet name url pattern ocsp url pattern servlet mapping servlet mapping servlet name ocspOther servlet name url pattern ocsp url pattern servlet mapping web app 12 Edit the var lib rhpki ocsp conf context xml changing the following line Context to Context crossC...

Page 194: ...172 ...

Page 195: ...e PKI configuration must include the following elements Clients that can generate dual keys and that support the key archival option using the CRMF CMMF protocol An installed and configured DRM HTML forms with which end entities can request dual certificates based on dual keys and key recovery agents can request key recovery Only keys that are used exclusively for encrypting data should be archive...

Page 196: ...Server Certificate Every Certificate System DRM has at least one SSL server certificate The first SSL server certificate is generated when the DRM is configured The default nickname for the certificate is Server Cert cert instance_id where instance_id identifies the DRM instance is installed The DRM s SSL server certificate was issued by the CA to which the certificate request was submitted which ...

Page 197: ...emains wrapped with the DRM s storage key It can be decrypted or unwrapped only by using the corresponding private key pair of the storage certificate A combination of one or more key recovery or DRM agents certificates authorizes the DRM to complete the key recovery to retrieve its private storage key and use it to decrypt recover an archived private key For details on how this process works see ...

Page 198: ...e embedded in the enrollment form 2 After approving the certificate request and issuing the certificate the Certificate Manager sends it to the DRM for storage along with the public key The Certificate Manager waits for verification from the DRM that the private key has been received and stored and that it corresponds to the public encryption key 3 The DRM decrypts it with the private key After co...

Page 199: ...nfigured by the administrator See Section 7 5 2 Key Recovery Agent Scheme However the specified number of key recovery agents must all present their certificates to authorize the recovery of the specific private key 7 5 1 1 Interface for the Key Recovery Process With the key recovery form provided in the DRM agent services page key recovery agents can collectively authorize and retrieve private en...

Page 200: ...riate delivery mechanism 7 5 2 Key Recovery Agent Scheme The key recovery agent scheme configures the DRM to recognize to which group the key recovery agents belong and specifies how many of these agents are required to authorize a key recovery request before the archived key is restored These parameters set in the CS cfg configuration file determine which group of users and how many users recover...

Page 201: ...C6yVvaY719hr9EGYuv0Sw6jb3WnEKHpjbUO vhFwTufJHWKXFN3V4pMbHTkqW x5fu 3QyyUre 5IhG0fcEmfvYxIyvZUJx aQBW437ATD99Kuh I FuYdW SqYHznHY8BqOdJwJ1JiJMNceXYAuAdk 9t70RztfAhBmkK0OOP0vH5BZ7RCwE3Y 6ycUdSyPZGGc76a0HrKOz lwVFulFStiuZIaG1pv0NNivzcj0hEYq6AfJ3hgxcC1h87LmCxgRWUCAwEAAaN5MHcwHwYDVR0jBBgwFoAURShCYtSg Oh4rrgmLFB Fg7X3qcwRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vY2x5ZGUucmR1LnJlZGhhdC5jb206OTE4MC9j...

Page 202: ...en successfully archived close the browser window 6 Verify the key Send a signed and encrypted email When the email is received open it and check the message to see if it is signed and encrypted There should be a security icon at the top right corner of the message window that indicates that the message is signed and encrypted 7 Delete the certificate Check the encrypted email again the mail clien...

Page 203: ...e subsystem is configured there is a default user created with both administrator and agent privileges This user can perform both administrator and agent operations and access the Console and the agent services page To create an additional administrator agent or auditor create a user in the Certificate System instance where the user will have privileges and assign the user to the appropriate group...

Page 204: ...certificate a Request and approve an SSL client certificate for the user if one has not already been generated b Copy the base 64 encoded certificate to a local file or to the clipboard c Select the new user entry and click Certificates d Click Import and paste in the base 64 encoded certificate For more information on editing user entries and managing user certificates see Section 17 4 Modifying ...

Page 205: ...th a DRM instance which will perform server side key generation and key archival and recovery for the keys and certificates stored on the smart cards After the TPS is configured Section 2 6 3 Configuring a TPS it is operational It is possible to further customize the TPS for specific deployments This chapter explains how to customize the TPS instance NOTE Unlike the other subsystems the TPS does n...

Page 206: ... means that the values of the other configuration parameters are the same between the instances The CA configuration parameters are listed in Table 8 2 CA Connection Settings The TKS configuration parameters are listed in Table 8 3 TKS Connection Settings The DRM configuration parameters are listed in Table 8 4 DRM Connection Settings 8 1 2 Configuring Multiple Instances for Different Functions Al...

Page 207: ...en userKey but also the type of certificate encryption It would be possible in this case to use different CAs for signing and encryption certificate enrollments The DRM parameters also specify the types of keys being generated and archived op enroll userKey keyGen encryption serverKeygen drm conn drm1 op enroll tokenKey keyGen encryption serverKeygen drm conn drm2 The format operation parameters a...

Page 208: ...en automatically by setting the appropriate parameters in the CS cfg file The TPS can also be configured with other options such as requiring LDAP authentication and setting which subsystem instances will process the formatting operations The parameters are listed in Table 8 10 Format Operation Preferences 8 3 Resetting the Smart Card PIN The PIN is the password which protects the certificates and...

Page 209: ...the actual name of the file as well as the update applet requiredVersion parameter The TPS queries the applet version on the smart card before trying to execute any operations If the update feature is enabled and the applet version from the client is different from the one specified by the update applet requiredVersion parameter the TPS updates the applet automatically NOTE The TPS audit log shows...

Page 210: ... parameters to add to the default virtual host configuration ScriptAlias and DocumentRoot Additionally the NSSVerifyClient parameter is reset to none and the port numbers should be reset to the TPS secure port For example Listen 0 0 0 0 7890 VirtualHost _default_ 7890 ScriptAlias cgi bin var lib rhpki tps cgi bin DocumentRoot var lib rhpki tps docroot ErrorLog var lib rhpki tps logs error1_log Tra...

Page 211: ...port information For example https server example com 7890 cgi bin home index cgi 8 5 2 Configuring Server Side Key Generation and Archival of Encryption Keys The global platform environment prevents removing private keys from the smart card For encryption keys it is often necessary to back up the key material for later recovery which means the keys should be generated outside the smart card and t...

Page 212: ...y delivers the session key in two different forms to the TPS The session key wrapped with server transport key which the DRM uses to wrap the generated private key for token The session key wrapped with token s KEK which the token uses to unwrap the private key generated on DRM The TPS then forwards the session key to the DRM wrapped with the KEK and the server transport key along with the server ...

Page 213: ...e following parameters to enable server side key generation and to archive keys op enroll userKey keyGen encryption serverKeygen enable true op enroll userKey keyGen encryption serverKeygen drm conn drm1 op enroll userKey keyGen encryption serverKeygen archive true op enroll userKey keyGen encryption serverKeygen encryptPrivKey true 4 Restart the TPS subsystem etc init d instance_ID restart 8 5 3 ...

Page 214: ...ive token The token status in the database must be changed to lost This action is performed through the TPS agent services page The TPS agent after affirmatively identifying the user can search for the user s ID in the Search tokens link The TPS agent select the active token and update the status with the appropriate reason to recover the key This token has been physically damaged Used if the toke...

Page 215: ... op enroll userKey keyGen signing recovery onHold revokeCert reason 6 op enroll userKey keyGen signing recovery onHold scheme GenerateNewKey op enroll soKey keyGen encryption recovery onHold revokeCert true op enroll soKey keyGen encryption recovery onHold revokeCert reason 6 op enroll soKey keyGen encryption recovery onHold scheme GenerateNewKey Set revokeCert true to revoke certificates if a tok...

Page 216: ...he company then the administrator can disassociate the user from the token The TPS agent can change the status to This token has been terminated which terminates the certificates and keys on the token and breaks the association between the token and the user The physical token can still be formated and reused afterward but this change of status will mark a record of the termination event 8 5 5 Con...

Page 217: ...s for the token_name and nickname follow the parameters outlined in Table 8 13 TKS Configuration Parameters for Key Update Mapping master keys in the TKS configuration is described in more detail in Section 9 3 Configuring the TKS to Associate the Master Key with Its Version 5 Start the TKS instance etc init d rhpki tks start 6 Stop the TPS instance to edit its configuration etc init d rhpki tps s...

Page 218: ...r parameter contains more than one mapping ID then each mapping ID is processed in sequential order until a target is determined or an error is returned If the mapping order parameter is missing then the code returns an error Each mapping ID references a series of parameters called filters Each filter may contain a specific value for the request to be tested against Empty or missing filters act as...

Page 219: ...mmetricKeys requiredVersion 1 op format qaKey revokeCert true op format qaKey ca conn ca1 op format qaKey loginRequest enable true op format qaKey tks conn tks1 op format qaKey auth id ldap qa op format qaKey auth enable true LDAP Connection settings for devKey auth instance 0 type LDAP_Authentication auth instance 0 libraryName usr lib libldapauth so auth instance 0 libraryFactory GetAuthenticati...

Page 220: ...hen the token is selected in the Enterprise Security Client the Enterprise Security Client sends in the applet version CUID ATR and other information about the token to the TPS server TPS server checks the op format mapping section in the CS cfg file and figures out which tokenType to use for the token either devKey or qaKey It then uses the appropriate op format section to perform LDAP authentica...

Page 221: ...10 is most verbose For example 2005 04 29 13 47 08 b65b9828 Upgradeop applet_upgrade app_ver 1 2 416DA155 new_app_ver 1 3 42659461 2005 04 29 13 47 08 b65b9828 Formatstatus success app_ver 1 3 42659461 key_ver 0 cuid 40900062FF02000065C5 msn FFFFFFFF uid time 45389 msec 2005 04 29 15 56 06 b65b9828 Enrollmentstatus success app_ver 1 3 42659461 key_ver 0101 cuid 40900062FF020000649D msn FFFFFFFF ui...

Page 222: ...All logging logging audit enable Enables audit logging The valid values are true false logging audit filename The full path to the audit log file name For example tmp tps audit log logging audit level The audit log level The levels range from 0 to 10 0 No logging 4 LL_PER_SERVER Messages that happen only during startup or shutdown 6 LL_PER_CONNECTION Messages that happen per connection 8 LL_PER_PD...

Page 223: ...ostport The Certificate Authority hostname and port number The format is hostname port This should be the CA s end entity SSL port conn can clientNickname The client certificate nickname This certificate is used by the TPS when connecting to the CA This client certificate should be trusted by the CA and the client should be a configured CA agent conn can servlet enrollment The servlet that perform...

Page 224: ...he connection to the TKS This value must be true conn tksn keepAlive Sets whether to keep the connection to the TKS alive or terminate it after every operation The valid values are true false conn tksn serverKeygen Sets where key generation happens When set to true key generation happens on the server When set to false key generation happens on the client or token conn tks1 servlet computeSessionK...

Page 225: ... attributes The LDAP attributes of the user entry to be retrieved if attributes are present such as auth instance 0 attributes mail cn uid Once retrieved these attributes can be used in other parameter entries as auth attr name For example op enroll userKey keyGen tokenName userid auth cn auth instance n type The authentication type to use This must be LDAP_Authentication auth instance n libraryNa...

Page 226: ...ation Parameter Description channel encryption Sets whether the data being transmitted between the TPS and the token is to be encrypted The valid values are true false Table 8 6 Encrypted Channels Between the TPS and Tokens Operation can be enroll PIN reset or format n is an integer Parameter Description op Operation mapping order The order of the mappings The format is n n n For example 0 1 2 The...

Page 227: ...nType to select for this mapping For example userKey Table 8 7 Mapping and Filters Parameter Description op enroll tokenType temporaryToken tokenType The tokenType to use for temporary tokens tokenType typically refers to the profile defining how many certificates should be generated how keys should be recovered and what format should be used op enroll tokenType keyGen recovery destroyed keyType n...

Page 228: ...promised 2 CA key compromised 3 Affiliation changed 4 Certificate superseded 5 Cessation of operation 6 Certificate is on hold op enroll tokenType keyGen recovery keyCompromise keyType num The number of key types for recovery for the tokens whose keys are compromised op enroll tokenType keyGen recovery keyCompromise keyType value n Specifies keyType The default values are signing encryption op enr...

Page 229: ...mised 2 CA key compromised 3 Affiliation changed 4 Certificate superseded 5 Cessation of operation 6 Certificate is on hold op enroll tokenType keyGen recovery onHold keyType num The number of key types for the tokens to put on hold for temporary loss reasons The valid values are integers The default is 2 op enroll tokenType keyGen recovery onHold keyType value n Specifies keyType The default valu...

Page 230: ...The default value is 0 The valid values are as follows 0 Unspecified 1 Key compromised 2 CA key compromised 3 Affiliation changed 4 Certificate superseded 5 Cessation of operation 6 Certificate is on hold op enroll tokenType keyGen tokenName The name of the token to use The TPS can substitute some special strings For example if using cuid the tokenName is substituted with the CUID of the token if ...

Page 231: ...ype keyGen signing private keyCapabilities signRecover op enroll tokenType keyGen signing private keyCapabilities decrypt op enroll tokenType keyGen signing private keyCapabilities derive op enroll tokenType keyGen signing private keyCapabilities unwrap op enroll tokenType keyGen signing private keyCapabilities wrap op enroll tokenType keyGen signing private keyCapabilities verifyRecover op enroll...

Page 232: ...ap op enroll tokenType keyGen encryption public keyCapabilities verifyRecover op enroll tokenType keyGen encryption public keyCapabilities verify op enroll tokenType keyGen encryption public keyCapabilities sensitive op enroll tokenType keyGen encryption public keyCapabilities private op enroll tokenType keyGen encryption public keyCapabilities token op enroll tokenType keyGen encryption private k...

Page 233: ...fies if applet upgrade is turned on The valid values are true false op enroll tokenType update applet requiredVersion The version of the applet to use It should be the filename of the applet without the ijc extension op enroll tokenType update applet directory The local filesystem directory where the applets are located op enroll tokenType update symmetricKeys enable Specifies if the key changeove...

Page 234: ...checks to see the key version sent by the token matches symmetricKeys requiredVersion op pinReset tokenType update symmetricKeys requiredVersion The required key version op pinReset tokenType loginRequest enable Specifies if the login request should be sent to the token This parameter enables authentication The valid values are true false op pinReset tokenType pinReset pin minLen The minimum numbe...

Page 235: ...be sent to the token This parameter enables authentication The valid values are true false op format tokenType tks conn The TKS connection to use op format tokenType auth id The LDAP authentication instance to use The default value is ldap1 op format tokenType auth enable Specifies whether to authenticate the user information The valid values are true false op format tokenType issuerinfo enable Sp...

Page 236: ...n based activities should be recorded by the TPS The default value is ou Activities baseDN tokendb certBaseDN The LDAP suffix where the certificate entries should be added by the TPS The default value is ou certificates baseDN Change these templates only to change the appearance of the TPS agent page tokendb indexTemplate tokendb indexAdminTemplate tokendb newTemplate tokendb showTemplate tokendb ...

Page 237: ...These are listed in Table 8 12 TKS Configuration Parameters for Key Generation and Table 8 13 TKS Configuration Parameters for Key Update Parameter Description tks drm_transport_cert_nickname DRM Transport nickname The DRM transport certificate nickname This needs to be set to enable server side key generation Table 8 12 TKS Configuration Parameters for Key Generation Parameter Description tks mk_...

Page 238: ...216 ...

Page 239: ...TKS provides the security between tokens and the TPS since the security relies on the relationship between the master key and the token keys The functions provided by the TKS include the following Helps establish a secure channel signed and encrypted between the token and TPS Provides proof of presence for the security token during enrollment Supports key changeover when the master key changes on ...

Page 240: ...1B9 master key KCV CED9 4A7B computed KCV of the master key residing inside the wrapped data 6 Use the transport key to unwrap a master key called new_master stored in a file called file tksTool U d n new_master t transport i file Enter Password or Pin for NSS Certificate DB Retrieving the transport key from the specified token for unwrapping Reading in the wrapped data and resident master key KCV...

Page 241: ...efault developer key set where all keys are set to 404142434445464748494a4b4c4d4e4f TKS has this key built in and it is referred to with the master key set 01 TKS uses key set 01 by default 9 4 Using HSM for Generating Keys By default the TKS is configured to use the internal software token to generate and store its master keys but some deployments may require using a hardware security module HSM ...

Page 242: ... specified in the mk_mappings parameter of TKS s CS cfg op enroll userKey update symmetricKeys enable true op enroll userKey update symmetricKeys requiredVersion 2 6 Restart the TPS instance etc init d rhpki tps restart 9 5 Creating Token Key Service Agents and Administrators When the subsystem is configured there is a default user created with both administrator and agent privileges This user can...

Page 243: ...the user s certificate a Request and approve an SSL client certificate for the user if one has not already been generated b Copy the base 64 encoded certificate to a local file or to the clipboard c Select the new user entry and click Certificates d Click Import and paste in the base 64 encoded certificate For more information on editing user entries and managing user certificates see Section 17 4...

Page 244: ...222 ...

Page 245: ...rprise Security Client is the method for the tokens to be enrolled Enterprise Security Client communicates over an SSL HTTP channel to the backend of the TPS It is based on an extensible Mozilla XULRunner framework for the user interface while retaining a legacy web browser container for a simple HTML based UI After a token is properly enrolled web browsers can be configured to recognize the token...

Page 246: ...224 ...

Page 247: ...pes of certificates for different uses and in different formats Planning which certificates are required and planning how to manage them are important to manage both the PKI and the Certificate System instances Section 11 1 1 Types of Certificates Section 11 1 2 Determining Which Certificates to Install Section 11 1 3 Certificate Data Formats Section 11 1 4 Certificate Setup Wizard 11 1 1 Types of...

Page 248: ...icate Manager has a CA signing certificate with a public private key pair it uses to sign the certificates and CRLs it issues This certificate is created and installed when the Certificate Manager is installed The Certificate Manager s status as a root or subordinate CA is determined by whether its CA signing certificate is self signed or is signed by another CA Self signed root CAs set the polici...

Page 249: ... is one of the standard forms listed in the end entities page of the Certificate Manager When generating dual key pairs set the certificate profiles to work correctly when generating separate certificates for signing and encryption 11 1 1 6 Cross Pair Certificates The Certificate System can issue import and publish cross pair CA certificates With cross pair certificates one CA signs and issues a c...

Page 250: ...on occurs if a subordinate CA s CA certificate is replaced by one with a new key pair all certificates issued by that CA are invalidated and will no longer work If the CA is configured to publish to the OCSP and it has a new CA signing certificate or a new CRL signing certificate the CA must be identified again to the OCSP If a new transport certificate is created for the DRM the DRM information m...

Page 251: ...ownloaded at once 11 1 3 2 Text Any of the binary formats can be imported in text form The text form begins with the following line BEGIN CERTIFICATE Following this line is the certificate data which can be in any of the binary formats described This data should be base 64 encoded as described by RFC 1113 The certificate information is followed by this line END CERTIFICATE 11 1 4 Certificate Setup...

Page 252: ...new certificate The Certificate System provides three ways to request a certificate Through the enrollment forms of the Certificate Manager end entity pages Through the subsystems administrative console By using the certutil command line tool There are also three ways that the request is submitted the CA to generate a certificate and to add it to the certificate database Through the enrollment for...

Page 253: ...ertificates client certificates and DRM transport certificates See Section 11 2 1 2 Requesting a Subsystem Server or Signing Certificate through the Console certutil All Certificates The certutil utility can be used by administrators or users to generate any certificate 11 2 1 1 Requesting a User or Agent Certificate through the End Entities Page End entities can use the HTML enrollment forms on t...

Page 254: ...com 9443 ca ee ca 2 Select the user certificate enrollment form from the list of certificate profiles 3 Fill in the user information Figure 11 1 User Certificate Request Form 4 Click Submit 5 The key pairs for the user certificate are generated and the certificate request is sent to the agent queue Alternatively if automatic enrollment is configured the certificate is approved or rejected by the s...

Page 255: ... the client request from the computer that will be used later to access the subsystem because part of the request process generates a private key on the local machine If location independence is required the user can also use a hardware token such as a smart card to store the key pair and the certificate To create a certificate request using the subsystem administrative console do the following 1 ...

Page 256: ... OCSP signing SSL server certificates Other certificate For a DRM Transport certificate OCSP signing SSL server certificates Other certificate For an OCSP or TKS OCSP signing SSL server certificates Other certificate NOTE If selecting to create an other certificate the Certificate Type field becomes active Fill in the type of certificate to create either caCrlSigning for the CRL signing certificat...

Page 257: ...ficate Manager after selecting the type of certificate select which type of CA will sign the request For a CA signing certificate the options are to use a root CA or a subordinate CA For all other certificates the options are to use the local CA signing certificate or to create a request to submit to another CA ...

Page 258: ...curity database directory internal or one of the listed external tokens Generate a new key pair Set the key algorithm and size The key algorithm must be RSA The recommended length for an RSA key is 2048 bits or higher to be crytpographically strong 9 Select the message digest algorithm the choices are MC2 MD5 SHA1 SHA256 and SHA512 ...

Page 259: ...Requesting Certificates 237 Figure 11 5 Setting the Hashing Algorithm 10 Give the subject name Either enter values for individual DN attributes to build the subject DN or enter the full string ...

Page 260: ... of the Certificate System in the format machine_name domain domain 11 Only when requesting a certificate through the Certificate Manager Console and submitting the request to the Certificate Manager automatically Specify the start and end dates of the validity period for the certificate and the time at which the validity period will start and end on those dates ...

Page 261: ...equesting a certificate through the Certificate Manager Console submitting the request to the Certificate Manager automatically Set the standard extensions for the certificate The required extensions are chosen by default To change the default choices read the guidelines explained in Appendix A Certificate and CRL Extensions ...

Page 262: ...ying them as either a subordinate SSL CA which allows them to issue certificates for SSL or a subordinate email CA which allows them to issue certificates for secure email Disabling certificate extensions means that CA hierarchies cannot be set up Basic Constraints The associated fields are CA setting and a numeric setting for the certification path length Extended Key Usage Authority Key Identifi...

Page 263: ...59 See http www ietf org rfc rfc2459 txt for a description of the Key Usage extension Base 64 SEQUENCE of extensions This is for custom extensions Paste the extension in MIME 64 DER encoded format into the text field To add multiple extensions use the ExtJoiner program For information on using the tools see the Certificate System Command Line Tools Guide 13 The wizard generates the key pairs and d...

Page 264: ...quest The request is in base 64 encoded PKCS 10 format and is bounded by the marker lines BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST For example BEGIN NEW CERTIFICATE REQUEST MIICJzCCAZCgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBC6SAwHgYDVQQKExdOZXRzY2FwZSBDb21tdW5pY2 ...

Page 265: ...icates such as Certificate Manager CRL signing certificate or SSL client certificate Table 11 2 Files Created for Certificate Signing Requests Do not modify the certificate request before sending it to the CA The request can either be submitted automatically through the wizard or copied to the clipboard and manually submitted to the CA through its end entities page NOTE The wizard s auto submissio...

Page 266: ... o The output file to which to save the certificate request v The validity period in months d Certificate database directory this is the directory for the subsystem instance numbers 1 8 These set the available certificate extensions Only eight can be specified through the certutil tool Key Usage 1 Basic Constraints 2 Certificate Authority Key ID 3 CRL Distribution Point 4 Netscape Certificate Type...

Page 267: ... The Certificate Manager end entities services page has a list of different enrollment forms for submitting certificate requests depending on the subsystem and purpose of the certificate Certificates created through the Console or through the certutil command line utility can be submitted through an enrollment form Through a third party CA Outside CAs such as VeriSign have online or other types of...

Page 268: ...m CA EE port number The end entity port number Yes it s the SSL secure server port Indicates that the end entity port number specified is the SSL port The certificate wizard returns a request ID for the request which can be used in the end entities page later and the request is queued for agent approval When the request is approved the CA signs the ...

Page 269: ...he Certificate Manager https ca example com 9443 ca ee ca 3 In Certificate Profiles of the Enrollment tab click on the appropriate form to submit the request Some of the common forms are as follows For user certificates including agent certificates Manual User Dual Use Certificate Enrollment Manual User Signing Encryption Certificates Enrollment For server certificates Manual Server Certificate En...

Page 270: ...FICATE REQUEST marker lines Requester Name This is the common name of the person requesting the certificate Requester Email This is the email address of the requester The agent or CA system will use this address to contact the requester when the certificate is issued For example jdoe someCompany com Requester Phone This is the contact phone number of the requester The submitted request is queued f...

Page 271: ...t including the marker lines BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST to a text file or the clipboard 2 Open the external CA s home page in a web browser submit the certificate request in the appropriate form for the certificate type 3 When the CA responds save the information in a text file 4 When the certificate is retrieved from the CA install it following the instructions ...

Page 272: ...uest was submitted and click Submit 4 The next page shows the status of the certificate request If the status is complete then there is a link to the certificate Click the Issued certificate link Figure 11 13 New Certificate Link 5 The new certificate information is shown in pretty print format in base 64 encoded format and in PKCS 7 format ...

Page 273: ...ed certificate including the BEGIN CERTIFICATE and END CERTIFICATE marker lines to a text file Save the text file and use it to store a copy of the certificate in a subsystem s internal database See Section 17 2 Creating Users 11 3 Managing User Certificates User certificates have to be imported into the appropriate applications for users and agents to be able to perform certain operations For sub...

Page 274: ... click Certificates A list of certificates installed for that user is shown Add users certificates by doing the following 1 Log into the subsystem console pkiconsole https hostname SSLport subsystem 2 In the Configuration tab select Users and Groups 3 In the Users tab select a user and click Certificates 4 In the Manage User Certificates dialog click Import 5 In the text area of the Import Certifi...

Page 275: ...tificate chain is imported the first certificate in the chain must be the CA certificate Any subsequent certificates in the chain are added to the local database as untrusted CA certificates application x x509 email cert The certificate being downloaded is a user certificate belonging to another user for use with S MIME If a certificate chain is imported the first certificate in the chain must be ...

Page 276: ...ormation on adding certificates to the database see Section 11 4 1 Installing Certificates in the Certificate System Database NOTE The Certificate System command line utility certutil can be used to manage the certificate database by editing trust settings and adding and deleting certificates For details about this tool see http www mozilla org projects security pki nss tools Administrators should...

Page 277: ...icate database as untrusted CA certificates The subsystem console uses the same wizard to install certificates and certificate chains To install certificates in the local security database do the following 1 Open the Console pkiconsole https hostname SSLport ca 2 In the Configuration tab select System Keys and Certificates from the left navigation tree 3 There are two tabs where certificates can b...

Page 278: ...rd installs the certificate 6 Any CA that signed the certificate must be trusted by the subsystem Make sure that this CA s certificate exists in the subsystem s certificate database internal or external and that it is trusted If the CA certificate is not listed add the certificate to the certificate database as a trusted CA If the CA s certificate is listed but untrusted change the trust setting t...

Page 279: ...ration interface Subsequent certificates are all treated the same If the certificates contain the SSL CA bit in the Netscape Certificate Type certificate extension and do not already exist in the local certificate database they are added as untrusted CAs They can be used for certificate chain validation as long as there is a trusted CA somewhere in the chain 11 4 1 4 Importing Cross Pair Certifica...

Page 280: ... the user entries in the LDAP internal database To view user certificates see Section 11 3 1 Managing Certificate System User and Agent Certificates 11 4 2 1 Viewing Database Content through the Console To view the contents of the database through the administrative console do the following 1 Open the Certificate System Console pkiconsole https hostname SSLport subsystemType 2 In the Configuration...

Page 281: ...he database this is internal To view more detailed information about the certificate select the certificate and click View This opens a window which shows the serial number validity period subject name issuer name and certificate fingerprint of the certificate 11 4 2 2 Viewing Database Content Using certutil To view the certificates in the subsystem database using certutil open the instance s cert...

Page 282: ...in doubt leave the certificates in the database as untrusted CA certificates see Section 11 4 4 Changing the Trust Settings of a CA Certificate Section 11 4 3 1 Deleting Certificates through the Console Section 11 4 3 2 Deleting Certificates Using certutil 11 4 3 1 Deleting Certificates through the Console To delete a certificate through the Console do the following 1 Open the Certificate System C...

Page 283: ...ceived during an SSL enabled communication It can be necessary to change the trust settings on a CA stored in the certificate database temporarily or permanently For example if there is a problem with access or compromised certificates marking the CA certificate as untrusted prevents entities with certificates signed by that CA from authenticating to the Certificate System When the problem is reso...

Page 284: ...te by running the certutil with the M option certutil M n cert_nickname t trust d For example certutil M n Certificate Authority Example Domain t TCu TCu TCu d 4 List the certificates again to confirm that the certificate trust was changed certutil L d Certificate Authority Example Domain CTu CTu CTu subsystemCert cert subsystem u u u Server Cert cert example u u u For information about using the ...

Page 285: ...erences 263 The version of SSL used during SSL communication The latest version is SSL version 3 but many older clients use SSL version 2 Because client authentication is required for performing privileged operations enable SSL version 3 ciphers ...

Page 286: ...264 ...

Page 287: ...ase is named key3 db These files are located in the instanceID alias directory 12 1 2 External Tokens An external token refers to an external hardware device such as a smart card or hardware security module HSM that the Certificate System uses to generate and store its key pairs and certificates The Certificate System supports any hardware tokens that are compliant with PKCS 11 PKCS 11 is a standa...

Page 288: ...ted show a status of Found and is individually marked as either Logged in or Not logged in If a token is found but not logged in it is possible to log in using the Login under Operations If the administrator can log into a token successfully the password is stored in a configuration file At the next start or restart of the Certificate System instance the passwords in the password store are used to...

Page 289: ...w the vendor s instructions When installing a hardware token there is an opportunity to name it Use a name that will help identify the token later 2 Install the PKCS 11 module The PKCS 11 module is installed using the modutil command line utility a Open the alias directory for the subsystem which is being configured with the PKCS 11 module For example cd var lib rhpki ca alias b The required secur...

Page 290: ... certificates for the subsystems is protected encrypted by a password To decrypt the key pairs or to gain access to them enter the token password This password is set when the token is first accessed usually during Certificate System installation It is good security practice to change the password that protects the server s keys and certificates periodically Changing the password minimizes the ris...

Page 291: ...tographic accelerators with external tokens Many of the accelerators provide the following security features Fast SSL connections Speed is important to accommodate a high number of simultaneous enrollment or service requests Hardware protection of private keys These devices behave like smart cards by not allowing private keys to be copied or removed from the hardware token This is important as a p...

Page 292: ...270 ...

Page 293: ...od of four years the request is rejected since the constraints allow a maximum of two years validity period for this type of certificate A set of certificate profiles have been predefined for the most common certificates issued These certificate profiles define defaults and constraints associate the authentication method and define the needed inputs and outputs for the certificate profile The para...

Page 294: ...te request is queued in the agent services interface The agent can change some aspects of the enrollment request validate it cancel it reject it update it or approve it The agent is able to update the request without submitting it or validate that the request adheres to the profile s defaults and constraints This validation procedure is only for verification and does not result in the request bein...

Page 295: ...the values of the parameters set in the defaults or the constraints that control the certificate content Changing the constraints set up by changing the value of the parameters Changing the authentication method Changing the inputs by adding or deleting inputs in the certificate profile which control the fields on the input page Adding or deleting the output Section 13 3 1 Modifying Certificate Pr...

Page 296: ...a new certificate profile click Add In the Select Certificate Profile Plugin Implementation window select the type of certificate for which the profile is being created Figure 13 2 Certificate Profile Plugin Implementation Window 4 Fill in the profile information in the Certificate Profile Instance Editor ...

Page 297: ...s usually set to true Setting this to false allows a signed request to be processed through the Certificate Manager s certificate profile framework rather than through the input page for the certificate profile Certificate Profile Authentication This sets the authentication method An automated authentication is set by providing the instance ID for the authentication instance If this field is blank...

Page 298: ... policies in the Policies tab of the Certificate Profile Rule Editor window The Policies tab lists policies that are already set by default for the profile type a To add a policy click Add Figure 13 4 Certificate Profile Policy Editor b Choose the default from the Default field choose the constraints associated with that policy in the Constraints field and click OK ...

Page 299: ...lts Tab c Fill in the policy set ID When issuing dual key pairs separate policy sets define the policies associated with each certificate Then fill in the certificate profile policy ID a name or identifier for the certificate profile policy d Configure any parameters in the Defaults and Constraints tabs ...

Page 300: ...Constraints defines valid values for the defaults See Section 13 7 Defaults Reference and Section 13 8 Constraints Reference for complete details for each default or constraint To modify an existing policy select a policy and click Edit Then edit the default and constraints for that policy To delete a policy select the policy and click Delete 8 Set inputs in the Inputs tab of the Certificate Profi...

Page 301: ...nsole 279 Figure 13 7 Certificate Profile Inputs b Choose the input from the list and click OK See Section 13 5 Input Reference for complete details of the default inputs c The New Certificate Profile Editor window opens Set the input ID and click OK ...

Page 302: ...delete an input select the input and click Delete 9 Set up outputs in the Outputs tab of the Certificate Profile Rule Editor window Outputs must be set for any certificate profile that uses an automated authentication method no output needs to be set for any certificate profile that uses agent approved authentication The Certificate Output type is set by default for all profiles and is added autom...

Page 303: ...ose the output from the list and click OK c Give a name or identifier for the output and click OK This output will be listed in the output tab You can edit it to provide values to the parameters in this output To delete an output select the output from list and click Delete 10 To modify an existing certificate profile select a certificate profile click Edit View The Certificate Profile Rule Editor...

Page 304: ...directory instance_directory profiles ca such as var lib rhpki ca profiles ca The file is named profile_name cfg All of the parameters for profile rules set or modified through the Console such as defaults inputs outputs and constraints are written to the profile configuration file NOTE Restart the server after editing the profile configuration file for the changes to take effect Section 13 3 2 1 ...

Page 305: ... i1 i2 input input_id class_id Gives the java class name for the input by input ID the name of the input listed in input list For example input i1 class_id certReqInputImpl output list Lists the possible output formats for the profile by name For example output list o1 output output_id class_id Gives the java class name for the output format named in output list For example output o1 class_id cert...

Page 306: ...class_id keyUsageExtConstraintImpl policyset cmcUserCertSet 6 constraint name Key Usage Extension Constraint policyset cmcUserCertSet 6 constraint params keyUsageCritical true policyset cmcUserCertSet 6 constraint params keyUsageCrlSign false policyset cmcUserCertSet 6 constraint params keyUsageDataEncipherment false policyset cmcUserCertSet 6 constraint params keyUsageDecipherOnly false policyset...

Page 307: ...hat particular certificate profile form Inputs are the fields in the end entities page enrollment forms There is a parameter input list which lists the inputs included in that profile Other parameters define the inputs these are identified by the format input ID For example this adds a generic input to a profile input list i1 i2 i3 i4 input i4 class_id genericInputImpl input i4 params gi_display_n...

Page 308: ...rollment ldap minConns auths instance UserDirEnrollment ldap ldapconn host localhost auths instance UserDirEnrollment ldap ldapconn port 389 auths instance UserDirEnrollment ldap ldapconn secureConn false The ldapStringAttributes parameter instructs the authentication plug in to read the value of the mail attribute from the user s LDAP entry and put that value in the certificate request When the v...

Page 309: ...cn attribute of the suer who requested the certificate request auth_token uid This inserts the LDAP user ID uid attribute of the user who requested the certificate request bodyPartId request profileApprovedBy This inserts the name of the Certificate System agent who approved the certificate request auth_token authMgrImplName This inserts the type of authentication plug in which authenticated the u...

Page 310: ...to the CA s end entities directory instance_directory webapps ca ee ca directory 5 Customize the form as desired 6 The form can be accessed by going to https server example com 9443 ca ee ca MyServerEnrollment html 13 4 Certificate Profile Reference A set of certificate profiles have been predefined for the types of certificates that are usually issued by a CA All certificate profiles are installe...

Page 311: ...tificate Request Input The CMC Certificate Request input is used for enrollments using a Certificate Message over CMS CMC certificate request is submitted in the request form The request type is preset to CMC and the only field is the Certificate Request text area in which to paste the request 13 5 3 Dual Key Generation Input The Dual Key Generation input is for enrollments in which dual key pairs...

Page 312: ... form Token Key CUID This field gives the CUID contextually unique user ID for the token device Token Key User Public Key This field gives the path and name of the file containing the token user s public key 13 5 8 nsNcertificateRequest Token User Key Input The Token User Key input is used to enroll keys for the user of a hardware token for agents to use the token later for certificate based authe...

Page 313: ... changed It does not display anything other than the certificate in pretty print format This output needs to be specified for any automated enrollment Once a user successfully authenticates using the automated enrollment method the certificate is automatically generated and this output page is returned to the user In an agent approved enrollment the user can get the certificate once it is issued b...

Page 314: ...should not be used to point directly to the CRL location maintained by a CA the CRL Distribution Points extension Section 13 7 4 CRL Distribution Points Extension Default provides references to CRL locations For general information about this extension see Section A 3 1 authorityInfoAccess The following constraints can be defined with this default Extension Constraint see Section 13 8 3 Extension ...

Page 315: ...entifier extension to the certificate The extension identifies the public key that corresponds to the private key used by a CA to sign certificates This default has no parameters If used this extension is included in the certificate with the public key information This default takes the following constraint No Constraints see Section 13 8 6 No Constraint For general information about this extensio...

Page 316: ...ification process to identify CA certificates and to apply certificate chain path length constraints For general information about this extension see Section A 3 3 basicConstraints The following constraints can be defined with this default Basic Constraints Extension Constraint see Section 13 8 1 Basic Constraints Extension Constraint Extension Constraint see Section 13 8 3 Extension Constraint No...

Page 317: ...n obtain the CRL information to verify the revocation status of the certificate For general information about this extension see Section A 3 5 CRLDistributionPoints The following constraints can be defined with this default Extension Constraint see Section 13 8 3 Extension Constraint No Constraints see Section 13 8 6 No Constraint This default defines up to five locations with parameters for each ...

Page 318: ...Chapter 13 Certificate Profiles 296 Parameter IssuerType_n IssuerName_n ...

Page 319: ...ay be used For example if the key usage extension identifies a signing key the Extended Key Usage extension can narrow the usage of the key for only signing OCSP responses or only Java applets Usage Server authentication Client authentication Code signing Email IPsec end system IPsec tunnel IPsec user Timestamping Table 13 6 PKIX Usage Definitions for the Extended Key Usage Extension Windows 2000 ...

Page 320: ...y Usage Extension Constraint Extension Constraint see Section 13 8 3 Extension Constraint No Constraints see Section 13 8 6 No Constraint Parameter Critical OIDs Table 13 7 Extended Key Usage Extension Default Configuration Parameters 13 7 6 Freshest CRL Extension Default This default attaches the Freshest CRL extension to the certificate The following constraints can be defined with this default ...

Page 321: ...Freshest CRL Extension Default 299 Parameter PointName_n PointIssuerName_n ...

Page 322: ...tive Name extension is used to associate Internet style identities with the certificate issuer The following constraints can be defined with this default Extension Constraint see Section 13 8 3 Extension Constraint No Constraints see Section 13 8 6 No Constraint This default defines five locations with parameters for each location The parameters are marked with an n in the table to show with which...

Page 323: ... certificate should be used such as data signing key encryption or data encryption which restricts the usage of a key pair to predetermined purposes For general information about this extension see Section A 3 8 keyUsage The following constraints can be defined with this default Key Usage Constraint see Section 13 8 5 Key Usage Extension Constraint Extension Constraint see Section 13 8 3 Extension...

Page 324: ...ject alternative names in subsequent certificates in a certificate chain should be located For general information about this extension see Section A 3 9 nameConstraints The following constraints can be defined with this default Extension Constraint see Section 13 8 3 Extension Constraint No Constraints see Section 13 8 6 No Constraint This default defines up to five locations for both the permitt...

Page 325: ...Name Constraints Extension Default 303 Parameter PermittedSubtreesmax_n PermittedSubtreeNameChoice_n PermittedSubtreeNameValue_n ...

Page 326: ...Chapter 13 Certificate Profiles 304 Parameter PermittedSubtreeEnable_n ExcludedSubtreesn min ExcludedSubtreeMax_n ExcludedSubtreeNameChoice_n ...

Page 327: ...Name Constraints Extension Default 305 Parameter ExcludedSubtreeNameValue_n ExcludedSubtreeEnable_n Table 13 11 Name Constraints Extension Default Configuration Parameters ...

Page 328: ...te is used or viewed For general information about this extension see Section A 6 2 netscape comment The following constraints can be defined with this default Extension Constraint see Section 13 8 3 Extension Constraint No Constraints see Section 13 8 6 No Constraint Parameter critical CommentContent Table 13 12 Netscape Comment Extension Configuration Parameters 13 7 12 No Default Extension This...

Page 329: ...alidation in two ways either to prohibit policy mapping or to require that each certificate in a path contain an acceptable policy identifier The default can specify both ReqExplicitPolicy and InhibitPolicyMapping PKIX standard requires that if present in a CA certificate the extension must never consist of a null sequence At least one of the two specified fields must be present For general inform...

Page 330: ...jectDomainPolicy The pairing indicates that the issuing CA considers the issuerDomainPolicy equivalent to the subjectDomainPolicy of the subject CA The issuing CA s users may accept an issuerDomainPolicy for certain applications The policy mapping tells these users which policies associated with the subject CA are equivalent to the policy they accept For general information about this extension se...

Page 331: ...tes fields defined in the automated enrollment modules If authenticated attributes need to be part of this extension use values from the request token For example to enable the Subject Alternative Name extension in the caDirUserCert profile for the mail LDAP attribute for the user to authenticate against to obtain a certificate use the following configuration policyset serverCertSet 9 constraint n...

Page 332: ... contains an attribute the profile reads its value and sets it in the extension The extension added to the certificates contain all the configured attributes Multiple attributes can be set for a single extension Up to five subject alternative names can be set the subjAltNameNumGNs parameter controls how many of the listed attributes are required to be added to the certificate This parameter must b...

Page 333: ... default attaches a Subject Directory Attributes extension to the certificate The Subject Directory Attributes extension conveys any desired directory attribute values for the subject of the certificate The following constraints can be defined with this default Extension Constraint see Section 13 8 3 Extension Constraint No Constraints see Section 13 8 6 No Constraint Parameter Critical Name Patte...

Page 334: ... key information The following constraints can be defined with this default Extension Constraint see Section 13 8 3 Extension Constraint No Constraints see Section 13 8 6 No Constraint 13 7 20 Subject Name Default This default attaches a server side configurable subject name to the certificate request A static subject name is used as the subject name in the certificate The following constraints ca...

Page 335: ...enrolling a certificate The user defined extension is validated against whatever constraint is set so it is possible to restrict the kind of extension through the Extension Constraint or to set rules for the key and other basic constraints such as whether this is a CA certificate NOTE If this extension is set on a profile with a corresponding OID Extension Constraint then any certificate request p...

Page 336: ... User Supplied Extension Default to a profile with the Basic Constraints Extension Constraint The OID specified in the userExtOID parameter is for the Basic Constraints Extension Constraint policyset set1 p5 default params keyUsageNonRepudiation true policyset set1 p6 constraint class_id basicConstraintsExtConstraintImpl policyset set1 p6 constraint name Basic Constraint Extension Constraint polic...

Page 337: ...he certificate is issued The following constraints can be defined with this default Subject Name Constraint see Section 13 8 9 Subject Name Constraint Unique Subject Name Constraint see Section 13 8 10 Unique Subject Name Constraint No Constraints see Section 13 8 6 No Constraint 13 7 26 User Supplied Validity Default This default attaches a user supplied validity to the certificate request If inc...

Page 338: ...le contents of a certificate and the values associated with that content This section lists the predefined constraints with complete definitions of each 13 8 1 Basic Constraints Extension Constraint The Basic Constraints extension constraint checks if the basic constraint in the certificate request satisfies the criteria set in this constraint Parameter Critical IsCA PathLen ...

Page 339: ...xtended Key Usage Extension Constraint Configuration Parameters 13 8 3 Extension Constraint This constraint implements the general extension constraint It checks if the extension is present 13 8 4 Key Constraint This constraint checks the key length Parameter keyType keyMinLength keyMaxLength Table 13 23 Key Constraint Configuration Parameters 13 8 5 Key Usage Extension Constraint The Key Usage ex...

Page 340: ...apter 13 Certificate Profiles 318 Parameter keyEncipherment dataEncipherment keyAgreement keyCertsign cRLSign encipherOnly decipherOnly Table 13 24 Key Usage Extension Constraint Configuration Parameters ...

Page 341: ... in the certificate request satisfies the criteria set in this constraint Parameter signingAlgsAllowed Table 13 25 Signing Algorithms Constraint Configuration Parameters 13 8 9 Subject Name Constraint The Subject Name constraint checks if the subject name in the certificate request satisfies the criteria Parameter Pattern Table 13 26 Subject Name Constraint Configuration Parameters The Subject Nam...

Page 342: ...either ou engineering ou people or ou engineering o Example Corp the pattern is ou engineering ou people ou engineering o Example Corp NOTE For constructing a pattern which uses a special character such as a period escape the character with a back slash For example to search for the string o Example Inc set the pattern to o Example Inc 13 8 10 Unique Subject Name Constraint The Unique Subject Name...

Page 343: ...r marks the corresponding certificate records in its internal database as revoked and if configured to do so removes the revoked certificates from the publishing directory and updates the CRL in the publishing directory 14 1 1 SSL Client Authenticated Revocation When an end user submits a certificate revocation request the first step in the revocation process is for the Certificate Manager to iden...

Page 344: ...certificates do the following Set up an instance of the CMCAuth Authentication plug in module An instance is enabled and configured by default Use the agent certificate to sign revocation requests 14 2 1 1 revoker Utility The CMC revocation utility revoker is used to sign a revocation request with an agent s certificate This utility has the following syntax revoker d instance alias n cert_nickname...

Page 345: ...ick Submit 8 The returned page should confirm that correct certificate was been revoked 14 3 About CRLs Server and client applications that use public key certificates as ID tokens need access to information about the validity of a certificate Because one of the factors that determines the validity of a certificate is its revocation status these applications need to know whether the certificate be...

Page 346: ...ager can revoke any certificate it has issued There are generally accepted reason codes for revoking a certificate that are often included in the CRL such as the following 0 Unspecified no particular reason is given 1 The private key associated with the certificate was compromised 2 The private key associated with the CA that issued the certificate was compromised 3 The owner of the certificate is...

Page 347: ...onPoint extension 14 3 4 Delta CRLs Delta CRLs can be issued for any defined issuing point A delta CRL contains information about any certificates revoked since the last update to the full CRL Delta CRLs for an issuing point are created by enabling the DeltaCRLIndicator extension 14 3 5 How CRLs Work CRLs are generated when issuing points are defined and configured and any CRL extensions are enabl...

Page 348: ...the old CRL in the attribute containing the CRL in the directory entry By default CRLs do not contain information about revoked expired certificates The server can include revoked expired certificates by enabling that option for the issuing point If expired certificates are included information about revoked certificates is not removed from the CRL when the certificate expires If expired certifica...

Page 349: ...ired in the CRL CRL from certificate profiles which determines the revoked certificates to include based on the profiles used to create the certificates originally 3 Configure the CRLs for each issuing point See Section 14 4 2 Configuring CRLs for Each Issuing Point for details 4 Set up the CRL extensions which are configured for the issuing point See Section 14 4 3 Setting CRL Extensions for deta...

Page 350: ...d an issuing point click Add The CRL Issuing Point Editor window opens Figure 14 2 CRL Issuing Point Editor NOTE If some fields do not appear large enough to read the content expand the window by dragging one of the corners Fill in the following fields Enable Enables the issuing point if selected deselect to disable CRL Issuing Point name Gives the name for the issuing point spaces are not allowed...

Page 351: ...icate Manager and then select CRL Issuing Points 3 Select the issuing point name below the Issuing Points entry 4 Configure how and how often the CRLs are updated by supplying information in the Update tab for the issuing point This tab has two sections Update Schema and Update Frequency The Update Schema section has the following options Enable CRL generation This checkbox sets whether CRLs are g...

Page 352: ...lation This option should be selected to test revocation immediately such as testing whether the server publishes the CRL to a flat file Update the CRL at This field sets a daily time when the CRL should be updated To specify multiple times enter a comma separate list of times such as 01 50 04 55 06 55 Update the CRL every This checkbox enables generating and publishing CRLs at the interval set in...

Page 353: ...n about the cache see Section 14 3 5 How CRLs Work Update cache every This field sets how frequently the cache is written to the internal database Set to 0 to have the cache written to the database every time a certificate is revoked Enable cache recovery This checkbox allows the cache to be restored 6 The Format tab sets the formatting and contents of the CRLs that are created There are two secti...

Page 354: ...ch set what types of certificates to include in the CRL Include expired certificates This includes revoked certificates that have expired If this is enabled information about revoked certificates remains in the CRL after the certificate expires If this is not enabled information about revoked certificates is removed when the certificate expires CA certificates only This includes only CA certificat...

Page 355: ...lidityDate and CRLNumber Other extensions are available but are disabled by default These can be enabled and modified For more information about the available CRL extensions see Section A 5 Standard X 509 v3 CRL Extensions To configure CRL extensions do the following 1 Open the CA Console pkiconsole https hostname SSLport ca 2 In the navigation tree select Certificate Manager and then select CRL I...

Page 356: ...s for Each Issuing Point First CRLs are issued according to a time based schedule CRLs can be issued every single time a certificate is revoked at a specific time of day or once every so many minutes However this time based publishing schedule applies to every CRL that is generated There are two kinds of CRLs however The full CRL has a record of every single revoked certificate However the Certifi...

Page 357: ...ll and delta CRL again In other words every third publishing interval has both a full CRL and a delta CRL Interval 1 2 3 4 5 6 7 Full CRL 1 4 7 Delta CRL 1 2 3 4 5 6 7 NOTE For delta CRLs to be published independent of full CRLs the CRL cache must be enabled 14 5 1 Configuring Extended Updated Intervals for CRLs in the Console 1 Open the console pkiconsole https server example com 9443 ca 2 In the...

Page 358: ...sterCRL updateSchema 1 Stop the CA server etc init d rhpki ca stop 2 Open the CA configuration directory cd var lib subsystem_name conf 3 Edit the CS cfg file and add two lines to set the extended updated interval ca crl extendedNextUpdate false ca crl MasterCRL updateSchema 3 The default interval is 1 meaning a full CRL is published every time a CRL is published The updateSchema interval can be s...

Page 359: ...cates and different types of CRLs can be published to different places in a directory For example certificates for users from the West Coast division of a company can be published in one branch of the directory while certificates for users in the East Coast division can be published to another branch in the directory Setting up publishing involves configuring publishers mappers and rules 15 1 1 Ab...

Page 360: ...ate variable of the CRL contained in the file For example the filename for a CRL with This Update Friday January 28 15 36 00 PST 2009 is crl 94 3696899 der 15 1 5 LDAP Publishing In LDAP publishing the server publishes the certificates CRLs and other certificate related objects to a directory using LDAP or LDAPS The branch of the directory to which it publishes is called the publishing directory F...

Page 361: ... rule if CRL is set as the type Every rule that is matched publishes the certificate or CRL according to the method and location specified in that rule A given certificate or CRL can match no rules one rule more than one rule or all rules The publishing system attempts to match every certificate and CRL issued against all rules When a rule is matched the certificate or CRL is published according t...

Page 362: ...For details about setting up publishers see Section 15 3 2 Configuring Publishers for Publishing to OCSP 3 For LDAP publishing there are three steps a Configure the Directory Server to which certificates will be published Refer to Section 15 10 Configuring the Directory for LDAP Publishing b Configure a publisher for each type of object published CA certificates cross pair certificates CRLs and us...

Page 363: ...s Publishers specify the location where a particular object is published There can be a single publisher to publish everything to a single location or multiple publishers for multiple destinations When publishing to a file a publisher sets the directory where the files are published For OCSP publishing a publisher specifies a particular Online Certificate Status Manager to which to publish a CRL F...

Page 364: ... the Select Publisher Plug in Implementation window which lists registered publisher modules Figure 15 2 Select Publisher Plug in Implementation Window 4 Select the FileBasedPublisher module then open the editor window This is the module that enables the Certificate Manager to publish certificates and CRLs to files ...

Page 365: ...ystem instance directory For example export CS certificates 15 3 2 Configuring Publishers for Publishing to OCSP A publisher must be created and configured for each publishing location publishers are not automatically created for publishing to the OCSP responder Create a single publisher to publish everything to s single location or create a publisher for every location to which CRLs will be publi...

Page 366: ...nd then Publishers The Publishers Management tab which lists configured publisher instances opens on the right Figure 15 4 Publishers Management Tab 3 Click Add to open the Select Publisher Plug in Implementation window which lists registered publisher modules Figure 15 5 Select Publisher Plug in Implementation Window 4 Select the OCSPPublisher module then open the editor window ...

Page 367: ...alified domain name such as ocspResponder example com and port number of the Online Certificate Status Manager and the default path ocsp addCRL 15 3 3 Configuring Publishers for LDAP Publishing The Certificate Manager creates configures and enables a set of publishers that are associated with LDAP publishing as shown in Table 15 1 LDAP Publishers Publisher Description LdapCaCertPublisher Used to p...

Page 368: ...e entry or set a search for the directory to find the DN of the entry During installation the Certificate Manager automatically creates a set of mappers defining the most common relationships The default mappers are listed in Table 15 2 Default Mappers Mapper Description LdapUserCertMap Locates the correct attribute of user entries in the directory in order to publish user certificates LdapCrlMap ...

Page 369: ...Configuring Mappers 347 Figure 15 7 Mappers Management Tab 3 In the mapper list select a mapper to modify 4 To edit an existing mapper click Edit View The editor window opens ...

Page 370: ...ndow 5 To create a new mapper instance click Add The Select Mapper Plugin Implementation window opens which lists registered mapper modules Select a module and edit it For complete information about these modules see Section 15 13 2 Mapper Plug in Modules ...

Page 371: ...Configuring Mappers 349 Figure 15 9 Selecting a New Mapper Type 6 Edit the mapper instance and click OK ...

Page 372: ...tificate or CRL can be published to a file to an Online Certificate Status Manager and to an LDAP directory by matching a file based rule an OCSP rule and matching a directory based rule Rules can be set for each object type CA certificates CRLs user certificates and cross pair certificates The rules can be more detailed for different kinds of certificates or different kinds of CRLs The rule first...

Page 373: ...following 1 Log into the Certificate Manager Console pkiconsole https server example com 9443 ca 2 In the Configuration tab select Certificate Manager from the navigation tree on the left Select Publishing and then Rules The Rules Management tab which lists configured rules opens on the right Figure 15 11 Rules Management Tab 3 To edit an existing rule select that rule from the list and click Edit...

Page 374: ...Chapter 15 Publishing 352 Figure 15 12 Using the Rule Editor Window to Edit an Existing Rule 4 To create a rule click Add This opens the Select Rule Plug in Implementation window ...

Page 375: ... for Certificates and CRLs 353 Figure 15 13 Select Rule Plugin Implementation Window Select the Rule module This is the only default module If any custom modules have been been registered they are also available 5 Edit the rule ...

Page 376: ...cate value for the type of certificate or CRL issuing point to which this rule applies The predicate values for CRL issuing points delta CRLs and certificates are listed in Table 15 3 Predicate Expressions enable mapper Mappers are not necessary when publishing to a file they are only needed for LDAP publishing If this rule is associated with a publisher that publishes to an LDAP directory select ...

Page 377: ...h as caServerCert Table 15 3 Predicate Expressions 15 6 Enabling Publishing Publishing can be enabled for only files only LDAP or both Publishing should be enabled after setting up publishers rules and mappers Once enabled the server will attempt to begin publishing If publishing was not configured correctly before being enabled publishing may exhibit undesirable behavior or may fail Enable publis...

Page 378: ...his DN determines whether the Certificate Manager can perform publishing It is possible to create another DN that has limited read write permissions for only those attributes that the publishing system actually needs to write Password The Certificate Manager saves this password in its password conf file For example CA LDAP Publishing password The parameter name which identifies the publishing pass...

Page 379: ...e following 1 Open the CA Console pkiconsole https server example com 9443 ca 2 In the Configuration tab select the Certificate Manager link in the left pane then the Publishing link 3 Click the Rules link under Publishing This opens the Rules Management pane on the right 4 If the rule exists and has been disabled select the enable checkbox If the rule has been deleted then click Add and create a ...

Page 380: ...JpdHkwHhcNOTYxMTA4MDkwNzM0WhcNOTgxMTA4MDkwNzMM0WjBXMQswCQYDVQQGEwJ VUzEsMCoGA1UEChMjTmV0c2NhcGUgQ29tbXVuaWNhdGlvbnMgQ29ycG9yY2F0aW9ucyBDb3Jwb3Jhd GlvbjpMEaMBgGA1UECxMRSXNzdWluZyBBdXRob3JpdHkwHh END CERTIFICATE 7 Convert the base 64 encoded certificate to a readable form using the Pretty Print Certificate tool For more information on this tool refer to the Certificate System Command Line Tools Guid...

Page 381: ...mple bin 2 Use the PrettyPrintCert or PrettyPrintCRL tool to convert the binary file to pretty print format For example PrettyPrintCert example bin example cert Alternatively the dumpasn1 can be used to convert a binary certificate or CRL to pretty print format The dumpasn1 tool can be downloaded at http fedoraproject org extras 4 i386 repodata repoview dumpasn1 0 20050404 1 fc4 html To view the c...

Page 382: ... class to the directory entry for the CA if it can find the CA s directory entry 15 10 1 3 Required Schema for Publishing CRLs The Certificate Manager publishes the updated CRL to the CA s directory object under the certificateRevocationList binary attribute This attribute is an attribute of the certificationAuthority object class The value of the attribute is the DER encoded binary X 509 CRL The ...

Page 383: ...y Server for one of the following methods of communication Publishing with basic authentication Publishing over SSL without client authentication Publishing over SSL with client authentication See the Red Hat Directory Server documentation for instructions on setting up these methods of communication with the server 15 11 Updating Certificates and CRLs in a Directory The Certificate Manager and th...

Page 384: ...e Manager starts updating the directory with the certificate information in its internal database If the changes are substantial updating the directory can take considerable time During this period any changes made through the Certificate Manager including any certificates issued or any certificates revoked may not be included in the update If any certificates are issued or revoked while the direc...

Page 385: ...g in modules can be registered in a Certificate Manager s publishing framework Unwanted mapper or publisher plug in modules can be deleted Before deleting a module delete all the rules that are based on this module 1 Log into the Certificate Manager Console pkiconsole https server example com 9443 ca 2 In the Configuration tab select Certificate Manager from the navigation tree on the left Select ...

Page 386: ...dPublisher plug in module configures a Certificate Manager to publish certificates and CRLs to file This mapper can publish base 64 encoded files DER encoded files or both depending on the checkboxes selected when the publisher is configured The certificate and CRL content can be viewed by converting the files using the PrettyPrintCert and PrettyPrintCRL tools For details on viewing the content in...

Page 387: ...ublish a user certificate to the userCertificate binary attribute of the user s directory entry This module is used to publish any end entity certificate to an LDAP directory Types of end entity certificates include SSL client S MIME SSL server and OCSP responder During installation the Certificate Manager automatically creates an instance of the LdapUserCertPublisher module for publishing end ent...

Page 388: ...ilarly it also removes the certificationAuthority object class when unpublishing if the CA has no other certificates During installation the Certificate Manager automatically creates an instance of the LdapCertificatePairPublisher module named LdapCrossCertPairPublisher for publishing the cross signed certificates to the directory Parameter Description crossCertPairAttr Specifies the LDAP director...

Page 389: ...e certificate to an existing entry or to do both If a CA entry already exists in the publishing directory and the value assigned to the dnPattern parameter of this mapper is changed but the uid and o attributes are the same the mapper fails to create the second CA entry For example if the directory already has a CA entry for uid CA ou Marketing o example com and a mapper is configured to create an...

Page 390: ...ate does not have the cn component in its subject name adjust the CA certificate mapping DN pattern to reflect the DN of the entry in the directory where the CA certificate is to be published For example if the CA certificate subject DN is o Example Corporation and the CA s entry in the directory is cn Certificate Authority o Example Corporation the pattern is cn Certificate Authority o subj o Exa...

Page 391: ...id jdoe o Example Corporation c US when searching the directory for the entry the Certificate Manager only searches for an entry with the DN uid jdoe o Example Corporation c US If no matching entries are found the server returns an error and does not publish the certificate This mapper does not require any values for any parameters because it obtains all values from the certificate 15 13 2 3 LdapS...

Page 392: ...tion Parameters of LdapSubjAttrMap Table 15 12 LdapSubjAttrMap Parameters describes these parameters Parameter Description certSubjNameAttr Specifies the name of the LDAP attribute that contains a certificate subject name as its value The default is certSubjectName but this can be configured to any LDAP attribute searchBase Specifies the base DN for starting the attribute search The permissible va...

Page 393: ...rks for the Sales department at Example Corporation which is located in Mountain View California United States cn Jane Doe ou Sales o Example Corporation l Mountain View st California c US The Certificate Manager can use some or all of these components cn ou o l st and c to build a DN for searching the directory When creating a mapper rule these components can be specified for the server to use to...

Page 394: ...uid component NOTE The e l and st components are not included in the standard set of certificate request forms provided for end entities These components can be added to the forms or the issuing agents can be required to insert these components when editing the subject name in the certificate issuance forms 15 13 2 5 1 Configuration Parameters of LdapDNCompsMap With this configuration a Certificat...

Page 395: ... from the certificate the search is successful and the server optionally performs a verification For example if filterComps is set to use the email and user ID attributes filterComps e uid the server searches the directory for an entry whose values for email and user ID match the information gathered from the certificate The permissible values are valid directory attributes in the certificate DN s...

Page 396: ...sher Specifies the publisher used with the rule See Section 15 13 1 6 LdapCertificatePairPublisher for details on this publisher Table 15 15 LdapXCert Rule Configuration Parameters 15 13 3 3 LdapUserCertRule The LdapUserCertRule is used to publish user certificates to an LDAP directory Parameter Value Description type certs Specifies the type of certificate that will be published predicate Specifi...

Page 397: ...apCrlMap Specifies the mapper used with the rule See Section 15 13 2 1 2 LdapCrlMap for details on the mapper publisher LdapCrlPublisher Specifies the publisher used with the rule See Section 15 13 1 4 LdapCrlPublisher for details on the publisher Table 15 17 LdapCRL Rule Configuration Parameters ...

Page 398: ...376 ...

Page 399: ...More than one authentication method can be configured in a single instance of a subsystem The HTML registration pages contain hidden values specifying the method used With certificate profiles the end entity enrollment pages are dynamically generated for each enabled profile The authentication method associated with this certificate profile is specified in the dynamically generated enrollment page...

Page 400: ... they await agent approval This ensures that all requests that lack authentication credentials are sent to the request queue for agent approval 16 2 1 Configuring Agent Approved Enrollment To configure agent approved enrollment 1 Set up the certificate profiles to use to enroll users such as specifying agent approved enrollment and setting policies for specific certificates in the certificate prof...

Page 401: ...le and configure the instance a Open the CA Console pkiconsole https server example com 9443 ca b In the Configuration tab select Authentication in the navigation tree The right pane shows the Authentication Instance tab which lists the currently configured authentication instances NOTE The UidPwdDirAuth plug in is enabled by default c Click Add The Select Authentication Plug in Implementation win...

Page 402: ...nimum number of connections permitted to the authentication directory The permissible values are 1 to 3 ldap maxConns Specifies the maximum number of connections permitted to the authentication directory The permissible values are 3 to 10 f Click OK The authentication instance is set up and enabled 2 Set the certificate profiles to use to enroll users by setting policies for specific certificates ...

Page 403: ...re the Directory Server s host name Directory Manager s bind password and PIN manager s password d Run the setpin command with its optfile option pointing to the setpin conf file setpin optfile usr lib rhpki native tools setpin conf The tool modifies the schema with a new attribute by default pin and a new object class by default pinPerson creates a pinmanager user and sets the ACI to allow only t...

Page 404: ...ce Editor window Authentication Instance ID Accept the default instance name or enter a new name removePin Sets whether to remove PINs from the authentication directory after end users successfully authenticate Removing PINs from the directory restricts users from enrolling more than once and thus prevents them from getting more than one certificate pinAttr Specifies the authentication directory a...

Page 405: ...to use for SSL client authentication to the authentication directory to remove PINs Make sure that the certificate is valid and has been signed by a CA that is trusted in the authentication directory s certificate database and that the authentication directory s certmap conf file has been configured to map the certificate correctly to a DN in the directory This is needed for PIN removal only ldap ...

Page 406: ...ate is received To set up CMC enrollment 1 Set up the certificate profile to use to enroll users by setting policies for specific certificates in the certificate profile See Chapter 13 Certificate Profiles for information about profile policies 2 If necessary set up the CMCAuth authentication plug in An instance of this plug in module is created and enabled by default It has no configuration param...

Page 407: ...he Server for Multiple Requests in a Full CMC Request CMC supports multiple CRMF or PKCS 10 requests in a single full CMC request If the numRequests parameter in the cfg file is larger than 1 modify the server s certificate profile by doing the following 1 By default the servlet processing a full CMC request uses the caFullCMCUserCert profile This profile only handles a single request 2 To use the...

Page 408: ... ca ee ca b Select the CMC enrollment form from the list of certificate profiles c Paste the content of the output file into the Certificate Request text area of this form d Remove BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST from the pasted content e Fill in the contact information and submit the form 6 The certificate is immediately processed and returned 7 Use the agent page to...

Page 409: ...ern 3 Three enrollment forms are provided for the certificate based enrollment CertBasedDualEnroll html This form enables end users to request dual certificates one for signing another for encryption by submitting preissued certificates as authentication tokens when a user enrolls for a certificate the server verifies the CA that has issued the certificate used for authentication uses the configur...

Page 410: ... of generating dual key pairs doSslAuth This variable specifies whether the server requests SSL client authentication Set the value of this parameter to on and make sure that the port number specified in the authentication instance is an SSL port 4 Before modifying a form look at the default certificate based enrollment forms 16 6 Testing Enrollment For information on testing enrollment through th...

Page 411: ...e https server example com 9443 ca 2 In the Configuration tab click Authentication in the navigation tree 3 In the right pane click the Authentication Plug in Registration tab The tab lists modules that are already registered 4 To delete a registered module select that module and click Delete 5 To register a plug in click Register The Register Authentication Plug in Implementation window appears 6...

Page 412: ...390 ...

Page 413: ...1 How Authorization Works Authorization goes through the following process 1 The users authenticate to the interface using either the Certificate System user ID and password or a certificate 2 The server authenticates the user either by matching the user ID and password with the one stored in the database or by checking the certificate against one stored in the database With certificate based auth...

Page 414: ...hentication method to SSL client authentication See Section 3 2 Enabling SSL Client Authentication for the Certificate System Console for more information 17 1 2 2 Auditors An auditor can view the signed audit logs and is created to audit the operation of the system The auditor cannot administer the server in any way An auditor is created by adding a user to the Auditors group and storing the audi...

Page 415: ...the domain DRMs to push KRA connector information and CAs to approve certificates generated within the CA automatically Enterprise subsystem administrators are given enough privileges to perform operations on the subsystems in the domain Each subsystem has its own security domain role Enterprise CA Administrators Enterprise DRM Administrators Enterprise OCSP Administrators Enterprise TKS Administr...

Page 416: ...ystem which trusts it as a trusted manager using its SSL server certificate for SSL client authentication 17 2 Creating Users To create an administrator agent or auditor create a user in the Certificate System instance where the user will have privileges and assign the user to the appropriate group An agent or auditor must have a certificate stored in the subsystem s internal database If the Conso...

Page 417: ... new user entry and click Certificates d Click Import and paste in the base 64 encoded certificate 17 3 Setting up a Trusted Manager Trusted relationships are set up automatically during subsystem configuration All subsystems within the same security domain are automatically trusted the security domain manager issues each member of the security domain a subsystem certificate which the subsystem us...

Page 418: ...manager entry the subsystem never uses it The subsystem relies solely on the trusted manager s SSL client certificate for authentication Figure 17 2 Creating the Trusted Manager Account The full name must be the fully qualified host name of the Certificate Manager The group must be set to Trusted Managers do that the CA has trusted manager privileges 4 Store the Certificate Manager s SSL client ce...

Page 419: ...nector settings of the Certificate Manager This enables the Certificate Manager to utilize the agent port to communicate with the subsystem 1 Log into the administrative console for the Certificate Manager 2 In the navigation tree select Certificate Manager 3 Select the Connectors tab Figure 17 3 The Connector Tab 4 Select the connector from the list and click Edit 5 Select the Enable checkbox to ...

Page 420: ... System User Entries This section describes how to change a user entry delete the user or change the certificate associated with the user 17 4 1 Changing a Certificate System User s Login Information Change a Certificate System user s login information by doing the following 1 Log into the administrative console ...

Page 421: ...ATE and END CERTIFICATE marker lines 17 4 3 Changing Members in a Group Members can be added or deleted from all groups The group for administrators must have at least one user entry To change a group s members do the following 1 Log into the administrative console 2 Select Users and Groups from the navigation tree on the left 3 Click the Groups tab 4 Select the group from the list of names and cl...

Page 422: ...Create a new group by doing the following 1 Log into the administrative console 2 Select Users and Groups from the navigation menu on the left 3 Select the Groups tab 4 Click Edit and fill in the group information Figure 17 5 Creating a New Group It is only possible to add users who already exist in the internal database 5 Edit the ACLs to grant the group privileges See Section 17 6 5 Editing ACLs...

Page 423: ...eges The privileges of Certificate System users are changed by changing the access control lists ACL that are associated with the group in which the user is a member for the users themselves or for the IP address of the user New groups are assigned access control by adding that group to the access control lists For example a new group for administrators who are only authorized to view logs LogAdmi...

Page 424: ...ul to specify one For example JohnB a member of the Administrators group has just been fired It may be necessary to deny access specifically to JohnB if the user cannot be deleted immediately Another situation is that a user BrianC is an administrator but he should not have the ability to change some resource Since the Administrators group must access this resource BrianC can be specifically denie...

Page 425: ...om j2se 1 4 2 docs api java util regex Pattern html sum 17 6 4 3 3 IP Address Syntax The syntax to include an IP address in the ACL is ipaddress ipaddress The syntax to exclude an ID address from the ACL is ipaddress ipaddress An IP address is specified using its numeric value DNS values are not permitted For example ipaddress 12 33 45 99 ipaddress 23 99 09 88 It is also possible to use regular ex...

Page 426: ...rative console To edit the existing ACLs do the following 1 Log into the administrative console 2 Select Access Control List in the left navigation menu Figure 17 6 Default ACL List 3 Select the ACL to edit from the list and click Edit See Section 17 7 ACL Reference for information about each ACL The ACL opens in the Access Control Editor window ...

Page 427: ... ACLs 405 Figure 17 7 The ACL Editor Window 4 To add an ACI click Add and supply the ACI information To edit an ACI select the ACI from the list in the ACI entries text area of the ACL Editor window Click Edit ...

Page 428: ...both use the Ctrl or Shift buttons c Specify the user group or IP address that will be granted or denied access in the Syntax field See Section 17 6 4 3 Syntax for details on syntax 17 7 ACL Reference This section lists all ACL resources defined for all subsystems describes what each resource controls lists the possible operations describing the outcome of those operations and provides the default...

Page 429: ...try is associated with the CA administration interface and is only available during the configuration of the target of evaluation TOE it is unavailable after the CA is running 17 7 2 1 Operations Operations import 17 7 2 2 Default ACIs allow import user anybody Anyone can import a certificate 17 7 3 certServer admin request enrollment This entry is associated with the CA administration interface a...

Page 430: ...ations Operations read modify 17 7 4 2 Default ACIs allow read group Administrators group Certificate Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents group Auditors allow modify group Administrators Administrators agents and auditors are allowed to read authentication configuration administrators are allowed to modify authentication configuration 17...

Page 431: ...tServer ca certificates Controls revoke or list operations for certificates in the agent services interface 17 7 6 1 Operations Operations revoke list 17 7 6 2 Default ACIs allow revoke list group Certificate Manager Agents Only Certificate Manager agents can revoke or list certificates 17 7 7 certServer ca configuration Controls operations on the general configuration for a Certificate Manager 17...

Page 432: ...and agents are allowed to read CA configuration only administrators are allowed to modify CA configuration 17 7 8 certServer ca connector Controls submit operations for a connection to the CA 17 7 8 1 Operations Operations submit 17 7 8 2 Default ACIs allow submit group Trusted Managers A trusted manager can submit requests to this interface 17 7 9 certServer ca clone Controls submit operations fo...

Page 433: ... read update 17 7 10 2 Default ACIs allow read update group Certificate Manager Agents Certificate Manager agents can read or update CRLs 17 7 11 certServer ca directory Controls update operations to the directory 17 7 11 1 Operations Operations update 17 7 11 2 Default ACIs allow update group Certificate Manager Agents Certificate Manager agents can update the directory 17 7 12 certServer ca grou...

Page 434: ...ead group Certificate Manager Agents Only Certificate Manager agents can read OCSP usage statistics 17 7 14 certServer ca profiles Controls list operations for certificate profiles in the agent services interface 17 7 14 1 Operations Operations list 17 7 14 2 Default ACIs allow list group Certificate Manager Agents Certificate Manager agents can list certificate profiles 17 7 15 certServer ca prof...

Page 435: ...ices interface 17 7 16 1 Operations Operations list 17 7 16 2 Default ACIs allow list group Certificate Manager Agents Only Certificate Manager agents can list requests 17 7 17 certServer ca request enrollment Controls submit read execute assign and unassign operations for enrollment requests 17 7 17 1 Operations Operations submit read execute assign unassign 17 7 17 2 Default ACIs allow submit us...

Page 436: ...e Manager Agents Only Certificate Manager agents can view or modify the approval state of certificate profile based requests 17 7 19 certServer ca systemstatus Controls approve or read operations for viewing statistics 17 7 19 1 Operations Operations read 17 7 19 2 Default ACIs allow read group Certificate Manager Agents Only Certificate Manager agents may view statistics 17 7 20 certServer ee cer...

Page 437: ...e 17 7 21 certServer ee certificates Controls revoke or list operations in the end entities page 17 7 21 1 Operations Operations revoke list 17 7 21 2 Default ACIs allow revoke list user anybody Anyone can revoke and list certificates 17 7 22 certServer ee certchain Controls download or read operations for the CA s certificate chain in the end entities page 17 7 22 1 Operations Operations download...

Page 438: ... 24 certServer ee profile Controls submit and read operations for certificate profiles in the end entities page 17 7 24 1 Operations Operations submit read 17 7 24 2 Default ACIs allow submit read user anybody Anyone can read and submit requests through certificate profiles 17 7 25 certServer ee profiles Controls list operations for certificate profiles in the end entities page 17 7 25 1 Operation...

Page 439: ...ybody Anyone can read the face to face enrollment page 17 7 27 certServer ee request enrollment Controls submit operations for certificate enrollment in the end entities page 17 7 27 1 Operations Operations submit 17 7 27 2 Default ACIs allow submit user anybody Anyone can submit an enrollment request 17 7 28 certServer ee request facetofaceenrollment Controls submitting face to face enrollments 1...

Page 440: ...n submit OCSP requests 17 7 30 certServer ee request revocation Controls submit operations for certificate revocation requests in the end entities page 17 7 30 1 Operations Operations submit 17 7 30 2 Default ACIs allow submit user anybody Anyone can submit a revocation request 17 7 31 certServer ee requestStatus Controls read operations for the request status available from the end entities page ...

Page 441: ... Administrators group Auditors group Certificate Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents allow modify group Administrators Administrators auditors and agents are allowed to read Certificate System general configuration only administrators are allowed to modify Certificate System general configuration 17 7 33 certServer job configuration Cont...

Page 442: ...o read job configuration only administrators are allowed to modify job configuration 17 7 34 certServer kra certificate transport Controls actions to display the key transport certificate 17 7 34 1 Operations Operations read 17 7 34 2 Default ACIs allow read user anybody Anyone can view the key transport certificate 17 7 35 certServer kra configuration Controls operations on the DRM configuration ...

Page 443: ...er kra connector Controls request submissions 17 7 36 1 Operations Operations submit 17 7 36 2 Default ACIs allow submit group Trusted Managers Only trusted managers can submit requests 17 7 37 certServer kra key Controls read recover and download operations for the DRM 17 7 37 1 Operations Operations read recover download 17 7 37 2 Default ACIs allow read recover download group Data Recovery Mana...

Page 444: ...quest 17 7 39 1 Operations Operations read 17 7 39 2 Default ACIs allow read group Data Recovery Manager Agents DRM agents can read requests 17 7 40 certServer kra requests Controls list operations for a DRM request 17 7 40 1 Operations Operations list 17 7 40 2 Default ACIs allow list group Data Recovery Manager Agents Only DRM agents can list key archival requests 17 7 41 certServer kra request ...

Page 445: ...ations to display the system status of a DRM 17 7 42 1 Operations Operations read 17 7 42 2 Default ACIs allow read group Data Recovery Manager Agents Only DRM agents can read system status 17 7 43 certServer log configuration Controls operations on the log configuration 17 7 43 1 Operations Operations read modify 17 7 43 2 Default ACIs allow read group Administrators group Auditors group Certific...

Page 446: ...ministrators group Auditors group Certificate Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents deny modify user anybody Administrators auditors and agents can read the value of the expirationTime parameter no one is allowed to modify the value of the expirationTime parameter for the signed audit log 17 7 45 certServer log configuration fileName Contr...

Page 447: ...er Agents group Online Certificate Status Manager Agents Only an auditor is allowed to view the audit log NOTE All other groups need to be specifically denied access to this log since they are given access to all logs in the certServer log content ACL 17 7 47 certServer log content Controls read operations to all logs 17 7 47 1 Operations Operations Description read View log content List all logs ...

Page 448: ...ager agents can add CAs 17 7 49 certServer ocsp cas Controls list operations for listing the CAs that publish to an Online Certificate Status Manager 17 7 49 1 Operations Operations list 17 7 49 2 Default ACIs allow list group Online Certificate Status Manager Agents Only Online Certificate Status Manager agents can list CAs 17 7 50 certServer ocsp certificate Controls validate operation for check...

Page 449: ...very Manager Agents group Online Certificate Status Manager Agents group Auditors allow modify group Administrators Administrators agents and auditors are allowed to read OCSP configuration only administrators are allowed to modify OCSP configuration 17 7 52 certServer ocsp crl Controls add operations for posting CRLs to an OCSP 17 7 52 1 Operations Operations add 17 7 52 2 Default ACIs allow add ...

Page 450: ...ger Agents group Auditors allow modify group Administrators Administrators agents and auditors are allowed to read certificate profile configuration only administrators are allowed to modify certificate profile configuration 17 7 54 certServer publisher configuration Controls read and modify operation for the publishing configuration 17 7 54 1 Operations Operations read modify 17 7 54 2 Default AC...

Page 451: ...ug in modules Currently this is only used to register certificate profile plug ins 17 7 55 1 Operations Operations read modify 17 7 55 2 Default ACIs allow read group Administrators group Certificate Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents group Auditors allow modify group Administrators Administrators auditors and agents are allowed to view...

Page 452: ... Certificate Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents allow modify group Administrators Administrators auditors and agents are allowed to read user and group configuration only administrators are allowed to modify user and group configuration ...

Page 453: ...be customized for different appearances and formatting 18 1 1 Types of Automated Notifications There are three types of automated notifications Certificate Issued A notification message is automatically sent to users who have been issued certificates A rejection message is sent to a user if the user s certificate request is rejected Certificate Revocation A notification message is automatically se...

Page 454: ...he window Figure 18 1 Notification Tabs 4 To enable issued certificate notifications go to the Certificate Issued tab select the enable checkbox and specify information in the following fields Enable Certificate Issued notification Select this checkbox to enable notifications when a certificate is issued or rejected Sender s E mail Address Type the sender s full email address of the user who is no...

Page 455: ...his checkbox to enable request in queue notifications Sender s E Mail Address Type the sender s full email address of the user who is notified of any delivery problems Subject Type the subject title for the notification Recipient s E Mail Address Type the recipient s full email address these are the email addresses of the agents who will check the queue To list more than one recipient separate the...

Page 456: ...he parameters for the notification messages are explained in Section 18 2 Setting Up Automated Notifications 4 Save the file 5 Restart the CA instance etc init d rhpki ca start 6 If a job has been created to send automated messages check that the mail server is correctly configured See Section 3 5 Mail Server 7 The messages that are sent automatically can be customized see Section 18 3 Customizing...

Page 457: ...e HTML commands in the HTML message template The default text version of the certificate issuance notification message is as follows Your certificate request has been processed successfully SubjectDN SubjectDN IssuerDN IssuerDN notAfter NotAfter notBefore NotBefore Serial Number 0x HexSerialNumber To get your certificate please follow this URL https HttpHost HttpPort displayBySerial op displayBySe...

Page 458: ...s to end entities when a certificate is revoked certRequestRevoked_CA html Template for HTML based notification emails to end entities when a certificate is revoked reqInQueue_CA Template for plain text notification emails to agents when a request enters the queue reqInQueue_CA html Template for HTML based notification emails to agents when a request enters the queue Table 18 1 Notification Templa...

Page 459: ...pe of certificate these can be any of the following SSL client client SSL server server CA signing certificate ca other other ExecutionTime Gives the time the job was run HexSerialNumber Gives the serial number of the certificate that was issued in hexadecimal format HttpHost Gives the fully qualified host name of the Certificate Manager to which end entities should connect to retrieve their certi...

Page 460: ...tatus Gives the request status SubjectDN Gives the DN of the certificate subject SummaryItemList Lists the items in the summary notification Each item corresponds to a certificate the job detects for removal from the publishing directory SummaryTotalFailure Gives the total number of items in the summary report that failed SummaryTotalNum Gives the total number of certificate requests that are pend...

Page 461: ...s The automated jobs feature is set up by doing the following Enabling and configuring the Job Scheduler see Section 19 2 Setting up the Job Scheduler for more information Enabling and configuring the job modules and setting preferences for those job modules see Section 19 3 Setting up Specific Jobs for more information Customizing the email notification messages sent with these jobs by changing t...

Page 462: ... administrators specified by the configuration NOTE This job automates removing expired certificates from the directory Expired certificates can also be removed manually for more information on this see Section 15 11 Updating Certificates and CRLs in a Directory 19 2 Setting up the Job Scheduler The Certificate Manager can execute a job only if the Job Scheduler is enabled The job settings such as...

Page 463: ...emon thread wakes up and calls the configured jobs that meet the cron specification By default it is set to one minute NOTE The window for entering this information may be too small to see the input Drag the corners of the Certificate Manager Console to enlarge the entire window 5 Click Save 19 3 Setting up Specific Jobs Automated jobs can be configured through the Certificate Manager Console or b...

Page 464: ...e pkiconsole https server example com 9443 ca 2 Confirm that the Jobs Scheduler is enabled See Section 19 2 Setting up the Job Scheduler for more information 3 In the Configuration tab select Job Scheduler from the navigation tree Then select Jobs 4 This opens the Job Instance tab Figure 19 2 Job Instance Tab Select the job instance from the list and click Edit View The Job Instance Editor opens s...

Page 465: ...or this dialog For requestInQueueNotifier see Section 19 3 3 Configuration Parameters of requestInQueueNotifier For publishCerts see Section 19 3 4 Configuration Parameters of publishCerts For unpublishExpiredCerts see Section 19 3 5 Configuration Parameters of unpublishExpiredCerts For more information about setting the cron time frequencies see Section 19 3 6 Frequency Settings for Automated Job...

Page 466: ... requestInQueueNotifier see Section 19 3 3 Configuration Parameters of requestInQueueNotifier To configure the publishCerts job edit all parameters that begin with jobsScheduler job publishCerts see Section 19 3 4 Configuration Parameters of publishCerts To configure the unpublishExpiredCerts job edit all parameters that begin with jobsScheduler job unpublishExpiredCerts see Section 19 3 5 Configu...

Page 467: ...ecifies the path including the filename to the directory containing the template to use to create the summary report summary senderEmail Specifies the sender of the notification message who will be notified of any delivery problems summary recipientEmail Specifies the recipients of the summary message These can be agents who need to process pending requests or other users More than one recipient c...

Page 468: ...ies the sender of the summary message who will be notified of any delivery problems summary recipientEmail Specifies the recipients of the summary message These can be agents who need to know the status of user certificates or other users More than one recipient can be set by separating each email address with a comma Table 19 2 publishCerts Parameters 19 3 5 Configuration Parameters of unpublishE...

Page 469: ...ertificates or other users More than one recipient can be set by separating each email address with a comma Table 19 3 unpublishExpiredCerts Parameters 19 3 6 Frequency Settings for Automated Jobs The Job Scheduler uses a variation of the Unix crontab entry format to specify dates and times for checking the job queue and executing jobs As shown in Table 19 4 Time Values for Scheduling Jobs and Fig...

Page 470: ...er new job plug ins and delete existing plug ins 19 4 1 Registering or Deleting a Job Module Custom job plug ins can be registered through the Certificate Manager Console Registering a new module involves specifying the name of the module and the full name of the Java class that implements the module It is also possible to delete job modules but this is not recommended To register or delete a job ...

Page 471: ...in module Class name Type the full name of the class for this module this is the path to the implementing Java class If this class is part of a package include the package name For example to register a class named customJob that is in a package named com customplugins type com customplugins customJob 5 Click OK ...

Page 472: ...450 ...

Page 473: ...ter and cloned instances are installed on different machines and those machines are placed behind a load balancer The load balancer accepts HTTP and HTTPS requests made to the Certificate System system and directs those requests appropriately between the two machines In the event that one machine fails the load balancer will transparently redirect all requests to the machine that is still running ...

Page 474: ...lancer can also provide the following advantages as part of a Certificate System system DNS round robin a feature for managing network congestion that distributes load across several different servers Sticky SSL which makes it possible for a user returning to the system to be routed the same host used previously Consult the documentation for the load balancer for more information about the feature...

Page 475: ... the required keys and certificates except the SSL server key and certificate to the clone instance Keep the nicknames for those certificates the same Additionally copy all the necessary trusted root from the master instance to the clone instance If the token is network based then the keys and certificates simply need to be available to the token the keys and certificates do not need to be copied ...

Page 476: ...er Conversion At times an existing cloned subsystem may need converted into a new master subsystem such as after catastrophic failure of the existing master First convert the existing offline master subsystem into a clone then convert one of the current existing online cloned subsystems into the new online master subsystem The differences between the master and the clone of the different subsystem...

Page 477: ...aster CA if it is still running 2 Open the existing master CA configuration directory cd var lib master_ID conf 3 Edit the CS cfg file and change the following Disable control of the database maintenance thread by changing the value of the following line to 0 add the line if it does not already exist ca certStatusUpdateInterval 0 Disable monitoring database replication changes by changing the valu...

Page 478: ... which begins with the ca crl prefix b Copy each line beginning with the ca crl prefix from the former master CA CS cfg file into the cloned CA s CS cfg file c Enable control of the database maintenance thread by changing the value of the following line to 600 600 is the default value for the master Certificate System This value can be changed to any other non zero number ca certStatusUpdateInterv...

Page 479: ...y cd var lib master_ID conf 3 Edit the CS cfg and add the following line 21600 is the default value for a cloned OCSP This value can be changed to any other non zero number OCSP Responder store defStore refreshInSec 21600 20 4 4 Converting a Cloned OCSP into a Master OCSP After converting the existing offline master OCSP responder into an offline cloned OCSP one of the online cloned OCSP responder...

Page 480: ...Chapter 20 Configuring the Certificate System for High Availability 458 4 Start the new master OCSP responder server etc init d instance_ID start ...

Page 481: ...ication was originally designed to bind public keys to names in an X 500 directory As certificates began to be used on the Internet and extranets and directory lookups could not always be performed problem areas emerged that were not covered by the original specification Trust The X 500 specification establishes trust by means of a strict directory hierarchy By contrast Internet and extranet deplo...

Page 482: ...d was finalized Netscape and other companies had to address some of the most pressing issues with their own extension definitions For example applications such as Netscape Navigator and Enterprise Server supported an extension known as the Netscape Certificate Type Extension that specifies the type of certificate issued such as client server or email To maintain compatibility with older versions o...

Page 483: ...tension and accept the certificate An octet string containing the DER encoding of the value of the extension Typically the application receiving the certificate checks the extension ID to determine if it can recognize the ID If it can it uses the extension ID to determine the type of value used Some of the standard extensions defined in the X 509 v3 standard include the following Authority Key Ide...

Page 484: ...sage SSL CA Secure Email CA ObjectSigning CA Identifier Basic Constraints 2 5 29 19 Critical yes Is CA yes Path Length Constraint UNLIMITED Identifier Subject Key Identifier 2 5 29 14 Critical no Key Identifier 3B 46 83 85 27 BC F5 9D 8E 63 E3 BE 79 EF AF 79 9C 37 85 84 Identifier Authority Key Identifier 2 5 29 35 Critical no Key Identifier 3B 46 83 85 27 BC F5 9D 8E 63 E3 BE 79 EF AF 79 9C 37 85...

Page 485: ...Netscape defined OID for an extension named Netscape Certificate Comment The OID assigned to this extension is hierarchical and includes the former Netscape company arc 2 16 840 1 http www alvestrand no objectid 2 16 840 1 113730 1 13 html If an OID extension exists in a certificate and is marked critical the application validating the certificate must be able to interpret the extension including ...

Page 486: ...efines an accessMethod id ad ocsp for using OCSP to verify certificates The accessLocation field then contains a URL indicating the location and protocol used to access an OCSP responder that can validate the certificate A 3 2 The authorityKeyIdentifier A 3 2 1 OID 2 5 29 35 A 3 2 2 Criticality This extension is always noncritical and is always evaluated A 3 2 3 Discussion The Authority Key Identi...

Page 487: ... apply certificate chain path length constraints The cA component should be set to true for all CA certificates PKIX recommends that this extension should not appear in end entity certificates If the pathLenConstraint component is present its value must be greater than the number of CA certificates that have been processed so far starting with the end entity certificate and moving up the chain If ...

Page 488: ...xtKeyUsage A 3 6 1 OID 2 5 29 37 A 3 6 2 Criticality If this extension is marked critical the certificate must be used for one of the indicated purposes only If it is not marked critical it is treated as an advisory field that may be used to identify keys but does not restrict the use of the certificate to the indicated purposes A 3 6 3 Discussion The Extended Key Usage extension indicates the pur...

Page 489: ...ension Uses Use Certificate trust list signing Microsoft Server Gated Crypto SGC Microsoft Encrypted File System Netscape SGC Table A 2 Private Extended Key Usage Extension Uses A 3 7 issuerAltName Extension A 3 7 1 OID 2 5 29 18 A 3 7 2 Criticality PKIX Part 1 recommends that this extension be marked noncritical A 3 7 3 Discussion The Issuer Alternative Name extension is used to associate Interne...

Page 490: ... is used to encrypt user data instead of key material keyAgreement 4 when the subject s public key is used for key agreement keyCertSign 5 for all CA signing certificates cRLSign 6 for CA signing certificates that are used to sign CRLs encipherOnly 7 if the public key is used only for enciphering data If this bit is set keyAgreement should also be set decipherOnly 8 if the public key is used only ...

Page 491: ...0 3 Discussion The extension is meant to be included in an OCSP signing certificate The extension tells an OCSP client that the signing certificate can be trusted without querying the OCSP responder since the reply would again be signed by the OCSP responder and the client would again request the validity status of the signing certificate This extension is null valued its meaning is determined by ...

Page 492: ...oncritical A 3 12 3 Discussion The Policy Mappings extension is used in CA certificates only It lists one or more pairs of OIDs used to indicate that the corresponding policies of one CA are equivalent to policies of another CA It may be useful in the context of cross pair certificates This extension may be supported by CAs and applications A 3 13 privateKeyUsagePeriod A 3 13 1 OID 2 5 29 16 A 3 1...

Page 493: ...e relationship between this extension and the subject field Email addresses may be provided in the Subject Alternative Name extension the certificate subject name field or both If the email address is part of the subject name it must be in the form of the EmailAddress attribute defined by PKCS 9 Software that supports S MIME must be able to read an email address from either the Subject Alternative...

Page 494: ...80 txt recommends a set of extensions to be used in CRLs These extensions are called standard CRL extensions The standard also allows custom extensions to be created and included in CRLs These extensions are called private proprietary or custom CRL extensions and carry information unique to an organization or business Applications may not able to validate CRLs that contain private critical extensi...

Page 495: ...sion may appear per CRL for example a CRL may contain only one Authority Key Identifier extension However CRL entry extensions appear in appropriate entries in the CRL Certificate Revocation List Data Version v2 Extensions Identifier Authority Key Identifier Critical no Key Identifier 2c 22 c6 ae 4e 4b 91 c7 fb 4c cc ae 84 e8 aa 5b 46 6a a0 ad Revoked Certificates Serial Number 0x12 Revocation Dat...

Page 496: ...suerAltName Section A 5 1 6 issuingDistributionPoint A 5 1 1 authorityKeyIdentifier A 5 1 1 1 OID 2 5 29 35 A 5 1 1 2 Discussion The Authority Key Identifier extension for a CRL identifies the public key corresponding to the private key used to sign the CRL For details see the discussion under certificate extensions at Section A 3 2 The authorityKeyIdentifier The PKIX standard recommends that the ...

Page 497: ...r Configuration Parameters A 5 1 3 deltaCRLIndicator A 5 1 3 1 OID 2 5 29 27 A 5 1 3 2 Criticality PKIX requires that this extension be critical if it exists A 5 1 3 3 Discussion The deltaCRLIndicator extension generates a delta CRL a list only of certificates that have been revoked since the last CRL it also includes a reference to the base URL This updates the local database while ignoring uncha...

Page 498: ...s Indicates the number of issuing points for the delta CRL from 0 to any positive integer the default is 0 When setting this to an integer other than 0 set the number and then click OK to close the window Re open the edit window for the rule and the fields to set these points will be present pointTypen Specifies the type of issuing point for the n issuing point For each number specified in numPoin...

Page 499: ... Issuer Alternative Name extension allows additional identities to be associated with the issuer of the CRL like binding attributes such as a mail address a DNS name an IP address and a uniform resource indicator URI with the issuer of the CRL For details see the discussion under certificate extensions at Section A 3 7 issuerAltName Extension A 5 1 5 3 Parameters Parameter enable critical numNames...

Page 500: ...Appendix A Certificate and CRL Extensions 478 Parameter namen Table A 8 IssuerAlternativeName Configuration Parameters ...

Page 501: ...tribution Point CRL extension identifies the CRL distribution point for a particular CRL and indicates what kinds of revocation it covers such as revocation of end entity certificates only CA certificates only or revoked certificates that have a limited set of reason codes PKIX Part I does not require this extension A 5 1 6 4 Parameters Parameter enable critical pointType pointName onlySomeReasons...

Page 502: ...xtensions are noncritical A 5 2 1 certificateIssuer A 5 2 1 1 OID 2 5 29 29 A 5 2 1 2 Discussion The Certificate Issuer extension identifies the certificate issuer associated with an entry in an indirect CRL This extension is used only with indirect CRLs which are not supported by the Certificate System A 5 2 2 holdInstructionCode A 5 2 2 1 OID 2 5 29 23 A 5 2 2 2 Discussion The Hold Instruction C...

Page 503: ...n The Invalidity Date extension provides the date on which the private key was compromised or that the certificate otherwise became invalid A 5 2 3 3 Parameters Parameter enable critical Table A 11 InvalidityDate Configuration Parameters A 5 2 4 CRLReason A 5 2 4 1 OID 2 5 29 21 A 5 2 4 2 Discussion The Reason Code extension identifies the reason for certificate revocation ...

Page 504: ...A 6 1 1 OID 2 16 840 1 113730 1 A 6 1 2 Discussion The Netscape Certificate Type extension can be used to limit the purposes for which a certificate can be used It has been replaced by the X 509 v3 extensions Section A 3 6 extKeyUsage and Section A 3 3 basicConstraints If the extension exists in a certificate it limits the certificate to the uses specified in it If the extension is not present the...

Page 505: ...netscape comment 483 A 6 2 2 Discussion The value of this extension is an IA5String It is a comment that can be displayed to the user when the certificate is viewed ...

Page 506: ...484 ...

Page 507: ...ins intact but its privacy is compromised For example someone could gather credit card numbers record a sensitive conversation or intercept classified information Tampering Information in transit is changed or replaced and then sent to the recipient For example someone could alter an order for goods or change a person s resume Impersonation Information passes to a person who poses as the intended ...

Page 508: ...ction used for encryption or decryption Usually two related functions are used one for encryption and the other for decryption With most modern cryptography the ability to keep encrypted information secret is based not on the cryptographic algorithm which is widely known but on a number called a key that must be used with the algorithm to produce an encrypted result or to decrypt previously encryp...

Page 509: ...lic key encryption Public key encryption also called asymmetric encryption involves a pair of keys a public key and a private key associated with an entity Each public key is published and the corresponding private key is kept secret For more information about the way public keys are published see Section B 4 Certificates and Authentication Data encrypted with a public key can be decrypted only wi...

Page 510: ... The RSA cipher can use only a subset of all possible values for a key of a given length due to the nature of the mathematical problem on which it is based Other ciphers such as those used for symmetric key encryption can use all possible values for a key of a given length Thus a 128 bit key with a symmetric key encryption cipher provides stronger encryption than a 128 bit key with the RSA public ...

Page 511: ...ic key used to decrypt the digital signature corresponds to the private key used to create the digital signature Confirming the identity of the signer also requires some way of confirming that the public key belongs to a particular entity For more information on authenticating users see Section B 4 Certificates and Authentication A digital signature is similar to a handwritten signature Once data ...

Page 512: ...role of CAs see Section B 4 6 How CA Certificates Establish Trust B 4 2 Authentication Confirms an Identity Authentication is the process of confirming an identity For network interactions authentication involves the identification of one party by another party There are many ways to use authentication over networks Certificates are one of those way Network interactions typically take place betwee...

Page 513: ...s 1 When the server requests authentication from the client the client displays a dialog box requesting the username and password for that server 2 The client sends the name and password across the network either in plain text or over an encrypted SSL connection 3 The server looks up the name and password in its local password database and if they match accepts them as evidence authenticating the ...

Page 514: ...re B 4 Using a Password to Authenticate a Client to a Server the authentication process in Figure B 5 Using a Certificate to Authenticate a Client to a Server requires SSL Figure B 5 Using a Certificate to Authenticate a Client to a Server also assumes that the client has a valid certificate that can be used to identify the client to the server Certificate based authentication is preferred to pass...

Page 515: ...s the certificate and the signed data to authenticate the user s identity 5 The server may perform other authentication tasks such as checking that the certificate presented by the client is stored in the user s entry in an LDAP directory The server then evaluates whether the identified user is permitted to access the requested resource This evaluation process can employ a variety of standard auth...

Page 516: ...certificates to determine what other certificates can be trusted For more information see Section B 4 6 How CA Certificates Establish Trust The cert corp eac Table B 1 Common Certificates B 4 3 2 SSL The Secure Sockets Layer SSL protocol governs server authentication client authentication and encrypted communication between servers and clients SSL is widely used on the Internet especially for inte...

Page 517: ...services they use like logging onto the network collecting email using directory services using the corporate calendar program and accessing servers Users have difficulty keeping track of different passwords tend to choose poor ones and tend to write them down in obvious places and administrators must keep track of a separate password database on each server and deal with potential security proble...

Page 518: ...cate Every X 509 certificate consists of two sections The data section includes the following information The version number of the X 509 standard supported by the certificate The certificate s serial number Every certificate issued by a CA has a serial number that is unique among the certificates issued by that CA Information about the user s public key including the algorithm used and a represen...

Page 519: ...001 Extensions Identifier Certificate Type Critical no Certified Usage SSL Client Identifier Authority Key Identifier Critical no Key Identifier f2 f2 06 59 90 18 47 51 f5 89 33 5a 31 7a e6 5c fb 36 26 c9 Signature Algorithm PKCS 1 MD5 With RSA Encryption Signature 6d 23 af f3 d3 b6 7a df 90 df cd 7e 18 6c 01 69 8e 54 65 fc 06 30 43 34 d1 63 1f 06 7d c3 40 a8 2a 82 c1 a4 83 2a fb 2e 8f fb f0 6d ff...

Page 520: ...ich it has a certificate It is also possible for a trusted CA certificate to be part of a chain of CA certificates each issued by the CA above it in a certificate hierarchy The sections that follow explains how certificate hierarchies and certificate chains determine what certificates software can trust Section B 4 6 1 CA Hierarchies Section B 4 6 2 Certificate Chains Section B 4 6 3 Verifying a C...

Page 521: ...ficates signed by the higher level subordinate CAs Organizations have a great deal of flexibility in how CA hierarchies are set up Figure B 6 Example of a Hierarchy of Certificate Authorities shows just one example B 4 6 2 Certificate Chains CA hierarchies are reflected in certificate chains A certificate chain is series of certificates issued by successive CAs Figure B 7 Example of a Certificate ...

Page 522: ...at issued that certificate USA CA s DN is also the subject name of the next certificate in the chain Each certificate is signed with the private key of its issuer The signature can be verified with the public key in the issuer s certificate which is the next certificate in the chain In Figure B 7 Example of a Certificate Chain the public key in the certificate for the USA CA can be used to verify ...

Page 523: ...tops successfully here Otherwise the issuer s certificate is checked to make sure it contains the appropriate subordinate CA indication in the certificate type extension and chain verification starts over with this new certificate Figure B 8 Verifying a Certificate Chain to the Root CA presents an example of this process Figure B 8 Verifying a Certificate Chain to the Root CA Figure B 8 Verifying ...

Page 524: ...invalid signature or the absence of a certificate for the issuing CA at any point in the certificate chain causes authentication to fail Figure B 10 A Certificate Chain That cannot Be Verified shows how verification fails if neither the root CA certificate nor any of the intermediate CA certificates are included in the verifier s local database ...

Page 525: ...e management issues involved in managing the PKI Section B 5 1 Issuing Certificates Section B 5 2 Certificates and the LDAP Directory Section B 5 3 Key Management Section B 5 4 Revoking Certificates B 5 1 Issuing Certificates The process for issuing a certificate depends on the CA that issues it and the purpose for which it will be used Issuing nondigital forms of identification varies in similar ...

Page 526: ...ups Issuing certificates and other certificate management tasks can be an integral part of user and group management High performance directory services are an essential ingredient of any certificate management strategy For the Certificate System to function there must be a Red Hat Directory Server installed to support the LDAP directory services B 5 3 Key Management Before a certificate can be is...

Page 527: ... or moves to a new job in a different unit within the company Certificate revocation can be handled in several different ways Servers can be configured so that the authentication process checks the directory for the presence of the certificate being presented When an administrator revokes a certificate the certificate can be automatically removed from the directory and subsequent authentication at...

Page 528: ...506 ...

Page 529: ...uter s hostname and dnsname must be configured Please see Cisco Router Configuration to describe how to accomplish all this C 2 Configuration The router s hostname is scep Log into the router s console you ll see the following prompt scep Now run the following commands in sequence Enable Privileged Commands scep enable Enter Configuration Mode scep conf t Set up a CA identity scep config crypto ca...

Page 530: ...subject name in the certificate will be scep dsdev sjc redhat com Include the router serial number in the subject name yes no yes The serial number in the certificate will be 57DE391C Include an IP address in the subject name yes no yes Interface Ethernet0 0 Request certificate from CA yes no yes Certificate request sent to Certificate Authority The certificate request fingerprint will be displaye...

Page 531: ...to ca identity CA Removing an identity will destroy all certificates received from the related Certificate Authority Are you sure you want to do this yes no yes Be sure to ask the CA administrator to revoke your certificates No enrollment sessions are currently active C 2 1 Working with chained subordinate CAs Before running the crypto ca authenticate command above you must import all certificates...

Page 532: ...RL requirement scep ca root crl optional Set up a CA identity scep config crypto ca identity CA scep ca identity enrollment url http paw sfbay redhat com 12888 ee scep pkiclient cgi scep ca identity crl optional scep ca identity exit Submit enrollment request to subordinate CA in this example scep config crypto ca authenticate CA scep config crypto ca enroll CA C 2 2 DEBUGGING The router will prov...

Page 533: ...ent An enrollment that requires an agent to approve the request before the certificate is issued agent services 1 Services that can be administered by a Certificate System agent through HTML pages served by the Certificate System subsystem for which the agent has been assigned the necessary privileges 2 The HTML pages for administering such services attribute value assertion AVA An assertion of th...

Page 534: ...dentifies a certificate authority See also certificate authority CA subordinate CA root CA CA hierarchy A hierarchy of CAs in which a root CA delegates the authority to issue certificates to subordinate CAs Subordinate CAs can also expand the hierarchy by delegating issuing status to other CAs See also certificate authority CA subordinate CA root CA CA server key The SSL server key of the server p...

Page 535: ...ertificate changes even by a single character the same function produces a different number Certificate fingerprints can therefore be used to verify that certificates have not been tampered with Certificate Management Messages over Cryptographic Message Syntax CMC Message format used to convey a request for a certificate to a Certificate Manager A proposed standard from the Internet Engineering Ta...

Page 536: ... Layer SSL CMC See Certificate Management Messages over Cryptographic Message Syntax CMC CMC Enrollment Features that allow either signed enrollment or signed revocation requests to be sent to a Certificate Manager using an agent s signing certificate These requests are then automatically processed by the Certificate Manager CMMF See Certificate Management Message Formats CMMF Certificate System S...

Page 537: ...ger before issuing new certificates The Data Recovery Manager is useful only if end entities are encrypting data such as sensitive email that the organization may need to recover someday It can be used only with end entities that support dual key pairs two separate key pairs one for encryption and one for digital signatures Data Recovery Manager agent A user who belongs to a group authorized to ma...

Page 538: ...er See also nonrepudiation encryption distribution points Used for CRLs to define a set of certificates Each distribution point is defined by a set of certificates that are issued A CRL can be created for a particular distribution point distinguished name DN A series of AVAs that identify the subject of a certificate See attribute value assertion AVA dual key pair Two public private key pairs four...

Page 539: ...set which then dynamically creates the enrollment form from all inputs configured for this enrollment intermediate CA A CA whose certificate is located between the root CA and the issued certificate in a certificate chain IP spoofing The forgery of client IP addresses J JAR file A digital envelope for a compressed collection of files organized according to the Java archive JAR format Java archive ...

Page 540: ...500 directories LDAP is under IETF change control and has evolved to meet Internet requirements linked CA An internally deployed certificate authority CA whose certificate is signed by a public third party CA The internal CA acts as the root CA for certificates it issues and the third party CA acts as the root CA for certificates issued by other CAs that are linked to the same third party root CA ...

Page 541: ...ciated private key is used to sign objects using the technology known as object signing OCSP Online Certificate Status Protocol one way hash 1 A number of fixed length generated from data of arbitrary length with the aid of a hashing algorithm The number also called a message digest is unique to the hashed data Any change in the data even deleting or altering a single character results in a differ...

Page 542: ... name of the Data Recovery Manager subject name of the corresponding certificate and date of archival The signed proof of archival data are the response returned by the Data Recovery Manager to the Certificate Manager after a successful key archival operation See also Data Recovery Manager transport certificate public key One of a pair of keys used in public key cryptography The public key is dist...

Page 543: ...ts a Certificate System instance both when the instance starts up and on demand server authentication The process of identifying a server to a client See also client authentication server SSL certificate A certificate used to identify a server to a client using the Secure Sockets Layer SSL protocol servlet Java code that handles a particular kind of interaction with end entities on behalf of a Cer...

Page 544: ...d performs cryptographic operations Smart cards implement some or all of the PKCS 11 interface spoofing Pretending to be someone else For example a person can pretend to have the email address jdoe example com or a computer can identify itself as a site called www redhat com when it is not Spoofing is one form of impersonation See also misrepresentation SSL See Secure Sockets Layer SSL subject The...

Page 545: ...rity CA that issued the certificate If a CA is trusted then valid certificates issued by that CA can be trusted V virtual private network VPN A way of connecting geographically distant divisions of an enterprise The VPN allows the divisions to communicate over an encrypted channel allowing authenticated confidential transactions that would normally be restricted to a private network ...

Page 546: ...524 ...

Page 547: ...h the Console 379 382 384 password based 491 491 See also client authentication 491 See also server authentication 491 authentication modules agent initiated user enrollment 322 386 deleting 389 registering new ones 389 authorityKeyIdentifier 123 464 474 B backing up the Certificate System 107 backups 107 base 64 encoded file viewing content 359 basicConstraints 122 465 buffered logging 81 C CA ce...

Page 548: ...onfiguring authentication 379 382 384 Certificate System data where it is stored 103 certificate based authentication defined 491 certificate based enrollment 386 forms for 387 what you need 387 when to use 387 certificateIssuer 480 certificatePolicies 465 certificates and LDAP Directory 504 authentication using 491 CA certificate 494 chains 500 contents of 495 extensions for 123 459 how to revoke...

Page 549: ...pairs and certificates list of 173 storage key pair 174 transport certificate 174 setting up key archival 178 key recovery 179 deleting authentication modules 389 log modules 87 mapper modules 363 privileged users 400 publisher modules 363 deltaCRLIndicator 475 deployment planning CA decisions CA reissuance 120 distinguished name 112 root versus subordinate 25 114 signing certificate 113 signing k...

Page 550: ...over architecture 451 file based publisher 364 FIPS PUBS 140 1 22 flush interval for logs 81 G groups changing members 399 H hardware accelerators 269 hardware tokens See external tokens 265 265 high availability 451 holdInstructionCode 480 host name for mail server used for notifications 67 how to revoke certificates 324 how to search for keys 175 I installation 23 installing certificates 254 ins...

Page 551: ...76 Audit 76 Error 78 M mail server used for notifications 67 managing certificate database 254 mapper modules deleting 363 registering new ones 363 mappers created during installation 346 367 369 mappers that use CA certificate 367 DN components 370 master CA 14 modifying privileged user s group membership 399 N Name extension modules Issuer Alternative Name 300 nameConstraints 469 naming conventi...

Page 552: ...lic key cryptography 485 defined 487 infrastructure 503 management 504 publisher modules deleting 363 registering new ones 363 publishers created during installation 345 365 365 366 publishers that can publish to CA s entry in the directory 365 365 366 files 364 OCSP responder 366 users entries in the directory 365 publishing of certificates to files 338 of CRLs 323 to files 338 to LDAP directory ...

Page 553: ... starting subsystem instance 66 Status tab 62 stopping subsystem instance 66 storage key pair 174 storing user s certificates 252 subjectAltName 471 subjectDirectoryAttributes 471 subjectKeyIdentifier subjectKeyIdentifier 471 subordinate CA 7 T TCP IP defined 485 templates for notifications 436 timing log rotation 81 Token Key Service 15 217 administrators creating 220 394 agents creating 220 394 ...

Page 554: ...Index 532 users creating 124 161 181 220 394 storing certificates 252 W why to revoke certificates 324 wTLS CA signing certificate 112 nickname 112 X X 509 certificates 22 ...

Reviews:

No comments

Related manuals for CERTIFICATE SYSTEM 7.3 - ADMINISTRATION

Panasonic Workio DP-2310 Operating Instructions Manual preview
Workio DP-2310
Brand: Panasonic Pages: 20
Samsung SCX 4500 - B/W Laser - All-in-One Manual preview
SCX 4500 - B/W Laser - All-in-One
Brand: Samsung Pages: 21
Samsung SCX 4828FN - Laser Multi-Function Printer Manual preview
SCX 4828FN - Laser Multi-Function Printer
Brand: Samsung Pages: 38
Samsung SCX 4725FN - B/W Laser - All-in-One Manual preview
SCX 4725FN - B/W Laser - All-in-One
Brand: Samsung Pages: 33
Netscape Certificate Management System 6.2 Administrator'S Manual preview
Certificate Management System 6.2
Brand: Netscape Pages: 874
MACROMEDIA FLASH MX 2004 - FLASH LITE AUTHORING GUIDELINES FOR THE I-MODE... Manuallines preview
FLASH MX 2004 - FLASH LITE AUTHORING GUIDELINES FOR THE I-MODE...
Brand: MACROMEDIA Pages: 48
Valgrind BBV Quick Start Manual preview
BBV
Brand: Valgrind Pages: 319
FARONICS INSIGHT - Manual preview
INSIGHT -
Brand: FARONICS Pages: 43
MACROMEDIA FLEX Reference preview
FLEX
Brand: MACROMEDIA Pages: 830
M-Audio Wayoutware TimewARP 2600 User Manual preview
Wayoutware TimewARP 2600
Brand: M-Audio Pages: 49
MMSOFT Design Pulseway User Manual preview
Pulseway
Brand: MMSOFT Design Pages: 85
Red Hat CERTIFICATE SYSTEM 7.2 - AGENT GUIDE Manual preview
CERTIFICATE SYSTEM 7.2 - AGENT GUIDE
Brand: Red Hat Pages: 73
Nexo NXtension-ES User Manual preview
NXtension-ES
Brand: Nexo Pages: 24
Remote Reality OneShot360 User Manual preview
OneShot360
Brand: Remote Reality Pages: 61
Juniper TePM Agent Release Note preview
TePM Agent
Brand: Juniper Pages: 9
GRASS VALLEY KAYAK HD-SD Datasheet preview
KAYAK HD-SD
Brand: GRASS VALLEY Pages: 8
GRASS VALLEY K2 FCP CONNECT - Release Note preview
K2 FCP CONNECT -
Brand: GRASS VALLEY Pages: 19
Genius VIDEOCAM SLIMCLIP Installation Manual preview
VIDEOCAM SLIMCLIP
Brand: Genius Pages: 7

Brands by name

Popular brands

Load more brands