Red Hat Certificate System Agent Guide
7.2


Summary of Contents for Red Hat CERTIFICATE SYSTEM 7.2 - AGENT GUIDE

  • Page 1 Red Hat Certificate System Agent Guide...
  • Page 2 All other trademarks referenced herein are the property of their respective owners. The GPG fingerprint of the security@redhat.com key is: CA 20 86 86 2B D6 9D FC 65 F6 EC C4 21 91 80 CD DB 42 A6 0E...
  • Page 4: Table Of Contents

    Table of Contents: About This Guide (vi); 1. Who Should Read This Guide (vi); 2. Required Concepts (vi); 3. What Is in This Guide (vi); 4. Conventions Used in This Guide (vi); 5. Documentation (vii); 1.
  • Page 5 Table of Contents (continued): 8. TPS: Agent Services (54); 1. Basic Operations for an Agent and Administrator (54); 2. Adding Tokens (54); 3. Managing Tokens (55); 3.1. Changing Token Status (56); 3.2. Editing the Token (58); 3.3. Listing Token Certificates (58); 3.4.
  • Page 6: About This Guide

    About This Guide This guide describes the agent services interfaces used by Red Hat Certificate System agents to administer subsystem certificates and keys and other management operations. 1. Who Should Read This Guide This guide is intended for Certificate System agents, privileged users designated by the Certificate System administrator to manage requests from end entities for certificate-related services.
  • Page 7: Documentation

    Certificate System. A downloadable zip file of this material is available for user interaction with the tutorials. For the latest information about the Certificate System, including current release notes, complete product documentation, technical notes, and deployment information, visit the Red Hat Certificate System documentation page: http://www.redhat.com/docs/manuals/cert-system/...
  • Page 8: Agent Services

    Chapter 1. Agent Services This chapter describes the role of the privileged users, agents, in managing Certificate System subsystems. It also introduces the tools that agents use to administer service requests. 1. Overview of Certificate System Certificate System is a highly configurable set of software components and tools for creating, deploying, and managing certificates.
  • Page 9 An online certificate-validation authority is often referred to as an OCSP responder. • Token Key Service. The Token Key Service (TKS) manages the master and transport keys required to generate and distribute keys for smart cards. The TKS provides security between tokens and the TPS because it protects the integrity of the master key and token keys.
  • Page 10: Agent Tasks

    2. Agent Tasks The designated agents for each subsystem are responsible for the everyday management of end-entity requests and other aspects of the PKI: • Certificate Manager agents manage certificate requests received by the Certificate Manager subsystem, maintain and revoke certificates as necessary, and maintain global information about certificates.
  • Page 11 Figure 1.2. Certificate Manager Agent Services Page A Certificate Manager agent performs the following tasks: • Handling certificate requests. An agent can list the certificate service requests received by the Certificate Manager subsystem, assign requests, reject or cancel requests, and approve requests for certificate enrollment.
  • Page 12: Data Recovery Manager Agent Services

    2.2. Data Recovery Manager Agent Services The default entry page to the DRM agent services is shown in Figure 1.3, “Data Recovery Manager Agent Services Page”. Only designated DRM agents, with a valid certificate in their client software, are allowed to access these pages. Figure 1.3.
  • Page 13: Tps Agent Services

    Figure 1.4. Online Certificate Status Manager Agent Services Page An Online Certificate Status Manager agent performs the following tasks: • Checking which CAs are currently configured to publish their CRLs to the Online Certificate Status Manager. • Identifying a Certificate Manager to the Online Certificate Status Manager.
  • Page 14 Figure 1.5. TPS Agent Services Page A TPS agent performs the following tasks: • Listing and searching enrolled tokens by user ID or token CUID. • Listing and searching certificates associated with enrolled tokens. • Searching token operations by CUID. •...
  • Page 15: Forms For Performing Agent Operations

    Figure 1.6. TPS Administrator Operations Tab A TPS administrator can perform the following tasks: • Listing and searching enrolled tokens by user ID or token CUID. • Editing token information, including the token owner's user ID. •...
  • Page 16 (Table 1.1, continued; columns: Form name, Description) ...number of results to display. Display Revocation List: used to view the current CRL. The display can be customized by the issuing point and display type. Clicking on the CRL number displays the time taken to generate this CRL, known as the CRL split time.
  • Page 17: Accessing Agent Services

    (Table 1.1, continued; columns: Form name, Description) The operations are only searched by the contextually unique ID (CUID) of the token. See Section 5, “Searching Token Activities”. Table 1.1. Forms Used for Agent Operations 4. Accessing Agent Services Access to the agent services forms requires certificate-based authentication. Only users who authenticate with the correct certificate and who have been granted the proper access privilege can access and use the forms.
  • Page 18 ...here. Check with the Certificate System administrator for information on the local installation.
  • Page 19: Ca: Working With Certificate Profiles

    Chapter 2. CA: Working with Certificate Profiles A Certificate Manager agent is responsible for approving certificate profiles that have been configured by a Certificate System administrator. Certificate Manager agents also manage and approve certificate requests that come from profile-based enrollments. 1.
  • Page 20: List Of Certificate Profiles

    • Unassigns the certificate request, which removes the certificate request from an agent's queue. Enrollment requests are submitted to a certificate profile and are subject to the defaults and constraints set up in that certificate profile, regardless of whether the request was created from the input form associated with the certificate profile or the request was created elsewhere and submitted preformatted.
  • Page 21: Example Profile

    (Table 2.1, continued; columns: Profile ID, Profile Name, Description) ...smart card-based enrollments initiated through the TPS server for signing certificates. Table 2.1. List of Certificate Profiles 3.1. Example Profile An example caUserCert profile, as shipped with the server, is described here. A profile usually contains inputs, policy sets, and outputs.
  • Page 22 (Table 2.2, continued; columns: Profile Policy Set, Defaults, Constraints) ...The keytype should be RSA. keyminLength = 512, keymaxLength = 4096: the key length should be between 512 and 4096. set4 - Authority Key Identifier: no defaults, no constraints. set5 - AIA extension: no constraints; authinfoaccesscritical = false...
  • Page 23: How Certificate Profiles Work

    (Table 2.2, continued; columns: Profile Policy Set, Defaults, Constraints) ...Type:RFC822Name,Enable: true}. set9 - SigningAlg: populates the certificate signing algorithm. The default value is Algorithm=SHA1withRSA. Accepts only the following signing algorithms: SHA1withRSA, SHA256withRSA, SHA512withRSA, MD5withRSA, MD2withRSA. Table 2.2. caUserCert - Profile Policy Sets •...
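
The shipped caUserCert constraints above accept 512-bit RSA keys and MD2withRSA and MD5withRSA signatures (MD2 and MD5 were already broken when this guide was written, and SHA-1 has since followed). Because it is the agent who approves a profile, the approval step is where such constraints should be caught. The following is an added example, not code from the guide or from Certificate System: it evaluates a request against the constraints of Table 2.2 and lists the weak algorithms a profile still accepts. The `policyset.param=value` layout, the request dict, and the hardened variant are assumptions of this example, not the product's profile file syntax.

```python
"""Check a certificate request against profile policy-set constraints.

Added example for this guide; it is not Certificate System code. The
constraint layout below (policyset.param=value) is an assumption of this
example and is not the product's profile file syntax; the values are the
ones Table 2.2 gives for caUserCert.
"""

# Constraints as Table 2.2 lists them for the shipped caUserCert profile.
CAUSERCERT_AS_SHIPPED = """
set3.keyType=RSA
set3.keyMinLength=512
set3.keyMaxLength=4096
set9.signingAlg=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA
"""

# Tightened constraints (constructed) an agent would ask the administrator
# to apply before approving: no 512-bit keys, no MD2/MD5/SHA-1 signatures.
CAUSERCERT_HARDENED = """
set3.keyType=RSA
set3.keyMinLength=2048
set3.keyMaxLength=4096
set9.signingAlg=SHA256withRSA,SHA512withRSA
"""

# Signature algorithms built on digests with practical collision attacks.
WEAK_SIGNING_ALGS = frozenset({"MD2withRSA", "MD5withRSA", "SHA1withRSA"})


def parse_constraints(text):
    """Parse 'policyset.param=value' lines into {policyset: {param: value}}."""
    sets = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        policyset, _, param = key.strip().partition(".")
        sets.setdefault(policyset, {})[param] = value.strip()
    return sets


def evaluate_request(request, constraints):
    """Return the list of constraint violations; an empty list means the
    request passes the profile's constraints (defaults are not modelled).

    request is a dict with keyType (str), keyLength (int), signingAlg (str).
    """
    violations = []
    for policyset, params in constraints.items():
        if "keyType" in params and request.get("keyType") != params["keyType"]:
            violations.append(
                f"{policyset}: key type {request.get('keyType')!r} is not {params['keyType']}")
        length = request.get("keyLength", 0)
        if "keyMinLength" in params and length < int(params["keyMinLength"]):
            violations.append(
                f"{policyset}: key length {length} is below the minimum {params['keyMinLength']}")
        if "keyMaxLength" in params and length > int(params["keyMaxLength"]):
            violations.append(
                f"{policyset}: key length {length} exceeds the maximum {params['keyMaxLength']}")
        if "signingAlg" in params:
            allowed = [alg.strip() for alg in params["signingAlg"].split(",")]
            if request.get("signingAlg") not in allowed:
                violations.append(
                    f"{policyset}: signing algorithm {request.get('signingAlg')!r} "
                    f"is not one of {', '.join(allowed)}")
    return violations


def weak_algorithms_accepted(constraints):
    """Sorted list of weak signing algorithms a profile still accepts.

    Agents approve profiles, so this is the check to run before clicking Approve.
    """
    found = set()
    for params in constraints.values():
        for alg in params.get("signingAlg", "").split(","):
            if alg.strip() in WEAK_SIGNING_ALGS:
                found.add(alg.strip())
    return sorted(found)


if __name__ == "__main__":
    # A constructed request of the kind a browser of the period produced.
    req = {"keyType": "RSA", "keyLength": 1024, "signingAlg": "SHA1withRSA"}
    for name, text in (("shipped", CAUSERCERT_AS_SHIPPED), ("hardened", CAUSERCERT_HARDENED)):
        c = parse_constraints(text)
        print(name, "weak algorithms accepted:", weak_algorithms_accepted(c))
        print(name, "violations:", evaluate_request(req, c) or "none")
```

Run against the shipped constraints the 1024-bit SHA-1 request passes; against the hardened set it fails on both key length and signing algorithm, which is the outcome an agent wants before such a request reaches the queue.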
  • Page 24: Enabling And Disabling Certificate Profiles

    5. Enabling and Disabling Certificate Profiles Any certificate profiles that have been configured by an administrator are listed in the Manage Certificate Profiles page of the agent services page, which is accessed through the Manage Certificate Profiles link in the left menu of the CA agent services page.
  • Page 25 5.5. Disapproving a Certificate Profile Open the Manage Certificate Profiles page, and click on a certificate profile name. Open the certificate profile's Approve Certificate Profile page. Click the Disapprove button at the bottom of the page. NOTE It is only possible to disable a certificate profile after it has been approved. Once a certificate profile is disabled, it is no longer available in the end-entities page for end entities to use to enroll for certificates.
  • Page 26: Ca: Handling Certificate Requests

    Chapter 3. CA: Handling Certificate Requests A Certificate Manager agent is responsible for handling both manual enrollment requests made by end entities (end users, server administrators, and other Certificate System subsystems) and automated enrollment requests that have been deferred. This chapter describes the general procedure for handling requests and explains how to handle different aspects of certificate request management.
  • Page 27: Listing Certificate Requests

    Figure 3.1. Certificate Request Management Process 2. Listing Certificate Requests The Certificate Manager keeps a queue of all certificate service requests that have been submitted to it. The queue records whether a request is pending, completed, canceled, or rejected. Three types of requests can be in the queue: •...
  • Page 28 Go to the Certificate Manager agent services page. https://server.example.com:9443/ca/agent/ca NOTE An agent must have the proper client certificate to access this page. Click List Requests to view the queue of certificate requests. The List Requests form appears. Figure 3.2.
  • Page 29: Selecting A Request

    ...ing profile processing. If the system has been configured to provide automatic notifications to users, a notice is sent to the requester when the request is rejected. • Show completed requests. These are requests that have been completed, including issued certificates and completed revocation requests.
  • Page 30: Searching Requests

    Figure 3.4. Request Details NOTE If the system changes the state of the displayed request, using the browser's Back or Forward buttons or history to navigate can cause the data display to become out of date. To refresh the data, click the highlighted serial number at the top of the page.
  • Page 31: Approving Requests

    • Renewal • Revocation • ... • Searching by Request Owner. There are two ways to search by the request owner: • Search for requests assigned to self • Search for requests assigned to a particular agent (based on UID attribute) Both of the following search constraints apply to any of the search operations: •...
  • Page 32: Sending An Issued Certificate To The Requester

    ...request is confirmed as valid, or the system returns a list of fields that need to be edited. • Reject Request. Rejects the request. • Cancel Request. Cancels the request without issuing a certificate or a rejection. NOTE For more information on how to adjust parameters associated with certificate profiles, such as defaults and constraints, refer to Chapter 2, CA: Working with Certificate Profiles.
  • Page 33 Figure 3.5. A Newly Issued Certificate Page To copy and mail a new server certificate to the requester, do the following: Create a new email addressed to the requester. From the agent services window where the new certificate is displayed, copy only the base-64 encoded certificate, including the marker lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
  • Page 34 Create a new email message addressed to the requester. Paste the URL into the body of the message, along with instructions for the requester to go to that URL and click the Import button at the bottom of the page to import the certificate.
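
Copying "only the base-64 encoded certificate, including the marker lines" by hand is where a character gets dropped or a second block is picked up, and e-mail is not an integrity-protected channel. The following is an added example, not code from the guide or from Certificate System: it pulls the single certificate block out of page text, checks that the payload is valid base-64 framing exactly one DER SEQUENCE of the declared length, and produces a SHA-256 fingerprint the agent can read to the requester over a separate channel. The page text and the DER bytes are constructed; the DER is a minimal ASN.1 stand-in, not a real certificate, so only the outer framing is checked, not the X.509 structure.

```python
"""Extract the base-64 certificate block from agent-services page text,
check its framing, and fingerprint it for out-of-band confirmation.

Added example for this guide; it is not Certificate System code. The page
text and the DER bytes below are constructed: the DER is a minimal ASN.1
SEQUENCE stand-in, not a real certificate, so only the outer framing is
checked here, not the X.509 structure.
"""
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_RE = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)

# Constructed stand-in: SEQUENCE { INTEGER 1, OCTET STRING "hello" }.
CONSTRUCTED_DER = bytes.fromhex("300a020101040568656c6c6f")


def pem_encode(der):
    """Wrap DER bytes in the marker lines the guide tells the agent to copy."""
    return BEGIN + "\n" + base64.encodebytes(der).decode("ascii") + END + "\n"


# Constructed page text around the certificate, as the agent would see it.
SAMPLE_PAGE_TEXT = (
    "A Newly Issued Certificate\nSerial Number: 0x1234\n\n"
    + pem_encode(CONSTRUCTED_DER)
    + "\nInstalling this certificate in a server ...\n"
)


def der_total_length(der):
    """Return the byte length a DER TLV header declares for the whole element."""
    if len(der) < 2:
        raise ValueError("DER element too short")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    count = first & 0x7F                  # long form: number of length bytes
    if count == 0 or len(der) < 2 + count:
        raise ValueError("unsupported or truncated DER length")
    return 2 + count + int.from_bytes(der[2:2 + count], "big")


def extract_certificate(page_text):
    """Return (pem_block, der_bytes) for the single certificate in page_text.

    Raises ValueError when no block or more than one block is present, when
    the payload is not valid base-64, or when it does not decode to one DER
    SEQUENCE whose declared length matches the decoded byte count (a sign the
    agent copied too little or too much).
    """
    blocks = PEM_RE.findall(page_text)
    if len(blocks) != 1:
        raise ValueError(f"expected one certificate block, found {len(blocks)}")
    body = re.sub(r"\s+", "", blocks[0])
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:             # binascii.Error is a ValueError
        raise ValueError("certificate body is not valid base-64") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded bytes do not start with a DER SEQUENCE tag")
    if der_total_length(der) != len(der):
        raise ValueError("DER length does not match the decoded byte count")
    return pem_encode(der), der


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form browsers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    pem, der = extract_certificate(SAMPLE_PAGE_TEXT)
    print(pem, end="")
    print("SHA-256:", fingerprint(der))
```

The re-encoded block returned by `extract_certificate` is what goes into the e-mail; the fingerprint is what the requester compares against the certificate they import, since the base-64 text itself can be altered in transit without anything in the mail revealing it.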
  • Page 35: Ca: Finding And Revoking Certificates

    Chapter 4. CA: Finding and Revoking Certificates A Certificate Manager agent can use the agent services page to find a specific certificate issued by the Certificate System or to retrieve a list of certificates that match specified criteria. The certificates which are retrieved can be examined or revoked by the agent.
  • Page 36: Advanced Certificate Search

    Leaving either the lower limit or upper limit field blank displays the certificate with the specified number, plus all certificates before or after it in sequence. To limit the returned list to valid certificates, select the check boxes labeled with filtering methods. It is possible to include revoked certificates, to include expired certificates or certificates that are not yet valid, or to display only valid certificates.
  • Page 37 Figure 4.2. Search Certificates To search by particular criteria, use one or more of the sections of the Search for Certificates form. To use a section, select the check box, then fill in any necessary information. •...
  • Page 38 • Revoked. The certificate has been revoked. • Expired. An expired certificate has passed the end of its validity period. • Revoked and Expired. The certificate has passed its validity period and been revoked. • Subject Name. Lists certificates belonging to a particular owner; it is possible to use wildcards in this field. For more information on wildcard syntax, see step 5.
  • Page 39 • Locality. Narrows the search by locality, such as the city. • State. Narrows the search by state or province. • Country. Narrows the search by country; use the two-letter country code, such as US. After entering the field values for the server to match, specify the type of search to perform: •...
  • Page 40: Examining Certificates

    Figure 4.3. Search Results Form 3. Examining Certificates To examine the details of a certificate, do the following: On the agent services page, click List Certificates or Search for Certificates, specify search criteria, and click Find to display a list of certificates. On the Search Results form, select a certificate to examine.
  • Page 41: Revoking Certificates

    The certificate is shown in base-64 encoded form at the bottom of the Certificate page, under the heading Installing this certificate in a server. 4. Revoking Certificates Only Certificate Manager agents can revoke certificates other than their own. A certificate must be revoked if one of the following situations occurs: •...
  • Page 42: Revoking One Or More Certificates

    Figure 4.5. Revoke One or All Certificates 4.2. Revoking One or More Certificates An entire list of certificates returned by a search can be revoked, or selected certificates from the list can be revoked. CAUTION Whether revoking a single certificate or a list of certificates, be extremely careful that the correct certificate has been selected or that the list contains only certificates which should be revoked.
  • Page 43: Revoking Multiple Certificates

    Confirm the certificate to be revoked in the revocation form. 4.2.2. Revoking Multiple Certificates To revoke all of the certificates returned in a search, do the following: On the Certificate Manager's agent services page, click Revoke Certificates, specify search criteria, and click Find to display a list of certificates.
  • Page 44 Figure 4.6. Confirm Certificate Revocation To confirm the revocation, do the following: Inspect the details of the certificate to verify that it is the one to be revoked. If more than one certificate is being revoked, the form shows details for all the certificates.
  • Page 45: Managing The Certificate Revocation List

    • Certificate superseded • Cessation of operation • Certificate is on hold Enter any additional comment. The comment is included in the revocation request. When the revocation request is submitted, it is automatically approved, and the certificate is revoked. Revocation requests are viewed by listing requests with a status of Completed;...
  • Page 46 5.2. Updating the CRL To update the CRL manually, do the following: Open the Certificate Manager agent services page. Click Update Revocation List to display the form for updating the CRL. Figure 4.7. Update Certificate Revocation List Select the algorithm to use to sign the new CRL. Before choosing an algorithm, make sure that any system or network applications that need to read or view this CRL support the algorithm.
  • Page 47: Ca: Publishing To A Directory

    Chapter 5. CA: Publishing to a Directory A Red Hat Directory Server installation is required for the Certificate System subsystems to be installed; this directory instance maintains user information and certificate and key information. The Certificate System can be configured to publish certificates and CRLs to that directory, or other LDAP directories, for other applications to access.
  • Page 48 2. Manual Directory Updates • To publish the latest CRL, select Update certificate revocation list to the publishing directory. • To update information on valid certificates to the publishing directory, select Update valid certificates to the directory. To update a range of certificates, such as only the most recently issued certificates, specify the range of the serial numbers of those certificates.
  • Page 49: Drm: Recovering Encrypted Data

    Chapter 6. DRM: Recovering Encrypted Data This chapter describes how authorized Data Recovery Manager (DRM) agents process key recovery requests and recover stored encrypted data when the encryption key has been lost. This service is available only when the DRM subsystem is installed.
  • Page 50: Finding And Recovering Keys

    ...examine it in more detail. On the Key Service Request Queue form, find a particular request. If the desired request is not shown, scroll to the bottom of the list, and use the arrows to move to another page of search results. Clicking the ID number next to a request opens the Request Details form, which gives the complete information for the request.
  • Page 51 Figure 6.1. Search for Keys Page To search by particular criteria, use the different sections of the Search for Keys or Recover Keys form. To use a section, select the check box for that section, then fill in any necessary information. •...
  • Page 52 ...for maximum results. To limit the time allowed for the search, enter a value for time limit in seconds. After entering the search criteria, click Show Key. The DRM displays a list of the keys that match the search criteria. Select a key from the list to examine its details. If the search was initiated with the Recover Keys button, there is the additional option of recovering any key returned by the search.
  • Page 53: Recovering Keys

    Figure 6.3. Key Details Page 2.2. Recovering Keys If the search was initiated through the Recover Keys button, the Search Results page also allows the agent to initiate the recovery of any key found. To initiate key recovery, do the following: On the DRM agent services page, click Recover Keys, specify search criteria, and click Show Key to display a list of archived keys.
  • Page 54 Figure 6.4. Key Detail Page for Recovering Keys The number of key recovery agent authorizations required to recover a key is configured by the DRM administrator by setting the following parameters in the CS.cfg file:
    kra.noOfRequiredRecoveryAgents=1
    kra.recoveryAgentGroup=Data Recovery Manager Agents
    Set the PKCS #12 token password that the requester uses to import the recovered certificate/key pair package.
  • Page 55 Do not close the browser after initiating the key recovery. The agent must wait for all other agents to authorize the key recovery request before the system returns the hyperlink to download the PKCS #12 file containing the private key.
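
With kra.noOfRequiredRecoveryAgents left at the shipped value of 1, any single member of the recovery agent group can retrieve any archived private key on their own; the "wait for all other agents to authorize" step only exists once the threshold is raised. The following is an added example, not code from the guide or from Certificate System: it parses the two CS.cfg lines quoted above and models the m-of-n authorization, counting only distinct agents from the named group and flagging a configuration that either needs one agent or can never be satisfied. The RecoveryRequest class, the check_config warnings, the two-agent variant, and the agent UIDs are assumptions of this example.

```python
"""Model the DRM's m-of-n agent authorization for key recovery.

Added example for this guide; it is not Certificate System code. The two
CS.cfg lines quoted in the guide are parsed as plain key=value text; the
RecoveryRequest class, check_config() and the agent UIDs are assumptions
of this example.
"""

# The two parameters quoted from CS.cfg in the guide, as shipped.
CS_CFG_AS_SHIPPED = """
kra.noOfRequiredRecoveryAgents=1
kra.recoveryAgentGroup=Data Recovery Manager Agents
"""

# The same parameters with a two-agent threshold (a constructed variant).
CS_CFG_TWO_AGENTS = """
kra.noOfRequiredRecoveryAgents=2
kra.recoveryAgentGroup=Data Recovery Manager Agents
"""

# Constructed membership of the recovery agent group.
GROUP_MEMBERS = ("agent1", "agent2", "agent3")


def parse_cs_cfg(text):
    """Parse key=value lines (CS.cfg style) into a dict, ignoring comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def check_config(cfg, members):
    """Return warnings about a recovery-agent configuration (empty if sound)."""
    required = int(cfg["kra.noOfRequiredRecoveryAgents"])
    warnings = []
    if required < 2:
        warnings.append("a single agent can recover any archived key; "
                        "set kra.noOfRequiredRecoveryAgents to 2 or more")
    if required > len(members):
        warnings.append(f"{required} authorizations required but group "
                        f"{cfg['kra.recoveryAgentGroup']!r} has {len(members)} "
                        "members; no recovery can ever complete")
    return warnings


class RecoveryRequest:
    """One key recovery request collecting authorizations from distinct agents."""

    def __init__(self, cfg, members):
        self.required = int(cfg["kra.noOfRequiredRecoveryAgents"])
        self.group = cfg["kra.recoveryAgentGroup"]
        self.members = frozenset(members)
        self.approvals = set()        # UIDs of agents who have authorized

    def authorize(self, agent_uid):
        """Record one agent's authorization; return True once the threshold is met."""
        if agent_uid not in self.members:
            raise PermissionError(f"{agent_uid!r} is not in group {self.group!r}")
        self.approvals.add(agent_uid)  # a set: one agent approving twice counts once
        return self.ready()

    def ready(self):
        """True when enough distinct agents have authorized the recovery."""
        return len(self.approvals) >= self.required


if __name__ == "__main__":
    for label, text in (("shipped", CS_CFG_AS_SHIPPED), ("two agents", CS_CFG_TWO_AGENTS)):
        cfg = parse_cs_cfg(text)
        print(label, "warnings:", check_config(cfg, GROUP_MEMBERS) or "none")
        request = RecoveryRequest(cfg, GROUP_MEMBERS)
        print(label, "after agent1:", request.authorize("agent1"))
        print(label, "after agent1 again:", request.authorize("agent1"))
        print(label, "after agent2:", request.authorize("agent2"))
```

The point of the distinct-agent set is the one the guide's procedure relies on: the initiating agent's own click must not count twice, and the PKCS #12 download link must not appear until the other agents have acted.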
  • Page 56: Ocsp: Agent Services

    Chapter 7. OCSP: Agent Services This chapter describes how to perform Online Certificate Status Manager (OCSP) agent tasks, such as identifying a CA to the OCSP and adding a CRL to the OCSP's internal database. This service is available only when the OCSP subsystem is installed.
  • Page 57 To store the Certificate Manager's CA signing certificate in the internal database of the OCSP, do the following: Open the Certificate Manager's end-entities page. https://server.example.com:9443/ca/agent/ca Select the Retrieval tab, and, in the left frame, click List Certificates. When the page opens, click Find.
  • Page 58: Adding A Crl To The Ocsp

    Figure 7.2. Add Certificate Authority Page 11. Click Add. The certificate is added to the internal database of the OCSP. NOTE If the CA contains multiple CRL distribution points, always publish the master CRL (the CRL that contains all revoked certificates from that CA) to the OCSP responder.
  • Page 59: Checking The Revocation Status Of A Certificate

    In the results page, select the desired CRL issuing point, select the option to display the CRL as base-64, and click Display. In the CRL details page, scroll to the Certificate revocation list base64 encoded section, which shows the CRL in base-64 format.
  • Page 60 Click Check. The next page shows the status of the certificate that was submitted.
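
A CRL-backed responder can only report "revoked" for serials that appear in a CRL it has loaded; anything else comes back "good". That is why the note in the previous section insists on the master CRL: load the CRL of one distribution point and every certificate revoked through another is reported good. The following is an added example, not code from the guide or from the OCSP subsystem: it models the three steps of this chapter (identify the CA, add its CRL, check a certificate) and shows the partial-CRL failure. The issuer name, serial numbers and CRL entries are constructed; the reason strings are those of the CA's revocation form, mapped to the RFC 5280 CRLReason codes.

```python
"""Answer certificate status queries from CRLs loaded into a responder, and
show why the guide insists on publishing the master CRL.

Added example for this guide; it is not the OCSP subsystem's code. The
issuer name, serial numbers and CRL entries are constructed; the reason
strings are those of the revocation form, mapped to RFC 5280 CRLReason codes.
"""
from dataclasses import dataclass

# RFC 5280 CRLReason codes for the reasons the revocation form offers.
CRL_REASON = {
    "Unspecified": 0,
    "Key compromise": 1,
    "CA key compromise": 2,
    "Affiliation changed": 3,
    "Certificate superseded": 4,
    "Cessation of operation": 5,
    "Certificate is on hold": 6,
    "Remove from CRL": 8,          # delta CRLs only: releases a held certificate
    "Privilege withdrawn": 9,
    "AA compromise": 10,
}


@dataclass(frozen=True)
class CrlEntry:
    serial: int
    reason: str


class Responder:
    """A CRL-backed status responder: one revocation table per identified CA."""

    def __init__(self):
        self.tables = {}               # issuer name -> {serial: reason}

    def add_ca(self, issuer):
        """Identify a CA to the responder (the chapter's step 2)."""
        self.tables.setdefault(issuer, {})

    def add_crl(self, issuer, entries):
        """Load CRL entries for an identified CA (the chapter's step 3)."""
        if issuer not in self.tables:
            raise KeyError(f"identify {issuer!r} to the responder before adding its CRL")
        table = self.tables[issuer]
        for entry in entries:
            if entry.reason not in CRL_REASON:
                raise ValueError(f"unknown revocation reason {entry.reason!r}")
            if entry.reason == "Remove from CRL":
                table.pop(entry.serial, None)   # hold released by a delta CRL
            else:
                table[entry.serial] = entry.reason

    def check(self, issuer, serial):
        """Return ('unknown', None), ('revoked', reason_code) or ('good', None).

        'good' only means the serial is absent from the CRLs loaded, so a
        partial CRL silently turns 'revoked' into 'good'.
        """
        if issuer not in self.tables:
            return "unknown", None
        reason = self.tables[issuer].get(serial)
        if reason is None:
            return "good", None
        return "revoked", CRL_REASON[reason]


ISSUER = "CN=Certificate Authority,O=Example Domain"   # constructed

# Constructed master CRL: every revoked certificate from the CA.
MASTER_CRL = [
    CrlEntry(0x10, "Certificate superseded"),
    CrlEntry(0x2A, "Key compromise"),
    CrlEntry(0x3B, "Certificate is on hold"),
]
# Constructed CRL from a single distribution point: a subset of the master.
PARTIAL_CRL = [CrlEntry(0x10, "Certificate superseded")]


def status_with(crl):
    """Build a responder with one CRL loaded and return the status of serial 0x2A."""
    responder = Responder()
    responder.add_ca(ISSUER)
    responder.add_crl(ISSUER, crl)
    return responder.check(ISSUER, 0x2A)


if __name__ == "__main__":
    print("partial CRL loaded:", status_with(PARTIAL_CRL))   # ('good', None)
    print("master CRL loaded:", status_with(MASTER_CRL))     # ('revoked', 1)
```

Serial 0x2A was revoked for key compromise, the worst case, and the responder fed only the partial CRL answers "good" for it with no indication that its data is incomplete; the same check with the master CRL returns the revocation and its reason code.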
  • Page 61: Tps: Agent Services

    Chapter 8. TPS: Agent Services This chapter describes how to perform Token Processing System (TPS) agent tasks, such as listing smart card tokens and resetting card PINs. Agents can manage the smart cards and the certificates stored on the cards. The TPS agent services page allows authorized agents to accomplish these tasks.
  • Page 62: Managing Tokens

    Figure 8.1. Adding Tokens Normally, it is not necessary for agents to create a token entry because the entry is created automatically when the token connects to TPS, such as connecting through the Enterprise Security Client. However, an agent may want to pre-populate the tokens with keys or other custom information;...
  • Page 63: Changing Token Status

    Figure 8.3. Token Search Results Selecting a token shows the token's detail page. Figure 8.4. Token Details Four operations can be performed on the token through this page: • Changing the token status. • Editing the token policy. NOTE Agents can only modify the policy in effect for the token and add a new token.
  • Page 64 The status is changed through the token details page, which is shown by listing or searching for tokens and then selecting a token from the returned list. Figure 8.5. Changing Status There are six possible token statuses: •...
  • Page 65: Editing The Token

    To change the status, select the menu item, and click Go. 3.2. Editing the Token Clicking the Edit button opens up a page listing the token owner UID, the token CUID, the token status, and the token policy.
  • Page 66: Conflicting Token Certificate Status Information

    Figure 8.7. Listing Token Certificates 3.4. Conflicting Token Certificate Status Information The TPS stores the complete history of certificates' status, so that all changes in status can be reviewed. However, the status shown on the token is the last status of the certificate at the time the token was formatted. The status of the certificates on the token may not immediately reflect the real status of the certificates.
  • Page 67: Listing And Searching Certificates

    Clicking the Show Activities button in the token details page returns a list of all operations which have been performed on the token. Figure 8.8. Showing Token Activities 4. Listing and Searching Certificates There are two links for finding and viewing certificates stored in tokens in the Agent Operations tab: List Certificates and Search Certificates.
  • Page 68: Searching Token Activities

    Figure 8.10. Certificate Search Results 5. Searching Token Activities The token activities, such as enrollment, which are performed through the TPS subsystem can be searched and listed for assistance with token management. There are two links for finding and viewing token activities in the Agent Operations tab: List Activities and Search Activities.
  • Page 69: Administrator Operations

    Figure 8.12. Listing Activities 6. Administrator Operations TPS administrators can perform all of the agent tasks through the Agent Operations tab of the TPS agent services page. Additionally, they can perform two tasks through the Administrator Operations tab: listing and searching tokens (with different editing options) and deleting tokens.
  • Page 70: Showing Token Activities

    Figure 8.13. Token Details Page The activities available through the administrator token details page are different than the ones available through the agent token details page: • Showing the activities performed on the token. • Editing the token. •...
  • Page 71: Deleting The Token

    NOTE If the PIN_RESET policy is not set, then user-initiated PIN resets are allowed by default. If the policy is present and is changed from NO to YES, then a PIN reset can be initiated by the user once; after the PIN is reset, the policy value automatically changes back to NO.
