Red Hat CERTIFICATE SYSTEM 7.3 - AGENT GUIDE Manual


Red Hat Certificate System
7.3
Agents Guide
Publication date: May 2007, updated August 4, 2009



Summary of Contents for Red Hat CERTIFICATE SYSTEM 7.3 - AGENT GUIDE

  • Page 1 Red Hat Certificate System Agents Guide Publication date: May 2007, updated August 4, 2009...
  • Page 2 Agents Guide Red Hat Certificate System 7.3 Agents Guide Copyright © 2009 Red Hat, Inc. This material may only be distributed subject to the terms and conditions set forth in the Open Publication License, V1.0 or later (the latest version of the OPL is presently available at http://www.opencontent.org/openpub/).
  • Page 5: Table Of Contents

    1. About This Guide 1 1.1. Required Concepts ....................1 1.2. What Is in This Guide .................... 1 1.3. Examples and Formatting ..................2 1.3.1. File Locations for Examples and Commands ............2 1.3.2. Using Mozilla LDAP Tools ................... 2 1.3.3.
  • Page 6 Agents Guide 5.5.2. Updating the CRL ..................... 58 6. CA: Publishing to a Directory 61 6.1. Automatic Directory Updates ................61 6.2. Manual Directory Updates ..................61 7. DRM: Recovering Encrypted Data 65 7.1. List Requests ...................... 65 7.2. Finding and Recovering Keys ................66 7.2.1.
  • Page 7: About This Guide

    Chapter 1. About This Guide This guide describes the agent services interfaces used by Red Hat Certificate System agents to administer subsystem certificates and keys and other management operations. This guide is intended for Certificate System agents. Agents are privileged users designated by the Certificate System administrator to manage requests from end entities for certificate-related services.
  • Page 8: Examples And Formatting

    Chapter 1. About This Guide quests and explains how to handle different aspects of certificate request management. A CM agent is responsible for handling requests by end entities (end users, server administrators, or other Certificate System subsystems) for certificates using manual enrollment. •...
  • Page 9: Default Port Numbers

    Default Port Numbers There is another important consideration with the LDAP utilities. The LDAP tools referenced in this guide are Mozilla LDAP, installed with Red Hat Certificate System in the /usr/dir/mozldap directory on Red Hat Enterprise Linux. However, Red Hat Enterprise Linux systems also include LDAP tools from OpenLDAP in the /usr/bin directory.
  • Page 10: Additional Reading

    Chapter 1. About This Guide Other formatting styles draw attention to important text. NOTE A note provides additional information that can help illustrate the behavior of the system or provide more detail for a specific issue. IMPORTANT Important information is necessary, but possibly unexpected, such as a configuration change that will not persist after a reboot.
  • Page 11: Giving Feedback

    If there is any error in this Agent's Guide or there is any way to improve the documentation, please let us know. Bugs can be filed against the documentation for Red Hat Certificate System through Bugzilla, http://bugzilla.redhat.com/bugzilla. Make the bug report as specific as possible, so we can be more effective in correcting any issues: •...
  • Page 12 Chapter 1. About This Guide Correcting labels in the request flow diagram, per Bugzilla #510552. Revision 7.3.5 June 13, 2009 Ella Deon Lackey, dlackey@redhat.com Removing references to the CS SDK and Java SDK, per Bugzilla #491405. Revision 7.3.4 January 29, 2009 Ella Deon Lackey, dlackey@redhat.com...
  • Page 13: Agent Services

    Chapter 2. Agent Services This chapter describes the role of the privileged users, agents, in managing Certificate System subsystems. It also introduces the tools that agents use to administer service requests. 2.1. Overview of Certificate System The Red Hat Certificate System is a highly configurable set of software components and tools for creating, deploying, and managing certificates.
  • Page 14 Chapter 2. Agent Services scenarios are possible. Data Recovery Manager A Data Recovery Manager (DRM) oversees the long-term archival and recovery of private encryption keys for end entities. A CM or TPS can be configured to archive end entities' private encryption keys with a DRM as part of the process of issuing new certificates.
  • Page 15: Certificate System Users

    Certificate System Users 2.1.2. Certificate System Users Three kinds of users can access Certificate System subsystems: administrators, agents, and end entities. Administrators are responsible for the initial setup and ongoing maintenance of the subsystems. Administrators can also assign agent status to users. Agents manage day-to-day interactions with end entities, which can be users or servers and clients, and other aspects of the PKI.
  • Page 16: Agent Tasks

    Chapter 2. Agent Services Figure 2.1. The Certificate System and Users 2.2. Agent Tasks The designated agents for each subsystem are responsible for the everyday management of end entity requests and other aspects of the PKI: Certificate Manager Agent Certificate Manager (CM) agents manage certificate requests received by the CM subsystem,...
  • Page 17 Agent Tasks maintain and revoke certificates as necessary, and maintain global information about certificates. Data Recovery Manager Agent Data Recovery Manager (DRM) agents initiate the recovery of lost keys and can obtain information about key service requests and archived keys. Note Recovering lost or archived key information is done automatically in smart card deployments because the TPS server is a DRM agent.
  • Page 18: Certificate Manager Agent Services

    Chapter 2. Agent Services • Section 2.2.1, “Certificate Manager Agent Services” • Section 2.2.2, “Data Recovery Manager Agent Services” • Section 2.2.3, “Online Certificate Status Manager Agent Services” • Section 2.2.4, “Token Processing System Agent Services” 2.2.1. Certificate Manager Agent Services The default entry page for (CM) agent services is shown in Figure 2.2, “Certificate Manager Agent Services...
  • Page 19: Data Recovery Manager Agent Services

    Data Recovery Manager Agent Services Certificates can be searched for individually or searched and listed by different criteria. The details for all returned certificates are then displayed. See Chapter 5, CA: Finding and Revoking Certificates. • Revokes certificates. If a user's key is compromised, the certificate must be revoked to ensure that the key is not misused.
  • Page 20: Online Certificate Status Manager Agent Services

    Chapter 2. Agent Services Figure 2.3. Data Recovery Manager Agent Services Page A DRM agent performs the following tasks: • Lists key recovery requests from end entities. • Lists or searches for archived keys. • Recovers private data-encryption keys. • Authorizes and approves key recovery requests. Key recovery requires the authorization of one or more recovery agents.
  • Page 21: Token Processing System Agent Services

    Token Processing System Agent Services Figure 2.4. Online Certificate Status Manager Agent Services Page An OCSM agent performs the following tasks: • Checks that CAs are currently configured to publish their CRLs to the OCSM. • Identifies a CM to the OCSM. •...
  • Page 22 Chapter 2. Agent Services Figure 2.5. TPS Agent Services Page A TPS agent performs the following tasks: • Lists and searches enrolled tokens by user ID or token CUID. • Lists and searches certificates associated with enrolled tokens. • Searches token operations by CUID. •...
  • Page 23: Forms For Performing Agent Operations

    Forms for Performing Agent Operations Figure 2.6. TPS Administrator Operations Tab A TPS administrator performs the following tasks: • Lists and searches enrolled tokens by user ID or token CUID. • Edits token information, including the token owner's user ID. •...
  • Page 24 Chapter 2. Agent Services Form name (Operation) Subsystem Description List all Requests Examine, select, and process requests for certificate services. For instructions on using this form, see Section 4.2, “Listing Certificate Requests”. List all Certificates List certificates within a range of serial numbers;...
  • Page 25 Forms for Performing Agent Operations Form name (Operation) Subsystem Description issuing point and display type. Click the CRL number to display the time taken to generate this CRL; this is known as the CRL split time. List all Requests Find and examine requests for key services.
  • Page 26: Accessing Agent Services

    Chapter 2. Agent Services Form name (Operation) Subsystem Description can make changes to the profile by editing the profile configuration files or through the Console. OCSP Service Manage the operation of the CA's internal OCSP service. List all Tokens List all the enrolled tokens, which shows all of the tokens enrolled by the TPS and basic...
  • Page 27 Accessing Agent Services on the SSL agent port. The agent services URLs use the following format: https://hostname:port/subsystem_type/agent/subsystem_type The port is either the default port or a user-defined port set with the -agent_secure_port when the instance was created with pkicreate. The default port numbers for the subsystem are as follows: •...
  • Page 28 Chapter 2. Agent Services Figure 2.7. Certificate Manager Services Page NOTE The services pages are written in HTML and are intended to be customized. This document describes the default pages. If an administrator has customized the agent services pages, those pages may differ from those described here. Check with the Certificate System administrator for information on the local installation.
  • Page 29: Ca: Working With Certificate Profiles

    Chapter 3. CA: Working with Certificate Profiles A Certificate Manager (CM) agent is responsible for approving certificate profiles that have been configured by a Certificate System administrator. CM agents also manage and approve certificate requests that come from profile-based enrollments. 3.1.
  • Page 30: List Of Certificate Profiles

    Chapter 3. CA: Working with Certificate Profiles Reject the request. No certificate is issued. The end entity is notified that the request was rejected for the reasons specified by the agent. The end entity can also view the request status using the CA's end entities page.
  • Page 31 List of Certificate Profiles (table columns: Profile ID; Profile Name; Description)
    (continuation of the previous row, truncated: ...Enrollment ... ficates.)
    caRARouterCert; RA Agent-Authenticated Router Certificate Enrollment; Used to enrol router certificates.
    caRouterCert; One Time Pin Router Certificate Enrollment; Used to enrol router certificates.
    caServerCert; Manual Server Certificate Enrollment; Used to enrol server certificates.
  • Page 32: Example Profile

    Chapter 3. CA: Working with Certificate Profiles (table columns: Profile ID; Profile Name; Description)
    caTempTokenDeviceKeyEnrollment; Temporary Device Certificate Enrollment; Used to enrol token device keys
    caTempTokenUserEncryptionKeyEnrollment; Temporary Token User Encryption Certificate Enrollment; Used to enrol Token Encryption
    caTempTokenUserSigningKeyEnrollment; Temporary Token User Signing Certificate Enrollment; Used to enrol Token Signing...
  • Page 33 Example Profile • Key generation Specifies that the key pair generation during the request submission be CRMF-based and 1024-bit. This is a read-only field. • Subject name The subject name input is used when distinguished name (DN) parameters need to be collected from the user;...
  • Page 34 Chapter 3. CA: Working with Certificate Profiles (table columns: Profile Policy Set; Defaults; Constraints)
    userCertSet.4 (Authority Key Identifier); No defaults; No constraints
    userCertSet.5 (AIA extension); authinfoaccesscritical = false, authinfoaccessADMethod_0=, authinfoaccessADLocationType_0=URIName, authinfoaccessADEnable_0=true, authinfoaccessADLocation_0=; No constraints
    userCertSet.6 (Key Usage); Populates a Key Usage extension (2.5.29.15) to the re...; Accepts the Key Usage extension, if present, only when the...
  • Page 35: How Certificate Profiles Work

    How Certificate Profiles Work The key length should be between 512 and 4096. Table 3.2. caUserCert Profile Policy Sets • Profile outputs. The Certificate Output output displays the certificate in pretty print format and cannot be configured or changed. This output needs to be specified for any automated enrollment. Once a user successfully authenticates using the automated enrollment method, the certificate is automatically generated, and this output page is returned to the user.
  • Page 36: Enabling And Disabling Certificate Profiles

    Chapter 3. CA: Working with Certificate Profiles second set is evaluated with the second certificate request. There is no need for more than one policy set when issuing single certificates or more than two sets when issuing dual key pairs. 3.5.
  • Page 37: Approving A Certificate Profile

    Disapproving a Certificate Profile 3.5.4. Approving a Certificate Profile To approve a certificate profile, do the following: 1. Go to the Manage Certificate Profiles page, and click on a certificate profile name. 2. Open the Approve Certificate Profile page for that certificate profile. 3.
  • Page 39: Ca: Handling Certificate Requests

    Chapter 4. CA: Handling Certificate Requests A Certificate Manager (CM) agent is responsible for handling both manual enrollment requests made by end entities (end users, server administrators, and other Certificate System subsystems) and automated enrollment requests that have been deferred. This chapter describes the general procedure for handling requests and explains how to handle different aspects of certificate request management.
  • Page 40: Listing Certificate Requests

    Chapter 4. CA: Handling Certificate Requests • Unassign the request. A request can be removed from an agent's queue if necessary, such as when requests are assigned to an agent who has since left the company. Approving, canceling, and rejecting certificate requests all alter the request status. Assigning, unassigning, updating, and validating certificate requests do not alter the request status.
  • Page 41 Listing Certificate Requests • Certificate revocation requests A CM agent must review and approve manual enrollment requests. Certificate requests that require review have a status of pending. To see a list of requests, do the following: 1. Go to the CM agent services page. https://server.example.com:9443/ca/agent/ca NOTE An agent must have the proper client certificate to access this page.
  • Page 42 Chapter 4. CA: Handling Certificate Requests • Show renewal requests • Show revocation requests • Show all requests 4. View requests by request status by selecting one of the options in the Request status menu. • Show pending requests. These are enrollment requests that have not yet been processed but are waiting for manual review.
  • Page 43: Selecting A Request

    Selecting a Request Figure 4.3. Request Queue 4.2.1. Selecting a Request To select a request from the queue, do the following: 1. On the agent services page, click List Requests, specify search criteria, and click Find to display a list of certificate signing requests. 2.
  • Page 44: Searching Requests

    Chapter 4. CA: Handling Certificate Requests Figure 4.4. Request Details NOTE If the system changes the state of the displayed request, using the browser's Back or Forward buttons or history to navigate can cause the data display to become out of date.
  • Page 45: Approving Requests

    Approving Requests • Canceled • Rejected • Any • Searching by Request Type. To search by the request type, select the Show requests that are of type option, and select the type of certificate request: • Enrollment • Renewal • Revocation •...
  • Page 46 Chapter 4. CA: Handling Certificate Requests 1. Open the agent services page. https://server.example.com:9443/ca/agent/ca 2. Click Find at the bottom of the List requests page to list pending certificate requests. 3. Select the certificate request from the list. 4. The certificate request details page contains several tables with information about the request: •...
  • Page 47: Sending An Issued Certificate To The Requester

    Sending an Issued Certificate to the Requester • Cancel Request. Cancels the request without issuing a certificate or a rejection. NOTE For more information on how to adjust parameters associated with certificate profiles, such as defaults and constraints, refer to Chapter 3, CA: Working with Certificate Profiles.
  • Page 48 Chapter 4. CA: Handling Certificate Requests Figure 4.5. A Newly Issued Certificate Page To copy and mail a new server certificate to the requester, do the following: 1. Create a new email addressed to the requester. 2. From the agent services window where the new certificate is displayed, copy only the base-64 encoded certificate, including the marker lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
  • Page 49 Sending an Issued Certificate to the Requester 1. Open the agent services page, click List Requests in the left frame, enter the serial number for the approved request, and click Find. 2. In the Request Queue form, click Details beside the relevant request. Right-click the certificate serial number, and choose Open Frame in New Window from the pop-up menu.
  • Page 51: Ca: Finding And Revoking Certificates

    Chapter 5. CA: Finding and Revoking Certificates A Certificate Manager (CM) agent can use the agent services page to find a specific certificate issued by the Certificate System or to retrieve a list of certificates that match specified criteria. The certificates which are retrieved can be examined or revoked by the agent.
  • Page 52: Advanced Certificate Search

    Chapter 5. CA: Finding and Revoking Certificates • To find all certificates within a range of serial numbers, enter the upper and lower limits of the serial number range in decimal or hexadecimal form. Leaving either the lower limit or upper limit field blank displays the certificate with the specified number, plus all certificates before or after it in sequence.
  • Page 53 Advanced Certificate Search Figure 5.2. Search Certificates 3. To search by particular criteria, use one or more of the sections of the Search for Certificates form. To use a section, select the check box, then fill in any necessary information. •...
  • Page 54 Chapter 5. CA: Finding and Revoking Certificates • Status. Selects certificates by their status. A certificate has one of the following status codes: • Valid. A valid certificate has been issued, its validity period has begun but not ended, and it has not been revoked.
  • Page 55 Advanced Certificate Search and year from the drop-down lists to identify the beginning and end of the period. • To list certificates that have a validity period of a certain length in time, select Not greater than or Not less than from the drop-down list, enter a number, and select a time unit from the drop- down list: days, weeks, months, or years.
  • Page 56 Chapter 5. CA: Finding and Revoking Certificates • Partial searches for certificate subject names match the specified components, but the returned certificates may also contain values in components that were left blank. Wildcard patterns can be used in this type of search by using a question mark (?) to match an arbitrary single character and an asterisk (*) to match an arbitrary string of characters.
  • Page 57: Examining Certificates

    Examining Certificates Figure 5.3. Search Results Form 5.3. Examining Certificates To examine the details of a certificate, do the following: 1. On the agent services page, click List Certificates or Search for Certificates, specify search criteria, and click Find to display a list of certificates. 2.
  • Page 58: Revoking Certificates

    Chapter 5. CA: Finding and Revoking Certificates stalling the certificate in a server or in a web browser. Figure 5.4. Certificate Details 5. The certificate is shown in base-64 encoded form at the bottom of the Certificate page, under the heading Installing this certificate in a server.
  • Page 59: Searching For Certificates To Revoke

    Searching for Certificates to Revoke These two reasons are not the only ones why a certificate would need to be revoked; other reasons are mentioned in Section 5.4.2, “Revoking One or More Certificates”. To revoke one or more certificates, search for the certificates to revoke using the Revoke Certificates button.
  • Page 60: Revoking One Or More Certificates

    Chapter 5. CA: Finding and Revoking Certificates Figure 5.5. Revoke One or All Certificates 5.4.2. Revoking One or More Certificates An entire list of certificates returned by a search can be revoked, or selected certificates from the list can be revoked. CAUTION Whether revoking a single certificate or a list of certificates, be extremely careful that the correct certificate has been selected or that the list contains only certificates which...
  • Page 61 Revoking One or More Certificates 1. On the CM's agent services page, click Revoke Certificates, specify search criteria, and click Find to display a list of certificates. 2. On the Search Results form, select the certificate to revoke. If a desired certificate is not shown, scroll to the bottom of the list, specify an additional number of certificates to be returned, and click Find.
  • Page 62 Chapter 5. CA: Finding and Revoking Certificates Figure 5.6. Confirm Certificate Revocation To confirm the revocation, do the following: 1. Inspect the details of the certificate to verify that it is the one to be revoked. If more than one certificate is being revoked, the form shows details for all the certificates.
  • Page 63: Managing The Certificate Revocation List

    Managing the Certificate Revocation List • Key compromised • CA key compromised • Affiliation changed • Certificate superseded • Cessation of operation • Certificate is on hold 4. Enter any additional comment. The comment is included in the revocation request. When the revocation request is submitted, it is automatically approved, and the certificate is revoked.
  • Page 64: Updating The Crl

    Chapter 5. CA: Finding and Revoking Certificates 3. Select the CRL to view. If the administrator has created multiple issuing points, these are listed in the Issuing point drop-down list. Otherwise, only the master CRL is shown. 4. Choose how to display the CRL by selecting one of the options from the Display Type menu. The choices on this menu are as follows: •...
  • Page 65 Updating the CRL Figure 5.7. Update Certificate Revocation List 3. Select the algorithm to use to sign the new CRL. Before choosing an algorithm, make sure that any system or network applications that need to read or view this CRL support the algorithm. •...
  • Page 66 Chapter 5. CA: Finding and Revoking Certificates The CRL appears in the browser window, allowing the agent to check whether a particular certificate appears in the list. Use the browser's Back button to return to the Update page. 5. To update the CRL with the latest certificate revocation information, click Update.
  • Page 67: Ca: Publishing To A Directory

    Chapter 6. CA: Publishing to a Directory A Red Hat Directory Server installation is required for the Certificate System subsystems to be installed; this directory instance maintains user information and certificate and key information. The Certificate System can be configured to publish certificates and CRLs to that directory, or other LDAP directories, for other applications to access.
  • Page 68 Chapter 6. CA: Publishing to a Directory NOTE Any client using a certificate is responsible for determining its validity by checking the expiration date against the client's current date information. To update the LDAP publishing directory with changes manually, do the following: 1.
  • Page 69 Manual Directory Updates 5. After specifying the changes to be updated, click Update Directory.
  • Page 71: Drm: Recovering Encrypted Data

    Chapter 7. DRM: Recovering Encrypted Data This chapter describes how authorized Data Recovery Manager (DRM) agents process key recovery requests and recover stored encrypted data when the encryption key has been lost. This service is available only when the DRM subsystem is installed. 7.1.
  • Page 72: Finding And Recovering Keys

    Chapter 7. DRM: Recovering Encrypted Data • Show rejected requests. Rejected requests do not comply with the archival or recovery policies. Unless the system is specially configured to allow requests to be rejected, there are no rejected requests. • Show completed requests. Completed requests include archival requests for which proof of archival has been sent and completed recovery requests.
  • Page 73: Finding Archived Keys

    Finding Archived Keys searched to view the details or to initiate a key recovery. Once a key recovery is initiated, a minimum number of designated DRM agents are required to authorize the recovery. Version 7.1 of Red Hat Certificate System introduced a new m-of-n, ACL-based recovery scheme to replace the old m-of-n, secret-splitting-based recovery scheme.
  • Page 74 Chapter 7. DRM: Recovering Encrypted Data Figure 7.1. Search for Keys Page 3. To search by particular criteria, use the different sections of the Search for Keys or Recover Keys form. To use a section, select the check box for that section, then fill in any necessary information. •...
  • Page 75 Finding Archived Keys • Certificate. Finds the archived key that corresponds to a specific public key. Select the check box and paste the certificate containing the base-64 encoded public key into the text area. Note The encryption certificate associated with the key pair must be found first. Use the CM agent services page to find the certificate;...
  • Page 76: Recovering Keys

    Chapter 7. DRM: Recovering Encrypted Data Figure 7.2. Search Results Page 5. In the Search Results form, select a key. If a desired key is not shown, scroll to the bottom of the list and use the arrows to move to another page of search results.
  • Page 77 Recovering Keys To initiate key recovery, do the following: 1. On the DRM agent services page, click Recover Keys, specify search criteria, and click Show Key to display a list of archived keys. 2. In the Search Results form, select a key. If a desired key is not shown, scroll to the bottom of the list and select Next or Previous for another page of search results.
  • Page 78 Chapter 7. DRM: Recovering Encrypted Data kra.noOfRequiredRecoveryAgents=1 kra.recoveryAgentGroup=Data Recovery Manager Agents 4. Set the PKCS #12 token password that the requester uses to import the recovered certificate/key pair package. 5. Optionally, set a certificate nickname for the archived key. 6. Paste the base-64 encoded certificate corresponding to the archived key into the text area. The certificate can be searched and viewed through the CM agent services pages.
  • Page 79 Recovering Keys is given a link to download (import) the PKCS #12 file. When selecting the PKCS #12 file, a dialog box appears. Specify the path and filename to save the encrypted file containing the recovered certificate and key pair. Send the encrypted file to the requester. Give the recovery password to the requester in a secure manner.
  • Page 81: Ocsp: Agent Services

    Chapter 8. OCSP: Agent Services This chapter describes how to perform Online Certificate Status Manager (OCSP) agent tasks, such as identifying a CA to the OCSP and adding a CRL to the OCSP's internal database. This service is available only when the OCSP subsystem is installed. The OCSP agent services page allows authorized agents to accomplish these tasks.
  • Page 82: Identifying A Ca To The Ocsp

    Chapter 8. OCSP: Agent Services Figure 8.1. OCSP List Certificate Authorities Page 8.2. Identifying a CA to the OCSP The OCSP can be configured to receive CRLs from multiple CMs. Before configuring a CM to publish CRLs to the OCSP, first identify the CM to the OCSP by storing the CM's CA signing certificate in the internal database of the OCSP.
  • Page 83 Identifying a CA to the OCSP 8. Open the OCSP agent services page. https://server.example.com:11443/ocsp/agent/ocsp 9. In the left frame, click Add Certificate Authority. In the resulting form, paste the encoded CA signing certificate inside the Base 64 encoded certificate (including header and footer) text area. Figure 8.2.
  • Page 84: Adding A Crl To The Ocsp

    Chapter 8. OCSP: Agent Services 2. To verify that the certificate is added successfully, click List Certificate Authorities in the left frame. The next page shows information about the CM that was added. NOTE If the deployment contains chained CAs, such as a root CA and then several subordinate CAs, add each CA certificate separately to the OCSP responder.
  • Page 85: Checking The Revocation Status Of A Certificate

    Checking the Revocation Status of a Certificate 6. Open the OCSP's agent services page. https://server.example.com:11443/ocsp/agent/ocsp 7. In the left frame, click Add Certificate Revocation List. 8. In the resulting form, paste the encoded CRL inside the Base 64 encoded certificate revocation list (including the header and footer) text area.
  • Page 86 Chapter 8. OCSP: Agent Services 5. Click Check. The next page shows the status of the certificate that was submitted.
  • Page 87: Tps: Agent Services

    Chapter 9. TPS: Agent Services This chapter describes how to perform Token Processing System (TPS) agent tasks, such as listing smart card tokens and resetting card PINs. Agents can manage the smart cards and the certificates stored on the cards. The TPS agent services page allows authorized agents to accomplish these tasks.
  • Page 88: Adding Tokens

    Chapter 9. TPS: Agent Services • Listing activities associated with the tokens by the token CUID. • Searching activities by the token CUID. • Changing token status. Administrators can perform all of the agent operations, as well as the following: •...
  • Page 89 Managing Tokens Figure 9.1. Token Search Results Click the link associated with the token to display its details.
  • Page 90 Chapter 9. TPS: Agent Services Figure 9.2. Token Details Four operations can be performed on the token through this page: • Changing the token status. • Editing the token policy.
  • Page 91: Changing Token Status

    Changing Token Status NOTE Agents can only modify the policy in effect for the token and add a new token. Administrators can also change the user ID of the owner and delete tokens. • Listing the certificates stored on the token. •...
  • Page 92: Editing The Token

    Chapter 9. TPS: Agent Services There are six possible token statuses: • The token is physically damaged. For this status, the TPS revokes the user certificates and marks the token lost. • The token has been permanently lost. For this status, the TPS revokes the user certificates and marks the token lost. •...
  • Page 93: Listing Token Certificates

    Listing Token Certificates Note If the PIN_RESET policy is not set, then user-initiated PIN resets are allowed by default. If the policy is present and is changed from NO to YES, then a PIN reset can be initiated by the user once; after the PIN is reset, the policy value automatically changes back to More token information can be modified through the Administrator Operations tab.
  • Page 94: Showing Token Activities

    Chapter 9. TPS: Agent Services Through the TPS agent's page, however, viewing Token #1 shows Signing #1 is active; viewing Token #2 shows that Signing #1 is revoked. This is because Signing #1 was still revoked when Token #2 was formatted, and that information was not updated when Token #1 was subsequently formatted.
  • Page 95: Administrator Operations

    Administrator Operations The token activities, such as enrollment, which are performed through the TPS subsystem can be searched and listed for assistance with token management. There are two links for finding and viewing certificates stored in tokens in the Agent Operations tab: List Activities and Search Activities. Both of these options return lists of activities performed on the tokens managed by the TPS.
  • Page 97: Index

    Index Data Recovery Manager , 65 agent services forms , 13 overview , 8 Directory Server accessing end-entity gateways , 9 Certificate System and , 61 accessing forms, 20 agent services forms accessing , 20 Certificate Manager , 12 end entities , 7 Data Recovery Manager , 13 enrollment requests Online Certificate Status Manager , 14...
  • Page 98 Index how profiles work , 29 working with , 23 Request details form , 37 Request Queue form , 36 request status, on List Requests form , 35 requests, enrollment approving , 39 cloning , 34 examining , 37 handling process , 33 listing , 34 statuses , 35 types of , 34...
