Transport Key Pair and Certificate; Storage Key Pair; SSL Server Certificate; Forms for Users and Key Recovery Agents - Red Hat Certificate System 7.2 Administration Manual

Chapter 6. Data Recovery Manager
Section 6.2.1, "Transport Key Pair and Certificate"
Section 6.2.2, "Storage Key Pair"
Section 6.2.3, "SSL Server Certificate"

6.2.1. Transport Key Pair and Certificate

Every DRM has a transport certificate. The public key of the key pair that is used to generate the transport certificate is used by the client software to encrypt an end entity's private encryption key before it is sent to the DRM for archival; only those clients capable of generating dual-key pairs use the transport certificate. For more information on how this certificate is used, see Section 6.4, "Overview of Archiving Keys".

6.2.2. Storage Key Pair

Every DRM has a storage key pair. The DRM uses the public component of this key pair to encrypt (or wrap) private encryption keys when archiving the keys. It uses the private component to decrypt (or unwrap) the archived key during recovery. For more information on how this key pair is used, see Chapter 6, Data Recovery Manager.

NOTE
The public component of the storage key pair is not certified; there is no certificate that corresponds to the public key. It is a self-signed certificate.

Keys encrypted with the storage key can be retrieved only by authorized key recovery agents. For details, see Section 6.5.1, "Key Recovery Agents and Their Passwords".
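The transport key pair (Section 6.2.1) and the storage key pair (Section 6.2.2) apply the same operation, wrapping an end entity's private key under a public key, at two points: in transit from the client and at rest in the DRM. The Go program below is an added illustration of that two-stage flow, not Certificate System code; it assumes a simplified hybrid envelope (a random AES-256-GCM session key wrapped with RSA-OAEP) in place of the product's actual key-wrapping format, and the Envelope type and the Wrap, Unwrap, Archive and NewKeyPair names are hypothetical.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)
// Envelope: key bytes sealed with a one-time AES-256-GCM session key that is RSA-OAEP-wrapped under pub.
type Envelope struct{ WrappedKey, Nonce, Sealed []byte }
// must panics on failures that cannot occur with valid inputs (CSPRNG, AES key size, RSA key size).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func NewKeyPair() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) } // stand-in DRM key pair

// Wrap seals keyBytes under pub: the client uses the transport public key, the DRM the storage public key.
func Wrap(pub *rsa.PublicKey, keyBytes []byte) *Envelope {
	buf := make([]byte, 32+12) // fresh AES-256 session key followed by a 96-bit GCM nonce
	must(rand.Read(buf))
	session, nonce := buf[:32], buf[32:]
	gcm := must(cipher.NewGCM(must(aes.NewCipher(session))))
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, session, nil))
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, keyBytes, nil)}
}

// Unwrap reverses Wrap; it fails unless priv matches the public key used to wrap.
func Unwrap(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	session, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(session) // rejects a wrapped session key of the wrong length
	if err != nil {
		return nil, err
	}
	return must(cipher.NewGCM(block)).Open(nil, env.Nonce, env.Sealed, nil)
}

// Archive models the DRM: strip the transport layer, then re-wrap under the storage key.
func Archive(transportPriv *rsa.PrivateKey, storagePub *rsa.PublicKey, fromClient *Envelope) (*Envelope, error) {
	plain, err := Unwrap(transportPriv, fromClient)
	if err != nil {
		return nil, err
	}
	return Wrap(storagePub, plain), nil
}
```

Archive is the DRM-side step: the transport private key only strips the in-transit layer, and the stored result opens solely with the storage private key, which is what ties recovery to the authorized key recovery agents the section mentions.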

6.2.3. SSL Server Certificate

Every Certificate System DRM has at least one SSL server certificate. The first SSL server certificate is generated when the DRM is configured. The default nickname for the certificate is Server-Cert cert-instance_id, where instance_id identifies the DRM instance in which the certificate is installed.

The DRM's SSL server certificate was issued by the CA to which the certificate request was submitted, which can be a Certificate System CA or a third-party CA. To view the issuer name, open the certificate details in the System Keys and Certificates option in the DRM Console.

The DRM uses its SSL server certificate for server-side authentication to the DRM agent services interface. By default, the Data Recovery Manager uses a single SSL server certificate for authentication. However, additional SSL server certificates can be requested and installed for the DRM.

6.3. Forms for Users and Key Recovery Agents

End entity private encryption keys are archived by the DRM when they are generated. When
a Certificate Manager processing a certificate request detects the request for key archival, it
automatically requests the service of the DRM. Because the DRM transport certificate is stored within
the CA's CS.cfg file, the CA enrollment form can automatically trigger the key archival.
