Red Hat Certificate System 7.2 Administration Manual: Smart Card Certificate Enrollment Profiles; Automating Encryption Key Recovery
is encryption. Set the following parameters to enable server-side key generation and to
archive keys:
op.enroll.userKey.keyGen.encryption.serverKeygen.enable=true
op.enroll.userKey.keyGen.encryption.serverKeygen.drm.conn=drm1
op.enroll.userKey.keyGen.encryption.serverKeygen.archive=true
op.enroll.userKey.keyGen.encryption.serverKeygen.encryptPrivKey=true
d. Restart the TPS subsystem.
/etc/init.d/instance_ID start

7.5.3. Smart Card Certificate Enrollment Profiles

The CA subsystem has four default smart card enrollment profiles which the TPS is configured, by
default, to use:
• caTokenUserEncryptionKeyEnrollment.cfg
• caTokenUserSigningKeyEnrollment.cfg
• caTempTokenUserEncryptionKeyEnrollment.cfg
• caTempTokenUserSigningKeyEnrollment.cfg
The profile configuration files are in the /var/lib/instance_ID/profiles/ca/ directory.
Administrators have the ability to customize these profiles. For instance, a profile could be edited to
include the user's email address in the Subject Alternative Name extension. The email address for the
user is retrieved from the authentication directory. To configure the CA for LDAP access, change the
following parameters in the profile files, with the appropriate directory information:
policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, O=Token Key User
policyset.set1.p1.default.params.ldap.enable=true
policyset.set1.p1.default.params.ldap.basedn=ou=people,dc=host,dc=example,dc=com
policyset.set1.p1.default.params.ldapStringAttributes=uid,mail
policyset.set1.p1.default.params.ldap.ldapconn.host=localhost.example.com
policyset.set1.p1.default.params.ldap.ldapconn.port=389
These CA profiles ship with LDAP lookup disabled (ldap.enable=false) by default. The ldapStringAttributes parameter
tells the CA which LDAP attributes to retrieve from the company directory for each request. Every attribute
that the subject name depends on must appear in both places: for example, if the directory uses uid as an
attribute name and it is used in the subject name of the certificate, then uid must be listed in
ldapStringAttributes, and $request.uid$ must be one of the components in the dnpattern. An attribute that
is referenced in the dnpattern but not fetched cannot be filled in when the CA builds the subject name.
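The following script is an added example and is not part of Red Hat Certificate System or its manual. It parses the key=value format that both the TPS configuration fragment above (the serverKeygen parameters) and the CA profile files use, then applies two checks a practitioner would want before restarting the subsystems: that server-side key generation is not enabled without a DRM connection and archiving, and that every $request.<attr>$ variable in the dnpattern is fetched through ldapStringAttributes. It also renders the subject DN from a directory entry. The consistency rules and the sample directory entry are this example's own assumptions; the two configuration fragments are the ones quoted in the text.

```python
"""Lint Red Hat Certificate System 7.2 key=value configuration fragments.

Added example, not Red Hat Certificate System code. The checks encode this
example's own consistency rules, not anything the TPS or CA enforces itself.
All sample values below are constructed.
"""
import re

# Constructed copy of the TPS serverKeygen parameters quoted in the manual.
TPS_CFG = """\
op.enroll.userKey.keyGen.encryption.serverKeygen.enable=true
op.enroll.userKey.keyGen.encryption.serverKeygen.drm.conn=drm1
op.enroll.userKey.keyGen.encryption.serverKeygen.archive=true
op.enroll.userKey.keyGen.encryption.serverKeygen.encryptPrivKey=true
"""

# Constructed copy of the CA profile parameters quoted in the manual.
CA_PROFILE = """\
policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, O=Token Key User
policyset.set1.p1.default.params.ldap.enable=true
policyset.set1.p1.default.params.ldap.basedn=ou=people,dc=host,dc=example,dc=com
policyset.set1.p1.default.params.ldapStringAttributes=uid,mail
policyset.set1.p1.default.params.ldap.ldapconn.host=localhost.example.com
policyset.set1.p1.default.params.ldap.ldapconn.port=389
"""


def parse_cfg(text):
    """Parse 'key=value' lines; blank lines and '#' comments are skipped.
    Values may themselves contain '=' (the dnpattern does), so split on the
    first '=' only."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        cfg[key.strip()] = value.strip()
    return cfg


SERVER_KEYGEN = "op.enroll.userKey.keyGen.encryption.serverKeygen."


def check_server_keygen(cfg):
    """Return a list of problems with the server-side key generation settings.
    Rule (this example's assumption): if enable=true, a DRM connection name must
    be set and both archive and encryptPrivKey must be true, otherwise the
    generated key cannot be recovered later."""
    problems = []
    if cfg.get(SERVER_KEYGEN + "enable", "false").lower() != "true":
        return problems  # feature off: nothing else to check
    if not cfg.get(SERVER_KEYGEN + "drm.conn"):
        problems.append("serverKeygen enabled but drm.conn (DRM connection) is empty")
    for flag in ("archive", "encryptPrivKey"):
        if cfg.get(SERVER_KEYGEN + flag, "false").lower() != "true":
            problems.append("serverKeygen.%s should be true when archiving keys" % flag)
    return problems


PARAMS = "policyset.set1.p1.default.params."
REQUEST_VAR = re.compile(r"\$request\.([A-Za-z0-9_]+)\$")


def check_dnpattern(cfg):
    """Return the $request.<attr>$ names used in dnpattern that are not listed
    in ldapStringAttributes, i.e. attributes the CA would never fetch."""
    pattern = cfg[PARAMS + "dnpattern"]
    fetched = {a.strip().lower()
               for a in cfg.get(PARAMS + "ldapStringAttributes", "").split(",")
               if a.strip()}
    return sorted(v for v in REQUEST_VAR.findall(pattern) if v.lower() not in fetched)


def render_subject(cfg, entry):
    """Substitute $request.<attr>$ with values from an LDAP entry (a dict of
    attribute -> value). A missing attribute raises instead of silently
    producing an empty RDN."""
    def sub(match):
        name = match.group(1)
        if name not in entry:
            raise KeyError("directory entry has no '%s' attribute" % name)
        return entry[name]
    return REQUEST_VAR.sub(sub, cfg[PARAMS + "dnpattern"])


if __name__ == "__main__":
    tps = parse_cfg(TPS_CFG)
    print("TPS serverKeygen problems:", check_server_keygen(tps) or "none")
    ca = parse_cfg(CA_PROFILE)
    print("dnpattern attributes not fetched:", check_dnpattern(ca) or "none")
    # Constructed directory entry for a token user.
    print(render_subject(ca, {"uid": "jsmith", "mail": "jsmith@example.com"}))
```

Run it against the real files (/var/lib/instance_ID/profiles/ca/*.cfg and the TPS CS.cfg) by reading them in place of the constructed strings; the checks return lists, so they can be wired into a pre-restart sanity script.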

7.5.4. Automating Encryption Key Recovery

The Certificate System allows for semi-automated recovery if a user loses, destroys, or misplaces
a token. The TPS automatically recovers the appropriate encryption keys and certificates for a
permanently or temporarily lost token, depending on the circumstances of the token loss. To prevent
misuse of the recovery feature, the TPS requires that a user have only one active token at a time.