Red Hat CERTIFICATE SYSTEM 7.2 - ADMINISTRATION Administration Manual page 242

Chapter 10. Managing Certificates
10.4.1.1. Installing Certificates through the Console
WARNING
Installing certificates through the Certificate Setup Wizard is not supported in Certificate
System 7.2. Use the certutil tool to manage certificates instead.
The Certificate Setup Wizard can install or import the following certificates into either an internal or
external token used by the Certificate System instance:
• Any of the certificates used by a Certificate System subsystem
• Any trusted CA certificates from external CAs or other Certificate System CAs
• Certificate chains
A certificate chain includes a collection of certificates: the subject certificate, the trusted root CA
certificate, and any intermediate CA certificates needed to link the subject certificate to the trusted
root. However, the certificate chain the wizard imports must include only CA certificates; none of the
certificates can be a user certificate.
In a certificate chain, each certificate in the chain is encoded as a separate DER-encoded object.
When the wizard imports a certificate chain, it imports these objects one after the other, all the way
up the chain to the last certificate, which may or may not be the root CA certificate. If any of the
certificates in the chain are already installed in the local certificate database, the wizard replaces the
existing certificates with the ones in the chain. If the chain includes intermediate CA certificates, the
wizard adds them to the certificate database as untrusted CA certificates.
The subsystem console uses the same wizard to install certificates and certificate chains. To install
certificates in the local security database, do the following:
1. Open the Console.
pkiconsole https://hostname:SSLport/ca
2. In the Configuration tab, select System Keys and Certificates from the left navigation tree.
3. There are two tabs where certificates can be installed, depending on the subsystem type and the
type of certificate.
• The CA Certificates tab is for installing CA certificates and certificate chains. For Certificate
Managers, this tab is used for third-party CA certificates or other Certificate System CA
certificates; all of the local CA certificates are installed in the Local Certificates tab. For all
other subsystems, all CA certificates and chains are installed through this tab.
• The Local Certificates tab is where all server certificates, subsystem certificates, and local
certificates such as OCSP signing or DRM transport are installed.
Select the appropriate tab.
4. To install a certificate in the Local Certificates tab, click Add/Renew. To install a certificate in the
CA Certificates tab, click Add. Both will open the Certificate Setup Wizard.
a. When the wizard opens, select the Install a certificate radio button, and click Next.
222