Certificate-based enrollment is useful in two common deployment scenarios:
• A client is deployed that can generate dual key pairs. Dual certificates, one for signing and one for encrypting data, need to be issued to the users. Additionally, users should be able to put their key material only on hardware tokens.
One way to achieve this is to initialize hardware tokens in bulk and preload them with dual certificates issued by the Certificate System for dual key pairs. These certificates are generated with generic common names, such as hardwaretoken1234. This way, there is initially no one-to-one relation between users and the hardware tokens. Once the tokens are ready, they are given to the users. A user can get and use any preinitialized, certificate-loaded hardware token.
Next, each user uses the randomly picked token to enroll for a pair of certificates whose subject name is derived from the user's LDAP attribute values; the certificates are issued for the existing key pairs preloaded on the token, but now the key pairs are associated with the user's identity.
• Users need to use the signing certificate already in their possession to get an encryption certificate. For example, single certificates for single key pairs have already been issued to users. A client application is deployed that is capable of generating dual key pairs. Now, users can use their signing certificates as authentication tokens to request another certificate to use for encrypting data.
15.5.1. Setting up Certificate-Based Enrollment
To set up certificate-based enrollment, do the following:
1. Customize the enrollment form to use.
2. Enable the appropriate enrollment option, such as directory-based enrollment or certificate-based enrollment. Configure the authentication module to compose the desired DN pattern.
3. Three enrollment forms are provided for certificate-based enrollment:
• CertBasedDualEnroll.html This form enables end users to request dual certificates, one for signing and another for encryption, by submitting preissued certificates as authentication tokens. When a user enrolls for a certificate, the server verifies the CA that issued the certificate used for authentication, uses the configured directory to formulate the subject names for the new certificates, and issues the certificates.
• CertBasedEncryptionEnroll.html This form is provided as a sample. It enables end users to request encryption certificates by submitting preissued certificates as authentication tokens. When a user enrolls for a certificate, the server verifies the CA that issued the certificate used for authentication, uses the configured directory to formulate the subject name for the new certificate, and issues the certificate.
• CertBasedSingleEnroll.html This form is provided as a sample. It enables end users to request signing certificates by submitting preissued certificates as authentication tokens. When a user enrolls for a certificate, the server verifies the CA that issued the certificate used for authentication, uses the configured directory to formulate the subject name for the new certificate, and issues the certificate.
Enabling certificate-based enrollment creates one link, named Certificate, under the list of certificate profiles in the end-entities page. By default, the link points to the CertBasedDualEnroll.html form. To use either of the other two forms,
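The two server-side steps described above, verifying that the presented certificate was issued by this CA and composing the new subject name from directory attributes, modelled as an added example in plain Python. This is illustration code, not Certificate System's own authentication module; the $attr.<name> pattern syntax, the record layout and all sample values are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample data: the CA's issuer DN and its record of issued certificates,
# keyed by serial number -> (subject DN, revoked?). Not real Certificate System data.
CA_ISSUER_DN = "CN=Example CA, O=Example Corp"
ISSUED = {
    0x1234: ("CN=hardwaretoken1234, O=Example Corp", False),
    0x1235: ("CN=hardwaretoken1235, O=Example Corp", True),   # revoked token cert
}

@dataclass
class PresentedCert:
    """The certificate a user submits as an authentication token (assumed shape)."""
    issuer_dn: str
    serial: int
    subject_dn: str
    signature_ok: bool   # outcome of signature verification against the CA key (assumed done by the PKI layer)

def authenticate(cert: PresentedCert) -> bool:
    """Accept the preissued certificate only if this CA issued it: signature verifies,
    issuer matches, the serial is on record with the same subject, and it is not revoked."""
    if not cert.signature_ok or cert.issuer_dn != CA_ISSUER_DN:
        return False
    record = ISSUED.get(cert.serial)
    if record is None:
        return False
    subject, revoked = record
    return subject == cert.subject_dn and not revoked

def escape_rdn_value(value: str) -> str:
    """Escape characters that are special inside an RDN value (RFC 4514), so an LDAP
    attribute such as cn='Smith, Jane' cannot inject an extra RDN into the subject."""
    value = re.sub(r'([,+"\\<>;=])', r'\\\1', value)
    if value.startswith(("#", " ")):
        value = "\\" + value
    if value.endswith(" "):
        value = value[:-1] + "\\ "
    return value

def compose_subject_dn(pattern: str, attrs: dict) -> str:
    """Fill a DN pattern like 'CN=$attr.cn, UID=$attr.uid, O=Example Corp' from LDAP attributes."""
    def substitute(match):
        name = match.group(1)
        if name not in attrs:
            raise KeyError(f"LDAP entry lacks attribute {name!r} required by the DN pattern")
        return escape_rdn_value(attrs[name])
    return re.sub(r"\$attr\.(\w+)", substitute, pattern)

def enroll(cert: PresentedCert, pattern: str, attrs: dict):
    """Return the subject DN for the new certificate(s), or None if authentication fails."""
    return compose_subject_dn(pattern, attrs) if authenticate(cert) else None
```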