Red Hat CERTIFICATE SYSTEM 7.2 - ADMINISTRATION Administration Manual page 6

Administration Guide
4.2.3. SSL Server Key Pair and Certificate ............................................................... 104
4.2.4. Certificate Considerations ............................................................................... 104
4.2.5. Cross-Pair Certificates .................................................................................... 105
4.3. CA Hierarchy ............................................................................................................ 105
4.3.1. Subordination to a Public CA .......................................................................... 106
4.3.2. Subordination to a Certificate System CA ........................................................ 106
4.4. Security Domains ..................................................................................................... 106
4.4.1. The domain.xml File ...................................................................................... 107
4.4.2. Security Domain Roles ................................................................................... 108
4.4.3. Creating a Security Domain ............................................................................ 109
4.4.4. Joining a Security Domain .............................................................................. 110
4.4.5. Additional Security Domain Information ........................................................... 110
4.5. Configuring the Certificate Manager Instance ............................................................. 110
4.6. CA Certificate Reissuance ........................................................................................ 112
4.7. Changing the Rules for Issuing Certificates ................................................................ 112
4.8. Setting Restrictions on CA Certificates through Certificate Extensions .......................... 114
4.9. Creating Certificate Manager Agents and Administrators ............................................. 116
4.10. Checking the Revocation Status of Agent Certificates ............................................... 117
4.11. CRL Signing Key Pair and Certificate ....................................................................... 119
4.12. DNs in the Certificate System .................................................................................. 120
4.12.1. Extending Attribute Support .......................................................................... 121
5. Online Certificate Status Protocol Responder
5.1. About OCSP Services .............................................................................................. 125
5.1.1. OCSP Response Signing ............................................................................... 125
5.1.2. OCSP Responses .......................................................................................... 126
5.2. CA OCSP Services .................................................................................................. 126
5.2.1. The Certificate Manager's Internal OCSP Service ............................................ 126
5.2.2. Online Certificate Status Manager ................................................................... 126
5.3. Online Certificate Status Manager Certificates ............................................................ 127
5.3.1. OCSP Signing Key Pair and Certificate ........................................................... 127
5.3.2. SSL Server Key Pair and Certificate ............................................................... 127
5.3.3. Recognizing Online Certificate Status Manager Certificates .............................. 128
5.4. Configuring the Online Certificate Status Manager ...................................................... 128
5.5. Creating Online Certificate Status Manager Agents and Administrators ......................... 129
5.6. Configuring the Certificate Manager's Internal OCSP Service ...................................... 130
5.7. Setting up the OCSP Responder ............................................................................... 131
5.8. Identifying the CA to the OCSP Responder ................................................................ 132
5.8.1. Verify Certificate Manager and Online Certificate Status Manager Connection ..... 133
5.8.2. Configure the Revocation Info Stores .............................................................. 133
5.9. Testing the OCSP Service Setup ............................................................................... 134
5.10. Submitting OCSP Requests Using the GET Method .................................................. 135
5.11. Setting up a Redirect for Certificates Issued in Certificate System 7.1 and Earlier ......... 137
6. Data Recovery Manager
6.1. PKI Setup for Archiving and Recovering Keys ............................................................ 141
6.1.1. Clients That Can Generate Dual Key Pairs ...................................................... 141
6.2. Data Recovery Manager Certificates .......................................................................... 141
6.2.1. Transport Key Pair and Certificate .................................................................. 142
6.2.2. Storage Key Pair ........................................................................................... 142
6.2.3. SSL Server Certificate .................................................................................... 142
6.3. Forms for Users and Key Recovery Agents ................................................................ 142
vi
125
141