Red Hat CERTIFICATE SYSTEM 7.1 - ADMINISTRATOR Administrator's Manual page 105

Once you have the certificate request ready, submit it to the Certificate Manager so
e.
that it can issue a certificate—in the request submission screen of the wizard, use
the auto-submission feature by entering the Certificate Manager's hostname and
port number so that the request gets added to the Certificate Manager's agent
queue.
Log in to the Agent Services interface, check the request for required extensions.
f.
For example, the CRL signing certificate must contain the Key Usage extension
with the
crlSigning
configured to add the Key Usage extension with correct bits to the CRL signing
certificate; see the policy rule named
instance of
KeyUsageExt
Approve the request.
g.
Once you have the CRL signing certificate ready, restart the wizard and install the
h.
certificate in the Certificate Manager's database.
Stop the Certificate Manager.
2.
Update the Certificate Manager's configuration to recognize the new key pair and
3.
certificate.
In the Certificate Manager host machine, go to this directory:
a.
<server_root>/cert-<instance_id>/config
Open the
b.
CS.cfg
Add the following lines to the configuration file:
c.
ca.crl_signing.cacertnickname=<nickname> cert-<instance_id>
ca.crl_signing.defaultSigningAlgorithm=<signing_algorithm>
ca.crl_signing.tokenname=<token_name>
Where:
nickname
instance_id
signing_algorithm
bit set. (By default, the Certificate Manager's policy is
CRLSignCertKeyUsageExt
plug-in.)
file in a text editor.
Is the name assigned to the CRL signing
certificate.
Is the name assigned to the Certificate Manager
instance.
Is
MD5withRSA
if the key type is RSA, or
key type is DSA.
Configuring the Certificate Manager
, which is an
, , or
MD2withRSA SHA1withRSA
SHA1withDSA
Chapter 3 Certificate Manager
,
, if the
105