Configuring Policies - Red Hat CERTIFICATE SYSTEM 7.1 - ADMINISTRATOR Administrator's Manual

Configuring the Certificate Manager
Portal Enrollment. End users are registered into an LDAP directory and issued a
certificate. If a user already has an entry in the directory, they are authenticated against
the directory and then issued a certificate. See "Setting Up Portal Enrollment," on page
382.
CMC Auth. This plug-in allows agent-signed requests to be sent and processed. See
"Setting Up CMC Enrollment," on page 385.
Agent Authentication. End entities are authenticated against the CS internal user
database. If the end entities have agent certificates, the submitted certificate requests
will be approved immediately.

Configuring Policies

The Policy feature is a set of plug-ins; you create instances of these plug-ins and then
configure them. These instances define certificate content, the values for that content, and
constraints on that content. An instance can be associated with all certificates or with a
subset of certificates defined using predicates. When a non-certificate profile enrollment
request is processed, it is evaluated against all policies that are applicable to this type of
request. Any policy that has no predicate is evaluated against all certificate requests.
Policies with predicates are evaluated against certificate requests that match the predicate
value of the policy. The predicate value can be a certificate type, like a CA certificate or an
SSL signing certificate, in which case all requests for that type of certificate are evaluated
by the policy. The predicate value can also be some other evaluator that can be matched in
the request. You can use hidden values in the request form to match predicate values.
When using the policy feature for enrollment, you must take care to associate a form with
all of the policies you want to be evaluated for this certificate request.
Some of the policies can be configured to collect other information about an end entity from
an LDAP directory and place that information in the certificate. A default set of policies is
created. Some of these are enabled and some are disabled. You need to configure the policy
feature by configuring the existing policies, deleting unwanted policies, and creating
needed policies that are not created by default.
See also the following for information on certificate profiles, which replace the policies
functionality in current and future releases of CS.
For detailed information, see Chapter 12, "Policies."
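
The predicate matching described above can be checked on paper before a form goes live. The following is an added example, not Certificate System code: a simplified Python model that lists which policies a request would be evaluated against and flags forms that never trigger a policy the administrator expects. The policy names, the certType field and the (field, value) predicate form are assumptions made for illustration.

```python
# Added example: simplified model, not Certificate System code.
# Policy names, field names and the (field, value) predicate form are assumptions.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    predicate: Optional[Tuple[str, str]] = None  # (request field, value); None = every request
    enabled: bool = True


def applicable(policies, request):
    """Names of enabled policies that would be evaluated for this request."""
    selected = []
    for p in policies:
        if not p.enabled:
            continue
        if p.predicate is None or request.get(p.predicate[0]) == p.predicate[1]:
            selected.append(p.name)
    return selected


def audit_forms(policies, forms, expected):
    """Map form name -> policies the administrator expects but the form never triggers."""
    gaps = {}
    for form_name, fields in forms.items():
        evaluated = set(applicable(policies, fields))
        missing = [n for n in expected.get(form_name, []) if n not in evaluated]
        if missing:
            gaps[form_name] = missing
    return gaps


# Constructed policy set and enrollment forms (hidden inputs included in each dict).
POLICIES = [
    Policy("validity_limit"),
    Policy("rsa_key_size", predicate=("certType", "server")),
    Policy("ca_basic_constraints", predicate=("certType", "ca")),
    Policy("subject_alt_name", enabled=False),
]
FORMS = {
    "server_enroll": {"certType": "server", "subject": "CN=www.example.com"},
    "legacy_enroll": {"subject": "CN=www.example.com"},  # hidden certType missing
}
EXPECTED = {name: ["validity_limit", "rsa_key_size"] for name in FORMS}

if __name__ == "__main__":
    print(audit_forms(POLICIES, FORMS, EXPECTED))
```

In this model the form without the hidden certType value is still evaluated against the policy that has no predicate, but the key-size constraint is never applied to it, which is the gap the form-to-policy association is meant to close.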
Red Hat Certificate System Administrator's Guide • September 2005