Internal Database; Signing Key Type And Length - Red Hat CERTIFICATE SYSTEM 7.1 - ADMINISTRATOR Administrator's Manual

Registration Manager Deployment Considerations

Internal Database

Each Registration Manager instance contains an internal database that stores certificates,
certificate requests, and the like.

During installation, you set up this database by choosing either to create a new database or
to use an existing one, providing the user IDs and associated passwords for the database, and
specifying the port on which the database listens for requests. You can use the same internal
database for more than one subsystem by specifying this when you run the installation
wizard to configure that subsystem. Consider carefully whether to store this information in
a separate internal database for each subsystem or to use one internal database for all
subsystems installed on the host.

It is recommended that you do not use this Directory Server instance for any other purpose;
the directory schema is configured for storing CS data.

Signing Key Type and Length

If you wish, you can import the signing key and certificate used in an installation of a
previous version of CS rather than generating a new signing key pair. For information on how
to do this, check the migration information.

If you decide to generate a new signing key, one of the first decisions you need to make is
whether to use the RSA or DSA algorithm. If you use DSA, the software can generate and
verify the PQG value. PQG values are used to create the DSA signing key pair. For more
information about the way they are used, check this document:

http://www.itl.nist.gov/div897/pubs/fip186.htm

In general, longer keys are considered to be cryptographically stronger than shorter keys.
However, longer keys also require more time for signing operations. (Certificate Manager
CA signing keys up to 2048 bits in length are not subject to export restrictions.)

Many people no longer consider an RSA key of length less than 1024 bits to be
cryptographically strong. Export and other regulations permitting, it may be a good rule of
thumb to start with 1024 bits and consider increasing the length to 4096 bits for certificates
that provide access to highly sensitive data or services. However, the question of key length
has no simple answer. Every organization must make its own decision based on its own
security requirements. For more information on key length and encryption strength, see
Appendix D of Managing Servers with Red Hat Console.
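
The following is an added example, not part of the Red Hat manual or of Certificate System: a small Python check that reads a DER-encoded SubjectPublicKeyInfo, reports whether the key is RSA or DSA, and compares its length with a minimum. The function names, the min_bits parameter and the sample keys are assumptions made for illustration; the samples are constructed placeholders, not real keys.

```python
OIDS = {bytes.fromhex("2a864886f70d010101"): "RSA",  # rsaEncryption, 1.2.840.113549.1.1.1
        bytes.fromhex("2a8648ce380401"): "DSA"}      # id-dsa, 1.2.840.10040.4.1

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def key_type_and_bits(spki):
    """Return (algorithm, bits): RSA modulus length, or length of the DSA prime P."""
    _, outer, _ = read_tlv(spki)            # SubjectPublicKeyInfo SEQUENCE
    _, alg, pos = read_tlv(outer)           # AlgorithmIdentifier SEQUENCE
    _, bitstr, _ = read_tlv(outer, pos)     # subjectPublicKey BIT STRING
    _, oid, ppos = read_tlv(alg)
    name = OIDS[oid]                        # KeyError: key is neither RSA nor DSA
    if name == "RSA":
        _, rsa_key, _ = read_tlv(bitstr[1:])  # skip the unused-bits byte
        _, number, _ = read_tlv(rsa_key)    # first INTEGER is the modulus n
    else:
        _, pqg, _ = read_tlv(alg, ppos)     # DSA parameters SEQUENCE { p, q, g }
        _, number, _ = read_tlv(pqg)        # first INTEGER is the prime p
    return name, int.from_bytes(number, "big").bit_length()

def meets_policy(spki, min_bits):
    return key_type_and_bits(spki)[1] >= min_bits  # min_bits: the site's own policy

# Constructed sample input: placeholder numbers of the right size, not real keys.
def tlv(tag, body):
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def der_int(n):
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def sample_spki(name, bits):
    big = (1 << (bits - 1)) | 1
    if name == "RSA":                       # NULL parameters; key is SEQUENCE { n, e }
        params, key = tlv(0x05, b""), tlv(0x30, der_int(big) + der_int(65537))
    else:                                   # parameters { p, q, g }; key is INTEGER y
        params, key = tlv(0x30, der_int(big) + der_int((1 << 159) | 1) + der_int(2)), der_int(3)
    oid = next(k for k, v in OIDS.items() if v == name)
    return tlv(0x30, tlv(0x30, tlv(0x06, oid) + params) + tlv(0x03, b"\x00" + key))
```

To check a real signing key, pass key_type_and_bits the DER-encoded public key taken from the signing certificate in place of the constructed sample.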
Red Hat Certificate System Administrator's Guide • September 2005