Dual-Key Pairs - Red Hat CERTIFICATE SYSTEM 7.1 - ADMINISTRATOR Administrator's Manual


The certificate being presented by the end user for renewal must be currently valid or must have expired; it cannot have been revoked.

The validity period of a renewed certificate is determined by the policy rule RenewalValidityConstraints; see "RenewalValidityConstraints," on page 481. If the renewal lead time does not permit renewing, the server rejects the renewal request. Also, if the policy is disabled, renewal of certificates fails.

If the certificate being presented by the end user has already been renewed, the server displays the URL for downloading the certificate. This situation may occur if the end user forgets to download the renewed certificate. It can also happen if the end user maintains two identical certificate databases on two machines, renews the certificate from one machine, and then tries to renew the same certificate from the other machine.

You can set up the RenewalNotification job, which sends email notifications to the end entity at preconfigured intervals before the expiration of their current certificate. See Chapter 14, "Automated Jobs" for details.

Dual-Key Pairs

A dual-key pair is a set of two private and public key pairs, where one pair is used for signing and one for encryption. CS supports dual-key pairs: you can create them during enrollment and obtain two certificates, one for the signing key and one for the encryption key. The dual-key pairs feature is only supported in CS when using version 7, or older versions that work with Personal Security Manager.

To create dual-key pairs and the certificates associated with each key, you need to enable this function by changing the JavaScript found in the enrollment page. You can use any method of authentication; to enable dual-key pairs for it, modify the JavaScript on that enrollment page. The forms contain instructions, presented as HTML comments, describing how to change the JavaScript. Basically, you need to add some lines to the JavaScript and you are ready to go.

When you set up dual-key pairs, check your policy or certificate profile setup and set your policies or certificate profiles to work correctly when generating separate certificates for signing and encryption.

Red Hat Certificate System Administrator's Guide • September 2005
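An added example, not part of the Red Hat manual or of Certificate System itself: one way to check that the two certificates issued for a dual-key pair, as described above, really separate signing from encryption, by decoding each certificate's KeyUsage extension value. The dictionary field names (`subject`, `spki_sha256`, `key_usage_der`) and all sample values are assumptions constructed for illustration; the bit names follow RFC 5280.

```python
# Added example. All certificate values below are constructed for illustration.
KEY_USAGE_BITS = [  # named bits from RFC 5280 section 4.2.1.3, bit 0 first
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]
SIGNING = {"digitalSignature", "nonRepudiation"}
ENCRYPTION = {"keyEncipherment", "dataEncipherment", "keyAgreement"}


def decode_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING held in a KeyUsage extension value."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused, payload = der[2], der[3:]
    if unused > 7 or (unused and not payload):
        raise ValueError("invalid unused-bit count")
    total_bits = len(payload) * 8 - unused
    return {name for i, name in enumerate(KEY_USAGE_BITS)
            if i < total_bits and payload[i // 8] & (0x80 >> (i % 8))}


def check_dual_key_pair(signing_cert: dict, encryption_cert: dict) -> list:
    """Return the problems found; an empty list means a clean split."""
    sign_usage = decode_key_usage(signing_cert["key_usage_der"])
    enc_usage = decode_key_usage(encryption_cert["key_usage_der"])
    problems = []
    if signing_cert["subject"] != encryption_cert["subject"]:
        problems.append("certificates name different subjects")
    if signing_cert["spki_sha256"] == encryption_cert["spki_sha256"]:
        problems.append("both certificates carry the same public key")
    if not sign_usage & SIGNING:
        problems.append("signing certificate has no signing usage")
    if sign_usage & ENCRYPTION:
        problems.append("signing certificate also permits: " + ", ".join(sorted(sign_usage & ENCRYPTION)))
    if not enc_usage & ENCRYPTION:
        problems.append("encryption certificate has no encryption usage")
    if enc_usage & SIGNING:
        problems.append("encryption certificate also permits: " + ", ".join(sorted(enc_usage & SIGNING)))
    return problems


# Constructed sample pair: field names and fingerprints are placeholders.
SIGNING_CERT = {"subject": "CN=Example User", "spki_sha256": "placeholder-key-1",
                "key_usage_der": bytes.fromhex("030206c0")}   # digitalSignature, nonRepudiation
ENCRYPTION_CERT = {"subject": "CN=Example User", "spki_sha256": "placeholder-key-2",
                   "key_usage_der": bytes.fromhex("03020520")}  # keyEncipherment

if __name__ == "__main__":
    print(check_dual_key_pair(SIGNING_CERT, ENCRYPTION_CERT) or "pair is cleanly split")
```

A certificate whose KeyUsage value decodes to both `digitalSignature` and `keyEncipherment` (for example `03 02 05 a0`) is reported, which is the profile misconfiguration to look for after enabling dual-key enrollment.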
