Certificate-Based Enrollment
• Customize the HTML enrollment forms. Make sure the proper authentication method is contained in the form, and do any other customization required.
In the enrollment form you use, be sure to include the following line, and replace myAuthMgr with the name of the authentication instance you added.
<INPUT TYPE="HIDDEN" NAME="authenticator" VALUE="myAuthMgr">
For more information on customizing the enrollment forms, see the CS Customization Guide.
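A form that is missing the hidden authenticator field, still carries the guide's placeholder value, or names the wrong instance will not route enrollment requests to the authentication instance you configured. The following checker is an added example, not code from the Administrator's Guide; the sample form and the instance name CertUserAuth are constructed for illustration.

```python
"""Check a customized enrollment form for the hidden 'authenticator' input.
Added example; the sample form and instance name below are constructed."""
from html.parser import HTMLParser

# Placeholder value that the guide tells you to replace.
PLACEHOLDER = "myAuthMgr"


class _AuthenticatorFinder(HTMLParser):
    """Collect the VALUE of every <INPUT TYPE="HIDDEN" NAME="authenticator">.
    HTMLParser lower-cases tag and attribute names, so the upper-case markup
    used in the stock forms is matched too; attribute values keep their case."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {name: (value or "") for name, value in attrs}
        if a.get("type", "").lower() == "hidden" and a.get("name") == "authenticator":
            self.values.append(a.get("value", ""))


def check_form(form_html, expected_instance):
    """Return 'ok', 'missing', 'duplicate', 'placeholder' or 'mismatch'."""
    finder = _AuthenticatorFinder()
    finder.feed(form_html)
    finder.close()
    if not finder.values:
        return "missing"       # no authenticator named: request cannot be routed
    if len(finder.values) > 1:
        return "duplicate"     # ambiguous: two instances named in one form
    value = finder.values[0]
    if value == PLACEHOLDER:
        return "placeholder"   # still the guide's example value, not your instance
    if value != expected_instance:
        return "mismatch"      # names an instance other than the one you configured
    return "ok"


# Constructed sample form; "CertUserAuth" is a hypothetical instance name.
SAMPLE_FORM = """<FORM METHOD="POST">
<INPUT TYPE="HIDDEN" NAME="authenticator" VALUE="CertUserAuth">
<INPUT TYPE="SUBMIT" VALUE="Submit">
</FORM>"""

if __name__ == "__main__":
    print(check_form(SAMPLE_FORM, "CertUserAuth"))   # ok
```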
Certificate-Based Enrollment
Note: This feature is supported only in legacy enrollment.
CS supports certificate-based enrollment for browser certificates. End users can use preissued certificates to authenticate to the server in order to enroll for certificates. The following two deployment scenarios explain the usefulness of certificate-based enrollment:
• You have deployed a client that can generate dual key pairs and you want to issue dual certificates (one for signing and another for encrypting data) to your users. You also want to make sure that users put their key materials only on hardware tokens.
One way to achieve this would be to initialize hardware tokens in bulk and preload them with dual certificates issued by CS for dual key pairs. You generate these certificates with some generic-looking common names, for example, hardwaretoken1234. This way, there's no one-to-one relation between users and the hardware tokens initially. Once the tokens are ready, you make them available to users by some means. Basically, a user can get and use any pre-initialized and certificate-loaded hardware token.
Next, each user uses the randomly picked token to enroll for a pair of certificates that have a subject name derived from their LDAP attribute values; the certificates will be issued for the existing key pairs preloaded into the token, but now the key pairs will be associated with the user's identity.
• You want users to use the signing certificate already in their possession to get an encryption certificate.
For example, assume you have deployed CS and have issued single certificates (for single key pairs) to users. Recently, you deployed a client application that is capable of generating dual key pairs. Your CS installation includes the Data Recovery Manager, but you weren't using it until now because you didn't have clients that were capable of generating dual key pairs. Now, you want your users to use their signing certificates as authentication tokens to request another certificate that they'll use for encrypting data.
390
Red Hat Certificate System Administrator's Guide • September 2005