How Certificate System Works
Types of Certificates That are Managed
CS can issue and manage Certificate Authority signing certificates,
cross-signed pair certificates (FBCA), SSL server certificates, router certificates, VPN
client certificates, and end user certificates.
Revocation and CRLs
CS provides the framework for revoking certificates. Revocation can be initiated either by an
agent or by the end users themselves. An administrator can also revoke the certificates of any
of the subsystems or agents.
CS also supports CMC Revocation. When the CMCAuth plug-in is enabled, CMC enrollment
and CMC revocation are both enabled. CMC Revocation allows you to send signed
revocation requests that are automatically processed.
CS is capable of producing Certificate Revocation Lists (CRLs) that it can publish either to
files, an LDAP directory, or to an OCSP responder.
You can also set up CRLs by Certificate Issuing Points, allowing you to create more than
one CRL, each defined by its issuing point. For example, you can issue a CRL for just CA
Signing certificates, or separate CRLs for California and Florida end user certificates.
Delta CRLs can also be produced, allowing you to create CRLs that contain only the
certificates revoked since the last CRL was produced.
See Chapter 15, "Revocation and CRLs" for complete details.
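The following is an added conceptual model, not code from Certificate System or this manual, showing how separate issuing points each keep their own CRL and how a delta CRL carries only what was revoked since the previous CRL. The class and function names, the issuing point labels, and the serial numbers are constructed for illustration.

```python
"""Conceptual model of per-issuing-point full and delta CRLs (not CS code)."""
from dataclasses import dataclass, field


@dataclass
class IssuingPoint:
    name: str
    revoked: dict = field(default_factory=dict)  # serial -> CRL number it first appeared in
    pending: set = field(default_factory=set)    # revoked since the last CRL was produced
    crl_number: int = 0                          # number of the last CRL produced

    def revoke(self, serial):
        if serial not in self.revoked:
            self.pending.add(serial)

    def publish(self):
        """Produce the next CRL: returns (crl_number, full_set, delta_set)."""
        self.crl_number += 1
        delta = set(self.pending)
        for serial in delta:
            self.revoked[serial] = self.crl_number
        self.pending.clear()
        return self.crl_number, set(self.revoked), delta


def apply_delta(cached_number, cached_full, delta_base_number, delta):
    """Relying-party side: a delta is only usable on the CRL it was built against."""
    if delta_base_number != cached_number:
        raise ValueError("delta does not match cached CRL; fetch a full CRL instead")
    return cached_full | delta


def demo():
    # Constructed issuing points matching the example in the text above.
    points = {n: IssuingPoint(n) for n in ("CA-signing", "California", "Florida")}
    points["California"].revoke(0x1001)
    points["Florida"].revoke(0x2001)
    n1, full1, _ = points["California"].publish()
    _, florida_full, _ = points["Florida"].publish()
    points["California"].revoke(0x1002)
    n2, full2, delta2 = points["California"].publish()
    # The second delta was built against CRL number n2 - 1.
    merged = apply_delta(n1, full1, n2 - 1, delta2)
    return full1, delta2, merged, full2, florida_full


if __name__ == "__main__":
    print(demo())
```

A client holding an older full CRL than the one the delta was built against must discard the delta and download a full CRL, which is the case `apply_delta` rejects.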
How the Certificate Manager Works
This section details the processes that a Certificate Manager goes through, and the various
configuration settings involved in those processes.
Accepting Enrollment Requests
The Certificate Manager contains an end-entity interface with various forms associated with
various types of certificates and various types of users. This interface is customizable,
allowing you to show only the forms that are pertinent to your users, change the look and
feel of the pages, or add and delete fields for your particular needs. Certificate requests that
come through the Certificate Manager's end-entity interface are processed by the Certificate
Manager. If it is an agent-approved enrollment, an agent of the Certificate Manager must
approve the request. If it is an automated enrollment, the request is considered approved if
the end entity supplies the correct information and authenticates against the authentication
method that has been set up. See the Red Hat Certificate System Customization Guide for
information about customizing the end-entity interface.
Chapter 1
Overview