Password And Certificate Storage; Hardware Token; Protection Of Private And Secret Keys - Red Hat CERTIFICATE SYSTEM 7.1 - ADMINISTRATOR Administrator's Manual

Password and Certificate Storage

Plan for the storage of any passwords and certificates. Also plan your user password policy.
Make sure everyone knows and adheres to these policies.

Hardware Token

This environment requires a FIPS 140-1 level 3 certified hardware cryptographic module.
You need to install the software and hardware for this hardware token before installing and
configuring the subsystems. You will also setup the hardware token for use with CS after
installing CS, but before installing a subsystem. Use the hardware token to create subsystem
certificates during installation of each subsystem.

Protection of Private and Secret Keys

CS certificate private keys and secret keys are to be generated and stored in a FIPS 140-1
level 3 certified hardware cryptographic token.
The CS private (asymmetric) keys are:
• Private key associated with the CA signing certificate.
• Private key associated with the RA-to-CA SSL client certificate.
• Private key associated with the OCSP Responder signing certificate.
• Private key associated with the CA-to-DRM SSL client certificate.
• Private key associated with the DRM transport certificate.
• Private key associated with the CA, RA, DRM, and OCSP SSL server certificates.
• Private key associated with the audit log signing certificate.
• Private key associated with the DRM storage certificate used for encrypting user
subject encryption private keys (for DRM key archival).
The CS secret (symmetric) key is:
• Symmetric key used to encrypt passwords for password cache (single-sign-on). See
"Password Cache," on page 245.
Note: CS does not store user secret keys, and it does not support the export of component
(subsystem) private or secret keys.
Appendix B Common Criteria Environment: Setup and Operations
IT Environment Assumptions
691