Red Hat Certificate System 8 Deployment Manual: Key Management; Renewing and Revoking Certificates

Chapter 1. Introduction to Public-Key Cryptography
library card are different from those to get a driver's license. Similarly, different CAs have different
procedures for issuing different kinds of certificates. Requirements for receiving a certificate can range
from something as simple as an email address, or a username and password, to notarized documents,
a background check, and a personal interview.
Depending on an organization's policies, the process of issuing certificates can range from being
completely transparent for the user to requiring significant user participation and complex procedures.
In general, processes for issuing certificates should be flexible, so organizations can tailor them to
their changing needs.

1.4.2. Key Management

Before a certificate can be issued, the public key it contains and the corresponding private key must
be generated. It is often useful to issue a single person one certificate and key pair for signing
operations and a separate certificate and key pair for encryption operations. Keeping the two roles
apart lets the private signing key exist only on the user's local machine, which is what gives signatures
made with it their nonrepudiation value: a signing key that has ever been copied elsewhere cannot show
that only its owner could have produced a signature. The private encryption key, by contrast, can safely
be backed up in a central location, where it can be retrieved if the user loses the original key or leaves
the company.
Keys can be generated by client software or generated centrally by the CA and distributed to users
through an LDAP directory. There are costs associated with either method. Local key generation
provides maximum nonrepudiation but may involve more participation by the user in the issuing
process; central generation simplifies issuance and archival but means the key has existed outside the
user's control from the start. Flexible key management capabilities are essential for most organizations.
Key recovery, or the ability to retrieve backups of encryption keys under carefully defined conditions,
can be a crucial part of certificate management, depending on how an organization uses certificates.
In some PKI setups, several authorized personnel must agree before an encryption key can be
recovered, to ensure that the key is released only to its legitimate owner and only in authorized
circumstances. Recovery is necessary when information has been encrypted and can be decrypted
only with the lost key. Only encryption keys should be archived for recovery; a signing key held by
anyone other than its owner no longer supports nonrepudiation.
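The "several authorized personnel must agree" rule above can be enforced cryptographically rather than procedurally. The following is an added example, not code from the manual and not Red Hat Certificate System's own recovery mechanism: it splits an archived encryption key with Shamir secret sharing so that any three of five recovery agents can reconstruct it, while two shares reveal nothing about the key. The 16-byte key, the 3-of-5 policy and the SHA-256 fingerprint check are constructed for the demonstration.

```python
"""m-of-n key recovery with Shamir secret sharing over GF(p).

Added example: one way to enforce that several authorized agents must
cooperate before an archived encryption key is reconstructed. The key
bytes and the 3-of-5 policy below are constructed for the demonstration.
"""
import hashlib
import secrets

# A 521-bit Mersenne prime: any key of up to 64 bytes fits below it.
P = 2**521 - 1

# Constructed sample: a 16-byte symmetric key as archived for recovery.
ARCHIVED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x over GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_key(key, threshold, agents):
    """Return `agents` shares (x, y); any `threshold` of them reconstruct `key`.

    The key is the constant term of a random polynomial of degree threshold-1,
    so threshold-1 shares leave every possible key value equally likely.
    """
    if not 1 < threshold <= agents:
        raise ValueError("need 1 < threshold <= agents")
    secret = int.from_bytes(key, "big")
    if secret >= P:
        raise ValueError("key too large for the field")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, agents + 1)]


def recover_key(shares, threshold, key_len):
    """Lagrange-interpolate f(0) from `threshold` distinct shares.

    Refuses, rather than returning garbage, when too few agents are present:
    interpolating through fewer points yields a wrong key with no error signal.
    """
    if len(shares) < threshold:
        raise PermissionError(f"{len(shares)} agents present, {threshold} required")
    shares = list(shares)[:threshold]
    if len({x for x, _ in shares}) != threshold:
        raise ValueError("duplicate share")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret.to_bytes(key_len, "big")


def key_fingerprint(key):
    """Commitment stored beside the shares so a recovered key can be verified."""
    return hashlib.sha256(key).hexdigest()


def demo():
    """Archive ARCHIVED_KEY under a 3-of-5 policy and exercise the recovery rules."""
    shares = split_key(ARCHIVED_KEY, threshold=3, agents=5)
    stored_fp = key_fingerprint(ARCHIVED_KEY)
    # Any three agents (here 5, 1 and 3) recover the key; the fingerprint confirms it.
    recovered = recover_key([shares[4], shares[0], shares[2]], 3, len(ARCHIVED_KEY))
    # Two agents are refused outright.
    try:
        recover_key(shares[:2], 3, len(ARCHIVED_KEY))
        refused = False
    except PermissionError:
        refused = True
    return {
        "recovered": recovered,
        "fingerprint_ok": key_fingerprint(recovered) == stored_fp,
        "two_refused": refused,
    }


if __name__ == "__main__":
    print(demo())
```

The fingerprint matters in practice: a tampered or mistyped share does not make interpolation fail, it silently produces a different key, so the recovery procedure needs an independent check before the reconstructed key is handed to anyone.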

1.4.3. Renewing and Revoking Certificates

Like a driver's license, a certificate specifies a period of time during which it is valid. Attempts to
use a certificate for authentication before or after its validity period fail. Managing certificate
expirations and renewals is an essential part of the certificate management strategy. For example,
an administrator may want to be notified automatically when a certificate is about to expire so that an
appropriate renewal process can be completed without disrupting system operation. The renewal
process may reuse the same public-private key pair or issue a new one; reusing the pair keeps a key in
service for longer and so extends the exposure of any compromise it may already have suffered.
Additionally, it may be necessary to revoke a certificate before it has expired, such as when an
employee leaves a company or moves to a new job in a different unit within the company.
Certificate revocation can be handled in several different ways. Servers can be configured so that the
authentication process checks the directory for the presence of the certificate being presented. When
an administrator revokes a certificate, the certificate can be automatically removed from the directory,
and subsequent authentication attempts with that certificate fail, even though the certificate
remains valid in every other respect. Alternatively, a list of revoked certificates, a certificate revocation
list (CRL), can be published to the directory at regular intervals and checked as part of the
authentication process. Because a CRL is published periodically, a revocation is not visible to clients
until the next publication, and a client that keeps using a CRL past its nextUpdate time has no assurance
about anything revoked since; a missing or out-of-date CRL should therefore be treated as a failed
check, not as an absence of revocations. The issuing CA can also be queried directly each time a
certificate is presented for authentication. This procedure is sometimes called real-time status
checking; the Online Certificate Status Protocol (OCSP) is the standard way to do it.
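The decision an authenticating server has to make from a validity period and a CRL, as an added example that is not code from the manual or from Red Hat Certificate System: the Python below uses the third-party `cryptography` package to build a CA, a one-year user certificate and two weekly CRLs in memory, then applies the checks in order (issuer signature, validity window, CRL issuer and signature, CRL freshness, membership) and fails closed when the CRL is missing or stale. The CA name, the user "alice", serial 4711 and all dates are constructed for the scenario.

```python
"""Validity-period and CRL checks on a presented X.509 certificate.
Added example, not from the manual: it uses the third-party `cryptography`
package and builds the CA, user certificate and CRLs in memory (constructed
names, serials and dates) so it runs offline.
"""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

DAY = dt.timedelta(days=1)
T0 = dt.datetime(2024, 1, 1)  # constructed issue date; all times are naive UTC


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _when(obj, attr):
    """Read a validity timestamp as naive UTC across cryptography versions."""
    aware = getattr(obj, attr + "_utc", None)  # the *_utc accessors exist from v42
    return aware.replace(tzinfo=None) if aware is not None else getattr(obj, attr)

def issue_cert(subject, public_key, issuer_name, issuer_key, not_before, not_after, serial, ca):
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject)).issuer_name(issuer_name)
        .public_key(public_key).serial_number(serial)
        .not_valid_before(not_before).not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )

def build_crl(issuer_cert, issuer_key, this_update, next_update, revoked):
    """Sign a CRL; `revoked` is a list of (serial, revocation_date, ReasonFlags)."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
               .last_update(this_update).next_update(next_update))
    for serial, when, reason in revoked:
        entry = (x509.RevokedCertificateBuilder().serial_number(serial)
                 .revocation_date(when)
                 .add_extension(x509.CRLReason(reason), critical=False).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(issuer_key, hashes.SHA256())

def check_certificate(cert, issuer_cert, crl, now):
    """Status an authenticating server should assign to `cert` at time `now`.

    Order matters: issuer signature, then validity window, then revocation.
    Every revocation branch fails closed: a missing, forged or stale CRL is a
    rejection, never "assume good". Trust in issuer_cert itself is assumed.
    """
    issuer_pub = issuer_cert.public_key()
    try:
        issuer_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                          ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "bad_signature"
    if now < _when(cert, "not_valid_before"):
        return "not_yet_valid"
    if now > _when(cert, "not_valid_after"):
        return "expired"
    if crl is None:
        return "no_revocation_data"
    if crl.issuer != issuer_cert.subject or not crl.is_signature_valid(issuer_pub):
        return "untrusted_crl"
    next_update = _when(crl, "next_update")
    if next_update is not None and now > next_update:
        return "stale_crl"  # past nextUpdate: newer revocations may exist
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    if entry is not None:
        reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
        return "revoked:" + reason.name
    return "good"

def run_scenario():
    """One-year user certificate, weekly CRLs, user transferred to another unit on day 30."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = issue_cert("Example CA", ca_key.public_key(), _name("Example CA"), ca_key,
                         T0 - DAY, T0 + 3650 * DAY, 1, ca=True)
    user_key = ec.generate_private_key(ec.SECP256R1())
    user_cert = issue_cert("alice", user_key.public_key(), ca_cert.subject, ca_key,
                           T0, T0 + 365 * DAY, 4711, ca=False)
    crl_day0 = build_crl(ca_cert, ca_key, T0, T0 + 7 * DAY, [])
    crl_day35 = build_crl(ca_cert, ca_key, T0 + 35 * DAY, T0 + 42 * DAY,
                          [(4711, T0 + 30 * DAY, x509.ReasonFlags.affiliation_changed)])
    return {
        "day1": check_certificate(user_cert, ca_cert, crl_day0, T0 + DAY),
        "day10_old_crl": check_certificate(user_cert, ca_cert, crl_day0, T0 + 10 * DAY),
        "day36": check_certificate(user_cert, ca_cert, crl_day35, T0 + 36 * DAY),
        "day36_no_crl": check_certificate(user_cert, ca_cert, None, T0 + 36 * DAY),
        "before_issue": check_certificate(user_cert, ca_cert, crl_day0, T0 - DAY),
        "after_expiry": check_certificate(user_cert, ca_cert, crl_day35, T0 + 400 * DAY),
    }


if __name__ == "__main__":
    for case, status in run_scenario().items():
        print(f"{case:15} {status}")
```

Two cases in `run_scenario` show the latency gap of periodic publication: on day 10 the only CRL the client holds is the day-0 one, already past its nextUpdate, so the certificate is rejected as `stale_crl` even though it has not been revoked, and on day 36 the same client with no CRL at all gets `no_revocation_data` rather than a pass. Real-time status checking (OCSP in practice) replaces the CRL steps with a query to the CA's responder but keeps the same fail-closed rule.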