Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT Deployment Manual page 35


When an end entity enrolls in a PKI by requesting a certificate, the following events can occur,
depending on the configuration of the PKI and the subsystems installed:
1. The end entity fills in one of the enrollment forms and submits a request. The information the
form gathers from the end entity is customizable: it can be whatever needs to be stored in the
certificate, plus whatever the authentication method associated with the form needs in order to
authenticate the user. The form packages this into a request that is then submitted to the
Certificate Manager.
2. The enrollment form triggers generation of the key pair (or, for dual-key enrollment, the separate
signing and encryption key pairs) for the request.
3. Depending on the authentication type, the end entity provides authentication credentials before
submitting the request. This can be LDAP authentication, PIN-based authentication, or
certificate-based authentication.
4. The request is submitted either to an agent-approved enrollment process or an automated
process.
• The agent-approved process, which involves no end-entity authentication, sends the request to
the request queue in the agent services interface, where an agent must process the request.
The agent can modify parts of the request, change the status of the request, reject the
request, or approve the request.
Automatic notification can be set up so that an email is sent to an agent any time a request
appears in the queue. An automated job can also be set up to send a list of the contents of the
queue to agents on a preconfigured schedule.
• The automated process, which involves end-entity authentication, processes the certificate
request as soon as the end entity successfully authenticates.
5. When the form is submitted, it collects information about the end entity from an LDAP directory.
For certificate profile-based enrollment, the profile's input defaults can be used to collect the
user's LDAP ID and password.
6. The certificate profile associated with the form determines the characteristics of the certificate
that is issued. Based on the profile, the request is evaluated to check that it meets the profile's
constraints and that all required information is present, and the profile's defaults fill in the
contents of the new certificate.
7. The form can also request that the end entity's private encryption key be archived. If a DRM
(Data Recovery Manager) subsystem is set up with this CA, the end entity's encryption key is
requested and an archival request is sent to the DRM. This generally requires no interaction from
the end entity.
8. The certificate request is either rejected because it did not meet the certificate profile or
authentication requirements, or a certificate is issued.
9. The certificate is delivered to the end entity.
• In automated enrollment, the certificate is delivered to the user immediately. Since the
enrollment normally goes through an HTML page, the certificate is returned as the response on
another HTML page.
• In agent-approved enrollment, the certificate can be retrieved by serial number or request ID in
the end-entity interface.
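The steps above are easiest to follow as one pipeline: authenticate (or not, for agent-approved profiles), apply the profile's defaults and constraints, then either queue, reject or issue. The following Python is an added illustration written for this page; it is not Certificate System code and does not talk to a real CA. The profile fields (`min_key_bits`, `subject_pattern`, `max_validity_days`), the `DIRECTORY` credential store (which doubles as both the end-entity directory and the agent store), and the request statuses are all constructed here to model the flow, and the only auth instance it understands is a simulated "ldap" password check. One design choice worth noting: an agent's edits to a pending request are re-evaluated against the profile before issuance, so an agent cannot approve a certificate the profile would not allow.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed credential store for the example (not from any real deployment):
# end entities and agents share it purely to keep the model short.
DIRECTORY = {"jsmith": "s3cret", "agent1": "agentpw"}


@dataclass
class Profile:
    """Hypothetical profile: auth_instance None means agent-approved enrollment."""
    name: str
    auth_instance: Optional[str]   # None = agent-approved, "ldap" = automated
    min_key_bits: int              # constraint on the enrolled key
    subject_pattern: str           # regex the subject DN must fully match
    max_validity_days: int         # constraint
    default_validity_days: int     # default used when the form supplies none


@dataclass
class Request:
    subject: str
    key_bits: int
    profile: str
    validity_days: Optional[int] = None
    credentials: dict = field(default_factory=dict)
    request_id: int = 0
    status: str = "new"            # new | pending | rejected | complete
    reasons: list = field(default_factory=list)
    serial: Optional[int] = None


class CertificateManager:
    def __init__(self, profiles):
        self.profiles = {p.name: p for p in profiles}
        self.queue = {}            # request_id -> Request awaiting an agent
        self.issued = {}           # serial -> Request, for retrieval by serial
        self._next_request = 1
        self._next_serial = 0x1000

    def _authenticate(self, profile, req):
        if profile.auth_instance is None:          # agent-approved: no end-entity auth
            return True
        if profile.auth_instance == "ldap":        # simulated directory bind
            uid = req.credentials.get("uid")
            return uid is not None and DIRECTORY.get(uid) == req.credentials.get("password")
        raise ValueError(f"unknown auth instance {profile.auth_instance}")

    def _apply_defaults_and_constraints(self, profile, req):
        """Fill defaults the form did not supply, then check every constraint."""
        if req.validity_days is None:
            req.validity_days = profile.default_validity_days
        if not re.fullmatch(profile.subject_pattern, req.subject):
            req.reasons.append("subject does not match profile pattern")
        if req.key_bits < profile.min_key_bits:
            req.reasons.append(f"key size {req.key_bits} below minimum {profile.min_key_bits}")
        if req.validity_days > profile.max_validity_days:
            req.reasons.append(f"validity {req.validity_days} days exceeds maximum "
                               f"{profile.max_validity_days}")
        return not req.reasons

    def _issue(self, req):
        req.serial = self._next_serial
        self._next_serial += 1
        req.status = "complete"
        self.issued[req.serial] = req
        return req

    def submit(self, req):
        """Steps 3-8: authenticate, evaluate the profile, then queue, reject or issue."""
        profile = self.profiles[req.profile]
        req.request_id = self._next_request
        self._next_request += 1
        if not self._authenticate(profile, req):
            req.status = "rejected"
            req.reasons.append("authentication failed")
            return req
        if not self._apply_defaults_and_constraints(profile, req):
            req.status = "rejected"                # never reaches the agent queue
            return req
        if profile.auth_instance is None:
            req.status = "pending"                 # agent-approved: wait in the queue
            self.queue[req.request_id] = req
            return req
        return self._issue(req)                    # automated: issued immediately

    def agent_decide(self, agent, agent_pw, request_id, approve, validity_days=None):
        """Agent services: modify, reject or approve a queued request."""
        if DIRECTORY.get(agent) != agent_pw:
            raise PermissionError("agent authentication failed")
        req = self.queue.pop(request_id)
        if not approve:
            req.status = "rejected"
            req.reasons.append(f"rejected by agent {agent}")
            return req
        if validity_days is not None:              # agent modified the request
            req.validity_days = validity_days
        req.reasons.clear()
        if not self._apply_defaults_and_constraints(self.profiles[req.profile], req):
            req.status = "rejected"                # profile constraints still bind the agent
            return req
        return self._issue(req)

    def retrieve(self, serial):
        """End-entity interface: fetch an issued certificate request by serial number."""
        return self.issued.get(serial)
```

Two constructed profiles exercise both paths: an agent-approved `caUserCert` with no auth instance, and an automated `caDirUserCert` that requires a directory password. Submitting an under-sized key to either is rejected at submission, a bad password on the automated profile is rejected before the profile is even evaluated, and an agent who tries to stretch the validity past the profile maximum gets the request rejected rather than issued.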
About the Certificate Manager (CA) (page 25)
