Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT Deployment Manual page 4

Table of Contents

Deployment Guide
4.4. CRLs
4.5. Publishing
4.6. Notifications
4.7. Jobs
4.8. Dual Key Pairs
4.9. Cross-Pair Certificates
4.10. Logging
4.11. Auditing
4.12. Self-Tests
4.13. Access Controls
4.14. Security-Enhanced Linux Support
5.1. Deciding on the Required Subsystems
5.1.1. Single Certificate Manager
5.1.2. Planning for Lost Keys: Key Archival and Recovery
5.1.3. Balancing Certificate Request Processing
5.1.4. Balancing Client OCSP Requests
5.1.5. Planning for Smart Cards
5.2. Defining the Certificate Authority Hierarchy
5.2.1. Subordination to a Public CA
5.2.2. Subordination to a Certificate System CA
5.2.3. Linked CA
5.2.4. CA Cloning
5.3. Planning Security Domains and Trust Relationships
5.3.1. Understanding Security Domains
5.3.2. Using Trusted Managers
5.4. Determining the Requirements for Subsystem Certificates
5.4.1. Determining Which Certificates to Install
5.4.2. CA Distinguished Name
5.4.3. CA Signing Certificate Validity Period
5.4.4. Signing Key Type and Length
5.4.5. Using Certificate Extensions
5.4.6. Using and Customizing Certificate Profiles
5.4.7. Planning Authentication Methods
5.4.8. Publishing Certificates and CRLs
5.4.9. Renewing or Reissuing CA Signing Certificates
5.5. Planning for Network and Physical Security
5.5.1. Considering Firewalls
5.5.2. Considering Physical Security and Location
5.5.3. Port Considerations
5.7. Questions for Planning the Certificate System
6.1. About Common Criteria
6.2. Required Configuration for the Server or Network
6.4. Users, Roles, and Access Control for Common Criteria
6.4.1. Certificate System User Types
6.4.2. Access Controls for Common Criteria