IPv4 and IPv6 Addresses - Red Hat Certificate System 8 Deployment Manual

Chapter 3. Supported Standards and Protocols
Bits of Security    RSA Key Length    ECC Key Length
256                 15360             512+

The information in this table is from the National Institute of Standards and Technology (NIST). For more information, see csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf.
Table 3.1. Comparison of RSA and ECC Cipher Strength
Certificate System supports using ECC with all of its subsystems, so ECC certificate requests can be
submitted to CAs through any of the enrollment profiles and ECC keys can be archived and restored in
the DRM. However, Certificate System does not include ECC support natively, so using ECC is slightly
different than using RSA:
• An external PKCS#11 module must be loaded before any subsystems are installed so that they can
be configured with ECC subsystem certificates.
• The CA profile pages can process ECC certificate requests, but they cannot generate ECC keys.
As a result, some of the profile forms, such as the one for manual user certificates, cannot be
used for ECC certificates. In those cases, a different or custom profile needs to be used, and
certificate requests have to be generated using certutil.
For a CA to issue ECC certificates, the CA must be configured with an ECC CA signing certificate.
This is best done by loading an ECC PKCS#11 module before the CA is installed, and then configuring
the CA using ECC keys.
NOTE
A CA with an ECC CA signing certificate can issue both ECC and RSA certificates. A CA
with an RSA CA signing certificate can only issue RSA certificates.
Only the CA signing certificate is required; if for support purposes it is better to use RSA client
certificates with the CA, simply delete the ECC subsystem certificates (except for the signing
certificate) and replace them with RSA certificates.
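The certutil step mentioned above, as an added example that is not taken from the manual. The function name, argument order, curve allow-list and file names are assumptions, and it presumes the NSS token in use can generate EC keys (on Certificate System 8, that the external PKCS#11 module is already loaded).

```shell
#!/bin/sh
# Added example: create an ECC key pair and PKCS#10 request with NSS certutil.
# Assumed, not from the manual: argument layout, curve allow-list, file names.
make_ecc_request() {
    [ $# -eq 5 ] || { echo "usage: make_ecc_request DB PWFILE SUBJECT CURVE OUT" >&2; return 2; }
    db=$1; pwfile=$2; subject=$3; curve=$4; out=$5
    # Example policy: accept only the NIST prime curves.
    case $curve in
        nistp256|nistp384|nistp521) ;;
        *) echo "unsupported curve: $curve" >&2; return 2 ;;
    esac
    command -v certutil >/dev/null 2>&1 || { echo "certutil not found" >&2; return 3; }
    # The private key stays in this database; keep it to import the issued cert.
    ( umask 077; mkdir -p "$db" ) || return 1
    if [ ! -f "$db/cert9.db" ] && [ ! -f "$db/cert8.db" ]; then
        certutil -N -d "$db" -f "$pwfile" || return 1
    fi
    # Entropy file so certutil does not prompt for keyboard input.
    noise=$(mktemp) || return 1
    dd if=/dev/urandom of="$noise" bs=64 count=1 2>/dev/null
    # -R request, -k ec key type, -q curve name, -a ASCII output.
    # For a key on an external PKCS#11 token, add: -h "<token name>"
    certutil -R -d "$db" -f "$pwfile" -z "$noise" \
        -k ec -q "$curve" -s "$subject" -a -o "$out"
    rc=$?
    rm -f "$noise"
    [ "$rc" -eq 0 ] && grep -q 'BEGIN NEW CERTIFICATE REQUEST' "$out"
}
```

The resulting file is the request to submit through a profile that accepts a pre-generated request; the database directory holds the matching private key.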
For more information on ECC, see RFC 4492, Section 5.6.1, Table 2.

3.3. IPv4 and IPv6 Addresses

Certificate System supports both IPv4 addresses and IPv6 addresses. In a very wide variety of
circumstances, Certificate System subsystems or operations reference a hostname or IP address;
supporting both IPv4- and IPv6-style addresses ensures forward compatibility with network protocols.
The operations that support IPv6 connections include the following:
• Communications between subsystems, including between the RA and CA, between the TPS,
TKS, and CA, and for joining security domains
• Token operations between the TPS and Enterprise Security Client
• Subsystem logging
• Access control instructions
RFC 4492, Section 5.6.1, Table 2: http://ietf.org/rfc/rfc4492.txt
