Chapter 4. Major Features in Certificate System
4.4. CRLs
The Certificate System can create certificate revocation lists (CRLs) from a configurable framework
that allows user-defined issuing points, so a CRL can be created for each issuing point. Delta
CRLs can also be created for any issuing point that is defined. CRLs can be issued for each type
of certificate, for a specific subset of a type of certificate, or for certificates generated according to
a profile or list of profiles. The extensions used and the frequency and intervals at which CRLs are
published can all be configured.
The Certificate Manager issues X.509-standard CRLs. A CRL can be automatically updated whenever
a certificate is revoked or at specified intervals.
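As an added example that is not part of this guide or of Certificate System's own code, the following shows how a relying party combines a base CRL with a delta CRL (both described above) and checks a certificate's status. It uses the third-party Python `cryptography` library; the CA key, issuer name and serial numbers are constructed for the demonstration.

```python
# Added example, not Certificate System code: combine a base CRL with a delta
# CRL and check a certificate's status. Needs the third-party 'cryptography'
# package; CA key, names and serial numbers below are constructed for the demo.
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

KEY = ec.generate_private_key(ec.SECP256R1())          # constructed CA key
ISSUER = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo CA")])
NOW = dt.datetime(2024, 1, 1)                          # naive datetime == UTC

def build_crl(serials, number, delta_of=None, hours=24):
    """Sign a CRL listing `serials`; with delta_of set, it is a delta CRL."""
    b = (x509.CertificateRevocationListBuilder()
         .issuer_name(ISSUER).last_update(NOW)
         .next_update(NOW + dt.timedelta(hours=hours))
         .add_extension(x509.CRLNumber(number), critical=False))
    if delta_of is not None:   # names the base CRL this delta extends
        b = b.add_extension(x509.DeltaCRLIndicator(delta_of), critical=True)
    for s in serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(s).revocation_date(NOW)
                                      .build())
    return b.sign(KEY, hashes.SHA256())

def status(serial, base, delta, at):
    """'revoked', 'good', or 'stale' when the CRL pair cannot be relied on."""
    for crl in (base, delta):   # CA signature must verify and CRL be current
        if not crl.is_signature_valid(KEY.public_key()) or at > crl.next_update:
            return "stale"
    ind = delta.extensions.get_extension_for_class(x509.DeltaCRLIndicator).value
    base_no = base.extensions.get_extension_for_class(x509.CRLNumber).value
    if ind.crl_number > base_no.crl_number:
        return "stale"  # delta was built on a newer base than the one we hold
    revoked = {r.serial_number for r in base} | {r.serial_number for r in delta}
    return "revoked" if serial in revoked else "good"

def demo():
    base = build_crl([0x1001], number=7)
    delta = build_crl([0x1002], number=8, delta_of=7)
    old_base = build_crl([0x1001], number=6)
    return {
        "in_base": status(0x1001, base, delta, NOW),
        "in_delta": status(0x1002, base, delta, NOW),
        "not_listed": status(0x1003, base, delta, NOW),
        "expired": status(0x1003, base, delta, NOW + dt.timedelta(days=2)),
        "wrong_base": status(0x1003, old_base, delta, NOW),
    }
```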
4.5. Publishing
Certificates can be published to files and an LDAP directory, and CRLs to files, an LDAP directory, and
an OCSP responder. The publishing framework provides a robust set of tools to publish to all three
places and to set rules that define in more detail which types of certificates or CRLs are published
where.
4.6. Notifications
The notification feature sets up automated messages when a particular event occurs, such as when
a certificate is issued or revoked. The notification framework comes with default modules that can be
enabled and configured.
4.7. Jobs
The jobs feature sets up automated jobs that run at defined intervals.
4.8. Dual Key Pairs
The Certificate System supports generating dual key pairs, that is, separate key pairs for signing and
for encrypting email messages and other data. To support separate key pairs for signing and encrypting
data, dual certificates are generated for end entities, and the encryption keys are archived. If a client
makes a certificate request for dual key pairs, the server issues two separate certificates.
4.9. Cross-Pair Certificates
It is possible to create a trusted relationship between two separate CAs by issuing and storing
cross-signed certificates between these two CAs. By using cross-signed certificate pairs, certificates issued
outside the organization's PKI can be trusted within the system.
4.10. Logging
The Certificate System and each subsystem produce extensive system and error logs that record
system events so that the systems can be monitored and debugged. All log records are stored in the
local file system for quick retrieval. Logs are configurable, so logs can be created for specific types of
events and at the desired logging level.
Certificate System allows logs to be signed digitally before archiving them or distributing them for
auditing. This feature enables log files to be checked for tampering after being signed.