Red Hat Certificate System 8 Deployment Manual: Planning the Certificate System; Deciding on the Required Subsystems; Single Certificate Manager

Chapter 5. Planning the Certificate System

Each Red Hat Certificate System subsystem is installed and configured separately. They can all be
installed on the same machine, installed on separate servers, or have multiple instances installed
across an organization. Before installing any subsystem, it is important to plan the deployment out:
what kind of PKI services do you need? What are the network requirements? What people need to
access the Certificate System, what are their roles, and what are their physical locations? What kinds
of certificates do you want to issue, and what constraints or rules need to be set for them?
This chapter covers some basic questions for planning a Certificate System deployment. Many of
these decisions are interrelated; one choice impacts another. For example, deciding whether to use
smart cards determines whether the TPS and TKS subsystems need to be installed.

5.1. Deciding on the Required Subsystems

The Certificate System subsystems cover different aspects of managing certificates. Planning which
subsystems to install is one way of defining what PKI operations the deployment needs to perform.
Certificates, like software or equipment, have a lifecycle with defined stages. At its most basic, a
certificate goes through three steps:
• It is requested and issued.
• It is valid.
• It expires.
However, this simplified scenario does not cover a lot of common issues with certificates:
• What if an employee leaves the company before the certificate expires?
• When a CA signing certificate expires, all of the certificates issued and signed using that certificate
also expire. So will the CA signing certificate be renewed, allowing its issued certificates to remain
valid, or will it be reissued?
• What if an employee loses a smart card or leaves it at home? Will a replacement certificate be
issued using the original certificate's keys? Will the other certificates be suspended or revoked? Are
temporary certificates allowed?
• When a certificate expires, will a new certificate be issued or will the original certificate be renewed?
This introduces three other considerations for managing certificates: revocation, renewal, and
replacements.
Another consideration is the load on the certificate authority. Are there a lot of issuance or renewal
requests? Is there a lot of traffic from clients checking whether certificates are still valid? How are
people requesting certificates supposed to authenticate their identity, and does that process slow
down issuance?
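The renewal-versus-reissue question above has a concrete consequence for validity: a certificate can only be validated while every certificate up its chain is also within its validity period. The following Python model, added here as an illustration and not taken from the Red Hat manual, computes that effective window for a constructed two-level chain (a CA and one employee certificate with made-up dates) and contrasts renewing the CA (same subject and keys, extended validity, so existing certificates keep chaining to it) with reissuing it (a new certificate that existing certificates do not chain to).

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple

@dataclass
class CertWindow:
    """Minimal model of a certificate: its validity period and its issuer link.
    issuer is None for the self-signed root CA. Constructed for this example."""
    subject: str
    not_before: datetime
    not_after: datetime
    issuer: Optional["CertWindow"] = None

def effective_validity(cert: CertWindow) -> Optional[Tuple[datetime, datetime]]:
    """Intersect the certificate's own window with every issuer window up the
    chain; returns None when the intersection is empty."""
    start, end = cert.not_before, cert.not_after
    node = cert.issuer
    while node is not None:
        start, end = max(start, node.not_before), min(end, node.not_after)
        node = node.issuer
    return (start, end) if start < end else None

def is_valid_on(cert: CertWindow, iso_date: str) -> bool:
    """True when the whole chain is valid on the given YYYY-MM-DD date."""
    window = effective_validity(cert)
    when = datetime.fromisoformat(iso_date)
    return window is not None and window[0] <= when <= window[1]

def renew_ca(ca: CertWindow, new_not_after_iso: str) -> None:
    """Renewal keeps the CA's subject and keys, so issued certificates still
    chain to it; only the validity end date moves."""
    ca.not_after = datetime.fromisoformat(new_not_after_iso)

def reissue_ca(ca: CertWindow, new_not_after_iso: str) -> CertWindow:
    """Reissuing produces a new CA certificate; certificates issued under the old
    one keep pointing at the old object and gain nothing from it."""
    return CertWindow(ca.subject, ca.not_before, datetime.fromisoformat(new_not_after_iso))

def build_sample_chain() -> Tuple[CertWindow, CertWindow]:
    """Constructed sample: a CA valid for one year and an employee certificate
    issued six months in with a two-year lifetime that outlives the CA."""
    ca = CertWindow("CN=Example CA", datetime(2024, 1, 1), datetime(2025, 1, 1))
    leaf = CertWindow("CN=employee", datetime(2024, 6, 1), datetime(2026, 6, 1), issuer=ca)
    return ca, leaf

if __name__ == "__main__":
    ca, leaf = build_sample_chain()
    print("valid 2025-06-01 before CA renewal:", is_valid_on(leaf, "2025-06-01"))
    renew_ca(ca, "2027-01-01")
    print("valid 2025-06-01 after CA renewal:", is_valid_on(leaf, "2025-06-01"))
```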

5.1.1. Single Certificate Manager

The core of the Certificate System PKI is the Certificate Manager, a certificate authority. The CA
receives certificate requests and issues all certificates.