Defining The Certificate Authority Hierarchy - Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT Deployment Manual


After installation, the TPS configuration can be edited to use additional CA, DRM, and TKS instances
for failover support, so if the primary subsystem is unavailable, the TPS can switch to the next
available system without interrupting its token services.

5.2. Defining the Certificate Authority Hierarchy

The CA is the center of the PKI, so the relationship of CA systems, both to each other (CA hierarchy)
and to other subsystems (security domain), is vital to planning a Certificate System PKI.

When there are multiple CAs in a PKI, the CAs are structured in a hierarchy or chain. The CA above
another CA in a chain is called a root CA; a CA below another CA in the chain is called a subordinate
CA. A CA can also be subordinate to a root outside of the Certificate System deployment; for example,
a CA which functions as a root CA within the Certificate System deployment can be subordinate to a
third-party CA.

A Certificate Manager (or CA) is subordinate to another CA because its CA signing certificate,
the certificate that allows it to issue certificates, is issued by that other CA. The CA that issued the
subordinate CA signing certificate controls the subordinate CA through the contents of that CA signing
certificate. It can constrain the subordinate CA through the kinds of certificates it can issue, the
extensions it is allowed to include in certificates, the number of levels of subordinate CAs the
subordinate CA can create, and the validity period of the certificates it can issue, as well as the validity
period of the subordinate CA's signing certificate.

NOTE
Although a subordinate CA can create certificates that violate these constraints, a client
authenticating a certificate that violates those constraints will not accept that certificate.

A self-signed root CA signs its own CA signing certificate and sets its own constraints as well as
setting constraints on the subordinate CA signing certificates it issues.
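Two of the constraints above, the number of subordinate levels (the basicConstraints pathLenConstraint) and the validity period of the subordinate CA's signing certificate, can be seen in action with the Go standard library's crypto/x509 package. The program below is an added example, not Certificate System code; the CA names (Example Root CA, Example Sub CA, Unauthorised Sub-Sub CA), the subject names user1 and user2, and the dates are constructed for the demonstration. It builds a self-signed root with pathlen 1 and a subordinate with pathlen 0, then shows that an end-entity certificate is accepted while its issuer is valid but rejected once the subordinate's signing certificate expires, even though the end-entity certificate's own validity has not ended, and that the subordinate can still sign a further CA certificate (exactly as the NOTE says) while a relying party rejects anything chained through it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA pairs a certificate with the key that signs on its behalf (a helper
// type made up for this example; not part of Certificate System).
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// Hierarchy is the constructed test PKI; Base is its fixed clock origin.
type Hierarchy struct {
	Base                              time.Time
	Root, Sub, Leaf, SubSub, DeepLeaf *CA
}

// template builds a certificate template; for CAs, maxPathLen becomes the
// basicConstraints pathLenConstraint (0 is encoded explicitly as pathlen:0).
func template(cn string, serial int64, from time.Time, years int, isCA bool, maxPathLen int) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             from,
		NotAfter:              from.AddDate(years, 0, 0),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
		t.MaxPathLen, t.MaxPathLenZero = maxPathLen, maxPathLen == 0
	}
	return t
}

// issue generates a key for tmpl and has parent sign it (self-signed when
// parent is nil). Signing never consults the parent's pathlen, so a
// subordinate CA can always *create* a certificate that violates it.
func issue(tmpl *x509.Certificate, parent *CA) *CA {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &CA{Cert: cert, Key: key}
}

// BuildHierarchy creates root (10y, pathlen 1) -> sub (5y, pathlen 0) -> leaf
// (issued 4 years in for 2 years, so it outlives its issuer), plus a branch
// sub -> subsub -> deep leaf that sub's pathlen does not permit.
func BuildHierarchy() *Hierarchy {
	base := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC) // constructed clock origin
	root := issue(template("Example Root CA", 1, base, 10, true, 1), nil)
	sub := issue(template("Example Sub CA", 2, base, 5, true, 0), root)
	leaf := issue(template("user1", 3, base.AddDate(4, 0, 0), 2, false, 0), sub)
	subSub := issue(template("Unauthorised Sub-Sub CA", 4, base, 1, true, 0), sub)
	deepLeaf := issue(template("user2", 5, base, 1, false, 0), subSub)
	return &Hierarchy{base, root, sub, leaf, subSub, deepLeaf}
}

// VerifyAt validates leaf up to root through intermediates as a relying party
// would at time at; a nil result means the certificate is accepted.
func VerifyAt(leaf, root *CA, intermediates []*CA, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.Cert)
	for _, c := range intermediates {
		inters.AddCert(c.Cert)
	}
	_, err := leaf.Cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	h := BuildHierarchy()
	fmt.Println("issuer valid:  ", VerifyAt(h.Leaf, h.Root, []*CA{h.Sub}, h.Base.AddDate(4, 6, 0)))
	fmt.Println("issuer expired:", VerifyAt(h.Leaf, h.Root, []*CA{h.Sub}, h.Base.AddDate(5, 6, 0)))
	fmt.Println("beyond pathlen:", VerifyAt(h.DeepLeaf, h.Root, []*CA{h.Sub, h.SubSub}, h.Base.AddDate(0, 6, 0)))
}
```

The first line prints `<nil>` (accepted); the second reports the subordinate CA certificate as expired even though user1's own certificate still has six months left; the third reports too many intermediates for the path length constraint. The point for deployment planning is that a relying party enforces these limits at verification time, so a subordinate's validity period and pathlen effectively bound everything beneath it regardless of what that subordinate later signs.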
A Certificate Manager can be configured as either a root CA or a subordinate CA. It is easiest to make
the first CA installed a self-signed root, so that it is not necessary to apply to a third party and wait for
