Planning Authentication Methods - Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT Deployment Manual


Chapter 5. Planning the Certificate System
constraints. This validation procedure is only for verification and does not result in the request being
submitted. The agent is bound by the constraints set; they cannot change the request in such a way
that a constraint is violated. The signed approval is immediately processed, and a certificate is issued.
When a certificate profile is associated with an authentication method, the request is approved
immediately and generates a certificate automatically if the user successfully authenticates, all the
information required is provided, and the request does not violate any of the constraints set up for the
certificate profile. There are profile policies which allow user-supplied settings like subject names or
validity periods. The certificate profile framework can also preserve user-defined content set in the
original certificate request in the issued certificate.
The issued certificate contains the content defined in the defaults for this certificate profile, such as
the extensions and validity period for the certificate. The content of the certificate is constrained by
the constraints set for each default. Multiple sets of policies (defaults and constraints) can be
configured for one profile; the policies that belong to one set share the same value in the policy set
ID. This is particularly useful for dual-key enrollment, where encryption keys and signing keys are submitted to the
same profile. The server evaluates each set with each request it receives. When a single certificate
is issued, one set is evaluated, and any other sets are ignored. When dual-key pairs are issued, the
first set is evaluated with the first certificate request, and the second set is evaluated with the second
certificate request. There is no need for more than one set for issuing a single certificate or more than
two sets for issuing dual-key pairs.
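
The pairing of policy sets with requests described above can be modelled in a few lines. This is an added example, not code from the manual or from Certificate System; the property key layout, the class names and the sample profile fragment are assumptions constructed for illustration.

```python
# Added example: constructed dual-key profile fragment. The key layout
# (policyset.list, policyset.<set>.<n>.default/constraint.class_id) and the
# class names are assumptions, not text from this page.
SAMPLE_PROFILE = """\
policyset.list=encryptionCertSet,signingCertSet
policyset.encryptionCertSet.list=1
policyset.encryptionCertSet.1.default.class_id=keyUsageExtDefaultImpl
policyset.encryptionCertSet.1.constraint.class_id=keyUsageExtConstraintImpl
policyset.signingCertSet.list=1
policyset.signingCertSet.1.default.class_id=keyUsageExtDefaultImpl
policyset.signingCertSet.1.constraint.class_id=keyUsageExtConstraintImpl
"""

def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def parse_policy_sets(text):
    """Group policies by policy set ID, keeping the declared set order."""
    props = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    sets = {}
    for set_id in _csv(props.get("policyset.list", "")):
        sets[set_id] = {
            pid: {kind: props.get(f"policyset.{set_id}.{pid}.{kind}.class_id")
                  for kind in ("default", "constraint")}
            for pid in _csv(props.get(f"policyset.{set_id}.list", ""))
        }
    return sets

def assign_sets(sets, request_count):
    """Pair request N with set N; return (pairs, ignored set IDs).
    Assumption: a single request is evaluated against the first declared set."""
    ids = list(sets)
    if not 1 <= request_count <= len(ids):
        raise ValueError("no policy set for every request")
    return [(n + 1, ids[n]) for n in range(request_count)], ids[request_count:]

def lint(sets):
    """Flag sets beyond the two ever needed and policies missing a half."""
    findings = [f"unused policy set: {s}" for s in list(sets)[2:]]
    for set_id, policies in sets.items():
        for pid, halves in policies.items():
            findings += [f"{set_id}.{pid}: missing {kind}"
                         for kind, cls in halves.items() if not cls]
    return findings
```

Running `lint(parse_policy_sets(...))` over each profile kept in the PKI gives a quick review list before an agent approves the profile for enrollment.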
Tailor the profiles for the organization to the real needs and anticipated certificate types used by the
organization:
• Decide which certificate profiles are needed in the PKI. There should be at least one profile for each
type of certificate issued. There can be more than one certificate profile for each type of certificate
to set different authentication methods or different defaults and constraints for a particular type of
certificate. Any certificate profile available in the administrative interface can be approved by an
agent and then used by an end entity to enroll.
• Delete any certificate profiles that will not be used.
• Modify the existing certificate profiles for specific characteristics for the company's certificates.
  • Change the defaults set up in the certificate profile, the values of the parameters set in the
    defaults, or the constraints that control the certificate content.
  • Change the constraints set up by changing the value of the parameters.
  • Change the authentication method.
  • Change the inputs by adding or deleting inputs in the certificate profile, which control the fields on
    the input page.
  • Add or delete the output.

5.4.7. Planning Authentication Methods

As implied in Section 5.4.6, "Using and Customizing Certificate Profiles", authentication for the
certificate process means the way that a user or entity requesting a certificate proves that they are
who they say they are. There are three ways that the Certificate System can authenticate an entity:
• In agent-approved enrollment, end-entity requests are sent to an agent for approval. The agent
approves the certificate request.
