Red Hat Certificate System 8 Deployment Manual

Chapter 5. Planning the Certificate System
• If certificates are published to the directory, then every user or server to which a certificate is issued
must have a corresponding entry in the LDAP directory.
• If CRLs are published to the directory, then they must be published to an entry for the CA which
issued them.
• For SSL, the directory service has to be configured for SSL and, optionally, be configured to allow the
Certificate Manager to use certificate-based authentication.
• The directory administrator should configure appropriate access control rules to control DN (entry
name) and password-based authentication to the LDAP directory.

5.4.9. Renewing or Reissuing CA Signing Certificates

When a CA signing certificate expires, all certificates signed with the CA's corresponding signing key
become invalid. End entities use information in the CA certificate to verify the certificate's authenticity.
If the CA certificate itself has expired, applications cannot chain the certificate to a trusted CA.
There are two ways of resolving CA certificate expiration:
• Renewing a CA certificate involves issuing a new CA certificate with the same subject name and
public and private key material as the old CA certificate, but with an extended validity period.
As long as the new CA certificate is distributed to all users before the old CA certificate expires,
renewing the certificate allows certificates issued under the old CA certificate to continue working for
the full duration of their validity periods.
• Reissuing a CA certificate involves issuing a new CA certificate with a new name, public and
private key material, and validity period. This avoids some problems associated with renewing a CA
certificate, but it requires more work for both administrators and users to implement. All certificates
issued by the old CA, including those that have not yet expired, must be renewed by the new CA.
Each approach, renewing or reissuing a CA certificate, has its own advantages and drawbacks. Begin planning
the CA certificate renewal or reissuance before installing any Certificate Managers, and consider the
ramifications the planned procedures may have for extensions, policies, and other aspects of the PKI
deployment.
NOTE
Correct use of extensions, for example the authorityKeyIdentifier extension, can
affect the transition from an old CA certificate to a new one.
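The difference between the two approaches can be observed directly with OpenSSL. The script below is an added example; it is not part of the manual and not code from Certificate System. It assumes only that the openssl command-line tool is on the PATH, and every subject name, file name, and validity period in it is constructed for illustration. It issues an end-entity certificate under an original CA certificate, then produces both a renewed CA certificate (same subject name and key pair, longer validity) and a reissued one (new key pair and subject name), and checks which of them the existing end-entity certificate still chains to.

```shell
#!/bin/sh
# Added example, not from the Red Hat manual: renewing versus reissuing a CA
# signing certificate. Assumes the openssl CLI is available; all names, files
# and validity periods below are constructed for the demonstration.
set -e

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"

# Request profile shared by all certificates. The x509_extensions section is
# applied only when "openssl req -x509" builds a self-signed CA certificate.
cat > req.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Extension profile for end-entity certificates. authorityKeyIdentifier=keyid
# copies the issuing CA's subjectKeyIdentifier, which is derived from its key.
cat > ee.ext <<'EOF'
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# SHA-256 digest of the public key carried in a certificate (hex string).
pubkey_digest() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 if certificate $2 chains to the CA certificate in file $1.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 1. Original CA: one signing key and a short-lived self-signed certificate.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca.key 2>/dev/null
openssl req -x509 -new -key ca.key -config req.cnf -subj "/CN=Example Root CA" \
  -days 30 -out ca-v1.crt

# 2. An end-entity certificate issued under the original CA certificate.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ee.key 2>/dev/null
openssl req -new -key ee.key -config req.cnf -subj "/CN=server.example.test" -out ee.csr
openssl x509 -req -in ee.csr -CA ca-v1.crt -CAkey ca.key -CAcreateserial \
  -days 365 -extfile ee.ext -out ee.crt 2>/dev/null

# 3. Renewal: same subject name, SAME key pair, extended validity period.
openssl req -x509 -new -key ca.key -config req.cnf -subj "/CN=Example Root CA" \
  -days 3650 -out ca-renewed.crt

# 4. Reissue: a NEW key pair and a new subject name.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca2.key 2>/dev/null
openssl req -x509 -new -key ca2.key -config req.cnf -subj "/CN=Example Root CA G2" \
  -days 3650 -out ca-reissued.crt

# After a reissue, certificates issued by the old CA have to be re-signed by the new one.
openssl x509 -req -in ee.csr -CA ca-reissued.crt -CAkey ca2.key -CAcreateserial \
  -days 365 -extfile ee.ext -out ee-reissued.crt 2>/dev/null

echo "CA v1 key:       $(pubkey_digest ca-v1.crt)"
echo "CA renewed key:  $(pubkey_digest ca-renewed.crt)"
echo "CA reissued key: $(pubkey_digest ca-reissued.crt)"
chains_to ca-renewed.crt ee.crt && echo "existing EE cert chains to renewed CA: yes"
chains_to ca-reissued.crt ee.crt || echo "existing EE cert chains to reissued CA: no"
chains_to ca-reissued.crt ee-reissued.crt && echo "re-signed EE cert chains to reissued CA: yes"
```

Because renewal keeps the key pair, the renewed CA certificate carries the same subjectKeyIdentifier as the original, so the authorityKeyIdentifier already embedded in every issued certificate still matches and chain building succeeds once the renewed certificate has been distributed. The reissued CA certificate has a different key and name, so existing certificates no longer chain to it and each one has to be re-signed, which is the extra work for administrators and users that the text describes.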

5.5. Planning for Network and Physical Security

When deploying any Certificate System subsystem, the physical and network security of the
subsystem instance has to be considered because of the sensitivity of the data generated and stored
by the subsystems.

5.5.1. Considering Firewalls

There are two considerations about using firewalls with Certificate System subsystems:
• Protecting sensitive subsystems from unauthorized access