Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT Deployment Manual page 87


certificates. The Certificate System automatically generates these files in the filesystem of its host
machine when first using the internal token. These files are created during the Certificate System
subsystem configuration if the internal token was selected for key-pair generation.
These security databases are located in the /var/lib/subsystem_name/alias directory.
An external token refers to an external hardware device, such as a smart card or hardware security
module (HSM), that the Certificate System uses to generate and store its key pairs and certificates.
The Certificate System supports any hardware tokens that are compliant with PKCS #11.
PKCS #11 is a standard set of APIs and shared libraries which isolate an application from the details
of the cryptographic device. This enables the application to provide a unified interface for PKCS #11-
compliant cryptographic devices.
The PKCS #11 module implemented in the Certificate System supports cryptographic devices supplied
by many different manufacturers. This module allows the Certificate System to plug in shared libraries
supplied by manufacturers of external encryption devices and use them for generating and storing
keys and certificates for the Certificate System managers.
Consider using external tokens for generating and storing the key pairs and certificates used by
Certificate System. These devices are another security measure to safeguard private keys because
hardware tokens are sometimes considered more secure than software tokens.
Before using external tokens, plan how the external token is going to be used with the subsystem:
• All system keys for a subsystem must be generated on the same token.
• The subsystem must be installed in an empty HSM slot. If the HSM slot has previously been used
to store other keys, then use the HSM vendor's utilities to delete the contents of the slot. The
Certificate System has to be able to create certificates and keys on the slot with default nicknames.
If not properly cleaned up, the names of these objects may collide with previous instances.
The Certificate System can also use hardware cryptographic accelerators with external tokens. Many
of the accelerators provide the following security features:
• Fast SSL connections. Speed is important to accommodate a high number of simultaneous
enrollment or service requests.
• Hardware protection of private keys. These devices behave like smart cards by not allowing private
keys to be copied or removed from the hardware token. This is important as a precaution against
key theft from an active attack of an online Certificate Manager.
By default, the Certificate System supports the nCipher netHSM hardware security module (HSM).
Certificate System-supported HSMs are automatically added to the secmod.db database with
modutil during the pre-configuration stage of the installation, if the PKCS #11 library modules are in
the default installation paths.
During configuration, the Security Modules panel displays the supported modules, along with the
NSS internal software PKCS #11 module. All supported modules that are detected show a status of
Found and are individually marked as either Logged in or Not logged in. If a token is found but not
logged in, it is possible to log in using Login under Operations. If the administrator can log into
a token successfully, the password is stored in a configuration file. At the next start or restart of the
Certificate System instance, the passwords in the password store are used to attempt a login for each
corresponding token.
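As an added example (not part of the manual), the following parser reads the output of `modutil -list` against a subsystem's alias directory and reports whether a token is offered by a loaded module, which is the "Found" state the Security Modules panel displays. The sample output is constructed: the vendor module name, library path and token label are placeholders.

```python
import re

# Constructed sample of `modutil -dbdir /var/lib/<subsystem>/alias -list` output; the
# layout follows modutil, but the vendor module, library path and token are placeholders.
SAMPLE_MODUTIL_LIST = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. example-hsm
        library name: /path/to/vendor/libpkcs11.so
        status: loaded

         slot: example-hsm-slot-0
        token: hsm-token-01
-----------------------------------------------------------
"""

def parse_modutil_list(text):
    """Return one dict per registered PKCS #11 module: name, library, status, tokens."""
    modules = []
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"^\d+\.\s+(.+)$", line)
        if head:  # "  1. <module name>" opens a new module entry
            modules.append({"name": head.group(1), "library": "",
                            "status": "unknown", "tokens": []})
        elif modules and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            if key == "library name":
                modules[-1]["library"] = value
            elif key == "status":
                modules[-1]["status"] = value
            elif key == "token":
                modules[-1]["tokens"].append(value)
    return modules

def token_status(modules, token_name):
    """'Found' when a loaded module exposes the token, else 'Not found' (login state is not in modutil output)."""
    for mod in modules:
        if token_name in mod["tokens"] and mod["status"] == "loaded":
            return "Found"
    return "Not found"
```

Running the real command on the instance's alias directory and feeding its output to `parse_modutil_list` confirms that the vendor library was registered in secmod.db during pre-configuration.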
Tokens for Storing Certificate System Subsystem Keys and Certificates
77
