Agent Services; Overview Of Certificate System; Certificate System Subsystems - Red Hat CERTIFICATE SYSTEM 8 - AGENTS GUIDE Agents Manual

Using web-based agent services

Chapter 1. Agent Services

This chapter describes the role of the privileged users, agents, in managing Certificate System
subsystems. It also introduces the tools that agents use to administer service requests.

1.1. Overview of Certificate System

The Red Hat Certificate System is a highly configurable set of software components and tools for
creating, deploying, and managing certificates. The standards and services that facilitate the use of
public-key cryptography and X.509 version 3 certificates in a networked environment are collectively
called the public-key infrastructure (PKI) for that environment. In any PKI, a certificate authority (CA) is
a trusted entity that issues, renews, and revokes certificates. An end entity is a person, server, or other
entity that uses a certificate to identify itself.

To participate in a PKI, an end entity must enroll, or register, in the system. The end entity typically
initiates enrollment by giving the CA some form of identification and a newly generated public key. The
CA uses the information provided to authenticate, or confirm, the identity, then issues the end entity a
certificate that associates that identity with the public key and signs the certificate with the CA's own
private signing key.

End entities and CAs can exist in different geographic or organizational areas or in completely different
organizations. CAs may include third parties that provide services through the Internet as well as the
root CAs and subordinate CAs for individual organizations. Policies and certificate content may vary
from one organization to another. End-entity enrollment for some certificates may require physical
verification, such as an interview or notarized documents, while enrollment for others may be fully
automated.

1.1.1. Certificate System Subsystems

To meet the widest possible range of configuration requirements, the Certificate System permits
independent installation of five separate subsystems, or managers, that play distinct roles.

1.1.1.1. Certificate Manager

A Certificate Manager functions as a root or subordinate certificate authority (CA). This subsystem
issues, renews, and revokes certificates and generates certificate revocation lists (CRLs). It can also
publish certificates, files, and CRLs to an LDAP directory, to files, and to an online certificate status
protocol (OCSP) responder.

The Certificate Manager can process requests manually (with agent action) or automatically (based on
customizable profiles). Publishing tasks can only be performed by the Certificate Manager.

The Certificate Manager also has a built-in OCSP service, enabling OCSP-compliant clients to query
the Certificate Manager directly about the revocation status of a certificate that it has issued. In certain
PKI deployments, it might be convenient to use the Certificate Manager's built-in OCSP service,
instead of a separate Online Certificate Status Manager.

Because CAs can delegate some responsibilities to subordinate CAs, a Certificate Manager might
share its load among one or more levels of subordinate Certificate Managers.

Subsystems can also be cloned. All clones use the same keys and certificates as the master, which
means that the master and clones essentially all function as a single CA. Many complex deployment
scenarios are possible.