Ocsp Signing Key Pair And Certificate; Ssl Server Key Pair And Certificate; Certificate Considerations - Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION Administration Manual


Chapter 4. Certificate Manager

4.2.2. OCSP Signing Key Pair and Certificate

The key type, key size, key algorithm, and validity period provided for the CA signing key pair are
used to generate the OCSP signing key pair. The subject name of the OCSP signing certificate is
in the form cn=OCSP cert-instance_ID, and it contains extensions, such as OCSPSigning and
OCSPNoCheck, required for signing OCSP responses.
The default nickname for the OCSP signing certificate is ocspSigningCert cert-instance_ID,
where instance_ID identifies the Certificate Manager instance.
The OCSP private key, corresponding to the OCSP signing certificate's public key, is used by the
Certificate Manager to sign the OCSP responses to the OCSP-compliant clients when queried about
certificate revocation status.
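As an added example (not from the Red Hat manual), the following shell script uses OpenSSL to mint a throwaway issuing CA and an OCSP signing certificate carrying the OCSPSigning and OCSPNoCheck extensions the text describes, then checks a certificate for both; the instance ID pki-ca and the subject names are constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from Red Hat Certificate System: build an OCSP
# signing certificate with the extensions the manual names, then verify them.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_SUBJ="/CN=Example CA"          # constructed stand-in for the CA signing cert
OCSP_SUBJ="/CN=OCSP cert-pki-ca"  # cn=OCSP cert-instance_ID form; pki-ca is hypothetical

# Self-signed issuing CA (plays the Certificate Manager's CA signing key pair).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$CA_SUBJ" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Extension profile for an OCSP responder certificate: OCSPSigning EKU plus
# the OCSP No Check extension (value is ignored by OpenSSL, only presence counts).
cat > "$WORK/ocsp.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = OCSPSigning
noCheck = ignore
EOF

openssl req -new -newkey rsa:2048 -nodes -subj "$OCSP_SUBJ" \
  -keyout "$WORK/ocsp.key" -out "$WORK/ocsp.csr" 2>/dev/null
openssl x509 -req -in "$WORK/ocsp.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -extfile "$WORK/ocsp.ext" -out "$WORK/ocsp.pem" 2>/dev/null

# check_ocsp_signer CERT: succeed only when the certificate carries both the
# OCSP Signing extended key usage and the OCSP No Check extension.
check_ocsp_signer() {
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -q 'OCSP Signing' || return 1
  printf '%s\n' "$text" | grep -q 'OCSP No Check' || return 1
  return 0
}

check_ocsp_signer "$WORK/ocsp.pem"
# The CA certificate lacks both extensions and must be rejected.
if check_ocsp_signer "$WORK/ca.pem"; then
  echo "CA certificate wrongly accepted as OCSP signer" >&2
  exit 1
fi
echo "OCSP signing certificate carries OCSPSigning and OCSPNoCheck"
```

Run the same check_ocsp_signer function against an exported ocspSigningCert to confirm a deployed responder certificate has the expected extensions.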

4.2.3. SSL Server Key Pair and Certificate

Every Certificate Manager has at least one SSL server certificate that was first generated when
the Certificate Manager was installed. The default nickname for the certificate is Server-Cert
cert-instance_ID, where instance_ID identifies the Certificate Manager instance.
The Certificate Manager SSL server certificate was issued by the CA to which the certificate signing
request was submitted, which is the Certificate Manager itself, another Certificate System CA, or a
public CA.
By default, the Certificate Manager uses a single SSL server certificate for authentication. However,
additional server certificates can be requested to use for different operations, such as configuring the
Certificate Manager to use separate server certificates for authenticating to the end-entity services
interface and agent services interface.
If the Certificate Manager is configured for SSL-enabled communication with a publishing directory,
it uses its SSL server certificate for client authentication to the publishing directory by default. The
Certificate Manager can also be configured to use a different certificate for SSL client authentication.
If the Certificate Manager is configured to function as a trusted manager, the Certificate Manager
uses its subsystem certificate for client authentication to another subsystem. For details on trusted
managers, see Section 17.1.2.5, "Trusted Managers". The Certificate Manager can also be configured
to use a different certificate to authenticate to the DRM.

4.2.4. Certificate Considerations

There are certain details of the certificate contents that are set during the Certificate Manager
configuration. These are described in the following sections.

4.2.4.1. CA Distinguished Name

The core elements of a CA are a signing unit and the Certificate Manager identity. The signing
unit digitally signs certificates requested by end entities. A Certificate Manager must have its own
distinguished name (DN), which is listed in every certificate it issues.
Like any other certificate, a CA certificate binds a DN to a public key. A DN is a series of name-value
pairs that in combination uniquely identify an entity. For example, the following DN identifies a
Certificate Manager for the Engineering department of a corporation named Example Corporation:
