8.5.2.3. Step 3: Configuring the TPS to Generate and Archive Keys
1. Stop the TPS.
/etc/init.d/instance_ID stop
2. Edit the following parameters in the TPS CS.cfg file to use the appropriate DRM connection
information:
conn.drm.totalConns=1
conn.drm1.hostport=DRM_HOST:DRM_SSLPORT
conn.drm1.clientNickname=Server-Cert
conn.drm1.servlet.GenerateKeyPair=/kra/GenerateKeyPair
conn.drm1.servlet.TokenKeyRecovery=/kra/TokenKeyRecovery
conn.drm1.retryConnect=3
conn.drm1.SSLOn=true
conn.drm1.keepAlive=false
3. Also edit the smart card profiles in the TPS CS.cfg file.
The TPS CS.cfg file has a section defining each type of smart card profile to maintain. In the
default configuration, the userKey is defined under the op.enroll.userKey subsection. The
keyGen subsection of the userKey profile defines each type of key/certificate pair allowed for that
type of smart card. In the default configuration, one of the key/certificate pairs is encryption. Set
the following parameters to enable server-side key generation and to archive keys:
op.enroll.userKey.keyGen.encryption.serverKeygen.enable=true
op.enroll.userKey.keyGen.encryption.serverKeygen.drm.conn=drm1
op.enroll.userKey.keyGen.encryption.serverKeygen.archive=true
op.enroll.userKey.keyGen.encryption.serverKeygen.encryptPrivKey=true
4. Restart the TPS subsystem.
/etc/init.d/instance_ID restart
8.5.3. Looking at Smart Card Certificate Enrollment Profiles
The CA subsystem has four default smart card enrollment profiles which the TPS is configured, by
default, to use:
• caTokenUserEncryptionKeyEnrollment.cfg
• caTokenUserSigningKeyEnrollment.cfg
• caTempTokenUserEncryptionKeyEnrollment.cfg
• caTempTokenUserSigningKeyEnrollment.cfg
The profile configuration files are in the /var/lib/instance_ID/profiles/ca/ directory.
Administrators can customize these profiles. For instance, a profile could be edited to include the user's email address in the Subject Alternative Name extension; the email address is retrieved from the authentication directory. To configure the CA for LDAP access, change the following parameters in the profile files, with the appropriate directory information: