Red Hat Certificate System 7.3 Administration Manual

Chapter 1. Overview

This chapter provides an overview of Red Hat Certificate System, a highly configurable set of software
components and tools for creating, deploying, and managing certificates. Based on open standards for
certificate management, Certificate System provides a complete, customizable, robust, scalable, and
high-performance certificate management solution for public-key infrastructure (PKI), extranets, and
intranets.

1.1. Features

This section discusses the Certificate System features.

1.1.1. Subsystems

The Certificate System is installed on each host that runs a Certificate System subsystem. The
subsystems on that host are then installed with a default configuration that covers basic administrative
tasks such as logging and that contains configurable, subsystem-specific plug-in modules. More than one
subsystem can be installed on each host, and multiple instances of one subsystem can be installed on
the same host or on different hosts.
The Certificate System has five highly configurable subsystems, which provide flexibility in designing
the PKI. The five subsystems that comprise Certificate System are as follows:
• The Certificate Manager is the subsystem that provides Certificate Authority (CA) functionality for issuing,
revoking, and publishing certificates and for creating and publishing CRLs. See Chapter 4, Certificate
Manager for details.
• The Online Certificate Status Manager is an optional subsystem that provides OCSP responder
services: it stores CRLs for CAs and can distribute the load of verifying certificate status. See
Chapter 6, Online Certificate Status Protocol Responder for details.
• The Data Recovery Manager (DRM) is an optional subsystem that provides private encryption key
storage and retrieval. See Chapter 7, Data Recovery Manager for details.
• The Token Key Service (TKS) manages one or more master keys required to set up secure
channels directly to the token management system. Privileged operations such as key
generation can only be requested on the tokens through a secure channel.
• The Token Processing System (TPS) provides the registration authority functionality in the token
management infrastructure and establishes secure channels between the Enterprise Security Client
and the back-end subsystems. See Chapter 8, Token Processing System for more information on
using the TPS to manage tokens.
The subsystems are highly integrated with each other, depending on the deployment scenario and use.
OCSP and CA instances work together for CRL publishing and certificate verification. CA and DRM
instances work together for key recovery and archival. Smart card tokens, which are processed through
a user interface called the Enterprise Security Client, are managed by the TPS. The TPS, however,
must be configured to work with at least two essential subsystem instances: a TKS to generate keys and
a CA to process token operations. A TPS can also be configured to use a DRM for server-side key
generation and key archival and recovery.
