Dual Key Pairs; Hsms And Crypto Accelerators; Support For Open Standards - Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION Administration Manual

Chapter 1. Overview

1.1.17. Dual Key Pairs

The Certificate System supports generating dual key pairs, separate key pairs for signing and
encrypting email messages and other data. To support separate key pairs for signing and encrypting
data, dual certificates are generated for end entities, and the encryption keys are archived. If a client
makes a certificate request for dual key pairs, the server issues two separate certificates.
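The following Python example is added here to illustrate the key-usage separation behind dual key pairs; it is not code from Red Hat Certificate System. It assumes the conventional split from RFC 5280: the signing certificate carries digitalSignature and nonRepudiation, the encryption certificate carries keyEncipherment and dataEncipherment, and only the encryption key is eligible for archival. The DER values it works on are constructed KeyUsage extension values (the X.509 version 3 extension the server places in each of the two certificates), not certificates taken from a live system.

```python
"""Key-usage separation for dual key pairs.

Added example, not Red Hat Certificate System code. The RFC 5280 KeyUsage
extension value is a DER BIT STRING: tag 0x03, a length octet, an
unused-bit count, then the named bits with bit 0 (digitalSignature) as the
most significant bit of the first content octet.
"""

# Named bit positions from RFC 5280, section 4.2.1.3.
KEY_USAGE_BITS = {
    "digitalSignature": 0,
    "nonRepudiation": 1,
    "keyEncipherment": 2,
    "dataEncipherment": 3,
    "keyAgreement": 4,
    "keyCertSign": 5,
    "cRLSign": 6,
    "encipherOnly": 7,
    "decipherOnly": 8,
}

# Assumed split between the two certificates of a dual key pair. Only the
# encryption usages are eligible for key archival: an escrowed signing key
# would undermine the non-repudiation value of its signatures.
SIGNING_USAGES = frozenset({"digitalSignature", "nonRepudiation"})
ENCRYPTION_USAGES = frozenset({"keyEncipherment", "dataEncipherment"})


def encode_key_usage(usages):
    """DER-encode a set of usage names as a KeyUsage BIT STRING.

    DER drops trailing zero bits of a named bit list, so the length and the
    unused-bit count depend on the highest bit that is set.
    """
    positions = sorted(KEY_USAGE_BITS[u] for u in usages)
    if not positions:
        return b"\x03\x01\x00"  # empty BIT STRING
    nbits = positions[-1] + 1
    nbytes = (nbits + 7) // 8
    value = 0
    for pos in positions:
        value |= 1 << (nbytes * 8 - 1 - pos)
    content = bytes([nbytes * 8 - nbits]) + value.to_bytes(nbytes, "big")
    return b"\x03" + bytes([len(content)]) + content


def decode_key_usage(der):
    """Parse a DER KeyUsage BIT STRING back into the set of usage names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad length (KeyUsage always uses the short form)")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused != 0):
        raise ValueError("bad unused-bit count")
    total_bits = len(body) * 8 - unused
    return {
        name
        for name, pos in KEY_USAGE_BITS.items()
        if pos < total_bits and body[pos // 8] & (0x80 >> (pos % 8))
    }


def split_dual_key_usages(requested):
    """Divide the usages of a dual-key-pair request between two certificates.

    Returns (signing_der, encryption_der), mirroring the server issuing two
    separate certificates for one request.
    """
    requested = set(requested)
    unknown = requested - set(KEY_USAGE_BITS)
    if unknown:
        raise ValueError(f"unknown key usages: {sorted(unknown)}")
    signing = requested & SIGNING_USAGES
    encryption = requested & ENCRYPTION_USAGES
    leftover = requested - signing - encryption
    if leftover:
        raise ValueError(f"not assignable to a dual key pair: {sorted(leftover)}")
    if not signing or not encryption:
        raise ValueError("a dual key pair needs a signing and an encryption usage")
    return encode_key_usage(signing), encode_key_usage(encryption)


def archivable(der):
    """True only when every usage in the certificate is an encryption usage."""
    return decode_key_usage(der) <= ENCRYPTION_USAGES


def check_dual_key_pair(signing_der, encryption_der):
    """Audit two issued certificates; returns a list of problems (empty = ok)."""
    s, e = decode_key_usage(signing_der), decode_key_usage(encryption_der)
    problems = []
    if s & e:
        problems.append(f"usages shared by both certificates: {sorted(s & e)}")
    if not s <= SIGNING_USAGES or "digitalSignature" not in s:
        problems.append(f"signing certificate has usages {sorted(s)}")
    if not e <= ENCRYPTION_USAGES or "keyEncipherment" not in e:
        problems.append(f"encryption certificate has usages {sorted(e)}")
    return problems


if __name__ == "__main__":
    sign_der, enc_der = split_dual_key_usages(
        ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment"]
    )
    print("signing   :", sign_der.hex(), sorted(decode_key_usage(sign_der)))
    print("encryption:", enc_der.hex(), sorted(decode_key_usage(enc_der)))
    print("pair ok   :", check_dual_key_pair(sign_der, enc_der) == [])
    # Constructed single-certificate value mixing digitalSignature with
    # keyEncipherment; it fails the dual-key-pair audit.
    print("mixed cert:", check_dual_key_pair(b"\x03\x02\x05\xa0", enc_der))
```

The audit in check_dual_key_pair is the check an administrator would want before enabling key archival for a profile: a certificate that is both a signing and an encryption certificate cannot be archived without escrowing the signing key as well.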

1.1.18. HSMs and Crypto Accelerators

The Certificate System supports hardware security modules (HSMs) and crypto accelerators provided
by third-party vendors of PKCS #11-compliant tokens.
The server can be configured to use different PKCS #11 modules to generate and store key pairs
(and certificates) for all Certificate System subsystems (CA, DRM, OCSP, TKS, and TPS). PKCS #11
hardware devices also provide key backup and recovery features for the information stored on the
hardware token. Refer to the PKCS #11 vendor documentation for information on retrieving keys from
the tokens.

1.1.19. Support for Open Standards

The Certificate System supports open standards and protocols so that its subsystems can
communicate across a heterogeneous computing environment. Some of the standards and areas
which the Certificate System supports include the following:
• Formulates, signs, and issues industry-standard X.509 version 3 public-key certificates; version 3
certificates include extensions that make it easy to include organization-defined attributes. These
certificates are used for extranet and Internet authentication.
• Supports the RSA public-key algorithm for signing and encryption, and the MD2, MD5, SHA-1,
SHA-256, and SHA-512 algorithms for hashing.
• Supports signature key lengths of up to 4096 bits for RSA.
• Supports multiple message formats, such as KEYGEN/SPKAC, CRMF/CMMF, PKCS #10, and
CMC for certificate requests. All requests are delivered to the Certificate System over HTTP or
HTTPS.
• Supports certificate formats for SSL-based client and server authentication, Secure Multipurpose
Internet Mail Extensions (S/MIME) message signing and encryption, and VPN clients.
• Supports generating and publishing CRLs conforming to X.509 version 1 and 2.
• Publishes certificates and CRLs to any LDAP-compliant directory over LDAP and HTTP/HTTPS
connections.
• Publishes certificates and CRLs to a flat file for importing into other resources. For example, the
sample code for the Flat File CRL and certificate publisher can be customized to store certificates
and CRLs in an Oracle RDBMS.
• Publishes CRLs to an online validation authority (or OCSP responder) for real-time certificate
verification by OCSP-compliant clients.