How the Certificate Manager Works
1.2.1.5. Revocation and CRLs
Revoking certificates can be initiated either by an agent or by the end user. An administrator can also
revoke the certificates of any of the subsystems or agents.
The Certificate System also supports CMC revocation. When the CMCAuth plug-in is enabled, CMC
enrollment and CMC revocation are both enabled. CMC revocation sends signed revocation requests
that are automatically processed.
The Certificate System can create certificate revocation lists (CRLs) that it can publish to files, an
LDAP directory, or to an OCSP responder. It is also possible to create CRLs through certificate issuing
points, which allows more than one CRL to be defined by the issuing point. Lastly, creating delta CRLs
creates a list which contains only the certificates that were revoked since the last CRL was produced.
See Chapter 14, Revocation and CRLs for details.
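The following is an added example, not code from the Certificate System documentation or product, illustrating the full-CRL/delta-CRL relationship the paragraph above describes: a full CRL lists every revoked certificate, a delta CRL lists only what was revoked since a named full CRL, and a relying party must combine the two correctly. The CRL numbers, the BaseCRLNumber link from a delta to its full CRL and the "delta applies only to a base in range" check follow RFC 5280 section 5.2.4; the in-memory revocation record, serial numbers and timestamps are constructed for the example.

```python
"""Full and delta CRL issuance plus the relying-party check that combines them.

Constructed illustration, not Certificate System code. CRL numbering and the
delta CRL indicator (BaseCRLNumber) follow RFC 5280 5.2.4; the revocation
record, serials and times are made up for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revocation_time: datetime
    reason: str  # CRLReason name, e.g. "keyCompromise"


@dataclass(frozen=True)
class CRL:
    crl_number: int
    this_update: datetime
    entries: tuple[RevokedEntry, ...]
    base_crl_number: int | None = None  # set only on a delta CRL

    @property
    def is_delta(self) -> bool:
        return self.base_crl_number is not None


class RevocationAuthority:
    """Keeps the CA's revocation record and issues full and delta CRLs."""

    def __init__(self) -> None:
        self._revoked: list[RevokedEntry] = []
        self._next_crl_number = 1
        self._last_full: CRL | None = None

    def revoke(self, serial: int, reason: str, when: datetime) -> None:
        if any(e.serial == serial for e in self._revoked):
            raise ValueError(f"serial {serial:#x} is already revoked")
        self._revoked.append(RevokedEntry(serial, when, reason))

    def issue_full_crl(self, now: datetime) -> CRL:
        """A full CRL lists every certificate revoked so far."""
        crl = CRL(self._next_crl_number, now, tuple(self._revoked))
        self._next_crl_number += 1
        self._last_full = crl
        return crl

    def issue_delta_crl(self, now: datetime) -> CRL:
        """A delta CRL lists only the entries added since the last full CRL."""
        if self._last_full is None:
            raise RuntimeError("issue a full CRL before any delta")
        listed = {e.serial for e in self._last_full.entries}
        new_entries = tuple(e for e in self._revoked if e.serial not in listed)
        crl = CRL(self._next_crl_number, now, new_entries,
                  base_crl_number=self._last_full.crl_number)
        self._next_crl_number += 1
        return crl


def revoked_serials(full: CRL, delta: CRL | None = None) -> set[int]:
    """Relying-party view: a full CRL, optionally updated by one delta.

    The delta applies only if BaseCRLNumber <= full.crl_number < delta.crl_number;
    anything else means a mismatched pair or a delta older than the full CRL.
    """
    if full.is_delta:
        raise ValueError("first argument must be a full CRL")
    serials = {e.serial for e in full.entries}
    if delta is None:
        return serials
    if not delta.is_delta:
        raise ValueError("second argument must be a delta CRL")
    if not (delta.base_crl_number <= full.crl_number < delta.crl_number):
        raise ValueError(f"delta #{delta.crl_number} (base #{delta.base_crl_number}) "
                         f"does not apply to full CRL #{full.crl_number}")
    return serials | {e.serial for e in delta.entries}


def demo() -> dict:
    """One full/delta cycle, returning what a relying party would observe."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ca = RevocationAuthority()
    ca.revoke(0x1001, "keyCompromise", t0)
    full = ca.issue_full_crl(t0 + timedelta(hours=1))
    ca.revoke(0x1002, "cessationOfOperation", t0 + timedelta(hours=2))
    delta = ca.issue_delta_crl(t0 + timedelta(hours=3))
    combined = revoked_serials(full, delta)
    newer_full = ca.issue_full_crl(t0 + timedelta(days=1))
    try:
        revoked_serials(newer_full, delta)  # delta predates this full CRL: refuse it
        stale_refused = False
    except ValueError:
        stale_refused = True
    return {
        "full_number": full.crl_number,
        "full_serials": sorted(e.serial for e in full.entries),
        "delta_number": delta.crl_number,
        "delta_base": delta.base_crl_number,
        "delta_serials": sorted(e.serial for e in delta.entries),
        "combined": sorted(combined),
        "newer_full_serials": sorted(e.serial for e in newer_full.entries),
        "stale_delta_refused": stale_refused,
    }
```

The range check in `revoked_serials` is the part relying parties most often get wrong: a delta fetched before the latest full CRL was published must not be layered on top of that newer full CRL, because the numbering no longer lines up and the delta may omit or duplicate entries.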
1.2.2. How the Certificate Manager Works
The next sections describe the different operations of the Certificate Manager and the associated
processes and configuration settings.
1.2.2.1. Accepting Enrollment Requests
The Certificate Manager server has an end-entities page with the forms for different types of
certificates and users. This interface can be customized to limit the forms that are available, change
the appearance of the pages, or add or delete fields. Certificate requests that come through the
Certificate Manager's end-entities page are processed by the Certificate Manager. If it is an agent-
approved enrollment, an agent of the Certificate Manager must approve the request. If it is an
automated enrollment, the request is approved if the end entity supplies the correct information and
authenticates successfully.
1.2.2.2. Authentication Methods
Authentication plug-ins set up automated enrollment and configure the methods for the end entity
to authenticate itself. For agent-approved enrollment, the agent approves the request by default.
Each end-entity form is associated with a particular authentication method which is configured in the
certificate profile, either one of the automated methods or the agent-approved method. The Certificate
Manager processes the request according to the method associated with the form.
1.2.2.3. Processing Requests
When the Certificate Manager processes requests from its end-entities page, it first considers the
authentication method. If it is an agent-approved authentication method, the request is queued in
the agent services interface where it awaits agent approval. The agent can change some aspects of
the certificate that will be issued and can approve, deny, or change the status of the request. For an
automated enrollment, the CA authenticates the user and continues processing the request.
The Certificate Manager next evaluates the request to ensure that it meets the certificate profile set for
this type of enrollment.
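The following is an added example, not code from the Certificate System documentation or product, that models the processing order described in the last two sections: the authentication method is considered first (agent-approved requests are queued for an agent, automated requests are authenticated), and only then is the request checked against the certificate profile. The profile names, the directory-password method, the constraint and default fields, the user directory and the agent queue are assumptions constructed for the example.

```python
"""Route an enrollment request by authentication method, then check it against
a certificate profile (defaults applied first, constraints enforced second).

Constructed illustration, not Certificate System code: profile names, the
directory-password method, the constraint fields and the agent queue are
assumptions chosen to mirror the flow described in the text.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from enum import Enum


class AuthMethod(Enum):
    AGENT_APPROVED = "agent-approved"
    DIRECTORY_PASSWORD = "directory-password"  # assumed automated method


class Status(Enum):
    PENDING_AGENT = "queued for agent approval"
    REJECTED_AUTH = "rejected: authentication failed"
    REJECTED_PROFILE = "rejected: profile constraint violated"
    ISSUED = "issued"


@dataclass(frozen=True)
class Profile:
    """Ties an authentication method to constraints and defaults."""
    name: str
    auth_method: AuthMethod
    allowed_key_usages: frozenset[str]  # constraint
    max_validity_days: int              # constraint
    default_key_usages: frozenset[str]  # default when the form leaves it blank
    default_validity_days: int          # default when the form leaves it blank


@dataclass
class Request:
    request_id: int
    subject: str
    uid: str | None = None
    password: str | None = None
    key_usages: frozenset[str] | None = None
    validity_days: int | None = None


@dataclass
class Outcome:
    status: Status
    detail: list[str] = field(default_factory=list)
    certificate: dict | None = None


def _pw_hash(uid: str, password: str) -> bytes:
    # Constructed directory credential store; a real directory keeps its own
    # per-user random salt alongside the hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"salt:" + uid.encode(), 20_000)


USER_DIRECTORY = {"alice": _pw_hash("alice", "correct horse")}  # constructed user


def authenticate(request: Request) -> bool:
    if request.uid is None or request.password is None:
        return False
    stored = USER_DIRECTORY.get(request.uid)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _pw_hash(request.uid, request.password))


def evaluate_profile(profile: Profile, request: Request) -> Outcome:
    """Fill in the profile's defaults, then enforce its constraints."""
    usages = request.key_usages if request.key_usages is not None else profile.default_key_usages
    validity = request.validity_days if request.validity_days is not None else profile.default_validity_days
    problems = []
    not_allowed = usages - profile.allowed_key_usages
    if not_allowed:
        problems.append(f"key usage not permitted by profile {profile.name}: {sorted(not_allowed)}")
    if validity > profile.max_validity_days:
        problems.append(f"validity {validity}d exceeds profile maximum of {profile.max_validity_days}d")
    if problems:
        return Outcome(Status.REJECTED_PROFILE, problems)
    return Outcome(Status.ISSUED, certificate={"subject": request.subject, "profile": profile.name,
                                               "key_usages": sorted(usages), "validity_days": validity})


class CertificateManager:
    def __init__(self) -> None:
        self.agent_queue: dict[int, tuple[Profile, Request]] = {}

    def process(self, profile: Profile, request: Request) -> Outcome:
        # Authentication method is considered before anything else.
        if profile.auth_method is AuthMethod.AGENT_APPROVED:
            self.agent_queue[request.request_id] = (profile, request)
            return Outcome(Status.PENDING_AGENT, [f"request {request.request_id} awaits an agent"])
        if not authenticate(request):
            return Outcome(Status.REJECTED_AUTH)
        return evaluate_profile(profile, request)

    def agent_approve(self, request_id: int, **changes) -> Outcome:
        """The agent may change fields of a pending request, but the profile still applies."""
        profile, request = self.agent_queue.pop(request_id)
        for name, value in changes.items():
            setattr(request, name, value)
        return evaluate_profile(profile, request)


# Constructed sample profiles: same constraints, different authentication method.
TLS_SERVER_PROFILE = Profile("tlsServerAuto", AuthMethod.DIRECTORY_PASSWORD,
                             frozenset({"digitalSignature", "keyEncipherment"}), 397,
                             frozenset({"digitalSignature"}), 365)
AGENT_PROFILE = Profile("tlsServerAgent", AuthMethod.AGENT_APPROVED,
                        frozenset({"digitalSignature", "keyEncipherment"}), 397,
                        frozenset({"digitalSignature"}), 365)
```

The design point worth noticing is that `agent_approve` ends in the same `evaluate_profile` call as the automated path: an agent can adjust a pending request, but the profile's constraints are enforced on whatever the agent approves, so neither path can issue a certificate the profile would not allow.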
Certificate profiles connect an authentication method and certificate type to a set of constraints and
certificate content definitions (defaults). A single module can be configured for a type of certificate
to use a specific authentication method and set constraints for the certificate, as well as defining the