Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION Administration Manual page 6

Administration Guide
4. Certificate Manager
4.1. How the Certificate Manager Works ........................................................................... 109
4.1.1. Enrollment ..................................................................................................... 109
4.1.2. Revocation .................................................................................................... 110
4.2. Certificate Manager Certificates ................................................................................. 111
4.2.1. CA Signing Key Pair and Certificate ................................................................ 111
4.2.2. OCSP Signing Key Pair and Certificate ........................................................... 112
4.2.3. SSL Server Key Pair and Certificate ............................................................... 112
4.2.4. Certificate Considerations ............................................................................... 112
4.2.5. Cross-Pair Certificates .................................................................................... 113
4.3. CA Hierarchy ............................................................................................................ 113
4.3.1. Subordination to a Public CA .......................................................................... 114
4.3.2. Subordination to a Certificate System CA ........................................................ 114
4.4. Security Domains ..................................................................................................... 114
4.4.1. The domain.xml File ...................................................................................... 115
4.4.2. Security Domain Roles ................................................................................... 116
4.4.3. Creating a Security Domain ............................................................................ 117
4.4.4. Joining a Security Domain .............................................................................. 118
4.4.5. Additional Security Domain Information ........................................................... 118
4.5. Configuring the Certificate Manager Instance ............................................................. 118
4.6. CA Certificate Reissuance ........................................................................................ 120
4.7. Changing the Rules for Issuing Certificates ................................................................ 120
4.8. Setting Restrictions on CA Certificates through Certificate Extensions .......................... 122
4.9. Creating Certificate Manager Agents and Administrators ............................................. 124
4.10. Checking the Revocation Status of Agent Certificates ............................................... 125
4.11. CRL Signing Key Pair and Certificate ....................................................................... 127
4.12. DNs in the Certificate System .................................................................................. 128
4.12.1. Extending Attribute Support .......................................................................... 129
5. Registration Authority
5.1. Introduction .............................................................................................................. 133
5.1.1. What is a Registration Authority? .................................................................... 133
5.1.2. Enrollment Types ........................................................................................... 133
5.1.3. Roles ............................................................................................................ 134
5.1.4. Interfaces ...................................................................................................... 134
5.2. Installation and Configuration .................................................................................... 135
5.2.1. Configuration ................................................................................................. 136
5.2.2. Directory Structure ......................................................................................... 140
5.2.3. Configuration Parameters ............................................................................... 140
5.2.4. RA Request Queue Plugins ............................................................................ 142
5.2.5. Libraries ........................................................................................................ 143
5.3. Working With the Registration Authority ..................................................................... 143
5.3.1. Configuring Additional RA Instances ............................................................... 143
5.3.2. Customizing the Subject DN in the CSR .......................................................... 147
5.3.3. Using the End Users Services Interface .......................................................... 148
5.3.4. Using the Agent Services Interface ................................................................. 153
5.3.5. Using the Administrator Interface .................................................................... 153
5.3.6. Command-line Operations .............................................................................. 155
6. Online Certificate Status Protocol Responder
6.1. About OCSP Services .............................................................................................. 157
6.1.1. OCSP Response Signing ............................................................................... 157
vi
109
133
157