Red Hat Certificate System 8.0 - Using End User Services (user manual)



Red Hat Certificate System 8.0
Using End User Services
Ella Deon Lackey
July 22, 2009

Copyright © 2009 Red Hat, Inc. This material may only be distributed subject to the
terms and conditions set forth in the Open Publication License, V1.0 or later (the latest
version of the OPL is presently available at http://www.opencontent.org/openpub/).
Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat,
Inc. in the United States and other countries.
All other trademarks referenced herein are the property of their respective owners.

1801 Varsity Drive
Raleigh, NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701
PO Box 13588 Research Triangle Park, NC 27709 USA

Abstract
This guide contains easy-to-follow information for end users who use Red Hat
Certificate System certificate authority and registration authority services to generate
or submit certificate requests, check on request status, receive certificates, and
revoke certificates.

Contents
1. A Look at End User Services in Red Hat Certificate System ... 2
1.1. About Certificates and Cryptography ... 2
1.2. About CA Services ... 5
1.3. About RA Services ... 8
1.4. Supported Web Browsers ... 8
1.5. Supported Charactersets ... 9
1.6. Configuring Internet Explorer to Enroll Certificates ... 9
2. Getting and Managing Certificates through CA Services ... 10
2.1. Opening the CA Services Page ... 10
2.2. Generating Certificate Requests ... 11
2.3. Requesting Certificates ... 12


Summary of Contents for Red Hat CERTIFICATE SYSTEM 8.0 - USING END USER SERVICES

  • Page 1: Table Of Contents

    Red Hat Certificate System 8.0 Using End User Services, Ella Deon Lackey, Copyright © 2009 Red Hat, Inc. (cover page and Open Publication License notice, as reproduced above).
  • Page 2: A Look At End User Services In Red Hat Certificate System

    Using End User Services
    2.4. Checking on Your Request Status ... 15
    2.5. Retrieving Your Certificates ... 16
    2.6. Listing and Searching for Certificates ... 18
    2.7. Renewing Certificates ... 23
    2.8. Revoking Certificates ... 27
    2.9. Downloading CA Certificates and Certificate Chains ... 31
    3.
  • Page 3 About Certificates and Cryptography both groups in a secure connection, while a private key is held by one group. The public key encrypts data; the private key is used to decrypt it. A certificate is created out of several pieces of information: •...
  • Page 4 Using End User Services key information. Sometimes, a series of authorities issues certificates; Server 1 issues a certificate to Server 2 which issues a certificate to Server 3. All of those successive CA certificates can be downloaded and installed together; that's a certificate chain. A certificate is issued or enrolled by a certificate authority (CA).
  • Page 5: About Ca Services

    About CA Services After the certificate is created, it is valid for a certain amount of time, until the expiration date. Some types of certificates can be renewed, which creates a new certificate using the same key pair, but with a new expiration date and serial number.
  • Page 6 Using End User Services
    Profile name: Description
    Agent-Authenticated Server Certificate Enrollment: Enrolls server certificates with agent authentication.
    Manual Certificate Manager Signing Certificate Enrollment: Enrolls Certificate Authority certificates.
    Signed CMC-Authenticated User Certificate Enrollment: Enrolls user certificates by using the CMC certificate request with CMC Signature authentication.
  • Page 7 About CA Services
    Profile name: Description
    RA Agent-Authenticated Server Certificate Enrollment: Enrolls server certificates with RA agent authentication.
    One Time Pin Router Certificate Enrollment: Enrolls router certificates using an automatically-generated, one-time PIN that the router can use to retrieve its certificate.
    Manual Server Certificate Enrollment: Enrolls server certificates.
  • Page 8: About Ra Services

    Using End User Services
    Profile name: Description
    Manual User Dual-Use Certificate Enrollment: Enrolls user certificates.
    Manual Device Dual-Use Certificate Enrollment to contain UUID in SAN: Enrolls certificates for devices which must contain a unique user ID number (UUID) as a component in the certificate's subject alternate name extension.
  • Page 9: Supported Charactersets

    Supported Charactersets NOTE Browsers for Mac, such as Safari, and other types of web browsers, such as Opera, are not supported for the end-entities pages. This means that some operations may not complete successfully or forms may not be displayed properly. If DNS is properly configured, then an IPv4 or IPv6 address can be used to connect to the services pages.
  • Page 10: Getting And Managing Certificates Through Ca Services

    Using End User Services a. Open the unsecure end user services page for the CA: http://server.example.com:9180/ca/ee/ca b. Click the Retrieval tab. c. Click Import CA Certificate Chain in the left menu, and then select Download the CA certificate chain in binary form. d. NOTE Because this page is served over plain HTTP, the downloaded chain is not protected in transit. Before importing it as a trust anchor, compare the CA certificate's fingerprint with the value published by the Certificate System administrator.
  • Page 11: Generating Certificate Requests

    Generating Certificate Requests https://server.example.com:9180/ That opens a menu with links to regular user services or agent services. To get directly to the regular user pages, add /ca/ee/ca/ to the end of the URL. For example: https://server.example.com:9180/ca/ee/ca/ If DNS is properly configured, then an IPv4 or IPv6 address can be used to connect to the services pages, as well as a hostname or fully-qualified domain name.
  • Page 12: Requesting Certificates

    Using End User Services NOTE Certificate System supports all UTF-8 characters for the common name and organizational unit elements included in the subject name of the certificate. Option descriptions: the output file to which to save the certificate request; the validity period, in months; the certificate database directory; ...
  • Page 13 Requesting Certificates 2. Fill in the information required for the certificate. There are basically two kinds of certificate enrollment forms. One kind accepts certificate request blobs, and the other requires additional user information to build the subject name of the certificate (a major part of its identifier).
  • Page 14 Using End User Services NOTE The way that you generate the base 64-encoded certificate request depends on your network setup. There may be an online form you can use to create a certificate request, the client you are requesting the certificate for may have a built-in request tool, or you can use tools such as certutil.
  • Page 15: Checking On Your Request Status

    Checking on Your Request Status Other forms may require other information. For example, file signing profiles require a URL to the external file that will be signed by the CA. NOTE The CA certificate request forms support all UTF-8 characters for the common name, organizational unit, and requester name fields.
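    The enrollment forms described on pages 12 to 15 take the common name and organizational unit you type in and build the certificate's subject name from them, and the note above says those fields accept any UTF-8 character. The following is an added example, not code from the manual or from Certificate System: it shows how such a subject name is laid out in DER (the binary form inside a base 64-encoded request) and why a non-ASCII common name must be carried as a UTF8String rather than a PrintableString. The attribute set, OIDs and sample names are my own choices for the illustration.

```python
"""Encode and decode an X.509 Name (subject) in DER.

Added example, not part of the Red Hat manual.  Name ::= SEQUENCE OF SET OF
SEQUENCE { type OID, value string }.  PrintableString (tag 0x13) only allows
a small ASCII subset, so a CN such as "Zoë Müller" must use UTF8String (0x0C).
"""
import re

# RFC 4519 attribute type OIDs handled by this example (assumption: only these).
OIDS = {"CN": "2.5.4.3", "OU": "2.5.4.11", "O": "2.5.4.10", "C": "2.5.4.6"}
OID_TO_NAME = {v: k for k, v in OIDS.items()}
PRINTABLE = re.compile(r"^[A-Za-z0-9 '()+,\-./:=?]*$")

TAG_SEQUENCE, TAG_SET, TAG_OID = 0x30, 0x31, 0x06
TAG_UTF8, TAG_PRINTABLE = 0x0C, 0x13


def der_len(n):
    """DER length: short form below 128, otherwise long form, minimal octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value


def encode_oid(dotted):
    """Base-128 OID encoding; the first two arcs fold into one byte."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def encode_name(rdns):
    """rdns: list of (attribute, value) pairs, e.g. [("C", "US"), ("CN", "Zoë")]."""
    parts = []
    for attr, value in rdns:
        if PRINTABLE.match(value):
            string = tlv(TAG_PRINTABLE, value.encode("ascii"))
        else:
            string = tlv(TAG_UTF8, value.encode("utf-8"))   # non-ASCII CN/OU
        atv = tlv(TAG_SEQUENCE, encode_oid(OIDS[attr]) + string)
        parts.append(tlv(TAG_SET, atv))
    return tlv(TAG_SEQUENCE, b"".join(parts))


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV that starts at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_name(der):
    """Inverse of encode_name; rejects anything that is not one Name SEQUENCE."""
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("not a single Name SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        set_tag, set_body, pos = read_tlv(body, pos)
        atv_tag, atv, _ = read_tlv(set_body, 0)
        oid_tag, oid_raw, p = read_tlv(atv, 0)
        str_tag, str_raw, _ = read_tlv(atv, p)
        if (set_tag, atv_tag, oid_tag) != (TAG_SET, TAG_SEQUENCE, TAG_OID):
            raise ValueError("malformed RelativeDistinguishedName")
        if str_tag == TAG_UTF8:
            value = str_raw.decode("utf-8")
        elif str_tag == TAG_PRINTABLE:
            value = str_raw.decode("ascii")
        else:
            raise ValueError("unsupported string tag 0x%02x" % str_tag)
        oid = decode_oid(oid_raw)
        rdns.append((OID_TO_NAME.get(oid, oid), value))
    return rdns
```

    Running `encode_name([("C", "US"), ("O", "Example"), ("CN", "Zoë Müller")])` produces the same bytes a CSR would carry for that subject; decoding them back recovers the attributes, and a common name longer than 127 bytes exercises the long-form length that many hand-written parsers get wrong.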
  • Page 16: Retrieving Your Certificates

    Using End User Services 3. The request status is shown as pending, rejected, or completed. If the request has been completed, click the link to retrieve the issued certificate. 2.5. Retrieving Your Certificates After a certificate is generated by the Certificate Manager, it can be copied to a file or imported directly into your browser.
  • Page 17 Retrieving Your Certificates 3. The certificate page has three major sections: the certificate fingerprint, the base 64-encoded certificate, and the certificate with the CA certificate chain. The certificate fingerprint shows the summary of the information contained in the base 64-encoded version, such as the serial number, issuing CA, validity period, and key information.
  • Page 18: Listing And Searching For Certificates

    Using End User Services 2.6. Listing and Searching for Certificates The Retrieval tab has two ways to search for certificates. The List Certificates page has a basic search that lists every issued certificate, while the Search for Certificates page has advanced search options which narrow down results based on specific information about the certificate.
  • Page 19 Listing and Searching for Certificates 4. Every certificate within that range is returned. To open the retrieval page for the certificate, click the link.
  • Page 20 Using End User Services 2.6.2. Searching for Certificates (Advanced Search) 1. Click the Retrieval tab. 2. On the left, click the Search Certificates link. 3. Fill in the search criteria. The Search form offers a number of different search areas: •...
  • Page 21 Listing and Searching for Certificates • Subject name, which is a very specific search based on elements used in the subject name of the certificate, narrowing the search to the user or machine for which it was issued, or by the department, locality, or other naming element.
  • Page 22 Using End User Services • Issuer information, basing the search on which Certificate Manager issued the certificate or on the dates when it was issued. • Validity dates, including the range of dates when the certificate was valid (e.g., every certificate which was valid on July 4, 2008), the date range of when the certificate expired (every certificate which expired between June 1 and June 15), and how long the certificate was valid (e.g., every temporary certificate which was valid for less than 30 days).
  • Page 23: Renewing Certificates

    Renewing Certificates • Certificate type, which can include or exclude certificates based on one of the major categories of certificates, including SSL client and server certificates and email certificates. 4. Set the search limits. The search scope can be limited in the total number of certificates returned and in how long to conduct the search.
  • Page 24 Using End User Services • Allow the certificate to lapse and request a new certificate. While simple, this is a problem in some situations if the certificate was used to encrypt information, like emails or files: once the certificate has lapsed and its key pair is no longer kept, the encrypted data cannot be recovered. •...
  • Page 25 Renewing Certificates 3. Click the renew button. 4. The request is submitted. For directory-based renewals, the renewed certificate is automatically returned. Otherwise, the renewal request must be approved by an agent before the certificate is issued.
  • Page 26 Using End User Services 2.7.2. Certificate-Based Renewal Some user certificates are stored directly in your browser, so some renewal forms will simply check your browser certificate database for a certificate to renew. If a certificate can be renewed, then the CA automatically approves and reissues it.
  • Page 27: Revoking Certificates

    Revoking Certificates 2.8. Revoking Certificates Revoking a certificate invalidates it before its expiration date. This can be necessary if a certificate is lost, compromised, or no longer needed. 2.8.1. Revoking Your User Certificate 1. Click the Revocation tab. 2. Click the User Certificate link. 3.
  • Page 28 Using End User Services 4. Select the certificates to revoke from the list. 2.8.2. Checking Whether a Certificate Is Revoked 1. Click the Retrieval tab. 2. Click the Import Certificate Revocation List link. 3. Select the radio button by Check whether the following certificate is included in CRL cache or Check whether the following certificate is listed by CRL, and enter the serial number of the certificate.
  • Page 29 Revoking Certificates 4. Click the Submit button. A message is returned either saying that the certificate is not listed in any CRL or giving the information for the CRL which contains the certificate. 2.8.3. Downloading and Importing CRLs Certificate revocation lists (CRLs) can be downloaded and installed in a web client, application, or machine.
  • Page 30 Using End User Services • To import the CRL into the browser or download and save it, select the appropriate radio button. There are two options: to download/import the full CRL or the delta CRL. The delta CRL only contains the certificates whose revocation status has changed since the full CRL it refers to was issued, so it is applied on top of a previously retrieved full CRL rather than used on its own.
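    A client that imports the full CRL and later only the delta has to merge the two before it can answer the question the page on revocation status asks (is serial N listed?). The following is an added example, not code from the manual or from Certificate System; the CRL structures and sample entries are constructed for the illustration. It goes slightly beyond the manual by applying the merge rule of RFC 5280 section 5.2.4: a delta entry with reason removeFromCRL (a certificate released from hold) drops the base entry, any other delta entry adds or replaces one, and a delta may only be applied to a base CRL whose number is at least the delta's BaseCRLNumber.

```python
"""Overlay a delta CRL on a cached full CRL and look up a serial number.

Added example, not part of the Red Hat manual.  Entries are keyed by serial
number; reason codes follow RFC 5280 section 5.3.1.
"""
from dataclasses import dataclass
from typing import Dict, Optional

CERTIFICATE_HOLD = 6
REMOVE_FROM_CRL = 8
REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
           3: "affiliationChanged", 4: "superseded",
           5: "cessationOfOperation", 6: "certificateHold",
           8: "removeFromCRL", 9: "privilegeWithdrawn"}


@dataclass(frozen=True)
class CrlEntry:
    serial: int
    reason: int
    revoked_at: str


@dataclass
class Crl:
    issuer: str
    number: int                            # CRL Number extension
    entries: Dict[int, CrlEntry]
    base_crl_number: Optional[int] = None  # set only on a delta CRL

    @property
    def is_delta(self):
        return self.base_crl_number is not None


def delta_applies_to(base, delta):
    """True if delta can be overlaid on base (same issuer, base new enough)."""
    if not delta.is_delta or base.is_delta:
        return False
    if delta.issuer != base.issuer:
        return False
    return base.number >= delta.base_crl_number


def apply_delta(base, delta):
    """Return a new full CRL equal to base with delta overlaid; base is untouched."""
    if not delta_applies_to(base, delta):
        raise ValueError("delta CRL %d cannot be applied to this base" % delta.number)
    merged = dict(base.entries)
    for serial, entry in delta.entries.items():
        if entry.reason == REMOVE_FROM_CRL:
            merged.pop(serial, None)       # hold released: no longer revoked
        else:
            merged[serial] = entry         # newly revoked, or reason updated
    return Crl(base.issuer, delta.number, merged)


def revocation_status(crl, serial):
    """'not listed' or 'revoked (<reason>, <time>)', as the CA page reports it."""
    entry = crl.entries.get(serial)
    if entry is None:
        return "not listed"
    reason = REASONS.get(entry.reason, str(entry.reason))
    return "revoked (%s, %s)" % (reason, entry.revoked_at)


# Constructed sample data (hypothetical issuer and serials).
ISSUER = "CN=Certificate Authority,O=Example Domain"
BASE = Crl(ISSUER, 41, {
    0x1001: CrlEntry(0x1001, 1, "2009-07-01T10:00:00Z"),                 # keyCompromise
    0x1002: CrlEntry(0x1002, CERTIFICATE_HOLD, "2009-07-02T09:00:00Z"),
})
DELTA = Crl(ISSUER, 42, {
    0x1002: CrlEntry(0x1002, REMOVE_FROM_CRL, "2009-07-03T08:00:00Z"),   # hold released
    0x1003: CrlEntry(0x1003, 4, "2009-07-03T12:00:00Z"),                 # superseded
}, base_crl_number=41)

if __name__ == "__main__":
    current = apply_delta(BASE, DELTA)
    for serial in (0x1001, 0x1002, 0x1003):
        print("%#x: %s" % (serial, revocation_status(current, serial)))
```

    Looking up 0x1002 against the cached base CRL alone reports the certificate as on hold, while the merged view correctly reports it as not listed; answering from a stale base without the delta, or applying a delta to a base older than its BaseCRLNumber, are the two mistakes this guards against.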
  • Page 31: Downloading Ca Certificates And Certificate Chains

    Downloading CA Certificates and Certificate Chains 4. Click the Submit button. 5. Save the file or approve the import operation. 2.9. Downloading CA Certificates and Certificate Chains Some services require the certificate for the Certificate Manager which issued a certificate as well as the certificate itself.
  • Page 32: Getting And Managing Certificates Through Ra Services

    Using End User Services • Import the chain into the browser. • Save the entire CA certificate chain. • Show the CA certificate chain in a single blob. • Show the individual CA certificate blobs in the certificate chain. 4. Click Submit. 5.
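    The retrieval page on page 17 shows a certificate's fingerprint next to its base 64-encoded form, and the chain download above can return either one blob or the individual CA certificates. The following is an added example, not code from the manual or from Certificate System: it splits a downloaded PEM blob into its certificates, checks that each is one complete DER SEQUENCE, and prints the fingerprint in the colon-separated form shown on the page, so the value can be compared with what the CA page or the administrator reports. The two tiny DER blobs standing in for certificates are constructed for the example; real certificates have the same outer shape.

```python
"""Split a PEM chain and compute certificate fingerprints.

Added example, not part of the Red Hat manual.  The fingerprint is a hash of
the DER bytes between the BEGIN/END lines, displayed as AA:BB:CC:... .
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def check_der_sequence(der):
    """A certificate is one outer SEQUENCE whose length covers the whole blob."""
    if not der or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first & 0x80:
        n = first & 0x7F
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    else:
        length, header = first, 2
    if header + length != len(der):
        raise ValueError("DER length %d does not match %d bytes" % (length, len(der)))


def split_pem_chain(blob):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    ders = []
    for b64 in PEM_BLOCK.findall(blob):
        der = base64.b64decode("".join(b64.split()), validate=True)
        check_der_sequence(der)
        ders.append(der)
    return ders


def is_valid_pem_chain(blob):
    try:
        return len(split_pem_chain(blob)) > 0
    except ValueError:          # binascii.Error is a ValueError subclass
        return False


def fingerprint(der, algorithm="sha256"):
    """Colon-separated upper-case hex digest of the DER encoding."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def chain_fingerprints(blob, algorithm="sha256"):
    return [fingerprint(der, algorithm) for der in split_pem_chain(blob)]


def pem_wrap(der):
    """Wrap DER bytes in a PEM CERTIFICATE block (64-column base64)."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % lines


# Constructed sample chain: two minimal DER SEQUENCEs (SEQUENCE { INTEGER n }).
SAMPLE_CHAIN = pem_wrap(b"\x30\x03\x02\x01\x01") + pem_wrap(b"\x30\x03\x02\x01\x02")

if __name__ == "__main__":
    for i, fp in enumerate(chain_fingerprints(SAMPLE_CHAIN)):
        print("certificate %d SHA-256 fingerprint: %s" % (i, fp))
```

    Feed the blob saved from the Retrieval tab to `chain_fingerprints` and compare the first entry with the fingerprint the CA page displays for the root; a blob whose DER length does not match its size (a truncated download) is rejected rather than hashed.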
  • Page 33: Requesting Certificates

    Requesting Certificates https://server.example.com:12890/ee/index.cgi If DNS is properly configured, then an IPv4 or IPv6 address can be used to connect to the services pages, as well as a hostname or fully-qualified domain name. For example: https://1.2.3.4:9444/ee/index.cgi https://[00:00:00:00:123:456:789:00]:9444/ee/index.cgi 3.2. Requesting Certificates The RA user services page has submission forms for four different types of certificates. 3.2.1.
  • Page 34 Using End User Services 4. Click the Submit button. 5. Wait for the request to be generated. Check the request status and retrieve the certificate when it's issued. 3.2.2. Requesting Server Certificates 1. In the RA services page, click the Server Enrollment link. 2.
  • Page 35 Requesting Certificates 4. Click the Submit button. Check the request status and retrieve the certificate when it's issued. 3.2.3. Requesting SCEP (Router) Certificates 1. In the RA services page, click the SCEP Enrollment link. 2. Click the Pin Creation link. 3.
  • Page 36 Using End User Services 4. Click the Submit button. 5. Wait for the request to be generated. Check the request status and retrieve the PIN when it is issued. 6. Add the PIN and the router's ID to the flatfile.txt file so that the router can authenticate directly against the CA.
  • Page 37 Requesting Certificates 10. Import the CA certificate for every CA in the certificate chain, starting with the root. For example, this imports two CA certificates in the chain into the router:
    scep(config)# crypto ca trusted-root1
    scep(ca-root)# root CEP http://server.example.com:12888/ee/scep/pkiclient.cgi
    scep(ca-root)# crl optional
    scep(ca-root)# exit
    scep(config)# cry ca authenticate 1...
    NOTE With crl optional, the router accepts peer certificates even when it cannot retrieve the CRL; use it only where revocation is checked by some other means.
  • Page 38 Using End User Services ... password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it.
    Password: secret
    Re-enter password: secret
    % The subject name in the certificate will be: scep.server.example.com
    % Include the router serial number in the subject name? [yes/no]: yes
    % The serial number in the certificate will be: 57DE391C
    % Include an IP address in the subject name? [yes/no]: yes...
  • Page 39 Requesting Certificates
    Key Usage: Signature
    Issuer: CN = Certificate Authority O = Sfbay Red hat Domain 20070111d12
    Subject: CN = Certificate Authority O = Sfbay Red hat Domain 20070111d12
    Validity Date: start date: 21:49:50 UTC Jan 11 2007 end date: 21:49:50 UTC Dec 31 2008
    Associated Identity: CA
    3.2.4.
  • Page 40 Using End User Services 8. The base 64-encoded version of the certificate is displayed; this can be copied and saved to file. The agent certificate can be imported directly into the browser to enable access to the RA agent services by clicking the Import Certificate link at the bottom.
  • Page 41: Checking On Your Request Status

    Checking on Your Request Status NOTE Before you can perform the operations of an RA agent, you must be added as a member to the RA agent's group. This must be done by an RA administrator; check with your Certificate System administrator to make sure that you have the required group memberships.
  • Page 42: Retrieving And Importing Certificates

    Using End User Services 2. Enter the request ID number, and click the Check link. The request ID number was returned when the request was submitted. NOTE There is no way to search for a request ID. 3. The request status page opens. The status can be open (pending), approved, or rejected. 3.4.
  • Page 43 Retrieving and Importing Certificates NOTE There is no way to search for a request ID. 3. The request status page opens. If the status is APPROVED, then the certificate can be imported into the browser or saved to file. 4. If the request is approved, there will be a link by the Import Certificate field. Click the number, and then either copy the base 64-encoded certificate and save it to file or click the Import Certificate link.
  • Page 44: Renewing User Certificates

    Using End User Services 3.5. Renewing User Certificates When certificates reach the end of their validity period, there are two ways that users can respond: • Allow the certificate to lapse and request a new certificate. While simple, a problem may occur in some situations if the certificate was used to encrypt information, like emails or files.
  • Page 45 Renewing User Certificates • Renew the certificate. Renewal takes the original keys that were generated and regenerates the certificate with an extended validity period. Since the renewed certificate uses the same key pair as the original, everything that the original certificate did (such as decrypting files) is still possible. NOTE The serial number of the renewed certificate is different than that of the original certificate.
  • Page 46: Additional Reading

    Using End User Services 3. This prompts for the certificate to use from the certificates contained in your browser's security database. 4. The request is submitted; it can be retrieved by using the new request ID returned, as described in Section 3.4, “Retrieving and Importing Certificates”.
  • Page 47: Giving Feedback

    If there is any error in this guide, Using End User Services, or there is any way to improve the documentation, please let us know. Bugs can be filed against the documentation for Red Hat Certificate System through Bugzilla, http://bugzilla.redhat.com/bugzilla. Make the bug report as specific as possible, so we can be more effective in correcting any issues: •...
  • Page 48: Revision History

    Using End User Services 6. Revision History Revision 8.0.1 July 26, 2009 Ella Deon Lackey Minor edits (mainly typographical), per technical reviews for Bugzilla #510560, Bugzilla #510561, and Bugzilla #510562. Revision 8.0.0 July 22, 2009 Ella Deon Lackey Initial draft for Certificate System 8.0 Using End User Services.
