Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual

Red Hat Certificate
System 8.0
Admin Guide
Publication date: July 22, 2009, updated on March 25, 2010

Summary of Contents for Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

  • Page 1 Red Hat Certificate System 8.0 Admin Guide Publication date: July 22, 2009, updated on March 25, 2010...
  • Page 2 Admin Guide Red Hat Certificate System 8.0 Admin Guide Copyright © 2009 Red Hat, Inc. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/.
  • Page 3: Table Of Contents

    About This Guide
    1. Recommended Concepts, p. xv
    2. What Is in This Guide, p. xv
    3. Supported Platforms, Hardware, and Programs, p. xvi
    3.1. Supported Platforms, p. xvi
    3.2. Supported Web Browsers, p. xvi
    3.3. Supported Smart Cards, p. xvii
    3.4.
  • Page 4 Admin Guide

    2.3.1. Default RA Profiles, p. 48
    2.3.2. Creating RA Enrollment Forms, p. 48
    2.3.3. Configuring the Request Queues, p. 50
    2.4. Managing Smart Card CA Profiles, p. 53
    2.4.1. Editing Enrollment Profiles for the TPS, p. 54
    2.4.2. Creating Custom TPS Profiles, p. 54
    2.4.3.
  • Page 5

    5.1. Configuring TPS Smart Card Operations, p. 127
    5.1.1. Configuring Format Operations, p. 127
    5.1.2. Configuring TPS Enrollment Operations, p. 128
    5.1.3. Configuring TPS Renewal Operations, p. 133
    5.1.4. Configuring the PIN Reset Operation, p. 134
    5.1.5. Configuring the Applet Update Operation, p. 135
    5.2.
  • Page 6 Admin Guide

    6.4.1. Configuring Extended Updated Intervals for CRLs in the Console, p. 183
    6.4.2. Configuring Extended Updated Intervals for CRLs in CS.cfg, p. 183
    6.5. Enabling Automatic Revocation Checking for Agent Certificates, p. 184
    7. Using the Online Certificate Status Protocol Responder
    7.1.
  • Page 7

    9.3. Setting up CMC Enrollment, p. 244
    9.3.1. Setting up the Server for Multiple Requests in a Full CMC Request, p. 245
    9.3.2. Testing CMCEnroll, p. 246
    9.4. Testing Enrollment, p. 246
    9.5. Managing Authentication Plug-ins, p. 247
    10. Using Automated Notifications
    10.1.
  • Page 8 Admin Guide

    12.3.1. Configuring the password.conf, p. 286
    12.3.2. Protecting the password.conf File, p. 286
    12.3.3. Requiring System Password Prompts, p. 287
    12.3.4. Changing System Passwords, p. 293
    12.3.5. Password-Quality Checker, p. 293
    12.4. Configuration Files for Web Services, p. 294
    13.
  • Page 9

    14.4.2. Managing RA Users, p. 340
    14.5. Creating and Managing Users for a TPS, p. 349
    14.5.1. Searching for Users, p. 349
    14.5.2. Adding Users, p. 350
    14.5.3. Setting Profiles for Users, p. 351
    14.5.4. Changing Roles for Users, p. 352
    14.5.5.
  • Page 10 Admin Guide

    16.1.7. Using an HSM to Store Subsystem Certificates, p. 393
    16.2. Requesting a Subsystem, Server, or Signing Certificate through the Console, p. 394
    16.3. Renewing Subsystem Certificates, p. 405
    16.4. Using Cross-Pair Certificates, p. 406
    16.4.1. Installing Cross-Pair Certificates, p. 407
    16.4.2.
  • Page 11

    B.1.12. No Default Extension, p. 440
    B.1.13. OCSP No Check Extension Default, p. 440
    B.1.14. Policy Constraints Extension Default, p. 441
    B.1.15. Policy Mappers Extension Default, p. 442
    B.1.16. Signing Algorithm Default, p. 443
    B.1.17. Subject Alternative Name Extension Default, p. 443
    B.1.18.
  • Page 12 Admin Guide

    C.1. Publisher Plug-in Modules, p. 483
    C.1.1. FileBasedPublisher, p. 483
    C.1.2. LdapCaCertPublisher, p. 483
    C.1.3. LdapUserCertPublisher, p. 484
    C.1.4. LdapCrlPublisher, p. 484
    C.1.5. LdapDeltaCrlPublisher, p. 484
    C.1.6. LdapCertificatePairPublisher, p. 485
    C.1.7. OCSPPublisher, p. 485
    C.2. Mapper Plug-in Modules, p. 485
    C.2.1.
  • Page 13

    D.3.16. certServer.ca.request.profile, p. 504
    D.3.17. certServer.ca.requests, p. 504
    D.3.18. certServer.ca.systemstatus, p. 505
    D.3.19. certServer.ee.certchain, p. 505
    D.3.20. certServer.ee.certificate, p. 505
    D.3.21. certServer.ee.certificates, p. 506
    D.3.22. certServer.ee.crl, p. 506
    D.3.23. certServer.ee.profile, p. 506
    D.3.24. certServer.ee.profiles, p. 506
    D.3.25. certServer.ee.request.enrollment, p. 507
    D.3.26.
  • Page 14 Admin Guide

    D.6.2. certServer.tks.group, p. 519
    D.6.3. certServer.tks.importTransportCert, p. 519
    D.6.4. certServer.tks.keysetdata, p. 519
    D.6.5. certServer.tks.registerUser, p. 520
    D.6.6. certServer.tks.sessionkey, p. 520
    D.6.7. certServer.tks.systemstatus, p. 520
    Glossary
    Index...
  • Page 15: About This Guide

    About This Guide This guide explains how to install, configure, and maintain the Red Hat Certificate System and how to use it for issuing and managing certificates to end entities such as web browsers, users, servers, and virtual private network (VPN) clients. This guide is intended for experienced system administrators planning to deploy the Certificate System.
  • Page 16: Supported Platforms, Hardware, And Programs

    About This Guide Concept Archiving keys Publishing certificates Revoking certificates Options for issuing certificates Configuring and managing Certificate System subsystems References for Subsystem Components Table 1. Content Overview 3. Supported Platforms, Hardware, and Programs 3.1. Supported Platforms The Certificate System subsystems (CA, RA, DRM, OCSP, RA, TKS, and TPS) are supported on the following platforms: •...
  • Page 17: Supported Smart Cards

    Supported Smart Cards NOTE The only browser that is fully-supported for the HTML-based instance configuration wizard is Mozilla Firefox. Platform Agent Services End User Pages Red Hat Enterprise Linux Firefox 3.x Firefox 3.x Windows Vista Firefox 2.x Firefox 2.x Internet Explorer 7 and higher Windows XP Firefox 2.x Firefox 2.x...
  • Page 18: Examples And Formatting

    About This Guide Four fields fully-support UTF-8 characters: • Common name (used in the subject name of the certificate) • Organizational unit (used in the subject name of the certificate) • Requester name • Additional notes (comments appended by the agent to the certificate) NOTE This support does not include supporting internationalized domain names, like in email addresses.
  • Page 19: Additional Reading

    Additional Reading Formatting Style Bolded text Other formatting styles draw attention to important text. NOTE A note provides additional information that can help illustrate the behavior of the system or provide more detail for a specific issue. IMPORTANT Important information is necessary, but possibly unexpected, such as a configuration change that will not persist after a reboot.
  • Page 20: Giving Feedback

    "Bad example". We appreciate receiving any feedback — requests for new sections, corrections, improvements, enhancements, even new ways of delivering the documentation or new styles of docs. You are welcome to contact Red Hat Content Services directly at docs@redhat.com. http://bugzilla.redhat.com/bugzilla...
  • Page 21: Document History

    7. Document History

    Revision 8.0.16, March 25, 2010, Ella Deon Lackey
    Adding information on new end-entities client authentication port for the CA, related to the MitM resolution in Errata RHBA-2010:0169.

    Revision 8.0.15, December 16, 2009, Ella Deon Lackey
    Adding section on removing password.conf and prompting for passwords, per Errata RHBA-2009:1665.
  • Page 22 About This Guide

    Adding back in the book index.

    Revision 8.0.4, August 18, 2009, Ella Deon Lackey
    Removing the section on SSL/client authentication for the console, related to Bugzilla #512493. Fixing section outline formatting for log chapter.

    Revision 8.0.3, August 12, 2009, Ella Deon Lackey
    Adding parameters for configuring audit logging and signed audit logging for the TPS, per Bugzilla #502122.
  • Page 23: Overview Of Red Hat Certificate System Subsystems

    Chapter 1. Overview of Red Hat Certificate System Subsystems Every common PKI operation — issuing, renewing and revoking certificates; archiving and recovering keys; publishing CRLs and verifying certificate status — is carried out by interoperating subsystems within Red Hat Certificate System. The functions of each individual subsystem and the way that they work together to establish a robust and local PKI are described in this chapter.
  • Page 24 Chapter 1. Overview of Red Hat Certificate System Subsystems An email message that includes a digital signature provides some assurance that it was sent by the person whose name appears in the message header, thus authenticating the sender. If the digital signature cannot be validated by the email software, the user is alerted.
  • Page 25: Types Of Certificates

    Types of Certificates The objects signed with object signing technology can be applets or other Java code, JavaScript scripts, plug-ins, or any kind of file. The signature is a digital signature. Signed objects and their signatures are typically stored in a special file called a JAR file. Software developers and others who wish to sign files using object-signing technology must first obtain an object-signing certificate.
  • Page 26 Chapter 1. Overview of Red Hat Certificate System Subsystems Certificate Type CA certificates Object-signing certificates Table 1.1. Common Certificates Section 1.1.2.1, “CA Signing Certificates” • Section 1.1.2.2, “Other Signing Certificates” • Section 1.1.2.3, “SSL Server and Client Certificates” • Section 1.1.2.4, “User Certificates” •...
  • Page 27: A Review Of Certificate System Subsystems

    A Review of Certificate System Subsystems 1.1.2.2. Other Signing Certificates Other services, such as the OCSP responder service and CRL publishing, can use signing certificates other than the CA certificate. For example, a separate CRL signing certificate can be used to sign the revocation lists that are published by a CA instead of using the CA signing certificate.
  • Page 28: Certificate Manager

    Chapter 1. Overview of Red Hat Certificate System Subsystems • A certificate authority called a Certificate Manager. The CA is the core of the PKI; it issues and revokes all certificates. The Certificate Manager is also the core of the Certificate System. By establishing a security domain of trusted subsystems, it establishes and manages relationships between the other subsystems.
  • Page 29: Registration Authority

    Registration Authority 1.2.2. Registration Authority The Registration Authority subsystem handles certain certificate issuing tasks locally, such as generating and submitting certificate requests. This effectively makes the RA a load-balancer for the CA; a local RA can receive and verify the legitimacy of a certificate request (authenticate it) and then forward valid requests to the CA to issue the certificate.
  • Page 30: Token Key Service

    Chapter 1. Overview of Red Hat Certificate System Subsystems 1.2.6. Token Key Service The Token Key Service (TKS) uses a master key to derive specific, separate keys for every smart card. The TPS uses these secret keys to communicate with each smart card securely, since all communication between the TPS and the smart card is encrypted.
  • Page 31 A Look at Managing Certificates Figure 1.2. CA and DRM Another aspect of how the subsystems work together is load balancing. If a site has high traffic, then it is possible to install a lot of CAs, as clones of each other or in a flat hierarchy (where each CA is independent) or in a tree hierarchy (where some CAs are subordinate to other CAs).
  • Page 32 Chapter 1. Overview of Red Hat Certificate System Subsystems Figure 1.4. CA and OCSP Even with all possible subsystems installed, the core of the Certificate System is still the CA (or CAs), since they ultimately process all certificate-related requests. The other subsystems connect to the CA or CAs like spokes in a wheel.
  • Page 33: A Look At The Token Management System

    A Look at the Token Management System 1.4. A Look at the Token Management System Certificate System creates, manages, renews, and revokes certificates, as well as archiving and recovering keys. For organizations which use smart cards, the Certificate System has a token management system —...
  • Page 34 Chapter 1. Overview of Red Hat Certificate System Subsystems are based on the card's unique ID. The keys are formatted on the smart card and are used to encrypt communications, or provide authentication, between the smart card and TPS. • The Certificate Authority (CA) creates and revokes user certificates stored on the smart card. •...
  • Page 35: Red Hat Certificate System Services

    Red Hat Certificate System Services After installation, the TPS configuration file, CS.cfg, can have additional CA, DRM, and TKS instances added to provide failover support, so if the primary subsystem is unavailable, the TPS can switch to the next available system without interrupting its token services. 1.5.
  • Page 36 Chapter 1. Overview of Red Hat Certificate System Subsystems Figure 1.6. Certificate System Console The Configuration tab controls all of the setup for the subsystem, as the name implies. The choices available in this tab are different depending on which subsystem type the instance is; the CA has the most options since it has additional configuration for jobs, notifications, and certificate enrollment authentication.
  • Page 37 Interfaces for Administrators Figure 1.7. RA Admin Page The TPS only allows operations to manage users for the TPS subsystem. However, the TPS admin page can also list tokens and display all activities (including normally-hidden administrative actions) performed on the TPS.
  • Page 38: Agent Interfaces

    Chapter 1. Overview of Red Hat Certificate System Subsystems Figure 1.8. TPS Admin Page 1.5.2. Agent Interfaces The agent services pages are where almost all of the certificate and token management tasks are performed. These services are HTML-based, and agents authenticate to the site using a special agent certificate.
  • Page 39: End User

    End User Pages Figure 1.9. Certificate Manager's Agent Services Page The operations vary depending on the subsystem: • The Certificate Manager agent services include approving certificate requests (which issues the certificates), revoking certificates, and publishing certificates and CRLs. All certificates issued by the CA can be managed through its agent services page.
  • Page 40: Enterprise Security Client

    Chapter 1. Overview of Red Hat Certificate System Subsystems The end-user services are accessed over standard HTTP using the server's hostname and the standard port number; they can also be accessed over HTTPS using the server's hostname and the specific end-entities SSL port. For CAs, each type of SSL certificate is processed through a specific online submission form, called a profile.
  • Page 41 Enterprise Security Client • Supports JavaCard 2.1 or higher cards and Global Platform 2.01-compliant smart cards like Safenet's 330J smart card • Supports Global Platform 2.01-compliant smart cards like Gemalto e-gate 32K and Gemalto TOP IM FIPS CY2 64K tokens, both the smart card and GemPCKey USB form factor key. •...
  • Page 43: Setting Up Certificate Services

    Part I. Setting up Certificate Services...
  • Page 45: Making Rules For Issuing Certificates

    Chapter 2. Making Rules for Issuing Certificates The Certificate System provides a customizable framework to apply policies for incoming certificate requests and to control the input request types and output certificate types; these are called certificate profiles. Certificate profiles set the required information for certificate enrollment forms in the Certificate Manager end-entities page.
  • Page 46 Chapter 2. Making Rules for Issuing Certificates authorized), the information that is included in the certificate content, and how long the certificate is valid. The profile itself is defined in a special .cfg file in the /var/lib/subsystem_name/profiles/ca directory for the CA. The parameters for this file defining the inputs, outputs, and policysets are listed in Section 2.2.3, “Creating and Editing Certificate Profiles through the Command Line”.
  • Page 47: Certificate Extensions: Defaults And Constraints

    Certificate Extensions: Defaults and Constraints

        output.list=o1
        output.o1.class_id=certOutputImpl

    For caUserCert, the output displays the certificate in pretty print format. This output needs to be specified for any automated enrollment. Once a user successfully authenticates and is authorized using the automated enrollment method, the certificate is automatically generated, and this output page is returned to the user.
  • Page 48: Inputs And Outputs

    Chapter 2. Making Rules for Issuing Certificates Basic Constraints Extension identifies whether a certificate is a CA signing certificate, the maximum number of subordinate CAs that can be configured beneath the CA, and whether the extension is critical (required):

        policyset.caCertSet.5.default.name=Basic Constraints Extension Default
        policyset.caCertSet.5.default.params.basicConstraintsCritical=true
        policyset.caCertSet.5.default.params.basicConstraintsIsCA=true
        policyset.caCertSet.5.default.params.basicConstraintsPathLen=-1
        ...
  • Page 49: Creating Certificate Profiles Through The Ca Console

    Creating Certificate Profiles through the CA Console NOTE The old policy framework for managing certificates was deprecated in Certificate System 7.1 and was removed entirely for Certificate System 7.2, 7.3, and 8.0. Any certificate enrollments or other operations must be performed using the new profile framework. 2.2.1.
  • Page 50 Chapter 2. Making Rules for Issuing Certificates 4. Fill in the profile information in the Certificate Profile Instance Editor. • Certificate Profile Instance ID. This is the ID used by the system to identify the profile. • Certificate Profile Name. This is the user-friendly name for the profile. •...
  • Page 51 Creating Certificate Profiles through the CA Console to be processed through the Certificate Manager's certificate profile framework, rather than through the input page for the certificate profile. • Certificate Profile Authentication. This sets the authentication method. An automated authentication is set by providing the instance ID for the authentication instance. If this field is blank, the authentication method is agent-approved enrollment;...
  • Page 52 Chapter 2. Making Rules for Issuing Certificates c. Fill in the policy set ID. When issuing dual key pairs, separate policy sets define the policies associated with each certificate. Then fill in the certificate profile policy ID, a name or identifier for the certificate profile policy.
  • Page 53 Creating Certificate Profiles through the CA Console Defaults defines attributes that populate the certificate request, which in turn determines the content of the certificate. These can be extensions, validity periods, or other fields contained in the certificates. Constraints defines valid values for the defaults. Section B.1, “Defaults Reference”...
  • Page 54 Chapter 2. Making Rules for Issuing Certificates b. Choose the input from the list, and click OK. See Section A.1, “Input Reference” for complete details of the default inputs. c. The New Certificate Profile Editor window opens. Set the input ID, and click OK.
  • Page 55 Creating Certificate Profiles through the CA Console Inputs can be added and deleted. It is possible to select edit for an input, but since inputs have no parameters or other settings, there is nothing to configure. To delete an input, select the input, and click Delete. 9.
  • Page 56 Chapter 2. Making Rules for Issuing Certificates Outputs can be added and deleted. It is possible to select edit for an output, but since outputs have no parameters or other settings, there is nothing to configure. a. To add an output, click Add. b.
  • Page 57: Editing Certificate Profiles In The Console

    Editing Certificate Profiles in the Console https://server.example.com:9445/ca/services b. Click the Manage Certificate Profiles link. This page lists all of the certificate profiles that have been set up by an administrator, both active and inactive. c. Click the name of the certificate profile to approve. d.
  • Page 58: Creating And Editing Certificate Profiles Through The Command Line

    Chapter 2. Making Rules for Issuing Certificates a profile has already been enabled, it must be disabled by the agent before it can be deleted from the profile list. NOTE Restart the server after editing the profile configuration file for the changes to take effect. 2.2.3.
  • Page 59 Creating and Editing Certificate Profiles through the Command Line certificate is issued, one set is evaluated, and any other sets in the profile are ignored. When dual key pairs are issued, the first policy set is evaluated with the first certificate request, and the second set is evaluated with the second certificate request.
  • Page 60 Chapter 2. Making Rules for Issuing Certificates 2.2.3.2. Modifying Certificate Extensions through the Command Line Changing constraints changes the restrictions on the type of information which can be supplied. Changing the defaults and constraints can also add, delete, or modify the extensions which are accepted or required from a certificate request.
  • Page 61: Defining Key Defaults In Profiles

    Defining Key Defaults in Profiles 2.2.3.3. Adding Inputs through the Command Line The certificate profile configuration file in the CA's profiles/ca directory contains the input information for that particular certificate profile form. Inputs are the fields in the end-entities page enrollment forms.
  • Page 62 Chapter 2. Making Rules for Issuing Certificates by a different CA. Both partner CAs store the other CA signing certificate in its database, so all of the certificates issued within the other PKI are trusted and recognized. Issuing cross-pair certificates requires the Certificate Policies Extension, explained in Section B.3.4, “certificatePoliciesExt”.
  • Page 63: List Of Certificate Profiles

    List of Certificate Profiles 6. As a CA agent, enable the certificate profile. 2.2.6. List of Certificate Profiles The following pre-defined certificate profiles are ready to use when the Certificate System CA is installed. These certificate profiles have been designed for the most common types of certificates, and they provide common defaults and constraints, authentication methods, and inputs and outputs.
  • Page 64 Chapter 2. Making Rules for Issuing Certificates

    Profile ID: caCACert
    Profile Name: Manual Certificate Manager Signing Certificate Enrollment
    Description: Enrolls Certificate Authority certificates.

    Profile ID: caCMCUserCert
    Profile Name: Signed CMC-Authenticated User Certificate Enrollment
    Description: Enrolls user certificates by using the CMC certificate request with CMC Signature authentication.
  • Page 65 List of Certificate Profiles

    a few examples of these in the default profiles, and they are mostly not enabled by default.

    Profile ID: caDualCert
    Profile Name: Manual User Signing & Encryption Certificates Enrollment
    Description: Enrolls dual user certificates. It works only with Netscape 7.0 or later.
  • Page 66 Chapter 2. Making Rules for Issuing Certificates Profile ID Profile Name Description NOTE Renewal profiles can only be used in conjunction with the profile that issued the original certificate. There are two settings that are beneficial: • It is important that the original enrollment profile name does not...
  • Page 67 List of Certificate Profiles

    Profile ID: caRARouterCert
    Profile Name: RA Agent-Authenticated Router Certificate Enrollment
    Description: Enrolls router certificates after agent approval (as opposed to automatic enrollment).

    Profile ID: caRAserverCert
    Profile Name: RA Agent-Authenticated Server Certificate Enrollment
    Description: Enrolls server certificates with RA agent authentication.

    Profile ID: caRouterCert
    Profile Name: One Time Pin Router Certificate Enrollment
    Description: Enrolls router certificates...
  • Page 68 Chapter 2. Making Rules for Issuing Certificates Profile ID Profile Name Description enrollment profile. This defines the amount of time before and after the certificate's expiration date when the user is allowed to renew the certificate. There are only a few examples of these in the default profiles, and they are...
  • Page 69 List of Certificate Profiles

    TPS for smart card enrollment operations.

    Profile ID: caTokenMSLoginEnrollment
    Profile Name: Token User MS Login Certificate Enrollment
    Description: Enrolls key to be used by a person for logging into a Windows domain or PC; used by the TPS for smart card enrollment operations.
  • Page 70: Configuring Custom Enrollment Profiles To Use With An Ra

    Chapter 2. Making Rules for Issuing Certificates 2.3. Configuring Custom Enrollment Profiles to Use with an RA The profiles used to submit certificate requests through the RA are created and configured in the CA, as described in Section 2.2, “Setting up Certificate Profiles”. However, the way to process those requests and the specific profiles to use for the requests (both for existing and custom profiles) must be configured in the RA by calling on the RA's request queue plug-ins.
  • Page 71 Creating RA Enrollment Forms

        cp -r user/ example/

    3. Edit the main index file for the end-entities directory to add the new example profile to the list of available profiles:

        vim index.vm

        ... snip ...
        <font size="+1" face="PrimaSans BT, Verdana, Arial, Helvetica, sans-serif">
        RA EE Services
        </font><br>...
  • Page 72: Configuring The Request Queues

    Chapter 2. Making Rules for Issuing Certificates 7. Update the descriptions and names in the index.vm file. Update the docroot paths to the example/ directory and, if the related certificate and renewal forms were renamed and are being used for the new profile, then change the referenced .cgi file names. <font size="+1"...
  • Page 73 Configuring the Request Queues

    Plug-in or Library: PKI::Request::Plug-in::AutoAssign (plug-in)
    Location: /var/lib/pki-ra/lib/perl/PKI/Request/Plug-in
    Description: Automatically assigns a request to a group of agents.

    Plug-in or Library: PKI::Request::Plug-in::CreatePin (plug-in)
    Location: /var/lib/pki-ra/lib/perl/PKI/Request/Plug-in
    Description: Creates a one-time PIN for SCEP enrollment.

    Plug-in or Library: PKI::Request::Plug-in::EmailNotification (plug-in)
    Location: /var/lib/pki-ra/lib/perl/PKI/Request/Plug-in
    Description: Sends email notifications.

    Plug-in or Library: PKI::Request::Plug-...
  • Page 74 Chapter 2. Making Rules for Issuing Certificates

        request.server.create_request.0.assignTo=agents
        request.server.create_request.0.plugin=PKI::Request::Plugin::AutoAssign
        request.server.create_request.1.mailTo=dlackey@redhat.com
        request.server.create_request.1.plugin=PKI::Request::Plugin::EmailNotification
        request.server.create_request.1.templateDir=/usr/share/pki/ra/conf
        request.server.create_request.1.templateFile=mail_create_request.vm
        request.server.create_request.num_plugins=2
        ... when the request is rejected ...
        request.server.reject_request.num_plugins=0

    Example 2.2. Server Certificate Enrollment

    To create the entry:

    1. Stop the RA.

        service pki-ra stop

    2. Open the CS.cfg file.
  • Page 75: Managing Smart Card Ca Profiles

    Managing Smart Card CA Profiles

        service pki-ra start

    2.4. Managing Smart Card CA Profiles
    The TPS does not generate or approve certificate requests; it sends any requests approved through the Enterprise Security Client to the configured CA to issue the certificate. This means that the CA actually contains the profiles to use for tokens and smart cards.
  • Page 76: Editing Enrollment Profiles For The Tps

    Chapter 2. Making Rules for Issuing Certificates 2.4.1. Editing Enrollment Profiles for the TPS Administrators have the ability to customize the default smart card enrollment profiles, used with the TPS. For instance, a profile could be edited to include the user's email address in the Subject Alternative Name extension.
  • Page 77: Using The Windows Smart Card Logon Profile

    Using the Windows Smart Card Logon Profile

        op.enroll.userKey.keyGen.signing.ca.profileId=tpsExampleEnrollProfile

    5. Restart the CA and TPS after editing the smart card profiles. For example:

        service pki-ca restart
        service pki-tps restart

    2.4.3. Using the Windows Smart Card Logon Profile
    The TPS uses a profile to generate certificates to use for single sign-on to a Windows domain or PC; this is the Token User MS Login Certificate Enrollment profile (caTokenMSLoginEnrollment.cfg).
  • Page 78: Setting The Signing Algorithm Default In A Profile

    Chapter 2. Making Rules for Issuing Certificates

        pkiconsole https://server.example.com:9445/ca

    2. In the Configuration tab, expand the Certificate Manager tree.
    3. In the General Settings tab, set the algorithm to use in the Algorithm drop-down menu.

    2.5.2. Setting the Signing Algorithm Default in a Profile
    Each profile has a Signing Algorithm Default extension defined.
  • Page 79 Setting the Signing Algorithm Default in a Profile

    NOTE Before a profile can be edited, it must first be disabled by an agent.

    1. Open the CA console.

        pkiconsole https://server.example.com:9445/ca

    2. In the Configuration tab, expand the Certificate Manager tree.
    3.
  • Page 80: Managing Ca-Related Profiles

    Chapter 2. Making Rules for Issuing Certificates The possible values for the constraint are listed in Section B.2.9, “Signing Algorithm Constraint”. 2.6. Managing CA-Related Profiles Certificate profiles and extensions must be used to set rules on how subordinate CAs can issue certificates.
  • Page 81: Changing The Restrictions For Cas On Issuing Certificates

    Changing the Restrictions for CAs on Issuing Certificates edited in pkiconsole (since it is only available before the instance is configured). It is possible to edit the policies for this profile in the template file before the CA is configured using a text editor.
  • Page 82 Chapter 2. Making Rules for Issuing Certificates that certificate. Check the constraints set on the CA signing certificate before changing the issuing rules for a subordinate CA. To change the certificate issuance rules, do the following:

    1. Open the Certificate System Console.

        pkiconsole https://server.example.com:9445/ca

    2.
  • Page 83: Managing Subject Names And Subject Alternative Names

    Managing Subject Names and Subject Alternative Names

    Serial number management can be enabled for CAs which are not cloned, if the parameters are set in the CS.cfg file.

        dbs.beginSerialNumber=1
        dbs.enableSerialManagement=true
        dbs.endReplicaNumber=100
        dbs.endRequestNumber=10000000
        dbs.endSerialNumber=10000000

    However, by default, serial number management is disabled unless a system is cloned, when it is automatically enabled.
  • Page 84 Chapter 2. Making Rules for Issuing Certificates

        policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
        policyset.userCertSet.8.default.name=Subject Alt Name Constraint
        policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
        policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
        policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
        policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true

    This inserts the requester's email as the first CN component in the subject alt name. To use additional components, increment the Type_, Pattern_, and Enable_ values numerically, such as Type_1. Configuring the subject alt name is detailed in Section B.1.17, “Subject Alternative Name Extension Default”, as well.
  • Page 85 Inserting LDAP Directory Attribute Values and Other Information into the Subject Alt Name 3. To enable the CA to insert the LDAP attribute value in the certificate extension, edit the profile's configuration file, and insert a policy set parameter for an extension. For example, to insert the mail attribute value in the Subject Alternative Name extension in the caDirUser profile, do the following: cd /var/lib/subsystem_name/profiles/ca...
  • Page 86: Changing Dn Attributes In Ca-Issued Certificates

    Chapter 2. Making Rules for Issuing Certificates Policy Set Token Description 0:0:0:0:0:0:13.1.68.3, FF01::43, 0:0:0:0:0:0:13.1.68.3,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000. $request.requestor_email$ The email address of the person who submitted the request. $request.requestowner$ The person who submitted the request. $request.subject$ The subject name DN of the entity to which the certificate is issued. For example, uid=jsm $request.tokencuid$ The card unique ID (CUID) of the smart card token used for requesting the enrollment.
  • Page 87 Changing DN Attributes in CA-Issued Certificates X500Name.NEW_ATTRNAME.oid=n.n.n.n X500Name.NEW_ATTRNAME.class=string_to_DER_value_converter_class The value converter class converts a string to an ASN.1 value; this class must implement the netscape.security.x509.AVAValueConverter interface. The string-to-value converter class can be one of the following: • netscape.security.x509.PrintableConverter converts a string to a PrintableString value.
  • Page 88 Chapter 2. Making Rules for Issuing Certificates X500Name.attr.MYATTR2.oid=11.22.33.44.55.66 X500Name.attr.MYATTR2.class=netscape.security.x509.IA5StringConverter X500Name.attr.MYATTR3.oid=111.222.333.444.555.666 X500Name.attr.MYATTR3.class=netscape.security.x509.PrintableConverter 5. Save the changes, and close the file. 6. Restart the Certificate Manager. service pki-ca start 7. Reload the enrollment page and verify the changes; the new attributes should show up in the form. 8.
  • Page 89: Customizing The Subject Dn In A Certificate Request Issued By An Ra

    Customizing the Subject DN in a Certificate Request Issued by an RA X500Name.dirEncodingOrder=Printable,BMPString To change the DirectoryString encoding, do the following: 1. Stop the Certificate Manager. service pki-ca stop 2. Open the /var/lib/pki-ca/conf/ directory. 3. Open the CS.cfg configuration file. 4.
  • Page 90 Chapter 2. Making Rules for Issuing Certificates NOTE There is no graphical interface for performing this customization. To customize the DN: 1. Edit the user.vm file. By default, this is located in the /var/lib/pki-ra/docroot/ee/user/ directory. 2. Locate the "validate" function and formulate your preferred DN in the var dn= statement. For example: var dn = "uid="+x+".e="+e;...
  • Page 91: Setting Up Key Archival And Recovery

    Chapter 3. Setting up Key Archival and Recovery This chapter explains how to use the Data Recovery Manager (DRM) to archive private keys and to recover these archived keys to restore encrypted data. NOTE Server-side key generation is an option provided for smart card enrollments performed through the TPS subsystem.
  • Page 92: Setting Up Key Archival

    Chapter 3. Setting up Key Archival and Recovery The archived copy of the key remains wrapped with the DRM's storage key. It can be decrypted, or unwrapped, only by using the corresponding private key pair of the storage certificate. A combination of one or more key recovery (or DRM) agents' certificates authorizes the DRM to complete the key recovery to retrieve its private storage key and use it to decrypt/recover an archived private key.
  • Page 93 Setting up Key Archival Key archival requires two things: • Having a trusted relationship between a CA and a DRM. • Having the enrollment form enabled for key archival, meaning it has key archival configured and the DRM transport certificate stored in the form. Both of these configuration steps are done automatically when the DRM is configured because it is configured to have a trusted relationship with a CA.
  • Page 94: Setting Up Agent-Approved Key Recovery Schemes

    Chapter 3. Setting up Key Archival and Recovery 3.3. Setting up Agent-Approved Key Recovery Schemes Key recovery agents collectively authorize and retrieve private encryption keys and associated certificates in a PKCS #12 package.
  • Page 95: Testing The Key Archival And Recovery Setup

    Testing the Key Archival and Recovery Setup 3. Edit the two recovery scheme parameters. kra.noOfRequiredRecoveryAgents=3 kra.recoveryAgentGroup=Data Recovery Manager Agents 4. Restart the server. service pki-kra start The default key agent scheme requires a single agent from the Data Recovery Manager Agents group to be in charge of authorizing key recovery.
  • Page 96 Chapter 3. Setting up Key Archival and Recovery a. Open the DRM's agent services page, and click the Recover Keys link. Search for the key by the key owner, serial number, or public key. If the key has been archived successfully, the key information will be shown.
  • Page 97: Requesting, Enrolling, And Managing Certificates

    Chapter 4. Requesting, Enrolling, and Managing Certificates Certificates are requested and used by end users. Although certificate enrollment and renewal are operations that are not limited to administrators, understanding the enrollment and renewal processes can make it easier for administrators to manage and create appropriate certificate profiles, Section 2.2, “Setting up Certificate Profiles”, and to use fitting authentication methods as described in...
  • Page 98 Chapter 4. Requesting, Enrolling, and Managing Certificates NOTE This configuration is not necessary to use Internet Explorer 7 and 8 on Microsoft Windows 2000, 2003, or XP. 1. Open Internet Explorer. 2. Import the CA certificate chain. a. Open the unsecure end services page for the CA. http://server.example.com:9180/ca/ee/ca b.
  • Page 99: Requesting And Receiving Certificates

    Requesting and Receiving Certificates 4.3. Requesting and Receiving Certificates The first step for getting a certificate is generating the request, which is then submitted to the issuing CA. Some Certificate System profiles allow users to request a certificate right through the web services pages, and the profile generates and submits the request in a single step.
  • Page 100 Chapter 4. Requesting, Enrolling, and Managing Certificates NOTE The CA certificate request forms support all UTF-8 characters for the common name, organizational unit, and requester name fields. The common name and organization unit fields are included in the subject name of the certificate. This support does not include supporting internationalized domain names.
  • Page 101 Requesting and Receiving a User or Agent Certificate through the End-Entities Page 5. The key pairs for the user certificate are generated, and the certificate request is sent to the agent queue. Alternatively, if automatic enrollment is configured, the certificate is approved (or rejected) by the server, and the new certificate is displayed in the web browser window.
  • Page 102 Chapter 4. Requesting, Enrolling, and Managing Certificates There are two actions that can be taken through this page: • To install this certificate on a server or other application, scroll down to the Installing This Certificate in a Server section, which contains the base-64 encoded certificate. •...
  • Page 103: Requesting Certificates Using Certutil

    Requesting Certificates Using certutil 4.3.2. Requesting Certificates Using certutil NOTE ECC certificates cannot be requested using the end user pages, but ECC certificate requests can be submitted through those pages. Therefore, if a user wants to request an ECC certificate and the CA is ECC-enabled, then the request can be generated using certutil.
  • Page 104 Chapter 4. Requesting, Enrolling, and Managing Certificates c. In Certificate Profiles of the Enrollment tab, click on the appropriate form to submit the request. The default profiles are listed in Section 2.2.6, “List of Certificate Profiles”. d. In the certificate enrollment form, enter the required information. The standard requirements are as follows: •...
  • Page 105 Requesting Certificates Using certutil • Requester Name. This is the common name of the person requesting the certificate. • Requester Email. This is the email address of the requester. The agent or CA system will use this address to contact the requester when the certificate is issued. For example, jdoe@someCompany.com.
  • Page 106 Chapter 4. Requesting, Enrolling, and Managing Certificates There are two actions that can be taken through this page: • To install this certificate on a server or other application, scroll down to the Installing This Certificate in a Server section, which contains the base-64 encoded certificate. •...
  • Page 107: Enrolling A Certificate On A Cisco Router

    Enrolling a Certificate on a Cisco Router Option Description The key type to use; the only native option is rsa. If the CA is ECC-enabled (described in the Insta then this can also be ec. The key size. The recommended size for RSA keys is 2048 and for ECC, 256. The subject name of the certificate.
  • Page 108: Configuring A Router For Scep Enrollment

    Chapter 4. Requesting, Enrolling, and Managing Certificates 4.4.1. Configuring a Router for SCEP Enrollment NOTE Not all versions of router IOS have the relevant crypto features. Make sure that the firmware image has the Certification Authority Interoperability feature. Certificate System SCEP support was tested on a Cisco 2611 router running IOS C2600 Software (C2600- JK9S-M), version 12.2(40), RELEASE SOFTWARE (fc1).
  • Page 109 Generating the SCEP Certificate for a Router 5. Wait for the request to be generated, then retrieve the PIN. 6. Add the PIN and the router's ID to the flatfile.txt file so that the router can authenticate directly against the CA. For example: vim /var/lib/pki-ca/conf/flatfile.txt UID:172.16.24.238 PWD:Uojs93wkfd0IS...
  • Page 110 Chapter 4. Requesting, Enrolling, and Managing Certificates scep(ca-identity)# enrollment url http://server.example.com:9180/ca/cgi-bin scep(ca-identity)# crl optional It is also possible to send the request to the RA. 12. Get the CA's certificate. scep(config)# crypto ca authenticate CA Certificate has the following attributes: Fingerprint: 145E3825 31998BA7 F001EA9A B4001F57 % Do you accept this certificate? [yes/no]: yes 13.
  • Page 111: Working With Subordinate Cas

    Working with Subordinate CAs scep# show crypto ca certificates Certificate Status: Available Certificate Serial Number: 0C Key Usage: General Purpose Issuer: CN = Certificate Authority O = Sfbay Red hat Domain 20070111d12 Subject Name Contains: Name: scep.server.example.com IP Address: 10.14.1.94 Serial Number: 57DE391C Validity Date: start date: 21:42:40 UTC Jan 12 2007...
  • Page 112: Re-Enrolling A Router

    Chapter 4. Requesting, Enrolling, and Managing Certificates scep(ca-identity)# enrollment url http://server.example.com:12888/ee/scep/pkiclient.cgi scep(ca-identity)# crl optional 4.4.4. Re-enrolling a Router Before a router can be re-enrolled with new certificates, the existing configuration has to be removed. 1. Remove (zeroize) the existing keys. scep(config)# crypto key zeroize rsa % Keys to be removed are named scep.server.example.com.
  • Page 113: Creating The Bulk Issuance File

    Creating the Bulk Issuance File There are two parts to performing bulk issuance: • Creating the HTML POST file • Running the bulk issuance command 4.5.1. Creating the Bulk Issuance File Each certificate request has its own entry in the POST file which identifies information that is normally defined through the profile, like the requester information, some extension settings, the certificate type, and the certificate request itself (in CRMF format).
  • Page 114: Running The Bulk Issuance Command

    Chapter 4. Requesting, Enrolling, and Managing Certificates email=true ssl_client=true digital_signature=true non_repudiation=true key_encipherment=true challengePassword=secret confirmChallengePassword=secret csrRequestorEmail=jsmith@example.com csrRequestorPhone=9195550000 csrRequestorComments= CRMFRequest=iJIaifasiuas90AEIFJHui submit=Submit subject=CN=John%20Smith,O=Example%20Corp. certType=client certPrettyPrint=false csrRequestorName= email=false ssl_client=true digital_signature=false non_repudiation=true key_encipherment=true challengePassword= confirmChallengePassword= csrRequestorEmail=mjones@example.com csrRequestorPhone= csrRequestorComments= CRMFRequest=iJIaifasiuas90AEIFJHui submit=Submit subject=CN=Mark%20Jones,O=Example%20Corp. certType=client certPrettyPrint=true Example 4.1. Bulk Issuance POST File 4.5.2.
  • Page 115: Configuring And Using The Auto Enrollment Proxy

    Configuring and Using the Auto Enrollment Proxy 4.6. Configuring and Using the Auto Enrollment Proxy Red Hat Certificate System's Auto Enrollment Proxy for Windows allows users and computers in a Microsoft Windows domain to enroll for certificates automatically, and have them automatically issued from Red Hat Certificate System.
  • Page 116 Chapter 4. Requesting, Enrolling, and Managing Certificates Microsoft certificate services use a special request interface (ICertRequestD) to manage requests within the domain. ICertRequestD is a DCOM object. Windows uses components to manage APIs as if they are objects. The intent of the component object model, or COM, is to enable processes to communicate with each other and to generate objects dynamically.
  • Page 117 About Auto Enrollment • That the Certificate Authority is trusted. • That the requester has permission to access the proxy. If the process meets those requirements, the Windows server generates a PKCS#10 certificate request and submits it to the proxy. The proxy parses the request, pulls out required information and may derive or add other required information, and re-formats the request to meet the requirements for the Red Hat Certificate System CA.
  • Page 118 Chapter 4. Requesting, Enrolling, and Managing Certificates • Has a trusted CA that is listed in the CN=Certification Authorities subtree. • The last CA in the trust chain must be a self-signed root CA. 4.6.1.2. Planning the Auto Enrollment Configuration Only a single Auto Enrollment Proxy is required for an entire domain, but where and on what machine the Auto Enrollment Proxy should be installed depends on the domain configuration.
  • Page 119 About Auto Enrollment Figure 4.4. Having the Proxy within the Domain The most complex arrangement has the proxy installed within a single domain but accessible to multiple domains within a Windows forest. For this configuration, see the Windows server and Active Directory documentation to explain how to configure the domain properly.
  • Page 120: Installing And Setting Up The Auto Enrollment Proxy

    Chapter 4. Requesting, Enrolling, and Managing Certificates 4.6.2. Installing and Setting up the Auto Enrollment Proxy The Auto Enrollment Proxy must be installed and configured on a Windows server within a Windows domain. The latest releases of the Certificate System Auto Enrollment Proxy are available at http://directory.fedoraproject.org/wiki/Windows_Certificate_Auto_Enrollment.
  • Page 121 Installing and Setting up the Auto Enrollment Proxy 3. Select the profile to which to add the snap-ins. (It may be beneficial to have a separate profile for the proxy.) Then click Add.
  • Page 122 Chapter 4. Requesting, Enrolling, and Managing Certificates 4. Select and go through the configuration for each required snap-in. • Services • Certificate Templates • Certificates (with the My user account option, to create a snap-in for Certificates - Current User) • Certificates (with the Computer account option, to create a snap-in for Certificates (Local Computer)) •...
  • Page 123 Installing and Setting up the Auto Enrollment Proxy 4.6.2.3. Setting up the Auto Enrollment Proxy 1. Open the Microsoft Management Console. If a profile was saved to the desktop, then launch it from there; otherwise, open the Start menu, select Run, and type in mmc. 2.
  • Page 124 Chapter 4. Requesting, Enrolling, and Managing Certificates a. Download the Auto Enrollment Proxy file from http://directory.fedoraproject.org/wiki/Windows_Certificate_Auto_Enrollment. b. Double-click the .exe, and go through the installer. 5. Configure the Auto Enrollment Proxy by importing the CA certificate, setting the CAs to use, and setting the Auto Enrollment Proxy settings.
  • Page 125 Installing and Setting up the Auto Enrollment Proxy c. Next, click the Active Directory tab. Click the Populate AD button to create the Active Directory entry for the proxy service.
  • Page 126 Chapter 4. Requesting, Enrolling, and Managing Certificates d. Add the connection information for each Certificate Manager which will be used by the proxy. Click Add to add each CA.
  • Page 127 Installing and Setting up the Auto Enrollment Proxy The CA connection requires the following information: • The fully-qualified domain name of the Certificate Manager • The port number of the Certificate Manager • The Certificate System version number of the Certificate Manager •...
  • Page 128 Chapter 4. Requesting, Enrolling, and Managing Certificates When all of the configuration settings have been made, click Apply to save the settings. 6. The last configuration area is setting up the DCOM service. a. In the Microsoft Management Console, select the DCOM - Components snap-in. b.
  • Page 129 Installing and Setting up the Auto Enrollment Proxy c. Right-click Red Hat Auto Enrollment Proxy, and select Properties. d. In the Security tab, click the Customize radio button under Launch and Activation Permissions, and click the Edit button. Make sure that the administrator and Everyone are selected.
  • Page 130 Chapter 4. Requesting, Enrolling, and Managing Certificates e. In the Identity tab, select the This user radio button. It is better to browse for the user, even if you know the username for the administrator, because the domain name may have to be prepended in order for the user to log into the domain.
  • Page 131: Managing Auto Enrollment Proxy Settings

    Managing Auto Enrollment Proxy Settings support.microsoft.com/kb/892777, which includes LDP (an LDAP browser) and DCDIAG (used for diagnosing domain controller and DNS problems). Two monitoring tools, filemon and regmon, are available at http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/Regmon.ms and are extremely useful for monitoring and troubleshooting registry and file issues, which can help with analyzing the auto enrollment process.
  • Page 132 Chapter 4. Requesting, Enrolling, and Managing Certificates 4.6.3.1. Auto Enrollment Proxy Registry Settings The Auto Enrollment Proxy stores its configuration settings in the Windows registry, underneath the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Red Hat\RHCSProxy\Config This entry defines the basic behaviors of the proxy service. Name Description Example...
  • Page 133 Managing Auto Enrollment Proxy Settings 4.6.3.3. Mapping Certificate System Enrollment Profiles to Windows Profiles The proxy maintains a list of available certificate profiles, by default allowing domain controller certificates (caDomainController) and web server certificates (caAgentServerCert). These profiles are mapped to corresponding Windows certificate templates, maintained in the registry under the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Red Hat\RHCSProxy\Config\ProfileMap To add additional certificate profiles to the proxy service, add a subkey under the ProfileMap folder...
  • Page 134: Manually Requesting Domain Certificates

    Chapter 4. Requesting, Enrolling, and Managing Certificates NOTE Profile maps can only be done by editing the registry keys; they cannot be set in the Auto Enrollment Proxy configuration console. For reference, the schema for certificate templates is described at http://technet2.microsoft.com/WindowsServer/en/Library/32260bb5-4405-4fda-b589-fe05ac3193201033.mspx?mfr=true and certificate template setup is covered at http://technet2.microsoft.com/WindowsServer/en/...
  • Page 135 Manually Requesting Domain Certificates 4. The available types of certificates that can be requested are listed. Select the type of certificate to request.
  • Page 136 Chapter 4. Requesting, Enrolling, and Managing Certificates 5. Fill in the information to use to configure the certificate, such as a name or description.
  • Page 137 Manually Requesting Domain Certificates 6. Click Finish to submit the certificate request to the auto enrollment proxy. 4.6.4.2. Requesting Certificates Using certreq 1. Create an .inf file to use to supply values for the certificate request. This file defines the settings to use for the certificate request, such as the certificate profile for the Windows domain, the key settings, and any extensions.
  • Page 138: Renewing Certificates

    Chapter 4. Requesting, Enrolling, and Managing Certificates [RequestAttributes] CertificateTemplate = DomainController More information on using certreq and the format of the request file is available at http://technet.microsoft.com/en-us/library/cc736326(WS.10).aspx. 2. On the Windows machine, run the certreq command to generate the request, specifying the request .inf file and an output file for the certificate request.
  • Page 139 About Renewal 4.7.1.1. The Renewal Process There are two methods of renewing a certificate. Regenerating the certificate takes its original key and its original profile and request, and recreates a new certificate with a new validity period and expiration date using the identical key. Re-keying a certificate resubmits the initial certificate request to the original profile, but generates a new key pair.
  • Page 140 Chapter 4. Requesting, Enrolling, and Managing Certificates subjectName: UID=jsmith,E=jsmith@example.com,CN=John Smith,OU=engineering,OU=content,OU=services,OU=people,C=US publicKeyData:: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAOhd4g9Fluurl3mtUzEKmilsGolBKr/ sEvGpPZecPpcFxfkxwfvfjl6ycEUcxXJXEhdSQ+ZPdCUwakSBhn15Uz8CAwEAAQ== extension: 1.3.6.1.5.5.7.1.1 extension: 2.5.29.37 extension: 2.5.29.35 extension: 2.5.29.17 extension: 2.5.29.15 version: 2 algorithmId: 1.2.840.113549.1.1.1 signingAlgorithmId: 1.2.840.113549.1.1.5...
  • Page 141: Creating Custom Renewal Profiles

    Creating Custom Renewal Profiles 4.7.1.2. Renewal Types in Certificate System As with any certificate request, a renewal request has to be approved before the CA will issue the new certificate. Certificate System has three renewal types, depending on the authorization method used to verify the requester, and any of the three types can be used to renew any kind of certificate: •...
  • Page 142 Chapter 4. Requesting, Enrolling, and Managing Certificates renewal=true The renewal grace period is set through the Renewal Grace Period Constraint (in Section B.2.8, “Renewal Grace Period Constraint”). This constraint has two parameters, setting the time period before and after the expiration date that renewal can be allowed. policyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9 policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint...
  • Page 143: Renewing Certificates

    Renewing Certificates output.o1.class_id=certOutputImpl Example 4.3. Agent-Based Renewal Profile For directory-based authentication, the requester must log into an LDAP directory and authenticate against that database, so the auth.instance_id parameter must be set to use directory authentication. desc=This certificate profile is for renewing a certificate by serial number by using directory based authentication.
  • Page 144 Chapter 4. Requesting, Enrolling, and Managing Certificates smoothly transitioning between subsystem certificates as they expire, and is especially useful for CA signing certificates. Certificate System subsystem and user certificates, as well as end user certificates, can be renewed by resubmitting the original certificate request using the original keys. The renewal process can be done by accessing the end user forms or by generating a new certificate request using the old keys with the certutil command.
  • Page 145 Renewing Certificates 4. Click the renew button. 5. The request is submitted. For directory-based renewals, the renewed certificate is automatically returned. Otherwise, the renewal request will be approved by an agent.
  • Page 146 Chapter 4. Requesting, Enrolling, and Managing Certificates 4.7.3.1.2. Certificate-Based Renewal Some user certificates are stored directly in your browser, so some renewal forms will simply check your browser certificate database for a certificate to renew. If a certificate can be renewed, then the CA automatically approves and reissues it.
  • Page 147 Renewing Certificates 4.7.3.2. Renewing Certificates Using certutil certutil can be used to generate a certificate request using an existing key pair in the certificate database. The new certificate request can then be submitted through the regular profile pages for the CA to issue a renewed certificate.
  • Page 148 Chapter 4. Requesting, Enrolling, and Managing Certificates certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" Enter Password or Pin for "NSS Certificate DB": < 0> rsa 69481646e38a6154dc105960aa24ccf61309d37d caSigningCert cert-pki-ca 4. Copy the alias directory as a backup, then delete the original certificate from the certificate database.
  • Page 149: Using And Configuring The Token Management System: Tps, Tks, And Enterprise Security Client

    Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client This chapter gives an overview of using hardware security modules, also called HSMs or tokens, to generate and store Certificate System instance certificates and keys. This chapter includes installation and usage considerations for supported HSMs, describes different tasks for managing tokens, and contains other information for using hardware tokens with Certificate System.
  • Page 150: Configuring Tps Enrollment Operations

    Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client op.format.tokenKey.revokeCert=true The different format operations can be configured to happen automatically by setting the appropriate parameters in the CS.cfg file. The TPS can also be configured with other options, such as requiring LDAP authentication and setting which subsystem instances will process the formatting operations.
  • Page 151 Configuring TPS Enrollment Operations ... card issuer information ... op.enroll.soKey.cardmgr_instance=A0000000030000 op.enroll.soKey.issuerinfo.enable=true op.enroll.soKey.issuerinfo.value=http://server.example.coml:7888/cgi-bin/so/index.cgi ... CA connection and profile ... op.enroll.soKey.keyGen.encryption.ca.conn=ca1 op.enroll.soKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollment op.enroll.soKey.keyGen.encryption.certAttrId=c2 op.enroll.soKey.keyGen.encryption.certId=C2 ... key generation information ... op.enroll.soKey.keyGen.encryption.cuid_label=$cuid$ op.enroll.soKey.keyGen.encryption.keySize=1024 op.enroll.soKey.keyGen.encryption.keyUsage=0 op.enroll.soKey.keyGen.encryption.keyUser=0 op.enroll.soKey.keyGen.encryption.label=encryption key for $userid$ op.enroll.soKey.keyGen.encryption.overwrite=true ... recovering lost tokens ... op.enroll.soKey.keyGen.encryption.recovery.destroyed.revokeCert=false op.enroll.soKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0 op.enroll.soKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast...
  • Page 152 Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client Parameter Description • 1 - Key compromised. • 2 - CA key compromised. • 3 - Affiliation changed. • 4 - Certificate superseded. • 5 - Cessation of operation. •...
  • Page 153 Configuring TPS Enrollment Operations Parameter Description op.enroll.tokenType.keyGen.encryption.recovery.keyCompromise.scheme Specifies encryption certificate recovery scheme for tokens whose RecoverLast. op.enroll.tokenType.keyGen.encryption.recovery.keyCompromise.revokeCert Specifies if the encryption certificate should be revoked if the toke op.enroll.tokenType.keyGen.encryption.recovery.keyCompromise.revokeCert.reason Specifies what the signing certificate revocation reason should be • 0 - Unspecified. •...
  • Page 154 Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client Parameter Description • 5 - Cessation of operation. • 6 - Certificate is on hold. op.enroll.tokenType.keyGen.tokenName The name of the token to use. The TPS can substitute some special strin of the token;...
  • Page 155: Configuring Tps Renewal Operations

    Configuring TPS Renewal Operations op.enroll.tokenType.keyGen.signing|encryption.public.keyCapabilities.encrypt op.enroll.tokenType.keyGen.signing|encryption.public.keyCapabilities.sign op.enroll.tokenType.keyGen.signing|encryption.public.keyCapabilities.signRecover op.enroll.tokenType.keyGen.signing|encryption.public.keyCapabilities.decrypt op.enroll.tokenType.keyGen.signing|encryption.public.keyCapabilities.derive op.enroll.tokenType.keyGen.signing|encryption.public.keyCapabilities.unwrap op.enroll.tokenType.keyGen.signing|encryption.public.keyCapabilities.wrap op.enroll.tokenType.keyGen.signing|encryption.public.keyCapabilities.verifyRecover op.enroll.tokenType.keyGen.signing|encryption.public.keyCapabilities.verify op.enroll.tokenType.keyGen.signing|encryption.public.keyCapabilities.sensitive op.enroll.tokenType.keyGen.signing|encryption.public.keyCapabilities.private op.enroll.tokenType.keyGen.signing|encryption.public.keyCapabilities.token op.enroll.tokenType.keyGen.signing|encryption.private.keyCapabilities.encrypt op.enroll.tokenType.keyGen.signing|encryption.private.keyCapabilities.sign op.enroll.tokenType.keyGen.signing|encryption.private.keyCapabilities.signRecover op.enroll.tokenType.keyGen.signing|encryption.private.keyCapabilities.decrypt op.enroll.tokenType.keyGen.signing|encryption.private.keyCapabilities.derive op.enroll.tokenType.keyGen.signing|encryption.private.keyCapabilities.unwrap op.enroll.tokenType.keyGen.signing|encryption.private.keyCapabilities.wrap op.enroll.tokenType.keyGen.signing|encryption.private.keyCapabilities.verifyRecover op.enroll.tokenType.keyGen.signing|encryption.private.keyCapabilities.verify op.enroll.tokenType.keyGen.signing|encryption.private.keyCapabilities.sensitive op.enroll.tokenType.keyGen.signing|encryption.private.keyCapabilities.private op.enroll.tokenType.keyGen.signing|encryption.private.keyCapabilities.token Table 5.3. Important Enrollment Parameters That Should Never Be Edited 5.1.3. Configuring TPS Renewal Operations Renewal operations regenerate the certificates on a token, using existing key pairs to recreate the certificates.
  • Page 156: Configuring The Pin Reset Operation

    Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client Parameter Description op.renewal.tokenType.signing.certAttrId Identifies which key on the token is used for the signing certificate. op.renewal.tokenType.signing.certId Identifies which key on the token is used for the signing certificate. op.renewal.tokenType.signing.ca.profileId The CA profile that should be used for renewing the signing certificate.
  • Page 157: Configuring The Applet Update Operation

    Configuring the Applet Update Operation 5.1.5. Configuring the Applet Update Operation The TPS communicates with an applet on the smart card. The smart cards can be manufactured with both a card manager applet and a vendor applet or with only the card manager applet. If the cards only have the card manager applet, the TPS can install the Certificate System applet onto the smart card.
  • Page 158: Allowing Token Renewal

    Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client 5.2. Allowing Token Renewal There are two default policies to allow encryption and signing certificates to be renewed on a token. Whether a token can be renewed depends on whether the user policy for the token allows it to be renewed.
  • Page 159: Changing The Token Policy

    Changing the Token Policy 5. Save the changes. 5.3. Changing the Token Policy A token policy sets rules on what the user can do after the token is enrolled, such as whether the user can reset the password or reuse the token. There are three supported token policies: •...
  • Page 160 Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client Figure 5.1. Editing the Token Policy The supported token policies accept values of either YES or NO. To set two policies, separate them with a semi-colon. For example: RE_ENROLL=NO;PIN_RESET=YES RENEW=NO;PIN_RESET=NO If both RE_ENROLL and RENEW are set to YES, then the renewal setting takes precedence, the token...
  • Page 161: Setting Token Types For Specified Smart Cards

    Setting Token Types for Specified Smart Cards 5.4. Setting Token Types for Specified Smart Cards The TPS can be configured to use specific token profiles to format a new smart card, based on some attribute of the smart card, such as its answer-to-reset (ATR) message or a range of serial numbers for the smart cards.
  • Page 162 Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client NOTE If the mapping.#. parameter contains more than one mapping ID, then each mapping ID is processed in sequential order until a target is determined or an error is returned. If the mapping.#.
  • Page 163: Example: Token Mapping With Two Different Token Types

    Example: Token Mapping with Two Different Token Types Parameter Description op.operation.mapping.#.filter.tokenCUID.start The filter based on the CUID range. The target tokenType will b op.operation.mapping.#.filter.tokenCUID.end The filter based on the CUID range. The target tokenType will b op.operation.mapping.#.filter.appletMajorVersion The filter based on the applet version. This filter can be empty or are both zero, this indicates there is no applet on the token.
  • Page 164 Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client op.format.mapping.1.filter.tokenCUID.end=20000000000001000 ########################################################################## # Profile for DevKey ########################################################################## op.format.devKey.update.applet.emptyToken.enable=true op.format.devKey.update.applet.requiredVersion=1.3.427BDDB8 op.format.devKey.update.applet.directory=/usr/share/pki/tps/applets op.format.devKey.update.applet.encryption=true op.format.devKey.update.symmetricKeys.enable=false op.format.devKey.update.symmetricKeys.requiredVersion=1 op.format.devKey.revokeCert=true op.format.devKey.ca.conn=ca1 op.format.devKey.loginRequest.enable=true op.format.devKey.tks.conn=tks1 op.format.devKey.auth.id=ldap-dev op.format.devKey.auth.enable=true ########################################################################## # Profile for QAKey ########################################################################## op.format.qaKey.update.applet.emptyToken.enable=true op.format.qaKey.update.applet.requiredVersion=1.3.427BDDB8 op.format.qaKey.update.applet.directory=/usr/share/tps/applets...
  • Page 165: Automating Encryption Key Recovery

    Automating Encryption Key Recovery LDAP directory. auth.instance.1.ui.id.UID.name.en=LDAP User ID auth.instance.1.ui.id.PASSWORD.name.en=LDAP Password auth.instance.1.ui.id.UID.description.en=QA LDAP User ID auth.instance.1.ui.id.PASSWORD.description.en=QA LDAP Password ########################################################################## • The two format operation profiles are devKey and qaKey. • The two mapping order 0 refers to the devKey and 1 refers to the qaKey. •...
  • Page 166: Configuring Key Generation For Temporary Tokens

    Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client The policy describing which keys should be regenerated and which keys should be recovered is defined in the following TPS CS.cfg parameters. For example: op.enroll.userKey.keyGen.recovery.destroyed.keyType.num=2 op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.0=signing op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.1=encryption op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert=true...
  • Page 167: Managing Shared Keys

    Managing Shared Keys op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.decrypt=true op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.derive=false op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.encrypt=false op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.private=true op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.sensitive=true op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.sign=false op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.signRecover=false op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.token=true op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.unwrap=true op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.verify=false op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.verifyRecover=false op.enroll.userKeyTemporary.keyGen.encryption.private.keyCapabilities.wrap=false op.enroll.userKeyTemporary.keyGen.encryption.privateKeyAttrId=k4 op.enroll.userKeyTemporary.keyGen.encryption.privateKeyNumber=4 ... snip ... 5.6. Managing Shared Keys The Token Key Service (TKS) derives keys for the TPS to use. TKS keys process key material sent from the user, the token CUID, an agreed on algorithm, and a public key to recombine a key that exists on the token (that is why the keys are derived rather than generated).
  • Page 168: Generating And Transporting Wrapped Master Keys

    Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client cd /var/lib/pki-tks/alias 3. Generate the new master key. For example: tkstool -M -n new_master1 -d /var/lib/pki-tks/alias -h token_name Enter Password or Pin for "NSS Certificate DB": Generating and storing the master key on the specified token .
  • Page 169 Generating and Transporting Wrapped Master Keys 2. Open the TKS instance alias/ directory. cd /var/lib/pki-tks/alias 3. Create a transport key called transport. tkstool -T -d . -n transport When prompted, fill in the database password, then type in some noise to seed the random number generator.
  • Page 170 Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client Generating second symmetric key . . . Generating third symmetric key . . . Extracting transport key from operational token . . . transport key KCV: 444F D5C2 Storing transport key on final specified token .
  • Page 171: Using Hsm For Generating Keys

    Using HSM for Generating Keys tkstool -U -d directory -n new_master -t transport -i file Enter Password or Pin for "NSS Certificate DB": Retrieving the transport key from the specified token (for unwrapping) . . . Reading in the wrapped data (and resident master key KCV) from the file called "file"...
  • Page 172 Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client 3. Generate the TKS master key on the HSM using the tkstool. (By default during installation, the TKS master key is generated on the software token.) For example: tkstool -M -n new_master -d /var/lib/pki-tks/alias -h nethsm This generates a master key named new_master on the nethsm token for the pki-tks instance.
  • Page 173: Updating Master Key Versions And Associating The Master Key With Its Version

    Updating Master Key Versions and Associating the Master Key with Its Version 5.6.4. Updating Master Key Versions and Associating the Master Key with Its Version The master keys stored in the TKS are accessed by the TPS to perform token operations. Some default keys are built into the TKS, but these can be replaced by generating new master keys.
  • Page 174: Configuring Symmetric Key Changeover

    Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client The new master key must be associated with the TKS keyset definition so that it can be used by the TPS. This keyset also requires a mapping parameter for the new master key version in the TPS CS.cfg file.
  • Page 175 Configuring Symmetric Key Changeover NOTE If this is being generated on an HSM or other external token, then use the -h option with the command to give the token name. Generating a new master key on the TKS is described in more detail in Section 5.6.1, “Generating Master Keys”.
  • Page 176: Configuring The Tps

    Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client op.format.tokenKey.update.symmetricKeys.requiredVersion=2 requiredVersion is the numeric key set identifier required for the operation to proceed. If the smart card does not have the key set specified by the requiredVersion parameter, key changeover will occur, and the operation process continues.
  • Page 177 Enabling SSL for TPS-Enterprise Security Client Connections <VirtualHost _default_:7889> Enable/Disable SSL for this virtual host. NSSEngine on List the ciphers that the client is permitted to negotiate. NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,-rsa_des_56_sha, +rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,- rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha, +fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha NSSProtocol SSLv3,TLSv1 SSL Certificate Nickname: NSSNickname "Server-Cert cert-pki-tps" Server Certificate Database: NSSCertificateDatabase /var/lib/pki-tps/alias...
  • Page 178: Configuring The Channels Between The Tps And Tokens

    Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client First, the Enterprise Security Client has to have the CA certificate for the CA which issued the TPS's certificates in order to trust the TPS connection. 1.
  • Page 179: Configuring Or Disabling Ldap Authentication

    Configuring or Disabling LDAP Authentication • Encryption • The encryption key version and type channel.blocksize=248 channel.defKeyIndex=0 channel.defKeyVersion=0 channel.encryption=true Example 5.3. Default TPS-Token Channel Configuration The defKeyIndex and defKeyVersion parameters should remain the default value, as in Example 5.3, “Default TPS-Token Channel Configuration”.
  • Page 180 Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client The operation_type is the token operation for which LDAP authentication is being disabled, such as enroll, format, or pinreset. Disabling authentication for one operation type does not disable it for any other operation types.
  • Page 181: Configuring The Token Database

    Configuring the Token Database 5.7.4. Configuring the Token Database The TPS uses an LDAP database called the token database or tokenDB to keep specific information for each registered token. It also associates tokens with certificates and users. The token database is viewed or edited through the Administrator tab of the TPS HTML services page.
  • Page 182: Configuring Server-Side Key Generation And Archival Of Encryption Keys

    Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client Parameter Description • tokendb.searchActivityResultTemplate • tokendb.showAdminTemplate • tokendb.doTokenTemplate • tokendb.doTokenConfirmTemplate • tokendb.revokeTemplate • tokendb.editAdminTemplate • tokendb.editAdminResultTemplate • tokendb.searchAdminTemplate • tokendb.searchAdminResultTemplate tokendb.defaultPolicy The default policy to use. The valid values are PIN_RESET=YES|NO; and RE_ENROLL=Y Table 5.10.
  • Page 183 Configuring Server-Side Key Generation and Archival of Encryption Keys 5.7.5.1. Step 1: Configuring the DRM to Perform Server-Side Key Generation for Tokens The Data Recovery Manager (DRM) has different configuration settings to enable server-side key generation for different types of hardware security modules (HSM). If the DRM is not configured to perform key generation for the specific HSM type, the enrollment process on the TPS could fail.
  • Page 184 Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client The TKS also generates a session key for the DRM to use to transport the server-generated private key securely back to the token. The server transport key delivers the session key in two different forms to the TPS: •...
  • Page 185: Configuring Ipv6 Support

    Configuring IPv6 Support conn.drm1.servlet.TokenKeyRecovery=/kra/TokenKeyRecovery conn.drm1.retryConnect=3 conn.drm1.SSLOn=true conn.drm1.keepAlive=false 3. Also edit the smart card profiles in the TPS CS.cfg file. The TPS CS.cfg file has a section defining each type of smart card profile to maintain. In the default configuration, the userKey is defined under the op.enroll.userKey subsection. The keyGen subsection of the userKey profile defines each type of key/certificate pair allowed for that type of smart card.
  • Page 186: Configuring Failover Support

    Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client The support subsystem (CA, TKS, and DRM) can handle requests from several TPS subsystems, so there does not have to be a one-to-one ratio, where there is one CA for every TPS. Figure 5.2.
  • Page 187 Configuring Failover Support The CA configuration parameters are listed in Table 5.11, “CA Connection Settings”. The TKS configuration parameters are listed in Table 5.12, “TKS Connection Settings”. The DRM configuration parameters are listed in Table 5.13, “DRM Connection Settings”. Parameter Description The Certificate Authority hostname and port number.
  • Page 188: Configuring Multiple Support Subsystem Instances For Different Functions

    Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client Parameter Description conn.drm1.servlet.TokenKeyRecovery The servlet for handling smart card key recovery; for example, /kra/agent/kra/Token Table 5.13. DRM Connection Settings 5.8.2. Configuring Multiple Support Subsystem Instances for Different Functions Along with configuring multiple instances for failover support, the TPS can be configured to use multiple instances of a subsystem to perform different functions for different TPS profiles.
  • Page 189: Potential Token Operation Errors

    Potential Token Operation Errors The CA parameters not only specify the type of token (userKey) but also the type of certificate (encryption). It would be possible in this case to use different CAs for signing and encryption certificate enrollments. The DRM parameters also specify the types of keys being generated and archived: op.enroll.userKey.keyGen.encryption.serverKeygen.drm.conn=drm1 op.enroll.tokenKey.keyGen.encryption.serverKeygen.drm.conn=drm2 Table 5.1, “Format Operation...
  • Page 191: Revoking Certificates And Issuing Crls

    Chapter 6. Revoking Certificates and Issuing CRLs The Certificate System provides methods for revoking certificates and for producing lists of revoked certificates, called certificate revocation lists (CRLs). This chapter describes the methods for revoking a certificate, describes CMC revocation, and provides details about CRLs and setting up CRLs. 6.1.
  • Page 192 Chapter 6. Revoking Certificates and Issuing CRLs “Setting CRL Extensions” for more information on setting up CRL extensions for issuing points. The Certificate Manager can generate the CRL every time a certificate is revoked and at periodic intervals. If publishing is set up, the CRLs can be published to a file, an LDAP directory, or an OCSP responder. A CRL is issued and digitally signed by the CA that issued the certificates listed in the CRL.
  • Page 193: User-Initiated Revocation

    User-Initiated Revocation 6.1.1. User-Initiated Revocation When an end user submits a certificate revocation request, the first step in the revocation process is for the Certificate Manager to identify and authenticate the end user to verify that the user is attempting to revoke his own certificate, not a certificate belonging to someone else. In SSL client authentication, the server expects the end user to present a certificate that has the same subject name as the one to be revoked and uses that for authentication purposes.
  • Page 194: Delta Crls

    Chapter 6. Revoking Certificates and Issuing CRLs a separate CRL with every partition. This partition is called a CRL issuing point, the location where a subset of all the revoked certificates is maintained. Partitioning can be based on whether the revoked certificate is a CA certificate or end-entity certificate.
  • Page 195: Setting Up Cmc Revocation

    Setting up CMC Revocation 6.2.1. Setting up CMC Revocation To use CMC to revoke certificates, do the following: • Set up an instance of the CMCAuth Authentication plug-in module. An instance is enabled and configured by default. • Use the agent certificate to sign revocation requests. 6.2.1.1.
  • Page 196: Issuing Crls

    Chapter 6. Revoking Certificates and Issuing CRLs revoker -d "/var/lib/pki-ca/alias" -n "ManagerAgentCert" -i "cn=agentAuthMgr" -s 22 -m 0 -c "test comment" 2. Open the end-entities page. https://server.example.com:9444/ca/ee/ca 3. Select the Revocation tab. 4. Select the CMC Revoke link on the menu. 5.
  • Page 197: Configuring Issuing Points

    Configuring Issuing Points • ARL is an Authority Revocation List containing only revoked CA certificates. • CRL with expired certificates includes revoked certificates that have expired in the CRL. • CRL from certificate profiles determines the revoked certificates to include based on the profiles used to create the certificates originally.
  • Page 198: Configuring Crls For Each Issuing Point

    Chapter 6. Revoking Certificates and Issuing CRLs Figure 6.2. CRL Issuing Point Editor NOTE If some fields do not appear large enough to read the content, expand the window by dragging one of the corners. Fill in the following fields: •...
  • Page 199 Configuring CRLs for Each Issuing Point 3. Select the issuing point name below the Issuing Points entry. 4. Configure how and how often the CRLs are updated by supplying information in the Update tab for the issuing point. This tab has two sections, Update Schema and Update Frequency. •...
  • Page 200 Chapter 6. Revoking Certificates and Issuing CRLs • Update the CRL at. This field sets a daily time when the CRL should be updated. To specify multiple times, enter a comma-separated list of times, such as 01:50,04:55,06:55. • Update the CRL every. This checkbox enables generating and publishing CRLs at the interval set in the field.
  • Page 201 Configuring CRLs for Each Issuing Point Figure 6.4. CRL Format Tab • The CRL Format section has two options: • Revocation list signing algorithm is a drop down list of allowed ciphers to encrypt the CRL. • Allow extensions for CRL v2 is a checkbox which enables CRL v2 extensions for the issuing point. Section 6.3.3,
  • Page 202: Setting Crl Extensions

    Chapter 6. Revoking Certificates and Issuing CRLs 6.3.3. Setting CRL Extensions NOTE Extensions only need to be configured for an issuing point if the Allow extensions for CRLs v2 checkbox is selected for that issuing point. When the issuing point is created, three extensions are automatically enabled: CRLReason, InvalidityDate, and CRLNumber.
  • Page 203: Setting A Ca To Use A Different Certificate To Sign Crls

    Setting a CA to Use a Different Certificate to Sign CRLs 6.3.4. Setting a CA to Use a Different Certificate to Sign CRLs A Certificate Manager uses the key pair corresponding to the CA signing certificate for signing certificates and certificate revocation lists (CRLs). To use a different key pair to sign the CRLs that the Certificate Manager generates, a CRL signing certificate can be created.
  • Page 204: Setting Full And Delta Crl Schedules

    Chapter 6. Revoking Certificates and Issuing CRLs for generating the key pair and the certificate. If the internal/software token is used, use Internal Key Storage Token as the value. For example, the entries might look like this: ca.crl_signing.cacertnickname=crlSigningCert cert-pki-ca ca.crl_signing.defaultSigningAlgorithm=MD5withRSA ca.crl_signing.tokenname=Internal Key Storage Token d.
  • Page 205: Configuring Extended Updated Intervals For Crls In The Console

    Configuring Extended Updated Intervals for CRLs in the Console 6.4.1. Configuring Extended Updated Intervals for CRLs in the Console 1. Open the console. pkiconsole https://server.example.com:9445/ca 2. In the Configuration tab, expand the Certificate Manager folder and the CRL Issuing Points subfolder.
  • Page 206: Enabling Automatic Revocation Checking For Agent Certificates

    Chapter 6. Revoking Certificates and Issuing CRLs service pki-ca stop 2. Open the CA configuration directory. cd /var/lib/subsystem_name/conf 3. Edit the CS.cfg file, and add two lines to set the extended updated interval: ca.crl.extendedNextUpdate=false ca.crl.MasterCRL.updateSchema=3 The default interval is 1, meaning a full CRL is published every time a CRL is published. The updateSchema interval can be set to any integer.
  • Page 207 Enabling Automatic Revocation Checking for Agent Certificates 4. Edit the following parameters: • revocationChecking.bufferSize . Sets the total number of last-checked certificates the server should maintain in its cache. For example, if the buffer size is 2, the server retains the last two certificates checked in its cache.
  • Page 209: Using The Online Certificate Status Protocol Responder

    Chapter 7. Using the Online Certificate Status Protocol Responder This chapter provides an overview of an Online Certificate Status Protocol (OCSP) service and explains how the OCSP service verifies the current status of the certificates issued by the Certificate Manager. The chapter also explains how to configure the Online Certificate Status Managers to publish CRLs.
  • Page 210: Identifying The Ca To The Ocsp Responder

    Chapter 7. Using the Online Certificate Status Protocol Responder 6. Verify that the CA is properly connected to the OCSP responder; see Section 7.2.1, “Verify Certificate Manager and Online Certificate Status Manager Connection”. 7.2. Identifying the CA to the OCSP Responder Before a CA is configured to publish CRLs to the Online Certificate Status Manager, the CA must be identified to the Online Certificate Status Manager by storing the CA signing certificate in the internal database of the Online Certificate Status Manager.
  • Page 211: Verify Certificate Manager And Online Certificate Status Manager Connection

    Verify Certificate Manager and Online Certificate Status Manager Connection 7.2.1. Verify Certificate Manager and Online Certificate Status Manager Connection When the Certificate Manager is restarted, it tries to connect to the Online Certificate Status Manager's SSL port. To verify that the Certificate Manager did indeed communicate with the Online Certificate Status Manager, check the This Update and Next Update fields, which should be updated with the appropriate timestamps of the CA's last communication with the Online Certificate Status Manager.
  • Page 212: Testing The Ocsp Service Setup

    Chapter 7. Using the Online Certificate Status Protocol Responder • baseDN. The DN to start searching for the CRL. For example, O=example.com. • refreshInSec. How often the connection is refreshed. The default is 86400 seconds (daily). • caCertAttr. Leave the default value, cACertificate;binary, as it is. It is the attribute to which the Certificate Manager publishes its CA signing certificate.
  • Page 213: Enabling The Certificate Manager's Internal Ocsp Service

    Enabling the Certificate Manager's Internal OCSP Service • The browser used that response to validate the certificate and returned its status, that the certificate could not be verified. 11. Check the independent OCSP service subsystem again to verify that these things happened: •...
  • Page 214: Enabling Revocation Checking For The Tps And Ra

    Chapter 7. Using the Online Certificate Status Protocol Responder ca.ocsp=false 7.4. Enabling Revocation Checking for the TPS and RA Both the TPS and RA subsystems use web-based administrative services, which require administrators and agents to authenticate using SSL client certificates. The TPS also uses certificate- based authentication for officers to access the Enterprise Security Client interfaces.
  • Page 215 Enabling Revocation Checking for the TPS and RA If the CA's internal OCSP service is used, then the certificate to use for authentication is the CA signing certificate, which is the default value (caCert) of the NSSOCSPDefaultName parameter. To use an external OCSP Manager, set the certificate nickname to the OCSP signing certificate nickname for the OCSP Manager;...
  • Page 216: Enabling Certificate Revocation Checking For Drm And Tks Users

    Chapter 7. Using the Online Certificate Status Protocol Responder passed since a particular validation request has been made to the OCSP server, the cache settings give the TPS the option of getting the validity of the certificate from the value in the cache rather than the server.
  • Page 217 Enabling Certificate Revocation Checking for DRM and TKS Users maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="true" sslProtocol="SSL" sslOptions="ssl2=true,ssl3=true,tls=true" ssl2Ciphers="-SSL2_RC4_128_WITH_MD5, ..." ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA, ..." tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA, ..." SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" enableOCSP="true" ocspResponderURL="http://server.example.com:9180/ca/ocsp" ocspResponderCertNickname="ocspSigningCert cert-pki-ca 102409a" ocspCacheSize="1000" ocspMinCacheEntryDuration="60" ocspMaxCacheEntryDuration="120" ocspTimeout="10" debug="true" serverCertNickFile="/var/lib/pki-kra/conf/serverCertNick.conf" passwordFile="/var/lib/pki-kra/conf/password.conf" passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" certdbDir="/var/lib/pki-kra/alias"/>...
  • Page 218: Submitting Ocsp Requests Using The Get Method

    Chapter 7. Using the Online Certificate Status Protocol Responder Parameter Description ocspMinCacheEntryDuration Sets minimum seconds before another fetch attempt can be made. For example, if this is set to 120, then the validity of a certificate cannot be checked again until at least 2 minutes after the last validity check.
  • Page 219: Setting Up A Redirect For Certificates Issued In Certificate System 7.1 And Earlier

    Setting up a Redirect for Certificates Issued in Certificate System 7.1 and Earlier # OCSPClient server.example.com 11443 /var/lib/pki-ca/alias 'caSigningCert cert-pki-ca' 1 /export/output.txt 1 URI: /ocsp/ee/ocsp Data Length: 68 Data: MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ 44kgy35o7xW5BMzM8FTvyTwCAQE= 2. Connect to the OCSP Manager using wget to send the OCSP request. wget https://server.example.com:11443/ocsp/ee/ocsp/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE= --no-check-certificate...
  • Page 220 Chapter 7. Using the Online Certificate Status Protocol Responder Certificate Manager or do not contain the Authority Information Access extension, then this configuration is not necessary. 1. Stop the OCSP Responder. For example: service pki-ocsp stop 2. Open the OCSP's end user web applications directory. For example: cd /var/lib/pki-ocsp/webapps 3.
  • Page 221 Setting up a Redirect for Certificates Issued in Certificate System 7.1 and Earlier <web-app> <display-name>Welcome to Tomcat</display-name> <description> Welcome to Tomcat </description> <servlet> <servlet-name>ocspProxy</servlet-name> <servlet-class>com.netscape.cms.servlet.base.ProxyServlet</servlet-class> <init-param> <param-name>destContext</param-name> <param-value>/ocsp2</param-value> </init-param> <init-param> <param-name>destServlet</param-name> <param-value>/ee/ocsp</param-value> </init-param> </servlet> <servlet> <servlet-name>ocspOther</servlet-name> <servlet-class>com.netscape.cms.servlet.base.ProxyServlet</servlet-class> <init-param> <param-name>destContext</param-name> <param-value>/ocsp2</param-value> </init-param>...
  • Page 222 Chapter 7. Using the Online Certificate Status Protocol Responder 11. Edit the /var/lib/pki-ocsp/conf/context.xml, changing the following line: <Context> <Context crossContext="true" > 12. Edit the /var/lib/pki-ocsp/webapps/ocsp2/services.template file and change the following line: result.recordSet[i].uri); result.recordSet[i].uri + "/"); 13. Start the OCSP instance. For example: service pki-ocsp start...
  • Page 223: Additional Configuration To Manage Ca Services

    Part II. Additional Configuration to Manage CA Services...
  • Page 225: Publishing Certificates And Crls

    Chapter 8. Publishing Certificates and CRLs Red Hat Certificate System includes a customizable publishing framework for the Certificate Manager, enabling certificate authorities to publish certificates, certificate revocation lists (CRLs), and other certificate-related objects to any of the supported repositories: an LDAP-compliant directory, a flat file, and an online validation authority.
  • Page 226: Publishers

    Chapter 8. Publishing Certificates and CRLs When publishing is enabled, every time a certificate or a CRL is issued, updated, or revoked, the publishing system is invoked. The certificate or CRL is evaluated by the rules to see if it matches the type and predicate set in the rule.
  • Page 227: Mappers

    Mappers publishers specify the attribute in the directory that stores the certificate or CRL; a mapper is used to determine the DN of the entry. For every DN, a different formula is set for deriving that DN. The location of the LDAP directory is specified when LDAP publishing is enabled. When publishing a CRL to an OCSP responder, publishers specify the hostname and URI of the Online Certificate Status Manager.
  • Page 228: Ldap Publishing

    Chapter 8. Publishing Certificates and CRLs For detailed information on both OCSP services, see Chapter 7, Using the Online Certificate Status Protocol Responder. 8.1.6. LDAP Publishing In LDAP publishing, the server publishes the certificates, CRLs, and other certificate-related objects to a directory using LDAP or LDAPS. The branch of the directory to which it publishes is called the publishing directory.
  • Page 229: Configuring Publishing To A File

    Configuring Publishing to a File The attributes set by default are the X.500 standard attributes for storing each object type. This attribute can be changed in the publisher, but, generally, LDAP publishers do not need Section 8.2.3, “Configuring Publishing to an LDAP changed.
  • Page 230 Chapter 8. Publishing Certificates and CRLs Figure 8.1. Using the Publishers Management Tab to Create Publishers 3. Click Add to open the Select Publisher Plug-in Implementation window, which lists registered publisher modules. Figure 8.2. Select Publisher Plug-in Implementation Window 4. Select the FileBasedPublisher module, then open the editor window. This is the module that enables the Certificate Manager to publish certificates and CRLs to files.
  • Page 231 Configuring Publishing to a File 5. Configure the information for publishing the certificate: • The publisher ID, an alphanumeric string with no spaces like PublishCertsToFile • The path to the directory in which the Certificate Manager should publish the files. The path can be an absolute path or can be relative to the Certificate System instance directory.
  • Page 232: Configuring Publishing To An Ocsp

    Chapter 8. Publishing Certificates and CRLs 8.2.2. Configuring Publishing to an OCSP A publisher must be created and configured for each publishing location; publishers are not automatically created for publishing to the OCSP responder. Create a single publisher to publish everything to a single location, or create a publisher for every location to which CRLs will be published.
  • Page 233: Configuring Publishing To An Ldap Directory

    Configuring Publishing to an LDAP Directory Figure 8.5. Publisher Editor Window The host can be the fully-qualified domain name or an IPv4 or IPv6 address. 5. Set the publisher ID, an alphanumeric string with no spaces like PublishCertsToOCSP; the fully-qualified domain name, such as ocspResponder.example.com, and port number of the Online Certificate Status Manager;...
  • Page 234 Chapter 8. Publishing Certificates and CRLs more than one mapper set for a type of certificate. This can be useful, for example, to publish certificates for two sets of users from different divisions of a company who are located in different parts of the directory tree.
  • Page 235 Configuring Publishing to an LDAP Directory Certificate Type 3. Set up a bind DN for the Certificate Manager to use to access the Directory Server. The Certificate Manager user must have read-write permissions to the directory to publish certificates and CRLs to the directory so that the Certificate Manager can modify the user entries with certificate-related information and the CA entry with CA's certificate and CRL related information.
  • Page 236 Chapter 8. Publishing Certificates and CRLs • A new user which is granted write access. The entry can be identified by the Certificate Manager's DN, such as cn=testCA, ou=Research Dept, o=Example Corporation, st=California, c=US. NOTE Carefully consider what privileges are given to this user. This user can be restricted in what it can write to the directory by creating ACLs for the account.
  • Page 237 Configuring Publishing to an LDAP Directory Mapper Description LdapCrlMap Locates the correct attribute of the CA's entry in the directory in order to publish th LdapCaCertMap Locates the correct attribute of the CA's entry in the directory in order to publish th Table 8.2.
  • Page 238 Chapter 8. Publishing Certificates and CRLs Figure 8.7. Mapper Editor Window 5. To create a new mapper instance, click Add. The Select Mapper Plugin Implementation window opens, which lists registered mapper modules. Select a module, and edit it. For complete Section C.2, “Mapper Plug-in Modules ”.
  • Page 239: Creating Rules

    Creating Rules Figure 8.9. Creating a New Mapper Section C.2, “Mapper Plug-in Modules ” for detailed information about each mapper. 8.2.3.4. Creating Rules After configuring the mappers for LDAP publishing, configure the rules for the published certificates Section 8.2.4, “Creating Rules”.
  • Page 240 Chapter 8. Publishing Certificates and CRLs 1. Log into the Certificate Manager Console. pkiconsole https://server.example.com:9445/ca 2. In the Configuration tab, select Certificate Manager from the navigation tree on the left. Select Publishing, and then Rules. The Rules Management tab, which lists configured rules, opens on the right. Figure 8.10.
  • Page 241 Creating Rules Figure 8.11. Using the Rule Editor Window to Edit an Existing Rule 4. To create a rule, click Add. This opens the Select Rule Plug-in Implementation window. Figure 8.12. Select Rule Plugin Implementation Window Select the Rule module. This is the only default module. If any custom modules have been registered, they are also available.
  • Page 242 Chapter 8. Publishing Certificates and CRLs Figure 8.13. Rule Editor Window • type. This is the type of certificate for which the rule applies. For a CA signing certificate, the value is cacert. For a cross-signed certificate, the value is xcert. For all other types of certificates, the value is certs.
  • Page 243: Enabling Publishing

    Enabling Publishing Predicate Type Predicate To publish certificates based on the profile used to issue them, set profileId== Table 8.3. Predicate Expressions 8.2.5. Enabling Publishing Publishing can be enabled for only files, only LDAP, or both. Publishing should be enabled after setting up publishers, rules, and mappers.
  • Page 244: Publishing Crls Over Http

    Chapter 8. Publishing Certificates and CRLs • Host name. If the Directory Server is configured for SSL client authenticated communication, the name must match the cn component in the subject DN of the Directory Server's SSL server certificate. The hostname can be the fully-qualified domain name or an IPv4 or IPv6 address. •...
  • Page 245: Configuring Crl Publishing To Resume After Interrupted Downloads

    Configuring CRL Publishing to Resume after Interrupted Downloads Publishing CRLs over HTTP gives some robustness to how the CRLs are published. The publishing process can be interrupted and resumed smoothly. It also gives flexibility for retrieving CRLs, since they can be downloaded using tools like wget. 8.3.1.
  • Page 246 Chapter 8. Publishing Certificates and CRLs 4. In the Publishers Management tab, click Add. 5. Select the FileBasedPublisher plug-in. 6. Fill in the CRL publishing information.
  • Page 247 Configuring CRL Publishing to Resume after Interrupted Downloads Three points are required for publishing CRLs over HTTP 1.1: • Select latestCrlLink, which configures the server to send the latest generated CRL or the most recent partial CRL. • Set the crlLinkExt to bin, which gives the proper file extension to the compressed published CRL.
  • Page 248 Chapter 8. Publishing Certificates and CRLs 9. Select Rule and click Next. 10. In the Rule Editor, configure the new rule. • Set the type to crl. • Make sure that the enable checkbox is selected. • Set the mapper to NoMap. •...
  • Page 249 Configuring CRL Publishing to Resume after Interrupted Downloads 11. Disable any unused rules. 12. In the left menu, select the main Publishing folder, and, in the General tab, check the Enable Publishing checkbox. NOTE Make sure that the Enable Default LDAP Connection option is not selected. 13.
  • Page 250: Retrieving Crls Using Wget

    Chapter 8. Publishing Certificates and CRLs wget --no-check-certificate -d https://server.example.com:9444/ca/ee/ca/crl/MasterCRL.bin mv MasterCRL.bin MasterCRL.bin.full dd if=MasterCRL.bin.full of=MasterCRL.bin count=200 bs=1 Then attempt to download the partial CRL using wget -c. wget --no-check-certificate -c -d https://server.example.com:9444/ca/ee/ca/crl/MasterCRL.bin 8.3.2. Retrieving CRLs Using wget Because CRLs can be published as a text file over HTTP, they can be manually retrieved from the CA using a tool like wget.
  • Page 251: Publishing Cross-Pair Certificates

    Publishing Cross-Pair Certificates Other relevant parameters for wget are summarized in Table 8.4, “wget Options to Use for Retrieving CRLs”. It can be beneficial to test the setup in Section 8.3.1, “Configuring CRL Publishing to Resume after Interrupted Downloads” by interrupting a CRL download and then downloading the partial CRL.
  • Page 252: Testing Publishing To Files

    Chapter 8. Publishing Certificates and CRLs 8.5. Testing Publishing to Files To verify that the Certificate Manager is publishing certificates and CRLs correctly to file: 1. Open the CA's end-entities page, and request a certificate. 2. Approve the request through the agent services page, if required. 3.
  • Page 253: Viewing Certificates And Crls Published To File

    Viewing Certificates and CRLs Published to File 11. Convert the DER-encoded CRL to its base 64-encoded format using the Binary to ASCII tool. BtoA input_file output_file 12. Convert the base 64-encoded CRL to readable form using the Pretty Print CRL tool. PrettyPrintCrl input_file [output_file] 13.
  • Page 254: Manually Updating Certificates In The Directory

    Chapter 8. Publishing Certificates and CRLs • Search the internal database for certificates that are out of sync and publish or unpublish. • Publish certificates that were issued while the Directory Server was down. Similarly, unpublish certificates that were revoked or that expired while Directory Server was down. •...
  • Page 255: Manually Updating The Crl In The Directory

    Manually Updating the CRL in the Directory 8.7.2. Manually Updating the CRL in the Directory The Certificate Revocation List form in the Certificate Manager agent services page manually updates the directory with CRL-related information. Manually update the CRL information by doing the following: 1.
  • Page 257: Authentication For Enrolling Certificates

    Chapter 9. Authentication for Enrolling Certificates This chapter covers how to enroll end entity certificates, how to create and manage server certificates, the authentication methods available in the Certificate System to use when enrolling end entity certificates, and how to set up those authentication methods. Enrollment is the process of issuing certificates to an end entity.
  • Page 258: Automated Enrollment

    Chapter 9. Authentication for Enrolling Certificates 9.2. Automated Enrollment In automated enrollment, an end-entity enrollment request is processed as soon as the user successfully authenticates by the method set in the authentication plug-in module; no agent approval is necessary. The following authentication plug-in modules are provided: •...
  • Page 259 Setting up Directory-Based Authentication The right pane shows the Authentication Instance tab, which lists the currently configured authentication instances. NOTE The UidPwdDirAuth plug-in is enabled by default. c. Click Add. The Select Authentication Plug-in Implementation window appears. d. Select UidPwdDirAuth for user ID and password authentication, or select UdnPwdDirAuth for DN and password authentication.
  • Page 260: Setting Up Pin-Based Enrollment

    Chapter 9. Authentication for Enrolling Certificates • ldap.minConns. Specifies the minimum number of connections permitted to the authentication directory. The permissible values are 1 to 3. • ldap.maxConns. Specifies the maximum number of connections permitted to the authentication directory. The permissible values are 3 to 10. Click OK.
  • Page 261 Setting up PIN-Based Enrollment Usually, the parameters which need to be updated are the Directory Server's host name, Directory Manager's bind password, and PIN manager's password. d. Run the setpin command with its optfile option pointing to the setpin.conf file. setpin optfile=/usr/lib/pki/native-tools/setpin.conf The tool modifies the schema with a new attribute (by default, pin) and a new object class (by default, pinPerson), creates a pinmanager user, and sets the ACI to allow only the pinmanager user to modify the pin attribute.
  • Page 262 Chapter 9. Authentication for Enrolling Certificates e. Fill in the following fields in the Authentication Instance Editor window: • Authentication Instance ID. Accept the default instance name or enter a new name. • removePin. Sets whether to remove PINs from the authentication directory after end users successfully authenticate.
  • Page 263: Using Certificate-Based Authentication

    Using Certificate-Based Authentication has been configured to map the certificate correctly to a DN in the directory. This is needed for PIN removal only. • ldap.ldapAuthentication.authtype. Specifies the authentication type, basic authentication or SSL client authentication, required in order to remove PINs from the authentication directory.
  • Page 264 Chapter 9. Authentication for Enrolling Certificates It is also possible for a router to submit a certificate request directly to the CA. In that case, the CA uses the flatFileAuth authentication module to process a text file which contains the router's authentication credentials.
  • Page 265 Configuring Flat File Authentication 6. Save the edits. 9.2.4.2. Editing flatfile.txt The same flatfile.txt file is used to authenticate every SCEP enrollment. This file must be manually updated every time a new PIN is issued to a router, assuming that the router contacts the CA directly.
  • Page 266: Setting Up Cmc Enrollment

    Chapter 9. Authentication for Enrolling Certificates If the authentication entries are not separated by an empty line, then when the router attempts to authenticate to the CA, it will fail. For example: ... flatfile.txt entry ... UID:192.168.123.123 PIN:HU89dj UID:12.255.80.13 PIN:fiowIO89 ...
  • Page 267: Setting Up The Server For Multiple Requests In A Full Cmc Request

    Setting up the Server for Multiple Requests in a Full CMC Request Click OK. The authentication instance is now set up and enabled. 3. Use the CMCEnroll utility to sign certificate requests with the agent certificate. This utility has the following syntax: CMCEnroll -d /certificate/directory -h password -n cert_nickname -r certrequest.file -p certDB_passwd [-c] Parameter...
  • Page 268: Testing Cmcenroll

    Chapter 9. Authentication for Enrolling Certificates 3. Restart the server. service pki-ca restart 9.3.2. Testing CMCEnroll 1. Enable CMCEnroll. 2. Create a certificate request using the certutil tool. 3. Copy the PKCS #10 ASCII output to a text file. 4. Run the CMCEnroll utility. For example, if the input file is called request34.txt, the agent certificate is stored in the directory /var/lib/pki-ca/alias, the certificate common name of the agent certificate is CertificateManagerAgentsCert, and the password for the certificate database is secret,...
  • Page 269: Managing Authentication Plug-Ins

    Managing Authentication Plug-ins 2. In the Enrollment tab, open the customized enrollment form. 3. Fill in the values, and submit the request. 4. Enter the password to the key database when prompted. 5. When the correct password is entered, the client generates the key pair. Do not interrupt the key-generation process.
  • Page 271: Using Automated Notifications

    Chapter 10. Using Automated Notifications The Certificate System can be configured to send automatic email notifications to end users when certificates are issued or revoked or to an agent when a new request has arrived in the agent request queue. This chapter describes automated notifications and details how to enable, configure, and customize the notification email messages that are sent.
  • Page 272: About Ra Notifications

    Chapter 10. Using Automated Notifications be found, the notification is sent to the email address specified in the Sender's Email Address field of the Notification panel. 10.1.3. About RA Notifications The notifications covered in this chapter are for operations that occur on the CA. The RA subsystem, however, also provides a method to send notifications to agents (or users) for certificate operations.
  • Page 273: Configuring Specific Notifications By Editing The Cs.cfg File

    Configuring Specific Notifications by Editing the CS.cfg File 4. Notifications can be sent for three kinds of events: newly-issued certificates, revoked certificates, and new certificate requests. To send a notification for any event, select the tab, check the Enable checkbox, and specify information in the following fields: •...
  • Page 274: Testing Configuration

    Chapter 10. Using Automated Notifications For certificate issuing notifications, there are four parameters: ca.notification.certIssued.emailSubject ca.notification.certIssued.emailTemplate ca.notification.certIssued.enabled ca.notification.certIssued.senderEmail For certificate revocation notifications, there are four parameters: ca.notification.certRevoked.emailSubject ca.notification.certRevoked.emailTemplate ca.notification.certRevoked.enabled ca.notification.certRevoked.senderEmail For certificate request notifications, there are five parameters: ca.notification.requestInQ.emailSubject ca.notification.requestInQ.emailTemplate ca.notification.requestInQ.enabled ca.notification.requestInQ.recipientEmail ca.notification.requestInQ.senderEmail Section 10.2, “Setting up...
  • Page 275: Customizing Notification Messages

    Customizing Notification Messages When the server issues a certificate, the user receives a certificate-issued email notification to the address listed in the request. Check the message to see if it has the correct information. 4. Log into the agent interface, and revoke the certificate. The user email account should contain an email message reading that the certificate has been revoked.
  • Page 276 Chapter 10. Using Automated Notifications Notification message templates are located in the /var/lib/pki-ca/emails directory. The name and location of these messages can be changed; make the appropriate changes when configuring the notification. All template names can be changed except for the certificate rejected templates;...
  • Page 277: Customizing Ra Notification Messages

    Customizing RA Notification Messages Token Description • other (other). $ExecutionTime Gives the time the job was run. $HexSerialNumber Gives the serial number of the certificate that was issued in hexadecimal format. $HttpHost Gives the fully qualified host name of the Certificate Manager to which end entities $HttpPort Gives the Certificate Manager's end-entities (non-SSL) port number.
  • Page 278: Configuring A Mail Server For Certificate System Notifications

    Chapter 10. Using Automated Notifications Reply-to: $mail_to Subject: Request #$request_id approved To: $mail_to Content-type: text/plain\n\n Request #$request_id has been approved Subject DN: $subject_dn Import certificate at: https://$machineName:$nonClientAuthSecurePort/ee/request/getcert.cgi?id=$request_id Example 10.1. Default Approved Request Notification for an RA The text can be revised or additional tokens added to provide additional information about the event. Reply-to: $mail_to Subject: Your certificate request, ID #$request_id, has been approved To: $mail_to...
  • Page 279: Creating Custom Notifications For The Ca

    Creating Custom Notifications for the CA 1. Open the CA subsystem administrative console. For example: pkiconsole https://server.example.com:9445/ca 2. In the Configuration tab, highlight the instance name at the top, and select the SMTP tab. 3. Supply the server name and port number of the mail server. The server name is the fully qualified DNS hostname of the machine on which the mail server is installed, such as mail.example.com.
  • Page 281: Setting Automated Jobs

    Chapter 11. Setting Automated Jobs The Certificate System provides a customizable Job Scheduler that supports various mechanisms for scheduling cron jobs. This chapter explains how to configure Certificate System to use specific job plug-in modules for accomplishing jobs. 11.1. About Automated Jobs The Certificate Manager Console includes a Job Scheduler option that can execute specific jobs at specified times.
  • Page 282: Setting Up The Job Scheduler

    Chapter 11. Setting Automated Jobs 11.1.2.2. requestInQueueNotifier The requestInQueueNotifier module checks the status of the request queue at pre-configured time intervals. If any deferred enrollment requests are waiting in the queue, the job constructs an email message summarizing its findings and sends it to the specified agents. 11.1.2.3.
  • Page 283: Setting Up Specific Jobs

    Setting up Specific Jobs 2. In the Configuration tab navigation tree, click Job Scheduler. This opens the General Settings tab, which shows whether the Job Scheduler is currently enabled. 3. Click the Enable Jobs Schedule checkbox to enable or disable the Job Scheduler. Disabling the Job Scheduler turns off all the jobs.
  • Page 284 Chapter 11. Setting Automated Jobs 2. Confirm that the Jobs Scheduler is enabled. See Section 11.2, “Setting up the Job Scheduler” for more information. 3. In the Configuration tab, select Job Scheduler from the navigation tree. Then select Jobs to open the Job Instance tab. Select the job instance from the list, and click Edit/View.
  • Page 285 Configuring Specific Jobs Using the Certificate Manager Console Figure 11.1. Job Configuration 4. Select enabled to turn on the job. 5. Set the configuration settings by specifying them in the fields for this dialog. • For certRenewalNotifier, see Section 11.3.3, “Configuration Parameters of certRenewalNotifier”.
  • Page 286: Configuring Jobs By Editing The Configuration File

    Chapter 11. Setting Automated Jobs • For more information about setting the cron time frequencies, see Section 11.3.7, “Frequency Settings for Automated Jobs”. 6. Click OK. 7. Click Refresh to view any changes in the main window. 8. If the job is configured to send automatic messages, check that a mail server is set up correctly. See Section 10.4, “Configuring a Mail Server for Certificate System Notifications”.
  • Page 287: Configuration Parameters Of Certrenewalnotifier

    Configuration Parameters of certRenewalNotifier 11.3.3. Configuration Parameters of certRenewalNotifier Table 11.1, “certRenewalNotifier Parameters” gives details for each of these parameters that can be configured for the certRenewalNotifier job, either in the CS.cfg file or in the Certificate Manager Console. Parameter Description Specifies whether the job is enabled or disabled.
  • Page 288: Configuration Parameters Of Publishcerts

    Chapter 11. Setting Automated Jobs Parameter Description Specifies whether a summary of the job accomplished should be compiled and sent. The summary.enabled false disables them. If enabled, set the remaining summary parameters; these are requ report. Sets the subject line of the summary message. summary.emailSubject Specifies the path, including the filename, to the directory containing the template to use t summary.emailTemplate...
  • Page 289: Frequency Settings For Automated Jobs

    Frequency Settings for Automated Jobs Parameter Description Sets the time schedule for when the job runs. This is the time the Job Scheduler d cron expired certificates from the publishing directory. This setting must follow the conv Automated Jobs”. For example: 0 0 * * 6 Specifies whether a summary of the certificates removed by the job should be com summary.enabled...
  • Page 290: Registering Or Deleting A Job Module

    Chapter 11. Setting Automated Jobs The following example sets a job to run at noon on April 12: 0 12 12 4 * The day-of-month and day-of-week options can contain a comma-separated list of values to specify more than one day. If both day fields are specified, the specification is inclusive; that is, the day of the month is not required to fall on the day of the week to be valid.
  • Page 291 Registering or Deleting a Job Module If it is necessary to delete a module, open the Job Plugin Registration tab as when registering a new module, select the module to delete, and click Delete. When prompted, confirm the deletion.
  • Page 293: Managing The Subsystem Instances

    Part III. Managing the Subsystem Instances...
  • Page 295: Editing Configuration In The Cs.cfg File

    Chapter 12. Editing Configuration in the CS.cfg File The primary configuration file for every subsystem is its CS.cfg file. This chapter covers basic information about and rules for editing the CS.cfg file. This chapter also describes some other useful configuration files used by the subsystems, such as password and web services files. 12.1.
  • Page 296: Default Ra Instance Information

    Chapter 12. Editing Configuration in the CS.cfg File Setting Value Configuration File /etc/pki-ca/CS.cfg /etc/pki-ca/password.conf Subsystem Certificates CA signing certificate OCSP signing certificate (for the CA's internal OCSP service) SSL server certificate Audit log signing certificate Subsystem certificate Security Databases /var/lib/pki-ca/alias Log Files /var/log/pki-ca Install Logs...
  • Page 297: Default Drm Instance Information

    Default DRM Instance Information The subsystem certificate is always issued by the security domain so that domain-level operations that require client authentication are based on this subsystem certificate. Table 12.2. Default RA Instance Information 12.1.3. Default DRM Instance Information Table 12.3, “Default KRA Instance Information”.
  • Page 298: Default Tks Instance Information

    Chapter 12. Editing Configuration in the CS.cfg File Setting Value Agents Port 11443 Admin Port 11445 Tomcat Port 11701 Instance Name pki-ocsp Main Directory /var/lib/pki-ocsp Configuration Directory /etc/pki-ocsp Configuration File /etc/pki-ocsp/CS.cfg /etc/pki-ocsp/password.conf Subsystem Certificates OCSP signing certificate SSL server certificate Audit log signing certificate Subsystem certificate Security Databases...
  • Page 299: Default Tps Instance Information

    Default TPS Instance Information Setting Value Security Databases /var/lib/pki-tks/alias Log Files /var/log/pki-tks Install Logs /var/log/pki-tks-install.log Process File /var/run/pki-tks.pid Running service instance_name status lists all of the configured ports and URLs (interfaces) for the subsystem instance. The subsystem certificate is always issued by the security domain so that domain-level operations that require client authentication are based on this subsystem certificate.
  • Page 300: Shared Certificate System Subsystem File Locations

    Chapter 12. Editing Configuration in the CS.cfg File There are two ports for enrolling security officers and the one URL to access the security officer workstation UI: • One enrollment UI over a standard port, http://server.example.com:7888/cgi-bin/so/enroll.cgi • One enrollment UI over a secure (SSL) port, http://server.example.com:7889/cgi-bin/so/enroll.cgi •...
  • Page 301: Cs.cfg Files

    CS.cfg Files Directory Location Contents /var/lib/tomcat5/server/lib Contains Java archive files used by the local Tomcat web server a subsystems. Contains Apache modules shared by TPS and RA subsystems. N /usr/lib/httpd/modules /usr/lib64/httpd/modules Mozilla LDAP SDK tools shared by TPS and RA subsystems. Not /usr/lib/mozilla /usr/lib64/mozilla Table 12.7.
  • Page 302 Chapter 12. Editing Configuration in the CS.cfg File • The security domain to which the instance belongs • Subsystem certificates • Other subsystems used by the subsystem instance • Database types and instances used by the subsystem • Settings for PKI-related tasks, like the key profiles in the TKS, the certificate profiles in the CA, and the required agents for key recovery in the DRM Many of the configuration parameters (aside from the ones for PKI tasks) are very much the same between the CA, OCSP, DRM, and TKS because they all use a Java-based console, so configuration...
  • Page 303 Overview of the CS.cfg Configuration File NOTE The values for configuration parameters must be properly formatted, so they must obey two rules: • The values that need to be localized must be in UTF8 characters. • The CS.cfg file supports forward slashes (/) in parameter values. If a back slash (\) is required in a value, it must be escaped with a back slash, meaning that two back slashes in a row must be used.
  • Page 304 Chapter 12. Editing Configuration in the CS.cfg File For example, the CA has this entry for transaction logs, which allows log rotation, buffered logging, and log levels, among other settings: log.instance.Transactions._000=## log.instance.Transactions._001=## Transaction Logging log.instance.Transactions._002=## log.instance.Transactions.bufferSize=512 log.instance.Transactions.enable=true log.instance.Transactions.expirationTime=0 log.instance.Transactions.fileName=/var/log/pki-ca/transactions log.instance.Transactions.flushInterval=5 log.instance.Transactions.level=1 log.instance.Transactions.maxFileSize=2000 log.instance.Transactions.pluginName=file...
  • Page 305 Overview of the CS.cfg Configuration File auth.instance.0.attributes=mail,cn,uid auth.instance.0.attributes._001=############################################## auth.instance.0.attributes._002=# attributes will be available auth.instance.0.attributes._003=# as $auth.<attribute>$ auth.instance.0.attributes._004=############################################## auth.instance.0.authId=ldap1 auth.instance.0.baseDN=dc=example,dc=com auth.instance.0.hostport=localhost:389 auth.instance.0.libraryFactory=GetAuthentication auth.instance.0.libraryName=/usr/lib64/libldapauth.so auth.instance.0.retries=1 auth.instance.0.retryConnect=3 auth.instance.0.ssl=false auth.instance.0.type=LDAP_Authentication auth.instance.0.ui.description.en=This authenticates user against the LDAP directory. auth.instance.0.ui.id.PASSWORD.description.en=LDAP Password auth.instance.0.ui.id.PASSWORD.name.en=LDAP Password auth.instance.0.ui.id.UID.description.en=LDAP User ID auth.instance.0.ui.id.UID.name.en=LDAP User ID auth.instance.0.ui.title.en=LDAP Authentication The CA also has to have a mechanism for approving user requests.
  • Page 306 Chapter 12. Editing Configuration in the CS.cfg File ca.sslserver.tokenname=Internal Key Storage Token 12.2.2.6. Settings for Required Subsystems At a minimum, each subsystem depends on a CA, which means that the CA (and any other required subsystem) has to be configured in the subsystem's settings. Any connection to another subsystem is prefaced by conn.
  • Page 307: Editing The Configuration File

    Editing the Configuration File • The TPS and RA configure different token and certificate enrollment operations, respectively. • The TKS lists profiles for deriving keys from different key types. • The OCSP sets key information for different key sets. 12.2.3. Editing the Configuration File WARNING Do not edit the configuration file directly without being familiar with the configuration parameters or without being sure that the changes are acceptable to the server.
  • Page 308: Configuring The Password.conf

    Chapter 12. Editing Configuration in the CS.cfg File • The bind password used by the Certificate System instance to access and remove PINs from the authentication directory, if the Certificate System is configured to remove PINs from the authentication directory. •...
  • Page 309: Requiring System Password Prompts

    Requiring System Password Prompts service pki-ca start b. Monitor the Tomcat web server log file, catalina.out, and the debug log. For example: tail -f /var/log/pki-ca/catalina.out /var/log/pki-ca/debug The server process will hang as it restarts because it is waiting for the input from the default password.conf file.
  • Page 310 Chapter 12. Editing Configuration in the CS.cfg File NOTE If the password.conf file is present, the subsystem assumes that all the required passwords are present and properly formatted in clear text. If any passwords are missing or wrongly formatted, then the system will not start. For the CA, DRM, OCSP, and TKS subsystems, the expected passwords are: •...
  • Page 311 Requiring System Password Prompts # adding this line to enable password prompts NSSPassPhraseDialog builtin 12.3.3.2. Configuring Existing CA, DRM, TKS, and OCSP Instances to Prompt for Passwords Existing subsystem instances can be configured to prompt for passwords rather than using password.conf.
  • Page 312 Chapter 12. Editing Configuration in the CS.cfg File e. Remove the temporary file. rm -rf /tmp/dtomcat5-pki-old 6. Create a new HTTP init.d file for the instance. a. Copy the current httpd file in /usr/share/pki/type/etc/init.d. For example: cp /usr/share/pki/ca/etc/init.d/httpd /tmp/pki-ca-old b. Edit the copied httpd (such as /tmp/pki-ca-old) to supply the subsystem information. For example: sed -i 's/\[PKI_SUBSYSTEM_TYPE\]/ca/g' /tmp/pki-ca-old sed -i 's/\[PKI_INSTANCE_PATH\]/\/var\/lib\/pki-ca-old/g' /tmp/pki-ca-old...
  • Page 313 Requiring System Password Prompts 1. Make sure all of the Certificate System packages have been installed and updated. 2. Stop the instance. For example: service pki-tps stop 3. Back up the instance. For example: cp -R /var/lib/pki-tps-old /var/lib/pki-tps-old.bkup 4. Update the perl.conf file. a.
  • Page 314 Chapter 12. Editing Configuration in the CS.cfg File a. Create a temporary directory and copy the CGI scripts into it. mkdir /tmp/sow cp /usr/share/pki/tps/cgi-bin/sow/*.cgi /tmp/sow b. Create a temporary directory and copy the CGI scripts into it. c. Edit the CGI files, using the appropriate server root for the TPS instance. For example: pushd /tmp/sow for i in `ls *.cgi`;...
  • Page 315: Changing System Passwords

    Changing System Passwords d. Copy the file into the /etc/init.d/ directory. cp /tmp/pki-tps-old /etc/init.d e. Set the proper file owner and permissions for the file. chown pkiuser: /etc/init.d/pki-tps-old chmod 770 /etc/init.d/pki-tps-old f. Remove the temporary file. rm -rf /tmp/pki-tps-old g. Use pkiremove to remove the temporary TPS instance. 8.
  • Page 316: Configuration Files For Web Services

    Chapter 12. Editing Configuration in the CS.cfg File NOTE The TPS and RA subsystems do not have a password-quality checker. The Certificate System enforces password quality on only those passwords that it creates and manages. Passwords for LDAP directory access are not subjected to quality checks. In an LDAP directory access, the remote directory enforces the quality of the password because it is created and managed by the directory.
  • Page 317: Basic Subsystem Management

    Chapter 13. Basic Subsystem Management This chapter discusses the Certificate System administrative console, the configuration files, and other basic administrative tasks such as starting and stopping the server, managing logs, changing port assignments, and changing the internal database. 13.1. Starting and Stopping Subsystem Instances Each Certificate System subsystem instance is started, stopped, and restarted separately.
  • Page 318: Managing Subsystem Processes With Chkconfig

    /sbin/chkconfig --level 2345 dirsrv on /sbin/chkconfig --level 2345 pki-ca on Make sure the subsystem is listed with the other services. chkconfig --list | grep subsystem_name To remove the subsystem from the start list, simply turn the level to off: http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Deployment_Guide-en-US/s1-services-chkconfig.html...
  • Page 319 Managing Subsystem Processes with chkconfig chkconfig --level 35 subsystem_name off Red Hat Enterprise Linux also has a GUI console that can manage chkconfig settings. Figure 13.1. chkconfig Settings The start order of services is extremely important, or the subsystems will not function. The Directory Server and Administration Server instances used by the subsystems must be running before the subsystems can be started, and their web services (Tomcat or Apache) must be running before the subsystems are started or their web services will not function.
  • Page 320: Opening Subsystem Consoles And Services

    Chapter 13. Basic Subsystem Management Server Process Name Start Priority Shutdown Priority pki-ca pki-kra OCSP pki-ocsp pki-tks Apache httpd pki-ra pki-tps Table 13.1. Certificate System Processes and Their chkconfig Start Priority 13.2. Opening Subsystem Consoles and Services Each subsystem has different interfaces for different user types to access. All subsystems have some kind of web services page for agents, administrators, or end users (or all three), with the exception of the TKS.
  • Page 321 Finding the Subsystem Web Services Pages NOTE Anyone can access the end user pages for a subsystem, but accessing agent or admin web services pages requires that an agent or administrator certificate be issued and installed in the web browser, or authentication to the web services fails. Table 13.2, “Default Web Services Pages”...
  • Page 322: Starting The Certificate System Administrative Console

    Chapter 13. Basic Subsystem Management Port Used for SSL Used for Web Services Client Authentication 11445 Configuration 11445 Services 11445 Console Token Key Service 13180 End Entities 13444 End Entities 13443 Agents 13445 Configuration 13445 Services 13445 Console Token Processing System 7888 Enterprise Security Client Phone Home 7890...
  • Page 323: Customizing Web Services

    Customizing Web Services Pages pkiconsole https://server.example.com:admin_port/subsystem_type The subsystem_type can be ca, kra, ocsp, or tks. For example, this opens the DRM console: pkiconsole https://server.example.com:10445/kra If DNS is properly configured, then an IPv4 or IPv6 address can be used to connect to the console. For example: pkiconsole https://1.2.3.4:9445/ca pkiconsole https://[00:00:00:00:123:456:789:00:]:9445/ca...
  • Page 324 Chapter 13. Basic Subsystem Management Figure 13.2. CA End-Entities Services Page Most of the index.html file is JavaScript to dynamically create the tabs, profile lists, and menu options. The HTML markup within the script can be edited to change the logo, colors, and text. For example, this designs the top heading text and logo.
  • Page 325: Customizing Ra End-Entities

    These are in the main /var/lib/pki-ra/docroot directory. <div id="header"> <a href="http://www.redhat.com" title="Visit redhat.com for more information"><img src="/images/logo_header.gif" alt="Red Hat" id="myLogo" /></a> <div id="headertitle">...
  • Page 326: Setting Limits On Searches Through The Ca End-Entities

    Chapter 13. Basic Subsystem Management </div> <div id="account"> <dl><dt></dt><dd></dd></dl> </div> </div> Example 13.1. Default RA Header File The profile *.vm files, as with CA profiles, use a mix of HTML and JavaScript to create the interior form or index to use in the center of the page, as shown with index.vm in /var/lib/pki-ra/ Figure 13.3, “RA End-Entities Services Page”.
  • Page 327 Setting Limits on Searches through the CA End-Entities Pages service pki-ca stop 2. Open the CS.cfg file. vim /var/lib/pki-ca/conf/CS.cfg 3. Uncomment the ca.maxSearchReturns line and set the number of entries to return. # maxSearchReturns - limits number of search results returned by SearchReqs and SrchCerts # ca.maxSearchReturns=1000 4.
  • Page 328: Configuring Ports

    Chapter 13. Basic Subsystem Management 13.4. Configuring Ports The Certificate System subsystem instances listen on different ports for requests from different types of users. Four subsystems (the CA, DRM, OCSP, and TKS) listen on an agent port, an end-entity port, and an administrative port, plus a standard non-SSL port.
  • Page 329: Changing A Port Number

    Changing a Port Number ... web port ... <Server port="9701" shutdown="SHUTDOWN"> ... default standard port ... <Connector name="Unsecure" port="9180" ... /> the unsecure port definition, which is used by all services ... agent services port ... <Connector name="Agent" port="9443" ... /> ...
  • Page 330: Using A Single Ssl Port

    Chapter 13. Basic Subsystem Management <Connector port="9180" maxHttpHeaderSize="8192" # Define a SSL HTTP/1.1 Connector on port 8443 <Connector port="9443" maxHttpHeaderSize="8192" 4. Restart the subsystem. To change a port number for a TPS subsystem: 1. Stop the TPS instance. 2. Open the instance's configuration directory. cd /var/lib/subsystem_name/conf 3.
  • Page 331: Updating Existing Cas To Use End-Entity Client Authentication Ports (Avoiding Tls-Related Man-In-The-Middle Attacks)

    Updating Existing CAs to Use End-Entity Client Authentication Ports (Avoiding TLS-Related Man-in-the-Middle Attacks) 13.4.3. Updating Existing CAs to Use End-Entity Client Authentication Ports (Avoiding TLS-Related Man-in-the-Middle Attacks) NOTE These changes are not required if all clients accessing Certificate Systems are upgraded to support RFC 5746.
  • Page 332 Chapter 13. Basic Subsystem Management b. Add a section for the new port. Make sure that the clientAuth value is set to true. (The port number and serverCertNickFile and passwordFile directives should all match your instance information.) <!-- Port Separation: EE Secure Client Auth Port Connector -->...
  • Page 333 Updating Existing CAs to Use End-Entity Client Authentication Ports (Avoiding TLS-Related Man-in-the-Middle Attacks) [ "$head" == "$secure_ee_client_auth_port_statement" ] || [ "$head" == "$secure_admin_port_statement" ] || [ "$head" == "$pki_console_port_statement" ] || [ "$head" == "$tomcat_port_statement" then echo " $line" total_ports=`expr ${total_ports} + 1` done if [ ${total_ports} -eq 7 ] ;...
  • Page 334: Configuring The Ldap Database

    Chapter 13. Basic Subsystem Management dn:cn=schema changetype: modify delete: objectClasses objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager $ SecureAgentPort $ SecureAdminPort $ UnSecurePort ) X-ORIGIN 'user defined' ) add: objectClasses...
  • Page 335: Changing The Internal Database Configuration

    Changing the Internal Database Configuration The subsystems use the database for storing different objects. A Certificate Manager stores all the data, certificate requests, certificates, CRLs, and related information, while a DRM only stores key records and related data. WARNING The internal database schema are configured to store only Certificate System data. Do not make any changes to it or configure the Certificate System to use any other LDAP directory.
  • Page 336: Enabling Ssl Client Authentication With The Internal Database

    Chapter 13. Basic Subsystem Management 13.5.2. Enabling SSL Client Authentication with the Internal Database Client authentication allows one entity to authenticate to another entity by presenting a certificate. This method of authentication is used by Certificate System agents to log into agent services pages, for example.
  • Page 337 3. Set two ACIs for the Certificate System user (SSLuser), one on the data directory and one on the database plug-in instance. a. Open the Directory Server Console. redhat-idm-console b. Select the Directory tab. c. Select the instance's database, which will have a name like server.example.com-instance-name, and right-click.
  • Page 338 Chapter 13. Basic Subsystem Management b. Open the Advanced tab, and select Encryption. c. Click the View Certificates button. d. In the Your Certificates tab, select the SSLuser user certificate, and click the Backup ... button. e. Save the certificate to a file, like SSLuser.p12. 6.
  • Page 339: Restricting Access To The Internal Database

    Restricting Access to the Internal Database cd /var/lib/subsystem_name/conf 10. Open the CS.cfg file. 11. Edit the following lines to the indicated values: internaldb._000=## internaldb._001=## Internal Database internaldb._002=## internaldb.basedn=dc=server.example.com-instance_name internaldb.database=server.example.com-instance_name internaldb.maxConns=15 internaldb.minConns=3 internaldb.ldapauth.authtype=SslClientAuth internaldb.ldapauth.bindDN=cn=Directory Manager internaldb.ldapauth.bindPWPrompt=Internal LDAP Database internaldb.ldapauth.clientCertNickname=user_certificate_nickname internaldb.ldapconn.host=LDAP_host internaldb.ldapconn.port=SSL_port internaldb.ldapconn.secureConn=true internaldb.multipleSuffix.enable=false 12.
  • Page 340: Searching The Sqlite Database

    Chapter 13. Basic Subsystem Management 8. Close the Directory Server Console. 9. When the server is restarted, open the Directory Server Console for the internal database instance. The Login to Directory dialog box appears; the Distinguished Name field displays the Directory Manager DN;...
  • Page 341: Managing The Selinux Policies For Subsystems

    SELinux is a collection of mandatory access control rules which are enforced across a system to restrict unauthorized access and tampering. SELinux is described in more detail in the Red Hat Enterprise Linux documentation, such as the "Introduction to SELinux" chapter in the Red Hat Enterprise Linux Deployment Guide. http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Deployment_Guide-en-US/ch-selinux.html...
  • Page 342: About Selinux

    Chapter 13. Basic Subsystem Management 13.8.1. About SELinux Basically, SELinux identifies objects on a system, which can be files, directories, users, processes, sockets, or any other thing on a Linux host. These objects correspond to the Linux API objects. Each object is then mapped to a security context, which defines the type of object it is and how it is allowed to function on the Linux server.
  • Page 343 Viewing SELinux Policies for Subsystems 2. Open the Administration menu, and select the SELinux Management item. 3. To check the version of the Certificate System SELinux policy installed, click the Policy Module link.
  • Page 344: Backing Up And Restoring Certificate System

    Chapter 13. Basic Subsystem Management 4. To view the policies set on the individual files and processes, click the File Labeling link. To view the policies for the port assignments for the subsystems, click the Network Port link. 13.9. Backing up and Restoring Certificate System Backup and restore tools are not included with the Certificate System.
  • Page 345 Backing up and Restoring Certificate System • Security databases. The security databases store the certificate and key material. If these are stored on an HSM, then consult the HSM vendor documentation for information on how to back up the data. If the information is stored in the default directories in the instance alias directory, then it is backed up with the instance directory.
  • Page 346: Self-Tests

    Chapter 13. Basic Subsystem Management 4. Restart the subsystem instance. service pki-ca start NOTE Stop the subsystem instance before restoring the instance or the security databases. 13.10. Self-Tests The Certificate System has the added functionality to allow self-tests of the server. The self-tests are run at start up and can also be run on demand.
  • Page 347: Modifying Self-Test Configuration

    Modifying Self-Test Configuration The implemented self-tests are automatically registered and configured when the instance is installed. The self-tests that are registered and configured are those associated with the subsystem type. Self-tests are turned off or the criticality is changed by changing those settings in the CS.cfg file. To turn a self-test off, remove it from the list of self-tests.
  • Page 348 Chapter 13. Basic Subsystem Management To disable a self-test, remove it as the value of either the selftests.container.order.onDemand or selftests.container.order.startup parameters. 5. Save the file. 6. Start the subsystem.
  • Page 349: Managing Certificate System Users And Groups

    Chapter 14. Managing Certificate System Users and Groups This chapter explains how to set up authorization for access to the administrative, agent services, and end-entities pages. 14.1. About Authorization Authorization is the process of allowing access to certain tasks associated with the Certificate System. Access can be limited to allow certain tasks to certain areas of the subsystem for certain users or groups and different tasks to different users and groups.
  • Page 350: Administrators

    Chapter 14. Managing Certificate System Users and Groups • Auditors. This group is given access to view the signed audit logs. This group does not have any other privileges. • Enterprise administrators. Each subsystem instance is automatically assigned a subsystem-specific role as an enterprise administrator when it is joined to a security domain during configuration.
  • Page 351: Auditors

    Auditors Enterprise subsystem administrators are given enough privileges to perform operations on the subsystems in the domain. For example, an enterprise CA administrator has the privileges to have sub-CA certificates approved automatically during configuration. Alternatively, a security domain administrator can restrict this right if necessary. 14.2.2.
  • Page 352: Managing Users And Groups For A Ca, Ocsp, Drm, Or Tks

    Chapter 14. Managing Certificate System Users and Groups security domain, so that each subsystem can efficiently carry out interactions with other subsystems. For example, this allows OCSPs to push CRL publishing information to all CAs in the domain, DRMs to push KRA connector information, and CAs to approve certificates generated within the CA automatically.
  • Page 353: Managing Users

    Managing Users It is only possible to add users who already exist in the internal database. 5. Edit the ACLs to grant the group privileges. See Section 14.6.2, “Editing ACLs” for more information. If no ACIs are added to the ACLs for the group, the group will have no access permissions to any part of Certificate System.
  • Page 354 Chapter 14. Managing Certificate System Users and Groups 14.3.2.1. Creating Users 1. Log into the administrative console. pkiconsole https://server.example.com:admin_port/subsystem_type 2. In the Configuration tab, select Users and Groups. Click Add. 3. Fill in the information in the Edit User Information dialog. Most of the information is standard user information, such as the user's name, email address, and password.
  • Page 355 Managing Users 14.3.2.2. Changing a Certificate System User's Certificate 1. Log into the administrative console. 2. Select Users and Groups. 3. Select the user to edit from the list of user IDs, and click Certificates. 4. Click Import to add the new certificate. 5.
  • Page 356 Chapter 14. Managing Certificate System Users and Groups 1. Log into the administrative console. 2. Select Users and Groups from the navigation menu on the left. 3. Select the user from the list of user IDs, and click Delete. 4. Confirm the delete when prompted. 14.3.2.5.
  • Page 357 Managing Users The full name must be the fully qualified host name of the Certificate Manager. The group must be set to Trusted Managers so that the CA has trusted manager privileges. 4. Store the Certificate Manager's SSL client certificate in the internal database of the subsystem. a.
  • Page 358: Creating And Managing Users And Groups For An Ra

    Chapter 14. Managing Certificate System Users and Groups 14.4. Creating and Managing Users and Groups for an RA When an RA is first created, certain default users and groups with default roles are created automatically. An initial user, admin, is created with both agent and administrator roles, and two groups are created to identify agent and administrator users.
  • Page 359: Managing Ra Groups

    Managing RA Groups 14.4.1. Managing RA Groups By default, the RA has administrator and agent groups. Other groups can be configured, depending on the local demands of the PKI and network, and then the new group can be assigned to function as an administrative or agent group.
  • Page 360 Chapter 14. Managing Certificate System Users and Groups 4. Fill in the group ID and the name of the group; the name can be longer than the GID, more like a description, to help differentiate the group. 5. Click the Add New Group link at the top of the form. 6.
  • Page 361 Managing RA Groups https://server.example.com:12889/services 2. Click the Administrator Services link. 3. Click the List Groups link. 4. Click the name of the group for which to change the group membership. 5. In the group page, each current member of the group is listed, with a [Delete] link next to the name.
  • Page 362: Managing Ra Users

    Chapter 14. Managing Certificate System Users and Groups 14.4.2. Managing RA Users RAs have two distinct types of users: agents and administrators. There is a division between agent tasks and administrative tasks, even though both sets of functions are accessed through web services pages. RA agent tasks manage operations related to issuing certificates, like approving requests.
  • Page 363 Managing RA Users 5. The user details page shows the person's UID, full name, email address, and user SSL certificate.
  • Page 364 Chapter 14. Managing Certificate System Users and Groups 14.4.2.2. Creating a New User for an RA 1. Generate a new certificate for the user. All access to the RA web services pages is done through certificate-based authentication, so all RA agents and administrators must have a certificate. This Section 14.4.2.3, “Generating Agent Certificates for RA Agents”.
  • Page 365 Managing RA Users https://server.example.com:12889/services 3. Click the Administrator Services link. 4. Click the New User link. 5. Fill in the user ID, full name, and email address of the user, and paste in the base 64-encoded certificate requested in the first step (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines).
  • Page 366 Chapter 14. Managing Certificate System Users and Groups c. Click PIN Creation Request. d. Enter an appropriate UID and email address. 2. An existing agent must approve the PIN request. a. Open the agent services page.
  • Page 367 Managing RA Users b. Click List Requests. The PIN request is listed in a table with a status of OPEN. c. Click the Request ID to display the details of the request. d. Click Approve to approve the request. This generates the PIN the user will use to retrieve the certificate.
  • Page 368 Chapter 14. Managing Certificate System Users and Groups c. In the Request ID field, enter the ID of the PIN request. d. Click the value in the Import Certificate field to display the one-time PIN. e. Click Agent Enrollment again, and then click the Certificate Enrollment link. Enter the user ID and the PIN.
  • Page 369 Managing RA Users 14.4.2.4. Renewing RA Administrator Certificates Regenerating the certificate takes its original key and its original profile and request, and recreates an identical key with a new validity period and expiration date. The RA has a default administrative user that was created at the time the subsystem was created. A new certificate can be requested for this user when their original one expires, using one of the default renewal profiles.
  • Page 370 Chapter 14. Managing Certificate System Users and Groups 8. Restart the browser, and attempt to log in using the new certificate. When the browser prompts to select the certificate to use to authenticate, the new certificate should be available. 14.4.2.5. Deleting Users for an RA 1.
  • Page 371: Creating And Managing Users For A Tps

    Creating and Managing Users for a TPS 14.5. Creating and Managing Users for a TPS There are three defined roles for TPS users, which function as groups for the TPS: • Agents, who perform actual token management operations, such as setting the token status and changing token policies •...
  • Page 372: Adding Users

    Chapter 14. Managing Certificate System Users and Groups 14.5.2. Adding Users 1. Obtain a user certificate for the new user. Requesting and submitting certificates is explained in Chapter 4, Requesting, Enrolling, and Managing Certificates. IMPORTANT A TPS administrator must have a signing certificate. The recommended profile to use is Manual User Signing and Encryption Certificates Enrollment.
  • Page 373: Setting Profiles For Users

    Setting Profiles for Users 4. Select the roles to which the user belongs. The user can only see the tabs (services pages) of the roles to which he belongs. 14.5.3. Setting Profiles for Users A TPS profile is much like a CA profile; it defines rules for processing different types of tokens. The profile is assigned automatically to a token based on some characteristic of the token, like the CUID.
  • Page 374: Changing Roles For Users

    Chapter 14. Managing Certificate System Users and Groups range. Token profiles are created as other certificate profiles (as in Section 2.4.2, “Creating Custom Profiles”) in the CA profile directory and are then added to the TPS configuration file, CS.cfg, to map the CA's token profile to the token type. Section 5.4.2,
  • Page 375: Renewing Tps Agent And Administrator Certificates

    Renewing TPS Agent and Administrator Certificates 3. Click the Update button to save the new role settings. 14.5.5. Renewing TPS Agent and Administrator Certificates Regenerating the certificate takes its original key and its original profile and request, and recreates an identical key with a new validity period and expiration date.
  • Page 376: Configuring Access Control For Users For The Ca, Ocsp, Drm, And Tks

    Chapter 14. Managing Certificate System Users and Groups 2. Click the Delete button in the lower right of the edit page. 14.6. Configuring Access Control for Users for the CA, OCSP, DRM, and TKS Authorization is the mechanism that checks whether a user is allowed to perform an operation. Authorization points are defined in certain groups of operations that require an authorization check.
  • Page 377 About Access Control An ACI can have more than one group, user, or IP address by separating them with two pipe symbols (||) with a space on either side. For example: allow (read) group="Administrators" || group="Auditors" The administrative console can create or modify ACIs. The interface sets whether to allow or deny the operation in the Allow and Deny field, sets which operations are possible in the Operations field, and then lists the groups, users, or IP addresses being granted or denied access in the Syntax field.
  • Page 378: Editing Acls

    Chapter 14. Managing Certificate System Users and Groups user="BobC" || user!="JaneK" To specify all users, provide the value anybody. For example: user="anybody" It is also possible to use regular expressions to specify the user names, such as using wildcard characters like an asterisk (*). For example: user="*johnson"...
  • Page 379 Editing ACLs 3. Select the ACL to edit from the list, and click Edit. The ACL opens in the Access Control Editor window. 4. To add an ACI, click Add, and supply the ACI information. To edit an ACI, select the ACI from the list in the ACI entries text area of the ACL Editor window. Click Edit.
  • Page 380 Chapter 14. Managing Certificate System Users and Groups a. Select the allow or deny radio button from the Access field to allow or deny the operation to the groups, users, or IP addresses specified. For more information about allowing or denying Section 14.6.1, “About Access Control”.
  • Page 381: Configuring Subsystem Logs

    Chapter 15. Configuring Subsystem Logs The Certificate System subsystems create log files that record events related to activities, such as administration, communications using any of the protocols the server supports, and various other processes employed by the subsystems. While a subsystem instance is running, it keeps a log of information and error messages on all the components it manages.
  • Page 382: Log Levels (Message Categories)

    Chapter 15. Configuring Subsystem Logs Service Description Database Logs events related to activity with the internal database. HTTP Logs events related to the HTTP activity of the server. NOTE HTTP events are actually logged to the errors log belonging to the Apache se System to provide HTTP services.
  • Page 383: Buffered And Unbuffered Logging

    Buffered and Unbuffered Logging Log level Message category Description Warning These messages are warnings only and do not indicate any failur Failure; the default selection These messages indicate errors and failures that prevent the serv operation (User authentication failed or Certificate revoked) and u for system and error logs back the request it processed for a client through the same chann Misconfiguration...
  • Page 384: Log File Rotation

    Chapter 15. Configuring Subsystem Logs If the server is configured for unbuffered logging, the server flushes out messages as they are generated to the log files. Because the server performs an I/O operation (writing to the log file) each time a message is generated, configuring the server for unbuffered logging decreases performance. Setting log parameters is described in Section 15.3.1, “Configuring Logs in the Console (for the CA, OCSP, DRM, and...
  • Page 385: Transactions Log

    Transactions Log and IPv6) of the client machine that accessed the server; operations performed, such as search, add, and edit; and the result of the access, such as the number of entries returned: id_number processor - [date:time] [number_of_operations] [result] servlet: message 10439.http-13443-Processor25 - [19/May/2009:14:16:51 CDT] [11] [3] UGSubsystem: Get User Error User not found Example 15.1.
  • Page 386 Chapter 15. Configuring Subsystem Logs The message can be a return message from the subsystem or contain values submitted to the subsystem. For example, the TKS records this message for connecting to an LDAP server: [10/Jun/2009:05:14:51][main]: Established LDAP connection using basic authentication to host localhost port 389 as cn=Directory Manager The processor is main, and the message is the message from the server about the LDAP connection, and there is no servlet.
  • Page 387: Error Log

    Error Log [06/Jun/2009:14:59:38][http-9443-Processor24]: ProfileSubmitServlet: key= $request.requestor_name$ value= [06/Jun/2009:14:59:38][http-9443-Processor24]: ProfileSubmitServlet: key=$request.profileid$ value=caRAagentCert [06/Jun/2009:14:59:38][http-9443-Processor24]: ProfileSubmitServlet: key= $request.auth_token.userdn$ value=uid=RA- server.example.com-4747,ou=People,dc=server.example.com-pki-ca [06/Jun/2009:14:59:38][http-9443-Processor24]: ProfileSubmitServlet: key=$request.requestid$ value=20 [06/Jun/2009:14:59:38][http-9443-Processor24]: ProfileSubmitServlet: key= $request.auth_token.authtime$ value=1212782378071 [06/Jun/2009:14:59:38][http-9443-Processor24]: ProfileSubmitServlet: key=$request.req_x509info $ value=MIICIKADAgECAgEAMA0GCSqGSIb3DQEBBQUAMEAxHjAcBgNVBAoTFVJlZGJ1ZGNv^M bXB1dGVyIERvbWFpbjEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X^M DTA4MDYwNjE5NTkzOFoXDTA4MTIwMzE5NTkzOFowOzEhMB8GCSqGSIb3DQEJARYS^M anNtaXRoQGV4YW1wbGUuY29tMRYwFAYKCZImiZPyLGQBARMGanNtaXRoMIGfMA0G^M CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDreuEsBWq9WuZ2MaBwtNYxvkLPHcN0cusY^M 7gxLzB+XwQ/VsWEoObGldg6WwJPOcBdvLiKKfC605wFdynbEgKs0fChVk9HYDhmJ^M 8hX6+PaquiHJSVNhsv5tOshZkCfMBbyxwrKd8yZ5G5I+2gE9PUznxJaMHTmlOqm4^M HwFxzy0RRQIDAQABo4HFMIHCMB8GA1UdIwQYMBaAFG8gWeOJIMt+aO8VuQTMzPBU^M 78k8MEoGCCsGAQUFBwEBBD4wPDA6BggrBgEFBQcwAYYuaHR0cDovL3Rlc3Q0LnJl^M ZGJ1ZGNvbXB1dGVyLmxvY2FsOjkwODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBeAw^M HQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMCQGA1UdEQQdMBuBGSRyZXF1^M ZXN0LnJlcXVlc3Rvcl9lbWFpbCQ= Example 15.3.
  • Page 388: Installation Logs

    Chapter 15. Configuring Subsystem Logs [Sat Jun 20 16:28:09 2009] [debug] nss_engine_init.c(594): Enabling SSL3 [Sat Jun 20 16:28:09 2009] [debug] nss_engine_init.c(599): Enabling TLS [Sat Jun 20 16:28:09 2009] [debug] nss_engine_init.c(770): Configuring permitted SSL ciphers [-des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,- rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,- rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,- rsa_aes_128_sha,-rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha] [Sat Jun 20 16:28:09 2009] [info] Using nickname Server-Cert cert-pki-tps. Example 15.5.
  • Page 389: Self-Tests Log

    Self-Tests Log Error and access logs are created by the Apache and Tomcat web servers, which are installed with the Certificate System and provide HTTP services. The error log contains the HTTP error messages the server has encountered. The access log lists access activity through the HTTP interface. Apache (TPS and RA) Tomcat (CA, DRM, OCSP, TKS) access_log...
  • Page 390: Configuring Tps Audit Logs In The Admin Services Page

    Chapter 15. Configuring Subsystem Logs 2. The Log Event Listener Management tab lists the currently configured listeners. To create a new log instance, click Add, and select a module plug-in from the list in the Select Log Event Listener Plug-in Implementation window. 3.
  • Page 391 Configuring TPS Audit Logs in the Admin Services Page Audit logging is enabled by default for the TPS, but signed audit logging is disabled. Since the TPS does not use a Java Console, TPS audit log settings are managed by clicking the Configuring Signed Audit Logging link in the Administrator Operations tab of the HTML services page.
  • Page 392: Configuring Logs In The Cs.cfg File

    15.4. Configuring Logs in the CS.cfg File
    Along with configuring subsystem logging through the Console, logging can be configured by directly editing the CS.cfg file for the instance. This may be a convenience for the CA, OCSP, DRM, and TKS. For the RA and the TPS, this is the only way to configure logging because, with the exception of TPS audit logging, there is no way to configure logging in the RA or TPS administrator web services.
  • Page 393: Configuring Ra Logging

    Configuring RA Logging Parameter Description Table 15.9, “Signed Audit L events Specifies which events are logged to the audit log. are separated by commas with no spaces. This is for self-test logs only. This is for audit logs only. Table 15.6. Log Entry Parameters 5.
  • Page 394

    logging.debug.enable=true
    logging.debug.filename=/var/log/pki-ra/ra-debug.log
    logging.debug.level=7
    logging.error.enable=true
    logging.error.filename=/var/log/pki-ra/ra-error.log
    logging.error.level=10
    Example 15.7. RA Log Configuration
    The different logging parameters for RA logs are listed in Table 15.7, “RA Logging Parameters”.
    NOTE Certain log features that are available to the other subsystems' logs do not apply to RA logging: •...
  • Page 395: Configuring Tps Logging

    2. Edit the logging configuration. The log file parameters are listed in Table 15.7, “RA Logging Parameters”.
    logging.audit.enable=true
    logging.audit.filename=/var/log/pki-ra/ra-audit.log
    logging.audit.level=10
    logging.debug.enable=true
    logging.debug.filename=/var/log/pki-ra/ra-debug.log
    logging.debug.level=7
    logging.error.enable=true
    logging.error.filename=/var/log/pki-ra/ra-error.log
    logging.error.level=10
    3. Start the RA instance.
    service pki-ra start
    15.4.3. Configuring TPS Logging
    TPS logs, like RA logs, are configured differently than other subsystem logs.
  • Page 396

    There are additional options to configure the audit log and to enable signed audit logging that are not used with the TPS's other logs.
    logging.audit.enable=true
    logging.audit.filename=/var/log/pki-tps/tps-audit.log
    logging.audit.level=10
    logging.audit.logSigning=true
    logging.audit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING
    logging.audit.selectable.events=optional events
    logging.audit.selected.events=selected events
    logging.audit.signedAuditCertNickname=auditSigningCert cert-pki-tps
    logging.audit.signedAuditFilename=/var/log/pki-tps/signedAudit/tps_audit/audit
    logging.debug.enable=true
    logging.debug.filename=/var/log/pki-tps/tps-debug.log...
  • Page 397 Configuring TPS Logging Parameter Description logging.log_type.filename The full path to the log file, including its name. For example, /tmp/tps-debug.l logging.log_type.level The log levels. The levels range from 0 to 10. • 0 - No logging. • 4 - LL_PER_SERVER. Messages that happen only during startup or shutdown. •...
  • Page 398: Managing Signed Audit Logs

    3. Start the TPS instance.
    service pki-tps start
    15.5. Managing Signed Audit Logs
    The audit log contains records for events that have been set up as recordable events. If the logSigning attribute is set to true, the audit log is signed with a log signing certificate belonging to the server.
  • Page 399 Configuring a Signed Audit Log for a CA, OCSP, DRM, or TKS 2. In the navigation tree of the Configuration tab, select Log. 3. In the Log Event Listener Management tab, select the SignedAudit entry. 4. Click Edit/View. 5. There are three fields which must be reset in the Log Event Listener Editor window. •...
  • Page 400

    To get the audit signing certificate nickname, list the certificates in the subsystem's certificate database using certutil. For example:
    certutil -L -d /var/lib/pki-ca/alias
    Certificate Authority - Example Domain CT,c,
    subsystemCert cert-subsystem u,u,u
    Server-Cert cert-example u,u,u
    signedAuditCert cert-example u,u,u
    •...
  • Page 401: Configuring Tps Signed Audit Logging

    Configuring TPS Signed Audit Logging Event Log Messages CONFIG_SIGNED_AUDIT A change is made to the configuration settings for the signed audit feature. CONFIG_ENCRYPTION A change is made to the encryption settings, including certificate settings and SSL CONFIG_TRUSTED_PUBLIC_KEY The Certificate Setup Wizard is used to import certificates into the certificate datab CONFIG_DRM The configuration associated with a DRM changes.
  • Page 402 Chapter 15. Configuring Subsystem Logs Audit logging is enabled by default when the TPS is configured, but signed audit logging is not. Signed audit logging can be enabled in the admin services page by setting the Enable Audit Log Signing radio button to Enable.
  • Page 403: Handling Audit Logging Failures

    logging.audit.logSigning=true
    logging.audit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING
    logging.audit.selectable.events=optional events
    logging.audit.selected.events=selected events
    logging.audit.signedAuditCertNickname=auditSigningCert cert-pki-tps
    logging.audit.signedAuditFilename=/var/log/pki-tps/signedAudit/tps_audit/audit
    Example 15.9. TPS Audit Logging Config
    3. Start the TPS instance.
    service pki-tps start
    Event    Description
    logging.audit.logSigning    Sets whether to sign the audit log. The default value is false.
    logging.audit.signedAuditCertNickname    Gives the nickname of the certificate in the TPS database to use to sign the audit
    logging.audit.signedAuditFilename    Gives the full path and filename of the file to use for the signed audit log file.
  • Page 404: Signing Log Files

    Chapter 15. Configuring Subsystem Logs when the file permissions for the log file are accidentally changed. If audit logging fails, the Certificate System instance shuts down in the following manner. • Servlets are disabled and will not process new requests. •...
  • Page 405: Smart Card Error Codes

    Smart Card Error Codes 2. Select the Status tab. 3. Under Logs, select the log to view. 4. Set the viewing preferences in the Display Options section. • Entries — The maximum number of entries to be displayed. When this limit is reached, the Certificate System returns any entries that match the search request.
  • Page 406: Managing Log Modules

    Chapter 15. Configuring Subsystem Logs Return Code Description 6a86 Incorrect P1 P2 6d00 Invalid instruction 6e00 Invalid class Install Load Errors 6581 Memory Failure 6a80 Incorrect parameters in data field 6a84 Not enough memory space 6a88 Referenced data not found Delete Errors 6200 Application has been logically deleted...
  • Page 407: Deleting A Log Module

    Deleting a Log Module To register a log plug-in module with a subsystem instance: 1. Log into the Console. 2. In the Configuration tab, select Logs from the navigation tree. Then select the Log Event Listener Plug-in Registration tab. 3. Click Register. The Register Log Event Listener Plug-in Implementation window appears.
  • Page 409: Managing Subsystem Certificates

    Chapter 16. Managing Subsystem Certificates This chapter gives an overview of using certificates: what types and formats are available, how to request and create them through the HTML end-entity forms and through the Certificate System Console, and how to install certificates in the Certificate System and on different clients. Additionally, there is information on managing certificates through the Console and configuring the servers to use them.
  • Page 410 Chapter 16. Managing Subsystem Certificates 16.1.1.1. CA Signing Key Pair and Certificate Every Certificate Manager has a CA signing certificate with a public key corresponding to the private key the Certificate Manager uses to sign the certificates and CRLs it issues. This certificate is created and installed when the Certificate Manager is installed.
  • Page 411: Ra Certificates

    RA Certificates 16.1.1.4. SSL Server Key Pair and Certificate Every Certificate Manager has at least one SSL server certificate that was first generated when the Certificate Manager was installed. The default nickname for the certificate is Server-Cert cert-instance_ID, where instance_ID identifies the Certificate Manager instance. The Certificate Manager SSL server certificate was issued by the CA to which the certificate signing request was submitted, which is the Certificate Manager itself, another Certificate System CA, or a public CA.
  • Page 412 Chapter 16. Managing Subsystem Certificates subsystem certificates are made. These certificate requests are submitted to a CA (either a Certificate System CA or a third-party CA) and must be installed in the Online Certificate Status Manager database to complete the configuration process. Section 16.1.3.2, “SSL Server Key Pair and Certificate”...
  • Page 413: Data Recovery Manager Certificates

    Data Recovery Manager Certificates • If the Online Certificate Status Manager's server certificate is signed by the CA that is publishing CRLs, then nothing needs to be done. • If the Online Certificate Status Manager's server certificate is signed by the same root CA that signed the subordinate Certificate Manager's certificates, then the root CA must be marked as a trusted CA in the subordinate Certificate Manager's certificate database.
  • Page 414: Tks Certificates

    Chapter 16. Managing Subsystem Certificates NOTE The public component of the storage key pair is not certified; there is no certificate that corresponds to the public key. It is a self-signed certificate. Keys encrypted with the storage key can be retrieved only by authorized key recovery agents. 16.1.4.3.
  • Page 415: Tps Certificates

    TPS Certificates 16.1.5.2. Subsystem Certificate Every member of the security domain is issued a server certificate to use for communications among other domain members. The TKS is issued the subsystem certificate when the instance is first configured, as with its SSL certificate. The default nickname for the certificate is subsystemCert cert-instance_id.
  • Page 416: Requesting A Subsystem, Server, Or Signing Certificate Through The Console

    When an HSM is used to store certificates, then the HSM name is prepended to the certificate nickname, and the full name is used in the subsystem configuration, such as the server.xml file. For example:
    serverCert="nethsm:Server-Cert cert-pki-ca instanceID
    NOTE A single HSM can be used to store certificates and keys for multiple subsystem instances,...
  • Page 417

    5. Select the Request a certificate radio button.
    6. Choose the certificate type to request. The types of certificates that can be requested vary depending on the subsystem.
    NOTE If selecting to create an "other" certificate, the Certificate Type field becomes active. Fill in the type of certificate to create, either caCrlSigning for the CRL signing certificate or client for an SSL client certificate.
  • Page 418 Chapter 16. Managing Subsystem Certificates 7. For requests submitted through a Certificate Manager, after selecting the type of certificate, select which type of CA will sign the request: • For a CA signing certificate, the options are to use a root CA or a subordinate CA. •...
  • Page 419 Requesting a Subsystem, Server, or Signing Certificate through the Console 8. Set the key-pair information and set the location to generate the keys (the token), which can be either the internal security database directory or one of the listed external tokens. 9.
  • Page 420 Chapter 16. Managing Subsystem Certificates 10. Give the subject name. Either enter values for individual DN attributes to build the subject DN or enter the full string. NOTE For an SSL server certificate, the common name must be the fully-qualified host name of the Certificate System in the format machine_name.domain.domain.
  • Page 421 Requesting a Subsystem, Server, or Signing Certificate through the Console The default validity period is five years. 12. Only when requesting a certificate through the Certificate Manager Console submitting the request to the Certificate Manager automatically. Set the standard extensions for the certificate. The required extensions are chosen by default.
  • Page 422 Chapter 16. Managing Subsystem Certificates Figure 16.1. Setting the Certificate Extensions NOTE Certificate extensions are required to set up a CA hierarchy. Subordinate CAs must have certificates that include the extension identifying them as either a subordinate SSL CA (which allows them to issue certificates for SSL) or a subordinate email CA (which allows them to issue certificates for secure email).
  • Page 423

    • Key Usage. The digital signature (bit 0), non-repudiation (bit 1), key certificate sign (bit 5), and CRL sign (bit 6) bits are set by default. The extension is marked critical as recommended by the PKIX standard and RFC 2459.
  • Page 424 Chapter 16. Managing Subsystem Certificates Figure 16.2. Getting the Certificate Request The request is in base-64 encoded PKCS #10 format and is bounded by the marker lines -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----. For example: -----BEGIN NEW CERTIFICATE REQUEST----- MIICJzCCAZCgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBC6SAwHgYDVQQKExdOZXRzY2FwZSBDb21tdW5pY2 F0aW9uczngjhnMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyNzE5MDAwMFoXDTk5MDIyMzE5MDA wMnbjdgngYoxIDAeBgNVBAoTF05ldHNjYXBlIENvbW11bmljYXRpb25zMQ8wDQYDVQQLEwZQZW9wbGUxFz...
  • Page 425 Requesting a Subsystem, Server, or Signing Certificate through the Console AVBgoJkiaJkIsZAEBEwdzdXByaXlhMRcwFQYDVQQDEw5TdXByaXlhIFNoZXR0eTEjMCEGCSqGSIb3Dbndg JARYUc3Vwcml5Yhvfggsvwryw4y7214vAOBgNVHQ8BAf8EBAMCBLAwFAYJYIZIAYb4QgEBAQHBAQDAgCAM A0GCSqGSIb3DQEBBAUAA4GBAFi9FzyJlLmS+kzsue0kTXawbwamGdYql2w4hIBgdR+jWeLmD4CP4x -----END NEW CERTIFICATE REQUEST----- The wizard also copies the certificate request to a text file it creates in the configuration directory, which is located in /var/lib/subsystem_name/conf/. The name of the text file depends on Table 16.1, “Files Created for the type of certificate requested.
  • Page 426 Chapter 16. Managing Subsystem Certificates e. The new certificate information is shown in pretty-print format, in base-64 encoded format, and in PKCS #7 format.
  • Page 427: Renewing Subsystem Certificates

    Renewing Subsystem Certificates There are two actions that can be taken through this page: • To install this certificate on a server or other application, scroll down to the Installing This Certificate in a Server section, which contains the base-64 encoded certificate. •...
  • Page 428: Using Cross-Pair Certificates

    Subsystem certificates can be renewed directly in the end user enrollment forms, using the serial number of the original certificate.
    1. Renew the admin user certificates in the CA's end users forms, as described in Section 4.7.3.1, “Renewing Certificates through the End User Pages”.
  • Page 429: Installing Cross-Pair Certificates

    Installing Cross-Pair Certificates 16.4.1. Installing Cross-Pair Certificates Both cross-pair certificates can be imported into the Certificate System databases using the certutil tool or by selecting the Cross-Pair Certificates option from the Certificate Setup Wizard, Section 16.5.1, “Installing Certificates in the Certificate System Database”.
  • Page 430

    • Section 16.5.1.1, “Installing Certificates through the Console”
    • Section 16.5.1.2, “Installing Certificates Using certutil”
    • Section 16.5.1.3, “About CA Certificate Chains”
    16.5.1.1. Installing Certificates through the Console
    The Certificate Setup Wizard can install or import the following certificates into either an internal or external token used by the Certificate System instance: •...
  • Page 431 Installing Certificates in the Certificate System Database b. Select the type of certificate to install. The options for the drop-down menu are the same options available for creating a certificate, depending on the type of subsystem, with the additional option to install a cross-pair certificate. c.
  • Page 432: Viewing Database Content

    NOTE If the Certificate System instance's certificates and keys are stored on an HSM, then specify the token name using the -h option. For example:
    certutil -A -n "ServerCert cert-example" -t u,u,u -d . -a -i /tmp/example.cert
    For information about using the certutil command, see http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.
  • Page 433 Viewing Database Content 1. Open the subsystem console. pkiconsole https://server.example.com:admin_port/subsystem_type 2. In the Configuration tab, select System Keys and Certificates from the left navigation tree. 3. There are two tabs, CA Certificates and Local Certificates, which list different kinds of certificates.
  • Page 434: Deleting Certificates From The Database

    Certificate Authority - Example Domain CT,c,
    subsystemCert cert-pki-tks u,u,u
    Server-Cert cert-pki-tks u,u,u
    To view the keys stored in the subsystem databases using certutil, run the certutil with the -K option. For example:
    cd /var/lib/subsystem_name/alias
    certutil -K -d .
    Enter Password or Pin for "NSS Certificate DB":
    <0>...
  • Page 435: Changing The Trust Settings Of A Ca Certificate

    /var/lib/subsystem_name/alias
    2. List the certificates in the database by running the certutil with the -L option. For example:
    certutil -L -d .
    Certificate Authority - Example Domain CT,c,
    subsystemCert cert-subsystem u,u,u
    Server-Cert cert-example u,u,u
    3.
  • Page 436: Changing Trust Settings Using Certutil

    Chapter 16. Managing Subsystem Certificates 4. Select the CA certificate to modify, and click Edit. 5. A prompt opens which reads The Certificate chain is (un)trusted, are you sure you want to (un)trust it? Clicking yes changes the trust setting of the certificate chain; pressing no preserves the original trust relationship.
  • Page 437: Detecting Tokens

    16.7.1. Detecting Tokens
    To see if a token can be detected by Certificate System to be installed or configured, use the TokenInfo utility.
    TokenInfo /var/lib/pki-ca/alias
    Database Path: /var/lib/pki-ca/alias
    Found external module 'NSS Internal PKCS #11 Module'
    This utility will return all tokens which can be detected by the Certificate System, not only tokens which are installed in the Certificate System.
  • Page 439: References

    Part IV. References...
  • Page 441: Certificate Profile Input And Output Reference

    Appendix A. Certificate Profile Input and Output Reference This appendix explains both the standard certificate extensions defined by X.509 v3 and the extensions defined by Netscape that were used in versions of products released before X.509 v3 was finalized. It provides recommendations for extensions to use with specific kinds of certificates, including PKIX Part 1 recommendations.
  • Page 442: File-Signing Input

    Appendix A. Certificate Profile Input and Output Reference A.1.4. File-Signing Input The File-Signing input sets the fields to sign a file to show it has not been tampered with. This input creates the following fields: • Key Generation Request Type. This field is a read-only field displaying crmf as the request type. •...
  • Page 443: Serial Number Renewal Input

    Serial Number Renewal Input A.1.9. Serial Number Renewal Input The Serial Number Renewal Input is used to set the serial number of an existing certificate so that the CA can pull the original certificate entry and use the information to regenerate the certificate. The input inserts a Serial Number field into the enrollment form.
  • Page 444: Pkcs #7 Output

    Appendix A. Certificate Profile Input and Output Reference and this output page is returned to the user. In an agent-approved enrollment, the user can get the certificate, once it is issued, by providing the request ID in the end-entities page. A.2.2.
  • Page 445: Defaults, Constraints, And Extensions For Certificates And Crls

    Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs This appendix explains both the standard certificate extensions defined by X.509 v3 and the extensions defined by Netscape that were used in versions of products released before X.509 v3 was finalized. It provides recommendations for extensions to use with specific kinds of certificates, including PKIX Part 1 recommendations.
  • Page 446 Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs Parameter Description Method_n Specifies the access method for retrieving additional information about the CA that has issued the certificate in which the extension appears. This is one of the following values: •...
  • Page 447: Authority Key Identifier Extension Default

    Authority Key Identifier Extension Default Parameter Description example, 0:0:0:0:0:0:13.1.68.3, FF01::43, 0:0:0:0:0:0:13.1.68.3,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:25 FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000. • For OID, the value must be a unique, valid OID specified in dot-separated numeric component notation. For example, 1.2.3.4.55.6.5.99. • For RFC822Name, the value must be a valid Internet mail address.
  • Page 448: Crl Distribution Points Extension Default

    Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs Parameter Description Critical Select true to mark this extension critical; select false to mark the extension noncritical. IsCA Specifies whether the certificate subject is a CA. With true, the server checks the PathLen parameter and sets the specified path length in the certificate.
  • Page 449

    For general information about this extension, see Section B.3.5, “CRLDistributionPoints”.
    The following constraints can be defined with this default:
    • Extension Constraint; see Section B.2.3, “Extension Constraint”.
    • No Constraints; see Section B.2.6, “No Constraint”.
    This default defines up to five locations, with parameters for each location.
  • Page 450 Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs Parameter Description point. The issuer name can be in any of the following formats: • RFC822Name • DirectoryName • DNSName • EDIPartyName • URIName • IPAddress • OIDName • OtherName IssuerName_n Specifies the name format of the CRL issuer that signed the CRL.
  • Page 451: Extended Key Usage Extension Default

    Extended Key Usage Extension Default Parameter Description the IPv6 address separated by colons and the netmask separated by periods. For example, 0:0:0:0:0:0:13.1.68.3, FF01::43, 0:0:0:0:0:0:13.1.68.3,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:25 FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000. • For OIDName, the value must be a unique, valid OID specified in dot-separated numeric component notation. For example, 1.2.3.4.55.6.5.99.
  • Page 452: Freshest Crl Extension Default

    Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs Usage IPsec user 1.3.6.1.5.5.7.3.7 Timestamping 1.3.6.1.5.5.7.3.8 Table B.4. PKIX Usage Definitions for the Extended Key Usage Extension Windows 2000 can encrypt files on the hard disk, a feature known as encrypted file system (EFS), using certificates that contain the Extended Key Usage extension with the following two OIDs: 1.3.6.1.4.1.311.10.3.4 (EFS certificate) 1.3.6.1.4.1.311.10.3.4.1 (EFS recovery certificate)
  • Page 453

    • No Constraints; see Section B.2.6, “No Constraint”.
    This default defines five locations with parameters for each location. The parameters are marked with an n in the table to show with which location the parameter is associated.
    Parameter Description Critical...
  • Page 454 Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs Parameter Description • For IPAddress, the value must be a valid IP address. An IPv4 address must be in the format n.n.n.n or n.n.n.n,m.m.m.m. For example, 128.21.39.40 or 128.21.39.40,255.255.255.00. An IPv6 address uses a 128-bit namespace, with the IPv6 address separated by colons and the netmask separated by periods.
  • Page 455: Issuer Alternative Name Extension Default

    Issuer Alternative Name Extension Default Parameter Description • OtherName The value for this parameter must correspond to the value in the PointIssuerName field. Table B.6. Freshest CRL Extension Default Configuration Parameters B.1.7. Issuer Alternative Name Extension Default This default attaches the Issuer Alternative Name extension to the certificate. The Issuer Alternative Name extension is used to associate Internet-style identities with the certificate issuer.
  • Page 456: Key Usage Extension Default

    Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs Parameter Description the issuerAlternativeName, then literal string can be used without any token expression. For example, Certificate Authority. Table B.7. Issuer Alternative Name Extension Default Configuration Parameters B.1.8. Key Usage Extension Default This default attaches the Key Usage extension to the certificate.
  • Page 457: Name Constraints Extension Default

    Name Constraints Extension Default Parameter Description used for CA certificates. Select true to set the option. cRLSign Specifies whether to set the extension for CA signing certificates that sign CRLs. Select true to set. encipherOnly Specifies whether to set the extension if the public key is only for encrypting data while performing key agreement.
  • Page 458 Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs Parameter Description PermittedSubtreesmax_n Specifies the maximum number of permitted subtrees. • -1 specifies that the field should not be set in the extension. • 0 specifies that the maximum number of subtrees is zero.
  • Page 459 Name Constraints Extension Default Parameter Description rules. The name must include both a scheme, such as http, and a fully qualified domain name or IP address of the host. For example, http://testCA.example.com. Certificate System supports both IPv4 and IPv6 addresses. •...
  • Page 460 Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs Parameter Description • n must be an integer that is greater than zero. This sets the minimum number of required subtrees. ExcludedSubtreeMax_n Specifies the maximum number of excluded subtrees. • -1 specifies that the field should not be set in the extension.
  • Page 461 Name Constraints Extension Default Parameter Description • For URIName, the value must be a non-relative URI following the URL syntax and encoding rules. The name must include both a scheme, such as http, and a fully qualified domain name or IP address of the host. For example, http://testCA.example.com.
  • Page 462: Netscape Certificate Type Extension Default

    Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs B.1.10. Netscape Certificate Type Extension Default WARNING This extension is obsolete. Use the Key Usage or Extended Key Usage certificate extensions instead. This default attaches a Netscape Certificate Type extension to the certificate. The extension identifies the certificate type, such as CA certificate, server SSL certificate, client SSL certificate, or S/MIME certificate.
  • Page 463: Policy Constraints Extension Default

    The following constraints can be defined with this default:
    • Extension Constraint; see Section B.2.3, “Extension Constraint”.
    • No Constraints; see Section B.2.6, “No Constraint”.
    Parameter Description critical Select true to mark this extension critical; select false to mark the extension noncritical.
  • Page 464: Policy Mappers Extension Default

    Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs Parameter Description certificate being validated and moving up the chain. The parameter has no effect if the extension is set in end-entity certificates. inhibitPolicyMapping Specifies the total number of certificates permitted in the path before policy mapping is no longer permitted.
  • Page 465: Signing Algorithm Default

    Signing Algorithm Default Parameter Description policy statement of another CA. For example, 1.2.3.4.5. SubjectDomainPolicy_n Specifies the OID assigned to the policy statement of the subject CA that corresponds to the policy statement of the issuing CA. For example, 6.7.8.9.10. Table B.13. Policy Mappings Extension Default Configuration Parameters B.1.16.
  • Page 466 Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs entering them in the ldapStringAttributes and ldapByteAttributes fields defined in the automated enrollment modules. If authenticated attributes — meaning attributes stored in an LDAP database — need to be part of this extension, use values from the $request.X$ token.
  • Page 467 Subject Alternative Name Extension Default Policy Set Token Description $request.auth_token.userid$ The value of the user ID attribute for the user who requested the certificate. $request.uid$ The value of the user ID attribute for the user who requested the certificate. $request.profileRemoteAddr$ The IP address of the user making the request.
  • Page 468 Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs Parameter Description attribute included in the certificate request. For example, $request.requester_email$. Type Specifies the general name type for the request attribute. • Select RFC822Name if the request-attribute value is an email address in the local- part@domain format.
  • Page 469: Subject Directory Attributes Extension Default

    Parameter Description • Select OtherName for names with any other format. This supports PrintableString, IA5String, UTF8String, BMPString, Any, and KerberosName. PrintableString, IA5String, UTF8String, BMPString, and Any are a string which specifies the path to a base-64 encoded file which sets the subtree, such as /var/lib/pki-ca/othername.txt.
  • Page 470: Subject Key Identifier Extension Default

    Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs Parameter Description Enable Sets whether that attribute is able to be added to the certificate. Select true to enable the attribute. Table B.17. Subject Directory Attributes Extension Default Configuration Parameters B.1.19.
  • Page 471: Token Supplied Subject Name Default

    Token Supplied Subject Name Default B.1.21. Token Supplied Subject Name Default This default profile populates subject names based on the attribute values in the authentication token (AuthToken) object. This default plug-in works with the directory-based authentication manager. The Directory-Based User Dual-Use Certificate Enrollment certificate profile has two input parameters, UID and password.
  • Page 472: User Key Default

    Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs • If the OID of the extension is specified in both the certificate request and the default, then the extension is validated by the constraints and applied to the certificate. •...
  • Page 473: User Subject Name Default

    User Subject Name Default The following constraints can be defined with this default: • Signing Algorithm Constraint; see Section B.2.9, “Signing Algorithm Constraint”. • No Constraints; see Section B.2.6, “No Constraint”. B.1.25. User Subject Name Default This default attaches a user-supplied subject name to the certificate request. If included in the certificate profile, it allows a user to supply a subject name for the certificate, subject to the constraints set.
  • Page 474: Basic Constraints Extension Constraint

    Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs B.2.1. Basic Constraints Extension Constraint The Basic Constraints extension constraint checks if the basic constraint in the certificate request satisfies the criteria set in this constraint. Parameter Description Critical Specifies whether the extension can be marked critical or noncritical.
  • Page 475: Extended Key Usage Extension Constraint

    Extended Key Usage Extension Constraint Parameter Description if the issuer's path length is 4, the path length in the subordinate CA certificate is set to 3. Table B.20. Basic Constraints Extension Constraint Configuration Parameters B.2.2. Extended Key Usage Extension Constraint The Extended Key Usage extension constraint checks if the Extended Key Usage extension on the certificate satisfies the criteria set in this constraint.
  • Page 476 Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs Parameter Description from being set; select a hyphen, -, to indicate no constraints are placed for this parameter. nonRepudiation Specifies whether to set S/MIME signing certificates. Select true to allow this to be set; select false to keep this from being set;...
  • Page 477: No Constraint

    No Constraint Parameter Description false to keep this from being set; select a hyphen, -, to indicate no constraints are placed for this parameter. decipherOnly Specifies whether to set the extension if the public key is to be used only for deciphering data.
  • Page 478: Signing Algorithm Constraint

    Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs B.2.9. Signing Algorithm Constraint The Signing Algorithm constraint checks if the signing algorithm in the certificate request satisfies the criteria set in this constraint. Parameter Description signingAlgsAllowed Sets the signing algorithms that can be specified to sign the certificate.
  • Page 479: Unique Subject Name Constraint

    Unique Subject Name Constraint ou=engineering,ou=people or ou=engineering,o="Example Corp", the pattern is .*ou=engineering,ou=people.* | .*ou=engineering,o="Example Corp".*. NOTE For constructing a pattern which uses a special character, such as a period (.), escape the character with a backslash (\). For example, to search for the string o="Example Inc.", set the pattern to o="Example Inc\.".
  • Page 480 Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs extension. Certificates that support these extensions have the version 0x2 (which corresponds to version 3). Data: Version: Serial Number: 0x1 Signature Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5 Issuer: CN=Certificate Manager,OU=netscape,O=ExampleCorp,L=MV,ST=CA,C=US Validity: Not Before: Friday, February 21, 2005 12:00:00 AM PST America/Los_Angeles After: Monday, February 21, 2007 12:00:00 AM PST America/Los_Angeles Subject: CN=Certificate Manager,OU=netscape,O=ExampleCorp,L=MV,ST=CA,C=US Subject Public Key Info:...
  • Page 481: Authorityinfoaccess

    authorityInfoAccess 35:EA:A6:80:30:20:FF:B1:85:C8:4B:74:D9:DC:BB:50 Example B.3. Sample Pretty-Print Certificate Extensions An object identifier (OID) is a string of numbers identifying a unique object, such as a certificate extension or a company's certificate practice statement. The Certificate System comes with a set of extension-specific profile plug-in modules which enable X.509 certificate extensions to be added to the certificates the server issues.
  • Page 482: Authoritykeyidentifier

    Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs field. accessMethod specifies by OID the type and format of information about the issuer named in accessLocation. PKIX Part 1 defines one accessMethod (id-ad-caIssuers) to get a list of CAs that have issued certificates higher in the CA chain than the issuer of the certificate using the extension.
  • Page 483: Basicconstraints

    basicConstraints Criticality This extension is always noncritical and is always evaluated. B.3.3. basicConstraints This extension is used during the certificate chain verification process to identify CA certificates and to apply certificate chain path length constraints. The cA component should be set to true for all CA certificates.
  • Page 484: Extkeyusage

    Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs 2.5.29.31 Criticality PKIX recommends that this extension be marked noncritical and that it be supported for all certificates. B.3.6. extKeyUsage The Extended Key Usage extension indicates the purposes for which the certified public key may be used.
  • Page 485: Issueraltname Extension

    issuerAltName Extension Microsoft Encrypted File System 1.3.6.1.4.1.311.10.3.4 Netscape SGC 2.16.840.1.113730.4.1 Table B.30. Private Extended Key Usage Extension Uses B.3.7. issuerAltName Extension The Issuer Alternative Name extension is used to associate Internet-style identities with the certificate issuer. Names must use the forms defined for the Subject Alternative Name extension. 2.5.29.18 Criticality PKIX Part 1 recommends that this extension be marked noncritical.
  • Page 486: Nameconstraints

    Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs Table B.31, “Certificate Uses and Corresponding Key Usage Bits” summarizes the guidelines for typical certificate uses. If the keyUsage extension is present and marked critical, then it is used to enforce the usage of the certificate and key.
  • Page 487: Policyconstraints

    policyConstraints of the signing certificate). This extension is null-valued; its meaning is determined by its presence or absence. Since the presence of this extension in a certificate will cause OCSP clients to trust responses signed with that certificate, use of this extension should be managed carefully. If the OCSP signing key is compromised, the entire process of validating certificates in the PKI will be compromised for the duration of the validity period of the certificate.
  • Page 488: Privatekeyusageperiod

    Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs B.3.13. privateKeyUsagePeriod The Private Key Usage Period extension allows the certificate issuer to specify a different validity period for the private key than for the certificate itself. This extension is intended for use with digital signature keys.
  • Page 489: Subjectkeyidentifier

    subjectKeyIdentifier B.3.16. subjectKeyIdentifier The Subject Key Identifier extension identifies the public key certified by this certificate. This extension provides a way of distinguishing public keys if more than one is available for a given subject name. The value of this extension should be calculated by performing a SHA-1 hash of the certificate's DER-encoded subjectPublicKey, as recommended by PKIX.
  • Page 490 Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs • The object identifier (OID) for the extension. This identifier uniquely identifies the extension. It also determines the ASN.1 type of value in the value field and how the value is interpreted. When an extension appears in a CRL, the OID appears as the extension ID field (extnID) and the corresponding ASN.1 encoded structure appears as the value of the octet string (extnValue);...
  • Page 491 About CRL Extensions Critical: no Reason: Key_Compromise Identifier: Invalidity Date - 2.5.29.24 Critical: no Invalidity Date: Fri Jul 24 23:00:00 GMT-08:00 2009 Extensions: Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1 Critical: no Access Description: Method #0: ocsp Location #0: URIName: http://example.com:9180/ca/ocsp Identifier: Issuer Alternative Name - 2.5.29.18 Critical: no Issuer Names:...
  • Page 492 Identifier: Delta CRL Indicator - 2.5.29.27 Critical: yes Base CRL Number: 39 Identifier: Issuer Alternative Name - 2.5.29.18 Critical: no Issuer Names: DNSName: a-f8.sjc.redhat.com Identifier: Authority Key Identifier - 2.5.29.35 Critical: no Key Identifier: 50:52:0C:AA:22:AC:8A:71:E3:91:0C:C5:77:21:46:9C: 0F:F8:30:60 Identifier: CRL Number - 2.5.29.20...
  • Page 493: Standard X.509 V3 Crl Extensions Reference

    Standard X.509 v3 CRL Extensions Reference 7F:81:BB:80:99:B8:61:2A:02:C6:9C:41:2E:01:82:21: 80:82:69:52:BD:B2:AA:DB:0F:80:0A:7E:2A:F3:15:32: 69:D2:40:0D:39:59:93:75:A2:ED:24:70:FB:EE:19:C0: BE:A2:14:36:D0:AC:E8:E2:EE:23:83:DD:BC:DF:38:1A: 9E:37:AF:E3:50:D9:47:9D:22:7C:36:35:BF:13:2C:16: A2:79:CF:05:41:88:8E:B6:A2:4E:B3:48:6D:69:C6:38 B.4.2. Standard X.509 v3 CRL Extensions Reference In addition to certificate extensions, the X.509 proposed standard defines extensions to CRLs, which provide methods for associating additional attributes with Internet CRLs. These are one of two kinds: extensions to the CRL itself and extensions to individual certificate entries in the CRL.
  • Page 494 Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs Parameter Description enable Specifies whether the rule is enabled or disabled. The default is to have this extension disabled. critical Sets whether the extension is marked as critical; the default is noncritical. numberOfAccessDescriptions Indicates the number of access descriptions, from 0 to any positive integer;...
  • Page 495 Standard X.509 v3 CRL Extensions Reference 2.5.29.35 Parameters Parameter Description enable Specifies whether the rule is enabled or disabled. The default is to have this extension disabled. critical Sets whether the extension is marked as critical; the default is noncritical. Table B.33.
  • Page 496 Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs Criticality PKIX requires that this extension be critical if it exists. Parameters Parameter Description enable Sets whether the rule is enabled. By default, it is disabled. critical Sets whether the extension is critical or noncritical.
  • Page 497 Standard X.509 v3 CRL Extensions Reference Parameter Description name, similar to the subject name in a certificate. For example, CN=CACentral,OU=Research Dept,O=Example Corporation,C=US. If pointType is set to URIName, the name must be a URI; the URI must be an absolute pathname and must specify the host.
  • Page 498 Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs Parameter Description • directoryName if the name is an X.500 directory name. • dNSName if the name is a DNS name. • ediPartyName if the name is an EDI party name.
  • Page 499 Standard X.509 v3 CRL Extensions Reference Parameter Description • For iPAddress, the value must be a valid IP address specified in dot-separated numeric component notation. It can be the IP address or the IP address including the netmask. An IPv4 address must be in the format n.n.n.n or n.n.n.n,m.m.m.m.
  • Page 500 Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs Criticality PKIX requires that this extension be critical if it exists. Parameters Parameter Description enable Sets whether the extension is enabled; the default is disabled. critical Marks the extension as critical, the default, or noncritical.
  • Page 501 Standard X.509 v3 CRL Extensions Reference Parameter Description separated by commas. Leave the field blank if the distribution point contains revoked certificates with all reason codes (default). onlyContainsCACerts Specifies that the distribution point contains user certificates only if set. By default, this is not set, which means the distribution point contains all types of certificates.
  • Page 502: Netscape-Defined Certificate Extensions Reference

    Appendix B. Defaults, Constraints, and Extensions for Certificates and CRLs 2.5.29.21 Parameters Parameter Description enable Sets whether the extension rule is enabled or disabled. By default, this is enabled. critical Marks the extension as critical or noncritical. By default, this is noncritical. Table B.40.
  • Page 503 Netscape-Defined Certificate Extensions Reference 2.16.840.1.113730.13...
  • Page 505: Publishing Module Reference

    Appendix C. Publishing Module Reference Several publisher, mapper, and rule modules are configured by default with the Certificate Manager. • Section C.1, “Publisher Plug-in Modules” • Section C.2, “Mapper Plug-in Modules” • Section C.3, “Rule Instances” C.1. Publisher Plug-in Modules This section describes the publisher modules provided for the Certificate Manager.
  • Page 506: Ldapusercertpublisher

    Appendix C. Publishing Module Reference The module converts the object class of the CA's entry to a certificationAuthority, if it is not used already. Similarly, it also removes the certificationAuthority object class when unpublishing if the CA has no other certificates. During installation, the Certificate Manager automatically creates an instance of the LdapCaCertPublisher module for publishing the CA certificate to the directory.
  • Page 507: Ldapcertificatepairpublisher

    LdapCertificatePairPublisher Parameter Description Specifies the directory attribute of the mapped entry to which the Certificate Mana crlAttr deltaRevocationList;binary. Table C.5. LdapDeltaCrlPublisher Configuration Parameters C.1.6. LdapCertificatePairPublisher The LdapCertificatePairPublisher plug-in module configures a Certificate Manager to publish or unpublish a cross-signed certificate to the crossCertPair;binary attribute of the CA's directory entry.
  • Page 508: Ldapcasimplemap

    Appendix C. Publishing Module Reference • Section C.2.5, “LdapDNCompsMap” C.2.1. LdapCaSimpleMap The LdapCaSimpleMap plug-in module configures a Certificate Manager to create an entry for the CA in an LDAP directory automatically and then map the CA's certificate to the directory entry by formulating the entry's DN from components specified in the certificate request, certificate subject name, certificate extension, and attribute variable assertion (AVA) constants.
  • Page 509: Ldapdnexactmap

    LdapDNExactMap Parameter Description • Example 3: uid=$req.HTTP_PARAMS.uid, e=$ext.SubjectAlternativ In the above examples, $req takes the attribute from the certificate request, $sub name, and $ext takes the attribute from the certificate extension. Table C.8. LdapCaSimpleMap Configuration Parameters C.2.1.1. LdapCaCertMap The LdapCaCertMap mapper is an instance of the LdapCaSimpleMap module. The Certificate Manager automatically creates this mapper during installation.
  • Page 510: Ldapsubjattrmap

    Appendix C. Publishing Module Reference certificate's subject name, certificate extension, and attribute variable assertion (AVA) constants. For more information on AVAs, see the directory documentation. By default, the Certificate Manager uses mapper rules that are based on the simple mapper. During installation, the Certificate Manager automatically creates an instance of the simple mapper module, named LdapUserCertMap.
  • Page 511 LdapDNCompsMap • End-entity entries in the directory for publishing end-entity certificates. The mapper takes DN components to build the search DN. The mapper also takes an optional root search DN. The server uses the DN components to form an LDAP entry to begin a subtree search and the filter components to form a search filter for the subtree.
  • Page 512 Appendix C. Publishing Module Reference cn=Jane Doe, o=Example Corporation, c=US For the dnComps parameter, enter those DN components that the Certificate Manager can use to form the LDAP DN exactly. In certain situations, however, the subject name in a certificate may match more than one entry in the directory.
  • Page 513: Rule Instances

    Rule Instances Parameter Description If the dnComps field is empty, the server checks the baseDN field and searches th matching the filter specified by filterComps parameter values. The permissible values are valid DN components or attributes separated by comm Specifies components the Certificate Manager should use to filter entries from the filterComps values to form an LDAP search filter for the subtree.
  • Page 514: Ldapusercertrule

    Appendix C. Publishing Module Reference Parameter mapper publisher Table C.12. LdapXCert Rule Configuration Parameters C.3.3. LdapUserCertRule The LdapUserCertRule is used to publish user certificates to an LDAP directory. Parameter type predicate enable mapper publisher Table C.13. LdapUserCert Rule Configuration Parameters C.3.4.
  • Page 515: Acl Reference

    Appendix D. ACL Reference This section describes what each resource controls, lists the possible operations describing the outcome of those operations, and provides the default ACIs for each ACL resource defined. Each subsystem contains only those ACLs that are relevant to that subsystem. D.1.
  • Page 516: Common Acls

    Appendix D. ACL Reference Each ACI has to apply to specific users or groups. This is set using a couple of common flags, usually user= or group=, though there are other options, like ipaddress= which defines client-based access rather than entry-based access. If there is more than one entry, then the names are separated by a double pipe (||).
  • Page 517: Certserver.admin.certificate

    certServer.admin.certificate Operations Description modify Add, delete, and update ACL evaluators. Table D.2. certServer.acl.configuration ACL Summary D.2.2. certServer.admin.certificate Controls which users can import a certificate through a Certificate Manager. By default, this operation is allowed to everyone. The default configuration is: allow (import) user="anybody"...
  • Page 518: Certserver.auth.configuration

    Appendix D. ACL Reference Operations Description execute Process (approve, deny, or otherwise dispose of) a CA administrator certificate enrollment request. Table D.4. certServer.admin.request.enrollment ACL Summary D.2.4. certServer.auth.configuration Controls operations on the authentication configuration. allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents"...
  • Page 519: Certserver.log.configuration

    certServer.log.configuration Operations Description read View the operating environment, LDAP configuration, SMTP configuration, server statistics, encryp certificate nicknames, CA certificates, and all certificates for management. modify Modify the settings for the LDAP database, SMTP, and encryption. Import certificates, trust and un and delete certificates.
  • Page 520: Certserver.log.content

    Appendix D. ACL Reference allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody Operations Description read View the value of the expirationTime parameter. modify Modify the value of the expirationTime parameter.
  • Page 521: Certserver.registry.configuration

    certServer.registry.configuration D.2.12. certServer.registry.configuration Controls access to the administration registry, the file that is used to register plug-in modules. Currently, this is only used to register certificate profile plug-ins. allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents"...
  • Page 522: Certserver.ca.certificate

    Appendix D. ACL Reference allow (modify,read) group="Enterprise OCSP Administrators" Operations Description read View OCSP plug-in information, OCSP configuration, and OCSP stores configuration. List OCSP stores co modify Modify the OCSP configuration, OCSP stores configuration, and default OCSP store. Table D.15. certServer.admin.ocsp ACL Summary D.3.2.
  • Page 523: Certserver.ca.configuration

    certServer.ca.configuration allow (submit) group="Certificate Manager Agents" Operations Description submit Submit information about a revoked certificate from a cloned CA. Table D.18. certServer.ca.clone ACL Summary D.3.5. certServer.ca.configuration Controls operations on the general configuration for a Certificate Manager. The default configuration allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents"...
  • Page 524: Certserver.ca.crl

    Appendix D. ACL Reference Operations Description read View connector plug-in information and configuration. modify Modify connector plug-in settings. Table D.21. certServer.ca.connectorInfo ACL Summary D.3.8. certServer.ca.crl Controls access to read or update CRLs through the agent services interface. The default setting is: allow (read,update) group="Certificate Manager Agents"...
  • Page 525: Certserver.ca.ocsp

    certServer.ca.ocsp Operations Description read View user and group entries for the instance. Table D.24. certServer.ca.group ACL Summary D.3.11. certServer.ca.ocsp Controls the ability to access and read OCSP information, such as usage statistics, through the agent services interface. allow (read) group="Certificate Manager Agents" Operations Description read...
  • Page 526: Certserver.ca.request.enrollment

    Appendix D. ACL Reference allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" Operations Description read View the user and agent entries and configuration. modify Edit existing user and agent entries or create new user accounts.
  • Page 527: Certserver.ca.systemstatus

    certServer.ca.systemstatus allow (list) group="Certificate Manager Agents"|| group="Registration Manager Agents" Operations Description list Retrieve details on a range of requests. Table D.31. certServer.ca.requests ACL Summary D.3.18. certServer.ca.systemstatus Controls who can view the statistics for the Certificate Manager instance. allow (read) group="Certificate Manager Agents" Operations Description read...
  • Page 528: Certserver.ee.certificates

    Appendix D. ACL Reference Operations Description import Import a certificate into a client. Table D.34. certServer.ee.certificate ACL Summary D.3.21. certServer.ee.certificates Controls who can list revoked certificates or submit a revocation request in the end-entities page. allow (revoke,list) user="anybody" Operations Description revoke Submit a list of certificates to revoke.
  • Page 529: Certserver.ee.request.enrollment

    certServer.ee.request.enrollment allow (list) user="anybody" Operations Description list List certificate profiles. Table D.38. certServer.ee.profiles ACL Summary D.3.25. certServer.ee.request.enrollment Controls who can submit certificate requests through the enrollment forms in the end-entities page. allow (submit) user="anybody" Operations Description submit Submit a request for a new certificate. Table D.39.
  • Page 530: Certserver.job.configuration

    Appendix D. ACL Reference allow (read) user="anybody" Operations Description read Retrieve the status of a request and serial numbers of any certificates that have been issued against that r Table D.42. certServer.ee.requestStatus ACL Summary D.3.29. certServer.job.configuration Controls who can configure jobs for the Certificate Manager. allow (read) group="Administrators"...
  • Page 531: Certserver.policy.configuration

    certServer.policy.configuration Operations Description read View OCSP plug-in information, OCSP configuration, and OCSP stores configuration. List OCSP s modify Modify the OCSP configuration, OCSP stores configuration, and default OCSP store. Table D.45. certServer.ocsp.configuration ACL Summary D.3.32. certServer.policy.configuration Controls who can view and edit policy configuration used by the certificate profiles. The default setting allow (read) group="Administrators"...
  • Page 532: Certserver.ra.configuration

    Appendix D. ACL Reference allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators" Operations Description read View LDAP server destination information, publisher plug-in configuration, publisher instance configuration instance configuration, rules plug-in configuration, and rules instance configuration.
  • Page 533: Data Recovery Manager-Specific Acls

    Data Recovery Manager-Specific ACLs D.4. Data Recovery Manager-Specific ACLs This section covers the default access control configuration which applies specifically to the DRM. The DRM ACL configuration also includes all of the common ACLs listed in Section D.2, “Common ACLs”. There are access control rules set for each of the DRM's interfaces (administrative console and agents and end-entities services pages) and for common operations like listing and downloading keys.
  • Page 534: Certserver.kra.connector

    Appendix D. ACL Reference Operations Description modify Modify automatic key recovery archive configuration, agent passwords, and notification requests in queue Table D.53. certServer.kra.configuration ACL Summary D.4.4. certServer.kra.connector Controls what entities can submit requests over a special connector configured on the CA to connect to the DRM.
  • Page 535: Certserver.kra.group

    certServer.kra.group D.4.7. certServer.kra.group Controls access to the internal database for adding users and groups for the DRM instance. allow (modify,read) group="Administrators" Operations Description modify Create or edit user and group entries for the instance. read View user and group entries for the instance. Table D.57.
  • Page 536: Certserver.kra.request

    Appendix D. ACL Reference Operations Description read View the user and agent entries and configuration. modify Edit existing user and agent entries or create new user accounts. Table D.60. certServer.kra.registerUser ACL Summary D.4.11. certServer.kra.request Controls who can view key archival and recovery requests in the agents services interface. allow (read) group="Data Recovery Manager Agents"...
  • Page 537: Certserver.kra.tokenkeyrecovery

    certServer.kra.TokenKeyRecovery allow (read) group="Data Recovery Manager Agents" Operations Description read View statistics. Table D.64. certServer.kra.systemstatus ACL Summary D.4.15. certServer.kra.TokenKeyRecovery Controls who can submit key recovery requests for a token to the DRM. This is a common request for replacing a lost token. The default configuration is: allow (read,submit) group="Data Recovery Manager Agents"...
  • Page 538: Certserver.ee.crl

    Appendix D. ACL Reference Operations Description Table D.66. certServer.ca.ocsp ACL Summary D.5.2. certServer.ee.crl Controls access to CRLs through the end-entities page. allow (read,add) user="anybody" Operations Description read Retrieve and view the certificate revocation list. Add CRLs to the OCSP server. Table D.67.
  • Page 539: Certserver.ocsp.cas

    certServer.ocsp.cas D.5.5. certServer.ocsp.cas Controls who can list, in the agent services interface, all of the Certificate Managers which publish CRLs to the Online Certificate Status Manager. The default setting is: allow (list) group="Online Certificate Status Manager Agents" Operations Description list Lists all of the Certificate Managers which publish CRLs to the OCSP responder.
  • Page 540: Certserver.ocsp.group

    Appendix D. ACL Reference Operations Description Add new CRLs to those managed by the OCSP responder. Table D.73. certServer.ocsp.crl ACL Summary D.5.9. certServer.ocsp.group Controls access to the internal database for adding users and groups for the Online Certificate Status Manager instance. allow (modify,read) group="Administrators"...
  • Page 541: Certserver.tks.encrypteddata

    certServer.tks.encrypteddata There are access control rules set for the TKS's administrative console and for access by other subsystems to the TKS. D.6.1. certServer.tks.encrypteddata Controls access to the key materials and encrypted data used by the TKS to derive keys. allow (read) group="Token Key Service Manager Agents" Operations Description read...
  • Page 542: D.6.5. Certserver.tks.registeruser

    Appendix D. ACL Reference allow (read) group="Token Key Service Manager Agents" Operations Description read View the derived key set data. Table D.80. certServer.tks.keysetdata ACL Summary D.6.5. certServer.tks.registerUser Defines which group or user can create an agent user for the instance. The default configuration is: allow (modify,read) group="Enterprise CA Administrators"...
  • Page 543: Glossary

    Glossary access control The process of controlling what particular users are allowed to do. For example, access control to servers is typically based on an identity, established by a password or a certificate, and on rules regarding access control list (ACL).
  • Page 544 Glossary authentication module A set of rules (implemented as a Java™ class) for authenticating an end entity, agent, administrator, or any other entity that needs to interact with a Certificate System subsystem. In the case of typical end-user enrollment, after the user has supplied the information requested by the enrollment form, the enrollment servlet uses an authentication module associated with that form to validate the information and authenticate the user's identity.
  • Page 545 entity named in the issuer field of a certificate is always a CA. Certificate authorities can be independent third parties or a person or organization using certificate-issuing server software, such as Red Hat Certificate System. certificate-based Authentication based on certificates and public-key cryptography. See password-based authentication.
  • Page 546 Glossary certificate profile A set of configuration settings that defines a certain type of enrollment. The certificate profile sets policies for a particular type of enrollment along with an authentication method in a certificate profile. Certificate Request Message Format (CRMF) Format used for messages related to management of X.509 certificates.
  • Page 547 each other, and then store both cross-pair certificates as a certificate pair. Certificate Request Message Format (CRMF). CRMF cross-certification The exchange of certificates by two CAs in different certification hierarchies, or chains. Cross-certification extends the chain of trust certificate authority so that it encompasses both hierarchies.
  • Page 548 Glossary Recovery Manager uses the private key corresponding to the certified public key to decrypt the end entity's key before encrypting it with the storage key. decryption Unscrambling data that has been encrypted. See encryption. Data Encryption Standard (DES) A FIPS-approved cryptographic algorithm required by FIPS 140-1 and specified by FIPS PUBS 46-2.
  • Page 549 at smaller bits than RSA ciphers. For more information, see http://ietfreport.isoc.org/idref/draft-ietf-tls-ecc/. encryption: Scrambling information in a way that disguises its meaning. See decryption. encryption key: A private key used for encryption only. An encryption key and its equivalent public key, plus a signing key and its equivalent public key, dual key...
  • Page 550 Glossary JAR file: A digital envelope for a compressed collection of files organized according to the Java™ archive (JAR) format. Java™ archive (JAR) format: A set of conventions for associating digital signatures, installer scripts, and other information with files in a directory. Java™...
  • Page 551 third-party root CA. Also known as "chained CA" and by other terms used by different public CAs. manual authentication: A way of configuring a Certificate System subsystem that requires human approval of each certificate request. With this form of authentication, a servlet forwards a certificate request to a request queue after successful authentication module processing.
  • Page 552 Glossary data, even deleting or altering a single character, results in a different value. 2. The content of the hashed data cannot be deduced from the hash. operation: The specific operation, such as read or write, that is being allowed or denied in an access control instruction.
  • Page 553 public key: One of a pair of keys used in public-key cryptography. The public key is distributed freely and published as part of a certificate. It is typically used to encrypt data sent to the public key's owner, who then private key.
  • Page 554 Pretending to be someone else. For example, a person can pretend to have the email address jdoe@example.com, or a computer can identify itself as a site called www.redhat.com when it is not. Spoofing is one form of impersonation. See also misrepresentation.
  • Page 555 subject: The entity identified by a certificate. In particular, the subject field of a certificate contains a subject name that uniquely describes the certified entity. subject name: A distinguished name (DN) that uniquely describes the subject of a certificate. subordinate CA: A certificate authority whose certificate is signed by another certificate, root...
