Overview Of Red Hat Certificate System Subsystems; How Certificates Are Used; Uses For Certificates - Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual

Chapter 1. Overview of Red Hat Certificate System Subsystems

Every common PKI operation — issuing, renewing and revoking certificates; archiving and recovering
keys; publishing CRLs and verifying certificate status — is carried out by interoperating subsystems
within Red Hat Certificate System. The functions of each individual subsystem and the way that they
work together to establish a robust and local PKI are described in this chapter.

1.1. How Certificates Are Used

Certificates have a purpose: to establish trust. Their usage varies depending on the kind of trust they
are used to ensure. Some kinds of certificates are used to verify the identity of the presenter; others
are used to verify that an object or item has not been tampered with.
The way that certificates establish identities and relationships and the processes that use certificates
are described in more detail in the overview of public-key cryptography in the Red Hat Certificate
System Deployment Guide.

1.1.1. Uses for Certificates

Section 1.1.1.1, "SSL"
Section 1.1.1.2, "Signed and Encrypted Email"
Section 1.1.1.3, "Single Sign-on"
Section 1.1.1.4, "Object Signing"
1.1.1.1. SSL
The Secure Sockets Layer (SSL) protocol governs server authentication, client authentication, and
encrypted communication between servers and clients. SSL is widely used on the Internet, especially
for interactions that involve exchanging confidential information such as credit card numbers.
SSL requires an SSL server certificate. As part of the initial SSL handshake, the server presents
its certificate to the client to authenticate the server's identity. The authentication uses public-key
encryption and digital signatures to confirm that the server is the server it claims to be. Once the
server has been authenticated, the client and server use symmetric-key encryption, which is very fast,
to encrypt all the information exchanged for the remainder of the session and to detect any tampering.
Servers may be configured to require client authentication as well as server authentication. In this
case, after server authentication is successfully completed, the client must also present its certificate
to the server to authenticate the client's identity before the encrypted SSL session can be established.
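
The two authentication modes described above, as an added example that is not part of the Red Hat manual: Python code using the standard `ssl` module that builds a server context with and without required client authentication, and audits a context for settings that leave the peer unauthenticated. The function names and finding strings are assumptions made for this illustration; certificate and key file paths are left as placeholders in comments.

```python
import ssl

def server_context(require_client_cert):
    """Server side of the handshake; optionally demand a client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # verify_mode defaults to CERT_NONE
    if require_client_cert:
        # Handshake fails unless the client presents a certificate from a trusted CA.
        ctx.verify_mode = ssl.CERT_REQUIRED
    # A deployment would also call ctx.load_cert_chain(<server cert>, <server key>)
    # and ctx.load_verify_locations(<CA that issues the client certificates>).
    return ctx

def client_context(verify_server=True):
    """Client side; verify_server=False reproduces the weak setting for comparison."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED plus hostname check
    if not verify_server:
        ctx.check_hostname = False  # has to be cleared before verify_mode can be lowered
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit(ctx, role):
    """Return findings (hypothetical wording) for a context that does not authenticate its peer."""
    findings = []
    verifies_peer = ctx.verify_mode == ssl.CERT_REQUIRED
    if role == "client":
        if not verifies_peer:
            findings.append("server certificate is not verified")
        if not ctx.check_hostname:
            findings.append("server name is not checked against the certificate")
    elif role == "server":
        if not verifies_peer:
            findings.append("client certificate is not required")
    else:
        raise ValueError("role must be 'client' or 'server'")
    # Requiring a certificate without any trust anchor rejects every peer.
    if verifies_peer and ctx.cert_store_stats()["x509"] == 0:
        findings.append("no trusted CA loaded")
    return findings

if __name__ == "__main__":
    cases = [("server, server auth only", server_context(False), "server"),
             ("server, client auth required", server_context(True), "server"),
             ("client, default", client_context(), "client"),
             ("client, verification off", client_context(False), "client")]
    for name, ctx, role in cases:
        print(name, "->", audit(ctx, role) or "ok")
```
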
1.1.1.2. Signed and Encrypted Email
Some email programs support digitally signed and encrypted email using a widely accepted protocol
known as Secure Multipurpose Internet Mail Extension (S/MIME). Using S/MIME to sign or encrypt
email messages requires the sender of the message to have an S/MIME certificate.