Chapter 16. Managing Subsystem Certificates
16.1.1.1. CA Signing Key Pair and Certificate
Every Certificate Manager has a CA signing certificate with a public key corresponding to the private
key the Certificate Manager uses to sign the certificates and CRLs it issues. This certificate is created
and installed when the Certificate Manager is installed. The default nickname for the certificate is
caSigningCert cert-instance_ID, where instance_ID identifies the Certificate Manager instance.
The default validity period for the certificate is five years.
The subject name of the CA signing certificate reflects the name of the CA that was set during
installation. All certificates signed or issued by the Certificate Manager include this name to identify the
issuer of the certificate.
The Certificate Manager's status as a root or subordinate CA is determined by whether its CA signing
certificate is self-signed or is signed by another CA, which affects the subject name on the certificates.
• If the Certificate Manager is a root CA, its CA signing certificate is self-signed, meaning the subject
name and issuer name of the certificate are the same.
• If the Certificate Manager is a subordinate CA, its CA signing certificate is signed by another CA,
usually the one that is a level above in the CA hierarchy (which may or may not be a root CA).
The root CA's signing certificate must be imported into individual clients and servers before the
Certificate Manager can be used to issue certificates to them.
NOTE
The CA name cannot be changed; changing it invalidates all previously issued certificates.
Similarly, reissuing a CA signing certificate with a new key pair invalidates all certificates
that were signed by the old key pair.
16.1.1.2. OCSP Signing Key Pair and Certificate
The key type, key size, key algorithm, and validity period provided for the CA signing key pair are
used to generate the OCSP signing key pair. The subject name of the OCSP signing certificate is
in the form cn=OCSP cert-instance_ID, and it contains extensions, such as OCSPSigning and
OCSPNoCheck, required for signing OCSP responses.
The default nickname for the OCSP signing certificate is ocspSigningCert cert-instance_ID,
where instance_ID identifies the Certificate Manager instance.
The OCSP private key, corresponding to the OCSP signing certificate's public key, is used by the
Certificate Manager to sign the OCSP responses to the OCSP-compliant clients when queried about
certificate revocation status.
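The two checks described in 16.1.1.1 and 16.1.1.2, shown as an added example that is not part of the guide or of Certificate System itself: a throw-away root CA, subordinate CA and OCSP signing certificate are generated with the openssl CLI (assumed installed), each CA certificate is classified as root or subordinate by comparing its subject and issuer names, and the OCSP signing certificate is checked for the OCSPSigning and OCSPNoCheck extensions. The DNs and the instance ID "pki-ca" are constructed values.

```shell
#!/bin/sh
# Added example, not from the Certificate System guide: builds a throw-away root CA,
# a subordinate CA and an OCSP signing certificate with the openssl CLI (assumed
# installed), then classifies the CA certificates as the guide describes
# (subject == issuer means self-signed, hence root) and checks that the OCSP
# signing certificate carries the OCSPSigning and OCSPNoCheck extensions.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

gen_certs() {
  # Root CA: self-signed, so subject and issuer are the same DN (constructed names).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1825 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Subordinate CA: its signing certificate is issued by the root one level above.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Sub CA" \
    -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/sub.ext"
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -extfile "$WORK/sub.ext" -out "$WORK/sub.pem" 2>/dev/null
  # OCSP signing certificate issued by the subordinate CA ("pki-ca" is a made-up
  # instance ID); "noCheck" is openssl's name for the OCSPNoCheck extension.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=OCSP cert-pki-ca" \
    -keyout "$WORK/ocsp.key" -out "$WORK/ocsp.csr" 2>/dev/null
  printf 'keyUsage=critical,digitalSignature\nextendedKeyUsage=OCSPSigning\nnoCheck=ignored\n' >"$WORK/ocsp.ext"
  openssl x509 -req -in "$WORK/ocsp.csr" -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ocsp.ext" -out "$WORK/ocsp.pem" 2>/dev/null
}

# Print "root" when the certificate is self-signed (subject DN equals issuer DN),
# otherwise "subordinate". The "subject="/"issuer=" prefixes are stripped first.
ca_role() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo root; else echo subordinate; fi
}

# Succeed only if the certificate has both the OCSP Signing EKU and OCSP No Check.
ocsp_ok() {
  txt=$(openssl x509 -in "$1" -noout -text)
  case "$txt" in *"OCSP Signing"*) ;; *) return 1 ;; esac
  case "$txt" in *"OCSP No Check"*) return 0 ;; *) return 1 ;; esac
}

gen_certs
echo "root.pem: $(ca_role "$WORK/root.pem")"   # root
echo "sub.pem:  $(ca_role "$WORK/sub.pem")"    # subordinate
ocsp_ok "$WORK/ocsp.pem" && echo "ocsp.pem: OCSPSigning and OCSPNoCheck present"
```

The same role check can be pointed at a real CA signing certificate exported from the instance's NSS database (for example with certutil -L -n "caSigningCert cert-instance_ID" -a) since ca_role only reads the PEM file it is given.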
16.1.1.3. Subsystem Certificate
Every member of the security domain is issued a server certificate to use for communications
with other domain members. The CA is issued its subsystem certificate when the instance is first
configured, as with its SSL certificate.
The default nickname for the certificate is subsystemCert cert-instance_id.