Using Cross-Pair Certificates - Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual

Chapter 16. Managing Subsystem Certificates
Subsystem certificates can be renewed directly in the end user enrollment forms, using the serial number of the original certificate.

1. Renew the admin user certificates in the CA's end user forms, as described in Section 4.7.3.1, "Renewing Certificates through the End User Pages". This requires the serial number of the subsystem certificate being renewed.

NOTE
It is also possible to regenerate a new certificate request using the existing keys for the subsystem certificate using certutil, as described in Section 4.7.3.2, "Renewing Certificates Using certutil".

2. Import the certificate into the subsystem's database, as described in Section 16.5.1, "Installing Certificates in the Certificate System Database". For the TPS and RA, this must be done using certutil; for the other subsystems, the certificate can be imported using certutil or the console. For example:

certutil -A -n "ServerCert cert-example" -t u,u,u -d /var/lib/pki-ca/alias -a -i /tmp/example.cert

16.4. Using Cross-Pair Certificates

In the late 1990s, as the US government began enhancing its public key infrastructure, it became apparent that branches of government with their own, separate PKI deployments still needed to be able to recognize and trust each other's certificates as if those certificates had been issued by their own CA. (Getting certificates trusted outside a network, so that external clients can use them, is a serious and not easily resolved issue for any PKI administrator.)

The US government devised a standard for issuing cross-pair certificates called the Federal Bridge Certificate Authority. These certificates are also called bridge certificates, for obvious reasons. Bridge or cross-pair certificates are CA signing certificates framed as dual certificate pairs, similar to the encryption and signing certificate pairs issued to users, except that each certificate in the pair is issued by a different CA. Each partner CA stores the other CA's signing certificate in its own database, so all of the certificates issued within the other PKI are trusted and recognized.

Bridging certificates means honoring certificates issued by a CA that is not chained to the root CA of the local PKI. By establishing trust between the Certificate System CA and another CA through a cross-pair CA certificate, the cross-pair certificate can be downloaded and used to trust the certificates issued by the other CA, just as downloading and installing a single CA certificate trusts all certificates issued by that CA.

The Certificate System can issue, import, and publish cross-pair CA certificates. A special profile must be created for issuing cross-pair certificates, and then the certificates can be requested and installed for the CA using the Certificate Wizard for the CA subsystem.

To create cross-pair certificate profiles, see Section 2.2.5, "Configuring Cross-Pair Profiles". For information on publishing cross-pair certificates, see Section 8.4, "Publishing Cross-Pair Certificates".