Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual page 5

5.1. Configuring TPS Smart Card Operations ............................................................ 127
5.1.1. Configuring Format Operations ............................................................... 127
5.1.2. Configuring TPS Enrollment Operations .................................................. 128
5.1.3. Configuring TPS Renewal Operations ..................................................... 133
5.1.4. Configuring the PIN Reset Operation ...................................................... 134
5.1.5. Configuring the Applet Update Operation ................................................. 135
5.2. Allowing Token Renewal ................................................................................... 136
5.3. Changing the Token Policy ................................................................................ 137
5.4. Setting Token Types for Specified Smart Cards .................................................. 139
5.4.1. Default Token Types .............................................................................. 139
5.4.2. Mapping Token Types to Smart Card Operation Profiles ........................... 139
5.4.3. Example: Token Mapping with Two Different Token Types ......................... 141
5.5. Automating Encryption Key Recovery ................................................................ 143
5.5.1. Configuring Enrollment for Replacement Tokens ...................................... 143
5.5.2. Configuring Key Generation for Temporary Tokens ................................... 144
5.6. Managing Shared Keys ..................................................................................... 145
5.6.1. Generating Master Keys ......................................................................... 145
5.6.2. Generating and Transporting Wrapped Master Keys ................................. 146
5.6.3. Using HSM for Generating Keys ............................................................. 149
5.6.4. Updating Master Key Versions and Associating the Master Key with Its
Version ........................................................................................................... 151
5.6.5. Configuring Symmetric Key Changeover ................................................. 152
5.7. Configuring the TPS ......................................................................................... 154
5.7.1. Enabling SSL for TPS-Enterprise Security Client Connections ................... 154
5.7.2. Configuring the Channels between the TPS and Tokens ........................... 156
5.7.3. Configuring or Disabling LDAP Authentication .......................................... 157
5.7.4. Configuring the Token Database ............................................................. 159
5.7.5. Configuring Server-Side Key Generation and Archival of Encryption Keys .. 160
5.7.6. Configuring IPv6 Support ....................................................................... 163
5.8. Scaling the TPS and Its Support Subsystems ..................................................... 163
5.8.1. Configuring Failover Support .................................................................. 164
5.8.2. Configuring Multiple Support Subsystem Instances for Different Functions
........................................................................................................................ 166
5.9. Potential Token Operation Errors ....................................................................... 167
6. Revoking Certificates and Issuing CRLs
6.1. About Revoking Certificates .............................................................................. 169
6.1.1. User-Initiated Revocation ........................................................................ 171
6.1.2. Reasons for Revoking a Certificate ......................................................... 171
6.1.3. CRL Issuing Points ................................................................................ 171
6.1.4. Delta CRLs ............................................................................................ 172
6.1.5. Publishing CRLs .................................................................................... 172
6.1.6. Certificate Revocation Pages .................................................................. 172
6.2. CMC Revocation .............................................................................................. 172
6.2.1. Setting up CMC Revocation ................................................................... 173
6.2.2. Testing CMC Revoke ............................................................................. 173
6.3. Issuing CRLs .................................................................................................... 174
6.3.1. Configuring Issuing Points ...................................................................... 175
6.3.2. Configuring CRLs for Each Issuing Point ................................................. 176
6.3.3. Setting CRL Extensions ......................................................................... 180
6.3.4. Setting a CA to Use a Different Certificate to Sign CRLs ........................... 181
6.4. Setting Full and Delta CRL Schedules ............................................................... 182
169
v