Managing Smart Card Ca Profiles - Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual

service pki-ra start

2.4. Managing Smart Card CA Profiles

The TPS does not generate or approve certificate requests; it sends any requests approved through
the Enterprise Security Client to the configured CA to issue the certificate. This means that the
CA actually contains the profiles to use for tokens and smart cards. The profiles to use can be
automatically assigned, based on the card type, as described in
Specified Smart Cards".
The profile configuration files are in the /var/lib/subsystem_name/profiles/ca/ directory with
the other CA profiles. The default profiles are listed in
Profile Name
Regular Enrollment Profiles
Token Device Key Enrollment
Token User Encryption Certificate Enrollment
Token User Signing Certificate Enrollment
Token User MS Login Certificate Enrollment
Temporary Token Profiles
Temporary Device Certificate Enrollment
Temporary Token User Encryption Certificate Enrollment
Temporary Token User Signing Certificate Enrollment
1
Renewal Profiles
Token User Encryption Certificate Enrollment (Renewal)
Token User Signing Certificate Enrollment (Renewal)
Renewal profiles can only be used in conjunction with the profile that issued the original certificate. There are two settings that
are beneficial:
• It is important the the original enrollment profile name does not change.
• The Renew Grace Period Constraint should be set in the original enrollment profile. This defines the amount of time before
and after the certificate's expiration date when the user is allowed to renew the certificate. There are only a few examples of
these in the default profiles, and they are mostly not enabled by default.
Table 2.5. Default Token Certificate Profiles
Managing Smart Card CA Profiles
Section 5.4, "Setting Token Types for
Table 2.5, "Default Token Certificate Profiles".
53