Changing The Restrictions For Cas On Issuing Certificates - Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual


edited in pkiconsole (since it is only available before the instance is configured). It is
possible to edit the policies for this profile in the template file before the CA is configured
using a text editor.
To modify the default in the CA signing certificate profile used by a CA:
1. If the profile is currently enabled, it must be disabled before it can be edited. Open the agent
services page, select Manage Certificate Profiles from the left navigation menu, select the
profile, and click Disable profile.
2. Open the CA Console.
pkiconsole https://server.example.com:9445/ca
3. In the left navigation tree of the Configuration tab, select Certificate Manager, then Certificate
Profiles.
4. Select caCACert, or the appropriate CA signing certificate profile, from the right window, and click
Edit/View.
5. In the Policies tab of the Certificate Profile Rule Editor, select and edit the Key Usage or
Extended Key Usage Extension Default if it exists or add it to the profile.
6. Select the Key Usage or Extended Key Usage Extension Constraint, as appropriate, for the
default.
7. Set the default values for the CA certificates. For more information, see Section B.1.8, "Key Usage
Extension Default" and Section B.1.5, "Extended Key Usage Extension Default".
8. Set the constraint values for the CA certificates. There are no constraints to be set for a Key
Usage extension; for an Extended Key Usage extension, set the appropriate OID constraints for
the CA. For more information, see Section B.1.5, "Extended Key Usage Extension Default".
9. When the changes have been made to the profile, log into the agent services page again, and
re-enable the certificate profile.
For more information on modifying certificate profiles, see Section 2.2, "Setting up Certificate Profiles"
and the Certificate System Agent's Guide.
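
An offline check for the profile template edited in the procedure above, as an added example that is not part of this manual or of Certificate System: it parses a constructed profile in key=value form and reports Key Usage defaults that do not suit a CA signing certificate. The class ids, parameter names and the required-bits policy are assumptions of this example, not values quoted from this page.

```python
# Constructed sample in the key=value layout of a certificate profile file.
# The set name, policy numbers, class ids and parameter names are assumptions.
SAMPLE_PROFILE = """\
policyset.caCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
policyset.caCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.caCertSet.6.default.params.keyUsageCritical=true
policyset.caCertSet.6.default.params.keyUsageKeyCertSign=true
policyset.caCertSet.6.default.params.keyUsageCrlSign=false
policyset.caCertSet.6.default.params.keyUsageKeyEncipherment=true
"""
# Assumed policy for this example, not a rule stated on this page.
CA_REQUIRED = ("keyUsageKeyCertSign", "keyUsageCrlSign")
CA_REVIEW = ("keyUsageKeyEncipherment", "keyUsageDataEncipherment", "keyUsageKeyAgreement")

def parse_defaults(text):
    """Map (policy set, policy id) to the class id and params of its default."""
    defaults = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        parts = key.strip().split(".")
        # Keep only policyset.<set>.<id>.default.class_id and ...default.params.<name>
        if len(parts) < 5 or parts[0] != "policyset" or parts[3] != "default":
            continue
        entry = defaults.setdefault((parts[1], parts[2]), {"class_id": None, "params": {}})
        if parts[4] == "class_id":
            entry["class_id"] = value.strip()
        elif parts[4] == "params" and len(parts) == 6:
            entry["params"][parts[5]] = value.strip()
    return defaults

def audit_ca_key_usage(text):
    """Return findings for the Key Usage default of a CA signing profile."""
    entries = [e for e in parse_defaults(text).values()
               if e["class_id"] == "keyUsageExtDefaultImpl"]
    if not entries:
        return ["no Key Usage Extension Default in profile"]
    findings = []
    for entry in entries:
        on = {k for k, v in entry["params"].items() if v.lower() == "true"}
        if "keyUsageCritical" not in on:
            findings.append("Key Usage extension is not marked critical")
        findings += [f"{bit} is not set" for bit in CA_REQUIRED if bit not in on]
        findings += [f"{bit} is set; review" for bit in CA_REVIEW if bit in on]
    return findings

if __name__ == "__main__":
    print("\n".join(audit_ca_key_usage(SAMPLE_PROFILE)))
```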

2.6.2. Changing the Restrictions for CAs on Issuing Certificates

The restrictions on the certificates issued are set by default after the subsystem is configured. These
include:
• Whether certificates can be issued with validity periods longer than the CA signing certificate. The
default is to disallow this.
• The signing algorithm used to sign certificates.
• The serial number range the CA is able to use to issue certificates.
Subordinate CAs have constraints for the validity periods, types of certificates, and the types of
extensions which they can issue. It is possible for a subordinate CA to issue certificates that violate
these constraints, but a client authenticating a certificate that violates those constraints will not accept