Yast Modules For Ca Management - Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual


Field | Content
--- | ---
List of revoked certificates | Every entry contains the serial number of the certificate, the time of revocation, and optional extensions (CRL entry extensions)
Extensions | Optional CRL extensions

17.1.4 Repository for Certificates and CRLs
The certificates and CRLs for a CA must be made publicly accessible using a repository.
Because the signature protects the certificates and CRLs from being forged, the repository
itself does not need to be secured in a special way. Instead, it tries to grant the
simplest and fastest access possible. For this reason, certificates are often provided on
an LDAP or HTTP server. Find explanations about LDAP in Chapter 4, LDAP—A Directory Service
(page 29). contains information about the HTTP server.

17.1.5 Proprietary PKI
YaST contains modules for the basic management of X.509 certificates. This mainly
involves the creation of CAs, sub-CAs, and their certificates. The services of a PKI go
far beyond simply creating and distributing certificates and CRLs. The operation of a
PKI requires a well-conceived administrative infrastructure allowing continuous update
of certificates and CRLs. This infrastructure is provided by commercial PKI products
and can also be partly automated. YaST provides tools for creating and distributing
CAs and certificates, but cannot currently offer this background infrastructure. To set
up a small PKI, you can use the available YaST modules. However, you should use
commercial products to set up an "official" or commercial PKI.

17.2 YaST Modules for CA Management
YaST provides two modules for basic CA management. The primary management tasks
with these modules are explained here.
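
Section 17.1.4 relies on the CA's signature, rather than on the repository, to protect a CRL. The following added example (not part of the original manual) shows the check a client has to make with the openssl command line: it builds a throwaway CA, revokes one certificate, and then verifies a downloaded CRL and lists its revoked serial numbers. All subjects, file names and function names are constructed for the demonstration, and other.crl stands in for a CRL in the repository that the CA did not sign.

```shell
# Added example, not from the manual; subjects and file names are constructed.
# make_demo_pki DIR: throwaway CA, one issued-then-revoked certificate, the
# CA's CRL (crl.pem), and other.crl: same issuer name, signed by another key.
make_demo_pki() (
  cd "$1" || exit 1
  mkdir newcerts && : > index.txt && echo 01 > serial && echo 01 > crlnumber
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca ]
default_ca = demo
[ demo ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
crlnumber = ./crlnumber
certificate = ./ca.pem
private_key = ./ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[ pol ]
commonName = supplied
EOF
  q() { "$@" >/dev/null 2>&1; }   # run quietly, keep the exit status
  q openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=Demo CA" -keyout ca.key -out ca.pem &&
  q openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=Demo CA" -keyout other.key -out other.pem &&
  q openssl req -config ca.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=host.example" -keyout host.key -out host.csr &&
  q openssl ca -config ca.cnf -batch -in host.csr -out host.pem &&
  q openssl ca -config ca.cnf -revoke host.pem &&
  q openssl ca -config ca.cnf -gencrl -out crl.pem &&
  q openssl ca -config ca.cnf -gencrl -keyfile other.key -cert other.pem \
      -out other.crl
)
# crl_signed_by CA_CERT CRL: succeeds only if the CRL signature verifies.
crl_signed_by() {
  openssl crl -in "$2" -CAfile "$1" -noout 2>&1 | grep -q 'verify OK'
}
# crl_revoked_serials CRL: print the serial number of each revoked entry.
crl_revoked_serials() {
  openssl crl -in "$1" -noout -text | sed -n 's/^ *Serial Number: *//p'
}
```

The CA certificate passed to crl_signed_by must come from a trusted local copy, not from the same repository as the CRL, since the signature check is only as good as the key it is checked against.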
Managing X.509 Certification
163
