Red Hat CERTIFICATE SYSTEM 7.2 - AGENT GUIDE, Manual

Page 1: ...Red Hat Certificate System Agent Guide 7 2 ...

Page 2: ...e distributed only subject to the terms and conditions set forth in the Open Publication License V1 0 or later the latest version is presently available at http www opencontent org openpub Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder Distribution of the work or derivative of the work in any standard paper boo...

Page 3: ......

Page 4: ...file 17 5 5 Disapproving a Certificate Profile 17 3 CA Handling Certificate Requests 19 1 Managing Requests 19 2 Listing Certificate Requests 20 2 1 Selecting a Request 22 2 2 Searching Requests 23 3 Approving Requests 24 4 Sending an Issued Certificate to the Requester 25 4 CA Finding and Revoking Certificates 28 1 Basic Certificate Listing 28 2 Advanced Certificate Search 29 3 Examining Certific...

Page 5: ...en 58 3 3 Listing Token Certificates 58 3 4 Conflicting Token Certificate Status Information 59 3 5 Showing Token Activities 59 4 Listing and Searching Certificates 60 5 Searching Token Activities 61 6 Administrator Operations 62 6 1 Showing Token Activities 63 6 2 Editing the Token 63 6 3 Deleting the Token 64 Index 65 Red Hat Certificate System Agent Guide 7 2 v ...

Page 6: ...following topics Encryption and decryption Public keys private keys and symmetric keys Digital signatures The role of digital certificates in a public key infrastructure PKI Certificate hierarchies SSL cipher suites The purpose of and major steps in the SSL handshake 3 What Is in This Guide This guide describes the duties of the agents for the different Certificate System subsystems and explains b...

Page 7: ...nistrative functions for the Certificate System such as adding users creating and renewing certificates managing smart cards publishing CRLs and modifying subsystem settings like port numbers Certificate System Command Line Tools Guide provides detailed information on Certificate System tools such as pkicreate tksTool and other Certificate System specific utilities used to manage Certificate Syste...

Page 8: ...or automatically based on customizable profiles Publishing tasks can be performed by the Certificate Manager only The Certificate Manager also has a built in OCSP service enabling OC SP compliant clients to query the Certificate Manager directly about the revocation status of a certificate that it has is sued In certain PKI deployments it might be convenient to use the Certificate Manager s built ...

Page 9: ...trators agents and end entities Administrators are responsible for the initial setup and ongoing maintenance of the subsystems Administrators can designate users with spe cial privileges agents for each subsystem Agents manage day to day interactions with end entities which can be users or servers and clients and other aspects of the PKI End entities must access a Certificate Manager subsystem to ...

Page 10: ...s list tokens from the token database edit token in formation delete tokens from the token database and mark tokens as permanently lost temporarily lost or damaged There is no direct TKS agent interface for TKS agents to interact with the system However configured TKS agents are capable of providing the secure communications channel through the TPS server required for smart card operations through...

Page 11: ...their own certificates be revoked See Section 4 Revoking Certificates Updating the CRL The Certificate Manager maintains a public list of revoked certificates called the certificate revocation list CRL The list is usually maintained automatically but when necessary the Certificate Manager agent services page can be used to update the list manually See Section 5 2 Updating the CRL Publishing certif...

Page 12: ...he authorization of one or more recovery agents The DRM administrator designates recovery agents Typically several recovery agents are required to approve key recovery requests in the DRM so DRM admin istrators should designate more than one agent For more information on these tasks see Chapter 6 DRM Recovering Encrypted Data 2 3 Online Certificate Status Manager Agent Services The default entry p...

Page 13: ...tus Manager Submitting requests for the revocation status of a certificate to the Online Certificate Status Manager For more information on these tasks see Chapter 7 OCSP Agent Services 2 4 TPS Agent Services The TPS agent services page allows operations by two types of users both agents and administrators The default entry page to the TPS agent services is shown in Figure 1 5 TPS Agent Services P...

Page 14: ... by user ID or token CUID Listing and searching certificates associated with enrolled tokens Searching token operations by CUID Editing token information Setting the token status The TPS agent services page also has a tab to allow operations from TPS administrators 2 4 TPS Agent Services 7 Chapter 1 Agent Services ...

Page 15: ...ist certificates within a range of serial numbers the list of returned certi ficates can be limited to valid certificates For instructions on using this form see Section 1 Basic Certificate List ing Search for Certificates Certificate Manager Used by Certificate Manager agents to search for and list Certificate System issued certificates by subject name cer tificate type the state of the certifica...

Page 16: ...CA to the OCSP Add Certificate Revocation List Online Certificate Status Manager Used to add a CRL to the Online Certificate Status Man ager s internal database For instructions see Section 3 Adding a CRL to the OCSP Check Certificate Status Online Certificate Status Man ager Used to check the status of OCSP service requests sent by OCSP compliant clients For instructions see Section 4 Checking th...

Page 17: ...f a CA is installed on a host named server example com running on port 9443 the agent services interface is opened using the following URL https server example com 9443 ca agent ca There is also a services page for each subsystem The URL for the services page would be like the following https server example com 9443 ca services The services page has links to the all of the HTML pages for the subsy...

Page 18: ...here Check with the Certificate System administrator for information on the local installation 4 Accessing Agent Services 11 Chapter 1 Agent Services ...

Page 19: ...issuing certific ates Profile constraints include rules like requiring the certificate subject name to have at least one CN component setting the validity of a certificate to a maximum of 360 days or requiring that the subjectaltname extension always be set to true Profile outputs Profile outputs are parameters and values that specify the format in which to issue the certificate to the end entity ...

Page 20: ...ng Certificate Enrollment This certificate profile is for enrolling Certificate Manager certificates CA signing certificates caOCSPCert Manual OCSP Manager Signing Certi ficate Enrollment This certificate profile is for enrolling OCSP Manager certificates OCSP signing certificates caTransportCert Manual Data Recovery Manager Transport Certificate Enrollment This certificate profile is for enrollin...

Page 21: ...put uses the following form fields UID The user ID of the user in the LDAP directory Email The email address of the user Common name The name of the user Organizational unit The organizational unit to which the user belongs Organization The organization name Country The country where the user is located Requester This input uses the following form fields Requester name The name of the certificate ...

Page 22: ...ty true Digital Signature true Non Repudiation true Key Encipherment true Data Encipherment false Key Agreement false Key Certificate Sign false Key CRL Sign false Encipher Only false Decipher Only false Accepts the Key Usage extension if present only when the default values are set set7 Extended Key Usage Populates an Extended Key Usage extension to the request The de fault values are Critical it...

Page 23: ...tificate profile The enrollment page for the certificate profile in the end entities page is dynamically generated from the inputs defined for the certificate profile If an authentication plug in is configured additional fields may be added that are needed to authenticate the user with that authentication method A manual enrollment is a request when no authentication plug in is configured When the...

Page 24: ...s a policy information section which shows a table for each policy set A certificate profile usually has one policy set If the enrollment is for dual key pairs then there are two policy sets one for the signing key and one for the en cryption key The policy set defines all of the defaults and constraints that have been set for the requested certificate For dual key pairs two certificates are reque...

Page 25: ...ck the Disapprove button at the bottom of the page NOTE It is only possible to disable a certificate profile after it has been approved Once a certificate profile is disabled it is no longer available in the end entities page for end entities to use to enroll for certificates 5 5 Disapproving a Certificate Profile 18 Chapter 2 CA Working with Certificate ...

Page 26: ...cate request is rejected Cancel the request A request can be canceled manually but requests can never be canceled automatically Users do not receive automatic notification of canceled requests Cancellation can be useful if the user has left the company since submitting the request or if the user has already been contacted about a problem with the certificate request and therefore does not need not...

Page 27: ...nding completed canceled or rejected Three types of requests can be in the queue Certificate enrollment requests Certificate renewal requests Certificate revocation requests A Certificate Manager agent must review and approve manual enrollment requests Certificate requests that require review have a status of pending To see a list of requests do the following 2 Listing Certificate Requests 20 Chap...

Page 28: ...s by selecting one of the options in the Request status menu Show pending requests These are enrollment requests that have not yet been processed but are waiting for manual review Show canceled requests These are requests that have been manually canceled by an agent Users do not receive automatic notification of canceled requests Cancellation can be useful if the user has left the company since su...

Page 29: ...quests beginning with the starting sequence number that matches the specified criteria 7 Click Find to display the list of requests that match the specified criteria Figure 3 3 Request Queue 2 1 Selecting a Request To select a request from the queue do the following 1 On the agent services page click List Requests specify search criteria and click Find to display a list of certificate signing requ...

Page 30: ... Requests category These criteria include the following Searching by Request ID Range An agent can perform searches on the request queue To perform searches by request ID range select the Show requests that fall within the following range option and enter the lowest and highest re quest ID Searching by Request Status To search by request status select the Show requests that are of status option an...

Page 31: ...ic information about the request Certificate Profile Information Lists the certificate profile being used along with basic information about that certificate profile Certificate Profile Inputs Lists the inputs contained in the enrollment form for this certificate profile as well as the values set by the requester Policy Information Lists the policies that apply to this certificate profile includin...

Page 32: ... copy to install locally Users install user certificates such as agent certificates in client software Server administrators in stall servers certificates in the servers that they manage Depending on how the Certificate System is configured an end user who requests a certificate might receive automatic email notification of the success of the request this email message contains either the certific...

Page 33: ...ody and send the message To deliver a new client certificate to the requester note the serial number of the approved request and do the following 1 Open to the agent services page click List Requests in the left frame enter the serial number for the approved re quest and click Find 2 In the Request Queue form click Details beside the relevant request Right click the certificate serial number and c...

Page 34: ... agent services page in the email message along with the certificate serial number and instruct the user to do following 1 Click the Retrieval tab The List Certificates form should appear 2 Enter the serial number of the certificate in both serial number fields 3 Click Find 4 When the Search Results form appears click Details 5 When the certificate appears scroll down to the bottom of the form and...

Page 35: ...ly those that are currently valid To find a specific certificate or to list certificates by serial number do the following 1 Open the Certificate Manager agent services page 2 Click List Certificates Figure 4 1 List Certificates To find a certificate with a specific serial number enter the serial number in both the upper limit and lower limit fields of the List Certificates form in either decimal ...

Page 36: ...ng the criteria are displayed 5 Click Find The Certificate System displays a list of the certificates that match the search criteria Select a certificate in the list to examine it in more detail or perform various operations on it For more information refer to Section 3 Examining Certificates 2 Advanced Certificate Search Search for certificates by more complex criteria than serial number using th...

Page 37: ...mal number such as 0x2A Serial numbers are displayed in hexadecimal form in the Search Results and Details pages To find all certificates within a range of serial numbers enter the upper and lower limits of the serial number range in decimal or hexadecimal Leaving either the lower limit or upper limit field blank returns all certific ates before or after the number specified Status Selects certifi...

Page 38: ...e or expire during a particular period For example an agent can list all certificates that became valid on June 1 2003 or that expired between January 1 2006 and June 1 2006 It is also possible to list certificates that have a validity period of a certain length of time such as all certificates that are valid for less than one month To list certificates that become effective or expire within a tim...

Page 39: ...single character and an asterisk to match an arbitrary string of characters NOTE Placing a single asterisk in a search field means that the component must be in the certificate s subject name but may have any value Leave the field blank if it does not matter if the field is present 6 After entering the search criteria scroll to the bottom of the form and enter the number of certificates matching t...

Page 40: ... not shown scroll to the bottom of the list specify an additional number of certificates to be returned and click Find The system displays the next certificates up to that number that match the original search criteria 3 After selecting a certificate click the Details button at the left side of its entry 4 The Certificate page shows the detailed contents of the selected certificate and instruction...

Page 41: ...e Revoke Certificates button While the search is similar to the one through the Search for Certificates form the Search Results form returned by this search of fers the option of revoking one or all of the returned certificates 4 1 Searching for Certificates to Revoke To search for one or more certificates to revoke do the following 1 Open the Certificate Manager agent services page 2 Click Revoke...

Page 42: ... way to undo it 4 2 1 Revoking One Certificate To revoke a single certificate do the following 1 On the Certificate Manager s agent services page click Revoke Certificates specify search criteria and click Find to display a list of certificates 2 On the Search Results form select the certificate to revoke If a desired certificate is not shown scroll to the bottom of the list specify an additional ...

Page 43: ...number shown on the button is the total number of certificates returned by the search This is usually a larger number than the num ber of certificates displayed on the current page 3 Verify that all of the certificates returned by the search should be revoked not only those displayed on the current page 4 Click Revoke ALL Certificates at the bottom of the form 5 Confirm the certificates to be revo...

Page 44: ... date The invalidity date is the date which it is known or suspected that the user s private key was compromised or that the certificate became invalid A set of drop down lists allows the agent to select the correct in validity date 3 Select a reason for the revocation The reason applies to all the listed certificates The different reasons are as follows Key compromised CA key compromised Affiliat...

Page 45: ...created multiple issuing points these are listed in the Issuing point drop down list Otherwise only the master CRL is shown 4 Choose how to display the CRL by selecting one of the options from the Display Type menu The choices on this menu are as follows Cached CRL Views the CRL from the cache rather than from the CRL itself This option displays results faster than viewing the entire CRL Entire CR...

Page 46: ...enerates a 128 bit message digest Most existing software applications that handle certificates support only MD5 This is the default algorithm MD2 with RSA generates a 128 bit message digest Before selecting an algorithm make sure that the Certificate System has that algorithm enabled The Certificate Sys tem administrator will have that information 4 To examine the CRL before updating it click Disp...

Page 47: ...e Certificate System to publish to the Directory Server see the Certificate System Administration Guide 2 Manual Directory Updates The LDAP publishing directory usually does not need certificate data updated manually because most updates are auto matic However it may be necessary to update the LDAP publishing directory manually in the following situations The publishing Directory Server is down fo...

Page 48: ...e publishing directory select Remove expired certificates from the dir ectory To remove a range of certificates instead of all expired certificates specify the range of the serial numbers of those certificates To remove revoked certificates from the publishing directory select Remove revoked certificates from the dir ectory If you want to remove a range of certificates instead of all revoked certi...

Page 49: ... Choose the type of requests to see from the Request type menu There are three request types Show Key Archivals requests Show Key Recovery requests Show Token Key requests Show all requests 4 Select the status of requests from the Request status menu Show canceled requests Unless the system is specially configured to allow requests to be canceled there are no canceled requests Show rejected reques...

Page 50: ...ey can then be recovered and used to read the data A DRM agent manages key recovery through the DRM agent services page Archived keys can be searched to view the details or to initiate a key recovery Once a key recovery is initiated a minimum number of designated DRM agents are re quired to authorize the recovery NOTE This section describes how to recover keys that are not stored on a smart card F...

Page 51: ...o find all keys within a range of key identifiers enter the upper and lower limits of the key identifier range in decimal or hexadecimal form Leaving either the lower limit or upper limit field blank displays all keys before or after the number specified Certificate Finds the archived key that corresponds to a specific public key Select the check box and paste the certificate containing the base 6...

Page 52: ...ith the Recover Keys button there is the additional option of recovering any key returned by the search Figure 6 2 Search Results Page 5 In the Search Results form select a key If a desired key is not shown scroll to the bottom of the list and use the arrows to move to another page of search res ults 6 Click the ID number next to the selected key The details of the selected key are shown in the Ke...

Page 53: ...ervices page click Recover Keys specify search criteria and click Show Key to display a list of archived keys 2 In the Search Results form select a key If a desired key is not shown scroll to the bottom of the list and select Next or Previous for another page of search results 3 Click Recover next to the selected key The key details are displayed in the Authorize Key Recovery form where the agent ...

Page 54: ...ertificate nickname for the archived key 6 Paste the base 64 encoded certificate corresponding to the archived key into the text area The certificate can be searched and viewed through the Certificate Manager agent services pages If the archived key was found through the corresponding public key the certificate information is automatically trans ferred to the form 7 Click Recover to initiate the k...

Page 55: ...very authorization request number d Select Examine to examine the key being recovered e Select Grant to complete the key recovery 9 Once all agents have authorized the recovery then the agent who initiated the key recovery request is given a link download import the PKCS 12 file 10 When selecting the PKCS 12 file a dialog box appears Specify the path and filename to save the encrypted file con tai...

Page 56: ...he OCSP must have its CA signing certificate stored in the internal database of the OCSP For instructions refer to Section 2 Identifying a CA to the OCSP The list of Certificate Managers currently recognized by the OCSP can be viewed at any time To see the list of Certificate Managers do the following 1 Open the OCSP agent services page 2 In the left frame click List Certificate Authorities Figure...

Page 57: ...is ex ample BEGIN CERTIFICATE MIIB DCCAaagAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMRwwGgYDVQQKExNTZmJh eSBSZWRoYXQgRG9tYWluMREwDwYDVQQLEwgxMDI3cm9vdDEeMBwGA1UEAxMVQ2Vy dGlmaWNhdGUgQXV0aG9yaXR5MB4XDTA2MTAyNzE2MTkyM1oXDTA4MTAxNjE2MTky M1owUTEcMBoGA1UEChMTU2ZiYXkgUmVkaGF0IERvbWFpbjERMA8GA1UECxMIMTAy N3Jvb3QxHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTBcMA0GCSqGSIb3 DQEBAQUAA0sAMEgCQQDXA7qzGv1LJNxEvlHkDKvLjr Og...

Page 58: ...n about the Certificate Manager that was added NOTE If the deployment contains chained CAs such as a root CA and then several subordinate CAs add each CA certi ficate separately to the OCSP responder 3 Adding a CRL to the OCSP If a situation arises when a Certificate Manager is unable to publish its CRL to the OCSP it is possible to add a CRL manually to the OCSP internal database To add a CRL to ...

Page 59: ...ecking the Revocation Status of a Certificate The revocation status of a certificate is checked by submitting the certificate in its base 64 encoded format to the OCSP as follows 1 Copy the base 64 encoded certificate including the BEGIN CERTIFICATE and END CER TIFICATE marker lines to the clipboard or a text file The certificate looks similar to this example BEGIN CERTIFICATE MIICGDCCAcKgAwIBAgIB...

Page 60: ...5 Click Check The next page shows the status of the certificate that was submitted 4 Checking the Revocation Status of a Certificate 53 Chapter 7 OCSP Agent Services ...

Page 61: ...additional agents by creating new user entries in the LDAP database For more in formation on creating users in the Red Hat Directory Server see the Directory Server Administration Guide NOTE There is no HTML end entities page for TPS services since end entity tasks are performed through the Enterprise Security Client The TPS agent tasks include the following Listing tokens Adding new tokens by tok...

Page 62: ...lts and have further operations performed on it such as changing the token status editing the token settings reviewing the token s certificates and showing the operations previously performed on the token Selecting the List Tokens link in the Agent Operations tab does an automatic search for all tokens configured through the TPS and lists them all in the returned search results To search for speci...

Page 63: ...ange the user ID of the owner and delete tokens Listing the certificates stored on the token Showing the operations performed on the token 3 1 Changing Token Status Agents can change the status of the token Token status affects key recovery policies the status of the token impacts whether a key should be recovered from the DRM or reissued whether new tokens will be blocked because there are alread...

Page 64: ...PS revokes the user certificates and marks the token lost The token is temporarily lost or unavailable For this status the TPS puts the user certificates on hold and marks the token inactive The lost token has been found For this status the TPS takes the certificates off hold and marks the token active The lost token cannot be found permanently lost For this status the TPS revokes the certificates...

Page 65: ...h a semi colon For example to allow the user to reset his PIN but to disallow re enrolling with the same token the policy would be as follows RE_ENROLL NO PIN_RESET YES NOTE If the PIN_RESET policy is not set then user initiated PIN resets are allowed by default If the policy is present and is changed from NO to YES then a PIN reset can be initiated by the user once after the PIN is reset the poli...

Page 66: ... and Signing 1 are marked as revoked When the user is issued a new token Token 2 then Encrypt 1 is recovered and a new signing certificate Sign ing 2 is issued The status for the three certificates then is as follows Signing 1 revoked Signing 2 active Encrypt 1 active If Token 1 is found then the the certificates for Token 2 are revoked and the certificates for Token 1 are reactivated The status f...

Page 67: ...ates and Search Certificates Both of these options return lists of certificates for the token or user ID specified Clicking List Certificates automatically returns all stored certificates Clicking Search Certificates opens a search form to supply the specific token ID or user ID for which to list the certificates Figure 8 9 Searching Certificates This will then return the certificates the same as ...

Page 68: ...arch Activities Both of these options return lists of activities performed on the tokens managed by the TPS Clicking List Activities automatically returns all token activities performed through the TPS on all tokens Clicking Search Activities opens a search form to supply the specific token ID for which to list activities Figure 8 11 Searching Activities This will then return the activities perfor...

Page 69: ...ministrator Operations tab listing and searching tokens with different editing options and deleting tokens Listing tokens automatically returns all enrolled tokens in the TPS search ing for a token returns the specific token matching the search criteria token or user ID Selecting a token from the complete list or from the search results will open the token s details page 6 Administrator Operations...

Page 70: ...ting the token owner UID the token CUID the token status and the token policy Administrators can edit the user ID associated with the token and the token policies The token owner UID can be any username The two supported token policies are RE_ENROLL which allows a user to re enroll certificates with the same token and PIN_RESET which allows the token user to initiate a PIN reset operation The valu...

Page 71: ...m NO to YES then a PIN reset can be initiated by the user once after the PIN is reset the policy value automatically changes back to NO 6 3 Deleting the Token Click the Delete button will remove the token and all its associated certificates and user information from the TPS data base 6 3 Deleting the Token 64 Chapter 8 TPS Agent Services ...

Page 72: ...ryptography concepts vi D Data Recovery Manager 42 agent services forms 5 overview 1 Directory Server Certificate System and 40 documentation conventions followed vi E end entities 1 enrollment requests approving 24 cloning 19 examining 22 handling process 19 listing 20 statuses 21 F fonts used in this book vi forms accessing 10 summary 8 I introduction 1 issuing a certificate 25 L List Requests f...

Page 73: ... 6 certificates conflicting stat 59 certificates and tokens 54 changing token status 56 deleting tokens 62 editing tokens 62 listing tokens 55 searching activities 61 searching tokens 55 60 type styles used in this book vi 66 ...