Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION, Admin Manual

Page 1: ...Red Hat Certificate System 8 0 Admin Guide Publication date July 22 2009 updated on March 25 2010 ...

Page 2: ...rmitted by applicable law Red Hat Red Hat Enterprise Linux the Shadowman logo JBoss MetaMatrix Fedora the Infinity Logo and RHCE are trademarks of Red Hat Inc registered in the United States and other countries Linux is the registered trademark of Linus Torvalds in the United States and other countries All other trademarks are the property of their respective owners 1801 Varsity Drive Raleigh NC 2...

Page 3: ...anager 7 1 2 5 Token Processing System 7 1 2 6 Token Key Service 8 1 2 7 Enterprise Security Client 8 1 3 A Look at Managing Certificates 8 1 4 A Look at the Token Management System 11 1 5 Red Hat Certificate System Services 13 1 5 1 Interfaces for Administrators 13 1 5 2 Agent Interfaces 16 1 5 3 End User Pages 17 1 5 4 Enterprise Security Client 18 I Setting up Certificate Services 21 2 Making R...

Page 4: ...Key Recovery Schemes 72 3 4 Testing the Key Archival and Recovery Setup 73 4 Requesting Enrolling and Managing Certificates 75 4 1 About Enrolling and Renewing Certificates 75 4 2 Configuring Internet Explorer to Enroll Certificates 75 4 3 Requesting and Receiving Certificates 77 4 3 1 Requesting and Receiving a User or Agent Certificate through the End Entities Page 77 4 3 2 Requesting Certificat...

Page 5: ... 5 7 Configuring the TPS 154 5 7 1 Enabling SSL for TPS Enterprise Security Client Connections 154 5 7 2 Configuring the Channels between the TPS and Tokens 156 5 7 3 Configuring or Disabling LDAP Authentication 157 5 7 4 Configuring the Token Database 159 5 7 5 Configuring Server Side Key Generation and Archival of Encryption Keys 160 5 7 6 Configuring IPv6 Support 163 5 8 Scaling the TPS and Its...

Page 6: ...ishers 204 8 1 2 Mappers 205 8 1 3 Rules 205 8 1 4 Publishing to Files 205 8 1 5 OCSP Publishing 205 8 1 6 LDAP Publishing 206 8 2 Setting up Publishing 206 8 2 1 Configuring Publishing to a File 207 8 2 2 Configuring Publishing to an OCSP 210 8 2 3 Configuring Publishing to an LDAP Directory 211 8 2 4 Creating Rules 217 8 2 5 Enabling Publishing 221 8 3 Publishing CRLs over HTTP 222 8 3 1 Configu...

Page 7: ...omated Jobs 259 11 2 Setting up the Job Scheduler 260 11 3 Setting up Specific Jobs 261 11 3 1 Configuring Specific Jobs Using the Certificate Manager Console 261 11 3 2 Configuring Jobs by Editing the Configuration File 264 11 3 3 Configuration Parameters of certRenewalNotifier 265 11 3 4 Configuration Parameters of requestInQueueNotifier 265 11 3 5 Configuration Parameters of publishCerts 266 11...

Page 8: ... Number 307 13 4 2 Using a Single SSL Port 308 13 4 3 Updating Existing CAs to Use End Entity Client Authentication Ports Avoiding TLS Related Man in the Middle Attacks 309 13 5 Configuring the LDAP Database 312 13 5 1 Changing the Internal Database Configuration 313 13 5 2 Enabling SSL Client Authentication with the Internal Database 314 13 5 3 Restricting Access to the Internal Database 317 13 6...

Page 9: ...Tests Log 367 15 3 Configuring Logs Using the UI 367 15 3 1 Configuring Logs in the Console for the CA OCSP DRM and TKS 367 15 3 2 Configuring TPS Audit Logs in the Admin Services Page 368 15 4 Configuring Logs in the CS cfg File 370 15 4 1 Configuring Logs in the CS cfg File for the CA OCSP DRM and TKS 370 15 4 2 Configuring RA Logging 371 15 4 3 Configuring TPS Logging 373 15 5 Managing Signed A...

Page 10: ...ertificate Request Input 419 A 1 2 CMC Certificate Request Input 419 A 1 3 Dual Key Generation Input 419 A 1 4 File Signing Input 420 A 1 5 Image Input 420 A 1 6 Key Generation Input 420 A 1 7 nsHKeyCertRequest Token Key Input 420 A 1 8 nsNKeyCertRequest Token User Key Input 420 A 1 9 Serial Number Renewal Input 421 A 1 10 Subject DN Input 421 A 1 11 Subject Name Input 421 A 1 12 Submitter Informa...

Page 11: ...int 453 B 2 5 Key Usage Extension Constraint 453 B 2 6 No Constraint 455 B 2 7 Netscape Certificate Type Extension Constraint 455 B 2 8 Renewal Grace Period Constraint 455 B 2 9 Signing Algorithm Constraint 456 B 2 10 Subject Name Constraint 456 B 2 11 Unique Subject Name Constraint 457 B 2 12 Validity Constraint 457 B 3 Standard X 509 v3 Certificate Extension Reference 457 B 3 1 authorityInfoAcce...

Page 12: ...ation 496 D 2 5 certServer clone configuration 496 D 2 6 certServer general configuration 496 D 2 7 certServer log configuration 497 D 2 8 certServer log configuration fileName 497 D 2 9 certServer log configuration signedAudit expirationTime 497 D 2 10 certServer log content 498 D 2 11 certServer log content signedAudit 498 D 2 12 certServer registry configuration 499 D 2 13 certServer usrgrp adm...

Page 13: ...s 511 D 4 1 certServer job configuration 511 D 4 2 certServer kra certificate transport 511 D 4 3 certServer kra configuration 511 D 4 4 certServer kra connector 512 D 4 5 certServer kra GenerateKeyPair 512 D 4 6 certServer kra getTransportCert 512 D 4 7 certServer kra group 513 D 4 8 certServer kra key 513 D 4 9 certServer kra keys 513 D 4 10 certServer kra registerUser 513 D 4 11 certServer kra ...

Page 14: ...er tks group 519 D 6 3 certServer tks importTransportCert 519 D 6 4 certServer tks keysetdata 519 D 6 5 certServer tks registerUser 520 D 6 6 certServer tks sessionkey 520 D 6 7 certServer tks systemstatus 520 Glossary 521 Index 535 ...

Page 15: ...e including the following topics Encryption and decryption Public keys private keys and symmetric keys Significance of key lengths Digital signatures Digital certificates including different types of digital certificates The role of digital certificates in a public key infrastructure PKI Certificate hierarchies LDAP and Red Hat Directory Server Public key cryptography and the Secure Sockets Layer ...

Page 16: ...d Hat Enterprise Linux 5 3 x86_64 64 bit The Enterprise Security Client which manages smart cards for end users is supported on the following platforms Red Hat Enterprise Linux 5 3 x86 32 bit Red Hat Enterprise Linux 5 3 x86_64 64 bit Microsoft Windows Vista 32 bit Microsoft Windows Vista 64 bit Microsoft Windows XP 32 bit Microsoft Windows XP 64 bit 3 2 Supported Web Browsers The services pages f...

Page 17: ...ard and GemPCKey USB form factor key Gemalto Cyberflex e gate 32K token Safenet 330J Java smart card Smart card testing was conducted using the SCM SCR331 CCID reader The only card manager applet supported with Certificate System is the CoolKey applet which ships with Red Hat Enterprise Linux 5 3 3 4 Supported HSM Red Hat Certificate System supports two hardware security modules HSM Safenet Chrysa...

Page 18: ... the examples for Red Hat Certificate System commands file locations and other usage are given for Red Hat Enterprise Linux 5 32 bit systems Be certain to use the appropriate commands and files for your platform To start the Red Hat Certificate System service pki ca start Example 1 Example Command 4 2 Tool Locations All of the tools for Red Hat Certificate System are located in the usr bin directo...

Page 19: ...administrators Certificate System Installation Guide 2 covers the installation process for all Certificate System subsystems This manual is intended for Certificate System administrators Certificate System Administrator s Guide 3 explains all administrative functions for the Certificate System Administrators maintain the subsystems themselves so this manual details backend configuration for certif...

Page 20: ...portant deployment information for Red Hat Certificate System 8 0 All of the latest information about Red Hat Certificate System and both current and archived documentation is available at http www redhat com docs manuals cert system 6 Giving Feedback If there is any error in this Administrator s Guide or there is any way to improve the documentation please let us know Bugs can be filed against th...

Page 21: ...ckey Tech edits to the TPS configuration chapter from Jack Magne per Bugzilla 510610 Revision 8 0 10 September 30 2009 Ella Deon Lackey Tech edits to the TPS configuration chapter per Bugzilla 510610 Revision 8 0 9 September 9 2009 Ella Deon Lackey Updating chapter 4 on managing certificates for the tech review per Bugzilla 510988 Tech edits to the ACL reference per Bugzilla 510613 Revision 8 0 8 ...

Page 22: ... Deon Lackey Beginning tech edits covering chapters 1 2 3 7 10 and 11 and appendices A and B according to Bugzilla 510614 510615 510625 510602 510604 510616 510623 and 510621 Some edits to the subsystems overview chapter based on tech edits for the deployment guide such as Bugzilla 510597 Revision 8 0 1 August 4 2009 Ella Deon Lackey Adding note to the TPS users section about setting all profiles ...

Page 23: ...col governs server authentication client authentication and encrypted communication between servers and clients SSL is widely used on the Internet especially for interactions that involve exchanging confidential information such as credit card numbers SSL requires an SSL server certificate As part of the initial SSL handshake the server presents its certificate to the client to authenticate the se...

Page 24: ...l with potential security problems related to the fact that passwords are sent over the network routinely and frequently Solving this problem requires some way for a user to log in once using a single password and get authenticated access to all network resources that user is authorized to use without sending any passwords over the network This capability is known as single sign on Both client SSL...

Page 25: ...tem instances This list is not exhaustive there are certificate enrollment forms for dual use certificates for LDAP directories file signing certificates and other subsystem certificates These forms are available through the Certificate Manager s end entities page at https server example com 9444 ca ee ca For more detailed information about the different certificates that can be created see the Ce...

Page 26: ...nate CA is determined by whether its CA signing certificate is self signed or is signed by another CA Self signed root CAs set the policies they use to issue certificates such as the subject names types of certificates that can be issued and to whom certificates can be issued A subordinate CA has a CA signing certificate signed by another CA usually the one that is a level above in the CA hierarch...

Page 27: ...Certificate System agents can be given client certificates to access special services 1 1 2 5 Dual Key Pairs Dual key pairs are a set of two private and public keys where one set is used for signing and one for encryption These dual keys are used to create dual certificates The dual certificate enrollment form is one of the standard forms listed in the end entities page of the Certificate Manager ...

Page 28: ...nal tokens like smart cards and manages the keys and certificates on those tokens through a local client the Enterprise Security Client The Enterprise Security Client contacts the TPS when there is a token operation and the TPS interacts with the CA DRM or TKS as required then send the information back to the token by way of the Enterprise Security Client 1 2 1 Certificate Manager The Certificate ...

Page 29: ...because that compromises the non repudiation properties of signing keys Non repudiation means that a user cannot deny having performed some action such as sending signed email because they are the only possessor of that signing key 1 2 4 Online Certificate Status Manager The Online Certificate Status Manager is an OCSP service external to the Certificate Manager Although the Certificate Manager is...

Page 30: ...en it is issued issuance and enrollment and the period when the certificates are no longer valid renewal or revocation There are also ways to manage the certificate during its cycle Making information about the certificate available to other applications is publishing the certificate and then backing up the key pairs so that the certificate can be recovered if it is lost The core of the Certificat...

Page 31: ... has to be verified in person by an agent with supporting documentation This creates a bottleneck for the CA agents to approve requests A registration authority RA is installed at each local office the requests are processed and approved locally and then a central CA issues all of the certificates Figure 1 3 CA and RA Alternatively a site may have a significant number of client requests to verify ...

Page 32: ... 10 Figure 1 4 CA and OCSP Even with all possible subsystems installed the core of the Certificate System is still the CA or CAs since they ultimately process all certificate related requests The other subsystems connect to the CA or CAs likes spokes in a wheel ...

Page 33: ... 5 How Certificate System Manages Smart Cards Four Certificate System subsystems are involved with managing tokens The Token Processing System TPS interacts with smart cards to help them generate and store keys and certificates for a specific entity such as a user or device Smart card operations go through the TPS and are forwarded to the appropriate subsystem for action such as the Certificate Au...

Page 34: ...Certificate System Manages Smart Cards To use the tokens the Token Processing System must be able to recognize and communicate with them The tokens must first be enrolled to format the tokens with required keys and certificates and add the tokens to the Certificate System The Enterprise Security Client provides the user interface for end entities to enroll tokens The token management system is ver...

Page 35: ...guring logs managing profiles and plug ins and the internal database among many other functions This interface is also the only interface that does not directly deal with certificates tokens or keys meaning it is not used for managing the PKI only the servers There are two types of administrative consoles Java based and HTML based Although the interface is different both are accessed using a serve...

Page 36: ...m Logs for more information 1 5 1 2 The Administrative Interface for the RA and TPS The RA and TPS subsystems use HTML based administrative interfaces These are accessed by entering the hostname and secure port as the URL authenticating with the administrator s certificate and clicking the appropriate Administrators link NOTE There is a single SSL port for RA and TPS subsystems which is used for b...

Page 37: ...gure 1 7 RA Admin Page The TPS only allows operations to manage users for the TPS subsystem However the TPS admin page can also list tokens and display all activities including normally hidden administrative actions performed on the TPS ...

Page 38: ...s 16 Figure 1 8 TPS Admin Page 1 5 2 Agent Interfaces The agent services pages are where almost all of the certificate and token management tasks are performed These services are HTML based and agents authenticate to the site using a special agent certificate ...

Page 39: ...n the tokens DRM agent services pages process key recovery requests which set whether to allow a certificate to be issued reusing an existing key pair if the certificate is lost The OCSP agent services page allows agents to configure CAs which publish CRLs to the OCSP to load CRLs to the OCSP manually and to view the state of client OCSP requests The RA agent services allows agents to list and app...

Page 40: ...s Like the CA the enrollment forms are accessed through the End Entities URL Users can submit certificate requests and retrieve their certificates through the RA 1 5 4 Enterprise Security Client The Enterprise Security Client is a tool for Red Hat Certificate System which simplifies managing smart cards End users can use security tokens smart cards to store user certificates used for applications ...

Page 41: ...curity Client provides the user interface of the token management system The end user can be issued security tokens containing certificates and keys required for signing encryption and other cryptographic functions To use the tokens the TPS must be able to recognize and communicate with them Enterprise Security Client is the method for the tokens to be enrolled Enterprise Security Client communica...

Page 42: ...20 ...

Page 43: ...Part I Setting up Certificate Services ...

Page 44: ......

Page 45: ...ts include public keys for the certificate request and the certificate subject name requested by the end entity for the certificate Certificate extensions Each issued certificate defines certain information like the name of the entity to which it is assigned the subject name its key fingerprint and its validity period What is included in a certificate is defined in the X 509 standard A certificate...

Page 46: ...ollment Next the profile lists all of the required inputs for the profile input list i1 i2 i3 input i1 class_id keyGenInputImpl input i2 class_id subjectNameInputImpl input i3 class_id submitterInfoInputImpl For the caUserCert profile this defines the keys to generate the fields to use in the subject name and the fields to use for the person submitting the certificate Key generation specifies that...

Page 47: ...e policyset userCertSet 6 constraint params keyUsageDataEncipherment false policyset userCertSet 6 constraint params keyUsageKeyEncipherment true policyset userCertSet 6 constraint params keyUsageKeyAgreement false policyset userCertSet 6 constraint params keyUsageKeyCertSign false policyset userCertSet 6 constraint params keyUsageCrlSign false policyset userCertSet 6 constraint params keyUsageEnc...

Page 48: ...raintsMinPathLen 1 policyset caCertSet 5 constraint params basicConstraintsMaxPathLen 1 NOTE To allow user supplied extensions to be embedded in the certificate requests and ignore the system defined default in the profile the profile needs to contain the User Supplied Extension Default which is described in Section B 1 22 User Supplied Extension Default 2 1 3 Inputs and Outputs Inputs set informa...

Page 49: ... must disapprove or disable the certificate profile before the administrator can edit that certificate profile Add a certificate profile and modify an existing certificate profile by doing the following 1 Log in to the Certificate System CA subsystem console pkiconsole https server example com 9445 ca 2 In the Configuration tab select Certificate Manager and then select Certificate Profiles The Ce...

Page 50: ...ance ID This is the ID used by the system to identify the profile Certificate Profile Name This is the user friendly name for the profile Certificate Profile Description End User Certificate Profile This sets whether the request must be made through the input form for the profile This is usually set to true Setting this to false allows a signed request ...

Page 51: ...ved enrollment the request is submitted to the request queue of the agent services interface 5 Click OK The plug in editor closes and the new profile is listed in the profiles tab 6 Configure the policies inputs and outputs for the new profile Select the new profile from the list and click Edit View 7 Set up policies in the Policies tab of the Certificate Profile Rule Editor window The Policies ta...

Page 52: ...et ID When issuing dual key pairs separate policy sets define the policies associated with each certificate Then fill in the certificate profile policy ID a name or identifier for the certificate profile policy d Configure any parameters in the Defaults and Constraints tabs ...

Page 53: ...nes valid values for the defaults See Section B 1 Defaults Reference and Section B 2 Constraints Reference for complete details for each default or constraint To modify an existing policy select a policy and click Edit Then edit the default and constraints for that policy To delete a policy select the policy and click Delete 8 Set inputs in the Inputs tab of the Certificate Profile Rule Editor win...

Page 54: ...r Issuing Certificates 32 b Choose the input from the list and click OK See Section A 1 Input Reference for complete details of the default inputs c The New Certificate Profile Editor window opens Set the input ID and click OK ...

Page 55: ...te an input select the input and click Delete 9 Set up outputs in the Outputs tab of the Certificate Profile Rule Editor window Outputs must be set for any certificate profile that uses an automated authentication method no output needs to be set for any certificate profile that uses agent approved authentication The Certificate Output type is set by default for all profiles and is added automatic...

Page 56: ...and click OK c Give a name or identifier for the output and click OK This output will be listed in the output tab You can edit it to provide values to the parameters in this output To delete an output select the output from list and click Delete 10 Restart the CA to apply the new profile service pki ca start 11 After creating the profile as an administrator a CA agent has to approve the profile in...

Page 57: ...n only be added to the profile using the command line as described in Section 2 2 3 Creating and Editing Certificate Profiles through the Command Line 2 2 2 Editing Certificate Profiles in the Console To modify an existing certificate profile select a certificate profile click Edit View The Certificate Profile Rule Editor window appears If necessary enlarge the window by pulling out one of the cor...

Page 58: ...e conf directory with the name profile NOTE Restart the server after editing the profile configuration file for the changes to take effect Section 2 2 3 1 Profile Configuration Parameters Section 2 2 3 2 Modifying Certificate Extensions through the Command Line Section 2 2 3 3 Adding Inputs through the Command Line 2 2 3 1 Profile Configuration Parameters The configuration files are stored in the ...

Page 59: ...s_id Gives the java class name for the input by input ID the name of the input listed in input l input i1 class_id certReqInputImpl output list Lists the possible output formats for the profile by name For example output list o1 output output_id class_id Gives the java class name for the output format named in output list For example outpu policyset list Lists the configured profile rules For dual...

Page 60: ...rams keyUsageCrlSign false policyset cmcUserCertSet 6 default params keyUsageDataEncipherment false policyset cmcUserCertSet 6 default params keyUsageDecipherOnly false policyset cmcUserCertSet 6 default params keyUsageDigitalSignature true policyset cmcUserCertSet 6 default params keyUsageEncipherOnly false policyset cmcUserCertSet 6 default params keyUsageKeyAgreement false policyset cmcUserCert...

Page 61: ...s one important thing to do when creating profiles the Key Default must be added before the Subject Key Identifier Default Certificate System processes the key constraints in the Key Default before creating or applying the Subject Key Identifier Default so if the key has not been processed yet setting the key in the subject name fails For example an object signing profile may define both defaults ...

Page 62: ...atePoliciesExt enable false ca Policy rule CertificatePoliciesExt implName CertificatePoliciesExt ca Policy rule CertificatePoliciesExt numCertPolicies 1 ca Policy rule CertificatePoliciesExt predicate HTTP_PARAMS certType fbca ca Policy rule CertificatePoliciesExt certPolicy0 cpsURI ca Policy rule CertificatePoliciesExt certPolicy0 noticeRefNumbers ca Policy rule CertificatePoliciesExt certPolicy...

Page 63: ...s and inputs and outputs By default the profile configuration files are in the var lib subsystem_name profiles ca directory Profile ID Profile Name Description caAdminCert Security Domain Administrator Certificate Enrollment Enrolls Security Domain Administrator s certificates with LDAP authentication against the internal LDAP database caAgentFileSigning Agent Authenticated File Signing This certi...

Page 64: ...caDirUserRenewal Directory Authenticated User Certificate Self Renew profile Renews user certificates through directory based authentication The user certificate is issued as soon as the requester successfully authenticates to the LDAP directory NOTE Renewal profiles can only be used in conjunction with the profile that issued the original certificate There are two settings that are beneficial It ...

Page 65: ...t Enrolls a signing certificate to use for signing audit logs used automatically during any subsystem configuration with the exception of the RA caInternalAuthDRMstorageCert Security Domain DRM Storage Certificate Enrollment Enrolls DRM storage certificates for DRMs within a security domain used automatically during a DRM configuration caInternalAuthOCSPCert Security Domain OCSP Manager Signing Ce...

Page 66: ... time before and after the certificate s expiration date when the user is allowed to renew the certificate There are only a few examples of these in the default profiles and they are mostly not enabled by default caOCSPCert Manual OCSP Manager Signing Certificate Enrollment Enrolls OCSP Manager certificates caOtherCert Other Certificate Enrollment Enrolls other certificates caRAagentCert RA Agent ...

Page 67: ...r certificates caSignedLogCert Manual Log Signing Certificate Enrollment Enrolls audit log signing certificates caSimpleCMCUserCert Simple CMC Enrollment Enrolls user certificates by using the CMC certificate request with CMC Signature authentication caSSLClientSelfRenewal Self renew user SSL client certificates Renews SSL client certificates using certificate based authentication The certificate ...

Page 68: ...ry keys valid for about a week and intended to replace a temporarily lost token caTempTokenUserEncryptionKeyEnrollment Temporary Token User Encryption Certificate Enrollment Enrolls an encryption key on a token used by the TPS for smart card enrollment operations These are temporary keys valid for about a week and intended to replace a temporarily lost token caTempTokenUserSigningKeyEnrollment Tem...

Page 69: ...Enrollment Enrolls a signing key on a token used by the TPS for smart card enrollment operations caTokenUserSigningKeyRenewal smart card token signing cert renewal profile Renews a signing that was enrolled on a token using the caTokenUserSigningKeyEnrollment profile used by a TPS subsystem caTPSCert Manual TPS Server Certificate Enrollment Enrolls TPS server certificates caTransportCert Manual Da...

Page 70: ...anager Signing Certificate Enrollment Enrolls Registration Manager certificates caRARouterCert RA Agent Authenticated Router Certificate Enrollment Enrolls router certificates after agent approval as opposed to automatic enrollment caRAserverCert RA Agent Authenticated Server Certificate Enrollment Enrolls server certificates with RA agent authentication caRouterCert One Time Pin Router Certificat...

Page 71: ...Enrollment a li font td tr snip 4 Open the new profile directory cd example 5 The user profile directory has three main sets of files index cgi and index vm are all used to generate the index page renew cgi renew vm renewal cgi and renewal vm are all used to process renewal requests user cgi user vm submit cgi and submit vm are all used to create and submit new certificate requests The index cgi f...

Page 72: ...f li a href example cgi New Example Cert a li font td tr tr valign TOP td font size 4 face PrimaSans BT Verdana sans serif li a href example renew cgi Renewing an Example Cert a li font td tr table center 8 Edit every cgi and vm so that the specified directories all point to the new example directory For example vim example cgi my result parser execute_file_with_context ee example example vm vim e...

Page 73: ... var lib pki ra conf CS cfg file There are three ways that a request can be handled created approved and rejected so each profile entry has to define the behaviors of the RA for those three scenarios Much like a profile policy set each operation is defined with a different group of parameters request profile_name approve_request which specifies the plug in to call when a request is approved reques...

Page 74: ...mple approve_request 1 plugin PKI Request Plugin EmailNotification request example approve_request 1 templateDir usr share pki ra conf request example approve_request 1 templateFile mail_approve_request vm request example approve_request num_plugins 2 request example create_request 0 assignTo agents request example create_request 0 plugin PKI Request Plugin AutoAssign request example create_reques...

Page 75: ... Certificate Enrollment Token User Signing Certificate Enrollment Token User MS Login Certificate Enrollment Temporary Token Profiles Temporary Device Certificate Enrollment Temporary Token User Encryption Certificate Enrollment Temporary Token User Signing Certificate Enrollment Renewal Profiles 1 Token User Encryption Certificate Enrollment Renewal Token User Signing Certificate Enrollment Renew...

Page 76: ...l be used in the subject name of the certificate then uid must be listed in the ldapStringAttributes parameter and request uid listed as one of the components in the dnpattern Editing certificate profiles is covered in Section 2 2 Setting up Certificate Profiles 2 4 2 Creating Custom TPS Profiles Certificate profiles are created as normal in the CA but they also have to be configured in the TPS fo...

Page 77: ...le an ECC signing certificate can sign both ECC and RSA certificate requests as long as both ECC and RSA algorithms are supported by the CA An RSA signing certificate can can sign a PKCS 10 request with EC keys but may not be able to sign CRMF certificate requests with EC keys if the ECC module is not available for the CA to verify the CRMF proof of possession POP NOTE Although Certificate System ...

Page 78: ...a list of allowed algorithms if the certificate request specifies a different algorithm If no signing algorithms are specified then the profile uses whatever is set as the default for the CA In the profile s cfg file the algorithm is set with two parameters policyset serverCertSet 8 default class_id signingAlgDefaultImpl policyset serverCertSet 8 default name Signing Alg policyset serverCertSet 8 ...

Page 79: ...ger tree 3 Click the Certificate Profiles item 4 Click the Policies tab 5 Select the Signing Alg policy and click the Edit button 6 To set the default signing algorithm set the value in the Defaults tab If this is set to then the profile uses the CA s default 7 To set a list of allowed signing algorithms which can be accepted in a certificate request open the Constraints tab and set the list of al...

Page 80: ...sending a signed object As part of the handshake the sender is expected to send the subject certificate and any intermediate CA certificates needed to link the subject certificate to the trusted root For certificate chaining to work properly the certificates should have the following properties CA certificates must have the Basic Constraints extension CA certificates must have the keyCertSign bit ...

Page 81: ...ation see Section B 1 8 Key Usage Extension Default and Section B 1 5 Extended Key Usage Extension Default 8 Set the constraint values for the CA certificates There are no constraints to be set for a Key Usage extension for an Extended Key Usage extension set the appropriate OID constraints for the CA For more information see Section B 1 5 Extended Key Usage Extension Default 9 When the changes ha...

Page 82: ...y period longer than the CA signing certificate s validity period it automatically truncates the validity period to end on the day the CA signing certificate expires Certificate Serial Number These fields display the serial number range for certificates issued by the Certificate Manager The server assigns the serial number in the Next serial number field to the next certificate it issues and the n...

Page 83: ... Names and Subject Alternative Names The subject name of a certificate is a distinguished name DN that contains identifying information about the entity to which the certificate is issued This subject name is built from standard LDAP directory components such as email addresses common names and organizational units These components are defined in X 500 In addition to or even in place of the subjec...

Page 84: ...f the UidPwdDirAuth authentication plug in d Set the information for the LDAP directory e Set the LDAP attributes to populate f Save the new plug in instance For information on configuring the LDAP authentication modules see Section 9 2 1 Setting up Directory Based Authentication 2 When the new authentication plug in is added the corresponding parameters are added to the CA s CS cfg file For examp...

Page 85: ... auth_token cn The LDAP common name cn attribute of the user who requested the certificate request auth_token mail The value of the LDAP email mail attribute of the user who requested the certificate request auth_token tokenCertSubject The certificate subject name request auth_token uid The LDAP user ID uid attribute of the user who requested the certificate request auth_token user request auth_to...

Page 86: ...tificates should match the format of the DNs in the directory It is not necessary that the names match exactly certificate mapping allows the subject DN in a certificate to be different from the one in the directory In the Certificate System the DN is based on the components or attributes defined in the X 509 standard Table 2 7 Allowed Characters for Value Types lists the attributes supported by d...

Page 87: ...C 2253 netscape security x509 GenericValueConverter converts a string character by character in the following order from the smallest characterset to the largest Printable IA5String BMPString Universal String An attribute entry looks like the following X500Name MY_ATTR oid 1 2 3 4 5 6 X500Name MY_ATTR class netscape security x509 DirStrConverter 2 7 2 1 Adding New or Custom Attributes To add a new...

Page 88: ...bject names For example enter the following values for the new attributes and look for them in the subject name MYATTR1 a_value MYATTR2 a Value MYATTR3 aValue cn John Doe o Example Corporation 9 Open the agent services page and approve the request 10 When the certificate is issued check the subject name The certificate should show the new attribute values in the subject name 2 7 2 2 Changing the D...

Page 89: ...o verify that the encoding orders are in effect enroll for a certificate using the manual enrollment form Use John_Doe for the cn 8 Open the agent services page and approve the request 9 When the certificate is issued use the dumpasn1 tool to examine the encoding of the certificate The dumpasn1 tool can be downloaded at http fedoraproject org extras 4 i386 repodata repoview dumpasn1 0 20050404 1 f...

Page 90: ...form is included at the end of the user vm file For example tr td District td td input type text name district value td tr After making the appropriate changes to the enrollment form edit the user vm file to customize the Subject DN to utilize the information collected from the user WARNING The Subject DN must match the pattern specified in the Subject Name Constraint definition of the enrollment ...

Page 91: ... set up manually 3 1 About Key Archival and Recovery Key archival requires only two things a client meaning a browser which can generate dual keys and a certificate profile which is configured to support key archival NOTE For user dual key pairs only keys that are used exclusively for encrypting data should be archived signing keys should never be archived Having two copies of a signing key would ...

Page 92: ...riate stages If the request fails to meet any of the profile constraints the subsystem rejects the request The DRM supports agent initiated key recovery when designated recovery agents use the key recovery form on the DRM agent services page to process and approve key recovery requests With the approval of a specified number of agents an organization can recover keys when the key s owner is unavai...

Page 93: ...e certutil utility If the transport certificate is signed by a Certificate Manager then a copy of the certificate is available through the Certificate Manager end entities page in the Retrieval tab 3 Add the transport certificate to the CA s CS cfg file ca connector KRA enable true ca connector KRA host server example com ca connector KRA local false ca connector KRA nickName subsystemCert cert pk...

Page 94: ...overy agents about an impending key recovery All recovery agents access the DRM key recovery page One of the agents initiates the key recovery process The DRM returns a notification to the agent includes a recovery authorization reference number identifying the particular key recovery request that the agent is required to authorize Each agent uses the reference number and authorizes key recovery s...

Page 95: ...ey Archival and Recovery Setup To test whether a key can be successfully archived 1 Enroll for dual certificates using the CA s Manual User Signing Encryption Certificates Enrollment form 2 Submit the request Log in to the agent services page and approve the request 3 Log into the end entities page and check to see if the certificates have been issued In the list of certificates there should be tw...

Page 96: ...a link to verify the status of this key recovery initiation request This page keeps refreshing until all agents have completed authorizing the recovery request It is important not to close this browser window Depending on the agent scheme a specified number of agents must authorize this key recovery Send this key recovery request authorization number to each of those agents Once the agents receive...

Page 97: ...is best The certutil command can be used to generate a certificate request for any certificate type and then this request is submitted to the CA s end entities forms this is most appropriate for server or device certificates Some certificate profiles accept inputs that generate both the request and when approved the certificate this is the easiest method for user certificates Lastly the Java based...

Page 98: ...e certificate store based on the type of certificate h Once the certificate chain is imported open the Trusted Root Certificate Authorities tab to verify that the certificate chain was successfully imported 3 After the certificate chain is imported Internet Explorer can access the secure end services pages Open the secure site https server example com 9443 ca ee ca 4 There is probably a security e...

Page 99: ...e user certificates for email and SSL authentication Other enrollment forms are available for adding certificates to tokens and signing files For more information about the end entities enrollment forms see the Certificate System Agent s Guide The following profiles are used to create user certificates Manual User Dual Use Certificate Enrollment Manual User Signing and Encryption Certificates Enro...

Page 100: ...uest forms support all UTF 8 characters for the common name organizational unit and requester name fields The common name and organization unit fields are included in the subject name of the certificate This support does not include supporting internationalized domain names 4 Click Submit ...

Page 101: ... is approved and generated the CA sends a notification that you can retrieve the certificate a Open the Certificate Manager end entities page https server example com 9444 ca ee ca b Click the Retrieval tab c Fill in the request ID number that was created when the certificate request was submitted and click Submit d The next page shows the status of the certificate request If the status is complet...

Page 102: ...ed certificate If this is a client certificate that will be installed directly in the web browser scroll down to the Importing This Certificate section and click the Import your certificate or Import S MIME certificate button f Copy the base 64 encoded certificate including the BEGIN CERTIFICATE and END CERTIFICATE marker lines to a text file Save the text file and use it to store a copy of the ce...

Page 103: ...TE REQUEST MIICbTCCAVUCAQAwKDEQMA4GA1UEChMHRXhhbXBsZTEUMBIGA1UEAxMLZXhhbXBs ZSBuZXcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDcH3CcFbSWFYCV WrR1pJf8OaLLvTJB45A grnNqCAQHnsOKO7XLuO oLt r1oEtM7o5eXlwZT1BZT5 bodglwJgo GXxElqX49EnPdwyNLiK8bMKRkKnPiIi9jkaGbiTnQLrKMO8 sGKTB DGu1VIsj9a 4tt2Kt5wwhtEMIfeNZ4Alk9UCWpC8r 0I3eNzyyk4pJ9qWDzYEpV3 TVFco 1FWo yangv7ThSnOJprILIOpcir0vm5zPSlON6JHyJq9O94wSqnIYs xqC ...

Page 104: ...icate enrollment form enter the required information The standard requirements are as follows Certificate Request Type This is either PKCS 10 or CRMF Certificate requests created through the subsystem administrative console are PKCS 10 those created through the certutil tool and other utilities are usually PKCS 10 Certificate Request Paste the base 64 encoded blob including the BEGIN NEW CERTIFICA...

Page 105: ... the CA signs then and delivers back to the email address specified in the request If the requester has agent access the requester can log in as an agent and approve the request 5 Retrieve the certificate a Open the Certificate Manager end entities page https server example com 9444 ca ee ca b Click the Retrieval tab c Fill in the request ID number that was created when the certificate request was...

Page 106: ...browser scroll down to the Importing This Certificate section and click the Import your certificate or Import S MIME certificate button f Copy the base 64 encoded certificate including the BEGIN CERTIFICATE and END CERTIFICATE marker lines to a text file Save the text file and use it to store a copy of the certificate in a subsystem s internal database See Section 14 3 2 1 Creating Users For infor...

Page 107: ...Key Usage 6 Email Subject Alternative Name 7 DNS Subject Alternative Name 8 a Outputs the certificate request to an ASCII file instead of binary Table 4 1 Options for Requesting Certificates with certutil 4 4 Enrolling a Certificate on a Cisco Router Simple Certificate Enrollment Protocol SCEP designed by Cisco is a way for a router to communicate a certificate issuing authority like a CA or RA to...

Page 108: ...EASE SOFTWARE fc1 Before enrolling SCEP certificates on the router make sure that the router is appropriately configured The router must be configured with an IP address DNS server and routing information The router s date time must be correct The router s hostname and dnsname must be configured See the router documentation for instructions on configuring the router hardware 4 4 2 Generating the S...

Page 109: ...Section 9 2 4 Configuring Flat File Authentication 7 Log into the router s console For this example the router s name is scep scep 8 Enable privileged commands scep enable 9 Enter configuration mode scep conf t 10 Import the CA certificate for every CA in the certificate chain starting with the root For example this imports two CA certificates in the chain into the router scep config crypto ca tru...

Page 110: ...e enrollment Create a challenge password You will need to verbally provide this password to the CA Administrator in order to revoke your certificate For security reasons your password will not be saved in the configuration Please make a note of it Password secret Re enter password secret The subject name in the certificate will be scep server example com Include the router serial number in the sub...

Page 111: ...th Subordinate CAs Before the router can authenticate to a CA every CA certificate in the CA s certificate chain must be imported into the router starting with the root For example this imports two CA certificates in the chain into the router scep config crypto ca trusted root1 scep ca root root CEP http server example com 12888 ee scep pkiclient cgi scep ca root crl optional scep ca root exit sce...

Page 112: ...r provides additional debugging during SCEP operations by enabling the debug statements scep debug crypto pki callbacks Crypto PKI callbacks debugging is on scep debug crypto pki messages Crypto PKI Msg debugging is on scep debug crypto pki transactions Crypto PKI Trans debugging is on scep debug crypto verbose verbose debug output debugging is on 4 5 Performing Bulk Issuance There can be instance...

Page 113: ...RMF reque like white spaces should be replaced with their HTML coded equivalent like using 20 certPrettyPrint Sets whether to return a pretty print format of the certificate this is either true or false challengePassword and confirmChallengePassword Sets and confirms a challenge password which is used to verify the requester when the Certificate Uses email Sets whether the certificate can be used ...

Page 114: ...k Issuance POST File 4 5 2 Running the Bulk Issuance Command The POST file is submitted directly to the CA using the bulkissuance command not through the web services pages or console The person performing the bulk issuance authenticates to the CA using his agent s certificate which is also used to approve the certificates automatically The bulkissuance command passes the agent certificate nicknam...

Page 115: ...ows servers for Server 2000 XP 2003 and Vista all have a feature for automatic certificate enrollment which allows Windows systems within a domain to contact a domain controller find available certificate services and request and receive those services based on their domain credentials That is a technical way of saying that whenever a new identity joins a domain a server a user or an administrator...

Page 116: ...ss from creating keys to generating and submitting the certificate request In a Windows domain servers and applications poll Active Directory to get the list of available certificate services When the Auto Enrollment Proxy is configured its information is added to Active Directory as one of the available certificate services Then when an enrollee like a server first asks the domain controller for ...

Page 117: ... enrolling application Figure 4 2 The Auto Enrollment Process At several points in the process the DCOM objects pull information about the proxy service from the registry settings or from the entry in Active Directory 1 The server runs an LDAP search on the root DSE to find the configuration naming context 2 Then it runs an LDAP search under the CN Enrollment Services CN Public Key Services CN Ser...

Page 118: ...er against information in the domain so the requester must be in the same forest as the proxy Additionally for security the proxy should be run on a dedicated machine in a secure environment with access limited to trusted administrators The simplest configuration is to install the proxy as the same machine as the domain controller This limits the field of the proxy to that single domain Figure 4 3...

Page 119: ...rangement has the proxy installed within a single domain but accessible to multiple domains within a Windows forest For this configuration see the Windows server and Active Directory documentation to explain how to configure the domain properly Figure 4 5 Using a Single Proxy within a Forest ...

Page 120: ... be able to cross trust each other Audit logging should be enabled for the group policy DNS must be properly configured the DNS settings can be verified using dcdiag All Windows servers should access the same NTP server so that their dates and times are in sync The Microsoft Management Console must be configured as described in Section 4 6 2 2 Configuring the Microsoft Management Console to Use wi...

Page 121: ...Installing and Setting up the Auto Enrollment Proxy 99 3 Select the profile to which to add the snap ins It may be beneficial to have a separate profile for the proxy Then click Add ...

Page 122: ...ates Current User Certificates with the Computer account option to create a snap in for Certificates Local Computer Active Directory users and computers Active Directory domains and trusts DNS Component Services 5 Save the Microsoft Management Console configuration to the desktop this ensures that it is easy to access 6 Verify that the console is properly configured by re opening it and double cli...

Page 123: ...he CA must be trusted in order to issue certificates meaning the CA certificate has to be loaded a Use IE and connect to the CA s agent page No errors warning should be displayed If they appear make sure they don t appear the next time b Retrieve the CA certificate chain in binary form from the CA s end entities pages Save the certificate chain to the desktop with a name like cacert cer c In the M...

Page 124: ...le click the exe and go through the installer 5 Configure the Auto Enrollment Proxy by importing the CA certificate setting the CAs to use and setting the Auto Enrollment Proxy settings a Open the Start menu and select Red Hat Auto Enrollment Proxy b Open the CA Certificate tab Click Load from File and import that CA certificate chain from the file Then click Set to apply the certificate ...

Page 125: ...Installing and Setting up the Auto Enrollment Proxy 103 c Next click the Active Directory tab Click the Populate AD button to create the Active Directory entry for the proxy service ...

Page 126: ...Chapter 4 Requesting Enrolling and Managing Certificates 104 d Add the connection information for each Certificate Manager which will be used by the proxy Click Add to add each CA ...

Page 127: ...rmation The fully qualified domain name of the Certificate Manager The port number of the Certificate Manager The Certificate System version number of the Certificate Manager The certificate to use to authenticate to the Certificate Manager e In the Logging tab set any log levels to use for the service ...

Page 128: ...e configuration settings have been made click Apply to save the settings 6 The last configuration area is setting up the DCOM service a In the Microsoft Management Console select the DCOM Components snap in b Select or expand the Computers folder then My Computer and DCOM Config ...

Page 129: ...ion Permissions and click the Edit button Make sure that the administrator and that Everyone is selected Then click the Customize radio button under Access Permissions and click the Edit button Make sure that the administrator and that Everyone is selected NOTE The user that launches the proxy and the computer account for the proxy host must be members of the Distributed COM Built in Principals Gr...

Page 130: ...e user to log into the domain f Save the changes to the DCOM snap in 7 In Administrative Tools open Services and manually start the Auto Enrollment Proxy service This should then be listed in the Task Manager as rhcsproxy exe 4 6 2 4 Troubleshooting and Diagnostic Tips Microsoft supplies several tools that are beneficial for diagnosing and troubleshooting problems with auto enrollment or the Auto ...

Page 131: ... there are a couple of different possible reasons The hostname in enrollment services is incorrect Use LDP to view the enrollment service in Active Directory for the proxy and verify the dNSHostName attribute This value is automatically populated when the proxy is first configured The proxy host is unreachable Try to ping the above hostname to make sure DNS resolves the hostname to an IP address c...

Page 132: ... and Adding CAs in the Windows Domain All of the CAs configured for enrollment services for a domain are listed in Active directory in the CN Enrollment Services CN Public Key Services subtree This subtree can be queried to show what Certificate Managers are configured for the proxy and what certificate templates and other settings they have available For example dsquery CN Example RHCS CA CN Enro...

Page 133: ... certificate templates maintained in the registry under the following key HKEY_LOCAL_MACHINE SOFTWARE Red Hat RHCSProxy Config ProfileMap To add additional certificate profiles to the proxy service add a subkey under the ProfileMap folder which maps a Windows template to the Certificate System profile The Windows template is identified in the key name the corresponding Certificate System profile i...

Page 134: ...spx mfr true 4 6 4 Manually Requesting Domain Certificates The auto enrollment proxy naturally automatically enrolls servers hardware and even users as soon as the entity is added to the Windows domain However once the auto enrollment proxy for Red Hat Certificate System is configured it is also possible to request and receive certificates manually on a Windows domain through a Certificate System ...

Page 135: ...Manually Requesting Domain Certificates 113 4 The available types of certificates that can be requested are listed Select the type of certificate to request ...

Page 136: ...Chapter 4 Requesting Enrolling and Managing Certificates 114 5 Fill in the information to use to configure the certificate such as a name or description ...

Page 137: ...certificate request such as the certificate profile for the Windows domain the key settings and any extensions For example Version Signature Windows NT NewRequest Subject CN domain example com KeySpec 1 KeyLength 1024 Exportable TRUE MachineKeySet TRUE SMIME False PrivateKeyArchive FALSE UserProtected FALSE UseExistingKeySet FALSE ProviderName Microsoft RSA SChannel Cryptographic Provider Provider...

Page 138: ... domain example com Certificate Authority SUBCA server example com submit dc cert request req dc cert cer 4 7 Renewing Certificates Renewing a certificate regenerates the certificate using the same public key as the original certificate Renewing a certificate can be preferable to simply generating new keys and installing new certificates for example if a new CA signing certificate is created all o...

Page 139: ... server identifies the certificate and then maps the renewal request to the initial certificate request entry in the CA database If more than one certificate matches the renewal request then the most recent certificate entry is used The renewal request must be submitted to the same CA which issued the original certificate This is the only way to map the serial number to the appropriate certificate...

Page 140: ...Wr8ZCIgt2Rr3aR3FqE0tqUXh2RDmq EvfxBza FOTQpwz2EW1ppIXjKNZpi9 3enjMg0rc CsT c1rKeXJzo5mD6n VmET8ZilvSgyq6jt9KgqeVfM Cfl ypQ2u9EW6a0sYflw vPOkcXqRUnKfKjn1lq8CALrGDG71pAlHzXQNMB0YWlKKywhdMfbHPN8 FdFHC6Ro5Ny01DDRBF y3Iqc3flLFJt1Ya3c8hEc version 2 algorithmId 1 2 840 113549 1 1 1 signingAlgorithmId 1 2 840 113549 1 1 5 dateOfCreate 20090624082244Z dateOfModify 20090624082244Z certStatus VALID autoRenew...

Page 141: ...raints and subject name A renewed certificate is identical to the original except that it has a new expiration date When a certificate is renewed it has to be renewed using a renewal profile that corresponds to the initial enrollment profile Certificate System supports renewals both for tokens and for regular certificates both through the RA and the CA The default configuration profiles cover user...

Page 142: ...es not need to define any defaults extensions or constraints all of that information is already contained in the original certificate What a renewal profile does define is whether renewal is allowed the input to use to locate the original certificate and the output of the regenerated certificate The renewal option as with the original profile is set to either true or false renewal true The origina...

Page 143: ...tern This is described in Section 9 2 1 Setting up Directory Based Authentication However for certificate based renewal the certificate is presented directly by the browser being used to open the renewal forms and that certificate is checked in the client database The certificate is used both to verify the identity of the requester and to get the certificate information for renewal For certificate...

Page 144: ... and the CA draws the information from its current certificate directory entry Certificate based renewal uses the certificate in the browser database to regenerate the new certificate which makes it common for user certificate renewals NOTE Encryption and signing certificates are created in a single step However the renewal process only renews one certificate at a time To renew both certificates i...

Page 145: ...g Certificates 123 4 Click the renew button 5 The request is submitted For directory based renewals the renewed certificate is automatically returned Otherwise the renewal request will be approved by an agent ...

Page 146: ...e to renew If a certificate can be renewed then the CA automatically approved and reissued it 1 Open the end entities services page for the CA which issued the certificate or its clone https server example com 9444 ca ee ca 2 Click the name of the renewal form to use 3 There is no input field so click the Renew button 4 When prompted select the certificate to renew 5 The request is submitted and t...

Page 147: ...al process only renews one certificate at a time To renew both certificates in a certificate pair each one has to be renewed individually 1 Get the password for the token database cat var lib pki ca conf password conf internal 263163888660 2 Open the certificate database directory of the instance that s certificate is being renewed cd var lib pki ca alias 3 List the key and nickname for the certif...

Page 148: ...o Example Domain a o example req2 txt The difference between generating a new certificate and key pair and renewing the certificate is the value of the k option To generate an entirely new request and key pair then k sets the key type and is used with g which sets the bit length For a renewal request the k option uses the certificate nickname to access the existing key pair stored in the security ...

Page 149: ...e password PIN on the smart card Upgrading the applet version on the smart card Each of these operations is configured in the TPS instance s CS cfg file similar to a CA enrollment profile 5 1 1 Configuring Format Operations When the TPS is contacted by a smart card for a format operation there are several different operations the TPS can perform depending on the status of the smart card Whether an...

Page 150: ...nn The TKS connection to use op format tokenType auth id The LDAP authentication instance to use The default value is ldap1 op format tokenType auth enable Specifies whether to authenticate the user information The valid values are tru op format tokenType issuerinfo enable Specifies whether the Phone Home information for the Enterprise Security Clien op format tokenType issuerinfo value Sets the P...

Page 151: ...covery onHold revokeCert reason 6 op enroll soKey keyGen encryption recovery onHold scheme GenerateNewKey op enroll soKey keyGen encryption revokeCert true key archival information op enroll soKey keyGen encryption serverKeygen archive true op enroll soKey keyGen encryption serverKeygen drm conn drm1 op enroll soKey keyGen encryption serverKeygen enable true NOTE There are a number of other parame...

Page 152: ...romised 2 CA key compromised 3 Affiliation changed 4 Certificate superseded 5 Cessation of operation 6 Certificate is on hold op enroll tokenType keyGen recovery keyCompromise keyType num The number of key types for recovery for the tokens whose keys are compromis op enroll tokenType keyGen recovery keyCompromise keyType value Specifies keyType The default values are signing encryption op enroll t...

Page 153: ...ning encryption op enroll tokenType keyGen signing recovery onHold scheme The recovery scheme for signing certificates for tokens that are to be pu op enroll tokenType keyGen signing recovery onHold revokeCert Specifies if the signing certificate should be revoked if the token s key ha op enroll tokenType keyGen signing recovery onHold revokeCert reason Specifies what the signing certificate revoc...

Page 154: ... token should be overwritten The va op enroll tokenType keyGen encryption ca profileId The CA profile to use for enrolling encryption certificates The default value is c op enroll tokenType keyGen encryption ca conn The CA connection to use to generate encryption certs The default value is ca1 op enroll tokenType update applet emptyToken enable Specifies whether TPS should upload an applet to the ...

Page 155: ... signing encryption private keyCapabilities unwrap op enroll tokenType keyGen signing encryption private keyCapabilities wrap op enroll tokenType keyGen signing encryption private keyCapabilities verifyRecover op enroll tokenType keyGen signing encryption private keyCapabilities verify op enroll tokenType keyGen signing encryption private keyCapabilities sensitive op enroll tokenType keyGen signin...

Page 156: ...on the TPS can be configured to upload or update the applet version on the smart card update the symmetric key and required LDAP authentication as well as setting which subsystem instances will process the operation The CS cfg file parameters for resetting the PIN are listed in Table 5 5 PIN Reset Operation Parameters Parameter Description op pinReset tokenType update applet emptyToken enable Spec...

Page 157: ...ts op enroll userKey update applet encryption true If a smart card only has the card manager then the card manager capability must be enabled by editing the following parameter op operation key_type update applet emptyToken enable true NOTE If the filename set in the update applet requiredVersion parameter contains any alphabetic characters then all of these alphabetic characters must always be up...

Page 158: ...can be renewed depends on whether the user policy for the token allows it to be renewed Setting the token policy is a TPS agent task and is described in the Agent s Guide 1 Log into the TPS services page as an agent https server example com 7889 tus 2 In the Agent Operations tab search for or list the tokens and click the token s ID number in the results page 3 Click the Edit button at the bottom ...

Page 159: ...ows a user to re enroll certificates with the same token PIN_RESET which allows the token user to initiate a PIN reset operation RENEW which allows a user to regenerate their existing certificates using the original keys and an extended validity period The token policy settings are configured through the TPS agent services page as described in the Agent s Guide The way to edit the token policy for...

Page 160: ...e set to YES then the renewal setting takes precedence the token certificates are renewed when they expire The default values for all three parameters can be set in the TPS s CS cfg file in the tokendb defaultPolicy parameter For example tokendb defaultPolicy RE_ENROLL YES NOTE If the PIN_RESET policy is not set then user initiated PIN resets are allowed by default If the policy is present and is ...

Page 161: ... 4 2 Mapping Token Types to Smart Card Operation Profiles 5 4 1 Default Token Types There are several default token types already configured for smart card operations as listed in Table 5 6 Default Token Types There are several profiles available for security officers regular users and devices Token Type Description cleanToken For operations for any blank token without any other applied token type...

Page 162: ... tokenCUID end 1 op format mapping 0 filter tokenCUID start 100 op format mapping 0 filter tokenType exampleKey op format mapping 0 target tokenType exampleKey this matches every token op format mapping 6 filter appletMajorVersion op format mapping 6 filter appletMinorVersion op format mapping 6 filter tokenATR op format mapping 6 filter tokenCUID end op format mapping 6 filter tokenCUID start op ...

Page 163: ...se Security Client prompts for LDAP authentication 4 The format operation completes When the token is selected in the Enterprise Security Client the Enterprise Security Client sends in the applet version CUID ATR and other information about the token to the TPS server TPS server checks the op format mapping section in the CS cfg file and figures out which tokenType to use for the token either devK...

Page 164: ...ginRequest enable true op format qaKey tks conn tks1 op format qaKey auth id ldap qa op format qaKey auth enable true LDAP Connection settings for devKey auth instance 0 type LDAP_Authentication auth instance 0 libraryName usr lib libldapauth so auth instance 0 libraryFactory GetAuthentication auth instance 0 authId ldap dev auth instance 0 hostport ldap dev example com 1111 auth instance 0 SSLOn ...

Page 165: ...h the TPS agent services page The TPS agent after affirmatively identifying the user can search for the user s ID in the Search tokens link The TPS agent select the active token and update the status with the appropriate reason to recover the key Agent Status Option Configuration Parameter Default Recovery Scheme This token has been physically damaged reason 0 RecoverLast This token has been perma...

Page 166: ...en signing recovery onHold revokeCert reason 6 op enroll userKey keyGen signing revokeCert true for the encryption key op enroll userKey keyGen encryption recovery destroyed revokeCert false op enroll userKey keyGen encryption recovery destroyed revokeCert reason 0 op enroll userKey keyGen encryption recovery keyCompromise revokeCert true op enroll userKey keyGen encryption recovery keyCompromise ...

Page 167: ...material sent from the user the token CUID an agreed on algorithm and a public key to recombine a key that exists on the token that is why the keys are derived rather than generated These derived keys both encrypt sessions between the TPS and the Enterprise Security Client and generate keys for the token enrollment Part of the way that the TKS derives these keys is by using a common master key tha...

Page 168: ...S Certificate DB Enter Password or Pin for NSS Certificate DB 0 new_master Using the tkstool is explained in more detail in the Certificate System Command Line Tools Guide 5 6 2 Generating and Transporting Wrapped Master Keys If a master key is going to be used on an external token or in multiple locations then that key must be wrapped so that it can be safely transported to the hardware tokens Th...

Page 169: ... this progress meter is full DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD Continue typing until the progress meter is full Finished Type the word proceed and press enter The next prompts generate a series of session keys For example The next screen generates the first session key share Type the word proceed and press enter to continue or C to break proceed sh tput command not found Generati...

Page 170: ...n key shares and KCVs are generated as with the initial transport key generation Write down all of this information 5 Use the transport key to generate and wrap a master key and store it in a file called file tkstool W d n new_master t transport o file Enter Password or Pin for NSS Certificate DB Retrieving the transport key for wrapping from the specified token Generating and storing the master k...

Page 171: ...store the master key on the specified token Naming the master key new_master Successfully unwrapped stored and named the master key 9 Verify that the keys have been added properly to the database tkstool L d slot NSS User Private Key and Certificate Services token NSS Certificate DB Enter Password or Pin for NSS Certificate DB 0 transport 1 new_master Using the tkstool is explained in more detail ...

Page 172: ...e token or no by default it s true even if it s not settks useSoftToken false mk_mappings maps key version to key name on token name in this example 02 is the version number nethsm is the token name and new_master is the key name tks mk_mappings 02 01 nethsm new_master It is not necessary to change the defaultSlot value it can remain the default value for the software database tks defaultSlot Inte...

Page 173: ...sistent NOTE Smart cards from the Axalto Web Store come with a default developer key set where all keys are set to 404142434445464748494a4b4c4d4e4f The TKS has this key built in and it is referred to with the master key set 01 The TKS uses key set 01 by default NOTE Always stop a subsystem instance before editing the configuration file 1 Stop the TKS service pki tks stop 2 Generate a new master ke...

Page 174: ...r symmetric key with the manufacturer The smart card TKS is configured to use these symmetric keys However during enrollment it is desirable to replace these symmetric keys with a set that is not shared by the manufacturer to restrict the set of entities that can manipulate the token NOTE Changing the symmetric keys can render the smart cards unusable if the master key is lost Use key changeover i...

Page 175: ...ore detail in Section 5 6 4 Updating Master Key Versions and Associating the Master Key with Its Version 6 Start the TKS instance service pki tks start 7 Stop the TPS instance to edit its configuration service pki tps stop 8 Edit the TPS s configuration file vi etc pki tps CS cfg 9 Change the symmetricKeys enable and requiredVersion parameters to use the newly generated master keys on the TKS For ...

Page 176: ...PS Enterprise Security Client Connections By default the TPS communicates with the Enterprise Security Client over standard HTTP but it is configured to listen over two different secure SSL ports for regular and security officer users of the Enterprise Security Client to connect over SSL The Enterprise Security Client can be configured to connect over these SSL ports 5 7 1 1 Default TPS SSL Config...

Page 177: ...t 7889 with one exception the NSSVerifyClient directive is set to none This means that client authentication is not required to connect to that port VirtualHost _default_ 7890 SSL Engine Switch NSSEngine on SSL Cipher Suite NSSCipherSuite des desede3 rc2 rc2export rc4 rc4export rsa_3des_sha rsa_des_56_sha rsa_des_sha rsa_null_md5 rsa_null_sha rsa_rc2_40_md5 rsa_rc4_128_md5 rsa_rc4_128_sha rsa_rc4_...

Page 178: ... to be configured to communicate with the TPS over SSL this is done by setting the Phone Home URL which is the default URL the Enterprise Security Client uses to connect to the TPS Resetting the Enterprise Security Client s Phone Home URL is described in more detail in Managing Smart Cards with the Enterprise Security Client 1 Open the Enterprise Security Client For example usr lib esc 1 0 1 esc 2...

Page 179: ...an LDAP directory when a smart card operation request is received There are three parameters for this which can be set for each separate token operation op operation key_type auth enable true false op operation key_type auth id ldap_db_config_entry op operation key_type loginRequest enable true false Setting these parameters determines whether LDAP authentication is required which the LDAP directo...

Page 180: ...uthentication type to use This must be LDAP_Authentication auth instance libraryName The library to use for LDAP authentication Provide the full path to the library The filename mus auth instance libraryFactory The function name to use for LDAP authentication This must be GetAuthentication auth instance authId Specifies this authentication instance ID to use to define operations For example ldap1 ...

Page 181: ...n database The default value is cn directory manag tokendb bindPassPath The path to a local password file which contains the subsystem passwords The default tokendb templateDir The directory where the templates for the TPS agent page are located tokendb userBaseDN The LDAP suffix where the user entries are tokendb baseDN The LDAP suffix where the token entries should be added and modified by the T...

Page 182: ... it is not necessary to configure it manually in the CS cfg If however the DRM information has changed or the DRM was not configured during the installation process then the procedure described in this section can be used to set up the DRM The global platform environment prevents removing private keys from the smart card For encryption keys it is often necessary to back up the key material for lat...

Page 183: ...on and archival 5 7 5 2 Step 2 Adding the TPS as a DRM Recovery Agent 1 Open the DRM Console 2 In the Configuration tab select Users and Groups 3 In the Users tab click Add and create the new user give this user a name such as TPS Recovery Agent Add this user to the Data Recovery Manager Agents group 4 Select the TPS user click Certificates and import the TPS server certificate 5 7 5 3 Step 3 Impo...

Page 184: ...A and save it to file 2 Import the transport certificate into the TKS security databases in the var lib subsystem_name alias directory In the TKS Console click Subsystem Keys and Certificates in the left navigation panel In the Local Certificates tab click Add and paste in the certificate information Alternatively use the certutil to import the certificate certutil d P cert db prefix A n DRM Trans...

Page 185: ... 7889 Listen 7890 To restrict the TPS its IPv4 address then edit Listen line to specify an IPv4 style address Listen 0 0 0 0 7889 5 8 Scaling the TPS and Its Support Subsystems When the TPS is configured it is configured to work with a specific instance of a CA TKS and optionally DRM subsystems It is possible after the configuration process to edit the TPS CS cfg file to provide backup CA TKS and ...

Page 186: ... whole then has very flexible scalability Additionally subsystems and clients can be added to improve performance without affecting the configuration of other subsystem instances 5 8 1 Configuring Failover Support The subsystem instance to which the TPS connects is set in the conn subsystem hostport parameter of the CS cfg configuration file For example the CA instance is set in the following para...

Page 187: ...is shou conn tks clientNickname The client certificate nickname to use This certificate is used by the TPS when connecti be trusted by the TKS and the client should be a configured TKS agent conn tks retryConnect The number of times the TPS tries to reconnect to the TKS after a connection attempt fa example 3 conn tks SSLOn Sets whether SSL needs to be turned on for the connection to the TKS This ...

Page 188: ...mple com 9443 conn ca1 keepAlive true conn ca1 retryConnect 3 conn ca1 servlet enrollment ca ee ca profileSubmitSSLClient conn ca1 servlet revoke ca subsystem ca doRevoke conn ca1 servlet unrevoke ca subsystem ca doUnrevoke conn ca1 timeout 100 conn ca2 clientNickname subsystemCert cert pki tps conn ca2 hostport bCA example com 9543 conn ca2 keepAlive true conn ca2 retryConnect 3 conn ca2 servlet ...

Page 189: ...rVersion 5 op enroll mapping 0 filter tokenATR op enroll mapping 0 filter tokenCUID end 1000 op enroll mapping 0 filter tokenCUID start 4000 op enroll mapping 0 filter tokenType userKey op enroll mapping 0 target tokenType userKey The mapping and filter parameters are listed in Table 5 7 Mapping and Filters 5 9 Potential Token Operation Errors Errors that are returned by smart cards are listed in ...

Page 190: ...168 ...

Page 191: ...icate System Agent s Guide When it receives the CRL the Certificate Manager marks the corresponding certificate records in its internal database as revoked and if configured to do so removes the revoked certificates from the publishing directory and updates the CRL in the publishing directory Server and client applications that use public key certificates as ID tokens need access to information ab...

Page 192: ...et up for this issuing point a delta CRL is also created at this time The full CRL contains all revoked certificate information since the Certificate Manager began collecting this information The delta CRL contains all revoked certificate information since the last update of the full CRL The full CRL and the delta CRL have the same number allowing clients to determine a match between them This num...

Page 193: ...wing 0 Unspecified no particular reason is given 1 The private key associated with the certificate was compromised 2 The private key associated with the CA that issued the certificate was compromised 3 The owner of the certificate is no longer affiliated with the issuer of the certificate and either no longer has rights to the access gained with the certificate or no longer needs it 4 Another cert...

Page 194: ... directory or to an OCSP responder Where and how frequently CRLs are published are configured in the Certificate Manager as described in Chapter 8 Publishing Certificates and CRLs Because CRLs can be very large publishing CRLs can take a very long time and it is possible for the process to be interrupted Special publishers can be configured to publish CRLs to a file over HTTP1 1 and if the process...

Page 195: ...s certificate i is the issuer name of the certificate being revoked s is the serial number of the certificate being revoked in decimal value m is the reason the certificate is being revoked which can be any of the following 0 unspecified 1 the key was compromised 2 the CA key was compromised 3 the employee s affiliation changed 4 the certificate has been superseded 5 cessation of operation 6 the c...

Page 196: ...te Manager uses its CA signing key to sign CRLs To use a separate signing key pair for CRLs set up a CRL signing key and change the Certificate Manager configuration to use this key to sign CRLs See Section 6 3 4 Setting a CA to Use a Different Certificate to Sign CRLs for more information 2 Set up CRL issuing points An issuing point is already set up and enabled for a master CRL Figure 6 1 Defaul...

Page 197: ...e information about the issuing point 7 Set up publishing CRLs to files an LDAP directory or an OCSP responder See Chapter 8 Publishing Certificates and CRLs for details about setting up publishing 6 3 1 Configuring Issuing Points Issuing points define which certificates are included in a new CRL A master CRL issuing point is created by default for a master CRL containing a list of all revoked cer...

Page 198: ...vigation tree Configure CRLs for the new issuing point and set up any CRL extensions that will be used with the CRL See Section 6 3 2 Configuring CRLs for Each Issuing Point for details on configuring an issuing point See Section 6 3 3 Setting CRL Extensions for details on setting up the CRL extensions All the CRLs created appear on the Update Revocation List page of the agent services pages 6 3 2...

Page 199: ...CRL will be issued The Update Frequency section sets the different intervals when the CRLs are generated and published to the directory Every time a certificate is revoked or released from hold This sets the Certificate Manager to generate the CRL every time it revokes a certificate The Certificate Manager attempts to publish the CRL to the configured directory whenever it is generated Publishing ...

Page 200: ...ver is configured to update the CRL every 20 minutes with a grace period of 2 minutes and if the CRL is updated at 16 00 the CRL is updated again at 16 18 5 The Cache tab sets whether caching is enabled and the cache frequency Figure 6 3 CRL Cache Tab Enable CRL cache This checkbox enables the cache which is used to create delta CRLs If the cache is disabled delta CRLs will not be created For more...

Page 201: ...pired certificates This includes revoked certificates that have expired If this is enabled information about revoked certificates remains in the CRL after the certificate expires If this is not enabled information about revoked certificates is removed when the certificate expires CA certificates only This includes only CA certificates in the CRL Selecting this option creates an Authority Revocatio...

Page 202: ...pen the CA console pkiconsole https server example com 9445 ca 2 In the navigation tree select Certificate Manager and then select CRL Issuing Points 3 Select the issuing point name below the Issuing Points entry and select the CRL Extension entry below the issuing point The right pane shows the CRL Extensions Management tab which lists configured extensions Figure 6 5 CRL Extensions 4 To modify a...

Page 203: ...illa org projects security pki nss tools 2 When the certificate request has been created submit it through the Certificate Manager end entities page The page has a URL in the following format https hostname port ca ee ca 3 After the request is submitted log into the agent services page 4 Check the request for required extensions The CRL signing certificate must contain the Key Usage extension with...

Page 204: ...inds of CRLs however The full CRL has a record of every single revoked certificate However the Certificate System also publishes a delta CRL which contains only the certificates that have been revoked since the last CRL delta or full was published By default full and delta CRLs are generated at the same time and every time However it is possible to space out when full CRLs are published and to pub...

Page 205: ...Select the MasterCRL node 4 Deselect the Extend next update time in full CRLs check box which disables publishing a full CRL every time a CRL is published Then set the new full CRL interval in the Generate full CRL every deltas field 5 Save the changes 6 4 2 Configuring Extended Updated Intervals for CRLs in CS cfg Two parameters need to be configured for setting the full delta CRL publishing inte...

Page 206: ...system CS cfg configuration file includes a parameter jss ocspcheck enable which sets whether a Certificate Manager should use an OCSP to verify the revocation status of the certificate it receives as a part of SSL client or server authentication Changing the value of this parameter to true means the Certificate Manager reads the Authority Information Access extension in the certificate and verifi...

Page 207: ... enabled Sets revocation checking true enables checking false disables checking By default the feature is enabled revocationChecking unknownStateInterval Sets how frequently the server checks the revocation status The default interval is 0 seconds revocationChecking validityInterval Sets how long the cached certificates are considered valid Be judicious when choosing the interval For example if th...

Page 208: ...186 ...

Page 209: ...not in the certificate chain must be trusted manually To set up the Online Certificate Status Manager for a Certificate Manager outside the security domain do the following 1 Configure the CRLs for every CA that will publish to an OCSP responder See Chapter 6 Revoking Certificates and Issuing CRLs for details 2 Enable publishing set up a publisher and set publishing rules in every CA that the OCSP...

Page 210: ... the OCSP service is if the CA connects to the Online Certificate Status Manager through SSL authentication when it publishes its CRL Otherwise the Online Certificate Status Manager does not need to have the complete certificate chain However the Online Certificate Status Manager must have the certificate which signed the CRL either a CA signing certificate or a separate CRL signing certificate in...

Page 211: ...ectory for verifying revocation status of certificate do the following 1 Open the Online Certificate Status Manager Console pkiconsole https server example com 11445 ocsp 2 In the Configuration tab select Online Certificate Status Manager and then select Revocation Info Stores The right pane shows the two repositories the Online Certificate Status Manager can use by default it uses the CRL in its ...

Page 212: ...operly by doing the following 1 Turn on revocation checking in the browser or client 2 Request a certificate from the CA that has been enabled for OCSP services 3 Approve the request 4 Download the certificate to the browser or client 5 Make sure the CA is trusted by the browser or client 6 Check the status of Certificate Manager s internal OCSP service Open the CA agent services page and select t...

Page 213: ...anager s internal database publishing does not have to be configured to use this service Clients can query the OCSP service through the non SSL end entity port of the Certificate Manager When queried for the revocation status of a certificate the Certificate Manager searches its internal database for the certificate checks its status and responds to the client Since the Certificate Manager has rea...

Page 214: ...commented and configured NOTE NSS part of the Apache web server used by the TPS and the RA provides the mechanism for contacting the OCSP service However NSS caches OCSP responses for 60 minutes If the TPS or RA polls again for the revocation status of a certificate within an hour of its being checked NSS returns the cached response even if the revocation status has changed If there is a very impo...

Page 215: ... ocspSigningCert cert pki ocsp t CTu Cu Cu d var lib pki tps alias a i tmp example cert Importing certificates into the security database is described in Section 16 5 1 2 Installing Certificates Using certutil c Import the OCSP signing certificate into the subsystem s security database certutil A n ocspSigningCert cert pki ocsp t u u u d var lib pki ca alias a i tmp example cert Importing certific...

Page 216: ...e before the TPS checks the OCSP responder about a certificate OCSP responders have an optional setting to configure it s a good time for the client to query the service The NSSOPCSPMaxCacheEntryDuration attribute overrides the default settings in the OCSP responder and allows you to define whatever window you want The default setting for this is one day For example NSSOCSPCacheSize 1000 NSSOCSPMi...

Page 217: ...7 1 OCSP Settings for the DRM Agent Interface All of the OCSP checking parameters are listed in Table 7 1 OCSP Parameters for server xml 3 If the given OCSP service is not the CA then the OCSP service s signing certificate must be imported into the subsystem s NSS database This can be done in the console or using certutil both options are covered in Section 16 5 1 Installing Certificates in the Ce...

Page 218: ...var lib pki ca alias caSigningCert cert pki ca 1 export output txt 1 URI ocsp ee ocsp Data Length 68 Data MEIwQDA MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ 44kgy35o7xW5BMzM8FTvyTwCAQE The Certificate System s OCSPClient tool has the format OCSPClient host port path to CA_cert_database CA_signing_cert_nickname serial_number output_file times An OCSP request can also be generated usin...

Page 219: ... 34 474 43 MB s MEIwQDA MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewd Dnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE saved 2362 2362 3 The status for the specified certificate is written to the OCSP s debug log and can be GoodInfo RevokeInfo or UnknownInfo 16 Jul 2009 16 48 47 http 11443 Processor24 Serial Number 1 Status com netscape cmsutil ocsp GoodInfo For certificates issued by a 7 1 CA with the Auth...

Page 220: ...r lib cd lib 5 Create a symlink that links back to the usr share java pki cms jar JAR file For example ln s usr share java pki cms jar cms jar 6 Move up to the main web application directory For example cd var lib pki ocsp webapps 7 Rename the current instance ocsp directory For example mv var lib pki ocsp webapps ocsp var lib pki ocsp webapps ocsp2 8 Open the WEB INF directory in the original ocs...

Page 221: ... param value ocsp2 param value init param init param param name srcContext param name param value ocsp param value init param init param param name destServlet param name param value param value init param init param param name matchURIStrings param name param value ocsp registry ocsp acl ocsp jobsScheduler ocsp ug ocsp server ocsp log ocsp auths ocsp start ocsp ocsp ocsp services ocsp agent ocsp ...

Page 222: ... ocsp conf context xml changing the following line Context to Context crossContext true 12 Edit the var lib pki ocsp webapps ocsp2 services template file and change the following line result recordSet i uri to result recordSet i uri 13 Start the OCSP instance For example service pki ocsp start ...

Page 223: ...Part II Additional Configuration to Manage CA Services ...

Page 224: ......

Page 225: ...r certificates Disable all rules that will not be used 3 Configure CRLs CRLs must be configured before they can be published See Chapter 6 Revoking Certificates and Issuing CRLs 4 Enable publishing after setting up publishers mappers and rules Once publishing is enabled the server starts publishing immediately If the publishers mappers and rules are not completely configured publishing may not wor...

Page 226: ... publisher that publishes to the LDAP attribute userCertificate binary attribute the certificate is published to the directory specified when LDAP publishing was enabled in this attribute in the user s entry For rules that specify to publish to a file a new file is created when either a certificate or a CRL is issued in the stipulated directory For rules that specify to publish to an LDAP director...

Page 227: ...repository such as a relational database When the server is configured to publish certificates and CRLs to file the published files are DER encoded binary blobs base 64 encoded text blobs or both For each certificate the server issues it creates a file that contains the certificate in either DER encoded or base 64 encoded format Each file is named either cert serial_number der or cert serial_numbe...

Page 228: ...of sync for some reason privileged users administrators and agents can also manually initiate the publishing process For instructions see Section 8 7 2 Manually Updating the CRL in the Directory 8 2 Setting up Publishing The general process to configure publishing involves setting up a publisher to publish the certificates or CRLs to the specific location There can be a single publisher or multipl...

Page 229: ... rule Rules can be set for each object type CA certificates CRLs user certificates and cross pair certificates There can be different rules for different kinds of certificates or different kinds of CRLs The rule first determines if the object meets the criteria by matching the type and predicate set in the rule The destination of matching objects is determined by the publisher and mapper associate...

Page 230: ...dd to open the Select Publisher Plug in Implementation window which lists registered publisher modules Figure 8 2 Select Publisher Plug in Implementation Window 4 Select the FileBasedPublisher module then open the editor window This is the module that enables the Certificate Manager to publish certificates and CRLs to files ...

Page 231: ...file type to publish by selecting the checkboxes for DER encoded files base 64 encoded files or both The format of the timestamp to use to name the published certificate or CRL files For CRLs whether to generate a link in the file to go to the latest CRL If enabled the link assumes that the name of the CRL issuing point to use with the extension will be supplied in the crlLinkExt field For CRLs wh...

Page 232: ...ishers for publishing CRLs to an OCSP 1 Log into the Certificate Manager Console pkiconsole https server example com 9445 ca 2 In the Configuration tab select Certificate Manager from the navigation tree on the left Select Publishing and then Publishers Figure 8 3 Publishers Management Tab 3 Click Add to open the Select Publisher Plug in Implementation window which lists registered publisher modul...

Page 233: ...ther publishing procedures with additional steps to configure the directory 1 Configure the Directory Server to which certificates will be published Certain attributes have to be added to entries and bind identities and authentication methods have to be configured 2 Configure a publisher for each type of object published CA certificates cross pair certificates CRLs and user certificates The publis...

Page 234: ...A and CRL mapper instances and enabled by default If the directory restricts the Certificate Manager from creating entries in the directory turn off this option in those mapper instances and add an entry for the CA manually in the directory When adding the CA s entry to the directory select the entry type based on the DN of the CA If the CA s DN begins with the cn component create a new person ent...

Page 235: ...ser must have read write permissions to the directory to publish certificates and CRLs to the directory so that the Certificate Manager can modify the user entries with certificate related information and the CA entry with CA s certificate and CRL related information The bind DN entry can be either of the following An existing DN that has write access such as the Directory Manager ...

Page 236: ...e X 500 standard attributes for storing certificates and CRLs and do not need to be changed Publisher Description LdapCaCertPublisher Publishes CA certificates to the LDAP directory LdapCrlPublisher Publishes CRLs to the LDAP directory LdapDeltaCrlPublisher Publishes Delta CRLs to the LDAP directory LdapUserCertPublisher Publishes all types of end entity certificates to the LDAP directory LdapCros...

Page 237: ...he CA entry in the directory To use other mappers create and configure an instance of the mapper For more information see Section C 2 Mapper Plug in Modules To modify a mapper 1 Log into the Certificate Manager Console pkiconsole https server example com 9445 ca 2 In the Configuration tab select Certificate Manager from the navigation tree on the left Select Publishing and then Mappers The Mappers...

Page 238: ...er instance click Add The Select Mapper Plugin Implementation window opens which lists registered mapper modules Select a module and edit it For complete information about these modules see Section C 2 Mapper Plug in Modules Figure 8 8 Selecting a New Mapper Type 6 Edit the mapper instance and click OK ...

Page 239: ... In this way the same certificate or CRL can be published to a file to an Online Certificate Status Manager and to an LDAP directory by matching a file based rule an OCSP rule and matching a directory based rule Rules can be set for each object type CA certificates CRLs user certificates and cross pair certificates The rules can be more detailed for different kinds of certificates or different kin...

Page 240: ...2 In the Configuration tab select Certificate Manager from the navigation tree on the left Select Publishing and then Rules The Rules Management tab which lists configured rules opens on the right Figure 8 10 Rules Management Tab 3 To edit an existing rule select that rule from the list and click Edit This opens the Rule Editor window ...

Page 241: ...le 4 To create a rule click Add This opens the Select Rule Plug in Implementation window Figure 8 12 Select Rule Plugin Implementation Window Select the Rule module This is the only default module If any custom modules have been been registered they are also available 5 Edit the rule ...

Page 242: ...pper Mappers are not necessary when publishing to a file they are only needed for LDAP publishing If this rule is associated with a publisher that publishes to an LDAP directory select an appropriate mapper here Leave blank for all other forms of publishing publisher Sets the publisher to associate with the rule Table 8 3 Predicate Expressions lists the predicates that can be used to identify CRL ...

Page 243: ...ior or may fail NOTE Configure CRLs CRLs must be configured before they can be published See Chapter 6 Revoking Certificates and Issuing CRLs 1 Log into the Certificate Manager Console pkiconsole https server example com 9445 ca 2 In the Configuration tab select Certificate Manager from the navigation tree on the left Select Publishing The right pane shows the details for publishing to an LDAP com...

Page 244: ...cate Manager s CS cfg file in the ca publish ldappublish ldap ldapauth bindPWPrompt parameter and it can be edited Client certificate This sets the certificate the Certificate Manager uses for SSL client authentication to the publishing directory By default the Certificate Manager uses its SSL server certificate LDAP version Select LDAP version 3 Authentication The way the Certificate Manager auth...

Page 245: ... the download progress can be tracked and if it is interrupted the download can resume at the point where it dropped off Using HTTP 1 1 allows the client to avoid fetching a CRL which has already been retrieved To do this the Certificate Manager publishes the CRL to a file and uses the Certificate Manager s web server to handle the HTTP 1 1 downloads Configuring the CA publishing to allow CRL down...

Page 246: ...Chapter 8 Publishing Certificates and CRLs 224 4 In the Publishers Management tab click Add 5 Select the FileBasedPublisher plug in 6 Fill in the CRL publishing information ...

Page 247: ...rver to send the latest generated CRL or the most recent partial CRL Set the crlLinkExt to bin which gives the proper file extension to the compressed published CRL Select the zipCrls checkbox to compress the CRL and optionally set the compression level 7 In the left menu select the Rules link 8 Click Add in the Rules Management tab to create a new rule for CRL publishing ...

Page 248: ...RLs 226 9 Select Rule and click Next 10 In the Rule Editor configure the new rule Set the type to crl Make sure that the enable checkbox is selected Set the mapper to NoMap Select the new CRL file publisher from the publisher drop down menu ...

Page 249: ...shed CRL location as its docroot by adding a new Context line For example vim var lib pki ca conf server xml Server Context docBase webapps path webapps reloadable false this line is commented out by default Context path ca ee ca crl docBase var lib pki ca webapps ca ee ca crl allowLinking true this is the new line Host Engine Service Server 14 It can be beneficial to test the setup by interruptin...

Page 250: ...r wget are summarized in Table 8 4 wget Options to Use for Retrieving CRLs Argument Description no argument Retrieves the full CRL N Retrieves the CRL that is newer than the local copy delta CRL c Retrieves a partially downloaded file no check certificate Skips SSL for the connection so it is not necessary to configure SSL between the host and client d Prints debug information Table 8 4 wget Optio...

Page 251: ...ficate Manager Console by doing the following 1 Open the CA console pkiconsole https server example com 9445 ca 2 In the Configuration tab select the Certificate Manager link in the left pane then the Publishing link 3 Click the Rules link under Publishing This opens the Rules Management pane on the right 4 If the rule exists and has been disabled select the enable checkbox If the rule has been de...

Page 252: ...DVQQKEyNOZXRzY2FwZSBDb21tdW5pY2F0aWhfyyuougjgjjgmkgjkgmjg fjfgjjjgfyjfyj9ucyBDb3Jwb3JhdGlvbjpMEaMBgGA1UECxMRSXNzdWluZyhgdfhbfdpffjphotoo gdhkBBdXRob3JpdHkwHhcNOTYxMTA4MDkwNzM0WhcNOTgxMTA4MDkwNzMM0WjBXMQswCQYDVQQGEwJ VUzEsMCoGA1UEChMjTmV0c2NhcGUgQ29tbXVuaWNhdGlvbnMgQ29ycG9yY2F0aW9ucyBDb3Jwb3Jhd GlvbjpMEaMBgGA1UECxMRSXNzdWluZyBBdXRob3JpdHkwHh END CERTIFICATE 7 Convert the base 64 encoded certificate...

Page 253: ...e downloaded at http fedoraproject org extras 4 i386 repodata repoview dumpasn1 0 20050404 1 fc4 html To view the content of a DER encoded file simply run the dumpasn1 PrettyPrintCert or PrettyPrintCRL tool with the DER encoded file For example PrettyPrintCRL example der example crl 8 7 Updating Certificates and CRLs in a Directory The Certificate Manager and the publishing directory can become ou...

Page 254: ...the appropriate options and click Update Directory The Certificate Manager starts updating the directory with the certificate information in its internal database If the changes are substantial updating the directory can take considerable time During this period any changes made through the Certificate Manager including any certificates issued or any certificates revoked may not be included in the...

Page 255: ...in modules can be registered in a Certificate Manager s publishing framework Unwanted mapper or publisher plug in modules can be deleted Before deleting a module delete all the rules that are based on this module 1 Log into the Certificate Manager Console pkiconsole https server example com 9445 ca 2 In the Configuration tab select Certificate Manager from the navigation tree on the left Select Pu...

Page 256: ...234 ...

Page 257: ...or CMC authentication Automated enrollment is enabled by configuring one of the authentication plug in modules More than one authentication method can be configured in a single instance of a subsystem NOTE An email can be automatically sent to an end entity when the certificate is issued for any authentication method by configuring automated notifications See Chapter 10 Using Automated Notificatio...

Page 258: ...rtificate is recognized by the subsystem as an agent certificate then the CA automatically processes the certificate request This form of automatic authentication can be associated with the certificate profile for enrolling for server certificates This plug in is enabled by default and has no parameters Flat file based enrollment Used exclusively for router SCEP enrollments a text file is used whi...

Page 259: ...nal ldapByteAttributes Specifies the list of LDAP byte binary attributes that should be considered authentic for the end entity If specified the values corresponding to these attributes will be copied from the authentication directory into the authentication token for use by other modules such as adding additional information to users certificates Entering values for this parameter is optional lda...

Page 260: ... PINs to the users and then having the users provide the PIN along with their user ID and password when filling out a certificate request Users are then authenticated both against an LDAP directory using their user ID and password and against the PIN in their LDAP entry When the user successfully authenticates the request is automatically processed and a new certificate is issued The Certificate S...

Page 261: ...rectory For example setpin host yourhost port 9446 length 11 input infile output outfile write binddn cn pinmanager o example com bindpw password basedn o example com filter uid u g Use the output file for delivering PINs to users after completing setting up the required authentication method After confirming that the PIN based enrollment works deliver the PINs to users so they can use them during...

Page 262: ...ully qualified DNS host name of the authentication directory ldap ldapconn port Specifies the TCP IP port on which the authentication directory listens to requests from the Certificate System ldap ldapconn secureConn Specifies the type SSL or non SSL of the port on which the authentication directory listens to requests Select if this is an SSL port ldap ldapconn version Specifies the LDAP protocol...

Page 263: ...rollment forms by configuring the inputs in the certificate profiles Include the information that will be needed by the plug in to authenticate the user If the default inputs do not contain all of the information that needs to be collected submit a request created with a third party tool 9 2 3 Using Certificate Based Authentication Certificate based authentication is when a certificate is presente...

Page 264: ...at file and its authentication parameters can be edited 1 Open the CA Console pkiconsole https server example com 9445 ca 2 In the Configuration tab select Authentication in the navigation tree 3 Select the flatFileAuth authentication module 4 Click Edit View 5 To change the file location and name reset the fileName field To change the authentication name parameter reset the keyAttributes value to...

Page 265: ...uter assuming that the router contacts the CA directly By default this file is in var lib pki ca conf and specifies two parameters per authentication entry the UID of the site usually its IP address either IPv4 or IPv6 and the random PIN generated by the RA UID 192 168 123 123 PIN HU89dj Each entry must be followed by a blank line For example UID 192 168 123 123 PIN HU89dj UID 12 255 80 13 PIN fio...

Page 266: ...e Manager When this method is set up the Certificate Manager automatically revokes certificates when a valid request signed with the agent certificate is received To set up CMC enrollment 1 Set up the certificate profile to use to enroll users by setting policies for specific certificates in the certificate profile See Chapter 2 Making Rules for Issuing Certificates for information about profile p...

Page 267: ...ks 9 3 1 Setting up the Server for Multiple Requests in a Full CMC Request CMC supports multiple CRMF or PKCS 10 requests in a single full CMC request If the numRequests parameter in the cfg file is larger than 1 modify the server s certificate profile by doing the following 1 By default the servlet processing a full CMC request uses the caFullCMCUserCert profile This profile only handles a single...

Page 268: ...with the same filename with out appended to the filename 5 Submit the signed certificate through the end entities page a Open the end entities page https server example com 9444 ca ee ca b Select the CMC enrollment form from the list of certificate profiles c Paste the content of the output file into the Certificate Request text area of this form d Remove BEGIN NEW CERTIFICATE REQUEST and END NEW ...

Page 269: ...tication Plug ins Custom authentication plug in modules can be registered through the CA Console Authentication plug in modules can also be deleted through the CA Console Before deleting a module delete instances that are based on that module 1 Log into the console pkiconsole https server example com 9445 ca 2 In the Configuration tab click Authentication in the navigation tree 3 In the right pane...

Page 270: ...248 ...

Page 271: ... text and tokens contained in the templates The HTML templates can also be customized for different appearances and formatting 10 1 1 Types of Automated Notifications There are three types of automated notifications Certificate Issued A notification message is automatically sent to users who have been issued certificates A rejection message is sent to a user if the user s certificate request is re...

Page 272: ...ified RA group such as the default agents group request user create_request 1 assignTo agents request user create_request 1 plugin PKI Request Plugin AutoAssign request user create_request 1 mailTo request user create_request 1 plugin PKI Request Plugin EmailNotification Other RA notifications alert the requester to indicate whether the request was approved or rejected request user approve_request...

Page 273: ...s in queue only Subject Type the subject title for the notification Content template path Type the path including the filename to the directory that contains the template to use to construct the message content 5 Click Save NOTE Make sure the mail server is set up correctly See Section 10 4 Configuring a Mail Server for Certificate System Notifications 6 Customize the notification message template...

Page 274: ... 10 2 Setting up Automated Notifications for the CA 4 Save the file 5 Restart the CA instance service pki ca start 6 If a job has been created to send automated messages check that the mail server is correctly configured See Section 10 4 Configuring a Mail Server for Certificate System Notifications 7 The messages that are sent automatically can be customized see Section 10 3 Customizing Notificat...

Page 275: ...iables for a list of available tokens The contents of any message type can be modified by changing the text and tokens in the message template The appearance of the HTML messages can be changed by modifying the HTML commands in the HTML message template The default text version of the certificate issuance notification message is as follows Your certificate request has been processed successfully S...

Page 276: ...e_CA html Template for HTML based notification emails to agents when a request enters the queue Table 10 1 Notification Templates Filename Description rnJob1 txt Template for formulating the message content sent to end entities to inform them that their certif the certificates should be renewed or replaced before they expire rnJob1Summary txt Template for constructing the summary report to be sent...

Page 277: ...sage Status Gives the request status SubjectDN Gives the DN of the certificate subject SummaryItemList Lists the items in the summary notification Each item corresponds to a certificate the job publishing directory SummaryTotalFailure Gives the total number of items in the summary report that failed SummaryTotalNum Gives the total number of certificate requests that are pending in the queue or the...

Page 278: ... n n Certificate request request_id with the subject name subject_dn for uid has been approved This certificate can be imported by clicking the following link https machineName nonClientAuthSecurePort ee request getcert cgi id request_id Example 10 2 Custom Approved Request Notification for an RA The available notification message tokens are listed in Table 10 4 RA Notification Message Tokens Toke...

Page 279: ...n which the mail server is installed such as mail example com By default the hostname of the mail server is localhost instead of the actual hostname The default port number on which the SMTP mail server listens is 25 4 Click Save 10 5 Creating Custom Notifications for the CA It can be possible to create custom notification functions to handle other PKI operations such as token enrollments by editi...

Page 280: ...258 ...

Page 281: ...Enabling and configuring the Job Scheduler see Section 11 2 Setting up the Job Scheduler for more information Enabling and configuring the job modules and setting preferences for those job modules see Section 11 3 Setting up Specific Jobs for more information Customizing the email notification messages sent with these jobs by changing the templates associated with the types of notification The mes...

Page 282: ...are not automatically removed from the publishing directory If a Certificate Manager is configured to publish certificates to an LDAP directory over time the directory will contain expired certificates The unpublishExpiredCerts job checks for certificates that have expired and are still marked as published in the internal database at the configured time interval The job connects to the publishing ...

Page 283: ...t meet the cron specification By default it is set to one minute NOTE The window for entering this information may be too small to see the input Drag the corners of the Certificate Manager Console to enlarge the entire window 5 Click Save 11 3 Setting up Specific Jobs Automated jobs can be configured through the Certificate Manager Console or by editing the configuration file directory It is recom...

Page 284: ...1 2 Setting up the Job Scheduler for more information 3 In the Configuration tab select Job Scheduler from the navigation tree Then select Jobs to open the Job Instance tab Select the job instance from the list and click Edit View The Job Instance Editor opens showing the current job configuration ...

Page 285: ...n the fields for this dialog For certRenewalNotifier see Section 11 3 3 Configuration Parameters of certRenewalNotifier For requestInQueueNotifier see Section 11 3 4 Configuration Parameters of requestInQueueNotifier For publishCerts see Section 11 3 5 Configuration Parameters of publishCerts For unpublishExpiredCerts see Section 11 3 6 Configuration Parameters of unpublishExpiredCerts ...

Page 286: ...figured To configure the certRenewalNotifier job edit all parameters that begin with jobsScheduler job certRenewalNotifier see Section 11 3 3 Configuration Parameters of certRenewalNotifier To configure the requestInQueueNotifier job edit all parameters that begin with jobsScheduler job requestInQueueNotifier see Section 11 3 4 Configuration Parameters of requestInQueueNotifier To configure the pu...

Page 287: ...report of renewal notifications should be compiled and sent Th false disables it If enabled set the remaining summary parameters these are require summary recipientEmail Specifies the recipients of the summary message These can be agents who need to kn users Set more than one recipient by separating each email address with a comma summary senderEmail Specifies the email address of the sender of th...

Page 288: ...duler daemon thread expired certificates from the publishing directory This setting must follow the conventions in Sec Automated Jobs For example 00 6 summary enabled Specifies whether a summary of the certificates removed by the job should be compiled and sen summaries false disables them If enabled set the remaining summary parameters these are summary report summary emailSubject Gives the subje...

Page 289: ... can be agents who need to kn users More than one recipient can be set by separating each email address with a comm Table 11 4 unpublishExpiredCerts Parameters 11 3 7 Frequency Settings for Automated Jobs The Job Scheduler uses a variation of the Unix crontab entry format to specify dates and times for checking the job queue and executing jobs As shown in Table 11 5 Time Values for Scheduling Jobs...

Page 290: ...nsole Registering a new module involves specifying the name of the module and the full name of the Java class that implements the module To register a new job module 1 Log into the Certificate Manager Console pkiconsole https server example com 9445 ca 2 In the Configuration tab select Job Scheduler in the left navigation tree Select Jobs The Job Instance tab opens which lists any currently config...

Page 291: ...r Deleting a Job Module 269 If it is necessary to delete a module open the Job Plugin Registration tab as when registering a new module select the module to delete and click Delete When prompted confirm the deletion ...

Page 292: ...270 ...

Page 293: ...Part III Managing the Subsystem Instances ...

Page 294: ......

Page 295: ...r defined installation directories instead of the default locations in var lib To use custom directory locations install the subsystems through the ISO image with this environment variable set to block the pkicreate script Server instances are somewhat relocatable and have user specific default and customized forms and data Subsystem instances can be stored anywhere on a system When the Certificat...

Page 296: ... client authentication are based on this subsystem certificate Table 12 1 Default CA Instance Information 12 1 2 Default RA Instance Information The default RA configuration is listed in Table 12 2 Default RA Instance Information Most of these values are unique to the default instance the default certificates and some other settings are true for every RA instance Setting Value Standard Port for En...

Page 297: ...ubsystem Certificates Transport certificate Storage certificate SSL server certificate Audit log signing certificate Subsystem certificate 2 Security Databases var lib pki kra alias Log Files var log pki kra Install Logs var log pki kra install log Process File var run pki kra pid Web Services Files var lib pki kra webapps kra Running service instance_name status lists all of the configured ports ...

Page 298: ...faces for the subsystem instance The subsystem certificate is always issued by the security domain so that domain level operations that require client authentication are based on this subsystem certificate Table 12 4 Default OCSP Instance Information 12 1 5 Default TKS Instance Information The default TKS configuration is listed in Table 12 5 Default TKS Instance Information Most of these values a...

Page 299: ...s Main Directory var lib pki tps Configuration Directory etc pki tps Configuration File etc pki tps CS cfg etc pki tps nss conf etc pki tps password conf Subsystem Certificates SSL server certificate Subsystem certificate Security Databases var lib pki tps alias Log Files var log pki tps Install Logs var log pki tps install log Web Services Files var lib pki tps docroot var lib pki tps cgi bin var...

Page 300: ...erprise Security Client s esc prefs js configuration file determines which URL to access Setting the Phone Home URL is described in the Managing Smart Cards with the Enterprise Security Client guide 12 1 7 Shared Certificate System Subsystem File Locations There are some directories used by all Certificate System subsystems for general server operations listed in Table 12 7 Subsystem File Location...

Page 301: ...asiest way to manage the subsystem For example since the TPS and RA subsystems do not use an administrative console all configuration changes must be made by editing the CS cfg file manually 12 2 1 Locating the CS cfg File Each instance of a Certificate System subsystem has its own configuration file CS cfg The contents of the file for each subsystem instance is different depending on the way the ...

Page 302: ...tance tend to be grouped together into the same block log instance System _000 log instance System _001 System Logging log instance System _002 log instance System bufferSize 512 log instance System enable true log instance System expirationTime 0 log instance System fileName var lib pki ca logs system log instance System flushInterval 5 log instance System level 3 log instance System maxFileSize ...

Page 303: ...mbers Many of the settings assigned when the instance is first installed or configured are prefaced with pkicreate authType pwd installDate Mon Jul 13 08 13 39 2009 instanceId pki ca instanceRoot var lib pki ca machineName server example com multiroles true passwordClass com netscape cmsutil password PlainPasswordFile passwordFile var lib pki ca conf password conf admin interface uri ca admin cons...

Page 304: ...ngs for logging into the subsystem For some authorization settings that is all that is required It is also possible to select an authorization method that uses an LDAP database to store user entries in which case the database settings are configured along with the plug in authz impl DirAclAuthz class com netscape cms authorization DirAclAuthz authz instance DirAclAuthz ldap internaldb authz instan...

Page 305: ...rtAuth class com netscape cms authentication AgentCertAuthentication auths instance AgentCertAuth agentGroup Certificate Manager Agents auths instance AgentCertAuth pluginName AgentCertAuth 12 2 2 4 Security Domain Settings Every instance must belong to a security domain so every instance has a securitydomain definition block securitydomain flushinterval 86400000 securitydomain host server example...

Page 306: ...rameters except for the TPS which configured it in the tokendb parameters with a lot of other configuration settings internaldb _000 internaldb _001 Internal Database internaldb _002 internaldb basedn dc server example com pki ca internaldb database server example com pki ca internaldb maxConns 15 internaldb minConns 3 internaldb ldapauth authtype BasicAuth internaldb ldapauth bindDN cn Directory ...

Page 307: ...the configuration file stored in the cache is written to disk Stop the server before editing the configuration file or the changes will be overwritten by the cached version when the server is stopped 2 Open the var lib subsystem_name conf directory 3 Open the CS cfg file in a text editor 4 Edit the parameters in the file and save the changes 5 Start the subsystem instance service subsystem_name st...

Page 308: ...ts internal LDAP directory internaldb and its replication database The internal password store and replication database have randomly generated PINs which were set when the subsystem was configured the internal LDAP database password was defined by the administrator when the instance was configured internal 376577078151 internaldb secret12 replicationdb 1535106826 12 3 2 Protecting the password co...

Page 309: ...ssword conf file and create a pipe called password conf 3 Run the regular start script 4 Monitor the Tomcat web server log catalina out and the debug log 5 Provide the passwords to the subsystem instance by running the following unzip c secret zip password conf password conf This is a simple and very flexible way to protect the clear text password file while still allowing passwords to be managed ...

Page 310: ...me that the instance restarts any external hardware token passwords For the TPS this prompts for three passwords internal for the NSS database tokendbpass for the internal LDAP database any external hardware token passwords All of the passwords which will be prompted for when the subsystem instance starts are listed in the cms passwordlist in the CS cfg file for the instance 12 3 3 1 Configuring N...

Page 311: ...tem_name conf CS cfg cms passwordlist internaldb replicationdb If publishing has been enabled then make sure the LDAP publishing password is listed For example cms passwordlist internaldb replicationdb CA LDAP Publishing 5 Create a new dtomcat5 file for the instance a Copy the current file in usr share pki type conf For example usr share pki ca conf dtomcat5 tmp dtomcat5 pki old b Edit the copied ...

Page 312: ...d conf server xml g tmp pki ca old c Copy the file into the etc init d directory cp tmp pki ca old etc init d d Set the proper file owner and permissions for the file chown pkiuser etc init d pki ca old chmod 770 etc init d pki ca old e Remove the temporary file crm rf tmp pki ca old 7 Edit the server xml file For each configured connector add the configFile attribute configFile var lib subsystem_...

Page 313: ... temporary file into the TPS s conf directory cp tmp perl conf var lib pki tps old conf d Set the proper file owner and permissions for the file chown pkiuser var lib pki tps old conf chmod 660 var lib pki tps old conf e Remove the temporary file rm tmp perl conf f Edit the nss conf file to change the NSSPassPhraseDialog from the password file to builtin original NSSPassPhraseDialog defer var lib ...

Page 314: ...cgi bin sow cgi 6 If the security officer scripts have been customized then the files need to be updated so that they properly run under mod_perl PerlRun instead of mod_cgi The primary change is to replace any relative file paths with full paths For example replace this line require cfg pl With require var lib pki tps cgi bin sow cfg pl Other changes may be needed to eliminate warnings in the erro...

Page 315: ...ole LDAP related passwords such as internaldb and tokendbpass for the internal database can be changed in the LDAP server directly using the Directory Server console or tools like ldapmodify LDAP publishing passwords are changed in the LDAP server but that change mmeans that the password must be updated in the Certificate System CA configuration The publishing password is reset in the CA console t...

Page 316: ...er files in the var lib subsystem_name conf directory for configuring their Tomcat engine The server xml file sets the files and ports to use to access all of their end user agent and even administrative services Connector name Agent port 9443 maxHttpHeaderSize 8192 maxThreads 150 minSpareThreads 25 maxSpareThreads 75 enableLookups false disableUploadTimeout true acceptCount 100 scheme https secur...

Page 317: ...icate System user pkiuser 2 Run service specifying the instance name and the action For example service subsystem_name start stop restart 13 1 2 Restarting a Subsystem after a Machine Restart If a computer running a subsystem is shut down unexpectedly more services than just the subsystem must be restarted in the proper order for the subsystem to be available both through the HTML services page an...

Page 318: ...inux 5 3 has a tool called chkconfig which manages the automatic startup and shutdown settings for each process on the server This means that when a system reboots some services can be automatically restarted chkconfig also defines startup settings for different run levels of the server chkconfig is explained more in the Red Hat Enterprise Linux documentation such as the Deployment Guide 1 Certifi...

Page 319: ...ult Certificate System chkconfig settings set a start and stop priority for all of the subsystems and their dependent services so that they start and stop in the proper order as listed in Table 13 1 Certificate System Processes and Their chkconfig Start Priority Processes with a low number for their start priority are started first so Directory Server Administration Server and Tomcat are started b...

Page 320: ...administrators These menu of web services can be accessed by opening the URL to the subsystem host over the subsystem s secure end user s port For example for the CA https server example com 9445 ca services The main web services page for each subsystem has a list of available services pages these are summarized in Table 13 2 Default Web Services Pages To access any service specifically access the...

Page 321: ...ttings using pkicreate or if the instance was customized or reconfigured later Port Used for SSL Used for Client Authentication 1 Web Services Certificate Manager 9180 No End Entities 9444 Yes No End Entities 9443 Yes Yes Agents 9445 Yes Configuration 9445 Yes No Services 9445 Yes No Console Registration Manager 12888 No End Entities 12889 Yes Yes Agents 12889 Yes Yes Admin 12890 Yes Configuration...

Page 322: ...lue of No can be reconfigured to require client authentication Services which do not have either a Yes or No value cannot be configured to use client authentication Although this subsystem type does have end entities ports and interfaces these end entity services are not accessible through a web browser as other end entity services are Although the OCSP does have end entities ports and interfaces ...

Page 323: ...heir web server instead of Tomcat have a docroot directory var lib subsystem_name docroot which contains sub directories for their different interfaces meaning admin agent and end entities for the RA and the different Enterprise Security Client web UIs and admin pages for the TPS While any of the web services pages can be customized the CA and RA end entities pages are the most likely to be edited...

Page 324: ... 1 face PrimaSans BT Verdana sans serif color white b Red Hat sup font color cccccc size 2 font sup Certificate Manager b this is a test about stuff font td writeln tr writeln table Likewise the template files also use JavaScript to generate the pages and the HTML markup can be edited The profile HTML pages use standard HTML markup with little generated content For example this is from the Manual ...

Page 325: ...ctory for the end entities pages is var lib pki ra docroot ee Each RA profile has its own sub directory and its own specific cgi and vm file pairs For example the user profile enrollment forms are in var lib pki ra docroot ee user Figure 13 3 RA End Entities Services Page Each web services page uses three files to construct it The header vm and footer vm files give the text and styles for the head...

Page 326: ...ype text name email value td tr table center Example 13 2 Excerpt from the Default User Enrollment Form 13 3 3 Setting Limits on Searches through the CA End Entities Pages Large PKIs can have tens of thousands even millions of certificates keys and requests maintained in its databases When users search for their certificates or agents list requests then it is possible for thousands or millions of ...

Page 327: ... parameters in the web xml file which set the search limits are maxResults and timeLimits These parameters are added as param value lines to a servlet entry Either one or both can be set for each entry Each servlet entry is identified in servlet name tags and the interface web services pages that the servlet is used for is identified in the param name interface param name parameter Example 13 3 we...

Page 328: ...r using a single SSL port depending on the port parameters used with pkicreate The default ports are listed in Table 13 3 Default Port Assignments for Certificate System 8 0 Subsystem Standard End Entity SSL End Entity Client Authentication Agent SSL Admin SSL Tomcat CA 9180 9444 9446 9443 9445 9701 DRM 10180 10443 10445 10701 OCSP 11180 11443 11445 11701 RA 12888 12890 12889 12889 TKS 13180 13443...

Page 329: ...conf in the Listen parameter Listen 0 0 0 0 7888 The two SSL ports are defined in the nss conf Because there are two SSL ports both ports are listed in the Listen parameter and then defined in two VirtualHost entries For example for the TPS Listen 0 0 0 0 7889 Listen 0 0 0 0 7890 VirtualHost _default_ 7889 VirtualHost VirtualHost _default_ 7890 VirtualHost 13 4 1 Changing a Port Number To change a...

Page 330: ...ost _default_ 7889 5 Open the CS cfg file and edit the both the SSL and non SSL port numbers For example service securePort 7889 service unsecurePort 7888 op format tokenKey issuerinfo value http server example com 7888 6 Restart the subsystem 13 4 2 Using a Single SSL Port It is possible to use a single SSL port instead of separated ports for subsystem services CAUTION Although using a single SSL...

Page 331: ...tificate In Certificate System this kind of session renegotiation occurs if a user connects to an end entity port that doesn t require client authentication but then attempts to submit a certificate enrollment form for an enrollment profile that requires client authentication The Certificate System server requests and then parses a client certificate for the user 1 Before making any edits to the C...

Page 332: ..._WITH_NULL_SHA SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA SSL3_RSA_WITH_RC4_128_SHA SSL3_RSA_EXPORT_WITH_RC4_40_MD5 SSL3_RSA_WITH_3DES_EDE_CBC_SHA SSL3_RSA_WITH_DES_CBC_SHA SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5 SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA SSL_RSA_FIPS_WITH_DES_CBC_SHA SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA SSL3_RSA_WITH_NULL_MD5 TLS_RSA_EXPORT1024_WITH_RC4_56_SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA ...

Page 333: ...omRequest servlet name url pattern eeca ca getCertFromRequest url pattern servlet mapping 7 Edit the profile selection template to use the URL for the new secure end entities client authentication services port For example assuming the default end entities client authentication SSL port of 9446 vim var lib instance_name webapps ca ee ca ProfileSelect template original uri profileSubmitSSLClient up...

Page 334: ...se functions include the following Storing and retrieving certificate requests Storing and retrieving certificate records Storing CRLs Storing ACLs Storing privileged user and role information Storing and retrieving end users encryption private key records To fulfill these functions the Certificate System is incorporated with a Red Hat Directory Server referred to as the internal database or local...

Page 335: ...lled such as certificates example com The Certificate System uses this name to access the directory By default the hostname of the Directory Server instance used as the internal database is shown as localhost instead of the actual hostname This is done to insulate the internal database from being visible outside the system since a server on localhost can only be accessed from the local machine Thu...

Page 336: ...ling Server Certificates 2 in the Directory Server Administrator s Guide b Configure the Directory Server instance to run over its SSL port This is covered in section 12 4 1 Enabling TLS SSL in the Only Directory Server 3 in the Directory Server Administrator s Guide TIP When SSL is enabled the server prompts for a password to access the NSS security token for the Directory Server every time the i...

Page 337: ... ldbm database folder and select the plug in instance for the Certificate System subsystem instance This will have a name like server example com instance name j Select Set Access Permissions from the drop down menu k In the bottom left of the Access Control Editor window click the Edit Manually button l Paste in the following ACI with the appropriate LDAP URL for the target and the appropriate us...

Page 338: ...cate was properly installed For example certutil d var lib subsystem_name alias L Certificate Nickname Trust Attributes SSL S MIME JAR XPI s Example Domain u u u subsystemCert cert instance_name u u u Server Cert cert instance_name u u u auditSigningCert cert instance_name u u u TIP The nickname for user certificates is frequently blank or not friendly To change the nickname of the certificate re ...

Page 339: ... an entry or icon for the Directory Server instance that the Certificate System uses as its internal database Unlike the Certificate System Console in which access is restricted to users with Certificate System administrator privileges the Directory Server Console can be accessed by any user The user can open the Directory Server Console for the internal database and change to the data stored ther...

Page 340: ...mpt opens sqlite 2 You can now use standard sqlite commands to query the database for example To display all user information use the following command sqlite select from users To display all request information use the following command sqlite select from requests To display a list of available tables use the following command sqlite tables 13 7 Viewing Security Domain Configuration A security do...

Page 341: ...ecurity Domain dc server example com pki ca Then there is a list of each subsystem type beneath the security domain organizational group with a special object class pkiSecurityGroup to identify the group type cn KRAList ou Security Domain dc server example com pki ca objectClass top objectClass pkiSecurityGroup cn KRAList Each subsystem instance is then stored as a member of that group with a spec...

Page 342: ... RPM package pki selinux which is installed as a prerequisite for the other Certificate System subsystem packages Certificate System SELinux policies are already configured when the subsystems are installed and all SELinux policies are updated every time a subsystem is added with pkicreate or removed with pkiremove types that the process runs as and the domain type pki ca_t pki ca_process type pki...

Page 343: ... SELinux Policies for Subsystems 321 2 Open the Administration menu and select the SELinux Management item 3 To check the version of the Certificate System SELinux policy installed click the Policy Module link ...

Page 344: ...Certificate System However the Certificate System components can still be archived and restored manually and this can be necessary for deployments where information cannot be accessed if certificate or key information is lost There are three major parts of the Certificate System which need backed up routinely in case of data loss or hardware failure Internal database The Directory Server provides ...

Page 345: ...ca 3 Restart the subsystem instance service instance_ID start NOTE Stop the subsystem instance before backing up the instance or the security databases The Directory Server database can be restored using Directory Server specific tools see the Directory Server documentation for more information on restoring the LDAP database The Certificate System backup files both the alias database backups and t...

Page 346: ...e subsystem will run If any critical self tests fail the server will stop 5 The On Demand Self Tests Results window appears showing the logged events for this run of the self tests 13 10 1 Self Test Logging A new log selftest log is added to the log directory that contains reports for both the start up self tests and the on demand self tests This log is configured by changing the setting for the l...

Page 347: ...the file The default interval is 5 seconds The flushInterval is the amount of time before the contents of the buffer are flushed out and added to the log file level The default selection is 1 this log is not set up for any level beside 1 maxFileSize Specify the file size in kilobytes KB for the error log The default size is 100 KB The maxFileSize determines how large a log file can become before i...

Page 348: ... Basic Subsystem Management 326 To disable a self test remove it as the value of either the selftests container order onDemand or selftests container order startup parameters 5 Save the file 6 Start the subsystem ...

Page 349: ...wly created groups Authorization goes through the following process 1 The users authenticate to the interface using either the Certificate System user ID and password or a certificate 2 The server authenticates the user either by matching the user ID and password with the one stored in the database or by checking the certificate against one stored in the database With certificate based authenticat...

Page 350: ...d trust policies Manage the access controls on the domain services By default the CA administrator of the CA hosting the domain is assigned as the security domai Enterprise CA Administrators Automatically approve any sub CA server and subsystem certificate from any CA in the dom Register and unregister CA subsystem information in the security domain Enterprise DRM Administrators Automatically appr...

Page 351: ...en assigned end entity certificate and key management privileges Agents can access the agent services interface For a complete list of agent tasks see the Certificate System Agent s Guide Agents are created by assigning a user to the appropriate subsystem agent group and identifying certificates that the agents must use for SSL client authentication to the subsystem for it to service requests from...

Page 352: ...l users and trust relationships within the domain Each subsystem administrator authenticates to the other subsystems using SSL client authentication with the subsystem certificate issued during configuration by the security domain CA 14 3 Managing Users and Groups for a CA OCSP DRM or TKS Many of the operations that users can perform are dictated by the groups that they belong to for instance agen...

Page 353: ...d Groups from the navigation tree on the left 3 Click the Groups tab 4 Select the group from the list of names and click Edit 5 Make the appropriate changes To change the group description type a new description in the Group description field To remove a user from the group select the user and click Delete To add users click Add User Select the users to add from the dialog box and click OK 14 3 2 ...

Page 354: ...he user most basically this field can show whether this is an active user It is necessary to select the group to which the user will belong The user s group membership determines what privileges the user has Assign agents and administrators to the appropriate subsystem group 4 Store the user s certificate a Request a user certificate through the CA or RA end entities service pages b If auto enroll...

Page 355: ...newed directly in the end user enrollment forms using the serial number of the original certificate 1 Renew the admin user certificates in the CA s end users forms as described in Section 4 7 3 1 2 Certificate Based Renewal This must be the same CA as first issued the certificate or a clone of it Agent certificates can be renewed by using the certificate based renewal form in the end entities page...

Page 356: ...ust relationships is not necessary except in rare situations when an administrator may want to adjust different values If for some reason it is necessary for one subsystem to trust another subsystem in a different security domain then it is possible to configure a trusted manager essentially a user entry for the subsystem which it can use to connect to another subsystem 1 Log into the administrati...

Page 357: ...ATE and END CERTIFICATE marker lines d To view the certificate select it and click View Next configure the connector settings of the Certificate Manager This enables the Certificate Manager to utilize the agent port to communicate with the subsystem 1 Log into the administrative console for the Certificate Manager 2 In the navigation tree select Certificate Manager 3 Select the Connectors tab 4 Se...

Page 358: ...ally An initial user admin is created with both agent and administrator roles and two groups are created to identify agent and administrator users Additional users and additional groups can be added to manage the RA subsystem and PKI operations The RA subsystem does not use a Java console as the other subsystems do so users and groups are created and managed through the administrator s web service...

Page 359: ...for example must belong to a configured RA agent group to perform agent tasks 14 4 1 1 Listing Groups for an RA 1 Open the RA services page https server example com 12889 services 2 Click the Administrator Services link 3 Click the List Groups link 4 There are two default groups for agents and for administrators To view the details about any group click the GID of the group 14 4 1 2 Creating a New...

Page 360: ...ice pki ra stop Always stop a subsystem before editing the subsystem configuration files b Open the CS cfg file vim var lib pki ra conf CS conf c Add the new group s GID to the administrator or agent group list admin authorized_groups administrators example agent authorized_groups administrators agents example d Start the RA instance service pki ra start 14 4 1 3 Adding and Removing Users in an RA...

Page 361: ...s link 4 Click the name of the group for which to change the group membership 5 In the group page each current member of the group is listed with a Delete link next to the name Existing members who are not members of the group are listed in a drop down menu To add a member select them from the name from the menu and click Add ...

Page 362: ...ks relate to managing the server instance mainly managing users and groups For an RA user to be able to perform their tasks the user entry must be created and then added to the appropriate group A default user is created when the RA is first configured and this admin user belongs to both the agent and administrator groups 14 4 2 1 Listing and Viewing Users for an RA 1 Open the RA services page htt...

Page 363: ...Managing RA Users 341 5 The user details page shows the person s UID full name email address and user SSL certificate ...

Page 364: ... 1 Generate a new certificate for the user All access to the RA web services pages is done through certificate based authentication so all RA agents and administrators must have a certificate This is covered in Section 14 4 2 3 Generating Agent Certificates for RA Agents 2 Open the RA services page ...

Page 365: ...perform any RA agent or administrator functions Adding members to groups is covered in Section 14 4 1 3 Adding and Removing Users in an RA Group 14 4 2 3 Generating Agent Certificates for RA Agents RA agents must have a client certificate that allows them to authenticate to the RA subsystem meaning accessing the RA agent and administrator services pages Any SSL client certificate can be used as lo...

Page 366: ...r 14 Managing Certificate System Users and Groups 344 c Click PIN Creation Request d Enter an appropriate UID and email address 2 An existing agent must approve the PIN request a Open the agent services page ...

Page 367: ...the Request ID to display the details of the request d Click Approve to approve the request This generates the PIN the user will use to retrieve the certificate 3 The last step is for the user to use the generated PIN to retrieve his certificate a Open the SSL End Users Services page b Click Request Status Check ...

Page 368: ...he ID of the PIN request d Click the value in the Import Certificate field to display the one time PIN e Click Agent Enrollment again and then click the Certificate Enrollment link f Enter the user ID and the PIN g When the certificate is successfully generated base 64 encoded blob is displayed ...

Page 369: ...e This form recognizes and updates the certificate stored in the browser s certificate store directly TIP It is also possible to renew the certificate using certutil as described in Section 4 7 3 2 Renewing Certificates Using certutil Rather than using the certificate stored in a browser to initiate renewal certutil uses an input file with the original key 2 Export the renewed certificate from the...

Page 370: ...te to use to authenticate the new certificate should be available 14 4 2 5 Deleting Users for an RA 1 Open the RA services page https server example com 12889 services 2 Click the Administrator Services link 3 Click the List Users link 4 All of the configured users for the RA are shown To view a user click the UID for that user 5 At the bottom of the page click the Delete link ...

Page 371: ... the TPS subsystem users are authenticated against an LDAP directory database that contains their certificate because accessing the TPS s web services requires certificate based authentication and the authentication process checks the TPS group entries ou TUS Agents ou TUS Administrators and ou TUS Operators to see to which roles the user belongs using Apache s mod_tokendb module Users for the TPS...

Page 372: ...er 4 Requesting Enrolling and Managing Certificates IMPORTANT A TPS administrator must have a signing certificate The recommended profile to use is Manual User Signing and Encryption Certificates Enrollment 2 Click the Add New User link in the Administrator Operations tab 3 Fill in the user s name and ID and paste in the certificate without the BEGIN CERTIFICATE and END CERTIFICATE lines ...

Page 373: ...les which are assigned to them NOTE A user can only see entries relating to the profile configured for it including both token operations and tokens themselves For an administrator to be able to search and manage all tokens configured in the TPS the administrator user entry should be set to All profiles Setting specific profiles for users is a simple way to control access for operators and agents ...

Page 374: ...ile manually NOTE If the All Profiles option is added to the user then any other configured profiles are dropped because they are already included in the All Profiles option 3 Click the Add Profile button to add the profile to the user entry The new profile is listed as part of the user entry attributes Up to fifteen profiles are listed on the profile if there are more than fifteen then the profil...

Page 375: ...as described in Section 4 7 3 1 2 Certificate Based Renewal This must be the same CA as first issued the certificate or a clone of it Agent certificates can be renewed by using the certificate based renewal form in the end entities page Self renew user SSL client certificate This form recognizes and updates the certificate stored in the browser s certificate store directly TIP It is also possible ...

Page 376: ...ich the user is a member for the users themselves or for the IP address of the user New groups are assigned access control by adding that group to the access control lists For example a new group for administrators who are only authorized to view logs LogAdmins can be added to the ACLs relevant to logs to allow read or modify access to this group If this group is not added to any other ACLs member...

Page 377: ...n fired It may be necessary to deny access specifically to JohnB if the user cannot be deleted immediately Another situation is that a user BrianC is an administrator but he should not have the ability to change some resource Since the Administrators group must access this resource BrianC can be specifically denied access by creating an ACI that denies this user access The allowed rights are the o...

Page 378: ...IPv6 address An IPv4 address has the format n n n n or n n n n m m m m with the netmask An IPv6 address uses a 128 bit namespace with the IPv6 address separated by colons and the netmask separated by periods For example ipaddress 0 0 0 0 0 0 13 1 68 3 It is also possible to use regular expressions to specify the IP address such as using wildcard characters like an asterisk For example ipaddress 12...

Page 379: ...from the list and click Edit The ACL opens in the Access Control Editor window 4 To add an ACI click Add and supply the ACI information To edit an ACI select the ACI from the list in the ACI entries text area of the ACL Editor window Click Edit ...

Page 380: ...resses specified For more information about allowing or denying access see Section 14 6 1 About Access Control b Set the rights for the access control The options are read and modify To set both use the Ctrl or Shift buttons c Specify the user group or IP address that will be granted or denied access in the Syntax field See Section 14 6 1 About Access Control for details on syntax ...

Page 381: ...elated to operations within that specific subsystem instance For each subsystem different logs are kept for issues such as installation access and web servers The way that logs are configured can affect Certificate System performance For example log file rotation keeps logs from becoming too large which slows down subsystem performance This section explains the different kinds of logs recorded by ...

Page 382: ...els and Log Entries NOTE Four of the Certificate System subsystems CA DRM TKS and OCSP have seven log levels 0 to 6 The RA and TPS subsystems have eleven log levels 0 to 10 Log levels are represented by numbers 0 to 6 0 to 10 for TPS and RA each number indicating the level of logging to be performed by the server The level sets how detailed the logging should be A higher priority level means less ...

Page 383: ...ilter log entries based on the severity of an event By default log level 3 Failure is set for all services The log level is successive specifying a value of 3 causes levels 4 5 and 6 to be logged Log data can be extensive especially at lower more verbose logging levels Make sure that the host machine has sufficient disk space for all the log files It is also important to define the logging level l...

Page 384: ...nd time have the forms YYYYMMDD year month day and HHMMSS hour minute second Log files especially the audit log file contain critical information These files should be periodically archived to some backup medium by copying the entire logs directory to an archive medium NOTE The Certificate System does not provide any tool or utility for archiving log files The Certificate System provides a command...

Page 385: ...6 18 CDT 1 1 archival reqID 4 fromAgent agentID CA server example com 9444 authenticated by noAuthManager is completed DN requested UID recoverykey E recoverykey email com CN recover key serial number 0x3 Example 15 2 DRM Transactions Log This log is on by default 15 2 3 Debug Logs Debug logs are maintained for all six subsystems with varying degrees and types of information Debug logs for each su...

Page 386: ...PuSPOaQmtKBpAEVaQoUwnEytOqDkCkhlZ1nt02w1 06 Jun 2009 14 59 38 http 9443 Processor24 ProfileSubmitServlet key request profile value true 06 Jun 2009 14 59 38 http 9443 Processor24 ProfileSubmitServlet key request cert_request_type value crmf 06 Jun 2009 14 59 38 http 9443 Processor24 ProfileSubmitServlet key request requestversion value 1 0 0 06 Jun 2009 14 59 38 http 9443 Processor24 ProfileSubmit...

Page 387: ...EoGCCsGAQUFBwEBBD4wPDA6BggrBgEFBQcwAYYuaHR0cDovL3Rlc3Q0LnJl M ZGJ1ZGNvbXB1dGVyLmxvY2FsOjkwODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBeAw M HQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMCQGA1UdEQQdMBuBGSRyZXF1 M ZXN0LnJlcXVlc3Rvcl9lbWFpbCQ Example 15 3 CA Certificate Request Log Messages Likewise the OCSP shows OCSP request information 07 Jul 2009 06 25 40 http 11180 Processor25 OCSPServlet OCSP Request 07 Jul 20...

Page 388: ...ar lib pki ra 2009 05 19 09 30 31 debug Processing PKI security modules for var lib pki ra 2009 05 19 09 30 31 debug Attempting to add hardware security modules to system if applicable 2009 05 19 09 30 31 debug module name lunasa lib usr lunasa lib libCryptoki2 so DOES NOT EXIST 2009 05 19 09 30 31 debug module name nfast lib opt nfast toolkits pkcs11 libcknfast so DOES NOT EXIST 2009 05 19 09 30 ...

Page 389: ... changing settings in the CS cfg file The information about logs in this section does not pertain to this log See Section 13 10 Self Tests for more information about self tests 15 3 Configuring Logs Using the UI Every subsystem but the RA provides an administrative Interface that allows users to configure logging For the CA OCSP DRM and TKS all logs can be configured using the pkiconsole For the T...

Page 390: ...nd added to the log file Th maxFileSize The size kilobytes KB a log file can become before it is rotated Once it reaches this size the log file is started new For more information on log file rotation see Section 15 1 4 Log File Ro rolloverInterval The frequency which the server rotates the active log file The available choices are hourly daily default selection is monthly For more information see...

Page 391: ... Operations tab of the HTML services page The events that can be selected to be recorded in the audit log are listed in Table 15 11 Events Recorded to the TPS Audit Log Figure 15 1 Configuring TPS Audit Logging in the Console The TPS HTML services page is https server example com 7889 tus NOTE Although audit logs for the TPS are configured in the HTML services page they are not viewable through th...

Page 392: ...nually entered in the field there is no setting is a numeric value as listed in Section 15 1 2 Log Levels Message Categories fileName The full path including the filename to the log file The subsystem user should have read w bufferSize The buffer size in kilobytes KB for the log Once the buffer reaches this size the contents o copied to the log file The default size is 512 KB For more information ...

Page 393: ... An audit log ra audit log These logs are stored in the var log subsystem_name directory by default Other types of logs such as transaction logs and system logs are not generated by the RA instance 15 4 2 1 About RA Log Settings For each log generated by an RA instance there are three parameters which must be configured in the CS cfg file enable which sets whether the log is generated filename whi...

Page 394: ...cific log type The valid values are true false logging log_type filename The full path to the log file including its name For example tmp tps debug log logging log_type level The log levels The levels range from 0 to 10 0 No logging 4 LL_PER_SERVER Messages that happen only during startup or shutdown 6 LL_PER_CONNECTION Messages that happen per connection 8 LL_PER_PDU Messages that happen for ever...

Page 395: ...stems CA OCSP DRM and TKS but the TPS does not use a Java console The TPS maintains three subsystem logs A debug log tps debug log An error log tps error log An audit log tps audit log These logs are stored in the var log subsystem_name directory by default Other types of logs such as transaction logs and system logs are not generated by the TPS instance 15 4 3 1 About TPS Log Parameters For each ...

Page 396: ... to TPS logging Log rotation Registering and deleting log modules Buffered logging Log level 0 is least verbose 10 is most verbose For example 2009 04 29 13 47 08 b65b9828 Upgradeop applet_upgrade app_ver 1 2 416DA155 new_app_ver 1 3 42659461 2009 04 29 13 47 08 b65b9828 Formatstatus success app_ver 1 3 42659461 key_ver 0 cuid 40900062FF02000065C5 msn FFFFFFFF uid time 45389 msec 2009 04 29 15 56 ...

Page 397: ...ents that can be record list is displayed in the admin services configuration page logging audit selected events For TPS audit logs only Shows events that are actually selected in the admin services c log regular or signed This parameter s value can be edited directly in the CS cfg file t log Table 15 8 TPS Logging Parameters 15 4 3 2 Configuring TPS Logs 1 Stop the TPS instance service pki tps st...

Page 398: ...vity Signed audit logs are configured by default when the instance is first created but it is possible to edit the configuration or change the signing certificates after configuration TIP Provide enough space in the filesystem for the signed audit logs since they can be large NOTE The audit logs for an RA subsystem cannot be signed TPS audit log signing is described in Section 15 5 2 Configuring T...

Page 399: ... tab select the SignedAudit entry 4 Click Edit View 5 There are three fields which must be reset in the Log Event Listener Editor window Fill in the signedAuditCertNickname This is the nickname of the certificate used to sign audit logs An audit signing certificate is created when the subsystem is configured it has a nickname like auditSigningCert cert pki ca ...

Page 400: ... the auditor group Members of the auditor group are the only users who can view and verify the signed audit log See Section 14 3 2 1 Creating Users for details about setting up auditors Auditors can verify logs by using the AuditVerify tool See the Certificate System Command Line Tools Guide for details about using this tool Event Log Messages AUDIT_LOG_STARTUP The start of the subsystem and thus ...

Page 401: ...T_PROCESSED Shows when a certificate request is being processed CERT_STATUS_CHANGE_REQUEST Shows when the request is made to change the status of a certificate CERT_STATUS_CHANGE_REQUEST_PROCESSED Shows when a certificate status change is processed AUTHZ_SUCCESS Shows when a user is successfully processed by the authorization servlets AUTHZ_FAIL Shows when a user is not successfully processed by t...

Page 402: ...radio button to Enable The TPS HTML services page is https server example com 7889 tus 1 Stop the TPS instance service pki tps stop 2 Edit the audit logging configuration The log file parameters are listed in Table 15 10 TPS Signed Audit Log Parameters and the auditable events are listed in Table 15 11 Events Recorded to the TPS Audit Log logging audit enable true logging audit filename var log pk...

Page 403: ...orded in the audit log All loggable events both required and optional are listed in Table 15 11 Events Recorded to the TPS Audit Log Event Description AUDIT_LOG_STARTUP The start of the subsystem and thus the start of the audit function AUDIT_LOG_SHUTDOWN The shutdown of the subsystem and thus the shutdown of the audit function LOGGING_SIGNED_AUDIT_SIGNING Shows changes in whether the audit log is...

Page 404: ...anually signs archived logs See Section 15 5 1 Configuring a Signed Audit Log for a CA OCSP DRM or TKS for details about signed audit logs For signing log files use a command line utility called the Signing Tool signtool For details about this utility see http www mozilla org projects security pki nss tools The utility uses information in the certificate key and security module databases of the su...

Page 405: ... view Choose Current to view the currently active system log file 5 Click Refresh The table displays the system log entries The entries are in reverse chronological order with the most current entry placed at the top Use the scroll arrows on the right edge of the panel to scroll through the log entries Each entry has the following information shown Source The component or resource that logged the ...

Page 406: ...8 Referenced data not found 6a80 Incorrect values in command data Load Errors 6581 Memory failure 6a84 Not enough memory space 6a86 Incorrect P1 P2 6985 Conditions of use not satisfied Table 15 12 Smart Card Error Codes 15 8 Managing Log Modules The types of logs that are allowed and their behaviors are configured through log module plug ins New logging modules can be created and used to make cust...

Page 407: ...his class is part of a package include the package name For example registering a class named customLog in a package named com customplugins the class name would be com customplugins customLog 5 Click OK 15 8 2 Deleting a Log Module Unwanted log plug in modules can be deleted through the Console Before deleting a module delete all the listeners based on this module see Section 15 1 4 Log File Rota...

Page 408: ...386 ...

Page 409: ...A must be up and available for the other subsystems in a security domain to communicate If the security domain CA goes down for any reason then the communications between servers and authentication using administrator or agent certificates fails Because of the dependency on the security domain it is recommended that subordinate CAs are created within their own security domain rather than relying o...

Page 410: ...hy which may or may not be a root CA The root CA s signing certificate must be imported into individual clients and servers before the Certificate Manager can be used to issue certificates to them NOTE The CA name cannot be changed or all previously issued certificates are invalidated Similarly reissuing a CA signing certificate with a new key pair invalidates all certificates that were signed by ...

Page 411: ...ir and Certificate The CA keeps a secure audit log of all events which occurred on the server To guarantee that the audit log has not been tampered with the log file is signed by a special log signing certificate The audit log signing certificate is issued when the server is first configured 16 1 2 RA Certificates An RA only uses two certificates an SSL server certificate and a subsystem certifica...

Page 412: ...hen the Online Certificate Status Manager was configured The default nickname for the certificate is Server Cert cert instance_ID where instance_ID identifies the Online Certificate Status Manager instance name The Online Certificate Status Manager uses its server certificate for server side authentication for the Online Certificate Status Manager agent services page The Online Certificate Status ...

Page 413: ...cally trusted by the OCSP Manager when it is configured Every CA in the certificate chain of the CA configured in the CA panel is however trusted automatically by the OCSP Manager Other CAs within the security domain but not in the certificate chain must be added manually 16 1 4 Data Recovery Manager Certificates The DRM uses the following key pairs and certificates Section 16 1 4 1 Transport Key ...

Page 414: ...ificates can be requested and installed for the DRM 16 1 4 4 Subsystem Certificate Every member of the security domain is issued a server certificate to use for communications among other domain members The Data Recovery Manager is issued the subsystem certificate when the instance is first configured as with its SSL certificate The default nickname for the certificate is subsystemCert cert instan...

Page 415: ...ficate is generated when the TPS is configured The default nickname for the certificate is Server Cert cert instance_id 16 1 6 2 Subsystem Certificate Every member of the security domain is issued a server certificate to use for communications among other domain members The TPS is issued the subsystem certificate when the instance is first configured as with its SSL certificate The default nicknam...

Page 416: ...icate enrollment process for subsystem certificates The Console can create submit and install certificate requests and certificates for any of the certificates used by that subsystem These certificates can be a server certificate or subsystem specific certificate such as a CA signing certificate or DRM transport certificate NOTE It is important that the agent or user generate and submit the client...

Page 417: ...he certificate type to request The types of certificates that can be requested varies depending on the subsystem NOTE If selecting to create an other certificate the Certificate Type field becomes active Fill in the type of certificate to create either caCrlSigning for the CRL signing certificate or client for an SSL client certificate ...

Page 418: ...er after selecting the type of certificate select which type of CA will sign the request For a CA signing certificate the options are to use a root CA or a subordinate CA For all other certificates the options are to use the local CA signing certificate or to create a request to submit to another CA ...

Page 419: ...le 397 8 Set the key pair information and set the location to generate the keys the token which can be either the internal security database directory or one of the listed external tokens 9 Select the message digest algorithm the choices are MC2 MD5 SHA1 SHA256 and SHA512 ...

Page 420: ...omain domain NOTE The CA certificate request forms support all UTF 8 characters for the common name organizational unit and requester name fields This support does not include supporting internationalized domain names 11 Only when requesting a certificate through the Certificate Manager Console and submitting the request to the Certificate Manager automatically Specify the start and end dates of t...

Page 421: ... certificate through the Certificate Manager Console submitting the request to the Certificate Manager automatically Set the standard extensions for the certificate The required extensions are chosen by default To change the default choices read the guidelines explained in Appendix B Defaults Constraints and Extensions for Certificates and CRLs ...

Page 422: ...entifying them as either a subordinate SSL CA which allows them to issue certificates for SSL or a subordinate email CA which allows them to issue certificates for secure email Disabling certificate extensions means that CA hierarchies cannot be set up Basic Constraints The associated fields are CA setting and a numeric setting for the certification path length Extended Key Usage Authority Key Ide...

Page 423: ...nded by the PKIX standard and RFC 2459 See RFC 2459 1 for a description of the Key Usage extension Base 64 SEQUENCE of extensions This is for custom extensions Paste the extension in MIME 64 DER encoded format into the text field To add multiple extensions use the ExtJoiner program For information on using the tools see the Certificate System Command Line Tools Guide 13 The wizard generates the ke...

Page 424: ...arker lines BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST For example BEGIN NEW CERTIFICATE REQUEST MIICJzCCAZCgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBC6SAwHgYDVQQKExdOZXRzY2FwZSBDb21tdW5pY2 F0aW9uczngjhnMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyNzE5MDAwMFoXDTk5MDIyMzE5MDA wMnbjdgngYoxIDAeBgNVBAoTF05ldHNjYXBlIENvbW11bmljYXRpb25zMQ8wDQYDVQQLEwZQZW9wbGUxFz ...

Page 425: ...certificate othercsr txt Other certificates such as Certificate Manager CRL signing certificate or SSL client Table 16 1 Files Created for Certificate Signing Requests Do not modify the certificate request before sending it to the CA The request can either be submitted automatically through the wizard or copied to the clipboard and manually submitted to the CA through its end entities page NOTE Th...

Page 426: ...Chapter 16 Managing Subsystem Certificates 404 e The new certificate information is shown in pretty print format in base 64 encoded format and in PKCS 7 format ...

Page 427: ...Copy the base 64 encoded certificate including the BEGIN CERTIFICATE and END CERTIFICATE marker lines to a text file Save the text file and use it to store a copy of the certificate in a subsystem s internal database See Section 14 3 2 1 Creating Users 16 3 Renewing Subsystem Certificates There are two methods of renewing a certificate Regenerating the certificate takes its original key and its or...

Page 428: ...utside a network for external clients to use is a serious not easily resolved issue for any PKI administrator The US government devised a standard for issuing cross pair certificates called the Federal Bridge Certificate Authority These certificates are also called bridge certificates for obvious reasons Bridge or cross pair certificates are CA signing certificate that are framed as dual certifica...

Page 429: ...n if an external token is used to generate and store key pairs Certificate System always maintains its list of trusted and untrusted CA certificates in its internal token This section explains how to view the contents of the certificate database delete unwanted certificates and change the trust settings of CA certificates installed in the database using the Certificate System window For informatio...

Page 430: ...ertificate database the wizard replaces the existing certificates with the ones in the chain If the chain includes intermediate CA certificates the wizard adds them to the certificate database as untrusted CA certificates The subsystem console uses the same wizard to install certificates and certificate chains To install certificates in the local security database do the following 1 Open the conso...

Page 431: ... the correct certificate or use the Back button to go back and submit a different one Give a nickname for the certificate The wizard installs the certificate 6 Any CA that signed the certificate must be trusted by the subsystem Make sure that this CA s certificate exists in the subsystem s certificate database internal or external and that it is trusted If the CA certificate is not listed add the ...

Page 432: ...ent type used on the object being downloaded For Red Hat servers it depends upon the options selected in the server administration interface Subsequent certificates are all treated the same If the certificates contain the SSL CA bit in the Netscape Certificate Type certificate extension and do not already exist in the local certificate database they are added as untrusted CAs They can be used for ...

Page 433: ...6 3 Certificate Database Tab 4 The Certificate Database Management table lists the all of the certificates installed on the subsystem The following information is supplied for each certificate Certificate Name Serial Number Issuer Names the common name cn of the issuer of this certificate Token Name the name of the cryptographic token holding the certificate for certificate stored in the database ...

Page 434: ...se be careful not to delete the intermediate CA certificates which help a subsystem chain up to the trusted CA certificate If in doubt leave the certificates in the database as untrusted CA certificates see Section 16 6 Changing the Trust Settings of a CA Certificate Section 16 5 3 1 Deleting Certificates through the Console Section 16 5 3 2 Deleting Certificates Using certutil 16 5 3 1 Deleting C...

Page 435: ...ms use the CA certificates in their certificate databases to validate certificates received during an SSL enabled communication It can be necessary to change the trust settings on a CA stored in the certificate database temporarily or permanently For example if there is a problem with access or compromised certificates marking the CA certificate as untrusted prevents entities with certificates sig...

Page 436: ...Change the trust settings for the certificate by running the certutil with the M option certutil M n cert_nickname t trust d For example certutil M n Certificate Authority Example Domain t TCu TCu TCu d 4 List the certificates again to confirm that the certificate trust was changed certutil L d Certificate Authority Example Domain CTu CTu CTu subsystemCert cert subsystem u u u Server Cert cert exa...

Page 437: ...bdir nocertdb list 16 7 3 Changing a Token s Password The token internal or external that stores the key pairs and certificates for the subsystems is protected encrypted by a password To decrypt the key pairs or to gain access to them enter the token password This password is set when the token is first accessed usually during Certificate System installation It is good security practice to change ...

Page 438: ...416 ...

Page 439: ...Part IV References ...

Page 440: ......

Page 441: ...eld to paste the request This input puts the following fields in the enrollment form Certificate Request Type This drop down menu lets the user specify the certificate request type The choices are PKCS 10 or CRMF Certificate Management Messages over Cryptographic Message Syntax CMC enrollment is supported with both PKCS 10 and CRMF Certificate Request This is the text area in which to paste the re...

Page 442: ...nts This input puts the following fields into the enrollment form Key Generation Request Type This field is a read only field displaying crmf as the request type Key Generation Request This input adds a drop down menu to select the key size to use in the key generation request A 1 7 nsHKeyCertRequest Token Key Input The Token Key input is used to enroll keys for hardware tokens for agents to use l...

Page 443: ... in the certificate This input puts the following fields into the enrollment form UID the LDAP directory user ID Email Common Name the name of the user Organizational Unit the organizational unit ou to which the user belongs Organization the organization name Country the country where the user is located A 1 12 Submitter Information Input The Submitter Information input collects the certificate re...

Page 444: ...7 Output This output returns the certificate and the certificate chain in PKCS 7 format PKCS 7 format is the Cryptographic Message Syntax Standard which is used for signing This output cannot be configured or changed A 2 3 CMMF Output This output returns the certificate in Certificate Management Messages Formats CMMF CMMF govern communication between different parts of a PKI and is used for reques...

Page 445: ...icate This section lists and defines the predefined defaults B 1 1 Authority Info Access Extension Default This default attaches the Authority Info Access extension This extension specifies how an application validating a certificate can access information such as online validation services and CA policy data about the CA that has issued the certificate This extension should not be used to point d...

Page 446: ...ess OID RFC822Name URIName Location_n Specifies the address or location to get additional information about the CA that has issued the certificate For directoryName the value must be a string form of X 500 name similar to the subject name in a certificate For example cn SubCA ou Research Dept o Example Corporation c US For dNSName the value must be a valid fully qualified domain name For example t...

Page 447: ... This default attaches the Authority Key Identifier extension to the certificate The extension identifies the public key that corresponds to the private key used by a CA to sign certificates This default has no parameters If used this extension is included in the certificate with the public key information This default takes the following constraint No Constraints see Section B 2 6 No Constraint F...

Page 448: ...ificate 0 specifies that no subordinate CA certificates are allowed below the subordinate CA certificate only an end entity certificate may follow in the path n must be an integer greater than zero It specifies the maximum number of subordinate CA certificates allowed below the subordinate CA certificate If the field is blank the path length defaults to a value that is determined by the path lengt...

Page 449: ...URIName or RelativeToIssuer The type must correspond to the value in the Name field Name_n Specifies the name of the CRL distribution point the name can be in any of the following formats An X 500 directory name in the RFC 2253 syntax The name looks similar to the subject name in a certificate like cn CA Central ou Research Dept o Example Corporation c US A URIName such as http testCA example com ...

Page 450: ...ate For example cn SubCA ou Research Dept o Example Corporation c US For DNSName the value must be a valid fully qualified domain name For example testCA example com For EDIPartyName the value must be an IA5String For example Example Corporation For URIName the value must be a non relative URI following the URL syntax and encoding rules The name must include both a scheme such as http and a fully ...

Page 451: ...D1 userID2 OtherName must have the format type oid string For example IA5String 1 2 3 4 MyExample The value for this parameter must correspond to the value in the issuerName field Table B 3 CRL Distribution Points Extension Configuration Parameters B 1 5 Extended Key Usage Extension Default This default attaches the Extended Key Usage extension to the certificate For general information about this...

Page 452: ...tension Constraint Extension Constraint see Section B 2 3 Extension Constraint No Constraints see Section B 2 6 No Constraint Parameter Description Critical Select true to mark this extension critical select false to mark the extension noncritical OIDs Specifies the OID that identifies a key usage purpose The permissible values are a unique valid OID specified in the dot separated numeric componen...

Page 453: ...me must be a URI an absolute pathname that specifies the host For example http testCA example com get crls here PointIssuerName_n Specifies the name of the issuer that has signed the CRL The name can be in any of the following formats For RFC822Name the value must be a valid Internet mail address For example testCA example com For DirectoryName the value must be a string form of X 500 name similar...

Page 454: ...pecified in dot separated numeric component notation For example 1 2 3 4 55 6 5 99 OtherName is used for names with any other format this supports PrintableString IA5String UTF8String BMPString Any and KerberosName PrintableString IA5String UTF8String BMPString and Any set a string to a base 64 encoded file specifying the subtree such as var lib pki ca othername txt KerberosName has the format Rea...

Page 455: ... to show with which location the parameter is associated Parameter Description Critical Select true to mark this extension critical select false to mark the extension noncritical issuerAltExtType This sets the type of name extension to be used which can be one of the following RFC822Name DirectoryName DNSName EDIPartyName URIName IPAddress OIDName issuerAltExtPattern Specifies the request attribut...

Page 456: ...n B 2 6 No Constraint Parameter Description critical Select true to mark this extension critical select false to mark the extension noncritical digitalSignature Specifies whether to allow signing SSL client certificates and S MIME signing certificates Select true to set nonRepudiation Specifies whether to use for S MIME signing certificates Select true to set WARNING Using this bit is controversia...

Page 457: ...ndicate a name space within which the subject names or subject alternative names in subsequent certificates in a certificate chain should be located For general information about this extension see Section B 3 9 nameConstraints The following constraints can be defined with this default Extension Constraint see Section B 2 3 Extension Constraint No Constraints see Section B 2 6 No Constraint This d...

Page 458: ...llows RFC822Name DirectoryName DNSName EDIPartyName URIName IPAddress OIDName OtherName PermittedSubtreeNameValue_n Specifies the general name value for the permitted subtree to include in the extension For RFC822Name the value must be a valid Internet mail address For example testCA example com For DirectoryName the value must be a string form of X 500 name similar to the subject name in a certif...

Page 459: ...IDName the value must be a unique valid OID specified in dot separated numeric component notation For example 1 2 3 4 55 6 5 99 OtherName is used for names with any other format this supports PrintableString IA5String UTF8String BMPString Any and KerberosName PrintableString IA5String UTF8String BMPString and Any set a string to a base 64 encoded file specifying the subtree such as var lib pki ca ...

Page 460: ...al name type for the excluded subtree to include in the extension The permissible values are as follows RFC822Name DirectoryName DNSName EDIPartyName URIName IPAddress OIDName OtherName ExcludedSubtreeNameValue_n Specifies the general name value for the permitted subtree to include in the extension For RFC822Name the value must be a valid Internet mail address For example testCA example com For Di...

Page 461: ...1 43 0 0 0 0 0 0 13 1 68 3 FFFF FFFF FFFF FFFF FFFF FFFF 255 255 and FF01 43 FFFF FFFF FFFF FFFF FFFF FFFF FF00 0000 For OIDName the value must be a unique valid OID specified in dot separated numeric component notation For example 1 2 3 4 55 6 5 99 For OtherName the values are names with any other format This supports PrintableString IA5String UTF8String BMPString Any and KerberosName PrintableSt...

Page 462: ...n see Section B 4 3 2 netscape comment The following constraints can be defined with this default Extension Constraint see Section B 2 3 Extension Constraint No Constraints see Section B 2 6 No Constraint Parameter Description critical Select true to mark this extension critical select false to mark the extension noncritical CommentContent Specifies the content of the comment to appear in the cert...

Page 463: ...two specified fields must be present For general information about this extension see Section B 3 11 policyConstraints The following constraints can be defined with this default Extension Constraint see Section B 2 3 Extension Constraint No Constraints see Section B 2 6 No Constraint Parameter Description critical Select true to mark this extension critical select false to mark the extension noncr...

Page 464: ...of OIDs each pair identifying two policy statements of two CAs The pairing indicates that the corresponding policies of one CA are equivalent to policies of another CA The extension may be useful in the context of cross certification If supported the extension is included in CA certificates only The default maps policy statements of one CA to that of another by pairing the OIDs assigned to their p...

Page 465: ...ue by specifying one of the values contained in the signingAlgsAllowed parameter signingAlgsAllowed Specify the signing algorithms that can be used for signing this certificate The algorithms can be any or all of the following MD2withRSA MD5withRSA SHA1withRSA SHA256withRSA SHA512withRSA SHA1withEC if ECC is enabled Table B 14 Signing Algorithm Default Configuration Parameters B 1 17 Subject Alter...

Page 466: ...ertSet 9 default params subjAltExtType_3 OtherName policyset serverCertSet 9 default params subjAltExtPattern_3 IA5String 1 2 3 4 server source policyset serverCertSet 9 default params subjAltExtSource_3 UUID4 policyset serverCertSet 9 default params subjAltExtGNEnable_3 true policyset serverCertSet 9 default params subjAltExtType_4 RFC822Name policyset serverCertSet 9 default params subjAltExtGNE...

Page 467: ...nique ID CUID of the smart card token used for requesting the enrollment request upn The Microsoft UPN This has the format UTF8String 1 3 6 1 4 1 311 20 2 3 request up server source Instructs the server to generate a version 4 UUID random number component in the su IA5String 1 2 3 4 server source Table B 15 Variables to Insert Values in the Subject Alternative Name Multiple attributes can be set f...

Page 468: ...n Select URIName if the request attribute value is a non relative URI that includes both a scheme such as http and a fully qualified domain name or IP address of the host For example http hr example com Certificate System supports both IPv4 and IPv6 addresses Select IPAddress if the request attribute value is a valid IP address specified in dot separated numeric component notation For example 128 ...

Page 469: ...arameters B 1 18 Subject Directory Attributes Extension Default This default attaches a Subject Directory Attributes extension to the certificate The Subject Directory Attributes extension conveys any desired directory attribute values for the subject of the certificate The following constraints can be defined with this default Extension Constraint see Section B 2 3 Extension Constraint No Constra...

Page 470: ...sion is included in the certificate with the public key information The following constraints can be defined with this default Extension Constraint see Section B 2 3 Extension Constraint No Constraints see Section B 2 6 No Constraint B 1 20 Subject Name Default This default attaches a server side configurable subject name to the certificate request A static subject name is used as the subject name...

Page 471: ...ile can require specific extensions before enrolling a certificate WARNING Be exceptionally cautious about setting this extension default since it allows users to specify an extension in the certificate request If this default is used then Red Hat strongly recommends using a constraint corresponding to the extension to minimize any possible abuse of the User Supplied Extension Default The user def...

Page 472: ... params exKeyUsageCritical false policyset set1 2 constraint params exKeyUsageOIDs 1 3 6 1 5 5 7 3 2 1 3 6 1 5 5 7 3 4 policyset set1 2 default class_id userExtensionDefaultImpl policyset set1 2 default name User Supplied Extension Default policyset set1 2 default params userExtOID 2 5 29 37 Example B 2 User Supplied Extension Default for the Extended Key Usage Extension In Example B 2 User Suppli...

Page 473: ...ificate profile it allows a user to supply the validity period subject to the constraints set This default profile preserves that user defined validity in the original certificate request when the certificate is issued No inputs are provided to add user supplied validity date to the enrollment form but it is possible to submit a request that contains this information The following constraints can ...

Page 474: ... the number of CA certificates used during certificate validation The chain starts with the end entity certificate being validated and moves up This parameter has no effect if the extension is set in end entity certificates The permissible values are 0 or n The value must be less than the path length specified in the Basic Constraints extension of the CA signing certificate 0 specifies that no sub...

Page 475: ...raint This constraint implements the general extension constraint It checks if the extension is present B 2 4 Key Constraint This constraint checks the key length For example policyset caCertSet 3 constraint params keyType policyset caCertSet 3 constraint params keyMinLength 256 policyset caCertSet 3 constraint params keyMaxLength 4096 Parameter Description keyType Gives a key type this is set to ...

Page 476: ...stead of key material Select true to allow this to be set select false to keep this from being set select a hyphen to indicate no constraints are placed for this parameter keyAgreement Specifies whether to set the extension whenever the subject s public key is used for key agreement Select true to allow this to be set select false to keep this from being set select a hyphen to indicate no constrai...

Page 477: ... request satisfies the criteria set in this constraint B 2 8 Renewal Grace Period Constraint The Renewal Grace Period Constraint sets rules on when a user can renew a certificate based on its expiration date For example users cannot renew a certificate until a certain time before it expires or if it goes past a certain time after its expiration date One important thing to remember when using this ...

Page 478: ... constraint supports all regular expression constructs listed in http java sun com j2se 1 4 1 docs api java util regex Pattern html This allows wildcards such as asterisks to search for any number of the characters and periods to search for any type character For example if the pattern of the subject name constraint is set to uid the certificate profile framework checks if the subject name in the ...

Page 479: ... long as their key usage settings are different This is either true or false The default is true which allows duplicate subject names Table B 27 Unique Subject Name Constraint Configuration Parameters B 2 12 Validity Constraint The Validity constraint checks if the validity in the certificate request satisfies the criteria Parameter Description range The range of the validity period This is an int...

Page 480: ... 29 3B 91 D3 EE 24 E9 AF F6 A1 49 E1 96 70 DE 6F B2 BE 3A 07 1A 0B FD FE 2F 75 FD F9 FC 63 69 36 B6 5B 09 C6 84 92 17 9C 3E 64 C3 C4 C9 Extensions Identifier Netscape Certificate Type 2 16 840 1 113730 1 1 Critical no Certificate Usage SSL CA Secure Email CA ObjectSigning CA Identifier Basic Constraints 2 5 29 19 Critical yes Is CA yes Path Length Constraint UNLIMITED Identifier Subject Key Identi...

Page 481: ...e defined OID for an extension named Netscape Certificate Comment is 2 16 840 1 113730 1 13 The OID assigned to this extension is hierarchical and includes the former Netscape company arc 2 16 840 1 The OID definition entry is http www alvestrand no objectid 2 16 840 1 113730 1 13 html If an OID extension exists in a certificate and is marked critical the application validating the certificate mus...

Page 482: ...s multiple signing keys such as when a CA certificate is renewed The extension consists of one or both of the following An explicit key identifier set in the keyIdentifier field An issuer set in the authorityCertIssuer field and serial number set in the authorityCertSerialNumber field identifying a certificate If the keyIdentifier field exists it is used to select the certificate with a matching s...

Page 483: ...es each of which consists of an OID and optional qualifiers The extension can include a URI to the issuer s Certificate Practice Statement or can embed issuer information such as a user notice in text form This information can be used by certificate enabled applications If this extension is present PKIX Part 1 recommends that policies be identified with an OID only or if necessary only certain rec...

Page 484: ...lications can use these extensions to disallow the use of a certificate in inappropriate contexts Table B 29 PKIX Extended Key Usage Extension Uses lists the uses defined by PKIX for this extension and Table B 30 Private Extended Key Usage Extension Uses lists uses privately defined by Netscape OID 2 5 29 37 Criticality If this extension is marked critical the certificate must be used for one of t...

Page 485: ... at all set the bits as follows digitalSignature 0 for SSL client certificates S MIME signing certificates and object signing certificates nonRepudiation 1 for some S MIME signing certificates and object signing certificates WARNING Use of this bit is controversial Carefully consider the legal consequences of its use before setting it for any certificate keyEncipherment 2 for SSL server certificat...

Page 486: ...PKIX Part 1 recommends that it should be marked critical if it is used Purpose of Certificate Required Key Usage Bit CA Signing keyCertSign cRLSign SSL Client digitalSignature SSL Server keyEncipherment S MIME Signing digitalSignature S MIME Encryption keyEncipherment Certificate Signing keyCertSign Object Signing digitalSignature Table B 31 Certificate Uses and Corresponding Key Usage Bits B 3 9 ...

Page 487: ...itical B 3 11 policyConstraints This extension which is for CA certificates only constrains path validation in two ways It can be used to prohibit policy mapping or to require that each certificate in a path contain an acceptable policy identifier PKIX requires that if present this extension must never consist of a null sequence At least one of the two available fields must be present OID 2 5 29 3...

Page 488: ...er URI PKIX requires this extension for entities identified by name forms other than the X 500 distinguished name DN used in the subject field PKIX Part 1 describes additional rules for the relationship between this extension and the subject field Email addresses may be provided in the Subject Alternative Name extension the certificate subject name field or both If the email address is part of the...

Page 489: ...ublication the X 509 standard for CRL formats has been amended to include additional information within a CRL This information is added through CRL extensions The extensions defined by ANSI X9 and ISO IEC ITU for X 509 CRLs X 509 X9 55 allow additional attributes to be associated with CRLs The Internet X 509 Public Key Infrastructure Certificate and CRL Profile available at RFC 5280 4 recommends a...

Page 490: ...can recognize the ID If it can it uses the extension ID to determine the type of value used B 4 1 2 Sample CRL and CRL Entry Extensions The following is an example of an X 509 CRL version 2 extension The Certificate System can display CRLs in readable pretty print format as shown here As shown in the example CRL extensions appear in sequence and only one instance of a particular extension may appe...

Page 491: ...gPoint MasterCRL Only Contains User Certificates no Only Contains CA Certificates no Indirect CRL no Signature Algorithm SHA1withRSA 1 2 840 113549 1 1 5 Signature 47 D2 CD C9 E5 F5 9D 56 0A 97 31 F5 D5 F2 51 EB 1F CF FA 9E 63 D4 80 13 85 E5 D8 27 F0 69 67 B5 89 4F 59 5E 69 E4 39 93 61 F2 E3 83 51 0B 68 26 CD 99 C4 A2 6C 2B 06 43 35 36 38 07 34 E4 93 80 99 2F 79 FB 76 E8 3D 4C 15 5A 79 4E E5 3F 7E...

Page 492: ...dicator 2 5 29 27 Critical yes Base CRL Number 39 Identifier Issuer Alternative Name 2 5 29 18 Critical no Issuer Names DNSName a f8 sjc redhat com Identifier Authority Key Identifier 2 5 29 35 Critical no Key Identifier 50 52 0C AA 22 AC 8A 71 E3 91 0C C5 77 21 46 9C 0F F8 30 60 Identifier CRL Number 2 5 29 20 Critical no Number 41 Identifier Issuing Distribution Point 2 5 29 28 Critical yes Dist...

Page 493: ...ificate entries in the CRL Section B 4 2 1 Extensions for CRLs Section B 4 2 2 CRL Entry Extensions B 4 2 1 Extensions for CRLs The following CRL descriptions are defined as part of the Internet X 509 v3 Public Key Infrastructure proposed standard Section B 4 2 1 1 authorityInfoAccess Section B 4 2 1 2 authorityKeyIdentifier Section B 4 2 1 3 CRLNumber Section B 4 2 1 4 deltaCRLIndicator Section B...

Page 494: ... DirectoryName or URI accessLocationn If accessLocationType is set to DirectoryName the value must be a string in the form of an X 500 name similar to the subject name in a certificate For example CN CACentral OU Research Dept O Example Corporation C US If accessLocationType is set to URI the name must be a URI the URI must be an absolute pathname and must specify the host For example http testCA ...

Page 495: ...ave this extension OID 2 5 29 20 Criticality This extension must not be critical Parameters Parameter Description enable Specifies whether the rule is enabled which is the default critical Sets whether the extension is marked as critical the default is noncritical Table B 34 CRLNumber Configuration Parameters B 4 2 1 4 deltaCRLIndicator The deltaCRLIndicator extension generates a delta CRL a list ...

Page 496: ...extension must be noncritical Parameters Parameter Description enable Sets whether the extension rule is enabled By default this is disabled critical Marks the extension as critical or noncritical The default is noncritical numPoints Indicates the number of issuing points for the delta CRL from 0 to any positive integer the default is 0 When setting this to an integer other than 0 set the number a...

Page 497: ...at Section B 3 7 issuerAltName Extension OID 2 5 29 18 Parameters Parameter Description enable Sets whether the extension rule is enabled by default this is disabled critical Sets whether the extension is critical by default this is noncritical numNames Sets the total number of alternative names or identities permitted in the extension Each name has a set of configuration parameters nameType and n...

Page 498: ... FF01 43 FFFF FFFF FFFF FFFF FFFF FFFF FF00 0000 OID if the name is an object identifier otherName if the name is in any other name form this supports PrintableString IA5String UTF8String BMPString Any and KerberosName namen Specifies the general name value the allowed values depend on the name type specified in the nameType field For rfc822Name the value must be a valid Internet mail address in t...

Page 499: ...nment comply with the ISO rules for defining OIDs and for registering subtrees of IDs For otherName the names can be any other format this supports PrintableString IA5String UTF8String BMPString Any and KerberosName PrintableString IA5String UTF8String BMPString and Any set a string to a base 64 encoded file specifying the subtree such as var lib pki ca othername txt KerberosName has the format Re...

Page 500: ...stribution point The name of the distribution point depends on the value specified for the pointType parameter For directoryName the name must be an X 500 name For example cn CRLCentral ou Research Dept o Example Corporation c US For URIName the name must be a URI that is an absolute pathname and specifies the host For example http testCA example com get crls here NOTE The CRL may be stored in the...

Page 501: ...Internet X 509 v3 Public Key Infrastructure proposed standard All of these extensions are noncritical B 4 2 2 1 certificateIssuer The Certificate Issuer extension identifies the certificate issuer associated with an entry in an indirect CRL This extension is used only with indirect CRLs which are not supported by the Certificate System OID 2 5 29 29 B 4 2 2 2 invalidityDate The Invalidity Date ext...

Page 502: ...cate incompatible with other clients B 4 3 1 netscape cert type The Netscape Certificate Type extension can be used to limit the purposes for which a certificate can be used It has been replaced by the X 509 v3 extensions Section B 3 6 extKeyUsage and Section B 3 3 basicConstraints If the extension exists in a certificate it limits the certificate to the uses specified in it If the extension is no...

Page 503: ...Netscape Defined Certificate Extensions Reference 481 OID 2 16 840 1 113730 13 ...

Page 504: ...482 ...

Page 505: ...blish base 64 encoded files DER encoded files or both depending on the checkboxes selected when the publisher is configured The certificate and CRL content can be viewed by converting the files using the PrettyPrintCert and PrettyPrintCRL tools For details on viewing the content in base 64 and DER encoded certificates and CRLs see Section 8 6 Viewing Certificates and CRLs Published to File By defa...

Page 506: ...P responder During installation the Certificate Manager automatically creates an instance of the LdapUserCertPublisher module for publishing end entity certificates to the directory Parameter Description certAttr Specifies the directory attribute of the mapped entry to which the Certificate Manager should pu userCertificate binary Table C 3 LdapUserCertPublisher Configuration Parameters C 1 4 Ldap...

Page 507: ...to publish the CA certificate This must be crossC caObjectClass Specifies the object class for the CA s entry in the directory This must be certificati Table C 6 LdapCertificatePairPublisher Parameters C 1 7 OCSPPublisher The OCSPPublisher plug in module configures a Certificate Manager to publish its CRLs to an Online Certificate Status Manager The Certificate Manager does not create any instance...

Page 508: ...D CA If the mapper fails to create a second CA entry check the base DN to which the UID Uniqueness plug in is set and check if an entry with the same UID already exists in the directory If necessary adjust the mapper setting remove the old CA entry comment out the plug in or create the entry manually During installation the Certificate Manager automatically creates two instances of the CA certific...

Page 509: ...ctory and maps the CRL to the CA s entry in the directory By default the mapper is configured to create an entry for the CA in the directory The default DN pattern for locating the CA s entry is as follows uid subj cn ou people o subj o C 2 2 LdapDNExactMap The LdapDNExactMap plug in module configures a Certificate Manager to map a certificate to an LDAP directory entry by searching for the LDAP e...

Page 510: ...this mapper the directory entries must include the specified LDAP attribute This mapper requires the exact pattern of the subject DN because the Certificate Manager searches the directory for the attribute with a value that exactly matches the entire subject DN For example if the specified LDAP attribute is certSubjectDN and the certificate subject name is uid jdoe o Example Corporation c US the C...

Page 511: ...izational unit in the directory o represents an organization in the directory l represents a locality city st represents a state c represents a country For example the following DN represents the user named Jane Doe who works for the Sales department at Example Corporation which is located in Mountain View California United States cn Jane Doe ou Sales o Example Corporation l Mountain View st Calif...

Page 512: ... of certificates can be set to include the uid component NOTE The e l and st components are not included in the standard set of certificate request forms provided for end entities These components can be added to the forms or the issuing agents can be required to insert these components when editing the subject name in the certificate issuance forms C 2 5 1 Configuration Parameters of LdapDNCompsM...

Page 513: ...erforms a verification For example if filterCom attributes filterComps e uid the server searches the directory for an entry whose information gathered from the certificate The permissible values are valid directory attributes in the certificate DN separated by co need to be attribute names from the certificate not from ones in the LDAP directory For attribute for the user s email address LDAP call...

Page 514: ...apUserCertRule is used to publish user certificates to an LDAP directory Parameter type predicate enable mapper publisher Table C 13 LdapUserCert Rule Configuration Parameters C 3 4 LdapCRLRule The LdapCRLRule is used to publish CRLs to an LDAP directory Parameter type predicate enable mapper publisher Table C 14 LdapCRL Rule Configuration Parameters ...

Page 515: ...tion Each rule which allows or denies access to a resource is called an access control instruction ACI The sum of all of the ACIs for a resource is an access control list Before defining the actual ACI the ACL attribute is first applied to a specific plug in class used by the Certificate System subsystem This focuses each ACL to a specific function performed by the subsystem providing both more se...

Page 516: ...es manage access to basic and common configuration settings such as logging and adding users and groups IMPORTANT These ACLs are common in that the same ACLs are occur in each subsystem instance s acl ldif file These are not shared ACLs in the sense that the configuration files or settings are held in common by all subsystem instances As with all other instance configuration these ACLs are maintai...

Page 517: ...ption import Import a CA administrator certificate Table D 3 certServer admin certificate ACL Summary D 2 3 certServer admin request enrollment Controls access to enrollment processes including submitting enrollment requests and processing and accessing enrollment requests By default anyone can submit a certificate request but only CA agents can process them NOTE This entry is associated with the ...

Page 518: ...odify authentication instances Table D 5 certServer auth configuration ACL Summary D 2 5 certServer clone configuration Controls who can clone the configuration for an instance The default setting is allow modify read group Enterprise CA Administrators group Enterprise KRA Administrators group Enterprise RA Administrators group Enterprise OCSP Administrators group Enterprise TKS Administrators Ope...

Page 519: ...Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents allow modify group Administrators Operations Description read View log plug in information log plug in configuration and log instance configuration List log plug ins an modify Add and delete log plug ins and log instances Modify log instances Table D 8 certServer log configuration ACL Summary D 2 8 certServer ...

Page 520: ...istration Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents group Auditors Operations Description read View log content List all logs Table D 11 certServer log content ACL Summary D 2 11 certServer log content signedAudit Explicitly denies access to the signed audit logs for all users except the auditor The default setting is deny read group Administr...

Page 521: ...tors group Certificate Manager Agents group Registration Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents allow modify group Administrators Operations Description read View users groups and user s certificates Find users and groups modify Add modify and delete groups and users Add and modify a user certificate Table D 14 certServer usrgrp administrat...

Page 522: ...tatus of a certificate from revoked revoke Revoke certificates or approve certificate revocation requests read Retrieve certificates based on the request ID and display certificate details based on the request ID Table D 16 certServer ca certificate ACL Summary D 3 3 certServer ca certificates Controls operations for listing or revoking certificates through the agent services interface The default...

Page 523: ...sions configuration and CRL issuing points configuration modify Add and delete CRL issuing points Modify general CA settings CA connector configuration CRL issuing request notification configuration revocation notification configuration request in queue notification confi Table D 19 certServer ca configuration ACL Summary D 3 6 certServer ca connector Controls operations to submit requests over a ...

Page 524: ... update Update CRLs Table D 22 certServer ca crl ACL Summary D 3 9 certServer ca directory Controls access to the LDAP directory used for publishing certificates and CRLs allow update group Certificate Manager Agents Operations Description update Publish CA certificates and user certificates to the LDAP directory Table D 23 certServer ca directory ACL Summary D 3 10 certServer ca group Controls ac...

Page 525: ...cess to certificate profile configuration in the agent services pages allow read approve group Certificate Manager Agents Operations Description read View the details of the certificate profiles approve Approve and enable certificate profiles Table D 26 certServer ca profile ACL Summary D 3 13 certServer ca profiles Controls access to list certificate profiles in the agent services interface allow...

Page 526: ... user anybody allow read execute assign unassign group Certificate Manager Agents Operations Description submit Submit an enrollment request read View an enrollment request execute Modify the approval state of a request assign Assign a request to a Certificate Manager agent unassign Change the assignment of a request Table D 29 certServer ca request enrollment ACL Summary D 3 16 certServer ca requ...

Page 527: ...tchain Controls who can access the CA certificate chain in the end entities page allow download read user anybody Operations Description download Download the CA s certificate chain read View the CA s certificate chain Table D 33 certServer ee certchain ACL Summary D 3 20 certServer ee certificate Controls who can access certificates for most operations like importing or revoking certificates thro...

Page 528: ...ss to CRLs through the end entities page allow read add user anybody Operations Description read Retrieve and view the certificate revocation list add Add CRLs to the OCSP server Table D 36 certServer ee crl ACL Summary D 3 23 certServer ee profile Controls some access to certificate profiles in the end entities page including who can view details about a profile or submit a request through the pr...

Page 529: ...CL Summary D 3 26 certServer ee request ocsp Controls access based on IP address on which clients submit OCSP requests allow submit ipaddress Operations Description submit Submit OCSP requests Table D 40 certServer ee request ocsp ACL Summary D 3 27 certServer ee request revocation Controls what users can submit certificate revocation requests in the end entities page allow submit user anybody Ope...

Page 530: ... Summary D 3 30 certServer kra configuration Controls who can view and manage the DRM instance configuration allow read group Administrators group Auditors group Certificate Manager Agents group Registration Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents allow modify group Administrators Operations Description read View automatic key recovery autom...

Page 531: ...e D 46 certServer policy configuration ACL Summary D 3 33 certServer profile configuration Controls access to the certificate profile configuration The default setting is allow read group Administrators group Certificate Manager Agents group Registration Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents group Auditors allow modify group Administrators...

Page 532: ...any RA associated with the Certificate Manager The default configuration is allow read group Administrators group Auditors group Certificate Manager Agents group Registration Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents allow modify group Administrators Operations Description read View the RA configuration modify Modify the RA configuration Table...

Page 533: ...Description read View basic job settings job instance settings and job plug in settings List job plug ins and job instances modify Add and delete job plug ins and job instances Modify job plug ins and job instances Table D 51 certServer job configuration ACL Summary D 4 2 certServer kra certificate transport Controls who can view the transport certificate for the DRM allow read user anybody Operat...

Page 534: ...overy requests to the DRM The default configuration is allow read submit group Data Recovery Manager Agents Operations Description read View key recovery request information submit Submit or initiate key recovery requests through the agent services pages Table D 55 certServer kra GenerateKeyPair ACL Summary D 4 6 certServer kra getTransportCert Controls who can submit key recovery requests to the ...

Page 535: ...recover Retrieve key information from the database to perform a recovery operation download Download key information through the agent services pages Table D 58 certServer kra key ACL Summary D 4 9 certServer kra keys Controls who can list archived keys through the agent services pages allow list group Data Recovery Manager Agents Operations Description list Search for and list a range of archived...

Page 536: ... certServer kra request status Controls who can view the status for a key recovery request in the end entities page allow read group Data Recovery Manager Agents Operations Description read Retrieve the status of a key recovery request in the agents services pages Table D 62 certServer kra request status ACL Summary D 4 13 certServer kra requests Controls who can list key archival and recovery req...

Page 537: ...rver kra TokenKeyRecovery ACL Summary D 5 Online Certificate Status Manager Specific ACLs This section covers the default access control configuration attributes which are set specifically for the Online Certificate Status Manager The OCSP responder s ACL configuration also includes all of the common ACLs listed in Section D 2 Common ACLs There are access control rules set for each of the OCSP s i...

Page 538: ...certServer ee request ocsp Controls access based on IP address on which clients submit OCSP requests allow submit ipaddress Operations Description submit Submit OCSP requests Table D 68 certServer ee request ocsp ACL Summary D 5 4 certServer ocsp ca Controls who can add a Certificate Manager to the Online Certificate Status Manager configuration The default setting is allow add group Online Certif...

Page 539: ...icate Manager s OCSP services The default configuration is allow read group Administrators group Certificate Manager Agents group Registration Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents group Auditors allow modify group Administrators Operations Description read View CRL plug in information general CA configuration CA connector configuration CR...

Page 540: ...who can read information about the OCSP responder allow read group Online Certificate Status Manager Agents Operations Description read View OCSP responder information Table D 75 certServer ocsp info ACL Summary D 5 11 certServer ocsp systemstatus Controls who can view the statistics for the Online Certificate Status Manager instance read allow read group Online Certificate Status Manager Agents O...

Page 541: ...istrators Operations Description modify Create or edit user and group entries for the instance read View user and group entries for the instance Table D 78 certServer tks group ACL Summary D 6 3 certServer tks importTransportCert Controls who can import the transport certificate used by the TKS to deliver keys allow modify read group Enterprise CA Administrators group Enterprise KRA Administrators...

Page 542: ...tions Description read View the user and agent entries and configuration modify Edit existing user and agent entries or create new user accounts Table D 81 certServer tks registerUser ACL Summary D 6 6 certServer tks sessionkey Controls who can view the session keys used by the TKS instance to connections to the TPS allow read group Token Key Service Manager Agents Operations Description read View...

Page 543: ...ent An enrollment that requires an agent to approve the request before the certificate is issued agent services 1 Services that can be administered by a Certificate System agent through HTML pages served by the Certificate System subsystem for which the agent has been assigned the necessary privileges 2 The HTML pages for administering such services attribute value assertion AVA An assertion of th...

Page 544: ...dentifies a certificate authority See also certificate authority CA subordinate CA root CA CA hierarchy A hierarchy of CAs in which a root CA delegates the authority to issue certificates to subordinate CAs Subordinate CAs can also expand the hierarchy by delegating issuing status to other CAs See also certificate authority CA subordinate CA root CA CA server key The SSL server key of the server p...

Page 545: ...ertificate changes even by a single character the same function produces a different number Certificate fingerprints can therefore be used to verify that certificates have not been tampered with Certificate Management Messages over Cryptographic Message Syntax CMC Message format used to convey a request for a certificate to a Certificate Manager A proposed standard from the Internet Engineering Ta...

Page 546: ...ng the SSL protocol See Secure Sockets Layer SSL CMC See Certificate Management Messages over Cryptographic Message Syntax CMC CMC Enrollment Features that allow either signed enrollment or signed revocation requests to be sent to a Certificate Manager using an agent s signing certificate These requests are then automatically processed by the Certificate Manager CMMF See Certificate Management Mes...

Page 547: ...very of RSA encryption keys for end entities A Certificate Manager can be configured to archive end entities encryption keys with a Data Recovery Manager before issuing new certificates The Data Recovery Manager is useful only if end entities are encrypting data such as sensitive email that the organization may need to recover someday It can be used only with end entities that support dual key pai...

Page 548: ...re with the signer s public key and comparison with another hash of the same data provides tamper detection Verification of the certificate chain for the certificate containing the public key provides authentication of the signer See also nonrepudiation encryption distribution points Used for CRLs to define a set of certificates Each distribution point is defined by a set of certificates that are ...

Page 549: ...e certificate fingerprint FIPS PUBS 140 1 Federal Information Standards Publications FIPS PUBS 140 1 is a US government standard for implementations of cryptographic modules hardware or software that encrypts and decrypts data or performs other cryptographic operations such as creating or verifying digital signatures Many products sold to the US government must comply with one or more of the FIPS ...

Page 550: ...rvices JSS A Java interface for controlling security operations performed by Netscape Security Services NSS K KEA See Key Exchange Algorithm KEA key A large number used by a cryptographic algorithm to encrypt or decrypt data A person s public key for example allows other people to encrypt messages intended for that person The messages must then be decrypted by using the corresponding private key k...

Page 551: ...scape Security Services NSS A set of libraries designed to support cross platform development of security enabled communications applications Applications built using the NSS libraries support the Secure Sockets Layer SSL protocol for authentication tamper detection and encryption and the PKCS 11 protocol for cryptographic token interfaces NSS is also available separately as a software development...

Page 552: ...PKCS 11 module also called a cryptographic module or cryptographic service provider can be implemented in either hardware or software A PKCS 11 module always has one or more slots which may be implemented as physical hardware slots in some form of physical reader such as for smart cards or as conceptual slots in software Each slot for a PKCS 11 module can in turn contain a token which is the hardw...

Page 553: ...ying and managing certificates Certificate System is comprised of five major subsystems that can be installed in different Certificate System instances in different physical locations Certificate Manager Online Certificate Status Manager Data Recovery Manager Token Key Service and Token Processing System registration See enrollment root CA The certificate authority CA with a self signed certificat...

Page 554: ...he way to sign on to Red Hat Certificate System by storing the passwords for the internal database and tokens Each time a user logs on he is required to enter this single password 2 The ability for a user to log in once to a single computer and be authenticated automatically by a variety of servers within a network Partial single sign on solutions can take many forms including mechanisms for autom...

Page 555: ...riginal version of the same data token A hardware or software device that is associated with a slot in a PKCS 11 module It provides cryptographic services and optionally stores certificates and keys tree hierarchy The hierarchical structure of an LDAP directory trust Confident reliance on a person or other entity In a public key infrastructure PKI trust refers to the relationship between the user ...

Page 556: ...534 ...

Page 557: ...ertificates 406 buffered logging 361 C CA certificate 4 configuring ECC signing algorithm 55 prompting for subsystem passwords existing instance 289 new instance 288 CA certificate mapper 486 CA certificate publisher 484 485 CA signing certificate 4 388 changing trust settings of 413 deleting 412 nickname 388 requesting 394 viewing details of 411 certificate viewing content 231 certificate chains ...

Page 558: ...iguration file 279 279 CS cfg 279 format 280 Configuration tab 14 CRL viewing content 231 CRL Distribution Point extension 172 CRL extension modules CRLReason 430 CRL publisher 484 CRL signing certificate 5 170 requesting 394 cRLDistributionPoints 461 CRLNumber 473 CRLReason 479 CRLs defined 169 entering multiple update times 178 entering update period 178 extension specific modules 467 extensions...

Page 559: ...suer 479 certificatePolicies 461 cRLDistributionPoints 461 CRLNumber 473 CRLReason 479 deltaCRLIndicator 473 extKeyUsage 462 invalidityDate 479 issuerAltName 463 475 issuingDistributionPoint 477 keyUsage 463 nameConstraints 464 netscape cert type 480 Netscape defined 480 policyConstraints 465 policyMappings 465 privateKeyUsagePeriod 466 subjectAltName 466 subjectDirectoryAttributes 466 tool for jo...

Page 560: ...le 382 services that are logged 359 types of logs 359 Audit 363 Error 366 M mail server used for notifications 257 managing certificate database 407 mapper modules deleting 233 registering new ones 233 mappers created during installation 214 486 488 mappers that use CA certificate 486 DN components 488 modifying privileged user s group membership 331 N Name extension modules Issuer Alternative Nam...

Page 561: ...privileged users deleting 333 modifying privileges group membership 331 types agents 329 profile variables RA 52 profiles how profiles work 23 prompting for system passwords 287 publisher modules deleting 233 registering new ones 233 publishers created during installation 214 484 484 485 publishers that can publish to CA s entry in the directory 484 484 485 files 483 OCSP responder 485 users entri...

Page 562: ... requesting 394 viewing details of 411 starting subsystem instance 295 Status tab 14 stopping subsystem instance 295 storage key pair 391 subjectAltName 466 subjectDirectoryAttributes 466 subjectKeyIdentifier subjectKeyIdentifier 467 subsystem certificate 388 390 392 nickname 388 390 392 subsystems configuring password file 286 passwords required at startup 288 subsystems for certificates Certific...

Page 563: ...288 setting profiles 351 users 349 Windows smart card login 55 transport certificate 391 changing trust settings of 413 deleting 412 viewing details of 411 trusted managers deleting 333 modifying group membership 331 U unbuffered logging 361 user certificate 5 requesting 77 users creating 332 W why to revoke certificates 171 Windows smart card login 55 ...

Page 564: ...542 ...