Red Hat CERTIFICATE SYSTEM 7.2 - AGENT GUIDE User manual

Brand: Red Hat

Model: CERTIFICATE SYSTEM 7.2 - AGENT GUIDE

Type: User manual

This manual is also suitable for

CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Red Hat Certificate System Agent Guide

7.2

Red Hat Certificate System Agent Guide 7.2:

This manual is for agents of Certificate System subsystems. This guide explains the different agent services interfaces for

the Certificate System subsystems and details the agent operations which can be performed. This information is used to

manage and maintain certificates and keys for users in the PKI deployment.

Red Hat, Inc.

1801 Varsity Drive

Raleigh, NC 27606-2072

USA

Phone: +1 919 754 3700

Phone: 888 733 4281

Fax: +1 919 754 3701

PO Box 13588

Research Triangle Park, NC 27709

USA

Documentation-Deployment

V1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/).

Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder.

Distribution of the work or derivative of the work in any standard (paper) book form for commercial purposes is prohibited unless prior permission is ob-

tained from the copyright holder.

Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat, Inc. in the United States and other countries.

All other trademarks referenced herein are the property of their respective owners.

The GPG fingerprint of the [email protected] key is:

CA 20 86 86 2B D6 9D FC 65 F6 EC C4 21 91 80 CD DB 42 A6 0E

Table of Contents

About This Guide ............................................................................................................................... vi

1. Who Should Read This Guide ................................................................................................... vi

2. Required Concepts .................................................................................................................. vi

3. What Is in This Guide .............................................................................................................. vi

4. Conventions Used in This Guide ................................................................................................ vi

5. Documentation ...................................................................................................................... vii

1. Agent Services ................................................................................................................................ 1

1. Overview of Certificate System .................................................................................................. 1

2. Agent Tasks ............................................................................................................................ 3

2.1. Certificate Manager Agent Services .................................................................................. 3

2.2. Data Recovery Manager Agent Services ............................................................................ 5

2.3. Online Certificate Status Manager Agent Services ............................................................... 5

2.4. TPS Agent Services ....................................................................................................... 6

3. Forms for Performing Agent Operations ....................................................................................... 8

4. Accessing Agent Services .........................................................................................................10

2. CA: Working with Certificate Profiles ................................................................................................12

1. About Certificate Profiles .........................................................................................................12

1.1. Profile Definition .........................................................................................................12

1.2. Categories of Certificate Profiles .....................................................................................12

2. Basic Profile Operations for an Agent .........................................................................................12

3. List of Certificate Profiles ........................................................................................................13

3.1. Example Profile ...........................................................................................................14

4. How Certificate Profiles Work ..................................................................................................16

5. Enabling and Disabling Certificate Profiles ..................................................................................17

5.1. Getting Certificate Profile Information .............................................................................17

5.2. End User Certificate Profile ............................................................................................17

5.3. Policy Information ........................................................................................................17

5.4. Approving a Certificate Profile .......................................................................................17

5.5. Disapproving a Certificate Profile ....................................................................................17

3. CA: Handling Certificate Requests .....................................................................................................19

1. Managing Requests .................................................................................................................19

2. Listing Certificate Requests ......................................................................................................20

2.1. Selecting a Request .......................................................................................................22

2.2. Searching Requests .......................................................................................................23

3. Approving Requests ................................................................................................................24

4. Sending an Issued Certificate to the Requester ..............................................................................25

4. CA: Finding and Revoking Certificates ...............................................................................................28

1. Basic Certificate Listing ...........................................................................................................28

2. Advanced Certificate Search .....................................................................................................29

3. Examining Certificates .............................................................................................................33

4. Revoking Certificates ..............................................................................................................34

4.1. Searching for Certificates to Revoke ................................................................................34

4.2. Revoking One or More Certificates ..................................................................................35

4.2.1. Revoking One Certificate ....................................................................................35

4.2.2. Revoking Multiple Certificates .............................................................................36

4.2.3. Confirming a Revocation ....................................................................................36

5. Managing the Certificate Revocation List ....................................................................................38

5.1. Viewing or Examining CRLs ..........................................................................................38

5.2. Updating the CRL ........................................................................................................38

5. CA: Publishing to a Directory ...........................................................................................................40

1. Automatic Directory Updates ....................................................................................................40

2. Manual Directory Updates ........................................................................................................40

6. DRM: Recovering Encrypted Data .....................................................................................................42

1. List Requests .........................................................................................................................42

2. Finding and Recovering Keys ...................................................................................................43

2.1. Finding Archived Keys ..................................................................................................43

2.2. Recovering Keys ..........................................................................................................46

7. OCSP: Agent Services .....................................................................................................................49

1. Listing CAs Identified by the OCSP ...........................................................................................49

2. Identifying a CA to the OCSP ...................................................................................................49

3. Adding a CRL to the OCSP ......................................................................................................51

4. Checking the Revocation Status of a Certificate ............................................................................52

8. TPS: Agent Services ........................................................................................................................54

1. Basic Operations for an Agent and Administrator ..........................................................................54

2. Adding Tokens .......................................................................................................................54

3. Managing Tokens ...................................................................................................................55

3.1. Changing Token Status ..................................................................................................56

3.2. Editing the Token .........................................................................................................58

3.3. Listing Token Certificates ..............................................................................................58

3.4. Conflicting Token Certificate Status Information ................................................................59

3.5. Showing Token Activities ..............................................................................................59

4. Listing and Searching Certificates ..............................................................................................60

5. Searching Token Activities .......................................................................................................61

6. Administrator Operations .........................................................................................................62

6.1. Showing Token Activities ..............................................................................................63

6.2. Editing the Token .........................................................................................................63

6.3. Deleting the Token .......................................................................................................64

Index ...............................................................................................................................................65

Red Hat Certificate System Agent Guide

7.2

About This Guide

This guide describes the agent services interfaces used by Red Hat Certificate System agents to administer subsystem cer-

tificates and keys and other management operations.

1. Who Should Read This Guide

This guide is intended for Certificate System agents, privileged users designated by the Certificate System administrator to

manage requests from end entities for certificate-related services. Each installed Certificate System subsystem # Certificate

Manager, Data Recovery Manager (DRM), Online Certificate Status Manager, Token Key Service (TKS), and Token Pro-

cessing System (TPS) # can have multiple agents.

2. Required Concepts

Before reading this guide, be familiar with the basic concepts of public-key cryptography and the Secure Sockets Layer

(SSL) protocol, including the following topics:

• Encryption and decryption

• Public keys, private keys, and symmetric keys

• Digital signatures

• The role of digital certificates in a public-key infrastructure (PKI)

• Certificate hierarchies

• SSL cipher suites

• The purpose of and major steps in the SSL handshake

3. What Is in This Guide

This guide describes the duties of the agents for the different Certificate System subsystems and explains basic usage and

tasks.

Chapter 1, Agent Services

Chapter 2, CA: Working with Certificate Profiles

Chapter 3, CA: Handling Certificate Requests

Chapter 4, CA: Finding and Revoking Certificates

Chapter 5, CA: Publishing to a Directory

Chapter 6, DRM: Recovering Encrypted Data

Chapter 7, OCSP: Agent Services

Chapter 8, TPS: Agent Services

Table 1. List of Chapters

4. Conventions Used in This Guide

The following conventions are used in this guide:

• Monospaced font is used for any text that appears on the computer screen, commands that the user inputs, file-

names, functions, and examples. For example:

cd /var/lib/rhpki-ca/

• Italics are used for emphasis, variables, book titles, glossary terms, and when a phrase is first used. For example:

This control depends on the access permissions the super user has set for the user.

• Square brackets ([]) enclose commands that are optional. For example:

PrettyPrintCert input_file [output_file]

input_file specifies the path to the file that contains the base-64 encoded certificate. output_file specifies the path to the

file to write the certificate. This argument is optional; if an output file is not specified, the certificate information is

written to the standard output.

• A forward slash (/) is used to separate directories in a path. For example:

Almost all command-line utilities are in the /usr/bin directory.

• Notes and Cautions

Note and Caution boxes indicate important information to be considered before performing tasks.

Note

A note contains information that may be of interest.

Caution

A caution signals a potential risk of losing data, damaging software or hardware, or otherwise disrupting system

performance.

5. Documentation

The Certificate System documentation also contains the following manuals:

• Certificate System Administration Guide explains all administrative functions for the Certificate System, such as

adding users, creating and renewing certificates, managing smart cards, publishing CRLs, and modifying subsystem

settings like port numbers.

• Certificate System Command-Line Tools Guide provides detailed information on Certificate System tools such as

pkicreate, tksTool, and other Certificate System-specific utilities used to manage Certificate System instances.

• Certificate System Enterprise Security Client Guide explains how to install, configure, and use the Enterprise Security

Client, the user client application for managing smart cards, user certificates, and user keys.

• Certificate System Migration Guide provides detailed migration information for migrating all parts and subsystems of

previous versions of Certificate System to Red Hat Certificate System 7.2.

Additional Certificate System information is provided in the CS SDK, which contains an online reference to HTTP inter-

faces, javadocs, samples, and tutorials related to the Certificate System. A downloadable zip file of this material is avail-

able for user interaction with the tutorials.

For the latest information about the Certificate System, including current release notes, complete product documentation,

technical notes, and deployment information, visit the Red Hat Certificate System documentation page:

http://www.redhat.com/docs/manuals/cert-system/

5. Documentation

vii

Chapter 1. Agent Services

This chapter describes the role of the privileged users, agents, in managing Certificate System subsystems. It also intro-

duces the tools that agents use to administer service requests.

1. Overview of Certificate System

Certificate System is a highly configurable set of software components and tools for creating, deploying, and managing

certificates. The standards and services that facilitate the use of public-key cryptography and X.509 version 3 certificates

in a networked environment are collectively called the public-key infrastructure (PKI) for that environment. In any PKI, a

certificate authority (CA) is a trusted entity that issues, renews, and revokes certificates. An end entity is a person, server,

or other entity that uses a certificate to identify itself.

To participate in a PKI, an end entity must enroll, or register, in the system. The end entity typically initiates enrollment by

giving the CA some form of identification and a newly generated public key. The CA uses the information provided to au-

thenticate, or confirm, the identity, then issues the end entity a certificate that associates that identity with the public key

and signs the certificate with the CA's own private signing key.

End entities and CAs may be in different geographic or organizational areas or in completely different organizations. CAs

may include third parties that provide services through the Internet as well as the root CAs and subordinate CAs for indi-

vidual organizations. Policies and certificate content may vary from one organization to another. End-entity enrollment for

some certificates may require physical verification, such as an interview or notarized documents, while enrollment for oth-

ers may be fully automated.

To meet the widest possible range of configuration requirements, the Certificate System permits independent installation

of five separate subsystems, or managers, that play distinct roles:

• Certificate Manager. A Certificate Manager functions as a root or subordinate CA. This subsystem issues, renews, and

revokes certificates and generates certificate revocation lists (CRLs). It can publish certificates, files, and CRLs to an

LDAP directory, to files, and to an Online Certificate Status Protocol (OCSP) responder. The Certificate Manager can

process requests manually (with agent action) or automatically (based on customizable profiles). Publishing tasks can

be performed by the Certificate Manager only. The Certificate Manager also has a built-in OCSP service, enabling OC-

SP-compliant clients to query the Certificate Manager directly about the revocation status of a certificate that it has is-

sued. In certain PKI deployments, it might be convenient to use the Certificate Manager's built-in OCSP service, in-

stead of an Online Certificate Status Manager.

Since CAs can delegate some responsibilities to subordinate CAs, a Certificate Manager might share its load among

one or more levels of subordinate Certificate Managers. Additionally, subsystems can be cloned; the clone uses the

same keys and certificates as the master, so, essentially, the master and clones all function as a single CA. Many com-

plex deployment scenarios are possible.

• Data Recovery Manager. A Data Recovery Manager (DRM) oversees the long-term archival and recovery of private

encryption keys for end entities. A Certificate Manager or a Token Processing System (TPS) can be configured to

archive end entities' private encryption keys with a DRM as part of the process of issuing new certificates.

The DRM is useful only if end entities are encrypting data, using applications such as S/MIME email, that the organiz-

ation may need to recover someday. It can be used only with client software that supports dual key pairs - two separate

key pairs, one for encryption and one for digital signatures. Also, it is possible to do server-side key generation using

the TPS server when enrolling smart cards.

NOTE

The DRM archives encryption keys. It does not archive signing keys, since archiving signing keys would under-

mine the non-repudiation properties of dual-key certificates.

• Online Certificate Status Manager. An Online Certificate Status Manager works as an online certificate validation au-

thority and allows OCSP-compliant clients to verify certificates' current status. The Online Certificate Status Manager

can receive CRLs from multiple Certificate Managers; clients then query the Online Certificate Status Manager for the

revocation status of certificates issued by all the Certificate Managers. For example, in a PKI comprising multiple CAs

(a root CA and many subordinate CAs), each CA can be configured to publish its CRL to the Online Certificate Status

Manager, allowing all clients in the PKI deployment to verify the revocation status of a certificate by querying a single

Online Certificate Status Manager.

NOTE

1 Chapter 1. Agent Services

An online certificate-validation authority is often referred to as an OCSP responder.

• Token Key Service. The Token Key Service (TKS) manages the master and transport keys required to generate and dis-

tribute keys for smart cards. The TKS provides security between tokens and the TPS because it protects the integrity of

the master key and token keys.

• Token Processing System. The Token Processing System (TPS) acts as a registration authority for authenticating and

processing smart card enrollment requests, PIN reset requests, and formatting requests from the Enterprise Security

Client.

Three kinds of users can access Certificate System subsystems: administrators, agents, and end entities. Administrators are

responsible for the initial setup and ongoing maintenance of the subsystems. Administrators can designate users with spe-

cial privileges, agents, for each subsystem. Agents manage day-to-day interactions with end entities, which can be users or

servers and clients, and other aspects of the PKI. End entities must access a Certificate Manager subsystem to enroll for

certificates in a PKI deployment and for certificate maintenance, such as renewal or revocation.

Figure 1.1, “The Certificate System and Users” shows the ports used by administrators, agents, and end entities. All agent

and administrator interactions with Certificate System subsystems occur over HTTPS. End-entity interactions can take

place over HTTP or HTTPS.

Figure 1.1. The Certificate System and Users

2. Agent Tasks

2 Chapter 1. Agent Services

2. Agent Tasks

The designated agents for each subsystem are responsible for the everyday management of end-entity requests and other

aspects of the PKI:

• Certificate Manager agents manage certificate requests received by the Certificate Manager subsystem, maintain and

revoke certificates as necessary, and maintain global information about certificates.

• DRM agents initiate the recovery of lost keys and can obtain information about key service requests and archived keys.

NOTE

Recovering lost or archived key information is done automatically in smart card deployments because the TPS

server is a DRM agent. Smart cards are marked as lost in the TPS agent page, and then another smart card is later

used to recover the old encryption keys automatically during certificate enrollment.

• Online Certificate Status Manager agents can perform tasks such as checking which CAs are currently configured to

publish their CRLs to the Online Certificate Status Manager, identifying a Certificate Manager to the Online Certific-

ate Status Manager, adding CRLs directly to the Online Certificate Status Manager, and viewing the status of OCSP

service requests submitted by OCSP-compliant clients.

• TPS agents can view smart card enrollment and formatting activities, list tokens from the token database, edit token in-

formation, delete tokens from the token database, and mark tokens as permanently lost, temporarily lost, or damaged.

• There is no direct TKS agent interface for TKS agents to interact with the system. However, configured TKS agents

are capable of providing the secure communications channel through the TPS server required for smart card operations

through the token management system. The allowed smart card operations are similar to those for TPS agents.

The privileged operations of an agent are performed through the Certificate System agent services pages. For a user to ac-

cess these pages, the user must have a personal SSL client certificate and have been identified as a privileged user in the

user database by the Certificate System administrator. For more information on creating privileged users, see the Certific-

ate System Administration Guide.

• Section 2.1, “Certificate Manager Agent Services”

• Section 2.2, “Data Recovery Manager Agent Services”

• Section 2.3, “Online Certificate Status Manager Agent Services”

• Section 2.4, “TPS Agent Services”

2.1. Certificate Manager Agent Services

The default entry page for Certificate Manager agent services is shown in Figure 1.2, “Certificate Manager Agent Services

Page”. Only designated Certificate Manager agents, with a valid certificate in their client software, are allowed to access

these pages.

2.1. Certificate Manager Agent

Services

3 Chapter 1. Agent Services

Figure 1.2. Certificate Manager Agent Services Page

A Certificate Manager agent performs the following tasks:

• Handling certificate requests.

An agent can list the certificate service requests received by the Certificate Manager subsystem, assign requests, reject

or cancel requests, and approve requests for certificate enrollment. See Chapter 3, CA: Handling Certificate Requests.

• Finding certificates.

Certificates can be searched individually or searched and listed by different criteria. The details for all returned certific-

ates are then displayed. See Chapter 4, CA: Finding and Revoking Certificates.

• Revoking certificates.

If a user's key is compromised, the certificate must be revoked to ensure that the key is not misused. Certificates be-

longing to users who have left the organization may also need revoked. Certificate Manager agents can find and revoke

a specific certificate or a set of certificates. Users can also request that their own certificates be revoked. See Section 4,

“Revoking Certificates”.

• Updating the CRL.

The Certificate Manager maintains a public list of revoked certificates, called the certificate revocation list (CRL). The

list is usually maintained automatically, but, when necessary, the Certificate Manager agent services page can be used

to update the list manually. See Section 5.2, “Updating the CRL”.

• Publishing certificates to a directory.

The Certificate System can be configured to publish certificates and and CRLs to an LDAP directory. This information

is usually published automatically, but the Certificate Manager agent services page can be used to update the directory

manually. See Section 2, “Manual Directory Updates”.

• Managing certificate profiles.

The agent can enable and disable certificate profiles. A profile must be temporarily disabled for an administrator can

make changes to the profile itself through the administrative interface. Once the changes have been made, the agent

can re-enable the profile for regular use. See Chapter 2, CA: Working with Certificate Profiles.

2.2. Data Recovery Manager Agent

Services

4 Chapter 1. Agent Services

2.2. Data Recovery Manager Agent Services

The default entry page to the DRM agent services is shown in Figure 1.3, “Data Recovery Manager Agent Services Page”.

Only designated DRM agents, with a valid certificate in their client software, are allowed to access these pages.

Figure 1.3. Data Recovery Manager Agent Services Page

A DRM agent performs the following tasks:

• Listing key recovery requests from end entities.

• Listing or searches for archived keys.

• Recovering private data-encryption keys.

• Authorizing and approving key recovery requests.

Key recovery requires the authorization of one or more recovery agents. The DRM administrator designates recovery

agents. Typically, several recovery agents are required to approve key recovery requests in the DRM, so DRM admin-

istrators should designate more than one agent.

For more information on these tasks, see Chapter 6, DRM: Recovering Encrypted Data.

2.3. Online Certificate Status Manager Agent Services

The default entry page to the Online Certificate Status Manager agent services is shown in Figure 1.4, “Online Certificate

Status Manager Agent Services Page”. Only designated Online Certificate Status Manager agents, with a valid certificate

in their client software, are allowed to access these pages.

2.3. Online Certificate Status Man-

ager Agent Services

5 Chapter 1. Agent Services

Figure 1.4. Online Certificate Status Manager Agent Services Page

An Online Certificate Status Manager agent performs the following tasks:

• Checking CAs are currently configured to publish their CRLs to the Online Certificate Status Manager.

• Identifying a Certificate Manager to the Online Certificate Status Manager.

• Adding CRLs manually to the Online Certificate Status Manager.

• Submitting requests for the revocation status of a certificate to the Online Certificate Status Manager.

For more information on these tasks, see Chapter 7, OCSP: Agent Services.

2.4. TPS Agent Services

The TPS agent services page allows operations by two types of users, both agents and administrators.

The default entry page to the TPS agent services is shown in Figure 1.5, “TPS Agent Services Page”. Only designated TPS

agents, with a valid certificate in their client software, are allowed to access these pages.

2.4. TPS Agent Services

6 Chapter 1. Agent Services

Figure 1.5. TPS Agent Services Page

A TPS agent performs the following tasks:

• Listing and searching enrolled tokens by user ID or token CUID.

• Listing and searching certificates associated with enrolled tokens.

• Searching token operations by CUID.

• Editing token information.

• Setting the token status.

The TPS agent services page also has a tab to allow operations from TPS administrators.

2.4. TPS Agent Services

7 Chapter 1. Agent Services

Figure 1.6. TPS Administrator Operations Tab

A TPS administrator can perform the following tasks:

• Listing and searching enrolled tokens by user ID or token CUID.

• Editing token information, including the token owner's user ID.

• Adding tokens.

• Deleting tokens.

For more information about TPS agent and administrator tasks, see Chapter 8, TPS: Agent Services.

3. Forms for Performing Agent Operations

The agent services interfaces are form-based HTML pages that are part of the Certificate System installation. The Certific-

ate System administrator designates users as agents for each installed subsystem (Certificate Manager, Data Recovery

Manager, Online Certificate Status Manager, and TPS). Only a designated agent for a subsystem can use that subsystem's

agent services interface. Additionally, the designated agents must have personal client SSL certificates loaded into their

client software to access the agent services interface.

A subsystem agent with the proper certificates can access agent services forms through the agent services page to manage

certificates. Table 1.1, “Forms Used for Agent Operations”, describes each of these HTML forms.

Form name Description

List Requests (Certificate Manager) Used by Certificate Managers agents to examine, select,

and process requests for certificate services. For instruc-

tions on using this form, see Section 2, “Listing Certificate

Requests”.

List Certificates (Certificate Manager) Used by Certificate Manager agents to list certificates

within a range of serial numbers; the list of returned certi-

ficates can be limited to valid certificates. For instructions

on using this form, see Section 1, “Basic Certificate List-

ing”.

Search for Certificates (Certificate Manager) Used by Certificate Manager agents to search for and list

Certificate System-issued certificates by subject name, cer-

tificate type, the state of the certificate (such as expired or

revoked), and the dates when the certificate was issued, re-

voked, expired, or valid. For instructions on using this

form, see Section 2, “Advanced Certificate Search”.

Revoke Certificates (Certificate Manager) Used by Certificate Manager agents to search for and re-

voke certificates issued by the Certificate System. For in-

structions on using this form, see Section 4, “Revoking

Certificates”.

Update Revocation List (Certificate Manager) Used by Certificate Manager agents for manual updates of

the published CRL. For instructions on using this form, see

Section 5.2, “Updating the CRL”.

Update the Directory Server (Certificate Manager) Used by Certificate Manager agents to update the LDAP

publishing directory with changes in certificate information

like newly issued certificates and updated CRLs. For in-

structions on using this form, see Section 2, “Manual Dir-

ectory Updates”.

Search for Requests Used to search for requests filed by end-entities with the

Certificate System. Searched criteria include request ID

range, request type, request status, and request owner.

Searches are limited by two factors: the total time allowed

for the search operation (in seconds) and maximum num-

3. Forms for Performing Agent

Operations

8 Chapter 1. Agent Services

Form name Description

ber of results to display.

Display Revocation List Used to view the current CRL. The display can be custom-

ized by the issuing point and display type. Clicking on the

CRL number will display the time taken to generate this

CRL, known as the CRL split time.

List Requests (DRM) Used by DRM agents to find and examine requests for key

services. For instructions on using this form, see Section 1,

“List Requests”.

Search for Keys (DRM) Used by DRM agents to find and list specific archived

keys. For instructions on using this form, see Section 2,

“Finding and Recovering Keys”.

Recover Keys (DRM) Used by DRM agents to find and recover specific archived

keys. A key in the list returned by a search is selected and

its recovery is initiated; the recovery must be authorized by

designated key recovery agents. For instructions on using

this form, see Section 2.2, “Recovering Keys”.

Authorize Recovery (DRM) Used to authorize a key recovery request remotely that was

initiated by another DRM agent. For instructions on using

this form, see Section 2.2, “Recovering Keys”.

List Certificate Authorities (Online Certificate Status Man-

ager)

Used to list Certificate Managers that are currently con-

figured to publish their CRLs to the Online Certificate

Status Manager. For instructions, see Section 1, “Listing

CAs Identified by the OCSP”.

Add Certificate Authority (Online Certificate Status Man-

ager)

Used to identify a Certificate Manager to the Online Certi-

ficate Status Manager. For instructions, see Section 2,

“Identifying a CA to the OCSP”.

Add Certificate Revocation List (Online Certificate Status

Manager)

Used to add a CRL to the Online Certificate Status Man-

ager's internal database. For instructions, see Section 3,

“Adding a CRL to the OCSP”.

Check Certificate Status (Online Certificate Status Man-

ager)

Used to check the status of OCSP service requests sent by

OCSP-compliant clients. For instructions, see Section 4,

“Checking the Revocation Status of a Certificate”.

Manage Certificate Profiles (CA) Used to enable and disable supported certificate profiles.

Once a profile is disabled, the administrator can make

changes to the profile by editing the profile configuration

files or through the Console.

OCSP Service (CA) Used to manage the operation of the CA's internal OCSP

service.

List Tokens (TPS) Used to list all the enrolled tokens, which shows all of the

tokens enrolled by the TPS and basic information about the

token. See Section 3, “Managing Tokens”.

Search Tokens (TPS) Used to search for the tokens by either user ID for the user

issued the token or by the contextually unique ID (CUID)

of the token. See Section 3, “Managing Tokens”.

List Certificates (TPS) Used to list all certificates on the token. See Section 4,

“Listing and Searching Certificates”.

Search Certificates (TPS) Used to search for certificates stored on the tokens by

either user ID for the user issued the certificate or by the

contextually unique ID (CUID) of the token. See Section 4,

“Listing and Searching Certificates”.

List Activities (TPS) Used to list all operations performed through the TPS. See

Section 5, “Searching Token Activities”.

Search Activities (TPS) Used to search for operations performed through the TPS.

3. Forms for Performing Agent

Operations

9 Chapter 1. Agent Services

Form name Description

The operations are only searched by the contextually

unique ID (CUID) of the token. See Section 5, “Searching

Token Activities”.

Table 1.1. Forms Used for Agent Operations

4. Accessing Agent Services

Access to the agent services forms requires certificate-based authentication. Only users who authenticate with the correct

certificate and who have been granted the proper access privilege can access and use the forms. Operations are performed

over SSL, so the server connection uses HTTPS on the SSL agent port. The agent services URLs have the following

format:

https://hostname:port/subsystem_type/agent/subsystem_type

If a CA is installed on a host named server.example.com running on port 9443, the agent services interface is

opened using the following URL:

https://server.example.com:9443/ca/agent/ca

There is also a services page for each subsystem. The URL for the services page would be like the following:

https://server.example.com:9443/ca/services

The services page has links to the all of the HTML pages for the subsystem, such as agent and end-entities, as well as the

admin page if the subsystem has not yet been configured.

Figure 1.7. Certificate Manager Services Page

NOTE

The services pages are written in HTML and are intended to be customized. This document describes the default

pages. If an administrator has customized the agent services pages, those pages may differ from those described

4. Accessing Agent Services

10 Chapter 1. Agent Services

here. Check with the Certificate System administrator for information on the local installation.

4. Accessing Agent Services

11 Chapter 1. Agent Services

Chapter 2. CA: Working with Certificate

Profiles

A Certificate Manager agent is responsible for approving certificate profiles that have been configured by a Certificate

System administrator. Certificate Manager agents also manage and approve certificate requests that come from profile-

based enrollments.

1. About Certificate Profiles

1.1. Profile Definition

A certificate profile defines everything associated with issuing a certificate, including the authentication method, the certi-

ficate content (defaults), constraints for content values in the requested certificate type, and the contents of the input and

output forms associated with the certificate profile.

1.2. Categories of Certificate Profiles

There are three categories of information that constitute a certificate profile:

• Profile inputs. Profile inputs are parameters and values that are submitted to the CA when a certificate is requested.

Profile inputs include public keys for the certificate request and the certificate subject name requested by the end entity

for the certificate.

• Profile policy sets. A certificate profile can have one or more policy sets, which are each defined by a set of defaults

and constraints.

• Profile defaults. Profile defaults are parameters and values defined by the CA administrator. Profile defaults in-

clude the authentication mechanism for the end-entity, how long the certificate is valid, and what certificate exten-

sions appear for each type of certificate issued.

• Profile constraints. Profile constraints are parameters and values that form the rules or policies for issuing certific-

ates. Profile constraints include rules like requiring the certificate subject name to have at least one CN component,

setting the validity of a certificate to a maximum of 360 days, or requiring that the subjectaltname extension

always be set to true.

• Profile outputs. Profile outputs are parameters and values that specify the format in which to issue the certificate to the

end entity. Profile outputs include base-64 encoded files, CMMF responses, and PKCS #7 output, which also includes

the CA chain.

2. Basic Profile Operations for an Agent

A CA agent reviews profile requests and takes any of the following actions:

• Approves the certificate request, so the certificate is issued. The end entity then retrieves and uses the certificate.

• Rejects the certificate request, so no certificate is issued. The end entity is notified that the request was rejected for

whatever reasons are specified by the agent. The end entity can also view the request status on the CA's end-entities

page.

• Cancels the certificate request, so no certificate is issued. The end entity is notified that the request was rejected for

whatever reasons are specified by the agent. The end entity can also view the request status on the CA's end-entities

page.

• Updates the certificate request. The agent has the authority to change the certificate request to ensure that the request

follows the policies that have been set. For example, the agent may change the values for certificate extensions.

• Validates the certificate request. Validation tests that the output of the request conforms to the constraints defined in

the profile.

• Assigns the certificate request, so that the certificate request is transferred from agent to another for approval.

12 Chapter 2. CA: Working with Certificate

• Unassigns the certificate request, which removes the certificate request from an agent's queue.

Enrollment requests are submitted to a certificate profile and are subject to the defaults and constraints set up in that certi-

ficate profile, regardless of whether the request was created from the input form associated with the certificate profile or

the request was created elsewhere and submitted preformatted.

3. List of Certificate Profiles

The certificate profiles described here have been pre-defined and are ready to use when the Certificate System is installed.

This set of certificate profiles have been pre-built for the most common types of certificates and provide standard defaults

and constraints, the authentication methods, and inputs and outputs common for these certificate profiles. It is possible to

add more profiles or edit these profiles. An administrator can set up additional defaults and constraints using the CS SDK.

Profile ID Profile Name Description

caUserCert Manual User Dual-Use Certificate En-

rollment

This certificate profile is for enrolling

user certificates.

caDualCert Manual User Signing and Encryption

Certificates Enrollment

This certificate profile is for enrolling

dual user certificates.

caLogCert Manual Log Signing Certificate En-

rollment

This profile is for enrolling audit log

signing certificates

caTPSCert Manual TPS Server Certificate Enroll-

ment

This certificate profile is for enrolling

TPS server certificates.

caServerCert Manual Server Certificate Enrollment This certificate profile is for enrolling

server certificates.

caCAcert Manual Certificate Manager Signing

Certificate Enrollment

This certificate profile is for enrolling

Certificate Manager certificates (CA

signing certificates).

caOCSPCert Manual OCSP Manager Signing Certi-

ficate Enrollment

This certificate profile is for enrolling

OCSP Manager certificates (OCSP

signing certificates).

caTransportCert Manual Data Recovery Manager

Transport Certificate Enrollment

This certificate profile is for enrolling

DRM transport certificates.

caDirAuthCert Directory-Authenticated User Dual-

Use Certificate Enrollment

This certificate profile is for enrolling

user certificates with directory-based

authentication (LDAP authentication).

caAgentServerCert Agent-Authenticated Server Certific-

ate Enrollment

This certificate profile is for enrolling

server certificates with agent authen-

tication.

caAgentFileSigning Agent-Authenticated File Signing This certificate profile is for file sign-

ing with agent authentication.

caFullCMCCert Signed CMC-Authenticated User Cer-

tificate Enrollment

This certificate profile is for enrolling

user certificates by using the CMC

certificate request with CMC signature

authentication; a full CMC request

conforming to the RFC is expected.

caSimpleCMCCert Simple CMC Enrollment Request for

User Certificate

This certificate profile is for enrolling

user certificates by using the CMC

certificate request with CMC signature

authentication; a simple CMC request

conforming to the RFC is expected.

caTokenUserEncryptionKeyEnroll-

ment

Token User Encryption Certificate En-

rollment

This certificate profile is for perform-

ing smart card-based enrollments initi-

ated through the TPS server for en-

cryption certificates.

caTokenUserSigningKeyEnrollment Token User Signing Certificate Enroll- This certificate profile is for perform-

3. List of Certificate Profiles

13 Chapter 2. CA: Working with Certificate

Page is loading ...

Red Hat CERTIFICATE SYSTEM 7.2 - AGENT GUIDE User manual

Brand: Red Hat

Model: CERTIFICATE SYSTEM 7.2 - AGENT GUIDE

Type: User manual

This manual is also suitable for

CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Download PDF

report

Red Hat CERTIFICATE SYSTEM 7.2 - AGENT GUIDE User manual

This manual is also suitable for

Red Hat CERTIFICATE SYSTEM 7.2 - AGENT GUIDE User manual

Related papers

Other documents