Red Hat Certificate System 8.1.1

Admin Guide

for administrators

Edition 8.1.1

Ella Deon Ballard

Legal Notice

Copyright © 2009 Red Hat, Inc.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack Logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
December 20, 2013

Abstract

This manual covers all aspects of installing, configuring, and managing Certificate System subsystems. It also covers management tasks such as adding users; requesting, renewing, and revoking certificates; publishing CRLs; and managing smart cards. This guide is intended for Certificate System administrators.
About This Guide
1. Recommended Concepts
2. What Is in This Guide
3. Supported Platforms, Hardware, and Programs
3.1. Supported Platforms
3.2. Supported Web Browsers
3.3. Supported Smart Cards
3.4. Supported HSM
3.5. Supported Character Sets
4. Additional Reading
5. Giving Feedback
6. Document History
1. Overview of Red Hat Certificate System Subsystems
1.1. How Certificates Are Used
1.1.1. Uses for Certificates
1.1.2. Types of Certificates
1.2. A Review of Certificate System Subsystems
1.2.1. Certificate Manager
1.2.2. Registration Authority
1.2.3. Data Recovery Manager
1.2.4. Online Certificate Status Manager
1.2.5. Token Processing System
1.2.6. Token Key Service
1.2.7. Enterprise Security Client
1.3. A Look at Managing Certificates (Non-TMS)
1.4. A Look at the Token Management System (TMS)
1.5. Red Hat Certificate System Services
1.5.1. Interfaces for Administrators
1.5.2. Agent Interfaces
1.5.3. End User Pages
1.5.4. Enterprise Security Client
I. Setting up Certificate Services
2. Making Rules for Issuing Certificates
2.1. About Certificate Profiles
2.1.1. The Profile
2.1.2. Certificate Extensions: Defaults and Constraints
2.1.3. Inputs and Outputs
2.2. Setting up Certificate Profiles
2.2.1. Creating Certificate Profiles through the CA Console
2.2.2. Editing Certificate Profiles in the Console
2.2.3. Creating and Editing Certificate Profiles through the Command Line
2.2.4. Defining Key Defaults in Profiles
2.2.5. Configuring Cross-Pair Profiles
2.2.6. List of Certificate Profiles
2.3. Configuring Custom Enrollment Profiles to Use with an RA
2.3.1. Default RA Profiles
2.3.2. Creating RA Enrollment Forms
2.3.3. Configuring the Request Queues
2.4. Configuring Renewal Profiles
2.4.1. About Renewal
2.4.2. Creating Custom Renewal Profiles
2.5. Managing Smart Card CA Profiles
2.5.1. Editing Enrollment Profiles for the TPS
2.5.2. Creating Custom TPS Profiles
2.5.3. Using the Windows Smart Card Logon Profile
2.6. Setting the Signing Algorithms for Certificates
2.6.1. Setting the CA's Default Signing Algorithm
2.6.2. Setting the Signing Algorithm Default in a Profile
2.7. Managing CA-Related Profiles
2.7.1. Setting Restrictions on CA Certificates
2.7.2. Changing the Restrictions for CAs on Issuing Certificates
2.7.3. Allowing a CA Certificate to Be Renewed Past the CA's Validity Period
2.8. Managing Subject Names and Subject Alternative Names
2.8.1. Using the Requester CN or UID in the Subject Name
2.8.2. Inserting LDAP Directory Attribute Values and Other Information into the Subject Alt Name
2.8.3. Changing DN Attributes in CA-Issued Certificates
2.8.4. Customizing the Subject DN in a Certificate Request Issued by an RA
3. Setting up Key Archival and Recovery
3.1. About Key Archival and Recovery
3.2. Manually Setting up Key Archival
3.3. Updating CA-DRM Connector Information After Cloning
3.4. Setting up Agent-Approved Key Recovery Schemes
3.4.1. Configuring Agent-Approved Key Recovery in the Console
3.4.2. Configuring Agent-Approved Key Recovery in the Command Line
3.4.3. Customizing the Key Recovery Form
3.5. Testing the Key Archival and Recovery Setup
3.6. Rewrapping Keys in a New Private Storage Key
3.6.1. About DRMTool
3.6.2. Rewrapping and Merging Keys in a New DRM
4. Requesting, Enrolling, and Managing Certificates
4.1. About Enrolling and Renewing Certificates
4.2. Configuring Internet Explorer to Enroll Certificates
4.2.1. About Key Limits and Internet Explorer
4.2.2. Configuring Internet Explorer
4.3. Requesting and Receiving Certificates
4.3.1. Requesting and Receiving a User or Agent Certificate through the End-Entities Page
4.3.2. Requesting Certificates Using certutil
4.4. Signing Files with Certificates
4.5. Performing Bulk Issuance
4.6. Enrolling a Certificate on a Cisco Router
4.6.1. Enabling SCEP Enrollments
4.6.2. Configuring Security Settings for SCEP
4.6.3. Configuring a Router for SCEP Enrollment
4.6.4. Generating the SCEP Certificate for a Router
4.6.5. Working with Subordinate CAs
4.6.6. Re-enrolling a Router
4.6.7. Enabling Debugging
4.7. Configuring and Using the Auto Enrollment Proxy
4.7.1. About Auto Enrollment
4.7.2. Installing and Setting up the Auto Enrollment Proxy
4.7.3. Managing Auto Enrollment Proxy Settings
4.7.4. Manually Requesting Domain Certificates
4.8. Renewing Certificates
4.8.1. Agent-Approved or Directory-Based Renewals
4.8.2. Certificate-Based Renewal
4.8.3. Re-keying Certificates
5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client
5.1. Configuring TPS Smart Card Operation Policies
5.1.1. Configuring Format Policies
5.1.2. Configuring TPS Enrollment Policies
5.1.3. Configuring TPS Renewal Operations
5.1.4. Configuring the PIN Reset Policies
5.1.5. Configuring the Applet Update Policies
5.1.6. Editing TPS Policies in the TPS UI
5.2. Mapping Token Types and Policies to Specified Smart Cards
5.2.1. Default Token Types
5.2.2. Mapping Token Types to Smart Card Operation Policies
5.2.3. Mapping Token Types and TPS Policies in the TPS UI
5.2.4. Example: Token Mapping with Two Different Token Types
5.3. Creating Custom User Token Profiles
5.4. Allowing Token Renewal
5.5. Changing the Token Policy
5.6. Defining Specific Certificates to Add or Recover on a Token
5.6.1. Example Recovery Profiles and Planning New Profiles
5.6.2. Creating a Profile for a Logged-In User to Add Certificates
5.6.3. Creating a Recovery Profile for a Shared Certificate
5.6.4. Creating a Delegation Profile
5.7. Setting Token Status Transitions
5.7.1. Setting Token Transitions for Agent-Initiated Status Changes (UI)
5.7.2. Setting Token Transitions for Token Operations
5.8. Automating Encryption Key Recovery
5.8.1. Configuring Enrollment for Replacement Tokens
5.8.2. Configuring Key Generation for Temporary Tokens
5.9. Routing Revocation Requests to Different CAs
5.9.1. How Revocation Requests Are Sent to the CA
5.9.2. Setting the List of CAs for Revocation Routing
5.10. Managing Shared Keys
5.10.1. Generating Master Keys
5.10.2. Generating and Transporting Wrapped Master Keys
5.10.3. Using HSM for Generating Keys
5.10.4. Updating Master Key Versions and Associating the Master Key with Its Version
5.10.5. Configuring Symmetric Key Changeover
5.10.6. Troubleshooting Master Key and HSM Problems
5.11. Configuring the TPS
5.11.1. Configuring the TPS Administrative UI
5.11.2. Enabling SSL for TPS-Enterprise Security Client Connections
5.11.3. Configuring the Channels between the TPS and Tokens
5.11.4. Configuring or Disabling LDAP Authentication
5.11.5. Configuring the Token Database
5.11.6. Configuring Server-Side Key Generation and Archival of Encryption Keys
5.11.7. Setting TPS Server Password Lengths
5.11.8. Setting TPS Server Search Configuration
5.11.9. Configuring IPv6 Support
5.12. Configuring Connections to Other Subsystems
5.12.1. Editing Subsystem Connections in the TPS UI
5.12.2. Scaling the TPS and Its Support Subsystems
5.12.3. Configuring Multiple Support Subsystem Instances for Different Functions
5.13. Potential Token Operation Errors
6. Revoking Certificates and Issuing CRLs
6.1. About Revoking Certificates
6.1.1. User-Initiated Revocation
6.1.2. Reasons for Revoking a Certificate
6.1.3. CRL Issuing Points
6.1.4. Delta CRLs
6.1.5. Publishing CRLs
6.1.6. Certificate Revocation Pages
6.2. Performing a CMC Revocation
6.2.1. Setting up CMC Revocation
6.2.2. Testing CMCRevoke
6.3. Issuing CRLs
6.3.1. Configuring Issuing Points
6.3.2. Configuring CRLs for Each Issuing Point
6.3.3. Setting CRL Extensions
6.3.4. Setting a CA to Use a Different Certificate to Sign CRLs
6.3.5. Generating CRLs from Cache
6.4. Setting Full and Delta CRL Schedules
6.4.1. Configuring CRL Update Intervals in the Console
6.4.2. Configuring Update Intervals for CRLs in CS.cfg
6.4.3. Configuring CRL Generation Schedules over Multiple Days
6.5. Enabling Revocation Checking
6.5.1. Enabling Automatic Revocation Checking on the CA
6.5.2. Enabling Certificate Revocation Checking for DRM, OCSP, and TKS Users
6.5.3. Enabling Revocation Checking for the TPS and RA
6.6. Using the Online Certificate Status Protocol Responder
6.6.1. Setting up the OCSP Responder
6.6.2. Identifying the CA to the OCSP Responder
6.6.3. Setting the Response for Bad Serial Numbers
6.6.4. Enabling the Certificate Manager's Internal OCSP Service
6.6.5. Submitting OCSP Requests Using the GET Method
6.6.6. Setting up a Redirect for Certificates Issued in Certificate System 7.1 and Earlier
II. Additional Configuration to Manage CA Services
7. Publishing Certificates and CRLs
7.1. About Publishing
7.1.1. Publishers
7.1.2. Mappers
7.1.3. Rules
7.1.4. Publishing to Files
7.1.5. OCSP Publishing
7.1.6. LDAP Publishing
7.2. Configuring Publishing to a File
7.3. Configuring Publishing to an OCSP
7.3.1. Enabling Publishing to an OCSP with Client Authentication
7.3.2. Enabling Publishing to an OCSP without Client Authentication
7.4. Configuring Publishing to an LDAP Directory
7.4.1. Configuring the LDAP Directory
7.4.2. Configuring LDAP Publishers
7.4.3. Creating Mappers
7.4.4. Completing Configuration: Rules and Enabling
7.5. Creating Rules
7.6. Enabling Publishing
7.7. Enabling a Publishing Queue
7.8. Setting up Resumable CRL Downloads
7.8.1. Configuring Resumable CRL Downloads
7.8.2. Retrieving CRLs Using wget
7.8.3. Retrieving Partial CRLs
7.9. Publishing Cross-Pair Certificates
7.10. Testing Publishing to Files
7.11. Viewing Certificates and CRLs Published to File
7.12. Updating Certificates and CRLs in a Directory
7.12.1. Manually Updating Certificates in the Directory
7.12.2. Manually Updating the CRL in the Directory
7.13. Registering Custom Mapper and Publisher Plug-in Modules
8. Authentication for Enrolling Certificates
8.1. Configuring Agent-Approved Enrollment
8.2. Automated Enrollment
8.2.1. Setting up Directory-Based Authentication
8.2.2. Setting up PIN-Based Enrollment
8.2.3. Using Certificate-Based Authentication
8.2.4. Configuring Flat File Authentication
8.3. Using CMC Enrollment
8.3.1. Sending Multiple Requests in a Full CMC Request
8.3.2. Testing CMCEnroll
8.4. Testing Enrollment
8.5. Registering Custom Authentication Plug-ins
9. Using Automated Notifications
9.1. About Automated Notifications for the CA
9.1.1. Types of Automated Notifications
9.1.2. Determining End-Entity Email Addresses
9.1.3. About RA Notifications
9.2. Setting up Automated Notifications for the CA
9.2.1. Setting up Automated Notifications in the Console
9.2.2. Configuring Specific Notifications by Editing the CS.cfg File
9.2.3. Testing Configuration
9.3. Customizing Notification Messages
9.3.1. Customizing CA Notification Messages
9.3.2. Customizing RA Notification Messages
9.4. Configuring a Mail Server for Certificate System Notifications
9.5. Creating Custom Notifications for the CA
10. Setting Automated Jobs
10.1. About Automated Jobs
10.1.1. Setting up Automated Jobs
10.1.2. Types of Automated Jobs
10.2. Setting up the Job Scheduler
10.3. Setting up Specific Jobs
10.3.1. Configuring Specific Jobs Using the Certificate Manager Console
10.3.2. Configuring Jobs by Editing the Configuration File
10.3.3. Configuration Parameters of certRenewalNotifier
10.3.4. Configuration Parameters of requestInQueueNotifier
10.3.5. Configuration Parameters of publishCerts
10.3.6. Configuration Parameters of unpublishExpiredCerts
10.3.7. Frequency Settings for Automated Jobs
10.4. Registering a Job Module
III. Managing the Subsystem Instances
11. The Certificate System Configuration Files
11.1. File and Directory Locations for Certificate System Subsystems
11.1.1. CA Instance Information
11.1.2. RA Instance Information
11.1.3. DRM Instance Information
11.1.4. OCSP Instance Information
11.1.5. TKS Instance Information
11.1.6. TPS Instance Information
11.1.7. Shared Certificate System Subsystem File Locations
11.2. CS.cfg Files
11.2.1. Locating the CS.cfg File
11.2.2. Overview of the CS.cfg Configuration File
11.2.3. Editing the Configuration File
11.3. Managing System Passwords
11.3.1. Configuring the password.conf File
11.3.2. Requiring System Password Prompts
11.3.3. Changing System Passwords
11.4. Configuration Files for Web Services
11.5. Removing Unused Interfaces from web.xml (CA Only)
11.6. Restoring Configuration in web.xml
12. Basic Subsystem Management
12.1. Starting and Stopping Subsystem Instances
12.1.1. Starting and Stopping a Subsystem Server Instance
12.1.2. Restarting a Subsystem after a Machine Restart
12.1.3. Checking the Subsystem Instance Status
12.1.4. Managing Subsystem Processes with chkconfig
12.1.5. Setting sudo Permissions for Certificate System Services
12.2. Opening Subsystem Consoles and Services
12.2.1. Finding the Subsystem Web Services Pages
12.2.2. Starting the Certificate System Administrative Console
12.2.3. Enabling SSL for the Java Administrative Console
12.3. Customizing Web Services
12.3.1. Customizing CA End-Entities Pages
12.3.2. Customizing RA End-Entities Pages
12.3.3. Setting Limits on Searches through the CA End-Entities Pages
12.3.4. Setting SSL Session Timeouts
12.3.5. Configuring Port Forwarding
12.4. Running Subsystems under a Java Security Manager
12.4.1. About the Security Manager Policy Files
12.4.2. Starting a Subsystem Instance without the Java Security Manager
12.5. Configuring Ports
12.5.1. About Port Assignments
12.5.2. Changing a Port Number
12.6. Configuring the LDAP Database
12.6.1. Changing the Internal Database Configuration
12.6.2. Enabling SSL Client Authentication with the Internal Database
12.6.3. Restricting Access to the Internal Database
12.7. Searching the SQLite Database
12.8. Viewing Security Domain Configuration
12.9. Managing the SELinux Policies for Subsystems
12.9.1. About SELinux
12.9.2. Viewing SELinux Policies for Subsystems
12.9.3. Relabeling Subsystem and LDAP Ports
12.9.4. Relabeling nCipher netHSM Contexts
12.10. Backing up and Restoring Certificate System
12.10.1. Backing up and Restoring the LDAP Internal Database
12.10.2. Backing up and Restoring the SQLite Internal Database
12.10.3. Backing up and Restoring the Instance Directory
12.11. Running Self-Tests
12.11.1. Running Self-Tests
12.11.2. Self-Test Logging
12.11.3. Configuring Self-Tests
12.11.4. Modifying Self-Test Configuration
12.12. Configuring POSIX System ACLs
12.12.1. Setting POSIX System ACLs for the CA, DRM, OCSP, TKS, and TPS
12.12.2. Setting POSIX System ACLs for the RA
13. Managing Certificate System Users and Groups
13.1. About Authorization
13.2. Default Groups
13.2.1. Administrators
13.2.2. Auditors
13.2.3. Agents
13.2.4. Enterprise Groups
13.3. Disabling Multi-Roles Support
13.4. Managing Users and Groups for a CA, OCSP, DRM, or TKS
13.4.1. Managing Groups
13.4.2. Managing Users (Administrators, Agents, and Auditors)
13.4.3. Preventing Users from Belonging to Multiple Roles
13.5. Creating and Managing Users and Groups for an RA
13.5.1. Managing RA Groups
13.5.2. Managing RA Users
13.6. Creating and Managing Users for a TPS
13.6.1. Searching for Users
13.6.2. Adding Users
13.6.3. Setting Profiles for Users
13.6.4. Changing Roles for Users
13.6.5. Renewing TPS Agent and Administrator Certificates
13.6.6. Deleting Users
13.7. Configuring Access Control for Users for the CA, OCSP, DRM, and TKS
13.7.1. About Access Control
13.7.2. Changing the Access Control Settings for the Subsystem
13.7.3. Editing ACLs
14. Configuring Subsystem Logs
14.1. About Certificate System Logs
14.1.1. System Log
14.1.2. Transactions Log
14.1.3. Debug Logs
14.1.4. Error Log
14.1.5. Installation Logs
14.1.6. Apache and Tomcat Error and Access Logs
14.1.7. Self-Tests Log
14.2. Managing Logs for the Java Subsystems
14.2.1. An Overview of Log Settings
14.2.2. Viewing Logs
14.2.3. Configuring Logs in the Console
14.2.4. Configuring Logs in the CS.cfg File
14.2.5. Managing Audit Logs
14.2.6. Managing Log Modules
14.3. Managing TPS Logs
14.3.1. An Overview of TPS Log Settings
14.3.2. Configuring TPS Logging in CS.cfg
14.3.3. Managing Audit Logs
14.3.4. Smart Card Error Codes
14.4. Configuring RA Logging
14.4.1. About RA Log Settings
14.4.2. Configuring RA Logs
15. Managing Subsystem Certificates
15.1. Required Subsystem Certificates
15.1.1. Certificate Manager Certificates
15.1.2. RA Certificates
15.1.3. Online Certificate Status Manager Certificates
15.1.4. Data Recovery Manager Certificates
15.1.5. TKS Certificates
15.1.6. TPS Certificates
15.1.7. About Subsystem Certificate Key Types
15.1.8. Using an HSM to Store Subsystem Certificates
15.2. Requesting Certificates through the Console
15.2.1. Requesting Signing Certificates
15.2.2. Requesting Other Certificates
15.3. Renewing Subsystem Certificates
15.3.1. Re-keying Certificates in the End-Entities Forms
15.3.2. Renewing Certificates in the Console
15.3.3. Renewing Certificates Using certutil
15.4. Changing the Names of Subsystem Certificates
15.5. Using Cross-Pair Certificates
15.5.1. Installing Cross-Pair Certificates
15.5.2. Searching for Cross-Pair Certificates
15.6. Managing the Certificate Database
15.6.1. Installing Certificates in the Certificate System Database
15.6.2. Viewing Database Content
15.6.3. Deleting Certificates from the Database
15.7. Changing the Trust Settings of a CA Certificate
15.7.1. Changing Trust Settings through the Console
15.7.2. Changing Trust Settings Using certutil
15.8. Managing Tokens Used by the Subsystems
15.8.1. Detecting Tokens
15.8.2. Viewing Tokens
15.8.3. Changing a Token's Password
IV. References
A. Certificate Profile Input and Output Reference
A.1. Input Reference
A.1.1. Certificate Request Input
A.1.2. CMC Certificate Request Input
A.1.3. Dual Key Generation Input
A.1.4. File-Signing Input
A.1.5. Image Input
A.1.6. Key Generation Input
A.1.7. nsHKeyCertRequest (Token Key) Input
A.1.8. nsNKeyCertRequest (Token User Key) Input
A.1.9. Serial Number Renewal Input
A.1.10. Subject DN Input
A.1.11. Subject Name Input
A.1.12. Submitter Information Input
A.2. Output Reference
A.2.1. Certificate Output
A.2.2. PKCS #7 Output
A.2.3. nsNSKeyOutput
A.2.4. CMMF Output
B. Defaults, Constraints, and Extensions for Certificates and CRLs
B.1. Defaults Reference
B.1.1. Authority Info Access Extension Default
B.1.2. Authority Key Identifier Extension Default
B.1.3. Authentication Token Subject Name Default
B.1.4. Basic Constraints Extension Default
B.1.5. CA Validity Default
B.1.6. Certificate Policies Extension Default
B.1.7. CRL Distribution Points Extension Default
B.1.8. Extended Key Usage Extension Default
B.1.9. Freshest CRL Extension Default
B.1.10. Generic Extension Default
B.1.11. Inhibit Any-Policy Extension Default
B.1.12. Issuer Alternative Name Extension Default
B.1.13. Key Usage Extension Default
B.1.14. Name Constraints Extension Default
B.1.15. Netscape Certificate Type Extension Default
B.1.16. Netscape Comment Extension Default
B.1.17. No Default Extension
B.1.18. OCSP No Check Extension Default
B.1.19. Policy Constraints Extension Default
B.1.20. Policy Mappers Extension Default
B.1.21. Private Key Usage Period Extension Default
B.1.22. Signing Algorithm Default
B.1.23. Subject Alternative Name Extension Default
B.1.24. Subject Directory Attributes Extension Default
B.1.25. Subject Info Access Extension Default
B.1.26. Subject Key Identifier Extension Default
B.1.27. Subject Name Default
B.1.28. User Key Default
B.1.29. User Signing Algorithm Default
B.1.30. User Subject Name Default
B.1.31. User Validity Default
B.1.32. User Supplied Extension Default
B.1.33. Validity Default
B.2. Constraints Reference
B.2.1. Basic Constraints Extension Constraint
B.2.2. CA Validity Constraint
B.2.3. Extended Key Usage Extension Constraint
B.2.4. Extension Constraint
B.2.5. Key Constraint
B.2.6. Key Usage Extension Constraint
B.2.7. Netscape Certificate Type Extension Constraint
B.2.8. No Constraint
B.2.9. Renewal Grace Period Constraint
B.2.10. Signing Algorithm Constraint
B.2.11. Subject Name Constraint
B.2.12. Unique Key Constraint
B.2.13. Unique Subject Name Constraint
B.2.14. Validity Constraint
B.3. Standard X.509 v3 Certificate Extension Reference
B.3.1. authorityInfoAccess
B.3.2. authorityKeyIdentifier
B.3.3. basicConstraints
B.3.4. certificatePoliciesExt
B.3.5. CRLDistributionPoints
B.3.6. extKeyUsage
B.3.7. issuerAltName Extension
B.3.8. keyUsage
B.3.9. nameConstraints
B.3.10. OCSPNocheck
B.3.11. policyConstraints
B.3.12. policyMappings
B.3.13. privateKeyUsagePeriod
B.3.14. subjectAltName
B.3.15. subjectDirectoryAttributes
B.3.16. subjectKeyIdentifier
B.4. CRL Extensions
B.4.1. About CRL Extensions
B.4.2. Standard X.509 v3 CRL Extensions Reference
B.4.3. Netscape-Defined Certificate Extensions Reference
C. Publishing Module Reference
C.1. Publisher Plug-in Modules
C.1.1. FileBasedPublisher
C.1.2. LdapCaCertPublisher
C.1.3. LdapUserCertPublisher
C.1.4. LdapCrlPublisher
C.1.5. LdapDeltaCrlPublisher
C.1.6. LdapCertificatePairPublisher
C.1.7. OCSPPublisher
C.2. Mapper Plug-in Modules
C.2.1. LdapCaSimpleMap
C.2.2. LdapDNExactMap
C.2.3. LdapSimpleMap
C.2.4. LdapSubjAttrMap
C.2.5. LdapDNCompsMap
C.3. Rule Instances
C.3.1. LdapCaCertRule
C.3.2. LdapXCertRule
C.3.3. LdapUserCertRule
C.3.4. LdapCRLRule
D. ACL Reference
D.1. About ACL Configuration Files
D.2. Common ACLs
D.2.1. certServer.acl.configuration
D.2.2. certServer.admin.certificate
D.2.3. certServer.auth.configuration
D.2.4. certServer.clone.configuration.GetConfigEntries
D.2.5. certServer.clone.configuration.UpdateNumberRange
D.2.6. certServer.general.configuration
D.2.7. certServer.log.configuration
D.2.8. certServer.log.configuration.fileName
D.2.9. certServer.log.content.system
D.2.10. certServer.log.content.transactions
D.2.11. certServer.log.content.signedAudit
D.2.12. certServer.registry.configuration
D.3. Certificate Manager-Specific ACLs
D.3.1. certServer.admin.ocsp
D.3.2. certServer.ca.certificate
D.3.3. certServer.ca.certificates
D.3.4. certServer.ca.configuration
D.3.5. certServer.ca.connector
D.3.6. certServer.ca.connectorInfo
D.3.7. certServer.ca.crl
D.3.8. certServer.ca.directory
D.3.9. certServer.ca.group
D.3.10. certServer.ca.ocsp
D.3.11. certServer.ca.profile
D.3.12. certServer.ca.profiles
D.3.13. certServer.ca.registerUser
D.3.14. certServer.ca.request.enrollment
D.3.15. certServer.ca.request.profile
D.3.16. certServer.ca.requests
D.3.17. certServer.ca.systemstatus
D.3.18. certServer.ee.certchain
D.3.19. certServer.ee.certificate
D.3.20. certServer.ee.certificates
D.3.21. certServer.ee.crl
D.3.22. certServer.ee.profile
D.3.23. certServer.ee.profiles
D.3.24. certServer.ee.request.ocsp
D.3.25. certServer.ee.request.revocation
D.3.26. certServer.ee.requestStatus
D.3.27. certServer.job.configuration
D.3.28. certServer.profile.configuration
D.3.29. certServer.publisher.configuration
D.3.30. certServer.securitydomain.domainxml
D.4. Data Recovery Manager-Specific ACLs
D.4.1. certServer.job.configuration
D.4.2. certServer.kra.certificate.transport
D.4.3. certServer.kra.configuration
D.4.4. certServer.kra.connector
D.4.5. certServer.kra.GenerateKeyPair
D.4.6. certServer.kra.getTransportCert
D.4.7. certServer.kra.group
D.4.8. certServer.kra.key
D.4.9. certServer.kra.keys
D.4.10. certServer.kra.registerUser
D.4.11. certServer.kra.request
D.4.12. certServer.kra.request.status
D.4.13. certServer.kra.requests
D.4.14. certServer.kra.systemstatus
D.4.15. certServer.kra.TokenKeyRecovery
D.5. Online Certificate Status Manager-Specific ACLs
D.5.1. certServer.ca.ocsp
D.5.2. certServer.ee.crl
D.5.3. certServer.ee.request.ocsp
D.5.4. certServer.ocsp.ca
D.5.5. certServer.ocsp.cas
D.5.6. certServer.ocsp.certificate
D.5.7. certServer.ocsp.configuration
D.5.8. certServer.ocsp.crl
D.5.9. certServer.ocsp.group
D.5.10. certServer.ocsp.info
D.6. Token Key Service-Specific ACLs
D.6.1. certServer.tks.encrypteddata
D.6.2. certServer.tks.group
D.6.3. certServer.tks.importTransportCert
D.6.4. certServer.tks.keysetdata
D.6.5. certServer.tks.registerUser
D.6.6. certServer.tks.sessionkey
D.6.7. certServer.tks.randomdata
16. Troubleshooting
Glossary
Index