Red Hat Certificate System 8.1

Deployment, Planning, and Installation

preparing for a PKI infrastructure

Edition 8.1.1

Ella Deon Ballard

Legal Notice

Copyright © 2012 Red Hat, Inc.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack Logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
December 20, 2013

Abstract

This guide covers the major PKI concepts and decision areas for planning a PKI infrastructure.
This guide was updated for Errata RHSA-2012:1103.
About This Guide
1. Examples and Formatting
1.1. Formatting for Examples and Commands
1.2. Tool Locations
1.3. Text Formatting
1.4. Recommended and Required Boxes
2. Additional Reading
3. Giving Feedback
4. Document History
I. Planning How to Deploy Red Hat Certificate System
1. Introduction to Public-Key Cryptography
1.1. Encryption and Decryption
1.1.1. Symmetric-Key Encryption
1.1.2. Public-Key Encryption
1.1.3. Key Length and Encryption Strength
1.2. Digital Signatures
1.3. Certificates and Authentication
1.3.1. A Certificate Identifies Someone or Something
1.3.2. Authentication Confirms an Identity
1.3.3. How Certificates Are Used
1.3.4. Contents of a Certificate
1.3.5. How CA Certificates Establish Trust
1.4. Managing Certificates
1.4.1. Issuing Certificates
1.4.2. Key Management
1.4.3. Renewing and Revoking Certificates
2. Introduction to Red Hat Certificate System
2.1. A Review of Certificate System Subsystems
2.2. How Certificate System Creates PKI (Non-TMS Environment)
2.2.1. Issuing Certificates
2.2.2. Renewing Certificates
2.2.3. Publishing Certificates and CRLs
2.2.4. Revoking Certificates and Checking Status
2.2.5. Archiving and Recovering Keys
2.3. Working with Smart Cards (TMS)
2.3.1. The TKS and Secure Channels
2.3.2. TPS Operations
2.3.3. Token Profiles
2.4. Management and Security for Subsystems
2.4.1. Notifications
2.4.2. Jobs
2.4.3. Logging
2.4.4. Auditing
2.4.5. Self-Tests
2.4.6. Users, Authorization, and Access Controls
2.4.7. Security-Enhanced Linux
2.5. Red Hat Certificate System Services
2.5.1. Administrative Consoles
2.5.2. Agent Interfaces
2.5.3. End User Pages
2.5.4. Enterprise Security Client
3. Supported Standards and Protocols
3.1. PKCS #11
3.2. SSL/TLS, ECC, and RSA
3.2.1. Supported Cipher Suites for RSA
3.2.2. Using ECC
3.3. IPv4 and IPv6 Addresses
3.4. Supported PKIX Formats and Protocols
3.5. Supported Security and Directory Protocols
4. Planning the Certificate System
4.1. Deciding on the Required Subsystems
4.1.1. Using a Single Certificate Manager
4.1.2. Planning for Lost Keys: Key Archival and Recovery
4.1.3. Balancing Certificate Request Processing
4.1.4. Balancing Client OCSP Requests
4.1.5. Using Smart Cards
4.2. Defining the Certificate Authority Hierarchy
4.2.1. Subordination to a Public CA
4.2.2. Subordination to a Certificate System CA
4.2.3. Linked CA
4.2.4. CA Cloning
4.3. Planning Security Domains
4.4. Determining the Requirements for Subsystem Certificates
4.4.1. Determining Which Certificates to Install
4.4.2. Planning the CA Distinguished Name
4.4.3. Setting the CA Signing Certificate Validity Period
4.4.4. Choosing the Signing Key Type and Length
4.4.5. Using Certificate Extensions
4.4.6. Using and Customizing Certificate Profiles
4.4.7. Planning Authentication Methods
4.4.8. Publishing Certificates and CRLs
4.4.9. Renewing or Reissuing CA Signing Certificates
4.5. Planning for Network and Physical Security
4.5.1. Considering Firewalls
4.5.2. Considering Physical Security and Location
4.5.3. Planning Ports
4.6. Tokens for Storing Certificate System Subsystem Keys and Certificates
4.7. Implementing a Common Criteria Environment
4.8. A Checklist for Planning the PKI
II. Installing Red Hat Certificate System
5. Prerequisites and Preparation for Installation
5.1. Supported Platforms, Hardware, and Programs
5.1.1. Supported Platforms
5.1.2. Supported Web Browsers
5.1.3. Supported Smart Cards
5.1.4. Supported HSM
5.1.5. Supported Charactersets
5.1.6. Summary of Requirements for Common Criteria
5.2. Packages Installed on Red Hat Enterprise Linux
5.3. Before Installation: Setting up the Operating Environment
5.3.1. Installing the Required Java Development Kit (JDK)
5.3.2. Installing Apache (for the TPS)
5.3.3. Installing Red Hat Directory Server
5.3.4. Installing Additional Operating System Packages
5.3.5. Verifying Firewall Configuration and iptables
5.3.6. Enabling SELinux
5.3.7. Setting up Operating System Users and Groups
5.3.8. Using a Java Security Manager
6. Installing and Configuring Certificate System
6.1. About pkicreate
6.2. Basic Installation
6.2.1. Installing and Configuring a CA
6.2.2. Installing and Configuring a DRM
6.2.3. Installing and Configuring an OCSP Responder
6.2.4. Installing and Configuring an RA
6.3. Configuring a Token Management System
6.3.1. Installing and Configuring a TKS
6.3.2. Installing and Configuring a TPS
7. Installing Red Hat Certificate System with SSL Connections to Red Hat Directory Server
7.1. Using an External CA to Issue Directory Server Certificates
7.2. Using Temporary Self-Signed Directory Server Certificates
8. Using Hardware Security Modules for Subsystem Security Databases
8.1. Setting up HSMs for Storing Certificate System Subsystem Keys and Certificates
8.1.1. Types of Hardware Tokens
8.1.2. Using Hardware Security Modules with Subsystems
8.1.3. Viewing Tokens
8.1.4. Detecting Tokens
8.2. Configuring Subsystems with an HSM in FIPS Mode
8.2.1. Configuring a CA with an HSM in FIPS Mode
8.2.2. Configuring a DRM, OCSP, or TKS with an HSM in FIPS Mode
8.2.3. Configuring a TPS with an HSM in FIPS Mode
8.3. About Retrieving Keys from an HSM
9. Installing an Instance with ECC Enabled
9.1. Loading a Third-Party ECC Module
9.2. Loading the Certicom ECC Module
9.3. Using ECC with an HSM
10. Cloning Subsystems
10.1. About Cloning
10.1.1. Cloning for CAs
10.1.2. Cloning for DRMs
10.1.3. Cloning for Other Subsystems
10.1.4. Cloning and Key Stores
10.1.5. LDAP and Port Considerations
10.1.6. Replica ID Numbers
10.1.7. Custom Configuration and Clones
10.2. Exporting Keys from a Software Database
10.3. Cloning a CA
10.4. Updating CA-DRM Connector Information After Cloning
10.5. Cloning OCSP Subsystems
10.6. Cloning DRM Subsystems
10.7. Cloning TKS Subsystems
10.8. Converting Masters and Clones
10.8.1. Converting CA Clones and Masters
10.8.2. Converting OCSP Clones
10.9. Cloning a CA That Has Been Re-Keyed
10.10. Updating CA Clones
11. Silently Configuring Instances
11.1. About pkisilent
11.2. Silently Configuring Subsystems
11.3. Using Different Key Settings
11.4. Cloning a Subsystem Silently
11.5. Performing Silent Configuration Using an External CA
12. Additional Installation Options
12.1. Requesting Subsystem Certificates from an External CA
12.2. Installing with Shared Port Assignments
12.3. Enabling IPv6 for a Subsystem
12.4. Configuring Separate RA Instances
13. Updating and Removing Subsystem Packages
13.1. Updating Certificate System Packages
13.2. Uninstalling Certificate System Subsystems
13.2.1. Removing a Subsystem Instance
13.2.2. Removing Certificate System Subsystem Packages
14. Troubleshooting Installation, Cloning, and Upgrade
III. After Installing Red Hat Certificate System
15. After Configuration: Checklist of Configuration Areas for Deploying Certificate System
16. Basic Information for Using Certificate System
16.1. Starting the Certificate System Console
16.2. Starting, Stopping, and Restarting an Instance
16.3. Starting the Subsystem Automatically
16.4. Finding the Subsystem Web Services Pages
16.5. File and Directory Locations for Certificate System
16.5.1. CA Instance Information
16.5.2. RA Instance Information
16.5.3. DRM Instance Information
16.5.4. OCSP Instance Information
16.5.5. TKS Instance Information
16.5.6. TPS Instance Information
16.5.7. Shared Certificate System Subsystem File Locations
A. Supported Algorithms and Curves
A.1. RSA Hashing Algorithms
A.2. ECC Algorithms and Curves
A.3. Key Size Limits and Internet Explorer
B. Defining the Common Criteria Environment
B.1. Common Criteria: Setup and Operations
B.1.1. PKI Overview
B.1.2. Security Objectives
B.1.3. Security Requirements
B.1.4. Target of Evaluation Security Environment Assumptions
B.1.5. IT Environment Assumptions
B.1.6. Red Hat Certificate System 8.1 Privileged Users and Groups (Roles)
B.1.7. Understanding Setup of Common Criteria Evaluated Red Hat Certificate System 8.1
B.1.8. Common Criteria Deployment Scenarios
B.1.9. Understanding Subsystem Setup
B.1.10. Reporting Security Flaws
B.1.11. Relevant Links
B.2. Example Common Criteria Installations
B.2.1. Non-TMS Common Criteria Setup Procedures
B.2.2. TMS Common Criteria Setup Procedures
B.3. Common Criteria: Security Environment Assumptions
B.3.1. Secure Usage Assumptions
B.3.2. Organization Security Policies
B.4. Common Criteria: Security Objectives
B.4.1. Security Objectives for the Target of Evaluation
B.4.2. Security Objectives for the Environment
B.4.3. Security Objectives for Both the Target of Evaluation and the Environment
B.5. Common Criteria: Security Requirements
B.5.1. Security Requirements for the IT Environment
B.5.2. Target of Evaluation Security Functional Requirements
B.5.3. Target of Evaluation Security Assurance Requirements
Glossary
Index