Part I. Planning How to Deploy Red Hat Certificate System

This section provides an overview of Certificate System, including general PKI principles and specific features of Certificate System and its subsystems. Planning a deployment is vital to designing a PKI infrastructure that adequately meets the needs of your organization.

Table of Contents

1. Introduction to Public-Key Cryptography

1.1. Encryption and Decryption

1.1.1. Symmetric-Key Encryption
1.1.2. Public-Key Encryption
1.1.3. Key Length and Encryption Strength

1.2. Digital Signatures

1.3. Certificates and Authentication

1.3.1. A Certificate Identifies Someone or Something
1.3.2. Authentication Confirms an Identity
1.3.3. How Certificates Are Used
1.3.4. Contents of a Certificate
1.3.5. How CA Certificates Establish Trust

1.4. Managing Certificates

1.4.1. Issuing Certificates
1.4.2. Key Management
1.4.3. Renewing and Revoking Certificates

2. Introduction to Red Hat Certificate System

2.1. A Review of Certificate System Subsystems

2.2. How Certificate System Creates PKI (Non-TMS Environment)

2.2.1. Issuing Certificates
2.2.2. Renewing Certificates
2.2.3. Publishing Certificates and CRLs
2.2.4. Revoking Certificates and Checking Status
2.2.5. Archiving and Recovering Keys

2.3. Working with Smart Cards (TMS)

2.3.1. The TKS and Secure Channels
2.3.2. TPS Operations
2.3.3. Token Profiles

2.4. Management and Security for Subsystems

2.4.1. Notifications
2.4.2. Jobs
2.4.3. Logging
2.4.4. Auditing
2.4.5. Self-Tests
2.4.6. Users, Authorization, and Access Controls
2.4.7. Security-Enhanced Linux

2.5. Red Hat Certificate System Services

2.5.1. Administrative Consoles
2.5.2. Agent Interfaces
2.5.3. End User Pages
2.5.4. Enterprise Security Client

3. Supported Standards and Protocols

3.1. PKCS #11

3.2. SSL/TLS, ECC, and RSA

3.2.1. Supported Cipher Suites for RSA
3.2.2. Using ECC

3.3. IPv4 and IPv6 Addresses

3.4. Supported PKIX Formats and Protocols

3.5. Supported Security and Directory Protocols

4. Planning the Certificate System

4.1. Deciding on the Required Subsystems

4.1.1. Using a Single Certificate Manager
4.1.2. Planning for Lost Keys: Key Archival and Recovery
4.1.3. Balancing Certificate Request Processing
4.1.4. Balancing Client OCSP Requests
4.1.5. Using Smart Cards

4.2. Defining the Certificate Authority Hierarchy

4.2.1. Subordination to a Public CA
4.2.2. Subordination to a Certificate System CA
4.2.3. Linked CA
4.2.4. CA Cloning

4.3. Planning Security Domains

4.4. Determining the Requirements for Subsystem Certificates

4.4.1. Determining Which Certificates to Install
4.4.2. Planning the CA Distinguished Name
4.4.3. Setting the CA Signing Certificate Validity Period
4.4.4. Choosing the Signing Key Type and Length
4.4.5. Using Certificate Extensions
4.4.6. Using and Customizing Certificate Profiles
4.4.7. Planning Authentication Methods
4.4.8. Publishing Certificates and CRLs
4.4.9. Renewing or Reissuing CA Signing Certificates

4.5. Planning for Network and Physical Security

4.5.1. Considering Firewalls
4.5.2. Considering Physical Security and Location
4.5.3. Planning Ports

4.6. Tokens for Storing Certificate System Subsystem Keys and Certificates

4.7. Implementing a Common Criteria Environment

4.8. A Checklist for Planning the PKI