5.2. Common Criteria Environment: A Walkthrough of the Preparation, Installation, and Configuration for a Certified PKI

As with a standard PKI environment, a Common Criteria-certified deployment has certain required preparation (covered in Chapter 6, Prerequisites and Preparation for Installation), required instance creation parameters (Chapter 7, Installing and Configuring Certificate System), and required post-installation configuration for certain subsystem features (Chapter 8, After Configuration: Checklist of Configuration Areas for Deploying Certificate System). Because of the parameters of the Common Criteria certification process, the design of a Common Criteria environment is less flexible than a standard PKI environment: certain configuration and settings must be implemented. Configuring a Common Criteria environment includes all of the steps in Section 5.1, “Basic Setup: A Walkthrough of the Prerequisites, Installation, and Configuration for a Standard Environment”, with additional steps to harden the environment or the individual subsystem configuration.
This walk-through shows, at a very high level, the major steps to deploy a Common Criteria-certified Certificate System PKI. Familiarize yourself with the overall process first, and then follow the links to go through the detailed procedures.

NOTE

Any of the required steps for a Common Criteria-certified environment, such as configuring server and client SSL authentication with the Red Hat Directory Server, can also be performed in other environments. These steps are optional in general PKI deployments and are required in Common Criteria environments.
  1. A hardware security module must be used to store the subsystem certificates and keys. Initialize the token and make sure that it is running in FIPS 140-2 Level 3 mode. Loading and using HSMs is described in Section 6.3.9, “Setting up HSMs for Storing Certificate System Subsystem Keys and Certificates”.
  2. Make sure SELinux is configured to run in enforcing mode, as described in Section 6.3.6, “Enabling SELinux”.
  3. Create new, specific operating system groups for the Certificate System subsystems to run as. This is described in Section 6.3.7.1, “Creating Operating System Groups”.
  4. Assign users to the operating system groups to perform the subsystem administrative tasks. This is described in Section 6.3.7.2.3, “Associating Existing User Accounts with PKI Groups”.
  5. Install a Red Hat Directory Server, as described in Section 6.3.3, “Installing Red Hat Directory Server”. This can be on a different machine from the Certificate System, which is the recommended scenario for most deployments.
  6. Download the Certificate System packages from the Red Hat Network channel.
  7. For ISO installations (instead of yum), verify the packages by running md5sum or sha256sum. This is part of the process at Section 7.3.2, “Installing from an ISO Image”.
  8. Run pkicreate to create the subsystem instances, as described in Section 7.4, “Creating Subsystem Instances”. Details for the pkicreate options are at Section 7.1, “About pkicreate”. Each subsystem setup section has an example for that subsystem type. Certain options are required:
    • Specify the operating system user to use for the subsystem processes and files with the -user and -group options.
    • Specify the audit group to use for audit operations by specifying the -audit_group option.
    • For all of the Java subsystems, make sure that the instance is able to run with a Java Security Manager (do not use the -sans_security_manager option).

    NOTE

    The RA subsystem is not part of the Common Criteria-certified environment for Certificate System 8.1.
  9. Configure SSL server authentication for the connections with the Directory Server, as described in Section 7.5, “Configuring Server SSL Connections Between Red Hat Directory Server and Red Hat Certificate System”.
  10. Set up all of the subsystems in the environment (CA, DRM, OCSP, TKS, and TPS) by going through the setup wizards, in the same order described in Figure 5.1, “Order of Subsystem Configuration” and steps 7 through 9 in Section 5.1, “Basic Setup: A Walkthrough of the Prerequisites, Installation, and Configuration for a Standard Environment”.

    IMPORTANT

    Configure SSL client authentication when running through the configuration wizard by making sure that the SSL port is set and the SSL checkbox is selected when configuring the LDAP internal database.
  11. Configure the necessary features for the subsystems after they're set up, as described in Chapter 8, After Configuration: Checklist of Configuration Areas for Deploying Certificate System.
    • Set up agent, administrator, and auditor users for each subsystem.
    • Import the CA certificate chain for each browser that will be used by agents or administrators.
    • Configure each subsystem to enable signed audit logging.
    • Set an SSL session timeout period.
    • Schedule backups and plan for restore procedures.
    • Set sudo permissions on the PKI services for the PKI administrators.
    • Configure SSL client authentication with the internal database.
    • For the CA and OCSP, set up CRL publishing and enable OCSP checking.
    • For the CA, remove the unused interfaces from the CA's web.xml file.
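The following pre-flight script is an added example, not part of the Red Hat Certificate System documentation. It checks three of the requirements from the walkthrough above before an instance is created: SELinux in enforcing mode (step 2), ISO checksum verification with sha256sum (step 7), and a pkicreate command line that carries -user, -group and -audit_group and does not pass -sans_security_manager (step 8). The option names come from the text; the sample files and command lines are constructed, and other pkicreate options are omitted.

```shell
#!/bin/sh
# Added pre-flight checks for a Common Criteria deployment (example code only).

# check_selinux_mode "<output of getenforce>": 0 only for "Enforcing".
check_selinux_mode() {
    [ "$1" = "Enforcing" ] && return 0
    echo "SELinux must be Enforcing, found: $1"; return 1
}

# check_pkicreate_args "<pkicreate command line>": 0 if every required option
# is present and the Java Security Manager is not disabled.
# Accepts both "-user pkiuser" and "-user=pkiuser" spellings.
check_pkicreate_args() {
    cmd=" $1 "
    for req in -user -group -audit_group; do
        case "$cmd" in
            *" $req "*|*" $req="*) ;;
            *) echo "missing required option: $req"; return 1 ;;
        esac
    done
    case "$cmd" in
        *" -sans_security_manager "*)
            echo "remove -sans_security_manager: the Security Manager is required"
            return 1 ;;
    esac
    return 0
}

# verify_iso_checksum <checksum file>: 0 only when sha256sum -c confirms every
# file listed in the checksum file (paths are relative to that file).
verify_iso_checksum() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1")" >/dev/null 2>&1 )
}

# Constructed sample input: a stand-in ISO and its matching checksum file.
workdir=$(mktemp -d)
printf 'not a real ISO image\n' > "$workdir/rhcs.iso"
( cd "$workdir" && sha256sum rhcs.iso > rhcs.iso.sha256 )

check_selinux_mode "$(getenforce 2>/dev/null || echo Unknown)" \
    || echo "fix SELinux before continuing"
check_pkicreate_args "pkicreate -user pkiuser -group pkiuser -audit_group pkiaudit" \
    && echo "pkicreate arguments OK"
check_pkicreate_args "pkicreate -user pkiuser -group pkiuser -sans_security_manager" \
    || echo "pkicreate arguments rejected"
verify_iso_checksum "$workdir/rhcs.iso.sha256" && echo "ISO checksum OK"
rm -rf "$workdir"
```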