Red Hat Certificate System Common Criteria Certification 8.1

Deployment, Planning, and Installation

preparing for a PKI infrastructure

Edition 8.1

Ella Deon Lackey

Legal Notice

Copyright © 2012 Red Hat, Inc.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack Logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
January 31, 2012


This guide covers the major PKI concepts and decisions areas for planning a PKI infrastructure.
About This Guide
1. Examples and Formatting
1.1. Formatting for Examples and Commands
1.2. Tool Locations
1.3. Text Formatting
1.4. Recommended and Required Boxes
2. Additional Reading
3. Giving Feedback
4. Document History
I. Planning How to Deploy Red Hat Certificate System
1. Introduction to Public-Key Cryptography
1.1. Encryption and Decryption
1.1.1. Symmetric-Key Encryption
1.1.2. Public-Key Encryption
1.1.3. Key Length and Encryption Strength
1.2. Digital Signatures
1.3. Certificates and Authentication
1.3.1. A Certificate Identifies Someone or Something
1.3.2. Authentication Confirms an Identity
1.3.3. How Certificates Are Used
1.3.4. Contents of a Certificate
1.3.5. How CA Certificates Establish Trust
1.4. Managing Certificates
1.4.1. Issuing Certificates
1.4.2. Key Management
1.4.3. Renewing and Revoking Certificates
2. Introduction to Red Hat Certificate System
2.1. A Review of Certificate System Subsystems
2.2. How Certificate System Creates PKI (Non-TMS Environment)
2.2.1. Issuing Certificates
2.2.2. Renewing Certificates
2.2.3. Publishing Certificates and CRLs
2.2.4. Revoking Certificates and Checking Status
2.2.5. Archiving and Recovering Keys
2.3. Working with Smart Cards (TMS)
2.3.1. The TKS and Secure Channels
2.3.2. TPS Operations
2.3.3. Token Profiles
2.4. Management and Security for Subsystems
2.4.1. Notifications
2.4.2. Jobs
2.4.3. Logging
2.4.4. Auditing
2.4.5. Self-Tests
2.4.6. Users, Authorization, and Access Controls
2.4.7. Security-Enhanced Linux
2.5. Red Hat Certificate System Services
2.5.1. Administrative Consoles
2.5.2. Agent Interfaces
2.5.3. End User Pages
2.5.4. Enterprise Security Client
3. Supported Standards and Protocols
3.1. PKCS #11
3.2. SSL/TLS, ECC, and RSA
3.2.1. Supported Cipher Suites for RSA
3.2.2. Using ECC
3.3. IPv4 and IPv6 Addresses
3.4. Supported PKIX Formats and Protocols
3.5. Supported Security and Directory Protocols
4. Planning the Certificate System
4.1. Deciding on the Required Subsystems
4.1.1. Using a Single Certificate Manager
4.1.2. Planning for Lost Keys: Key Archival and Recovery
4.1.3. Balancing Certificate Request Processing
4.1.4. Balancing Client OCSP Requests
4.1.5. Using Smart Cards
4.2. Defining the Certificate Authority Hierarchy
4.2.1. Subordination to a Public CA
4.2.2. Subordination to a Certificate System CA
4.2.3. Linked CA
4.2.4. CA Cloning
4.3. Planning Security Domains
4.4. Determining the Requirements for Subsystem Certificates
4.4.1. Determining Which Certificates to Install
4.4.2. Planning the CA Distinguished Name
4.4.3. Setting the CA Signing Certificate Validity Period
4.4.4. Choosing the Signing Key Type and Length
4.4.5. Using Certificate Extensions
4.4.6. Using and Customizing Certificate Profiles
4.4.7. Planning Authentication Methods
4.4.8. Publishing Certificates and CRLs
4.4.9. Renewing or Reissuing CA Signing Certificates
4.5. Planning for Network and Physical Security
4.5.1. Considering Firewalls
4.5.2. Considering Physical Security and Location
4.5.3. Planning Ports
4.6. Tokens for Storing Certificate System Subsystem Keys and Certificates
4.7. Implementing a Common Criteria Environment
4.8. A Checklist for Planning the PKI
II. Installing Red Hat Certificate System
5. A High-Level View of the Setup Process
5.1. Basic Setup: A Walkthrough of the Prerequisites, Installation, and Configuration for a Standard Environment
5.2. Common Criteria Environment: A Walkthrough of the Preparation, Installation, and Configuration for a Certified PKI
6. Prerequisites and Preparation for Installation
6.1. Supported Platforms, Hardware, and Programs
6.1.1. Supported Platforms
6.1.2. Supported Web Browsers
6.1.3. Supported Smart Cards
6.1.4. Supported HSM
6.1.5. Supported Charactersets
6.1.6. Summary of Requirements for Common Criteria
6.2. Packages Installed on Red Hat Enterprise Linux
6.3. Before Installation: Setting up the Operating Environment
6.3.1. Installing the Required Java Development Kit (JDK)
6.3.2. Installing Apache (for the TPS)
6.3.3. Installing Red Hat Directory Server
6.3.4. Installing Additional Operating System Packages
6.3.5. Verifying Firewall Configuration and iptables
6.3.6. Enabling SELinux
6.3.7. Setting up Operating System Users and Groups
6.3.8. Using a Java Security Manager
6.3.9. Setting up HSMs for Storing Certificate System Subsystem Keys and Certificates
7. Installing and Configuring Certificate System
7.1. About pkicreate
7.2. Required Information for Subsystem Configuration
7.3. Installing the Certificate System Packages
7.3.1. Installing through yum
7.3.2. Installing from an ISO Image
7.4. Creating Subsystem Instances
7.4.1. Creating the CA Instance
7.4.2. Creating the RA Instance
7.4.3. Creating the DRM, OCSP, or TKS Instance
7.4.4. Creating the TPS Instance
7.5. Configuring Server SSL Connections Between Red Hat Directory Server and Red Hat Certificate System
7.5.1. Using an External CA to Issue Directory Server Certificates
7.5.2. Using Temporary Self-Signed Directory Server Certificates
7.6. Configuring Certificate System Subsystems
7.6.1. Checklist Before Configuring Subsystem Instances
7.6.2. Setting up CAs
7.6.3. Setting up RAs
7.6.4. Setting up DRMs, OCSPs, and TKSs
7.6.5. Setting up TPSs
7.7. Configuring Subsystems with an HSM in FIPS Mode
7.7.1. Configuring a CA with an HSM in FIPS Mode
7.7.2. Configuring a DRM, OCSP, or TKS with an HSM in FIPS Mode
7.7.3. Configuring a TPS with an HSM in FIPS Mode
8. After Configuration: Checklist of Configuration Areas for Deploying Certificate System
9. Additional Installation Options
9.1. Requesting Subsystem Certificates from an External CA
9.2. Installing with Shared Port Assignments
9.3. Installing an Instance with ECC Enabled
9.3.1. Loading a Third-Party ECC Module
9.3.2. Loading the Certicom ECC Module
9.3.3. Using ECC with an HSM
9.4. Enabling IPv6 for a Subsystem
9.5. Configuring Separate RA Instances
10. Cloning Subsystems
10.1. About Cloning
10.1.1. Cloning for CAs
10.1.2. Cloning for DRMs
10.1.3. Cloning for Other Subsystems
10.1.4. Cloning and Key Stores
10.1.5. LDAP and Port Considerations
10.1.6. Replica ID Numbers
10.2. Exporting Keys from a Software Database
10.3. Cloning a CA
10.4. Cloning OCSP Subsystems
10.5. Cloning DRM Subsystems
10.6. Cloning TKS Subsystems
10.7. Converting Masters and Clones
10.7.1. Converting CA Clones and Masters
10.7.2. Converting OCSP Clones
10.8. Cloning a CA That Has Been Re-Keyed
10.9. Updating CA Clones
11. Silent Configuration
11.1. About pkisilent
11.2. Silently Configuring Subsystems
11.3. Using Different Key Settings
11.4. Cloning a Subsystem Silently
11.5. Performing Silent Configuration Using an External CA
12. Updating and Removing Subsystem Packages
12.1. Updating Certificate System Packages
12.2. Uninstalling Certificate System Subsystems
12.2.1. Removing a Subsystem Instance
12.2.2. Removing Certificate System Subsystem Packages
13. Troubleshooting Installation
III. After Installing Red Hat Certificate System
14. Basic Information for Using Certificate System
14.1. Starting the Certificate System Console
14.2. Starting, Stopping, and Restarting an Instance
14.3. Starting the Subsystem Automatically
14.4. Finding the Subsystem Web Services Pages
14.5. File and Directory Locations for Certificate System
14.5.1. CA Instance Information
14.5.2. RA Instance Information
14.5.3. DRM Instance Information
14.5.4. OCSP Instance Information
14.5.5. TKS Instance Information
14.5.6. TPS Instance Information
14.5.7. Shared Certificate System Subsystem File Locations
A. Supported Algorithms and Curves
A.1. RSA Hashing Algorithms
A.2. ECC Algorithms and Curves
B. Defining the Common Criteria Environment
B.1. Common Criteria: Setup and Operations
B.1.1. PKI Overview
B.1.2. Security Objectives
B.1.3. Security Requirements
B.1.4. Target of Evaluation Security Environment Assumptions
B.1.5. IT Environment Assumptions
B.1.6. Red Hat Certificate System 8.1 Privileged Users and Groups (Roles)
B.1.7. Understanding Setup of Common Criteria Evaluated Red Hat Certificate System 8.1
B.1.8. Common Criteria Deployment Scenarios
B.1.9. Understanding Subsystem Setup
B.1.10. Reporting Security Flaws
B.1.11. Relevant Links
B.2. Example Common Criteria Installations
B.2.1. Non-TMS Common Criteria Setup Procedures
B.2.2. TMS Common Criteria Setup Procedures
B.3. Common Criteria: Security Environment Assumptions
B.3.1. Secure Usage Assumptions
B.3.2. Organization Security Policies
B.4. Common Criteria: Security Objectives
B.4.1. Security Objectives for the Target of Evaluation
B.4.2. Security Objectives for the Environment
B.4.3. Security Objectives for Both the Target of Evaluation and the Environment
B.5. Common Criteria: Security Requirements
B.5.1. Security Requirements for the IT Environment
B.5.2. Target of Evaluation Security Functional Requirements
B.5.3. Target of Evaluation Security Assurance Requirements