Chapter 5. A High-Level View of the Setup Process

The Certificate System is comprised of subsystems which can be independently installed on different servers, multiple instances installed on a single server, and other flexible configurations for availability, scalability, and failover support. The procedures for downloading, installing, and configuring instances of Certificate System subsystems are described in this chapter.


There are different paths for the installation process, depending on the planning decisions that you made and the needs of your environment. Two common scenarios are outlined here:
  • A general setup process with all six subsystems, which assumes a token management system or TMS environment
  • A Common Criteria certified environment, which lays out all of the settings that are part of the target of evaluation for the Common Criteria certification process
The Certificate System servers include six subsystems:
  • Certificate Authority (CA)
  • Registration Authority (RA)
  • Data Recovery Manager (DRM), sometimes referred to as a Key Recovery Authority (KRA)
  • Online Certificate Status Protocol (OCSP) Responder
  • Token Key Service (TKS)
  • Token Processing System (TPS)
Each subsystem is installed and then configured individually. The initial installation is done using package management tools such as RPM; the subsystem setup is done through an HTML-based configuration wizard.
The order in which subsystems are configured is very important because of the basic relationships which are established between subsystems at the time they are installed. For example, every subsystem depends on a certificate authority; the TPS also depends on a TKS and (optionally) DRM.
Order of Subsystem Configuration

Figure 5.1. Order of Subsystem Configuration

The installation process includes not only setting up the individual subsystems but also setting up the environment. The environment configuration is flexible and largely optional; the configuration that you select should depend on the existing network environment and security requirements.
One special case (with stricter requirements on the Certificate System setup) is setting up a Common Criteria environment. The required configuration for the Certificate System certified environment is included as a separate installation outline for convenience.
The complete subsystem setup process includes the preparation for the environment, the instance creation and setup, and then the configuration of major features for each subsystem. Each major setup step is broken into an individual chapter:
The overviews given here show the overall path to take when installing and setting up subsystems. This is a way to visualize and better plan the complete installation and setup process.

5.1. Basic Setup: A Walkthrough of the Prerequisites, Installation, and Configuration for a Standard Environment

There are three major steps to be taken when setting up Certificate System. The first (covered in Chapter 6, Prerequisites and Preparation for Installation) goes through setting up the machine and the environment that will host the subsystem instance — making sure that the platform meets requirements, installing necessary applications and packages, and setting up the operating system. The next step involves creating and configuring the subsystem instance itself (Chapter 7, Installing and Configuring Certificate System). The last step involves customizing the instance by setting up recommended features (Chapter 8, After Configuration: Checklist of Configuration Areas for Deploying Certificate System).
This walk-through simply shows, at a very high level, the major steps for setting up a functional Certificate System. Familiarize yourself with the overall process first, and then follow the links to go through the detailed procedures. The exact configuration, like what subsystem types are installed and the desired post-installation configuration, are dependent on the specific PKI design that you developed as part of planning your Certificate System deployment.
  1. Install a Red Hat Directory Server, as described in Section 6.3.3, “Installing Red Hat Directory Server”. This can be on a different machine from the Certificate System, which is the recommended scenario for most deployments.
  2. Create new, specific operating system groups for the Certificate System subsystems to run as. This is described in Section, “Creating Operating System Groups”.
  3. Assign users to the operating system groups to perform the subsystem administrative tasks. This is described in Section, “Associating Existing User Accounts with PKI Groups”.
  4. Download the Certificate System packages from the Red Hat Network channel. Each subsystem has its own packages, as well as dependencies and related packages. These are listed in Section 6.2, “Packages Installed on Red Hat Enterprise Linux”.
  5. Run pkicreate to create the subsystem instances, as described in Section 7.4, “Creating Subsystem Instances”.
  6. Configure the Certificate System CA subsystem. At least one CA subsystem must be installed and fully configured before any other type of subsystem can be configured.
    See Section, “Configuring a CA” for instructions on setting up the Certificate Manager.
  7. Configure the RA, OCSP, DRM, and TKS subsystems. Once the CA is installed, the other subsystems, except for the TPS, can be installed and configured in any order.
    See Section 7.6.4, “Setting up DRMs, OCSPs, and TKSs” and Section 7.6.3, “Setting up RAs” for the process on installing and configuring the OCSP, DRM, TKS, and RA subsystems.
  8. Configure the TPS subsystem. The TPS requires having an existing TKS and DRM available when it is configured, so this is the last subsystem to set up.
    See Section 7.6.5, “Setting up TPSs” for the process on installing and configuring the TPS.