About This Guide

This guide explains how to install and configure Red Hat Certificate System subsystems.
This guide is intended for experienced system administrators planning to deploy the Certificate System. Certificate System agents should refer to the Certificate System Agent's Guide for information on how to perform agent tasks, such as handling certificate requests and revoking certificates. For information on using Certificate System to manage smart cards and security tokens, see Managing Smart Cards with the Enterprise Security Client.
Before using Certificate System, become familiar with the following concepts:
  • Intranet, extranet, and Internet security and the role of digital certificates in a secure enterprise, including the following topics:
    • Encryption and decryption
    • Public keys, private keys, and symmetric keys
    • Significance of key lengths
    • Digital signatures
    • Digital certificates, including different types of digital certificates
    • The role of digital certificates in a public-key infrastructure (PKI)
    • Certificate hierarchies
  • LDAP and Red Hat Directory Server
  • Public-key cryptography and the Secure Sockets Layer (SSL) protocol, including the following:
    • SSL cipher suites
    • The purpose of and major steps in the SSL handshake

1. Examples and Formatting

1.1. Formatting for Examples and Commands

All of the examples for Red Hat Certificate System commands, file locations, and other usage are given for Red Hat Enterprise Linux 5.6 (32-bit) systems. Be certain to use the appropriate commands and files for your platform.

Example 1. Example Command

To start the Red Hat Certificate System:
service pki-ca start

The directory names are usually instance-specific. For example, the instance names are assumed to be pki-subsystem_type, such as pki-ca.
The port numbers used in the examples for the example subsystem instances are listed in Table 1, “Example Port Assignments for Certificate System 8.1”. The real port numbers used in a deployment depend on the values given when the subsystem was created.

Table 1. Example Port Assignments for Certificate System 8.1

Subsystem   Standard   End-Entity SSL   Agent SSL   Admin SSL   Tomcat
CA          9180       9444             9443        9445        9701
RA          12888      12889            12889
OCSP        11180      11444            11443       11445       11701
DRM         10180      10444            10443       10445       10701
TKS         13180      13444            13443       13445       13701
TPS         7888       7889             7889

The RA and TPS use a single SSL port for both end-entity and agent access, so the Admin SSL and Tomcat columns do not apply to them.

1.2. Tool Locations

All of the tools for Red Hat Certificate System are located in the /usr/bin directory. Because /usr/bin is on the default PATH, these tools can be run from any working directory without specifying the full path to the tool.

1.3. Text Formatting

Certain words are represented in different fonts, styles, and weights. Different character formatting is used to indicate the function or purpose of the phrase being highlighted.
Formatting Style              Purpose
Monospace font                Monospace is used for commands, package names, files and directory paths, and any text displayed in a prompt.
Monospace with a background   This type of formatting is used for anything entered or returned in a command prompt.
Italicized text               Any text which is italicized is a variable, such as instance_name or hostname. Occasionally, this is also used to emphasize a new term or other phrase.
Bolded text                   Most phrases which are in bold are application names, such as Cygwin, or are fields or options in a user interface, such as a User Name Here: field or Save button.
Other formatting styles draw attention to important text.

Note
A note provides additional information that can help illustrate the behavior of the system or provide more detail for a specific issue.

Important
Important information is necessary, but possibly unexpected, such as a configuration change that will not persist after a reboot.

Warning
A warning indicates potential data loss, as may happen when tuning hardware for maximum performance.

1.4. Recommended and Required Boxes

Tasks may be available, recommended, or required to configure a Certificate System deployment. Additionally, some tasks may be recommended for a regular environment but required for a Common Criteria-certified environment. Whether a task is required, and which subsystems it applies to, is shown in the recommended/required graphics at the beginning of major sections.