2. Getting and Managing Certificates through CA Services

The Certificate Manager is the subsystem which functions as a certificate authority in Red Hat Certificate System and issues and manages certificates.

2.1. Opening the CA Services Page

The URL for the CA web services can vary depending on your group's server deployment. The default way to connect to the CA web services is to connect to the server over port 9180. For example:
https://server.example.com:9180/
That opens a menu with links to regular user services or agent services. To get directly to the regular user pages, add /ca/ee/ca/ to the end of the URL. For example:
https://server.example.com:9180/ca/ee/ca/
If DNS is properly configured, then an IPv4 or IPv6 address can be used to connect to the services pages, as well as a hostname or fully-qualified domain name. For example:
https://1.2.3.4:9444/ca/services
https://[00:00:00:00:123:456:789:00:]:9444/ca/services

2.2. Generating Certificate Requests

Most user profiles in the CA do not require you to generate a certificate request separately. However, there can be situations where you need to request a certificate that doesn't match the default configuration in the certificate profiles. In that case, you can generate a certificate request and submit it using the Other Certificates profile.
One common example is requesting an ECC certificate. Elliptic curve cryptography (ECC) is a public-key algorithm that is both strong and fast. By default, a Certificate System CA issues RSA certificates (a different cryptographic algorithm), but a CA can be configured to support ECC as well. The CA profiles, however, only generate RSA keys for a certificate, even though they can process both RSA and ECC requests. So, if you want an ECC certificate, you need to generate the ECC keys and prepare a separate certificate request yourself, and then submit that request through the Other Certificates profile.
Windows and Red Hat Enterprise Linux both have a tool called certutil that can generate certificate requests, with slightly different options and settings. There may also be tools or services in your organization that generate certificate requests.
For example (and this command should all be on one line):
certutil -R -k ec -g 256 -s "CN=example cert server.example.com, e=admin@example.com, O=Example Domain" -o request.cert -v 12 -d . -1 -7 -8
For information about using the certutil command, see http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.

Table 3. Options for Requesting Certificates with certutil

Option    Description
-R        Generates a certificate request.
-k        The key type to use; the only native option is rsa. If the CA is ECC-enabled (described in the Installation Guide), then this can also be ec.
-g        The key size. The recommended size for RSA keys is 2048 and for ECC, 256.
-s        The subject name of the certificate.
          NOTE: Certificate System supports all UTF-8 characters for the common name and organizational unit elements included in the subject name of the certificate.
-o        The output file to which to save the certificate request.
-v        The validity period, in months.
-d        The certificate database directory; this is the directory for the subsystem instance.
-1 to -8  These set the available certificate extensions. Only eight can be specified through the certutil tool:
            • Key Usage: 1
            • Basic Constraints: 2
            • Certificate Authority Key ID: 3
            • CRL Distribution Point: 4
            • Netscape Certificate Type: 5
            • Extended Key Usage: 6
            • Email Subject Alternative Name: 7
            • DNS Subject Alternative Name: 8
-a        Outputs the certificate request to an ASCII file instead of binary.

2.3. Requesting Certificates

Certificate requests are submitted to the Certificate Manager through the forms listed in the Enrollment tab. The Certificate Manager has a variety of different certificate request submission forms (called certificate profiles). The type of form to use depends on the type of certificate you need. The different certificate profiles are listed in Table 1, “Available Certificate Profiles”.
Most user certificates can be requested directly through the enrollment forms; there is no need to generate a separate certificate request. Other types of certificates (especially certificates for servers or applications) may require generating a separate certificate request and then submitting it through the enrollment form. Generating certificate requests is covered in Section 2.2, “Generating Certificate Requests”.
To submit a certificate request:
  1. Click the name of the submission form to use.
  2. Fill in the information required for the certificate.
    There are basically two kinds of certificate enrollment forms. One kind accepts certificate request blobs, and the other requires additional user information to build the subject name of the certificate (a major part of its identifier).
    For profiles that accept a certificate request blob:
    • Select the format of the request. There are two options, PKCS #10 (the most common one) or CRMF.
    • Paste in the base 64-encoded certificate request.

      NOTE

      The way that you generate the base 64-encoded certificate request depends on your network setup. There may be an online form you can use to create a certificate request, the client you are requesting the certificate for may have a built-in request tool, or you can use tools such as certutil. The options for creating a certificate request are covered more in the Certificate System Administrator's Guide.
    For other types of certificate profiles, the form requires information about the requester in order to create the subject name of the new certificate.[1]
    • The certificate format may be automatically set to PKCS#10 or CRMF, depending on the profile, and the key size is selected by the requester.
    • Fill in the subject name information, such as the username (UID), email address, location, and organization information.
    Other forms may require other information. For example, file signing profiles require a URL to the external file that will be signed by the CA.

    NOTE

    The CA certificate request forms support all UTF-8 characters for the common name, organizational unit, and requester name fields.
    This support does not include supporting internationalized domain names.
  3. For every certificate enrollment, fill in the requester information. All certificate forms take the name, phone number, and email address of the requester. The email address may be required if you will be notified by email when the certificate is issued.
  4. Click the Submit button.
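Before pasting a request into a blob-based enrollment form, it helps to confirm that the blob really is a base 64-encoded PKCS #10 request and to see which key algorithm it carries, since (as Section 2.2 explains) an ECC request has to go through the Other Certificates profile. The following Python example is added here and is not part of this guide or of Certificate System: it parses the request far enough to report the subject common name and the key type, and the sample request it builds (build_sample_csr) uses constructed dummy key and signature bytes, so nothing about the signature is verified.

```python
import base64

# Standard OIDs: rsaEncryption, ecPublicKey, prime256v1 (P-256), id-at-commonName
RSA, EC_PUB, P256, CN = "1.2.840.113549.1.1.1", "1.2.840.10045.2.1", "1.2.840.10045.3.1.7", "2.5.4.3"

def der(tag, body):            # DER TLV encoder; lengths < 256 are enough for the OIDs and sample here
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body
def b128(v, last=True):        # base-128 big-endian encoding of one OID arc
    head = b128(v >> 7, False) if v > 0x7f else []
    return head + [(v & 0x7f) | (0 if last else 0x80)]
def oid(s):                    # dotted OID string -> DER OBJECT IDENTIFIER
    p = [int(x) for x in s.split(".")]
    return der(0x06, bytes([40 * p[0] + p[1]] + sum(map(b128, p[2:]), [])))

def build_sample_csr():
    """Constructed sample PKCS#10 request for a P-256 key (dummy key and signature bytes)."""
    subject = der(0x30, der(0x31, der(0x30, oid(CN) + der(0x0c, b"server.example.com"))))
    spki = der(0x30, der(0x30, oid(EC_PUB) + oid(P256)) + der(0x03, b"\x00\x04" + b"\x11" * 64))
    info = der(0x30, der(0x02, b"\x00") + subject + spki + der(0xa0, b""))
    sig = der(0x30, oid("1.2.840.10045.4.3.2")) + der(0x03, b"\x00" + b"\x22" * 70)  # ecdsa-with-SHA256
    return base64.b64encode(der(0x30, info + sig)).decode()

def tlv(buf, pos=0):           # read one TLV at pos -> (tag, value, next position)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:              # long-form length
        n = ln & 0x7f
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln
def children(body):            # (tag, value) pairs directly inside a constructed value
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out

def inspect_request(b64):
    """Parse a base64 PKCS#10 blob; report subject CN and key algorithm before submitting it."""
    tag, body, _ = tlv(base64.b64decode(b64))
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE: strip any PEM header lines, or the blob is not PKCS #10")
    info = children(children(body)[0][1])     # CertificationRequestInfo: version, subject, SPKI, ...
    cn = None
    for _, rdn in children(info[1][1]):       # each RDN is a SET holding one AttributeTypeAndValue
        atv = children(children(rdn)[0][1])
        if der(*atv[0]) == oid(CN):
            cn = atv[1][1].decode()
    alg = children(children(info[2][1])[0][1])            # SubjectPublicKeyInfo.algorithm
    key_type = {oid(RSA): "rsa", oid(EC_PUB): "ec"}.get(der(*alg[0]), "unknown")
    curve = {oid(P256): "P-256"}.get(der(*alg[1])) if key_type == "ec" else None
    return {"cn": cn, "key_type": key_type, "curve": curve}
```

A result with key_type "ec" means the standard user profiles cannot be used for this request and it belongs in the Other Certificates profile.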

2.4. Checking on Your Request Status

  1. Click the Retrieval tab.
  2. Enter the request ID number (the one returned when you submitted the request) in the Request identifier field. To search for or list requests, see Section 2.6, “Listing and Searching for Certificates”.
  3. The request status is shown as pending, rejected, or completed. If the request has been completed, click the link to retrieve the issued certificate.

2.5. Retrieving Your Certificates

After a certificate is generated by the Certificate Manager, it can be copied to a file or imported directly into your browser.
  1. Click the Retrieval tab in the CA web services page.
  2. Open the certificate, either by checking the status and opening it or by finding it in a list of issued certificates.
  3. The certificate page has three major sections: the certificate fingerprint, the base 64-encoded certificate, and the certificate with the CA certificate chain. The certificate fingerprint shows the summary of the information contained in the base 64-encoded version, such as the serial number, issuing CA, validity period, and key information.
    To copy the certificate, scroll to the base 64-encoded blob and simply copy and paste it.
  4. To import the certificate directly into your web browser or email client, scroll to the bottom of the certificate's page, and click the Import ... Certificate button.

2.6. Listing and Searching for Certificates

The Retrieval tab has two ways to search for certificates. The List Certificates page has a basic search over all issued certificates, while the Search for Certificates page has advanced search options which narrow down results based on specific information about the certificate.

2.6.1. Listing Certificates (Basic Search)

  1. Click the Retrieval tab.
  2. On the left, click the List Certificates link.
  3. Fill in the serial number range and, if you want, filter out revoked or expired certificates. Leaving the lowest and highest fields blank returns all certificates that have been issued.
  4. Every certificate within that range is returned. To open the retrieval page for the certificate, click the link.

2.6.2. Searching for Certificates (Advanced Search)

  1. Click the Retrieval tab.
  2. On the left, click the Search Certificates link.
  3. Fill in the search criteria. The Search form offers a number of different search areas:
    • Serial number range for every certificate issued within that serial number block, same as with listing certificates.
    • Subject name, which is a very specific search based on elements used in the subject name of the certificate, narrowing the search to the user or machine for which it was issued, or by the department, locality, or other naming element.

      NOTE

      The CA certificate request forms support all UTF-8 characters for the common name, organizational unit, and requester name fields. The common name and organization unit fields are included in the subject name of the certificate.
      This support does not include supporting internationalized domain names.
    • Revocation status for certificates which have been revoked. This can specify the agent or user which revoked the certificate, the date range in which the certificates were revoked, and the reason given when the certificate was revoked.
    • Issuer information, basing the search on which Certificate Manager issued the certificate or on the dates when it was issued.
    • Validity dates, including the range of dates when the certificate was valid (e.g., every certificate which was valid on July 4, 2008), the date range of when the certificate expired (every certificate which expired between June 1 and June 15), and how long the certificate was valid (e.g., every temporary certificate which was valid for less than 30 days).
    • Certificate type, which can include or exclude certificates based on one of the major categories of certificates, including SSL client and server certificates and email certificates.
  4. Set the search limits. The search scope can be limited in the total number of certificates returned and in how long to conduct the search.

2.7. Renewing Certificates

When certificates reach the end of their validity period, there are two ways that users can respond:
  • Allow the certificate to lapse and request a new certificate. While simple, this is a problem if the certificate was used to encrypt information, such as emails or files: the encrypted data cannot be recovered once the certificate expires.
  • Renew the certificate. Renewal takes the original keys that were generated and regenerates the certificate with an extended validity period. Since the renewed certificate uses the same key pair as the original, everything that the original certificate did (such as decrypting files) is still possible.

NOTE

Certificates can only be renewed within a certain window of time. If you try to renew a certificate too early or too long after its expiration date, then the renewal request will fail.
There are three different certificate renewal forms, listed in Table 4.

Table 4. Enrollment Forms and Corresponding Renewal Forms

If the Renewal Form Is ...                                      ... Then the Certificate Is Approved By ...
Self-renew user SSL client certificates                         The original certificate is in your browser database. Since the original has already been approved once, having the original automatically verifies your request.
Directory-Authenticated User Dual-Use Certificate Enrollment    The certificate is approved if you can provide the correct username and password to access the LDAP directory.
Renew certificate to be manually approved by agents             An agent approves the request.

NOTE

Encryption and signing certificates (and other types of dual certificates) are created in a single step. However, the renewal process only renews one certificate at a time.
To renew both certificates in a certificate pair, each one has to be renewed individually.

2.7.1. Agent-Approved or Directory-Based Renewals

Sometimes, a certificate renewal request has to be manually approved, either by a CA agent or by your providing login information for the user directory.
  1. Click the name of the renewal form to use.
  2. Enter the serial number of the certificate to renew. This can be in decimal or hexadecimal form.
  3. Click the renew button.
  4. The request is submitted. For directory-based renewals, the renewed certificate is automatically returned. Otherwise, the renewal request will be approved by an agent.

2.7.2. Certificate-Based Renewal

Some user certificates are stored directly in your browser, so some renewal forms simply check your browser certificate database for a certificate to renew. If a certificate can be renewed, then the CA automatically approves and reissues it.
  1. Click the name of the renewal form to use.
  2. There is no input field, so click the Renew button.
  3. When prompted, select the certificate to renew.
  4. The request is submitted and the renewed certificate is automatically returned.

2.8. Revoking Certificates

Revoking a certificate invalidates it before its expiration date. This can be necessary if a certificate is lost, compromised, or no longer needed.

2.8.1. Revoking Your User Certificate

  1. Click the Revocation tab.
  2. Click the User Certificate link.
  3. Select the reason why the certificate is being revoked, and click Submit.
  4. Select the certificates to revoke from the list.

2.8.2. Checking Whether a Certificate Is Revoked

  1. Click the Retrieval tab.
  2. Click the Import Certificate Revocation List link.
  3. Select the radio button by Check whether the following certificate is included in CRL cache or Check whether the following certificate is listed by CRL, and enter the serial number of the certificate.
  4. Click the Submit button.
    A message is returned either saying that the certificate is not listed in any CRL or giving the information for the CRL which contains the certificate.

2.8.3. Downloading and Importing CRLs

Certificate revocation lists (CRLs) can be downloaded and installed in a web client, application, or machine. They can also be viewed to see what certificates have been revoked.
  1. Click the Retrieval tab.
  2. Click the Import Certificate Revocation List link.
  3. Select the radio button to view, download, or import the CRL.
    • To import the CRL into the browser or download and save it, select the appropriate radio button. There are two options: to download/import the full CRL or the delta CRL. The delta CRL only imports/downloads the list of certificates which have been revoked since the last time the CRL was generated.
    • To view the CRL, select Display the CRL information and select which CRL subset (called an issuing point) to view. This shows the CRL information, including the number of certificates included in it.
  4. Click the Submit button.
  5. Save the file or approve the import operation.

2.9. Downloading CA Certificates and Certificate Chains

Some services require the certificate for the Certificate Manager which issued a certificate as well as the certificate itself. The CA certificate and CA certificate chain can be downloaded, saved, and imported as needed.
  1. Click the Retrieval tab.
  2. Click the Import CA Certificate Chain link.
  3. Select the radio button to import the CA certificate.
    • Import the chain into the browser.
    • Save the entire CA certificate chain.
    • Show the CA certificate chain in a single blob.
    • Show the individual CA certificate blobs in the certificate chain.
  4. Click Submit.
  5. Save the file or complete installing the package.


[1] A certificate request already includes the subject name, so this information isn't required.