Table of Contents: Administration Guide

1. Overview of Red Hat Certificate System Subsystems
1.1. Uses for Certificates
1.2. A Review of Certificate System Subsystems
1.3. A Look at Managing Certificates (Non-TMS)
1.4. A Look at the Token Management System (TMS)
1.5. Red Hat Certificate System services

I. Red Hat Certificate System User Interfaces

2. User Interfaces
2.1. User Interfaces Overview
2.2. Client NSS Database Initialization
2.3. Graphical Interface
2.3.1. pkiconsole Initialization
2.3.2. Using pkiconsole for CA, OCSP, KRA, and TKS Subsystems
2.4. Web Interface
2.4.1. Browser Initialization
2.4.2. The Administrative Interfaces
2.4.3. Agent Interfaces
2.4.4. End User Pages
2.5. Command Line Interfaces
2.5.1. "pki" CLI
2.5.1.1. pki CLI Initialization
2.5.1.2. Using "pki" CLI
2.5.2. AtoB
2.5.3. AuditVerify
2.5.4. BtoA
2.5.5. CMCRequest
2.5.6. CMCRevoke
2.5.7. CMCSharedToken
2.5.8. CRMFPopClient
2.5.9. HttpClient
2.5.10. OCSPClient
2.5.11. PKCS10Client
2.5.12. PrettyPrintCert
2.5.13. PrettyPrintCrl
2.5.14. TokenInfo
2.5.15. tkstool
2.6. Enterprise Security Client

II. Setting up Certificate Services

3. Making Rules for Issuing Certificates (Certificate Profiles)
3.1. About Certificate Profiles
3.1.1. The Enrollment Profile
3.1.2. Certificate Extensions: Defaults and Constraints
3.1.3. Inputs and Outputs
3.2. Setting up Certificate Profiles
3.2.1. Managing Certificate Enrollment Profiles Using the PKI Command-line Interface
3.2.1.1. Enabling and Disabling a Certificate Profile
3.2.1.2. Creating a Certificate Profile in Raw Format
3.2.1.3. Editing a Certificate Profile in Raw Format
3.2.1.4. Deleting a Certificate Profile
3.2.2. Managing Certificate Enrollment Profiles Using the Java-based Administration Console
3.2.2.1. Creating Certificate Profiles through the CA Console
3.2.2.2. Editing Certificate Profiles in the Console
3.2.3. Listing Certificate Enrollment Profiles
3.2.4. Displaying Details of a Certificate Enrollment Profile
3.3. Defining Key Defaults in Profiles
3.4. Configuring Profiles to Enable Renewal
3.4.1. Renewing Using the Same Key
3.4.2. Renewal Using a New Key
3.5. Setting the Signing Algorithms for Certificates
3.5.1. Setting the CA's Default Signing Algorithm
3.5.2. Setting the Signing Algorithm Default in a Profile
3.6. Managing CA-Related Profiles
3.6.1. Setting Restrictions on CA Certificates
3.6.2. Changing the Restrictions for CAs on Issuing Certificates
3.6.3. Using Random Certificate Serial Numbers
3.6.3.1. Enabling Random Certificate Serial Numbers
3.6.4. Allowing a CA Certificate to Be Renewed Past the CA's Validity Period
3.7. Managing Subject Names and Subject Alternative Names
3.7.1. Using the Requester CN or UID in the Subject Name
3.7.2. Inserting LDAP Directory Attribute Values and Other Information into the Subject Alt Name
3.7.3. Using the CN Attribute in the SAN Extension
3.7.4. Accepting SAN Extensions from a CSR
3.7.4.1. Configuring a Profile to Retrieve SANs from a CSR
3.7.4.2. Generating a CSR with SANs

4. Setting up Key Archival and Recovery
4.1. Configuring Agent-Approved Key Recovery in the Console
4.2. Testing the Key Archival and Recovery Setup

5. Requesting, Enrolling, and Managing Certificates
5.1. About Enrolling and Renewing Certificates
5.2. Creating Certificate Signing Requests
5.2.1. Generating CSRs Using Command-Line Utilities
5.2.1.1. Creating a CSR Using certutil
5.2.1.1.1. Using certutil to Create a CSR with EC Keys
5.2.1.1.2. Using certutil to Create a CSR With User-defined Extensions
5.2.1.2. Creating a CSR Using PKCS10Client
5.2.1.2.1. Using PKCS10Client to Create a CSR
5.2.1.2.2. Using PKCS10Client to Create a CSR for SharedSecret-based CMC
5.2.1.3. Creating a CSR Using CRMFPopClient
5.2.1.3.1. Using CRMFPopClient to Create a CSR with Key Archival
5.2.1.3.2. Using CRMFPopClient to Create a CSR for SharedSecret-based CMC
5.2.1.4. Creating a CSR using client-cert-request in the PKI CLI
5.2.2. Generating CSRs Using Server-Side Key Generation
5.2.2.1. Functionality Highlights
5.2.2.2. Enrolling a Certificate Using Server-Side Keygen
5.2.2.3. Key Recovery
5.2.2.4. Additional Information
5.2.2.4.1. KRA Request Records
5.2.2.4.2. Audit Records
5.3. Requesting and Receiving Certificates
5.3.1. Requesting and Receiving a Certificate through the End-Entities Page
5.4. Renewing Certificates
5.4.1. Same Keys Renewal
5.4.1.1. Reusing CSR
5.4.1.1.1. Agent-Approved or Directory-Based Renewals
5.4.1.1.2. Certificate-Based Renewal
5.4.1.2. Renewal by generating CSR with same keys
5.4.2. Renewal by Re-keying Certificates
5.5. Submitting Certificate requests Using CMC
5.5.1. Using CMC Enrollment
5.5.1.1. Testing CMCEnroll
5.5.2. The CMC Enrollment Process
5.5.3. Practical CMC Enrollment Scenarios
5.5.3.1. Obtaining System and Server Certificates
5.5.3.2. Obtaining the First Signing Certificate for a User
5.5.3.2.1. Signing a CMC Request with an Agent Certificate
5.5.3.2.2. Authenticating for Certificate Enrollment Using a Shared Secret
5.5.3.3. Obtaining an Encryption-only Certificate for a User
5.5.3.3.1. Example on Obtaining an Encryption-only certificate with Key Archival
5.6. Performing Bulk Issuance
5.7. Enrolling a Certificate on a Cisco Router
5.7.1. Enabling SCEP Enrollments
5.7.2. Configuring Security Settings for SCEP
5.7.3. Configuring a Router for SCEP Enrollment
5.7.4. Generating the SCEP Certificate for a Router
5.7.5. Working with Subordinate CAs
5.7.6. Re-enrolling a Router
5.7.7. Enabling Debugging
5.7.8. Issuing ECC Certificates with SCEP
5.8. Using Certificate Transparency
5.8.1. Testing Certificate Transparency

6. Using and Configuring the Token Management System: TPS and TKS
6.1. TPS Profiles
6.2. TPS Operations
6.3. Token Policies
6.4. Token Operation and Policy Processing
6.5. Internal Registration
6.6. External Registration
6.6.1. Enabling External Registration
6.6.2. Customizing User LDAP Record Attribute Names
6.6.3. Configuring certsToAdd attributes
6.6.4. Token to User Matching Enforcement
6.6.5. Delegation Support
6.6.6. SAN and DN Patterns
6.7. Mapping Resolver Configuration
6.7.1. Key Set Mapping Resolver
6.7.2. Token Type (TPS) Mapping Resolver
6.8. Authentication Configuration
6.9. Connectors
6.10. Revocation Routing Configuration
6.11. Setting Up Server-side Key Generation
6.12. Setting Up New Key Sets
6.13. Setting Up a New Master Key
6.13.1. Generating and Transporting Wrapped Master Keys (Key Ceremony)
6.14. Setting Up a TKS/TPS Shared Symmetric Key
6.14.1. Manually Generating and Transporting a Shared Symmetric Key
6.15. Using Different Applets for Different SCP Versions

7. Revoking Certificates and Issuing CRLs
7.1. About Revoking Certificates
7.1.1. User-Initiated Revocation
7.1.2. Reasons for Revoking a Certificate
7.1.3. CRL Issuing Points
7.1.4. Delta CRLs
7.1.5. Publishing CRLs
7.1.6. Certificate Revocation Pages
7.2. Performing a CMC Revocation
7.2.1. Revoking a Certificate Using CMCRequest
7.2.2. Revoking a Certificate Using CMCRevoke
7.2.2.1. Testing CMCRevoke
7.3. Issuing CRLs
7.3.1. Configuring Issuing Points
7.3.2. Configuring CRLs for Each Issuing Point
7.3.3. Setting CRL Extensions
7.3.4. Setting a CA to Use a Different Certificate to Sign CRLs
7.3.5. Generating CRLs from Cache
7.3.5.1. Configuring CRL Generation from Cache in the Console
7.3.5.2. Configuring CRL Generation from Cache in CS.cfg
7.4. Setting Full and Delta CRL Schedules
7.4.1. Configuring CRL Update Intervals in the Console
7.4.2. Configuring Update Intervals for CRLs in CS.cfg
7.4.3. Configuring CRL Generation Schedules over Multiple Days
7.5. Enabling Revocation Checking
7.6. Using the Online Certificate Status Protocol (OCSP) Responder
7.6.1. Setting up the OCSP Responder
7.6.2. Identifying the CA to the OCSP Responder
7.6.2.1. Verify Certificate Manager and Online Certificate Status Manager Connection
7.6.2.2. Configure the Revocation Info Stores: Internal Database
7.6.2.3. Configure the Revocation Info Stores: LDAP Directory
7.6.2.4. Testing the OCSP Service Setup
7.6.3. Setting the Response for Bad Serial Numbers
7.6.4. Enabling the Certificate Manager's Internal OCSP Service
7.6.5. Submitting OCSP Requests Using the OCSPClient program
7.6.6. Submitting OCSP Requests Using the GET Method
7.6.7. Setting up a Redirect for Certificates Issued in Certificate System 7.1 and Earlier

8. Managing PKI ACME Responder
8.1. Enabling/Disabling ACME Services
8.2. Checking the Status of PKI ACME Responder

III. Additional Configuration to Manage CA Services

9. Publishing Certificates and CRLs
9.1. About Publishing
9.1.1. Publishers
9.1.2. Mappers
9.1.3. Rules
9.1.4. Publishing to Files
9.1.5. OCSP Publishing
9.1.6. LDAP Publishing
9.2. Configuring Publishing to a File
9.3. Configuring Publishing to an OCSP
9.3.1. Enabling Publishing to an OCSP with Client Authentication
9.4. Configuring Publishing to an LDAP Directory
9.4.1. Configuring the LDAP Directory
9.4.2. Configuring LDAP Publishers
9.4.3. Creating Mappers
9.4.4. Completing Configuration: Rules and Enabling
9.5. Creating Rules
9.6. Enabling Publishing
9.7. Enabling a Publishing Queue
9.8. Setting up Resumable CRL Downloads
9.8.1. Retrieving CRLs Using wget
9.9. Publishing Cross-Pair Certificates
9.10. Testing Publishing to Files
9.11. Viewing Certificates and CRLs Published to File
9.12. Updating Certificates and CRLs in a Directory
9.12.1. Manually Updating Certificates in the Directory
9.12.2. Manually Updating the CRL in the Directory
9.13. Registering Custom Mapper and Publisher Plug-in Modules

10. Authentication for Enrolling Certificates
10.1. Configuring Agent-Approved Enrollment
10.2. Automated Enrollment
10.2.1. Setting up Directory-Based Authentication
10.2.2. Setting up PIN-Based Enrollment
10.2.3. Using Certificate-Based Authentication
10.2.4. Configuring Flat File Authentication
10.2.4.1. Configuring the flatFileAuth Module
10.2.4.2. Editing flatfile.txt
10.3. CMC Authentication Plug-ins
10.4. CMC SharedSecret Authentication
10.4.1. Creating a Shared Secret Token
10.4.2. Setting a CMC Shared Secret
10.4.2.1. Adding a CMC Shared Secret to a User Entry for Certificate Enrollment
10.4.2.2. Adding a CMC Shared Secret to a Certificate for Certificate Revocations
10.5. Testing Enrollment
10.6. Registering Custom Authentication Plug-ins
10.7. Manually Reviewing the Certificate Status Using the Command Line
10.8. Manually Reviewing the Certificate Status Using the Web Interface

11. Authorization for Enrolling Certificates (Access Evaluators)
11.1. Authorization Mechanism
11.2. Default Evaluators

12. Using Automated Notifications
12.1. About Automated Notifications for the CA
12.1.1. Types of Automated Notifications
12.1.2. Determining End-Entity Email Addresses
12.2. Setting up Automated Notifications for the CA
12.2.1. Setting up Automated Notifications in the Console
12.2.2. Configuring Specific Notifications by Editing the CS.cfg File
12.2.3. Testing Configuration
12.3. Customizing Notification Messages
12.3.1. Customizing CA Notification Messages
12.4. Configuring a Mail Server for Certificate System Notifications
12.5. Creating Custom Notifications for the CA

13. Setting Automated Jobs
13.1. About Automated Jobs
13.1.1. Setting up Automated Jobs
13.1.2. Types of Automated Jobs
13.1.2.1. certRenewalNotifier (RenewalNotificationJob)
13.1.2.2. requestInQueueNotifier (RequestInQueueJob)
13.1.2.3. publishCerts (PublishCertsJob)
13.1.2.4. unpublishExpiredCerts (UnpublishExpiredJob)
13.2. Setting up the Job Scheduler
13.3. Setting up Specific Jobs
13.3.1. Configuring Specific Jobs Using the Certificate Manager Console
13.3.2. Configuring Jobs by Editing the Configuration File
13.3.3. Configuration Parameters of certRenewalNotifier
13.3.4. Configuration Parameters of requestInQueueNotifier
13.3.5. Configuration Parameters of publishCerts
13.3.6. Configuration Parameters of unpublishExpiredCerts
13.3.7. Frequency Settings for Automated Jobs
13.4. Registering a Job Module

IV. Managing the Subsystem Instances

14. Basic Subsystem Management
14.1. PKI Instances
14.2. PKI Instance Execution Management
14.2.1. Starting, Stopping, and Restarting a PKI Instance
14.2.2. Restarting a PKI Instance after a Machine Restart
14.2.3. Checking the PKI Instance Status
14.2.4. Configuring a PKI Instance to Automatically Start Upon Reboot
14.2.5. Setting sudo Permissions for Certificate System Services
14.3. Opening Subsystem Consoles and Services
14.3.1. Finding the Subsystem Web Services Pages
14.3.2. Starting the Certificate System Administrative Console
14.3.3. Enabling SSL for the Java Administrative Console
14.4. Running Subsystems under a Java Security Manager
14.4.1. About the Security Manager Policy Files
14.4.2. Starting a Subsystem Instance without the Java Security Manager
14.5. Configuring the LDAP Database
14.5.1. Changing the Internal Database Configuration
14.5.2. Using a Certificate Issued by Certificate System in Directory Server
14.5.3. Enabling SSL/TLS Client Authentication with the Internal Database
14.5.4. Restricting Access to the Internal Database
14.6. Viewing Security Domain Configuration
14.7. Managing the SELinux Policies for Subsystems
14.7.1. About SELinux
14.7.2. Viewing SELinux Policies for Subsystems
14.7.3. Relabeling nCipher netHSM Contexts
14.8. Backing up and Restoring Certificate System
14.8.1. Backing up and Restoring the LDAP Internal Database
14.8.1.1. Backing up the LDAP Internal Database
14.8.1.1.1. Backing up using db2ldif
14.8.1.1.2. Backing up using db2bak
14.8.1.2. Restoring the LDAP Internal Database
14.8.1.2.1. Restoring using ldif2db
14.8.1.2.2. Restoring using bak2db
14.8.2. Backing up and Restoring the Instance Directory
14.9. Running Self-Tests
14.9.1. Running Self-Tests
14.9.1.1. Running Self-Tests from the Console
14.9.1.2. Running TPS Self-Tests
14.9.2. Self-Test Logging
14.9.3. Configuring POSIX System ACLs
14.9.3.1. Setting POSIX System ACLs for the CA, KRA, OCSP, TKS, and TPS

15. Managing Certificate System Users and Groups
15.1. About Authorization
15.2. Default Groups
15.2.1. Administrators
15.2.2. Auditors
15.2.3. Agents
15.2.4. Enterprise Groups
15.3. Managing Users and Groups for a CA, OCSP, KRA, or TKS
15.3.1. Managing Groups
15.3.1.1. Creating a New Group
15.3.1.2. Changing Members in a Group
15.3.2. Managing Users (Administrators, Agents, and Auditors)
15.3.2.1. Creating Users
15.3.2.1.1. Creating Users Using the Command Line
15.3.2.1.2. Creating Users Using the Console
15.3.2.2. Changing a Certificate System User's Certificate
15.3.2.3. Renewing Administrator, Agent, and Auditor User Certificates
15.3.2.4. Renewing an Expired Administrator, Agent, and Auditor User Certificate
15.3.2.5. Deleting a Certificate System User
15.4. Creating and Managing Users for a TPS
15.4.1. Listing and Searching for Users
15.4.1.1. From the Web UI
15.4.1.2. From the Command Line
15.4.2. Adding Users
15.4.2.1. From the Web UI
15.4.2.1.1. From the Command Line
15.4.3. Setting Profiles for Users
15.4.4. Managing User Roles
15.4.4.1. From the Web UI
15.4.4.2. From the Command Line
15.4.5. Managing User Certificates
15.4.6. Renewing TPS Agent and Administrator Certificates
15.4.7. Deleting Users
15.5. Configuring Access Control for Users
15.5.1. About Access Control
15.5.2. Changing the Access Control Settings for the Subsystem
15.5.3. Adding ACLs
15.5.4. Editing ACLs

16. Configuring Subsystem Logs
16.1. About Certificate System Logs
16.1.1. Signed Audit Logs
16.1.2. Debug Logs
16.1.2.1. Installation Logs
16.1.2.2. Tomcat Error and Access Logs
16.1.2.3. Self-Tests Log
16.2. Managing Logs
16.2.1. An Overview of Log Settings
16.2.1.1. Services That Are Logged
16.2.1.2. Log Levels (Message Categories)
16.2.1.3. Buffered and Unbuffered Logging
16.2.1.4. Log File Rotation
16.2.2. Configuring Logs in the Console
16.2.3. Configuring Logs in the CS.cfg File
16.2.4. Managing Audit Logs
16.2.4.1. A List of Audit Events
16.2.4.2. Enabling Signed Audit Logging after Installation
16.2.4.3. Configuring a Signed Audit Log in the Console
16.2.4.4. Handling Audit Logging Failures
16.2.4.5. Signing Log Files
16.2.4.6. Filtering Audit Events
16.2.5. Managing Log Modules
16.3. Using Logs
16.3.1. Viewing Logs in the Console
16.3.2. Using Signed Audit Logs
16.3.2.1. Listing Audit Logs
16.3.2.2. Downloading Audit Logs
16.3.2.3. Verifying Signed Audit Logs
16.3.3. Displaying Operating System-level Audit Logs
16.3.3.1. Displaying Audit Log Deletion Events
16.3.3.2. Displaying Access to the NSS Database for Secret and Private Keys
16.3.3.3. Displaying Time Change Events
16.3.3.4. Displaying Package Update Events
16.3.3.5. Displaying Changes to the PKI Configuration
16.3.4. Smart Card Error Codes

17. Managing Subsystem Certificates
17.1. Required Subsystem Certificates
17.1.1. Certificate Manager Certificates
17.1.1.1. CA Signing Key Pair and Certificate
17.1.1.2. OCSP Signing Key Pair and Certificate
17.1.1.3. Subsystem Certificate
17.1.1.4. SSL Server Key Pair and Certificate
17.1.1.5. Audit Log Signing Key Pair and Certificate
17.1.2. Online Certificate Status Manager Certificates
17.1.2.1. OCSP Signing Key Pair and Certificate
17.1.2.2. SSL Server Key Pair and Certificate
17.1.2.3. Subsystem Certificate
17.1.2.4. Audit Log Signing Key Pair and Certificate
17.1.2.5. Recognizing Online Certificate Status Manager Certificates
17.1.3. Key Recovery Authority Certificates
17.1.3.1. Transport Key Pair and Certificate
17.1.3.2. Storage Key Pair
17.1.3.3. SSL Server Certificate
17.1.3.4. Subsystem Certificate
17.1.3.5. Audit Log Signing Key Pair and Certificate
17.1.4. TKS Certificates
17.1.4.1. SSL Server Certificate
17.1.4.2. Subsystem Certificate
17.1.4.3. Audit Log Signing Key Pair and Certificate
17.1.5. TPS Certificates
17.1.5.1. SSL Server Certificate
17.1.5.2. Subsystem Certificate
17.1.5.3. Audit Log Signing Key Pair and Certificate
17.1.6. About Subsystem Certificate Key Types
17.1.7. Using an HSM to Store Subsystem Certificates
17.2. Requesting Certificates through the Console
17.2.1. Requesting Signing Certificates
17.2.2. Requesting Other Certificates
17.3. Renewing Subsystem Certificates
17.3.1. Re-keying Certificates in the End-Entities Forms
17.3.2. Renewing Certificates in the Console
17.3.3. Renewing Certificates Using certutil
17.3.4. Renewing System Certificates
17.4. Changing the Names of Subsystem Certificates
17.5. Using Cross-Pair Certificates
17.5.1. Installing Cross-Pair Certificates
17.5.2. Searching for Cross-Pair Certificates
17.6. Managing the Certificate Database
17.6.1. Installing Certificates in the Certificate System Database
17.6.1.1. Installing Certificates through the Console
17.6.1.2. Installing Certificates Using certutil
17.6.1.3. About CA Certificate Chains
17.6.2. Viewing Database Content
17.6.2.1. Viewing Database Content through the Console
17.6.2.2. Viewing Database Content Using certutil
17.6.3. Deleting Certificates from the Database
17.6.3.1. Deleting Certificates through the Console
17.6.3.2. Deleting Certificates Using certutil
17.7. Changing the Trust Settings of a CA Certificate
17.7.1. Changing Trust Settings through the Console
17.7.2. Changing Trust Settings Using certutil
17.8. Managing Tokens Used by the Subsystems
17.8.1. Detecting Tokens
17.8.2. Viewing Tokens
17.8.3. Changing a Token's Password

18. Setting Time and Date in Red Hat Enterprise Linux 7
19. Determining Certificate System Product Version
20. Updating Red Hat Certificate System
21. Troubleshooting

22. Subsystem Control And maintenance
22.1. Starting, Stopping, Restarting, and Obtaining Status
22.2. Subsystem Health Check
22.2.1. Healthcheck in PKI
22.2.1.1. PKI Healthcheck Test Modules
22.2.1.2. PKI Healthcheck Configuration
22.2.1.3. Running PKI Healthcheck
22.2.1.4. Healthcheck Output Formats
22.2.1.5. Healthcheck Results

V. References

A. Certificate Profile Input and Output Reference
A.1. Input Reference
A.1.1. Certificate Request Input
A.1.2. CMC Certificate Request Input
A.1.3. Dual Key Generation Input
A.1.4. File-Signing Input
A.1.5. Image Input
A.1.6. Key Generation Input
A.1.7. nsHKeyCertRequest (Token Key) Input
A.1.8. nsNKeyCertRequest (Token User Key) Input
A.1.9. Serial Number Renewal Input
A.1.10. Subject DN Input
A.1.11. Subject Name Input
A.1.12. Submitter Information Input
A.1.13. Generic Input
A.1.14. Subject Alternative Name Extension Input
A.2. Output Reference
A.2.1. Certificate Output
A.2.2. PKCS #7 Output
A.2.3. nsNSKeyOutput
A.2.4. CMMF Output

B. Defaults, Constraints, and Extensions for Certificates and CRLs
B.1. Defaults Reference
B.1.1. Authority Info Access Extension Default
B.1.2. Authority Key Identifier Extension Default
B.1.3. Authentication Token Subject Name Default
B.1.4. Basic Constraints Extension Default
B.1.5. CA Validity Default
B.1.6. Certificate Policies Extension Default
B.1.7. CRL Distribution Points Extension Default
B.1.8. Extended Key Usage Extension Default
B.1.9. Freshest CRL Extension Default
B.1.10. Generic Extension Default
B.1.11. Inhibit Any-Policy Extension Default
B.1.12. Issuer Alternative Name Extension Default
B.1.13. Key Usage Extension Default
B.1.14. Name Constraints Extension Default
B.1.15. Netscape Certificate Type Extension Default
B.1.16. Netscape Comment Extension Default
B.1.17. No Default Extension
B.1.18. OCSP No Check Extension Default
B.1.19. Policy Constraints Extension Default
B.1.20. Policy Mappers Extension Default
B.1.21. Private Key Usage Period Extension Default
B.1.22. Signing Algorithm Default
B.1.23. Subject Alternative Name Extension Default
B.1.24. Subject Directory Attributes Extension Default
B.1.25. Subject Info Access Extension Default
B.1.26. Subject Key Identifier Extension Default
B.1.27. Subject Name Default
B.1.28. User Key Default
B.1.29. User Signing Algorithm Default
B.1.30. User Subject Name Default
B.1.31.
User Validity Default B.1.32. User Supplied Extension Default B.1.33. Validity Default B.2. Constraints Reference Expand section "B.2. Constraints Reference" Collapse section "B.2. Constraints Reference" B.2.1. Basic Constraints Extension Constraint B.2.2. CA Validity Constraint B.2.3. Extended Key Usage Extension Constraint B.2.4. Extension Constraint B.2.5. Key Constraint B.2.6. Key Usage Extension Constraint B.2.7. Netscape Certificate Type Extension Constraint B.2.8. No Constraint B.2.9. Renewal Grace Period Constraint B.2.10. Signing Algorithm Constraint B.2.11. Subject Name Constraint B.2.12. Unique Key Constraint B.2.13. Unique Subject Name Constraint B.2.14. Validity Constraint B.3. Standard X.509 v3 Certificate Extension Reference Expand section "B.3. Standard X.509 v3 Certificate Extension Reference" Collapse section "B.3. Standard X.509 v3 Certificate Extension Reference" B.3.1. authorityInfoAccess B.3.2. authorityKeyIdentifier B.3.3. basicConstraints B.3.4. certificatePoliciesExt B.3.5. CRLDistributionPoints B.3.6. extKeyUsage B.3.7. issuerAltName Extension B.3.8. keyUsage B.3.9. nameConstraints B.3.10. OCSPNocheck B.3.11. policyConstraints B.3.12. policyMappings B.3.13. privateKeyUsagePeriod B.3.14. subjectAltName B.3.15. subjectDirectoryAttributes B.3.16. subjectKeyIdentifier B.4. CRL Extensions Expand section "B.4. CRL Extensions" Collapse section "B.4. CRL Extensions" B.4.1. About CRL Extensions Expand section "B.4.1. About CRL Extensions" Collapse section "B.4.1. About CRL Extensions" B.4.1.1. Structure of CRL Extensions B.4.1.2. Sample CRL and CRL Entry Extensions B.4.2. Standard X.509 v3 CRL Extensions Reference Expand section "B.4.2. Standard X.509 v3 CRL Extensions Reference" Collapse section "B.4.2. Standard X.509 v3 CRL Extensions Reference" B.4.2.1. Extensions for CRLs Expand section "B.4.2.1. Extensions for CRLs" Collapse section "B.4.2.1. Extensions for CRLs" B.4.2.1.1. authorityInfoAccess B.4.2.1.2. authorityKeyIdentifier B.4.2.1.3. 
CRLNumber B.4.2.1.4. deltaCRLIndicator B.4.2.1.5. FreshestCRL B.4.2.1.6. issuerAltName B.4.2.1.7. issuingDistributionPoint B.4.2.2. CRL Entry Extensions Expand section "B.4.2.2. CRL Entry Extensions" Collapse section "B.4.2.2. CRL Entry Extensions" B.4.2.2.1. certificateIssuer B.4.2.2.2. invalidityDate B.4.2.2.3. CRLReason B.4.3. Netscape-Defined Certificate Extensions Reference Expand section "B.4.3. Netscape-Defined Certificate Extensions Reference" Collapse section "B.4.3. Netscape-Defined Certificate Extensions Reference" B.4.3.1. netscape-cert-type B.4.3.2. netscape-comment C. Publishing Module Reference Expand section "C. Publishing Module Reference" Collapse section "C. Publishing Module Reference" C.1. Publisher Plug-in Modules Expand section "C.1. Publisher Plug-in Modules" Collapse section "C.1. Publisher Plug-in Modules" C.1.1. FileBasedPublisher C.1.2. LdapCaCertPublisher C.1.3. LdapUserCertPublisher C.1.4. LdapCrlPublisher C.1.5. LdapDeltaCrlPublisher C.1.6. LdapCertificatePairPublisher C.1.7. OCSPPublisher C.2. Mapper Plug-in Modules Expand section "C.2. Mapper Plug-in Modules " Collapse section "C.2. Mapper Plug-in Modules " C.2.1. LdapCaSimpleMap Expand section "C.2.1. LdapCaSimpleMap" Collapse section "C.2.1. LdapCaSimpleMap" C.2.1.1. LdapCaCertMap C.2.1.2. LdapCrlMap C.2.2. LdapDNExactMap C.2.3. LdapSimpleMap C.2.4. LdapSubjAttrMap C.2.5. LdapDNCompsMap Expand section "C.2.5. LdapDNCompsMap" Collapse section "C.2.5. LdapDNCompsMap" C.2.5.1. Configuration Parameters of LdapDNCompsMap C.3. Rule Instances Expand section "C.3. Rule Instances" Collapse section "C.3. Rule Instances" C.3.1. LdapCaCertRule C.3.2. LdapXCertRule C.3.3. LdapUserCertRule C.3.4. LdapCRLRule D. ACL Reference Expand section "D. ACL Reference" Collapse section "D. ACL Reference" D.1. About ACL Configuration Files D.2. Common ACLs Expand section "D.2. Common ACLs" Collapse section "D.2. Common ACLs" D.2.1. certServer.acl.configuration D.2.2. certServer.admin.certificate D.2.3. 
certServer.auth.configuration D.2.4. certServer.clone.configuration D.2.5. certServer.general.configuration D.2.6. certServer.log.configuration D.2.7. certServer.log.configuration.fileName D.2.8. certServer.log.content.system D.2.9. certServer.log.content.signedAudit D.2.10. certServer.registry.configuration D.3. Certificate Manager-Specific ACLs Expand section "D.3. Certificate Manager-Specific ACLs" Collapse section "D.3. Certificate Manager-Specific ACLs" D.3.1. certServer.admin.ocsp D.3.2. certServer.ca.certificate D.3.3. certServer.ca.certificates D.3.4. certServer.ca.configuration D.3.5. certServer.ca.connector D.3.6. certServer.ca.connectorInfo D.3.7. certServer.ca.crl D.3.8. certServer.ca.directory D.3.9. certServer.ca.group D.3.10. certServer.ca.ocsp D.3.11. certServer.ca.profile D.3.12. certServer.ca.profiles D.3.13. certServer.ca.registerUser D.3.14. certServer.ca.request.enrollment D.3.15. certServer.ca.request.profile D.3.16. certServer.ca.requests D.3.17. certServer.ca.systemstatus D.3.18. certServer.ee.certchain D.3.19. certServer.ee.certificate D.3.20. certServer.ee.certificates D.3.21. certServer.ee.crl D.3.22. certServer.ee.profile D.3.23. certServer.ee.profiles D.3.24. certServer.ee.request.ocsp D.3.25. certServer.ee.request.revocation D.3.26. certServer.ee.requestStatus D.3.27. certServer.job.configuration D.3.28. certServer.profile.configuration D.3.29. certServer.publisher.configuration D.3.30. certServer.securitydomain.domainxml D.4. Key Recovery Authority-Specific ACLs Expand section "D.4. Key Recovery Authority-Specific ACLs" Collapse section "D.4. Key Recovery Authority-Specific ACLs" D.4.1. certServer.job.configuration D.4.2. certServer.kra.certificate.transport D.4.3. certServer.kra.configuration D.4.4. certServer.kra.connector D.4.5. certServer.kra.GenerateKeyPair D.4.6. certServer.kra.getTransportCert D.4.7. certServer.kra.group D.4.8. certServer.kra.key D.4.9. certServer.kra.keys D.4.10. certServer.kra.registerUser D.4.11. 
certServer.kra.request D.4.12. certServer.kra.request.status D.4.13. certServer.kra.requests D.4.14. certServer.kra.systemstatus D.4.15. certServer.kra.TokenKeyRecovery D.5. Online Certificate Status Manager-Specific ACLs Expand section "D.5. Online Certificate Status Manager-Specific ACLs" Collapse section "D.5. Online Certificate Status Manager-Specific ACLs" D.5.1. certServer.ee.crl D.5.2. certServer.ee.request.ocsp D.5.3. certServer.ocsp.ca D.5.4. certServer.ocsp.cas D.5.5. certServer.ocsp.certificate D.5.6. certServer.ocsp.configuration D.5.7. certServer.ocsp.crl D.5.8. certServer.ocsp.group D.5.9. certServer.ocsp.info D.6. Token Key Service-Specific ACLs Expand section "D.6. Token Key Service-Specific ACLs" Collapse section "D.6. Token Key Service-Specific ACLs" D.6.1. certServer.tks.encrypteddata D.6.2. certServer.tks.group D.6.3. certServer.tks.importTransportCert D.6.4. certServer.tks.keysetdata D.6.5. certServer.tks.registerUser D.6.6. certServer.tks.sessionkey D.6.7. certServer.tks.randomdata E. Audit Events Expand section "E. Audit Events" Collapse section "E. Audit Events" E.1. Audit Event Descriptions Glossary Index F. Revision History Legal Notice Settings Close Language: 简体中文 日本語 English Language: 简体中文 日本語 English Format: Multi-page Single-page PDF Format: Multi-page Single-page PDF Language and Page Formatting Options Language: 简体中文 日本語 English Language: 简体中文 日本語 English Format: Multi-page Single-page PDF Format: Multi-page Single-page PDF Part V. References Previous Next