Administration Guide
1. Overview of Red Hat Certificate System Subsystems
Expand section "1. Overview of Red Hat Certificate System Subsystems" Collapse section "1. Overview of Red Hat Certificate System Subsystems"
I. Red Hat Certificate System User Interfaces
Expand section "I. Red Hat Certificate System User Interfaces" Collapse section "I. Red Hat Certificate System User Interfaces"
1. 2. User Interfaces
  Expand section "2. User Interfaces" Collapse section "2. User Interfaces"
  1. 2.1. User Interfaces Overview
  2. 2.2. Client NSS Database Initialization
  3. 2.3. Graphical Interface
    
    Expand section "2.3. Graphical Interface" Collapse section "2.3. Graphical Interface"
    
    2.3.1. pkiconsole Initialization
    
    2.3.2. Using pkiconsole for CA, OCSP, KRA, and TKS Subsystems
  4. 2.4. Web Interface
    
    Expand section "2.4. Web Interface" Collapse section "2.4. Web Interface"
    
    2.4.1. Browser Initialization
    
    2.4.2. The Administrative Interfaces
    
    2.4.3. Agent Interfaces
    
    2.4.4. End User Pages
  5. 2.5. Command Line Interfaces
    
    Expand section "2.5. Command Line Interfaces" Collapse section "2.5. Command Line Interfaces"
    
    2.5.1. "pki" CLI
    
    Expand section "2.5.1. "pki" CLI" Collapse section "2.5.1. "pki" CLI"
    
    2.5.1.1. pki CLI Initialization
    
    2.5.1.2. Using "pki" CLI
    
    2.5.2. AtoB
    
    2.5.3. AuditVerify
    
    2.5.4. BtoA
    
    2.5.5. CMCRequest
    
    2.5.6. CMCRevoke
    
    2.5.7. CMCSharedToken
    
    2.5.8. CRMFPopClient
    
    2.5.9. HttpClient
    
    2.5.10. OCSPClient
    
    2.5.11. PKCS10Client
    
    2.5.12. PrettyPrintCert
    
    2.5.13. PrettyPrintCrl
    
    2.5.14. TokenInfo
    
    2.5.15. tkstool
  6. 2.6. Enterprise Security Client
II. Setting up Certificate Services
Expand section "II. Setting up Certificate Services" Collapse section "II. Setting up Certificate Services"
1. 3. Making Rules for Issuing Certificates (Certificate Profiles)
  Expand section "3. Making Rules for Issuing Certificates (Certificate Profiles)" Collapse section "3. Making Rules for Issuing Certificates (Certificate Profiles)"
  1. 3.1. About Certificate Profiles
    
    Expand section "3.1. About Certificate Profiles" Collapse section "3.1. About Certificate Profiles"
    
    3.1.1. The Enrollment Profile
    
    3.1.2. Certificate Extensions: Defaults and Constraints
    
    3.1.3. Inputs and Outputs
  2. 3.2. Setting up Certificate Profiles
    
    Expand section "3.2. Setting up Certificate Profiles" Collapse section "3.2. Setting up Certificate Profiles"
    
    3.2.1. Managing Certificate Enrollment Profiles Using the PKI Command-line Interface
    
    Expand section "3.2.1. Managing Certificate Enrollment Profiles Using the PKI Command-line Interface" Collapse section "3.2.1. Managing Certificate Enrollment Profiles Using the PKI Command-line Interface"
    
    3.2.1.1. Enabling and Disabling a Certificate Profile
    
    3.2.1.2. Creating a Certificate Profile in Raw Format
    
    3.2.1.3. Editing a Certificate Profile in Raw Format
    
    3.2.1.4. Deleting a Certificate Profile
    
    3.2.2. Managing Certificate Enrollment Profiles Using the Java-based Administration Console
    
    Expand section "3.2.2. Managing Certificate Enrollment Profiles Using the Java-based Administration Console" Collapse section "3.2.2. Managing Certificate Enrollment Profiles Using the Java-based Administration Console"
    
    3.2.2.1. Creating Certificate Profiles through the CA Console
    
    3.2.2.2. Editing Certificate Profiles in the Console
    
    3.2.3. Listing Certificate Enrollment Profiles
    
    3.2.4. Displaying Details of a Certificate Enrollment Profile
  3. 3.3. Defining Key Defaults in Profiles
  4. 3.4. Configuring Profiles to Enable Renewal
    
    Expand section "3.4. Configuring Profiles to Enable Renewal" Collapse section "3.4. Configuring Profiles to Enable Renewal"
    
    3.4.1. Renewing Using the Same Key
    
    3.4.2. Renewal Using a New Key
  5. 3.5. Setting the Signing Algorithms for Certificates
    
    Expand section "3.5. Setting the Signing Algorithms for Certificates" Collapse section "3.5. Setting the Signing Algorithms for Certificates"
    
    3.5.1. Setting the CA's Default Signing Algorithm
    
    3.5.2. Setting the Signing Algorithm Default in a Profile
  6. 3.6. Managing CA-Related Profiles
    
    Expand section "3.6. Managing CA-Related Profiles" Collapse section "3.6. Managing CA-Related Profiles"
    
    3.6.1. Setting Restrictions on CA Certificates
    
    3.6.2. Changing the Restrictions for CAs on Issuing Certificates
    
    3.6.3. Using Random Certificate Serial Numbers
    
    Expand section "3.6.3. Using Random Certificate Serial Numbers" Collapse section "3.6.3. Using Random Certificate Serial Numbers"
    
    3.6.3.1. Enabling Random Certificate Serial Numbers
    
    3.6.4. Allowing a CA Certificate to Be Renewed Past the CA's Validity Period
  7. 3.7. Managing Subject Names and Subject Alternative Names
    
    Expand section "3.7. Managing Subject Names and Subject Alternative Names" Collapse section "3.7. Managing Subject Names and Subject Alternative Names"
    
    3.7.1. Using the Requester CN or UID in the Subject Name
    
    3.7.2. Inserting LDAP Directory Attribute Values and Other Information into the Subject Alt Name
    
    3.7.3. Using the CN Attribute in the SAN Extension
    
    3.7.4. Accepting SAN Extensions from a CSR
    
    Expand section "3.7.4. Accepting SAN Extensions from a CSR" Collapse section "3.7.4. Accepting SAN Extensions from a CSR"
    
    3.7.4.1. Configuring a Profile to Retrieve SANs from a CSR
    
    3.7.4.2. Generating a CSR with SANs
2. 4. Setting up Key Archival and Recovery
  Expand section "4. Setting up Key Archival and Recovery" Collapse section "4. Setting up Key Archival and Recovery"
  1. 4.1. Configuring Agent-Approved Key Recovery in the Console
  2. 4.2. Testing the Key Archival and Recovery Setup
3. 5. Requesting, Enrolling, and Managing Certificates
  Expand section "5. Requesting, Enrolling, and Managing Certificates" Collapse section "5. Requesting, Enrolling, and Managing Certificates"
  1. 5.1. About Enrolling and Renewing Certificates
  2. 5.2. Creating Certificate Signing Requests
    
    Expand section "5.2. Creating Certificate Signing Requests" Collapse section "5.2. Creating Certificate Signing Requests"
    
    5.2.1. Generating CSRs Using Command-Line Utilities
    
    Expand section "5.2.1. Generating CSRs Using Command-Line Utilities" Collapse section "5.2.1. Generating CSRs Using Command-Line Utilities"
    
    5.2.1.1. Creating a CSR Using certutil
    
    Expand section "5.2.1.1. Creating a CSR Using certutil" Collapse section "5.2.1.1. Creating a CSR Using certutil"
    
    5.2.1.1.1. Using certutil to Create a CSR with EC Keys
    
    5.2.1.1.2. Using certutil to Create a CSR With User-defined Extensions
    
    5.2.1.2. Creating a CSR Using PKCS10Client
    
    Expand section "5.2.1.2. Creating a CSR Using PKCS10Client" Collapse section "5.2.1.2. Creating a CSR Using PKCS10Client"
    
    5.2.1.2.1. Using PKCS10Client to Create a CSR
    
    5.2.1.2.2. Using PKCS10Client to Create a CSR for SharedSecret-based CMC
    
    5.2.1.3. Creating a CSR Using CRMFPopClient
    
    Expand section "5.2.1.3. Creating a CSR Using CRMFPopClient" Collapse section "5.2.1.3. Creating a CSR Using CRMFPopClient"
    
    5.2.1.3.1. Using CRMFPopClient to Create a CSR with Key Archival
    
    5.2.1.3.2. Using CRMFPopClient to Create a CSR for SharedSecret-based CMC
    
    5.2.1.4. Creating a CSR using client-cert-request in the PKI CLI
    
    5.2.2. Generating CSRs Using Server-Side Key Generation
    
    Expand section "5.2.2. Generating CSRs Using Server-Side Key Generation" Collapse section "5.2.2. Generating CSRs Using Server-Side Key Generation"
    
    5.2.2.1. Functionality Highlights
    
    5.2.2.2. Enrolling a Certificate Using Server-Side Keygen
    
    5.2.2.3. Key Recovery
    
    5.2.2.4. Additional Information
    
    Expand section "5.2.2.4. Additional Information" Collapse section "5.2.2.4. Additional Information"
    
    5.2.2.4.1. KRA Request Records
    
    5.2.2.4.2. Audit Records
  3. 5.3. Configuring Internet Explorer to Enroll Certificates
    
    Expand section "5.3. Configuring Internet Explorer to Enroll Certificates" Collapse section "5.3. Configuring Internet Explorer to Enroll Certificates"
    
    5.3.1. About Key Limits and Internet Explorer
    
    5.3.2. Configuring Internet Explorer
  4. 5.4. Requesting and Receiving Certificates
    
    Expand section "5.4. Requesting and Receiving Certificates" Collapse section "5.4. Requesting and Receiving Certificates"
    
    5.4.1. Requesting and Receiving a Certificate through the End-Entities Page
  5. 5.5. Renewing Certificates
    
    Expand section "5.5. Renewing Certificates" Collapse section "5.5. Renewing Certificates"
    
    5.5.1. Same Keys Renewal
    
    Expand section "5.5.1. Same Keys Renewal" Collapse section "5.5.1. Same Keys Renewal"
    
    5.5.1.1. Reusing CSR
    
    Expand section "5.5.1.1. Reusing CSR" Collapse section "5.5.1.1. Reusing CSR"
    
    5.5.1.1.1. Agent-Approved or Directory-Based Renewals
    
    5.5.1.1.2. Certificate-Based Renewal
    
    5.5.1.2. Renewal by generating CSR with same keys
    
    5.5.2. Renewal by Re-keying Certificates
  6. 5.6. Submitting Certificate requests Using CMC
    
    Expand section "5.6. Submitting Certificate requests Using CMC" Collapse section "5.6. Submitting Certificate requests Using CMC"
    
    5.6.1. Using CMC Enrollment
    
    Expand section "5.6.1. Using CMC Enrollment" Collapse section "5.6.1. Using CMC Enrollment"
    
    5.6.1.1. Testing CMCEnroll
    
    5.6.2. The CMC Enrollment Process
    
    5.6.3. Practical CMC Enrollment Scenarios
    
    Expand section "5.6.3. Practical CMC Enrollment Scenarios" Collapse section "5.6.3. Practical CMC Enrollment Scenarios"
    
    5.6.3.1. Obtaining System and Server Certificates
    
    5.6.3.2. Obtaining the First Signing Certificate for a User
    
    Expand section "5.6.3.2. Obtaining the First Signing Certificate for a User" Collapse section "5.6.3.2. Obtaining the First Signing Certificate for a User"
    
    5.6.3.2.1. Signing a CMC Request with an Agent Certificate
    
    5.6.3.2.2. Authenticating for Certificate Enrollment Using a Shared Secret
    
    5.6.3.3. Obtaining an Encryption-only Certificate for a User
    
    Expand section "5.6.3.3. Obtaining an Encryption-only Certificate for a User" Collapse section "5.6.3.3. Obtaining an Encryption-only Certificate for a User"
    
    5.6.3.3.1. Example on Obtaining an Encryption-only certificate with Key Archival
  7. 5.7. Performing Bulk Issuance
  8. 5.8. Enrolling a Certificate on a Cisco Router
    
    Expand section "5.8. Enrolling a Certificate on a Cisco Router" Collapse section "5.8. Enrolling a Certificate on a Cisco Router"
    
    5.8.1. Enabling SCEP Enrollments
    
    5.8.2. Configuring Security Settings for SCEP
    
    5.8.3. Configuring a Router for SCEP Enrollment
    
    5.8.4. Generating the SCEP Certificate for a Router
    
    5.8.5. Working with Subordinate CAs
    
    5.8.6. Re-enrolling a Router
    
    5.8.7. Enabling Debugging
    
    5.8.8. Issuing ECC Certificates with SCEP
4. 6. Using and Configuring the Token Management System: TPS and TKS
  Expand section "6. Using and Configuring the Token Management System: TPS and TKS" Collapse section "6. Using and Configuring the Token Management System: TPS and TKS"
  1. 6.1. TPS Profiles
  2. 6.2. TPS Operations
  3. 6.3. Token Policies
  4. 6.4. Token Operation and Policy Processing
  5. 6.5. Internal Registration
  6. 6.6. External Registration
    
    Expand section "6.6. External Registration" Collapse section "6.6. External Registration"
    
    6.6.1. Enabling External Registration
    
    6.6.2. Customizing User LDAP Record Attribute Names
    
    6.6.3. Configuring certsToAdd attributes
    
    6.6.4. Token to User Matching Enforcement
    
    6.6.5. Delegation Support
    
    6.6.6. SAN and DN Patterns
  7. 6.7. Mapping Resolver Configuration
    
    Expand section "6.7. Mapping Resolver Configuration" Collapse section "6.7. Mapping Resolver Configuration"
    
    6.7.1. Key Set Mapping Resolver
    
    6.7.2. Token Type (TPS) Mapping Resolver
  8. 6.8. Authentication Configuration
  9. 6.9. Connectors
  10. 6.10. Revocation Routing Configuration
  11. 6.11. Setting Up Server-side Key Generation
  12. 6.12. Setting Up New Key Sets
  13. 6.13. Setting Up a New Master Key
    
    Expand section "6.13. Setting Up a New Master Key" Collapse section "6.13. Setting Up a New Master Key"
    
    6.13.1. Generating and Transporting Wrapped Master Keys (Key Ceremony)
  14. 6.14. Setting Up a TKS/TPS Shared Symmetric Key
    
    Expand section "6.14. Setting Up a TKS/TPS Shared Symmetric Key" Collapse section "6.14. Setting Up a TKS/TPS Shared Symmetric Key"
    
    6.14.1. Manually Generating and Transporting a Shared Symmetric Key
  15. 6.15. Using Different Applets for Different SCP Versions
5. 7. Revoking Certificates and Issuing CRLs
  Expand section "7. Revoking Certificates and Issuing CRLs" Collapse section "7. Revoking Certificates and Issuing CRLs"
  1. 7.1. About Revoking Certificates
    
    Expand section "7.1. About Revoking Certificates" Collapse section "7.1. About Revoking Certificates"
    
    7.1.1. User-Initiated Revocation
    
    7.1.2. Reasons for Revoking a Certificate
    
    7.1.3. CRL Issuing Points
    
    7.1.4. Delta CRLs
    
    7.1.5. Publishing CRLs
    
    7.1.6. Certificate Revocation Pages
  2. 7.2. Performing a CMC Revocation
    
    Expand section "7.2. Performing a CMC Revocation" Collapse section "7.2. Performing a CMC Revocation"
    
    7.2.1. Revoking a Certificate Using CMCRequest
    
    7.2.2. Revoking a Certificate Using CMCRevoke
    
    Expand section "7.2.2. Revoking a Certificate Using CMCRevoke" Collapse section "7.2.2. Revoking a Certificate Using CMCRevoke"
    
    7.2.2.1. Testing CMCRevoke
  3. 7.3. Issuing CRLs
    
    Expand section "7.3. Issuing CRLs" Collapse section "7.3. Issuing CRLs"
    
    7.3.1. Configuring Issuing Points
    
    7.3.2. Configuring CRLs for Each Issuing Point
    
    7.3.3. Setting CRL Extensions
    
    7.3.4. Setting a CA to Use a Different Certificate to Sign CRLs
    
    7.3.5. Generating CRLs from Cache
    
    Expand section "7.3.5. Generating CRLs from Cache" Collapse section "7.3.5. Generating CRLs from Cache"
    
    7.3.5.1. Configuring CRL Generation from Cache in the Console
    
    7.3.5.2. Configuring CRL Generation from Cache in CS.cfg
  4. 7.4. Setting Full and Delta CRL Schedules
    
    Expand section "7.4. Setting Full and Delta CRL Schedules" Collapse section "7.4. Setting Full and Delta CRL Schedules"
    
    7.4.1. Configuring CRL Update Intervals in the Console
    
    7.4.2. Configuring Update Intervals for CRLs in CS.cfg
    
    7.4.3. Configuring CRL Generation Schedules over Multiple Days
  5. 7.5. Enabling Revocation Checking
  6. 7.6. Using the Online Certificate Status Protocol (OCSP) Responder
    
    Expand section "7.6. Using the Online Certificate Status Protocol (OCSP) Responder" Collapse section "7.6. Using the Online Certificate Status Protocol (OCSP) Responder"
    
    7.6.1. Setting up the OCSP Responder
    
    7.6.2. Identifying the CA to the OCSP Responder
    
    Expand section "7.6.2. Identifying the CA to the OCSP Responder" Collapse section "7.6.2. Identifying the CA to the OCSP Responder"
    
    7.6.2.1. Verify Certificate Manager and Online Certificate Status Manager Connection
    
    7.6.2.2. Configure the Revocation Info Stores: Internal Database
    
    7.6.2.3. Configure the Revocation Info Stores: LDAP Directory
    
    7.6.2.4. Testing the OCSP Service Setup
    
    7.6.3. Setting the Response for Bad Serial Numbers
    
    7.6.4. Enabling the Certificate Manager's Internal OCSP Service
    
    7.6.5. Submitting OCSP Requests Using the OCSPClient program
    
    7.6.6. Submitting OCSP Requests Using the GET Method
    
    7.6.7. Setting up a Redirect for Certificates Issued in Certificate System 7.1 and Earlier
III. Additional Configuration to Manage CA Services
Expand section "III. Additional Configuration to Manage CA Services" Collapse section "III. Additional Configuration to Manage CA Services"
1. 8. Publishing Certificates and CRLs
  Expand section "8. Publishing Certificates and CRLs" Collapse section "8. Publishing Certificates and CRLs"
  1. 8.1. About Publishing
    
    Expand section "8.1. About Publishing" Collapse section "8.1. About Publishing"
    
    8.1.1. Publishers
    
    8.1.2. Mappers
    
    8.1.3. Rules
    
    8.1.4. Publishing to Files
    
    8.1.5. OCSP Publishing
    
    8.1.6. LDAP Publishing
  2. 8.2. Configuring Publishing to a File
  3. 8.3. Configuring Publishing to an OCSP
    
    Expand section "8.3. Configuring Publishing to an OCSP" Collapse section "8.3. Configuring Publishing to an OCSP"
    
    8.3.1. Enabling Publishing to an OCSP with Client Authentication
  4. 8.4. Configuring Publishing to an LDAP Directory
    
    Expand section "8.4. Configuring Publishing to an LDAP Directory" Collapse section "8.4. Configuring Publishing to an LDAP Directory"
    
    8.4.1. Configuring the LDAP Directory
    
    8.4.2. Configuring LDAP Publishers
    
    8.4.3. Creating Mappers
    
    8.4.4. Completing Configuration: Rules and Enabling
  5. 8.5. Creating Rules
  6. 8.6. Enabling Publishing
  7. 8.7. Enabling a Publishing Queue
  8. 8.8. Setting up Resumable CRL Downloads
    
    Expand section "8.8. Setting up Resumable CRL Downloads" Collapse section "8.8. Setting up Resumable CRL Downloads"
    
    8.8.1. Retrieving CRLs Using wget
  9. 8.9. Publishing Cross-Pair Certificates
  10. 8.10. Testing Publishing to Files
  11. 8.11. Viewing Certificates and CRLs Published to File
  12. 8.12. Updating Certificates and CRLs in a Directory
    
    Expand section "8.12. Updating Certificates and CRLs in a Directory" Collapse section "8.12. Updating Certificates and CRLs in a Directory"
    
    8.12.1. Manually Updating Certificates in the Directory
    
    8.12.2. Manually Updating the CRL in the Directory
  13. 8.13. Registering Custom Mapper and Publisher Plug-in Modules
2. 9. Authentication for Enrolling Certificates
  Expand section "9. Authentication for Enrolling Certificates" Collapse section "9. Authentication for Enrolling Certificates"
  1. 9.1. Configuring Agent-Approved Enrollment
  2. 9.2. Automated Enrollment
    
    Expand section "9.2. Automated Enrollment" Collapse section "9.2. Automated Enrollment"
    
    9.2.1. Setting up Directory-Based Authentication
    
    9.2.2. Setting up PIN-Based Enrollment
    
    9.2.3. Using Certificate-Based Authentication
    
    9.2.4. Configuring Flat File Authentication
    
    Expand section "9.2.4. Configuring Flat File Authentication" Collapse section "9.2.4. Configuring Flat File Authentication"
    
    9.2.4.1. Configuring the flatFileAuth Module
    
    9.2.4.2. Editing flatfile.txt
  3. 9.3. CMC Authentication Plug-ins
  4. 9.4. CMC SharedSecret Authentication
    
    Expand section "9.4. CMC SharedSecret Authentication" Collapse section "9.4. CMC SharedSecret Authentication"
    
    9.4.1. Creating a Shared Secret Token
    
    9.4.2. Setting a CMC Shared Secret
    
    Expand section "9.4.2. Setting a CMC Shared Secret" Collapse section "9.4.2. Setting a CMC Shared Secret"
    
    9.4.2.1. Adding a CMC Shared Secret to a User Entry for Certificate Enrollment
    
    9.4.2.2. Adding a CMC Shared Secret to a Certificate for Certificate Revocations
  5. 9.5. Testing Enrollment
  6. 9.6. Registering Custom Authentication Plug-ins
  7. 9.7. Manually Reviewing the Certificate Status Using the Command Line
  8. 9.8. Manually Reviewing the Certificate Status Using the Web Interface
3. 10. Authorization for Enrolling Certificates (Access Evaluators)
  Expand section "10. Authorization for Enrolling Certificates (Access Evaluators)" Collapse section "10. Authorization for Enrolling Certificates (Access Evaluators)"
  1. 10.1. Authorization Mechanism
  2. 10.2. Default Evaluators
4. 11. Using Automated Notifications
  Expand section "11. Using Automated Notifications" Collapse section "11. Using Automated Notifications"
  1. 11.1. About Automated Notifications for the CA
    
    Expand section "11.1. About Automated Notifications for the CA" Collapse section "11.1. About Automated Notifications for the CA"
    
    11.1.1. Types of Automated Notifications
    
    11.1.2. Determining End-Entity Email Addresses
  2. 11.2. Setting up Automated Notifications for the CA
    
    Expand section "11.2. Setting up Automated Notifications for the CA" Collapse section "11.2. Setting up Automated Notifications for the CA"
    
    11.2.1. Setting up Automated Notifications in the Console
    
    11.2.2. Configuring Specific Notifications by Editing the CS.cfg File
    
    11.2.3. Testing Configuration
  3. 11.3. Customizing Notification Messages
    
    Expand section "11.3. Customizing Notification Messages" Collapse section "11.3. Customizing Notification Messages"
    
    11.3.1. Customizing CA Notification Messages
  4. 11.4. Configuring a Mail Server for Certificate System Notifications
  5. 11.5. Creating Custom Notifications for the CA
5. 12. Setting Automated Jobs
  Expand section "12. Setting Automated Jobs" Collapse section "12. Setting Automated Jobs"
  1. 12.1. About Automated Jobs
    
    Expand section "12.1. About Automated Jobs" Collapse section "12.1. About Automated Jobs"
    
    12.1.1. Setting up Automated Jobs
    
    12.1.2. Types of Automated Jobs
    
    Expand section "12.1.2. Types of Automated Jobs" Collapse section "12.1.2. Types of Automated Jobs"
    
    12.1.2.1. certRenewalNotifier (RenewalNotificationJob)
    
    12.1.2.2. requestInQueueNotifier (RequestInQueueJob)
    
    12.1.2.3. publishCerts (PublishCertsJob)
    
    12.1.2.4. unpublishExpiredCerts (UnpublishExpiredJob)
  2. 12.2. Setting up the Job Scheduler
  3. 12.3. Setting up Specific Jobs
    
    Expand section "12.3. Setting up Specific Jobs" Collapse section "12.3. Setting up Specific Jobs"
    
    12.3.1. Configuring Specific Jobs Using the Certificate Manager Console
    
    12.3.2. Configuring Jobs by Editing the Configuration File
    
    12.3.3. Configuration Parameters of certRenewalNotifier
    
    12.3.4. Configuration Parameters of requestInQueueNotifier
    
    12.3.5. Configuration Parameters of publishCerts
    
    12.3.6. Configuration Parameters of unpublishExpiredCerts
    
    12.3.7. Frequency Settings for Automated Jobs
  4. 12.4. Registering a Job Module
IV. Managing the Subsystem Instances
Expand section "IV. Managing the Subsystem Instances" Collapse section "IV. Managing the Subsystem Instances"
1. 13. Basic Subsystem Management
  Expand section "13. Basic Subsystem Management" Collapse section "13. Basic Subsystem Management"
  1. 13.1. PKI Instances
  2. 13.2. PKI Instance Execution Management
    
    Expand section "13.2. PKI Instance Execution Management" Collapse section "13.2. PKI Instance Execution Management"
    
    13.2.1. Starting, Stopping, and Restarting a PKI Instance
    
    13.2.2. Restarting a PKI Instance after a Machine Restart
    
    13.2.3. Checking the PKI Instance Status
    
    13.2.4. Configuring a PKI Instance to Automatically Start Upon Reboot
    
    13.2.5. Setting sudo Permissions for Certificate System Services
  3. 13.3. Opening Subsystem Consoles and Services
    
    Expand section "13.3. Opening Subsystem Consoles and Services" Collapse section "13.3. Opening Subsystem Consoles and Services"
    
    13.3.1. Finding the Subsystem Web Services Pages
    
    13.3.2. Starting the Certificate System Administrative Console
    
    13.3.3. Enabling SSL for the Java Administrative Console
  4. 13.4. Running Subsystems under a Java Security Manager
    
    Expand section "13.4. Running Subsystems under a Java Security Manager" Collapse section "13.4. Running Subsystems under a Java Security Manager"
    
    13.4.1. About the Security Manager Policy Files
    
    13.4.2. Starting a Subsystem Instance without the Java Security Manager
  5. 13.5. Configuring the LDAP Database
    
    Expand section "13.5. Configuring the LDAP Database" Collapse section "13.5. Configuring the LDAP Database"
    
    13.5.1. Changing the Internal Database Configuration
    
    13.5.2. Using a Certificate Issued by Certificate System in Directory Server
    
    13.5.3. Enabling SSL/TLS Client Authentication with the Internal Database
    
    13.5.4. Restricting Access to the Internal Database
  6. 13.6. Viewing Security Domain Configuration
  7. 13.7. Managing the SELinux Policies for Subsystems
    
    Expand section "13.7. Managing the SELinux Policies for Subsystems" Collapse section "13.7. Managing the SELinux Policies for Subsystems"
    
    13.7.1. About SELinux
    
    13.7.2. Viewing SELinux Policies for Subsystems
    
    13.7.3. Relabeling nCipher netHSM Contexts
  8. 13.8. Backing up and Restoring Certificate System
    
    Expand section "13.8. Backing up and Restoring Certificate System" Collapse section "13.8. Backing up and Restoring Certificate System"
    
    13.8.1. Backing up and Restoring the LDAP Internal Database
    
    Expand section "13.8.1. Backing up and Restoring the LDAP Internal Database" Collapse section "13.8.1. Backing up and Restoring the LDAP Internal Database"
    
    13.8.1.1. Backing up the LDAP Internal Database
    
    Expand section "13.8.1.1. Backing up the LDAP Internal Database" Collapse section "13.8.1.1. Backing up the LDAP Internal Database"
    
    13.8.1.1.1. Backing up using db2ldif
    
    13.8.1.1.2. Backing up using db2bak
    
    13.8.1.2. Restoring the LDAP Internal Database
    
    Expand section "13.8.1.2. Restoring the LDAP Internal Database" Collapse section "13.8.1.2. Restoring the LDAP Internal Database"
    
    13.8.1.2.1. Restoring using ldif2db
    
    13.8.1.2.2. Restoring using bak2db
    
    13.8.2. Backing up and Restoring the Instance Directory
  9. 13.9. Running Self-Tests
    
    Expand section "13.9. Running Self-Tests" Collapse section "13.9. Running Self-Tests"
    
    13.9.1. Running Self-Tests
    
    Expand section "13.9.1. Running Self-Tests" Collapse section "13.9.1. Running Self-Tests"
    
    13.9.1.1. Running Self-Tests from the Console
    
    13.9.1.2. Running TPS Self-Tests
    
    13.9.2. Self-Test Logging
    
    13.9.3. Configuring POSIX System ACLs
    
    Expand section "13.9.3. Configuring POSIX System ACLs" Collapse section "13.9.3. Configuring POSIX System ACLs"
    
    13.9.3.1. Setting POSIX System ACLs for the CA, KRA, OCSP, TKS, and TPS
2. 14. Managing Certificate System Users and Groups
  Expand section "14. Managing Certificate System Users and Groups" Collapse section "14. Managing Certificate System Users and Groups"
  1. 14.1. About Authorization
  2. 14.2. Default Groups
    
    Expand section "14.2. Default Groups" Collapse section "14.2. Default Groups"
    
    14.2.1. Administrators
    
    14.2.2. Auditors
    
    14.2.3. Agents
    
    14.2.4. Enterprise Groups
  3. 14.3. Managing Users and Groups for a CA, OCSP, KRA, or TKS
    
    Expand section "14.3. Managing Users and Groups for a CA, OCSP, KRA, or TKS" Collapse section "14.3. Managing Users and Groups for a CA, OCSP, KRA, or TKS"
    
    14.3.1. Managing Groups
    
    Expand section "14.3.1. Managing Groups" Collapse section "14.3.1. Managing Groups"
    
    14.3.1.1. Creating a New Group
    
    14.3.1.2. Changing Members in a Group
    
    14.3.2. Managing Users (Administrators, Agents, and Auditors)
    
    Expand section "14.3.2. Managing Users (Administrators, Agents, and Auditors)" Collapse section "14.3.2. Managing Users (Administrators, Agents, and Auditors)"
    
    14.3.2.1. Creating Users
    
    Expand section "14.3.2.1. Creating Users" Collapse section "14.3.2.1. Creating Users"
    
    14.3.2.1.1. Creating Users Using the Command Line
    
    14.3.2.1.2. Creating Users Using the Console
    
    14.3.2.2. Changing a Certificate System User's Certificate
    
    14.3.2.3. Renewing Administrator, Agent, and Auditor User Certificates
    
    14.3.2.4. Deleting a Certificate System User
  4. 14.4. Creating and Managing Users for a TPS
    
    Expand section "14.4. Creating and Managing Users for a TPS" Collapse section "14.4. Creating and Managing Users for a TPS"
    
    14.4.1. Listing and Searching for Users
    
    Expand section "14.4.1. Listing and Searching for Users" Collapse section "14.4.1. Listing and Searching for Users"
    
    14.4.1.1. From the Web UI
    
    14.4.1.2. From the Command Line
    
    14.4.2. Adding Users
    
    Expand section "14.4.2. Adding Users" Collapse section "14.4.2. Adding Users"
    
    14.4.2.1. From the Web UI
    
    Expand section "14.4.2.1. From the Web UI" Collapse section "14.4.2.1. From the Web UI"
    
    14.4.2.1.1. From the Command Line
    
    14.4.3. Setting Profiles for Users
    
    14.4.4. Managing User Roles
    
    Expand section "14.4.4. Managing User Roles" Collapse section "14.4.4. Managing User Roles"
    
    14.4.4.1. From the Web UI
    
    14.4.4.2. From the Command Line
    
    14.4.5. Managing User Certificates
    
    14.4.6. Renewing TPS Agent and Administrator Certificates
    
    14.4.7. Deleting Users
  5. 14.5. Configuring Access Control for Users
    
    Expand section "14.5. Configuring Access Control for Users" Collapse section "14.5. Configuring Access Control for Users"
    
    14.5.1. About Access Control
    
    14.5.2. Changing the Access Control Settings for the Subsystem
    
    14.5.3. Adding ACLs
    
    14.5.4. Editing ACLs
3. 15. Configuring Subsystem Logs
  Expand section "15. Configuring Subsystem Logs" Collapse section "15. Configuring Subsystem Logs"
  1. 15.1. About Certificate System Logs
    
    Expand section "15.1. About Certificate System Logs" Collapse section "15.1. About Certificate System Logs"
    
    15.1.1. System Log
    
    15.1.2. Transactions Log
    
    15.1.3. Debug Logs
    
    Expand section "15.1.3. Debug Logs" Collapse section "15.1.3. Debug Logs"
    
    15.1.3.1. Installation Logs
    
    15.1.3.2. Tomcat Error and Access Logs
    
    15.1.3.3. Self-Tests Log
  2. 15.2. Managing Logs
    
    Expand section "15.2. Managing Logs" Collapse section "15.2. Managing Logs"
    
    15.2.1. An Overview of Log Settings
    
    Expand section "15.2.1. An Overview of Log Settings" Collapse section "15.2.1. An Overview of Log Settings"
    
    15.2.1.1. Services That Are Logged
    
    15.2.1.2. Log Levels (Message Categories)
    
    15.2.1.3. Buffered and Unbuffered Logging
    
    15.2.1.4. Log File Rotation
    
    15.2.2. Configuring Logs in the Console
    
    15.2.3. Configuring Logs in the CS.cfg File
    
    15.2.4. Managing Audit Logs
    
    Expand section "15.2.4. Managing Audit Logs" Collapse section "15.2.4. Managing Audit Logs"
    
    15.2.4.1. A List of Audit Events
    
    15.2.4.2. Enabling Signed Audit Logging after Installation
    
    15.2.4.3. Configuring a Signed Audit Log in the Console
    
    15.2.4.4. Handling Audit Logging Failures
    
    15.2.4.5. Signing Log Files
    
    15.2.4.6. Filtering Audit Events
    
    15.2.5. Managing Log Modules
  3. 15.3. Using Logs
    
    Expand section "15.3. Using Logs" Collapse section "15.3. Using Logs"
    
    15.3.1. Viewing Logs in the Console
    
    15.3.2. Using Signed Audit Logs
    
    Expand section "15.3.2. Using Signed Audit Logs" Collapse section "15.3.2. Using Signed Audit Logs"
    
    15.3.2.1. Listing Audit Logs
    
    15.3.2.2. Downloading Audit Logs
    
    15.3.2.3. Verifying Signed Audit Logs
    
    15.3.3. Displaying Operating System-level Audit Logs
    
    Expand section "15.3.3. Displaying Operating System-level Audit Logs" Collapse section "15.3.3. Displaying Operating System-level Audit Logs"
    
    15.3.3.1. Displaying Audit Log Deletion Events
    
    15.3.3.2. Displaying Access to the NSS Database for Secret and Private Keys
    
    15.3.3.3. Displaying Time Change Events
    
    15.3.3.4. Displaying Package Update Events
    
    15.3.3.5. Displaying Changes to the PKI Configuration
    
    15.3.4. Smart Card Error Codes
4. 16. Managing Subsystem Certificates
  Expand section "16. Managing Subsystem Certificates" Collapse section "16. Managing Subsystem Certificates"
  1. 16.1. Required Subsystem Certificates
    
    Expand section "16.1. Required Subsystem Certificates" Collapse section "16.1. Required Subsystem Certificates"
    
    16.1.1. Certificate Manager Certificates
    
    Expand section "16.1.1. Certificate Manager Certificates" Collapse section "16.1.1. Certificate Manager Certificates"
    
    16.1.1.1. CA Signing Key Pair and Certificate
    
    16.1.1.2. OCSP Signing Key Pair and Certificate
    
    16.1.1.3. Subsystem Certificate
    
    16.1.1.4. SSL Server Key Pair and Certificate
    
    16.1.1.5. Audit Log Signing Key Pair and Certificate
    
    16.1.2. Online Certificate Status Manager Certificates
    
    Expand section "16.1.2. Online Certificate Status Manager Certificates" Collapse section "16.1.2. Online Certificate Status Manager Certificates"
    
    16.1.2.1. OCSP Signing Key Pair and Certificate
    
    16.1.2.2. SSL Server Key Pair and Certificate
    
    16.1.2.3. Subsystem Certificate
    
    16.1.2.4. Audit Log Signing Key Pair and Certificate
    
    16.1.2.5. Recognizing Online Certificate Status Manager Certificates
    
    16.1.3. Key Recovery Authority Certificates
    
    Expand section "16.1.3. Key Recovery Authority Certificates" Collapse section "16.1.3. Key Recovery Authority Certificates"
    
    16.1.3.1. Transport Key Pair and Certificate
    
    16.1.3.2. Storage Key Pair
    
    16.1.3.3. SSL Server Certificate
    
    16.1.3.4. Subsystem Certificate
    
    16.1.3.5. Audit Log Signing Key Pair and Certificate
    
    16.1.4. TKS Certificates
    
    Expand section "16.1.4. TKS Certificates" Collapse section "16.1.4. TKS Certificates"
    
    16.1.4.1. SSL Server Certificate
    
    16.1.4.2. Subsystem Certificate
    
    16.1.4.3. Audit Log Signing Key Pair and Certificate
    
    16.1.5. TPS Certificates
    
    Expand section "16.1.5. TPS Certificates" Collapse section "16.1.5. TPS Certificates"
    
    16.1.5.1. SSL Server Certificate
    
    16.1.5.2. Subsystem Certificate
    
    16.1.5.3. Audit Log Signing Key Pair and Certificate
    
    16.1.6. About Subsystem Certificate Key Types
    
    16.1.7. Using an HSM to Store Subsystem Certificates
  2. 16.2. Requesting Certificates through the Console
    
    Expand section "16.2. Requesting Certificates through the Console" Collapse section "16.2. Requesting Certificates through the Console"
    
    16.2.1. Requesting Signing Certificates
    
    16.2.2. Requesting Other Certificates
  3. 16.3. Renewing Subsystem Certificates
    
    Expand section "16.3. Renewing Subsystem Certificates" Collapse section "16.3. Renewing Subsystem Certificates"
    
    16.3.1. Re-keying Certificates in the End-Entities Forms
    
    16.3.2. Renewing Certificates in the Console
    
    16.3.3. Renewing Certificates Using certutil
    
    16.3.4. Renewing System Certificates
  4. 16.4. Changing the Names of Subsystem Certificates
  5. 16.5. Using Cross-Pair Certificates
    
    Expand section "16.5. Using Cross-Pair Certificates" Collapse section "16.5. Using Cross-Pair Certificates"
    
    16.5.1. Installing Cross-Pair Certificates
    
    16.5.2. Searching for Cross-Pair Certificates
  6. 16.6. Managing the Certificate Database
    
    Expand section "16.6. Managing the Certificate Database" Collapse section "16.6. Managing the Certificate Database"
    
    16.6.1. Installing Certificates in the Certificate System Database
    
    Expand section "16.6.1. Installing Certificates in the Certificate System Database" Collapse section "16.6.1. Installing Certificates in the Certificate System Database"
    
    16.6.1.1. Installing Certificates through the Console
    
    16.6.1.2. Installing Certificates Using certutil
    
    16.6.1.3. About CA Certificate Chains
    
    16.6.2. Viewing Database Content
    
    Expand section "16.6.2. Viewing Database Content" Collapse section "16.6.2. Viewing Database Content"
    
    16.6.2.1. Viewing Database Content through the Console
    
    16.6.2.2. Viewing Database Content Using certutil
    
    16.6.3. Deleting Certificates from the Database
    
    Expand section "16.6.3. Deleting Certificates from the Database" Collapse section "16.6.3. Deleting Certificates from the Database"
    
    16.6.3.1. Deleting Certificates through the Console
    
    16.6.3.2. Deleting Certificates Using certutil
  7. 16.7. Changing the Trust Settings of a CA Certificate
    
    Expand section "16.7. Changing the Trust Settings of a CA Certificate" Collapse section "16.7. Changing the Trust Settings of a CA Certificate"
    
    16.7.1. Changing Trust Settings through the Console
    
    16.7.2. Changing Trust Settings Using certutil
  8. 16.8. Managing Tokens Used by the Subsystems
    
    Expand section "16.8. Managing Tokens Used by the Subsystems" Collapse section "16.8. Managing Tokens Used by the Subsystems"
    
    16.8.1. Detecting Tokens
    
    16.8.2. Viewing Tokens
    
    16.8.3. Changing a Token's Password
5. 17. Setting Time and Date in Red Hat Enterprise Linux 7
6. 18. Determining Certificate System Product Version
7. 19. Updating Red Hat Certificate System
8. 20. Troubleshooting
9. 21. Subsystem Control And maintenance
  Expand section "21. Subsystem Control And maintenance" Collapse section "21. Subsystem Control And maintenance"
  1. 21.1. Starting, Stopping, Restarting, and Obtaining Status
  2. 21.2. Subsystem Health Check
V. References
Expand section "V. References" Collapse section "V. References"
1. A. Certificate Profile Input and Output Reference
  Expand section "A. Certificate Profile Input and Output Reference" Collapse section "A. Certificate Profile Input and Output Reference"
  1. A.1. Input Reference
    
    Expand section "A.1. Input Reference" Collapse section "A.1. Input Reference"
    
    A.1.1. Certificate Request Input
    
    A.1.2. CMC Certificate Request Input
    
    A.1.3. Dual Key Generation Input
    
    A.1.4. File-Signing Input
    
    A.1.5. Image Input
    
    A.1.6. Key Generation Input
    
    A.1.7. nsHKeyCertRequest (Token Key) Input
    
    A.1.8. nsNKeyCertRequest (Token User Key) Input
    
    A.1.9. Serial Number Renewal Input
    
    A.1.10. Subject DN Input
    
    A.1.11. Subject Name Input
    
    A.1.12. Submitter Information Input
    
    A.1.13. Generic Input
    
    A.1.14. Subject Alternative Name Extension Input
  2. A.2. Output Reference
    
    Expand section "A.2. Output Reference" Collapse section "A.2. Output Reference"
    
    A.2.1. Certificate Output
    
    A.2.2. PKCS #7 Output
    
    A.2.3. nsNSKeyOutput
    
    A.2.4. CMMF Output
2. B. Defaults, Constraints, and Extensions for Certificates and CRLs
  Expand section "B. Defaults, Constraints, and Extensions for Certificates and CRLs" Collapse section "B. Defaults, Constraints, and Extensions for Certificates and CRLs"
  1. B.1. Defaults Reference
    
    Expand section "B.1. Defaults Reference" Collapse section "B.1. Defaults Reference"
    
    B.1.1. Authority Info Access Extension Default
    
    B.1.2. Authority Key Identifier Extension Default
    
    B.1.3. Authentication Token Subject Name Default
    
    B.1.4. Basic Constraints Extension Default
    
    B.1.5. CA Validity Default
    
    B.1.6. Certificate Policies Extension Default
    
    B.1.7. CRL Distribution Points Extension Default
    
    B.1.8. Extended Key Usage Extension Default
    
    B.1.9. Freshest CRL Extension Default
    
    B.1.10. Generic Extension Default
    
    B.1.11. Inhibit Any-Policy Extension Default
    
    B.1.12. Issuer Alternative Name Extension Default
    
    B.1.13. Key Usage Extension Default
    
    B.1.14. Name Constraints Extension Default
    
    B.1.15. Netscape Certificate Type Extension Default
    
    B.1.16. Netscape Comment Extension Default
    
    B.1.17. No Default Extension
    
    B.1.18. OCSP No Check Extension Default
    
    B.1.19. Policy Constraints Extension Default
    
    B.1.20. Policy Mappers Extension Default
    
    B.1.21. Private Key Usage Period Extension Default
    
    B.1.22. Signing Algorithm Default
    
    B.1.23. Subject Alternative Name Extension Default
    
    B.1.24. Subject Directory Attributes Extension Default
    
    B.1.25. Subject Info Access Extension Default
    
    B.1.26. Subject Key Identifier Extension Default
    
    B.1.27. Subject Name Default
    
    B.1.28. User Key Default
    
    B.1.29. User Signing Algorithm Default
    
    B.1.30. User Subject Name Default
    
    B.1.31. User Validity Default
    
    B.1.32. User Supplied Extension Default
    
    B.1.33. Validity Default
  2. B.2. Constraints Reference
    
    Expand section "B.2. Constraints Reference" Collapse section "B.2. Constraints Reference"
    
    B.2.1. Basic Constraints Extension Constraint
    
    B.2.2. CA Validity Constraint
    
    B.2.3. Extended Key Usage Extension Constraint
    
    B.2.4. Extension Constraint
    
    B.2.5. Key Constraint
    
    B.2.6. Key Usage Extension Constraint
    
    B.2.7. Netscape Certificate Type Extension Constraint
    
    B.2.8. No Constraint
    
    B.2.9. Renewal Grace Period Constraint
    
    B.2.10. Signing Algorithm Constraint
    
    B.2.11. Subject Name Constraint
    
    B.2.12. Unique Key Constraint
    
    B.2.13. Unique Subject Name Constraint
    
    B.2.14. Validity Constraint
  3. B.3. Standard X.509 v3 Certificate Extension Reference
    
    Expand section "B.3. Standard X.509 v3 Certificate Extension Reference" Collapse section "B.3. Standard X.509 v3 Certificate Extension Reference"
    
    B.3.1. authorityInfoAccess
    
    B.3.2. authorityKeyIdentifier
    
    B.3.3. basicConstraints
    
    B.3.4. certificatePoliciesExt
    
    B.3.5. CRLDistributionPoints
    
    B.3.6. extKeyUsage
    
    B.3.7. issuerAltName Extension
    
    B.3.8. keyUsage
    
    B.3.9. nameConstraints
    
    B.3.10. OCSPNocheck
    
    B.3.11. policyConstraints
    
    B.3.12. policyMappings
    
    B.3.13. privateKeyUsagePeriod
    
    B.3.14. subjectAltName
    
    B.3.15. subjectDirectoryAttributes
    
    B.3.16. subjectKeyIdentifier
  4. B.4. CRL Extensions
    
    Expand section "B.4. CRL Extensions" Collapse section "B.4. CRL Extensions"
    
    B.4.1. About CRL Extensions
    
    Expand section "B.4.1. About CRL Extensions" Collapse section "B.4.1. About CRL Extensions"
    
    B.4.1.1. Structure of CRL Extensions
    
    B.4.1.2. Sample CRL and CRL Entry Extensions
    
    B.4.2. Standard X.509 v3 CRL Extensions Reference
    
    Expand section "B.4.2. Standard X.509 v3 CRL Extensions Reference" Collapse section "B.4.2. Standard X.509 v3 CRL Extensions Reference"
    
    B.4.2.1. Extensions for CRLs
    
    Expand section "B.4.2.1. Extensions for CRLs" Collapse section "B.4.2.1. Extensions for CRLs"
    
    B.4.2.1.1. authorityInfoAccess
    
    B.4.2.1.2. authorityKeyIdentifier
    
    B.4.2.1.3. CRLNumber
    
    B.4.2.1.4. deltaCRLIndicator
    
    B.4.2.1.5. FreshestCRL
    
    B.4.2.1.6. issuerAltName
    
    B.4.2.1.7. issuingDistributionPoint
    
    B.4.2.2. CRL Entry Extensions
    
    Expand section "B.4.2.2. CRL Entry Extensions" Collapse section "B.4.2.2. CRL Entry Extensions"
    
    B.4.2.2.1. certificateIssuer
    
    B.4.2.2.2. invalidityDate
    
    B.4.2.2.3. CRLReason
    
    B.4.3. Netscape-Defined Certificate Extensions Reference
    
    Expand section "B.4.3. Netscape-Defined Certificate Extensions Reference" Collapse section "B.4.3. Netscape-Defined Certificate Extensions Reference"
    
    B.4.3.1. netscape-cert-type
    
    B.4.3.2. netscape-comment
3. C. Publishing Module Reference
  Expand section "C. Publishing Module Reference" Collapse section "C. Publishing Module Reference"
  1. C.1. Publisher Plug-in Modules
    
    Expand section "C.1. Publisher Plug-in Modules" Collapse section "C.1. Publisher Plug-in Modules"
    
    C.1.1. FileBasedPublisher
    
    C.1.2. LdapCaCertPublisher
    
    C.1.3. LdapUserCertPublisher
    
    C.1.4. LdapCrlPublisher
    
    C.1.5. LdapDeltaCrlPublisher
    
    C.1.6. LdapCertificatePairPublisher
    
    C.1.7. OCSPPublisher
  2. C.2. Mapper Plug-in Modules
    
    Expand section "C.2. Mapper Plug-in Modules " Collapse section "C.2. Mapper Plug-in Modules "
    
    C.2.1. LdapCaSimpleMap
    
    Expand section "C.2.1. LdapCaSimpleMap" Collapse section "C.2.1. LdapCaSimpleMap"
    
    C.2.1.1. LdapCaCertMap
    
    C.2.1.2. LdapCrlMap
    
    C.2.2. LdapDNExactMap
    
    C.2.3. LdapSimpleMap
    
    C.2.4. LdapSubjAttrMap
    
    C.2.5. LdapDNCompsMap
    
    Expand section "C.2.5. LdapDNCompsMap" Collapse section "C.2.5. LdapDNCompsMap"
    
    C.2.5.1. Configuration Parameters of LdapDNCompsMap
  3. C.3. Rule Instances
    
    Expand section "C.3. Rule Instances" Collapse section "C.3. Rule Instances"
    
    C.3.1. LdapCaCertRule
    
    C.3.2. LdapXCertRule
    
    C.3.3. LdapUserCertRule
    
    C.3.4. LdapCRLRule
4. D. ACL Reference
  Expand section "D. ACL Reference" Collapse section "D. ACL Reference"
  1. D.1. About ACL Configuration Files
  2. D.2. Common ACLs
    
    Expand section "D.2. Common ACLs" Collapse section "D.2. Common ACLs"
    
    D.2.1. certServer.acl.configuration
    
    D.2.2. certServer.admin.certificate
    
    D.2.3. certServer.auth.configuration
    
    D.2.4. certServer.clone.configuration
    
    D.2.5. certServer.general.configuration
    
    D.2.6. certServer.log.configuration
    
    D.2.7. certServer.log.configuration.fileName
    
    D.2.8. certServer.log.content.system
    
    D.2.9. certServer.log.content.transactions
    
    D.2.10. certServer.log.content.signedAudit
    
    D.2.11. certServer.registry.configuration
  3. D.3. Certificate Manager-Specific ACLs
    
    Expand section "D.3. Certificate Manager-Specific ACLs" Collapse section "D.3. Certificate Manager-Specific ACLs"
    
    D.3.1. certServer.admin.ocsp
    
    D.3.2. certServer.ca.certificate
    
    D.3.3. certServer.ca.certificates
    
    D.3.4. certServer.ca.configuration
    
    D.3.5. certServer.ca.connector
    
    D.3.6. certServer.ca.connectorInfo
    
    D.3.7. certServer.ca.crl
    
    D.3.8. certServer.ca.directory
    
    D.3.9. certServer.ca.group
    
    D.3.10. certServer.ca.ocsp
    
    D.3.11. certServer.ca.profile
    
    D.3.12. certServer.ca.profiles
    
    D.3.13. certServer.ca.registerUser
    
    D.3.14. certServer.ca.request.enrollment
    
    D.3.15. certServer.ca.request.profile
    
    D.3.16. certServer.ca.requests
    
    D.3.17. certServer.ca.systemstatus
    
    D.3.18. certServer.ee.certchain
    
    D.3.19. certServer.ee.certificate
    
    D.3.20. certServer.ee.certificates
    
    D.3.21. certServer.ee.crl
    
    D.3.22. certServer.ee.profile
    
    D.3.23. certServer.ee.profiles
    
    D.3.24. certServer.ee.request.ocsp
    
    D.3.25. certServer.ee.request.revocation
    
    D.3.26. certServer.ee.requestStatus
    
    D.3.27. certServer.job.configuration
    
    D.3.28. certServer.profile.configuration
    
    D.3.29. certServer.publisher.configuration
    
    D.3.30. certServer.securitydomain.domainxml
  4. D.4. Key Recovery Authority-Specific ACLs
    
    Expand section "D.4. Key Recovery Authority-Specific ACLs" Collapse section "D.4. Key Recovery Authority-Specific ACLs"
    
    D.4.1. certServer.job.configuration
    
    D.4.2. certServer.kra.certificate.transport
    
    D.4.3. certServer.kra.configuration
    
    D.4.4. certServer.kra.connector
    
    D.4.5. certServer.kra.GenerateKeyPair
    
    D.4.6. certServer.kra.getTransportCert
    
    D.4.7. certServer.kra.group
    
    D.4.8. certServer.kra.key
    
    D.4.9. certServer.kra.keys
    
    D.4.10. certServer.kra.registerUser
    
    D.4.11. certServer.kra.request
    
    D.4.12. certServer.kra.request.status
    
    D.4.13. certServer.kra.requests
    
    D.4.14. certServer.kra.systemstatus
    
    D.4.15. certServer.kra.TokenKeyRecovery
  5. D.5. Online Certificate Status Manager-Specific ACLs
    
    Expand section "D.5. Online Certificate Status Manager-Specific ACLs" Collapse section "D.5. Online Certificate Status Manager-Specific ACLs"
    
    D.5.1. certServer.ee.crl
    
    D.5.2. certServer.ee.request.ocsp
    
    D.5.3. certServer.ocsp.ca
    
    D.5.4. certServer.ocsp.cas
    
    D.5.5. certServer.ocsp.certificate
    
    D.5.6. certServer.ocsp.configuration
    
    D.5.7. certServer.ocsp.crl
    
    D.5.8. certServer.ocsp.group
    
    D.5.9. certServer.ocsp.info
  6. D.6. Token Key Service-Specific ACLs
    
    Expand section "D.6. Token Key Service-Specific ACLs" Collapse section "D.6. Token Key Service-Specific ACLs"
    
    D.6.1. certServer.tks.encrypteddata
    
    D.6.2. certServer.tks.group
    
    D.6.3. certServer.tks.importTransportCert
    
    D.6.4. certServer.tks.keysetdata
    
    D.6.5. certServer.tks.registerUser
    
    D.6.6. certServer.tks.sessionkey
    
    D.6.7. certServer.tks.randomdata
5. E. Audit Events
  Expand section "E. Audit Events" Collapse section "E. Audit Events"
  1. E.1. Audit Event Descriptions
6. Glossary
7. Index
F. Revision History
Legal Notice

15.2. Managing Logs

The Certificate System subsystem log files record events related to operations within that specific subsystem instance. For each subsystem, different logs are kept for issues such as installation, access, and web servers.

All subsystems have similar log configuration, options, and administrative paths.

15.2.1. An Overview of Log Settings

The way that logs are configured can affect Certificate System performance. For example, log file rotation keeps logs from becoming too large, which slows down subsystem performance. This section explains the different kinds of logs recorded by Certificate System subsystems and covers important concepts such as log file rotation, buffered logging, and available log levels.

15.2.1.1. Services That Are Logged

All major components and protocols of Certificate System log messages to log files. Table 15.1, “Services Logged” lists services that are logged by default. To view messages logged by a specific service, customize log settings accordingly. For details, see Section 15.3.1, “Viewing Logs in the Console”.

Table 15.1. Services Logged

Service	Description
ACLs	Logs events related to access control lists.
Administration	Logs events related to administration activities, such as HTTPS communication between the Console and the instance.
All	Logs events related to all the services.
Authentication	Logs events related to activity with the authentication module.
Certificate Authority	Logs events related to the Certificate Manager.
Database	Logs events related to activity with the internal database.
HTTP	Logs events related to the HTTP activity of the server. Note that HTTP events are actually logged to the errors log belonging to the Apache server incorporated with the Certificate System to provide HTTP services.
Key Recovery Authority	Logs events related to the KRA.
LDAP	Logs events related to activity with the LDAP directory, which is used for publishing certificates and CRLs.
OCSP	Logs events related to OCSP, such as OCSP status GET requests.
Others	Logs events related to other activities, such as command-line utilities and other processes.
Request Queue	Logs events related to the request queue activity.
User and Group	Logs events related to users and groups of the instance.

15.2.1.2. Log Levels (Message Categories)

The different events logged by Certificate System services are determined by the log levels, which makes identifying and filtering events simpler. The different Certificate System log levels are listed in Table 15.2, “Log Levels and Corresponding Log Messages”.

Log levels are represented by numbers indicating how detailed the level of logging to be performed by the server should be.

A higher priority level means less detail because only events of high priority are logged.

Table 15.2. Log Levels and Corresponding Log Messages

Log level	Message category	Description
0-1	Tracing	These messages contain finer-grained debugging information. This level should not be used regularly because it may impact the performance.
2-5	Debugging	These messages contain debugging information. This level is not recommended for regular use because it generates too much information.
6-10	Informational	These messages provide general information about the state of the Certificate System, including status messages such as Certificate System initialization complete and Request for operation succeeded.
11-15	Warning	These messages are warnings only and do not indicate any failure in the normal operation of the server.
> 15	Failure	These messages indicate errors and failures that prevent the server from operating normally, including failures to perform a certificate service operation (User authentication failed or Certificate revoked) and unexpected situations that can cause irrevocable errors (The server cannot send back the request it processed for a client through the same channel the request came from the client). Setting the level above 15 will minimize the logs, as only failures will be recorded.

Log levels can be used to filter log entries based on the severity of an event. The default log level is 10.

Log data can be extensive, especially at lower (more verbose) logging levels. Make sure that the host machine has sufficient disk space for all the log files. It is also important to define the logging level, log rotation, and server-backup policies appropriately so that all the log files are backed up and the host system does not get overloaded; otherwise, information can be lost.

15.2.1.3. Buffered and Unbuffered Logging

The Java subsystems support buffered logging for all types of logs. The server can be configured for either buffered or unbuffered logging.

If buffered logging is configured, the server creates buffers for the corresponding logs and holds the messages in the buffers for as long as possible. The server flushes out the messages to the log files only when one of the following conditions occurs:

The buffer gets full. The buffer is full when the buffer size is equal to or greater than the value specified by the bufferSize configuration parameter. The default value for this parameter is 512 KB.
The flush interval for the buffer is reached. The flush interval is reached when the time interval since the last buffer flush is equal to or greater than the value specified by the flushInterval configuration parameter. The default value for this parameter is 5 seconds.
When current logs are read from Console. The server retrieves the latest log when it is queried for current logs.

If the server is configured for unbuffered logging, the server flushes out messages as they are generated to the log files. Because the server performs an I/O operation (writing to the log file) each time a message is generated, configuring the server for unbuffered logging decreases performance.

Setting log parameters is described in Section 15.2.2, “Configuring Logs in the Console”.

15.2.1.4. Log File Rotation

The subsystem logs have an optional log setting that allows them to be rotated and start a new log file instead of letting log files grow indefinitely. Log files are rotated when either of the following occur:

The size limit for the corresponding file is reached. The size of the corresponding log file is equal to or greater than the value specified by the maxFileSize configuration parameter. The default value for this parameter is 100 KB.
The age limit for the corresponding file is reached. The corresponding log file is equal to or older than the interval specified by the rolloverInterval configuration parameter. The default value for this parameter is 2592000 seconds (every thirty days).

Note

Setting both these parameters to 0 effectively disables the log file rotation.

When a log file is rotated, the old file is named using the name of the file with an appended time stamp. The appended time stamp is an integer that indicates the date and time the corresponding active log file was rotated. The date and time have the forms YYYYMMDD (year, month, day) and HHMMSS (hour, minute, second).

Log files, especially the audit log file, contain critical information. These files should be periodically archived to some backup medium by copying the entire log directory to an archive medium.

Note

The Certificate System does not provide any tool or utility for archiving log files.

The Certificate System provides a command-line utility, signtool, that signs log files before archiving them as a means of tamper detection. For details, see Section 15.2.4.5, “Signing Log Files”.

Signing log files is an alternative to the signed audit logs feature. Signed audit logs create audit logs that are automatically signed with a subsystem signing certificate. See Section 15.2.4.3, “Configuring a Signed Audit Log in the Console” for details about signed audit logs.

Rotated log files are not deleted.

15.2.2. Configuring Logs in the Console

Logs can be configured through both the subsystem Console and through the subsystem's CS.cfg file. Specialized logs, such as signed audit logs and custom logs, can also be created through the Console or configuration file.

System, transaction, and audit logs can be configured through the subsystem Console for the CA, OCSP, TKS, and KRA subsystems. TPS logs are only configured through the configuration file.

In the navigation tree of the Configuration tab, select Log.
The Log Event Listener Management tab lists the currently configured listeners.
To create a new log instance, click Add, and select a module plug-in from the list in the Select Log Event Listener Plug-in Implementation window.
Set or modify the fields in the Log Event Listener Editor window. The different parameters are listed in Table 15.3, “Log Event Listener Fields”.

Table 15.3. Log Event Listener Fields

Field	Description
Log Event Listener ID	Gives the unique name that identifies the listener. The names can have any combination of letters (aA to zZ), digits (0 to 9), an underscore (_), and a hyphen (-), but it cannot contain other characters or spaces.
type	Gives the type of log file. system creates error and system logs; transaction records audit logs.
enabled	Sets whether the log is active. Only enabled logs actually record events. The value is either `true` or `false`.
level	Sets the log level in the text field. The level must be manually entered in the field; there is no selection menu. The choices are Debug, Information, Warning, Failure, Misconfiguration, Catastrophe, and Security. For more information, see Section 15.2.1.2, “Log Levels (Message Categories)”.
fileName	Gives the full path, including the file name, to the log file. The subsystem user should have read/write permission to the file.
bufferSize	Sets the buffer size in kilobytes (KB) for the log. Once the buffer reaches this size, the contents of the buffer are flushed out and copied to the log file. The default size is 512 KB. For more information on buffered logging, see Section 15.2.1.3, “Buffered and Unbuffered Logging”.
flushInterval	Sets the amount of time before the contents of the buffer are flushed out and added to the log file. The default interval is 5 seconds.
maxFileSize	Sets the size, in kilobytes (KB), a log file can become before it is rotated. Once it reaches this size, the file is copied to a rotated file, and the log file is started new. For more information on log file rotation, see Section 15.2.1.4, “Log File Rotation”. The default size is 2000 KB.
rolloverInterval	Sets the frequency for the server to rotate the active log file. The available options are hourly, daily, weekly, monthly, and yearly. The default is monthly. For more information, see Section 15.2.1.4, “Log File Rotation”.

15.2.3. Configuring Logs in the CS.cfg File

For instruction on how to configure logs by editing the CS.cfg file, see the Configuring Logs in the CS.cfg File section in the Red Hat Certificate System Planning, Installation, and Deployment Guide.

15.2.4. Managing Audit Logs

The audit log contains records for events that have been set up as recordable events. If the logSigning attribute is set to true, the audit log is signed with a log signing certificate belonging to the server. This certificate can be used by auditors to verify that the log has not been tampered with.

By default, regular audit logs are located in the /var/log/pki/instance_name/subsystem_name/ directory with other types of logs, while signed audit logs are written to /var/log/pki/instance_name/subsystem_name/signedAudit/. The default location for logs can be changed by modifying the configuration.

The signed audit log creates a log recording system events, and the events are selected from a list of potential events. When enabled, signed audit logs record a verbose set of messages about the selected event activity.

Signed audit logs are configured by default when the instance is first created, but it is possible to configure signed audits logs after installation. (See Section 15.2.4.2, “Enabling Signed Audit Logging after Installation”.) It is also possible to edit the configuration or change the signing certificates after configuration, as covered in Section 15.2.4.3, “Configuring a Signed Audit Log in the Console”.

15.2.4.1. A List of Audit Events

For a list of audit events in Certificate System, see Appendix E, Audit Events.

15.2.4.2. Enabling Signed Audit Logging after Installation

Signed audit logs can be enabled by default when an instance is first created by using the pki_audit_group deployment parameter with the pkispawn command. If, however, signed audit logs were not configured when an instance was created, they can be enabled afterwards by reassigning ownership of the audit log directory to the auditor system users group, such as pkiaudit.

Stop the instance:

systemctl stop pki-tomcatd@instance_name.service

Set the group ownership of the signed audit log directory to the PKI auditors operating system group, such as pkiaudit. This allows the users in the PKI auditors group to have the required read access to the signedAudit directory to verify the signatures on the log files. No user (except for the Certificate System user account, pkiuser) should have write access to the log files in this directory.
```
chgrp -R pkiaudit /var/log/pki/instance_name/subsystem_name/signedAudit
```

Restart the instance:

systemctl start pki-tomcatd@instance_name.service

15.2.4.3. Configuring a Signed Audit Log in the Console

Signed audit logs are configured by default when the instance is first created, but it is possible to edit the configuration or change the signing certificates after configuration.

Note

Provide enough space in the file system for the signed audit logs, since they can be large.

A log is set to a signed audit log by setting the logSigning parameter to enable and providing the nickname of the certificate used to sign the log. A special log signing certificate is created when the subsystems are first configured.

Only a user with auditor privileges can access and view a signed audit log. Auditors can use the AuditVerify tool to verify that signed audit logs have not been tampered with.

The signed audit log is created and enabled when the subsystem is configured, but it needs additional configuration to begin creating and signing audit logs.

Open the Console.
Note
To create or configure the audit log by editing the CS.cfg file, see the Configuring Logs in the CS.cfg File section in the Red Hat Certificate System Planning, Installation, and Deployment Guide.
In the navigation tree of the Configuration tab, select Log.
In the Log Event Listener Management tab, select the SignedAudit entry.
Click Edit/View.
There are three fields which must be reset in the Log Event Listener Editor window.
- Fill in the signedAuditCertNickname. This is the nickname of the certificate used to sign audit logs. An audit signing certificate is created when the subsystem is configured; it has a nickname like auditSigningCert cert-instance_name subsystem_name.
  Note
  To get the audit signing certificate nickname, list the certificates in the subsystem's certificate database using certutil. For example:
  certutil -L -d /var/lib/pki-tomcat/alias Certificate Authority - Example Domain CT,c, subsystemCert cert-pki-tomcat u,u,u Server-Cert cert-pki-tomcat u,u,u auditSigningCert cert-pki-tomcat CA u,u,Pu
- Set the logSigning field to true to enable signed logging.
- Set any events which are logged to the audit log. Appendix E, Audit Events lists the loggable events. Log events are separated by commas with no spaces.
Set any other settings for the log, such as the file name, the log level, the file size, or the rotation schedule.
Note
By default, regular audit logs are located in the /var/log/pki/instance_name/subsystem_name/ directory with other types of logs, while signed audit logs are written to /var/log/pki/instance_name/subsystem_name/signedAudit/. The default location for logs can be changed by modifying the configuration.
Save the log configuration.

After enabling signed audit logging, assign auditor users by creating the user and assigning that entry to the auditor group. Members of the auditor group are the only users who can view and verify the signed audit log. See Section 14.3.2.1, “Creating Users” for details about setting up auditors.

Auditors can verify logs by using the AuditVerify tool. See the AuditVerify(1) man page for details about using this tool.

15.2.4.4. Handling Audit Logging Failures

There are events that could cause the audit logging function to fail, so events cannot be written to the log. For example, audit logging can fail when the file system containing the audit log file is full or when the file permissions for the log file are accidentally changed. If audit logging fails, the Certificate System instance shuts down in the following manner.

Servlets are disabled and will not process new requests.
All pending and new requests are killed.
The subsystem is shut down.

When this happens, administrators and auditors should work together with the operating system administrator to resolve the disk space or file permission issues. When the IT problem is resolved, the auditor should make sure that the last audit log entries are signed. If not, they should be preserved by manual signing (Section 15.2.4.5, “Signing Log Files”), archived, and removed to prevent audit verification failures in the future. When this is completed, the administrators can restart the Certificate System.

15.2.4.5. Signing Log Files

The Certificate System can digitally sign log files before they are archived or distributed for audit purposes. This feature allows files to be checked for tampering.

This is an alternative to the signed audit logs feature. The signed audit log feature creates audit logs that are automatically signed; this tool manually signs archived logs. See Section 15.2.4.3, “Configuring a Signed Audit Log in the Console” for details about signed audit logs.

For signing log files, use a command-line utility called the Signing Tool (signtool). For details about this utility, see http://www.mozilla.org/projects/security/pki/nss/tools/.

The utility uses information in the certificate, key, and security module databases of the subsystem instance.

As a user with auditor privilegesuse the signtool command to sign the log directories:

signtool -d secdb_dir -k cert_nickname -Z output input

secdb_dir specifies the path to the directory that contains the certificate, key, and security module databases for the CA.
cert_nickname specifies the nickname of the certificate to use for signing.
output specifies the name of the JAR file (a signed zip file).
input specifies the path to the directory that contains the log files.

15.2.4.6. Filtering Audit Events

In Certificate System administrators can set filters to configure which audit events will be logged in the audit file based on the event attributes.

The format of the filters is the same as for LDAP filters. However, Certificate System only supports the following filters:

Table 15.4. Supported Audit Event Filters

Type	Format	Example
Presence	(attribute=*)	(ReqID=*)
Equality	(attribute=value)	(Outcome=Failure)
Substring	(attribute=initialany...anyfinal)	(SubjectID=admin)
`AND` operation	(&(filter_1)(filter_2)...(filter_n))	(&(SubjectID=admin)(Outcome=Failure))
`OR` operation	(\|(filter_1)(filter_2)...(filter_n))	(\|(SubjectID=admin)(Outcome=Failure))
`NOT` operation	(!(filter))	(!(SubjectID=admin))

For further details on LDAP filters, see the Using Compound Search Filters in the Red Hat Directory Server Administration Guide.

Example 15.5. Filtering Audit Events

To log only failed events for profile certificate requests and events for processed certificates requests that have the InfoName field set to rejectReadon or cancelReason:

Edit the /var/lib/pki/instance_name/subsystem_type/conf/CS.cfg file and set the following parameters:

log.instance.SignedAudit.filters.PROFILE_CERT_REQUEST=(Outcome=Failure)
log.instance.SignedAudit.filters.CERT_REQUEST_PROCESSED=(|(InfoName=rejectReason)(InfoName=cancelReason))

Restart Certificate System:

# systemctl restart pki-tomcatd@instance_name.service

15.2.5. Managing Log Modules

The types of logs that are allowed and their behaviors are configured through log module plug-ins. New logging modules can be created and used to make custom logs.

New log plug-in modules can be registered through the Console. Registering a new module involves specifying the name of the module and the full name of the Java™ class that implements the log interface.

Before registering a plug-in module, put the Java™ class for the module in the classes directory; the implementation must be on the class path.

To register a log plug-in module with a subsystem instance:

Create the custom job class. For this example, the custom log plug-in is called MyLog.java.

Compile the new class into the lib directory of the instance.

javac -d . /var/lib/pki/pki-tomcat/lib -classpath $CLASSPATH MyLog.java

Create a directory in the CA's WEB-INF web directory to hold the custom classes, so that the CA can access them.
```
mkdir /var/lib/pki/pki-tomcat/webapps/ca/WEB-INF/classes
```
Set the owner to the Certificate System system user (pkiuser).
```
chown -R pkiuser:pkiuser /var/lib/pki/pki-tomcat/lib
```
Register the plug-in.
1. Log into the Console.
2. In the Configuration tab, select Logs from the navigation tree. Then select the Log Event Listener Plug-in Registration tab.
3. Click Register.
  The Register Log Event Listener Plug-in Implementation window appears.
4. Give the name for the plug-in module and the Java™ class name.
  The Java™ class name is the full path to the implementing Java™ class. If this class is part of a package, include the package name. For example, registering a class named customLog in a package named com.customplugins, the class name would be com.customplugins.customLog.
5. Click OK.

Unwanted log plug-in modules can be deleted through the Console. Before deleting a module, delete all the listeners based on this module; see Section 15.2.1.4, “Log File Rotation”.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

15.2. Managing Logs

15.2.1. An Overview of Log Settings

15.2.1.1. Services That Are Logged

15.2.1.2. Log Levels (Message Categories)

15.2.1.3. Buffered and Unbuffered Logging

15.2.1.4. Log File Rotation

15.2.2. Configuring Logs in the Console

15.2.3. Configuring Logs in the CS.cfg File

15.2.4. Managing Audit Logs

15.2.4.1. A List of Audit Events

15.2.4.2. Enabling Signed Audit Logging after Installation

15.2.4.3. Configuring a Signed Audit Log in the Console

15.2.4.4. Handling Audit Logging Failures

15.2.4.5. Signing Log Files

15.2.4.6. Filtering Audit Events

15.2.5. Managing Log Modules