Administration Guide
1. Overview of Red Hat Certificate System Subsystems
Expand section "1. Overview of Red Hat Certificate System Subsystems" Collapse section "1. Overview of Red Hat Certificate System Subsystems"
I. Red Hat Certificate System User Interfaces
Expand section "I. Red Hat Certificate System User Interfaces" Collapse section "I. Red Hat Certificate System User Interfaces"
1. 2. User Interfaces
  Expand section "2. User Interfaces" Collapse section "2. User Interfaces"
  1. 2.1. User Interfaces Overview
  2. 2.2. Client NSS Database Initialization
  3. 2.3. Graphical Interface
    
    Expand section "2.3. Graphical Interface" Collapse section "2.3. Graphical Interface"
    
    2.3.1. pkiconsole Initialization
    
    2.3.2. Using pkiconsole for CA, OCSP, KRA, and TKS Subsystems
  4. 2.4. Web Interface
    
    Expand section "2.4. Web Interface" Collapse section "2.4. Web Interface"
    
    2.4.1. Browser Initialization
    
    2.4.2. The Administrative Interfaces
    
    2.4.3. Agent Interfaces
    
    2.4.4. End User Pages
  5. 2.5. Command Line Interfaces
    
    Expand section "2.5. Command Line Interfaces" Collapse section "2.5. Command Line Interfaces"
    
    2.5.1. "pki" CLI
    
    Expand section "2.5.1. "pki" CLI" Collapse section "2.5.1. "pki" CLI"
    
    2.5.1.1. pki CLI Initialization
    
    2.5.1.2. Using "pki" CLI
    
    2.5.2. AtoB
    
    2.5.3. AuditVerify
    
    2.5.4. BtoA
    
    2.5.5. CMCRequest
    
    2.5.6. CMCRevoke
    
    2.5.7. CMCSharedToken
    
    2.5.8. CRMFPopClient
    
    2.5.9. HttpClient
    
    2.5.10. OCSPClient
    
    2.5.11. PKCS10Client
    
    2.5.12. PrettyPrintCert
    
    2.5.13. PrettyPrintCrl
    
    2.5.14. TokenInfo
    
    2.5.15. tkstool
  6. 2.6. Enterprise Security Client
II. Setting up Certificate Services
Expand section "II. Setting up Certificate Services" Collapse section "II. Setting up Certificate Services"
1. 3. Making Rules for Issuing Certificates (Certificate Profiles)
  Expand section "3. Making Rules for Issuing Certificates (Certificate Profiles)" Collapse section "3. Making Rules for Issuing Certificates (Certificate Profiles)"
  1. 3.1. About Certificate Profiles
    
    Expand section "3.1. About Certificate Profiles" Collapse section "3.1. About Certificate Profiles"
    
    3.1.1. The Enrollment Profile
    
    3.1.2. Certificate Extensions: Defaults and Constraints
    
    3.1.3. Inputs and Outputs
  2. 3.2. Setting up Certificate Profiles
    
    Expand section "3.2. Setting up Certificate Profiles" Collapse section "3.2. Setting up Certificate Profiles"
    
    3.2.1. Managing Certificate Enrollment Profiles Using the PKI Command-line Interface
    
    Expand section "3.2.1. Managing Certificate Enrollment Profiles Using the PKI Command-line Interface" Collapse section "3.2.1. Managing Certificate Enrollment Profiles Using the PKI Command-line Interface"
    
    3.2.1.1. Enabling and Disabling a Certificate Profile
    
    3.2.1.2. Creating a Certificate Profile in Raw Format
    
    3.2.1.3. Editing a Certificate Profile in Raw Format
    
    3.2.1.4. Deleting a Certificate Profile
    
    3.2.2. Managing Certificate Enrollment Profiles Using the Java-based Administration Console
    
    Expand section "3.2.2. Managing Certificate Enrollment Profiles Using the Java-based Administration Console" Collapse section "3.2.2. Managing Certificate Enrollment Profiles Using the Java-based Administration Console"
    
    3.2.2.1. Creating Certificate Profiles through the CA Console
    
    3.2.2.2. Editing Certificate Profiles in the Console
    
    3.2.3. Listing Certificate Enrollment Profiles
    
    3.2.4. Displaying Details of a Certificate Enrollment Profile
  3. 3.3. Defining Key Defaults in Profiles
  4. 3.4. Configuring Profiles to Enable Renewal
    
    Expand section "3.4. Configuring Profiles to Enable Renewal" Collapse section "3.4. Configuring Profiles to Enable Renewal"
    
    3.4.1. Renewing Using the Same Key
    
    3.4.2. Renewal Using a New Key
  5. 3.5. Setting the Signing Algorithms for Certificates
    
    Expand section "3.5. Setting the Signing Algorithms for Certificates" Collapse section "3.5. Setting the Signing Algorithms for Certificates"
    
    3.5.1. Setting the CA's Default Signing Algorithm
    
    3.5.2. Setting the Signing Algorithm Default in a Profile
  6. 3.6. Managing CA-Related Profiles
    
    Expand section "3.6. Managing CA-Related Profiles" Collapse section "3.6. Managing CA-Related Profiles"
    
    3.6.1. Setting Restrictions on CA Certificates
    
    3.6.2. Changing the Restrictions for CAs on Issuing Certificates
    
    3.6.3. Using Random Certificate Serial Numbers
    
    Expand section "3.6.3. Using Random Certificate Serial Numbers" Collapse section "3.6.3. Using Random Certificate Serial Numbers"
    
    3.6.3.1. Enabling Random Certificate Serial Numbers
    
    3.6.4. Allowing a CA Certificate to Be Renewed Past the CA's Validity Period
  7. 3.7. Managing Subject Names and Subject Alternative Names
    
    Expand section "3.7. Managing Subject Names and Subject Alternative Names" Collapse section "3.7. Managing Subject Names and Subject Alternative Names"
    
    3.7.1. Using the Requester CN or UID in the Subject Name
    
    3.7.2. Inserting LDAP Directory Attribute Values and Other Information into the Subject Alt Name
    
    3.7.3. Using the CN Attribute in the SAN Extension
    
    3.7.4. Accepting SAN Extensions from a CSR
    
    Expand section "3.7.4. Accepting SAN Extensions from a CSR" Collapse section "3.7.4. Accepting SAN Extensions from a CSR"
    
    3.7.4.1. Configuring a Profile to Retrieve SANs from a CSR
    
    3.7.4.2. Generating a CSR with SANs
2. 4. Setting up Key Archival and Recovery
  Expand section "4. Setting up Key Archival and Recovery" Collapse section "4. Setting up Key Archival and Recovery"
  1. 4.1. Configuring Agent-Approved Key Recovery in the Console
  2. 4.2. Testing the Key Archival and Recovery Setup
3. 5. Requesting, Enrolling, and Managing Certificates
  Expand section "5. Requesting, Enrolling, and Managing Certificates" Collapse section "5. Requesting, Enrolling, and Managing Certificates"
  1. 5.1. About Enrolling and Renewing Certificates
  2. 5.2. Creating Certificate Signing Requests
    
    Expand section "5.2. Creating Certificate Signing Requests" Collapse section "5.2. Creating Certificate Signing Requests"
    
    5.2.1. Generating CSRs Using Command-Line Utilities
    
    Expand section "5.2.1. Generating CSRs Using Command-Line Utilities" Collapse section "5.2.1. Generating CSRs Using Command-Line Utilities"
    
    5.2.1.1. Creating a CSR Using certutil
    
    Expand section "5.2.1.1. Creating a CSR Using certutil" Collapse section "5.2.1.1. Creating a CSR Using certutil"
    
    5.2.1.1.1. Using certutil to Create a CSR with EC Keys
    
    5.2.1.1.2. Using certutil to Create a CSR With User-defined Extensions
    
    5.2.1.2. Creating a CSR Using PKCS10Client
    
    Expand section "5.2.1.2. Creating a CSR Using PKCS10Client" Collapse section "5.2.1.2. Creating a CSR Using PKCS10Client"
    
    5.2.1.2.1. Using PKCS10Client to Create a CSR
    
    5.2.1.2.2. Using PKCS10Client to Create a CSR for SharedSecret-based CMC
    
    5.2.1.3. Creating a CSR Using CRMFPopClient
    
    Expand section "5.2.1.3. Creating a CSR Using CRMFPopClient" Collapse section "5.2.1.3. Creating a CSR Using CRMFPopClient"
    
    5.2.1.3.1. Using CRMFPopClient to Create a CSR with Key Archival
    
    5.2.1.3.2. Using CRMFPopClient to Create a CSR for SharedSecret-based CMC
    
    5.2.1.4. Creating a CSR using client-cert-request in the PKI CLI
    
    5.2.2. Generating CSRs Using Server-Side Key Generation
    
    Expand section "5.2.2. Generating CSRs Using Server-Side Key Generation" Collapse section "5.2.2. Generating CSRs Using Server-Side Key Generation"
    
    5.2.2.1. Functionality Highlights
    
    5.2.2.2. Enrolling a Certificate Using Server-Side Keygen
    
    5.2.2.3. Key Recovery
    
    5.2.2.4. Additional Information
    
    Expand section "5.2.2.4. Additional Information" Collapse section "5.2.2.4. Additional Information"
    
    5.2.2.4.1. KRA Request Records
    
    5.2.2.4.2. Audit Records
  3. 5.3. Configuring Internet Explorer to Enroll Certificates
    
    Expand section "5.3. Configuring Internet Explorer to Enroll Certificates" Collapse section "5.3. Configuring Internet Explorer to Enroll Certificates"
    
    5.3.1. About Key Limits and Internet Explorer
    
    5.3.2. Configuring Internet Explorer
  4. 5.4. Requesting and Receiving Certificates
    
    Expand section "5.4. Requesting and Receiving Certificates" Collapse section "5.4. Requesting and Receiving Certificates"
    
    5.4.1. Requesting and Receiving a Certificate through the End-Entities Page
  5. 5.5. Renewing Certificates
    
    Expand section "5.5. Renewing Certificates" Collapse section "5.5. Renewing Certificates"
    
    5.5.1. Same Keys Renewal
    
    Expand section "5.5.1. Same Keys Renewal" Collapse section "5.5.1. Same Keys Renewal"
    
    5.5.1.1. Reusing CSR
    
    Expand section "5.5.1.1. Reusing CSR" Collapse section "5.5.1.1. Reusing CSR"
    
    5.5.1.1.1. Agent-Approved or Directory-Based Renewals
    
    5.5.1.1.2. Certificate-Based Renewal
    
    5.5.1.2. Renewal by generating CSR with same keys
    
    5.5.2. Renewal by Re-keying Certificates
  6. 5.6. Submitting Certificate requests Using CMC
    
    Expand section "5.6. Submitting Certificate requests Using CMC" Collapse section "5.6. Submitting Certificate requests Using CMC"
    
    5.6.1. Using CMC Enrollment
    
    Expand section "5.6.1. Using CMC Enrollment" Collapse section "5.6.1. Using CMC Enrollment"
    
    5.6.1.1. Testing CMCEnroll
    
    5.6.2. The CMC Enrollment Process
    
    5.6.3. Practical CMC Enrollment Scenarios
    
    Expand section "5.6.3. Practical CMC Enrollment Scenarios" Collapse section "5.6.3. Practical CMC Enrollment Scenarios"
    
    5.6.3.1. Obtaining System and Server Certificates
    
    5.6.3.2. Obtaining the First Signing Certificate for a User
    
    Expand section "5.6.3.2. Obtaining the First Signing Certificate for a User" Collapse section "5.6.3.2. Obtaining the First Signing Certificate for a User"
    
    5.6.3.2.1. Signing a CMC Request with an Agent Certificate
    
    5.6.3.2.2. Authenticating for Certificate Enrollment Using a Shared Secret
    
    5.6.3.3. Obtaining an Encryption-only Certificate for a User
    
    Expand section "5.6.3.3. Obtaining an Encryption-only Certificate for a User" Collapse section "5.6.3.3. Obtaining an Encryption-only Certificate for a User"
    
    5.6.3.3.1. Example on Obtaining an Encryption-only certificate with Key Archival
  7. 5.7. Performing Bulk Issuance
  8. 5.8. Enrolling a Certificate on a Cisco Router
    
    Expand section "5.8. Enrolling a Certificate on a Cisco Router" Collapse section "5.8. Enrolling a Certificate on a Cisco Router"
    
    5.8.1. Enabling SCEP Enrollments
    
    5.8.2. Configuring Security Settings for SCEP
    
    5.8.3. Configuring a Router for SCEP Enrollment
    
    5.8.4. Generating the SCEP Certificate for a Router
    
    5.8.5. Working with Subordinate CAs
    
    5.8.6. Re-enrolling a Router
    
    5.8.7. Enabling Debugging
    
    5.8.8. Issuing ECC Certificates with SCEP
4. 6. Using and Configuring the Token Management System: TPS and TKS
  Expand section "6. Using and Configuring the Token Management System: TPS and TKS" Collapse section "6. Using and Configuring the Token Management System: TPS and TKS"
  1. 6.1. TPS Profiles
  2. 6.2. TPS Operations
  3. 6.3. Token Policies
  4. 6.4. Token Operation and Policy Processing
  5. 6.5. Internal Registration
  6. 6.6. External Registration
    
    Expand section "6.6. External Registration" Collapse section "6.6. External Registration"
    
    6.6.1. Enabling External Registration
    
    6.6.2. Customizing User LDAP Record Attribute Names
    
    6.6.3. Configuring certsToAdd attributes
    
    6.6.4. Token to User Matching Enforcement
    
    6.6.5. Delegation Support
    
    6.6.6. SAN and DN Patterns
  7. 6.7. Mapping Resolver Configuration
    
    Expand section "6.7. Mapping Resolver Configuration" Collapse section "6.7. Mapping Resolver Configuration"
    
    6.7.1. Key Set Mapping Resolver
    
    6.7.2. Token Type (TPS) Mapping Resolver
  8. 6.8. Authentication Configuration
  9. 6.9. Connectors
  10. 6.10. Revocation Routing Configuration
  11. 6.11. Setting Up Server-side Key Generation
  12. 6.12. Setting Up New Key Sets
  13. 6.13. Setting Up a New Master Key
    
    Expand section "6.13. Setting Up a New Master Key" Collapse section "6.13. Setting Up a New Master Key"
    
    6.13.1. Generating and Transporting Wrapped Master Keys (Key Ceremony)
  14. 6.14. Setting Up a TKS/TPS Shared Symmetric Key
    
    Expand section "6.14. Setting Up a TKS/TPS Shared Symmetric Key" Collapse section "6.14. Setting Up a TKS/TPS Shared Symmetric Key"
    
    6.14.1. Manually Generating and Transporting a Shared Symmetric Key
  15. 6.15. Using Different Applets for Different SCP Versions
5. 7. Revoking Certificates and Issuing CRLs
  Expand section "7. Revoking Certificates and Issuing CRLs" Collapse section "7. Revoking Certificates and Issuing CRLs"
  1. 7.1. About Revoking Certificates
    
    Expand section "7.1. About Revoking Certificates" Collapse section "7.1. About Revoking Certificates"
    
    7.1.1. User-Initiated Revocation
    
    7.1.2. Reasons for Revoking a Certificate
    
    7.1.3. CRL Issuing Points
    
    7.1.4. Delta CRLs
    
    7.1.5. Publishing CRLs
    
    7.1.6. Certificate Revocation Pages
  2. 7.2. Performing a CMC Revocation
    
    Expand section "7.2. Performing a CMC Revocation" Collapse section "7.2. Performing a CMC Revocation"
    
    7.2.1. Revoking a Certificate Using CMCRequest
    
    7.2.2. Revoking a Certificate Using CMCRevoke
    
    Expand section "7.2.2. Revoking a Certificate Using CMCRevoke" Collapse section "7.2.2. Revoking a Certificate Using CMCRevoke"
    
    7.2.2.1. Testing CMCRevoke
  3. 7.3. Issuing CRLs
    
    Expand section "7.3. Issuing CRLs" Collapse section "7.3. Issuing CRLs"
    
    7.3.1. Configuring Issuing Points
    
    7.3.2. Configuring CRLs for Each Issuing Point
    
    7.3.3. Setting CRL Extensions
    
    7.3.4. Setting a CA to Use a Different Certificate to Sign CRLs
    
    7.3.5. Generating CRLs from Cache
    
    Expand section "7.3.5. Generating CRLs from Cache" Collapse section "7.3.5. Generating CRLs from Cache"
    
    7.3.5.1. Configuring CRL Generation from Cache in the Console
    
    7.3.5.2. Configuring CRL Generation from Cache in CS.cfg
  4. 7.4. Setting Full and Delta CRL Schedules
    
    Expand section "7.4. Setting Full and Delta CRL Schedules" Collapse section "7.4. Setting Full and Delta CRL Schedules"
    
    7.4.1. Configuring CRL Update Intervals in the Console
    
    7.4.2. Configuring Update Intervals for CRLs in CS.cfg
    
    7.4.3. Configuring CRL Generation Schedules over Multiple Days
  5. 7.5. Enabling Revocation Checking
  6. 7.6. Using the Online Certificate Status Protocol (OCSP) Responder
    
    Expand section "7.6. Using the Online Certificate Status Protocol (OCSP) Responder" Collapse section "7.6. Using the Online Certificate Status Protocol (OCSP) Responder"
    
    7.6.1. Setting up the OCSP Responder
    
    7.6.2. Identifying the CA to the OCSP Responder
    
    Expand section "7.6.2. Identifying the CA to the OCSP Responder" Collapse section "7.6.2. Identifying the CA to the OCSP Responder"
    
    7.6.2.1. Verify Certificate Manager and Online Certificate Status Manager Connection
    
    7.6.2.2. Configure the Revocation Info Stores: Internal Database
    
    7.6.2.3. Configure the Revocation Info Stores: LDAP Directory
    
    7.6.2.4. Testing the OCSP Service Setup
    
    7.6.3. Setting the Response for Bad Serial Numbers
    
    7.6.4. Enabling the Certificate Manager's Internal OCSP Service
    
    7.6.5. Submitting OCSP Requests Using the OCSPClient program
    
    7.6.6. Submitting OCSP Requests Using the GET Method
    
    7.6.7. Setting up a Redirect for Certificates Issued in Certificate System 7.1 and Earlier
III. Additional Configuration to Manage CA Services
Expand section "III. Additional Configuration to Manage CA Services" Collapse section "III. Additional Configuration to Manage CA Services"
1. 8. Publishing Certificates and CRLs
  Expand section "8. Publishing Certificates and CRLs" Collapse section "8. Publishing Certificates and CRLs"
  1. 8.1. About Publishing
    
    Expand section "8.1. About Publishing" Collapse section "8.1. About Publishing"
    
    8.1.1. Publishers
    
    8.1.2. Mappers
    
    8.1.3. Rules
    
    8.1.4. Publishing to Files
    
    8.1.5. OCSP Publishing
    
    8.1.6. LDAP Publishing
  2. 8.2. Configuring Publishing to a File
  3. 8.3. Configuring Publishing to an OCSP
    
    Expand section "8.3. Configuring Publishing to an OCSP" Collapse section "8.3. Configuring Publishing to an OCSP"
    
    8.3.1. Enabling Publishing to an OCSP with Client Authentication
  4. 8.4. Configuring Publishing to an LDAP Directory
    
    Expand section "8.4. Configuring Publishing to an LDAP Directory" Collapse section "8.4. Configuring Publishing to an LDAP Directory"
    
    8.4.1. Configuring the LDAP Directory
    
    8.4.2. Configuring LDAP Publishers
    
    8.4.3. Creating Mappers
    
    8.4.4. Completing Configuration: Rules and Enabling
  5. 8.5. Creating Rules
  6. 8.6. Enabling Publishing
  7. 8.7. Enabling a Publishing Queue
  8. 8.8. Setting up Resumable CRL Downloads
    
    Expand section "8.8. Setting up Resumable CRL Downloads" Collapse section "8.8. Setting up Resumable CRL Downloads"
    
    8.8.1. Retrieving CRLs Using wget
  9. 8.9. Publishing Cross-Pair Certificates
  10. 8.10. Testing Publishing to Files
  11. 8.11. Viewing Certificates and CRLs Published to File
  12. 8.12. Updating Certificates and CRLs in a Directory
    
    Expand section "8.12. Updating Certificates and CRLs in a Directory" Collapse section "8.12. Updating Certificates and CRLs in a Directory"
    
    8.12.1. Manually Updating Certificates in the Directory
    
    8.12.2. Manually Updating the CRL in the Directory
  13. 8.13. Registering Custom Mapper and Publisher Plug-in Modules
2. 9. Authentication for Enrolling Certificates
  Expand section "9. Authentication for Enrolling Certificates" Collapse section "9. Authentication for Enrolling Certificates"
  1. 9.1. Configuring Agent-Approved Enrollment
  2. 9.2. Automated Enrollment
    
    Expand section "9.2. Automated Enrollment" Collapse section "9.2. Automated Enrollment"
    
    9.2.1. Setting up Directory-Based Authentication
    
    9.2.2. Setting up PIN-Based Enrollment
    
    9.2.3. Using Certificate-Based Authentication
    
    9.2.4. Configuring Flat File Authentication
    
    Expand section "9.2.4. Configuring Flat File Authentication" Collapse section "9.2.4. Configuring Flat File Authentication"
    
    9.2.4.1. Configuring the flatFileAuth Module
    
    9.2.4.2. Editing flatfile.txt
  3. 9.3. CMC Authentication Plug-ins
  4. 9.4. CMC SharedSecret Authentication
    
    Expand section "9.4. CMC SharedSecret Authentication" Collapse section "9.4. CMC SharedSecret Authentication"
    
    9.4.1. Creating a Shared Secret Token
    
    9.4.2. Setting a CMC Shared Secret
    
    Expand section "9.4.2. Setting a CMC Shared Secret" Collapse section "9.4.2. Setting a CMC Shared Secret"
    
    9.4.2.1. Adding a CMC Shared Secret to a User Entry for Certificate Enrollment
    
    9.4.2.2. Adding a CMC Shared Secret to a Certificate for Certificate Revocations
  5. 9.5. Testing Enrollment
  6. 9.6. Registering Custom Authentication Plug-ins
  7. 9.7. Manually Reviewing the Certificate Status Using the Command Line
  8. 9.8. Manually Reviewing the Certificate Status Using the Web Interface
3. 10. Authorization for Enrolling Certificates (Access Evaluators)
  Expand section "10. Authorization for Enrolling Certificates (Access Evaluators)" Collapse section "10. Authorization for Enrolling Certificates (Access Evaluators)"
  1. 10.1. Authorization Mechanism
  2. 10.2. Default Evaluators
4. 11. Using Automated Notifications
  Expand section "11. Using Automated Notifications" Collapse section "11. Using Automated Notifications"
  1. 11.1. About Automated Notifications for the CA
    
    Expand section "11.1. About Automated Notifications for the CA" Collapse section "11.1. About Automated Notifications for the CA"
    
    11.1.1. Types of Automated Notifications
    
    11.1.2. Determining End-Entity Email Addresses
  2. 11.2. Setting up Automated Notifications for the CA
    
    Expand section "11.2. Setting up Automated Notifications for the CA" Collapse section "11.2. Setting up Automated Notifications for the CA"
    
    11.2.1. Setting up Automated Notifications in the Console
    
    11.2.2. Configuring Specific Notifications by Editing the CS.cfg File
    
    11.2.3. Testing Configuration
  3. 11.3. Customizing Notification Messages
    
    Expand section "11.3. Customizing Notification Messages" Collapse section "11.3. Customizing Notification Messages"
    
    11.3.1. Customizing CA Notification Messages
  4. 11.4. Configuring a Mail Server for Certificate System Notifications
  5. 11.5. Creating Custom Notifications for the CA
5. 12. Setting Automated Jobs
  Expand section "12. Setting Automated Jobs" Collapse section "12. Setting Automated Jobs"
  1. 12.1. About Automated Jobs
    
    Expand section "12.1. About Automated Jobs" Collapse section "12.1. About Automated Jobs"
    
    12.1.1. Setting up Automated Jobs
    
    12.1.2. Types of Automated Jobs
    
    Expand section "12.1.2. Types of Automated Jobs" Collapse section "12.1.2. Types of Automated Jobs"
    
    12.1.2.1. certRenewalNotifier (RenewalNotificationJob)
    
    12.1.2.2. requestInQueueNotifier (RequestInQueueJob)
    
    12.1.2.3. publishCerts (PublishCertsJob)
    
    12.1.2.4. unpublishExpiredCerts (UnpublishExpiredJob)
  2. 12.2. Setting up the Job Scheduler
  3. 12.3. Setting up Specific Jobs
    
    Expand section "12.3. Setting up Specific Jobs" Collapse section "12.3. Setting up Specific Jobs"
    
    12.3.1. Configuring Specific Jobs Using the Certificate Manager Console
    
    12.3.2. Configuring Jobs by Editing the Configuration File
    
    12.3.3. Configuration Parameters of certRenewalNotifier
    
    12.3.4. Configuration Parameters of requestInQueueNotifier
    
    12.3.5. Configuration Parameters of publishCerts
    
    12.3.6. Configuration Parameters of unpublishExpiredCerts
    
    12.3.7. Frequency Settings for Automated Jobs
  4. 12.4. Registering a Job Module
IV. Managing the Subsystem Instances
Expand section "IV. Managing the Subsystem Instances" Collapse section "IV. Managing the Subsystem Instances"
1. 13. Basic Subsystem Management
  Expand section "13. Basic Subsystem Management" Collapse section "13. Basic Subsystem Management"
  1. 13.1. PKI Instances
  2. 13.2. PKI Instance Execution Management
    
    Expand section "13.2. PKI Instance Execution Management" Collapse section "13.2. PKI Instance Execution Management"
    
    13.2.1. Starting, Stopping, and Restarting a PKI Instance
    
    13.2.2. Restarting a PKI Instance after a Machine Restart
    
    13.2.3. Checking the PKI Instance Status
    
    13.2.4. Configuring a PKI Instance to Automatically Start Upon Reboot
    
    13.2.5. Setting sudo Permissions for Certificate System Services
  3. 13.3. Opening Subsystem Consoles and Services
    
    Expand section "13.3. Opening Subsystem Consoles and Services" Collapse section "13.3. Opening Subsystem Consoles and Services"
    
    13.3.1. Finding the Subsystem Web Services Pages
    
    13.3.2. Starting the Certificate System Administrative Console
    
    13.3.3. Enabling SSL for the Java Administrative Console
  4. 13.4. Running Subsystems under a Java Security Manager
    
    Expand section "13.4. Running Subsystems under a Java Security Manager" Collapse section "13.4. Running Subsystems under a Java Security Manager"
    
    13.4.1. About the Security Manager Policy Files
    
    13.4.2. Starting a Subsystem Instance without the Java Security Manager
  5. 13.5. Configuring the LDAP Database
    
    Expand section "13.5. Configuring the LDAP Database" Collapse section "13.5. Configuring the LDAP Database"
    
    13.5.1. Changing the Internal Database Configuration
    
    13.5.2. Using a Certificate Issued by Certificate System in Directory Server
    
    13.5.3. Enabling SSL/TLS Client Authentication with the Internal Database
    
    13.5.4. Restricting Access to the Internal Database
  6. 13.6. Viewing Security Domain Configuration
  7. 13.7. Managing the SELinux Policies for Subsystems
    
    Expand section "13.7. Managing the SELinux Policies for Subsystems" Collapse section "13.7. Managing the SELinux Policies for Subsystems"
    
    13.7.1. About SELinux
    
    13.7.2. Viewing SELinux Policies for Subsystems
    
    13.7.3. Relabeling nCipher netHSM Contexts
  8. 13.8. Backing up and Restoring Certificate System
    
    Expand section "13.8. Backing up and Restoring Certificate System" Collapse section "13.8. Backing up and Restoring Certificate System"
    
    13.8.1. Backing up and Restoring the LDAP Internal Database
    
    Expand section "13.8.1. Backing up and Restoring the LDAP Internal Database" Collapse section "13.8.1. Backing up and Restoring the LDAP Internal Database"
    
    13.8.1.1. Backing up the LDAP Internal Database
    
    Expand section "13.8.1.1. Backing up the LDAP Internal Database" Collapse section "13.8.1.1. Backing up the LDAP Internal Database"
    
    13.8.1.1.1. Backing up using db2ldif
    
    13.8.1.1.2. Backing up using db2bak
    
    13.8.1.2. Restoring the LDAP Internal Database
    
    Expand section "13.8.1.2. Restoring the LDAP Internal Database" Collapse section "13.8.1.2. Restoring the LDAP Internal Database"
    
    13.8.1.2.1. Restoring using ldif2db
    
    13.8.1.2.2. Restoring using bak2db
    
    13.8.2. Backing up and Restoring the Instance Directory
  9. 13.9. Running Self-Tests
    
    Expand section "13.9. Running Self-Tests" Collapse section "13.9. Running Self-Tests"
    
    13.9.1. Running Self-Tests
    
    Expand section "13.9.1. Running Self-Tests" Collapse section "13.9.1. Running Self-Tests"
    
    13.9.1.1. Running Self-Tests from the Console
    
    13.9.1.2. Running TPS Self-Tests
    
    13.9.2. Self-Test Logging
    
    13.9.3. Configuring POSIX System ACLs
    
    Expand section "13.9.3. Configuring POSIX System ACLs" Collapse section "13.9.3. Configuring POSIX System ACLs"
    
    13.9.3.1. Setting POSIX System ACLs for the CA, KRA, OCSP, TKS, and TPS
2. 14. Managing Certificate System Users and Groups
  Expand section "14. Managing Certificate System Users and Groups" Collapse section "14. Managing Certificate System Users and Groups"
  1. 14.1. About Authorization
  2. 14.2. Default Groups
    
    Expand section "14.2. Default Groups" Collapse section "14.2. Default Groups"
    
    14.2.1. Administrators
    
    14.2.2. Auditors
    
    14.2.3. Agents
    
    14.2.4. Enterprise Groups
  3. 14.3. Managing Users and Groups for a CA, OCSP, KRA, or TKS
    
    Expand section "14.3. Managing Users and Groups for a CA, OCSP, KRA, or TKS" Collapse section "14.3. Managing Users and Groups for a CA, OCSP, KRA, or TKS"
    
    14.3.1. Managing Groups
    
    Expand section "14.3.1. Managing Groups" Collapse section "14.3.1. Managing Groups"
    
    14.3.1.1. Creating a New Group
    
    14.3.1.2. Changing Members in a Group
    
    14.3.2. Managing Users (Administrators, Agents, and Auditors)
    
    Expand section "14.3.2. Managing Users (Administrators, Agents, and Auditors)" Collapse section "14.3.2. Managing Users (Administrators, Agents, and Auditors)"
    
    14.3.2.1. Creating Users
    
    Expand section "14.3.2.1. Creating Users" Collapse section "14.3.2.1. Creating Users"
    
    14.3.2.1.1. Creating Users Using the Command Line
    
    14.3.2.1.2. Creating Users Using the Console
    
    14.3.2.2. Changing a Certificate System User's Certificate
    
    14.3.2.3. Renewing Administrator, Agent, and Auditor User Certificates
    
    14.3.2.4. Deleting a Certificate System User
  4. 14.4. Creating and Managing Users for a TPS
    
    Expand section "14.4. Creating and Managing Users for a TPS" Collapse section "14.4. Creating and Managing Users for a TPS"
    
    14.4.1. Listing and Searching for Users
    
    Expand section "14.4.1. Listing and Searching for Users" Collapse section "14.4.1. Listing and Searching for Users"
    
    14.4.1.1. From the Web UI
    
    14.4.1.2. From the Command Line
    
    14.4.2. Adding Users
    
    Expand section "14.4.2. Adding Users" Collapse section "14.4.2. Adding Users"
    
    14.4.2.1. From the Web UI
    
    Expand section "14.4.2.1. From the Web UI" Collapse section "14.4.2.1. From the Web UI"
    
    14.4.2.1.1. From the Command Line
    
    14.4.3. Setting Profiles for Users
    
    14.4.4. Managing User Roles
    
    Expand section "14.4.4. Managing User Roles" Collapse section "14.4.4. Managing User Roles"
    
    14.4.4.1. From the Web UI
    
    14.4.4.2. From the Command Line
    
    14.4.5. Managing User Certificates
    
    14.4.6. Renewing TPS Agent and Administrator Certificates
    
    14.4.7. Deleting Users
  5. 14.5. Configuring Access Control for Users
    
    Expand section "14.5. Configuring Access Control for Users" Collapse section "14.5. Configuring Access Control for Users"
    
    14.5.1. About Access Control
    
    14.5.2. Changing the Access Control Settings for the Subsystem
    
    14.5.3. Adding ACLs
    
    14.5.4. Editing ACLs
3. 15. Configuring Subsystem Logs
  Expand section "15. Configuring Subsystem Logs" Collapse section "15. Configuring Subsystem Logs"
  1. 15.1. About Certificate System Logs
    
    Expand section "15.1. About Certificate System Logs" Collapse section "15.1. About Certificate System Logs"
    
    15.1.1. System Log
    
    15.1.2. Transactions Log
    
    15.1.3. Debug Logs
    
    Expand section "15.1.3. Debug Logs" Collapse section "15.1.3. Debug Logs"
    
    15.1.3.1. Installation Logs
    
    15.1.3.2. Tomcat Error and Access Logs
    
    15.1.3.3. Self-Tests Log
  2. 15.2. Managing Logs
    
    Expand section "15.2. Managing Logs" Collapse section "15.2. Managing Logs"
    
    15.2.1. An Overview of Log Settings
    
    Expand section "15.2.1. An Overview of Log Settings" Collapse section "15.2.1. An Overview of Log Settings"
    
    15.2.1.1. Services That Are Logged
    
    15.2.1.2. Log Levels (Message Categories)
    
    15.2.1.3. Buffered and Unbuffered Logging
    
    15.2.1.4. Log File Rotation
    
    15.2.2. Configuring Logs in the Console
    
    15.2.3. Configuring Logs in the CS.cfg File
    
    15.2.4. Managing Audit Logs
    
    Expand section "15.2.4. Managing Audit Logs" Collapse section "15.2.4. Managing Audit Logs"
    
    15.2.4.1. A List of Audit Events
    
    15.2.4.2. Enabling Signed Audit Logging after Installation
    
    15.2.4.3. Configuring a Signed Audit Log in the Console
    
    15.2.4.4. Handling Audit Logging Failures
    
    15.2.4.5. Signing Log Files
    
    15.2.4.6. Filtering Audit Events
    
    15.2.5. Managing Log Modules
  3. 15.3. Using Logs
    
    Expand section "15.3. Using Logs" Collapse section "15.3. Using Logs"
    
    15.3.1. Viewing Logs in the Console
    
    15.3.2. Using Signed Audit Logs
    
    Expand section "15.3.2. Using Signed Audit Logs" Collapse section "15.3.2. Using Signed Audit Logs"
    
    15.3.2.1. Listing Audit Logs
    
    15.3.2.2. Downloading Audit Logs
    
    15.3.2.3. Verifying Signed Audit Logs
    
    15.3.3. Displaying Operating System-level Audit Logs
    
    Expand section "15.3.3. Displaying Operating System-level Audit Logs" Collapse section "15.3.3. Displaying Operating System-level Audit Logs"
    
    15.3.3.1. Displaying Audit Log Deletion Events
    
    15.3.3.2. Displaying Access to the NSS Database for Secret and Private Keys
    
    15.3.3.3. Displaying Time Change Events
    
    15.3.3.4. Displaying Package Update Events
    
    15.3.3.5. Displaying Changes to the PKI Configuration
    
    15.3.4. Smart Card Error Codes
4. 16. Managing Subsystem Certificates
  Expand section "16. Managing Subsystem Certificates" Collapse section "16. Managing Subsystem Certificates"
  1. 16.1. Required Subsystem Certificates
    
    Expand section "16.1. Required Subsystem Certificates" Collapse section "16.1. Required Subsystem Certificates"
    
    16.1.1. Certificate Manager Certificates
    
    Expand section "16.1.1. Certificate Manager Certificates" Collapse section "16.1.1. Certificate Manager Certificates"
    
    16.1.1.1. CA Signing Key Pair and Certificate
    
    16.1.1.2. OCSP Signing Key Pair and Certificate
    
    16.1.1.3. Subsystem Certificate
    
    16.1.1.4. SSL Server Key Pair and Certificate
    
    16.1.1.5. Audit Log Signing Key Pair and Certificate
    
    16.1.2. Online Certificate Status Manager Certificates
    
    Expand section "16.1.2. Online Certificate Status Manager Certificates" Collapse section "16.1.2. Online Certificate Status Manager Certificates"
    
    16.1.2.1. OCSP Signing Key Pair and Certificate
    
    16.1.2.2. SSL Server Key Pair and Certificate
    
    16.1.2.3. Subsystem Certificate
    
    16.1.2.4. Audit Log Signing Key Pair and Certificate
    
    16.1.2.5. Recognizing Online Certificate Status Manager Certificates
    
    16.1.3. Key Recovery Authority Certificates
    
    Expand section "16.1.3. Key Recovery Authority Certificates" Collapse section "16.1.3. Key Recovery Authority Certificates"
    
    16.1.3.1. Transport Key Pair and Certificate
    
    16.1.3.2. Storage Key Pair
    
    16.1.3.3. SSL Server Certificate
    
    16.1.3.4. Subsystem Certificate
    
    16.1.3.5. Audit Log Signing Key Pair and Certificate
    
    16.1.4. TKS Certificates
    
    Expand section "16.1.4. TKS Certificates" Collapse section "16.1.4. TKS Certificates"
    
    16.1.4.1. SSL Server Certificate
    
    16.1.4.2. Subsystem Certificate
    
    16.1.4.3. Audit Log Signing Key Pair and Certificate
    
    16.1.5. TPS Certificates
    
    Expand section "16.1.5. TPS Certificates" Collapse section "16.1.5. TPS Certificates"
    
    16.1.5.1. SSL Server Certificate
    
    16.1.5.2. Subsystem Certificate
    
    16.1.5.3. Audit Log Signing Key Pair and Certificate
    
    16.1.6. About Subsystem Certificate Key Types
    
    16.1.7. Using an HSM to Store Subsystem Certificates
  2. 16.2. Requesting Certificates through the Console
    
    Expand section "16.2. Requesting Certificates through the Console" Collapse section "16.2. Requesting Certificates through the Console"
    
    16.2.1. Requesting Signing Certificates
    
    16.2.2. Requesting Other Certificates
  3. 16.3. Renewing Subsystem Certificates
    
    Expand section "16.3. Renewing Subsystem Certificates" Collapse section "16.3. Renewing Subsystem Certificates"
    
    16.3.1. Re-keying Certificates in the End-Entities Forms
    
    16.3.2. Renewing Certificates in the Console
    
    16.3.3. Renewing Certificates Using certutil
    
    16.3.4. Renewing System Certificates
  4. 16.4. Changing the Names of Subsystem Certificates
  5. 16.5. Using Cross-Pair Certificates
    
    Expand section "16.5. Using Cross-Pair Certificates" Collapse section "16.5. Using Cross-Pair Certificates"
    
    16.5.1. Installing Cross-Pair Certificates
    
    16.5.2. Searching for Cross-Pair Certificates
  6. 16.6. Managing the Certificate Database
    
    Expand section "16.6. Managing the Certificate Database" Collapse section "16.6. Managing the Certificate Database"
    
    16.6.1. Installing Certificates in the Certificate System Database
    
    Expand section "16.6.1. Installing Certificates in the Certificate System Database" Collapse section "16.6.1. Installing Certificates in the Certificate System Database"
    
    16.6.1.1. Installing Certificates through the Console
    
    16.6.1.2. Installing Certificates Using certutil
    
    16.6.1.3. About CA Certificate Chains
    
    16.6.2. Viewing Database Content
    
    Expand section "16.6.2. Viewing Database Content" Collapse section "16.6.2. Viewing Database Content"
    
    16.6.2.1. Viewing Database Content through the Console
    
    16.6.2.2. Viewing Database Content Using certutil
    
    16.6.3. Deleting Certificates from the Database
    
    Expand section "16.6.3. Deleting Certificates from the Database" Collapse section "16.6.3. Deleting Certificates from the Database"
    
    16.6.3.1. Deleting Certificates through the Console
    
    16.6.3.2. Deleting Certificates Using certutil
  7. 16.7. Changing the Trust Settings of a CA Certificate
    
    Expand section "16.7. Changing the Trust Settings of a CA Certificate" Collapse section "16.7. Changing the Trust Settings of a CA Certificate"
    
    16.7.1. Changing Trust Settings through the Console
    
    16.7.2. Changing Trust Settings Using certutil
  8. 16.8. Managing Tokens Used by the Subsystems
    
    Expand section "16.8. Managing Tokens Used by the Subsystems" Collapse section "16.8. Managing Tokens Used by the Subsystems"
    
    16.8.1. Detecting Tokens
    
    16.8.2. Viewing Tokens
    
    16.8.3. Changing a Token's Password
5. 17. Setting Time and Date in Red Hat Enterprise Linux 7
6. 18. Determining Certificate System Product Version
7. 19. Updating Red Hat Certificate System
8. 20. Troubleshooting
9. 21. Subsystem Control And maintenance
  Expand section "21. Subsystem Control And maintenance" Collapse section "21. Subsystem Control And maintenance"
  1. 21.1. Starting, Stopping, Restarting, and Obtaining Status
  2. 21.2. Subsystem Health Check
V. References
Expand section "V. References" Collapse section "V. References"
1. A. Certificate Profile Input and Output Reference
  Expand section "A. Certificate Profile Input and Output Reference" Collapse section "A. Certificate Profile Input and Output Reference"
  1. A.1. Input Reference
    
    Expand section "A.1. Input Reference" Collapse section "A.1. Input Reference"
    
    A.1.1. Certificate Request Input
    
    A.1.2. CMC Certificate Request Input
    
    A.1.3. Dual Key Generation Input
    
    A.1.4. File-Signing Input
    
    A.1.5. Image Input
    
    A.1.6. Key Generation Input
    
    A.1.7. nsHKeyCertRequest (Token Key) Input
    
    A.1.8. nsNKeyCertRequest (Token User Key) Input
    
    A.1.9. Serial Number Renewal Input
    
    A.1.10. Subject DN Input
    
    A.1.11. Subject Name Input
    
    A.1.12. Submitter Information Input
    
    A.1.13. Generic Input
    
    A.1.14. Subject Alternative Name Extension Input
  2. A.2. Output Reference
    
    Expand section "A.2. Output Reference" Collapse section "A.2. Output Reference"
    
    A.2.1. Certificate Output
    
    A.2.2. PKCS #7 Output
    
    A.2.3. nsNSKeyOutput
    
    A.2.4. CMMF Output
2. B. Defaults, Constraints, and Extensions for Certificates and CRLs
  Expand section "B. Defaults, Constraints, and Extensions for Certificates and CRLs" Collapse section "B. Defaults, Constraints, and Extensions for Certificates and CRLs"
  1. B.1. Defaults Reference
    
    Expand section "B.1. Defaults Reference" Collapse section "B.1. Defaults Reference"
    
    B.1.1. Authority Info Access Extension Default
    
    B.1.2. Authority Key Identifier Extension Default
    
    B.1.3. Authentication Token Subject Name Default
    
    B.1.4. Basic Constraints Extension Default
    
    B.1.5. CA Validity Default
    
    B.1.6. Certificate Policies Extension Default
    
    B.1.7. CRL Distribution Points Extension Default
    
    B.1.8. Extended Key Usage Extension Default
    
    B.1.9. Freshest CRL Extension Default
    
    B.1.10. Generic Extension Default
    
    B.1.11. Inhibit Any-Policy Extension Default
    
    B.1.12. Issuer Alternative Name Extension Default
    
    B.1.13. Key Usage Extension Default
    
    B.1.14. Name Constraints Extension Default
    
    B.1.15. Netscape Certificate Type Extension Default
    
    B.1.16. Netscape Comment Extension Default
    
    B.1.17. No Default Extension
    
    B.1.18. OCSP No Check Extension Default
    
    B.1.19. Policy Constraints Extension Default
    
    B.1.20. Policy Mappers Extension Default
    
    B.1.21. Private Key Usage Period Extension Default
    
    B.1.22. Signing Algorithm Default
    
    B.1.23. Subject Alternative Name Extension Default
    
    B.1.24. Subject Directory Attributes Extension Default
    
    B.1.25. Subject Info Access Extension Default
    
    B.1.26. Subject Key Identifier Extension Default
    
    B.1.27. Subject Name Default
    
    B.1.28. User Key Default
    
    B.1.29. User Signing Algorithm Default
    
    B.1.30. User Subject Name Default
    
    B.1.31. User Validity Default
    
    B.1.32. User Supplied Extension Default
    
    B.1.33. Validity Default
  2. B.2. Constraints Reference
    
    Expand section "B.2. Constraints Reference" Collapse section "B.2. Constraints Reference"
    
    B.2.1. Basic Constraints Extension Constraint
    
    B.2.2. CA Validity Constraint
    
    B.2.3. Extended Key Usage Extension Constraint
    
    B.2.4. Extension Constraint
    
    B.2.5. Key Constraint
    
    B.2.6. Key Usage Extension Constraint
    
    B.2.7. Netscape Certificate Type Extension Constraint
    
    B.2.8. No Constraint
    
    B.2.9. Renewal Grace Period Constraint
    
    B.2.10. Signing Algorithm Constraint
    
    B.2.11. Subject Name Constraint
    
    B.2.12. Unique Key Constraint
    
    B.2.13. Unique Subject Name Constraint
    
    B.2.14. Validity Constraint
  3. B.3. Standard X.509 v3 Certificate Extension Reference
    
    Expand section "B.3. Standard X.509 v3 Certificate Extension Reference" Collapse section "B.3. Standard X.509 v3 Certificate Extension Reference"
    
    B.3.1. authorityInfoAccess
    
    B.3.2. authorityKeyIdentifier
    
    B.3.3. basicConstraints
    
    B.3.4. certificatePoliciesExt
    
    B.3.5. CRLDistributionPoints
    
    B.3.6. extKeyUsage
    
    B.3.7. issuerAltName Extension
    
    B.3.8. keyUsage
    
    B.3.9. nameConstraints
    
    B.3.10. OCSPNocheck
    
    B.3.11. policyConstraints
    
    B.3.12. policyMappings
    
    B.3.13. privateKeyUsagePeriod
    
    B.3.14. subjectAltName
    
    B.3.15. subjectDirectoryAttributes
    
    B.3.16. subjectKeyIdentifier
  4. B.4. CRL Extensions
    
    Expand section "B.4. CRL Extensions" Collapse section "B.4. CRL Extensions"
    
    B.4.1. About CRL Extensions
    
    Expand section "B.4.1. About CRL Extensions" Collapse section "B.4.1. About CRL Extensions"
    
    B.4.1.1. Structure of CRL Extensions
    
    B.4.1.2. Sample CRL and CRL Entry Extensions
    
    B.4.2. Standard X.509 v3 CRL Extensions Reference
    
    Expand section "B.4.2. Standard X.509 v3 CRL Extensions Reference" Collapse section "B.4.2. Standard X.509 v3 CRL Extensions Reference"
    
    B.4.2.1. Extensions for CRLs
    
    Expand section "B.4.2.1. Extensions for CRLs" Collapse section "B.4.2.1. Extensions for CRLs"
    
    B.4.2.1.1. authorityInfoAccess
    
    B.4.2.1.2. authorityKeyIdentifier
    
    B.4.2.1.3. CRLNumber
    
    B.4.2.1.4. deltaCRLIndicator
    
    B.4.2.1.5. FreshestCRL
    
    B.4.2.1.6. issuerAltName
    
    B.4.2.1.7. issuingDistributionPoint
    
    B.4.2.2. CRL Entry Extensions
    
    Expand section "B.4.2.2. CRL Entry Extensions" Collapse section "B.4.2.2. CRL Entry Extensions"
    
    B.4.2.2.1. certificateIssuer
    
    B.4.2.2.2. invalidityDate
    
    B.4.2.2.3. CRLReason
    
    B.4.3. Netscape-Defined Certificate Extensions Reference
    
    Expand section "B.4.3. Netscape-Defined Certificate Extensions Reference" Collapse section "B.4.3. Netscape-Defined Certificate Extensions Reference"
    
    B.4.3.1. netscape-cert-type
    
    B.4.3.2. netscape-comment
3. C. Publishing Module Reference
  Expand section "C. Publishing Module Reference" Collapse section "C. Publishing Module Reference"
  1. C.1. Publisher Plug-in Modules
    
    Expand section "C.1. Publisher Plug-in Modules" Collapse section "C.1. Publisher Plug-in Modules"
    
    C.1.1. FileBasedPublisher
    
    C.1.2. LdapCaCertPublisher
    
    C.1.3. LdapUserCertPublisher
    
    C.1.4. LdapCrlPublisher
    
    C.1.5. LdapDeltaCrlPublisher
    
    C.1.6. LdapCertificatePairPublisher
    
    C.1.7. OCSPPublisher
  2. C.2. Mapper Plug-in Modules
    
    Expand section "C.2. Mapper Plug-in Modules " Collapse section "C.2. Mapper Plug-in Modules "
    
    C.2.1. LdapCaSimpleMap
    
    Expand section "C.2.1. LdapCaSimpleMap" Collapse section "C.2.1. LdapCaSimpleMap"
    
    C.2.1.1. LdapCaCertMap
    
    C.2.1.2. LdapCrlMap
    
    C.2.2. LdapDNExactMap
    
    C.2.3. LdapSimpleMap
    
    C.2.4. LdapSubjAttrMap
    
    C.2.5. LdapDNCompsMap
    
    Expand section "C.2.5. LdapDNCompsMap" Collapse section "C.2.5. LdapDNCompsMap"
    
    C.2.5.1. Configuration Parameters of LdapDNCompsMap
  3. C.3. Rule Instances
    
    Expand section "C.3. Rule Instances" Collapse section "C.3. Rule Instances"
    
    C.3.1. LdapCaCertRule
    
    C.3.2. LdapXCertRule
    
    C.3.3. LdapUserCertRule
    
    C.3.4. LdapCRLRule
4. D. ACL Reference
  Expand section "D. ACL Reference" Collapse section "D. ACL Reference"
  1. D.1. About ACL Configuration Files
  2. D.2. Common ACLs
    
    Expand section "D.2. Common ACLs" Collapse section "D.2. Common ACLs"
    
    D.2.1. certServer.acl.configuration
    
    D.2.2. certServer.admin.certificate
    
    D.2.3. certServer.auth.configuration
    
    D.2.4. certServer.clone.configuration
    
    D.2.5. certServer.general.configuration
    
    D.2.6. certServer.log.configuration
    
    D.2.7. certServer.log.configuration.fileName
    
    D.2.8. certServer.log.content.system
    
    D.2.9. certServer.log.content.transactions
    
    D.2.10. certServer.log.content.signedAudit
    
    D.2.11. certServer.registry.configuration
  3. D.3. Certificate Manager-Specific ACLs
    
    Expand section "D.3. Certificate Manager-Specific ACLs" Collapse section "D.3. Certificate Manager-Specific ACLs"
    
    D.3.1. certServer.admin.ocsp
    
    D.3.2. certServer.ca.certificate
    
    D.3.3. certServer.ca.certificates
    
    D.3.4. certServer.ca.configuration
    
    D.3.5. certServer.ca.connector
    
    D.3.6. certServer.ca.connectorInfo
    
    D.3.7. certServer.ca.crl
    
    D.3.8. certServer.ca.directory
    
    D.3.9. certServer.ca.group
    
    D.3.10. certServer.ca.ocsp
    
    D.3.11. certServer.ca.profile
    
    D.3.12. certServer.ca.profiles
    
    D.3.13. certServer.ca.registerUser
    
    D.3.14. certServer.ca.request.enrollment
    
    D.3.15. certServer.ca.request.profile
    
    D.3.16. certServer.ca.requests
    
    D.3.17. certServer.ca.systemstatus
    
    D.3.18. certServer.ee.certchain
    
    D.3.19. certServer.ee.certificate
    
    D.3.20. certServer.ee.certificates
    
    D.3.21. certServer.ee.crl
    
    D.3.22. certServer.ee.profile
    
    D.3.23. certServer.ee.profiles
    
    D.3.24. certServer.ee.request.ocsp
    
    D.3.25. certServer.ee.request.revocation
    
    D.3.26. certServer.ee.requestStatus
    
    D.3.27. certServer.job.configuration
    
    D.3.28. certServer.profile.configuration
    
    D.3.29. certServer.publisher.configuration
    
    D.3.30. certServer.securitydomain.domainxml
  4. D.4. Key Recovery Authority-Specific ACLs
    
    Expand section "D.4. Key Recovery Authority-Specific ACLs" Collapse section "D.4. Key Recovery Authority-Specific ACLs"
    
    D.4.1. certServer.job.configuration
    
    D.4.2. certServer.kra.certificate.transport
    
    D.4.3. certServer.kra.configuration
    
    D.4.4. certServer.kra.connector
    
    D.4.5. certServer.kra.GenerateKeyPair
    
    D.4.6. certServer.kra.getTransportCert
    
    D.4.7. certServer.kra.group
    
    D.4.8. certServer.kra.key
    
    D.4.9. certServer.kra.keys
    
    D.4.10. certServer.kra.registerUser
    
    D.4.11. certServer.kra.request
    
    D.4.12. certServer.kra.request.status
    
    D.4.13. certServer.kra.requests
    
    D.4.14. certServer.kra.systemstatus
    
    D.4.15. certServer.kra.TokenKeyRecovery
  5. D.5. Online Certificate Status Manager-Specific ACLs
    
    Expand section "D.5. Online Certificate Status Manager-Specific ACLs" Collapse section "D.5. Online Certificate Status Manager-Specific ACLs"
    
    D.5.1. certServer.ee.crl
    
    D.5.2. certServer.ee.request.ocsp
    
    D.5.3. certServer.ocsp.ca
    
    D.5.4. certServer.ocsp.cas
    
    D.5.5. certServer.ocsp.certificate
    
    D.5.6. certServer.ocsp.configuration
    
    D.5.7. certServer.ocsp.crl
    
    D.5.8. certServer.ocsp.group
    
    D.5.9. certServer.ocsp.info
  6. D.6. Token Key Service-Specific ACLs
    
    Expand section "D.6. Token Key Service-Specific ACLs" Collapse section "D.6. Token Key Service-Specific ACLs"
    
    D.6.1. certServer.tks.encrypteddata
    
    D.6.2. certServer.tks.group
    
    D.6.3. certServer.tks.importTransportCert
    
    D.6.4. certServer.tks.keysetdata
    
    D.6.5. certServer.tks.registerUser
    
    D.6.6. certServer.tks.sessionkey
    
    D.6.7. certServer.tks.randomdata
5. E. Audit Events
  Expand section "E. Audit Events" Collapse section "E. Audit Events"
  1. E.1. Audit Event Descriptions
6. Glossary
7. Index
F. Revision History
Legal Notice

Language:
Format:

Language:
Format:

12.3. Setting up Specific Jobs

Automated jobs can be configured through the Certificate Manager Console or by editing the configuration file directory. It is recommended that these changes be made through the Certificate Manager Console.

12.3.1. Configuring Specific Jobs Using the Certificate Manager Console

To enable and configure an automated job using the Certificate Manager Console:

Open the Certificate Manager Console.

pkiconsole https://server.example.com:8443/ca

Confirm that the Jobs Scheduler is enabled. See Section 12.2, “Setting up the Job Scheduler” for more information.
In the Configuration tab, select Job Scheduler from the navigation tree. Then select Jobs to open the Job Instance tab.
Select the job instance from the list, and click Edit/View.
The Job Instance Editor opens, showing the current job configuration.
Figure 12.1. Job Configuration
Select enabled to turn on the job.
Set the configuration settings by specifying them in the fields for this dialog.
- For certRenewalNotifier, see Section 12.3.3, “Configuration Parameters of certRenewalNotifier”.
- For requestInQueueNotifier, see Section 12.3.4, “Configuration Parameters of requestInQueueNotifier”.
- For publishCerts, see Section 12.3.5, “Configuration Parameters of publishCerts”.
- For unpublishExpiredCerts, see Section 12.3.6, “Configuration Parameters of unpublishExpiredCerts”.
- For more information about setting the cron time frequencies, see Section 12.3.7, “Frequency Settings for Automated Jobs”.
Click OK.
Click Refresh to view any changes in the main window.
If the job is configured to send automatic messages, check that a mail server is set up correctly. See Section 11.4, “Configuring a Mail Server for Certificate System Notifications”.
Customize the email message text and appearance.

12.3.2. Configuring Jobs by Editing the Configuration File

Ensure that the Jobs Scheduler is enabled and configured; see Section 12.2, “Setting up the Job Scheduler”.

Stop the CA subsystem instance.

systemctl stop pki-tomcatd@instance_name.service

Open the CS.cfg file for that server instance in a text editor.
Edit all of the configuration parameters for the job module being configured.
- To configure the certRenewalNotifier job, edit all parameters that begin with jobsScheduler.job.certRenewalNotifier; see Section 12.3.3, “Configuration Parameters of certRenewalNotifier”.
- To configure the requestInQueueNotifier job, edit all parameters that begin with jobsScheduler.job.requestInQueueNotifier; see Section 12.3.4, “Configuration Parameters of requestInQueueNotifier”.
- To configure the publishCerts job, edit all parameters that begin with jobsScheduler.job.publishCerts; see Section 12.3.5, “Configuration Parameters of publishCerts”.
- To configure the unpublishExpiredCerts job, edit all parameters that begin with jobsScheduler.job.unpublishExpiredCerts; see Section 12.3.6, “Configuration Parameters of unpublishExpiredCerts”.
Save the file.

Restart the server instance.

systemctl start pki-tomcatd@instance_name.service

If the job will send automated messages, check that the mail server is set up correctly. See Section 11.4, “Configuring a Mail Server for Certificate System Notifications”.
Customize the automatic job messages.

12.3.3. Configuration Parameters of certRenewalNotifier

Table 12.1, “certRenewalNotifier Parameters” gives details for each of these parameters that can be configured for the certRenewalNotifier job, either in the CS.cfg file or in the Certificate Manager Console.

Table 12.1. certRenewalNotifier Parameters

Parameter	Description
`enabled`	Specifies whether the job is enabled or disabled. The value `true` enables the job; `false` disables it.
`cron`	Sets the schedule when this job should be run. This sets the time at which the Job Scheduler daemon thread checks the certificates for sending renewal notifications. These settings must follow the conventions in Section 12.3.7, “Frequency Settings for Automated Jobs”. For example: 0 3 * * 1-5 The job in the example is run Monday through Friday at 3:00 pm.
`notifyTriggerOffset`	Sets how long (in days) before the certificate expiration date the first notification will be sent.
`notifyEndOffset`	Sets how long (in days) after the certificate expires that notifications will continue to be sent if the certificate is not replaced.
`senderEmail`	Sets the sender of the notification messages, who will be notified of any delivery problems.
`emailSubject`	Sets the text of the subject line of the notification message.
`emailTemplate`	Sets the path, including the filename, to the directory that contains the template to use to create the message content.
`summary.enabled`	Sets whether a summary report of renewal notifications should be compiled and sent. The value `true` enables sending the summary; `false` disables it. If enabled, set the remaining summary parameters; these are required by the server to send the summary report.
`summary.recipientEmail`	Specifies the recipients of the summary message. These can be agents who need to know the status of user certificates or other users. Set more than one recipient by separating each email address with a comma.
`summary.senderEmail`	Specifies the email address of the sender of the summary message.
`summary.emailSubject`	Gives the subject line of the summary message.
`summary.itemTemplate`	Gives the path, including the filename, to the directory that contains the template to use to create the content and format of each item to be collected for the summary report.
`summary.emailTemplate`	Gives the path, including the filename, to the directory that contains the template to use to create the summary report email notification.

12.3.4. Configuration Parameters of requestInQueueNotifier

Table 12.2, “requestInQueueNotifier Parameters” gives details for each of these parameters that can be configured for the requestInQueueNotifier job, either in the CS.cfg file or in the Certificate Manager Console.

Table 12.2. requestInQueueNotifier Parameters

Parameter	Description
`enabled`	Sets whether the job is enabled (`true`) or disabled (`false`).
`cron`	Sets the time schedule for when the job should run. This is the time at which the Job Scheduler daemon thread checks the queue for pending requests. This setting must follow the conventions in Section 12.3.7, “Frequency Settings for Automated Jobs”. For example: 0 0 * * 0
`subsystemid`	Specifies the subsystem which is running the job. The only possible value is `ca`, for the Certificate Manager.
`summary.enabled`	Specifies whether a summary of the job accomplished should be compiled and sent. The value `true` enables the summary reports; `false` disables them. If enabled, set the remaining summary parameters; these are required by the server to send the summary report.
`summary.emailSubject`	Sets the subject line of the summary message.
`summary.emailTemplate`	Specifies the path, including the filename, to the directory containing the template to use to create the summary report.
`summary.senderEmail`	Specifies the sender of the notification message, who will be notified of any delivery problems.
`summary.recipientEmail`	Specifies the recipients of the summary message. These can be agents who need to process pending requests or other users. More than one recipient can be listed by separating each email address with a comma.

12.3.5. Configuration Parameters of publishCerts

Table 12.3, “publishCerts Parameters” gives details for each of these parameters that can be configured for the publishCerts job, either in the CS.cfg file or in the Certificate Manager Console.

Table 12.3. publishCerts Parameters

Parameter	Description
`enabled`	Sets whether the job is enabled. The value `true` is enabled; `false` is disabled.
`cron`	Sets the time schedule for when the job runs. This is the time the Job Scheduler daemon thread checks the certificates to removing expired certificates from the publishing directory. This setting must follow the conventions in Section 12.3.7, “Frequency Settings for Automated Jobs”. For example: 0 0 * * 6
`summary.enabled`	Specifies whether a summary of the certificates published by the job should be compiled and sent. The value `true` enables the summaries; `false` disables them. If enabled, set the remaining summary parameters; these are required by the server to send the summary report.
`summary.emailSubject`	Gives the subject line of the summary message.
`summary.emailTemplate`	Specifies the path, including the filename, to the directory containing the template to use to create the summary report.
`summary.itemTemplate`	Specifies the path, including the filename, to the directory containing the template to use to create the content and format of each item collected for the summary report.
`summary.senderEmail`	Specifies the sender of the summary message, who will be notified of any delivery problems.
`summary.recipientEmail`	Specifies the recipients of the summary message. These can be agents who need to know the status of user certificates or other users. More than one recipient can be set by separating each email address with a comma.

12.3.6. Configuration Parameters of unpublishExpiredCerts

Table 12.4, “unpublishExpiredCerts Parameters” gives details for each of these parameters that can be configured for the unpublishedExpiresCerts job, either in the CS.cfg file or in the Certificate Manager Console.

Table 12.4. unpublishExpiredCerts Parameters

Parameter	Description
`enabled`	Sets whether the job is enabled. The value `true` is enabled; `false` is disabled.
`cron`	Sets the time schedule for when the job runs. This is the time the Job Scheduler daemon thread checks the certificates to removing expired certificates from the publishing directory. This setting must follow the conventions in Section 12.3.7, “Frequency Settings for Automated Jobs”. For example: 0 0 * * 6
`summary.enabled`	Specifies whether a summary of the certificates published by the job should be compiled and sent. The value `true` enables the summaries; `false` disables them. If enabled, set the remaining summary parameters; these are required by the server to send the summary report.
`summary.emailSubject`	Gives the subject line of the summary message.
`summary.emailTemplate`	Specifies the path, including the filename, to the directory containing the template to use to create the summary report.
`summary.itemTemplate`	Specifies the path, including the filename, to the directory containing the template to use to create the content and format of each item collected for the summary report.
`summary.senderEmail`	Specifies the sender of the summary message, who will be notified of any delivery problems.
`summary.recipientEmail`	Specifies the recipients of the summary message. These can be agents who need to know the status of user certificates or other users. More than one recipient can be set by separating each email address with a comma.

12.3.7. Frequency Settings for Automated Jobs

The Job Scheduler uses a variation of the Unix crontab entry format to specify dates and times for checking the job queue and executing jobs. As shown in Table 12.5, “Time Values for Scheduling Jobs” and Figure 12.1, “Job Configuration”, the time entry format consists of five fields. (The sixth field specified for the Unix crontab is not used by the Job Scheduler.) Values are separated by spaces or tabs.

Each field can contain either a single integer or a pair of integers separated by a hyphen (-) to indicate an inclusive range. To specify all legal values, a field can contain an asterisk rather than an integer. Day fields can contain a comma-separated list of values. The syntax of this expression is

Minute Hour Day_of_month Month_of_year Day_of_week

Table 12.5. Time Values for Scheduling Jobs

Field	Value
Minute	0-59
Hour	0-23
Day of month	1-31
Month of year	1-12
Day of week	0-6 (where 0=Sunday)

For example, the following time entry specifies every hour at 15 minutes (1:15, 2:15, 3:15, and so on):

15 * * * *

The following example sets a job to run at noon on April 12:

0 12 12 4 *

The day-of-month and day-of-week options can contain a comma-separated list of values to specify more than one day. If both day fields are specified, the specification is inclusive; that is, the day of the month is not required to fall on the day of the week to be valid. For example, the following entry specifies a job execution time of midnight on the first and fifteenth of every month and on every Monday:

0 0 1,15 * 1

To specify one day type without the other, use an asterisk in the other day field. For example, the following entry runs the job at 3:15 a.m. every weekday morning:

15 3 * * 1-5

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

12.3. Setting up Specific Jobs

12.3.1. Configuring Specific Jobs Using the Certificate Manager Console

12.3.2. Configuring Jobs by Editing the Configuration File

12.3.3. Configuration Parameters of certRenewalNotifier

12.3.4. Configuration Parameters of requestInQueueNotifier

12.3.5. Configuration Parameters of publishCerts

12.3.6. Configuration Parameters of unpublishExpiredCerts

12.3.7. Frequency Settings for Automated Jobs

Language and Page Formatting Options

12.3. Setting up Specific Jobs

12.3.1. Configuring Specific Jobs Using the Certificate Manager Console

12.3.2. Configuring Jobs by Editing the Configuration File

12.3.3. Configuration Parameters of certRenewalNotifier

12.3.4. Configuration Parameters of requestInQueueNotifier

12.3.5. Configuration Parameters of publishCerts

12.3.6. Configuration Parameters of unpublishExpiredCerts

12.3.7. Frequency Settings for Automated Jobs