3.6. Managing CA-Related Profiles
- Managing the CA signing certificate
- Defining issuance rules
3.6.1. Setting Restrictions on CA Certificates
- CA certificates must have the Basic Constraints extension.
- CA certificates must have the keyCertSign bit set in the Key Usage extension.
/var/lib/pki/instance_name/ca/conf/caCert.profile. This profile cannot be edited in
pkiconsole(since it is only available before the instance is configured). It is possible to edit the policies for this profile in the template file before the CA is configured using a text editor.
- If the profile is currently enabled, it must be disabled before it can be edited. Open the agent services page, select Manage Certificate Profiles from the left navigation menu, select the profile, and click Disable profile.
- Open the CA Console.
- In the left navigation tree of the Configuration tab, select Certificate Manager, then Certificate Profiles.
- Select caCACert, or the appropriate CA signing certificate profile, from the right window, and click Edit/View.
- In the Policies tab of the Certificate Profile Rule Editor, select and edit the Key Usage or Extended Key Usage Extension Default if it exists or add it to the profile.
- Select the Key Usage or Extended Key Usage Extension Constraint, as appropriate, for the default.
- Set the default values for the CA certificates. For more information, see Section B.1.14, “Key Usage Extension Default” and Section B.1.9, “Extended Key Usage Extension Default”.
- Set the constraint values for the CA certificates. There are no constraints to be set for a Key Usage extension; for an Extended Key Usage extension, set the appropriate OID constraints for the CA. For more information, see Section B.1.9, “Extended Key Usage Extension Default”.
- When the changes have been made to the profile, log into the agent services page again, and re-enable the certificate profile.
3.6.2. Changing the Restrictions for CAs on Issuing Certificates
- Whether certificates can be issued with validity periods longer than the CA signing certificate. The default is to disallow this.
- The signing algorithm used to sign certificates.
- The serial number range the CA is able to use to issue certificates.
- Open the Certificate System Console.
- Select the Certificate Manager item in the left navigation tree of the Configuration tab.
Figure 3.1. The General Settings Tab in non-subordinate CAs by default
- By default, in non-cloned CAs, the General Settings tab of the Certificate Manager menu item contains these options:
- Override validity nesting requirement. This checkbox sets whether the Certificate Manager can issue certificates with validity periods longer than the CA signing certificate validity period.If this checkbox is not selected and the CA receives a request with validity period longer than the CA signing certificate's validity period, it automatically truncates the validity period to end on the day the CA signing certificate expires.
- Certificate Serial Number. These fields display the serial number range for certificates issued by the Certificate Manager. The server assigns the serial number in the Next serial number field to the next certificate it issues and the number in the Ending serial number to the last certificate it issues.The serial number range allows multiple CAs to be deployed and balances the number of certificates each CA issues. The combination of an issuer name and a serial number uniquely identifies a certificate.
NoteThe serial number ranges with cloned CAs are fluid. All cloned CAs share a common configuration entry which defines the next available range. When one CA starts running low on available numbers, it checks this configuration entry and claims the next range. The entry is automatically updated, so that the next CA gets a new range.The ranges are defined in
end*Numberattributes, with separate ranges defined for requests and certificate serial numbers. For example:
dbs.beginRequestNumber=1 dbs.beginSerialNumber=1 dbs.enableSerialManagement=true dbs.endRequestNumber=9980000 dbs.endSerialNumber=ffe0000 dbs.ldap=internaldb dbs.newSchemaEntryAdded=true dbs.replicaCloneTransferNumber=5Serial number management can be enabled for CAs which are not cloned. However, by default, serial number management is disabled unless a system is cloned, when it is automatically enabled.The serial number range cannot be updated manually through the console. The serial number ranges are read-only fields.
- Default Signing Algorithm. Specifies the signing algorithm the Certificate Manager uses to sign certificates. The options are
SHA512withRSA, if the CA's signing key type is RSA.The signing algorithm specified in the certificate profile configuration overrides the algorithm set here.
- By default, in cloned CAs, the General Settings tab of the Certificate Manager menu item contains these options:
Select both check boxes.
- Enable serial number management
- Enable random certificate serial numbers
Figure 3.2. The General Settings Tab in cloned CAs by default
- Click Save.
3.6.3. Using Random Certificate Serial Numbers
- making part of the certificate serial number unpredictable to the attacker
- adding a randomly chosen component to the identity
- making the validity dates unpredictable to the attacker by skewing each one forwards or backwards
- works with cloning
- allows resolving conflicts
- is compatible with the current serial number management method
- is compatible with the current workflows for administrators, agents, and end entities
- fixes the existing bugs in sequential serial number management
126.96.36.199. Enabling Random Certificate Serial Numbers
- Tick the Enable serial number management option in the General Settings tab.
Figure 3.3. The General Settings Tab when Random Serial Number Assignment is enabled
- Tick the Enable random certificate serial numbers option.
3.6.4. Allowing a CA Certificate to Be Renewed Past the CA's Validity Period
bypassCAnotafter) which allows a CA certificate to be issued with a validity period that extends past the issuing CA's expiration (notAfter) date.
Figure 3.4. CA Validity Default Configuration
- Open the
- The CA Validity Default should be present by default. Set the value to
trueto allow a CA certificate to be renewed past the issuing CA's validity period.
policyset.caCertSet.2.default.name=CA Certificate Validity Default policyset.caCertSet.2.default.params.range=2922 policyset.caCertSet.2.default.params.startTime=0
- Restart the CA to apply the changes.
false, the constraint is enforced, even if
bypassCAnotafter=trueis set in the profile. If the agent selects true when the
bypassCAnotaftervalue is not enabled, then the renewal request is rejected by the CA.
Figure 3.5. Bypass CA Constraints Option in the Agent Services Page
ca.enablePastCATime, can be used to allow certificates to be renewed past the CA's validity period. However, this applies to every certificate issued by that CA. Because of the potential security issues, this setting is not recommended for production environments.