Administration Guide (Common Criteria Edition)

Part I. Red Hat Certificate System User Interfaces