Chapter 7. Installing and Configuring Certificate System

Red Hat Certificate System provides different subsystems that can be installed individually. For example, you can install multiple subsystem instances on a single server or you can run them independently on different hosts. This enables you to adapt the installation to your environment to provide a higher availability, scalability, and fail-over support. This chapter describes the package installation and how to set up the individual subsystems.
The Certificate System includes the following subsystems:
  • Certificate Authority (CA)
  • Key Recovery Authority (KRA)
  • Online Certificate Status Protocol (OCSP) Responder
  • Token Key Service (TKS)
  • Token Processing System (TPS)
Each subsystem is installed and configured individually as a standalone Tomcat web server instance. However, Red Hat Certificate System additionally supports running a single shared Tomcat web server instance that can contain up to one of each subsystem.

7.1. Subsystem Configuration Order

The order in which the individual subsystems are set up is important because of relationships between the different subsystems:
  1. At least one CA running as a security domain is required before any of the other public key infrastructure (PKI) subsystems can be installed.
  2. Install the OCSP after the CA has been configured.
  3. The KRA, and TKS subsystems can be installed in any order, after the CA and OCSP have been configured.
  4. The TPS subsystem depends on the CA and TKS, and optionally on the KRA and OCSP subsystem.


In certain situations, administrators want to install a standalone KRA or OCSP which do not require a CA running as a security domain. For details, see Section 7.9, “Setting up a Standalone KRA or OCSP”.