7.10. Post-installation Tasks

It is important to have the time set up correctly for running RHCS; see the Setting Time and Date section in the Red Hat Certificate System Administration Guide.

If the internal LDAP server was initially created with a temporary self-signed server certificate, refer to Section 6.5.3, “Replacing the Temporary Certificate” to replace it with a new certificate issued by the CA you just installed.

Red Hat Certificate System can communicate with its internal LDAP server via TLS mutual authentication. For further details, see Section 6.5.4, “Enabling TLS Client Authentication”.

Various timeout configurations exist on the system that could affect how long a TLS session is allowed to remain idle before termination. For details, see Section 13.4.2, “Session Timeout”.

CRL publishing is critical in providing OCSP service. Certificate publishing is optional but often desired by sites. For details, see the Publishing Certificates and CRLs section in the Red Hat Certificate System Administration Guide.

RHCS has a rich profile framework that allows for customization of the certificate enrollment profiles. It is very common for a site to enable/disable default profiles that come with the system, or modify existing profiles, or create their own profiles. For details, see Chapter 15, Certificate Profiles Configuration.

To enable user interface banners, refer to Section 13.7.1, “Enabling an Access Banner”.

The watchdog (nuxwdog) service provides secure system password management. For details, see Section 13.3.2.1, “Enabling the Watchdog Service”.

Certificate enrollments and revocation can be done via CMC.

To require Certificate System administrators to present a user TLS client certificate when logging into the Java console, see Section 13.2.3.15, “Setting Requirement for pkiconsole to use TLS Client Certificate Authentication”.

Create real role users so that you can remove the bootstrap user.

To create users and assign them to different privileged roles to manage Certificate System, see Chapter 18, Creating a Role User.

Once the real role users are created, the bootstrap user that was created automatically during the installation is not needed anymore. To delete this account, see Chapter 19, Deleting the Bootstrap User after making sure you created a new administrator account assigned to an individual person.

To disable the multi-role support once the bootstrap user is removed, see Section 19.1, “Disabling Multi-roles Support”.

Before a user could use an approved user interface, initialization needs to be performed. Users (administrative roles or otherwise) are required to setup their clients for accessing the user interface. See the Client NSS Database Initialization section in the Red Hat Certificate System Administration Guide.