7.10. Post-installation Tasks

Once installation using the pkispawn utility is complete, further steps could be taken to customize the configuration, depending on the site's preferences. These are described in Part III, “Configuring Certificate System”.
This section provides a list of operations from Part III, “Configuring Certificate System” which are suggested for improving the security for the deployment.

7.10.1. Setting Date/Time for RHCS

It is important to have the time set up correctly for running RHCS; see the Setting Time and Date section in the Red Hat Certificate System Administration Guide.

7.10.2. Replacing a Temporary Self-Signed Certificate in Directory Server (CA)

If the internal LDAP server was initially created with a temporary self-signed server certificate, refer to Section 6.5.4, “Replacing the Temporary Certificate” to replace it with a new certificate issued by the CA you just installed.

7.10.3. Enabling TLS Client Authentication for the Internal LDAP Server

Red Hat Certificate System can communicate with its internal LDAP server via TLS mutual authentication. For further details, see Section 6.5.5, “Enabling TLS Client Authentication”.

7.10.4. Configuring Session Timeout

Various timeout configurations exist on the system that could affect how long a TLS session is allowed to remain idle before termination. For details, see Section 13.4.2, “Session Timeout”.

7.10.5. CRL or Certificate Publishing

CRL publishing is critical in providing OCSP service. Certificate publishing is optional but often desired by sites. For details, see the Publishing Certificates and CRLs section in the Red Hat Certificate System Administration Guide.

7.10.6. Configuring Certificate Enrollment Profiles (CA)

RHCS has a rich profile framework that allows for customization of the certificate enrollment profiles. It is very common for a site to enable/disable default profiles that come with the system, or modify existing profiles, or create their own profiles. For details, see Chapter 15, Certificate Profiles Configuration.

7.10.7. Enabling Access Banner

To enable user interface banners, refer to Section 13.7.1, “Enabling an Access Banner”.

7.10.8. Enabling the Watchdog Service

The watchdog (nuxwdog) service provides secure system password management. For details, see Section 13.3.2.1, “Enabling the Watchdog Service”.

7.10.9. Configuration for CMC Enrollment and Revocation (CA)

Certificate enrollments and revocation can be done via CMC.

7.10.10. TLS client-authentication for the Java Console

To require Certificate System administrators to present a user TLS client certificate when logging into the Java console, see Section 13.2.3.15, “Setting Requirement for pkiconsole to use TLS Client Certificate Authentication”.

7.10.11. Creating a Role User

Create real role users so that you can remove the bootstrap user.
To create users and assign them to different privileged roles to manage Certificate System, see Chapter 18, Creating a Role User.

7.10.12. Removing the Bootstrap User

Once the real role users are created, the bootstrap user that was created automatically during the installation is not needed anymore. To delete this account, see Chapter 19, Deleting the Bootstrap User after making sure you created a new administrator account assigned to an individual person.

7.10.13. Disabling Multi-role Support

To disable the multi-role support once the bootstrap user is removed, see Section 19.1, “Disabling Multi-roles Support”.

7.10.14. KRA Configurations

7.10.14.1. Adding Requirement for Multiple Agent Approval for Key Recovery Authority (KRA)

To set up a requirement for multiple KRA agents to approve key recovery, see the Configuring Agent-Approved Key Recovery in the Command Line section in the Red Hat Certificate System Administration Guide.

7.10.14.2. Configuring KRA Encryption Settings

To configure key encryption/wrapping algorithms, see Section 16.2, “Encryption Of KRA Operations”.

7.10.15. Setting up Users to use User Interfaces

Before a user could use an approved user interface, initialization needs to be performed. Users (administrative roles or otherwise) are required to setup their clients for accessing the user interface. See the Client NSS Database Initialization section in the Red Hat Certificate System Administration Guide.