7.10. Post-installation Tasks
Once installation using the
pkispawnutility is complete, further steps could be taken to customize the configuration, depending on the site's preferences. These are described in Part III, “Configuring Certificate System”.
This section provides a list of operations from Part III, “Configuring Certificate System” which are suggested for improving the security for the deployment.
7.10.1. Setting Date/Time for RHCS
It is important to have the time set up correctly for running RHCS; see the Setting Time and Date section in the Red Hat Certificate System Administration Guide.
7.10.2. Replacing a Temporary Self-Signed Certificate in Directory Server (CA)
If the internal LDAP server was initially created with a temporary self-signed server certificate, refer to Section 6.5.4, “Replacing the Temporary Certificate” to replace it with a new certificate issued by the CA you just installed.
7.10.3. Enabling TLS Client Authentication for the Internal LDAP Server
Red Hat Certificate System can communicate with its internal LDAP server via TLS mutual authentication. For further details, see Section 6.5.5, “Enabling TLS Client Authentication”.
7.10.4. Configuring Session Timeout
Various timeout configurations exist on the system that could affect how long a TLS session is allowed to remain idle before termination. For details, see Section 13.4.2, “Session Timeout”.
7.10.5. CRL or Certificate Publishing
CRL publishing is critical in providing OCSP service. Certificate publishing is optional but often desired by sites. For details, see the Publishing Certificates and CRLs section in the Red Hat Certificate System Administration Guide.
7.10.6. Configuring Certificate Enrollment Profiles (CA)
RHCS has a rich profile framework that allows for customization of the certificate enrollment profiles. It is very common for a site to enable/disable default profiles that come with the system, or modify existing profiles, or create their own profiles. For details, see Chapter 15, Certificate Profiles Configuration.
7.10.7. Enabling Access Banner
To enable user interface banners, refer to Section 13.7.1, “Enabling an Access Banner”.
7.10.8. Enabling the Watchdog Service
The watchdog (
nuxwdog) service provides secure system password management. For details, see Section 126.96.36.199, “Enabling the Watchdog Service”.
7.10.9. Configuration for CMC Enrollment and Revocation (CA)
Certificate enrollments and revocation can be done via CMC.
- For details about enabling the CMC Shared Token Feature, see Section 13.8.3, “Enabling the CMC Shared Secret Feature”.
- For details about enabling the
PopLinkWittnessfeature, see Section 13.8.2, “Enabling the
- For details about enabling
CMCRevokefor the web user interface, see Section 13.8.4, “Enabling CMCRevoke for the Web User Interface”.
7.10.10. TLS client-authentication for the Java Console
To require Certificate System administrators to present a user TLS client certificate when logging into the Java console, see Section 188.8.131.52, “Setting Requirement for
pkiconsoleto use TLS Client Certificate Authentication”.
7.10.11. Creating a Role User
Create real role users so that you can remove the bootstrap user.
To create users and assign them to different privileged roles to manage Certificate System, see Chapter 18, Creating a Role User.
7.10.12. Removing the Bootstrap User
Once the real role users are created, the bootstrap user that was created automatically during the installation is not needed anymore. To delete this account, see Chapter 19, Deleting the Bootstrap User after making sure you created a new administrator account assigned to an individual person.
7.10.13. Disabling Multi-role Support
To disable the multi-role support once the bootstrap user is removed, see Section 19.1, “Disabling Multi-roles Support”.
7.10.14. KRA Configurations
184.108.40.206. Adding Requirement for Multiple Agent Approval for Key Recovery Authority (KRA)
To set up a requirement for multiple KRA agents to approve key recovery, see the Configuring Agent-Approved Key Recovery in the Command Line section in the Red Hat Certificate System Administration Guide.
220.127.116.11. Configuring KRA Encryption Settings
To configure key encryption/wrapping algorithms, see Section 16.2, “Encryption Of KRA Operations”.
7.10.15. Setting up Users to use User Interfaces
Before a user could use an approved user interface, initialization needs to be performed. Users (administrative roles or otherwise) are required to setup their clients for accessing the user interface. See the Client NSS Database Initialization section in the Red Hat Certificate System Administration Guide.