11.2. Lightweight Sub-CAs
With the default settings, you can create lightweight sub-CAs. They let you configure services, such as virtual private network (VPN) gateways, to accept only certificates issued by one sub-CA, while other services accept only certificates issued by a different sub-CA or by the root CA.
If you revoke the intermediate certificate of a sub-CA, all certificates issued by that sub-CA become invalid, because their chain can no longer be validated. Relying parties only notice this if they check the revocation status (CRL or OCSP) of the intermediate certificate, so make sure that revocation checking is enabled on the services that trust the sub-CA.
When you set up the CA subsystem in Certificate System, it is automatically the root CA. All sub-CAs you create are subordinate to this root CA.
11.2.1. Setting up a Lightweight Sub-CA
Depending on your environment, the installation of a sub-CA differs:
- If the parent CA is a Red Hat Certificate System instance and the sub-CA will join the parent’s security domain, see http://www.dogtagpki.org/wiki/Installing_Subordinate_CA.
- If the parent CA is not a Red Hat Certificate System instance, or if the sub-CA will not join the parent’s security domain, see http://www.dogtagpki.org/wiki/Installing_CA_with_Externaly-Signed_CA_Certificate.
11.2.2. Disabling the Creation of Lightweight Sub-CAs
In certain situations, administrators want to prevent lightweight sub-CAs from being created. To prevent adding, modifying, or removing sub-CAs, enter the following command on the Directory Server instance used by Certificate System, where instance_name is the suffix of the CA subsystem's database:
# ldapmodify -D "cn=Directory Manager" -W -x -h server.example.com
dn: cn=aclResources,o=instance_name
changetype: modify
delete: resourceACLS
resourceACLS: certServer.ca.authorities:create,modify:allow (create,modify) group="Administrators":Administrators may create and modify lightweight authorities
-
delete: resourceACLS
resourceACLS: certServer.ca.authorities:delete:allow (delete) group="Administrators":Administrators may delete lightweight authorities
This command removes the two default Access Control List (ACL) entries that grant the permissions to manage sub-CAs. An LDAP delete of a specific attribute value only succeeds if the value matches the stored value exactly, so copy the resourceACLS values verbatim.
Note
If the default ACLs related to lightweight sub-CA creation have been modified, or if additional ACLs granting these permissions have been added, remove those values as well; the delete operation above only matches the unmodified defaults.
11.2.3. Re-enabling the Creation of Lightweight Sub-CAs
If you previously disabled the creation of lightweight sub-CAs, you can re-enable the feature by entering the following command on the Directory Server instance used by Certificate System:
# ldapmodify -D "cn=Directory Manager" -W -x -h server.example.com
dn: cn=aclResources,o=instance_name
changetype: modify
add: resourceACLS
resourceACLS: certServer.ca.authorities:create,modify:allow (create,modify) group="Administrators":Administrators may create and modify lightweight authorities
resourceACLS: certServer.ca.authorities:delete:allow (delete) group="Administrators":Administrators may delete lightweight authorities
This command adds the default Access Control List (ACL) entries that grant the permissions to manage sub-CAs.
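The following script is an added example, not part of the Red Hat Certificate System documentation or of the product itself. It wraps the two ldapmodify procedures from sections 11.2.2 and 11.2.3 in shell functions that generate the LDIF (so it can be reviewed before it is sent), apply it with ldapmodify, and verify the result with ldapsearch. The host name server.example.com, the bind DN cn=Directory Manager and the suffix o=instance_name are placeholders taken from the page; the two resourceACLS values are the defaults shown above.

```shell
#!/bin/sh
# Added example (not from the Certificate System documentation): disable and
# re-enable lightweight sub-CA management by removing or restoring the default
# ACLs in cn=aclResources, then verify. Host, bind DN and suffix are assumed
# placeholders; adjust them for your deployment.

# The two default ACL values, exactly as stored in cn=aclResources (from the
# page). An LDAP delete of a specific value must match the stored value byte
# for byte, so a locally modified ACL will not be removed by these strings.
ACL_CREATE_MODIFY='certServer.ca.authorities:create,modify:allow (create,modify) group="Administrators":Administrators may create and modify lightweight authorities'
ACL_DELETE='certServer.ca.authorities:delete:allow (delete) group="Administrators":Administrators may delete lightweight authorities'

# Print the LDIF that removes both ACL values (section 11.2.2).
# $1 = CA database suffix, for example o=instance_name (placeholder).
lwca_disable_ldif() {
    printf '%s\n' \
        "dn: cn=aclResources,$1" \
        "changetype: modify" \
        "delete: resourceACLS" \
        "resourceACLS: $ACL_CREATE_MODIFY" \
        "-" \
        "delete: resourceACLS" \
        "resourceACLS: $ACL_DELETE" \
        ""
}

# Print the LDIF that restores both ACL values (section 11.2.3).
# $1 = CA database suffix.
lwca_enable_ldif() {
    printf '%s\n' \
        "dn: cn=aclResources,$1" \
        "changetype: modify" \
        "add: resourceACLS" \
        "resourceACLS: $ACL_CREATE_MODIFY" \
        "resourceACLS: $ACL_DELETE" \
        ""
}

# Apply LDIF read from stdin as the given bind DN; -W prompts for the password.
# $1 = Directory Server host, $2 = bind DN.
lwca_apply() {
    ldapmodify -x -h "$1" -D "$2" -W
}

# Count how many of the two lightweight-authority management ACLs are present.
# Expected: 2 when enabled, 0 when disabled. ldapsearch folds long values onto
# continuation lines, but the resource name and permission list fit on the
# first line of each value, so counting matching lines counts values.
# $1 = host, $2 = bind DN, $3 = suffix.
lwca_acl_count() {
    ldapsearch -x -LLL -h "$1" -D "$2" -W \
        -b "cn=aclResources,$3" -s base resourceACLS \
    | grep -E -c 'certServer\.ca\.authorities:(create,modify|delete):'
}

# Usage (run on the Directory Server used by Certificate System):
#   lwca_disable_ldif o=instance_name | lwca_apply server.example.com 'cn=Directory Manager'
#   lwca_acl_count server.example.com 'cn=Directory Manager' o=instance_name   # expect 0
#   lwca_enable_ldif  o=instance_name | lwca_apply server.example.com 'cn=Directory Manager'
#   lwca_acl_count server.example.com 'cn=Directory Manager' o=instance_name   # expect 2
```

Generating the LDIF separately from applying it lets you diff the text against the stored values (ldapsearch on cn=aclResources) before the delete, which is where a modified default ACL would otherwise cause ldapmodify to fail with a "no such attribute" error.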