Chapter 5. Red Hat Certificate System 9.3

This section describes changes in Red Hat Certificate System 9.3.

5.1. Supported Platforms

This section describes the different server platforms, hardware, tokens, and software supported by Red Hat Certificate System 9.3.

5.1.1. Server Support

Running the Certificate Authority (CA), Key Recovery Authority (KRA), Online Certificate Status Protocol (OCSP), Token Key Service (TKS), and Token Processing System (TPS) subsystems of Certificate System 9.3 is supported on Red Hat Enterprise Linux 7.5 and later. The supported Directory Server version is 10.2 and later.

Note

Certificate System 9.3 is supported running on a Red Hat Enterprise Linux virtual guest on a certified hypervisor. For details, see the Which hypervisors are certified to run Red Hat Enterprise Linux? solution article.

5.1.2. Client Support

The Enterprise Security Client (ESC) is supported on:
  • Red Hat Enterprise Linux 7.
  • The latest versions of Red Hat Enterprise Linux 5 and 6.
    Although these platforms do not support Red Hat Certificate System 9.3, clients running on them can be used with the Token Management System (TMS) in Red Hat Certificate System 9.3.

5.1.3. Supported Web Browsers

Certificate System 9.3 supports the following browsers:

Table 5.1. Supported Web Browsers by Platform

Platform                   Agent Services             End User Pages
Red Hat Enterprise Linux   Firefox 52 and later [a]   Firefox 52 and later [a]
Windows 7                  Firefox 52 and later [a]   Firefox 52 and later
                                                      Internet Explorer 10 [b]

[a] This Firefox version no longer supports the crypto web object used to generate and archive keys from the browser. As a result, expect limited functionality in this area.
[b] Internet Explorer 11 is currently not supported by Red Hat Certificate System 9 because the enrollment code for this web browser depends upon Visual Basic Script, which has been deprecated in Internet Explorer 11.

Note

The only fully-supported browser for the HTML-based instance configuration is Mozilla Firefox.

5.1.4. Supported Smart Cards

The Enterprise Security Client (ESC) supports Global Platform 2.01-compliant smart cards and JavaCard 2.1 or higher.
The Certificate System subsystems have been tested using the following tokens:
  • Gemalto TOP IM FIPS CY2 64K token (SCP01)
  • Giesecke & Devrient (G&D) SmartCafe Expert 6.0 (SCP03)
  • SafeNet Assured Technologies SC-650 (SCP01)
The only card manager applet supported with Certificate System is the CoolKey applet, which is part of the pki-tps package in Red Hat Certificate System.

5.1.5. Supported Hardware Security Modules

The following table lists Hardware Security Modules (HSM) supported by Red Hat Certificate System:
HSM                                    Firmware   Appliance Software                 Client Software
Thales nCipher nShield Connect 6000    2.61.2     CipherTools-linux64-dev-12.30.00   CipherTools-linux64-dev-12.30.00
Gemalto SafeNet Luna SA 1700 / 7000    6.24.0     6.2.0-15                           libcryptoki-6.2.x86_64
(Limited support [a])

5.1.5.1. Gemalto SafeNet Luna SA 1700 / 7000 (limited)

This section provides information on supported features when using the Gemalto SafeNet Luna SA 1700 / 7000 HSM.
Gemalto SafeNet Luna SA supports PKI private key extraction only in its CKE - Key Export model, and only when that model is running in non-FIPS mode. The Luna SA Cloning model does not support PKI private key extraction at all, and neither does the CKE - Key Export model when it is in FIPS mode.
CL - Cloning Model
  • Cloning of symmetric keys and objects: Possible to other Luna SAs/G5 or Luna Backup HSM
  • Cloning of asymmetric (private) keys and objects: Possible to other Luna SAs/G5 or Luna Backup HSM
  • Replication of symmetric keys and objects: All symmetric keys and objects are replicated when configured in an HA group
  • Replication of asymmetric keys and objects: All asymmetric keys and objects are replicated when configured in an HA group
  • Wrapping private (asymmetric) keys off the HSM: Not possible
Figure 5.1. Example of a Cloning Model

CKE - Key Export Model
  • Cloning of symmetric keys and objects: Possible to other Luna SAs/G5 or Luna Backup HSM
  • Cloning of asymmetric (private) keys and objects: Not possible
  • Replication of symmetric keys and objects: All symmetric keys and objects are replicated when configured in an HA group
  • Replication of asymmetric keys and objects: Not possible
  • Wrapping private (asymmetric) keys off the HSM: Possible
Figure 5.2. Example of a Key Export Model