7.3. Highlighted Updates and New Features

Red Hat Certificate System 9.1 has introduced the following new features and important updates:


Note that this document only contains release notes for features which are not available in the base Red Hat Enterprise Linux 7.3 release. Many of the new features in Red Hat Certificate System are in the pki-core, and those are documented in Red Hat Enterprise Linux 7.3 Release Notes.

New Java-based Token Processing System

Red Hat Certificate System 9.1 replaces the Apache HTTPD-based Token Processing System (TPS) with a Java Tomcat-based TPS. The new Java-based TPS retains feature parity with the existing C-based implementation and provides a new user interface for better user experience.


This feature was offered as a Technology Preview in the previous release of Red Hat Certificate System. This release changes the feature status to fully supported.

Global Platform 2.1.1 in the Token Processing System

The latest version of Global Platform has been included and supported in the version of TPS that comes with Red Hat Certificate System 9. TPS is now able to provision cards that support newer versions of Global Platform and the latest cryptographic operations. In particular, the gp211 applet has been introduced that provides support for Secure Channel Protocol 02 (SCP02). SCP02 has been tested with SafeNet Assured Technologies Smart Card 650.


This feature was offered as a Technology Preview in the previous release of Red Hat Certificate System. This release changes the feature status to fully supported.

Certificate System now supports setting SSL ciphers for individual installation

Previously, if an existing Certificate Server had a customized cipher set that did not overlap with the default ciphers used during the installation, a new instance could not be installed to work with existing instances. With this update, Certificate System enables you to customize the SSL cipher using a two-step installation, which avoids this problem.
To set the ciphers during a Certificate System instance installation:
  1. Prepare a deployment configuration file that includes the pki_skip_configuration=True option.
  2. Pass the deployment configuration file to the pkispawn command to start the initial part of the installation.
  3. Set the ciphers in the sslRangeCiphers option in the /var/lib/pki/instance/conf/server.xml file. Replace instance with the instance name.
  4. Replace the pki_skip_configuration=True option set in the first step with pki_skip_installation=True in the deployment configuration file.
  5. Run the same pkispawn command to complete the installation.

Man pages updates

Man pages for many tools provided by Red Hat Certificate System 9 have been added, rewritten or significantly updated in this release. Important usage information that was previously published in the Red Hat Certificate System 9 Command-Line Tools Guide is now in man pages, ensuring access to this information on any system where Certificate System is installed, even without internet access. At the same time, the Command-Line Tools Guide is deprecated for Red Hat Certificate System 9.1 and will not be published on the Red Hat Customer Portal.

Certificate System now uses a specific JDK and version and no longer supports alternatives

Red Hat Certificate System 9.1 no longer relies on the system java selectable using the /usr/sbin/alternatives mechanism. Instead, Red Hat Certificate System 9.1 always uses its own specified JDK and version. For Red Hat Certificate System 9.1, this JDK is java-1.8.0-openjdk, and the version is 1:1.8.0.