8.3. Highlighted Updates and New Features

Red Hat Certificate System 9.0 on Red Hat Enterprise Linux 7.1 requires packages from the Optional repository

When the Red Hat Certificate System 9.0 layered product is deployed on Red Hat Enterprise Linux 7.1, it requires access to packages that only exist in the Red Hat Enterprise Linux Optional repository. These are the required packages:
    resteasy-base-client >= 3.0.6-1 is needed by pki-base-10.2.4-2.el7.noarch
    resteasy-base-jackson-provider >= 3.0.6-1 is needed by pki-base-10.2.4-2.el7.noarch
    libsvrcore.so.0()(64bit) is needed by pki-tps-10.2.4-2.el7.x86_64
    jss-javadoc >= 4.2.6-35 is needed by redhat-pki-10.2.4-1.el7.noarch
    nuxwdog-client-java >= 1.0.1-11 is needed by pki-server-10.2.4-2.el7.noarch

Note

As of Red Hat Enterprise Linux 7.2, these packages will be included among the common dependencies, which eliminates the need to enable the Optional repository.
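A small helper for the situation described above, added here as an example and not taken from the release notes: it turns the "is needed by" dependency messages into bare capability names, asks rpm which of them the system already provides, and wraps the step that enables the Optional repository. The five sample lines are the ones quoted above; the repository id rhel-7-server-optional-rpms is an assumption and should be checked with "subscription-manager repos --list".

```shell
#!/bin/sh
# Added example (not from the release notes): derive bare capability names
# from rpm/yum "is needed by" messages and check which ones are unprovided.

# Constructed sample: the five dependency messages quoted in the text above.
SAMPLE_DEPS='resteasy-base-client >= 3.0.6-1 is needed by pki-base-10.2.4-2.el7.noarch
resteasy-base-jackson-provider >= 3.0.6-1 is needed by pki-base-10.2.4-2.el7.noarch
libsvrcore.so.0()(64bit) is needed by pki-tps-10.2.4-2.el7.x86_64
jss-javadoc >= 4.2.6-35 is needed by redhat-pki-10.2.4-1.el7.noarch
nuxwdog-client-java >= 1.0.1-11 is needed by pki-server-10.2.4-2.el7.noarch'

# capability_names: read dependency messages on stdin, print one bare
# capability per line. The version constraint (">= 3.0.6-1") is dropped
# because "rpm -q --whatprovides" takes a capability name, not a range;
# shared-library capabilities such as libsvrcore.so.0()(64bit) are kept whole.
capability_names() {
    sed -n 's/ is needed by .*$//p' | awk '{ print $1 }'
}

# missing_capabilities: print the capabilities that no installed package
# provides. Uses rpm when it is available; on a host without rpm every
# capability is reported, so the caller still sees the full list.
missing_capabilities() {
    capability_names | while IFS= read -r cap; do
        if command -v rpm >/dev/null 2>&1 && rpm -q --whatprovides "$cap" >/dev/null 2>&1; then
            continue
        fi
        printf '%s\n' "$cap"
    done
}

# enable_optional_repo: on RHEL 7 Server the Optional repository is enabled
# through subscription-manager. The repository id used here is an assumption;
# confirm it with "subscription-manager repos --list".
enable_optional_repo() {
    subscription-manager repos --enable=rhel-7-server-optional-rpms
}

# Usage, guarded so the file can also be sourced for its functions:
#   sh check_optional_deps.sh check
if [ "${1:-}" = "check" ]; then
    printf '%s\n' "$SAMPLE_DEPS" | missing_capabilities
fi
```

Run the check before and after enabling the repository and installing the listed packages; an empty result means every capability the pki packages ask for is now provided.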

A New pki Command-line Utility

Red Hat Certificate System 9 introduces a new pki command-line utility that provides an interface to access PKI services on a PKI server. The main purpose of the utility is to:
  • make commonly used CA and KRA functionality available from the command line, both for end users and for simple scripting and automation.
  • allow the new REST API operations to be used from the command line.
For more information about the pki utility, see the pki man page.

Simplified Installation and Deployment

Several new features for simplified installation and deployment have been introduced in Red Hat Certificate System 9.0 to provide the following functions:
  • Silent installation is simplified by using INI-like configuration files instead of command-line arguments.
  • Instance creation and configuration can be performed in a single automated operation.
  • Multiple subsystems can be deployed in a single Tomcat instance.
For more information about the improvements to installation and deployment, see the pkispawn man page.

Technology Preview: Global Platform 2.1.1 in TPS

Note

This feature is offered as a Technology Preview: it provides early access to upcoming product functionality and is not yet fully supported under subscription agreements.
The latest version of Global Platform has been included and is supported in the version of TPS that ships with Red Hat Certificate System 9. TPS can now provision cards that support newer versions of Global Platform and the latest cryptographic operations. In particular, the gp211 applet has been introduced, which provides support for Secure Channel Protocol 02 (SCP02). SCP02 has been tested with the SafeNet Assured Technologies Smart Card 650.

REST Web Service APIs

Red Hat Certificate System 9 provides a new set of REST APIs to access various web services of the Certificate System. It also provides Java and Python client libraries to allow easier integration with other applications.

Technology Preview: New Java-based Token Processing System

Note

This feature is offered as a Technology Preview: it provides early access to upcoming product functionality and is not yet fully supported under subscription agreements.
Red Hat Certificate System 9 replaces the Apache HTTPD-based TPS with a Java Tomcat-based TPS. The new Java-based TPS retains feature parity with the existing C-based implementation and provides a new user interface for better user experience.

KRA Enhancements

Previously, the Key Recovery Authority (KRA) only archived private (asymmetric) encryption keys when certificates were enrolled using certain profiles in the CA. In Red Hat Certificate System 9, the KRA has been extended to archive other types of secrets, such as passphrases or symmetric keys. These secrets can be archived and retrieved by agents contacting the new KRA REST interfaces directly.
This capability allows the KRA to function as a secure and audited vault for all kinds of secrets. In fact, the KRA serves as the secure back-end store for the Vault feature in Red Hat Identity Management.
In addition, the KRA's ability to generate and archive asymmetric keys, which supports server-side key generation for TMS workflows, has been extended to allow the generation of symmetric keys. This feature has also been exposed through the KRA REST interface.

Support for KRA Transport Key Rotation

Employing transport key rotation in a large enterprise environment with cloned Certificate System instances used to be impractical, because the transition required shutdowns. Red Hat Certificate System 9 introduces a KRA transport key rotation feature that allows a seamless transition between CA/KRA subsystem instances using a current and a new transport key. KRA transport keys can therefore be rotated periodically for enhanced security: both the old and the new transport key remain operational during the transition, and individual subsystem instances take turns being reconfigured while the other clones continue to serve requests with no downtime.

External Authorization LDAP Server

Red Hat Certificate System 9 introduces an "External Authorization" mechanism that works in conjunction with directory-based authentication during enrollment. When a directory-based authentication method is defined, new parameters governing the group evaluation of users can also be defined. This extends authentication with authorization, so that, if required, enrollment through a given profile can be restricted to users who belong to specific groups defined in the external authentication/authorization LDAP server.

Adding SAN to a Server Certificate during Installation

Previously, administrators had no control over the Subject Alternative Name (SAN) extension used for system SSL certificates. In this release, a new feature allows administrators to specify a SAN extension in the pkispawn configuration.
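The two pkispawn-related items on this page, the INI-style deployment file from "Simplified Installation and Deployment" and the SAN setting from this section, come together in the following added example. It is not code from the release notes or from the pki project: it writes a deployment file for a single CA subsystem with a SAN injected into the server certificate, checks that the SAN settings are present, and runs pkispawn against the file. The parameter names (pki_san_inject, pki_san_for_server_cert and the others) are as I know them from the pkispawn man page and the shipped default configuration; confirm them against the installed version before relying on this. All host names, passwords and ports are placeholders.

```shell
#!/bin/sh
# Added example (not from the release notes): build a pkispawn deployment
# file for a CA with a SAN on the system SSL server certificate and deploy it.
# Parameter names follow pkispawn(8) as understood here; verify them locally.

# write_ca_deployment_config FILE HOSTNAME SAN_LIST
#   SAN_LIST is comma-separated, e.g. "DNS:ca.example.com,DNS:pki.example.com".
write_ca_deployment_config() {
    file=$1; host=$2; san=$3
    cat > "$file" <<EOF
[DEFAULT]
pki_instance_name=pki-tomcat
pki_https_port=8443
pki_http_port=8080
pki_hostname=$host

# Administrator and client credentials (placeholder values)
pki_admin_password=CHANGE_ME_ADMIN
pki_admin_email=caadmin@example.com
pki_client_database_password=CHANGE_ME_CLIENTDB
pki_client_pkcs12_password=CHANGE_ME_PKCS12
pki_security_domain_password=CHANGE_ME_SECDOMAIN

# Internal directory server used by the subsystem (placeholder host)
pki_ds_hostname=ds.example.com
pki_ds_ldap_port=389
pki_ds_password=CHANGE_ME_DS

# Subject Alternative Name for the system SSL server certificate
pki_san_inject=True
pki_san_for_server_cert=$san

[CA]
pki_ds_base_dn=o=pki-tomcat-CA
EOF
    chmod 600 "$file"   # the file carries passwords; keep it owner-readable only
}

# config_has_san FILE: return 0 only if both SAN keys are present, so a typo
# in the file is caught before pkispawn silently issues a certificate without
# the extension.
config_has_san() {
    grep -q '^pki_san_inject=True$' "$1" && grep -q '^pki_san_for_server_cert=.' "$1"
}

# deploy_ca FILE: create and configure the CA instance in one operation.
deploy_ca() {
    pkispawn -s CA -f "$1"
}

# Usage, guarded so the functions can be sourced without side effects:
#   sh deploy_ca_with_san.sh deploy
if [ "${1:-}" = "deploy" ]; then
    cfg=/root/ca.cfg
    write_ca_deployment_config "$cfg" ca.example.com "DNS:ca.example.com,DNS:pki.example.com"
    config_has_san "$cfg" && deploy_ca "$cfg"
fi
```

After deployment, inspect the server certificate in the instance's NSS database to confirm that the names listed in pki_san_for_server_cert appear in its Subject Alternative Name extension.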

Common Criteria Evaluation

Red Hat Certificate System 9 has not yet been evaluated for Common Criteria.

The PKI Configuration Has Been Removed from the GUI-based Installation Wizard

Previously, Certificate System provided a web interface for the public key infrastructure (PKI) configuration. Due to unclear support of features associated with the GUI in Firefox, the PKI configuration has been removed from Red Hat Certificate System 9.0. To install and configure PKI instances, use the pkispawn utility.