Planning, Installation, and Deployment Guide (Common Criteria Edition)
14.2. Creating a PKI Role User in Certificate System

To create a PKI role user, see the Managing Certificate System Users and Groups section in the Red Hat Certificate System Administration Guide (Common Criteria Edition).