Chapter 1. Agent Services

This chapter describes the role of the privileged users, agents, in managing Certificate System subsystems. It also introduces the tools that agents use to administer service requests.

1.1. Overview of Certificate System

The Red Hat Certificate System is a highly configurable set of software components and tools for creating, deploying, and managing certificates. The standards and services that facilitate the use of public-key cryptography and X.509 version 3 certificates in a networked environment are collectively called the public-key infrastructure (PKI) for that environment. In any PKI, a certificate authority (CA) is a trusted entity that issues, renews, and revokes certificates. An end entity is a person, server, or other entity that uses a certificate to identify itself.
To participate in a PKI, an end entity must enroll, or register, in the system. The end entity typically initiates enrollment by giving the CA some form of identification and a newly generated public key. The CA uses the information provided to authenticate, or confirm, the identity, then issues the end entity a certificate that associates that identity with the public key and signs the certificate with the CA's own private signing key.
End entities and CAs can exist in different geographic or organizational areas or in completely different organizations. CAs may include third parties that provide services through the Internet as well as the root CAs and subordinate CAs for individual organizations. Policies and certificate content may vary from one organization to another. End-entity enrollment for some certificates may require physical verification, such as an interview or notarized documents, while enrollment for others may be fully automated.

1.1.1. Certificate System Subsystems

To meet the widest possible range of configuration requirements, the Certificate System permits independent installation of five separate subsystems, or managers, that play distinct roles.

1.1.1.1. Certificate Manager

A Certificate Manager functions as a root or subordinate certificate authority (CA). This subsystem issues, renews, and revokes certificates and generates certificate revocation lists (CRLs). It can also publish certificates, files, and CRLs to an LDAP directory, to files, and to an online certificate status protocol (OCSP) responder.
The Certificate Manager can process requests manually (with agent action) or automatically (based on customizable profiles). Publishing tasks can only be performed by the Certificate Manager.
The Certificate Manager also has a built-in OCSP service, enabling OCSP-compliant clients to query the Certificate Manager directly about the revocation status of a certificate that it has issued. In certain PKI deployments, it might be convenient to use the Certificate Manager's built-in OCSP service, instead of a separate Online Certificate Status Manager.
Because CAs can delegate some responsibilities to subordinate CAs, a Certificate Manager might share its load among one or more levels of subordinate Certificate Managers.
Subsystems can also be cloned. All clones use the same keys and certificates as the master, which means that the master and clones essentially all function as a single CA. Many complex deployment scenarios are possible.

1.1.1.2. Registration Manager

A registration authority is an intermediary between a user or location and a CA. The registration authority processes and authenticates enrollment requests; approved requests are then sent to the CA for it to issue the new certificate. Breaking the approval and issuance steps into separate subsystems takes some of the burden off centralized CAs.
RAs agents can approve or reject certificate requests. They can also revoke certificates which they approved.

1.1.1.3. Data Recovery Manager

A Data Recovery Manager (DRM) oversees the long-term archival and recovery of private encryption keys for end entities. A Certificate Manager or TPS can be configured to archive end entities' private encryption keys with a DRM as part of the process of issuing new certificates.
The DRM is useful only if end entities are encrypting data, using applications such as S/MIME email, that the organization may need to recover someday. It can be used only with client software that supports dual key pairs; two separate key pairs, one for encryption and one for digital signatures. It is also possible to perform server-side key generation using the TPS server when enrolling smart cards.

NOTE

The DRM archives encryption keys. It does not archive signing keys, since archiving signing keys would undermine the non-repudiation properties of dual-key certificates.

1.1.1.4. Online Certificate Status Manager

An Online Certificate Status Manager works as an online certificate validation authority and allows OCSP-compliant clients to verify certificates' current status. The Online Certificate Status Manager can receive CRLs from multiple Certificate Managers; clients then query the OCSP service for the revocation status of certificates issued by all Certificate Managers. For example, in a PKI comprising multiple CAs (a root CA and many subordinate CAs), each CA can be configured to publish its CRL to the Online Certificate Status Manager, allowing all clients in the PKI deployment to verify the revocation status of a certificate by querying a single OCSP service.

NOTE

An online certificate-validation authority is often referred to as an OCSP responder.

1.1.1.5. Token Processing System

The Token Processing System (TPS) acts as a registration authority for authenticating and processing smart card enrollment requests, PIN reset requests, and formatting requests from the Enterprise Security Client.

1.1.2. Certificate System Users

Three kinds of users can access Certificate System subsystems: administrators, agents, and end entities. Administrators are responsible for the initial setup and ongoing maintenance of the subsystems. Administrators can also assign agent status to users. Agents manage day-to-day interactions with end entities, which can be users or servers and clients, and other aspects of the PKI. End entities must access a Certificate Manager (CA) subsystem to enroll for certificates in a PKI deployment and for certificate maintenance, such as renewal or revocation.
Figure 1.1, “The Certificate System and Users” shows the ports used by administrators, agents, and end entities. All agent and administrator interactions with Certificate System subsystems occur over HTTPS. End-entity interactions can take place over HTTP or HTTPS.
The Certificate System and Users

Figure 1.1. The Certificate System and Users