Red Hat CERTIFICATE SYSTEM 8 - AGENTS GUIDE Technical Information Page 1

Browse online or download the Technical Information for the Red Hat CERTIFICATE SYSTEM 8 - AGENTS GUIDE software. Red Hat CERTIFICATE SYSTEM 8 - AGENTS GUIDE system information user manual

Red Hat Certificate System 7.3
System Agent Guide
7.3
ISBN: N/A
Publication date:

Table of Contents

Page 1 - System Agent Guide

Red Hat Certificate System 7.3 System Agent Guide 7.3 ISBN: N/A Publication date:

Page 2

A warning indicates potential data loss, as may happen when tuning hardware for maximum performance. 5. Documentation The Certificate System documentatio

Page 3

Agent Services This chapter describes the role of the privileged users, agents, in managing Certificate System subsystems. It also introduces the tools

Page 4

among one or more levels of subordinate CMs. Subsystems can also be cloned. All clones use the same keys and certificates as the master, which means tha

Page 5

Token Processing System. The Token Processing System (TPS) acts as a registration authority for authenticating and processing smart card enrollment requ

Page 6

Figure 2.1. The Certificate System and Users 2. Agent Tasks The designated agents for each subsystem are responsible for the everyday management of end e

Page 7 - About This Guide

Data Recovery Manager Agent Data Recovery Manager (DRM) agents initiate the recovery of lost keys and can obtain information about key service requests

Page 8 - 4. Document Conventions

2.1. Certificate Manager Agent Services The default entry page for (CM) agent services is shown in Figure 2.2, “Certificate Manager Agent Services Page”

Page 9 - Important

• Updates the CRL. The CM maintains a public list of revoked certificates, called the Certificate Revocation List (CRL). The list is usually maintained

Page 10 - 5. Documentation

• Lists key recovery requests from end entities. • Lists or searches for archived keys. • Recovers private data-encryption keys. • Authorizes and approve

Page 11 - Agent Services

• Identifies a CM to the OCSM. • Manually adds CRLs to the OCSM. • Submits requests for the revocation status of a certificate to the OCSM. For more info

Page 12 - Token Key Service

This guide is for agents of Certificate System subsystems. It explains the different agent services interfaces for the Certificate System subsystems an

Page 13 - 1.2. Certificate System Users

• Edits token information. • Sets the token status. The TPS agent services page also has a tab to allow operations by TPS administrators. Figure 2.6. TPS

Page 14 - 2. Agent Tasks

A subsystem agent with the correct certificates can access agent services forms through the agent services page to manage certificates. Table 2.1, “For

Page 15

Form name (Operation) Subsystem Description newly issued certificates and updated CRLs. For instructions on using this form, see Section 2, “Manual Directo

Page 16

Form name (Operation) Subsystem Description Authorize Recovery DRM Authorize a key recovery request remotely that was initiated by another DRM agent. For

Page 17

Form name (Operation) Subsystem Description Search for Tokens TPS Search for tokens using either the user ID of the user to whom the token was issued, or

Page 18

9443, use the following URL to access the agent services interface: https://server.example.com:9443/ca/agent/ca There is also a services page for each s

Page 20

CA: Working with Certificate Profiles A Certificate Manager (CM) agent is responsible for approving certificate profiles that have been configured by a

Page 21

Approve the request. The certificate is issued, and the end entity then retrieves and uses it. Reject the request. No certificate is issued. The end enti

Page 22

Profile ID Profile Name Description caSignedLogCert Manual Log Signing Certificate Enrollment Used to enrol audit log signing certificates caTPSCert Manual

Page 23

Red Hat Certificate System 7.3: System Agent Guide Copyright © 2008 Red Hat, Inc. Copyright © 2008 Red Hat. This material may only be distributed subjec

Page 24 - 4. Accessing Agent Services

Profile ID Profile Name Description authentication. caSimpleCMCUserCert Simple CMC Enrollment Request for User Certificate Used to enrol user certificate

Page 25

Profile ID Profile Name Description caDualRAuserCert RA Agent-Authenticated User Certificate Enrollment Used to enrol user certificates with RA agent auth

Page 26

• Requester email The email address of the certificate requester. • Requester phone The phone number of the certificate requester. • Profile policy sets

Page 27 - 1. About Certificate Profiles

Profile Policy Set Defaults Constraints request. The default values are Criticality=false and OIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4. userCertSet.8 - Su

Page 28

agent can approve, and thus enable, a certificate profile. Once the certificate profile is enabled, it appears on the Certificate Profile tab of the en

Page 29

which is linked to the Approve Certificate Profile page. This page lists information about the certificate profile and allows an agent to approve a cer

Page 30

profile. The certificate profile must first be disabled before an administrator can modify the certificate profile. 5.5. Disapproving a Certificate Profi

Page 31 - 3.1. Example Profile

CA: Handling Certificate Requests A Certificate Manager (CM) agent is responsible for handling both manual enrollment requests made by end entities (end

Page 32 - 2.5.29.15) to the

action only checks the request but does not submit or edit the request. • Assign the request. A certificate request can be manually assigned by the age

Page 33 - The keytype should be RSA

Figure 4.1. Certificate Request Management Process 2. Listing Certificate Requests The CM keeps a queue of all certificate service requests that have be

Page 34

Red Hat Certificate System 7.3

Page 35 - 5.3. Policy Information

• Certificate enrollment requests • Certificate renewal requests • Certificate revocation requests A CM agent must review and approve manual enrollment r

Page 36

3. View certificate requests by request type by selecting one of the options from the Request type menu. • Show enrollment requests • Show renewal requests •

Page 37 - 1. Managing Requests

Figure 4.3. Request Queue 2.1. Selecting a Request To select a request from the queue, do the following: 1. On the agent services page, click List Reques

Page 38

Figure 4.4. Request Details NOTE If the system changes the state of the displayed request, using the browser's Back or Forward buttons or history to

Page 39 - Listing Certificate Requests

• Completed • Canceled • Rejected • Any • Searching by Request Type. To search by the request type, select the Show requests that are of type option, and s

Page 40

3. Select the certificate request from the list. 4. The certificate request details page contains several tables with information about the request: • Re

Page 41

generated and available to the user through the end entities page. If notifications have been set, then an email will be sent to the requester automati

Page 42 - 2.1. Selecting a Request

Figure 4.5. A Newly Issued Certificate Page To copy and mail a new server certificate to the requester, do the following: 1. Create a new email addresse

Page 43 - 2.2. Searching Requests

1. Open the agent services page, click List Requests in the left frame, enter the serial number for the approved request, and click Find. 2. In the R

Page 44 - 3. Approving Requests

CA: Finding and Revoking Certificates A Certificate Manager (CM) agent can use the agent services page to find a specific certificate issued by the Certi

Page 45

1. About This Guide ... 1 1. Who Should Read This Guide

Page 46

• To find a certificate with a specific serial number, enter the serial number in both the upper limit and lower limit fields of the List Certificates

Page 47 - -----END CERTIFICATE

Figure 5.2. Search Certificates 3. To search by particular criteria, use one or more of the sections of the Search for Certificates form. To use a secti

Page 48

• Status. Selects certificates by their status. A certificate has one of the following status codes: • Valid. A valid certificate has been issued, its v

Page 49 - Certificates

• Basic Constraints. Shows CA certificates that are based on the Basic Constraints extension. • Type. Lists certain types of certificates, such as all c

Page 50

certificates matching the specified criteria that should be returned. Setting the number of certificates to be returned returns the first certificates

Page 51 - 0x to indicate the

2. On the Search Results form, select a certificate to examine. If the desired certificate is not shown, scroll to the bottom of the list, specify an a

Page 52

Only CM agents can revoke certificates other than their own. A certificate must be revoked if one of the following situations occurs: • The owner of the

Page 53 - ?) to match an

Figure 5.5. Revoke One or All Certificates 4.2. Revoking One or More Certificates An entire list of certificates returned by a search can be revoked, or

Page 54 - 3. Examining Certificates

1. On the CM's agent services page, click Revoke Certificates, specify search criteria, and click Find to display a list of certificates. 2. On the

Page 55 - 4. Revoking Certificates

Figure 5.6. Confirm Certificate Revocation To confirm the revocation, do the following: 1. Inspect the details of the certificate to verify that it is t

Page 56

5.2. Updating the CRL ... 55 6. CA: Publishing to a Directory ...

Page 57

• Key compromised • CA key compromised • Affiliation changed • Certificate superseded • Cessation of operation • Certificate is on hold 4. Enter any additio

Page 58

4. Choose how to display the CRL by selecting one of the options from the Display Type menu. The choices on this menu are as follows: • Cached CRL. View

Page 59

Figure 5.7. Update Certificate Revocation List 3. Select the algorithm to use to sign the new CRL. Before choosing an algorithm, make sure that any syst

Page 60 - Completed; see

5. To update the CRL with the latest certificate revocation information, click Update. Updating the CRL 57

Page 62

CA: Publishing to a Directory A Red Hat Directory Server installation is required for the Certificate System subsystems to be installed; this directory

Page 63 - Updating the CRL

NOTE Any client using a certificate is responsible for determining its validity by checking the expiration date against the client's current date i

Page 64

DRM: Recovering Encrypted Data This chapter describes how authorized Data Recovery Manager (DRM) agents process key recovery requests and recover stored

Page 65 - CA: Publishing to a Directory

• Show completed requests. Completed requests include archival requests for which proof of archival has been sent and completed recovery requests. • Sho

Page 66

In the old scheme, the password for the storage token was split and protected by individual recovery agent passwords. This made it hard to access the s

Page 67 - 1. List Requests

About This Guide This guide describes the agent services interfaces used by Red Hat Certificate System agents to administer subsystem certificates and k

Page 68

Figure 7.1. Search for Keys Page 3. To search by particular criteria, use the different sections of the Search for Keys or Recover Keys form. To use a s

Page 69 - 2.1. Finding Archived Keys

• Certificate. Finds the archived key that corresponds to a specific public key. Select the check box and paste the certificate containing the base-64

Page 70

Figure 7.2. Search Results Page 5. In the Search Results form, select a key. If a desired key is not shown, scroll to the bottom of the list and use the

Page 71

To initiate key recovery, do the following: 1. On the DRM agent services page, click Recover Keys, specify search criteria, and click Show Key to displa

Page 72 - 2.2. Recovering Keys

kra.noOfRequiredRecoveryAgents=1 kra.recoveryAgentGroup=Data Recovery Manager Agents 4. Set the PKCS #12 token password that the requester uses to impor

Page 73 - CS.cfg file

11. Send the encrypted file to the requester. 12. Give the recovery password to the requester in a secure manner. The requester must use this password to

Page 75 - Recovering Keys

OCSP: Agent Services This chapter describes how to perform Online Certificate Status Manager (OCSP) agent tasks, such as identifying a CA to the OCSP an

Page 76

Figure 8.1. OCSP List Certificate Authorities Page 2. Identifying a CA to the OCSP The OCSP can be configured to receive CRLs from multiple CMs. Before

Page 77 - OCSP: Agent Services

https://server.example.com:11443/ocsp/agent/ocsp 9. In the left frame, click Add Certificate Authority. 10. In the resulting form, paste the encoded CA s

Page 78

requests and explains how to handle different aspects of certificate request management. A CM agent is responsible for handling requests by end entitie

Page 79

The next page shows information about the CM that was added. NOTE If the deployment contains chained CAs, such as a root CA and then several subordinate

Page 80 - 3. Adding a CRL to the OCSP

https://server.example.com:11443/ocsp/agent/ocsp 7. In the left frame, click Add Certificate Revocation List. 8. In the resulting form, paste the encode

Page 82

TPS: Agent Services This chapter describes how to perform Token Processing System (TPS) agent tasks, such as listing smart card tokens and resetting car

Page 83 - TPS: Agent Services

• Listing activities associated with the tokens by the token CUID. • Searching activities by the token CUID. • Changing token status. Administrators can

Page 84 - 3. Managing Tokens

Figure 9.1. Token Search Results Click the link associated with the token to display its details. Managing Tokens 79

Page 85 - Managing Tokens

Figure 9.2. Token Details Four operations can be performed on the token through this page: • Changing the token status. • Editing the token policy. Chapte

Page 86 - Figure 9.2. Token Details

NOTE Agents can only modify the policy in effect for the token and add a new token. Administrators can also change the user ID of the owner and delete t

Page 87 - 3.1. Changing Token Status

There are six possible token statuses: • The token is physically damaged. For this status, the TPS revokes the user certificates and marks the token los

Page 88 - 3.2. Editing the Token

Note If the PIN_RESET policy is not set, then user-initiated PIN resets are allowed by default. If the policy is present and is changed from NO to YES,

Page 89 - NO to YES, then a PIN reset

italic Courier font Italic Courier font represents a variable, such as an installation directory: install_dir/bin/ bold font Bold font represents applicat

Page 90 - 3.5. Showing Token Activities

Through the TPS agent's page, however, viewing Token #1 shows Signing #1 is active; viewing Token #2 shows that Signing #1 is revoked. This is bec

Page 91 - 6. Administrator Operations

Certificates. 5. Searching Token Activities The token activities, such as enrollment, which are performed through the TPS subsystem can be searched and l

Page 92

Click Delete to remove the token, and all its associated certificates and user information, from the TPS database. Chapter 9. TPS: Agent Services 86

Page 93

Index A accessing end-entity gateways, 7 accessing forms, 18 agent services forms accessing, 18 Certificate Manager, 10 Data Recovery Manager, 11 Online C

Page 94

overview, 6 online certificate validation authority defined, 6 P PKI (public-key infrastructure), 5 prerequisites, 1 privileged operations and users, 9
