Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

17.4. Changing the Names of Subsystem Certificates


One alternative to renewing certificates is replacing them with new certificates, meaning that a new certificate is generated with new keys. Generally, a new certificate can be added to the database and the old one deleted, a simple one-to-one swap. This is possible because the individual subsystem servers identify certificates based on their nickname; as long as the certificate nickname remains the same, the server can find the required certificate even if other factors — like the subject name, serial number, or key — are different.
However, in some situations, the new certificate may have a new certificate nickname, as well. In that case, the certificate nickname needs to be updated in all of the required settings in the subsystem's CS.cfg configuration file.

Important

Always restart a subsystem after editing the CS.cfg file.
These tables list all of the configuration parameters for each of the subsystem's certificates:
Table 17.3. CA Certificate Nickname Parameters
CA Signing Certificate
  • ca.cert.signing.nickname
  • ca.signing.cacertnickname
  • ca.signing.certnickname
  • ca.signing.nickname
  • cloning.signing.nickname
OCSP Signing Certificate
  • ca.ocsp_signing.cacertnickname
  • ca.ocsp_signing.certnickname
  • ca.cert.ocsp_signing.nickname
  • ca.ocsp_signing.nickname
  • cloning.ocsp_signing.nickname
Subsystem Certificate
  • ca.cert.subsystem.nickname
  • ca.subsystem.nickname
  • cloning.subsystem.nickname
  • pkiremove.cert.subsystem.nickname
Server Certificate
  • ca.sslserver.nickname
  • ca.cert.sslserver.nickname
Audit Signing Certificate
  • ca.audit_signing.nickname
  • ca.cert.audit_signing.nickname
  • cloning.audit_signing.nickname
Table 17.4. KRA Certificate Nickname Parameters
Transport Certificate
  • cloning.transport.nickname
  • kra.cert.transport.nickname
  • kra.transport.nickname
  • tks.kra_transport_cert_nickname
    Note that this parameter is in the TKS configuration file. This needs changed in the TKS configuration if the KRA transport certificate nickname changes, even if the TKS certificates all stay the same.
Storage Certificate
  • cloning.storage.nickname
  • kra.storage.nickname
  • kra.cert.storage.nickname
Server Certificate
  • kra.cert.sslserver.nickname
  • kra.sslserver.nickname
Subsystem Certificate
  • cloning.subsystem.nickname
  • kra.cert.subsystem.nickname
  • kra.subsystem.nickname
  • pkiremove.cert.subsystem.nickname
Audit Log Signing Certificate
  • cloning.audit_signing.nickname
  • kra.cert.audit_signing.nickname
  • kra.audit_signing.nickname
Table 17.5. OCSP Certificate Nickname Parameters
OCSP Signing Certificate
  • cloning.signing.nickname
  • ocsp.signing.certnickname
  • ocsp.signing.cacertnickname
  • ocsp.signing.nickname
Server Certificate
  • ocsp.cert.sslserver.nickname
  • ocsp.sslserver.nickname
Subsystem Certificate
  • cloning.subsystem.nickname
  • ocsp.subsystem.nickname
  • ocsp.cert.subsystem.nickname
  • pkiremove.cert.subsystem
Audit Log Signing Certificate
  • cloning.audit_signing.nickname
  • ocsp.audit_signing.nickname
  • ocsp.cert.audit_signing.nickname
Table 17.6. TKS Certificate Nickname Parameters
KRA Transport Certificate[a]
  • tks.kra_transport_cert_nickname
Server Certificate
  • tks.cert.sslserver.nickname
  • tks.sslserver.nickname
Subsystem Certificate
  • cloning.subsystem.nickname
  • tks.cert.subsystem.nickname
  • tks.subsystem.nickname
  • pkiremove.cert.subsystem.nickname
Audit Log Signing Certificate
  • cloning.audit_signing.nickname
  • tks.audit_signing.nickname
  • tks.cert.audit_signing.nickname
[a] This needs changed in the TKS configuration if the KRA transport certificate nickname changes, even if the TKS certificates all stay the same.
Table 17.7. TPS Nickname Parameters in CS.cfg
Server Certificate
  • tps.cert.sslserver.nickname
Subsystem Certificate
  • tps.cert.subsystem.nickname
  • selftests.plugin.TPSValidity.nickname
  • selftests.plugin.TPSPresence.nickname
  • pkiremove.cert.subsystem.nickname
Audit Log Signing Certificate
  • tps.cert.audit_signing.nickname
Red Hat logoGithubRedditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

© 2024 Red Hat, Inc.