Administration Guide
Updated for Red Hat Certificate System 10.4
Abstract
Chapter 1. Overview of Red Hat Certificate System Subsystems
1.1. Uses for Certificates
1.2. A Review of Certificate System Subsystems
Enterprise Security Client
1.3. A Look at Managing Certificates (Non-TMS)
1.4. A Look at the Token Management System (TMS)
1.5. Red Hat Certificate System services
Part I. Red Hat Certificate System User Interfaces
Chapter 2. User Interfaces
2.1. User Interfaces Overview
- The PKI command-line interface and other command-line utilities
- The PKI Console graphical interface
- The Certificate System web interface.
~/.dogtag/nssdb/
directory. Section 2.5.1.1, “pki CLI Initialization” provides detailed steps for initializing the NSS database with the administrator's certificate and key. Some examples of using the PKI command-line utility are described in Section 2.5.1.2, “Using "pki" CLI”. Additional examples are shown through the rest of the guide.
PKCS10Client
”.
pkiconsole
Initialization” describes how to initialize this console interface. Section 2.3.2, “Using pkiconsole
for CA, OCSP, KRA, and TKS Subsystems” gives an overview of using it. Later sections, such as Section 3.2.2, “Managing Certificate Enrollment Profiles Using the Java-based Administration Console” go into greater detail for specific operations.
Note
2.2. Client NSS Database Initialization
- Prepare an NSS database for the client. This can be a new database or an existing one.
- Import the CA certificate chain and trust them.
- Have a certificate and corresponding key. They can be generated in the NSS database or imported from somewhere else, such as from a PKCS #12 file.
2.3. Graphical Interface
Important
pkiconsole is being deprecated.
pkiconsole
, is a graphical interface that is designed for users with the Administrator role privilege to manage the subsystem itself. This includes adding users, configuring logs, managing profiles and plug-ins, and the internal database, among many other functions. This utility communicates with the Certificate System server via TLS using client-authentication and can be used to manage the server remotely.
2.3.1. pkiconsole
Initialization
pkiconsole
interface for the first time, specify a new password and use the following command:
$ pki -c password -d ~/.redhat-idm-console client-init
~/.redhat-idm-console/
directory.
.p12
file:
$ openssl pkcs12 -in file -clcerts -nodes -nokeys -out file.crt
$ PKICertImport -d ~/.redhat-idm-console -n "nickname" -t ",," -a -i file.crt -u C
Important
$ pki -c password -d ~/.redhat-idm-console pkcs12-import --pkcs12-file file --pkcs12-password pkcs12-password
$ certutil -V -u C -n "nickname" -d ~/.redhat-idm-console
2.3.2. Using pkiconsole
for CA, OCSP, KRA, and TKS Subsystems
pkiconsole
utility. It can access any subsystem because the command requires the host name, the subsystem's administrative TLS port, and the specific subsystem type.
pkiconsole https://server.example.com:admin_port/subsystem_type
https://192.0.2.1:8443/ca https://[2001:DB8::1111]:8443/ca
Figure 2.1. Certificate System Console
- Users and groups
- Access control lists
- Log configuration
- Subsystem certificates (meaning the certificates issued to the subsystem for use, for example, in the security domain or audit signing)
2.4. Web Interface
2.4.1. Browser Initialization
Importing a CA Certificate
- Click→ → → .
- Select the Authorities tab and click the button.
- Select the
ca.crt
file and click .
Importing a Client Certificate
- Click→ → → .
- Select the Your Certificates tab.
- Click onand select the client p12 file, such as
ca_admin_cert.p12
. - Enter the password for the client certificate on the prompt.
- Click.
- Verify that an entry is added under Your Certificates.
Accessing the Web Console
https://host_name:port
in your browser.
2.4.2. The Administrative Interfaces
Note
Figure 2.2. TPS Admin Page
2.4.3. Agent Interfaces
Figure 2.3. Certificate Manager's Agent Services Page
- The Certificate Manager agent services include approving certificate requests (which issues the certificates), revoking certificates, and publishing certificates and CRLs. All certificates issued by the CA can be managed through its agent services page.
- The TPS agent services, like the CA agent services, manages all of the tokens which have been formatted and have had certificates issued to them through the TPS. Tokens can be enrolled, suspended, and deleted by agents. Two other roles (operator and admin) can view tokens in web services pages, but cannot perform any actions on the tokens.
- KRA agent services pages process key recovery requests, which set whether to allow a certificate to be issued reusing an existing key pair if the certificate is lost.
- The OCSP agent services page allows agents to configure CAs which publish CRLs to the OCSP, to load CRLs to the OCSP manually, and to view the state of client OCSP requests.
2.4.4. End User Pages
Figure 2.4. Certificate Manager's End-Entities Page
2.5. Command Line Interfaces
2.5.1. "pki" CLI
pki
command-line interface (CLI) provides access to various services on the server using the REST interface (see the REST Interface section in the Red Hat Certificate System Planning, Installation, and Deployment Guide. The CLI can be invoked as follows:
$
pki [CLI options]
<command> [command parameters]
2.5.1.1. pki CLI Initialization
$
pki -c <password> client-init
~/.dogtag/nssdb
directory. The password must be specified in all CLI operations that uses the client NSS database. Alternatively, if the password is stored in a file, you can specify the file using the -C
option. For example:
$
pki -C password_file client-init
.p12
file:
$ openssl pkcs12 -in file -clcerts -nodes -nokeys -out file.crt
$ PKICertImport -d ~/.dogtag/nssdb -n "nickname" -t ",," -a -i file.crt -u C
Important
$
pki -c <password> pkcs12-import --pkcs12-file <file> --pkcs12-password <password>
certutil -V -u C -n "nickname" -d ~/.dogtag/nssdb
2.5.1.2. Using "pki" CLI
pki
command without any additional commands or parameters:
$
pki
pki
with the command name and no additional options. For example:
$
pki ca
$
pki ca-cert
--help
option:
$
pki --help
$
pki ca-cert-find --help
help
command:
$
pki help
$
pki help ca-cert-find
$
pki ca-cert-find
$
pki -U <server URL> -n <nickname> -c <password> <command> [command parameters]
$
pki -n jsmith -c password ca-user-find ...
http://local_host_name:8080
. To communicate with a server at a different location, specify the URL with the -U
option, for example:
$
pki -U https://server.example.com:8443 -n jsmith -c password ca-user-find
2.5.2. AtoB
$
AtoB input.ascii output.bin
2.5.3. AuditVerify
$ AuditVerify -d ~jsmith/auditVerifyDir -n Log Signing Certificate -a ~jsmith/auditVerifyDir/logListFile -P "" -v
Log Signing Certificate
(-n
) in the ~jsmith/auditVerifyDir
NSS database (-d
). The list of logs to verify (-a
) are in the ~jsmith/auditVerifyDir/logListFile
file, comma-separated and ordered chronologically. The prefix (-P
) to prepend to the certificate and key database file names is empty. The output is verbose (-v
).
2.5.4. BtoA
$
BtoA input.bin output.ascii
2.5.5. CMCRequest
$
CMCRequest example.cfg
Note
CMCRequest
utility are specified as part of the configuration filed passed to the utility. See the CMCRequest(1) man page for configuration file options and further information. Also see 4.3. Requesting and Receiving Certificates Using CMC and Section 7.2.1, “Revoking a Certificate Using CMCRequest
”.
2.5.6. CMCRevoke
2.5.8. CRMFPopClient
CRMFPopClient
utility is Certificate Request Message Format (CRMF) client using NSS databases and supplying Proof of Possession.
$ CRMFPopClient -d . -p password -n "cn=subject_name" -q POP_SUCCESS -b kra.transport -w "AES/CBC/PKCS5Padding" -t false -v -o /user_or_entity_database_directory/example.csr
cn=subject_name
subject DN (-n)
, NSS database in the current directory (-d
), certificate to use for transport kra.transport
(-b
), the AES/CBC/PKCS5Padding
key wrap algorithm verbose output is specified (-v
) and the resulting CSR is written to the /user_or_entity_database_directory/example.csr
file (-o)
.
CRMFPopClient --help
command and also Section 7.2.1, “Revoking a Certificate Using CMCRequest
”.
2.5.9. HttpClient
HttpClient
utility is an NSS-aware HTTP client for submitting CMC requests.
$ HttpClient request.cfg
Note
HttpClient
utility are stored in the request.cfg
file. For further information, see the output of the HttpClient --help
command.
2.5.10. OCSPClient
$ OCSPClient -h server.example.com -p 8080 -d /etc/pki/pki-tomcat/alias -c "caSigningCert cert-pki-ca" --serial 2
server.example.com
OCSP server (-h
) on port 8080
(-p
) to check whether the certificate signed by caSigningcet cert-pki-ca
(-c
) with serial number 2
(--serial
) is valid. The NSS database in the /etc/pki/pki-tomcat/alias
directory is used.
OCSPClient --help
command.
2.5.11. PKCS10Client
PKCS10Client
utility creates a CSR in PKCS10 format for RSA and EC keys, optionally on an HSM.
$ PKCS10Client -d /etc/dirsrv/slapd-instance_name/ -p password -a rsa -l 2048 -o ~/ds.csr -n "CN=$HOSTNAME"
-a
) key with 2048 bits (-l
) in the /etc/dirsrv/slapd-instance_name/
directory (-d
with database password password
(-p
). The output CSR is stored in the ~/ds.cfg
file (-o
) and the certificate DN is CN=$HOSTNAME
(-n
).
2.5.12. PrettyPrintCert
$ PrettyPrintCert ascii_data.cert
ascii_data.cert
file and displays its contents in human readable format. The output includes information like signature algorithm, exponent, modulus, and certificate extensions.
2.5.13. PrettyPrintCrl
$ PrettyPrintCrl ascii_data.crl
ascii_data.crl
and displays its contents in human readable format. The output includes information, such as revocation signature algorithm, the issuer of the revocation, and a list of revoked certificates and their reason.
2.5.14. TokenInfo
$ TokenInfo ./nssdb/
TokenInfo
command
2.5.15. tkstool
tkstool
utility is interacting with the token Key Service (TKS) subsystem.
$ tkstool -M -n new_master -d /var/lib/pki/pki-tomcat/alias -h token_name
-M
) named new_master
(-n
) in the /var/lib/pki/pki-tomcat/alias
NSS database on the HSM token_name
tkstool -H
command.
2.6. Enterprise Security Client
- Supports JavaCard 2.1 or higher cards and Global Platform 2.01-compliant smart cards like Safenet's 330J smart card.
- Supports Gemalto TOP IM FIPS CY2 tokens, both the smart card and GemPCKey USB form factor key.
- Supports SafeNet Smart Card 650 (SC650).
- Enrolls security tokens so they are recognized by TPS.
- Maintains the security token, such as re-enrolling a token with TPS.
- Provides information about the current status of the token or tokens being managed.
- Supports server-side key generation so that keys can be archived and recovered on a separate token if a token is lost.
- Allows the user to enroll security tokens so they are recognized by the TPS.
- Allows the user to maintain the security token. For example, Enterprise Security Client makes it possible to re-enroll a token with the TPS.
- Provides support for several different kinds of tokens through default and custom token profiles. By default, the TPS can automatically enroll user keys, device keys, and security officer keys; additional profiles can be added so that tokens for different uses (recognized by attributes such as the token CUID) can automatically be enrolled according to the appropriate profile.
- Provides information about the current status of the tokens being managed.
Part II. Setting up Certificate Services
Chapter 3. Making Rules for Issuing Certificates (Certificate Profiles)
3.1. About Certificate Profiles
- Authentication. In every certification profile can be specified an authentication method.
- Authorization. In every certification profile can be specified an authorization method.
- Profile inputs. Profile inputs are parameters and values that are submitted to the CA when a certificate is requested. Profile inputs include public keys for the certificate request and the certificate subject name requested by the end entity for the certificate.
- Profile outputs. Profile outputs are parameters and values that specify the format in which to provide the certificate to the end entity. Profile outputs are CMC responses which contain a PKCS#7 certificate chain, when the request was successful.
- Certificate content. Each certificate defines content information, such as the name of the entity to which it is assigned (the subject name), its signing algorithm, and its validity period. What is included in a certificate is defined in the X.509 standard. With version 3 of the X509 standard, certificates can also contain extensions. For more information about certificate extensions, see Section B.3, “Standard X.509 v3 Certificate Extension Reference”.All of the information about a certificate profile is defined in the
set
entry of the profile policy in the profile's configuration file. When multiple certificates are expected to be requested at the same time, multiple set entries can be defined in the profile policy to satisfy needs of each certificate. Each policy set consists of a number of policy rules and each policy rule describes a field in the certificate content. A policy rule can include the following parts:- Profile defaults. These are predefined parameters and allowed values for information contained within the certificate. Profile defaults include the validity period of the certificate, and what certificate extensions appear for each type of certificate issued.
- Profile constraints. Constraints set rules or policies for issuing certificates. Amongst other, profile constraints include rules to require the certificate subject name to have at least one CN component, to set the validity of a certificate to a maximum of 360 days, to define the allowed grace period for renewal, or to require that the
subjectaltname
extension is always set totrue
.
3.1.1. The Enrollment Profile
caUserCert
profile in Example 3.1, “Example caCMCUserCert Profile”.
Example 3.1. Example caCMCUserCert Profile
desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication. visible=true enable=true enableBy=admin name=Signed CMC-Authenticated User Certificate Enrollment
Note
auth.instance_id=
entry in this profile means that with this profile, authentication is not needed to submit the enrollment request. However, manual approval by an authorized CA agent will be required to get an issuance.
input.list=i1 input.i1.class_id=cmcCertReqInputImp
caCMCUserCert
profile, this defines the certificate request type, which is CMC.
certOutputImpl
, which results in CMC response to be returned to the requestor in case of success.
output.list=o1 output.o1.class_id=certOutputImpl
policyset.list
parameter identifies the block name of the policies that apply to one certificate; the policyset.userCertSet.list
lists the individual policies to apply.
policyset.list=userCertSet policyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9 ... policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint policyset.userCertSet.6.constraint.params.keyUsageCritical=true policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl policyset.userCertSet.6.default.name=Key Usage Default policyset.userCertSet.6.default.params.keyUsageCritical=true policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false policyset.userCertSet.6.default.params.keyUsageCrlSign=false policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false ...
3.1.2. Certificate Extensions: Defaults and Constraints
policyset.caCertSet.5.default.name=Basic Constraints Extension Default policyset.caCertSet.5.default.params.basicConstraintsCritical=true policyset.caCertSet.5.default.params.basicConstraintsIsCA=true policyset.caCertSet.5.default.params.basicConstraintsPathLen=-1
policyset.caCertSet.5.constraint.class_id=basicConstraintsExtConstraintImpl policyset.caCertSet.5.constraint.name=Basic Constraint Extension Constraint policyset.caCertSet.5.constraint.params.basicConstraintsCritical=true policyset.caCertSet.5.constraint.params.basicConstraintsIsCA=true policyset.caCertSet.5.constraint.params.basicConstraintsMinPathLen=-1 policyset.caCertSet.5.constraint.params.basicConstraintsMaxPathLen=-1
Note
3.1.3. Inputs and Outputs
3.2. Setting up Certificate Profiles
- Using the PKI command-line interface
- Using the Java-based administration console
3.2.1. Managing Certificate Enrollment Profiles Using the PKI Command-line Interface
pki
utility. For further details, see the pki-ca-profile(1) man page.
Note
3.2.1.1. Enabling and Disabling a Certificate Profile
Note
caCMCECserverCert
certificate profile:
# pki -c password -n caagent ca-profile-disable caCMCECserverCert
caCMCECserverCert
certificate profile:
# pki -c password -n caagent ca-profile-enable caCMCECserverCert
3.2.1.2. Creating a Certificate Profile in Raw Format
# pki -c password -n caadmin ca-profile-add profile_name.cfg --raw
Note
profileId=profile_name
3.2.1.3. Editing a Certificate Profile in Raw Format
caCMCECserverCert
profile:
# pki -c password -n caadmin ca-profile-edit caCMCECserverCert
VI
editor. When you close the editor, the profile configuration is updated on the server.
Important
Example 3.2. Editing a Certificate Profile in RAW Format
caCMCserverCert
profile to accept multiple user-supplied extensions:
- Disable the profile as a CA agent:
# pki -c password -n caagemt ca-profile-disable caCMCserverCert
- Edit the profile as a CA administrator:
- Download and open the profile in the
VI
editor:# pki -c password -n caadmin ca-profile-edit caCMCserverCert
- Update the configuration to accept the extensions. For details, see Example B.3, “Multiple User Supplied Extensions in CSR”.
- Enable the profile as a CA agent:
# pki -c password -n caagent ca-profile-enable caCMCserverCert
3.2.1.4. Deleting a Certificate Profile
# pki -c password -n caadmin ca-profile-del profile_name
Important
3.2.2. Managing Certificate Enrollment Profiles Using the Java-based Administration Console
Important
pkiconsole
is being deprecated.
3.2.2.1. Creating Certificate Profiles through the CA Console
- Log in to the Certificate System CA subsystem console.
pkiconsole https://server.example.com:8443/ca
- In the Configuration tab, select Certificate Manager, and then select Certificate Profiles.The Certificate Profile Instances Management tab, which lists configured certificate profiles, opens.
- To create a new certificate profile, click.In the Select Certificate Profile Plugin Implementation window, select the type of certificate for which the profile is being created.
- Fill in the profile information in the Certificate Profile Instance Editor.
- Certificate Profile Instance ID. This is the ID used by the system to identify the profile.
- Certificate Profile Name. This is the user-friendly name for the profile.
- Certificate Profile Description.
- End User Certificate Profile. This sets whether the request must be made through the input form for the profile. This is usually set to
true
. Setting this tofalse
allows a signed request to be processed through the Certificate Manager's certificate profile framework, rather than through the input page for the certificate profile. - Certificate Profile Authentication. This sets the authentication method. An automated authentication is set by providing the instance ID for the authentication instance. If this field is blank, the authentication method is agent-approved enrollment; the request is submitted to the request queue of the agent services interface.Unless it is for a TMS subsystem, administrators must select one of the following authentication plug-ins:
CMCAuth
: Use this plug-in when a CA agent must approve and submit the enrollment request.CMCUserSignedAuth
: Use this plug-in to enable non-agent users to enroll own certificates.
- Click. The plug-in editor closes, and the new profile is listed in the profiles tab.
- Configure the policies, inputs, and outputs for the new profile. Select the new profile from the list, and click.
- Set up policies in the Policies tab of the Certificate Profile Rule Editor window. The Policies tab lists policies that are already set by default for the profile type.
- To add a policy, click.
- Choose the default from the Default field, choose the constraints associated with that policy in the Constraints field, and click .
- Fill in the policy set ID. When issuing dual key pairs, separate policy sets define the policies associated with each certificate. Then fill in the certificate profile policy ID, a name or identifier for the certificate profile policy.
- Configure any parameters in the Defaults and Constraints tabs.Defaults defines attributes that populate the certificate request, which in turn determines the content of the certificate. These can be extensions, validity periods, or other fields contained in the certificates. Constraints defines valid values for the defaults.See Section B.1, “Defaults Reference” and Section B.2, “Constraints Reference” for complete details for each default or constraint.
To modify an existing policy, select a policy, and click. Then edit the default and constraints for that policy.To delete a policy, select the policy, and click. - Set inputs in the Inputs tab of the Certificate Profile Rule Editor window. There can be more than one input type for a profile.
Note
Unless you configure the profile for a TMS subsystem, select onlycmcCertReqInput
and delete other profiles by selecting them and clicking the button.- To add an input, click.
- Choose the input from the list, and click Section A.1, “Input Reference” for complete details of the default inputs.. See
- The New Certificate Profile Editor window opens. Set the input ID, and click .
Inputs can be added and deleted. It is possible to select edit for an input, but since inputs have no parameters or other settings, there is nothing to configure.To delete an input, select the input, and click. - Set up outputs in the Outputs tab of the Certificate Profile Rule Editor window.Outputs must be set for any certificate profile that uses an automated authentication method; no output needs to be set for any certificate profile that uses agent-approved authentication. The Certificate Output type is set by default for all profiles and is added automatically to custom profiles.Unless you configure the profile for a TMS subsystem, select only
certOutput
.Outputs can be added and deleted. It is possible to select edit for an output, but since outputs have no parameters or other settings, there is nothing to configure.- To add an output, click.
- Choose the output from the list, and click.
- Give a name or identifier for the output, and click.This output will be listed in the output tab. You can edit it to provide values to the parameters in this output.
To delete an output, select the output from list, and click. - Restart the CA to apply the new profile.
systemctl restart pki-tomcatd-nuxwdog@instance_name.service
- After creating the profile as an administrator, a CA agent has to approve the profile in the agent services pages to enable the profile.
- Open the CA's services page.
https://server.example.com:8443/ca/services
- Click the Manage Certificate Profiles link. This page lists all of the certificate profiles that have been set up by an administrator, both active and inactive.
- Click the name of the certificate profile to approve.
- At the bottom of the page, click thebutton.
Note
3.2.2.2. Editing Certificate Profiles in the Console
- Log into the agent services pages and disable the profile.Once a certificate profile is enabled by an agent, that certificate profile is marked enabled in the Certificate Profile Instance Management tab, and the certificate profile cannot be edited in any way through the console.
- Log in to the Certificate System CA subsystem console.
pkiconsole https://server.example.com:8443/ca
- In the Configuration tab, select Certificate Manager, and then select Certificate Profiles.
- Select the certificate profile, and click.
- The Certificate Profile Rule Editor window appears. Many any changes to the defaults, constraints, inputs, or outputs.
Note
The profile instance ID cannot be modified.If necessary, enlarge the window by pulling out one of the corners of the window. - Restart the CA to apply the changes.
- In the agent services page, re-enable the profile.
Note
3.2.3. Listing Certificate Enrollment Profiles
pki
utility. For example:
# pki -c password -n caadmin ca-profile-find ------------------ 59 entries matched ------------------ Profile ID: caCMCserverCert Name: Server Certificate Enrollment using CMC Description: This certificate profile is for enrolling server certificates using CMC. Profile ID: caCMCECserverCert Name: Server Certificate wth ECC keys Enrollment using CMC Description: This certificate profile is for enrolling server certificates with ECC keys using CMC. Profile ID: caCMCECsubsystemCert Name: Subsystem Certificate Enrollment with ECC keys using CMC Description: This certificate profile is for enrolling subsystem certificates with ECC keys using CMC. Profile ID: caCMCsubsystemCert Name: Subsystem Certificate Enrollment using CMC Description: This certificate profile is for enrolling subsystem certificates using CMC. ... ----------------------------- Number of entries returned 20
3.2.4. Displaying Details of a Certificate Enrollment Profile
caECFullCMCUserSignedCert
:
$ pki -c password -n caadmin ca-profile-show caECFullCMCUserSignedCert ----------------------------------- Profile "caECFullCMCUserSignedCert" ----------------------------------- Profile ID: caECFullCMCUserSignedCert Name: User-Signed CMC-Authenticated User Certificate Enrollment Description: This certificate profile is for enrolling user certificates with EC keys by using the CMC certificate request with non-agent user CMC authentication. Name: Certificate Request Input Class: cmcCertReqInputImpl Attribute Name: cert_request Attribute Description: Certificate Request Attribute Syntax: cert_request Name: Certificate Output Class: certOutputImpl Attribute Name: pretty_cert Attribute Description: Certificate Pretty Print Attribute Syntax: pretty_print Attribute Name: b64_cert Attribute Description: Certificate Base-64 Encoded Attribute Syntax: pretty_print
caECFullCMCUserSignedCert
, in raw format:
$ pki -c password -n caadmin ca-profile-show caECFullCMCUserSignedCert --raw #Wed Jul 25 14:41:35 PDT 2018 auth.instance_id=CMCUserSignedAuth policyset.cmcUserCertSet.1.default.params.name= policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false policyset.cmcUserCertSet.10.default.class_id=noDefaultImpl policyset.cmcUserCertSet.10.constraint.name=Renewal Grace Period Constraint output.o1.class_id=certOutputImpl ...
3.3. Defining Key Defaults in Profiles
policyset.set1.p3.constraint.class_id=noConstraintImpl policyset.set1.p3.constraint.name=No Constraint policyset.set1.p3.default.class_id=subjectKeyIdentifierExtDefaultImpl policyset.set1.p3.default.name=Subject Key Identifier Default ... policyset.set1.p11.constraint.class_id=keyConstraintImpl policyset.set1.p11.constraint.name=Key Constraint policyset.set1.p11.constraint.params.keyType=RSA policyset.set1.p11.constraint.params.keyParameters=1024,2048,3072,4096 policyset.set1.p11.default.class_id=userKeyDefaultImpl policyset.set1.p11.default.name=Key Default
policyset
list, then, the Key Default (p11
) must be listed before the Subject Key Identifier Default (p3
).
policyset.set1.list=p1,p2,p11,p3
,p4,p5,p6,p7,p8,p9,p10
3.4. Configuring Profiles to Enable Renewal
renewGracePeriodConstraint
entry. For example:
policyset.cmcUserCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl policyset.cmcUserCertSet.10.constraint.name=Renewal Grace Period Constraint policyset.cmcUserCertSet.10.constraint.params.renewal.graceBefore=30 policyset.cmcUserCertSet.10.constraint.params.renewal.graceAfter=30 policyset.cmcUserCertSet.10.default.class_id=noDefaultImpl policyset.cmcUserCertSet.10.default.name=No Default
3.4.1. Renewing Using the Same Key
allowSameKeyRenewal
parameter set to true
in the uniqueKeyConstraint
entry. For example:
policyset.cmcUserCertSet.9.constraint.class_id=uniqueKeyConstraintImpl policyset.cmcUserCertSet.9.constraint.name=Unique Key Constraint policyset.cmcUserCertSet.9.constraint.params.allowSameKeyRenewal=true policyset.cmcUserCertSet.9.default.class_id=noDefaultImpl policyset.cmcUserCertSet.9.default.name=No Default
3.4.2. Renewal Using a New Key
subjectDN
from the user signing certificate used to sign the request for the new certificate.
3.5. Setting the Signing Algorithms for Certificates
3.5.1. Setting the CA's Default Signing Algorithm
- Open the CA console.
pkiconsole https://server.example.com:8443/ca
- In the Configuration tab, expand the Certificate Manager tree.
- In the General Settings tab, set the algorithm to use in the Algorithm drop-down menu.
Note
pkiconsole
is being deprecated.
3.5.2. Setting the Signing Algorithm Default in a Profile
.cfg
file, the algorithm is set with two parameters:
policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl policyset.cmcUserCertSet.8.constraint.name=No Constraint policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl policyset.cmcUserCertSet.8.default.name=Signing Alg policyset.cmcUserCertSet.8.default.params.signingAlg=-
Note
- Open the CA console.
pkiconsole https://server.example.com:8443/ca
- In the Configuration tab, expand the Certificate Manager tree.
- Click the Certificate Profiles item.
- Click the Policies tab.
- Select the Signing Alg policy, and click the button.
- To set the default signing algorithm, set the value in the Defaults tab. If this is set to -, then the profile uses the CA's default.
- To set a list of allowed signing algorithms which can be accepted in a certificate request, open the Constraints tab, and set the list of algorithms in the Value field for
signingAlgsAllowed
.The possible values for the constraint are listed in Section B.2.10, “Signing Algorithm Constraint”.
Note
pkiconsole
is being deprecated.
3.7. Managing Subject Names and Subject Alternative Names
Important
3.7.1. Using the Requester CN or UID in the Subject Name
cn
or uid
value from a certificate request can be used to build the subject name of the issued certificate. This section demonstrates a profile that requires the naming attribute (CN or UID) being specified in the Subject Name Constraint to be present in the certificate request. If the naming attribute is missing, the request is rejected.
- The CN or UID format is set in the
pattern
configuration in the Subject Name Constraint. - The format of the subject DN, including the CN or UID token and the specific suffix for the certificate, is set in the Subject Name Default.
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl policyset.serverCertSet.1.constraint.name=Subject Name Constraint policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
policyset.serverCertSet.1.constraint.params.accept=true policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl policyset.serverCertSet.1.default.name=Subject Name Default policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,DC=example, DC=com
cn=John Smith
, then the certificate will be issued with a subject DN of cn=John Smith,DC=example, DC=com
. If the request comes in but it has a UID of uid=jsmith
and no CN, then the request is rejected.
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl policyset.serverCertSet.1.constraint.name=Subject Name Constraint policyset.serverCertSet.1.constraint.params.pattern=UID=[^,]+,.+
policyset.serverCertSet.1.constraint.params.accept=true policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl policyset.serverCertSet.1.default.name=Subject Name Default policyset.serverCertSet.1.default.params.name=UID=$request.req_subject_name.uid$,DC=example, DC=com
pattern
parameter is covered in Section B.2.11, “Subject Name Constraint” and Section B.1.27, “Subject Name Default”.
3.7.2. Inserting LDAP Directory Attribute Values and Other Information into the Subject Alt Name
policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl policyset.userCertSet.8.default.name=Subject Alt Name Constraint policyset.userCertSet.8.default.params.subjAltNameExtCritical=false policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
Type_
, Pattern_
, and Enable_
values numerically, such as Type_1
.
- Inserting LDAP attribute values requires enabling the user directory authentication plug-in,
SharedSecret
.- Open the CA Console.
pkiconsole https://server.example.com:8443/ca
- Select Authentication in the left navigation tree.
- In the Authentication Instance tab, click , and add an instance of the
SharedSecret
authentication plug-in. - Enter the following information:
Authentication InstanceID=SharedToken shrTokAttr=shrTok ldap.ldapconn.host=server.example.com ldap.ldapconn.port=636 ldap.ldapconn.secureConn=true ldap.ldapauth.bindDN=cn=Directory Manager password=password ldap.ldapauth.authtype=BasicAuth ldap.basedn=ou=People,dc=example,dc=org
- Save the new plug-in instance.
Note
pkiconsole
is being deprecated.For information on setting a CMC shared token, see Section 10.4.2, “Setting a CMC Shared Secret”. - The
ldapStringAttributes
parameter instructs the authentication plug-in to read the value of themail
attribute from the user's LDAP entry and put that value in the certificate request. When the value is in the request, the certificate profile policy can be set to insert that value for an extension value.The format for thednpattern
parameter is covered in Section B.2.11, “Subject Name Constraint” and Section B.1.27, “Subject Name Default”. - To enable the CA to insert the LDAP attribute value in the certificate extension, edit the profile's configuration file, and insert a policy set parameter for an extension. For example, to insert the
mail
attribute value in the Subject Alternative Name extension in thecaFullCMCSharedTokenCert
profile, change the following code:policyset.setID.8.default.params.
subjAltExtPattern_0=$request.auth_token.mail[0]$
For more details about editing a profile, see Section 3.2.1.3, “Editing a Certificate Profile in Raw Format”. - Restart the CA.
systemctl restart pki-tomcatd-nuxwdog@instance_name.service
caFullCMCSharedTokenCert
profile enrollment form will have the Subject Alternative Name extension added with the value of the requester's mail
LDAP attribute. For example:
Identifier: Subject Alternative Name - 2.5.29.17 Critical: no Value: RFC822Name: jsmith@example.com
Pattern_
parameters in the policy set. The common tokens are listed in Table 3.1, “Variables Used to Populate Certificates”, and the default profiles contain examples for how these tokens are used.
Policy Set Token | Description |
---|---|
$request.auth_token.cn[0]$ | The LDAP common name (cn ) attribute of the user who requested the certificate. |
$request.auth_token.mail[0]$ | The value of the LDAP email (mail ) attribute of the user who requested the certificate. |
$request.auth_token.tokencertsubject$ | The certificate subject name. |
$request.auth_token.uid$ | The LDAP user ID (uid ) attribute of the user who requested the certificate. |
$request.auth_token.userdn$ | The user DN of the user who requested the certificate. |
$request.auth_token.userid$ | The value of the user ID attribute for the user who requested the certificate. |
$request.uid$ | The value of the user ID attribute for the user who requested the certificate. |
$request.requestor_email$ | The email address of the person who submitted the request. |
$request.requestor_name$ | The person who submitted the request. |
$request.upn$ | The Microsoft UPN. This has the format (UTF8String)1.3.6.1.4.1.311.20.2.3,$request.upn$. |
$server.source$ | Instructs the server to generate a version 4 UUID (random number) component in the subject name. This always has the format (IA5String)1.2.3.4,$server.source$. |
$request.auth_token.user$ | Used when the request was submitted by TPS. The TPS subsystem trusted manager who requested the certificate. |
$request.subject$ | Used when the request was submitted by TPS. The subject name DN of the entity to which TPS has resolved and requested for. For example, cn=John.Smith.123456789,o=TMS Org |
3.7.3. Using the CN Attribute in the SAN Extension
dNSName
Subject Alternative Name (SAN) value in the certificate request.
dNSName
value based on the CN is appended to existing SANs.
- Disable the profile:
# pki -c password -p 8080 \ -n "PKI Administrator for example.com" ca-profile-disable profile_name
- Edit the profile:
# pki -c password -p 8080 \ -n "PKI Administrator for example.com" ca-profile-edit profile_name
- Add the following configuration with a unique set number for the profile. For example:
policyset.serverCertSet.12.constraint.class_id=noConstraintImpl policyset.serverCertSet.12.constraint.name=No Constraint policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl policyset.serverCertSet.12.default.name=Copy Common Name to Subject
The previous example uses12
as the set number. - Append the new policy set number to the
policyset.userCertSet.list
parameter. For example:policyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9,12
- Save the profile.
- Enable the profile:
# pki -c password -p 8080 \ -n "PKI Administrator for example.com" ca-profile-enable profile_name
Note
commonNameToSANDefaultImpl
default.
3.7.4. Accepting SAN Extensions from a CSR
3.7.4.1. Configuring a Profile to Retrieve SANs from a CSR
Note
caCMCECserverCert
:
prefix.constraint.class_id=noConstraintImpl prefix.constraint.name=No Constraint prefix.default.class_id=userExtensionDefaultImpl prefix.default.name=User supplied extension in CSR prefix.default.params.userExtOID=2.5.29.17
3.7.4.2. Generating a CSR with SANs
certutil
utility:
# certutil -R -k ec -q nistp256 -d . -s "cn=Example Multiple SANs" --extSAN dns:www.example.com,dns:www.example.org -a -o /root/request.csr.p10
Chapter 4. Setting up Key Archival and Recovery
Note
Note
Note
4.1. Configuring Agent-Approved Key Recovery in the Console
Note
CS.cfg
file. The Console uses the Key Recovery Authority Agents Group
by default.
- Open the KRA's console. For example:
pkiconsole https://server.example.com:8443/kra
- Click the Key Recovery Authority link in the left navigation tree.
- Enter the number of agents to use to approve key recover in the Required Number of Agents field.
Note
CS.cfg
file, see the Configuring Agent-Approved Key Recovery in the Command Line section in the Red Hat Certificate System Planning, Installation, and Deployment Guide.
4.2. Testing the Key Archival and Recovery Setup
Note
- Enroll for dual certificates using the CA's Manual User Signing & Encryption Certificates Enrollment form.
- Submit the request. Log in to the agent services page, and approve the request.
- Log into the end-entities page, and check to see if the certificates have been issued. In the list of certificates, there should be two new certificates with consecutive serial numbers.
- Import the certificates into the web browser.
- Confirm that the key has been archived. In the KRA's agent services page, select Show completed requests. If the key has been archived successfully, there will be information about that key. If the key is not shown, check the logs, and correct the problem. If the key has been successfully archived, close the browser window.
- Verify the key. Send a signed and encrypted email. When the email is received, open it, and check the message to see if it is signed and encrypted. There should be a security icon at the top-right corner of the message window that indicates that the message is signed and encrypted.
- Delete the certificate. Check the encrypted email again; the mail client should not be able to decrypt the message.
- Test whether an archived key can be recovered successfully:
- Open the KRA's agent services page, and click the Recover Keys link. Search for the key by the key owner, serial number, or public key. If the key has been archived successfully, the key information will be shown.
- Click.
- In the form that appears, enter the base-64 encoded certificate that corresponds to the private key to recover; use the CA to get this information. If the archived key was searched for by providing the base-64 encoded certificate, then the certificate does not have to be supplied here.
- Make sure that the Async Recovery checkbox is selected to allow the browser session to be closed while recovery is ongoing.
Note
An async recovery is the default and recommended way to perform a key recovery. If you want to perform a synchronous key recovery, the browser window cannot be shut and the KRA cannot be stopped during the recovery process. - Depending on the agent scheme, a specified number of agents must authorize this key recovery. Have the agents search for the key to recover and then to approve the initiated recovery.
- Once all the agents have authorized the recovery, the next screen requests a password to encrypt the PKCS #12 file with the certificate.
- The next screen returns a link to download a PKCS #12 blob containing the recovered key pair. Follow the link, and save the blob to file.
Important
Opening the PKCS #12 file directly from the browser in thegcr-viewer
utility can fail in certain situations. To work around the problem, download the file and manually open it ingcr-viewer
.
- Restore the key to the browser's database. Import the
.p12
file into the browser and mail client. - Open the test email. The message should be shown again.
Chapter 5. Requesting, Enrolling, and Managing Certificates
5.1. About Enrolling and Renewing Certificates
- A certificate request (CSR) is generated.
- The certificate request is submitted to the CA.
- The request is verified by authenticating the entity which requested it and by confirming that the request meets the certificate profile rules which were used to submit it.
- The request is approved.
- The requesting party retrieves the new certificate.
5.2. Creating Certificate Signing Requests
- Generating CSRs using command line utilities
- Generating CSRs inside a supporting browser
- Generating CSRs inside an application, such as the installer of a server
- Command-line utilities
- Server-Side Key Generation
5.2.1. Generating CSRs Using Command-Line Utilities
certutil
: Supports creating PKCS #10 requests.PKCS10Client
: Supports creating PKCS #10 requests.CRMFPopClient
: Supports creating CRMF requests.pki client-cert-request
: Supports both PKCS#10 and CRMF requests.
5.2.1.1. Creating a CSR Using certutil
certutil
utility to create a CSR.
certutil
, see:
- The certutil(1) man page
- The output of the
certutil --help
command
5.2.1.1.1. Using certutil
to Create a CSR with EC Keys
certutil
utility to create an Elliptic Curve (EC) key pair and CSR:
- Change to the certificate database directory of the user or entity for which the certificate is being requested, for example:
$ cd /user_or_entity_database_directory/
- Create the binary CSR and store it in the
/user_or_entity_database_directory/request.csr
file:$ certutil -d . -R -k ec -q nistp256 -s "CN=subject_name" -o /user_or_entity_database_directory/request-bin.csr
Enter the required NSS database password when prompted.For further details about the parameters, see the certutil(1) man page. - Convert the created binary format CSR to PEM format:
$ BtoA /user_or_entity_database_directory/request-bin.csr /user_or_entity_database_directory/request.csr
- Optionally, verify that the CSR file is correct:
$ cat /user_or_entity_database_directory/request.csr MIICbTCCAVUCAQAwKDEQMA4GA1UEChMHRXhhbXBsZTEUMBIGA1UEAxMLZXhhbXBs ...
This is a PKCS#10 PEM certificate request.
5.2.1.1.2. Using certutil
to Create a CSR With User-defined Extensions
certutil
utility.
- Change to the certificate database directory of the user or entity for which the certificate is being requested, for example:
$ cd /user_or_entity_database_directory/
- Create the CSR with user-defined Key Usage extension as well as user-defined Extended Key Usage extension and store it in the
/user_or_entity_database_directory/request.csr
file:$ certutil -d . -R -k rsa -g 1024 -s "CN=subject_name" --keyUsage keyEncipherment,dataEncipherment,critical --extKeyUsage timeStamp,msTrustListSign,critical -a -o /user_or_entity_database_directory/request.csr
Enter the required NSS database password when prompted.For further details about the parameters, see the certutil(1) man page. - Optionally, verify that the CSR file is correct:
$ cat /user_or_entity_database_directory/request.csr Certificate request generated by Netscape certutil Phone: (not specified) Common Name: user 4-2-1-2 Email: (not specified) Organization: (not specified) State: (not specified) Country: (not specified)
This is a PKCS#10 PEM certificate request.
5.2.1.2. Creating a CSR Using PKCS10Client
PKCS10Client
utility to create a CSR.
PKCS10Client
, see:
- The PKCS10Client(1) man page
- The output of the
PKCS10Client --help
command
5.2.1.2.1. Using PKCS10Client
to Create a CSR
PKCS10Client
utility to create an Elliptic Curve (EC) key pair and CSR:
- Change to the certificate database directory of the user or entity for which the certificate is being requested, for example:
$ cd /user_or_entity_database_directory/
- Create the CSR and store it in the
/user_or_entity_database_directory/example.csr
file:$ PKCS10Client -d . -p NSS_password -a ec -c nistp256 -o /user_or_entity_database_directory/example.csr -n "CN=subject_name"
For further details about the parameters, see the PKCS10Client(1) man page. - Optionally, verify that the CSR is correct:
$ cat /user_or_entity_database_directory/example.csr -----BEGIN CERTIFICATE REQUEST----- MIICzzCCAbcCAQAwgYkx ... -----END CERTIFICATE REQUEST-----
5.2.1.2.2. Using PKCS10Client
to Create a CSR for SharedSecret-based CMC
PKCS10Client
utility to create an RSA key pair and CSR for SharedSecret-based CMC. Use it only with the CMC Shared Secret authentication method which is, by default, handled by the caFullCMCSharedTokenCert
and caECFullCMCSharedTokenCert
profiles.
- Change to the certificate database directory of the user or entity for which the certificate is being requested, for example:
$ cd /user_or_entity_database_directory/
- Create the CSR and store it in the
/user_or_entity_database_directory/example.csr
file:$ PKCS10Client -d . -p NSS_password -o /user_or_entity_database_directory/example.csr -y true -n "CN=subject_name"
For further details about the parameters, see the PKCS10Client(1) man page. - Optionally, verify that the CSR is correct:
$ cat /user_or_entity_database_directory/example.csr -----BEGIN CERTIFICATE REQUEST----- MIICzzCCAbcCAQAwgYkx ... -----END CERTIFICATE REQUEST-----
5.2.1.3. Creating a CSR Using CRMFPopClient
CRMFPopClient
utility to create a CSR.
CRMFPopClient
, see the CRMFPopClient(1) man page.
5.2.1.3.1. Using CRMFPopClient
to Create a CSR with Key Archival
CRMFPopClient
utility to create an RSA key pair and a CSR with the key archival option:
- Change to the certificate database directory of the user or entity for which the certificate is being requested, for example:
$ cd /user_or_entity_database_directory/
- Retrieve the KRA transport certificate:
$ pki ca-cert-find --name "DRM Transport Certificate" --------------- 1 entries found --------------- Serial Number: 0x7 Subject DN: CN=DRM Transport Certificate,O=EXAMPLE Status: VALID Type: X.509 version 3 Key A lgorithm: PKCS #1 RSA with 2048-bit key Not Valid Before: Thu Oct 22 18:26:11 CEST 2015 Not Valid After: Wed Oct 11 18:26:11 CEST 2017 Issued On: Thu Oct 22 18:26:11 CEST 2015 Issued By: caadmin ---------------------------- Number of entries returned 1
- Export the KRA transport certificate:
$ pki ca-cert-show 0x7 --output kra.transport
- Create the CSR and store it in the
/user_or_entity_database_directory/example.csr
file:$ CRMFPopClient -d . -p password -n "cn=subject_name" -q POP_SUCCESS -b kra.transport -w "AES/CBC/PKCS5Padding" -v -o /user_or_entity_database_directory/example.csr
To create an Elliptic Curve (EC) key pair and CSR, pass the-a ec -t false
options to the command.For further details about the parameters, see the CRMFPopClient(1) man page. - Optionally, verify that the CSR is correct:
$ cat /user_or_entity_database_directory/example.csr -----BEGIN CERTIFICATE REQUEST----- MIICzzCCAbcCAQAwgYkx ... -----END CERTIFICATE REQUEST-----
5.2.1.3.2. Using CRMFPopClient
to Create a CSR for SharedSecret-based CMC
CRMFPopClient
utility to create an RSA key pair and CSR for SharedSecret-based CMC. Use it only with the CMC Shared Secret authentication method which is, by default, handled by the caFullCMCSharedTokenCert
and caECFullCMCSharedTokenCert
profiles.
- Change to the certificate database directory of the user or entity for which the certificate is being requested, for example:
$ cd /user_or_entity_database_directory/
- Retrieve the KRA transport certificate:
$ pki ca-cert-find --name "DRM Transport Certificate" --------------- 1 entries found --------------- Serial Number: 0x7 Subject DN: CN=DRM Transport Certificate,O=EXAMPLE Status: VALID Type: X.509 version 3 Key A lgorithm: PKCS #1 RSA with 2048-bit key Not Valid Before: Thu Oct 22 18:26:11 CEST 2015 Not Valid After: Wed Oct 11 18:26:11 CEST 2017 Issued On: Thu Oct 22 18:26:11 CEST 2015 Issued By: caadmin ---------------------------- Number of entries returned 1
- Export the KRA transport certificate:
$ pki ca-cert-show 0x7 --output kra.transport
- Create the CSR and store it in the
/user_or_entity_database_directory/example.csr
file:$ CRMFPopClient -d . -p password -n "cn=subject_name" -q POP_SUCCESS -b kra.transport -w "AES/CBC/PKCS5Padding" -y -v -o /user_or_entity_database_directory/example.csr
To create an EC key pair and CSR, pass the-a ec -t false
options to the command.For further details about the parameters, see the output of theCRMFPopClient --help
command. - Optionally, verify that the CSR is correct:
$ cat /user_or_entity_database_directory/example.csr -----BEGIN CERTIFICATE REQUEST----- MIICzzCCAbcCAQAwgYkx ... -----END CERTIFICATE REQUEST-----
5.2.1.4. Creating a CSR using client-cert-request
in the PKI
CLI
pki
command-line tool can also be used with the client-cert-request
command to generate a CSR. However, unlike the previously discussed tools, CSR generated with pki are submitted directly to the CA. Both PKCS#10 or CRMF requests can be generated.
pki -d user token db directory -P https -p 8443 -h host.test.com -c user token db passwd client-cert-request "uid=test2" --length 4096 --type pkcs10
pki -d user token db directory -P https -p 8443 -h host.test.com -c user token db passwd client-cert-request "uid=test2" --length 4096 --type crmf
ca-cert-request-approve
command.
pki -d agent token db directory -P https -p 8443 -h host.test.com -c agent token db passwd -n <CA agent cert nickname> ca-cert-request-approve request id
pki client-cert-request --help
command.
5.2.2. Generating CSRs Using Server-Side Key Generation
CRMFPopClient
(see CRMFPopClient --help
) or pki
(see pki client-cert-request --help
) could be used as a workaround.
Note
5.2.2.1. Functionality Highlights
- Certificate request keys are generated on the KRA (Note: a KRA must be installed to work with the CA)
- The profile default plugin,
serverKeygenUserKeyDefaultImpl
, provides selection to enable or disable key archival (i.e. the enableArchival parameter) - Support for both RSA and EC keys
- Support for both manual (agent) approval and automatic approval (e.g. directory password-based)
5.2.2.2. Enrolling a Certificate Using Server-Side Keygen
Manual User Dual-Use Certificate Enrollment Using server-side Key generation
Figure 5.1. Server-Side Keygen Enrollment that requires agent manual approval
Directory-authenticated User Dual-Use Certificate Enrollment Using server-side Key generation
Figure 5.2. Server-Side Keygen Enrollment that will be automatically approved upon successful LDAP uid/pwd authentication
Important
- In case of manual approval, the PKCS#12 file will be returned to the CA agent that approves the request; the agent is then expected to forward the PKCS#12 file to the user.
- In case of automatic approval, the PKCS#12 file will be returned to the user who submitted the request
Figure 5.3. Enrollment manually approved by an agent
pkcs12util
to import this file into their own user internal cert/key database for each application. E.g. the Firefox nss database of the user.
5.2.2.3. Key Recovery
5.2.2.4. Additional Information
5.2.2.4.1. KRA Request Records
Note
- One for the request type asymkeyGenRequestThis request type cannot be filtered using List Requests on the KRA agent page; you can select Show All Requests to see them listed.
- One for the request type recovery
5.2.2.4.2. Audit Records
- SERVER_SIDE_KEYGEN_ENROLL_KEYGEN_REQUEST
- SERVER_SIDE_KEYGEN_ENROLL_KEY_RETRIEVAL_REQUEST
- SERVER_SIDE_KEYGEN_ENROLL_KEYGEN_REQUEST_PROCESSED
- SERVER_SIDE_KEYGEN_ENROLL_KEY_RETRIEVAL_REQUEST_PROCESSED (not yet implemented)
5.3. Requesting and Receiving Certificates
5.3.1. Requesting and Receiving a Certificate through the End-Entities Page
- Certificate Request Type. This is either PKCS#10 or CRMF. Certificate requests created through the subsystem administrative console are PKCS #10; those created through the
certutil
tool and other utilities are usually PKCS #10. - Certificate Request. Paste the base-64 encoded blob, including the
-----BEGIN NEW CERTIFICATE REQUEST-----
and-----END NEW CERTIFICATE REQUEST-----
marker lines. - Requester Name. This is the common name of the person requesting the certificate.
- Requester Email. This is the email address of the requester. The agent or CA system will use this address to contact the requester when the certificate is issued. For example,
jdoe@someCompany.com
. - Requester Phone. This is the contact phone number of the requester.
Note
- Open the Certificate Manager end-entities page, for example:
http
s
://server.example.com:8443/ca/ee/ca
- Click the Retrieval tab.
- Fill in the request ID number that was created when the certificate request was submitted, and click.
- The next page shows the status of the certificate request. If the status is
complete
, then there is a link to the certificate. Click the Issued certificate link. - The new certificate information is shown in pretty-print format, in base-64 encoded format, and in PKCS #7 format.The following actions can be taken through this page:
- To install this certificate on a server or other application, scroll down to the Installing This Certificate in a Server section, which contains the base-64 encoded certificate.
- Copy the base-64 encoded certificate, including the
-----BEGIN CERTIFICATE-----
and-----END CERTIFICATE-----
marker lines, to a text file. Save the text file, and use it to store a copy of the certificate in the security module of the entity where the private key resides. See Section 15.3.2.1, “Creating Users”.
5.4. Renewing Certificates
- Same key Renewal takes the original key, profile, and request of the certificate and recreates a new certificate with a new validity period and expiration date using the identical key. This can be done by either of the following methods:
- resubmitting the original certificate request (CSR) through the original profile, or
- regenerating a CSR with the original keys by using supporting tools such as certutil
- Re-keying a certificate requires regeneration of a certificate request with the same information, so that a new key pair is generated. The CSR is then submitted through the original profile.
5.4.1. Same Keys Renewal
5.4.1.1. Reusing CSR
- Agent-approved method requires submitting the serial number of the certificate to be renewed; This method would require a CA agent’s approval.
- Directory-based renewal requires submitting the serial number of the certificate to be renewed, and the CA draws the information from its current certificate directory entry. The certificate is automatically approved if the ldap uid/pwd is authenticated successfully.
- Certificate-based renewal uses the certificate in the browser database to authenticate and have the same certificate re-issued.
5.4.1.1.1. Agent-Approved or Directory-Based Renewals
- Open the end-entities services page for the CA which issued the certificate (or its clone).
http
s
://server.example.com:8443/ca/ee/ca
- Click the name of the renewal form to use.
- Enter the serial number of the certificate to renew. This can be in decimal or hexadecimal form.
- Click the renew button.
- The request is submitted. For directory-based renewals, the renewed certificate is automatically returned. Otherwise, the renewal request will be approved by an agent.
5.4.1.1.2. Certificate-Based Renewal
Important
- Open the end-entities services page for the CA which issued the certificate (or its clone).
http
s
://server.example.com:8443/ca/ee/ca
- Click the name of the renewal form to use.
- There is no input field, so click thebutton.
- When prompted, select the certificate to renew.
- The request is submitted and the renewed certificate is automatically returned.
5.4.1.2. Renewal by generating CSR with same keys
certutil
tool allows one to regenerate a CSR with the same keys, provided that the key pair is in the NSS database. This can be achieved by doing the following:
- Find the corresponding key id in the NSS db:
Certutil -d <nssdb dir> -K
- Generate a CSR using a specific key:
Certutil -d <nssdb dir> -R -k <key id> -s <subject DN> -o <CSR output file>
- Generate a CSR using an existing nickname:
Certutil -d <nssdb dir> -R -k <nickname> -s <subject DN> -o <CSR output file>
5.4.2. Renewal by Re-keying Certificates
5.5. Submitting Certificate requests Using CMC
- The Configuration for CMC section in the Red Hat Certificate System Planning, Installation, and Deployment Guide.
- The Enrolling with CMC section in the Red Hat Certificate System Planning, Installation, and Deployment Guide.
- CMCRequest(1) man page
- CMCResponse(1) man page
5.5.1. Using CMC Enrollment
Note
CMCRevoke
command line tool. For more information about CMCRevoke
, see Section 7.2, “Performing a CMC Revocation”.
HttpClient
to post the request to the appropriate profile. The CMCRequest
tool generates a signed certificate request which can then be submitted using the HttpClient
tool or the browser end-entities forms to enroll and receive the certificate automatically and immediately.
CMCRequest
tool has a simple command syntax, with all the configuration given in the .cfg
input file:
CMCRequest /path/to/file.cfg
CMCEnroll
tool, with the following syntax:
CMCEnroll -d /agent's/certificate/directory -h password -n cert_nickname -r certrequest.file -p certDB_passwd [-c "comment"]
CMCEnroll(1)
man page.
Note
5.5.1.1. Testing CMCEnroll
- Create a certificate request using the
certutil
tool. - Copy the PKCS #10 ASCII output to a text file.
- Run the CMCEnroll utility.For example, if the input file called
request34.txt
, the agent certificate is stored in the browser databases, the certificate common name of the agent certificate isCertificateManagerAgentsCert
, and the password for the certificate database issecret
, the command is as follows:CMCEnroll -d ~jsmith/.mozilla/firefox/1234.jsmith -n "CertificateManagerAgentsCert" -r /export/requests/request34.txt -p secret
The output of this command is stored in a file with the same filename with.out
appended to the filename. - Submit the signed certificate through the end-entities page.
- Open the end-entities page.
http
s
://server.example.com:8443/ca/ee/ca
- Select the CMC enrollment form from the list of certificate profiles.
- Paste the content of the output file into the Certificate Request text area of this form.
- Remove
-----BEGIN NEW CERTIFICATE REQUEST-----
and----END NEW CERTIFICATE REQUEST-----
from the pasted content. - Fill in the contact information, and submit the form.
- The certificate is immediately processed and returned.
- Use the agent page to search for the new certificate.
5.5.2. The CMC Enrollment Process
- Create a Certificate Signing Request (CSR) in one of the following formats:
- PKCS #10 format
- Certificate Request Message Format (CRMF) format
For details about creating CSRs in these formats, see Section 5.2, “Creating Certificate Signing Requests”. - Import the admin certificate into the client NSS database. For example:
- Execute the command below to extract the admin client certificate from the
.p12
file:$
openssl pkcs12 -in /root/.dogtag/instance/ca_admin_cert.p12 -clcerts -nodes -nokeys -out /root/.dogtag/instance/ca_admin_cert.crt - Validate and import the admin client certificate according to guidance in Managing Certificate/Key Crypto Token section in the Red Hat Certificate System Planning, Installation, and Deployment Guide:
$
PKICertImport -d . -n "CA Admin - Client Certificate" -t ",," -a -i /root/.dogtag/instance/ca_admin_cert.crt -u CImportant
Make sure all intermediate certificates and the root CA certificate have been imported before importing the CA Admin client certificate. - Import the private keys associated with the certificates.
$ pki -c password pkcs12-import --pkcs12-file /root/.dogtag/instance/ca_admin_cert.p12 --pkcs12-password-file /root/.dogtag/instance/ca/pkcs12_password.conf
- Create a configuration file for a CMC request, such as
/home/user_name/cmc-request.cfg
, with the following content:# NSS database directory where CA agent certificate is stored dbdir=/home/user_name/.dogtag/nssdb/ # NSS database password password=password # Token name (default is internal) tokenname=internal # Nickname for signing certificate nickname=subsystem_admin # Request format: pkcs10 or crmf format=pkcs10 # Total number of PKCS10/CRMF requests numRequests=1 # Path to the PKCS10/CRMF request # The content must be in Base-64 encoded format. # Multiple files are supported. They must be separated by space. input=/home/user_name/file.csr # Path for the CMC request output=/home/user_name/cmc-request.bin
For further details, see the CMCRequest(1) man page. - Create the CMC request:
$ CMCRequest /home/user_name/cmc-request.cfg
If the command succeeds, theCMCRequest
utility stored the CMC request in the file specified in theoutput
parameter in the request configuration file. - Create a configuration file for
HttpClient
, such as/home/user_name/cmc-submit.cfg
, which you use in a later step to submit the CMC request to the CA. Add the following content to the created file:# PKI server host name host=server.example.com # PKI server port number port=8443 # Use secure connection secure=true # Use client authentication clientmode=true # NSS database directory where the CA agent certificate is stored. dbdir=/home/user_name/.dogtag/nssdb/ # NSS database password password=password # Token name (default: internal) tokenname=internal # Nickname of signing certificate nickname=subsystem_admin # Path for the CMC request input=/home/user_name/cmc-request.bin # Path for the CMC response output=/home/user_name/cmc-response.bin
Important
The nickname of the certificate specified in thenickname
parameter must match the one previously used for the CMC request. - Depending on what type of certificate you request, add the following parameter to the configuration file created in the previous step:
servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=profile_name
For example, for a CA signing certificate:servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caCMCcaCert
Important
When an agent submits the CMC request in the next step, the profile specified in this parameter must use theCMCAuth
authentication plug-in. Whereas in user-initiated enrollments, the profile must use theCMCUserSignedAuth
plug-in. For further details, see the Section 10.3, “CMC Authentication Plug-ins”. - Submit the CMC request to the CA:
$ HttpClient /home/user_name/cmc-submit.cfg
- To convert the CMC response to a PKCS #7 certificate chain, pass the CMC response file to the
-i
parameter of theCMCResponse
utility. For example:$ CMCResponse -i /home/user_name/cmc-response.bin -o /home/user_name/cert_chain.crt
5.5.3. Practical CMC Enrollment Scenarios
5.5.3.1. Obtaining System and Server Certificates
- Enrollment Profiles
- The agent must either use one of the existing CMC profiles listed in Section 10.3, “CMC Authentication Plug-ins”, or, alternatively, create a custom profile that uses the
CMCAuth
authentication mechanism. - CMC Signing Certificate
- For system certificates, the CA agent must generate and sign the CMC request. For this, set the
nickname
parameter in theCMCRequest
configuration file to the nickname of the CA agent.Note
The CA agent must have access to its own private key. HttpClient
TLS Client Nickname- Use the same certificate for signing in the
CMCRequest
utility's configuration file as for TLS client authentication in the configuration file forHttpClient
. HttpClient
servlet
Parameter- The
servlet
in the configuration file passed to theHttpClient
utility refers to the CMC servlet and the enrollment profile which handles the request.Depending on what type of certificate you request, add one of the following entries to the configuration file created in the previous step:- For a CA signing certificate:
servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caCMCcaCert
- For a KRA transport certificate:
servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caCMCkraTransportCert
- For a OCSP signing certificate:
servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caCMCocspCert
- For a audit signing certificate:
servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caCMCauditSigningCert
- For a subsystem certificate:
- For RSA certificates:
servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caCMCsubsystemCert
- For ECC certificates:
servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caCMCECCsubsystemCert
- For a TLS server certificate:
- For RSA certificates:
servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caCMCserverCert
- For ECC certificates:
servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caCMCECCserverCert
- For an admin certificate:
servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caFullCMCUserCert
- When an agent pre-signs a CSR, the Proof of Identification is considered established because the agent examines the CSR for identification. No additional CMC-specific identification proof is required.
- PKCS #10 files already provide Proof of Possession information and no additional Proof of Possession (POP) is required.
- In agent pre-approved requests, the
PopLinkWittnessV2
feature must be disabled because the identification is checked by the agent.
5.5.3.2. Obtaining the First Signing Certificate for a User
- An agent signs the CMC request. See Section 5.5.3.2.1, “Signing a CMC Request with an Agent Certificate”.
- Certificate enrollment is authenticated by using a Shared Secret. See Section 5.5.3.2.2, “Authenticating for Certificate Enrollment Using a Shared Secret”.
5.5.3.2.1. Signing a CMC Request with an Agent Certificate
5.5.3.3. Obtaining an Encryption-only Certificate for a User
Note
- Use the cryptographic token stored in a Network Security Services (NSS) database or on a smart card that contains the user's signing certificate and keys.
- Generate the CSR in PKCS #10 or the CRMF format.
Note
Use the CRMF format, if key archival is required. - Generate the CMC request.Since this is an encryption-only certificate, the private key is not able to sign. Therefore, Proof Of Possession (POP) is not included. For this reason, the enrollment requires two steps: If the initial request is successful, results in a CMC status with the
EncryptedPOP
control. The user then uses the response and generates a CMC request that contains theDecryptedPOP
control and submits it in the second step.- For the first step, in addition to the default parameters, the user must set the following parameters in the configuration file passed to the
CMCRequest
utility:identification.enable
witness.sharedSecret
identityProofV2.enable
identityProofV2.hashAlg
identityProofV2.macAlg
popLinkWitnessV2.enable
if required by the CApopLinkWitnessV2.keyGenAlg
if required by the CApopLinkWitnessV2.macAlg
if required by the CArequest.privKeyId
For details, see the CMCRequest(1) man page.The response contains:- A CMC encrypted POP control
- The
CMCStatusInfoV2
control with thePOP required
error - The request ID
- For the second step, in addition to the default parameters, the user must set the following parameters in the configuration file passed to the
CMCRequest
utility:decryptedPop.enable
encryptedPopResponseFile
decryptedPopRequestFile
request.privKeyId
For details, see the CMCRequest(1) man page.
5.5.3.3.1. Example on Obtaining an Encryption-only certificate with Key Archival
Note
-q POP_SUCCESS
option instead of -q POP_NONE
to the CRMFPopClient
utility for a single-trip issuance.
CRMFPoPClient
with POP_SUCCESS
, see Section 5.2.1.3.1, “Using CRMFPopClient
to Create a CSR with Key Archival” and Section 5.2.1.3.2, “Using CRMFPopClient
to Create a CSR for SharedSecret-based CMC”.
- Search for the KRA transport certificate. For example:
$ pki cert-find --name KRA_transport_certificate_subject_CN
- Use the serial number of the KRA transport certificate, which you retrieved in the previous step, to store the certificate in a file. For example, to store the certificate with the 12345 serial number in the
/home/user_name/kra.cert
file:$ pki cert-show 12345 --output /home/user_name/kra.cert
- Use the
CRMFPopClient
utility to:- Create a CSR with key archival:
- Change to the certificate database directory of the user or entity for which the certificate is being requested, for example:
$ cd /home/user_name/
- Use the
CRMFPopClient
utility to create a CRMF request, where the RSA private key is wrapped by the KRA transport certificate. For example, to store the request in the/home/user_name/crmf.req
file:$ CRMFPopClient -d . -p token_password -n subject_DN -q POP_NONE \ -b /home/user_name/kra.cert -w "AES/CBC/PKCS5Padding" \ -v -o /home/user_name/crmf.req
Note the ID of the private key displayed by the command. The ID is required in a later step as value in therequest.privKeyId
parameter in the configuration file for the second trip.
- Create a configuration file for the
CRMRequest
utility, such as/home/user_name/cmc.cfg
with the following content:#numRequests: Total number of PKCS10 requests or CRMF requests. numRequests=1 #input: full path for the PKCS10 request or CRMF request, #the content must be in Base-64 encoded format input=/home/user_name/crmf.req #output: full path for the CMC request in binary format output=/home/user_name/cmc.req #tokenname: name of token where agent signing cert can be found #(default is internal) tokenname=internal #nickname: nickname for user certificate which will be used #to sign the CMC full request. nickname=signing_certificate #dbdir: directory for cert9.db, key4.db and pkcs11.txt dbdir=/home/user_name/.dogtag/nssdb/ #password: password for cert9.db which stores the agent certificate password=password #format: request format, either pkcs10 or crmf format=crmf
- Create the CMC request:
$ CMCRequest /home/user_name/cmc.cfg
If the command succeeds, theCMCRequest
utility stored the CMC request in the file specified in theoutput
parameter in the request configuration file. - Create a configuration file for
HttpClient
, such as/home/user_name/cmc-submit.cfg
, which you use in a later step to submit the CMC request to the CA. Add the following content to the created file:#host: host name for the http server host=server.example.com #port: port number port=8443 #secure: true for secure connection, false for nonsecure connection secure=true #input: full path for the enrollment request, the content must be in #binary format input=/home/user_name/cmc.req #output: full path for the response in binary format output=/home/user_name/cmc-response_round_1.bin #tokenname: name of token where TLS client authentication cert can be found #(default is internal) #This parameter will be ignored if secure=false tokenname=internal #dbdir: directory for cert9.db, key4.db and pkcs11.txt #This parameter will be ignored if secure=false dbdir=/home/user_name/.dogtag/nssdb/ #clientmode: true for client authentication, false for no client authentication #This parameter will be ignored if secure=false clientmode=true #password: password for cert9.db #This parameter will be ignored if secure=false and clientauth=false password=password #nickname: nickname for client certificate #This parameter will be ignored if clientmode=false nickname=signing_certificate #servlet: servlet name servlet=/ca/ee/ca/profileSubmitUserSignedCMCFull?profileId=caFullCMCUserSignedCert
- Submit the CMC request to the CA:
$ HttpClient /home/user_name/cmc-submit.cfg
If the command succeeds, theHTTPClient
utility stored the CMC response in the file specified in theoutput
parameter in the configuration file. - Verify the response by passing the response file to the
CMCResponse
utility. For example:$ CMCResponse -d /home/user_name/.dogtag/nssdb/ -i /home/user_name/cmc-response_round_1.bin
If the first trip was successful,CMCResponse
displays output similar to the following:Certificates: Certificate: Data: Version: v3 Serial Number: 0x1 Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 Issuer: CN=CA Signing Certificate,OU=pki-tomcat,O=unknown00262DFC6A5E Security Domain Validity: Not Before: Wednesday, May 17, 2017 6:06:50 PM PDT America/Los_Angeles Not After: Sunday, May 17, 2037 6:06:50 PM PDT America/Los_Angeles Subject: CN=CA Signing Certificate,OU=pki-tomcat,O=unknown00262DFC6A5E Security Domain ... Number of controls is 3 Control #0: CMC encrypted POP OID: {1 3 6 1 5 5 7 7 9} encryptedPOP decoded Control #1: CMCStatusInfoV2 OID: {1 3 6 1 5 5 7 7 25} BodyList: 1 OtherInfo type: FAIL failInfo=POP required Control #2: CMC ResponseInfo requestID: 15
- For the second trip, create a configuration file for
DecryptedPOP
, such as/home/user_name/cmc_DecryptedPOP.cfg
, which you use in a later step. Add the following content to the created file:#numRequests: Total number of PKCS10 requests or CRMF requests. numRequests=1 #input: full path for the PKCS10 request or CRMF request, #the content must be in Base-64 encoded format #this field is actually unused in 2nd trip input=/home/user_name/crmf.req #output: full path for the CMC request in binary format #this field is actually unused in 2nd trip output=/home/user_name/cmc2.req #tokenname: name of token where agent signing cert can be found #(default is internal) tokenname=internal #nickname: nickname for agent certificate which will be used #to sign the CMC full request. nickname=signing_certificate #dbdir: directory for cert9.db, key4.db and pkcs11.txt dbdir=/home/user_name/.dogtag/nssdb/ #password: password for cert9.db which stores the agent #certificate password=password #format: request format, either pkcs10 or crmf format=crmf decryptedPop.enable=true encryptedPopResponseFile=/home/user_name/cmc-response_round_1.bin request.privKeyId=-25aa0a8aad395ebac7e6a19c364f0dcb5350cfef decryptedPopRequestFile=/home/user_name/cmc.DecryptedPOP.req
- Create the
DecryptPOP
CMC request:$ CMCRequest /home/user_name/cmc.DecryptedPOP.cfg
If the command succeeds, theCMCRequest
utility stored the CMC request in the file specified in thedecryptedPopRequestFile
parameter in the request configuration file. - Create a configuration file for
HttpClient
, such as/home/user_name/decrypted_POP_cmc-submit.cfg
, which you use in a later step to submit theDecryptedPOP
CMC request to the CA. Add the following content to the created file:#host: host name for the http server host=server.example.com #port: port number port=8443 #secure: true for secure connection, false for nonsecure connection secure=true #input: full path for the enrollment request, the content must be in binary format input=/home/user_name/cmc.DecryptedPOP.req #output: full path for the response in binary format output=/home/user_name/cmc-response_round_2.bin #tokenname: name of token where TLS client authentication cert can be found (default is internal) #This parameter will be ignored if secure=false tokenname=internal #dbdir: directory for cert9.db, key4.db and pkcs11.txt #This parameter will be ignored if secure=false dbdir=/home/user_name/.dogtag/nssdb/ #clientmode: true for client authentication, false for no client authentication #This parameter will be ignored if secure=false clientmode=true #password: password for cert9.db #This parameter will be ignored if secure=false and clientauth=false password=password #nickname: nickname for client certificate #This parameter will be ignored if clientmode=false nickname=singing_certificate #servlet: servlet name servlet=/ca/ee/ca/profileSubmitUserSignedCMCFull?profileId=caFullCMCUserCert
- Submit the
DecryptedPOP
CMC request to the CA:$ HttpClient /home/user_name/decrypted_POP_cmc-submit.cfg
If the command succeeds, theHTTPClient
utility stored the CMC response in the file specified in theoutput
parameter in the configuration file. - To convert the CMC response to a PKCS #7 certificate chain, pass the CMC response file to the
-i
parameter of theCMCResponse
utility. For example:$ CMCResponse -i /home/user_name/cmc-response_round_2.bin -o /home/user_name/certs.p7
Alternatively, to display the individual certificates in PEM format, pass the-v
to the utility.If the second trip was successful,CMCResponse
displays output similar to the following:Certificates: Certificate: Data: Version: v3 Serial Number: 0x2D Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 Issuer: CN=CA Signing Certificate,OU=pki-tomcat,O=unknown00262DFC6A5E Security Domain Validity: Not Before: Thursday, June 15, 2017 3:43:45 PM PDT America/Los_Angeles Not After: Tuesday, December 12, 2017 3:43:45 PM PST America/Los_Angeles Subject: CN=user_name,UID=example,OU=keyArchivalExample ... Number of controls is 1 Control #0: CMCStatusInfo OID: {1 3 6 1 5 5 7 7 1} BodyList: 1 Status: SUCCESS
5.6. Performing Bulk Issuance
PKCS10Client
command to generate the requests and the sslget
command to send the requests to the CA.
- Since this process is scripted, multiple variables need to be set to identify the CA (host, port) and the items used for authentication (the agent certificate and certificate database and password). For example, set these variables for the session by exporting them in the terminal:
export d=/var/tmp/testDir export p=password export f=/var/tmp/server.csr.txt export nick="CA agent cert" export cahost=1.2.3.4 export caport=8443
Note
The local system must have a valid security database with an agent's certificate in it. To set up the databases:- Export or download the agent user certificate and keys from the browser and save to a file, such as
agent.p12
. - If necessary, create a new directory for the security databases.
mkdir ${d}
- If necessary, create new security databases.
certutil -N -d ${d}
- Stop the Certificate System instance.
pki-server stop instance_name
- Use
pk12util
to import the certificates.# pk12util -i /tmp/agent.p12 -d ${d} -W p12filepassword
If the procedure is successful, the command prints the following output:pk12util: PKCS12 IMPORT SUCCESSFUL
- Start the Certificate System instance.
pki-server start instance_name
- Two additional variables must be set. A variable that identify the CA profile to be used to process the requests, and a variable that is used to send a post statement to supply the information for the profile form.
export post="cert_request_type=pkcs10&xmlOutput=true&profileId=caAgentServerCert&cert_request=" export url="/ca/ee/ca/profileSubmitSSLClient"
Note
This example submits the certificate requests to thecaAgentServerCert
profile (identified in theprofileId
element of thepost
statement. Any certificate profile can be used, including custom profiles. - Test the variable configuration.
echo ${d} ${p} ${f} ${nick} ${cahost} ${caport} ${post} ${url}
- Generate the certificate requests using (for this example)
PKCS10Client
:time for i in {1..10}; do /usr/bin/PKCS10Client -d ${d} -p ${p} -o ${f}.${i} -s "cn=testms${i}.example.com"; cat ${f}.${i} >> ${f}; done perl -pi -e 's/\r\n//;s/\+/%2B/g;s/\//%2F/g' ${f} wc -l ${f}
- Submit the bulk certificate request file created in step 4 to the CA profile interface using
sslget
. For example:cat ${f} | while read thisreq; do /usr/bin/sslget -n "${nick}" -p ${p} -d ${d} -e ${post}${thisreq} -v -r ${url} ${cahost}:${caport}; done
5.7. Enrolling a Certificate on a Cisco Router
5.7.1. Enabling SCEP Enrollments
- Stop the CA server, so that you can edit the configuration files.
pki-server stop instance_name
- Open the CA's
CS.cfg
file.vim
/var/lib/pki/instance_name/ca/conf/CS.cfg
- Set the
ca.scep.enable
to true. If the parameter is not present, then add a line with the parameter.ca.scep.enable=true
- Restart the CA server.
pki-server start instance_name
5.7.2. Configuring Security Settings for SCEP
Parameter | Description |
---|---|
ca.scep.encryptionAlgorithm | Sets the default or preferred encryption algorithm. |
ca.scep.allowedEncryptionAlgorithms | Sets a comma-separated list of allowed encryption algorithms. |
ca.scep.hashAlgorithm | Sets the default or preferred hash algorithm. |
ca.scep.allowedHashAlgorithms | Sets a comma-separated list of allowed hash algorithms. |
ca.scep.nickname | Gives the nickname of the certificate to use for SCEP communication. The default is to use the CA's key pair and certificate unless this parameter is set. |
ca.scep.nonceSizeLimit | Sets the maximum nonce size, in bytes, allowed for SCEP requests. The default is 16 bytes. |
- Stop the CA server, so that you can edit the configuration files.
pki-server stop instance_name
- Open the CA's
CS.cfg
file.vim
/var/lib/pki/instance_name/ca/conf/CS.cfg
- Set the desired security parameters, as listed in Table 5.1, “Configuration Parameters for SCEP Security”. If the parameter is not already present, then add it to the
CS.cfg
file.ca.scep.encryptionAlgorithm=DES3 ca.scep.allowedEncryptionAlgorithms=DES3 ca.scep.hashAlgorithm=SHA1 ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512 ca.scep.nickname=Server-Cert ca.scep.nonceSizeLimit=20
- Restart the CA server.
pki-server start instance_name
5.7.3. Configuring a Router for SCEP Enrollment
Note
- The router must be configured with an IP address, DNS server, and routing information.
- The router's date/time must be correct.
- The router's hostname and dnsname must be configured.
5.7.4. Generating the SCEP Certificate for a Router
- Pick a random PIN.
- Add the PIN and the router's ID to the
flatfile.txt
file so that the router can authenticate directly against the CA. For example:vim /var/lib/pki/instance_name/ca/conf/flatfile.txt UID:172.16.24.238 PWD:Uojs93wkfd0IS
Be sure to insert an empty line after thePWD
line.The router's IP address can be an IPv4 address or an IPv6 address.Using flat file authentication is described in Section 10.2.4, “Configuring Flat File Authentication”. - Log into the router's console. For this example, the router's name is
scep
:scep>
- Enable privileged commands.
scep> enable
- Enter configuration mode.
scep# conf t
- Import the CA certificate for every CA in the certificate chain, starting with the root. For example, the following command sequence imports two CA certificates in the chain into the router:
scep(config)# crypto ca trusted-root1 scep(ca-root)# root CEP http://server.example.com:8080/ca/cgi-bin/pkiclient.exe scep(ca-root)# crl optional scep(ca-root)# exit scep(config)# cry ca authenticate 1 scep(config)# crypto ca trusted-root0 scep(ca-root)# root CEP http://server.example.com:8080/ca/cgi-bin/pkiclient.exe scep(ca-root)# crl optional scep(ca-root)# exit scep(config)# cry ca authenticate 0
- Set up a CA identity, and enter the URL to access the SCEP enrollment profile. For example, for the CA:
scep(config)# crypto ca identity CA scep(ca-identity)# enrollment url http://server.example.com:8080/ca/cgi-bin scep(ca-identity)# crl optional
- Get the CA's certificate.
scep(config)# crypto ca authenticate CA Certificate has the following attributes: Fingerprint: 145E3825 31998BA7 F001EA9A B4001F57 % Do you accept this certificate? [yes/no]: yes
- Generate RSA key pair.
scep(config)# crypto key generate rsa The name for the keys will be: scep.server.example.com Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: Generating RSA keys ... [OK]
- Lastly, generate the certificate on the router.
scep(config)# crypto ca enroll CA % % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password: secret Re-enter password: secret % The subject name in the certificate will be: scep.server.example.com % Include the router serial number in the subject name? [yes/no]: yes % The serial number in the certificate will be: 57DE391C % Include an IP address in the subject name? [yes/no]: yes % Interface: Ethernet0/0 % Request certificate from CA? [yes/no]: yes % Certificate request sent to Certificate Authority % The certificate request fingerprint will be displayed. % The 'show crypto ca certificate' command will also show the fingerprint. % Fingerprint:D89DB555 E64CC2F7 123725B4 3DBDF263 Jan 12 13:41:17.348: %CRYPTO-6-CERTRET: Certificate received from Certificate
- Close configuration mode.
scep(config)# exit
- To make sure that the router was properly enrolled, list all of the certificates stored on the router.
scep# show crypto ca certificates Certificate Status: Available Certificate Serial Number: 0C Key Usage: General Purpose Issuer: CN = Certificate Authority O = Sfbay Red hat Domain 20070111d12 Subject Name Contains: Name: scep.server.example.com IP Address: 10.14.1.94 Serial Number: 57DE391C Validity Date: start date: 21:42:40 UTC Jan 12 2007 end date: 21:49:50 UTC Dec 31 2008 Associated Identity: CA CA Certificate Status: Available Certificate Serial Number: 01 Key Usage: Signature Issuer: CN = Certificate Authority O = Sfbay Red hat Domain 20070111d12 Subject: CN = Certificate Authority O = Sfbay Red hat Domain 20070111d12 Validity Date: start date: 21:49:50 UTC Jan 11 2007 end date: 21:49:50 UTC Dec 31 2008 Associated Identity: CA
5.7.5. Working with Subordinate CAs
scep(config)# crypto ca trusted-root1 scep(ca-root)# root CEP http://server.example.com:8080/ca/cgi-bin/pkiclient.exe scep(ca-root)# crl optional scep(ca-root)# exit scep(config)# cry ca authenticate 1 scep(config)# crypto ca trusted-root0 scep(ca-root)# root CEP http://server.example.com:8080/ca/cgi-bin/pkiclient.exe scep(ca-root)# crl optional scep(ca-root)# exit scep(config)# cry ca authenticate 0
optional
:
scep(ca-root)# crl optional
5.7.6. Re-enrolling a Router
- Remove (zeroize) the existing keys.
scep(config)# crypto key zeroize rsa % Keys to be removed are named scep.server.example.com. Do you really want to remove these keys? [yes/no]: yes
- Remove the CA identity.
scep(config)# no crypto ca identity CA % Removing an identity will destroy all certificates received from the related Certificate Authority. Are you sure you want to do this? [yes/no]: yes % Be sure to ask the CA administrator to revoke your certificates. No enrollment sessions are currently active.
5.7.7. Enabling Debugging
scep# debug crypto pki callbacks
Crypto PKI callbacks debugging is onscep# debug crypto pki messages
Crypto PKI Msg debugging is onscep# debug crypto pki transactions
Crypto PKI Trans debugging is onscep#debug crypto verbose
verbose debug output debugging is on
5.7.8. Issuing ECC Certificates with SCEP
- encryption/decryption cert - designate an RSA cert having encryption/decryption capability; (scepRSAcert in the following example)
- signature cert - get an RSA cert to use on the client side for signing purpose instead of self-signed; (signingCert cert in the following example)
sscep enroll -c ca.crt -e scepRSAcert.crt -k local.key -r local.csr -K sign.key -O sign.crt -E 3des -S sha256 -l cert.crt -u 'http://example.example.com:8080/ca/cgi-bin/pkiclient.exe'
5.8. Using Certificate Transparency
Important
5.8.1. Testing Certificate Transparency
openssl
. The test configuration in the CS.cfg
file is as follows:
ca.certTransparency.mode=enabled ca.certTransparency.log.1.enable=true ca.certTransparency.log.1.pubKey=MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEw8i8S7qiGEs9NXv0ZJFh6uuOm<snip> ca.certTransparency.log.1.url=http://ct.googleapis.com:80/testtube/ ca.certTransparency.log.1.version=1 ca.certTransparency.log.2.enable=true ca.certTransparency.log.2.pubKey=MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKATl2B3SAbxyzGOfNRB+AytNTG<snip> ca.certTransparency.log.2.url=http://ct.googleapis.com:80/logs/crucible/ ca.certTransparency.log.2.version=1 ca.certTransparency.log.3.enable=false ca.certTransparency.log.3.pubKey=MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiKfWtuoWCPMEzSKySjMjXpo38W<snip> ca.certTransparency.log.3.url=http://ct.googleapis.com:80/logs/solera2020/ ca.certTransparency.log.3.version=1 ca.certTransparency.log.num=3
- First, generate a CSR, e.g:
# PKCS10Client -d . -p passwd -l 2048 -n "cn=user.test.domain.com,OU=user-TEST,O=TestDomain" -o pkcs10-TLS.req
- Next, submit the CSR to an enrollment profile depending on the CT mode defined by the
ca.certTransparency.mode
parameter inCS.cfg
:- if the parameter is set to enabled, use any enrollment profile
- if the parameter is set to perProfile, use one of the CT profiles: e.g. caServerCertWithSCT
- Copy the issued b64 cert into a file, e.g.
.ct1.pem
. - Convert the pem to binary:
# AtoB ct1.pem ct1.bin
- Display the DER certificate content:
# openssl x509 -noout -text -inform der -in ct1.bin
- Observe that the SCT extension is present, e.g:
CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : B0:CC:83:E5:A5:F9:7D:6B:AF:7C:09:CC:28:49:04:87: 2A:C7:E8:8B:13:2C:63:50:B7:C6:FD:26:E1:6C:6C:77 Timestamp : Jun 11 23:07:14.146 2020 GMT Extensions: none Signature : ecdsa-with-SHA256 30:44:02:20:6E:E7:DC:D6:6B:A6:43:E3:BB:8E:1D:28: 63:C6:6B:03:43:4E:7A:90:0F:D6:2B:E8:ED:55:1D:5F: 86:0C:5A:CE:02:20:53:EB:75:FA:75:54:9C:9F:D3:7A: D4:E7:C6:6C:9B:33:2A:75:D8:AB:DE:7D:B9:FA:2B:19: 56:22:BB:EF:19:AD Signed Certificate Timestamp: Version : v1 (0x0) Log ID : C3:BF:03:A7:E1:CA:88:41:C6:07:BA:E3:FF:42:70:FC: A5:EC:45:B1:86:EB:BE:4E:2C:F3:FC:77:86:30:F5:F6 Timestamp : Jun 11 23:07:14.516 2020 GMT Extensions: none Signature : ecdsa-with-SHA256 30:44:02:20:4A:C9:4D:EF:64:02:A7:69:FF:34:4E:41: F4:87:E1:6D:67:B9:07:14:E6:01:47:C2:0A:72:88:7A: A9:C3:9C:90:02:20:31:26:15:75:60:1E:E2:C0:A3:C2: ED:CF:22:A0:3B:A4:10:86:D1:C1:A3:7F:68:CC:1A:DD: 6A:5E:10:B2:F1:8F
Alternatively, verify the SCT by running an asn1 dump:# openssl asn1parse -i -inform der -in ct1.bin
and observe the hex dump, e.g:740:d=4 hl=4 l= 258 cons: SEQUENCE 744:d=5 hl=2 l= 10 prim: OBJECT :CT Precertificate SCTs 756:d=5 hl=3 l= 243 prim: OCTET STRING [HEX DUMP]:0481F000EE007500B0CC83E5A5F97D6B<snip>
Chapter 6. Using and Configuring the Token Management System: TPS and TKS
6.1. TPS Profiles
Note
CS.cfg
.
op.<explicit op>.<profile id>.<implicit op>.<key type>.*
op.enroll.userKey.keyGen.encryption.*
6.2. TPS Operations
An explicit operation is an operation called by a user. Explicit operations include enroll
(op.enroll.*
), format
(op.format.*
), and pinReset
(op.pinReset.*
).
An implicit operation is an operation that takes place due to the policy or status of a token at a time when an explicit operation is being processed. Implicit operations include keyGen
(op.enroll.userKey.keyGen.*
), renewal
(op.enroll.userKey.renewal.*
), update.applet
(op.enroll.userKey.update.applet.*
), and key update (op.enroll.userKey.update.symmetricKeys.*
).
recovery
, serverKeygen
, and revocation
.
op.enroll.userKey.keyGen.encryption.serverKeygen.archive=true op.enroll.userKey.keyGen.encryption.serverKeygen.drm.conn=kra1 op.enroll.userKey.keyGen.encryption.serverKeygen.enable=true
1
during the state transition:
op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert=true op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert.reason=1
Reason | Code |
---|---|
unspecified | 0 |
keyCompromise | 1 |
CACompromise | 2 |
affiliationChanged | 3 |
superseded | 4 |
cessationOfOperation | 5 |
certificateHold | 6 |
removeFromCRL | 8 |
privilegeWithdrawn | 9 |
AACompromise | 10 |
6.3. Token Policies
Note
;
""). Each policy can be turned on or off with the keywords YES
or NO
. Each policy in the list below will be introduced with its default value - the action taken by TPS if the setting did not exist at all in the policy string.
- RE_ENROLL=YES
- This policy controls whether or not a token allows a reenroll operation. This allows an already enrolled token (with certificates) to be reenrolled and given new ones. If set to
NO
, the server will return an error if a reenrollment is attempted.This policy does not require special configuration. The enrollment will proceed with the standard enrollment profile, which likely enrolled the token originally. - RENEW=NO;RENEW_KEEP_OLD_ENC_CERTS=YES
- Renewal allows a token to have their profile generated certificates to be renewed in place on the token. If
RENEW
is set toYES
, a simple enrollment from the Enterprise Security Client (ESC) will result in a renewal instead of a reenrollment as discussed above.TheRENEW_KEEP_OLD_ENC_CERTS
setting determines if a renewal operation will retain the previous version of the encryption certificate. Retaining the previous certificate allows users to access data encrypted with the old certificate. Setting this option toNO
will mean that anything encrypted with the old certificate will no longer be recoverable.Configuration:op.enroll.userKey.renewal.encryption.ca.conn=ca1 op.enroll.userKey.renewal.encryption.ca.profileId=caTokenUserEncryptionKeyRenewal op.enroll.userKey.renewal.encryption.certAttrId=c2 op.enroll.userKey.renewal.encryption.certId=C2 op.enroll.userKey.renewal.encryption.enable=true op.enroll.userKey.renewal.encryption.gracePeriod.after=30 op.enroll.userKey.renewal.encryption.gracePeriod.before=30 op.enroll.userKey.renewal.encryption.gracePeriod.enable=false op.enroll.userKey.renewal.keyType.num=2 op.enroll.userKey.renewal.keyType.value.0=signing op.enroll.userKey.renewal.keyType.value.1=encryption op.enroll.userKey.renewal.signing.ca.conn=ca1 op.enroll.userKey.renewal.signing.ca.profileId=caTokenUserSigningKeyRenewal op.enroll.userKey.renewal.signing.certAttrId=c1 op.enroll.userKey.renewal.signing.certId=C1 op.enroll.userKey.renewal.signing.enable=true op.enroll.userKey.renewal.signing.gracePeriod.after=30 op.enroll.userKey.renewal.signing.gracePeriod.before=30 op.enroll.userKey.renewal.signing.gracePeriod.enable=false
This type of renewal configuration mirrors the basicuserKey
standard enrollment profile with a few added settings that are renewal specific. This parity is needed because we went to renew exactly the number and type of certs that were enrolled originally on to the token before renewal is to be put into play. - FORCE_FORMAT=NO
- This policy causes every enrollment operation to prompt a format operation if enabled. This is a last-step option to allow tokens to be reset without a user having to return it to an administrator. If set to
YES
, every enrollment operation initiated by the user will cause a format to happen, esentially resetting the token to the formatted state.No additional configuration is necessary. A simple format occurs given the same TPS profile used to perform a standard format operation. - PIN_RESET=NO
- This policy determines if an already enrolled token can perform an explicit “pin reset” change using the ESC. This value must be set to
YES
or the attempted operation will be rejected with an error by the server.Configuration:op.enroll.userKey.pinReset.enable=true op.enroll.userKey.pinReset.pin.maxLen=10 op.enroll.userKey.pinReset.pin.maxRetries=127 op.enroll.userKey.pinReset.pin.minLen=4
In the above example, the settings forminLen
andmaxLen
put constraints on the length of a chosen password, and themaxRetries
setting sets the token to only allow a given number of retries before locking up.
<POLICYNAME>=YES
or <POLICYNAME>=NO
in order to be recognized by TPS.
6.4. Token Operation and Policy Processing
Note
- Format
- The Format operation (user-initiated) takes a token in a completely blank state as supplied by the manufacturer, and loads a Coolkey applet on it.Configuration example:
#specify that we want authentication for format. We almost always want this at true: op.format.userKey.auth.enable=true #specify the ldap authentication configuration, so TPS knows where to validate credentials: op.format.userKey.auth.id=ldap1 #specify the connection the the CA op.format.userKey.ca.conn=ca1 #specify id of the card manager applet on given token op.format.userKey.cardmgr_instance=A0000000030000 #specify if we need to match the visa cuid to the nist sp800sp derivation algorithm KDD value. Mostly will be false: op.format.userKey.cuidMustMatchKDD=false #enable ability to restrict key changoever to a specific range of key set: op.format.userKey.enableBoundedGPKeyVersion=true #enable the phone home url to write to the token: op.format.userKey.issuerinfo.enable=true #actual home url to write to token: op.format.userKey.issuerinfo.value=http://server.example.com:8080/tps/phoneHome #specify whether to request a login from the client. Mostly true, external reg may want this to be false: op.format.userKey.loginRequest.enable=true #Actual range of desired keyset numbers: op.format.userKey.maximumGPKeyVersion=FF op.format.userKey.minimumGPKeyVersion=01 #Whether or not to revoke certs on the token after a format, and what the reason will be if so: op.format.userKey.revokeCert=true op.format.userKey.revokeCert.reason=0 #This will roll back the reflected keyyset version of the token in the tokendb. After a failed key changeover operation. This is to keep the value in sync with reality in the tokendb. Always false, since this version of TPS avoids this situation now: op.format.userKey.rollbackKeyVersionOnPutKeyFailure=false #specify connection to the TKS: op.format.userKey.tks.conn=tks1 #where to get the actual applet file to write to the token: op.format.userKey.update.applet.directory=/usr/share/pki/tps/applets #Allows a completely blank token to be recognized by TPS. Mostly should be true: op.format.userKey.update.applet.emptyToken.enable=true #Always should be true, not supported: op.format.userKey.update.applet.encryption=true #Actual version of the applet file we want to upgrade to. This file will have a name something like: 1.4.54de7a99.ijc: op.format.userKey.update.applet.requiredVersion=1.4.54de790f #Symm key changeover: op.format.userKey.update.symmetricKeys.enable=false op.format.userKey.update.symmetricKeys.requiredVersion=1 #Make sure the token db is in sync with reality. Should always be true: op.format.userKey.validateCardKeyInfoAgainstTokenDB=true
- Enrollment
- The basic enrollment operation takes a formatted token and places certs and keys onto the token in an effort to personalize the token. The following configuration example will explain how this can be controlled.The example shows basic enrollment which does not deal with renewal and internal recovery. Settings not discussed here are either covered in the Format section, or not crucial.
op.enroll.userKey.auth.enable=true op.enroll.userKey.auth.id=ldap1 op.enroll.userKey.cardmgr_instance=A0000000030000 op.enroll.userKey.cuidMustMatchKDD=false op.enroll.userKey.enableBoundedGPKeyVersion=true op.enroll.userKey.issuerinfo.enable=true op.enroll.userKey.issuerinfo.value=http://server.example.com:8080/tps/phoneHome #configure the encryption cert and keys we want on the token: #connection the the CA, which issues the certs: op.enroll.userKey.keyGen.encryption.ca.conn=ca1 #Profile id we want the CA to use to issue our encrytion cert: op.enroll.userKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollment #These two cover the indexes of the certs written to the token. Each cert needs a unique index or “slot”. In our sample the enc cert will occupy slot 2 and the signing cert, shown later, will occupy slot 1. Avoid overlap with these numbers: op.enroll.userKey.keyGen.encryption.certAttrId=c2 op.enroll.userKey.keyGen.encryption.certId=C2 op.enroll.userKey.keyGen.encryption.cuid_label=$cuid$ #specify size of generated private key: op.enroll.userKey.keyGen.encryption.keySize=1024 op.enroll.userKey.keyGen.encryption.keyUsage=0 op.enroll.userKey.keyGen.encryption.keyUser=0 #specify pattern for what the label of the cert will look like when the cert nickname is displayed in browsers and mail clients: op.enroll.userKey.keyGen.encryption.label=encryption key for $userid$ #specify if we want to overwrite certs on a re-enrollment operation. This is almost always the case: op.enroll.userKey.keyGen.encryption.overwrite=true #The next several settings specify the capabilities that the private key on the final token will inherit. For instance this will determine if the cert can be used for encryption or digital signatures. There are settings for both the private and public key. op.enroll.userKey.keyGen.encryption.private.keyCapabilities.decrypt=true op.enroll.userKey.keyGen.encryption.private.keyCapabilities.derive=false op.enroll.userKey.keyGen.encryption.private.keyCapabilities.encrypt=false op.enroll.userKey.keyGen.encryption.private.keyCapabilities.private=true op.enroll.userKey.keyGen.encryption.private.keyCapabilities.sensitive=true op.enroll.userKey.keyGen.encryption.private.keyCapabilities.sign=false op.enroll.userKey.keyGen.encryption.private.keyCapabilities.signRecover=false op.enroll.userKey.keyGen.encryption.private.keyCapabilities.token=true op.enroll.userKey.keyGen.encryption.private.keyCapabilities.unwrap=true op.enroll.userKey.keyGen.encryption.private.keyCapabilities.verify=false op.enroll.userKey.keyGen.encryption.private.keyCapabilities.verifyRecover=false op.enroll.userKey.keyGen.encryption.private.keyCapabilities.wrap=false op.enroll.userKey.keyGen.encryption.privateKeyAttrId=k4 op.enroll.userKey.keyGen.encryption.privateKeyNumber=4 op.enroll.userKey.keyGen.encryption.public.keyCapabilities.decrypt=false op.enroll.userKey.keyGen.encryption.public.keyCapabilities.derive=false op.enroll.userKey.keyGen.encryption.public.keyCapabilities.encrypt=true op.enroll.userKey.keyGen.encryption.public.keyCapabilities.private=false op.enroll.userKey.keyGen.encryption.public.keyCapabilities.sensitive=false op.enroll.userKey.keyGen.encryption.public.keyCapabilities.sign=false op.enroll.userKey.keyGen.encryption.public.keyCapabilities.signRecover=false op.enroll.userKey.keyGen.encryption.public.keyCapabilities.token=true op.enroll.userKey.keyGen.encryption.public.keyCapabilities.unwrap=false op.enroll.userKey.keyGen.encryption.public.keyCapabilities.verify=false op.enroll.userKey.keyGen.encryption.public.keyCapabilities.verifyRecover=false op.enroll.userKey.keyGen.encryption.public.keyCapabilities.wrap=true #The following index numbers correspond to the index or slot that the private and public keys occupy. The common formula we use is that the public key index will be 2 * cert id + 1, and the private key index, shown above will be 2 * cert id. In this example the cert id is 2, so the key ids will be 4 and 5 respectively. When composing these, be careful not to create conflicts. This applies to the signing key section below. op.enroll.userKey.keyGen.encryption.publicKeyAttrId=k5 op.enroll.userKey.keyGen.encryption.publicKeyNumber=5 #specify if, when a certificate is slated for revocation, based on other rules, we want to check to see if some other token is using this cert in a shared situation. If this is set to true, and this situation is found the cert will not be revoked until the last token wants to revoke this cert: op.enroll.userKey.keyGen.encryption.recovery.destroyed.holdRevocationUntilLastCredential=false #specify, if we want server side keygen, if we want to have that generated key archived to the drm. This is almost always the case, since we want the ability to later recover a cert and its encryption private key back to a new token: op.enroll.userKey.keyGen.encryption.serverKeygen.archive=true #connection to drm to generate the key for us: op.enroll.userKey.keyGen.encryption.serverKeygen.drm.conn=kra1 #specify server side keygen of the encryption private key. This most often will be desired: op.enroll.userKey.keyGen.encryption.serverKeygen.enable=true #This setting tells us how many certs we want to enroll for this TPS profile, in the case “userKey”. Here we want 2 total certs. The next values then go on to index into the config what two types of certs we want, signing and encryption: op.enroll.userKey.keyGen.keyType.num=2 op.enroll.userKey.keyGen.keyType.value.0=signing op.enroll.userKey.keyGen.keyType.value.1=encryption #configure the signing cert and keys we want on the token the settings for these are similar to the encryption settings already discussed, except the capability flags presented below, since this is a signing key. op.enroll.userKey.keyGen.signing.ca.conn=ca1 op.enroll.userKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment op.enroll.userKey.keyGen.signing.certAttrId=c1 op.enroll.userKey.keyGen.signing.certId=C1 op.enroll.userKey.keyGen.signing.cuid_label=$cuid$ op.enroll.userKey.keyGen.signing.keySize=1024 op.enroll.userKey.keyGen.signing.keyUsage=0 op.enroll.userKey.keyGen.signing.keyUser=0 op.enroll.userKey.keyGen.signing.label=signing key for $userid$ op.enroll.userKey.keyGen.signing.overwrite=true op.enroll.userKey.keyGen.signing.private.keyCapabilities.decrypt=false op.enroll.userKey.keyGen.signing.private.keyCapabilities.derive=false op.enroll.userKey.keyGen.signing.private.keyCapabilities.encrypt=false op.enroll.userKey.keyGen.signing.private.keyCapabilities.private=true op.enroll.userKey.keyGen.signing.private.keyCapabilities.sensitive=true op.enroll.userKey.keyGen.signing.private.keyCapabilities.sign=true op.enroll.userKey.keyGen.signing.private.keyCapabilities.signRecover=true op.enroll.userKey.keyGen.signing.private.keyCapabilities.token=true op.enroll.userKey.keyGen.signing.private.keyCapabilities.unwrap=false op.enroll.userKey.keyGen.signing.private.keyCapabilities.verify=false op.enroll.userKey.keyGen.signing.private.keyCapabilities.verifyRecover=false op.enroll.userKey.keyGen.signing.private.keyCapabilities.wrap=false op.enroll.userKey.keyGen.signing.privateKeyAttrId=k2 op.enroll.userKey.keyGen.signing.privateKeyNumber=2 op.enroll.userKey.keyGen.signing.public.keyCapabilities.decrypt=false op.enroll.userKey.keyGen.signing.public.keyCapabilities.derive=false op.enroll.userKey.keyGen.signing.public.keyCapabilities.encrypt=false op.enroll.userKey.keyGen.signing.public.keyCapabilities.private=false op.enroll.userKey.keyGen.signing.public.keyCapabilities.sensitive=false op.enroll.userKey.keyGen.signing.public.keyCapabilities.sign=false op.enroll.userKey.keyGen.signing.public.keyCapabilities.signRecover=false op.enroll.userKey.keyGen.signing.public.keyCapabilities.token=true op.enroll.userKey.keyGen.signing.public.keyCapabilities.unwrap=false op.enroll.userKey.keyGen.signing.public.keyCapabilities.verify=true op.enroll.userKey.keyGen.signing.public.keyCapabilities.verifyRecover=true op.enroll.userKey.keyGen.signing.public.keyCapabilities.wrap=false op.enroll.userKey.keyGen.signing.publicKeyAttrId=k3 op.enroll.userKey.keyGen.signing.publicKeyNumber=3
- Pin Reset
- The configuration for pin reset is discussed in Section 6.3, “Token Policies”, because pin reset relies on a policy to determine if it is to be legally performed or not.
- Renewal
- The configuration for renewal is discussed in Section 6.3, “Token Policies”, since renewal relies on a policy to determine if it is legal to perform or not upon an already enrolled token.
- Recovery
- Recovery is implicitly set into motion when the user of the TPS user interface marks a previously active token into an unfavorable state such as “lost” or “destroyed”. Once this happens, the next enrollment of a new token by the same user will adhere to the following configuration to recover the certificates from the user’s old token, to this new token.The end result of this operation is that the user will have a new physical token that may contain the encryption certificates recovered from the old token, so that the user can continue to encrypt and decrypt data as needed. A new signing certificate is also usually placed on this token as shown in the sample config examples below.The following is a list of supported states into which a token can be placed manually in the TPS user interface, as seen in the configuration:
tokendb._069=#
-DAMAGED (1)
: Corresponds todestroyed
in the recovery configuration. Used when a token has been physically damaged.tokendb._070=#
-PERM_LOST (2)
: Corresponds tokeyCompromise
in the recovery configuration. Used when a token has been lost permanently.tokendb._071=#
-SUSPENDED (3)
: Corresponds toonHold
in the recovery configuration. Used when a token has been temporarily misplaced, but the user expects to find it again.tokendb._072=#
-TERMINATED (6)
: Corresponds toterminated
in the recovery configuration. Used to take a token out of service forever for internal reasons.
Example recovery configuration:#When a token is marked destroyed, don’t revoke the certs on the token unless all other tokens do not have the certs included: op.enroll.userKey.keyGen.encryption.recovery.destroyed.holdRevocationUntilLastCredential=false #specify if we even want to revoke certs a token is marked destroyed: op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert=false #if we want to revoke any certs here, specify the reason for revocation that will be sent to the CA: op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0 #speficy if we want to revoke expired certs when marking the token destroyed: op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeExpiredCerts=false
Additional settings are used to specify what kind of supported static recovery should be used when performing a recovery operation to a new token (when the original token has been marked destroyed). The following schemes are supported:- Recover Last (
RecoverLast
): Recover the latest encryption certificate to be placed on the token. - Generate New Key and Recover Last (
GenerateNewKeyAndRecoverLast
): Same as Recover Last, but also generate a new encryption certificate and upload it to the token as well. The new token will then have two certificates. - Generate New Key (
GenerateNewKey
): Generate a new encryption certificate and place it on the token. Do not recover any old certificates.
For example:op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast
The following configuration example determines how to recover tokens marked as permanently lost:op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.holdRevocationUntilLastCredential=false op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert=true op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert.reason=1 op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeExpiredCerts=false op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.scheme=GenerateNewKey # Section when a token is marked terminated. op.enroll.userKey.keyGen.encryption.recovery.terminated.holdRevocationUntilLastCredential=false op.enroll.userKey.keyGen.encryption.recovery.terminated.revokeCert=true op.enroll.userKey.keyGen.encryption.recovery.terminated.revokeCert.reason=1 op.enroll.userKey.keyGen.encryption.recovery.terminated.revokeExpiredCerts=false op.enroll.userKey.keyGen.encryption.recovery.terminated.scheme=GenerateNewKey # This section details the recovery profile with respect to which certs and of what kind get recovered on the token. op.enroll.userKey.keyGen.recovery.destroyed.keyType.num=2 op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.0=signing op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.1=encryption
Finally, the following example determines what the system will do about the signing certificate that was on the old token. In most cases, theGenerateNewKey
recovery scheme should be used in order to avoid potentially having multiple copies of a signing private key available (for example, one that is recovered on a new token, and one on an old token that was permanently lost but found by somebody else).op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.value.0=signing op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.value.1=encryption op.enroll.userKey.keyGen.recovery.onHold.keyType.num=2 op.enroll.userKey.keyGen.recovery.onHold.keyType.value.0=signing op.enroll.userKey.keyGen.recovery.onHold.keyType.value.1=encryption op.enroll.userKey.keyGen.signing.recovery.destroyed.holdRevocationUntilLastCredential=false op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert=true op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert.reason=0 op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeExpiredCerts=false op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey op.enroll.userKey.keyGen.signing.recovery.keyCompromise.holdRevocationUntilLastCredential=false op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeCert=true op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeCert.reason=1 op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeExpiredCerts=false op.enroll.userKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey op.enroll.userKey.keyGen.signing.recovery.onHold.holdRevocationUntilLastCredential=false op.enroll.userKey.keyGen.signing.recovery.onHold.revokeCert=true op.enroll.userKey.keyGen.signing.recovery.onHold.revokeCert.reason=6 op.enroll.userKey.keyGen.signing.recovery.onHold.revokeExpiredCerts=false op.enroll.userKey.keyGen.signing.recovery.onHold.scheme=GenerateNewKey op.enroll.userKey.keyGen.signing.recovery.terminated.holdRevocationUntilLastCredential=false op.enroll.userKey.keyGen.signing.recovery.terminated.revokeCert=true op.enroll.userKey.keyGen.signing.recovery.terminated.revokeCert.reason=1 op.enroll.userKey.keyGen.signing.recovery.terminated.revokeExpiredCerts=false op.enroll.userKey.keyGen.signing.recovery.terminated.scheme=GenerateNewKey # Configuration for the case when we mark a token “onHold” or temporarily lost op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert=true op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert.reason=0 op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.scheme=RecoverLast op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.num=2 op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.value.0=signing op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.value.1=encryption op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.revokeCert=true op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.revokeCert.reason=0 op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
- Applet Update
- The following example shows how to configure a Coolkey applet update operation. This operation can be performed during format, enrollment, and PIN reset operations:
op.format.userKey.update.applet.directory=/usr/share/pki/tps/applets op.format.userKey.update.applet.emptyToken.enable=true op.format.userKey.update.applet.encryption=true op.format.userKey.update.applet.requiredVersion=1.4.54de790f
Some of these options have already been demonstrated in the Format section. They provide information needed to determine if applet upgrade should be allowed, where to find the applet files, and the applet version to upgrade the token to. The version in therequiredVersion
maps to a file name inside thedirectory
. - Key Update
- This operation, which can take place during format, enrollment, and PIN reset operations, allows the user to have their Global Platform key set version upgraded from the default supplied by the manufacturer.
- TPS
- The following options will instruct the TPS to upgrade the keyset from 1 to 2 during the next format operation requested on behalf of a given token. After this is done, the TKS must derive the three new keys that will be written to the token, Afterwards, the token must be used with the same TPS and TKS installation, otherwise it will become locked.
op.format.userKey.update.symmetricKeys.enable=true op.format.userKey.update.symmetricKeys.requiredVersion=2
You can also specify a version lower than current to downgrade the keyset instead. - TKS
- As mentioned above, the TKS must be configured to generate the new keys to write to the token. First, the new master key identifier,
02
, must be mapped to its PKCS #11 object nickname in the TKSCS.cfg
, as shown in the following example:tks.mk_mappings.#02#01=internal:new_master tks.defKeySet.mk_mappings.#02#01=internal:new_master
The above will map a key set number to an actual master key which exists in the TKS NSS database.Master keys are identified by IDs such as01
. The TKS maps these IDs to PKCS #11 object nicknames specified in themasterKeyId
part of the mapping. Therefore, the first number is updated as the master key version is updated, and the second number stays consistent.When attempting to upgrade from version 1 to version 2, the mapping determines how to find the master key nickname which will be used to derive the 3 parts of the new key set.The setting ofinternal
in the above example references the name of the token where the master key resides. It could also be an external HSM module with a name such asnethsm
. The strongnew_master
is an example of the master key nickname itself.
6.5. Internal Registration
Note
op.enroll.userKey.auth.enable=true op.enroll.userKey.auth.id=ldap1
op.enroll.userKey.keyGen.encryption.ca.conn=ca1 op.enroll.userKey.keyGen.encryption.serverKeygen.drm.conn=kra1
op.enroll.userKey.tks.conn=tks1
Note
6.6. External Registration
Note
6.6.1. Enabling External Registration
externalReg.allowRecoverInvalidCert.enable=true externalReg.authId=ldap1 externalReg.default.tokenType=externalRegAddToToken externalReg.delegation.enable=true externalReg.enable=true externalReg.recover.byKeyID=false externalReg.format.loginRequest.enable=true externalReg.mappingResolver=keySetMappingResolver
6.6.2. Customizing User LDAP Record Attribute Names
auths.instance.ldap1.externalReg.certs.recoverAttributeName=certsToAdd auths.instance.ldap1.externalReg.cuidAttributeName=tokenCUID auths.instance.ldap1.externalReg.tokenTypeAttributeName=tokenType
6.6.3. Configuring certsToAdd attributes
certsToAdd
attribute takes multiple values in the following form:
<cert serial # in decimal>,<CA connector ID>,<key ID>,<kra connector ID>
59,ca1,0,kra1
Important
certsToAdd
attribute with only certificate and CA information, the TPS assumes that the certificate in question is already on the token, and that it should be preserved. This concept is called Key Retention.
tokenType: externalRegAddToToken certstoadd: 59,ca1,0,kra1 certstoadd: 134,ca1,0,kra1 Certstoadd: 24,ca1
6.6.4. Token to User Matching Enforcement
tokencuid
) is missing from the record, CUID matching is not enforced.
Tokencuid: a10192030405028001c0
Note
certstoadd: 59,ca1
,0,kra1
6.6.5. Delegation Support
- Authentication certificate/keys: The CN contains the name and unique ID of the delegate. The Subject Alternative Name (SAN) extension contains the Principal Name (UPN) of the executive.
- Encryption certificate: An exact copy of the executive's encryption certificate.
- Signing certificate: The CN contains the delegate's name and unique ID. The SAN contains the RFC822Name of the executive.
externalReg.delegation.enable=true
Important
op.enroll.delegateISEtoken.keyGen.encryption.ca.profileId
parameter in the /var/lib/pki/instance_name/tps/conf/CS.cfg
file to caTokenUserDelegateAuthKeyEnrollment
:
op.enroll.delegateISEtoken.keyGen.encryption.ca.profileId=caTokenUserDelegateAuthKeyEnrollment
6.6.6. SAN and DN Patterns
auths.instance.<authID>.ldapStringAttributes
in the authentication instance configuration specifies which attributes will be retrieved during authentication. For example:
auths.instance.ldap1.ldapStringAttributes=mail,cn,uid,edipi,pcc,firstname,lastname,exec-edipi,exec-pcc,exec-mail,certsToAdd,tokenCUID,tokenType
$auth.<attribute name>$
. For example:
op.enroll.delegateIEtoken.keyGen.authentication.SANpattern=$auth.exec-edipi$.$auth.exec-pcc$@EXAMPLE.com op.enroll.delegateIEtoken.keyGen.authentication.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.edipi$,e=$auth.mail$,o=TMS Org
- On TPS, in profile delegateIEtoken
op.enroll.delegateIEtoken.keyGen.authentication.ca.profileId=caTokenUserDelegateAuthKeyEnrollment
- On CA, in enrollment profile caTokenUserDelegateAuthKeyEnrollment
- The
subjectDNInputImpl
plug-in must be specified as one of the inputs in order to allow the DN to be specified by the TPS profile above:input.i2.class_id=subjectDNInputImpl input.i2.name=subjectDNInputImpl
Similarly, to allow the SAN to be specified by the above TPS profile, thesubjectAltNameExtInputImpl
plug-in must be specified:input.i3.class_id=subjectAltNameExtInputImpl input.i3.name=subjectAltNameExtInputImpl
ThesubjAltExtpattern
must be specified as well:policyset.set1.p6.default.params.subjAltExtPattern_0=(UTF8String)1.3.6.1.4.1.311.20.2.3,$request.req_san_pattern_0$
In the above example, the OID1.3.6.1.4.1.311.20.2.3
is the OID for the User Principal Name (UPN), andrequest.req_san_pattern_0
is the first SAN pattern specified in thedelegateIEtoken
SAN pattern.
SANpattern
, delimited by a comma (",
"). On the CA side, a corresponding amount of subjAltExtPattern
needs to be defined in the following format:
policyset.<policy set id>.<policy id>.default.params.subjAltExtPattern_<ordered number>=
policyset.set1.p6.default.params.subjAltExtPattern_0= policyset.set1.p6.default.params.subjAltExtPattern_1= ...
Example 6.1. SANpattern and DNpattern configuration
givenName: user1a mail: user1a@example.org firstname: user1a edipi: 123456789 pcc: AA exec-edipi: 999999999 exec-pcc: BB exec-mail: user1b@EXAMPLE.com tokenType: delegateISEtoken certstoadd: 59,ca1,0,kra1
delegateIEtoken
contains:
SANpattern
:op.enroll.delegateISEtoken.keyGen.authentication.SANpattern=$auth.exec-edipi$.$auth.exec-pcc$@EXAMPLE.com
DNPattern
:op.enroll.delegateISEtoken.keyGen.authentication.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.edipi$,e=$auth.mail$,o=TMS Org
caTokenUserDelegateAuthKeyEnrollment
contains:
input.i2.class_id=subjectDNInputImpl input.i2.name=subjectDNInputImpl input.i3.class_id=subjectAltNameExtInputImpl input.i3.name=subjectAltNameExtInputImpl policyset.set1.p6.constraint.class_id=noConstraintImpl policyset.set1.p6.constraint.name=No Constraint policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl policyset.set1.p6.default.name=Subject Alternative Name Extension Default policyset.set1.p6.default.params.subjAltExtGNEnable_0=true policyset.set1.p6.default.params.subjAltExtPattern_0=(UTF8String)1.3.6.1.4.1.311.20.2.3,$request.req_san_pattern_0$ policyset.set1.p6.default.params.subjAltExtType_0=OtherName policyset.set1.p6.default.params.subjAltNameExtCritical=false policyset.set1.p6.default.params.subjAltNameNumGNs=1
Subject: CN=user1a..123456789,E=user1a@example.org,O=TMS Org Identifier: Subject Alternative Name - 2.5.29.17 Critical: no Value: OtherName: (UTF8String)1.3.6.1.4.1.311.20.2.3,999999999.BB@EXAMPLE.com
6.7. Mapping Resolver Configuration
FilterMappingResolver
. This section will cover its configuration.
Note
6.7.1. Key Set Mapping Resolver
externalReg.mappingResolver=<keySet mapping resolver name>
externalReg.mappingResolver=keySetMappingResolver
mappingResolver.keySetMappingResolver.class_id=filterMappingResolverImpl mappingResolver.keySetMappingResolver.mapping.0.filter.appletMajorVersion=0 mappingResolver.keySetMappingResolver.mapping.0.filter.appletMinorVersion=0 mappingResolver.keySetMappingResolver.mapping.0.filter.keySet= mappingResolver.keySetMappingResolver.mapping.0.filter.tokenATR= mappingResolver.keySetMappingResolver.mapping.0.filter.tokenCUID.end=a1000000000000000000 mappingResolver.keySetMappingResolver.mapping.0.filter.tokenCUID.start=a0000000000000000000 mappingResolver.keySetMappingResolver.mapping.0.target.keySet=defKeySet mappingResolver.keySetMappingResolver.mapping.1.filter.appletMajorVersion=1 mappingResolver.keySetMappingResolver.mapping.1.filter.appletMinorVersion=1 mappingResolver.keySetMappingResolver.mapping.1.filter.keySet= mappingResolver.keySetMappingResolver.mapping.1.filter.tokenATR=1234 mappingResolver.keySetMappingResolver.mapping.1.filter.tokenCUID.end= mappingResolver.keySetMappingResolver.mapping.1.filter.tokenCUID.start= mappingResolver.keySetMappingResolver.mapping.1.target.keySet=defKeySet mappingResolver.keySetMappingResolver.mapping.2.filter.appletMajorVersion= mappingResolver.keySetMappingResolver.mapping.2.filter.appletMinorVersion= mappingResolver.keySetMappingResolver.mapping.2.filter.keySet= mappingResolver.keySetMappingResolver.mapping.2.filter.tokenATR= mappingResolver.keySetMappingResolver.mapping.2.filter.tokenCUID.end= mappingResolver.keySetMappingResolver.mapping.2.filter.tokenCUID.start= mappingResolver.keySetMappingResolver.mapping.2.target.keySet=jForte mappingResolver.keySetMappingResolver.mapping.order=0,1,2
0
, 1
, and 2
. They are ordered in ascending order using the mappingResolver.keySetMappingResolver.mapping.order=0,1,2
line in the example. This order means the input parameters will be run against the mapping filter 0
first; only if they do not match that filter, the next one in the mapping order will be tried. For example, if a token with the following characteristics is evaluated:
CUID=a0000000000000000011 appletMajorVersion=0 appletMinorVersion=0
0
and be assigned its target, which is configured to defKeySet
, because the applet version matches and the CUID falls within the CUID start and end range for that mapping.
CUID=b0000000000000000000 ATR=2222 appletMajorVersion=1 appletMinorVersion=1
0
because it is outside the specified CUID range. It also fails mapping 1
because while the applet versions match, the ATR does not. The above token will be assigned to mapping 2
and its target, jForte
.
2
has no assignments for any of its filters. This causes the mapping to match all tokens, effectively making it a "default" value. Mappings like this must be specified last in the mapping order, because any other mappings after it will never be evaluated.
6.7.2. Token Type (TPS) Mapping Resolver
tokenType
mapping resolvers defined in the Token Processing System: formatProfileMappingResolver
, enrollProfileMappingResolver
, and pinResetProfileMappingResolver
. Compared to the External Registration case discussed in the previous section, in the Internal Registration case token types are actually calculated from the defined mapping resolver.
op.<op>.mappingResolver=<mapping resolver name>
op.enroll.mappingResolver=enrollProfileMappingResolver
enrollProfileMappingResolver
:
mappingResolver.enrollProfileMappingResolver.class_id=filterMappingResolverImpl mappingResolver.enrollProfileMappingResolver.mapping.0.filter.appletMajorVersion=1 mappingResolver.enrollProfileMappingResolver.mapping.0.filter.appletMinorVersion= mappingResolver.enrollProfileMappingResolver.mapping.0.filter.tokenATR= mappingResolver.enrollProfileMappingResolver.mapping.0.filter.tokenCUID.end=b1000000000000000000 mappingResolver.enrollProfileMappingResolver.mapping.0.filter.tokenCUID.start=b0000000000000000000 mappingResolver.enrollProfileMappingResolver.mapping.0.filter.tokenType=userKey mappingResolver.enrollProfileMappingResolver.mapping.0.target.tokenType=userKey mappingResolver.enrollProfileMappingResolver.mapping.1.filter.appletMajorVersion=1 mappingResolver.enrollProfileMappingResolver.mapping.1.filter.appletMinorVersion= mappingResolver.enrollProfileMappingResolver.mapping.1.filter.tokenATR= mappingResolver.enrollProfileMappingResolver.mapping.1.filter.tokenCUID.end=a0000000000000001000 mappingResolver.enrollProfileMappingResolver.mapping.1.filter.tokenCUID.start=a0000000000000000000 mappingResolver.enrollProfileMappingResolver.mapping.1.filter.tokenType=soKey mappingResolver.enrollProfileMappingResolver.mapping.1.target.tokenType=soKey mappingResolver.enrollProfileMappingResolver.mapping.2.filter.appletMajorVersion= mappingResolver.enrollProfileMappingResolver.mapping.2.filter.appletMinorVersion= mappingResolver.enrollProfileMappingResolver.mapping.2.filter.tokenATR= mappingResolver.enrollProfileMappingResolver.mapping.2.filter.tokenCUID.end= mappingResolver.enrollProfileMappingResolver.mapping.2.filter.tokenCUID.start= mappingResolver.enrollProfileMappingResolver.mapping.2.filter.tokenType= mappingResolver.enrollProfileMappingResolver.mapping.2.target.tokenType=userKey mappingResolver.enrollProfileMappingResolver.mapping.order=1,0,2
enrollProfileMappingResolver
in the above example. The mappings are named 0
, 1
, and 2
. The mappingResolver.enrollProfileMappingResolver.mapping.order=1,0,2
line defines the order in which the mappings will be processed. If a token matches a mapping, no further mappings in the order will be evaluated; if it does not match a mapping, the next one in the order will be tried.
CUID=a0000000000000000011 appletMajorVersion=1 appletMinorVersion=0 extension: tokenType=soKey
1
because the applet version matches, the CUID fails within the specified start and end range, and the extension tokenType
matches. Therefore, this token will be assigned the target for that mapping - soKey
.
CUID=b0000000000000000010 appletMajorVersion=1 appletMinorVersion=1
1
because the CUID is outside the specified range. Then it will also fail mapping 0
, because the tokenType
extension is missing. This token will then match mapping 2
, because it has no specified filters in order to match all tokens which did not match any of the previous filters.
6.8. Authentication Configuration
UidPwdDirAuthentication
) by default. Authentication instances are defined in the CS.cfg
file using the following pattern:
auths.instance.<auths ID>.*
op.enroll.userKey.auth.id=ldap1
auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication auths.instance.ldap1.pluginName=UidPwdDirAuth auths.instance.ldap1.authCredName=uid auths.instance.ldap1.dnpattern= auths.instance.ldap1.externalReg.certs.recoverAttributeName=certsToAdd auths.instance.ldap1.externalReg.cuidAttributeName=tokenCUID auths.instance.ldap1.externalReg.tokenTypeAttributeName=tokenType auths.instance.ldap1.ldap.basedn=dc=sjc,dc=example,dc=com auths.instance.ldap1.ldap.ldapauth.authtype=BasicAuth auths.instance.ldap1.ldap.ldapauth.bindDN= auths.instance.ldap1.ldap.ldapauth.bindPWPrompt=ldap1 auths.instance.ldap1.ldap.ldapauth.clientCertNickname=subsystemCert cert-pki-tomcat auths.instance.ldap1.ldap.ldapconn.host=host1.EXAMPLE.com auths.instance.ldap1.ldap.ldapconn.port=389 auths.instance.ldap1.ldap.ldapconn.secureConn=False auths.instance.ldap1.ldap.ldapconn.version=3 auths.instance.ldap1.ldap.maxConns=15 auths.instance.ldap1.ldap.minConns=3 auths.instance.ldap1.ldapByteAttributes= auths.instance.ldap1.ldapStringAttributes=mail,cn,uid,edipi,pcc,firstname,lastname,exec-edipi,exec-pcc,exec-mail,certsToAdd,tokenCUID,tokenType auths.instance.ldap1.ldapStringAttributes._000=################################# auths.instance.ldap1.ldapStringAttributes._001=# For isExternalReg auths.instance.ldap1.ldapStringAttributes._002=# attributes will be available as auths.instance.ldap1.ldapStringAttributes._003=# $<attribute>$ auths.instance.ldap1.ldapStringAttributes._004=# attributes example: auths.instance.ldap1.ldapStringAttributes._005=#mail,cn,uid,edipi,pcc,firstname,lastname,exec-edipi,exec-pcc,exec-mail,certsToAdd,tokenCUID,tokenType auths.instance.ldap1.ldapStringAttributes._006=################################# auths.instance.ldap1.pluginName=UidPwdDirAuth auths.instance.ldap1.ui.description.en=This authenticates user against the LDAP directory. auths.instance.ldap1.ui.id.PASSWORD.credMap.authCred=pwd auths.instance.ldap1.ui.id.PASSWORD.credMap.msgCred.extlogin=PASSWORD auths.instance.ldap1.ui.id.PASSWORD.credMap.msgCred.login=password auths.instance.ldap1.ui.id.PASSWORD.description.en=LDAP Password auths.instance.ldap1.ui.id.PASSWORD.name.en=LDAP Password auths.instance.ldap1.ui.id.UID.credMap.authCred=uid auths.instance.ldap1.ui.id.UID.credMap.msgCred.extlogin=UID auths.instance.ldap1.ui.id.UID.credMap.msgCred.login=screen_name auths.instance.ldap1.ui.id.UID.description.en=LDAP User ID auths.instance.ldap1.ui.id.UID.name.en=LDAP User ID auths.instance.ldap1.ui.retries=3 auths.instance.ldap1.ui.title.en=LDAP Authentication
UidPwdDirAuthentication
authentication instance, since both are handled by the same plug-in. However, the TPS requires several extra parameters on top of the CA configuration.
auths.instance.ldap1.ui.id.UID.name.en=LDAP User ID
and auths.instance.ldap1.ui.id.PASSWORD.name.en=LDAP Password
parameters in the above example; this configuration tells clients to display the UID/password pair as "LDAP User ID" and "LDAP Password". Both parameters can be customized.
credMap.authCred
entries configure how the internal authentication plug-in accepts information presented to it, and the credMap.msgCred
entries configure how this information is passed to the TPS. These fields allow you to use customized plug-in implementations, and should be left at their default values unless you are using a custom authentication plug-in.
6.9. Connectors
tps.connector.ca1.enable=true tps.connector.ca1.host=host1.EXAMPLE.com tps.connector.ca1.maxHttpConns=15 tps.connector.ca1.minHttpConns=1 tps.connector.ca1.nickName=subsystemCert cert-pki-tomcat tps.connector.ca1.port=8443 tps.connector.ca1.timeout=30 tps.connector.ca1.uri.enrollment=/ca/ee/ca/profileSubmitSSLClient tps.connector.ca1.uri.getcert=/ca/ee/ca/displayBySerial tps.connector.ca1.uri.renewal=/ca/ee/ca/profileSubmitSSLClient tps.connector.ca1.uri.revoke=/ca/ee/subsystem/ca/doRevoke tps.connector.ca1.uri.unrevoke=/ca/ee/subsystem/ca/doUnrevoke tps.connector.kra1.enable=true tps.connector.kra1.host=host1.EXAMPLE.com tps.connector.kra1.maxHttpConns=15 tps.connector.kra1.minHttpConns=1 tps.connector.kra1.nickName=subsystemCert cert-pki-tomcat tps.connector.kra1.port=8443 tps.connector.kra1.timeout=30 tps.connector.kra1.uri.GenerateKeyPair=/kra/agent/kra/GenerateKeyPair tps.connector.kra1.uri.TokenKeyRecovery=/kra/agent/kra/TokenKeyRecovery tps.connector.tks1.enable=true tps.connector.tks1.generateHostChallenge=true tps.connector.tks1.host=host1.EXAMPLE.com tps.connector.tks1.keySet=defKeySet tps.connector.tks1.maxHttpConns=15 tps.connector.tks1.minHttpConns=1 tps.connector.tks1.nickName=subsystemCert cert-pki-tomcat tps.connector.tks1.port=8443 tps.connector.tks1.serverKeygen=true tps.connector.tks1.timeout=30 tps.connector.tks1.tksSharedSymKeyName=sharedSecret tps.connector.tks1.uri.computeRandomData=/tks/agent/tks/computeRandomData tps.connector.tks1.uri.computeSessionKey=/tks/agent/tks/computeSessionKey tps.connector.tks1.uri.createKeySetData=/tks/agent/tks/createKeySetData tps.connector.tks1.uri.encryptData=/tks/agent/tks/encryptData
op.enroll.userKey.keyGen.signing.ca.conn=ca1
Note
6.10. Revocation Routing Configuration
tps.connCAList=ca1,ca2
nssdb
and set up trust:
#
cd <TPS instance directory>/alias
#
certutil -d . -A -n <CA signing cert nickname> -t “CT,C,C” -i <CA signing cert b64 file name>
tps.connector.ca1.caNickname=caSigningCert cert-pki-tomcat CA
Note
tps.connector.ca1.caSKI=i9wOnN0QZLkzkndAB1MKMcjbRP8=
6.11. Setting Up Server-side Key Generation
- TPS connector parameters for the KRA:
tps.connector.kra1.enable=true tps.connector.kra1.host=host1.EXAMPLE.com tps.connector.kra1.maxHttpConns=15 tps.connector.kra1.minHttpConns=1 tps.connector.kra1.nickName=subsystemCert cert-pki-tomcat tps.connector.kra1.port=8443 tps.connector.kra1.timeout=30 tps.connector.kra1.uri.GenerateKeyPair=/kra/agent/kra/GenerateKeyPair tps.connector.kra1.uri.TokenKeyRecovery=/kra/agent/kra/TokenKeyRecovery
- TPS profile-specific parameters for server-side key generation:
op.enroll.userKey.keyGen.encryption.serverKeygen.archive=true op.enroll.userKey.keyGen.encryption.serverKeygen.drm.conn=kra1 op.enroll.userKey.keyGen.encryption.serverKeygen.enable=true
Set theserverKeygen.enable=true
option forserverKeygen.archive
to take effect.Important
The LunaSA HSM does not support a smaller key size than 2048 bits for RSA encryption.For example, to configure a key size of 2048 bits, set the following parameter in the/var/lib/pki/instance_name/tps/conf/CS.cfg
file:op.enroll.userKey.keyGen.encryption.keySize=2048
- TKS configuration:
- The following configures the nickname of the transport certificate used for communication between the TKS and KRA (via TPS):
tks.drm_transport_cert_nickname=transportCert cert-pki-tomcat KRA
The referenced transport certificate must also exist in the TKS instance security module. For example:transportCert cert-pki-tomcat KRA u,u,u
- KRA configuration
- Depending on the PKCS#11 token, parameters
kra.keygen.temporaryPairs
,kra.keygen.sensitivePairs
, andkra.keygen.extractablePairs
can be customized for key generation options. These parameters are all set tofalse
by default.The following values for these parameters have been tested with some of the security modules supported by Red Hat Certificate System:- NSS (when in FIPS mode):
kra.keygen.extractablePairs=true
- nCipher nShield Connect 6000 (works by default without specifying):
- For specifying RSA keys:
kra.keygen.temporaryPairs=true
(Do not specify any other parameters.)For generating ECC keys:kra.keygen.temporaryPairs=true kra.keygen.sensitivePairs=false kra.keygen.extractablePairs=true
- LunaSA CKE - Key Export Model (non-FIPS mode):
kra.keygen.temporaryPairs=true kra.keygen.sensitivePairs=true kra.keygen.extractablePairs=true
Note
Note
6.12. Setting Up New Key Sets
- TKS configuration
- The default key set is configured in the TKS using the following options in the
/var/lib/pki/instance_name/tks/conf/CS.cfg
file:tks.defKeySet._000=## tks.defKeySet._001=## Axalto default key set: tks.defKeySet._002=## tks.defKeySet._003=## tks.defKeySet.mk_mappings.#02#01=<tokenname>:<nickname> tks.defKeySet._004=## tks.defKeySet.auth_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f tks.defKeySet.kek_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f tks.defKeySet.mac_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f tks.defKeySet.nistSP800-108KdfOnKeyVersion=00 tks.defKeySet.nistSP800-108KdfUseCuidAsKdd=false
The above configuration defines settings specific to a certain type or class of tokens that can be used in the TMS. The most important part are the 3 developer or (out of the box) session keys, which are used to create a secure channel before symmetric key handover takes place. A different type of key may have different default values for these keys.The settings describing thenistSP800
key diversification method control whether this method or the standard Visa method is used. Specifically, the value of thetks.defKeySet.nistSP800-108KdfOnKeyVersion
option determines that the NIST version will be used. ThenistSP800-108KdfUseCuidAsKdd
option allows you to use the legacy key ID value of CUID during processing. The newer KDD value is most commonly used and therefore this option is disabled (false
) by default. This allows you to configure a new key set to enable support for a new class of keys.Example 6.2. Enabling Support for the
jForte
ClassTo enable support for thejForte
class, set:tks.jForte._000=## tks.jForte._001=## SAFLink's jForte default key set: tks.jForte._002=## tks.jForte._003=## tks.jForte.mk_mappings.#02#01=<tokenname>:<nickname> tks.jForte._004=## tks.jForte.auth_key=#30#31#32#33#34#35#36#37#38#39#3a#3b#3c#3d#3e#3f tks.jForte.kek_key=#50#51#52#53#54#55#56#57#58#59#5a#5b#5c#5d#5e#5f tks.jForte.mac_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f tks.jForte.nistSP800-108KdfOnKeyVersion=00 tks.jForte.nistSP800-108KdfUseCuidAsKdd=false
Note the difference in the 3 static session keys compared to the previous example.Certificate System supports the Secure Channel Protocol 03 (SCP03) for Giesecke & Devrient (G&D) Smart Cafe 6 smart cards. To enable SCP03 support for these smart cards in a TKS, set in the/var/lib/pki/instance_name/tks/conf/CS.cfg
file:tks.defKeySet.prot3.divers=emv tks.defKeySet.prot3.diversVer1Keys=emv tks.defKeySet.prot3.devKeyType=DES3 tks.defKeySet.prot3.masterKeyType=DES3
- TPS configuration
- The TPS must be configured to recognize the new key set when a supported client attempts to perform an operation on a token. The default
defKeySet
is used most often.The primary method to determine thekeySet
in the TPS involves Section 6.7, “Mapping Resolver Configuration”. See the linked section for a discussion of the exact settings needed to establish this resolver mechanism.If the KeySet Mapping Resolver is not present, several fallback methods are available for the TPS to determine the correctkeySet
:- You can add the
tps.connector.tks1.keySet=defKeySet
to theCS.cfg
configuration file of the TPS. - Certain clients can possibly be configured to explicitly pass the desired
keySet
value. However, the Enterprise Security Client does not have this ability at this point. - When the TPS calculates the proper
keySet
based on the desired method, all requests to the TKS to help create secure channels pass thekeySet
value as well. The TKS can then use its ownkeySet
configuration (described above) to determine how to proceed.
6.13. Setting Up a New Master Key
Procedure 6.1. Creating a New Master Key
- Obtain internal the PIN required to access the TKS security databases:
#
cat /var/lib/pki/pki-tomcat/tks/conf/password.conf
internal=649713464822 internaldb=secret12 replicationdb=-752230707 - Open the
alias/
directory of the TKS instance:#
cd /var/lib/pki/pki-tomcat/alias
- Generate a new master key using the
tkstool
utility. For example:#
tkstool -M -n new_master -d /var/lib/pki/pki-tomcat/alias -h <token_name>
Enter Password or Pin for "NSS Certificate DB": Generating and storing the master key on the specified token . . . Naming the master key "new_master" . . . Computing and displaying KCV of the master key on the specified token . . . new_master key KCV: CA5E 1764 - Verify that the keys have been properly added to the database:
#
tkstool -L -d .
slot: NSS User Private Key and Certificate Services token: NSS Certificate DB Enter Password or Pin for "NSS Certificate DB": <0> new_master
6.13.1. Generating and Transporting Wrapped Master Keys (Key Ceremony)
tkstool
utility can be used to generate transport keys, which are then used to send the master key to the facility where the tokens are generated. The process of transferring wrapped master keys is commonly called a Key Ceremony.
Note
Procedure 6.2. Generating and Transporting Wrapped Master Keys
- Obtain the internal PIN required to access the Token Key Service security databases:
internal=649713464822 internaldb=secret12 replicationdb=-752230707#
cat /var/lib/pki/pki-tomcat/tks/conf/password.conf - Open the TKS instance
alias/
directory:#
cd /var/lib/pki/pki-tomcat/alias
- Create a transport key named
transport
:#
tkstool -T -d . -n transport
Note
Thetkstool
utility prints out the key shares and KCV values for each of the three session keys generated. Save them to a file as they are necessary to regenerate the transport key in new databases later in this procedure, and to regenerate the key if lost. - When prompted, fill in the database password. Then, follow on-screen instructions to generate a random seed.
A random seed must be generated that will be used in the creation of your key. One of the easiest ways to create a random seed is to use the timing of keystrokes on a keyboard. To begin, type keys on the keyboard until this progress meter is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD! Continue typing until the progress meter is full: |************************************************************| Finished. Type the word "proceed" and press enter
- The next prompt will generate a series of session keys. Follow on-screen instructions until the final message:
Successfully generated, stored, and named the transport key!
- Use the transport key to generate and wrap a master key and store it in a file named
file
:
Enter Password or Pin for "NSS Certificate DB": Retrieving the transport key (for wrapping) from the specified token . . . Generating and storing the master key on the specified token . . . Naming the master key "new_master" . . . Successfully generated, stored, and named the master key! Using the transport key to wrap and store the master key . . . Writing the wrapped data (and resident master key KCV) into the file called "file" . . . wrapped data: 47C0 06DB 7D3F D9ED FE91 7E6F A7E5 91B9 master key KCV: CED9 4A7B (computed KCV of the master key residing inside the wrapped data)#
tkstool -W -d . -n new_master -t transport -o file - Copy the wrapped master key over to the appropriate locations or facility.
- If necessary, generate new security databases on the HSM or at the facility:
#
tkstool -N -d <directory>
Alternatively, add the-I
option to produce a key identical to the one generated originally in a the new database. Regenerating the transport key in this way requires that you input the session key share and KCV for each of the session keys generated earlier in this procedure.#
tkstool -I -d <directory> -n verify_transport
- Use the transport key to unwrap the master key stored in the file. Provide the security database PIN when prompted:
Enter Password or Pin for "NSS Certificate DB": Retrieving the transport key from the specified token (for unwrapping) . . . Reading in the wrapped data (and resident master key KCV) from the file called "file" . . . wrapped data: 47C0 06DB 7D3F D9ED FE91 7E6F A7E5 91B9 master key KCV: CED9 4A7B (pre-computed KCV of the master key residing inside the wrapped data) Using the transport key to temporarily unwrap the master key to recompute its KCV value to check against its pre-computed KCV value . . . master key KCV: CED9 4A7B (computed KCV of the master key residing inside the wrapped data) master key KCV: CED9 4A7B (pre-computed KCV of the master key residing inside the wrapped data) Using the transport key to unwrap and store the master key on the specified token . . . Naming the master key "new_master" . . . Successfully unwrapped, stored, and named the master key!#
tkstool -U -d directory -n new_master -t verify_transport -i file - Verify that the keys have been added to the database properly:
slot: NSS User Private Key and Certificate Services token: NSS Certificate DB Enter Password or Pin for "NSS Certificate DB": <0> transport <1> new_master#
tkstool -L -d
6.15. Using Different Applets for Different SCP Versions
/var/lib/instance_name/tps/conf/CS.cfg
file specifies which applet should be loaded for all Secure Channel Protocol (SCP) versions for each token operation:
op.operation.token_type.update.applet.requiredVersion=version
op.operation.token_type.update.applet.requiredVersion.prot.protocol_version=version
format
enroll
pinReset
Example 6.3. Setting Protocol Versions for Enrollment Operations
userKey
token:
- Edit the
/var/lib/instance_name/tps/conf/CS.cfg
file:- Set the
op.enroll.userKey.update.applet.requiredVersion
parameter to specify the applet used by default. For example:op.enroll.userKey.update.applet.requiredVersion=1.4.58768072
- Set the
op.enroll.userKey.update.applet.requiredVersion.prot.3
parameter to configure the applet Certificate System uses for the SCP03 protocol. For example:op.enroll.userKey.update.applet.requiredVersion.prot.3=1.5.558cdcff
- Restart Certificate System:
pki-server restart instance_name
Chapter 7. Revoking Certificates and Issuing CRLs
7.1. About Revoking Certificates
- Revoke the certificate if a revocation request is received by the CA and approved.
- Make the revoked certificate status available to parties or applications that need to verify its validity status.
Note
7.1.1. User-Initiated Revocation
7.1.2. Reasons for Revoking a Certificate
0
. Unspecified; no particular reason is given.1
. The private key associated with the certificate was compromised.2
. The private key associated with the CA that issued the certificate was compromised.3
. The owner of the certificate is no longer affiliated with the issuer of the certificate and either no longer has rights to the access gained with the certificate or no longer needs it.4
. Another certificate replaces this one.5
. The CA that issued the certificate has ceased to operate.6
. The certificate is on hold pending further action. It is treated as revoked but may be taken off hold in the future so that the certificate is active and valid again.8
. The certificate is going to be removed from the CRL because it was removed from hold. This only occurs in delta CRLs.9
. The certificate is revoked because the privilege of the owner of the certificate has been withdrawn.
7.1.3. CRL Issuing Points
7.1.4. Delta CRLs
DeltaCRLIndicator
extension.
7.1.5. Publishing CRLs
7.1.6. Certificate Revocation Pages
UserRevocation.html
, the form that allows the SSL/TSL client authenticated revocation of client or personal certificates. The file is in the /var/lib/instance_name/webapps/subsystem_type/ee/subsystem_type
directory.
7.2. Performing a CMC Revocation
subjectDN
attribute. Then the user can send the signed request to the Certificate Manager.
CMCRequest
. For details, see Section 7.2.1, “Revoking a Certificate UsingCMCRequest
”.CMCRevoke
. For details, see Section 7.2.2, “Revoking a Certificate UsingCMCRevoke
”.
Important
CMCRequest
utility to generate CMC revocation requests, because it provides more options than CMCRevoke
.
7.2.1. Revoking a Certificate Using CMCRequest
CMCRequest
:
- Create a configuration file for the CMC revocation request, such as
/home/user_name/cmc-request.cfg
, with the following content:#numRequests: Total number of PKCS10 requests or CRMF requests. numRequests=1 #output: full path for the CMC request in binary format output=/home/user_name/cmc.revoke.userSigned.req #tokenname: name of token where user signing cert can be found #(default is internal) tokenname=internal #nickname: nickname for user signing certificate which will be used #to sign the CMC full request. nickname=signer_user_certificate #dbdir: directory for cert9.db, key4.db and pkcs11.txt dbdir=/home/user_name/.dogtag/nssdb/ #password: password for cert9.db which stores the user signing #certificate and keys password=myPass #format: request format, either pkcs10 or crmf. format=pkcs10 ## revocation parameters revRequest.enable=true revRequest.serial=45 revRequest.reason=unspecified revRequest.comment=user test revocation revRequest.issuer=issuer revRequest.sharedSecret=shared_secret
- Create the CMC request:
# CMCRequest /home/user_name/cmc-request.cfg
If the command succeeds, theCMCRequest
utility stores the CMC request in the file specified in theoutput
parameter in the request configuration file. - Create a configuration file, such as
/home/user_name/cmc-submit.cfg
, which you use in a later step to submit the CMC revocation request to the CA. Add the following content to the created file:#host: host name for the http server host=>server.example.com #port: port number port=8443 #secure: true for secure connection, false for nonsecure connection secure=true #input: full path for the enrollment request, the content must be #in binary format input=/home/user_name/cmc.revoke.userSigned.req #output: full path for the response in binary format output=/home/user_name/cmc.revoke.userSigned.resp #tokenname: name of token where SSL client authentication certificate #can be found (default is internal) #This parameter will be ignored if secure=false tokenname=internal #dbdir: directory for cert9.db, key4.db and pkcs11.txt #This parameter will be ignored if secure=false dbdir=/home/user_name/.dogtag/nssdb/ #clientmode: true for client authentication, false for no client #authentication. This parameter will be ignored if secure=false clientmode=true #password: password for cert9.db #This parameter will be ignored if secure=false and clientauth=false password=password #nickname: nickname for client certificate #This parameter will be ignored if clientmode=false nickname=signer_user_certificate
Important
If the CMC revocation request is signed, set thesecure
andclientmode
parameters totrue
and, additionally, fill thenickname
parameter. - Depending on who signed the request, the
servlet
parameter in the configuration file forHttpClient
must be set accordingly:- If an agent signed the request, set:
servlet=/ca/ee/ca/profileSubmitCMCFull
- If a user signed the request, set:
servlet=/ca/ee/ca/profileSubmitSelfSignedCMCFull
- Submit the CMC request:
# HttpClient /home/user_name/cmc-submit.cfg
CMCRequest
, see the CMCRequest(1) man page.
7.2.2. Revoking a Certificate Using CMCRevoke
CMCRevoke
, is used to sign a revocation request with an agent's certificate. This utility simply passes the required information — certificate serial number, issuer name, and revocation reason — to identify the certificate to revoke, and then the require information to identify the CA agent performing the revocation (certificate nickname and the database with the certificate).
CMCRevoke
utility):
0
— unspecified1
— the key was compromised2
— the CA key was compromised3
— the employee's affiliation changed4
— the certificate has been superseded5
— cessation of operation6
— the certificate is on hold
7.2.2.1. Testing CMCRevoke
- Create a CMC revocation request for an existing certificate.
CMCRevoke -d/path/to/agent-cert-db -nnickname -iissuerName -sserialName -mreason -ccomment
For example, if the directory containing the agent certificate is~jsmith/.mozilla/firefox/
, the nickname of the certificate isAgentCert
, and the serial number of the certificate is22
, the command is as shown:CMCRevoke -d"~jsmith/.mozilla/firefox/" -n"ManagerAgentCert" -i"cn=agentAuthMgr" -s22 -m0 -c"test comment"
Note
Surround values that include spaces in quotation marks.Important
Do not have a space between the argument and its value. For example, giving a serial number of 26 is-s26
, not-s 26
. - Open the end-entities page.
http
s
://server.example.com:8443/ca/ee/ca
- Select the Revocation tab.
- Select the CMC Revoke link on the menu.
- Paste the output from the
CMCRevoke
into the text area. - Remove
-----BEGIN NEW CERTIFICATE REQUEST-----
and----END NEW CERTIFICATE REQUEST-----
from the pasted content. - Click.
- The returned page should confirm that correct certificate has been revoked.
7.3. Issuing CRLs
- The Certificate Manager uses its CA signing certificate key to sign CRLs. To use a separate signing key pair for CRLs, set up a CRL signing key and change the Certificate Manager configuration to use this key to sign CRLs. See Section 7.3.4, “Setting a CA to Use a Different Certificate to Sign CRLs” for more information.
- Set up CRL issuing points. An issuing point is already set up and enabled for a master CRL.
Figure 7.1. Default CRL Issuing Point
Additional issuing points for the CRLs can be created. See Section 7.3.1, “Configuring Issuing Points” for details.There are five types of CRLs the issuing points can create, depending on the options set when configuring the issuing point to define what the CRL will list:- Master CRL contains the list of revoked certificates from the entire CA.
- ARL is an Authority Revocation List containing only revoked CA certificates.
- CRL with expired certificates includes revoked certificates that have expired in the CRL.
- CRL from certificate profiles determines the revoked certificates to include based on the profiles used to create the certificates originally.
- CRLs by reason code determines the revoked certificates to include based on the revocation reason code.
- Configure the CRLs for each issuing point. See Section 7.3.2, “Configuring CRLs for Each Issuing Point” for details.
- Set up the CRL extensions which are configured for the issuing point. See Section 7.3.3, “Setting CRL Extensions” for details.
- Set up the delta CRL for an issuing point by enabling extensions for that issuing point,
DeltaCRLIndicator
orCRLNumber
. - Set up the
CRLDistributionPoint
extension to include information about the issuing point. - Set up publishing CRLs to files, an LDAP directory, or an OCSP responder. See Chapter 9, Publishing Certificates and CRLs for details about setting up publishing.
7.3.1. Configuring Issuing Points
- Open the Certificate System Console.
pkiconsole https://server.example.com:8443/ca
- In the Configuration tab, expand Certificate Manager from the left navigation menu. Then select CRL Issuing Points.
- To edit an issuing point, select the issuing point, and click. The only parameters which can be edited are the name of the issuing point and whether the issuing point is enabled or disabled.To add an issuing point, click. The CRL Issuing Point Editor window opens.
Figure 7.2. CRL Issuing Point Editor
Note
If some fields do not appear large enough to read the content, expand the window by dragging one of the corners.Fill in the following fields:- Enable. Enables the issuing point if selected; deselect to disable.
- CRL Issuing Point name. Gives the name for the issuing point; spaces are not allowed.
- Description. Describes the issuing point.
- Click.
Note
pkiconsole
is being deprecated.
7.3.2. Configuring CRLs for Each Issuing Point
- Open the CA console.
pkiconsole https://server.example.com:8443/ca
- In the navigation tree, select Certificate Manager, and then select CRL Issuing Points.
- Select the issuing point name below the Issuing Points entry.
- Configure how and how often the CRLs are updated by supplying information in the Update tab for the issuing point. This tab has two sections, Update Schema and Update Frequency.
- The Update Schema section has the following options:
- Enable CRL generation. This checkbox sets whether CRLs are generated for that issuing point.
- Generate full CRL every # delta(s). This field sets how frequently CRLs are created in relation to the number of changes.
- Extend next update time in full CRLs. This provides an option to set the
nextUpdate
field in the generated CRLs. ThenextUpdate
parameter shows the date when the next CRL is issued, regardless of whether it is a full or delta CRL. When using a combination of full and delta CRLs, enablingExtend next update time in full CRLs
will make thenextUpdate
parameter in a full CRL show when the next full CRL will be issued. Otherwise, thenextUpdate
parameter in the full CRL will show when the next delta CRL will be issued, since the delta will be the next CRL to be issued.
- The Update Frequency section sets the different intervals when the CRLs are generated and issued to the directory.
- Every time a certificate is revoked or released from hold. This sets the Certificate Manager to generate the CRL every time it revokes a certificate. The Certificate Manager attempts to issue the CRL to the configured directory whenever it is generated. Generating a CRL can be time consuming if the CRL is large. Configuring the Certificate Manager to generate CRLs every time a certificate is revoked may engage the server for a considerable amount of time; during this time, the server will not be able to update the directory with any changes it receives.This setting is not recommended for a standard installation. This option should be selected to test revocation immediately, such as testing whether the server issues the CRL to a flat file.
- Update the CRL at. This field sets a daily time when the CRL should be updated. To specify multiple times, enter a comma-separate list of times, such as
01:50,04:55,06:55
. To enter a schedule for multiple days, enter a comma-separated list to set the times within the same day, and then a semicolon separated list to identify times for different days. For example, this sets revocation on Day 1 of the cycle at 1:50am, 4:55am, and 6:55am and then Day 2 at 2am, 5am, and 5pm:01:50,04:55,06:55;02:00,05:00,17:00
- Next update grace period. If the Certificate Manager updates the CRL at a specific frequency, the server can be configured to have a grace period to the next update time to allow time to create the CRL and issue it. For example, if the server is configured to update the CRL every 20 minutes with a grace period of 2 minutes, and if the CRL is updated at 16:00, the CRL is updated again at 16:18.
Important
Due to a known issue, when currently setting full and delta Certificate Revocation List schedules, theUpdate CRL every time a certificate is revoked or released from hold
option also requires you to fill out the twograce period
settings. Thus, in order to select this option you need to first select theUpdate CRL every
option and enter a number for theNext update grace period # minutes
box. - The Cache tab sets whether caching is enabled and the cache frequency.
Figure 7.3. CRL Cache Tab
- Enable CRL cache. This checkbox enables the cache, which is used to create delta CRLs. If the cache is disabled, delta CRLs will not be created. For more information about the cache, see Section 7.1, “About Revoking Certificates”.
- Update cache every. This field sets how frequently the cache is written to the internal database. Set to
0
to have the cache written to the database every time a certificate is revoked. - Enable cache recovery. This checkbox allows the cache to be restored.
- Enable CRL cache testing. This checkbox enables CRL performance testing for specific CRL issuing points. CRLs generated with this option should not be used in deployed CAs, as CRLs issued for testing purposed contain data generated solely for the purpose of performance testing.
- The Format tab sets the formatting and contents of the CRLs that are created. There are two sections, CRL Format and CRL Contents.
Figure 7.4. CRL Format Tab
- The CRL Format section has two options:
- Revocation list signing algorithm is a drop down list of allowed ciphers to encrypt the CRL.
- Allow extensions for CRL v2 is a checkbox which enabled CRL v2 extensions for the issuing point. If this is enabled, set the required CRL extensions described in Section 7.3.3, “Setting CRL Extensions”.
Note
Extensions must be turned on to create delta CRLs. - The CRL Contents section has three checkboxes which set what types of certificates to include in the CRL:
- Include expired certificates. This includes revoked certificates that have expired. If this is enabled, information about revoked certificates remains in the CRL after the certificate expires. If this is not enabled, information about revoked certificates is removed when the certificate expires.
- CA certificates only. This includes only CA certificates in the CRL. Selecting this option creates an Authority Revocation List (ARL), which lists only revoked CA certificates.
- Certificates issued according to profiles. This only includes certificates that were issued according to the listed profiles; to specify multiple profiles, enter a comma-separated list.
- Click.
- Extensions are allowed for this issuing point and can be configured. See Section 7.3.3, “Setting CRL Extensions” for details.
Note
pkiconsole
is being deprecated.
7.3.3. Setting CRL Extensions
Note
CRLReason
, InvalidityDate
, and CRLNumber
. Other extensions are available but are disabled by default. These can be enabled and modified. For more information about the available CRL extensions, see Section B.4.2, “Standard X.509 v3 CRL Extensions Reference”.
- Open the CA console.
pkiconsole https://server.example.com:8443/ca
- In the navigation tree, select Certificate Manager, and then select CRL Issuing Points.
- Select the issuing point name below the Issuing Points entry, and select the CRL Extension entry below the issuing point.The right pane shows the CRL Extensions Management tab, which lists configured extensions.
Figure 7.5. CRL Extensions
- To modify a rule, select it, and click.
- Most extensions have two options, enabling them and setting whether they are critical. Some require more information. Supply all required values. See Section B.4.2, “Standard X.509 v3 CRL Extensions Reference” for complete information about each extension and the parameters for those extensions.
- Click.
- Clickto see the updated status of all the rules.
Note
pkiconsole
is being deprecated.
7.3.4. Setting a CA to Use a Different Certificate to Sign CRLs
CS.cfg
file, see the Setting a CA to Use a Different Certificate to Sign CRLs section in the Red Hat Certificate System Planning, Installation, and Deployment Guide.
7.3.5. Generating CRLs from Cache
Note
enableCRLCache
parameter in most environments. However, the Enable CRL cache testing
parameter should not be enabled in a production environment.
7.3.5.1. Configuring CRL Generation from Cache in the Console
Note
pkiconsole
is being deprecated.
- Open the console.
pkiconsole https://server.example.com:8443/ca
- In the Configuration tab, expand the Certificate Manager folder and the CRL Issuing Points subfolder.
- Select the MasterCRL node.
- Select Enable CRL cache.
- Save the changes.
7.3.5.2. Configuring CRL Generation from Cache in CS.cfg
CS.cfg
file, see the Configuring CRL Generation from Cache in CS.cfg section in the Red Hat Certificate System Planning, Installation, and Deployment Guide.
7.4. Setting Full and Delta CRL Schedules
Interval 1, 2, 3, 4, 5, 6, 7 ... Full CRL 1 4 7 ... Delta CRL 1, 2, 3, 4, 5, 6, 7 ...
Note
7.4.1. Configuring CRL Update Intervals in the Console
Note
pkiconsole
is being deprecated.
- Open the console.
pkiconsole https://server.example.com:8443/ca
- In the Configuration tab, expand the Certificate Manager folder and the CRL Issuing Points subfolder.
- Select the MasterCRL node.
- Enter the required interval in the Generate full CRL every # delta(s) field.
- Set the update frequency, either by specifying the occasion of a certificate revocation, a cyclical interval or set times for the updates to occur:
- Select the Update CRL every time a certificate is revoked or released from hold checkbox. The Update CRL every time a certificate is revoked or released from hold option also requires you to fill out the two Grace period settings. This is a known issue, and the bug is being tracked in Red Hat Bugzilla.
- Select the Update CRL every time a certificate is revoked or released from hold checkbox.
- Select the Update CRL at checkbox and enter specific times separated by commas, such as
01:50,04:55,06:55
. - Select Update CRL every checkbox and enter the required interval, such as
240
.
- Save the changes.
Important
Note
7.4.2. Configuring Update Intervals for CRLs in CS.cfg
CS.cfg
file, see the Configuring Update Intervals for CRLs in CS.cfg section in the Red Hat Certificate System Planning, Installation, and Deployment Guide.
7.4.3. Configuring CRL Generation Schedules over Multiple Days
ca.crl.MasterCRL.dailyUpdates=01:00,03:00,18:00;02:00,05:00,17:00
Note
ca.crl.MasterCRL.dailyUpdates=01:00,03:00,18:00,*23:00;02:00,05:00,21:00,*23:30
Note
CS.cfg
file.
7.5. Enabling Revocation Checking
7.6. Using the Online Certificate Status Protocol (OCSP) Responder
7.6.1. Setting up the OCSP Responder
Note
- Configure the CRLs for every CA that will publish to an OCSP responder.
- Enable publishing, set up a publisher, and set publishing rules in every CA that the OCSP service will handle (Chapter 9, Publishing Certificates and CRLs). This is not necessary if the Certificate Managers publish to an LDAP directory and the Online Certificated Status Manager is set up to read from that directory.
- The certificate profiles must be configured to include the Authority Information Access extension, pointing to the location at which the Certificate Manager listens for OCSP service requests (Section 7.6.4, “Enabling the Certificate Manager's Internal OCSP Service”).
- Configure the OCSP Responder.
- Configure the Revocation Info store (Section 7.6.2.2, “Configure the Revocation Info Stores: Internal Database” and Section 7.6.2.3, “Configure the Revocation Info Stores: LDAP Directory”).
- Identify every publishing Certificate Manager to the OCSP responder (Section 7.6.2, “Identifying the CA to the OCSP Responder”).
- If necessary, configure the trust settings for the CA which signed the OCSP signing certificate (Section 17.7, “Changing the Trust Settings of a CA Certificate”).
- Restart both subsystems after configuring them.
- Verify that the CA is properly connected to the OCSP responder (Section 7.6.2.1, “Verify Certificate Manager and Online Certificate Status Manager Connection”).
7.6.2. Identifying the CA to the OCSP Responder
Note
- Get the Certificate Manager's base-64 CA signing certificate from the end-entities page of the CA.
- Open the Online Certificate Status Manager agent page. The URL has the format
https://
hostname:SSLport/ocsp/agent/ocsp
. - In the left frame, click.
- In the form, paste the encoded CA signing certificate inside the text area labeled Base 64 encoded certificate (including the header and footer).
- To verify that the certificate is added successfully, in the left frame, click List Certificate Authorities.
7.6.2.1. Verify Certificate Manager and Online Certificate Status Manager Connection
7.6.2.2. Configure the Revocation Info Stores: Internal Database
- Open the Online Certificate Status Manager Console.
pkiconsole https://server.example.com:8443/ocsp
- In the Configuration tab, select Online Certificate Status Manager, and then select Revocation Info Stores.The right pane shows the two repositories the Online Certificate Status Manager can use; by default, it uses the CRL in its internal database.
- Select the
defStore
, and click . - Edit the
defStore
values.- notFoundAsGood. Sets the OCSP service to return an OCSP response of GOOD if the certificate in question cannot be found in any of the CRLs. If this is not selected, the response is UNKNOWN, which, when encountered by a client, results in an error message.
- byName. The OCSP Responder only supports the basic response type, which includes the ID of the OCSP Responder making the response. The ResponderID field within the basic response type is determined by the value of the
ocsp.store.defStore.byName
parameter. IfbyName
parameter is true or is missing, the OCSP authority signing certificate subject name is used as the ResponderID field of the OCSP response. IfbyName
parameter is false, the OCSP authority signing certificate key hash will be the ResponderID field of the OCSP response. - includeNextUpdate. Includes the timestamp of the next CRL update time.
Note
pkiconsole
is being deprecated.
7.6.2.3. Configure the Revocation Info Stores: LDAP Directory
Important
ldapStore
method is enabled, the OCSP user interface does not check the certificate status.
- Open the Online Certificate Status Manager Console.
pkiconsole https://server.example.com:8443/ocsp
- In the Configuration tab, select Online Certificate Status Manager, and then select Revocation Info Stores.The right pane shows the two repositories the Online Certificate Status Manager can use; by default, it uses the CRL in its internal database.
- To use the CRLs in LDAP directories, clickto enable the
ldapStore
option. - Select
ldapStore
, and click . - Set the
ldapStore
parameters.- numConns. The total number of LDAP directories the OCSP service should check. By default, this is set to 0. Setting this value shows the corresponding number of host, port, baseDN, and refreshInSec fields.
- host. The fully-qualified DNS hostname of the LDAP directory.
- port. The non-SSL/TLS port of the LDAP directory.
- baseDN. The DN to start searching for the CRL. For example,
O=example.com
. - refreshInSec. How often the connection is refreshed. The default is 86400 seconds (daily).
- caCertAttr. Leave the default value,
cACertificate;binary
, as it is. It is the attribute to which the Certificate Manager publishes its CA signing certificate. - crlAttr. Leave the default value,
certificateRevocationList;binary
, as it is. It is the attribute to which the Certificate Manager publishes CRLs. - notFoundAsGood. Sets the OCSP service to return an OCSP response of GOOD if the certificate in question cannot be found in any of the CRLs. If this is not selected, the response is UNKNOWN, which, when encountered by a client, results in an error message.
- byName. The OCSP Responder only supports the basic response type, which includes the ID of the OCSP Responder making the response. The ResponderID field within the basic response type is determined by the value of the
ocsp.store.defStore.byName
parameter. IfbyName
parameter is true or is missing, the OCSP authority signing certificate subject name is used as the ResponderID field of the OCSP response. IfbyName
parameter is false, the OCSP authority signing certificate key hash will be the ResponderID field of the OCSP response. - includeNextUpdate. The Online Certificate Status Manager can include the timestamp of the next CRL update time.
Note
pkiconsole
is being deprecated.
7.6.2.4. Testing the OCSP Service Setup
- Turn on revocation checking in the browser or client.
- Request a certificate from the CA that has been enabled for OCSP services.
- Approve the request.
- Download the certificate to the browser or client.
- Make sure the CA is trusted by the browser or client.
- Check the status of Certificate Manager's internal OCSP service.Open the CA agent services page, and select the OCSP Services link.
- Test the independent Online Certificate Status Manager subsystem.Open the Online Certificate Status Manager agent services page, and click the List Certificate Authorities link.The page should show information about the Certificate Manager configured to publish CRLs to the Online Certificate Status Manager. The page also summarizes the Online Certificate Status Manager's activity since it was last started.
- Revoke the certificate.
- Verify the certificate in the browser or client. The server should return that the certificate has been revoked.
- Check the Certificate Manager's OCSP-service status again to verify that these things happened:
- The browser sent an OCSP query to the Certificate Manager.
- The Certificate Manager sent an OCSP response to the browser.
- The browser used that response to validate the certificate and returned its status, that the certificate could not be verified.
- Check the independent OCSP service subsystem again to verify that these things happened:
- The Certificate Manager published the CRL to the Online Certificate Status Manager.
- The browser sent an OCSP response to the Online Certificate Status Manager.
- The Online Certificate Status Manager sent an OCSP response to the browser.
- The browser used that response to validate the certificate and returned its status, that the certificate could not be verified.
7.6.3. Setting the Response for Bad Serial Numbers
notFoundAsGood
parameter sets how the OCSP handles a certificate with an invalid serial number. This parameter is enabled by default, which means that if a certificate is present with a bad serial number but the certificate is otherwise valid, the OCSP returns a status of GOOD
for the certificate.
notFoundAsGood
setting. In that case, the OCSP returns a status of UNKNOWN
with a certificate with a bad serial number. The client interprets that as an error and can respond accordingly.
- Open the Online Certificate Status Manager Console.
pkiconsole https://server.example.com:8443/ocsp
- In the Configuration tab, select Online Certificate Status Manager, and then select Revocation Info Stores.
- Select the
defStore
, and click . - Edit the
notFoundAsGood
value. Selecting the checkbox means that the OCSP returns a value ofGOOD
even if the serial number on the certificate is bad. Unselecting the checkbox means that the OCSP sends a value ofUNKNOWN
, which the client can intrepret as an error. - Restart the OCSP Manager.
]# pki-server restart instance-name
Note
pkiconsole
is being deprecated.
7.6.4. Enabling the Certificate Manager's Internal OCSP Service
- Go to the CA's end-entities page. For example:
http
s
://server.example.com:8443/ca/ee/ca
- Find the CA signing certificate.
- Look for the Authority Info Access extension in the certificate, and note the
Location URIName
value, such ashttp
.s
://server.example.com:8443
/ca/ocsp - Update the enrollment profiles to enable the Authority Information Access extension, and set the
Location
parameter to the Certificate Manager's URI. For information on editing the certificate profiles, see Section 3.2, “Setting up Certificate Profiles”. - Restart the CA instance.
]# pki-server restart instance-name
Note
CS.cfg
file and change the value of the ca.ocsp
parameter to false
.
ca.ocsp=false
7.6.5. Submitting OCSP Requests Using the OCSPClient program
]# OCSPClient -h server.example.com -p 8080 -d /etc/pki/pki-tomcat/alias -c "caSigningCert cert-pki-ca" --serial 2 CertID.serialNumber=2 CertStatus=Good
OCSPClient
command can be used with the following command-line options:
Option | Description |
---|---|
-d database | Security database location (default: current directory) |
-h hostname | OCSP server hostname (default: example.com) |
-p port | OCSP server port number (default: 8080) |
-t path | OCSP service path (default: /ocsp/ee/ocsp) |
-c nickname | CA certificate nickname (defaut: CA Signing Certificate) |
-n times | Number of submissions (default: 1) |
--serial serial_number | Serial number of certificate to be checked |
--input input_file | Input file containing DER-encoded OCSP request |
--output output_file | Output file to store DER-encoded OCSP response |
-v, --verbose | Run in verbose mode |
--help | Show help message |
7.6.6. Submitting OCSP Requests Using the GET Method
- Generate an OCSP request for the certificate the status of which is being queried. For example:
]# openssl ocsp -CAfile ca.pem -issuer issuer.pem -serial serial_number -reqout - | base64 MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE=
- Paste the URL in the address bar of a web browser to return the status information. The browser must be able to handle OCSP requests.
https://server.example.com:8443/ocsp/ee/ocsp/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE=
- The OCSP Manager responds with the certificate status which the browser can interpret. The possible statuses are GOOD, REVOKED, and UNKNOWN.
curl
to send the request and openssl
to parse the response. For example:
- Generate an OCSP request for the certificate the status of which is being queried. For example:
]# openssl ocsp -CAfile ca.pem -issuer issuer.pem -serial serial_number -reqout - | base64 MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE=
- Connect to the OCSP Manager using
curl
to send the OCSP request.curl https://server.example.com:8443/ocsp/ee/ocsp/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE= > ocspresp.der
- Parse the response using
openssl
:openssl ocsp -respin ocspresp.der -resp_text
7.6.7. Setting up a Redirect for Certificates Issued in Certificate System 7.1 and Earlier
/ocsp/ee/ocsp/
, is different in Certificate System 10 or Certificate System 8.1 than the location in Certificate System 7.1, which was simply /ocsp/
. In order for certificates issued by a 7.1 or earlier CA with the Authority Information Access extension to be sent to the OCSP, create a redirect to forward the requests to the appropriate URL.
Note
- Stop the OCSP Responder.
]# pki-server stop instance-name
- Change to the OCSP's end user web applications directory. For example:
]# cd /var/lib/pki-ocsp/webapps/ocsp
- Change to the
ROOT/WEB-INF/
directory in theROOT
folder of the OCSP's web applications directory. For example:]# cd /var/lib/pki-ocsp/webapps/ocsp/ROOT/WEB-INF/
- Create and open the
lib/
directory in theROOT
folder of the OCSP's web applications directory.]# mkdir lib ]# cd lib/
- Create a symlink that links back to the
/usr/share/java/pki/cms.jar
JAR file. For example:]# ln -s /usr/share/java/pki/cms.jar cms.jar
- Move up to the main web application directory. For example:
]# cd /var/lib/pki-ocsp/webapps/ocsp/
- Rename the current instance (
ocsp
) directory. For example:]# mv /var/lib/pki-ocsp/webapps/ocsp/ocsp /var/lib/pki-ocsp/webapps/ocsp/ocsp2
- Change to the
WEB-INF/
directory in the originalocsp/
directory. For example:]# cd /var/lib/pki-ocsp/webapps/ocsp/ocsp/WEB-INF
- In the original
ocsp/WEB-INF/
directory, edit theweb.xml
file and add lines mapping between theeeocspAddCRL
andcsadmin-wizard
servlets.<servlet-mapping> <servlet-name> ocspOCSP </servlet-name> <url-pattern> /ee/ocsp/* </url-pattern> </servlet-mapping>
- Create and install the
web.xml
file in theROOT
directory. For example:<?xml version="1.0" encoding="ISO-8859-1"?> <web-app> <display-name>Welcome to Tomcat</display-name> <description> Welcome to Tomcat </description> <servlet> <servlet-name>ocspProxy</servlet-name> <servlet-class>com.netscape.cms.servlet.base.ProxyServlet</servlet-class> <init-param> <param-name>destContext</param-name> <param-value>/ocsp2</param-value> </init-param> <init-param> <param-name>destServlet</param-name> <param-value>/ee/ocsp</param-value> </init-param> </servlet> <servlet> <servlet-name>ocspOther</servlet-name> <servlet-class>com.netscape.cms.servlet.base.ProxyServlet</servlet-class> <init-param> <param-name>destContext</param-name> <param-value>/ocsp2</param-value> </init-param> <init-param> <param-name>srcContext</param-name> <param-value>/ocsp</param-value> </init-param> <init-param> <param-name>destServlet</param-name> <param-value></param-value> </init-param> <init-param> <param-name>matchURIStrings</param-name> <param-value>/ocsp/registry,/ocsp/acl,/ocsp/jobsScheduler,/ocsp/ug,/ocsp/server,/ocsp/log, /ocsp/auths,/ocsp/start,/ocsp/ocsp,/ocsp/services,/ocsp/agent,/ocsp/ee, /ocsp/admin</param-value> </init-param> <init-param> <param-name>destServletOnNoMatch</param-name> <param-value>/ee/ocsp</param-value> </init-param> <init-param> <param-name>appendPathInfoOnNoMatch</param-name> <param-value>/ocsp</param-value> </init-param> </servlet> <servlet-mapping> <servlet-name>ocspProxy</servlet-name> <url-pattern>/ocsp</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>ocspOther</servlet-name> <url-pattern>/ocsp/*</url-pattern> </servlet-mapping> </web-app>
- Edit the
/var/lib/pki-ocsp/conf/context.xml
file, changing the following line:<Context> to <Context crossContext="true" >
- Edit the
/var/lib/pki-ocsp/webapps/ocsp/ocsp2/services.template
file and change the following line:result.recordSet[i].uri); to result.recordSet[i].uri + "/");
- Start the OCSP instance.
]# pki-server start instance-name
Chapter 8. Managing PKI ACME Responder
8.1. Enabling/Disabling ACME Services
- To enable or disable ACME services with basic authentication, specify the username and password:
$ pki -u <username> -p <password> acme-<enable/disable>
- To enable or disable ACME services with client certificate authentication, specify the certificate nickname and NSS database password:
$ pki -n <nickname> -c <password> acme-<enable/disable>
8.2. Checking the Status of PKI ACME Responder
- To check the status of the ACME responder, run the following command:
$ pki acme-info Status: Available Terms of Service: https://www.example.com/acme/tos.pdf Website: https://www.example.com CAA Identities: example.com External Account Required:false
If the services are disabled, the command will show the following result:$ pki acme-info Status: Unavailable
Note
metadata.conf
configuration file.
Part III. Additional Configuration to Manage CA Services
Chapter 9. Publishing Certificates and CRLs
- Configure publishing to a file, LDAP directory, or OCSP responder.There can be a single publisher or multiple publishers, depending on how many locations will be used. The locations can be split by certificates and CRLs or narrower definitions, such as certificate type. Rules determine which type to publish and to what location by being associated with the publisher.
- Set rules to determine what certificates are published to the locations. Any rule which a certificate or CRL matches is activated, so the same certificate can be published to a file and to an LDAP directory by matching a file-based rule and matching a directory-based rule.Rules can be set for each object type: CA certificates, CRLs, user certificates, and cross-pair certificates. Disable all rules that will not be used.
- Configure CRLs. CRLs must be configured before they can be published. See Chapter 7, Revoking Certificates and Issuing CRLs.
- Enable publishing after setting up publishers, mappers, and rules. Once publishing is enabled, the server starts publishing immediately. If the publishers, mappers, and rules are not completely configured, publishing may not work correctly or at all.
9.1. About Publishing
Note
CRL
is set as the type.
/etc/CS/certificates
, the certificate is published as a file to that location. If another rule matches all certificates issued to users, and the rule has a publisher that publishes to the LDAP attribute userCertificate;binary
attribute, the certificate is published to the directory specified when LDAP publishing was enabled in this attribute in the user's entry.
9.1.1. Publishers
9.1.2. Mappers
9.1.3. Rules
9.1.4. Publishing to Files
- For each certificate the server issues, it creates a file that contains the certificate in either DER-encoded or base-64 encoded format. Each file is named either
cert-
serial_number.der
orcert-
serial_number.b64
. The serial_number is the serial number of the certificate contained in the file. For example, the filename for a DER-encoded certificate with the serial number1234
iscert-1234.der
. - Every time the server generates a CRL, it creates a file that contains the new CRL in either DER-encoded or base-64 encoded format. Each file is named either issuing_point_name-this_update
.der
or issuing_point_name-this_update.b64
, depending on the format. The issuing_point_name identifies the CRL issuing point which published the CRL, and this_update specifies the value derived from the time-dependent update value for the CRL contained in the file. For example, the filename for a DER-encoded CRL with the valueThis Update: Friday January 28 15:36:00 PST 2020
, isMasterCRL-20200128-153600.der
.
9.1.5. OCSP Publishing
9.1.6. LDAP Publishing
- For each certificate the server issues, it creates a blob that contains the certificate in its DER-encoded format in the specified attribute of the user's entry. The certificate is published as a DER encoded binary blob.
- Every time the server generates a CRL, it creates a blob that contains the new CRL in its DER-encoded format in the specified attribute of the entry for the CA.
9.2. Configuring Publishing to a File
- Log into the Certificate Manager Console.
pkiconsole https://server.example.com:8443/ca
- In the Configuration tab, select Certificate Manager from the navigation tree on the left. Select Publishing, and then Publishers.The Publishers Management tab, which lists configured publisher instances, opens on the right.
- Click Select Publisher Plug-in Implementation window, which lists registered publisher modules.to open the
- Select the
FileBasedPublisher
module, then open the editor window.This is the module that enables the Certificate Manager to publish certificates and CRLs to files. - Configure the information for publishing the certificate:
- The publisher ID, an alphanumeric string with no spaces like
PublishCertsToFile
- The path to the directory in which the Certificate Manager should publish the files. The path can be an absolute path or can be relative to the Certificate System instance directory. For example,
/export/CS/certificates
. - The file type to publish, by selecting the checkboxes for DER-encoded files, base-64 encoded files, or both.
- For CRLs, the format of the timestamp. Published certificates include serial numbers in their file names, while CRLs use timestamps.
- For CRLs, whether to generate a link in the file to go to the latest CRL. If enabled, the link assumes that the name of the CRL issuing point to use with the extension will be supplied in the crlLinkExt field.
- For CRLs, whether to compress (zip) CRLs and the compression level to use.
Note
pkiconsole
is being deprecated.
9.3. Configuring Publishing to an OCSP
9.3.1. Enabling Publishing to an OCSP with Client Authentication
- Log into the Certificate Manager Console.
pkiconsole https://server.example.com:8443/ca
- In the Configuration tab, select Certificate Manager from the navigation tree on the left. Select Publishing, and then Publishers.
- Click Select Publisher Plug-in Implementation window, which lists registered publisher modules.to open the
- Select the
OCSPPublisher
module, then open the editor window. This is the publisher module that enables the Certificate Manager to publish CRLs to the Online Certificate Status Manager.- The publisher ID must be an alphanumeric string with no spaces, like
PublishCertsToOCSP
. - The host can be the fully-qualified domain name, such as
ocspResponder.example.com
, or an IPv4 or IPv6 address. - The default path is the directory to send the CRL to, like
/ocsp/agent/ocsp/addCRL
. - If client authentication is used (enableClientAuth is checked), then the nickname field gives the nickname of the certificate to use for authentication. This certificate must already exist in the OCSP security database; this will usually be the CA subsystem certificate.
- Create a user entry for the CA on the OCSP Manager. The user is used to authenticate to the OCSP when sending a new CRL. There are two things required:
- Name the OCSP user entry after the CA server, like
CA-
hostname-EEport. - Use whatever certificate was specified in the publisher configuration as the user certificate in the OCSP user account. This is usually the CA's subsystem certificate.
Setting up subsystem users is covered in Section 15.3.2.1, “Creating Users”.
Note
pkiconsole
is being deprecated.
9.4. Configuring Publishing to an LDAP Directory
- Configure the Directory Server to which certificates will be published. Certain attributes have to be added to entries and bind identities and authentication methods have to be configured.
- Configure a publisher for each type of object published: CA certificates, cross-pair certificates, CRLs, and user certificates. The publisher declares in which attribute to store the object. The attributes set by default are the X.500 standard attributes for storing each object type. This attribute can be changed in the publisher, but generally, it is not necessary to change the LDAP publishers.
- Set up mappers to enable an entry's DN to be derived from the certificate's subject name. This generally does not need set for CA certificates, CRLs, and user certificates. There can be more than one mapper set for a type of certificate. This can be useful, for example, to publish certificates for two sets of users from different divisions of a company who are located in different parts of the directory tree. A mapper is created for each of the groups to specify a different branch of the tree.For details about setting up mappers, see Section 9.4.3, “Creating Mappers”.
- Create rules to connect publishers to mappers, as described in Section 9.5, “Creating Rules”.
- Enable publishing, as described in Section 9.6, “Enabling Publishing”.
9.4.1. Configuring the LDAP Directory
- Set up the entry for the CA. For the Certificate Manager to publish its CA certificate and CRL, the directory must include an entry for the CA.
Note
When LDAP publishing is configured, the Certificate Manager automatically creates or converts an entry for the CA in the directory. This option is set in both the CA and CRL mapper instances and enabled by default. If the directory restricts the Certificate Manager from creating entries in the directory, turn off this option in those mapper instances, and add an entry for the CA manually in the directory.When adding the CA's entry to the directory, select the entry type based on the DN of the CA:- If the CA's DN begins with the
cn
component, create a newperson
entry for the CA. Selecting a different type of entry may not allow thecn
component to be specified. - If the CA's DN begins with the
ou
component, create a neworganizationalunit
entry for the CA.
The entry does not have to be in thepkiCA
orcertificationAuthority
object class. The Certificate Manager will convert this entry to thepkiCA
orcertificationAuthority
object class automatically by publishing its CA's signing certificate.Note
ThepkiCA
object class is defined in RFC 4523, while thecertificationAuthority
object class is defined in the (obsolete) RFC 2256. Either object class is acceptable, depending on the schema definitions used by the Directory Server. In some situations, both object classes can be used for the same CA entry.For more information on creating directory entries, see the Red Hat Directory Server documentation. - Add the correct schema elements to the CA and user directory entries.For a Certificate Manager to publish certificates and CRLs to a directory, it must be configured with specific attributes and object classes.
Object Type Schema Reason End-entity certificate userCertificate;binary (attribute) This is the attribute to which the Certificate Manager publishes the certificate.This is a multi-valued attribute, and each value is a DER-encoded binary X.509 certificate. The LDAP object class namedinetOrgPerson
allows this attribute. ThestrongAuthenticationUser
object class allows this attribute and can be combined with any other object class to allow certificates to be published to directory entries with other object classes. The Certificate Manager does not automatically add this object class to the schema table of the corresponding Directory Server.If the directory object that it finds does not allow theuserCertificate;binary
attribute, adding or removing the certificate fails.CA certificate caCertificate;binary (attribute) This is the attribute to which the Certificate Manager publishes the certificate.The Certificate Manager publishes its own CA certificate to its own LDAP directory entry when the server starts. The entry corresponds to the Certificate Manager's issuer name.This is a required attribute of thepkiCA
orcertificationAuthority
object class. The Certificate Manager adds this object class to the directory entry for the CA if it can find the CA's directory entry.CRL certificateRevocationList;binary (attribute) This is the attribute to which the Certificate Manager publishes the CRL.The Certificate Manager publishes the CRL to its own LDAP directory entry. The entry corresponds to the Certificate Manager's issuer name.This is an attribute of thepkiCA
orcertificationAuthority
object class. The value of the attribute is the DER-encoded binary X.509 CRL. The CA's entry must already contain thepkiCA
orcertificationAuthority
object class for the CRL to be published to the entry.Delta CRL deltaRevocationList;binary (attribute) This is the attribute to which the Certificate Manager publishes the delta CRL. The Certificate Manager publishes the delta CRL to its own LDAP directory entry, separate from the full CRL. The delta CRL entry corresponds to the Certificate Manager's issuer name.This attribute belongs to thedeltaCRL
orcertificationAuthority-V2
object class. The value of the attribute is the DER-encoded binary X.509 delta CRL. - Set up a bind DN for the Certificate Manager to use to access the Directory Server.The Certificate Manager user must have read-write permissions to the directory to publish certificates and CRLs to the directory so that the Certificate Manager can modify the user entries with certificate-related information and the CA entry with CA's certificate and CRL related information.The bind DN entry can be either of the following:
- An existing DN that has write access, such as the Directory Manager.
- A new user which is granted write access. The entry can be identified by the Certificate Manager's DN, such as
cn=testCA, ou=Research Dept, o=Example Corporation, st=California, c=US
.Note
Carefully consider what privileges are given to this user. This user can be restricted in what it can write to the directory by creating ACLs for the account. For instructions on giving write access to the Certificate Manager's entry, see the Directory Server documentation.
- Set the directory authentication method for how the Certificate Manager authenticates to Directory Server. There are three options: basic authentication (simple username and password); SSL without client authentication (simple username and password); and SSL with client authentication (certificate-based).See the Red Hat Directory Server documentation for instructions on setting up these methods of communication with the server.
9.4.2. Configuring LDAP Publishers
Publisher | Description |
---|---|
LdapCaCertPublisher | Publishes CA certificates to the LDAP directory. |
LdapCrlPublisher | Publishes CRLs to the LDAP directory. |
LdapDeltaCrlPublisher | Publishes delta CRLs to the LDAP directory. |
LdapUserCertPublisher | Publishes all types of end-entity certificates to the LDAP directory. |
LdapCrossCertPairPublisher | Publishes cross-signed certificates to the LDAP directory. |
9.4.3. Creating Mappers
Mapper | Description |
---|---|
LdapUserCertMap | Locates the correct attribute of user entries in the directory in order to publish user certificates. |
LdapCrlMap | Locates the correct attribute of the CA's entry in the directory in order to publish the CRL. |
LdapCaCertMap | Locates the correct attribute of the CA's entry in the directory in order to publish the CA certificate. |
- Log into the Certificate Manager Console.
pkiconsole https://server.example.com:8443/ca
- In the Configuration tab, select Certificate Manager from the navigation tree on the left. Select Publishing, and then Mappers.The Mappers Management tab, which lists configured mappers, opens on the right.
- To create a new mapper instance, click Select Mapper Plugin Implementation window opens, which lists registered mapper modules. Select a module, and edit it. For complete information about these modules, see Section C.2, “Mapper Plug-in Modules ”.. The
- Edit the mapper instance, and click.See Section C.2, “Mapper Plug-in Modules ” for detailed information about each mapper.
Note
pkiconsole
is being deprecated.
9.4.4. Completing Configuration: Rules and Enabling
9.5. Creating Rules
- Log into the Certificate Manager Console.
pkiconsole https://server.example.com:8443/ca
- In the Configuration tab, select Certificate Manager from the navigation tree on the left. Select Publishing, and then Rules.The Rules Management tab, which lists configured rules, opens on the right.
- To edit an existing rule, select that rule from the list, and click Rule Editor window.. This opens the
- To create a rule, click Select Rule Plug-in Implementation window.. This opens theSelect the
Rule
module. This is the only default module. If any custom modules have been been registered, they are also available. - Edit the rule.
- type. This is the type of certificate for which the rule applies. For a CA signing certificate, the value is
cacert
. For a cross-signed certificate, the value isxcert
. For all other types of certificates, the value iscerts
. For CRLs, specifycrl
. - predicate. This sets the predicate value for the type of certificate or CRL issuing point to which this rule applies. The predicate values for CRL issuing points, delta CRLs, and certificates are listed in Table 9.3, “Predicate Expressions”.
- enable.
- mapper. Mappers are not necessary when publishing to a file; they are only needed for LDAP publishing. If this rule is associated with a publisher that publishes to an LDAP directory, select an appropriate mapper here. Leave blank for all other forms of publishing.
- publisher. Sets the publisher to associate with the rule.
Predicate Type | Predicate |
---|---|
CRL Issuing Point | issuingPointId== Issuing_Point_Instance_ID && isDeltaCRL==[true|false]
To publish only the master CRL, set
isDeltaCRL==false . To publish only the delta CRL, set isDeltaCRL==true . To publish both, set a rule for the master CRL and another rule for the delta CRL.
|
Certificate Profile | profileId== profile_name
To publish certificates based on the profile used to issue them, set
profileId== to a profile name, such as caServerCert .
|
Note
pkiconsole
is being deprecated.
9.6. Enabling Publishing
Note
- Log into the Certificate Manager Console.
pkiconsole https://server.example.com:8443/ca
- In the Configuration tab, select Certificate Manager from the navigation tree on the left. Select Publishing.The right pane shows the details for publishing to an LDAP-compliant directory.
- To enable publishing to a file only, select Enable Publishing.
- To enable LDAP publishing, select both Enable Publishing and Enable Default LDAP Connection.In the Destination section, set the information for the Directory Server instance.
- Host name. If the Directory Server is configured for SSL client authenticated communication, the name must match the
cn
component in the subject DN of the Directory Server's SSL server certificate.The hostname can be the fully-qualified domain name or an IPv4 or IPv6 address. - Port number.
- Directory Manager DN. This is the distinguished name (DN) of the directory entry that has Directory Manager privileges. The Certificate Manager uses this DN to access the directory tree and to publish to the directory. The access control set up for this DN determines whether the Certificate Manager can perform publishing. It is possible to create another DN that has limited read-write permissions for only those attributes that the publishing system actually needs to write.
- Password. This is the password which the CA uses to bind to the LDAP directory to which the certificate or CRL is published. The Certificate Manager saves this password in its
password.conf
file. For example:CA LDAP Publishing:password
Note
The parameter name which identifies the publishing password (CA LDAP Publishing
) is set in the Certificate Manager'sCS.cfg
file in theca.publish.ldappublish.ldap.ldapauth.bindPWPrompt
parameter, and it can be edited. - Client certificate. This sets the certificate the Certificate Manager uses for SSL client authentication to the publishing directory. By default, the Certificate Manager uses its SSL server certificate.
- LDAP version. Select LDAP version 3.
- Authentication. The way the Certificate Manager authenticates to the Directory Server. The choices are
Basic authentication
andSSL client authentication
.If the Directory Server is configured for basic authentication or for SSL communication without client authentication, selectBasic authentication
and specify values for the Directory manager DN and password.If the Directory Server is configured for SSL communication with client authentication, selectSSL client authentication
and theUse SSL communication
option, and identify the certificate that the Certificate Manager must use for SSL client authentication to the directory.
Note
pkiconsole
is being deprecated.
9.7. Enabling a Publishing Queue
Note
pkiconsole
is being deprecated.
Note
Figure 9.1. Enabling the Publishing Queue
Note
CS.cfg
file allows administrators to set other options for publishing, like the number of threads to use for publishing operations and the queue page size.
CS.cfg
file, see the Enabling and Configuring a Publishing Queue section in the Red Hat Certificate System Planning, Installation, and Deployment Guide.
9.8. Setting up Resumable CRL Downloads
9.8.1. Retrieving CRLs Using wget
wget
. The wget
command can be used to retrieve any published CRL. For example, to retrieve a full CRL which is newer than the previous full CRL:
[root@server ~]# wget --no-check-certificate -d https://server.example.com:8443/ca/ee/ca/crl/MasterCRL.bin
wget
are summarized in Table 9.4, “wget Options to Use for Retrieving CRLs”.
Argument | Description |
---|---|
no argument | Retrieves the full CRL. |
-N | Retrieves the CRL that is newer than the local copy (delta CRL). |
-c | Retrieves a partially-downloaded file. |
--no-check-certificate | Skips SSL for the connection, so it is not necessary to configure SSL between the host and client. |
-d | Prints debug information. |
9.9. Publishing Cross-Pair Certificates
crossCertificatePair
entry to an LDAP directory or to a file; this is enabled by default. If this has been disabled, it can be re-enabled through the Certificate Manager Console by doing the following:
- Open the CA console.
pkiconsole https://server.example.com:8443/ca
- In the Configuration tab, select the Certificate Manager link in the left pane, then the Publishing link.
- Click the Rules link under Publishing. This opens the Rules Management pane on the right.
- If the rule exists and has been disabled, select the enable checkbox. If the rule has been deleted, then click and create a new rule.
- Select xcerts from the type drop-down menu.
- Make sure the enable checkbox is selected.
- Select LdapCaCertMap from the mapper drop-down menu.
- Select LdapCrossCertPairPublisher from the publisher drop-down menu.
LdapCaCertMap
, by default designates that the crossCertificatePair
be stored to the LdapCaSimpleMap
LDAP entry. The publisher, LDAPCrossPairPublisher
, by default sets the attribute to store the cross-pair certificate in the CA entry to crossCertificatePair;binary
.
Note
pkiconsole
is being deprecated.