Chapter 5. Red Hat Certificate System 9.3
This section describes changes in Red Hat Certificate System 9.3.
5.1. Supported Platforms
This section describes the different server platforms, hardware, tokens, and software supported by Red Hat Certificate System 9.3.
5.1.1. Server Support
Running the Certificate Authority (CA), Key Recovery Authority (KRA), Online Certificate Status Protocol (OCSP), Token Key Service (TKS), and Token Processing System (TPS) subsystems of Certificate System 9.3 is supported on Red Hat Enterprise Linux 7.5 and later. The supported Directory Server version is 10.2 and later.
Note
Certificate System 9.3 is supported running on a Red Hat Enterprise Linux virtual guest on a certified hypervisor. For details, see the Which hypervisors are certified to run Red Hat Enterprise Linux? solution article.
5.1.2. Client Support
The Enterprise Security Client (ESC) is supported on:
- Red Hat Enterprise Linux 7.
- The latest versions of Red Hat Enterprise Linux 5 and 6. Although these platforms do not support Red Hat Certificate System 9.3, those clients can be used with the Token Management System (TMS) in Red Hat Certificate System 9.3.
5.1.3. Supported Web Browsers
Certificate System 9.3 supports the following browsers:
Platform | Agent Services | End User Pages
---|---|---
Red Hat Enterprise Linux | Firefox 52 and later [a] | Firefox 52 and later [a]
Windows 7 | Firefox 52 and later [a] | Firefox 52 and later; Internet Explorer 10 [b]

[a] This Firefox version no longer supports the crypto web object used to generate and archive keys from the browser. As a result, expect limited functionality in this area.

[b] Internet Explorer 11 is currently not supported by Red Hat Certificate System 9 because the enrollment code for this web browser depends upon Visual Basic Script, which has been deprecated in Internet Explorer 11.
Note
The only fully-supported browser for the HTML-based instance configuration is Mozilla Firefox.
5.1.4. Supported Smart Cards
The Enterprise Security Client (ESC) supports Global Platform 2.01-compliant smart cards and JavaCard 2.1 or higher.
The Certificate System subsystems have been tested using the following tokens:
- Gemalto TOP IM FIPS CY2 64K token (SCP01)
- Giesecke & Devrient (G&D) SmartCafe Expert 6.0 (SCP03)
- SafeNet Assured Technologies SC-650 (SCP01)
The only card manager applet supported with Certificate System is the CoolKey applet, which is part of the pki-tps package in Red Hat Certificate System.
5.1.5. Supported Hardware Security Modules
The following table lists Hardware Security Modules (HSM) supported by Red Hat Certificate System:
HSM | Firmware | Appliance Software | Client Software
---|---|---|---
Thales nCipher nShield Connect 6000 | 2.61.2 | CipherTools-linux64-dev-12.30.00 | CipherTools-linux64-dev-12.30.00
Gemalto SafeNet Luna SA 1700 / 7000 (limited support [a]) | 6.24.0 | 6.2.0-15 | libcryptoki-6.2.x86_64

[a] For details about supported features, see Section 5.1.5.1, “Gemalto SafeNet Luna SA 1700 / 7000 (limited)”.
5.1.5.1. Gemalto SafeNet Luna SA 1700 / 7000 (limited)
This section provides information on supported features when using the Gemalto SafeNet Luna SA 1700 / 7000 HSM.
Gemalto SafeNet Luna SA supports PKI private key extraction only in its CKE - Key Export model, and only in non-FIPS mode. Neither the Luna SA Cloning model nor the CKE - Key Export model running in FIPS mode supports PKI private key extraction.
- CL - Cloning Model
  - Cloning of symmetric keys and objects: Possible to other Luna SAs/G5 or Luna Backup HSM
  - Cloning of asymmetric (private) keys and objects: Possible to other Luna SAs/G5 or Luna Backup HSM
  - Replication of symmetric keys and objects: All symmetric keys and objects are replicated when configured in an HA group
  - Replication of asymmetric keys and objects: All asymmetric keys and objects are replicated when configured in an HA group
  - Wrapping private (asymmetric) keys off the HSM: Not possible

Figure 5.1. Example of a Cloning Model

- CKE - Key Export Model
  - Cloning of symmetric keys and objects: Possible to other Luna SAs/G5 or Luna Backup HSM
  - Cloning of asymmetric (private) keys and objects: Not possible
  - Replication of symmetric keys and objects: All symmetric keys and objects are replicated when configured in an HA group
  - Replication of asymmetric keys and objects: Not possible
  - Wrapping private (asymmetric) keys off the HSM: Possible

Figure 5.2. Example of a Key Export Model