Index
A
- active logs
- default file location, Configuring Subsystem Logs
- message categories, Services That Are Logged
- adding
- extensions
- to CRLs, Setting CRL Extensions
- administrators
- creating, Creating Users
- deleting, Deleting a Certificate System User
- modifying
- group membership, Changing Members in a Group
- sudo permissions for, Setting sudo Permissions for Certificate System Services
- tools provided
- Certificate System console, Using pkiconsole for CA, OCSP, KRA, and TKS Subsystems
- agent certificate
- agents
- creating, Creating Users
- deleting, Deleting a Certificate System User
- enrolling users in person, Certificate Revocation Pages
- modifying
- group membership, Changing Members in a Group
- role defined, Agents
- See also Agent Services interface, Agents
- archiving
- rotated log files, Log File Rotation
- auditors
- creating, Creating Users
- authentication
- during certificate revocation, User-Initiated Revocation
- managing through the Console, Setting up PIN-Based Enrollment
- authentication modules
- agent initiated user enrollment, Certificate Revocation Pages
- deleting, Registering Custom Authentication Plug-ins
- registering new ones, Registering Custom Authentication Plug-ins
- authorityInfoAccess, authorityInfoAccess
- authorityKeyIdentifier, Setting Restrictions on CA Certificates , authorityKeyIdentifier, authorityKeyIdentifier
B
- backing up the Certificate System, Backing up and Restoring Certificate System
- backups, Backing up and Restoring Certificate System
- base-64 encoded file
- viewing content, Viewing Certificates and CRLs Published to File
- basicConstraints, basicConstraints
- bridge certificates, Using Cross-Pair Certificates
- buffered logging, Buffered and Unbuffered Logging
C
- CA
- configuring ECC signing algorithm, Setting the Signing Algorithms for Certificates
- enabling SCEP enrollments, Enabling SCEP Enrollments
- SCEP settings, Configuring Security Settings for SCEP
- CA certificate mapper, LdapCaSimpleMap
- CA certificate publisher, LdapCaCertPublisher, LdapCertificatePairPublisher
- CA signing certificate, CA Signing Key Pair and Certificate
- changing trust settings of, Changing the Trust Settings of a CA Certificate
- deleting, Deleting Certificates from the Database
- nickname, CA Signing Key Pair and Certificate
- requesting, Requesting Certificates through the Console
- viewing details of, Viewing Database Content through the Console
- certificate
- viewing content, Viewing Certificates and CRLs Published to File
- certificate chains
- installing in the certificate database, Installing Certificates through the Console
- why install, About CA Certificate Chains
- certificate database
- how to manage, Managing the Certificate Database
- what it contains, Managing the Certificate Database
- where it is maintained, Managing the Certificate Database
- Certificate Manager
- administrators
- creating, Creating Users
- agents
- creating, Creating Users
- configuring
- SMTP settings for notifications, Configuring a Mail Server for Certificate System Notifications
- key pairs and certificates
- CA signing certificate, CA Signing Key Pair and Certificate
- OCSP signing certificate, OCSP Signing Key Pair and Certificate
- SSL server certificate, SSL Server Key Pair and Certificate
- subsystem certificate, Subsystem Certificate
- TLS CA signing certificate, OCSP Signing Key Pair and Certificate
- manual updates to publishing directory, Updating Certificates and CRLs in a Directory
- serial number range, Changing the Restrictions for CAs on Issuing Certificates
- certificate profiles
- signing algorithms, Setting the Signing Algorithms for Certificates
- certificate renewal, Configuring Profiles to Enable Renewal
- certificate revocation
- authentication during, User-Initiated Revocation
- reasons for, Reasons for Revoking a Certificate
- who can revoke certificates, Reasons for Revoking a Certificate
- Certificate Setup Wizard
- using to install certificate chains, Installing Certificates through the Console
- using to install certificates, Installing Certificates through the Console
- Certificate System
- backing up, Backing up and Restoring Certificate System
- restoring, Backing up and Restoring the Instance Directory
- Certificate System console
- Configuration tab, Using pkiconsole for CA, OCSP, KRA, and TKS Subsystems
- managing logs, Viewing Logs in the Console
- Status tab, Using pkiconsole for CA, OCSP, KRA, and TKS Subsystems
- Certificate System Console
- configuring authentication, Setting up Directory-Based Authentication, Setting up PIN-Based Enrollment
- Certificate System data
- where it is stored, Configuring the LDAP Database
- certificateIssuer, certificateIssuer
- certificatePolicies, certificatePoliciesExt
- certificates
- extensions for, Setting Restrictions on CA Certificates , Defaults, Constraints, and Extensions for Certificates and CRLs
- how to revoke, Reasons for Revoking a Certificate
- installing, Installing Certificates in the Certificate System Database
- publishing to files, Publishing to Files
- publishing to LDAP directory
- required schema, Configuring the LDAP Directory
- revocation reasons, Reasons for Revoking a Certificate
- signing algorithms, Setting the Signing Algorithms for Certificates
- certutil
- requesting certificates, Creating Certificate Signing Requests
- changing
- group members, Changing Members in a Group
- trust settings in certificates, Changing the Trust Settings of a CA Certificate
- why would you change, Changing the Trust Settings of a CA Certificate
- command-line utilities
- for adding extensions to Certificate System certificates, Requesting Signing Certificates, Requesting Other Certificates
- Configuration tab, Using pkiconsole for CA, OCSP, KRA, and TKS Subsystems
- CRL
- viewing content, Viewing Certificates and CRLs Published to File
- CRL Distribution Point extension, CRL Issuing Points
- CRL extension modules
- CRLReason, Freshest CRL Extension Default
- CRL publisher, LdapCrlPublisher
- CRL signing certificate, About Revoking Certificates
- requesting, Requesting Certificates through the Console
- cRLDistributionPoints, CRLDistributionPoints
- CRLNumber, CRLNumber
- CRLReason, CRLReason
- CRLs
- defined, About Revoking Certificates
- entering multiple update times, Configuring CRLs for Each Issuing Point
- entering update period, Configuring CRLs for Each Issuing Point
- extension-specific modules, About CRL Extensions
- extensions for, Standard X.509 v3 CRL Extensions Reference
- issuing or distribution points, CRL Issuing Points
- publishing of, About Revoking Certificates
- publishing to files, Publishing to Files
- publishing to LDAP directory, Publishing CRLs, LDAP Publishing
- required schema, Configuring the LDAP Directory
- supported extensions, About Revoking Certificates
- when automated updates take place, About Revoking Certificates
- when generated, About Revoking Certificates
- who generates it, About Revoking Certificates
- cross-pair certificates, Using Cross-Pair Certificates
D
- deleting
- authentication modules, Registering Custom Authentication Plug-ins
- log modules, Managing Log Modules
- mapper modules, Registering Custom Mapper and Publisher Plug-in Modules
- privileged users, Deleting a Certificate System User
- publisher modules, Registering Custom Mapper and Publisher Plug-in Modules
- deltaCRLIndicator, deltaCRLIndicator
- DER-encoded file
- viewing content, Viewing Certificates and CRLs Published to File
- directory
- removing expired certificates from, unpublishExpiredCerts (UnpublishExpiredJob)
- DN components mapper, LdapDNCompsMap
- downloading certificates, Installing Certificates in the Certificate System Database
E
- ECC
- configuring, Setting the Signing Algorithms for Certificates
- requesting, Creating Certificate Signing Requests
- encrypted file system (EFS), Extended Key Usage Extension Default
- end-entity certificate publisher, LdapUserCertPublisher
- end-entity certificates
- enrollment
- agent initiated, Certificate Revocation Pages
- Enterprise Security Client, Enterprise Security Client
- Error log
- defined, Tomcat Error and Access Logs
- expired certificates
- removing from the directory, unpublishExpiredCerts (UnpublishExpiredJob)
- Extended Key Usage extension
- OIDs for encrypted file system, Extended Key Usage Extension Default
- extensions, Setting Restrictions on CA Certificates , Defaults, Constraints, and Extensions for Certificates and CRLs
- an example, Standard X.509 v3 Certificate Extension Reference
- authorityInfoAccess, authorityInfoAccess
- authorityKeyIdentifier, Setting Restrictions on CA Certificates , authorityKeyIdentifier, authorityKeyIdentifier
- basicConstraints, basicConstraints
- CA certificates and, Setting Restrictions on CA Certificates
- certificateIssuer, certificateIssuer
- certificatePolicies, certificatePoliciesExt
- cRLDistributionPoints, CRLDistributionPoints
- CRLNumber, CRLNumber
- CRLReason, CRLReason
- deltaCRLIndicator, deltaCRLIndicator
- extKeyUsage, extKeyUsage
- invalidityDate, invalidityDate
- issuerAltName, issuerAltName Extension, issuerAltName
- issuingDistributionPoint, issuingDistributionPoint
- keyUsage, keyUsage
- nameConstraints, nameConstraints
- netscape-cert-type, netscape-cert-type
- Netscape-defined, Netscape-Defined Certificate Extensions Reference
- policyConstraints, policyConstraints
- policyMappings, policyMappings
- privateKeyUsagePeriod, privateKeyUsagePeriod
- subjectAltName, subjectAltName
- subjectDirectoryAttributes, subjectDirectoryAttributes
- tool for joining, Requesting Signing Certificates, Requesting Other Certificates
- tools for generating, Requesting Signing Certificates, Requesting Other Certificates
- X.509 certificate, summarized, Standard X.509 v3 Certificate Extension Reference
- X.509 CRL, summarized, Standard X.509 v3 CRL Extensions Reference
- extKeyUsage, extKeyUsage
F
- Federal Bridge Certificate Authority, Using Cross-Pair Certificates
- file-based publisher, FileBasedPublisher
- flush interval for logs, Buffered and Unbuffered Logging
G
- groups
- changing members, Changing Members in a Group
H
- host name
- for mail server used for notifications, Configuring a Mail Server for Certificate System Notifications
- how to revoke certificates, Reasons for Revoking a Certificate
I
- installing certificates, Installing Certificates in the Certificate System Database
- internal database
- default hostname, Changing the Internal Database Configuration
- precaution for changing the hostname, Changing the Internal Database Configuration
- defined, Configuring the LDAP Database
- how to distinguish from other Directory Server instances, Restricting Access to the Internal Database
- name format, Restricting Access to the Internal Database
- schema, Configuring the LDAP Database
- what is it used for, Configuring the LDAP Database
- when installed, Configuring the LDAP Database
- invalidityDate, invalidityDate
- IPv6
- and SCEP certificates, Generating the SCEP Certificate for a Router
- issuerAltName, issuerAltName Extension, issuerAltName
- issuingDistributionPoint, issuingDistributionPoint
J
- job modules
- registering new ones, Registering a Job Module
- jobs
- built-in modules
- unpublishExpiredCerts, unpublishExpiredCerts (UnpublishExpiredJob)
- compared to plug-in implementation, About Automated Jobs
- configuring job notification messages, Customizing CA Notification Messages, Setting up Automated Jobs
- setting frequency, Setting up the Job Scheduler
- specifying schedule for, Frequency Settings for Automated Jobs
- turning on scheduler, Setting up the Job Scheduler
K
- Key Recovery Authority
- administrators
- creating, Creating Users
- agents
- creating, Creating Users
- key pairs and certificates
- list of, Key Recovery Authority Certificates
- storage key pair, Storage Key Pair
- subsystem certificate, Subsystem Certificate
- transport certificate, Transport Key Pair and Certificate
- keyUsage, keyUsage
- KRA transport certificate
- requesting, Requesting Certificates through the Console
L
- LDAP publishing
- defined, LDAP Publishing
- manual updates, Updating Certificates and CRLs in a Directory
- when to do, Manually Updating Certificates in the Directory
- who can do this, Updating Certificates and CRLs in a Directory
- location of
- active log files, Configuring Subsystem Logs
- log modules
- deleting, Managing Log Modules
- registering new ones, Managing Log Modules
- logging
- buffered vs. unbuffered, Buffered and Unbuffered Logging
- log files
- archiving rotated files, Log File Rotation
- default location, Configuring Subsystem Logs
- signing rotated files, Signing Log Files
- timing of rotation, Log File Rotation
- log levels, Log Levels (Message Categories)
- default selection, Log Levels (Message Categories)
- how they relate to message categories, Log Levels (Message Categories)
- significance of choosing the right level, Log Levels (Message Categories)
- managing from Certificate System console, Viewing Logs in the Console
- services that are logged, Services That Are Logged
- types of logs, Configuring Subsystem Logs
- Error, Tomcat Error and Access Logs
M
- mail server used for notifications, Configuring a Mail Server for Certificate System Notifications
- managing
- certificate database, Managing the Certificate Database
- mapper modules
- deleting, Registering Custom Mapper and Publisher Plug-in Modules
- registering new ones, Registering Custom Mapper and Publisher Plug-in Modules
- mappers
- created during installation, Creating Mappers, LdapCaSimpleMap, LdapSimpleMap
- mappers that use
- CA certificate, LdapCaSimpleMap
- DN components, LdapDNCompsMap
- modifying
- privileged user's group membership, Changing Members in a Group
N
- Name extension modules
- Issuer Alternative Name, Issuer Alternative Name Extension Default
- nameConstraints, nameConstraints
- naming convention
- for internal database instances, Restricting Access to the Internal Database
- netscape-cert-type, netscape-cert-type
- nickname
- for CA signing certificate, CA Signing Key Pair and Certificate
- for OCSP signing certificate, OCSP Signing Key Pair and Certificate
- for signing certificate, OCSP Signing Key Pair and Certificate
- for SSL server certificate, SSL Server Key Pair and Certificate, SSL Server Key Pair and Certificate
- for subsystem certificate, Subsystem Certificate, Subsystem Certificate, Subsystem Certificate
- for TLS signing certificate, OCSP Signing Key Pair and Certificate
- notifications
- configuring the mail server
- to agents about unpublishing certificates, unpublishExpiredCerts (UnpublishExpiredJob)
O
- OCSP publisher, OCSPPublisher
- OCSP signing certificate, OCSP Signing Key Pair and Certificate
- nickname, OCSP Signing Key Pair and Certificate
- requesting, Requesting Certificates through the Console
- Online Certificate Status Manager
- administrators
- creating, Creating Users
- agents
- creating, Creating Users
- key pairs and certificates
- signing certificate, OCSP Signing Key Pair and Certificate
- SSL server certificate, SSL Server Key Pair and Certificate
- subsystem certificate, Subsystem Certificate
P
- PIN Generator tool
- delivering PINs to users, Setting up PIN-Based Enrollment
- plug-in modules
- for CRL extensions
- CRLReason, Freshest CRL Extension Default
- for publishing
- FileBasedPublisher, FileBasedPublisher
- LdapCaCertPublisher, LdapCaCertPublisher, LdapCertificatePairPublisher
- LdapCaSimpleMap, LdapCaSimpleMap
- LdapCrlPublisher, LdapCrlPublisher
- LdapDNCompsMap, LdapDNCompsMap
- LdapUserCertPublisher, LdapUserCertPublisher
- OCSPPublisher, OCSPPublisher
- for scheduling jobs
- unpublishExpiredCerts, unpublishExpiredCerts (UnpublishExpiredJob)
- Issuer Alternative Name, Issuer Alternative Name Extension Default
- policyConstraints, policyConstraints
- policyMappings, policyMappings
- ports
- for the mail server used for notifications, Configuring a Mail Server for Certificate System Notifications
- privateKeyUsagePeriod, privateKeyUsagePeriod
- privileged users
- deleting, Deleting a Certificate System User
- modifying privileges
- group membership, Changing Members in a Group
- types
- agents, Agents
- profiles
- how profiles work , The Enrollment Profile
- publisher modules
- deleting, Registering Custom Mapper and Publisher Plug-in Modules
- registering new ones, Registering Custom Mapper and Publisher Plug-in Modules
- publishers
- created during installation, Configuring LDAP Publishers, LdapCaCertPublisher, LdapUserCertPublisher, LdapCertificatePairPublisher
- publishers that can publish to
- CA's entry in the directory, LdapCaCertPublisher, LdapCrlPublisher, LdapCertificatePairPublisher
- files, FileBasedPublisher
- OCSP responder, OCSPPublisher
- users' entries in the directory, LdapUserCertPublisher
- publishing
- of certificates
- to files, Publishing to Files
- of CRLs, About Revoking Certificates
- to files, Publishing to Files
- to LDAP directory, Publishing CRLs, LDAP Publishing
- queue, Enabling a Publishing Queue
- (see also publishing queue)
- viewing content, Viewing Certificates and CRLs Published to File
- publishing directory
- defined, LDAP Publishing
- publishing queue, Enabling a Publishing Queue
- enabling, Enabling a Publishing Queue
R
- reasons for revoking certificates, Reasons for Revoking a Certificate
- registering
- authentication modules, Registering Custom Authentication Plug-ins
- custom OIDs, Standard X.509 v3 Certificate Extension Reference
- job modules, Registering a Job Module
- log modules, Managing Log Modules
- mapper modules, Registering Custom Mapper and Publisher Plug-in Modules
- publisher modules, Registering Custom Mapper and Publisher Plug-in Modules
- requesting certificates
- agent certificate, Requesting and Receiving a Certificate through the End-Entities Page
- CA signing certificate, Requesting Certificates through the Console
- CRL signing certificate, Requesting Certificates through the Console
- ECC certificates, Creating Certificate Signing Requests
- KRA transport certificate, Requesting Certificates through the Console
- OCSP signing certificate, Requesting Certificates through the Console
- SSL client certificate, Requesting Certificates through the Console
- SSL server certificate, Requesting Certificates through the Console
- through the Console, Requesting Certificates through the Console
- through the end-entities page, Requesting and Receiving a Certificate through the End-Entities Page
- user certificate, Requesting and Receiving a Certificate through the End-Entities Page
- using certutil, Creating Certificate Signing Requests
- restarting
- subsystem instance, Starting, Stopping, and Restarting a PKI Instance
- sudo permissions for administrators, Setting sudo Permissions for Certificate System Services
- without the java security manager, Starting a Subsystem Instance without the Java Security Manager
- restore, Backing up and Restoring the Instance Directory
- restoring the Certificate System, Backing up and Restoring the Instance Directory
- revoking certificates
- reasons, Reasons for Revoking a Certificate
- who can revoke certificates, Reasons for Revoking a Certificate
- roles
- agent, Agents
- rotating log files
- archiving files, Log File Rotation
- how to set the time, Log File Rotation
- signing files, Signing Log Files
- RSA
- configuring, Setting the Signing Algorithms for Certificates
S
- SCEP
- enabling, Enabling SCEP Enrollments
- setting allowed algorithms, Configuring Security Settings for SCEP
- setting nonce sizes, Configuring Security Settings for SCEP
- using a separate authentication certificate, Configuring Security Settings for SCEP
- SCEP certificates
- setting CRL extensions, Setting CRL Extensions
- signing
- rotated log files, Signing Log Files
- signing algorithms, Setting the Signing Algorithms for Certificates
- ECC certificates, Setting the Signing Algorithms for Certificates
- RSA certificates, Setting the Signing Algorithms for Certificates
- signing certificate, OCSP Signing Key Pair and Certificate
- changing trust settings of, Changing the Trust Settings of a CA Certificate
- deleting, Deleting Certificates from the Database
- nickname, OCSP Signing Key Pair and Certificate
- viewing details of, Viewing Database Content through the Console
- SMTP settings, Configuring a Mail Server for Certificate System Notifications
- SSL client certificate
- requesting, Requesting Certificates through the Console
- SSL server certificate, SSL Server Key Pair and Certificate, SSL Server Key Pair and Certificate
- changing trust settings of, Changing the Trust Settings of a CA Certificate
- deleting, Deleting Certificates from the Database
- nickname, SSL Server Key Pair and Certificate, SSL Server Key Pair and Certificate
- requesting, Requesting Certificates through the Console
- viewing details of, Viewing Database Content through the Console
- starting
- subsystem instance, Starting, Stopping, and Restarting a PKI Instance
- sudo permissions for administrators, Setting sudo Permissions for Certificate System Services
- without the java security manager, Starting a Subsystem Instance without the Java Security Manager
- Status tab, Using pkiconsole for CA, OCSP, KRA, and TKS Subsystems
- stoping
- subsystem instance
- sudo permissions for administrators, Setting sudo Permissions for Certificate System Services
- stopping
- subsystem instance, Starting, Stopping, and Restarting a PKI Instance
- storage key pair, Storage Key Pair
- subjectAltName, subjectAltName
- subjectDirectoryAttributes, subjectDirectoryAttributes
- subjectKeyIdentifier
- subjectKeyIdentifier, subjectKeyIdentifier
- subsystem certificate, Subsystem Certificate, Subsystem Certificate, Subsystem Certificate
- subsystems for tokens
- Enterprise Security Client, A Review of Certificate System Subsystems
- sudo
- permissions for administrators, Setting sudo Permissions for Certificate System Services
T
- templates
- for notifications, Customizing CA Notification Messages
- timing log rotation, Log File Rotation
- TLS CA signing certificate, OCSP Signing Key Pair and Certificate
- nickname, OCSP Signing Key Pair and Certificate
- Token Key Service
- administrators
- creating, Creating Users
- agents
- creating, Creating Users
- Token Management System
- Enterprise Security Client, Enterprise Security Client
- tokens
- changing password of, Changing a Token's Password
- managing, Managing Tokens Used by the Subsystems
- viewing which tokens are installed, Viewing Tokens
- TPS
- setting profiles, Setting Profiles for Users
- users, Creating and Managing Users for a TPS
- transport certificate, Transport Key Pair and Certificate
- changing trust settings of, Changing the Trust Settings of a CA Certificate
- deleting, Deleting Certificates from the Database
- viewing details of, Viewing Database Content through the Console
- trusted managers
- deleting, Deleting a Certificate System User
- modifying
- group membership, Changing Members in a Group
U
- unbuffered logging, Buffered and Unbuffered Logging
- user certificate
- users
- creating, Creating Users
W
- why to revoke certificates, Reasons for Revoking a Certificate