Chapter 13. Managing subsystem certificates


This chapter gives an overview of using certificates: what types and formats are available, how to request and create them through the HTML end-entity forms and through the Certificate System Console, and how to install certificates in the Certificate System and on different clients. Additionally, there is information on managing certificates through the Console and configuring the servers to use them.

13.1. Required subsystem certificates

Each subsystem has a defined set of certificates which must be issued to the subsystem instance for it to perform its operations. There are certain details of the certificate contents that are set during the Certificate Manager configuration, with different considerations for constraints, settings, and attributes depending on the types of certificates.

13.1.1. Certificate Manager certificates

When a Certificate Manager is installed, the keys and requests for the CA signing certificate, SSL server certificate, and OCSP signing certificate are generated. The certificates are created before the configuration can be completed.

The CA certificate request is either submitted as a self-signing request to the CA, which then issues the certificate and finishes creating the self-signed root CA, or is submitted to a third-party public CA or another Certificate System CA. When the external CA returns the certificate, the certificate is installed, and installation of the subordinate CA is completed.

13.1.1.1. CA signing key pair and certificate

Every Certificate Manager has a CA signing certificate with a public key corresponding to the private key the Certificate Manager uses to sign the certificates and CRLs it issues. This certificate is created and installed when the Certificate Manager is installed. The default nickname for the certificate is caSigningCert cert-instance_ID CA, where instance_ID identifies the Certificate Manager instance. The default validity period for the certificate is five years.

The subject name of the CA signing certificate reflects the name of the CA that was set during installation. All certificates signed or issued by the Certificate Manager include this name to identify the issuer of the certificate.

The Certificate Manager’s status as a root or subordinate CA is determined by whether its CA signing certificate is self-signed or is signed by another CA, which affects the subject name on the certificates.

  • If the Certificate Manager is a root CA, its CA signing certificate is self-signed, meaning the subject name and issuer name of the certificate are the same.
  • If the Certificate Manager is a subordinate CA, its CA signing certificate is signed by another CA, usually the one that is a level above in the CA hierarchy (which may or may not be a root CA). The root CA’s signing certificate must be imported into individual clients and servers before the Certificate Manager can be used to issue certificates to them.
Note

The CA name cannot be changed or all previously-issued certificates are invalidated. Similarly, reissuing a CA signing certificate with a new key pair invalidates all certificates that were signed by the old key pair.

13.1.1.2. OCSP signing key pair and certificate

The subject name of the OCSP signing certificate is in the form cn=OCSP cert-instance_ID CA, and it contains extensions, such as OCSPSigning and OCSPNoCheck, required for signing OCSP responses.

The default nickname for the OCSP signing certificate is ocspSigningCert cert-instance_ID CA, where instance_ID CA identifies the Certificate Manager instance.

The OCSP private key, corresponding to the OCSP signing certificate’s public key, is used by the Certificate Manager to sign the OCSP responses to the OCSP-compliant clients when queried about certificate revocation status.

13.1.1.3. Subsystem certificate

Every member of the security domain is issued a server certificate to use for communications among other domain members, which is separate from the server SSL certificate. This certificate is signed by the security domain CA; for the security domain CA itself, its subsystem certificate is signed by itself.

The default nickname for the certificate is subsystemCert cert-instance_ID.

13.1.1.4. SSL server key pair and certificate

Every Certificate Manager has at least one SSL server certificate that was first generated when the Certificate Manager was installed. The default nickname for the certificate is Server-Cert cert-instance_ID, where instance_ID identifies the Certificate Manager instance.

By default, the Certificate Manager uses a single SSL server certificate for authentication. However, additional server certificates can be requested to use for different operations, such as configuring the Certificate Manager to use separate server certificates for authenticating to the end-entity services interface and agent services interface.

If the Certificate Manager is configured for SSL-enabled communication with a publishing directory, it uses its SSL server certificate for client authentication to the publishing directory by default. The Certificate Manager can also be configured to use a different certificate for SSL client authentication.

13.1.1.5. Audit log signing key pair and certificate

The CA keeps a secure audit log of all events which occurred on the server. To guarantee that the audit log has not been tampered with, the log file is signed by a special log signing certificate.

The audit log signing certificate is issued when the server is first configured.

13.1.2. Online Certificate Status Manager certificates

When the Online Certificate Status Manager is first configured, the keys for all required certificates are created, and the certificate requests for the OCSP signing, SSL server, audit log signing, and subsystem certificates are made. These certificate requests are submitted to a CA (either a Certificate System CA or a third-party CA) and must be installed in the Online Certificate Status Manager database to complete the configuration process.

13.1.2.1. OCSP signing key pair and certificate

Every Online Certificate Status Manager has a certificate, the OCSP signing certificate, which has a public key corresponding to the private key the Online Certificate Status Manager uses to sign OCSP responses. The Online Certificate Status Manager’s signature provides persistent proof that the Online Certificate Status Manager has processed the request. This certificate is generated when the Online Certificate Status Manager is configured. The default nickname for the certificate is ocspSigningCert cert-instance_ID, where instance_ID OSCP is the Online Certificate Status Manager instance name.

13.1.2.2. SSL server key pair and certificate

Every Online Certificate Status Manager has at least one SSL server certificate which was generated when the Online Certificate Status Manager was configured. The default nickname for the certificate is Server-Cert cert-instance_ID, where instance_ID identifies the Online Certificate Status Manager instance name.

The Online Certificate Status Manager uses its server certificate for server-side authentication for the Online Certificate Status Manager agent services page.

The Online Certificate Status Manager uses a single server certificate for authentication purposes. Additional server certificates can be installed and used for different purposes.

13.1.2.3. Subsystem certificate

Every member of the security domain is issued a server certificate to use for communications among other domain members, which is separate from the server SSL certificate. This certificate is signed by the security domain CA.

The default nickname for the certificate is subsystemCert cert-instance_ID.

13.1.2.4. Audit log signing key pair and certificate

The OCSP keeps a secure audit log of all events which occurred on the server. To guarantee that the audit log has not been tampered with, the log file is signed by a special log signing certificate.

The audit log signing certificate is issued when the server is first configured.

13.1.2.5. Recognizing Online Certificate Status Manager certificates

Depending on the CA which signed the Online Certificate Status Manager’s SSL server certificate, it may be necessary to get the certificate and issuing CA recognized by the Certificate Manager.

  • If the Online Certificate Status Manager’s server certificate is signed by the CA that is publishing CRLs, then nothing needs to be done.
  • If the Online Certificate Status Manager’s server certificate is signed by the same root CA that signed the subordinate Certificate Manager’s certificates, then the root CA must be marked as a trusted CA in the subordinate Certificate Manager’s certificate database.
  • If the Online Certificate Status Manager’s SSL server certificate is signed by a different root CA, then the root CA certificate must be imported into the subordinate Certificate Manager’s certificate database and marked as a trusted CA.

If the Online Certificate Status Manager’s server certificate is signed by a CA within the selected security domain, the certificate chain is imported and marked when the Online Certificate Status Manager is configured. No other configuration is required. However, if the server certificate is signed by an external CA, the certificate chain has to be imported for the configuration to be completed.

Note

Not every CA within the security domain is automatically trusted by the OCSP Manager when it is configured. Every CA in the certificate chain of the CA configured in the CA panel is, however, trusted automatically by the OCSP Manager. Other CAs within the security domain but not in the certificate chain must be added manually.

13.1.3. Key Recovery Authority certificates

The KRA uses the following key pairs and certificates:

13.1.3.1. Transport key pair and certificate

Every KRA has a transport certificate. The public key of the key pair that is used to generate the transport certificate is used by the client software to encrypt an end entity’s private encryption key before it is sent to the KRA for archival; only those clients capable of generating dual-key pairs use the transport certificate.

13.1.3.2. Storage key pair

Every KRA has a storage key pair. The KRA uses the public component of this key pair to encrypt (or wrap) private encryption keys when archiving the keys. It uses the private component to decrypt (or unwrap) the archived key during recovery. For more information on how this key pair is used, see Chapter 4, Setting up key archival and recovery.

Keys encrypted with the storage key can be retrieved only by authorized key recovery agents.

13.1.3.3. SSL server certificate

Every Certificate System KRA has at least one SSL server certificate. The first SSL server certificate is generated when the KRA is configured. The default nickname for the certificate is Server-Cert cert-instance_ID, where instance_id identifies the KRA instance is installed.

The KRA’s SSL server certificate was issued by the CA to which the certificate request was submitted, which can be a Certificate System CA or a third-party CA. To view the issuer name, open the certificate details in the System Keys and Certificates option in the KRA Console.

The KRA uses its SSL server certificate for server-side authentication to the KRA agent services interface. By default, the Key Recovery Authority uses a single SSL server certificate for authentication. However, additional SSL server certificates can be requested and installed for the KRA.

13.1.3.4. Subsystem certificate

Every member of the security domain is issued a server certificate to use for communications among other domain members, which is separate from the server SSL certificate. This certificate is signed by the security domain CA.

The default nickname for the certificate is subsystemCert cert-instance_ID.

13.1.3.5. Audit log signing key pair and certificate

The KRA keeps a secure audit log of all events which occurred on the server. To guarantee that the audit log has not been tampered with, the log file is signed by a special log signing certificate.

The audit log signing certificate is issued when the server is first configured.

13.1.4. TKS certificates

The TKS has three certificates. The SSL server and subsystem certificates are used for standard operations. An additional signing certificate is used to protect audit logs.

13.1.4.1. SSL server certificate

Every Certificate System TKS has at least one SSL server certificate. The first SSL server certificate is generated when the TKS is configured. The default nickname for the certificate is Server-Cert cert-instance_ID.

13.1.4.2. Subsystem certificate

Every member of the security domain is issued a server certificate to use for communications among other domain members, which is separate from the server SSL certificate. This certificate is signed by the security domain CA.

The default nickname for the certificate is subsystemCert cert-instance_ID.

13.1.4.3. Audit log signing key pair and certificate

The TKS keeps a secure audit log of all events which occurred on the server. To guarantee that the audit log has not been tampered with, the log file is signed by a special log signing certificate.

The audit log signing certificate is issued when the server is first configured.

13.1.5. TPS Certificates

The TPS only uses three certificates: a server certificate, subsystem certificate, and audit log signing certificate.

13.1.5.1. SSL server certificate

Every Certificate System TPS has at least one SSL server certificate. The first SSL server certificate is generated when the TPS is configured. The default nickname for the certificate is Server-Cert cert-instance_ID.

13.1.5.2. Subsystem certificate

Every member of the security domain is issued a server certificate to use for communications among other domain members, which is separate from the server SSL certificate. This certificate is signed by the security domain CA.

The default nickname for the certificate is subsystemCert cert-instance_ID.

13.1.5.3. Audit log signing key pair and certificate

The TPS keeps a secure audit log of all events which occurred on the server. To guarantee that the audit log has not been tampered with, the log file is signed by a special log signing certificate.

The audit log signing certificate is issued when the server is first configured.

13.1.6. About subsystem certificate key types

When you create a new instance, you can specify the key type and key size in the configuration file passed to the pkispawn utility.

Example 13.1. Key type-related Configuration Parameters for a CA

The following are key type-related parameters including example values. You can set these parameters in the configuration file which you pass to pkispawn when creating a new CA.

pki_ocsp_signing_key_algorithm=SHA256withRSA
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa

pki_ca_signing_key_algorithm=SHA256withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa

pki_sslserver_key_algorithm=SHA256withRSA
pki_sslserver_key_size=2048
pki_sslserver_key_type=rsa

pki_subsystem_key_algorithm=SHA256withRSA
pki_subsystem_key_size=2048
pki_subsystem_key_type=rsa

pki_admin_keysize=2048
pki_admin_key_size=2048
pki_admin_key_type=rsa

pki_audit_signing_key_algorithm=SHA256withRSA
pki_audit_signing_key_size=2048
pki_audit_signing_key_type=rsa
Note

The values in the example are for a CA. Other subsystems require different parameters.

For further details, see:

13.1.7. Using an HSM to store subsystem certificates

By default, keys and certificates are stored in locally-managed databases, key4.db and cert9.db, respectively, in the /var/lib/pki/instance_name/alias directory. However, Red Hat Certificate System also supports hardware security modules (HSM), external devices which can store keys and certificates in a centralized place on the network. Using an HSM can make some functions, like cloning, easier because the keys and certificates for the instance are readily accessible.

When an HSM is used to store certificates, then the HSM name is prepended to the certificate nickname, and the full name is used in the subsystem configuration, such as the server.xml file. For example:

serverCert="nethsm:Server-Cert cert-instance_ID
Note

A single HSM can be used to store certificates and keys for mulitple subsystem instances, which may be installed on multiple hosts. When an HSM is used, any certificate nickname for a subsystem must be unique for every subsystem instance managed on the HSM.

Certificate System supports two types of HSM, nShield Connect XC and Luna.

13.2. Renewing subsystem certificates

For details about renewing subsystem certificates, see Section 3.4.1, “The renewal process”.

The process for renewing a subsystem certificate is the same as for renewing a user certificate.

To renew a system certificate, submit the request using the corresponding enrollment profile when using the HttpClient utility. For details about the different system certificate profiles, see Section 5.3.2.1, “Obtaining system and server certificates”.

13.2.1. Renewing certificates using certutil

certutil can be used to generate a certificate request using an existing key pair in the certificate database. The new certificate request can then be submitted through the regular profile pages for the CA to issue a renewed certificate.

Note

Encryption and signing certificates are created in a single step. However, the renewal process only renews one certificate at a time.

To renew both certificates in a certificate pair, each one has to be renewed individually.

  1. Get the password for the token database.

    # cat /var/lib/pki/instance_name/conf/password.conf
    
    internal=263163888660
  2. Open the certificate database directory of the instance whose certificate is being renewed.

    # cd /var/lib/pki/instance_name/alias
  3. List the key and nickname for the certificate being renewed. In order to renew a certificate, the key pairs used to generate and the subject name given to the new certificate must be the same as the one in the old certificate.

    # certutil -K -d .
    
    certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
    Enter Password or Pin for "NSS Certificate DB":
    < 0> rsa      69481646e38a6154dc105960aa24ccf61309d37d   caSigningCert cert-pki-tomcat CA
  4. Copy the alias directory as a backup, then delete the original certificate from the certificate database. For example:

    # certutil -D -n "ServerCert cert-example" -d .
  5. Run the certutil command with the options set to the values in the existing certificate.

    # certutil -d . -R -n "NSS Certificate DB:cert-pki-tomcat CA" -s "cn=CA Authority,o=Example Domain" -a -o example.req2.txt

    The difference between generating a new certificate and key pair and renewing the certificate is the value of the -n option. To generate an entirely new request and key pair, then -k sets the key type and is used with -g, which sets the bit length. For a renewal request, the -n option uses the certificate nickname to access the existing key pair stored in the security database.

    For further details about the parameters, see the certutil(1) man page.

  6. Submit the certificate request and then retrieve it and install it, as described in Section 5.3, “Requesting and receiving certificates using CMC”.

13.2.2. Renewing expired Certificate System server certificates

Certificate System does not automatically renew its server certificates online while the PKI server is running. In general, administrators should renew the system certificates before they expire. However, if a system certificate expires, Certificate System will fail to start.

To renew system certificates after expiration, you can set up a temporary server certificate:

  1. If the system certificate is expired:

    1. Create a temporary certificate:

      # pki-server cert-create sslserver --temp
    2. Import the temporary certificate into Certificate System’s Network Security Services (NSS) database:

      # pki-server cert-import sslserver
    3. Start Certificate System:

      # pki-server start instance_name
  2. Display the certificates and note the ID of the expired system certificate:

    # pki-server cert-find
  3. Create the new permanent certificate:

    # pki-server cert-create certificate_ID
  4. Stop Certificate System:

    # pki-server stop instance_name
  5. Import the new certificate to replace the expired certificate:

    # pki-server cert-import certificate_ID
  6. Start Certificate System:

    # pki-server start instance_name

13.3. Changing the Names of Subsystem Certificates

One alternative to renewing certificates is replacing them with new certificates, meaning that a new certificate is generated with new keys. Generally, a new certificate can be added to the database and the old one deleted, a simple one-to-one swap. This is possible because the individual subsystem servers identify certificates based on their nickname; as long as the certificate nickname remains the same, the server can find the required certificate even if other factors -like the subject name, serial number, or key -are different.

However, in some situations, the new certificate may have a new certificate nickname, as well. In that case, the certificate nickname needs to be updated in all of the required settings in the subsystem’s CS.cfg configuration file.

Important

Always restart a subsystem after editing the CS.cfg file.

These tables list all of the configuration parameters for each of the subsystem’s certificates:

Table 13.1. CA certificate nickname parameters

CA Signing Certificate

  • ca.cert.signing.nickname
  • ca.signing.cacertnickname
  • ca.signing.certnickname
  • ca.signing.nickname
  • cloning.signing.nickname

OCSP Signing Certificate

  • ca.ocsp_signing.cacertnickname
  • ca.ocsp_signing.certnickname
  • ca.cert.ocsp_signing.nickname
  • ca.ocsp_signing.nickname
  • cloning.ocsp_signing.nickname

Subsystem Certificate

  • ca.cert.subsystem.nickname
  • ca.subsystem.nickname
  • cloning.subsystem.nickname
  • pkiremove.cert.subsystem.nickname

Server Certificate

  • ca.sslserver.nickname
  • ca.cert.sslserver.nickname

Audit Signing Certificate

  • ca.audit_signing.nickname
  • ca.cert.audit_signing.nickname
  • cloning.audit_signing.nickname
Table 13.2. KRA certificate nickname parameters

Transport Certificate

  • cloning.transport.nickname
  • kra.cert.transport.nickname
  • kra.transport.nickname
  • tks.kra_transport_cert_nickname

    Note that this parameter is in the TKS configuration file. This needs to be changed in the TKS configuration if the KRA transport certificate nickname changes, even if the TKS certificates all stay the same.

Storage Certificate

  • cloning.storage.nickname
  • kra.storage.nickname
  • kra.cert.storage.nickname

Server Certificate

  • kra.cert.sslserver.nickname
  • kra.sslserver.nickname

Subsystem Certificate

  • cloning.subsystem.nickname
  • kra.cert.subsystem.nickname
  • kra.subsystem.nickname
  • pkiremove.cert.subsystem.nickname

Audit Log Signing Certificate

  • cloning.audit_signing.nickname
  • kra.cert.audit_signing.nickname
  • kra.audit_signing.nickname
Table 13.3. OCSP certificate nickname parameters

OCSP Signing Certificate

  • cloning.signing.nickname
  • ocsp.signing.certnickname
  • ocsp.signing.cacertnickname
  • ocsp.signing.nickname

Server Certificate

  • ocsp.cert.sslserver.nickname
  • ocsp.sslserver.nickname

Subsystem Certificate

  • cloning.subsystem.nickname
  • ocsp.subsystem.nickname
  • ocsp.cert.subsystem.nickname
  • pkiremove.cert.subsystem

Audit Log Signing Certificate

  • cloning.audit_signing.nickname
  • ocsp.audit_signing.nickname
  • ocsp.cert.audit_signing.nickname
Table 13.4. TKS certificate nickname parameters

KRA Transport Certificate[a]

  • tks.kra_transport_cert_nickname

Server Certificate

  • tks.cert.sslserver.nickname
  • tks.sslserver.nickname

Subsystem Certificate

  • cloning.subsystem.nickname
  • tks.cert.subsystem.nickname
  • tks.subsystem.nickname
  • pkiremove.cert.subsystem.nickname

Audit Log Signing Certificate

  • cloning.audit_signing.nickname
  • tks.audit_signing.nickname
  • tks.cert.audit_signing.nickname
[a] This needs to be changed in the TKS configuration if the KRA transport certificate nickname changes, even if the TKS certificates all stay the same.
Table 13.5. TPS nickname parameters in CS.cfg

Server Certificate

  • tps.cert.sslserver.nickname

Subsystem Certificate

  • tps.cert.subsystem.nickname
  • selftests.plugin.TPSValidity.nickname
  • selftests.plugin.TPSPresence.nickname
  • pkiremove.cert.subsystem.nickname

Audit Log Signing Certificate

  • tps.cert.audit_signing.nickname

13.4. Using cross-pair certificates

In the late 1990s, as the US government began enhancing its public key infrastructure, it became apparent that branches of government with their own, separate PKI deployments still needed to be able to recognize and trust each others certificates as if the certificates were issued from their own CA. (The method of getting certificates trusted outside a network for external clients to use is a serious, not easily resolved issue for any PKI administrator.)

The US government devised a standard for issuing cross-pair certificates called the Federal Bridge Certificate Authority. These certificates are also called bridge certificates, for obvious reasons. Bridge or cross-pair certificates are CA signing certificate that are framed as dual certificate pairs, similar to encryption and signing certificate pairs for users, only each certificate in the pair is issued by a different CA. Both partner CAs store the other CA signing certificate in its database, so all of the certificates issued within the other PKI are trusted and recognized.

Bridging certificates honors certificates issued by a CA that is not chained to the root CA in its own PKI. By establishing a trust between the Certificate System CA and another CA through a cross-pair CA certificate, the cross-pair certificate can be downloaded and used to trust the certificates issued by the other CA, just as downloading and installing a single CA certificate trusts all certificates issued by the CA.

The Certificate System can issue, import, and publish cross-pair CA certificates. A special profile must be created for issuing cross-pair certificates, and then the certificates can be requested and installed for the CA using the Certificate Wizard for the CA subsystem.

For more information on creating cross-pair certificate profiles, see the Configuring Cross-Pair profiles in the Planning, Installation and Deployment Guide (Common Criteria Edition).

For more information on publishing cross-pair certificates, see Section 7.8, “Publishing cross-pair certificates”.

13.4.1. Installing cross-pair certificates

Both cross-pair certificates can be imported into the Certificate System databases using the certutil tool or by selecting the Cross-Pair Certificates option from the Certificate Setup Wizard, as described in Section 13.5.1, “Installing certificates in the Certificate System database”.

When both certificates have been imported into the database, a crossCertificatePair entry is formed and stored in the database. The original individual cross-pair CA certificates are deleted once the crossCertificatePair entry is created.

13.4.2. Searching for cross-pair certificates

Both CAs in bridge certificates can store or publish the cross-pair certificates as a crossCertificatePair entry in an LDAP database. The Certificate Manager’s internal database can be searched for the crossCertificatePair entry with ldapsearch.

/usr/lib[64]/mozldap/ldapsearch -D "cn=directory manager" -w secret -p 389 -h server.example.com -b "o=server.example.com-pki-ca" -s sub "(crossCertificatePair=*)"

13.5. Managing the certificate database

Each Certificate System instance has a certificate database, which is maintained in its internal token. This database contains certificates belonging to the subsystem installed in the Certificate System instance and various CA certificates the subsystems use for validating the certificates they receive.

Even if an external token is used to generate and store key pairs, Certificate System always maintains its list of trusted and untrusted CA certificates in its internal token.

This section explains how to view the contents of the certificate database, delete unwanted certificates, and change the trust settings of CA certificates installed in the database using the Certificate System window. For information on adding certificates to the database, see Section 13.5.1, “Installing certificates in the Certificate System database”.

Note

The Certificate System command-line utility certutil can be used to manage the certificate database by editing trust settings and adding and deleting certificates. For details about this tool, see http://www.mozilla.org/projects/security/pki/nss/tools/.

Administrators should periodically check the contents of the certificate database to make sure that it does not include any unwanted CA certificates. For example, if the database includes CA certificates that should not ever be trusted within the PKI setup, delete them.

13.5.1. Installing certificates in the Certificate System database

If new server certificates are issued for a subsystem, they must be installed in that subsystem database. Additionally, user and agent certificates must be installed in the subsystem databases. If the certificates are issued by an external CA, then usually the corresponding CA certificate or certificate chain needs to be installed.

Certificates can be installed in the subsystem certificate database through the Console’s Certificate Setup Wizard or using the certutil utility.

13.5.1.1. Installing certificates through the console

Note

pkiconsole is being deprecated and will be replaced by a new browser-based UI in a future major release. Although pkiconsole will continue to be available until the replacement UI is released, we encourage using the command line equivalent of pkiconsole at this time, as the pki CLI will continue to be supported and improved upon even when the new browser-based UI becomes available in the future.

The Certificate Setup Wizard can install or import the following certificates into either an internal or external token used by the Certificate System instance:

  • Any of the certificates used by a Certificate System subsystem
  • Any trusted CA certificates from external CAs or other Certificate System CAs
  • Certificate chains

A certificate chain includes a collection of certificates: the subject certificate, the trusted root CA certificate, and any intermediate CA certificates needed to link the subject certificate to the trusted root. However, the certificate chain the wizard imports must include only CA certificates; none of the certificates can be a user certificate.

In a certificate chain, each certificate in the chain is encoded as a separate DER-encoded object. When the wizard imports a certificate chain, it imports these objects one after the other, all the way up the chain to the last certificate, which may or may not be the root CA certificate. If any of the certificates in the chain are already installed in the local certificate database, the wizard replaces the existing certificates with the ones in the chain. If the chain includes intermediate CA certificates, the wizard adds them to the certificate database as untrusted CA certificates.

The subsystem console uses the same wizard to install certificates and certificate chains. To install certificates in the local security database, do the following:

  1. Open the console.

    # pkiconsole -d nssdb -n 'optional client cert nickname' https://server.example.com:secure_port/subsystem_type
  2. In the Configuration tab, select System Keys and Certificates from the left navigation tree.
  3. There are two tabs where certificates can be installed, depending on the subsystem type and the type of certificate.

    • The CA Certificates tab is for installing CA certificates and certificate chains. For Certificate Managers, this tab is used for third-party CA certificates or other Certificate System CA certificates; all of the local CA certificates are installed in the Local Certificates tab. For all other subsystems, all CA certificates and chains are installed through this tab.
    • The Local Certificates tab is where all server certificates, subsystem certificates, and local certificates such as OCSP signing or KRA transport are installed.

    Select the appropriate tab.

  4. To install a certificate in the Local Certificates tab, click Add/Renew. To install a certificate in the CA Certificates tab, click Add. Both will open the Certificate Setup Wizard.

    1. When the wizard opens, select the Install a certificate radio button, and click Next.
    2. Select the type of certificate to install. The options for the drop-down menu are the same options available for creating a certificate, depending on the type of subsystem, with the additional option to install a cross-pair certificate.
    3. Paste in the certificate body, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, into the text area, or specify the absolute file location; this must be a local file.

      The certificate will look like the following:

      -----BEGIN CERTIFICATE-----
      MIICKzCCAZSgAwIBAgIBAzANgkqkiG9w0BAQQFADA3MQswCQYDVQQGEw
      JVUzERMA8GA1UEChMITmV0c2NhcGUxFTATBgNVBAsTDFN1cHJpeWEncy
      BDQTAeFw05NzEwMTgwMTM2MjVaFw05OTEwMTgwMTM2MjVaMEgxCzAJBg
      NVBAYTAlVTMREwDwYDVQQKEwhOZXRzY2FwZTENMAsGA1UECxMEUHawcz
      EXMBUGA1UEAxMOU3Vwcml5YSBTaGV0dHkwgZ8wDQYJKoZIhdfNAQEBBQ
      ADgY0AMIGJAoGBAMr6eZiPGfjX3uRJgEjmKiqG7SdATYzBcABu1AVyd7
      chRFOGD3wNktbf6hRo6EAmM5R1Askzf8AW7LiQZBcrXpc0k4du+2j6xJ
      u2MPm8WKuMOTuvzpo+SGXelmHVChEqooCwfdiZywyZNmgaMa2MS6pUkf
      QVAgMBAAGjNjA0MBEGCWCGSAGG+EIBAQQEAwIAgD
      -----END CERTIFICATE-----
  5. The wizard displays the certificate details. Review the fingerprint to make sure this is the correct certificate, or use the Back button to go back and submit a different one. Give a nickname for the certificate.

    The wizard installs the certificate.

  6. Any CA that signed the certificate must be trusted by the subsystem. Make sure that this CA’s certificate exists in the subsystem’s certificate database (internal or external) and that it is trusted.

    If the CA certificate is not listed, add the certificate to the certificate database as a trusted CA. If the CA’s certificate is listed but untrusted, change the trust setting to trusted, as shown in Section 13.6, “Changing the trust settings of a CA certificate”.

    When installing a certificate issued by a CA that is not stored in the Certificate System certificate database, add that CA’s certificate chain to the database. To add the CA chain to the database, copy the CA chain to a text file, start the wizard again, and install the CA chain.

13.5.1.2. Installing certificates using certutil

To install subsystem certificates in the Certificate System instance’s security databases using certutil, do the following:

  1. Open the subsystem’s security database directory.

    # cd /var/lib/pki/instance_name/alias
  2. Run the certutil command with the -A to add the certificate and -i pointing to the file containing the certificate issued by the CA.

    # certutil -A -n cert-name -t trustargs -d . -a -i certificate_file
    Note

    If the Certificate System instance’s certificates and keys are stored on an HSM, then specify the token name using the -h option.

    For example:

    certutil -A -n "ServerCert cert-instance_name" -t u,u,u -d . -a -i /tmp/example.cert

For information about using the certutil command, see http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.

13.5.1.3. About CA certificate chains

Any client or server software that supports certificates maintains a collection of trusted CA certificates in its certificate database. These CA certificates determine which other certificates the software can validate. In the simplest case, the software can validate only certificates issued by one of the CAs for which it has a certificate. It is also possible for a trusted CA certificate to be part of a chain of CA certificates, each issued by the CA above it in a certificate hierarchy.

The first certificate in the chain is processed in a context-specific manner, which varies according to how it is being imported. For Mozilla Firefox, this handling depends upon the MIME content type used on the object being downloaded. For Red Hat servers, it depends upon the options selected in the server administration interface.

Subsequent certificates are all treated the same. If the certificates contain the SSL-CA bit in the Netscape Certificate Type certificate extension and do not already exist in the local certificate database, they are added as untrusted CAs. They can be used for certificate chain validation as long as there is a trusted CA somewhere in the chain.

13.5.1.4. Viewing database content

The certificates stored in the subsystem certificates database, cert9.db, can be viewed through the subsystem administrative console. Alternatively, the certificates can be listed using the certutil utility. certutil must be used to view the TPS certificates because the TPS subsystem does not use an administrative console.

Note

The certificates listed in the cert9.db database are the subsystem certificates used for subsystem operations. User certificates are stored with the user entries in the LDAP internal database.

13.5.1.4.1. Viewing Database Content through the Console
Note

pkiconsole is being deprecated and will be replaced by a new browser-based UI in a future major release. Although pkiconsole will continue to be available until the replacement UI is released, we encourage using the command line equivalent of pkiconsole at this time, as the pki CLI will continue to be supported and improved upon even when the new browser-based UI becomes available in the future.

To view the contents of the database through the administrative console, do the following:

  1. Open the subsystem console.

    # pkiconsole -d nssdb -n 'optional client cert nickname' https://server.example.com:secure_port/subsystem_type
  2. In the Configuration tab, select System Keys and Certificates from the left navigation tree.
  3. There are two tabs, CA Certificates and Local Certificates, which list different kinds of certificates.

    • CA Certificates lists CA certificates for which the corresponding private key material is not available, such as certificates issued by third-party CAs such as Entrust or Verisign or external Certificate System Certificate Managers.
    • Local Certificates lists certificates kept by the Certificate System subsystem instance, such as the KRA transport certificate or OCSP signing certificate.

    .Certificate database tab image::cert-db1.png[]

  4. The Certificate Database Management table lists the all of the certificates installed on the subsystem. The following information is supplied for each certificate:

    • Certificate Name
    • Serial Number
    • Issuer Names, the common name (cn) of the issuer of this certificate.
    • Token Name, the name of the cryptographic token holding the certificate; for certificate stored in the database, this is internal.

To view more detailed information about the certificate, select the certificate, and click View. This opens a window which shows the serial number, validity period, subject name, issuer name, and certificate fingerprint of the certificate.

13.5.1.5. Viewing database content using certutil

To view the certificates in the subsystem database using certutil, open the instance’s certificate database directory, and run the certutil with the -L option. For example:

cd /var/lib/pki/instance_name/alias
certutil -L -d .

Certificate Authority - Example Domain    CT,c,
subsystemCert cert-instance name          u,u,u
Server-Cert cert-instance_name            u,u,u

To view the keys stored in the subsystem databases using certutil, run the certutil with the -K option. For example:

cd /var/lib/pki/instance_name/alias
certutil -K -d .

Enter Password or Pin for "NSS Certificate DB":
<0> subsystemCert cert-instance_name
1
<2> Server-Cert cert-instance_name

For information about using the certutil command, see http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.

13.5.2. Deleting certificates from the database

Removing unwanted certificates reduces the size of the certificate database.

Note

When deleting CA certificates from the certificate database, be careful not to delete the intermediate CA certificates, which help a subsystem chain up to the trusted CA certificate. If in doubt, leave the certificates in the database as untrusted CA certificates; see Section 13.6, “Changing the trust settings of a CA certificate”.

13.5.2.1. Deleting certificates through the console

Note

pkiconsole is being deprecated and will be replaced by a new browser-based UI in a future major release. Although pkiconsole will continue to be available until the replacement UI is released, we encourage using the command line equivalent of pkiconsole at this time, as the pki CLI will continue to be supported and improved upon even when the new browser-based UI becomes available in the future.

To delete a certificate through the Console, do the following:

  1. Open the subsystem console.

    # pkiconsole -d nssdb -n 'optional client cert nickname' https://server.example.com:secure_port/subsystem_type
  2. In the Configuration tab, select System Keys and Certificates from the left navigation tree.
  3. Select the certificate to delete, and click Delete.
  4. When prompted, confirm the deletion.

13.5.2.2. Deleting certificates using certutil

To delete a certificate from the database using certutil:

  1. Open the instance’s certificate databases directory.

    /var/lib/pki/instance_name/alias
  2. List the certificates in the database by running the certutil with the -L option. For example:

    # certutil -L -d .
    
    Certificate Authority - Example Domain    CT,c,
    subsystemCert cert-instance_name          u,u,u
    Server-Cert cert-instance_name            u,u,u
  3. Delete the certificate by running the certutil with the -D option.

    # certutil -D -d . -n certificate_nickname

    For example:

    # certutil -D -d . -n "ServerCert cert-instance_name"
  4. List the certificates again to confirm that the certificate was removed.

    # certutil -L -d .
    
    Certificate Authority - Example Domain    CT,c,
    subsystemCert cert-instance_name          u,u,u

For information about using the certutil command, see http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.

13.6. Changing the trust settings of a CA certificate

Certificate System subsystems use the CA certificates in their certificate databases to validate certificates received during an SSL-enabled communication.

It can be necessary to change the trust settings on a CA stored in the certificate database, temporarily or permanently. For example, if there is a problem with access or compromised certificates, marking the CA certificate as untrusted prevents entities with certificates signed by that CA from authenticating to the Certificate System. When the problem is resolved, the CA can be marked as trusted again.

To untrust a CA permanently, consider removing its certificate from the trust database. For instructions, see Section 13.5.2, “Deleting certificates from the database”.

13.6.1. Changing trust settings through the console

Note

pkiconsole is being deprecated and will be replaced by a new browser-based UI in a future major release. Although pkiconsole will continue to be available until the replacement UI is released, we encourage using the command line equivalent of pkiconsole at this time, as the pki CLI will continue to be supported and improved upon even when the new browser-based UI becomes available in the future.

To change the trust setting of a CA certificate, do the following:

  1. Open the subsystem console.

    # pkiconsole -d nssdb -n 'optional client cert nickname' https://server.example.com:secure_port/subsystem_type
  2. In the Configuration tab, System Keys and Certificates from the left navigation tree.
  3. Select the CA certificates tab.
  4. Select the CA certificate to modify, and click Edit.
  5. A prompt opens which reads The Certificate chain is (un)trusted, are you sure you want to (un)trust it?

    Clicking yes changes the trust setting of the certificate chain; pressing no preserves the original trust relationship.

13.6.2. Changing trust settings using certutil

To change the trust setting of a certificate using certutil, do the following:

  1. Open the instance’s certificate databases directory.

    # cd /var/lib/pki/instance_name/alias
  2. List the certificates in the database by running the certutil with the -L option. For example:

    # certutil -L -d .
    
    Certificate Authority - Example Domain    CT,c,
    subsystemCert cert-instance_name          u,u,u
    Server-Cert cert-instance_name            u,u,u
  3. Change the trust settings for the certificate by running the certutil with the -M option.

    # certutil -M -n cert_nickname -t trust -d .

    For example:

    # certutil -M -n "Certificate Authority - Example Domain" -t TCu,TCu,TCu -d .
  4. List the certificates again to confirm that the certificate trust was changed.

    # certutil -L -d .
    
    Certificate Authority - Example Domain    CTu,CTu,CTu
    subsystemCert cert-instance_name          u,u,u
    Server-Cert cert-instance_name            u,u,u

For information about using the certutil command, see http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.

13.7. Managing tokens used by the subsystems

Certificate System manages two groups of tokens: tokens used by the subsystems to perform PKI tasks and tokens issued through the subsystem. These management tasks refer specifically to tokens that are used by the subsystems.

13.7.1. Detecting tokens

To see if a token can be detected by Certificate System to be installed or configured, use the TokenInfo utility. For example:

TokenInfo /var/lib/pki/instance_name/alias
Database Path: /var/lib/pki/instance_name/alias
Found external module 'NSS Internal PKCS #11 Module'

This utility will return all tokens which can be detected by the Certificate System, not only tokens which are installed in the Certificate System.

13.7.1.1. Viewing tokens

To view a list of the tokens currently installed for a Certificate System instance, use the modutil utility.

  1. Open the instance alias directory. For example:

    cd /var/lib/pki/instance_name/alias
  2. Show the information about the installed PKCS #11 modules installed as well as information on the corresponding tokens using the modutil tool.

    modutil -dbdir . -nocertdb -list

13.7.2. Changing a token’s password

The token, internal or external, that stores the key pairs and certificates for the subsystems is protected (encrypted) by a password. To decrypt the key pairs or to gain access to them, enter the token password. This password is set when the token is first accessed, usually during Certificate System installation.

It is good security practice to change the password that protects the server’s keys and certificates periodically. Changing the password minimizes the risk of someone finding out the password. To change a token’s password, use the certutil command-line utility.

For information about certutil, see http://www.mozilla.org/projects/security/pki/nss/tools/.

The single sign-on password cache stores token passwords in the password.conf file. This file must be manually updated every time the token password is changed. For more information on managing passwords through the password.conf file, see 9.3 Managing system passwords in the Planning, Installation and Deployment Guide (Common Criteria Edition).

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.