Chapter 1. Red Hat Certificate System 10


This section contains general information about Red Hat Certificate System 10, such as the supported platforms and system requirements, installation notes, and deprecations.

Important

Red Hat Certificate System 10 packages and their dependencies are provided on Red Hat Enterprise Linux 8 via the redhat-pki module.

1.1. Prerequisites

Installing Red Hat Certificate System 10 requires Red Hat Enterprise Linux 8. For details on how to install Red Hat Enterprise Linux 8, see Performing a standard RHEL installation.

1.2. Hardware Requirements

This section describes the minimal and recommended hardware for Red Hat Certificate System 10. Note that, depending on your environment, more resources might be required.

1.2.1. Minimal Requirements

  • CPU: 2 threads
  • RAM: 2 GB
  • Disk space: 20 GB

The minimal requirements are based on the Red Hat Enterprise Linux 8 minimal requirements. For details, see Red Hat Enterprise Linux technology capabilities and limits.

1.3. Supported platforms

This section describes the different server platforms, hardware, tokens, and software supported by Red Hat Certificate System 10.

1.3.1. Server Support

Running the Certificate Authority (CA), Key Recovery Authority (KRA), Online Certificate Status Protocol (OCSP), Token Key Service (TKS), and Token Processing System (TPS) subsystems of Red Hat Certificate System 10 is supported on Red Hat Enterprise Linux 8. Each Red Hat Certificate System 10 minor release is tested and released on a specific Red Hat Enterprise Linux 8 minor version. Additionally, each minor version of Red Hat Certificate System is also tested against a specific version of Red Hat Directory Server. The following table shows the minor versions tested and supported with Red Hat Certificate System.

Table 1.1. Versions of Red Hat Enterprise Linux and Red Hat Directory Server supported and tested with Red Hat Certificate System 10.x versions
| Red Hat Certificate System version | Red Hat Enterprise Linux version | Red Hat Directory Server version |
|---|---|---|
| 10.0 | 8.2 | 11.1 |
| 10.1 | 8.3 | 11.2 |
| 10.2 | 8.4 | 11.3 |
| 10.3 | 8.5 | 11.4 |
| 10.4 | 8.6 | 11.5 |

Note

Red Hat Certificate System 10 is supported running on a Red Hat Enterprise Linux 8 virtual guest on a certified hypervisor. For details, see the Which hypervisors are certified to run RHEL? solution article.

1.3.2. Client Support

The Enterprise Security Client (ESC) is supported on:

  • Red Hat Enterprise Linux 8.
  • The latest versions of Red Hat Enterprise Linux 6 and 7.

    Although these platforms do not support Red Hat Certificate System 10, these clients can be used with the Token Management System (TMS) in Red Hat Certificate System 10.

1.3.3. Supported Web Browsers

Red Hat Certificate System 10 supports the following browsers:

Table 1.2. Supported Web Browsers by Platform
| Platform | Agent Services | End User Pages |
|---|---|---|
| Red Hat Enterprise Linux | Firefox 60 and later [a] | Firefox 60 and later |

[a] This Firefox version no longer supports the crypto web object used to generate and archive keys from the browser. As a result, expect limited functionality in this area.

Note

The only fully-supported browser for the HTML-based instance configuration is Mozilla Firefox.

1.3.4. Supported Smart Cards

The Enterprise Security Client (ESC) supports Global Platform 2.01-compliant smart cards and JavaCard 2.1 or higher.

The Certificate System subsystems have been tested using the following tokens:

  • Gemalto TOP IM FIPS CY2 64K token (SCP01)
  • Giesecke & Devrient (G&D) SmartCafe Expert 7.0 (SCP03)
  • SafeNet Assured Technologies SC-650 (SCP01)

The only card manager applet supported with Certificate System is the CoolKey applet, which is part of the pki-tps package in Red Hat Certificate System.

1.3.5. Supported Hardware Security Modules

The following table lists Hardware Security Modules (HSM) supported by Red Hat Certificate System.

| HSM | Firmware | Appliance Software | Client Software |
|---|---|---|---|
| nCipher nShield Connect XC (High) | nShield_HSM_Firmware-12.72.1 | 12.71.0 | SecWorld_Lin64-12.71.0 |
| Thales TCT Luna Network HSM Luna-T7 | lunafw_update-7.11.1-4 | 7.11.0-25 | 610-500244-001_LunaClient-7.11.1-5 |

1.4. Quickstart for installing RHCS subsystems

The following procedure describes the prerequisites and the basic installation process for Red Hat Certificate System 10.

Prerequisites

Procedure

  1. Register the system to a Customer Portal account using Red Hat Subscription Manager (RHSM), then list the subscriptions available on this account for the system you registered:

    $ subscription-manager register
    $ subscription-manager list --available --all
  2. Attach the required subscriptions for Red Hat Enterprise Linux Server and Red Hat Certificate System using the corresponding pool IDs obtained in the previous step:

    $ subscription-manager attach --pool=POOL_ID_RHEL_SERVER
    $ subscription-manager attach --pool=POOL_ID_CERT_SYSTEM
  3. Make sure Red Hat Enterprise Linux has the latest updates:

    $ dnf update
  4. Install the Directory Server module:

    $ dnf module enable 389-ds:1.4 && dnf install 389-ds-base
  5. Ensure that a real domain name is specified in /etc/resolv.conf and a host name is set within /etc/hosts.
  6. Run the Directory Server interactive installer and customize as required.

    $ dscreate interactive

    For more information or for other installation methods, refer to the Red Hat Directory Server installation guide.

  7. Install Certificate System packages and dependencies:

    $ dnf module enable redhat-pki:10 && dnf install redhat-pki
  8. Run the pkispawn script to create and configure the subsystem instances. You must install and fully configure at least one CA subsystem before you can configure any other type of subsystem. For details, see the pkispawn manpage. Without options, pkispawn runs in interactive mode, prompting the user for basic information required for installation.

    $ pkispawn
  9. Access the agent interface of various Red Hat Certificate System subsystems by using a properly configured local or remote Mozilla Firefox web browser.

Installing and configuring Red Hat Certificate System subsystems is described in more detail in the Planning, Installation, and Deployment Guide.
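
The checks implied by Table 1.1 and by step 5 can be scripted and run before pkispawn. The following is an added example, not part of the original documentation or of Red Hat's tooling; the function names are hypothetical, and it assumes that a "real domain name" means a dotted name on a search or domain line of resolv.conf.

```shell
#!/bin/sh
# Added example (not Red Hat code): pre-flight checks to run before pkispawn.
# Function names and the reading of "real domain name" are assumptions.

# Table 1.1: RHCS minor release -> RHEL 8 minor version it was tested on.
tested_rhel_for() {
  case "$1" in
    10.0) echo 8.2 ;; 10.1) echo 8.3 ;; 10.2) echo 8.4 ;;
    10.3) echo 8.5 ;; 10.4) echo 8.6 ;;
    *) return 1 ;;
  esac
}

# Step 5a: resolv.conf has a "search" or "domain" line naming a dotted domain.
has_domain() {
  awk '($1 == "search" || $1 == "domain") &&
       $2 ~ /^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\.?$/ { ok = 1 }
       END { exit !ok }' "$1"
}

# Step 5b: the host name ($1) appears on an uncommented line of the hosts file ($2).
host_in_hosts() {
  awk -v h="$1" '{ sub(/#.*/, "") }
       { for (i = 2; i <= NF; i++) if ($i == h) ok = 1 }
       END { exit !ok }' "$2"
}

# Args: RHCS version, os-release, resolv.conf, hosts, host name.
# Prints one line per failed check; exit status is the number of failures.
preflight() (
  fails=0
  want=$(tested_rhel_for "$1") || { echo "unknown RHCS version: $1"; exit 1; }
  have=$(. "$2" && echo "$VERSION_ID")
  [ "$have" = "$want" ] || { echo "RHEL $have found; RHCS $1 was tested on RHEL $want"; fails=$((fails + 1)); }
  has_domain "$3" || { echo "no domain name in $3"; fails=$((fails + 1)); }
  host_in_hosts "$5" "$4" || { echo "$5 not found in $4"; fails=$((fails + 1)); }
  exit "$fails"
)

# Constructed sample files (not from a real host) so the example runs offline.
demo() (
  d=$(mktemp -d)
  printf 'VERSION_ID="8.6"\n' > "$d/os-release"
  printf 'search example.com\nnameserver 192.0.2.53\n' > "$d/resolv.conf"
  printf '127.0.0.1 localhost\n192.0.2.10 pki.example.com pki\n' > "$d/hosts"
  preflight 10.4 "$d/os-release" "$d/resolv.conf" "$d/hosts" pki.example.com
  rc=$?
  rm -rf "$d"
  exit "$rc"
)
demo && echo "preflight passed"
```

On an installed host, the same function can be pointed at the real files: `preflight 10.4 /etc/os-release /etc/resolv.conf /etc/hosts "$(hostname -f)"`.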

1.5. Deprecated functionality

This section describes deprecated functionality in Red Hat Certificate System 10.

SCP01 support in Certificate System is deprecated

Support for Secure Channel Protocol 01 (SCP01) is deprecated in Certificate System 10 and may be removed. Red Hat recommends using smart cards that support SCP03.

The pkiconsole tool is being deprecated

In Certificate System 10, the pkiconsole tool will be deprecated.

© 2024 Red Hat, Inc.