Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 1. Red Hat Certificate System 10

This section contains general information about Red Hat Certificate System 10, such as the supported platforms and system requirements, installation notes, and deprecations.

Important

Red Hat Certificate System 10 packages and their dependencies are provided on Red Hat Enterprise Linux 8 via the redhat-pki module.

1.1. Prerequisites
Copy link

Installing Red Hat Certificate System 10 requires Red Hat Enterprise Linux 8. For details on how to install Red Hat Enterprise Linux 8, see Performing a standard RHEL installation.

1.2. Hardware Requirements
Copy link

This section describes the minimal and recommended hardware for Red Hat Certificate System 10. Note that, depending on your environment, more resources might be required.

1.2.1. Minimal Requirements
Copy link

  • CPU: 2 threads
  • RAM: 2 GB
  • Disk space: 20 GB

The minimal requirements are based on the Red Hat Enterprise Linux 8 minimal requirements. For details, see Red Hat Enterprise Linux technology capabilities and limits.

1.3. Supported platforms
Copy link

This section describes the different server platforms, hardware, tokens, and software supported by Red Hat Certificate System 10.

1.3.1. Server Support
Copy link

Running the Certificate Authority (CA), Key Recovery Authority (KRA), Online Certificate Status Protocol (OCSP), Token Key Service (TKS), and Token Processing System (TPS) subsystems of Red Hat Certificate System 10 is supported on Red Hat Enterprise Linux 8. Each Red Hat Certificate System 10 minor release is tested and released on a specific Red Hat Enterprise Linux 8 minor version. Additionally, each minor version of Red Hat Certificate System is also tested against a specific version of Red Hat Directory Server. The following table shows the minor versions tested and supported with Red Hat Certificate System.

Expand
Table 1.1. Versions of Red Hat Enterprise Linux and Red Hat Directory Server supported and tested with Red Hat Certificate System 10.x versions
Red Hat Certificate System versionRed Hat Enterprise Linux versionRed Hat Directory Server version

10.0

8.2

11.1

10.1

8.3

11.2

10.2

8.4

11.3

10.3

8.5

11.4

10.4

8.6

11.5

10.6

8.8

11.7

10.8

8.10

11.9

Note

Red Hat Certificate System 10 is supported running on a Red Hat Enterprise Linux 8 virtual guest on a certified hypervisor. For details, see the Which hypervisors are certified to run RHEL? solution article.

1.3.2. Client Support
Copy link

The Enterprise Security Client (ESC) is supported on:

  • Red Hat Enterprise Linux 8.

  • The latest versions of Red Hat Enterprise Linux 6 and 7.

    Although these platforms do not support Red Hat Certificate System 10, those clients can be used with the Token Management System (TMS) system in Red Hat Certificate System 10.

1.3.3. Supported Web Browsers
Copy link

Red Hat Certificate System 10 supports the following browsers:

Expand
Table 1.2. Supported Web Browsers by Platform
PlatformAgent ServicesEnd User Pages

Red Hat Enterprise Linux

Firefox 60 and later [a]

Firefox 60 and later

[a] This Firefox version no longer supports the crypto web object used to generate and archive keys from the browser. As a result, expect limited functionality in this area.
Note

The only fully-supported browser for the HTML-based instance configuration is Mozilla Firefox.

1.3.4. Supported Smart Cards
Copy link

The Enterprise Security Client (ESC) supports Global Platform 2.01-compliant smart cards and JavaCard 2.1 or higher.

The Certificate System subsystems have been tested using the following tokens:

  • Gemalto TOP IM FIPS CY2 64K token (SCP01)
  • Giesecke & Devrient (G&D) SmartCafe Expert 7.0 (SCP03)
  • SafeNet Assured Technologies SC-650 (SCP01)

The only card manager applet supported with Certificate System is the CoolKey applet, which is part of the pki-tps package in Red Hat Certificate System.

1.3.5. Supported Hardware Security Modules
Copy link

The following table lists Hardware Security Modules (HSM) supported by Red Hat Certificate System.

Expand
HSMFirmwareAppliance SoftwareClient Software

nCipher nShield Connect XC (High)

nShield_HSM_Firmware-12.72.1

12.71.0

SecWorld_Lin64-12.71.0

Thales TCT Luna Network HSM Luna-T7

lunafw_update-7.11.1-4

7.11.0-25

610-500244-001_LunaClient-7.11.1-5

1.4. Quickstart for installing RHCS subsystems
Copy link

The following procedure describes the prerequisites and the basic installation process for Red Hat Certificate System 10.

Prerequisites

Procedure

  1. Register the system to a Customer Portal account using Red Hat Subscription Manager (RHSM), then list the subscriptions available on this account for the system you registered: 

    $ subscription-manager register
$ subscription-manager list --available --all
    Copy to Clipboard Toggle word wrap

  2. Attach the required subscriptions for Red Hat Enterprise Linux Server and Red Hat Certificate System using the corresponding pool IDs obtained in the previous step: 

    $ subscription-manager attach --pool=POOL_ID_RHEL_SERVER
$ subscription-manager attach --pool=POOL_ID_CERT_SYSTEM
    Copy to Clipboard Toggle word wrap

  3. Make sure Red Hat Enterprise Linux has the latest updates: 

    $ dnf update
    Copy to Clipboard Toggle word wrap

  4. Install the Directory Server module: 

    $ dnf module enable redhat-ds:11
$ dnf install 389-ds-base
    Copy to Clipboard Toggle word wrap
  5. Ensure that a real domain name is specified is /etc/resolv.conf a host name is set within /etc/hosts.

  6. Run the Directory Server interactive installer and customize as required. 

    $ dscreate interactive
    Copy to Clipboard Toggle word wrap

    For more information or for other installation methods, refer to the Red Hat Directory Server installation guide.

  7. Install Certificate System packages and dependencies: 

    $ dnf module enable redhat-pki:10
$ dnf install redhat-pki
    Copy to Clipboard Toggle word wrap

  8. Run the pkispawn script to create and configure the subsystem instances. You must install and fully configure at least one CA subsystem before you can configure any other type of subsystem. For details, see the pkispawn manpage. Without options, pkispawn runs in interactive mode, prompting the user for basic information required for installation. 

    $ pkispawn
    Copy to Clipboard Toggle word wrap
  9. Access the agent interface of various Red Hat Certificate System subsystems by using a properly configured local or remote Mozilla Firefox web browser.

Installing and configuring Red Hat Certificate System subsystems is described in more detail in the Planning, Installation, and Deployment Guide.

1.5. Deprecated functionality
Copy link

This section describes deprecated functionality in Red Hat Certificate System 10.

SCP01 support in Certificate System is deprecated

Support for Secure Channel Protocol 01 (SCP01) is deprecated in Certificate System 10 and may be removed. Red Hat recommends using smart cards that support SCP03.

The pkiconsole tool is being deprecated

In Certificate System 10, the pkiconsole tool will be deprecated.

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat