Chapter 5. Planning your CA services
Identity Management (IdM) in Red Hat Enterprise Linux provides different types of certificate authority (CA) configurations. The following sections describe different scenarios and provide advice to help you determine which configuration is best for your use case.
- CA subject DN
- The Certificate Authority (CA) subject distinguished name (DN) is the name of the CA. It must be globally unique in the Identity Management (IdM) CA infrastructure and cannot be changed after the installation. In case you need the IdM CA to be externally signed, you might need to consult the administrator of the external CA about the form your IdM CA Subject DN should take.
5.1. CA Services available in an IdM server
You can install an Identity Management (IdM) server with an integrated IdM certificate authority (CA) or without a CA.
| Integrated CA | Without a CA | |
|---|---|---|
| Overview: | IdM uses its own public key infrastructure (PKI) service with a CA signing certificate to create and sign the certificates in the IdM domain.
The external CA can be a corporate CA or a third-party CA. | IdM does not set up its own CA, but uses signed host certificates from an external CA. Installing a server without a CA requires you to request the following certificates from a third-party authority:
|
| Limitations: | If the integrated CA is subordinate to an external CA, the certificates issued within the IdM domain are potentially subject to restrictions set by the external CA for various certificate attributes, such as:
| Managing certificates outside of IdM causes many additional activities, such as :
|
| Works best for: | Environments that allow you to create and use your own certificate infrastructure. | Very rare cases when restrictions within the infrastructure do not allow you to install certificate services integrated with the server. |
Switching from the self-signed CA to an externally-signed CA, or the other way around, as well as changing which external CA issues the IdM CA certificate, is possible even after the installation. It is also possible to configure an integrated CA even after an installation without a CA. For more details, see Installing an IdM server: With integrated DNS, without a CA.
Additional resources
5.2. Guidelines for distribution of CA services
The following steps provide guidelines for the distribution of your certificate authority (CA) services.
Procedure
Install the CA services on more than one server in the topology.
Replicas configured without a CA forward all certificate operation requests to the CA servers in your topology.
WarningIf you lose all servers with a CA, you lose all the CA configuration without any chance of recovery. In this case you must configure a new CA and issue and install new certificates.
- Maintain a sufficient number of CA servers to handle the CA requests in your deployment.
See the following table for further recommendations on appropriate number of CA servers:
| Description of the deployment | Suggested number of CA servers |
|---|---|
| A deployment with a very large number of certificates issued | Three or four CA servers |
| A deployment with bandwidth or availability problems between multiple regions | One CA server per region, with a minimum of three servers total for the deployment |
| All other deployments | Two CA servers |
Four CA servers in the topology are usually enough if the number of concurrent certificate requests is not high. The replication processes between more than four CA servers can increase processor usage and lead to performance degradation.
