7.4. Post-installation Tasks

It is important that the time is correct for running RHCS; see Chapter 15. Setting Time and Date in Red Hat Enterprise Linux 7.6 in Red Hat Certificate System's Administration Guide.

When the internal LDAP server was created initially with a temporary self-signed server certificate, this is time to replace it with a new certificate that is issued by the CA you just installed.

For details, see Section 6.5.4, “Replacing the Temporary Certificate”.

Red Hat Certificate System is required to communicate with its internal LDAP server via TLS mutual authentication. For further details see Enabling TLS Client Authentication.

Various timeout configurations exist on the system that could affect how long a TLS session is allowed to remain idle before termination. For details, see Section 9.4.1.3, “Session Timeout”.

CRL publishing is critical in providing OCSP service. Certificate publishing is optional but often desired by sites. For details, see Chapter 7. Publishing Certificates and CRLs in Red Hat Certificate System Administration Guide.

Only CMC certificate enrollment profiles are allowed. All other profiles need to be disabled.

For details, see Section 11.1.5, “Disabling Certificate Enrolment Profiles”.

User interface banners are required.

For details, see Section 9.5.1, “Enabling an Access Banner”.

The watchdog (nuxwdog) service provides secure system password management.

For details, see Section 9.3.2.1, “Enabling the Watchdog Service”.

Certificate enrollments and revocation have to be done via CMC.

Certificate System administrators are required to present a user TLS client certificate when logging into the Java console. See Section 9.2.3.14, “Setting Requirement for pkiconsole to use TLS Client Certificate Authentication”.

Real role users have to be created so the bootstrap user could be removed.

Create users and assign them to different privileged roles to manage Certificate System. See Chapter 14, Creating a Role User.

Bootstrap user is to be removed once the real role users are created.

After creating a new administrator account which is assigned to an individual person, remove the account which was automatically created during the installation. For details, see Chapter 15, Deleting the Bootstrap User.

Once the bootstrap user is removed, the multi-role support needs to be disabled.

For details, see Section 15.1, “Disabling Multi-roles Support”.

Before a user could use an approved user interface, initialization needs to be performed.

Users (administrative roles or otherwise) are required to setup their clients for accessing the user interface. See 2.1. Client NSS Database Initialization in Red Hat Certificate System's Administration Guide.