
Chapter 1. Red Hat Certificate System 10


This section contains general information about Red Hat Certificate System 10, such as the supported platforms and system requirements, installation notes, and deprecations.

Important

Red Hat Certificate System 10 packages and their dependencies are provided on Red Hat Enterprise Linux 8 via the redhat-pki module.

1.1. Prerequisites

Installing Red Hat Certificate System 10 requires Red Hat Enterprise Linux 8. For details on how to install Red Hat Enterprise Linux 8, see Performing a standard RHEL installation.

1.2. Hardware Requirements

This section describes the minimal and recommended hardware for Red Hat Certificate System 10. Note that, depending on your environment, more resources might be required.

1.2.1. Minimal Requirements

  • CPU: 2 threads
  • RAM: 2 GB
  • Disk space: 20 GB

The minimal requirements are based on the Red Hat Enterprise Linux 8 minimal requirements. For details, see Red Hat Enterprise Linux technology capabilities and limits.

1.3. Supported platforms

This section describes the different server platforms, hardware, tokens, and software supported by Red Hat Certificate System 10.

1.3.1. Server Support

Running the Certificate Authority (CA), Key Recovery Authority (KRA), Online Certificate Status Protocol (OCSP), Token Key Service (TKS), and Token Processing System (TPS) subsystems of Red Hat Certificate System 10 is supported on Red Hat Enterprise Linux 8 and later. The supported Red Hat Directory Server version is 11 and later.

Note

Red Hat Certificate System 10 is supported running on a Red Hat Enterprise Linux 8 virtual guest on a certified hypervisor. For details, see the Which hypervisors are certified to run RHEL? solution article.

1.3.2. Client Support

The Enterprise Security Client (ESC) is supported on:

  • Red Hat Enterprise Linux 8.
  • The latest versions of Red Hat Enterprise Linux 6 and 7.

    Although these platforms do not support Red Hat Certificate System 10, those clients can be used with the Token Management System (TMS) system in Red Hat Certificate System 10.

1.3.3. Supported Web Browsers

Red Hat Certificate System 10 supports the following browsers:

Table 1.1. Supported Web Browsers by Platform

| Platform | Agent Services | End User Pages |
|---|---|---|
| Red Hat Enterprise Linux | Firefox 60 and later [a] | Firefox 60 and later |

[a] This Firefox version no longer supports the crypto web object used to generate and archive keys from the browser. As a result, expect limited functionality in this area.

Note

The only fully-supported browser for the HTML-based instance configuration is Mozilla Firefox.

1.3.4. Supported Smart Cards

The Enterprise Security Client (ESC) supports Global Platform 2.01-compliant smart cards and JavaCard 2.1 or higher.

The Certificate System subsystems have been tested using the following tokens:

  • Gemalto TOP IM FIPS CY2 64K token (SCP01)
  • Giesecke & Devrient (G&D) SmartCafe Expert 7.0 (SCP03)
  • SafeNet Assured Technologies SC-650 (SCP01)

The only card manager applet supported with Certificate System is the CoolKey applet, which is part of the pki-tps package in Red Hat Certificate System.

1.3.5. Supported Hardware Security Modules

The following table lists Hardware Security Modules (HSM) supported by Red Hat Certificate System.

| HSM | Firmware | Appliance Software | Client Software |
|---|---|---|---|
| nCipher nShield Connect XC (High) | nShield_HSM_Firmware-12.72.1 | 12.71.0 | SecWorld_Lin64-12.71.0 |
| Thales TCT Luna Network HSM Luna-T7 | lunafw_update-7.11.1-4 | 7.11.0-25 | 610-500244-001_LunaClient-7.11.1-5 |

1.4. Quickstart for installing RHCS subsystems

The following procedure describes the prerequisites and the basic installation process for Red Hat Certificate System 10.

Prerequisites

Procedure

  1. Register the system to a Customer Portal account using Red Hat Subscription Manager (RHSM), then list the subscriptions available on this account for the system you registered:

    $ subscription-manager register
    $ subscription-manager list --available --all
  2. Attach the required subscriptions for Red Hat Enterprise Linux Server and Red Hat Certificate System using the corresponding pool IDs obtained in the previous step:

    $ subscription-manager attach --pool=POOL_ID_RHEL_SERVER
    $ subscription-manager attach --pool=POOL_ID_CERT_SYSTEM
  3. Make sure Red Hat Enterprise Linux has the latest updates:

    $ dnf update
  4. Install the Directory Server module:

    $ dnf module enable 389-ds:1.4 && dnf install 389-ds-base
  5. Ensure that a real domain name is specified in /etc/resolv.conf and that a host name is set within /etc/hosts.
  6. Run the Directory Server interactive installer and customize as required.

    $ dscreate interactive

    For more information or for other installation methods, refer to the Red Hat Directory Server installation guide.

  7. Install Certificate System packages and dependencies:

    $ dnf module enable redhat-pki:10 && dnf install redhat-pki
  8. Run the pkispawn script to create and configure the subsystem instances. You must install and fully configure at least one CA subsystem before you can configure any other type of subsystem. For details, see the pkispawn manpage. Without options, pkispawn runs in interactive mode, prompting the user for basic information required for installation.

    $ pkispawn
  9. Access the agent interface of various Red Hat Certificate System subsystems by using a properly configured local or remote Mozilla Firefox web browser.

Installing and configuring Red Hat Certificate System subsystems is described in more detail in the Planning, Installation, and Deployment Guide.
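
Step 5 of the procedure can be verified before running dscreate and pkispawn. The script below is an added example, not part of the Red Hat documentation; the function names, the sample host pki1.example.com, and the reading of "real domain name" as a domain or search entry containing a dot are assumptions.

```shell
#!/bin/sh
# Added example: preflight check for step 5 of the quickstart.
# Assumption: a "real domain" is a domain/search entry with at least one dot.

# has_domain RESOLV_CONF -> 0 if a domain/search line names a dotted domain
has_domain() {
    awk '{ sub(/[#;].*/, "") }
         $1 == "domain" || $1 == "search" {
             for (i = 2; i <= NF; i++) if ($i ~ /[^.]\.[^.]/) found = 1
         }
         END { exit !found }' "$1"
}

# host_in_hosts HOSTS_FILE NAME -> 0 if NAME is a canonical name or alias
# on a non-comment line (comparison is case-insensitive)
host_in_hosts() {
    awk -v name="$2" '
        { sub(/#.*/, "") }
        NF >= 2 { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(name)) found = 1 }
        END { exit !found }' "$1"
}

# preflight NAME [RESOLV_CONF] [HOSTS_FILE] -> 0 only if both checks pass
preflight() {
    pf_rc=0
    has_domain "${2:-/etc/resolv.conf}" ||
        { echo "FAIL: no real domain in ${2:-/etc/resolv.conf}"; pf_rc=1; }
    host_in_hosts "${3:-/etc/hosts}" "$1" ||
        { echo "FAIL: $1 missing from ${3:-/etc/hosts}"; pf_rc=1; }
    if [ "$pf_rc" -eq 0 ]; then echo "OK: $1"; fi
    return "$pf_rc"
}

# Constructed sample files (not taken from a real host)
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'search example.com\nnameserver 192.0.2.53\n' > "$demo_dir/resolv.good"
printf 'search localdomain\nnameserver 192.0.2.53\n' > "$demo_dir/resolv.bad"
printf '127.0.0.1 localhost\n192.0.2.10 pki1.example.com pki1 # CA host\n' > "$demo_dir/hosts"

# Passes: dotted search domain and host entry both present
preflight pki1.example.com "$demo_dir/resolv.good" "$demo_dir/hosts"
# Fails: "localdomain" is not a real domain
preflight pki1.example.com "$demo_dir/resolv.bad" "$demo_dir/hosts" || true
```

On a real system, call `preflight "$(hostname)"` with no file arguments to check /etc/resolv.conf and /etc/hosts directly.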

1.5. Deprecated functionality

This section describes deprecated functionality in Red Hat Certificate System 10.

SCP01 support in Certificate System is deprecated

Support for Secure Channel Protocol 01 (SCP01) is deprecated in Certificate System 10 and may be removed. Red Hat recommends using smart cards that support SCP03.

The pkiconsole tool is being deprecated

In Certificate System 10, the pkiconsole tool will be deprecated.


© 2024 Red Hat, Inc.