Chapter 11. Additional installation options
All Red Hat Certificate System instances created with pkispawn make certain assumptions about the instances being installed, such as the default signing algorithm to use for CA signing certificates and whether to allow IPv6 addresses for hosts.
This chapter describes additional configuration options that impact the installation and configuration for new instances, so many of these procedures occur before the instance is created.
11.1. Lightweight sub-CAs
Using the default settings, you are able to create lightweight sub-CAs. They enable you to configure services, like virtual private network (VPN) gateways, to accept only certificates issued by one sub-CA. At the same time, you can configure other services to accept only certificates issued by a different sub-CA or the root CA.
If you revoke the intermediate certificate of a sub-CA, all certificates issued by this sub-CA are automatically invalid.
If you set up the CA subsystem in Certificate System, it is automatically the root CA. All sub-CAs you create are subordinate to this root CA.
11.1.1. Setting up a lightweight sub-CA
Depending on your environment, the installation of a sub-CA differs between internal CAs and external CAs. For more information, see the example in Installing CA with external CA signing certificate.
11.1.2. Disabling the creation of lightweight sub-CAs
In certain situations, administrators want to disable lightweight sub-CAs. To prevent adding, modifying, or removing sub-CAs, enter the following command on the Directory Server instance used by Certificate System:
This command removes the default Access Control List (ACL) entries, which grant the permissions to manage sub-CAs.
If any ACLs related to lightweight sub-CA creation have been modified or added, remove the relevant values.
11.1.3. Re-enabling the creation of lightweight sub-CAs
If you previously disabled the creation of lightweight sub-CAs, you can re-enable the feature by entering the following command on the Directory Server instance used by Certificate System:
This command adds the Access Control List (ACL) entries, which grant the permissions to manage sub-CAs.
11.2. Enabling IPv6 for a subsystem
Certificate System automatically configures and manages connections between subsystems. Every subsystem must interact with a CA, both as a member of a security domain and to perform its PKI operations.
For these connections, Certificate System subsystems can be recognized by their host’s fully-qualified domain name or an IP address. By default, Certificate System resolves IPv4 addresses and host names automatically, but Certificate System can also use IPv6 for their connections. IPv6 is supported for all server connections: to other subsystems, to the administrative console (pkiconsole), or through command-line scripts such as tpsclient:

    op=var_set name=ca_host value=IPv6 address
- Install the Red Hat Certificate System packages.
- Set the IPv4 and IPv6 addresses in the /etc/hosts file. For example:

      # vim /etc/hosts
      192.0.0.0 server.example.com                            # IPv4 address
      3ffe:1234:2222:2000:202:55ff:fe67:f527 server6.example.com  # IPv6 address

  Then, export the environment variable to use the IPv6 address for the server. For example:

      export PKI_HOSTNAME=server6.example.com

- Run pkispawn to create the new instance. The values for the server host name in the CS.cfg file will be set to the IPv6 address.
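The procedure above depends on the name you export as PKI_HOSTNAME actually mapping to an IPv6 entry in /etc/hosts before pkispawn reads it. The following pre-flight check is an added example and not part of the Red Hat documentation: it looks a host name up in a hosts-format file and reports whether the address it maps to is IPv6. The file path is a parameter, so it runs here against a constructed copy of the documentation's sample entries rather than the real /etc/hosts.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): check that the name you
# intend to export as PKI_HOSTNAME resolves to an IPv6 address in a hosts file.

# Print the first address mapped to NAME in HOSTS_FILE (prints nothing if none).
hosts_lookup() {
    hosts_file="$1"; name="$2"
    awk -v n="$name" '
        /^[[:space:]]*#/ || NF < 2 { next }          # skip comments and blank lines
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }
    ' "$hosts_file"
}

# Return 0 if ADDR is an IPv6 literal (hosts entries for IPv6 contain colons).
is_ipv6() {
    case "$1" in
        *:*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Combined check: does NAME map to an IPv6 address in HOSTS_FILE?
check_pki_hostname_v6() {
    addr=$(hosts_lookup "$1" "$2")
    [ -n "$addr" ] && is_ipv6 "$addr"
}

# Constructed sample hosts file mirroring the documentation's example entries.
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
# constructed /etc/hosts sample
192.0.0.0 server.example.com
3ffe:1234:2222:2000:202:55ff:fe67:f527 server6.example.com
EOF

main() {
    for h in server.example.com server6.example.com; do
        if check_pki_hostname_v6 "$SAMPLE_HOSTS" "$h"; then
            echo "$h -> $(hosts_lookup "$SAMPLE_HOSTS" "$h"): IPv6, usable as PKI_HOSTNAME"
        else
            echo "$h -> $(hosts_lookup "$SAMPLE_HOSTS" "$h"): not IPv6"
        fi
    done
}
main
```

Run it with the real file by replacing SAMPLE_HOSTS with /etc/hosts; a name that maps only to an IPv4 entry, or to nothing, fails the check and should not be exported as PKI_HOSTNAME for an IPv6 instance.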
11.3. Enabling LDAP-based enrollment profiles
- To install with LDAP-based profiles, set the pki_profile_in_ldap=True option in the [CA] section of the pkispawn configuration file. In this case, profile files will still appear in /var/lib/pki/instance_name/ca/profiles/ca/, but will be ignored.
- To enable LDAP-based profiles on an existing instance, change the following in the instance’s CS.cfg:

      subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem

  Then, import profiles manually into the database using either the pki command line utility or a custom script.
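The two edits in this section are easy to get subtly wrong: pki_profile_in_ldap=True only takes effect inside the [CA] section, and subsystem.1.class in CS.cfg must be replaced as a whole key, not appended as a second line. The helpers below are an added example, not Red Hat's own tooling: a section-aware check for the pkispawn option and a key rewrite for CS.cfg, run against constructed sample files. Only the key names and the LDAPProfileSubsystem value come from the documentation; the pre-change class name in the sample CS.cfg is an assumption.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation). Assumption: the
# pre-change value of subsystem.1.class in the constructed CS.cfg sample.

# Exit 0 if KEY=WANT is set inside [SECTION] of a pkispawn-style INI file.
# Values are compared case-insensitively; other sections are ignored.
ini_has() {
    file="$1"; section="$2"; key="$3"; want="$4"
    awk -v sec="$section" -v key="$key" -v want="$want" '
        /^[[:space:]]*\[/ { cur = $0; gsub(/\[|\]|[ \t]/, "", cur); next }  # "[CA]" -> "CA"
        /^[[:space:]]*[#;]/ || !/=/ { next }                                # comments, non-pairs
        {
            idx = index($0, "=")
            kk = substr($0, 1, idx - 1); gsub(/[ \t]/, "", kk)
            vv = substr($0, idx + 1);    gsub(/^[ \t]+|[ \t]+$/, "", vv)
            if (cur == sec && kk == key && tolower(vv) == tolower(want)) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# Print the KEY=VALUE line for KEY from a CS.cfg-style file (exact key match).
cs_cfg_get() {
    awk -v key="$2" 'index($0, "=") && substr($0, 1, index($0, "=") - 1) == key' "$1"
}

# Replace the value of KEY in a CS.cfg-style file in place; append if absent.
cs_cfg_set() {
    file="$1"; key="$2"; value="$3"
    tmp=$(mktemp)
    awk -v key="$key" -v val="$value" '
        index($0, "=") && substr($0, 1, index($0, "=") - 1) == key { print key "=" val; done = 1; next }
        { print }
        END { if (!done) print key "=" val }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed sample files.
SAMPLE_SPAWN=$(mktemp)
cat > "$SAMPLE_SPAWN" <<'EOF'
# constructed pkispawn configuration sample
[DEFAULT]
pki_instance_name=pki-tomcat

[CA]
pki_profile_in_ldap = True
EOF

SAMPLE_CSCFG=$(mktemp)
cat > "$SAMPLE_CSCFG" <<'EOF'
# constructed CS.cfg excerpt; the class on the next line is an assumed pre-change value
subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem
subsystem.1.id=profile
EOF

main() {
    if ini_has "$SAMPLE_SPAWN" CA pki_profile_in_ldap True; then
        echo "pkispawn config requests LDAP-based profiles in [CA]"
    fi
    cs_cfg_set "$SAMPLE_CSCFG" subsystem.1.class com.netscape.cmscore.profile.LDAPProfileSubsystem
    cs_cfg_get "$SAMPLE_CSCFG" subsystem.1.class
}
main
```

Point cs_cfg_set at a stopped instance's CS.cfg to apply the documented change; the profiles still have to be imported into the database afterwards, as the text describes.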