이 콘텐츠는 선택한 언어로 제공되지 않습니다.

17.4. Changing the Names of Subsystem Certificates

One alternative to renewing certificates is replacing them with new certificates, meaning that a new certificate is generated with new keys. Generally, a new certificate can be added to the database and the old one deleted, a simple one-to-one swap. This is possible because the individual subsystem servers identify certificates based on their nickname; as long as the certificate nickname remains the same, the server can find the required certificate even if other factors — like the subject name, serial number, or key — are different.

However, in some situations, the new certificate may have a new certificate nickname, as well. In that case, the certificate nickname needs to be updated in all of the required settings in the subsystem's CS.cfg configuration file.

Important

Always restart a subsystem after editing the CS.cfg file.

These tables list all of the configuration parameters for each of the subsystem's certificates:

Table 17.3. CA Certificate Nickname Parameters
CA Signing Certificate	ca.cert.signing.nickname ca.signing.cacertnickname ca.signing.certnickname ca.signing.nickname cloning.signing.nickname
OCSP Signing Certificate	ca.ocsp_signing.cacertnickname ca.ocsp_signing.certnickname ca.cert.ocsp_signing.nickname ca.ocsp_signing.nickname cloning.ocsp_signing.nickname
Subsystem Certificate	ca.cert.subsystem.nickname ca.subsystem.nickname cloning.subsystem.nickname pkiremove.cert.subsystem.nickname
Server Certificate	ca.sslserver.nickname ca.cert.sslserver.nickname
Audit Signing Certificate	ca.audit_signing.nickname ca.cert.audit_signing.nickname cloning.audit_signing.nickname

Table 17.4. KRA Certificate Nickname Parameters
Transport Certificate	cloning.transport.nickname kra.cert.transport.nickname kra.transport.nickname tks.kra_transport_cert_nickname Note that this parameter is in the TKS configuration file. This needs changed in the TKS configuration if the KRA transport certificate nickname changes, even if the TKS certificates all stay the same.
Storage Certificate	cloning.storage.nickname kra.storage.nickname kra.cert.storage.nickname
Server Certificate	kra.cert.sslserver.nickname kra.sslserver.nickname
Subsystem Certificate	cloning.subsystem.nickname kra.cert.subsystem.nickname kra.subsystem.nickname pkiremove.cert.subsystem.nickname
Audit Log Signing Certificate	cloning.audit_signing.nickname kra.cert.audit_signing.nickname kra.audit_signing.nickname

Table 17.5. OCSP Certificate Nickname Parameters
OCSP Signing Certificate	cloning.signing.nickname ocsp.signing.certnickname ocsp.signing.cacertnickname ocsp.signing.nickname
Server Certificate	ocsp.cert.sslserver.nickname ocsp.sslserver.nickname
Subsystem Certificate	cloning.subsystem.nickname ocsp.subsystem.nickname ocsp.cert.subsystem.nickname pkiremove.cert.subsystem
Audit Log Signing Certificate	cloning.audit_signing.nickname ocsp.audit_signing.nickname ocsp.cert.audit_signing.nickname

Table 17.6. TKS Certificate Nickname Parameters
KRA Transport Certificate^[a]	tks.kra_transport_cert_nickname
Server Certificate	tks.cert.sslserver.nickname tks.sslserver.nickname
Subsystem Certificate	cloning.subsystem.nickname tks.cert.subsystem.nickname tks.subsystem.nickname pkiremove.cert.subsystem.nickname
Audit Log Signing Certificate	cloning.audit_signing.nickname tks.audit_signing.nickname tks.cert.audit_signing.nickname
^[a] This needs changed in the TKS configuration if the KRA transport certificate nickname changes, even if the TKS certificates all stay the same.

Table 17.7. TPS Nickname Parameters in CS.cfg
Server Certificate	tps.cert.sslserver.nickname
Subsystem Certificate	tps.cert.subsystem.nickname selftests.plugin.TPSValidity.nickname selftests.plugin.TPSPresence.nickname pkiremove.cert.subsystem.nickname
Audit Log Signing Certificate	tps.cert.audit_signing.nickname

이 콘텐츠는 선택한 언어로 제공되지 않습니다.

17.4. Changing the Names of Subsystem Certificates

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat 소개

Red Hat legal and privacy links

Red Hat legal and privacy links