此内容没有您所选择的语言版本。
Chapter 11. Additional Installation Options
All Red Hat Certificate System instances created with
pkispawn
make certain assumptions about the instances being installed, such as the default signing algorithm to use for CA signing certificates and whether to allow IPv6 addresses for hosts.
This chapter describes additional configuration options that impact the installation and configuration for new instances, so many of these procedures occur before the instance is created.
11.1. Lightweight Sub-CAs
Using the default settings, you are able to create lightweight sub-CAs. They enable you to configure services, like virtual private network (VPN) gateways, to accept only certificates issued by one sub-CA. At the same time, you can configure other services to accept only certificates issued by a different sub-CA or the root CA.
If you revoke the intermediate certificate of a sub-CA, all certificates issued by this sub-CA are automatically invalid.
If you set up the CA subsystem in Certificate System, it is automatically the root CA. All sub-CAs you create, are subordinated to this root CA.
11.1.1. Setting up a Lightweight Sub-CA
Depending on your environment, the installation of a sub-CA differs between Internal CAs and External CAs. For more information, see Section 7.8, “Setting up Subsystems with an External CA”.
11.1.2. Disabling the Creation of Lightweight Sub-CAs
In certain situations, administrators want to disable lightweight sub-CAs. To prevent adding, modifying, or removing sub-CAs, enter the following command on the Directory Server instance used by Certificate System:
# ldapmodify -D "cn=Directory Manager" -W -x -h server.example.com dn: cn=aclResources,o=instance_name changetype: modify delete: resourceACLS resourceACLS: certServer.ca.authorities:create,modify:allow (create,modify) group="Administrators":Administrators may create and modify lightweight authorities delete: resourceACLS resourceACLS: certServer.ca.authorities:delete:allow (delete) group="Administrators":Administrators may delete lightweight authorities
This command removes the default Access Control List (ACL) entries, which grant the permissions to manage sub-CAs.
Note
If any ACLs related to lightweight sub-CA creation have been modified or added, remove the relevant values.
11.1.3. Re-enabling the Creation of Lightweight Sub-CAs
If you previously disabled the creation of lightweight sub-CAs, you can re-enable the feature by entering the following command on the Directory Server instance used by Certificate System:
# ldapmodify -D "cn=Directory Manager" -W -x -h server.example.com dn: cn=aclResources,o=instance_name changetype: modify add: resourceACLS resourceACLS: certServer.ca.authorities:create,modify:allow (create,modify) group="Administrators":Administrators may create and modify lightweight authorities resourceACLS: certServer.ca.authorities:delete:allow (delete) group="Administrators":Administrators may delete lightweight authorities
This command adds the Access Control List (ACL) entries, which grant the permissions to manage sub-CAs.