User manual REDHAT CERTIFICATE SYSTEM 7.2 ADMINISTRATION

[. . . ] Red Hat Certificate System 7. 2 Administration Guide Publication date: November 6, 2006, and updated on August 25, 2009 Administration Guide Red Hat Certificate System 7. 2 Administration Guide Copyright © 2008 Red Hat, Inc. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution­Share Alike 3. 0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons. org/licenses/by-sa/3. 0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version. [. . . ] Fill in the type of certificate to create, either caCrlSigning for the CRL signing certificate or client for an SSL client certificate. 201 Chapter 10. For requests submitted through a Certificate Manager, after selecting the type of certificate, select which type of CA will sign the request: · For a CA signing certificate, the options are to use a root CA or a subordinate CA. · For all other certificates, the options are to use the local CA signing certificate or to create a request to submit to another CA. 202 Requesting Certificates 8. Set the key-pair information. Figure 10. 4. Generating the Key Pair · Set the token, either the security database directory (internal) or one of the listed external tokens. The recommended length for an RSA key is 2048 bits or higher to be crytpographically strong. Select the message digest algorithm; the choices are MC2, MD5, SHA1, SHA256, and SHA512. 203 Chapter 10. Either enter values for individual DN attributes to build the subject DN or enter the full string. 204 Requesting Certificates Figure 10. 6. Setting the Subject Name NOTE For an SSL server certificate, the common name must be the fully-qualified host name of the Certificate System in the format machine_name. domain. domain. Only when requesting a certificate through the Certificate Manager Console and submitting the request to the Certificate Manager automatically. Specify the start and end dates of the validity period for the certificate and the time at which the validity period will start and end on those dates. 205 Chapter 10. Setting the Validity Period The default validity period is five years. Only when requesting a certificate through the Certificate Manager Console submitting the request to the Certificate Manager automatically. Set the standard extensions for the certificate. The required extensions are chosen by default. To change the default choices, read the guidelines explained in Appendix A, Certificate and CRL Extensions. 206 Requesting Certificates Figure 10. 8. Setting the Certificate Extensions NOTE Certificate extensions are required to set up a CA hierarchy. Subordinate CAs must have certificates that include the extension identifying them as either a subordinate SSL CA (which allows them to issue certificates for SSL) or a subordinate email CA (which allows them to issue certificates for secure email). Disabling certificate extensions means that CA hierarchies cannot be set up. The associated fields are CA setting and a numeric setting for the certification path length. · Subject Key Identifier. 207 Chapter 10. Managing Certificates · Key Usage. [. . . ] See also cryptographic algorithm, digital signature. A certificate that's public key corresponds to a private key used to create digital signatures. For example, a Certificate Manager must have a signing certificate that's public key corresponds to the private key it uses to sign the certificates it issues. A signing key and its equivalent public key, plus an encryption key and its equivalent public key, constitute a dual key pair. self tests server authentication server SSL certificate servlet SHA-1 signature algorithm signed audit log signing certificate signing key 481 Glossary single sign-on 1. [. . . ]