User manual REDHAT CERTIFICATE SYSTEM 7.3 ADMINISTRATION

[. . . ] Red Hat Certificate System 7. 3 Administration Guide Publication date: May 2007, updated March 25, 2010 Administration Guide Red Hat Certificate System 7. 3 Administration Guide Copyright © 2009 Red Hat, Inc. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution­Share Alike 3. 0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons. org/licenses/by-sa/3. 0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version. [. . . ] The version 2 master key nickname. NOTE Master keys are generated using the tksTool utility. The version 1 key set is the default set by the smart card manufacturer. Smart cards can optionally be upgraded to the version 2 key set. TKS Configuration Parameters for Key Update 215 216 Chapter 9. Token Key Service The Certificate System Token Management System consists of three components, the Token Processing System (TPS), the Token Key Service (TKS), and the Enterprise Security Client. This chapter explains the TKS, which manages the master keys required set up a secure communication channel between the TPS and the client. 9. 1. Overview A TKS manages the master and transport keys required to generate and distribute keys for smart cards or tokens. A master key is a Triple DES symmetric key stored either in software or hardware token. When supplied with the token CUID, a TKS can derive the corresponding three symmetric keys authentication key, Mac key, and key encryption key (KEK) on each token. This effectively shares secrets between the Certificate System and the token without having to store these symmetric keys on the server. The Certificate System TPS subsystem uses the TKS subsystem to generate the token keys the TPS uses to communicate with the Enterprise Security Client. The TPS communicates with the TKS over SSL. The TKS provides the security between tokens and the TPS since the security relies on the relationship between the master key and the token keys. The functions provided by the TKS include the following: · Helps establish a secure channel (signed and encrypted) between the token and TPS. · Provides proof of presence for the security token during enrollment. · Supports key changeover when the master key changes on the TKS. Tokens with older keys get new token keys. · Helps generate a symmetric session key for the DRM to wrap (encrypt) the entity's private key for (optional) server-side key generation, where the entity's encryption keys are generated on the DRM NOTE Because of the sensitivity of the data that the TKS manages, the TKS should be set behind the firewall with restricted access. 9. 2. Using Master Keys Generate new master and transport keys using the tksTool utility. The transport key is used to send the master key securely to the facility where the tokens are generated. Tokens that are generated with a particular master key can only be used with that master key. Open the TKS instance alias/ directory. cd /var/lib/instance_ID/alias/ 2. For example: tksTool -M -n new_master -d /var/lib/rhpki-tks/alias -h token_name -p certDBPrefix 217 Chapter 9. [. . . ] See also cryptographic algorithm, digital signature. A certificate that's public key corresponds to a private key used to create digital signatures. For example, a Certificate Manager must have a signing certificate that's public key corresponds to the private key it uses to sign the certificates it issues. A signing key and its equivalent public key, plus an encryption key and its equivalent public key, constitute a dual key pair. self tests server authentication server SSL certificate servlet SHA-1 signature algorithm signed audit log signing certificate signing key 521 Glossary single sign-on 1. [. . . ]