User manual REDHAT SYSTEM 8 INSTALL GUIDE 25-03-2010

[. . . ] Red Hat Certificate System 8 Install Guide Publication date: July 22, 2009, updated on March 25, 2010 Ella Deon Lackey Install Guide Red Hat Certificate System 8 Install Guide Author Copyright © 2009 Red Hat, Inc. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution­Share Alike 3. 0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons. org/licenses/by-sa/3. 0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version. [. . . ] When they are issued, paste the certificates into this panel to add them to the TPS database, and then proceed with the installation. Click Apply to view the certificates as they are imported. Provide the information for the new subsystem administrator. 58 Configuring a TPS 15. Click Next through the remaining panels to import the agent certificate into the browser and complete the configuration. When the configuration is complete, restart the subsystem. service pki-tps restart IMPORTANT The new instance is not active until it is restarted, and weird behaviors can occur if you try to use the instance without restarting it first. 59 60 Chapter 4. Additional Installation Options The Certificate System default installation, and all subsequent instances created with pkicreate, make certain assumptions about the instances being installed, such as the default signing algorithm to use for CA signing certificates and whether to allow IPv6 addresses for hosts. This chapter describes additional configuration options that impact the installation and configuration for new instances, so many of these procedures occur before the instance is created. 4. 1. Requesting Subsystem Certificates from an External CA Most of the time, it is easier and simpler to have a CA within your PKI be the root CA, since this affords a lot of flexibility for defining the rules and settings of the PKI deployment. However, for public-facing networks, this can be a difficult thing to implement, because web administrators have to find some way to propagate and update CA certificate chains to their clients so that any site is trusted. For this reason, people often use public CAs, hosted by companies like VeriSign or Thawte, to issue CA signing certificates and make all of their CAs subordinate to the public CA. This is one of the planning considerations covered in the Certificate System Deployment Guide. All subsystem certificates can be submitted to an external CA when the subsystem is configured. When the certificates are generated from a CA outside the Certificate System deployment (or from a Certificate System CA in a different security domain), then the configuration process does not occur in one sitting. The configuration process is on hold until the certificates can be retrieved. Aside from that delay, the process is more or less the same as in Chapter 3, Installation and Configuration. Install the subsystem packages, and open the configuration URL. For a CA, it is also possible to create a new security domain. Set the subsystem information, like its name. For a CA, set the CA to be a subordinate CA. This is required in order to submit CA subsystem certificates to an external CA; making a root CA automatically generates self-signed certificates. Select the key store, and generate the key pairs. Set the subsystem certificate names; you can set these to whatever you want, but make sure that they conform to any requirements that the external CA sets for the subject names of certificates. At the bottom of the screen is the list of CAs which are available to accept the submitted certificate requests. [. . . ] Using Certificate System Setting Value /var/lib/pki-ocsp/webapps. admin - Admin services The subsystem certificate is always issued by the security domain so that domain-level operations that require client authentication are based on this subsystem certificate. Table 9. 6. Default OCSP Instance Information 9. 5. 5. Default TKS Instance Information The default TKS configuration is listed in Table 9. 7, "Default TKS Instance Information". Most of these values are unique to the default instance; the default certificates and some other settings are true for every TKS instance. [. . . ]