Red Hat Certificate System 9
Last Updated: 2021-11-07
Red Hat Certificate System 9.7
Copyright © 2021 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red
Hat under a Creative Commons Attribution–Share Alike 3.0 Unported
license ("CC-BY-SA"). An explanation of CC-BY-SA is available at
http://creativecommons.org/licenses/by-sa/3.0/ . In accordance with
CC-BY-SA, if you distribute this document or an adaptation of it,
you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to
enforce, and agrees not to assert, Section 4d of CC-BY-SA to the
fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat
logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are
trademarks of Red Hat, Inc., registered in the United States and
other countries.
Linux ® is the registered trademark of Linus Torvalds in the United
States and other countries.
Java ® is a registered trademark of Oracle and/or its
affiliates.
XFS ® is a trademark of Silicon Graphics International Corp. or its
subsidiaries in the United States and/or other countries.
MySQL ® is a registered trademark of MySQL AB in the United States,
the European Union and other countries.
Node.js ® is an official trademark of Joyent. Red Hat is not
formally related to or endorsed by the official Joyent Node.js open
source or commercial project.
The OpenStack ® Word Mark and OpenStack logo are either registered
trademarks/service marks or trademarks/service marks of the
OpenStack Foundation, in the United States and other countries and
are used with the OpenStack Foundation's permission. We are not
affiliated with, endorsed or sponsored by the OpenStack Foundation,
or the OpenStack community.
All other trademarks are the property of their respective
owners.
I. RED HAT CERTIFICATE SYSTEM
Impersonation
[email protected] www.example.net
www.example.net
1.1.1.
1.1
SSL/TLS TCP/IP SSL/TLS
1.1.2.
1.2
SSL/TLS
1.2 Mozilla Firefox
1.1.3.
RSA RSA (2048) 80 Elliptic Curve Digital Signature Algorithm
(ECDSA) (ECC) RSA
1.2.
1.3
1.3
1.3.
ID (CA) ID CA Certificate System CA CA ID
CA
CA CA CA CA
CA CA
1.3.2.
Web () ( )
HTML
SSL/TLS
3. ID
4.
1.5 SSL/TLS
1.5
SSL/TLS
ID
1.3.3.
1.3.3.1. SSL/TLS
SSL/TLS SSL/TLS SSL/TLS
SSL/TLS
SSL/TLS
1.3.3.2.
1.3.3.3.
Java
LDAP https://server.example.com:8443/ca/ee/ca Certificate
Manager
Certificate System Certificate Manager CA CA OCSP SSL/TLS KRA
Certificate Manager
1.1
SSL/TLS
SSL/TLS ID ID SSL/TLS SSL/TLS
SSL/TLS
SSL/TLS
SSL/TLS
SSL/TLS Web SSL/TLS
S/MIME SSL/TLS ID SSL/TLS S/MIME
CA CA CA CA
Mozilla Firefox CA Firefox CA
1.3.4.1. CA
CRL
Certificate Manager CA CA CA CA CA CA ( CA ( CA )) CA Certificate
Manager CA CA Certificate Manager CA
CA CA CA
1.3.4.4.
1.3.4.5.
1.3.4.6.
Certificate System CA 1 CA 2 CA 2 CA CA CA
crossCertificatePair
CA CA CA Certificate System CA CA CA
1.3.5.
1.3.5.1.
1.3.5.1.1.
PKCS#7 PKCS #7 SignedData SignedData PKCS #7
Netscape PKCS #7 ContentInfo contentType netscape-cert-sequence
content
CertificateSequence ::= SEQUENCE OF Certificate
-----END CERTIFICATE-----
1.3.5.2.
X.509 v3 (DN) DN uid=doe
Example Corp DN
uid=doe, cn=John Doe,o=Example Corp.,c=US
DN uid cn o c
DNS LDAP (Lightweight Directory Access
1.3.5.3.
CA DN
2004 11 15 1 2020 11 15 1
DNSSL/TLS DN
Netscape Certificate Type SSL/TLS SSL/TLS
SAN (Subject Alternative Name) 1
base-64
UkdGYpcd2cYRCgKi4MwqdWyLtpuHAH18hHZ5uvi00mJYw8W2wUOsY0RC/a/IDy84
hW3WWehBUqVK5SY4/zJ4oTjx7dwNMdGwbWfpRqjd1A==
-----END CERTIFICATE-----
1.3.6. CA
CA ID CA Certificate System
CA CA CA 1 CA CA CA
CA CA CA
CA X.509 CA (: 1.6)
1.6
CA CA CA
CA CA CA CA CA CA CA
CA 1.6 1
1.3.6.2.
CA CA 1.7 1.6 CA 2 CA CA CA
1.7
1.7 CA
1.7 CA CA (USA CA) DN USA CA DN
( )
1.7 USA CA CA USA CA
1.3.6.3.
1.
3.
6. CA 1.8 CA
1.8 CA
1.8 CA CA CA CA 1.9 Chain CA
1.9 Chain CA
1.10
1.3.7.
(OCSP) OCSP
1.4.
1.4.1.
CA ID
1.4.2.
CRL OCSP
1.5.
PKI
2 RED HAT CERTIFICATE SYSTEM PKI CRL Red Hat Certificate System
PKI
2.1. CERTIFICATE SYSTEM
Red Hat Certificate System 5 PKI
Certificate Manager CA PKI Certificate Manager Certificate
System
(KRA) ( ) KRA
Certificate System KRA (DRM) Web KRA DRM
(OCSP) OCSP OCSP CA OCSP CA
(TKS)TKS CCID TPS
(TPS)TPS (Enterprise Security Client (ESC)) TPS TPS CAKRA TKS
Enterprise Security Client
Certificate System CA wheel CA (PKI) PKI 2 1 ()
TMS CATKS TPS KRA
TMS TMS CA TMS OCSP KRA
2.2. CERTIFICATE SYSTEM
PKI Java Apache Tomcat
PKI PKI (CA, KRA, OCSP, TKS, TPS)
(VM) PKI
Certificate System PKI
PKI Java Apache Tomcat
PKI PKI PKI
PKI PKI
CA
TKS
CA, KRA, OCSP, TKS, TPS
PKI
2.2.2.
Certificate System Red Hat Directory Server LDAP Red Hat Directory
Server Red Hat Directory Server Installation Guide
2.2.2.2. PKI
Certificate System Red Hat Enterprise Linux
pki-core.el7
pki-base
pki-base-java
pki-ca
pki-javadoc
pki-kra
pki-server
pki-symkey
pki-tools
pki-console.el7pki
pki-console
pki-core.el7pki
pki-ocsp
pki-tks
pki-tps
redhat-pki.el7pki
redhat-pki
redhat-pki-theme.el7pki
redhat-pki-console-theme
redhat-pki-server-theme
pki-javadoc Certificate System Yum redhat-pki
# yum install redhat-pki
JSS PKI javadoc (jss-javadoc pki-javadoc)
2.2.2.3.
pkispawn --help
2. Python
3.
4. Python JavaScript Object Notation (JSON) Java
5. PKI pkispawn PKI /var/lib/pki/instance_name/<subsystem>/registry/<subsystem>/deployment.cfg
pkispawn man
/etc/pki/default.cfg
[DEFAULT][Tomcat][CA][KRA][OCSP][TKS] [TPS] name=value
pkispawn -s
name=value [Tomcat] [DEFAULT] PKI
name=value pkispawn man myconfig.txt .ini PKI
pki_default.cfg man
/usr/share/java/pki/pki-certsrv.jar
com/netscape/certsrv/system/ConfigurationRequest.class Java
pkispawn JSON
com/netscape/certsrv/system/ConfigurationResponse.class Java
pkispawn
root pkispawn
# pkispawn
Elliptic Curve Cryptography (ECC) CA Hardware Security Module (HSM)
CA
PKI
1. # mkdir -p /root/pki
2. /root/pki/ca.cfg:
   [DEFAULT]
   pki_admin_password=<password>
   pki_client_pkcs12_password=<password>
   pki_ds_password=<password>
3. # pkispawn -s CA -f /root/pki/ca.cfg
2.2.2.4.
pkidestroy PKI
(/var/lib/pki/instance_name/<subsystem>/registry/<subsystem>/deployment.cfg)
PKI PKI pkidestroy man
pkidestroy
Begin uninstallation (Yes/No/Quit)? Yes
Uninstallation complete.
2.2.3.1.
Red Hat Certificate System Red Hat Enterprise Linux 7
systemctl
# systemctl start <unit-file>@instance_name.service
# systemctl status <unit-file>@instance_name.service
# systemctl stop <unit-file>@instance_name.service
Watchdog (nuxwdog) Red Hat Certificate System Certificate System
Watchdog
2.2.3.2.
Certificate System systemctl Certificate System systemctl
# systemctl disable pki-tomcatd@instance_name.service
2.2.4. (pki-server pkidaemon)
2.2.4.1. pki-server
Red Hat Certificate System pki-server pki-server -- help pki-server
man
pki-server (CLI) ( ) CLI
$ pki-server [CLI options] <command> [command parameters]
CLI NSS CLI CLI root CLI
CLI
$ pki-server
$ pki-server ca
$ pki-server ca-audit
2.2.4.2. pki-server
subsystem_id (ca, kra, tks, ocsp, tps)
# pki-server subsystem-disable -i pki-tomcat ocsp
2.2.4.3. pkidaemon
pkidaemon {start|status} instance-type [instance_name]
pkidaemon status tomcat: PKI PKI
pkidaemon status tomcat: PKI PKI /URL
pkidaemon status tomcatinstance_name: PKI / URL
pkidaemon start tomcat instance_name.service - systemctl
pkidaemon man
2.2.4.4. Web URL
CA, KRA, OCSP, TKS, TPS Web Web URL CA
https://server.example.com:8443/ca/services
pkidaemon status instance_name
Web 2.1 Web URL CA () Web
https://server.example.com:8443/ca/ee/ca
https://192.0.2.1:8443/ca/services
https://[2001:DB8::1111]:8443/ca/services
2.1 Web
Certificate Manager (CA): port 8443; end-entity interface ca/ee/ca; console: pkiconsole https://host:port/ca
KRA: port 8443; end-entity interface kra/ee/kra; console: pkiconsole https://host:port/kra
OCSP: port 8443; end-entity interface ocsp/ee/ocsp; console: pkiconsole https://host:port/ocsp
TKS: port 8443; end-entity interface tks/ee/tks; console: pkiconsole https://host:port/tks
TPS: port 8443; tps/phoneHome; tps/ui (Operator [d])
[a] No Yes No
[b] Web
[c] OCSP Web OCSP OCSP
[d] Operator Web
SSL/TLS [a]
Web Web
2.2.4.5.
CA, KRA, OCSP, TKS Java KRA, OCSP, TKS CA
pkiconsole SSL/TLS
pkiconsole
https://server.example.com:admin_port/subsystem_type
subsystem_type ca, kra, ocsp, tks KRA
pkiconsole https://server.example.com:8443/kra
https://192.0.2.1:8443/ca https://[2001:DB8::1111]:8443/ca
2.3.1. Java Application Server
Certificate System Tomcat Tomcat
Certificate System Tomcat Tomcat server.xml
https://tomcat.apache.org/tomcat-8.0-doc/config/ Tomcat
Certificate System (CA KRA ) Tomcat Web Web web.xml Java Servlet
3.1 https://www.jcp.org/en/jsr/detail?id=340
Certificate System CS.cfg
pkispawn Tomcat pki_security_manager=false Security Manager
Security Manager
1. # systemctl stop pki-tomcatd@instance_name.service
3. # systemctl start pki-tomcatd@instance_name.service
/usr/share/pki/server/conf/catalina.policy
/usr/share/tomcat/conf/catalina.policy
/var/lib/pki/$PKI_INSTANCE_NAME/conf/pki.policy
/var/lib/pki/$PKI_INSTANCE_NAME/conf/custom.policy
Certificate System
2.3.3.2.
TMS CA KRA CIMC SSL Trusted Manager Trusted Manager (CIMC )
SSL
TMS CIMC TPS CATPS KRA TPS TKS
2.3.3.3.
2.3.3.4. Operator
Representational State Transfer (REST) HTTP Web Red Hat Certificate System
REST
Red Hat Certificate System REST RESTEasy RESTEasy Web RESTEasy
web.xml RESTEasy http://resteasy.jboss.org/
REST URL
CA : http://<host_name>:<port>/ca/rest/certs/
KRA : http://<host_name>:<port>/kra/rest/agent/keys/
TKS : http://<host_name>:<port>/tks/rest/admin/users/
TPS : http://<host_name>:<port>/tps/rest/admin/groups/
HTTP HTTPS
REST HTTP (GET, PUT, POST, DELETE) GET /ca/rest/users CA
REST XML JSON
{ "id":"admin", "UserID":"admin", "FullName":"Administrator",
CLI, Web UI REST REST Certificate System Java, Python, JavaScript
REST 2
REST http://www.dogtagpki.org/wiki/REST
2.3.6. Tomcatjss
Red Hat Certificate System Java Tomcat Server HTTP JSS tomcatjss
JAR NSS Java Tomcatjss Tomcat Java Security Services (JSS) Java
Secure Socket Extension (JSSE)
Tomcatjss TLS TLS tomcatjss tomcat tomcatjss Java JSS NSS
Tomcat Certificate System tomcatjss
1.
3. server.xml Tomcatjss
4. Tomcatjss
5. Tomcat Certificate System
Tomcat JSS Certificate System JSS
server.xml Tomcat Engine Web
2.3.7. PKCS #11
Certificate System 1 PKCS #11 PKCS #11 ( ) PKCS #11 Certificate
System PKCS #11
PKCS 11 1 PKCS #11
2.3.7.1. NSS Soft Token ()
NSS Soft 2 (cert8.db) (key3.db) 2 Certificate System
/var/lib/pki/instance_name/alias
NSS Certificate System
PKCS #11 2
NSS 14/
Network Security Services (NSS) Mozilla Developer Web
2.3.7.2. (HSM)
PKCS #11 Certificate System PKCS #11
PKCS #11 secmod.db modutil modutil Mozilla Developer Web Network
Security Services (NSS)
PKCS #11 PKCS #11
HSM 14/
ID
[CA] pki_serial_number_range_start=1
pki_serial_number_range_end=10000000
pki_request_number_range_start=1
pki_request_number_range_end=10000000
pki_replica_number_range_start=1
pki_replica_number_range_end=100
2.3.8.2.
[CA] pki_random_serial_numbers_enable=True
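The pkispawn deployment file described in the installation steps above (the [DEFAULT] password parameters and pkispawn -s CA -f <file>) and the [CA] serial-number settings in this section are both plain INI key=value text. The following is an added example, not tooling from the guide: it writes such a file with Python's configparser and runs a pre-flight check before pkispawn is invoked. The section and parameter names are the ones shown on this page; the checks themselves (placeholder or short passwords, an inverted serial range, sequential serial numbers, pki_security_manager turned off, file mode 0600 because the file holds three passwords) are this example's own policy, not pkispawn requirements.

```python
"""Build and pre-flight a pkispawn deployment configuration (added example)."""
import configparser
import io
import os
import stat

# Example policy: values that should never reach pkispawn as real passwords.
PLACEHOLDER_PASSWORDS = {"", "<password>", "password", "changeme", "secret"}
MIN_PASSWORD_LEN = 8  # example policy, not a pkispawn limit


def build_deployment_config(admin_password, pkcs12_password, ds_password, *,
                            serial_start=1, serial_end=10000000,
                            random_serials=True, security_manager=True):
    """Return the text of a CA deployment file with [DEFAULT] and [CA] sections."""
    cfg = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    cfg["DEFAULT"] = {
        "pki_admin_password": admin_password,
        "pki_client_pkcs12_password": pkcs12_password,
        "pki_ds_password": ds_password,
        "pki_security_manager": "true" if security_manager else "false",
    }
    cfg["CA"] = {
        "pki_serial_number_range_start": str(serial_start),
        "pki_serial_number_range_end": str(serial_end),
        "pki_random_serial_numbers_enable": "True" if random_serials else "False",
    }
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def preflight(config_text):
    """Return a list of problems found in a deployment file; an empty list means OK."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    problems = []
    for key in ("pki_admin_password", "pki_client_pkcs12_password", "pki_ds_password"):
        value = cfg["DEFAULT"].get(key, "").strip()
        if value.lower() in PLACEHOLDER_PASSWORDS:
            problems.append(f"{key} is unset or a placeholder")
        elif len(value) < MIN_PASSWORD_LEN:
            problems.append(f"{key} is shorter than {MIN_PASSWORD_LEN} characters")
    if cfg["DEFAULT"].get("pki_security_manager", "true").lower() == "false":
        problems.append("pki_security_manager=false disables the Java Security Manager")
    if cfg.has_section("CA"):
        ca = cfg["CA"]
        start = ca.getint("pki_serial_number_range_start", fallback=1)
        end = ca.getint("pki_serial_number_range_end", fallback=10000000)
        if not 0 < start < end:
            problems.append(f"serial number range {start}..{end} is empty or inverted")
        if not ca.getboolean("pki_random_serial_numbers_enable", fallback=False):
            problems.append("pki_random_serial_numbers_enable is off; serials will be "
                            "sequential and predictable")
    return problems


def write_config(path, config_text):
    """Write the file readable only by its owner and return the resulting mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(config_text)
    os.chmod(path, 0o600)  # the file may have pre-existed with a wider mode
    return stat.S_IMODE(os.stat(path).st_mode)
```

Run preflight() on the file before pkispawn and delete the file once the subsystem is up; pkispawn keeps its own copy of the deployment parameters under /var/lib/pki/instance_name/<subsystem>/registry/, so the password-bearing input file does not need to stay on disk.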
2.3.10. (nuxwdog)
CS.cfg Red Hat Enterprise Linux PKI CS.cfg
password.conf
Nuxwdog (watchdog)
RHCS Certificate System Watchdog
Red Hat Certificate System
2.3.11. LDAP
Red Hat Certificate System ACL Red Hat Directory Server (RHDS)
Certificate System LDAP SSL
Certificate System Directory Server 2 Certificate System
pkispawn
Red Hat Directory Server
2.3.12. SELinux (Security Enhanced Linux)
SELinux SELinux Red Hat Enterprise Linux 7 SELinux
SELinux Linux Linux API
Certificate System SELinux SELinux SELinux Certificate System
SELinux Certificate System Certificate System
2.1 CA SELinux
SELinux
SELinux
Certificate System
Certificate System SELinux SELinux Certificate System Enforcing
SELinux
pkispawn Certificate System
SELinux pki_tomcat_t Certificate System Tomcat pki_tomcat_t
tomcat_t Tomcat Certificate System
Certificate System (unconfined_t) pki_tomcat_t pki_tomcat_log_t
pki_tomcat_etc_rw_t http_port_t
SELinux Enforcing Permissive
2.3.13.
Java™
pkispawn pki_subsystem_log_path
/var/log/pki/instance_name/subsystem_name/signedAudit
2.3.14.1.
2.3.14.2.
system (HTTP HTTPS ) IP (IPv4 IPv6 )
id_number.processor - [date:time] [number_of_operations] [result] servlet: message
2.1 TKS
id_number.processor - [date:time] [number_of_operations] [result] servlet: message
CA KRA TPS TKS
2.2
Web
[date:time] [processor]: servlet: message
[10/Jun/2020:05:14:51][main]: Established LDAP connection using basic authentication to host localhost port 389 as cn=Directory Manager
main LDAP
CA
[06/Jun/2020:14:59:38][http-8443;-Processor24]: ProfileSubmitServlet: key=$request.requestowner$ value=KRA-server.example.com-8443
CA HTTP profile () (KRA )
2.3 CA
bXB1dGVyIERvbWFpbjEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X
DTA4MDYwNjE5NTkzOFoXDTA4MTIwMzE5NTkzOFowOzEhMB8GCSqGSIb3DQEJARYS
anNtaXRoQGV4YW1wbGUuY29tMRYwFAYKCZImiZPyLGQBARMGanNtaXRoMIGfMA0G
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDreuEsBWq9WuZ2MaBwtNYxvkLPHcN0cusY
7gxLzB+XwQ/VsWEoObGldg6WwJPOcBdvLiKKfC605wFdynbEgKs0fChVk9HYDhmJ
8hX6+PaquiHJSVNhsv5tOshZkCfMBbyxwrKd8yZ5G5I+2gE9PUznxJaMHTmlOqm4
HwFxzy0RRQIDAQABo4HFMIHCMB8GA1UdIwQYMBaAFG8gWeOJIMt+aO8VuQTMzPBU
78k8MEoGCCsGAQUFBwEBBD4wPDA6BggrBgEFBQcwAYYuaHR0cDovL3Rlc3Q0LnJl
ZGJ1ZGNvbXB1dGVyLmxvY2FsOjkwODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBeAw
HQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMCQGA1UdEQQdMBuBGSRyZXF1
ZXN0LnJlcXVlc3Rvcl9lbWFpbCQ=
[07/Jul/2020:06:25:40][http-11180-Processor25]: OCSPServlet: OCSP Request:
[07/Jul/2020:06:25:40][http-11180-Processor25]: OCSPServlet:
MEUwQwIBADA+MDwwOjAJBgUrDgMCGgUABBSEWjCarLE6/BiSiENSsV9kHjqB3QQU
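The transaction-log layout (id_number.processor - [date:time] [number_of_operations] [result] servlet: message) and the debug-log layout ([date:time] [processor]: servlet: message) given in this section are regular enough to parse mechanically. The following is an added example, not part of the guide: a parser for both layouts, run over the debug lines quoted above plus one constructed transaction line, with a detection rule on the LDAP bind message. The rule (flag a bind on cleartext port 389 and a bind as cn=Directory Manager) is this example's own; the servlet field is treated as optional because the LDAP connection line quoted above has none.

```python
"""Parse Certificate System log lines and flag risky LDAP binds (added example)."""
import re
from datetime import datetime

# Debug log: [date:time] [processor]: servlet: message   (servlet absent on some lines)
DEBUG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s*\[(?P<proc>[^\]]+)\]: "
    r"(?:(?P<servlet>[A-Za-z]\w*): )?(?P<msg>.*)$"
)
# Transaction log: id_number.processor - [date:time] [ops] [result] servlet: message
TXN_RE = re.compile(
    r"^(?P<id>\d+)[.\s](?P<proc>\S+) - \[(?P<ts>[^\]]+)\] \[(?P<ops>\d+)\] "
    r"\[(?P<result>[^\]]+)\] (?P<servlet>[A-Za-z]\w*): (?P<msg>.*)$"
)
LDAP_BIND_RE = re.compile(
    r"Established LDAP connection using (?P<auth>.+?) to host (?P<host>\S+) "
    r"port (?P<port>\d+) as (?P<dn>.+)$"
)
TS_FMT = "%d/%b/%Y:%H:%M:%S"

SAMPLE_LINES = [
    # Debug lines quoted in this section of the guide.
    "[10/Jun/2020:05:14:51][main]: Established LDAP connection using basic "
    "authentication to host localhost port 389 as cn=Directory Manager",
    "[06/Jun/2020:14:59:38][http-8443;-Processor24]: ProfileSubmitServlet: "
    "key=$request.requestowner$ value=KRA-server.example.com-8443",
    "[07/Jul/2020:06:25:40][http-11180-Processor25]: OCSPServlet: OCSP Request:",
    # Constructed transaction-log line in the layout shown above (not from the guide).
    "1.http-8443-Processor24 - [06/Jun/2020:14:59:40] [1] [Success] "
    "ProfileSubmitServlet: profile caUserCert request 7 completed",
]


def parse_line(line):
    """Return a dict for a transaction or debug line, or None if it matches neither."""
    line = line.rstrip("\r\n")
    for kind, rx in (("transaction", TXN_RE), ("debug", DEBUG_RE)):
        m = rx.match(line)
        if m:
            rec = m.groupdict()
            rec["kind"] = kind
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            if rec.get("ops") is not None:
                rec["ops"] = int(rec["ops"])
            return rec
    return None


def ldap_bind_findings(records):
    """Flag LDAP binds that should not appear in a hardened deployment."""
    findings = []
    for rec in records:
        m = LDAP_BIND_RE.search(rec["msg"])
        if not m:
            continue
        when = rec["ts"].strftime("%Y-%m-%d %H:%M:%S")
        if m["port"] == "389":
            findings.append(f"{when}: bind to {m['host']}:389 (LDAP, not LDAPS); "
                            "credentials cross the wire unprotected unless Start TLS is in use")
        if m["dn"].strip().lower() == "cn=directory manager":
            findings.append(f"{when}: bound as {m['dn']}; Certificate System should use "
                            "a dedicated, least-privileged bind DN")
    return findings


def analyze(lines):
    """Parse every line that matches a known layout and return (records, findings)."""
    records = [r for r in (parse_line(ln) for ln in lines) if r is not None]
    return records, ldap_bind_findings(records)
```

Feed it the debug log of an instance under /var/log/pki/instance_name/ and review the findings: a bind as Directory Manager on port 389 is exactly what the LDAPS and bind-DN hardening steps later in this guide are meant to remove.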
2.3.14.6. Tomcat
CA, KRA, OCSP, TKS, TPS Tomcat Web
Certificate System HTTP Tomcat Web HTTP HTTP
Tomcat :
catalina.timestamp
catalina.out
host-manager.timestamp
localhost.timestamp
localhost_access_log.timestamp
manager.timestamp
Certificate System Apache Tomcat Apache
2.3.14.7.
2.3.14.8. journalctl
# journalctl -f -u pki-tomcatd@instance_name.service
/etc/pki/instance_name/server.xml
2.3.15.1.
Certificate System 1 Certificate System Tomcat Certificate System
PKI Web RPM Java
pki-tomcat true pkispawn
2.2 Tomcat
2.3 CA
2.4 KRA
2.5 OCSP
2.6 TKS
2.7 TPS
Certificate System (2.8 )
2.8
pki/ca (CA)
pki/kra (KRA)
pki/ocsp (OCSP)
pki/tks (TKS)
pki/tps (TPS)
/usr/share/java/pki Tomcat Web Certificate System Java
PKI TMS TMS
TMS CA TMS OCSP KRA
2.4.1.
Certificate Manager Certificate System ()
Certificate System Web (VPN) X.509 3
Red Hat Certificate System
2.4.1.1.
Certificate Manager CSR
2.4.1.1.1.
PKI PKI
1. 1
Certificate Manager
3. LDAP PIN
4.
6.
7. KRA CA
8.
9.
HTML HTML
ID
10.
12. Certificate Manager LDAP
13. OCSP
CA
PKCS #10 Certificate Request Message Format (CRMF) CSR
2.4.1.1.2.
2.4.1.1.2.2. CMC
CMC
1. PKCS10ClientCRMFPopClient PKCS #10 CRMF (CSR)
CMCRequest(1) man
3. HttpClient CMC CA HttpClient CMC
HttpClient CA CMC PKCS 7
HttpClient
4. CMCResponse HttpClient PKCS #7 CMCResponse
CMCResponse(1) man
5.
2.4.1.1.2.2.1. POP CMC
POP (Proof Of Possession) HttpClient EncryptedPOP CMC CMCResponse
CMCRequest
Red Hat Certificate System CMC
2.4.1.1.2.2.2. CMC
CMCAuth
Red Hat Certificate System CMC
2.4.1.1.2.2.3. CMC
CMC
Red Hat Certificate System CMC CMC
2.4.1.1.2.2.4.
()
3. CMCSharedToken
4. LDAP shrTok
5. CMCRequest witness.sharedSecret
CA CA
2. LDAP shrTok
3.
2.4.1.1.2.2.5. CMC
Certificate System CMC CMC
CMC HttpClient
servlet=/ca/ee/ca/profileSubmitCMCSimple?profileId=caECSimpleCMCUserCert
UI HTML
Certificate Manager
X.509 3
<instance directory>/ca/profiles/ca <profile id>.cfg
pkispawn LDAP
2.4.1.4.
2 CA 2 CA PKI
2.4.2.
2.4.3. CRL
LDAP CRL LDAP OCSP 3 CRL
2.4.4.
Certificate Manager
OCSP
Red Hat Certificate System
CMCRequest Red Hat Certificate System CMC
pki pki-cert(1) man
2.4.4.2.
2.4.4.2.1. CRL
Certificate System (CRL) CRL CRL CRL CRL
Certificate Manager X.509 CRL CRL
2.4.4.2.2. OCSP
Certificate System CA PKIX RFC 2560 Online Certificate Status
Protocol (OCSP) OCSP OCSP CA CRL OCSP
1. CA OCSP Authority Information Access
2. CA CRL OCSP
3. OCSP CA CRL
4. OCSP OCSP Authority Information Access OCSP
5. OCSP
2.4.4.2.2.1. OCSP
CA
Certificate Manager OCSP OCSP OCSPNoCheck Extended Key Usage
2.4.4.2.2.2. OCSP
Good or Verified
Revoked
2.4.4.2.2.3. OCSP
Online Certificate Status Manager
Certificate Manager OCSP CRL OCSP CA CRL Certificate System Online
Certificate Status Manager Online Certificate Status Manager
Certificate Manager CRL CRL OCSP
Certificate Manager CRL OCSP Certificate Manager CRL Online
Certificate Status Manager OCSP CRL
Online Certificate Status Manager Certificate Manager CRL CRL
Online Certificate Status Manager LDAP CRL Certificate Manager CRL
Online Certificate Status Manager
2.4.5.
2 2 ID
2.4.5.1.
: CRMF CSR (KRA) CA Red Hat Certificate System CRMFPopClient
CSR
: PKI KRA Red Hat Certificate System CSR
KRA
KRA 1 ( KRA) KRA
KRA
ID ID
2.2
a. CRMF KRA
2. CA CRMF KRA
3. KRA / LDAP /
4. KRA CA
5. CA
2.4.5.2.
1 KRA 1 KRA
KRA ( ) KRA LDAP KRA
2.3
KRA
Firefox Web KRA Red Hat Enterprise Linux 7 Firefox 31.6 pki pki(1)
pki- key(1) man run CRMFPopClient --help man CMCRequest
KRA pki
2.4.5.3. KRA
KRA 2 KRA KRA 2 CA KRA CA
KRA
4. KRA
KRA CA KRA KRA
KRA
1. KRA
a. KRA
systemctl stop pki-tomcatd@pki-kra.service
b. KRA NSS
mkdir nss_db_backup
cp *.db nss_db_backup
d. PKCS10Client
PKCS10Client -p password -d '.' -o 'req.txt' -n 'CN=KRA Transport 2 Certificate,O=example.com Security Domain'
certutil
certutil -d . -R -k rsa -g 2048 -s 'CN=KRA Transport 2 Certificate,O=example.com Security Domain' -f password-file -a -o transport-certificate-request-file
e. CA
f. End-Entity
2. CA Agent Services KRA
3. KRA
c. KRA Base64 (: cert-serial_number.txt ) (-----BEGIN CERTIFICATE-----) (-----END CERTIFICATE-----)
4. KRA
certutil -d . -A -n 'transportCert-serial_number cert-pki-kra KRA' -t 'u,u,u' -a -i cert-serial_number.txt
5. KRA
certutil -d . -L
certutil -d . -L -n 'transportCert-serial_number cert-pki-kra KRA'
c. /var/lib/pki/pki-kra/kra/conf/CS.cfg
kra.transportUnit.newNickName=transportCert-serial_number cert-pki-kra KRA
2.
c. KRA
certutil -d . -L
certutil -d . -L -n 'transportCert-serial_number cert-pki-kra KRA'
d. KRA
e. KRA
b. NSS
d. NSS
KRA CA
1. CA KRA
a. KRA cert- serial_number.txt KRA
b. cert-serial_number.txt Base64 1
tr -d '\n' < cert-serial_number.txt > cert-one-line-serial_number.txt
2. CA KRA
a. CA
systemctl stop pki-tomcatd@pki-ca.service
b. /var/lib/pki/pki-ca/ca/conf/CS.cfg
ca.connector.KRA.transportCert=certificate
CA KRA CA KRA CA KRA KRA
KRA
KRA
3. KRA
certutil -d . -L
certutil -d . -L -n 'transportCert-serial_number cert-pki-kra KRA'
4. /var/lib/pki/pki-kra/kra/conf/CS.cfg nickName
kra.transportUnit.nickName=transportCert cert-pki-kra KRA
kra.transportUnit.newNickName=transportCert-serial_number cert-pki-kra KRA
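The configuration side of the transport-certificate rollover above comes down to two text edits: the Base64 certificate (header and footer lines removed, then joined into one line with tr) becomes the value of ca.connector.KRA.transportCert in the CA's CS.cfg, and the KRA's CS.cfg carries the old nickname in kra.transportUnit.nickName next to the new one in kra.transportUnit.newNickName. The following is an added example, not tooling from the guide, that performs those edits and sanity-checks the certificate value before it is written. The PEM block, the CS.cfg fragments and the nicknames are constructed for the example (the PEM decodes to a five-byte DER SEQUENCE, not a real certificate) so that it runs offline; the certutil and systemctl steps are still done by hand.

```python
"""Stage a KRA transport certificate rollover in CS.cfg (added example)."""
import base64

# Constructed placeholder: a minimal DER SEQUENCE in PEM framing, not a real certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""

# Constructed fragments of the two CS.cfg files touched by the procedure.
SAMPLE_KRA_CFG = (
    "kra.transportUnit.nickName=transportCert cert-pki-kra KRA\n"
    "kra.transportUnit.newNickName=\n"
)
SAMPLE_CA_CFG = "ca.connector.KRA.transportCert=OLDVALUE\n"


def pem_to_one_line(pem_text):
    """Drop the BEGIN/END lines and newlines (what the tr step does) and check the result."""
    body = "".join(ln.strip() for ln in pem_text.splitlines()
                   if ln.strip() and not ln.startswith("-----"))
    der = base64.b64decode(body, validate=True)  # binascii.Error on stray characters
    if not der or der[0] != 0x30:
        raise ValueError("decoded value is not a DER SEQUENCE; wrong file or truncated copy")
    return body


def cs_cfg_get(cfg_text, key):
    """Return the value of key in CS.cfg text, or None if the key is absent."""
    prefix = key + "="
    for ln in cfg_text.splitlines():
        if ln.startswith(prefix):
            return ln[len(prefix):]
    return None


def cs_cfg_set(cfg_text, key, value):
    """Return CS.cfg text with key=value replaced in place, or appended if missing."""
    prefix = key + "="
    lines = cfg_text.splitlines()
    for i, ln in enumerate(lines):
        if ln.startswith(prefix):
            lines[i] = prefix + value
            break
    else:
        lines.append(prefix + value)
    return "\n".join(lines) + "\n"


def prepare_rollover(kra_cfg, ca_cfg, new_cert_pem, new_nickname):
    """Stage the new certificate on both sides; the old nickName stays in place."""
    new_kra = cs_cfg_set(kra_cfg, "kra.transportUnit.newNickName", new_nickname)
    new_ca = cs_cfg_set(ca_cfg, "ca.connector.KRA.transportCert", pem_to_one_line(new_cert_pem))
    return new_kra, new_ca


def finalize_rollover(kra_cfg):
    """Promote newNickName to nickName once the CA sends requests under the new certificate."""
    new_nick = cs_cfg_get(kra_cfg, "kra.transportUnit.newNickName")
    if not new_nick:
        raise ValueError("kra.transportUnit.newNickName is not set; nothing to promote")
    return cs_cfg_set(kra_cfg, "kra.transportUnit.nickName", new_nick)
```

Stop the instance before writing CS.cfg, as the procedure does, and keep the old transport key in the KRA's NSS database until no archival request encrypted to the old certificate can still arrive; that is why the procedure carries both nicknames rather than overwriting nickName at once.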
2.5.
TMS (CA) (TKS) (TPS) (KRA) OCSP (Online Certificate Status
Protocol) CA Red Hat Certificate System TKS TPS TMS Enterprise
Security Client (ESC)
2.4 TMS
2.5.1. (TKS)
Token Key Service (TKS) 1 TMS (CUID) ID
() Key Changeover TKS
2.5.1.1.
Java TKS ( keySet ) TKS (CS.cfg) TPS TMS Secure Channel TKS
TKS TPS keySet TPS () keySet TPS keySet Mapping Resolver
2.5.1.2. ()
2.5.1.3. ()
Token Key Service TKS 1 TKS
TKS
2.5.1.4. APDU
Red Hat Certificate System Token Management System (TMS)
GlobalPlatform Token Key System (TKS) Application Protocol Data
Units (APDU) () Token Processing System (TPS) Secure Channel
APDU 2
APDU (TPS )
APDU Certificate System TPS InitializeUpdate APDU
ExternalAuthenticate APDU TMS Secure Channel
TKS Secure Channel TMS
2.5.2. (TPS)
TMS TPS TPS APDU TMS TPS TPS CA KRA
2.5.2.1. Coolkey
2.5.2.2.
: Coolkey
: Web 2
: TPS
: LDAP TPS
PIN : PIN PIN
: PKI Red Hat Certificate System TPS 2
: PKI
: PKI TMS
:
: TPS
CA CA CA CA
:
2.5.2.3. TPS
TPS
Coolkey
1 2
Internal Registration: TPS (tokenType) Mapping Resolver
: (
LDAP
TPS
2.5.2.4.1.
2.5.2.4.1.1.
2.9
DAMAGED 1
PERM_LOST 2
2.5.2.4.1.2.
tokendb.allowedTransitions tps.operations.allowedTransitions
tokendb.allowedTransitions=0:1,0:2,0:3,0:6,3:2,3:6,4:1,4:2,4:3,4:6,6:7
2.10
0:3 FORMATTED SUSPENDED ( )
0:6 FORMATTED TERMINATED
3:6 SUSPENDED TERMINATED
4:1 ACTIVE DAMAGED
4:2 ACTIVE PERM_LOST
4:3 ACTIVE SUSPENDED ( )
4:6 ACTIVE TERMINATED
6:7 TERMINATED UNFORMATTED
2.11
2.5.2.4.1.3.
tps.operations.allowedTransitions=0:0,0:4,4:4,4:0,7:0
2.12
0:4 FORMATTED ACTIVE
4:4 ACTIVE ACTIVE
4:0 ACTIVE FORMATTED
7:0 UNFORMATTED FORMATTED
2.5.2.4.1.4.
# Token state transitions
FORMATTED.DAMAGED = This token has been physically damaged.
FORMATTED.PERM_LOST = This token has been permanently lost.
FORMATTED.SUSPENDED = This token has been suspended (temporarily lost).
FORMATTED.TERMINATED = This token has been terminated.
SUSPENDED.ACTIVE = This suspended (temporarily lost) token has been found.
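The two transition lists above (tokendb.allowedTransitions for changes made through the TPS UI, tps.operations.allowedTransitions for changes driven by token operations) and the state numbering in Table 2.9 define the whole token life-cycle policy, so they are worth checking mechanically before a customised list goes into CS.cfg. The following is an added example, not part of the guide: it parses the two strings exactly as shown in this section, answers "is this transition allowed" queries, and applies two policy checks of its own: no transition may take a TERMINATED token anywhere but UNFORMATTED, and no token operation may run on a token that is DAMAGED, PERM_LOST, SUSPENDED or TERMINATED. State 5 is absent from the table, so the parser rejects it.

```python
"""Validate TPS token state transition lists from CS.cfg (added example)."""

# Table 2.9 as shown in this section; there is no state 5.
TOKEN_STATES = {
    0: "FORMATTED", 1: "DAMAGED", 2: "PERM_LOST", 3: "SUSPENDED",
    4: "ACTIVE", 6: "TERMINATED", 7: "UNFORMATTED",
}
STATE_IDS = {name: num for num, name in TOKEN_STATES.items()}


def parse_transitions(value):
    """Turn '0:1,0:2,...' into a set of (current, new) state-number pairs."""
    allowed = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        current, new = (int(part) for part in item.split(":"))
        for state in (current, new):
            if state not in TOKEN_STATES:
                raise ValueError(f"unknown token state {state} in '{item}'")
        allowed.add((current, new))
    return allowed


# The default lists quoted in this section.
TOKENDB_ALLOWED = parse_transitions("0:1,0:2,0:3,0:6,3:2,3:6,4:1,4:2,4:3,4:6,6:7")
OPERATIONS_ALLOWED = parse_transitions("0:0,0:4,4:4,4:0,7:0")


def transition_allowed(current, new, allowed):
    """True if the (current -> new) transition is in the given list."""
    return (current, new) in allowed


def label_key(current, new):
    """Key used by the transition label file, e.g. FORMATTED.DAMAGED."""
    return f"{TOKEN_STATES[current]}.{TOKEN_STATES[new]}"


def describe(allowed):
    """Human-readable, sorted rendering of a transition list."""
    return sorted(f"{TOKEN_STATES[a]} -> {TOKEN_STATES[b]}" for a, b in allowed)


def policy_findings(tokendb, operations):
    """Apply this example's two policy checks; an empty list means the lists pass."""
    findings = []
    terminated, unformatted = STATE_IDS["TERMINATED"], STATE_IDS["UNFORMATTED"]
    frozen = {STATE_IDS[n] for n in ("DAMAGED", "PERM_LOST", "SUSPENDED", "TERMINATED")}
    for current, new in sorted(tokendb | operations):
        if current == terminated and new != unformatted:
            findings.append(f"TERMINATED token could be revived via {label_key(current, new)}")
    for current, new in sorted(operations):
        if current in frozen:
            findings.append(f"token operation allowed on a {TOKEN_STATES[current]} token: "
                            f"{label_key(current, new)}")
    return findings
```

The default lists pass both checks; a customised tps.operations list that adds 2:4, say, would let a token reported permanently lost enroll again and is reported as a finding.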
2.5.2.4.1.5.
2.5.2.4.1.6.
2.5.2.4.1.7.
2.13 TPS
token_modify
delete
cert_revocation
cert_unrevocation
2.5.2.4.2.
TPS TPS
2.5.2.5.
FilterMappingResolver TPS
target
appletMajorVersion - Coolkey
appletMinorVersion - Coolkey
tokenType - tokenType (TPS )
tokenATR - Answer to Reset (ATR)
tokenCUID - startend Card Unique ID (CUID)
2.5.2.6. TPS
TPS
TPS :
2.5.4. Enterprise Security Client (ESC)
Enterprise Security Client TPS Web HTTP ESC TPS HTTPS TLS TMS
Secure Channel
2.6. RED HAT CERTIFICATE SYSTEM
Certificate System PKI
2.6.1.
2.6.2.
2.6.3.
2.6.4.
2.6.5.
2.6.6.
Certificate System /SSL/TLS LDAP NIS CMC CA
Certificate System IP
2.6.6.1.
Red Hat Certificate System
Certificate System 3
auditors
2.6.6.2.
2.7.
PKI
Certificate System HTTP HTTPS
2.5
DNS
LDAP PKI [Tomcat] 2 name=value pkispawn
[Tomcat]
pki_clone_setup_replication=False
pki_clone_reindex_data=False
CA
CA CA 2 CA CA 1 CA
CA fluid CA 1 CA CA
begin*Number end*Number
dbs.beginRequestNumber=1
dbs.beginSerialNumber=1
dbs.enableSerialManagement=true
dbs.endRequestNumber=9980000
dbs.endSerialNumber=ffe0000
dbs.replicaCloneTransferNumber=5
CRL 1 CA CRL CA CA CRL CRL CA CA CRL CA CRL CRL CRL CA CA
CA CA
CA ( )
2.7.2. KRA
KRA 1 KRA KRA KRA KRA
KRA
KRA KRA KRA
2.7.3.
TKS 1
OCSP 1 OCSP CRL CRL
2.7.4.
pkispawn pki_backup_keys pki_backup_password PKCS #12
pki_default.cfg(5) man BACKUP PARAMETERS
PKCS12Export PKCS #12
PKCS #12 clone pki_clone_pkcs12_password pki_clone_pkcs12_path
pkispawn man pkispawn(8) Installing a Clone PKCS#12 pkiuser
SELinux
Directory Server Directory Server
LDAPS SSL/TLS LDAP (SSL/TLS ) Directory Server Directory Server
3
SSL/TLS SSL/TLS / Directory Server SSL/TLS
Directory Server
/ Directory Server Start TLS TLS
TLS SSL/TLS Directory Server CA Directory Server SSL/TLS
() Directory Server
LDAP ( 389) LDAP
Directory Server LDAP
2.7.6. ID
Directory Server ID ID
(CA ) ID ID 1
dbs.beginReplicaNumber=1
dbs.endReplicaNumber=95
ID
CS.cfg
CA 2 KRA CA CA-KRA CA CS.cfg CA CA CA-KRA KRA CA KRA
()
3.1. TLSECC RSA
Transport Layer Security (TLS) TLS
TLS TLS
TLS ()
RSA Elliptic Curve Diffie-Hellman (ECDH) TLS TLS ECC (Elliptic Curve
Cryptography) RSA RSA ECC
2 PFS (Perfect Forward Secrecy) PFS ( )
RSA RSA 2048 1024 2048 64 CA 2048 (30724096 )
3.1.1.
3.1.1.1. TLS
Red Hat Certificate System
ECC
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
RSA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Red Hat Certificate System PKCS #11
RSA :
https://csrc.nist.gov/publications/detail/fips/186/4/final
nistp256
nistp384
nistp521
IPv4 IPv6 Certificate System IP IPv4 IPv6 IPv6
TPSTKSCA
TPS Enterprise Security Client
pki Subject Alt Name Extension HttpClientBulk Issuance Tool
Certificate System
(pkiconsole Web IPv6 )
()
IPv4 n.n.n.n n.n.n.n,m.m.m.m 128.21.39.40
128.21.39.40,255.255.255.00
IPv6 128 IPv6
DNS IPv4 IPv6 Web Java
https://ipv6host.example.com:8443/ca/services pkiconsole
https://ipv6host.example.com:8443/ca
https://[00:00:00:00:123:456:789:00:]:8443/ca/services pkiconsole
https://[00:00:00:00:123:456:789:00:]:8443/ca
3.5. PKIX
Certificate System IETF Public-Key Infrastructure (X.509) PKIX PKIX
IETF Datatracker Web
3.1 9 PKIX
RFC
(ITU)
(CMMF)
CA CMMF CMC
CS (CMC)
RFC 5274 CS PKCS #10 Diffie-Hellman RSA CMC CRMF CMMF
(CMS) RFC 2630 PKCS #7
PKIX CRL
RFC 5280 IETF CRL
(OCSP)
RFC
4.1.
4.2.
4.3. WEB
4.1 Web
Red Hat Enterprise Linux Firefox 60 [a] Firefox 60 [a]
Windows 7 Firefox 60 [a] Firefox 60
Internet Explorer 10[b]
[a] Firefox Web
[b] Internet Explorer 11 Red Hat Certificate System 9 Web Internet
Explorer 11 Visual Basic
4.4.
Red Hat Certificate System Hardware Security Modules (HSM)
CipherTools-linux64-dev-12.30.00
()
Certificate System TPS TKS
5.1.
ID
5.1.1.
Certificate System PKI Certificate Manager () CA
5.1 CA
Certificate Manager 1 CA
KRA
5.2 CA KRA
5.1.3.
1 ( CA ) ( CA CA ) CA
5.1.4. OCSP
Example Corp. Web SSL/TLS CA
5.3 CA OCSP
TPS TPS
TPS CATKS KRA Enterprise Security Clients 1 TPS TPS TPS TPS CATKS
KRA
TPS CA KRA TKS TPS
5.2.
CA PKI CA (CA ) (
CA PKI CA (CA ) ( ) Certificate System PKI
PKI CA CA CA CA CA CA CA CA Certificate System Certificate System
CA CA CA
( CA) CA () CA CA CA CA CA CA CA CA CA CA CA
CA
CA CA CA
Certificate Manager CA CA CA PKI CA CA CA
5.2.1. CA
Certificate System CA CA CA CA CA CA SSL/TLS S/MIME (Secure
Multipurpose Internet Mail Extensions) SSL/TLS CA PKI
CA 1 CA Web CA CA Certificate System
5.2.2. CA
Certificate System CA CA CA CA CA CA CA CA CA
Certificate System CA CA CA Certificate System CA CA CA
Certificate System Certificate Manager CA CA Certificate Manager CA
Certificate Manager CA CA
Certificate Manager 2 CA 2 CA PKI
(FBCA)
5.2.4. CA
CA CA Certificate Manager
Certificate Manager CA Certificate Manager ( Certificate
Manager)
pk12util PKCS12Export
CA CA CA CA Certificate Manager CA
Certificate Manager CA
Certificate Manager Certificate Manager
Certificate Manager
5.3.
PKI Certificate System
CA CA PKI
CA CA LDAP CA
CA URL Example Corp Intranet PKI (KRATPS TKSOCSPCA( URL
TPS CA TPS CA
CA LDAP CA
ou=Security Domain,dc=server.example.com-pki-ca
(pkiSecurityGroup)
pkiSubsystem
(CA ) CA CA LDAP
CA KRA KRA CA KRA CA
Certificate System CA CA
CA OCSP OCSP CA OCSP CA CA CA
5.4.
5.4.1.
5.1
CA
CA OCSP CA CRL CA OCSP
KRA CA CS.cfg KRA ca.connector.KRA.transportCert
CA Certificate Manager SSL/TLS CA SSL/TLS
Certificate Manager CRL LDAP SSL/TLS SSL/TLS SSL/TLS
SSL/TLS 1 SSL/TLS
5.4.2. CA
CA Certificate Manager ID Certificate Manager (DN)
CA DN DN DN Example Corporation Certificate Manager
cn=demoCA, o=Example Corporation, ou=Engineering, c=US
Certificate Manager DN DN
5.4.3. CA
5.4.4.
CA CA CRL OCSP
SHA256withRSA
SHA512withRSA
SHA256withEC
SHA512withEC
Certificate System ECC ECC PKCS #11 9 ECC
RSA 2048 4096 ECC RSA ECC 256 2048 RSA
5.4.5.
X.509 v1 X.500
X.500 X.500
CA CA CA
CRL CRL
X.509 v3 X.509 v3 X.509 CRL CA
X.509 v3
X.500 X.509 ITU (International Telecommunication Union) IETF
(Internet Engineering Task Force) X.509 (PKIX) X.509v3 CRL PKIX
1
2 Abstract Syntax Notation One (ASN.1) Distinguished Encoding Rules
(DER) Certificate System CCITT X.208 X.209 ASN.1 DER RSA
Laboratories Web (http://www.rsa.com) A Layman's Guide to a Subset
of ASN.1, BER, and DER
5.4.5.1.
Extension ::= SEQUENCE {
    extnID      OBJECT IDENTIFIER,
    critical    BOOLEAN DEFAULT FALSE,
    extnValue   OCTET STRING
}
(OID) ASN.1 OID ID (extnID) ASN.1 (extnValue)
critical
ID
ID
DER octet
ID ID ID
X.509 v3
5.4.6.
()
2 2 2 4 2
SSL/TLS 2 1 6 1 2
Certificate System
PKCS 7
1 1 PKCS#10 1 CRMF () CRMF 1
PKI
Manage Certificate Profiles Certificate Profile
1
() ( )
1 () ID 1 1 2 2
Certificate System CA Certificate System
pki_san_inject
CMC
Certificate Manager CMC 1 HTML
2. CA Certificate Manager ID
3. LDAP
5.4.8. CRL
CA CRL LDAP CRL LDAP OCSP
CRL
LDAP
LDAP
SSL/TLS SSL/TLS Certificate Manager
LDAP DN ()
5.4.9. CA
CA 2
CA CA CA CA CA CA
CA CA CA CA CA
CA Certificate Manager CA PKI
5.5.
5.5.1.
LDAP LDAP ( LDAP 389LDAPS 636) LDAP
iptables Certificate System iptables Red Hat
5.5.2.
5.5.3.
HTTP
Tomcat Server Management
Tomcat AJP
Red Hat Certificate System Red Hat Certificate System URL
https://server.example.com:8443/ca/ee/ca
<Service name="Catalina">
    <!--Connector port="8080" ... /-->
    unused standard port
    <Connector port="8443" ... />
1 to 65535
5.6. CERTIFICATE SYSTEM
Certificate System Certificate System 2
( cert8.db) (key3.db)Certificate System Certificate System
Certificate System
/var/lib/pki/instance_name/alias
PKCS11 API PKCS 11
Certificate System PKCS 11 Certificate System Certificate
System
Certificate System 1
Certificate System
SSL/TLS
Certificate Manager
Certificate System nCipher nShield (HSM) Certificate System HSM
PKCS #11 modutil secmod.db
Security Modules NSS PKCS 11 Found Operations Login Certificate
System
5.7. PKI
LDAP
(CA) VPN
PKI
Certificate System
CA Certificate SystemCA
CA CA CA (PKI CA CA)
Certificate Manager CA CA CA CA CA CA CA CA ()
CA CA CA CA
CA CA Certificate System CA CA CA CA CA
1 Certificate Manager CA CA CA CA 1 CA Web
1 CA CA Certificate System CA CA CA Certificate System CA
CA CA CA CA
ID ID ()
Certificate Manager OCSP
PKI ?
?
CRL CRL
CRL
5.8.
5.8.1.
5.8.2.
II. RED HAT CERTIFICATE SYSTEM Red Hat Certificate System
6.1. RED HAT ENTERPRISE LINUX
Red Hat Certificate System Red Hat Enterprise Linux 7 Red Hat
Enterprise Linux Red Hat Enterprise Linux
Red Hat Enterprise Linux FIPS(Federal Information Processing
Standard)Red Hat Security Guide
# sysctl crypto.fips_enabled
6.2. SELINUX
enforcing SELinux Certificate System (HSM) Certificate System
SELinux
SELinux SELinux
6.2.1. SELinux Enforcing
Red Hat Enterprise Linux SELinux enforcing
SELinux
Directory Server Directory Server Installation Guide
6.3.1.
1. firewalld
# systemctl status firewalld
3. firewall-cmd Certificate System
# firewall-cmd --permanent --add-port={8080/tcp,8443/tcp,8009/tcp,8005/tcp}
4. firewall-cmd
(HSM) FIPS (Federal Information Processing Standard) 140-2 HSM HSM
FIPS HSM
HSM Certificate System SELinux
HSM
1. /opt/nfast/
# restorecon -R /opt/nfast/
2. nfast
6.4.2. HSM FIPS
HSM FIPS HSM
nCipher HSM FIPS Security World Security World new-world FIPS
Security World nCipher HSM
LunaSA HSM
Luna HSM FIPS HSM Luna HSM
6.4.3. FIPS HSM
HSM FIPS HSM
6.4.3.1. FIPS nCipher HSM
# /opt/nfast/bin/nfkminfo
6.4.3.2. FIPS Luna SA HSM
1. lunash
2. hsm show The HSM is in FIPS 140-2 approved operation mode.
lunash:> hsm show
...
FIPS 140-2 Operation:
=====================
The HSM is in FIPS 140-2 approved operation mode.
...
6.4.4. HSM
pkispawn HSM Certificate System pkispawn
...
[DEFAULT]
##########################
# Provide HSM parameters #
##########################
pki_hsm_enable=True
pki_hsm_libfile=hsm_libfile
pki_hsm_modulename=hsm_modulename
pki_token_name=hsm_token_name
pki_token_password=pki_token_password

########################################
# Provide PKI-specific HSM token names #
########################################
pki_token_password HSM HSM pkispawn
pki_hsm_modulename HSM pkispawn pkispawn Certificate System
HSM
HSM HSM HSM
6.4.4.1. NCipher HSM
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
...~snip~...
...~snip~...
6.4.4.2. SafeNet / Luna SA HSM
SafeNet Luna Network HSM SafeNet / Luna SA HSM
pki_hsm_libfile=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
pki_hsm_modulename=lunasa
Slot  Serial #          Label
====  ================  =====
0     1209461834772     lunasaQE
label
Certificate System Red Hat Directory Server Directory Server
Certificate System
6.5.1. Directory Server
Red Hat Directory Server
1. Directory Server
# yum install redhat-ds openldap-clients
[slapd]
ServerIdentifier=instance_name
ServerPort=389
Suffix=dc=example,dc=org
RootDN=cn=Directory Manager
RootDNPwd=password
b.
6.5.2. Directory Server TLS
Certificate System Directory Server TLS Certificate System TLS
Directory Server Certificate System () Directory Server
Directory Server TLS Directory Server Directory Server TLS
Directory Server TLS Red Hat Certificate System Directory Server
Certificate System
Directory Server (CA) TLS Certificate System CA CA Directory
Server
6.5.2.1. Red Hat Certificate System LDAPS
1. NSS Directory Server
# systemctl stop dirsrv@instance_name.service
# echo password > /etc/dirsrv/slapd-instance_name/password.txt
# chown dirsrv.dirsrv /etc/dirsrv/slapd-instance_name/password.txt
# chmod 400 /etc/dirsrv/slapd-instance_name/password.txt

# echo "Internal (Software) Token:password" > /etc/dirsrv/slapd-instance_name/pin.txt
# chown dirsrv.dirsrv /etc/dirsrv/slapd-instance_name/pin.txt
# chmod 400 /etc/dirsrv/slapd-instance_name/pin.txt
5. Directory Server
$ cd /etc/dirsrv/slapd-instance_name
$ openssl rand -out noise.bin 2048
$ certutil -S \
    -x \
    -d . \
    -f password.txt \
    -z noise.bin \
    -n "DS Certificate" \
    -s "CN=$HOSTNAME" \
    -t "CT,C,C" \
    -m $RANDOM \
    -k rsa \
    -g 2048 \
    -Z SHA256 \
    --keyUsage certSigning,keyEncipherment
6. Directory Server NSS
# certutil -L -d /etc/dirsrv/slapd-instance_name/
8. Directory Server
9. Directory Server
10.
# ldapmodify -x -p 389 -h $HOSTNAME -D "cn=Directory Manager" -w password << EOF
dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: on

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: DS Certificate
nsSSLToken: internal (software)
nsSSLActivation: on
EOF
11. (636) LDAPS
a. LDAPS 11636
ldapmodify -x -p 389 -h $HOSTNAME -D "cn=Directory Manager" -w password << EOF
dn: cn=config
changetype: modify
replace: nsslapd-secureport
nsslapd-secureport: 11636
EOF
b. SELinux
12. Directory Server
[30/Jun/2016:00:23:31 +0200] - SSL alert: Security Initialization: Enabling default cipher set.
[30/Jun/2016:00:23:31 +0200] - SSL alert: Configured NSS Ciphers
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:
14. openldap-clients NSS TLS
$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-instance_name \
    ldapsearch -H ldaps://$HOSTNAME:11636 \
    -x -D "cn=Directory Manager" -w Secret.123 \
    -b "dc=example,dc=org" -s base "(objectClass=*)"
6.5.3.
pki_ds_database=back_end_database_name
pki_ds_hostname=host_name
pki_ds_secure_connection=True
pki_ds_secure_connection_ca_pem_file=path_to_CA_or_self-signed_certificate
pki_ds_password=password
pki_ds_ldaps_port=port
pki_ds_bind_dn=cn=Directory Manager
pki_ds_hostname Directory Server Directory Server Directory Server
TLS
pki_ds_secure_connection=True
pki_ds_secure_connection_ca_pem_file: Directory Server CA
pkispawn
pki_ds_ldaps_port: Directory Server LDAPS 636
6.5.4.
Directory Server CA Directory Server Directory Server
1. Directory Server CA CMC Directory Server Red Hat Certificate
System
TLS Directory Server
2. NSS Directory Server
# systemctl stop dirsrv@instance_name
4. CA
5. Directory Server
# PKICertImport -d /etc/dirsrv/slapd-instance_name -f /etc/dirsrv/slapd-instance_name/password.txt -n "DS Certificate" -t ",," -a -i ds.crt -u V
HSM
a. Certificate System
c. Certificate System
8. Directory Server NSS CA
a. Directory Server
Issuer: "CN=CA Signing Certificate,O=EXAMPLE"
Subject: "CN=server.example.com"
b. Directory Server PKI NSS
$ certutil -L -d /var/lib/pki/instance_name/alias
$ pki cert-find
2 TLS LDAP 9.8 Red Hat Directory Server
/etc/dirsrv/slapd-instance_name/certmap.conf
Directory Server
CS.cfg RHCS internaldb.ldapauth.clientCertNickname 2
internaldb.ldapauth.bindDN internaldb.ldapauth.bindPWPrompt
CS
internaldb.ldapauth.authtype=SslClientAuth
internaldb.ldapconn.secureConn=true
internaldb.ldapauth.clientCertNickname NSS DB LDAP TLS
1. Red Hat
a. Red Hat
# subscription-manager register --auto-attach
Username: [email protected]
Password:
The system has been registered with id: 566629db-a4ec-43e1-aa02-9cbaa6177c3f

Installed Product Current Status:
Product Name: Red Hat Enterprise Linux Server
Status:       Subscribed
--auto-attach
b. Red Hat Certificate System ID
# subscription-manager list --available --all
...
Subscription Name: Red Hat Enterprise Linux Developer Suite
Provides:          ...
                   Red Hat Certificate System
                   ...
Pool ID:           7aba89677a6a38fc0bba7dac673f7993
Available:         1
...

# subscription-manager list --available --all > /root/subscriptions.txt
c. ID Certificate System
# subscription-manager attach --pool=7aba89677a6a38fc0bba7dac673f7993
Successfully attached a subscription for: Red Hat Enterprise Linux Developer Suite
2. Certificate Server
7Certificate System
6.7. CERTIFICATE SYSTEM
Certificate Systempkiuser pkiuser Certificate System
Certificate System
Certificate System
(TKS)
(TPS)
7.1.
2. CA OCSP
3. KRA TKS CA OCSP
4. TPS CA TKS KRA OCSP
7.2. CERTIFICATE SYSTEM
7 CERTIFICATE SYSTEM
pki-ocsp: OCSP (Online Certificate Status Protocol)
pki-tks: Token Key Service (TKS)
pki-tps: Token Processing Service (TPS)
pki-console redhat-pki-console-theme: Java Red Hat PKI
pki-server redhat-pki-server-theme: Web Certificate System
pki-ca, pki-kra, pki-ocsp, pki-tks, pki-tps
7.1 Certificate System
# yum install pki-ca redhat-pki-server-theme
PKI
# yum install pki-console redhat-pki-console-theme
# yum install redhat-pki
1. Certificate System
2. # yum update
yum update --downloadonly
7.2.2. Certificate System
# cat /usr/share/pki/CS_SERVER_VERSION
Red Hat Certificate System 9.4 (Batch Update 3)
URL
7.3. PKISPAWN
1. /etc/pki/default.cfg pki_default.cfg(5) man
2.
3. PKI
4. Java
CA
pkispawn CA CA CA CA
pkispawn pkispawn(8) man
7.4.
Certificate System CA
:
1 2 Certificate System
pkispawn(8) man ()
2 (2 )
7.6.
1 2 Certificate System
pkispawn(8) man ()
2 (2 )
subsystem KRA, OCSP, TKS, TPS
CA CA 2 2
7.7.1. 2
2
FIPS CA KRAOCSPTKS TPS
FIPS (HSM) Certificate System
7.7.2. 2 2
2 2
1.
1.
2.
2.
1.
2.
7.7.3.
/root/config.txt
pki_default.cfg(5) man
1. Certificate System admin PKCS #12 Directory Server
[DEFAULT]
pki_admin_password=password
pki_client_pkcs12_password=password
pki_ds_password=password
2. Directory Server LDAPS [DEFAULT]
pki_ds_secure_connection=True
pki_ds_secure_connection_ca_pem_file=path_to_CA_or_self-signed_certificate
[CA]
pki_random_serial_numbers_enable=true
pki_admin_nickname=caadmin
pki_admin_name=CA administrator account
pki_admin_password=password
pki_admin_uid=caadmin
[email protected]
Certificate System Certificate System
3. Certificate System [DEFAULT]
pki_instance_name=instance_name
pki_security_domain_name=example.com Security Domain
pki_host=server.example.com
(HSM) Certificate System
4. RSA Elliptic Curve Cryptography (ECC)
a. [DEFAULT]
pki_source_admincert_profile=/usr/share/pki/ca/conf/eccAdminCert.profile
pki_source_servercert_profile=/usr/share/pki/ca/conf/eccServerCert.profile
pki_source_subsystemcert_profile=/usr/share/pki/ca/conf/eccSubsystemCert.profile
CA, KRA, OCSP, TKS, TPS
1. [DEFAULT]
pki_enable_server_side_keygen=True
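An added Python check (not part of Red Hat Certificate System or pkispawn) that audits a deployment configuration of the kind shown in 6.5.3 and in this section before pkispawn is run: placeholder passwords, pki_ds_secure_connection and its CA PEM file, the HSM parameters required when pki_hsm_enable=True, and pki_clone_pkcs12_path for clones. Both sample configurations are constructed; the parameter names are the ones quoted on this page.

```python
"""Audit a pkispawn deployment configuration before running pkispawn.
Added example, not code from Red Hat Certificate System: it reads the
same INI layout pkispawn uses, where [DEFAULT] values apply to every
subsystem section ([CA], [KRA], ...), which configparser models."""
import configparser

# Placeholder password values that appear in this guide's examples and
# must not reach a real deployment.
PLACEHOLDER_VALUES = {"password", "secret123", "secret.123", "pki_token_password"}
PASSWORD_KEYS = (
    "pki_admin_password", "pki_client_pkcs12_password", "pki_ds_password",
    "pki_token_password", "pki_clone_pkcs12_password",
)
# Parameters that must be set when pki_hsm_enable=True.
HSM_REQUIRED = ("pki_hsm_libfile", "pki_hsm_modulename", "pki_token_name")

# Constructed sample: the weak shape (placeholder passwords, plain LDAP,
# HSM enabled without its parameters).
WEAK_CONFIG = """\
[DEFAULT]
pki_instance_name=pki-tomcat
pki_admin_password=password
pki_client_pkcs12_password=password
pki_ds_password=password
pki_ds_hostname=ds.example.com
pki_ds_secure_connection=False
pki_hsm_enable=True

[CA]
pki_random_serial_numbers_enable=true
"""

# Constructed sample: the corrected shape (LDAPS with the CA PEM file,
# complete HSM parameters, non-placeholder passwords).
HARDENED_CONFIG = """\
[DEFAULT]
pki_instance_name=pki-tomcat
pki_admin_password=Constructed-Adm1n-Value
pki_client_pkcs12_password=Constructed-P12-Value
pki_ds_password=Constructed-DS-Value
pki_ds_hostname=ds.example.com
pki_ds_secure_connection=True
pki_ds_secure_connection_ca_pem_file=/root/ds-ca.pem
pki_ds_ldaps_port=636
pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
pki_token_name=NHSM6000
pki_token_password=Constructed-Token-Value

[CA]
pki_random_serial_numbers_enable=true
"""


def load_config(text):
    """Parse pkispawn-style INI text; interpolation is off because values
    such as passwords may legitimately contain '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_section(cp, section):
    """Return findings for one subsystem section (DEFAULT values included)."""
    sec = cp[section]
    findings = []
    for key in PASSWORD_KEYS:
        if key in sec and sec[key].strip().lower() in PLACEHOLDER_VALUES:
            findings.append("%s: %s is a placeholder value" % (section, key))
    if not sec.getboolean("pki_ds_secure_connection", fallback=False):
        findings.append("%s: pki_ds_secure_connection is not True "
                        "(plain LDAP to the Directory Server)" % section)
    elif not sec.get("pki_ds_secure_connection_ca_pem_file", "").strip():
        findings.append("%s: LDAPS enabled but "
                        "pki_ds_secure_connection_ca_pem_file is unset" % section)
    if sec.getboolean("pki_hsm_enable", fallback=False):
        for key in HSM_REQUIRED:
            if not sec.get(key, "").strip():
                findings.append("%s: pki_hsm_enable=True but %s is unset"
                                % (section, key))
    if sec.getboolean("pki_clone", fallback=False) and \
            not sec.get("pki_clone_pkcs12_path", "").strip():
        findings.append("%s: pki_clone=True but pki_clone_pkcs12_path is unset"
                        % section)
    return findings


def audit(text):
    """Audit every subsystem section and return the combined findings."""
    cp = load_config(text)
    findings = []
    for section in cp.sections():
        findings.extend(audit_section(cp, section))
    return findings


if __name__ == "__main__":
    for line in audit(WEAK_CONFIG):
        print(line)
    print("hardened findings:", audit(HARDENED_CONFIG))   # []
```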
7.7.4.
subsystem CA, KRA, OCSP, TKS, TPS
7.7.5.
7.7.5.1.
7.7.5.2.
7.7.5.3.
Red Hat Certificate System
RSA FIPS Certificate System RSA FIPS
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
7.7.5.5. KRA
Hardware Security Module (HSM) Key Recovery Authority (KRA)
KRA
7.7.5.6. OCSP
7.7.5.7.
subsystem CA, KRA, OCSP, TKS, TPS
pkispawn
    To check the status of the subsystem:
        systemctl status pki-tomcatd@instance_name.service
    To restart the subsystem:
        systemctl restart pki-tomcatd@instance_name.service
    The URL for the subsystem is:
        https://server.example.com:8443/ca/
    PKI instances will be enabled upon system boot
================================================================
7.8. CA
Red Hat Certificate System pkispawn (CSR) Certificate System
pkispawn CSR CA Internal CA
External CA
Certificate System CA Red Hat Certificate System CA
CSR Red Hat Certificate System CA CA, KRA, OCSP, TKS, TPS CSR PKCS #10
7.8.2. CA
CA Certificate System
Certificate System CA
2.
CA :
CA
subsystem (CA, KRA, OCSP)
2. CA CSR CA
CA Certificate System PKCS#10 CSR CA ESP Red Hat Certificate System
CMC
3.
4. CA
a. pki_external_step_two True
pki_external_step_two=True
pki_ca_signing_nickname=CA Signing Certificate
pki_ca_signing_cert_path=/home/user_name/ca_signing.crt
pki_cert_chain_nickname=External Certificate Chain
pki_cert_chain_path=/home/user_name/cert_chain.p7b
OCSP
pki_ca_signing_nickname=CA Signing Certificate
pki_ca_signing_cert_path=/home/user_name/ca_signing.crt
pki_cert_chain_nickname=External Certificate Chain
pki_cert_chain_path=/home/user_name/cert_chain.p7b
5.
6.
subsystem (CA, KRA, OCSP)
7.9. KRA OCSP
KRA OCSP CA CSR CA KRA OCSP CA CA
KRA OCSP
1. /root/config.txt
pki_standalone=True
pki_external_step_two=False
[KRA]
[email protected]
pki_ds_base_dn=dc=kra,dc=example,dc=com
pki_ds_database=kra
[OCSP]
[email protected]
pki_ds_base_dn=dc=ocsp,dc=example,dc=com
pki_ds_database=ocsp
pki_admin_nickname=ocspadmin
pki_audit_signing_nickname=ocsp_audit_signing
pki_ocsp_signing_nickname=ocsp_signing
pki_sslserver_nickname=sslserver
pki_subsystem_nickname=subsystem
pki_ds_secure_connection=True
pki_ds_secure_connection_ca_pem_file=path_to_CA_or_self-signed_certificate
5. CA
7.10.
7.10.2. Directory Server (CA)
LDAP CA
7.10.3. LDAP TLS
Red Hat Certificate System TLS LDAP TLS
7.10.4.
7.10.5. CRL
CRL OCSP Red Hat Certificate System CRL
7.10.6. (CA)
7.10.7.
7.10.9. CMC (CA)
CMC
PopLinkWittness PopLinkWittnessV2
7.10.10. Java TLS
Certificate System Java TLS TLS pkiconsole
7.10.11.
7.10.12. Bootstrap
KRA Red Hat Certificate System
7.10.14.2. KRA
8.1. HSM CERTIFICATE SYSTEM
HSM Certificate System pkispawn
[DEFAULT]
##########################
# Provide HSM parameters #
##########################
pki_hsm_enable=True
pki_hsm_libfile=hsm_libfile
pki_hsm_modulename=hsm_modulename
pki_token_name=hsm_token_name
pki_token_password=pki_token_password

########################################
# Provide PKI-specific HSM token names #
########################################
pki_audit_signing_token=hsm_token_name
pki_ssl_server_token=hsm_token_name
pki_subsystem_token=hsm_token_name
8.2.
8.2.1. HSM FIPS
HSM FIPS HSM
nCipher HSM FIPS Security World Security World new-world FIPS
Security World nCipher HSM
LunaSA HSM
Luna HSM FIPS HSM Luna HSM
8.2.2. FIPS HSM
HSM FIPS HSM
8.2.2.1. FIPS nCipher HSM
# /opt/nfast/bin/nfkminfo
8.2.2.2. FIPS Luna SA HSM
1. lunash
2. hsm show The HSM is in FIPS 140-2 approved operation mode.
lunash:> hsm show
...
FIPS 140-2 Operation:
8.2.3. HSM
hardware-HSM_token_name=HSM_token_password
Hardware Security Modules (HSM) Certificate System SELinux
enforcing Certificate System HSM SELinux
HSM
1. /opt/nfast/
# restorecon -R /opt/nfast/
2. nfast
nCipher nShield HSM
1. default_hms.txt
###############################################################################
###############################################################################
###############################################################################
##
##  EXAMPLE:  Configuration File used to override '/etc/pki/default.cfg'
##            when using an nCipher Hardware Security Module (HSM):
##
##
##      # modutil -dbdir . -list
##
##      Listing of PKCS #11 Modules
##      -----------------------------------------------------------
##        1. NSS Internal PKCS #11 Module
##               slots: 2 slots attached
##              status: loaded
##
##               slot: NSS Internal Cryptographic Services
##              token: NSS Generic Crypto Services
##
##               slot: NSS User Private Key and Certificate Services
##              token: NSS Certificate DB
##
##        2. nfast
##        library name: /opt/nfast/toolkits/pkcs11/libcknfast.so
##               slots: 2 slots attached
##              status: loaded
##
##               slot: <serial_number> Rt1
##              token: accelerator
##
##               slot: <serial_number> Rt1 slot 0
##              token: <HSM_token_name>
##      -----------------------------------------------------------
##
##  Based on the example above, substitute all password values,
##  as well as the following values:
##
##      <hsm_libfile>=/opt/nfast/toolkits/pkcs11/libcknfast.so
##      <hsm_modulename>=nfast
##      <hsm_token_name>=NHSM6000
##
###############################################################################
###############################################################################
###############################################################################
[DEFAULT]
########################################
# Provide PKI-specific HSM token names #
########################################
pki_audit_signing_token=<hsm_token_name>
pki_ssl_server_token=<hsm_token_name>
pki_subsystem_token=<hsm_token_name>

##################################
# Provide PKI-specific passwords #
##################################
pki_admin_password=<pki_admin_password>
pki_client_pkcs12_password=<pki_client_pkcs12_password>
pki_ds_password=<pki_ds_password>

#####################################
# Provide non-CA-specific passwords #
#####################################
pki_client_database_password=<pki_client_database_password>

###############################################################
# ONLY required if specifying a non-default PKI instance name #
###############################################################
#pki_instance_name=<pki_instance_name>

##############################################################
# ONLY required if specifying non-default PKI instance ports #
##############################################################
#pki_http_port=<pki_http_port>
#pki_https_port=<pki_https_port>

######################################################################
# ONLY required if specifying non-default 389 Directory Server ports #
######################################################################
#pki_ds_ldap_port=<pki_ds_ldap_port>
#pki_ds_ldaps_port=<pki_ds_ldaps_port>

######################################################################
# ONLY required if PKI is using a Security Domain on a remote system #
######################################################################
#pki_ca_hostname=<pki_ca_hostname>
#pki_issuing_ca_hostname=<pki_issuing_ca_hostname>
#pki_issuing_ca_https_port=<pki_issuing_ca_https_port>
#pki_security_domain_hostname=<pki_security_domain_hostname>
#pki_security_domain_https_port=<pki_security_domain_https_port>

###########################################################
# ONLY required for PKI using an existing Security Domain #
[Tomcat]
##############################################################
# ONLY required if specifying non-default PKI instance ports #
##############################################################
#pki_ajp_port=<pki_ajp_port>
#pki_tomcat_server_port=<pki_tomcat_server_port>

[CA]
#######################################
# Provide CA-specific HSM token names #
#######################################
pki_ca_signing_token=<hsm_token_name>
pki_ocsp_signing_token=<hsm_token_name>

###########################################################################
# ONLY required if 389 Directory Server for CA resides on a remote system #
###########################################################################
#pki_ds_hostname=<389 hostname>

[KRA]
########################################
# Provide KRA-specific HSM token names #
########################################
pki_storage_token=<hsm_token_name>
pki_transport_token=<hsm_token_name>

############################################################################
# ONLY required if 389 Directory Server for KRA resides on a remote system #
############################################################################
#pki_ds_hostname=<389 hostname>

[OCSP]
#########################################
# Provide OCSP-specific HSM token names #
#########################################
pki_ocsp_signing_token=<hsm_token_name>

#############################################################################
# ONLY required if 389 Directory Server for OCSP resides on a remote system #
#############################################################################
#pki_ds_hostname=<389 hostname>
[TKS]
########################################
# Provide TKS-specific HSM token names #
########################################

############################################################################
# ONLY required if 389 Directory Server for TKS resides on a remote system #
############################################################################
#pki_ds_hostname=<389 hostname>

[TPS]
###################################
# Provide TPS-specific parameters #
###################################
pki_authdb_basedn=<dnsdomainname where hostname.b.c.d is dc=b,dc=c,dc=d>

########################################
# Provide TPS-specific HSM token names #
########################################

############################################################################
# ONLY required if 389 Directory Server for TPS resides on a remote system #
############################################################################
#pki_ds_hostname=<389 hostname>

##########################################################
# ONLY required if TPS requires a CA on a remote machine #
##########################################################
#pki_ca_uri=https://<pki_ca_hostname>:<pki_ca_https_port>

#######################################
# ONLY required if TPS requires a KRA #
#######################################
#pki_enable_server_side_keygen=True

###########################################################
# ONLY required if TPS requires a KRA on a remote machine #
###########################################################
#pki_kra_uri=https://<pki_kra_hostname>:<pki_kra_https_port>

###########################################################
# ONLY required if TPS requires a TKS on a remote machine #
###########################################################
#pki_tks_uri=https://<pki_tks_hostname>:<pki_tks_https_port>
Gemalto Safenet LunaSA HSM nCipher nShield HSM 8.1nCipher HSM
nCipher [DEFAULT][Tomcat][CA][KRA][OCSP] [TKS][TPS] nCipher
LunaSA
8.2 LunaSA
###############################################################################
###############################################################################
###############################################################################
##
##  EXAMPLE:  Configuration File used to override '/etc/pki/default.cfg'
##            when using a LunaSA Hardware Security Module (HSM):
##
##
##      # modutil -dbdir . -list
##
##      Listing of PKCS #11 Modules
##      -----------------------------------------------------------
##        1. NSS Internal PKCS #11 Module
##               slots: 2 slots attached
##              status: loaded
##
##               slot: NSS Internal Cryptographic Services
##              token: NSS Generic Crypto Services
##
##               slot: NSS User Private Key and Certificate Services
##              token: NSS Certificate DB
##
##        2. lunasa
##        library name: /usr/safenet/lunaclient/lib/libCryptoki2_64.so
##               slots: 4 slots attached
##              status: loaded
Red Hat Certificate System 9
8.4. HSM
HSM HSM PKCS12 HSM HSM HSM HSM pkispawn master
Certificate System HSM PKCS #12 PKCS #12 CA PKI [Tomcat]
###############################################################################
###############################################################################
pki_clone=True
pki_clone_pkcs12_password=Secret123
pki_clone_pkcs12_path=<path_to_pkcs12_file>
pki_clone=True
1. alias
# cd /var/lib/pki/pki-tomcat/alias
# modutil -dbdir . -nocertdb -list
HSM (Hardware Security Module) HSM HSM Red Hat Certificate
System
8.7.1. nCipher nShield HSM
8.7.1.1.
nShield Connect 6000 2 HSM nShield1 nShield2
nShield 1 1 RHCS Certificate System
(1 HSM ) hsm 1 Certificate System hsm HSM
8.7.1.2.
nShield Connect 6000 HSM 90 90
8.7.2. Gemalto Safenet LunaSA HSM
8.7.2.1.
9.1. ECC
9.2. HSM ECC
Certificate System HSM ECC ECC
1. HSM HSM
2. pkispawn pkispawn ecc.inf Certificate System ECC CA
1. ecc.inf pkispawn(8) man
2. ecc.inf pkispawn
$ script -c 'pkispawn -s CA -f /root/pki/ecc.inf -vvv'
CA CRL CA
10.1.
PKCS #12
HSM HSM
10.2. CA
1. CA
2. CA CS.cfg ca.listenToCloneModifications CA
ca.listenToCloneModifications=true
3.
CA pkispawn man pkispawn(8) Installing a CA clone Installing a CA
clone on the same host
4. Directory Server
systemctl restart dirsrv@instance_name.service
5.
2.
3.
4.
5. CA CRL Certificate Manager Update Certificate Revocation List
CRL
CRL Certificate Manager
10.3. CA-KRA
CA KRA CA KRA CA KRA
KRA CA pki ca-kraconnector-add
1. CA CS.cfg KRA ca.connector.KRA.*
[root@master ~]# vim /var/lib/pki/instance_name/ca/conf/CS.cfg
[root@clone-ca ~]# systemctl stop pki-tomcatd@instance_name.service
[root@clone-ca ~]# vim /var/lib/pki/instance_name/ca/conf/CS.cfg
2. OCSP CS.cfg OCSP.Responder.store.defStore.refreshInSec 21600
21600
vim /etc/instance_name/CS.cfg
OCSP.Responder.store.defStore.refreshInSec=15000
4. Directory Server
systemctl restart dirsrv@instance_name.service
5.
1. CRL OCSP CA OCSP
2. CRL OCSP List Certificate Authority
3. OCSPClient Online Certificate Status Manager OCSP OCSP
KRA pkispawn pkispawn(8) man Installing a KRA or TPS clone
3. Directory Server
systemctl restart dirsrv@instance_name.service
4.
1. KRA
4. Submit
10.6. TKS
1. master
2. pkispawn
TKS pkispawn man pkispawn(8) Installing a KRA or TKS clone
3.
10.7.
CRL 1 CA CRL OCSP 1 CA OCSP 1
KRA TKS CA OCSP PKI 1
10.7.1. CA
a. ca.crl.
b. ca.crl. CA CS.cfg CA CS.cfg
c. CA 600
ca.certStatusUpdateInterval=600
d.
ca.listenToCloneModifications=true
7. CA
OCSP.Responder.store.defStore.refreshInSec=21600
OCSP.Responder.store.defStore.refreshInSec=15000
CA CS.cfg CA ID ID
CA CA
CertUtil::createSelfSignedCert() - CA private key is null!
CA
# grep privkey.id /var/lib/pki/instance_name/ca/conf/CS.cfg
cloning.signing.privkey.id=-4d798441aa7230910d4e1c39fa132ea228d5d1bc
cloning.ocsp_signing.privkey.id=-3e23e743e0ddd88f2a7c6f69fa9f9bcebef1a60
cloning.subsystem.privkey.id=-c3c1b3b4e8f5dd6d2bdefd07581c0b15529536
cloning.sslserver.privkey.id=3023d30245804a4fab42be209ebb0dc683423a8f
cloning.audit_signing.privkey.id=2fe35d9d46b373efabe9ef01b8436667a70df096
2. NSS ID CS.cfg ID
# certutil -K -d alias
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa      a7b0944b7b8397729a4c8c9af3a9c2b96f49c6f3   caSigningCert cert-ca4-test-master
< 1> rsa      6006094af3e5d02aaa91426594ca66cb53e73ac0   ocspSigningCert cert-ca4-test-master
< 2> rsa      d684da39bf4f2789a3fc9d42204596f4578ad2d9   subsystemCert cert-ca4-test-master
< 3> rsa      a8edd7c2b5c94f13144cacd99624578ae30b7e43   sslserverCert cert-ca4-test1
< 4> rsa      2fe35d9d46b373efabe9ef01b8436667a70df096   auditSigningCert cert-ca4-test1
3. 2 (certutil ) Java BigInteger (Certificate System )
calculator 10.1certutil BigInteger
4. CS.cfg
10.1 certutil BigInteger
Java certutil BigInteger
Test.java .java
import java.math.BigInteger;

public class Test {

    // Decode a hex string (the key ID as printed by certutil -K) into raw bytes.
    public static byte[] hexStringToByteArray(String s) {
        int len = s.length();
        byte[] data = new byte[len / 2];
        for (int i = 0; i < len; i += 2) {
            data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4)
                                 + Character.digit(s.charAt(i + 1), 16));
        }
        return data;
    }

    public static void main(String[] args) {
        byte[] bytes = hexStringToByteArray(args[0]);
        // BigInteger(byte[]) reads the bytes as a signed two's-complement number,
        // so a key ID whose first byte is 0x80 or higher prints as a negative
        // value. That is the form Certificate System stores in the
        // cloning.*.privkey.id parameters of CS.cfg.
        BigInteger big = new BigInteger(bytes);
        System.out.println("Result is ==> " + big.toString(16));
    }
}

# javac Test.java
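The following is an added example, not code from the guide or from Certificate System. It reproduces in Python what Test.java does (java.math.BigInteger treats the key-ID bytes as signed two's-complement, so IDs with a first byte of 0x80 or higher come out negative), adds the reverse conversion, and uses both to compare the cloning.*.privkey.id values of a CS.cfg against certutil -K output. The sample CS.cfg lines and certutil listing are constructed from the values shown above; the function names are this example's own.

```python
"""Compare cloning.*.privkey.id values in a CA clone's CS.cfg with the key IDs
that certutil -K reports for the NSS token.

Added example, not part of the Red Hat Certificate System guide.
"""
import re

KEY_ID_BYTES = 20  # certutil prints a 20-byte key ID: 40 hex digits


def certutil_to_bigint(hex_id: str) -> str:
    """certutil -K form -> java.math.BigInteger.toString(16) form (as Test.java)."""
    value = int.from_bytes(bytes.fromhex(hex_id), "big", signed=True)
    return format(value, "x")  # Python, like Java, prints "-" + hex(abs(value))


def bigint_to_certutil(big_hex: str, nbytes: int = KEY_ID_BYTES) -> str:
    """BigInteger hex form (possibly negative, leading zeros dropped) ->
    the fixed-width lowercase form certutil -K prints."""
    value = int(big_hex, 16)  # int() accepts a leading "-"
    return value.to_bytes(nbytes, "big", signed=True).hex()


CS_CFG_RE = re.compile(r"^(cloning\.\w+\.privkey\.id)=(-?[0-9a-fA-F]+)\s*$")
CERTUTIL_RE = re.compile(r"^<\s*\d+>\s+\S+\s+([0-9a-fA-F]{40})\s+(.+?)\s*$")


def parse_cs_cfg(text: str) -> dict:
    """{cloning.<usage>.privkey.id: value as written in CS.cfg}"""
    ids = {}
    for line in text.splitlines():
        m = CS_CFG_RE.match(line.strip())
        if m:
            ids[m.group(1)] = m.group(2)
    return ids


def parse_certutil_k(text: str) -> dict:
    """{certutil key id (lowercase hex): nickname} from certutil -K output"""
    keys = {}
    for line in text.splitlines():
        m = CERTUTIL_RE.match(line.strip())
        if m:
            keys[m.group(1).lower()] = m.group(2)
    return keys


def check_clone_key_ids(cs_cfg_text: str, certutil_text: str) -> dict:
    """For every cloning.*.privkey.id return the token nickname whose key ID
    matches, or None when the token holds no such key (the situation behind
    'CertUtil::createSelfSignedCert() - CA private key is null!')."""
    token_keys = parse_certutil_k(certutil_text)
    return {param: token_keys.get(bigint_to_certutil(big_hex))
            for param, big_hex in parse_cs_cfg(cs_cfg_text).items()}


# Constructed sample input, taken from the listings shown above.
SAMPLE_CS_CFG = """\
cloning.signing.privkey.id=-4d798441aa7230910d4e1c39fa132ea228d5d1bc
cloning.ocsp_signing.privkey.id=-3e23e743e0ddd88f2a7c6f69fa9f9bcebef1a60
cloning.subsystem.privkey.id=-c3c1b3b4e8f5dd6d2bdefd07581c0b15529536
cloning.sslserver.privkey.id=3023d30245804a4fab42be209ebb0dc683423a8f
cloning.audit_signing.privkey.id=2fe35d9d46b373efabe9ef01b8436667a70df096
"""

SAMPLE_CERTUTIL_K = """\
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa      a7b0944b7b8397729a4c8c9af3a9c2b96f49c6f3   caSigningCert cert-ca4-test-master
< 1> rsa      6006094af3e5d02aaa91426594ca66cb53e73ac0   ocspSigningCert cert-ca4-test-master
< 2> rsa      d684da39bf4f2789a3fc9d42204596f4578ad2d9   subsystemCert cert-ca4-test-master
< 3> rsa      a8edd7c2b5c94f13144cacd99624578ae30b7e43   sslserverCert cert-ca4-test1
< 4> rsa      2fe35d9d46b373efabe9ef01b8436667a70df096   auditSigningCert cert-ca4-test1
"""

if __name__ == "__main__":
    for param, nick in check_clone_key_ids(SAMPLE_CS_CFG, SAMPLE_CERTUTIL_K).items():
        print(f"{param}: {nick or 'NOT IN TOKEN'}")
    # For a CS.cfg entry that has no match, the value to write is
    # certutil_to_bigint(<id printed by certutil -K for the right nickname>).
```

With the sample data only cloning.audit_signing.privkey.id resolves to a key in the token; the other four CS.cfg values name keys the token does not hold, which is the mismatch the procedure above corrects by writing certutil_to_bigint() of the proper certutil ID into CS.cfg.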
11.1. CA
CA 1 CA (VPN) CA CA
CA CA
Certificate System CA CA CA CA
11.1.1. CA
CA CA CA CA
11.1.2. CA
CA CA Certificate System Directory Server
# ldapmodify -D "cn=Directory Manager" -W -x -h server.example.com
dn: cn=aclResources,o=instance_name
changetype: modify
delete: resourceACLS
resourceACLS: certServer.ca.authorities:create,modify:allow (create,modify) group="Administrators":Administrators may create and modify lightweight authorities
-
delete: resourceACLS
resourceACLS: certServer.ca.authorities:delete:allow (delete) group="Administrators":Administrators may delete lightweight authorities
CA (ACL)
11.1.3. CA
# ldapmodify -D "cn=Directory Manager" -W -x -h server.example.com
dn: cn=aclResources,o=instance_name
changetype: modify
add: resourceACLS
resourceACLS: certServer.ca.authorities:create,modify:allow (create,modify) group="Administrators":Administrators may create and modify lightweight authorities
resourceACLS: certServer.ca.authorities:delete:allow (delete) group="Administrators":Administrators may delete lightweight authorities
(ACL) CA
11.2. IPV6
Certificate System IP Certificate System IPv4 Certificate System
IPv6 IPv6 (pkiconsole) tpsclient
op=var_set name=ca_host value=IPv6 address
1. Red Hat Certificate System
2. /etc/hosts IPv4 IPv6
vim /etc/hosts
3. IPv6
export PKI_HOSTNAME=server6.example.com
11.3. LDAP