Red Hat Certificate System 9 Planning, Installation, and Deployment Guide. Updated for Red Hat Certificate System 9.7. Last Updated: 2021-11-07


Copyright © 2021 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/ . In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux ® is the registered trademark of Linus Torvalds in the United States and other countries.
Java ® is a registered trademark of Oracle and/or its affiliates.
XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js ® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack ® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.

1 1.1.
1.2. 1.3.
1.3.2.1. 1.3.2.2.
1.3.4. 1.3.4.1. CA 1.3.4.2. 1.3.4.3. SSL/TLS 1.3.4.4. 1.3.4.5. 1.3.4.6.
1.3.5. 1.3.5.1.
1.3.5.1.1. 1.3.5.1.2.
1.3.5.2. 1.3.5.3.
1.3.6. CA 1.3.6.1. CA 1.3.6.2. 1.3.6.3.
1.3.7. 1.4.
1.4.1. 1.4.2.
1.5.
2 RED HAT CERTIFICATE SYSTEM 2.1. CERTIFICATE SYSTEM 2.2. CERTIFICATE SYSTEM
2.2.1. 2.2.2.
2.2.3. (systemctl)

1
2.2.4. (pki-server pkidaemon) 2.2.4.1. pki-server 2.2.4.2. pki-server 2.2.4.3. pkidaemon 2.2.4.4. Web URL 2.2.4.5.
2.3. 2.3.1. Java Application Server 2.3.2. Java Security Manager 2.3.3.
2.3.3.1. 2.3.3.2. 2.3.3.3. 2.3.3.4. Operator
2.3.4. REST 2.3.5. JSS 2.3.6. Tomcatjss 2.3.7. PKCS #11
2.3.7.1. NSS Soft Token () 2.3.7.2. (HSM)
2.3.8. 2.3.8.1. 2.3.8.2.
2.3.9. 2.3.10. (nuxwdog) 2.3.11. LDAP 2.3.12. SELinux (Security Enhanced Linux) 2.3.13. 2.3.14.
2.3.14.1. 2.3.14.2. 2.3.14.3. 2.3.14.4. 2.3.14.5. 2.3.14.6. Tomcat 2.3.14.7. 2.3.14.8. journalctl
2.3.15. 2.3.15.1. 2.3.15.2. CA 2.3.15.3. KRA 2.3.15.4. OCSP 2.3.15.5. TKS 2.3.15.6. TPS 2.3.15.7. Certificate System
2.4. PKI () 2.4.1.
2.4.1.1. 2.4.1.1.1. 2.4.1.1.2. ()
2.4.2. 2.4.3. CRL 2.4.4.
2.4.4.1. 2.4.4.2.
2.4.5. 2.4.5.1. 2.4.5.2. 2.4.5.3. KRA
2.5. 2.5.1. (TKS)
2.5.1.1. 2.5.1.2. () 2.5.1.3. () 2.5.1.4. APDU
2.5.2. (TPS) 2.5.2.1. Coolkey 2.5.2.2. 2.5.2.3. TPS 2.5.2.4.
2.5.2.4.1. 2.5.2.4.2.
2.5.3. TKS/TPS 2.5.4. Enterprise Security Client (ESC)
2.6. RED HAT CERTIFICATE SYSTEM 2.6.1. 2.6.2. 2.6.3. 2.6.4. 2.6.5. 2.6.6.
2.6.6.1. 2.6.6.2.
2.7. 2.7.1. CA 2.7.2. KRA 2.7.3. 2.7.4. 2.7.5. LDAP 2.7.6. ID 2.7.7.
3 3.1. TLSECC RSA
3.2. 3.3. 3.4. IPV4 IPV6 3.5. PKIX
4 4.1. 4.2. 4.3. WEB 4.4.
5 5.1.
5.1.1. 5.1.2. 5.1.3. 5.1.4. OCSP 5.1.5.
5.2. 5.2.1. CA 5.2.2. CA 5.2.3. CA 5.2.4. CA
5.3. 5.4.
5.4.5.1. 5.4.6. 5.4.6.1. SSL SAN
5.4.7. 5.4.8. CRL 5.4.9. CA
5.5. 5.5.1. 5.5.2. 5.5.3.
5.6. CERTIFICATE SYSTEM 5.7. PKI 5.8.
5.8.1. 5.8.2.
6.2.1. SELinux Enforcing 6.3.
6.3.1. 6.4.
6.4.1. HSM SELinux 6.4.2. HSM FIPS 6.4.3. FIPS HSM
6.4.3.1. FIPS nCipher HSM 6.4.3.2. FIPS Luna SA HSM
6.4.4. HSM 6.4.4.1. NCipher HSM 6.4.4.2. SafeNet / Luna SA HSM
6.4.5. 6.5. RED HAT DIRECTORY SERVER
6.5.1. Directory Server 6.5.2. Directory Server TLS
6.5.2.1. Red Hat Certificate System LDAPS 6.5.3. 6.5.4. 6.5.5. TLS
6.6. RED HAT CERTIFICATE SYSTEM 6.7. CERTIFICATE SYSTEM
7 CERTIFICATE SYSTEM 7.1. 7.2. CERTIFICATE SYSTEM
7.2.1. Certificate System 7.2.2. Certificate System
7.3. PKISPAWN 7.4. 7.5. 7.6.
7.7. 2 7.7.1. 2 7.7.2. 2 2 7.7.3. CA
7.7.4. 7.7.5.
7.7.6. 7.7.7.
7.8. CA 7.8.1. CA CA 7.8.2. CA CA CA
7.8.3. 7.9. KRA OCSP 7.10.
7.10.1. RHCS / 7.10.2. Directory Server (CA) 7.10.3. LDAP TLS 7.10.4. 7.10.5. CRL 7.10.6. (CA) 7.10.7. 7.10.8. Watchdog 7.10.9. CMC (CA) 7.10.10. Java TLS 7.10.11. 7.10.12. Bootstrap 7.10.13. 7.10.14. KRA
7.10.14.1. KRA (Key Recovery Authority) 7.10.14.2. KRA
7.10.15.
8.2.1. HSM FIPS 8.2.2. FIPS HSM
8.2.2.1. FIPS nCipher HSM 8.2.2.2. FIPS Luna SA HSM
8.2.3. HSM 8.2.4. HSM SELinux 8.2.5. nCipher nShield HSM 8.2.6. Gemalto Safenet LunaSA HSM
8.3. 8.4. HSM 8.5. 8.6. 8.7.
8.7.1. nCipher nShield HSM 8.7.1.1. 8.7.1.2.
8.7.2. Gemalto Safenet LunaSA HSM 8.7.2.1.
10 10.1. 10.2. CA 10.3. CA-KRA 10.4. OCSP 10.5. KRA 10.6. TKS 10.7.
10.7.1. CA 10.7.2. OCSP
10.8. CA
11 11.1. CA
11.1.1. CA 11.1.2. CA 11.1.3. CA
11.2. IPV6 11.3. LDAP 11.4. TLS
12 12.1. #1: LDAP #2: VPN
12.2. Java
13 CERTIFICATE SYSTEM 13.1.
13.1.1. 13.1.2. CA 13.1.3. KRA 13.1.4. OCSP 13.1.5. TKS 13.1.6. TPS 13.1.7. Certificate System
13.2. CS.CFG 13.2.1. CS.cfg 13.2.2. 13.2.3. CS.cfg
13.2.3.1. 13.2.3.2. 13.2.3.3. 13.2.3.4. 13.2.3.5. 13.2.3.6. 13.2.3.7.
13.2.3.7.1. CS.cfg Queue
13.2.3.9.1. 13.2.3.9.2. DER
13.2.3.10. CA CRL 13.2.3.11. CS.cfg CRL 13.2.3.12. CS.cfg CRL 13.2.3.13. 13.2.3.14. 13.2.3.15. TLS pkiconsole
13.3. 13.3.1. password.conf 13.3.2. Certificate System Watchdog
13.3.2.1. Watchdog 13.3.2.2. Watchdog Certificate System 13.3.2.3. Certificate System Watchdog 13.3.2.4. Watchdog
13.4. TOMCAT ENGINE WEB 13.4.1. Tomcatjss
13.4.1.1. TLS 13.4.1.1.1. TLS
13.4.1.2. CA 13.4.1.3. 13.4.1.4. AIA
13.4.2. 13.4.2.1. TLS 13.4.2.2. HTTP 13.4.2.3. PKI Web UI 13.4.2.4. PKI 13.4.2.5. PKI CLI
13.5. WEB.XML 13.5.1. web.xml (CA )
13.6. WEB 13.6.1. Web 13.6.2. Web UI 13.6.3. TPS
13.7. 13.7.1. 13.7.2. 13.7.3. 13.7.4.
13.8. CMC 13.8.1. CMC 13.8.2. PopLinkWitnessV2 13.8.3. CMC 13.8.4. Web CMCRevoke
13.9. CA EE PORTAL 13.9.1. 13.9.2. Policyset
14.1.1. certutil 14.1.2. PKICertImport 14.1.3. certutil
certutil -A certutil -V certutil -D certutil -M certutil -L
14.1.4. certutil PKICertImport -n <nickname> -d <directory> -t <trust> -h <HSM> -e -a -i <certificate> -u <usage>
14.2.
14.3.
14.5. NSS NSS OCSP
15 15.1.
15.1.1.2.1. 15.1.1.2.2.
15.1.4.1. TPS 15.1.4.2. TPS 15.1.4.3. Windows
15.1.5.
16 16.1. 16.2. KRA
16.2.2.1. 16.2.2.2. KRA AES HSM KRA
16.3. 16.3.1. 16.3.2. 16.3.3.
16.3.3.1. KRATool 16.3.3.2. 1 KRA 1 KRA
16.3.4. CA-KRA
17 17.1.
17.2. (RHCS ) 17.2.1. OS
17.2.1.1. 17.2.1.2. Certificate System 17.2.1.3. 17.2.1.4.
17.3. CS.CFG 17.3.1.
17.3.1.1. 17.3.1.2.
17.3.1.2.1. 17.3.1.2.2.
17.4. 17.4.1.
17.4.1.1. 17.4.1.2.
19 BOOTSTRAP 19.1.
IV. CERTIFICATE SYSTEM 9.X
20
21
21.1. 9.0 9.1 21.1.1. 21.1.2. CA 21.1.3. KRA 21.1.4. TPS
21.2. 9.1
22 CERTIFICATE SYSTEM 8 9 22.1. 22.2. CA 22.3. CA 22.4.
23 OPENSSL CA 23.1. HSM OPENSSL CA 23.2. HSM OPENSSL CA
VI.
I. RED HAT CERTIFICATE SYSTEM


Impersonation
[email protected] www.example.net
www.example.net




2 1 1

1.1.1.
1.1
SSL/TLS TCP/IP SSL/TLS
1.1.2.
1.2
1
SSL/TLS
1.2 Mozilla Firefox
1.1.3.
1 ()



RSA RSA (2048) 80 Elliptic Curve Digital Signature Algorithm (ECDSA) (ECC) RSA
1.2.
1

1.3
1.3
2

1.3.
1
ID (CA) ID CA Certificate System CA CA ID
CA
CA CA CA CA
CA CA
1.3.2.
Web () ( )
HTML
2

SSL/TLS

3. ID
4.

1.5 SSL/TLS
1
1.5

SSL/TLS
ID
1.3.3.
1.3.3.1. SSL/TLS
SSL/TLS SSL/TLS SSL/TLS
SSL/TLS
SSL/TLS
1.3.3.2.
1

1.3.3.3.


Java


LDAP https://server.example.com:8443/ca/ee/ca Certificate Manager
Certificate System Certificate Manager CA CA OCSP SSL/TLS KRA Certificate Manager
1.1

SSL/TLS
SSL/TLS ID ID SSL/TLS SSL/TLS
SSL/TLS
SSL/TLS
SSL/TLS
SSL/TLS Web SSL/TLS
1
S/MIME SSL/TLS ID SSL/TLS S/MIME
CA CA CA CA
Mozilla Firefox CA Firefox CA


1.3.4.1. CA

CRL
Certificate Manager CA CA CA CA CA CA ( CA ( CA )) CA Certificate Manager CA CA Certificate Manager CA
CA CA CA


1.3.4.4.
1.3.4.5.

1.3.4.6.
Certificate System CA 1 CA 2 CA 2 CA CA CA crossCertificatePair
CA CA CA Certificate System CA CA CA
1.3.5.
1
1.3.5.1.
1.3.5.1.1.
PKCS#7 PKCS #7 SignedData SignedData PKCS #7
Netscape PKCS #7 ContentInfo contentType netscape-cert-sequence content
CertificateSequence ::= SEQUENCE OF Certificate
-----END CERTIFICATE-----
1.3.5.2.
X.509 v3 (DN) DN uid=doe
Example Corp DN
uid=doe, cn=John Doe,o=Example Corp.,c=US
DN uid cn o c
DNS LDAP (Lightweight Directory Access
1.3.5.3.


CA DN
2004 11 15 1 2020 11 15 1
DNSSL/TLS DN

Netscape Certificate Type SSL/TLS SSL/TLS
SAN (Subject Alternative Name) 1


1
base-64
UkdGYpcd2cYRCgKi4MwqdWyLtpuHAH18hHZ5uvi00mJYw8W2wUOsY0RC/a/IDy84 hW3WWehBUqVK5SY4/zJ4oTjx7dwNMdGwbWfpRqjd1A== -----END CERTIFICATE-----
1.3.6. CA
CA ID CA Certificate System
CA CA CA 1 CA CA CA

CA CA CA
CA X.509 CA (: 1.6)
1.6
CA CA CA
CA CA CA CA CA CA CA
CA 1.6 1
1.3.6.2.
CA CA 1.7 1.6 CA 2 CA CA CA
1.7

1.7 CA
1.7 CA CA (USA CA) DN USA CA DN
( )
1.7 USA CA CA USA CA
1.3.6.3.
1.
3.
6. CA 1.8 CA
1.8 CA
1.8 CA CA CA CA 1.9 Chain CA
1.9 Chain CA
1.10
1.3.7.
(OCSP) OCSP
1.4.
1.4.1.
CA ID
1

1.4.2.




CRL OCSP
1.5.
PKI
2 RED HAT CERTIFICATE SYSTEM PKI CRL Red Hat Certificate System PKI
2.1. CERTIFICATE SYSTEM
Red Hat Certificate System 5 PKI
Certificate Manager CA PKI Certificate Manager Certificate System
(KRA) ( ) KRA

Certificate System KRA (DRM) Web KRA DRM
(OCSP) OCSP OCSP CA OCSP CA
(TKS)TKS CCID TPS
(TPS)TPS (Enterprise Security Client (ESC)) TPS TPS CAKRA TKS Enterprise Security Client
Certificate System CA wheel CA (PKI) PKI 2 1 ()
TMS CATKS TPS KRA

TMS TMS CA TMS OCSP KRA
2.2. CERTIFICATE SYSTEM
PKI Java Apache Tomcat
PKI PKI (CAKRAOCSPTKS TPS)
(VM) PKI
Certificate System PKI
PKI Java Apache Tomcat
PKI PKI PKI
PKI PKI
CA
TKS
CAKRAOCSPTKS TPS

PKI
2.2.2.
Certificate System Red Hat Directory Server LDAP Red Hat Directory Server Red Hat Directory Server Installation Guide
2.2.2.2. PKI
Certificate System Red Hat Enterprise Linux
pki-core.el7
pki-base
pki-base-java
pki-ca
pki-javadoc
pki-kra
pki-server
pki-symkey
pki-tools
pki-console.el7pki
pki-console
pki-core.el7pki
pki-ocsp
pki-tks
pki-tps
redhat-pki.el7pki
redhat-pki
redhat-pki-theme.el7pki
redhat-pki-console-theme
redhat-pki-server-theme
pki-javadoc Certificate System Yum redhat-pki
# yum install redhat-pki
JSS PKI javadoc (jss-javadoc pki-javadoc)

2.2.2.3.
pkispawn --help
2. Python
3.
4. Python JavaScript Object Notation (JSON) Java
5. PKI pkispawn PKI /var/lib/pki/instance_name/<subsystem> /registry/<subsystem>/deployment.cfg
pkispawn man
/etc/pki/default.cfg
[DEFAULT][Tomcat][CA][KRA][OCSP][TKS] [TPS] name=value
pkispawn -s
name=value [Tomcat] [DEFAULT] PKI

name=value pkispawn man myconfig.txt .ini PKI
pki_default.cfg man
/usr/share/java/pki/pki-certsrv.jar com/netscape/certsrv/system/ConfigurationRequest.class Java pkispawn JSON com/netscape/certsrv/system/ConfigurationResponse.class Java pkispawn
root pkispawn
# pkispawn

Elliptic Curve Cryptography (ECC) CA Hardware Security Module (HSM) CA
PKI
1. # mkdir -p /root/pki
[DEFAULT]
pki_admin_password=<password>
pki_client_pkcs12_password=<password>
pki_ds_password=<password>
3. # pkispawn -s CA -f /root/pki/ca.cfg
2.2.2.4.
pkidestroy PKI (/var/lib/pki/instance_name/<subsystem>/registry/<subsystem>/deployment.cfg) PKI PKI pkidestroy man
pkidestroy
Begin uninstallation (Yes/No/Quit)? Yes
Uninstallation complete.

Uninstallation complete.
2.2.3.1.
Red Hat Certificate System Red Hat Enterprise Linux 7 systemctl
# systemctl start <unit-file>@instance_name.service
# systemctl status <unit-file>@instance_name.service
# systemctl stop <unit-file>@instance_name.service
Watchdog (nuxwdog) Red Hat Certificate System Certificate System Watchdog
2.2.3.2.
Certificate System systemctl Certificate System systemctl
# systemctl disable pki-tomcatd@instance_name.service
2.2.4. (pki-server pkidaemon)
2.2.4.1. pki-server
Red Hat Certificate System pki-server pki-server -- help pki-server man
pki-server (CLI) ( ) CLI
$ pki-server [CLI options] <command> [command parameters]
CLI NSS CLI CLI root CLI
CLI
$ pki-server
$ pki-server ca $ pki-server ca-audit
2.2.4.2. pki-server
subsystem_id (cakratksocsp tps)

# pki-server subsystem-disable -i pki-tomcat ocsp

2.2.4.3. pkidaemon
pkidaemon {start|status} instance-type [instance_name]
pkidaemon status tomcat: PKI PKI
pkidaemon status tomcat: PKI PKI /URL
pkidaemon status tomcatinstance_name: PKI / URL
pkidaemon start tomcat instance_name.service - systemctl
pkidaemon man
2.2.4.4. Web URL
CAKRAOCSPTKS TPS Web Web URL CA
https://server.example.com:8443/ca/services

pkidaemon status instance_name
Web 2.1 Web URL CA () Web
https://server.example.com:8443/ca/ee/ca
https://192.0.2.1:8443/ca/services https://[2001:DB8::1111]:8443/ca/services
2.1 Web
Web Web
Certificate Manager
ca/ee/ca
8443 pkiconsole https://host:port/c a

kra/ee/kra
kra/ee/kra
8443 pkiconsole https://host:port/k ra

ocsp/ee/ocsp
ocsp/ee/ocsp
8443 pkiconsole https://host:port/o csp

tks/ee/tks
tks/ee/tks
8443 pkiconsole https://host:port/t ks

tps/phoneHome
tps/phoneHome
8443 Operator [d]
tps/ui
Web Web
[a] No Yes No
[b] Web
[c] OCSP Web OCSP OCSP
[d] Operator Web
SSL/TLS [a]
Web Web
2.2.4.5.
CAKRAOCSP TKS Java KRAOCSP TKS CA
pkiconsole SSL/TLS
pkiconsole https://server.example.com:admin_port/subsystem_type
subsystem_type cakraocsp tks KRA
pkiconsole https://server.example.com:8443/kra
https://192.0.2.1:8443/ca https://[2001:DB8::1111]:8443/ca
2.3.1. Java Application Server
Certificate System Tomcat Tomcat
Certificate System Tomcat Tomcat server.xml https://tomcat.apache.org/tomcat-8.0-doc/config/ Tomcat
Certificate System (CA KRA ) Tomcat Web Web web.xml Java Servlet 3.1 https://www.jcp.org/en/jsr/detail?id=340
Certificate System CS.cfg

pkispawn Tomcat pki_security_manager=false Security Manager
Security Manager
1. # systemctl stop pki-tomcatd@instance_name.service
3. # systemctl start pki-tomcatd@instance_name.service
/usr/share/pki/server/conf/catalina.policy /usr/share/tomcat/conf/catalina.policy /var/lib/pki/$PKI_INSTANCE_NAME/conf/pki.policy /var/lib/pki/$PKI_INSTANCE_NAME/conf/custom.policy
Certificate System
2.3.3.2.
TMS CA KRA CIMC SSL Trusted Manager Trusted Manager (CIMC ) SSL
TMS CIMC TPS CATPS KRA TPS TKS
2.3.3.3.
2.3.3.4. Operator
Representational state transfer (REST) HTTP Web Red Hat Certificate System REST
Red Hat Certificate System REST RESTEasy RESTEasy Web RESTEasy web.xml RESTEasy http://resteasy.jboss.org/
REST URL
CA : http://<host_name>:<port>/ca/rest/certs/
KRA : http://<host_name>:<port>/kra/rest/agent/keys/
TKS : http://<host_name>:<port>/tks/rest/admin/users/
TPS : http://<host_name>:<port>/tps/rest/admin/groups/
HTTP HTTPS
REST HTTP (GETPUTPOSTDELETE) GET /ca/rest/users CA
REST XML JSON
{ "id":"admin", "UserID":"admin", "FullName":"Administrator",
CLIWeb UI REST REST Certificate System JavaPython JavaScript
REST 2
REST http://www.dogtagpki.org/wiki/REST
2.3.6. Tomcatjss
Red Hat Certificate System Java Tomcat Server HTTP JSS tomcatjss JAR NSS Java Tomcatjss Tomcat Java Security Services (JSS) Java Secure Socket Extension (JSSE)
Tomcatjss TLS TLS tomcatjss tomcat tomcatjss Java JSS NSS
Tomcat Certificate System tomcatjss
1.
3. server.xml Tomcatjss
4. Tomcatjss
5. Tomcat Certificate System
Tomcat JSS Certificate System JSS
server.xml Tomcat Engine Web
2.3.7. PKCS #11
Certificate System 1 PKCS #11 PKCS #11 ( ) PKCS #11 Certificate System PKCS #11
PKCS 11 1 PKCS #11
2.3.7.1. NSS Soft Token ()

NSS Soft 2 (cert8.db) (key3.db) 2 Certificate System /var/lib/pki/instance_name/alias
NSS Certificate System
PKCS #11 2

NSS 14/
Network Security Services (NSS) Mozilla Developer Web
2.3.7.2. (HSM)

PKCS #11 Certificate System PKCS #11
PKCS #11 secmod.db modutil modutil Mozilla Developer Web Network Security Services (NSS)
PKCS #11 PKCS #11
HSM 14/

ID


[CA]
pki_serial_number_range_start=1
pki_serial_number_range_end=10000000
pki_request_number_range_start=1
pki_request_number_range_end=10000000
pki_replica_number_range_start=1
pki_replica_number_range_end=100
2.3.8.2.
[CA]
pki_random_serial_numbers_enable=True

2.3.10. (nuxwdog)
CS.cfg Red Hat Enterprise Linux PKI CS.cfg
password.conf
Nuxwdog (watchdog)

RHCS Certificate System Watchdog
Red Hat Certificate System
2.3.11. LDAP
Red Hat Certificate System ACL Red Hat Directory Server (RHDS) Certificate System LDAP SSL
Certificate System Directory Server 2 Certificate System pkispawn
Red Hat Directory Server
2.3.12. SELinux (Security Enhanced Linux)
SELinux SELinux Red Hat Enterprise Linux 7 SELinux
SELinux Linux Linux API
Certificate System SELinux SELinux SELinux Certificate System SELinux Certificate System Certificate System
2.1 CA SELinux
SELinux
SELinux
Certificate System

Certificate System SELinux SELinux Certificate System Enforcing SELinux
pkispawn Certificate System
SELinux pki_tomcat_t Certificate System Tomcat pki_tomcat_t tomcat_t Tomcat Certificate System
Certificate System (unconfined_t) pki_tomcat_t pki_tomcat_log_t pki_tomcat_etc_rw_t http_port_t
SELinux Enforcing Permissive
2.3.13.


Java™
pkispawn pki_subsystem_log_path /var/log/pki/instance_name/subsystem_name/signedAudit
2.3.14.1.
2.3.14.2.
system (HTTP HTTPS ) IP (IPv4 IPv6 )
id_number processor - [date:time] [number_of_operations] [result] servlet: message
2.1 TKS

id_number.processor - [date:time] [number_of_operations] [result] servlet: message
CA KRA TPS TKS
2.2

Web

[date:time] [processor]: servlet: message

[10/Jun/2020:05:14:51][main]: Established LDAP connection using basic authentication to host localhost port 389 as cn=Directory Manager
main LDAP
CA
[06/Jun/2020:14:59:38][http-8443;-Processor24]: ProfileSubmitServlet: key=$request.requestowner$ value=KRA-server.example.com-8443
CA HTTP profile () (KRA )
2.3 CA
bXB1dGVyIERvbWFpbjEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X
DTA4MDYwNjE5NTkzOFoXDTA4MTIwMzE5NTkzOFowOzEhMB8GCSqGSIb3DQEJARYS
anNtaXRoQGV4YW1wbGUuY29tMRYwFAYKCZImiZPyLGQBARMGanNtaXRoMIGfMA0G
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDreuEsBWq9WuZ2MaBwtNYxvkLPHcN0cusY
7gxLzB+XwQ/VsWEoObGldg6WwJPOcBdvLiKKfC605wFdynbEgKs0fChVk9HYDhmJ
8hX6+PaquiHJSVNhsv5tOshZkCfMBbyxwrKd8yZ5G5I+2gE9PUznxJaMHTmlOqm4
HwFxzy0RRQIDAQABo4HFMIHCMB8GA1UdIwQYMBaAFG8gWeOJIMt+aO8VuQTMzPBU
78k8MEoGCCsGAQUFBwEBBD4wPDA6BggrBgEFBQcwAYYuaHR0cDovL3Rlc3Q0LnJl
ZGJ1ZGNvbXB1dGVyLmxvY2FsOjkwODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBeAw
HQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMCQGA1UdEQQdMBuBGSRyZXF1
ZXN0LnJlcXVlc3Rvcl9lbWFpbCQ=
[07/Jul/2020:06:25:40][http-11180-Processor25]: OCSPServlet: OCSP Request: [07/Jul/2020:06:25:40][http-11180-Processor25]: OCSPServlet: MEUwQwIBADA+MDwwOjAJBgUrDgMCGgUABBSEWjCarLE6/BiSiENSsV9kHjqB3QQU

2.3.14.6. Tomcat
CAKRAOCSPTKS TPS Tomcat Web
Certificate System HTTP Tomcat Web HTTP HTTP
Tomcat :
catalina.timestamp
catalina.out
host-manager.timestamp
localhost.timestamp
localhost_access_log.timestamp
manager.timestamp
Certificate System Apache Tomcat Apache
2.3.14.7.
2.3.14.8. journalctl

# journalctl -f -u pki-tomcatd@instance_name.service
/etc/pki/instance_name/server.xml
2.3.15.1.
Certificate System 1 Certificate System Tomcat Certificate System PKI Web RPM Java
pki-tomcat true pkispawn

2.2 Tomcat
2.3 CA

2.4 KRA
2.5 OCSP
2.6 TKS
2.7 TPS
Certificate System (2.8 )
2.8

pki/ca (CA)
pki/kra (KRA)
pki/ocsp (OCSP)
pki/tks (TKS)
pki/tps (TPS)
/usr/share/java/pki Tomcat Web Certificate System Java


PKI TMS TMS
TMS CA TMS OCSP KRA
2.4.1.
Certificate Manager Certificate System ()
Certificate System Web (VPN) X.509 3
Red Hat Certificate System
2.4.1.1.
Certificate Manager CSR
2.4.1.1.1.
PKI PKI
1. 1
Certificate Manager
3. LDAP PIN
4.

6.
7. KRA CA
8.
9.
HTML HTML
ID

10.
12. Certificate Manager LDAP
13. OCSP
CA
PKCS #10 Certificate Request Message Format (CRMF) CSR
2.4.1.1.2.
2.4.1.1.2.2. CMC
CMC
1. PKCS10ClientCRMFPopClient PKCS #10 CRMF (CSR)

CMCRequest(1) man
3. HttpClient CMC CA HttpClient CMC
HttpClient CA CMC PKCS 7
HttpClient
4. CMCResponse HttpClient PKCS #7 CMCResponse
CMCResponse(1) man
5.

2.4.1.1.2.2.1. POP CMC
POP (Proof Of Possession) HttpClient EncryptedPOP CMC CMCResponse CMCRequest
Red Hat Certificate System CMC
2.4.1.1.2.2.2. CMC
CMCAuth
Red Hat Certificate System CMC
2.4.1.1.2.2.3. CMC

CMC
Red Hat Certificate System CMC CMC
2.4.1.1.2.2.4.
()

3. CMCSharedToken
4. LDAP shrTok
5. CMCRequest witness.sharedSecret
CA CA

2. LDAP shrTok
3.
2.4.1.1.2.2.5. CMC
Certificate System CMC CMC
CMC HttpClient
servlet=/ca/ee/ca/profileSubmitCMCSimple?profileId=caECSimpleCMCUserCert
UI HTML
Certificate Manager
X.509 3
<instance directory>/ca/profiles/ca <profile id>.cfg pkispawn LDAP
2.4.1.4.
2 CA 2 CA PKI
2.4.2.

2.4.3. CRL
LDAP CRL LDAP OCSP 3 CRL
2.4.4.
Certificate Manager
OCSP

Red Hat Certificate System
CMCRequest Red Hat Certificate System CMC
pki pki-cert(1) man
2.4.4.2.
2.4.4.2.1. CRL
Certificate System (CRL) CRL CRL CRL CRL
Certificate Manager X.509 CRL CRL
2.4.4.2.2. OCSP
Certificate System CA PKIX RFC 2560 Online Certificate Status Protocol (OCSP) OCSP OCSP CA CRL OCSP
1. CA OCSP Authority Information Access
2. CA CRL OCSP
3. OCSP CA CRL
4. OCSP OCSP Authority Information Access OCSP
5. OCSP
2.4.4.2.2.1. OCSP
CA
Certificate Manager OCSP OCSP OCSPNoCheck Extended Key Usage
2.4.4.2.2.2. OCSP
Good or Verified
Revoked

2.4.4.2.2.3. OCSP
Online Certificate Status Manager
Certificate Manager OCSP CRL OCSP CA CRL Certificate System Online Certificate Status Manager Online Certificate Status Manager Certificate Manager CRL CRL OCSP
Certificate Manager CRL OCSP Certificate Manager CRL Online Certificate Status Manager OCSP CRL

Online Certificate Status Manager Certificate Manager CRL CRL Online Certificate Status Manager LDAP CRL Certificate Manager CRL Online Certificate Status Manager
2.4.5.
2 2 ID
2.4.5.1.
: CRMF CSR (KRA) CA Red Hat Certificate System CRMFPopClient CSR
: PKI KRA Red Hat Certificate System CSR
KRA
KRA 1 ( KRA) KRA
KRA
ID ID



2.2
a. CRMF KRA
2. CA CRMF KRA
3. KRA / LDAP /
4. KRA CA
5. CA
2.4.5.2.
1 KRA 1 KRA
KRA ( ) KRA LDAP KRA
2.3

KRA

Firefox Web KRA Red Hat Enterprise Linux 7 Firefox 31.6 pki pki(1) pki- key(1) man run CRMFPopClient --help man CMCRequest
KRA pki
2.4.5.3. KRA
KRA 2 KRA KRA 2 CA KRA CA
KRA
4. KRA
KRA CA KRA KRA
KRA
1. KRA
a. KRA
systemctl stop pki-tomcatd@instance_name.service
b. KRA NSS
mkdir nss_db_backup cp *.db nss_db_backup
d. PKCS10Client
PKCS10Client -p password -d '.' -o 'req.txt' -n 'CN=KRA Transport 2 Certificate,O=example.com Security Domain'
certutil
certutil -d . -R -k rsa -g 2048 -s 'CN=KRA Transport 2 Certificate,O=example.com Security Domain' -f password-file -a -o transport-certificate-request-file
e. CA
f. End-Entity
2. CA Agent Services KRA
3. KRA
c. KRA Base64 (: cert-serial_number.txt ) (-----BEGIN CERTIFICATE-----) (-----END CERTIFICATE-----)
4. KRA
certutil -d . -A -n 'transportCert-serial_number cert-pki-kra KRA' -t 'u,u,u' -a -i cert-serial_number.txt
5. KRA
certutil -d . -L
certutil -d . -L -n 'transportCert-serial_number cert-pki-kra KRA'
c. /var/lib/pki/pki-kra/kra/conf/CS.cfg
kra.transportUnit.newNickName=transportCert-serial_number cert-pki-kra KRA
2.
c. KRA
certutil -d . -L
certutil -d . -L -n 'transportCert-serial_number cert-pki-kra KRA'
d. KRA
e. KRA
b. NSS
d. NSS
KRA CA
1. CA KRA
a. KRA cert- serial_number.txt KRA
b. cert-serial_number.txt Base64 1
tr -d '\n' < cert-serial_number.txt > cert-one-line-serial_number.txt
2. CA KRA
a. CA
systemctl stop pki-tomcatd@instance_name.service
b. /var/lib/pki/pki-ca/ca/conf/CS.cfg
ca.connector.KRA.transportCert=certificate


CA KRA CA KRA CA KRA KRA
KRA
KRA
3. KRA
certutil -d . -L
certutil -d . -L -n 'transportCert-serial_number cert-pki-kra KRA'
4. /var/lib/pki/pki-kra/kra/conf/CS.cfg nickName
kra.transportUnit.nickName=transportCert cert-pki-kra KRA
kra.transportUnit.newNickName=transportCert-serial_number cert-pki-kra KRA
2.5.
TMS (CA) (TKS) (TPS) (KRA) OCSP (Online Certificate Status Protocol) CA Red Hat Certificate System TKS TPS TMS Enterprise Security Client (ESC)
2.4 TMS
2.5.1. (TKS)
Token Key Service (TKS) 1 TMS (CUID) ID
() Key Changeover TKS

2.5.1.1.
Java TKS ( keySet ) TKS (CS.cfg) TPS TMS Secure Channel TKS
TKS TPS keySet TPS () keySet TPS keySet Mapping Resolver
2.5.1.2. ()
2.5.1.3. ()
Token Key Service TKS 1 TKS


TKS
2.5.1.4. APDU
Red Hat Certificate System Token Management System (TMS) GlobalPlatform Token Key System (TKS) Application Protocol Data Units (APDU) () Token Processing System (TPS) Secure Channel
APDU 2
APDU (TPS )
APDU Certificate System TPS InitializeUpdate APDU ExternalAuthenticate APDU TMS Secure Channel
TKS Secure Channel TMS
2.5.2. (TPS)
TMS TPS TPS APDU TMS TPS TPS CA KRA
2.5.2.1. Coolkey
2.5.2.2.
: Coolkey
: Web 2
: TPS
: LDAP TPS
PIN : PIN PIN

: PKI Red Hat Certificate System TPS 2
: PKI
: PKI TMS
:
: TPS
CA CA CA CA
:
2.5.2.3. TPS
TPS


Coolkey
1 2
Internal Registration: TPS (tokenType) Mapping Resolver
: (
LDAP
TPS
2.5.2.4.1.
2.5.2.4.1.1.

2.9
DAMAGED 1
PERM_LOST 2


2.5.2.4.1.2.
tokendb.allowedTransitions tps.operations.allowedTransitions
tokendb.allowedTransitions=0:1,0:2,0:3,0:6,3:2,3:6,4:1,4:2,4:3,4:6,6:7

2.10
0:3 FORMATTED SUSPENDED ( )
0:6 FORMATTED TERMINATED
3:6 SUSPENDED TERMINATED
4:1 ACTIVE DAMAGED
4:2 ACTIVE PERM_LOST
4:3 ACTIVE SUSPENDED ( )
4:6 ACTIVE TERMINATED
6:7 TERMINATED UNFORMATTED

2.11
2.5.2.4.1.3.
tps.operations.allowedTransitions=0:0,0:4,4:4,4:0,7:0

2.12
0:4 FORMATTED ACTIVE
4:4 ACTIVE ACTIVE
4:0 ACTIVE FORMATTED
7:0 UNFORMATTED FORMATTED
2.5.2.4.1.4.
# Token state transitions
FORMATTED.DAMAGED = This token has been physically damaged.
FORMATTED.PERM_LOST = This token has been permanently lost.
FORMATTED.SUSPENDED = This token has been suspended (temporarily lost).
FORMATTED.TERMINATED = This token has been terminated.
SUSPENDED.ACTIVE = This suspended (temporarily lost) token has been found.
2.5.2.4.1.5.
2.5.2.4.1.6.
2.5.2.4.1.7.
2.13 TPS
token_modify
delete
cert_revocation
cert_unrevocation

2.5.2.4.2.
TPS TPS
2.5.2.5.

FilterMappingResolver TPS
target

appletMajorVersion - Coolkey
appletMinorVersion - Coolkey
tokenType - okenType tokenType (TPS )
tokenATR - Answer to Reset (ATR)
tokenCUID - startend Card Unique ID (CUID)
2.5.2.6. TPS
TPS
TPS :

2.5.4. Enterprise Security Client (ESC)
Enterprise Security Client TPS Web HTTP ESC TPS HTTPS TLS TMS Secure Channel
2.6. RED HAT CERTIFICATE SYSTEM
Certificate System PKI
2.6.1.
2.6.2.

2.6.3.
2.6.4.
2.6.5.
2.6.6.
Certificate System /SSL/TLS LDAP NIS CMC CA

Certificate System IP
2.6.6.1.
Red Hat Certificate System
Certificate System 3

auditors
2.6.6.2.
2.7.
PKI

Certificate System HTTP HTTPS
2.5
DNS
LDAP PKI [Tomcat] 2 name=value pkispawn
[Tomcat] pki_clone_setup_replication=False pki_clone_reindex_data=False

CA
CA CA 2 CA CA 1 CA
CA fluid CA 1 CA CA
begin*Number end*Number
dbs.beginRequestNumber=1
dbs.beginSerialNumber=1
dbs.enableSerialManagement=true
dbs.endRequestNumber=9980000
dbs.endSerialNumber=ffe0000
dbs.replicaCloneTransferNumber=5
CRL 1 CA CRL CA CA CRL CRL CA CA CRL CA CRL CRL CRL CA CA
CA CA


CA ( )
2.7.2. KRA
KRA 1 KRA KRA KRA KRA
KRA
KRA KRA KRA

2.7.3.
TKS 1
OCSP 1 OCSP CRL CRL
2.7.4.
pkispawn pki_backup_keys pki_backup_password PKCS #12 pki_default.cfg(5) man BACKUP PARAMETERS
PKCS12Export PKCS #12
PKCS #12 clone pki_clone_pkcs12_password pki_clone_pkcs12_path pkispawn man pkispawn(8) Installing a Clone PKCS#12 pkiuser SELinux

Directory Server Directory Server

LDAPS SSL/TLS LDAP (SSL/TLS ) Directory Server Directory Server 3
SSL/TLS SSL/TLS / Directory Server SSL/TLS
Directory Server
/ Directory Server Start TLS TLS

TLS SSL/TLS Directory Server CA Directory Server SSL/TLS
() Directory Server


LDAP ( 389) LDAP
Directory Server LDAP
2.7.6. ID
Directory Server ID ID
(CA ) ID ID 1
dbs.beginReplicaNumber=1 dbs.endReplicaNumber=95
ID
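Added example, not part of this guide or of Red Hat Certificate System: it parses the dbs.* range properties shown in this section and in the serial number range section under 2.7 above, reports an instance's capacity for each kind of number, and checks that a master and its clones do not hold intersecting serial, request or replica ID ranges. Two CAs that share an issuer name and overlap in serial numbers can issue two certificates with the same serial, which breaks revocation and violates X.509 uniqueness. Labelled assumption: serial number bounds are hexadecimal (the value ffe0000 above can only be read that way) while request and replica bounds are decimal; the instance names and the clone configuration are constructed for the example.

```python
"""Check that CA instances sharing one issuer do not overlap in their
dbs.* serial, request or replica number ranges.

Added example, not Red Hat Certificate System code.  Assumption (ours):
serial number bounds are hexadecimal, request and replica bounds decimal.
"""
from itertools import combinations
from typing import Dict, List, Tuple

# kind -> (begin property, end property, radix)
RANGE_KINDS = {
    "serial": ("dbs.beginSerialNumber", "dbs.endSerialNumber", 16),
    "request": ("dbs.beginRequestNumber", "dbs.endRequestNumber", 10),
    "replica": ("dbs.beginReplicaNumber", "dbs.endReplicaNumber", 10),
}

# Constructed CS.cfg excerpts.  The master carries the values shown above; the
# clone was given serial and replica ranges that still overlap the master's.
MASTER_CS_CFG = """\
dbs.beginRequestNumber=1
dbs.beginSerialNumber=1
dbs.enableSerialManagement=true
dbs.endRequestNumber=9980000
dbs.endSerialNumber=ffe0000
dbs.replicaCloneTransferNumber=5
dbs.beginReplicaNumber=1
dbs.endReplicaNumber=95
"""
CLONE_CS_CFG = """\
dbs.beginRequestNumber=9980001
dbs.endRequestNumber=19980000
dbs.beginSerialNumber=ffd0000
dbs.endSerialNumber=ffe0000
dbs.enableSerialManagement=true
dbs.beginReplicaNumber=90
dbs.endReplicaNumber=100
"""


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Minimal key=value reader for CS.cfg (comments start with '#')."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def number_ranges(props: Dict[str, str]) -> Dict[str, Tuple[int, int]]:
    """Return {kind: (begin, end)} for every kind fully configured in props."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for kind, (begin_key, end_key, radix) in RANGE_KINDS.items():
        if begin_key in props and end_key in props:
            begin, end = int(props[begin_key], radix), int(props[end_key], radix)
            if begin < 1 or end < begin:
                raise ValueError(f"{kind}: invalid range {props[begin_key]}..{props[end_key]}")
            ranges[kind] = (begin, end)
    return ranges


def range_capacity(props: Dict[str, str], kind: str) -> int:
    """How many numbers of this kind the instance's configured range holds."""
    begin, end = number_ranges(props)[kind]
    return end - begin + 1


def find_overlaps(instances: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(kind, instance_a, instance_b) for every pair whose ranges intersect.

    instances maps an instance name to its CS.cfg text.
    """
    parsed = {name: number_ranges(parse_cs_cfg(cfg)) for name, cfg in instances.items()}
    overlaps = []
    for (a, ra), (b, rb) in combinations(sorted(parsed.items()), 2):
        for kind in sorted(set(ra) & set(rb)):
            (a_lo, a_hi), (b_lo, b_hi) = ra[kind], rb[kind]
            if a_lo <= b_hi and b_lo <= a_hi:
                overlaps.append((kind, a, b))
    return sorted(overlaps)


if __name__ == "__main__":
    master = parse_cs_cfg(MASTER_CS_CFG)
    print("master serial capacity:", range_capacity(master, "serial"))
    for kind, a, b in find_overlaps({"ca-master": MASTER_CS_CFG, "ca-clone": CLONE_CS_CFG}):
        print(f"OVERLAP in {kind} range between {a} and {b}")
```

Run it against the CS.cfg of every instance that issues under the same CA signing certificate; an empty result from find_overlaps is the condition to require before putting a clone into service.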
CS.cfg
CA 2 KRA CA CA-KRA CA CS.cfg CA CA CA-KRA KRA CA KRA

()
3.1. TLSECC RSA
Transport Layer Security (TLS) TLS
TLS TLS
TLS ()
RSA Elliptic Curve Diffie-Hellman (ECDH) TLS TLS ECC (Elliptic Curve Cryptography) RSA RSA ECC
2 PFS (Perfect Forward Secrecy) PFS ( )

RSA RSA 2048 1024 2048 64 CA 2048 (3072 or 4096)
3.1.1.
3.1.1.1. TLS
3
Red Hat Certificate System
ECC
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
RSA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Red Hat Certificate System PKCS #11
RSA :
https://csrc.nist.gov/publications/detail/fips/186/4/final
nistp256
nistp384
nistp521
IPv4 IPv6 Certificate System IP IPv4 IPv6 IPv6
TPSTKSCA
TPS Enterprise Security Client


pki Subject Alt Name Extension HttpClientBulk Issuance Tool Certificate System
(pkiconsole Web IPv6 )
()
IPv4: n.n.n.n or n.n.n.n,m.m.m.m (an address, or an address followed by a netmask), for example 128.21.39.40 or 128.21.39.40,255.255.255.00
IPv6 128 IPv6
DNS IPv4 IPv6 Web Java
https://ipv6host.example.com:8443/ca/services
pkiconsole https://ipv6host.example.com:8443/ca
An IPv6 address literal is written inside square brackets (the address below uses the 2001:db8::/32 documentation prefix):
https://[2001:db8::123:456:789:0]:8443/ca/services
pkiconsole https://[2001:db8::123:456:789:0]:8443/ca
3.5. PKIX
Certificate System IETF Public-Key Infrastructure (X.509) PKIX PKIX IETF Datatracker Web
3.1 9 PKIX
RFC
(ITU)
(CMMF)
CA CMMF CMC
CS (CMC)
RFC 5274 CS PKCS #10 Diffie-Hellman RSA CMC CRMF CMMF
(CMS) RFC 2630 PKCS #7
PKIX CRL
RFC 5280 IETF CRL
(OCSP)
RFC
4.1.
4.2.

4.3. WEB
4.1 Web

Red Hat Enterprise Linux Firefox 60 [a] Firefox 60 [a]
Windows 7 Firefox 60 [a] Firefox 60
Internet Explorer 10[b]
[a] Firefox Web
[b] Internet Explorer 11 Red Hat Certificate System 9 Web Internet Explorer 11 Visual Basic

4.4.
Red Hat Certificate System Hardware Security Modules (HSM)
CipherTools-linux64-dev-12.30.00
()
Certificate System TPS TKS
5.1.


ID
5.1.1.
Certificate System PKI Certificate Manager () CA
5.1 CA
Certificate Manager 1 CA
5
KRA
5.2 CA KRA


5.1.3.
1 ( CA ) ( CA CA ) CA
5.1.4. OCSP
Example Corp. Web SSL/TLS CA
5.3 CA OCSP
TPS TPS
TPS CATKS KRA Enterprise Security Clients 1 TPS TPS TPS TPS CATKS KRA
TPS CA KRA TKS TPS
5.2.
CA PKI CA (CA ) (
CA PKI CA (CA ) ( ) Certificate System PKI
PKI CA CA CA CA CA CA CA CA Certificate System Certificate System CA CA CA
( CA) CA () CA CA CA CA CA CA CA CA CA CA CA

CA
CA CA CA
Certificate Manager CA CA CA PKI CA CA CA
5.2.1. CA
Certificate System CA CA CA CA CA CA SSL/TLS S/MIME (Secure Multipurpose Internet Mail Extensions) SSL/TLS CA PKI
CA 1 CA Web CA CA Certificate System
5.2.2. CA
Certificate System CA CA CA CA CA CA CA CA CA
Certificate System CA CA CA Certificate System CA CA CA
Certificate System Certificate Manager CA CA Certificate Manager CA Certificate Manager CA CA
Certificate Manager 2 CA 2 CA PKI
(FBCA)
5.2.4. CA
CA CA Certificate Manager
Certificate Manager CA Certificate Manager ( Certificate Manager)

pk12util PKCS12Export
CA CA CA CA Certificate Manager CA
Certificate Manager CA
Certificate Manager Certificate Manager
Certificate Manager
5.3.
PKI Certificate System
CA CA PKI
CA CA LDAP CA
CA URL Example Corp Intranet PKI (KRATPS TKSOCSPCA( URL
TPS CA TPS CA
CA LDAP CA
ou=Security Domain,dc=server.example.com-pki-ca
(pkiSecurityGroup)
pkiSubsystem
(CA ) CA CA LDAP



CA KRA KRA CA KRA CA
Certificate System CA CA
CA OCSP OCSP CA OCSP CA CA CA
5.4.
5.4.1.
5.1

CA
CA OCSP CA CRL CA OCSP
KRA CA CS.cfg KRA ca.connector.KRA.transportCert
CA Certificate Manager SSL/TLS CA SSL/TLS
Certificate Manager CRL LDAP SSL/TLS SSL/TLS SSL/TLS
SSL/TLS 1 SSL/TLS
5.4.2. CA
CA Certificate Manager ID Certificate Manager (DN)
CA DN DN DN Example Corporation Certificate Manager
cn=demoCA, o=Example Corporation, ou=Engineering, c=US
Certificate Manager DN DN
5.4.3. CA
5.4.4.
CA CA CRL OCSP

SHA256withRSA
SHA512withRSA
SHA256withEC
SHA512withEC

Certificate System ECC ECC PKCS #11 9 ECC

RSA 2048 4096 ECC RSA ECC 256 2048 RSA
5.4.5.
X.509 v1 X.500
X.500 X.500


CA CA CA
CRL CRL
X.509 v3 X.509 v3 X.509 CRL CA

X.509 v3
X.500 X.509 ITU (International Telecommunication Union) IETF (Internet Engineering Task Force) X.509 (PKIX) X.509v3 CRL PKIX 1
2 Abstract Syntax Notation One (ASN.1) Distinguished Encoding Rules (DER) Certificate System CCITT X.208 X.209 ASN.1 DER RSA Laboratories Web (http://www.rsa.com) A Layman's Guide to a Subset of ASN.1, BER, and DER
5.4.5.1.
Extension ::= SEQUENCE {
    extnID     OBJECT IDENTIFIER,
    critical   BOOLEAN DEFAULT FALSE,
    extnValue  OCTET STRING }

(OID) ASN.1 OID ID (extnID) ASN.1 (extnValue)
critical
ID
ID
DER octet
ID ID ID
X.509 v3

5.4.6.
()
2 2 2 4 2

SSL/TLS 2 1 6 1 2
Certificate System
PKCS 7
1 1 PKCS#10 1 CRMF () CRMF 1
PKI
Manage Certificate Profiles Certificate Profile
1
() ( )

1 () ID 1 1 2 2


Certificate System CA Certificate System
pki_san_inject


CMC
Certificate Manager CMC 1 HTML

2. CA Certificate Manager ID
3. LDAP

5.4.8. CRL
CA CRL LDAP CRL LDAP OCSP
CRL
LDAP
LDAP
SSL/TLS SSL/TLS Certificate Manager
LDAP DN ()
5.4.9. CA
CA 2
CA CA CA CA CA CA
CA CA CA CA CA
CA Certificate Manager CA PKI
5.5.
5.5.1.

LDAP LDAP ( LDAP 389LDAPS 636) LDAP
iptables Certificate System iptables Red Hat
5.5.2.

5.5.3.
HTTP

Tomcat Server Management
Tomcat AJP
Red Hat Certificate System Red Hat Certificate System URL
https://server.example.com:8443/ca/ee/ca
<Service name="Catalina">
<!--Connector port="8080" ... /-->   unused standard port
<Connector port="8443" ... />

Valid port numbers are 1 to 65535.
5.6. CERTIFICATE SYSTEM
Certificate System Certificate System 2
( cert8.db) (key3.db)Certificate System Certificate System Certificate System
/var/lib/pki/instance_name/alias
PKCS11 API PKCS 11
Certificate System PKCS 11 Certificate System Certificate System
Certificate System 1
Certificate System
SSL/TLS
Certificate Manager
Certificate System nCipher nShield (HSM) Certificate System HSM PKCS #11 modutil secmod.db
Security Modules NSS PKCS 11 Found Operations Login Certificate System

5.7. PKI
LDAP
(CA) VPN




PKI

Certificate System
CA Certificate SystemCA
CA CA CA (PKI CA CA)
Certificate Manager CA CA CA CA CA CA CA CA ()
CA CA CA CA
CA CA Certificate System CA CA CA CA CA
1 Certificate Manager CA CA CA CA 1 CA Web









1 CA CA Certificate System CA CA CA Certificate System CA
CA CA CA CA


ID ID ()
Certificate Manager OCSP
PKI ?
?
CRL CRL
CRL
5.8.
5.8.1.
5.8.2.
II. RED HAT CERTIFICATE SYSTEM Red Hat Certificate System
6.1. RED HAT ENTERPRISE LINUX
Red Hat Certificate System Red Hat Enterprise Linux 7 Red Hat Enterprise Linux Red Hat Enterprise Linux
Red Hat Enterprise Linux FIPS(Federal Information Processing Standard)Red Hat Security Guide

# sysctl crypto.fips_enabled
6.2. SELINUX
enforcing SELinux Certificate System (HSM) Certificate System SELinux
SELinux SELinux
6.2.1. SELinux Enforcing
Red Hat Enterprise Linux SELinux enforcing
SELinux
Directory Server Directory Server Installation Guide
6.3.1.
1. firewalld
# systemctl status firewalld
3. firewall-cmd Certificate System
# firewall-cmd --permanent --add-port={8080/tcp,8443/tcp,8009/tcp,8005/tcp}
4. firewall-cmd
(HSM) FIPS (Federal Information Processing Standard) 140-2 HSM HSM FIPS HSM
6
HSM Certificate System SELinux
HSM
1. /opt/nfast/
# restorecon -R /opt/nfast/
2. nfast
6.4.2. HSM FIPS
HSM FIPS HSM

nCipher HSM FIPS Security World Security World new-world FIPS Security World nCipher HSM
LunaSA HSM
Luna HSM FIPS HSM Luna HSM
6.4.3. FIPS HSM
HSM FIPS HSM
6.4.3.1. FIPS nCipher HSM


# /opt/nfast/bin/nfkminfo
6.4.3.2. FIPS Luna SA HSM

1. lunash
2. hsm show The HSM is in FIPS 140-2 approved operation mode.
lunash:> hsm show
...
FIPS 140-2 Operation:
=====================
The HSM is in FIPS 140-2 approved operation mode.
...
6.4.4. HSM
pkispawn HSM Certificate System pkispawn
...
[DEFAULT]
##########################
# Provide HSM parameters #
##########################
pki_hsm_enable=True
pki_hsm_libfile=hsm_libfile
pki_hsm_modulename=hsm_modulename
pki_token_name=hsm_token_name
pki_token_password=pki_token_password

########################################
# Provide PKI-specific HSM token names #
########################################
pki_token_password HSM HSM pkispawn
pki_hsm_modulename HSM pkispawn pkispawn Certificate System HSM
HSM HSM HSM
6.4.4.1. nCipher HSM
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
...~snip~...
...~snip~...

6.4.4.2. SafeNet / Luna SA HSM
SafeNet Luna Network HSM SafeNet / Luna SA HSM
pki_hsm_libfile=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
pki_hsm_modulename=lunasa

Slot    Serial #           Label
====    ================   =====
0       1209461834772      lunasaQE
label
Certificate System Red Hat Directory Server Directory Server Certificate System
6.5.1. Directory Server
Red Hat Directory Server
1. Directory Server
# yum install redhat-ds openldap-clients
[slapd]
ServerIdentifier=instance_name
ServerPort=389
Suffix=dc=example,dc=org
RootDN=cn=Directory Manager
RootDNPwd=password
b.
6.5.2. Directory Server TLS
Certificate System Directory Server TLS Certificate System TLS Directory Server Certificate System () Directory Server
Directory Server TLS Directory Server Directory Server TLS
Directory Server TLS Red Hat Certificate System Directory Server Certificate System
Directory Server (CA) TLS Certificate System CA CA Directory Server
6.5.2.1. Red Hat Certificate System LDAPS

1. NSS Directory Server
# systemctl stop dirsrv@instance_name.service
# echo password > /etc/dirsrv/slapd-instance_name/password.txt
# chown dirsrv.dirsrv /etc/dirsrv/slapd-instance_name/password.txt
# chmod 400 /etc/dirsrv/slapd-instance_name/password.txt

# echo "Internal (Software) Token:password" > /etc/dirsrv/slapd-instance_name/pin.txt
# chown dirsrv.dirsrv /etc/dirsrv/slapd-instance_name/pin.txt
# chmod 400 /etc/dirsrv/slapd-instance_name/pin.txt
5. Directory Server
$ cd /etc/dirsrv/slapd-instance_name
$ openssl rand -out noise.bin 2048
$ certutil -S \
    -x \
    -d . \
    -f password.txt \
    -z noise.bin \
    -n "DS Certificate" \
    -s "CN=$HOSTNAME" \
    -t "CT,C,C" \
    -m $RANDOM \
    -k rsa \
    -g 2048 \
    -Z SHA256 \
    --keyUsage certSigning,keyEncipherment
6. Directory Server NSS
# certutil -L -d /etc/dirsrv/slapd-instance_name/
8. Directory Server
9. Directory Server
10.
# ldapmodify -x -p 389 -h $HOSTNAME -D "cn=Directory Manager" -w password << EOF
dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: on

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: DS Certificate
nsSSLToken: internal (software)
nsSSLActivation: on
EOF
11. (636) LDAPS
a. LDAPS 11636
ldapmodify -x -p 389 -h $HOSTNAME -D "cn=Directory Manager" -w password << EOF
dn: cn=config
changetype: modify
replace: nsslapd-secureport
nsslapd-secureport: 11636
EOF
b. SELinux
12. Directory Server
[30/Jun/2016:00:23:31 +0200] - SSL alert: Security Initialization: Enabling default cipher set.
[30/Jun/2016:00:23:31 +0200] - SSL alert: Configured NSS Ciphers
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[30/Jun/2016:00:23:31 +0200] - SSL alert:
14. openldap-clients NSS TLS
$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-instance_name \
    ldapsearch -H ldaps://$HOSTNAME:11636 \
    -x -D "cn=Directory Manager" -w Secret.123 \
    -b "dc=example,dc=org" -s base "(objectClass=*)"
6.5.3.
pki_ds_database=back_end_database_name
pki_ds_hostname=host_name
pki_ds_secure_connection=True
pki_ds_secure_connection_ca_pem_file=path_to_CA_or_self-signed_certificate
pki_ds_password=password
pki_ds_ldaps_port=port
pki_ds_bind_dn=cn=Directory Manager
pki_ds_hostname Directory Server Directory Server Directory Server TLS
pki_ds_secure_connection=True
pki_ds_secure_connection_ca_pem_file: Directory Server CA pkispawn
pki_ds_ldaps_port: Directory Server LDAPS 636
6.5.4.
Directory Server CA Directory Server Directory Server
1. Directory Server CA CMC Directory Server Red Hat Certificate System
TLS Directory Server
2. NSS Directory Server
# systemctl stop dirsrv@instance_name
4. CA
5. Directory Server
# PKICertImport -d /etc/dirsrv/slapd-instance_name \
    -f /etc/dirsrv/slapd-instance_name/password.txt \
    -n "DS Certificate" -t ",," -a -i ds.crt -u V
HSM
a. Certificate System
c. Certificate System
8. Directory Server NSS CA
a. Directory Server
Issuer: "CN=CA Signing Certificate,O=EXAMPLE" Subject: "CN=server.example.com"
b. Directory Server PKI NSS
$ certutil -L -d /var/lib/pki/instance_name/alias
$ pki cert-find
2 TLS LDAP 9.8 Red Hat Directory Server

/etc/dirsrv/slapd-instance_name/certmap.conf

Directory Server
CS.cfg RHCS internaldb.ldapauth.clientCertNickname 2
internaldb.ldapauth.bindDN internaldb.ldapauth.bindPWPrompt

CS
internaldb.ldapauth.authtype=SslClientAuth
internaldb.ldapconn.secureConn=true
internaldb.ldapauth.clientCertNickname: the nickname, in the subsystem's NSS DB, of the client certificate presented on the TLS LDAP connection

1. Red Hat
a. Red Hat
# subscription-manager register --auto-attach
Username: user@example.com
Password:
The system has been registered with id: 566629db-a4ec-43e1-aa02-9cbaa6177c3f

Installed Product Current Status:
Product Name: Red Hat Enterprise Linux Server
Status: Subscribed
--auto-attach
b. Red Hat Certificate System ID
# subscription-manager list --available --all
...
Subscription Name: Red Hat Enterprise Linux Developer Suite
Provides:
...
Red Hat Certificate System
...
Pool ID: 7aba89677a6a38fc0bba7dac673f7993
Available: 1
...

# subscription-manager list --available --all > /root/subscriptions.txt
c. ID Certificate System
# subscription-manager attach --pool=7aba89677a6a38fc0bba7dac673f7993
Successfully attached a subscription for: Red Hat Enterprise Linux Developer Suite
2. Certificate Server
7Certificate System

6.7. CERTIFICATE SYSTEM
Certificate Systempkiuser pkiuser Certificate System
Certificate System
Certificate System
(TKS)
(TPS)
7.1.

2. CA OCSP
3. KRA TKS CA OCSP
4. TPS CA TKS KRA OCSP

7.2. CERTIFICATE SYSTEM

7 CERTIFICATE SYSTEM
pki-ocsp: OCSP (Online Certificate Status Protocol)
pki-tks: Token Key Service (TKS)
pki-tps: Token Processing Service (TPS)
pki-console redhat-pki-console-theme: Java Red Hat PKI
pki-server redhat-pki-server-theme: Web Certificate System
pki-capki-krapki-ocsppki-tkspki-tps
7.1 Certificate System
# yum install pki-ca redhat-pki-server-theme
PKI
# yum install pki-console redhat-pki-console-theme
# yum install redhat-pki
1. Certificate System
2. # yum update


yum update --downloadonly
7.2.2. Certificate System
# cat /usr/share/pki/CS_SERVER_VERSION
Red Hat Certificate System 9.4 (Batch Update 3)
URL
7.3. PKISPAWN
1. /etc/pki/default.cfg pki_default.cfg(5) man
2.
3. PKI
4. Java
CA

pkispawn CA CA CA CA
pkispawn pkispawn(8) man
7.4.
Certificate System CA
:
1 2 Certificate System
pkispawn(8) man ()
2 (2 )
7.6.

1 2 Certificate System
pkispawn(8) man ()
2 (2 )
subsystem KRAOCSPTKS TPS
CA CA 2 2
7.7.1. 2
2
FIPS CA KRAOCSPTKS TPS
FIPS (HSM) Certificate System
7.7.2. 2 2
2 2
1.

1.
2.
2.

1.
2.
7.7.3.
/root/config.txt

pki_default.cfg(5) man

1. Certificate System admin PKCS #12 Directory Server
[DEFAULT]
pki_admin_password=password
pki_client_pkcs12_password=password
pki_ds_password=password
2. Directory Server LDAPS [DEFAULT]
pki_ds_secure_connection=True
pki_ds_secure_connection_ca_pem_file=path_to_CA_or_self-signed_certificate


[CA]
pki_random_serial_numbers_enable=true
pki_admin_nickname=caadmin
pki_admin_name=CA administrator account
pki_admin_password=password
pki_admin_uid=caadmin
pki_admin_email=caadmin@example.com
Certificate System Certificate System
3. Certificate System [DEFAULT]
pki_instance_name=instance_name
pki_security_domain_name=example.com Security Domain
pki_host=server.example.com

(HSM) Certificate System
4. RSA Elliptic Curve Cryptography (ECC)
a. [DEFAULT]
pki_source_admincert_profile=/usr/share/pki/ca/conf/eccAdminCert.profile
pki_source_servercert_profile=/usr/share/pki/ca/conf/eccServerCert.profile
pki_source_subsystemcert_profile=/usr/share/pki/ca/conf/eccSubsystemCert.profile
CAKRAOCSPTKS TPS
1. [DEFAULT]
pki_enable_server_side_keygen=True
7.7.4.
subsystem CAKRAOCSPTKS TPS
7.7.5.
7.7.5.1.
7.7.5.2.
7.7.5.3.
Red Hat Certificate System
RSA FIPS Certificate System RSA FIPS
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
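The following is an added example (our code, not the guide's or the project's) that parses suite names of the form used in the FIPS lists above and in the ECC/RSA cipher section of chapter 3, and separates suites that provide forward secrecy through an ephemeral ECDHE or DHE exchange from the TLS_RSA_* suites that do not (a later compromise of the server's RSA key exposes every recorded session), and AEAD (GCM, CCM, ChaCha20-Poly1305) suites from CBC suites that use MAC-then-encrypt. The sample list is constructed from names that appear on this page; the naming assumption (IANA TLS 1.2 form TLS_<kx>[_<auth>]_WITH_<cipher>_<mode>_<hash>) is ours and TLS 1.3 names are rejected rather than guessed at.

```python
"""Audit a TLS cipher suite list for forward secrecy and AEAD use.

Added example, not Red Hat Certificate System code.  Assumption (ours): suite
names follow the IANA TLS 1.2 form TLS_<kx>[_<auth>]_WITH_<cipher>[_<mode>]_<hash>.
"""
import re
from typing import Dict, List, Optional

SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE_PSK|DHE_PSK|ECDHE|DHE|ECDH|DH|RSA_PSK|PSK|RSA)"
    r"(?:_(?P<auth>ECDSA|RSA|DSS|anon))?"
    r"_WITH_(?P<cipher>AES_128|AES_256|CHACHA20|3DES_EDE|RC4_128|NULL)"
    r"(?:_(?P<mode>GCM|CCM_8|CCM|CBC|POLY1305))?"
    r"_(?P<hash>SHA256|SHA384|SHA|MD5)$"
)

# Key exchanges that derive a fresh ephemeral secret for every handshake.
EPHEMERAL_KX = {"ECDHE", "DHE", "ECDHE_PSK", "DHE_PSK"}
AEAD_MODES = {"GCM", "CCM", "CCM_8", "POLY1305"}

# Constructed list: suites taken from the lists on this page, including the
# TLS_RSA_* suites shown for FIPS mode.
SAMPLE_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
]


def parse_suite(name: str) -> Dict[str, Optional[str]]:
    """Split a suite name into kx, auth, cipher, mode and hash components."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"not a TLS 1.2 style suite name: {name!r}")
    parts = m.groupdict()
    # TLS_RSA_WITH_... and TLS_PSK_WITH_... carry no separate auth token: the
    # key exchange mechanism itself authenticates the server.
    if parts["auth"] is None:
        parts["auth"] = parts["kx"]
    return parts


def has_forward_secrecy(name: str) -> bool:
    """True when a later compromise of the server's long-term key does not
    reveal the session keys of recorded handshakes."""
    return parse_suite(name)["kx"] in EPHEMERAL_KX


def is_aead(name: str) -> bool:
    return parse_suite(name)["mode"] in AEAD_MODES


def audit_suites(suites: List[str]) -> Dict[str, List[str]]:
    """Group suites by the property a reviewer cares about most."""
    report: Dict[str, List[str]] = {
        "no_forward_secrecy": [],
        "cbc_mac_then_encrypt": [],
        "pfs_and_aead": [],
    }
    for suite in suites:
        if not has_forward_secrecy(suite):
            report["no_forward_secrecy"].append(suite)
        elif not is_aead(suite):
            report["cbc_mac_then_encrypt"].append(suite)
        else:
            report["pfs_and_aead"].append(suite)
    return report


if __name__ == "__main__":
    for key, names in audit_suites(SAMPLE_SUITES).items():
        print(f"{key}:")
        for name in names:
            print("   ", name)
```

Feed it the sslRangeCiphers value from server.xml (split on commas and strip any leading '+') to see which of the suites enabled on an instance fall outside the forward-secrecy set.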
7.7.5.5. KRA
Hardware Security Module (HSM) Key Recovery Authority (KRA) KRA
7.7.5.6. OCSP
7.7.5.7.
subsystem CAKRAOCSPTKS TPS
pkispawn
To check the status of the subsystem: systemctl status pki-tomcatd@instance_name.service
To restart the subsystem: systemctl restart pki-tomcatd@instance_name.service
The URL for the subsystem is: https://server.example.com:8443/ca/
PKI instances will be enabled upon system boot
================================================================
7.8. CA
Red Hat Certificate System pkispawn (CSR) Certificate System pkispawn CSR CA Internal CA
External CA
Certificate System CA RedHat Certificate System CA
CSR Red Hat Certificate System CA CAKRAOCSPTKS TPS CSR PKCS #10
7.8.2. CA
CA Certificate System
Certificate System CA
2.
CA :
CA
subsystem (CAKRAOCSP)
2. CA CSR CA
CA Certificate System PKCS#10 CSR CA ESP Red Hat Certificate System CMC
3.
4. CA
a. pki_external_step_two True
pki_external_step_two=True
pki_ca_signing_nickname=CA Signing Certificate
pki_ca_signing_cert_path=/home/user_name/ca_signing.crt
pki_cert_chain_nickname=External Certificate Chain
pki_cert_chain_path=/home/user_name/cert_chain.p7b
OCSP
pki_ca_signing_nickname=CA Signing Certificate
pki_ca_signing_cert_path=/home/user_name/ca_signing.crt
pki_cert_chain_nickname=External Certificate Chain
pki_cert_chain_path=/home/user_name/cert_chain.p7b
5.
6.
subsystem (CAKRAOCSP)
7.9. KRA OCSP
KRA OCSP CA CSR CA KRA OCSP CA CA
KRA OCSP
1. /root/config.txt
pki_standalone=True
pki_external_step_two=False

[KRA]
pki_admin_email=kraadmin@example.com
pki_ds_base_dn=dc=kra,dc=example,dc=com
pki_ds_database=kra
[OCSP]
pki_admin_email=ocspadmin@example.com
pki_ds_base_dn=dc=ocsp,dc=example,dc=com
pki_ds_database=ocsp

pki_admin_nickname=ocspadmin
pki_audit_signing_nickname=ocsp_audit_signing
pki_ocsp_signing_nickname=ocsp_signing
pki_sslserver_nickname=sslserver
pki_subsystem_nickname=subsystem

pki_ds_secure_connection=True
pki_ds_secure_connection_ca_pem_file=path_to_CA_or_self-signed_certificate
5. CA
7.10.
7.10.2. Directory Server (CA)
LDAP CA
7.10.3. LDAP TLS
Red Hat Certificate System TLS LDAP TLS
7.10.4.
7.10.5. CRL
CRL OCSP Red Hat Certificate System CRL
7.10.6. (CA)
7.10.7.
7.10.9. CMC (CA)
CMC
PopLinkWittness PopLinkWittnessV2
7.10.10. Java TLS
Certificate System Java TLS TLS pkiconsole
7.10.11.

7.10.12. Bootstrap
KRA Red Hat Certificate System
7.10.14.2. KRA
8.1. HSM CERTIFICATE SYSTEM
HSM Certificate System pkispawn
[DEFAULT]
##########################
# Provide HSM parameters #
##########################
pki_hsm_enable=True
pki_hsm_libfile=hsm_libfile
pki_hsm_modulename=hsm_modulename
pki_token_name=hsm_token_name
pki_token_password=pki_token_password

########################################
# Provide PKI-specific HSM token names #
########################################
pki_audit_signing_token=hsm_token_name
pki_ssl_server_token=hsm_token_name
pki_subsystem_token=hsm_token_name
8.2.

8.2.1. HSM FIPS
HSM FIPS HSM

8
173

nCipher HSM FIPS Security World Security World new-world FIPS Security World nCipher HSM
LunaSA HSM
Luna HSM FIPS HSM Luna HSM
8.2.2. FIPS HSM
HSM FIPS HSM
8.2.2.1. FIPS nCipher HSM

# /opt/nfast/bin/nfkminfo
8.2.2.2. FIPS Luna SA HSM

1. lunash
2. hsm show The HSM is in FIPS 140-2 approved operation mode.
lunash:> hsm show ... FIPS 140-2 Operation:
8.2.3. HSM
hardware-HSM_token_name=HSM_token_password
Hardware Security Modules (HSM) Certificate System SELinux enforcing Certificate System HSM SELinux
HSM
1. /opt/nfast/
# restorecon -R /opt/nfast/
2. nfast
nCipher nShield HSM
1. default_hms.txt

###############################################################################
###############################################################################
###############################################################################
##                                                                           ##
##  EXAMPLE: Configuration File used to override '/etc/pki/default.cfg'      ##
##           when using an nCipher Hardware Security Module (HSM):           ##
##                                                                           ##
##                                                                           ##
##  # modutil -dbdir . -list                                                 ##
##                                                                           ##
##  Listing of PKCS #11 Modules                                              ##
##  -----------------------------------------------------------              ##
##  1. NSS Internal PKCS #11 Module                                          ##
##     slots: 2 slots attached                                               ##
##     status: loaded                                                        ##
##                                                                           ##
##     slot: NSS Internal Cryptographic Services                             ##
##     token: NSS Generic Crypto Services                                    ##
##                                                                           ##
##     slot: NSS User Private Key and Certificate Services                   ##
##     token: NSS Certificate DB                                             ##
##                                                                           ##
##  2. nfast                                                                 ##
##     library name: /opt/nfast/toolkits/pkcs11/libcknfast.so               ##
##     slots: 2 slots attached                                               ##
##     status: loaded                                                        ##
##                                                                           ##
##     slot: <serial_number> Rt1                                             ##
##     token: accelerator                                                    ##
##                                                                           ##
##     slot: <serial_number> Rt1 slot 0                                      ##
##     token: <HSM_token_name>                                               ##
##  -----------------------------------------------------------              ##
##                                                                           ##
##                                                                           ##
##  Based on the example above, substitute all password values,             ##
##  as well as the following values:                                         ##
##                                                                           ##
##      <hsm_libfile>=/opt/nfast/toolkits/pkcs11/libcknfast.so              ##
##      <hsm_modulename>=nfast                                               ##
##      <hsm_token_name>=NHSM6000                                            ##
##                                                                           ##
###############################################################################
###############################################################################
###############################################################################
[DEFAULT]
########################################
# Provide PKI-specific HSM token names #
########################################
pki_audit_signing_token=<hsm_token_name>
pki_ssl_server_token=<hsm_token_name>
pki_subsystem_token=<hsm_token_name>

##################################
# Provide PKI-specific passwords #
##################################
pki_admin_password=<pki_admin_password>
pki_client_pkcs12_password=<pki_client_pkcs12_password>
pki_ds_password=<pki_ds_password>

#####################################
# Provide non-CA-specific passwords #
#####################################
pki_client_database_password=<pki_client_database_password>

###############################################################
# ONLY required if specifying a non-default PKI instance name #
###############################################################
#pki_instance_name=<pki_instance_name>

##############################################################
# ONLY required if specifying non-default PKI instance ports #
##############################################################
#pki_http_port=<pki_http_port>
#pki_https_port=<pki_https_port>

######################################################################
# ONLY required if specifying non-default 389 Directory Server ports #
######################################################################
#pki_ds_ldap_port=<pki_ds_ldap_port>
#pki_ds_ldaps_port=<pki_ds_ldaps_port>

######################################################################
# ONLY required if PKI is using a Security Domain on a remote system #
######################################################################
#pki_ca_hostname=<pki_ca_hostname>
#pki_issuing_ca_hostname=<pki_issuing_ca_hostname>
#pki_issuing_ca_https_port=<pki_issuing_ca_https_port>
#pki_security_domain_hostname=<pki_security_domain_hostname>
#pki_security_domain_https_port=<pki_security_domain_https_port>

###########################################################
# ONLY required for PKI using an existing Security Domain #
[Tomcat]
##############################################################
# ONLY required if specifying non-default PKI instance ports #
##############################################################
#pki_ajp_port=<pki_ajp_port>
#pki_tomcat_server_port=<pki_tomcat_server_port>

[CA]
#######################################
# Provide CA-specific HSM token names #
#######################################
pki_ca_signing_token=<hsm_token_name>
pki_ocsp_signing_token=<hsm_token_name>

###########################################################################
# ONLY required if 389 Directory Server for CA resides on a remote system #
###########################################################################
#pki_ds_hostname=<389 hostname>

[KRA]
########################################
# Provide KRA-specific HSM token names #
########################################
pki_storage_token=<hsm_token_name>
pki_transport_token=<hsm_token_name>

############################################################################
# ONLY required if 389 Directory Server for KRA resides on a remote system #
############################################################################
#pki_ds_hostname=<389 hostname>

[OCSP]
#########################################
# Provide OCSP-specific HSM token names #
#########################################
pki_ocsp_signing_token=<hsm_token_name>

#############################################################################
# ONLY required if 389 Directory Server for OCSP resides on a remote system #
#############################################################################
#pki_ds_hostname=<389 hostname>
[TKS]
########################################
# Provide TKS-specific HSM token names #
########################################

############################################################################
# ONLY required if 389 Directory Server for TKS resides on a remote system #
############################################################################
#pki_ds_hostname=<389 hostname>

[TPS]
###################################
# Provide TPS-specific parameters #
###################################
pki_authdb_basedn=<dnsdomainname where hostname.b.c.d is dc=b,dc=c,dc=d>

########################################
# Provide TPS-specific HSM token names #
########################################

############################################################################
# ONLY required if 389 Directory Server for TPS resides on a remote system #
############################################################################
#pki_ds_hostname=<389 hostname>

##########################################################
# ONLY required if TPS requires a CA on a remote machine #
##########################################################
#pki_ca_uri=https://<pki_ca_hostname>:<pki_ca_https_port>

#######################################
# ONLY required if TPS requires a KRA #
#######################################
#pki_enable_server_side_keygen=True

###########################################################
# ONLY required if TPS requires a KRA on a remote machine #
###########################################################
#pki_kra_uri=https://<pki_kra_hostname>:<pki_kra_https_port>

###########################################################
# ONLY required if TPS requires a TKS on a remote machine #
###########################################################
#pki_tks_uri=https://<pki_tks_hostname>:<pki_tks_https_port>
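Added example, not Red Hat Certificate System code, for checking an override file such as the nCipher example above or the HSM parameter block in the section on configuring pkispawn for an HSM before running pkispawn: every *_token parameter must name the HSM token (any other value means that key pair is generated in the NSS software database on disk), the pki_hsm_* parameters and pki_token_password must be filled in rather than left as template placeholders, and pki_ds_secure_connection must be True with pki_ds_secure_connection_ca_pem_file set so the Directory Server certificate can be verified. It relies on [DEFAULT] being inherited by every other section, which is how both pkispawn and Python's configparser treat it. The sample override file is constructed from the nCipher values shown above with two mistakes planted; the finding texts are ours.

```python
"""Audit a pkispawn override file for keys left off the HSM and plaintext LDAP.

Added example, not Red Hat Certificate System code.  The parameter names are
the ones used in the override files above; the checks and messages are ours.
"""
import configparser
from typing import List

HSM_REQUIRED = ("pki_hsm_libfile", "pki_hsm_modulename",
                "pki_token_name", "pki_token_password")

# Constructed override file based on the nCipher example above, with two
# mistakes planted: a placeholder password and an OCSP signing key left on
# the NSS software token.
BAD_OVERRIDE = """\
[DEFAULT]
pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
pki_token_name=NHSM6000
pki_token_password=<pki_token_password>
pki_audit_signing_token=NHSM6000
pki_ssl_server_token=NHSM6000
pki_subsystem_token=NHSM6000
pki_ds_secure_connection=False

[CA]
pki_ca_signing_token=NHSM6000
pki_ocsp_signing_token=internal
"""


def _truthy(value: str) -> bool:
    return value.strip().lower() in ("true", "yes", "on", "1")


def _unset(value: str) -> bool:
    # Empty, or a '<placeholder>' copied from the template and never filled in.
    return not value.strip() or value.strip().startswith("<")


def audit_pkispawn_override(text: str) -> List[str]:
    """Return a list of findings; an empty list means the file passed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    defaults = cp.defaults()
    findings: List[str] = []

    hsm = _truthy(defaults.get("pki_hsm_enable", "False"))
    if hsm:
        for key in HSM_REQUIRED:
            if _unset(defaults.get(key, "")):
                findings.append(f"[DEFAULT] {key} is missing or still a placeholder")

    # Every *_token parameter must name the HSM token; anything else puts that
    # private key into the software NSS database under /var/lib/pki.
    token = defaults.get("pki_token_name", "")
    seen = set()
    for section in ["DEFAULT", *cp.sections()]:
        items = defaults.items() if section == "DEFAULT" else cp.items(section)
        for key, value in items:
            if not key.endswith("_token"):
                continue
            # Values inherited unchanged from [DEFAULT] are reported once.
            origin = "DEFAULT" if defaults.get(key) == value else section
            if (origin, key) in seen:
                continue
            seen.add((origin, key))
            if hsm and value != token:
                findings.append(
                    f"[{origin}] {key}={value!r} does not name the HSM token {token!r}")

    if not _truthy(defaults.get("pki_ds_secure_connection", "False")):
        findings.append("[DEFAULT] pki_ds_secure_connection is not True: "
                        "the subsystem will talk to Directory Server in plaintext")
    elif _unset(defaults.get("pki_ds_secure_connection_ca_pem_file", "")):
        findings.append("[DEFAULT] pki_ds_secure_connection_ca_pem_file is unset: "
                        "the Directory Server certificate cannot be verified")
    return findings


if __name__ == "__main__":
    for line in audit_pkispawn_override(BAD_OVERRIDE) or ["no findings"]:
        print(line)
```

The token check is the one that matters most after installation as well: a key that landed in the software database is not moved by editing the file afterwards, so fix the override and reinstall rather than patching CS.cfg.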
Gemalto Safenet LunaSA HSM nCipher nShield HSM 8.1nCipher HSM nCipher [DEFAULT][Tomcat][CA][KRA][OCSP] [TKS][TPS] nCipher LunaSA
8.2 LunaSA
###############################################################################
###############################################################################
###############################################################################
##                                                                           ##
##  EXAMPLE: Configuration File used to override '/etc/pki/default.cfg'      ##
##           when using a LunaSA Hardware Security Module (HSM):             ##
##                                                                           ##
##                                                                           ##
##  # modutil -dbdir . -list                                                 ##
##                                                                           ##
##  Listing of PKCS #11 Modules                                              ##
##  -----------------------------------------------------------              ##
##  1. NSS Internal PKCS #11 Module                                          ##
##     slots: 2 slots attached                                               ##
##     status: loaded                                                        ##
##                                                                           ##
##     slot: NSS Internal Cryptographic Services                             ##
##     token: NSS Generic Crypto Services                                    ##
##                                                                           ##
##     slot: NSS User Private Key and Certificate Services                   ##
##     token: NSS Certificate DB                                             ##
##                                                                           ##
##  2. lunasa                                                                ##
##     library name: /usr/safenet/lunaclient/lib/libCryptoki2_64.so          ##
##     slots: 4 slots attached                                               ##
##     status: loaded                                                        ##
8.4. HSM
HSM HSM PKCS12 HSM HSM HSM HSM pkispawn master
Certificate System HSM PKCS #12 PKCS #12 CA PKI [Tomcat]
###############################################################################
###############################################################################
pki_clone=True
pki_clone_pkcs12_password=Secret123
pki_clone_pkcs12_path=<path_to_pkcs12_file>
pki_clone=True
1. alias
# cd /var/lib/pki/pki-tomcat/alias
# modutil -dbdir . -nocertdb -list


HSM (Hardware Security Module) HSM HSM Red Hat Certificate System
8.7.1. nCipher nShield HSM
8.7.1.1.
nShield Connect 6000 2 HSM nShield1 nShield2
nShield 1 1 RHCS Certificate System
(1 HSM ) hsm 1 Certificate System hsm HSM
8.7.1.2.
nShield Connect 6000 HSM 90 90
8.7.2. Gemalto Safenet LunaSA HSM
8.7.2.1.

9.1. ECC
9.2. HSM ECC
Certificate System HSM ECC ECC
1. HSM HSM
2. pkispawn pkispawn ecc.inf Certificate System ECC CA
1. ecc.inf pkispawn(8) man
2. ecc.inf pkispawn
$ script -c 'pkispawn -s CA -f /root/pki/ecc.inf -vvv'
CA CRL CA
10.1.
PKCS #12

HSM HSM
10.2. CA
1. CA
2. CA CS.cfg ca.listenToCloneModifications CA
ca.listenToCloneModifications=true
3.
CA pkispawn man pkispawn(8) Installing a CA clone Installing a CA clone on the same host
4. Directory Server
systemctl restart dirsrv@instance_name.service
5.
2.
3.
4.
5. CA CRL Certificate Manager Update Certificate Revocation List CRL
CRL Certificate Manager
10.3. CA-KRA

CA KRA CA KRA CA KRA
KRA CA pki ca-kraconnector-add

1. CA CS.cfg KRA ca.connector.KRA.*
[root@master ~]# vim /var/lib/pki/instance_name/ca/conf/CS.cfg
[root@clone-ca ~]# systemctl stop pki-tomcatd@instance_name.service
[root@clone-ca ~]# vim /var/lib/pki/instance_name/ca/conf/CS.cfg
2. OCSP CS.cfg OCSP.Responder.store.defStore.refreshInSec 21600 21600
vim /etc/instance_name/CS.cfg
OCSP.Responder.store.defStore.refreshInSec=15000
4. Directory Server
systemctl restart dirsrv@instance_name.service
5.
1. CRL OCSP CA OCSP
2. CRL OCSP List Certificate Authority
3. OCSPClient Online Certificate Status Manager OCSP OCSP
KRA pkispawn pkispawn(8) man Installing a KRA or TPS clone
3. Directory Server
systemctl restart dirsrv@instance_name.service
4.
1. KRA
4. Submit
10.6. TKS
1. master
2. pkispawn
TKS pkispawn man pkispawn(8) Installing a KRA or TKS clone
3.
10.7.
CRL 1 CA CRL OCSP 1 CA OCSP 1
KRA TKS CA OCSP PKI 1
10.7.1. CA

a. ca.crl.
b. ca.crl. CA CS.cfg CA CS.cfg
c. CA 600
ca.certStatusUpdateInterval=600
d.
ca.listenToCloneModifications=true
7. CA
OCSP.Responder.store.defStore.refreshInSec=21600
OCSP.Responder.store.defStore.refreshInSec=15000
CA CS.cfg CA ID ID
CA CA
CertUtil::createSelfSignedCert() - CA private key is null!
CA
# grep privkey.id /var/lib/pki/instance_name/ca/conf/CS.cfg
cloning.signing.privkey.id=-4d798441aa7230910d4e1c39fa132ea228d5d1bc
cloning.ocsp_signing.privkey.id=-3e23e743e0ddd88f2a7c6f69fa9f9bcebef1a60
cloning.subsystem.privkey.id=-c3c1b3b4e8f5dd6d2bdefd07581c0b15529536
cloning.sslserver.privkey.id=3023d30245804a4fab42be209ebb0dc683423a8f
cloning.audit_signing.privkey.id=2fe35d9d46b373efabe9ef01b8436667a70df096
2. NSS ID CS.cfg ID
# certutil -K -d alias
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa a7b0944b7b8397729a4c8c9af3a9c2b96f49c6f3 caSigningCert cert-ca4-test-master
< 1> rsa 6006094af3e5d02aaa91426594ca66cb53e73ac0 ocspSigningCert cert-ca4-test-master
< 2> rsa d684da39bf4f2789a3fc9d42204596f4578ad2d9 subsystemCert cert-ca4-test-master
< 3> rsa a8edd7c2b5c94f13144cacd99624578ae30b7e43 sslserverCert cert-ca4-test1
< 4> rsa 2fe35d9d46b373efabe9ef01b8436667a70df096 auditSigningCert cert-ca4-test1

3. 2 (certutil ) Java BigInteger (Certificate System )
calculator 10.1certutil BigInteger
4. CS.cfg
10.1 certutil BigInteger
Java certutil BigInteger
Test.java .java

import java.math.BigInteger;

public class Test {
    // Decode a hex string (as printed by certutil -K) into raw bytes.
    public static byte[] hexStringToByteArray(String s) {
        int len = s.length();
        byte[] data = new byte[len / 2];
        for (int i = 0; i < len; i += 2) {
            data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4)
                                 + Character.digit(s.charAt(i + 1), 16));
        }
        return data;
    }

    // Interpret the bytes the way Certificate System does: as a big-endian
    // two's-complement BigInteger. An ID whose first byte is 0x80 or higher
    // therefore prints with a leading '-', as seen in CS.cfg.
    public static void main(String[] args) {
        byte[] bytes = hexStringToByteArray(args[0]);
        BigInteger big = new BigInteger(bytes);
        System.out.println("Result is ==> " + big.toString(16));
    }
}
# javac Test.java
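The same key-ID comparison in Python, added here as an example (it is not part of the guide or of Certificate System); the sample CS.cfg lines and certutil listing are constructed, modelled on the output above, and the leading '-' reproduces Java's BigInteger reading of a high first byte as a sign bit:

```python
"""Check which cloning.*.privkey.id values in a clone's CS.cfg do not match
any private key in its NSS database, the comparison the procedure above does
by hand with certutil -K and Test.java."""
import re

# Constructed sample input (not real deployment data), modelled on the
# grep and certutil output shown above.
CS_CFG_SNIPPET = """\
cloning.signing.privkey.id=-4d798441aa7230910d4e1c39fa132ea228d5d1bc
cloning.sslserver.privkey.id=3023d30245804a4fab42be209ebb0dc683423a8f
cloning.audit_signing.privkey.id=2fe35d9d46b373efabe9ef01b8436667a70df096
"""
CERTUTIL_K_OUTPUT = """\
< 0> rsa b2867bbe558dcf6ef2b1e3c605ecd15dd72a2e44 caSigningCert cert-ca4-test-master
< 3> rsa a8edd7c2b5c94f13144cacd99624578ae30b7e43 sslserverCert cert-ca4-test1
< 4> rsa 2fe35d9d46b373efabe9ef01b8436667a70df096 auditSigningCert cert-ca4-test1
"""


def certutil_id_to_biginteger_hex(key_id: str) -> str:
    """Render a certutil key ID as Java's new BigInteger(bytes).toString(16)
    would: big-endian two's complement, so a first byte >= 0x80 yields a
    negative number printed as '-' plus its magnitude; leading zeros drop."""
    value = int.from_bytes(bytes.fromhex(key_id), "big", signed=True)
    return ("-" + format(-value, "x")) if value < 0 else format(value, "x")


def parse_cs_cfg_ids(text: str) -> dict:
    """Map CS.cfg key name (signing, sslserver, ...) -> recorded key ID."""
    return dict(re.findall(
        r"^cloning\.(\w+)\.privkey\.id\s*=\s*(-?[0-9a-fA-F]+)", text, re.M))


def parse_certutil_ids(text: str) -> dict:
    """Map certificate nickname -> key ID from `certutil -K` listing lines."""
    return {nick: kid for kid, nick in re.findall(
        r"^<\s*\d+>\s+\w+\s+([0-9a-fA-F]+)\s+(.+)$", text, re.M)}


def find_stale_ids(cs_cfg_text: str, certutil_text: str) -> dict:
    """Return the CS.cfg entries whose ID matches no key in the NSS database,
    i.e. the values that must be corrected before the clone will start."""
    present = {certutil_id_to_biginteger_hex(k)
               for k in parse_certutil_ids(certutil_text).values()}
    return {name: kid for name, kid in parse_cs_cfg_ids(cs_cfg_text).items()
            if kid.lower() not in present}


if __name__ == "__main__":
    for name, kid in find_stale_ids(CS_CFG_SNIPPET, CERTUTIL_K_OUTPUT).items():
        print(f"cloning.{name}.privkey.id={kid} has no matching key in alias/")
```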

11.1. CA
CA 1 CA (VPN) CA CA
CA CA
Certificate System CA CA CA CA
11.1.1. CA
CA CA CA CA
11.1.2. CA
CA CA Certificate System Directory Server
# ldapmodify -D "cn=Directory Manager" -W -x -h server.example.com
dn: cn=aclResources,o=instance_name
changetype: modify
delete: resourceACLS
resourceACLS: certServer.ca.authorities:create,modify:allow (create,modify) group="Administrators":Administrators may create and modify lightweight authorities
-
delete: resourceACLS
resourceACLS: certServer.ca.authorities:delete:allow (delete) group="Administrators":Administrators may delete lightweight authorities
CA (ACL)

11.1.3. CA
# ldapmodify -D "cn=Directory Manager" -W -x -h server.example.com
dn: cn=aclResources,o=instance_name
changetype: modify
add: resourceACLS
resourceACLS: certServer.ca.authorities:create,modify:allow (create,modify) group="Administrators":Administrators may create and modify lightweight authorities
resourceACLS: certServer.ca.authorities:delete:allow (delete) group="Administrators":Administrators may delete lightweight authorities
(ACL) CA
11.2. IPV6
Certificate System IP Certificate System IPv4 Certificate System IPv6 IPv6 (pkiconsole) tpsclient
op=var_set name=ca_host value=IPv6 address
1. Red Hat Certificate System
2. /etc/hosts IPv4 IPv6
vim /etc/hosts
3. IPv6
export PKI_HOSTNAME=server6.example.com
11.3. LDAP
