Red Hat Certificate System 7.3 System Agent Guide
This guide is for agents of Certificate System subsystems. It explains the different agent services interfaces for the Certificate System subsystems and details the agent operations which can be performed. This information is used to manage and maintain certificates and keys for users in the PKI deployment.
Copyright © 2008 Red Hat, Inc. This material may only be distributed subject to the terms and conditions set forth in the Open Publication License, V1.0 or later with the restrictions noted below (the latest version of the OPL is presently available at http://www.opencontent.org/openpub/). Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder.
1. About This Guide ... 1
   1. Who Should Read This Guide ... 1
   2. Required Concepts ... 1
   3. What is in This Guide ... 1
   4. Document Conventions ...
   5.2. Updating the CRL ... 55
6. CA: Publishing to a Directory ... 59
   1. Automatic Directory Updates ... 59
   2. Manual Directory Updates ... 59
7. DRM: Recovering Encrypted Data ...
Chapter 1. About This Guide
This guide describes the agent services interfaces used by Red Hat Certificate System agents to administer subsystem certificates and keys and other management operations.
1. Who Should Read This Guide
This guide is intended for Certificate System agents. Agents are privileged users designated by the Certificate System administrator to manage requests from end entities for certificate-related services.
requests and explains how to handle different aspects of certificate request management. A CM agent is responsible for handling requests by end entities (end users, server administrators, or other Certificate System subsystems) for certificates using manual enrollment.
italic Courier font: Italic Courier font represents a variable, such as an installation directory: install_dir/bin/
bold font: Bold font represents application programs and text found on a graphical interface. When shown like this: OK, it indicates a button on a graphical application interface.
Additionally, the manual uses different strategies to draw your attention to pieces of information.
A warning indicates potential data loss, as may happen when tuning hardware for maximum performance.
5. Documentation
The Certificate System documentation also contains the following manuals:
• Certificate System Administrator's Guide explains all administrative functions for the Certificate System, such as adding users, creating and renewing certificates, managing smart cards, publishing CRLs, and modifying subsystem settings like port numbers.
Chapter 2. Agent Services
This chapter describes the role of the privileged users, agents, in managing Certificate System subsystems. It also introduces the tools that agents use to administer service requests.
1. Overview of Certificate System
The Red Hat Certificate System is a highly configurable set of software components and tools for creating, deploying, and managing certificates. The standards and services that facilitate the use of public-key cryptography and X.
among one or more levels of subordinate CMs. Subsystems can also be cloned. All clones use the same keys and certificates as the master, which means that the master and clones essentially all function as a single CA. Many complex deployment scenarios are possible.
Data Recovery Manager. A Data Recovery Manager (DRM) oversees the long-term archival and recovery of private encryption keys for end entities.
Token Processing System. The Token Processing System (TPS) acts as a registration authority for authenticating and processing smart card enrollment requests, PIN reset requests, and formatting requests from the Enterprise Security Client.
1.2. Certificate System Users
Three kinds of users can access Certificate System subsystems: administrators, agents, and end entities. Administrators are responsible for the initial setup and ongoing maintenance of the subsystems.
Figure 2.1. The Certificate System and Users
2. Agent Tasks
The designated agents for each subsystem are responsible for the everyday management of end entity requests and other aspects of the PKI:
Certificate Manager Agent. Certificate Manager (CM) agents manage certificate requests received by the CM subsystem, maintain and revoke certificates as necessary, and maintain global information about certificates.
Data Recovery Manager Agent. Data Recovery Manager (DRM) agents initiate the recovery of lost keys and can obtain information about key service requests and archived keys.
Note
Recovering lost or archived key information is done automatically in smart card deployments because the TPS server is a DRM agent.
2.1. Certificate Manager Agent Services
The default entry page for CM agent services is shown in Figure 2.2, “Certificate Manager Agent Services Page”. Only designated CM agents, with a valid certificate installed in their client software, are authorized to access these pages.
Figure 2.2. Certificate Manager Agent Services Page
A CM agent performs the following tasks:
• Handles certificate requests.
• Updates the CRL. The CM maintains a public list of revoked certificates, called the Certificate Revocation List (CRL). The list is usually maintained automatically, but, when necessary, the CM agent services page can be used to update the list manually. See Section 5.2, “Updating the CRL”.
• Publishes certificates to a directory. The Certificate System can be configured to publish certificates and CRLs to an LDAP directory.
• Lists key recovery requests from end entities.
• Lists or searches for archived keys.
• Recovers private data-encryption keys.
• Authorizes and approves key recovery requests. Key recovery requires the authorization of one or more recovery agents. The DRM administrator designates recovery agents. Typically, several recovery agents are required to approve key recovery requests in the DRM, so DRM administrators should designate more than one agent.
• Identifies a CM to the OCSM.
• Manually adds CRLs to the OCSM.
• Submits requests for the revocation status of a certificate to the OCSM.
For more information on these tasks, see Chapter 8, OCSP: Agent Services.
2.4. Token Processing System Agent Services
The TPS agent services page allows operations by two types of users, both agents and administrators. The default entry page to the Token Processing System (TPS) agent services is shown in Figure 2.
• Edits token information.
• Sets the token status.
The TPS agent services page also has a tab to allow operations by TPS administrators.
Figure 2.6. TPS Administrator Operations Tab
A TPS administrator performs the following tasks:
• Lists and searches enrolled tokens by user ID or token CUID.
• Edits token information, including the token owner's user ID.
• Adds tokens.
• Deletes tokens.
A subsystem agent with the correct certificates can access agent services forms through the agent services page to manage certificates. Table 2.1, “Forms Used for Agent Operations”, describes each of these HTML forms.
Form name (Operation) | Subsystem | Description
List all Requests | CM | Examine, select, and process requests for certificate services. For instructions on using this form, see Section 2, “Listing Certificate Requests”.
newly issued certificates and updated CRLs. For instructions on using this form, see Section 2, “Manual Directory Updates”.
Search for Requests | CA and DRM | Search for requests filed by end entities with the Certificate System. Search criteria include the request ID range, request type, request status, and request owner.
Authorize Recovery | DRM | Authorize a key recovery request remotely that was initiated by another DRM agent. For instructions on using this form, see Section 2.2, “Recovering Keys”.
List Certificate Authorities | OCSM | List CMs that are currently configured to publish their CRLs to the OCSM. For instructions, see Section 1, “Listing CAs Identified by the OCSP”.
Add Certificate Authority | OCSM | Identify a CM to the OCSM.
Search for Tokens | TPS | Search for tokens using either the user ID of the user to whom the token was issued, or by the contextually unique ID (CUID) of the token. See Section 3, “Managing Tokens”.
List all Certificates | TPS | List all certificates on the token. See Section 4, “Listing and Searching Certificates”.
9443, use the following URL to access the agent services interface:
https://server.example.com:9443/ca/agent/ca
There is also a services page for each subsystem. The URL for the services page for the previous example would be as follows:
https://server.example.com:9443/ca/services
The services page has links to all of the HTML pages for the subsystem, such as agent and end entities, as well as the administration page if the subsystem has not yet been configured.
Figure 2.7.
Chapter 3. CA: Working with Certificate Profiles
A Certificate Manager (CM) agent is responsible for approving certificate profiles that have been configured by a Certificate System administrator. CM agents also manage and approve certificate requests that come from profile-based enrollments.
1. About Certificate Profiles
Profile Definition.
• Approve the request. The certificate is issued, and the end entity then retrieves and uses it.
• Reject the request. No certificate is issued. The end entity is notified that the request was rejected for the reasons specified by the agent. The end entity can also view the request status using the CA's end entities page.
• Cancel the request. No certificate is issued. The end entity is notified that the request was canceled for the reasons specified by the agent.
Profile ID | Profile Name | Description
caSignedLogCert | Manual Log Signing Certificate Enrollment | Used to enrol audit log signing certificates.
caTPSCert | Manual TPS Server Certificate Enrollment | Used to enrol TPS server certificates.
caRARouterCert | RA Agent-Authenticated Router Certificate Enrollment | Used to enrol router certificates.
caRouterCert | One Time Pin Router Certificate Enrollment | Used to enrol router certificates.
authentication.
caSimpleCMCUserCert | Simple CMC Enrollment Request for User Certificate | Used to enrol user certificates by using the CMC certificate request with CMC Signature authentication.
caDualRAuserCert | RA Agent-Authenticated User Certificate Enrollment | Used to enrol user certificates with RA agent authentication.
caRAagentCert | RA Agent-Authenticated Agent User Certificate Enrollment | Used to enrol RA agent user certificates with RA agent authentication.
caRAserverCert | RA Agent-Authenticated Server Certificate Enrollment | Used to enrol server certificates with RA agent authentication.
Table 3.1. List of Certificate Profiles
3.
• Requester email. The email address of the certificate requester.
• Requester phone. The phone number of the certificate requester.
• Profile policy sets. The different policy sets that are set by default on caUserCert are listed in Table 3.2, “caUserCert Profile Policy Sets”.
Profile Policy Set | Defaults | Constraints
userCertSet.1 (SubjectName): No defaults
userCertSet.2 (Validity): range = 180 days
userCertSet.3 (Key): No defaults
userCertSet.
request. The default values are Criticality=false and OIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4.
userCertSet.8 - Subject Alt Name Constraint: Populates a Subject Alternative Name extension (2.5.29.17) in the request. Defaults: Criticality=false and Record #0{Pattern:$request.requester_email$,Pattern Type:RFC822Name,Enable:true}. Constraints: No constraints.
userCertSet.9 - SigningAlg: Populates the certificate signing algorithm.
agent can approve, and thus enable, a certificate profile. Once the certificate profile is enabled, it appears on the Certificate Profile tab of the end entities page, so end entities can enroll for a certificate using the certificate profile. The certificate profile enrollment page contains links to each type of certificate profile enrollment that has been enabled.
which is linked to the Approve Certificate Profile page. This page lists information about the certificate profile and allows an agent to approve a certificate profile or disable a previously-approved certificate profile. An approved certificate profile can only be disabled by the agent who originally approved it.
5.2.
profile. The certificate profile must first be disabled before an administrator can modify the certificate profile.
5.5. Disapproving a Certificate Profile
A certificate profile can only be disabled by the agent who approved the certificate profile. To disable a certificate profile, do the following:
1. Open the Manage Certificate Profiles page, and click on a certificate profile name.
2. Open the certificate profile's Approve Certificate Profile page.
3.
Chapter 4. CA: Handling Certificate Requests
A Certificate Manager (CM) agent is responsible for handling both manual enrollment requests made by end entities (end users, server administrators, and other Certificate System subsystems) and automated enrollment requests that have been deferred. This chapter describes the general procedure for handling requests and explains how to handle different aspects of certificate request management.
1.
action only checks the request but does not submit or edit the request.
• Assign the request. A certificate request can be manually assigned by the agent processing the request to himself. Requests cannot be assigned to another agent.
• Unassign the request. A request can be removed from an agent's queue if necessary, such as when requests are assigned to an agent who has since left the company.
Figure 4.1. Certificate Request Management Process
2. Listing Certificate Requests
The CM keeps a queue of all certificate service requests that have been submitted to it. The queue records whether a request is pending, completed, canceled, or rejected.
• Certificate enrollment requests
• Certificate renewal requests
• Certificate revocation requests
A CM agent must review and approve manual enrollment requests. Certificate requests that require review have a status of pending. To see a list of requests, do the following:
1. Go to the CM agent services page.
https://server.example.com:9443/ca/agent/ca
NOTE
An agent must have the proper client certificate to access this page.
2.
3. View certificate requests by request type by selecting one of the options from the Request type menu.
• Show enrollment requests
• Show renewal requests
• Show revocation requests
• Show all requests
4. View requests by request status by selecting one of the options in the Request status menu.
• Show pending requests. These are enrollment requests that have not yet been processed but are waiting for manual review.
• Show canceled requests.
Figure 4.3. Request Queue
2.1. Selecting a Request
To select a request from the queue, do the following:
1. On the agent services page, click List Requests, specify search criteria, and click Find to display a list of certificate signing requests.
2. Select a request to examine from the Request Queue form.
3. If a desired request is not shown, scroll to the bottom of the list, specify an additional number of requests to be listed, and click Find.
Figure 4.4. Request Details
NOTE
If the system changes the state of the displayed request, using the browser's Back or Forward buttons or history to navigate can cause the data display to become out of date. To refresh the data, click the highlighted serial number at the top of the page.
2.2. Searching Requests
The CM agent interface provides a method for agents to see the request queue based on search criteria other than those described in the List Requests category.
  • Completed
  • Canceled
  • Rejected
  • Any
• Searching by Request Type. To search by the request type, select the Show requests that are of type option, and select the type of certificate request:
  • Enrollment
  • Renewal
  • Revocation
  • Any
• Searching by Request Owner.
3. Select the certificate request from the list.
4. The certificate request details page contains several tables with information about the request:
• Request Information. Lists basic information about the request.
• Certificate Profile Information. Lists the certificate profile being used, along with basic information about that certificate profile.
• Certificate Profile Inputs.
generated and available to the user through the end entities page. If notifications have been set, then an email will be sent to the requester automatically.
4. Sending an Issued Certificate to the Requester
When the CM has issued a certificate in response to a request, the user who requested it must receive a copy to install locally. Users install user certificates, such as agent certificates, in client software.
Figure 4.5. A Newly Issued Certificate Page
To copy and mail a new server certificate to the requester, do the following:
1. Create a new email addressed to the requester.
2. From the agent services window where the new certificate is displayed, copy only the base-64 encoded certificate, including the marker lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
3. Paste the base-64 encoded certificate into the email message body, and send the message.
1. Open the agent services page, click List Requests in the left frame, enter the serial number for the approved request, and click Find.
2. In the Request Queue form, click Details beside the relevant request. Right-click the certificate serial number, and choose Open Frame in New Window from the pop-up menu.
3. In the new browser window containing the certificate, copy the URL from the location or address field.
4.
Chapter 5. CA: Finding and Revoking Certificates
A Certificate Manager (CM) agent can use the agent services page to find a specific certificate issued by the Certificate System or to retrieve a list of certificates that match specified criteria. The certificates which are retrieved can be examined or revoked by the agent. The CM agent can also manage the certificate revocation list (CRL).
1. Basic Certificate Listing
It is possible to list certificates within a range of serial numbers.
• To find a certificate with a specific serial number, enter the serial number in both the upper limit and lower limit fields of the List Certificates form, in either decimal or hexadecimal form. Use 0x to indicate the beginning of a hexadecimal number; for example, 0x00000006. Serial numbers are displayed in hexadecimal form in the Search Results and Details pages.
Figure 5.2. Search Certificates
3. To search by particular criteria, use one or more of the sections of the Search for Certificates form. To use a section, select the check box, then fill in any necessary information.
• Serial Number Range. Finds a certificate with a specific serial number or lists all certificates within a range of serial numbers.
• Status. Selects certificates by their status. A certificate has one of the following status codes:
  • Valid. A valid certificate has been issued, its validity period has begun but not ended, and it has not been revoked.
  • Invalid. An invalid certificate has been issued, but its validity period has not yet begun.
  • Revoked. The certificate has been revoked.
  • Expired. An expired certificate has passed the end of its validity period.
  • Revoked and Expired.
• Basic Constraints. Shows CA certificates that are based on the Basic Constraints extension.
• Type. Lists certain types of certificates, such as all certificates for subordinate CAs. This search works only for certificates containing the Netscape Certificate Type extension, which stores type information. For each type, choose from the drop-down list to find certificates where that type is On, Off, or Do Not Care.
4.
certificates matching the specified criteria that should be returned. Setting the number of certificates to be returned returns the first certificates found that match the search criteria up to that number. It is also possible to put a time limit on the search in seconds.
7. Click Find.
8. The Search Results form appears, showing a list of the certificates that match the search criteria. Select a certificate in the list to examine it in more detail.
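An added example, not code from the guide or the product, that applies the serial number rule of the List Certificates form (decimal, or hexadecimal with 0x) and the five status codes of the Search for Certificates form to constructed certificate records; parse_serial, certificate_status, search_certificates and the sample data are names and values chosen here.

```python
from datetime import datetime, timezone

# Added example (not Certificate System code): reproduces the serial number
# and status rules of the certificate search forms on constructed records.


def parse_serial(text):
    """Parse a serial as typed into the forms: decimal, or hex prefixed with 0x."""
    text = text.strip()
    if text.lower().startswith("0x"):
        return int(text[2:], 16)
    return int(text, 10)


def certificate_status(not_before, not_after, revoked, now):
    """Classify a certificate using the five status codes of the search form.

    Assumption made here: a certificate whose validity period has not yet
    begun is Invalid even if it has already been revoked.
    """
    if now < not_before:
        return "Invalid"
    expired = now > not_after
    if revoked and expired:
        return "Revoked and Expired"
    if revoked:
        return "Revoked"
    if expired:
        return "Expired"
    return "Valid"


def _utc(date_text):
    return datetime.strptime(date_text, "%Y-%m-%d").replace(tzinfo=timezone.utc)


# Constructed sample records; serial numbers and dates are made up
SAMPLE_CERTS = [
    {"serial": 0x6, "not_before": _utc("2008-01-01"), "not_after": _utc("2009-01-01"), "revoked": False},
    {"serial": 0x7, "not_before": _utc("2008-01-01"), "not_after": _utc("2009-01-01"), "revoked": True},
    {"serial": 0x8, "not_before": _utc("2008-01-01"), "not_after": _utc("2008-07-15"), "revoked": True},
    {"serial": 0x9, "not_before": _utc("2008-09-01"), "not_after": _utc("2009-09-01"), "revoked": False},
    {"serial": 0xA, "not_before": _utc("2007-01-01"), "not_after": _utc("2008-01-01"), "revoked": False},
]
SAMPLE_NOW = _utc("2008-08-01")


def search_certificates(records, now, lower=None, upper=None, status=None):
    """Filter like the Search for Certificates form; return serials as hex,
    which is how the Search Results page displays them."""
    lo = parse_serial(lower) if lower is not None else None
    hi = parse_serial(upper) if upper is not None else None
    hits = []
    for r in records:
        if lo is not None and r["serial"] < lo:
            continue
        if hi is not None and r["serial"] > hi:
            continue
        if status is not None and certificate_status(
                r["not_before"], r["not_after"], r["revoked"], now) != status:
            continue
        hits.append(f"0x{r['serial']:x}")
    return hits
```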
2. On the Search Results form, select a certificate to examine. If the desired certificate is not shown, scroll to the bottom of the list, specify an additional number of certificates to be returned, and click Find. The system displays the next certificates up to that number that match the original search criteria.
3. After selecting a certificate, click the Details button at the left side of its entry.
4.
Only CM agents can revoke certificates other than their own. A certificate must be revoked if one of the following situations occurs:
• The owner of the certificate has changed status and no longer has the right to use the certificate.
• The private key of a certificate owner has been compromised.
These two reasons are not the only ones why a certificate would need to be revoked; other reasons are mentioned in Section 4.2, “Revoking One or More Certificates”.
Figure 5.5. Revoke One or All Certificates
4.2. Revoking One or More Certificates
An entire list of certificates returned by a search can be revoked, or selected certificates from the list can be revoked.
CAUTION
Whether revoking a single certificate or a list of certificates, be extremely careful that the correct certificate has been selected or that the list contains only certificates which should be revoked.
1. On the CM's agent services page, click Revoke Certificates, specify search criteria, and click Find to display a list of certificates.
2. On the Search Results form, select the certificate to revoke. If a desired certificate is not shown, scroll to the bottom of the list, specify an additional number of certificates to be returned, and click Find. The system displays the next certificates up to that number that match the original search criteria.
3.
Figure 5.6. Confirm Certificate Revocation
To confirm the revocation, do the following:
1. Inspect the details of the certificate to verify that it is the one to be revoked. If more than one certificate is being revoked, the form shows details for all the certificates.
2. Select an invalidity date. The invalidity date is the date on which it is known or suspected that the user's private key was compromised or that the certificate became invalid.
• Key compromised
• CA key compromised
• Affiliation changed
• Certificate superseded
• Cessation of operation
• Certificate is on hold
4. Enter any additional comment. The comment is included in the revocation request. When the revocation request is submitted, it is automatically approved, and the certificate is revoked.
4. Choose how to display the CRL by selecting one of the options from the Display Type menu. The choices on this menu are as follows:
• Cached CRL. Views the CRL from the cache rather than from the CRL itself. This option displays results faster than viewing the entire CRL.
• Entire CRL. Retrieves and views the entire CRL.
• CRL header. Retrieves and views the CRL header only.
• Base 64 Encoded. Retrieves and views the CRL in base-64 encoded format.
5.
Figure 5.7. Update Certificate Revocation List
3. Select the algorithm to use to sign the new CRL. Before choosing an algorithm, make sure that any system or network applications that need to read or view this CRL support the algorithm.
• SHA-1 with RSA generates a 160-bit message digest.
• SHA-256 with RSA.
• SHA-512 with RSA.
• MD5 with RSA generates a 128-bit message digest. Most existing software applications that handle certificates support only MD5.
5. To update the CRL with the latest certificate revocation information, click Update.
Chapter 6. CA: Publishing to a Directory
A Red Hat Directory Server installation is required for the Certificate System subsystems to be installed; this directory instance maintains user information and certificate and key information. The Certificate System can be configured to publish certificates and CRLs to that directory, or other LDAP directories, for other applications to access.
NOTE
Any client using a certificate is responsible for determining its validity by checking the expiration date against the client's current date information.
To update the LDAP publishing directory with changes manually, do the following:
1. Open the CM agent services page.
2. Click Update Directory Server.
3.
Chapter 7. DRM: Recovering Encrypted Data
This chapter describes how authorized Data Recovery Manager (DRM) agents process key recovery requests and recover stored encrypted data when the encryption key has been lost. This service is available only when the DRM subsystem is installed.
1.
• Show completed requests. Completed requests include archival requests for which proof of archival has been sent and completed recovery requests.
• Show all requests. All requests stored in the system.
5. To start the list at a specific place in the queue, enter the starting request identifier in decimal or hexadecimal form. Use 0x to indicate the beginning of a hexadecimal number; for example, 0x2A.
In the old scheme, the password for the storage token was split and protected by individual recovery agent passwords. This made it hard to access the storage private key, but it did not allow CS to fully leverage the key protection facility provided by the underlying hardware token. In the new scheme, CS uses its existing access control scheme to ensure recovery agents are appropriately authenticated via SSL, and ensures that the agent belongs to the specific recovery agent group.
Figure 7.1. Search for Keys Page
3. To search by particular criteria, use the different sections of the Search for Keys or Recover Keys form. To use a section, select the check box for that section, then fill in any necessary information.
• Owner name. Finds an archived key with a specific owner name. The owner name for a key, like the subject name for a certificate, consists of a string that can be used in searches.
• Key identifiers.
• Certificate. Finds the archived key that corresponds to a specific public key. Select the check box and paste the certificate containing the base-64 encoded public key into the text area.
Note
The encryption certificate associated with the key pair must be found first. Use the CM agent services page to find the certificate; for instructions, see Section 3, “Examining Certificates”.
• Archiver. Finds keys that were archived by a specific server.
Figure 7.2. Search Results Page
5. In the Search Results form, select a key. If a desired key is not shown, scroll to the bottom of the list and use the arrows to move to another page of search results.
6. Click the ID number next to the selected key. The details of the selected key are shown in the Key details page. It is not possible to modify the key through this page.
Figure 7.3. Key Details Page
2.2.
To initiate key recovery, do the following:
1. On the DRM agent services page, click Recover Keys, specify search criteria, and click Show Key to display a list of archived keys.
2. In the Search Results form, select a key. If a desired key is not shown, scroll to the bottom of the list and select Next or Previous for another page of search results.
3. Click Recover next to the selected key.
kra.noOfRequiredRecoveryAgents=1
kra.recoveryAgentGroup=Data Recovery Manager Agents
4. Set the PKCS #12 token password that the requester uses to import the recovered certificate/key pair package.
5. Optionally, set a certificate nickname for the archived key.
6. Paste the base-64 encoded certificate corresponding to the archived key into the text area. The certificate can be searched and viewed through the CM agent services pages.
11. Send the encrypted file to the requester.
12. Give the recovery password to the requester in a secure manner. The requester must use this password to import the recovered certificate/key pair.
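An added example, not Certificate System code, that models the recovery authorization rule this procedure relies on: the kra.noOfRequiredRecoveryAgents and kra.recoveryAgentGroup settings shown above, together with the Chapter 2 rule that several distinct recovery agents from the designated group must approve a request. SAMPLE_CONFIG and SAMPLE_GROUPS are constructed; the DRM evaluates this rule internally against its own directory.

```python
# Added example (not Certificate System code): models the DRM's recovery
# authorization check using the two kra.* settings from the recovery chapter.

# Constructed CS.cfg excerpt; the real file holds many more keys
SAMPLE_CONFIG = """\
# recovery settings (constructed sample)
kra.noOfRequiredRecoveryAgents=2
kra.recoveryAgentGroup=Data Recovery Manager Agents
"""

# Constructed group membership; a real DRM reads this from its internal directory
SAMPLE_GROUPS = {
    "Data Recovery Manager Agents": {"drmagent1", "drmagent2", "drmagent3"},
    "Certificate Manager Agents": {"caagent1"},
}


def parse_kra_config(text):
    """Parse key=value lines, ignoring blank lines and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def recovery_authorized(cfg, groups, approvers):
    """Decide whether a key recovery request may proceed.

    approvers: agent user IDs that approved this request, in arrival
    order (may contain repeats). Returns (True, "") or (False, reason).
    """
    required = int(cfg["kra.noOfRequiredRecoveryAgents"])
    group = cfg["kra.recoveryAgentGroup"]
    members = groups.get(group, set())

    # Every approval must come from a member of the configured recovery
    # agent group; an approval from anyone else is rejected outright.
    outsiders = sorted(set(approvers) - members)
    if outsiders:
        return False, f"not in '{group}': {', '.join(outsiders)}"

    # Only distinct agents count toward the threshold, so one agent
    # approving twice cannot stand in for two agents.
    distinct = len(set(approvers))
    if distinct < required:
        return False, f"{distinct} of {required} required distinct approvals"
    return True, ""
```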
Chapter 8. OCSP: Agent Services
This chapter describes how to perform Online Certificate Status Manager (OCSP) agent tasks, such as identifying a CA to the OCSP and adding a CRL to the OCSP's internal database. This service is available only when the OCSP subsystem is installed. The OCSP agent services page allows authorized agents to accomplish these tasks.
NOTE
For this documentation, Online Certificate Status Manager is abbreviated OCSP.
1.
Figure 8.1. OCSP List Certificate Authorities Page
2. Identifying a CA to the OCSP
The OCSP can be configured to receive CRLs from multiple CMs. Before configuring a CM to publish CRLs to the OCSP, first identify the CM to the OCSP by storing the CM's CA signing certificate in the internal database of the OCSP. To store the CM's CA signing certificate in the internal database of the OCSP, do the following:
1. Open the CM's end entities page.
https://server.example.
https://server.example.com:11443/ocsp/agent/ocsp
9. In the left frame, click Add Certificate Authority.
10. In the resulting form, paste the encoded CA signing certificate inside the Base 64 encoded certificate (including header and footer) text area.
Figure 8.2. Add Certificate Authority Page
11. Click Add. The certificate is added to the internal database of the OCSP.
The next page shows information about the CM that was added.

NOTE
If the deployment contains chained CAs, such as a root CA and then several subordinate CAs, add each CA certificate separately to the OCSP responder.

3. Adding a CRL to the OCSP

If a CM is unable to publish its CRL to the OCSP, a CRL can be added manually to the OCSP internal database. To add a CRL to the internal database, do the following:

1.
https://server.example.com:11443/ocsp/agent/ocsp

7. In the left frame, click Add Certificate Revocation List.
8. In the resulting form, paste the encoded CRL inside the Base 64 encoded certificate revocation list (including the header and footer) text area.
9. Click Add. The CRL is added to the internal database of the OCSP.

4. Checking the Revocation Status of a
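What the OCSP does with the two artifacts an agent pastes in (sections 2 and 3 above) can be reproduced with the openssl command line: verify the CRL against the stored CA signing certificate, then look a certificate up in it. This is an added example, not part of the Certificate System guide or its code; it assumes the openssl CLI is installed and constructs its own throwaway CA, leaf certificate and CRL, which stand in for a CM's CA signing certificate and CRL.

```shell
# Constructed CA, standing in for the CM's CA signing certificate.
set -e
WORK=$(mktemp -d) && cd "$WORK"
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Constructed CM" -days 30 >/dev/null 2>&1
# An unrelated CA: a CRL checked against it must not verify.
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.crt \
  -subj "/CN=Unrelated CA" -days 30 >/dev/null 2>&1
# A leaf certificate issued by the constructed CM; it is revoked below.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=user1" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out leaf.crt -days 10 >/dev/null 2>&1
# Minimal "openssl ca" setup, enough to revoke a certificate and issue a CRL.
mkdir newcerts && touch index.txt && echo 01 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = cm
[ cm ]
database = index.txt
new_certs_dir = newcerts
certificate = ca.crt
private_key = ca.key
serial = ca.srl
crlnumber = crlnumber
default_md = sha256
default_days = 10
default_crl_days = 7
EOF
openssl ca -config ca.cnf -revoke leaf.crt >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1

# crl_signed_by CA_CERT CRL: true only if the CRL's signature verifies with
# that CA certificate. This is why the CA is identified to the OCSP before
# its CRL is added: without the signing cert, the CRL cannot be trusted.
crl_signed_by() {
  openssl crl -in "$2" -CAfile "$1" -noout 2>&1 | grep -q "verify OK"
}

# cert_revoked CA_CERT CRL CERT: true when the verified CRL lists CERT's
# serial number, i.e. the status an OCSP client would be told is "revoked".
cert_revoked() {
  out=$(openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" 2>&1) || true
  case "$out" in *"certificate revoked"*) return 0 ;; esac
  return 1
}
```

For a chain of CAs, each issuing CA's certificate has to be available to the check in the same way, which is the reason the NOTE above has each CA certificate added separately.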
Chapter 9. TPS: Agent Services

This chapter describes how to perform Token Processing System (TPS) agent tasks, such as listing smart card tokens and resetting card PINs. Agents can manage the smart cards and the certificates stored on the cards. The TPS agent services page allows authorized agents to accomplish these tasks.

NOTE
Smart cards are also referred to as tokens in this chapter and in the TPS agent and admin services pages.

1.
• Listing activities associated with the tokens by the token CUID.
• Searching activities by the token CUID.
• Changing token status.

Administrators can perform all of the agent operations, as well as the following:

• Editing the token attributes, such as the user ID, and the reason for the token status.
• Deleting a token.

2. Adding Tokens

New tokens are added to the TPS subsystem through the Add tokens link in the Agent Operations tab.
Managing Tokens

Figure 9.1. Token Search Results

Click the link associated with the token to display its details.
Figure 9.2. Token Details

Four operations can be performed on the token through this page:

• Changing the token status.
• Editing the token policy.
NOTE
Agents can only modify the policy in effect for the token and add a new token. Administrators can also change the user ID of the owner and delete tokens.

• Listing the certificates stored on the token.
• Showing the operations performed on the token.

3.1. Changing Token Status

Agents can change the status of the token.
There are six possible token statuses:

• The token is physically damaged. For this status, the TPS revokes the user certificates and marks the token lost.
• The token has been permanently lost. For this status, the TPS revokes the user certificates and marks the token lost.
• The token is temporarily lost or unavailable. For this status, the TPS puts the user certificates on hold and marks the token inactive.
• The lost token has been found.
NOTE
If the PIN_RESET policy is not set, then user-initiated PIN resets are allowed by default. If the policy is present and is changed from NO to YES, then a PIN reset can be initiated by the user once; after the PIN is reset, the policy value automatically changes back to NO.

More token information can be modified through the Administrator Operations tab.

3.3. Listing Token Certificates
Through the TPS agent's page, however, viewing Token #1 shows Signing #1 as active, while viewing Token #2 shows Signing #1 as revoked. This is because Signing #1 was still revoked when Token #2 was formatted, and that information was not updated when Token #1 was subsequently formatted. To find the current status of certificates, view an active token and list its certificates. Active tokens always have the most current certificate status.
Certificates.

5. Searching Token Activities

The token activities, such as enrollment, which are performed through the TPS subsystem can be searched and listed for assistance with token management. There are two links for finding and viewing token activities in the Agent Operations tab: List Activities and Search Activities. Both of these options return lists of activities performed on the tokens managed by the TPS.
Click Delete to remove the token, and all its associated certificates and user information, from the TPS database.
Index

A
accessing end-entity gateways, 7
accessing forms, 18
agent services forms
  accessing, 18
  Certificate Manager, 10
  Data Recovery Manager, 11
  Online Certificate Status Manager, 12
  summary, 14
  TPS, 13
agents
  requirements for, 9
  responsibilities, 8

C
CA
  built-in OCSP service, 6
certificate authorities (CAs), 5
Certificate Manager
  agent services forms, 10
  built-in OCSP service, 6
  overview, 5
certificate profile
  approving, 29
  certificate profile information, 28
  disapproving, 30
  end user cer

  overview, 6
online certificate validation authority
  defined, 6

P
PKI (public-key infrastructure), 5
prerequisites, 1
privileged operations and users, 9
profiles, 21
  about, 21
  approving and disapproving, 28
  enabling and disabling, 28
  how profiles work, 27
  working with, 21

R
Request details form, 36
Request Queue form, 35
request status, on List Requests form, 35
requests, enrollment
  approving, 38
  cloning, 32
  examining, 36
  handling process, 31
  listing, 33
  statuses, 35
  types of, 3