Difference between revisions of "PKI Documentation"

From Dogtag
(Design Docs)
m (Replaced content with "This page has been moved to https://github.com/dogtagpki/pki/wiki.")
(41 intermediate revisions by 2 users not shown)
Dogtag Certificate System (DCS) is a complete, open source enterprise software system for managing Public Key Infrastructure (PKI) deployments.
The DCS has six highly configurable subsystems, which provide flexibility in designing the PKI. The six subsystems that comprise DCS are as follows:
* The Certificate Authority (CA) is the subsystem that provides certificate management functionality: issuing, renewing, revoking, and publishing certificates, and creating and publishing Certificate Revocation Lists (CRLs).
* The Data Recovery Manager (DRM) is an optional subsystem that provides private encryption key storage and retrieval.
* The Online Certificate Status Protocol (OCSP) Manager is an optional subsystem that provides OCSP responder services: it stores the CRLs published by one or more CAs and answers certificate status queries, which takes the load of status checking off the CAs.
* The Registration Authority (RA) is a subsystem that provides local enrollment request verifications.
* The Token Key Service (TKS) manages one or more master keys required to set up secure channels directly to the token management system. The privileged operations such as key generation can only be requested on the tokens through a secure channel.
* The Token Processing System (TPS) provides the registration authority functionality in the token management infrastructure and establishes secure channels between the Enterprise Security Client (ESC) and the back-end subsystems.
=== Certificate Authority ===
The Dogtag Certificate System is a highly configurable set of software components and tools for creating, deploying, and managing certificates. The standards and services that facilitate the use of public-key cryptography and X.509 version 3 certificates in a networked environment are collectively called the public key infrastructure for that environment. In any PKI, a certificate authority is a trusted entity that issues, renews, and revokes certificates. An end entity is a person, server, or other entity that uses a certificate to identify itself.
=== Data Recovery Manager ===
Archiving private keys offers protection for users, and for information, if a key is ever lost. Information is encrypted with the public key when it is stored, and the corresponding private key must be available to decrypt it. If the private key is lost, the data cannot be retrieved. A private key can be lost because of a hardware failure, because the key's owner forgets the password, or because the owner loses the hardware token in which the key is stored. Similarly, encrypted data cannot be retrieved if the owner of the key is unavailable to supply it. Only encryption keys are archived in this way; signing keys are never escrowed, because a second copy of a signing key would undermine the non-repudiation that signatures are meant to provide.
=== Online Certificate Status Protocol Manager ===
The Certificate System CA supports the Online Certificate Status Protocol as defined in the Public-Key Infrastructure (X.509) (PKIX) standard RFC 2560 (see http://www.ietf.org/rfc/rfc2560.txt; RFC 2560 has since been obsoleted by RFC 6960). OCSP lets a compliant application determine the state of a certificate, including its revocation status, without having to fetch and parse the CRL that the CA publishes to the validation authority. The validation authority, also called an OCSP responder, performs that check on the application's behalf and returns a signed status response.
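The following is an added example written for this page in Go, not Dogtag's own code, that ties the CA section above (issue, revoke, publish a CRL) to the validation-authority role described in this section: a toy CA issues an end-entity certificate, revokes it and signs a CRL, and a status function answers "good" or "revoked" from that stored CRL the way an OCSP responder backed by a CA's CRL does, refusing to answer when the CRL's signature does not verify against the issuer or the CRL is past its nextUpdate. The type and function names (ToyCA, Issue, Revoke, PublishCRL, CertStatus), the subject names and the validity periods are assumptions made for the illustration; only the standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ToyCA is an illustration written for this page, not Dogtag's CA subsystem.
type ToyCA struct {
	Cert       *x509.Certificate
	key        *ecdsa.PrivateKey
	revoked    []pkix.RevokedCertificate
	nextSerial int64
	crlNumber  int64
}

// NewToyCA makes a self-signed CA certificate and its signing key.
func NewToyCA(name string) (*ToyCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // cRLSign is mandatory for a CRL issuer
		BasicConstraintsValid: true, IsCA: true,                               // IsCA also makes Go add the SubjectKeyId the CRL's AKID needs
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &ToyCA{Cert: cert, key: key, nextSerial: 2}, err
}

// Issue signs an end-entity certificate for cn over a public key the subject generated itself.
func (ca *ToyCA) Issue(cn string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.nextSerial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	ca.nextSerial++
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Revoke queues the certificate's serial for the next CRL; PublishCRL signs a DER CRL valid for one hour.
func (ca *ToyCA) Revoke(c *x509.Certificate) {
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
}

func (ca *ToyCA) PublishCRL() ([]byte, error) {
	ca.crlNumber++
	tmpl := &x509.RevocationList{
		Number: big.NewInt(ca.crlNumber), RevokedCertificates: ca.revoked,
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.key)
}

// CertStatus plays the validation authority: it verifies the CRL against the issuer, refuses a
// CRL past its nextUpdate, then answers "good" or "revoked" for the serial from the stored CRL.
func CertStatus(crlDER []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) (string, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return "", fmt.Errorf("CRL signature rejected: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return "", fmt.Errorf("CRL past nextUpdate: refusing to answer from stale data")
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(serial) == 0 {
			return "revoked", nil
		}
	}
	return "good", nil
}

func main() {
	ca, _ := NewToyCA("Example CA")
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the end entity's own key pair
	cert, _ := ca.Issue("alice", &k.PublicKey)
	ca.Revoke(cert)
	crl, _ := ca.PublishCRL()
	fmt.Println(CertStatus(crl, ca.Cert, cert.SerialNumber, time.Now())) // revoked <nil>
}
```

The two refusals in CertStatus are the checks a responder must not skip: a CRL that does not verify against the issuer could have been substituted by anyone, and a CRL past nextUpdate may be missing revocations the CA has published since, so "good" from stale data is a false negative rather than an answer.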
=== Registration Authority ===
A Registration Authority is a subsystem that accepts enrollment requests and authenticates them in a local context (e.g., a department of an organization, or an organization within an association). Upon the successful authentication, the RA then forwards the enrollment request to the designated Certificate Authority to generate the certificate.
Depending on the type of enrollment, an RA can be set up with the appropriate authentication plugin to authenticate the request in an automated fashion. Alternatively, the RA has a local request queue where requests can be stored and reviewed by local RA agents for manual authentication.
=== Token Key Service ===
A Token Key Service manages the master and transport keys required to generate and distribute keys for smart cards or tokens. A master key is a Triple Data Encryption Standard (3DES) symmetric key stored either in software or in a hardware token. When supplied with a token's Card Unique ID (CUID), a TKS can derive the three secret keys for that token ‐ the authentication key, the Message Authentication Code (MAC) key, and the key encryption key (KEK) ‐ so the card-specific keys never need to be stored on the server side.
=== Token Processing System ===
The Token Processing System serves as the conduit between the Enterprise Security Client (ESC, also known as Smart Card Manager) and the other subsystems (CA, DRM, TKS) in the Dogtag Certificate System, and is the only means for the client to communicate with those subsystems.
== Use and Deployment ==
=== Dogtag Documentation ===
* [[PKI_Release_Notes|Release Notes]]
* [[PKI_FAQ|Frequently Asked Questions]]
* [[PKI_Architecture|Architecture]]
=== Red Hat Documentation ===
* [http://docs.redhat.com/docs/en-US/index.html Red Hat Documentation]
=== Quick Links ===
* [http://directory.fedoraproject.org Fedora Directory Server]
* [http://directory.fedoraproject.org/wiki/Fortitude Fortitude]
* [http://directory.fedoraproject.org/wiki/CoolKey Coolkey]
* [http://directory.fedoraproject.org/wiki/Windows_Certificate_Auto_Enrollment Windows Certificate Auto Enrollment]
* [http://www.mozilla.org/projects/nspr/ Netscape Portable Runtime (NSPR)]
* [http://www.mozilla.org/projects/security/pki/nss/ Network Security Services (NSS)]
* [http://www.mozilla.org/projects/security/pki/nss/tools Network Security Services Tools (NSS Security Tools)]
* [http://www.mozilla.org/projects/security/pki/jss/ Network Security Services for Java (JSS)]
=== Howtos ===
== Software Developers ==
=== Building and Installing ===
* [[PKI_Building|How to Build Dogtag Certificate System]]
* [[PKI_Install_Guide|Installation Guide]]
* [http://www.admin-magazin.de/content/dogtag-als-public-key-infrastruktur-pki Article on Installation and Configuration (German)]
=== Known Issues ===
* [[PKI_Known_Issues|PKI Known Issues: Problems and Solutions]]
=== Design Docs ===
* [[PKI_Design|Tech Notes]]
* [[PKI_Features|Features]]
* [[Dogtag Future Directions]]
=== How To Docs ===
* [[PKI_How_To|How Tos]]
== Data Storage ==
* A [http://directory.fedoraproject.org Fedora Directory Server] is used for data storage by the CA, DRM, OCSP, TKS, and TPS subsystems.
* An [http://www.sqlite.org SQLite database] is used for data storage by the RA subsystem.
== RFCs ==
Some relevant Requests for Comments (RFCs) that Dogtag Certificate System supports include:
* RFC 2560 - X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP (since obsoleted by RFC 6960)
* RFC 3280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (since obsoleted by RFC 5280)
* RFC 4211 - Internet X.509 Certificate Request Message Format (CRMF)

Latest revision as of 21:54, 7 July 2021

This page has been moved to https://github.com/dogtagpki/pki/wiki.