Installation guide

2.1. Default Port Separation
Starting in Certificate System 8.0, there are three SSL ports, one for each of the user interfaces
(agents, administrators, and end entities). The web application folders are also separated, so each web
service is independent and secure. The pkicreate script has been updated to permit both separated
and non-separated port configurations.
The original RA and TPS standard and SSL ports remain the same, but new SSL ports have been added
for end entities.
NOTE
Port separation was originally introduced in an update to Certificate System 7.3, but the default for
this errata was still to use a single SSL port at installation. In Certificate System 8.0, the default
configuration is to have separate ports.
Table 1. New Port Assignments for Certificate System 8.0
Subsystem  Standard  End-Entity SSL  Agent SSL  Admin SSL  Tomcat
CA         9180      9444            9443       9445       9701
RA         12888     12890           12889      12889      -
OCSP       11180     -               11443      11445      11701
DRM        10180     -               10443      10445      10701
TKS        13180     -               13443      13445      13701
TPS        7888      7890            7889       7889       -
2.2. Changes in the Security Domain
In previous releases of Certificate System, the security domain was maintained in an XML file for the CA,
domain.xml. In Certificate System 8.0, the security domain configuration has been moved to LDAP
entries within the CA's LDAP entry.
2.3. Renamed Directory Paths
In previous releases of Red Hat Certificate System, the subsystem directories had the term rhpki in the
name, such as /etc/rhpki-tps/CS.cfg and /usr/lib/rhpki/native-tools. All directories
have been renamed to use pki instead, such as /etc/pki-tps/CS.cfg.
2.4. Replacing Policy Framework with Profile Framework
The old policy framework for managing certificates was deprecated in Certificate System 7.1 and was
removed entirely for Certificate System 7.2, 7.3, and 8.0. Any certificate enrollments or other operations
must be performed using the new profile framework.
2.5. Removed Bulk Issuance Tools
The bulk issuance tool, bulkissuance, is deprecated in Certificate System 8.0 because it worked with
the deprecated policy framework, not the new profile framework. To perform bulk issuance of certificates,
use the httpclient tool to post the certificate requests to the CA's agent interface. An additional tool,
2. Important Configuration Changes