background image

Plug-Ins Guide

Netscape Certificate Management System

Version 6.0

March 2002

Summary of Contents for Certificate Management System 6.0

Page 1: ...Plug Ins Guide Netscape Certificate Management System Version6 0 March 2002...

Page 2: ...DOCUMENTATION INCLUDING WITHOUT LIMITATION ANY LOSS OR INTERRUPTION OF BUSINESS PROFITS USE OR DATA The Software and documentation are copyright 2001 Sun Microsystems Inc Portions copyright 1999 2002...

Page 3: ...Module 28 Configuration Parameters of UidPwdPinDirAuth 29 NISAuth Plug in Module 35 Configuration Parameters of NISAuth 37 PortalEnroll Plug in Module 42 Configuration Parameters of PortalAuth 45 Cert...

Page 4: ...Constraints 92 DSAKeyRule Rule 94 IssuerConstraints Plug in Module 94 Configuration Parameters of IssuerConstraints 95 IssuerRule Rule 96 KeyAlgorithmConstraints Plug in Module 97 Configuration Parame...

Page 5: ...lug in Module 148 Configuration Parameters of CertificatePoliciesExt 149 CertificatePoliciesExt Rule 152 CertificateRenewalWindowExt Plug in Module 153 Configuration Parameters of CertificateRenewalWi...

Page 6: ...xt 225 PolicyMappingsExt Rule 228 PrivateKeyUsagePeriodExt Plug in Module 228 Configuration Parameters of PrivateKeyUsagePeriodExt 229 RemoveBasicConstraintsExt Plug in Module 230 Configuration Parame...

Page 7: ...sher Publisher 275 LdapCrlPublisher Plug in Module 275 Configuration Parameters of LdapCrlPublisher 276 LdapCrlPublisher Publisher 277 OCSPPublisher Plug in Module 277 Configuration Parameters of OCSP...

Page 8: ...icates 320 Selecting DNs for Certificates 321 DN Patterns and Certificate Subject Names 321 Appendix B Object Identifiers 325 What s an Object Identifier 325 Registration of Object Identifiers 325 App...

Page 9: ...ions 360 Extensions for CRLs 360 authorityKeyIdentifier 361 CRLNumber 361 deltaCRLIndicator 362 issuerAltName 363 issuingDistributionPoint 363 CRL Entry Extensions 364 certificateIssuer 364 holdInstru...

Page 10: ...10 Netscape Certificate Management System Plug Ins Guide March 2002...

Page 11: ...Where to Go for Related Information page 15 What s in This Guide This guide covers topics that are listed below You should use this guide in conjunction with the other CMS documentation such as the on...

Page 12: ...hapter 6 Publisher Plug in Modules Describes the plug in modules that enable you to configure a Certificate Manager to publish certificates to the correct attribute of the located directory entries Ch...

Page 13: ...e of digital certificates in a secure enterprise These include the following topics Encryption and decryption Public keys private keys and symmetric keys Significance of key lengths Digital signatures...

Page 14: ...in the glossary which can be found in CMS Installation and Setup Guide Example Rotation frequency From the drop down list select the interval at which the server should rotate the active error log fi...

Page 15: ...agement System specified during installation The documentation set for Certificate Management System includes the following Managing Servers with Netscape Console Provides background information on ba...

Page 16: ...n this file server_root manual en cert custom_guide contents htm CMS Agent s Guide Provides detailed reference information on CMS agent interfaces To access this information from the Agent Services pa...

Page 17: ...er explains the authentication modules that are installed with the Certificate Manager and Registration Manager it lists and briefly describes the modules and then explains each one in detail The chap...

Page 18: ...ificate issuance repositories such as directories supply part of the end entity information End entities only supply certain information for example a user ID and password contained in the repository...

Page 19: ...an LDAP compliant directory such as Netscape Directory Server with end user data you can use that directory for any of the purposes mentioned above For example if you have an NIS server and LDAP direc...

Page 20: ...llment in Chapter 15 Setting Up End User Authentication of CMS Installation and Setup Guide Keep in mind that in an automated certificate management setup the Certificate Manager and Registration Mana...

Page 21: ...53 Note that the manual authentication method is hardcoded you cannot configure it in any other way This ensures that when the server receives requests that lack authentication credentials it sends th...

Page 22: ...the agent approved request it subjects it to policy processing For details see Chapter 18 Setting Up Policies of CMS Installation and Setup Guide If the request fails any of the configured policies t...

Page 23: ...nt Figure 1 3 User ID and password based authentication of an end user These are the steps shown in Figure 1 3 1 In the directory based certificate enrollment form the end user enters a user ID and pa...

Page 24: ...olicies the server rejects the request logs an error message and sends a rejection notification to the end entity If the request passes all the configured policies the server issues the end user a cer...

Page 25: ...idPwdDirAuth Plug in Module Chapter 1 Authentication Plug in Modules 25 Figure 1 4 Parameters defined in the UidPwdDirAuth module Table 1 2 gives details about each of these parameters and their value...

Page 26: ...er uses E attr mail CN attr cn O dn o C dn c as the DN pattern This default DN pattern works well with Netscape Communicator and other browsers For Communicator if you leave out E in end user certific...

Page 27: ...o which is included in the standard inetOrgPerson object class should be stored in the authentication token and be used to put the user s picture in his or her certificate ldap ldapconn host Specifies...

Page 28: ...cifies LDAP version 2 If your authentication directory is based on Netscape Directory Server 1 x choose 2 3 specifies LDAP version 3 For Directory Server versions 3 x and later choose 3 Example 3 ldap...

Page 29: ...user entries in directories do not contain PINs In order to use the UidPwdPinDirAuth module you must first populate the directory that you intend to use for authentication with unique PINs for users e...

Page 30: ...to remove PINs from the authentication directory after end users successfully authenticate Removing PINs from the directory restricts users from enrolling more than once and thus prevents them from ge...

Page 31: ...syntax is illustrated in the following example E attr mail 1 CN attr cn OU dn ou 2 O dn o C US This sample configuration specifies that the subject name should be formulated as follows E the first ma...

Page 32: ...r use by other modules that is values retrieved from this parameter can be used by policy modules to make certain policy decisions or to add additional information to users certificates For example as...

Page 33: ...r choose 3 default Example 3 ldap ldapauth bindDN Specifies the user entry to bind as when removing PINs from the authentication directory You need to specify this parameter only if you ve selected re...

Page 34: ...or SslClientAuth BasicAuth specifies basic authentication If you choose this option be sure to enter the correct values for ldap ldapauth bindDN and password parameters the server uses the DN from th...

Page 35: ...ch for and retrieve specific LDAP attribute values from the directory The ability of the module to use an LDAP directory to form certificate subject names is useful in cases where the NIS server only...

Page 36: ...1 In the NIS server based certificate enrollment form the end user enters his or her user ID and password for the NIS server and submits the request to a Certificate Manager or Registration Manager 2...

Page 37: ...shown below 30 Dec 1999 18 40 25 0700 conn 0 op 7 RESULT err 32 tag 101 nentries 0 etime 0 3 Next the server subjects the certificate request to policy processing For details see Chapter 18 Setting U...

Page 38: ...values Table 1 4 Description of parameters defined in the NISAuth module Parameter Description nisserver Specifies the NIS server name In Unix use the ypwhich command to find the NIS server name Permi...

Page 39: ...mail CN attr cn O dn o C dn c as the DN pattern This default DN pattern works well with Netscape Communicator and other browsers For Communicator if you leave out E in end user certificates S MIME may...

Page 40: ...n for use by other modules that is values retrieved from this parameter can be used by policy modules to make certain policy decisions or to add additional information to users certificates For exampl...

Page 41: ...lues true or false 2 specifies LDAP version 2 If your directory is based on Netscape Directory Server 1 x choose 2 3 specifies LDAP version 3 For Directory Server versions 3 x and later choose 3 Examp...

Page 42: ...e user name as the only authentication token required to obtain a certificate Uses the information from the enrollment form to create new user entries and update directory entry attributes for unique...

Page 43: ...r then queries the directory for the user name specified by the user and if it doesn t find a match it adds the entry with all the standard LDAP field names that match the directory attributes For exa...

Page 44: ...mailing address and submits the request to the server 2 When the server receives the request it verifies that the required fields contain appropriate information for example the values entered in the...

Page 45: ...gured policies the server rejects the request logs an error message and sends a rejection notification to the end user Note that if this happens the user won t be able to reregister using the same use...

Page 46: ...Plug in Module 46 Netscape Certificate Management System Plug Ins Guide March 2002 Figure 1 9 Parameters defined in the PortalEnroll module Table 1 5 gives details about each of these parameters and...

Page 47: ...s entry OU the second ou value in the user s entry DN O the first o value in the user s entry DN C the string US If this parameter value is empty or not set the server uses E attr mail CN attr cn O dn...

Page 48: ...entries in the portal directory It is recommended that you create and use a separate user account that has permission to create user entries and modify user attributes in the directory For example don...

Page 49: ...f the certificate to be used for SSL client authentication Example BasicAuth ldap basedn Specifies the base DN for searching the portal directory the server uses the value of the uid field from the HT...

Page 50: ...the tokens are ready you make them available to users by some means for example from a vending machine like box in the break room Basically a user can get and use any pre initialized and certificate l...

Page 51: ...a certificate the server verifies the CA that has issued the certificate the user uses for authentication uses the configured directory to formulate the subject name for the new certificate and issues...

Page 52: ...e issuer DN in the authentication certificate must match the issuer DN specified in the policy configuration Here are a few things to keep in mind Enrollment requests for dual certificates must be sub...

Page 53: ...e IssuerRule policy with the correct issuer DN and set the predicate expression so that the rule is applied to client certificates only On the client side you need to do the following Install drivers...

Page 54: ...ab lists only those forms that are associated with the manual enrollment method it does not list the forms provided for the automated enrollment methods However when you create an instance of any of t...

Page 55: ...nk and form filename Description Browser This section lists menu options for end user enrollments Manual ManUserEnroll html End users can use this form to request SSL client and S MIME certificates Re...

Page 56: ...ubject name for the certificate from the directory As explained in PortalEnroll Plug in Module on page 42 if the user ID is unique the server issues a certificate and registers the user automatically...

Page 57: ...der certificate Requests submitted using this form get queued for agent approval Other This section lists menu options for object signing enrollments ObjectSigning PKCS10 ObjSignPKCS10Enroll html Serv...

Page 58: ...ending on the enrollment plug in you want to use for authenticating end users you may need to modify the KEYGEN tags in the following certificate enrollment forms DirPinUserEnroll html DirUserEnroll h...

Page 59: ...z7iB7co04LCa0wDU7Z0x oTwmsd0 name subjectKeyGenInfo 10 Repeat steps 7 through 9 to modify any additional KEYGEN tags 11 Save your changes 12 Next configure the Certificate Manager to accept DSA key ba...

Page 60: ...ctory in which you want the private key file created for example C myKey PVK Be sure to use the PVK extension and to enclose the path in double quotes 7 Optionally you may further edit the form to inc...

Page 61: ...IN CERTIFICATE and END CERTIFICATE to the file 7 Convert the text based certificate to its DER encoded format using the ASCII to Binary tool explained in CMS Command Line Tools Guide For example the c...

Page 62: ...Enrollment Forms 62 Netscape Certificate Management System Plug Ins Guide March 2002...

Page 63: ...tion on the part of users and periodic activities such as updates of related directories This chapter describes the job plug in modules that are provided with Certificate Management System and explain...

Page 64: ...of these notices to agents For more information see RenewalNotificationJob Plug in Module on page 65 RequestInQueueJob A schedulable job that notifies agents at regular intervals of the current state...

Page 65: ...dministrators or issuing agents a summary of users who have received these reminders The RenewalNotificationJob plug in module is a schedulable job When an instance of the job is enabled it checks for...

Page 66: ...resolved Whether a summary will be compiled and sent If a summary is to be sent you can configure the following The recipients of the summary message These can be for example agents who need to know t...

Page 67: ...b is enabled or disabled Check the box to enable the job Uncheck the box to disable the job If you enable the job and set the remaining parameters correctly the server runs the job at scheduled interv...

Page 68: ...ate to be used for formulating the message content Permissible values Template file path including the file name Example usr netscape servers cert testCA emails rnJob1 txt summary enabled Specifies wh...

Page 69: ...as the following default location server_root cert instance_id emails summary emailSubject Specifies the subject line of the summary message Permissible values An alphanumeric string of up to 255 char...

Page 70: ...see Schedule for Executing Jobs on page 76 The sender of the notification messages who will be notified of any delivery problems The file location of the notification email template The subject line...

Page 71: ...ou enable the job and set the remaining parameters correctly the server runs the job at scheduled intervals cron Specifies the cron specification for when this job should be run This is the time at wh...

Page 72: ...to set the remaining parameters these are required by the server to send the summary report summary emailSubject Specifies the subject line of the summary message Permissible values An alphanumeric s...

Page 73: ...iguration The job constructs the summary message by using a template located in a configured directory This directory has the following default location server_root cert instance_id emails You can con...

Page 74: ...ting Up LDAP Publishing of CMS Installation and Setup Guide Configuration Parameters of UnpublishExpiredJob In the CMS configuration file the UnpublishExpiredJob module is identified as jobsScheduler...

Page 75: ...check the box be sure to set the remaining parameters these are required by the server to send the summary report summary emailSubject Specifies the subject line of the summary message Permissible val...

Page 76: ...field can contain an asterisk rather than an integer Day fields can contain a comma separated list of values For example the following time entry specifies every hour at 15 minutes 1 15 2 15 3 15 and...

Page 77: ...ls directory of a CMS instance This directory has the following default location server_root cert instance_id emails Both text an HTML templates are included by default They are listed in Table 2 6 Te...

Page 78: ...hJobItem Template for formatting the items to be included in the summary table which is constructed using the ExpiredUnpublishJob template Templates for RequestInQueueJob module riq1Item html Template...

Page 79: ...RENEWAL NOTIFICATION Your certificate will expire soon Serial Number SerialNumber SubjectDN SubjectDN IssuerDN IssuerDN Validity Period NotBefore NotAfter To renew your certificate please follow this...

Page 80: ...r of items in the summary report succeeded Table 2 8 Tokens for items in renewal notification job s summary report Token Description CertType Specifies the type of certificate whether SSL client clien...

Page 81: ...ival or key recovery request SerialNumber Specifies the serial number of the certificate the serial number will be displayed as a hexadecimal value in the resulting message Status Specifies whether th...

Page 82: ...ectory in the summary report SummaryTotalSuccess Specifies how many of the total number of items in the summary report succeeded Table 2 11 Tokens for items in the unpublish expired job s summary repo...

Page 83: ...overn the server s certificate generation and management operations The modules are categorized based on their functionality into two groups constraints specific policy modules and extension specific...

Page 84: ...lug in modules help you define rules or constraints that Certificate Management System uses to evaluate an incoming certificate enrollment renewal or revocation request Each module enables you to conf...

Page 85: ...pter 18 Setting Up Policies of CMS Installation and Setup Guide Keep in mind that the changes made to a request by a Registration Manager may be overwritten by a Certificate Manager when it subjects t...

Page 86: ...ewalValidityConstraints Plug in Module on page 102 RevocationConstraints Allows or rejects requests for revocation of expired certificates For details see RevocationConstraints Plug in Module on page...

Page 87: ...tribute parameter does not have the specified value the policy rejects the request In the case of multi valued attributes the request will be accepted if any of the values matches the specified value...

Page 88: ...e specified LDAP directory Table 3 2 describes each of the parameters Table 3 2 Description of parameters defined in the AttributePresentConstraints module Parameter Description enable Specifies wheth...

Page 89: ...apconn secureConn Specifies the type SSL or non SSL of the port at which the LDAP directory listens to requests from Certificate Management System Check the box if the port is an SSL HTTPS port If you...

Page 90: ...ion default If you choose this option be sure to enter the correct values for ldap ldapauth bindDN and password parameters the plug in uses the DN from the ldap ldapauth bindDN attribute to bind to th...

Page 91: ...to do so using the policy During installation Certificate Management System automatically creates an instance of the DSA key constraints policy See DSAKeyRule Rule on page 94 ldap ldapconn maxConns Sp...

Page 92: ...a prefix identifying the subsystem In the CMS window the module is identified as DSAKeyConstraints Figure 3 3 shows how configurable parameters for the module are displayed in the CMS window Figure 3...

Page 93: ...t be smaller than or equal to the one specified by the maxSize parameter In general a longer key size results in a key pair that is more difficult to crack You may want to enforce a minimum length to...

Page 94: ...llation and Setup Guide For instructions on adding additional instances see section Step 4 Add New Policy Rules in the same chapter IssuerConstraints Plug in Module The IssuerConstraints plug in modul...

Page 95: ...S window the module is identified as IssuerConstraints Figure 3 4 shows how the configurable parameters for the module are displayed in the CMS window Figure 3 4 Parameters of the IssuerConstraints mo...

Page 96: ...le the rule default Uncheck the box to disable the rule If you enable the rule and set the remaining parameters correctly the server checks for certificates issued by the specified CA and enforces cer...

Page 97: ...his policy allows you to set restrictions on the types of public keys certified by Certificate Management System You may apply this policy to end entity certificate enrollment and renewal requests For...

Page 98: ...ecifies whether the rule is enabled or disabled Check the box to enable the rule default Uncheck the box to disable the rule If you enable the rule and set the remaining parameters correctly the serve...

Page 99: ...n the same chapter RenewalConstraints Plug in Module The RenewalConstraints plug in module implements the renewal constraints policy This policy imposes constraints on renewal of expired certificates...

Page 100: ...l renew all expired certificates that are submitted for renewal During installation Certificate Management System automatically creates an instance of the renewal constraints policy See RenewalConstra...

Page 101: ...the rule and set the remaining parameters correctly the server verifies the validity period of the certificate being renewed checks the value assigned to the allowExpiredCerts parameter and according...

Page 102: ...PKI using system beyond this validity period the entity owning the certificate must renew the certificate the new certificate generally contains a new validity time period and some updated attributes...

Page 103: ...es For example if the CA signing certificate expires on June 10 2004 any renewal request with validity period beyond June 10 2004 will have validity period truncated to end on June 10 2004 However you...

Page 104: ...d in the RenewalValidityConstraints module Parameter Description enable Specifies whether the rule is enabled or disabled Check the box to enable the rule default Uncheck the box to disable the rule I...

Page 105: ...details on individual parameters defined in the rule see Table 3 7 on page 104 You need to review this rule and make the changes appropriate for your PKI setup For instructions see section Step 2 Mod...

Page 106: ...figure the server accordingly using the policy During installation Certificate Management System automatically creates an instance of the revocation constraints policy See Configuration Parameters of...

Page 107: ...whether the rule is enabled or disabled Check the box to enable the rule default Uncheck the box to disable the rule If you enable the rule and set the remaining parameters correctly the server verif...

Page 108: ...ertificate Management System 512 1024 or 2048 In other words the policy allows you to set up restrictions on the lengths of public keys certified by Certificate Management System You may apply this po...

Page 109: ...ion enable Specifies whether the rule is enabled or disabled Check the box to enable the rule default Uncheck the box to disable the rule If you enable the rule and set the remaining parameters correc...

Page 110: ...u may want to allow a minimum length to ensure a minimum level of security Permissible values 512 1024 or 2048 You may also enter a custom key size that is between 512 and 2048 bits The default value...

Page 111: ...thms supported by Certificate Management System MD2 with RSA MD5 with RSA and SHA 1 with RSA if the Certificate Manager s signing key is RSA and SHA 1 with DSA if the Certificate Manager s signing key...

Page 112: ...s where subsystem is ca or ra prefix identifying the subsystem In the CMS window the module is identified as SigningAlgorithmConstraints Figure 3 10 shows how the configurable parameters for the modul...

Page 113: ...ndow predicate Specifies the predicate expression for this rule If you want the rule to be applied to all certificate requests leave the field blank default To form a predicate expression see section...

Page 114: ...tional instances see section Step 4 Add New Policy Rules in the same chapter SubCANameConstraints Plug in Module The SubCANameConstraints plug in module implements the subordinate CA name constraints...

Page 115: ...s In the CMS window the module is identified as SubCANameConstraints Figure 3 11 shows how configurable parameters for the module are displayed in the CMS window Figure 3 11 Parameters of the SubCANam...

Page 116: ...ns on adding additional instances see section Step 4 Add New Policy Rules in the same chapter Table 3 11 Description of parameters defined in the SubCANameConstraints module Parameter Description enab...

Page 117: ...s to own multiple certificates each for a different use all having the same subject name you can do so easily using the enableKeyUsageExtensionChecking parameter defined in this policy This parameter...

Page 118: ...he rule is enabled or disabled Check the box to enable the rule Uncheck the box to disable the rule default If you enable the rule and set the remaining parameters correctly the server checks the cert...

Page 119: ...agent approves the request Check the box if you want the server to check the certificate request for the Key Usage extension If you check the box the server checks its internal database for certifica...

Page 120: ...e section Step 2 Modify Existing Policy Rules in Chapter 18 Setting Up Policies of CMS Installation and Setup Guide For instructions on adding additional instances see section Step 4 Add New Policy Ru...

Page 121: ...t to 1 25 p m would have passed however You may apply this policy to end entity certificate enrollment requests It can be useful to restrict the length of the validity period for certificates issued b...

Page 122: ...on Certificate Management System automatically creates an instance of the validity constraints policy See DefaultValidityRule Rule on page 125 Configuration Parameters of ValidityConstraints In the CM...

Page 123: ...y the predicate parameter If you disable the rule the server does not set the configured validity period in certificates it sets the validity period to the one specified in the request predicate Speci...

Page 124: ...of the lagTime in the past relative to the time when the policy is run The notBefore attribute value specifies the date on which the certificate validity ends validity dates through the year 2049 are...

Page 125: ...alidity 1 The maximum validity period allowed for certificates is 365 days maxValidity 365 The lead time allowed is 10 minutes leadTime 10 The lag time allowed is 10 minutes lagTime 10 The the number...

Page 126: ...ValidityConstraints Plug in Module 126 Netscape Certificate Management System Plug Ins Guide March 2002...

Page 127: ...of Extension Specific Policy Modules page 128 AuthInfoAccessExt Plug in Module page 132 AuthorityKeyIdentifierExt Plug in Module page 141 BasicConstraintsExt Plug in Module page 144 CertificatePolici...

Page 128: ...a particular extension to a certificate request Plug in modules are implemented as Java classes and are registered in the CMS policy framework The Policy Plugin Registration tab of the CMS window Fig...

Page 129: ...eyIdentifierExt BasicConstraintsExt NameConstraintsExt PolicyConstraintsExt PolicyMappingsExt You can use these modules to configure a Certificate Manager and Registration Manager to add extensions to...

Page 130: ...see CertificateScopeOfUseExt Plug in Module on page 158 CRLDistributionPointsExt Adds the CRL Distribution Points extension to certificates For details see CRLDistributionPointsExt Plug in Module on p...

Page 131: ...of Java Docs at this location server_root cms_sdk cms_jdk javadocs PolicyConstraintsExt Adds the Policy Constraints extension to certificates For details see PolicyConstraintsExt Plug in Module on pag...

Page 132: ...CA that has issued the certificate in which the extension appears Note that this extension should not be used to point directly to the CRL location maintained by a CA the CRL Distribution Points exten...

Page 133: ...it must use the OCSP protocol to access the location that contains additional information about the CA that has issued the certificate You should use the ocsp method when you want to reference to the...

Page 134: ...Configuration Parameters of AuthInfoAccessExt In the CMS configuration file the AuthInfoAccessExt module is identified as subsystem Policy impl AuthInfoAccessExt class com netscape cms policy AuthInf...

Page 135: ...xample com 8000 The extension is marked noncritical to comply with the PKIX recommendation Table 4 2 gives details about the configurable parameters defined in the AuthInfoAccessExt module Table 4 2 D...

Page 136: ...ng the value assigned to this parameter there s no restriction on the total number of locations you can include in the extension Note that each location has its own set of configuration parameters and...

Page 137: ...t rfc822Name if the location is an Internet mail address Select directoryName if the location is an X 500 directory name Select dNSName if the location is a DNS name Select ediPartyName if the locatio...

Page 138: ...cted directoryName the value must be a string form of X 500 name similar to the subject name in a certificate in the RFC 2253 syntax see http www ietf org rfc rfc2253 txt Note that RFC 2253 replaces R...

Page 139: ...version 6 IPv6 the address should be in the form described in RFC 1884 http www ietf org rfc rfc1884 txt with netmask separated by a comma Examples of IPv6 addresses with no netmask are 0 0 0 0 0 0 13...

Page 140: ...the CA that has issued the certificate in which the extension appears is set to URL ad0_location_type URL The address or location to get additional information about the CA that has issued the certifi...

Page 141: ...orrect key to use in situations when multiple keys exist the extension specifies the public key to be used to verify the signature on the certificate For general guidelines on setting the authority ke...

Page 142: ...al enrollments after an agent approves the enrollment request the policy accepts any authority key identifier extension that is already there During installation Certificate Management System automati...

Page 143: ...t ignores the values in the remaining fields predicate Specifies the predicate expression for this rule If you want this rule to be applied to all certificate requests leave the field blank default To...

Page 144: ...r 18 Setting Up Policies of CMS Installation and Setup Guide For instructions on adding additional instances see section Step 4 Add New Policy Rules in the same chapter BasicConstraintsExt Plug in Mod...

Page 145: ...icy again If there s a change in the configuration of the basic constraints extension the server may reject the agent approved request For the server to approve the request the user will have to resub...

Page 146: ...xtension to certificates it ignores the values in the remaining fields predicate Specifies the predicate expression for this rule If you want this rule to be applied to all certificate requests leave...

Page 147: ...r n Make sure that the value you choose is less than the path length specified in the Basic Constraints extension of the CA signing certificate owned by the CA that will issue these certificates 0 spe...

Page 148: ...e has been issued and identifying the purposes for which the certificate may be used Presence of this extension in certificates enables an application with specific policy requirements to compare its...

Page 149: ...email messages from an employee To see an example of a CPS check this site http people netscape com shadow cps html A textual user notice which the application validating the certificate can interpret...

Page 150: ...fies whether the rule is enabled or disabled Check the box to enable the rule default If you enable the rule and set the remaining parameters correctly the server adds the certificate policies extensi...

Page 151: ...mber in the certificate by extracting the notice text that corresponds to the number from the file and display it to the relying party Permissible values A unique valid OID specified in dot separated...

Page 152: ...stances see section Step 4 Add New Policy Rules in the displayText Specifies the textual statement to be included in certificates this parameter corresponds to the explicitText field of the user notic...

Page 153: ...ir with a new validity time period and updated attributes Once a certificate is issued the owner of the certificate may attempt its renewal any time To prevent certificate owners from renewing their c...

Page 154: ...which reminds users to renew their certificates before they expire The renewal constraints policy which determines whether expired certificates can be renewed see RenewalConstraints Plug in Module on...

Page 155: ...WindowExt module Parameter Description enable Specifies whether the rule is enabled or disabled Check the box to enable the rule default If you enable the rule and set the remaining parameters correct...

Page 156: ...will be set to the time of certificate issuance n specifies a future time for certificate renewal the beginTime field of the extension will be set to the specified time since certificate issuance You...

Page 157: ...inutes hours days or months Use the following suffixes to indicate the time unit s seconds m minutes h hours D days M months For example if you re issuing certificates with a validity period of two ye...

Page 158: ...itself to the server This information may include the name and key information contained in the certificate It also releases the information that the client holds a certificate from a particular CA Th...

Page 159: ...s ca or ra prefix identifying the subsystem In the CMS window the module is identified as CertificateScopeOfUseExt Figure 4 7 shows how the configurable parameters for the module are displayed in the...

Page 160: ...he extension should be marked critical or noncritical in certificates specified by the predicate parameter Check the box if you want the server to mark the extension critical Uncheck the box if you wa...

Page 161: ...rfc822Name the value must be a valid Internet mail address in the local part domain format see the definition of an rfc822Name as defined in RFC 822 http www ietf org rfc rfc0822 txt You may use upper...

Page 162: ...escribed in RFC 1884 http www ietf org rfc rfc1884 txt with netmask separated by a comma Examples of IPv6 addresses with no netmask are 0 0 0 0 0 0 13 1 68 3 and FF01 43 Examples of IPv6 addresses wit...

Page 163: ...RL or both Note that in the current implementation the policy supports only two name forms for distribution points X 500 Directory Name and URI URIs described in this document support two CRL retrieva...

Page 164: ...ld set the CRL distribution point extension in router certificates the CRL location is a X 500 directory Table 4 8 gives details about each of these parameters Table 4 8 Description of parameters defi...

Page 165: ...eld is set to 3 and the UI shows fields for configuring three distribution points You can change the total number of distribution points by changing the value assigned to this parameter there s no res...

Page 166: ...pe attribute must be RelativeToIssuer pointType n Specifies the type of the CRL distribution point Permissible values DirectoryName URI or RelativeToIssuer The type you select must correspond to the v...

Page 167: ...n point Permissible values Any supported name forms By default the name can be in any of the following formats An X 500 directory name in the RFC 2253 syntax see http www ietf org rfc rfc2253 txt note...

Page 168: ...or more purposes in addition to or in place of the basic purposes indicated in the key usage extension for which the certified public key may be used For example if the key usage extension identifies...

Page 169: ...should be created with only the EFS OID not the recovery OID For general guidelines on setting the extended key usage extension in certificates see extKeyUsage on page 344 The extended key usage exten...

Page 170: ...re subsystem is ca or ra prefix identifying the subsystem In the CMS window the module is identified as ExtendedKeyUsageExt Figure 4 9 shows how the configurable parameters for the module are displaye...

Page 171: ...hould be marked critical or noncritical in certificates specified by the predicate parameter Check the box if you want the server to mark the extension critical default Uncheck the box if you want the...

Page 172: ...in the rule see Table 4 10 on page 171 You need to review this rule and make the changes appropriate for your PKI setup For instructions see section Step 2 Modify Existing Policy Rules in Chapter 18...

Page 173: ...er certificate indicating that the associated key can be used for signing OCSP responses Here s some background information that will help you understand why you should set this extension in OCSP resp...

Page 174: ...and it enables OCSP compliant applications to identify the responder as a CA designated responder a responder authorized to sign OCSP responses for all certificates issued by the CA The special marki...

Page 175: ...ed extension values The resulting extension would look similar to the way a standard extension appears in certificates as defined in RFC 2459 Extension SEQUENCE extnID OBJECT IDENTIFIER critical BOOLE...

Page 176: ...E SET or ASN 1 tagging During installation Certificate Management System automatically creates an instance of the generic ASN 1 extension policy See GenericASN1Ext Rule on page 181 Configuration Param...

Page 177: ...in 1st sequence 437 04 10 OCTET STRING 11 22 33 44 A0 B0 C0 D0 E0 F0 449 30 37 SEQUENCE 451 17 13 UTCTime 000406070000Z 466 30 8 SEQUENCE 468 01 1 BOOLEAN TRUE 471 06 3 OBJECT IDENTIFIER 2 4 5 100 476...

Page 178: ...critical if you want your certificates supported by other applications Other applications most likely will not understand your extension name Specifies the name of the extension The name is displayed...

Page 179: ...t Integer for extensions that have ASN 1 INTEGER values default It s case insensitive and accepts an integer in decimal notation as value Select IA5String for extensions that have ASN 1 IA5String valu...

Page 180: ...c attribute The value of n can be 0 to 9 Permissible values Depends on the data type and source you selected If the data type is Integer enter an integer in decimal notation as value For example 12345...

Page 181: ...Policies of CMS Installation and Setup Guide For instructions on adding additional instances see section Step 4 Add New Policy Rules in the same chapter IssuerAltNameExt Plug in Module The IssuerAltNa...

Page 182: ...e of the IssuerAltNameExt module and configure it For instructions see section Step 4 Add New Policy Rules in Chapter 18 Setting Up Policies of CMS Installation and Setup Guide Configuration Parameter...

Page 183: ...ies of CMS Installation and Setup Guide Example HTTP_PARAMS certType ca critical Specifies whether the extension should be marked critical or noncritical in certificates specified by the predicate par...

Page 184: ...name is in any other name form Example rfc822Name generalName n general NameValue Specifies the general name value for the alternative name you want to include in the extension Permissible values Dep...

Page 185: ...form specified in RFC 791 http www ietf org rfc rfc0791 txt IPv4 address must be in the n n n n format for example 128 21 39 40 IPv4 address with netmask must be in the n n n n m m m m format For exam...

Page 186: ...termined purposes The key usage extension is a string of boolean bit flags each bit identifying the purpose for which a key is to be used Table 4 13 lists the bits and their designated purposes You ca...

Page 187: ...Management System automatically creates multiple instances of the key usage extension policy suitable for various types of certificates that you may want the server to issue The default instances are...

Page 188: ...riables that correspond to the key usage bits By default only variables that correspond to key usage bits that need to be set are included in the form Typically you won t have to change the key usage...

Page 189: ...odule are displayed in the CMS window Figure 4 12 Parameters defined in the KeyUsageExt module The configuration shown in Figure 4 12 creates a policy rule named KeyUsageExtForClientCert which enforce...

Page 190: ...ession see section Using Predicates in Policy Rules in Chapter 18 Setting Up Policies of CMS Installation and Setup Guide Example HTTP_PARAMS certType client critical Specifies whether the extension s...

Page 191: ...et the bit default Select false if you don t want the server to set the bit Select HTTP_INPUT if you want the server to check the certificate request for the HTTP input variable corresponding to the k...

Page 192: ...t the server to set the bit default Select false if you don t want the server to set the bit Select HTTP_INPUT if you want the server to check the certificate request for the HTTP input variable corre...

Page 193: ...default Select false if you don t want the server to set the bit Select HTTP_INPUT if you want the server to check the certificate request for the HTTP input variable corresponding to the encipherOnl...

Page 194: ...e Certificate Manager enrollment form RMCertKeyUsageExt Rule The policy rule named RMCertKeyUsageExt is an instance of the KeyUsageExt module This rule is for setting the appropriate key usage bits in...

Page 195: ...d ServerCertKeyUsageExt is an instance of the KeyUsageExt module This rule is for setting the appropriate key usage bits in SSL server certificates By default the rule is configured as follows The rul...

Page 196: ...ertificate requests The extension is marked noncritical to comply with the PKIX recommendation The server is configured to set digitalSignature nonRepudiation and keyEncipherment key usage bits in SSL...

Page 197: ...n bits in the directory based enrollment form Keep in mind that for requesting client certificates there are many enrollment forms You may be using a combination of them Certificate based enrollment f...

Page 198: ...sageExt is an instance of the KeyUsageExt module This rule is for setting the appropriate key usage bits in object signing certificates By default the rule is configured as follows The rule is enabled...

Page 199: ...9 see http www ietf org rfc rfc2459 txt to certificates The extension is used in CA certificates to indicate a name space within which subject names or subject alternative names in subsequent certific...

Page 200: ...aintsExt In the CMS window the module is identified as NameConstraintsExt Figure 4 18 shows how the configurable parameters for the module are displayed in the CMS window Figure 4 18 Parameters define...

Page 201: ...sion should be marked critical or noncritical in certificates specified by the predicate parameter Check the box if you want the server to mark the extension critical default Uncheck the box if you wa...

Page 202: ...luded subtrees can be contained in the extension n specifies the total number of excluded subtrees to be included in the extension it must be an integer greater than zero The default value is 8 Exampl...

Page 203: ...3 txt Note that RFC 2253 replaces RFC 1779 For example CN SubCA OU Research Dept O Example Corporation C US If you selected dNSName the value must be a valid domain name in the preferred name syntax a...

Page 204: ...and FF01 43 FFFF FFFF FFFF FFFF FFFF FFFF FF00 0000 If you selected OID the value must be a unique valid OID specified in dot separated numeric component notation Although you can invent your own OID...

Page 205: ...subtree is a DNS name Select ediPartyName if the subtree is a EDI party name Select URL if the subtree is a uniform resource locator Select iPAddress if the subtree is an IP address Select OID if the...

Page 206: ...hat is the name must include both a scheme for example http and a fully qualified domain name or IP address of the host For example http testCA example com If you selected iPAddress the value must be...

Page 207: ...otherName the value must be the absolute path to the file that contains the base 64 encoded string of the subtree For example usr netscape servers ext nc othername txt excludedSubtrees n min Specifies...

Page 208: ...dding additional instances see section Step 4 Add New Policy Rules in the same chapter NSCCommentExt Plug in Module The NSCCommentExt plug in module implements the Netscape certificate comment extensi...

Page 209: ...dentifying the subsystem In the CMS window the module is identified as NSCCommentExt Figure 4 19 shows how the configurable parameters for the module are displayed in the CMS window Figure 4 19 Parame...

Page 210: ...TTP_PARAMS certType client critical Specifies whether the extension should be marked critical or noncritical in certificates specified by the predicate parameter Check the box if you want the server t...

Page 211: ...s in Chapter 18 Setting Up Policies of CMS Installation and Setup Guide For instructions on adding additional instances see section Step 4 Add New Policy Rules in the same chapter displayText Specifie...

Page 212: ...ape certificate type extension is a string of boolean bit flags each bit identifying the purpose for which a certificate to be used Table 4 18 lists the bits and their designated purposes The extensio...

Page 213: ...on are to be set on the client side you specify whether to add the extension by enabling the Netscape certificate type extension policy and which bits are to be set by adding the appropriate HTTP vari...

Page 214: ...ssl_client and email indicating that these bits be set in certificates requested using this form Figure 4 20 Netscape certificate type extension specific variables in enrollment forms Note that the de...

Page 215: ...where subsystem is ca or ra prefix identifying the subsystem In the CMS window the module is identified as NSCertTypeExt Figure 4 21 shows how the configurable parameters for the module are displayed...

Page 216: ...rtificate request and the status of the setDefaultBits parameter predicate Specifies the predicate expression for this rule If you want this rule to be applied to all certificate requests leave the fi...

Page 217: ...ule The OCSPNoCheckExt plug in module implements the OCSP no check extension policy This policy enables you to configure Certificate Management System to add the OCSP No Check Extension defined in X 5...

Page 218: ...CSP responder a certificate with the OCSP no check extension which indicates that the certificate can be trusted by the clients for its lifetime The OCSP no check policy of Certificate Management Syst...

Page 219: ...class com netscape cms policy OCSPNoCheckExt where subsystem is ca or ra prefix identifying the subsystem In the CMS window the module is identified as OCSPNoCheckExt Figure 4 22 shows how the config...

Page 220: ...the same chapter Table 4 21 Description of parameters defined in the OCSPNoCheckExt module Parameter Description enable Specifies whether the rule is enabled or disabled Check the box to enable the ru...

Page 221: ...509 definition The policy allows you to specify both requireExplicitPolicy and inhibitPolicyMapping fields PKIX standard requires that if present in a CA certificate the extension must never consist o...

Page 222: ...whether the rule is enabled or disabled Check the box to enable the rule default Uncheck the box to disable the rule If you enable the rule and set the remaining parameters correctly the server adds...

Page 223: ...ifies that the field should not be set in the extension default 0 specifies that no subordinate CA certificates are permitted in the path before an explicit policy is required n must be an integer tha...

Page 224: ...ule and make the changes appropriate for your PKI setup For instructions see section Step 2 Modify Existing Policy Rules in Chapter 18 Setting Up Policies of CMS Installation and Setup Guide For instr...

Page 225: ...rDomainPolicy equivalent to the subjectDomainPolicy of the subject CA The issuing CA s users may accept an issuerDomainPolicy for certain applications The policy mapping tells these users which polici...

Page 226: ...ectly the server adds the policy mappings extension to certificates specified by the predicate parameter If you disable the rule the server does not add the extension to certificates it ignores the va...

Page 227: ...ust be a integer greater than zero The default value is 1 Example 2 policyMap n issuerDomainPolicy Specifies the OID assigned to the policy statement n of the issuing CA that you want to map with the...

Page 228: ...setup For instructions see section Step 2 Modify Existing Policy Rules in Chapter 18 Setting Up Policies of CMS Installation and Setup Guide For instructions on adding additional instances see sectio...

Page 229: ...guration Parameters of PrivateKeyUsagePeriodExt In the CMS configuration file the PrivateKeyUsagePeriodExt module is identified as subsystem Policy impl PrivateKeyUsagePeriodExt class com netscape cms...

Page 230: ...you disable the rule the server does not add the extension to certificates it ignores the values in the remaining fields predicate Specifies the predicate expression for this rule If you want this ru...

Page 231: ...n file the RemoveBasicConstraintsExt module is identified as ca Policy impl RemoveBasicConstraintsExt class com netscape cms policy RemoveBasicConstraintsExt In the CMS window the module is identified...

Page 232: ...Certificate Management System enables you to include values of certificate request attributes in the extension You can include any number of attributes as long as the attribute values conform to any o...

Page 233: ...e servlet level and set on the request before the request is passed to the policy subsystem In general you can configure which attributes should or shouldn t be stored in the request for example you c...

Page 234: ...entified as SubjectAltNameExt Figure 4 27 shows how the configurable parameters for the module are displayed in the CMS window Figure 4 27 Parameters defined in the SubjectAltNameExt module The config...

Page 235: ...d be marked critical or noncritical in certificates specified by the predicate parameter Check the box if you want the server to mark the extension critical Uncheck the box if you want the server to m...

Page 236: ...format default For example jdoe example com Select directoryName if the request attribute value is an X 500 directory name similar to the subject name in a certificate For example CN Jane Doe OU Sale...

Page 237: ...me is in the rfc822Name format generalName0 generalNameChoice rfc822Name The second alternative name is the value of the mailalternateaddress attribute in the certificate subject s directory entry gen...

Page 238: ...ut value that gets added to the request when a user uses the manual enrollment form for details see Enrollment Forms on page 53 If you enable the default policy rule the server automatically checks th...

Page 239: ...y attributes For details on defining new attributes see Extending Attribute Support on page 314 Note that during installation Certificate Management System does not create an instance of the subject d...

Page 240: ...e 4 27 provides details for each of these parameters Table 4 27 Description of parameters defined in the SubjectDirectoryAttributesExt module Parameter Description enable Specifies whether the rule is...

Page 241: ...must specify appropriate values for both otherwise the policy rule will return an error You can configure the server to include up to three attributes in the extension By default this field is set to...

Page 242: ...tity certificates the extension provides a means for identifying certificates containing the particular public key used in an application If an end entity has multiple certificates especially from mul...

Page 243: ...y subclassing the policy and overriding the following method formKeyIdentifier X509CertInfo certInfo IRequest req For details check the CMS SDK installed at this location server_root cms_sdk cms_jdk j...

Page 244: ...hould set the subject key identifier extension in all certificates Table 4 28 provides details for each of these parameters Table 4 28 Description of configuration parameters defined in the SubjectKey...

Page 245: ...expression see section Using Predicates in Policy Rules in Chapter 18 Setting Up Policies of CMS Installation and Setup Guide Example HTTP_PARAMS certType ca critical Specifies whether the extension...

Page 246: ...if you re planning to issue multiple certificates to an end entity and want to assist applications in identifying the appropriate end entity certificate you should consider modifying the predicate ex...

Page 247: ...entry in the repository the Certificate Manager relies on object mapping rules and to update the located entry with relevant information the Certificate Manager relies on object publishing rules To en...

Page 248: ...e specific rules to map or locate a specific entry such as a CA s entry or an end entity s entry in a specified directory once the correct entry is located the server publishes the certificate or CRL...

Page 249: ...ory For details see LdapCaSimpleMap Plug in Module on page 250 LdapDNCompsMap Maps a certificate to a directory entry by formulating the entry s DN from components such as CN OU O and C in the certifi...

Page 250: ...configure a Certificate Manager to automatically create an entry for the CA in an LDAP directory and then map the CA s certificate to the directory entry by formulating the entry s DN from components...

Page 251: ...ldbm conf file This setting prevents the directory from having two entries with the same UID under that base DN For example it prevents the directory from having two entries under O example com with...

Page 252: ...ng Up LDAP Publishing of CMS Installation and Setup Guide Configuration Parameters of LdapCaSimpleMap In the CMS configuration file the LdapCaSimpleMap module is identified as ca publish mapper impl L...

Page 253: ...se to construct the DN in order to search for the CA s entry in the publishing directory The value of dnPattern can be a list of AVAs separated by commas An AVA can be a variable such as CN subj cn th...

Page 254: ...ectory By default the mapper is configured to create an entry for the CA in the directory and the default DN pattern for locating the CA s entry is as follows UID subj cn OU people O subj o LdapDNComp...

Page 255: ...in this directory server_root cms_sdk cms_jdk samples mappers The discussion below explains how mapping by DN components works It is recommended that you read this before configuring a Certificate Man...

Page 256: ...eading the DN attribute values from the certificate and uses the DN as the base for searching the directory CN Jane Doe OU Sales O Example Corporation C US Note the following A subject name does not n...

Page 257: ...tribute One entry s UID value is janedoe1 and the other entry s UID value is janedoe2 Because the UID attribute corresponds to the UID component in a DN you can set up the subject names of certificate...

Page 258: ...both the formed DN and base DN are null the server logs an error If the filter is null the server uses the baseDN value for the search If both the filter and base DN are null the server logs an error...

Page 259: ...r uses the filterComps values to form an LDAP search filter for the subtree The server constructs the filter by gathering values for these attributes from the certificate subject name it uses the filt...

Page 260: ...this UID jdoe O Example Corporation C US When searching the directory for the entry the Certificate Manager only searches for an entry whose DN is this UID jdoe O Example Corporation C US If no matchi...

Page 261: ...rectory documentation The simple mapper requires you to specify just one parameter which is named dnPattern The value of dnPattern can be a list of AVAs separated by commas An AVA can be a variable su...

Page 262: ...ails see LdapUserCertMap Mapper on page 263 It is important that you review and customize this mapper For instructions on modifying mappers or creating new mappers section Configuring a Certificate Ma...

Page 263: ...oe OU people O Example Corporation LdapSubjAttrMap Plug in Module The LdapSubjAttrMap plug in module implements the subject attribute mapper This mapper enables you to configure a Certificate Manager...

Page 264: ...n and Setup Guide Configuration Parameters of LdapSubjAttrMap In the configuration file the LdapSubjAttrMap module is identified as ca publish mapper impl LdapSubjAttrMap class com netscape cms publis...

Page 265: ...Parameter Description certSubjNameAttr Specifies the name of the LDAP attribute that contains a certificate subject name as its value Permissible values Must be certSubjectName Example certSubjectName...

Page 266: ...LdapSubjAttrMap Plug in Module 266 Netscape Certificate Management System Plug Ins Guide March 2002...

Page 267: ...mapping rules and to update the located entry with relevant information the Certificate Manager relies on object publishing rules To enable you to construct object publishing rules the Certificate Ma...

Page 268: ...ault the Certificate Manager provides publisher modules for publishing the CA certificate end entity certificates and CRLs Plug in modules are implemented as Java classes and are registered in the CMS...

Page 269: ...cates and CRLs to a flat file for exporting into other repositories For details see FileBasedPublisher Plug in Module on page 270 LdapCaCertPublisher Publishes or unpublishes a certificate to the caCe...

Page 270: ...ting the certificates and CRLs into any other repository By default the Certificate Manager does not create an instance of the FileBasedPublisher module The instructions covered in Chapter 20 Publishi...

Page 271: ...attribute of the mapped directory entry the mapper must locate the correct entry so the publisher can publish the certificate to the specified attribute The certificate is published as a DER encoded b...

Page 272: ...her In the CMS window the module is identified as LdapCaCertPublisher Figure 6 3 shows how the configurable parameters for the module are displayed in the CMS window Figure 6 3 Parameters defined in t...

Page 273: ...ed directory entry the mapper must locate the correct entry so the publisher can publish the certificate to the specified attribute The certificate is published as a DER encoded binary blob You can us...

Page 274: ...scape cms publish LdapUserCertPublisher In the CMS window the module is identified as LdapUserCertPublisher Figure 6 4 shows how the configurable parameters for the module are displayed in the CMS win...

Page 275: ...mapped directory entry the configured mapper must locate the CA s entry so that the publisher can publish the CRL to the certificateRevocationList binary attribute The CRL is published as a DER encod...

Page 276: ...entified as LdapCrlPublisher Figure 6 5 shows how the configurable parameters for the module are displayed in the CMS window Figure 6 5 Parameters defined in the LdapCrlPublisher module Table 6 4 desc...

Page 277: ...ents the OCSP publisher This module enables you to configure a Certificate Manager to publish its CRLs to a Online Certificate Status Manager the OCSP responder provided by Certificate Management Syst...

Page 278: ...ate Status Manager Permissible values Must be the fully qualified hostname of a Online Certificate Status Manager in this form machine _name your_domain com Example ocspResponder example com port Spec...

Page 279: ...tain CRL extensions To enable you to add these extensions to the CRL it generates the Certificate Manager provides a set of plug in modules These modules are implemented as Java classes and are regist...

Page 280: ...l the modules that are registered with a Certificate Manager When deciding whether to add CRL extensions keep in mind that not all applications support version 2 CRLs Among the applications that do su...

Page 281: ...w which key was used in the signature The extension if present in a certificate enables applications those that can use the extension to identify the correct key to use in situations when multiple key...

Page 282: ...ameters Table 7 2 Description of parameters defined in the AuthorityKeyIdentifierExt rule Parameter Description enable Specifies whether the rule is enabled or disabled Check the box to enable the rul...

Page 283: ...ce number for each CRL issued by a CA allowing CRL users to easily determine when a particular CRL supersedes another CRL For general guidelines on setting the CRL number extension in CRLs see CRLNumb...

Page 284: ...rameter Description enable Specifies whether the rule is enabled or disabled Check the box to enable the rule Uncheck the box to disable the rule default If you enable the rule and set the remaining p...

Page 285: ...meter Description enable Specifies whether the rule is enabled or disabled Check the box to enable the rule default Uncheck the box to disable the rule If you enable the rule and set the remaining par...

Page 286: ...nstruction identifier the identifier indicates what action the validating application should take when it encounters a certificate that has been placed on hold For general guidelines on setting the CR...

Page 287: ...and set the remaining parameters correctly the server sets the Hold Instruction extension in CRLs If you disable the rule the server does not add the extension to CRLs it ignores the values in the rem...

Page 288: ...validityDate rule Parameter Description enable Specifies whether the rule is enabled or disabled Check the box to enable the rule Uncheck the box to disable the rule default If you enable the rule and...

Page 289: ...a DNS name an IP address and a uniform resource indicator URI with the issuer of the CRL The IssuerAlternativeName rule enables you to associate the following identities with a CRL issuer by includin...

Page 290: ...box if you want the server to mark the extension critical Uncheck the box if you want the server to mark the extension noncritical default numNames Specifies the total number of alternative names or i...

Page 291: ...format see the definition of an rfc822Name as defined in RFC 822 http www ietf org rfc rfc0822 txt You may use upper and lower case letters in the mail address no significance is attached to the case...

Page 292: ...28 21 39 40 255 255 255 00 For IP version 6 IPv6 the address should be in the form described in RFC 1884 http www ietf org rfc rfc1884 txt with netmask separated by a comma Examples of IPv6 addresses...

Page 293: ...the pointer can be in either of these forms The name of the X 500 directory that stores the CRL The URI to the location that contains the CRL Optionally each issuing point may contain a set of reason...

Page 294: ...int extension in CRLs If you disable the rule the server does not add the extension to CRLs it ignores the values in the remaining fields critical Specifies whether the extension should be marked crit...

Page 295: ...omeReasons Specifies the reason codes associated with the distribution point Permissible values A combination of reason codes unspecified keyCompromise cACompromise affiliationChanged superseded cessa...

Page 296: ...es whether the distribution point contains an indirect CRL Check the box if the distribution point contains an indirect CRL Uncheck the box if the distribution point doesn t contain an indirect CRL de...

Page 297: ...297 file Plug in Module page 299 NTEventLog Plug in Module page 304 Overview of Log Modules You can configure a CMS instance to log messages related to specific activities when events relevant to tho...

Page 298: ...module would be com netscape cms logging NTEventLogs After you take a look at the default log modules if you determine that they do not meet your requirements entirely you can develop a custom module...

Page 299: ...iration time for rotated logs During installation Certificate Management System automatically creates three instances of the file modules for logging audit error and system messages The listeners are...

Page 300: ...as file Figure 8 2 shows how configurable parameters for the module are displayed in the CMS window Figure 8 2 Parameters defined in the file module Table 8 2 gives details about each of these paramet...

Page 301: ...d its name will be appended with a timestamp For details see Timing of Log File Rotation in Chapter 23 Managing CMS Logs of CMS Installation and Setup Guide Permissible values Absolute path to the fil...

Page 302: ...le values As applicable The default value is 100 Example 100 rolloverInterval Specifies the frequency for rotating the active log file the file will be rotated when its age is equal to or older than t...

Page 303: ...Management System automatically creates this listener during installation By default the listener is configured as follows The rule is enabled The type is set to log error messages type system The lo...

Page 304: ...to 512 KB bufferSize 512 The interval for flushing the buffer to the file is set to 5 seconds flushInterval 5 The size limit for the active log file is set to 100 KB maxFileSize 100 The rollover inte...

Page 305: ...that by default both the listeners are enabled You need to review these listeners and make the changes appropriate for your PKI setup For instructions see Configuring CMS Logs in Chapter 23 Managing...

Page 306: ...ystem logs Example system enable Specifies whether the listener is enabled to log messages Check the box if you want the server to log messages of this type Leave the box unchecked if you do not want...

Page 307: ...the CMS instance that s logging the events For details on individual parameters defined in the listener see Table 8 3 on page 306 NTSystem Event Listener The event listener named NTSystem is an instan...

Page 308: ...NTEventLog Plug in Module 308 Netscape Certificate Management System Plug Ins Guide March 2002...

Page 309: ...ost part the information presented in this appendix is specific to Netscape Directory Server an LDAP compliant directory What Is a Distinguished Name Distinguished names DNs are string representations...

Page 310: ...txt Note that if used in conjunction with an LDAP compliant directory Certificate Management System by default recognizes components that are listed in Table A 2 Table A 1 Definitions of standard DN...

Page 311: ...he search base For example if you specify a base DN of OU people O example com for a client the LDAP search operation initiated by the client examines only the OU people subtree in the O example com d...

Page 312: ...Plug in Modules and Chapter 6 Publisher Plug in Modules In the absence of a base DN value Certificate Management System uses DN components in the certificate s subject name to construct the base DN so...

Page 313: ...E IA5String 1 2 840 113549 1 9 1 DC IA5String 0 9 2342 19200300 100 1 2 25 SERIALNUMBER for CEP support Printable String 2 5 4 5 UNSTRUCTUREDNAME for CEP support IA5String 1 2 840 113549 1 9 2 UNSTRU...

Page 314: ...ng Representation of Distinguished Names see http www ietf org rfc rfc2253 txt Certificate Management System conforms to all of this standard including support of using hex numbers to escape character...

Page 315: ...ollowing order from smaller character sets to broadest character set Printable IA5String BMPString Universal String For example X500Name MY_ATTR oid 1 2 3 4 5 6 X500Name MY_ATTR class netscape securit...

Page 316: ...u can verify whether they appear in certificate subject names For example you can enter the following values for the new attributes and look for them in the subject name MYATTR1 a_value MYATTR2 a Valu...

Page 317: ...gn TOP input type TEXT name DC size 30 onchange formulateDN this form this form subject td tr 4 Save your changes and close the file 5 Go to this directory server_root cert instance_id web apps ee 6 O...

Page 318: ...enrollment form in the browser and verify your changes 10 To verify that the Enroll for a certificate using the new attribute value Changing the DER Encoding Order You can also change the DER encoding...

Page 319: ...o the agent interface and approve your request 8 When you receive the certificate use the dumpasn1 tool to examine the encoding of the certificate For details about the dumpasn1 tool see CMS Command L...

Page 320: ...N corpDirectory example com OU Human Resources O Example Corporation C US When clients such as Netscape Navigator receive a server certificate they expect the CN component of the certificate s subject...

Page 321: ...ulated from the directory attributes and entry DN The dnpattern configuration variable of the automated enrollment modules such as UidPwdDirAuth and UidPwdPinDirAuth described in Chapter 1 Authenticat...

Page 322: ...e first mail LDAP attribute value in user s entry CN the first cn LDAP attribute value in the user s entry OU the second ou value in the user s entry DN O the first o value in the user s entry DN C th...

Page 323: ...e in the user s entry DN C the string US Example 4 If the configured DN pattern is CN attr cn OU dn ou 2 OU dn ou 1 O dn o C US LDAP entry dn UID jdoe OU IS OU people O example org LDAP attributes cn...

Page 324: ...DNs in Certificate Management System 324 Netscape Certificate Management System Plug Ins Guide March 2002...

Page 325: ...sion or a company s certificate practice statement OIDs are controlled by the International Standards Organization ISO registration authority In some cases this authority is delegated by ISO to region...

Page 326: ...c http www isi edu cgi bin iana enterprise pl To understand why you need to have a company arc check the information at this site http www alvestrand no objectid 2 16 840 1 113730 1 13 html The site c...

Page 327: ...te Extensions page 327 Recommendations for Certificate Extension Use page 331 Standard X 509 v3 Certificate Extensions page 337 Introduction to CRL Extensions page 357 Standard X 509 v3 CRL Extensions...

Page 328: ...he public key in the certificate Additional attributes Some organizations may find it convenient to store additional information in certificates for example for situations in which it s not possible t...

Page 329: ...was finalized certain kinds of certificates should include some of the Netscape extensions For details see Recommendations for Certificate Extension Use on page 331 Note that the X 500 and X 509 speci...

Page 330: ...her true or false assigned to this field indicates whether the extension is critical or noncritical to the certificate If the extension is critical and the certificate is sent to an application that d...

Page 331: ...te for example a certificate may contain only one subject key identifier extension Note that certificates that support these extensions have the version 0x2 which corresponds to version 3 Certificate...

Page 332: ...s plus others are described in detail in later sections of this appendix Additional extensions may be useful for a variety of purposes However the extensions listed above are either required or recomm...

Page 333: ...Sign cRLSign netscape cert type SSL CA if extension exists bit must be set subjectKeyIdentifier authorityKeyIdentifier basicConstraints true required cRLDistributionPoints extKeyUsage client auth keyU...

Page 334: ...fier authorityKeyIdentifier cRLDistributionPoints extKeyUsage Email keyUsage keyCertSign cRLSign netscape cert type S MIME CA if extension exists bit must be set subjectKeyIdentifier authorityKeyIdent...

Page 335: ...er cRLDistributionPoints extKeyUsage Email keyUsage keyCertSign cRLSign subjectKeyIdentifier authorityKeyIdentifier cRLDistributionPoints extKeyUsage Email keyUsage signing certificate digitalSignatur...

Page 336: ...xtKeyUsage Server Auth recommended Microsoft SGC and Netscape SGC required for step up keyUsage keyCertSign cRLSign netscape cert type SSL CA if extension exists bit must be set subjectKeyIdentifier a...

Page 337: ...that discusses the extension the object identifier OID for each extensions is also provided Object signing Authe nticode certificate authorityKeyIdentifier extKeyUsage Code Signing required for Authe...

Page 338: ...ember 4 1997 Certificate Management System CMS version support is listed for each extension Supported means that the indicated version of CMS ships with built in support for the extension via a policy...

Page 339: ...he CA chain than the issuer of the certificate using the extension The accessLocation field then typically contains a URL indicating the location and protocol LDAP HTTP FTP used to retrieve the list T...

Page 340: ...www ietf org rfc rfc2459 txt 4 2 1 1 Criticality This extension is always noncritical and is always evaluated Discussion The Authority Key Identifier extension identifies the public key corresponding...

Page 341: ...o AuthorityKeyIdentifierExt Plug in Module on page 141 CMS 4 1 Supported CMS 4 2 Supported CMS 4 2 SP2 Supported CMS 4 5 Supported CMS 6 0 Supported Note that Certificate Management System does not us...

Page 342: ...of CA certificates that have been processed so far starting with the end entity certificate and moving up the chain If pathLenConstraint is omitted then all of the higher level CA certificates in the...

Page 343: ...t PKIX Part 1 recommends that policies be identified with an OID only or if necessary only certain recommended qualifiers CMS Version Support Refer to CertificatePoliciesExt Plug in Module on page 148...

Page 344: ...If the distributionPoint omits reasons the CRL must include revocations for all reasons If the distributionPoint omits cRLIssuer the CRL must be issued by the CA that issued the certificate PKIX recom...

Page 345: ...tes validated by the responder is also the OCSP signing key The OCSP responder s certificate must be issued directly by the CA that signs certificates the responder will validate The Key Usage Extende...

Page 346: ...crosoft Recommendations Microsoft products interpret this extension as follows If the extension is not present the certificate is considered to be valid for any usage to support backward compatibility...

Page 347: ...y usages of all the certificates in the chain to its root as determined by both the Extended Key Usage extension for each certificate and the corresponding user settings To be valid for a particular u...

Page 348: ...urposes for which a certificate can be used For more information on interactions between these extensions in CA certificates see CA Certificates and Extension Interactions on page 368 If this extensio...

Page 349: ...t or not critical all types of usage are allowed If the keyUsage extension is present critical or not it is used to select from multiple certificates for a given operation For example it is used to di...

Page 350: ...ft products will interpret the extension in the same way whether marked critical or not If the extension is present the actual usage must conform to the specified usage The only Microsoft application...

Page 351: ...n be signed by the OCSP responder and the client would again request the validity status of the signing certificate This extension is null valued its meaning is determined by its presence or absence S...

Page 352: ...tension may be critical or noncritical Discussion This extension which is for CA certificates only constrains path validation in two ways It can be used to prohibit policy mapping or to require that e...

Page 353: ...are equivalent to policies of another CA It may be useful in the context of cross certification This extension may be supported by CAs and or applications CMS Version Support Refer to PolicyMappingsE...

Page 354: ...Supported CMS 4 2 SP2 Supported CMS 4 5 Supported CMS 6 0 Supported Netscape Recommendation Netscape recommends against the use of this extension Microsoft Recommendation Microsoft recommends against...

Page 355: ...ndation Netscape recommends the use of this extension with all certificates issued by a CA except for SSL client certificates Netscape products read only the first alternative name in this extension a...

Page 356: ...f the certificate It is not recommended as an essential part of the proposed PKIX standard but may be used in local environments CMS Version Support Refer to SubjectDirectoryAttributesExt Plug in Modu...

Page 357: ...in the Authority Key Identifier extension of the certificate being verified should match the key identifier of the CA s Subject Key Identifier extension It is not necessary for the verifier to recomp...

Page 358: ...r OID for the extension see Appendix B Object Identifiers This identifier uniquely identifies the extension It also determines the ASN 1 type of value in the value field and how the value is interpret...

Page 359: ...ificate Management System can display CRLs in human readable format as shown here As shown in the example CRL extensions appear in sequence and only one instance of a particular extension may appear i...

Page 360: ...ns the X 509 v3 proposed standard defines extensions to CRLs which provide methods for associating additional attributes with Internet CRLs These are of two kinds extensions to the CRL itself and exte...

Page 361: ...te extensions at authorityKeyIdentifier CMS Version Support Refer to AuthorityKeyIdentifier Rule on page 281 CMS 4 1 Not supported CMS 4 2 Supported CMS 4 2 SP2 Supported CMS 4 5 Supported CMS 6 0 Sup...

Page 362: ...cal if it exists Discussion The Delta CRL Indicator extension identifies a delta CRL The use of delta CRLs allows changes to be added to the local database while ignoring unchanged information that is...

Page 363: ...r to IssuerAlternativeName Rule on page 289 CMS 4 1 Not supported CMS 4 2 Supported CMS 4 2 SP2 Supported CMS 4 5 Supported CMS 6 0 Supported issuingDistributionPoint OID 2 5 29 28 Reference http www...

Page 364: ...these extensions are noncritical These are the CRL entry extensions described in the sections that follow certificateIssuer page 364 holdInstructionCode page 365 invalidityDate page 365 reasonCode pag...

Page 365: ...icate that has been placed on hold CMS Version Support Refer to HoldInstruction Rule on page 286 CMS 4 1 Not supported CMS 4 2 Supported CMS 4 2 SP2 Supported CMS 4 5 Supported CMS 6 0 Supported inval...

Page 366: ...r to CRLReason Rule on page 284 CMS 4 1 Not supported CMS 4 2 Supported CMS 4 2 SP2 Supported CMS 4 5 Supported CMS 6 0 Supported Netscape Defined Certificate Extensions Netscape has defined certain c...

Page 367: ...X 509 v3 extensions extKeyUsage and basicConstraints but must still be supported in deployments that include Navigator 3 x clients If the extension exists in a certificate it limits the certificate to...

Page 368: ...s contain the basicConstraints extension as this is the standard way to identify a CA certificate In addition to ensure support for Navigator 3 x CAs should also use netscape cert type These two exten...

Page 369: ...more CA bits set or both as described above If CAs issue multiple certificates for the same identity for example for separate signing and encryption keys they must include the keyUsage extension in th...

Page 370: ...CA Certificates and Extension Interactions 370 Netscape Certificate Management System Plug Ins Guide March 2002...

Page 371: ...ed 35 Authority Information Access extension policy 132 Authority Key Identifier extension policy 141 authorityKeyIdentifier 340 361 369 automated enrollment 18 B base DN 311 Basic Constraints extensi...

Page 372: ...rnativeName 289 IssuingDistributionPoint 293 list of 281 CRL publisher 275 cRLDistributionPoints 343 CRLNumber 361 CRLs extensions for 360 366 extension specific modules 357 supported versions 279 cus...

Page 373: ...oldInstructionCode 365 introduction to 328 invalidityDate 365 issuerAltName 347 363 issuingDistributionPoint 363 keyUsage 348 nameConstraints 350 netscape cert type 367 368 netscape comment 368 Netsca...

Page 374: ...plug in implementation 65 specifying schedule for 76 K Key Algorithm Constraints policy 97 Key Usage extension policy 186 keyUsage 348 L listing of CRL extension modules 281 of schedulable jobs 64 loc...

Page 375: ...orityKeyIdentifier 281 CRLNumber 283 CRLReason 284 HoldInstruction 286 InvalidityDate 287 IssuerAlternativeName 289 IssuingDistributionPoint 293 list of 281 for logging to file 300 for logging to NT E...

Page 376: ...269 publishers created during installation 271 273 275 publishers that can publish to CA s entry in the directory 271 275 files 270 OCSP responder 277 users entries in the directory 273 publishing ho...

Page 377: ...Unique Subject Name Constraints policy 117 user enrollment forms 55 user ID and password based authentication 22 configurable parameters 24 plug in module name 24 user ID password and PIN based authen...

Reviews: