background image

Extension-Specific Policy Module Reference

524

Netscape Certificate Management System Administrator’s Guide • February 2003

ExtendedKeyUsageExt

The 

ExtendedKeyUsageExt

 plug-in module enables you to add the Extended Key 

Usage Extension to certificates. The extension identifies one or more purposes—in 
addition to or in place of the basic purposes indicated in the key usage 
extension—for which the certified public key may be used. For example, if the key 

• Select 

URI

 if the value in the 

pointName

 field is a uniform resource indicator.

• Select 

RelativeToIssuer

 if the value in the 

pointName

 field is a location 

relative to the CRL Issuer.

reasons<n>

Specifies revocation reasons covered by the CRL maintained at the distribution point. 
Provide a comma-separated list of the following constants:

unused

keyCompromise

cACompromise

affiliationChanged

superseded

cessationOfOperation

certificateHold

 

issuerName<n>

Specifies the name of the issuer that has signed the CRL maintained at distribution 
point, the name can be in any of the following formats:

• An X.500 directory name in the RFC 2253 syntax. For example:

CN=CA Central, OU=Research Dept, O=Example Corporation, C=US

• A URI; for example, it would look similar to this: 

http://testCA.example.com:80

issuerType<n>

Specifies the general-name type of the CRL issuer that has signed the CRL maintained 
at distribution point.

Permissible values: 

DirectoryName

 or 

URI

. The value you specify for this 

parameter must correspond to the value in the 

issuerName

 field.

• Select 

DirectoryName

 if the value in the 

issuerName

 field is an X.500 directory 

name (default).

• Select 

URI

 if the value in the 

issuerName

 field is a uniform resource indicator.

Table  11-21

CRLDistributionPointsExt Configuration Parameters  (Continued)

Parameter

Description

Summary of Contents for Certificate Management System 6.1

Page 1: ...Administrator s Guide Netscape Certificate Management System Version6 1 February 2003...

Page 2: ...CUMENTATION INCLUDING WITHOUT LIMITATION ANY LOSS OR INTERRUPTION OF BUSINESS PROFITS USE OR DATA The Software and documentation are copyright 2001 Sun Microsystems Inc Portions copyright 1999 2003 20...

Page 3: ...er 1 Overview 29 Features 29 Subsystems 29 Certificate Manager Flexibility and Scalability 30 Interfaces 31 Logging 31 Auditing 32 Self Tests 32 Authorization 32 Authentication 32 Certificate Issuance...

Page 4: ...ta Recovery Manager 53 Certificate Manager Data Recovery Manager and Registration Manager 55 Cloned Certificate Manager 56 System Architecture 57 CMS Component 58 HTTP Engine 59 Service Interfaces 60...

Page 5: ...115 Changing Subsystem Security Setting 116 Changing Passwords or Storage Settings 116 Configuring Logs 116 Changing Internal Database Settings 116 Configuring Self Test 116 Setting Up a Mail Server 1...

Page 6: ...s 152 Configuring Authorization 153 Managing Certificates and the Certificate Database 154 Changing Ports and IP Addresses 155 Changing Subsystem Security Setting 155 Changing Passwords or Storage Set...

Page 7: ...rity Setting 192 Changing Passwords or Storage Settings 192 Configuring Logs 192 Changing Internal Database Settings 193 Configuring Self Test 193 Setting Up Jobs 193 Identifying the CA to the OCSP Re...

Page 8: ...Stored by the Server 252 Starting Stopping and Restarting CMS Instances 254 Starting a Server Instance 254 Stopping a Server Instance 255 Restarting a Server Instance 256 Subsystem Configuration Overv...

Page 9: ...the Certificate Database 298 Certificate Setup Wizard 298 Consideration When Getting New Certificates for the Subsystems 314 Tokens for Storing CMS Keys and Certificates 316 Internal Token 316 Extern...

Page 10: ...Server admin certificate 353 certServer admin request enrollment 353 certServer auth configuration 353 certServer ca certificate 354 certServer ca certificates 355 certServer ca configuration 355 cert...

Page 11: ...0 certServer log content SignedAudit 370 certServer log content 371 certServer ocsp ca 371 certServer ocsp cas 372 certServer ocsp certificate 372 certServer ocsp configuration 372 certServer ocsp crl...

Page 12: ...rver Certificates 411 Renewal of Server Certificates 412 Getting Certificates for Netscape Version 4 x and Later Servers 412 CEP Enrollment 414 About CEP Enrollment 414 Setting Up Automated CEP Enroll...

Page 13: ...gorithm Default 467 Subject Alternative Name Extension Default 467 Subject Key Identifier Extension Default 469 Subject Name Default 470 Token Supplied Subject Name Default 470 User Supplied Extension...

Page 14: ...ts 501 RenewalValidityConstraints 501 RevocationConstraints 502 RSAKeyConstraints 503 SigningAlgorithmConstraints 504 SubCANameConstraints 505 UniqueSubjectNameConstraints 506 ValidityConstraints 508...

Page 15: ...bs 577 Setting Up Automated Jobs 578 Types of Automated Jobs 578 Setting Up the Job Scheduler 579 Frequency Settings for Automated Jobs 579 Enabling and Configuring the Job Scheduler 580 Setting Up Sp...

Page 16: ...ifier 608 CRLNumber 609 CRLReason 609 DeltaCRLIndicator 610 FreshestCRL 610 HoldInstruction 611 InvalidityDate 612 IssuerAlternativeName 612 IssuingDistributionPoint 614 Chapter 15 Publishing 617 Abou...

Page 17: ...e IT Environment 665 Security Audit FAU 666 Cryptographic support FCS 669 User Data Protection FDP 669 Identification and authentication FIA 670 Security management FMT 671 Protection of the TSF FPT 6...

Page 18: ...with the Internal Database 690 CMS Administrative Console 690 Backup and Restore of a CMS Subsystem 690 Common Criteria Deployment Scenarios 691 Features That Are Not Part of the Common Criteria Envir...

Page 19: ...t Formats 712 Importing Certificate Chains 713 Importing Certificates into Netscape Communicator 713 Importing Certificates into Netscape Servers 714 Object Identifiers 714 Appendix G Certificate and...

Page 20: ...gital Signatures 769 Certificates and Authentication 770 A Certificate Identifies Someone or Something 771 Authentication Confirms an Identity 772 How Certificates Are Used 776 Contents of a Certifica...

Page 21: ...routers This preface has the following sections Who Should Read This Guide What You Should Know What s in This Guide Conventions Used in This Guide Documentation Who Should Read This Guide This guide...

Page 22: ...pe Console You are familiar with the basic concepts of public key cryptography and the Secure Sockets Layer SSL protocol including the following SSL cipher suites The purpose of and major steps in the...

Page 23: ...stems including working in the administrative interface starting and stopping the server working with logs working with self test managing the database and managing the certificate database Chapter 8...

Page 24: ...ng the Common Criteria Evaluated CMS Setup Provides information about running CMS in the Common Criteria Environment Appendix F Certificate Download Specification Provides information about the certif...

Page 25: ...e Rotation frequency From the drop down list select the interval at which the server should rotate the active error log file The available choices are Hourly Daily Weekly Monthly and Yearly The defaul...

Page 26: ...e CMS Administrator s Guide this guide Describes how to plan for install and administer CMS CMS Command Line Tools Guide Provides detailed reference information on CMS tools CMS Customization Guide Ex...

Page 27: ...led reference information on customizing the HTML based agent and end entity interfaces CMS Agent s Guide Provides detailed reference information on CMS agent interfaces To access this information fro...

Page 28: ...Documentation 28 Netscape Certificate Management System Administrator s Guide February 2003...

Page 29: ...obust scalable and high performance certificate management solution for your public key infrastructure PKI extranets and intranets This chapter contains the following sections Features How Certificate...

Page 30: ...vide flexibility in your PKI including support for multiple registration authorities tied to a single CA the ability to act as a root or subordinate CA and cloning of a CA to allow CAs with identical...

Page 31: ...nate CAs you can create multiple clones of a Certificate Manager and configure each clone to issue certificates that fall within a distinct range of serial numbers Because clone CAs use the same CA si...

Page 32: ...nd can be run on demand It ships with a set of self tests that are configurable and allows you to create additional self tests using the CMS SDK See Self Tests on page 282 for complete details Authori...

Page 33: ...Support for customized components in subject names Support for CEP enrollment Support for customized extensions Certificate Profiles CMS has a new feature called certificate profiles Certificate Prof...

Page 34: ...points so a CRL can be created for each issuing point defined You can issue CRLs for each type of certificate you issue or for a specific subset of a type of certificate you issue You can also configu...

Page 35: ...encrypting mail messages and other data To support separate key pairs for signing and encrypting data CMS supports generation of dual certificates for end entities capable of generating dual key pair...

Page 36: ...Supports multiple message formats such as KEYGEN SPAC CRMF CMMF CRS CEP SCEP and PKCS 10 and CMC for certificate requests All requests are delivered to CMS over HTTP or HTTPS in the case of CRS CEP SC...

Page 37: ...a flexible scalable system for issuing renewing and publishing certificates creating and publishing CRLs and providing key storage and retrieval capabilities CMS Basics CMS is installed on each host r...

Page 38: ...systems have an agent interface specific to that subsystem allowing agents to perform the tasks assigned to them A Certificate Manager and a Registration Manager have an end entity services interface...

Page 39: ...allowing you to select logging levels as well as what is logged You can also create custom logs so that events can be separated by the categories you choose See Logs on page 263 for complete details A...

Page 40: ...cial kind of administrator who is able to run the basic operations of the subsystem but is not able to configure any of the features See Chapter 8 Authorization for complete details Self Tests CMS con...

Page 41: ...is called Federal Bridge Certificate Authority FBCA This feature allows you to trust certificates issued by a CA outside of your PKI that shares a cross signed certificate with the CA in your PKI Cer...

Page 42: ...e CRLs that contain only the revoked certificates since the last CRL was produced See Chapter 14 Revocation and CRLs for complete details How the Certificate Manager Works This sections details the pr...

Page 43: ...r and then continues processing the request The Certificate Manger next evaluates the request to ensure that it meets either the policies set for this type of certificate or the certificate profile se...

Page 44: ...g it If publishing is set up a certificate is published to the correct location s whenever a certificate is issued See Chapter 15 Publishing for complete details Key Archival If you install a Data Rec...

Page 45: ...ed You can also provide delta CRLs allowing you to publish a list of only those certificates have been revoked since a certain date See Chapter 14 Revocation and CRLs for complete details About the Re...

Page 46: ...ticates against the authentication method set up See the Netscape Certificate Management System Customization Guide for details about customizing the end entity interface Authentication Methods CMS pr...

Page 47: ...method and certificate type to a set of constraints and certificate content and values for that content It allows you to configure a single module for a type of certificate that binds to an authentica...

Page 48: ...s part of the enrollment and stored in the Data Recover Manager See Chapter 6 Data Recovery Manager for complete details Storing Certificate Requests and Certificates When it issues a certificate the...

Page 49: ...ate encryption key The key is then stored in the Data Recovery Manager The Data Recovery Manager is configured to store keys in an encrypted format that can only be decrypted by several agents request...

Page 50: ...erification of certificates Note that an online certificate validation authority is often referred to as an OCSP responder The Online Certificate Status Manager can receive CRLs from multiple Certific...

Page 51: ...d a publishing directory The Certificate Manager can publish both end entity certificates and CRLs to a directory Certificate Manager and Registration Manager Figure 1 2 shows a Registration Manager a...

Page 52: ...or work in different geographic locations Each group of end entities interacts with a designated Registration Manager that processes requests from end entities and sends them to a Certificate Manager...

Page 53: ...that the Registration Manager is intended to serve and the physical location of the Certificate Manager agent Registration Manager agent and other persons responsible for administering the Certificat...

Page 54: ...ing the location of a Data Recovery Manager be sure to look into firewall considerations the physical security required for each subsystem and the physical location of the Certificate Manager agent Da...

Page 55: ...s Figure 1 4 illustrates some of the issues involved in deploying all three subsystems by showing the relationships among a single Certificate Manager a single Registration Manager and a single Data R...

Page 56: ...Certificate Manager or the Certificate Manager might also handle some end entity interactions It s also possible to set up both Certificate Managers and Registration Managers such that each has a hie...

Page 57: ...clone and confirm that you want to reuse the CA s signing key and certificate if the clone is on the same server you can also reuse the SSL server certificate If you store the CA key material on a har...

Page 58: ...t CMS is a set of pure Java classes This component provides a secure application platform where subsystems CA RA DRM and OCSP can be tightly integrated with a PKI infrastructure Depending on the insta...

Page 59: ...ded Event listeners where event listeners can be extended Publishing where publisher and its mapper can be extended Logging includes signed audit logs where logging mechanism can be extended Self test...

Page 60: ...derstands the protocol provided by the CMS Administration Interface Service Interfaces Each of the subsystems contains interfaces allowing interaction with various portions of the subsystem All four s...

Page 61: ...mmands coming from the administrative entry point Based on the information given at each command the administration servlets allow administrators to perform administrative tasks and configure plug in...

Page 62: ...d software devices intended for such purposes One or more PKCS 11 modules must be available to any CMS subsystem instance As shown in the figure a PKCS 11 module also called a cryptographic module or...

Page 63: ...tions and communication with the certX db and keyX db files Any PKCS 11 module can be used with CMS The server uses a file called secmod db to keep track of the modules that are available You can modi...

Page 64: ...AP database while user and group entries are stored in another subtree Except for the creation of a new CMS instances functionalities provided by this component are not fully utilized by CMS Note that...

Page 65: ...cifies how a device communicates with a CA including how to retrieve the CA s public key how to enroll a device with the CA and how to retrieve a CRL CEP uses PKCS 7 and PKCS 10 Certificate Request Me...

Page 66: ...nsport Protocol HTTP and Hypertext Transport Protocol Secure HTTPS Protocols used to communicate with web servers KEYGEN tag An HTML tag supported by Netscape browsers that generates a key pair for us...

Page 67: ...v1 v3 Digital certificate formats recommended by the International Telecommunications Union ITU Secure Sockets Layer SSL 2 0 3 0 A set of rules governing server authentication client authentication a...

Page 68: ...Support for Open Standards 68 Netscape Certificate Management System Administrator s Guide February 2003...

Page 69: ...bsystem You then configure the subsystem that will run on that host Once a subsystem is setup you can access its end entity interface agent services interface and its administrative interface and furt...

Page 70: ...e instructions on installing CMS 2 Configure each subsystem that will be running on each host CMS provides an installation wizard for configuring an instance of each of the subsystems Complete instruc...

Page 71: ...Once installation is complete you can use Netscape Console to view all your server settings make changes to those settings and configure CMS instances See The Administrative Interface on page 244 abou...

Page 72: ...nfiguration directory and the administration server The port for the administration server is the port used to log into Netscape Console Port numbers can be any number from 1 to 65535 Keep the followi...

Page 73: ...nobody account Also you should create a common group for the directory server files again you must not use the nobody group The user and group under which you will run Administration Server For insta...

Page 74: ...n This is the user ID and password you will use to log into Netscape Console Administration Server User and password You are prompted for this only during custom installations The Administration Serve...

Page 75: ...uration directory You normally will not store users in this configuration directory You only use this configuration directory to store configuration settings for the Administration Server and allow yo...

Page 76: ..._____________________ Directory Server Port Number ______________________________________ Directory server identifier myhost ______________________________________ Netscape configuration directory ser...

Page 77: ...The setup command has the following options The installation program launches The installation program will prompt you for series of configuration settings detailed in the following steps 4 Would you...

Page 78: ...ts 11 Specify the components you wish to install 1 2 Press Enter to accept the default components 12 Specify the components you wish to install 1 2 Press Enter to accept the default components 13 Spec...

Page 79: ...ter a unique identifier for the new instance of Directory Server If you are using an existing configuration directory enter its identifier 21 Netscape configuration directory server administrator ID a...

Page 80: ...directory and creates and starts instances of the Administration Server and Directory Server For specifics on installing each subsystem see Installing a Certificate Manager as a Root CA on page 91 Ins...

Page 81: ...containing the installed software 3 Type the following command uninstall 4 Specify the components you wish to uninstall All Accept the default value 5 Specify the components you wish to uninstall 1 2...

Page 82: ...Uninstalling CMS 82 Netscape Certificate Management System Administrator s Guide February 2003...

Page 83: ...allation instructions an overview of the Certificate Manager processes including information on configuring those processes information about FBCA and details on configuring a cloned CA This chapter c...

Page 84: ...o issue certificates is issued by another CA The CA that issued the subordinate CA signing certificate controls the CA through the contents of the CA signing certificate The CA can constrain the subor...

Page 85: ...ation it is completely unaware of its parents set up for these configurations A Certificate Manager cannot issue a certificate that has a validity period longer than the validity period of the CAs CA...

Page 86: ...of the certificate The Certificate Manager s status as a root or subordinate CA is determined by whether its CA signing certificate is self signed or is signed by another CA If the Certificate Manage...

Page 87: ...ubmitted the certificate signing request You might have submitted the request to the Certificate Manager itself another internally deployed CA or a public CA By default the Certificate Manager uses a...

Page 88: ...e Corporation ou Engineering c US Many combinations of name value pairs are possible for the Certificate Manager s DN The DN must be unique and readily identifiable since any end entity can examine it...

Page 89: ...Managing Servers with Netscape Console Certificate Manager Interfaces When you install a Certificate Manager three interfaces are enabled The installation wizard lets you choose the ports these inter...

Page 90: ...e through either HTTPS or HTTP there are two ports set up by default The default interface provides forms for the various types of enrollment and other tasks an end entity can perform and is completel...

Page 91: ...ard you can select from a list of already installed and available tokens For example SmartCard For installation instructions see External Token on page 316 Installing a Certificate Manager You install...

Page 92: ...information Click Next to continue The wizard sets up the new internal database which takes some time 6 Administrator Type the user ID name and password for the CMS administrator This user ID will be...

Page 93: ...cloned CAs you must make sure that the range of serial numbers does not overlap with any other CA server Click Next to continue 10 Internal OCSP Services Select to enable the internal OCSP services S...

Page 94: ...Next to continue 16 Validity Period for Certificate Manager CA Signing Certificate Select the validity period for the CA signing certificate The default validity is two years The validity period dete...

Page 95: ...sword you must do so in this screen See Tokens on page 91 for more information Key Type Choose RSA Key Length Available key sizes for RSA are 512 768 1024 2048 4096 or Custom Available key sizes for D...

Page 96: ...e Sign on Summary Check the summary and select whether to retain or delete the password conf file For details see Token Password Storage on page 252 Click Next to continue 27 Configuration Status This...

Page 97: ...nue 6 Administrator Type the user ID name and password for the CMS administrator This user ID will be set up as the administrator who can access the CMS window and control all CMS settings Allow Multi...

Page 98: ...pecify an upper limit For cloned CAs you must make sure that the range of serial numbers does not overlap with any other CA server Click Next to continue 10 Internal OCSP Services Select to enable the...

Page 99: ...ertificate Manager CA Signing Certificate Select the validity period for the subordinate CA signing certificate The default validity is two years The validity period determines how soon you will have...

Page 100: ...must submit to another CA 19 Submission of Request Select whether you want to submit the request manually or send the request to a remote Certificate Manager automatically To automatically submit the...

Page 101: ...o back to the wizard screen Step 20 To submit your certificate request manually to a remote Certificate Manager follow these steps I Open a web browser window II Go to the end entity URL for the remot...

Page 102: ...ate request manually to a third party CA follow these steps XI Make sure that the certificate request including BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST is highlighted and click t...

Page 103: ...uest and know the host name and end entity port number of the remote Certificate Manager that issued the certificate select the The certificate is at the CMS server where the request was sent option a...

Page 104: ...screen See Tokens on page 91 for more information Key Type Choose RSA Key Length Available key sizes for RSA are 512 768 1024 2048 4096 or Custom Available key sizes for DSA are 512 1024 or Custom whi...

Page 105: ...nate CA itself the wizard generates the SSL server certificate You ll be presented with the Create Single Sign on Password screen Step 35 If you chose to generate a request for submission to another C...

Page 106: ...he certificate is displayed scroll down to the base 64 encoded version of the certificate highlight all the text including BEGIN CERTIFICATE and END CERTIFICATE and copy it to the clipboard or to a te...

Page 107: ...ssue the certificate To approve the request do the following In the web browser window enter the URL for the Certificate Manager s Agent Services page You must have a valid agent s certificate Select...

Page 108: ...st to a third party CA or to a remote Certificate Manager for which you do not have agent privileges you may have to wait days or weeks before you receive the certificate In this case you should click...

Page 109: ...ollow these steps a Go to the end entity URL for the remote Certificate Manager that issued the SSL server certificate b Select the Retrieval tab and then in the left hand frame click Import CA Certif...

Page 110: ...up are controlled by Access Control Instructions ACIs placed in Access Control Lists ACLs ACLs define points that need specific authorization Generally each defines a distinct set of functionality for...

Page 111: ...Manager See Certificate Manager Certificates on page 85 for more information about these certificates and the things you should consider before getting these certificates CMS contains a Certificate W...

Page 112: ...or the key pair and install the certificate in the Certificate Manager s certificate database For more information about the Certificate Database tool see http www mozilla org projects security pki ns...

Page 113: ...anager 3 Update the Certificate Manager s configuration to recognize the new key pair and certificate a In the Certificate Manager host machine go to this directory server_root cert instance_id config...

Page 114: ...install additional SSL server certificates for the Certificate Manager For example you can configure the Certificate Manager to use separate server certificates for authenticating to the End Entity S...

Page 115: ...both administrators and users to implement All certificates issued by the old CA including those that have not yet expired must be renewed by the new CA There are advantages and disadvantages to each...

Page 116: ...it logs that create audit trails that can only be read by a user with auditor privileges The log feature is configurable allowing you to change the settings for some of the logs See Logs on page 263 f...

Page 117: ...appears 3 Change the following fields in this tab Override validity nesting requirement Specifies if the Certificate Manager can issue certificates with validity periods beyond that of its CA signing...

Page 118: ...iguration or certificate profile configuration overrides the algorithm you select here 4 To save your changes click Save Setting Up Authentication The first step in configuring enrollment is setting u...

Page 119: ...w you to set up the kind of authentication you will use for authentication All of the authentication plug ins also enable an automated enrollment when they are enabled You can enable one of the authen...

Page 120: ...that are applicable to this type of request Any policy that has no predicate is evaluated against all certificate requests Those with predicates are evaluated against certificates requests that match...

Page 121: ...erated based on the inputs set in the certificate profile Each certificate profile that will be used is configured by an administrator The administrator configures defaults and constraints inputs outp...

Page 122: ...nder for information about both of these services Setting Up CRLs The CRL feature allows you to set up CRLs that are issued on a periodic basis You can also define issuing points so that a CRL from th...

Page 123: ...nd entity You can customize this interface by changing which forms are available and by changing the forms themselves You might change the look and feel of the form to fit in with your intranet you mi...

Page 124: ...icate profile You customize the dynamically created certificate profile forms by configuring the inputs associated with the certificate profile The Certificate Enrollment Process When an end entity en...

Page 125: ...that are used to collect this information The policies or certificate profile associated with the form determine aspects of the certificate that is issued Depending on the policies or certificate prof...

Page 126: ...tificates that have been issued and for the CA certificate chain Renewal The Certificate Manager allows for the renewal of certificates Certificates can be renewed if the policies associated with rene...

Page 127: ...of certificates by looking them up in the internal database and reporting on the status of the certificate You can set up an automated notifications that send an email message to the end entity when...

Page 128: ...ir Certificates CMS provides the capability to import the cross pair certificates from each of the CAs You use the Certificate Setup wizard to import both certificates When both certificates have been...

Page 129: ...KI to be a CA hierarchy comprising root and subordinate CAs you can create multiple clones of a Certificate Manager and configure each clone to issue certificates that fall within a distinct range of...

Page 130: ...tificates such as the CA signing certificate SSL server certificate agent s certificate and so on The master Certificate Manager will also need distinct serial numbers in the future for example when y...

Page 131: ...Certificate Manager to each clone Certificate Manager If the master Certificate Manager s keys and certificates are stored in the internal software token you need to copy the certificate and key datab...

Page 132: ...e master Certificate Manager Select the token name where the keys and certificate are stored and enter the token s password if required Clone key and certificate materials On this screen you choose wh...

Page 133: ...t expects a certificate that was already issued and chains properly to be presented when you access its agent interface 5 Restart the clone CA 6 Use Netscape Console and open the CMS window for the cl...

Page 134: ...t form for requesting the certificate the request you submitted is waiting in the agent queue for approval by an agent 3 Download the certificate to the browser 4 Revoke the certificate 5 Check master...

Page 135: ...ployment Considerations Installing a Registration Manager Configuring a Registration Manager How a Registration Manager Works Registration Manager Deployment Considerations This section describes the...

Page 136: ...all has a certificate identified as the Registration Manager signing certificate whose public key corresponds to the private key the Registration Manager uses to authenticate itself to the Certificate...

Page 137: ...ors using the Java based CMS Console GUI application An Agent Services interface that is accessible by default only to members of the Registration Manager Agent group Agents are users who can perform...

Page 138: ...ase Each Registration Manager instance contains an internal database that stores certificates certificate requests and the like During installation you set up this database by either choosing to creat...

Page 139: ...th to 4096 bits for certificates that provide access to highly sensitive data or services However the question of key length has no simple answers Every organization must make its own decision based o...

Page 140: ...ator who can access the CMS window and control all CMS settings Allow Multiple Roles for Users Select if you want to allow users to belong to more than one group thus assuming more than one role Desel...

Page 141: ...ts only See Signing Key Type and Length on page 138 for more information Click Next to continue 12 Message Digest Algorithm Select the algorithm to use for computing the certificate signature The choi...

Page 142: ...equest in PKCS 10 format select the Generate PKCS10 request option If you want the wizard to generate the certificate request in CMC format select the Generate CMC full enrollment request option This...

Page 143: ...te is displayed scroll down to the base 64 encoded version of the certificate highlight all the text including BEGIN CERTIFICATE and END CERTIFICATE and copy it to the clipboard or to a text file Be s...

Page 144: ...Manager Note that you must be a designated CMS administrator as well as an agent for this option to work correctly X Type a user ID for the new Registration Manager This user ID can be the same that y...

Page 145: ...ith the configuration and resume after you receive the certificate The default selection is No Select Yes if you have the certificate ready in its base 64 encoded format Click Next to continue If you...

Page 146: ...server option and then click Submit d In the resulting page locate the CA certificate chain in its base 64 encoded format and copy the certificate chain to the clipboard e Return to the Installation W...

Page 147: ...given the choice to select the format for the certificate request Otherwise the request format will be PKCS 10 If you want the wizard to generate the certificate request in PKCS 10 format select the...

Page 148: ...te is displayed scroll down to the base 64 encoded version of the certificate highlight all the text including BEGIN CERTIFICATE and END CERTIFICATE and copy it to the clipboard or to a text file Be s...

Page 149: ...nd issue the certificate To approve the request do the following In the web browser window enter the URL for the Certificate Manager s Agent Services page You must have a valid agent s certificate Sel...

Page 150: ...Wizard screen click Yes or No Select No if you have submitted your request to a third party CA or to a remote Certificate Manager for which you do not have agent privileges you may have to wait days o...

Page 151: ...e from which you requested the singing certificate Follow these steps to import the remote Certificate Manager s CA chain a Go to the web browser window b Enter the end entity URL for the remote Certi...

Page 152: ...relationship when you issued this certificate by selecting this option in the agent services interface on the request page used to approve the request If you have done this you do not need to further...

Page 153: ...ACL Configuration The configuration set up for the Certificate Manager gives the following privileges to members of the following groups Members of the Administrator group can perform any operations...

Page 154: ...database and they must be configured as trusted see Changing the Trust Settings of a CA Certificate on page 296 and Installing a New CA Certificate in the Certificate Database on page 297 Certificate...

Page 155: ...r each of the interfaces when you install the Registration Manager You can change the ports that any of the interfaces listen on and you can remove the HTTP non SSL end entity port if you will not use...

Page 156: ...Settings You can change the configuration of the internal database after installation including restricting access to the internal database see The Internal Database on page 290 for information on doi...

Page 157: ...tion method to be agent approved or automated The agent approved enrollment in person agent initiated enrollment and CMC enroll methods are enabled and configured when you install the Registration Man...

Page 158: ...you like The authentication methods that you can configure are Directory Based Enrollment End entities are authenticated against an LDAP directory using their user ID or DN and password See Setting Up...

Page 159: ...rmation see Chapter 11 Policies If you set up and enable policies in the Registration Manager you must be careful how you set up policies in the Certificate Manager that issues certificates for this R...

Page 160: ...es interface for processing The agent can change some aspects of the request as long as they are within the constraints set in the certificate profile reject the request change the status of the reque...

Page 161: ...set up a trusted relationship between a Data Recovery Manager and a Registration Manager so that the end entities private encryption keys are archived during the certificate request See Chapter 6 Data...

Page 162: ...m The form creates a request that is then submitted to the Registration Manger The enrollment form can trigger the creation of the public and private keys for this request or for dual key pairs The en...

Page 163: ...ate request is either rejected at some point in the process either by an agent because it did not meet the policy certificate profile or authentication requirements or the request is signed and sent t...

Page 164: ...set up for a single method of renewal All requests are made to the renewal page of the end entity interface The end entity presents their old certificate and if they meet the policies for renewal a ne...

Page 165: ...agents can approve requests made by end entities to revoke their certificates but agents cannot revoke certificates on their own The Certificate Manager agent for the CA that issued the certificate w...

Page 166: ...How a Registration Manager Works 166 Netscape Certificate Management System Administrator s Guide February 2003...

Page 167: ...with OCSP Service Online Certificate Status Manager Deployment Considerations Installing an Online Certificate Status Manager Setting Up the OCSP Responder Configuring the Online Certificate Status M...

Page 168: ...ins all the information required by the responder to process it If it does not or if it is not enabled for the requested service a rejection notice is sent If it does have enough information it proces...

Page 169: ...st is subjected to policy checking see Configuring Policy Rules for a Subsystem on page 491 For more information about the certificates associated with OCSP see SSL Server Key Pair and Certificate on...

Page 170: ...real time status of all certificates it has issued this method of revocation checking is most accurate Since the internal OCSP service checks the status of certificates stored in the Certificate Mang...

Page 171: ...ublish the CRL As explained earlier the Online Certificate Status Manager stores each Certificate Manager s CRL in its internal database and uses it as the default CRL store for verifying certificates...

Page 172: ...you will have to create this policy and configure it for this service If you installed the Certificate Manager s with its OCSP service feature disabled a default policy rule named AuthInfoAccessExt i...

Page 173: ...alled The Online Certificate Status Manager s signing certificate was issued by the CA to which you submitted the certificate signing request SSL Server Key Pair and Certificate Every Online Certifica...

Page 174: ...I application An Agent Services interface that is accessible by default only to members of the Online Certificate Status Manager Agent group The agent s services interface is an HTML interface accessi...

Page 175: ...formation such as certificates and certificate requests used by the subsystem you will be installing in this CMS instance By default a separate internal database is created for each subsystem you conf...

Page 176: ...ngth to 4096 bits for certificates that provide access to highly sensitive data or services CMS signing keys up to 2048 bits in length are not subject to export restrictions However the question of ke...

Page 177: ...assuming more than one role Deselect if you want to restrict users from being able to belong to more than one role This setting only applies to the default administrator agent auditor roles Click Nex...

Page 178: ...manager Certificate Manager or Registration Manager automatically The wizard creates a certificate request that you must submit to a CA To automatically submit the request to a remote Certificate Man...

Page 179: ...u re required to paste the encoded certificate into the Installation Wizard next So once you ve copied the certificate go back to the wizard screen Step 13 Also note that you might be required to past...

Page 180: ...ght all the text including BEGIN CERTIFICATE and END CERTIFICATE and copy it to the clipboard or to a text file Be sure to not make any changes to the certificate You re required to paste the encoded...

Page 181: ...p 17 14 Location of Certificate Specify the location of the certificate You can use one of these options If you noted the file path to the file that contains the certificate in its base 64 encoded for...

Page 182: ...o a text file Be sure to not make any changes to the certificate You re required to paste the encoded certificate into the Installation Wizard next So once you ve copied the certificate go back to the...

Page 183: ...icate Extensions for SSL Server Certificate Select the required extensions The default settings should work for most deployments If necessary you can add an additional extension by pasting its base 64...

Page 184: ...nd entity port uses SSL III Click Next to submit the request The Certificate Request Result screen appears confirming that the request has been submitted Note the request ID provided in the response m...

Page 185: ...entities III Click Manual Server Certificate Enrollment or click Agent Based Server Certificate Enrollment if you have an agent certificate If you choose Agent Based Server Certificate Enrollment and...

Page 186: ...click Approve Request 22 SSL Server Certificate Installation Depending on whether you have the certificate ready for pasting into the Installation Wizard screen click Yes or No If you have submitted...

Page 187: ...continue 25 Import Certificate Chain This screen appears only if you need to import the CA certificate chain Follow these steps to import the CA chain of a Certificate Manager a Go to the web browser...

Page 188: ...et up to read from that LDAP publishing directory 3 You must configure your policies or certificate profiles for every CA that will publish to the OCSP Responder to include the Authority Information A...

Page 189: ...can configure for the Online Certificate Status Manager and points you to specific information on configuring those sets of features Adding Users Once the Online Certificate Status Manager is installe...

Page 190: ...the signed audit log and can view configuration settings but cannot perform any other operations on configuration settings and do not have any access to the agent services interface Online Certificate...

Page 191: ...the Certificate Database on page 298 OCSP Certificates Depending on who signed your Online Certificate Status Manager s SSL server certificate you may need to perform the following actions to get that...

Page 192: ...during or after installation See Changing an IP Addresses on page 289 for details Changing Subsystem Security Setting You can configure the security of each subsystem by changing the SSL version used...

Page 193: ...Online Certificate Status Manager contains the framework for jobs but does not contain any prebuilt jobs You can build jobs using the CMS SDK For detailed information on setting up publishing see Cha...

Page 194: ...a value of zero 0 Verify Certificate Manager and Online Certificate Status Manager Connection When you restart the Certificate Manager it tries to connect to the Online Certificate Status Manager s en...

Page 195: ...ificate Status Manager and then select Revocation Info Stores The right pane shows the two repositories the Online Certificate Status Manager can use by default it uses the CRL in its internal databas...

Page 196: ...window to see the updated fields host n Type the fully qualified DNS hostname of the LDAP directory The name must be in the machine_name your_domain domain form For example corpDir1 example com port n...

Page 197: ...ement tab 7 Click Refresh Testing Your OCSP Setup To test whether the Certificate Manager can service OCSP requests properly follow these steps 1 Turn On Revocation Checking in your browser or client...

Page 198: ...cate Manager s OCSP service status again to verify that these things happened The browser sent an OCSP query to the Certificate Manager this response was initiated when you clicked the View button The...

Page 199: ...ply it for example has left the organization that owns the data This chapter explains how to use the Data Recovery Manager to archive end entity s encryption private keys and how to use the archived k...

Page 200: ...used to impersonate the digital identity of the original key owner Clients that generate single key pairs use the same private key for both signing and encrypting data so you cannot archive and recove...

Page 201: ...ce of the Data Recovery Manager For information on customizing this form see Step C Customize the Certificate Enrollment Form on page 231 Initiating the key recovery process also requires its own HTML...

Page 202: ...stored as a key record The archived copy of the key remains encrypted or wrapped with the Data Recovery Manager s storage key see Data Recovery Manager s Key Pairs and Certificates on page 215 It can...

Page 203: ...ata Recovery Manager uses two special key pairs A transport key pair and corresponding certificate A storage key pair Figure 6 1 illustrates how the key archival process occurs when an end entity s re...

Page 204: ...r decrypts it with the private key that corresponds to the public key in its transport certificate After confirming that the private encryption key corresponds to the end entity s public encryption ke...

Page 205: ...tate this by allowing each recovery agent to enter a password in the Data Recovery Manager during configuration They must be available to retrieve your end entity s encryption private keys if the need...

Page 206: ...y recovery agents m provide their identifiers and passwords After verifying the passwords the Data Recovery Manager reconstructs the PIN for the token based on the given information Interface for the...

Page 207: ...ery Manager retrieves the requested key and returns it along with the corresponding certificate in the form of a PKCS 12 package By default key recovery authorization is local Remote Key Recovery Auth...

Page 208: ...g the local authorization option in the Key Recovery form How Agent Initiated Key Recovery Works In an agent initiated key recovery the key is recovered by the collective efforts of a Data Recovery Ma...

Page 209: ...anager agent accesses the Key Recovery form using the appropriate client certificate types the identification information pertaining to the person whose encryption private key needs to be recovered an...

Page 210: ...sword for the PKCS 12 package and their individual identifiers and passwords The Data Recovery Manager agent submits the page to the Data Recovery Manager 5 The Data Recovery Manager matches the key r...

Page 211: ...orage key password Each password retrieves only a part of the private storage key You first specified the key recovery agent scheme when you installed the Data Recovery Manager Changing the Key Recove...

Page 212: ...rator s Guide February 2003 3 In the navigation tree select the Data Recovery Manager and in the right pane click the Scheme Management tab The Scheme Management tab shows the current key recovery sch...

Page 213: ...ion click Done You are returned to the Scheme Management tab Changing Key Recovery Agents Passwords As administrator you have the responsibility of safeguarding the security of each Data Recovery Mana...

Page 214: ...ars 5 Allow the agent to enter the appropriate information During installation the Data Recovery Manager prompts you to enter key recovery agent passwords by default they are set to agent n where n ca...

Page 215: ...ing key pairs and certificates Transport Key Pair and Certificate Storage Key Pair SSL Server Key Pair and Certificate Transport Key Pair and Certificate Every Data Recovery Manager you have installed...

Page 216: ...used see Chapter 6 Data Recovery Manager Note that the public component of the storage key pair is not certified there is no certificate that corresponds to the public key Keys encrypted with the sto...

Page 217: ...of already installed and available tokens For example SmartCard For installation instructions see External Token on page 316 Internal Database Each subsystem uses an internal database to store inform...

Page 218: ...tions permitting it may be a good rule of thumb to start with 1024 bits and consider increasing the length to 4096 bits for certificates that provide access to highly sensitive data or services Howeve...

Page 219: ...ant to restrict users from being able to belong to more than one role This setting only applies to the default administrator agent auditor and trusted manager roles Click Next to continue 7 Subsystems...

Page 220: ...rtificate extension text field accepts a single extension blob If you want to add multiple extensions you should use the ExtJoiner program which is also provided in the tools directory For details on...

Page 221: ...it for the remote Certificate Manager s agent to approve your request IV Open a web browser window V Enter the URL for the remote Certificate Manager s Agent Services page You must have a valid agent...

Page 222: ...tificate Manager s Agent Services page You must have a valid agent s certificate VII Select List Requests click Show Pending Requests and click Find VIII In the pending request list locate your reques...

Page 223: ...inue as far as you can with the configuration and resume after you receive the certificate The default is No Select Yes only if you have the certificate ready in its base 64 encoded format Click Next...

Page 224: ...n PKCS 7 for importing into a server option and click Submit e In the resulting page locate the CA certificate chain in its base 64 encoded format and copy it to the clipboard f Return to the Installa...

Page 225: ...fied host name of the machine on which you re installing the Data Recovery Manager Click Next to continue 24 Certificate Extensions for SSL Server Certificate Select the required extensions The defaul...

Page 226: ...you ve permission to access that Certificate Manager s Agent interface you can follow the instructions below to issue the certificate Otherwise you should wait for the remote Certificate Manager s age...

Page 227: ...f you used the Agent Based Server Certificate Enrollment and you have an agent certificate the certificate will be automatically issued once you submit the request If you used the Manual Server Certif...

Page 228: ...tificate request has been saved to a file You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the subordinate CA s signing certifica...

Page 229: ...red details Click Next to continue 29 Certificate Details This is an informational screen that displays the certificate so you can inspect its contents Notice the nickname assigned to the certificate...

Page 230: ...See Agent Certificates on page 337 for details Configuring Key Archival and Recovery Process By default the Data Recovery Manager is not configured to archive or recover end entity s encryption privat...

Page 231: ...t it initiates the key archival process and requests the service of the Data Recovery Manager for archiving the key For the enrollment authority to be able to request the service of the Data Recovery...

Page 232: ...required to update the following information only The Data Recovery Manager s transport certificate The algorithm length type and usage for end entity s key pairs When you update this information the...

Page 233: ...marker lines BEGIN CERTIFICATE and END CERTIFICATE to a text file An example is shown below MIICDjCCAXegAwIBAgICAfMwDQYJKoZIhvcNAQEEBQAwdzELMAkGA1UEBhMCV VMxLDAqBgNVBAoTI0 5ldHNjYXBlIENvbW11bmljYXRpb...

Page 234: ...es BEGIN CERTIFICATE and END CERTIFICATE to a text file The copied information should look like the example below MIICDjCCAXegAwIBAgICAfMwDQYJKoZIhvcNAQEEBQAwdzELMAkGA1UEBhMCV VMxLDAqBgNVBAoTI0 5ldHNj...

Page 235: ...BvcmF0aW9uMREw DwYDVQQ LEwhIYXJkY29yZTEnMCUGA1UEAxMeSGFyZGNvcmUgQ2VydGlmaWNhdGUgU2Vy dmVyIEl JMB4XDTk4MTExOTIzNDIxOVoXDTk5MDUxODIzNDIxOVowLjELMAkGA1UEBhMC VVMxETA PBgNVBAoTCG5ldHNjYXBlMQwwCgYDVQQDEwNL...

Page 236: ...ess on page 205 In particular you should be familiar with how the key archival process works If you are not see How Agent Initiated Key Recovery Works on page 208 The Data Recovery Manager supports ag...

Page 237: ...ode for Key Recovery The Data Recovery Manager allows key recovery agents to authorize recovery of an end entity s encryption private key locally or remotely The default configuration is local authori...

Page 238: ...ss using Netscape Communicator 4 7 with Personal Security Manager version 1 01 Step A Test Your Key Archival Setup To test whether you can successfully archive a key follow these instructions 1 Enroll...

Page 239: ...the value of the E attribute e Locate and approve the request 3 Check if the certificates have been issued To do this a Click the List Requests link again b In the form that appears select the Show co...

Page 240: ...gned and encrypted There should be a security icon at the top right corner of the message window and it should indicate that the message is signed and encrypted Step C Delete the Certificate To do thi...

Page 241: ...Recovery Works on page 208 The base 64 encoded certificate that corresponds to the private key you want to recover use the enrollment authority s end entity or agent interface to get this information...

Page 242: ...ocess 242 Netscape Certificate Management System Administrator s Guide February 2003 3 Open the test email that you couldn t verify after deleting the certificate from the browser s certificate databa...

Page 243: ...the internal database This chapter contains the following sections The Administrative Interface System Passwords Starting Stopping and Restarting CMS Instances Subsystem Configuration Overview Mail Se...

Page 244: ...u to configure CMS through Netscape Console You access Administration Server by entering its URL in the Netscape Console login screen and providing the user ID and password of the administrative user...

Page 245: ...d administration interface to the user directory You can accomplish various CMS specific tasks from the Console tab Launch the CMS console Install instances of CMS Remove an instance of CMS Clone an i...

Page 246: ...eges with Directory Server but does not allow you to create CMS server instances Password Type the password for this user ID Administration URL Specify the URL for the Administration Server you want t...

Page 247: ...e choices available in this tab will change depending on which subsystem is installed in this server instance The specifics of setting these configuration settings is contained in the appropriate sect...

Page 248: ...resented with a list of your certificates to choose from in order to login You will not be presented with the userID Password entry dialog 4 The CMS console opens Viewing Information About a CMS insta...

Page 249: ...rver s status whether it is started stopped or unknown normally unknown indicates that the server hasn t been configured properly 3 To change the name of the instance or its description Select the ins...

Page 250: ...you need to use certutil to initialize cert8 db and key3 db and to create certificate request make sure to set the LD_LIBRARY_PATH correctly To do this issue the following command setenv LD_LIBRARY_P...

Page 251: ...lientauth authType sslclientauth 20 Save the file 21 Open the file server xml 22 Change the clientauth off attribute to clientauth on in the SSLPARAMS section of the LS id admin LS id admin ip 0 0 0 0...

Page 252: ...d manages Passwords you enter for LDAP directory access are not subjected to quality checks The reason for this is the password quality is handled by the system that creates and manages the password I...

Page 253: ...rds because this file stores the passwords in a plain text file If you do delete the password conf file you must start the server instance using the command line You will be prompted for the token pas...

Page 254: ...CMS Instances Each instance of CMS is started stopped and restarted separately This section describes how to start stop and restart CMS instances and how to check its current status Starting a Server...

Page 255: ...etting in the CMS cfg file that allows you to set the absolute time out the amount of time before the between issuing the shutdown command and actual shutdown If this time is reached before all proces...

Page 256: ...ine To stop a CMS instance from the command line 1 Log in either as root or with the server s user account 2 Go to the following directory server_root cert instance_id 3 Type the following command sto...

Page 257: ...Managers you should install the root CA first You might also want to install a Certificate Manager that will develop a trusted relationship with other subsystems first Configuring Multiple CMS Instanc...

Page 258: ...a CMS instance from your host Removing a CMS instance is not the same as uninstalling CMS For instructions on uninstalling CMS see Uninstalling CMS on page 81 To remove a CMS instance 1 Log in to Net...

Page 259: ...k Save Configuration Files The runtime properties of CMS are governed by a set of configuration parameters These parameters are stored in a file that is read by the server during startup When you inst...

Page 260: ...editing the configuration file because your changes will be overwritten by the cached version when the server is stopped or restarted 2 Go to the following directory server_root cert instance_id conf...

Page 261: ...er The parameter names and their values are strings The parameter names can be hierarchically structured with notation with multiple levels for example ca Policy rule RSAKeyRule maxSize The entries co...

Page 262: ...enrollment form so that the server is able to determine the authentication method during end user enrollment Job Scheduler parameters All job specific information such as registered job modules and c...

Page 263: ...e Registration Managers and you want all these instances to have the same configuration you can accomplish this by configuring one of the instances and then replacing the configuration files of the ot...

Page 264: ...stance_id logs signedAudit You can change the default location for logs by modifying it in the configuration Error and Access Logs The error and access logs are created by Netscape Enterprise Server w...

Page 265: ...during this installation and configuration System Log This log records information about requests to the server all HTTP and HTTPS requests and the responses from the server Information recorded in t...

Page 266: ...Specifies logged events related to the Certificate Manager Database Specifies logged events related to this server s activity with the internal database HTTP Specifies logged events related to the HTT...

Page 267: ...l Message category Description 0 Debugging These messages contain debugging information Generally you would not want to set a log to the debugging level since it would yield far too much information f...

Page 268: ...logs and it holds the messages in these buffers for as long as possible The server flushes out the messages to the log files only when either of the following conditions occurs The buffer gets full t...

Page 269: ...the old file is named using the name of the file with an appended time stamp The appended time stamp is an integer that indicates the date and time the corresponding active log file was rotated The da...

Page 270: ...e a Click Add in the Log Event Listener Management tab The Select Log Event Listener Plug in Implementation window appears It lists registered log modules b Select a plug in module c Click Next The Lo...

Page 271: ...rval in seconds to flush the buffer to the file The default interval is 5 seconds The flushInterval is the amount of time before the contents of the buffer are flushed out and added to the log file ma...

Page 272: ...er Management tab 6 Click Refresh Configuring Logs in the CMS cfg File To modify the configuration settings for logs 1 Stop the CMS instance 2 Open the CMS cfg file located in the directory server_roo...

Page 273: ...for Security The default selection is 1 For more information see Log Levels Message Categories on page 267 maxFileSize Specify the file size in kilobytes KB for the error log The default size is 100...

Page 274: ...at match the search request If you enter zero 0 no messages are returned If you leave the field blank the server returns every matching entry no limit regardless of the number found Source Select the...

Page 275: ...udit Log on page 265 for details about signed audit logs For signing log files you use a command line utility called Netscape Signing Tool signtool For details about this utility check this site http...

Page 276: ...avigation tree select Logs and then in the right pane select the Log Event Listener Plug in Registration tab 4 Click Register The Register Log Event Listener Plug in Implementation window appears 5 Sp...

Page 277: ...d audit log feature is disabled by default You can also set this audit log up as a signed audit log You enable this by setting the logSigning parameter to enable and providing the nickname of the cert...

Page 278: ...ROFILE A change is made to the configuration settings for the CRL framework in other words any of the settings for CRLs including extensions frequency and CRL format CONFIG_OCSP_PROFILE A change is ma...

Page 279: ...stored in the Data Recovery Manager KEY_RECOVERY_AGENT_LOGIN DRM agents log in as recovery agents to approve key recovery requests KEY_RECOVERY_PROCESSED A key recovery has been processed KEY_GEN_ASYM...

Page 280: ...ed in the end entity interface of a Registration Manager enable the raAuditCert profile in that Registration Manager and enable the raAuditCert profile in that Certified Manager that processes the req...

Page 281: ...as the value of the signedAuditCertNickname parameter and specify the events that will be logged in the events parameter 6 Assign auditor users if you have not done so by creating the user and assigni...

Page 282: ...e self tests are run at start up and can also be run on demand The start up self tests run when the server starts up and will keep the server from starting up if a critical self test fails The on dema...

Page 283: ...se associated with which type of subsystem has been configured with this server instance You turn the self test off or change which self tests are considered critical by changing those setting in the...

Page 284: ...nes how large a log file can become before it is rotated Once it reaches this size the file is copied to a rotated file and the log file is started anew For more information see Log File Rotation on p...

Page 285: ...Save the file 6 Start CMS Ports About Ports CMS listens on different ports for requests from different types of users As illustrated in Figure 7 1 it listens on an administration port an agent port a...

Page 286: ...se requests from the appropriate Agent Services interface The Certificate Manager and Registration Manager agents use the agent port to process certificate issuance and management requests from end en...

Page 287: ...initiated PKI requests such as enrollment renewal and revocation enrollment requests can include requests from Cisco routers using the CEP protocol general certificate retrieval requests such as retri...

Page 288: ...this line and edit the value of the port attribute LS id agent ip 0 0 0 0 port 8100 security on acceptorthreads 1 blocking no To change the end entity HTTP port locate this line and edit the value of...

Page 289: ...ne IP address and the Data Recovery Manager is served on another address if the host is configured with more than one IP address To configure a CMS instance to listen to specific IP addresses 1 Stop t...

Page 290: ...between two or more instances You can change the internal database used by a CMS instance This section describes how to change that instance and how to restrict access to the internal database About...

Page 291: ...when you installed this server If you check the files installed under server_root the internal database instance appears like this slapd cms_instance_id db Keep in mind that the subsystems use the da...

Page 292: ...he host name of the machine in which Directory Server is installed Port number Type a TCP IP port number CMS uses this port for non SSL communications with the Directory Server instance that is functi...

Page 293: ...dministrators group 9 Click set Access Control Permission and then Click Add 10 Fill in the following information ACIName clientauth Check all the rights in the Rights tab Click This Entry in the Targ...

Page 294: ...tab 4 In the navigation tree expand Plug ins and then select Pass Through Authentication 5 In the right pane deselect Enable plugin option 6 Click Save to save your changes You are prompted to restart...

Page 295: ...ts of the certificate database and make sure that it doesn t include any unwanted CA certificates For example if the database includes CA certificates that you don t ever want to trust in your PKI set...

Page 296: ...anges click Save Changing the Trust Settings of a CA Certificate CMS relies on the CA certificates in its certificate database for validating certificates it receives during an SSL enabled communicati...

Page 297: ...utton named Change to Trusted 5 Click Change to Untrusted or Change to Trusted as appropriate 6 Click Close You are returned to the Certificate Database Management window The certificate now shows a d...

Page 298: ...CA Certificate Chain in the Certificate Database Any client or server software that supports certificates maintains a collection of trusted CA certificates in its certificate database These CA certifi...

Page 299: ...presents you with the screens appropriate to your choice and walks you through the entire process For installing certificates except for cases when the certificate is self signed by the CA you will ne...

Page 300: ...s CA signing OCSP signing and SSL server certificates If a Registration Manager is installed the list includes the Registration Manager s signing and SSL server certificates If a Data Recovery Manager...

Page 301: ...nformation Specify the key pair information for the certificate to be requested You need to identify the following The token that contains the key pair for generating the certificate request the drop...

Page 302: ...gth of the key pair you are required to provide this information only if you chose to generate the certificate request based on a new key pair For key type you can choose RSA or DSA Be sure to select...

Page 303: ...s is located For example Mountain View State or province enter the name of the state or province where your business is located For example California Country enter the name of the country where your...

Page 304: ...e type select this option if you want to set any of the Netscape Certificate Type extension bits in the certificate you are requesting When you select the option the associated fields are enabled You...

Page 305: ...in a base 64 encoded PKCS 10 format and is bounded by the marker lines BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST An example is show below BEGIN NEW CERTIFICATE REQUEST MIICJzCCAZC...

Page 306: ...m Sending the CSR Automatically to a CMS Manager To send the certificate signing request CSR automatically to a Certificate Manager 1 Type the appropriate values in the following fields Send the reque...

Page 307: ...d to Install a Certificate or Certificate Chain on page 309 Sending the CSR Manually to an Internal CA The following instructions assume that your internally deployed CA is a Certificate Manager and t...

Page 308: ...t yourself 9 When you receive the certificate from the CA you ll need to install it following the instructions in Using the Wizard to Install a Certificate or Certificate Chain on page 309 Sending the...

Page 309: ...currently selected CMS instance Any of the certificates used by a Certificate Manager Registration Manager Data Recovery Manager and Online Certificate Status Manager Any other trusted CA certificate...

Page 310: ...ion briefly explains the data formats recognized by the wizard Binary Formats The wizard can recognize certificates and certificate chains in the following binary formats DER encoded certificate This...

Page 311: ...install a certificate Step 2 Select the Certificate or Certificate Chain Select the certificate you want to install The drop down list shows various options Depending on whether you want to install a...

Page 312: ...me information that will help you decide on the location Keeping the certificate or certificate chain in a text file the wizard can import a certificate or certificate chain from a text file in text a...

Page 313: ...ificate Chain The wizard shows the certificate or certificate chain information you have selected for installing You should check the information to make sure that you have chosen the correct one for...

Page 314: ...quest and install the new certificate Determine which certificate you want to get You can get CA signing OCSP signing CRL signing and SSL server certificates for the Certificate Manager signing and SS...

Page 315: ...e for a Registration Manager check whether the Registration Manager has been set up as a trusted manager for a Certificate Manager and Data Recovery Manager that is you must identify the subsystems th...

Page 316: ...ficates Certificate Management System automatically generates these files in the file system of its host machine when you choose to use the internal token for the first time These files were created f...

Page 317: ...be sure to use a name that will help you identify the token later Install the PKCS 11 Module PKCS 11 is a standard set of APIs and shared libraries used by Netscape and a number of encryption vendors...

Page 318: ...LL to add a UNIX shared dynamic library which on a Solaris machine is identified with the so extension e Click OK To install the PKCS 11 module using the modutil tool a Locate the CMS instance for whi...

Page 319: ...The token internal or external that stores the key pairs and certificates for the subsystems is protected encrypted by a password To decrypt the key pairs or to gain access to them you must enter that...

Page 320: ...gistration Manager or Certificate Manager Configuring the Server s Security Preferences Configuring a CMS manager s security preferences involves identifying the following The SSL server certificates...

Page 321: ...the list of SSL server certificates in the Encryption tab of the CMS window Step 2 Update the Configuration After you verify that the certificates are installed configure the server as follows 1 Stop...

Page 322: ...structions for requesting and installing an SSL client certificate for a Certificate Manager and configuring it to use that certificate for SSL client authentication to the publishing directory 1 Log...

Page 323: ...instance_id identifies the CMS instance in which the Certificate Manager is installed 9 After you ve installed the certificate successfully go to the Tasks tab and stop the Certificate Manager 10 Con...

Page 324: ...Configuring the Server s Security Preferences 324 Netscape Certificate Management System Administrator s Guide February 2003...

Page 325: ...ing access to certain tasks associated with Netscape Certificate Management System CMS The authorization model is very flexible allowing you to configure it to your needs In order to authorize users y...

Page 326: ...the database With certificate based authentication the server also checks that the certificate is valid and finds the group membership of the user by associating the DN of the certificate with a user...

Page 327: ...and adding them to the group called Administrators every member of this group has administrative privileges for this instance of CMS At least one administrator must be defined for each CMS instance t...

Page 328: ...its own agents whose role is defined by the subsystem Each subsystem installed in a CMS instance must have at least one agent and there is no limit to the number of agents a subsystem can have Authent...

Page 329: ...subsystem it trusts allowing it to communicate with the subsystem It does this by specifying the agent services port information for that subsystem Possible Trusted Relationships The Registration Man...

Page 330: ...ivileges For an agent or auditor you also need to get a certificate and store the certificate in the internal database If you set up the CMS console for SSL client authentication you must also import...

Page 331: ...list of users and the user ID now has the privileges of the group they are assigned in this instance of CMS 5 Click Refresh to view the updated configuration 6 Store the user s certificate if the user...

Page 332: ...st their certificate using the manual enrollment form The automated process is built into the request approval form in the Agent Services interface and it enables those who have both Certificate Manag...

Page 333: ...roups The user ID you specified for the new agent will be listed there 12 To view the certificate issued to the new agent select the user ID and click Certificates Setting Up a Trusted Manager You can...

Page 334: ...ppen The subsystem that will be trusted makes its signing certificate request to the Certificate Manager A user who has both administrator and agent privileges with the Certificate Manager providing t...

Page 335: ...you just added appears in the list of users Next you need to store the Registration Manager s signing certificate or Certificate Manager s SSL client certificate in the internal database of the subsy...

Page 336: ...n tree select Registration Manager or Certificate Manager The General Settings tab appears in the right pane 13 Select the Connectors tab 14 In the List of connectors select the connector If you are c...

Page 337: ...ement System on page 340 You can set up a feature that checks the revocation status of agent certificates See Revocation Status Checking of Agent Certificates on page 341 for details about setting up...

Page 338: ...istrator agent Organization unit Type the name of the organization unit to which the administrator agent belongs Organization Type the name of the company or organization the administrator agent works...

Page 339: ...ilable again Getting an Agent s Certificate from a Public CA The following general guidelines explain how a user can get a client certificate from a public CA and how you can copy that certificate in...

Page 340: ...t certificate in base 64 encoded form to the internal database of a subsystem 1 The user sends a client certificate request to CMS from the computer that they will use to access the subsystem from the...

Page 341: ...ntaining the user s certificate in base 64 encoded form 9 Copy the base 64 encoded certificate including the BEGIN CERTIFICATE and END CERTIFICATE marker lines to a text file 10 Save the text file and...

Page 342: ...CMS cfg includes a parameter named jss ocspcheck enable which enables you to specify whether a CMS manager should use Online Certificate Status Protocol OCSP to verify the revocation status of the ce...

Page 343: ...default the feature is enabled revocationChecking unknownStateInterval The default interval is 0 seconds revocationChecking validityInterval Specifies how long in seconds the cached certificates are...

Page 344: ...47 2 In the navigation tree select Users and Groups The Users tab appears in the right pane 3 In the User ID list select the user whose certificate information you want to change and click Certificate...

Page 345: ...Group description field To remove a user from the group select the user and click Delete To add users click Add User In the Select window that appears select the users you want to add and click OK You...

Page 346: ...on tree select Users and Groups 3 Select the Group tab 4 Click Edit The Edit Group Information window appears 5 Specify information in the following fields Group name Type a name for this group Group...

Page 347: ...CI also contains an evaluator expression The default implementation of ACLs specifies only users groups and IP addresses as possible evaluator types although you could create others using the CMS SDK...

Page 348: ...S console interface you create or modify ACIs in an editor that allows you to do this in a graphical environment You choose from allow or deny in the Allow and Deny field then you choose one of the op...

Page 349: ...cess to more than one operator in a single ACI select the first operator from the list and then hold down Ctrl while selecting other operators Syntax The syntax field of the ACI editor is where you sp...

Page 350: ...ion specified An IP address is specified using its numeric value DNS values are not permitted For example ipaddress 12 33 45 99 ipaddress 23 99 09 88 Stringing Values You can create a string with more...

Page 351: ...ation specified in this ACI to the group s user s or IP address es specified For more information about allowing or denying access see Allow and Deny on page 348 b Select one operator from the possibl...

Page 352: ...efault ACIs for each ACL resource defined Each subsystem you install will contain only those ACLs that are relevant to that subsystem certServer acl configuration Allow or deny a read or modify operat...

Page 353: ...uation TOE it is unavailable after the CA is up and running Allow or deny submit read or execute operations for an administrator enrollment request Operations Default ACIs allow submit user anybody al...

Page 354: ...interface Operations Default ACIs allow import unrevoke revoke read group Certificate Manager Agents Certificate Manager Agents can import unrevoke revoke and read a certificate read Viewing authenti...

Page 355: ...certificate revocation requests list Listing certificates based on a search Retrieving details about a range of certificates based on providing a range of serial numbers read Viewing CRL plug in info...

Page 356: ...Default ACIs allow submit group Trusted Managers Trusted Manager can submit requests to this interface certServer ca clone Allow or deny a submit operation for a connection to the CA by a cloned CA Op...

Page 357: ...ertificate Manager Agents Certificate Manager agents can update the directory certServer ca group Allow or deny an update operation to add a group Operations Default ACIs allow add group Administrator...

Page 358: ...group Certificate Manager Agents Certificate Manager agents can list certificate profiles certServer ca profile Allow or deny a read or approve operation for certificate profiles in the agent service...

Page 359: ...assign unassign group Certificate Manager Agents Anyone can submit an enrollment request only Certificate Manager Agents can read or execute enrollment requests certServer ca request profile Allow or...

Page 360: ...view statistics certServer ee certificate Allow or deny a renew revoke read or import operation in the end entity interface Operations Default ACIs allow renew revoke read import user anybody approve...

Page 361: ...ver ee certchain Allow or deny a download or read operation for the CA s certificate chain in the end entity interface Operations Default ACIs allow download read user anybody Anyone can read or downl...

Page 362: ...e profiles certServer ee profiles Allow or deny a list operation for certificate profiles in the end entity interface Operations Default ACIs allow list user anybody Anyone can list certificate profil...

Page 363: ...ions Default ACIs allow submit user anybody Anyone can submit an enrollment request certServer ee request facetofaceenrollment Allow or deny to submit face to face enrollment Operations Default ACIs a...

Page 364: ...ne can submit a revocation request certServer ee requestStatus Allow or deny a read operation for the request status available from the end entity interface Operations Default ACIs allow read user any...

Page 365: ...ng environment LDAP configuration SMTP configuration server statistics encryption token names subject name of certificates certificate nicknames all subsystems that have been loaded by the server get...

Page 366: ...iguration Operations Default ACIs allow read group Administrators group Auditors group Certificate Manager Agents group Registration Manager Agents group Data Recovery Manager Agents group Online Cert...

Page 367: ...can read recover or retrieve key information certServer kra keys Allow or deny a list operation for the Data Recovery Manager Operations Default ACIs allow list group Data Recovery Manager Agents Onl...

Page 368: ...group Data Recovery Manager Agents Only Data Recovery Manager Agents can list key archival requests certServer kra request status Allow or deny a read operation for a Data Recovery Manager request Op...

Page 369: ...up Online Certificate Status Manager Agents allow modify group Administrators Administrators Agents and auditors are allowed to read the log configuration only administrators are allowed to modify the...

Page 370: ...me parameter of a log instance Operations Default ACIs allow read group Administrators group Auditors group Certificate Manager Agents group Registration Manager Agents group Data Recovery Manager Age...

Page 371: ...all logs Operations Default ACIs allow read group Administrators group Auditors group Certificate Manager Agents group Registration Manager Agents group Data Recovery Manager Agents group Online Cert...

Page 372: ...icate Authorities certServer ocsp certificate Allow or deny a validate operation for checking certificate revocation information Operations Default ACIs allow validate group Online Certificate Status...

Page 373: ...o modify OCSP configuration certServer ocsp crl Allow or deny an add operation for posting CRL to an OCSP Operations Default ACIs allow add group Online Certificate Status Manager Agents Online Certif...

Page 374: ...a Recovery Manager Agents group Online Certificate Status Manager Agents group Auditors allow modify group Administrators read Viewing policy plug ins and instances Listing policy plug ins and instanc...

Page 375: ...and agents are allowed to read publisher configuration only administrators are allowed to modify publisher configuration certServer ra configuration Allow or deny a read or modify operation for the c...

Page 376: ...import unrevoke revoke read group Registration Manager Agents Registration Manager agents can import unrevoke revoke and read certificates certServer ra connector Allow or deny a submit operation for...

Page 377: ...enable disable face to face enrollment certServer ra facetofaceenrollment enableHosts Allow or deny reading all hosts enabled for face to face registration Operations Default ACIs allow read group Re...

Page 378: ...can read and approve certificate profiles certServer ra profiles Allow or deny a list operation to certificate profiles in the agent services interface in a Registration Manager Operations Default AC...

Page 379: ...fault ACIs allow approve read group Registration Manager Agents Registration Manager agents can view and approve certificate profile based requests certServer ra requests Allow or deny a list operatio...

Page 380: ...stration Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents group Auditors allow modify group Administrators Administrators auditors and agents are allowe...

Page 381: ...tration Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents allow modify group Administrators Administrators auditors and agents are allowed to read user a...

Page 382: ...ACL Reference 382 Netscape Certificate Management System Administrator s Guide February 2003...

Page 383: ...rollment Automated Enrollment Agent Initiated End User Enrollment Certificate Based Enrollment Issuing and Managing Server Certificates CEP Enrollment Testing Your Enrollment Setup Managing Authentica...

Page 384: ...g an instance of one of the authentication plug in modules You can also create plug ins for automatic enrollment using other forms of authentication such as a secure ID card or a relational database u...

Page 385: ...ficate Manager If the subsystem where the request is submitted is a Registration Manager the request must pass the policies and certificate profiles of both the Registration Manager and the Certificat...

Page 386: ...tyConstraints on page 501 If the renewal lead time does not permit renewing the server rejects the renewal request Also if the policy is disabled renewal of certificates fails If the certificate being...

Page 387: ...ent s approval An agent can change some aspects of the request change the status of the request reject the request or approve the request Once the request is approved the signed request is sent to the...

Page 388: ...and a pin you set up in their directory entry and then given to the end entity See Setting Up Pin Based Enrollment on page 395 Portal Enrollment End users are registered into an LDAP directory and iss...

Page 389: ...onality setting policies for specific certificates in the certificate profile see Chapter 10 Certificate Profiles for information about policies In the case of policy based enrollments customize the H...

Page 390: ...and entry DN See DNs in Certificate Management System on page 750 ldapStringAttributes Specifies the list of LDAP string attributes that should be considered authentic for the end entity If specified...

Page 391: ...Specifies the minimum number of connections permitted to the authentication directory Permissible values 1 to 3 ldap maxConns Specifies the maximum number of connections permitted to the authenticatio...

Page 392: ...SAuth Authentication plug in module and configure the instance See Setting Up the NISAuth Authentication on page 392 for details Customize the HTML enrollment forms Make sure the proper authentication...

Page 393: ...ctory attributes and entry DN See DNs in Certificate Management System on page 750 extendedDN Specifies the suffix that the server should add to the default subject DN when an LDAP directory is not sp...

Page 394: ...apconn port Specifies the TCP IP port on which the authentication LDAP directory listens to requests from CMS ldap ldapconn secureConn Specifies the type SSL or non SSL of the port on which the authen...

Page 395: ...t policies Alternatively you can enroll users through the certificate profile functionality setting policies for specific certificates in the certificate profile see Chapter 10 Certificate Profiles fo...

Page 396: ...Open the setpin conf file in a text editor 3 Follow the instructions outlined in the file and make the appropriate changes Typically you will need to update the Directory Server s host name Directory...

Page 397: ...need to enable the AttributePresentConstraints policy in the Certificate Manager that actually issues the certificates see AttributePresentConstraints on page 495 This policy forces the Certificate M...

Page 398: ...hould be considered authentic for the end entity If specified the values corresponding to these attributes will be copied from the authentication directory into the authentication token that is values...

Page 399: ...password cache and uses it for subsequent start ups You need to specify this parameter only if you ve selected removePin ldap ldapauth clientCertNickname Specifies the nickname of the certificate to b...

Page 400: ...not presently exist for that user and to issue the user a certificate Portal enrollment is useful when you have a portal and want to register users and have them later authenticate using a certificate...

Page 401: ...s Create an instance of the PortalEnroll Authentication plug in module and configure the instance See Setting Up the PortalEnroll Authentication on page 401 for details Customize the HTML enrollment f...

Page 402: ...e fully qualified DNS host name of the authentication directory ldap ldapconn port Specifies the TCP IP port on which the authentication directory listens to requests from CMS ldap ldapconn secureConn...

Page 403: ...N from the ldap ldapauth bindDN attribute to bind to the directory default SslClientAuth specifies SSL client authentication If you choose this option be sure to set the value of the ldap ldapconn sec...

Page 404: ...bout policies Alternatively you can enroll users through the certificate profile functionality setting policies for specific certificates in the certificate profile see Chapter 10 Certificate Profiles...

Page 405: ...C Enroll Utility The CMC Enroll utility CMCEnroll is used to sign a certificate request with an agent s certificate It is installed along with CMS and is available in the following directory server_ro...

Page 406: ...er 1 Go to the directory server root cert instance web apps ee ra 2 Open the file CMCEnrollment html 3 Find the following line form method post action enrollment onSubmit return validate document form...

Page 407: ...le the End Entity pages for CMC Enrollment on page 406 7 Submit your signed certificate using the end entity port a Go the End Entity port b Select CMC Enrollment from the main end entity page c Paste...

Page 408: ...ntDirEnrollment plug in is an instance of the HashAuth plug in You can turn this feature off by disabling or deleting the AgentDirEnrollment instance CMS provides the following form for agent initiate...

Page 409: ...e them available to users by some means Basically a user can get and use any pre initialized and certificate loaded hardware token Next each user uses the randomly picked token to enroll for a pair of...

Page 410: ...asedSingleEnroll html this form is provided as a sample It enables end users to request signing certificates by submitting pre issued certificates as authentication tokens when a user enrolls for a ce...

Page 411: ...o other servers and end users and to encrypt data In order to issue SSL server certificates the signing certificate for the Certificate Manager must be enabled for such issuance If the Certificate Man...

Page 412: ...y and in the internal database of CMS CMS allows server administrators to renew their certificates by using the server enrollment form hosted by a Certificate Manager or Registration Manager The renew...

Page 413: ...for approval by the Certificate Manager agent To submit the server certificate request to CMS manually 1 Open a web browser window 2 Go to the End Entity Services interface of the Certificate Manager...

Page 414: ...support for IPSec see the information available at this URL http www cisco com warp public cc cisco mkt security encryp prodlit 821_pp htm You can issue certificates to routers and CEP compliant Virt...

Page 415: ...configure the plug in See Authentication Token File on page 415 and Setting Up the CEP Plug In on page 416 Authentication Token File You create a text file with CEP enrollee information that is used...

Page 416: ...CMS SDK See the SDK documentation for information about this plug in and any additional programming you may need to do to it 2 Register the plug in the CMS authentication framework See the CMS SDK for...

Page 417: ...path name keyAttributes Specifies a comma separated list of attributes in the request which together uniquely identify an entry in the authentication token file The list of attributes you specify her...

Page 418: ...teway cep cep1 entryObjectClass cep eeGateway cep cep1 url cgi bin pkiclient exe eeGateway cep cep1 authName flatfile_router VPN configuration eeGateway cep cep2 url vpnenroll eeGateway cep cep2 authN...

Page 419: ...chema can accommodate VPN clients You may need to update the Directory Server s schema The reason for this is if you plan on publishing certificates from routers they may need to be published with the...

Page 420: ...nstance of the policy plug in named CRLDistributionPointsExt for router certificates This extension if present in a certificate enables the user of the certificate to find revocation information perta...

Page 421: ...cate an entry must already exist for the DN in the directory Enter true if you want the Certificate Manager to create an entry if one does not already exist true false Enter false if an entry already...

Page 422: ...ey length such as 512 or 1024 The longer the key length the more time the router takes to generate the key pair 6 Request the CA s Certificate In this part of the operation you identify the CA to the...

Page 423: ...authentication for routers the request will get processed by the CA The CA may return the certificate to the router in the same transaction If it doesn t the router checks with the CA at periodic inte...

Page 424: ...tity exit router config crypto ca authenticate test ca Certificate has the following attributes Fingerprint 24D34656 EB830C39 DD9E8179 0A4EBA98 Do you accept this certificate yes no yes router config...

Page 425: ...do it through profiles please read the instructions in Chapter 10 Certificate Profiles To test whether your end users can successfully enroll for a certificate using the authentication method you ve...

Page 426: ...ch the Directory Server is listening to authentication requests from the Certificate Manager base_dn with the DN to start searching for the user s entry and user_id with the ID of the user for whom yo...

Page 427: ...this class is part of a package be sure to include the package name For example if you are registering a class named customAuth and if this class is in a package named com customplugins type com custo...

Page 428: ...sers need to generate Software Publishing File SPC files for their object signing certificates you should ask them to use the Microsoft tool named cert2spc The SPC file enables them to execute command...

Page 429: ...ls AtoB cert b64 cert der converts the base 64 encoded certificate in the cert b64 file to its DER encoded format and writes the DER encoded certificate to a file named cert der 8 Next use the Microso...

Page 430: ...Generating Files Required By Third Party Object Signing Tools 430 Netscape Certificate Management System Administrator s Guide February 2003...

Page 431: ...content that can be contained in this type of certificate and the contents of the input and output forms associated with the certificate profile Enrollments requests are submitted to a particular cert...

Page 432: ...efaults the constraints used in each policy the values assigned to any of the parameters in a policy or the input and output You can also create other certificate profiles either for other types of ce...

Page 433: ...interface where end entity can enroll for a certificate using the certificate profile The Certificate Profile enrollment page contains links to each type of certificate profile enrollment that has be...

Page 434: ...aluated with the first certificate request and the second set is evaluated with the second certificate request There is no need for more than one set if you are issuing a single certificate or more th...

Page 435: ...by adding or deleting inputs in the certificate profile thus defining the fields on the input page Add or delete the single output Optionally you can modify existing defaults constraints inputs and o...

Page 436: ...his window Certificate Profile Instance ID Specify the instance ID of the certificate profile This name or number will be used by the system to identify the instance Certificate Profile Name Specify a...

Page 437: ...bmitted request is queued in the request queue of the agent services interface e Click Ok The new certificate profile appears in the Certificate Profile Instances Management tab 6 To modify an existin...

Page 438: ...e Certificate Profile Authentication Specify the authentication method Specify an automated authentication by providing the instance ID for the authentication instance that will be used If this field...

Page 439: ...the policies associated with each certificate Certificate Profile Policy ID Type a name or identifier for this certificate profile policy d Configure any parameters in the Default or Constraint tab S...

Page 440: ...e constraint applied to this policy Some values can be edited by clicking into the value field and changing the entry others have pull down menus associated with them where you can pick the values ava...

Page 441: ...puts tab of the Certificate Profile Rule Editor window You need to set up outputs for any certificate profile that uses an automated authentication method you do not need to set up outputs for any cer...

Page 442: ...for the types of certificates that are usually issued by a RA and a CA All certificate profiles are installed with a CA only those certificate profiles beginning with ra are installed with and RA The...

Page 443: ...red for enrollments for end user certificates using directory based authentication in a Certificate Manager caAgentServerCert Configured for enrollments for server certificates allowing for automatic...

Page 444: ...te profile up to match the certificate profile set up in the RA the value of the End User Certificate Profile needs to be set to false in order for the CA to be able to accept the request from somewhe...

Page 445: ...certificate used by a subsystem to sign the signed audit logs Input Reference An input puts certain fields on the enrollment page associated with a particular certificate profile You define inputs fo...

Page 446: ...s field will display Not Supported on browsers other than Netscape 7 and above Key Generation Input The Key Generation Input input is used for enrollments in which a single key pair will be generated...

Page 447: ...certificate Requestor Phone This field is used to enter the phone number of the requestor of this certificate Output Reference An output represents the response to the end user of a successful enrollm...

Page 448: ...allows you to provide references to CRL locations For general information about this extension see authorityInfoAccess on page 723 You can define the following constraints with this default Extension...

Page 449: ...ue must be a valid domain name in the fully qualified DNS format For example testCA example com If you selected EDIPartyName the value must be an IA5String For example Example Corporation If you selec...

Page 450: ...uring the certificate chain verification process to identify CA certificates and to apply certificate chain path length constraints For general information about this extension see basicConstraints on...

Page 451: ...tension is set in end entity certificates Permissible values 0 or n Make sure that the value you choose is less than the path length specified in the Basic Constraints extension of the CA signing cert...

Page 452: ...arked with an n in the table to distinguish that the parameter is associated with one of the five possible locations Table 10 3 CRL Distribution Points Extension Configuration Parameters Parameter Des...

Page 453: ...any of the following formats An X 500 directory name in the RFC 2253 syntax For example CN CA Central OU Research Dept O Example Corporation C US A URIName for example it would look similar to this h...

Page 454: ...IDs 1 3 6 1 4 1 311 10 3 4 this OID is for the EFS certificate 1 3 6 1 4 1 311 10 3 4 1 this OID is for the EFS recovery certificate The EFS recovery certificate is used by a recovery agent when a use...

Page 455: ...f the five possible locations Table 10 5 Extended Key Usage Extension Default Configuration Parameters Parameter Description Critical Select true to mark this extension critical select false to mark t...

Page 456: ...nt Select from DirectoryName and URIName PointName_ n If pointType is set to directoryName the value must be a string form of X 500 name similar to the subject name in a certificate For example CN CAC...

Page 457: ...efully consider the legal consequences of its use before setting it for any certificate Select true to set select false to not set keyEncipherment Specifies whether to set the extension for SSL server...

Page 458: ...ify parameters for each of these location The parameters are marked with an n in the table to distinguish that the parameter is associated with one of the five possible locations decipherOnly Specifie...

Page 459: ...ed RFC822Name the value must be a valid Internet mail address in fully qualified DNS format For example testCA example com If you selected DirectoryName the value must be a string form of X 500 name s...

Page 460: ...nc othername txt PermittedSubtree Enable_ n Select true to enable this permitted subtree entry select false to disable this permitted subtree entry ExcludedSubtrees n min Specifies the minimum number...

Page 461: ...encoding rules The name must include both a scheme for example http and a fully qualified domain name or IP address of the host For example http testCA example com If you selected IPAddress the value...

Page 462: ...e certificate type for example it identifies whether the certificate is a CA certificate server SSL certificate client SSL certificate object signing certificate or S MIME certificate and thus enables...

Page 463: ...tions Select true to include this capability select false to not include this capability CertEmail Specifies that the certificate can be used to send secure email messages Select true to include this...

Page 464: ...sion Constraint on page 477 Extension Constraint see Extension Constraint on page 475 No Constraints see No Constraint on page 477 Policy Constraints Extension Default This default populates a policy...

Page 465: ...It specifies at the most n subordinate CA certificates are allowed in the path before an explicit policy is required Note that the number you specify affects the number of CA certificates to be used d...

Page 466: ...icy equivalent to the subjectDomainPolicy of the subject CA The issuing CA s users may accept an issuerDomainPolicy for certain applications The policy mapping tells these users which policies associa...

Page 467: ...me on page 732 The standard suggests that if the certificate subject field contains an empty sequence then the subject alternative name extension must contain the subject s alternative name and that t...

Page 468: ...checks the certificate request for configured attributes If the request contains an attribute the policy reads its value and sets it in the extension This way the extension that gets to added to cert...

Page 469: ...tory name similar to the subject name in a certificate For example CN Jane Doe OU Sales Dept O Example Corporation C US Select DNSName if the request attribute value is a DNS name For example corpDire...

Page 470: ...on page 477 Subject Name Default This default populates server side configurable subject name into the certificate request You provide a static subject name that is used as the subject name in the ce...

Page 471: ...certificate profile allows a user to define extensions No inputs are provided to add user supplied extensions to the enrollment form You can create an input for this purpose using the CMS SDK You can...

Page 472: ...d Subject Name Default This default populates a user supplied subject name into the certificate request If included in the certificate profile allows a user to supply a subject name for the certificat...

Page 473: ...if the basic constraint in the certificate request satisfies the criteria set in this constraint Table 10 17 Validity Default Configuration Parameters Parameter Description range Specifies the validi...

Page 474: ...ion of the CA signing certificate owned by the CA that will issue these certificates 0 specifies that no subordinate CA certificates are allowed below the subordinate CA certificate being issued that...

Page 475: ...guration Parameters Parameter Description Critical Specifies whether the extension can be marked critical or noncritical Select true to allow the extension to be marked critical select false to disall...

Page 476: ...constraints are placed for this parameter keyEncipherment Specifies whether to set the extension for SSL server certificates and S MIME encryption certificates Select true to allow this to be set sel...

Page 477: ...cifies whether to set the extension if the public key is to be used only for deciphering data If this bit is set keyAgreement should also be set Select true to allow this to be set select false to not...

Page 478: ...ch as Java applets and plug ins Select true to allow this capability select false to not allow this capability select to indicate no constraints are placed for this parameter CertSSLCA Specifies that...

Page 479: ...all of the following MD2withRSA MD5withRSA SHA1withRSA Table 10 24 Subject Name Constraint Configuration Parameters Parameter Description Pattern Specifies a regular expression specified as a string a...

Page 480: ...scape Certificate Management System Administrator s Guide February 2003 Table 10 25 Validity Constraint Configuration Parameters Parameter Description range The range parameter is of type integer And...

Page 481: ...ewer default certificate enrollment feature Certificate Enrollment Profiles see Chapter 10 Certificate Profiles The policies feature will be discontinued in the future release s To enable the feature...

Page 482: ...e revocation key archival and key recovery requests For example in the case of a certificate issuance request the outcome would be the certificate content A Certificate Manager s policy can include ru...

Page 483: ...o fall within a predetermined range say between 6 and 24 months A subsystem s policy configuration can consist of one or more policy rules each performing one or more of the following operations Valid...

Page 484: ...les on the request based on the request type The policy processor also filters the rules based on predicates see Using Predicates in Policy Rules on page 485 Note that the policy processor applies onl...

Page 485: ...rs AND or OR For example you could set up a predicate to put the CRL Distribution Point extension only in SSL client certificates or set different validity dates for certificates for users in differen...

Page 486: ...in the request Other attributes regarding the end entity such as the user ID are set on the request after successful authentication The servlets also interpret the form content for example retrieving...

Page 487: ...Attributes for predicates can come from any of the following Input form that is the HTML form that end entities use for submitting certificate requests Authentication token what the authentication su...

Page 488: ...ificate server SSL server certificate Enrollment doSslAuth Specifies whether the client is required to do SSL client authentication during enrollment Default values include the following on off Enroll...

Page 489: ...name attribute_name value attribute_value Enrollment cepsubstore Specifies the name of the CEP service for example cep1 and cep2 When setting up multiple CEP services you can use predicates to differ...

Page 490: ...s policy plug in implementation 2 Enter the appropriate values for all the attributes Assume you named the instance ValidityRule1 set the minimum validity period to 10 days set the maximum validity pe...

Page 491: ...AND HTTP_PARAMS orgunit Sales The new configuration would result in certificates with a validity period of six months for users in the Sales organizational unit and a validity period of three months...

Page 492: ...ameter In this way you can avoid re creating the rule in the future Because the subsystems subject end entity requests only to rules that are currently enabled keeping unwanted rules in the disabled s...

Page 493: ...f required To add a new policy rule to the CMS configuration 1 In the Policy Rules Management tab click Add The Select Policy Plugin Implementation window appears It lists registered policy plug in mo...

Page 494: ...onfigured policy rules in the order in which they are executed by the subsystem 2 To change the order of a rule select it in the list and click the Up or Down button as appropriate Keep in mind that t...

Page 495: ...ic Policy Module Reference Constraints specific policy plug in modules help you define rules or constraints that CMS uses to evaluate an incoming certificate enrollment renewal or revocation request E...

Page 496: ...olicy during installation Table 11 3 describes the configuration parameters of the AttributePresentConstraints policy Table 11 3 AttributePresentConstraints Configuration Parameters Parameter Descript...

Page 497: ...ntication type basic authentication or SSL client authentication required in order to check attributes in the LDAP directory BasicAuth specifies basic authentication default If you choose this option...

Page 498: ...maxConns Specifies the maximum number of connections permitted to the LDAP directory when needed connection pool can grow to this many multiplexed connections Permissible values 3 to 10 the default v...

Page 499: ...ize Specifies the minimum length in bits for the key the length of the modulus in bits The value must be smaller than or equal to the one specified by the maxSize parameter Permissible values 512 or 1...

Page 500: ...ts Configuration Parameters Parameter Description enable Specifies whether the rule is enabled or disabled Select to enable default deselect to disable predicate Specifies the predicate expression for...

Page 501: ...rmissible values RSA or RSA Table 11 7 RenewalConstraints Configuration Parameters Parameter Description enable Specifies whether the rule is enabled or disabled Select to enable the rule default Dese...

Page 502: ...instance of the revocation constraints policy named RevocationConstraintsRule that is enabled by default Table 11 9 describes the configuration parameters of the RevocationConstraints policy Table 11...

Page 503: ...ion parameters of the RSAKeyConstraints policy predicate Specifies the predicate expression for this rule If you want this rule to be applied to all certificate requests leave the field blank default...

Page 504: ...and renewal requests During installation CMS automatically creates an instance of the signing algorithm constraints policy named SigningAlgRule that is enabled by default minSize Specifies the minimum...

Page 505: ...rly You may apply this policy to CA certificate enrollment and renewal requests Table 11 11 SigningAlgorithmConstraintsConfiguration Parameters Parameter Description enable Specifies whether the rule...

Page 506: ...he server accordingly using the policy Alternatively if you want to allow your users to own multiple certificates each for a different use all having the same subject name you can do so easily using t...

Page 507: ...g Specifies whether the certificate request must be checked for the Key Usage extension Note that the policy can check the certificate request for the Key Usage extension only if you deselect the enab...

Page 508: ...implementation The ability to configure the value of the leadTime parameter in the policy rule allows you to prohibit end entities from requesting certificates whose validity starts too far in the fu...

Page 509: ...me when the policy rule is run The notBefore attribute value specifies the date on which the certificate validity begins validity dates through the year 2049 are encoded as UTCTime dates in 2050 or la...

Page 510: ...lications most likely will not understand your extension By default only noncritical extensions are added to certificates This ensures that the resulting certificates can be used with all clients If y...

Page 511: ...ation Parameters Parameter Description enable Specifies whether the rule is enabled or disabled Select to enable deselect to disable predicate Specifies the predicate expression for this rule If you w...

Page 512: ...pecifies the address or location to get additional information about the CA that has issued the certificate in which this extension appears Specifying the information based on the following If you sel...

Page 513: ...Pv4 address must be in the n n n n format for example 128 21 39 40 IPv4 address with netmask must be in the n n n n m m m m format For example 128 21 39 40 255 255 255 00 For IP version 6 IPv6 the add...

Page 514: ...16 AuthorityKeyIdentifierExt Configuration Parameters Parameter Description enable Specifies whether the rule is enabled or disabled Select to enable deselect to disable predicate Specifies the predi...

Page 515: ...ng up the chain The maxPathLen parameter has no effect if the extension is set in end entity certificates Permissible values 0 or n Make sure that the value you choose is less than the path length spe...

Page 516: ...r this rule If you want this rule to be applied to all certificate requests leave the field blank default To form a predicate expression see Using Predicates in Policy Rules on page 485 critical Speci...

Page 517: ...isplayText Specifies the textual statement to be included in certificates this parameter corresponds to the explicitText field of the user notice If you want to embed a textual statement for example y...

Page 518: ...To form a predicate expression see Using Predicates in Policy Rules on page 485 critical Specifies whether the extension should be marked critical or noncritical Select to mark critical deselect to ma...

Page 519: ...r future time in seconds by which the certificate must be renewed the endTime field of the extension will be set to the specified time since certificate issuance You can specify the time period in sec...

Page 520: ...ificate for client authentication the extension enables the certificate using application to restrict the release of individual certificates to web sites requesting SSL client authentication The certi...

Page 521: ...ry name Select dNSName if the site is a DNS name default Select ediPartyName if the site is a EDI party name Select URL if the site is a uniform resource identifier Select iPAddress if the site is an...

Page 522: ...40 IPv4 address with netmask must be in the n n n n m m m m format For example 128 21 39 40 255 255 255 00 For IP version 6 IPv6 the address should be in the form with netmask separated by a comma Ex...

Page 523: ...ion points to be included in the extension it must be an integer greater than zero The default is 3 Note that when you set a number other than O each distribution point has its own set of configuratio...

Page 524: ...constants unused keyCompromise cACompromise affiliationChanged superseded cessationOfOperation certificateHold issuerName n Specifies the name of the issuer that has signed the CRL maintained at distr...

Page 525: ...he private key and the data encrypted with that key needs to be used CMS supports the above two OIDs and allows you to issue certificates containing extended key usage extension with these OIDs Normal...

Page 526: ...ecifying that no key usage purposes can be contained in the extension or n specifies the total number of key usage purposes to be included in the extension it must be an integer greater than zero The...

Page 527: ...ting and testing the server in a production environment you should comply with the ISO rules for defining OIDs and for registering subtrees of IDs See Appendix H Object Identifiers for information on...

Page 528: ...allation CMS automatically creates an instance of the generic ASN 1 extension policy named GenericASN1Ext that is disabled by default Configuration Parameters of GenericASN1Ext The configuration defin...

Page 529: ...values A valid OID specified in dot separated numeric component notation see the example Although you can invent your own OIDs for the purposes of evaluating and testing this server in a production e...

Page 530: ...tring for extensions that have ASN 1 PrintableString values It s case insensitive and accepts any normal string as value Select UTCTime for site defined extensions that have ASN 1 UTCTime values Selec...

Page 531: ...ue For example 1234567890 If the data type is IA5String enter a normal string as value For example Test of IA5String If the data type is OctetString and if the data source is Value enter the value in...

Page 532: ...whether the extension should be marked critical or noncritical Select to mark critical default deselect to mark noncritical numGeneralNames Specifies the total number of alternative names or identiti...

Page 533: ...If you selected rfc822Name the value must be a valid Internet mail address in the local part domain format see the definition of an rfc822Name as defined in RFC 822 http www ietf org rfc rfc0822 txt...

Page 534: ...rmat For example 128 21 39 40 255 255 255 00 For IP version 6 IPv6 the address should be in the form described in RFC 1884 http www ietf org rfc rfc1884 txt with netmask separated by a comma Examples...

Page 535: ...6 lists the bits and their designated purposes You can restrict the purposes for which a key pair and thus the corresponding certificate should be used by setting the appropriate key usage bits For ex...

Page 536: ...ing by editing the enrollment forms as you can do this easily by making the appropriate changes to the policy instance bits set on the server side override the ones set on the client side However if y...

Page 537: ...e enrollment form ManRAEnroll html for requesting Registration Manager signing certificates ServerCertKeyUsageExt This rule is for setting the appropriate key usage bits in SSL server certificates and...

Page 538: ...whether to set the digitalSignature bit or bit 0 of the key usage extension in certificates specified by the predicate parameter Permissible values true false or HTTP_INPUT Select true if you want the...

Page 539: ...e server to set the bit default Select false if you don t want the server to set the bit Select HTTP_INPUT if you want the server to check the certificate request for the HTTP input variable correspon...

Page 540: ...ue if you want the server to set the bit default Select false if you don t want the server to set the bit Select HTTP_INPUT if you want the server to check the certificate request for the HTTP input v...

Page 541: ...u don t want the server to set the bit Select HTTP_INPUT if you want the server to check the certificate request for the HTTP input variable corresponding to the decipherOnly bit and set the bit accor...

Page 542: ...ber of permitted subtrees to be included in the extension it must be an integer greater than zero The default value is 8 numExcludedSubtrees Specifies the total number of subtrees to be excluded in th...

Page 543: ...ryName permittedSubtrees n base generalNameValue Specifies the general name value for the permitted subtree you want to include in the extension Permissible values Depends on the general name type you...

Page 544: ...4 IPv4 the address should be in the form specified in RFC 791 http www ietf org rfc rfc0791 txt IPv4 address must be in the n n n n format for example 128 21 39 40 IPv4 address with netmask must be i...

Page 545: ...are allowed excludedSubtrees n base generalNameChoice Specifies the general name type for the excluded subtree you want to include in the extension Permissible values rfc822Name directoryName dNSName...

Page 546: ...9 For example CN SubCA OU Research Dept O Example Corporation C US If you selected dNSName the value must be a valid domain name in the preferred name syntax as specified by RFC 1034 http www ietf org...

Page 547: ...FFFF FFFF FFFF FFFF FFFF FF00 0000 If you selected OID the value must be a unique valid OID specified in dot separated numeric component notation For example 1 2 3 4 55 6 5 99 If you selected otherNa...

Page 548: ...ee section Using Predicates in Policy Rules in Chapter 18 Setting Up Policies of CMS Administrator s Guide Example HTTP_PARAMS certType client critical Specifies whether the extension should be marked...

Page 549: ...o default value displayText Specifies the textual statement that should be included in certificates If you want to embed a textual statement for example your company s legal notice in certificates the...

Page 550: ...d the extension by enabling the Netscape certificate type extension policy and which bits are to be set by adding the appropriate HTTP variables to the enrollment forms Bits set in the Netscape certif...

Page 551: ...quested using the form For example the server enrollment form embeds the ssl_server variable whereas the subordinate CA Certificate Manager enrollment form embeds the ssl_client email_ca ssl_ca and ob...

Page 552: ...tificate requests leave the field blank default To form a predicate expression see Using Predicates in Policy Rules on page 485 setDefaultBits Specifies whether to set the Netscape certificate type ex...

Page 553: ...nt For general information about this extension see policyConstraints on page 731 During installation CMS automatically creates an instance of the policy constraints extension policy named PolicyConst...

Page 554: ...set in end entity certificates Permissible values 1 0 or n 1 specifies that the field should not be set in the extension default 0 specifies that no subordinate CA certificates are permitted in the pa...

Page 555: ...he rule is enabled or disabled Select to enable deselect to disable predicate Specifies the predicate expression for this rule If you want this rule to be applied to all certificate requests leave the...

Page 556: ...u can invent your own OIDs for the purposes of evaluating and testing this server in a production environment you should comply with the ISO rules for defining OIDs and for registering subtrees of IDs...

Page 557: ...t this extension see subjectAltName on page 732 notBefore Specifies the date on which the validity period for the private key associated with the certificate begins Permissible values A valid date spe...

Page 558: ...AMS in section JavaScript Used By All Interfaces of CMS Customization Guide You can also distinguish the attributes based on their origin that is whether they originated from the enrollment form or wh...

Page 559: ...ribute whose value is to be included in the extension The attribute value must conform to any of the supported general name types specified by the generalName n generalNameChoice parameter If the serv...

Page 560: ...uthentication instance is set to mail or mailalternateaddress or to both The third attribute HTTP_PARAMS csrRequestorEmail is the email component of the subject name in an enrollment request it is an...

Page 561: ...e extension you need to specify the attribute name and its value the name must be the X 500 directory attribute name itself and the attribute value can be derived from the request or directly entered...

Page 562: ...integer derived from the value you assign in this field For example if you set the numAttributes parameter to 2 n would be 0 and 1 attribute n attrib uteName Specifies the name of the directory attrib...

Page 563: ...s section explains how to use the CMS window to perform the following operations Table 11 41 SubjectKeyIdentifierExt Configuration Parameters Parameter Description enable Specifies whether the rule is...

Page 564: ...rk 1 Log in to the CMS window see Logging Into the CMS Console on page 247 2 Select the Configuration tab 3 In the navigation tree select the subsystem that will use the module you want to register 4...

Page 565: ...y framework 1 Log in to the CMS window see Logging Into the CMS Console on page 247 2 Select the Configuration tab 3 In the navigation tree select the subsystem that registers the module you want to d...

Page 566: ...Managing Policy Plug in Modules 566 Netscape Certificate Management System Administrator s Guide February 2003...

Page 567: ...d Notifications The automated notifications feature is an event driven system that sends email notifications when the specified event occurs The system uses listeners that monitor the system to determ...

Page 568: ...s of automated notifications are available Certificate Issued Request In Queue Certificate Revocation Certificate Issued A notification message is automatically sent to users who have been issued cert...

Page 569: ...d the notification is sent to the email address specified in the Sender s Email Address field specified when you set up this notifications as undeliverable notification You can customize the email res...

Page 570: ...is is the email address of the person who is notified of any delivery problems Subject Type the subject title for the notification Recipient s E Mail Address Type the recipient s full email address th...

Page 571: ...r notification message are explained in the procedure in the section Setting Up Automated Notifications on page 569 5 Save the file 6 Restart the server instance 7 If you set up a job that sends autom...

Page 572: ...e of HTML templates Tokens are variables identified with the dollar sign character in the message that are replaced by the current value when the message is constructed See Token Definitions on page 5...

Page 573: ...website http IT if you have any problems Notification Message Templates Notification message templates are located in the following directory server_root cert instance_id emails You can change the na...

Page 574: ...ir certificate is revoked certRequestRevoked_CA html Template for the Certificate Manager to send HTML based notifications to end entities when their certificate is revoked certRequestRevoked_RA Templ...

Page 575: ...he time the job instance was run HexSerialNumber Specifies the serial number of the certificate that has been issued in hexidecimal format HttpHost Specifies the fully qualified host name of the Certi...

Page 576: ...be displayed as a hexadecimal value in the resulting message Status Specifies the status of the request SubjectDN Specifies the distinguished name of the certificate subject SummaryItemList Specifies...

Page 577: ...execute specific jobs at specified times The job scheduler functions similar to a traditional Unix cron daemon in that it takes registered cron jobs and executes them at a preconfigured date and time...

Page 578: ...bs The types of automated jobs are RenewalNotification RequestInQueue and UnpublishExpired RenewalNotificationJob The RenewalNotification job checks for certificates that are about to expire in the in...

Page 579: ...tlined in section Updating Certificates and CRLs in a Directory on page 660 You can create additional automated jobs using the CMS SDK Setting Up the Job Scheduler The Certificate Manager and Registra...

Page 580: ...k to be valid For example the following entry specifies a job execution time of midnight on the first and fifteenth of every month and on every Monday 0 0 1 15 1 To specify one day type without the ot...

Page 581: ...hat meet the cron specification By default it is set to one minute See Frequency Settings for Automated Jobs on page 579 The window for entering this information may appear too small Drag the corners...

Page 582: ...in to the CMS console see Logging Into the CMS Console on page 247 3 Select the Configuration tab 4 In the navigation tree select Job Scheduler then select Jobs The Job Instance tab appears showing t...

Page 583: ...Configuration Parameters of UnpublishExpiredJob on page 587 for details about these parameters 8 Click Ok 9 Click Refresh 10 If you set up a job that sends automated messages check that your have corr...

Page 584: ...ith jobsScheduler job unpublishExpiredCerts see Configuration Parameters of UnpublishExpiredJob on page 587 for details about these parameters 5 Save the file 6 Restart the server instance 7 If you se...

Page 585: ...ery problems emailSubject Specifies the text of the subject line of the notification message emailTemplate Specifies the path including the filename to the directory that contains the template to be u...

Page 586: ...template to be used for formulating the summary report email notification For details see Customizing Notification Messages on page 589 Table 13 3 RequestInQueueJob Parameters Parameter Description e...

Page 587: ...e summary emailTemplate Specifies the path including the filename to the directory that contains the template to be used for creating the summary report For details see Customizing Notification Messag...

Page 588: ...he server to send the summary report summary emailSubject Specifies the subject line of the summary message summary emailTemplate Specifies the path including the filename to the directory that contai...

Page 589: ...essages by modifying the HTML commands included in the HTML template for that message type Templates for Summary Notifications Notification message templates are located in the following directory ser...

Page 590: ...to be sent to agents and administrators Uses the rnJob1Item txt template to format items in the message rnJob1Item txt Template for formatting the items to be included in the summary report Table 13 6...

Page 591: ...Date Specifies the date the certificate was revoked SenderEmail Specifies the email address of the sender SerialNumber Specifies the serial number of the certificate the serial number will be displaye...

Page 592: ...he Configuration tab 3 In the navigation tree select Job Scheduler then select Jobs The Job Instance tab appears It lists any currently configured jobs 4 Select the Job Plugin Registration tab The Job...

Page 593: ...cate a server administrator or by a Certificate Manager agent End users can revoke certificates by using the Revocation form provided in the end entity services interface Agents can revoke end entity...

Page 594: ...d to do so removes the revoked certificates from the publishing directory and updates the CRL in the publishing directory Authentication of End Users During Certificate Revocation When an end user sub...

Page 595: ...ial number of the certificate the user wants to revoke and the challenge password associated with the certificate The server verifies the authenticity of a revocation request by mapping the serial num...

Page 596: ...nd then send the signed request to the Certificate Manager The enabled instance of the CMCAuth plug in module also activates CMC revoke when it is enabled the default When this method is setup the Cer...

Page 597: ...hat exists d The directory where cert8 db key3 db and secmod db containing the agent certificate are located n The nickname of the agent s certificate i The issuer name of the certificate being revoke...

Page 598: ...rned page confirms that the certificate 22 has been revoked About CRLs Server and client applications that use public key certificates as tokens of identification need access to information about the...

Page 599: ...directory or an OCSP responder Note that the Registration Manager cannot create or publish CRLs although it can take revocation requests and pass them on to the Certificate Manager A CRL is issued and...

Page 600: ...he server End users are also required to authenticate to the server in order to revoke their certificate Whenever a certificate is revoked the Certificate Manager updates the status of the certificate...

Page 601: ...L issuing points specified in the certificate instead of the master or main CRL the application would check the CRL maintained at the issuing point which would be smaller in size compared to the maste...

Page 602: ...ince its creation For example if the numbering were as simple as 1 2 3 the first CRL would be CRL 1 The second CRL would be CRL 2 and the delta would be deltaCRL 2 The deltaCRL 2 would reference CRL 1...

Page 603: ...revoked certificates from the entire CA ARL Authority Revocation List containing only revoked CA certificates Master CRL and Expired Certificates Containing the list of revoked certificates from the...

Page 604: ...ect that issuing point and click Edit You can only change the description for the issuing point and change the status from enabled to disabled 4 To add an issuing point click Add The CRL Issuing Point...

Page 605: ...dragging at one of the corners some fields in this window do not appear large enough to read the content In the Update Frequency section specify the interval for publishing the CRL to the directory E...

Page 606: ...ed Include expired certificates Select if you want the server to include revoked certificates that have expired in the CRL If this is enabled information about revoked certificates will remain in the...

Page 607: ...n this step you modify the default rules to suit your organization s requirements To specify the CRL extensions 1 In the navigation tree select Certificate Manager and then select CRL Issuing Points N...

Page 608: ...ion is used to identify the public key that corresponds to the private key used by a CA to sign CRLs The PKIX standard recommends that the CA must include this extension in all CRLs it issues The reas...

Page 609: ...of a certificate included in the CRL For general guidelines on setting the CRL reason code in CRL entries see reasonCode on page 741 For a list of reason codes see Reasons for Revoking a Certificate o...

Page 610: ...efault critical Select if you want the server to mark the extension critical default deselect if you want the server to mark the extension noncritical Table 14 5 FreshestCRL Configuration Parameters P...

Page 611: ...olute pathname and must specify the host For example http testCA example com get your crls here Table 14 6 HoldInstruction Configuration Parameters Parameter Description enable Specifies whether the r...

Page 612: ...n enables binding of or associating alternative identities such as a mail address a DNS name an IP address and a uniform resource indicator URI with the issuer of the CRL For general guidelines on set...

Page 613: ...directoryName if the name is an X 500 directory name Select dNSName if the name is a DNS name Select ediPartyName if the name is a EDI party name Select URL if the name is a uniform resource identifi...

Page 614: ...suing distribution point extension in CRLs see issuingDistributionPoint on page 739 If the type is URL the value must be a non relative universal resource identifier URI For example http testCA exampl...

Page 615: ...he pointType parameter If the pointType attribute is set to DirectoryName the name must be an X 500 Name For example CN CRLCentral OU Research Dept O Example Corporation C US If the pointType attribut...

Page 616: ...es of revoked certificates default onlyContainsUserCerts Select if the distribution point contains user certificates only deselect if the distribution point contains all types of certificates default...

Page 617: ...an online validation authority using the appropriate protocol This chapter explains how to configure the Certificate Manager or Registration Manger to publish certificates and CRLs to a file to a dire...

Page 618: ...types of CRL files For example you can publish CA certificates to one location while publishing user certificates to a completely different location Similarly you can publish different types of certif...

Page 619: ...in LDAP publishing Mappers allow you to construct the DN for an entry based on information from the certificate or the certificate request The server needs to figure out the DN of the entry in which t...

Page 620: ...00 PST 2000 will be crl 949102696899 der About LDAP Publishing The ability of a server to publish certificates CRLs and other certificate related objects to a directory using the LDAP or LDAPS protoc...

Page 621: ...issued updated or revoked the publishing system is invoked and the certificate or CRL is evaluated by the rules to see if it matches the type and predicate set in the rule The type setting specifies...

Page 622: ...l replace any certificate or CRL that is already published to this attribute For rules that specify to publish to an Online Certificate Status Manager a CRL is published to this manager certificates a...

Page 623: ...you want to publish all CRLs If you are publishing different types of CRLS to separate locations create a publisher for each location you will publish to specifying the location you will publish You...

Page 624: ...You can set up rules for each object type CA certificate CRL user certificate and cross pair certificate or you can even further divide the rules so that you have different rules for different kinds...

Page 625: ...configure Publishers for LDAP publishing Configuring Publishers for Publishing to a File You need to create and configure a Publisher for each publishing location publishers are not automatically cre...

Page 626: ...he Select Publisher Plug in Implementation window appears It lists registered publisher modules 5 Select the module named FileBasedPublisher This is the only Publisher module that enables the Certific...

Page 627: ...s certificates 8 Click OK You are returned to the Publishers Management tab It should now list the publisher you just created 9 Repeat this procedure creating all the publishers you will need Configur...

Page 628: ...or the Certificate Manager see Logging Into the CMS Console on page 247 2 Select the Configuration tab 3 In the navigation tree select Certificate Manager select Publishing and then select Publishers...

Page 629: ...lphanumeric string with no spaces For example Ca1CrlToOcspResponder host Type the fully qualified DNS host name of the Online Certificate Status Manager For example ocspResponder example com port Type...

Page 630: ...o publish cross signed certificates to the LDAP directory The publishers are enabled and configured using the X 500 standard attributes for storing certificates and CRLs You do not need to modify the...

Page 631: ...lation the Certificate Manager automatically creates an instance of the LdapCaCertPublisher module for publishing the CA certificate to the directory that is already enabled and configured Table 15 1...

Page 632: ...the directory LdapCrlPublisher The LdapCrlPublisher plug in module enables you to configure a Certificate Manager to publish or unpublish the CRL to the certificateRevocationList binary attribute of...

Page 633: ...s not one already Similarly it also removes the certificationAuthority object class on unpublish if the CA has no other certificates During installation the Certificate Manager automatically creates...

Page 634: ...ate or some other input information This relationship can either be one in which the exact DN of the entry can be derived from the information using the mapper to derive this DN or one in which the in...

Page 635: ...each of these macros specifying the DN pattern used and whether or not you want CMS to create the CA entry in the directory To use other mappers create an instance of the mapper you want to use and th...

Page 636: ...ion window appears It lists registered mapper modules b Select a module For complete information about these modules see Mapper Plug in Modules Reference on page 637 c Click Next The Mapper Editor win...

Page 637: ...n AVAs check the directory documentation The CA certificate mapper allows you to specify whether to create an entry for the CA or to just map the certificate to an existing entry or to do both Note th...

Page 638: ...you select the Certificate Manager first attempts to create an entry for the CA in the directory If the Certificate Manager succeeds in creating the entry it then attempts to publish the CA s certific...

Page 639: ...automatically creates this mapper during installation You can use this mapper for creating an entry for the CA in the directory and for mapping the CRL to the CA s entry in the directory By default th...

Page 640: ...a certificate to an LDAP directory entry by deriving the entry s DN from components specified in the certificate request certificate s subject name certificate extension and attribute variable assert...

Page 641: ...re subject DN specified in the mapper configuration For example assume the certificate subject name is this UID jdoe O Example Corporation C US When searching the directory for the entry the Certifica...

Page 642: ...ents and filter components match an error is returned If the filter components are null a base search is performed Note that both DNComps and filterComps parameters accept valid DN components or attri...

Page 643: ...ll of these components CN OU O L ST and C to build a DN for searching the directory When creating a mapper rule you can specify the components the server should use to build a DN that is components to...

Page 644: ...nsider another example that shows how two directory entries with similar DNs can be differentiated by the value of the UID attribute Assume that the two Jane Doe entries are distinguished by the value...

Page 645: ...specified by that DN for entries matching the filter specified by filterComps parameter values Permissible values Valid DN components or attributes separated by commas filterComps Specifies component...

Page 646: ...ule and then where it is to be published Determining if the object meets the rule is done by matching the type and predicate set up in the rule with the object itself Determining where matching object...

Page 647: ...ter 15 Publishing 647 4 To edit an existing rule select that rule from the list and click Edit The Rule Editor window appears 5 To create a rule a Click Add The Select Rule Plugin Implementation windo...

Page 648: ...the only module If you have registered any custom modules they too will be available for selection c Click Next The Rule Editor window appears 6 Enter the appropriate information Rule ID Type a name...

Page 649: ...lisher you created that will be associated with this rule For example if this rule publishes user certificates to a file chose the publisher that publishes to a file in the location set up for user ce...

Page 650: ...r CRL set isDeltaCRL false in order to publish only the master CRL For example issuingPointId MasterCRL isDeltaCRL false To publish only the delta CRL set isDeltaCRL true in order to publish only the...

Page 651: ...Rule Configuration Parameters Parameter Value Description type xcert Specifies the type of certificate that will be published Select from the pull down menu predicate Specifies a predicate for this p...

Page 652: ...LdapUserCertMap Specifies the mapper used with this rule See LdapSimpleMap on page 640 for details on this mapper publisher LdapUserCertPublisher specifies the publisher used with this rule See LdapU...

Page 653: ...To enable LDAP publishing select both Enable Publishing and Enable Default LDAP Connection options In the Destination section identify the Directory Server instance Host name Type the fully qualified...

Page 654: ...certificate for this purpose LDAP version Select the version of LDAP protocol appropriate to your version of Directory Server If the directory you want the Certificate Manager to publish to is based...

Page 655: ...You should see a file with name similar to cert serial_number der where serial_number specifies the serial number of the certificate contained in the file 5 Convert the DER encoded certificate to its...

Page 656: ...orm using the Pretty Print Certificate tool see Chapter 9 Pretty Print Certificate Tool of CMS Command Line Tools Guide To convert the base 64 encoded certificate to a human readable form a Check the...

Page 657: ...e value derived from the time dependent variable named This Update of the CRL contained in the file If you don t see the file check your configuration 10 Convert the DER encoded CRL to its base 64 enc...

Page 658: ...tes If the directory object that it finds does not allow the userCertificate binary attribute the addition or removal of that specific certificate fails If you have created user entries as inetOrgPers...

Page 659: ...CA s distinguished name begins with the OU component create a new organizational unit entry for the CA Note that the entry you create doesn t have to be in the certificationAuthority object class The...

Page 660: ...ing methods of communication Publishing With Basic Authentication Publishing Over SSL Without Client Authentication Publishing Over SSL With Client Authentication See the Netscape Directory Server doc...

Page 661: ...ht be down for a while and be unable to receive changes from the Certificate Manager In such a situation use the forms provided in the Certificate Manager Agent Services interface to manually update t...

Page 662: ...te Manager is installed as a root CA when using the agent interface to update the directory with valid certificates the CA signing certificate may get published using the publishing rule set up for us...

Page 663: ...d in the update When the directory is updated the Certificate Manager will display a status report If the process gets interrupted for some reason the server logs an error message Be sure to check log...

Page 664: ...a plug in click Register 7 Specify information as appropriate Plugin name Type a name for the plug in module Class name Type the full name of the class for this module that is the path to the impleme...

Page 665: ...omponents Security Audit FAU FAU_GEN 1 Audit data generation iteration 1 FAU_GEN 2 User identity association iteration 1 FAU_SAR 1 Audit Review FAU_SAR 3 Selectable audit review FAU_SEL 1 Selective au...

Page 666: ...ity functions behavior iteration 1 FMT_MSA 1 Management of security attributes FMT_MSA 2 Secure security attributes FMT_MSA 3 Static attribute initialization FMT_MTD 1 Management of TSF data FMT_SMR 2...

Page 667: ...itionally the audit shall not include plaintext private or secret keys or other critical security parameters Table A 2 Auditable Events and Audit Data Section Function Component Event Additional Detai...

Page 668: ...The IT environment shall provide the ability to perform searches of audit data based on the type of event the user responsible for causing the event and as specified in Table A 3 below FAU_SEL 1 Selec...

Page 669: ...generation FCS_CKM 1 1 The FIPS 140 1 validated cryptographic module shall generate cryptographic keys in accordance with any FIPS approved or recommended cryptographic key generation algorithm that...

Page 670: ...tly deny access of subjects to objects based on the none FDP_ITT 1 Basic internal transfer protection iteration 1 FDP_ITT 1 1 The IT environment shall enforce the CIMC IT Environment Access Control Po...

Page 671: ...r security attributes FIA_UAU 1 Timing of authentication iteration 1 FIA_UAU 1 1 The IT environment shall allow HTTP and LDAP based services1 on behalf of the user to be performed before the user is a...

Page 672: ...onment Access Control Policy specified in CIMC TOE Access Control Policy on page 675 to provide restrictive default values for security attributes that are used to enforce the SFP FMT_MSA 3 2 The IT e...

Page 673: ...machine testing FPT_AMT 1 1 The IT environment shall run a suite of tests other conditions during initial start up periodically during normal operation or at the request of an authorized user to demo...

Page 674: ...ence and tampering by untrusted subjects FPT_SEP 1 2 Each operating system in the IT environment shall enforce separation between the security domains of subjects in its scope of control FPT_STM 1 Rel...

Page 675: ...he security objective O Integrity protection of user data and software and O Periodically check integrity Trusted path channels FTP FTP_TRP 1 Trusted path FTP_TRP 1 1 The IT environment shall provide...

Page 676: ...Individuals with different access authorizations Roles with different access authorizations Individuals assigned to one or more roles with different access authorizations Access type with explicit al...

Page 677: ...hapter contains the following sections PKI Overview Security Objectives TOE Security Environment Assumptions Security Requirements for the IT Environment IT Environment Assumptions CMS Privileged User...

Page 678: ...erified Implement automated notification or other responses to the TSF discovered attacks in order to identify attacks and create an attack deterrent Require inspection for downloads Respond to possib...

Page 679: ...vate and Secret Keys CMS certificate private keys and secret keys are to be generated and stored in a FIPS 140 1 level 3 certified hardware cryptographic token The CMS private asymmetric keys are Priv...

Page 680: ...bsystem and depend on which CMS subsystem has been installed All of the privileged roles see About Roles on page 683 for more information about privileges require SSL client authentication by presenti...

Page 681: ...on authorization mechanism Conceptually this role is not an actual privileged role that a user can be assigned to Rather the Trusted Manager role is a means of establishing trust between two CMS subsy...

Page 682: ...the subsystem from the command line Data Recovery Manager Agents Can approve recovery of subject private keys via SSL capable browsers to the DRM Agent interface Can export recovered subject private...

Page 683: ...command line Online Certificate Status Manager Agents Can add CRLs to the OCSP Responder Agent interface via SSL capable browsers Can define supported CAs via SSL capable browsers to the OCSP Responde...

Page 684: ...ment Setup and Installation Guide Understanding Setup of Common Criteria Evaluated Netscape CMS Appendix C Understanding the Common Criteria Evaluated CMS Setup provides a high level description of th...

Page 685: ...CMS Common Criteria Environment Setup and Installation Guide Appendix B Common Criteria Environment Setup and Operations 685...

Page 686: ...CMS Common Criteria Environment Setup and Installation Guide 686 Netscape Certificate Management System Administrator s Guide February 2003...

Page 687: ...contained in the document CMS Common Criteria Setup Procedure Understanding the Common Criteria Environment This section describes the environment before CMS is installed and configured Secure Enviro...

Page 688: ...or example the user Joe cannot be both the CA Administrator and Agent for the same CA subsystem See CMS Privileged Users and Groups Roles on page 680 for a description of the various CMS privileged ro...

Page 689: ...ser ID account preventing users from logging in with this user ID Understanding CMS Installation You must install CMS on each host on which a CMS subsystem is installed You can set up the environment...

Page 690: ...see The Administrative Interface on page 244 For instructions on how to set up SSL client authorization for the CMS console see Appendix I Introduction to SSL Backup and Restore of a CMS Subsystem CM...

Page 691: ...Recovery Manager to a Registration Manager is one possible CMS deployment scenario it is not currently part of the Common Criteria Evaluation You can install and configure an OCSP responder to any CA...

Page 692: ...he main guidance documents where detailed information is provided for each feature but you will need to follow the CMS Common Criteria Setup Procedure in order to set up a Netscape CMS Common Criteria...

Page 693: ...the Access Control feature are not part of the Common Criteria Environment Audit Logs The Common Criteria Environment requires that the signed audit log file feature be enabled and configured Signed...

Page 694: ...g up the CRL feature you cannot set up a CRL that does not have an update frequency specified in the Update at this frequency field Compliant CRLs must contain the nextUpdateTime extension which will...

Page 695: ...g it is highly recommended that you set it up using SSL client authentication and that you set up the Directory Server in SSL mode as well For information about publishing see Chapter 15 Publishing Se...

Page 696: ...t also provides features to recover the user private keys that it has archived Key recovery requires Data Recovery Manager Agents to work in cooperation You will be instructed to configure the key rec...

Page 697: ...es including security objectives for the TOE security objectives for the environment and security objectives for both the TOE and environment 1 1 Security Objectives for the TOE This section includes...

Page 698: ...tion Provide sufficient backup storage and effective restoration to ensure that the system can be recreated 1 1 3 Cryptography O Non repudiation Prevent user from avoiding accountability for sending a...

Page 699: ...s histories variations etc through enforced authentication data management Note this objective is not applicable to biometric authentication data O Communications Protection Protect the system against...

Page 700: ...sical Protection Those responsible for the TOE must ensure that the security relevant components of the TOE are protected from physical attack that might compromise IT security O Social Engineering Tr...

Page 701: ...y in accordance with security requirements recommended by the National Institute of Standards and Technology O Periodically check integrity Provide periodic integrity checks on both system and softwar...

Page 702: ...backup data O Individual accountability and audit records Provide individual accountability for audited events Record in audit records date and time of action and the entity responsible for the action...

Page 703: ...n the system O Require inspection for downloads Require inspection of downloads transfers O Respond to possible loss of stored audit records Respond to possible loss of audit records when audit trail...

Page 704: ...nt 704 Netscape Certificate Management System Administrator s Guide February 2003 O React to detected attacks Implement automated notification or other responses to the TSF discovered attacks in an ef...

Page 705: ...n Security Policies 1 1 Secure Usage Assumptions The usage assumptions are organized in three categories personnel assumptions about administrators and users of the system as well as any threat agents...

Page 706: ...nt CPS under which the TOE is operated A Disposal of Authentication Data Proper disposal of authentication data and associated privileges is performed after access has been removed e g job termination...

Page 707: ...y this CIMC to counter the perceived threats for the appropriate Security Level identified in this family of PPs This assumption has been copied directly from the CIMC PP In the context of this ST app...

Page 708: ...lure of one or more system components results in the loss of system critical functionality T Malicious code exploitation An authorized user IT system or hacker downloads and executes malicious code wh...

Page 709: ...undetected access to a system due to missing weak and or incorrectly implemented access control causing potential violations of integrity confidentiality or availability T Hacker physical access A ha...

Page 710: ...1 3 Organization Security Policies 710 Netscape Certificate Management System Administrator s Guide February 2003...

Page 711: ...Importing Certificate Chains Importing Certificates into Netscape Communicator on page 713 Importing Certificates into Netscape Servers on page 714 Object Identifiers on page 714 Data Formats Netscape...

Page 712: ...s It consists of a PKCS 7 ContentInfo structure wrapping a sequence of certificates The value of the contentType field should be netscape cert sequence see Object Identifiers on page 714 while the con...

Page 713: ...n as long as there is a trusted CA somewhere along the chain Importing Certificates into Netscape Communicator Communicator imports certificates via HTTP There are several MIME content types that are...

Page 714: ...a the server administration interface Certificates are pasted into a text input field in an HTML form and then the form is submitted to the administration server Since the certificates are pasted into...

Page 715: ...Object Identifiers Appendix F Certificate Download Specification 715 netscape data type OBJECT IDENTIFIER netscape 2 netscape cert sequence OBJECT IDENTIFIER netscape data type 5...

Page 716: ...Object Identifiers 716 Netscape Certificate Management System Administrator s Guide February 2003...

Page 717: ...Extensions Netscape Defined Certificate Extensions CA Certificates and Extension Interactions Introduction to Certificate Extensions An X 509 v3 certificate contains an extensions field that permits a...

Page 718: ...ways possible to check a certificate s revocation status against a directory or with the original certificate authority it is useful for certificates to include information about where to check CRLs E...

Page 719: ...ned with the international telecommunications network The Internet Engineering Task Force IETF which controls many of the standards that underlie the Internet is currently developing public key infras...

Page 720: ...he application must reject the certificate If the extension is not critical and the certificate is sent to an application that does not understand the extension based on the extension s ID the applica...

Page 721: ...9 1 1 5 Issuer CN Certificate Manager OU netscape O aol L MV ST CA C US Validity Not Before Friday February 21 2003 12 00 00 AM PST America Los_Angeles Not After Monday February 21 2005 12 00 00 AM PS...

Page 722: ...itical no Key Identifier 3B 46 83 85 27 BC F5 9D 8E 63 E3 BE 79 EF AF 79 9C 37 85 84 Identifier Key Usage 2 5 29 15 Critical yes Key Usage Digital Signature Key CertSign Crl Sign Signature Algorithm S...

Page 723: ...For other clients see their web sites for information Each extension in a certificate can be designated as critical or noncritical A certificate using system such as browser software must reject the...

Page 724: ...sion The Authority Key Identifier extension identifies the public key corresponding to the private key used to sign a certificate This extension is useful when an issuer has multiple signing keys for...

Page 725: ...ed during the certificate chain verification process to identify CA certificates and to apply certificate chain path length constraints The cA component should be set to true for all CA certificates P...

Page 726: ...n page 516 CRLDistributionPoints OID 2 5 29 31 Criticality PKIX recommends that this extension be marked noncritical and that it be supported for all certificates Discussion This extension defines how...

Page 727: ...an OCSP responder s certificate unless the CA signing key that signed the certificates validated by the responder is also the OCSP signing key The OCSP responder s certificate must be issued directly...

Page 728: ...The Issuer Alternative Name extension is used to associate Internet style identities with the certificate issuer Names must use the forms defined for subjectAltName CMS Version Support Supported sinc...

Page 729: ...carefully consider the legal consequences of its use before setting it for any certificate keyEncipherment 2 for SSL server certificates and S MIME encryption certificates dataEncipherment 3 when the...

Page 730: ...cates for users who have separate certificates and key pairs for these operations CMS Version Support Supported since CMS 4 1 Refer to KeyUsageExt on page 535 nameConstraints OID 2 5 29 30 Criticality...

Page 731: ...fully If the OCSP signing key is compromised the entire process of validating certificates in the PKI will be compromised for the duration of the validity period of the certificate Therefore certifica...

Page 732: ...pecify a different validity period for the private key than for the certificate itself This extension is intended for use with digital signature keys PKIX Part 1 recommends against the use of this ext...

Page 733: ...by PKCS 9 Software that supports S MIME must be able to read an email address from either the Subject Alternative Name extension or from the subject name field CMS Version Support Supported since CMS...

Page 734: ...xtension of the certificate being verified should match the key identifier of the CA s Subject Key Identifier extension It is not necessary for the verifier to recompute the key identifier in this cas...

Page 735: ...encoded structure appears as the value of the octet string extnValue see the examples in Sample Certificate Extensions on page 721 A flag or boolean field called critical The true or false value assi...

Page 736: ...r example a CRL may contain only one authority key identifier extension However CRL entry extensions appear in appropriate entries in the CRL Certificate Revocation List Data Version v2 Extensions Ide...

Page 737: ...associating additional attributes with Internet CRLs These are of two kinds extensions to the CRL itself and extensions to individual certificate entries in the CRL Extensions for CRLs CRL Entry Exte...

Page 738: ...each CRL issued by a CA It allows users to easily determine when a particular CRL supersedes another CRL PKIX requires that all CRLs have this extension CMS Version Support Supported since CMS 4 2 Re...

Page 739: ...issuerAltName OID 2 5 29 18 Discussion The Issuer Alternative Name extension allows additional identities to be associated with the issuer of the CRL For details see the discussion under certificate e...

Page 740: ...uer OID 2 5 29 29 Discussion The Certificate Issuer extension identifies the certificate issuer associated with an entry in an indirect CRL This extension is used only with indirect CRLs which are not...

Page 741: ...ndard All Netscape extensions should be tagged as noncritical so that their presence in a certificate does not make that certificate incompatible with other clients The specifications for all Netscape...

Page 742: ...cate bit 6 S MIME CA certificate bit 7 Object signing CA certificate CMS Version Support Supported since CMS 4 1 Refer to NSCertTypeExt on page 549 netscape comment OID 2 16 840 1 113730 13 Discussion...

Page 743: ...or both as described above If CAs issue multiple certificates for the same identity for example for separate signing and encryption keys they must include the keyUsage extension in the subject certifi...

Page 744: ...ys for their CA they must add the authorityKeyIdentifier extension to all subject certificates If the key ID is anything other than the SHA 1 hash of the CA certificates subjectPublicKeyInfo field the...

Page 745: ...extension or a company s certificate practice statement OIDs are controlled by the International Standards Organization ISO registration authority In some cases this authority is delegated by ISO to...

Page 746: ...ny arc http www isi edu cgi bin iana enterprise pl To understand why you need to have a company arc check the information at this site http www alvestrand no objectid 2 16 840 1 113730 1 13 html The s...

Page 747: ...or the most part the information presented in this appendix is specific to Netscape Directory Server an LDAP compliant directory What Is a Distinguished Name Distinguished names DNs are string represe...

Page 748: ...rg rfc rfc2253 txt Note that if used in conjunction with an LDAP compliant directory Certificate Management System by default recognizes components that are listed in Table I 2 Table I 1 Definitions o...

Page 749: ...he search base For example if you specify a base DN of OU people O example com for a client the LDAP search operation initiated by the client examines only the OU people subtree in the O example com d...

Page 750: ...absence of a base DN value Certificate Management System uses DN components in the certificate s subject name to construct the base DN so that it can search the directory in order to publish to or up...

Page 751: ...E IA5String 1 2 840 113549 1 9 1 DC IA5String 0 9 2342 19200300 100 1 2 25 SERIALNUMBER for CEP support Printable String 2 5 4 5 UNSTRUCTUREDNAME for CEP support IA5String 1 2 840 113549 1 9 2 UNSTRU...

Page 752: ...v3 UTF 8 String Representation of Distinguished Names see http www ietf org rfc rfc2253 txt Certificate Management System conforms to all of this standard including support of using hex numbers to es...

Page 753: ...order from smaller character sets to broadest character set Printable IA5String BMPString Universal String For example X500Name MY_ATTR oid 1 2 3 4 5 6 X500Name MY_ATTR class netscape security x509 Di...

Page 754: ...at you can verify whether they appear in certificate subject names For example you can enter the following values for the new attributes and look for them in the subject name MYATTR1 a_value MYATTR2 a...

Page 755: ...gn TOP input type TEXT name DC size 30 onchange formulateDN this form this form subject td tr 4 Save your changes and close the file 5 Go to this directory server_root cert instance_id web apps ee 6 O...

Page 756: ...nual enrollment form in the browser and verify your changes 10 To verify that the Enroll for a certificate using the new attribute value Changing the DER Encoding Order You can also change the DER enc...

Page 757: ...rm Use John_Doe for CN 7 Go to the agent interface and approve your request 8 When you receive the certificate use the dumpasn1 tool to examine the encoding of the certificate For details about the du...

Page 758: ...ple CN corpDirectory example com OU Human Resources O Example Corporation C US When clients such as Netscape Navigator receive a server certificate they expect the CN component of the certificate s su...

Page 759: ...s the certificate subject name The dnpattern configuration variable supports escaped commas and multiple attribute variable assertions AVAs in a RDN Below is the syntax for the DN pattern followed by...

Page 760: ...this example O the first o value in the user s entry DN C the string US Example 3 If the configured DN pattern is CN attr cn rdn 2 O dn o C US LDAP entry dn UID jdoe OU IS OU people O example com LDA...

Page 761: ...ue in the user s entry OU the second ou value in the user s entry DN followed by the first ou value in the user s entry note the multiple AVAs in a RDN in this example O the first o value in the user...

Page 762: ...DNs in Certificate Management System 762 Netscape Certificate Management System Administrator s Guide February 2003...

Page 763: ...tion Digital Signatures Certificates and Authentication Managing Certificates For more information on these topics and other aspects of cryptography see Security Resources at the following URL http de...

Page 764: ...tion is known as spoofing Misrepresentation A person or organization can misrepresent itself For example suppose the site www netscape com pretends to be a furniture store when it is really just a sit...

Page 765: ...it is intelligible again A cryptographic algorithm also called a cipher is a mathematical function used for encryption or decryption In most cases two related functions are employed one for encryptio...

Page 766: ...etric key Thus as long as the symmetric key is kept secret by the two parties using it to encrypt communications each party can be sure that it is communicating with the other as long as the decrypted...

Page 767: ...ly distribute a public key and only you will be able to read data encrypted using this key In general to send encrypted data to someone you encrypt the data with that person s public key and the perso...

Page 768: ...rs used with SSL see Appendix K Introduction to SSL Different ciphers may require different key lengths to achieve the same level of encryption strength The RSA cipher used for public key encryption f...

Page 769: ...ics The value of the hash is unique for the hashed data Any change in the data even deleting or altering a single character results in a different value The content of the hashed data cannot for all p...

Page 770: ...ublic key presented by the signer If the two hashes match the recipient can be certain that the public key used to decrypt the digital signature corresponds to the private key used to create the digit...

Page 771: ...their own certificate issuing server software such as Netscape Certificate Management System The methods used to validate an identity vary depending on the policies of a given CA just as the methods...

Page 772: ...entified by that certificate did indeed send that message Similarly a digital signature on an HTML form combined with a certificate that identifies the signer can provide evidence after the fact that...

Page 773: ...onse to an authentication request from the server the client displays a dialog box requesting the user s name and password for that server The user must supply a name and password separately for each...

Page 774: ...d with some data can be thought of as evidence provided by the client to the server The server authenticates the user s identity on the strength of this evidence Like Figure J 4 Figure J 5 assumes tha...

Page 775: ...on the basis of input from both the client and the server This data and the digital signature constitute evidence of the private key s validity The digital signature can be created only with that pri...

Page 776: ...ms based on the authenticated user identity are not affected How Certificates Are Used Types of Certificates SSL Protocol Signed and Encrypted Email Form Signing Single Sign On Object Signing Types of...

Page 777: ...company deploys combined S MIME and SSL certificates solely for the purpose of authenticating employee identities thus permitting signed email and client SSL authentication but not encrypted email Ano...

Page 778: ...to the server to authenticate the client s identity before the encrypted SSL session can be established For an overview of client authentication over SSL and how it differs from password based authen...

Page 779: ...the need for persistent authentication of financial transactions Form signing allows a user to associate a digital signature with web based data generated as the result of a transaction such as a purc...

Page 780: ...over the network This approach simplifies access for users because they don t need to enter passwords for each new server It also simplifies network management since administrators can control access...

Page 781: ...pported by Netscape and many other software companies are organized according to the X 509 v3 certificate specification which has been recommended by the International Telecommunications Union ITU an...

Page 782: ...r s public key including the algorithm used and a representation of the key itself The DN of the CA that issued the certificate The period during which the certificate is valid for example between 1 0...

Page 783: ...8 ce 7f 47 50 2c 93 36 7c 01 6e cb 89 06 41 72 b5 e9 73 49 38 76 ef b6 8f ac 49 bb 63 0f 9b ff 16 2a e3 0e 9d 3b af ce 9a 3e 48 65 de 96 61 d5 0a 11 2a a2 80 b0 7d d8 99 cb 0c 99 34 c9 ab 25 06 a8 31...

Page 784: ...r which it has a certificate It s also possible for a trusted CA certificate to be part of a chain of CA certificates each issued by the CA above it in a certificate hierarchy The sections that follow...

Page 785: ...onsibilities to subordinate CAs The X 509 standard includes a model for setting up a hierarchy of CAs like that shown in Figure J 6 Figure J 6 Example of a Hierarchy of Certificate Authorities In this...

Page 786: ...through two subordinate CA certificates to the CA certificate for the root CA based on the CA hierarchy shown in Figure J 6 Figure J 7 Example of a Certificate Chain A certificate chain traces a path...

Page 787: ...scape software uses the following procedure for forming and verifying a certificate chain starting with the certificate being presented for authentication 1 The certificate validity period is checked...

Page 788: ...A Figure J 8 shows what happens when only Root CA is included in the verifier s local database If a certificate for one of the intermediate CAs shown in Figure J 8 such as Engineering CA is found in t...

Page 789: ...ows how verification fails if neither the Root CA certificate nor any of the intermediate CA certificates are included in the verifier s local database Figure J 10 A Certificate Chain That Can t Be Ve...

Page 790: ...identity such as a utility bill with your address on it and a student identity card If you want to get a regular driving license you also need to take a test a driving test when you first get the lice...

Page 791: ...nd renewing and revoking certificates can be partially or fully automated with the aid of the directory Information stored in the directory can also be used with certificates to control access to vari...

Page 792: ...r authentication before or after its validity period will fail Therefore mechanisms for managing certificate renewal are essential for any certificate management strategy For example an administrator...

Page 793: ...ntities of end entities before responding to the requests In addition some requests need to be approved by authorized administrators or managers before being services As previously discussed the means...

Page 794: ...Managing Certificates 794 Managing Servers with Netscape Console December 2001...

Page 795: ...support the protocol in future versions This document is primarily intended for administrators of Netscape server products but the information it contains may also be useful for developers of applicat...

Page 796: ...rtant if the user for example is sending a credit card number over the network and wants to check the receiving server s identity SSL client authentication allows a server to confirm a user s identity...

Page 797: ...use in operations such as authenticating the server and client to each other transmitting certificates and establishing session keys Clients and servers may support different cipher suites or sets of...

Page 798: ...the use of the strongest ciphers available And when an domestic client or server is dealing with an international server or client it will negotiate the use of those ciphers that are permitted under...

Page 799: ...phers have 128 bit encryption they are the second strongest next to Triple DES Data Encryption Standard with 168 bit encryption RC4 and RC2 128 bit encryption permits approximately 3 4 1038 possible k...

Page 800: ...ported ciphers Both SSL 2 0 and SSL 3 0 support this cipher Netscape Console supports only the SSL 3 0 version of this cipher suite RC2 With 40 Bit Encryption and MD5 Message Authentication RC2 40 bit...

Page 801: ...te is supported by SSL 3 0 but not by SSL 2 0 RC4 With SKIPJACK 80 Bit Encryption and SHA 1 Message Authentication The SKIPJACK cipher is a classified symmetric key cryptographic algorithm implemented...

Page 802: ...using SSL 2 The server sends the client the server s SSL version number cipher settings randomly generated data and other information the client needs to communicate with the server over SSL The serve...

Page 803: ...the client informing it that future messages from the server will be encrypted with the session key It then sends a separate encrypted message indicating that the server portion of the handshake is f...

Page 804: ...server authentication or cryptographic validation by a client of the server s identity As explained in Step 2 of The SSL Handshake which begins on page 802 the server sends the client a certificate t...

Page 805: ...a on the right side of Figure K 3 This list determines which server certificates the client will accept If the distinguished name DN of the issuing CA matches the DN of a CA on the client s list of tr...

Page 806: ...son the server identified by the certificate cannot be authenticated and the user will be warned of the problem and informed that an encrypted and authenticated connection cannot be established If the...

Page 807: ...erver of the client s identity When a server configured this way requests client authentication see Step 6 of The SSL Handshake which begins on page 802 the client sends the server both a certificate...

Page 808: ...to create the signature and that the data has not been tampered with since it was signed At this point however the binding between the public key and the DN specified in the certificate has not yet b...

Page 809: ...icate the user s identity If the CA s digital signature can be validated the server treats the user s certificate as a valid letter of introduction from that CA and proceeds At this point the SSL prot...

Page 810: ...The SSL Handshake 810 Managing Servers with Netscape Console December 2001...

Page 811: ...les to be evaluated when a server receives a request for access to a particular resource See access control instructions ACI administrator The person who installs and configures one or more CMS manage...

Page 812: ...tication module A set of rules implemented as a Java class for authenticating an end entity agent administrator or any other entity that needs to interact with a CMS manager In the case of typical end...

Page 813: ...ntities enrolled in the PKI certificate authority CA A trusted entity that issues a certificate after verifying the identity of the person or entity the certificate is intended to identify A CA also r...

Page 814: ...re defined certificate fingerprint A one way hash associated with a certificate The number is not part of the certificate itself but is produced by applying a hash function to the contents of the cert...

Page 815: ...ity by allowing you to set up policies for a particular type of enrollment along with an authentication method in a certificate profile Certificate Request Message Format CRMF Format used for messages...

Page 816: ...administrator to control configuration settings for the corresponding CMS instance Common Criteria Environment The configuration settings used for the Common Criteria certification of CMS configurati...

Page 817: ...and one for digital signatures Data Recovery Manager agent A user who belongs to a group authorized to manage agent services for a Data Recovery Manager including managing the request queue and autho...

Page 818: ...r s public key and comparison with another hash of the same data provides tamper detection Verification of the certificate chain for the certificate containing the public key provides authentication o...

Page 819: ...s to each other and storing the two cross pair certificates as a certificate pair fingerprint See certificate fingerprint FIPS PUBS 140 1 Federal Information Standards Publications FIPS PUBS 140 1 is...

Page 820: ...cations and applets using the Java programming language Java Native Interface JNI A standard programming interface that provides binary compatibility across different implementations of the Java Virtu...

Page 821: ...eue after successful authentication module processing An agent with appropriate privileges must then approve each request individually before policy processing and certificate issuance can proceed MD5...

Page 822: ...rivate key is used to sign objects using the technology known as object signing OCSP Online Certificate Status Protocol one way hash A number of fixed length generated from data of arbitrary length wi...

Page 823: ...c key cryptography The private key is kept secret and is used to decrypt data encrypted with the corresponding public key proof of Archival POA Data signed with the private Data Recovery Manager trans...

Page 824: ...s the certificates to the end entities and typically publishes them to the appropriate directory Registration Manager agent A user who belongs to a group authorized to manage agent services for a Regi...

Page 825: ...udit log See audit log signing certificate A certificate whose public key corresponds to a private key used to create digital signatures For example Certificate Manager must have a signing certificate...

Page 826: ...can identify itself as a site called www netscape com when it is not Spoofing is one form of impersonation See also misrepresentation impersonation SSL See Secure Sockets Layer SSL subject The entity...

Page 827: ...thority CA that issued the certificate If you trust a CA you can generally trust valid certificates issued by that CA virtual private network VPN A way of connecting geographically distant divisions o...

Page 828: ...828 Netscape Certificate Management System Administrator s Guide February 2003...

Page 829: ...ting 345 modifying group membership 345 port used for operations 286 See also ports tools provided CMS console 247 Netscape Console 245 Agent Services interface URL for 286 AgentDirEnrollment instance...

Page 830: ...cate 86 88 changing trust settings of 296 deleting 295 getting a new one 299 314 nickname 86 renewing 299 viewing details of 295 CEP 65 CEP enrollment 414 setting up multiple services 418 certificate...

Page 831: ...s applications 92 97 how to revoke 600 installing 711 715 issuing of 790 and LDAP Directory 791 management formats and protocols 66 object signing 777 publishing to files 620 publishing to LDAP direct...

Page 832: ...Manager support for 34 defined 599 extensions for 737 extension specific modules 734 issuing or distribution points 601 publishing of 598 publishing to files 620 publishing to LDAP directory 600 620 r...

Page 833: ...rypted file system EFS 454 525 encryption defined 765 public key 767 symmetric key 766 end entities port used for operations 287 See also ports end entity certificate publisher 632 end entity certific...

Page 834: ...ware tokens See external tokens HashAuth authentication plug in 408 holdInstructionCode 740 host name for mail server used for notifications 259 how to revoke certificates 600 how to search for keys 2...

Page 835: ...eys defined 765 management and recovery 791 keyUsage 728 L LDAP 66 LDAP publishing defined 620 manual updates 661 when to do 661 who can do this 661 See CRLs linked CA 31 local vs remote key recovery...

Page 836: ...6 173 216 for transport certificate 215 for wTLS signing certificate 86 NIS server based authentication 391 notifications configuring the mail server host name 259 port 259 to agents about unpublishin...

Page 837: ...84 naming convention 493 predicates in 485 reordering 493 significance of ordering 493 See also predicates types of 483 what each rule does 483 policyConstraints 731 policyMappings 731 ports 285 for a...

Page 838: ...cate 215 Remove Basic Constraints extension policy 557 renewal of certificates See certificate renewal reordering policy rules 493 significance of ordering 493 restarting Certificate Management System...

Page 839: ...7 tasks you can accomplish 247 TCP IP defined 763 templates for notifications 573 589 timing log rotation 269 tokens changing password of 319 external 316 See also external tokens internal 316 managin...

Page 840: ...t System Administrator s Guide February 2003 wireless certificates 92 97 wizard See Certificate Setup Wizard writing policies in JavaScript 495 wTLS CA signing certificate 86 nickname 86 wTLS certific...

Reviews: