manualshive.com logo in svg

Netscape NETSCAPE MANAGEMENT SYSTEM 4.5, Installation And Setup Manual

Share
Download
Netscape NETSCAPE MANAGEMENT SYSTEM 4.5 Installation And Setup Manual Download Page 18

18

Netscape Certificate Management System Installation and Setup Guide • October 2001

Step 2. Install an OCSP-Compliant Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 710
Step 3. Identify the CA to the OCSP Responder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
Step 4. Configure the Certificate Manager to Publish CRLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713

Step A. Specify CRL Format and Publishing Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713
Step B. Set the CRL Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
Step C. Create a Publisher for the CRL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 716
Step D. Create a Publishing Rule for the CRL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 718
Step E. Make Sure Publishing is Enabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 720

Step 5. Configure Certificate Manager for Required Extension Policies . . . . . . . . . . . . . . . . . . . . . 721
Step 6. Configure the Online Certificate Status Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723
Step 7. Restart the Certificate Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 727
Step 8. Restart the Online Certificate Status Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 728
Step 9. Verify Certificate Manager and Online Certificate Status Manager Connection . . . . . . . 728
Step 10. Test Your OCSP Responder Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 729

Step A. Turn On Revocation Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 729
Step B. Request a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 730
Step C. Approve the Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 730
Step D. Download the Certificate to the Browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 731
Step E. Make Sure the CA is Trusted by the Browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 731
Step F. Verify the Certificate in the Browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 732
Step G. Check the Status of Online Certificate Status Manager . . . . . . . . . . . . . . . . . . . . . . . . . 732
Step H. Revoke the Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 733
Step I. Verify the Certificate in the Browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 733
Step J. Check the Online Certificate Status Manager Status Again . . . . . . . . . . . . . . . . . . . . . . . 733

Chapter

22 Setting Up Key Archival and Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 735

PKI Setup for Key Archival and Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 735

Clients That Can Generate Dual Key Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 736
Data Recovery Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 736
Forms for Users and Key Recovery Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 737

Key Archival Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 737

Why You Should Archive Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 737
Where the Keys are Stored . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 738
How Key Archival Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 739

Key Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741

Key Recovery Agents and Their Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741

Secret Sharing of Storage Key Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741
Interface for the Key Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 742
Local Versus Remote Key Recovery Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 743

How Agent-Initiated Key Recovery Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 744
Key Recovery Agent Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 747

Changing the Key Recovery Agent Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 747
Changing Key Recovery Agents’ Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749

Summary of Contents for NETSCAPE MANAGEMENT SYSTEM 4.5

Page 1: ...Installation and Setup Guide Netscape Certificate Management System Version4 5 October 2001...

Page 2: ...ING FROM ANY ERROR IN THIS DOCUMENTATION INCLUDING WITHOUT LIMITATION ANY LOSS OR INTERRUPTION OF BUSINESS PROFITS USE OR DATA Software applications 2001 Sun Microsystems Inc Some software code 1999 2...

Page 3: ...ew of Key Features 34 Flexible end entity registration services framework 38 System Overview 41 Public Key Infrastructure 43 CMS Subsystems or Managers 44 Certificate Manager 45 Registration Manager 4...

Page 4: ...nt Formats and Protocols 77 Security and Directory Protocols 78 Chapter 2 Certificate Enrollment and Life Cycle Management 81 Steps in End Entity Enrollment 81 Some Enrollment Scenarios 84 Firewall Co...

Page 5: ...145 Step 1 Enable Directory Based Authentication 146 Step 2 Add a User to the Directory 147 Step 3 Enroll with Directory Based Authentication 149 Publish Certificates to an LDAP Directory 150 Configur...

Page 6: ...icate Status Manager Certificates 182 Authentication Decisions 183 Policy Decisions 183 Deployment Strategy and Port Assignments 184 Chapter 5 Installation Worksheet 187 Information for UNIX Installat...

Page 7: ...r Transport Certificate 204 Extensions for Transport Certificate 205 Transport Certificate Request 206 Storage Key and Recovery Agent Configuration 206 Storage Key Creation 206 Data Recovery Scheme 1...

Page 8: ...278 Stage 4 Further Configuration Options 281 Stage 5 Creating Additional Instances or CA Clones 282 Chapter 7 Installing and Uninstalling CMS Instances 283 Installing Multiple CMS Instances 284 Clon...

Page 9: ...Console 317 Starting From the Command Line 318 Starting From the Windows NT Services Panel 319 Stopping Certificate Management System 320 Stopping From Netscape Console 320 Stopping From the Command L...

Page 10: ...heck the Port Numbers 366 Step 3 Verify Key Pair and Certificates 366 Step 4 Set up Privileged Users 367 Step 5 Customize End Entity and Agent Forms 367 Step 6 Setup Authentication for End Users 367 S...

Page 11: ...03 Step 1 Find the Required Information 403 Step 2 Add the Information to the Internal Database 403 Setting Up Agents 406 Setting up Agents Using the Automated Process 406 Setting up Agents Using the...

Page 12: ...454 Changing a Token s Password 455 Hardware Cryptographic Accelerators 455 Certificate Setup Wizard 456 Using the Wizard to Request a Certificate 457 Step 1 Select the Operation 457 Step 2 Choose th...

Page 13: ...ager s Renewed CA Signing Certificate 498 Deploying Registration Manager s Renewed Signing Certificate 498 Deploying Data Recovery Manager s Renewed Transport Certificate 499 Deploying a Subsystem s R...

Page 14: ...542 Step 8 Test Your Authentication Setup 542 Step 9 Deliver PINs to End Users 544 Managing Authentication Instances 544 Deleting an Authentication Instance 544 Modifying an Authentication Instance 5...

Page 15: ...upport for Predicates 582 Attributes for Predicates 584 Policy Processor 588 Configuring Policy Rules for a Subsystem 589 Step 1 Before You Begin 590 Step 2 Modify Existing Policy Rules 590 Step 3 Del...

Page 16: ...and Publishing Rules 636 Step B Add Mappers Publishers and Publishing Rules 642 Step 4 Configure the Certificate Manager to Publish CRLs 648 Step A Specify CRL Details 649 Step B Set the CRL Extensio...

Page 17: ...692 How Online Certificate Status Manager Works 693 How to Get OCSP Compliant Clients 694 Setting Up a Certificate Manager with OCSP Service 695 Step 1 Before You Begin 695 Step 2 Install OCSP Complia...

Page 18: ...Step C Approve the Request 730 Step D Download the Certificate to the Browser 731 Step E Make Sure the CA is Trusted by the Browser 731 Step F Verify the Certificate in the Browser 732 Step G Check t...

Page 19: ...up 760 Step B Verify the Key 762 Step C Delete the Certificate 762 Step D Test Your Key Recovery Setup 762 Step D Restore the Key in the Browser s Database 763 Chapter 23 Managing CMS Logs 765 Introdu...

Page 20: ...te Request 801 Step 2 Submit the Server Certificate Request 802 Step 3 Install Your Server s SSL Certificate 803 Step 4 Accept a CA as Trusted in Your Server 803 Step 5 Verify Your Server s SSL and CA...

Page 21: ...Specification 829 Data Formats 829 Binary Formats 829 Text Formats 830 Importing Certificate Chains 831 Importing Certificates into Netscape Communicator 831 Importing Certificates into Netscape Serv...

Page 22: ...22 Netscape Certificate Management System Installation and Setup Guide October 2001...

Page 23: ...s in This Guide This guide covers topics that are listed below You should use this guide in conjunction with the other CMS documentation such as the ones that explain all the plug ins and command lin...

Page 24: ...ling CMS Instances Describes how to create multiple instances delete unwanted instances clone instances upgrade from a previous CMS version and so on Chapter 8 Starting and Stopping CMS Instances Desc...

Page 25: ...ificate content such as key size signing algorithm validity period extensions and so on Chapter 19 Setting Up LDAP Publishing Provides an overview of LDAP publishing and describes how to configure a C...

Page 26: ...tes This guide assumes that you Are familiar with the basic concepts of public key cryptography and the Secure Sockets Layer SSL protocol SSL cipher suites The purpose of and major steps in the SSL ha...

Page 27: ...rmissions the superadministrator has set up for you Text within quotation marks Indicates cross references to other topics within this guide Example For more information see Issuing a Certificate to a...

Page 28: ...Sidebar text marks important information Make sure you read the information before continuing with a task Examples Where to Go for Related Information This section summarizes the documentation that s...

Page 29: ...ide open this file server_root manual en cert plugin_guide contents htm To view the PDF version of this guide open this file server_root manual en cert pdf cms45plugin pdf CMS Command Line Tools Guide...

Page 30: ...etailed reference information on CMS end entity interfaces To access this information from the end entity pages click any help button To view the HTML version of this guide open this file server_root...

Page 31: ...31 Part 1 Overview and Demo Installation Chapter 1 Introduction to Certificate Management System Chapter 2 Certificate Enrollment and Life Cycle Management Chapter 3 Default Demo Installation...

Page 32: ...32 Netscape Certificate Management System Installation and Setup Guide October 2001...

Page 33: ...looking for a security solution for your enterprise or setting up an independent certificate authority CA service Certificate Management System offers a robust customizable and scalable foundation fo...

Page 34: ...with wireless applications Supports RSA public key algorithm for signing and encryption DSA public key algorithm for signing and MD2 MD5 and SHA 1 for hashing Supports signature key lengths of up to 1...

Page 35: ...n sign and revoke certificates and generate CRLs It can accept certificate requests directly from end entities and via Registration Managers to which it has delegated certain certificate management fu...

Page 36: ...he Certificate Manager located inside a firewall For more information see Trusted Managers on page 394 Ability to function as both a root and a subordinate CA in a CA hierarchy Certificate Management...

Page 37: ...nager and Data Recovery Manager key pairs reduces the risk of key compromise because hardware tokens don t reveal keys or provide means for them to be revealed once the keys are generated in the hardw...

Page 38: ...nts come with a set of default modules that enable you to configure Certificate Management System for your PKI requirements For example you can configure policy modules to determine the outcome of ope...

Page 39: ...certificate generation for dual key pairs separate key pairs for signing and encrypting mail messages To support separate key pairs for signing and encrypting data Certificate Management System suppo...

Page 40: ...rized key recovery agents The key repository is encrypted using a Data Recovery Manager s storage private key which is protected with one or more recovery agents passwords Only these designated recove...

Page 41: ...e from previous versions of Certificate Management System Certificate Management System provides an easy upgrade path from its previous version GUI based server installation and management An installa...

Page 42: ...e customized and configured to fit widely varying deployment scenarios permitting rapid integration with existing client and server software customer databases security systems and authentication proc...

Page 43: ...frastructure PKI In any PKI a certificate authority CA is a trusted entity that issues renews and revokes certificates An end entity EE is a person router server or other entity that uses a certificat...

Page 44: ...dependent installation of these four subsystems and each subsystem plays a distinct role in a PKI Each subsystem consists of built in system level components such as authentication framework for vario...

Page 45: ...ocument as Certificate Manager agent or automatically based entirely on customizable policies and procedures When set up to work with a separate Registration Manager the Certificate Manager processes...

Page 46: ...rtificates and CRLs RSA with MD2 RSA with MD5 RSA with SHA 1 and DSA with SHA 1 The Certificate Manager can issue X 509 v1 or v2 CRLs A CRL can be automatically updated whenever a certificate is revok...

Page 47: ...on Manager then distributes the certificates to the end entities Note that you can run multiple Registration Managers remotely all reporting to a single CA a Certificate Manager to verify user identit...

Page 48: ...w an end entity to get a new signing certificate and signing key pair without changing the encryption certificate or encryption key pair Note that the Data Recovery Manager archives encryption keys It...

Page 49: ...tificate validation authority is often referred to as an OCSP responder Table 1 1 Key pairs used by end entities and key pairs used by the Data Recovery Manager End entity key pairs Data Recovery Mana...

Page 50: ...the four independent CMS managers and various kinds of end entities To keep things simple the figure assumes that each manager is installed in a different CMS instance and on a different machine The...

Page 51: ...ed by Cisco Systems and VeriSign Inc CEP governs communication between routers or VPN clients and a Registration Manager or Certificate Manager KEYGEN tag An HTML tag supported by Netscape browsers th...

Page 52: ...covery Manager performs the long term archival and recovery of end users private encryption keys A Certificate Manager or Registration Manager can be configured to archive end users private encryption...

Page 53: ...Manager 6 The Certificate Manager issues the signing and encryption certificates and sends them back to the Registration Manager 7 The Registration Manager delivers the certificates to the end entity...

Page 54: ...ance of Directory Server replacing the Relational Database Management System RDBMS used in Certificate Server 1 0x Some deployments require installation of two subsystems in a single CMS instance on a...

Page 55: ...o CMS Plug ins Guide To locate this guide see Where to Go for Related Information on page 28 Authentication Plug in Modules An authentication module is a set of rules implemented as a Java class for a...

Page 56: ...ion module is hardwired you cannot configure it This ensures that when the server receives requests that lack authentication credentials it sends them to the request queue for agent approval It also m...

Page 57: ...adjusts the subject name in the request accordingly A validity constraints policy checks that the certificate validity period falls within a specified period and it rejects defers or adjusts the valid...

Page 58: ...me uniqueness and prevents issuance of multiple subordinate CA certificates with same issuer names UniqueSubjectNameConstraints Allows the server to check for certificate subject name uniqueness and p...

Page 59: ...ocations from where the application that is validating the certificate can obtain the CRL information ExtendedKeyUsageExt Adds the Extended Key Usage extension to certificates The extension identifies...

Page 60: ...f OIDs each pair identifying two policy statements of two CAs The pairing indicates that the corresponding policies of one CA are equivalent to policies of another CA PrivateKeyUsagePeriodExt Adds the...

Page 61: ...much the same way that you can write your own authentication and policy modules Plug in classes are provided out of the box for scheduling the following jobs Table 1 5 Plug in modules for schedulable...

Page 62: ...d CRLs to a directory The advantage of publishing certificates and CRLs to the directory is multifold You can keep users certificate related information with the rest of the user information This way...

Page 63: ...nfigure a Certificate Manager to publish certificates and CRLs to the mapped directory entries to files or to the Online Certificate Status Manager Table 1 6 Default mapper plug in modules for mapping...

Page 64: ...utilities or tools and Software Development Kit Table 1 7 Default publisher plug in modules for publishing certificates and CRLs Plug in module name Function FileBasedPublisher Publishes certificates...

Page 65: ...de of various plug in modules that are included in Certificate Management System out of the box This source code has been included for reference purposes only and is only used to demonstrate how a par...

Page 66: ...ation of ObjectSigning capabilities Examples of how to use Certificate Management System with some third party products Entry Points for Various Types of Users Certificate Management System provides e...

Page 67: ...nager or Online Certificate Status Manager serves the appropriate HTML forms for agent tasks For details see Agent Services Interface on page 68 Accessing Agent Services is a privileged operation agen...

Page 68: ...ces you made during installation a combination of the following agent services will be installed Certificate Manager Agent Services Registration Manager Agent Services Data Recovery Manager Agent Serv...

Page 69: ...es and process them Listing certificates issued by the server Searching for certificates issued by the server Revoking certificates issued by the server Updating certificates and certificate revocatio...

Page 70: ...ce Using the default forms a Registration Manager agent can list deferred certificate requests from end entities and process them Data Recovery Manager Agent Services The Data Recovery Manager Agent S...

Page 71: ...tion private keys from the key archive Key recovery requires authorization from key recovery agents see Key Recovery Process on page 741 Online Certificate Status Manager Agent Services Interface The...

Page 72: ...des HTML forms for various entities people routers servers and others that use certificates to identify themselves and that need to be able to request certificate issuance and management operations Th...

Page 73: ...services interface Note that the Data Recovery Manager and Online Certificate Status Manager do not provide end entity interfaces because end entities do not directly interact with these servers For a...

Page 74: ...hitecture PKCS 11 Public Key Cryptography Standard PKCS 11 specifies an API used to communicate with devices that hold cryptographic information and perform cryptographic operations Because it support...

Page 75: ...te Management System Default Netscape Internal PKCS 11 Module This comes with two built in tokens The Internal Crypto Services token performs all cryptographic operations such as encryption decryption...

Page 76: ...r Java layers JSS and the Java JNI Layer Java Security Services JSS provides a Java interface for security operations performed by NSS JSS and higher levels of the Certificate Management System archit...

Page 77: ...ters pkix charter html under Internet Drafts Certificate Enrollment Protocol CEP A certificate management protocol jointly developed by Cisco Systems and VeriSign Inc CEP is an early implementation of...

Page 78: ...parts as they are finalized For more information about PKIX Part 1 see ftp ftp isi edu in notes rfc2459 txt Security and Directory Protocols Certificate Management System supports the following securi...

Page 79: ...ed by RSA Data Security for certificate requests This format is supported by many server products and by Microsoft Internet Explorer Public Key Cryptography Standard PKCS 11 Specifies an API used to c...

Page 80: ...Standards Summary 80 Netscape Certificate Management System Installation and Setup Guide October 2001...

Page 81: ...nagement System Steps in End Entity Enrollment The following steps take place when a Registration Manager or a Certificate Manager handles an enrollment request from an end user Figure 2 1 shows a sim...

Page 82: ...d to the request for the purpose of formulating the contents of the certificate to be issued and to enforce certain rules such as name constraints Custom policy modules can be used to enforce speciali...

Page 83: ...Steps in End Entity Enrollment Chapter 2 Certificate Enrollment and Life Cycle Management 83 Figure 2 1 Roles of servlets authentication modules and policy modules in end entity enrollment...

Page 84: ...nd Revocation Router Enrollment and Revocation For the sake of simplicity these examples do not show the role of the Data Recovery Manager For more information about data recovery see Data Recovery Ma...

Page 85: ...cations each with their own firewalls In general Netscape recommends that the Certificate Manager handle all certificate and CRL publishing functions If it s necessary for some entries in a directory...

Page 86: ...personal details stored in the existing customer database 2 Custom authentication The Registration Manager uses a custom authentication module to verify the customer s account and status against the...

Page 87: ...tication to validate every certificate request personally before issuing the certificate Figure 2 3 illustrates the steps in this process 1 Request certificate The customer fills in and submits a cert...

Page 88: ...If all authentication procedures are successful the agent approves the request 4 Request certificate The Registration Manager performs policy processing and if the processing is successful sends the a...

Page 89: ...ct workers suppliers employees and others who routinely access parts of the company s internal network In general this can be achieved by using Kerberos or other non PKI security systems as the authen...

Page 90: ...ting extranet fills in and submits a certificate request over SSL using a customized form that requires a Kerberos ID and password 2 Authentication The Registration Manager uses a third party authenti...

Page 91: ...eed access to the extranet To register all these people at once Atlas uses the directory based PIN Generator tool that comes with Certificate Management System to generate PINs in bulk The PINs are th...

Page 92: ...em payroll stub invoice form or other out of band delivery mechanism 4 Request certificate using PIN The user goes to a specified Registration Manager URL fills in name and PIN and submits a certifica...

Page 93: ...ns on a user s desktop outside the firewall and uses the IP Key Management Protocol IPKMP or IP Security IPSec protocol to establish encrypted communication with VPN hardware that straddles the firewa...

Page 94: ...an be used during enrollment to authenticate the client 2 Issue certificate The Certificate Manager issues the certificate and the Registration Manager delivers it to the VPN client The VPN client can...

Page 95: ...nt and Life Cycle Management 95 Figure 2 6 VPN client enrollment and revocation The certificate includes information about a CRL distribution point which is a directory that the VPN hardware can check...

Page 96: ...tificates As part of the issuing process the Certificate Manager publishes the certificates to the directory Publishing occurs only if the router s DN exists in the publishing directory This is import...

Page 97: ...Some Enrollment Scenarios Chapter 2 Certificate Enrollment and Life Cycle Management 97 Figure 2 7 Router enrollment and revocation...

Page 98: ...ms that use different protocols and life cycle management procedures for different kinds of end entities For example end entities running Navigator 3 x and versions of Communicator earlier than 4 5 ne...

Page 99: ...th CMS subsystems occur over HTTPS Table 2 1 End entities message formats algorithms and key pairs supported by Certificate Management System End entity software Enrollment message format over HTTP or...

Page 100: ...entity interactions can take place over HTTP or HTTPS For example routers using CEP which includes its own encryption scheme uses HTTP rather than HTTPS For a more detailed discussion of these ports...

Page 101: ...The authentication module is used by the servlet to authenticate the end entity the output template is an HTML page that returns information from the servlet to the end entity Figure 2 9 shows the def...

Page 102: ...ular Personal Security Manager simplifies certificate deployment with Certificate Management System by taking advantage of the following CMS features One click issuance of certificates Forced certific...

Page 103: ...ards PKCS 12 Export and import of certificates and associated private keys CRMF CMMF Direct commmunication between Personal Security Manager and a CA simplifying enrollment processes and making one cl...

Page 104: ...End Entities and Life Cycle Management 104 Netscape Certificate Management System Installation and Setup Guide October 2001...

Page 105: ...scape Certificate Management System CMS procedures This chapter has the following sections System Requirements page 106 Overview of the Default Demo page 108 Installing the Default Demo page 112 Using...

Page 106: ...s Sun Solaris 8 for SPARC 32 bit operating environment with relevant Java 2 patches Microsoft Windows NT 4 0 Server with Service Pack 6a x86 only Other required software Netscape Administration Server...

Page 107: ...ack 6a Pentium 350 or faster NTFS or FAT 128 MB of RAM recommended Total required is approximately 350 MB broken down as follows Total transient space required during installation 100 MB Hard disk sto...

Page 108: ...otentially be separate from the user directory Netscape Administration Server This lightweight HTTP server acts as the back end to Netscape Console An instance of Administration Server manages operati...

Page 109: ...for information on the locations and contents of server groups on the network It also interacts with the Administration Server for each server group to perform some tasks such as managing SSL encrypt...

Page 110: ...ssigned for the default demo You will also be asked to provide additional information such as the name of each server instance to be installed the names and passwords of various types of administrator...

Page 111: ...if you plan to remove it after testing you should maintain the security of the demo system For this reason the installation procedure does not give specific passwords for each administrative user Howe...

Page 112: ...Run the Installation Script Windows NT Step 2 Run the Installation Wizard Step 3 Get the First User Certificate Step 1 Run the Installation Script UNIX These instructions assume that you have the init...

Page 113: ...the configuration user Directory Server process will run as Where your system supports it accept the default user nobody creating that user as necessary 12 System Group nobody Enter the group that the...

Page 114: ...installation is now complete The installation script has installed Netscape Console installed and started an Administration Server and its configuration directory and copied the files for Certificate...

Page 115: ...fault Demo Chapter 3 Default Demo Installation 115 2 Welcome Click Next 3 Software License Agreement Click Yes 4 Select Server or Console Installation Leave the default setting Netscape Servers select...

Page 116: ...e Management System Installation and Setup Guide October 2001 5 Choose the Installation Type Leave the default setting Typical selected and click Next 6 Choose Installation Directory Leave the default...

Page 117: ...er 3 Default Demo Installation 117 7 Select Products Leave all four components selected and click Next 8 Directory Server 4 13 Leave the default setting This instance will be the configuration directo...

Page 118: ...ted and click Next 10 Directory Server 4 13 Server Settings Type the following values then click Next Server identifier configdir Server port Accept the default which should be 389 Suffix Accept the d...

Page 119: ...ator ID admin Password admin password Password again admin password 12 Directory Server 4 13 Administration Domain Accept the default which should be your company s domain name in the form your_domain...

Page 120: ...tificate Management System Installation and Setup Guide October 2001 Directory Manager DN cn Directory Manager Password dir mgr password Password again dir mgr password 14 Administration Server Port S...

Page 121: ...e the value demoCA and click Next 16 Configuration Summary Click Next 17 Setup At this point the installation script extracts and installs the binaries for all of the servers in the server root direct...

Page 122: ...on of Certificate Management System by running the Installation Wizard Step 2 Run the Installation Wizard To begin running the Installation Wizard follow these steps 1 If Netscape Console is not runni...

Page 123: ...it alternatively you can also click the Open button on the Certificate Management System panel on the right After a few moments the Installation Wizard appears You use the wizard to get the initial ce...

Page 124: ...Setup Guide October 2001 1 Introduction Click Next 2 Internal Database Type the following values then click Next Instance ID Accept the default demoCA db Port number Accept the default 38900 Director...

Page 125: ...ation 125 At this point the system creates the internal database which can take some time 3 Administrator Type the following values then click Next Administrator ID CMSadmin Full name Accept the defau...

Page 126: ...ms Click Next to accept the default selection Certificate Manager only 5 Remote Data Recovery Manager Click Next to accept the default selection No At this point the system configures the internal dat...

Page 127: ...ity gateway then accept the default values listed below If one of the default ports is unavailable a different randomly selected port will appear in the form SSL administration port 8200 SSL agent por...

Page 128: ...ificate Manager CA Signing Certificate Type the following values then click Next Token Accept the default value Internal Password token password Password again token password Key type Accept the defau...

Page 129: ...CA Organization Unit OU CMS Demo Organization O name of your company Locality L name of your locality State ST name of your state province or territory Country C two letter code for your country 13 V...

Page 130: ...14 Certificate Extensions for Certificate Manager CA Signing Certificate Click Next to accept the default selections 15 Certificate Manager CA Signing Certificate Creation Click Next 16 SSL Server Cer...

Page 131: ...Next 18 Message Digest Algorithm Click Next to accept the default SHA1 19 Subject Name for SSL Server Certificate Type the following values then click Next Common name CN hostname in the machine domai...

Page 132: ...tificate Management System Installation and Setup Guide October 2001 20 Validity Period for SSL Server Certificate Modify year and month values of Expire on date to allow a validity period of one mont...

Page 133: ...te Click Next to accept the default selections 22 SSL Server Certificate Creation Click Next The generation of the certificate can take some time 23 Set Up Single Signon Password Type the following va...

Page 134: ...Installing the Default Demo 134 Netscape Certificate Management System Installation and Setup Guide October 2001 24 Configuration Status Click Done Certificate Management System starts automatically...

Page 135: ...cate that Certificate Management System issues The initial user is both an administrator and an agent This person can use Netscape Console to create additional agents with the appropriate user privile...

Page 136: ...ertificate that you just created during installation Because you just created it it is not on your list of trusted certificates A series of dialog boxes now appears that lets you add the CMS server ce...

Page 137: ...has now been designated as the first agent The certificate you just created allows you to access the Agent Services pages As an agent you can approve enrollment requests and start issuing new certifi...

Page 138: ...and issue a certificate Create a Policy page 143 Configuring the Certificate Manager to reject certificate requests that do not use at least 1024 bit key lengths Use an LDAP Directory page 145 Adding...

Page 139: ...use HTTPS to go to the URL for the SSL agent port that you specified For example https hostname 8100 2 Because this is an SSL connection you are prompted to present your client SSL certificate for aut...

Page 140: ...ur initial agent certificate CN CMS administrator 7 Use the browser s Back button to go back to the Services Summary page For example when using Communicator press and hold the mouse button while it s...

Page 141: ...cate your identity 2 If a dialog box appears requesting that you select a certificate select the certificate name that begins with CMS Administrator The first form for the Agent Services gateway appea...

Page 142: ...re the system Setting Your Browser to Use the Agent Certificate To verify that the User1 certificate really can access the agent pages you must first set your browser to use the User1 certificate to i...

Page 143: ...formulate your policies before installing any software and configure how the policies will be implemented before issuing any certificates For this demonstration you will implement a simple but very u...

Page 144: ...lect the CMS instance cert demoCA 5 In the Certificate Management System panel at the right click Open 6 Log in as CMSadmin giving the password CMS password Netscape Console s CMS window appears showi...

Page 145: ...to this Certificate Manager by setting enabled to true 11 Click OK to save the changes The RSAKeyRule should now be listed as enabled in the Policy Rules Management tab That is all you need to do The...

Page 146: ...Up End User Authentication Step 1 Enable Directory Based Authentication To enable directory based authentication for the Certificate Manager 1 If the CMS console window is not still open start Netsca...

Page 147: ...irectory s user and groups subtree Notice that this is a different operation from adding a user or group to the Certificate Manager s internal database NOTE If you leave the dnpattern field blank the...

Page 148: ...ole again or go back to the main window 2 Select the Users and Groups tab and click Create in the lower right corner 3 In the Select Organization Unit dialog box select People and click OK 4 In the Cr...

Page 149: ...he key length policy working you will request the certificate using a 512 bit key first then change the request to use a 1024 bit key 1 Open a browser window and go to the Certificate Manager s end en...

Page 150: ...ued Publish Certificates to an LDAP Directory In any PKI there are things that you need to publish to make them available to entities Certificate revocation lists CRLs for example can be made availabl...

Page 151: ...conditions The conditions may simply require a certain type of object such as a client certificate A condition may also assert some additional requirement a predicate that must be true about that type...

Page 152: ...rd again dir mgr password Version 3 Authentication Basic authentication 5 Click Save A dialog box appears that indicates whether Certificate Management System is able to connect authenticate and bind...

Page 153: ...in domain directory tree using the user ID from the certificate request To configure Certificate Management System to publish user certificates to an LDAP directory 1 Open the CMS console window and s...

Page 154: ...button and the LdapUserCertPublisher under Publishers Update the Publishing Directory Your Certificate Manager is now configured to automatically publish newly issued client certificates If you want t...

Page 155: ...e the Property Editor dialog box but leave the Edit Entry dialog box open if you can you will open the Property Editor again after you manually publish certificates To publish certificates to the dire...

Page 156: ...ficate expires In a real deployment of course you would probably not start reminding certificate holders to renew until 30 days before expiration You will see the email that is sent to a certificate h...

Page 157: ...r server uses for SMTP in the Port Number field If you are certain that your server uses a port number other than 25 for SMTP enter it in the Port number field However it is unlikely that any server u...

Page 158: ...expires so you will get notices for the certificates issued during this demonstration You will also send notices every minute instead of every day so that you get an immediate message and send a summa...

Page 159: ...eceiving email after one minute 11 After the scheduler has been running for a few minutes deselect the Enable Jobs Scheduler checkbox 12 Click Save 13 Check your email You will have at least two messa...

Page 160: ...set parameter and whether or not the Certificate Manager succeeded in sending a renewal notice The message content format and subject are all customizable so in a real deployment you can create messag...

Page 161: ...tallation Chapter 4 Planning Your Deployment Chapter 5 Installation Worksheet Chapter 6 Installing Certificate Management System Chapter 7 Installing and Uninstalling CMS Instances Chapter 8 Starting...

Page 162: ...162 Netscape Certificate Management System Installation and Setup Guide October 2001...

Page 163: ...of whether a Certificate Manager is subordinate affects its distinguished name DN as well as its validity period extensions and place in the CA hierarchy As you begin to make decisions about your depl...

Page 164: ...anager and Registration Manager page 166 Certificate Manager and Data Recovery Manager page 168 Certificate Manager Data Recovery Manager and Registration Manager page 170 Cloned Certificate Manager S...

Page 165: ...pabilities This Certificate Manager can use a signing certificate issued by a public certificate authority or its own self signed CA signing certificate to sign all the certificates it issues Figure 4...

Page 166: ...accept requests from both end entities and Registration Managers For example end entities at the home office might deal directly with the Certificate Manager while end entities at a branch office mig...

Page 167: ...a particular geographic area or within an organizational group Decisions about the number of locations of and relationships among Certificate Managers and Registration Managers depend on many factors...

Page 168: ...scenario sketched in Figure 4 2 a Data Recovery Manager can be installed either in the same CMS instance in which the Certificate Manager is installed or in a different CMS instance which can be loca...

Page 169: ...rowser that is using Netscape Personal Security Manager which supports dual keys The decision to keep the Data Recovery Manager in the same instance as the Certificate Manager or in a different instan...

Page 170: ...he Registration Manager is configured to request the end entity s private encryption key in encrypted form and send it to the Data Recovery Manager during the enrollment process Before the Registratio...

Page 171: ...tificate Management System assumes that most deployments will rely on a single Data Recovery Manager associated with either a Registration Manager or a Certificate Manager However it is also possible...

Page 172: ...trative effort and it creates more potential areas where the CA could become compromised so it should only be used when absolutely necessary The advantage of cloning is the ability to distribute the C...

Page 173: ...icate Manager s own identity The signing unit digitally signs certificates requested by end entities that use a specified enrollment process to establish their identities Regardless of how related Reg...

Page 174: ...lly strong Export and other regulations permitting it may be a good rule of thumb to start with 1024 bits and consider increasing the length to 2048 bits for certificates that provide access to highly...

Page 175: ...le for getting your root certificate into all the browsers used with the certificates you issue If you are using Netscape Communicator as your client you can accomplish this task within an intranet by...

Page 176: ...ew CA certificate with the same subject name and public and private key material as the old CA certificate but with an extended validity period As long as the new CA certificate is distributed to all...

Page 177: ...for a PKCS 11 module can in turn contain a token which is the hardware or software device that actually provides cryptographic services and optionally stores certificates and keys As shown in Figure 1...

Page 178: ...in the specified manner Note that it s not possible to configure the Registration Manager to publish certificates or CRLs The Certificate Manager has the complete record of issued certificates and th...

Page 179: ...SL For detailed information on LDAP publishing see Chapter 19 Setting Up LDAP Publishing Publishing CRLs to the Online Certificate Status Manager Certificate Management System supports the Online Cert...

Page 180: ...lled in a single instance they normally share a single SSL server certificate If one or more subsystems are installed in a separate instance from the other subsystems each instance requires a separate...

Page 181: ...ger also generates a few other certificates transparently during installation For details see Certificate Manager s Key Pairs and Certificates on page 437 Registration Manager Certificates Every Regis...

Page 182: ...d at the same time by m of n authorized agents The Data Recovery Manager also requires at least one SSL server certificate The Data Recovery Manager s SSL server certificate or certificates can be uni...

Page 183: ...ticated especially for operations related to certificate enrollment requires careful planning and control throughout the lifetime of a PKI deployment For examples of some different approaches to authe...

Page 184: ...tration Managers which can be configured to apply the policies uniformly in different geographic locations For a detailed discussion of policy management see Chapter 18 Setting Up Policies Deployment...

Page 185: ...Deployment Strategy and Port Assignments Chapter 4 Planning Your Deployment 185 Figure 4 5 Deploying servers on a single host...

Page 186: ...orts for each CMS instance to listen on That is each CMS instance will require at least four unique ports Internal database port for communication with internal database SSL administration port for co...

Page 187: ...te Management System This chapter has the following sections Information for UNIX Installation Script page 188 Information for NT Installation Script page 191 Initial Configuration page 194 Certificat...

Page 188: ...the fully qualified host name of the machine on which the installation is taking place For example mydirectory siroe com Do not attempt to install remotely Configuration Directory Server System user...

Page 189: ...must also supply the following information User directory host name___________________________________________ User directory port_____________________________________________ Bind as________________...

Page 190: ...uffix configured for your directory It also should not correspond to an actual entry stored in your directory For example cn Directory Manager Directory Manager password ________________________ The p...

Page 191: ...f Certificate Management System you must also install an Administration Server and Netscape Console application and have access to a configuration and user group directory For more information on the...

Page 192: ...s directory server _______________________________________ If you choose this option the installation script either adds a user group directory to the newly installed instance of Directory Server if y...

Page 193: ...u specify must not be used for any other purpose Suffix ____________________________________ If you are creating a new directory this should be the domain name of the current host For example o siroe...

Page 194: ...t the default number Certificate Management System Identifier You must specify a unique identifier for the CMS server instance that you are installing Certificate Management System server identifier__...

Page 195: ...logged in as root Directory Manager DN ____________________________________________ The default is CN Directory Manager You can enter something more meaningful such as CN Internal Directory Manager In...

Page 196: ...er___________________________________ Enable issuance of wTLS certificates _____________________ Registration Manager__________________________________ Data Recovery Manager___________________________...

Page 197: ...anager Configuration This section summarizes information required to configure a Certificate Manager as a root or subordinate CA either by itself or as part of a joint installation with a Data Recover...

Page 198: ...tokens For example SmartCard For installation instructions see Installing External Tokens on page 451 Token password_________________________________________________ The password for the token must b...

Page 199: ...Signing Certificate You can specify the validity period for a self signed CA signing certificate only The validity period for a subordinate CA signing certificate is determined by the issuing CA Valid...

Page 200: ..._________ S MIME CA Yes _________ S MIME No _________ Object signing CA Yes _________ SSL CA Yes _________ Authority Key Identifier Yes ________________ Subject Key Identifier Yes ________________ Ke...

Page 201: ...he certificate that the Registration Manager will use to sign certificate requests This certificate also functions as the Registration Manager s SSL client certificate The Installation Wizard formulat...

Page 202: ...Name CN _____________________________________ Organizational Unit OU ___________________________________ Organization O ________________________________________ Locality L ____________________________...

Page 203: ...Type and Length on page 174 Token for storing the transport certificate signing certificate and private key________________________________________ Enter either internal if you plan to use the intern...

Page 204: ...________________________________________ Locality L _____________________________________________ State ST ______________________________________________ Country C ___________________________________...

Page 205: ...sion by pasting its base 64 encoding in the space provided on this screen For more information about extensions see Appendix C Certificate and CRL Extensions of CMS Plug ins Guide Confirm that you wan...

Page 206: ...If you are submitting your certificate request to a Certificate Manager you need to know its URL End entity URL for issuing Certificate Manager___________________________ Enter the URL for the end en...

Page 207: ..._____________________ Password_________________________ User ID______________________ Password_________________________ User ID______________________ Password_________________________ User ID_________...

Page 208: ...ssword for the token must be at least one character long Key type_________________________________________________ RSA or DSA Key length_______________________________________________ Available key si...

Page 209: ...certificate For example http hostname 17006 Cloned Certificate Manager Configuration This section summarizes information required to configure a clone of a Certificate Manager You must have installed...

Page 210: ...enter the starting serial number When you configure cloned CAs you must specify upper and lower bounds for the serial numbers on all CAs and you must make sure the ranges do not overlap CA s starting...

Page 211: ...Management System you must supply information for the SSL server certificate used by that instance to identify itself The same SSL certificate is shared by all subsystems installed in that instance SS...

Page 212: ...__________________________________ Country C ____________________________________________ A DN is a series of name value pairs that in combination uniquely identify an entity The subject DN identifies...

Page 213: ...Guide Confirm that you want to include the following extensions Check off all that apply defaults are indicated in parentheses Basic constraints No _____________ CA Nos _________ Certification path le...

Page 214: ...instructions provided by that CA If you are submitting your certificate request to another Certificate Manager you need to know its URL End entity URL for issuing Certificate Manager__________________...

Page 215: ...d page 225 Stage 3 Enrolling for Administrator Agent Certificate page 275 Stage 4 Further Configuration Options page 281 Stage 5 Creating Additional Instances or CA Clones page 282 Installation Overvi...

Page 216: ...em in a single server root directory involves four stages Stage 1 Run the installation script setup on UNIX setup exe on NT to install Administration Server and Directory Server as necessary and perfo...

Page 217: ...which you ll submit the subordinate CA s CA signing certificate and SSL server certificate requests Make sure the CA is running and if required identify the forms you ll use to submit these requests I...

Page 218: ...e requests Make sure the CA is running and if required identify the forms you ll use to submit these requests For Online Certificate Status Manager s signing certificate to work properly it must conta...

Page 219: ...alization file and the installation prompts resume at the point in which you left off This initialization file applies only to the installation of the Administration Server and Directory Server If you...

Page 220: ...ts you wish to install 1 2 Enter the numbers corresponding to the Administration Services components you wish to install or press Enter to accept the default components 9 Specify the components you wi...

Page 221: ...If you are using an existing configuration directory enter its identifier 17 Netscape configuration directory server administrator ID admin Enter the name and password of the user who will authenticat...

Page 222: ...rver Directory Server Netscape Console and Certificate Management System and installs the binaries under the server root directory you have specified It creates one instance of Administration Server o...

Page 223: ...ice unless you want to set up the Directory Server Synchronization Service Click Next to accept the default selection 6 Directory Server 4 13 This instance will be the configuration directory server i...

Page 224: ...ou are using an existing configuration directory enter its administrator ID and password Click Next to continue 10 Directory Server 4 13 Administration Domain Click Next to accept the default value Th...

Page 225: ...onfiguration for this instance of Certificate Management System The Installation Wizard is the same for both UNIX and Windows NT In the last step of the installation script you were given an opportuni...

Page 226: ...rnal database which takes some time If you have previously installed an internal database for this instance the Recreate Internal Database screen appears In the Recreate Internal Database specify whet...

Page 227: ...r If you have already installed a remote Data Recovery Manager that you want the Certificate Manager to use for archiving end users encryption private keys select Yes Then enter the remote Data Recove...

Page 228: ...validity is two years The validity period determines how soon you will have to renew the certificate which can be a complex procedure Click Next to continue 10 Certificate Extensions for Certificate M...

Page 229: ...tinue 15 Subject Name for SSL Server Certificate Type the values for the subject DN components these values identify the root CA s SSL server certificate The CN must be the fully qualified host name o...

Page 230: ...Subordinate CA To install the Certificate Manager as a subordinate CA 1 Subsystems Select Certificate Manager If you want the Certificate Manager to issue certificates for wireless applications select...

Page 231: ...lect the Create subordinate CA certificate request option Click Next to continue 6 Key Pair Information for Certificate Manager CA signing certificate Select the token to store the CA signing certific...

Page 232: ...e Creation This is an informational screen that tells you that the wizard has all the information required to generate the key pair and certificate request In the previous screen if you chose to inclu...

Page 233: ...then click Show Pending Requests and click Find The pending request list is displayed g Locate your request click Details to see it and make any changes Then scroll down to the bottom of the form and...

Page 234: ...s Agent interface you can follow the instructions below to issue the certificate Otherwise you ll have to wait till the remote Certificate Manager s agent approves your request f In the web browser wi...

Page 235: ...n Wizard screen click Yes or No If you have submitted your request to a third party CA or to a remote Certificate Manager for which you do not have agent privileges you may have to wait days or weeks...

Page 236: ...If the CA that issued the certificate is a Certificate Manager follow these steps a Go to the end entity URL for the Certificate Manager that issued the subordinate CA s signing certificate b Select...

Page 237: ...d on this screen For details see Step 10 of this section Click Next to continue 22 SSL Server Certificate Request Creation This is an informational screen that tells you that the wizard has all the in...

Page 238: ...rtificate Manager s agent If you ve permission to access that Certificate Manager s Agent interface you can follow the instructions below to issue the certificate Otherwise you should wait for the rem...

Page 239: ...n the CMC format click CMC Enrollment In the resulting form paste the request from the clipboard into the text area and fill in any other required information Be sure to select Server SSL Certificate...

Page 240: ...You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the subordinate CA s SSL server certificate b Submit your certificate request to...

Page 241: ...sent option and then specify the required details Click Next to continue 26 Certificate Details This is an informational screen that displays the certificate so you can inspect its contents Notice the...

Page 242: ...3 Enrolling for Administrator Agent Certificate on page 275 to create the first agent user for the Certificate Manager Installing a Standalone Registration Manager To install a standalone Registratio...

Page 243: ...er Signing Certificate Select the required extensions The default settings should work for most deployments If necessary you can add an additional extension by pasting its base 64 encoding in the spac...

Page 244: ...t number of the remote Certificate Manager and specify whether the end entity port is SSL enabled c Click Next to submit the request The Certificate Request Result screen appears confirming that the r...

Page 245: ...entities c In the left hand frame of the Enrollment tab choose the form appropriate for the request type If the request is in the PKCS 10 format under Server click Registration Manager In the resulti...

Page 246: ...ATE and END CERTIFICATE and copy it to the clipboard or to a text file Be sure to not make any changes to the certificate You re required to paste the encoded certificate into the Installation Wizard...

Page 247: ...he filename in the text field If you copied the certificate to the clipboard select the The certificate is located in the text area below option and then paste in a base 64 encoded certificate includi...

Page 248: ...ame for SSL Server Certificate Type the values for the subject DN components these values identify the Registration Manager s SSL server certificate The CN must be the fully qualified host name of the...

Page 249: ...ult screen appears confirming that the request has been submitted Note the request ID provided in the response message You can use it later to retrieve the certificate once it has been issued from the...

Page 250: ...c In the left hand frame of the Enrollment tab choose the form appropriate for the request type If the request is in the PKCS 10 format under Server click SSL Server In the resulting form paste the r...

Page 251: ...ies the certificate request to the clipboard In addition to the copy on the clipboard the screen informs you that the certificate request has been saved to a file You can use either the copy on the cl...

Page 252: ...request was sent option and then specify the required details Click Next to continue 23 Certificate Details This is an informational screen that displays the certificate so you can inspect its content...

Page 253: ...step Stage 3 Enrolling for Administrator Agent Certificate on page 275 to create the first agent user for the Registration Manager Installing a Standalone Data Recovery Manager To install a standalone...

Page 254: ...Joiner Tool of CMS Command Line Tools Guide Click Next to continue 7 Data Recovery Manager Transport Certificate Request Creation This informational screen tells you that the wizard has all the infor...

Page 255: ...k Show Pending Requests and click Find g In the pending request list locate your request click Details to see the request and make any changes Then scroll down to the bottom of the form and click Do I...

Page 256: ...access that Certificate Manager s Agent interface you can follow the instructions below to issue the certificate f In the web browser window enter the URL for the remote Certificate Manager s Agent S...

Page 257: ...Installation Wizard screen click Yes or No If you have submitted your request to a third party CA or to a remote Certificate Manager for which you do not have agent privileges you may have to wait da...

Page 258: ...of the remote Certificate Manager a Go to the web browser window b Enter the end entity URL for the remote Certificate Manager that issued the transport certificate c Select the Retrieval tab and the...

Page 259: ...st be the fully qualified host name of the machine on which you re installing the Data Recovery Manager Click Next to continue 19 Certificate Extensions for SSL Server Certificate Select the required...

Page 260: ...t Certificate Manager s agent If you ve permission to access that Certificate Manager s Agent interface you can follow the instructions below to issue the certificate Otherwise you should wait for the...

Page 261: ...d information If the request is in the CMC format click CMC Enrollment In the resulting form paste the request from the clipboard into the text area and fill in any other required information Be sure...

Page 262: ...tificate request has been saved to a file You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the subordinate CA s signing certifica...

Page 263: ...e required details Click Next to continue 24 Certificate Details This is an informational screen that displays the certificate so you can inspect its contents Notice the nickname assigned to the certi...

Page 264: ...a Online Certificate Status Manager To install a standalone Online Certificate Status Manager 1 Subsystems Select Online Certificate Status Manager Click Next to continue 2 Network Configuration Type...

Page 265: ...Next to submit the request The Certificate Request Result screen appears confirming that the request has been submitted Note the request ID provided in the response message You can use it later to ret...

Page 266: ...rtificate For example if you assigned the port number 17006 to the non SSL end entity port for your CA you would go to the URL http hostname 17006 to bring up the Certificate Manager page for end enti...

Page 267: ...REQUEST is highlighted and click the Copy to Clipboard button This action copies the certificate request to the clipboard In addition to the copy on the clipboard the screen informs you that the cert...

Page 268: ...ficate is at the CMS where the request was sent option and supply the host name end entity port number and request ID Click Next to continue 9 Certificate Details This is an informational screen that...

Page 269: ...ect the token to store the SSL server certificate and key pair If you have not previously initialized the token s password you must do so in this screen Also specify the key type and length Click Next...

Page 270: ...rtificate you ll be given the choice to select the format for the certificate request Otherwise the request format will be PKCS 10 If you want the wizard to generate the certificate request in PKCS 10...

Page 271: ...sts then click Show Pending Requests and click Find The pending request list is displayed f Locate your request click Details to see it and make any changes Then scroll down to the bottom of the form...

Page 272: ...ce you can follow the instructions below to issue the certificate Otherwise you ll have to wait for the Certificate Manager s agent to approve your request and issue the certificate f In the web brows...

Page 273: ...he Installation Wizard screen click Yes or No If you have submitted your request to a third party CA or to a remote Certificate Manager for which you do not have agent privileges you may have to wait...

Page 274: ...owser window b Enter the end entity URL for the Certificate Manager that issued the SSL server certificate c Select the Retrieval tab and then choose Import CA Certificate Chain d Select the Display t...

Page 275: ...icate automatically Follow the appropriate procedure for the subsystem you installed Agent Certificate for a Certificate Manager Agent Certificate for Other CMS Managers For more information about set...

Page 276: ...ion Because you just created it it is not on your browser s list of trusted certificates Before you see the Administrator Agent Certificate Enrollment form a series of dialog boxes appears that lets y...

Page 277: ...er who was named as the initial administrator for Certificate Management System during installation has been automatically designated as the first agent This certificate allows you to access the Agent...

Page 278: ...est to the CA and then install the certificate in the certificate database of the CMS instance Alternatively if you have agent privileges to any of the CMS managers for example to a Certificate Manage...

Page 279: ...instance for which you want to create the agent user and double click the icon The login screen for the CMS window appears 9 Enter your administrator ID and password The CMS window for the subsystem...

Page 280: ...de the text area and paste the agent s certificate in base 64 encoded form If you haven t copied the certificate go back to the browser window copy the certificate and then paste the certificate here...

Page 281: ...tance For more information about setting up and managing agents see Agents on page 387 Stage 4 Further Configuration Options When you have completed the initial configuration and installation of a CMS...

Page 282: ...Creating Additional Instances or CA Clones After the initial installation you can use Netscape Console to create additional instances of Certificate Management System in the same server root director...

Page 283: ...lation you specified a port number for the Administration Server instance you will use to administer Certificate Management System If Administration Server is shut down be sure to start it at this por...

Page 284: ...hen you install additional CMS instances on the same machine you are required to specify different ports for each CMS instance to listen on For example you will have to set up one server to listen on...

Page 285: ...entifier for the new instance For the name you can use any combination of letters aA to zZ digits 0 to 9 an underscore _ and a hyphen other characters and spaces are not allowed For example you can ty...

Page 286: ...e same CA functions you create another instance of a Certificate Manager and configure it to use the same CA signing key and certificate and issue certificates with serial numbers that do not conflict...

Page 287: ...ng a Certificate Manager s OCSP service see Setting Up a Certificate Manager with OCSP Service on page 695 So CAs organized in a flat structure using the cloning method eliminate the need for you to i...

Page 288: ...t s recommended that you start with say 0x100 as the starting lowest serial number This will ensure that the master Certificate Manager has sufficient serial numbers for its own certificates such as t...

Page 289: ...ending on your master Certificate Manager s installation there are three possible scenarios to install a clone Certificate Manager Installing Clone CA in Master CA s Server Group In this case you inst...

Page 290: ...spaces are not allowed For example you can type Clone1_of_root CA as the instance name but not Clone1 of root CA 5 Click OK The instance you created appears in the navigation tree Note that the instan...

Page 291: ...ance When prompted to specify a configuration directory select the option for an existing directory and specify the host name and port number of the Directory Server instance used by the master Certif...

Page 292: ...irectory server_root cert instance_id config b Locate files named cert7 db and key3 db c In the clone Certificate Manager s host machine go to this directory server_root cert instance_id config d Copy...

Page 293: ...erver certificate or create a new one If you created the clone Certificate Manager on the same host as the master Certificate Manager you can reuse the SSL server certificate To reuse the SSL server c...

Page 294: ...ther CA for example a third party CA you can locate the certificate in the certificate database by using the certutil command line tool For more information about this tool see Chapter 11 Certificate...

Page 295: ...ZIAYb4QgEBAQHBAQDAgCAMA0GCSqGSIb3DQEBBAUAA4GBA Fi9FzyJlLmS kzsue0kTXawbwamGdYql2w4hIBgdR jWeLmD4CP4xzmKdvQ6IqD2q8DBs9lRQu9 END CERTIFICATE To locate the SSL server certificate in the master Certificat...

Page 296: ...5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoYiYgthgtbbnjfngjn jgnagwJjAOBgNVHQ8BAf8EBAMCBLAwFAYJYIZIAYb4QgEBAQHBAQDAgCAMA0GCSqGSIb3DQEBBAUAA4GBA Fi9FzyJlLmS kzsue0kTXawbwamGdYql2w4hIBgdR jWeLmD4CP4xzmKdvQ6...

Page 297: ...ter Certificate Manager relies solely on its SSL server certificate which you will add in Step 3 for authentication User ID Type an ID that will help you identify this user in the list of privileged u...

Page 298: ...rt Certificate window appears 9 Click inside the text area and paste the master Certificate Manager s SSL server certificate in its base 64 encoded form Be sure to include the BEGIN CERTIFICATE and EN...

Page 299: ...onfigured the clone Certificate Manager for automated certificate issuance for example for directory based enrollment you may use the appropriate form and request a certificate To request a client or...

Page 300: ...e required attributes of a client certificate 6 Scroll to the bottom of the request form and approve the request You should see a confirmation page indicating that the certificate has been issued If y...

Page 301: ...okes the certificate updates the certificate status in its internal database and sends details about the revoked certificate to the master Certificate Manager Step E Check Master CA s CRL for the Revo...

Page 302: ...latest certificate revocation information use the browser s Back button to return to the previous page and click Update Step 10 Use Master CA s Agent Certificate in Clone CAs This step is optional Th...

Page 303: ...paste it as the agent certificate in the clone CA For step by step instructions to create an agent user see Setting up Agents Using the Manual Process on page 407 8 After creating the agent entry for...

Page 304: ...e You can change this description see Changing the Name of an Instance on page 305 Installation Date The date the server was installed Server Root The directory that holds all the files for the select...

Page 305: ...llation the name of a CMS instance is in the form CMS cert instance_id instance_id is the ID for this instance of Certificate Management System You first specified this when you installed this server...

Page 306: ...l help you identify this instance of Certificate Management System 4 Click OK You are returned to the previous screen The new name appears in the right pane Removing an Instance From a System If you a...

Page 307: ...elow 4 When the server has stopped from the Object menu choose Remove Server As shown in the figure below you can also right click to choose this option from the pop up menu 5 When prompted confirm th...

Page 308: ...From the command line locally only On a Windows NT system by using the Windows NT Add Remove Programs Utility Uninstalling From the Command Line To uninstall Certificate Management System from the com...

Page 309: ...ling CMS Instances 309 3 In the Add Remove Programs Properties window choose Netscape Server Products 4 2 server_root and click Add Remove 4 In the Netscape Server Uninstall window make sure all the c...

Page 310: ...Uninstalling Certificate Management System 310 Netscape Certificate Management System Installation and Setup Guide October 2001...

Page 311: ...12 Stopping Certificate Management System page 320 Restarting Certificate Management System page 322 Checking System Status page 324 Attending to an Unresponsive Server page 325 CMS Watchdog Process p...

Page 312: ...ate key pairs for the server The bind password used by Certificate Management System to access and update the internal database The bind password used by Certificate Management System to access and re...

Page 313: ...out the CMS keys and certificates see Chapter 14 Managing CMS Keys and Certificates Note that during CMS installation the watchdog stores all the passwords required by the server for starting up in a...

Page 314: ...a File Every time you start Certificate Management System you are required to enter either the single sign on password or all the passwords required by the server to startup see Required Start up Info...

Page 315: ...sr netscape server4 bin cert admin bin start i testCA r usr netscape server4 e classpath usr netscape server4 bin cert classes usr netscape server4 bin cert jars jss jar usr netscape server4 bin cert...

Page 316: ...cert jars certsrv jar usr netscape server4 java ldapjdk jar usr netscape server4 bin cert jre lib rt jar usr netscape server4 bin cert jre lib i18n jar usr netscape server4 bin cert jars jssjdk12 jar...

Page 317: ...jar C Netscape Server4 bin cert jre lib i18n jar C Netscape Server4 bin cert jars jssjdk12 jar C Netscape Server4 java swingall jar e Save your changes 5 Use your operating system s security feature t...

Page 318: ...for the server 5 Type the single sign on password you specified during installation and click OK Certificate Management System won t start until you provide this password For more information see Req...

Page 319: ...you installed this server 4 When prompted enter the single sign on password Certificate Management System won t start until you provide this password For more information see Required Start up Informa...

Page 320: ...cate Management System You can stop Certificate Management System in several ways From Netscape Console locally and remotely From the command line locally only On a Windows NT system from the Windows...

Page 321: ...m from the command line 1 Open a terminal window to your server 2 In a Unix system log in either as root or using the server s user account if that is how you started the server 3 At the command line...

Page 322: ...Services 4 Select the CMS instance and click Stop 5 When prompted click Yes The server is stopped Restarting Certificate Management System Whenever you change the CMS configuration you must save your...

Page 323: ...single sign on password you specified during installation and click OK Certificate Management System won t restart until you provide this password For more information see Required Start up Informatio...

Page 324: ...stance_id is the ID for this instance of Certificate Management System You first specified this when you installed this server 4 When prompted enter the single sign on password Certificate Management...

Page 325: ...ign on password In addition it manages the start up stop and restart states of Certificate Management System The watchdog process identified as cms_watchdog implements the following operations Starts...

Page 326: ...the password cache could look like this Password Cache Internal LDAP Database myIdbPwd Internal Key Storage Token myTokenPwd Authentication myPinAuthPwd LDAP Publishing myLdapPubPwd Note that in the...

Page 327: ...ality of passwords set within the CMS system All passwords used in Certificate Management System are checked by the password quality checker which by default checks that the length of a password is at...

Page 328: ...Password Quality Checker 328 Netscape Certificate Management System Installation and Setup Guide October 2001...

Page 329: ...tting Up Ports Chapter 12 Setting Up Internal Database Chapter 13 Managing Privileged Users and Groups Chapter 14 Managing CMS Keys and Certificates Chapter 15 Setting Up End User Authentication Chapt...

Page 330: ...allation and Setup Guide October 2001 Chapter 19 Setting Up LDAP Publishing Chapter 20 Publishing Certificates and CRLs to a File Chapter 21 Setting Up an OCSP Responder Chapter 22 Setting Up Key Arch...

Page 331: ...o enable system administrators to accomplish these server specific tasks quickly and easily Certificate Management System provides a GUI based administration tool called the CMS window within Netscape...

Page 332: ...tion interface to the user directory Figure 9 1 Netscape Console window with a CMS instance selected in the Console tab Console Tab For any given instance of Netscape Console the limits of the network...

Page 333: ...ment System uses file based configuration which is stored locally on the host system during installation the server registers only its SIE in the configuration directory For details about this file se...

Page 334: ...including Certificate Management System through Netscape Console Administration Server and the configuration directory must be running before you can configure any of these servers It is included with...

Page 335: ...g installation for monitoring Certificate Management System If you stopped Administration Server after installation you must start it before you can administer Certificate Management System from the C...

Page 336: ...ter the following line server_root admin instance_id stop admin Administration Server runs as a service in a Windows NT system you can use the Windows NT Services panel to stop the service directly Lo...

Page 337: ...password that you specified when you installed Administration Server on your computer during CMS installation Administration URL This field should show the URL to Administration Server If it doesn t o...

Page 338: ...to day operational and managerial duties for Certificate Management System You launch the CMS window from within Netscape Console Figure 9 3 Figure 9 3 Certificate Management System window launched f...

Page 339: ...perform tasks such as starting stopping and restarting the server and running the Certificate Setup Wizard For details see Chapter 8 Starting and Stopping CMS Instances and Certificate Setup Wizard on...

Page 340: ...tions such as the following Entering information about privileged users administrators agents and trusted managers into the CMS internal database Modifying user information Deleting users from the dat...

Page 341: ...tificate issuance and management policies This involves operations such as the following Viewing currently registered policy plug in modules for a Certificate Manager or Registration Manager Configuri...

Page 342: ...end users encryption private keys For details see Chapter 22 Setting Up Key Archival and Recovery Managing CMS logs This involves configuring system error and audit logs maintained by Certificate Mana...

Page 343: ...the Console tab select the Server Group that contains the CMS instance you want to use as your source 3 In the navigation tree locate the CMS instance you want to administer 4 Select the instance and...

Page 344: ...CMS window without having to create privileged user entries Otherwise type your privileged user ID administrator ID Password If you are logging in for the first time type the Certificate Administrator...

Page 345: ...plains how the installation affects the number of configuration files created in your machine and their contents It also explains ways in which you can modify the configuration and precautions you sho...

Page 346: ...e configuration files for the instances running on Host A one for each CMS instance Although the names of both the configuration files are the same the information included in the files differs accord...

Page 347: ...ration 347 Figure 10 1 How installation affects configuration Duplicating Configuration From One Instance to Another If you have deployed a large number of CMS instances that are identical for example...

Page 348: ...ck way of deploying multiple Registration Managers with the same configuration Figure 10 2 Duplicating a configuration Locating the Configuration File Each instance of Certificate Management System ha...

Page 349: ...how to change the various configuration parameter values from the CMS window Changing the Configuration by Editing the Configuration File This section explains how to change the CMS configuration by e...

Page 350: ...util Properties The following guidelines may help you interpret the information in the configuration file The format of the configuration file is as follows comment parameter value value parameter mul...

Page 351: ...is processed by the server all the parameters beginning with ca will be used The configuration file supports Unix style file separator the forward slash If the backward slash file separator is requir...

Page 352: ...ile Note the following All policy specific information such as registered policy plug in implementations configured rules and ordering appear in the Policy section of the configuration file If you hav...

Page 353: ...cessTemplate ca EnrollSuccess template agentGateway bulkissuance errorTemplate ca bulkissuance template agentGateway bulkissuance pendingTemplate ca bulkissuance template agentGateway bulkissuance rej...

Page 354: ...ca Policy impl _002 ca Policy impl AuthInfoAccessExt class com netscape certsrv policy AuthInfoAccessExt ca Policy impl AuthorityKeyIdentifierExt class com netscape certsrv policy AuthorityKeyIdentifi...

Page 355: ...ca Policy impl ValidityConstraints class com netscape certsrv policy ValidityConstraints ca Policy rule AuthorityKeyIdentifierExt enable true ca Policy rule AuthorityKeyIdentifierExt implName Authori...

Page 356: ...geExt implName KeyUsageExt ca Policy rule ClientCertKeyUsageExt keyEncipherment true ca Policy rule ClientCertKeyUsageExt nonRepudiation true ca Policy rule ClientCertKeyUsageExt predicate certType cl...

Page 357: ...le GenericASN1Ext attribute 5 value ca Policy rule GenericASN1Ext attribute 6 source ca Policy rule GenericASN1Ext attribute 6 type ca Policy rule GenericASN1Ext attribute 6 value ca Policy rule Gener...

Page 358: ...olicy rule NameConstraintsExt permittedSubtrees0 max 1 ca Policy rule NameConstraintsExt permittedSubtrees0 min 0 ca Policy rule NameConstraintsExt permittedSubtrees0 valueType ca Policy rule NameCons...

Page 359: ...eyRule implName RSAKeyConstraints ca Policy rule RSAKeyRule maxSize 2048 ca Policy rule RSAKeyRule minSize 512 ca Policy rule RSAKeyRule predicate ca Policy rule RenewalConstraintsRule enable true ca...

Page 360: ...reqInQueue html ca notification requestInQ enabled false ca notification requestInQ recipientEmail ca notification requestInQ senderEmail ca publish mapper impl LdapDNCompsMap class com netscape certs...

Page 361: ...publish rule instance LdapCrlRule mapper LdapCrlMap ca publish rule instance LdapCrlRule pluginName Rule ca publish rule instance LdapCrlRule predicate ca publish rule instance LdapCrlRule publisher L...

Page 362: ...Internal LDAP Database internaldb ldapconn host testCA siroe com internaldb ldapconn port 3602 internaldb ldapconn secureConn false jobsScheduler _000 jobsScheduler _001 jobScheduler jobsScheduler _0...

Page 363: ...eNotifier summary recipientEmail jobsScheduler job requestInQueueNotifier summary senderEmail jobsScheduler job unpublishExpiredCerts cron 0 0 6 jobsScheduler job unpublishExpiredCerts enabled false j...

Page 364: ...error log instance Error flushInterval 5 log instance Error level 3 log instance Error maxFileSize 100 log instance Error pluginName file log instance Error rolloverInterval 2592000 log instance Erro...

Page 365: ...9 8 oidmap netscape_comment class netscape security x509 NSCCommentExtension oidmap netscape_comment oid 2 16 840 1 113730 1 13 oidmap ocsp_no_check class com netscape certsrv cert OCSPNoCheckExtensi...

Page 366: ...install a CMS instance the server prompts you to create the certificates required for the subsystems in that instance to function You should check the certificates used by each subsystem and determine...

Page 367: ...es cannot interact with the Data Recovery Manager Similarly agents can interact with the appropriate subsystem using the agent forms Certificate Management System provides HTML forms based interfaces...

Page 368: ...expiration of a certificate that require action on the part of users and periodic activities such as removing expired certificates from the publishing directory For scheduling jobs follow the instruct...

Page 369: ...a Remote OCSP Responder on page 708 Step 11 Set up Key Archival and Recovery If you have installed the Data Recovery Manager follow the instructions in Configuring Key Archival and Recovery Process o...

Page 370: ...tep 13 Plan for Backing up CMS Configuration and Data It is a good practice to periodically back up the CMS data on to some backup media Creating backups will help you use them for data restoration in...

Page 371: ...nternal token and trust database for PKI operations SSL ciphers during SSL negotiation privileged users and log files to log messages to This chapter explains how to configure the ports for a CMS inst...

Page 372: ...cessible services are usually maintained in a file named services On Unix if you are not running as root or superuser when you install or start the server you will have to use a port number higher tha...

Page 373: ...ber can be any number between 1 and 65535 The number you choose for the agent port affects your agent users all agents access Certificate Management System by specifying the name of the server the CMS...

Page 374: ...ocation General certificate retrieval requests such as retrieving a single certificate identified by a serial number listing certificates based on certain criteria for example an LDAP search filter de...

Page 375: ...at can be waiting to be serviced at the administration port The default number is 15 The number you enter in this field is passed to the operating system s listen call To change the agent port number...

Page 376: ...te Manager is configured to service OCSP requests from OCSP compliant clients then this port must be enabled so that OCSP compliant clients can successfully query the Certificate Manager for the revoc...

Page 377: ...address and the Data Recovery Manager is served on another address To clarify this further consider the machine that hosts the Certificate Manager and Data Recovery Manager has two Ethernet cards tha...

Page 378: ...example If you entered an IP address as the value the parameter would look similar to this radm https host 197 1 137 98 If you entered the host name as the value the parameter would look similar to th...

Page 379: ...vileged users and log files to log messages to This chapter explains how to configure the internal database for a CMS instance The chapter has the following sections Internal Database page 379 Configu...

Page 380: ...ified this when you installed this server If you check the files installed under server_root the internal database instance appears like this slapd cms_instance_id db Keep in mind that the subsystems...

Page 381: ...the machine on which Netscape Directory Server is installed Certificate Management System uses this name to access the directory The format for the host name is as follows machine_name your_domain do...

Page 382: ...access control set up for this DN determines whether Certificate Management System can communicate with the directory Typically you would want to enter the directory manager s DN the root DN because t...

Page 383: ...n Chapter 2 Password Cache Utility of CMS Command Line Tools Guide 1 Log in to Netscape Console see Logging In to the CMS Window on page 343 2 In the Console tab select the server group that contains...

Page 384: ...e Directory Server window 10 When the server is restarted from Netscape Console open the Directory Server window The Login to Directory dialog box appears the Distinguished Name field displays the Dir...

Page 385: ...ted manager and granting access permissions to various CMS resources by adding the user to appropriate groups This chapter describes the types of privileged users you need to set up for a CMS instance...

Page 386: ...stration Manager For details see Trusted Managers on page 394 The role of a privileged user whether administrator agent or trusted manager is determined by the group to which the user belongs This is...

Page 387: ...red in a publishing directory Manage key archival and retrieval requests Manually add CRLs to the Online Certificate Status Manager See the list of OCSP requests processed by the Online Certificate St...

Page 388: ...stem for it to service requests from the agents For information about agents certificates see Agent s Certificate for SSL Client Authentication on page 389 For information on creating agents for a CMS...

Page 389: ...e exists in the subsystem s certificate or trust database and that the certificate is valid and trusted To check whether or not the CA s certificate exists in a subsystem s trust database follow the i...

Page 390: ...YXRpb25zMQ8wDQYDVQQLEwZQZW9wbGUxFzA VBgoJkiaJkIsZAEBEwdzdXByaXlhMRcwFQYDVQQDEw5TdXByaXlhIFNoZXR0eTEjMCEGCSqGSIb3DbndgJ ARYUc3Vwcml5YUBuZXRzY2FwZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoYiYgthgtbbnjfngj...

Page 391: ...fter the user imports the certificate into the web browser you need to copy the certificate in base 64 encoded form in order to be able to add it to a subsystem s internal database To copy an agent s...

Page 392: ...figure a Certificate Manager and Registration Manager to check the revocation status of an agent s certificate the server receives during SSL client authentication You can configure a Data Recovery Ma...

Page 393: ...onChecking ra ra auths revocationChecking unknownStateInterval 0 auths revocationChecking validityInterval 120 If you have a Data Recovery Manager installed in the same instance in addition to the abo...

Page 394: ...erforming specific functions depending on the subsystem to which it is connected You establish this trust between the two subsystems by configuring them to function in certain way revocationChecking u...

Page 395: ...requests sent by this Registration Manager For example as illustrated in the figure below you might deploy one or more Registration Managers to process approve and forward certificate signing requests...

Page 396: ...Certificate Managers or Registration Managers to send key archival or recovery requests to a Data Recovery Manager Connectors for Linking Trusted Managers Certificate Management System supports propr...

Page 397: ...ers as privileged users to the internal database of that subsystem assigning them memberships in the appropriate group and identifying the certificates the managers must use for SSL client authenticat...

Page 398: ...nstallation the issuer is the CA from which you requested the renewed certificate Check the signing certificate for its issuer s name see Viewing the Certificate Database Content on page 502 You can a...

Page 399: ...e administrator ID of the CMS administrator you specified during installation If you don t remember this name see the installation worksheet you completed in preparation for installing the system see...

Page 400: ...tomatically adds the initial administrator as the agent and stores a copy of the agent certificate against that user entry The user ID for this agent user is the same as the certificate administrator...

Page 401: ...s a single user entry when you get the very first agent certificate from the Certificate Manager the server automatically adds the initial administrator as the agent and stores a copy of the agent cer...

Page 402: ...e Status Manager you need to do additional configurations See Setting Up Agents on page 406 Group for Trusted Managers When the Certificate Manager Registration Manager or Data Recovery Manager is ins...

Page 403: ...ors Setting Up Agents Setting Up Trusted Managers Setting Up Administrators You need at least one administrator for each instance of Certificate Management System To understand the role of an administ...

Page 404: ...rs 404 Netscape Certificate Management System Installation and Setup Guide October 2001 2 In the navigation tree select Users and Groups The Users tab appears on the right pane 3 Click Add The Select...

Page 405: ...o eight characters for the user Give this password to the user The user is required to enter this password in the login screen of the CMS window Confirm password Retype the password exactly as you typ...

Page 406: ...requests must belong to both Certificate Manager Agents and Administrators groups in the internal database of the Certificate Manager The request approval form includes a checkbox labeled This certif...

Page 407: ...pies the user s client certificate to the database and associates the certificate with the new user s entry 11 To verify log in to the CMS window for the Certificate Manager 12 In the navigation tree...

Page 408: ...If the user does not own a client certificate either issue the user a certificate or ask the user to get a certificate For details see Agent s Certificate for SSL Client Authentication on page 389 Id...

Page 409: ...ere is to help you keep track of your agent users the user never sees or uses it The server relies solely on the agent s client certificate which you will add next for authentication User ID Type the...

Page 410: ...r you have the agent s certificate If you copied the user s certificate in base 64 encoded form to a text file proceed to Step 3 For details on getting the user s certificate see Agent s Certificate f...

Page 411: ...k inside the text area and paste the user s certificate in base 64 encoded form Be sure to include the BEGIN CERTIFICATE and END CERTIFICATE marker lines 4 Click OK You are returned to the Manage User...

Page 412: ...sts from the agent Make sure that this CA s certificate exists in the subsystem s certificate database internal or external and that it is trusted To check whether the CA s certificate exists in your...

Page 413: ...ves the subsystems certificate requests must belong to both the Certificate Manager Agents and Administrators groups in the user and group database of the Certificate Manager For more information abou...

Page 414: ...to function as a trusted manager to another CMS subsystem Note identifying information such as the instance ID and host name of the Registration Manager Make sure that the Registration Manager has th...

Page 415: ...is step you create a privileged user entry for the Registration Manager in the internal database of the subsystem As a part of creating this entry you also add the user entry to the Trusted Managers g...

Page 416: ...ely on the Registration Manager s SSL client certificate which you will add in Step 3 for authentication User ID Type the Registration Manager s instance ID or any other ID that will help you identify...

Page 417: ...skip to Step 5 You can add the certificate later following the instructions in Changing a Privileged User s Certificate on page 430 Step 3 Copy the Registration Manager s Certificate to the Internal...

Page 418: ...01 3 Click inside the text area and paste the Registration Manager s certificate in base 64 encoded form Be sure to include the BEGIN CERTIFICATE and END CERTIFICATE marker lines 4 Click OK You are re...

Page 419: ...trusted To check whether the CA s certificate exists in the subsystem s certificate database follow the instructions in Viewing the Certificate Database Content on page 502 If the CA certificate isn t...

Page 420: ...ab 4 In the List of connectors select the connector If you are connecting the Registration Manager to a Certificate Manager select Certificate Manager Connector and click Edit If you are connecting th...

Page 421: ...e number of the TCP IP port at which the Certificate Manager will listen to requests from the trusted Registration Manager The default port designated for communication between a trusted Registration...

Page 422: ...ant it to use for SSL client authentication to the Data Recovery Manager that will trust it by default the Certificate Manager uses its SSL server certificate for this purpose The certificate must be...

Page 423: ...y with appropriate access privileges for a Certificate Manager 1 Log in to the CMS window for the Data Recovery Manager see Logging In to the CMS Window on page 343 2 In the navigation tree select Use...

Page 424: ...haracters Host name Type the fully qualified host name of the Certificate Manager The host name can be an alphanumeric string of up to 255 characters It must be in this form machine_name your_domain d...

Page 425: ...er s SSL server certificate in the internal database of the subsystem 1 In the Users tab select the user entry you just added for the Certificate Manager and click Certificates The Manage User Certifi...

Page 426: ...rchival requests initiated by the Certificate Manager Make sure that this CA s certificate exists in the Data Recovery Manager s certificate database internal and that it is trusted To check whether t...

Page 427: ...on of a Data Recovery Manager you were prompted to specify the host name and port number of the Certificate Manager to which the Data Recovery Manager will be connected If you specified this informati...

Page 428: ...domain domain form Port Type the number of the TCP IP port at which the Data Recovery Manager will listen to requests from the trusted Certificate Manager The port designated for communication between...

Page 429: ...To change the group membership or access permissions of a privileged user see Changing Members in a Group on page 431 Changing a Privileged User s Login Information To change a privileged user s login...

Page 430: ...certificate information you want to change and click Certificates The Manage User Certificate window appears 4 Take the appropriate action To view a certificate select the certificate and click View...

Page 431: ...remove members from all groups Keep in mind that the group for administrators must have at least one user entry For details see Groups and Their Privileges on page 398 To change a group s members 1 L...

Page 432: ...the users you want to add and click OK You are returned to the Edit Group Information window 6 Click OK when you are done with the changes You are returned to the Groups tab 7 Click Refresh to view t...

Page 433: ...tree select Users and Groups The Users tab appears in the right pane 3 In the User ID list select the user you want to delete and click Delete 4 When prompted confirm your action If you click OK the...

Page 434: ...Deleting a Privileged User 434 Netscape Certificate Management System Installation and Setup Guide October 2001...

Page 435: ...to install This chapter provides an overview of those certificates and it explains how to perform operations such as renewing the existing certificates before their validity period expires getting new...

Page 436: ...g them from unauthorized access or use The passwords that protect the tokens containing these keys must also be carefully guarded Access to the token itself should be limited If the keys are in the in...

Page 437: ...cate identified as the Certificate Manager CA signing certificate whose public key corresponds to the private key the Certificate Manager uses to sign the X 509 certificates it issues The first time y...

Page 438: ...t you generated for the CA signing certificate which is explained in section CA Signing Key Pair and Certificate on page 437 The subject name and validity period of the wTLS CA signing certificate wil...

Page 439: ...ager uses the private key that corresponds to the public key used to generate the OCSP signing certificate to sign the OCSP responses it sends to the OCSP compliant clients when queried about the revo...

Page 440: ...ing certificate in the Certificate Selection window select Other and specify caCrlSigning as the certificate type in the associated text field f Once you have the certificate request ready submit it t...

Page 441: ...th MD5withRSA MD2withRSA or SHA1withRSA if the key type is RSA or SHA1withDSA if the key type is DSA token_name with the name of the token used for generating the key pair and the certificate If you u...

Page 442: ...n configure the Certificate Manager to use separate server certificates for authenticating to the End Entity Services interface and Agent Services interface For instructions see Configuring the Server...

Page 443: ...e certificate is Remote Admin Server Cert cert instance_id where instance_id identifies the CMS instance in which the Certificate Manager is installed The CN component in both the subject name and iss...

Page 444: ...Public Key Modulus 00 f6 9e 71 37 62 af 7c 46 af cb bf 1e d8 1a 64 0b 5e 71 e2 d8 ec 88 18 6d eb 32 65 6f f2 18 4b ef b3 70 ae 61 de 6f 21 d5 4e 0e 7b 9b b7 42 98 94 1c d7 46 42 53 39 db 10 07 6c b8...

Page 445: ...cate was issued by the CA to which you submitted the certificate signing request You might have submitted the request to an internally deployed CA or a public CA To find out the issuer name follow the...

Page 446: ...ates for authenticating to Netscape Console the end entity services interface and the Registration Manager Agent Services interface For instructions see Configuring the Server to Use Separate SSL Serv...

Page 447: ...est You might have submitted the request to the Certificate Manager that is installed in the same instance internally deployed another CA or a public CA To find out the issuer name follow the instruct...

Page 448: ...ger uses its SSL server certificate to do SSL server side authentication to the following The end entity services interface the HTTPS port The Data Recovery Manager Agent Services interface By default...

Page 449: ...ch the Online Certificate Status Manager is installed The Online Certificate Status Manager s signing certificate was issued by the CA to which you submitted the certificate signing request You might...

Page 450: ...details see section Remote Administration Server Certificate on page 443 Tokens for Storing CMS Keys and Certificates A token is a hardware or software device that performs cryptographic functions and...

Page 451: ...ate Management System uses to generate and store its key pairs and certificates Certificate Management System supports any hardware tokens that are compliant with PKCS 11 version 2 01 For details see...

Page 452: ...support cryptographic devices supplied by many different manufacturers Specifically it allows Certificate Management System to plug in shared libraries or DLLs supplied by manufacturers of external en...

Page 453: ...indow c Go to the configuration directory of Administration Server it is located here server_root admin serv config d At the prompt enter this command server_root shared bin modutil dbdir nocertdb cre...

Page 454: ...d Viewing Tokens To view a list of the tokens currently installed for a CMS instance 1 Log in to the CMS window see Logging In to the CMS Window on page 343 2 Select the Configuration tab and then in...

Page 455: ...the single sign on password cache stores the passwords for tokens in order to start the server using a single password for details see Required Start up Information on page 312 Whenever you change th...

Page 456: ...ublic and private key pair Install CA certificates in the certificate or trust database of a CMS instance Install CA certificate chains in the certificate database of a CMS instance When you start the...

Page 457: ...in the currently selected CMS instance Using the wizard to request a certificate involves the following steps Step 1 Select the Operation Step 2 Choose the Certificate Step 3 Specify the Key Pair Inf...

Page 458: ...may see a combination of the following options If a Certificate Manager is installed the list includes the Certificate Manager s CA signing OCSP signing remote administration server and SSL server ce...

Page 459: ...ery Manager installed in the currently selected CMS instance Online Certificate Status Manager Signing Certificate choose this option if you want to request a signing certificate for the Online Certif...

Page 460: ...e drop down list shows the names of tokens currently installed for the selected CMS instance these are the tokens you can use now The internal token is identified as internal You should choose this op...

Page 461: ...hose private key has been compromised To generate a certificate request based on a new key pair select the token that can generate the key pair you want to use for generating the request For example i...

Page 462: ...nstructs the subject DN string If you want to enter values for individual DN components provide the following information Common name enter the name as appropriate Except for the SSL server certificat...

Page 463: ...te or province enter the name of the state or province where your business is located For example California Country enter the name of the country where your business is located For example US Step 5...

Page 464: ...de Also note that certificate extensions are required if you are setting up a hierarchy of certificate authorities CAs Subordinate CAs must have certificates that include the extension identifying the...

Page 465: ...critical as recommended by the PKIX standard and RFC 2459 see http www ietf org rfc rfc2459 txt for a description of the Key Usage extension Extension in MIME 64 DER encoding select this option if yo...

Page 466: ...gYDVQQKExdOZXRzY2FwZSBDb21tdW5pY2 F0aW9uczngjhnMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyNzE5MDAwMFoXDTk5MDIyMzE5MDA wMnbjdgngYoxIDAeBgNVBAoTF05ldHNjYXBlIENvbW11bmljYXRpb25zMQ8wDQYDVQQLEwZQZW9wbGUxFz...

Page 467: ...Sending the CSR Automatically to a CMS Manager To send the certificate signing request CSR automatically to a Certificate Manager 1 Type the appropriate values in the following fields Send the request...

Page 468: ...following the instructions in Using the Wizard to Install a Certificate or Certificate Chain on page 471 Sending the CSR Manually to an Internal CA The following instructions assume that your interna...

Page 469: ...rker lines BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST 7 Submit the request 8 When the CA sends you a response save the information in a text file for future reference or inquiry Not...

Page 470: ...uired information and paste the CSR from the text file 6 Submit the request 7 When the CA sends you a response save the information in a text file for future reference or inquiry 8 When you receive th...

Page 471: ...ate in the chain is encoded as a separate DER encoded object When the wizard imports a certificate chain it imports these objects one after the other all the way up the chain to the last certificate w...

Page 472: ...g package surrounded by the delimiters BEGIN CERTIFICATE and END CERTIFICATE Netscape Certificate Sequence This is a simpler format for downloading certificate chains It consists of a PKCS 7 ContentIn...

Page 473: ...ing CMS Keys and Certificates 473 Step 1 Select the Operation Indicate whether you want to request a certificate or install a certificate For the sake of completing the instructions that follow assume...

Page 474: ...ted CMS instance OCSP Signing Certificate choose this option if you want to install an OCSP signing certificate for the Certificate Manager installed in the currently selected CMS instance Registratio...

Page 475: ...CMS instance Trusted CA Certificate Chain choose this option if you want to install a trusted CA certificate chain the CA certificate will be included in the chain Untrusted CA Certificate Chain choo...

Page 476: ...ed by the wizard This is a text input field so you can paste the certificate or certificate chain in text format only For example if you are installing a certificate it base 64 encoded certificate blo...

Page 477: ...r certificate chain information you have selected for installing You should check the information to make sure that you have chosen the correct one for installing After verifying that the certificate...

Page 478: ...lves identifying the following The SSL server certificates a server must use for authenticating to the end entity agent and administration interfaces For details see Configuring the Server to Use Sepa...

Page 479: ...particular CMS instance For instructions see Getting New Certificates for the Subsystems on page 485 Once you have installed the certificates you should be able to see them in the list of SSL server c...

Page 480: ...r authenticating to the administration interface Netscape Console locate the radm https nickName parameter and change its value to the nickname of the new SSL server certificate For example if the nic...

Page 481: ...equest and check the request for required extensions If you submitted the request to any other CA you must ask the person managing that CA to make the same changes to the request before approving it M...

Page 482: ...use the same ciphers A number of ciphers are available your server needs to be able to use the most popular ones SSL Ciphers Supported in Certificate Management System Figure 14 1 shows the ciphers s...

Page 483: ...s see Ciphers Used with SSL in Appendix E of Managing Servers with Netscape Console Previous US law prohibited the export of software with strong encryption so most browsers still in use outside of th...

Page 484: ...wsers to establish strong SSL sessions with domestic SSL servers if they have the appropriate step up certificates Because many of the features such as issuance of dual certificates for dual key pairs...

Page 485: ...L Communications on page 482 4 Click OK You are returned to the Encryption tab 5 To save your changes click Save The CMS configuration is modified If the changes you made require you to restart the se...

Page 486: ...server and remote administration certificates for the Certificate Manager signing SSL server and remote administration certificates for the Registration Manager transport SSL server and remote adminis...

Page 487: ...anager and if you have configured it to publish CRLs to a Online Certificate Status Manager you will need to identify the Certificate Manager to the Online Certificate Status Manager again For details...

Page 488: ...ailable read it it may help you decide whether to request the certificate from this CA Is the public CA s certificate already installed in the trusted CA in the trust database of Certificate Managemen...

Page 489: ...you want generate Also decide on details such as the key algorithm key size extensions and validity period for the certificate Step 2 Request the New Certificate Once you have all the information go...

Page 490: ...icates issued by the CA using its old key will work For example if the CA has issued certificates to subordinate Certificate Managers Registration Managers Data Recovery Managers Online Certificate St...

Page 491: ...trust this Registration Manager Here s what you must do 1 Install the new signing certificate in the subsystems certificate databases Because the Registration Manager uses its signing certificate for...

Page 492: ...base on page 507 If you find the CA certificate verify its trust status If it is untrusted change the status to trusted For instructions on changing the trust setting of a CA certificate see Changing...

Page 493: ...e listed there 4 Repeat steps 1 through 3 for any additional enrollment or key archival pages Deploying a Subsystem s SSL Server Certificate By default the Certificate Manager and Registration Manager...

Page 494: ...tificate Manager Registration Manager Data Recovery Manager or Online Certificate Status Manager before they expire For example if you generated these certificates during CMS installation with a valid...

Page 495: ...tects the token If the token is external make sure that the token is installed properly see Installing External Tokens on page 451 Decide on the validity period of the renewed certificate Decide on th...

Page 496: ...s located here server_root cert instance_id config The names of the text files vary depending on the certificate you choose for renewal Table 14 2 lists them NOTE When renewing a certificate be sure t...

Page 497: ...Renewed Certificate When you receive the renewed certificate from the CA you must install it in the token that contains the key pair for the certificate this is the token you used to generate the req...

Page 498: ...ends on this certificate for validation For example you ll need to add the renewed CA certificate to the certificate databases of clients that trust this CA Similarly if you have configured the Certif...

Page 499: ...or the CA certificate that signed the Registration Manager s renewed certificate If the subsystem does not find the CA as a trusted CA in its trust database it rejects the Registration Manager For ins...

Page 500: ...nd identify the parameter that corresponds to the Data Recovery Manager s transport certificate The default enrollment forms for end users embed this feature Figure 14 3 shows the default directory ba...

Page 501: ...thentication to all the CMS ports If a Certificate Manager is configured for SSL client authenticated communication with the publishing directory it also uses the SSL server certificate for authentica...

Page 502: ...ternal token You may need to add new certificates to the database remove unwanted certificates from the database or change the trust settings of CA certificates in the database This section explains h...

Page 503: ...e Database Chapter 14 Managing CMS Keys and Certificates 503 2 Select the Configuration tab and then in the right pane select the Encryption tab 3 Click Manage Certificate The Certificate Database Man...

Page 504: ...Database By default the CMS certificate database includes a few public or third party CA certificates As an administrator you should periodically check the contents of the certificate database and mak...

Page 505: ...that has sent a certificate signing request the Certificate Manager checks its certificate database to see whether the CA that has signed the certificate presented by the Registration Manager is inclu...

Page 506: ...ne select the Encryption tab 3 Click Manage Certificate The Certificate Database Management window appears The window lists the certificates currently installed for the selected CMS instance the list...

Page 507: ...server Installing a New CA Certificate in the Certificate Database You may need to install new trusted CA certificates in the certificate database of a CMS instance For example assume that you renewe...

Page 508: ...rusted CA certificates in its certificate database These CA certificates determine which other certificates the software can validate in other words which issuers of certificates the software can trus...

Page 509: ...ation for End User Enrollment page 521 Managing Authentication Instances page 544 Managing Authentication Plug in Modules page 547 Introduction to Authentication Authentication is the process of verif...

Page 510: ...System uses built in authentication mechanisms Authentication of Administrators When an administrator makes an administrative request to Certificate Management System from the CMS window within Netsca...

Page 511: ...its internal database 2 If the user ID and password bind successfully to a user entry authentication succeeds otherwise it fails If authentication fails the server logs an error message and sends a re...

Page 512: ...ssociating them with the corresponding users identification information for details see Setting Up Agents on page 406 When an agent makes a request to perform a privileged operation the server request...

Page 513: ...1 An agent opens a web browser and enters the URL to the Registration Manager Agent Services interface hosted by the Registration Manager The server requests the client for SSL client authentication T...

Page 514: ...nd that it has been issued by a CA that the Registration Manager trusts For details on configuring the Certificate Manager or Registration Manager to check the revocation status of its agents certific...

Page 515: ...ile Authentication of End Users During Certificate Renewal When an end user submits a certificate renewal request the first step in the renewal process is for the Certificate Manager or Registration M...

Page 516: ...d the server displays the URL for downloading the certificate This situation may occur if the end user forgets to download the renewed certificate It can also happen if the end user maintains two iden...

Page 517: ...or her own certificate not a certificate belonging to someone else Both Certificate Manager and Registration Manager support the following methods of revocation SSL client authenticated revocation Th...

Page 518: ...rds certificate revocation requests to this Certificate Manager For information on trusted managers see Trusted Managers on page 394 The certificate the user attempts to revoke must be currently valid...

Page 519: ...ates the password with the certificate stores both the certificate and password in its internal database and uses them later for authenticating any revocation requests In the challenge password based...

Page 520: ...a mismatch between the challenge password and serial number the server rejects the revocation request Certificate Revocation Forms The End Entity Services interface of the Certificate Manager and Reg...

Page 521: ...ble by clicking the Help button on the form For more information on customizing the form see CMS Customization Guide Configuring Authentication for End User Enrollment To set up a Certificate Manager...

Page 522: ...module note the authentication directory credentials such as the host name port number based DN the user entry to bind as and the corresponding password LDAP version number and minimum and maximum nu...

Page 523: ...t Complete this step only if you want to configure the server to use the directory and PIN based authentication method with or without PIN removal Otherwise skip to the next step To set up a directory...

Page 524: ...PIN from the directory after Certificate Management System successfully authenticates that user and thus prevents the user from enrolling for another certificate ACIs must be set up on the directory t...

Page 525: ...ACI for ou people o siroe com successful Step C Prepare the Input File This step is optional If you want to generate PINs for specific user entries or want to provide your own PINs use an input file t...

Page 526: ...put file for delivering PINs to users after you complete setting up the required authentication method see Step 9 Deliver PINs to End Users on page 544 Step 3 Enable the AttributePresentConstraints Po...

Page 527: ...utes When a user enrolls for a certificate using the End Entity Services interface of the Registration Manager it authenticates the user against the replica of the corporate directory If the user pres...

Page 528: ...n Chapter 3 Constraints Policy Plug in Modules of CMS Plug ins Guide Note that unlike some of the other policy rules Certificate Management System does not create an instance of the Attribute Present...

Page 529: ...configuration You are returned to the Policy Rules Management tab If required click the Reorder button and order the rules as appropriate For details see Step 5 Reorder Policy Rules on page 599 Step...

Page 530: ...instances are not created by default only the instance names are embedded in the forms for your convenience If you create authentication instances with the default names you can skip the step Step A...

Page 531: ...31 Figure 15 5 Authentication information in the default directory based enrollment form For information on locating and customizing the default end entity forms see CMS Customization Guide To add an...

Page 532: ...authentication instances 3 Click Add The Select Authentication Plugin Implementation window appears It lists the currently registered authentication plug in modules 4 Select a plug in module The follo...

Page 533: ...h Select this if you want to use the NIS server based authentication module PortalEnroll Select this if you want to use the portal authentication module For the purposes of this instruction assume tha...

Page 534: ...nges Step 5 Set Up the Enrollment Interface This step explains how to customize the end entity interface for the enrollment method you ve chosen for your users Step A Associate the Authentication Inst...

Page 535: ...tribute the VALUE field Make sure that it is same as the name or ID you assigned to the authentication instance you created in Step 5 If it is different replace it with the name of the authentication...

Page 536: ...r_root cert instance_id web ee 2 Locate the index html file 3 Open the file in a text editor 4 Follow instructions as appropriate If you want to enable the CertBasedDualEnroll html form search for Cer...

Page 537: ...w menuItem item CertBasedSingleEnroll html Certificate Uncomment the lines and then add lines for using the automated enrollment module you configured the server with Your edited lines should look lik...

Page 538: ...odules a link for the corresponding form is automatically created under the Browser section For example if you create an instance of the directory based authentication module you will notice a new lin...

Page 539: ...rtificate Manager is configured for end entity interaction the Registration Manager is not configured for end entity interaction Depending on the subsystem you re configuring follow the instructions i...

Page 540: ...wal request with validity period beyond June 10 2004 will have validity period truncated to end on June 10 2004 Validity periods of certificates during enrollment is determined by the policy explained...

Page 541: ...r s policy configuration overrides the algorithm you select here For information on a Certificate Manager s policy configuration see SigningAlgorithmConstraints policy plug in module in CMS Plug ins G...

Page 542: ...s you made require you to restart the server you will be prompted accordingly In that case restart the server Step 7 Turn on Automated Notification Both the Certificate Manager and the Registration Ma...

Page 543: ...ample you can point your browser to the portal directory and find out if an entry for the user for whom you requested the certificate exists In the URL field type ldap host_name port base_dn sub uid u...

Page 544: ...nge a secure means of delivering the password to the user or ask the user to collect it from you in person Managing Authentication Instances This section explains how to use the CMS window to do the f...

Page 545: ...cordingly In that case restart the server Modifying an Authentication Instance You can modify an authentication instance by editing its configuration parameter values you cannot edit the name of an in...

Page 546: ...pane shows the Authentication Instance tab which lists configured authentication instances 4 In the Instance Name list select the instance you want to modify and click Edit The Configure Authenticatio...

Page 547: ...the Configuration by Editing the Configuration File on page 349 Registering an Authentication Module You can register custom authentication plug in modules from the CMS window Registering a new authen...

Page 548: ...tered 4 Click Register The Register Authentication Plugin Implementation window appears 5 Specify which module you want to register Plugin name Type a name for the module Class name Type the full name...

Page 549: ...n Instance on page 544 You should also update the appropriate end entity enrollment forms To delete an authentication module from the CMS authentication framework 1 Log in to the CMS window see Loggin...

Page 550: ...Managing Authentication Plug in Modules 550 Netscape Certificate Management System Installation and Setup Guide October 2001...

Page 551: ...mizing Notification Messages page 554 Configuring a Subsytem to Send Notifications page 559 Automated Notifications You can configure the Certificate Manager and Registration Manager to send automated...

Page 552: ...ed as ca notification certIssued and for the Registration Manager it is defined as ra notification certIssued For more information on listeners check the samples directory server_root cms_sdk cms_jdk...

Page 553: ...roblems The location of the notification email template The subject line of the notification message Notification of New Request in Queue When a deferred end entity request enters the request queue of...

Page 554: ...ion message The email addresses of message recipients these should be subsystem agents whose task is to review deferred enrollment requests Customizing Notification Messages Notification and summary e...

Page 555: ...n text notifications to end entities upon issuance of certificates certIssued_RA html Template for the Registration Manager to send HTML based notifications to end entities upon issuance of certificat...

Page 556: ...tration Manager notification_name specifies the name of the event triggered notification certIssued for the certificate issuance notifications to end entities and requestInQ for the request in queue n...

Page 557: ...ems please send an email to cert_central siroe com Thank you Tokens Available in Message Templates This section explains the tokens provided in the templates used by the default job plug in and event...

Page 558: ...s This token enables you to construct the URL from which end entities can download their certificates see the example in Customizing Message Templates on page 556 InstanceID Specifies the ID assigned...

Page 559: ...on is sent by a Certificate Manager this will be ca If the notification is sent by a Registration Manager this will be ra RequestId Specifies the request ID Table 16 4 Tokens for the request in queue...

Page 560: ...Messages on page 554 and customize the message templates for the notifications your want to turn on Step 2 Turn On Certificate Issuance Notification Skip to the next step if you don t want to turn thi...

Page 561: ...at contains the template to be used for formulating the message content 6 To save your changes click Save The CMS configuration is modified If the changes you made require you to restart the server yo...

Page 562: ...subject title for the notification for example End Entity Request in Queue Recipient s E Mail Address Type the recipient s full email address this is the person who will check the queue You can speci...

Page 563: ...erwise type the full host name of the machine on which your mail server is installed Certificate Management System uses this name to access the mail server The format for the host name is as follows m...

Page 564: ...esses in the notification configuration to your email address 2 Go to the end entity interface and request a certificate using the manual enrollment form When the request gets queued for agent approva...

Page 565: ...for various job items appear in the configuration file The chapter has the following sections Configuring a Subsystem to Run Automated Jobs page 565 Managing Job Plug in Modules page 575 Configuring...

Page 566: ...tion Massages section to get familiar with the templates the server uses for formulating notification messages If you want to customize them do that before you start configuring a job plug in check th...

Page 567: ...ternatively you may keep it in the disabled state If you want to create a new job follow the instructions in Step 4 Add New Jobs on page 569 Figure 17 1 Default jobs created for a Certificate Manager...

Page 568: ...17 1 showing the default jobs 4 In the Instance Name list select a job that you want to modify For the purposes of this instruction assume that you selected the job named unpublishExpiredCerts 5 Clic...

Page 569: ...need to create a new job because jobs for all the default plug ins are created for you during installation However in certain circumstances for example if you deleted a default instance you might hav...

Page 570: ...nager To add a job to the CMS configuration 1 In the Job Instance tab click Add The Select Job Plugin Implementation window appears Table 17 2 Job modules registered with a Certificate Manager and Reg...

Page 571: ...n Job Instance ID Type a unique name that will help you identify the job Be sure to formulate the name using any combination of letters aA to zZ digits 0 to 9 an underscore _ and a hyphen For example...

Page 572: ...plate to be used for formulating the message content For example C Netscape Server4 cert testCA emails renewJob txt summary enabled Type true if you want the server to compile a summary report of rene...

Page 573: ...steps 1 through 5 and create additional rules if required Step 5 Schedule the Frequency The Certificate Manager and Registration Manager can execute a job only if the Job Scheduler is turned on or ena...

Page 574: ...ration is modified If the changes you made require you to restart the server you will be prompted accordingly In that case restart the server Step 6 Verify Mail Server Settings The Certificate Manager...

Page 575: ...uests Otherwise type the port number 3 To save your changes click Save The CMS configuration is modified If the changes you made require you to restart the server you will be prompted accordingly In t...

Page 576: ...of the Java class that implements the module For example you can add a job implementation named as follows com netscape jobscheduler unpublishUserCert Before registering a module be sure to put the Ja...

Page 577: ...type com myCompany myJob 7 Click OK The CMS configuration is modified If the changes you made require you to restart the server you will be prompted accordingly In that case restart the server Deleti...

Page 578: ...Job Plugin Registration tab appears It lists currently registered job modules 5 In the Plugin Name list select the module you want to delete and click Delete 6 When prompted confirm the delete action...

Page 579: ...Modules page 602 Introduction to Policy You can configure the main subsystems of Netscape Certificate Management System CMS the Certificate Manager Registration Manager and Data Recovery Manager to a...

Page 580: ...nd revocation requests from end entities in order to formulate the certificate content before forwarding the requests to a Certificate Manager for signing For example you can configure a Registration...

Page 581: ...validity period Enforce organizational constraints such as subject name key algorithm key size and validity period Determine whether the private key should be archived Keep in mind that the server app...

Page 582: ...using variables and relational operators AND or OR For example you could set up a predicate to put the CRL Distribution Point extension only in SSL client certificates or set different validity dates...

Page 583: ...equest Other attributes regarding the end entity such as the user ID are set on the request after successful authentication The servlets also interpret the form content for example retrieving the key...

Page 584: ...ca Attributes for Predicates Attributes for predicates can come from any of the following Input form that is the HTML form that end entities use for submitting certificate requests Authentication tok...

Page 585: ...ver certificate Enrollment doSslAuth Specifies whether the client is required to do SSL client authentication during enrollment Default values include the following on off Enrollment certauthEnroll Sp...

Page 586: ...Guide Enrollment cepsubstore Specifies the name of the CEP service for example cep1 and cep2 When setting up multiple CEP services you can use predicates to differentiate one service for another see...

Page 587: ...issue certificates with the appropriate validity periods you must formulate your predicate expression with the attribute you added Here s how you do this 1 Create a new instance of the ValidityConstra...

Page 588: ...lidityRule2 maxValidity 60 ca Policy rule ValidityRule2 minValidity 10 ca Policy rule ValidityRule2 predicate HTTP_PARAMS certType client AND HTTP_PARAMS orgunit Sales The new configuration would resu...

Page 589: ...es on the request 2 If at least one of the policy rules requires agent approval for the request that is if any of the policy rules returned a PolicyResult DEFERRED value the processor stores the reque...

Page 590: ...ed Information on page 28 This planning will help you configure a Certificate Manager and Registration Manager with the appropriate policy rules so that your end entities get the right kind of certifi...

Page 591: ...s certificate renewal requests if DefaultRenewalValidityRule is disabled If you don t want to use a rule delete it from the configuration as explained in Step 3 Delete Unwanted Policy Rules on page 59...

Page 592: ...fierExt Yes Yes CertificatePoliciesExt Yes Yes NSCCommentExt Yes Yes OCSPNoCheckExt No No OCSPSigningExt Yes Yes CODESigningExt Yes Yes GenericASN1Ext Yes Yes CRLDistributionPointsExt Yes Yes SubjectA...

Page 593: ...Select Policies The Policy Rules Management tab appears It lists configured policy rules 5 In the Policy Rule list select a rule that you want to modify For the purposes of this instruction assume tha...

Page 594: ...estart the server you will be prompted accordingly Don t restart the server yet you can do so after you ve made all the required changes Step 4 Add New Policy Rules Adding a policy rule to the CMS con...

Page 595: ...policy modules registered with a Certificate Manager Table 18 4 Policy modules of a Certificate Manager and Registration Manager Policy plug in module name Certificate Manager Registration Manager Att...

Page 596: ...No PrivateKeyUsagePeriodExt Yes Yes RemoveBasicConstraintsExt Yes No RenewalConstraints Yes Yes RenewalValidityConstraints Yes Yes RevocationConstraints Yes Yes RSAKeyConstraints Yes Yes SigningAlgor...

Page 597: ...plementation window appears It lists registered policy plug in modules If you have registered any custom policy modules see Registering a Policy Module on page 602 they too will be listed here 2 Selec...

Page 598: ...ficates The value must be an integer greater than zero and also greater than the value you typed for the minValidity parameter The default value is 730 days leadTime Type the lead time in minutes for...

Page 599: ...y category in the configuration file a policy configuration with a lower priority precedes one with a higher priority This simple linear listing avoids the need to have explicit locking on request att...

Page 600: ...to restart the server in any of the previous steps To restart the server from the CMS window 1 Click the Tasks tab 2 Click Restart the Server Step 7 Test Policy Configuration To make sure that you ve...

Page 601: ...generation process Step B Approve the Request This step is required if you used the manual enrollment form for requesting the certificate The request you submitted is waiting in the agent queue for ap...

Page 602: ...rhino To learn more about how to use JavaScript in Certificate Management System consult the sample policy js file included in the distribution server_root bin cert js policy js Managing Policy Plug...

Page 603: ...s policy framework 1 Log in to the CMS window see Logging In to the CMS Window on page 343 2 Select the Configuration tab 3 In the navigation tree select the subsystem that will use the module you wan...

Page 604: ...onfiguration click Refresh Deleting a Policy Module You can delete unwanted policy plug in modules using the CMS window Before deleting a module be sure to delete all the policy rules that are based o...

Page 605: ...er explains how to configure the Certificate Manager to publish certificates and CRLs to an LDAP directory The chapter also tells you how to update the directory manually if the need arises The chapte...

Page 606: ...ates to a directory for distribution Note that configuring the Certificate Manager for LDAP publishing is optional you can turn this feature off without affecting any of the certificate issuance renew...

Page 607: ...ia a Registration Manager get published to the directory Figure 19 3 Publishing of certificates requested via a Registration Manager Timing of Directory Updates If the LDAP directory is properly confi...

Page 608: ...y You need to configure the server to run the appropriate job For details see Configuring a Subsystem to Run Automated Jobs on page 565 When the certificate revocation list is created or updated eithe...

Page 609: ...ly published or not Directory Update Process As indicated in Table 19 1 on page 608 when a Certificate Manager is requested to issue a certificate update certificate information or publish a CRL it au...

Page 610: ...you can use the Update Directory option in the Certificate Manager Agent Services interface to synchronize the publishing directory with the internal database The following choices are available for s...

Page 611: ...two separate key pairs one for signing certificates and another one for signing CRLs The CA s function includes creating the CRLs periodically and distributing them to other applications For example t...

Page 612: ...o longer has the right to use the certificate The private key of a certificate owner has been compromised The certificate owner doesn t want to use the certificate The private key of the CA that issue...

Page 613: ...e Retrieval tab of the CMS end entity interface Netscape client users can manually check the revocation status of a particular certificate and automatically import the latest version of the CRL into t...

Page 614: ...matically updated in the publishing directory Note that the server publishes the CRL to the certificateRevocationList binary attribute of the CA s entry in the directory To locate the correct director...

Page 615: ...CRL and thus speed up the revocation status checking process CRL distribution points can be associated with certificates by setting the CRLDistributionPoint extension in them By default the Certifica...

Page 616: ...hes certificates and CRLs to the directory Read Chapter 5 Mapper Plug in Modules and Chapter 6 Publisher Plug in Modules of CMS Plug ins Guide Be sure to take a look at the default mappers and publish...

Page 617: ...rtificate Manager s Key Pairs and Certificates on page 437 By default the server uses its SSL server certificate see SSL Server Key Pair and Certificate on page 441 Depending on your PKI setup you may...

Page 618: ...ired Schema for Publishing End Entity Certificates The Certificate Manager publishes an end entity s certificate to the userCertificate binary attribute within the end entity s or subject s directory...

Page 619: ...ateRevocationList binary This attribute is an attribute of the object class certificationAuthority The value of the attribute is the DER encoded binary X 509 certificate revocation list The CA s entry...

Page 620: ...tes and CRLs 3 Double click the instance or select the instance and click Open This opens the Directory Server window 4 Select the Directory tab 5 Select the domain name right click select New and the...

Page 621: ...For example it may look like this CN testCA OU Research Dept O Siroe Corporation ST California C US For instructions on giving write access to the Certificate Manager s entry see your LDAP directory...

Page 622: ...Publishing With Basic Authentication To configure Directory Server for basic authentication 1 Go to the Directory Server window 2 Select the Configuration tab and then in the right pane select the En...

Page 623: ...rver certificate Trust the CA that issued the certificate the Certificate Manager will use for SSL client authentication Use a valid secure port number for communication with the Certificate Manager H...

Page 624: ...ctory Server from a CA that is trusted by the Certificate Manager You may get this certificate from the Certificate Manager itself The instructions that follow Step 2 through Step 9 explain how to do...

Page 625: ...select the Tasks tab and then click the Certificate Setup Wizard button b Select the token for generating the key pair and for storing the certificate Since you don t have the certificate select No If...

Page 626: ...anges to it As indicated in the message a copy of this information is also saved to the temp file in the host machine s file system BEGIN NEW CERTIFICATE REQUEST MMIIBnzCCAQgCAQAwXzELMAkGA1UEBhMCVXMxE...

Page 627: ...who will process this request e Click Submit 4 Approve the request you submitted Skip to the next step if you submitted the CSR to an external CA Complete this step if you submitted the CSR to the Ce...

Page 628: ...ls scroll down to the section that says Installing this certificate in a server b Copy the base 64 encoded certificate including the BEGIN CERTIFICATE and END CERTIFICATE marker lines to a text file o...

Page 629: ...Go to the end entity interface of the Certificate Manager or to the Registration Manager that s connected to the Certificate Manager b Click the Retrieval tab c In the left frame click Import CA Cert...

Page 630: ...ry Server listens for incoming requests a In the Directory Server window select the Configuration tab and then in the navigation tree select the root the topmost item b Select the Settings tab in the...

Page 631: ...section select the appropriate option Do not allow client authentication Select this if you want to configure the directory for basic authentication or for SSL based communication without client auth...

Page 632: ...ing the entry in the directory What certificate attributes the server should use as search criteria when searching for the entry in the directory Whether the server needs to go through any additional...

Page 633: ...the entire LDAP tree for entries matching the filter If there isn t a DNComps entry in the mapping the server uses either the CmapLdapAttr setting if present or the entire subject DN in the Certifica...

Page 634: ...MyGroup O MyCompany C US MyCA dnComps OU O C MyCA filterComps E MyCA verifycert on This file has two mappings a default one and another for MyCA When the Directory Server gets a certificate from anyo...

Page 635: ...r SSL client authentication by the Certificate Manager is myCA and that the issuer name or DN of the CA is CN rootCA O siroe com the server should use the FilterComps attributes to locate the entry If...

Page 636: ...and supply the PIN or password that protects the key pair you generated for the Directory Server s certificate For security reasons the dialog box that prompts you for this PIN appears only on the se...

Page 637: ...default publishers are as follows LdapCaCertPublisher LdapCrlPublisher LdapUserCertPublisher The Certificate Manager also creates a set of publishing rules using the default mappers and publishers The...

Page 638: ...hing and then select Mappers The right pane shows the Mappers Management tab which lists configured mappers 4 In the Mapper list select a mapper that you want to modify For the purposes of completing...

Page 639: ...e Corporation the pattern should look like this cn Certificate Authority o subj o This rule applies to all mappers 7 To modify the remaining mappers repeat steps Step 4 through Step 6 8 Click Refresh...

Page 640: ...w appears showing how this publisher is currently configured 4 Make the necessary changes and click OK You are returned to the Publishers Management tab 5 To modify the remaining publishers repeat ste...

Page 641: ...t Publishing and then select Rules The right pane shows the Rules Management tab which lists configured publishing rules 2 In the Rule list select a publishing rule that you want to modify For the pur...

Page 642: ...ublishers and publishing rules for a CA certificate and for end entity certificates Creating of new mappers publishers and publishing rules for CRLs is covered in Step 4 Configure the Certificate Mana...

Page 643: ...fied in the certificate subject name and attribute variable assertion AVA constants LdapSubjAttrMap Select this if you want the server to locate the CA s entry by searching for an LDAP attribute whose...

Page 644: ...ick the Help button 6 Click OK The Mappers Management tab appears listing the new mapper Creating a Mapper for End Entity Certificates Creating a mapper for end entity certificates involves creating a...

Page 645: ...y the object class for the CA s entry in the directory Leave it as it is If the field is empty type certificationAuthority 6 Click OK The Publishers Management tab appears listing the new publisher Cr...

Page 646: ...r the appropriate information Rule ID Type a unique name for the rule use an alphanumeric string with no spaces enable Select this option predicate Type HTTP_PARAMS certType ca indicating that the rul...

Page 647: ...appears It lists registered modules that enable creating of publishing rules 3 Select the module named Rule This is the default module If you have registered any custom modules they too will be avail...

Page 648: ...e directory that is currently configured for publishing the CA and end entity certificates A configured Certificate Manager will publish the CRL to the CA s entry in the specified directory replacing...

Page 649: ...er for the CRL Step D Create a Publisher for the CRL Step E Create a Publishing Rule for the CRL Step A Specify CRL Details You can specify information such as the publishing interval the CRL version...

Page 650: ...s at regular intervals In this case the server publishes the CRL to the configured directory at the interval you specify In the adjoining text field type the interval in minutes at which the Certifica...

Page 651: ...type is RSA select MD2 with RSA MD5 with RSA or SHA 1 with RSA If the Certificate Manager s signing key type is DSA select SHA 1 with DSA 5 To save your changes click Save If the changes you made requ...

Page 652: ...modify a rule select it and then click Edit View 3 Change the information as appropriate Be sure to supply all the required values Click the Help button for detailed information on individual paramet...

Page 653: ...ting an instance of the publisher module that enables the Certificate Manager to publish the CRL to the correct attribute in the CA s directory entry In the next step described in Step E Create a Publ...

Page 654: ...e module named LdapCrlPublisher Only this publisher module enables the Certificate Manager to publish the CRL to the certificateRevocationList binary attribute of the CA s directory entry If you have...

Page 655: ...r and publisher created for publishing CRLs n To create a new publishing rule 1 In the navigation tree click Rules The right pane shows the Rules Management tab which lists any currently configured pu...

Page 656: ...Rules Management tab appears listing the new rule Step 5 Identify the Publishing Directory To identify the directory to which the Certificate Manager should publish the CA certificate end entity cert...

Page 657: ...onfigured the Directory Server for basic authentication or for SSL communication without client authentication select Basic authentication and specify values for the Directory manager DN and password...

Page 658: ...nt the Certificate Manager to publish to is based on Netscape Directory Server 1 x select version 2 For Directory Server versions 3 x and later select LDAP version 3 4 To save your changes click Save...

Page 659: ...nt you can use the appropriate form and request a certificate To request a client or personal certificate from the Certificate Manager 1 Open a web browser window 2 Go to the end entity interface of t...

Page 660: ...s Installing this certificate in a client 2 Follow the on screen instructions and download the certificate to your browser s certificate database An alternative way to download the certificate is from...

Page 661: ...host name is corpDirectory port number is 389 base DN is O siroe com and user s ID is jdoe the URL would look like this ldap corpDirectory 389 O siroe com sub uid jdoe In the resulting page look for...

Page 662: ...ishing directory 2 Locate the CA s entry 3 Check the certificateRevocationList binary attribute You should find the CRL published Manually Updating Certificates and CRLs in a Directory Normally you do...

Page 663: ...it the proper certificate to get access to this page 3 Select the Update Directory Server link The Update Directory Server page appears 4 Select the appropriate options 5 When you are done specifying...

Page 664: ...certificates by changing the value of the predicate parameter to HTTP_PARAMS certType ca Use the LdapCaCertPublisher publisher plug in module to add another rule with the predicate parameter set to HT...

Page 665: ...Up LDAP Publishing 665 When the directory is updated the Certificate Manager will display a status report If the process gets interrupted for some reason the server logs an error message Be sure to c...

Page 666: ...Manually Updating Certificates and CRLs in a Directory 666 Netscape Certificate Management System Installation and Setup Guide October 2001...

Page 667: ...ficates and CRLs to a file Note that configuring the Certificate Manager for publishing is optional you can turn this feature off without affecting any of the certificate issuance and management opera...

Page 668: ...es follow these steps Step 1 Before You Begin Step 2 Configure the Certificate Manager Step 3 Test Publishing Step 1 Before You Begin Before configuring a Certificate Manager to publish the CA certifi...

Page 669: ...RLs Step D Specify CRL Details Step E Set the CRL Extensions Step F Make Sure Publishing is Enabled Step A Create a Publisher for the File Creating a publisher for the file involves creating an instan...

Page 670: ...pears It lists registered publisher modules 5 Select the module named FileBasedPublisher Only this publisher module enables the Certificate Manager to publish certificates and CRLs to flat files 6 Cli...

Page 671: ...create another publisher for example PublishCrlsToFile with the value of the directory parameter set to the file path to the other directory for example C crls Step B Create Publishing Rules for Certi...

Page 672: ...certType ca enable Select this option mapper Select NONE publisher Select the publisher you created in the previous step Step A For example PublishCertsToFile 6 Click OK The Rules Management tab appea...

Page 673: ...ct the module named Rule This is the default module If you have registered any custom modules they too will be available for selection Table 20 1 Certificate types and predicate expressions End entity...

Page 674: ...or example PublishCertsToFile type Select crl predicate Leave this field blank enable Select this option mapper Select NONE publisher Select the publisher you created in the previous step Step A 6 Cli...

Page 675: ...this case every time a certificate is revoked Publishing a CRL can be time consuming if the CRL is large Configuring the Certificate Manager to publish CRLs every time a certificate is revoked may eng...

Page 676: ...Include expired certificates Check this box if you want the server to include revoked certificates that have expired in the CRL Allow extensions Check this box if you want to allow extensions in the C...

Page 677: ...e CRL extensions the Certificate Manager should set 1 In the navigation tree select Certificate Manager and then select CRL Extensions The right pane shows the CRL Extensions Management tab which list...

Page 678: ...to publish certificates and CRLs to an LDAP directory 3 If you changed anything click Save to save the changes If the changes you made require you to restart the server you are prompted accordingly In...

Page 679: ...he client generates the key pair Do not interrupt the key generation process Step B Approve the Request Skip this step if you requested the certificate using any of the automated enrollment methods in...

Page 680: ...ate it automatically attempts to publish the certificate to the configured repository in this case the file To check whether the Certificate Manager published the correct certificate you need to do th...

Page 681: ...ZSBDb21tdW5pY2F0aWhfyyuougjgjjgmkgjkgmjg fjfgjjjgfyjfyj9ucyBDb3Jwb3JhdGlvbjpMEaMBgGA1UECxMRSXNzdWluZyhgdfhbfdpffjphotoo gdhkBBdXRob3JpdHkwHhcNOTYxMTA4MDkwNzM0WhcNOTgxMTA4MDkwNzMM0WjBXMQswCQYDVQQGEwJ V...

Page 682: ...ing the certificate make sure that you ve configured the Certificate Manager to publish the CRL every time a certificate is revoked In Step D Specify CRL Details on page 674 if you didn t configure th...

Page 683: ...specifies the value derived from the time dependent variable named This Update of the CRL contained in the file If you don t see the file check your configuration 2 Convert the DER encoded CRL to its...

Page 684: ...Tools Guide To convert the base 64 encoded CRL to a human readable form a Check the command window to make sure that your are at this directory server_root bin cert tools b At the prompt enter this P...

Page 685: ...example you can add a mapper implementation named as follows to the Certificate Manager s policy framework com netscape publishing customMapper Before registering a plug in module be sure to put the...

Page 686: ...6 Specify information as appropriate Plugin name Type a name for the plug in module Class name Type the full name of the class for this module that is the path to the implementing Java class If this...

Page 687: ...g framework 1 Log in to the CMS window see Logging In to the CMS Window on page 343 2 Select the Configuration tab 3 In the navigation tree select Certificate Manager and then select Publishing To del...

Page 688: ...Managing Mapper and Publisher Plug in Modules 688 Netscape Certificate Management System Installation and Setup Guide October 2001...

Page 689: ...CSP service built into the Certificate Manager for real time verification of certificates issued by the Certificate Manager The chapter also explains how to configure one or more Certificate Managers...

Page 690: ...applications which when trying to validate a certificate query the appropriate OCSP responder using the OCSP protocol for the status of the certificate The applications determine the location of the...

Page 691: ...following The CA that issued the certificate and whose status is being verified by the responder A responder whose public key which corresponds to the private key it uses to sign responses is trusted...

Page 692: ...d by the client Based on the status the client decides whether to validate the certificate How to Get an OCSP Responder To aid you in the process of setting up a OCSP compliant PKI setup Certificate M...

Page 693: ...to publish their CRLs to the Online Certificate Status Manager The Online Certificate Status Manager stores each Certificate Manager s CRL in its internal database and uses the appropriate CRL to ver...

Page 694: ...ant to set up an OCSP compliant PKI setup For this purpose you can use clients such as Netscape 6 or Netscape Communicator with Netscape Personal Security Manager Personal Security Manager is an OCSP...

Page 695: ...his If you are unfamiliar with Online Certificate Status Protocol OCSP read the PKIX draft RFC 2560 available at this web site http www ietf org rfc rfc2560 txt Read section What s an OCSP Compliant P...

Page 696: ...ains how to install the product and lists known issues and restrictions You must read this first for installation instructions Make sure you also have the cmcjavascriptapi html file handy It describes...

Page 697: ...formation Access extension in certificates a Select the Advanced tab b On the left side select Options and then click the OCSP Settings button c In the OCSP Settings window select the Use OCSP to veri...

Page 698: ...he CMS Window on page 343 2 Select the Configuration tab The Network tab appears 3 In the End Entity section select the Enable option and in the adjoining field type a TCP IP port number that is uniqu...

Page 699: ...need to follow the instructions below and enable the service To enable a Certificate Manager s OCSP service 1 In the navigation tree select Certificate Manager The General Setting tab appears 2 In the...

Page 700: ...to add the required extensions to these certificates During the installation of a Certificate Manager if you chose to enable its OCSP service a default policy rule named AuthInfoAccessExt is created...

Page 701: ...anager to add the extensions required in an OCSP compliant client certificate 1 In the navigation tree select Certificate Manager and then select Policies The Policy Rules Management tab appears It li...

Page 702: ...ample if the hostname of your Certificate Manager is demoCA siroe com and the end entity port number is 8000 the URL to type in the field would be http demoCA siroe com 8000 ocsp If you need details a...

Page 703: ...the Browser Step F Verify the Certificate in the Browser Step G Check the Status of Certificate Manager s OCSP Service Step H Revoke the Certificate Step I Verify the Certificate in the Browser Step...

Page 704: ...tificate Manager you configured or to the Registration Manager that s connected to this Certificate Manager The URL is in this form https hostname end_entity_HTTPS_port or http hostname end_entity_HTT...

Page 705: ...tificate details for the required extensions 3 Follow the on screen instructions and download the certificate to your browser s certificate database An alternative way to download the certificate is t...

Page 706: ...a message that says that the certificate is verified generally it s at the top Step G Check the Status of Certificate Manager s OCSP Service The Certificate Manager s Agent interface contains a form...

Page 707: ...OK The Certificate Manager revokes the certificate and updates the certificate status in its internal database Step I Verify the Certificate in the Browser To verify that the certificate has been revo...

Page 708: ...responder waits for queries about revocation status of certificates This section explains how to set up a Certificate Manager functioning as a root CA to publish CRLs to a remote Online Certificate St...

Page 709: ...cies Step 6 Configure the Online Certificate Status Manager Step 7 Restart the Certificate Manager Step 8 Restart the Online Certificate Status Manager Step 9 Verify Certificate Manager and Online Cer...

Page 710: ...whether you want the Certificate Manager to publish version 1 or version 2 CRLs to the directory If you decide to publish version 2 CRLs read Chapter 4 Certificate Extension Plug in Modules of CMS Pl...

Page 711: ...tificates in the CA certificate chain you can download the CA chain from the Retrieval tab of a Certificate Manager s end entity interface The steps below explain how to store the Certificate Manager...

Page 712: ...d in the left frame click Import CA Certificate Chain d In the resulting form select the Display certificates in the CA certificate chain for importing individually into a server option A list of cert...

Page 713: ...g that the Certificate Manager can communicate with the Online Certificate Status Manager Step 4 Configure the Certificate Manager to Publish CRLs In this step you configure the Certificate Manager to...

Page 714: ...te Frequency section select the Every time a certificate is revoked or taken off hold option This option enables the Certificate Manager to generate the CRL every time it revokes a certificate Keep in...

Page 715: ...CRL extensions as described in Step B Set the CRL Extensions on page 715 Revocation list signing algorithm Select the algorithm the server should use to sign the CRL If the Certificate Manager s signi...

Page 716: ...e Be sure to supply all the required values Click the Help button for detailed information on individual parameters 4 Click OK You are returned to the CRL Extensions Management tab 5 To modify other r...

Page 717: ...publisher instances 2 Click Add The Select Publisher Plugin Implementation window appears It lists registered publisher modules 3 Select the module named OCSPPublisher Only this publisher module enabl...

Page 718: ...ld shows the default path ocsp addCRL If necessary type it in 6 Click OK The Publishers Management tab appears listing the new publisher Step D Create a Publishing Rule for the CRL Creating a publishi...

Page 719: ...be sure to use an alphanumeric string with no spaces For example PublishCa1CrlToOcspResponder type Select crl predicate Leave this field blank enable Select this option mapper Select NONE publisher Se...

Page 720: ...DAP compliant directory to files or to an online validation authority 2 Make sure that the Enable Publishing option is selected If it is already selected leave it as it is If it isn t select it Leave...

Page 721: ...ificate it issues only if the corresponding policy is enabled and configured properly Hence before issuing the OCSP compliant client certificate you must verify that the Certificate Manager is configu...

Page 722: ...TP_PARAMS certType client critical Leave this option unchecked numADs Type 1 ad0_method Type ocsp or 1 3 6 1 5 5 7 48 1 ad0_location_type Select URL ad0_location Type the complete path to the location...

Page 723: ...default CRL store for verifying the revocation status of certificates You can also configure the Online Certificate Status Manager to use the CRL published to an LDAP directory instead of the CRL in...

Page 724: ...atabase 4 Select the appropriate option If you want to configure the Online Certificate Status Manager to use the CRLs in its internal database select defStore and click Edit View If you want to confi...

Page 725: ...e response will be UNKNOWN which when encountered by Netscape Personal Security Manager an OCSP compliant client results in an error message includeNextUpdate The Online Certificate Status Manager can...

Page 726: ...lds host n Type the fully qualified hostname of the LDAP directory The name must be in the machine_name your_domain domain form For example corpDir1 siroe com port n Type the nonSSL port of the LDAP d...

Page 727: ...ding to the OCSP protocol it is optional to include the time stamp of next CRL update in an OCSP response Select this option if you want the OCSP response to contain information about the next CRL upd...

Page 728: ...and Online Certificate Status Manager Connection When you restart the Certificate Manager it tries to connect to the Online Certificate Status Manager s agent port you specified this in Step C Create...

Page 729: ...the Browser Step F Verify the Certificate in the Browser Step G Check the Status of Online Certificate Status Manager Step H Revoke the Certificate Step I Verify the Certificate in the Browser Step J...

Page 730: ...he Registration Manager that s connected to this Certificate Manager The URL is in this form https hostname end_entity_HTTPS_port or http hostname end_entity_HTTP_port 2 In the left frame under Browse...

Page 731: ...details for the required extensions 3 Follow the on screen instructions and download the certificate to your browser s certificate database An alternative way to download the certificate is to go to...

Page 732: ...t says that the certificate is verified generally it s at the top Step G Check the Status of Online Certificate Status Manager To go to the Online Certificate Status Manager s status page and verify t...

Page 733: ...to revoke 5 Select the certificate you downloaded and click OK The Certificate Manager revokes the certificate constructs the CRL and publishes the CRL to the Online Certificate Status Manager Step I...

Page 734: ...not be verified To check the Online Certificate Status Manager status for verification 1 Go to the Online Certificate Status Manager s status page 2 Reload the page hold down the Shift key and click o...

Page 735: ...he organization that owns the data This chapter explains how to use the Data Recovery Manager to archive users encryption private keys and how to use the archived keys later in place of missing encryp...

Page 736: ...u cannot archive and recover a private key deriving from a single key pair By contrast clients that can generate dual key pairs use one private key for encrypting data and the other for signing data B...

Page 737: ...matically requests the service of the Data Recovery Manager For information on customizing this form see Step C Customize the Certificate Enrollment Form on page 753 Initiating the key recovery proces...

Page 738: ...se each key is stored as a key record The archived copy of the key remains encrypted or wrapped with the Data Recovery Manager s storage key see Storage Key Pair on page 447 It can be decrypted or unw...

Page 739: ...ager receives an encrypted copy of the user s private key and stores the key in its key repository To archive the key the Data Recovery Manager uses two special key pairs A transport key pair and corr...

Page 740: ...the Registration Manager the Data Recovery Manager decrypts it with the private key that corresponds to the public key in its transport certificate After confirming that the private encryption key co...

Page 741: ...You facilitate this by allowing each recovery agent to enter a password in the Data Recovery Manager configuration They must be available to retrieve your users encryption private keys if the need ar...

Page 742: ...ry agents m provide their identifiers and passwords After verifying the passwords the Data Recovery Manager reconstructs the PIN for the token based on the given information Interface for the Key Reco...

Page 743: ...ta Recovery Manager retrieves the requested key and returns it along with the corresponding certificate in the form of a PKCS 12 package By default key recovery authorization is local Remote Key Recov...

Page 744: ...n switch to remote authorization by deselecting the local authorization option in the Key Recovery form How Agent Initiated Key Recovery Works In an agent initiated key recovery the key is recovered b...

Page 745: ...ecovery Manager agent accesses the Key Recovery form using the appropriate client certificate types the identification information pertaining to the person whose encryption private key needs to be rec...

Page 746: ...sword for the PKCS 12 package and their individual identifiers and passwords The Data Recovery Manager agent submits the page to the Data Recovery Manager 5 The Data Recovery Manager matches the key r...

Page 747: ...al storage key password Each password retrieves only a part of the private storage key You first specified the key recovery agent scheme when you installed the Data Recovery Manager Changing the Key R...

Page 748: ...n and Setup Guide October 2001 3 In the navigation tree select the Data Recovery Manager and in the right pane click the Scheme Management tab The Scheme Management tab shows the current key recovery...

Page 749: ...nformation click Finish You are returned to the Scheme Management tab Changing Key Recovery Agents Passwords As administrator you have the responsibility of safeguarding the security of each Data Reco...

Page 750: ...ppears 5 Allow the agent to enter the appropriate information During installation the Data Recovery Manager prompts you to enter key recovery agent passwords by default they are set to agent n where n...

Page 751: ...and Recovery Process By default the Data Recovery Manager is not configured to archive or recover end users encryption private keys This section explains how to set up key archival and recovery proces...

Page 752: ...lment form served by an enrollment authority which can be either a Certificate Manager or a Registration Manager When the enrollment authority detects the key archival option in the request it initiat...

Page 753: ...fail to archive users keys All the end user enrollment forms provided by Certificate Management System for example the directory based enrollment form DirUserEnroll html directory and PIN based enroll...

Page 754: ...tificate in its base 64 encoded format The transport certificate is stored in the Data Recovery Manager s certificate database If the transport certificate is signed by a Certificate Manager then a co...

Page 755: ...y the base 64 encoded certificate excluding the marker lines BEGIN CERTIFICATE and END CERTIFICATE to a text file An example is shown below MIICDjCCAXegAwIBAgICAfMwDQYJKoZIhvcNAQEEBQAwdzELMAkGA1UEBhMC...

Page 756: ...TIFICATE to a text file The copied information should look like the example below MIICDjCCAXegAwIBAgICAfMwDQYJKoZIhvcNAQEEBQAwdzELMAkGA1UEBhMCVVMxLDAqBgNVBAoTI0 5ldHNjYXBlIENvbW11bmljYXRpb25zIENvcnBvc...

Page 757: ...dHNjYXBlMQwwCgYDVQQDEwNLUmEwXDANBgkqhkiG9w0BAQEFAANLADB IAkEArrbDiYUI5SCdlCKKa0bEBn1m83kX6bdhytRYNkdHB95Bp85SR g Pass the kraTransportCert variable to the JavaScript method Replace null the fourth lin...

Page 758: ...initiated key recovery process in which end users encryption private keys are recovered by designated key recovery agents This section explains how to set up the key recovery process To set up agent...

Page 759: ...of an end user s encryption private key locally or remotely The default configuration is local authorization It is important that you evaluate both the authorization modes and choose the one that is...

Page 760: ...est Your Key Archival Setup To test whether you can successfully archive a key follow these instructions 1 Enroll for dual certificates To do this a Open a web browser window b Go to the end entity in...

Page 761: ...ests link again b In the form that appears select the Show completed requests option and click Find You should see two new certificates with consecutive serial numbers c Download the certificates to t...

Page 762: ...signed and encrypted There should be a security icon at the top right corner of the message window and it should indicate that the message is signed and encrypted Step C Delete the Certificate To do...

Page 763: ...ted Key Recovery Works on page 744 The base 64 encoded certificate that corresponds to the private key you want to recover use the enrollment authority s end entity or agent interface to get this info...

Page 764: ...ss 764 Netscape Certificate Management System Installation and Setup Guide October 2001 3 Open the test email that you couldn t verify after deleting the certificate from the browser s certificate dat...

Page 765: ...ts The chapter has the following sections Introduction to Logs page 765 Configuring CMS Logs page 773 Monitoring CMS Logs page 779 Archiving of Rotated Log Files page 789 Managing Log Modules page 792...

Page 766: ...messages to these files For example if you installed a Certificate Manager and a Data Recovery Manager together you will find log messages for both the subsystems in the same log file Table 23 1 Type...

Page 767: ...vents related to this server s administration activities that is HTTPS communication between the CMS window and Certificate Management System All Specifies logged events related to all the services Au...

Page 768: ...it means less detail because only events of high priority are logged A lower priority level a smaller digit means greater detail because more kinds of events are recorded in the log file Request Queue...

Page 769: ...server cannot send back the request it processed for a client through the same channel the request came from the client 4 Misconfiguration These messages indicate that a misconfiguration in the serve...

Page 770: ...mes the current log file and then creates a new log file with the original name The rotated log file is saved with the original file type and an appended timestamp The name of a rotated log file is in...

Page 771: ...out messages as they are generated to the log files Because the server performs an I O operation writing to the log file each time a message is generated configuring the server for unbuffered logging...

Page 772: ...cally Because the rotated log files are also saved in your local file system these files eventually take up a considerable amount of disk space You can avoid this problem by doing one of the following...

Page 773: ...e 765 Read Chapter 8 Log Plug in Modules of CMS Plug ins Guide Step 2 Modify the Existing Listeners When you create a CMS instance a set of log event listeners that you would most likely want to use a...

Page 774: ...exactly like the listener you want to rename except with a new name and delete the old listener As a part of editing a listener you can change its status from enabled to disabled or vice versa by chec...

Page 775: ...Listener Editor window appears showing how this listener is configured An example is shown below 5 Make the necessary changes and click OK You are returned to the Log Event Listener Management tab 6 R...

Page 776: ...gistered log plug in module assigning a unique name for the instance and entering appropriate values for the parameters that define the module you want to create an instance of When you add a listener...

Page 777: ...te Manager To add a new listener to the CMS configuration 1 In the Log Event Listener Management tab click Add The Select Log Event Listener Plugin Implementation window appears It lists registered lo...

Page 778: ...see Logs Maintained by the Server on page 766 enabled Select this box level From the drop down list select a log level The choices are Debug Information Warning Failure Misconfiguration Catastrophe a...

Page 779: ...n you have problems with Certificate Management System that require troubleshooting you may find it helpful to check the error or informational messages that the server has logged Also by examining th...

Page 780: ...ntered such as authentication failures malformed universal resource indicators URIs invalid database password indications and server start up and shut down messages Messages related to the status of c...

Page 781: ...has located that match the search request If you enter zero 0 no messages are returned If you leave the field blank the server returns every matching entry no limit regardless of the number found Sou...

Page 782: ...try you see the following details Source Indicates the CMS component or resource that logged the message Level Indicates the severity of the corresponding entry explained Table 23 3 on page 768 Date I...

Page 783: ...ted that match the search request If you enter zero 0 no messages are returned If you leave the field blank the server returns every matching entry no limit to the client regardless of the number foun...

Page 784: ...in Table 23 3 on page 768 Date Indicates the date on which the entry was logged Time Indicates the time at which the entry was logged Details Provides a brief description of the log 6 To view an entry...

Page 785: ...ction specify your viewing preferences Entries Type the maximum number of entries to be displayed When this limit is reached Certificate Management System returns any entries it has located that match...

Page 786: ...logical order with the most current log placed at the top Use the scroll arrows on the right edge of the panel to scroll through the log entries For each entry you see the following details Source Ind...

Page 787: ...r events related to your server For more information about the Event Viewer check your system documentation To monitor Certificate Management System by using Event Viewer 1 In the Administrative Tools...

Page 788: ...3 6 Error message indicating event log is full If you see this dialog box you must clean up the application log immediately Here s what you should do 1 From the Start menu on your desktop select Progr...

Page 789: ...ption 5 Click OK 6 Close the Event Viewer window Archiving of Rotated Log Files Log files especially the audit log file contain critical information So it is good practice to periodically archive rota...

Page 790: ...n signing the log files follow these guidelines Determine the key pair you want to use for signing the log directory Typically you should use the Certificate Manager s the CA s signing key pair Also f...

Page 791: ...e databases for the CA This must be the same path you used to copy the security module database in step 2 cert_nickname specifies the nickname of the certificate you want the utility to use for signin...

Page 792: ...dule be sure to put the Java class for the module in the classes directory the implementation must be on the class path To register a log plug in module with a CMS instance 1 Log in to the CMS window...

Page 793: ...a module be sure to delete all the listeners that are based on this module see Step 3 Delete Unwanted Listeners on page 775 To delete a module 1 Log in to the CMS window see Logging In to the CMS Wind...

Page 794: ...Managing Log Modules 794 Netscape Certificate Management System Installation and Setup Guide October 2001...

Page 795: ...795 Part 4 Issuing and Managing Certificates Chapter 24 Issuing and Managing Server Certificates Chapter 25 Setting Up CEP Enrollment...

Page 796: ...796 Netscape Certificate Management System Installation and Setup Guide October 2001...

Page 797: ...must receive the certificate signing request CSR from the server that needs the certificate This request must be initiated by the administrator of the specific server requiring the certificate SSL en...

Page 798: ...ry for the appropriate information On the other hand if the enrollment form specifies manual authentication the request gets queued and awaits approval by an agent 2 Subjects the request to policy che...

Page 799: ...er enrollment 2 The Registration Manager verifies the authenticity of the request Because the request requires manual authentication the Registration Manager stores the request in the queue for agent...

Page 800: ...s specified in the enrollment form Optionally the Registration Manager may publish the certificate to the corporate directory Getting Server SSL Certificates for Netscape Servers To enable a server to...

Page 801: ...r see the documentation for your server 4 Once you have generated a key pair follow the directions presented to generate a certificate signing request CSR 5 In the Certificate Authority field enter yo...

Page 802: ...NEW CERTIFICATE REQUEST marker lines In the contact information section enter values to identify yourself These values will be used by the CA if the need arises For example if there are any questions...

Page 803: ...ends with END CERTIFICATE and paste it into the text area in the form The encryption alias Enter the alias for your server 4 Follow the prompts and add the certificate to your server s certificate dat...

Page 804: ...dW5pY2F0aW9ucyBDb3Jwb3JhdGlvbjEaMBgGA1UE CxMRSXNzdWluZyBBdXRob3JpdHkwHhcNOTYxMTA4MDkwNzM0WhcNOTgxMTA4MDkwNzM0WjBXMQswCQYDVQ QGEwJVUzEsMCoGA1UEChMjTmV0c2NhcGUgQ29tbXVuaWNhdGlvbnMgQ29ycG9yYXRpb24xGjAYBg...

Page 805: ...For Netscape version 4 x servers you can use the Certificate Setup Wizard provided by Netscape Console to get new certificates renew existing certificates and install certificates in the database of a...

Page 806: ...Manager agent To submit the server certificate request to Certificate Management System manually 1 Open a web browser window 2 Go to the End Entity Services interface of the Certificate Manager or a...

Page 807: ...rocess is similar to the enrollment process in that the administrators must manually generate the certificate signing request using the server s key pair paste that request in the manual enrollment fo...

Page 808: ...n revoke certificates based on a range of serial numbers or based on one or more subject name components Upon submission of the revocation request the agent receives a list of certificates from which...

Page 809: ...outers support the use of certificates for authentication encryption and tamper detection by using the IP Security IPSec protocol Certificate Management System supports Cisco s PKI protocol the Certif...

Page 810: ...irectory Server which is an LDAP compliant directory When you install Certificate Management System two instances of Netscape Directory Server are automatically created in the same server group in whi...

Page 811: ...ue 5 Follow the on screen instructions to set up CEP enrollment Setting up CEP Enrollment Manually The information covered in this section explains how to set up CEP enrollment manually Note that the...

Page 812: ...icate Manager publishes end entity certificates and CRLs For the configuration directory to support publishing of certificates and CRLs you need to verify two things The Directory Server schema verify...

Page 813: ...Once you create these instances you should create a publishing rule for publishing router certificates For instructions see Step B Add Mappers Publishers and Publishing Rules on page 642 Note that th...

Page 814: ...to the DN the router requests You must have a constant component in the DN which exists in the certificate to be able to publish createEntry Specifies whether to create an entry in the directory befo...

Page 815: ...st have already created three 3 directory entries for C US O Company C US OU Accounting O Company C US You can do this with the help of the ldapmodify command and an LDIF file with the following infor...

Page 816: ...figure the Certificate Manager to use either the challenge password or the subject name all or a part of it as an authentication token during a CEP enrollment thus enabling users to get router certifi...

Page 817: ...stance authentication plug in described in the auths instance configuration parameters If you want to turn off automated enrollment for CEP based requests delete this parameter from the configuration...

Page 818: ...uld set the keyAttributes parameter as follows auths instance flatfile keyAttributes UNSTRUCTUREDNAME UNSTRUCTURED ADDRESS This will force the server to use both these attributes to locate an entry in...

Page 819: ...n named pwd for the challenge password In this case you would set the authAttributes parameter as follows auths instance flatfile authAttributes pwd In summary to implement the automated CEP enrollmen...

Page 820: ...fy the full path to your authentication file and save your changes 4 Restart the Certificate Manager After changing the configuration file you must restart the server for the changes to take effect If...

Page 821: ...tance flatfile_VPN fileName full_path_to_the_authentication_file auths instance flatfile_VPN authAttributes pwd auths instance flatfile_VPN keyAttributes CN OU O auths instance flatfile_VPN pluginName...

Page 822: ...S window and verify whether the HTTP port is enabled If it isn t enable it for instructions see Configuring Port Numbers on page 374 If you are requesting the certificate for an earlier version of rou...

Page 823: ...gorithm and the key length for the certificate you want to request Find out the password that enables you to access the router in privileged mode In your router documentation locate instructions for r...

Page 824: ...nrollment URL you identified in Step 1 2 The router gets the CA certificate and displays its fingerprint on your screen 3 Verify the fingerprint on your screen with the one you noted down in Step 1 If...

Page 825: ...rollment or authentication the request gets queued and awaits approval by an agent Example The example below shows the commands and associated outputs for a Cisco router To perform certificate enrollm...

Page 826: ...e of it Password Re enter password The subject name in the certificate will be router domain com Include the router serial number in the subject name yes no yes The serial number in the certificate wi...

Page 827: ...827 Part 5 Appendix Appendix A Certificate Download Specification...

Page 828: ...828 Netscape Certificate Management System Installation and Setup Guide October 2001...

Page 829: ...ins page 831 Importing Certificates into Netscape Communicator page 831 Importing Certificates into Netscape Servers page 832 Object Identifiers page 832 Data Formats Netscape products can accept cert...

Page 830: ...ains It consists of a PKCS 7 ContentInfo structure wrapping a sequence of certificates The value of the contentType field should be netscape cert sequence see Object Identifiers on page 832 while the...

Page 831: ...n as long as there is a trusted CA somewhere along the chain Importing Certificates into Netscape Communicator Communicator imports certificates via HTTP There are several MIME content types that are...

Page 832: ...via the server administration interface Certificates are pasted into a text input field in an HTML form and then the form is submitted to the administration server Since the certificates are pasted i...

Page 833: ...Object Identifiers Appendix A Certificate Download Specification 833 netscape data type OBJECT IDENTIFIER netscape 2 netscape cert sequence OBJECT IDENTIFIER netscape data type 5...

Page 834: ...Object Identifiers 834 Netscape Certificate Management System Installation and Setup Guide October 2001...

Page 835: ...y ACE administrator The person who installs and configures one or more CMS managers and sets up privileged users or agents for them See also agent agent A user who belongs to a group authorized to man...

Page 836: ...f configuring a CMS manager that allows automatic authentication for the purposes of end entity enrollment without human intervention With this form of authentication a certificate request that comple...

Page 837: ...series of certificates signed by successive certificate authorities A CA certificate identifies a certificate authority CA and is used to sign certificates issued by that authority A CA certificate ca...

Page 838: ...subsumed by another proposed standard Certificate Management Messages over Cryptographic Message Syntax CMC For detailed information see http www ietf org internet drafts draft ietf pkix cmmf 02 txt C...

Page 839: ...CMS instance An instance of a CMS subsystem comprising both code and data and treated as a discrete entity CMS subsystem One of the three CMS Managers Certificate Manager Registration Manager or Data...

Page 840: ...gistration Manager can be configured to archive end entities encryption keys with a Data Recovery Manager before issuing new certificates The Data Recovery Manager is useful only if end entities are e...

Page 841: ...div897 pubs fip46 2 htm digital ID See certificate digital signature To create a digital signature the signing software first creates a one way hash from the data to be signed such as a newly issued c...

Page 842: ...ificate for use in a public key infrastructure PKI Also known as registration end entity In a public key infrastructure PKI a person router server or other entity that uses a certificate to identify i...

Page 843: ...programming interface that provides binary compatibility across different implementations of the Java Virtual Machine JVM on a given platform allowing existing code written in a language such as C or...

Page 844: ...rvlet forwards a certificate request to a request queue after successful authentication module processing An agent with appropriate privileges must then approve each request individually before policy...

Page 845: ...hash A number of fixed length generated from data of arbitrary length with the aid of a hashing algorithm The number also called a message digest has two characteristics 1 It is unique to the hashed d...

Page 846: ...f archival The signed proof of archival data is the response returned by the Data Recovery Manager to the Registration Manager or Certificate Manager after a successful key archival operation See also...

Page 847: ...certificate at the top of a certificate chain See also CA certificate subordinate CA RSA algorithm Short for Rivest Shamir Adleman a public key algorithm for both encryption and authentication It was...

Page 848: ...plus an encryption key and its equivalent public key constitute a dual key pair single sign on 1 In Certificate Management System a password that simplifies the way you sign on to Netscape Certificat...

Page 849: ...decrypt a given message tamper detection A mechanism ensuring that data received in electronic form has not been tampered with that is that the data received entirely corresponds with the original ve...

Page 850: ...850 Netscape Certificate Management System Installation and Setup Guide October 2001...

Page 851: ...nship to Netscape Console 334 relationship to server root 334 starting 335 from Netscape Console 335 from the command line 335 from the Windows NT Services panel 335 stopping 336 from Netscape Console...

Page 852: ...ned 509 during certificate enrollment 515 during certificate renewal 515 during certificate revocation 517 for administrators 510 for agents 512 managing from CMS window 532 authentication instances a...

Page 853: ...422 Data Recovery Manager and 168 173 Data Recovery Manager and Registration Manager and 170 173 demo and 108 enabling interaction with end entities 539 enabling OCSP service 699 features of 45 insta...

Page 854: ...oning 37 cloning a CA 286 CMC 78 CMMF 77 CMS administrator defined 54 CMS agent defined 54 CMS certificates renewal 436 CMS data where it s stored 379 CMS feature list 34 CMS instance changing the nam...

Page 855: ...gning certificate 439 611 nickname 439 481 CRLs Certificate Manager support for 46 defined 611 issuing or distribution points 615 publishing of 39 611 publishing to files 667 publishing to LDAP direct...

Page 856: ...A renewalCA renewal 176 177 distinguished name 173 extensions 175 176 root versus subordinate 174 signing certificate 174 signing key 174 certificate decisions Certificate Manager 180 Data Recovery Ma...

Page 857: ...rver certificate 213 214 tool for joining 465 tools for generating 465 transport certificate 205 external tokens defined installing 451 viewing contents of 502 F filenames for active log files 770 for...

Page 858: ...rksheet for 188 191 Installation Wizard initial configuration steps 194 197 procedures for using 225 running for demo 122 135 installing certificates 829 833 installing external hardware tokens 451 in...

Page 859: ...ternal CMS database demo and 109 publishing decisions 178 179 testing authentication with 145 160 LDAP publishing advantages 606 defined 605 manual updates 662 when to do 663 who can do this 662 See C...

Page 860: ...ries 63 master CA 172 message templates for notifications 554 modifying authentication instances 545 jobs 566 log event listeners 774 mappers 637 policy rules 590 privileged user s group membership 43...

Page 861: ...ace for agents 71 introduced 44 49 key pairs and certificates list of 449 protecting 436 remote admin server certificate 450 signing certificate 449 SSL server certificate 449 logging to Windows NT ev...

Page 862: ...ministration 372 for the mail server used for notifications 563 575 how to choose numbers 372 predicates attributes for 584 expression support 582 operators for 582 sample expressions 582 584 what are...

Page 863: ...certificate 448 450 Remote administration server certificate 443 nickname 443 removing unwanted CMS instances 306 renewal of certificates See certificate renewal renewal of CMS certificates 436 renew...

Page 864: ...12 when required 312 when specified 313 why change periodically 313 SMTP settings 563 574 575 software requirements for CMS installation 106 Solaris requirements for installation 107 Solaris requireme...

Page 865: ...ntents of 502 viewing which tokens are installed 454 what are they 450 topology decisions for deployment 164 173 transport certificate 447 changing trust settings of 505 deleting 504 getting a new one...

Page 866: ...25 when the server was installed 304 why should you revoke certificates 612 Windows NT event log logging audit and system messages 787 Windows NT requirements for installation 107 wireless CA certific...

Reviews:

No comments

Brands by name

Popular brands

Load more brands