background image

376

Netscape Certificate Management System Plug-Ins Guide • March 2002

UniqueSubjectNameConstraints 117
ValidityConstraints 120

for publishing 268

FileBasedPublisher 270
LdapCaCertPublisher 271
LdapCaSimpleMap 250
LdapCrlPublisher 275
LdapDNCompsMap 254
LdapDNExactMap 260
LdapSimpleMap 261
LdapSubjAttrMap 263
LdapUserCertPublisher 273
list of 249, 269
OCSPPublisher 277

for scheduling jobs

list of 64
RenewalNotificationJob 65
RequestInQJob 69
UnpublishExpiredJob 72

policy

built-in plug-in modules 83, 127, 325
constraints-specific modules 84
extension-specific modules 328
how to write custom plug-ins 131

Policy Constraints extension policy 217, 221
Policy Mappings extension policy 224
policyConstraints 352
policyMappings 353
portal enrollment 42

configurable parameters 45
plug-in module name 45

PQG parameters 58
Private Key Usage Period extension policy 228
privateKeyUsagePeriod 353
publisher modules

introduction 268
list of 269

publishers

created during installation 271, 273, 275

publishers that can publish to

CA’s entry in the directory 271, 275
files 270
OCSP responder 277
users’ entries in the directory 273

publishing

how to write custom plug-ins 269

publishing certificates and CRLs to directory entries

268

R

reasonCode 366
registering

custom OIDs 325

Registration Manager

enrollment forms for 57
logging to Windows NT event log 304

Remove Basic Constraints extension policy 230
Renewal Constraints policy 99
Renewal Validity Constraints policy 102
Revocation Constraints policy 106
root DN 311
RSA Key Constraints policy 108

S

server enrollment forms 56
setting CRL extensions 280
Signing Algorithm Constraints policy 111
Subject Alternative Name extension policy 232
subject attribute mapper 263
Subject Directory Attributes extension policy 238
Subject Key Identifier extension policy 242
subjectAltName 354
subjectDirectoryAttributes 356
subjectKeyIdentifier 356
subordinate CA

enrollment forms for 57

Subordinate CA Name Constraints policy 114
support for DN characters in CMS 312
System log

configuring 299
logging to Windows NT event log 304

Содержание Certificate Management System 6.0

Страница 1: ...Plug Ins Guide Netscape Certificate Management System Version6 0 March 2002...

Страница 2: ...DOCUMENTATION INCLUDING WITHOUT LIMITATION ANY LOSS OR INTERRUPTION OF BUSINESS PROFITS USE OR DATA The Software and documentation are copyright 2001 Sun Microsystems Inc Portions copyright 1999 2002...

Страница 3: ...Module 28 Configuration Parameters of UidPwdPinDirAuth 29 NISAuth Plug in Module 35 Configuration Parameters of NISAuth 37 PortalEnroll Plug in Module 42 Configuration Parameters of PortalAuth 45 Cert...

Страница 4: ...Constraints 92 DSAKeyRule Rule 94 IssuerConstraints Plug in Module 94 Configuration Parameters of IssuerConstraints 95 IssuerRule Rule 96 KeyAlgorithmConstraints Plug in Module 97 Configuration Parame...

Страница 5: ...lug in Module 148 Configuration Parameters of CertificatePoliciesExt 149 CertificatePoliciesExt Rule 152 CertificateRenewalWindowExt Plug in Module 153 Configuration Parameters of CertificateRenewalWi...

Страница 6: ...xt 225 PolicyMappingsExt Rule 228 PrivateKeyUsagePeriodExt Plug in Module 228 Configuration Parameters of PrivateKeyUsagePeriodExt 229 RemoveBasicConstraintsExt Plug in Module 230 Configuration Parame...

Страница 7: ...sher Publisher 275 LdapCrlPublisher Plug in Module 275 Configuration Parameters of LdapCrlPublisher 276 LdapCrlPublisher Publisher 277 OCSPPublisher Plug in Module 277 Configuration Parameters of OCSP...

Страница 8: ...icates 320 Selecting DNs for Certificates 321 DN Patterns and Certificate Subject Names 321 Appendix B Object Identifiers 325 What s an Object Identifier 325 Registration of Object Identifiers 325 App...

Страница 9: ...ions 360 Extensions for CRLs 360 authorityKeyIdentifier 361 CRLNumber 361 deltaCRLIndicator 362 issuerAltName 363 issuingDistributionPoint 363 CRL Entry Extensions 364 certificateIssuer 364 holdInstru...

Страница 10: ...10 Netscape Certificate Management System Plug Ins Guide March 2002...

Страница 11: ...Where to Go for Related Information page 15 What s in This Guide This guide covers topics that are listed below You should use this guide in conjunction with the other CMS documentation such as the on...

Страница 12: ...hapter 6 Publisher Plug in Modules Describes the plug in modules that enable you to configure a Certificate Manager to publish certificates to the correct attribute of the located directory entries Ch...

Страница 13: ...e of digital certificates in a secure enterprise These include the following topics Encryption and decryption Public keys private keys and symmetric keys Significance of key lengths Digital signatures...

Страница 14: ...in the glossary which can be found in CMS Installation and Setup Guide Example Rotation frequency From the drop down list select the interval at which the server should rotate the active error log fi...

Страница 15: ...agement System specified during installation The documentation set for Certificate Management System includes the following Managing Servers with Netscape Console Provides background information on ba...

Страница 16: ...n this file server_root manual en cert custom_guide contents htm CMS Agent s Guide Provides detailed reference information on CMS agent interfaces To access this information from the Agent Services pa...

Страница 17: ...er explains the authentication modules that are installed with the Certificate Manager and Registration Manager it lists and briefly describes the modules and then explains each one in detail The chap...

Страница 18: ...ificate issuance repositories such as directories supply part of the end entity information End entities only supply certain information for example a user ID and password contained in the repository...

Страница 19: ...an LDAP compliant directory such as Netscape Directory Server with end user data you can use that directory for any of the purposes mentioned above For example if you have an NIS server and LDAP direc...

Страница 20: ...llment in Chapter 15 Setting Up End User Authentication of CMS Installation and Setup Guide Keep in mind that in an automated certificate management setup the Certificate Manager and Registration Mana...

Страница 21: ...53 Note that the manual authentication method is hardcoded you cannot configure it in any other way This ensures that when the server receives requests that lack authentication credentials it sends th...

Страница 22: ...the agent approved request it subjects it to policy processing For details see Chapter 18 Setting Up Policies of CMS Installation and Setup Guide If the request fails any of the configured policies t...

Страница 23: ...nt Figure 1 3 User ID and password based authentication of an end user These are the steps shown in Figure 1 3 1 In the directory based certificate enrollment form the end user enters a user ID and pa...

Страница 24: ...olicies the server rejects the request logs an error message and sends a rejection notification to the end entity If the request passes all the configured policies the server issues the end user a cer...

Страница 25: ...idPwdDirAuth Plug in Module Chapter 1 Authentication Plug in Modules 25 Figure 1 4 Parameters defined in the UidPwdDirAuth module Table 1 2 gives details about each of these parameters and their value...

Страница 26: ...er uses E attr mail CN attr cn O dn o C dn c as the DN pattern This default DN pattern works well with Netscape Communicator and other browsers For Communicator if you leave out E in end user certific...

Страница 27: ...o which is included in the standard inetOrgPerson object class should be stored in the authentication token and be used to put the user s picture in his or her certificate ldap ldapconn host Specifies...

Страница 28: ...cifies LDAP version 2 If your authentication directory is based on Netscape Directory Server 1 x choose 2 3 specifies LDAP version 3 For Directory Server versions 3 x and later choose 3 Example 3 ldap...

Страница 29: ...user entries in directories do not contain PINs In order to use the UidPwdPinDirAuth module you must first populate the directory that you intend to use for authentication with unique PINs for users e...

Страница 30: ...to remove PINs from the authentication directory after end users successfully authenticate Removing PINs from the directory restricts users from enrolling more than once and thus prevents them from ge...

Страница 31: ...syntax is illustrated in the following example E attr mail 1 CN attr cn OU dn ou 2 O dn o C US This sample configuration specifies that the subject name should be formulated as follows E the first ma...

Страница 32: ...r use by other modules that is values retrieved from this parameter can be used by policy modules to make certain policy decisions or to add additional information to users certificates For example as...

Страница 33: ...r choose 3 default Example 3 ldap ldapauth bindDN Specifies the user entry to bind as when removing PINs from the authentication directory You need to specify this parameter only if you ve selected re...

Страница 34: ...or SslClientAuth BasicAuth specifies basic authentication If you choose this option be sure to enter the correct values for ldap ldapauth bindDN and password parameters the server uses the DN from th...

Страница 35: ...ch for and retrieve specific LDAP attribute values from the directory The ability of the module to use an LDAP directory to form certificate subject names is useful in cases where the NIS server only...

Страница 36: ...1 In the NIS server based certificate enrollment form the end user enters his or her user ID and password for the NIS server and submits the request to a Certificate Manager or Registration Manager 2...

Страница 37: ...shown below 30 Dec 1999 18 40 25 0700 conn 0 op 7 RESULT err 32 tag 101 nentries 0 etime 0 3 Next the server subjects the certificate request to policy processing For details see Chapter 18 Setting U...

Страница 38: ...values Table 1 4 Description of parameters defined in the NISAuth module Parameter Description nisserver Specifies the NIS server name In Unix use the ypwhich command to find the NIS server name Permi...

Страница 39: ...mail CN attr cn O dn o C dn c as the DN pattern This default DN pattern works well with Netscape Communicator and other browsers For Communicator if you leave out E in end user certificates S MIME may...

Страница 40: ...n for use by other modules that is values retrieved from this parameter can be used by policy modules to make certain policy decisions or to add additional information to users certificates For exampl...

Страница 41: ...lues true or false 2 specifies LDAP version 2 If your directory is based on Netscape Directory Server 1 x choose 2 3 specifies LDAP version 3 For Directory Server versions 3 x and later choose 3 Examp...

Страница 42: ...e user name as the only authentication token required to obtain a certificate Uses the information from the enrollment form to create new user entries and update directory entry attributes for unique...

Страница 43: ...r then queries the directory for the user name specified by the user and if it doesn t find a match it adds the entry with all the standard LDAP field names that match the directory attributes For exa...

Страница 44: ...mailing address and submits the request to the server 2 When the server receives the request it verifies that the required fields contain appropriate information for example the values entered in the...

Страница 45: ...gured policies the server rejects the request logs an error message and sends a rejection notification to the end user Note that if this happens the user won t be able to reregister using the same use...

Страница 46: ...Plug in Module 46 Netscape Certificate Management System Plug Ins Guide March 2002 Figure 1 9 Parameters defined in the PortalEnroll module Table 1 5 gives details about each of these parameters and...

Страница 47: ...s entry OU the second ou value in the user s entry DN O the first o value in the user s entry DN C the string US If this parameter value is empty or not set the server uses E attr mail CN attr cn O dn...

Страница 48: ...entries in the portal directory It is recommended that you create and use a separate user account that has permission to create user entries and modify user attributes in the directory For example don...

Страница 49: ...f the certificate to be used for SSL client authentication Example BasicAuth ldap basedn Specifies the base DN for searching the portal directory the server uses the value of the uid field from the HT...

Страница 50: ...the tokens are ready you make them available to users by some means for example from a vending machine like box in the break room Basically a user can get and use any pre initialized and certificate l...

Страница 51: ...a certificate the server verifies the CA that has issued the certificate the user uses for authentication uses the configured directory to formulate the subject name for the new certificate and issues...

Страница 52: ...e issuer DN in the authentication certificate must match the issuer DN specified in the policy configuration Here are a few things to keep in mind Enrollment requests for dual certificates must be sub...

Страница 53: ...e IssuerRule policy with the correct issuer DN and set the predicate expression so that the rule is applied to client certificates only On the client side you need to do the following Install drivers...

Страница 54: ...ab lists only those forms that are associated with the manual enrollment method it does not list the forms provided for the automated enrollment methods However when you create an instance of any of t...

Страница 55: ...nk and form filename Description Browser This section lists menu options for end user enrollments Manual ManUserEnroll html End users can use this form to request SSL client and S MIME certificates Re...

Страница 56: ...ubject name for the certificate from the directory As explained in PortalEnroll Plug in Module on page 42 if the user ID is unique the server issues a certificate and registers the user automatically...

Страница 57: ...der certificate Requests submitted using this form get queued for agent approval Other This section lists menu options for object signing enrollments ObjectSigning PKCS10 ObjSignPKCS10Enroll html Serv...

Страница 58: ...ending on the enrollment plug in you want to use for authenticating end users you may need to modify the KEYGEN tags in the following certificate enrollment forms DirPinUserEnroll html DirUserEnroll h...

Страница 59: ...z7iB7co04LCa0wDU7Z0x oTwmsd0 name subjectKeyGenInfo 10 Repeat steps 7 through 9 to modify any additional KEYGEN tags 11 Save your changes 12 Next configure the Certificate Manager to accept DSA key ba...

Страница 60: ...ctory in which you want the private key file created for example C myKey PVK Be sure to use the PVK extension and to enclose the path in double quotes 7 Optionally you may further edit the form to inc...

Страница 61: ...IN CERTIFICATE and END CERTIFICATE to the file 7 Convert the text based certificate to its DER encoded format using the ASCII to Binary tool explained in CMS Command Line Tools Guide For example the c...

Страница 62: ...Enrollment Forms 62 Netscape Certificate Management System Plug Ins Guide March 2002...

Страница 63: ...tion on the part of users and periodic activities such as updates of related directories This chapter describes the job plug in modules that are provided with Certificate Management System and explain...

Страница 64: ...of these notices to agents For more information see RenewalNotificationJob Plug in Module on page 65 RequestInQueueJob A schedulable job that notifies agents at regular intervals of the current state...

Страница 65: ...dministrators or issuing agents a summary of users who have received these reminders The RenewalNotificationJob plug in module is a schedulable job When an instance of the job is enabled it checks for...

Страница 66: ...resolved Whether a summary will be compiled and sent If a summary is to be sent you can configure the following The recipients of the summary message These can be for example agents who need to know t...

Страница 67: ...b is enabled or disabled Check the box to enable the job Uncheck the box to disable the job If you enable the job and set the remaining parameters correctly the server runs the job at scheduled interv...

Страница 68: ...ate to be used for formulating the message content Permissible values Template file path including the file name Example usr netscape servers cert testCA emails rnJob1 txt summary enabled Specifies wh...

Страница 69: ...as the following default location server_root cert instance_id emails summary emailSubject Specifies the subject line of the summary message Permissible values An alphanumeric string of up to 255 char...

Страница 70: ...see Schedule for Executing Jobs on page 76 The sender of the notification messages who will be notified of any delivery problems The file location of the notification email template The subject line...

Страница 71: ...ou enable the job and set the remaining parameters correctly the server runs the job at scheduled intervals cron Specifies the cron specification for when this job should be run This is the time at wh...

Страница 72: ...to set the remaining parameters these are required by the server to send the summary report summary emailSubject Specifies the subject line of the summary message Permissible values An alphanumeric s...

Страница 73: ...iguration The job constructs the summary message by using a template located in a configured directory This directory has the following default location server_root cert instance_id emails You can con...

Страница 74: ...ting Up LDAP Publishing of CMS Installation and Setup Guide Configuration Parameters of UnpublishExpiredJob In the CMS configuration file the UnpublishExpiredJob module is identified as jobsScheduler...

Страница 75: ...check the box be sure to set the remaining parameters these are required by the server to send the summary report summary emailSubject Specifies the subject line of the summary message Permissible val...

Страница 76: ...field can contain an asterisk rather than an integer Day fields can contain a comma separated list of values For example the following time entry specifies every hour at 15 minutes 1 15 2 15 3 15 and...

Страница 77: ...ls directory of a CMS instance This directory has the following default location server_root cert instance_id emails Both text an HTML templates are included by default They are listed in Table 2 6 Te...

Страница 78: ...hJobItem Template for formatting the items to be included in the summary table which is constructed using the ExpiredUnpublishJob template Templates for RequestInQueueJob module riq1Item html Template...

Страница 79: ...RENEWAL NOTIFICATION Your certificate will expire soon Serial Number SerialNumber SubjectDN SubjectDN IssuerDN IssuerDN Validity Period NotBefore NotAfter To renew your certificate please follow this...

Страница 80: ...r of items in the summary report succeeded Table 2 8 Tokens for items in renewal notification job s summary report Token Description CertType Specifies the type of certificate whether SSL client clien...

Страница 81: ...ival or key recovery request SerialNumber Specifies the serial number of the certificate the serial number will be displayed as a hexadecimal value in the resulting message Status Specifies whether th...

Страница 82: ...ectory in the summary report SummaryTotalSuccess Specifies how many of the total number of items in the summary report succeeded Table 2 11 Tokens for items in the unpublish expired job s summary repo...

Страница 83: ...overn the server s certificate generation and management operations The modules are categorized based on their functionality into two groups constraints specific policy modules and extension specific...

Страница 84: ...lug in modules help you define rules or constraints that Certificate Management System uses to evaluate an incoming certificate enrollment renewal or revocation request Each module enables you to conf...

Страница 85: ...pter 18 Setting Up Policies of CMS Installation and Setup Guide Keep in mind that the changes made to a request by a Registration Manager may be overwritten by a Certificate Manager when it subjects t...

Страница 86: ...ewalValidityConstraints Plug in Module on page 102 RevocationConstraints Allows or rejects requests for revocation of expired certificates For details see RevocationConstraints Plug in Module on page...

Страница 87: ...tribute parameter does not have the specified value the policy rejects the request In the case of multi valued attributes the request will be accepted if any of the values matches the specified value...

Страница 88: ...e specified LDAP directory Table 3 2 describes each of the parameters Table 3 2 Description of parameters defined in the AttributePresentConstraints module Parameter Description enable Specifies wheth...

Страница 89: ...apconn secureConn Specifies the type SSL or non SSL of the port at which the LDAP directory listens to requests from Certificate Management System Check the box if the port is an SSL HTTPS port If you...

Страница 90: ...ion default If you choose this option be sure to enter the correct values for ldap ldapauth bindDN and password parameters the plug in uses the DN from the ldap ldapauth bindDN attribute to bind to th...

Страница 91: ...to do so using the policy During installation Certificate Management System automatically creates an instance of the DSA key constraints policy See DSAKeyRule Rule on page 94 ldap ldapconn maxConns Sp...

Страница 92: ...a prefix identifying the subsystem In the CMS window the module is identified as DSAKeyConstraints Figure 3 3 shows how configurable parameters for the module are displayed in the CMS window Figure 3...

Страница 93: ...t be smaller than or equal to the one specified by the maxSize parameter In general a longer key size results in a key pair that is more difficult to crack You may want to enforce a minimum length to...

Страница 94: ...llation and Setup Guide For instructions on adding additional instances see section Step 4 Add New Policy Rules in the same chapter IssuerConstraints Plug in Module The IssuerConstraints plug in modul...

Страница 95: ...S window the module is identified as IssuerConstraints Figure 3 4 shows how the configurable parameters for the module are displayed in the CMS window Figure 3 4 Parameters of the IssuerConstraints mo...

Страница 96: ...le the rule default Uncheck the box to disable the rule If you enable the rule and set the remaining parameters correctly the server checks for certificates issued by the specified CA and enforces cer...

Страница 97: ...his policy allows you to set restrictions on the types of public keys certified by Certificate Management System You may apply this policy to end entity certificate enrollment and renewal requests For...

Страница 98: ...ecifies whether the rule is enabled or disabled Check the box to enable the rule default Uncheck the box to disable the rule If you enable the rule and set the remaining parameters correctly the serve...

Страница 99: ...n the same chapter RenewalConstraints Plug in Module The RenewalConstraints plug in module implements the renewal constraints policy This policy imposes constraints on renewal of expired certificates...

Страница 100: ...l renew all expired certificates that are submitted for renewal During installation Certificate Management System automatically creates an instance of the renewal constraints policy See RenewalConstra...

Страница 101: ...the rule and set the remaining parameters correctly the server verifies the validity period of the certificate being renewed checks the value assigned to the allowExpiredCerts parameter and according...

Страница 102: ...PKI using system beyond this validity period the entity owning the certificate must renew the certificate the new certificate generally contains a new validity time period and some updated attributes...

Страница 103: ...es For example if the CA signing certificate expires on June 10 2004 any renewal request with validity period beyond June 10 2004 will have validity period truncated to end on June 10 2004 However you...

Страница 104: ...d in the RenewalValidityConstraints module Parameter Description enable Specifies whether the rule is enabled or disabled Check the box to enable the rule default Uncheck the box to disable the rule I...

Страница 105: ...details on individual parameters defined in the rule see Table 3 7 on page 104 You need to review this rule and make the changes appropriate for your PKI setup For instructions see section Step 2 Mod...

Страница 106: ...figure the server accordingly using the policy During installation Certificate Management System automatically creates an instance of the revocation constraints policy See Configuration Parameters of...

Страница 107: ...whether the rule is enabled or disabled Check the box to enable the rule default Uncheck the box to disable the rule If you enable the rule and set the remaining parameters correctly the server verif...

Страница 108: ...ertificate Management System 512 1024 or 2048 In other words the policy allows you to set up restrictions on the lengths of public keys certified by Certificate Management System You may apply this po...

Страница 109: ...ion enable Specifies whether the rule is enabled or disabled Check the box to enable the rule default Uncheck the box to disable the rule If you enable the rule and set the remaining parameters correc...

Страница 110: ...u may want to allow a minimum length to ensure a minimum level of security Permissible values 512 1024 or 2048 You may also enter a custom key size that is between 512 and 2048 bits The default value...

Страница 111: ...thms supported by Certificate Management System MD2 with RSA MD5 with RSA and SHA 1 with RSA if the Certificate Manager s signing key is RSA and SHA 1 with DSA if the Certificate Manager s signing key...

Страница 112: ...s where subsystem is ca or ra prefix identifying the subsystem In the CMS window the module is identified as SigningAlgorithmConstraints Figure 3 10 shows how the configurable parameters for the modul...

Страница 113: ...ndow predicate Specifies the predicate expression for this rule If you want the rule to be applied to all certificate requests leave the field blank default To form a predicate expression see section...

Страница 114: ...tional instances see section Step 4 Add New Policy Rules in the same chapter SubCANameConstraints Plug in Module The SubCANameConstraints plug in module implements the subordinate CA name constraints...

Страница 115: ...s In the CMS window the module is identified as SubCANameConstraints Figure 3 11 shows how configurable parameters for the module are displayed in the CMS window Figure 3 11 Parameters of the SubCANam...

Страница 116: ...ns on adding additional instances see section Step 4 Add New Policy Rules in the same chapter Table 3 11 Description of parameters defined in the SubCANameConstraints module Parameter Description enab...

Страница 117: ...s to own multiple certificates each for a different use all having the same subject name you can do so easily using the enableKeyUsageExtensionChecking parameter defined in this policy This parameter...

Страница 118: ...he rule is enabled or disabled Check the box to enable the rule Uncheck the box to disable the rule default If you enable the rule and set the remaining parameters correctly the server checks the cert...

Страница 119: ...agent approves the request Check the box if you want the server to check the certificate request for the Key Usage extension If you check the box the server checks its internal database for certifica...

Страница 120: ...e section Step 2 Modify Existing Policy Rules in Chapter 18 Setting Up Policies of CMS Installation and Setup Guide For instructions on adding additional instances see section Step 4 Add New Policy Ru...

Страница 121: ...t to 1 25 p m would have passed however You may apply this policy to end entity certificate enrollment requests It can be useful to restrict the length of the validity period for certificates issued b...

Страница 122: ...on Certificate Management System automatically creates an instance of the validity constraints policy See DefaultValidityRule Rule on page 125 Configuration Parameters of ValidityConstraints In the CM...

Страница 123: ...y the predicate parameter If you disable the rule the server does not set the configured validity period in certificates it sets the validity period to the one specified in the request predicate Speci...

Страница 124: ...of the lagTime in the past relative to the time when the policy is run The notBefore attribute value specifies the date on which the certificate validity ends validity dates through the year 2049 are...

Страница 125: ...alidity 1 The maximum validity period allowed for certificates is 365 days maxValidity 365 The lead time allowed is 10 minutes leadTime 10 The lag time allowed is 10 minutes lagTime 10 The the number...

Страница 126: ...ValidityConstraints Plug in Module 126 Netscape Certificate Management System Plug Ins Guide March 2002...

Страница 127: ...of Extension Specific Policy Modules page 128 AuthInfoAccessExt Plug in Module page 132 AuthorityKeyIdentifierExt Plug in Module page 141 BasicConstraintsExt Plug in Module page 144 CertificatePolici...

Страница 128: ...a particular extension to a certificate request Plug in modules are implemented as Java classes and are registered in the CMS policy framework The Policy Plugin Registration tab of the CMS window Fig...

Страница 129: ...eyIdentifierExt BasicConstraintsExt NameConstraintsExt PolicyConstraintsExt PolicyMappingsExt You can use these modules to configure a Certificate Manager and Registration Manager to add extensions to...

Страница 130: ...see CertificateScopeOfUseExt Plug in Module on page 158 CRLDistributionPointsExt Adds the CRL Distribution Points extension to certificates For details see CRLDistributionPointsExt Plug in Module on p...

Страница 131: ...of Java Docs at this location server_root cms_sdk cms_jdk javadocs PolicyConstraintsExt Adds the Policy Constraints extension to certificates For details see PolicyConstraintsExt Plug in Module on pag...

Страница 132: ...CA that has issued the certificate in which the extension appears Note that this extension should not be used to point directly to the CRL location maintained by a CA the CRL Distribution Points exten...

Страница 133: ...it must use the OCSP protocol to access the location that contains additional information about the CA that has issued the certificate You should use the ocsp method when you want to reference to the...

Страница 134: ...Configuration Parameters of AuthInfoAccessExt In the CMS configuration file the AuthInfoAccessExt module is identified as subsystem Policy impl AuthInfoAccessExt class com netscape cms policy AuthInf...

Страница 135: ...xample com 8000 The extension is marked noncritical to comply with the PKIX recommendation Table 4 2 gives details about the configurable parameters defined in the AuthInfoAccessExt module Table 4 2 D...

Страница 136: ...ng the value assigned to this parameter there s no restriction on the total number of locations you can include in the extension Note that each location has its own set of configuration parameters and...

Страница 137: ...t rfc822Name if the location is an Internet mail address Select directoryName if the location is an X 500 directory name Select dNSName if the location is a DNS name Select ediPartyName if the locatio...

Страница 138: ...cted directoryName the value must be a string form of X 500 name similar to the subject name in a certificate in the RFC 2253 syntax see http www ietf org rfc rfc2253 txt Note that RFC 2253 replaces R...

Страница 139: ...version 6 IPv6 the address should be in the form described in RFC 1884 http www ietf org rfc rfc1884 txt with netmask separated by a comma Examples of IPv6 addresses with no netmask are 0 0 0 0 0 0 13...

Страница 140: ...the CA that has issued the certificate in which the extension appears is set to URL ad0_location_type URL The address or location to get additional information about the CA that has issued the certifi...

Страница 141: ...orrect key to use in situations when multiple keys exist the extension specifies the public key to be used to verify the signature on the certificate For general guidelines on setting the authority ke...

Страница 142: ...al enrollments after an agent approves the enrollment request the policy accepts any authority key identifier extension that is already there During installation Certificate Management System automati...

Страница 143: ...t ignores the values in the remaining fields predicate Specifies the predicate expression for this rule If you want this rule to be applied to all certificate requests leave the field blank default To...

Страница 144: ...r 18 Setting Up Policies of CMS Installation and Setup Guide For instructions on adding additional instances see section Step 4 Add New Policy Rules in the same chapter BasicConstraintsExt Plug in Mod...

Страница 145: ...icy again If there s a change in the configuration of the basic constraints extension the server may reject the agent approved request For the server to approve the request the user will have to resub...

Страница 146: ...xtension to certificates it ignores the values in the remaining fields predicate Specifies the predicate expression for this rule If you want this rule to be applied to all certificate requests leave...

Страница 147: ...r n Make sure that the value you choose is less than the path length specified in the Basic Constraints extension of the CA signing certificate owned by the CA that will issue these certificates 0 spe...

Страница 148: ...e has been issued and identifying the purposes for which the certificate may be used Presence of this extension in certificates enables an application with specific policy requirements to compare its...

Страница 149: ...email messages from an employee To see an example of a CPS check this site http people netscape com shadow cps html A textual user notice which the application validating the certificate can interpret...

Страница 150: ...fies whether the rule is enabled or disabled Check the box to enable the rule default If you enable the rule and set the remaining parameters correctly the server adds the certificate policies extensi...

Страница 151: ...mber in the certificate by extracting the notice text that corresponds to the number from the file and display it to the relying party Permissible values A unique valid OID specified in dot separated...

Страница 152: ...stances see section Step 4 Add New Policy Rules in the displayText Specifies the textual statement to be included in certificates this parameter corresponds to the explicitText field of the user notic...

Страница 153: ...ir with a new validity time period and updated attributes Once a certificate is issued the owner of the certificate may attempt its renewal any time To prevent certificate owners from renewing their c...

Страница 154: ...which reminds users to renew their certificates before they expire The renewal constraints policy which determines whether expired certificates can be renewed see RenewalConstraints Plug in Module on...

Страница 155: ...WindowExt module Parameter Description enable Specifies whether the rule is enabled or disabled Check the box to enable the rule default If you enable the rule and set the remaining parameters correct...

Страница 156: ...will be set to the time of certificate issuance n specifies a future time for certificate renewal the beginTime field of the extension will be set to the specified time since certificate issuance You...

Страница 157: ...inutes hours days or months Use the following suffixes to indicate the time unit s seconds m minutes h hours D days M months For example if you re issuing certificates with a validity period of two ye...

Страница 158: ...itself to the server This information may include the name and key information contained in the certificate It also releases the information that the client holds a certificate from a particular CA Th...

Страница 159: ...s ca or ra prefix identifying the subsystem In the CMS window the module is identified as CertificateScopeOfUseExt Figure 4 7 shows how the configurable parameters for the module are displayed in the...

Страница 160: ...he extension should be marked critical or noncritical in certificates specified by the predicate parameter Check the box if you want the server to mark the extension critical Uncheck the box if you wa...

Страница 161: ...rfc822Name the value must be a valid Internet mail address in the local part domain format see the definition of an rfc822Name as defined in RFC 822 http www ietf org rfc rfc0822 txt You may use upper...

Страница 162: ...escribed in RFC 1884 http www ietf org rfc rfc1884 txt with netmask separated by a comma Examples of IPv6 addresses with no netmask are 0 0 0 0 0 0 13 1 68 3 and FF01 43 Examples of IPv6 addresses wit...

Страница 163: ...RL or both Note that in the current implementation the policy supports only two name forms for distribution points X 500 Directory Name and URI URIs described in this document support two CRL retrieva...

Страница 164: ...ld set the CRL distribution point extension in router certificates the CRL location is a X 500 directory Table 4 8 gives details about each of these parameters Table 4 8 Description of parameters defi...

Страница 165: ...eld is set to 3 and the UI shows fields for configuring three distribution points You can change the total number of distribution points by changing the value assigned to this parameter there s no res...

Страница 166: ...pe attribute must be RelativeToIssuer pointType n Specifies the type of the CRL distribution point Permissible values DirectoryName URI or RelativeToIssuer The type you select must correspond to the v...

Страница 167: ...n point Permissible values Any supported name forms By default the name can be in any of the following formats An X 500 directory name in the RFC 2253 syntax see http www ietf org rfc rfc2253 txt note...

Страница 168: ...or more purposes in addition to or in place of the basic purposes indicated in the key usage extension for which the certified public key may be used For example if the key usage extension identifies...

Страница 169: ...should be created with only the EFS OID not the recovery OID For general guidelines on setting the extended key usage extension in certificates see extKeyUsage on page 344 The extended key usage exten...

Страница 170: ...re subsystem is ca or ra prefix identifying the subsystem In the CMS window the module is identified as ExtendedKeyUsageExt Figure 4 9 shows how the configurable parameters for the module are displaye...

Страница 171: ...hould be marked critical or noncritical in certificates specified by the predicate parameter Check the box if you want the server to mark the extension critical default Uncheck the box if you want the...

Страница 172: ...in the rule see Table 4 10 on page 171 You need to review this rule and make the changes appropriate for your PKI setup For instructions see section Step 2 Modify Existing Policy Rules in Chapter 18...

Страница 173: ...er certificate indicating that the associated key can be used for signing OCSP responses Here s some background information that will help you understand why you should set this extension in OCSP resp...

Страница 174: ...and it enables OCSP compliant applications to identify the responder as a CA designated responder a responder authorized to sign OCSP responses for all certificates issued by the CA The special marki...

Страница 175: ...ed extension values The resulting extension would look similar to the way a standard extension appears in certificates as defined in RFC 2459 Extension SEQUENCE extnID OBJECT IDENTIFIER critical BOOLE...

Страница 176: ...E SET or ASN 1 tagging During installation Certificate Management System automatically creates an instance of the generic ASN 1 extension policy See GenericASN1Ext Rule on page 181 Configuration Param...

Страница 177: ...in 1st sequence 437 04 10 OCTET STRING 11 22 33 44 A0 B0 C0 D0 E0 F0 449 30 37 SEQUENCE 451 17 13 UTCTime 000406070000Z 466 30 8 SEQUENCE 468 01 1 BOOLEAN TRUE 471 06 3 OBJECT IDENTIFIER 2 4 5 100 476...

Страница 178: ...critical if you want your certificates supported by other applications Other applications most likely will not understand your extension name Specifies the name of the extension The name is displayed...

Страница 179: ...t Integer for extensions that have ASN 1 INTEGER values default It s case insensitive and accepts an integer in decimal notation as value Select IA5String for extensions that have ASN 1 IA5String valu...

Страница 180: ...c attribute The value of n can be 0 to 9 Permissible values Depends on the data type and source you selected If the data type is Integer enter an integer in decimal notation as value For example 12345...

Страница 181: ...Policies of CMS Installation and Setup Guide For instructions on adding additional instances see section Step 4 Add New Policy Rules in the same chapter IssuerAltNameExt Plug in Module The IssuerAltNa...

Страница 182: ...e of the IssuerAltNameExt module and configure it For instructions see section Step 4 Add New Policy Rules in Chapter 18 Setting Up Policies of CMS Installation and Setup Guide Configuration Parameter...

Страница 183: ...ies of CMS Installation and Setup Guide Example HTTP_PARAMS certType ca critical Specifies whether the extension should be marked critical or noncritical in certificates specified by the predicate par...

Страница 184: ...name is in any other name form Example rfc822Name generalName n general NameValue Specifies the general name value for the alternative name you want to include in the extension Permissible values Dep...

Страница 185: ...form specified in RFC 791 http www ietf org rfc rfc0791 txt IPv4 address must be in the n n n n format for example 128 21 39 40 IPv4 address with netmask must be in the n n n n m m m m format For exam...

Страница 186: ...termined purposes The key usage extension is a string of boolean bit flags each bit identifying the purpose for which a key is to be used Table 4 13 lists the bits and their designated purposes You ca...

Страница 187: ...Management System automatically creates multiple instances of the key usage extension policy suitable for various types of certificates that you may want the server to issue The default instances are...

Страница 188: ...riables that correspond to the key usage bits By default only variables that correspond to key usage bits that need to be set are included in the form Typically you won t have to change the key usage...

Страница 189: ...odule are displayed in the CMS window Figure 4 12 Parameters defined in the KeyUsageExt module The configuration shown in Figure 4 12 creates a policy rule named KeyUsageExtForClientCert which enforce...

Страница 190: ...ession see section Using Predicates in Policy Rules in Chapter 18 Setting Up Policies of CMS Installation and Setup Guide Example HTTP_PARAMS certType client critical Specifies whether the extension s...

Страница 191: ...et the bit default Select false if you don t want the server to set the bit Select HTTP_INPUT if you want the server to check the certificate request for the HTTP input variable corresponding to the k...

Страница 192: ...t the server to set the bit default Select false if you don t want the server to set the bit Select HTTP_INPUT if you want the server to check the certificate request for the HTTP input variable corre...

Страница 193: ...default Select false if you don t want the server to set the bit Select HTTP_INPUT if you want the server to check the certificate request for the HTTP input variable corresponding to the encipherOnl...

Страница 194: ...e Certificate Manager enrollment form RMCertKeyUsageExt Rule The policy rule named RMCertKeyUsageExt is an instance of the KeyUsageExt module This rule is for setting the appropriate key usage bits in...

Страница 195: ...d ServerCertKeyUsageExt is an instance of the KeyUsageExt module This rule is for setting the appropriate key usage bits in SSL server certificates By default the rule is configured as follows The rul...

Страница 196: ...ertificate requests The extension is marked noncritical to comply with the PKIX recommendation The server is configured to set digitalSignature nonRepudiation and keyEncipherment key usage bits in SSL...

Страница 197: ...n bits in the directory based enrollment form Keep in mind that for requesting client certificates there are many enrollment forms You may be using a combination of them Certificate based enrollment f...

Страница 198: ...sageExt is an instance of the KeyUsageExt module This rule is for setting the appropriate key usage bits in object signing certificates By default the rule is configured as follows The rule is enabled...

Страница 199: ...9 see http www ietf org rfc rfc2459 txt to certificates The extension is used in CA certificates to indicate a name space within which subject names or subject alternative names in subsequent certific...

Страница 200: ...aintsExt In the CMS window the module is identified as NameConstraintsExt Figure 4 18 shows how the configurable parameters for the module are displayed in the CMS window Figure 4 18 Parameters define...

Страница 201: ...sion should be marked critical or noncritical in certificates specified by the predicate parameter Check the box if you want the server to mark the extension critical default Uncheck the box if you wa...

Страница 202: ...luded subtrees can be contained in the extension n specifies the total number of excluded subtrees to be included in the extension it must be an integer greater than zero The default value is 8 Exampl...

Страница 203: ...3 txt Note that RFC 2253 replaces RFC 1779 For example CN SubCA OU Research Dept O Example Corporation C US If you selected dNSName the value must be a valid domain name in the preferred name syntax a...

Страница 204: ...and FF01 43 FFFF FFFF FFFF FFFF FFFF FFFF FF00 0000 If you selected OID the value must be a unique valid OID specified in dot separated numeric component notation Although you can invent your own OID...

Страница 205: ...subtree is a DNS name Select ediPartyName if the subtree is a EDI party name Select URL if the subtree is a uniform resource locator Select iPAddress if the subtree is an IP address Select OID if the...

Страница 206: ...hat is the name must include both a scheme for example http and a fully qualified domain name or IP address of the host For example http testCA example com If you selected iPAddress the value must be...

Страница 207: ...otherName the value must be the absolute path to the file that contains the base 64 encoded string of the subtree For example usr netscape servers ext nc othername txt excludedSubtrees n min Specifies...

Страница 208: ...dding additional instances see section Step 4 Add New Policy Rules in the same chapter NSCCommentExt Plug in Module The NSCCommentExt plug in module implements the Netscape certificate comment extensi...

Страница 209: ...dentifying the subsystem In the CMS window the module is identified as NSCCommentExt Figure 4 19 shows how the configurable parameters for the module are displayed in the CMS window Figure 4 19 Parame...

Страница 210: ...TTP_PARAMS certType client critical Specifies whether the extension should be marked critical or noncritical in certificates specified by the predicate parameter Check the box if you want the server t...

Страница 211: ...s in Chapter 18 Setting Up Policies of CMS Installation and Setup Guide For instructions on adding additional instances see section Step 4 Add New Policy Rules in the same chapter displayText Specifie...

Страница 212: ...ape certificate type extension is a string of boolean bit flags each bit identifying the purpose for which a certificate to be used Table 4 18 lists the bits and their designated purposes The extensio...

Страница 213: ...on are to be set on the client side you specify whether to add the extension by enabling the Netscape certificate type extension policy and which bits are to be set by adding the appropriate HTTP vari...

Страница 214: ...ssl_client and email indicating that these bits be set in certificates requested using this form Figure 4 20 Netscape certificate type extension specific variables in enrollment forms Note that the de...

Страница 215: ...where subsystem is ca or ra prefix identifying the subsystem In the CMS window the module is identified as NSCertTypeExt Figure 4 21 shows how the configurable parameters for the module are displayed...

Страница 216: ...rtificate request and the status of the setDefaultBits parameter predicate Specifies the predicate expression for this rule If you want this rule to be applied to all certificate requests leave the fi...

Страница 217: ...ule The OCSPNoCheckExt plug in module implements the OCSP no check extension policy This policy enables you to configure Certificate Management System to add the OCSP No Check Extension defined in X 5...

Страница 218: ...CSP responder a certificate with the OCSP no check extension which indicates that the certificate can be trusted by the clients for its lifetime The OCSP no check policy of Certificate Management Syst...

Страница 219: ...class com netscape cms policy OCSPNoCheckExt where subsystem is ca or ra prefix identifying the subsystem In the CMS window the module is identified as OCSPNoCheckExt Figure 4 22 shows how the config...

Страница 220: ...the same chapter Table 4 21 Description of parameters defined in the OCSPNoCheckExt module Parameter Description enable Specifies whether the rule is enabled or disabled Check the box to enable the ru...

Страница 221: ...509 definition The policy allows you to specify both requireExplicitPolicy and inhibitPolicyMapping fields PKIX standard requires that if present in a CA certificate the extension must never consist o...

Страница 222: ...whether the rule is enabled or disabled Check the box to enable the rule default Uncheck the box to disable the rule If you enable the rule and set the remaining parameters correctly the server adds...

Страница 223: ...ifies that the field should not be set in the extension default 0 specifies that no subordinate CA certificates are permitted in the path before an explicit policy is required n must be an integer tha...

Страница 224: ...ule and make the changes appropriate for your PKI setup For instructions see section Step 2 Modify Existing Policy Rules in Chapter 18 Setting Up Policies of CMS Installation and Setup Guide For instr...

Страница 225: ...rDomainPolicy equivalent to the subjectDomainPolicy of the subject CA The issuing CA s users may accept an issuerDomainPolicy for certain applications The policy mapping tells these users which polici...

Страница 226: ...ectly the server adds the policy mappings extension to certificates specified by the predicate parameter If you disable the rule the server does not add the extension to certificates it ignores the va...

Страница 227: ...ust be a integer greater than zero The default value is 1 Example 2 policyMap n issuerDomainPolicy Specifies the OID assigned to the policy statement n of the issuing CA that you want to map with the...

Страница 228: ...setup For instructions see section Step 2 Modify Existing Policy Rules in Chapter 18 Setting Up Policies of CMS Installation and Setup Guide For instructions on adding additional instances see sectio...

Страница 229: ...guration Parameters of PrivateKeyUsagePeriodExt In the CMS configuration file the PrivateKeyUsagePeriodExt module is identified as subsystem Policy impl PrivateKeyUsagePeriodExt class com netscape cms...

Страница 230: ...you disable the rule the server does not add the extension to certificates it ignores the values in the remaining fields predicate Specifies the predicate expression for this rule If you want this ru...

Страница 231: ...n file the RemoveBasicConstraintsExt module is identified as ca Policy impl RemoveBasicConstraintsExt class com netscape cms policy RemoveBasicConstraintsExt In the CMS window the module is identified...

Страница 232: ...Certificate Management System enables you to include values of certificate request attributes in the extension You can include any number of attributes as long as the attribute values conform to any o...

Страница 233: ...e servlet level and set on the request before the request is passed to the policy subsystem In general you can configure which attributes should or shouldn t be stored in the request for example you c...

Страница 234: ...entified as SubjectAltNameExt Figure 4 27 shows how the configurable parameters for the module are displayed in the CMS window Figure 4 27 Parameters defined in the SubjectAltNameExt module The config...

Страница 235: ...d be marked critical or noncritical in certificates specified by the predicate parameter Check the box if you want the server to mark the extension critical Uncheck the box if you want the server to m...

Страница 236: ...format default For example jdoe example com Select directoryName if the request attribute value is an X 500 directory name similar to the subject name in a certificate For example CN Jane Doe OU Sale...

Страница 237: ...me is in the rfc822Name format generalName0 generalNameChoice rfc822Name The second alternative name is the value of the mailalternateaddress attribute in the certificate subject s directory entry gen...

Страница 238: ...ut value that gets added to the request when a user uses the manual enrollment form for details see Enrollment Forms on page 53 If you enable the default policy rule the server automatically checks th...

Страница 239: ...y attributes For details on defining new attributes see Extending Attribute Support on page 314 Note that during installation Certificate Management System does not create an instance of the subject d...

Страница 240: ...e 4 27 provides details for each of these parameters Table 4 27 Description of parameters defined in the SubjectDirectoryAttributesExt module Parameter Description enable Specifies whether the rule is...

Страница 241: ...must specify appropriate values for both otherwise the policy rule will return an error You can configure the server to include up to three attributes in the extension By default this field is set to...

Страница 242: ...tity certificates the extension provides a means for identifying certificates containing the particular public key used in an application If an end entity has multiple certificates especially from mul...

Страница 243: ...y subclassing the policy and overriding the following method formKeyIdentifier X509CertInfo certInfo IRequest req For details check the CMS SDK installed at this location server_root cms_sdk cms_jdk j...

Страница 244: ...hould set the subject key identifier extension in all certificates Table 4 28 provides details for each of these parameters Table 4 28 Description of configuration parameters defined in the SubjectKey...

Страница 245: ...expression see section Using Predicates in Policy Rules in Chapter 18 Setting Up Policies of CMS Installation and Setup Guide Example HTTP_PARAMS certType ca critical Specifies whether the extension...

Страница 246: ...if you re planning to issue multiple certificates to an end entity and want to assist applications in identifying the appropriate end entity certificate you should consider modifying the predicate ex...

Страница 247: ...entry in the repository the Certificate Manager relies on object mapping rules and to update the located entry with relevant information the Certificate Manager relies on object publishing rules To en...

Страница 248: ...e specific rules to map or locate a specific entry such as a CA s entry or an end entity s entry in a specified directory once the correct entry is located the server publishes the certificate or CRL...

Страница 249: ...ory For details see LdapCaSimpleMap Plug in Module on page 250 LdapDNCompsMap Maps a certificate to a directory entry by formulating the entry s DN from components such as CN OU O and C in the certifi...

Страница 250: ...configure a Certificate Manager to automatically create an entry for the CA in an LDAP directory and then map the CA s certificate to the directory entry by formulating the entry s DN from components...

Страница 251: ...ldbm conf file This setting prevents the directory from having two entries with the same UID under that base DN For example it prevents the directory from having two entries under O example com with...

Страница 252: ...ng Up LDAP Publishing of CMS Installation and Setup Guide Configuration Parameters of LdapCaSimpleMap In the CMS configuration file the LdapCaSimpleMap module is identified as ca publish mapper impl L...

Страница 253: ...se to construct the DN in order to search for the CA s entry in the publishing directory The value of dnPattern can be a list of AVAs separated by commas An AVA can be a variable such as CN subj cn th...

Страница 254: ...ectory By default the mapper is configured to create an entry for the CA in the directory and the default DN pattern for locating the CA s entry is as follows UID subj cn OU people O subj o LdapDNComp...

Страница 255: ...in this directory server_root cms_sdk cms_jdk samples mappers The discussion below explains how mapping by DN components works It is recommended that you read this before configuring a Certificate Man...

Страница 256: ...eading the DN attribute values from the certificate and uses the DN as the base for searching the directory CN Jane Doe OU Sales O Example Corporation C US Note the following A subject name does not n...

Страница 257: ...tribute One entry s UID value is janedoe1 and the other entry s UID value is janedoe2 Because the UID attribute corresponds to the UID component in a DN you can set up the subject names of certificate...

Страница 258: ...both the formed DN and base DN are null the server logs an error If the filter is null the server uses the baseDN value for the search If both the filter and base DN are null the server logs an error...

Страница 259: ...r uses the filterComps values to form an LDAP search filter for the subtree The server constructs the filter by gathering values for these attributes from the certificate subject name it uses the filt...

Страница 260: ...this UID jdoe O Example Corporation C US When searching the directory for the entry the Certificate Manager only searches for an entry whose DN is this UID jdoe O Example Corporation C US If no matchi...

Страница 261: ...rectory documentation The simple mapper requires you to specify just one parameter which is named dnPattern The value of dnPattern can be a list of AVAs separated by commas An AVA can be a variable su...

Страница 262: ...ails see LdapUserCertMap Mapper on page 263 It is important that you review and customize this mapper For instructions on modifying mappers or creating new mappers section Configuring a Certificate Ma...

Страница 263: ...oe OU people O Example Corporation LdapSubjAttrMap Plug in Module The LdapSubjAttrMap plug in module implements the subject attribute mapper This mapper enables you to configure a Certificate Manager...

Страница 264: ...n and Setup Guide Configuration Parameters of LdapSubjAttrMap In the configuration file the LdapSubjAttrMap module is identified as ca publish mapper impl LdapSubjAttrMap class com netscape cms publis...

Страница 265: ...Parameter Description certSubjNameAttr Specifies the name of the LDAP attribute that contains a certificate subject name as its value Permissible values Must be certSubjectName Example certSubjectName...

Страница 266: ...LdapSubjAttrMap Plug in Module 266 Netscape Certificate Management System Plug Ins Guide March 2002...

Страница 267: ...mapping rules and to update the located entry with relevant information the Certificate Manager relies on object publishing rules To enable you to construct object publishing rules the Certificate Ma...

Страница 268: ...ault the Certificate Manager provides publisher modules for publishing the CA certificate end entity certificates and CRLs Plug in modules are implemented as Java classes and are registered in the CMS...

Страница 269: ...cates and CRLs to a flat file for exporting into other repositories For details see FileBasedPublisher Plug in Module on page 270 LdapCaCertPublisher Publishes or unpublishes a certificate to the caCe...

Страница 270: ...ting the certificates and CRLs into any other repository By default the Certificate Manager does not create an instance of the FileBasedPublisher module The instructions covered in Chapter 20 Publishi...

Страница 271: ...attribute of the mapped directory entry the mapper must locate the correct entry so the publisher can publish the certificate to the specified attribute The certificate is published as a DER encoded b...

Страница 272: ...her In the CMS window the module is identified as LdapCaCertPublisher Figure 6 3 shows how the configurable parameters for the module are displayed in the CMS window Figure 6 3 Parameters defined in t...

Страница 273: ...ed directory entry the mapper must locate the correct entry so the publisher can publish the certificate to the specified attribute The certificate is published as a DER encoded binary blob You can us...

Страница 274: ...scape cms publish LdapUserCertPublisher In the CMS window the module is identified as LdapUserCertPublisher Figure 6 4 shows how the configurable parameters for the module are displayed in the CMS win...

Страница 275: ...mapped directory entry the configured mapper must locate the CA s entry so that the publisher can publish the CRL to the certificateRevocationList binary attribute The CRL is published as a DER encod...

Страница 276: ...entified as LdapCrlPublisher Figure 6 5 shows how the configurable parameters for the module are displayed in the CMS window Figure 6 5 Parameters defined in the LdapCrlPublisher module Table 6 4 desc...

Страница 277: ...ents the OCSP publisher This module enables you to configure a Certificate Manager to publish its CRLs to a Online Certificate Status Manager the OCSP responder provided by Certificate Management Syst...

Страница 278: ...ate Status Manager Permissible values Must be the fully qualified hostname of a Online Certificate Status Manager in this form machine _name your_domain com Example ocspResponder example com port Spec...

Страница 279: ...tain CRL extensions To enable you to add these extensions to the CRL it generates the Certificate Manager provides a set of plug in modules These modules are implemented as Java classes and are regist...

Страница 280: ...l the modules that are registered with a Certificate Manager When deciding whether to add CRL extensions keep in mind that not all applications support version 2 CRLs Among the applications that do su...

Страница 281: ...w which key was used in the signature The extension if present in a certificate enables applications those that can use the extension to identify the correct key to use in situations when multiple key...

Страница 282: ...ameters Table 7 2 Description of parameters defined in the AuthorityKeyIdentifierExt rule Parameter Description enable Specifies whether the rule is enabled or disabled Check the box to enable the rul...

Страница 283: ...ce number for each CRL issued by a CA allowing CRL users to easily determine when a particular CRL supersedes another CRL For general guidelines on setting the CRL number extension in CRLs see CRLNumb...

Страница 284: ...rameter Description enable Specifies whether the rule is enabled or disabled Check the box to enable the rule Uncheck the box to disable the rule default If you enable the rule and set the remaining p...

Страница 285: ...meter Description enable Specifies whether the rule is enabled or disabled Check the box to enable the rule default Uncheck the box to disable the rule If you enable the rule and set the remaining par...

Страница 286: ...nstruction identifier the identifier indicates what action the validating application should take when it encounters a certificate that has been placed on hold For general guidelines on setting the CR...

Страница 287: ...and set the remaining parameters correctly the server sets the Hold Instruction extension in CRLs If you disable the rule the server does not add the extension to CRLs it ignores the values in the rem...

Страница 288: ...validityDate rule Parameter Description enable Specifies whether the rule is enabled or disabled Check the box to enable the rule Uncheck the box to disable the rule default If you enable the rule and...

Страница 289: ...a DNS name an IP address and a uniform resource indicator URI with the issuer of the CRL The IssuerAlternativeName rule enables you to associate the following identities with a CRL issuer by includin...

Страница 290: ...box if you want the server to mark the extension critical Uncheck the box if you want the server to mark the extension noncritical default numNames Specifies the total number of alternative names or i...

Страница 291: ...format see the definition of an rfc822Name as defined in RFC 822 http www ietf org rfc rfc0822 txt You may use upper and lower case letters in the mail address no significance is attached to the case...

Страница 292: ...28 21 39 40 255 255 255 00 For IP version 6 IPv6 the address should be in the form described in RFC 1884 http www ietf org rfc rfc1884 txt with netmask separated by a comma Examples of IPv6 addresses...

Страница 293: ...the pointer can be in either of these forms The name of the X 500 directory that stores the CRL The URI to the location that contains the CRL Optionally each issuing point may contain a set of reason...

Страница 294: ...int extension in CRLs If you disable the rule the server does not add the extension to CRLs it ignores the values in the remaining fields critical Specifies whether the extension should be marked crit...

Страница 295: ...omeReasons Specifies the reason codes associated with the distribution point Permissible values A combination of reason codes unspecified keyCompromise cACompromise affiliationChanged superseded cessa...

Страница 296: ...es whether the distribution point contains an indirect CRL Check the box if the distribution point contains an indirect CRL Uncheck the box if the distribution point doesn t contain an indirect CRL de...

Страница 297: ...297 file Plug in Module page 299 NTEventLog Plug in Module page 304 Overview of Log Modules You can configure a CMS instance to log messages related to specific activities when events relevant to tho...

Страница 298: ...module would be com netscape cms logging NTEventLogs After you take a look at the default log modules if you determine that they do not meet your requirements entirely you can develop a custom module...

Страница 299: ...iration time for rotated logs During installation Certificate Management System automatically creates three instances of the file modules for logging audit error and system messages The listeners are...

Страница 300: ...as file Figure 8 2 shows how configurable parameters for the module are displayed in the CMS window Figure 8 2 Parameters defined in the file module Table 8 2 gives details about each of these paramet...

Страница 301: ...d its name will be appended with a timestamp For details see Timing of Log File Rotation in Chapter 23 Managing CMS Logs of CMS Installation and Setup Guide Permissible values Absolute path to the fil...

Страница 302: ...le values As applicable The default value is 100 Example 100 rolloverInterval Specifies the frequency for rotating the active log file the file will be rotated when its age is equal to or older than t...

Страница 303: ...Management System automatically creates this listener during installation By default the listener is configured as follows The rule is enabled The type is set to log error messages type system The lo...

Страница 304: ...to 512 KB bufferSize 512 The interval for flushing the buffer to the file is set to 5 seconds flushInterval 5 The size limit for the active log file is set to 100 KB maxFileSize 100 The rollover inte...

Страница 305: ...that by default both the listeners are enabled You need to review these listeners and make the changes appropriate for your PKI setup For instructions see Configuring CMS Logs in Chapter 23 Managing...

Страница 306: ...ystem logs Example system enable Specifies whether the listener is enabled to log messages Check the box if you want the server to log messages of this type Leave the box unchecked if you do not want...

Страница 307: ...the CMS instance that s logging the events For details on individual parameters defined in the listener see Table 8 3 on page 306 NTSystem Event Listener The event listener named NTSystem is an instan...

Страница 308: ...NTEventLog Plug in Module 308 Netscape Certificate Management System Plug Ins Guide March 2002...

Страница 309: ...ost part the information presented in this appendix is specific to Netscape Directory Server an LDAP compliant directory What Is a Distinguished Name Distinguished names DNs are string representations...

Страница 310: ...txt Note that if used in conjunction with an LDAP compliant directory Certificate Management System by default recognizes components that are listed in Table A 2 Table A 1 Definitions of standard DN...

Страница 311: ...he search base For example if you specify a base DN of OU people O example com for a client the LDAP search operation initiated by the client examines only the OU people subtree in the O example com d...

Страница 312: ...Plug in Modules and Chapter 6 Publisher Plug in Modules In the absence of a base DN value Certificate Management System uses DN components in the certificate s subject name to construct the base DN so...

Страница 313: ...E IA5String 1 2 840 113549 1 9 1 DC IA5String 0 9 2342 19200300 100 1 2 25 SERIALNUMBER for CEP support Printable String 2 5 4 5 UNSTRUCTUREDNAME for CEP support IA5String 1 2 840 113549 1 9 2 UNSTRU...

Страница 314: ...ng Representation of Distinguished Names see http www ietf org rfc rfc2253 txt Certificate Management System conforms to all of this standard including support of using hex numbers to escape character...

Страница 315: ...ollowing order from smaller character sets to broadest character set Printable IA5String BMPString Universal String For example X500Name MY_ATTR oid 1 2 3 4 5 6 X500Name MY_ATTR class netscape securit...

Страница 316: ...u can verify whether they appear in certificate subject names For example you can enter the following values for the new attributes and look for them in the subject name MYATTR1 a_value MYATTR2 a Valu...

Страница 317: ...gn TOP input type TEXT name DC size 30 onchange formulateDN this form this form subject td tr 4 Save your changes and close the file 5 Go to this directory server_root cert instance_id web apps ee 6 O...

Страница 318: ...enrollment form in the browser and verify your changes 10 To verify that the Enroll for a certificate using the new attribute value Changing the DER Encoding Order You can also change the DER encoding...

Страница 319: ...o the agent interface and approve your request 8 When you receive the certificate use the dumpasn1 tool to examine the encoding of the certificate For details about the dumpasn1 tool see CMS Command L...

Страница 320: ...N corpDirectory example com OU Human Resources O Example Corporation C US When clients such as Netscape Navigator receive a server certificate they expect the CN component of the certificate s subject...

Страница 321: ...ulated from the directory attributes and entry DN The dnpattern configuration variable of the automated enrollment modules such as UidPwdDirAuth and UidPwdPinDirAuth described in Chapter 1 Authenticat...

Страница 322: ...e first mail LDAP attribute value in user s entry CN the first cn LDAP attribute value in the user s entry OU the second ou value in the user s entry DN O the first o value in the user s entry DN C th...

Страница 323: ...e in the user s entry DN C the string US Example 4 If the configured DN pattern is CN attr cn OU dn ou 2 OU dn ou 1 O dn o C US LDAP entry dn UID jdoe OU IS OU people O example org LDAP attributes cn...

Страница 324: ...DNs in Certificate Management System 324 Netscape Certificate Management System Plug Ins Guide March 2002...

Страница 325: ...sion or a company s certificate practice statement OIDs are controlled by the International Standards Organization ISO registration authority In some cases this authority is delegated by ISO to region...

Страница 326: ...c http www isi edu cgi bin iana enterprise pl To understand why you need to have a company arc check the information at this site http www alvestrand no objectid 2 16 840 1 113730 1 13 html The site c...

Страница 327: ...te Extensions page 327 Recommendations for Certificate Extension Use page 331 Standard X 509 v3 Certificate Extensions page 337 Introduction to CRL Extensions page 357 Standard X 509 v3 CRL Extensions...

Страница 328: ...he public key in the certificate Additional attributes Some organizations may find it convenient to store additional information in certificates for example for situations in which it s not possible t...

Страница 329: ...was finalized certain kinds of certificates should include some of the Netscape extensions For details see Recommendations for Certificate Extension Use on page 331 Note that the X 500 and X 509 speci...

Страница 330: ...her true or false assigned to this field indicates whether the extension is critical or noncritical to the certificate If the extension is critical and the certificate is sent to an application that d...

Страница 331: ...te for example a certificate may contain only one subject key identifier extension Note that certificates that support these extensions have the version 0x2 which corresponds to version 3 Certificate...

Страница 332: ...s plus others are described in detail in later sections of this appendix Additional extensions may be useful for a variety of purposes However the extensions listed above are either required or recomm...

Страница 333: ...Sign cRLSign netscape cert type SSL CA if extension exists bit must be set subjectKeyIdentifier authorityKeyIdentifier basicConstraints true required cRLDistributionPoints extKeyUsage client auth keyU...

Страница 334: ...fier authorityKeyIdentifier cRLDistributionPoints extKeyUsage Email keyUsage keyCertSign cRLSign netscape cert type S MIME CA if extension exists bit must be set subjectKeyIdentifier authorityKeyIdent...

Страница 335: ...er cRLDistributionPoints extKeyUsage Email keyUsage keyCertSign cRLSign subjectKeyIdentifier authorityKeyIdentifier cRLDistributionPoints extKeyUsage Email keyUsage signing certificate digitalSignatur...

Страница 336: ...xtKeyUsage Server Auth recommended Microsoft SGC and Netscape SGC required for step up keyUsage keyCertSign cRLSign netscape cert type SSL CA if extension exists bit must be set subjectKeyIdentifier a...

Страница 337: ...that discusses the extension the object identifier OID for each extensions is also provided Object signing Authe nticode certificate authorityKeyIdentifier extKeyUsage Code Signing required for Authe...

Страница 338: ...ember 4 1997 Certificate Management System CMS version support is listed for each extension Supported means that the indicated version of CMS ships with built in support for the extension via a policy...

Страница 339: ...he CA chain than the issuer of the certificate using the extension The accessLocation field then typically contains a URL indicating the location and protocol LDAP HTTP FTP used to retrieve the list T...

Страница 340: ...www ietf org rfc rfc2459 txt 4 2 1 1 Criticality This extension is always noncritical and is always evaluated Discussion The Authority Key Identifier extension identifies the public key corresponding...

Страница 341: ...o AuthorityKeyIdentifierExt Plug in Module on page 141 CMS 4 1 Supported CMS 4 2 Supported CMS 4 2 SP2 Supported CMS 4 5 Supported CMS 6 0 Supported Note that Certificate Management System does not us...

Страница 342: ...of CA certificates that have been processed so far starting with the end entity certificate and moving up the chain If pathLenConstraint is omitted then all of the higher level CA certificates in the...

Страница 343: ...t PKIX Part 1 recommends that policies be identified with an OID only or if necessary only certain recommended qualifiers CMS Version Support Refer to CertificatePoliciesExt Plug in Module on page 148...

Страница 344: ...If the distributionPoint omits reasons the CRL must include revocations for all reasons If the distributionPoint omits cRLIssuer the CRL must be issued by the CA that issued the certificate PKIX recom...

Страница 345: ...tes validated by the responder is also the OCSP signing key The OCSP responder s certificate must be issued directly by the CA that signs certificates the responder will validate The Key Usage Extende...

Страница 346: ...crosoft Recommendations Microsoft products interpret this extension as follows If the extension is not present the certificate is considered to be valid for any usage to support backward compatibility...

Страница 347: ...y usages of all the certificates in the chain to its root as determined by both the Extended Key Usage extension for each certificate and the corresponding user settings To be valid for a particular u...

Страница 348: ...urposes for which a certificate can be used For more information on interactions between these extensions in CA certificates see CA Certificates and Extension Interactions on page 368 If this extensio...

Страница 349: ...t or not critical all types of usage are allowed If the keyUsage extension is present critical or not it is used to select from multiple certificates for a given operation For example it is used to di...

Страница 350: ...ft products will interpret the extension in the same way whether marked critical or not If the extension is present the actual usage must conform to the specified usage The only Microsoft application...

Страница 351: ...n be signed by the OCSP responder and the client would again request the validity status of the signing certificate This extension is null valued its meaning is determined by its presence or absence S...

Страница 352: ...tension may be critical or noncritical Discussion This extension which is for CA certificates only constrains path validation in two ways It can be used to prohibit policy mapping or to require that e...

Страница 353: ...are equivalent to policies of another CA It may be useful in the context of cross certification This extension may be supported by CAs and or applications CMS Version Support Refer to PolicyMappingsE...

Страница 354: ...Supported CMS 4 2 SP2 Supported CMS 4 5 Supported CMS 6 0 Supported Netscape Recommendation Netscape recommends against the use of this extension Microsoft Recommendation Microsoft recommends against...

Страница 355: ...ndation Netscape recommends the use of this extension with all certificates issued by a CA except for SSL client certificates Netscape products read only the first alternative name in this extension a...

Страница 356: ...f the certificate It is not recommended as an essential part of the proposed PKIX standard but may be used in local environments CMS Version Support Refer to SubjectDirectoryAttributesExt Plug in Modu...

Страница 357: ...in the Authority Key Identifier extension of the certificate being verified should match the key identifier of the CA s Subject Key Identifier extension It is not necessary for the verifier to recomp...

Страница 358: ...r OID for the extension see Appendix B Object Identifiers This identifier uniquely identifies the extension It also determines the ASN 1 type of value in the value field and how the value is interpret...

Страница 359: ...ificate Management System can display CRLs in human readable format as shown here As shown in the example CRL extensions appear in sequence and only one instance of a particular extension may appear i...

Страница 360: ...ns the X 509 v3 proposed standard defines extensions to CRLs which provide methods for associating additional attributes with Internet CRLs These are of two kinds extensions to the CRL itself and exte...

Страница 361: ...te extensions at authorityKeyIdentifier CMS Version Support Refer to AuthorityKeyIdentifier Rule on page 281 CMS 4 1 Not supported CMS 4 2 Supported CMS 4 2 SP2 Supported CMS 4 5 Supported CMS 6 0 Sup...

Страница 362: ...cal if it exists Discussion The Delta CRL Indicator extension identifies a delta CRL The use of delta CRLs allows changes to be added to the local database while ignoring unchanged information that is...

Страница 363: ...r to IssuerAlternativeName Rule on page 289 CMS 4 1 Not supported CMS 4 2 Supported CMS 4 2 SP2 Supported CMS 4 5 Supported CMS 6 0 Supported issuingDistributionPoint OID 2 5 29 28 Reference http www...

Страница 364: ...these extensions are noncritical These are the CRL entry extensions described in the sections that follow certificateIssuer page 364 holdInstructionCode page 365 invalidityDate page 365 reasonCode pag...

Страница 365: ...icate that has been placed on hold CMS Version Support Refer to HoldInstruction Rule on page 286 CMS 4 1 Not supported CMS 4 2 Supported CMS 4 2 SP2 Supported CMS 4 5 Supported CMS 6 0 Supported inval...

Страница 366: ...r to CRLReason Rule on page 284 CMS 4 1 Not supported CMS 4 2 Supported CMS 4 2 SP2 Supported CMS 4 5 Supported CMS 6 0 Supported Netscape Defined Certificate Extensions Netscape has defined certain c...

Страница 367: ...X 509 v3 extensions extKeyUsage and basicConstraints but must still be supported in deployments that include Navigator 3 x clients If the extension exists in a certificate it limits the certificate to...

Страница 368: ...s contain the basicConstraints extension as this is the standard way to identify a CA certificate In addition to ensure support for Navigator 3 x CAs should also use netscape cert type These two exten...

Страница 369: ...more CA bits set or both as described above If CAs issue multiple certificates for the same identity for example for separate signing and encryption keys they must include the keyUsage extension in th...

Страница 370: ...CA Certificates and Extension Interactions 370 Netscape Certificate Management System Plug Ins Guide March 2002...

Страница 371: ...ed 35 Authority Information Access extension policy 132 Authority Key Identifier extension policy 141 authorityKeyIdentifier 340 361 369 automated enrollment 18 B base DN 311 Basic Constraints extensi...

Страница 372: ...rnativeName 289 IssuingDistributionPoint 293 list of 281 CRL publisher 275 cRLDistributionPoints 343 CRLNumber 361 CRLs extensions for 360 366 extension specific modules 357 supported versions 279 cus...

Страница 373: ...oldInstructionCode 365 introduction to 328 invalidityDate 365 issuerAltName 347 363 issuingDistributionPoint 363 keyUsage 348 nameConstraints 350 netscape cert type 367 368 netscape comment 368 Netsca...

Страница 374: ...plug in implementation 65 specifying schedule for 76 K Key Algorithm Constraints policy 97 Key Usage extension policy 186 keyUsage 348 L listing of CRL extension modules 281 of schedulable jobs 64 loc...

Страница 375: ...orityKeyIdentifier 281 CRLNumber 283 CRLReason 284 HoldInstruction 286 InvalidityDate 287 IssuerAlternativeName 289 IssuingDistributionPoint 293 list of 281 for logging to file 300 for logging to NT E...

Страница 376: ...269 publishers created during installation 271 273 275 publishers that can publish to CA s entry in the directory 271 275 files 270 OCSP responder 277 users entries in the directory 273 publishing ho...

Страница 377: ...Unique Subject Name Constraints policy 117 user enrollment forms 55 user ID and password based authentication 22 configurable parameters 24 plug in module name 24 user ID password and PIN based authen...

Отзывы: