Certificate-Based Enrollment
50
Netscape Certificate Management System Plug-Ins Guide • March 2002
Certificate-Based Enrollment
Certificate Management System supports certificate-based enrollment for browser
certificates. End users can use preissued certificates to authenticate to the server in
order to enroll for certificates. Below are two deployment scenarios that explain the
usefulness of certificate-based enrollment.
•
You have deployed a client that can generate dual key pairs and you want to
issue dual certificates (one for signing and another for encrypting data) to your
users. You also want to make sure that users put their key materials only on
hardware tokens.
One way to achieve this would be to initialize hardware tokens in bulk and
preload them with dual certificates issued by Certificate Management System
for dual key pairs. You generate these certificates with some generic-looking
common names, for example,
hardwaretoken1234
. This way, there’s no
one-to-one relation between users and the hardware tokens initially. Once the
tokens are ready, you make them available to users by some means, for
example, from a vending-machine-like box in the break room. Basically, a user
can get and use any pre-initialized and certificate-loaded hardware token.
Next, each user uses the randomly-picked token to enroll (strictly speaking,
renew) for a pair of certificates that have a subject name derived from their
LDAP attribute values; the certificates will be issued for the existing key pairs
preloaded into the token, but now the key pairs will be associated with the
user’s identity.
•
You want users use the signing certificate already in their possession to get an
encryption certificate.
For example, assume you have deployed Certificate Management System and
have issued single certificates (for single key pairs) to users. Recently, you
deployed a client application (such as Netscape Personal Security Manager)
that is capable of generating dual key pairs. Your CMS installation includes the
Data Recovery Manager, but you weren’t using it until now because you didn’t
have clients that were capable of generating dual-key pairs. Now, you want
your users to use their signing certificates as authentication tokens to request
another certificate that they’ll use for encrypting data.
Содержание Certificate Management System 6.0
Страница 1: ...Plug Ins Guide Netscape Certificate Management System Version6 0 March 2002...
Страница 10: ...10 Netscape Certificate Management System Plug Ins Guide March 2002...
Страница 62: ...Enrollment Forms 62 Netscape Certificate Management System Plug Ins Guide March 2002...
Страница 126: ...ValidityConstraints Plug in Module 126 Netscape Certificate Management System Plug Ins Guide March 2002...
Страница 266: ...LdapSubjAttrMap Plug in Module 266 Netscape Certificate Management System Plug Ins Guide March 2002...
Страница 308: ...NTEventLog Plug in Module 308 Netscape Certificate Management System Plug Ins Guide March 2002...
Страница 324: ...DNs in Certificate Management System 324 Netscape Certificate Management System Plug Ins Guide March 2002...
Страница 370: ...CA Certificates and Extension Interactions 370 Netscape Certificate Management System Plug Ins Guide March 2002...