Certificate-Based Enrollment
(Chapter 9, Authentication, page 409)
Note: This feature is supported only in legacy enrollment.
CMS supports certificate-based enrollment for browser certificates: end users can use preissued certificates to authenticate to the server in order to enroll for certificates. The following two deployment scenarios illustrate why certificate-based enrollment is useful:
• You have deployed a client that can generate dual key pairs and you want to issue dual certificates (one for signing and another for encrypting data) to your users. You also want to make sure that users put their key materials only on hardware tokens.
  One way to achieve this would be to initialize hardware tokens in bulk and preload them with dual certificates issued by CMS for dual key pairs. You generate these certificates with some generic-looking common names, for example, hardwaretoken1234. This way, there is initially no one-to-one relation between users and the hardware tokens. Once the tokens are ready, you make them available to users by some means. Basically, a user can get and use any pre-initialized and certificate-loaded hardware token.
  Next, each user uses the randomly picked token to enroll for a pair of certificates that have a subject name derived from their LDAP attribute values; the certificates will be issued for the existing key pairs preloaded into the token, but now the key pairs will be associated with the user's identity.
• You want users to use the signing certificate already in their possession to get an encryption certificate.
  For example, assume you have deployed CMS and have issued single certificates (for single key pairs) to users. Recently, you deployed a client application that is capable of generating dual key pairs. Your CMS installation includes the Data Recovery Manager, but you were not using it until now because you did not have clients that were capable of generating dual key pairs. Now, you want your users to use their signing certificates as authentication tokens to request another certificate that they will use for encrypting data.
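As an added illustration (not code from the CMS product or from this guide), the server-side check that both scenarios rely on, written in Go with only the standard library: the enrollment request must be signed by the key it carries, that key must be the one in the certificate the user authenticated with, and the subject is built from the user's LDAP attributes rather than taken from the request. The function names (newCSR, enrollSubject, demo), the P-256 key standing in for the token's preloaded key pair, and the sample values "Jane Doe" and "Example Corp" are assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// newCSR stands in for the client: a PKCS #10 request signed with the key already on the token.
// The subject it asks for is deliberately ignored by the server side below.
func newCSR(key *ecdsa.PrivateKey) ([]byte, error) {
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "whatever-the-client-asked-for"}}
	return x509.CreateCertificateRequest(rand.Reader, req, key)
}

// enrollSubject is the server-side check: the request must be signed by the key it carries (proof of
// possession) and that key must equal authKey, the public key of the certificate the user authenticated
// with (e.g. the preloaded CN=hardwaretoken1234 one), so the new certificate rebinds the preloaded key
// pair to the user's LDAP identity. The subject comes from LDAP attributes, never from the request.
func enrollSubject(authKey crypto.PublicKey, csrDER []byte, ldapCN, ldapO string) (pkix.Name, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return pkix.Name{}, err
	}
	if err := csr.CheckSignature(); err != nil {
		return pkix.Name{}, err
	}
	key, ok := authKey.(interface{ Equal(crypto.PublicKey) bool }) // RSA, ECDSA and Ed25519 keys implement Equal
	if !ok || !key.Equal(csr.PublicKey) {
		return pkix.Name{}, errors.New("request key does not match the authenticating certificate")
	}
	return pkix.Name{CommonName: ldapCN, Organization: []string{ldapO}}, nil
}

// demo runs the happy path with a freshly generated key standing in for the token's preloaded key pair.
func demo() (pkix.Name, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return pkix.Name{}, err
	}
	csr, err := newCSR(key)
	if err != nil {
		return pkix.Name{}, err
	}
	return enrollSubject(&key.PublicKey, csr, "Jane Doe", "Example Corp")
}

func main() { fmt.Println(demo()) }
```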
Setting Up Certificate-Based Enrollment
General guidelines to set up certificate-based enrollment are as follows:
• Customize the enrollment form you want your users to use for enrollment.
Source: Netscape Certificate Management System Administrator's Guide, Version 6.1, February 2003.