Customization Guide
Netscape Certificate Management System
Version 4.5
October 2001

Advertisement

Table of Contents
loading

Summary of Contents for Netscape NETSCAPE MANAGEMENT SYSTEM 4.5 - CUSTOMIZATION GUIDE

  • Page 1 Customization Guide Netscape Certificate Management System Version 4.5 October 2001...
  • Page 2 Netscape Communications Corporation (“Netscape”), a subsidiary of America Online, Inc., and its licensors retain all ownership rights to the software programs offered by Netscape (referred to herein as “Software”) and related documentation. Use of the Software and related documentation is governed by the license agreement accompanying the Software and applicable copyright law. Your right to copy this documentation is limited by copyright law.
  • Page 3: Table Of Contents

    Contents: About This Guide ... 9; What’s in This Guide ...
  • Page 4 Forms for Certificate Enrollment ... 32; Forms for Certificate Renewal ...
  • Page 5 Response ... 63; Get Certificate From Request Interface ...
  • Page 6 Chapter 6 Agent Interface Reference ... 99; Overview of Agent Interfaces ...
  • Page 7 Key Query Interface ... 128; Description ...
  • Page 8 Request Parameters ... 164; Response ...
  • Page 9: About This Guide

    About This Guide The Customization Guide provides reference information about the HTTP interface of Netscape Certificate Management System (CMS). The information helps you customize Certificate Management System, and use it for issuing and managing certificates to various end entities, such as web browsers (users), servers, Virtual Private Network (VPN) clients, and Cisco™...
  • Page 10: Conventions Used In This Guide

    Conventions Used in This Guide This guide assumes that you: • Are familiar with the basic concepts of public-key cryptography and the Secure Sockets Layer (SSL) protocol: SSL cipher suites; the purpose of and major steps in the SSL handshake •...
  • Page 11 Conventions Used in This Guide • Italic—Italic type is used for emphasis, book titles, and glossary terms. Example: This control depends on the access permissions the superadministrator has set up for you. • Text within “quotation marks”—Cross-references to other topics within this guide.
  • Page 12: Where To Go For Related Information

    Where to Go for Related Information Examples: NOTE You can use Netscape Console only when Netscape Administration Server is up and running. CAUTION A caution note documents a potential risk of losing data, damaging software or hardware, or otherwise disrupting system performance. Where to Go for Related Information This section summarizes the documentation that ships with Certificate Management System, using these conventions:...
  • Page 13 Where to Go for Related Information • CMS Plug-ins Guide Provides detailed reference information on CMS plug-in modules. To access this information from the CMS window within Netscape Console, click any help button. To view the HTML version of this guide, open this file: <server_root>/manual/en/cert/plugin_guide/contents.htm To view the PDF version of this guide, open this file: <server_root>/manual/en/cert/pdf/cms45plugin.pdf...
  • Page 14 Where to Go for Related Information To view the HTML version of this guide, open this file: <server_root>/cert-<instance_id>/web/ee/manual/ee_guide/ contents.htm NOTE Do not change the default location of any of the HTML files; they are used for online help. You may move the PDF files to another location.
  • Page 15: Chapter 1 Before You Begin

    Chapter 1 Before You Begin The services interfaces that come with Netscape Certificate Management System (CMS) make it possible for end-entities and agents to interact with the server. Your end-entities and agents can use the interface’s HTML-based forms to carry out various certificate and key-related operations, such as enrolling for, renewing, and revoking certificates.
  • Page 16: Http, Query Urls, And Html Forms

    How the Forms Work HTTP, Query URLs, and HTML Forms Requests from the end-entity services interface to Certificate Management System are submitted using the HTTP GET and POST methods. Requests take the form of query URLs (in the case of the GET method) or data sent through standard output (in the case of the POST method).
  • Page 17: Requests Sent To The Cms Server

    How the Forms Work where <operation> designates the certificate (management) service portion (such as enrollment, retrieval, renewal, or revocation) of the CMS server. Any HTTP operations with URIs that do not begin with the /<operation> prefix are treated as requests for other kinds of web service by the CMS server. See Chapter 3, “End-Entity Interface Reference”...
  • Page 18 How the Forms Work The fragment of JavaScript code consists of a result object that contains data properties only (no methods). The properties of the object correspond to parts of the response. The template generally contains a combination of HTML and JavaScript code that processes and displays data.
  • Page 19: Errors And The Error Template

    How the Forms Work result.header = header; result.fixed = fixed; result.recordSet = recordSet; </SCRIPT> Notice how this code fragment defines an object named result and puts the resulting data from the operation in the properties of that object. Each certificate service operation returns an object named result.
  • Page 20: Javascript Used By All Interfaces

    JavaScript Used By All Interfaces <SCRIPT LANGUAGE="JavaScript"> var header = new Object(); var result = new Object(); header.errorDetails = [a string describing the context of the error] header.errorDescription = [a string describing the error] result.header = header; </SCRIPT> The default CMS error template prints the information in the error result object along with some explanatory text.
  • Page 21 JavaScript Used By All Interfaces fixed.preserved = "foo"; var recordCount = 0; var record; record = new Object; record.HTTP_PARAMS = new Array; record.HTTP_HEADERS = new Array; record.AUTH_TOKEN = new Array; record.SERVER_ATTRS = new Array; recordSet[recordCount++] = record; result.header = header; result.fixed = fixed;...
  • Page 22 JavaScript Used By All Interfaces Table 1-1 Variables Returned by the Base JavaScript (Variable: Format/Type and Description). AUTH_TOKEN (array): Each element in this array is a name-value pair. These pairs represent variables that were returned from an authentication plug-in used (internally) by the interface.
  • Page 23 JavaScript Used By All Interfaces Table 1-1 Variables Returned by the Base JavaScript (Continued). httpHeadersCount (number): The number of HTTP_HEADERS objects returned in this response. HTTP_PARAMS (array): Each element in this array is a name-value pair. These pairs represent variables and their values that were used in the HTTP request made to the interface.
  • Page 24 JavaScript Used By All Interfaces Table 1-1 Variables Returned by the Base JavaScript (Continued). recordCount (number): The number of record objects returned in this response. Usually this is incremented for each record added to the recordSet array. For example, recordCount = 0;...
  • Page 25: Part 1 Customizing End-Entity Services Interface

    Part 1 Customizing End-Entity Services Interface Chapter 2, “Introduction to End-Entity Services Interface” Chapter 3, “End-Entity Interface Reference” Chapter 4, “Internationalization of End-Entity Interface...
  • Page 27: Chapter 2 Introduction To End-Entity Services Interface

    Chapter 2 Introduction to End-Entity Services Interface The services interfaces that come with Netscape Certificate Management System (CMS) make it possible for end-entities to interact with the server. Your end-entities can use the interface’s HTML-based forms to carry out various certificate and key-related operations, such as enrolling for, renewing, and revoking certificates.
  • Page 28 End-Entity Services Interface Communicator versions earlier than 4.5 present an enrollment form based on the use of the HTML KEYGEN tag to generate keys; end entities running Internet Explorer present a form based on PKCS #10, the RSA standard for certificate request syntax.
  • Page 29: How Client Type Determines The End-Entity Interface

    End-Entity Services Interface How Client Type Determines the End-Entity Interface Each type of end-entity form provided by Certificate Management System is served by a servlet. This servlet determines which version of the form to present based on information about the end entity (the type, version, language, and so on), information in the form itself, and other factors.
  • Page 30 End-Entity Services Interface Table 2-1 Summary of end-entity forms, authentication methods and certificate request formats (Form for end-entity operation: Authentication method; Supported certificate request formats). Certificate enrollment, Client (end user) certificates: Manual, LDAP directory based, and NIS server based; • KEYGEN for Navigator/Communicator •...
  • Page 31: Accessing The End-Entity Services Interface

    Accessing the End-Entity Services Interface Accessing the End-Entity Services Interface By default, access to the end-entity services interface of a Certificate Manager or Registration Manager is open to all users. To access the Agent Services interface for a particular subsystem: Open a web browser window.
  • Page 32: Forms For Certificate Enrollment

    End-Entity Forms and Templates Forms for Certificate Enrollment Table 2-2 lists the file names of forms that appear as menu options in the Enrollment tab of the end-entity interface. The forms are available on Certificate Manager instances and Registration Manager instances. The only exception is that the Certificate Manager enrollment form is available only on Certificate Manager instances.
  • Page 33: Forms For Certificate Renewal

    End-Entity Forms and Templates Table 2-2 Forms for end-entity enrollment (Continued) (Form Type: Menu Link and Filename; What form is used for...). OCSP Responder (OCSPResponder.html): Server administrators can use this form to request signing certificates for OCSP Responder servers. Registration Manager Enrollment (lists menu options for Registration Manager enrollment). Registration Manager (ManRAEnroll.html): Registration Manager administrators can use this form to
  • Page 34: Forms For Certificate Revocation

    End-Entity Forms and Templates Forms for Certificate Revocation Table 2-4 lists the forms that correspond to the menu options in the Revocation tab of the end-entity services interface. Table 2-4 Forms for certificate revocation (Menu Link and Filename: What form is used for...). Certificate (challenge phrase-based) (ChallengeRevoke1.html): End users can use this form to revoke their SSL client certificates
  • Page 35: Forms For Key Recovery

    End-Entity Forms and Templates Table 2-5 Forms provided for certificate retrieval (Continued) (Menu Link and Filename: What form is used for...). Import CA Certificate Chain (GetCAChain.html): End users and administrators can use this form to import the certificate chain of a Certificate Manager (CA) into their browsers or servers.
  • Page 36: Output Templates For End-Entity Interfaces

    End-Entity Forms and Templates Table 2-7 Files and forms used by other forms (Form filename: What form is used for...). enrollMenu.html: This file loads and highlights the Enrollment tab. renewalMenu.html: This file loads and highlights the Renewal tab. recoveryMenu.html: This file loads and highlights the Recovery tab. This file loads and highlights the Retrieval tab.
  • Page 37 End-Entity Forms and Templates Table 2-8 Response templates used by the end-entity interface (Continued) (Template filename: Description). GenSvcPending.template: Used to inform a user requesting a certificate that the request has been queued for agent approval. GenUnauthorized.template: Used to inform users when they perform unauthorized operations.
  • Page 39: Chapter 3 End-Entity Interface Reference

    Chapter 3 End-Entity Interface Reference This chapter provides a detailed reference of all the service interfaces available on an end-entity port of Netscape Certificate Management System. For each interface, there is a description including the URI used and the purpose, a list of forms that use the interface by default, a detailed description of valid input parameters and their values, and information about the response which lists the templates used and the additional JavaScript variables available.
  • Page 40: Overview Of End-Entity Interfaces

    Overview of End-Entity Interfaces The following table lists the end-entity interfaces and their functions. The sections that follow cover each interface in detail. Table 3-1 Overview of End-Entity Interfaces (Interface: Purpose). Certificate Enrollment Protocol Interface (/pkiclient.exe): Process Simple Certificate Enrollment Protocol (SCEP) certificate requests from...
  • Page 41: Certificate Enrollment Protocol Interface

    Certificate Enrollment Protocol Interface Table 3-1 Overview of End-Entity Interfaces (Continued) (Interface: Purpose). Revocation Interface (/revocation): Process requests for manual revocation or for revocation of a certificate presented to the interface using SSL client authentication. Certificate Enrollment Protocol Interface Description URI: /cgi-bin/pkiclient.exe Available on: Certificate Manager and Registration Manager...
  • Page 42: Challenge Revocation Interface

    Challenge Revocation Interface Example: > enrollment url https://example:443/ > crypto ca enroll The router uses the CEP protocol and expects to find the /cgi-bin/pkiclient.exe interface at the URL named by the enrollment url command. The details of interacting with the interface are handled by the protocol itself.
  • Page 43 Challenge Revocation Interface Table 3-2 Parameters Accepted by the Challenge Revocation Interface (Parameter: Format and Description). certSerialToRevoke (number, decimal or hexadecimal): The serial number of the certificate to revoke. Either this parameter or subjectName is required. challengePhrase (string): The challenge phrase, set during certificate enrollment, that allows the certificate to be revoked.
  • Page 44: Response

    Display Certificate By Serial Number Interface Response The response from the Challenge Revocation interface will be identical to a response from the Revocation interface. See the Response section in “Revocation Interface” on page 82 for details on what JavaScript variables are returned in the response template.
  • Page 45: Response

    Display Certificate By Serial Number Interface Table 3-3 Parameters Accepted by the Display Certificate By Serial Number Interface (Parameter: Format and Description). displayBySerial: Specifies the operation to perform. The only valid value is displayBySerial. serialNumber (number): The serial number of the certificate to display. templateName (string): Filename relative to the template directory (web/ee, web/agent/ca,...
  • Page 46: Display Certificate From Request Interface

    Display Certificate From Request Interface Table 3-4 Variables Returned by the Display Certificate By Serial Number Interface (Continued) (Variable: Description). certPrettyPrint (string): Contains details about the certificate in a human-readable form. This is the field used to show the certificate to a user in a page. serialNumber (number): The serial number of the certificate in decimal.
  • Page 47: Request Parameters

    Display Certificate From Request Interface Request Parameters The following table lists the parameters accepted by the Display Certificate From Request interface. Table 3-5 Parameters Accepted by the Display Certificate From Request Interface (Parameter: Format and Description). requestId (number): The requestID returned in the JavaScript by the Enrollment or Renewal interface (fixed.requestID).
  • Page 48 Display Certificate From Request Interface Table 3-6 Variables Returned by the Display Certificate From Request Interface (Continued) (Variable: Description). errorDetails (string): A message explaining the error that occurred while processing the enrollment request. This variable is only present if an error occurred while processing the request.
  • Page 49: Enrollment Interface

    Enrollment Interface Table 3-6 Variables Returned by the Display Certificate From Request Interface (Continued) (Variable: Description). certFingerprint (string): A string of hexadecimal numbers separated by colons that represent the certificate fingerprints. There are three substrings: one each for the MD2, MD5, and SHA1 fingerprint.
  • Page 50: Default Forms

    Enrollment Interface NOTE The forms rely on a shared library called xenroll.dll (downloaded from the CMS server) to generate keys for Microsoft Internet Explorer browsers. By default, the keys generated by xenroll.dll have a “medium” security setting, which means they will be stored unencrypted and that they can be used by the browser for signing without prompting the user for a password.
  • Page 51: Request Parameters

    Enrollment Interface Request Parameters The following table lists the parameters accepted by the enrollment interface. Table 3-7 Parameters Accepted by the Enrollment Interface (Parameter: Format and Description). Subject Name: subject (Distinguished Name (DN) string; see RFC 2253): DN to be used for the certificate subject. Example: CN=Alice Apple, UID=alice, OU=People, O=Example, C=US Contact Information...
  • Page 52 Enrollment Interface Table 3-7 Parameters Accepted by the Enrollment Interface (Continued). object_signing (true | false): Sets the object signing certificate bit (bit 3). object_signing_ca (true | false): Sets the object signing certificate issuer bit (bit 7). ssl_ca (true | false): Sets the SSL certificate issuer bit (bit 5).
  • Page 53 Enrollment Interface Table 3-7 Parameters Accepted by the Enrollment Interface (Continued). key_agreement (true | false): Sets the keyUsage extension bit (4) indicating that the key may be used to encipher and decipher keys during key agreement. key_certsign (true | false): Sets the keyUsage extension bit (5) indicating that the key may be used to sign...
  • Page 54 Enrollment Interface Table 3-7 Parameters Accepted by the Enrollment Interface (Continued). certType (ca | CEP-Request | client | objSignClient | ra | server | other): Specifies the type of certificate requested by the entity. The default is client. The certType is not associated with any certificate extensions.
  • Page 55: Response

    Enrollment Interface Table 3-7 Parameters Accepted by the Enrollment Interface (Continued). requestFormat (clientAuth | crmf | keygen | pkcs10): The value indicates the format used to submit the certificate request: • clientAuth - information for the new request is taken from the certificate presented by the client during SSL client authentication.
  • Page 56 Enrollment Interface Table 3-8 Enrollment Interface Response Templates (Template File Name; Request Status; Description). EnrollSuccess.template, request status 2 (Success): Used only for requests that specify an authenticator. If authentication and subsequent policy processing are successful and importCert was "true" in the request, a certificate is generated (otherwise, see GenRejected.template).
  • Page 57 Enrollment Interface Table 3-9 Variables Returned by the Enrollment Interface (Continued) (Variable: Description). authorityName (Certificate Manager | Registration Manager): The name of the system that handled the request. certType (ca | CEP-Request | client | objSignClient | ra | server | other): The type of certificate returned.
  • Page 58 Enrollment Interface Table 3-9 Variables Returned by the Enrollment Interface (Continued). requestStatus (number): A code indicating the current status of the request: • 1 (Unauthorized): The request specified a value for an authenticator to perform an automated enrollment, and the authenticator did not authorize the request.
  • Page 59: Get Ca Chain Interface

    Get CA Chain Interface Table 3-9 Variables Returned by the Enrollment Interface (Continued). base64Cert (string): The newly issued certificate in base-64 encoded format. This string includes the "-----BEGIN CERTIFICATE-----" header and "-----END CERTIFICATE-----" footer. certFingerprint (string): A string of hexadecimal numbers separated by colons that represent the certificate fingerprints.
  • Page 60: Default Forms

    Get CA Chain Interface Using the Get CA Chain interface to display certificates is useful for creating data that can be imported into another application such as an HTTP or LDAP server. Default Forms The Get CA Chain interface uses one default form: .
  • Page 61: Response

    Get Certificate By Serial Number Interface Table 3-10 Parameters Accepted by the Get CA Chain Interface (Continued) (Parameter: Format and Description). (display | displayIND | download | downloadBIN): This required parameter specifies how the CA certificate chain should be returned: •...
  • Page 62: Default Forms

    Get Certificate By Serial Number Interface Function: Retrieves the certificate with the given serial number in a specified format. The certificate can be imported into a browser. This interface is used in the EnrollSuccess.template to download and import the newly issued certificate. RenewalSuccess.template also uses this interface to create “Import displayBySerial.template...
  • Page 63: Response

    Get Certificate By Serial Number Interface Table 3-11 Parameters Accepted by the Get Certificate By Serial Number Interface (Continued) (Parameter: Format and Description). serialNumber (number): The serial number of the certificate to retrieve. templateName (string): Filename relative to the template directory (web/ee, web/agent/ca, web/agent/kra, or web/agent/ra) of a file to use as the response template.
  • Page 64 Get Certificate By Serial Number Interface Table 3-12 Variables Returned by the Get Certificate By Serial Number Interface (Continued) (Variable: Description). cmmfResponse (base-64 encoded data): The CMMF response data containing the certificate (if cmmfResponse was true in the request). If the browser supports the Netscape Personal Security Manager crypto API, you can use this response with a call to importUserCertificates to import the certificate into a local database: importUserCertificates(result.fixed.nickname,...
  • Page 65: Get Certificate From Request Interface

    Get Certificate From Request Interface Table 3-12 Variables Returned by the Get Certificate By Serial Number Interface (Continued). base64Cert (string): The newly issued certificate in base-64 encoded format. This string includes the "-----BEGIN CERTIFICATE-----" header and "-----END CERTIFICATE-----" footer. certFingerprint (string): A string of hexadecimal numbers separated by colons that represent the...
  • Page 66: Default Forms

    Get Certificate From Request Interface The requestID parameter from the response template is required: it identifies the request from which to extract the certificate. A parameter can also be used to instruct the requesting browser to import the certificate into its database: (for browsers that support CMMF).
  • Page 67: Response

    Get Certificate From Request Interface Table 3-13 Parameters Accepted by the Get Certificate From Request Interface (Continued) (Parameter: Format and Description). requestId (number): The requestID returned in the JavaScript by the Enrollment or Renewal interface (fixed.requestID). templateName (string): Filename relative to the template directory (web/ee, web/agent/ca, web/agent/kra, or web/agent/ra) of a file to use as the response template.
  • Page 68 Get Certificate From Request Interface Table 3-14 Variables Returned by the Get Certificate From Request Interface (Continued) (Variable: Description). cmmfResponse (base-64 encoded data): The CMMF response data containing the certificate (if cmmfResponse was true in the request). If the browser supports the Netscape Personal Security Manager crypto API, you can use this response with a call to importUserCertificates to import the certificate into a local database: importUserCertificates(result.fixed.nickname,...
  • Page 69: Get Crl Interface

    Get CRL Interface Table 3-14 Variables Returned by the Get Certificate From Request Interface (Continued). noCertImport (true | false): Indicates whether the certificate should not be imported. requestId (number): The request identification number that was requested. result.recordSet[i] variables: Variables added to each record object. Each record object is added as an element of the recordSet array.
  • Page 70: Default Forms

    Get CRL Interface Function: Retrieves the current Certificate Revocation List (CRL) for this certificate authority. This interface can be used to retrieve a CRL for display or importing into an application and it can be used simply to check whether a certificate appears on the current CRL.
  • Page 71: Response

    Get CRL Interface Table 3-15 Parameters Accepted by the Get CRL Interface (Continued) (Parameter: Format and Description). op (checkCRL | displayCRL | getCRL | importCRL): This required parameter specifies the CRL operation to perform: • checkCRL instructs the Certificate Manager to look for the serial number specified in certSerialNumber on the CRL.
  • Page 72: List Certificates Interface

    List Certificates Interface Table 3-16 Variables Returned by the Get CRL Interface (Continued) (Variable: Description). crlBase64 (base-64 encoded data): The base-64 encoded CRL data in PKCS #7 format. crlPrettyPrint (string): Contains the CRL formatted for human-readable display if op=displayCRL in the request.
  • Page 73: Default Forms

    List Certificates Interface Default Forms The List Certificates interface uses two default forms: • queryBySerial.html is a simple form that accepts a lower and upper bound for the range of serial numbers and the option to skip revoked or invalid certificates.
  • Page 74 List Certificates Interface Table 3-17 Parameters Accepted by the List Certificates Interface (Continued) Parameter Format and Description queryCertFilter ([<OP>]<FILTER>[<FILTER>...]) Details about building query filters are provided in the next table. The queryCertFilter must be enclosed in parentheses. The <OP> argument, required if there is more than one <FILTER>, specifies how the filters that follow should be logically evaluated: •...
  • Page 75 List Certificates Interface In a filter, the parameter name is compared to the expression value using one of the relational operators: matches, < (less than), <= (less than or equal to), > (greater than), or >= (greater than or equal to). Some expressions accept the asterisk (*) as a wildcard to match 0 or more...
  • Page 76 List Certificates Interface Table 3-18 List Certificates queryCertFilter Parameters (Continued) (Parameter: Expression Values). certStatus (Value: * | EXPIRED | INVALID | REVOKED | VALID | REVOKED_EXPIRED): This parameter matches the current status of a certificate. The asterisk (*) matches any status. x509cert.certRevoInfo (Value: * | number between 0 and 6): This parameter matches the reason for revocation code on a certificate.
  • Page 77 List Certificates Interface Table 3-18 List Certificates queryCertFilter Parameters (Continued). x509cert.notAfter (Value: date, number of seconds since Jan 1, 1970): A date object can be created using the JavaScript Date() constructor. This parameter matches the date when a certificate expires. See certCreateTime for an example of creating a date value in JavaScript. x509cert.notBefore (Value: date, number of seconds since Jan 1, 1970)...
  • Page 78: Response

    List Certificates Interface Table 3-18 List Certificates queryCertFilter Parameters (Continued). x509cert.subject (Value: a pattern that may include the wildcard (*)): This parameter matches the certificate subject DN. You can use a single filter or connect multiple filters to build more complex DN patterns. The value is typically a string in the form *<TAG>=<VALUE>*.
  • Page 79 List Certificates Interface Table 3-19 Variables Returned by the List Certificates Interface (Continued) (Variable: Description). queryCertFilter: The queryCertFilter parameter that was used to generate the current list of certificates, and will be used for subsequent pages if the user requests to see more certificates.
  • Page 80: Renewal Interface

    Renewal Interface Table 3-19 Variables Returned by the List Certificates Interface (Continued) (Variable: Description). revokedOn: The date when the certificate was revoked. See the description for issuedOn for details on date values. serialNumber: The serial number of the certificate (in decimal). The Object Identifier (OID) of the algorithm used to sign the certificate.
  • Page 81: Default Forms

    Renewal Interface Default Forms The only default form used by the Renewal interface is UserRenewal.html. This form allows a user to renew a certificate using SSL client authentication. Request Parameters The following table lists the parameters accepted by the Renewal interface. Table 3-20 Parameters Accepted by the Renewal Interface (Parameter: Format and Description)...
  • Page 82: Revocation Interface

    Revocation Interface The only difference in the response is for a successful request. The Renewal interface uses the RenewalSuccess.template file by default instead of EnrollSuccess.template. The difference between these two files (by default) is superficial: the word “Enrollment” is replaced with the word “Renewal.” If you want to customize the renewal success message, customize the RenewalSuccess.template file.
  • Page 83 Revocation Interface Table 3-21 Parameters Accepted by the Revocation Interface (Parameter: Format and Description). certType (client): Specifies the type of certificate to revoke. For automatic revocation, the certType must be client and doSslAuth must be on. csrRequestorComments (string): Additional comments to assist the agent who will process the revocation request.
  • Page 84 Revocation Interface Table 3-21 Parameters Accepted by the Revocation Interface (Continued). reasonCode: The reasonCode identifies the reason the certificate is being revoked. This information will be recorded on the Certificate Revocation List. The reasonCode is only valid for automatic revocation requests. Manual revocation requests can use the csrRequestorComments parameter to tell the processing agent why the certificate is being revoked.
  • Page 85: Response

    Revocation Interface Response The default response template is revocationResult.template. The base JavaScript for responses is inserted in place of the <CMS_TEMPLATE> tag. In addition, the Revocation interface adds the JavaScript variables listed in the following table: Table 3-22 Variables Returned by the Revocation Interface (Variable: Description). Generic Variable...
  • Page 86 Revocation Interface Table 3-22 Variables Returned by the Revocation Interface (Continued). updateCRL (yes | no): If present and equal to yes, this field indicates that the Certificate Manager has attempted to update the Certificate Revocation List (CRL). Check updateCRLSuccess to see if the update was successful.
  • Page 87: Chapter 4 Internationalization Of End-Entity Interface

    Chapter 4 Internationalization of End-Entity Interface The services interfaces that come with Netscape Certificate Management System (CMS) make it possible for end-entities and agents to interact with the server. Your end-entities and agents can use the interface’s HTML-based forms to carry out various certificate and key-related operations, such as enrolling for, renewing, and revoking certificates.
  • Page 88 Displaying Forms in Non-English Languages directory where the default form would be stored to see if there is a directory matching the first value in the Accept-language header. If there is such a directory, Certificate Management System looks for the correct form or template in the language-specific directory;...
  • Page 89 Displaying Forms in Non-English Languages Table 4-1 Languages and Default Character Sets (Language, Code, Character set): Albanian ISO-8859-2; Arabic ISO-8859-6; Bulgarian ISO-8859-5; Byelorussian ISO-8859-5; Catalan (Spanish) ISO-8859-1; Chinese (Simplified/Mainland) GB2312; Chinese (Traditional/Taiwan) Big5; Croatian ISO-8859-2; Czech ISO-8859-2; Danish ISO-8859-1...
  • Page 91: Part 2 Customizing Agent Services Interface

    Part 2 Customizing Agent Services Interface Chapter 5, “Introduction to Agent Services Interface” Chapter 6, “Agent Interface Reference”...
  • Page 93: Chapter 5 Introduction To Agent Services Interface

    Chapter 5 Introduction to Agent Services Interface Netscape Certificate Management System (CMS) provides HTML forms-based interfaces for agents to use in performing certificate- and key-related operations. This chapter introduces these forms and explains how they work. You can use the forms as they are provided out of the box or customize them to meet your organization’s requirements.
  • Page 94: Certificate Manager Agent Services

    Agent Services Interface This section gives an overview of these forms and explains how to access them. For a complete list of the agent forms and output templates that come with Certificate Management System, see “Agent Forms and Templates” on page 97. For step-by-step instructions on using the agent forms, see CMS Agent’s Guide.
  • Page 95: Registration Manager Agent Services

    Agent Services Interface Using the default forms, a Certificate Manager agent can accomplish tasks such as these: • Listing deferred certificate requests from end entities and processing them • Listing certificates issued by the server • Searching for certificates issued by the server •...
  • Page 96: Data Recovery Manager Agent Services

    Accessing the Agent Services Interface Data Recovery Manager Agent Services The Data Recovery Manager Agent Services interface enables a Data Recovery Manager agent to interact with the Data Recovery Manager (the server). Figure 5-3 shows the Data Recovery Manager Agent Services interface. Figure 5-3 Data Recovery Manager Agent Services interface Using the default forms, a Data Recovery Manager agent can search for and...
  • Page 97: Agent Forms And Templates

    Agent Forms and Templates The default URL for this page is https://<hostname>:<agent_port>, where <hostname> is in the form <machine_name>.<your_domain>.<domain>. If you have customized Certificate Management System, go to the page containing the agent forms that you would use to submit a request. In the Agent Services menu, choose the agent services you require: To access the agent services for the Certificate Manager, click the Certificate Manager Agent Services link.
  • Page 98: Locating Agent Forms And Templates

    Agent Forms and Templates Figure 5-4 Various parts of the Agent Services interface (Menu, Content) Locating Agent Forms and Templates You can find the HTML forms specific to agent operations and the corresponding output templates at this location: <server_root>/cert-<instance_id>/web/agent/<subsystem>, where <server_root> is the directory where the CMS binaries are kept, as specified...
  • Page 99: Chapter 6 Agent Interface Reference

    Chapter 6 Agent Interface Reference This chapter provides a detailed reference of all the service interfaces available on an agent port of Netscape Certificate Management System. For each interface, there is a description including the URI used, the purpose, and which agents can use it, a list of forms that use the interface by default, a detailed description of valid input parameters and their values, and information about the response which lists the templates used and the additional JavaScript variables available.
  • Page 100: Overview Of Agent Interfaces

    Overview of Agent Interfaces • Remove Certificate Hold Interface (page 156) • Requests Query Interface (page 158) • Select for Revocation Interface (page 163) • Update CRL Interface (page 166) • Update Directory Interface (page 168) Overview of Agent Interfaces The following table lists the agent interfaces and their functions: Table 6-1 Agent Interfaces...
  • Page 101: Approve Revocation Interface

    Approve Revocation Interface Table 6-1 Agent Interfaces (Continued) Interface Purpose: Key Recovery Query Interface (/kra/queryKeyForRecovery) Display archived keys that meet query criteria and get links to initiate recovery of these keys. Process Certificate Request Interface (/ca/processCertReq) Allows agents to accept or reject requests for enrollment, renewal, or revocation.
  • Page 102: Default Forms

    Approve Revocation Interface The Select for Revocation Interface is used to select a certificate or group of certificates for revocation based on some criteria. That interface returns a list of certificates using the reasonToRevoke.template file. The reasonToRevoke.template response contains a form that posts data to the Approve Revocation interface with the serial numbers and reasons to finally revoke the certificates.
  • Page 103 Approve Revocation Interface Parameters Accepted by the Approve Revocation Interface (Continued) Table 6-2 Parameter Format and Description 0 - 6 revocationReason The code for the reason the certificates are being revoked. The revocation codes are: • 0 - Reason not specified •...
  • Page 104: Response

    Approve Revocation Interface Parameters Accepted by the Approve Revocation Interface (Continued) Table 6-2 Parameter Format and Description number verifiedRecordCount Not presently used by the interface. Response The default response template is revocationResult.template. The base JavaScript for responses is inserted in place of the <CMS_TEMPLATE> tag.
  • Page 105: Bulk Enrollment Interface

    Bulk Enrollment Interface Variables Returned by the Approve Revocation Interface (Continued) Table 6-3 Variable Description message updateCRLError If the CMS server attempted to update the CRL and encountered an error, this variable contains the text of the error message. yes | no updateCRLSuccess If the CMS server attempted to update the CRL, this variable will indicate whether the update was successful.
  • Page 106: Configuration Parameters

    Bulk Enrollment Interface The reply from the Bulk Enrollment interface can be just the certificate chain (in PKCS #7 format), or it can be an HTML page. Configuration Parameters The Bulk Enrollment interface can be configured with parameters in the CMS.cfg configuration file.
  • Page 107: Default Forms

    Bulk Enrollment Interface Bulk Enrollment Interface Configuration File Parameters (Continued) Table 6-4 Parameter Format and Description filename svcpendingTemplate The template file to use when the response requestStatus = 4, meaning the request is pending a response from a Data Recovery Manager.
  • Page 108 Bulk Enrollment Interface Parameters Accepted by the Bulk Enrollment Interface (Continued) Table 6-5 Parameter Format and Description string csrRequestorName Name of the entity making a request; helps identify the requestor during manual enrollment. Example: Alice Apple string csrRequestorEmail Email address of the entity making a request. May be used to send out notification when a certificate has been issued.
  • Page 109 Bulk Enrollment Interface Parameters Accepted by the Bulk Enrollment Interface (Continued) Table 6-5 Parameter Format and Description true | false ssl_server Sets the SSL server authentication certificate bit (bit 1). Key Usage: Parameters for setting bits in the keyUsage certificate extension. A true value sets the bit to 1;...
  • Page 110 Bulk Enrollment Interface Parameters Accepted by the Bulk Enrollment Interface (Continued) Table 6-5 Parameter Format and Description true | false non_repudiation Sets the keyUsage extension bit (1) indicating that the key may be used to create non-repudiable (by the signer) digital signatures. Non-repudiation service requires more infrastructure, planning, and policy than just setting this bit.
  • Page 111 Bulk Enrollment Interface Parameters Accepted by the Bulk Enrollment Interface (Continued) Table 6-5 Parameter Format and Description base-64 encoded data CRMFRequest If requestFormat = crmf, this parameter should be used to send the base-64 encoded CRMF request. true | false importCAChain Used only when importCert = true.
  • Page 112: Response

    Bulk Enrollment Interface Parameters Accepted by the Bulk Enrollment Interface (Continued) Table 6-5 Parameter Format and Description base-64 encoded data subjectKeyGenInfo If requestFormat=keygen, this parameter should be used to send the base-64 encoded keygen request. To use the keygen HTML tag to cause the browser to generate the request using this parameter, the format is <KEYGEN name="subjectKeyGenInfo">...
  • Page 113 Bulk Enrollment Interface Variables Returned by the Bulk Enrollment Interface (Continued) Table 6-6 Variable Description string errorDescription A message providing more details about the error described in errorDetails. This variable is only present if an error occurred while processing the request. string errorDetails A message explaining the error that occurred while processing the enrollment...
  • Page 114 Bulk Enrollment Interface Variables Returned by the Bulk Enrollment Interface (Continued) Table 6-6 Variable Description number requestStatus A code indicating the current status of the request: • 1 (Unauthorized): The request specified a value for an authenticator to perform an automated enrollment, and the authenticator did not authorize the request.
  • Page 115: Display Key By Serial Number Interface

    Display Key By Serial Number Interface Variables Returned by the Bulk Enrollment Interface (Continued) Table 6-6 Variable Description string base64Cert The newly issued certificate in base-64 encoded format. This string includes the "-----BEGIN CERTIFICATE-----" header and "-----END CERTIFICATE-----" footer. string certFingerprint A string of hexadecimal numbers separated by colons that represent the certificate fingerprints.
  • Page 116: Default Forms

    Display Key By Serial Number Interface Default Forms The Display Key By Serial Number interface is used in the queryKey.template file. Each key in the list of keys satisfying the query has a button the user can press to see the key in detail. This button submits data to the Display Key By Serial Number interface.
  • Page 117 Display Key By Serial Number Interface Table 6-8 Variables Returned by the Display Key By Serial Number Interface Variable Description result.header variables: Variables added to the header object. user ID archivedBy The user ID of the agent that processed the key archival request. number of seconds since 1 January 1970 archivedOn The time when the key was stored in the archive (for completed Data Recovery...
  • Page 118: Display Key For Recovery Interface

    Display Key For Recovery Interface Display Key For Recovery Interface Description URI: /kra/displayBySerialForRecovery Available on: Data Recovery Manager Function: Displays a form for recovering a key. The Display Key For Recovery interface is typically used in the list returned by the Key Recovery Query Interface.
  • Page 119: Response

    Display Key For Recovery Interface Parameters Accepted by the Display Key For Recovery Interface (Continued) Table 6-9 Parameter Format and Description base-64 encoded certificate data publicKeyData This optional parameter allows you to pass the certificate corresponding to the key to revoke to the interface. The certificate will be required to recover the key, and passing it here allows the certificate to be automatically filled in on the resulting form.
  • Page 120: Examine Recovery Interface

    Examine Recovery Interface Table 6-10 Variables Returned by the Display Key For Recovery Interface (Continued) Variable Description number keyLength The number of bits in the archived key. number noOfRequiredAgents Indicates the number of authorized agents who must approve the request before the key can be recovered.
  • Page 121: Default Forms

    Examine Recovery Interface Available on: Data Recovery Manager Function: Checks to see if a recovery request identification number is valid. The Examine Recovery interface is an intermediate interface that validates a request identification number. The interface takes a request identification number and makes sure that it is associated with a valid recovery request on the CMS server.
  • Page 122: Response

    Get Approval Status Interface Response The GenError.template file is used to return any error messages. Successful requests use the examineRecovery.template file. Since the interface is used to validate a request id, the examineRecovery.template is used by default to create a form to submit a user ID and password to the Grant Recovery Interface to approve that request.
  • Page 123: Default Forms

    Get Approval Status Interface The Get Approval Status interface accepts a recovery request number and returns the status of the request. The response includes the number of agents required to approve the recovery and the number that have already granted approval. While a request is pending, agents can use the Grant Recovery Interface to submit user IDs and passwords.
  • Page 124: Response

    Get Approval Status Interface Response The default response template depends on the status of the request. While the request is pending, the getApprovalStatus.template file is used. Once the request is completed the finishRecovery.template file is used. By default, these templates are identical except for the <META HTTP-EQUIV="Refresh"...
  • Page 125: Get Pkcs #12 Data Interface

    Get PKCS #12 Data Interface Get PKCS #12 Data Interface Description URI: /kra/getPk12 Available on: Data Recovery Manager Function: Retrieves the PKCS #12 data containing a recovered key and certificate. The Get PKCS #12 Data interface is used to retrieve the PKCS #12 blob containing a recovered key and its associated certificate.
  • Page 126: Response

    Grant Recovery Interface Response If the recovery has been granted, the response is to return a PKCS #12 blob with the MIME type application/x-pkcs12. This blob is encrypted with a password (supplied when the recovery request was initiated) and contains the key and corresponding certificate.
  • Page 127: Response

    Grant Recovery Interface Table 6-16 Parameters Accepted by the Grant Recovery Interface Parameter Format and Description string agentID The key recovery agent id used by the agent making the request. Agent ids for key recovery are configured independently of agent user IDs, and so may be different.
  • Page 128: Key Query Interface

    Key Query Interface Table 6-17 Variables Returned by the Grant Recovery Interface (Continued) Variable Description number recoveryID The unique request identification number that was passed to the interface in the request. number serialNumber The serial number of the key in the archive. serviceURL /kra/grantRecovery The URL that was used to access the Grant Recovery interface.
  • Page 129: Request Parameters

    Key Query Interface Request Parameters The following table lists the parameters accepted by the Key Query interface. The queryFilter parameter must be a valid query filter. The syntax and valid query parameters are too complex to describe in the parameter table. Details about valid parameters and values for query filters are in a separate table following the parameters.
  • Page 130 Key Query Interface Table 6-18 Parameters Accepted by the Key Query Interface (Continued) Parameter Format and Description string templateName Filename relative to the template directory (web/ee, web/agent/ca, web/agent/kra, or web/agent/ra) of a file to use as the response template. This template will be used for any response, overriding default template settings.
  • Page 131: Response

    Key Query Interface Table 6-19 Key Query queryFilter Parameters (Continued) Parameter Expression Values keySerialNumber Value: serial number of a key. This matches the serial number assigned by the Data Recovery Manager to a key when it is archived. Note that this differs from the serial number of the certificate corresponding to the key.
  • Page 132 Key Query Interface Table 6-20 Variables Returned by the Key Query Interface Variable Description result.header variables: Variables added to the header object. Distinguished Name (DN) string. See RFC 2253. archiverName The subject name on the Data Recovery Manager’s signing certificate. queryKey Indicates the operation that was requested.
  • Page 133: Key Recovery Query Interface

    Key Recovery Query Interface Table 6-20 Variables Returned by the Key Query Interface (Continued) Variable Description number of seconds since 1 January 1970 archivedOn The time when the key was stored in the archive (for completed Data Recovery Manager requests). OID string keyAlgorithm The object identifier (OID) used by the archived key corresponding to this...
  • Page 134: Default Forms

    Key Recovery Query Interface Function: Retrieves a set of archived keys, for the purpose of recovering them, based on a flexible query specification. The Key Recovery Query interface allows you to build query criteria much like an LDAP query. Criteria can be combined using logical AND or OR for flexibility. You can match keys in the archive based on the DRM serial number, the DN of the key owner, the certificate containing the corresponding public key, or the agent that archived the key.
  • Page 135 Key Recovery Query Interface Table 6-21 Parameters Accepted by the Key Recovery Query Interface (Continued) Parameter Format and Description base-64 encoded certificate publicKeyData The certificate containing the public key associated with a key to be matched in the archive. The publicKeyData should include the "-----BEGIN CERTIFICATE-----"...
  • Page 136: Response

    Key Recovery Query Interface Table 6-21 Parameters Accepted by the Key Recovery Query Interface (Continued) Parameter Format and Description number totalRecordCount The total number of keys in the archive that match the queryFilter. This number is returned by the interface in the initial response. This can be posted in subsequent calls to prevent the CMS server from calculating a number.
  • Page 137 Key Recovery Query Interface Table 6-22 Variables Returned by the Key Recovery Query Interface (Continued) Variable Description string templateName Indicates the name of the template that was used to display the response. By default it is queryKey.template, but it can be changed with the templateName request parameter.
  • Page 138: Process Certificate Request Interface

    Process Certificate Request Interface Table 6-22 Variables Returned by the Key Recovery Query Interface (Continued) Variable Description string publicKey A string of two-digit hexadecimal numbers separated by colon. Each number represents a byte in the public key corresponding to the private key to be archived.
  • Page 139: Default Forms

    Process Certificate Request Interface Default Forms No default forms use the Process Certificate Request Interface directly. The listRequests.html form calls the Requests Query Interface, which returns data using the processReq.template when pending requests are selected. processReq.template will create a link to the Process Certificate Request Interface for all requests with .
  • Page 140 Process Certificate Request Interface Table 6-23 Parameters Accepted by the Process Certificate Request Interface (Continued) Parameter Format and Description yes | no certTypeSSLCA Specifies whether to set the Netscape certificate extension SSL certificate issuer bit (bit 5). yes | no certTypeSSLClient Specifies whether to set the Netscape certificate extension SSL client authentication certificate bit (bit 0).
  • Page 141 Process Certificate Request Interface Table 6-23 Parameters Accepted by the Process Certificate Request Interface (Continued) Parameter Format and Description yes | no grantTrustedManagerPrivilege Specifies whether the new certificate will be an SSL certificate used by a server that is trusted. For example, set this to yes when you issue the SSL server certificate for a new Registration Manager.
  • Page 142: Response

    Process Certificate Request Interface Table 6-23 Parameters Accepted by the Process Certificate Request Interface (Continued) Parameter Format and Description number of seconds validityLength The length of time, in seconds, for which the newly issued certificate will be valid. The following list shows the approximate number of seconds in some common time intervals: •...
  • Page 143 Process Certificate Request Interface Table 6-24 Variables Returned by the Process Certificate Request Interface (Continued) Variable Description number certsUpdated The number of certificates that were updated in the publishing directory if publishing is enabled (if result.header.dirEnabled = yes). ca | CEP-Request | client | objSignClient | ra | server | other certType Specifies the type of certificate request that was acted upon.
  • Page 144 Process Certificate Request Interface Table 6-24 Variables Returned by the Process Certificate Request Interface (Continued) Variable Description true | false ext_object_signing_ca Indicates whether or not the Netscape certificate extension object signing CA bit (bit 7) is set in the certificate or request that was processed. true | false ext_ssl_ca Indicates whether or not the Netscape certificate extension SSL CA bit (bit...
  • Page 145 Process Certificate Request Interface Table 6-24 Variables Returned by the Process Certificate Request Interface (Continued) Variable Description enrollment | getCAChain | getCertificates | requestType getRevocationInfo | renewal | revocation | unrevocation The requestType returns the type of request that was made to the interface returning this template.
  • Page 146 Process Certificate Request Interface Table 6-24 Variables Returned by the Process Certificate Request Interface (Continued) Variable Description accept | cancel | clone | reject toDo Indicates the action that was taken to produce this response (that is, this is the same as the value of the toDo request parameter). user ID updatedBy The user ID of the agent that updated the request.
  • Page 147: Process Drm Request Interface

    Process DRM Request Interface Process DRM Request Interface Description URI: /kra/processReq Available on: Data Recovery Manager Function: This interface allows an agent to view a request or assign the request to himself. The Process DRM Request interface is slightly different from the Process Request Interface used by Certificate Managers and Registration Managers.
  • Page 148: Response

    Process DRM Request Interface Table 6-25 Parameters Accepted by the Process DRM Request Interface (Continued) Parameter Format and Description string moreComments Specifies additional comments to be stored with the request. Comments may be useful for future reference or to provide data to another agent that needs to process the request.
  • Page 149 Process DRM Request Interface Table 6-26 Variables Returned by the Process DRM Request Interface Variable Description result.header variables: Variables added to the header object. user ID archivedBy The user ID of the Data Recovery Agent that authorized the archival. This is sent only for completed archival requests.
  • Page 150: Process Request Interface

    Process Request Interface Table 6-26 Variables Returned by the Process DRM Request Interface (Continued) Variable Description enrollment | recovery requestType Indicates whether the request was made to archive (enrollment) or recover a key. number serialNumber A unique identification number that identifies a key in the archive. This differs from the certificate serial number and also from the request identifier (seqNum).
  • Page 151: Default Forms

    Process Request Interface This is an agent interface and requires SSL client authentication with a valid agent certificate. The Process Request Interface can be used to assign a certificate request (identified by a sequence number) to the agent user ID associated with the certificate presented for authentication or to assign the request to nobody (remove any existing assignment).
  • Page 152: Response

    Recover Key By Serial Number Interface Response The default response template is processReq.template. The base JavaScript for responses is inserted in place of the <CMS_TEMPLATE> tag. In addition, the Process Request interface adds the JavaScript variables listed in the following table. The table lists only the variables in the template related to the Process Request interface.
  • Page 153: Default Forms

    Recover Key By Serial Number Interface Available on: Data Recovery Manager Function: Displays a form for recovering a key. Once a key has been selected from the archive, the Recover Key By Serial Number Interface can be used to start the recovery operation. This interface accepts the serial number of an archived key and optionally the user ID and passwords of recovery agents.
  • Page 154 Recover Key By Serial Number Interface Table 6-29 Parameters Accepted by the Recover Key By Serial Number Interface (Continued) Parameter Format and Description yes | no localAgents Specifies whether agent user IDs and passwords have been entered locally (that is, submitted with this request), or will be entered remotely. If localAgents = no, agents will have to access the Examine Recovery interface with the request id and enter their passwords.
  • Page 155: Response

    Recover Key By Serial Number Interface Response If the request was for a local recovery (localAgents = yes in the request), and the recovery is successful, the response will be the binary PKCS #12 blob containing the key and certificate. The MIME type of the response will be application/x-pkcs12. If the request was not local or if there was an error, the default response template is .
  • Page 156: Remove Certificate Hold Interface

    Remove Certificate Hold Interface Remove Certificate Hold Interface Description URI: /ca/doUnrevoke /ra/doUnrevoke Available on: Certificate Manager or Registration Manager agent ports. Function: Changes the status of a certificate that has been put on hold so that it is no longer considered revoked. A certificate can be temporarily rendered invalid --or “put on hold”-- by revoking it with a revocation reason code of 6.
  • Page 157: Response

    Remove Certificate Hold Interface Table 6-31 Parameters Accepted by the Remove Certificate Hold Interface (Continued) Parameter Format and Description number serialNumber The serial number (in decimal or hexadecimal) of the certificate to revoke. string templateName Filename relative to the template directory (web/ee, web/agent/ca, web/agent/kra, or web/agent/ra) of a file to use as the response template.
  • Page 158: Requests Query Interface

    Requests Query Interface Table 6-32 Variables Returned by the Remove Certificate Hold Interface (Continued) Variable Description yes | no publishCRLSuccess If the CMS server attempted to publish the CRL to a directory, this variable will indicate whether the update was successful. number serialNumber The decimal serial number of the certificate.
  • Page 159: Default Forms

    Requests Query Interface Default Forms The listRequests.html form uses the Requests Query Interface. This form can be found in the Certificate Manager, Registration Manager, and Data Recovery Manager web directories. The listRequests.html form presents menus for choosing the request type and status as well as a field for setting the lowest request id to return.
  • Page 160: Response

    Requests Query Interface Table 6-33 Parameters Accepted by the Requests Query Interface (Continued) Parameter Format and Description number seqNumFrom Specifies the lowest request identification number to retrieve. This parameter is useful when the number of requests is more than maxCount and another page of data can be requested: set seqNumFrom to one more than the last request displayed on the current page and repost the request.
  • Page 161 Requests Query Interface Table 6-34 Variables Returned by the Requests Query Interface (Continued) Variable Description ca | kra | ra authorityId The type of server that generated the list of requests: ca for Certificate Manager, kra for Data Recovery Manager, or ra for Registration Manager. number currentRecordCount The number of request records displayed on the current page of output.
  • Page 162 Requests Query Interface Table 6-34 Variables Returned by the Requests Query Interface (Continued) Variable Description user ID archivedBy The user ID of the agent that processed the key archival request. number of seconds since 1 January 1970 archivedOn The time when the key was stored in the archive (for completed Data Recovery Manager requests).
  • Page 163: Select For Revocation Interface

    Select for Revocation Interface Table 6-34 Variables Returned by the Requests Query Interface (Continued) Variable Description number seqNum The request identification number for this request. The request ID is unique on any instance of a server. The seqNum is used for Registration Manager and Certificate Manager Requests.
  • Page 164: Default Forms

    Select for Revocation Interface Default Forms By default, forms that use the Select for Revocation Interface are embedded as buttons on certificate lists returned from the List Certificates Interface accessed through an agent port (/ca/listCerts or /ra/listCerts). These responses are rendered using the discussed in the List Certificates...
  • Page 165: Response

    Select for Revocation Interface Response The default response template is reasonToRevoke.template. The base JavaScript for responses is inserted in place of the <CMS_TEMPLATE> tag. In addition, the Select for Revocation interface adds the JavaScript variables listed in the following table. Table 6-36 Variables Returned by the Select For Revocation Interface Variable Description...
  • Page 166: Update Crl Interface

    Update CRL Interface Table 6-36 Variables Returned by the Select For Revocation Interface (Continued) Variable Description number of seconds since 1 January, 1970 validNotAfter The date when the certificate expires. See the description for issuedOn for details on date values. number of seconds since 1 January, 1970 validNotBefore The date when the certificate became valid.
  • Page 167: Response

    Update CRL Interface Table 6-37 Parameters Accepted by the Update CRL Interface Parameter Format and Description crlIssuingPoint MasterCRL Specifies the issuing point maintained by the CMS server handling the CRL update. In the default case, the only issuing point for all CRL information is the master CRL.
  • Page 168: Update Directory Interface

    Update Directory Interface Update Directory Interface Description URI: /ca/updateDir /ra/updateDir Available on: Certificate Manager and Registration Manager. Function: If enabled, the publishing directory is automatically updated on a regular basis. If necessary, this interface can be used to force new information to be published to the directory.
  • Page 169 Update Directory Interface Table 6-39 Parameters Accepted by the Update Directory Interface (Continued) Parameter Format and Description number revokedTo The high end of the range of serial numbers of revoked certificates to be updated in the directory. For no upper bound, set this to null or omit the parameter.
  • Page 170: Response

    Update Directory Interface Table 6-39 Parameters Accepted by the Update Directory Interface (Continued). validFrom (number): The low end of the range of serial numbers of valid certificates to be updated in the directory. For no lower bound, set this to null or omit the parameter. validTo (number): The high end of the range of serial numbers of valid certificates to be updated in...
  • Page 171 Update Directory Interface Table 6-40 Variables Returned by the Update Directory Interface (Continued). expiredCertsError (string): A message explaining why the expired certificates could not be removed from the directory, if there was an error. expiredCertsUnpublished (Success | Failure): If removing expired certificates was requested, this variable indicates whether the update was successful or not.
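    The Update Directory interface takes serial-number ranges where a missing or null bound means "unbounded", and reports the expired-certificate clean-up through the expiredCertsUnpublished / expiredCertsError pair above. The block below is an added example and is not code from the guide or from Certificate Management System: it builds the query string for a forced update and turns the documented response variables into a pass/fail result. It assumes the request is sent to the agent port like the other agent interfaces, and it assumes a revokedFrom parameter by symmetry with revokedTo, validFrom and validTo (only those three appear on the pages shown here).

```javascript
// Added example (not from the CMS guide): building an Update Directory request
// and interpreting the Table 6-40 response variables.

// /ra/updateDir on a Registration Manager; the CA form is used here.
const UPDATE_DIR_URI = "/ca/updateDir";

// Serial-number range parameters. revokedTo, validFrom and validTo are
// documented above; revokedFrom is ASSUMED by symmetry with the other three.
const RANGE_PARAMS = ["revokedFrom", "revokedTo", "validFrom", "validTo"];

// Build the request path. A bound that is null or undefined is omitted, which
// the interface treats as "no bound"; everything else must be a serial number.
function buildUpdateDirQuery(ranges) {
  const parts = [];
  for (const name of RANGE_PARAMS) {
    const v = ranges[name];
    if (v === null || v === undefined) continue; // omit = unbounded
    if (!Number.isInteger(v) || v < 0) {
      throw new TypeError(`${name} must be a non-negative integer serial number`);
    }
    parts.push(`${name}=${encodeURIComponent(String(v))}`);
  }
  // Reject inverted ranges before the CA does any directory work for them.
  for (const kind of ["revoked", "valid"]) {
    const lo = ranges[`${kind}From`];
    const hi = ranges[`${kind}To`];
    if (lo != null && hi != null && lo > hi) {
      throw new RangeError(`${kind}From (${lo}) exceeds ${kind}To (${hi})`);
    }
  }
  return parts.length ? `${UPDATE_DIR_URI}?${parts.join("&")}` : UPDATE_DIR_URI;
}

// Interpret the expired-certificate variables of the response. The variable is
// only present when removal of expired certificates was requested, so its
// absence is not a failure. Any value other than Success/Failure is reported
// so a template does not silently treat a malformed response as success.
function interpretUpdateDirResponse(vars) {
  const result = { ok: true, problems: [] };
  if (Object.prototype.hasOwnProperty.call(vars, "expiredCertsUnpublished")) {
    const status = vars.expiredCertsUnpublished;
    if (status === "Failure") {
      result.ok = false;
      result.problems.push(
        `expired certificates were not removed: ${vars.expiredCertsError || "(no message)"}`);
    } else if (status !== "Success") {
      result.ok = false;
      result.problems.push(`unexpected expiredCertsUnpublished value: ${String(status)}`);
    }
  }
  return result;
}

// Example run with constructed inputs.
console.log(buildUpdateDirQuery({ validFrom: 1, validTo: 100, revokedTo: null }));
console.log(interpretUpdateDirResponse({
  expiredCertsUnpublished: "Failure",
  expiredCertsError: "constructed sample: directory unavailable",
}));
```

Bounding the ranges matters operationally as well as for correctness: a forced update with every bound omitted asks the server to republish its whole certificate set, so an agent form should default to the narrowest range that covers the certificates that actually changed.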
  • Page 172 Update Directory Interface Netscape Certificate Management System Customization Guide • October 2001...
  • Page 173: Index

    Index Approve Revocation 101 Agent Services interface 93 Approve Revocation 101 Bulk Enrollment 105 Display Key By Serial Number 115 Display Key For Recovery 118 bulkissuance 105 Examine Recovery 120 for Certificate Manager agents 94 for Data Recovery Manager agents 96 for Registration Manager agents 95 Get Approval Status 122 Get PKCS#12 Data 125...
  • Page 174 for key archival and recovery 30 for enrollment 32 for renewals 30 for renewal 33 for revocations 30 for retrieval 34 for revocation 34 certificate revocation supported authentication mechanisms 30 End-entity Interface supported request formats 30 Certificate Enrollment Protocol 41 Challenge Revocation 42 certificate revocation list Display Certificate By Serial Number 44...
  • Page 175 Get Certificate By Serial Number 61 Get Certificate From Request 65 List Certificates 72 Get CRL 69 list of Get PKCS#12 Data 125 agent forms and templates getApprovalStatus 122 end-entity forms and templates getBySerial listCerts 72 getCAChain location of getCertFromRequest agent forms 98 getCRL 69 CMS documentation 12...
  • Page 176 queryReq 158 templates for agents location 98 for end entities location 31 reasonToRevoke 163 for end-entity operations 36 Recover Key By Serial Number 152 type styles used in this book 10 recoverBySerial (DRM) 152 Registration Manager enrollment forms for 33 interface for agents 95 Remove Certificate Hold 156 renew certificates 80...
