Agent's Guide
Netscape Certificate Management System
Version 4.5
October 2001


Summary of Contents for Netscape NETSCAPE MANAGEMENT SYSTEM 4.5 - AGENT GUIDE

  • Page 1 Agent’s Guide Netscape Certificate Management System Version 4.5 October 2001...
  • Page 2 Netscape Communications Corporation (“Netscape”), a subsidiary of America Online, Inc., and its licensors retain all ownership rights to the software programs offered by Netscape (referred to herein as “Software”) and related documentation. Use of the Software and related documentation is governed by the license agreement accompanying the Software and applicable copyright law.
  • Page 3: Table Of Contents

    Contents: About This Guide . . . 5; What You Should Already Know . . .
  • Page 4 Other Options for Handling Requests . . . 43; Chapter 3 Finding and Revoking Certificates . . .
  • Page 5: About This Guide

    About This Guide This guide describes the Agent Services interface that Netscape Certificate Management System (CMS) agent uses to administer a subsystem’s certificates and keys. This preface has the following sections: • What You Should Already Know (page 5) • What’s in This Guide (page 6) •...
  • Page 6: What's In This Guide

    What’s in This Guide • Digital signatures • The role of digital certificates in a public-key infrastructure (PKI) • Certificate hierarchies • SSL cipher suites • The purpose of and major steps in the SSL handshake For overviews of these topics, see Appendix D and Appendix E of Managing Servers with Netscape Console.
  • Page 7: Conventions Used In This Guide

    Conventions Used in This Guide • Chapter 6, “Managing OCSP Service Related Tasks” describes how to handle tasks related to the CMS OCSP responder, Online Certificate Status Manager. This service is only available when the Online Certificate Status Manager subsystem is installed. Conventions Used in This Guide This guide uses the following conventions: •...
  • Page 8: Where To Go For Related Information

    Where to Go for Related Information This section summarizes the documentation that ships with Certificate Management System, using these conventions: • <server_root> is the directory where the CMS binaries are kept (specified during installation). •...
  • Page 9 Where to Go for Related Information To view the HTML version of this guide, open this file: <server_root>/manual/en/cert/tools_guide/contents.htm To view the PDF version of this guide, open this file: <server_root>/manual/en/cert/pdf/cms45tools.pdf • CMS Customization Guide Provides detailed reference information on customizing the HTML-based agent and end-entity interfaces.
  • Page 10 Where to Go for Related Information Netscape Certificate Management System Agent’s Guide • October 2001...
  • Page 11: Chapter 1 Agent Services

    Chapter 1 Agent Services This chapter describes the role of the privileged users called agents in managing Netscape Certificate Management System (CMS). It also introduces the tools that agents use to administer service requests. The chapter has the following sections: •...
  • Page 12 Overview of Certificate Management System End entities and CAs may be in different geographic or organizational areas or in completely different organizations. CAs may include third parties that provide services through the Internet as well as the root CAs and subordinate CAs for individual organizations.
  • Page 13 Overview of Certificate Management System reliable authentication services and therefore trusts any signed requests it submits. The Certificate Manager processes the requests and issues the certificates. The Registration Manager then distributes the certificates to the end entities. • Data Recovery Manager—A Data Recovery Manager oversees the long-term archival and recovery of private encryption keys for end entities.
  • Page 14 Overview of Certificate Management System interactions with end entities and other aspects of the PKI. This guide describes the tasks that agents can perform. End entities access Registration Manager or Certificate Manager subsystems to enroll in a PKI and to take part in other life-cycle management operations, such as renewal or revocation.
  • Page 15: Agent Tasks

    Agent Tasks Agent Tasks The designated agents for each subsystem are responsible for the everyday management of end-entity requests and other aspects of the PKI: • Certificate Manager agents manage certificate requests received by the Certificate Manager subsystem, maintain and revoke certificates as necessary, and maintain global information about certificates.
  • Page 16 Agent Tasks Certificate Manager Agent Services page Figure 1-2 As a Certificate Manager agent, you can perform the following tasks: • Handle certificate requests. You can list the certificate service requests received by the Certificate Manager subsystem, assign requests to yourself, reject or cancel requests, and approve requests for certificate enrollment.
  • Page 17: Registration Manager Agent Services

    Agent Tasks • Revoke certificates. If a user’s key has been compromised, you need to revoke the user's certificate to ensure that the key is not misused. You may also need to revoke the certificates of users who have left the organization. You can use Certificate Manager Agent Services to find and revoke a specific certificate or a set of certificates.
  • Page 18: Data Recovery Manager Agent Services

    Agent Tasks Registration Manager Agent Services page Figure 1-3 As a Registration Manager agent, you can handle certificate requests. You can list the certificate service requests received by the Registration Manager subsystem, assign requests to yourself, reject or cancel requests, clone requests, and approve enrollment requests to be passed on to the Certificate Manager for issuance.
  • Page 19: Online Certificate Status Manager Agent Services

    Agent Tasks Data Recovery Manager Agent Services page Figure 1-4 As a Data Recovery Manager agent, you can perform the following tasks: • List key recovery requests from end entities. • List or search for archived keys. • Initiate the recovery of private data-encryption keys. Key recovery requires the authorization of one or more recovery agents.
  • Page 20: Forms For Performing Agent Operations

    Forms for Performing Agent Operations Online Certificate Status Manager Agent Services page Figure 1-5 As an Online Certificate Status Manager agent, you can perform the following tasks: • Check which CAs are currently configured to publish their CRLs to the Online Certificate Status Manager.
  • Page 21 Forms for Performing Agent Operations As a subsystem agent with the proper certificate, you use the Agent Services page to access the forms you need to perform the agent tasks. Table 1-1 describes each of these HTML forms. Table 1-1 Forms used for agent operations Form name Description...
  • Page 22 Forms for Performing Agent Operations Forms used for agent operations (Continued) Table 1-1 Form name Description List Requests (Data Recovery Manager) Use this form to find and examine requests for key services. Only Data Recovery Manager agents can use this form. For instructions on using this form, see “Viewing Key Service Requests”...
  • Page 23: Accessing Agent Services

    Accessing Agent Services Forms used for agent operations (Continued) Table 1-1 Form name Description Check Certificate Status (Online Certificate Status Manager) Use this form to check the status of OCSP service requests sent by OCSP-compliant clients. For instructions, see “Checking the Revocation Status of a Certificate” on page 81 in Chapter 6.
  • Page 24 Accessing Agent Services To enroll for the first agent certificate, you should be working at the computer you intend to use as the agent, so that the new certificate will be installed in the browser you will be using to access the Agent Services pages. Follow these steps: Open a web browser window.
  • Page 25 Accessing Agent Services Email address. Email address of administrator/agent. Organization unit. Name of the organization unit to which the administrator/agent belongs. Organization. Name of the company or organization the administrator/agent works for. Country. Two-letter code for the administrator/agent’s country. User’s Key Length Information section: Key Length.
  • Page 26: Agent Services Entry Page

    Accessing Agent Services Go to this directory: <server_root>/cert-<instance_ID>/config Open the CMS.cfg file in a text editor, and find the following line: agentGateway.enableAdminEnroll=false Change false to true, and save the file. Start the server from the CMS window where you stopped it. (Alternatively, right-click on the name of the instance in the left frame and choose Start Server.) At this point, the server asks you for the single signon password you specified during installation.
  • Page 27: Services Summary Page

    Accessing Agent Services If you do not yet have your certificate, click Services Summary to enroll for one. For more information, see “Services Summary Page” (the next section). Services Summary Page If you want to access another gateway without looking up the port number, click Services Summary on the Agent Services entry page.
  • Page 29: Chapter 2 Handling Certificate Requests

    Chapter 2 Handling Certificate Requests As a Certificate Manager or Registration Manager agent, you are responsible for handling both manual enrollment requests made by end entities (end users, server administrators, or other CMS subsystems) and automated enrollment requests that have been deferred. This chapter describes the general procedure for handling requests and explains how to handle different aspects of certificate request management.
  • Page 30 Managing Requests Process the request (see “Approving Requests” on page 35 and “Other Options for Handling Requests” on page 43). In processing a request for a certificate, you can choose to take one of the following actions: Approve the request. You can approve a request manually, or it can be approved automatically by policy modules if the request has been authenticated by an authentication module (and if the CMS administrator has configured the system to do this).
  • Page 31 Managing Requests The certificate request management process Figure 2-1 Chapter 2 Handling Certificate Requests...
  • Page 32: Listing Certificate Requests

    Listing Certificate Requests Listing Certificate Requests The Certificate Manager or Registration Manager keeps a queue of all certificate service requests that have been submitted to it. The queue records whether a request is pending, completed, canceled, or rejected. Four types of requests can be in the queue: •...
  • Page 33 Listing Certificate Requests Choose the type of requests you want to see by selecting one of the following from the “Request type” menu: Show enrollment requests Show renewal requests Show revocation requests Show all requests Choose the status of requests you want to see by selecting one of the following from the “Request status”...
  • Page 34: Selecting A Request

    Listing Certificate Requests Choose the number of matching requests you want to see. When you specify a number n, the system displays the first n requests after the starting sequence number that matches your specified criteria. Click Find to display the list of requests that match your specified criteria. The Request Queue form appears.
  • Page 35: Approving Requests

    Approving Requests When you have found the request you want, click Details at the left. The Request details form appears, showing detailed information about the selected request. Use this form to approve or otherwise handle the request. For more information, see “Approving Requests” on page 35 and “Other Options for Handling Requests”...
  • Page 36: Assigning A Request

    Approving Requests valid certificate. To do these things, use the Request Details form that appears when you examine a selected request (as described in “Selecting a Request” on page 34). If you want to reject or cancel the request, see “Other Options for Handling Requests”...
  • Page 37 Approving Requests If the request is already assigned to you, you can choose to cancel the assignment. To cancel the request’s assignment, click “cancel request assignment.” The form then shows that the request is unassigned. You can still act upon an unassigned request. If the request is assigned to another agent, you cannot act on the request unless you reassign it to yourself.
  • Page 38 Approving Requests Netscape certificate type extension (Continued) Table 2-1 Type Description Subordinate SSL CA (available only for CA certificate requests) Allows a CA to sign and issue personal and server certificates. Subordinate email CA (available only for CA certificate requests) Allows a CA to sign and issue certificates for use with signed and encrypted email.
  • Page 39 Approving Requests SHA-1 with RSA generates a 160-bit message digest. Before choosing SHA-1, make sure your applications support it. Netscape Navigator 3.0 (or later) and Enterprise Server 2.01 (or later) support SHA-1. If your users have previous versions of these applications, choose MD5 as the signature algorithm, or upgrade your users to the most recent version of these applications.
  • Page 40: Sending An Issued Certificate To The Requester

    Approving Requests If the certificate conforms to policy, a page containing the new certificate appears. It includes instructions on how to help the certificate requester install the new certificate. NOTE If, after verifying or attempting to issue the certificate, you receive the error message “The requested signature algorithm is not enabled,”...
  • Page 41 Approving Requests Depending on how your Certificate Management System is configured, an end user who requests a certificate might receive automatic email notification of the success of the request; this email message contains either the certificate itself or a URL from which the user can get the certificate. In this case, you need not take any further action.
  • Page 42 Approving Requests To copy and mail a new server certificate to the requester, follow these steps: Open a new email message composition window and address it to the requester. From the Agent Services window where the new certificate is displayed, copy only the base-64 encoded certificate.
  • Page 43: Other Options For Handling Requests

    Other Options for Handling Requests Other Options for Handling Requests If you do not want to issue the certificate in response to a certificate request, you can choose one of the other options from the command menu at the bottom of the Request Details form, then click Do It.
  • Page 45: Chapter 3 Finding And Revoking Certificates

    Chapter 3 Finding and Revoking Certificates As a Certificate Manager agent, you can use the Agent Services page to find a specific certificate issued by Netscape Certificate Management System or to retrieve a list of certificates that match specified criteria. You can examine certificates that you have retrieved.
  • Page 46 Basic Certificate Listing To find a certificate with a specific serial number, enter the serial number in both the upper limit and lower limit fields of the List Certificates form, in either decimal or hexadecimal form. to indicate the beginning of a hexadecimal number; for example, .
  • Page 47: Advanced Certificate Search

    Advanced Certificate Search Click Find. Certificate Management System displays a list of the certificates that match your search criteria. You can select a certificate in the list and examine it in more detail or perform various operations on it. For more information, see “Examining Certificates”...
  • Page 48 Advanced Certificate Search To search by particular criteria, use one or more of the sections of the Search for Certificates form. The form is quite long; scroll down to see the different sections. To use a section, select the appropriate checkbox, then fill in any necessary information. Serial Number Range.
  • Page 49 Advanced Certificate Search To list certificates revoked within a time period, select the day, month, and year from the drop-down lists to identify the beginning and end of the period. To list certificates revoked by a particular agent, enter the name of the agent.
  • Page 50 Advanced Certificate Search To find a certificate with a specific subject name, use the Subject Name section. Select the checkbox, then enter the subject name criteria. Enter values for the fields you want included in your search criteria and leave the others blank. The standard tags or components are as follows: Email address.
  • Page 51 Advanced Certificate Search Select Partial to search for all certificates with subject names that match at least the components you have specified but that may also have any values in the components you have left blank. You can specify wildcard patterns in this type of search by using the question mark character ( ) to match an arbitrary single character and the asterisk character (...
  • Page 52: Examining Certificates

    Advanced Certificate Search Examining Certificates To examine the details of a certificate, follow these steps: On the Agent Services page, click List Certificates or Search for Certificates, specify search criteria, and click Find to display a list of certificates. For details of how to specify criteria, see “Basic Certificate Listing” on page 45 and “Advanced Certificate Search”...
  • Page 53: Revoking Certificates

    Revoking Certificates The certificate is shown in base-64 encoded form at the bottom of the Certificate page, under the heading “Installing this certificate in a server.” In addition to its use with servers, this encoded form of the certificate can be used by CMS administrators and Data Recovery Manager agents for setting up new agents and recovering private encryption keys, respectively.
  • Page 54: Revoking One Or More Certificates

    Revoking Certificates Click Find. The search returns a list of matching certificates. You have the option of revoking one or all certificates in the list. Revoking One or More Certificates You can revoke an entire list of certificates returned by a search, or select and revoke one of the certificates from the list.
  • Page 55: Revoking Multiple Certificates

    Revoking Certificates Click the Revoke button next to the certificate that you want to revoke. Confirm the revocation in the resulting form (see “Confirming a Revocation” on page 55). Revoking Multiple Certificates To revoke all of the certificates found by a search: On the Certificate Manager’s Agent Services page, click Revoke Certificates, specify search criteria, and click Find to display a list of certificates.
  • Page 56 Revoking Certificates To confirm the revocation: Inspect the details of the certificate and verify that it is the one you want to revoke. If you are revoking more than one certificate, the form shows details of all the listed certificates. Select a reason for the revocation.
  • Page 57: Managing The Certificate Revocation List

    Managing the Certificate Revocation List Managing the Certificate Revocation List By revoking a certificate, you are notifying other users that the certificate is no longer valid. You make this notification by publishing a list of the revoked certificates, called the certificate revocation list (CRL), to an LDAP directory. This list is publicly available and ensures that revoked certificates are not misused.
  • Page 58: Updating The Crl

    Managing the Certificate Revocation List Updating the CRL Normally, when you revoke a certificate, the CRL is automatically updated. If you are using Certificate Management System with an LDAP directory server, the CRL in the directory is updated automatically. In some cases, you need to update the CRL manually. For example, you might want to remove expired certificates from the CRL to reduce its size.
  • Page 59 Managing the Certificate Revocation List SHA-1 with DSA generates a 160-bit message digest. Before choosing SHA-1 with DSA, make sure your applications support it. Communicator 4.0 (or later) and Netscape server products with a version number greater than 4.0 support it. Before selecting an algorithm, make sure that Certificate Management System has the algorithm enabled.
  • Page 61: Chapter 4 Publishing To A Directory

    Chapter 4 Publishing to a Directory This chapter describes the procedures for updating an LDAP directory with the current status of certificates. Only a Certificate Manager agent can update the directory. The chapter has the following sections: • Working with a Directory Server (page 61) •...
  • Page 62: Manual Directory Updates

    Updating the Directory with Changes • When Certificate Management System issues a new certificate, the certificate is published to the directory. • When Certificate Management System revokes a certificate, the certificate is removed from the directory. • When the CRL is created or updated, the list is published to the directory. Manual Directory Updates Normally you do not need to update a directory manually;...
  • Page 63 Updating the Directory with Changes Select “Skip certificates already marked as updated” to ignore certificates in the internal database that are marked as having been published already (or removed, in the case of revoked certificates). For example, if you updated the directory once to revoke many certificates and it took several minutes, some new certificates may have been issued while the update was running.
  • Page 65: Chapter 5 Recovering Encrypted Data

    Chapter 5 Recovering Encrypted Data This chapter describes how to process key recovery requests and how to recover stored encrypted data when the encryption key has been lost. This service is available only when the Data Recovery Manager subsystem is installed. The Data Recovery Manager Agent Services page allows certified agents to accomplish these tasks.
  • Page 66: Finding Archived Keys

    Finding and Recovering Keys Finding Archived Keys You can search for archived keys to examine them or to initiate recovery. The process of selecting search criteria and selecting a key from the search results is the same in either case. To search for and list archived keys: Go to the Data Recovery Manager Agent Services page (see “Accessing Agent Services”...
  • Page 67 Finding and Recovering Keys Key identifiers. Use this section to find an archived key with a specific key identifier or to list all keys within a range of key identifiers. To find a key with a specific key identifier, enter the key identifier in both the upper limit and lower limit fields.
  • Page 68: Selecting A Key

    Finding and Recovering Keys Selecting a Key To select a key from the list returned by your key search: On the Data Recovery Manager’s Agent Services page, click Search for Keys, specify search criteria, and click Show Key to display a list of archived keys. For details, see “Finding Archived Keys”...
  • Page 69: Recovering Keys

    Recovering Keys Recovering Keys If you perform a search with the Recover Keys button, the Search Results form allows you to initiate the recovery of any key found. To initiate key recovery: On the Data Recovery Manager’s Agent Services page, click Recover Keys, specify search criteria, and click Show Key to display a list of archived keys.
  • Page 70 Recovering Keys The number of key recovery agent authorizations required to recover a key is configured by the system administrator using the CMS window in Netscape Console. The Key Recovery form has space for the required number of authorizations. Specify the password that the requester will use in importing the recovered certificate/key pair package.
  • Page 71: Remote Recovery Authorization

    Recovering Keys Choose whether to authorize recovery locally. If you select this option, assemble the required number of key recovery agents and have each agent fill in his or her user name and password. If you deselect this option, notify the key recovery agents that a recovery has been initiated, giving them the recovery authorization reference number indicated on this form.
  • Page 72: Viewing Key Service Requests

    Viewing Key Service Requests If you deselect the local authorization option, you are choosing remote authorization. When you click Recover Now, the key recovery agents must each access the Data Recovery Manager Agent Services pages at their own locations, and use the Authorize Recovery button to enter each authorization separately. You are informed of the status of the authorizations.
  • Page 73: Listing Key Service Requests

    Viewing Key Service Requests As a Data Recovery Manager agent, you can view these requests. You can search for and list key service requests with a particular status, such as completed or rejected. You can select a key service request from the returned list and examine it in detail.
  • Page 74 Viewing Key Service Requests Choose the status of requests you want to see by selecting one of the following choices from the “Request status” pull-down menu: Show canceled requests. Unless your system is specially configured for it, there will be no canceled requests. Show rejected requests.
  • Page 75: Selecting A Request

    Viewing Key Service Requests Selecting a Request To select a request from the queue: On the Data Recovery Manager’s Agent Services page, click List Requests, specify search criteria, and click Find to display a list of key service requests. For details, see “Listing Key Service Requests” on page 73. On the Key Service Request Queue form, find a particular request.
  • Page 77: Chapter 6 Managing Ocsp Service Related Tasks

    Chapter 6 Managing OCSP Service Related Tasks This chapter describes how to perform the Online Certificate Status Manager agent’s tasks, such as identifying a CA to the Online Certificate Status Manager, adding a CRL to the Online Certificate Status Manager’s internal database, and so on. This service is available only when the Online Certificate Status Manager subsystem is installed.
  • Page 78: Identifying A Ca To Online Certificate Status Manager

    Identifying a CA to Online Certificate Status Manager To see the list of Certificate Managers: Open a web browser window. Go to the Online Certificate Status Manager’s Agent interface. The URL is in this format: https://<hostname>:<port> The Online Certificate Status Manager Agent Services interface appears. In the left frame, click List Certificate Authorities.
  • Page 79 Identifying a CA to Online Certificate Status Manager In the resulting page, scroll to the section that says “Base 64 encoded certificate” and shows the CA signing certificate in its base-64 encoded format. Copy the base-64 encoded certificate, including the -----BEGIN CERTIFICATE----- marker lines, to the...
  • Page 80: Adding A Crl To Online Certificate Status Manager

    Adding a CRL to Online Certificate Status Manager Click Add. The certificate is added to the internal database of the Online Certificate Status Manager. To verify that the certificate is added successfully, in the left frame, click List Certificate Authorities. The resulting form should show information about the Certificate Manager (CA) you just added.
  • Page 81: Checking The Revocation Status Of A Certificate

    Checking the Revocation Status of a Certificate Copy the base-64 encoded CRL, including the -----BEGIN CRL----- and -----END CRL----- marker lines, to the clipboard or a text file. The copied information should look similar to the following example: -----BEGIN CRL----- MIICJzCCAZCgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBCMSAwHgYDVQQKExdOZXRzY2FwZSBDb21tdW5pYF 0aW9uczngjhnMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyNzE5MDAwMFoXDTk5MDIyMzE5MDAw MnbjdgngYoxIDAeBgNVBAoTF05ldHNjYXBlIENvbW11bmljYXRpb25zMQ8wDQYDVQQLEwZQZW9wbGUxFzA VBgoJkiaJkIsZAEBEwdzdXByaXlhMRcwFQYDVQQDEw5TdXByaXlhIFNoZXR0eTEjMCEGCSqGSIb3DbndgJ...
  • Page 82 Checking the Revocation Status of a Certificate Go to the Online Certificate Status Manager Agent Services page (see “Accessing Agent Services” on page 23). You must submit the proper client certificate to get access to this page. In the left frame, click Check Certificate Status. In the resulting form, paste the certificate inside the text area labeled “Base 64 encoded certificate.”...
  • Page 83 Index agent services forms 15, 20 built-in OCSP service 12 accessing end-entity gateways 14, 27 overview 12 accessing forms 23 certificate requests administrator/agent, initial enrollment 23 approving 35 assigning 36, 68, 75 agent services forms examining 34 accessing 23 handling process 29 Certificate Manager 15 listing 32 Data Recovery Manager 18...
  • Page 84 end entities 11 notification of issuance 40 end-entity gateways, accessing 27 enrollment requests approving 35 assigning 36 cloning 30, 43 examining 34 OCSP 13 handling process 29 OCSP responder listing 32 defined 13 statuses 33 Online Certificate Status Manager 77–82 enrollment, initial administrator/agent 23 agent services forms 19 overview 13...
  • Page 85 security concepts 5, 11 Services Summary page 27 Show canceled requests (request status) 33 Show completed requests (request status) 33 Show ending requests (request status) 33 Show rejected requests (request status) 33 status of requests 33 subsystems, overview 12 terms used in this book 7 typestyles used in this book 7 Index...