Netscape MANAGEMENT SYSTEM 4.5 Installation And Setup Manual

Installation and Setup Guide
Netscape Certificate Management System
Version 4.5
October 2001

Summary of Contents for Netscape Certificate Management System 4.5

  • Page 1 Installation and Setup Guide Netscape Certificate Management System Version 4.5 October 2001...
  • Page 2 Netscape Communications Corporation (“Netscape”), a subsidiary of America Online, Inc., and its licensors retain all ownership rights to the software programs offered by Netscape (referred to herein as “Software”) and related documentation. Use of the Software and related documentation is governed by the license agreement accompanying the Software and applicable copyright law. Your right to copy this documentation is limited by copyright law.
  • Page 3: Table Of Contents

    Contents: About This Guide, p. 23; What's in This Guide ...
  • Page 4 Auxiliary Components, p. 64; Command-Line Utilities ...
  • Page 5 Demo Passwords, p. 111; Installing the Default Demo ...
  • Page 6 CA Signing Key Type and Length, p. 174; CA Signing Certificate's Validity Period ...
  • Page 7 Remote Data Recovery Manager, p. 196; Network Configuration ...
  • Page 8 Single Sign-On Password, p. 214; Chapter 6 Installing Certificate Management System ...
  • Page 9 Step 10. Use Master CA's Agent Certificate in Clone CAs, p. 302; Viewing Instance Information ...
  • Page 10 Configuration Tab, p. 339; Status Tab ...
  • Page 11 Chapter 13 Managing Privileged Users and Groups, p. 385; Privileged-User Types and Responsibilities, p. 386; Administrators ...
  • Page 12 Remote Administration Server Certificate, p. 443; Registration Manager's Key Pairs and Certificates ...
  • Page 13 Step 2: Update the Configuration, p. 479; Getting an SSL Client Certificate for a Subsystem ...
  • Page 14 Step A. Check the Directory for User Entries, p. 523; Step B. ...
  • Page 15 Chapter 17 Scheduling Automated Jobs, p. 565; Configuring a Subsystem to Run Automated Jobs ...
  • Page 16 Publishing of CRLs, p. 610; What's a CRL? ...
  • Page 17 Step A. Create a Publisher for the File, p. 669; Step B. ...
  • Page 18 Step 2. Install an OCSP-Compliant Client, p. 710; Step 3. ...
  • Page 19 Configuring Key Archival and Recovery Process, p. 751; Step 1. ...
  • Page 20 Monitoring Audit Logs, p. 784; Using System Tools for Monitoring the Server (Windows NT Only) ...
  • Page 21 Part 5 Appendix, p. 827; Appendix A Certificate Download Specification ...
  • Page 22 Netscape Certificate Management System Installation and Setup Guide • October 2001...
  • Page 23: About This Guide

    About This Guide The Installation and Setup Guide explains how to install, configure, and maintain Netscape Certificate Management System (CMS), and use it for issuing and managing certificates to various end entities, such as web browsers (users), servers, Virtual Private Network (VPN) clients, and Cisco™ routers. This preface has the following sections: •...
  • Page 24 What’s in This Guide • Chapter 2, “Certificate Enrollment and Life-Cycle Management” Provides sample deployment scenarios. • Chapter 3, “Default Demo Installation” Describes how to set up a simple pilot that demonstrates the basic capabilities of a Certificate Manager. Part 2, “Planning and Installation” •...
  • Page 25 • Chapter 15, “Setting Up End-User Authentication” Describes authentication methods for different types of CMS users, and explains how to configure a Certificate Manager or Registration Manager to use a specific authentication method for end-user enrollment. •...
  • Page 26: What You Should Already Know

    Part 5, “Appendix” • Appendix A, “Certificate Download Specification” Describes the data formats used by Netscape Communicator 4.x for installing certificates. Glossary: Summarizes terms used in this guide and other CMS documentation. What You Should Already Know: This guide is intended for experienced system administrators who are planning to deploy Certificate Management System.
  • Page 27: Conventions Used In This Guide

    • Are familiar with the role of Netscape Console in managing Netscape version 4.x servers. Otherwise, see the accompanying manual, Managing Servers with Netscape Console. • Are reading this guide in conjunction with the documentation listed in section “Where to Go for Related Information”...
  • Page 28: Where To Go For Related Information

    • Monospaced <>: Angle brackets enclose variables or placeholders. When following examples, replace the angle brackets and their text with text that applies to your situation. For example, when path names appear in angle brackets, substitute the path names used on your computer.
  • Page 29 • CMS Installation and Setup Guide (this guide) Describes how to plan for, install, and administer Certificate Management System. To access the installation and configuration information from within the CMS Installation Wizard or from the CMS window (within Netscape Console), click any help button.
  • Page 30 To view the HTML version of this guide, open this file: <server_root>/cert-<instance_id>/web/agent/manual/agent_guide/contents.htm To view the PDF version of this guide, open this file: <server_root>/manual/en/cert/pdf/cms45agent.pdf • End-Entity Help Provides detailed reference information on CMS end-entity interfaces. To access this information from the end-entity pages, click any help button.
  • Page 31: Part 1 Overview And Demo Installation

    Part 1 Overview and Demo Installation Chapter 1, “Introduction to Certificate Management System” Chapter 2, “Certificate Enrollment and Life-Cycle Management” Chapter 3, “Default Demo Installation”...
  • Page 33: Chapter 1 Introduction To Certificate Management System

    Chapter 1 Introduction to Certificate Management System This chapter introduces Netscape Certificate Management System (CMS), a highly configurable set of software components and tools for creating, deploying, and managing certificates. Based on open standards for certificate management, Certificate Management System leverages Netscape Directory Server and Netscape Console to provide a complete, scalable, high-performance certificate management solution for extranets and intranets.
  • Page 34: Overview Of Key Features

    Overview of Key Features: Certificate Management System has many core features. Support for open standards: With its support for open standards, Certificate Management System gives organizations confidence that they will be able to communicate within a heterogeneous computing environment.
  • Page 35 • Publishes certificates and CRLs to a flat file for importing into other resources. For example, the sample code for the Flat File CRL and certificate publisher can be customized to store certificates and CRLs in an Oracle RDBMS.
  • Page 36 Single CA supports multiple registration authorities: Certificate Management System lets you separate the registration process from the certificate-signing process with the help of Registration Managers. You can run multiple Registration Managers remotely, all reporting to a single Certificate Manager, to verify user identities and process certificate signing requests.
  • Page 37 CA scalability via cloning: If you don't want to create a CA hierarchy comprising root and subordinate CAs, you can create multiple clones of a Certificate Manager and configure each clone to issue certificates that fall within a distinct range of serial numbers. Because clone CAs use the same CA signing key and certificate as the master CA to sign the certificates they issue, the issuer name in all the certificates in your PKI setup is the same, as if they had all been issued by a single CA. The disjoint serial-number ranges are what keep the serials unique across clones; an issuer must never issue two certificates with the same serial.
  • Page 38: Flexible End-Entity Registration Services Framework

    Flexible end-entity registration services framework: The registration services framework for end entities includes the most commonly expected PKI features: manual, directory-based, directory- and PIN-based, NIS-based, and portal enrollments; certificate-authenticated renewals and revocations (based on SSL client authentication); and certificate life-cycle operations that include automated certificate renewal and expiration notifications.
  • Page 39 • Automatically delete expired and revoked certificates from the directory. • Connect to the directory using password-based (basic) authentication or certificate-based authentication (SSL client authentication over LDAP/SSL). Supports many methods for verifying the revocation status of certificates: Revocation status of a certificate can be made available to PKI entities by publishing the CRL to various repositories.
  • Page 40 Key archival and recovery for encryption private keys: If your organization uses S/MIME to encrypt mail messages, you can use the key archival feature offered by Certificate Management System to back up users' encryption private keys. This feature is useful when a key becomes unavailable, as in the following cases: •...
  • Page 41: System Overview

    Java SDK extension mechanism for customization: The software development kit (SDK) provided with Certificate Management System includes APIs and tutorials for customizing different aspects of the system. You can write the following custom modules: • Authentication, for authenticating end entities during certificate enrollment. •...
  • Page 42 • Secure Sockets Layer (SSL) • Lightweight Directory Access Protocol (LDAP) • Online Certificate Status Protocol (OCSP) • Wireless Transport Layer Security (WTLS) • X.509 certificate formats recommended by the International Telecommunication Union (ITU) • Public-Key Infrastructure (X.509) (PKIX) standards proposed by the PKIX working group of the Internet Engineering Task Force (IETF).
  • Page 43: Public-Key Infrastructure

    • Revoke certificates, and maintain and publish a list of revoked certificates. • Enable real-time verification of certificates by OCSP-compliant clients. • Search for certificates issued by the server. • Set up hierarchies of certificate authorities: multiple subordinate CAs chained up to a root CA.
  • Page 44: Cms Subsystems Or Managers

    End entities and CAs may be in different geographic or organizational areas or in completely different organizations that are linked through an extranet (that is, the extension of a company's internal network, or intranet) to selected customers, suppliers, and mobile employees via the Internet. CAs may include third parties that provide services through the Internet as well as the root CAs and subordinate CAs for individual organizations.
  • Page 45: Certificate Manager

    ...machine outside the firewall. Others may have a single CA run by a single Certificate Manager and hundreds of Registration Managers in different geographic locations. Still others may have many different CAs or subordinate CAs, and only a few Registration Managers. The sections that follow explain each subsystem in detail.
  • Page 46 Note that the publishing tasks can be performed by the Certificate Manager only. The Certificate Manager also has a built-in OCSP service, enabling OCSP-compliant clients to directly query the Certificate Manager about the revocation status of a certificate that it has issued. For example, if you plan to deploy a PKI comprising a master CA and many clone CAs, you can enable the OCSP service of the master CA.
  • Page 47: Registration Manager

    • Invalidity date. Indicates the date on which the private key corresponding to the public key certified by the certificate was (or is suspected to have been) compromised. Registration Manager: A Registration Manager is an optional component in the PKI, enabling you to separate the registration process from the certificate-signing process.
  • Page 48: Data Recovery Manager

    Data Recovery Manager: A Data Recovery Manager performs the long-term archival and recovery of private encryption keys for end entities. A Certificate Manager or Registration Manager can be configured to archive end entities' private encryption keys with a Data Recovery Manager as part of the process of issuing new certificates.
  • Page 49: Online Certificate Status Manager

    Table 1-1 Key pairs used by end entities and key pairs used by the Data Recovery Manager

    End-entity key pairs                          | Data Recovery Manager key pairs
    Signing key pair      | Encryption key pair   | Transport key pair     | Storage key pair
    Public signing key: ... | Public encryption key: ... | Public transport key: ... | Public storage key: ...
  • Page 50: Basic System Configuration

    Basic System Configuration: Figure 1-1 illustrates some of the data formats and protocols used among the four independent CMS managers and various kinds of end entities. To keep things simple, the figure assumes that each manager is installed in a different CMS instance and on a different machine.
  • Page 51 The end-entity data formats and transport methods shown in the figure are used to send enrollment and other requests to the Registration Manager (indicated by a right-pointing arrow) or to send responses back to the end entities (indicated by a left-pointing arrow).
  • Page 52 The Registration Manager communicates with the Data Recovery Manager and the Certificate Manager as necessary to facilitate certificate management operations such as enrollment, renewal, or key storage. When the four subsystems are installed in separate CMS instances (whether on the same machine or on different machines), they use proprietary connectors to communicate with each other over HTTPS, that is, HTTP over SSL, as shown in Figure 1-1.
  • Page 53 The Data Recovery Manager signs a proof-of-archival token with its private transport key and sends the token to the Registration Manager. The Registration Manager verifies the token and sends the certificate requests on to the Certificate Manager. The Certificate Manager issues the signing and encryption certificates and sends them back to the Registration Manager.
  • Page 54 The Data Recovery Manager indexes stored keys by owner name and a hash of the public key. This arrangement allows for highly efficient searching by name (all stored keys belonging to that owner are returned) or by public key (only the requested key is returned).
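The archival exchange described on pages 53 and 54, as an added example that is not part of the original guide or of CMS itself: a Go model of a Data Recovery Manager with a transport key pair (keys in transit) and a storage key pair (keys at rest), an archive indexed by owner name and by a hash of the public key, and a proof-of-archival token signed with the transport private key that the Registration Manager verifies before forwarding the request. The hybrid RSA-OAEP/AES-GCM envelope stands in for the PKCS #7 wrapping CMS uses on the wire; the index key (SHA-256 over the DER public key), the token format, the type and function names and the DNs are assumptions for illustration.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// envelope: AES-256-GCM ciphertext plus the AES key wrapped with RSA-OAEP (stands in for PKCS #7 EnvelopedData).
type envelope struct{ wrappedKey, nonce, ciphertext []byte }

func seal(to *rsa.PublicKey, plaintext []byte) envelope {
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key)
	rand.Read(nonce)
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	wrapped, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, to, key, nil) // a 32-byte key always fits
	return envelope{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}
}

func open(with *rsa.PrivateKey, e envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, with, e.wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, e.nonce, e.ciphertext, nil)
}

type archived struct { // one stored key, indexed by owner name and by public-key hash
	owner, pubHash string
	stored         envelope // private key re-encrypted under the storage key
}

// drm models a Data Recovery Manager: transport key pair for keys in transit, storage key pair for keys at rest.
type drm struct {
	transport, storage *rsa.PrivateKey
	byOwner            map[string][]*archived
	byPubHash          map[string]*archived
}

func newDRM() *drm {
	t, _ := rsa.GenerateKey(rand.Reader, 2048)
	s, _ := rsa.GenerateKey(rand.Reader, 2048)
	return &drm{t, s, map[string][]*archived{}, map[string]*archived{}}
}

func pubKeyHash(pub *rsa.PublicKey) string { // "search by public key" index: SHA-256 of the DER key (assumed)
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return fmt.Sprintf("%x", sha256.Sum256(der))
}

// enrollForArchival is the end-entity side: generate the encryption key pair and wrap its PKCS #8 key for the DRM.
func enrollForArchival(drmTransport *rsa.PublicKey) (*rsa.PrivateKey, envelope) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, _ := x509.MarshalPKCS8PrivateKey(priv)
	return priv, seal(drmTransport, der)
}

// Archive unwraps the key, checks it matches the public key being certified, stores and indexes it, and signs a token.
func (d *drm) Archive(owner string, pub *rsa.PublicKey, inTransit envelope) (token, sig []byte, err error) {
	der, err := open(d.transport, inTransit)
	if err != nil {
		return nil, nil, err
	}
	priv, err := x509.ParsePKCS8PrivateKey(der)
	if k, ok := priv.(*rsa.PrivateKey); err != nil || !ok || !k.PublicKey.Equal(pub) {
		return nil, nil, fmt.Errorf("transported private key does not match the public key for %s", owner)
	}
	rec := &archived{owner: owner, pubHash: pubKeyHash(pub), stored: seal(&d.storage.PublicKey, der)}
	d.byOwner[owner] = append(d.byOwner[owner], rec)
	d.byPubHash[rec.pubHash] = rec
	token = []byte("archived owner=" + owner + " key=" + rec.pubHash) // token format is an assumption
	digest := sha256.Sum256(token)
	sig, err = rsa.SignPSS(rand.Reader, d.transport, crypto.SHA256, digest[:], nil)
	return token, sig, err
}

// VerifyProof is the Registration Manager's check, using its pinned copy of the DRM transport public key.
func VerifyProof(drmTransport *rsa.PublicKey, token, sig []byte) bool {
	digest := sha256.Sum256(token)
	return rsa.VerifyPSS(drmTransport, crypto.SHA256, digest[:], sig, nil) == nil
}

func (d *drm) FindByOwner(owner string) []*archived          { return d.byOwner[owner] }
func (d *drm) FindByPublicKey(pub *rsa.PublicKey) *archived { return d.byPubHash[pubKeyHash(pub)] }
func (d *drm) Recover(rec *archived) ([]byte, error)        { return open(d.storage, rec.stored) } // agent-gated in CMS
func main() {
	d := newDRM()
	priv, env := enrollForArchival(&d.transport.PublicKey)
	fmt.Println(d.Archive("uid=alice", &priv.PublicKey, env))
}
```

Two checks are worth noting. The DRM refuses to archive a private key that does not correspond to the public key being certified; without that check a requester could have a key they do not own stored under their name and later "recovered". And the token is only as good as the verifier's copy of the DRM's transport key: the Registration Manager must pin that certificate rather than trust whatever key arrives alongside the token.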
  • Page 55: Plug-In Modules

    System administrators set up CMS subsystems through Netscape Console, and agents manage end-entity requests and certificates through HTML pages. For more information about facilities available to administrators and agents, see Chapter 13, “Managing Privileged Users and Groups.” Plug-in Modules: Certificate Management System includes a plug-in architecture for code modules that authenticate user identities and code modules that enforce policies.
  • Page 56 Table 1-2 Authentication plug-in modules for end-user enrollments. Manual authentication: Requires manual approval by an agent. This authentication module is hardwired; you cannot configure it. This ensures that when the server receives requests that lack authentication credentials, it sends them to the request queue for agent approval.
  • Page 57: Policy Plug-In Modules

    Policy Plug-in Modules: A policy module is a rule (implemented as a Java class) that validates the contents of a certificate request and formulates the contents of the certificate to be issued. Policy modules are also responsible for accepting, rejecting, or deferring the request.
  • Page 58 Table 1-3 Policy plug-in modules for checking and formulating certificate contents (continued). KeyAlgorithmConstraints: Allows the server to certify only those keys that are generated using one of the specified algorithms, such as RSA or DSA. RenewalConstraints: Allows or rejects requests for renewal of expired certificates.
  • Page 59 Table 1-4 Policy plug-in modules for setting extensions in certificates (continued). BasicConstraintsExt: Adds the Basic Constraints extension to certificates of a specified type. This extension is used during certificate chain verification to identify CA certificates and to apply certificate chain path length constraints.
  • Page 60 Table 1-4 Policy plug-in modules for setting extensions in certificates (continued). NSCCommentExt: Adds the Netscape Certificate Comment extension to certificates. The extension can be used to include textual comments in certificates. NSCertTypeExt: Adds the Netscape Certificate Type extension to certificates of a specified type.
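Added example (not code from the guide or from CMS) covering two points from this chapter: the clone CAs described under “CA scalability via cloning” (page 37) and the path length constraint that BasicConstraintsExt puts into CA certificates (page 59). It builds, in Go, a root CA, a subordinate CA with pathlen 0, and a clone of that subordinate that shares its key and certificate but issues from a disjoint serial-number range; it then shows that a leaf issued by a CA which the subordinate signed fails chain validation even though every signature is valid. The ca type, the range bookkeeping and all names are assumptions for illustration; P-256 keys and one-day validity are chosen only to keep the demo fast.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ca is one Certificate Manager instance: signing key, certificate, and the serial range it may issue from.
type ca struct {
	key        *ecdsa.PrivateKey
	cert       *x509.Certificate
	next, last int64
}

func newKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // cannot fail with rand.Reader
	return k
}

// newTemplate is a bare end-entity template (one-day validity keeps the demo simple).
func newTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), // overwritten by issue
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// asCA adds Basic Constraints: pathLen 0 allows end-entity certs only, pathLen < 0 omits the limit.
func asCA(t *x509.Certificate, pathLen int) *x509.Certificate {
	t.IsCA, t.BasicConstraintsValid = true, true
	t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	if pathLen >= 0 {
		t.MaxPathLen, t.MaxPathLenZero = pathLen, pathLen == 0
	}
	return t
}

// issue signs tmpl with c's key, taking the next serial from c's range and refusing once it is exhausted.
func (c *ca) issue(tmpl *x509.Certificate, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	if c.next > c.last {
		return nil, errors.New("serial-number range exhausted")
	}
	tmpl.SerialNumber = big.NewInt(c.next)
	c.next++
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, pub, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildHierarchy: root CA, then a pathlen-0 subordinate returned as master subA (1000-1999) and clone subB (2000-2999).
func BuildHierarchy() (root, subA, subB *ca) {
	rootKey, rootTmpl := newKey(), asCA(newTemplate("Root CA"), -1)
	der, _ := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	rootCert, _ := x509.ParseCertificate(der)
	root = &ca{key: rootKey, cert: rootCert, next: 2, last: 100}
	subKey := newKey()
	subCert, _ := root.issue(asCA(newTemplate("Sub CA"), 0), &subKey.PublicKey)
	subA = &ca{key: subKey, cert: subCert, next: 1000, last: 1999}
	subB = &ca{key: subKey, cert: subCert, next: 2000, last: 2999} // same key and cert, disjoint serials
	return root, subA, subB
}

// Verify chains leaf to root through inters; Go enforces IsCA and path length on every intermediate.
func Verify(root *ca, leaf *x509.Certificate, inters ...*x509.Certificate) error {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.cert)
	for _, c := range inters {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// PathLenViolation lets sub (pathlen 0) sign a CA cert, issues a leaf under it, and returns the leaf's chain error.
func PathLenViolation(root, sub *ca) error {
	ss := &ca{key: newKey(), next: 1, last: 9}
	ss.cert, _ = sub.issue(asCA(newTemplate("Sub-Sub CA"), -1), &ss.key.PublicKey)
	leaf, _ := ss.issue(newTemplate("carol"), &newKey().PublicKey)
	return Verify(root, leaf, sub.cert, ss.cert)
}

func main() {
	root, subA, subB := BuildHierarchy()
	a, _ := subA.issue(newTemplate("alice"), &newKey().PublicKey)
	b, _ := subB.issue(newTemplate("bob"), &newKey().PublicKey)
	fmt.Println(a.SerialNumber, b.SerialNumber, Verify(root, b, subA.cert), PathLenViolation(root, subA))
}
```

Running it prints serials 1000 and 2000, a nil error for the clone-issued leaf (it chains through the one shared subordinate certificate), and a "too many intermediates for path length constraint" error for the leaf below the sub-sub CA. Note that the clone scheme depends entirely on the ranges never overlapping; if a clone is rebuilt from a backup and reuses serials, two different certificates share an issuer and serial, which breaks CRL semantics.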
  • Page 61: Job Plug-In Modules

    In addition to the modules listed above, sample code provided with Certificate Management System demonstrates how to support additional extensions. The sample code is provided in the CMS Software Development Kit (SDK). For details, see section “CMS SDK” on page 65. For detailed information about using certificate extensions, see Appendix C, “Certificate and CRL Extensions”...
  • Page 62: Mapper And Publisher Plug-In Modules

    Mapper and Publisher Plug-in Modules: Mapper and publisher plug-in modules enable Certificate Management System to establish a connection with the configured repository and publish certificates and CRLs. For example, LDAP-related mapper and publisher plug-in modules enable Certificate Management System to function seamlessly with an LDAP-compliant directory, such as Netscape Directory Server, that organizations typically use to maintain corporatewide data about user and group accounts and other network resources.
  • Page 63 • Independent CAs can issue and manage certificates to their users listed in any LDAP-compliant directory. For more information on setting up Certificate Management System to publish certificates and CRLs, see Chapter 19 through Chapter 21. Table 1-6 lists the mapper modules supported by Certificate Management System out of the box.
  • Page 64: Event-Driven Notifications

    Table 1-7 Default publisher plug-in modules for publishing certificates and CRLs. FileBasedPublisher: Publishes certificates and CRLs to a flat file (for exporting into other repositories). LdapCaCertPublisher: Publishes or unpublishes a certificate to the caCertificate;binary attribute of the mapped directory entry as a DER-encoded binary blob.
  • Page 65: Command-Line Utilities

    Auxiliary Components: Command-Line Utilities. A number of command-line utilities or tools are bundled with Certificate Management System. These tools are useful for troubleshooting any problems that you may encounter with Certificate Management System. The binaries for all the utilities are located in this directory: <server_root>/bin/cert/tools For detailed information about these utilities, see the CMS Command-Line Tools Guide.
  • Page 66: Entry Points For Various Types Of Users

    • Miscellaneous information about CMS features such as an AutoInstaller, an AutoRestart script for UNIX, and a large zip file containing a sophisticated demonstration of ObjectSigning capabilities. • Examples of how to use Certificate Management System with some third-party products.
  • Page 67 Table 1-8 Certificate Management System user entry points. User type: End entity; Component/Tool: Web browser; CMS interface: End Entity Services. This interface provides the general front end for end-entity interactions with the server. Through this interface, the Certificate Manager or Registration Manager serves the appropriate HTML forms for end-entity operations (the Data Recovery Manager and Online Certificate Status Manager do not have an end-entity...
  • Page 68: Agent Services Interface

    Agent Services Interface: As an administrator, you can designate privileged users, called agents, for each subsystem. Agents are responsible for the day-to-day operation of requests from end entities. For details, see “Agents” on page 387. To enable agents to accomplish their duties, Certificate Management System provides a set of HTML forms for Certificate Manager, Registration Manager, Data Recovery Manager, and Online Certificate Status Manager agents.
  • Page 69: Registration Manager Agent Services

    Figure 1-5 Certificate Manager Agent Services interface. Using the default forms, a Certificate Manager agent can accomplish tasks such as these: • Listing deferred certificate requests from end entities and processing them • Listing certificates issued by the server •...
  • Page 70: Data Recovery Manager Agent Services

    Figure 1-6 Registration Manager Agent Services interface. Using the default forms, a Registration Manager agent can list deferred certificate requests from end entities and process them. Data Recovery Manager Agent Services: The Data Recovery Manager Agent Services interface enables a Data Recovery Manager agent to interact with the Data Recovery Manager (the server).
  • Page 71: Online Certificate Status Manager Agent Services Interface

    Figure 1-7 Data Recovery Manager Agent Services interface. Using the default forms, a Data Recovery Manager agent can search for and recover end users' encryption private keys from the key archive. (Key recovery requires authorization from key recovery agents;...
  • Page 72: End-Entity Services Interface

    Figure 1-8 Online Certificate Status Manager Agent Services interface. Using the default forms, an Online Certificate Status Manager agent can perform tasks such as checking which CAs are currently configured to publish their CRLs to the Online Certificate Status Manager, identifying a Certificate Manager to the Online Certificate Status Manager, adding CRLs directly to the Online Certificate Status Manager, and viewing the status of OCSP service requests submitted by...
  • Page 73: System Architecture

    For a summary of the various end entities, protocols, cryptographic algorithms, and key pairs (single or dual) supported by Certificate Management System, see “End Entities and Life-Cycle Management” on page 98. Figure 1-9 shows the end-entity services interface of a Certificate Manager. Figure 1-9 End-entity services interface. Note that the Data Recovery Manager and Online Certificate Status Manager do...
  • Page 74: Pkcs #11

    Figure 1-10 CMS architecture. PKCS #11: Public-Key Cryptography Standard (PKCS) #11 specifies an API used to communicate with devices that hold cryptographic information and perform cryptographic operations. Because it supports PKCS #11, Certificate Management System works with a wide range of hardware and software devices intended for such purposes.
  • Page 75 One or more PKCS #11 modules must be available to any CMS subsystem instance. As shown in Figure 1-10, a PKCS #11 module (also called a cryptographic module or cryptographic service provider) manages cryptographic services such as encryption and decryption via the PKCS #11 interface.
  • Page 76: Nss

    Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled communications applications. Applications built with the NSS libraries support the SSL protocol for authentication, tamper detection, and encryption as well as the PKCS #11 interface for cryptographic token interfaces.
  • Page 77: Authentication And Policy Modules

    Authentication and Policy Modules: The top layer of Figure 1-10 consists of authentication and policy modules. Several default modules ship with Certificate Management System; third parties can create their own custom modules using the APIs provided above the middleware and subsystem layers.
  • Page 78: Security And Directory Protocols

    • Certificate Management Messages over CMS (CMC). A general interface to public-key certification products based on CMS (here, the Cryptographic Message Syntax, not Certificate Management System) and PKCS #10, including a certificate enrollment protocol for DSA-signed certificates with Diffie-Hellman public keys. A proposed standard from the IETF PKIX working group. CMC incorporates CRMF and CMMF.
  • Page 79 • Public-Key Cryptography Standard (PKCS) #7. A data and message format developed by RSA Data Security to represent digital signatures, certificate chains, and encrypted data. This format is used to deliver certificates to end entities. • Public-Key Cryptography Standard (PKCS) #10. A message format developed by RSA Data Security for certificate requests.
  • Page 81: Chapter 2 Certificate Enrollment And Life-Cycle Management

    Chapter 2 Certificate Enrollment and Life-Cycle Management This chapter explains how you can use Netscape Certificate Management System (CMS) for issuing certificates to end entities such as web browsers, servers, routers, and so on. The chapter has the following sections: •...
  • Page 82 Steps in End-Entity Enrollment Authenticate user. Authentication can be either automatic or manual. If the CMS manager is configured for automatic authentication, the servlet uses the authentication module specified by the form to validate the information provided by the user. For example, the directory authentication module that comes with Certificate Management System validates the user ID and password by comparing it to the user’s entry in an LDAP directory.
  • Page 83 Steps in End-Entity Enrollment Roles of servlets, authentication modules, and policy modules in end-entity enrollment Figure 2-1 Chapter 2 Certificate Enrollment and Life-Cycle Management...
  • Page 84: Some Enrollment Scenarios

    Some Enrollment Scenarios: Successful PKI deployment requires flexible and easy enrollment for end entities as well as ongoing support for certificate life-cycle management, that is, management of each certificate from enrollment through encryption key storage (if necessary), renewal, and revocation. The preceding section describes the internal flow of control among servlets, authentication modules, and policy modules in a CMS manager (see Figure 2-1 for a summary).
  • Page 85: Extranet/E-Commerce: Acme Sales Corp

    • The Registration Manager provides only a subset of the capabilities of the Certificate Manager: those required for processing end-user requests. If the Registration Manager is compromised, the Certificate Manager can revoke its signing certificate (thus invalidating all subsequent requests from that Registration Manager) and issue a new one after the problem has been addressed.
  • Page 86: Enrolling Existing Customers

    The sections that follow describe how Acme uses Certificate Management System to achieve these goals: • Enrolling Existing Customers • Enrolling New Customers • Enrolling Extranet Users In all cases, Acme has decided to place its Certificate Manager behind the firewall and its Registration Manager outside the firewall, for reasons summarized in “Firewall Considerations”...
  • Page 87: Enrolling New Customers

    Figure 2-2 Custom authentication against an existing customer database. Enrolling New Customers: The following process will be used for enrolling new Acme customers. In this case, the Registration Manager uses manual authentication: an agent validates every certificate request personally before the certificate is issued. Figure 2-3 illustrates the steps in this process.
  • Page 88 Manual approval. The Registration Manager administrator may configure the Registration Manager to notify the agent via email whenever a new request is added to the request queue. In any case, when the agent processes the requests in the queue, he or she follows Acme's procedure for processing credit checks and validating other customer information, including making a personal phone call.
  • Page 89: Enrolling Extranet Users

    Figure 2-3 Manual authentication of new customers. Enrolling Extranet Users: Acme wants its new, certificate-enabled extranet applications to be available to contract workers, suppliers, employees, and others who routinely access parts of the company's internal network. In general, this can be achieved by using Kerberos or other non-PKI security systems as the authentication mechanism for requesting a certificate.
  • Page 90 For example, to get a certificate, a contractor provides an ID and password to the Registration Manager, which uses the Kerberos system to verify them before passing on the certificate request to the Certificate Manager. This arrangement involves the following steps, illustrated in Figure 2-4.
  • Page 91: Pin Registration: Atlas Manufacturing

    Figure 2-4 Custom authentication against an existing Kerberos security system. PIN Registration: Atlas Manufacturing. Atlas Manufacturing has decided to put information for its employees, suppliers, dealers, and customers (a total of nearly 500,000 people, including individual consumers and employees of several dozen other companies) on an extranet. Atlas already uses Netscape Directory Server to store names, addresses, and other information about the various groups of people who will need access to the extranet.
  • Page 92 ...results from salting and hashing. When customers use the PIN to enroll in the Atlas PKI, the PIN is automatically removed from the directory. Enrollment PINs are therefore easier to protect than passwords, which must be protected over a long period of time: a PIN is valid for a single enrollment and the directory never holds it in the clear.
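Added example, not from the guide or from CMS: a Go model of the PIN store described above. The directory entry holds a random salt and SHA-256(salt || PIN), never the PIN itself; enrollment compares the submitted PIN in constant time and deletes the entry on success so the same PIN cannot be replayed for a second enrollment. The hash construction, the map standing in for LDAP entries and the DNs are assumptions for illustration (the guide does not say which hash function CMS uses).

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
)

// pinEntry is what the directory holds for a user: a random salt and
// SHA-256(salt || PIN). The PIN itself is never written to the directory.
type pinEntry struct{ salt, hash []byte }

// directory stands in for the LDAP entries, keyed by the user's DN (assumed layout).
type directory map[string]*pinEntry

func hashPIN(salt []byte, pin string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pin))
	return h.Sum(nil)
}

// IssuePIN generates a numeric PIN of the given length, stores only its
// salted hash under dn, and returns the PIN for out-of-band delivery.
func (d directory) IssuePIN(dn string, digits int) (string, error) {
	pin := make([]byte, digits)
	for i := range pin {
		n, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			return "", err
		}
		pin[i] = '0' + byte(n.Int64())
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	d[dn] = &pinEntry{salt: salt, hash: hashPIN(salt, string(pin))}
	return string(pin), nil
}

// Enroll is the authentication step of a PIN-based enrollment: compare the
// submitted PIN in constant time and, on success, delete the PIN so the
// same value cannot be replayed for a second enrollment.
func (d directory) Enroll(dn, pin string) error {
	e, ok := d[dn]
	if !ok {
		return errors.New("no enrollment PIN on file for " + dn)
	}
	if subtle.ConstantTimeCompare(hashPIN(e.salt, pin), e.hash) != 1 {
		return errors.New("PIN does not match")
	}
	delete(d, dn)
	return nil
}

func main() {
	dir := directory{}
	dn := "uid=jdoe,ou=People,o=Atlas"
	pin, _ := dir.IssuePIN(dn, 8)
	fmt.Println("first use:", dir.Enroll(dn, pin))
	fmt.Println("replay:", dir.Enroll(dn, pin))
}
```

The single-use property is what makes a short numeric PIN acceptable here: an attacker who captures the PIN after the user has enrolled gains nothing, and one who guesses before the user enrolls is limited by the lockout or rate limit the directory front end applies to failed attempts, which this model leaves to the caller.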
  • Page 93: Vpn Client Enrollment And Revocation

    Figure 2-5 PIN-based enrollment. VPN Client Enrollment and Revocation: Virtual private network (VPN) client software runs on a user's desktop, outside the firewall, and uses the IP Key Management Protocol (IPKMP) or IP Security (IPSec) protocol to establish encrypted communication with VPN hardware that straddles the firewall.
  • Page 94 VPN client software can use several different protocols over HTTP or HTTPS to handle enrollment and other life-cycle management tasks. Certificate Management System supports the Certificate Enrollment Protocol (CEP) used by Cisco routers. CEP runs over HTTP and provides its own form of encryption. The following steps explain how VPN client software can use the Registration Manager and Certificate Manager to enroll in a PKI and what happens when the client's certificate is revoked.
  • Page 95 Figure 2-6 VPN client enrollment and revocation. The certificate includes information about a CRL distribution point, which is a directory that the VPN hardware can check for the latest CRL published by the Certificate Manager.
  • Page 96: Router Enrollment And Revocation

    Some Enrollment Scenarios Router Enrollment and Revocation Cisco routers support the use of certificates for authentication, encryption, and tamper detection with the IP Security (IPSec) protocol. Cisco routers also support CEP for certificate life-cycle management, as discussed in the previous section. The following steps describe how two routers can use a Certificate Manager to enroll in a PKI and what happens when a router’s certificate is revoked.
  • Page 97 Some Enrollment Scenarios Figure 2-7 Router enrollment and revocation.
  • Page 98: End Entities And Life-Cycle Management

    End Entities and Life-Cycle Management End Entities and Life-Cycle Management Certificate Management System provides default web forms for all end-entity interactions involved in managing the life cycle of a certificate. It also provides forms, collectively called Agent Services, for agent interactions. These forms can be used as is or customized.
  • Page 99: Access To Subsystems

    End Entities and Life-Cycle Management Table 2-1 End entities, message formats, algorithms, and key pairs supported by Certificate Management System. Columns: End entity software; Enrollment message format over HTTP or HTTPS; Cryptographic algorithms; No. of key pairs. Navigator 3.x: KEYGEN tag; signing and encryption; single key pair. Communicator 4.0 to 4.5...
  • Page 100 End Entities and Life-Cycle Management End-entity interactions can take place over HTTP or HTTPS. For example, routers using CEP, which includes its own encryption scheme, use HTTP rather than HTTPS. For a more detailed discussion of these ports and examples of hands-on use, see Chapter 3, “Default Demo Installation.”...
  • Page 101: Html Forms For End Users

    End Entities and Life-Cycle Management HTML Forms for End Users Each type of end-entity form provided by a Registration Manager or Certificate Manager determines the type of client, such as Communicator or Internet Explorer, and presents the appropriate input page. Each form also specifies both an authentication module and an output template.
  • Page 102: Netscape Personal Security Manager

    End Entities and Life-Cycle Management Table 2-2 shows the protocols supported by the default CMS life-cycle management servlets. Any of the HTML forms and their HTML help text can be customized. The Registration Manager also supports the creation of new forms. Some output templates can also be customized.
  • Page 103 End Entities and Life-Cycle Management • Automatic storage of encryption private keys with the Data Recovery Manager at the time a certificate is issued, if requested by the Registration Manager. • Automatic revocation checking each time Personal Security Manager verifies a certificate.
  • Page 104 End Entities and Life-Cycle Management Netscape Certificate Management System Installation and Setup Guide • October 2001...
  • Page 105: Chapter 3 Default Demo Installation

    Chapter 3 Default Demo Installation This chapter describes how to set up a simple installation that demonstrates the basic capabilities of a Certificate Manager with an integrated Registration Manager. It is intended for administrators who are already familiar with PKI concepts.
  • Page 106: System Requirements

    System Requirements System Requirements This section summarizes the basic software and hardware requirements for any machine on which you intend to install Certificate Management System instances and related software: • Operating System and Software Required • Platform Requirements. NOTE Be sure to check the Release Notes that came with the product. It would contain any last-minute changes to the information specified in this section.
  • Page 107 System Requirements Table 3-1 Software and hardware requirements. Solaris platform requirements: OS version: Solaris 2.6 or 8 (with relevant Java 2 patches). Machine: Ultra 10 or faster. Memory: 128 MB (required). Hard disk storage space: total required is approximately 400 MB, broken down as follows: •...
  • Page 108: Overview Of The Default Demo

    Overview of the Default Demo Overview of the Default Demo The default demo installation described in this chapter is intended to provide a quick, hands-on experience of the basic Certificate Management System interfaces. It is intended for demonstration purposes only and relies on a number of default settings that may not be appropriate for a mission-critical installation.
  • Page 109 Overview of the Default Demo • Internal Database (Netscape Directory Server) for Certificate Management System. For each instance of Certificate Management System you install an instance of Netscape Directory Server that acts as the internal database for certificate and request information. You use the main window of Netscape Console to perform basic tasks such as starting and stopping a server.
  • Page 110 Overview of the Default Demo Figure 3-1 Software installed and port numbers assigned for the default demo. You will also be asked to provide additional information, such as the name of each server instance to be installed, the names and passwords of various types of administrators, and information related to the CA signing certificate and SSL server certificate that the Certificate Manager must have available before it can begin operation.
  • Page 111: Demo Passwords

    Overview of the Default Demo To keep things simple for the default demo, most of the information requested during installation is set either to a default or to some arbitrary, convenient value. Before you attempt to install more sophisticated pilots or a full-scale deployment, you should read Chapter 4, “Planning Your Deployment”...
  • Page 112: Installing The Default Demo

    Installing the Default Demo <single-signon password>: This password protects the <intdb password> and <token password>. Use this password to start Certificate Management System. Installing the Default Demo The installation script installs and starts an Administration Server and a Directory Server; the process is slightly different for Windows NT and UNIX systems. The Installation Wizard, which is the same on both systems, installs Certificate Management System itself and creates the system’s certificates.
  • Page 113 Installing the Default Demo Server root [/usr/netscape/server4]: Press Enter to accept the default server root directory. (If you are not installing as root, you probably will not have root permission to create directories in /usr, so you will have to choose another location.) Specify the components you wish to install [All]: Press Enter to accept the...
  • Page 114: Step 1. Run The Installation Script-Windows Nt

    Installing the Default Demo Suffix [o=mydomain.com]: Press Enter to accept the default. Directory Manager DN [cn=Directory Manager]: Press Enter to accept the default, then enter the <dir mgr password>. Administration Domain [mydomain.com]: Press Enter to accept the default. Administration port [random #]: Type 4444 and press Enter.
  • Page 115 Installing the Default Demo Welcome. Click Next. Software License Agreement. Click Yes. Select Server or Console Installation. Leave the default setting (Netscape Servers) selected and click Next. Chapter 3 Default Demo Installation...
  • Page 116 Installing the Default Demo Choose the Installation Type. Leave the default setting (Typical) selected and click Next. Choose Installation Directory. Leave the default setting (C:\Netscape\Server4) selected and click Next.
  • Page 117 Installing the Default Demo Select Products. Leave all four components selected and click Next. Directory Server 4.13. Leave the default setting (This instance will be the configuration directory server) selected and click Next.
  • Page 118 Installing the Default Demo Directory Server 4.13. Leave the default setting (Store data in this directory server) selected and click Next. Directory Server 4.13 Server Settings. Type the following values, then click Next: Server identifier: configdir. Server port: Accept the default. Suffix: Accept the default, which should be your company’s domain name, in the form o=<your_domain>.<domain>...
  • Page 119 Installing the Default Demo Configuration Directory Administrator ID: admin. Password: <admin password>. Password (again): <admin password>. Directory Server 4.13 Administration Domain. Accept the default, which should be your company’s domain name, in the form <your_domain>.<domain>. Directory Server 4.13 Directory Manager Settings. Type the following values, then click Next:
  • Page 120 Installing the Default Demo Directory Manager DN: cn=Directory Manager. Password: <dir mgr password>. Password (again): <dir mgr password>. Administration Server Port Selection. Type the value 4444 and click Next.
  • Page 121 Installing the Default Demo Certificate Management System Server identifier. Type the value demoCA and click Next. Configuration Summary. Click Next. Setup. At this point, the installation script extracts and installs the binaries for all of the servers in the server root directory and creates and starts instances of the Administration Server and Directory Server.
  • Page 122: Step 2. Run The Installation Wizard

    Installing the Default Demo Setup Complete. Leave the default setting (Launch the Netscape Console) selected and click Finish. The first phase of the installation is now complete. The installation script has installed Netscape Console, installed and started an Administration Server and its configuration directory, and copied the files for Certificate Management System.
  • Page 123 Installing the Default Demo If the Administration URL is not filled in, enter http://<myhost>:4444. In the navigation tree at the left, open your computer, then open Server Group. Select cert-demoCA and double-click it; alternatively, click the Open button on the Certificate Management System panel on the right. After a few moments, the Installation Wizard appears.
  • Page 124 Installing the Default Demo Introduction. Click Next. Internal Database. Type the following values, then click Next: Instance ID: Accept the default (demoCA-db). Port number: Accept the default (38900). Directory Manager DN: cn=Directory Manager. Password: <intdb password>. Password (again): <intdb password>...
  • Page 125 Installing the Default Demo At this point the system creates the internal database, which can take some time. Administrator. Type the following values, then click Next: Administrator ID: CMSadmin. Full name: Accept the default value. Password: <CMS password>. Password (again): <CMS password>...
  • Page 126 Installing the Default Demo Subsystems. Click Next to accept the default selection (Certificate Manager only). Remote Data Recovery Manager. Click Next to accept the default selection. At this point the system configures the internal database, which can take some time.
  • Page 127 Installing the Default Demo Internal OCSP Service. Click Next to accept the default (the option is selected). Network Configuration. Select the Enable checkbox to enable the non-SSL end-entity gateway, then accept the default values listed below. If one of the default ports is unavailable, a different, randomly selected port will appear in the form.
  • Page 128 Installing the Default Demo Key-Pair Information for Certificate Manager CA Signing Certificate. Type the following values, then click Next: Token: Accept the default value (Internal). Password: <token password>. Password (again): <token password>. Key type: Accept the default value. Key length: Select 1024 and leave the custom key-length field blank.
  • Page 129 Installing the Default Demo Subject Name for Certificate Manager CA Signing Certificate. Type the following values, then click Next: Common name (CN=): Demo CA Organization Unit (OU=): CMS Demo Organization (O=): <name of your company> Locality (L=): <name of your locality> State (ST=): <name of your state, province, or territory>...
  • Page 130 Installing the Default Demo Certificate Extensions for Certificate Manager CA Signing Certificate. Click Next to accept the default selections. Certificate Manager CA Signing Certificate Creation. Click Next. SSL Server Certificate. Click Next to accept the default selection (Sign SSL selected).
  • Page 131 Installing the Default Demo Key-Pair Information for Server SSL Certificate. Change the Key length to 1024, accept the default values for other fields, then click Next. Message Digest Algorithm. Click Next to accept the default (SHA1). Subject Name for SSL Server Certificate. Type the following values, then click Next.
  • Page 132 Installing the Default Demo Validity Period for SSL Server Certificate. Modify year and month values of “Expire on” date to allow a validity period of one month from the installation date, then click Next.
  • Page 133 Installing the Default Demo Certificate Extensions for SSL Server Certificate. Click Next to accept the default selections. SSL Server Certificate Creation. Click Next. The generation of the certificate can take some time. Set Up Single Signon Password. Type the following values, then click Next. Single signon password: <single-signon password>...
  • Page 134 Installing the Default Demo Configuration Status. Click Done. Certificate Management System starts automatically.
  • Page 135: Step 3. Get The First User Certificate

    Installing the Default Demo The installation and configuration of Certificate Management System is now complete, and the Certificate Manager is running. The user interface of Certificate Management System is now available through the web gateways whose ports you specified during installation. You can access them directly in a web browser by going to those ports using the appropriate protocol.
  • Page 136 Installing the Default Demo The first time you access this port, the system opens the Administrator/Agent Certificate Enrollment form. Because you have accessed an SSL port, Certificate Management System presents its SSL server certificate to your browser for authentication. This is the SSL server certificate that you just created during installation.
  • Page 137: If You Need The First Agent Form Again

    Installing the Default Demo Subject Name Full name: CMS Administrator Login name: CMSadmin Email address: <your email address> Organization unit: CMS Demo Organization: <name of your company> User’s Key Length Information Key Length: Select 1024 (High Grade) Note that the validity period of this initial agent certificate is hard-coded as one year.
  • Page 138: Using The Default Demo

    Using the Default Demo Change false to true, and save the file. Start the server from the CMS window where you stopped it. Alternatively, right-click on cert-demoCA in the left frame and choose Start Server. Enter your <single-signon password>. The next time you access https://<hostname>:8100, the Administrative/Agent Enrollment form will be available again.
  • Page 139: Viewing Issued Certificates From The Agent Gateway

    Using the Default Demo • In “Enrolling for a Certificate From the End-Entity Gateway,” you will enroll for a certificate by using the manual enrollment procedure. • In “Finding and Approving a Certificate Request,” you will approve the new certificate enrollment request and issue a new agent certificate. •...
  • Page 140: Enrolling For A Certificate From The End-Entity Gateway

    Using the Default Demo Click End Users Services. The Enrollment tab for the non-SSL end-entity gateway appears. Click the Retrieval tab. The form that appears is for the first option, List Certificates. Type into the field labeled “Lowest serial number,” then click Find to list the certificates that the Certificate Manager has issued so far.
  • Page 141: Finding And Approving A Certificate Request

    Using the Default Demo Follow the instructions your browser presents as it generates a key pair. After the key pair has been generated, the Certificate Manager displays a notice that the certificate request has been submitted, including a request ID. Use the browser’s Back button to go back to the Services Summary page.
  • Page 142: Setting Your Browser To Use The Agent Certificate

    Using the Default Demo Click Show Certificate to view the new certificate. At the bottom of the page is a button labeled Import Your Certificate. Normally, you would mail this page to the requestor, or the Certificate Manager would mail the requestor an automatic notification containing the certificate and instructions.
  • Page 143: Create A Policy

    Using the Default Demo Before you continue, you might want to try accessing the new installation from another computer and with a different login. Try enrolling for user certificates from there, using both the SSL and non-SSL end-user gateways. If you wish, you can also enroll for additional agent certificates.
  • Page 144 Using the Default Demo Log in as admin, giving the password <admin password>. The main window of Netscape Console appears. In the navigation tree on the left, open your computer, then open Server Group. Select the CMS instance (cert-demoCA). In the Certificate Management System panel at the right, click Open.
  • Page 145: Use An Ldap Directory

    Using the Default Demo In the Policy Editor dialog box, provide the following information: minSize: 1024; maxSize: 2048; exponents: accept the default setting; enable: true; predicate: HTTP_PARAMS.certType==client. The predicate HTTP_PARAMS.certType==client indicates that this policy will be applied to certificate requests for client certificates only. The minSize sets the minimum allowed length for the RSA key pair used to generate the request;...
  • Page 146: Step 1. Enable Directory-Based Authentication

    Using the Default Demo You will first try to enroll using 512-bit keys; the enrollment will fail because of the policy requiring 1024-bit keys. After you submit a new request with a 1024-bit key, Certificate Management System should authenticate the user information in the directory and issue the certificate automatically.
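    The key-length policy and its predicate, as an added example rather than code from the guide or from Certificate Management System itself: a small model of how a policy with minSize, maxSize, enable and the predicate HTTP_PARAMS.certType==client decides whether the 512-bit and 1024-bit enrollment attempts described above are accepted. The Request type, the evaluation order, the treatment of non-RSA keys and the sample requests are assumptions made for the example.

```python
"""Added example (not code from the Netscape CMS guide): a model of the demo's
RSA key-length policy. Parameter names (minSize, maxSize, enable, predicate)
and the predicate form HTTP_PARAMS.certType==client come from the guide; the
Request type, the evaluation order and the sample requests are assumptions."""
import re
from dataclasses import dataclass


@dataclass
class Request:
    """What the policy sees: form fields from the enrollment page plus the
    key type and key length taken from the submitted key-generation data."""
    http_params: dict
    key_type: str
    key_size: int


@dataclass
class KeyLengthPolicy:
    minSize: int = 1024
    maxSize: int = 2048
    enable: bool = True
    predicate: str = ""  # empty: the policy applies to every request


# Only the single-comparison predicate form used in the demo is supported here.
_PREDICATE = re.compile(r"^\s*HTTP_PARAMS\.(\w+)\s*(==|!=)\s*(\S+)\s*$")


def predicate_matches(predicate, request):
    """True when the policy applies to this request."""
    if not predicate.strip():
        return True
    m = _PREDICATE.match(predicate)
    if m is None:
        raise ValueError(f"unsupported predicate: {predicate!r}")
    name, op, expected = m.groups()
    actual = request.http_params.get(name)
    return actual == expected if op == "==" else actual != expected


def apply_policy(policy, request):
    """Return (accepted, reason). A request the policy does not cover passes
    through unchanged, which is why server-certificate requests are unaffected."""
    if not policy.enable:
        return True, "policy disabled"
    if not predicate_matches(policy.predicate, request):
        return True, "predicate not matched; policy not applied"
    if request.key_type.upper() != "RSA":
        return True, "not an RSA key; policy not applied"
    if request.key_size < policy.minSize:
        return False, f"RSA key length {request.key_size} is below the minimum {policy.minSize}"
    if request.key_size > policy.maxSize:
        return False, f"RSA key length {request.key_size} exceeds the maximum {policy.maxSize}"
    return True, "RSA key length within policy"


# The values entered in the Policy Editor for the demo.
DEMO_POLICY = KeyLengthPolicy(minSize=1024, maxSize=2048, enable=True,
                              predicate="HTTP_PARAMS.certType==client")


def demo_walkthrough():
    """The two enrollment attempts from the demo (constructed sample data):
    first a 512-bit key, which the policy rejects, then a 1024-bit key."""
    first = Request({"certType": "client", "uid": "utwo"}, "RSA", 512)
    second = Request({"certType": "client", "uid": "utwo"}, "RSA", 1024)
    return apply_policy(DEMO_POLICY, first)[0], apply_policy(DEMO_POLICY, second)[0]


if __name__ == "__main__":
    print(demo_walkthrough())  # (False, True)
```

    The point to notice is the predicate: with certType==client the policy never touches server-certificate requests, so a weak server key would pass this policy untouched and would need a separate policy of its own.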
  • Page 147: Step 2. Add A User To The Directory

    Using the Default Demo ldap.ldapconn.version: ldap.basedn: o=<your domain>.<domain> ldap.minConns: ldap.maxConns: Click OK. NOTE If you leave the dnpattern field blank, the default dnpattern used is E=$attr.mail,CN=$attr.cn,O=dn.o,C=$dn.c. This pattern works well with Communicator and other browsers. For the demo, you used a simpler dnpattern to avoid configuring other things.
  • Page 148 Using the Default Demo To add a user to the configuration directory’s subtree for users and groups: Start Netscape Console again, or go back to the main window. Select the Users and Groups tab and click Create (in the lower right corner). In the Select Organization Unit dialog box, select People and click OK.
  • Page 149: Step 3. Enroll With Directory-Based Authentication

    Using the Default Demo Click OK. You can see that User Two has been added to the list of users. Step 3. Enroll with Directory-Based Authentication Now that there is a user in the authentication directory, you can test directory-based authentication. In order to show the key length policy working, you will request the certificate using a 512-bit key first, then change the request to use a 1024-bit key.
  • Page 150: Publish Certificates To An Ldap Directory

    Using the Default Demo Click OK, and provide your key database password if requested. After the key is generated, your browser submits the certificate request to the Certificate Manager. The Certificate Manager verifies the request against all applicable policies (including the RSA key length policy for client certificates you configured earlier).
  • Page 151: Configure The Publishing Destination

    Using the Default Demo Mappers translate objects (such as certificates) in the internal database into some other form for publishing. You will configure an LDAP mapper to translate the user name in a client certificate request to a distinguished name (DN) in the publishing directory.
  • Page 152 Using the Default Demo Enter information in the Destination area to identify the directory to which you want to publish (use the configuration directory, where User Two’s entry is stored): Host Name: <machine_name>.<your_domain>.<domain> Port Number: Directory Manager DN: cn=Directory Manager Password: <dir mgr password>...
  • Page 153: Set Rules For Publishing Certificates

    Using the Default Demo Set Rules for Publishing Certificates In this section, you configure Certificate Management System to map client certificates to entries in the People subtree of o=<your_domain>.<domain>, using the user ID from the certificate request. To configure Certificate Management System to publish user certificates to an LDAP directory: Open the CMS console window and select the Configuration tab.
  • Page 154: Update The Publishing Directory

    Using the Default Demo Change the dnPattern parameter value to UID=$req.UID, OU=people, O=<your domain>.<domain>. This pattern will cause the mapper to formulate a DN using the user ID from the certificate request (the data entered in the User ID field on the end entity enrollment form) and fixed values for OU and O.
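    The DN formulation just described, as an added example that is not code from the guide or from Certificate Management System: a small interpreter for dnPattern strings that substitutes $req.<field> (enrollment-form data, as in the demo's UID=$req.UID pattern) and, for the default pattern noted under "Step 2. Add a User to the Directory", $attr.<name> (attributes of the authenticating directory entry) and $dn.<component> (components of the request's subject DN). It assumes that the O component of that default pattern is meant to be the variable $dn.o, that values are escaped per RFC 4514, and it uses constructed sample values; the variable sources and escaping rules are assumptions, not the product's documented behaviour.

```python
"""Added example (not code from the Netscape CMS guide): an interpreter for
dnPattern strings used by an LDAP mapper. The $req/$attr/$dn variable
sources, the RFC 4514 escaping and the sample values are assumptions."""
import re

_VAR = re.compile(r"\$(req|attr|dn)\.(\w+)")


def escape_rdn_value(value):
    """Escape an attribute value per RFC 4514, so that end-entity form data
    such as a UID containing ',' or '=' cannot add or alter RDNs and map the
    certificate onto some other entry in the publishing directory."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def parse_dn(dn_string):
    """Split a subject DN such as 'CN=User Two,O=Example Corp,C=US' into
    {'cn': 'User Two', 'o': 'Example Corp', 'c': 'US'} (splitting only on
    unescaped commas)."""
    result = {}
    for part in re.split(r"(?<!\\),", dn_string):
        attr, _, value = part.strip().partition("=")
        result[attr.strip().lower()] = value.replace("\\,", ",")
    return result


def format_dn(pattern, req=None, attrs=None, dn=None):
    """Build the publishing DN from a dnPattern. Each comma-separated RDN of
    the pattern is processed on its own before substitution, so a substituted
    value can never change the number or order of RDNs."""
    sources = {"req": req or {}, "attr": attrs or {}, "dn": dn or {}}

    def substitute(match):
        source, name = match.groups()
        table = sources[source]
        key = name if name in table else name.lower()
        if key not in table:
            raise KeyError(f"${source}.{name} is not available for this request")
        return escape_rdn_value(str(table[key]))

    return ",".join(_VAR.sub(substitute, part.strip()) for part in pattern.split(","))


if __name__ == "__main__":
    # Demo pattern with a constructed User ID; the O value is a sample domain.
    print(format_dn("UID=$req.UID, OU=people, O=example.com", req={"UID": "utwo"}))
    # Default pattern, fed by a constructed directory entry and subject DN.
    print(format_dn("E=$attr.mail,CN=$attr.cn,O=$dn.o,C=$dn.c",
                    attrs={"mail": "utwo@example.com", "cn": "User Two"},
                    dn=parse_dn("CN=User Two,O=Example Corp,C=US")))
    # A User ID that tries to smuggle in an extra RDN stays a single value.
    print(format_dn("UID=$req.UID, OU=people, O=example.com",
                    req={"UID": "utwo,OU=admins"}))
```

    The escaping step is the part a deployment should care about: the User ID is typed by the end entity on the enrollment form, so a mapper that pasted it into the DN verbatim would let the requestor choose which directory entry receives the published certificate.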
  • Page 155 Using the Default Demo To view the directory entry for User Two: Go to the Netscape Console main window, select the configuration directory (configdir) in the navigation tree, and then click Open. Click the Directory tab. The directory information trees are represented in the navigation tree on the left.
  • Page 156: Send Renewal Reminders

    Using the Default Demo Return to the Edit Entry dialog for User Two (repeat the previous procedure if necessary) and click Advanced to open the Property Editor. The first attribute listed is now the Certificate for User Two. The certificate is in an unreadable binary form, so you do not see any actual data.
  • Page 157: Configuring A Mail Server For Certificate Management System

    Using the Default Demo Configuring a Mail Server for Certificate Management System To configure the server from which Certificate Management System can send mail: Open the CMS console window and select the Configuration tab. Click the SMTP tab. Type the host name of your mail server in the “Server name” field. Enter the port number your server uses for SMTP in the Port Number field.
  • Page 158 Using the Default Demo Click Edit/View. The Job Instance Editor dialog box displays. By default this job is enabled and scheduled to notify end-entities 30 days before their certificates expire. You will change the settings so that renewal notices begin 400 days before the certificate expires (so you will get notices for the certificates issued during this demonstration).
  • Page 159 Using the Default Demo The next step will turn on the Job Scheduler. Once the scheduler is enabled you will receive at least two email messages every minute. Make sure you turn off the Job Scheduler after a few minutes to avoid a flood of email messages. Select the Enable Jobs Scheduler checkbox.
  • Page 160 Using the Default Demo Messages with the subject “Certificate Renewal Notification Summary” are examples of the summary report sent to the address in the job’s summaryRecipientEmail parameter (usually a CMS agent). These messages list all of the certificates that are about to expire (according to the job’s notifyTriggerOffset parameter) and whether or not the Certificate Manager succeeded in sending a renewal notice.
  • Page 161: Part 2 Planning And Installation

    Part 2 Planning and Installation Chapter 4, “Planning Your Deployment” Chapter 5, “Installation Worksheet” Chapter 6, “Installing Certificate Management System” Chapter 7, “Installing and Uninstalling CMS Instances” Chapter 8, “Starting and Stopping CMS Instances”...
  • Page 163: Chapter 4 Planning Your Deployment

    Chapter 4 Planning Your Deployment Before installing Netscape Certificate Management System (CMS) in any real-life deployment, you first need to plan all aspects of the proposed installation. It’s important to consider all potential issues carefully before installation. Omissions or faulty assumptions in the planning process can cause severe problems later. This chapter provides an overview of the most important decisions you need to make.
  • Page 164: Topology Decisions

    Topology Decisions Topology Decisions Certificate Management System allows you to install the Certificate Manager, Registration Manager, Data Recovery Manager, and Online Certificate Status Manager in many different configurations. Since CAs can delegate some responsibilities to subordinate CAs, a Certificate Manager might delegate responsibilities to one or more levels of subordinate Certificate Managers.
  • Page 165: Single Certificate Manager

    Topology Decisions Single Certificate Manager Some deployments may require only a single Certificate Manager that handles all end-entity interactions and provides no key archival and recovery capabilities. This Certificate Manager can use a signing certificate issued by a public certificate authority or its own self-signed CA signing certificate to sign all the certificates it issues.
  • Page 166: Certificate Manager And Registration Manager

    Topology Decisions The arrangement shown in Figure 4-1 is equivalent to the capabilities provided by Netscape Certificate Server 1.x—with the addition of new Certificate Management System features such as Digital Signature Algorithm (DSA) signing, support for PKCS #11, and support for a wider variety of end-entity protocols. Certificate Manager and Registration Manager Many organizations need to separate the role of the Registration Manager from the role of the Certificate Manager.
  • Page 167 Topology Decisions Figure 4-2 Certificate Manager and Registration Manager in different instances. In many organizations, it may be desirable to deploy multiple Registration Managers that all communicate with a single Certificate Manager. Each separate Registration Manager, for example, might handle all end-entity interactions in a particular geographic area or within an organizational group.
  • Page 168: Certificate Manager And Data Recovery Manager

    Topology Decisions Certificate Manager and Data Recovery Manager If an organization requires key archival and recovery capabilities—for example, if encrypted mail is widely used and the organization risks data loss if it is unable to recover encryption keys—it can install a Data Recovery Manager. This can be done without regard for the presence or absence of a separate Registration Manager.
  • Page 169 Topology Decisions Figure 4-3 Certificate Manager and Data Recovery Manager in different instances. The Data Recovery Manager is intended for archival and recovery of private encryption keys only. Therefore end entities must be using either a browser that supports dual-key generation or a browser that is using Netscape Personal Security Manager, which supports dual keys.
  • Page 170: Certificate Manager, Data Recovery Manager, And Registration Manager

    Topology Decisions Like a Certificate Manager, a Data Recovery Manager has special physical security requirements, since a compromised Data Recovery Manager would have devastating security consequences for your entire PKI. You may therefore want to keep the Data Recovery Manager in a special locked room or building, a choice that can affect your deployment strategy.
  • Page 171 Topology Decisions Figure 4-4 Certificate Manager, Registration Manager, and Data Recovery Manager in separate instances. NOTE The current design of Certificate Management System assumes that most deployments will rely on a single Data Recovery Manager (associated with either a Registration Manager or a Certificate Manager).
  • Page 172: Cloned Certificate Manager

    Topology Decisions You can choose to install either a Certificate Manager and Data Recovery Manager or a Registration Manager and Data Recovery Manager in a single instance. There is no need to install a Certificate Manager and Registration Manager in the same instance;...
  • Page 173: Certificate Authority Decisions

    Certificate Authority Decisions A cloned Certificate Manager will have all the same features, agent gateway functions, and end entity gateway functions that a normal Certificate Manager has. You can then configure Registration Managers that point to different Certificate Manager servers but that appear to be serviced by the same CA. Certificate Authority Decisions This section covers some of the critical decisions you need to make about your certificate authority:...
  • Page 174: Ca Signing Key Type And Length

    Certificate Authority Decisions CA Signing Key Type and Length If you wish, you can import the signing key and certificate used in a previous version of CMS installation rather than generating a new signing key pair. For information on how to do this, check the upgrading information. If you decide to generate a new signing key, one of the first decisions you need to make is whether to use the RSA or DSA algorithm.
  • Page 175: Cas And Certificate Extensions

    Certificate Authority Decisions If you want your CA to chain up to a third-party public CA, you must carefully consider the restrictions that public CAs place on the kinds of certificates your CA can issue and the nature of the certificate chain. For example, a CA that chains up to a third-party CA might be restricted to issuing only Secure Multipurpose Internet Mail Extensions (S/MIME) and SSL client authentication certificates—not SSL server certificates.
  • Page 176: Ca Certificate Renewal Or Reissuance

    Certificate Authority Decisions The Internet Engineering Task Force (IETF), which controls many of the standards that underlie the Internet, is currently developing public-key infrastructure X.509 (PKIX) standards. These proposed standards further refine the X.509 v3 approach to extensions for use on the Internet. PKIX working group recommendations should also be taken into account when planning extensions for CA certificates, subordinate CA certificates, and end-entity certificates.
  • Page 177: Cryptographic Token Decisions

    Cryptographic Token Decisions For a discussion of CA certificate expiration issues in the context of Certificate Server 1.x, see http://help.netscape.com/products/server/certificate/cacertdoc/. Many of the same issues apply to Certificate Management System. For detailed information on certificate extensions, see Appendix C, “Certificate and CRL Extensions”...
  • Page 178: Publishing Certificates And Crls To Files

    Publishing Decisions Publishing Certificates and CRLs to Files Any Certificate Manager that publishes certificates or CRLs to files needs to specify the location for storing these files. There will be a file for each certificate and CRL, so the specified location must have sufficient disk space for storing these files. For detailed information on publishing certificates and CRLs to files, see Chapter 20, “Publishing Certificates and CRLs to a File.”...
  • Page 179: Publishing Crls To The Online Certificate Status Manager

    Publishing Decisions • If authentication is based on SSL client authentication, the directory administrator needs to create an entry in the directory’s certmap.conf file. The certmap.conf entry maps the DN in the subsystem’s client certificate to a directory entry that specifies write permission to the appropriate portion of the directory tree.
  • Page 180: Subsystem Certificate Decisions

    Subsystem Certificate Decisions Subsystem Certificate Decisions Using a self-signed signing certificate for the Certificate Manager simplifies the deployment of an initial pilot. You can install the Certificate Manager without having to apply to a public certificate authority and wait for it to issue, sign, and return your CA signing certificate.
  • Page 181: Registration Manager Certificates

    Subsystem Certificate Decisions If the Certificate Manager is acting as a root CA, the CA certificate must be installed and trusted by each client that needs to validate certificates issued by the root Certificate Manager. In the context of a PKI, trust refers to the relationship between the user of a certificate and the CA that issued the certificate.
  • Page 182: Data Recovery Manager Certificate And Storage Key

    Subsystem Certificate Decisions Data Recovery Manager Certificate and Storage Key The Data Recovery Manager needs a transport certificate and a storage key: • The Data Recovery Manager transport certificate has a public key used by end-entity software to encrypt the private encryption key belonging to an end entity so that it can be sent (via the Registration Manager) to the Data Recovery Manager.
  • Page 183: Authentication Decisions

    Authentication Decisions The Online Certificate Status Manager also requires at least one SSL server certificate. For more information about the key pairs and certificates used by an Online Certificate Status Manager, see “Online Certificate Status Manager’s Key Pairs and Certificates” on page 449. Authentication Decisions CMS managers use authentication modules to verify the identity of a user requesting a service, such as certificate enrollment.
  • Page 184: Deployment Strategy And Port Assignments

    Deployment Strategy and Port Assignments Policies configured for a Certificate Manager apply to all certificates issued by that Certificate Manager or its subordinates. Policies configured for a Registration Manager subsystem are local to the Registration Manager. This distinction can be used to model the levels of authority within an organization.
  • Page 185 Deployment Strategy and Port Assignments Figure 4-5 Deploying servers on a single host Chapter 4 Planning Your Deployment...
  • Page 186 Deployment Strategy and Port Assignments Each server root directory shown in Figure 4-5 has its own Administration Server and Netscape Console and access to a configuration directory. Each CMS instance has a corresponding instance of Directory Server that functions as the internal database for that CMS instance.
  • Page 187: Chapter 5 Installation Worksheet

    Chapter 5 Installation Worksheet This chapter provides a worksheet to help you prepare for installing a single instance of Netscape Certificate Management System (CMS). Print this chapter and make as many copies as you need. Fill out one copy for each CMS instance you plan to install and refer to it during the installation and configuration process.
  • Page 188: Information For Unix Installation Script

    Information for UNIX Installation Script Information for UNIX Installation Script The information summarized here must be provided once for each server root installation on a UNIX system. Installation Location To install an instance of Certificate Management System, you must also install an Administration Server and Netscape Console application and have access to a configuration and user/group directory.
  • Page 189: User/Group Directory Server

    Information for UNIX Installation Script If you choose Yes, you must also supply the following information about the existing configuration directory: • Computer name_____________________________________________ The default should be the fully qualified host name of the machine on which the configuration directory is located. For example, mydirectory.siroe.com. User/Group Directory Server Do you want to use another directory to store your data?
  • Page 190: Administration Server Information

    Information for UNIX Installation Script • Configuration Directory Server Administrator ID________________________ The ID for the user who will authenticate to Netscape Console with full privileges. For example, diradmin1. • Configuration Directory Server Administrator Password___________________ The password must be at least eight characters long. •...
  • Page 191: Certificate Management System Identifier

    Information for NT Installation Script Certificate Management System Identifier You must specify a unique identifier for the CMS server instance that you are installing. • Certificate Management System server identifier___________________________ Enter a unique identifier. For the name, you can use any combination of letters, digits, an underscore (_), and a hyphen (-)...
  • Page 192: User/Group Directory Server

    Information for NT Installation Script • Use existing configuration directory server._______________________________ If you choose to use an existing configuration directory, you must supply the following information: Host name___________________________________________ Port________________________________________________ Bind as______________________________________________ Password____________________________________________ User/Group Directory Server Choose one of these options: •...
  • Page 193: Configuration Directory Settings

    Information for NT Installation Script Configuration Directory Settings You need to provide the following information about the configuration directory, whether it is an existing one or a new one to be created by the Installation Wizard: • Directory Server identifier_______________________________________ This unique identifier is required for each instance of a Directory Server.
  • Page 194: Administration Server Port

    Initial Configuration This DN can be short and does not need to conform to any suffix configured for your directory. It also should not correspond to an actual entry stored in your directory. For example, cn=Directory Manager. • Directory Manager password ________________________ The password must be at least eight characters in length.
  • Page 195: Internal Database

    Initial Configuration Internal Database For each instance of Certificate Management System, a new instance of Netscape Directory Server is created on the local host to act as the internal (local) database. Each subsystem must have access to this local database to store certificates, certificate requests, keys, and other information.
  • Page 196: Remote Certificate Manager

    Initial Configuration Manager and Registration Manager together or Certificate Manager and Online Certificate Status Manager together. The Certificate Manager can be configured to perform all Registration Manager functions, so it’s not necessary or possible to install both managers in the same instance. In addition to X.509 certificates, the Certificate Manager can also issue Wireless Transport Layer Security (wTLS)-compliant certificates for wireless applications.
  • Page 197: Network Configuration

    Certificate Manager Configuration Network Configuration Enter numbers for the ports to be used for various kinds of communications. On UNIX, you must be root to assign ports less than 1024. The default values are well-known ports, which are used only if they are not already in use. If these defaults are not available, a randomly chosen port number is given as the default.
  • Page 198: Key-Pair Information For Ca Signing Certificate

    Certificate Manager Configuration • CA’s ending serial number __________________________ Enter the highest serial number available for this CA. You can enter the number in decimal or hexadecimal (0xnn). The default is no upper limit (blank). Key-Pair Information for CA Signing Certificate For a discussion of related issues, see “CA Signing Key Type and Length”...
  • Page 199: Validity Period For Ca Signing Certificate

    Certificate Manager Configuration • Common Name (CN=) _____________________________________ • Organizational Unit (OU=) ___________________________________ • Organization (O=) ________________________________________ • Locality (L=) _____________________________________________ • State (ST=) ______________________________________________ • Country (C=) ____________________________________________ A DN is a series of name-value pairs that in combination uniquely identify an entity.
  • Page 200: Ca Signing Certificate Request

    Certificate Manager Configuration CA (Yes)_________ Certification path length (Null)_______________________ The certificate chain path length, if specified, determines the maximum number of certificates in a chain, starting with the end-entity certificate. If you do not specify this attribute, the length of the chain is unlimited. •...
  • Page 201: Registration Manager Configuration

    Registration Manager Configuration If you are submitting your certificate request to a third-party CA, follow the instructions provided by that CA. If you are submitting your certificate request to another Certificate Manager, you need to know its URL: • End-entity URL for issuing Certificate Manager___________________________ Enter the URL for the end-entity gateway of the Certificate Manager that will issue the subordinate CA’s signing certificate.
  • Page 202: Subject Name For Registration Manager Signing Certificate

    Registration Manager Configuration • Key type_________________________________________________ RSA or DSA. • Key length_______________________________________________ Available key sizes for RSA are 512, 1024, 2048, 4096, or custom. Available key sizes for DSA are 512, 1024, or custom (in increments of 64 bits only). In general, longer keys are considered to be cryptographically stronger than shorter keys.
  • Page 203: Data Recovery Manager Configuration

    Data Recovery Manager Configuration If you are submitting your certificate request to another Certificate Manager, you need to know its URL: • End-entity URL for issuing Certificate Manager__________________________ Enter the URL for the end-entity gateway of the Certificate Manager that will issue the Registration Manager’s signing certificate.
  • Page 204: Subject Name For Transport Certificate

    Data Recovery Manager Configuration • Key type_________________________________________________ RSA or DSA. • Key length_______________________________________________ Available key sizes for RSA are 512, 1024, 2048, 4096, or custom. Available key sizes for DSA are 512, 1024, or custom (in increments of 64 bits only). In general, longer keys are considered to be cryptographically stronger than shorter keys.
  • Page 205: Extensions For Transport Certificate

    Data Recovery Manager Configuration • Validity period______________________ to _______________________ Enter beginning and ending dates for the transport certificate’s validity period. Extensions for Transport Certificate You can specify the extensions for a transport certificate only if you are installing the Certificate Manager and Data Recovery Manager at the same time and you have decided to have the Certificate Manager that you just installed issue the certificate.
  • Page 206: Transport Certificate Request

    Data Recovery Manager Configuration • Key usage (No)_____________ If you decide to include the key usage extension, the keyEncipherment usage bit is set by default. • Additional Extension (No)___________________________ To add extensions not included by default by Certificate Management System, you will need to paste the base64 encoding of a sequence of extensions into the wizard.
  • Page 207: Data Recovery Scheme-2

    Online Certificate Status Manager Configuration Decide how you want to set up your m of n data recovery scheme (n > m): • Number of recovery agents required to recover a key (m, default 2) _______________________________________ • Total number of designated recovery agents (n, default 3)_______________________________________ Data Recovery Scheme—2 Specify user IDs and passwords for the total number of designated recovery agents...
  • Page 208: Key-Pair Information For Online Certificate Status Manager Signing Certificate

    Online Certificate Status Manager Configuration Key-Pair Information for Online Certificate Status Manager Signing Certificate • Token for storing the Online Certificate Status Manager signing certificate and private key____________________________________ Enter either internal (if you plan to use the internal token) or the name of an external token.
  • Page 209: Online Certificate Status Manager Signing Certificate Issuer

    Cloned Certificate Manager Configuration • Country (C=) ____________________________________________ A DN is a series of name-value pairs that in combination uniquely identify an entity. The subject DN identifies the Online Certificate Status Manager signing certificate. For more information about distinguished names, see Appendix A, “Distinguished Names,”...
  • Page 210: Ca Signing Certificate

    Cloned Certificate Manager Configuration If the cloned Certificate Manager has the same hostname as the original server, the clone can use the same SSL server certificate. The SSL server certificate DN contains the hostname as the common name (CN) attribute, so a clone with a different hostname must enroll for a new SSL server certificate.
  • Page 211: Ssl Server Key And Certificate

    SSL Server Certificate Configuration • Token password ___________________________________________ SSL Server Key and Certificate If the clone uses the same hostname, you can use the same SSL server certificate and key copied from the original server. Otherwise, answer no and continue with the next section, “SSL Server Certificate Configuration.”...
  • Page 212: Subject Name For Ssl Server Certificate

    SSL Server Certificate Configuration • Key length_______________________________________________ For domestic versions of Netscape Certificate Management System, available settings for RSA are 512, 1024, 2048, 4096, or custom, and available settings for DSA are 512, 1024, or custom (in increments of 64 bits only). •...
  • Page 213: Extensions For Ssl Server Certificate

    SSL Server Certificate Configuration Extensions for SSL Server Certificate You can specify the extensions for an SSL server certificate only if you are installing a Certificate Manager and you have decided to have that local Certificate Manager issue the certificate. If the SSL server certificate is issued by a remote CA, its extensions are determined by the issuing CA.
  • Page 214: Ssl Certificate Request

    Single Sign-On Password keyEncipherment • Additional Extension (No)___________________________ To add extensions not included by default by Certificate Management System, you will need to paste the base64 encoding of a sequence of extensions into the wizard. SSL Certificate Request If you are obtaining your SSL server certificate from another CA, you need to know where to submit your certificate request.
  • Page 215: Chapter 6 Installing Certificate Management System

    Chapter 6 Installing Certificate Management System This chapter describes the procedure for installing a Netscape Certificate Management System (CMS) instance. Before you use this chapter to guide you through an installation, you should have read Chapter 1 through Chapter 5 and filled out the worksheet provided by Chapter 5, “Installation Worksheet.”...
  • Page 216: Installation Stages

    Installation Overview You must have an Administration Server in each server root directory. Administration Server can use a local configuration directory or refer to an existing configuration directory installed elsewhere. You must install the Certificate Management System internal database directory locally. The initial installation script installs Netscape Console and the binaries for the servers, and it creates and starts instances of Administration Server and Directory Server.
  • Page 217: Before You Begin The Installation

    Installation Overview Before You Begin the Installation Before you start installing Certificate Management System, follow these instructions: • If you’re not familiar with Certificate Management System, you might find it useful to run a demo installation first; see Chapter 3, “Default Demo Installation.”...
  • Page 218 Installation Overview Identify the CA to which you’ll submit the Data Recovery Manager’s transport certificate and SSL server certificate requests. Make sure the CA is running and, if required, identify the forms you’ll use to submit these requests. If you plan to use hardware tokens for generating and storing Data Recovery Manager’s key pairs, you’ll need at least two tokens: one exclusively for the storage key pair and the other for the remaining key pairs.
  • Page 219: Stage 1. Running The Installation Script

    Stage 1. Running the Installation Script Stage 1. Running the Installation Script The setup program extracts files for the Administration Server, Directory Server, Netscape Console, and Certificate Management System and installs the binaries under the server root directory you have specified. It creates one instance of the Administration Server, one instance of the Directory Server, and one instance of the Certificate Management System, which is not yet configured.
  • Page 220 Stage 1. Running the Installation Script Select the items you would like to install [1]: Accept the default to install the Netscape servers. Install location [/usr/netscape/server4]: Enter a full pathname to the location where you want to install the servers. The location that you enter must be different from the directory from which you are running the setup program.
  • Page 221 Stage 1. Running the Installation Script Do you want to use another directory to store your data? [No]: If you accept the default setting, the installation script either adds a user/group directory to the newly installed instance of Directory Server (if you accepted the default in step 13) or installs a new instance of Directory Server for use as a user/group directory.
  • Page 222: Running The Installation Script On Windows Nt

    Stage 1. Running the Installation Script Run Administration Server as [current login]: Enter the user ID for the Administration Server process. If you are running as root, you can accept the default to run the server as root. Certificate Management System identifier [certificate]: Enter a unique identifier for the new instance of Certificate Management System.
  • Page 223 Stage 1. Running the Installation Script Select Server or Console Installation. “Netscape Servers” is selected by default. Click Next to accept the default selection. Choose Installation Directory. The default installation directory is C:\Netscape\Server4. To specify a server root directory different from the default, click Browse.
  • Page 224 Stage 1. Running the Installation Script Directory Server 4.13 Server Settings Server Identifier. Enter a unique identifier for the new instance of the configuration directory. If you are using an existing configuration directory, enter its identifier. Server Port. Accept the default, or enter any port number that is not and will not be used for another purpose.
  • Page 225: Stage 2. Running The Installation Wizard

    Stage 2. Running the Installation Wizard Setup. At this point, the installation script extracts and installs the binaries for all of the servers in the server root directory, and creates and starts instances of the Administration Server and Directory Server. Setup Complete.
  • Page 226 Stage 2. Running the Installation Wizard In the Certificate Management System panel at the right, click Open. After a few moments, the Introduction screen for the Installation Wizard appears. Click Next to continue. The Internal Database screen appears. In the Internal Database screen, specify the Directory Server instance that Certificate Management System should use as its internal database—you may choose to create a new Directory Server instance or use an existing Directory Server instance.
  • Page 227: Installing The Certificate Manager As A Root Ca

    Stage 2. Running the Installation Wizard Installing the Certificate Manager as a Root CA To install the Certificate Manager as a root CA: Subsystems. Select Certificate Manager. If you want the Certificate Manager to issue certificates for wireless applications, select the “In addition to X.509 v3 certificates, do you want the Certificate Manager to support issuance of Wireless Transport Layer Support (wTLS)-compliant certificates”...
  • Page 228 Stage 2. Running the Installation Wizard Key-Pair Information for Certificate Manager CA Signing Certificate. Select the token to store the root CA signing certificate and key pair. If you have not previously initialized the token’s password, you must do so in this screen. Also specify the key type and length.
  • Page 229 Stage 2. Running the Installation Wizard SSL Server Certificate. Select the “Sign SSL certificate with my CA signing certificate” option. This option enables the wizard to generate an SSL Server Certificate signed with the local CA signing certificate, the root Certificate Manager’s CA signing certificate you just created.
  • Page 230: Installing The Certificate Manager As A Subordinate Ca

    Stage 2. Running the Installation Wizard Create Single Signon Password. Type the single signon password. The single signon password simplifies the way you subsequently sign on to Certificate Management System by storing the passwords for the internal database, tokens, publishing directory, and so on. Each time you log on, you’re only required to enter this single password.
  • Page 231 Stage 2. Running the Installation Wizard Network Configuration. Type the port numbers for the ports to be used by the CMS instance. If you want to enable the non-SSL end-entity port, be sure to check the “Enable” checkbox. Click Next to continue. CA’s serial number range.
  • Page 232 Stage 2. Running the Installation Wizard Certificate Extensions for Certificate Manager CA Signing Certificate. Select the required extensions. The default settings should work for most deployments. If necessary, you can add an additional extension by pasting its base-64 encoding in the space provided on this screen. Certificate Management System provides command-line tools for generating extensions to include in CA and other certificate requests.
  • Page 233 Stage 2. Running the Installation Wizard Click Next to submit the request. The Certificate Request Result screen appears, confirming that the request has been submitted. Note the request ID provided in the response message. (You can use it later to retrieve the certificate, once it has been issued, from the end-entity port.) Note that the request you submitted gets added to the agent queue of the remote Certificate Manager for approval by that Certificate Manager’s...
  • Page 234 Stage 2. Running the Installation Wizard In the left-hand frame of the Enrollment tab, choose the form appropriate for the request type: If the request is in the PKCS #10 format, under Server, click Certificate Manager. In the resulting form, paste the request from the clipboard into the text area and fill in any other required information.
  • Page 235 Stage 2. Running the Installation Wizard To submit your certificate request manually to a third-party CA, follow these steps: Make sure that the certificate request (including -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----) is highlighted, and click the Copy to Clipboard button. This action copies the certificate request to the clipboard.
  • Page 236 Stage 2. Running the Installation Wizard If you noted the request ID of your request and know the host name and end-entity port number of the remote Certificate Manager that issued the certificate, select the “The certificate is at the CMS server where the request was sent”...
  • Page 237 Stage 2. Running the Installation Wizard Key-Pair Information for SSL Server Certificate. Select the token to store the SSL server certificate and key pair. If you have not previously initialized the token’s password, you must do so in this screen. Also specify the key type and length.
  • Page 238 Stage 2. Running the Installation Wizard Submission of Request. Select whether you want to submit the request manually or send the request automatically to a remote Certificate Manager. To automatically submit the request to a remote Certificate Manager (or for automatic enrollment), follow these steps: Select the “Send the request to a remote CMS now”...
  • Page 239 Stage 2. Running the Installation Wizard To submit your certificate request manually to a remote Certificate Manager, follow these steps: Open a web browser window. Go to the end-entity URL for the remote Certificate Manager that will issue the subordinate CA’s SSL server certificate. For example, if you assigned the port number 17006 to the non-SSL end-entity port for your root CA, you would go to the URL to bring up the Certificate Manager page for...
  • Page 240 Stage 2. Running the Installation Wizard When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file. Be sure to not make any changes to the certificate.
  • Page 241 Stage 2. Running the Installation Wizard Location of Certificate. Specify the location of the certificate. You can use any of these options: If you copied the encoded certificate to a file, select the “The certificate is located in this file” option and then type the file path, including the filename, in the text field.
  • Page 242: Installing A Standalone Registration Manager

    Stage 2. Running the Installation Wizard Create Single Signon Password. Type the single signon password. The single signon password simplifies the way you subsequently sign on to Certificate Management System by storing the passwords for the internal database, tokens, publishing directory, and so on. Each time you log on, you’re only required to enter this single password.
  • Page 243 Stage 2. Running the Installation Wizard Network Configuration. Type the numbers for the ports to be used by the CMS instance. If you want to enable the non-SSL end-entity port, be sure to check the “Enable” checkbox. Click Next to continue. Key-Pair Information for Registration Manager Signing Certificate.
  • Page 244 Stage 2. Running the Installation Wizard If you want the wizard to generate the certificate request in PKCS #10 format, select the “Generate PKCS10 request” option. If you want the wizard to generate the certificate request in CMC format, select the “Generate CMC full enrollment request” option. (This option is available only if you selected to add the Subject Key Identifier extension to the certificate in the previous screen.) Click Next.
  • Page 245 Stage 2. Running the Installation Wizard When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file. Be sure to not make any changes to the certificate.
  • Page 246 Stage 2. Running the Installation Wizard In the pending request list, locate your request, click Details to see it. After checking the certificate request and making required changes, scroll down to the last section, labeled Privileges. Select the checkbox labeled “This certificate is for a Trusted Manager.” (Note that you must be a designated CMS administrator as well as an agent for this option to work correctly.) Type a user ID for the new Registration Manager.
  • Page 247 Stage 2. Running the Installation Wizard If you have submitted your request to a third-party CA or to a remote Certificate Manager for which you do not have agent privileges, you may have to wait days or weeks before you receive the certificate. In this case, you should click No, continue as far as you can with the configuration, and resume after you receive the certificate.
  • Page 248 Stage 2. Running the Installation Wizard In the resulting form, select the “Display the CA certificate chain in PKCS#7 for importing into a server” option, and then click Submit. In the resulting page, locate the CA certificate chain in its base-64 encoded format, and copy the certificate chain to the clipboard.
  • Page 249 Stage 2. Running the Installation Wizard If you want the wizard to generate the certificate request in CMC format, select the “Generate CMC full enrollment request” option. Click Next. The wizard creates the certificate request that you must submit to another CA.
  • Page 250 Stage 2. Running the Installation Wizard When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file. Be sure to not make any changes to the certificate.
  • Page 251 Stage 2. Running the Installation Wizard Locate your request, click Details to see it, and make any changes. Then, scroll down to the bottom of the form and click Do It. After the certificate is generated, click Show Certificate. When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to...
  • Page 252 Stage 2. Running the Installation Wizard If you selected No, you will be presented with the “Create Single Signon Password” screen (Step 25). Location of Certificate. Specify the location of the certificate. You can use any of these options: If you copied the encoded certificate to a file, select the “The certificate is located in this file”...
  • Page 253: Installing A Standalone Data Recovery Manager

    Stage 2. Running the Installation Wizard Paste the CA certificate chain into the text box. Click Next to continue. Create Single Signon Password. Type the single signon password. The single signon password simplifies the way you subsequently sign on to Certificate Management System by storing the passwords for the internal database, tokens, and so on.
  • Page 254 Stage 2. Running the Installation Wizard Subject Name for Data Recovery Manager Transport Certificate. Type the values for the subject DN components; these values identify the transport certificate. Click Next to continue. Certificate Extensions for Data Recovery Manager Transport Certificate. Select the required extensions.
  • Page 255 Stage 2. Running the Installation Wizard Click Next to submit the request. The Certificate Request Result screen appears, confirming that the request has been submitted. Note the request ID provided in the response message. (You can use it later to retrieve the certificate, once it has been issued, from the end-entity port.) Note that your request gets added to the agent queue of the remote Certificate Manager for approval by that Certificate Manager’s agent.
  • Page 256 Stage 2. Running the Installation Wizard In the left-hand frame of the Enrollment tab, choose the form appropriate for the request type: If the request is in the PKCS #10 format, under Server, click SSL Server. In the resulting form, paste the request from the clipboard into the text area and fill in any other required information.
  • Page 257 Stage 2. Running the Installation Wizard To submit the transport certificate request manually to a third-party CA, follow these steps: Make sure that the certificate request (including -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----) is highlighted, and click the Copy to Clipboard button. This action copies the certificate request to the clipboard.
  • Page 258 Stage 2. Running the Installation Wizard If you noted the request ID of your request and know the host name and end-entity port number of the remote Certificate Manager that issued the certificate, select the “The certificate is at the CMS server where the request was sent”...
  • Page 259 Stage 2. Running the Installation Wizard Data Recovery Key Scheme - 2. The number of table rows correspond to the total number of agents you specified in the previous screen. Type the user ID and password for each agent in the table. Click Next to continue.
  • Page 260 Stage 2. Running the Installation Wizard Submission of Request. Select whether you want to submit the request manually or send the request automatically to a remote Certificate Manager. To automatically submit the request to a remote Certificate Manager (or for automatic enrollment), follow these steps: Select the “Send the request to a remote CMS now”...
  • Page 261 Stage 2. Running the Installation Wizard To submit your certificate request manually to a Certificate Manager, follow these steps: Open a web browser window. Go to the end-entity URL for the Certificate Manager that will issue the SSL server certificate. For example, if you assigned the port number 17006 to the non-SSL end-entity port for your root CA, you would go to the URL to bring up the Certificate Manager page for...
  • Page 262 Stage 2. Running the Installation Wizard When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN ), and copy it to CERTIFICATE ----- -----END CERTIFICATE----- the clipboard or to a text file. Be sure to not make any changes to the certificate.
  • Page 263 Stage 2. Running the Installation Wizard Location of Certificate. Specify the location of the certificate. You can use any of these options: If you copied the encoded certificate to a file, select the “The certificate is located in this file” option and then type the file path, including the filename, in the text field.
  • Page 264: Installing An Online Certificate Status Manager

    Create Single Signon Password. Type the single signon password. The single signon password simplifies the way you subsequently sign on to Certificate Management System by storing the passwords for the internal database, tokens, and so on. Each time you log on, you’re only required to enter this single password.
  • Page 265 Online Certificate Status Manager Signing Certificate Request Creation. This informational screen tells you that the wizard has all the information required to generate the key pair and certificate request. Click Next to generate them. Submission of Request.
  • Page 266 When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines), and copy it to the clipboard or to a text file. Be sure not to make any changes to the certificate.
  • Page 267 After checking the rest of the certificate request and making any changes, scroll to the bottom, and click Do It. After the certificate is generated, click Show Certificate. When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines), and copy it to...
  • Page 268 If you selected Yes, the “Location of Certificate” screen appears (Step 8). If you selected No, you will be presented with the “Key-Pair Information for SSL Server Certificate” screen (Step 11). Location of Certificate. Specify the location of the certificate. You can use one of these options: If you noted the file path to the file that contains the certificate (in its base 64-encoded format), select the “The certificate is located in this file”...
  • Page 269 Paste the certificate chain into the text box. Click Next to continue. If you closed the end-entity interface, you can get the CA certificate chain this way: Open a web browser window. Go to the end-entity URL for the Certificate Manager that issued the Online Certificate Status Manager’s signing certificate.
  • Page 270 Note that the certificate extension text field accepts a single extension blob. If you want to add multiple extensions, you should use the ExtJoiner program, which is also provided in the tools directory. For details on using the program, see Chapter 5, “Extension Joiner Tool”...
  • Page 271 Click Next to submit the request. The Certificate Request Result screen appears, confirming that the request has been submitted. Note the request ID provided in the response message. (You can use it later to retrieve the certificate, once it has been issued, from the end-entity port.) Note that your request gets added to the agent queue of the Certificate Manager for approval by that Certificate Manager’s agent.
  • Page 272 In the left-hand frame of the Enrollment tab, choose the form appropriate for the request type: If the request is in the PKCS #10 format, under Server, click SSL Server. In the resulting form, paste the request from the clipboard into the text area and fill in any other required information.
  • Page 273 To submit your certificate request manually to a third-party CA, follow these steps: Make sure that the certificate request (including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- marker lines) is highlighted, and click the Copy to Clipboard button. This action copies the certificate request to the clipboard.
  • Page 274 If you know the request ID of your request and the host name and end-entity port number of the Certificate Manager that issued the SSL server certificate, select the “The certificate is at the CMS server where the request was sent”...
  • Page 275: Stage 3. Enrolling For Administrator/Agent Certificate

    Proceed to the next step, “Stage 3. Enrolling for Administrator/Agent Certificate” on page 275, to create an agent user for the Online Certificate Status Manager. Stage 3. Enrolling for Administrator/Agent Certificate Immediately after installing any CMS instance, the administrator must enroll for the initial administrator/agent certificate.
  • Page 276 Go to the URL for the SSL agent port. By default, this is a URL of the following form: https://<hostname>:<agent_port> For <hostname>, provide the fully qualified name of the machine on which Certificate Management System is installed; for example, CAmachine.siroe.com. <agent_port> is the TCP port specified during installation for agent...
  • Page 277 Organization unit. Type the name of the organization unit to which the administrator/agent belongs. Organization. Type the name of the company or organization the administrator/agent works for. Country. Type the two-letter code for the administrator/agent’s country. User’s Key Length Information Key Length.
  • Page 278: Agent Certificate For Other Cms Managers

    Open the configuration file (CMS.cfg) in a text editor. Locate the following line: agentGateway.enableAdminEnroll=false Change false to true, and save the file. Start the server from the CMS window where you stopped it. (Alternatively, right-click on the name of the instance in the left frame and choose Start Server.) At this point, the server asks you for the single signon password you specified during installation.
  • Page 279 Log in to Netscape Console (see “Logging In to Netscape Console” on page 336). In the navigation tree, locate the CMS instance for which you want to create the agent user, and double-click the icon. The login screen for the CMS window appears.
  • Page 280 Click Import. The Import Certificate window appears. Click inside the text area, and paste the agent’s certificate in base-64 encoded form. (If you haven’t copied the certificate, go back to the browser window, copy the certificate, and then paste the certificate here.) Be sure to include the -----BEGIN CERTIFICATE----- and -----END...
  • Page 281: Stage 4. Further Configuration Options

    To view the certificate you imported, select it and click View. The certificate information appears. Click Done. You are returned to the Users tab. Click Refresh to view the updated configuration. You have now designated an agent for the specified manager. You can now present the certificate you installed for that agent to access the Agent Services pages for that manager in the new instance.
  • Page 282: Stage 5. Creating Additional Instances Or Ca Clones

    For detailed information about the many CMS configuration options available, check the chapters in Part 3, “Configuration.” You might find it useful to read “Road Map to Configuring Subsystems” on page 366. Stage 5.
  • Page 283: Chapter 7 Installing And Uninstalling Cms Instances

    Chapter 7 Installing and Uninstalling CMS Instances After the initial installation of Netscape Certificate Management System (CMS), you may need to install additional instances, remove unwanted instances, or duplicate configuration in multiple instances. This chapter describes how to manage these tasks by using Netscape Console, the single, unified administration interface for your network.
  • Page 284: Installing Multiple Cms Instances

    Installing Multiple CMS Instances Multiple instances of Certificate Management System can run on the same machine. You might, for example, install multiple Registration Managers, all reporting to the same Certificate Manager, to handle requests from different types of users (end users, servers, and routers) or from users from different domains.
  • Page 285 From the Object menu, choose the Create Instance Of option and, in the pop-up menu that appears, choose Certificate Management System. As shown in this figure, you can also right-click to choose this option from the pop-up menu.
  • Page 286: Cloning A Certificate Manager

    To start the installation wizard, double-click the new instance in the navigation tree, and then use the installation wizard to finish configuring the new instance. Create the first agent for the new CMS instance. When you have finished setting up an additional CMS instance, you need to create at least one agent for that instance.
  • Page 287: Step 1. Before You Begin

    communication is SSL-client authenticated. This way, the master Certificate Manager has the complete list of certificates revoked by all clone Certificate Managers and is able to generate a consolidated list of revoked certificates or a complete CRL. Because the master Certificate Manager has the complete CRL, if you enable the OCSP-service feature built into the Certificate Manager, it can function as a full-fledged OCSP responder for your PKI—that is, irrespective of which clone...
  • Page 288 • Check the master Certificate Manager’s serial number range. The “Next serial number” field should be set to the next serial number of the certificate the CA will issue and the “Last serial number” field must be blank. To locate the panel that enables you to do this, see “Enabling End-Entity Interaction with a Certificate Manager”...
  • Page 289: Step 2. Create Instances For Clone Cas

    During the cloning process, the master Certificate Manager’s SSL server certificate is automatically copied to the certificate database of the clone Certificate Manager. The clone Certificate Manager uses this certificate for SSL-client-authenticated communication with the master Certificate Manager.
  • Page 290: Installing Clone Ca In A Different Server Group

    From the Object menu, choose the Create Instance Of option and, in the pop-up menu that appears, choose Certificate Management System. As shown in this figure, you can also right-click to choose this option from the pop-up menu.
  • Page 291: Installing Clone Ca On A Separate Host

    If you want to install your clone Certificate Manager on the same host on which the master Certificate Manager is installed, but in a different server group: In the master Certificate Manager host machine, go to the directory that contains the CMS program.
  • Page 292: Step 4. Copy Master Ca's Certificate And Key Database

    Step 4. Copy Master CA’s Certificate and Key Database Because you want the clone Certificate Manager to own the same keys and certificates as that of the master Certificate Manager, you need to make available the keys and certificates used by the master Certificate Manager to each clone Certificate Manager.
  • Page 293: Step 8. Establish Trust Between Master Ca And Clone Cas

    To configure a clone Certificate Manager: Log in to or go to Netscape Console that shows the clone Certificate Manager instance. In the navigation tree, locate the instance ID for the clone you created, and double-click the instance. The CMS Installation Wizard starts.
  • Page 294: Step A. Locate The Master Ca's Ssl Server Certificate

    The setup process involves the following steps: • Step A. Locate the Master CA’s SSL Server Certificate • Step B. Create a Privileged-User Entry for Clone CAs Step A. Locate the Master CA’s SSL Server Certificate Depending on which CA issued/signed the master Certificate Manager’s SSL server certificate, you can locate the certificate in either the internal database or the certificate database (...
  • Page 295 Copy the base-64 encoded certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines, to the clipboard or a text file. (Alternatively, you can keep the browser window open and copy the certificate later in the procedure.) The copied information should look similar to the following example: -----BEGIN CERTIFICATE----- MIICJzCCAZCgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBCMSAwHgYDVQQKExdOZXRzY2FwZSBDb21tdW5pYF...
  • Page 296: Step B. Create A Privileged-User Entry For Clone Cas

    Copy the base-64 encoded certificate, including the marker lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, to the clipboard or to a text file. The copied information should look like the example below: -----BEGIN CERTIFICATE----- MIICJzCCAZCgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBCMSAwHgYDVQQKExdOZXRzY2FwZSBDb21tdW5pYF 0aW9uczngjhnMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyNzE5MDAwMFoXDTk5MDIyMzE5MDAw MnbjdgngYoxIDAeBgNVBAoTF05ldHNjYXBlIENvbW11bmljYXRpb25zMQ8wDQYDVQQLEwZQZW9wbGUxFzA VBgoJkiaJkIsZAEBEwdzdXByaXlhMRcwFQYDVQQDEw5TdXByaXlhIFNoZXR0eTEjMCEGCSqGSIb3DbndgJ ARYUc3Vwcml5YUBuZXRzY2FwZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoYiYgthgtbbnjfngjn jgnagwJjAOBgNVHQ8BAf8EBAMCBLAwFAYJYIZIAYb4QgEBAQHBAQDAgCAMA0GCSqGSIb3DQEBBAUAA4GBA...
  • Page 297 Click Add. The Select User Type window appears. Select Trusted Manager and click OK. The Edit User Information window appears. Specify information as appropriate. The information you enter here is to help you keep track of the clone Certificate Managers.
  • Page 298 Click OK. You are returned to the Users tab. The user you just added is displayed in the list of users. Select the user entry you just added for the clone Certificate Managers and click Certificates. The Manage User Certificates window appears.
  • Page 299: Step 9. Test Clone-Master Connection

    Step 9. Test Clone-Master Connection To test whether your clone-master CA setup is complete and functional, repeat these steps for each clone Certificate Manager. • Step A. Request a Certificate from the Clone CA • Step B. Approve the Request •...
  • Page 300: Step B. Approve The Request

    Step B. Approve the Request Skip this step if you requested the certificate using any of the automated enrollment methods. Complete this step if you used the manual enrollment form for requesting the certificate; the request you submitted is waiting in the agent queue for approval by an agent.
  • Page 301: Step D. Revoke The Certificate

    Click Details. Scroll down to the section that enables you to download the certificate to the browser, and download the certificate. Step D. Revoke the Certificate To revoke the certificate you issued: Go to the end-entity interface for the Certificate Manager. Select the Revocation tab.
  • Page 302: Step 10. Use Master Ca's Agent Certificate In Clone Cas

    SHA-1 with DSA generates a 160-bit message digest. Before choosing SHA-1 with DSA, make sure your applications support it. Communicator 4.0 (or later) and Netscape server products with a version number greater than 4.0 support it. Before selecting an algorithm, make sure that Certificate Manager has the algorithm enabled.
  • Page 303: Viewing Instance Information

    Go to the “Users and Groups” section, create a new agent user, and add the master CA’s agent certificate to the clone CA’s certificate database. To add the correct certificate, check the serial number of the master CA’s agent certificate;...
  • Page 304 In the list of server instances, select the CMS instance you want to view. The right pane shows information about the selected CMS instance. The information displayed includes the following: Server Name. A descriptive name of the CMS instance. You can change this name;...
  • Page 305: Changing The Name Of An Instance

    Version. The version number. Build Number. The number that identifies the build that was used for this installation. Security Level. The server’s security level—whether the server is meant for use in the United States and Canada (domestic) or any other part of the world (export).
  • Page 306: Removing An Instance From A System

    Click Edit. Details about the selected CMS instance appear in the right pane. Specify the appropriate information: Server Name. Type a descriptive name for the server. Description. Type any additional description for the server. For example, you may want to type information that will help you identify this instance of Certificate Management System.
  • Page 307 To remove a CMS instance from your machine: Log in to Netscape Console (see “Logging In to Netscape Console” on page 336). In the Console tab, select the CMS instance you want to remove. From the Object menu, choose Stop;...
  • Page 308: Uninstalling Certificate Management System

    Uninstalling Certificate Management System To remove files pertaining to Certificate Management System from a host system, run the uninstallation program. Uninstalling Certificate Management System removes all the corresponding CMS instances from the navigation tree of Netscape Console.
  • Page 309 In the Add/Remove Programs Properties window, choose Netscape Server Products 4.2 <server_root>, and click Add/Remove. In the Netscape Server Uninstall window, make sure all the components are selected, and click Uninstall. The uninstallation program starts.
  • Page 310 Uninstalling Certificate Management System Netscape Certificate Management System Installation and Setup Guide • October 2001...
  • Page 311: Chapter 8 Starting And Stopping Cms Instances

    Chapter 8 Starting and Stopping CMS Instances This chapter describes how to start, stop, and restart Netscape Certificate Management System (CMS) and how to check its current status. The chapter also explains the CMS watchdog process, a native bootstrapping program that enables Certificate Management System to start up with a single password instead of multiple ones.
  • Page 312: Starting Certificate Management System

    Starting Certificate Management System Once Certificate Management System is installed, it runs constantly, listening for and accepting requests. You can start Certificate Management System in several ways: • From Netscape Console (locally and remotely) • From the command line (locally only) •...
  • Page 313: Configuring The Server To Start Without The Single Sign-On Password

    You first specified these passwords when you installed Certificate Management System. Keep in mind that the passwords you provide for the tokens unlock a combination of the following private keys: • If you have installed a Certificate Manager in the currently selected CMS instance, the token password unlocks the private keys for the Certificate Manager’s CA signing and SSL server certificates.
  • Page 314: Configuring The Server To Read The Single Sign-On Password From A File

    Here’s how you can do it: Go to this directory: <server_root>/cert-<instance_id>/config Locate the pwcache.p12 file. Either rename or delete the file. Start the server from the command line; see “Starting From the Command Line” on page 318. You are prompted for all the required passwords.
  • Page 315 CAUTION: The instructions that follow explain how to configure Certificate Management System to start by reading the single sign-on password from a file. Note that the password is stored in a plain text file and you must use your operating system’s security feature to secure this file.
  • Page 316 Edit the script to include the file path to the pwfile file: to the end of the line that begins $NETSITE_ROOT/bin/cert/admin/bin/cert, add -f $NETSITE_ROOT/cert-<instance_id>/config/pwfile. Be sure to include the file path as shown (in bold) in the example. #!/bin/sh /usr/netscape/server4/bin/cert/admin/bin/start -i testCA -f /usr/netscape/server4/cert-testCA/config/pwfile -r...
  • Page 317: Starting From Netscape Console

    Edit the script to include the file path to the pwfile file: to the end of the line that begins net start cert-<instance_id>, add /fC:%NETSITE_ROOT%\cert-<instance_id>\config\pwfile. Be sure to include the file path as shown in the example (shown in bold). net start cert-testCA /fC:\Netscape\Server4\cert-testCA\config\pwfile /cC:\Netscape\Server4\cert-testCA\classes\;C:\Netscape\Server4\bin\cert\classes\;...
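The CAUTION on page 315 leaves protecting the plain-text pwfile to the operating system. As an added example (not a script from the Netscape guide), the POSIX shell functions below refuse to build the Unix start command from page 316 unless that file is a regular file owned by the invoking user with no group or other permission bits; the server root, instance id and start binary path follow the guide's example, while the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the Netscape CMS guide: guard the "-f pwfile"
# start-up described on pages 315-316 by checking the password file first.
# NETSITE_ROOT defaults to the server root used in the guide's example.
NETSITE_ROOT="${NETSITE_ROOT:-/usr/netscape/server4}"

# pwfile_is_private FILE
# Succeeds (exit 0) only when FILE is a regular file, owned by the current
# user, with no group or other permission bits set (mode 0600 or 0400).
pwfile_is_private() {
    file="$1"
    [ -f "$file" ] || return 1
    # GNU stat first, BSD stat as a fallback.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    owner=$(stat -c '%u' "$file" 2>/dev/null || stat -f '%u' "$file")
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# cms_start_args INSTANCE_ID
# Prints the start command line from the guide (start -i <id> -f <pwfile> -r)
# when the password file passes the check; otherwise prints a diagnostic on
# stderr and returns 1 so a wrapper script aborts instead of starting CMS.
cms_start_args() {
    inst="$1"
    pwfile="$NETSITE_ROOT/cert-$inst/config/pwfile"
    if ! pwfile_is_private "$pwfile"; then
        echo "refusing to start cert-$inst: $pwfile must be a regular file owned by $(id -un) with mode 0600" >&2
        return 1
    fi
    printf '%s\n' "$NETSITE_ROOT/bin/cert/admin/bin/start -i $inst -f $pwfile -r"
}

# Typical use from a wrapper script (constructed call; uncomment to run):
# cmd=$(cms_start_args testCA) && exec $cmd
```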
  • Page 318: Starting From The Command Line

    Select the instance, right-click, and select the Start Server option from the pop-up menu. When you start Certificate Management System, you are prompted to supply the single sign-on password for the server. Type the single sign-on password you specified during installation and click Certificate Management System won’t start until you provide this password.
  • Page 319: Starting From The Windows Nt Services Panel

    At the command-line prompt, enter the following line: <server_root>/cert-<instance_id>/start-cert[.bat] .bat specifies the file extension; this is required only when running the utility on a Windows NT system. <server_root> is the directory where the CMS binaries are kept. You first...
  • Page 320: Stopping Certificate Management System

    To start Certificate Management System from the Windows NT Services panel: Click the Start button on your desktop. Select Control Panel from Settings. In the Control Panel window that appears, click Services. Select the CMS instance and click Start. You are prompted to supply the single sign-on password for the server.
  • Page 321: Stopping From The Command Line

    In the navigation tree, select the CMS instance you want to stop, right-click, and select the Stop Server option from the pop-up menu. The server is stopped. Stopping From the Command Line You can stop a CMS instance running on a local host by entering the appropriate command at the command prompt.
  • Page 322: Stopping From The Windows Nt Services Panel

    Stopping From the Windows NT Services Panel You can stop a CMS instance running on a local host by stopping the corresponding service; it is identified by the following in the Windows NT Services panel (see Figure 8-1 on page 319): Netscape Certificate Management System (cert-<instance_id>...
  • Page 323: Restarting From The Command Line

    In the Tasks tab, click Restart the Server. When you restart Certificate Management System, you are prompted to supply the single sign-on password for the server. Type the single sign-on password you specified during installation and click Certificate Management System won’t restart until you provide this password.
  • Page 324: Checking System Status

    At the command-line prompt, enter the following line: <server_root>/cert-<instance_id>/restart-cert[.bat] .bat specifies the file extension; this is required only when running the utility on a Windows NT system. <server_root> is the directory where the CMS binaries are kept. You first...
  • Page 325: Attending To An Unresponsive Server

    In the right pane, check the Server Status field. If the selected instance of Certificate Management System is running, the status will be Started. Otherwise it will be Stopped or Unknown. Attending to an Unresponsive Server If an error causes Certificate Management System to become unresponsive, and all attempts to stop it from Netscape Console fail, it may be necessary to kill the server processes manually.
  • Page 326: Password Cache

    Password Cache During CMS installation, the installation program creates a password cache which the CMS watchdog uses to store all the passwords required by the server during start up (see “Required Start-up Information” on page 312). For example, when you specify the cryptographic token password and the bind password for the internal directory during installation, the watchdog adds these passwords into the password cache;...
  • Page 327: Password-Quality Checker

    Except for the string Internal LDAP Database, you can change any of the above prompts by modifying the corresponding value in the configuration file and then replacing (delete the old item and add the new item) the current entry in the password cache with the new prompt and the password, using the PasswordCache utility explained in the CMS Command-Line Tools Guide.
  • Page 329: Part 3 Configuration

    Part 3 Configuration Chapter 9, “Administration Tasks and Tools” Chapter 10, “CMS Configuration” Chapter 11, “Setting Up Ports” Chapter 12, “Setting Up Internal Database” Chapter 13, “Managing Privileged Users and Groups” Chapter 14, “Managing CMS Keys and Certificates” Chapter 15, “Setting Up End-User Authentication” Chapter 16, “Setting Up Automated Notifications”...
  • Page 330 Chapter 19, “Setting Up LDAP Publishing” Chapter 20, “Publishing Certificates and CRLs to a File” Chapter 21, “Setting Up an OCSP Responder” Chapter 22, “Setting Up Key Archival and Recovery” Chapter 23, “Managing CMS Logs”
  • Page 331: Chapter 9 Administration Tasks And Tools

    Chapter 9 Administration Tasks and Tools In administering Netscape Certificate Management System (CMS), you perform server-specific tasks such as starting, stopping, and restarting the server; changing configuration; configuring certificate issuance and management policies; adding or modifying privileged-user and group information; setting up authentication mechanisms for users who may request services from the server;...
  • Page 332: Netscape Console

    Netscape Console Netscape Console is a stand-alone Java application that provides a GUI-based front end to all network resources registered in an organization’s configuration directory. This unified administration interface (shown in Figure 9-1) simplifies network administration by supplying access points to all Netscape version 4.x server instances installed across a network.
  • Page 333: Users And Groups Tab

    The Console tab displays all servers registered in a particular configuration directory, giving you a consolidated view of all the server software and resources under your control. What you control is determined by the access permissions the superadministrator has set up for you. From this view you can perform tasks across arbitrary groups or a cluster of servers in a single operation.
  • Page 334: Netscape Administration Server

    Figure 9-2 Users and Groups tab of Netscape Console From this tab, you can accomplish various user- and group-specific tasks, such as these: • Add, modify, and delete user and group information in the user directory. • Search for specific user and group entries in the user directory. Netscape Administration Server Netscape Administration Server is a web-based (HTTP) server that enables you to configure all your Netscape version 4.x servers, including Certificate Management...
  • Page 335: Starting Administration Server

    Whenever you try to gain access to Administration Server, you will be prompted to authenticate yourself to the configuration directory by entering your user ID and password. These are the administrator user name and password that you specified when you installed Certificate Management System (or the first server in the server group) and Administration Server on your computer.
  • Page 336: Shutting Down Administration Server

    Shutting Down Administration Server It is good security practice to shut down Administration Server when you are not using it. This minimizes the chances of someone else changing your configuration. You can shut down the server from Netscape Console, the command line, or the Windows NT Services panel.
  • Page 337 Open the Netscape Console application by using the appropriate option: For local access on a Unix machine, at the command-line prompt, enter the following line: <server_root>/admin-<instance_id>/start-console For local access on a Windows NT machine, double-click the Netscape Console icon on your desktop;...
  • Page 338: The Cms Window

    The CMS Window The CMS window is a GUI-based administration interface that allows you to perform day-to-day operational and managerial duties for Certificate Management System. You launch the CMS window from within Netscape Console (Figure 9-3). Figure 9-3 Certificate Management System window, launched from Netscape Console You can use the CMS window to access the server locally or remotely.
  • Page 339: Tasks Tab

    Tasks Tab. The Tasks tab enables you to perform tasks such as starting, stopping, and restarting the server, and running the Certificate Setup Wizard. For details, see Chapter 8, “Starting and Stopping CMS Instances” and “Certificate Setup Wizard” on page 456.
  • Page 340
    Table 9-1 provides details about the tasks you can accomplish from the Configuration tab. You access specific settings by selecting an entry in the navigation tree and working with the tabs that appear in the right pane.
    Table 9-1 Tasks you can accomplish from the Configuration tab (Task / Description)...
  • Page 341
    Table 9-1 Tasks you can accomplish from the Configuration tab (continued)
    Enabling automated email notifications: This involves operations such as the following:
    • Entering the information required by the server to send automated notifications to one or more agents when a request enters the agent queue.
    •...
  • Page 342: Status Tab

    Table 9-1 Tasks you can accomplish from the Configuration tab (continued)
    Configuring the Data Recovery Manager: This involves configuring the Data Recovery Manager for archival and recovery of end users’ encryption private keys. For details, see Chapter 22, “Setting Up Key Archival and Recovery.”...
  • Page 343: Logging In To The Cms Window

    Logging In to the CMS Window. You access the CMS window from Netscape Console. For details on Netscape Console, see “Netscape Console” on page 332. The Console tab of Netscape Console contains a list of network resources that are under your control.
  • Page 344
    Enter the appropriate information:
    User ID. If you are logging in for the first time, type the Certificate Administrator ID; you specified this user ID during installation (so that you could log in to the CMS window without having to create privileged-user entries).
  • Page 345: Chapter 10 Cms Configuration

    Chapter 10 CMS Configuration. The runtime properties of Netscape Certificate Management System (CMS) are governed by a set of configuration parameters. These parameters are stored in a file that is read by the server during startup. When you install Certificate Management System, the installer creates an ASCII file, named CMS.cfg, and populates it with the appropriate configuration...
  • Page 346
    Effects of Installation Type on Configuration. A CMS instance can include a single subsystem or two subsystems in one of the following combinations:
    • A single Certificate Manager, Registration Manager, Data Recovery Manager, or Online Certificate Status Manager
    • A Certificate Manager and Data Recovery Manager together
    •...
  • Page 347: Duplicating Configuration From One Instance To Another

    Figure 10-1 How installation affects configuration
    Duplicating Configuration From One Instance to Another. If you have deployed a large number of CMS instances that are identical—for example, multiple Registration Managers—and you want all these instances to
  • Page 348: Locating The Configuration File

    have the same configuration, you can accomplish this by configuring one of the instances and then replacing the configuration files of the other instances with the one that contains the required configuration. Before copying a file, review the parameters that are specific to an instance (port numbers, host names, file paths, and certificate nicknames, for example) and adjust them in each copy. Figure 10-2 illustrates this quick way of deploying multiple Registration Managers with the same configuration.
  • Page 349: Modifying The Configuration

    Modifying the Configuration. You can modify the CMS configuration in two ways:
    • By changing the configuration parameter values from the CMS window. This is the recommended method for changing configuration. See “Changing the Configuration From the CMS Window” on page 349.
    •...
  • Page 350: Guidelines For Editing The Configuration File

    To modify the configuration file directly:
    Stop the CMS instance whose configuration file you want to edit (see “Stopping Certificate Management System” on page 320).
    Open a terminal window.
    Go to this directory: <server_root>/cert-<instance_id>/config
    Open the configuration file, CMS.cfg, in a text editor.
  • Page 351
    • The parameter names and their values are strings. The parameter names can be hierarchically structured with dot notation with multiple levels—for example, ca.Policy.rule.RSAKeyRule.maxSize. The entries corresponding to a lower level (such as Policy in the example) can be requested from the configuration corresponding to its higher level (ca in the example).
  • Page 352
    • The sample shown on page 362 shows how Job Scheduler-specific information appears in the configuration file. Note the following: All job-specific information, such as registered job modules and configured instances, appears in the Job Scheduler section of the configuration file. Each registered job module is identified by its implementation name and the corresponding Java class.
  • Page 353: Sample Configuration File

    Sample Configuration File. The following sample configuration is of a Certificate Manager.
    NOTE This sample file includes some of the parameters used by Certificate Management System. However, there is no guarantee that an arbitrary set of options you create will work.
    _000=##
    _001=## File Created On : Sun Jan 02 23:02:35 PST 2000
    ...
  • Page 354
    auths.impl.NISAuth.class=com.netscape.certsrv.authentication.NISAuth
    auths.impl.PortalEnroll.class=com.netscape.certsrv.authentication.PortalEnroll
    auths.impl.UidPwdDirAuth.class=com.netscape.certsrv.authentication.UidPwdDirAuthentication
    auths.impl.UidPwdPinDirAuth.class=com.netscape.certsrv.authentication.UidPwdPinDirAuthentication
    auths.revocationChecking.bufferSize=5
    auths.revocationChecking.ca=ca
    auths.revocationChecking.enabled=true
    auths.revocationChecking.unknownStateInterval=0
    auths.revocationChecking.validityInterval=120
    ca.id=ca
    ca.local=true
    ca.Policy.order=KeyAlgRule, RSAKeyRule, DefaultValidityRule, RenewalConstraintsRule, DefaultRenewalValidityRule, RevocationConstraintsRule, DefaultRevocationRule, NSCertTypeExt, CMCertKeyUsageExt, RMCertKeyUsageExt, ClientCertKeyUsageExt, ServerCertKeyUsageExt, ObjSignCertKeyUsageExt, SubjectKeyIdentifierExt, CertificatePoliciesExt, NSCComment, OCSPNoCheckExt, OCSPSigningExt, CODESigningExt, GenericASN1Ext, CRLDistributionPointsExt, SubjectAltNameExt, SigningAlgRule, AuthorityKeyIdentifierExt, BasicConstraintsExt, UniqueSubjectName, NameConstraintsExt, PolicyConstraintsExt, SubCANameCheck, PolicyMappingsExt, IssuerRule
    ca.Policy.processor=classic
    ca.Policy.impl._000=##
    ...
  • Page 355
    ca.Policy.impl.PolicyConstraintsExt.class=com.netscape.certsrv.policy.PolicyConstraintsExt
    ca.Policy.impl.PolicyMappingsExt.class=com.netscape.certsrv.policy.PolicyMappingsExt
    ca.Policy.impl.PrivateKeyUsagePeriodExt.class=com.netscape.certsrv.policy.PrivateKeyUsagePeriodExt
    ca.Policy.impl.RSAKeyConstraints.class=com.netscape.certsrv.policy.RSAKeyConstraints
    ca.Policy.impl.RenewalConstraints.class=com.netscape.certsrv.policy.RenewalConstraints
    ca.Policy.impl.RenewalValidityConstraints.class=com.netscape.certsrv.policy.RenewalValidityConstraints
    ca.Policy.impl.RevocationConstraints.class=com.netscape.certsrv.policy.RevocationConstraints
    ca.Policy.impl.SigningAlgorithmConstraints.class=com.netscape.certsrv.policy.SigningAlgorithmConstraints
    ca.Policy.impl.SubCANameCheck.class=com.netscape.certsrv.policy.SubCANameCheck
    ca.Policy.impl.SubjectAltNameExt.class=com.netscape.certsrv.policy.SubjAltNameExt
    ca.Policy.impl.SubjectDirectoryAttributesExt.class=com.netscape.certsrv.policy.SubjectDirectoryAttributesExt
    ca.Policy.impl.SubjectKeyIdentifierExt.class=com.netscape.certsrv.policy.SubjectKeyIdentifierExt
    ca.Policy.impl.UniqueSubjectName.class=com.netscape.certsrv.policy.UniqueSubjectName
    ca.Policy.impl.ValidityConstraints.class=com.netscape.certsrv.policy.ValidityConstraints
    ca.Policy.rule.AuthorityKeyIdentifierExt.enable=true
    ca.Policy.rule.AuthorityKeyIdentifierExt.implName=AuthorityKeyIdentifierExt
    ca.Policy.rule.AuthorityKeyIdentifierExt.predicate=
    ca.Policy.rule.BasicConstraintsExt.enable=true
    ca.Policy.rule.BasicConstraintsExt.implName=BasicConstraintsExt
    ca.Policy.rule.BasicConstraintsExt.predicate=HTTP_PARAMS.certType == ca
    ca.Policy.rule.BasicConstraintsExt.removeBasicExt=true
    ca.Policy.rule.CMCertKeyUsageExt.crlSign=true
    ca.Policy.rule.CMCertKeyUsageExt.digitalSignature=true
    ca.Policy.rule.CMCertKeyUsageExt.enable=true
    ca.Policy.rule.CMCertKeyUsageExt.implName=KeyUsageExt
    ca.Policy.rule.CMCertKeyUsageExt.keyCertsign=true
    ca.Policy.rule.CMCertKeyUsageExt.nonRepudiation=true
    ca.Policy.rule.CMCertKeyUsageExt.predicate=certType==ca
    ca.Policy.rule.CODESigningExt.critical=false
    ca.Policy.rule.CODESigningExt.enable=true
    ...
  • Page 356
    ca.Policy.rule.CRLDistributionPointsExt.issuerType1=
    ca.Policy.rule.CRLDistributionPointsExt.issuerType2=
    ca.Policy.rule.CRLDistributionPointsExt.numPoints=0
    ca.Policy.rule.CRLDistributionPointsExt.pointName0=
    ca.Policy.rule.CRLDistributionPointsExt.pointName1=
    ca.Policy.rule.CRLDistributionPointsExt.pointName2=
    ca.Policy.rule.CRLDistributionPointsExt.pointType0=
    ca.Policy.rule.CRLDistributionPointsExt.pointType1=
    ca.Policy.rule.CRLDistributionPointsExt.pointType2=
    ca.Policy.rule.CRLDistributionPointsExt.predicate=
    ca.Policy.rule.CRLDistributionPointsExt.reasons0=
    ca.Policy.rule.CRLDistributionPointsExt.reasons1=
    ca.Policy.rule.CRLDistributionPointsExt.reasons2=
    ca.Policy.rule.CertificatePoliciesExt.enable=false
    ca.Policy.rule.CertificatePoliciesExt.implName=CertificatePoliciesExt
    ca.Policy.rule.CertificatePoliciesExt.policyId=
    ca.Policy.rule.CertificatePoliciesExt.predicate=
    ca.Policy.rule.ClientCertKeyUsageExt.digitalSignature=true
    ca.Policy.rule.ClientCertKeyUsageExt.enable=true
    ca.Policy.rule.ClientCertKeyUsageExt.implName=KeyUsageExt
    ca.Policy.rule.ClientCertKeyUsageExt.keyEncipherment=true
    ca.Policy.rule.ClientCertKeyUsageExt.nonRepudiation=true
    ca.Policy.rule.ClientCertKeyUsageExt.predicate=certType==client
    ca.Policy.rule.DSAKeyRule.enable=true
    ca.Policy.rule.DSAKeyRule.implName=DSAKeyConstraints
    ca.Policy.rule.DSAKeyRule.maxSize=2048
    ca.Policy.rule.DSAKeyRule.minSize=512
    ca.Policy.rule.DSAKeyRule.predicate=
    ca.Policy.rule.DefaultRenewalValidityRule.enable=true
    ca.Policy.rule.DefaultRenewalValidityRule.implName=RenewalValidityConstraints
    ca.Policy.rule.DefaultRenewalValidityRule.maxValidity=365
    ca.Policy.rule.DefaultRenewalValidityRule.minValidity=30
    ca.Policy.rule.DefaultRenewalValidityRule.predicate=
    ca.Policy.rule.DefaultRenewalValidityRule.renewalInterval=15
    ca.Policy.rule.DefaultRevocationRule.enable=true
    ca.Policy.rule.DefaultRevocationRule.implName=DefaultRevocation
    ca.Policy.rule.DefaultRevocationRule.predicate=
    ca.Policy.rule.DefaultValidityRule.enable=true
    ca.Policy.rule.DefaultValidityRule.implName=ValidityConstraints
    ca.Policy.rule.DefaultValidityRule.maxValidity=365
    ...
  • Page 357
    ca.Policy.rule.GenericASN1Ext.name=
    ca.Policy.rule.GenericASN1Ext.oid=
    ca.Policy.rule.GenericASN1Ext.pattern=
    ca.Policy.rule.GenericASN1Ext.predicate=
    ca.Policy.rule.GenericASN1Ext.attribute.0.source=
    ca.Policy.rule.GenericASN1Ext.attribute.0.type=
    ca.Policy.rule.GenericASN1Ext.attribute.0.value=
    ca.Policy.rule.GenericASN1Ext.attribute.1.source=
    ca.Policy.rule.GenericASN1Ext.attribute.1.type=
    ca.Policy.rule.GenericASN1Ext.attribute.1.value=
    ca.Policy.rule.GenericASN1Ext.attribute.2.source=
    ca.Policy.rule.GenericASN1Ext.attribute.2.type=
    ca.Policy.rule.GenericASN1Ext.attribute.2.value=
    ca.Policy.rule.GenericASN1Ext.attribute.3.source=
    ca.Policy.rule.GenericASN1Ext.attribute.3.type=
    ca.Policy.rule.GenericASN1Ext.attribute.3.value=
    ca.Policy.rule.GenericASN1Ext.attribute.4.source=
    ca.Policy.rule.GenericASN1Ext.attribute.4.type=
    ca.Policy.rule.GenericASN1Ext.attribute.4.value=
    ca.Policy.rule.GenericASN1Ext.attribute.5.source=
    ca.Policy.rule.GenericASN1Ext.attribute.5.type=
    ca.Policy.rule.GenericASN1Ext.attribute.5.value=
    ca.Policy.rule.GenericASN1Ext.attribute.6.source=
    ca.Policy.rule.GenericASN1Ext.attribute.6.type=
    ca.Policy.rule.GenericASN1Ext.attribute.6.value=
    ca.Policy.rule.GenericASN1Ext.attribute.7.source=
    ca.Policy.rule.GenericASN1Ext.attribute.7.type=
    ca.Policy.rule.GenericASN1Ext.attribute.7.value=
    ca.Policy.rule.GenericASN1Ext.attribute.8.source=
    ca.Policy.rule.GenericASN1Ext.attribute.8.type=
    ca.Policy.rule.GenericASN1Ext.attribute.8.value=
    ca.Policy.rule.GenericASN1Ext.attribute.9.source=
    ca.Policy.rule.GenericASN1Ext.attribute.9.type=
    ca.Policy.rule.GenericASN1Ext.attribute.9.value=
    ca.Policy.rule.IssuerRule.enable=false
    ca.Policy.rule.IssuerRule.implName=IssuerConstraints
    ca.Policy.rule.IssuerRule.issuerDN=
    ca.Policy.rule.IssuerRule.predicate=certType==client AND certauthEnroll==on
    ca.Policy.rule.KeyAlgRule.algorithms=RSA
    ca.Policy.rule.KeyAlgRule.enable=true
    ...
  • Page 358
    ca.Policy.rule.NSCertTypeExt.predicate=certType!=CEP-Request
    ca.Policy.rule.NameConstraintsExt.critical=true
    ca.Policy.rule.NameConstraintsExt.enable=false
    ca.Policy.rule.NameConstraintsExt.implName=NameConstraintsExt
    ca.Policy.rule.NameConstraintsExt.numExcludedSubtrees=3
    ca.Policy.rule.NameConstraintsExt.numPermittedSubtrees=3
    ca.Policy.rule.NameConstraintsExt.predicate=certType == ca
    ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.base=
    ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.max=-1
    ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.min=0
    ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.valueType=
    ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.base=
    ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.max=-1
    ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.min=0
    ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.valueType=
    ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.base=
    ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.max=-1
    ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.min=0
    ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.valueType=
    ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.base=
    ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.max=-1
    ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.min=0
    ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.valueType=
    ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.base=
    ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.max=-1
    ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.min=0
    ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.valueType=
    ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.base=
    ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.max=-1
    ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.min=0
    ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.valueType=
    ca.Policy.rule.OCSPNoCheckExt.critical=false
    ca.Policy.rule.OCSPNoCheckExt.enable=true
    ca.Policy.rule.OCSPNoCheckExt.implName=OCSPNoCheckExt
    ca.Policy.rule.OCSPNoCheckExt.predicate=certType==ocspResponder
    ca.Policy.rule.OCSPSigningExt.critical=false
    ca.Policy.rule.OCSPSigningExt.enable=true
    ca.Policy.rule.OCSPSigningExt.id0=1.3.6.1.5.5.7.3.9
    ...
  • Page 359
    ca.Policy.rule.PolicyConstraintsExt.enable=false
    ca.Policy.rule.PolicyConstraintsExt.implName=PolicyConstraintsExt
    ca.Policy.rule.PolicyConstraintsExt.inhibitPolicyMapping=0
    ca.Policy.rule.PolicyConstraintsExt.predicate=certType==ca
    ca.Policy.rule.PolicyConstraintsExt.reqExplicitPolicy=0
    ca.Policy.rule.PolicyMappingsExt.critical=false
    ca.Policy.rule.PolicyMappingsExt.enable=false
    ca.Policy.rule.PolicyMappingsExt.implName=PolicyMappingsExt
    ca.Policy.rule.PolicyMappingsExt.numPolicyMappings=1
    ca.Policy.rule.PolicyMappingsExt.predicate=certType==ca
    ca.Policy.rule.PolicyMappingsExt.policyMap0.issuerDomainPolicy=
    ca.Policy.rule.PolicyMappingsExt.policyMap0.subjectDomainPolicy=
    ca.Policy.rule.RMCertKeyUsageExt.digitalSignature=true
    ca.Policy.rule.RMCertKeyUsageExt.enable=true
    ca.Policy.rule.RMCertKeyUsageExt.implName=KeyUsageExt
    ca.Policy.rule.RMCertKeyUsageExt.nonRepudiation=true
    ca.Policy.rule.RMCertKeyUsageExt.predicate=certType==ra
    ca.Policy.rule.RSAKeyRule.enable=false
    ca.Policy.rule.RSAKeyRule.exponents=3,7,17,65537
    ca.Policy.rule.RSAKeyRule.implName=RSAKeyConstraints
    ca.Policy.rule.RSAKeyRule.maxSize=2048
    ca.Policy.rule.RSAKeyRule.minSize=512
    ca.Policy.rule.RSAKeyRule.predicate=
    ca.Policy.rule.RenewalConstraintsRule.enable=true
    ca.Policy.rule.RenewalConstraintsRule.implName=RenewalConstraints
    ca.Policy.rule.RenewalConstraintsRule.predicate=
    ca.Policy.rule.RevocationConstraintsRule.enable=true
    ca.Policy.rule.RevocationConstraintsRule.implName=RevocationConstraints
    ca.Policy.rule.RevocationConstraintsRule.predicate=
    ca.Policy.rule.ServerCertKeyUsageExt.dataEncipherment=true
    ca.Policy.rule.ServerCertKeyUsageExt.digitalSignature=true
    ca.Policy.rule.ServerCertKeyUsageExt.enable=true
    ca.Policy.rule.ServerCertKeyUsageExt.implName=KeyUsageExt
    ca.Policy.rule.ServerCertKeyUsageExt.keyEncipherment=true
    ca.Policy.rule.ServerCertKeyUsageExt.nonRepudiation=true
    ca.Policy.rule.ServerCertKeyUsageExt.predicate=certType==server
    ca.Policy.rule.SigningAlgRule.algorithms=MD5withRSA,MD2withRSA,SHA1withRSA,SHA1withDSA
    ca.Policy.rule.SigningAlgRule.enable=true
    ca.Policy.rule.SigningAlgRule.implName=SigningAlgorithmConstraints
    ca.Policy.rule.SigningAlgRule.predicate=
    ...
  • Page 360
    ca.Policy.rule.SubjectAltNameExt.enableManualValues=false
    ca.Policy.rule.SubjectAltNameExt.implName=SubjectAltNameExt
    ca.Policy.rule.SubjectKeyIdentifierExt.enable=true
    ca.Policy.rule.SubjectKeyIdentifierExt.implName=SubjectKeyIdentifierExt
    ca.Policy.rule.SubjectKeyIdentifierExt.predicate=certType==ca
    ca.Policy.rule.UniqueSubjectName.enable=false
    ca.Policy.rule.UniqueSubjectName.implName=UniqueSubjectName
    ca.Policy.rule.UniqueSubjectName.predicate=
    ca.crl._000=##
    ca.crl._001=## CA CRL
    ca.crl._002=##
    ca.crl.MasterCRL.allowExtensions=false
    ca.crl.MasterCRL.autoUpdateInterval=20
    ca.crl.MasterCRL.class=com.netscape.certsrv.ca.CRLIssuingPoint
    ca.crl.MasterCRL.description=CA's complete Certificate Revocation List
    ca.notification.certIssued.emailSubject=Your Certificate Request
    ca.notification.certIssued.emailTemplate=/usr/netscape/cert-testCA/emails/certIssued_CA.html
    ca.notification.certIssued.enabled=false
    ca.notification.certIssued.senderEmail=
    ca.notification.requestInQ.emailSubject=Certificate Request in Queue
    ca.notification.requestInQ.emailTemplate=/usr/netscape/cert-testCA/emails/reqInQueue.html
    ca.notification.requestInQ.enabled=false
    ca.notification.requestInQ.recipientEmail=
    ca.notification.requestInQ.senderEmail=
    ca.publish.mapper.impl.LdapDNCompsMap.class=com.netscape.certsrv.ldap.LdapCertCompsMap
    ca.publish.mapper.impl.LdapDNExactMap.class=com.netscape.certsrv.ldap.LdapCertExactMap
    ca.publish.mapper.impl.LdapSimpleMap.class=com.netscape.certsrv.ldap.LdapSimpleMap
    ...
  • Page 361
    ca.publish.publisher.instance.LdapCaCertPublisher.caCertAttr=caCertificate;binary
    ca.publish.publisher.instance.LdapCaCertPublisher.caObjectClass=certificationAuthority
    ca.publish.publisher.instance.LdapCaCertPublisher.pluginName=LdapCaCertPublisher
    ca.publish.publisher.instance.LdapCrlPublisher.crlAttr=certificateRevocationList;binary
    ca.publish.publisher.instance.LdapCrlPublisher.pluginName=LdapCrlPublisher
    ca.publish.publisher.instance.LdapUserCertPublisher.certAttr=userCertificate;binary
    ca.publish.publisher.instance.LdapUserCertPublisher.pluginName=LdapUserCertPublisher
    ca.publish.rule.impl.Rule.class=com.netscape.certsrv.ldap.LdapRule
    ca.publish.rule.instance.LdapCaCertRule.enable=true
    ca.publish.rule.instance.LdapCaCertRule.mapper=LdapCaCertMap
    ca.publish.rule.instance.LdapCaCertRule.pluginName=Rule
    ca.publish.rule.instance.LdapCaCertRule.predicate=
    ca.publish.rule.instance.LdapCaCertRule.publisher=LdapCaCertPublisher
    ca.publish.rule.instance.LdapCaCertRule.type=ca
    ca.publish.rule.instance.LdapCrlRule.enable=true
    ca.publish.rule.instance.LdapCrlRule.mapper=LdapCrlMap
    ca.publish.rule.instance.LdapCrlRule.pluginName=Rule
    ca.publish.rule.instance.LdapCrlRule.predicate=
    ca.publish.rule.instance.LdapCrlRule.publisher=LdapCrlPublisher
    ca.publish.rule.instance.LdapCrlRule.type=crl
    ca.publish.rule.instance.LdapObjSignCertRule.enable=true
    ca.publish.rule.instance.LdapObjSignCertRule.mapper=LdapUserCertMap
    ca.publish.rule.instance.LdapObjSignCertRule.pluginName=Rule
    ca.publish.rule.instance.LdapObjSignCertRule.predicate=
    ca.publish.rule.instance.LdapObjSignCertRule.publisher=LdapUserCertPublisher
    ca.publish.rule.instance.LdapObjSignCertRule.type=objSignClient
    ca.publish.rule.instance.LdapUserCertRule.enable=true
    ca.publish.rule.instance.LdapUserCertRule.mapper=LdapUserCertMap
    ca.publish.rule.instance.LdapUserCertRule.pluginName=Rule
    ca.publish.rule.instance.LdapUserCertRule.predicate=
    ca.publish.rule.instance.LdapUserCertRule.publisher=LdapUserCertPublisher
    ca.publish.rule.instance.LdapUserCertRule.type=client
    ca.signing.cacertnickname=caSigningCert cert-testCA
    ca.signing.defaultSigningAlgorithm=MD5withRSA
    ca.signing.tokenname=Internal Key Storage Token
    cms.version=4.22
    dbs.ldap=internaldb
    dbs.newSchemaEntryAdded=true
    ...
  • Page 362
    eeGateway.authority=ca
    eeGateway.docRoot=/usr/netscape/cert-testCA/web/ee
    eeGateway.dynamicVariables=serverdate=serverdate(),subsystemname=subsystemname(),http=http()
    eeGateway.enableConnector=true
    eeGateway.keepAliveOn=true
    eeGateway.mimeTypeConf=/usr/netscape/cert-testCA/config/mime.types
    eeGateway.numServices=2
    eeGateway.service0=http
    eeGateway.service1=https
    eeGateway.http.backlog=15
    eeGateway.http.enable=true
    eeGateway.http.port=4603
    eeGateway.http.type=http
    eeGateway.https.backlog=15
    eeGateway.https.nickName=Server-Cert cert-testCA
    eeGateway.https.port=4604
    eeGateway.https.type=https
    internaldb._000=##
    internaldb._001=## Internal Database
    internaldb._002=##
    internaldb.maxConns=15
    internaldb.minConns=3
    internaldb.ldapauth.authtype=BasicAuth
    internaldb.ldapauth.bindDN=cn=Directory Manager
    internaldb.ldapauth.bindPWPrompt=Internal LDAP Database
    internaldb.ldapconn.host=testCA.siroe.com
    internaldb.ldapconn.port=3602
    internaldb.ldapconn.secureConn=false
    jobsScheduler._000=##
    jobsScheduler._001=## jobScheduler
    jobsScheduler._002=##
    jobsScheduler.enabled=false
    jobsScheduler.interval=1
    ...
  • Page 363
    Notification Summary
    jobsScheduler.job.certRenewalNotifier.summary.emailTemplate=/usr/netscape/cert-testCA/emails/rnJob1Summary.txt
    jobsScheduler.job.certRenewalNotifier.summary.enabled=true
    jobsScheduler.job.certRenewalNotifier.summary.itemTemplate=/usr/netscape/cert-testCA/emails/rnJob1Item.txt
    jobsScheduler.job.certRenewalNotifier.summary.recipientEmail=
    jobsScheduler.job.certRenewalNotifier.summary.senderEmail=
    jobsScheduler.job.requestInQueueNotifier.cron=0 0 * * 0
    jobsScheduler.job.requestInQueueNotifier.enabled=false
    jobsScheduler.job.requestInQueueNotifier.pluginName=RequestInQueueJob
    jobsScheduler.job.requestInQueueNotifier.subsystemId=ca
    jobsScheduler.job.requestInQueueNotifier.summary.emailSubject=Requests in Queue Summary Report
    jobsScheduler.job.requestInQueueNotifier.summary.emailTemplate=/usr/netscape/cert-testCA/emails/riq1Summary.html
    jobsScheduler.job.requestInQueueNotifier.summary.enabled=true
    jobsScheduler.job.requestInQueueNotifier.summary.recipientEmail=
    jobsScheduler.job.requestInQueueNotifier.summary.senderEmail=
    jobsScheduler.job.unpublishExpiredCerts.cron=0 0 * * 6
    jobsScheduler.job.unpublishExpiredCerts.enabled=false
    jobsScheduler.job.unpublishExpiredCerts.pluginName=UnpublishExpiredJob
    jobsScheduler.job.unpublishExpiredCerts.summary.emailSubject=Expired Certs Unpublished Summary
    jobsScheduler.job.unpublishExpiredCerts.summary.emailTemplate=/usr/netscape/cert-testCA/emails/euJob1.html
    jobsScheduler.job.unpublishExpiredCerts.summary.enabled=true
    ...
  • Page 364
    log.impl.NTEventLog.class=com.netscape.certsrv.logging.NTEventLog
    log.impl.file.class=com.netscape.certsrv.logging.RollingLogFile
    log.instance.Audit.bufferSize=512
    log.instance.Audit.enable=true
    log.instance.Audit.expirationTime=2592000
    log.instance.Audit.fileName=/usr/netscape/cert-testCA/logs/audit
    log.instance.Audit.flushInterval=5
    log.instance.Audit.level=1
    log.instance.Audit.maxFileSize=100
    log.instance.Audit.pluginName=file
    log.instance.Audit.rolloverInterval=2592000
    log.instance.Audit.type=audit
    log.instance.Error.bufferSize=512
    log.instance.Error.enable=true
    log.instance.Error.expirationTime=2592000
    log.instance.Error.fileName=/usr/netscape/cert-testCA/logs/error
    log.instance.Error.flushInterval=5
    log.instance.Error.level=3
    log.instance.Error.maxFileSize=100
    log.instance.Error.pluginName=file
    log.instance.Error.rolloverInterval=2592000
    log.instance.Error.type=system
    log.instance.NTAudit.NTEventSourceName=cert-testCA
    log.instance.NTAudit.enable=true
    log.instance.NTAudit.level=1
    log.instance.NTAudit.pluginName=NTEventLog
    log.instance.NTAudit.type=audit
    log.instance.NTSystem.NTEventSourceName=cert-testCA
    log.instance.NTSystem.enable=true
    log.instance.NTSystem.level=2
    log.instance.NTSystem.pluginName=NTEventLog
    log.instance.NTSystem.type=system
    log.instance.System.bufferSize=512
    log.instance.System.enable=true
    log.instance.System.expirationTime=2592000
    log.instance.System.fileName=/usr/netscape/cert-testCA/logs/system
    log.instance.System.flushInterval=5
    log.instance.System.level=3
    log.instance.System.maxFileSize=100
    log.instance.System.pluginName=file
    ...
  • Page 365
    oidmap.auth_info_access.class=com.netscape.certsrv.cert.AuthInfoAccessExtension
    oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
    oidmap.challenge_password.class=com.netscape.certsrv.cmsgateway.cert.crs.ChallengePassword
    oidmap.challenge_password.oid=1.2.840.113549.1.9.7
    oidmap.extended_key_usage.class=com.netscape.certsrv.cert.ExtendedKeyUsageExtension
    oidmap.extended_key_usage.oid=2.5.29.37
    oidmap.extensions_requested_pkcs9.class=com.netscape.certsrv.cmsgateway.cert.crs.ExtensionsRequested
    oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14
    oidmap.extensions_requested_vsgn.class=com.netscape.certsrv.cmsgateway.cert.crs.ExtensionsRequested
    oidmap.extensions_requested_vsgn.oid=2.16.840.1.113733.1.9.8
    oidmap.netscape_comment.class=netscape.security.x509.NSCCommentExtension
    oidmap.netscape_comment.oid=2.16.840.1.113730.1.13
    oidmap.ocsp_no_check.class=com.netscape.certsrv.cert.OCSPNoCheckExtension
    oidmap.ocsp_no_check.oid=1.3.6.1.5.5.7.48.1.5
    os.serverName=cert-testCA
    os.userid=nobody
    radm._000=##
    radm._001=## Remote Admin
    radm._002=##
    radm.keepAliveOn=true
    radm.mimeTypeConf=/usr/netscape/cert-testCA/config/mime.types
    radm.numServices=1
    radm.service0=https
    radm.https.backlog=15
    radm.https.maxThreads=10
    radm.https.minThreads=3
    radm.https.nickName=Server-Cert cert-testCA
    radm.https.port=4606
    radm.https.timeout=0
    radm.https.type=https
    smtp.host=localhost
    smtp.port=25
    subsystem._000=##
    subsystem._001=## Loadable Subsystems
    ...
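The flat name=value format and the dotted hierarchy described in the editing guidelines (a lower level such as ca.Policy.rule.RSAKeyRule requested from its higher level) make CMS.cfg easy to audit mechanically. The following Python is an added example written by the editor; it is not code from the manual or from Netscape. It parses CMS.cfg-style lines, exposes a sub-store lookup, and flags settings in the sample above that a reviewer today would question: MD2/MD5 signing, 512-bit minimum key sizes, the RSA key-size rule disabled, a cleartext LDAP connection to an internal database on another host, and the cleartext end-entity port. SAMPLE_CFG is a constructed subset of the sample with printer-wrapped values rejoined; WEAK_SIGNING_ALGS, MIN_KEY_BITS and HARDENED_OVERRIDES are the editor's assumptions, not limits CMS enforces. The hardened values use only algorithm names the sample itself lists, and SHA1withRSA, the strongest of those, is itself deprecated now.

```python
"""Parse a CMS.cfg-style file and flag security-relevant settings.

Added example, not Netscape's code.  SAMPLE_CFG is a constructed subset of
the manual's sample Certificate Manager configuration; WEAK_SIGNING_ALGS,
MIN_KEY_BITS and HARDENED_OVERRIDES are the editor's assumptions.
"""

# Constructed sample: parameter lines taken from the manual's sample file,
# with values that the printer had wrapped rejoined onto one line each.
SAMPLE_CFG = """\
_000=##
_001=## File Created On : Sun Jan 02 23:02:35 PST 2000
ca.Policy.rule.RSAKeyRule.enable=false
ca.Policy.rule.RSAKeyRule.exponents=3,7,17,65537
ca.Policy.rule.RSAKeyRule.maxSize=2048
ca.Policy.rule.RSAKeyRule.minSize=512
ca.Policy.rule.DSAKeyRule.enable=true
ca.Policy.rule.DSAKeyRule.maxSize=2048
ca.Policy.rule.DSAKeyRule.minSize=512
ca.Policy.rule.SigningAlgRule.algorithms=MD5withRSA,MD2withRSA,SHA1withRSA,SHA1withDSA
ca.signing.defaultSigningAlgorithm=MD5withRSA
eeGateway.http.enable=true
eeGateway.http.port=4603
internaldb.ldapauth.bindDN=cn=Directory Manager
internaldb.ldapconn.host=testCA.siroe.com
internaldb.ldapconn.secureConn=false
"""

WEAK_SIGNING_ALGS = {"MD2withRSA", "MD5withRSA"}   # assumption: editor's list
MIN_KEY_BITS = 2048                                 # assumption: editor's floor
LOCAL_HOSTS = {"localhost", "127.0.0.1"}
# Assumed hardened values; only algorithm names the sample itself lists are used.
HARDENED_OVERRIDES = {
    "ca.Policy.rule.RSAKeyRule.enable": "true",
    "ca.Policy.rule.RSAKeyRule.minSize": "2048",
    "ca.Policy.rule.DSAKeyRule.minSize": "2048",
    "ca.Policy.rule.SigningAlgRule.algorithms": "SHA1withRSA,SHA1withDSA",
    "ca.signing.defaultSigningAlgorithm": "SHA1withRSA",
    "eeGateway.http.enable": "false",
    "internaldb.ldapconn.secureConn": "true",
}


def parse_cfg(text):
    """Return {name: value} for each name=value line.  The split is on the
    first '=' only, so a value such as 'cn=Directory Manager' keeps its '='."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            cfg[name.strip()] = value.strip()
    return cfg


def substore(cfg, prefix):
    """Parameters below 'prefix' with the prefix removed, e.g.
    substore(cfg, 'ca.Policy.rule.RSAKeyRule') -> {'enable': 'false', ...}.
    This is the lower-level view requested from a higher-level node."""
    head = prefix + "."
    return {k[len(head):]: v for k, v in cfg.items() if k.startswith(head)}


def audit(cfg):
    """Return a list of findings for settings a reviewer would question."""
    findings = []
    alg = cfg.get("ca.signing.defaultSigningAlgorithm", "")
    if alg in WEAK_SIGNING_ALGS:
        findings.append(f"ca.signing.defaultSigningAlgorithm={alg}: MD2/MD5 are collision-prone")
    allowed = {a.strip() for a in cfg.get("ca.Policy.rule.SigningAlgRule.algorithms", "").split(",")}
    weak = sorted(allowed & WEAK_SIGNING_ALGS)
    if weak:
        findings.append("ca.Policy.rule.SigningAlgRule.algorithms permits " + ",".join(weak))
    for rule in ("RSAKeyRule", "DSAKeyRule"):
        r = substore(cfg, "ca.Policy.rule." + rule)
        if not r:
            continue
        if r.get("enable") != "true":
            findings.append(f"ca.Policy.rule.{rule}.enable={r.get('enable')}: key-size limits not enforced")
        if int(r.get("minSize", "0")) < MIN_KEY_BITS:
            findings.append(f"ca.Policy.rule.{rule}.minSize={r.get('minSize')}: below {MIN_KEY_BITS} bits")
    db = substore(cfg, "internaldb.ldapconn")
    if db and db.get("secureConn") != "true" and db.get("host", "localhost") not in LOCAL_HOSTS:
        findings.append(f"internaldb.ldapconn: cleartext LDAP to remote host {db['host']}")
    if cfg.get("eeGateway.http.enable") == "true":
        findings.append(f"eeGateway.http.enable=true: cleartext end-entity port {cfg.get('eeGateway.http.port')} is open")
    return findings


def hardened(cfg):
    """Copy of cfg with HARDENED_OVERRIDES applied, for comparison."""
    out = dict(cfg)
    out.update(HARDENED_OVERRIDES)
    return out


if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE_CFG)
    for finding in audit(cfg):
        print("WEAK:", finding)
    print("after hardening:", audit(hardened(cfg)) or "no findings")
```

To run it against a live instance, read <server_root>/cert-<instance_id>/config/CMS.cfg into parse_cfg instead of SAMPLE_CFG; the parser assumes one parameter per line, which is how the server writes the file.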
  • Page 366: Road Map To Configuring Subsystems

    Road Map to Configuring Subsystems. This section outlines how to configure an instance of Certificate Management System and indicates where to find the information required to accomplish the task.
    Step 1. Check Which Subsystems are Installed in the Instance. Log in to the CMS window for the CMS instance you installed, and check the navigation tree to see which subsystems are installed in that instance;...
  • Page 367: Step 4. Set Up Privileged Users

    • Check the certificate database to see which CA certificates are trusted. Delete any unwanted CA certificates, change the trust settings of CA certificates that you don’t want to trust to untrusted, and install any new CA certificate or certificate chains.
  • Page 368: Step 7: Enable Event-Driven Notifications

    Step 7: Enable Event-Driven Notifications. You can also configure both Certificate Manager and Registration Manager to send email notifications automatically to end entities, agents, or administrators when certain events occur. Unlike jobs, which run on a preconfigured schedule, these notifications are event-driven—that is, whenever an event occurs, the server notifies the user.
  • Page 369: Step 10. Set Up Publishing

    For instructions to do all of the above tasks, see “Configuring Policy Rules for a Subsystem” on page 589.
    Step 10. Set Up Publishing. This step is optional, and is applicable to the Certificate Manager only—you need to do this only if you want the Certificate Manager to publish certificates and CRLs to any of the supported repositories.
  • Page 370: Step 13. Plan For Backing Up Cms Configuration And Data

    Step 13. Plan for Backing up CMS Configuration and Data. It is good practice to back up the CMS configuration and data periodically to backup media, so that you can restore them in the event of data loss. Backups that include the internal token contain the subsystem’s private keys (the sample configuration keeps the CA signing key in the Internal Key Storage Token), so protect those backups as carefully as the server itself.
  • Page 371: Chapter 11 Setting Up Ports

    Chapter 11 Setting Up Ports Subsystems installed in an instance of Netscape Certificate Management System (CMS) share certain configuration information. For example, they use the same administration, agent, and end-entity ports; internal database for data storage; mail server for automated notifications; internal token and trust database for PKI operations;...
  • Page 372: Remote Administration Port

    Figure 11-1 CMS ports for administration, agent, and end-entity operations
    When choosing ports for Certificate Management System, be sure to choose ports that are unique on the host system—that is, no other application can be using, or attempting to use, the port numbers you assign to Certificate Management System. To verify that a port is available for use, check the appropriate file for your operating system;...
  • Page 373: Agent Port

    Agent Port. The agent port is an SSL (encrypted) port at which Certificate Management System listens to requests from agents; agents make these requests from the appropriate Agent Services interface.
    • The Certificate Manager and Registration Manager agents use the agent port to process certificate issuance and management requests from end entities and to perform certain other privileged operations over HTTPS.
  • Page 374: Configuring Port Numbers

    Configuring Port Numbers. Certificate Management System provides the following services through the HTTP and HTTPS ports:
    • The HTTP port can be used to service end-entity-initiated PKI requests, such as enrollment, renewal, and revocation; enrollment requests can include requests from Cisco routers (using the CEP protocol). You have the choice of keeping this port enabled or disabled. Because this port is not SSL-protected, requests and responses on it travel in the clear; keep it disabled unless you have clients, such as CEP routers, that cannot use the HTTPS port.
  • Page 375
    Select the Configuration tab. The Network tab appears.
    To change the administration port number, enter the port number in the Administration section:
    SSL port. Type a TCP/IP port number. Certificate Management System uses this port for SSL-enabled communications with the CMS window—that is, HTTPS requests from administrators.
  • Page 376
    To change the end-entity port numbers, enter the port numbers in the End Entity section. Certificate Management System is capable of simultaneous SSL and non-SSL communications at the end-entity port. This means that you do not have to choose between SSL and non-SSL communications;...
  • Page 377: Step 2: Specify Ip Addresses

    Backlog. Type the number of connections that can be waiting to be serviced at the end-entity HTTPS port. The default number is 15. The number you enter in this field is passed to the operating system’s listen() call.
    To save your changes, click Save.
  • Page 378 Configuring Port Numbers Add the IP address, host name, or interface name as the value for the parameter you just added. For example, if you entered an IP address as the value, the parameter would look similar to this: radm.https.host=197.1.137.98 If you entered the host name as the value, the parameter would look similar to this:...
  • Page 379: Chapter 12 Setting Up Internal Database

    Chapter 12 Setting Up Internal Database Subsystems installed in an instance of Netscape Certificate Management System (CMS) share certain configuration information. For example, they use the same administration, agent, and end-entity ports; internal database for data storage; mail server for automated notifications; internal token and trust database for PKI operations;...
  • Page 380: Configuring The Internal Database

    Configuring the Internal Database To fulfill these functions, Certificate Management System maintains a persistent store—a preconfigured Netscape Directory Server—referred to as the internal database or local database. The internal database is installed automatically as a part of the CMS installation. It is used as an embedded database exclusively by Certificate Management System and can be managed using Directory management tools that come with Netscape Directory Server.
  • Page 381: Step 1. Identify The Directory Server Instance

    Configuring the Internal Database Step 1. Identify the Directory Server Instance To identify the Directory Server instance that a CMS instance should use as its internal database: Log in to the CMS window (see “Logging In to the CMS Window” on page 343).
  • Page 382: Step 2. Restrict Access To The Internal Database

    Configuring the Internal Database You can configure the host name to something other than localhost if you know what you are doing and you think you can limit the visibility of the internal database to a local subnet. For example, if you installed Certificate Management System and Directory Server on separate machines for load balancing, you will have to specify the host name of the machine on which Directory Server is installed.
  • Page 383 Configuring the Internal Database If you are concerned about this, you can restrict access to the internal database to only those users who know its Directory Manager DN and corresponding password. You can change this password by modifying the single sign-on password cache.
  • Page 384 Configuring the Internal Database Click the Tasks tab and click “Restart the Directory Server.” Close the Directory Server window. When the server is restarted, from Netscape Console, open the Directory Server window. The “Login to Directory” dialog box appears; the Distinguished Name field displays the Directory Manager DN and you’re required to enter the password that corresponds to this entry.
  • Page 385: Chapter 13 Managing Privileged Users And Groups

    Chapter 13 Managing Privileged Users and Groups Privileged users are users who are designated to perform privileged operations on Netscape Certificate Management System (CMS); these operations are privileged because no one else can perform them. You assign privileged-user status to a user by storing the user’s login information in the internal database of Certificate Management System, associating the user’s login information with a personal certificate (if the user is an agent or a trusted manager), and granting access...
  • Page 386: Privileged-User Types And Responsibilities

    Privileged-User Types and Responsibilities Privileged-User Types and Responsibilities After you install Certificate Management System, your first task is to set up privileged users. There are three types of privileged users: administrators, agents, and trusted managers. • Administrators are users (people) who manage server-specific tasks for the CMS managers, the Certificate Manager, Registration Manager, Data Recovery Manager, and Online Certificate Status Manager.
  • Page 387: Agents

    Privileged-User Types and Responsibilities Agents Agents are users who have been assigned end-entity certificate- and key-management privileges. Certificate Management System defines four agent roles, one for each of its subsystems: Certificate Manager agents, Registration Manager agents, Data Recovery Manager agents, and Online Certificate Status Manager agents.
  • Page 388 Privileged-User Types and Responsibilities Agents use the HTML forms-based interface called Agent Services (see Figure 13-1). Each subsystem installed in a CMS instance must have at least one agent. You can also have more than one individual managing agent services. You create agents by adding them to the internal database of a CMS instance, assigning membership in the appropriate agent groups, and identifying certificates that the agents must use for SSL client authentication to the subsystem (for it to service requests from the agents).
  • Page 389: Agent's Certificate For Ssl Client Authentication

    Privileged-User Types and Responsibilities Agent’s Certificate for SSL Client Authentication To make a user an agent for a subsystem, one of the things you must do is store the user’s client (personal) certificate information in the internal database of the subsystem.
  • Page 390 Privileged-User Types and Responsibilities When the user receives the certificate from the public CA, the user imports the certificate into the web browser that he or she will use to access the subsystem. It is a good idea to ask the user to inform you that the certificate has been installed.
  • Page 391 Privileged-User Types and Responsibilities Depending on how your Certificate Management System is configured for certificate issuance, one of the following events happens: If Certificate Management System is configured for manual certification, an issuing agent must process the request and approve it for issuance. Once the request is approved, the server issues the client certificate to the user.
  • Page 392: Revocation Status Checking Of Agent Certificates

    Privileged-User Types and Responsibilities Copy the base-64 encoded certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines, to a text file. The copied information should look similar to the following example: -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- Save the text file and use it to store a copy of the certificate in a subsystem’s internal database (see “Step 3.
  • Page 393 Privileged-User Types and Responsibilities The configuration files of both Certificate Manager and Registration Manager include parameters that enable you to specify whether the server should do the revocation checking and if it should, at what interval. Note that the revocation-status verification works for only those agent certificates that have been issued by the Certificate Manager (and not by any third-party CAs).
  • Page 394: Trusted Managers

    Privileged-User Types and Responsibilities Table 13-1 Configuration parameters for checking the revocation status of agents’ certificates (Continued) Parameter name / Description: revocationChecking.unknownStateInterval: The default interval is 0 seconds. revocationChecking.validityInterval: Specifies how long, in seconds, the cached certificates are considered valid. Be judicious when choosing the interval, especially when configuring a Registration Manager.
  • Page 395: Subsystems That Can Function As Trusted Managers

    Privileged-User Types and Responsibilities Subsystems That Can Function as Trusted Managers In Certificate Management System, the Registration Manager and Certificate Manager can function as a trusted manager; the Data Recovery Manager and Online Certificate Status Manager cannot function as a trusted manager. You can configure a Certificate Manager to delegate its end-entity interactions to a trusted Registration Manager, for reasons of localizability (proximity to end entities), customizability, and CA scalability;...
  • Page 396: Connectors For Linking Trusted Managers

    Privileged-User Types and Responsibilities You can configure a Data Recovery Manager to delegate its end-entity interactions to a trusted Certificate Manager or Registration Manager for security reasons; the Data Recovery Manager trusts the Certificate Manager or Registration Manager and services all key archival and recovery requests initiated by this subsystem. For example, as illustrated in the figure below, you might deploy one or more Certificate Managers or Registration Managers to send key archival or recovery requests to a Data Recovery Manager.
  • Page 397: Trusted Manager's Certificate For Ssl Client Authentication

    Privileged-User Types and Responsibilities Figure 13-2 Connectivity service between a trusted Registration Manager and other subsystems. Keep in mind that a trusted manager does not take on the main functions of the subsystem that trusts it. For example, if a Registration Manager is connected to a Certificate Manager, the Registration Manager has no authority to issue (sign) certificates or CRLs.
  • Page 398: Groups And Their Privileges

    Groups and Their Privileges When you set up a trusted manager for a CMS subsystem, it is important to know which CA has issued the certificate the trusted manager will use for SSL client authentication to the subsystem. The certificate must be issued by a CA that the subsystem trusts.
  • Page 399: Group For Administrators

    Groups and Their Privileges When you installed Certificate Management System, it automatically created the following groups for the subsystems you installed: • Group for Administrators • Groups for Agents • Group for Trusted Managers These default groups are created in the internal database of the appropriate CMS instance.
  • Page 400: Groups For Agents

    Groups and Their Privileges Groups for Agents Depending on the subsystems you chose to install, Certificate Management System automatically creates a combination of the following groups for a CMS instance: • Certificate Manager Agents group, if you have installed the Certificate Manager •...
  • Page 401: Group For Data Recovery Manager Agents

    Groups and Their Privileges The Registration Manager Agents group has access rights to agent-specific resources of the Registration Manager; that is, privileged users you add to this group automatically inherit access rights to the agent ports of the Registration Manager. For information on ports, see “CMS Ports” on page 371. After installation, you should add to this group the privileged users to whom you want to assign Registration Manager agent privileges.
  • Page 402: Group For Trusted Managers

    Groups and Their Privileges The Online Certificate Status Manager Agents group has access rights to agent-specific resources of the Online Certificate Status Manager; that is, privileged users you add to this group automatically inherit access rights to the agent ports of the Online Certificate Status Manager.
  • Page 403: Setting Up Privileged Users

    Setting Up Privileged Users Setting Up Privileged Users Setting up privileged users for a CMS instance involves adding the appropriate user information to the internal database of that instance. You can set up any number of privileged users for a CMS instance. If the user is a person (that is, an administrator or agent), you can put that user into as many groups as you like.
  • Page 404 Setting Up Privileged Users In the navigation tree, select Users and Groups. The Users tab appears on the right pane. Click Add. The Select User Type window appears. Netscape Certificate Management System Installation and Setup Guide • October 2001...
  • Page 405 Setting Up Privileged Users Select Administrator and click OK. The Edit User Information window appears. Specify information as appropriate: User ID. Type a user ID or login name for the user. The ID can be an alphanumeric string of up to 255 characters. Give this ID to the user. The user is required to enter this ID in the login screen of the CMS window;...
  • Page 406: Setting Up Agents

    Setting Up Privileged Users Setting Up Agents You need an agent for each subsystem installed in a given CMS instance. To understand the role of an agent, see “Agents” on page 387. This section explains how to add agents to a CMS instance. You can set up agents for a CMS instance in two ways: •...
  • Page 407: Setting Up Agents Using The Manual Process

    Setting Up Privileged Users In the page that displays, select “Show pending requests” and click Find. In the list of certificate signing requests that displays, select the request you submitted. In the request approval form for user enrollment requests, verify the request. If required, adjust some of the parameters, such as the subject name and validity period.
  • Page 408 Setting Up Privileged Users Step 1. Find the Required Information Before adding an agent to the internal database of a CMS instance: • Note the user’s corporate information, such as name, login ID, password, email address, and phone number. • Make sure the user has one or more client certificates that are currently valid;...
  • Page 409 Setting Up Privileged Users Click Add. The Select User Type window appears. Select Agent and click OK. The Edit User Information window appears. Specify information as appropriate. The information you enter here is to help you keep track of your agent users; the user never sees or uses it.
  • Page 410 Setting Up Privileged Users Group. Choose the appropriate agent group; for more information about this group, see “Groups for Agents” on page 400. When you set up a user, you can add her or him to only one group. To add the user to another group, see “Changing Members in a Group”...
  • Page 411 Setting Up Privileged Users Click inside the text area, and paste the user’s certificate in base-64 encoded form. Be sure to include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines. Click OK. You are returned to the Manage User Certificates window. The certificate you imported should now be listed in this window.
  • Page 412 Setting Up Privileged Users To view the certificate you imported, select it and click View. The certificate information appears. Click Done. You are returned to the Users tab. Click Refresh to view the updated configuration. Step 4. Check the Certificate Database for the CA Certificate The CA that signed the agent’s SSL client certificate must be trusted by the subsystem that services requests from the agent.
  • Page 413: Setting Up Trusted Managers

    Setting Up Privileged Users Setting Up Trusted Managers You can set up a Registration Manager or Certificate Manager to function as a trusted manager to another CMS instance. This section explains how to do this. • Setting up Trusted Managers Using the Automated Process •...
  • Page 414: Setting Up A Registration Manager As A Trusted Manager

    Setting Up Privileged Users Note that for a Certificate Manager to add the Registration Manager this way, the Certificate Manager agent who approves the Registration Manager signing certificate request must belong to both the Certificate Manager Agents and Administrators groups in the internal database of the Certificate Manager. For more information about these groups, see “Groups and Their Privileges”...
  • Page 415 Setting Up Privileged Users opportunity to add the Registration Manager as a trusted manager to that Certificate Manager’s database. If you chose this option, then the Registration Manager is already set up to function as a trusted manager to that Certificate Manager—in this case, you are not required to go through these steps.
  • Page 416 Setting Up Privileged Users Click Add. The Select User Type window appears. Select Trusted Manager and click OK. The Edit User Information window appears. Specify information as appropriate. The information you enter here is to help you keep track of the Registration Manager;...
  • Page 417 Setting Up Privileged Users Click OK. You are returned to the Users tab. The Registration Manager you just added appears in the list of users. What you do next depends on whether you have the Registration Manager’s SSL client certificate: •...
  • Page 418 Setting Up Privileged Users Click inside the text area, and paste the Registration Manager’s certificate in base-64 encoded form. Be sure to include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines. Click OK. You are returned to the Manage User Certificates window. The certificate you imported should now be listed in this window.
  • Page 419 Setting Up Privileged Users To view the certificate you imported, select it and click View. The certificate information appears. Verify that the certificate you added is the correct one. Click Done. You are returned to the Users tab. Step 4. Check the Certificate Database for the CA Certificate The issuer of the Registration Manager’s certificate that you added in Step 3 must be trusted by the subsystem that services certificate requests approved by the Registration Manager.
  • Page 420 Setting Up Privileged Users Log in to the CMS window for the Registration Manager (see “Logging In to the CMS Window” on page 343). In the navigation tree, select Registration Manager. The General Settings tab appears in the right pane. Select the Connectors tab.
  • Page 421 Setting Up Privileged Users The Edit Connector dialog box appears. Select the Enable checkbox to enable the connector configuration. Select Remote, and enter the appropriate information: Host. Type the full host name of the subsystem that trusts this Registration Manager; in this case, it would be the host name of the Certificate Manager. The Registration Manager uses this name to locate the Certificate Manager.
  • Page 422: Setting Up A Certificate Manager As A Trusted Manager

    Setting Up Privileged Users Setting Up a Certificate Manager as a Trusted Manager You can set up a Certificate Manager to function as a trusted manager to a remote Data Recovery Manager. The setup process involves the following steps: • Step 1.
  • Page 423 Setting Up Privileged Users To create a user entry with appropriate access privileges for a Certificate Manager: Log in to the CMS window for the Data Recovery Manager (see “Logging In to the CMS Window” on page 343). In the navigation tree, select Users and Groups. The Users tab appears in the right pane.
  • Page 424 Setting Up Privileged Users Select Trusted Manager and click OK. The Edit User Information window appears. Specify information as appropriate. The information you enter here is to help you keep track of the Certificate Manager; the Data Recovery Manager never uses it. The Data Recovery Manager relies solely on the Certificate Manager’s SSL server certificate (which you will add in Step 3) for authentication.
  • Page 425 Setting Up Privileged Users Step 3. Copy the Certificate Manager’s Certificate to the Internal Database In this step, you add the Certificate Manager’s SSL server certificate to the internal database of the Data Recovery Manager and associate the certificate with the user entry you created in Step 2.
  • Page 426 Setting Up Privileged Users To view the certificate you imported, select it and click View. The certificate information appears. Verify that the certificate you added is the correct one. Click Done. You are returned to the Users tab. Step 4. Check the Certificate Database for the CA Certificate The issuer of the Certificate Manager’s certificate that you added in Step 3 must be trusted by the Data Recovery Manager that services the key archival requests initiated by the Certificate Manager.
  • Page 427 Setting Up Privileged Users Step 5. Configure Certificate Manager’s Connector Settings In this step you configure the connector settings of the Certificate Manager. This enables the Certificate Manager to utilize the proprietary HTTPS connectors to communicate with the Data Recovery Manager (following successful SSL client authentication).
  • Page 428 Setting Up Privileged Users In the “List of connectors” select Data Recovery Manager Connector and click Edit. The Edit Connector dialog box appears. Select the Enable checkbox to enable the connector configuration. Select Remote, and enter the appropriate information: Host.
  • Page 429: Changing Privileged-User Information

    Changing Privileged-User Information Changing Privileged-User Information You can change privileged-user information in several ways: • To change the login information of a privileged user, see “Changing a Privileged User’s Login Information” on page 429. • To add or remove certificates of a privileged user, see “Changing a Privileged User’s Certificate”...
  • Page 430: Changing A Privileged User's Certificate

    Changing Privileged-User Information Click OK. You are returned to the Users tab. Click Refresh to view the updated configuration. Changing a Privileged User’s Certificate To change a privileged user’s certificate: Log in to the CMS window (see “Logging In to the CMS Window” on page 343).
  • Page 431: Changing Members In A Group

    Changing Privileged-User Information Click Refresh to view the updated configuration. Changing Members in a Group You can add or remove members from all groups. Keep in mind that the group for administrators must have at least one user entry. For details, see “Groups and Their Privileges”...
  • Page 432: Deleting A Privileged User

    Deleting a Privileged User In the Group Name list, select the group you want to change, and click Edit. The Edit Group Information window appears. Make the appropriate changes: To change the group description, type a new description in the “Group description”...
  • Page 433 Deleting a Privileged User In the navigation tree, select Users and Groups. The Users tab appears in the right pane. In the User ID list, select the user you want to delete, and click Delete. When prompted, confirm your action. If you click OK, the user entry is deleted from the internal database.
  • Page 435: Chapter 14 Managing Cms Keys And Certificates

    Chapter 14 Managing CMS Keys and Certificates The main subsystems of Netscape Certificate Management System (CMS)—the Certificate Manager, Registration Manager, Data Recovery Manager and Online Certificate Status Manager—use certificates for various purposes, including authentication during SSL-enabled communication. For example, when a Registration Manager forwards a certificate issuance request to a Certificate Manager for signing, the Certificate Manager expects the Registration Manager to have performed SSL client authentication before processing the request.
  • Page 436: Keys And Certificates For The Main Subsystems

    Keys and Certificates for the Main Subsystems Keys and Certificates for the Main Subsystems This section explains the various certificates required and used by the CMS managers: • Certificate Manager’s Key Pairs and Certificates • Registration Manager’s Key Pairs and Certificates •...
  • Page 437: Certificate Manager's Key Pairs And Certificates

    Keys and Certificates for the Main Subsystems All key pairs associated with CMS certificates must be well protected to ensure that they are never compromised. However, if you know or suspect that a key pair has been compromised, reissue the certificate with a new key pair. For instructions to get a new CMS certificate, see section “Getting New Certificates for the Subsystems”...
  • Page 438: Wtls Ca Signing Certificate

    Keys and Certificates for the Main Subsystems • If the Certificate Manager is a subordinate CA, its CA signing certificate is signed by another CA, usually the one that is a level above in the CA hierarchy (which may or may not be a root CA). If you have deployed the Certificate Manager as a subordinate CA in a CA hierarchy, you must import your root CA’s signing certificate into individual clients and servers before you can use the Certificate Manager to issue certificates to them.
  • Page 439: Crl Signing Key Pair And Certificate

    Keys and Certificates for the Main Subsystems Irrespective of whether you chose to enable the OCSP service feature, the Installation Wizard transparently generates a key pair and a corresponding certificate identified as the OCSP signing certificate. The reason for generating this certificate even if you chose to not enable the OCSP service is that you can enable the OCSP service feature in the CMS window after installation.
  • Page 440 Keys and Certificates for the Main Subsystems Use the Key Database (keyutil) tool to generate a key pair, and the Certificate Database (certutil) tool to request a certificate for the key pair and install the certificate in the Certificate Manager’s certificate database. For more information about the Key Database and Certificate Database tools, see CMS Command-Line Tools Guide.
  • Page 441: Ssl Server Key Pair And Certificate

    Keys and Certificates for the Main Subsystems After you’ve installed the certificate successfully, go to the Tasks tab and stop the Certificate Manager. Update the Certificate Manager’s configuration to recognize the new key pair and certificate. In the Certificate Manager host machine, go to this directory: <server_root>/cert-<instance_id>/config Open the configuration file ( ) in a text editor.
  • Page 442 Keys and Certificates for the Main Subsystems The Certificate Manager’s SSL server certificate was issued by the CA to which you submitted the certificate signing request. You might have submitted the request to the Certificate Manager itself, another internally deployed CA, or a public CA. To find out the issuer name, follow the instructions in “Viewing the Certificate Database Content”...
  • Page 443: Remote Administration Server Certificate

    Keys and Certificates for the Main Subsystems Remote Administration Server Certificate Netscape Console (version 4.2) does not support the DSA key algorithm. To work around this problem, during the installation of a Certificate Manager, the Installation Wizard transparently generates an SSL server certificate identified as the Remote Administration Server Certificate.
  • Page 444 Keys and Certificates for the Main Subsystems Stop Certificate Management System. Open a command window. Go to this directory: <server_root>/cert-<instance_id>/config Enter the command below, replacing <certname> with the name of the remote administration SSL server certificate. You may use the -h <tokenname>...
  • Page 445: Registration Manager's Key Pairs And Certificates

    Keys and Certificates for the Main Subsystems Registration Manager’s Key Pairs and Certificates The Registration Manager uses the following certificates: • Signing Key Pair and Certificate • SSL Server Key Pair and Certificate • Remote Administration Server Certificate Signing Key Pair and Certificate Every Registration Manager you have installed has a certificate, identified as the Registration Manager signing certificate, whose public key corresponds to the private key the Registration Manager uses to sign certificate requests before sending them...
  • Page 446: Remote Administration Server Certificate

    Keys and Certificates for the Main Subsystems The Registration Manager uses its SSL server certificate to do SSL server-side authentication to the following: • The end entity services interface (the HTTPS port) • The Registration Manager Agent Services interface By default, the Registration Manager uses a single SSL server certificate for authentication purposes.
  • Page 447: Transport Key Pair And Certificate

    Keys and Certificates for the Main Subsystems Transport Key Pair and Certificate Every Data Recovery Manager you have installed has a Data Recovery Manager transport certificate. The public key of the key pair that is used to generate the transport certificate is used by the client software to encrypt an end user’s encryption private key before it is sent to the Data Recovery Manager for archival;...
  • Page 448: Ssl Server Key Pair And Certificate

    Keys and Certificates for the Main Subsystems SSL Server Key Pair and Certificate Every Data Recovery Manager you have installed has at least one SSL server certificate. The first time you generated this certificate is when you installed the Data Recovery Manager. The default nickname for the certificate is Server-Cert cert-<instance_id>, where cert-<instance_id> identifies the CMS...
  • Page 449: Online Certificate Status Manager's Key Pairs And Certificates

    Keys and Certificates for the Main Subsystems Online Certificate Status Manager’s Key Pairs and Certificates The Online Certificate Status Manager uses the following certificates: • OCSP Signing Key Pair and Certificate • SSL Server Key Pair and Certificate • Remote Administration Server Certificate OCSP Signing Key Pair and Certificate Every Online Certificate Status Manager you have installed has a certificate, identified as the Online Certificate Status Manager signing certificate, whose public...
  • Page 450: Remote Administration Server Certificate

    Tokens for Storing CMS Keys and Certificates By default, the Online Certificate Status Manager uses a single SSL server certificate for authentication purposes. However, you can request and install additional SSL server certificates for the Online Certificate Status Manager. For example, you can configure the Online Certificate Status Manager to use separate server certificates for authenticating to Netscape Console and the Online Certificate Status Manager Agent Services interface.
  • Page 451: Internal Token

    Tokens for Storing CMS Keys and Certificates Internal Token An internal (software) token refers to a pair of software files, usually called certificate database and key database, that Certificate Management System uses to generate and store its key pairs and certificates. Certificate Management System automatically generates these files in the file system of its host machine when you choose to use the internal token for the first time.
  • Page 452 Tokens for Storing CMS Keys and Certificates Step 2. Install the PKCS #11 Module PKCS #11 is a standard set of APIs and shared libraries used by Netscape and a number of encryption vendors. PKCS #11 isolates an application from the details of the cryptographic device, thus enabling the application to provide a unified interface for PKCS #11-compliant cryptographic devices.
  • Page 453 Tokens for Storing CMS Keys and Certificates Enter information as appropriate. If you choose JAR as your file type, you are required to provide the path to the JAR file that contains the DLLs. If you choose DLL as your file type, in addition to the path to the DLL you are also required to provide a name for the module you’re attempting to install (so as to help you identify it easily later).
  • Page 454: Managing Tokens Used By The Subsystems

    Tokens for Storing CMS Keys and Certificates Managing Tokens Used by the Subsystems There are two main tasks involved in managing the tokens used by Certificate Management System: • Viewing Tokens • Changing a Token’s Password Viewing Tokens To view a list of the tokens currently installed for a CMS instance: Log in to the CMS window (see “Logging In to the CMS Window”...
  • Page 455: Changing A Token's Password

    Hardware Cryptographic Accelerators Changing a Token’s Password The token, internal or external, that stores the key pairs and certificates for the subsystems is protected (encrypted) by a password. To decrypt the key pairs or to gain access to them, you must enter that password. The first time you specified this password is when you used the token the first time, most likely during CMS installation.
  • Page 456: Certificate Setup Wizard

    Certificate Setup Wizard. Certificate Management System provides a wizard, called the Certificate Setup Wizard, which automates the process of requesting and installing the certificates required by the CMS managers (Certificate Manager, Registration Manager, Data Recovery Manager, and Online Certificate Status Manager) installed in the currently selected CMS instance.
  • Page 457: Using The Wizard To Request A Certificate

    Using the Wizard to Request a Certificate. The Certificate Setup Wizard allows you to request any of the certificates used by the Certificate Manager, Registration Manager, Data Recovery Manager, or Online Certificate Status Manager installed in the currently selected CMS instance. Using the wizard to request a certificate involves the following steps: •...
  • Page 458: Step 2. Choose The Certificate

    For the purposes of completing the instructions that follow, assume that you chose to request a certificate. Step 2. Choose the Certificate: Choose the certificate (by name) that you want to request. The drop-down list shows various certificates used by the currently selected CMS instance.
  • Page 459 • If an Online Certificate Status Manager is installed, the list includes the Online Certificate Status Manager’s signing, remote administration server, and SSL server certificate. For details, see “Online Certificate Status Manager’s Key Pairs and Certificates” on page 449. Depending on the certificate you want to generate, choose the one in the drop-down list: •...
  • Page 460: Step 3. Specify The Key-Pair Information

    By default only two certificate types are supported: caCrlSigning for the CRL signing certificate (see “CRL Signing Key Pair and Certificate” on page 439) and client for the SSL client certificate (see “Getting an SSL Client Certificate for a Subsystem” on page 480). Step 3.
  • Page 461 • The key pair for generating the certificate request: you can choose to generate the certificate request based on an existing or a new key pair. If you want to renew the certificate you selected in the previous step, use the existing key pair for generating the request.
  • Page 462: Step 4. Specify The Subject Name For The Certificate

    Step 4. Specify the Subject Name for the Certificate: Specify the subject name, in distinguished name (DN) format, for the certificate to be requested. Note that you will see this screen only if you chose to generate the certificate for a new key pair.
  • Page 463: Step 5. Specify The Validity Period

    • Organizational unit: enter the organizational unit the server belongs to. For example, Corporate Security • Organization: enter a description that identifies your organization. For example, Siroe Corporation • Locality: enter the name of the city where your business is located. For example, Mountain View •...
  • Page 464: Step 6. Specify Extensions

    Step 6. Specify Extensions: You need to complete this step only if you chose to generate a CA signing certificate request for a Certificate Manager (deployed as either the root CA or a subordinate CA). This screen allows you to set the standard X.509 version 3 extensions and Netscape-defined extensions for the certificate to be requested.
  • Page 465 • Netscape certificate type: select this option if you want to set any of the Netscape Certificate Type extension bits in the certificate you are requesting. When you select the option, the associated fields are enabled. Select the ones you want to set.
  • Page 466: Step 7. Copy The Certificate Signing Request

    Step 7. Copy the Certificate Signing Request: Based on the information you’ve entered in the previous steps, the wizard now displays the certificate signing request (CSR). The request is in base-64 encoded PKCS #10 format and is bounded by the marker lines -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW...
  • Page 467 Table 14-1 Names of files created for certificate signing requests
      Certificate Signing Request                               Filename
      Certificate Manager CA signing certificate                cacsr.txt
      Certificate Manager OCSP signing certificate              ocspcsr.txt
      Registration Manager signing certificate                  racsr.txt
      Data Recovery Manager transport certificate               kracsr.txt
      Online Certificate Status Manager signing certificate     ocspcsr.txt
      SSL server certificate                                    ...
  • Page 468 Yes, it’s the SSL secure server port: Select this option if the end entity port number you specified is the SSL port for end entities. Click Next to submit your request to the CA. The Certificate Manager returns a request ID for your request. Note the request ID, as you can use it later to get the certificate from the Certificate Manager to which you submitted the request.
  • Page 469 Click the Enrollment tab. In the menu list, click the appropriate link: If the CSR is for a subordinate CA certificate, in the Server section, click the Certificate Manager link. If the CSR is for a Registration Manager’s signing certificate, in the Server section, click the Registration Manager link.
  • Page 470: Step 8. Check The Certificate Request Status

    To send the CSR manually to an external or third-party CA: Copy the CSR, including the marker lines -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----, to a text file. If you are running the wizard on a Windows NT system, you can also copy the CSR to the Windows clipboard.
  • Page 471: Using The Wizard To Install A Certificate Or Certificate Chain

    Using the Wizard to Install a Certificate or Certificate Chain. The Certificate Setup Wizard allows you to install or import the following certificates into either an internal or external token used by the currently selected CMS instance: •...
  • Page 472: Data Formats For Installing Certificates And Certificate Chains

    Data Formats for Installing Certificates and Certificate Chains. The wizard can accept certificates and certificate chains in several data formats. This section briefly explains the data formats recognized by the wizard. Binary Formats: The wizard can recognize certificates and certificate chains in the following binary formats: •...
  • Page 473: Step 1. Select The Operation

    Step 1. Select the Operation: Indicate whether you want to request a certificate or install a certificate. For the sake of completing the instructions that follow, assume that you chose to install a certificate. Chapter 14 Managing CMS Keys and Certificates...
  • Page 474: Step 2. Select The Certificate Or Certificate Chain

    Step 2. Select the Certificate or Certificate Chain: Select the certificate you want to install. The drop-down list shows various options. Depending on whether you want to install a CMS certificate, any other trusted CA certificate, or a CA certificate chain, choose the appropriate option from the list box: •...
  • Page 475: Step 3. Specify The Location Of The Certificate

    • SSL Server Certificate: choose this option if you want to install an SSL server certificate for the CMS managers installed in the currently selected CMS instance. • SSL Server Certificate Remote Admin: choose this option if you want to install a remote administration server certificate for the Certificate Manager, Registration Manager, Data Recovery Manager, or Online Certificate Status Manager installed in the currently selected CMS instance.
  • Page 476 • Keeping the certificate or certificate chain in a text file: the wizard can import a certificate or certificate chain from a text file in text as well as binary formats; see “Data Formats for Installing Certificates and Certificate Chains” on page 472.
  • Page 477: Step 4. View The Certificate Or Certificate Chain

    Step 4. View the Certificate or Certificate Chain: The wizard displays the certificate or certificate chain you have chosen to install. Make sure you have chosen the right one; otherwise, use the Back button to go back and locate the right one.
  • Page 478: Step 6. Verify The Certificate Status

    Configuring the Server’s Security Preferences • If you installed (or imported) a certificate chain, the wizard adds (to the local trust database) the first certificate in the chain as a trusted CA certificate and any subsequent certificates as untrusted CA certificates. For more information on how the wizard installs a certificate chain, see “Using the Wizard to Install a Certificate or Certificate Chain”...
  • Page 479: Step 1. Get The Required Ssl Server Certificates

    This configuration involves the following steps: • Step 1. Get the Required SSL Server Certificates • Step 2: Update the Configuration. Step 1. Get the Required SSL Server Certificates: You must first request and install the required number of SSL server certificates for the particular CMS instance.
  • Page 480: Getting An Ssl Client Certificate For A Subsystem

    Change the configuration: To change the certificate used for authenticating to the Agent Services interface, locate the agentGateway.https.nickName parameter and change its value to the nickname of the new SSL server certificate. For example, if the nickname of the SSL server certificate is ServerCert_agt, the configuration should look like this: agentGateway.https.nickName=ServerCert_agt cert-<instance_id>...
  • Page 481 Locate the CMS instance for the Certificate Manager, make sure it’s started, and then log in to the CMS window of the Certificate Manager. Select the Configuration tab, and then select the Encryption tab. Click the Certificate Setup Wizard button to launch the wizard, which is explained in “Certificate Setup Wizard”...
  • Page 482: Setting Up Cipher Preferences For Ssl Communications

    Setting Up Cipher Preferences for SSL Communications. A cipher is the algorithm used in encryption. Some ciphers have stronger encryption capabilities than others. Generally speaking, the more bits a cipher uses during encryption, the harder it is to decrypt the data. When a client initiates an SSL connection with Certificate Management System, it lets the server know what ciphers it prefers to use to encrypt information.
  • Page 483 Figure 14-1 SSL version 2.0 and 3.0 cipher suites supported (in the domestic version). You can choose ciphers from the SSL 2.0 protocol, as well as from SSL 3.0. To specify which ciphers your server can use, check them in the list of ciphers to enable them.
  • Page 484: Configuring The Server To Use Specific Ciphers

    Note that Netscape Communicator too has received retail status from the United States Department of Commerce Bureau of Export Administration; under new regulations, retail status makes it possible to export Communicator with the same encryption and cryptographic features available in the US and Canada. Prior to the retail status, international users of Netscape Communicator (with encryption capability restricted to 40-bit encryption) could use Netscape’s International Step-Up program to step up to stronger encryption, 56-bit, 128-bit, or...
  • Page 485: Getting New Certificates For The Subsystems

    Getting New Certificates for the Subsystems Select the Configuration tab, and then in the right pane, select the Encryption tab. Click SSL Cipher Preferences, and choose the appropriate options. For details, see “Setting Up Cipher Preferences for SSL Communications” on page 482.
  • Page 486: Step 1. Plan For The New Certificate

    The sections that follow explain how to get new certificates for the Certificate Manager, Registration Manager, Data Recovery Manager, and Online Certificate Status Manager using the Certificate Setup Wizard. Alternatively, you can use the command-line utilities called the Key Database Tool and Certificate Database Tool.
  • Page 487 Before getting a new self-signed certificate for the Certificate Manager, therefore, you must address issues involved in deploying the new root CA certificate across your enterprise. It is beyond the scope of this document to explain how you should deploy the new CA certificate.
  • Page 488 Also determine whether the Certificate Manager is configured to publish certificates and CRLs to an LDAP directory and whether it uses the SSL server certificate for SSL client authentication to the directory. If it does, you will have to request the certificate with the appropriate extensions, and after installing the certificate you will have to configure the publishing directory to use this certificate.
  • Page 489: Step 2. Request The New Certificate

    • How long will the public CA take to deliver the certificate, and how will the certificate be delivered to you? (The most common delivery mechanism is by email.) Determine the token for generating the key pair: Identify the token, internal or external, that you want to use to generate the key pair for the certificate and to store the certificate.
  • Page 490: Step 4. Deploy The New Certificate

    Step 4. Deploy the New Certificate: In this step, follow the instructions appropriate for the certificate you installed: • If you installed a new CA signing certificate for a Certificate Manager, see “Deploying Certificate Manager’s CA Signing Certificate” on page 490. •...
  • Page 491: Deploying Registration Manager's Signing Certificate

    Go to the Certificate Manager’s agent interface. The URL is in this format: https://<hostname>:<agent_port> Enter all the information and request a new certificate. If you need more information on getting the first agent certificate, see “Stage 3. Enrolling for Administrator/Agent Certificate”...
  • Page 492: Deploying Data Recovery Manager's Transport Certificate

    Ensure that the CA that signed the Registration Manager’s certificate is in the certificate database of the subsystem. When a Registration Manager does SSL client authentication using its new certificate, the subsystem, as a part of validating the certificate presented by the Registration Manager, checks its trust database for the CA (certificate) that signed the Registration Manager’s new certificate.
  • Page 493: Deploying A Subsystem's Ssl Server Certificate

    Figure 14-2 Data Recovery Manager’s transport certificate in the enrollment form. Replace the current MIME-64 string with the one for the new transport certificate. To copy the MIME-64 string for the new transport certificate, locate the new transport certificate;...
  • Page 494: Renewing Certificates For The Subsystems

    Renewing Certificates for the Subsystems • To configure the server to use this certificate for authenticating to one of the clients, see “Configuring the Server to Use Separate SSL Server Certificates” on page 478. • To configure the Certificate Manager to use this certificate for authenticating to the publishing directory, see “Step 5.
  • Page 495: Step 1. Plan For Certificate Renewal

    Step 1. Plan for Certificate Renewal: Renewing a CMS manager’s certificate requires careful planning. This section provides some guidelines that will help you renew the certificate smoothly. Before renewing a certificate: • Note the subject DN and nickname of the certificate you want to renew. If you are planning on renewing the CA signing certificate of a Certificate Manager, make sure that the Certificate Manager has updated your LDAP directory, file, and OCSP responder with the most current certificate and CRL...
  • Page 496: Step 2. Renew The Existing Certificate

    Step 2. Renew the Existing Certificate: Once you have all the information, go ahead and renew the certificate. The Certificate Setup Wizard built into the CMS window automates the process of renewing certificates used by the CMS managers. The wizard can generate a certificate request based on the existing key pair and submit the request to a CA for signing.
  • Page 497: Step 3. Install The Renewed Certificate

    Table 14-2 Names of backup files created for old CMS certificates (Continued)
      Renewed Certificate     Filename
      SSL client              prevClientCert.txt.<timestamp>
    The wizard also deletes the old certificate from the server’s certificate database and adds the renewed certificate to the database, so that the server is able to use the renewed certificate upon restart.
  • Page 498: Deploying Certificate Manager's Renewed Ca Signing Certificate

    • If you installed a renewed transport certificate for a Data Recovery Manager, see section “Deploying Data Recovery Manager’s Renewed Transport Certificate” on page 499. • If you installed a renewed SSL server certificate, see section “Deploying a Subsystem’s Renewed SSL Server Certificate”...
  • Page 499: Deploying Data Recovery Manager's Renewed Transport Certificate

    To add the renewed certificate to a subsystem’s internal database: Note the instance ID and host name of the Registration Manager for which you got the signing certificate; this information will help you to identify the Registration Manager in a subsystem’s list of privileged users.
  • Page 500 In general, here’s what you need to do: Locate the page that embeds the key archival feature. View the HTML source, and identify the parameter that corresponds to the Data Recovery Manager’s transport certificate. The default enrollment forms for end users embed this feature. Figure 14-3 shows the default directory-based user enrollment form with the transport certificate-related information.
  • Page 501: Deploying A Subsystem's Renewed Ssl Server Certificate

    Replace the current MIME-64 string with the one for the renewed transport certificate. To copy the MIME-64 string for the renewed transport certificate, locate the certificate; the MIME-64 string for the certificate will be listed there. Repeat steps 1 through 3 for any additional key archival or enrollment pages.
  • Page 502: Managing The Certificate Database

    Managing the Certificate Database. Each CMS instance has a certificate database (cert7.db), which is maintained in its internal token. This database contains certificates belonging to the subsystems installed in the CMS instance (see “Keys and Certificates for the Main Subsystems” on page 436) and various CA certificates the subsystems use for validating the certificates they receive.
  • Page 503 Select the Configuration tab, and then in the right pane, select the Encryption tab. Click Manage Certificate. The Certificate Database Management window appears.
  • Page 504: Deleting A Certificate From The Certificate Database

    The window lists the certificates in a table, with each certificate occupying a row. The certificates are listed in alphabetical order. If the database contains multiple certificates with the same nickname, they are sorted by their validity periods;...
  • Page 505: Changing The Trust Settings Of A Ca Certificate

    Click Manage Certificate. The Certificate Database Management window appears. The window lists all the certificates for the selected instance of Certificate Management System; the list is a table, with each certificate occupying a row. Select the CA certificate you want to delete, and click Delete. When prompted, confirm the delete action.
  • Page 506 Select the Configuration tab, and then in the right pane, select the Encryption tab. Click Manage Certificate. The Certificate Database Management window appears. The window lists the certificates currently installed for the selected CMS instance; the list is a table, with each certificate occupying a row. Select the CA certificate whose trust setting you want to modify, and click Edit.
  • Page 507: Installing A New Ca Certificate In The Certificate Database

    The window shows detailed information about the selected certificate, including serial number, validity period, subject name, issuer name, certificate fingerprint, and trust status. If the certificate you selected is currently trusted, the window shows a button named “Change to Untrusted.”...
  • Page 508: Installing A Ca Certificate Chain In The Certificate Database

    The Certificate Setup Wizard built into the CMS window automates the process of installing trusted CA certificates in the certificate database. For instructions on using the wizard, see “Using the Wizard to Install a Certificate or Certificate Chain”...
  • Page 509: Chapter 15 Setting Up End-User Authentication

    Chapter 15 Setting Up End-User Authentication Netscape Certificate Management System (CMS) provides a customizable authentication component that supports various methods for authenticating end users. This chapter provides an introduction to various parts of Certificate Management System that require authentication and explains how to configure a Certificate Manager and Registration Manager to use specific authentication plug-in modules for authenticating end users during certificate enrollment.
  • Page 510: Privileged-User Authentication

    Introduction to Authentication • Administrators—privileged users who connect to the server to do system or server administration tasks • Agents—privileged users who connect to the server to do agent operations This section explains how Certificate Management System identifies and authenticates these users, and it provides details about the various authentication methods supported by the server.
  • Page 511 Introduction to Authentication CMS authentication of a user with administrator privileges Figure 15-1 These are the steps shown in Figure 15-1: An administrator opens Netscape Console and attempts to log in to the CMS window by entering the user ID and password at the login prompt. The server takes the administrator’s user ID and password and binds them to privileged-user entries in its internal database.
  • Page 512: Authentication Of Agents

    Authentication of Agents. When an agent makes a request to Certificate Management System (from the appropriate Agent Services interface), the server needs to authenticate the agent before processing the request. To facilitate this, Certificate Management System supports a certificate-based authentication method. Certificate Management System identifies and authenticates a user with agent privileges by checking the user’s SSL client certificate in its internal database.
  • Page 513 Figure 15-2 Registration Manager authentication of a user with Registration Manager agent privileges. This example shows these steps: An agent opens a web browser and enters the URL to the Registration Manager Agent Services interface hosted by the Registration Manager. The server requests the client for SSL client authentication.
  • Page 514 Upon receiving the certificate, the Registration Manager performs the following authentication and authorization process: First, it verifies that the certificate exists in its internal database. Next, it verifies that the certificate is a valid client certificate. If the certificate is valid, the Registration Manager proceeds.
  • Page 515: End-Entity Authentication

    End-Entity Authentication. This section provides an overview of how Certificate Management System authenticates end entities during certificate enrollment, renewal, and revocation processes. Authentication of End Entities During Certificate Enrollment: When an end entity submits a certificate request, a Certificate Manager or Registration Manager’s first task is to identify and authenticate the end entity.
  • Page 516 • The certificate being presented by the end user for renewal must be currently valid or must have expired; it cannot have been revoked. • The validity period of a renewed certificate is determined by the policy rule explained in “RenewalValidityConstraints Plug-in Module”...
  • Page 517: Authentication Of End Users During Certificate Revocation

    If you want to change the form content to suit your organization’s requirements, edit the following file: <server_root>/cert-<instance_id>/web/ee/UserRenewal.html For details on individual form elements, see the online help available by clicking the Help button on the form. For more information on customizing the form, see CMS Customization Guide.
  • Page 518 Revoking a certificate using the challenge password is useful in certain situations. For example, if you issue a single certificate to a user and the user is unable to use the certificate due to loss of the corresponding key pair, it’s not possible for the user to revoke his or her own certificate using the SSL client authenticated revocation method.
  • Page 519 Here are a few things, in addition to the ones listed on page 518, to keep in mind about SSL client authenticated revocation: • The certificate being presented by the user for revocation must be issued by a Certificate Manager.
  • Page 520 • The user must have requested the certificate using the manual enrollment method; only the default manual enrollment form includes fields for entering the challenge password when requesting a certificate. • The user can revoke only those certificates that contain the specified serial number with the corresponding challenge password.
  • Page 521: Configuring Authentication For End-User Enrollment

    Configuring Authentication for End-User Enrollment. If you want to change the forms to suit your organization’s requirements, you can edit the following files: • ChallengeRevoke1.html (the form that allows challenge password based revocation of client or personal certificates) • UserRevocation.html (the form that allows SSL client authenticated revocation of client or personal certificates) Both the files are located here:...
  • Page 522: Step 1. Before You Begin

    NOTE If you do not configure a Certificate Manager or Registration Manager to use any of the registered authentication plug-in modules, the server uses manual authentication for end-user enrollment. This means that all end-user enrollment requests are queued for agent approval.
  • Page 523: Step 2. Set Up The Directory For Pin-Based Enrollment

    If you decided to use the portal authentication module, note the LDAP directory-specific information. • Determine the enrollment form you want your users to use. Decide whether you want to customize it. The next step depends on the authentication module you chose: •...
  • Page 524: Step B. Update The Directory

    Step B. Update the Directory: By default, the PIN Generator modifies the attribute in a directory’s user entry. Because this attribute is not part of the standard organizationalPerson object class, it’s likely that the user entries in your directory do not contain the attribute.
  • Page 525: Step C. Prepare The Input File

    The tool modifies the schema with a new attribute (by default, ) and a new object class (by default, pinPerson), creates a user (by default, pinmanager), and sets the ACI to allow only that user to modify the attribute.
  • Page 526: Step E. Check The Output File

    Step E. Check the Output File: Check the output file to be sure it contains PINs for your users; the output should look similar to the one specified in the PIN Generator documentation. Next, verify that the tool has assigned PINs to the correct users and that the PINs conform to the length and character-set restrictions you specified.
  • Page 527 The above-mentioned process works smoothly if a Certificate Manager or Registration Manager is configured to use the master directory for authenticating users. The process may not work smoothly in deployment scenarios that involve replicated directories. In these scenarios, you need to use the Attribute Present Constraints policy to verify that the PIN has been removed from the directory.
  • Page 528 certificates, successive certificate requests would fail because the PIN has been removed from the master directory. This way, even if the Registration Manager authenticates successive requests, the Certificate Manager rejects them, thus ensuring that a user has only one certificate. If you are not familiar with the Attribute Present Constraints policy, see section “AttributePresentConstraints Plug-in Module”...
  • Page 529: Step 4: Add An Authentication Instance

    Select AttributePresentConstraints and click Next. The Policy Rule Editor window appears. It lists the configuration information required for this policy rule. Enter the appropriate information. Click OK to save your configuration. You are returned to the Policy Rules Management tab. If required, click the Reorder button and order the rules as appropriate.
  • Page 530 When naming an authentication instance (or rule), be sure to formulate the name using any combination of letters (aA to zZ), digits (0 to 9), an underscore (_), and a hyphen (-); other characters and spaces are not allowed. For example, you can type My_Auth_Rule or MyAuthRule as the instance name, but not...
  • Page 531 Figure 15-5 Authentication information in the default directory-based enrollment form. For information on locating and customizing the default end-entity forms, see CMS Customization Guide. To add an authentication instance to the CMS configuration: In the CMS window, select the Configuration tab. Chapter 15 Setting Up End-User Authentication...
  • Page 532 In the navigation tree, select Authentication. The right pane shows the Authentication Instance tab, which lists any currently configured authentication instances. Click Add. The Select Authentication Plugin Implementation window appears. It lists the currently registered authentication plug-in modules. Select a plug-in module.
  • Page 533 UidPwdPinDirAuth. Select this if you want to use the directory- and PIN-based authentication module (with or without PIN removal). To configure Certificate Management System for the PIN-based enrollment method, you must have completed “Step 2. Set Up the Directory for PIN-Based Enrollment” on page 523.
  • Page 534: Step 5. Set Up The Enrollment Interface

    Configuring Authentication for End-User Enrollment If you don’t want to use the default instance name, in the Authentication Instance ID field, type a unique name for this instance that will help you identify it. For the name, be sure to use an alphanumeric string with no spaces. If you chose to use a different name, be sure to edit the default name in the enrollment form in the next step, “Step 5.
  • Page 535: Step B. Customize The Form

    Configuring Authentication for End-User Enrollment Locate the file that corresponds to the authentication module you chose in “Step 4: Add an Authentication Instance” on page 529; use Table 15-1 for guidance. Open the file in a text editor. Locate the attribute that associates the authentication instance with the enrollment form.
  • Page 536 Configuring Authentication for End-User Enrollment By default, the form named CertBasedDualEnroll.html is hooked up to the Enrollment tab of the end-entity interface. You can replace this form with either of the other two forms, CertBasedEncryptionEnroll.html or CertBasedSingleEnroll.html; you can do this by uncommenting the script relevant to either of the forms in the index file and by commenting out the script for the default form—thus, effectively unhook the old one and hook the...
  • Page 537 Configuring Authentication for End-User Enrollment
        count++;
        if (http != 'true') {
          // this one is directory based cert-based
          if ( isAuthMgrEnabled("UidPwdDirAuth") ) {
            item = 'certBasedEncEnroll';
            menuItems[count] = top.EnrollMenu[count] = new menuItem(item, 'CertBasedEncryptionEnroll.html', 'Certificate');
    If you want to enable the CertBasedSingleEnroll.html form, search for CertBasedSingleEnroll.html.
  • Page 538: Step D. Remove Unwanted Enrollment Options

    Configuring Authentication for End-User Enrollment By default, a link named Certificate will be created under the Browser Certificate section. If you want to rename the link, replace Certificate in the following line with the new name: new menuItem(item, 'CertBasedDualEnroll.html', 'Certificate'); Save your changes and close the file. Step D.
  • Page 539: Step 6. Enable End-Entity Interaction

    Configuring Authentication for End-User Enrollment Step 6. Enable End-Entity Interaction You can configure end-entity interaction with a Certificate Manager or a Registration Manager, or with both. End entities cannot interact with a Data Recovery Manager directly; they must interact through a Certificate Manager or Registration Manager.
  • Page 540 Configuring Authentication for End-User Enrollment In the Web Access section, check the “Enable end-entity interaction” option if you want end entities to be able to interact with the selected Certificate Manager via the HTTPS port; leave it unchecked to disable end-entity interaction with the server.
  • Page 541: Enabling End-Entity Interaction With A Registration Manager

    Configuring Authentication for End-User Enrollment In the Default Signing Algorithm section, select the signing algorithm the Certificate Manager should use for signing certificates. The choices are “MD2 with RSA,” “MD5 with RSA,” and “SHA1 with RSA,” if the CA’s signing key type is RSA and “SHA1 with DSA,”...
  • Page 542: Step 7. Turn On Automated Notification

    Configuring Authentication for End-User Enrollment In the Web Access section, check the “Enable end-entity interaction” option if you want end entities to be able to interact with the selected Registration Manager via the HTTPS port; leave it unchecked to disable end-entity interaction with the server.
  • Page 543 Configuring Authentication for End-User Enrollment When you enter the correct password, the client generates the key pair. Do not interrupt the key-generation process. Upon completion of the key generation, the request is submitted to the server for certificate issuance. The server subjects the request to the currently configured policy rules and issues the certificate only if the request passes all the policy rules.
  • Page 544: Step 9. Deliver Pins To End Users

    Managing Authentication Instances Step 9. Deliver PINs to End Users This step is applicable for directory- and PIN-based authentication with or without PIN removal. After you have confirmed that the PIN-based enrollment works (as it should), deliver the PINs to users so they can use them during enrollment. To protect the privacy of PINs, be sure to use a secure, out-of-band method for delivery.
  • Page 545: Modifying An Authentication Instance

    Managing Authentication Instances To delete an authentication instance from the CMS configuration: Log in to the CMS window (see “Logging In to the CMS Window” on page 343). Select the Configuration tab. In the navigation tree, click Authentication. The right pane shows the Authentication Instance tab, which lists currently configured authentication instances.
  • Page 546 Managing Authentication Instances In the navigation tree, click Authentication. The right pane shows the Authentication Instance tab, which lists configured authentication instances. In the Instance Name list, select the instance you want to modify and click Edit. The Configure Authentication Instance Parameters window appears, showing the current configuration of this instance.
  • Page 547: Managing Authentication Plug-In Modules

    Managing Authentication Plug-in Modules Make changes as appropriate. If you need description for any of the parameters, click the Help button or check the CMS Plug-ins Guide. Click OK. The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly.
  • Page 548 Managing Authentication Plug-in Modules In the navigation tree, click Authentication, and in the right pane, click the Authentication Plugin Registration tab. The tab lists modules that are already registered. Click Register. The Register Authentication Plugin Implementation window appears. Specify which module you want to register: Plugin name.
  • Page 549: Deleting An Authentication Module

    Managing Authentication Plug-in Modules Click OK. The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server. Deleting an Authentication Module You can delete an authentication plug-in module that you no longer need by using the CMS window.
  • Page 551: Chapter 16 Setting Up Automated Notifications

    Chapter 16 Setting Up Automated Notifications Netscape Certificate Management System can send email notifications automatically when certain events occur. Unlike jobs that are executed on a preconfigured schedule, these notifications are event-driven—that is, whenever an event occurs, the server notifies the user. Notifiable events include certificate issuance and pending requests in an agent queue.
  • Page 552: Notifications Of Certificate Issuance To End Entities

    Automated Notifications • Notification of New Request in Queue—agents are notified by email that a request has been added to the request queue. Alternatively (or in addition) a schedulable job can notify agents at regular intervals of the current state of the request queue;...
  • Page 553: Notification Of New Request In Queue

    Automated Notifications Note that you can customize the email resolver using the class ReqCertSANameEmailResolver.java, included as a sample at this location: <server_root>/cms_sdk/cms_jdk/samples/resolvers The template that the listener uses to construct the email notification message is located in the configured directory. This directory has the following default location: <server_root>/cert-<instance_id>/emails You can configure both the path and filename of the template file.
  • Page 554: Customizing Notification Messages

    Customizing Notification Messages The template that the listener uses to construct the email notification message is located in the configured directory. This directory has the following default location: <server_root>/cert-<instance_id>/emails You can configure both the path and filename of the template file. You can also modify the template to customize the contents and appearance of the messages;...
  • Page 555 Customizing Notification Messages Table 16-1 Default templates for event-triggered notifications (Continued)
        Filename: certIssued_CA.html. Description: Template for the Certificate Manager to send HTML-based notifications to end entities upon issuance of certificates.
        Filename: certIssued_RA. Description: Template for the Registration Manager to send plain-text notifications to end entities upon issuance of certificates.
        Filename: certIssued_RA.html. Description: Template for the Registration Manager to send HTML-based notifications to end entities upon issuance of certificates.
  • Page 556: Customizing Message Templates

    Customizing Notification Messages file is named certIssued_CA.htm, the file must be named certRequestRejected.htm. The HTML file extensions permitted are .htm, .html, .HTM, and .HTML. Template files with any other extension (or no extension) are treated as text files. If you change the name of any of these files, be sure to make the appropriate changes to the configuration (see the “Content template file”...
  • Page 557: Tokens Available In Message Templates

    Customizing Notification Messages For example, a certificate-issuance-notification message can make use of tokens as follows:
        ------------------------------------
        CERTIFICATE ISSUANCE NOTIFICATION
        ------------------------------------
        Your certificate request ($RequestId) has been processed successfully.
        Details of your certificate are as follows:
        Serial Number= $SerialNumber
        SubjectDN= $SubjectDN
        IssuerDN= $IssuerDN
        Validity Period= $NotBefore - $NotAfter
        To get your certificate, please follow this URL:...
  • Page 558: Tokens For Rejection Notifications To End Entities

    Customizing Notification Messages Table 16-2 Tokens defined in templates used for certificate-issuance notifications. Token: $HttpHost. Description: Specifies the fully qualified host name of the Certificate Manager or Registration Manager to which end entities should connect to retrieve their certificates. (This token enables you to construct the URL from which end entities can download their certificates;...
  • Page 559: Tokens For Request In Queue Notification Messages

    Configuring a Subsystem to Send Notifications Table 16-3 Tokens defined in templates used for request-rejection notifications. Token: $InstanceID. Description: Specifies the ID assigned to the subsystem that sent this notification. • If the notification is sent by a Certificate Manager, this will be ca. •...
  • Page 560: Step 1. Before You Begin

    Configuring a Subsystem to Send Notifications • Step 3. Turn on Request in Queue Notification • Step 4. Verify Mail Server Settings • Step 5. Test Your Configuration Step 1. Before You Begin • Read section “Automated Notifications” on page 551 and decide which of the two notification features you want to turn on.
  • Page 561: Step 3. Turn On Request In Queue Notification

    Configuring a Subsystem to Send Notifications To enable the notification feature, check the “Enable Certificate Issued notification” option. In the Email Information Settings section, enter information as appropriate: Sender’s E-mail Address. Type the sender’s full email address (this is the person who should be notified of any delivery problems).
  • Page 562 Configuring a Subsystem to Send Notifications To enable the notification feature, check the “Enable Request In Queue notification” option. Enter information as appropriate: Sender’s E-Mail Address. Type the sender’s full email address (this is the person who should be notified of any delivery problems). Subject.
  • Page 563: Step 4. Verify Mail Server Settings

    Configuring a Subsystem to Send Notifications Step 4. Verify Mail Server Settings To identify the mail server that the Certificate Manager or Registration Manager should use for routing email notifications: In the CMS window, select the Configuration tab, and then in the right pane, select the SMTP tab.
  • Page 564: Step 5. Test Your Configuration

    Configuring a Subsystem to Send Notifications Step 5. Test Your Configuration To test whether the subsystem you configured sends email notifications: Change the email addresses in the notification configuration to your email address. Go to the end-entity interface and request a certificate using the manual enrollment form.
  • Page 565: Chapter 17 Scheduling Automated Jobs

    Chapter 17 Scheduling Automated Jobs Netscape Certificate Management System (CMS) provides a customizable Job Scheduler component that supports various mechanisms for scheduling cron jobs. This chapter explains how to configure Certificate Management System to use specific job plug-in modules for accomplishing jobs. The chapter also shows how plug-in implementations and configured instances for various job items appear in the configuration file.
  • Page 566: Step 1. Before You Begin

    Configuring a Subsystem to Run Automated Jobs For information on adding or changing job-specific information in the configuration file, see “Changing the Configuration by Editing the Configuration File” on page 349. Step 1. Before You Begin Before configuring a Certificate Manager or Registration Manager to run jobs, be sure to do the following: •...
  • Page 567 Configuring a Subsystem to Run Automated Jobs After installation, you must verify whether you want to use these jobs, check how these jobs are configured, and make the appropriate configuration changes. If you don’t want to use a job, delete it from the configuration following the instructions in “Step 3.
  • Page 568 Configuring a Subsystem to Run Automated Jobs In the navigation tree, select Job Scheduler, then select Jobs. The Job Instance tab appears (Figure 17-1) showing the default jobs. In the Instance Name list, select a job that you want to modify. For the purposes of this instruction, assume that you selected the job named unpublishExpiredCerts. Click Edit/View.
  • Page 569: Step 3. Delete Unwanted Jobs

    Configuring a Subsystem to Run Automated Jobs Step 3. Delete Unwanted Jobs You can delete unwanted jobs from the CMS configuration, by using the CMS window. If you think you might need a job in the future, instead of deleting it from the configuration you should disable it by setting the value of the enable parameter to...
  • Page 570 Configuring a Subsystem to Run Automated Jobs Figure 17-2 Default job modules registered with a Certificate Manager. Table 17-2 Job modules registered with a Certificate Manager and Registration Manager (columns: Job plug-in module name, Provided with Certificate Manager, Provided with Registration Manager): RenewalNotificationJob, RequestInQueueJob, UnpublishExpiredJob...
  • Page 571 Configuring a Subsystem to Run Automated Jobs Select a module. For the purposes of this instruction, assume that you selected the RenewalNotificationJob module. Click Next. The Configure Job Instance Parameters window appears. It lists the configuration information required for this job. Enter the appropriate information.
  • Page 572 Configuring a Subsystem to Run Automated Jobs notifyTriggerOffset. Type the number of days before certificate expiration the first notification should be sent. For example, if you want the server to send renewal notifications to users 30 days before their certificates expire, type 30. notifyEndOffset.
  • Page 573: Step 5. Schedule The Frequency

    Configuring a Subsystem to Run Automated Jobs summary.emailTemplate. Type the path, including the filename, to the directory that contains the template to be used for formulating the summary report. For example, C:/Netscape/Server4/cert-testCA/emails/renewJobSummary.txt Click OK. You are returned to the Policy Rules Management tab. Repeat steps 1 through 5 and create additional rules, if required.
  • Page 574: Step 6. Verify Mail Server Settings

    Configuring a Subsystem to Run Automated Jobs Enter information as appropriate: Enable Job Scheduler. Check this option to enable the Job Scheduler. To disable the Job Scheduler uncheck the option; disabling turns off all the jobs. Check Frequency. Type the frequency at which the Job Scheduler daemon thread should wake up and call the configured jobs that meet the cron specification.
  • Page 575: Step 7. Test Your Configuration

    Managing Job Plug-in Modules Identify the mail server by providing the following details: Server name. Make sure the field shows the correct host name for your mail server. Otherwise, type the full host name of the machine on which your mail server is installed.
  • Page 576: Registering A Job Module

    Managing Job Plug-in Modules For information on adding or changing job-specific information in the configuration file, see “Changing the Configuration by Editing the Configuration File” on page 349. Registering a Job Module You can register custom job plug-in modules from the CMS window. Registering a new module involves specifying the name of the module and the full name of the Java class that implements the module.
  • Page 577: Deleting A Job Module

    Managing Job Plug-in Modules Click Register. The Register Job Scheduler Plugin Implementation window appears. Specify information as appropriate: Plugin name. Type a name for the plug-in module. Class name. Type the full name of the class for this module—that is, the path to the implementing Java class.
  • Page 578 Managing Job Plug-in Modules Select the Job Plugin Registration tab. The Job Plugin Registration tab appears. It lists currently registered job modules. In the Plugin Name list, select the module you want to delete and click Delete. When prompted, confirm the delete action. The CMS configuration is modified.
  • Page 579: Chapter 18 Setting Up Policies

    Chapter 18 Setting Up Policies Netscape Certificate Management System (CMS) provides a customizable policy framework for its main subsystems, the Certificate Manager, Registration Manager, and Data Recovery Manager. This chapter explains how to configure these subsystems to apply organizational and other policies on incoming certificate and key-related requests.
  • Page 580: What Is Policy

    Introduction to Policy What Is Policy? Policy refers to a set of rules that Certificate Management System uses to evaluate or verify an incoming request from an end entity and to determine the outcome; the incoming requests that are governed by policies include certificate issuance, certificate renewal, certificate revocation, key archival, and key recovery requests.
  • Page 581: Policy Rules

    Introduction to Policy Policy Rules A policy rule refers to a uniquely configured instance of any policy plug-in implementation. For example, you can use the plug-in module provided for setting validity periods on certificates to configure a policy rule that forces validity periods for all client certificates issued by a Certificate Manager to fall within a predetermined range, say between 6 and 24 months.
  • Page 582: Using Predicates In Policy Rules

    Introduction to Policy For general guidelines on developing custom policy modules and adding them to the CMS policy framework, take a look at the samples installed at this location: <server_root>/cms_sdk/cms_jdk/samples/policy Using Predicates in Policy Rules You can use predicates in a policy rule. A predicate indicates whether the rule that contains the predicate applies to a request.
  • Page 583 Introduction to Policy Policy expressions are formed with the following rules:
        Expression is equal to: PrimitiveExpression | AndExpression | OrExpression
        PrimitiveExpression is equal to: Attribute Operator Value, where Attribute can be a string, Operator can be one of the supported operators, and Value can be a string
        AndExpression is equal to: Expression AND Expression
        OrExpression is equal to: Expression...
  • Page 584: Attributes For Predicates

    Introduction to Policy Be aware that if the same name is in an HTTP form input and authentication token (authentication result) the authentication result can override the HTTP form input. For example, if email is in an HTTP input and an authentication module also puts email in the authentication result (that is, authtoken) the value from the...
  • Page 585 Introduction to Policy Table 18-2 Attributes supported by request object implementations (Continued). Request type: Enrollment. Variable name: certType. Description: Specifies the certificate type. Default values include the following: • ca (Certificate Manager’s CA signing certificate) • caCrlSigning (Certificate Manager’s CRL signing certificate) •...
  • Page 586 Introduction to Policy Table 18-2 Attributes supported by request object implementations (Continued). Request type: Enrollment. Variable name: cepsubstore. Description: Specifies the name of the CEP service; for example, cep1 and cep2. When setting up multiple CEP services, you can use predicates to differentiate one service from another;...
  • Page 587 Introduction to Policy Note that to define a new attribute in any of the HTML forms, all you need to do is to add the following line to the corresponding HTML form: <input type="HIDDEN" name="attribute_name" value="attribute_value"> Assuming that the new attribute you define for the organizational unit is orgunit, the line you would add to the enrollment form would be: <input type="HIDDEN"...
  • Page 588: Policy Processor

    Introduction to Policy Now, for setting the validity period in certificates of users who are not in the Sales organization—in this case, this would be Manufacturing—you would create another instance of the ValidityConstraints policy rule as before with a different set of values.
  • Page 589: Configuring Policy Rules For A Subsystem

    Configuring Policy Rules for a Subsystem Note that the policy processor applies only the enabled policy rules, in the order in which they are configured, before determining the final outcome. Each rule the processor executes returns a PolicyResult object. Three return values are possible: •...
  • Page 590: Step 1. Before You Begin

    Configuring Policy Rules for a Subsystem • Step 6. Restart the Server • Step 7. Test Policy Configuration For information on adding or changing policy-specific information in the configuration file, see “Changing the Configuration by Editing the Configuration File” on page 349. Step 1.
  • Page 591 Configuring Policy Rules for a Subsystem After installation, you must verify whether you want to use these rules, check how these rules are configured, and make the appropriate configuration changes. Keep in mind some of these policy rules are essential for the server to process requests. For example, the server won’t be able to process certificate-issuance requests if is disabled.
  • Page 592 Configuring Policy Rules for a Subsystem Table 18-3 Default policy rules of a Certificate Manager and Registration Manager (columns: Policy rule name, Certificate Manager, Registration Manager): DefaultRenewalValidityRule, RevocationConstraintsRule, NSCertTypeExt, CMCertKeyUsageExt, RMCertKeyUsageExt, ClientCertKeyUsageExt, ServerCertKeyUsageExt, ObjSignCertKeyUsageExt, CRLSignCertKeyUsageExt, SubjectKeyIdentifierExt, CertificatePoliciesExt, NSCCommentExt, OCSPNoCheckExt, OCSPSigningExt, CODESigningExt, GenericASN1Ext, CRLDistributionPointsExt, SubjectAltNameExt...
  • Page 593 Configuring Policy Rules for a Subsystem To modify a policy rule in the CMS configuration: Log in to the CMS window (see “Logging In to the CMS Window” on page 343). Select the Configuration tab. In the navigation tree, select the subsystem to which the policy rule you want to modify belongs.
  • Page 594: Step 3. Delete Unwanted Policy Rules

    Configuring Policy Rules for a Subsystem Step 3. Delete Unwanted Policy Rules You can delete any unwanted policy rules from the CMS configuration. If you think you might need a rule in the future, instead of deleting it from the configuration you should disable it by unchecking the enable parameter.
  • Page 595 Configuring Policy Rules for a Subsystem Figure 18-2 shows the policy modules registered with a Certificate Manager. The Registration Manager also has a similar list. Table 18-4 summarizes the default modules registered with both Certificate Manager and Registration Manager. Figure 18-2 Default policy modules registered with a Certificate Manager Table 18-4 Policy modules of a Certificate Manager and Registration Manager Policy plug-in module name...
  • Page 596 Configuring Policy Rules for a Subsystem Table 18-4 Policy modules of a Certificate Manager and Registration Manager (Continued) (columns: Policy plug-in module name, Certificate Manager, Registration Manager): IssuerAltNameExt, IssuerConstraints, KeyAlgorithmConstraints, KeyUsageExt, NameConstraintsExt, NSCComment, NSCertTypeExt, OCSPNoCheckExt, PolicyConstraintExt, PolicyMappingsExt, PrivateKeyUsagePeriodExt, RemoveBasicConstraintsExt, RenewalConstraints, RenewalValidityConstraints, RevocationConstraints, RSAKeyConstraints, SigningAlgorithmConstraints...
  • Page 597 Configuring Policy Rules for a Subsystem To add a new policy rule to the CMS configuration: In the Policy Rules Management tab, click Add. The Select Policy Plugin Implementation window appears. It lists registered policy plug-in modules. If you have registered any custom policy modules (see “Registering a Policy Module”...
  • Page 598 Configuring Policy Rules for a Subsystem Enter the appropriate information. Policy Rule ID. Type a unique name that will help you identify the rule; be sure to use an alphanumeric string without spaces. enable. Check the box to enable the rule (default). If you enable the rule and set the remaining parameters correctly, the server sets the configured validity period in certificates specified by the parameter.
  • Page 599: Step 5. Reorder Policy Rules

    Configuring Policy Rules for a Subsystem certificate cannot be used for 10 minutes. Setting the value of the notBeforeSkew parameter to 10 minutes would adjust the value of the notBefore parameter to 11:20 a.m.—thus making the certificate usable following the download. The default value is 5 minutes. Click OK.
  • Page 600: Step 6. Restart The Server

    Configuring Policy Rules for a Subsystem To change the order of a rule, select it in the list and click the Up or Down button, as appropriate. Keep in mind that the server executes the rules on a first-come-first-served basis, overwriting the configuration determined by the previous rule, if any. When you have the correct order, click OK.
  • Page 601: Step B. Approve The Request

    Configuring Policy Rules for a Subsystem To request a client or personal certificate from the Certificate Manager: Open a web browser window. Go to the End Entity Services interface of the Certificate Manager you configured (or the Registration Manager that’s connected to this Certificate Manager).
  • Page 602: Using Javascript For Policies

    Using JavaScript for Policies Using JavaScript for Policies Certificate Management System includes a facility for complex scripting of the policy plug-in instances via JavaScript. Using the JavaScript policy processor allows you to: • Determine the call sequence of existing Java plug-ins •...
  • Page 603 Managing Policy Plug-in Modules Before registering a plug-in module, be sure to put the Java class for the module in the classes directory (the implementation must be on the class path). To register a policy module in a subsystem’s policy framework: Log in to the CMS window (see “Logging In to the CMS Window”...
  • Page 604: Deleting A Policy Module

    Managing Policy Plug-in Modules Specify information as appropriate: Plugin name. Type a name for the plug-in module. Class name. Type the full name of the class for this module—that is, the path to the implementing Java class. If this class is part of a package, be sure to include the package name.
  • Page 605: Chapter 19 Setting Up Ldap Publishing

    Chapter 19 Setting Up LDAP Publishing Netscape Certificate Management System (CMS) provides a customizable publishing framework for the Certificate Manager, enabling it to publish certificates, certificate revocation lists (CRLs), and other certificate-related objects to any of the supported repositories—an LDAP-compliant directory, a flat file, and an online validation authority—using the appropriate protocol.
  • Page 606 Publishing of Certificates to a Directory information to that directory. For example, if you have configured the Certificate Management System to employ directory-based authentication, you should consider publishing the CA and end-entity certificates to the same directory. This way, you can keep your users’ security credentials with the rest of the user information (see Figure 19-1).
  • Page 607: Timing Of Directory Updates

    Publishing of Certificates to a Directory Publishing by a Certificate Manager Figure 19-2 Figure 19-3 illustrates how certificates requested via a Registration Manager get published to the directory. Figure 19-3 Publishing of certificates requested via a Registration Manager Timing of Directory Updates If the LDAP directory is properly configured to work with the Certificate Manager (and vice versa), any changes to the certificate information in the Certificate Manager are automatically made also in the publishing directory.
  • Page 608 Publishing of Certificates to a Directory The publishing directory is updated at these times: • When the Certificate Manager starts up, it publishes its CA signing certificate to the directory. • When the Certificate Manager issues a new certificate (the request may originate from Registration Managers that are connected to the Certificate Manager), it stores a copy of the certificate in its internal database and then publishes the certificate to the configured directory.
  • Page 609: Directory Update Process

    Publishing of Certificates to a Directory The Certificate Manager cannot update the directory in the following cases: • If an end-entity entry is not present or if an entry cannot be found to publish the certificate. • If the directory’s schema doesn’t include the appropriate attributes. To configure the directory for LDAP publishing, see “Step 2.
  • Page 610: Directory Synchronization

    Publishing of CRLs Directory Synchronization The Certificate Manager and the publishing directory can become out of sync if certificates are issued or revoked while Directory Server is down. Certificates that were issued or revoked need to be published or unpublished manually when Directory Server comes back up.
  • Page 611: What's A Crl

    Publishing of CRLs What’s a CRL? Server and client applications that use public-key certificates as tokens of identification need access to information about the validity of a certificate; because one of the factors that determines the validity of a certificate is its revocation status, these applications need to know whether the certificate being validated has been revoked.
  • Page 612: Reasons For Revoking A Certificate

    Publishing of CRLs Manager is configured to do so. In addition to certificates, the Certificate Manager also maintains a CRL in its internal database. You can configure the Certificate Manager to generate the CRL every time a certificate is revoked and at periodic intervals.
  • Page 613: Revocation Checking By Netscape Clients

    Publishing of CRLs Revocation Checking by Netscape Clients At the time of this writing, Netscape Communicator versions 4.7 and later, when used in conjunction with the security module called Netscape Personal Security Manager, enable automatic revocation-status verification of certificates using the OCSP protocol.
  • Page 614: Publishing Of Crls To An Ldap Directory

    Publishing of CRLs Publishing of CRLs to an LDAP Directory The Certificate Manager can publish the CRL to an LDAP-compliant directory using the LDAP protocol or LDAP over SSL (LDAPS) protocol, and applications can retrieve the CRL over HTTP. Support for retrieving CRLs over HTTP enables some browsers, such as Netscape Communicator, to automatically import the latest CRL from the directory that receives regular updates from the Certificate Manager.
  • Page 615: Crl Issuing Points

    Configuring a Certificate Manager to Publish Certificates and CRLs CRL Issuing Points Because CRLs can grow very large, several methods have been developed to minimize the overhead of retrieving and delivering large CRLs. One of these methods is based on partitioning the entire certificate space and associating a separate CRL with every partition.
  • Page 616: Step 1. Before You Begin

    To configure a Certificate Manager to publish certificates and CRLs to a directory, follow these steps:
    • Step 1. Before You Begin
    • Step 2. Set Up the Directory for Publishing
    • ...
  • Page 617 Identify your publishing directory. If you’ve already configured the Certificate Manager to use an LDAP directory for authenticating users (for example, if you’re using the directory-based or directory- and PIN-based authentication), you should consider publishing certificates and CRLs to the same directory.
  • Page 618: Step 2. Set Up The Directory For Publishing

    Step 2. Set Up the Directory for Publishing For a Certificate Manager to publish certificates and CRLs to an LDAP directory, the directory needs to be set up to receive certificate- and CRL-related information from the Certificate Manager.
  • Page 619: Step B. Add An Entry For The Ca

    Required Schema for Publishing the CA Certificate The Certificate Manager publishes its own CA certificate in the caCertificate;binary attribute of the CA’s directory object when the server is started; this is the object that corresponds to the Certificate Manager’s issuer name. This is a required attribute of the certificationAuthority object class.
  • Page 620 After you select the correct entry type, you need to specify the required information to create the entry. Note that the entry you create doesn’t have to be in the certificationAuthority object class. The Certificate Manager will convert this entry to that object class automatically by...
  • Page 621: Step C. Identify An Entry That Has Write Access

    Step C. Identify an Entry That Has Write Access When you configure the Certificate Manager to work with Directory Server, you’ll be required to specify a distinguished name in the directory that has read-write permissions to the directory.
  • Page 622: Step E. Specify The Directory Authentication Method

    Step E. Specify the Directory Authentication Method Depending on how you want the Certificate Manager to authenticate to the directory, you must set up Directory Server for one of the following methods of communication:
    • ...
  • Page 623 In the Client Authentication section, select the “Allow client authentication” option. Be sure not to select the “Require client authentication” option. If you do, Netscape Console will not be able to communicate with the directory. Click Save.
  • Page 624 Scroll through the list to see if it contains the SSL server certificate that you want to use. If the server has an SSL server certificate, check the CA that has issued the certificate.
  • Page 625 Submit the CSR as an email to the CA’s administrator; to use this method, you need to know the email address of the person who processes certificate requests for the CA and you need to copy the CSR the wizard generates. Submit the CSR manually by pasting it into the Certificate Manager’s SSL server enrollment form;...
  • Page 626 The choices for submitting the CSR to the CA include the following: To CA’s email address. Select this if you want to send the CSR to the CA administrator’s email address. Type the administrator’s email address in the adjoining field.
  • Page 627 Go to the end-entity interface of the Certificate Manager (or to the Registration Manager that’s connected to the Certificate Manager). In the left frame, under Server, click SSL Server. In the server enrollment form that appears, enter the required information: PKCS#10 Request.
  • Page 628 Copy the SSL server certificate. You must go through this step, irrespective of whether you submitted the CSR to the Certificate Manager or to an external CA. To install the certificate in the Directory Server’s database, you need to have a copy of the certificate in its base-64 encoded format: If you submitted the CSR to an external CA, wait until you receive the certificate.
  • Page 629 In the second step, select the “The certificate is located in the following text field” option and paste the certificate blob you copied earlier, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines. Follow the prompts and add the certificate to the certificate database.
  • Page 630 Confirm that the new certificates are installed. To verify that the certificates are installed in the certificate database of Directory Server: In the Directory Server window, select the Tasks tab. From the Console menu, select Manage Certificates. The Certificate Management dialog box appears showing a list of certificates installed for Directory Server.
  • Page 631 Turn on SSL-enabled communication. To turn on SSL-enabled communication in Directory Server: In the Directory Server window, select the Configuration tab, and then in the right pane, select the Encryption tab. Check the Enable SSL box.
  • Page 632: Step F. Modify The Certificate Mapping File

    Step F. Modify the Certificate Mapping File This step explains how to modify the certmap.conf file to add a certificate mapping rule for the CA’s entry you created. You need to go through this step only if you configured the directory for SSL client authenticated communication.
  • Page 633 The second and subsequent lines in the named mapping match properties with values. The certmap.conf file has six default properties, but the ones that should be of use to you are explained below. For in-depth detail about the certmap.conf file, see Managing Servers with Netscape Console.
  • Page 634 • verifycert—This tells the server whether it should compare the certificate the Certificate Manager presents during client authentication with the certificate found in the Certificate Manager’s entry in the directory. It takes one of two values.
  • Page 635 Follow the instructions in the file and add the mapping information for the entry you added. The figure above shows the following mapping rule being added to the file:
    certmap myCA CN=rootCA, O=siroe.com
    #myCA:DNComps
    myCA:FilterComps...
  • Page 636: Step G. Restart Directory Server

    Step G. Restart Directory Server For all your changes to take effect, you must restart Directory Server.
    • Starting Directory Server If you configured the Directory Server for basic authentication or SSL-enabled communication without client authentication, you can start the server from the Directory Server window from within Netscape Console: Click the Tasks tab.
  • Page 637 During installation, the Certificate Manager automatically creates a set of mappers that you would most likely want to use. The names of the default mappers are as follows: —for locating the correct attribute of user entries in the •...
  • Page 638 In the navigation tree, select Publishing, and then select Mappers. The right pane shows the Mappers Management tab, which lists configured mappers. In the Mapper list, select a mapper that you want to modify. For the purposes of completing this instruction, assume that you selected the mapper named LdapUserCertMap...
  • Page 639 Make the necessary changes and click OK. Note that if your CA certificate does not have the component in its subject name, be sure to adjust the CA certificate mapping DN pattern to reflect the DN of the entry in the directory where the CA certificate is to be published.
  • Page 640 In the Publisher list, select a publisher that you want to modify. For the purposes of this instruction, assume that you selected the publisher named LdapUserCertPublisher. Click Edit/View. The Publisher Editor window appears, showing how this publisher is currently configured.
  • Page 641 To modify a publishing rule: In the navigation tree, select Publishing, and then select Rules. The right pane shows the Rules Management tab, which lists configured publishing rules. In the Rule list, select a publishing rule that you want to modify. For the purposes of this instruction, assume that you selected the rule named LdapUserCertRule. Click Edit/View.
  • Page 642: Step B. Add Mappers, Publishers, And Publishing Rules

    Make the necessary changes and click OK. You are returned to the Rules Management tab. To modify the remaining rules, repeat Step 2 through Step 4. Click Refresh to see the updated status of all the rules. Step B.
  • Page 643 Click Add. The Select Mapper Plugin Implementation window appears. It lists registered mapper modules. Select a module. The following choices are the ones provided by default with the Certificate Manager for mapping a CA’s certificate to the CA’s directory entry. (If you have registered any custom mapper modules, they too will be available here for selection.) LdapDNCompsMap.
  • Page 644 For example, if the subject name of your CA’s certificate is CN=testCA, O=siroe.com, C=US, and you set dnComps to use the O and C attributes of the DN, the server starts the search from the O=siroe.com, C=US entry in the directory.
  • Page 645 Click Add. The Select Publisher Plugin Implementation window appears. It lists registered publisher modules. Select the module named LdapCaCertPublisher. Only this module publishes the CA certificate to the caCertificate;binary attribute in the CA’s directory entry. (If you have registered any custom publisher modules, they too will be available here for selection.) Click Next.
  • Page 646 To create a publishing rule: In the navigation tree, under Publishing, select Rules. The right pane shows the Rules Management tab, which lists configured publishing rules. Click Add. The Select Rule Plugin Implementation window appears. It lists registered modules that enable you to create publishing rules.
  • Page 647
    • Object signing certificates
    • Registration Manager signing certificates
    • OCSP responder certificates
    • Router certificates
    You need to create a rule for each type of certificate using the mapper and publisher that you created for end-entity certificates.
  • Page 648: Step 4. Configure The Certificate Manager To Publish Crls

    Click OK. The Rules Management tab appears, listing the new rule you just created for publishing end users’ client certificates. Repeat steps 1 through 6 for each type of end-entity certificate the Certificate Manager will issue.
  • Page 649: Step A. Specify Crl Details

    To configure a Certificate Manager to publish CRLs to the directory, follow these steps:
    • Step A. Specify CRL Details
    • Step B. Set the CRL Extensions
    • Step C. Create a Mapper for the CRL
    • ...
  • Page 650 In the Update Frequency section, specify the interval for publishing the CRL to the directory: Every time a certificate is revoked, or taken off-hold. Select this option if you want the Certificate Manager to generate the CRL every time it revokes a certificate.
  • Page 651: Step B. Set The Crl Extensions

    Allow extensions. Check this box if you want to allow extensions in the CRL. If you enable this option, the server generates and publishes CRLs conforming to the X.509 version 2 standard. If you disable this option, the server generates and publishes CRLs conforming to the X.509 version 1 standard.
  • Page 652: Step C. Create A Mapper For The Crl

    To specify the CRL extensions the Certificate Manager should set: In the navigation tree, under Certificate Manager, select CRL Extensions. The right pane shows the CRL Extensions Management tab, which lists configured extensions.
  • Page 653: Step D. Create A Publisher For The Crl

    Since you already created a mapper for locating the CA’s entry (either in “Step A. Modify the Default Mappers, Publishers, and Publishing Rules” on page 636 or in “Creating a Mapper for the CA Certificate” on page 642), you can configure the Certificate Manager to use that mapper to locate the CA’s entry for publishing the CRL;...
  • Page 654 Click Add. The Select Publisher Plugin Implementation window appears. It lists registered publisher modules. Select the module named LdapCrlPublisher. Only this publisher module enables the Certificate Manager to publish the CRL to the certificateRevocationList;binary attribute of the CA’s directory...
  • Page 655: Step E. Create A Publishing Rule For The Crl

    crlAttr. Make sure this field shows the directory attribute to which the CRL is published, certificateRevocationList;binary. If necessary, type it in. Click OK. The Publishers Management tab appears, listing the new publisher. Step E.
  • Page 656: Step 5. Identify The Publishing Directory

    type. Select
    mapper. Select the mapper you added for locating the CA’s entry in the directory.
    publisher. Select the publisher you added for publishing the CRL.
    Click OK. The Rules Management tab appears, listing the new rule. Step 5.
  • Page 657 In the Destination section, identify the Directory Server instance. Host name. Type the full host name of the Directory Server instance in this format: <machine_name>.<your_domain>.<domain> The Certificate Manager uses this name to locate the directory. If you configured the Directory Server for SSL client authenticated communication (in “Step E.
  • Page 658: Step 6. Test Certificate And Crl Publishing

    Typically, you would want to enter the directory manager’s DN because it has read-write permission to the entire directory tree (the root DN). For more information on root DN, see Appendix A, “Distinguished Names” in CMS Plug-ins Guide.
  • Page 659: Step A. Decide A Directory Entry For Requesting A Certificate

    Step A. Decide a Directory Entry for Requesting a Certificate Decide on a user entry for which you will request a certificate. This way, you can check whether the Certificate Manager published the certificate to that entry. The entry you choose could be any end-entity’s directory entry, as long as it supports the certificate attribute.
  • Page 660: Step D. Download The Certificate To The Browser

    To approve the request: Go to the Certificate Manager’s Agent Services interface. The URL is in this format: https://<hostname>:<agent_port> In the left frame, click List Requests. In the form that appears, select the “Show pending requests” option and click Find.
  • Page 661: Step F. Revoke The Certificate

    Locate the user entry for which you requested the certificate. Double-click the entry and check if the entry has a certificate attribute. You should find the certificate published to that attribute. You won’t be able to see anything interesting about the certificate;...
  • Page 662: Step G. Check The Directory For The Crl

    Manually Updating Certificates and CRLs in a Directory In the left frame, select User Certificate. The User Certificate Revocation form appears. In the Revocation Reason section, select Unspecified and click Submit. The client displays the “Select a Certificate” dialog box and prompts you to choose the certificate you want to revoke.
  • Page 663: Manually Updating Certificates In The Directory

    Manually Updating Certificates in the Directory The Update Directory Server form in the Certificate Manager Agent Services interface enables you to manually update the directory with certificate-related information. This form lets you initiate a combination of the following operations:
    • ...
  • Page 664: Manually Updating The Crl In The Directory

    Note that if the Certificate Manager is installed as a root CA, then when you use the agent interface to update the directory with valid certificates, the CA signing certificate may be published using the publishing rule set up for user certificates, and you may get an object class violation error (or other errors from the mapper).
  • Page 665 When the directory is updated, the Certificate Manager will display a status report. If the process gets interrupted for some reason, the server logs an error message. Be sure to check logs if that happens; for details, see “Monitoring CMS Logs”...
  • Page 667: Chapter 20 Publishing Certificates And Crls To A File

    Chapter 20 Publishing Certificates and CRLs to a File Netscape Certificate Management System (CMS) provides a customizable publishing framework for the Certificate Manager, enabling it to publish certificates, certificate revocation lists (CRLs), and other certificate-related objects to any of the supported repositories—an LDAP-compliant directory, a flat file, and an online validation authority—using the appropriate protocol.
  • Page 668: Step 1. Before You Begin

    Configuring Certificate Manager to Publish to Files
    • For each certificate the server issues, it creates a file that contains the certificate in its DER-encoded format. Each file is named cert-<serial_number>.der, where <serial_number> specifies the serial number of the certificate...
  • Page 669: Step 2. Configure The Certificate Manager

    • Decide the interval for publishing CRLs—configuring the server to publish every time a certificate is revoked will result in that many CRL files.
    • Determine the backup media and schedule for these files.
    Step 2.
  • Page 670 Click Add. The Select Publisher Plugin Implementation window appears. It lists registered publisher modules. Select the module named FileBasedPublisher. Only this publisher module enables the Certificate Manager to publish certificates and CRLs to flat files. Click Next.
  • Page 671: Step B. Create Publishing Rules For Certificates

    directory. Type the complete path to the directory in which the Certificate Manager should create the DER-encoded files; the path can be an absolute path or can be relative to the CMS instance directory. For example, C:\certificates. Then click OK.
  • Page 672 Click Next. Enter the appropriate information:
    Rule ID. Type a name for the rule that will help you identify it later; use an alphanumeric string with no spaces. For example, PublishCaCertToFile
    type. Select cacert
    predicate.
  • Page 673: Step C. Create A Publishing Rule For Crls

    Table 20-1 Certificate types and predicate expressions

    End-entity certificate type                              “type” field value   “predicate” field value
    SSL client certificate                                   certs                HTTP_PARAMS.certType==client
    SSL server certificate                                   certs                HTTP_PARAMS.certType==server
    Object signing certificate                               certs                HTTP_PARAMS.certType==objSignClient
    Certificate Manager signing certificate (subordinate CA) cacert               HTTP_PARAMS.certType==ca
  • Page 674: Step D. Specify Crl Details

    Click Next. The Rule Editor window appears. Enter the appropriate information:
    Rule ID. Type a name for the rule that will help you identify it later; use an alphanumeric string with no spaces. For example, PublishCertsToFile
    type.
  • Page 675 To specify the details for the CRL: In the navigation tree, select Certificate Manager, and then in the right pane, select the Revocation List tab. In the Update Frequency section, specify the interval for publishing the CRL to the directory: Every time a certificate is revoked, or taken off-hold.
  • Page 676: Step E. Set The Crl Extensions

    In the adjoining text field, type the interval, in minutes, at which the Certificate Manager should publish CRLs. For example, if you want the server to publish CRLs every day, you should type 1440 in this field. with a skew of.
  • Page 677 During installation, the Certificate Manager creates default CRL extension rules. Note that the server is configured to add the CRL Reason extension only; all the other rules are in the disabled state. In this step, you modify the default rules to suit your organization’s requirements.
  • Page 678: Step F. Make Sure Publishing Is Enabled

    Step F. Make Sure Publishing is Enabled To make sure that the Certificate Manager is configured for publishing: In the navigation tree, select Certificate Manager, then select Publishing. The right pane shows the publishing details necessary for the server to publish to an LDAP-compliant directory, to flat files, or to an online validation authority.
  • Page 679: Step B. Approve The Request

    To request a client or personal certificate from the Certificate Manager: Open a web browser window. Go to the end-entity interface of the Certificate Manager you configured (or to the Registration Manager that’s connected to this Certificate Manager). The URL is in this form: https://<hostname>:<end_entity_HTTPS_port>...
  • Page 680: Step C. Download The Certificate To The Browser

    Step C. Download the Certificate to the Browser To download the certificate into your browser’s certificate database: In the confirmation page, scroll down to the section that says “Installing this certificate in a client.” Follow the on-screen instructions and download the certificate to your browser’s certificate database.
  • Page 681 At the prompt, enter this: BtoA[.bat] <input_file> <output_file>, substituting <input_file> with the path to the file that contains the DER-encoded certificate and <output_file> with the path to the file to write the base-64 encoded certificate. (The optional .bat specifies the file extension;...
  • Page 682: Step E. Revoke The Certificate

    For example, if the base-64 encoded certificate is in C:\certificates\cert-1234.txt and you want the human-readable form of the certificate to be displayed on your screen, the command would look like this: PrettyPrintCert.bat C:\certificates\cert-1234.txt When the conversion is complete, you should see the certificate you issued in human-readable form.
  • Page 683: Step F. Check The File For The Crl

    Step F. Check the File for the CRL Whenever the Certificate Manager generates a CRL, it automatically attempts to publish the CRL to the configured repository—in this case, the flat file. The CRL it publishes is a binary blob, in the DER-encoded format.
  • Page 684 When the conversion is complete, open the crl.txt file in a text editor. You should see a base-64 encoded CRL similar to this: Convert the base 64-encoded CRL to a human-readable form using the Pretty Print CRL tool (see Chapter 10, “Pretty Print CRL Tool”...
  • Page 685: Managing Mapper And Publisher Plug-In Modules

    Managing Mapper and Publisher Plug-in Modules This section explains how to use the CMS window to perform the following operations:
    • Registering a Mapper or Publisher Module
    • Deleting a Mapper or Publisher Module
    Registering a Mapper or Publisher Module You can register new mapper or publisher plug-in modules in a Certificate Manager’s publishing framework.
  • Page 686 This tab lists registered plug-in modules. Click Register. If you selected Mapper, the Register Mapper Plugin Implementation window appears. If you selected Publisher, the Register Publisher Plugin Implementation window appears. Specify information as appropriate: Plugin name.
  • Page 687: Deleting A Mapper Or Publisher Module

    Deleting a Mapper or Publisher Module You can delete unwanted mapper or publisher plug-in modules using the CMS window. Before deleting a module, be sure to delete all the rules that are based on this module.
  • Page 689: Chapter 21 Setting Up An Ocsp Responder

    Chapter 21 Setting Up an OCSP Responder Netscape Certificate Management System (CMS) provides a customizable publishing framework for the Certificate Manager, enabling it to publish certificates and certificate revocation lists (CRLs) to any of the supported repositories—an LDAP-compliant directory, a flat file, and an online validation authority—using the appropriate protocol.
  • Page 690: What's An Ocsp-Compliant Pki Setup

    What’s an OCSP-Compliant PKI Setup? Certificate Management System supports the Online Certificate Status Protocol (OCSP) as defined in the PKIX standard RFC 2560 (see http://www.ietf.org/rfc/rfc2560.txt). The OCSP protocol enables OCSP-compliant applications to determine the state of a certificate, including the revocation status, without having to directly check a CRL published by a CA to the validation authority.
  • Page 691 If the request lacks any information required by the responder to process it or if the responder is not configured to provide the requested service to the client, the responder sends a rejection notification to the client. The responder also writes an appropriate error message to its log file.
  • Page 692: How To Get An Ocsp Responder

    The OCSP response that the client receives indicates the current status of the certificate as determined by the OCSP responder. The response could be any of the following:
    • Good or Verified—specifying a positive response to the status inquiry. At a minimum, this positive response indicates that the certificate has not been revoked, but it does not necessarily mean that the certificate was ever issued or that the time at which the response was produced is within the certificate’s...
  • Page 693: How Online Certificate Status Manager Works

    Manager. That is, clients can verify only those certificates that are issued by the Certificate Manager. In addition, you also need to keep the Certificate Manager’s non-SSL end-entity port enabled because the server can service OCSP requests only via its HTTP port.
  • Page 694: How To Get Ocsp-Compliant Clients

    As explained earlier, the Online Certificate Status Manager stores each Certificate Manager’s CRL in its internal database and uses it as the default CRL store for verifying certificates. You can also configure the Online Certificate Status Manager to use the CRL published to an LDAP directory.
  • Page 695: Setting Up A Certificate Manager With Ocsp Service

    Setting Up a Certificate Manager with OCSP Service The Certificate Manager has a built-in OCSP service feature that can be used by OCSP-compliant clients to do real-time verification of certificates issued by the Certificate Manager.
  • Page 696: Step 2. Install Ocsp-Compliant Client

    • Read “Publishing of CRLs” on page 610. Determine whether you want the Certificate Manager to publish version 1 or version 2 CRLs to the directory. If you decide to publish version 2 CRLs, read Chapter 4, “Certificate Extension Plug-in Modules”...
  • Page 697: Step 3. Enable Certificate Manager's Http Port

    Verify that Personal Security Manager is installed. In the menu bar, click Communicator, and from the Tools menu, select Security Info. You should see the Personal Security Manager interface. Configure Personal Security Manager to verify certificates by using the OCSP service URL identified by the Authority Information Access extension in certificates.
  • Page 698 Setting Up a Certificate Manager with OCSP Service To enable the end-entity port used by the Certificate Manager for non-SSL communications: Log in to the CMS window for the Certificate Manager (see “Logging In to the CMS Window” on page 343). Select the Configuration tab.
  • Page 699: Step 4. Enable Certificate Manager's Ocsp Service

    Setting Up a Certificate Manager with OCSP Service Step 4. Enable Certificate Manager’s OCSP Service During the installation of a Certificate Manager, you are given an opportunity to specify whether you want to enable Certificate Manager’s OCSP service. If you chose to enable it, you just need to verify that the OCSP service is still on.
  • Page 700: Step 5. Configure Certificate Manager For Extensions

    Setting Up a Certificate Manager with OCSP Service Step 5. Configure Certificate Manager for Extensions In order for OCSP-compliant clients to query the Certificate Manager about the revocation status of a certificate, the certificate being validated must contain the Authority Information Access extension pointing to the location at which the Certificate Manager listens for OCSP service requests.
  • Page 701 Setting Up a Certificate Manager with OCSP Service To verify the status of policy rules that enable the Certificate Manager to add the extensions required in an OCSP-compliant client certificate: In the navigation tree, select Certificate Manager, and then select Policies. The Policy Rules Management tab appears.
  • Page 702: Step 6. Restart The Certificate Manager

    Setting Up a Certificate Manager with OCSP Service Make sure the following values are assigned: Enable. Checked or selected. predicate. Shows HTTP_PARAMS.certType==client. critical. Unchecked. numADs. Shows … ad0_method. Shows ocsp 1.3.6.1.5.5.7.48.1. ad0_location_type. Shows … ad0_location. Shows the complete path to the location where the Certificate Manager listens to calls from OCSP-compliant clients.
  • Page 703: Step 7. Test Your Ca's Ocsp Service Setup

    Setting Up a Certificate Manager with OCSP Service Type the single sign-on password you specified during installation and click Certificate Management System won’t restart until you provide this password. For more information, see “Required Start-up Information” on page 312. Step 7. Test Your CA’s OCSP Service Setup To test whether the Certificate Manager can service OCSP requests properly, follow these steps: •...
  • Page 704: Step B. Request A Certificate

    Setting Up a Certificate Manager with OCSP Service Click the OCSP Settings button. The OCSP Setting window appears. Select the “Use OCSP to verify only certificates that specify an OCSP service URL” option, and click OK. Click the Close button. Step B.
  • Page 705: Step D. Download The Certificate To The Browser

    Setting Up a Certificate Manager with OCSP Service In the form that appears, select the “Show pending requests” option and click Find. In the list of pending requests, identify the request you submitted and click Details. Check the request to make sure that it has all the required attributes of a client certificate, including the Authority Information Access extension.
  • Page 706: Step F. Verify The Certificate In The Browser

    Setting Up a Certificate Manager with OCSP Service Locate the Certificate Manager’s CA signing certificate, select it, and click Edit. The Edit Security Certificate Settings window appears. Make sure all three options are selected and click OK. Step F. Verify the Certificate in the Browser To verify that the certificate has been downloaded into the certificate database of Personal Security Manager: Click the Certificates tab and, in the left pane, click Mine.
  • Page 707: Step H. Revoke The Certificate

    Setting Up a Certificate Manager with OCSP Service Step H. Revoke the Certificate To revoke the certificate you issued: Go to the end-entity interface for the Certificate Manager you configured (or to the Registration Manager that’s connected to this Certificate Manager). Be sure to go to the HTTPS interface.
  • Page 708: Setting Up A Remote Ocsp Responder

    Setting Up a Remote OCSP Responder To check the Certificate Manager’s OCSP-service status for verification: Go to the Certificate Manager’s status page. Reload the page (hold down the Shift key and click the browser’s Reload icon). Compare the information to what you noted in Step G above. The updated statistics should indicate that Personal Security Manager queried the Certificate Manager about the status of the certificate and in response, the Certificate Manager informed Personal Security Manager that the certificate is...
  • Page 709: Step 1. Before You Begin

    Setting Up a Remote OCSP Responder To import a CA certificate into the certificate database of a subordinate Certificate Manager, you can use the Certificate Setup Wizard. For instructions, see “Using the Wizard to Install a Certificate or Certificate Chain” on page 471. After you install the certificate, you can follow the instructions in “Changing the Trust Settings of a CA Certificate”...
  • Page 710: Step 2. Install An Ocsp-Compliant Client

    Setting Up a Remote OCSP Responder • Check whether you’ve installed the Online Certificate Status Manager, the OCSP responder provided with Certificate Management System. If you haven’t, first identify a host machine for installing it and then follow the installation instructions in Chapter 6, “Installing Certificate Management System”...
  • Page 711: Step 3. Identify The Ca To The Ocsp Responder

    Setting Up a Remote OCSP Responder Step 3. Identify the CA to the OCSP Responder Before you configure a Certificate Manager to publish CRLs to the Online Certificate Status Manager, you must identify the Certificate Manager to the Online Certificate Status Manager. You do this by storing the Certificate Manager’s CA signing certificate in the internal database of the Online Certificate Status Manager.
  • Page 712 Setting Up a Remote OCSP Responder Copy the base-64 encoded certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines, to the clipboard or a text file. The copied information should look similar to the following example:...
  • Page 713: Step 4. Configure The Certificate Manager To Publish Crls

    Setting Up a Remote OCSP Responder In the resulting form, paste the encoded CA signing certificate inside the text area labeled “Base 64 encoded certificate (including header and footer).” Click Add. The certificate is added to the internal database of the Online Certificate Status Manager.
  • Page 714 Setting Up a Remote OCSP Responder To specify CRL details: Log in to the CMS window for the Certificate Manager (see “Logging In to the CMS Window” on page 343). Select the Configuration tab. In the navigation tree, select Certificate Manager, and then in the right pane, select the Revocation List tab.
  • Page 715: Step B. Set The Crl Extensions

    Setting Up a Remote OCSP Responder In the CRL Cache section, specify whether to enable CRL caching: Enable cache. Check this box to enable CRL caching. Leave the box unchecked if you don’t want the server to maintain a cache. Update interval.
  • Page 716: Step C. Create A Publisher For The Crl

    Setting Up a Remote OCSP Responder To specify the CRL extensions the Certificate Manager should set: In the navigation tree, under Certificate Manager, select CRL Extensions. The right pane shows the CRL Extensions Management tab, which lists configured extensions. To modify a rule, select it and then click Edit/View. Change the information as appropriate.
  • Page 717 Setting Up a Remote OCSP Responder To create a publisher for the CRL: In the navigation tree, click Publishers. The right pane shows the Publishers Management tab, which lists configured publisher instances. Click Add. The Select Publisher Plugin Implementation window appears. It lists registered publisher modules.
  • Page 718: Step D. Create A Publishing Rule For The Crl

    Setting Up a Remote OCSP Responder Enter the appropriate information: Publisher ID. Type a name for the rule; use an alphanumeric string with no spaces. For example, Ca1CrlToOcspResponder. host. Type the fully-qualified host name of the Online Certificate Status Manager. The name must be in the form .
  • Page 719 Setting Up a Remote OCSP Responder Click Next. The Rule Editor window appears. Enter the appropriate information: Rule ID. Type a name for the rule; be sure to use an alphanumeric string with no spaces. For example, PublishCa1CrlToOcspResponder. type. Select predicate.
  • Page 720: Step E. Make Sure Publishing Is Enabled

    Setting Up a Remote OCSP Responder Step E. Make Sure Publishing is Enabled To make sure that the Certificate Manager is configured for publishing: In the navigation tree, select Certificate Manager, then select Publishing. The right pane shows the publishing details necessary for the server to publish to an LDAP-compliant directory, to files, or to an online validation authority.
  • Page 721: Step 5. Configure Certificate Manager For Required Extension Policies

    Setting Up a Remote OCSP Responder Step 5. Configure Certificate Manager for Required Extension Policies In order for OCSP-compliant clients to query the Online Certificate Status Manager about the revocation status of a certificate, the certificate being validated must contain the Authority Information Access extension pointing to the location at which the Online Certificate Status Manager listens for OCSP service requests.
  • Page 722 Setting Up a Remote OCSP Responder In the Policy Rule list, select the rule named AuthInfoAccessExt and click Edit; this rule was created by default during installation. The Policy Rule Editor window appears, showing how this rule is currently configured. Assign the following values: Enable.
  • Page 723: Step 6. Configure The Online Certificate Status Manager

    Setting Up a Remote OCSP Responder If you need details about any of the configuration parameters, click the Help button. Click OK. You are returned to the Policy Rules Management tab. Make any other changes, if necessary. Click Refresh. The Certificate Manager is ready to request client certificates with Authority Information Access extension.
  • Page 724 Setting Up a Remote OCSP Responder In the navigation tree, select Online Certificate Status Manager, and then select Revocation Info Stores. The right pane shows the two repositories the Online Certificate Status Manager can use; by default, it uses the CRL in its internal database. Select the appropriate option: If you want to configure the Online Certificate Status Manager to use the CRLs in its internal database, select...
  • Page 725 Setting Up a Remote OCSP Responder If you selected defStore, fill in values as below: notFoundAsGood. A certificate’s status can typically be indicated by three possible OCSP responses, namely GOOD, REVOKED, and UNKNOWN. Select this option if you want the Online Certificate Status Manager to return an OCSP response of GOOD if the certificate in question cannot be found in the certificate repository.
  • Page 726 Setting Up a Remote OCSP Responder If you selected ldapStore, fill in values as below: numConns. Type the total number of LDAP directories the Online Certificate Status Manager should check. By default, this is set to 0. If you change the value to a positive integer, for example 1, 2, or 3, you will see that many sets of , and...
  • Page 727: Step 7. Restart The Certificate Manager

    Setting Up a Remote OCSP Responder notFoundAsGood. A certificate’s status can typically be indicated by three possible OCSP responses, namely GOOD, REVOKED, and UNKNOWN. Select this option if you want the Online Certificate Status Manager to return an OCSP response of GOOD if the certificate in question cannot be found in the certificate repository.
  • Page 728: Step 8. Restart The Online Certificate Status Manager

    Setting Up a Remote OCSP Responder Step 8. Restart the Online Certificate Status Manager For all your changes to take effect, you must restart the Online Certificate Status Manager. You can use the CMS window to restart the Online Certificate Status Manager: Select the Tasks tab.
  • Page 729: Step 10. Test Your Ocsp Responder Setup

    Setting Up a Remote OCSP Responder The “Requests Served Since Startup” field should show a value of zero (0), indicating that no OCSP-compliant client has queried the Online Certificate Status Manager yet for revocation status of a certificate. Step 10. Test Your OCSP Responder Setup To test whether the Certificate Manager is publishing to the Online Certificate Status Manager properly and to test that the online validation of certificates is taking place, follow these steps:...
  • Page 730: Step B. Request A Certificate

    Setting Up a Remote OCSP Responder Select the “Use OCSP to verify only certificates that specify an OCSP service URL” option, and click OK. Click on the Close button. Step B. Request a Certificate The steps outlined below explain how to request a client certificate from the Certificate Manager using the manual enrollment method.
  • Page 731: Step D. Download The Certificate To The Browser

    Setting Up a Remote OCSP Responder In the form that appears, select the “Show pending requests” option and click Find. In the list of pending requests, identify the request you submitted and click Details. Check the request to make sure that it has all the required attributes of a client certificate, including the Authority Information Access extension.
  • Page 732: Step F. Verify The Certificate In The Browser

    Setting Up a Remote OCSP Responder Locate the Certificate Manager’s CA signing certificate, select it, and click Edit. The Edit Security Certificate Settings window appears. Make sure all three options are selected and click OK. Step F. Verify the Certificate in the Browser To verify that the certificate has been downloaded into the certificate database of Personal Security Manager: Click the Certificates tab and, in the left pane, click Mine.
  • Page 733: Step H. Revoke The Certificate

    Setting Up a Remote OCSP Responder Step H. Revoke the Certificate To revoke the certificate you issued so that the Certificate Manager publishes the CRL to the Online Certificate Status Manager: Go to the end-entity interface for the Certificate Manager you configured (or to the Registration Manager that’s connected to this Certificate Manager).
  • Page 734 Setting Up a Remote OCSP Responder • The Online Certificate Status Manager sent an OCSP response to the browser. • The browser used that response to validate the certificate and informed you of its status (that the certificate could not be verified). To check the Online Certificate Status Manager status for verification: Go to the Online Certificate Status Manager’s status page.
  • Page 735: Chapter 22 Setting Up Key Archival And Recovery

    Chapter 22 Setting Up Key Archival and Recovery When data is stored in encrypted form, you must have the private key that corresponds to the public key that was used to encrypt the data in order to decrypt and read it. If the private key is lost, the data cannot be retrieved. A private key can be lost because of a hardware failure, for example, or because the key’s owner forgets the password or loses the hardware token in which the key is stored.
  • Page 736: Clients That Can Generate Dual Key Pairs

    PKI Setup for Key Archival and Recovery • HTML forms with which your users can request dual certificates (based on dual keys) and key recovery agents can request key recovery. The sections that follow explain these elements in detail. For step-by-step instructions on setting up your PKI environment for key archival and recovery, see “Configuring Key Archival and Recovery Process”...
  • Page 737: Forms For Users And Key Recovery Agents

    Key Archival Process Certificate Management System does not provide any policy plug-in modules for the Data Recovery Manager. However, you can write custom policy plug-in modules (that is, write Java classes that implement these rules), register them in the Data Recovery Manager’s policy framework, and create policy rules using these plug-in implementations.
  • Page 738: Where The Keys Are Stored

    Key Archival Process Here are a few situations in which you might need to recover a user’s encryption private key: • An employee loses the encryption private key (for example, after a disk crash or by forgetting the password to the key file) and cannot read encrypted mail messages.
  • Page 739: How Key Archival Works

    Key Archival Process How Key Archival Works When a Certificate Manager or Registration Manager receives a certificate request that contains the key archival option, it automatically requests the service of the Data Recovery Manager to archive the user’s encryption private key. The Data Recovery Manager receives an encrypted copy of the user’s private key and stores the key in its key repository.
  • Page 740 Key Archival Process These are the steps shown in Figure 22-1: A user uses a client capable of generating dual key pairs to access the certificate enrollment form served by the Registration Manager, fills in all the information, and submits the request. The Registration Manager detects the key archival option in the user’s request and asks the client for the user’s encryption private key.
  • Page 741: Key Recovery Process

    Key Recovery Process Key Recovery Process The Data Recovery Manager supports agent-initiated key recovery. In this method of key recovery, designated recovery agents use the Key Recovery form provided in the Data Recovery Manager Agent Services interface to process key recovery requests, list archived keys, and approve recovery.
  • Page 742: Interface For The Key Recovery Process

    Key Recovery Process splitting or sharing, whereby it splits the PIN that protects the token in which the storage key pair resides among n number of key recovery agents and reconstructs the PIN only if m number of recovery agents provide their individual passwords; n must be an integer greater than 1 and m must be an integer less than or equal to n.
  • Page 743: Local Versus Remote Key Recovery Authorization

    Key Recovery Process Local Versus Remote Key Recovery Authorization Key recovery agents can authorize the recovery of a key locally or remotely. The overview of local and remote authorization provided in this section is intended to help you determine which to use for your organization. You may find it useful to take a look at the Data Recovery Manager agent-specific information in the CMS Agent’s Guide.
  • Page 744: How Agent-Initiated Key Recovery Works

    Key Recovery Process The Data Recovery Manager informs the agent who initiated the key recovery process of the status of the authorizations. When all of the authorizations are entered, the Data Recovery Manager checks the information. If the information presented is correct, it retrieves the requested key and returns it along with the corresponding certificate in the form of a PKCS #12 package to the agent who initiated the key recovery process.
  • Page 745 Key Recovery Process Figure 22-2 The agent-initiated key recovery process. These are the steps shown in Figure 22-2: The Data Recovery Manager agent accesses the Key Recovery form using the appropriate client certificate, types the identification information pertaining to the person whose encryption private key needs to be recovered, and submits the request.
  • Page 746 Key Recovery Process If the request passes all the policy rules, the Data Recovery Manager sends a confirmation HTML page to the web browser the agent used. If the request fails any of the policy checks, the server logs an appropriate error message. The confirmation page contains information and input sections: The information section includes the user’s information.
  • Page 747: Key Recovery Agent Scheme

    Key Recovery Process CAUTION The PKCS #12 package contains the private key. To minimize the risk of key compromise, the recovery agent must use a secure, out-of-band means to deliver the PKCS #12 package and password to the key recipient. As an administrator, you should recommend that the recovery agent use a strong password for encrypting the PKCS #12 package, and also consider setting up an appropriate delivery mechanism.
  • Page 748 Key Recovery Process In the navigation tree, select the Data Recovery Manager, and in the right pane, click the Scheme Management tab. The Scheme Management tab shows the current key recovery scheme. Click Change scheme. The Change Recovery Key Scheme window appears.
  • Page 749: Changing Key Recovery Agents' Passwords

    Key Recovery Process In the New Scheme section, make the appropriate changes: Number of recovery agents required. Type the number of agents required to authorize a key recovery process. The number cannot be zero and must be equal to or less than the total number of recovery agents. Total number of recovery agents.
  • Page 750 Key Recovery Process The tab shows current key recovery agents in the Available Agents list. Select the agent whose password needs to be changed, and click Change Password. The Change Password dialog box appears. Allow the agent to enter the appropriate information. During installation, the Data Recovery Manager prompts you to enter key recovery agent passwords (by default, they are set to , where...
  • Page 751: Configuring Key Archival And Recovery Process

    Configuring Key Archival and Recovery Process field you must enter the recovery agent password you specified during installation. Then in the remaining fields, allow the key recovery agent to enter the new password information. If you have more than one key recovery agent, repeat this procedure for all the agents.
  • Page 752: Step A. Deploy Clients That Can Generate Dual Key Pairs

    Configuring Key Archival and Recovery Process Step A. Deploy Clients That Can Generate Dual Key Pairs You can use the Data Recovery Manager to archive and recover keys only from clients that support dual key-pair generation, the key archival option, and the CMC protocol.
  • Page 753: Step C. Customize The Certificate Enrollment Form

    Configuring Key Archival and Recovery Process Otherwise, follow the instructions in “Setting Up Trusted Managers” on page 413 and set up the enrollment authority as a trusted front end to the Data Recovery Manager. Step C. Customize the Certificate Enrollment Form For the enrollment authority to automatically initiate the key archival process at the time key pairs are generated, a certificate request must include the following information:...
  • Page 754 Configuring Key Archival and Recovery Process The steps that follow explain how to do this. Figure 22-3 Data Recovery Manager’s transport certificate in the enrollment form. Copy the transport certificate in its base-64 encoded format. The transport certificate is stored in the Data Recovery Manager’s certificate database.
  • Page 755 Configuring Key Archival and Recovery Process Click the Retrieval tab. List or search for the transport certificate. Click Details, and view the certificate information. Make sure that the certificate you are looking at is the correct one; the certificate shows the DN that was specified for the transport certificate during the installation of Data Recovery Manager.
  • Page 756 Configuring Key Archival and Recovery Process Use the command-line tool called certutil to retrieve the transport certificate from the Data Recovery Manager’s certificate database. (For information on the certutil tool, see Chapter 11, “Certificate Database Tool” of CMS Command-Line Tools Guide.) First, go to this directory: <server_root>/cert-<instance_id>/config Next, run this command:...
  • Page 757: Step D. Configure Key Archival Policies

    Configuring Key Archival and Recovery Process Paste the certificate as the value of the kraTransportCert variable. Paste the certificate in front of the sign, remove any line breaks, enclose the certificate within double-quotation marks ( ), and end the string with “”...
  • Page 758: Step 2. Set Up The Key Recovery Process

    Configuring Key Archival and Recovery Process Unlike Certificate Manager and Registration Manager, no policy plug-in modules are provided for the Data Recovery Manager. If you have implemented any custom policy modules for the Data Recovery Manager’s key archival process, you should make sure that they are configured properly.
  • Page 759: Step B. Facilitate The Key Recovery Agents To Change The Passwords

    Configuring Key Archival and Recovery Process Step B. Facilitate the Key Recovery Agents to Change the Passwords During the installation of Data Recovery Manager, after you specified the m of n scheme, you were also prompted to provide unique passwords for each recovery agent.
  • Page 760: Step 3. Test Your Key Archival And Recovery Setup

    Configuring Key Archival and Recovery Process Unlike Certificate Manager and Registration Manager, no policy plug-in modules are provided for the Data Recovery Manager. If you have implemented any custom policies for the Data Recovery Manager’s key recovery process, you should make sure that they are configured properly.
  • Page 761 Configuring Key Archival and Recovery Process Go to the enrollment authority’s Agent Services interface. The default URL is as follows: https://<hostname>:<agent_port> Click the link that says List Requests. In the form that appears, select the “Show pending requests” option and click Find.
  • Page 762: Step B. Verify The Key

    Configuring Key Archival and Recovery Process If the key has been archived successfully, you should see the information pertaining to that key. If you don’t see the key archived, check the logs and correct the problem before proceeding to the next step. If the key has been successfully archived, exit the client completely—that is, from the File menu, select Exit;...
  • Page 763: Step D. Restore The Key In The Browser's Database

    Configuring Key Archival and Recovery Process • The key owner’s name • The serial number of the key • The public key that corresponds to the private key (in the form of a base-64 encoded certificate) • The instance ID of the enrollment authority that initiated the key archival process If you need more information about any of the fields in this form, click the Help button.
  • Page 764 Configuring Key Archival and Recovery Process Open the test email that you couldn’t verify after deleting the certificate from the browser’s certificate database; you should be able to verify it again. Netscape Certificate Management System Installation and Setup Guide • October 2001...
  • Page 765: Chapter 23 Managing Cms Logs

    Chapter 23 Managing CMS Logs Each instance of Netscape Certificate Management System (CMS) maintains its own system, error, and audit log files. These files record events related to various CMS activities. By configuring logs, you can customize the contents in the log files. This chapter explains how to use the CMS window to configure the system, error, and audit logs maintained by Certificate Management System, and how to monitor its activities by viewing log contents.
  • Page 766: Logs Maintained By The Server

    Introduction to Logs • Log Levels (Message Categories) • Log File Locations • Log File Naming Conventions • Buffered Versus Unbuffered Logging • Rotation of Log Files • Deletion of Log Files Logs Maintained by the Server While Certificate Management System is running, it keeps a log of information and error messages on all the components it manages.
  • Page 767: Services That Are Logged

    Introduction to Logs Table 23-1 Types of logs maintained by Certificate Management System (Continued). Log type: Audit. Description: This log records messages specific to the certificate service—messages such as certificate requests, certificate renewal and revocation requests, and CRL publication—and enables you to detect any unauthorized access or activity.
  • Page 768: Log Levels (Message Categories)

    Introduction to Logs Table 23-2 Services logged by Certificate Management System (Continued). Service: Request Queue. Description: Specifies logged events related to the request queue activity of this server. Service: User and Group. Description: Specifies logged events related to users and groups managed by this server. Log Levels (Message Categories) For identification and filtering purposes, events logged by all CMS-supported services are classified into various categories.
  • Page 769: Log File Locations

    Introduction to Logs Table 23-3 Classification of log entries or messages (Continued). Log level: Failure (default selection for system and error logs). Message category and description: These messages indicate errors and failures that prevent the server from operating normally. Examples of messages that fall into this category include failures to perform a certificate service operation (“User authentication failed”...
  • Page 770: Log File Naming Conventions

    Introduction to Logs Log File Naming Conventions All log files created by Certificate Management System use one or the other of two naming conventions. There is one naming convention for active log files and one for rotated log files. Active Log File Naming Convention All active log files created by Certificate Management System use an identical naming convention.
  • Page 771: Rotation Of Log Files

    Introduction to Logs If you configure Certificate Management System for buffered logging, the server creates buffers for the corresponding logs, and it holds the messages in these buffers for as long as possible. The server flushes out the messages to the log files—which are maintained in your local file system—only when either of the following conditions occurs: •...
  • Page 772: Location Of Rotated Log Files

    Introduction to Logs • The age limit for the corresponding file is reached—the corresponding log file is equal to or older than the interval specified by the rolloverInterval configuration parameter. The default value for this parameter is 2592000 seconds (every hour). Both these parameters can be specified from the CMS window;...
  • Page 773: Configuring Cms Logs

    Configuring CMS Logs Configuring CMS Logs This section explains how to configure Certificate Management System to log messages so that you can monitor the server: • Step 1. Before You Begin • Step 2. Modify the Existing Listeners • Step 3. Delete Unwanted Listeners •...
  • Page 774 Configuring CMS Logs Figure 23-1 Default log-event listeners of a Certificate Manager. After installation, you must verify whether you want to use these listeners, check how these listeners are configured, and make the appropriate configuration changes. You can modify a log-event listener by editing its configuration parameter values; you cannot edit the name of a listener.
  • Page 775: Step 3. Delete Unwanted Listeners

    Configuring CMS Logs In the navigation tree, select Logs. On the right pane, the Log Event Listener Management tab appears. It lists the currently configured listeners. In the Log Event Listener list, select a listener that you want to modify. For the purposes of this instruction, assume that you selected the listener named Audit...
  • Page 776: Step 4. Create New Listeners

    Configuring CMS Logs To delete a listener from the CMS configuration: In the Log Event Listener Management tab, select the listener you want to delete and click Delete. When prompted, confirm the delete action. The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly.
  • Page 777 Configuring CMS Logs Figure 23-2 Default log modules registered with a Certificate Manager To add a new listener to the CMS configuration: In the Log Event Listener Management tab, click Add. The Select Log Event Listener Plugin Implementation window appears. It lists registered log modules.
  • Page 778 Configuring CMS Logs Click Next. The Log Event Listener Editor window appears. It lists the configuration information required for this listener. Enter the appropriate information: Log Event Listener ID. Type a unique name that will help you identify the listener; be sure to use an alphanumeric string without spaces. type.
  • Page 779: Monitoring Cms Logs

    Monitoring CMS Logs maxFileSize. Type the file size in kilobytes (KB) for the error log. The default size is 100 KB. For more information, see “Timing of Log File Rotation” on page 771. rolloverInterval. From the drop-down list, select the frequency at which the server should rotate the active error log file.
  • Page 780: Monitoring System Logs

    Monitoring CMS Logs • Monitoring Audit Logs • Using System Tools for Monitoring the Server (Windows NT Only) Monitoring System Logs Certificate Management System maintains extensive system logs. These logs record various events and system errors for system monitoring and debugging. A system log records details such as the following: •...
  • Page 781 Monitoring CMS Logs Figure 23-3 System log entries displayed in the CMS window To view the contents of an active or rotated system log file: Log in to the CMS window (see “Logging In to the CMS Window” on page 343). Select the Status tab.
  • Page 782: Monitoring Error Logs

    Monitoring CMS Logs Level. Select a message category that represents the log level for filtering messages. For more information on log levels, see “Log Levels (Message Categories)” on page 768. Filename. Select the log file you want to view. Choose Current to view the currently active system log file.
  • Page 783 Monitoring CMS Logs Figure 23-4 Error log entries displayed in the CMS window To view the contents of an active or rotated error log file: Log in to the CMS window (see “Logging In to the CMS Window” on page 343). Select the Status tab.
  • Page 784: Monitoring Audit Logs

    Monitoring CMS Logs Level. Select a message category that represents the level of logging to filter messages. For more information, see “Log Levels (Message Categories)” on page 768. Filename. Select the log file you want to view. Choose Current to view the currently active error log file.
  • Page 785 Monitoring CMS Logs You can view the contents of currently active as well as rotated audit log files from the CMS window (see Figure 23-5). Figure 23-5 Audit log entries displayed in the CMS window To view the contents of an active or rotated audit log file: Log in to the CMS window (see “Logging In to the CMS Window”...
  • Page 786: Using System Tools For Monitoring The Server (Windows Nt Only)

    Monitoring CMS Logs Database, Authentication, Administration, LDAP, Request Queue, ACLs, User and Group, OCSP, and Others. If you choose All, messages logged by all components that log to this file are displayed. For more information, see “Services That Are Logged” on page 767. Level.
  • Page 787: Logging To Windows Nt Event Log

    Monitoring CMS Logs Logging to Windows NT Event Log In addition to logging messages to the log files maintained in your local file system, Certificate Management System can also log audit messages and system errors to the Windows NT Event log. The CMS window allows you to turn this feature on or off and to specify the levels for logging.
  • Page 788: Avoiding Event Log From Getting Filled

    Monitoring CMS Logs Table 23-4 Mapping between Windows NT log event type and CMS logs (Continued)
    Windows NT log event type    CMS log level
    Error                        Misconfiguration (4)
    Error                        Catastrophic failure (5)
    Error                        Security-related events (6)
    Avoiding Event Log From Getting Filled When running Certificate Management System on a Windows NT system, if you don’t configure the NT Event Log properly, the event log will get full.
  • Page 789: Archiving Of Rotated Log Files

    Archiving of Rotated Log Files From the Log menu, select Log Settings. This opens the Event Log Settings window. Enter the appropriate values: Change Settings for. Make sure that the Application log is selected in this box. Maximum Log Size. Select a reasonable size so that the event log doesn’t get full in a short period of time.
  • Page 790: Signing Log Files

    Archiving of Rotated Log Files Certificate Management System does, however, provide a command-line utility, called signtool, that allows you to sign log files before archiving them. This gives you a means of tamper detection. For details, see “Signing Log Files” on page 790. Signing Log Files Certificate Management System allows you to digitally sign log files before you archive them or distribute them for audit purposes.
  • Page 791 Archiving of Rotated Log Files Copy the security module database (secmod.db file) from the Administration Server configuration directory to the CMS configuration directory. The security module database is in this directory: <server_root>/admin-serv/config Copy it to this directory: <server_root>/cert-<instance_id>/config Open a terminal window. At the command prompt, run the following command with the appropriate information: signtool -d <secdb_dir>...
  • Page 792: Managing Log Modules

    Managing Log Modules Managing Log Modules This section explains how to use the CMS window to perform the following operations: • Registering a Log Module • Deleting a Log Module For information on adding or changing policy-specific information in the configuration file, see “Changing the Configuration by Editing the Configuration File”...
  • Page 793: Deleting A Log Module

    Managing Log Modules Click OK. You are returned to the Log Event Listener Plugin Registration tab. To view the updated configuration, click Refresh. Deleting a Log Module You can delete unwanted log plug-in modules using the CMS window. Before deleting a module, be sure to delete all the listeners that are based on this module; see “Step 3.
  • Page 794 Managing Log Modules Netscape Certificate Management System Installation and Setup Guide • October 2001...
  • Page 795: Part 4 Issuing And Managing Certificates

    Part 4 Issuing and Managing Certificates Chapter 24, “Issuing and Managing Server Certificates” Chapter 25, “Setting Up CEP Enrollment”...
  • Page 796 Netscape Certificate Management System Installation and Setup Guide • October 2001...
  • Page 797: Chapter 24 Issuing And Managing Server Certificates

    Chapter 24 Issuing and Managing Server Certificates This chapter explains how you can use Netscape Certificate Management System (CMS) to issue and manage SSL server certificates. The chapter has the following sections: • Certificate Issuance to Servers (page 797) • Getting Server SSL Certificates for Netscape Servers (page 800) •...
  • Page 798: How The Manual Server Enrollment Process Works

    Certificate Issuance to Servers Once an administrator generates a CSR for a server, he or she must paste it into the appropriate server enrollment form hosted by a Registration Manager or Certificate Manager, and then submit the request. Upon receipt of the request, Certificate Management System responds as follows: Verifies the validity and authenticity of the request.
  • Page 799 Certificate Issuance to Servers Figure 24-1 Server (or site) certificate issuance These are the steps shown in Figure 24-1: The server administrator goes to the manual enrollment form hosted by the Registration Manager, pastes in the certificate signing request in PKCS #10 format, completes the other information in the enrollment form, and submits the form.
  • Page 800: Getting Server Ssl Certificates For Netscape Servers

    Getting Server SSL Certificates for Netscape Servers If the request passes Certificate Manager’s policy, it signs the request immediately and returns the certificate to the Registration Manager. The Registration Manager then delivers the certificate to the administrator. Optionally, the Certificate Manager may publish the certificate to the corporate directory.
  • Page 801: Step 1. Generate The Server Certificate Request

    Getting Server SSL Certificates for Netscape Servers • Step 2. Submit the Server Certificate Request • Step 3. Install Your Server’s SSL Certificate • Step 4. Accept a CA as Trusted in Your Server • Step 5. Verify Your Server’s SSL and CA Certificates Step 1.
  • Page 802: Step 2. Submit The Server Certificate Request

    Getting Server SSL Certificates for Netscape Servers Step 2. Submit the Server Certificate Request To submit the server certificate request to Certificate Management System: Open a web browser. Go to the server enrollment form (the page that allows you to submit a server certificate request).
  • Page 803: Step 3. Install Your Server's Ssl Certificate

    Getting Server SSL Certificates for Netscape Servers Step 3. Install Your Server’s SSL Certificate To install the server SSL certificate on your server: Open a web browser window. Go to the Administration Server, and use the Server Selector to access the Server Manager for your server.
  • Page 804 Getting Server SSL Certificates for Netscape Servers Specify how you want Certificate Management System to display the certificate chain. You can choose to display the entire certificate chain (in a single block) or individual certificates in the chain. The entire certificate chain is in PKCS #7 format.
  • Page 805: Step 5. Verify Your Server's Ssl And Ca Certificates

    Getting Server SSL Certificates for Netscape Servers Step 5. Verify Your Server’s SSL and CA Certificates Before activating your server for SSL connections, you can verify whether you have installed your server's SSL and CA certificates correctly. Open a web browser window. Go to the Administration Server, and use the Server Selector to access the Server Manager for your server.
  • Page 806 Getting Server SSL Certificates for Netscape Servers To CA’s email address. This option allows you to send the CSR to the CA administrator’s email address. The administrator will then be required to submit the request to the CA by pasting the CSR in the CA’s server enrollment form.
  • Page 807: Renewal Of Server Certificates

    Renewal of Server Certificates Renewal of Server Certificates Every certificate issued by Certificate Management System has a validity period that determines its expiration date. The validity period of a certificate is determined by the validity constraints policy settings at the time the certificate was issued (see section “ValidityConstraints Plug-in Module”...
  • Page 808 Revocation of Server Certificates belonging to the end user. The end user can then select the certificate to be revoked or can revoke all certificates in the list. The end user can also specify additional details, such as the date of revocation and revocation reason for each certificate or for the list as a whole.
  • Page 809: Chapter 25 Setting Up Cep Enrollment

    Chapter 25 Setting Up CEP Enrollment Netscape Certificate Management System (CMS) can issue certificates to a wide variety of entities, such as web browsers, SSL-enabled servers, routers, virtual private network (VPN) clients, and so on. This chapter explains how you can configure Certificate Management System to issue router and VPN-client certificates.
  • Page 810: Cep Enrollment Using The Script

    CEP Enrollment Using the Script Note that Certificate Management System by default supports issuance of certificates to routers and VPN clients using the CEP-based enrollment. However, publishing of these certificates to an LDAP-compliant directory is not turned on by default because routers and VPN clients need to have access to an LDAP directory in order to fully support various functions, such as certificate and CRL retrieval.
  • Page 811: Setting Up Cep Enrollment Manually

    Setting up CEP Enrollment Manually The main menu shows up. CEPCONFIG This script can be used to configure any instance of CMS. Configuration tasks include the following: - Adding/removing CEP services You can configure different services, responding to different URLs in CMS.
  • Page 812: Step 1. Set Up The Directory For Publishing Certificates And Crls

    Setting up CEP Enrollment Manually If you want to publish to any other LDAP-compliant directory, read Chapter 19, “Setting Up LDAP Publishing.” To set up CEP enrollment manually, follow these steps: • Step 1. Set up the Directory for Publishing Certificates and CRLs •...
  • Page 813: Step 2. Configure The Certificate Manager For Publishing Certificates And Crls

    Setting up CEP Enrollment Manually • The Directory Server port—note the port number assigned to the configuration directory; it must be 389. If you installed Certificate Management System with the default choices, you may skip this step; the default port assigned to the configuration directory is 389.
  • Page 814 Setting up CEP Enrollment Manually • Stop the Certificate Manager and edit the configuration file to include the following lines:
      eeGateway.cep.cep1.appendDN=O=<BASE DN>
      eeGateway.cep.cep1.createEntry=true
      eeGateway.cep.cep1.entryObjectClass=cep
      eeGateway.cep.cep1.url=/cgi-bin/pkiclient.exe
    A description of each of the above parameters is provided in Table 25-1.
    Table 25-1 CEP service-related configuration parameters in the configuration file
    Parameter    Description
    appendDN     Specifies the DN component appended to the DN the router requests.
  • Page 815 Setting up CEP Enrollment Manually Table 25-1 CEP service-related configuration parameters in the configuration file (Continued)
    Parameter           Description
    entryObjectClass    Specifies the type of object to assign to the new entry. By default, this is cep, and should not be changed. Note that when createEntry=true, the Certificate Manager will attempt to create an entry for the user.
  • Page 816: Step 3. Set Up Automated Enrollment

    Setting up CEP Enrollment Manually Step 3. Set Up Automated Enrollment As a part of enrolling for a certificate (via CEP), a router administrator or VPN-client user needs to start the enrollment process, which in turn asks the user for information such as the following: •...
  • Page 817 Setting up CEP Enrollment Manually
      eeGateway.cep.cep1.authName=flatfile
      auths.instance.flatfile.fileName=<full_pathname_of_password_file>
      auths.instance.flatfile.authAttributes=pwd
      auths.instance.flatfile.keyAttributes=UNSTRUCTUREDNAME
      auths.instance.flatfile.pluginName=flatfilePlugin
      auths.instance.flatfile.deferOnFailure=false
      auths.impl.flatfilePlugin.class=com.netscape.certsrv.authentication.FlatFileAuth
    A description of each of the above listed parameters is provided in Table 25-2.
    Table 25-2 Configuration parameters defined in the FlatFileAuth plug-in
    Configuration parameter    Description
    authName                   Provides a reference to the authentication plug-in described in the auths.instance.* configuration parameters.
  • Page 818 Setting up CEP Enrollment Manually in the authentication-token file before it does any checking of the password, you must identify attributes that are unique in each router request. You do this by setting the keyAttributes parameter of the FlatFileAuth plug-in implementation to the list of attributes which will be unique in the CEP request.
  • Page 819 Setting up CEP Enrollment Manually There’s an added advantage in determining unique attributes, as it allows you to enforce a rule on the attributes that must be present in the CEP enrollment request. For example, if you would like to enforce that a particular router be assigned to an IP address and host name, you could set the keyAttributes parameter as follows:...
  • Page 820: Step 4. Set Up Multiple Cep Services

    Setting up CEP Enrollment Manually
      UNSTRUCTUREDNAME: router33.siroe.com
      UNSTRUCTUREDADDRESS: 101.22.33.125
      SERIALNUMBER: 233455
      pwd: 35pww3a
    Note that if you specify a DN for a CEP enrollee in the authentication file, the Certificate Manager replaces the subject name requested by that user (router or VPN client) with the one specified in the file.
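The following Python snippet is an added illustration, not CMS code, of how the FlatFileAuth lookup described above behaves: the entry is located by the keyAttributes first, the authAttributes (the password) are compared only afterwards, and a DN in the entry overrides the requested subject name. The line-oriented file layout, the blank-line entry separator, the DN attribute name and the sample entries are assumptions.

```python
"""Flat-file CEP authentication lookup modelled on the FlatFileAuth plug-in
(added example; not Netscape CMS code)."""
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample authentication file. Assumed layout: one
# "ATTRIBUTE: value" per line, entries separated by a blank line.
SAMPLE_AUTH_FILE = """\
UNSTRUCTUREDNAME: router33.siroe.com
UNSTRUCTUREDADDRESS: 101.22.33.125
SERIALNUMBER: 233455
pwd: 35pww3a

UNSTRUCTUREDNAME: router34.siroe.com
UNSTRUCTUREDADDRESS: 101.22.33.126
DN: CN=router34,OU=Routers,O=siroe.com
pwd: k9x2mq
"""

# Hypothetical attribute name carrying the subject-name override; the manual
# says a DN in the file replaces the requested subject but does not name the key.
DN_ATTRIBUTE = "DN"


def parse_auth_file(text: str) -> List[Dict[str, str]]:
    """Split the file into entries (dicts of attribute -> value)."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current[name.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def authenticate(
    request: Dict[str, str],
    entries: List[Dict[str, str]],
    key_attributes: List[str],
    auth_attributes: List[str],
) -> Tuple[bool, Optional[str]]:
    """Return (accepted, subject_dn_override).

    1. Find the entry whose key attributes all equal the request's values.
       Every key attribute must be present in both the entry and the request,
       so listing more keyAttributes also enforces that they are sent.
    2. Only then compare the auth attributes (the password), in constant time.
    3. If the matching entry carries a DN, return it so the caller can replace
       the subject name the enrollee requested.
    """
    match: Optional[Dict[str, str]] = None
    for entry in entries:
        if all(
            key in entry and key in request and entry[key] == request[key]
            for key in key_attributes
        ):
            match = entry
            break
    if match is None:
        return False, None

    password_ok = all(
        hmac.compare_digest(match.get(attr, ""), request.get(attr, ""))
        for attr in auth_attributes
    )
    if not password_ok:
        return False, None
    return True, match.get(DN_ATTRIBUTE)


if __name__ == "__main__":
    entries = parse_auth_file(SAMPLE_AUTH_FILE)
    req = {"UNSTRUCTUREDNAME": "router33.siroe.com",
           "UNSTRUCTUREDADDRESS": "101.22.33.199", "pwd": "35pww3a"}
    # Keyed on the name alone the request is accepted; requiring the
    # address as well rejects a router that turns up from a different IP.
    print(authenticate(req, entries, ["UNSTRUCTUREDNAME"], ["pwd"]))
    print(authenticate(req, entries,
                       ["UNSTRUCTUREDNAME", "UNSTRUCTUREDADDRESS"], ["pwd"]))
```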
  • Page 821: Certificate Issuance To Routers Or Vpn Clients

    Certificate Issuance to Routers or VPN Clients
      ## Router configuration
      eeGateway.cep.cep1.appendDN=O=*BASE_DN*
      eeGateway.cep.cep1.createEntry=true
      eeGateway.cep.cep1.entryObjectClass=cep
      eeGateway.cep.cep1.url=/cgi-bin/pkiclient.exe
      eeGateway.cep.cep1.authName=flatfile_router
      ## VPN configuration
      eeGateway.cep.cep2.url=/vpnenroll
      eeGateway.cep.cep2.authName=flatfile_VPN
      ## Router authentication parameters in the configuration file
      auths.instance.flatfile_router.fileName=<full_path_to_the_authentication_file>
      auths.instance.flatfile_router.authAttributes=pwd
      auths.instance.flatfile_router.keyAttributes=UNSTRUCTUREDNAME
      auths.instance.flatfile_router.pluginName=flatfile
      auths.instance.flatfile_router.deferOnFailure=true
      ## VPN authentication parameters in the configuration file
      auths.instance.flatfile_VPN.fileName=<full_path_to_the_authentication_file>...
  • Page 822: Step 1. Before You Begin

    Certificate Issuance to Routers or VPN Clients Step 1. Before You Begin • Decide whether you want to submit the certificate request for your router to the Certificate Manager (CA) directly or through a Registration Manager. • Open Netscape Console, and locate the CMS instance that corresponds to the subsystem of your interest.
  • Page 823: Step 2. Generate The Key Pair For The Router

    Certificate Issuance to Routers or VPN Clients Scroll down to the section that says “Certificate fingerprint.” • In your router documentation, locate the information specific to requesting certificates for routers. Check the signing algorithm, such as RSA or DSA, and key lengths, such as 512 and 1024, supported by the router.
  • Page 824: Step 3. Request The Ca's Certificate

    Certificate Issuance to Routers or VPN Clients Step 3. Request the CA’s Certificate In this part of the operation, you identify the CA to the router, thus enabling the router to authenticate the CA from which it will request the certificate. You also verify whether the router is talking to the right CA;...
  • Page 825: Example

    Certificate Issuance to Routers or VPN Clients This step depends on your CA’s configuration for router enrollment. If the CA to which the router submitted the request employs automatic enrollment (or authentication) for routers, the request will get processed by the CA.
  • Page 826 Certificate Issuance to Routers or VPN Clients
      router(ca-identity)#exit
      router(config)#crypto ca authenticate test-ca
      Certificate has the following attributes:
      Fingerprint: 24D34656 EB830C39 DD9E8179 0A4EBA98
      % Do you accept this certificate? [yes/no]: yes
      router(config)#crypto ca enroll test-ca
      % Start certificate enrollment ..
      % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate.
  • Page 827: Part 5 Appendix

    Part 5 Appendix Appendix A, “Certificate Download Specification”...
  • Page 828 Netscape Certificate Management System Installation and Setup Guide • October 2001...
  • Page 829: Appendix A Certificate Download Specification

    Appendix A Certificate Download Specification This appendix describes the data formats used by Netscape Communicator 4.x for installing certificates. It also describes how certificates are imported into different environments. • Data Formats (page 829) • Importing Certificate Chains (page 831) •...
  • Page 830: Text Formats

    Data Formats • PKCS #7 certificate chain This is a PKCS #7 object. The only significant field in the SignedData object is the certificates. In particular, the signature and the SignedData contents are ignored. In future versions of the software, the CRLs will also be used.
  • Page 831: Importing Certificate Chains

    Importing Certificate Chains Importing Certificate Chains Several of the supported formats can contain multiple certificates. When the Netscape certificate decoder encounters a collection of certificates, it handles them as follows: • The first certificate is processed in a context-specific manner, which varies according to how it is being imported.
  • Page 832: Importing Certificates Into Netscape Servers

    Importing Certificates into Netscape Servers If a certificate chain is being imported, the first certificate in the chain must be the CA certificate, and Communicator adds any subsequent certificates in the chain to the local database as untrusted CA certificates. •...
  • Page 833 Object Identifiers
      netscape-data-type OBJECT IDENTIFIER ::= { netscape 2 }
      netscape-cert-sequence OBJECT IDENTIFIER ::= { netscape-data-type 5 ...
    Appendix A Certificate Download Specification...
  • Page 834 Object Identifiers Netscape Certificate Management System Installation and Setup Guide • October 2001...
  • Page 835: Glossary

    Glossary access control The process of controlling who is allowed to do what. For example, access control to servers is typically based on an identity, established by a password or a certificate, and on rules regarding what that entity can do. See also access control list (ACL).
  • Page 836 authentication Confident identification; that is, assurance that a party to some computerized transaction is not an impostor. Authentication typically involves the use of a password, certificate, PIN, or other information that can be used to validate identity over a computer network. See also password-based authentication, certificate-based authentication, client authentication, server authentication.
  • Page 837 authority (CA). A certificate’s validity can be verified by checking the CA’s digital signature using the techniques of public-key cryptography. To be trusted within a public-key infrastructure (PKI), a certificate must be issued and signed by a CA that is trusted by other entities enrolled in the PKI. certificate authority (CA) A trusted entity that issues a certificate after verifying the identity of the person or entity the certificate is intended to identify.
  • Page 838 certificate fingerprint A one-way hash associated with a certificate. The number is not part of the certificate itself, but is produced by applying a hash function to the contents of the certificate. If the contents of the certificate changes, even by a single character, the same function produces a different number.
  • Page 839 chain of trust See certificate chain. chained CA See linked CA. cipher See cryptographic algorithm. client authentication The process of identifying a client to a server, for example, with a name and password or with a certificate and some digitally signed data. See certificate-based authentication, password-based authentication, server authentication.
  • Page 840 cryptographic algorithm A set of rules or directions used to perform cryptographic operations such as encryption and decryption. Cryptographic Message Syntax (CMS) The syntax used to digitally sign, digest, authenticate, or encrypt arbitrary messages, such as CMMF. cryptographic module See PKCS #11 module. cryptographic service provider (CSP) A cryptographic module that performs cryptographic services, such as key generation, key storage, and encryption, on...
  • Page 841 Data Recovery Manager transport certificate Certifies the public key used by an end entity to encrypt the entity’s encryption key for transport to the Data Recovery Manager. The Data Recovery Manager uses the private key corresponding to the certified public key to decrypt the end entity’s key before encrypting it with the Data Recovery Manager storage key.
  • Page 842 dual key pair Two public-private key pairs--four keys altogether--corresponding to two separate certificates. The private key of one pair is used for signing operations, and the public and private keys of the other pair are used for encryption and decryption operations. Each pair corresponds to a separate certificate.
  • Page 843 IP spoofing The forgery of client IP addresses. JAR file A digital envelope for a compressed collection of files organized according to the Java archive (JAR) format. Java archive (JAR) format A set of conventions for associating digital signatures, installer scripts, and other information with files in a directory. Java Cryptography Architecture (JCA) The API specification and reference developed by Sun Microsystems for cryptographic services.
  • Page 844 Lightweight Directory Access Protocol (LDAP) A directory service protocol designed to run over TCP/IP and across multiple platforms. LDAP is a simplified version of Directory Access Protocol (DAP), used to access X.500 directories. LDAP is under IETF change control and has evolved to meet Internet requirements. linked CA An internally deployed certificate authority (CA) whose certificate is signed by a public, third-party CA.
  • Page 845 Netscape Security Services (NSS) A set of libraries designed to support cross-platform development of security-enabled communications applications. Applications built using the NSS libraries support the Secure Sockets Layer (SSL) protocol for authentication, tamper detection, and encryption, and the PKCS #11 protocol for cryptographic token interfaces.
  • Page 846 conceptual slots in software. Each slot for a PKCS #11 module can in turn contain a token, which is the hardware or software device that actually provides cryptographic services and optionally stores certificates and keys. Netscape provides a built-in PKCS #11 module with Certificate Management System. PKCS #12 The public-key cryptography standard that governs key portability.
  • Page 847 Registration Manager An optional, independent CMS subsystem that performs tasks involving end entities, such as enrollment or renewal, on behalf of a Certificate Manager. The Registration Manager can be configured to process requests and approve them either manually (that is, with the aid of a human being) or automatically (based entirely on customizable policies and procedures).
  • Page 848 servlet Java code that handles a particular kind of interaction with end entities on behalf of a CMS manager. For example, certificate enrollment, renewal, revocation, and key recovery requests are each handled by separate servlets. SHA-1 Secure Hash Algorithm, a hash function used by the US Government. signature algorithm A cryptographic algorithm used to create digital signatures.
  • Page 849 spoofing The act of pretending to be someone else. For example, a person can pretend to have the email address jdoe@siroe.com, or a computer can identify itself as a site called www.netscape.com when it is not. Spoofing is one form of impersonation.
  • Page 850 Netscape Certificate Management System Installation and Setup Guide • October 2001...
  • Page 851: Index
