Step C. Customize The Certificate Enrollment Form - Netscape MANAGEMENT SYSTEM 4.5 Installation And Setup Manual


Otherwise, follow the instructions in "Setting Up Trusted Managers" on page 413
and set up the enrollment authority as a trusted front end to the Data Recovery
Manager.

Step C. Customize the Certificate Enrollment Form

For the enrollment authority to automatically initiate the key archival process at
the time key pairs are generated, a certificate request must include the following
information:
• The key archival option—this must be included in the certificate enrollment
  form that your users use to request certificates.
• The Data Recovery Manager's transport certificate—this must also be included
  in the certificate enrollment form. The Data Recovery Manager uses it to
  encrypt the user's encryption private key with the public key in the transport
  certificate before sending the user's key to its key repository. For information
  about the key repository, see "Where the Keys are Stored" on page 738.
  Make sure that the transport certificate, in its base-64 encoded format, is
  embedded in the form. Otherwise, the Data Recovery Manager will fail to
  archive users' keys.
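
The requirement above, that the transport certificate be embedded in the form in its base-64 encoded format, can be checked before a form is deployed. The following is an added example, not code from the manual or from Certificate Management System: it runs under Node.js, assumes the form holds the certificate in a JavaScript string variable named `transportCert` (a hypothetical name), and uses a constructed DER-shaped blob in place of a real certificate.

```javascript
// Added example (not from the manual): checks that an enrollment form embeds
// the complete transport certificate. `transportCert` is an assumed name.

// Strip PEM armor and whitespace so only the base-64 body remains.
function normalizeB64(text) {
  return text.replace(/-----(BEGIN|END) CERTIFICATE-----/g, '').replace(/\s+/g, '');
}

// Pull the string literal assigned to the (hypothetical) form variable.
function extractEmbeddedCert(html, varName = 'transportCert') {
  const m = html.match(new RegExp(varName + '\\s*=\\s*"([^"]*)"'));
  return m ? normalizeB64(m[1]) : null;
}

// A certificate is a single DER SEQUENCE whose length header spans the blob.
function isCompleteDer(buf) {
  if (buf.length < 2 || buf[0] !== 0x30) return false;
  let len = buf[1], off = 2;
  if (len & 0x80) {
    const n = len & 0x7f;
    if (n === 0 || n > 4 || buf.length < 2 + n) return false;
    len = buf.readUIntBE(2, n);
    off = 2 + n;
  }
  return off + len === buf.length;
}

function checkForm(html, drmCertText) {
  const embedded = extractEmbeddedCert(html);
  if (!embedded) return { ok: false, reason: 'no transport certificate in form' };
  if (embedded.length % 4 !== 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(embedded))
    return { ok: false, reason: 'embedded value is not valid base-64' };
  const der = Buffer.from(embedded, 'base64');
  if (!isCompleteDer(der)) return { ok: false, reason: 'truncated or malformed DER' };
  if (!der.equals(Buffer.from(normalizeB64(drmCertText), 'base64')))
    return { ok: false, reason: 'differs from DRM transport certificate' };
  return { ok: true, bytes: der.length };
}

// Constructed sample: a 260-byte DER-shaped blob, not a real certificate.
const sampleDer = Buffer.concat([Buffer.from([0x30, 0x82, 0x01, 0x00]), Buffer.alloc(256, 0xab)]);
const sampleB64 = sampleDer.toString('base64');
const goodForm = `<script>var transportCert = "${sampleB64}";</script>`;
const cutForm = `<script>var transportCert = "${sampleB64.slice(0, 200)}";</script>`;
console.log(checkForm(goodForm, sampleB64)); // complete and matching
console.log(checkForm(cutForm, sampleB64));  // truncated paste
```

The second argument accepts either the bare base-64 body or a PEM-armored export of the Data Recovery Manager's transport certificate.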
All the end user enrollment forms provided by Certificate Management
System—for example, the directory-based enrollment form
(DirUserEnroll.html), directory- and PIN-based enrollment form
(DirPinUserEnroll.html), and manual enrollment form
(ManUserEnroll.html)—contain the necessary JavaScript code for initiating the
key archival process. If you are using any of these forms for end-user enrollment,
make sure to update the generateCRMFRequest() JavaScript method. If you plan
to use custom enrollment forms for users, be sure to include the required JavaScript
code in those forms.

Figure 22-3 shows the default directory-based enrollment form with the
information related to the generateCRMFRequest() JavaScript method
highlighted. Note that the JavaScript method includes parameters for specifying
various things. You are required to update the following information only:
• The Data Recovery Manager's transport certificate.
• The algorithm, length, type, and usage for end users' key pairs. When you
  update this information, the key archival option is automatically set. For
  information on specifying the key type, length, and algorithm, see
  generateCRMFRequest() in Javascript API for Client Certificate Management.
  This document is located where you extracted Personal Security Manager files
  after downloading it from the web site.

Chapter 22 Configuring Key Archival and Recovery Process
Setting Up Key Archival and Recovery 753
