Plug-Ins Guide
Netscape Certificate Management System
Version 6.01
May 2002


Summary of Contents for Netscape Certificate Management System 6.01 Plug-Ins Guide

  • Page 1 Plug-Ins Guide Netscape Certificate Management System Version 6.01 May 2002...
  • Page 2 Netscape Communications Corporation ("Netscape") and its licensors retain all ownership rights to the software programs offered by Netscape (referred to herein as "Software") and related documentation. Use of the Software and related documentation is governed by the license agreement for the Software and applicable copyright law. Your right to copy this documentation is limited by copyright law.
  • Page 3: Table Of Contents

    Contents: About This Guide ............. 11, What’s in This Guide ...
  • Page 4 Configuration Parameters of RequestInQJob .......... 70, UnpublishExpiredJob Plug-in Module ...
  • Page 5 UniqueSubjectNameConstraints Plug-in Module .......... 117, Configuration Parameters of UniqueSubjectNameConstraints ...
  • Page 6 ObjSignCertKeyUsageExt Rule ............ 198, CRLSignCertKeyUsageExt ...
  • Page 7 LdapSimpleMap Plug-in Module ............ 261, Configuration Parameters of LdapSimpleMap ...
  • Page 8 NTSystem Event Listener ............ 307, Appendix A Distinguished Names ...
  • Page 9 subjectDirectoryAttributes ............ 356, subjectKeyIdentifier ...
  • Page 10 Netscape Certificate Management System Plug-Ins Guide • May 2002...
  • Page 11: About This Guide

    About This Guide The Plug-Ins Guide provides reference information about all the plug-in modules provided with Netscape Certificate Management System (CMS). Plug-in modules help you configure and customize Certificate Management System, and use it for issuing and managing certificates to various end entities, such as web browsers (users), servers, Virtual Private Network (VPN) clients, and Cisco™...
  • Page 12 What’s in This Guide • Chapter 2, “Job Plug-in Modules” Describes the plug-in modules that enable you to automate certain certificate-related tasks—such as notifying agents when a request gets queued, notifying users before their certificates expire, and removing expired certificates from the directory—to ease administration overheads.
  • Page 13: What You Should Already Know

    What You Should Already Know This guide is intended for experienced system administrators who are planning to deploy Certificate Management System. CMS agents should refer to the CMS Agent’s Guide for information on how to perform agent tasks, such as handling certificate requests and revoking certificates.
  • Page 14: Conventions Used In This Guide

    Conventions Used in This Guide The following conventions are used in this guide: • Monospaced font—This typeface is used for any text that appears on the computer screen or text that you should type. It’s also used for filenames, functions, and examples.
  • Page 15: Where To Go For Related Information

    Where to Go for Related Information • /—A slash is used to separate directories in a path. If you use the Windows NT operating system, you should replace / with \ in paths. Example: Except for the Security Module Database Tool, you can find all the other command-line utilities at this location: <server_root>/bin/cert/tools •...
  • Page 16 Where to Go for Related Information • CMS Plug-Ins Guide (this guide) Provides detailed reference information on CMS plug-ins. To access this information from the CMS window within Netscape Console, click any help button. To view the HTML version of this guide, open this file: <server_root>/manual/en/cert/plugin_guide/contents.htm •...
  • Page 17: Chapter 1 Authentication Plug-In Modules

    Chapter 1 Authentication Plug-in Modules Netscape Certificate Management System (CMS) provides a set of authentication plug-in modules that enable you to configure a Certificate Manager or Registration Manager to authenticate end users, based on specified criteria, when they enroll for a certificate.
  • Page 18: Overview Of Authentication Modules

    Overview of Authentication Modules Certificate Management System supports both manual and automated certificate issuance. • In the manual method of certificate issuance, end entities supply most of the information required by the server to formulate certificate requests and issue certificates.
  • Page 19 Overview of Authentication Modules Table 1-1 lists the authentication modules provided for the Certificate Manager and Registration Manager; no authentication modules are provided for the Data Recovery Manager as it does not function as an enrollment authority in a PKI. You can use these modules to configure a Certificate Manager and Registration Manager to employ a specific authentication method during certificate enrollments.
  • Page 20 Overview of Authentication Modules If you don’t have a directory deployed, you may use the Netscape Directory Server instance created at the time of CMS installation; in the documentation, this instance is identified as the Configuration Directory. For a demonstration on how to use this directory for issuing certificates to end users, see Chapter 3, “Default Demo Installation”...
  • Page 21: Manual Authentication

    Manual Authentication Manual authentication refers to operations which must be approved by a CMS agent, where no automated operation is possible. That is, a real person must log in to approve or reject a request. By default, Certificate Management System provides manual-enrollment forms that enable you to request many types of certificates from the server.
  • Page 22: Uidpwddirauth Plug-In Module

    UidPwdDirAuth Plug-in Module These are the steps shown in Figure 1-2: In the manual enrollment form, the end entity enters the information needed to request a certificate and submits the request to the server. When the server receives the request, it automatically lists the request in a certificate request queue for an agent to process.
  • Page 23 UidPwdDirAuth Plug-in Module directory in an HTML form that is served by a Certificate Manager or Registration Manager (see “Enrollment Forms” on page 53). Once the server successfully authenticates an end user, it retrieves the rest of the information required to formulate the certificate from the directory.
  • Page 24: Configuration Parameters Of Uidpwddirauth

    UidPwdDirAuth Plug-in Module If the end user has a valid entry in the directory, the server retrieves all the information required to construct the subject name for the user’s certificate. If, for some reason, the directory to which the server binds for authenticating the user ID and password is unavailable, the server returns an LDAP error code and writes it to the log.
  • Page 25 UidPwdDirAuth Plug-in Module Figure 1-4 Parameters defined in the UidPwdDirAuth module. Table 1-2 gives details about each of these parameters and their values. Chapter 1 Authentication Plug-in Modules...
  • Page 26 UidPwdDirAuth Plug-in Module Table 1-2 Description of parameters defined in the UidPwdDirAuth module. dnpattern: Specifies a string representing a subject name pattern to formulate from the directory attributes and entry DN. Permissible values: Any valid DN string composed from standard DN attributes, which must be separated by commas;...
  • Page 27 UidPwdDirAuth Plug-in Module Table 1-2 Description of parameters defined in the UidPwdDirAuth module (Continued). ldapByteAttributes: Specifies the list of LDAP byte (binary) attributes that should be considered authentic for the end entity. If specified, the values corresponding to these attributes will be copied from the authentication directory into the authentication token for use by other modules—that is, values retrieved from this parameter can be used by policy modules to make certain policy decisions...
  • Page 28: Uidpwdpindirauth Plug-In Module

    UidPwdPinDirAuth Plug-in Module Table 1-2 Description of parameters defined in the UidPwdDirAuth module (Continued). ldap.ldapconn.version: Specifies the LDAP protocol version. Permissible values: 2 or 3. • 2 specifies LDAP version 2. If your authentication directory is based on Netscape Directory Server 1.x, choose 2.
  • Page 29: Configuration Parameters Of Uidpwdpindirauth

    UidPwdPinDirAuth Plug-in Module Here’s how the enrollment method works: as a part of setting up a Certificate Manager or a Registration Manager, or both for end-user authentication, you specify the LDAP directory that the server must use to authenticate end users. End users enroll for a certificate by entering their user IDs, passwords, and PINs in an HTML form that is served by the Certificate Manager or Registration Manager (see “Enrollment Forms”...
  • Page 30 UidPwdPinDirAuth Plug-in Module Figure 1-5 Parameters defined in the UidPwdPinDirAuth module. Table 1-3 gives details about each of these parameters. Table 1-3 Description of parameters defined in the UidPwdPinDirAuth module. removePin: Specifies whether to remove PINs from the authentication directory (after end users successfully authenticate).
  • Page 31 UidPwdPinDirAuth Plug-in Module Table 1-3 Description of parameters defined in the UidPwdPinDirAuth module (Continued). pinAttr: Specifies the authentication directory attribute for PINs. If you used the PIN Generator utility (provided with Certificate Management System), the attribute is specified by the value of the objectclass parameter; the default value for this parameter is pin.
  • Page 32 UidPwdPinDirAuth Plug-in Module Table 1-3 Description of parameters defined in the UidPwdPinDirAuth module (Continued). ldapStringAttributes: Specifies the list of LDAP string attributes that should be considered authentic for the end entity. If specified, the values corresponding to these attributes will be copied from the authentication directory into the authentication token—that is, values retrieved from this parameter can be used by policy modules to formulate subject names for certificates or to make other policy...
  • Page 33 UidPwdPinDirAuth Plug-in Module Table 1-3 Description of parameters defined in the UidPwdPinDirAuth module (Continued). ldap.ldapconn.secureConn: Specifies the type—SSL or non-SSL—of the port at which the authentication directory listens to requests from Certificate Management System. • Check the box if the port is an SSL (HTTPS) port. If your authentication directory is configured for SSL-enabled communication (with or without SSL client authentication), choose this option.
  • Page 34 UidPwdPinDirAuth Plug-in Module Table 1-3 Description of parameters defined in the UidPwdPinDirAuth module (Continued). ldap.ldapauth.clientCertNickname: Specifies the nickname or the friendly name of the certificate to be used for SSL client authentication to the authentication directory in order to remove PINs.
  • Page 35: Nisauth Plug-In Module

    NISAuth Plug-in Module Table 1-3 Description of parameters defined in the UidPwdPinDirAuth module (Continued). ldap.maxConns: Specifies the maximum number of connections permitted to the authentication directory. Permissible values: 3 to 10. Example: 9. NISAuth Plug-in Module The NISAuth module implements NIS server-based authentication. You can use the NISAuth module for authenticating unprivileged users in the NIS domain during certificate enrollment.
  • Page 36 NISAuth Plug-in Module Figure 1-6 NIS server-based authentication of an end user. These are the steps shown in Figure 1-6: In the NIS server-based certificate enrollment form, the end user enters his or her user ID and password for the NIS server and submits the request to a Certificate Manager or Registration Manager.
  • Page 37: Configuration Parameters Of Nisauth

    NISAuth Plug-in Module If the end user does not have a valid entry in the NIS server, the Certificate Manager or Registration Manager rejects the request, logs an error message, and sends a rejection notification to the user. If the end user has a valid entry in the NIS server, the Certificate Manager or Registration Manager checks to see if any LDAP directory has been configured for retrieving attributes for constructing the certificate subject name.
  • Page 38 NISAuth Plug-in Module Figure 1-7 Parameters defined in the NISAuth module. Table 1-4 gives details about each of these parameters and their values. Table 1-4 Description of parameters defined in the NISAuth module. nisserver: Specifies the NIS server name. (In Unix, use the ypwhich command to find the NIS server name.) Permissible values: A valid server name.
  • Page 39 NISAuth Plug-in Module Table 1-4 Description of parameters defined in the NISAuth module (Continued). dnpattern: Specifies a string representing a subject name pattern to formulate from the directory attributes and entry DN. Permissible values: Any valid DN string composed from standard DN attributes, which must be separated by commas;...
  • Page 40 NISAuth Plug-in Module Table 1-4 Description of parameters defined in the NISAuth module (Continued). ldapStringAttributes: Specifies the list of LDAP string attributes that should be considered authentic for the end entity. If specified, the values corresponding to these attributes will be copied from the authentication directory into the authentication token—that is, values retrieved from this parameter can be used by policy modules to formulate subject names for certificates or to make other policy...
  • Page 41 NISAuth Plug-in Module Table 1-4 Description of parameters defined in the NISAuth module (Continued). ldap.ldapconn.secureConn: Specifies the type—SSL or non-SSL—of the port at which the LDAP directory listens to requests from Certificate Management System. Permissible values: true or false. •...
  • Page 42: Portalenroll Plug-In Module

    PortalEnroll Plug-in Module The PortalEnroll module implements portal enrollment. This module enables you to issue certificates and create directory entries for users who do not yet have an entry in the directory. For example, if your company runs a portal service, such as Netscape Netcenter, you can use the PortalEnroll module to issue...
  • Page 43 PortalEnroll Plug-in Module assume you have an extranet deployed for your partners. You have no prior knowledge of people who will register as your partners, but you want them to register and you want to trust the information they provide during registration.
  • Page 44 PortalEnroll Plug-in Module Figure 1-8 Portal authentication of an end user. These are the steps shown in Figure 1-8: In the portal enrollment form, the end user enters registration information, such as a user name or ID, password, first name, last name, and mailing address, and submits the request to the server.
  • Page 45: Configuration Parameters Of Portalauth

    PortalEnroll Plug-in Module If the server fails to find a matching user name in the directory, it uses the registration information to create a user entry for the new user and add relevant attributes. The server also retrieves information required to construct the subject name for the certificate.
  • Page 46 PortalEnroll Plug-in Module Figure 1-9 Parameters defined in the PortalEnroll module. Table 1-5 gives details about each of these parameters and their values.
  • Page 47 PortalEnroll Plug-in Module Table 1-5 Description of parameters defined in the PortalEnroll module. dnpattern: Specifies a string representing a subject name pattern to formulate from the directory attributes and entry DN. Permissible values: Any valid DN string composed from standard DN attributes, which must be separated by commas;...
  • Page 48 PortalEnroll Plug-in Module Table 1-5 Description of parameters defined in the PortalEnroll module (Continued). ldap.ldapconn.secureConn: Specifies the type—SSL or non-SSL—of the port at which the portal directory listens to requests from Certificate Management System. • Check the box if the port is an SSL (HTTPS) port. If your portal directory is configured for SSL-enabled communication (with or without SSL client authentication), choose this option.
  • Page 49 PortalEnroll Plug-in Module Table 1-5 Description of parameters defined in the PortalEnroll module (Continued). ldap.ldapauth.authtype: Specifies the authentication type—basic authentication or SSL client authentication—required to communicate with the portal directory. Permissible values: BasicAuth or SslClientAuth. • BasicAuth specifies basic authentication. If you choose this option, be sure to enter the correct values for the ldap.ldapauth.bindDN and password parameters;...
  • Page 50: Certificate-Based Enrollment

    Certificate-Based Enrollment Certificate Management System supports certificate-based enrollment for browser certificates. End users can use preissued certificates to authenticate to the server in order to enroll for certificates. Below are two deployment scenarios that explain the usefulness of certificate-based enrollment. •...
  • Page 51 Certificate-Based Enrollment To enable you to configure Certificate Management System for certificate-based enrollment, the following three enrollment forms are provided: • CertBasedDualEnroll.html—this form enables end users to request dual certificates—one for signing, another for encryption—by submitting pre-issued certificates as authentication tokens; when a user enrolls for a certificate, the server verifies the CA that has issued the certificate the user uses for authentication, uses the configured directory to formulate subject names for the new certificates, and issues the certificates.
  • Page 52 Certificate-Based Enrollment • doSslAuth—this variable specifies whether the server should request the client for SSL client authentication. You must set the value of this parameter to and make sure that the port number specified in the authentication instance is an SSL port.
  • Page 53: Enrollment Forms

    Enrollment Forms General guidelines to set up certificate-based enrollment (for dual certificates) are as follows: • On the server side you need to do the following: Customize the enrollment form you want your users to use for enrollment. Enable the appropriate enrollment option, such as directory-based enrollment or NIS server-based enrollment.
  • Page 54 Enrollment Forms enrollment for end users requires them to enter information such as name, email ID, department, organization, and the state and the country in which the organization is located, and submit the request for a personal certificate. Manual enrollment for server certificates requires the server administrator to paste the certificate signing request (in the PKCS#10 format) from the server into the specified area in the enrollment form;...
  • Page 55 Enrollment Forms Figure 1-10 End Entity Services interface of a Certificate Manager. Table 1-6 lists the forms that correspond to the menu options in the Enrollment tab of the End Entity Services interface of the Certificate Manager and Registration Manager. Table 1-6 Default forms for end-entity enrollment. Menu link and form filename...
  • Page 56 Enrollment Forms Table 1-6 Default forms for end-entity enrollment (Continued). Directory and PIN (DirPinUserEnroll.html): This form works with the UidPwdPinDirAuth module, enabling end users to request SSL client and S/MIME certificates by entering their user IDs, passwords, and PINs for the configured directory;...
  • Page 57 Enrollment Forms Table 1-6 Default forms for end-entity enrollment (Continued). Registration Manager (ManRAEnroll.html): Registration Manager administrators can use this form to request a signing certificate for a Registration Manager; see section “Signing Key Pair and Certificate” in Chapter 14, “Managing CMS Keys and Certificates”...
  • Page 58: Customizing Enrollment Forms For Generating Dsa Key Pairs

    Enrollment Forms Customizing Enrollment Forms for Generating DSA Key Pairs Netscape Communicator (version 4.x and later) can successfully obtain and use DSA client certificates for SSL client authentication. These versions of Communicator can also recognize the signature on SSL certificates signed by a DSA CA.
  • Page 59: Generating Files Required By Third-Party Object Signing Tools

    Enrollment Forms Search for the KEYGEN tag. Insert the cursor at the end of the word KEYGEN, add a space after the word KEYGEN, and type the following: keytype="DSA" PQG= Paste the value of the DSSParms entry following the equal to (=) sign and enclose the value you pasted in double quotes (...
  • Page 60 Enrollment Forms To generate the private-key file: Go to this directory: <server_root>/cert-<instance_id>/web-apps/ee. Locate the file named ManObjSignEnroll.html and open it in an editor. Search for this line: Enroll.GenKeyFlags = 1 ' key exportable. Type the following line below it: Enroll.PVKFilename = "<pvk_file_path>". Your changes should look like this: Enroll.GenKeyFlags = 1 ' key exportable...
  • Page 61 Enrollment Forms Scroll down the page (that shows the certificate information in detail) to find the certificate in base-64 encoded format. It looks like this: -----BEGIN CERTIFICATE----- MIICJzCCAZCgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBCMSAwHgYDVQQKExdOZXRzY2FwZSBD b21tdW5pY2F0aW9uczngjhnMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyNzE5MDw MFoXDTk5MDIyMzE5MDAwMnbjdgngYoxIDAeBgNVBAoTF05ldHNjYXBlIENvbW11bmljYXRpb 25zMQ8wDQYDVQQLEwZQZW9wbGUxFzAVBgoJkiaJkIsZAEBEwdzdXByaXlhMRcwFQYDVQQDw5 TdXByaXlhIFNoZXR0eTEjMCEGCSqGSIb3DbndgJA -----END CERTIFICATE----- Create an ASCII file named cert.b64. Copy and paste the base-64 encoded certificate blob, including the marker lines, to the file.
  • Page 63: Chapter 2 Job Plug-In Modules

    Chapter 2 Job Plug-in Modules Netscape Certificate Management System (CMS) includes a component called Job Scheduler that can execute specific jobs at specified times. The job scheduler functions similarly to a traditional Unix cron daemon in that it takes registered cron jobs and executes them at a preconfigured date and time.
  • Page 64 Overview of Job Plug-in Modules Figure 2-1 Default job modules for the Certificate Manager. Table 2-1 lists these modules. Table 2-1 Schedulable job plug-in modules for Certificate Manager and Registration Manager. RenewalNotificationJob: A schedulable job that notifies end entities by email that their certificates are about to expire and must be renewed, and optionally sends a summary of these notices to agents.
  • Page 65: Renewalnotificationjob Plug-In Module

    RenewalNotificationJob Plug-in Module Jobs are implemented as Java classes, which are then registered with Certificate Management System as plug-in modules. You can use a given implementation of a job module and configure multiple instances of it. Each instance must have a unique name (an alphanumeric string with no spaces) and can contain different input parameter values to apply to different jobs.
  • Page 66: Configuration Parameters Of Renewalnotificationjob

    RenewalNotificationJob Plug-in Module For each instance of the RenewalNotificationJob class, you can configure the following: • The schedule of times when the job will be run; see “Schedule for Executing Jobs” on page 76. • How long before expiration the first notification will be sent. •...
  • Page 67 RenewalNotificationJob Plug-in Module Figure 2-2 Parameters defined in the RenewalNotificationJob module. Table 2-2 gives details about each of these parameters. Table 2-2 Description of parameters defined in the RenewalNotificationJob module. enabled: Specifies whether the job is enabled or disabled. Check the box to enable the job.
  • Page 68 RenewalNotificationJob Plug-in Module Table 2-2 Description of parameters defined in the RenewalNotificationJob module (Continued). notifyTriggerOffset: Specifies how long (in days) before certificate expiration the first notification will be sent. Permissible values: As applicable. Example: 30. notifyEndOffset: Specifies how long (in days) after the certificate expires notifications will continue to be sent, if the certificate is not renewed.
  • Page 69: Requestinqjob Plug-In Module

    RequestInQJob Plug-in Module Table 2-2 Description of parameters defined in the RenewalNotificationJob module (Continued). summary.emailSubject: Specifies the subject line of the summary message. Permissible values: An alphanumeric string of up to 255 characters. Example: Certificate Renewal Notification Summary. Specifies the path, including the filename, to the directory that contains the summary.
  • Page 70: Configuration Parameters Of Requestinqjob

    RequestInQJob Plug-in Module You can configure the path and filename of the template file for each job and modify the templates to customize the contents and appearance of the messages. Messages can be sent as HTML or plain text. For each instance of the RequestInQJob class, you can configure the following: •...
  • Page 71 RequestInQJob Plug-in Module Figure 2-3 Parameters defined in the RequestInQJob module. Table 2-3 gives details for each of these parameters. Table 2-3 Description of parameters defined in the RequestInQJob module. enabled: Specifies whether the job is enabled or disabled. Check the box to enable the job.
  • Page 72: Unpublishexpiredjob Plug-In Module

    UnpublishExpiredJob Plug-in Module Table 2-3 Description of parameters defined in the RequestInQJob module (Continued). summary.enabled: Specifies whether a summary of the job accomplished should be compiled and sent. Check the box if you want the server to compose and send a summary report.
  • Page 73 UnpublishExpiredJob Plug-in Module been updated, the job can collect a summary report of the certificates that have been removed and send it to people who need to have this information. Typically, you would want to send this notification to certificate issuing agents or the administrator of the publishing directory.
  • Page 74: Configuration Parameters Of Unpublishexpiredjob

    UnpublishExpiredJob Plug-in Module Note that the job automates removal of expired certificates from the directory. You can also remove expired certificates manually following the instructions outlined in section “Manually Updating Certificates and CRLs in a Directory” in Chapter 19, “Setting Up LDAP Publishing” of CMS Installation and Setup Guide. Configuration Parameters of UnpublishExpiredJob In the CMS configuration file, the...
  • Page 75 UnpublishExpiredJob Plug-in Module Table 2-4 Description of parameters defined in the UnpublishExpiredJob module. enabled: Specifies whether the job is enabled or disabled. Check the box to enable the job. Uncheck the box to disable the job. If you enable the job and set the remaining parameters correctly, the server runs the job at scheduled intervals.
  • Page 76: Schedule For Executing Jobs

    UnpublishExpiredJob Plug-in Module Table 2-4 Description of parameters defined in the UnpublishExpiredJob module (Continued). summary.recipientEmail: Specifies the recipients of the summary message. These can be, for example, agents who need to know the status of user certificates. Permissible values: Complete email addresses, separated by commas.
  • Page 77: Customizing Notification Messages

    Customizing Notification Messages The day-of-month and day-of-week fields can contain a comma-separated list of values to specify more than one day. If both day fields are specified, the specification is inclusive; that is, the day of the month is not required to fall on the day of the week to be valid.
  • Page 78 Customizing Notification Messages Table 2-6 Default templates for summary notifications. Templates for the UnpublishExpiredJob module: ExpiredUnpublishJob: Template for formulating the summary report or table that summarizes removal of expired certificates from the directory. ExpiredUnpublishJobItem: Template for formatting the items to be included in the summary table, which is constructed using the ExpiredUnpublishJob template.
  • Page 79: Customizing Message Templates

    Customizing Notification Messages Customizing Message Templates You can modify the templates to customize the contents and appearance of messages. The message body can contain HTML or plain text. In the body of the message, you can use tokens or keywords as variables. A token is indicated by the dollar character ($) and is replaced by its current variable value in the constructed message.
  • Page 80 Customizing Notification Messages Table 2-7 lists the tokens that you can use for formulating this job’s summary report. You can customize the content and format of the items in the report by using the tokens defined in Table 2-8. Table 2-7 Tokens for the renewal-notification job’s summary report Token Description...
  • Page 81: Tokens For Request In Queue Notification Messages

    Customizing Notification Messages Table 2-8 Tokens for items in renewal-notification job’s summary report (Continued). $RequestorEmail: Specifies the requestor’s email address. $RequestType: Specifies the request type—whether it is a certificate enrollment, certificate renewal, certificate revocation, key archival, or key recovery request. Specifies the serial number of the certificate;...
  • Page 82 Customizing Notification Messages Table 2-10 Tokens for the unpublish-expired job’s summary report. $InstanceID: Specifies the name of the job instance that generated this summary report. $ExecutionTime: Specifies the time the job (instance) was run. $SummaryItemList: Specifies the list of items in the summary notification. Each item corresponds to a certificate the job detects for removal from the publishing directory.
  • Page 83: Chapter 3 Constraints Policy Plug-In Modules

    Chapter 3 Constraints Policy Plug-in Modules You can configure Netscape Certificate Management System (CMS) to apply certain organizational policies to an end entity’s certificate enrollment, renewal, and revocation requests before servicing them. For example, some of the policies you might want Certificate Management System to apply to these requests may include setting a minimum and maximum limit on validity period and key length of certificates, setting extensions based on the end entity’s role within an organization, setting signing algorithms, and so on.
  • Page 84: Overview Of Constraints-Specific Policy Modules

    Overview of Constraints-Specific Policy Modules • RevocationConstraints Plug-in Module (page 106) • RSAKeyConstraints Plug-in Module (page 108) • SigningAlgorithmConstraints Plug-in Module (page 111) • SubCANameConstraints Plug-in Module (page 114) • UniqueSubjectNameConstraints Plug-in Module (page 117) • ValidityConstraints Plug-in Module (page 120) Overview of Constraints-Specific Policy Modules Constraints-specific policy plug-in modules help you define rules or constraints that Certificate Management System uses to evaluate an incoming certificate...
  • Page 85 Overview of Constraints-Specific Policy Modules Table 3-1 lists constraints-specific policy modules that are installed with a Certificate Manager. An installation of a Registration Manager also includes all these modules, except for the ones noted below: • IssuerConstraints • SubCANameConstraints • UniqueSubjectNameConstraints Note that the name of the Java class for a policy plug-in module is in this format: com.netscape.cms.policy.<plugin_name>...
  • Page 86: Attributepresentconstraints Plug-In Module

    AttributePresentConstraints Plug-in Module Table 3-1 Default constraints-specific policy plug-in modules (Continued) Plug-in module name Function RenewalValidityConstraints: Enforces the number of days before which a currently active certificate can be renewed and sets a new validity period for the renewed certificate. For details, see “RenewalValidityConstraints Plug-in Module”...
  • Page 87: Configuration Parameters Of Attributepresentconstraints

    AttributePresentConstraints Plug-in Module If you enable the policy and configure it correctly, it first searches for the user’s entry under the base specified in the ldap.ldapconn.basedn parameter with the filter uid=HTTP_PARAMS.UID. • If the value parameter is empty, the policy checks the attribute parameter:...
  • Page 88 AttributePresentConstraints Plug-in Module Figure 3-2 Parameters of the AttributePresentConstraints module The configuration shown in Figure 3-2 creates a policy rule named PinCheckForClientCerts, which enforces a rule that the server should check for users’ PINs in the specified LDAP directory. Table 3-2 describes each of the parameters.
  • Page 89 AttributePresentConstraints Plug-in Module Table 3-2 Description of parameters defined in the AttributePresentConstraints module (Continued) Parameter Description predicate: Specifies the predicate expression for this rule. If you want the rule to be applied to all certificate requests, leave the field blank (default). To form a predicate expression, see section “Using Predicates in Policy Rules”...
  • Page 90 AttributePresentConstraints Plug-in Module Table 3-2 Description of parameters defined in the AttributePresentConstraints module (Continued) Parameter Description ldap.ldapauth.clientCertNick: Specifies the nickname or the friendly name of the certificate to be used for SSL client authentication to the LDAP directory in order to check attributes. Make sure that the certificate is valid and has been signed by a CA that is trusted in the directory’s name...
  • Page 91: Dsakeyconstraints Plug-In Module

    DSAKeyConstraints Plug-in Module Table 3-2 Description of parameters defined in the AttributePresentConstraints module (Continued) Parameter Description ldap.ldapconn.maxConns: Specifies the maximum number of connections permitted to the LDAP directory; when needed, the connection pool can grow to this many (multiplexed) connections. Permissible values: 3 to 10;...
  • Page 92: Configuration Parameters Of Dsakeyconstraints

    DSAKeyConstraints Plug-in Module Configuration Parameters of DSAKeyConstraints In the CMS configuration file, the DSAKeyConstraints module is identified as <subsystem>.Policy.impl.DSAKeyConstraints.class=com.netscape.cms.policy.DSAKeyConstraints, where <subsystem> is the prefix identifying the subsystem. In the CMS window, the module is identified as DSAKeyConstraints. Figure 3-3 shows how configurable parameters for the module are displayed in the CMS window.
  • Page 93 DSAKeyConstraints Plug-in Module Table 3-3 Description of parameters defined in the DSAKeyConstraints module Parameter Description enable: Specifies whether the rule is enabled or disabled. Check the box to enable the rule (default). Uncheck the box to disable the rule. • If you enable the rule and set the remaining parameters correctly, the server applies the rule to certificates specified by the predicate expression.
  • Page 94: Dsakeyrule Rule

    IssuerConstraints Plug-in Module DSAKeyRule Rule The rule named DSAKeyRule is an instance of the DSAKeyConstraints module. Certificate Management System automatically creates this rule during installation. By default, the rule is configured as follows: • The rule is enabled. • The predicate expression is left blank so that the rule is applied to all certificate enrollment and renewal requests processed by the server.
  • Page 95: Configuration Parameters Of Issuerconstraints

    IssuerConstraints Plug-in Module Configuration Parameters of IssuerConstraints In the CMS configuration file, the IssuerConstraints module is identified as ca.Policy.impl.IssuerConstraints.class=com.netscape.cms.policy.IssuerConstraints. In the CMS window, the module is identified as IssuerConstraints. Figure 3-4 shows how the configurable parameters for the module are displayed in the CMS window.
  • Page 96: Issuerrule Rule

    IssuerConstraints Plug-in Module Table 3-4 Description of parameters defined in the IssuerConstraints module Parameter Description enable: Specifies whether the rule is enabled or disabled. Check the box to enable the rule (default). Uncheck the box to disable the rule. • If you enable the rule and set the remaining parameters correctly, the server checks for certificates issued by the specified CA and enforces certificate-based enrollment.
  • Page 97: Keyalgorithmconstraints Plug-In Module

    KeyAlgorithmConstraints Plug-in Module For details on individual parameters defined in the rule, see Table 3-4 on page 96. You need to review this rule and make the changes appropriate for your PKI setup. For instructions, see section “Step 2. Modify Existing Policy Rules” in Chapter 18, “Setting Up Policies”...
  • Page 98 KeyAlgorithmConstraints Plug-in Module Figure 3-5 Parameters of the KeyAlgorithmConstraints module The configuration shown in Figure 3-5 creates a policy rule named KeyAlgForClientServerCert, which enforces a rule that the server should restrict the key algorithm of all client and server certificates to RSA. Table 3-5 gives details about each of the parameters.
  • Page 99: Keyalgrule Rule

    RenewalConstraints Plug-in Module Table 3-5 Description of parameters defined in the KeyAlgorithmConstraints module (Continued) Parameter Description algorithms: Specifies the key type the server should certify. The default is RSA. Permissible values: RSA, DSA, or RSA,DSA. Example: RSA KeyAlgRule Rule The rule named KeyAlgRule is an instance of the KeyAlgorithmConstraints...
  • Page 100: Configuration Parameters Of Renewalconstraints

    RenewalConstraints Plug-in Module weeks of validity of the certificate. However, if the interval specified in the policy rule is not sufficient for renewal to occur, some of your users may not be able to renew their certificates prior to the expiration time and end up owning expired certificates.
  • Page 101: Renewalconstraintsrule Rule

    RenewalConstraints Plug-in Module The configuration shown in Figure 3-6 creates a policy rule named RenewExpiredClientCert, which specifies that the server should allow renewal of expired client certificates, if it’s done within 30 days from the expiry date. Table 3-6 gives details about each of the parameters. Table 3-6 Description of parameters defined in the RenewalConstraints module Parameter...
  • Page 102: Renewalvalidityconstraints Plug-In Module

    RenewalValidityConstraints Plug-in Module • The server allows renewal of expired certificates within 30 days, starting from the date they expire. For details on individual parameters defined in the rule, see Table 3-6 on page 101. You need to review this rule and make the changes appropriate for your PKI setup. For instructions, see section “Step 2.
  • Page 103: Configuration Parameters Of Renewalvalidityconstraints

    RenewalValidityConstraints Plug-in Module Note that you may apply this policy to certificate renewal requests only, and the renewal process to which this policy is applied can be manual (a request needs to be approved by an agent) or automated. In both cases, the currently issued certificate must be either presented during SSL client authentication by the end entity or selected by the agent approving the renewal request.
  • Page 104 RenewalValidityConstraints Plug-in Module Figure 3-7 Parameters of the RenewalValidityConstraints module The configuration shown in Figure 3-7 creates a policy rule named RenewalRuleForClientCert, which enforces a rule that the server should renew only those client certificates that are due to expire within the next 15 days. The renewed certificates are valid for at least 60 days (two months) and require renewing after 180 days (six months).
  • Page 105: Defaultrenewalvalidityrule Rule

    RenewalValidityConstraints Plug-in Module Description of parameters defined in the RenewalValidityConstraints module (Continued) Table 3-7 Parameter Description minValidity Specifies the minimum validity period, in days, for renewed certificates. Permissible values: As applicable. The default value is 180 days. Example: 60 maxValidity Specifies the maximum validity period, in days, for renewed certificates.
  • Page 106: Revocationconstraints Plug-In Module

    RevocationConstraints Plug-in Module RevocationConstraints Plug-in Module The RevocationConstraints plug-in module implements the revocation constraints policy. This policy imposes constraints on revocation of expired certificates—it allows or restricts the server from revoking expired certificates. You may apply this policy to end-entity certificate revocation requests. For example, if you don’t want to allow revocation of expired certificates in your PKI setup, you can configure the server accordingly using the policy.
  • Page 107: Revocationconstraintsrule Rule

    RevocationConstraints Plug-in Module The configuration shown in Figure 3-8 creates a policy rule named RevokeExpiredClientCert, which specifies that the server should allow revocation of expired client certificates. Table 3-8 gives details about each of the parameters. Table 3-8 Description of parameters defined in the RevocationConstraints module Parameter Description...
  • Page 108: Rsakeyconstraints Plug-In Module

    RSAKeyConstraints Plug-in Module For details on individual parameters defined in the rule, see Table 3-8 on page 107. You need to review this rule and make the changes appropriate for your PKI setup. For instructions, see section “Step 2. Modify Existing Policy Rules” in Chapter 18, “Setting Up Policies”...
  • Page 109 RSAKeyConstraints Plug-in Module Figure 3-9 Parameters of the RSAKeyConstraints module The configuration shown in Figure 3-9 creates a policy rule named RSAKeySizeForClientCert, which enforces a rule that the server should restrict the minimum and maximum key sizes for all RSA key-based client certificates to 512 and 2048, respectively.
  • Page 110: Rsakeyrule Rule

    RSAKeyConstraints Plug-in Module Table 3-9 Description of parameters defined in the RSAKeyConstraints module (Continued) Parameter Description minSize: Specifies the minimum length, in bits, for the key (the length of the modulus in bits). The value must be smaller than or equal to the one specified by the maxSize parameter.
  • Page 111: Signingalgorithmconstraints Plug-In Module

    SigningAlgorithmConstraints Plug-in Module • The maximum key size permitted for certificates is 2048 bits (maxSize=2048). • The exponents allowed are 3, 7, 17, and 65537 (exponents=3,7,17,65537). For details on individual parameters defined in the rule, see Table 3-9 on page 109. You need to review this rule and make the changes appropriate for your PKI setup.
  • Page 112: Configuration Parameters Of Signingalgorithmconstraints

    SigningAlgorithmConstraints Plug-in Module Configuration Parameters of SigningAlgorithmConstraints In the CMS configuration file, the SigningAlgorithmConstraints module is identified as <subsystem>.Policy.impl.SigningAlgorithmConstraints.class=com.netscape.cms.policy.SigningAlgorithmConstraints, where <subsystem> is the prefix identifying the subsystem. In the CMS window, the module is identified as SigningAlgorithmConstraints. Figure 3-10 shows how the configurable parameters for the module are displayed in the CMS window.
  • Page 113 SigningAlgorithmConstraints Plug-in Module Table 3-10 Description of parameters defined in the SigningAlgorithmConstraints module Parameter Description enable: Specifies whether the rule is enabled or disabled. Check the box to enable the rule (default). Uncheck the box to disable the rule. • If you enable the rule and set the remaining parameters correctly, the server uses the configured algorithms to sign certificates specified by the predicate parameter.
  • Page 114: Signingalgrule Rule

    SubCANameConstraints Plug-in Module SigningAlgRule Rule The rule named SigningAlgRule is an instance of the SigningAlgorithmConstraints module. Certificate Management System automatically creates this rule during installation. By default, the rule is configured as follows: • The rule is enabled. • The predicate expression is left blank so that the rule is applied to all certificate enrollment and renewal requests processed by the server.
  • Page 115: Configuration Parameters Of Subcanameconstraints

    SubCANameConstraints Plug-in Module Configuration Parameters of SubCANameConstraints In the CMS configuration file, the SubCANameConstraints module is identified as ca.Policy.impl.SubCANameConstraints.class=com.netscape.cms.policy.SubCANameConstraints. In the CMS window, the module is identified as SubCANameConstraints. Figure 3-11 shows how configurable parameters for the module are displayed in the CMS window.
  • Page 116: Subcanameconstraints Rule

    SubCANameConstraints Plug-in Module Table 3-11 Description of parameters defined in the SubCANameConstraints module Parameter Description enable: Specifies whether the rule is enabled or disabled. Check the box to enable the rule. Uncheck the box to disable the rule (default). • If you enable the rule and set the remaining parameters correctly, the server checks the certificate requests for issuer name uniqueness.
  • Page 117: Uniquesubjectnameconstraints Plug-In Module

    UniqueSubjectNameConstraints Plug-in Module UniqueSubjectNameConstraints Plug-in Module The UniqueSubjectNameConstraints plug-in module implements the unique subject name constraints policy. This policy restricts the server from issuing multiple certificates with the same subject name. Optionally, you can also configure the server to allow multiple certificates with the same subject name if the key usages are different.
  • Page 118 UniqueSubjectNameConstraints Plug-in Module Figure 3-12 Parameters of the UniqueSubjectNameConstraints module The configuration shown in Figure 3-12 creates a policy rule named UniqueNameForAllCert, which enforces a rule that all certificates must have unique subject names. Table 3-12 describes each of the parameters. Table 3-12 Description of parameters defined in the UniqueSubjectNameConstraints module Parameter Description...
  • Page 119 UniqueSubjectNameConstraints Plug-in Module Table 3-12 Description of parameters defined in the UniqueSubjectNameConstraints module (Continued) Parameter Description enablePreAgentApprovalChecki: Specifies whether the request must be checked for the subject name uniqueness on submission by the user, before the request gets queued for agent approval. •...
  • Page 120: Uniquesubjectnameconstraints Rule

    ValidityConstraints Plug-in Module UniqueSubjectNameConstraints Rule The rule named UniqueSubjectNameConstraints is an instance of the UniqueSubjectNameConstraints module. Certificate Management System automatically creates this rule during installation. By default, the rule is configured as follows: • The rule is disabled; for the rule to be effective, it must be enabled and configured appropriately.
  • Page 121 ValidityConstraints Plug-in Module The rule checks that the value of the notBefore attribute in the request is not more than leadTime minutes in the future; leadTime is a configurable parameter in the plug-in implementation. The ability to configure the value of the leadTime parameter in the policy rule allows you to prohibit end entities from requesting certificates whose validity starts too far in the future, and yet allows some amount...
  • Page 122: Configuration Parameters Of Validityconstraints

    ValidityConstraints Plug-in Module However, you can configure the Certificate Manager to issue certificates with validity periods beyond that of its CA signing certificate by selecting the “Override validity nesting requirement” option; see section “Step 6. Enable End-Entity Interaction” in Chapter 18, “Setting Up Policies” of CMS Installation and Setup Guide.
  • Page 123 ValidityConstraints Plug-in Module The configuration shown in Figure 3-13 creates a policy rule named ValidityForClientCert, which enforces a rule that all client certificates requested by end users in an organizational unit called Marketing are valid for at least 60 days (two months) and require renewing after 180 days (six months).
  • Page 124 ValidityConstraints Plug-in Module Table 3-13 Description of parameters defined in the ValidityConstraints module (Continued) Parameter Description leadTime: Specifies the lead time, in minutes, for certificates. For a certificate renewal request to pass the renewal validity constraints policy, the value of the notBefore attribute in the certificate request must not be more than the value of the leadTime parameter in the future, relative to the time when the policy rule is run.
  • Page 125: Defaultvalidityrule Rule

    ValidityConstraints Plug-in Module DefaultValidityRule Rule The rule named DefaultValidityRule is an instance of the ValidityConstraints module. Certificate Management System automatically creates this rule during installation. By default, the rule is configured as follows: • The rule is enabled. • The predicate expression is left blank so that the rule is applied to all certificate enrollment and renewal requests processed by the server.
  • Page 127: Chapter 4 Certificate Extension Plug-In Modules

    Chapter 4 Certificate Extension Plug-in Modules Netscape Certificate Management System (CMS) comes with a set of policy plug-in modules that enable you to add X.509 certificate extensions to certificates the server issues. This chapter explains those modules—it lists and briefly describes the modules that are installed with a Certificate Manager and Registration Manager, and then explains each one in detail.
  • Page 128: Overview Of Extension-Specific Policy Modules

    Overview of Extension-Specific Policy Modules • OCSPNoCheckExt Plug-in Module (page 217) • PolicyConstraintsExt Plug-in Module (page 221) • PolicyMappingsExt Plug-in Module (page 224) • PrivateKeyUsagePeriodExt Plug-in Module (page 228) • RemoveBasicConstraintsExt Plug-in Module (page 230) • SubjectAltNameExt Plug-in Module (page 232) •...
  • Page 129 Overview of Extension-Specific Policy Modules Figure 4-1 Extension policy modules registered with a Certificate Manager Table 4-1 lists extension-specific policy modules that are installed with a Certificate Manager. A Registration Manager installation also includes all the modules, except for the ones noted below: •...
  • Page 130 Overview of Extension-Specific Policy Modules Table 4-1 Default extension-specific policy plug-in modules Plug-in module Function AuthInfoAccessExt: Adds the Authority Information Access extension to certificates. For details, see “AuthInfoAccessExt Plug-in Module” on page 132. AuthorityKeyIdentifierExt: Adds the Authority Key Identifier extension to certificates. For details, see “AuthorityKeyIdentifierExt Plug-in Module”...
  • Page 131 Overview of Extension-Specific Policy Modules Table 4-1 Default extension-specific policy plug-in modules (Continued) Plug-in module Function PolicyConstraintsExt: Adds the Policy Constraints extension to certificates. For details, see “PolicyConstraintsExt Plug-in Module” on page 221. PolicyMappingsExt: Adds the Policy Mappings extension to certificates. For details, see “PolicyMappingsExt Plug-in Module”...
  • Page 132: Authinfoaccessext Plug-In Module

    AuthInfoAccessExt Plug-in Module For general guidelines on developing custom policy modules and adding them to the CMS policy framework, take a look at the samples installed at these locations: <server_root>/cms_sdk/cms_jdk/samples/policies For instructions to configure a Certificate Manager and Registration Manager to use one or more of the policy modules, see section “Configuring Policy Rules for a Subsystem”...
  • Page 133 AuthInfoAccessExt Plug-in Module By default, the policy supports three access methods: • caIssuers (this method is also identified by its OID, 1.3.6.1.5.5.7.48.2). As specified in the PKIX standard, you should use the caIssuers method when the additional information is a list of parent CAs or CAs that have issued certificates superior to the CA that issued the certificate containing the extension.
  • Page 134: Configuration Parameters Of Authinfoaccessext

    AuthInfoAccessExt Plug-in Module If you configure a Certificate Manager to publish CRLs to an OCSP responder and want to include the authority information access extension referencing to the responder, you should configure an instance of this policy as follows: access method is set to ocsp, name type is set to URI, and name value is set to the URL at...
  • Page 135 AuthInfoAccessExt Plug-in Module Figure 4-2 Parameters defined in the AuthInfoAccessExt module The configuration shown in Figure 4-2 creates a policy rule named AuthInfoAccessExtForClientCert, which enforces a rule that the server should add the authority information access extension to client certificates. The extension indicates that the online validation service (or the OCSP responder) for the CA that has issued these certificates is at this URL: http://ocspResponder.example.com:8000...
  • Page 136 AuthInfoAccessExt Plug-in Module Table 4-2 Description of parameters defined in the AuthInfoAccessExt module (Continued) Parameter Description predicate: Specifies the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank (default). To form a predicate expression, see section “Using Predicates in Policy Rules”...
  • Page 137 AuthInfoAccessExt Plug-in Module Table 4-2 Description of parameters defined in the AuthInfoAccessExt module (Continued) Parameter Description ad<n>_location_type: Specifies the general-name type for the location that contains additional information about the CA that has issued the certificate in which this extension appears. Permissible values: rfc822Name, directoryName, dNSName, ediPartyName, URL, iPAddress, OID, or otherName.
  • Page 138 AuthInfoAccessExt Plug-in Module Table 4-2 Description of parameters defined in the AuthInfoAccessExt module (Continued) Parameter Description ad<n>_location: Specifies the address or location to get additional information about the CA that has issued the certificate in which this extension appears. Permissible values: Depends on the location type you specified in the ad<n>_location_type field.
  • Page 139 AuthInfoAccessExt Plug-in Module Description of parameters defined in the AuthInfoAccessExt module (Continued) Table 4-2 Parameter Description • If you selected URL, the value must be a non-relative universal resource identifier (URI) following the URL syntax and encoding rules specified in RFC 1738 (http://www.ietf.org/rfc/rfc1738.txt).
  • Page 140: Authinfoaccessext Rule

    AuthInfoAccessExt Plug-in Module AuthInfoAccessExt Rule The rule named AuthInfoAccessExt is an instance of the AuthInfoAccessExt module. Certificate Management System automatically creates this rule during installation. By default, the rule is configured as follows: • The rule is disabled. • The predicate expression (predicate=HTTP_PARAMS.certType==client) ensures that the policy is to be applied to client certificate requests processed by the server.
  • Page 141: Authoritykeyidentifierext Plug-In Module

    AuthorityKeyIdentifierExt Plug-in Module AuthorityKeyIdentifierExt Plug-in Module The AuthorityKeyIdentifierExt plug-in module implements the authority key identifier extension policy. This policy enables you to configure Certificate Management System to add the Authority Key Identifier Extension defined in X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) to certificates.
  • Page 142: Configuration Parameters Of Authoritykeyidentifierext

    AuthorityKeyIdentifierExt Plug-in Module Uses the SHA-1 hash of the CA’s subject public key information as the key identifier. This option is compatible with Netscape Communicator when the CA does not have a subject public key identifier extension. Does not set the authority key identifier extension. •...
  • Page 143 AuthorityKeyIdentifierExt Plug-in Module The configuration shown in Figure 4-3 creates a policy rule named AuthKeyIDExtForCACert, which enforces a rule that the server should set the authority key identifier extension in all CA certificates. Table 4-3 gives details about each of these parameters. Table 4-3 Description of parameters defined in the AuthorityKeyIdentifierExt module Parameter...
  • Page 144: Authoritykeyidentifierext Rule

    BasicConstraintsExt Plug-in Module AuthorityKeyIdentifierExt Rule The rule named AuthorityKeyIdentifierExt is an instance of the AuthorityKeyIdentifierExt module. Certificate Management System automatically creates this rule during installation. By default, the rule is configured as follows: • The rule is enabled. • The predicate expression is left blank so that the extension gets added to all certificates the server issues.
  • Page 145: Configuration Parameters Of Basicconstraintsext

    BasicConstraintsExt Plug-in Module Because the basic constraints extension is a critical extension and is used by applications to determine the path length during certificate validation to chain up to the trusted CA, it’s important that you set this extension correctly. Also note that when a user submits a certificate request using the manual-enrollment method, the basic constraints extension is set on that request as per the configured policy, and then the request is queued for agent approval.
  • Page 146 BasicConstraintsExt Plug-in Module The configuration shown in Figure 4-4 creates a policy rule named BasicConsExtForCACert, which enforces a rule that the server should set the basic constraints extension in all CA certificates. Table 4-4 gives details about each of these parameters. Table 4-4 Description of parameters defined in the BasicConstraintsExt module Parameter...
  • Page 147: Basicconstraintsext Rule

    BasicConstraintsExt Plug-in Module Table 4-4 Description of parameters defined in the BasicConstraintsExt module (Continued) Parameter Description maxPathLen: Specifies the path length, the maximum number of CA certificates that may be chained below (subordinate to) the subordinate CA certificate being issued. Note that the path length you specify affects the number of CA certificates to be used during certificate validation.
  • Page 148: Certificatepoliciesext Plug-In Module

    CertificatePoliciesExt Plug-in Module • The path length field (maxPathLen) is left blank so that it defaults to a value that is determined by the path length set on the Basic Constraints extension in the issuer’s certificate. For details on individual parameters defined in the rule, see Table 4-4 on page 146. You need to review this rule and make the changes appropriate for your PKI setup.
  • Page 149: Configuration Parameters Of Certificatepoliciesext

    CertificatePoliciesExt Plug-in Module The certificate policies extension policy in Certificate Management System enables you to set the extension with the following information: • The name of your company or organization. • The OID assigned to the policy statement you want to include in the certificate. •...
  • Page 150 CertificatePoliciesExt Plug-in Module Figure 4-5 Parameters defined in the CertificatePoliciesExt module The configuration shown in Figure 4-5 creates a policy rule named CertPoliciesExtForClientCert, which enforces a rule that the server should set the certificate policies extension in all client certificates. Table 4-5 gives details about each of these parameters.
  • Page 151 CertificatePoliciesExt Plug-in Module Table 4-5 Description of parameters defined in the CertificatePoliciesExt module (Continued) Parameter Description critical: Specifies whether the extension should be marked critical or noncritical in certificates specified by the predicate parameter. Check the box if you want the server to mark the extension critical.
  • Page 152: Certificatepoliciesext Rule

    CertificatePoliciesExt Plug-in Module Table 4-5 Description of parameters defined in the CertificatePoliciesExt module (Continued) Parameter Description displayText: Specifies the textual statement to be included in certificates; this parameter corresponds to the explicitText field of the user notice. If you want to embed a textual statement (for example, your company’s legal notice) in certificates, then add that statement here.
  • Page 153: Certificaterenewalwindowext Plug-In Module

    CertificateRenewalWindowExt Plug-in Module same chapter. For example, if you want to include different policy statements in different types of certificates, you should create multiple instances of the policy module and configure each instance with the appropriate policy OID and predicate expression.
  • Page 154: Configuration Parameters Of Certificaterenewalwindowext

    CertificateRenewalWindowExt Plug-in Module Because the renewal process requires end users to remember when their certificates expire and renew them before the expiry date, some clients provide built-in support for automated renewal. Inclusion of the certificate renewal window extension in certificates is useful in a PKI setup with such clients; such a setup eliminates the need for the owner of the certificate to manually submit a renewal request to the CA and install the renewed certificate.
  • Page 155 CertificateRenewalWindowExt Plug-in Module Figure 4-6 Parameters defined in the CertificateRenewalWindowExt module The configuration shown in Figure 4-6 creates a policy rule named CertRenewWindowExtForClientCert, which enforces a rule that the server should set the certificate renewal window extension in client certificates only; the renewal window starts 30 days before a certificate expires and ends with certificate expiration.
  • Page 156 CertificateRenewalWindowExt Plug-in Module Table 4-6 Description of parameters defined in the CertificateRenewalWindowExt module (Continued) Parameter Description critical: Specifies whether the extension should be marked critical or noncritical in certificates specified by the predicate parameter. Check the box if you want the server to mark the extension critical.
  • Page 157 CertificateRenewalWindowExt Plug-in Module Table 4-6 Description of parameters defined in the CertificateRenewalWindowExt module (Continued) Parameter Description relativeEndTime: Specifies the last opportunity for automatic renewal of the certificate that contains this extension. Specifying a value for this parameter is optional; if you leave the field blank, the certificate-using application is expected to use the expiration date (notAfter value) in the certificate.
  • Page 158: Certificatescopeofuseext Plug-In Module

    CertificateScopeOfUseExt Plug-in Module CertificateScopeOfUseExt Plug-in Module The CertificateScopeOfUseExt plug-in module implements the certificate scope of use extension policy. This policy enables you to configure Certificate Management System to add the Certificate Scope of Use Extension to certificates. The extension enables you to specify a list of web sites that may request the use of a particular certificate for SSL client authentication, thus aiding certificate-using applications to select certificates to present to web sites and to control release of these certificates.
  • Page 159: Configuration Parameters Of Certificatescopeofuseext

    CertificateScopeOfUseExt Plug-in Module Configuration Parameters of CertificateScopeOfUseExt In the CMS configuration file, the CertificateScopeOfUseExt module is identified as <subsystem>.Policy.impl.CertificateScopeOfUseExt.class=com.netscape.cms.policy.CertificateScopeOfUseExt, where <subsystem> is the prefix identifying the subsystem. In the CMS window, the module is identified as CertificateScopeOfUseExt. Figure 4-7 shows how the configurable parameters for the module are displayed in the CMS window.
  • Page 160 CertificateScopeOfUseExt Plug-in Module Table 4-7 Description of parameters defined in the CertificateScopeOfUseExt module Parameter Description Specifies whether the rule is enabled or disabled. enable • Check the box to enable the rule (default). If you enable the rule and set the remaining parameters correctly, the server adds the certificate scope of use extension to certificates specified by the predicate parameter.
  • Page 161 CertificateScopeOfUseExt Plug-in Module Description of parameters defined in the CertificateScopeOfUseExt module (Continued) Table 4-7 Parameter Description Specifies the general-name type for the site that you want to include in the entry<n>_name_type extension. Permissible values: rfc822Name, directoryName, dNSName, ediPartyName, URL, iPAddress, OID, or otherName. •...
  • Page 162 CertificateScopeOfUseExt Plug-in Module Description of parameters defined in the CertificateScopeOfUseExt module (Continued) Table 4-7 Parameter Description • If you selected ediPartyName, the value must be an IA5String. For example, Example Corporation. • If you selected URL, the value must be a non-relative URI, including both a scheme (for example, http) and a fully qualified domain name or IP address of the host.
  • Page 163: CRLDistributionPointsExt Plug-in Module

    CRLDistributionPointsExt Plug-in Module. The CRLDistributionPointsExt plug-in module implements the CRL distribution points extension policy. This policy enables you to configure Certificate Management System to add the CRL Distribution Points Extension defined in X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) to certificates.
  • Page 164 CRLDistributionPointsExt Plug-in Module. In the CMS window, the module is identified as CRLDistributionPointsExt. Figure 4-8 shows how the configurable parameters for the module are displayed in the CMS window. Figure 4-8, Description of parameters defined in the CRLDistributionPointsExt module. The configuration shown in Figure 4-8 creates a policy rule named CRLDistPtsExtForRouterCert, which enforces a rule that the server should set the CRL distribution point extension in router certificates; ...
  • Page 165 CRLDistributionPointsExt Plug-in Module. Table 4-8, Description of parameters defined in the CRLDistributionPointsExt module (Continued). predicate: Specifies the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank (default). To form a predicate expression, see section “Using Predicates in Policy Rules” ...
  • Page 166 CRLDistributionPointsExt Plug-in Module. Table 4-8, Description of parameters defined in the CRLDistributionPointsExt module (Continued). pointName<n>: Specifies the name of the CRL distribution point. Permissible values: Any supported name forms. By default, the name can be in any of the following formats: ...
  • Page 167: CRLDistributionPointsExt Rule

    CRLDistributionPointsExt Plug-in Module. Table 4-8, Description of parameters defined in the CRLDistributionPointsExt module (Continued). issuerName<n>: Specifies the name of the issuer that has signed the CRL maintained at the distribution point. Permissible values: Any supported name forms. By default, the name can be in any of the following formats: ...
  • Page 168: ExtendedKeyUsageExt Plug-in Module

    ExtendedKeyUsageExt Plug-in Module For details on individual parameters defined in the rule, see Table 4-8 on page 164. It is important that you review this rule and make the appropriate changes required by your PKI setup. For instructions, see section “Step 2. Modify Existing Policy Rules”...
  • Page 169 ExtendedKeyUsageExt Plug-in Module. Table 4-9, PKIX usage definitions for the extended key usage extension (Usage: OID): Server authentication: 1.3.6.1.5.5.7.3.1; Client authentication: 1.3.6.1.5.5.7.3.2; Code signing: 1.3.6.1.5.5.7.3.3; Email: 1.3.6.1.5.5.7.3.4; IPSec end system: 1.3.6.1.5.5.7.3.5; IPSec tunnel: 1.3.6.1.5.5.7.3.6; IPSec user: 1.3.6.1.5.5.7.3.7; Timestamping: 1.3.6.1.5.5.7.3.8. Note that Windows 2000 allows you to encrypt files on the hard disk, a feature known as encrypted file system (EFS), using certificates that contain the Extended Key Usage extension with the following two OIDs: ...
  • Page 170: Configuration Parameters of ExtendedKeyUsageExt

    ExtendedKeyUsageExt Plug-in Module. Configuration Parameters of ExtendedKeyUsageExt. In the CMS configuration file, the ExtendedKeyUsageExt module is identified as <subsystem>.Policy.impl.ExtendedKeyUsageExt.class=com.netscape.cms.policy.ExtendedKeyUsageExt, where <subsystem> is the prefix identifying the subsystem. In the CMS window, the module is identified as ExtendedKeyUsageExt. Figure 4-9 shows how the configurable parameters for the module are displayed in the CMS window.
  • Page 171 ExtendedKeyUsageExt Plug-in Module. Table 4-10, Description of parameters defined in the ExtendedKeyUsageExt module. enable: Specifies whether the rule is enabled or disabled. Check the box to enable the rule (default). Uncheck the box to disable the rule. • If you enable the rule and set the remaining parameters correctly, the server adds the extended key usage extension to certificates specified by the predicate parameter.
  • Page 172: CodeSigningExt Rule

    ExtendedKeyUsageExt Plug-in Module. Table 4-10, Description of parameters defined in the ExtendedKeyUsageExt module (Continued). id<n>: Specifies the OID that identifies a key-usage purpose. Permissible values: A unique, valid OID specified in the dot-separated numeric component notation. Depending on the key-usage purposes, you may choose to use the OIDs designated by PKIX (listed in Table 4-9 on page 169) or define your own OIDs.
  • Page 173: OCSPSigningExt Rule

    ExtendedKeyUsageExt Plug-in Module. OCSPSigningExt Rule. The rule named OCSPSigningExt is an instance of the ExtendedKeyUsageExt module. Certificate Management System automatically creates this rule during installation. By default, the rule is configured as follows: • The rule is enabled. • The predicate expression is set (HTTP_PARAMS.certType==ocspResponder) so that the extension gets added to an OCSP responder certificate only—the ...
  • Page 174: GenericASN1Ext Plug-in Module

    GenericASN1Ext Plug-in Module When queried by an application on the status of a certificate, the OCSP responder sends a digitally signed response. To generate the signature, the responder needs to use a key. Because the signature needs to be verified by the application that sought the response, RFC 2560 recommends that the key used for signing an OCSP response must belong to one of the following: •...
  • Page 175 GenericASN1Ext Plug-in Module The generic extension policy in Certificate Management System accepts custom extensions in the form of object identifiers (OIDs) and values as DER-encoded extension values. That is, for the server to add a custom extension to certificates it issues, you need to first define the extension and then configure the server with extension details.
  • Page 176: Configuration Parameters of GenericASN1Ext

    GenericASN1Ext Plug-in Module Note that each instance of the policy can be configured to add one custom extension only. To configure the server to add multiple custom extensions, create multiple instances of the module, each with a distinct name and appropriate configuration values.
  • Page 177 GenericASN1Ext Plug-in Module. The configuration shown in Figure 4-10 defines a custom extension named testGenASN1Ext with OID 2.4.5.99. The extension is non-critical, and it will be added to all certificates issued by the server. The expected dumpasn1 output (see “dumpasn1 Tool” in CMS Command-Line Tools Guide) of the resulting extension would look like this: 337 30 148: ...
  • Page 178 GenericASN1Ext Plug-in Module. Table 4-11, Description of parameters defined in the GenericASN1Ext module (Continued). predicate: Specifies the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank (default). To form a predicate expression, see section “Using Predicates in Policy Rules” ...
  • Page 179 GenericASN1Ext Plug-in Module. Table 4-11, Description of parameters defined in the GenericASN1Ext module (Continued). pattern: Specifies the pattern of the extension. Permissible values: The pattern can be any sequence of supported ASN.1 types. Rules for formulating the pattern are as follows: ...
  • Page 180 GenericASN1Ext Plug-in Module. Table 4-11, Description of parameters defined in the GenericASN1Ext module (Continued). attribute.<n>.source: Specifies the data source for attribute n in the extension, where n is an identifier assigned to identify parameters pertaining to a specific attribute. The value of n can be 0 to 9.
  • Page 181: GenericASN1Ext Rule

    IssuerAltNameExt Plug-in Module. GenericASN1Ext Rule. The rule named GenericASN1Ext is an instance of the GenericASN1Ext module. Certificate Management System automatically creates this rule during installation. By default, the rule is configured as follows: • The rule is disabled; for the rule to be effective, it must be enabled and configured appropriately.
  • Page 182: Configuration Parameters of IssuerAltNameExt

    IssuerAltNameExt Plug-in Module • A DNS name • An EDI party name • A uniform resource indicator (URI) • An IP address • An object identifier (OID) • Other Name Unlike some of the other policy modules, Certificate Management System does not create an instance of the issuer alternative name extension policy during installation.
  • Page 183 IssuerAltNameExt Plug-in Module. The configuration shown in Figure 4-11 creates a policy rule named IssuerAltNameExtForCACert, which enforces a rule that the server should set the issuer alternative name extension in CA certificates only. Table 4-12 gives details about each of these parameters. Table 4-12, Description of parameters defined in the IssuerAltNameExt module ...
  • Page 184 IssuerAltNameExt Plug-in Module. Table 4-12, Description of parameters defined in the IssuerAltNameExt module (Continued). generalName<n>.generalNameChoice: Specifies the general-name type for the alternative name you want to include in the extension. Permissible values: rfc822Name, directoryName, dNSName, ediPartyName, URL, iPAddress, OID, or otherName. ...
  • Page 185 IssuerAltNameExt Plug-in Module. Table 4-12, Description of parameters defined in the IssuerAltNameExt module (Continued). • If you selected dNSName, the value must be a valid domain name in the preferred-name syntax as specified by RFC 1034 (http://www.ietf.org/rfc/rfc1034.txt). You may use upper and lower case letters in the domain name; ...
  • Page 186: KeyUsageExt Plug-in Module

    KeyUsageExt Plug-in Module. The KeyUsageExt plug-in module implements the key usage extension policy. This policy enables you to configure Certificate Management System to add the Key Usage Extension defined in X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) to certificates. The extension specifies the purposes for which the key contained in a certificate should be used—for example, it specifies whether the key should be used for data signing, key ...
  • Page 187 KeyUsageExt Plug-in Module Note that you can specify which bits in the extension are to be set on both server and client sides: • On the server side, you set the bits by modifying the appropriate configuration parameters that are defined in the key usage extension policy. •...
  • Page 188: Configuration Parameters of KeyUsageExt

    KeyUsageExt Plug-in Module • ServerCertKeyUsageExt (For details, see “ServerCertKeyUsageExt Rule” on page 195.) • ClientCertKeyUsageExt (For details, see “ClientCertKeyUsageExt Rule” on page 196.) • ObjSignCertKeyUsageExt (For details, see “ObjSignCertKeyUsageExt Rule” on page 198.) • CRLSignCertKeyUsageExt (For details, see “CRLSignCertKeyUsageExt” on page 199.) It is important that you review each policy instance and make the appropriate changes required by your PKI setup.
  • Page 189 KeyUsageExt Plug-in Module. In the CMS window, the module is identified as KeyUsageExt. Figure 4-12 shows how the configurable parameters for the module are displayed in the CMS window. Figure 4-12, Parameters defined in the KeyUsageExt module. The configuration shown in Figure 4-12 creates a policy rule named KeyUsageExtForClientCert, which enforces a rule that the server should set the key usage extension ( ...
  • Page 190 KeyUsageExt Plug-in Module. Table 4-15, Description of parameters defined in the KeyUsageExt module. enable: Specifies whether the rule is enabled or disabled. Check the box to enable the rule (default). Uncheck the box to disable the rule. • If you enable the rule, the server checks the key usage extension bits specified in the remaining fields, and adds the extension with those bits to certificates specified by the predicate parameter.
  • Page 191 KeyUsageExt Plug-in Module. Table 4-15, Description of parameters defined in the KeyUsageExt module (Continued). nonRepudiation: Specifies whether to set the nonRepudiation bit (or bit 1) of the key usage extension in certificates specified by the predicate parameter. Permissible values: true, false, or HTTP_INPUT. ...
  • Page 192 KeyUsageExt Plug-in Module. Table 4-15, Description of parameters defined in the KeyUsageExt module (Continued). keyAgreement: Specifies whether to set the keyAgreement bit (or bit 4) of the key usage extension in certificates specified by the predicate parameter. Permissible values: true, false, or HTTP_INPUT. ...
  • Page 193: CMCertKeyUsageExt Rule

    KeyUsageExt Plug-in Module. Table 4-15, Description of parameters defined in the KeyUsageExt module (Continued). encipherOnly: Specifies whether to set the encipherOnly bit (or bit 7) of the key usage extension in certificates specified by the predicate parameter. Permissible values: true, false, or HTTP_INPUT. ...
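    An added example, not code from the Netscape CMS guide: a small pure-Python decoder for the DER values that the KeyUsageExt policy (Table 4-15 bit numbering) and the ExtendedKeyUsageExt policy (Table 4-9 OIDs) write into certificates, so an administrator can confirm what a rule actually placed in an issued certificate. The guide names bits 1, 4 and 7; the other bit positions and the decipherOnly bit follow RFC 2459, and all sample values below are constructed here.

```python
# Added example (not part of the Netscape CMS guide): decode the DER values that the
# KeyUsageExt and ExtendedKeyUsageExt policies put into certificates and check a Key
# Usage value against the bits a rule is expected to set.

# Bit positions of the KeyUsage BIT STRING. The guide names bit 1 (nonRepudiation),
# bit 4 (keyAgreement) and bit 7 (encipherOnly); the rest follow RFC 2459, 4.2.1.3.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",   # bits 0-2
    "dataEncipherment", "keyAgreement", "keyCertSign",         # bits 3-5
    "cRLSign", "encipherOnly", "decipherOnly",                 # bits 6-8 (bit 8: 2nd byte)
]

# Table 4-9: PKIX purpose OIDs for the extended key usage extension.
PKIX_EKU_OIDS = {
    "1.3.6.1.5.5.7.3.1": "Server authentication",
    "1.3.6.1.5.5.7.3.2": "Client authentication",
    "1.3.6.1.5.5.7.3.3": "Code signing",
    "1.3.6.1.5.5.7.3.4": "Email",
    "1.3.6.1.5.5.7.3.5": "IPSec end system",
    "1.3.6.1.5.5.7.3.6": "IPSec tunnel",
    "1.3.6.1.5.5.7.3.7": "IPSec user",
    "1.3.6.1.5.5.7.3.8": "Timestamping",
}


def _read_tlv(data, offset=0):
    """Read one DER tag-length-value triple; return (tag, value, offset after it)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    if offset + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[offset:offset + length], offset + length


def decode_key_usage(der):
    """Return the names of the bits set in a DER-encoded KeyUsage BIT STRING."""
    tag, value, _ = _read_tlv(der)
    if tag != 0x03 or not value:
        raise ValueError("not a BIT STRING")
    unused, bits = value[0], value[1:]
    names = []
    for i in range(len(bits) * 8 - unused):  # DER strips trailing zero bits
        if bits[i // 8] & (0x80 >> (i % 8)):  # bit 0 is the most significant bit
            names.append(KEY_USAGE_BITS[i] if i < len(KEY_USAGE_BITS) else "bit%d" % i)
    return names


def encode_key_usage(names):
    """Build the DER KeyUsage value for the named bits (used here to construct samples)."""
    positions = [KEY_USAGE_BITS.index(n) for n in names]
    if not positions:
        return b"\x03\x01\x00"
    nbits = max(positions) + 1
    buf = bytearray((nbits + 7) // 8)
    for p in positions:
        buf[p // 8] |= 0x80 >> (p % 8)
    body = bytes([len(buf) * 8 - nbits]) + bytes(buf)  # first byte: unused-bit count
    return bytes([0x03, len(body)]) + body


def decode_oid(value):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)  # base-128 arcs, high bit set on all but the last
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_extended_key_usage(der):
    """Return [(oid, purpose)] for a DER SEQUENCE OF OBJECT IDENTIFIER. OIDs outside
    Table 4-9 (site-defined ones, as the id<n> parameter allows) are labelled as such."""
    tag, value, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    purposes, off = [], 0
    while off < len(value):
        t, v, off = _read_tlv(value, off)
        if t != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oid = decode_oid(v)
        purposes.append((oid, PKIX_EKU_OIDS.get(oid, "non-PKIX OID")))
    return purposes


def missing_key_usage_bits(der, required):
    """Names in `required` that the KeyUsage value does not set (empty list means OK)."""
    present = set(decode_key_usage(der))
    return [n for n in required if n not in present]


if __name__ == "__main__":
    # Constructed samples: the bit set the guide's default CA signing rule applies, and an
    # EKU value carrying the two PKIX authentication purposes.
    ca_bits = ["digitalSignature", "nonRepudiation", "keyCertSign", "cRLSign"]
    ca_ku = encode_key_usage(ca_bits)  # b"\x03\x02\x01\xc6"
    print(ca_ku.hex(), decode_key_usage(ca_ku))
    eku = bytes.fromhex("301406082b0601050507030106082b06010505070302")
    print(decode_extended_key_usage(eku))
    print(missing_key_usage_bits(encode_key_usage(["digitalSignature"]), ca_bits))
```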
  • Page 194: RMCertKeyUsageExt Rule

    KeyUsageExt Plug-in Module. • The server is configured to set the digitalSignature, nonRepudiation, keyCertsign, and cRLSign bits in CA signing certificates. Notice that the key-usage bits specified in the default policy rule match the bits specified in the enrollment form (ManCAEnroll.html) for requesting CA signing certificates (see Figure 4-13).
  • Page 195: ServerCertKeyUsageExt Rule

    KeyUsageExt Plug-in Module. • The server is configured to set the digitalSignature and nonRepudiation bits in Registration Manager signing certificates. Notice that the key-usage bits specified in the default policy rule match the bits specified in the enrollment form (ManRAEnroll.html) for requesting Registration Manager signing certificates (see Figure 4-14).
  • Page 196: ClientCertKeyUsageExt Rule

    KeyUsageExt Plug-in Module. Figure 4-15, Key usage bit-specific variables in the SSL server certificate enrollment form. ClientCertKeyUsageExt Rule. The policy rule named ClientCertKeyUsageExt is an instance of the KeyUsageExt module. This rule is for setting the appropriate key-usage bits in SSL client certificates.
  • Page 197 KeyUsageExt Plug-in Module. Also notice the HTTP variables for the Netscape certificate type extension: the values indicate that the certificate is meant for S/MIME and SSL client authentication use only. (For details on the Netscape certificate type extension, see “NSCertTypeExt Plug-in Module” on page 212.) Figure 4-16, Key usage extension bits in the directory-based enrollment form. Keep in mind that for requesting client certificates, there are many enrollment ...
  • Page 198: ObjSignCertKeyUsageExt Rule

    KeyUsageExt Plug-in Module. Each of these forms embeds HTTP input variables (for key-usage bits) that are considered appropriate for the certificate being requested using that form. If you want, you may create additional instances of the key usage extension policy, one for each client certificate enrollment form, and configure these instances as appropriate.
  • Page 199: CRLSignCertKeyUsageExt

    NameConstraintsExt Plug-in Module. CRLSignCertKeyUsageExt. The policy rule named CrlSignCertKeyUsageExt is an instance of the KeyUsageExt module. This rule is for setting the appropriate key-usage bits in a CRL signing certificate. By default, the rule is configured as follows: • The rule is enabled. ...
  • Page 200: Configuration Parameters of NameConstraintsExt

    NameConstraintsExt Plug-in Module. Configuration Parameters of NameConstraintsExt. In the CMS configuration file, the NameConstraintsExt module is identified as ca.Policy.impl.NameConstraintsExt.class=com.netscape.cms.policy.NameConstraintsExt. In the CMS window, the module is identified as NameConstraintsExt. Figure 4-18 shows how the configurable parameters for the module are displayed in the CMS window.
  • Page 201 NameConstraintsExt Plug-in Module. Table 4-16, Description of parameters defined in the NameConstraintsExt module. enable: Specifies whether the rule is enabled or disabled. Check the box to enable the rule (default). Uncheck the box to disable the rule. • If you enable the rule and set the remaining parameters correctly, the server adds the name constraints extension to all certificates specified by the predicate parameter.
  • Page 202 NameConstraintsExt Plug-in Module. Table 4-16, Description of parameters defined in the NameConstraintsExt module (Continued). numExcludedSubtrees: Specifies the total number of subtrees to be excluded in the extension. Note that each excluded subtree has a set of configuration parameters and you must specify appropriate values for each of these parameters; ...
  • Page 203 NameConstraintsExt Plug-in Module. Table 4-16, Description of parameters defined in the NameConstraintsExt module (Continued). permittedSubtrees<n>.base.generalNameValue: Specifies the general-name value for the permitted subtree you want to include in the extension. Permissible values: Depends on the general-name type you selected in the permittedSubtrees<n>.base.generalNameChoice field.
  • Page 204 NameConstraintsExt Plug-in Module. Table 4-16, Description of parameters defined in the NameConstraintsExt module (Continued). • If you selected iPAddress, the value must be a valid IP address (IPv4 or IPv6) specified in the dot-separated numeric component notation. The syntax for specifying the IP address is as follows: For IP version 4 (IPv4), the address should be in the form specified in RFC 791 (http://www.ietf.org/rfc/rfc0791.txt).
  • Page 205 NameConstraintsExt Plug-in Module. Table 4-16, Description of parameters defined in the NameConstraintsExt module (Continued). permittedSubtrees<n>.max: Specifies the maximum number of permitted subtrees. Permissible values: -1, 0, or n. • -1 specifies that the field should not be set in the extension (default). ...
  • Page 206 NameConstraintsExt Plug-in Module. Table 4-16, Description of parameters defined in the NameConstraintsExt module (Continued). • If you selected directoryName, the value must be a string form of X.500 name, similar to the subject name in a certificate, in the RFC 2253 syntax (see http://www.ietf.org/rfc/rfc2253.txt).
  • Page 207: NameConstraintsExt Rule

    NameConstraintsExt Plug-in Module. Table 4-16, Description of parameters defined in the NameConstraintsExt module (Continued). • If you selected otherName, the value must be the absolute path to the file that contains the base-64 encoded string of the subtree. For example, /usr/netscape/servers/ext/nc/othername.txt.
  • Page 208: NSCCommentExt Plug-in Module

    NSCCommentExt Plug-in Module. • The total number of excluded subtrees to be contained in the extension is set to 3 (numExcludedSubtrees=3). • The maximum number of permitted subtrees is set to -1 (permittedSubtrees<n>.max=-1) and the minimum number of permitted subtrees is set to 0 (permittedSubtrees<n>.min=0). ...
  • Page 209: Configuration Parameters of NSCCommentExt

    NSCCommentExt Plug-in Module. Configuration Parameters of NSCCommentExt. In the CMS configuration file, the NSCCommentExt module is identified as <subsystem>.Policy.impl.NSCCommentExt.class=com.netscape.cms.policy.NSCCommentExt, where <subsystem> is the prefix identifying the subsystem. In the CMS window, the module is identified as NSCCommentExt. Figure 4-19 shows how the configurable parameters for the module are displayed in the CMS window.
  • Page 210 NSCCommentExt Plug-in Module. Table 4-17, Description of parameters defined in the NSCCommentExt module. enable: Specifies whether the rule is enabled or disabled. Check the box to enable the rule. Uncheck the box to disable the rule (default). • If you enable the rule and set the remaining parameters correctly, the server adds the Netscape certificate comment extension to certificates specified by the predicate parameter.
  • Page 211: NSCCommentExt Rule

    NSCCommentExt Plug-in Module. Table 4-17, Description of parameters defined in the NSCCommentExt module (Continued). displayText: Specifies the textual statement that should be included in certificates. If you want to embed a textual statement (for example, your company’s legal notice) in certificates, then add that statement here.
  • Page 212: NSCertTypeExt Plug-in Module

    NSCertTypeExt Plug-in Module. The NSCertTypeExt plug-in module implements the Netscape certificate type extension policy. This policy enables you to configure Certificate Management System to add the Netscape Certificate Type extension to certificates. The extension identifies the certificate type—for example, it identifies whether the certificate is a CA certificate, server SSL certificate, client SSL certificate, object signing certificate, or S/MIME certificate—and thus enables you to restrict the usage of a certificate to predetermined purposes.
  • Page 213 NSCertTypeExt Plug-in Module The Netscape certificate type extension policy has been implemented in such a way that it enables you to set the appropriate certificate-type bits for certificates being issued by Certificate Management System. This way, you can restrict the purposes for which a certificate should be used by adding the extension, with the appropriate bits set, to the certificate at the time of issuance.
  • Page 214 NSCertTypeExt Plug-in Module Additionally, the default enrollment forms—the directory-based, directory- and PIN-based, manual, Kerberos server-based, and NIS server-based enrollment forms—for various types of certificates also include the appropriate HTTP input variables corresponding to Netscape certificate type extension bits. For details about these forms, see “Enrollment Forms”...
  • Page 215: Configuration Parameters of NSCertTypeExt

    NSCertTypeExt Plug-in Module. where variable_name can be any of the variables listed in Table 4-19. Configuration Parameters of NSCertTypeExt. In the CMS configuration file, the NSCertTypeExt module is identified as <subsystem>.Policy.impl.NSCertTypeExt.class=com.netscape.cms.policy.NSCertTypeExt, where <subsystem> is the prefix identifying the subsystem. In the CMS window, the module is identified as NSCertTypeExt.
  • Page 216 NSCertTypeExt Plug-in Module. Table 4-20, Description of parameters defined in the NSCertTypeExt module. enable: Specifies whether the rule is enabled or disabled. Check the box to enable the rule. Uncheck the box to disable the rule (default). • If you enable the rule, be sure to review the enrollment forms for Netscape certificate type extension-specific variables and to set the remaining parameters of this policy correctly.
  • Page 217: NSCertTypeExt Rule

    OCSPNoCheckExt Plug-in Module. NSCertTypeExt Rule. The policy rule named NSCertTypeExt is an instance of the NSCertTypeExt module. Certificate Management System automatically creates this rule during installation. By default, the rule is configured as follows: • The rule is enabled. • The predicate expression is set (predicate=HTTP_PARAMS.certType!=CEP-Request) so that the extension gets added to all certificates except the ones issued to routers ...
  • Page 218 OCSPNoCheckExt Plug-in Module responder only if the certificate being validated includes the authority information access extension indicating the location of the OCSP responder; for information on adding this extension to certificates, see “AuthInfoAccessExt Plug-in Module” on page 132. When queried by an application on the status of a certificate, the OCSP responder sends a digitally signed response.
  • Page 219: Configuration Parameters of OCSPNoCheckExt

    OCSPNoCheckExt Plug-in Module. During installation, Certificate Management System automatically creates an instance of the OCSP no check extension policy. See “OCSPNoCheckExt Rule” on page 220. Configuration Parameters of OCSPNoCheckExt. In the CMS configuration file, the OCSPNoCheckExt module is identified as <subsystem>.Policy.impl.OCSPNoCheckExt.class=com.netscape. ...
  • Page 220: OCSPNoCheckExt Rule

    OCSPNoCheckExt Plug-in Module. Table 4-21, Description of parameters defined in the OCSPNoCheckExt module. enable: Specifies whether the rule is enabled or disabled. Check the box to enable the rule (default). Uncheck the box to disable the rule. • If you enable the rule and set the remaining parameters correctly, the server adds the OCSP no check extension to certificates specified by the predicate parameter.
  • Page 221: PolicyConstraintsExt Plug-in Module

    PolicyConstraintsExt Plug-in Module. The PolicyConstraintsExt plug-in module implements the policy constraints extension policy. This policy enables you to configure Certificate Management System to add the Policy Constraints Extension defined in X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) to certificates. The extension, which can be used in CA certificates only, constrains path validation in two ways—either to prohibit policy mapping or to require that each certificate in a ...
  • Page 222 PolicyConstraintsExt Plug-in Module. Figure 4-23, Parameters defined in the PolicyConstraintsExt module. The configuration shown in Figure 4-23 creates a policy rule named PolicyConsExtForCACert, which enforces a rule that the server should set the policy constraints extension in CA certificates only. Table 4-22 gives details about each of these parameters.
  • Page 223 PolicyConstraintsExt Plug-in Module. Table 4-22, Description of parameters defined in the PolicyConstraintsExt module (Continued). critical: Specifies whether the extension should be marked critical or noncritical in certificates specified by the predicate parameter. Check the box if you want the server to mark the extension critical.
  • Page 224: PolicyConstraintsExt Rule

    PolicyMappingsExt Plug-in Module. PolicyConstraintsExt Rule. The policy rule named PolicyConstraintsExt is an instance of the PolicyConstraintsExt module. Certificate Management System automatically creates this rule during installation. By default, the rule is configured as follows: • The rule is disabled; for the rule to be effective, it must be enabled and configured appropriately.
  • Page 225: Configuration Parameters of PolicyMappingsExt

    PolicyMappingsExt Plug-in Module. The policy mappings extension policy in Certificate Management System allows setting of the policy mappings extension as defined in its X.509 definition. The policy allows you to map policy statements of one CA to those of another by pairing the OIDs assigned to their policy statements.
  • Page 226 PolicyMappingsExt Plug-in Module. The configuration shown in Figure 4-24 creates a policy rule named PolicyMapExtForCACert, which enforces a rule that the server should set the policy mappings extension in CA certificates only. Table 4-23 provides details for each of these parameters. Table 4-23, Description of parameters defined in the PolicyMappingsExt module ...
  • Page 227 PolicyMappingsExt Plug-in Module. Table 4-23, Description of parameters defined in the PolicyMappingsExt module (Continued). numPolicyMappings: Specifies the total number of policy mappings (pairs) to be contained or allowed in the extension. Note that each policy mapping represents a pair of policies—specified by policyMap<n>.issuerDomainPolicy and policyMap<n>.subjectDomainPolicy—and each policy in the pair belongs to a specific CA.
  • Page 228: PolicyMappingsExt Rule

    PrivateKeyUsagePeriodExt Plug-in Module. PolicyMappingsExt Rule. The rule named PolicyMappingsExt is an instance of the PolicyMappingsExt module. Certificate Management System automatically creates this rule during installation. By default, the rule is configured as follows: • The rule is enabled. • The predicate expression is set (predicate=HTTP_PARAMS.certType==ca) so that the extension gets added to CA certificates only.
  • Page 229: Configuration Parameters of PrivateKeyUsagePeriodExt

    PrivateKeyUsagePeriodExt Plug-in Module. The private key usage period extension policy in Certificate Management System allows setting of the private key usage period extension as defined in its X.509 definition. The policy enables you to specify values for the notBefore and notAfter components. When included in a certificate, the notBefore and notAfter components define the time before and after which the private key ...
  • Page 230: RemoveBasicConstraintsExt Plug-in Module

    RemoveBasicConstraintsExt Plug-in Module. Table 4-24 provides details for each of these parameters. Table 4-24, Description of parameters defined in the PrivateKeyUsagePeriodExt module. enable: Specifies whether the rule is enabled or disabled. Check the box to enable the rule. Uncheck the box to disable the rule (default).
  • Page 231: Configuration Parameters of RemoveBasicConstraintsExt

    RemoveBasicConstraintsExt Plug-in Module The policy can be useful in certain enrollment scenarios. For example, enrollment requests from customized clients that can generate CRMF requests can include extensions, including the Basic Constraints extension, and the policy can detect the presence of the Basic Constraints extension and remove it. Configuration Parameters of RemoveBasicConstraintsExt In the CMS configuration file, the...
  • Page 232: SubjectAltNameExt Plug-in Module

    SubjectAltNameExt Plug-in Module. Table 4-25, Description of parameters defined in the RemoveBasicConstraintsExt module. enable: Specifies whether the rule is enabled or disabled. Check the box to enable the rule (default). Uncheck the box to disable the rule. • If you enable the rule and set the remaining parameters correctly, the server checks certificate requests for the Basic Constraints extension and removes it.
  • Page 233 SubjectAltNameExt Plug-in Module. Attributes in a certificate request are filled in by servlets from the HTTP input forms used for request submission. Some attributes, such as passwords typed in the form, are not stored in the request. Other attributes regarding the end entity, such as the user ID, are set on the request after successful authentication.
  • Page 234: Configuration Parameters Of Subjectaltnameext

    SubjectAltNameExt Plug-in Module Configuration Parameters of SubjectAltNameExt In the CMS configuration file, the module is identified as SubjectAltNameExt <subsystem>.Policy.impl.SubjectAltNameExt.class=com.netscape. , where (prefix cms.policy.SubjectAltNameExt <subsystem> identifying the subsystem). In the CMS window, the module is identified as . Figure 4-27 SubjectAltNameExt shows how the configurable parameters for the module are displayed in the CMS window.
  • Page 235 SubjectAltNameExt Plug-in Module
    Table 4-26 Description of parameters defined in the SubjectAltNameExt module
    enable: Specifies whether the rule is enabled or disabled. Check the box to enable the rule (default). Uncheck the box to disable the rule.
    • If you enable the rule and set the remaining parameters correctly, the server adds the subject alternative name extension to the certificates selected by the predicate parameter.
  • Page 236 SubjectAltNameExt Plug-in Module
    Table 4-26 Description of parameters defined in the SubjectAltNameExt module (Continued)
    generalName<n>.requestAttr: Specifies the request attribute whose value is to be included in the extension. The attribute value must conform to the general-name type selected for it (specified by the generalName<n>.generalNameChoice parameter).
  • Page 237: SubjectAltNameExt Rule

    SubjectAltNameExt Rule The policy rule named SubjectAltNameExt is an instance of the SubjectAltNameExt module. Certificate Management System automatically creates this rule during installation. By default, the rule is configured as follows: • The rule is enabled. • The predicate expression is left blank so that the extension gets added to all certificates the server issues.
  • Page 238: SubjectDirectoryAttributesExt Plug-in Module

    The first two attributes, AUTH_TOKEN.mail and AUTH_TOKEN.mailalternateaddress, correspond to the standard LDAP attributes typically used for storing end users' email addresses in an LDAP directory. These attributes enable you to include a user's email address as an alternative name in the certificate.
  • Page 239: Configuration Parameters of SubjectDirectoryAttributesExt

    The subject directory attributes extension policy in Certificate Management System allows you to include up to three directory attributes in the extension. For each attribute that you want to include in the extension, you need to specify the attribute name and its value: the name must be the X.500 directory attribute name itself, and the attribute value can be derived from the request or entered directly in the policy configuration as a string value.
  • Page 240 SubjectDirectoryAttributesExt Plug-in Module
    Figure 4-28 Parameters defined in the SubjectDirectoryAttributesExt module
    The configuration shown in Figure 4-28 creates a policy rule named SubDirAttrForClientCert, which enforces a rule that the server should set the subject directory attributes extension in client certificates. Table 4-27 provides details for each of these parameters.
  • Page 241 SubjectDirectoryAttributesExt Plug-in Module
    Table 4-27 Description of parameters defined in the SubjectDirectoryAttributesExt module (Continued)
    predicate: Specifies the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank (default). To form a predicate expression, see section "Using Predicates in Policy Rules"...
  • Page 242: SubjectKeyIdentifierExt Plug-in Module

    Table 4-27 Description of parameters defined in the SubjectDirectoryAttributesExt module (Continued)
    attribute<n>.whereToGetValue: Specifies from where to get the value for the selected directory attribute. Permissible values: Request Attribute or Fixed Value.
    • Select Request Attribute if you want the server to read the value from the request attribute.
  • Page 243: Configuration Parameters of SubjectKeyIdentifierExt

    The subject key identifier extension policy in Certificate Management System allows setting of the subject key identifier extension as defined in X.509. It enables you to specify the method for forming the Key Identifier. By default, the policy supports three types of methods for deriving the Key Identifier;...
  • Page 244 SubjectKeyIdentifierExt Plug-in Module
    In the CMS window, the module is identified as SubjectKeyIdentifierExt. Figure 4-29 shows how the configurable parameters for the module are displayed in the CMS window.
    Figure 4-29 Parameters defined in the SubjectKeyIdentifierExt module
    The configuration shown in Figure 4-29 creates a policy rule named SubKeyIDExtForAllCert, which enforces a rule that the server should set the subject key identifier extension in all certificates.
  • Page 245: SubjectKeyIdentifierExt Rule

    Table 4-28 Description of configuration parameters defined in the SubjectKeyIdentifierExt module
    predicate: Specifies the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank (default). To form a predicate expression, see section "Using Predicates in Policy Rules"...
  • Page 246 SubjectKeyIdentifierExt Plug-in Module For details on individual parameters defined in the rule, see Table 4-28 on page 244. It is important that you review this rule and make the appropriate changes required by your PKI setup. For example, if you’re planning to issue multiple certificates to an end entity and want to assist applications in identifying the appropriate end-entity certificate, you should consider modifying the predicate expression to add this extension to all end-entity certificates.
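    The key-identifier derivations that RFC 2459 defines for this extension, worked through in Python as an added example; this is not code from the Plug-Ins Guide or from Certificate Management System, and it does not show which of the three CMS methods is the default, since that part of the page is cut off. It implements the two RFC 2459 methods (full SHA-1 of the public key bits, and a 0100 nibble plus the low 60 bits), wraps the result as the OCTET STRING the extension carries, and shows the check a relying party or a CRL consumer relies on: the keyIdentifier in an Authority Key Identifier must equal the issuer's Subject Key Identifier, which is why the issuer and its CRLs have to agree on one method. The DER helpers and the SubjectPublicKeyInfo sample are constructed here; the key bytes are a labelled stand-in, not a real key.

```python
"""Derive an X.509 Subject Key Identifier from a SubjectPublicKeyInfo.

Added example: the two derivations in RFC 2459 section 4.2.1.2.  Not part
of Certificate Management System; the DER helpers below are minimal and
only handle what this example needs.
"""
import hashlib


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element: tag, definite length, body."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int = 0):
    """Decode the element at pos; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, start = first, pos + 2
    else:
        nb = first & 0x7F
        n = int.from_bytes(buf[pos + 2:pos + 2 + nb], "big")
        start = pos + 2 + nb
    return tag, buf[start:start + n], start + n


def subject_public_key_bits(spki_der: bytes) -> bytes:
    """Return the subjectPublicKey BIT STRING contents, minus the unused-bits octet.

    RFC 2459 hashes exactly these bytes: no tag, no length, no unused-bits count.
    """
    tag, seq, _ = der_read(spki_der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _alg_id, pos = der_read(seq)            # AlgorithmIdentifier, not needed here
    tag, bits, _ = der_read(seq, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("subjectPublicKey must be a byte-aligned BIT STRING")
    return bits[1:]


def key_identifier_sha1(spki_der: bytes) -> bytes:
    """Method 1: the full 160-bit SHA-1 hash of the public key bits (20 bytes)."""
    return hashlib.sha1(subject_public_key_bits(spki_der)).digest()


def key_identifier_truncated(spki_der: bytes) -> bytes:
    """Method 2: a 0100 type nibble followed by the low 60 bits of the SHA-1 hash (8 bytes)."""
    digest = hashlib.sha1(subject_public_key_bits(spki_der)).digest()
    tail = bytearray(digest[-8:])               # low 64 bits of the hash
    tail[0] = 0x40 | (tail[0] & 0x0F)           # replace the top nibble with 0100
    return bytes(tail)


def ski_extension_value(key_id: bytes) -> bytes:
    """SubjectKeyIdentifier ::= KeyIdentifier, a DER OCTET STRING."""
    return der_tlv(0x04, key_id)


def aki_matches_issuer(issuer_spki_der: bytes, aki_key_id: bytes) -> bool:
    """True if an Authority Key Identifier keyIdentifier names this issuer key.

    A certificate or CRL chains to the issuer by key identifier only if the
    value it carries equals the SKI the issuer published, whichever
    derivation the issuer used.
    """
    return aki_key_id in (key_identifier_sha1(issuer_spki_der),
                          key_identifier_truncated(issuer_spki_der))


# Constructed sample: an rsaEncryption AlgorithmIdentifier wrapped around a
# stand-in key body.  The body is NOT a real RSA key; it only exercises the code.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")      # 1.2.840.113549.1.1.1
SAMPLE_KEY_BITS = b"constructed example, not a real RSA key"
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")
                      + der_tlv(0x03, b"\x00" + SAMPLE_KEY_BITS))

if __name__ == "__main__":
    print("SHA-1 key id:     ", key_identifier_sha1(SAMPLE_SPKI).hex())
    print("truncated key id: ", key_identifier_truncated(SAMPLE_SPKI).hex())
    print("SKI extension DER:", ski_extension_value(key_identifier_sha1(SAMPLE_SPKI)).hex())
```

    Feed subject_public_key_bits a real DER SubjectPublicKeyInfo (for example the one inside an issued certificate) to reproduce the identifier the server put in the extension; if the value differs, the server is using its third method or hashing different bytes, and CRLs that reference the CA by key identifier will not match.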
  • Page 247: Chapter 5 Mapper Plug-In Modules

    Chapter 5 Mapper Plug-in Modules You can configure a Certificate Manager to publish certificates to an LDAP directory or flat file, and to publish CRLs to a directory, online validation authority, or flat file. If you configure the Certificate Manager to publish to any of these repositories, when the Certificate Manager is requested to issue a certificate or to update certificate information, it automatically updates the corresponding entry in the configured repository with relevant information.
  • Page 248: Overview of Mapper Modules

    Overview of Mapper Modules If you configure a Certificate Manager to publish to a directory, whenever the server issues a certificate or updates a certificate or CRL, it needs to locate the entry in the directory in order to update it. For example, to find the correct directory entry to update, the Certificate Manager needs to present Directory Server with search criteria (so that it can initiate an LDAP search operation);...
  • Page 249 Overview of Mapper Modules
    Figure 5-1 Default mapper modules registered with a Certificate Manager
    Table 5-1 lists the mapper modules provided for the Certificate Manager.
    Table 5-1 Default mapper plug-in modules for mapping certificates and CRLs
    LdapCaSimpleMap: Maps the CA certificate to the CA's directory entry by formulating the entry's DN from components specified in the certificate's issuer name and attribute value...
  • Page 250: LdapCaSimpleMap Plug-in Module

    Table 5-1 Default mapper plug-in modules for mapping certificates and CRLs (Continued)
    LdapSubjAttrMap: Maps a certificate to a directory entry by searching for the entry that contains the LDAP attribute named by the certSubjNameAttr parameter whose value exactly matches the certificate subject name.
  • Page 251 LdapCaSimpleMap Plug-in Module Note that if you already have one CA entry created in the publishing directory and you change the value assigned to the dnPattern parameter of this mapper to something different but with the same UID and O attributes, the mapper will fail to create the second CA entry.
  • Page 252: Configuration Parameters of LdapCaSimpleMap

    It is important that you review and customize these mappers. For instructions on modifying mappers or creating new mappers, see section "Configuring a Certificate Manager to Publish Certificates and CRLs" in Chapter 19, "Setting Up LDAP Publishing" of CMS Installation and Setup Guide. Configuration Parameters of LdapCaSimpleMap In the CMS configuration file, the module is identified as...
  • Page 253 LdapCaSimpleMap Plug-in Module
    Table 5-2 Description of parameters defined in the LdapCaSimpleMap module
    createCAEntry: Specifies whether the Certificate Manager should create an entry for the CA in the publishing directory. Check the box if you want the server to create the CA's entry (default).
  • Page 254: LdapCaCertMap Mapper

    LdapCaCertMap Mapper The mapper named LdapCaCertMap is an instance of the LdapCaSimpleMap module. The Certificate Manager automatically creates this mapper during installation. You can use this mapper for creating an entry for the CA in the directory and for mapping the CA certificate to the CA's entry in the directory.
  • Page 255 LdapDNCompsMap Plug-in Module begin a subtree search and the filter components to form a search filter for the subtree. If none of the DN components are configured, the server uses the base DN for the subtree. If the base DN is null and none of the DN components match, an error is returned.
  • Page 256 LdapDNCompsMap Plug-in Module The Certificate Manager uses the components in subject names to construct a DN that it can use as the base for searching specific directory entries in order to publish the corresponding certificate information. For example, suppose the subject name in the certificate is in this form: CN=Jane Doe, OU=Sales, O=Example Corporation, L=Mountain View, ST=California, C=US The Certificate Manager can use some or all of these components (...
  • Page 257: Configuration Parameters of LdapDNCompsMap

    To specify the components the Certificate Manager must use to distinguish between different entries in the directory, use the filterComps parameter; for details, see Table 5-3 on page 258. For example, if you entered , and values for the parameter, enter for the parameter only if...
  • Page 258 LdapDNCompsMap Plug-in Module
    Figure 5-4 Parameters defined in the LdapDNCompsMap module
    With this configuration, a Certificate Manager maps its certificates to the entries in the LDAP directory by using the dnComps values to form a DN and the filterComps values to form a search filter for the subtree. •...
  • Page 259 LdapDNCompsMap Plug-in Module
    Table 5-3 Description of parameters defined in the LdapDNCompsMap module (Continued)
    dnComps: Specifies where in the publishing directory the Certificate Manager should start searching for an LDAP entry that matches the CA's or the end entity's information (that is, the owner of the certificate).
  • Page 260: LdapDNExactMap Plug-in Module

    LdapDNExactMap Plug-in Module The LdapDNExactMap plug-in module implements the subject name mapper. This mapper enables you to configure a Certificate Manager to map a certificate to an LDAP directory entry by searching for the LDAP entry whose DN matches the certificate subject name.
  • Page 261: LdapSimpleMap Plug-in Module

    Figure 5-5 The LdapDNExactMap module
    LdapSimpleMap Plug-in Module The LdapSimpleMap plug-in module implements the simple mapper. This mapper enables you to configure a Certificate Manager to map a certificate to an LDAP directory entry by formulating the entry's DN from components specified in the certificate request, the certificate's subject name, a certificate extension, and attribute value assertion (AVA) constants.
  • Page 262: Configuration Parameters of LdapSimpleMap

    By default, the Certificate Manager uses mapper rules that are based on the simple mapper. During installation, the Certificate Manager automatically creates an instance (called a mapper) of the simple mapper module. The mapper is named LdapUserCertMap (see Figure 5-2 on page 251). You can use the default mapper to map the various types of end-entity certificates the server will issue to their corresponding directory entries.
  • Page 263: LdapUserCertMap Mapper

    LdapUserCertMap Mapper The mapper named LdapUserCertMap is an instance of the LdapSimpleMap module. The Certificate Manager automatically creates this mapper during installation. You can use this mapper for mapping end-user certificates to users' directory entries. The default DN pattern for locating end-user entries is as follows:
    UID=$subj.UID, OU=people, O=$subj.o
    The default pattern indicates that the Certificate Manager should use the UID and o values from the certificate subject name and a constant...
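    The two mapping strategies described on pages 255 to 263, as an added Python example that is not code from the Plug-Ins Guide or from Certificate Management System. dn_comps_map reproduces what the page says about LdapDNCompsMap: the dnComps values taken from the subject form the search base, the filterComps values form the filter, the configured base DN is the fallback when no dnComps match, and an empty base DN with no match is an error. simple_map reproduces the LdapUserCertMap pattern above, expanding $subj.<attr> tokens from the subject name while keeping constants such as OU=people. Two details are assumptions made here rather than statements from the page: matched dnComps are placed in front of the base DN, and a $subj token whose attribute is missing from the subject is treated as an error. The point a practitioner should take from it is the escaping: subject names are end-entity controlled input, so a value such as CN=*)(uid=* must be escaped before it is spliced into an LDAP filter or a DN. The sample subject is the one from the guide's own example.

```python
"""Map a certificate subject name to a directory entry.

Added example, not Certificate Management System code.  It mirrors the two
strategies described on this page: LdapDNCompsMap (dnComps -> search base,
filterComps -> search filter) and LdapSimpleMap (a dnPattern with $subj.<attr>
tokens).  How the real mapper joins dnComps with its base DN is an assumption
made here: the matched components are placed in front of the configured base DN.
"""
import re

_UNESCAPED_COMMA = re.compile(r"(?<!\\),")


def parse_dn(dn: str):
    """Split a string DN into (TYPE, value) pairs, most specific first.

    Handles backslash-escaped commas inside values (RFC 2253).
    """
    pairs = []
    for rdn in _UNESCAPED_COMMA.split(dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs


def ldap_filter_escape(value: str) -> str:
    """RFC 2254 escaping: a subject value must not be able to alter the filter.

    Without this, CN=*)(uid=* in a subject would turn into a wildcard match.
    """
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def dn_value_escape(value: str) -> str:
    """RFC 2253 escaping for a value that is being placed into a DN."""
    return re.sub(r'([,+"\\<>;])', r"\\\1", value)


def dn_comps_map(subject: str, dn_comps, filter_comps, base_dn: str = ""):
    """LdapDNCompsMap: return (search base, LDAP filter) for a subject name.

    If no dnComps match, the configured base DN is used; if that is empty too,
    the mapping fails, matching the error the page says the server reports.
    """
    pairs = parse_dn(subject)
    wanted = {c.upper() for c in dn_comps}
    base_parts = [f"{t}={dn_value_escape(v)}" for t, v in pairs if t in wanted]
    if base_parts:
        base = ", ".join(base_parts + ([base_dn] if base_dn else []))
    elif base_dn:
        base = base_dn
    else:
        raise ValueError("no dnComps matched the subject and no base DN is configured")

    wanted = {c.upper() for c in filter_comps}
    terms = [f"({t}={ldap_filter_escape(v)})" for t, v in pairs if t in wanted]
    if not terms:
        ldap_filter = "(objectClass=*)"
    elif len(terms) == 1:
        ldap_filter = terms[0]
    else:
        ldap_filter = "(&" + "".join(terms) + ")"
    return base, ldap_filter


def simple_map(dn_pattern: str, subject: str) -> str:
    """LdapSimpleMap: expand $subj.<attr> tokens in dnPattern from the subject name.

    Literal components such as OU=people are kept as written.  A token whose
    attribute is absent from the subject is an error rather than an empty RDN
    (assumed behaviour; the page does not say what the server does).
    """
    subj = {}
    for t, v in parse_dn(subject):
        subj.setdefault(t, v)          # first (most specific) occurrence wins

    def expand(match):
        name = match.group(1).upper()
        if name not in subj:
            raise KeyError(f"$subj.{match.group(1)} is not present in the subject name")
        return dn_value_escape(subj[name])

    return re.sub(r"\$subj\.([A-Za-z0-9]+)", expand, dn_pattern)


# Constructed sample input: the subject used in the guide's own example.
SAMPLE_SUBJECT = ("CN=Jane Doe, OU=Sales, O=Example Corporation, "
                  "L=Mountain View, ST=California, C=US")

if __name__ == "__main__":
    print(dn_comps_map(SAMPLE_SUBJECT, ["O", "C"], ["CN", "OU"]))
    print(simple_map("UID=$subj.UID, OU=people, O=$subj.o",
                     "UID=jdoe, CN=Jane Doe, O=Example Corporation, C=US"))
```

    With dnComps set to O and C and filterComps set to CN and OU, the sample subject yields the base O=Example Corporation, C=US and the filter (&(CN=Jane Doe)(OU=Sales)); the same call on a subject containing CN=*)(uid=* yields (CN=\2a\29\28uid=\2a), which matches nothing rather than every entry with a uid.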
  • Page 264: Configuration Parameters of LdapSubjAttrMap

    If no matching entries are found, the server returns an error and writes it to the log; see section "Monitoring CMS Logs" in Chapter 23, "Managing CMS Logs" of CMS Installation and Setup Guide. Configuration Parameters of LdapSubjAttrMap In the configuration file, the module is identified as LdapSubjAttrMap...
  • Page 265 LdapSubjAttrMap Plug-in Module
    Table 5-4 Description of parameters defined in the LdapSubjAttrMap module
    certSubjNameAttr: Specifies the name of the LDAP attribute that contains a certificate subject name as its value. Permissible values: Must be certSubjectName. Example: certSubjectName
    searchBase: Specifies the base DN for starting the attribute search. Permissible values: A valid DN of an LDAP entry.
  • Page 267: Chapter 6 Publisher Plug-In Modules

    Chapter 6 Publisher Plug-in Modules You can configure a Certificate Manager to publish certificates to an LDAP directory or flat file, and to publish CRLs to a directory, online validation authority, or flat file. If you configure the Certificate Manager to publish to any of these repositories, when the Certificate Manager is requested to issue a certificate or to update certificate information, it automatically updates the corresponding entry in the configured repository with relevant information.
  • Page 268: Overview of Publisher Modules

    Overview of Publisher Modules Publisher modules help you configure the Certificate Manager to publish a CA certificate, end-entity certificates, or CRLs to the following: • A mapped entry in the directory (entries are mapped by one of the mapper modules explained in Chapter 5, "Mapper Plug-in Modules.") •...
  • Page 269 Overview of Publisher Modules
    Table 6-1 Default publisher plug-in modules for publishing certificates and CRLs
    FileBasedPublisher: Publishes certificates and CRLs to a flat file (for exporting into other repositories). For details, see "FileBasedPublisher Plug-in Module" on page 270.
  • Page 270: FileBasedPublisher Plug-in Module

    For instructions on how to configure a Certificate Manager to use a publisher module, see section "Configuring a Certificate Manager to Publish Certificates and CRLs" in Chapter 19, "Setting Up LDAP Publishing" of CMS Installation and Setup Guide.
  • Page 271: LdapCaCertPublisher Plug-in Module

    Figure 6-2 Configuration parameters defined in the FileBasedPublisher module
    The configuration shown in Figure 6-2 creates a publisher named PublishCertsToFile, which can publish certificate and CRL files to a directory at C:\certificates.
    LdapCaCertPublisher Plug-in Module The LdapCaCertPublisher plug-in module implements the CA certificate publisher.
  • Page 272: Configuration Parameters of LdapCaCertPublisher

    Configuration Parameters of LdapCaCertPublisher In the CMS configuration file, the module is identified as LdapCaCertPublisher by the line
    ca.publish.publisher.impl.LdapCaCertPublisher.class=com.netscape.cms.publish.LdapCaCertPublisher
    In the CMS window, the module is identified as LdapCaCertPublisher. Figure 6-3 shows how the configurable parameters for the module are displayed in the CMS window.
  • Page 273: LdapCaCertPublisher Publisher

    Table 6-2 Description of parameters defined in the LdapCaCertPublisher module (Continued)
    caObjectClass: Specifies the object class for the CA's entry in the directory. Permissible values: Must be certificationAuthority. Example: certificationAuthority
    LdapCaCertPublisher Publisher The publisher named LdapCaCertPublisher is an instance of the LdapCaCertPublisher module.
  • Page 274: Configuration Parameters of LdapUserCertPublisher

    Configuration Parameters of LdapUserCertPublisher In the CMS configuration file, the module is identified as LdapUserCertPublisher by the line
    ca.publish.publisher.impl.LdapUserCertPublisher.class=com.netscape.cms.publish.LdapUserCertPublisher
    In the CMS window, the module is identified as LdapUserCertPublisher. Figure 6-4 shows how the configurable parameters for the module are displayed in the CMS window.
  • Page 275: LdapUserCertPublisher Publisher

    Table 6-3 Description of parameters defined in the LdapUserCertPublisher module
    certAttr: Specifies the directory attribute of the mapped entry to which the Certificate Manager should publish the certificate. Permissible values: Must be userCertificate;binary. Example: userCertificate;binary
    LdapUserCertPublisher Publisher The publisher named LdapUserCertPublisher is an instance of the...
  • Page 276: Configuration Parameters of LdapCrlPublisher

    Configuration Parameters of LdapCrlPublisher In the CMS configuration file, the module is identified as LdapCrlPublisher by the line
    ca.publish.publisher.impl.LdapCrlPublisher.class=com.netscape.cms.publish.LdapCrlPublisher
    In the CMS window, the module is identified as LdapCrlPublisher. Figure 6-5 shows how the configurable parameters for the module are displayed in the CMS window.
  • Page 277: LdapCrlPublisher Publisher

    LdapCrlPublisher Publisher The publisher named LdapCrlPublisher is an instance of the LdapCrlPublisher module. The Certificate Manager automatically creates this publisher during installation. You can use this publisher for publishing the CRL to the certificateRevocationList;binary attribute of the CA's entry in the directory.
    OCSPPublisher Plug-in Module The OCSPPublisher plug-in module implements the OCSP publisher.
  • Page 278 OCSPPublisher Plug-in Module
    Figure 6-6 Parameters defined in the OCSPPublisher module
    Table 6-5 describes these parameters.
    Table 6-5 Description of parameters defined in the OCSPPublisher module
    host: Specifies the hostname of the Online Certificate Status Manager. Permissible values: Must be the fully-qualified hostname of an Online Certificate Status Manager in this form: <machine_name>.<your_domain>.com. Example: ocspResponder.example.com
    Specifies the port number at which the Online Certificate Status Manager is listening...
  • Page 279: Chapter 7 Crl Extension Plug-In Modules

    Chapter 7 CRL Extension Plug-in Modules You can configure a Certificate Manager to generate CRLs and publish them to repositories such as an LDAP directory, a flat file, or an OCSP responder which other applications may use for checking the revocation status of a certificate or from which other applications can retrieve the CRL.
  • Page 280: Overview of CRL Extension Modules

    Overview of CRL Extension Modules To enable you to issue or publish X.509 v2 CRLs (that is, CRLs with extensions), Certificate Management System provides a set of plug-in modules; each module enables you to configure the Certificate Manager to set a particular CRL or CRL-entry extension in the CRLs it issues.
  • Page 281: AuthorityKeyIdentifier Rule

    Table 7-1 Default CRL extension modules
    AuthorityKeyIdentifier: Sets the Authority Key Identifier extension in CRLs. For details, see "AuthorityKeyIdentifier Rule" on page 281.
    CRLNumber: Sets the CRL Number extension in CRLs. For details, see "CRLNumber Rule"...
  • Page 282 AuthorityKeyIdentifier Rule For general guidelines on setting the authority key identifier extension in CRLs, see "authorityKeyIdentifier" on page 361. Figure 7-2 shows how the configurable parameters for the AuthorityKeyIdentifier rule are displayed in the CMS window.
    Figure 7-2 Parameters defined in the AuthorityKeyIdentifier rule
    The configuration shown in Figure 7-2 specifies that the server should not set the authority key identifier extension in CRLs. Note that RFC 2459 requires conforming CRL issuers to include this extension, using the key identifier method, in every CRL; without it a relying party that holds several certificates for the same issuer name cannot tell which key signed the CRL.
  • Page 283: CRLNumber Rule

    CRLNumber Rule The CRLNumber rule enables you to configure a Certificate Manager to set the CRL Number extension defined in X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) in CRLs. This extension specifies a monotonically increasing sequence number for each CRL issued by a CA, allowing CRL users to easily determine when a particular CRL supersedes another CRL. RFC 2459 requires conforming CRL issuers to include this extension in every CRL; without it, a relying party that caches CRLs can order them only by their thisUpdate times.
  • Page 284: CRLReason Rule

    Table 7-3 Description of parameters defined in the CRLNumber rule
    enable: Specifies whether the rule is enabled or disabled. Check the box to enable the rule. Uncheck the box to disable the rule (default).
    • If you enable the rule and set the remaining parameters correctly, the server sets the CRL number extension in CRLs.
  • Page 285 CRLReason Rule Figure 7-4 shows how the configurable parameters for the CRLReason rule are displayed in the CMS window.
    Figure 7-4 Parameters defined in the CRLReason rule
    The configuration shown in Figure 7-4 specifies that the server should set the CRL reason code extension in CRL entries.
  • Page 286: HoldInstruction Rule

    HoldInstruction Rule The HoldInstruction rule enables you to configure a Certificate Manager to set the CRL Hold Instruction extension defined in X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) in CRLs. The extension is a non-critical CRL entry extension that is used to specify a registered instruction identifier; the identifier indicates what action the validating application should take when it encounters a certificate that has been placed on hold.
  • Page 287: InvalidityDate Rule

    Table 7-6 Description of parameters defined in the HoldInstruction rule
    enable: Specifies whether the rule is enabled or disabled. Check the box to enable the rule. Uncheck the box to disable the rule (default).
    • If you enable the rule and set the remaining parameters correctly, the server sets the Hold Instruction extension in CRLs.
  • Page 288 InvalidityDate Rule Figure 7-6 shows how the configurable parameters for the InvalidityDate rule are displayed in the CMS window.
    Figure 7-6 Parameters defined in the InvalidityDate rule
    The configuration shown in Figure 7-6 specifies that the server should not set the invalidity date extension in CRL entries.
  • Page 289: IssuerAlternativeName Rule

    IssuerAlternativeName Rule The IssuerAlternativeName rule enables you to configure a Certificate Manager to set the Issuer Alternative Name extension defined in X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) in CRLs. This extension binds alternative identities, such as an Internet electronic mail address, a DNS name, an IP address, or a uniform resource identifier (URI), to the issuer of the CRL.
  • Page 290 IssuerAlternativeName Rule The configuration shown in Figure 7-7 specifies that the server should not set the issuer alternative name extension in CRLs. Table 7-8 describes these parameters.
    Table 7-8 Description of parameters defined in the IssuerAlternativeName rule
    enable: Specifies whether the rule is enabled or disabled. Check the box to enable the rule.
  • Page 291 IssuerAlternativeName Rule
    Table 7-8 Description of parameters defined in the IssuerAlternativeName rule (Continued)
    nameType<n>: Specifies the general-name type. Permissible values: rfc822Name, directoryName, dNSName, ediPartyName, URL, iPAddress, OID, or otherName.
    • Select rfc822Name if the name is an Internet mail address. •...
  • Page 292 IssuerAlternativeName Rule
    Table 7-8 Description of parameters defined in the IssuerAlternativeName rule (Continued)
    • If the type is ediPartyName, the name must be an IA5String. For example, Example Corporation.
    • If the type is URL, the value must be a non-relative uniform resource identifier (URI) following the URL syntax and encoding rules specified in RFC 1738 (http://www.ietf.org/rfc/rfc1738.txt).
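    The per-type checks that the nameType<n> table above (and the generalName<n>.generalNameChoice parameter of SubjectAltNameExt on pages 232 to 238) imply, as an added Python example; this is not code from the Plug-Ins Guide or from Certificate Management System. check_general_name validates one value against its declared type following RFC 2459 (rfc822Name, dNSName, URL and ediPartyName as IA5String; iPAddress as a real IPv4 or IPv6 address; URL absolute per RFC 1738; OID arcs in range), and build_san applies a SubjectAltNameExt-style list of (requestAttr, generalNameChoice) pairs to a request. Two behaviours are assumptions made here, since the page does not say how the server reacts: a value that fails its check fails the whole request instead of producing a malformed extension, and a request attribute that is simply absent is skipped. The AUTH_TOKEN.dnshostname attribute in the sample configuration is hypothetical; the AUTH_TOKEN.mail and AUTH_TOKEN.mailalternateaddress attributes are the ones named on this page. otherName is not validated by this example.

```python
"""Validate general-name values by type before they go into a
subjectAltName or issuerAltName extension.

Added example, not Certificate Management System code.  The type names are
the nameType<n> / generalNameChoice values listed on this page; the syntax
checks follow RFC 2459 (rfc822Name, dNSName, iPAddress, URL as IA5String) and
RFC 1738 (absolute URL).  How CMS itself reacts to a bad value is not stated
on the page; here a bad value fails the whole request, and a request attribute
that is simply absent is skipped.  otherName is not validated here.
"""
import ipaddress
import re
from urllib.parse import urlsplit

_IA5 = re.compile(r"^[\x00-\x7f]*$")
_DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_OID = re.compile(r"^\d+(\.\d+)+$")


def check_general_name(name_type: str, value: str):
    """Return (ok, reason).  ok is True when value is well-formed for name_type."""
    if name_type in ("rfc822Name", "dNSName", "URL", "ediPartyName") and not _IA5.match(value):
        return False, f"{name_type} must be an IA5String (7-bit ASCII)"
    if name_type == "rfc822Name":
        local, sep, domain = value.partition("@")
        if not sep or not local or not domain:
            return False, "rfc822Name must be an addr-spec of the form local@domain"
        return check_general_name("dNSName", domain)
    if name_type == "dNSName":
        if value.endswith(".") or not all(_DNS_LABEL.match(label) for label in value.split(".")):
            return False, "dNSName labels must be 1-63 letters, digits or hyphens, not starting or ending with a hyphen"
        return True, ""
    if name_type == "iPAddress":
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return False, "iPAddress must be a valid IPv4 or IPv6 address"
        return True, ""
    if name_type == "URL":
        parts = urlsplit(value)
        if not parts.scheme or not parts.netloc:
            return False, "URL must be absolute (scheme and host) per RFC 1738; relative URIs are not allowed"
        return True, ""
    if name_type == "ediPartyName":
        return True, ""                      # IA5String check already done above
    if name_type == "OID":
        if not _OID.match(value):
            return False, "OID must be dotted decimal with at least two arcs"
        arcs = [int(a) for a in value.split(".")]
        if arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
            return False, "first arc must be 0, 1 or 2; under 0 or 1 the second arc must be below 40"
        return True, ""
    if name_type == "directoryName":
        rdns = [r.strip() for r in value.split(",")]
        if not all(re.match(r"^[A-Za-z][A-Za-z0-9-]*=.+$", r) for r in rdns):
            return False, "directoryName must be a string DN of type=value components"
        return True, ""
    return False, f"{name_type} is not validated by this example"


def build_san(request_attrs: dict, config):
    """Apply a SubjectAltNameExt-style configuration to a request.

    config is a list of (requestAttr, generalNameChoice) pairs, i.e. the
    generalName<n>.requestAttr / generalName<n>.generalNameChoice parameters.
    Returns the list of (type, value) general names to encode.
    """
    names = []
    for request_attr, name_type in config:
        if request_attr not in request_attrs:
            continue                          # assumption: absent attribute, no name added
        value = request_attrs[request_attr]
        ok, reason = check_general_name(name_type, value)
        if not ok:
            raise ValueError(f"{request_attr}={value!r}: {reason}")
        names.append((name_type, value))
    return names


# Constructed sample request: the AUTH_TOKEN.* attributes named on this page
# plus one hypothetical attribute that the configuration references but the
# request lacks.
SAMPLE_REQUEST = {
    "AUTH_TOKEN.mail": "jdoe@example.com",
    "AUTH_TOKEN.mailalternateaddress": "jane.doe@example.com",
    "AUTH_TOKEN.uid": "jdoe",
}
SAMPLE_CONFIG = [
    ("AUTH_TOKEN.mail", "rfc822Name"),
    ("AUTH_TOKEN.mailalternateaddress", "rfc822Name"),
    ("AUTH_TOKEN.dnshostname", "dNSName"),   # hypothetical attribute, absent above
]

if __name__ == "__main__":
    print(build_san(SAMPLE_REQUEST, SAMPLE_CONFIG))
```

    The same check_general_name function serves the IssuerAlternativeName rule: run it over each nameType<n>/name<n> pair before enabling the rule, since a CRL with a malformed issuer name is rejected by strict validators only after it has been published.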
  • Page 293: IssuingDistributionPoint Rule

    IssuingDistributionPoint Rule The IssuingDistributionPoint rule enables you to configure a Certificate Manager to set the Issuing Distribution Point extension defined in X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) in CRLs. The CRL issuing distribution point extension enables you to specify a pointer to a particular CRL and to include additional information about the CRL at that location: whether it covers revocation of end-entity certificates only, CA certificates only, or revoked certificates that have a limited set of reason codes.
  • Page 294 IssuingDistributionPoint Rule The configuration shown in Figure 7-8 specifies that the server should not set the issuing distribution point extension in CRLs. Table 7-9 describes these parameters.
    Table 7-9 Description of parameters defined in the IssuingDistributionPoint rule
    enable: Specifies whether the rule is enabled or disabled. Check the box to enable the rule.
  • Page 295 IssuingDistributionPoint Rule
    Table 7-9 Description of parameters defined in the IssuingDistributionPoint rule (Continued)
    pointName: Specifies the name of the issuing distribution point. The name of the distribution point can be in any of the following formats. Permissible values: Depends on the value specified for the pointType parameter.
  • Page 296 IssuingDistributionPoint Rule
    Table 7-9 Description of parameters defined in the IssuingDistributionPoint rule (Continued)
    indirectCRL: Specifies whether the distribution point contains an indirect CRL. Check the box if the distribution point contains an indirect CRL. Uncheck the box if the distribution point doesn't contain an indirect CRL (default).
  • Page 297: Chapter 8 Log Plug-in Modules

    Chapter 8 Log Plug-in Modules Netscape Certificate Management System (CMS) can record events related to its activities, such as administration, communications using any of the protocols the server supports, and various other processes employed by all the subsystems that the server manages. To monitor these events, you need to capture them into a repository.
  • Page 298 Overview of Log Modules
    Figure 8-1 Default log modules
    Table 8-1 lists the log modules provided for a CMS instance.
    Table 8-1 Log plug-in modules
    file: Logs messages to a file. For details, see "file Plug-in Module" on page 299.
    NTEventLog: Logs messages to the Windows NT Event log (when you run a CMS instance on a...
  • Page 299: file Plug-in Module

    file Plug-in Module The file module enables you to configure Certificate Management System to log audit, error, and system messages to a file. The module also enables you to specify the following: • Filename • Log level or message category •...
  • Page 300: Configuration Parameters of file

    Configuration Parameters of file In the CMS configuration file, the module is identified as file by the line
    log.impl.file.class=com.netscape.cms.logging.RollingLogFile
    In the CMS window, the module is identified as file. Figure 8-2 shows how the configurable parameters for the module are displayed in the CMS window.
    Figure 8-2 Parameters defined in the file module
    Table 8-2 gives details about each of these parameters and their values.
  • Page 301 file Plug-in Module
    Table 8-2 Description of parameters defined in the file module (Continued)
    enabled: Specifies whether the listener is enabled to log messages.
    • Check the box if you want the server to log messages of the type specified in the type field.
  • Page 302: Audit Log Event Listener

    Table 8-2 Description of parameters defined in the file module (Continued)
    maxFileSize: Specifies the file size, in kilobytes (KB), for the active log file; the file will be rotated when its size reaches or exceeds the specified value. For details, see "Timing of Log File Rotation"...
  • Page 303: Error Log Event Listener

    • The buffer size for the active log file is set to 512 KB (bufferSize=512).
    • The interval for flushing the buffer to the file is set to 5 seconds (flushInterval=5).
    • The size limit for the active log file is set to 100 KB (maxFileSize=100).
    •...
    Buffered entries that have not yet been flushed are lost if the server process stops abruptly, so for an audit log a smaller buffer or a shorter flush interval trades throughput for a more complete record.
  • Page 304: System Log Event Listener

    System Log Event Listener The event listener named System is an instance of the file module. Certificate Management System automatically creates this listener during installation. By default, the listener is configured as follows: • The rule is enabled. •...
  • Page 305: Configuration Parameters of NTEventLog

    During installation, Certificate Management System automatically creates two instances, or listeners, of the NTEventLog module for logging audit and system messages. The listeners are named as follows: • NTAudit (see "NTAudit Event Listener" on page 307) • NTSystem (see "NTSystem Event Listener"...
  • Page 306 NTEventLog Plug-in Module
    Figure 8-3 Parameters defined in the NTEventLog module
    Table 8-3 gives details about each of these parameters and their values.
    Table 8-3 Description of parameters defined in the NTEventLog module
    type: Specifies the log (or event) type. Permissible values: audit or system.
  • Page 307: NTAudit Event Listener

    NTAudit Event Listener The event listener named NTAudit is an instance of the NTEventLog module. Certificate Management System automatically creates this listener during installation. By default, the listener is configured as follows: • The rule is enabled. •...
  • Page 309: Appendix A Distinguished Names

    Appendix A Distinguished Names This appendix explains what a distinguished name is and how Netscape Certificate Management System (CMS) uses distinguished names to automatically update certificate information in your corporate LDAP directory. The appendix has the following sections: • What Is a Distinguished Name? (page 309) •...
  • Page 310: Distinguished Name Components

    Distinguished Name Components A DN identifies an entry in an LDAP directory. Because directories are hierarchical, DNs identify the entry by its location as a path in a hierarchical tree (much as a path in a file system identifies a file). Generally, a DN begins with a specific common name and proceeds with increasingly broader areas of identification until the country name is specified.
  • Page 311: Root Distinguished Name

    Table A-1 Definitions of standard DN components (Continued)
    Locality (L): Identifies the place where the entry resides. The locality can be a city, county, township, or other geographic region. For example: • L=Mountain View •...
  • Page 312: Dns In Certificate Management System

    DNs in Certificate Management System Typically, an LDAP search consists of the following components: • The base DN—for example, O=example.com, C=US, which initiates a subtree search through all entries below this entry in the directory (in other words, all entries with the suffix O=example.com, C=US...
  • Page 313 DNs in Certificate Management System. Table A-2 Allowed characters for value types (Continued); columns: Attribute, Value type, Object identifier. Rows: Printable String of length 2, 2.5.4.6; Directory String, 2.5.4.7; Directory String, 2.5.4.8; STREET, Directory String, 2.5.4.9; TITLE, Directory String, 2.5.4.12; Directory String, 0.9.2342.19200300.100.1.1; MAIL, IA5String...
  • Page 314: Extending Attribute Support

    DNs in Certificate Management System Table A-3 Explanation of character sets for DNs (Continued). Value type: Directory String. Character set allowed: Any character in the format specified in Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names (see http://www.ietf.org/rfc/rfc2253.txt).
  • Page 315: Adding New Or Proprietary Attributes

    DNs in Certificate Management System Note the following: • The value converter class converts a string to an ASN.1 value. • It must implement the netscape.security.x509.AVAValueConverter interface. The string-to-value converter class can be one of these: • netscape.security.x509.PrintableConverter—converts a string to a Printable String value.
  • Page 316: Adding Attributes To An Enrollment Form

    DNs in Certificate Management System IA5StringConverter X500Name.attr.MYATTR3.oid=111.222.333.444.555.666 X500Name.attr.MYATTR3.class=netscape.security.x509.PrintableConverter Save your changes and close the file. Next, add each new attribute or component (for example, MYATTR1, MYATTR2, MYATTR3) to the enrollment form. For instructions, see “Adding Attributes to an Enrollment Form” on page 316. Restart the Certificate Manager.
  • Page 317 DNs in Certificate Management System <tr> <td valign="TOP"> <div align="RIGHT"> <font face="PrimaSans BT, Verdana, Arial, Helvetica, sans-serif" size="-1">Organization unit: </font> </div> </td> <td valign="TOP"> <input type="TEXT" name="OU" size="30" onchange="formulateDN(this.form, this.form.subject)"> </td> </tr> <tr> <td valign="TOP"> <div align="RIGHT"> <font face="PrimaSans BT, Verdana, Arial, Helvetica, sans-serif"...
  • Page 318: Changing The Der Encoding Order

    DNs in Certificate Management System distinguishedName.value += 'OU=' + escapeDNComponent(OU.value); if (form.DC != null) { if (DC.value != '') { if (doubleQuotes(DC.value) == true) { alert('Double quotes are not allowed in DC field'); DC.value = ''; DC.focus(); return; } if (distinguishedName.value != '') distinguishedName.value += ', ';...
  • Page 319: Role Of Distinguished Names In Certificates

    DNs in Certificate Management System To change the DirectoryString encoding: Stop the Certificate Manager. Go to this directory: <server_root>/cert-<instance_id>/config Open the configuration file, CMS.cfg, in a text editor. Add the encoding order to the configuration file. For example, if you want to specify two encoding values, PrintableString , and the encoding order is first and...
  • Page 320: Dns In End-Entity Certificates

    DNs in Certificate Management System DNs in End-Entity Certificates In end-entity certificates issued by Certificate Management System, DNs are used to identify the end entity that owns the certified key pair. The end entity is one of the following: • The individual who owns the certified key pair (for personal or client certificates—to form this type of DN, use the component to specify the...
  • Page 321: Selecting Dns For Certificates

    DNs in Certificate Management System For example: CN=Example Corporation Certificate Authority, O=Example Corporation, C=US Selecting DNs for Certificates Figure A-1 illustrates the structure of distinguished names you might select for CA certificates, server certificates, and personal certificates. Figure A-1 Sample directory hierarchy. DN Patterns and Certificate Subject Names You can configure Certificate Management System to issue certificates with subject...
  • Page 322 DNs in Certificate Management System Syntax dnPattern := rdnPattern *[ "," rdnPattern ] rdnPattern := avaPattern *[ "+" avaPattern ] avaPattern := name "=" value | name "=" "$attr" "." attrName [ "." attrNumber ] | name "=" "$dn" "." attrName [ "." attrNumber ] | "$dn" "." "$rdn" "." number Example 1 If the configured DN pattern is E=$attr.mail.1, CN=$attr.cn, OU=$dn.ou.2, O=$dn.o, C=US...
  • Page 323 DNs in Certificate Management System Example 3 If the configured DN pattern is CN=$attr.cn, $rdn.2, O=$dn.o, C=US LDAP entry: dn: UID=jdoe, OU=IS+OU=people, O=example.com LDAP attributes: cn: Jane Doe LDAP attributes: mail: jdoe@example.com The subject name formulated will be as follows: CN=Jane Doe, OU=IS+OU=people, O=example.com, C=US the (first) ‘...
  • Page 325: Appendix B Object Identifiers

    Appendix B Object Identifiers Netscape Certificate Management System (CMS) comes with a set of extension-specific policy plug-in modules that enable you to add X.509 certificate extensions to the certificates the server issues. Some of the extensions contain fields for specifying object identifiers. This appendix explains what an object identifier (OID) is and the significance of registering it.
  • Page 326 Registration of Object Identifiers a certificate practice statement (CPS) of your company. To implement this, you need to compose the policy statement you want to include in the extension, define an OID for the policy statement, and configure Certificate Management System with the OID so that it can add that to the certificate it issues.
  • Page 327: Appendix C Certificate And Crl Extensions

    Appendix C Certificate and CRL Extensions This appendix explains both the standard certificate extensions defined by X.509 v3 and the extensions defined by Netscape that were used in versions of products released before X.509 v3 was finalized. It also provides recommendations for extensions to use with specific kinds of certificates, including both PKIX Part 1 recommendations and Netscape extensions that must be supported for compatibility with early versions of Netscape products.
  • Page 328 Introduction to Certificate Extensions The X.509 v1 certificate specification was originally designed to bind public keys to names in an X.500 directory. As certificates began to be used on the Internet and extranets, and directory lookups could not always be performed, problem areas such as the following emerged that were not foreseen in the original specification: Trust—...
  • Page 329 Introduction to Certificate Extensions The X.509 v3 standard for certificates also suggests that you can define your own extensions and include them in certificates you issue. These extensions are called private, proprietary, or custom extensions and they carry information unique to your organization or business.
  • Page 330: Structure Of Certificate Extensions

    Introduction to Certificate Extensions Structure of Certificate Extensions In RFC 2459, an X.509 certificate extension is defined as follows: Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING } Which means, a certificate extension consists of the following: •...
  • Page 331: Sample Certificate Extensions

    Recommendations for Certificate Extension Use Note that not all applications support certificates with version 3 extensions. Applications that do support these extensions may not be able to interpret some or all of these specific extensions. Sample Certificate Extensions The following is an example of the section of a certificate containing X.509 v3 extensions.
  • Page 332 Recommendations for Certificate Extension Use cRLDistributionPoints. Defines how CRL information for the certificate is to be obtained. extKeyUsage. Indicates purpose or purposes for which the certificate may be used, either in addition to or instead of the purposes indicated by the keyUsage extension.
  • Page 333 Recommendations for Certificate Extension Use. Table C-1 Recommendations for Use of Certificate Extensions with CMS; columns: Certificate type, CA root, Intermediate CA, Issued certificate. SSL client certificate: authorityKeyIdentifier, authorityKeyIdentifier, authorityKeyIdentifier; basicConstraints: true (required), basicConstraints: true (required); cRLDistributionPoints, cRLDistributionPoints; extKeyUsage: client auth, extKeyUsage:, extKeyUsage: client auth...
  • Page 334 Recommendations for Certificate Extension Use. Table C-1 Recommendations for Use of Certificate Extensions with CMS (Continued); columns: Certificate type, CA root, Intermediate CA, Issued certificate. S/MIME client certificate (single key pair): authorityKeyIdentifier, authorityKeyIdentifier, authorityKeyIdentifier; cRLDistributionPoints, cRLDistributionPoints; extKeyUsage: Email, extKeyUsage: Email, extKeyUsage: Email; keyUsage:, keyUsage:...
  • Page 335 Recommendations for Certificate Extension Use. Table C-1 Recommendations for Use of Certificate Extensions with CMS (Continued); columns: Certificate type, CA root, Intermediate CA, Issued certificate. S/MIME client certificate (dual key pair): authorityKeyIdentifier, authorityKeyIdentifier, authorityKeyIdentifier; cRLDistributionPoints, cRLDistributionPoints; extKeyUsage: Email, extKeyUsage: Email, extKeyUsage: Email; keyUsage:, keyUsage:...
  • Page 336 Recommendations for Certificate Extension Use. Table C-1 Recommendations for Use of Certificate Extensions with CMS (Continued); columns: Certificate type, CA root, Intermediate CA, Issued certificate. SSL server certificate: authorityKeyIdentifier, authorityKeyIdentifier, authorityKeyIdentifier; cRLDistributionPoints, cRLDistributionPoints; extKeyUsage: Server Auth (recommended) in each of the three columns, Microsoft SGC and...
  • Page 337: Standard X.509 V3 Certificate Extensions

    Standard X.509 v3 Certificate Extensions Table C-1 Recommendations for Use of Certificate Extensions with CMS (Continued); columns: Certificate type, CA root, Intermediate CA, Issued certificate. Object signing/Authenticode certificate: authorityKeyIdentifier, authorityKeyIdentifier, authorityKeyIdentifier; cRLDistributionPoints, cRLDistributionPoints; extKeyUsage: Code Signing (required for Authenticode) in each of the three columns
  • Page 338 Standard X.509 v3 Certificate Extensions Each extension in a certificate can be designated as critical or noncritical. A certificate-using system, such as browser software, must reject the certificate if it encounters a critical extension it does not recognize; however, a noncritical extension can be ignored if it is not recognized.
  • Page 339: Authorityinfoaccess

    Standard X.509 v3 Certificate Extensions authorityInfoAccess 1.3.6.1.5.5.7.1.1 Reference 4.2.2.1 http://www.ietf.org/rfc/rfc2459.txt Criticality This extension must be noncritical. Discussion The Authority Information Access extension indicates how and where to access information about the issuer of the certificate. The extension contains an accessMethod and an accessLocation field.
  • Page 340: Authoritykeyidentifier

    Standard X.509 v3 Certificate Extensions OCSP signing certificates and CA signing certificates should only use the authorityInfoAccess extension to point to an OCSP responder if that responder has been configured to verify them. For example, if there is a hierarchy of responders, a subordinate responder may point to its parent for verification.
  • Page 341: Basicconstraints

    Standard X.509 v3 Certificate Extensions PKIX Part 1 requires this extension for all certificates except self-signed root CA certificates. Where a key identifier has not been previously established, PKIX recommends that the authorityCertIssuer and authorityCertSerialNumber fields be specified. These fields permit construction of a complete certificate chain by matching the fields in the SubjectName...
  • Page 342: Certificatepolicies

    Standard X.509 v3 Certificate Extensions Criticality PKIX Part 1 requires that this extension be marked critical. This extension is evaluated regardless of its criticality. Discussion This extension is used during the certificate chain verification process to identify CA certificates and to apply certificate chain path length constraints. The cA component should be set to true for all CA certificates.
  • Page 343: Crldistributionpoints

    Standard X.509 v3 Certificate Extensions Criticality This extension may be critical or noncritical. Discussion The Certificate Policies extension defines one or more policies, each of which consists of an OID and optional qualifiers. The extension can include a URI to the issuer’s Certificate Practice Statement or can embed issuer policy information, such as a user notice in text form.
  • Page 344: Extkeyusage

    Standard X.509 v3 Certificate Extensions Discussion This extension defines how CRL information for this certificate is to be obtained. It should be used if the system is configured to use CRL issuing points. If the extension contains a DistributionPointName of type URI, the URI is assumed to be a pointer to the current CRL for the associated reasons and will be issued by the associated...
  • Page 345 Standard X.509 v3 Certificate Extensions Criticality If this extension is marked critical, the certificate must be used for one of the indicated purposes only. If it is not marked critical, it is treated as an advisory field that may be used to identify keys but does not restrict the use of the certificate to the indicated purposes.
  • Page 346 Standard X.509 v3 Certificate Extensions. Table C-3 Private Extended Key Usage Extension Uses: Certificate trust list signing, 1.3.6.1.4.1.311.10.3.1; Microsoft Server Gated Crypto (SGC), 1.3.6.1.4.1.311.10.3.3; Microsoft Encrypted File System, 1.3.6.1.4.1.311.10.3.4; Netscape SGC, 2.16.840.1.113730.4.1. CMS Version Support Refer to “ExtendedKeyUsageExt Plug-in Module” on page 168. •...
  • Page 347: Issueraltname

    Standard X.509 v3 Certificate Extensions Microsoft allows users to control certificate properties that correspond to Extended Key Usage specifications. For example, from the Internet Explorer 4.0 user interface, the user may deselect a CA certificate in a list of CA certificates otherwise trusted for a given usage.
  • Page 348: Keyusage

    Standard X.509 v3 Certificate Extensions Microsoft Recommendation Microsoft products do not examine this extension. Microsoft recommends that, for the purposes of building certificate chains, authorityKeyIdentifier be used rather than issuerAltName or the certificate’s issuer name. keyUsage 2.5.29.15 Reference 4.2.1.3 http://www.ietf.org/rfc/rfc2459.txt Criticality This extension may be critical or noncritical.
  • Page 349 Standard X.509 v3 Certificate Extensions • encipherOnly if the public key is to be used only for enciphering data. If this bit is set, keyAgreement should also be set. • decipherOnly if the public key is to be used only for deciphering data. If this bit is set, keyAgreement should also be set.
  • Page 350: Nameconstraints

    Standard X.509 v3 Certificate Extensions Netscape Recommendation Netscape recommends this extension for all certificates if their intended purpose or purposes are known. Netscape requires this extension for all dual-key signing certificates. Microsoft Recommendation Microsoft recommends this extension for all certificates if their intended purpose or purposes are known.
  • Page 351: Ocspnocheck

    Standard X.509 v3 Certificate Extensions Netscape Recommendation Netscape products do not currently examine this extension. Microsoft Recommendation Microsoft products do not currently examine this extension. OCSPNocheck 1.3.6.1.5.5.7.48.4 Reference 4.2.2.2.1 http://www.ietf.org/rfc/rfc2560.txt Criticality This extension should be noncritical. Discussion The extension is meant to be included in an OCSP responder’s signing certificate. The extension tells an OCSP client that the signing certificate can be trusted without querying the OCSP responder (since the reply would again be signed by the OCSP responder, and the client would again request the validity status of the...
  • Page 352: Policyconstraints

    Standard X.509 v3 Certificate Extensions Netscape Recommendation Netscape recommends using this extension in OCSP responder signing certificates. The validity period should be short enough to minimize the potential impact of a compromised OCSP responder signing key on your organization. Microsoft Recommendation Microsoft products do not currently use online status checking.
  • Page 353: Policymappings

    Standard X.509 v3 Certificate Extensions policyMappings 2.5.29.33 References 4.2.1.6 http://www.ietf.org/rfc/rfc2459.txt Criticality This extension must be noncritical. Discussion The Policy Mappings extension is used in CA certificates only. It lists one or more pairs of OIDs used to indicate that the corresponding policies of one CA are equivalent to policies of another CA.
  • Page 354: Subjectaltname

    Standard X.509 v3 Certificate Extensions Discussion The Private Key Usage Period extension allows the certificate issuer to specify a different validity period for the private key than for the certificate itself. This extension is intended for use with digital signature keys. PKIX Part 1 recommends against the use of this extension.
  • Page 355 Standard X.509 v3 Certificate Extensions PKIX requires this extension for entities that are identified by name forms other than the X.500 distinguished name (DN) used in the subject field. PKIX Part 1 describes additional rules for the relationship between this extension and the subject field.
  • Page 356: Subjectdirectoryattributes

    Standard X.509 v3 Certificate Extensions subjectDirectoryAttributes 2.5.29.9 Reference 4.2.1.9 http://www.ietf.org/rfc/rfc2459.txt Criticality PKIX Part 1 requires that this extension be marked noncritical. Discussion The Subject Directory Attributes extension conveys any desired directory attribute values for the subject of the certificate. It is not recommended as an essential part of the proposed PKIX standard, but may be used in local environments.
  • Page 357: Introduction To Crl Extensions

    Introduction to CRL Extensions Discussion The Subject Key Identifier extension identifies the public key certified by this certificate. This extension provides a way of distinguishing public keys if more than one is available for a given subject name, for example after the certificate has been renewed with a new key.
  • Page 358: Structure Of Crl Extensions

    Introduction to CRL Extensions The extensions defined by ANSI X9 and ISO/IEC/ITU for X.509 v2 CRLs [X.509] [X9.55] enable you to associate additional attributes with CRLs. The Internet X.509 Public Key Infrastructure Certificate and CRL Profile (see http://www.ietf.org/rfc/rfc2459.txt) recommends a set of extensions to be used in CRLs.
  • Page 359: Sample Crl And Crl Entry Extensions

    Introduction to CRL Extensions If the extension is not critical and the CRL is sent to an application that does not understand the extension (based on the extension’s ID), the application can ignore the extension and accept the CRL. • An octet string containing the DER encoding of the value of the extension.
  • Page 360: Standard X.509 V3 Crl Extensions

    Standard X.509 v3 CRL Extensions Extensions: Identifier: Revocation Reason - 2.5.29.21 Critical: no Reason: Key_Compromise Serial Number: 0x10 Revocation Date: Thursday, December 17, 1998 2:37:24 AM Extensions: Identifier: Revocation Reason - 2.5.29.21 Critical: no Reason: Affiliation_Changed Serial Number: 0xA Revocation Date: Wednesday, November 25, 1998 5:11:18 AM Standard X.509 v3 CRL Extensions In addition to certificate extensions, the X.509 v3 proposed standard defines extensions to CRLs, which provide methods for associating additional attributes...
  • Page 361: Authoritykeyidentifier

    Standard X.509 v3 CRL Extensions authorityKeyIdentifier 2.5.29.35 Reference 5.2.1 http://www.ietf.org/rfc/rfc2459.txt Discussion The Authority Key Identifier extension for a CRL identifies the public key corresponding to the private key used to sign the CRL. For details, see the discussion under certificate extensions at authorityKeyIdentifier. CMS Version Support Refer to “AuthorityKeyIdentifier Rule”...
  • Page 362: Deltacrlindicator

    Standard X.509 v3 CRL Extensions CMS Version Support Refer to “CRLNumber Rule” on page 283. • CMS 4.1: Not supported • CMS 4.2: Supported • CMS 4.2-SP2: Supported • CMS 4.5: Supported • CMS 6.0: Supported deltaCRLIndicator 2.5.29.27 Reference 5.2.4 http://www.ietf.org/rfc/rfc2459.txt Criticality PKIX requires that this extension be critical if it exists.
  • Page 363: Issueraltname

    Standard X.509 v3 CRL Extensions issuerAltName 2.5.29.18 Reference 5.2.2 http://www.ietf.org/rfc/rfc2459.txt Discussion The Issuer Alternative Name extension allows additional identities to be associated with the issuer of the CRL. For details, see the discussion under certificate extensions at issuerAltName. CMS Version Support Refer to “IssuerAlternativeName Rule”...
  • Page 364: Crl Entry Extensions

    Standard X.509 v3 CRL Extensions • CMS 4.1: Not supported • CMS 4.2: Supported • CMS 4.2-SP2: Supported • CMS 4.5: Supported • CMS 6.0: Supported CRL Entry Extensions The sections that follow list the CRL entry extension types that are defined as part of the Internet X.509 v3 Public Key Infrastructure proposed standard, as of September 1998.
  • Page 365: Holdinstructioncode

    Standard X.509 v3 CRL Extensions • CMS 4.5: Supported • CMS 6.0: Supported holdInstructionCode 2.5.29.23 Reference 5.3.2 http://www.ietf.org/rfc/rfc2459.txt Discussion The Hold Instruction Code extension indicates the action to be taken after encountering a certificate that has been placed on hold. CMS Version Support Refer to “HoldInstruction Rule”...
  • Page 366: Reasoncode

    Netscape-Defined Certificate Extensions • CMS 4.2: Supported • CMS 4.2-SP2: Supported • CMS 4.5: Supported • CMS 6.0: Supported reasonCode 2.5.29.21 Reference 5.3.1 http://www.ietf.org/rfc/rfc2459.txt Discussion The Reason Code extension identifies the reason for certificate revocation. CMS Version Support Refer to “CRLReason Rule” on page 284. •...
  • Page 367: Netscape-Cert-Type

    Netscape-Defined Certificate Extensions The specifications for all Netscape-defined extensions are defined at http://home.netscape.com/eng/security/comm4-cert-exts.html. For most CMS deployments, only netscape-cert-type and netscape-comment need to be supported to maintain compatibility with Navigator 3.x. Therefore, only these two Netscape certificate extensions are described here. netscape-cert-type 2.16.840.1.113730.1 Discussion...
  • Page 368: Netscape-Comment

    CA Certificates and Extension Interactions • CMS 4.5: Supported • CMS 6.0: Supported netscape-comment 2.16.840.1.113730.13 Discussion The value of this extension is an IA5String. It is a comment that can be displayed to the user when the certificate is viewed. CMS Version Support Refer to “NSCCommentExt Plug-in Module”...
  • Page 369 CA Certificates and Extension Interactions. Columns: Extensions Present, Description. Neither extension: The certificate is not a CA. Both extensions: The certificate is a CA certificate if the cA component of basicConstraints is true. If one or more of the SSL CA (5), S/MIME CA (6), or object-signing CA (7) bits are set in the netscape-cert-type extension, then the CA will be limited to issuing certificates for the specified application...
  • Page 371: Index

    Index adding extensions base DN 311 to CRLs 280 Basic Constraints extension policy 144 to end-entity certificates 128 basicConstraints 341, 368 adding new directory attributes 315 built-in plug-in modules Attribute Present Constraints policy 86 See plug-in modules Audit log configuring 299 logging to Windows NT event log 304 authentication automated vs.
  • Page 372 extensions for 327–369 for policy 131 for publishing to a directory 269 challenge password 20 changing DER encoding order of DirectoryString 318 Chapter Single Template 309, 325 client certificates for DSA key pairs 58 Data Recovery Manager CMC request enrollment 57 logging to Windows NT event log 304 common features in extension policies 131 defining custom OIDs 325...
  • Page 373 issuerAltName 347, 363 issuingDistributionPoint 363 encrypted file system (EFS) 169 keyUsage 348 end-entity certificate publisher 273 nameConstraints 350 netscape-cert-type 367, 368 end-entity enrollment forms 53 netscape-comment 368 automated 54 Netscape-defined 366–369 manual 53 policyConstraints 352 end-entity forms policyMappings 353 for enrollment 55 privateKeyUsagePeriod 353 enrollment reasonCode 366...
  • Page 374 file-based logging Key Algorithm Constraints policy 97 configurable parameters 300 Key Usage extension policy 186 plug-in module name 300 keyUsage 348 file-based publisher 270 fonts used in this book 14 listing of CRL extension modules 281 Generic ASN.1 extension policy 174 of schedulable jobs 64 locating directory entries for publishing how to write custom plug-ins 250...
  • Page 375 UidPwdPinDirAuth 29 for CRL extensions Name Constraints extension policy 199 AuthorityKeyIdentifier 281 nameConstraints 350 CRLNumber 283 CRLReason 284 Netscape Certificate Comment extension policy 208 HoldInstruction 286 Netscape Certificate Type extension policy 212 InvalidityDate 287 netscape-cert-type 367, 368 IssuerAlternativeName 289 netscape-comment 368 IssuingDistributionPoint 293 NIS server-based authentication 35 list of 281...
  • Page 376 UniqueSubjectNameConstraints 117 how to write custom plug-ins 269 ValidityConstraints 120 publishing certificates and CRLs to directory entries for publishing 268 FileBasedPublisher 270 LdapCaCertPublisher 271 LdapCaSimpleMap 250 LdapCrlPublisher 275 LdapDNCompsMap 254 LdapDNExactMap 260 reasonCode 366 LdapSimpleMap 261 registering LdapSubjAttrMap 263 custom OIDs 325 LdapUserCertPublisher 273 Registration Manager list of 249, 269...
  • Page 377 templates for notifications 77 customizing 79 token list 79 templates for automated notifications 77 type styles used in this book 14 Unique Subject Name Constraints policy 117 user enrollment forms 55 user ID and password based authentication 22 configurable parameters 24 plug-in module name 24 user ID, password, and PIN based authentication 28 configurable parameters 29...
