End-Entity Authentication; Authentication Of End Entities During Certificate Enrollment; Authentication Of End Users During Certificate Renewal - Netscape MANAGEMENT SYSTEM 6.0 Installation And Setup Manual

End-Entity Authentication

This section provides an overview of how Certificate Management System
authenticates end entities during certificate enrollment, renewal, and revocation
processes.

Authentication of End Entities During Certificate Enrollment

When an end entity submits a certificate request, a Certificate Manager or
Registration Manager's first task is to identify and authenticate the end entity. The
server must perform this task before it can register the end entity for certificate
issuance. This task includes verifying the end entity's identity based on
information the end entity provides and returning enough information about the
end entity so that the subject name for the certificate can be constructed.

To cater to a variety of end-entity enrollment scenarios, Certificate Management
System supports both manual and automated certificate issuance. For a detailed
description of the authentication methods supported by the Certificate Manager and
Registration Manager, see Chapter 1, "Authentication Plug-in Modules," of the CMS
Plug-Ins Guide. To locate an online version of this guide, open the
<server_root>/manual/index.html file.

Authentication of End Users During Certificate Renewal

When an end user submits a certificate renewal request, the first step in the
renewal process is for the Certificate Manager or Registration Manager to identify
and authenticate the end user. This step includes making sure that the end user's
current certificate is either "valid" or "expired" ("revoked" is not acceptable).

Certificate Management System verifies the authenticity of a certificate renewal
request by mapping the subject name in the certificate being presented for renewal
to certificates in its internal database. The server renews the certificate only if the
subject name maps successfully to a certificate in its internal database. If the
internal database contains more than one certificate with the same subject name as
the one presented by the end entity for client authentication, the server lists all
the matching certificates and expects the end entity to pick one for renewal.

Here are a few things to keep in mind about certificate renewal:
• The certificate being presented by the end user for renewal must be issued by a
  Certificate Manager.
• If the renewal request is processed by a Registration Manager, the end-user
  certificate presented must be issued by a Certificate Manager that the
  Registration Manager knows and is connected to; the Registration Manager
  forwards certificate requests to this Certificate Manager for signing.
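
The renewal checks described above, sketched as an added example (not code from Certificate Management System or from this manual). The record layout, the function names, the simplified subject-name comparison, and the choice to leave revoked certificates out of the offered list are assumptions; the sample data is constructed.

```python
from dataclasses import dataclass

RENEWABLE = {"valid", "expired"}  # "revoked" is not acceptable for renewal

@dataclass(frozen=True)
class CertRecord:  # hypothetical record layout, not the CMS schema
    serial: int
    subject: str
    issuer: str
    status: str

class RenewalRejected(Exception):
    pass

def dn_key(dn):
    # Simplified DN comparison (assumption): trim spaces, fold case, keep RDN
    # order. Escaped commas and multi-valued RDNs are not handled.
    return tuple("=".join(p.strip().lower() for p in rdn.split("=", 1))
                 for rdn in dn.split(","))

def renewal_candidates(presented, database, known_cm_issuers):
    """Return the certificates the end user may pick from for renewal."""
    if dn_key(presented.issuer) not in {dn_key(i) for i in known_cm_issuers}:
        raise RenewalRejected("issuer is not a known Certificate Manager")
    same_subject = [r for r in database
                    if dn_key(r.subject) == dn_key(presented.subject)]
    if not same_subject:
        raise RenewalRejected("subject name maps to no certificate")
    # Status is read from the server's record, not from the presented copy.
    current = next((r for r in same_subject if r.serial == presented.serial), None)
    if current is None or current.status not in RENEWABLE:
        raise RenewalRejected("presented certificate is not renewable: "
                              + (current.status if current else "unknown"))
    # Assumption: revoked certificates are left out of the list offered.
    return sorted((r for r in same_subject if r.status in RENEWABLE),
                  key=lambda r: r.serial)

# Constructed sample data
CM = "CN=Example CM, O=Example Corp"
ALICE = "CN=Alice Example, OU=Eng, O=Example Corp"
DATABASE = [
    CertRecord(101, ALICE, CM, "expired"),
    CertRecord(102, ALICE, CM, "valid"),
    CertRecord(103, ALICE, CM, "revoked"),
    CertRecord(201, "CN=Bob Example, O=Example Corp", CM, "revoked"),
]

if __name__ == "__main__":
    presented = CertRecord(102, "cn=alice example,ou=eng,o=example corp", CM, "valid")
    print([r.serial for r in renewal_candidates(presented, DATABASE, [CM])])
```

When more than one record is returned, the caller shows the list and renews the one the end entity picks.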
Chapter 15
Setting Up End-User Authentication
Introduction to Authentication

This manual is also suitable for:

Certificate management system 6.0