Netscape MANAGEMENT SYSTEM 6.01 Installation And Setup Manual

Installation and Setup Guide
Netscape Certificate Management System
Version 6.01
May 2002


Summary of Contents for Netscape Certificate Management System 6.01

  • Page 2 Netscape Communications Corporation ("Netscape") and its licensors retain all ownership rights to the software programs offered by Netscape (referred to herein as "Software") and related documentation. Use of the Software and related documentation is governed by the license agreement for the Software and applicable copyright law. Your right to copy this documentation is limited by copyright law.
  • Page 3: Table Of Contents

    Contents: About This Guide (23); What’s in This Guide
  • Page 4 Auxiliary Components (64); Command-Line Utilities
  • Page 5 Step 1. Run the Installation Script — UNIX (110); Step 1.
  • Page 6 Self-Signed Root Versus Subordinate CA (171); CAs and Certificate Extensions
  • Page 7 Network Configuration (193); Certificate Manager Configuration
  • Page 8 Chapter 6 Installing Certificate Management System (211); Installation Overview (211); Installation Stages
  • Page 9 Removing an Instance From a System (302); Uninstalling Certificate Management System
  • Page 10 Chapter 10 CMS Configuration (335); Effects of Installation Type on Configuration
  • Page 11 Agents (373); Agent’s Certificate for SSL Client Authentication
  • Page 12 Transport Key Pair and Certificate (428); Storage Key Pair
  • Page 13 Step 3. Install the New Certificate (469); Step 4.
  • Page 14 Step 5. Set Up the Enrollment Interface (514); Step A.
  • Page 15 Step 4. Add New Jobs (549); Step 5.
  • Page 16 Revocation Checking by Netscape Servers (593); Publishing of CRLs to an LDAP Directory
  • Page 17 Step E. Set the CRL Extensions (656); Step F.
  • Page 18 Step A. Specify CRL Format and Publishing Interval (693); Step B.
  • Page 19 Step B. Connect the Enrollment Authority and the Data Recovery Manager (732); Step C. Customize the Certificate Enrollment Form (733); Step D.
  • Page 20 Using Event Viewer (767); Avoiding Event Log From Getting Filled
  • Page 21 Part 5 Appendix (807); Certificate Download Specification
  • Page 22 Netscape Certificate Management System Installation and Setup Guide • May 2002...
  • Page 23: About This Guide

    About This Guide The Installation and Setup Guide explains how to install, configure, and maintain Netscape Certificate Management System (CMS), and use it for issuing and managing certificates to various end entities, such as web browsers (users), servers, Virtual Private Network (VPN) clients, and Cisco™ routers. This preface has the following sections: •...
  • Page 24 What’s in This Guide • Chapter 2, “Certificate Enrollment and Life-Cycle Management” Provides sample deployment scenarios. • Chapter 3, “Default Demo Installation” Describes how to set up a simple pilot that demonstrates the basic capabilities of a Certificate Manager. Part 2, “Planning and Installation” •...
  • Page 25 What’s in This Guide • Chapter 15, “Setting Up End-User Authentication” Describes authentication methods for different types of CMS users, and explains how to configure a Certificate Manager or Registration Manager to use a specific authentication method for end-user enrollment. •...
  • Page 26: What You Should Already Know

    What You Should Already Know Part 5, “Appendix” • Appendix A, “Certificate Download Specification” Describes the data formats used by Netscape Communicator 4.x for installing certificates. Glossary Summarizes terms used in this guide and other CMS documentation. What You Should Already Know This guide is intended for experienced system administrators who are planning to deploy Certificate Management System.
  • Page 27: Conventions Used In This Guide

    Conventions Used in This Guide • Are familiar with the role of Netscape Console in managing Netscape servers. Otherwise, see the accompanying manual, Managing Servers with Netscape Console. • Are reading this guide in conjunction with the documentation listed in section “Where to Go for Related Information”...
  • Page 28: Where To Go For Related Information

    Where to Go for Related Information • Monospaced <>—Angle brackets enclose variables or placeholders. When following examples, replace the angle brackets and their text with text that applies to your situation. For example, when path names appear in angle brackets, substitute the path names used on your computer.
  • Page 29 Where to Go for Related Information • CMS Installation and Setup Guide (this guide) Describes how to plan for, install, and administer Certificate Management System. To access the installation and configuration information from within the CMS Installation Wizard or from the CMS window (within Netscape Console), click any help button.
  • Page 31: Part 1 Overview And Demo Installation

    Part 1 Overview and Demo Installation Chapter 1, “Introduction to Certificate Management System” Chapter 2, “Certificate Enrollment and Life-Cycle Management” Chapter 3, “Default Demo Installation”...
  • Page 33: Chapter 1 Introduction To Certificate Management System

    Chapter 1 Introduction to Certificate Management System This chapter introduces Netscape Certificate Management System (CMS), a highly configurable set of software components and tools for creating, deploying, and managing certificates. Based on open standards for certificate management, Certificate Management System leverages Netscape Directory Server and Netscape Console to provide a complete, scalable, high-performance certificate management solution for extranets and intranets.
  • Page 34: Overview Of Key Features

    Overview of Key Features. Certificate Management System has many core features. Support for open standards: With its support for open standards, Certificate Management System gives organizations confidence that they will be able to communicate within a heterogeneous computing environment.
  • Page 35 Overview of Key Features • Publishes CRLs to an online validation authority (or OCSP responder), enabling real-time verification of certificates by OCSP-compliant clients. For more information, see Chapter 21, “Setting Up an OCSP Responder.” Separate subsystems for certificate and key operations Certificate Management System includes four servers, the Certificate Manager, Registration Manager, Data Recovery Manager, and Online Certificate Status Manager.
  • Page 36 Overview of Key Features The Certificate Manager’s ability to support multiple Registration Managers makes it more scalable and also adds an extra layer of security for the CA. For example, you can set a policy that requires all clients to go through a remote Registration Manager, and then have the remote Registration Manager route all client requests to the Certificate Manager located inside a firewall.
  • Page 37: Flexible End-Entity Registration Services Framework

    Overview of Key Features PKCS #11 hardware support for smart cards and crypto accelerators Certificate Management System supports smart cards and crypto accelerators provided by various third-party vendors of PKCS #11 version 2.01-compliant products. You can configure the server to use different PKCS #11 modules to generate and store key pairs (and certificates) for the Certificate Manager, Registration Manager, and Data Recovery Manager.
  • Page 38 Overview of Key Features For information on enrollment, renewal, and revocation operations, see Chapter 15, “Setting Up End-User Authentication.” For information on automated notifications, see Chapter 16, “Setting Up Automated Notifications.” Built-in plug-in modules for authentication, policy, job scheduling, and publishing Certificate Management System simplifies the details involved in certificate issuance and management with its built-in, configurable, and extensible...
  • Page 39 Overview of Key Features Supports many methods for verifying the revocation status of certificates Revocation status of a certificate can be made available to PKI entities by publishing the CRL to various repositories. To aid you in this process, the Certificate Manager supports publishing of CRLs to the following repositories: •...
  • Page 40 Overview of Key Features Key archival and recovery for encryption private keys If your organization uses S/MIME to encrypt mail messages, you can use the key archival feature offered by Certificate Management System to back up users’ encryption private keys. This feature is useful when a key becomes unavailable—as, for instance, in the following cases: •...
  • Page 41: System Overview

    System Overview Java SDK extension mechanism for customization The software development kit (SDK) provided with Certificate Management System includes APIs and tutorials for customizing different aspects of the system. You can write the following custom modules: • Authentication—for authenticating end entities during certificate enrollment. •...
  • Page 42 System Overview • Secure Sockets Layer (SSL) • Lightweight Directory Access Protocol (LDAP) • Online Certificate Status Protocol (OCSP) • X.509 certificate formats recommended by the International Telecommunication Union (ITU) • Public-Key Infrastructure (X.509) (PKIX) standards proposed by the PKIX working group of the Internet Engineering Task Force (IETF).
  • Page 43: Public-Key Infrastructure

    System Overview • Search for certificates issued by the server. • Set up hierarchies of certificate authorities—multiple subordinate CAs chained up to a root CA. (Certificate Management System can also chain under popular public CAs that are already pretrusted in popular client and server products.) •...
  • Page 44: Cms Subsystems Or Managers

    System Overview End entities and CAs may be in different geographic or organizational areas or in completely different organizations that are linked through an extranet (that is, the extension of a company’s internal network, or intranet) to selected customers, suppliers, and mobile employees via the Internet. CAs may include third parties that provide services through the Internet as well as the root CAs and subordinate CAs for individual organizations.
  • Page 45: Certificate Manager

    System Overview machine outside the firewall. Others may have a single CA run by a single Certificate Manager and hundreds of Registration Managers in different geographic locations. Still others may have many different CAs or subordinate CAs, and only a few Registration Managers. The sections that follow explain each subsystem in detail.
  • Page 46 System Overview Note that the publishing tasks can be performed by the Certificate Manager only. The Certificate Manager also has a built-in OCSP service, enabling OCSP-compliant clients to directly query the Certificate Manager about the revocation status of a certificate that it has issued. For example, if you plan to deploy a PKI comprising a master CA and many clone CAs, you can enable the OCSP service of the master CA.
  • Page 47: Registration Manager

    System Overview • Invalidity date. Indicates the date on which the private key corresponding to the public key certified by the certificate was (or is suspected to have been) compromised. Registration Manager A Registration Manager is an optional component in the PKI, enabling you to separate the registration process from the certificate-signing process.
  • Page 48: Data Recovery Manager

    System Overview Data Recovery Manager A Data Recovery Manager performs the long-term archival and recovery of private encryption keys for end entities. A Certificate Manager or Registration Manager can be configured to archive end entities’ private encryption keys with a Data Recovery Manager as part of the process of issuing new certificates.
  • Page 49: Online Certificate Status Manager

    System Overview. Table 1-1 Key pairs used by end entities and key pairs used by the Data Recovery Manager. End-entity key pairs: the signing key pair and the encryption key pair. Data Recovery Manager key pairs: the transport key pair and the storage key pair. The table goes on to describe the public signing key, the public encryption key, the public transport key, and the public storage key...
  • Page 50: Basic System Configuration

    System Overview Basic System Configuration Figure 1-1 illustrates some of the data formats and protocols used among the four independent CMS managers and various kinds of end entities. To keep things simple, the figure assumes that each manager is installed in a different CMS instance and on a different machine.
  • Page 51 System Overview The end-entity data formats and transport methods shown in the figure are used to send enrollment and other requests to the Registration Manager (indicated by a right-pointing arrow) or to send responses back to the end entities (indicated by a left-pointing arrow).
  • Page 52 System Overview The Registration Manager communicates with the Data Recovery Manager and the Certificate Manager as necessary to facilitate certificate management operations such as enrollment, renewal, or key storage. When the four subsystems are installed in separate CMS instances (whether on the same machine or on different machines), they use proprietary connectors to communicate with each other over HTTPS—that is, HTTP over SSL, as shown in Figure 1-1.
  • Page 53 System Overview The Data Recovery Manager signs a proof-of-archival token with its private transport key and sends the token to the Registration Manager. The Registration Manager verifies the token and sends the certificate requests on to the Certificate Manager. The Certificate Manager issues the signing and encryption certificates and sends them back to the Registration Manager.
  • Page 54 System Overview The Data Recovery Manager indexes stored keys by owner name and a hash of the public key. This arrangement allows for highly efficient searching by name (all stored keys belonging to that owner are returned) or by public key (only the requested key is returned).
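The indexing scheme described above, as an added Python example rather than CMS code: archived keys are indexed both by owner name and by a hash of the public key, so a lookup by owner returns every key that owner has had archived (several, after renewals) while a lookup by public key returns exactly one. The guide does not name the hash algorithm, so SHA-256 is assumed; the rule that recovery needs approval from a quorum of distinct, known recovery agents (the guide only says recovery requires authorization from key recovery agents), the class and function names, and the sample owners and key bytes are all assumptions made for this example. The private key is kept as an opaque blob already wrapped under the storage key, since the guide describes that wrapping but not its format.

```python
"""Added example: a key-archive index modelled on the Data Recovery Manager
description in the guide. Not CMS code; SHA-256, the m-of-n approval rule and
the sample data are assumptions."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ArchivedKey:
    owner: str                  # owner name, e.g. the subject's directory name
    public_key: bytes           # public half of the archived encryption key pair
    wrapped_private_key: bytes  # private half, wrapped under the DRM storage key (opaque here)


def public_key_hash(public_key: bytes) -> str:
    # Index hash for the public key. The guide does not name the algorithm; SHA-256 is assumed.
    return hashlib.sha256(public_key).hexdigest()


class KeyArchive:
    """Stores wrapped encryption private keys and serves the two lookups the guide describes."""

    def __init__(self, recovery_agents, required_approvals=2):
        self._agents = frozenset(recovery_agents)   # agents allowed to authorize recovery
        self._required = required_approvals         # quorum size (assumed m-of-n rule)
        self._by_owner = {}   # owner name -> [ArchivedKey, ...]
        self._by_hash = {}    # public-key hash -> ArchivedKey

    def archive(self, record: ArchivedKey) -> str:
        h = public_key_hash(record.public_key)
        if h in self._by_hash:
            raise ValueError("this public key is already archived")
        self._by_hash[h] = record
        self._by_owner.setdefault(record.owner, []).append(record)
        return h

    def find_by_owner(self, owner: str):
        # All archived keys belonging to the owner.
        return list(self._by_owner.get(owner, ()))

    def find_by_public_key(self, public_key: bytes):
        # Exactly the key whose public half was presented, or None.
        return self._by_hash.get(public_key_hash(public_key))

    def approved(self, approvals) -> bool:
        # Only distinct, known agents count; duplicates and unknown names are ignored.
        return len(set(approvals) & self._agents) >= self._required

    def recover(self, public_key: bytes, approvals) -> bytes:
        """Release the wrapped key only when enough recovery agents have approved."""
        record = self.find_by_public_key(public_key)
        if record is None:
            raise KeyError("no archived key matches this public key")
        if not self.approved(approvals):
            raise PermissionError(f"recovery needs {self._required} distinct agent approvals")
        return record.wrapped_private_key


def build_sample_archive() -> KeyArchive:
    # Constructed sample data: Alice has had two encryption key pairs archived over time.
    archive = KeyArchive(recovery_agents={"agent1", "agent2", "agent3"})
    archive.archive(ArchivedKey("uid=alice,ou=People,o=Example", b"alice-pub-2001", b"wrapped-alice-1"))
    archive.archive(ArchivedKey("uid=alice,ou=People,o=Example", b"alice-pub-2002", b"wrapped-alice-2"))
    archive.archive(ArchivedKey("uid=bob,ou=People,o=Example", b"bob-pub-2002", b"wrapped-bob-1"))
    return archive


if __name__ == "__main__":
    a = build_sample_archive()
    print(len(a.find_by_owner("uid=alice,ou=People,o=Example")), "archived keys for alice")
    print(a.recover(b"alice-pub-2002", ["agent1", "agent3"]))
```

Searching by owner is the agent's normal entry point ("which keys does this user have?"); searching by public key is what the recovery path should use, because the requester already holds the certificate and the hash pins the request to one specific key.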
  • Page 55: Plug-In Modules

    System Overview System administrators set up CMS subsystems through Netscape Console, and agents manage end-entity requests and certificates through HTML pages. For more information about facilities available to administrators and agents, see Chapter 13, “Managing Privileged Users and Groups.” Plug-in Modules Certificate Management System includes a plug-in architecture for code modules that authenticate user identities and code modules that enforce policies.
  • Page 56 System Overview Table 1-2 Authentication plug-in modules for end-user enrollments Plug-in module name Description Manual authentication Requires manual approval by an agent. This authentication module is hardwired; you cannot configure it. This ensures that when the server receives requests that lack authentication credentials, it sends them to the request queue for agent approval.
  • Page 57: Policy Plug-In Modules

    System Overview Policy Plug-in Modules A policy module is a rule (implemented as a Java class) that validates the contents of a certificate request and formulates the contents of the certificate to be issued. Policy modules are also responsible for accepting, rejecting, or deferring the request.
  • Page 58 System Overview. Table 1-3 Policy plug-in modules for checking and formulating certificate contents (continued). KeyAlgorithmConstraints: allows the server to certify only those keys that are generated using one of the specified algorithms, such as RSA or DSA. RenewalConstraints: allows or rejects requests for renewal of expired certificates.
  • Page 59 System Overview. Table 1-4 Policy plug-in modules for setting extensions in certificates (continued). BasicConstraintsExt: adds the Basic Constraints extension to certificates of a specified type. This extension is used during the certificate chain verification process to identify CA certificates and to apply certificate chain path length constraints.
  • Page 60 System Overview. Table 1-4 Policy plug-in modules for setting extensions in certificates (continued). NSCCommentExt: adds the Netscape Certificate Comment extension to certificates. The extension can be used to include textual comments in certificates. NSCertTypeExt: adds the Netscape Certificate Type extension to certificates of a specified type.
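The chain-verification use of Basic Constraints that the BasicConstraintsExt entry refers to, as an added example (not CMS code), generalized to the RFC 5280 path-length rules rather than the single sentence on the page: every certificate that issued another must assert cA, and each non-self-issued intermediate consumes one unit of the tightest pathLenConstraint found above it. The Cert record, the function name, and the sample chains are constructed for this example.

```python
"""Added example: Basic Constraints processing during chain verification,
following the RFC 5280 path-length rules. Not CMS code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    name: str
    is_ca: bool                      # Basic Constraints cA flag
    path_len: Optional[int] = None   # pathLenConstraint; None means absent (unlimited)
    self_issued: bool = False        # subject == issuer, e.g. a CA re-keying itself


def check_basic_constraints(chain: List[Cert]) -> Tuple[bool, str]:
    """chain[0] is the trust anchor, chain[-1] the end-entity certificate.

    Every certificate between them must be a CA. A non-self-issued intermediate
    uses up one step of the remaining path length; a certificate's own
    pathLenConstraint can only tighten what its ancestors allow."""
    if len(chain) < 2:
        return False, "chain needs a trust anchor and an end-entity certificate"
    anchor = chain[0]
    if not anchor.is_ca:
        return False, f"{anchor.name}: trust anchor does not assert cA"
    remaining = anchor.path_len          # None = unlimited
    for cert in chain[1:-1]:             # intermediates only; the leaf need not be a CA
        if not cert.is_ca:
            return False, f"{cert.name}: issued a certificate but does not assert cA"
        if not cert.self_issued:
            if remaining is not None and remaining <= 0:
                return False, f"{cert.name}: exceeds the pathLenConstraint of an ancestor"
            if remaining is not None:
                remaining -= 1
        if cert.path_len is not None and (remaining is None or cert.path_len < remaining):
            remaining = cert.path_len    # a descendant may only tighten the constraint
    return True, "ok"


# Constructed sample chains (not real certificates).
ROOT_NO_SUBS = Cert("Root CA", True, path_len=0)
ROOT_ANY = Cert("Root CA", True)
SUB_CA = Cert("Sub CA", True)
SUB_CA_LEAFONLY = Cert("Sub CA", True, path_len=0)
SUB_CA_REKEYED = Cert("Sub CA (re-keyed)", True, self_issued=True)
NOT_A_CA = Cert("Server cert misused as issuer", False)
LEAF = Cert("End entity", False)


def sample_results():
    return {
        "root pathlen 0, direct leaf": check_basic_constraints([ROOT_NO_SUBS, LEAF])[0],
        "root pathlen 0 with a sub CA": check_basic_constraints([ROOT_NO_SUBS, SUB_CA, LEAF])[0],
        "sub CA pathlen 0 issuing a CA": check_basic_constraints([ROOT_ANY, SUB_CA_LEAFONLY, SUB_CA, LEAF])[0],
        "non-CA used as issuer": check_basic_constraints([ROOT_ANY, NOT_A_CA, LEAF])[0],
        "self-issued re-key is free": check_basic_constraints([Cert("Root CA", True, 1), SUB_CA, SUB_CA_REKEYED, LEAF])[0],
    }


if __name__ == "__main__":
    for case, ok in sample_results().items():
        print(f"{'accept' if ok else 'reject'}: {case}")
```

The last case is the one implementations most often get wrong: a self-issued certificate (a CA re-keying under the same name) does not count against the path length, so a root with pathLenConstraint 1 still reaches the leaf through the re-keyed sub CA.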
  • Page 61: Job Plug-In Modules

    System Overview In addition to the modules listed above, sample code provided with Certificate Management System demonstrates how to support additional extensions. The sample code is provided in the CMS Software Development Kit (SDK). For details, see section “CMS SDK” on page 65. For detailed information about using certificate extensions, see Appendix C, “Certificate and CRL Extensions”...
  • Page 62: Mapper And Publisher Plug-In Modules

    System Overview Mapper and Publisher Plug-in Modules Mapper and publisher plug-in modules enable Certificate Management System to establish a connection with the configured repository and publish certificates and CRLs. For example, LDAP-related mapper and publisher plug-in modules enable Certificate Management System to function seamlessly with an LDAP-compliant directory, such as Netscape Directory Server, that organizations typically use to maintain corporatewide data about user and group accounts and other network resources.
  • Page 63 System Overview • Independent CAs can issue and manage certificates to their users listed in any LDAP-compliant directory. For more information on setting up Certificate Management System to publish certificates and CRLs, see Chapter 19 through Chapter 21. Table 1-6 lists the mapper modules supported by Certificate Management System out of the box.
  • Page 64: Event-Driven Notifications

    Auxiliary Components. Table 1-7 Default publisher plug-in modules for publishing certificates and CRLs (plug-in module name: function). FileBasedPublisher: publishes certificates and CRLs to a flat file (for exporting into other repositories). LdapCaCertPublisher: publishes or unpublishes a certificate to the caCertificate;binary attribute of the mapped directory entry as a DER-encoded binary blob.
  • Page 65: Command-Line Utilities

    Auxiliary Components Command-Line Utilities A number of command-line utilities or tools are bundled with Certificate Management System. These tools are useful for troubleshooting any problems that you may encounter with Certificate Management System. The binaries for all the utilities are located in this directory: <server_root>/bin/cert/tools For detailed information about these utilities, see CMS Command-Line Tools Guide.
  • Page 66: Entry Points For Various Types Of Users

    Entry Points for Various Types of Users • Miscellaneous information about CMS features such as an AutoInstaller, an AutoRestart script for UNIX, and a large zip file containing a sophisticated demonstration of ObjectSigning capabilities. • Examples of how to use Certificate Management System with some third-party products.
  • Page 67 Entry Points for Various Types of Users. Table 1-8 Certificate Management System user entry points (user type; component/tool; CMS interface). End entity; web browser; End Entity Services. This interface provides the general front end for end-entity interactions with the server. Through this interface, the Certificate Manager or Registration Manager serves the appropriate HTML forms for end-entity operations (the Data Recovery Manager and Online Certificate Status Manager do not have an end-entity...
  • Page 68: Agent Services Interface

    Entry Points for Various Types of Users Agent Services Interface As an administrator, you can designate privileged users, called agents, for each subsystem. Agents are responsible for the day-to-day operation of requests from end entities. For details, see “Agents” on page 373. To enable agents to accomplish their duties, Certificate Management System provides a set of HTML forms for Certificate Manager, Registration Manager, Data Recovery Manager, and Online Certificate Status Manager agents.
  • Page 69: Registration Manager Agent Services

    Entry Points for Various Types of Users. Figure 1-5 Certificate Manager Agent Services interface. Using the default forms, a Certificate Manager agent can accomplish tasks such as these: • Listing deferred certificate requests from end entities and processing them • Listing certificates issued by the server •...
  • Page 70: Data Recovery Manager Agent Services

    Entry Points for Various Types of Users. Figure 1-6 Registration Manager Agent Services interface. Using the default forms, a Registration Manager agent can list deferred certificate requests from end entities and process them. Data Recovery Manager Agent Services: The Data Recovery Manager Agent Services interface enables a Data Recovery Manager agent to interact with the Data Recovery Manager (the server).
  • Page 71: Online Certificate Status Manager Agent Services Interface

    Entry Points for Various Types of Users. Figure 1-7 Data Recovery Manager Agent Services interface. Using the default forms, a Data Recovery Manager agent can search for and recover end users’ encryption private keys from the key archive. (Key recovery requires authorization from key recovery agents;...
  • Page 72: End-Entity Services Interface

    Entry Points for Various Types of Users. Figure 1-8 Online Certificate Status Manager Agent Services interface. Using the default forms, an Online Certificate Status Manager agent can perform tasks such as checking which CAs are currently configured to publish their CRLs to the Online Certificate Status Manager, identifying a Certificate Manager to the Online Certificate Status Manager, adding CRLs directly to the Online Certificate Status Manager, and viewing the status of OCSP service requests submitted by...
  • Page 73 Entry Points for Various Types of Users For a summary of the various end entities, protocols, cryptographic algorithms, and key pairs (single or dual) supported by Certificate Management System, see “End Entities and Life-Cycle Management” on page 98. Figure 1-9 shows the end-entity services interface of a Certificate Manager. Figure 1-9 End-entity services interface. Note that the Data Recovery Manager and Online Certificate Status Manager do...
  • Page 74: System Architecture

    System Architecture. Figure 1-10 shows the internal architecture of Certificate Management System. The sections that follow describe the basic elements of this architecture, starting at the bottom of the figure. Figure 1-10 CMS architecture
  • Page 75: Pkcs #11

    System Architecture PKCS #11 Public-Key Cryptography Standard (PKCS) #11 specifies an API used to communicate with devices that hold cryptographic information and perform cryptographic operations. Because it supports PKCS #11, Certificate Management System works with a wide range of hardware and software devices intended for such purposes.
  • Page 76: Nss

    System Architecture Any PKCS #11 module can be used with Certificate Management System. The server uses a file called secmod.db to keep track of the modules that are available. You can modify this file using the modutil tool.
  • Page 77: Middleware/Java 2 Layers

    Standards Summary Middleware/Java 2 Layers A middleware layer above JSS and the Java/JNI layer provides a range of services required by the Registration Manager, Certificate Manager, Data Recovery Manager, and Online Certificate Status Manager. The middleware layer is based on Java 2.0 SDK, and it underlies both the manager subsystems and the APIs available to third-party developers for building custom authentication and policy modules.
  • Page 78: Security And Directory Protocols

    Standards Summary • Certificate Request Message Format (CRMF). A message format used to convey a request for a certificate to a Registration Manager or Certificate Manager. A proposed standard from the Internet Engineering Task Force (IETF) PKIX working group. • Certificate Management Message Formats (CMMF).
  • Page 79 Standards Summary • KEYGEN tag. An HTML tag supported by Netscape browsers that generates a key pair for use with a certificate. For more information, see http://www.netscape.com/eng/security/comm4-keygen.html • Lightweight Directory Access Protocol (LDAP) v2, v3. A directory service protocol designed to run over TCP/IP and across multiple platforms. LDAP is a simplified version of Directory Access Protocol (DAP), used to access X.500 directories.
  • Page 81: Chapter 2 Certificate Enrollment And Life-Cycle Management

    Chapter 2 Certificate Enrollment and Life-Cycle Management This chapter explains how you can use Netscape Certificate Management System (CMS) for issuing certificates to end entities such as web browsers, servers, routers, and so on. The chapter has the following sections: •...
  • Page 82 Steps in End-Entity Enrollment Authenticate user. Authentication can be either automatic or manual. If the CMS manager is configured for automatic authentication, the servlet uses the authentication module specified by the form to validate the information provided by the user. For example, the directory authentication module that comes with Certificate Management System validates the user ID and password by comparing it to the user’s entry in an LDAP directory.
  • Page 83 Steps in End-Entity Enrollment. Figure 2-1 Roles of servlets, authentication modules, and policy modules in end-entity enrollment
  • Page 84: Some Enrollment Scenarios

    Some Enrollment Scenarios. Successful PKI deployment requires flexible and easy enrollment for end entities as well as ongoing support for certificate life-cycle management—that is, management of each certificate from enrollment through encryption key storage (if necessary), renewal, and revocation. The preceding section describes the internal flow of control among servlets, authentication modules, and policy modules in a CMS manager (see Figure 2-1 for a summary).
  • Page 85: Extranet/E-Commerce: Examplecorp

    Some Enrollment Scenarios • The Registration Manager provides only a subset of the capabilities of the Certificate Manager—those required for processing end-user requests. If the Registration Manager is compromised, the Certificate Manager can revoke its signing certificate (thus invalidating all subsequent requests from that Registration Manager) and issue a new one after the problem has been addressed.
  • Page 86: Enrolling Existing Customers

    Some Enrollment Scenarios The sections that follow describe how ExampleCorp uses Certificate Management System to achieve these goals: • Enrolling Existing Customers • Enrolling New Customers • Enrolling Extranet Users In all cases, ExampleCorp has decided to place its Certificate Manager behind the firewall and its Registration Manager outside the firewall, for reasons summarized in “Firewall Considerations”...
  • Page 87: Enrolling New Customers

    Some Enrollment Scenarios. Figure 2-2 Custom authentication against an existing customer database. Enrolling New Customers: The following process will be used for enrolling new ExampleCorp customers. In this case, the Registration Manager uses manual authentication to validate every certificate request personally before issuing the certificate. Figure 2-3 illustrates the steps in this process.
  • Page 88 Some Enrollment Scenarios Manual approval. The Registration Manager administrator may configure the Registration Manager to notify the agent via email whenever a new request is added to the request queue. In any case, when the agent processes the requests in the queue, he or she follows ExampleCorp’s procedure for processing credit checks and validating other customer information, including making a personal phone call.
  • Page 89: Enrolling Extranet Users

    Some Enrollment Scenarios. Figure 2-3 Manual authentication of new customers. Enrolling Extranet Users: ExampleCorp wants its new, certificate-enabled extranet applications to be available to contract workers, suppliers, employees, and others who routinely access parts of the company’s internal network. In general, this can be achieved by using Kerberos or other non-PKI security systems as the authentication mechanism for requesting a certificate.
  • Page 90 Some Enrollment Scenarios For example, to get a certificate, a contractor provides an ID and password to the Registration Manager, which uses the Kerberos system to verify them before passing on the certificate request to the Certificate Manager. This arrangement involves the following steps, illustrated in Figure 2-4.
  • Page 91: Pin Registration: Atlas Manufacturing

    Some Enrollment Scenarios. Figure 2-4 Custom authentication against an existing Kerberos security system. PIN Registration: Atlas Manufacturing. Atlas Manufacturing has decided to put information for its employees, suppliers, dealers, and customers—a total of nearly 500,000 people, including individual consumers and employees of several dozen other companies—on an extranet. Atlas already uses Netscape Directory Server to store names, addresses, and other information about the various groups of people who will need access to the extranet.
  • Page 92 Some Enrollment Scenarios results from salting and hashing. When customers use the PIN to enroll in the Atlas PKI, the PIN is automatically removed from the directory. Enrollment PINs are therefore more reliable than passwords, which must be protected over a long period of time.
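The PIN handling the Atlas scenario describes, as an added Python example (not CMS code or its PIN generator): the directory holds only a salted hash of each PIN, verification compares in constant time, a wrong PIN leaves the record in place, and a correct PIN is removed from the entry in the same step so it cannot be presented twice. The record layout (16-byte salt followed by SHA-256 of salt and PIN), the in-memory stand-in for the directory entry, and the function names are assumptions made for this example; the guide does not specify the hash or layout it uses.

```python
"""Added example: one-time enrollment PINs stored as salted hashes, modelled on
the Atlas PIN-registration scenario. Not CMS code; the record layout and the
in-memory directory are assumptions."""
import hashlib
import hmac
import os
import secrets
from typing import Optional

SALT_LEN = 16  # assumed record layout: salt || SHA-256(salt || pin)


def generate_pin(length: int = 8) -> str:
    # PINs are delivered to users out of band; the server keeps only the salted hash.
    return "".join(secrets.choice("0123456789") for _ in range(length))


def pin_record(pin: str, salt: Optional[bytes] = None) -> bytes:
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return salt + hashlib.sha256(salt + pin.encode()).digest()


class Directory:
    """Stand-in for the LDAP entries that hold one outstanding enrollment PIN per user."""

    def __init__(self):
        self.entries = {}   # uid -> {"pin": record}

    def set_pin(self, uid: str, pin: str) -> None:
        self.entries.setdefault(uid, {})["pin"] = pin_record(pin)

    def get_pin(self, uid: str) -> Optional[bytes]:
        return self.entries.get(uid, {}).get("pin")

    def remove_pin(self, uid: str) -> None:
        self.entries.get(uid, {}).pop("pin", None)


def verify_and_consume(directory: Directory, uid: str, presented: str) -> bool:
    """Check a presented PIN; on success remove it from the entry so it is spent."""
    record = directory.get_pin(uid)
    if record is None:
        return False                     # no PIN outstanding: never issued or already used
    salt, stored = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.sha256(salt + presented.encode()).digest()
    if not hmac.compare_digest(candidate, stored):
        return False                     # wrong PIN: the record stays for a later attempt
    directory.remove_pin(uid)            # right PIN: remove it so a replay fails
    return True


if __name__ == "__main__":
    d = Directory()
    pin = generate_pin()
    d.set_pin("uid=alice,ou=People,o=Atlas", pin)
    print("first use:", verify_and_consume(d, "uid=alice,ou=People,o=Atlas", pin))
    print("replay:", verify_and_consume(d, "uid=alice,ou=People,o=Atlas", pin))
```

Removing the PIN only on success matters in both directions: a wrong guess must not burn the user's PIN (that would be a trivial denial of service), and a correct PIN must be gone before the enrollment proceeds, not afterwards, so a second request racing the first cannot reuse it.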
  • Page 93: Vpn Client Enrollment And Revocation

    Some Enrollment Scenarios. Figure 2-5 PIN-based enrollment. VPN Client Enrollment and Revocation: Virtual private network (VPN) client software runs on a user’s desktop, outside the firewall, and uses the IP Key Management Protocol (IPKMP) or IP Security (IPSec) protocol to establish encrypted communication with VPN hardware that straddles the firewall.
  • Page 94 Some Enrollment Scenarios VPN client software can use several different protocols over HTTP or HTTPS to handle enrollment and other life-cycle management tasks. Certificate Management System supports the Certificate Enrollment Protocol (CEP) used by Cisco routers. CEP runs over HTTP and provides its own form of encryption. The following steps explain how VPN client software can use the Registration Manager and Certificate Manager to enroll in a PKI and what happens when the client’s certificate is revoked.
  • Page 95 Some Enrollment Scenarios. Figure 2-6 VPN client enrollment and revocation. The certificate includes information about a CRL distribution point, which is a directory that the VPN hardware can check for the latest CRL published by the Certificate Manager.
  • Page 96: Router Enrollment And Revocation

    Some Enrollment Scenarios Router Enrollment and Revocation Cisco routers support the use of certificates for authentication, encryption, and tamper detection with the IP Security (IPSec) protocol. Cisco routers also support CEP for certificate life-cycle management, as discussed in the previous section. The following steps describe how two routers can use a Certificate Manager to enroll in a PKI and what happens when a router’s certificate is revoked.
  • Page 97 Figure 2-7 Router enrollment and revocation.
  • Page 98: End Entities And Life-Cycle Management

    End Entities and Life-Cycle Management: Certificate Management System provides default web forms for all end-entity interactions involved in managing the life cycle of a certificate. It also provides forms, collectively called Agent Services, for agent interactions. These forms can be used as is or customized.
  • Page 99: Access To Subsystems

    Table 2-1 End entities, message formats, algorithms, and key pairs supported by Certificate Management System. Columns: End entity software | Enrollment message format over HTTP or HTTPS | Cryptographic algorithms | No. of key pairs. First row: Communicator 4.0 to 4.5 | KEYGEN tag | Signing and encryption: ... | Single key pair...
  • Page 100 End-entity interactions can take place over HTTP or HTTPS. For example, routers using CEP, which includes its own encryption scheme, use HTTP rather than HTTPS. For a more detailed discussion of these ports and examples of hands-on use, see Chapter 3, “Default Demo Installation.”...
  • Page 101: Html Forms For End Users

    HTML Forms for End Users: Each type of end-entity form provided by a Registration Manager or Certificate Manager determines the type of client, such as Communicator or Internet Explorer, and presents the appropriate input page. Each form also specifies both an authentication module and an output template.
  • Page 102: Netscape Personal Security Manager

    Table 2-2 shows the protocols supported by the default CMS life-cycle management servlets. Any of the HTML forms and their HTML help text can be customized. The Registration Manager also supports the creation of new forms. Some output templates can also be customized.
  • Page 103 • Automatic storage of encryption private keys with the Data Recovery Manager at the time a certificate is issued, if requested by the Registration Manager. • Automatic revocation checking each time Personal Security Manager verifies a certificate.
  • Page 104 Netscape Certificate Management System Installation and Setup Guide • May 2002...
  • Page 105: Chapter 3 Default Demo Installation

    Chapter 3 Default Demo Installation This chapter describes how to set up a simple installation that demonstrates the basic capabilities of a Certificate Manager with an integrated Registration Manager. It is intended for administrators who are already familiar with PKI concepts.
  • Page 106: Overview Of The Default Demo

    Overview of the Default Demo: The default demo installation described in this chapter is intended to provide a quick, hands-on experience of the basic Certificate Management System interfaces. It is intended for demonstration purposes only and relies on a number of default settings that may not be appropriate for a mission-critical installation.
  • Page 107 • Internal Database (Netscape Directory Server) for Certificate Management System. For each instance of Certificate Management System that you install, you also install an instance of Netscape Directory Server that acts as the internal database for certificate and request information. You use the main window of Netscape Console to perform basic tasks such as starting and stopping a server.
  • Page 108 Figure 3-1 Software installed and port numbers assigned for the default demo. You will also be asked to provide additional information, such as the name of each server instance to be installed, the names and passwords of various types of administrators, and information related to the CA signing certificate and SSL server certificate that the Certificate Manager must have available before it can begin operation.
  • Page 109: Demo Passwords

    To keep things simple for the default demo, most of the information requested during installation is set either to a default or to some arbitrary, convenient value. Before you attempt to install more sophisticated pilots or a full-scale deployment, you should read Chapter 4, “Planning Your Deployment”...
  • Page 110: Installing The Default Demo

    Installing the Default Demo. <token password>/<single-signon password>: Password for the CMS key database. The same password is used as the single sign-on password during server startup. This password is used to protect a special cache maintained for other passwords used by Certificate Management System;...
  • Page 111 Select the items you would like to install [1]: Press Enter. Server root [/usr/netscape/servers]: Press Enter to accept the default server root directory. (If you are not installing as , you probably will not have root permission to create directories in /usr, so you will have to choose another...
  • Page 112: Step 1. Run The Installation Script-Windows Nt

    Netscape configuration directory server administrator ID [admin]: Press Enter to accept the default, then enter the <admin password>. Suffix [ou=mydomain, ou=com]: Press Enter to accept the default. Directory Manager DN [cn=Directory Manager]: Press Enter to accept the default, then enter the <dir mgr password>...
  • Page 113 Welcome. Click Next. Software License Agreement. Click Yes. Select Server or Console Installation. Leave the default setting (Netscape Servers) selected and click Next. Chapter 3 Default Demo Installation...
  • Page 114 Type of Installation. Leave the default setting (Typical) selected and click Next. Location of Installation. Leave the default setting (C:\netscape\servers) selected and click Next.
  • Page 115 Components to Install. Leave all four components selected and click Next. Directory Server 6.0. Leave the default setting (This instance will be the configuration directory server) selected and click Next.
  • Page 116 Directory Server 6.0. Leave the default setting (Store data in this directory server) selected and click Next. Directory Server 6.0 Server Settings. Type the following values, then click Next: Server identifier: configDir. Server port: Accept the default. Suffix: Accept the default, which should be your company’s domain name, in the form dc=<domain_component1>, dc=<domain_component2>...
  • Page 117 Configuration Directory Administrator ID: admin. Password: <admin password>. Password (again): <admin password>. Directory Server 6.0 Administration Domain. Accept the default, which should be your company’s domain name, in the form <your_domain>.<domain>. Directory Server 6.0 Directory Manager Settings. Type the following values, then click Next:
  • Page 118 Directory Manager DN: cn=Directory Manager. Password: <dir mgr password>. Password (again): <dir mgr password>. Administration Server Port Selection. Type the value 4444 and click Next.
  • Page 119 Netscape Certificate Management System 6.0 Server identifier. Type the value demoCA and click Next. Configuration Summary. Click Next. Setup. At this point, the installation script extracts and installs the binaries for all of the servers in the server root directory and creates and starts instances of the Administration Server and Directory Server.
  • Page 120: Step 2. Run The Installation Wizard

    Completion of Installation. Leave the default setting (Launch Netscape Console) and click Finish. The first phase of the installation is now complete. The installation script has installed Netscape Console, installed and started an Administration Server and its configuration directory, and copied the files for Certificate Management System.
  • Page 121 If the Administration URL is not filled in, enter http://<myhost>:4444. In the navigation tree at the left, open your computer, then open Server Group. Select cert-demoCA and double-click it; alternatively, you can also click the Open button on the Certificate Management System panel on the right. After a few moments, the Installation Wizard appears.
  • Page 122 Introduction. Click Next. Logon Token. Enter the password for the cryptographic token or the key database. The same password will also be used as the single signon password for starting Certificate Management System. Password: <token password>. Password (again): <token password>...
  • Page 123 Instance ID: Accept the default (demoCA-db). Port number: Accept the default (38900). Directory Manager DN: cn=Directory Manager. Password: <intdb password>. Password (again): <intdb password>. At this point the system creates the internal database, which can take some time.
  • Page 124 Administrator. Type the following values, then click Next: Administrator ID: CMSadmin. Full name: Accept the default value. Password: <CMS password>. Password (again): <CMS password>. Subsystems. Click Next to accept the default selection (Certificate Manager). Remote Data Recovery Manager. Click Next to accept the default selection...
  • Page 125 At this point the system configures the internal database, which can take some time. CA’s serial number range. Click Next to accept the default (start at 0x1 with no upper limit). Internal OCSP Service. Click Next to accept the default (the option is selected). Network Configuration.
  • Page 126 CA Signing Certificate. Click Next to accept the default selection (Create self-signed CA certificate). Key-Pair Information for Certificate Manager CA Signing Certificate. Type the following values, then click Next: Token: Accept the default value (Internal). Password: <token password>...
  • Page 127 Message Digest Algorithm. Click Next to accept the default (SHA1). Subject Name for Certificate Manager CA Signing Certificate. Type the following values, then click Next: Common name (CN=): Demo CA. Organization Unit (OU=): Demo CMS. Organization (O=): <name of your company>...
  • Page 128 Certificate Extensions for Certificate Manager CA Signing Certificate. Click Next to accept the default selections. Certificate Manager CA Signing Certificate Creation. Click Next. SSL Server Certificate. Click Next to accept the default selection (Sign SSL selected).
  • Page 129 Key-Pair Information for Server SSL Certificate. Change the Key length to 1024, accept the default values for other fields, then click Next. Message Digest Algorithm. Click Next to accept the default (SHA1). Subject Name for SSL Server Certificate. Type the following values, then click Next.
  • Page 130 Validity Period for SSL Server Certificate. Modify year and month values of “Expire on” date to allow a validity period of one month from the installation date, then click Next.
  • Page 131 Certificate Extensions for SSL Server Certificate. Click Next to accept the default selections. SSL Server Certificate Creation. Click Next. The generation of the certificate can take some time. Single Signon Summary. Review the summary and then click Next.
  • Page 132 Configuration Status. Click Done. Certificate Management System starts automatically. The installation and configuration of Certificate Management System is now complete, and the Certificate Manager is running. The end-entity interface of Certificate Management System is now available through the web gateways whose ports you specified during installation.
  • Page 133: Step 3. Get The First User Certificate

    • The SSL agent gateway URL is: https://<machine_name>.<your_domain>.<domain>:8100 • The SSL end-user gateway URL is: https://<machine_name>.<your_domain>.<domain>:443 • The non-SSL end-user gateway URL is: http://<machine_name>.<your_domain>.<domain>:80 Step 3. Get the First User Certificate: After you complete configuration of Certificate Management System with the Installation Wizard, you must enroll for a certificate for the first agent.
  • Page 134 The first time you access this port, the system opens the Administrator/Agent Certificate Enrollment form. Because you have accessed an SSL port, Certificate Management System presents its SSL server certificate to your browser for authentication. This is the SSL server certificate that you just created during installation.
  • Page 135: If You Need The First Agent Form Again

    Subject Name: Full name: CMS Administrator. Login name: CMSadmin. Email address: <your email address>. Organization unit: CMS Demo. Organization: <name of your company>. User’s Key Length Information: Key Length: Select 1024 (High Grade). Note that the validity period of this initial agent certificate is hard-coded as one year.
  • Page 136: Using The Default Demo

    Using the Default Demo. Change false to true, and save the file. Start the server from the CMS window where you stopped it. Alternatively, right-click on cert-demoCA in the left frame and choose Start Server. The next time you access https://<hostname>:8200/ca/adminEnroll.html, the Administrative/Agent Enrollment form will be available again.
  • Page 137: Viewing Issued Certificates From The Agent Gateway

    • In “Finding and Approving a Certificate Request” you will approve the new certificate enrollment request and issue a new agent certificate. • In “Testing Your New Certificate” on page 140 you will use the new agent certificate to access the agent gateway.
  • Page 138: Enrolling For A Certificate From The End-Entity Gateway

    Click End Users Services. The Enrollment tab for the non-SSL end-entity gateway appears. Click the Retrieval tab. The form that appears is for the List Certificates option. Type into the field labeled “Lowest serial number,” then click Find to list the certificates that the Certificate Manager has issued so far.
  • Page 139: Finding And Approving A Certificate Request

    Follow the instructions your browser presents as it generates a key pair. After the key pair has been generated, the Certificate Manager displays a notice that the certificate request has been submitted, including a request ID. Use the browser’s Back button to go back to the Services Summary page.
  • Page 140: Setting Your Browser To Use The Agent Certificate

    Click Show Certificate to view the new certificate. At the bottom of the page is a button labeled Import Your Certificate. Normally, you would mail this page to the requestor, or the Certificate Manager would mail the requestor an automatic notification containing the certificate and instructions.
  • Page 141: Create A Policy

    Before you continue, you might want to try accessing the new installation from another computer and with a different login. Try enrolling for user certificates from there, using both the SSL and non-SSL end-user gateways. If you wish, you can also enroll for additional agent certificates.
  • Page 142 Log in as admin, giving the password <admin password>. The main window of Netscape Console appears. In the navigation tree on the left, open your computer, then open Server Group. Select the CMS instance (cert-demoCA). In the Certificate Management System panel at the right, click Open.
  • Page 143: Use An Ldap Directory

    In the Policy Editor dialog box, provide the following information: minSize: 1024; maxSize: 2048; exponents: accept the default setting; enable: true; predicate: HTTP_PARAMS.certType==client. The predicate indicates that this policy will be applied to certificate requests for client certificates only. The minSize sets the minimum allowed length for the RSA key pair used to generate the request;...
  • Page 144: Step 1. Enable Directory-Based Authentication

    You will first try to enroll using 512-bit keys; the enrollment will fail because of the policy requiring 1024-bit keys. After you submit a new request with a 1024-bit key, Certificate Management System should authenticate the user information in the directory and issue the certificate automatically.
  • Page 145: Step 2. Add A User To The Directory

    ldap.ldapconn.version: ; ldap.basedn: o=<your domain>.<domain>; ldap.minConns: ; ldap.maxConns: . Click OK. NOTE: If you leave the dnpattern field blank, the default dnpattern used is E=$attr.mail,CN=$attr.cn,O=dn.o,C=$dn.c. This pattern works well with Communicator and other browsers. For the demo, you used a simpler dnpattern to avoid configuring other things.
  • Page 146 To add a user to the configuration directory’s subtree for users and groups: Start Netscape Console again, or go back to the main window. Select the Users and Groups tab and click Create (in the lower right corner). In the Select Organization Unit dialog box, select People and click OK.
  • Page 147: Step 3. Enroll With Directory-Based Authentication

    Click OK. You can see that User Two has been added to the list of users. Step 3. Enroll with Directory-Based Authentication: Now that there is a user in the authentication directory, you can test directory-based authentication. In order to show the key length policy working, you will request the certificate using a 512-bit key first, then change the request to use a 1024-bit key.
  • Page 148: Publish Certificates To An Ldap Directory

    Click OK, and provide your key database password if requested. After the key is generated, your browser submits the certificate request to the Certificate Manager. The Certificate Manager verifies the request against all applicable policies (including the RSA key length policy for client certificates you configured earlier).
  • Page 149: Configure The Publishing Destination

    Mappers translate objects (such as certificates) in the internal database into some other form for publishing. You will configure an LDAP mapper to translate the user name in a client certificate request to a distinguished name (DN) in the publishing directory.
  • Page 150: Set Rules For Publishing Certificates

    Click Save. A dialog box appears that indicates whether Certificate Management System is able to connect, authenticate, and bind to the directory. If your configuration is not successful, make sure that the entries you make in the Destination area correspond to how you configured the Configuration Directory Server when you ran the program.
  • Page 151 Below Publishing in the navigation tree, click Mappers. In the Mappers Management tab, select LdapUserCertMap and click Edit/View. Change the dnPattern parameter value to UID=$req.UID, OU=people, O=<your domain>.<domain>. This pattern will cause the mapper to formulate a DN using the user ID from the certificate request (the data entered in the User ID field on the end entity enrollment form) and fixed values for OU and O.
  • Page 152: Update The Publishing Directory

    Click OK. Certificate Management System can now publish user certificates in the configuration directory. You do not need to configure the Publisher or Rule. If you want to see more about how the rule works, look at LdapUserCertRule under Rules (using the Edit/View button) and the under...
  • Page 153: Send Renewal Reminders

    Click Cancel to close the Property Editor dialog box, but leave the Edit Entry dialog box open if you can: you will open the Property Editor again after you manually publish certificates. To publish certificates to the directory manually: In a browser, go to the URL for the SSL agent port.
  • Page 154: Configuring A Mail Server For Certificate Management System

    This exercise will show you how to use the jobs facility to send out automatic renewal reminders to entities. You will configure Certificate Management System to send email to entities starting 400 days before the certificate expires. In a real deployment, of course, you would probably not start reminding certificate holders to renew until 30 days before expiration.
  • Page 155: Configuring Certificate Management System To Send Renewal Reminders

    Click Save. Configuring Certificate Management System to Send Renewal Reminders: To configure Certificate Management System to send renewal reminders: Open the CMS console window and select the Configuration tab. Open Job Scheduler in the navigation tree. Select Jobs.
  • Page 156 Make sure the following parameters have the listed values: enabled: true; cron: * * * * * (include spaces between the asterisks); notifyTriggerOffset: ; senderEmail: <your email address>; summary.enabled: true; summary.recipientEmail: <your email address>; summary.senderEmail: <your email address>. Click OK.
  • Page 157 Select the Enable Jobs Scheduler checkbox. Click Save. You should begin receiving email after one minute. After the scheduler has been running for a few minutes, deselect the Enable Jobs Scheduler checkbox. Click Save. Check your email. You will have at least two messages.
  • Page 158 The message content, format, and subject are all customizable, so in a real deployment you can create messages that better suit your organization. You have now completed the default demo. Before you attempt to install more sophisticated pilots or a full-scale deployment, you should read Chapter 4, “Planning Your Deployment”...
  • Page 159: Part 2 Planning And Installation

    Part 2 Planning and Installation Chapter 4, “Planning Your Deployment” Chapter 5, “Installation Worksheet” Chapter 6, “Installing Certificate Management System” Chapter 7, “Installing and Uninstalling CMS Instances” Chapter 8, “Starting and Stopping CMS Instances”...
  • Page 161: Chapter 4 Planning Your Deployment

    Chapter 4 Planning Your Deployment Before installing Netscape Certificate Management System (CMS) in any real-life deployment, you first need to plan all aspects of the proposed installation. It’s important to consider all potential issues carefully before installation. Omissions or faulty assumptions in the planning process can cause severe problems later. This chapter provides an overview of the most important decisions you need to make.
  • Page 162: Topology Decisions

    Topology Decisions: Certificate Management System allows you to install the Certificate Manager, Registration Manager, Data Recovery Manager, and Online Certificate Status Manager in many different configurations. Since CAs can delegate some responsibilities to subordinate CAs, a Certificate Manager might delegate responsibilities to one or more levels of subordinate Certificate Managers.
  • Page 163: Certificate Manager And Registration Manager

    Figure 4-1 shows the relationships among a single Certificate Manager, end entities, and a publishing directory. The Certificate Manager can publish both end-entity certificates and CRLs to a directory. Figure 4-1 Single root Certificate Manager. Certificate Manager and Registration Manager: Many organizations need to separate the role of the Registration Manager from the role of the Certificate Manager.
  • Page 164 Each group of end entities interacts with a designated Registration Manager that processes requests from end entities and sends them to a Certificate Manager. The Certificate Manager can accept requests from both end entities and Registration Managers. For example, end entities at the home office might deal directly with the Certificate Manager, while end entities at a branch office might deal with their own Registration Manager.
  • Page 165: Certificate Manager And Data Recovery Manager

    In many organizations, it may be desirable to deploy multiple Registration Managers that all communicate with a single Certificate Manager. Each separate Registration Manager, for example, might handle all end-entity interactions in a particular geographic area or within an organizational group. Decisions about the number of, locations of, and relationships among Certificate Managers and Registration Managers depend on many factors.
  • Page 166 Figure 4-3 Certificate Manager and Data Recovery Manager in different instances. The Data Recovery Manager is intended for archival and recovery of private encryption keys only. Therefore end entities must be using either a browser that supports dual-key generation or a browser that is using Netscape Personal Security Manager, which supports dual keys.
  • Page 167: Certificate Manager, Data Recovery Manager, And Registration Manager

    Certificate Manager, Data Recovery Manager, and Registration Manager: The three CMS subsystems can be deployed in many different relationships. Figure 4-4 illustrates some of the issues involved in deploying all three subsystems by showing the relationships among a single Certificate Manager, a single Registration Manager, and a single Data Recovery Manager, each installed in a different CMS instance on a different machine.
  • Page 168 Figure 4-4 Certificate Manager, Registration Manager, and Data Recovery Manager in separate instances. NOTE: The current design of Certificate Management System assumes that most deployments will rely on a single Data Recovery Manager (associated with either a Registration Manager or a Certificate Manager).
  • Page 169: Cloned Certificate Manager

    Certificate Authority Decisions Cloned Certificate Manager A cloned Certificate Manager is a CMS server instance that uses the same CA signing key and certificate as another Certificate Manager, identified as the master Certificate Manager. Each Certificate Manager issues certificates with serial numbers in a restricted range so that all of the servers together act as a single Certificate Authority (operating in several server processes).
  • Page 170: Ca's Distinguished Name

    • CAs and Certificate Extensions • CA Certificate Renewal or Reissuance. CA’s Distinguished Name: The core elements of a CA consist of a signing unit and the Certificate Manager’s own identity. The signing unit digitally signs certificates requested by end entities that use a specified enrollment process to establish their identities.
  • Page 171: Ca Signing Certificate's Validity Period

    Many people no longer consider an RSA key of length less than 1024 bits to be cryptographically strong. Export and other regulations permitting, it may be a good rule of thumb to start with 1024 bits and consider increasing the length to 4096 bits for certificates that provide access to highly sensitive data or services.
  • Page 172: Cas And Certificate Extensions

    ...your root certificate into all the browsers used with the certificates you issue. If you are using Netscape Communicator as your client, you can accomplish this task within an intranet by using tools such as Mission Control Desktop or with the aid of Personal Security Manager, but extranet deployments can be more complicated.
  • Page 173: Cryptographic Token Decisions

    Cryptographic Token Decisions • Renewing a CA certificate involves issuing a new CA certificate with the same subject name and public and private key material as the old CA certificate, but with an extended validity period. As long as the new CA certificate is distributed to all users well before the old CA certificate expires, this approach allows certificates issued under the old CA certificate to continue working for the full duration of their validity periods.
  • Page 174: Publishing Decisions

    Publishing Decisions third-party hardware tokens and accelerator boards. Certificate Management System support for PKCS #11 also allows you to store critical keys, such as the root CA signing key, on smart cards or other hardware tokens to facilitate strong physical security measures. Cryptographic hardware tokens manufactured by many vendors are compatible with Certificate Management System.
  • Page 175: Publishing Crls To The Online Certificate Status Manager

    Note that it’s not possible to configure the Registration Manager to publish certificates or CRLs. The Certificate Manager has the complete record of issued certificates, and it is recommended that publishing tasks be performed by the Certificate Manager only. If it’s necessary for some entries in a directory to be available outside the firewall, Netscape recommends using the partial replication feature of Directory Server to replicate the relevant portion of the directory to which the Certificate Manager publishes.
  • Page 176: Subsystem Certificate Decisions

    Subsystem Certificate Decisions revocation status, without having to directly check a CRL published by a CA to the validation authority. The validation authority, which is also called an OCSP responder, does the checking for the application. For more information, see “What’s an OCSP-Compliant PKI Setup?”...
  • Page 177: Certificate Manager Certificates

    Certificate Manager Certificates: Every Certificate Manager must have a CA signing certificate whose public key corresponds to the private key the Certificate Manager uses to sign the certificates it issues. This certificate is also used for SSL client authentication to the publishing directory (LDAP over SSL) if the Certificate Manager is set up to publish certificates or CRLs.
  • Page 178: Data Recovery Manager Certificate And Storage Key

    Data Recovery Manager Certificate and Storage Key: The Data Recovery Manager needs a transport certificate and a storage key: • The transport certificate has a public key used by end-entity software to encrypt the private encryption key belonging to an end entity so that it can be sent (via the Registration Manager) to the Data Recovery Manager.
  • Page 179: Authentication Decisions

    Authentication Decisions: CMS managers use authentication modules to verify the identity of a user requesting a service, such as certificate enrollment. For example, a user can be prompted to provide a name and password, and the authentication module can check a directory entry to confirm that they are correct.
  • Page 180: Deployment Strategy And Port Assignments

    Deployment Strategy and Port Assignments. Thus, a policy for a Certificate Manager might be that all subject names have to end with o=Example Corporation. Registration Managers for individual departments can enforce this policy and can also define their own, local naming policies, such as ou=Engineering. Another variation is to have the Certificate Manager enforce the companywide policies and have subordinate Certificate Managers, instead of Registration...
  • Page 181 Deployment Strategy and Port Assignments Figure 4-5 Deploying servers on a single host. Chapter 4 Planning Your Deployment...
  • Page 182 Deployment Strategy and Port Assignments Each server root directory shown in Figure 4-5 has its own Administration Server and Netscape Console and access to a configuration directory. Each CMS instance has a corresponding instance of Directory Server that functions as the internal database for that CMS instance.
  • Page 183: Chapter 5 Installation Worksheet

    Chapter 5 Installation Worksheet This chapter provides a worksheet to help you prepare for installing a single instance of Netscape Certificate Management System (CMS). Print this chapter and make as many copies as you need. Fill out one copy for each CMS instance you plan to install and refer to it during the installation and configuration process.
  • Page 184: Information For UNIX Installation Script

    Information for UNIX Installation Script The information summarized here must be provided once for each server root installation on a UNIX system. Installation Location To install an instance of Certificate Management System, you must also install an Administration Server and Netscape Console application and have access to a configuration and user/group directory.
  • Page 185: User/Group Directory Server

    Information for UNIX Installation Script If you choose Yes, you must also supply the following information about the existing configuration directory: • Computer name_____________________________________________ The default should be the fully qualified host name of the machine on which the configuration directory is located. For example, mydirectory.example.com. User/Group Directory Server Do you want to use another directory to store your data?
  • Page 186: Administration Server Information

    Information for UNIX Installation Script • Configuration Directory Server Administrator ID________________________ The ID for the user who will authenticate to Netscape Console with full privileges. For example, diradmin1 • Configuration Directory Server Administrator Password___________________ The password must be at least eight characters long. •...
  • Page 187: Certificate Management System Identifier

    Information for NT Installation Script Certificate Management System Identifier You must specify a unique identifier for the CMS server instance that you are installing. • Certificate Management System server identifier___________________________ Enter a unique identifier. For the name, you can use any combination of letters, digits, an underscore, and a hyphen...
  • Page 188: User/Group Directory Server

    Information for NT Installation Script • Use existing configuration directory server._______________________________ If you choose to use an existing configuration directory, you must supply the following information: Host name___________________________________________ Port________________________________________________ Bind as______________________________________________ Password____________________________________________ User/Group Directory Server Choose one of these options: •...
  • Page 189: Configuration Directory Settings

    Information for NT Installation Script Configuration Directory Settings You need to provide the following information about the configuration directory, whether it is an existing one or a new one to be created by the Installation Wizard: • Directory Server identifier_______________________________________ This unique identifier is required for each instance of a Directory Server.
  • Page 190: Administration Server Port

    Initial Configuration This DN can be short and does not need to conform to any suffix configured for your directory. It also should not correspond to an actual entry stored in your directory. For example, cn=Directory Manager • Directory Manager password ________________________ The password must be at least eight characters in length.
  • Page 191: Token Logon Or Single Sign-On Password

    Token Logon or Single Sign-On Password The Installation Wizard asks you to specify the password for the cryptographic token. The password you enter also works as the single sign-on password—it simplifies the way you subsequently sign on to Netscape Certificate Management System.
  • Page 192: Subsystems

    Token Logon or Single Sign-On Password • CMS Administrator full name________________________________ For example, Certificate Management System Administrator • CMS Administrator password________________________________ Subsystems Choose the subsystem you will install in this instance. • Certificate Manager___________________________________ • Registration Manager__________________________________ • Data Recovery Manager________________________________ •...
  • Page 193: Network Configuration

    Certificate Manager Configuration Network Configuration Enter numbers for the ports to be used for various kinds of communications. On UNIX, you must be root to assign ports less than 1024. The default values are well-known ports, which are used only if they are not already in use. If these defaults are not available, a randomly chosen port number is given as the default.
  • Page 194: Key-Pair Information For CA Signing Certificate

    Certificate Manager Configuration • CA’s ending serial number __________________________ Enter the highest serial number available for this CA. You can enter the number in decimal or hexadecimal (0xnn). The default is no upper limit (blank). Key-Pair Information for CA Signing Certificate For a discussion of related issues, see “CA Signing Key Type and Length”...
  • Page 195: Validity Period For CA Signing Certificate

    Certificate Manager Configuration You may fill in the attribute template or simply enter the DN as a string of attribute-value pairs. • Common Name (CN=) _____________________________________ • Organizational Unit (OU=) ___________________________________ • Organization (O=) ________________________________________ • Locality (L=) _____________________________________________ • State (ST=) ______________________________________________ •...
  • Page 196 Certificate Manager Configuration Confirm that you want to include the following extensions. Check off all that apply; defaults are indicated in parentheses. • Basic constraints (Yes)_____________ CA (Yes)_________ Certification path length (Null)_______________________ The certificate chain path length, if specified, determines the maximum number of certificates in a chain, starting with the end-entity certificate.
  • Page 197: CA Signing Certificate Request

    Registration Manager Configuration CA Signing Certificate Request If you are installing a subordinate CA, you need to specify where to send your request for a CA signing certificate. If you are submitting your certificate request to a third-party CA, follow the instructions provided by that CA.
  • Page 198: Subject Name For Registration Manager Signing Certificate

    Registration Manager Configuration • Token password_________________________________________________ The password for the token must be at least one character long. • Key type_________________________________________________ RSA or DSA. • Key length_______________________________________________ Available key sizes for RSA are 512, 768, 1024, 2048, 4096, or Custom. Available key sizes for DSA are 512, 1024, or Custom (which must be in increments of 64 bits only).
  • Page 199: Registration Manager Signing Certificate Issuer

    Data Recovery Manager Configuration Registration Manager Signing Certificate Issuer If you are submitting your certificate request to a third-party CA, follow the instructions provided by that CA. If you are submitting your certificate request to another Certificate Manager, you need to know its URL: •...
  • Page 200: Subject Name For Transport Certificate

    Data Recovery Manager Configuration • Token password_________________________________________________ The password for the token must be at least one character long. • Key type_________________________________________________ RSA or DSA. • Key length_______________________________________________ Available key sizes for RSA are 512, 768, 1024, 2048, 4096, or Custom. Available key sizes for DSA are 512, 1024, or Custom (in increments of 64 bits only).
  • Page 201: Validity Period For Transport Certificate

    Data Recovery Manager Configuration Validity Period for Transport Certificate You can specify the validity period for a transport certificate only if you are installing the Certificate Manager and Data Recovery Manager at the same time and you want the Certificate Manager that you just installed to issue the transport certificate.
  • Page 202: Transport Certificate Request

    Data Recovery Manager Configuration Object-signing CA (No)_________ SSL CA (No)_________ • Authority Key Identifier (Yes) ________________ • Subject Key Identifier (No) • Key usage (No)_____________ If you decide to include the key usage extension, the keyEncipherment usage bit is set by default. •...
  • Page 203: Data Recovery Scheme-1

    Online Certificate Status Manager Configuration Data Recovery Scheme—1 The number of agents you enter here is determined by your organization’s policies with respect to data recovery. If you enter a larger number than the default of 2 for the number of recovery agents required to recover a key, you’re reducing the chances of inappropriate recovery but increasing the complexity of the recovery process.
  • Page 204: Online Certificate Status Manager Signing Certificate Request

    Online Certificate Status Manager Configuration Online Certificate Status Manager Signing Certificate Request When you install an Online Certificate Status Manager, you must supply information for the certificate that the Online Certificate Status Manager will use to sign OCSP responses. The Installation Wizard formulates a certificate request on the basis of information you provide.
  • Page 205: Online Certificate Status Manager Signing Certificate Issuer

    Cloned Certificate Manager Configuration • Organizational Unit (OU=) ___________________________________ • Organization (O=) ________________________________________ • Locality (L=) _____________________________________________ • State (ST=) ______________________________________________ • Country (C=) ____________________________________________ A DN is a series of name-value pairs that in combination uniquely identify an entity. The subject DN identifies the Online Certificate Status Manager signing certificate.
  • Page 206: CA Signing Certificate

    Cloned Certificate Manager Configuration You can clone a Certificate Manager instance to have two server processes performing the same CA functions using the same keys and certificates. Each cloned Certificate Manager, including the original, must only issue certificates with serial numbers that do not conflict with the serial numbers issued by other clones.
  • Page 207: SSL Server Key And Certificate

    SSL Server Certificate Configuration • Use existing key and certificate? ___________________ Answer yes, otherwise you are creating a new Certificate Manager and not a clone. • Instance name of the original server ____________________________ • Token name where copied keys are stored _______________________ •...
  • Page 208: Subject Name For SSL Server Certificate

    SSL Server Certificate Configuration • Token password_________________________________________________ The password for the token must be at least one character long. • Key type_________________________________________________ RSA or DSA. • Key length_______________________________________________ For domestic versions of Netscape Certificate Management System, available settings for RSA are 512, 768, 1024, 2048, 4096, or Custom, and available settings for DSA are 512, 1024, or Custom (in increments of 64 bits only).
  • Page 209: Extensions For SSL Server Certificate

    SSL Server Certificate Configuration • Validity period___________________ to __________________________ Enter beginning and ending dates for the certificate’s validity period. Extensions for SSL Server Certificate You can specify the extensions for an SSL server certificate only if you are installing a Certificate Manager and you have decided to have that local Certificate Manager issue the certificate.
  • Page 210: SSL Certificate Request

    SSL Server Certificate Configuration • Key usage (No)_____________ If you decide to include the key usage extension, the following key usage bits are set by default: digitalSignature and keyEncipherment. • Additional Extension (No)___________________________ To add extensions not included by default by Certificate Management System, you will need to paste the base64 encoding of a sequence of extensions into the wizard.
  • Page 211: Chapter 6 Installing Certificate Management System

    Chapter 6 Installing Certificate Management System This chapter describes the procedure for installing a Netscape Certificate Management System (CMS) instance. Before you use this chapter to guide you through an installation, you should have read Chapter 1 through Chapter 5 and filled out the worksheet provided by Chapter 5, “Installation Worksheet.”...
  • Page 212: Installation Stages

    Installation Overview You must have an Administration Server in each server root directory. Administration Server can use a local configuration directory or refer to an existing configuration directory installed elsewhere. You must install the Certificate Management System internal database directory locally. The initial installation script installs Netscape Console and the binaries for the servers, and it creates and starts instances of Administration Server and Directory Server.
  • Page 213: Before You Begin The Installation

    Installation Overview Before You Begin the Installation Before you start installing Certificate Management System, follow these instructions: • If you’re not familiar with Certificate Management System, you might find it useful to run a demo installation first; see Chapter 3, “Default Demo Installation.”...
  • Page 214 Installation Overview Identify the CA to which you’ll submit the Data Recovery Manager’s transport certificate and SSL server certificate requests. Make sure the CA is running and, if required, identify the forms you’ll use to submit these requests. If you plan to use hardware tokens for generating and storing Data Recovery Manager’s key pairs, you’ll need at least two tokens: one exclusively for the storage key pair and the other for the remaining key pairs.
  • Page 215: Stage 1. Running The Installation Script

    Stage 1. Running the Installation Script The setup program extracts files for the Administration Server, Directory Server, Netscape Console, and Certificate Management System and installs the binaries under the server root directory you have specified. It creates one instance of the Administration Server, one instance of the Directory Server, and one instance of the Certificate Management System, which is not yet configured.
  • Page 216 Stage 1. Running the Installation Script Select the items you would like to install [1]: Accept the default to install the Netscape servers. Install location [/usr/netscape/servers]: Enter a full pathname to the location where you want to install the servers. The location that you enter must be different from the directory from which you are running the setup program.
  • Page 217 Stage 1. Running the Installation Script Do you want to use another directory to store your data? [No]: If you accept the default setting, the installation script either adds a user/group directory to the newly installed instance of Directory Server (if you accepted the default in step 13) or installs a new instance of Directory Server for use as a user/group directory.
  • Page 218: Running The Installation Script On Windows NT

    Stage 1. Running the Installation Script Run Administration Server as [current login]: Enter the user ID for the Administration Server process. If you are running as root, you can accept the default to run the server as root. Certificate Management System identifier [certificate]: Enter a unique identifier for the new instance of Certificate Management System.
  • Page 219 Stage 1. Running the Installation Script Select Server or Console Installation. “Netscape Servers” is selected by default. Click Next to accept the default selection. Choose Installation Directory. The default installation directory is C:\Netscape\Servers. To specify a server root directory different from the default, click Browse.
  • Page 220 Stage 1. Running the Installation Script Directory Server 6.0 Server Settings Server Identifier. Enter a unique identifier for the new instance of the configuration directory. If you are using an existing configuration directory, enter its identifier. Server Port. Accept the default, or enter any port number that is not and will not be used for another purpose.
  • Page 221: Stage 2. Running The Installation Wizard

    Stage 2. Running the Installation Wizard Setup. At this point, the installation script extracts and installs the binaries for all of the servers in the server root directory, and creates and starts instances of the Administration Server and Directory Server. Setup Complete.
  • Page 222 Stage 2. Running the Installation Wizard In the Certificate Management System panel at the right, click Open. After a few moments, the Introduction screen for the Installation Wizard appears. Click Next to continue. The Internal Database screen appears. In the Internal Database screen, specify the Directory Server instance that Certificate Management System should use as its internal database—you may choose to create a new Directory Server instance or use an existing Directory Server instance.
  • Page 223: Installing The Certificate Manager As A Root Ca

    Stage 2. Running the Installation Wizard Installing the Certificate Manager as a Root CA To install the Certificate Manager as a root CA: Subsystems. Select Certificate Manager. Click Next to continue. Remote Data Recovery Manager. Select the appropriate options: Select No, if you don’t want to connect the Certificate Manager to a remote Data Recovery Manager.
  • Page 224 Stage 2. Running the Installation Wizard Message Digest Algorithm. Select the algorithm to use for computing the certificate signature. The choices are: MD2, MD5, or SHA-1. Click Next to continue. Subject Name for Certificate Manager CA Signing Certificate. Type values for the subject DN components;...
  • Page 225 Stage 2. Running the Installation Wizard Key-Pair Information for SSL Server Certificate. Select the token to store the SSL server certificate and key pair. If you have not previously initialized the token’s password, you must do so in this screen. Also specify the key type and length.
  • Page 226: Installing The Certificate Manager As A Subordinate Ca

    Stage 2. Running the Installation Wizard Configuration Status. This screen should indicate that your configuration has been successful. Click Done to exit the Installation Wizard. Proceed to the next step, “Stage 3. Enrolling for Administrator/Agent Certificate” on page 271, to create the first agent user for the Certificate Manager.
  • Page 227 Stage 2. Running the Installation Wizard CA Signing Certificate. Select the “Create subordinate CA certificate request” option. Click Next to continue. Key-Pair Information for Certificate Manager CA signing certificate. Select the token to store the CA signing certificate and key pair. If you have not previously initialized the token’s password, you must do so in this screen.
  • Page 228 Stage 2. Running the Installation Wizard Certificate Manager CA Signing Certificate Creation. This is an informational screen that tells you that the wizard has all the information required to generate the key pair and certificate request. In the previous screen, if you chose to include the Subject Key Identifier extension in the certificate, you’ll be given the choice to select the format for the certificate request.
  • Page 229 Stage 2. Running the Installation Wizard Locate your request, click Details to see it, and make any changes. Then, scroll down to the bottom of the form and click Do It. After the certificate is generated, click Show Certificate. When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines), and copy it to...
  • Page 230 Stage 2. Running the Installation Wizard In the web browser window, enter the URL for the remote Certificate Manager’s Agent Services page. (You must use the same computer where you got your agent certificate.) Select List Requests, then click Show Pending Requests and click Find. In the pending request list, locate your request, click Details to see the request, and make any changes.
  • Page 231 Stage 2. Running the Installation Wizard Select Yes, only if you have the certificate ready in its base-64 encoded format. Click Next to continue. If you selected No, you will be presented with the “SSL Server Certificate” screen (Step 17). If you selected Yes, the “Location of Certificate”...
  • Page 232 Stage 2. Running the Installation Wizard Paste the certificate chain into the text box. Click Next to continue. SSL Server Certificate. Select the appropriate option: If you want to get the SSL server certificate signed by the subordinate CA itself, select the “Sign SSL certificate with my CA signing certificate” option.
  • Page 233 Stage 2. Running the Installation Wizard If you want the wizard to generate the certificate request in PKCS #10 format, select the “Generate PKCS10 request” option. If you want the wizard to generate the certificate request in CMC format, select the “Generate CMC full enrollment request” option. Click Next to generate the certificate or the request: If you chose to get the certificate signed by the subordinate CA itself, the wizard generates the SSL server certificate.
  • Page 234 Stage 2. Running the Installation Wizard In the pending request list, locate your request, click Details to see the request, and make any changes. Then, scroll down to the bottom of the form, and click Do It. After the certificate is generated, click Show Certificate. When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines)...
  • Page 235 Stage 2. Running the Installation Wizard In the web browser window, enter the URL for the remote Certificate Manager’s Agent Services page. (You must use the same computer where you got your agent certificate.) Select List Requests, click Show Pending Requests, and click Find. In the pending request list, locate your request, click Details to see it, and make any changes.
  • Page 236 Stage 2. Running the Installation Wizard If you have submitted your request to a third-party CA or to a remote Certificate Manager for which you do not have agent privileges, you may have to wait days or weeks before you receive the certificate. In this case, you should click No, continue as far as you can with the configuration, and resume after you receive the certificate.
  • Page 237: Installing A Standalone Registration Manager

    Stage 2. Running the Installation Wizard Select the Retrieval tab, and then in the left-hand frame, click Import CA Certificate Chain. Select the “Display the CA certificate chain in PKCS#7 for importing into a server” option, and then click Submit. In the resulting form, locate the CA certificate chain in its base-64 encoded format and copy it to the clipboard.
  • Page 238 Stage 2. Running the Installation Wizard Remote Data Recovery Manager. Select the appropriate options: Select No, if you don’t want to connect the Registration Manager to a remote Data Recovery Manager. If you have already installed a remote Data Recovery Manager that you want the Registration Manager to use for archiving end users’...
  • Page 239 Stage 2. Running the Installation Wizard Note that the certificate extension text field accepts a single extension blob. If you want to add multiple extensions, you should use the ExtJoiner program, which is also provided in the tools directory. For details on using the program, see Chapter 5, “Extension Joiner Tool”...
  • Page 240 Stage 2. Running the Installation Wizard Click Next to submit the request. The Certificate Request Result screen appears, confirming that the request has been submitted. Note the request ID provided in the response message. (You can use it later to retrieve the certificate, once it has been issued, from the end-entity port.) Note that your request gets added to the agent queue of the remote Certificate Manager for approval by that Certificate Manager’s agent.
  • Page 241 Stage 2. Running the Installation Wizard In the left-hand frame of the Enrollment tab, choose the form appropriate for the request type: If the request is in the PKCS #10 format, under Server, click Registration Manager. In the resulting form, paste the request from the clipboard into the text area and fill in any other required information.
  • Page 242 Stage 2. Running the Installation Wizard When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines), and copy it to the clipboard or to a text file. Be sure to not make any changes to the certificate.
  • Page 243 Stage 2. Running the Installation Wizard If you copied the encoded certificate to a file, select the “The certificate is located in this file” option and then type the file path, including the filename, in the text field. If you copied the certificate to the clipboard, select the “The certificate is located in the text area below”...
  • Page 244 Stage 2. Running the Installation Wizard Message Digest Algorithm. Select the algorithm to use for computing the certificate signature. The choices are: SHA-1, MD2, or MD5. Click Next to continue. Subject Name for SSL Server Certificate. Type the values for the subject DN components;...
  • Page 245 Stage 2. Running the Installation Wizard Click Next to submit the request. The Certificate Request Result screen appears, confirming that the request has been submitted. Note the request ID provided in the response message. (You can use it later to retrieve the certificate, once it has been issued, from the end-entity port.) Note that your request gets added to the agent queue of the remote Certificate Manager for approval by that Certificate Manager’s agent.
  • Page 246 Stage 2. Running the Installation Wizard In the left-hand frame of the Enrollment tab, choose the form appropriate for the request type: If the request is in the PKCS #10 format, under Server, click SSL Server. In the resulting form, paste the request from the clipboard into the text area and fill in any other required information.
  • Page 247 Stage 2. Running the Installation Wizard To submit your certificate request manually to a third-party CA, follow these steps: Make sure that the certificate request (including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines) is highlighted, and click the Copy to Clipboard button. This action copies the certificate request to the clipboard.
  • Page 248 Stage 2. Running the Installation Wizard If you noted the request ID of your request and know the host name and end-entity port number of the Certificate Manager that issued the certificate, select the “The certificate is at the CMS server where the request was sent”...
  • Page 249: Installing A Standalone Data Recovery Manager

    Stage 2. Running the Installation Wizard Configuration Status. This screen should indicate that your configuration has been successful. Click Done to exit the Installation Wizard. Proceed to the next step, “Stage 3. Enrolling for Administrator/Agent Certificate” on page 271, to create the first agent user for the Registration Manager.
  • Page 250 Stage 2. Running the Installation Wizard Certificate Management System provides command-line tools for generating extensions to include in CA and other certificate requests. For details about these tools, check this directory: <server_root>/bin/cert/tools Note that the certificate extension text field accepts a single extension blob. If you want to add multiple extensions, you should use the program, ExtJoiner...
  • Page 251 Stage 2. Running the Installation Wizard Click Next to submit the request. The Certificate Request Result screen appears, confirming that the request has been submitted. Note the request ID provided in the response message. (You can use it later to retrieve the certificate, once it has been issued, from the end-entity port.) Note that your request gets added to the agent queue of the remote Certificate Manager for approval by that Certificate Manager’s agent.
  • Page 252 Stage 2. Running the Installation Wizard In the left-hand frame of the Enrollment tab, choose the form appropriate for the request type: If the request is in the PKCS #10 format, under Server, click SSL Server. In the resulting form, paste the request from the clipboard into the text area and fill in any other required information.
  • Page 253 Stage 2. Running the Installation Wizard To submit the transport certificate request manually to a third-party CA, follow these steps: Make sure that the certificate request (including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines) is highlighted, and click the Copy to Clipboard button. This action copies the certificate request to the clipboard.
  • Page 254 Stage 2. Running the Installation Wizard If you noted the request ID of your request and know the host name and end-entity port number of the remote Certificate Manager that issued the certificate, select the “The certificate is at the CMS server where the request was sent”...
  • Page 255 Stage 2. Running the Installation Wizard Data Recovery Key Scheme - 2. The number of table rows corresponds to the total number of agents you specified in the previous screen. Type the user ID and password for each agent in the table. Click Next to continue.
  • Page 256 Stage 2. Running the Installation Wizard Submission of Request. Select whether you want to submit the request manually or send the request automatically to a remote Certificate Manager. To automatically submit the request to a remote Certificate Manager (or for automatic enrollment), follow these steps: Select the “Send the request to a remote CMS now”...
  • Page 257 Stage 2. Running the Installation Wizard To submit your certificate request manually to a Certificate Manager, follow these steps: Open a web browser window. Go to the end-entity URL for the Certificate Manager that will issue the SSL server certificate. For example, if you assigned the port number 17006 to the non-SSL end-entity port for your root CA, you would go to the URL to bring up the Certificate Manager page for...
  • Page 258 Stage 2. Running the Installation Wizard When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines), and copy it to the clipboard or to a text file. Be sure to not make any changes to the certificate.
  • Page 259 Stage 2. Running the Installation Wizard Location of Certificate. Specify the location of the certificate. You can use any of these options: If you copied the encoded certificate to a file, select the “The certificate is located in this file” option and then type the file path, including the filename, in the text field.
  • Page 260: Installing An Online Certificate Status Manager

    Stage 2. Running the Installation Wizard Single Sign-on Summary. Check the summary and select whether to retain or delete the password.conf file. The single sign-on password simplifies the way you subsequently sign on to Certificate Management System by storing the passwords for the internal database, tokens, and so on.
  • Page 261 Stage 2. Running the Installation Wizard Subject Name for Online Certificate Status Manager Signing Certificate. Type the values for the subject DN components; these values identify the Online Certificate Status Manager’s signing certificate. Click Next to continue. Online Certificate Status Manager Signing Certificate Request Creation. This informational screen tells you that the wizard has all the information required to generate the key pair and certificate request.
  • Page 262 Stage 2. Running the Installation Wizard Locate your request, click Details to see it, and make any changes. Then, scroll down to the bottom of the form and click Do It. After the certificate is generated, click Show Certificate. When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN ), and copy it to...
  • Page 263 Stage 2. Running the Installation Wizard Select List Requests, then click Show Pending Requests and click Find. The pending request list is displayed. Locate your request, click Details to see it. After checking the rest of the certificate request and making any changes, scroll to the bottom, and click Do It.
  • Page 264 Stage 2. Running the Installation Wizard Select Yes, only if you have the certificate ready in its base-64 encoded format. Click Next to continue. If you selected Yes, the “Location of Certificate” screen appears (Step 8). If you selected No, you will be presented with the “Key-Pair Information for SSL Server Certificate”...
  • Page 265 Stage 2. Running the Installation Wizard Highlight all the encoded blob (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file. Be sure to not make any changes to the certificate. You’re required to paste the encoded certificate into the Installation Wizard next.
  • Page 266 Stage 2. Running the Installation Wizard Certificate Extensions for SSL Server Certificate. Select the required extensions. The default settings should work for most deployments. If necessary, you can add an additional extension by pasting its base-64 encoding in the space provided on this screen. Certificate Management System provides command-line tools for generating extensions to include in CA and other certificate requests.
  • Page 267 Stage 2. Running the Installation Wizard Click Next to submit the request. The Certificate Request Result screen appears, confirming that the request has been submitted. Note the request ID provided in the response message. (You can use it later to retrieve the certificate, once it has been issued, from the end-entity port.) Note that your request gets added to the agent queue of the Certificate Manager for approval by that Certificate Manager’s agent.
  • Page 268 Stage 2. Running the Installation Wizard In the left-hand frame of the Enrollment tab, choose the form appropriate for the request type: If the request is in the PKCS #10 format, under Server, click SSL Server. In the resulting form, paste the request from the clipboard into the text area and fill in any other required information.
  • Page 269 Stage 2. Running the Installation Wizard To submit your certificate request manually to a third-party CA, follow these steps: Make sure that the certificate request (including -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----) is highlighted, and click the Copy to Clipboard button. This action copies the certificate request to the clipboard.
  • Page 270 Stage 2. Running the Installation Wizard If you know the request ID of your request and the host name and end-entity port number of the Certificate Manager that issued the SSL server certificate, select the “The certificate is at the CMS server where the request was sent”...
  • Page 271: Stage 3. Enrolling For Administrator/Agent Certificate

    Stage 3. Enrolling for Administrator/Agent Certificate Configuration Status. This screen should indicate that your configuration has been successful and that you need to create an agent for the Online Certificate Status Manager. Click Done to exit the Installation Wizard. Proceed to the next step, “Stage 3. Enrolling for Administrator/Agent Certificate”...
  • Page 272 Stage 3. Enrolling for Administrator/Agent Certificate Open a web browser window. Type the following in the URL field: https://<hostname>:<admin_port>/ca/adminEnroll.html where <hostname> is the fully qualified name of the machine on which Certificate Management System is installed (for example, CAmachine.example.com) and <admin_port> is the TCP port specified during installation for...
  • Page 273 Stage 3. Enrolling for Administrator/Agent Certificate Organization unit. Type the name of the organization unit to which the administrator/agent belongs. Organization. Type the name of the company or organization the administrator/agent works for. Country. Type the two-letter code for the administrator/agent’s country. User’s Key Length Information Key Length.
  • Page 274: Agent Certificate For Other Cms Managers

    Stage 3. Enrolling for Administrator/Agent Certificate Open the configuration file (CMS.cfg) in a text editor. Locate the following line: cmsGateway.enableAdminEnroll=false Change false to true, and save the file. Start the server from the CMS window where you stopped it. (Alternatively, right-click on the name of the instance in the left frame and choose Start Server.) At this point, the server asks you for the single sign-on password you specified during installation.
  • Page 275 Stage 3. Enrolling for Administrator/Agent Certificate Log in to Netscape Console (see “Logging In to Netscape Console” on page 326). In the navigation tree, locate the CMS instance for which you want to create the agent user, and double-click the icon. The login screen for the CMS window appears.
  • Page 276 Stage 3. Enrolling for Administrator/Agent Certificate Click Import. The Import Certificate window appears. Click inside the text area, and paste the agent’s certificate in base-64 encoded form. (If you haven’t copied the certificate, go back to the browser window, copy the certificate, and then paste the certificate here.) Be sure to include the -----BEGIN CERTIFICATE----- -----END...
  • Page 277: Stage 4. Further Configuration Options

    Stage 4. Further Configuration Options To view the certificate you imported, select it and click View. The certificate information appears. Click Done. You are returned to the Users tab. Click Refresh to view the updated configuration. You have now designated an agent for the specified manager. You can now present the certificate you installed for that agent to access the Agent Services pages for that manager in the new instance.
  • Page 278: Stage 5. Creating Additional Instances Or Ca Clones

    Stage 5. Creating Additional Instances or CA Clones For detailed information about the many CMS configuration options available, check the chapters in Part 3, “Configuration.” You might find it useful to read “Road Map to Configuring Subsystems” on page 354. Stage 5.
  • Page 279: Chapter 7 Installing And Uninstalling Cms Instances

    Chapter 7 Installing and Uninstalling CMS Instances After the initial installation of Netscape Certificate Management System (CMS), you may need to install additional instances, remove unwanted instances, or duplicate configuration in multiple instances. This chapter describes how to manage these tasks by using Netscape Console, the single, unified administration interface for your network.
  • Page 280: Installing Multiple Cms Instances

    Installing Multiple CMS Instances Installing Multiple CMS Instances Multiple instances of Certificate Management System can run on the same machine. You might, for example, install multiple Registration Managers, all reporting to the same Certificate Manager, to handle requests from different types of users (end users, servers, and routers) or from users from different domains.
  • Page 281 Installing Multiple CMS Instances From the Object menu, choose the Create Instance Of option and, in the pop-up menu that appears, choose Certificate Management System. As shown in this figure, you can also right-click to choose this option from the pop-up menu.
  • Page 282: Cloning A Certificate Manager

    Cloning a Certificate Manager To start the installation wizard, double-click the new instance in the navigation tree, and then use the installation wizard to finish configuring the new instance. Create the first agent for the new CMS instance. When you have finished setting up an additional CMS instance, you need to create at least one agent for that instance.
  • Page 283: Step 1. Before You Begin

    Cloning a Certificate Manager communication is SSL-client authenticated. This way, the master Certificate Manager has the complete list of certificates revoked by all clone Certificate Managers and is able to generate a consolidated list of revoked certificates or a complete CRL. Because the master Certificate Manager has the complete CRL, if you enable the OCSP-service feature built into the Certificate Manager, it can function as a full-fledged OCSP responder for your PKI—that is, irrespective of which clone...
  • Page 284 Cloning a Certificate Manager • Check the master Certificate Manager’s serial number range. The “Next serial number” field should be set to the next serial number of the certificate the CA will issue and the “Last serial number” field must be blank. To locate the panel that enables you to do this, see “Enabling End-Entity Interaction with a Certificate Manager”...
  • Page 285: Step 2. Create Instances For Clone Cas

    Cloning a Certificate Manager During the cloning process, the master Certificate Manager’s SSL server certificate is automatically copied to the certificate database of the clone Certificate Manager. The clone Certificate Manager uses this certificate for SSL-client-authenticated communication with the master Certificate Manager.
  • Page 286: Installing Clone Ca In A Different Server Group

    Cloning a Certificate Manager From the Object menu, choose the Create Instance Of option and, in the pop-up menu that appears, choose Certificate Management System. As shown in this figure, you can also right-click to choose this option from the pop-up menu.
  • Page 287: Installing Clone Ca On A Separate Host

    Cloning a Certificate Manager If you want to install your clone Certificate Manager on the same host on which the master Certificate Manager is installed, but in a different server group: In the master Certificate Manager host machine, go to the directory that contains the CMS program.
  • Page 288: Step 4. Copy Master Ca's Certificate And Key Database

    Cloning a Certificate Manager Step 4. Copy Master CA’s Certificate and Key Database Because you want the clone Certificate Manager to own the same keys and certificates as that of the master Certificate Manager, you need to make available the keys and certificates used by the master Certificate Manager to each clone Certificate Manager.
  • Page 289: Step 6. Configure The Clone Ca

    Cloning a Certificate Manager Step 6. Configure the Clone CA Depending on how many CMS instances you’ve created for clone Certificate Managers, you should repeat the instructions in this step to configure each clone Certificate Manager. To configure a clone Certificate Manager: Log in to or go to Netscape Console that shows the clone Certificate Manager instance.
  • Page 290: Step 8. Establish Trust Between Master Ca And Clone Cas

    Cloning a Certificate Manager Step 8. Establish Trust Between Master CA and Clone CAs For the master Certificate Manager to trust the clone Certificate Manager, you associate the clone Certificate Manager as a trusted manager to the master Certificate Manager. For details about trusted managers, see “Trusted Managers” on page 380. The setup process involves the following steps: •...
  • Page 291 Cloning a Certificate Manager Click Details. In the resulting page, scroll to the section that says “Base 64 encoded certificate” and shows the certificate in its base-64 encoded format. Copy the base-64 encoded certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines, to the clipboard or a text file.
  • Page 292: Step B. Create A Privileged-User Entry For Clone Cas

    Cloning a Certificate Manager Copy the base-64 encoded certificate, including the marker lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, to the clipboard or to a text file. The copied information should look like the example below (a base-64 encoded certificate block beginning with -----BEGIN CERTIFICATE-----)...
  • Page 293 Cloning a Certificate Manager Click Add. The Select User Type window appears. Select Trusted Manager and click OK. The Edit User Information window appears. Specify information as appropriate. The information you enter here is to help you keep track of the clone Certificate Managers.
  • Page 294 Cloning a Certificate Manager Click OK. You are returned to the Users tab. The user you just added is displayed in the list of users. Select the user entry you just added for the clone Certificate Managers and click Certificates. The Manage User Certificates window appears.
  • Page 295: Step 9. Test Clone-Master Connection

    Cloning a Certificate Manager Step 9. Test Clone-Master Connection To test whether your clone-master CA setup is complete and functional, repeat these steps for each clone Certificate Manager. • Step A. Request a Certificate from the Clone CA • Step B. Approve the Request •...
  • Page 296: Step B. Approve The Request

    Cloning a Certificate Manager Step B. Approve the Request Skip this step if you requested the certificate using any of the automated enrollment methods. Complete this step if you used the manual enrollment form for requesting the certificate; the request you submitted is waiting in the agent queue for approval by an agent.
  • Page 297: Step D. Revoke The Certificate

    Cloning a Certificate Manager Click Details. Scroll down to the section that enables you to download the certificate to the browser, and download the certificate. Step D. Revoke the Certificate To revoke the certificate you issued: Go to the end-entity interface for the Certificate Manager. Select the Revocation tab.
  • Page 298: Step 10. Use Master Ca's Agent Certificate In Clone Cas

    Cloning a Certificate Manager SHA-1 with DSA generates a 160-bit message digest. Before choosing SHA-1 with DSA, make sure your applications support it. Communicator 4.0 (or later) and Netscape server products with a version number greater than 4.0 support it. Before selecting an algorithm, make sure that Certificate Manager has the algorithm enabled.
  • Page 299: Viewing Instance Information

    Viewing Instance Information Go to the “Users and Groups” section, create a new agent user, and add the master CA’s agent certificate to the clone CA’s certificate database. To add the correct certificate, check the serial number of the master CA’s agent certificate;...
  • Page 300 Viewing Instance Information In the list of server instances, select the CMS instance you want to view. The right pane shows information about the selected CMS instance. The information displayed includes the following: Server Name. A descriptive name of the CMS instance. You can change this name;...
  • Page 301: Changing The Name Of An Instance

    Changing the Name of an Instance Version. The version number. Build Number. The number that identifies the build that was used for this installation. Security Level. The server’s security level—whether the server is meant for use in the United States and Canada (domestic) or any other part of the world (export).
  • Page 302: Removing An Instance From A System

    Removing an Instance From a System Click OK. You are returned to the previous screen. The new name appears in the right pane. Removing an Instance From a System If you are sure you won’t need a particular CMS instance anymore, you can use Netscape Console to remove the server instance from your machine.
  • Page 303: Uninstalling Certificate Management System

    Uninstalling Certificate Management System When prompted, confirm that you want to remove the server instance. The selected CMS instance is removed. The corresponding internal database is not removed. If you want to remove it, select the instance, and repeat steps 3 through 5.
  • Page 304: Uninstalling By Using The Windows Nt Add/Remove Programs Utility

    Uninstalling Certificate Management System Uninstalling by Using the Windows NT Add/Remove Programs Utility To remove Certificate Management System by using the Windows NT Add/Remove Programs utility: From the Start menu, choose Settings, then Control Panel. In the Control Panel, choose Add/Remove Programs. In the Add/Remove Programs Properties window, choose Netscape Server, and click Add/Remove.
  • Page 305: Chapter 8 Starting And Stopping Cms Instances

    Chapter 8 Starting and Stopping CMS Instances This chapter describes how to start, stop, and restart Netscape Certificate Management System (CMS) and how to check its current status. The chapter has the following sections: • Significance of password.conf File (page 306) •...
  • Page 306: Significance Of Password.conf File

    Significance of password.conf File Significance of password.conf File During CMS installation, the Installation Wizard creates a text file named password.conf in the <server_root>/cert-<instance_id>/config directory. This file is used for storing plaintext versions of the single sign-on password as well as all passwords located on external hardware tokens. Before completing the installation, the wizard gives you the option to retain or remove this text file.
  • Page 307: Required Start-Up Information

    Starting Certificate Management System Required Start-up Information In the absence of the password.conf file, when you start Certificate Management System, you will be prompted to enter the token logon or single sign-on password you specified during installation. This password enables the Certificate Management System to retrieve all the passwords required by the server to start.
  • Page 308: Starting From Netscape Console

    Starting Certificate Management System • If a Data Recovery Manager is installed in the currently selected CMS instance, the token password unlocks the private keys for the Data Recovery Manager’s storage keys and transport and SSL server certificates. • If an Online Certificate Status Manager is installed in the currently selected CMS instance, the token password unlocks the private keys for the Online Certificate Status Manager’s signing and SSL server certificates.
  • Page 309: Starting From The Command Line

    Starting Certificate Management System Select the instance, right-click, and select the Start Server option from the pop-up menu. Starting From the Command Line To start Certificate Management System from the command line: Open a terminal window to your server. In a Unix system, log in as root if the server runs on ports less than 1024;...
  • Page 310: Starting From The Windows Nt Services Panel

    Stopping Certificate Management System Starting From the Windows NT Services Panel If you have installed Certificate Management System on a Windows NT system, you can start the server (as a service) from the Windows NT Services panel (see Figure 8-1). The CMS service has the following name: Netscape CMS (<instance_id>) Figure 8-1: CMS service in the Windows NT Services panel...
  • Page 311: Stopping From Netscape Console

    Stopping Certificate Management System In the absence of the password.conf file, Certificate Management System can be stopped in the following ways, and you will be prompted to enter the single sign-on password: • From the command line (locally only) • On a Windows system, from the Windows Services panel (locally only) Stopping Certificate Management System shuts down all the subsystems completely, interrupting service until the server is started again.
  • Page 312: Stopping From The Command Line

    Restarting Certificate Management System Stopping From the Command Line You can stop a CMS instance running on a local host by entering the appropriate command at the command prompt. To stop a Certificate Management System from the command line: Open a terminal window to your server. In a Unix system, log in either as root or using the server’s user account (if that...
  • Page 313: Restarting From The Cms Window

    Restarting Certificate Management System If the password.conf file is present (see “Significance of password.conf File” on page 306), Certificate Management System can be restarted in the following ways and you will not be prompted to enter any password: • From Netscape Console (locally and remotely) •...
  • Page 314: Restarting From The Command Line

    Checking System Status Restarting From the Command Line To restart Certificate Management System from the command line: Open a terminal window to your server. In a Unix system, log in either as root or using the server’s user account (if that is how you started the server).
  • Page 315: Attending To An Unresponsive Server

    Attending to an Unresponsive Server In the right pane, check the Server Status field. If the selected instance of Certificate Management System is running, the status will be Started. Otherwise it will be Stopped or Unknown. Attending to an Unresponsive Server If an error causes Certificate Management System to become unresponsive, and all attempts to stop it from Netscape Console fail, it may be necessary to kill the server processes manually.
  • Page 316: Password-Quality Checker

    Password-Quality Checker Note that in the above example: • The string Internal LDAP Database is the default value assigned to the internaldb.ldapauth.bindPWPrompt parameter in the CMS configuration file; it provides a descriptive usage for the password Certificate Management System uses to bind to the internal database. •...
  • Page 317 Password-Quality Checker at least 8 characters long; there are no checks regarding which characters are valid or invalid. If you use a password that doesn’t meet the quality rules, you will get an error message indicating that the password didn’t meet the password-quality rules.
  • Page 318 Password-Quality Checker Netscape Certificate Management System Installation and Setup Guide • May 2002...
  • Page 319: Part 3 Configuration

    Part 3 Configuration Chapter 9, “Administration Tasks and Tools” Chapter 10, “CMS Configuration” Chapter 11, “Setting Up Ports” Chapter 12, “Setting Up Internal Database” Chapter 13, “Managing Privileged Users and Groups” Chapter 14, “Managing CMS Keys and Certificates” Chapter 15, “Setting Up End-User Authentication” Chapter 16, “Setting Up Automated Notifications”...
  • Page 320 Chapter 19, “Setting Up LDAP Publishing” Chapter 20, “Publishing Certificates and CRLs to a File” Chapter 21, “Setting Up an OCSP Responder” Chapter 22, “Setting Up Key Archival and Recovery” Chapter 23, “Managing CMS Logs”
  • Page 321: Chapter 9 Administration Tasks And Tools

    Chapter 9 Administration Tasks and Tools In administering Netscape Certificate Management System (CMS), you perform server-specific tasks such as starting, stopping, and restarting the server; changing configuration; configuring certificate issuance and management policies; adding or modifying privileged-user and group information; setting up authentication mechanisms for users who may request services from the server;...
  • Page 322: Netscape Console

    Netscape Console Netscape Console Netscape Console is a stand-alone Java application that provides a GUI-based front end to all network resources registered in an organization’s configuration directory. This unified administration interface (shown in Figure 9-1) simplifies network administration by supplying access points to all Netscape server instances installed across a network.
  • Page 323: Users And Groups Tab

    Netscape Console The Console tab displays all servers registered in a particular configuration directory, giving you a consolidated view of all the server software and resources under your control. What you control is determined by the access permissions the superadministrator has set up for you. From this view you can perform tasks across arbitrary groups or a cluster of servers in a single operation.
  • Page 324: Netscape Administration Server

    Netscape Console Figure 9-2: Users and Groups tab of Netscape Console. From this tab, you can accomplish various user- and group-specific tasks, such as these: • Add, modify, and delete user and group information in the user directory. • Search for specific user and group entries in the user directory. Netscape Administration Server Netscape Administration Server is a web-based (HTTP) server that enables you to configure all your Netscape servers, including Certificate Management System,...
  • Page 325: Starting Administration Server

    Netscape Console Whenever you try to gain access to Administration Server, you will be prompted to authenticate yourself to the configuration directory by entering your user ID and password. These are the administrator user name and password that you specified when you installed Certificate Management System (or the first server in the server group) and Administration Server on your computer.
  • Page 326: Shutting Down Administration Server

    Logging In to Netscape Console Shutting Down Administration Server It is good security practice to shut down Administration Server when you are not using it. This minimizes the chances of someone else changing your configuration. You can shut down the server from Netscape Console, the command line, or the Windows NT Services panel.
  • Page 327: The Cms Window

    The CMS Window Open the Netscape Console application by using the appropriate option: For local access on a Unix machine, at the command-line prompt, enter the following line: <server_root>/start-console For local access on a Windows NT machine, double-click the Netscape Console icon on your desktop; this icon was created when you installed your first Netscape version 6.x server.
  • Page 328 The CMS Window Figure 9-3: Certificate Management System window, launched from Netscape Console. You can use the CMS window to access the server locally or remotely. The window has three separate tabs—Tasks, Configuration, and Status—each addressing specific administrative areas.
  • Page 329: Tasks Tab

    The CMS Window Tasks Tab The Tasks tab enables you to perform tasks such as starting, stopping, and restarting the server, and running the Certificate Setup Wizard. For details, see Chapter 8, “Starting and Stopping CMS Instances” and “Certificate Setup Wizard” on page 436.
  • Page 330 The CMS Window Table 9-1 provides details about the tasks you can accomplish from this tab. You access specific settings by selecting an entry in the navigation tree and working with the tabs that appear in the right pane. Table 9-1: Tasks you can accomplish from the Configuration tab (columns: Task, Description)...
  • Page 331 The CMS Window Table 9-1 (Continued): Tasks you can accomplish from the Configuration tab. Task: Enabling automated email notifications. Description: This involves operations such as the following: • Entering the information required by the server to send automated notifications to one or more agents when a request enters the agent queue. •...
  • Page 332: Status Tab

    The CMS Window Table 9-1 (Continued): Tasks you can accomplish from the Configuration tab. Task: Configuring the Data Recovery Manager. Description: This involves configuring the Data Recovery Manager for archival and recovery of end users’ encryption private keys. For details, see Chapter 22, “Setting Up Key Archival and Recovery.”...
  • Page 333: Logging In To The Cms Window

    Logging In to the CMS Window Logging In to the CMS Window You access the CMS window from Netscape Console. For details on Netscape Console, see “Netscape Console” on page 322. The Console tab of Netscape Console contains a list of network resources that are under your control.
  • Page 334 Logging In to the CMS Window Enter the appropriate information: User ID. If you are logging in for the first time, type the Certificate Administrator ID; you specified this user ID during installation (so that you could log in to the CMS window without having to create privileged-user entries).
  • Page 335: Chapter 10 Cms Configuration

    Chapter 10 CMS Configuration The runtime properties of Netscape Certificate Management System (CMS) are governed by a set of configuration parameters. These parameters are stored in a file that is read by the server during startup. When you install Certificate Management System, the installer creates an ASCII file, named CMS.cfg, and populates it with the appropriate configuration...
  • Page 336 Effects of Installation Type on Configuration Figure 10-1 illustrates a deployment scenario involving two instances of Certificate Management System running on the same host (Host A) and a single instance running on another host (Host B). Notice the two separate configuration files for the instances running on Host A, one for each CMS instance.
  • Page 337: Duplicating Configuration From One Instance To Another

    Locating the Configuration File Duplicating Configuration From One Instance to Another If you have deployed a large number of CMS instances that are identical—for example, multiple Registration Managers—and you want all these instances to have the same configuration, you can accomplish this by configuring one of the instances and then replacing the configuration files of the other instances with the one that contains the required configuration.
  • Page 338: Modifying The Configuration

    Modifying the Configuration Modifying the Configuration You can modify the CMS configuration in two ways: • By changing the configuration parameter values from the CMS window. This is the recommended method for changing configuration. See “Changing the Configuration From the CMS Window” on page 338. •...
  • Page 339: Guidelines For Editing The Configuration File

    Modifying the Configuration To modify the configuration file directly: Stop the CMS instance whose configuration file you want to edit (see “Stopping Certificate Management System” on page 310). Open a terminal window. Go to this directory: <server_root>/cert-<instance_id>/config Open the configuration file, CMS.cfg, in a text editor.
  • Page 340 Modifying the Configuration • The values that need to be localized (such as distinguished names in multibyte format) should be entered in utf8 format. For more information on this format, see the document UTF-8, a transformation format of Unicode and ISO 10646, available at this URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2044.txt •...
  • Page 341: Sample Configuration File

    Modifying the Configuration Each job (or configured instance of a job module) is identified by the name specified when the job was created. You can create as many instances of an implementation as you like; each instance must have a unique name. •...
  • Page 342 Modifying the Configuration
    auths._002=##
    auths.impl._000=##
    auths.impl._001=## authentication manager implementations
    auths.impl._002=##
    auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth
    auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
    auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication
    auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication
    auths.revocationChecking.bufferSize=5
    auths.revocationChecking.ca=ca
    auths.revocationChecking.enabled=true
    auths.revocationChecking.unknownStateInterval=0
    auths.revocationChecking.validityInterval=120
    authz._000=##
    authz._001=## new authorization
    authz._002=##
    authz.sourceType=web.xml
    authz.impl._000=##
    authz.impl._001=## authorization manager implementations
    authz.impl._002=##
    authz.impl.BasicAclAuthz.class=com.netscape.cms.authorization.BasicAclAuthz
    authz.impl.DirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
    authz.instance.BasicAclAuthz.pluginName=BasicAclAuthz
    authz.instance.DirAclAuthz.ldap=internaldb
    authz.instance.DirAclAuthz.pluginName=DirAclAuthz
    authz.instance.DirAclAuthz.ldap._000=##
    authz.instance.DirAclAuthz.ldap._001=## Internal Database
    authz.instance.DirAclAuthz.ldap._002=##
    authz.instance.DirAclAuthz.ldap.basedn=o=NetscapeCertificateServer
    authz.instance.DirAclAuthz.ldap.maxConns=15...
  • Page 343 Modifying the Configuration
    ca.Policy.processor=classic
    ca.Policy.impl._000=##
    ca.Policy.impl._001=## Policy Implementations
    ca.Policy.impl._002=##
    ca.Policy.impl.AuthInfoAccessExt.class=com.netscape.cms.policy.AuthInfoAccessExt
    ca.Policy.impl.AuthorityKeyIdentifierExt.class=com.netscape.cms.policy.AuthorityKeyIdentifierExt
    ca.Policy.impl.BasicConstraintsExt.class=com.netscape.cms.policy.BasicConstraintsExt
    ca.Policy.impl.CRLDistributionPointsExt.class=com.netscape.cms.policy.CRLDistributionPointsExt
    ca.Policy.impl.CertificatePoliciesExt.class=com.netscape.cms.policy.CertificatePoliciesExt
    ca.Policy.impl.DSAKeyConstraints.class=com.netscape.cms.policy.DSAKeyConstraints
    ca.Policy.impl.DefaultRevocation.class=com.netscape.cms.policy.DefaultRevocation
    ca.Policy.impl.ExtendedKeyUsageExt.class=com.netscape.cms.policy.ExtendedKeyUsageExt
    ca.Policy.impl.GenericASN1Ext.class=com.netscape.cms.policy.GenericASN1Ext
    ca.Policy.impl.IssuerAltNameExt.class=com.netscape.cms.policy.IssuerAltNameExt
    ca.Policy.impl.IssuerConstraints.class=com.netscape.cms.policy.IssuerConstraints
    ca.Policy.impl.KeyAlgorithmConstraints.class=com.netscape.cms.policy.KeyAlgorithmConstraints
    ca.Policy.impl.KeyUsageExt.class=com.netscape.cms.policy.KeyUsageExt
    ca.Policy.impl.NSCComment.class=com.netscape.cms.policy.NSCComment
    ca.Policy.impl.NSCertTypeExt.class=com.netscape.cms.policy.NSCertTypeExt
    ca.Policy.impl.NameConstraintsExt.class=com.netscape.cms.policy.NameConstraintsExt
    ca.Policy.impl.OCSPNoCheckExt.class=com.netscape.cms.policy.OCSPNoCheckExt
    ca.Policy.impl.AttributePresent.class=com.netscape.cms.policy.AttributePresent
    ca.Policy.impl.PolicyConstraintsExt.class=com.netscape.cms.policy.PolicyConstraintsExt
    ca.Policy.impl.PolicyMappingsExt.class=com.netscape.cms.policy.PolicyMappingsExt
    ca.Policy.impl.PrivateKeyUsagePeriodExt.class=com.netscape.cms.policy.PrivateKeyUsagePeriodExt
    ca.Policy.impl.RSAKeyConstraints.class=com.netscape.cms.policy.RSAKeyConstraints
    ca.Policy.impl.RenewalConstraints.class=com.netscape.cms.policy.RenewalConstraints
    ca.Policy.impl.RenewalValidityConstraints.class=com.netscape.cms.policy.RenewalValidityConstraints
    ca.Policy.impl.RevocationConstraints.class=com.netscape.cms.policy.RevocationConstraints
    ca.Policy.impl.SigningAlgorithmConstraints.class=com.netscape.cms.policy.
  • Page 344 Modifying the Configuration
    ca.Policy.rule.BasicConstraintsExt.enable=true
    ca.Policy.rule.BasicConstraintsExt.implName=BasicConstraintsExt
    ca.Policy.rule.BasicConstraintsExt.predicate=HTTP_PARAMS.certType == ca
    ca.Policy.rule.BasicConstraintsExt.removeBasicExt=true
    ca.Policy.rule.CMCertKeyUsageExt.crlSign=true
    ca.Policy.rule.CMCertKeyUsageExt.digitalSignature=true
    ca.Policy.rule.CMCertKeyUsageExt.enable=true
    ca.Policy.rule.CMCertKeyUsageExt.implName=KeyUsageExt
    ca.Policy.rule.CMCertKeyUsageExt.keyCertsign=true
    ca.Policy.rule.CMCertKeyUsageExt.nonRepudiation=true
    ca.Policy.rule.CMCertKeyUsageExt.predicate=certType==ca
    ca.Policy.rule.CODESigningExt.critical=false
    ca.Policy.rule.CODESigningExt.enable=true
    ca.Policy.rule.CODESigningExt.id0=1.3.6.1.5.5.7.3.3
    ca.Policy.rule.CODESigningExt.implName=ExtendedKeyUsageExt
    ca.Policy.rule.CODESigningExt.predicate=certType==codeSignClient
    ca.Policy.rule.CRLDistributionPointsExt.enable=false
    ca.Policy.rule.CRLDistributionPointsExt.implName=CRLDistributionPointsExt
    ca.Policy.rule.CRLDistributionPointsExt.issuerName0=
    ca.Policy.rule.CRLDistributionPointsExt.issuerName1=
    ca.Policy.rule.CRLDistributionPointsExt.issuerName2=
    ca.Policy.rule.CRLDistributionPointsExt.issuerType0=
    ca.Policy.rule.CRLDistributionPointsExt.issuerType1=
    ca.Policy.rule.CRLDistributionPointsExt.issuerType2=
    ca.Policy.rule.CRLDistributionPointsExt.numPoints=0
    ca.Policy.rule.CRLDistributionPointsExt.pointName0=
    ca.Policy.rule.CRLDistributionPointsExt.pointName1=
    ca.Policy.rule.CRLDistributionPointsExt.pointName2=
    ca.Policy.rule.CRLDistributionPointsExt.pointType0=
    ca.Policy.rule.CRLDistributionPointsExt.pointType1=
    ca.Policy.rule.CRLDistributionPointsExt.pointType2=
    ca.Policy.rule.CRLDistributionPointsExt.predicate=
    ca.Policy.rule.CRLDistributionPointsExt.reasons0=
    ca.Policy.rule.CRLDistributionPointsExt.reasons1=
    ca.Policy.rule.CRLDistributionPointsExt.reasons2=
    ca.Policy.rule.CertificatePoliciesExt.enable=false
    ca.Policy.rule.CertificatePoliciesExt.implName=CertificatePoliciesExt
    ca.Policy.rule.CertificatePoliciesExt.policyId=...
  • Page 345 Modifying the Configuration
    ca.Policy.rule.DSAKeyRule.enable=true
    ca.Policy.rule.DSAKeyRule.implName=DSAKeyConstraints
    ca.Policy.rule.DSAKeyRule.maxSize=2048
    ca.Policy.rule.DSAKeyRule.minSize=512
    ca.Policy.rule.DSAKeyRule.predicate=
    ca.Policy.rule.DefaultRenewalValidityRule.enable=true
    ca.Policy.rule.DefaultRenewalValidityRule.implName=RenewalValidityConstraints
    ca.Policy.rule.DefaultRenewalValidityRule.maxValidity=365
    ca.Policy.rule.DefaultRenewalValidityRule.minValidity=30
    ca.Policy.rule.DefaultRenewalValidityRule.predicate=
    ca.Policy.rule.DefaultRenewalValidityRule.renewalInterval=15
    ca.Policy.rule.DefaultRevocationRule.enable=true
    ca.Policy.rule.DefaultRevocationRule.implName=DefaultRevocation
    ca.Policy.rule.DefaultRevocationRule.predicate=
    ca.Policy.rule.DefaultValidityRule.enable=true
    ca.Policy.rule.DefaultValidityRule.implName=ValidityConstraints
    ca.Policy.rule.DefaultValidityRule.maxValidity=365
    ca.Policy.rule.DefaultValidityRule.minValidity=30
    ca.Policy.rule.DefaultValidityRule.predicate=
    ca.Policy.rule.GenericASN1Ext.critical=false
    ca.Policy.rule.GenericASN1Ext.enable=false
    ca.Policy.rule.GenericASN1Ext.implName=GenericASN1Ext
    ca.Policy.rule.GenericASN1Ext.name=
    ca.Policy.rule.GenericASN1Ext.oid=
    ca.Policy.rule.GenericASN1Ext.pattern=
    ca.Policy.rule.GenericASN1Ext.predicate=
    ca.Policy.rule.GenericASN1Ext.attribute.0.source=
    ca.Policy.rule.GenericASN1Ext.attribute.0.type=
    ca.Policy.rule.GenericASN1Ext.attribute.0.value=
    ca.Policy.rule.GenericASN1Ext.attribute.1.source=
    ca.Policy.rule.GenericASN1Ext.attribute.1.type=
    ca.Policy.rule.GenericASN1Ext.attribute.1.value=
    ca.Policy.rule.GenericASN1Ext.attribute.2.source=
    ca.Policy.rule.GenericASN1Ext.attribute.2.type=
    ca.Policy.rule.GenericASN1Ext.attribute.2.value=
    ca.Policy.rule.GenericASN1Ext.attribute.3.source=
    ca.Policy.rule.GenericASN1Ext.attribute.3.type=
    ca.Policy.rule.GenericASN1Ext.attribute.3.value=
    ca.Policy.rule.GenericASN1Ext.attribute.4.source=
    ca.Policy.rule.GenericASN1Ext.attribute.4.type=...
  • Page 346 Modifying the Configuration
    ca.Policy.rule.GenericASN1Ext.attribute.7.type=
    ca.Policy.rule.GenericASN1Ext.attribute.7.value=
    ca.Policy.rule.GenericASN1Ext.attribute.8.source=
    ca.Policy.rule.GenericASN1Ext.attribute.8.type=
    ca.Policy.rule.GenericASN1Ext.attribute.8.value=
    ca.Policy.rule.GenericASN1Ext.attribute.9.source=
    ca.Policy.rule.GenericASN1Ext.attribute.9.type=
    ca.Policy.rule.GenericASN1Ext.attribute.9.value=
    ca.Policy.rule.IssuerRule.enable=false
    ca.Policy.rule.IssuerRule.implName=IssuerConstraints
    ca.Policy.rule.IssuerRule.issuerDN=
    ca.Policy.rule.IssuerRule.predicate=certType==client AND certauthEnroll==on
    ca.Policy.rule.KeyAlgRule.algorithms=RSA
    ca.Policy.rule.KeyAlgRule.enable=true
    ca.Policy.rule.KeyAlgRule.implName=KeyAlgorithmConstraints
    ca.Policy.rule.KeyAlgRule.predicate=
    ca.Policy.rule.NSCComment.enable=false
    ca.Policy.rule.NSCComment.implName=NSCComment
    ca.Policy.rule.NSCComment.policyId=
    ca.Policy.rule.NSCComment.predicate=
    ca.Policy.rule.NSCertTypeExt.enable=true
    ca.Policy.rule.NSCertTypeExt.implName=NSCertTypeExt
    ca.Policy.rule.NSCertTypeExt.predicate=certType!=CEP-Request
    ca.Policy.rule.NameConstraintsExt.critical=true
    ca.Policy.rule.NameConstraintsExt.enable=false
    ca.Policy.rule.NameConstraintsExt.implName=NameConstraintsExt
    ca.Policy.rule.NameConstraintsExt.numExcludedSubtrees=3
    ca.Policy.rule.NameConstraintsExt.numPermittedSubtrees=3
    ca.Policy.rule.NameConstraintsExt.predicate=certType == ca
    ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.base=
    ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.max=-1
    ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.min=0
    ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.valueType=
    ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.base=
    ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.max=-1
    ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.min=0...
  • Page 347 Modifying the Configuration
    ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.min=0
    ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.valueType=
    ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.base=
    ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.max=-1
    ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.min=0
    ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.valueType=
    ca.Policy.rule.OCSPNoCheckExt.critical=false
    ca.Policy.rule.OCSPNoCheckExt.enable=true
    ca.Policy.rule.OCSPNoCheckExt.implName=OCSPNoCheckExt
    ca.Policy.rule.OCSPNoCheckExt.predicate=certType==ocspResponder
    ca.Policy.rule.OCSPSigningExt.critical=false
    ca.Policy.rule.OCSPSigningExt.enable=true
    ca.Policy.rule.OCSPSigningExt.id0=1.3.6.1.5.5.7.3.9
    ca.Policy.rule.OCSPSigningExt.implName=ExtendedKeyUsageExt
    ca.Policy.rule.OCSPSigningExt.predicate=certType==ocspResponder
    ca.Policy.rule.ObjSignCertKeyUsageExt.digitalSignature=true
    ca.Policy.rule.ObjSignCertKeyUsageExt.enable=true
    ca.Policy.rule.ObjSignCertKeyUsageExt.implName=KeyUsageExt
    ca.Policy.rule.ObjSignCertKeyUsageExt.keyCertsign=true
    ca.Policy.rule.ObjSignCertKeyUsageExt.predicate=certType==objSignClient
    ca.Policy.rule.PolicyConstraintsExt.critical=false
    ca.Policy.rule.PolicyConstraintsExt.enable=false
    ca.Policy.rule.PolicyConstraintsExt.implName=PolicyConstraintsExt
    ca.Policy.rule.PolicyConstraintsExt.inhibitPolicyMapping=0
    ca.Policy.rule.PolicyConstraintsExt.predicate=certType==ca
    ca.Policy.rule.PolicyConstraintsExt.reqExplicitPolicy=0
    ca.Policy.rule.PolicyMappingsExt.critical=false
    ca.Policy.rule.PolicyMappingsExt.enable=false
    ca.Policy.rule.PolicyMappingsExt.implName=PolicyMappingsExt
    ca.Policy.rule.PolicyMappingsExt.numPolicyMappings=1
    ca.Policy.rule.PolicyMappingsExt.predicate=certType==ca
    ca.Policy.rule.PolicyMappingsExt.policyMap0.issuerDomainPolicy=
    ca.Policy.rule.PolicyMappingsExt.policyMap0.subjectDomainPolicy=
    ca.Policy.rule.RMCertKeyUsageExt.digitalSignature=true
    ca.Policy.rule.RMCertKeyUsageExt.enable=true
    ca.Policy.rule.RMCertKeyUsageExt.implName=KeyUsageExt
    ca.Policy.rule.RMCertKeyUsageExt.nonRepudiation=true
    ca.Policy.rule.RMCertKeyUsageExt.predicate=certType==ra
    ca.Policy.rule.RSAKeyRule.enable=false
    ca.Policy.rule.RSAKeyRule.exponents=3,7,17,65537...
  • Page 348 Modifying the Configuration
    ca.Policy.rule.RenewalConstraintsRule.enable=true
    ca.Policy.rule.RenewalConstraintsRule.implName=RenewalConstraints
    ca.Policy.rule.RenewalConstraintsRule.predicate=
    ca.Policy.rule.RevocationConstraintsRule.enable=true
    ca.Policy.rule.RevocationConstraintsRule.implName=RevocationConstraints
    ca.Policy.rule.RevocationConstraintsRule.predicate=
    ca.Policy.rule.ServerCertKeyUsageExt.dataEncipherment=true
    ca.Policy.rule.ServerCertKeyUsageExt.digitalSignature=true
    ca.Policy.rule.ServerCertKeyUsageExt.enable=true
    ca.Policy.rule.ServerCertKeyUsageExt.implName=KeyUsageExt
    ca.Policy.rule.ServerCertKeyUsageExt.keyEncipherment=true
    ca.Policy.rule.ServerCertKeyUsageExt.nonRepudiation=true
    ca.Policy.rule.ServerCertKeyUsageExt.predicate=certType==server
    ca.Policy.rule.SigningAlgRule.algorithms=MD5withRSA,MD2withRSA,SHA1withRSA,SHA1withDSA
    ca.Policy.rule.SigningAlgRule.enable=true
    ca.Policy.rule.SigningAlgRule.implName=SigningAlgorithmConstraints
    ca.Policy.rule.SigningAlgRule.predicate=
    ca.Policy.rule.SubCANameCheck.enable=true
    ca.Policy.rule.SubCANameCheck.implName=SubCANameCheck
    ca.Policy.rule.SubCANameCheck.predicate=
    ca.Policy.rule.SubjectAltNameExt.enable=true
    ca.Policy.rule.SubjectAltNameExt.enableManualValues=false
    ca.Policy.rule.SubjectAltNameExt.implName=SubjectAltNameExt
    ca.Policy.rule.SubjectKeyIdentifierExt.enable=true
    ca.Policy.rule.SubjectKeyIdentifierExt.implName=SubjectKeyIdentifierExt
    ca.Policy.rule.SubjectKeyIdentifierExt.predicate=certType==ca
    ca.Policy.rule.UniqueSubjectName.enable=false
    ca.Policy.rule.UniqueSubjectName.implName=UniqueSubjectName
    ca.Policy.rule.UniqueSubjectName.predicate=
    ca.crl._000=##
    ca.crl._001=## CA CRL
    ca.crl._002=##
    ca.crl.MasterCRL.allowExtensions=false
    ca.crl.MasterCRL.autoUpdateInterval=20
    ca.crl.MasterCRL.cacheUpdateInterval=5
    ca.crl.MasterCRL.class=com.netscape.cmscore.ca.CRLIssuingPoint
    ca.crl.MasterCRL.description=CA's complete Certificate Revocation List
    ca.crl.MasterCRL.enableCRLCache=true...
  • Page 349 Modifying the Configuration
    CMSCRLNumberExtension
    ca.crl.MasterCRL.extension.CRLNumber.critical=false
    ca.crl.MasterCRL.extension.CRLNumber.enable=true
    ca.crl.MasterCRL.extension.CRLNumber.type=CRLExtension
    ca.crl.MasterCRL.extension.CRLReason.class=com.netscape.cmscore.ca.CMSCRLReasonExtension
    ca.crl.MasterCRL.extension.CRLReason.critical=false
    ca.crl.MasterCRL.extension.CRLReason.enable=true
    ca.crl.MasterCRL.extension.CRLReason.type=CRLEntryExtension
    ca.crl.MasterCRL.extension.DeltaCRLIndicator.class=com.netscape.cmscore.ca.CMSDeltaCRLIndicatorExtension
    ca.crl.MasterCRL.extension.DeltaCRLIndicator.critical=true
    ca.crl.MasterCRL.extension.DeltaCRLIndicator.enable=false
    ca.crl.MasterCRL.extension.DeltaCRLIndicator.type=CRLExtension
    ca.crl.MasterCRL.extension.HoldInstruction.class=com.netscape.cmscore.ca.CMSHoldInstructionExtension
    ca.crl.MasterCRL.extension.HoldInstruction.critical=false
    ca.crl.MasterCRL.extension.HoldInstruction.enable=false
    ca.crl.MasterCRL.extension.HoldInstruction.instruction=none
    ca.crl.MasterCRL.extension.HoldInstruction.type=CRLEntryExtension
    ca.crl.MasterCRL.extension.InvalidityDate.class=com.netscape.cmscore.ca.CMSInvalidityDateExtension
    ca.crl.MasterCRL.extension.InvalidityDate.critical=false
    ca.crl.MasterCRL.extension.InvalidityDate.enable=true
    ca.crl.MasterCRL.extension.InvalidityDate.type=CRLEntryExtension
    ca.crl.MasterCRL.extension.IssuerAlternativeName.class=com.netscape.cmscore.ca.CMSIssuerAlternativeNameExtension
    ca.crl.MasterCRL.extension.IssuerAlternativeName.critical=false
    ca.crl.MasterCRL.extension.IssuerAlternativeName.enable=false
    ca.crl.MasterCRL.extension.IssuerAlternativeName.name0=
    ca.crl.MasterCRL.extension.IssuerAlternativeName.nameType0=
    ca.crl.MasterCRL.extension.IssuerAlternativeName.numNames=0
    ca.crl.MasterCRL.extension.IssuerAlternativeName.type=CRLExtension
    ca.crl.MasterCRL.extension.IssuingDistributionPoint.class=com.netscape.cmscore.ca.CMSIssuingDistributionPointExtension
    ca.crl.MasterCRL.extension.IssuingDistributionPoint.critical=true
    ca.crl.MasterCRL.extension.IssuingDistributionPoint.enable=false
    ca.crl.MasterCRL.extension.IssuingDistributionPoint.indirectCRL=false
    ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlyContainsCACerts=false
    ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlyContainsUserCerts=false...
  • Page 350 Modifying the Configuration
    ca.notification.requestInQ.enabled=false
    ca.notification.requestInQ.recipientEmail=
    ca.notification.requestInQ.senderEmail=
    ca.ocsp_signing.cacertnickname=ocspSigningCert cert-testCA
    ca.ocsp_signing.defaultSigningAlgorithm=MD5withRSA
    ca.ocsp_signing.tokenname=internal
    ca.publish.mapper.impl.LdapCaSimpleMap.class=com.netscape.cms.publish.LdapCaSimpleMap
    ca.publish.mapper.impl.LdapDNCompsMap.class=com.netscape.cms.ldap.LdapCertCompsMap
    ca.publish.mapper.impl.LdapDNExactMap.class=com.netscape.cms.ldap.LdapCertExactMap
    ca.publish.mapper.impl.LdapSimpleMap.class=com.netscape.cms.ldap.LdapSimpleMap
    ca.publish.mapper.impl.LdapSubjAttrMap.class=com.netscape.cms.ldap.LdapCertSubjMap
    ca.publish.mapper.instance.LdapCaCertMap.dnPattern=UID=$cert.cn,OU=people,O=$cert.o
    ca.publish.mapper.instance.LdapCaCertMap.pluginName=LdapSimpleMap
    ca.publish.mapper.instance.LdapCrlMap.dnPattern=UID=$cert.cn,OU=people,O=$cert.o
    ca.publish.mapper.instance.LdapCrlMap.pluginName=LdapSimpleMap
    ca.publish.mapper.instance.LdapUserCertMap.dnPattern=UID=$cert.UID,OU=people,O=$cert.o
    ca.publish.mapper.instance.LdapUserCertMap.pluginName=LdapSimpleMap
    ca.publish.publisher.impl.FileBasedPublisher.class=com.netscape.cms.ldap.FileBasedPublisher
    ca.publish.publisher.impl.LdapCaCertPublisher.class=com.netscape.cms.ldap.LdapCaCertPublisher
    ca.publish.publisher.impl.LdapCrlPublisher.class=com.netscape.cms.ldap.LdapCrlPublisher
    ca.publish.publisher.impl.LdapUserCertPublisher.class=com.netscape.cms.ldap.LdapUserCertPublisher
    ca.publish.publisher.instance.LdapCaCertPublisher.caCertAttr=caCertificate;binary
    ca.publish.publisher.instance.LdapCaCertPublisher.caObjectClass=certificationAuthority
    ca.publish.publisher.instance.LdapCaCertPublisher.pluginName=LdapCaCertPublisher
    ca.publish.publisher.instance.LdapCrlPublisher.crlAttr=certificateRevocationList;binary
    ca.publish.publisher.instance.LdapCrlPublisher.pluginName=LdapCrlPublisher
    ca.publish.publisher.instance.LdapUserCertPublisher.certAttr=userCertificate;binary
    ca.publish.publisher.instance.LdapUserCertPublisher.pluginName=LdapUserCertPublisher
    ca.publish.rule.impl.Rule.class=com.netscape.certsrv.ldap.LdapRule
    ca.publish.rule.instance.LdapCaCertRule.enable=true
    ca.publish.rule.instance.LdapCaCertRule.mapper=LdapCaCertMap
    ca.publish.rule.instance.LdapCaCertRule.pluginName=Rule
    ca.publish.rule.instance.LdapCaCertRule.predicate=
    ca.publish.rule.instance.LdapCaCertRule.publisher=LdapCaCertPublisher
    ca.publish.rule.instance.LdapCaCertRule.type=ca
    ca.publish.rule.instance.LdapCrlRule.enable=true...
  • Page 351 Modifying the Configuration
    ca.publish.rule.instance.LdapObjSignCertRule.mapper=LdapUserCertMap
    ca.publish.rule.instance.LdapObjSignCertRule.pluginName=Rule
    ca.publish.rule.instance.LdapObjSignCertRule.predicate=
    ca.publish.rule.instance.LdapObjSignCertRule.publisher=LdapUserCertPublisher
    ca.publish.rule.instance.LdapObjSignCertRule.type=objSignClient
    ca.publish.rule.instance.LdapUserCertRule.enable=true
    ca.publish.rule.instance.LdapUserCertRule.mapper=LdapUserCertMap
    ca.publish.rule.instance.LdapUserCertRule.pluginName=Rule
    ca.publish.rule.instance.LdapUserCertRule.predicate=
    ca.publish.rule.instance.LdapUserCertRule.publisher=LdapUserCertPublisher
    ca.publish.rule.instance.LdapUserCertRule.type=client
    ca.signing.cacertnickname=caSigningCert cert-testCA
    ca.signing.defaultSigningAlgorithm=MD5withRSA
    ca.signing.tokenname=internal
    cert7.db=d:/usr/netscape/servers/alias/cert-testCA-d9816-cert7.db
    cms.version=6.0
    cmsgateway.enableAdminEnroll=false
    cmsgateway.wirelessSupport=false
    dbs.ldap=internaldb
    dbs.newSchemaEntryAdded=true
    dbs.nextSerialNumber=103
    internaldb._000=##
    internaldb._001=## Internal Database
    internaldb._002=##
    internaldb.basedn=o=NetscapeCertificateServer
    internaldb.maxConns=15
    internaldb.minConns=3
    internaldb.ldapauth.authtype=BasicAuth
    internaldb.ldapauth.bindDN=cn=Directory Manager
    internaldb.ldapauth.bindPWPrompt=Internal LDAP Database
    internaldb.ldapconn.host=localhost
    internaldb.ldapconn.port=3602
    internaldb.ldapconn.secureConn=false
    jobsScheduler._000=##...
  • Page 352 Modifying the Configuration
    rnJob1.txt
    jobsScheduler.job.certRenewalNotifier.enabled=false
    jobsScheduler.job.certRenewalNotifier.notifyEndOffset=30
    jobsScheduler.job.certRenewalNotifier.notifyTriggerOffset=30
    jobsScheduler.job.certRenewalNotifier.pluginName=RenewalNotificationJob
    jobsScheduler.job.certRenewalNotifier.senderEmail=
    jobsScheduler.job.certRenewalNotifier.summary.emailSubject=Certificate Renewal Notification Summary
    jobsScheduler.job.certRenewalNotifier.summary.emailTemplate=/usr/netscape/cert-testCA/emails/rnJob1Summary.txt
    jobsScheduler.job.certRenewalNotifier.summary.enabled=true
    jobsScheduler.job.certRenewalNotifier.summary.itemTemplate=/usr/netscape/cert-testCA/emails/rnJob1Item.txt
    jobsScheduler.job.certRenewalNotifier.summary.recipientEmail=
    jobsScheduler.job.certRenewalNotifier.summary.senderEmail=
    jobsScheduler.job.requestInQueueNotifier.cron=0 0 * * 0
    jobsScheduler.job.requestInQueueNotifier.enabled=false
    jobsScheduler.job.requestInQueueNotifier.pluginName=RequestInQueueJob
    jobsScheduler.job.requestInQueueNotifier.subsystemId=ca
    jobsScheduler.job.requestInQueueNotifier.summary.emailSubject=Requests in Queue Summary Report
    jobsScheduler.job.requestInQueueNotifier.summary.emailTemplate=/usr/netscape/cert-testCA/emails/riq1Summary.html
    jobsScheduler.job.requestInQueueNotifier.summary.enabled=true
    jobsScheduler.job.requestInQueueNotifier.summary.recipientEmail=
    jobsScheduler.job.requestInQueueNotifier.summary.senderEmail=
    jobsScheduler.job.unpublishExpiredCerts.cron=0 0 * * 6
    jobsScheduler.job.unpublishExpiredCerts.enabled=false
    jobsScheduler.job.unpublishExpiredCerts.pluginName=UnpublishExpiredJob
    jobsScheduler.job.unpublishExpiredCerts.summary.emailSubject=Expired Certs...
  • Page 353 Modifying the Configuration
    key3.db=/usr/netscape/servers/alias/cert-testCA-d9816-key3.db
    logAudit._000=##
    logAudit._001=## Logging
    logAudit._002=##
    log.Error._000=##
    log.Error._001=## Logging
    log.Error._002=##
    log.System._000=##
    log.System._001=## Logging
    log.System._002=##
    log.impl.NTEventLog.class=com.netscape.cms.logging.NTEventLog
    log.impl.file.class=com.netscape.cms.logging.RollingLogFile
    log.instance.Audit.bufferSize=512
    log.instance.Audit.enable=true
    log.instance.Audit.expirationTime=2592000
    log.instance.Audit.fileName=/usr/netscape/cert-testCA/logs/audit
    log.instance.Audit.flushInterval=5
    log.instance.Audit.level=1
    log.instance.Audit.maxFileSize=100
    log.instance.Audit.pluginName=file
    log.instance.Audit.rolloverInterval=2592000
    log.instance.Audit.type=audit
    log.instance.Error.bufferSize=512
    log.instance.Error.enable=true
    log.instance.Error.expirationTime=2592000
    log.instance.Error.fileName=/usr/netscape/cert-testCA/logs/error
    log.instance.Error.flushInterval=5
    log.instance.Error.level=3
    log.instance.Error.maxFileSize=100
    log.instance.Error.pluginName=file
    log.instance.Error.rolloverInterval=2592000
    log.instance.Error.type=system
    log.instance.NTAudit.NTEventSourceName=cert-testCA
    log.instance.NTAudit.enable=true
    log.instance.NTAudit.level=1
    log.instance.NTAudit.pluginName=NTEventLog
    log.instance.NTAudit.type=audit...
  • Page 354: Road Map To Configuring Subsystems

    Road Map to Configuring Subsystems
    log.instance.System.fileName=/usr/netscape/cert-testCA/logs/system
    log.instance.System.flushInterval=5
    log.instance.System.level=3
    log.instance.System.maxFileSize=100
    log.instance.System.pluginName=file
    log.instance.System.rolloverInterval=2592000
    log.instance.System.type=system
    oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension
    oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
    oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword
    oidmap.challenge_password.oid=1.2.840.113549.1.9.7
    oidmap.extended_key_usage.class=netscape.security.extensions.ExtendedKeyUsageExtension
    oidmap.extended_key_usage.oid=2.5.29.37
    oidmap.extensions_requested_pkcs9.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested
    oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14
    oidmap.extensions_requested_vsgn.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested
    oidmap.extensions_requested_vsgn.oid=2.16.840.1.113733.1.9.8
    oidmap.netscape_comment.class=netscape.security.x509.NSCCommentExtension
    oidmap.netscape_comment.oid=2.16.840.1.113730.1.13
    oidmap.ocsp_no_check.class=netscape.security.extensions.OCSPNoCheckExtension
    oidmap.ocsp_no_check.oid=1.3.6.1.5.5.7.48.1.5
    os.serverName=cert-testCA
    os.userid=nobody
    smtp.host=localhost
    smtp.port=25
    subsystem._000=##
    subsystem._001=## Loadable Subsystems
    subsystem._002=##
    subsystem.0.class=com.netscape.cmsstore.ca.CertificateAuthority
    subsystem.0.id=ca
    usrgrp._000=##
    usrgrp._001=## User/Group
    usrgrp._002=##
    usrgrp.ldap=internaldb...
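    As an added example (not code from the Netscape manual), a small Python parser for the dotted key=value format of CMS.cfg shown in the sample above, including the "##" banner pseudo-entries, followed by a few defensive review checks run over a constructed excerpt of that sample; the finding names and the SAMPLE_CFG excerpt are this example's own.

```python
"""Parse the CMS.cfg key=value format and review a few security-relevant settings."""
from collections import defaultdict

# Constructed excerpt, assembled from values in the sample CMS.cfg on this page.
SAMPLE_CFG = """\
auths.impl._000=##
auths.impl._001=## authentication manager implementations
auths.impl._002=##
authz.instance.DirAclAuthz.ldap.basedn=o=NetscapeCertificateServer
ca.Policy.rule.BasicConstraintsExt.enable=true
ca.Policy.rule.BasicConstraintsExt.implName=BasicConstraintsExt
ca.Policy.rule.BasicConstraintsExt.predicate=HTTP_PARAMS.certType == ca
ca.Policy.rule.KeyAlgRule.algorithms=RSA
ca.Policy.rule.KeyAlgRule.enable=true
ca.Policy.rule.KeyAlgRule.implName=KeyAlgorithmConstraints
ca.Policy.rule.RSAKeyRule.enable=false
ca.Policy.rule.RSAKeyRule.exponents=3,7,17,65537
ca.Policy.rule.SigningAlgRule.algorithms=MD5withRSA,MD2withRSA,SHA1withRSA,SHA1withDSA
ca.Policy.rule.SigningAlgRule.enable=true
ca.Policy.rule.SigningAlgRule.implName=SigningAlgorithmConstraints
ca.Policy.rule.UniqueSubjectName.enable=false
ca.Policy.rule.UniqueSubjectName.implName=UniqueSubjectName
ca.signing.defaultSigningAlgorithm=MD5withRSA
ca.signing.tokenname=internal
internaldb.ldapconn.host=localhost
internaldb.ldapconn.port=3602
internaldb.ldapconn.secureConn=false
"""


def parse_cms_cfg(text):
    """Return (params, banners). params maps each dotted key to its value;
    banners collects the '##' comment pseudo-entries (prefix._NNN=## text)
    under the prefix they annotate. Values may contain '=' themselves
    (basedn=o=..., predicate=... == ca), so split on the first '=' only."""
    params, banners = {}, defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        prefix, _, leaf = key.rpartition(".")
        if leaf.startswith("_") and value.startswith("##"):
            comment = value[2:].strip()
            if comment:  # the _000/_002 entries are empty banner borders
                banners[prefix].append(comment)
            continue
        params[key] = value
    return params, dict(banners)


def policy_rules(params):
    """Group ca.Policy.rule.<name>.<attr> entries by rule instance name,
    the unique name given when the rule instance was created."""
    rules, prefix = defaultdict(dict), "ca.Policy.rule."
    for key, value in params.items():
        if key.startswith(prefix):
            name, _, attr = key[len(prefix):].partition(".")
            rules[name][attr] = value
    return dict(rules)


WEAK_DIGESTS = ("MD2", "MD5")  # collision-broken digests; flag wherever they may sign


def review_findings(params):
    """Defensive review of the parsed parameters; returns sorted finding ids."""
    findings, rules = set(), policy_rules(params)
    for key in ("ca.signing.defaultSigningAlgorithm",
                "ca.ocsp_signing.defaultSigningAlgorithm"):
        if params.get(key, "").upper().startswith(WEAK_DIGESTS):
            findings.add("weak-default-signing-algorithm:" + key)
    sig = rules.get("SigningAlgRule", {})
    if sig.get("enable") == "true":
        allowed = [a for a in sig.get("algorithms", "").split(",") if a]
        if any(a.upper().startswith(WEAK_DIGESTS) for a in allowed):
            findings.add("weak-digest-permitted-by-SigningAlgRule")
    # RSA requests are accepted but the RSA key-size rule is switched off.
    if ("RSA" in rules.get("KeyAlgRule", {}).get("algorithms", "").split(",")
            and rules.get("RSAKeyRule", {}).get("enable") != "true"):
        findings.add("rsa-allowed-without-RSAKeyRule")
    if rules.get("UniqueSubjectName", {}).get("enable") != "true":
        findings.add("UniqueSubjectName-rule-disabled")
    # Directory Manager bind to the internal database without SSL; the host
    # value is appended so the reviewer can judge the exposure.
    if params.get("internaldb.ldapconn.secureConn") != "true":
        findings.add("internaldb-plaintext-ldap:" + params.get("internaldb.ldapconn.host", "?"))
    return sorted(findings)


if __name__ == "__main__":
    parsed, _ = parse_cms_cfg(SAMPLE_CFG)
    for finding in review_findings(parsed):
        print(finding)
```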
  • Page 355: Step 1. Check Which Subsystem Is Installed In The Instance

    Road Map to Configuring Subsystems Step 1. Check Which Subsystem is Installed in the Instance Log in to the CMS window for the CMS instance you installed, and check the navigation tree to see which subsystem is installed in that instance. To log in to the CMS window, see “Logging In to the CMS Window”...
  • Page 356: Step 5. Customize End-Entity And Agent Forms

    Road Map to Configuring Subsystems If you have installed remote Registration Managers that have certificates signed by third-party CAs (that is, not by a Certificate Manager), you should add their certificates to the Certificate Manager’s database to facilitate SSL client authenticated communication.
  • Page 357: Step 8. Schedule Jobs

    Road Map to Configuring Subsystems Step 8. Schedule Jobs Each CMS instance includes a Job Scheduler component that can execute specific jobs at specified times. The Job Scheduler functions similarly to a traditional Unix cron daemon in that it takes registered cron jobs and executes them at a preconfigured date and time.
  • Page 358: Step 11. Set Up Key Archival And Recovery

    Road Map to Configuring Subsystems • To configure a Certificate Manager to publish certificates and CRLs to a flat file, see “Configuring Certificate Manager to Publish to Files” on page 647. • To configure a Certificate Manager to publish CRLs to the Online Certificate Status Manager (an online validation authority), see “Setting Up a Remote OCSP Responder”...
  • Page 359: Chapter 11 Setting Up Ports

    Chapter 11 Setting Up Ports Subsystems installed in an instance of Netscape Certificate Management System (CMS) share certain configuration information. For example, they use the same administration, agent, and end-entity ports; internal database for data storage; mail server for automated notifications; internal token and trust database for PKI operations;...
  • Page 360: Remote Administration Port

    CMS Ports Figure 11-1 CMS ports for administration, agent, and end-entity operations. When choosing ports for Certificate Management System, be sure to choose ports that are unique on the host system—that is, no other application can be using, or attempting to use, the port numbers you assign to Certificate Management System. To verify that a port is available for use, check the appropriate file for your operating system;...
  • Page 361: Agent Port

    CMS Ports Agent Port The agent port is an SSL (encrypted) port at which Certificate Management System listens to requests from agents; agents make these requests from the appropriate Agent Services interface. • The Certificate Manager and Registration Manager agents use the agent port to process certificate issuance and management requests from end entities and to perform certain other privileged operations over HTTPS.
  • Page 362: Configuring Port Numbers

    Configuring Port Numbers • The HTTP port can be used to service end-entity-initiated PKI requests, such as enrollment, renewal, and revocation; enrollment requests can include requests from Cisco routers (using the CEP protocol). You have the choice of keeping this port enabled or disabled. •...
  • Page 363 Configuring Port Numbers Be sure to enter TCP/IP port numbers that are unique on the host system. Certificate Management System is capable of simultaneous SSL and non-SSL communications at the end-entity port. This means that you do not have to choose between SSL and non-SSL communications;...
  • Page 364: Step 2: Specify Ip Addresses

    Configuring Port Numbers Similarly, for issuing certificates to routers (using the CEP protocol), the port must be enabled. For details, see Chapter 25, “Setting Up CEP Enrollment.” To change the end-entity HTTPS port, locate this line and edit the value assigned to port <LS id="eeSSL"...
  • Page 365: Chapter 12 Setting Up Internal Database

    Chapter 12 Setting Up Internal Database Each instance of Netscape Certificate Management System (CMS) uses an instance of Netscape Directory Server as its private database for data storage. This chapter explains how to configure the private/internal database. The chapter has the following sections: •...
  • Page 366: Configuring The Internal Database

    Configuring the Internal Database The Directory Server instance used for the internal database is different from the LDAP-compliant directory that you use to manage your corporatewide data (users and groups, their certificates, CRLs, and so on). • In Netscape Console, you can distinguish an internal database instance from other Directory Server instances.
  • Page 367 Configuring the Internal Database Select the Configuration tab, and then in the right pane, select the Internal Database tab. Identify a Directory Server instance by providing the following details: Host name. Type the full host name of the machine on which Netscape Directory Server is installed.
  • Page 368: Step 2. Restrict Access To The Internal Database

    Configuring the Internal Database Port number. Type a TCP/IP port number; Certificate Management System uses this port for non-SSL communications with the Directory Server instance that is functioning as the internal database. Make sure that the port you specify is unique on the host system. Directory manager DN.
  • Page 369 Configuring the Internal Database In the Console tab, select the server group that contains the CMS instance you want. Select the entry that corresponds to the internal database to which you want to restrict access, and click Open. The Directory Server window appears. Select the Configuration tab.
  • Page 370 Configuring the Internal Database When the server is restarted, from Netscape Console, open the Directory Server window. The “Login to Directory” dialog box appears; the Distinguished Name field displays the Directory Manager DN and you’re required to enter the password that corresponds to this entry.
  • Page 371: Chapter 13 Managing Privileged Users And Groups

    Chapter 13 Managing Privileged Users and Groups Privileged users are users who are designated to perform privileged operations on Netscape Certificate Management System (CMS); these operations are privileged because no one else can perform them. You assign privileged-user status to a user by storing the user’s login information in the internal database of Certificate Management System, associating the user’s login information with a personal certificate (if the user is an agent or a trusted manager), and granting access...
  • Page 372: Privileged-User Types And Responsibilities

    Privileged-User Types and Responsibilities Privileged-User Types and Responsibilities After you install Certificate Management System, your first task is to set up privileged users. There are three types of privileged users: administrators, agents, and trusted managers. • Administrators are users (people) who manage server-specific tasks for the CMS managers, the Certificate Manager, Registration Manager, Data Recovery Manager, and Online Certificate Status Manager.
  • Page 373: Agents

    Privileged-User Types and Responsibilities Agents Agents are users who have been assigned end-entity certificate- and key-management privileges. Certificate Management System defines four agent roles, one for each of its subsystems: Certificate Manager agents, Registration Manager agents, Data Recovery Manager agents, and Online Certificate Status Manager agents.
  • Page 374 Privileged-User Types and Responsibilities Agents use the HTML forms-based interface called Agent Services Figure 13-1 Each subsystem installed in a CMS instance must have at least one agent. You can also have more than one individual managing agent services. You create agents by adding them to the internal database of a CMS instance, assigning membership in the appropriate agent groups, and identifying certificates that the agents must use for SSL client authentication to the subsystem (for it to service requests from the agents).
  • Page 375: Agent's Certificate For Ssl Client Authentication

    Privileged-User Types and Responsibilities Agent’s Certificate for SSL Client Authentication To make a user an agent for a subsystem, one of the things you must do is store the user’s client (personal) certificate information in the internal database of the subsystem.
  • Page 376 Privileged-User Types and Responsibilities When the user receives the certificate from the public CA, the user imports the certificate into the web browser that he or she will use to access the subsystem. It is a good idea to ask the user to inform you that the certificate has been installed.
  • Page 377 Privileged-User Types and Responsibilities Depending on how your Certificate Management System is configured for certificate issuance, one of the following events happens: If Certificate Management System is configured for manual certification, an issuing agent must process the request and approve it for issuance. Once the request is approved, the server issues the client certificate to the user.
  • Page 378: Revocation Status Checking Of Agent Certificates

    Privileged-User Types and Responsibilities Copy the base-64 encoded certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines, to a text file. The copied information should look similar to a base-64 encoded certificate block bounded by those marker lines. Save the text file and use it to store a copy of the certificate in a subsystem’s internal database (see “Step 3.
  • Page 379 Privileged-User Types and Responsibilities The configuration files of both Certificate Manager and Registration Manager include parameters that enable you to specify whether the server should do the revocation checking and if it should, at what interval. Note that the revocation-status verification works for only those agent certificates that have been issued by the Certificate Manager (and not by any third-party CAs).
  • Page 380: Trusted Managers

    Privileged-User Types and Responsibilities Table 13-1 Configuration parameters for checking the revocation status of agents’ certificates (Continued). Parameter name and description: revocationChecking.unknownStateInterval (continued): The default interval is 0 seconds. revocationChecking.validityInterval: Specifies how long, in seconds, the cached certificates are considered valid. Be judicious when choosing the interval, especially when configuring a Registration Manager.
  • Page 381: Subsystems That Can Function As Trusted Managers

    Privileged-User Types and Responsibilities Subsystems That Can Function as Trusted Managers In Certificate Management System, the Registration Manager and Certificate Manager can function as a trusted manager; the Data Recovery Manager and Online Certificate Status Manager cannot function as a trusted manager. You can configure a Certificate Manager to delegate its end-entity interactions to a trusted Registration Manager, for reasons of localizability (proximity to end entities), customizability, and CA scalability;...
  • Page 382: Connectors For Linking Trusted Managers

    Privileged-User Types and Responsibilities Connectors for Linking Trusted Managers Certificate Management System supports proprietary HTTPS connectors for linking CMS subsystems. You can use these connectors to make the following connections: • Registration Manager to Certificate Manager • Registration Manager to Data Recovery Manager •...
  • Page 383: Trusted Manager's Certificate For Ssl Client Authentication

    Privileged-User Types and Responsibilities During installation, Certificate Management System automatically creates a group with trusted manager privileges. For more information about this group, see “Group for Trusted Managers” on page 387. Trusted Manager’s Certificate for SSL Client Authentication By default, a Registration Manager that has been set up to function as a trusted manager uses its signing certificate for SSL client authentication to the subsystem that trusts it.
  • Page 384: Groups And Their Privileges

    Groups and Their Privileges Groups and Their Privileges In Certificate Management System, a group refers to a collection of privileged users—administrators, agents, or trusted Registration Managers. Each group has predetermined privileges, based on its access control. All users belonging to a group automatically inherit the privileges of that group.
  • Page 385: Groups For Agents

    Groups and Their Privileges Depending on the components you installed, create one or more privileged users and add them to the appropriate groups. It is recommended that you add at least one more user to the Administrators group. For instructions on creating privileged users and adding them to one or more groups, see “Setting Up Privileged Users”...
  • Page 386: Group For Registration Manager Agents

    Groups and Their Privileges For an agent to be able to carry on SSL client-authenticated communication with a Certificate Manager, additional configuration is required. See “Setting Up Agents” on page 391. Group for Registration Manager Agents When the Registration Manager is installed, a group called Registration is automatically created in its internal database.
  • Page 387: Group For Online Certificate Status Manager Agents

    Groups and Their Privileges For an agent to be able to carry on SSL client-authenticated communication with a Data Recovery Manager, additional configuration is required. See “Setting Up Agents” on page 391. Group for Online Certificate Status Manager Agents When the Online Certificate Status Manager is installed, a group called Online is automatically created in its internal...
  • Page 388: Setting Up Privileged Users

    Setting Up Privileged Users For a Registration Manager to be able to do SSL client-authenticated communication with a subsystem, additional configuration is required. See “Setting Up Trusted Managers” on page 397. Setting Up Privileged Users Setting up privileged users for a CMS instance involves adding the appropriate user information to the internal database of that instance.
  • Page 389 Setting Up Privileged Users In the navigation tree, select Users and Groups. The Users tab appears on the right pane. Click Add. The Select User Type window appears. Chapter 13 Managing Privileged Users and Groups...
  • Page 390 Setting Up Privileged Users Select Administrator and click OK. The Edit User Information window appears. Specify information as appropriate: User ID. Type a user ID or login name for the user. The ID can be an alphanumeric string of up to 255 characters. Give this ID to the user. The user is required to enter this ID in the login screen of the CMS window;...
  • Page 391: Setting Up Agents

    Setting Up Privileged Users Setting Up Agents You need an agent for each subsystem installed in a given CMS instance. To understand the role of an agent, see “Agents” on page 373. This section explains how to add agents to a CMS instance. You can set up agents for a CMS instance in two ways: •...
  • Page 392: Setting Up Agents Using The Manual Process

    Setting Up Privileged Users In the page that displays, select the “Show pending requests”, and click Find. In the list of certificate signing requests that displays, select the request you submitted. In the request approval form for user enrollment requests, verify the request. If required, adjust some of the parameters such as the subject name and validity period.
  • Page 393 Setting Up Privileged Users Step 1. Find the Required Information Before adding an agent to the internal database of a CMS instance: • Note the user’s corporate information, such as name, login ID, password, email address, and phone number. • Make sure the user has one or more client certificates that are currently valid;...
  • Page 394 Setting Up Privileged Users Click Add. The Select User Type window appears. Select Agent and click OK. The Edit User Information window appears. Specify information as appropriate. The information you enter here is to help you keep track of your agent users; the user never sees or uses it.
  • Page 395 Setting Up Privileged Users Group. Choose the appropriate agent group; for more information about this group, see “Groups for Agents” on page 385. When you set up a user, you can add her or him to only one group. To add the user to another group, see “Changing Members in a Group”...
  • Page 396 Setting Up Privileged Users Click inside the text area, and paste the user’s certificate in base-64 encoded form. Be sure to include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines. Click OK. You are returned to the Manage User Certificates window. The certificate you imported should now be listed in this window.
  • Page 397: Setting Up Trusted Managers

    Setting Up Privileged Users Click Refresh to view the updated configuration. Step 4. Check the Certificate Database for the CA Certificate The CA that signed the agent’s SSL client certificate must be trusted by the subsystem that services requests from the agent. Make sure that this CA’s certificate exists in the subsystem’s certificate database (internal or external) and that it is trusted.
  • Page 398: Setting Up A Registration Manager As A Trusted Manager

    Setting Up Privileged Users • The request-approval form for Certificate Manager’s SSL server certificate request includes a checkbox labeled “This certificate is for a Trusted Manager.” • Similarly, the request-approval form for Registration Manager’s signing certificate request includes a checkbox labeled “This certificate is for a Trusted Manager.”...
  • Page 399 Setting Up Privileged Users • Make sure that the Registration Manager has the certificate you want it to use for SSL client authentication to the subsystem that will trust it; by default, the Registration Manager uses its signing certificate for this purpose. The certificate must be currently valid;...
  • Page 400 Setting Up Privileged Users In the navigation tree, select Users and Groups. The Users tab appears. Click Add. The Select User Type window appears. Netscape Certificate Management System Installation and Setup Guide • May 2002...
  • Page 401 Setting Up Privileged Users Select Trusted Manager and click OK. The Edit User Information window appears. Specify information as appropriate. The information you enter here is to help you keep track of the Registration Manager; the subsystem never uses it. The subsystem relies solely on the Registration Manager’s SSL client certificate (which you will add in Step 3) for authentication.
  • Page 402 Setting Up Privileged Users Step 3. Copy the Registration Manager’s Certificate to the Internal Database In this step, you add a copy of the Registration Manager’s SSL client authentication certificate to the internal database of the subsystem and associate the certificate with the user entry you created in Step 2.
  • Page 403 Setting Up Privileged Users Click OK. You are returned to the Manage User Certificates window. The certificate you imported should now be listed in this window. To view the certificate you imported, select it and click View. The certificate information appears. Verify that the certificate you added is the correct one.
  • Page 404 Setting Up Privileged Users Step 5. Configure Registration Manager’s Connector Settings In this step, you configure the connector settings of the Registration Manager. This enables the Registration Manager to utilize the proprietary HTTPS connectors to communicate with the subsystem (following successful SSL client authentication). Log in to the CMS window for the Registration Manager (see “Logging In to the CMS Window”...
  • Page 405 Setting Up Privileged Users The Edit Connector dialog box appears. Select the Enable option to enable the connector configuration, and enter the appropriate information: Host. Type the full host name of the subsystem that trusts this Registration Manager; in this case, it would be the host name of the Certificate Manager. The Registration Manager uses this name to locate the Certificate Manager.
  • Page 406: Setting Up A Certificate Manager As A Trusted Manager

    Setting Up Privileged Users Setting Up a Certificate Manager as a Trusted Manager You can set up a Certificate Manager to function as a trusted manager to a remote Data Recovery Manager. The setup process involves the following steps: • Step 1.
  • Page 407 Setting Up Privileged Users To create a user entry with appropriate access privileges for a Certificate Manager: Log in to the CMS window for the Data Recovery Manager (see “Logging In to the CMS Window” on page 333). In the navigation tree, select Users and Groups. The Users tab appears in the right pane.
  • Page 408 Setting Up Privileged Users Select Trusted Manager and click OK. The Edit User Information window appears. Specify information as appropriate. The information you enter here is to help you keep track of the Certificate Manager; the Data Recovery Manager never uses it. The Data Recovery Manager relies solely on the Certificate Manager’s SSL server certificate (which you will add in Step 3) for authentication.
  • Page 409 Setting Up Privileged Users Step 3. Copy the Certificate Manager’s Certificate to the Internal Database In this step, you add the Certificate Manager’s SSL server certificate to the internal database of the Data Recovery Manager and associate the certificate with the user entry you created in Step 2.
  • Page 410 Setting Up Privileged Users To view the certificate you imported, select it and click View. The certificate information appears. Verify that the certificate you added is the correct one. Click Done. You are returned to the Users tab. Step 4. Check the Certificate Database for the CA Certificate The issuer of the Certificate Manager’s certificate that you added in Step 3 must be trusted by the Data Recovery Manager that services the key archival requests initiated by the Certificate Manager.
  • Page 411 Setting Up Privileged Users Step 5. Configure Certificate Manager’s Connector Settings In this step you configure the connector settings of the Certificate Manager. This enables the Certificate Manager to utilize the proprietary HTTPS connectors to communicate with the Data Recovery Manager (following successful SSL client authentication).
  • Page 412 Setting Up Privileged Users In the list of connectors, select Data Recovery Manager Connector and click Edit. The Edit Connector dialog box appears. Select Enable to enable the connector configuration. Select Remote, and enter the appropriate information: Host. Type the full host name of the Data Recovery Manager that trusts this Certificate Manager.
  • Page 413: Changing Privileged-User Information

    Changing Privileged-User Information Changing Privileged-User Information You can change privileged-user information in several ways: • To change the login information of a privileged user, see “Changing a Privileged User’s Login Information” on page 413. • To add or remove certificates of a privileged user, see “Changing a Privileged User’s Certificate”...
  • Page 414: Changing A Privileged User's Certificate

    Changing Privileged-User Information Click OK. You are returned to the Users tab. Click Refresh to view the updated configuration. Changing a Privileged User’s Certificate To change a privileged user’s certificate: Log in to the CMS window (see “Logging In to the CMS Window” on page 333).
  • Page 415: Changing Members In A Group

    Changing Privileged-User Information Click Refresh to view the updated configuration. Changing Members in a Group You can add or remove members from all groups. Keep in mind that the group for administrators must have at least one user entry. For details, see “Groups and Their Privileges”...
  • Page 416: Deleting A Privileged User

    Deleting a Privileged User In the Group Name list, select the group you want to change, and click Edit. The Edit Group Information window appears. Make the appropriate changes: To change the group description, type a new description in the “Group description”...
  • Page 417 Deleting a Privileged User In the navigation tree, select Users and Groups. The Users tab appears in the right pane. In the User ID list, select the user you want to delete, and click Delete. When prompted, confirm your action. If you click OK, the user entry is deleted from the internal database.
  • Page 419: Chapter 14 Managing Cms Keys And Certificates

    Chapter 14 Managing CMS Keys and Certificates The main subsystems of Netscape Certificate Management System (CMS)—the Certificate Manager, Registration Manager, Data Recovery Manager and Online Certificate Status Manager—use certificates for various purposes, including authentication during SSL-enabled communication. For example, when a Registration Manager forwards a certificate issuance request to a Certificate Manager for signing, the Certificate Manager expects the Registration Manager to have performed SSL client authentication before processing the request.
  • Page 420: Keys And Certificates For The Main Subsystems

    Keys and Certificates for the Main Subsystems Keys and Certificates for the Main Subsystems This section explains the various certificates required and used by the CMS managers: • Certificate Manager’s Key Pairs and Certificates • Registration Manager’s Key Pairs and Certificates •...
  • Page 421: Certificate Manager's Key Pairs And Certificates

    Keys and Certificates for the Main Subsystems All key pairs associated with CMS certificates must be well protected to ensure that they are never compromised. However, if you know or suspect that a key pair has been compromised, reissue the certificate with a new key pair. For instructions to get a new CMS certificate, see section “Getting New Certificates for the Subsystems”...
  • Page 422: Ocsp Signing Key Pair And Certificate

    Keys and Certificates for the Main Subsystems NOTE You cannot change the CA name; doing so would make all previously issued certificates invalid. Similarly, reissuing a Certificate Manager’s CA signing certificate with a new key pair invalidates all certificates that have been signed by the old key pair. OCSP Signing Key Pair and Certificate During the installation of a Certificate Manager, you’re given the option to enable its OCSP-service feature.
  • Page 423: Crl Signing Key Pair And Certificate

    Keys and Certificates for the Main Subsystems CRL Signing Key Pair and Certificate By default, a Certificate Manager you have installed uses the same key pair, the one that corresponds to the CA signing certificate explained in “CA Signing Key Pair and Certificate”...
  • Page 424 Keys and Certificates for the Main Subsystems Once you have the certificate request ready, submit it to the Certificate Manager so that it can issue a certificate—in the request submission screen of the wizard, use the auto-submission feature by entering the Certificate Manager’s hostname and port number so that the request gets added to the Certificate Manager’s agent queue.
  • Page 425: Ssl Server Key Pair And Certificate

    Keys and Certificates for the Main Subsystems <token_name> with the name of the token used for generating the key pair and the certificate. If you used the internal/software token, use Internal Key Storage Token as the value. For example, your edited entries might look like this: ca.crl_signing.cacertnickname=crlSigningCert cert-demoCA ca.crl_signing.defaultSigningAlgorithm=MD5withRSA ca.crl_signing.tokenname=Internal Key Storage Token...
  • Page 426: Registration Manager's Key Pairs And Certificates

    Keys and Certificates for the Main Subsystems If you configure the Certificate Manager for SSL-enabled communication with a publishing directory, the Certificate Manager also uses its SSL server certificate for SSL client authentication to the publishing directory. This is the default configuration.
  • Page 427: Ssl Server Key Pair And Certificate

    Keys and Certificates for the Main Subsystems SSL Server Key Pair and Certificate Every Registration Manager you have installed has at least one SSL server certificate. The first time you generated this certificate is when you installed the Registration Manager. The default nickname for the certificate is Server-Cert cert-<instance_id>, where <instance_id> identifies the CMS...
  • Page 428: Transport Key Pair And Certificate

    Keys and Certificates for the Main Subsystems Transport Key Pair and Certificate Every Data Recovery Manager you have installed has a Data Recovery Manager transport certificate. The public key of the key pair that is used to generate the transport certificate is used by the client software to encrypt an end user’s encryption private key before it is sent to the Data Recovery Manager for archival;...
  • Page 429: Ssl Server Key Pair And Certificate

    Keys and Certificates for the Main Subsystems SSL Server Key Pair and Certificate Every Data Recovery Manager you have installed has at least one SSL server certificate. The first time you generated this certificate is when you installed the Data Recovery Manager. The default nickname for the certificate is Server-Cert cert-<instance_id>, where <instance_id> identifies the CMS...
  • Page 430: Ssl Server Key Pair And Certificate

    Keys and Certificates for the Main Subsystems OCSP-compliant client that the Online Certificate Status Manager has processed the request. The first time you generated this certificate is when you installed the Online Certificate Status Manager. The default nickname for the certificate is ocspSigningCert cert-<instance_id>, where <instance_id> identifies the...
  • Page 431: Tokens For Storing Cms Keys And Certificates

    Tokens for Storing CMS Keys and Certificates Tokens for Storing CMS Keys and Certificates A token is a hardware or software device that performs cryptographic functions and optionally stores public-key certificates, cryptographic keys, and data defined by the application using the cryptographic services. Alternatively, a token can also be considered as a device that you can use to generate and store your key pairs and corresponding certificates.
  • Page 432: Installing External Tokens

    Tokens for Storing CMS Keys and Certificates http://developer.netscape.com/support/faqs/pkcs_11.html If you haven’t already done so, consider using external tokens for generating and storing the key pairs and certificates used by Certificate Management System. These devices represent another security measure you can take to safeguard private keys because hardware tokens are sometimes considered more secure than software tokens.
  • Page 433 Tokens for Storing CMS Keys and Certificates From the Console menu, choose Manage PKCS#11. The PKCS #11 Management window appears. Click Add. The Add PKCS #11 Module window appears. Enter information as appropriate. If you choose JAR as your file type, you are required to provide the path to the JAR file that contains the DLLs.
  • Page 434: Managing Tokens Used By The Subsystems

    Tokens for Storing CMS Keys and Certificates At the prompt, enter this command: <server_root>/shared/bin/modutil -dbdir . -nocertdb -create This creates the required security module database file (secmod.db) in the Administration Server’s configuration directory. At the prompt, enter this command: <server_root>/shared/bin/modutil -dbdir .
  • Page 435: Changing A Token's Password

    Tokens for Storing CMS Keys and Certificates Select the Configuration tab, and then in the right pane, select the Encryption tab. In the Map To section, check the Token drop-down list. It shows the names (as specified when the tokens were installed) of external tokens installed for the currently selected CMS instance.
  • Page 436: Hardware Cryptographic Accelerators

    Hardware Cryptographic Accelerators Hardware Cryptographic Accelerators Certificate Management System allows you to use hardware cryptographic accelerators with external tokens. Many of the accelerators provide the following security features: • Fast SSL connections—speed is important if you want your Certificate Manager, Registration Manager, or Data Recovery Manager to be able to accommodate a high number of simultaneous enrollment or service requests.
  • Page 437: Using The Wizard To Request A Certificate

    Certificate Setup Wizard When you start the wizard, which you do by clicking the Certificate Setup Wizard button in the Encryption tab of the CMS window (see the figure on page 434), you are asked to specify whether you want to request or install a certificate. The wizard presents you with the screens appropriate to your choice and walks you through the entire process.
  • Page 438: Step 1. Select The Operation

    Certificate Setup Wizard Step 1. Select the Operation Indicate whether you want to request a certificate or install a certificate. For the purposes of completing the instructions that follow, assume that you chose to request a certificate.
  • Page 439: Step 2. Choose The Certificate

    Certificate Setup Wizard Step 2. Choose the Certificate Choose the certificate (by name) that you want to request. The drop-down list shows various certificates used by the currently selected CMS instance. Choose the one you want to request—which certificates you see in the list depends on the subsystems installed in the currently selected CMS instance.
  • Page 440 Certificate Setup Wizard Depending on the certificate you want to generate, choose the one in the drop-down list: • Certificate Manager Signing Certificate—choose this option if you want to request a signing certificate for the Certificate Manager. If you choose this option, you must also specify whether the certificate request is for a self-signed CA (also known as the root CA) or a subordinate CA.
  • Page 441: Step 3. Specify The Key-Pair Information

    Certificate Setup Wizard Step 3. Specify the Key-Pair Information Specify the key-pair information for the certificate to be requested. You need to identify the following: • The token that contains the key pair for generating the certificate request—the drop-down list shows the names of tokens currently installed for the selected CMS instance;...
  • Page 442 Certificate Setup Wizard • The key pair for generating the certificate request—you can choose to generate the certificate request based on an existing or a new key pair. If you want to renew the certificate you selected in the previous step, use the existing key pair for generating the request.
  • Page 443: Step 4. Specify The Subject Name For The Certificate

    Certificate Setup Wizard Step 4. Specify the Subject Name for the Certificate Specify the subject name, in distinguished name (DN) format, for the certificate to be requested. Note that you will see this screen only if you chose to generate the certificate for a new key pair.
  • Page 444: Step 5. Specify The Validity Period

    Certificate Setup Wizard • Organizational unit—enter the organizational unit the server belongs to. For example, Marketing • Organization—enter a description that identifies your organization. For example, Example Corporation • Locality—enter the name of the city where your business is located. For example, Mountain View •...
  • Page 445: Step 6. Specify Extensions

    Certificate Setup Wizard Step 6. Specify Extensions You need to complete this step only if you chose to generate a CA signing certificate request for a Certificate Manager (deployed as either the root CA or a subordinate CA). This screen allows you to set the standard X.509 version 3 extensions and Netscape-defined extensions for the certificate to be requested.
  • Page 446 Certificate Setup Wizard • Netscape certificate type—select this option if you want to set any of the Netscape Certificate Type extension bits in the certificate you are requesting. When you select the option, the associated fields are enabled. You should select the ones you want to set.
  • Page 447: Step 7. Copy The Certificate Signing Request

    Certificate Setup Wizard Step 7. Copy the Certificate Signing Request Based on the information you’ve entered in the previous steps, the wizard now displays the certificate signing request (CSR). The request is in a base-64 encoded PKCS #10 format and is bounded by the marker lines -----BEGIN NEW CERTIFICATE REQUEST----- -----END NEW...
  • Page 448 Certificate Setup Wizard Table 14-1 Names of files created for certificate signing requests (certificate signing request: filename). Certificate Manager CA signing certificate: cacsr.txt. Certificate Manager OCSP signing certificate: ocspcsr.txt. Registration Manager signing certificate: racsr.txt. Data Recovery Manager transport certificate: kracsr.txt. Online Certificate Status Manager signing certificate: ocspcsr.txt. SSL server certificate...
  • Page 449 Certificate Setup Wizard Yes, it’s the SSL secure server port. Select this option if the end entity port number you specified is the SSL port for end entities. Click Next to submit your request to the CA. The Certificate Manager returns a request ID for your request. Note the request ID as you can use it later to get the certificate from the Certificate Manager to which you submitted the request.
  • Page 450 Certificate Setup Wizard Click the Enrollment tab. In the menu list, click the appropriate link: If the CSR is for a subordinate CA certificate, in the Server section, click the Certificate Manager link. If the CSR is for a Registration Manager’s signing certificate, in the Server section, click the Registration Manager link.
  • Page 451: Step 8. Check The Certificate Request Status

    Certificate Setup Wizard To send the CSR manually to an external or third-party CA: Copy the CSR, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- marker lines, to a text file. If you are running the wizard on a Windows NT system, you can also copy the CSR to the Windows clipboard.
  • Page 452: Using The Wizard To Install A Certificate Or Certificate Chain

    Certificate Setup Wizard Using the Wizard to Install a Certificate or Certificate Chain The Certificate Setup Wizard allows you to install or import the following certificates into either an internal or external token used by the currently selected CMS instance: •...
  • Page 453: Data Formats For Installing Certificates And Certificate Chains

    Certificate Setup Wizard Data Formats for Installing Certificates and Certificate Chains The wizard can accept certificates and certificate chains in several data formats. This section briefly explains the data formats recognized by the wizard. Binary Formats The wizard can recognize certificates and certificate chains in the following binary formats: •...
  • Page 454: Step 1. Select The Operation

    Certificate Setup Wizard Step 1. Select the Operation Indicate whether you want to request a certificate or install a certificate. For the sake of completing the instructions that follow, assume that you chose to install a certificate. Netscape Certificate Management System Installation and Setup Guide • May 2002...
  • Page 455: Step 2. Select The Certificate Or Certificate Chain

    Certificate Setup Wizard Step 2. Select the Certificate or Certificate Chain Select the certificate you want to install. The drop-down list shows various options. Depending on whether you want to install a CMS certificate, any other trusted CA certificate, or a CA certificate chain, choose the appropriate option from the list box: •...
  • Page 456: Step 3. Specify The Location Of The Certificate

    Certificate Setup Wizard • SSL Server Certificate—choose this option if you want to install an SSL server certificate for the CMS managers installed in the currently selected CMS instance. • Trusted CA Certificate Chain—choose this option if you want to install a trusted CA certificate chain;...
  • Page 457 Certificate Setup Wizard will be required to provide the wizard with the absolute path to that file. The file must be located in the host system the wizard is running. If the file is located elsewhere, exit from the wizard, copy the file to the local disk, and restart the wizard.
  • Page 458: Step 4. View The Certificate Or Certificate Chain

    Certificate Setup Wizard Step 4. View the Certificate or Certificate Chain The wizard displays the certificate or certificate chain you have chosen to install. Make sure you have chosen the right one; otherwise, use the Back button to go back and locate the right one.
  • Page 459: Step 6. Verify The Certificate Status

    Configuring the Server’s Security Preferences • If you installed (or imported) a certificate chain, the wizard adds (to the local trust database) the first certificate in the chain as a trusted CA certificate and any subsequent certificates as untrusted CA certificates. For more information on how the wizard installs a certificate chain, see “Using the Wizard to Install a Certificate or Certificate Chain”...
  • Page 460: Step 1. Get The Required Ssl Server Certificates

    Configuring the Server’s Security Preferences This configuration involves the following steps: • Step 1. Get the Required SSL Server Certificates • Step 2: Update the Configuration Step 1. Get the Required SSL Server Certificates You must first request and install the required number of SSL server certificates for the particular CMS instance.
  • Page 461: Getting An Ssl Client Certificate For A Subsystem

    Configuring the Server’s Security Preferences To change the certificate used for authenticating to the end-entity services interface, edit the value assigned to the servercertnickname parameter in the id="ee_nonSSL" section. To change the certificate used for authenticating to the SSL-enabled end-entity services interface, edit the value assigned to the parameter in the section.
  • Page 462: Setting Up Cipher Preferences For Ssl Communications

    Configuring the Server’s Security Preferences Once you have the certificate request ready, submit it to a CA so that it can issue a certificate. For general instructions to use the wizard to request a certificate, see section “Using the Wizard to Request a Certificate” on page 437. If you submitted the request to a Certificate Manager and if you have agent privileges for that Certificate Manager, log in to its Agent Services interface, locate the request, and check the request for required extensions.
  • Page 463: Ssl Ciphers Supported In Certificate Management System

    Configuring the Server’s Security Preferences SSL Ciphers Supported in Certificate Management System Figure 14-1 shows the ciphers supported by Certificate Management System (on the server side). The figure shows SSL 2.0 and 3.0 ciphers supported in the domestic (US and Canada) version of Certificate Management System. Note that Certificate Management System has received retail status from the United States Department of Commerce Bureau of Export Administration;...
  • Page 464: Configuring The Server To Use Specific Ciphers

    Configuring the Server’s Security Preferences CAUTION You might not want to check the options that say “No Encryption, only MD5 message authentication” and “No Encryption, only Fortezza and SHA message authentication.” The reason for this is, if no other ciphers are available on the client side, the server will use these and no encryption will occur.
  • Page 465: Getting New Certificates For The Subsystems

    Getting New Certificates for the Subsystems Select the Configuration tab, and then in the right pane, select the Encryption tab. Click SSL Cipher Preferences, and choose the appropriate options. For details, see “Setting Up Cipher Preferences for SSL Communications” on page 462.
  • Page 466: Step 1. Plan For The New Certificate

    Getting New Certificates for the Subsystems The sections that follow explain how to get new certificates for a Certificate Manager, Registration Manager, Data Recovery Manager, and Online Certificate Status Manager using the Certificate Setup Wizard. Alternatively, you can use the command-line utility called the Certificate Database tool ( ).
  • Page 467 Getting New Certificates for the Subsystems Before getting a new self-signed certificate for the Certificate Manager, therefore, you must address issues involved in deploying the new root CA certificate across your enterprise. Because each deployment would have very specific requirements, it is beyond the scope of this document to explain how you should deploy the new CA certificate.
  • Page 468 Getting New Certificates for the Subsystems • You can get any number of SSL server certificates. Decide on the CA that will sign the certificate If you want to get a new self-signed CA certificate, you don’t have to make this decision, because the CA itself signs it.
  • Page 469: Step 2. Request The New Certificate

    Getting New Certificates for the Subsystems Determine the token for generating the key pair Identify the token, internal or external, that you want to use to generate the key pair for the certificate and to store the certificate. For details, see “Tokens for Storing CMS Keys and Certificates”...
  • Page 470: Step 4. Deploy The New Certificate

    Getting New Certificates for the Subsystems Step 4. Deploy the New Certificate In this step, follow the instructions appropriate for the certificate you installed: • If you installed a new CA signing certificate for a Certificate Manager, see “Deploying Certificate Manager’s CA Signing Certificate” on page 470. •...
  • Page 471: Deploying Registration Manager's Signing Certificate

    Getting New Certificates for the Subsystems Open the enrollment page by going to this URL: https://<hostname>:<admin_port>/ca/adminEnroll.html Enter all the information and request a new certificate. If you need more information on getting the first agent certificate, see “Stage 3. Enrolling for Administrator/Agent Certificate” on page 271. Once you get the certificate, install it in your browser.
  • Page 472: Deploying Data Recovery Manager's Transport Certificate

    Getting New Certificates for the Subsystems Ensure that the CA that signed the Registration Manager’s certificate is in the certificate database of the subsystem. When a Registration Manager does SSL client authentication using its new certificate, the subsystem, as a part of validating the certificate presented by the Registration Manager, checks its trust database for the CA (certificate) that signed the Registration Manager’s new certificate.
  • Page 473: Deploying A Subsystem's Ssl Server Certificate

    Getting New Certificates for the Subsystems Figure 14-2 Data Recovery Manager’s transport certificate in the enrollment form. Replace the current MIME-64 string with the one for the new transport certificate. To copy the MIME-64 string for the new transport certificate, locate the new transport certificate;...
  • Page 474: Renewing Certificates For The Subsystems

    Renewing Certificates for the Subsystems • To configure the server to use this certificate for authenticating to one of the clients, see “Configuring the Server to Use Separate SSL Server Certificates” on page 459. • To configure the Certificate Manager to use this certificate for authenticating to the publishing directory, see “Step 5.
  • Page 475: Step 1. Plan For Certificate Renewal

    Renewing Certificates for the Subsystems Step 1. Plan for Certificate Renewal Renewing a CMS manager’s certificate requires careful planning. This section provides some guidelines that will help you renew the certificate smoothly. Before renewing a certificate: • Note the subject DN and nickname of the certificate you want to renew. If you are planning on renewing the CA signing certificate of a Certificate Manager, make sure that the Certificate Manager has updated your LDAP directory, file, and OCSP responder with the most current certificate and CRL...
  • Page 476: Step 2. Renew The Existing Certificate

    Renewing Certificates for the Subsystems Step 2. Renew the Existing Certificate Once you have all the information, go ahead and renew the certificate. The Certificate Setup Wizard built into the CMS window automates the process of renewing certificates used by the CMS managers. The wizard can generate a certificate request based on the existing key pair and submit the request to a CA for signing.
  • Page 477: Step 3. Install The Renewed Certificate

    Renewing Certificates for the Subsystems The wizard also deletes the old certificate from the server’s certificate database and adds the renewed certificate to the database, so that the server is able to use the renewed certificate upon restart. This feature restricts you to set the value of the notBefore attribute of the renewed certificate to either the current time or any time in the past, but not in the future.
  • Page 478: Deploying Certificate Manager's Renewed Ca Signing Certificate

    Renewing Certificates for the Subsystems For all certificates, make sure that the CA-chain verification takes place smoothly. For example, if you requested the certificate from a different CA, be sure to import a CA certificate into the certificate database of the subsystem using the Certificate Setup Wizard.
  • Page 479: Deploying Data Recovery Manager's Renewed Transport Certificate

    Renewing Certificates for the Subsystems Ensure that the CA that signed the Registration Manager’s certificate is in the trust database of the subsystem. When a Registration Manager does SSL client authentication using its renewed certificate, the subsystem, as a part of validating the certificate presented by the Registration Manager, checks its trust database for the CA (certificate) that signed the Registration Manager’s renewed certificate.
  • Page 480: Deploying A Subsystem's Renewed Ssl Server Certificate

    Renewing Certificates for the Subsystems Figure 14-3 Data Recovery Manager’s transport certificate in the enrollment form. Replace the current MIME-64 string with the one for the renewed transport certificate. To copy the MIME-64 string for the renewed transport certificate, locate the certificate;...
  • Page 481: Step 5. Restart The Server

    Managing the Certificate Database By default, the Certificate Manager and Registration Manager use a single SSL server certificate to do server-side authentication to all the CMS ports. If a Certificate Manager is configured for SSL client authenticated communication with the publishing directory, it also uses the SSL server certificate for authenticating to the publishing directory.
  • Page 482: Viewing The Certificate Database Content

    Managing the Certificate Database NOTE Certificate Management System also provides a command-line utility called certutil for managing its certificate database. For details about this tool, check this site: http://www.mozilla.org/projects/security/pki/nss/tools/ Viewing the Certificate Database Content Each CMS instance has a certificate database that contains the list of certificates the server uses.
  • Page 483 Managing the Certificate Database Click Manage Certificate. The Certificate Database Management window appears. The window lists the certificates in a table, with each certificate occupying a row. The certificates are listed in alphabetical order. If the database contains multiple certificates with the same nickname, they are sorted by their validity periods;...
  • Page 484: Deleting A Certificate From The Certificate Database

    Managing the Certificate Database Deleting a Certificate From the Certificate Database By default, the CMS certificate database includes a few public or third-party CA certificates. As an administrator, you should periodically check the contents of the certificate database and make sure that it doesn’t include any unwanted CA certificates.
  • Page 485: Changing The Trust Settings Of A Ca Certificate

    Managing the Certificate Database Changing the Trust Settings of a CA Certificate Certificate Management System relies on the CA certificates in its certificate database for validating certificates it receives during an SSL-enabled communication. For example, when a Certificate Manager is authenticating a Registration Manager that has sent a certificate signing request, the Certificate Manager checks its certificate database to see whether the CA that has signed the certificate presented by the Registration Manager is included in the database as a...
  • Page 486 Managing the Certificate Database Select the CA certificate whose trust setting you want to modify, and click Edit. The Certificate Information window appears. The window shows detailed information about the selected certificate, including serial number, validity period, subject name, issuer name, certificate fingerprint, and trust status.
  • Page 487: Installing A New Ca Certificate In The Certificate Database

    Managing the Certificate Database Installing a New CA Certificate in the Certificate Database You may need to install new trusted CA certificates in the certificate database of a CMS instance. For example, assume that you renewed the signing certificate of a Registration Manager.
  • Page 489: Chapter 15 Setting Up End-User Authentication

    Chapter 15 Setting Up End-User Authentication Netscape Certificate Management System (CMS) provides a customizable authentication component that supports various methods for authenticating end users. This chapter provides an introduction to various parts of Certificate Management System that require authentication and explains how to configure a Certificate Manager and Registration Manager to use specific authentication plug-in modules for authenticating end users during certificate enrollment.
  • Page 490: Privileged-User Authentication

    Introduction to Authentication • Administrators—privileged users who connect to the server to do system or server administration tasks • Agents—privileged users who connect to the server to do agent operations This section explains how Certificate Management System identifies and authenticates these users, and it provides details about the various authentication methods supported by the server.
  • Page 491 Introduction to Authentication CMS authentication of a user with administrator privileges Figure 15-1 These are the steps shown in Figure 15-1: An administrator opens Netscape Console and attempts to log in to the CMS window by entering the user ID and password at the login prompt. The server takes the administrator’s user ID and password and binds them to privileged-user entries in its internal database.
  • Page 492: Authentication Of Agents

    Introduction to Authentication Authentication of Agents When an agent makes a request to Certificate Management System (from the appropriate Agent Services interface), the server needs to authenticate the agent before processing the request. To facilitate this, Certificate Management System supports a certificate-based authentication method. Certificate Management System identifies and authenticates a user with agent privileges by checking the user’s SSL client certificate in its internal database.
  • Page 493 Introduction to Authentication Registration Manager authentication of a user with Registration Manager agent privileges Figure 15-2 This example shows these steps: An agent opens a web browser and enters the URL to the Registration Manager Agent Services interface hosted by the Registration Manager. The server requests the client for SSL client authentication.
  • Page 494 Introduction to Authentication Upon receiving the certificate, the Registration Manager performs the following authentication and authorization process: First, it verifies that the certificate exists in its internal database. Next, it verifies that the certificate is a valid client certificate. If the certificate is valid, the Registration Manager proceeds.
  • Page 495: End-Entity Authentication

    Introduction to Authentication End-Entity Authentication This section provides an overview of how Certificate Management System authenticates end entities during certificate enrollment, renewal, and revocation processes. Authentication of End Entities During Certificate Enrollment When an end entity submits a certificate request, a Certificate Manager or Registration Manager’s first task is to identify and authenticate the end entity.
  • Page 496 Introduction to Authentication • The certificate being presented by the end user for renewal must be currently valid or must have expired; it cannot have been revoked. • The validity period of a renewed certificate is determined by the policy rule explained in “RenewalValidityConstraints Plug-in Module”...
  • Page 497: Authentication Of End Users During Certificate Revocation

    Introduction to Authentication If you want to change the form content to suit your organization’s requirements, edit the following file: <server_root>/cert-<instance_id>/web-apps/ee/<subsystem>/UserRenewal.html For details on individual form elements, see the online help available by clicking the Help button on the form. For more information on customizing the form, see CMS Customization Guide.
  • Page 498 Introduction to Authentication Revoking a certificate using the challenge password is useful in certain situations. For example, if you issue a single certificate to a user and the user is unable to use the certificate due to loss of corresponding key pair, it’s not possible for the user to revoke his or her own certificate using the SSL client authenticated revocation method.
  • Page 499 Introduction to Authentication Here are a few things, in addition to the ones listed on page 498, to keep in mind about SSL client authenticated revocation: • The certificate being presented by the user for revocation must be issued by a Certificate Manager.
  • Page 500 Introduction to Authentication • The user must have requested the certificate using the manual enrollment method—only the default manual enrollment form includes fields for entering the challenge password when requesting a certificate. • The user can revoke only those certificates that contain the specified serial number with the corresponding challenge password.
  • Page 501: Configuring Authentication For End-User Enrollment

    Configuring Authentication for End-User Enrollment If you want to change the forms to suit your organization’s requirements, you can edit the following files: • ChallengeRevoke1.html (the form that allows challenge password based revocation of client or personal certificates) • UserRevocation.html (the form that allows SSL client authenticated revocation of client or personal certificates) Both the files are located here:...
  • Page 502: Step 1. Before You Begin

    Configuring Authentication for End-User Enrollment NOTE If you do not configure a Certificate Manager or Registration Manager to use any of the registered authentication plug-in modules, the server uses manual authentication for end-user enrollment. This means that all end-user enrollment requests are queued for agent approval.
  • Page 503: Step 2. Set Up The Directory For Pin-Based Enrollment

    Configuring Authentication for End-User Enrollment If you decided to use the portal authentication module, note the LDAP directory-specific information. • Determine the enrollment form you want your users to use. Decide whether you want to customize it. The next step depends on the authentication module you chose: •...
  • Page 504: Step B. Update The Directory

    Configuring Authentication for End-User Enrollment Step B. Update the Directory By default, the PIN Generator modifies the attribute in a directory’s user entry. Because this attribute is not part of the standard organizationalPerson, it’s likely that the user entries in your directory do not contain the attribute.
  • Page 505: Step C. Prepare The Input File

    Configuring Authentication for End-User Enrollment The tool modifies the schema with a new attribute (by default, ) and a new object class (by default, pinPerson), creates a user (pinmanager), and sets the ACI to allow only that user to modify the attribute.
  • Page 506: Step E. Check The Output File

    Configuring Authentication for End-User Enrollment Step E. Check the Output File Check the output file to be sure it contains PINs for your users; the output should look similar to the one specified in PIN Generator documentation. Next, verify that the tool has assigned PINs to the correct users and that the PINs conform to the length and character-set restrictions you specified.
  • Page 507 Configuring Authentication for End-User Enrollment The above mentioned process works smoothly if a Certificate Manager or Registration Manager is configured to use the master directory for authenticating users. The process may not work smoothly in deployment scenarios that involve replicated directories. In these scenarios, you need to use the Attribute Present Constraints policy to verify that the PIN has been removed from the directory.
  • Page 508 Configuring Authentication for End-User Enrollment certificates, successive certificate requests would fail because the PIN has been removed from the master directory. This way, even if the Registration Manager authenticates successive requests, the Certificate Manager rejects them, thus ensuring that a user has only one certificate. If you are not familiar with the Attribute Present Constraints policy, see section “AttributePresentConstraints Plug-in Module”...
  • Page 509: Step 4: Add An Authentication Instance

    Configuring Authentication for End-User Enrollment Select AttributePresentConstraints and click Next. The Policy Rule Editor window appears. It lists the configuration information required for this policy rule. Enter the appropriate information. Click OK to save your configuration. You are returned to the Policy Rules Management tab. If required, click the Reorder button and order the rules as appropriate.
  • Page 510 Configuring Authentication for End-User Enrollment When naming an authentication instance (or rule), be sure to formulate the name using any combination of letters (aA to zZ), digits (0 to 9), an underscore (_), and a hyphen (-); other characters and spaces are not allowed. For example, you can type as the instance name, but not My_Auth_Rule MyAuthRule...
  • Page 511 Configuring Authentication for End-User Enrollment Figure 15-5 shows the default directory-based enrollment form configured to use an authentication instance named UserDirEnrollment Figure 15-5 Authentication information in the default directory-based enrollment form For information on locating and customizing the default end-entity forms, see CMS Customization Guide.
  • Page 512 Configuring Authentication for End-User Enrollment Click Add. The Select Authentication Plugin Implementation window appears. It lists the currently registered authentication plug-in modules. Select a plug-in module. The following choices are the ones provided by default with Certificate Management System. If you have registered any custom authentication plug-in modules, they too will be available for selection.
  • Page 513 Configuring Authentication for End-User Enrollment NISAuth. Select this if you want to use the NIS server-based authentication module. PortalEnroll. Select this if you want to use the portal authentication module. For the purposes of this instruction, assume that you selected UidPwdPinDirAuth Click Next.
  • Page 514: Step 5. Set Up The Enrollment Interface

    Configuring Authentication for End-User Enrollment If you don’t want to use the default instance name, in the Authentication Instance ID field, type a unique name for this instance that will help you identify it. For the name, be sure to use an alphanumeric string with no spaces. If you chose to use a different name, be sure to edit the default name in the enrollment form in the next step, “Step 5.
  • Page 515: Step B. Customize The Form

    Configuring Authentication for End-User Enrollment Locate the file that corresponds to the authentication module you chose in “Step 4: Add an Authentication Instance” on page 509; use Table 15-1 for guidance. Open the file in a text editor. Locate the attribute that associates the authentication instance with the enrollment form.
  • Page 516 Configuring Authentication for End-User Enrollment By default, the form named is hooked up to the CertBasedDualEnroll.html Enrollment tab of the end-entity interface. You can replace this form with either of the other two forms, CertBasedEncryptionEnroll.html ; you can do this by uncommenting the script CertBasedSingleEnroll.html relevant to either of the forms in the index file and by commenting out the script for —thus, effectively unhook the old one and hook the...
  • Page 517 Configuring Authentication for End-User Enrollment count++; if (http != 'true') { // this one is directory based cert-based if ( isAuthMgrEnabled("UidPwdDirAuth") ) { item = 'certBasedEncEnroll'; menuItems[count] = top.EnrollMenu[count] = new menuItem(item, 'CertBasedEncryptionEnroll.html', 'Certificate'); If you want to enable the form, search for CertBasedSingleEnroll.html .
  • Page 518: Step D. Remove Unwanted Enrollment Options

    Configuring Authentication for End-User Enrollment By default, a link named Certificate will be created under the Browser Certificate section. If you want to rename the link, replace Certificate in the following line with the new name: new menuItem(item, 'CertBasedDualEnroll.html', 'Certificate'); Save your changes and close the file. Step D.
  • Page 519: Step 6. Enable End-Entity Interaction

    Configuring Authentication for End-User Enrollment Step 6. Enable End-Entity Interaction You can configure end-entity interaction with a Certificate Manager or a Registration Manager, or with both. End entities cannot interact with a Data Recovery Manager directly; they must interact through a Certificate Manager or Registration Manager.
  • Page 520 Configuring Authentication for End-User Enrollment In the Certificate Validity section, check the “Override validity nesting requirement” option, if you want the Certificate Manager to issue certificates with validity periods beyond that of its CA signing certificate; see “CA Signing Key Pair and Certificate” on page 421). If you leave the box unchecked and if the Certificate Manager (CA) finds a request with validity period extending beyond that of its CA signing certificate, it automatically truncates the validity period to end on the day the...
  • Page 521: Enabling End-Entity Interaction With A Registration Manager

    Configuring Authentication for End-User Enrollment Note that the signing algorithm specified in the Certificate Manager’s policy configuration overrides the algorithm you select here. For information on a Certificate Manager’s policy configuration, see the SigningAlgorithmConstraints policy plug-in module in CMS Plug-Ins Guide. To save your changes, click Save.
  • Page 522: Step 7. Turn On Automated Notification

    Configuring Authentication for End-User Enrollment To save your changes, click Save. The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server. Step 7. Turn on Automated Notification Both the Certificate Manager and the Registration Manager can send certificate-issuance notification to end users.
  • Page 523: Step 9. Deliver Pins To End Users

    Configuring Authentication for End-User Enrollment If you’ve set up the directory- and PIN-based authentication with PIN removal, reenroll for another certificate using the same PIN. Your request should get rejected. If you’ve set up the portal enrollment, verify that an entry for the user is created in the directory.
  • Page 524: Setting Up Agent Initiated End User Enrollment

    Setting Up Agent Initiated End User Enrollment • Mail—you can mail PINs to users, for example along with their pay stubs or slips. • Personal delivery—you can arrange a secure means of delivering the password to the user, or ask the user to collect it from you in person. Setting Up Agent Initiated End User Enrollment The Registration Manager enables end users to enroll for a certificate in person by going to a Registration Manager agent.
  • Page 525: Deleting An Authentication Instance

    Managing Authentication Instances For information on adding or changing authentication-specific information in the configuration file, see “Changing the Configuration by Editing the Configuration File” on page 338. Deleting an Authentication Instance You can delete an authentication instance that you no longer need from the CMS configuration.
  • Page 526 Managing Authentication Instances When you modify an authentication instance, the CMS configuration is updated to include the modifications. Because you are not changing the name of the authentication instance, you do not have to make any changes to the end-user servlet configuration.
  • Page 527: Managing Authentication Plug-In Modules

    Managing Authentication Plug-in Modules For the purposes of completing these instructions, assume you selected UserDirEnrollment Make changes as appropriate. If you need description for any of the parameters, click the Help button or check the CMS Plug-Ins Guide. Click OK. The CMS configuration is modified.
  • Page 528: Registering An Authentication Module

    Managing Authentication Plug-in Modules Registering an Authentication Module You can register custom authentication plug-in modules from the CMS window. Registering a new authentication module involves specifying the name of the module and the full name of the Java class that implements the authentication interface.
  • Page 529: Deleting An Authentication Module

    Managing Authentication Plug-in Modules Click Register. The Register Authentication Plugin Implementation window appears. Specify which module you want to register: Plugin name. Type a name for the module. Class name. Type the full name of the class for this module—that is, the path to the implementing Java class.
  • Page 530 Managing Authentication Plug-in Modules In the Plugin Name list, select the module you want to delete and click Delete. When prompted, confirm the delete action. The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.
  • Page 531: Chapter 16 Setting Up Automated Notifications

    Chapter 16 Setting Up Automated Notifications Netscape Certificate Management System can send email notifications automatically when certain events occur. Unlike jobs that are executed on a preconfigured schedule, these notifications are event-driven—that is, whenever an event occurs, the server notifies the user. Notifiable events include certificate issuance and pending requests in an agent queue.
  • Page 532: Notifications Of Certificate Issuance To End Entities

    Automated Notifications • Notification of New Request in Queue—agents are notified by email that a request has been added to the request queue. Alternatively (or in addition) a schedulable job can notify agents at regular intervals of the current state of the request queue;...
  • Page 533: Notification Of New Request In Queue

    Automated Notifications Note that you can customize the email resolver using the class included as a sample at this location: <server_root>/cms_sdk/cms_jdk/samples/resolvers/ReqCertSANameEmailResolver.java The template that the listener uses to construct the email notification message is located in the configured directory. This directory has the following default location: <server_root>/cert-<instance_id>/emails You can configure both the path and filename of the template file.
  • Page 534: Customizing Notification Messages

    Customizing Notification Messages The template that the listener uses to construct the email notification message is located in the configured directory. This directory has the following default location: <server_root>/cert-<instance_id>/emails You can configure both the path and filename of the template file. You can also modify the template to customize the contents and appearance of the messages;...
  • Page 535 Customizing Notification Messages Table 16-1 Default templates for event-triggered notifications (Continued)
    Filename | Description
    certIssued_CA.html | Template for the Certificate Manager to send HTML-based notifications to end entities upon issuance of certificates.
    certIssued_RA | Template for the Registration Manager to send plain-text notifications to end entities upon issuance of certificates.
    certIssued_RA.html | Template for the Registration Manager to send HTML-based notifications to end entities upon issuance of certificates.
  • Page 536: Customizing Message Templates

    Customizing Notification Messages file is named certIssued_CA.htm, the certRequestRejected file must be named certRequestRejected.htm. The HTML file extensions permitted are .htm, .html, .HTM, and .HTML. Template files with any other extension (or no extension) are treated as text files. If you change the name of any of these files, be sure to make the appropriate changes to the configuration (see the “Content template file”...
  • Page 537: Tokens Available In Message Templates

    Customizing Notification Messages For example, a certificate-issuance-notification message can make use of tokens as follows:
    ------------------------------------
    CERTIFICATE ISSUANCE NOTIFICATION
    ------------------------------------
    Your certificate request ($RequestId) has been processed successfully.
    Details of your certificate are as follows:
    Serial Number= $SerialNumber
    SubjectDN= $SubjectDN
    IssuerDN= $IssuerDN
    Validity Period= $NotBefore - $NotAfter
    To get your certificate, please follow this URL:...
  • Page 538: Tokens For Rejection Notifications To End Entities

    Customizing Notification Messages Table 16-2 Tokens defined in templates used for certificate-issuance notifications
    Token | Description
    $HttpHost | Specifies the fully qualified host name of the Certificate Manager or Registration Manager to which end entities should connect to retrieve their certificates. (This token enables you to construct the URL from which end entities can download their certificates;...
  • Page 539: Tokens For Request In Queue Notification Messages

    Configuring a Subsystem to Send Notifications Table 16-3 Tokens defined in templates used for request-rejection notifications
    Token | Description
    $InstanceID | Specifies the ID assigned to the subsystem that sent this notification. • If the notification is sent by a Certificate Manager, this will be ca. •...
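    The extension rule and the token substitution described above, as an added example in Python (this is not code from Netscape CMS): it classifies a template file as HTML or text using exactly the .htm/.html/.HTM/.HTML rule, substitutes $Token values, and, for HTML templates, HTML-escapes the values because $SubjectDN is taken from the end entity's own enrollment request. The sample template, the token values and the download URL path are constructed for the example, and the escaping step is an addition this page does not describe.

```python
import html
import re
from pathlib import PurePath

# Extensions the guide says mark a template as HTML; anything else is plain text.
HTML_EXTENSIONS = {".htm", ".html", ".HTM", ".HTML"}

# Tokens in the templates look like $RequestId, $SubjectDN, ...
TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def content_type_for(template_filename):
    """Apply the extension rule: only .htm/.html/.HTM/.HTML yield an HTML body."""
    suffix = PurePath(template_filename).suffix
    return "text/html" if suffix in HTML_EXTENSIONS else "text/plain"


def render(template, tokens, as_html):
    """Substitute $Token values; escape them for HTML bodies; reject unknown tokens.

    $SubjectDN originates in the enrollment request, i.e. from the end entity, so an
    HTML template must not interpolate it raw (assumption: CMS does not escape for
    you, so this example does it here)."""
    def substitute(match):
        name = match.group(1)
        if name not in tokens:
            # A typo in a customised template would otherwise mail a literal "$Foo".
            raise KeyError("template references undefined token $" + name)
        value = str(tokens[name])
        return html.escape(value, quote=True) if as_html else value
    return TOKEN_RE.sub(substitute, template)


def build_notification(template_filename, template, tokens):
    ctype = content_type_for(template_filename)
    body = render(template, tokens, as_html=(ctype == "text/html"))
    return {"content_type": ctype, "body": body}


# Constructed sample template, modelled on the issuance message in the guide.
CERT_ISSUED_TEMPLATE = (
    "CERTIFICATE ISSUANCE NOTIFICATION\n"
    "Your certificate request ($RequestId) has been processed successfully.\n"
    "Serial Number= $SerialNumber\n"
    "SubjectDN= $SubjectDN\n"
    "IssuerDN= $IssuerDN\n"
    "Validity Period= $NotBefore - $NotAfter\n"
    "To get your certificate, please follow this URL:\n"
    "https://$HttpHost/displayBySerial?serialNumber=$SerialNumber\n"
)

# Constructed token values; the URL path above is an assumption, not the CMS one.
# The subject carries markup to show why HTML bodies need escaping.
SAMPLE_TOKENS = {
    "RequestId": "42",
    "SerialNumber": "0x1f",
    "SubjectDN": "CN=Jane Doe <script>alert(1)</script>,O=example.com",
    "IssuerDN": "CN=rootCA,O=example.com",
    "NotBefore": "2002-05-01 11:20",
    "NotAfter": "2003-05-01 11:20",
    "HttpHost": "ca.example.com",
}


def sample_text_notification():
    return build_notification("certIssued_CA", CERT_ISSUED_TEMPLATE, SAMPLE_TOKENS)


def sample_html_notification():
    return build_notification("certIssued_CA.html", CERT_ISSUED_TEMPLATE, SAMPLE_TOKENS)


if __name__ == "__main__":
    print(sample_html_notification()["body"])
```

    Note that the extension check is case-sensitive in the same way the guide describes it: certIssued_CA.Html would be mailed as plain text.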
  • Page 540: Step 1. Before You Begin

    Configuring a Subsystem to Send Notifications
    • Step 3. Turn on Request in Queue Notification
    • Step 4. Verify Mail Server Settings
    • Step 5. Test Your Configuration
    Step 1. Before You Begin
    • Read section “Automated Notifications” on page 531 and decide which of the two notification features you want to turn on.
  • Page 541: Step 3. Turn On Request In Queue Notification

    Configuring a Subsystem to Send Notifications To enable the notification feature, check the “Enable Certificate Issued notification” option. In the Email Information Settings section, enter information as appropriate: Sender’s E-mail Address. Type the sender’s full email address (this is the person who should be notified of any delivery problems).
  • Page 542 Configuring a Subsystem to Send Notifications To enable the notification feature, check the “Enable Request In Queue notification” option. Enter information as appropriate: Sender’s E-Mail Address. Type the sender’s full email address (this is the person who should be notified of any delivery problems). Subject.
  • Page 543: Step 4. Verify Mail Server Settings

    Configuring a Subsystem to Send Notifications Step 4. Verify Mail Server Settings To identify the mail server that the Certificate Manager or Registration Manager should use for routing email notifications: In the CMS window, select the Configuration tab, and then in the right pane, select the SMTP tab.
  • Page 544: Step 5. Test Your Configuration

    Configuring a Subsystem to Send Notifications Step 5. Test Your Configuration To test whether the subsystem you configured sends email notifications: Change the email addresses in the notification configuration to your email address. Go to the end-entity interface and request a certificate using the manual enrollment form.
  • Page 545: Chapter 17 Scheduling Automated Jobs

    Chapter 17 Scheduling Automated Jobs Netscape Certificate Management System (CMS) provides a customizable Job Scheduler component that supports cron-style mechanisms for scheduling jobs. This chapter explains how to configure Certificate Management System to use specific job plug-in modules for accomplishing jobs. The chapter also shows how plug-in implementations and configured instances for various job items appear in the configuration file.
  • Page 546: Step 1. Before You Begin

    Configuring a Subsystem to Run Automated Jobs For information on adding or changing job-specific information in the configuration file, see “Changing the Configuration by Editing the Configuration File” on page 338. Step 1. Before You Begin Before configuring a Certificate Manager or Registration Manager to run jobs, be sure to do the following: •...
  • Page 547 Configuring a Subsystem to Run Automated Jobs After installation, you must verify whether you want to use these jobs, check how these jobs are configured, and make the appropriate configuration changes. If you don’t want to use a job, delete it from the configuration following the instructions in “Step 3.
  • Page 548 Configuring a Subsystem to Run Automated Jobs In the navigation tree, select Job Scheduler, then select Jobs. The Job Instance tab appears (Figure 17-1) showing the default jobs. In the Instance Name list, select a job that you want to modify. For the purposes of this instruction, assume that you selected the job named unpublishExpiredCerts. Click Edit/View.
  • Page 549: Step 3. Delete Unwanted Jobs

    Configuring a Subsystem to Run Automated Jobs Step 3. Delete Unwanted Jobs You can delete unwanted jobs from the CMS configuration, by using the CMS window. If you think you might need a job in the future, instead of deleting it from the configuration you should disable it by setting the value of the enable parameter to...
  • Page 550 Configuring a Subsystem to Run Automated Jobs Figure 17-2 Default job modules registered with a Certificate Manager
    Table 17-2 Job modules registered with a Certificate Manager and Registration Manager
    Job plug-in module name | Provided with Certificate Manager | Provided with Registration Manager
    RenewalNotificationJob
    RequestInQueueJob
    UnpublishExpiredJob...
  • Page 551 Configuring a Subsystem to Run Automated Jobs Select a module. For the purposes of this instruction, assume that you selected the RenewalNotificationJob module. Click Next. The Configure Job Instance Parameters window appears. It lists the configuration information required for this job. Enter the appropriate information.
  • Page 552 Configuring a Subsystem to Run Automated Jobs notifyTriggerOffset. Type the number of days before certificate expiration the first notification should be sent. For example, if you want the server to send renewal notifications to users 30 days before their certificates expire, type 30. notifyEndOffset.
  • Page 553: Step 5. Schedule The Frequency

    Configuring a Subsystem to Run Automated Jobs summary.emailTemplate. Type the full path, including the filename, of the template to be used for formulating the summary report. For example, /usr/netscape/servers/cert-testCA/emails/renewJobSummary.txt Click OK. You are returned to the Job Instance tab. Repeat steps 1 through 5 and create additional jobs, if required.
  • Page 554: Step 6. Verify Mail Server Settings

    Configuring a Subsystem to Run Automated Jobs Enter information as appropriate: Enable Job Scheduler. Check this option to enable the Job Scheduler. To disable the Job Scheduler uncheck the option; disabling turns off all the jobs. Check Frequency. Type the frequency at which the Job Scheduler daemon thread should wake up and call the configured jobs that meet the cron specification.
  • Page 555: Step 7. Test Your Configuration

    Managing Job Plug-in Modules Identify the mail server by providing the following details: Server name. Make sure the field shows the correct host name for your mail server. Otherwise, type the full host name of the machine on which your mail server is installed.
  • Page 556: Registering A Job Module

    Managing Job Plug-in Modules For information on adding or changing job-specific information in the configuration file, see “Changing the Configuration by Editing the Configuration File” on page 338. Registering a Job Module You can register custom job plug-in modules from the CMS window. Registering a new module involves specifying the name of the module and the full name of the Java class that implements the module.
  • Page 557: Deleting A Job Module

    Managing Job Plug-in Modules Click Register. The Register Job Scheduler Plugin Implementation window appears. Specify information as appropriate: Plugin name. Type a name for the plug-in module. Class name. Type the full name of the class for this module—that is, the path to the implementing Java class.
  • Page 558 Managing Job Plug-in Modules Select the Job Plugin Registration tab. The Job Plugin Registration tab appears. It lists currently registered job modules. In the Plugin Name list, select the module you want to delete and click Delete. When prompted, confirm the delete action. The CMS configuration is modified.
  • Page 559: Chapter 18 Setting Up Policies

    Chapter 18 Setting Up Policies Netscape Certificate Management System (CMS) provides a customizable policy framework for its main subsystems, the Certificate Manager, Registration Manager, and Data Recovery Manager. This chapter explains how to configure these subsystems to apply organizational and other policies on incoming certificate and key-related requests.
  • Page 560: What Is Policy

    Introduction to Policy What Is Policy? Policy refers to a set of rules that Certificate Management System uses to evaluate or verify an incoming request from an end entity and to determine the outcome; the incoming requests that are governed by policies include certificate issuance, certificate renewal, certificate revocation, key archival, and key recovery requests.
  • Page 561: Policy Rules

    Introduction to Policy Policy Rules A policy rule refers to a uniquely configured instance of any policy plug-in implementation. For example, you can use the plug-in module provided for setting validity periods on certificates to configure a policy rule that forces validity periods for all client certificates issued by a Certificate Manager to fall within a predetermined range, say between 6 and 24 months.
  • Page 562: Using Predicates In Policy Rules

    Introduction to Policy For general guidelines on developing custom policy modules and adding them to the CMS policy framework, take a look at the samples installed at this location: <server_root>/cms_sdk/cms_jdk/samples/policy Using Predicates in Policy Rules You can use predicates in a policy rule. A predicate indicates whether the rule that contains the predicate applies to a request.
  • Page 563 Introduction to Policy Policy expressions are formed with the following rules:
    Expression is equal to: PrimitiveExpression | AndExpression | OrExpression
    PrimitiveExpression is equal to: Attribute Operator Value, where Attribute can be a string, Operator can be any of the supported operators, and Value can be a string
    AndExpression is equal to: Expression AND Expression...
  • Page 564: Attributes For Predicates

    Introduction to Policy Be aware that if the same name is in an HTTP form input and in the authentication token (authentication result), the authentication result can override the HTTP form input. For example, if email is in an HTTP input and an authentication module also puts email in the authentication result (that is, the authtoken), the value from the...
  • Page 565 Introduction to Policy Table 18-2 Attributes supported by request object implementations (Continued)
    Request type | Variable name | Description
    Enrollment | certType | Specifies the certificate type. Default values include the following: • ca (Certificate Manager’s CA signing certificate) • caCrlSigning (Certificate Manager’s CRL signing certificate) •...
  • Page 566 Introduction to Policy Table 18-2 Attributes supported by request object implementations (Continued)
    Request type | Variable name | Description
    Enrollment | cepsubstore | Specifies the name of the CEP service; for example, cep1 and cep2. When setting up multiple CEP services, you can use predicates to differentiate one service from another;...
  • Page 567 Introduction to Policy Note that to define a new attribute in any of the HTML forms, all you need to do is to add the following line to the corresponding HTML form: <input type="HIDDEN" name="attribute_name" value="attribute_value"> Assuming that the new attribute you define for the organizational unit is orgunit, the line you would add to the enrollment form would be: <input type="HIDDEN"...
  • Page 568: Policy Processor

    Introduction to Policy Now, for setting the validity period in certificates of users who are not in the Sales organization (in this case, this would be Manufacturing), you would create another instance of the ValidityConstraints policy rule as before, with a different set of values. Assume you named the instance ValidityRule1, set the maximum validity...
  • Page 569: Configuring Policy Rules For A Subsystem

    Configuring Policy Rules for a Subsystem Note that the policy processor applies only the enabled policy rules, in the order in which they are configured, before determining the final outcome. Each rule the processor executes returns a PolicyResult object. Three return values are possible: •...
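    A minimal evaluator for the predicate grammar above, together with an ordered policy processor, as an added Python example (this is not CMS code and does not use the CMS API). Beyond what the guide states it assumes that the comparison operators are == and !=, that AND binds tighter than OR, that the three PolicyResult values are named ACCEPTED, REJECTED and DEFERRED, and that the first rejection or deferral ends processing. The ValidityRule and ValidityRule1 pair mirrors the Sales and Manufacturing example with constructed month limits, and the merge of form input with the authentication result follows the override rule on page 564.

```python
import re
from enum import Enum


class PolicyResult(Enum):
    """Assumed names for the three outcomes a policy rule can return."""
    ACCEPTED = "accepted"
    REJECTED = "rejected"
    DEFERRED = "deferred"


# PrimitiveExpression ::= Attribute Operator Value. Operators are assumed to be
# == and !=; values are single tokens, so a value containing spaces is unsupported.
_PRIMITIVE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*(==|!=)\s*(\S+)\s*$")


def _primitive(term, attrs):
    m = _PRIMITIVE.match(term)
    if m is None:
        raise ValueError("bad predicate term: %r" % term)
    name, op, value = m.groups()
    actual = attrs.get(name)
    if actual is None:
        return False  # absent attribute never matches; a rule with no predicate is the catch-all
    return actual == value if op == "==" else actual != value


def evaluate(predicate, attrs):
    """Expression ::= PrimitiveExpression | Expression AND Expression | Expression OR Expression.

    OR is split first (lowest precedence), then AND, so
    'a==1 AND b==2 OR c==3' reads as (a==1 AND b==2) OR c==3."""
    if not predicate.strip():
        return True  # a rule without a predicate applies to every request
    return any(
        all(_primitive(term, attrs) for term in re.split(r"\s+AND\s+", conj))
        for conj in re.split(r"\s+OR\s+", predicate)
    )


def request_attributes(http_params, auth_token):
    """Merge form input with the authentication result. On a name clash the
    authtoken value wins, so a user cannot override a directory-derived
    attribute by adding a hidden form field of the same name."""
    attrs = dict(http_params)
    attrs.update(auth_token)
    return attrs


class ValidityConstraints:
    """Toy counterpart of the validity-range rule: reject a requested validity
    outside [min_months, max_months] and record which rule last applied."""

    def __init__(self, name, predicate, min_months, max_months, enabled=True):
        self.name, self.predicate, self.enabled = name, predicate, enabled
        self.min_months, self.max_months = min_months, max_months

    def apply(self, request):
        months = int(request["validity_months"])
        if not self.min_months <= months <= self.max_months:
            return PolicyResult.REJECTED
        # Later rules overwrite what earlier ones set (first-come-first-served).
        request["applied_validity_rule"] = self.name
        return PolicyResult.ACCEPTED


def process(rules, http_params, auth_token, request):
    """Run the enabled rules whose predicate matches, in configured order."""
    attrs = request_attributes(http_params, auth_token)
    for rule in rules:
        if not rule.enabled or not evaluate(rule.predicate, attrs):
            continue
        result = rule.apply(request)
        if result is not PolicyResult.ACCEPTED:
            return result  # assumption: the first rejection or deferral ends processing
    return PolicyResult.ACCEPTED


# Mirrors the Sales / Manufacturing example with constructed limits.
RULES = [
    ValidityConstraints("ValidityRule", "orgunit==Sales", 1, 12),
    ValidityConstraints("ValidityRule1", "orgunit!=Sales", 1, 24),
]


def demo():
    out = {}
    req = {"validity_months": 18}
    out["sales_18m"] = (process(RULES, {"orgunit": "Sales"}, {}, req),
                        req.get("applied_validity_rule"))
    req = {"validity_months": 18}
    out["mfg_18m"] = (process(RULES, {"orgunit": "Manufacturing"}, {}, req),
                      req.get("applied_validity_rule"))
    # The form claims Manufacturing to obtain the longer validity, but the
    # directory (authtoken) says Sales; the authtoken wins and the request fails.
    req = {"validity_months": 18}
    out["override"] = (process(RULES, {"orgunit": "Manufacturing"}, {"orgunit": "Sales"}, req),
                       req.get("applied_validity_rule"))
    return out


if __name__ == "__main__":
    for case, (result, rule) in demo().items():
        print(case, result.name, rule)
```

    The third case is the one worth checking in a real deployment: an attribute that drives a validity or key-usage decision should come from the authentication result, not from a hidden form field the end entity controls.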
  • Page 570: Step 1. Before You Begin

    Configuring Policy Rules for a Subsystem • Step 6. Restart the Server • Step 7. Test Policy Configuration For information on adding or changing policy-specific information in the configuration file, see “Changing the Configuration by Editing the Configuration File” on page 338. Step 1.
  • Page 571 Configuring Policy Rules for a Subsystem After installation, you must verify whether you want to use these rules, check how these rules are configured, and make the appropriate configuration changes. Keep in mind some of these policy rules are essential for the server to process requests. For example, the server won’t be able to process certificate-issuance requests if is disabled.
  • Page 572 Configuring Policy Rules for a Subsystem Table 18-3 Default policy rules of a Certificate Manager and Registration Manager
    Policy rule name | Certificate Manager | Registration Manager
    DefaultRenewalValidityRule, RevocationConstranitsRule, NSCertTypeExt, CMCertKeyUsageExt, RMCertKeyUsageExt, ClientCertKeyUsageExt, ServerCertKeyUsageExt, ObjSignCertKeyUsageExt, CRLSignCertKeyUsageExt, SubjectKeyIdentifierExt, CertificatePoliciesExt, NSCCommentExt, OCSPNoCheckExt, OCSPSigningExt, CODESigningExt, GenericASN1Ext, CRLDistributionPointsExt, SubjectAltNameExt...
  • Page 573 Configuring Policy Rules for a Subsystem To modify a policy rule in the CMS configuration: Log in to the CMS window (see “Logging In to the CMS Window” on page 333). Select the Configuration tab. In the navigation tree, select the subsystem to which the policy rule you want to modify belongs.
  • Page 574: Step 3. Delete Unwanted Policy Rules

    Configuring Policy Rules for a Subsystem Step 3. Delete Unwanted Policy Rules You can delete any unwanted policy rules from the CMS configuration. If you think you might need a rule in the future, instead of deleting it from the configuration you should disable it by unchecking the enable parameter.
  • Page 575 Configuring Policy Rules for a Subsystem Figure 18-2 shows the policy modules registered with a Certificate Manager. The Registration Manager also has a similar list. Table 18-4 summarizes the default modules registered with both Certificate Manager and Registration Manager. Figure 18-2 Default policy modules registered with a Certificate Manager Table 18-4 Policy modules of a Certificate Manager and Registration Manager Policy plug-in module name...
  • Page 576 Configuring Policy Rules for a Subsystem Table 18-4 Policy modules of a Certificate Manager and Registration Manager (Continued)
    Policy plug-in module name | Certificate Manager | Registration Manager
    IssuerAltNameExt, IssuerConstraints, KeyAlgorithmConstraints, KeyUsageExt, NameConstraintsExt, NSCComment, NSCertTypeExt, OCSPNoCheckExt, PolicyConstraintExt, PolicyMappingsExt, PrivateKeyUsagePeriodExt, RemoveBasicConstraintsExt, RenewalConstraints, RenewalValidityConstraints, RevocationConstraints, RSAKeyConstraints, SigningAlgorithmConstraints...
  • Page 577 Configuring Policy Rules for a Subsystem To add a new policy rule to the CMS configuration: In the Policy Rules Management tab, click Add. The Select Policy Plugin Implementation window appears. It lists registered policy plug-in modules. If you have registered any custom policy modules (see “Registering a Policy Module”...
  • Page 578 Configuring Policy Rules for a Subsystem Enter the appropriate information. Policy Rule ID. Type a unique name that will help you identify the rule; be sure to use an alphanumeric string without spaces. enable. Check the box to enable the rule (default). If you enable the rule and set the remaining parameters correctly, the server sets the configured validity period in certificates specified by the parameter.
  • Page 579: Step 5. Reorder Policy Rules

    Configuring Policy Rules for a Subsystem certificate cannot be used for 10 minutes. Setting the value of the notBeforeSkew parameter to 10 minutes would adjust the value of the notBefore parameter to 11:20 a.m., thus making the certificate usable immediately following the download. The default value is 5 minutes. Click OK.
  • Page 580: Step 6. Restart The Server

    Configuring Policy Rules for a Subsystem To change the order of a rule, select it in the list and click the Up or Down button, as appropriate. Keep in mind that the server executes the rules on a first-come-first-served basis, overwriting the configuration determined by the previous rule, if any. When you have the correct order, click OK.
  • Page 581: Step B. Approve The Request

    Configuring Policy Rules for a Subsystem To request a client or personal certificate from the Certificate Manager: Open a web browser window. Go to the End Entity Services interface of the Certificate Manager you configured (or the Registration Manager that’s connected to this Certificate Manager).
  • Page 582: Using Javascript For Policies

    Using JavaScript for Policies Using JavaScript for Policies Certificate Management System includes a facility for complex scripting of the policy plug-in instances via JavaScript. Using the JavaScript policy processor allows you to:
    • Determine the call sequence of existing Java plug-ins
    •...
  • Page 583 Managing Policy Plug-in Modules Before registering a plug-in module, be sure to put the Java class for the module in the classes directory (the implementation must be on the class path). To register a policy module in a subsystem’s policy framework: Log in to the CMS window (see “Logging In to the CMS Window”...
  • Page 584: Deleting A Policy Module

    Managing Policy Plug-in Modules Specify information as appropriate: Plugin name. Type a name for the plug-in module. Class name. Type the full name of the class for this module—that is, the path to the implementing Java class. If this class is part of a package, be sure to include the package name.
  • Page 585: Chapter 19 Setting Up Ldap Publishing

    Chapter 19 Setting Up LDAP Publishing Netscape Certificate Management System (CMS) provides a customizable publishing framework for the Certificate Manager, enabling it to publish certificates, certificate revocation lists (CRLs), and other certificate-related objects to any of the supported repositories—an LDAP-compliant directory, a flat file, and an online validation authority—using the appropriate protocol.
  • Page 586 Publishing of Certificates to a Directory information to that directory. For example, if you have configured the Certificate Management System to employ directory-based authentication, you should consider publishing the CA and end-entity certificates to the same directory. This way, you can keep your users’ security credentials with the rest of the user information (see Figure 19-1).
  • Page 587: Timing Of Directory Updates

    Publishing of Certificates to a Directory Publishing by a Certificate Manager Figure 19-2 Figure 19-3 illustrates how certificates requested via a Registration Manager get published to the directory. Figure 19-3 Publishing of certificates requested via a Registration Manager Timing of Directory Updates If the LDAP directory is properly configured to work with the Certificate Manager (and vice versa), any changes to the certificate information in the Certificate Manager are automatically made also in the publishing directory.
  • Page 588 Publishing of Certificates to a Directory The publishing directory is updated at these times: • When the Certificate Manager starts up, it publishes its CA signing certificate to the directory. • When the Certificate Manager issues a new certificate (the request may originate from Registration Managers that are connected to the Certificate Manager), it stores a copy of the certificate in its internal database and then publishes the certificate to the configured directory.
  • Page 589: Directory Update Process

    Publishing of Certificates to a Directory The Certificate Manager cannot update the directory in the following cases: • If an end-entity entry is not present or if an entry cannot be found to publish the certificate. • If the directory’s schema doesn’t include the appropriate attributes. To configure the directory for LDAP publishing, see “Step 2.
  • Page 590: Directory Synchronization

    Publishing of CRLs Directory Synchronization The Certificate Manager and the publishing directory can become out of sync if certificates are issued or revoked while Directory Server is down. Certificates that were issued or revoked need to be published or unpublished manually when Directory Server comes back up.
  • Page 591: What's A Crl

    Publishing of CRLs What’s a CRL? Server and client applications that use public-key certificates as tokens of identification need access to information about the validity of a certificate; because one of the factors that determines the validity of a certificate is its revocation status, these applications need to know whether the certificate being validated has been revoked.
  • Page 592: Reasons For Revoking A Certificate

    Publishing of CRLs Manager is configured to do so. In addition to certificates, the Certificate Manager also maintains a CRL in its internal database. You can configure the Certificate Manager to generate the CRL every time a certificate is revoked and at periodic intervals.
  • Page 593: Revocation Checking By Netscape Clients

    Publishing of CRLs Revocation Checking by Netscape Clients At the time of this writing, Netscape Communicator versions 4.7 and later, when used in conjunction with the security module called Netscape Personal Security Manager, enable automatic revocation-status verification of certificates using the OCSP protocol.
  • Page 594: Publishing Of Crls To An Ldap Directory

    Publishing of CRLs Publishing of CRLs to an LDAP Directory The Certificate Manager can publish the CRL to an LDAP-compliant directory using the LDAP protocol or LDAP over SSL (LDAPS) protocol, and applications can retrieve the CRL over HTTP. Support for retrieving CRLs over HTTP enables some browsers, such as Netscape Communicator, to automatically import the latest CRL from the directory that receives regular updates from the Certificate Manager.
  • Page 595: Crl Issuing Points

    Configuring a Certificate Manager to Publish Certificates and CRLs CRL Issuing Points Because CRLs can grow very large, several methods have been developed to minimize the overhead of retrieving and delivering large CRLs. One of these methods is based on partitioning the entire certificate space and associating a separate CRL with every partition.
  • Page 596: Step 1. Before You Begin

    Configuring a Certificate Manager to Publish Certificates and CRLs To configure a Certificate Manager to publish certificates and CRLs to a directory, follow these steps: • Step 1. Before You Begin • Step 2. Set Up the Directory for Publishing •...
  • Page 597 Configuring a Certificate Manager to Publish Certificates and CRLs • Identify your publishing directory. If you’ve already configured the Certificate Manager to use an LDAP directory for authenticating users (for example, if you’re using the directory-based or directory- and PIN-based authentication), you should consider publishing certificates and CRLs to the same directory.
  • Page 598: Step 2. Set Up The Directory For Publishing

    Configuring a Certificate Manager to Publish Certificates and CRLs Step 2. Set Up the Directory for Publishing For a Certificate Manager to publish certificates and CRLs to an LDAP directory, the directory needs to be set up to receive certificate- and CRL-related information from the Certificate Manager.
  • Page 599: Step B. Add An Entry For The Ca

    Configuring a Certificate Manager to Publish Certificates and CRLs Required Schema for Publishing the CA Certificate The Certificate Manager publishes its own CA certificate in the caCertificate;binary attribute of the CA’s directory object when the server is started; this is the object that corresponds to the Certificate Manager’s issuer name. This is a required attribute of the certificationAuthority object class.
  • Page 600 Configuring a Certificate Manager to Publish Certificates and CRLs After you select the correct entry type, you need to specify the required information to create the entry. Note that the entry you create doesn’t have to be in the certificationAuthority object class. The Certificate Manager will convert this entry to the certificationAuthority object class automatically by...
  • Page 601: Step C. Identify An Entry That Has Write Access

    Configuring a Certificate Manager to Publish Certificates and CRLs Step C. Identify an Entry That Has Write Access When you configure the Certificate Manager to work with Directory Server, you’ll be required to specify a distinguished name in the directory that has read-write permissions to the directory.
  • Page 602: Step E. Specify The Directory Authentication Method

    Configuring a Certificate Manager to Publish Certificates and CRLs Step E. Specify the Directory Authentication Method Depending on how you want the Certificate Manager to authenticate to the directory, you must set up Directory Server for one of the following methods of communication: •...
  • Page 603 Configuring a Certificate Manager to Publish Certificates and CRLs In the Client Authentication section, select the “Allow client authentication” option. Be sure not to select the “Require client authentication” option. If you do, Netscape Console will not be able to communicate with the directory. Click Save.
  • Page 604 Configuring a Certificate Manager to Publish Certificates and CRLs Scroll through the list to see if it contains the SSL server certificate that you want to use. If the server has an SSL server certificate, check the CA that has issued the certificate.
  • Page 605 Configuring a Certificate Manager to Publish Certificates and CRLs Submit the CSR as an email to the CA’s administrator; to use this method, you need to know the email address of the person who processes certificate requests for the CA and you need to copy the CSR the wizard generates. Submit the CSR manually by pasting it into the Certificate Manager’s SSL server enrollment form;...
  • Page 606 Configuring a Certificate Manager to Publish Certificates and CRLs The choices for submitting the CSR to the CA include the following: To CA’s email address. Select this if you want to send the CSR to the CA administrator’s email address. Type the administrator’s email address (for ) in the adjoining field.
  • Page 607 Configuring a Certificate Manager to Publish Certificates and CRLs Go to the end-entity interface of the Certificate Manager (or to the Registration Manager that’s connected to the Certificate Manager). In the left frame, under Server, click SSL Server. In the server enrollment form that appears, enter the required information: PKCS#10 Request.
  • Page 608 Configuring a Certificate Manager to Publish Certificates and CRLs Copy the SSL server certificate. You must go through this step, irrespective of whether you submitted the CSR to the Certificate Manager or to an external CA. To install the certificate in the Directory Server’s database, you need to have a copy of the certificate in its base 64-encoded format: If you submitted the CSR to an external CA, wait till you receive the certificate.
  • Page 609 Configuring a Certificate Manager to Publish Certificates and CRLs In the second step, select the “The certificate is located in the following text field” option and paste the certificate blob you copied earlier, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines. Follow the prompts and add the certificate to the certificate database.
  • Page 610 Configuring a Certificate Manager to Publish Certificates and CRLs Confirm that the new certificates are installed. To verify that the certificates are installed in the certificate database of Directory Server: In the Directory Server window, select the Tasks tab. From the Console menu, select Manage Certificates. The Certificate Management dialog box appears showing a list of certificates installed for Directory Server.
  • Page 611 Configuring a Certificate Manager to Publish Certificates and CRLs Turn on SSL-enabled communication. To turn on SSL-enabled communication in Directory Server: In the Directory Server window, select the Configuration tab, and then in the right pane, select the Encryption tab. Check the Enable SSL box.
  • Page 612: Step F. Modify The Certificate Mapping File

    Configuring a Certificate Manager to Publish Certificates and CRLs Step F. Modify the Certificate Mapping File This step explains how to modify the certmap.conf file to add a certificate mapping rule for the CA’s entry you created. You need to go through this step only if you configured the directory for SSL client authenticated communication.
  • Page 613 Configuring a Certificate Manager to Publish Certificates and CRLs The second and subsequent lines in the named mapping match properties with values. The certmap.conf file has six default properties, but the ones that should be of use to you are explained below. For in-depth detail about the certmap.conf file, see Managing Servers with Netscape Console.
  • Page 614 Configuring a Certificate Manager to Publish Certificates and CRLs • verifycert—This tells the server whether it should compare the certificate the Certificate Manager presents during client authentication with the certificate found in the Certificate Manager’s entry in the directory. It takes one of two values: .
  • Page 615 Configuring a Certificate Manager to Publish Certificates and CRLs Follow the instructions in the file and add the mapping information for the entry you added. The figure above shows the following mapping rule being added to the file:
    certmap myCA CN=rootCA, O=example.com
    #myCA:DNComps
    myCA:FilterComps...
  • Page 616: Step G. Restart Directory Server

    Configuring a Certificate Manager to Publish Certificates and CRLs Step G. Restart Directory Server For all your changes to take effect, you must restart Directory Server. • Starting Directory Server If you configured the Directory Server for basic authentication or SSL-enabled communication without client authentication, you can start the server from the Directory Server window from within Netscape Console: Click the Tasks tab.
  • Page 617 Configuring a Certificate Manager to Publish Certificates and CRLs During installation, the Certificate Manager automatically creates a set of mappers that you would most likely want to use. The names of the default mappers are as follows: —for locating the correct attribute of user entries in the •...
  • Page 618 Configuring a Certificate Manager to Publish Certificates and CRLs In the navigation tree, select Publishing, and then select Mappers. The right pane shows the Mappers Management tab, which lists configured mappers. In the Mapper list, select a mapper that you want to modify. For the purposes of completing this instruction, assume that you selected the mapper named LdapUserCertMap...
  • Page 619 Configuring a Certificate Manager to Publish Certificates and CRLs Make the necessary changes and click OK. Note that if your CA certificate does not have the component in its subject name, be sure to adjust the CA certificate mapping DN pattern to reflect the DN of the entry in the directory where the CA certificate is to be published.
  • Page 620 Configuring a Certificate Manager to Publish Certificates and CRLs In the Publisher list, select a publisher that you want to modify. For the purposes of this instruction, assume that you selected the publisher named LdapUserCertPublisher. Click Edit/View. The Publisher Editor window appears, showing how this publisher is currently configured.
  • Page 621 Configuring a Certificate Manager to Publish Certificates and CRLs To modify a publishing rule: In the navigation tree, select Publishing, and then select Rules. The right pane shows the Rules Management tab, which lists configured publishing rules. In the Rule list, select a publishing rule that you want to modify. For the purposes of this instruction, assume that you selected the rule named LdapUserCertRule. Click Edit/View.
  • Page 622: Step B. Add Mappers, Publishers, And Publishing Rules

    Configuring a Certificate Manager to Publish Certificates and CRLs Make the necessary changes and click OK. You are returned to the Rules Management tab. To modify the remaining rules, repeat steps Step 2 through Step 4. Click Refresh to see the update status of all the rules. Step B.
  • Page 623 Configuring a Certificate Manager to Publish Certificates and CRLs Click Add. The Select Mapper Plugin Implementation window appears. It lists registered mapper modules. Select a module. The following choices are the ones provided by default with the Certificate Manager for mapping a CA’s certificate to the CA’s directory entry. (If you have registered any custom mapper modules, they too will be available here for selection.) LdapDNCompsMap.
  • Page 624 Configuring a Certificate Manager to Publish Certificates and CRLs For example, if the subject name of your CA’s certificate is CN=testCA, O=example.com, C=US, and you set dnComps to use the O and C attributes of the DN, the server starts the search from the O=example.com, C=US entry in the directory.
  • Page 625 Configuring a Certificate Manager to Publish Certificates and CRLs Click Add. The Select Publisher Plugin Implementation window appears. It lists registered publisher modules. Select the module named LdapCaCertPublisher. Only this module publishes the CA certificate to the caCertificate;binary attribute in the CA’s directory entry. (If you have registered any custom publisher modules, they too will be available here for selection.) Click Next.
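The pages above (the certmap.conf DNComps/FilterComps properties on page 615 and the mapper’s dnComps setting on page 624) both describe the same derivation: pick some components of the certificate’s subject DN to form the LDAP search base, and others to form the search filter. The following Python sketch is an added illustration of that derivation; it is not CMS or Directory Server code. It assumes comma-separated DNs without escaped commas, case-insensitive attribute names, and AND-ed filter components, and it escapes filter values per RFC 4515 so that a subject value containing characters such as `*` or `)` cannot widen the search.

```python
"""Added example: deriving an LDAP search base and filter from a certificate
subject DN the way a dnComps/filterComps (DNComps/FilterComps) mapping does.
Illustration only; assumptions: DN components are comma separated with no
escaped commas, attribute names match case-insensitively, filter components
are AND-ed, and an empty dnComps list means 'search from the directory root'."""

from typing import Dict, List, Tuple

# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a single filter value so it is matched literally, never as a wildcard."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'CN=testCA, O=example.com, C=US' into ordered (attribute, value) pairs."""
    rdns = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip(), value.strip()))
    return rdns


def search_base(subject_dn: str, dn_comps: List[str]) -> str:
    """Base DN: the subject's RDNs whose attribute is listed in dnComps, in original order.
    With dnComps = ['O', 'C'] the example subject yields 'O=example.com, C=US'."""
    wanted = {c.lower() for c in dn_comps}
    kept = [f"{attr}={value}" for attr, value in parse_dn(subject_dn) if attr.lower() in wanted]
    return ", ".join(kept)


def search_filter(subject_dn: str, filter_comps: List[str]) -> str:
    """Filter: an AND of (attr=value) terms for each RDN listed in filterComps."""
    wanted = {c.lower() for c in filter_comps}
    terms = [
        f"({attr}={ldap_filter_escape(value)})"
        for attr, value in parse_dn(subject_dn)
        if attr.lower() in wanted
    ]
    if not terms:
        # Assumption: no filter components means any entry under the base qualifies.
        return "(objectClass=*)"
    if len(terms) == 1:
        return terms[0]
    return "(&" + "".join(terms) + ")"


def map_subject(subject_dn: str, dn_comps: List[str], filter_comps: List[str]) -> Dict[str, str]:
    """Return the base DN and filter the directory search would use for this subject."""
    return {
        "base": search_base(subject_dn, dn_comps),
        "filter": search_filter(subject_dn, filter_comps),
    }


if __name__ == "__main__":
    # The manual's own example subject (page 624).
    print(map_subject("CN=testCA, O=example.com, C=US", ["O", "C"], ["CN"]))
```

Running the block on the manual’s example subject prints a base of `O=example.com, C=US` and a filter of `(CN=testCA)`; the escaping step is what keeps a hostile subject such as `CN=*` from matching every entry under that base.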
  • Page 626 Configuring a Certificate Manager to Publish Certificates and CRLs To create a publishing rule: In the navigation tree, under Publishing, select Rules. The right pane shows the Rules Management tab, which lists configured publishing rules. Click Add. The Select Rule Plugin Implementation window appears. It lists registered modules that enable creating of publishing rules.
  • Page 627 Configuring a Certificate Manager to Publish Certificates and CRLs • Object signing certificates • Registration Manager signing certificates • OCSP responder certificates • Router certificates You need to create a rule for each type of certificate using the mapper and publisher that you created for end-entity certificates.
  • Page 628: Step 4. Configure The Certificate Manager To Publish Crls

    Configuring a Certificate Manager to Publish Certificates and CRLs Click OK. The Rules Management tab appears, listing the new rule you just created for publishing end users’ client certificates. Repeat steps 1 through 6 for each type of end-entity certificate the Certificate Manager will issue.
  • Page 629: Step A. Specify Crl Details

    Configuring a Certificate Manager to Publish Certificates and CRLs To configure a Certificate Manager to publish CRLs to the directory, follow these steps: • Step A. Specify CRL Details • Step B. Set the CRL Extensions • Step C. Create a Mapper for the CRL •...
  • Page 630 Configuring a Certificate Manager to Publish Certificates and CRLs In the Update Frequency section, specify the interval for publishing the CRL to the directory: Every time a certificate is revoked, or taken off-hold. Select this option if you want the Certificate Manager to generate the CRL every time it revokes a certificate.
  • Page 631: Step B. Set The Crl Extensions

    Configuring a Certificate Manager to Publish Certificates and CRLs Allow extensions. Check this box if you want to allow extensions in the CRL. If you enable this option, the server generates and publishes CRLs conforming to X.509 version 2 standard. If you disable this option, the server generates and publishes CRLs conforming to X.509 version 1 standard.
  • Page 632: Step C. Create A Mapper For The Crl

    Configuring a Certificate Manager to Publish Certificates and CRLs To specify the CRL extensions the Certificate Manager should set: In the navigation tree, under Certificate Manager, select CRL Extensions. The right pane shows the CRL Extensions Management tab, which lists configured extensions.
  • Page 633: Step D. Create A Publisher For The Crl

    Configuring a Certificate Manager to Publish Certificates and CRLs Since you already created a mapper for locating the CA’s entry (either in “Step A. Modify the Default Mappers, Publishers, and Publishing Rules” on page 616 or in “Creating a Mapper for the CA Certificate” on page 622), you can configure the Certificate Manager to use that mapper to locate the CA’s entry for publishing the CRL;...
  • Page 634 Configuring a Certificate Manager to Publish Certificates and CRLs Click Add. The Select Publisher Plugin Implementation window appears. It lists registered publisher modules. Select the module named LdapCrlPublisher. Only this publisher module enables the Certificate Manager to publish the CRL to the certificateRevocationList;binary attribute of the CA’s directory...
  • Page 635: Step E. Create A Publishing Rule For The Crl

    Configuring a Certificate Manager to Publish Certificates and CRLs crlAttr. Make sure this field shows the directory attribute to publish the CRL, certificateRevocationList;binary. If necessary, type it in. Click OK. The Publishers Management tab appears, listing the new publisher. Step E.
  • Page 636: Step 5. Identify The Publishing Directory

    Configuring a Certificate Manager to Publish Certificates and CRLs type. Select mapper. Select the mapper you added for locating the CA’s entry in the directory. publisher. Select the publisher you added for publishing the CRL. Click OK. The Rules Management tab appears, listing the new rule. Step 5.
  • Page 637 Configuring a Certificate Manager to Publish Certificates and CRLs In the Destination section, identify the Directory Server instance. Host name. Type the full host name of the Directory Server instance in this format: <machine_name>.<your_domain>.<domain> The Certificate Manager uses this name to locate the directory. If you configured the Directory Server for SSL client authenticated communication (in “Step E.
  • Page 638: Step 6. Test Certificate And Crl Publishing

    Configuring a Certificate Manager to Publish Certificates and CRLs Typically, you would want to enter the directory manager’s DN because it has read-write permission to the entire directory tree (the root DN). For more information on root DN, see Appendix A, “Distinguished Names” in CMS Plug-Ins Guide.
  • Page 639: Step A. Decide A Directory Entry For Requesting A Certificate

    Configuring a Certificate Manager to Publish Certificates and CRLs Step A. Decide a Directory Entry for Requesting a Certificate Decide on a user entry for which you will request a certificate. This way, you can check whether the Certificate Manager published the certificate to that entry. The entry you choose could be any end-entity’s directory entry, as long as it supports attribute.
  • Page 640: Step D. Download The Certificate To The Browser

    Configuring a Certificate Manager to Publish Certificates and CRLs To approve the request: Go to the Certificate Manager’s Agent Services interface. The URL is in this format: https://<hostname>:<agent_port> In the left frame, click List Requests. In the form that appears, select the “Show pending requests” option and click Find.
  • Page 641: Step F. Revoke The Certificate

    Configuring a Certificate Manager to Publish Certificates and CRLs Locate the user entry for which you requested the certificate. Double-click the entry and check if the entry has a certificate attribute. You should find the certificate published to the attribute. You won’t be able to see anything interesting about the certificate;
  • Page 642: Step G. Check The Directory For The Crl

    Manually Updating Certificates and CRLs in a Directory In the left frame, select User Certificate. The User Certificate Revocation form appears. In the Revocation Reason section, select Unspecified and click Submit. The client displays the “Select a Certificate” dialog box and prompts you to choose the certificate you want to revoke.
  • Page 643: Manually Updating Certificates In The Directory

    Manually Updating Certificates and CRLs in a Directory Manually Updating Certificates in the Directory The Update Directory Server form in the Certificate Manager Agent Services interface enables you to manually update the directory with certificate-related information. This form lets you initiate a combination of the following operations: •...
  • Page 644: Manually Updating The Crl In The Directory

    Manually Updating Certificates and CRLs in a Directory Note that if the Certificate Manager is installed as a root CA, when using the agent interface to update the directory with valid certificates, the CA signing certificate may get published using the publishing rule set up for user certificates and you may get an object class violation error (or other errors in the mapper).
  • Page 645 Manually Updating Certificates and CRLs in a Directory When the directory is updated, the Certificate Manager will display a status report. If the process gets interrupted for some reason, the server logs an error message. Be sure to check logs if that happens; for details, see “Monitoring CMS Logs”...
  • Page 647: Chapter 20 Publishing Certificates And Crls To A File

    Chapter 20 Publishing Certificates and CRLs to a File Netscape Certificate Management System (CMS) provides a customizable publishing framework for the Certificate Manager, enabling it to publish certificates, certificate revocation lists (CRLs), and other certificate-related objects to any of the supported repositories—an LDAP-compliant directory, a flat file, and an online validation authority—using the appropriate protocol.
  • Page 648: Step 1. Before You Begin

    Configuring Certificate Manager to Publish to Files • For each certificate the server issues, it creates a file that contains the certificate in its DER-encoded format. Each file is named cert-<serial_number>.der, where <serial_number> specifies the serial number of the certificate...
  • Page 649: Step 2. Configure The Certificate Manager

    Configuring Certificate Manager to Publish to Files • Decide the interval for publishing CRLs—configuring the server to publish every time a certificate is revoked will result in that many CRL files. • Determine the backup media and schedule for these files. Step 2.
  • Page 650 Configuring Certificate Manager to Publish to Files Click Add. The Select Publisher Plugin Implementation window appears. It lists registered publisher modules. Select the module named FileBasedPublisher Only this publisher module enables the Certificate Manager to publish certificates and CRLs to flat files. Click Next.
  • Page 651: Step B. Create Publishing Rules For Certificates

    Configuring Certificate Manager to Publish to Files directory. Type the complete path to the directory in which the Certificate Manager should create the DER-encoded files; the path can be an absolute path or can be relative to the CMS instance directory (for example, C:\certificates). Click OK.
  • Page 652 Configuring Certificate Manager to Publish to Files Click Next. Enter the appropriate information: Rule ID. Type a name for the rule that will help you identify it later; use an alphanumeric string with no spaces. For example, PublishCaCertToFile. type. Select cacert. predicate.
  • Page 653: Step C. Create A Publishing Rule For Crls

    Configuring Certificate Manager to Publish to Files Table 20-1 Certificate types and predicate expressions
    End-entity certificate type                               “type” field value   “predicate” field value
    SSL client certificate                                    certs                HTTP_PARAMS.certType==client
    SSL server certificate                                    certs                HTTP_PARAMS.certType==server
    Object signing certificate                                certs                HTTP_PARAMS.certType==objSignClient
    Certificate Manager signing certificate (subordinate CA)  cacert               HTTP_PARAMS.certType==ca
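Table 20-1 is the whole decision the publishing framework makes per request: a rule applies only when its “type” matches the object being published and its “predicate” matches the request parameters. The Python below is an added illustration of that selection logic, not CMS code. It assumes a predicate is either empty (matches everything of that type) or `key==value` terms joined by ` AND `, and that the request context is a flat mapping keyed as `<section>.<name>` (for example `HTTP_PARAMS.certType`); the rule IDs and the `(none)` mapper label are constructed for the sample.

```python
"""Added example: selecting the publishing rule(s) that apply to a request,
using the 'type' and 'predicate' field values from Table 20-1.
Illustration only. Assumptions: an empty predicate matches all objects of the
rule's type; otherwise the predicate is one or more 'key==value' terms joined
by ' AND '; request parameters are looked up as '<section>.<name>'."""

from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PublishingRule:
    rule_id: str
    type: str        # "certs" for end-entity certificates, "cacert" for CA certificates
    predicate: str   # e.g. "HTTP_PARAMS.certType==client"; "" matches everything of this type
    mapper: str      # "(none)" is a constructed label: file publishing needs no directory mapper
    publisher: str
    enabled: bool = True


# Constructed sample configuration: one file-publishing rule per row of Table 20-1.
RULES: List[PublishingRule] = [
    PublishingRule("PublishClientCertsToFile", "certs", "HTTP_PARAMS.certType==client",
                   "(none)", "PublishCertsToFile"),
    PublishingRule("PublishServerCertsToFile", "certs", "HTTP_PARAMS.certType==server",
                   "(none)", "PublishCertsToFile"),
    PublishingRule("PublishObjSignCertsToFile", "certs", "HTTP_PARAMS.certType==objSignClient",
                   "(none)", "PublishCertsToFile"),
    PublishingRule("PublishCaCertToFile", "cacert", "HTTP_PARAMS.certType==ca",
                   "(none)", "PublishCertsToFile"),
]


def predicate_matches(predicate: str, context: Dict[str, str]) -> bool:
    """Evaluate a predicate against the request context.

    Every 'key==value' term must hold; a missing key never matches, so a request
    that omits certType is not silently published by a certType-specific rule."""
    predicate = predicate.strip()
    if not predicate:
        return True
    for term in predicate.split(" AND "):
        if "==" not in term:
            raise ValueError(f"unsupported predicate term: {term!r}")
        key, expected = (s.strip() for s in term.split("==", 1))
        if context.get(key) != expected:
            return False
    return True


def select_rules(obj_type: str, context: Dict[str, str],
                 rules: List[PublishingRule] = RULES) -> List[str]:
    """Return the IDs of enabled rules whose type and predicate both match."""
    return [
        rule.rule_id
        for rule in rules
        if rule.enabled and rule.type == obj_type and predicate_matches(rule.predicate, context)
    ]


if __name__ == "__main__":
    # A client-certificate enrollment, as it would be published.
    print(select_rules("certs", {"HTTP_PARAMS.certType": "client"}))
    # A subordinate CA's signing certificate only reaches the 'cacert' rule.
    print(select_rules("cacert", {"HTTP_PARAMS.certType": "ca"}))
```

The second call is the case the table makes explicit: a subordinate CA’s own signing certificate is typed `cacert`, so none of the `certs` rules fire for it and it is published only if a `cacert` rule exists. Likewise a request with no `certType` at all matches no certType-specific rule and is simply not published.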
  • Page 654: Step D. Specify Crl Details

    Configuring Certificate Manager to Publish to Files Click Next. The Rule Editor window appears. Enter the appropriate information: Rule ID. Type a name for the rule that will help you identify it later; use an alphanumeric string with no spaces. For example, PublishCertsToFile. type.
  • Page 655 Configuring Certificate Manager to Publish to Files To specify the details for the CRL: In the navigation tree, select Certificate Manager, and then in the right pane, select the Revocation List tab. In the Update Frequency section, specify the interval for publishing the CRL to the directory: Every time a certificate is revoked, or taken off-hold.
  • Page 656: Step E. Set The Crl Extensions

    Configuring Certificate Manager to Publish to Files In the adjoining text field, type the interval, in minutes, at which the Certificate Manager should publish CRLs. For example, if you want the server to publish CRLs every day, you should type 1440 in this field. with a skew of.
  • Page 657 Configuring Certificate Manager to Publish to Files During installation, the Certificate Manager creates default CRL extension rules. Note that the server is configured to add the CRL Reason extension only; all the other rules are in the disabled state. In this step, you modify the default rules to suit your organization’s requirements.
  • Page 658: Step F. Make Sure Publishing Is Enabled

    Configuring Certificate Manager to Publish to Files Step F. Make Sure Publishing is Enabled To make sure that the Certificate Manager is configured for publishing: In the navigation tree, select Certificate Manager, then select Publishing. The right pane shows the publishing details necessary for the server to publish to an LDAP-compliant directory, to flat files, or to an online validation authority.
  • Page 659: Step B. Approve The Request

    Configuring Certificate Manager to Publish to Files To request a client or personal certificate from the Certificate Manager: Open a web browser window. Go to the end-entity interface of the Certificate Manager you configured (or to the Registration Manager that’s connected to this Certificate Manager). The URL is in this form: https://<hostname>:<end_entity_HTTPS_port>...
  • Page 660: Step C. Download The Certificate To The Browser

    Configuring Certificate Manager to Publish to Files Step C. Download the Certificate to the Browser To download the certificate into your browser’s certificate database: In the confirmation page, scroll down to the section that says “Installing this certificate in a client.” Follow the on-screen instructions and download the certificate to your browser’s certificate database.
  • Page 661 Configuring Certificate Manager to Publish to Files At the prompt, enter this: BtoA[.bat] <input_file> <output_file>, substituting <input_file> with the path to the file that contains the DER-encoded certificate and <output_file> with the path to the file to write the base-64 encoded certificate. (The optional .bat specifies the file extension;...
  • Page 662: Step E. Revoke The Certificate

    Configuring Certificate Manager to Publish to Files For example, if the base-64 encoded certificate is in C:\certificates\cert-1234.txt and you want the human-readable form of the certificate to be displayed on your screen, the command would look like this: PrettyPrintCert.bat C:\certificates\cert-1234.txt When the conversion is complete, you should see the certificate you issued in human-readable form.
  • Page 663: Step F. Check The File For The Crl

    Configuring Certificate Manager to Publish to Files Step F. Check the File for the CRL Whenever the Certificate Manager generates a CRL, it automatically attempts to publish the CRL to the configured repository—in this case, the flat file. The CRL it publishes is a binary blob, in the DER-encoded format.
  • Page 664 Configuring Certificate Manager to Publish to Files When the conversion is complete, open the crl.txt file in a text editor. You should see a base-64 encoded CRL similar to this:
    -----BEGIN CRL-----
    MIIBkjCBAIBATANBgkqhkiG9w0BAQQFADAsMREwDwYDVQQKEwhOZXRzY2FwZTEXMBUGA1UEAxOQ2Vy
    dDQwIFRlc3QgQ0EXDTk4MTIxNzIyMzcyNFowgaowIAIBExcNOTgxMjE1MTMxODMyWjAMMAoGA1UdFQ
    DCgEBMCACARIXDTk4MTIxNTEzMjA0MlowDDAKBgNVHRUEAwoBAjAgAgERFw05ODEyMTYxMjUxNTRaM
    AwwCgYDVR0VBAMKAQEwIAIBEBcNOTgxMjE3MTAzNzI0WjAMMAoGA1UdFQQDCgEDMCACAQoXDTk4MTE
    yNTEzMTExOFowDDAKBgNVHRUEAwoBATANBgkqhkiG9w0BAQQFAAOBgQBCN85O0GPTnHfImYPROvoor
    x7HyFz2ZsuKsVblTcemsX0NL7DtOa+MyY0pPrkXgm157JrkxEJ7GBOeogbAS6iFbmeSqPHj8+JBH5s
    tJNnfTCuhaM6Wx63Wc9LwZXOXTPsvpGxq0YYI0+DPfBZlI3z4lCsNczxJV+9NkeMrheEg==
    -----END CRL-----
    Convert the base 64-encoded CRL to a human-readable form using the Pretty Print CRL tool (see Chapter 10, “Pretty Print CRL Tool”...
  • Page 665: Managing Mapper And Publisher Plug-In Modules

    Managing Mapper and Publisher Plug-in Modules Managing Mapper and Publisher Plug-in Modules This section explains how to use the CMS window to perform the following operations: • Registering a Mapper or Publisher Module • Deleting a Mapper or Publisher Module Registering a Mapper or Publisher Module You can register new mapper or publisher plug-in modules in a Certificate Manager’s publishing framework.
  • Page 666 Managing Mapper and Publisher Plug-in Modules This tab lists registered plug-in modules. Click Register. If you selected Mapper, the Register Mapper Plugin Implementation window appears. If you selected Publisher, the Register Publisher Plugin Implementation window appears. Specify information as appropriate: Plugin name.
  • Page 667: Deleting A Mapper Or Publisher Module

    Managing Mapper and Publisher Plug-in Modules Deleting a Mapper or Publisher Module You can delete unwanted mapper or publisher plug-in modules using the CMS window. Before deleting a module, be sure to delete all the rules that are based on this module.
  • Page 669: Chapter 21 Setting Up An Ocsp Responder

    Chapter 21 Setting Up an OCSP Responder Netscape Certificate Management System (CMS) provides a customizable publishing framework for the Certificate Manager, enabling it to publish certificates and certificate revocation lists (CRLs) to any of the supported repositories—an LDAP-compliant directory, a flat file, and an online validation authority—using the appropriate protocol.
  • Page 670: What's An Ocsp-Compliant Pki Setup

    What’s an OCSP-Compliant PKI Setup? What’s an OCSP-Compliant PKI Setup? Certificate Management System supports the Online Certificate Status Protocol (OCSP) as defined in the PKIX standard RFC 2560 (see http://www.ietf.org/rfc/rfc2560.txt). The OCSP protocol enables OCSP-compliant applications to determine the state of a certificate, including the revocation status, without having to directly check a CRL published by a CA to the validation authority.
  • Page 671 What’s an OCSP-Compliant PKI Setup? If the request lacks any information required by the responder to process it or if the responder is not configured to provide the requested service to the client, the responder sends a rejection notification to the client. The responder also writes an appropriate error message to its log file.
  • Page 672: How To Get An Ocsp Responder

    What’s an OCSP-Compliant PKI Setup? The OCSP response that the client receives indicates the current status of the certificate as determined by the OCSP responder. The response could be any of the following: • Good or Verified—specifying a positive response to the status inquiry. At a minimum, this positive response indicates that the certificate has not been revoked, but it does not necessarily mean that the certificate was ever issued or that the time at which the response was produced is within the certificate’s...
  • Page 673: How Online Certificate Status Manager Works

    What’s an OCSP-Compliant PKI Setup? Manager. That is, clients can verify only those certificates that are issued by the Certificate Manager. In addition, you also need to keep the Certificate Manager’s non-SSL end-entity port enabled because the server can service OCSP requests only via its HTTP port.
  • Page 674: How To Get Ocsp-Compliant Clients

    What’s an OCSP-Compliant PKI Setup? As explained earlier, the Online Certificate Status Manager stores each Certificate Manager’s CRL in its internal database and uses it as the default CRL store for verifying certificates. You can also configure the Online Certificate Status Manager to use the CRL published to an LDAP directory.
  • Page 675: Setting Up A Certificate Manager With Ocsp Service

    Setting Up a Certificate Manager with OCSP Service Setting Up a Certificate Manager with OCSP Service The Certificate Manager has a built-in OCSP service feature that can be used by OCSP-compliant clients to do real-time verification of certificates issued by the Certificate Manager.
  • Page 676: Step 2. Install Ocsp-Compliant Client

    Setting Up a Certificate Manager with OCSP Service • Read “Publishing of CRLs” on page 590. Determine whether you want the Certificate Manager to publish version 1 or version 2 CRLs to the directory. If you decide to publish version 2 CRLs, read Chapter 4, “Certificate Extension Plug-in Modules”...
  • Page 677: Setting Up Personal Security Manager For Ocsp-Based Certificate Validation

    Setting Up a Certificate Manager with OCSP Service In the Preferences window, expand Privacy & Security, and then select Validation. On the right pane, under the OCSP section, select the “Use OCSP to verify only certificates that specify an OCSP service URL” option and click OK. Setting Up Personal Security Manager for OCSP-Based Certificate Validation If you have Communicator version 4.7x installed and want to install Personal...
  • Page 678 Setting Up a Certificate Manager with OCSP Service generation, key archival, import of user certificates, key recovery, and revocation requests. You’ll need to refer to this when setting up a Data Recovery Manager for key archival and recovery, which is covered in Chapter 22, “Setting Up Key Archival and Recovery.”...
  • Page 679: Step 3. Enable Certificate Manager's Http Port

    Setting Up a Certificate Manager with OCSP Service Select the Advanced tab. On the left side, select Options, and then click the OCSP Settings button. In the OCSP Settings window, select the “Use OCSP to verify only certificates that specify an OCSP service URL.” option and click OK. Step 3.
  • Page 680 Setting Up a Certificate Manager with OCSP Service • If you installed the Certificate Manager with its OCSP service feature disabled, a default policy rule (named AuthInfoAccessExt) is created, but it may not have the correct attributes for adding the Authority Information Access extension to certificates.
  • Page 681 Setting Up a Certificate Manager with OCSP Service In the Policy Rule list, select the rule named AuthInfoAccessExt and click Edit; this rule was created by default during installation. Make sure the following values are assigned: Enable. Checked or selected. predicate.
  • Page 682: Step 5. Restart The Certificate Manager

    Setting Up a Certificate Manager with OCSP Service Make any other policy changes, if necessary. Click Refresh. The Certificate Manager is ready to request client certificates with Authority Information Access extension. Step 5. Restart the Certificate Manager For all your changes to take effect, you must restart the Certificate Manager. You can use the CMS window to restart the Certificate Manager.
  • Page 683: Step A. Turn On Revocation Checking In The Browser

    Setting Up a Certificate Manager with OCSP Service • Step J. Check the Certificate Manager’s OCSP Service Status Again Step A. Turn On Revocation Checking in the Browser To ensure that Personal Security Manager (the OCSP-compliant client) is configured to verify the revocation status of certificates using the OCSP protocol: Open a web browser window.
  • Page 684: Step C. Approve The Request

    Setting Up a Certificate Manager with OCSP Service When you enter the correct password, the client generates the key pairs. Do not interrupt the key-generation process. Step C. Approve the Request Skip this step if you requested the certificate using any of the automated enrollment methods.
  • Page 685: Step E. Make Sure The Ca Is Trusted By The Browser

    Setting Up a Certificate Manager with OCSP Service Step E. Make Sure the CA is Trusted by the Browser When you downloaded the client certificate to the browser, the Certificate Manager’s certificate chain also was downloaded to the browser’s certificate database.
  • Page 686: Step H. Revoke The Certificate

    Setting Up a Certificate Manager with OCSP Service Go to the web browser window and enter the URL for the Certificate Manager’s Agent interface. The URL is in this format: https://<hostname>:<port>. The Certificate Manager Agent Services interface appears. In the left frame, click OCSP Service.
  • Page 687: Step J. Check The Certificate Manager's Ocsp Service Status Again

    Setting Up a Remote OCSP Responder Select the certificate you revoked and click View. In the View Security Certificate dialog box that appears, look for a message that says that the certificate could not be verified. Step J. Check the Certificate Manager’s OCSP Service Status Again Check the Certificate Manager’s OCSP-service status again to verify that these things happened: •...
  • Page 688 Setting Up a Remote OCSP Responder The procedure for setting up a Certificate Manager functioning as a subordinate CA to publish CRLs to a remote Online Certificate Status Manager would be the same, except that you would have to perform extra steps to make sure that the CA chain verification takes place smoothly.
  • Page 689: Step 1. Before You Begin

    Setting Up a Remote OCSP Responder Step 1. Before You Begin Before you configure a Certificate Manager (CA) to publish CRLs to an OCSP responder, do the following: • If you are unfamiliar with Online Certificate Status Protocol (OCSP), read the PKIX draft RFC 2560 available at this site: http://www.ietf.org/rfc/rfc2560.txt •...
  • Page 690: Step 2. Install An Ocsp-Compliant Client

    Setting Up a Remote OCSP Responder Step 2. Install an OCSP-Compliant Client Follow the instructions as appropriate. • If you don’t want to install Netscape 6x or Personal Security Manager, skip to the next step, “Step 3. Identify the CA to the OCSP Responder” on page 690. •...
  • Page 691 Setting Up a Remote OCSP Responder In the list of certificates, locate the Certificate Manager’s CA signing certificate by looking at the subject name of the certificate. Typically, the CA signing certificate is the first certificate the Certificate Manager issues. Click Details and, in the resulting page, scroll to the section that says “Base 64 encoded certificate”...
  • Page 692: Step 4. Configure The Certificate Manager To Publish Crls

    Setting Up a Remote OCSP Responder Go to the Online Certificate Status Manager’s Agent interface. The URL is in this format: https://<hostname>:<port> The Online Certificate Status Manager Agent Services interface appears. In the left frame, click Add Certificate Authority. In the resulting form, paste the encoded CA signing certificate inside the text area labeled “Base 64 encoded certificate (including header and footer).”...
  • Page 693: Step A. Specify Crl Format And Publishing Interval

    Setting Up a Remote OCSP Responder Step A. Specify CRL Format and Publishing Interval You can specify information, such as the publishing interval, the CRL version (whether to include CRL extensions), and the signing algorithm the Certificate Manager should use for signing the CRL object. To specify CRL details: Log in to the CMS window for the Certificate Manager (see “Logging In to the CMS Window”...
  • Page 694: Step B. Set The Crl Extensions

    Setting Up a Remote OCSP Responder In the CRL Cache section, specify whether to enable CRL caching: Enable cache. Check this box to enable CRL caching. Leave the box unchecked if you don’t want the server to maintain a cache. Update interval.
  • Page 695: Step C. Create A Publisher For The Crl

    Setting Up a Remote OCSP Responder To specify the CRL extensions the Certificate Manager should set: In the navigation tree, under Certificate Manager, select CRL Extensions. The right pane shows the CRL Extensions Management tab, which lists configured extensions. To modify a rule, select it and then click Edit/View. Change the information as appropriate.
  • Page 696 Setting Up a Remote OCSP Responder To create a publisher for the CRL: In the navigation tree, click Publishers. The right pane shows the Publishers Management tab, which lists configured publisher instances. Click Add. The Select Publisher Plugin Implementation window appears. It lists registered publisher modules.
  • Page 697: Step D. Create A Publishing Rule For The Crl

    Setting Up a Remote OCSP Responder Enter the appropriate information: Publisher ID. Type a name for the rule; use an alphanumeric string with no spaces. For example, Ca1CrlToOcspResponder. host. Type the fully-qualified host name of the Online Certificate Status Manager. The name must be in the form .
  • Page 698 Setting Up a Remote OCSP Responder Click Next. The Rule Editor window appears. Enter the appropriate information: Rule ID. Type a name for the rule; be sure to use an alphanumeric string with no spaces. For example, PublishCa1CrlToOcspResponder. type. Select predicate.
  • Page 699: Step E. Make Sure Publishing Is Enabled

    Setting Up a Remote OCSP Responder Step E. Make Sure Publishing is Enabled To make sure that the Certificate Manager is configured for publishing: In the navigation tree, select Certificate Manager, then select Publishing. The right pane shows the publishing details necessary for the server to publish to an LDAP-compliant directory, to files, or to an online validation authority.
  • Page 700: Step 5. Configure Certificate Manager For Required Extension Policies

    Setting Up a Remote OCSP Responder Step 5. Configure Certificate Manager for Required Extension Policies In order for OCSP-compliant clients to query the Online Certificate Status Manager about the revocation status of a certificate, the certificate being validated must contain the Authority Information Access extension pointing to the location at which the Online Certificate Status Manager listens for OCSP service requests.
  • Page 701 Setting Up a Remote OCSP Responder In the Policy Rule list, select the rule named AuthInfoAccessExt and click Edit; this rule was created by default during installation. The Policy Rule Editor window appears, showing how this rule is currently configured. Assign the following values: Enable.
  • Page 702: Step 6. Configure The Online Certificate Status Manager

    Setting Up a Remote OCSP Responder If you need details about any of the configuration parameters, click the Help button. Click OK. You are returned to the Policy Rules Management tab. Make any other changes, if necessary. Click Refresh. The Certificate Manager is now ready to issue client certificates that carry the Authority Information Access extension.
  • Page 703 Setting Up a Remote OCSP Responder In the navigation tree, select Online Certificate Status Manager, and then select Revocation Info Stores. The right pane shows the two repositories the Online Certificate Status Manager can use; by default, it uses the CRL in its internal database. Select the appropriate option: If you want to configure the Online Certificate Status Manager to use the CRLs in its internal database, select...
  • Page 704 Setting Up a Remote OCSP Responder If you selected defStore, fill in values as below: notFoundAsGood. A certificate’s status can typically be indicated by three possible OCSP responses, namely GOOD, REVOKED, and UNKNOWN. Select this option if you want the Online Certificate Status Manager to return an OCSP response of GOOD if the certificate in question cannot be found in the certificate repository.
  • Page 705 Setting Up a Remote OCSP Responder If you selected ldapStore, fill in values as below: numConns. Type the total number of LDAP directories the Online Certificate Status Manager should check. By default, this is set to 0. If you change the value to a positive integer, for example 1, 2, or 3, you will see that many sets of , and...
  • Page 706: Step 7. Restart The Certificate Manager

    Setting Up a Remote OCSP Responder notFoundAsGood. A certificate’s status can typically be indicated by three possible OCSP responses, namely GOOD, REVOKED, and UNKNOWN. Select this option if you want the Online Certificate Status Manager to return an OCSP response of GOOD if the certificate in question cannot be found in the certificate repository.
  • Page 707: Step 8. Restart The Online Certificate Status Manager

    Setting Up a Remote OCSP Responder Step 8. Restart the Online Certificate Status Manager For all your changes to take effect, you must restart the Online Certificate Status Manager. You can use the CMS window to restart the Online Certificate Status Manager: Select the Tasks tab.
  • Page 708: Step 10. Test Your Ocsp Responder Setup

    Setting Up a Remote OCSP Responder The Requests Served Since Startup field should show a value of zero (0), indicating that no OCSP-compliant client has queried the Online Certificate Status Manager yet for revocation status of a certificate. Step 10. Test Your OCSP Responder Setup To test whether the Certificate Manager is publishing to the Online Certificate Status Manager properly and to test that the online validation of certificates is taking place, follow these steps:...
  • Page 709: Step B. Request A Certificate

    Setting Up a Remote OCSP Responder Select the “Use OCSP to verify only certificates that specify an OCSP service URL” option, and click OK. Click on the Close button. Step B. Request a Certificate The steps outlined below explain how to request a client certificate from the Certificate Manager using the manual enrollment method.
  • Page 710: Step D. Download The Certificate To The Browser

    Setting Up a Remote OCSP Responder In the form that appears, select the “Show pending requests” option and click Find. In the list of pending requests, identify the request you submitted and click Details. Check the request to make sure that it has all the required attributes of a client certificate, including the Authority Information Access extension.
  • Page 711: Step F. Verify The Certificate In The Browser

    Setting Up a Remote OCSP Responder Locate the Certificate Manager’s CA signing certificate, select it, and click Edit. The Edit Security Certificate Settings window appears. Make sure all three options are selected and click OK. Step F. Verify the Certificate in the Browser To verify that the certificate has been downloaded into the certificate database of Personal Security Manager: Click the Certificates tab and, in the left pane, click Mine.
  • Page 712: Step H. Revoke The Certificate

    Setting Up a Remote OCSP Responder Step H. Revoke the Certificate To revoke the certificate you issued so that the Certificate Manager publishes the CRL to the Online Certificate Status Manager: Go to the end-entity interface for the Certificate Manager you configured (or to the Registration Manager that’s connected to this Certificate Manager).
  • Page 713 Setting Up a Remote OCSP Responder • The Online Certificate Status Manager sent an OCSP response to the browser. • The browser used that response to validate the certificate and informed you of its status (that the certificate could not be verified). To check the Online Certificate Status Manager status for verification: Go to the Online Certificate Status Manager’s status page.
  • Page 715: Chapter 22 Setting Up Key Archival And Recovery

    Chapter 22 Setting Up Key Archival and Recovery When data is stored in encrypted form, you must have the private key that corresponds to the public key that was used to encrypt the data in order to decrypt and read it. If the private key is lost, the data cannot be retrieved. A private key can be lost because of a hardware failure, for example, or because the key’s owner forgets the password or loses the hardware token in which the key is stored.
  • Page 716: Clients That Can Generate Dual Key Pairs

    PKI Setup for Key Archival and Recovery • HTML forms with which your users can request dual certificates (based on dual keys) and key recovery agents can request key recovery The sections that follow explain these elements in detail. For step-by-step instructions on setting up your PKI environment for key archival and recovery, see “Configuring Key Archival and Recovery Process”...
  • Page 717: Forms For Users And Key Recovery Agents

    Key Archival Process Certificate Management System does not provide any policy plug-in modules for the Data Recovery Manager. However, you can write custom policy plug-in modules (that is, write Java classes that implement these rules), register them in the Data Recovery Manager’s policy framework, and create policy rules using these plug-in implementations.
  • Page 718: Where The Keys Are Stored

    Key Archival Process Here are a few situations in which you might need to recover a user’s encryption private key: • An employee loses the encryption private key (for example, after a disk crash or by forgetting the password to the key file) and cannot read encrypted mail messages.
  • Page 719: How Key Archival Works

    Key Archival Process How Key Archival Works When a Certificate Manager or Registration Manager receives a certificate request that contains the key archival option, it automatically requests the service of the Data Recovery Manager to archive the user’s encryption private key. The Data Recovery Manager receives an encrypted copy of the user’s private key and stores the key in its key repository.
  • Page 720 Key Archival Process These are the steps shown in Figure 22-1: A user uses a client capable of generating dual key pairs to access the certificate enrollment form served by the Registration Manager, fills in all the information, and submits the request. The Registration Manager detects the key archival option in the user’s request and asks the client for the user’s encryption private key.
  • Page 721: Key Recovery Process

    Key Recovery Process Key Recovery Process The Data Recovery Manager supports agent-initiated key recovery. In this method of key recovery, designated recovery agents use the Key Recovery form provided in the Data Recovery Manager Agent Services interface to process key recovery requests, list archived keys, and approve recovery.
  • Page 722: Interface For The Key Recovery Process

    Key Recovery Process splitting or sharing, whereby it splits the PIN that protects the token in which the storage key pair resides among n key recovery agents and reconstructs the PIN only if m of those recovery agents provide their individual passwords; n must be an integer greater than 1 and m must be an integer less than or equal to n.
  • Page 723: Local Versus Remote Key Recovery Authorization

    Key Recovery Process Local Versus Remote Key Recovery Authorization Key recovery agents can authorize the recovery of a key locally or remotely. The overview of local and remote authorization provided in this section is intended to help you determine which to use for your organization. You may find it useful to take a look at the Data Recovery Manager agent-specific information in the CMS Agent’s Guide.
  • Page 724: How Agent-Initiated Key Recovery Works

    Key Recovery Process The Data Recovery Manager informs the agent who initiated the key recovery process of the status of the authorizations. When all of the authorizations are entered, the Data Recovery Manager checks the information. If the information presented is correct, it retrieves the requested key and returns it along with the corresponding certificate in the form of a PKCS #12 package to the agent who initiated the key recovery process.
  • Page 725 Key Recovery Process The agent-initiated key recovery process Figure 22-2 These are the steps shown in Figure 22-2: The Data Recovery Manager agent accesses the Key Recovery form using the appropriate client certificate, types the identification information pertaining to the person whose encryption private key needs to be recovered, and submits the request.
  • Page 726 Key Recovery Process If the request passes all the policy rules, the Data Recovery Manager sends a confirmation HTML page to the web browser the agent used. If the request fails any of the policy checks, the server logs an appropriate error message. The confirmation page contains information and input sections: The information section includes the user’s information.
  • Page 727: Key Recovery Agent Scheme

    Key Recovery Process CAUTION The PKCS #12 package contains the private key. To minimize the risk of key compromise, the recovery agent must use a secure, out-of-band means to deliver the PKCS #12 package and its password to the key recipient. As an administrator, you should recommend that the recovery agent use a strong password for encrypting the PKCS #12 package, and also consider setting up an appropriate delivery mechanism.
  • Page 728 Key Recovery Process In the navigation tree, select the Data Recovery Manager, and in the right pane, click the Scheme Management tab. The Scheme Management tab shows the current key recovery scheme. Click Change scheme. The Change Recovery Key Scheme window appears.
  • Page 729: Changing Key Recovery Agents' Passwords

    Key Recovery Process In the New Scheme section, make the appropriate changes: Number of recovery agents required. Type the number of agents required to authorize a key recovery process. The number cannot be zero and must be equal to or less than the total number of recovery agents. Total number of recovery agents.
  • Page 730 Key Recovery Process The tab shows current key recovery agents in the Available Agents list. Select the agent whose password needs to be changed, and click Change Password. The Change Password dialog box appears. Allow the agent to enter the appropriate information. During installation, the Data Recovery Manager prompts you to enter key recovery agent passwords (by default, they are set to , where...
  • Page 731: Configuring Key Archival And Recovery Process

    Configuring Key Archival and Recovery Process field you must enter the recovery agent password you specified during installation. Then in the remaining fields, allow the key recovery agent to enter the new password information. If you have more than one key recovery agent, repeat this procedure for all the agents.
  • Page 732: Step A. Deploy Clients That Can Generate Dual Key Pairs

    Configuring Key Archival and Recovery Process Step A. Deploy Clients That Can Generate Dual Key Pairs You can use the Data Recovery Manager to archive and recover keys only from clients that support dual key-pair generation, the key archival option, and the CMC protocol.
  • Page 733: Step C. Customize The Certificate Enrollment Form

    Configuring Key Archival and Recovery Process Otherwise, follow the instructions in “Setting Up Trusted Managers” on page 397 and set up the enrollment authority as a trusted front end to the Data Recovery Manager. Step C. Customize the Certificate Enrollment Form For the enrollment authority to automatically initiate the key archival process at the time key pairs are generated, a certificate request must include the following information:...
  • Page 734 Configuring Key Archival and Recovery Process The steps that follow explain how to do this. Figure 22-3 Data Recovery Manager’s transport certificate in the enrollment form Copy the transport certificate in its base-64 encoded format. The transport certificate is stored in the Data Recovery Manager’s certificate database.
  • Page 735 Configuring Key Archival and Recovery Process Click the Retrieval tab. List or search for the transport certificate. Click Details, and view the certificate information. Make sure that the certificate you are looking at is the correct one; the certificate shows the DN that was specified for the transport certificate during the installation of Data Recovery Manager.
  • Page 736 Configuring Key Archival and Recovery Process Use the command-line tool called certutil to retrieve the transport certificate from the Data Recovery Manager’s certificate database. (For information on the certutil tool, check this site: http://www.mozilla.org/projects/security/pki/nss/tools/) First, go to this directory: <server_root>/cert-<instance_id>/config Next, run this command: <server_root>/bin/cert/tools/certutil -L -d .
  • Page 737: Step D. Configure Key Archival Policies

    Configuring Key Archival and Recovery Process Paste the certificate as the value of the kraTransportCert variable. Paste the certificate in front of the sign, remove any line breaks, enclose the certificate within double-quotation marks ("), and end the string with “”...
  • Page 738: Step 2. Set Up The Key Recovery Process

    Configuring Key Archival and Recovery Process Unlike Certificate Manager and Registration Manager, no policy plug-in modules are provided for the Data Recovery Manager. If you have implemented any custom policy modules for the Data Recovery Manager’s key archival process, you should make sure that they are configured properly.
  • Page 739: Step B. Facilitate The Key Recovery Agents To Change The Passwords

    Configuring Key Archival and Recovery Process Step B. Facilitate the Key Recovery Agents to Change the Passwords During the installation of Data Recovery Manager, after you specified the m of n scheme, you were also prompted to provide unique passwords for each recovery agent.
  • Page 740: Step 3. Test Your Key Archival And Recovery Setup

    Configuring Key Archival and Recovery Process Unlike Certificate Manager and Registration Manager, no policy plug-in modules are provided for the Data Recovery Manager. If you have implemented any custom policies for the Data Recovery Manager’s key recovery process, you should make sure that they are configured properly.
  • Page 741 Configuring Key Archival and Recovery Process Go to the enrollment authority’s Agent Services interface. The default URL is as follows: https://<hostname>:<agent_port> Click the link that says List Requests. In the form that appears, select the “Show pending requests” option and click Find.
  • Page 742: Step B. Verify The Key

    Configuring Key Archival and Recovery Process If the key has been archived successfully, you should see the information pertaining to that key. If you don’t see the key archived, check the logs and correct the problem before proceeding to the next step. If the key has been successfully archived, exit the client completely—that is, from the File menu, select Exit;...
  • Page 743: Step D. Restore The Key In The Browser's Database

    Configuring Key Archival and Recovery Process The key owner’s name The serial number of the key The public key that corresponds to the private key (in the form of base-64 encoded certificate) The instance ID of the enrollment authority that initiated the key archival process If you need more information about any of the fields in this form, click the Help button.
  • Page 744 Configuring Key Archival and Recovery Process Open the test email that you couldn’t verify after deleting the certificate from the browser’s certificate database; you should be able to verify it again.
  • Page 745: Chapter 23 Managing Cms Logs

    Chapter 23 Managing CMS Logs Each instance of Netscape Certificate Management System (CMS) maintains its own system, error, and audit log files. These files record events related to various CMS activities. By configuring logs, you can customize the contents in the log files. This chapter explains how to use the CMS window to configure the system, error, and audit logs maintained by Certificate Management System, and how to monitor its activities by viewing log contents.
  • Page 746: Logs Maintained By The Server

    Introduction to Logs • Log Levels (Message Categories) • Log File Locations • Log File Naming Conventions • Buffered Versus Unbuffered Logging • Rotation of Log Files • Deletion of Log Files Logs Maintained by the Server While Certificate Management System is running, it keeps a log of information and error messages on all the components it manages.
  • Page 747: Services That Are Logged

    Introduction to Logs Table 23-1 Types of logs maintained by Certificate Management System (Continued) Log type Description Audit This log records messages specific to the certificate service—messages such as certificate requests, certificate renewal and revocation requests, and CRL publication—and enables you to detect any unauthorized access or activity.
  • Page 748: Log Levels (Message Categories)

    Introduction to Logs Table 23-2 Services logged by Certificate Management System (Continued) Service Description Request Queue Specifies logged events related to the request queue activity of this server. User and Group Specifies logged events related to users and groups managed by this server. Log Levels (Message Categories) For identification and filtering purposes, events logged by all CMS-supported services are classified into various categories.
  • Page 749: Log File Locations

    Introduction to Logs Table 23-3 Classification of log entries or messages (Continued) Log level Message category Description Failure (default selection for system and error logs) These messages indicate errors and failures that prevent the server from operating normally. Examples of messages that fall into this category include failures to perform a certificate service operation (“User authentication failed”...
  • Page 750: Log File Naming Conventions

    Introduction to Logs Log File Naming Conventions All log files created by Certificate Management System use one or the other of two naming conventions. There is one naming convention for active log files and one for rotated log files. Active Log File Naming Convention All active log files created by Certificate Management System use an identical naming convention.
  • Page 751: Rotation Of Log Files

    Introduction to Logs If you configure Certificate Management System for buffered logging, the server creates buffers for the corresponding logs, and it holds the messages in these buffers for as long as possible. The server flushes out the messages to the log files—which are maintained in your local file system—only when either of the following conditions occurs: •...
  • Page 752: Location Of Rotated Log Files

    Introduction to Logs • The age limit for the corresponding file is reached—the corresponding log file is equal to or older than the interval specified by the rolloverInterval configuration parameter. The default value for this parameter is 2592000 seconds (every hour). Both these parameters can be specified from the CMS window;...
  • Page 753: Configuring Cms Logs

    Configuring CMS Logs Configuring CMS Logs This section explains how to configure Certificate Management System to log messages so that you can monitor the server: • Step 1. Before You Begin • Step 2. Modify the Existing Listeners • Step 3. Delete Unwanted Listeners •...
  • Page 754 Configuring CMS Logs Default log-event listeners of a Certificate Manager Figure 23-1 After installation, you must verify whether you want to use these listeners, check how these listeners are configured, and make the appropriate configuration changes. You can modify a log-event listener by editing its configuration parameter values; you cannot edit the name of a listener.
  • Page 755: Step 3. Delete Unwanted Listeners

    Configuring CMS Logs In the navigation tree, select Logs. On the right pane, the Log Event Listener Management tab appears. It lists the currently configured listeners. In the Log Event Listener list, select a listener that you want to modify. For the purposes of this instruction, assume that you selected the listener named Audit...
  • Page 756: Step 4. Create New Listeners

    Configuring CMS Logs To delete a listener from the CMS configuration: In the Log Event Listener Management tab, select the listener you want to delete and click Delete. When prompted, confirm the delete action. The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly.
  • Page 757 Configuring CMS Logs Default log modules registered with a Certificate Manager Figure 23-2 To add a new listener to the CMS configuration: In the Log Event Listener Management tab, click Add. The Select Log Event Listener Plugin Implementation window appears. It lists registered log modules.
  • Page 758 Configuring CMS Logs Click Next. The Log Event Listener Editor window appears. It lists the configuration information required for this listener. Enter the appropriate information: Log Event Listener ID. Type a unique name that will help you identify the listener; be sure to use an alphanumeric string without spaces. type.
  • Page 759: Monitoring Cms Logs

    Monitoring CMS Logs maxFileSize. Type the file size in kilobytes (KB) for the error log. The default size is 100 KB. For more information, see “Timing of Log File Rotation” on page 751. rolloverInterval. From the drop-down list, select the frequency at which the server should rotate the active error log file.
  • Page 760: Monitoring System Logs

    Monitoring CMS Logs • Monitoring Audit Logs • Using System Tools for Monitoring the Server (Windows NT Only) Monitoring System Logs Certificate Management System maintains extensive system logs. These logs record various events and system errors for system monitoring and debugging. A system log records details such as the following: •...
  • Page 761 Monitoring CMS Logs System log entries displayed in the CMS window Figure 23-3 To view the contents of an active or rotated system log file: Log in to the CMS window (see “Logging In to the CMS Window” on page 333). Select the Status tab.
  • Page 762: Monitoring Error Logs

    Monitoring CMS Logs Level. Select a message category that represents the log level for filtering messages. For more information on log levels, see “Log Levels (Message Categories)” on page 748. Filename. Select the log file you want to view. Choose Current to view the currently active system log file.
  • Page 763 Monitoring CMS Logs Error log entries displayed in the CMS window Figure 23-4 To view the contents of an active or rotated error log file: Log in to the CMS window (see “Logging In to the CMS Window” on page 333). Select the Status tab.
  • Page 764: Monitoring Audit Logs

    Monitoring CMS Logs Level. Select a message category that represents the level of logging to filter messages. For more information, see “Log Levels (Message Categories)” on page 748. Filename. Select the log file you want to view. Choose Current to view the currently active error log file.
  • Page 765 Monitoring CMS Logs You can view the contents of currently active as well as rotated audit log files from the CMS window (see Figure 23-5). Figure 23-5 Audit log entries displayed in the CMS window To view the contents of an active or rotated audit log file: Log in to the CMS window (see “Logging In to the CMS Window”...
  • Page 766: Using System Tools For Monitoring The Server (Windows Nt Only)

    Monitoring CMS Logs Database, Authentication, Administration, LDAP, Request Queue, ACLs, User and Group, OCSP, and Others. If you choose All, messages logged by all components that log to this file are displayed. For more information, see “Services That Are Logged” on page 747. Level.
  • Page 767: Logging To Windows Nt Event Log

    Monitoring CMS Logs Logging to Windows NT Event Log In addition to logging messages to the log files maintained in your local file system, Certificate Management System can also log audit messages and system errors to the Windows NT Event log. The CMS window allows you to turn this feature on or off and to specify the levels for logging.
  • Page 768: Avoiding Event Log From Getting Filled

    Monitoring CMS Logs Table 23-4 Mapping between Windows NT log event type and CMS logs (Continued) Windows NT log event type CMS log level Error Misconfiguration (4) Error Catastrophic failure (5) Error Security-related events (6) Avoiding Event Log From Getting Filled When running Certificate Management System on a Windows NT system, if you don’t configure the NT Event Log properly, the event log will get full.
  • Page 769: Archiving Of Rotated Log Files

    Archiving of Rotated Log Files From the Log menu, select Log Settings. This opens the Event Log Settings window. Enter the appropriate values: Change Settings for. Make sure that the Application log is selected in this box. Maximum Log Size. Select a reasonable size so that the event log doesn’t get full in a short period of time.
  • Page 770: Signing Log Files

    Archiving of Rotated Log Files Certificate Management System does, however, provide a command-line utility, called signtool, that allows you to sign log files before archiving them. This gives you a means of tamper detection. For details, see “Signing Log Files” on page 770. Signing Log Files Certificate Management System allows you to digitally sign log files before you archive them or distribute them for audit purposes.
  • Page 771 Archiving of Rotated Log Files Copy the security module database (secmod.db file) from the Administration Server configuration directory to the CMS configuration directory. The security module database is in this directory: <server_root>/admin-serv/config Copy it to this directory: <server_root>/cert-<instance_id>/config Open a terminal window. At the command prompt, run the following command with the appropriate information: signtool -d <secdb_dir>...
  • Page 772: Managing Log Modules

    Managing Log Modules Managing Log Modules This section explains how to use the CMS window to perform the following operations: • Registering a Log Module • Deleting a Log Module For information on adding or changing policy-specific information in the configuration file, see “Changing the Configuration by Editing the Configuration File”...
  • Page 773: Deleting A Log Module

    Managing Log Modules Click OK. You are returned to the Log Event Listener Plugin Registration tab. To view the updated configuration, click Refresh. Deleting a Log Module You can delete unwanted log plug-in modules using the CMS window. Before deleting a module, be sure to delete all the listeners that are based on this module; see “Step 3.
  • Page 775: Part 4 Issuing And Managing Certificates

    Part 4 Issuing and Managing Certificates Chapter 24, “Issuing and Managing Server Certificates” Chapter 25, “Setting Up CEP Enrollment”...
  • Page 777: Chapter 24 Issuing And Managing Server Certificates

    Chapter 24 Issuing and Managing Server Certificates This chapter explains how you can use Netscape Certificate Management System (CMS) to issue and manage SSL server certificates. The chapter has the following sections: • Certificate Issuance to Servers (page 777) • Getting Server SSL Certificates for Netscape Servers (page 780) •...
  • Page 778: How The Manual Server Enrollment Process Works

    Certificate Issuance to Servers Once an administrator generates a CSR for a server, he or she must paste it into the appropriate server enrollment form hosted by a Registration Manager or Certificate Manager, and then submit the request. Upon receipt of the request, Certificate Management System responds as follows: Verifies the validity and authenticity of the request.
  • Page 779 Certificate Issuance to Servers Figure 24-1 Server (or site) certificate issuance. These are the steps shown in Figure 24-1: The server administrator goes to the manual enrollment form hosted by the Registration Manager, pastes in the certificate signing request in PKCS #10 format, completes the other information in the enrollment form, and submits the form.
  • Page 780: Getting Server Ssl Certificates For Netscape Servers

    Getting Server SSL Certificates for Netscape Servers If the request passes Certificate Manager’s policy, it signs the request immediately and returns the certificate to the Registration Manager. The Registration Manager then delivers the certificate to the administrator. Optionally, the Certificate Manager may publish the certificate to the corporate directory.
  • Page 781: Step 1. Generate The Server Certificate Request

    Getting Server SSL Certificates for Netscape Servers • Step 2. Submit the Server Certificate Request • Step 3. Install Your Server’s SSL Certificate • Step 4. Accept a CA as Trusted in Your Server • Step 5. Verify Your Server’s SSL and CA Certificates Step 1.
  • Page 782: Step 2. Submit The Server Certificate Request

    Getting Server SSL Certificates for Netscape Servers Step 2. Submit the Server Certificate Request To submit the server certificate request to Certificate Management System: Open a web browser. Go to the server enrollment form (the page that allows you to submit a server certificate request).
  • Page 783: Step 3. Install Your Server's Ssl Certificate

    Getting Server SSL Certificates for Netscape Servers Step 3. Install Your Server’s SSL Certificate To install the server SSL certificate on your server: Open a web browser window. Go to the Administration Server, and use the Server Selector to access the Server Manager for your server.
  • Page 784 Getting Server SSL Certificates for Netscape Servers Specify how you want Certificate Management System to display the certificate chain. You can choose to display the entire certificate chain (in a single block) or individual certificates in the chain. The entire certificate chain is in PKCS #7 format.
  • Page 785: Step 5. Verify Your Server's Ssl And Ca Certificates

    Getting Server SSL Certificates for Netscape Servers Step 5. Verify Your Server’s SSL and CA Certificates Before activating your server for SSL connections, you can verify whether you have installed your server’s SSL and CA certificates correctly. Open a web browser window. Go to the Administration Server, and use the Server Selector to access the Server Manager for your server.
  • Page 786 Getting Server SSL Certificates for Netscape Servers To CA’s email address. This option allows you to send the CSR to the CA administrator’s email address. The administrator will then be required to submit the request to the CA by pasting the CSR in the CA’s server enrollment form.
  • Page 787: Renewal Of Server Certificates

    Renewal of Server Certificates Renewal of Server Certificates Every certificate issued by Certificate Management System has a validity period that determines its expiration date. The validity period of a certificate is determined by the validity constraints policy settings at the time the certificate was issued (see section “ValidityConstraints Plug-in Module”...
  • Page 788 Revocation of Server Certificates belonging to the end user. The end user can then select the certificate to be revoked or can revoke all certificates in the list. The end user can also specify additional details, such as the date of revocation and revocation reason for each certificate or for the list as a whole.
  • Page 789: Chapter 25 Setting Up Cep Enrollment

    Chapter 25 Setting Up CEP Enrollment Netscape Certificate Management System (CMS) can issue certificates to a wide variety of entities, such as web browsers, SSL-enabled servers, routers, virtual private network (VPN) clients, and so on. This chapter explains how you can configure Certificate Management System to issue router and VPN-client certificates.
  • Page 790: Setting Up Cep Enrollment Manually

    Setting up CEP Enrollment Manually Note that Certificate Management System by default supports issuance of certificates to routers and VPN clients using CEP-based enrollment. However, publishing of these certificates to an LDAP-compliant directory is not turned on by default, because routers and VPN clients need to have access to an LDAP directory in order to fully support various functions, such as certificate and CRL retrieval.
  • Page 791: Step 1. Set Up The Directory For Publishing Certificates And Crls

    Setting up CEP Enrollment Manually • Step 1. Set up the Directory for Publishing Certificates and CRLs • Step 2. Configure the Certificate Manager for Publishing Certificates and CRLs • Step 3. Set Up Automated Enrollment (optional) • Step 4. Set Up Multiple CEP Services (optional) Step 1.
  • Page 792: Step 2. Configure The Certificate Manager For Publishing Certificates And Crls

    Setting up CEP Enrollment Manually Step 2. Configure the Certificate Manager for Publishing Certificates and CRLs In this step, you configure the Certificate Manager to issue router and VPN-client certificates with CRL Distribution Point Extension and to publish the certificates to a directory.
  • Page 793 Setting up CEP Enrollment Manually Table 25-1 CEP service-related configuration parameters in the configuration file (Continued) Parameter Description createEntry Specifies whether to create an entry in the directory before publishing the certificate. Note that to publish a certificate, an entry must already exist for the DN in the directory. •...
  • Page 794 Setting up CEP Enrollment Manually Table 25-1 CEP service-related configuration parameters in the configuration file (Continued) Parameter Description entryObjectClass Specifies the type of object class to assign to the new entry. By default, this is cep, and should not be changed. Note that when createEntry=true, the Certificate Manager will attempt to create an entry for the user.
  • Page 795: Step 3. Set Up Automated Enrollment

    Setting up CEP Enrollment Manually Step 3. Set Up Automated Enrollment As a part of enrolling for a certificate (via CEP), a router administrator or VPN-client user needs to start the enrollment process, which in turn asks the user for information such as the following: •...
  • Page 796 Setting up CEP Enrollment Manually
    eeGateway.cep.cep1.authName=flatfile
    auths.instance.flatfile.fileName=<full_pathname_of_password_file>
    auths.instance.flatfile.authAttributes=pwd
    auths.instance.flatfile.keyAttributes=UNSTRUCTUREDNAME
    auths.instance.flatfile.pluginName=flatfilePlugin
    auths.instance.flatfile.deferOnFailure=false
    auths.impl.flatfilePlugin.class=com.netscape.certsrv.authentication.FlatFileAuth
    A description of each of the parameters listed above is provided in Table 25-2. Table 25-2 Configuration parameters defined in the FlatFileAuth plug-in Configuration parameter Description authName Provides a reference to the authentication plug-in described in the auths.instance.* configuration parameters.
  • Page 797 Setting up CEP Enrollment Manually in the authentication-token file before it does any checking of the password, you must identify attributes that are unique in each router request. You do this by setting the keyAttributes parameter of the FlatFileAuth plug-in implementation to the list of attributes that will be unique in the CEP request.
  • Page 798 Setting up CEP Enrollment Manually There’s an added advantage in determining unique attributes for keyAttributes: it allows you to enforce a rule on the attributes that must be present in the CEP enrollment request. For example, if you would like to enforce that a particular router be assigned to an IP address and host name, you could set the keyAttributes parameter as follows:...
  • Page 799: Step 4. Set Up Multiple Cep Services

    Setting up CEP Enrollment Manually
    UNSTRUCTUREDNAME: router33.example.com
    UNSTRUCTUREDADDRESS: 101.22.33.125
    SERIALNUMBER: 233455
    pwd: 35pww3a
    Note that if you specify a DN for a CEP enrollee in the authentication file, the Certificate Manager replaces the subject name requested by that user (router or VPN client) with the one specified in the file.
  • Page 800: Certificate Issuance To Routers Or Vpn Clients

    Certificate Issuance to Routers or VPN Clients
    ## Router configuration
    eeGateway.cep.cep1.appendDN=O=*BASE_DN*
    eeGateway.cep.cep1.createEntry=true
    eeGateway.cep.cep1.entryObjectClass=cep
    eeGateway.cep.cep1.url=/cgi-bin/pkiclient.exe
    eeGateway.cep.cep1.authName=flatfile_router
    ## VPN configuration
    eeGateway.cep.cep2.url=/vpnenroll
    eeGateway.cep.cep2.authName=flatfile_VPN
    ## Router authentication parameters in the configuration file
    auths.instance.flatfile_router.fileName=<full_path_to_the_authentication_file>
    auths.instance.flatfile_router.authAttributes=pwd
    auths.instance.flatfile_router.keyAttributes=UNSTRUCTUREDNAME
    auths.instance.flatfile_router.pluginName=flatfile
    auths.instance.flatfile_router.deferOnFailure=true
    ## VPN authentication parameters in the configuration file
    auths.instance.flatfile_VPN.fileName=<full_path_to_the_authentication_file>...
  • Page 801: Step 1. Before You Begin

    Certificate Issuance to Routers or VPN Clients Step 1. Before You Begin • Decide whether you want to submit the certificate request for your router to the Certificate Manager (CA) directly or through a Registration Manager. • Open Netscape Console, and locate the CMS instance that corresponds to the subsystem of your interest.
  • Page 802: Step 2. Generate The Key Pair For The Router

    Certificate Issuance to Routers or VPN Clients Scroll down to the section that says “Certificate fingerprint.” • In your router documentation, locate the information specific to requesting certificates for routers. Check the signing algorithm, such as RSA or DSA, and key lengths, such as 512 and 1024, supported by the router.
  • Page 803: Step 3. Request The Ca's Certificate

    Certificate Issuance to Routers or VPN Clients Step 3. Request the CA’s Certificate In this part of the operation, you identify the CA to the router, thus enabling the router to authenticate the CA from which it will request the certificate. You also verify whether the router is talking to the right CA;...
  • Page 804: Example

    Certificate Issuance to Routers or VPN Clients This step depends on your CA’s configuration for router enrollment. If the CA to which the router submitted the request employs automatic enrollment (or authentication) for routers, the request will get processed by the CA.
  • Page 805 Certificate Issuance to Routers or VPN Clients
    router(ca-identity)#exit
    router(config)#crypto ca authenticate test-ca
    Certificate has the following attributes:
    Fingerprint: 24D34656 EB830C39 DD9E8179 0A4EBA98
    % Do you accept this certificate? [yes/no]: yes
    router(config)#crypto ca enroll test-ca
    % Start certificate enrollment ..
    % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate.
  • Page 807: Part 5 Appendix

    Part 5 Appendix Appendix A, “Certificate Download Specification”...
  • Page 809: Certificate Download Specification

    Appendix A Certificate Download Specification This appendix describes the data formats used by Netscape Communicator 4.x for installing certificates. It also describes how certificates are imported into different environments. • Data Formats (page 809) • Importing Certificate Chains (page 811) •...
  • Page 810: Text Formats

    Data Formats • PKCS #7 certificate chain This is a PKCS #7 object. The only significant field in the SignedData object is the certificates. In particular, the signature and the SignedData contents are ignored. In future versions of the software, the CRLs will also be used.
  • Page 811: Importing Certificate Chains

    Importing Certificate Chains Importing Certificate Chains Several of the supported formats can contain multiple certificates. When the Netscape certificate decoder encounters a collection of certificates, it handles them as follows: • The first certificate is processed in a context-specific manner, which varies according to how it is being imported.
  • Page 812: Importing Certificates Into Netscape Servers

    Importing Certificates into Netscape Servers If a certificate chain is being imported, the first certificate in the chain must be the CA certificate, and Communicator adds any subsequent certificates in the chain to the local database as untrusted CA certificates. •...
  • Page 813 Object Identifiers
    netscape-data-type OBJECT IDENTIFIER ::= { netscape 2 }
    netscape-cert-sequence OBJECT IDENTIFIER ::= { netscape-data-type 5 }
    Appendix A Certificate Download Specification...
  • Page 815: Glossary

    Glossary access control The process of controlling who is allowed to do what. For example, access control to servers is typically based on an identity, established by a password or a certificate, and on rules regarding what that entity can do. See also access control list (ACL).
  • Page 816 authentication Confident identification; that is, assurance that a party to some computerized transaction is not an impostor. Authentication typically involves the use of a password, certificate, PIN, or other information that can be used to validate identity over a computer network. See also password-based authentication, certificate-based authentication, client authentication, server authentication.
  • Page 817 authority (CA). A certificate’s validity can be verified by checking the CA’s digital signature using the techniques of public-key cryptography. To be trusted within a public-key infrastructure (PKI), a certificate must be issued and signed by a CA that is trusted by other entities enrolled in the PKI. certificate authority (CA) A trusted entity that issues a certificate after verifying the identity of the person or entity the certificate is intended to identify.
  • Page 818 certificate fingerprint A one-way hash associated with a certificate. The number is not part of the certificate itself, but is produced by applying a hash function to the contents of the certificate. If the contents of the certificate changes, even by a single character, the same function produces a different number.
  • Page 819 chain of trust See certificate chain. chained CA See linked CA. cipher See cryptographic algorithm. client authentication The process of identifying a client to a server, for example, with a name and password or with a certificate and some digitally signed data. See certificate-based authentication, password-based authentication, server authentication.
  • Page 820 cryptographic algorithm A set of rules or directions used to perform cryptographic operations such as encryption and decryption. Cryptographic Message Syntax (CMS) The syntax used to digitally sign, digest, authenticate, or encrypt arbitrary messages, such as CMMF. cryptographic module See PKCS #11 module. cryptographic service provider (CSP) A cryptographic module that performs cryptographic services, such as key generation, key storage, and encryption, on...
  • Page 821 Data Recovery Manager transport certificate Certifies the public key used by an end entity to encrypt the entity’s encryption key for transport to the Data Recovery Manager. The Data Recovery Manager uses the private key corresponding to the certified public key to decrypt the end entity’s key before encrypting it with the Data Recovery Manager storage key.
  • Page 822 dual key pair Two public-private key pairs--four keys altogether--corresponding to two separate certificates. The private key of one pair is used for signing operations, and the public and private keys of the other pair are used for encryption and decryption operations. Each pair corresponds to a separate certificate.
  • Page 823 IP spoofing The forgery of client IP addresses. JAR file A digital envelope for a compressed collection of files organized according to the Java archive (JAR) format. Java archive (JAR) format A set of conventions for associating digital signatures, installer scripts, and other information with files in a directory. Java Cryptography Architecture (JCA) The API specification and reference developed by Sun Microsystems for cryptographic services.
  • Page 824 linked CA An internally deployed certificate authority (CA) whose certificate is signed by a public, third-party CA. The internal CA acts as the root CA for certificates it issues, and the third-party CA acts as the root CA for certificates issued by other CAs that are linked to the same third-party root CA.
  • Page 825 object signing A technology that allows software developers to sign Java code, JavaScript scripts, or any kind of file and allows users to identify the signers and control access by signed code to local system resources. object-signing certificate A certificate whose associated private key is used to sign objects using the technology known as object signing.
  • Page 826 private key One of a pair of keys used in public-key cryptography. The private key is kept secret and is used to decrypt data encrypted with the corresponding public key. proof-of-Archival (POA) Data signed with the private Data Recovery Manager transport key that contains information about an archived end-entity key, including key serial number, name of the Data Recovery Manager, subject name of the corresponding certificate, and date of archival.
  • Page 827 Registration Manager agent A user who belongs to a group authorized to manage agent services for a Registration Manager, including the ability to access and modify (approve and reject) certificate requests. root CA The certificate authority (CA) with a self-signed certificate at the top of a certificate chain.
  • Page 828 signing certificate A certificate whose public key corresponds to a private key used to create digital signatures. For example, Certificate Manager must have a signing certificate whose public key corresponds to the private key it uses to sign the certificates it issues. A Registration Manager must have a signing certificate whose public key corresponds to the private key it uses to sign the certificate requests it sends to the Certificate Manager.
  • Page 829 subordinate CA A certificate authority whose certificate is signed by another subordinate CA or by the root CA. See CA certificate, root CA. symmetric encryption An encryption method that uses the same cryptographic key to encrypt and decrypt a given message. tamper detection A mechanism ensuring that data received in electronic form has not been tampered with;...
  • Page 831: Index

    Index from the command line 325 from the Windows NT Services panel 325 accelerators 436 stopping 326 active logs from Netscape Console 326 default file location 749 from the command line 326 frequency for rotating 751 from the Windows NT Services panel 326 message categories 748 Unix setup 186 naming convention 750...
  • Page 832 for Registration Manager agents 69 modifying 525 URL for 361 naming convention 510 AgentDirEnrollment instance 524 authentication modules 55–56, 77, 81–93 agent initiated user enrollment 524 agents deleting 529 authorizing remote key recovery 723 directory based 56 defined 54 directory-based 502 deleting 416 manual 56 designated groups 385...
  • Page 833 nickname 421 configuration of 193–197 renewing 436, 474 configuring viewing details of 482 SMTP settings for notifications 543, 554, 555 to use separate SSL server certificates 459 CEP 77, 93–95, 96, 100 to use specific ciphers 464 CEP enrollment 789 connecting to a Data Recovery Manager 406 manual 790 Data Recovery Manager and 165–169...
  • Page 834 certificates CMS certificates Certificate Manager 177 renewal 420 Data Recovery Manager 178 CMS data for subsystems, summarized 176–178 where it’s stored 365 how to revoke 592 CMS feature list 34 installing 809–813 CMS instance life-cycle management 98–102 changing the name 301 management formats and protocols 77–78 character set for the name 187, 190, 281, 286 Online Certificate Status Manager 178...
  • Page 835 Unix setup 185 Certificate Manager support for 46 defined 591 configuration directory server issuing or distribution points 595 Unix setup 184 publishing of 39, 591 configuration file 335 publishing to files 647 copying from one instance to another 337 publishing to LDAP directory 594, 595 effects of installation on 335 required schema 598 format 339...
  • Page 836 storage key pair 428 Certificate Manager 177 transport certificate 428 Data Recovery Manager 178 logging to Windows NT event log 767 Online Certificate Status Manager 178 recovery agents for 202–203 Registration Manager 177 setting up enrollment scenarios 84–97 key archival 731 file-based publishing decisions 174 key recovery 738 firewall considerations 84...
  • Page 837 life-cycle management and 98–102 port used for operations 361 filenames See also ports for active log files 750 end-entity certificates for rotated log files 750 renewal 787 FIPS PUBS 140-1 78 revocation 787 firewalls 84 End-Entity Services Interface flush interval for logs 750 introduced 72 fonts used in this book 27 enrollment...
  • Page 838 defined 365 how to distinguish from other Directory Server installation 211–277 instances 366, 368 additional instances 280 introduced 54 demo 105–158 name format 366, 368 first user certificate for 133–136 schema 366 Installation Wizard and 120–133 what you shouldn’t do 366 NT installation script for 112–120 what is it used for 365 overview of 106–110...
  • Page 839 turning on scheduler 553 defined 585 manual updates 642 JSS 76 when to do 643 who can do this 642 See CRLs linked CA 36 linking subsystems See connecting subsystems key archival 717 how it works 719 local vs. remote key recovery 723 how keys are stored 718 location of how to set up 731...
  • Page 840 what it means 748 privileged user’s group membership 415 managing from CMS window 759 privileged-user information 413 monitoring publishers 619, 620 Audit log 764 monitoring logs 759 Error log 762 Audit log 764 System log 760 Error log 762 using system tools in Windows NT 766 System log 760 parameters in the configuration file 341 things you can monitor 759...
  • Page 841 for OCSP signing certificate 422 password cache filename 308, 315 for signing certificate 426, 430 password cache location 308, 315 for SSL server certificate 425, 427, 429, 430 password.conf file 306 for transport certificate 428 PasswordCache utility 316 notifications password-quality checker 308, 316 configuring the mail server 554 passwords host name 543, 555...
  • Page 842 how it applies rules 569 modifying privileges 413 JavaScript 582 certificate information 414 result of processing 569 group membership 415 when used 568 login information 413 what can you use it for 560 setting up 388 administrators 388 policy modules 57–83 agents 391 decisions for deployment 179–180 trusted managers 397...
  • Page 843 recovering users’ private keys 721 reasons 592 who can do this 592 registering authentication modules 528 road map to configuring subsystems 354 job modules 556 roles log modules 772 administrator 372 mapper modules 665 agent 373 policy modules 582 determining factor 372 publisher modules 665 key recovery agents 721 Registration Manager...
  • Page 844 default for Unix 300 deleting 484 default for Windows NT 300 getting a new one 436, 465 defined 300 nickname 425, 427, 429, 430 how many on a single host 300 renewing 436, 474 relationship with Administration Server 324 viewing details of 482 server status starting off 301...
  • Page 845 how to monitor 760 modifying 413 logging to Windows NT event log 767 certificate information 414 See also logging group membership 415 login information 413 role defined 380 setting up 397 type styles used in this book 27 Tasks tab 329 tasks you can accomplish 329 templates for notifications 534...
  • Page 846 wizard See Certificate Setup Wizard writing policies in JavaScript 582 X.509 certificates 79...
