1. Manuals
  2. Brands
  3. Netscape Manuals
  4. Software
  5. NETSCAPE MANAGEMENT SYSTEM 6.1 -...
  6. Administrator's manual

Netscape MANAGEMENT SYSTEM 6.1 - ADMINISTRATOR Administrator's Manual

Hide thumbs
1
2
Table Of Contents
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
Table of Contents

Advertisement

Quick Links

Download this manual
Administrator's Guide
Netscape Certificate Management System
Version 6.1
February 2003

Advertisement

Table of Contents
loading
Need help?

Need help?

Do you have a question about the NETSCAPE MANAGEMENT SYSTEM 6.1 - ADMINISTRATOR and is the answer not in the manual?

Questions and answers

Related Manuals for Netscape NETSCAPE MANAGEMENT SYSTEM 6.1 - ADMINISTRATOR

Summary of Contents for Netscape NETSCAPE MANAGEMENT SYSTEM 6.1 - ADMINISTRATOR

  • Page 1 Administrator’s Guide Netscape Certificate Management System Version 6.1 February 2003...
  • Page 2 Netscape Communications Corporation ("Netscape") and its licensors retain all ownership rights to the software programs offered by Netscape (referred to herein as "Software") and related documentation. Use of the Software and related documentation is governed by the license agreement for the Software and applicable copyright law. Your right to copy this documentation is limited by copyright law.

  • Page 3: Table Of Contents

    Contents About This Guide ............. . 21 Who Should Read This Guide .
  • Page 4 Java SDK Extension Mechanism for Customization ........37 How Certificate Management System Works .
  • Page 5 Chapter 3 Certificate Manager ..........83 Certificate Manager Deployment Considerations .
  • Page 6 Cloning Considerations ............. 130 Setting Up a Clone CA .
  • Page 7 OCSP Responses ..............169 CMS OCSP Services .
  • Page 8 Tokens ................217 Internal Database .
  • Page 9 Setting Up Signed Audit Logs ............280 Audit Logging Failures .
  • Page 10 Getting an Agent’s Certificate from Certificate Management System ..... . 340 Revocation Status Checking of Agent Certificates ........341 Modifying CMS User Entries .
  • Page 11 certServer.ee.request.ocsp ............363 certServer.ee.request.revocation .
  • Page 12 Chapter 9 Authentication ........... . 383 Enrollment Overview .
  • Page 13 certOutputImpl ..............447 Defaults Reference .
  • Page 14 Policy Processor ..............484 Using Predicates in Policy Rules .
  • Page 15 SubjectDirectoryAttributesExt ............561 SubjectKeyIdentifierExt .
  • Page 16 Setting Up CMC Revocation ............596 Testing CMC Revoke .
  • Page 17 Modifying Publishing Rules for Certificates and CRLs ........646 Rule Instance Reference .
  • Page 18 About Roles ............... 683 CMS Common Criteria Environment Setup and Installation Guide .
  • Page 19 1.2.2 IT security objectives for the environment ......... 701 1.3 Security Objectives for both the TOE and the Environment .
  • Page 20 Appendix I Distinguished Names ..........747 What Is a Distinguished Name? .

  • Page 21: About This Guide

    About This Guide This Administrator’s Guide explains how to install, configure, and maintain Netscape Certificate Management System (CMS), and use it for issuing and managing certificates to various end entities, such as web browsers (users), servers, Virtual Private Network (VPN) clients, and Cisco™ routers. This preface has the following sections: •...

  • Page 22: What's In This Guide

    What’s in This Guide • You understand the concepts of intranet, extranet, and Internet security and the role of digital certificates in a secure enterprise, including the following topics: Encryption and decryption Public keys, private keys, and symmetric keys Significance of key lengths Digital signatures Digital certificates, including various types of digital certificates The role of digital certificates in a public-key infrastructure (PKI)
  • Page 23 What’s in This Guide Chapter 4, Provides information about installing a Registration “Registration Manager, step-by-step instructions for installing a Manager” Registration Manager, and an overview of the configuration options for a Registration Manager. Chapter 5, “OCSP Provides information about installing an Online Responder”...
  • Page 24 What’s in This Guide Chapter 15, Provides information and procedures for configuring “Publishing” the publishing feature. Appendix A, Provides security requirements for running CMS in the “Common Criteria Common Criteria Environment. Environment: Security Requirements” Appendix B, Provides details on setting up CMS in the Common “Common Criteria Criteria Environment.

  • Page 25: Conventions Used In This Guide

    Conventions Used in This Guide Conventions Used in This Guide The following conventions are used in this guide: This typeface is used for any text that appears on the Monospaced font computer screen or text that you should type. It’s also used for filenames, functions, and examples.

  • Page 26: Documentation

    Documentation Example: Using Netscape Communicator 4.7 or later, enter the URL for the Netscape Administration Server: http://<hostname>:<port_number> A slash is used to separate directories in a path. Example: Except for the Security Module Database Tool, you can find all the other command-line utilities at this location: <server_root>/bin/cert/tools Notes and Cautions:...
  • Page 27 Documentation Provides detailed reference information on customizing the HTML-based agent and end-entity interfaces. CMS Agent’s Guide Provides detailed reference information on CMS agent interfaces. To access this information from the Agent Services pages, click any help button. About This Guide...
  • Page 28 Documentation Netscape Certificate Management System Administrator’s Guide • February 2003...

  • Page 29: Chapter 1 Overview

    Chapter 1 Overview This chapter provides an overview of Netscape Certificate Management System (CMS), a highly configurable set of software components and tools for creating, deploying, and managing certificates. Based on open standards for certificate management, Certificate Management System provides a complete, customizable, robust, scalable, and high-performance certificate management solution for your public-key infrastructure (PKI), extranets and intranets.

  • Page 30: Certificate Manager Flexibility And Scalability

    Features • The Certificate Manager is the subsystem that provides Certificate Authority functionality for issuing, renewing, revoking, and publishing certificates and creating and publishing CRLs. See Chapter 3, “Certificate Manager” for complete details. • The Registration Manager is an optional subsystem that provides Registration Authority functionality.

  • Page 31: Interfaces

    Features Root or Subordinate CA CMS can function as a root CA; in this case, the server signs its own CA signing certificate as well as other CA signing certificates, enabling you to create your own CA hierarchy. You can also install the server to function as a subordinate CA; in this case, the server gets its CA signing key signed by another CA in an existing CA hierarchy.

  • Page 32: Auditing

    Features Supports Signing of Logs CMS allows you to sign log files digitally before archiving them or distributing them for audit purposes. This feature enables you to check whether the log files were tampered with after being signed. See “Signing Log Files,” on page 275 for complete details.

  • Page 33: Certificate Issuance

    Features certificate. CMC enrollment is also supported allowing a request signed by an agent to be automatically processed. A set of prebuilt authentication plug-ins are available to enable and configure. You can create additional Authentication plug-in modules using the CMS SDK. See Chapter 9, “Authentication” for complete details. Certificate Issuance CMS supports the enrollment and certificate issuance to a wide variety of end-entities.

  • Page 34: Policy

    Features profile are met before acting on the request, and will use the certificate profile to determine the content of the issued certificate. You can create additional Certificate Profile plug-in modules using the CMS SDK. See Chapter 10, “Certificate Profiles” for complete details.

  • Page 35: Notifications

    Features Notifications Notifications is a feature that allows you to set up automated messages when a particular event occurs, such as when a certificate is issued or revoked. The notification framework comes with default modules that you can enable and configure.

  • Page 36: Support For Open Standards

    Features Support for Open Standards With its support for open standards, CMS gives organizations confidence that they will be able to communicate within a heterogeneous computing environment. CMS supports standards in the following ways: • Formulates, signs, and issues industry-standard X.509 version 3 public-key certificates;...

  • Page 37: Java Sdk Extension Mechanism For Customization

    How Certificate Management System Works Java SDK Extension Mechanism for Customization The software development kit (SDK) provided with CMS includes APIs and tutorials for customizing different aspects of the system. You can write the following custom modules: • Authentication • Authorization •...
  • Page 38 How Certificate Management System Works • The Certificate Manager is the subsystem that provides Certificate Authority functionality for issuing, renewing, revoking, and publishing certificates and creating and publishing CRLs. See Chapter 3, “Certificate Manager” for complete details. • The Registration Manager is an optional subsystem that provides Registration Authority functionality.
  • Page 39 How Certificate Management System Works • End-Entity Services Interface—The end-entity interface is a customizable HTML interface that can be used for end-entities to enroll in your PKI, renew certificates, revoke their own certificates, and pick up issued certificates. It contains forms for different types of enrollments, and for the enrollment different types of end-entities.

  • Page 40: About The Certificate Manager

    How Certificate Management System Works • Agents who can edit and approve requests. • Auditors who can view and configure audit logs. • Trusted Managers which are subsystems that have a trusted relationship with another subsystem. CMS allows you to create users, and assign them the privileges of whichever group in which they are members.
  • Page 41 How Certificate Management System Works The Certificate Manger acts as a Certificate Authority (CA). It can be configured as a self-signing CA, where it is the root CA, or it can act as a subordinate CA, where it obtains its own signing certificate from a public CA. Scalability You can configure more than one CA either forming a vertical or horizontal chain of CAs.

  • Page 42: How The Certificate Manager Works

    How Certificate Management System Works Revocation and CRLs CMS provides the framework for revoking certificates which can either be initiated by an agent or by the end user themselves. An administrator can also revoke the certificates of any of the subsystems or agents. CMS also support CMC Revocation.
  • Page 43 How Certificate Management System Works Authentication Methods CMS provides authentication plug-ins that allow you to set up automated enrollment and configure the particular method(s) you set up; it provides agent-approved enrollment, where an agent must approve the request by default. Each end-entity form is associated with a particular authentication method, either one of the automated methods or the agent-approved method.
  • Page 44 How Certificate Management System Works Certificate Creation The Certificate Manger issues certificates when it receives signed requests from either its own agents (user’s who are assigned privileges to approve enrollment, renewal, and revocation requests), from a trusted Registration Manger, or from a third-party application that sends a signed request that is set up for CMC enroll with the Certificate Manager.

  • Page 45: About The Registration Manager

    How Certificate Management System Works An agent can also revoke a certificate if the owner of the certificate is unwilling or unable to do so. When the certificate is revoked, it is marked revoked in the internal database, and is marked revoked in the publishing system. The certificate is also added to the Certificate Revocation List (CRL) produced by the Certificate Manager.

  • Page 46: How The Registration Manger Works

    How Certificate Management System Works How the Registration Manger Works This sections details the processes that a Registration Manager goes through, and the various configuration settings involved in those processes. Accepting Enrollment Requests Similar to the Certificate Manger, the Registration Manger contains an end-entity interface with various forms associated with various types of certificates and various types of users.
  • Page 47 How Certificate Management System Works Request Processing When the Registration Manger processes requests from its own end-entity interface, it first considers the authentication method. If it is an agent-approved enrollment method, the request is queued in the agent services interface where it awaits agent approval.
  • Page 48 How Certificate Management System Works Publishing of Certificates Certificates can be published to a file or an LDAP directory. You set up the publishing feature and set up rules that determine which certificates are published using which method, and where exactly they are published. The publishing system is flexible allowing you many options in configuring it.

  • Page 49: Data Recovery Manager

    How Certificate Management System Works An agent can also revoke a certificate. They might do this if someone leaves the company. When the certificate is revoked, it is marked revoked in the internal database, and is marked revoked in the publishing system. The certificate is also added to the Certificate Revocation List (CRL) produced by the Certificate Manager.

  • Page 50: Online Certificate Status Manager

    Deployment Scenarios Online Certificate Status Manager The Online Certificate Status Manager is an optional subsystem of CMS that can act as a stand-alone OCSP service. The Certificate Manager is configured with an internal OCSP service. An external OCSP Responder is offered as a separate subsystem in case you want the OCSP service provided outside a firewall while the Certificate Manager resides inside a firewall, or to take the load of requests off the Certificate Manager.

  • Page 51: Certificate Manager And Registration Manager

    Deployment Scenarios Certificate Manager Figure 1-1 Single root Figure 1-1 shows the relationships among a single Certificate Manager, end entities, and a publishing directory. The Certificate Manager can publish both end-entity certificates and CRLs to a directory. Certificate Manager and Registration Manager Figure 1-2 shows a Registration Manager and its Certificate Manager in separate instances on separate machines.
  • Page 52 Deployment Scenarios Certificate Manager Figure 1-2 and Registration Manager in different instances Many organizations need to separate the role of the Registration Manager from the role of the Certificate Manager. This separation can be useful, for example, if different groups of end entities are subject to different authentication policies or work in different geographic locations.

  • Page 53: Certificate Manager And Data Recovery Manager

    Deployment Scenarios A Registration Manager can be installed in one CMS instance and its related Certificate Manager in another CMS instance. The separate instances can be located in the same server group, in different server groups on the same machine, or in different server groups on different machines.
  • Page 54 Deployment Scenarios Figure 1-3 Certificate Manager and Data Recovery Manager in different instances The Data Recovery Manager is intended for archival and recovery of private encryption keys only. Therefore end entities must be using either a browser that supports dual-key generation or a browser that is using Netscape Personal Security Manager, which supports dual keys.

  • Page 55: Certificate Manager, Data Recovery Manager, And Registration Manager

    Deployment Scenarios Certificate Manager, Data Recovery Manager, and Registration Manager The three CMS subsystems can be deployed in many different relationships. Figure 1-4 illustrates some of the issues involved in deploying all three subsystems by showing the relationships among a single Certificate Manager, a single Registration Manager, and a single Data Recovery Manager, each installed in a different CMS instance on a different machine.

  • Page 56: Cloned Certificate Manager

    Deployment Scenarios The Registration Manager handles all end-entity interactions and communicates with the Certificate Manager and the Data Recovery Manager over HTTPS. The Registration Manager is configured to request the end entity’s private encryption key (in encrypted form) and send it to the Data Recovery Manager during the enrollment process.

  • Page 57: System Architecture

    System Architecture To create a cloned Certificate Manager, you must first install and configure at least one Certificate Manager and specify a definite upper, but no lower bound for the serial numbers it will use. You then install or create a new instance of a Certificate Manager (but do not configure it).

  • Page 58: Cms Component

    System Architecture Figure 1-5 CMS Architecture CMS Component The CMS component is the main component in the CMS product. CMS is a set of pure Java classes. This component provides a secure application platform where subsystems (CA, RA, DRM, and OCSP) can be tightly integrated with a PKI infrastructure.

  • Page 59: Http Engine

    System Architecture Within the CMS component, a set of common modules (all can be extended with customized JAVA plug-ins) are provided for all subsystems (although some may not be utilized by default setting, they are all available for further customization): •...

  • Page 60: Service Interfaces

    System Architecture responder only takes OCSP request format, while a DRM does not provide any end-entity services. The client applications used to access this entry point must have the capability to act as an SSL client. A common client application is a browser such as the Netscape browser.

  • Page 61: Jss And The Java/Jni Layer

    System Architecture Agent Services Interface The agent services interface provides JAVA servlets to process HTML form submissions coming from the agent entry-point. Based on the information given in each form submission, the agent servlets allow agents to perform agent tasks, such as editing and approving requests for certificate approval, certificate renewal, and certificate revocation, and approving certificate profiles.

  • Page 62: Nss

    System Architecture http://www.mozilla.org/projects/security/pki/jss/index.html Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled communications applications. Applications built with the NSS libraries support the SSL protocol for authentication, tamper detection, and encryption as well as the PKCS #11 interface for cryptographic token interfaces.

  • Page 63: Management Tools

    System Architecture The Internal Key Storage token (“Certificate DB token” in Figure 1-5 on page 58) handles all communication with the certificate and key database files (called certX.db and keyX.db, respectively, where X is a version number) that store certificates and keys. •...

  • Page 64: Internal Ldap Database

    CMS SDK Internal LDAP Database CMS employs Netscape Directory Server as its internal database for storing information such as certificates, requests, users, roles, ACLs, as well as other miscellaneous internal information. CMS communicates with the internal LDAP database securely by means of SSL client authentication. Administration Server The Netscape Administration Server comes with all Netscape server products, including CMS.

  • Page 65: Support For Open Standards

    Support for Open Standards • Tutorials—“How To” tutorial to help demonstrate how you can create your own plug-in modules for CMS. Each tutorial includes sample Java source code, environment and build script and a detailed “cookbook” describing how to build and install these plug-in modules. Additionally, some tutorials may also contain sample configuration files.

  • Page 66: Security And Directory Protocols

    Support for Open Standards • Cryptographic Message Syntax (CMS). A superset of PKCS #7 syntax used for digital signatures and encryption. A proposed standard from the IETF PKIX working group. • PKIX Certificate and CRL Profile (PKIX Part 1). The first part of the four-part standard under development by the IETF for a public-key infrastructure for the Internet.
  • Page 67 Support for Open Standards • X.509 v1, v3. Digital certificate formats recommended by the International Telecommunications Union (ITU). • Secure Sockets Layer (SSL) 2.0, 3.0. A set of rules governing server authentication, client authentication, and encrypted communication between servers and clients. Chapter 1 Overview...
  • Page 68 Support for Open Standards Netscape Certificate Management System Administrator’s Guide • February 2003...

  • Page 69: Chapter 2 Installation

    Chapter 2 Installation This chapter explains how to install Netscape Certificate Management System (CMS). This chapter contains the following sections: • Installation and Configuration Overview • Installation Overview • Installing CMS • Uninstalling CMS Installation and Configuration Overview You install Netscape Certificate Management System (CMS) on each host on which you will be setting up a CMS subsystem.

  • Page 70: Installation And Configuration Process

    Installation and Configuration Overview One of your deployment decisions is which subsystems you will install, how many of each type of subsystem you will configure, and on which hosts they will be installed. Once you decide this, you install CMS on each host you will be using, install each subsystem that will be run on that host, and then configure each of the subsystems on each host.

  • Page 71: Installation Overview

    Installation Overview Installation Overview This section provides information about the CMS installation, and provides information about things you need to consider and decide when installing CMS. About the Installation Program The installation program installs Administration Server, Directory Server, Netscape Console, and CMS in the server root directory you specify. It creates one instance of Administration Server, one instance of Directory Server, and one instance of CMS.
  • Page 72 Installation Overview Server Groups A server group is created when you install Administration Server. All servers are then installed in that server group. You can create more than one server group and install servers in each. You must have an Administration Server for each server group.
  • Page 73 Installation Overview Deciding the User and Group for Your Netscape Servers For security reasons, it is always best to run UNIX-based production servers with normal user privileges. That is, you do not want to run the servers with root privileges. However, you will have to run Directory Server with root privileges if you are using the default Directory Server ports.
  • Page 74 Installation Overview • Directory Manager DN and password. The Directory Manager DN is the special directory entry to which access control does not apply. Think of the directory manager as your directory's superuser. The default Directory Manager DN is . Because the cn=Directory Manager Directory Manager DN is a special entry, the Directory Manager DN does not have to conform to any suffix configured for your Directory Server.
  • Page 75 Installation Overview For the purposes of CMS, this suffix usually does not matter, unless you plan to store user information in this configuration directory. You normally will not store users in this configuration directory. You only use this configuration directory to store configuration settings for the Administration Server and allow you to use Netscape Console to manage CMS.

  • Page 76: Installation Worksheet

    Installation Overview Installation Worksheet You can use the following worksheet to specify the information you will be prompted for during the installation. The default setting is indicated in square brackets. Install location [/usr/netscape/servers] ______________________________________ Computer name [myhost.mydomain.com] ______________________________________ System User [nobody] ______________________________________ System Group [nobody] ______________________________________...

  • Page 77: Installing Cms

    Installing CMS Installing CMS To install CMS: Log in to the host system as the user ID you will be running the servers as. You must be logged into the host locally, do not install remotely. See “Deciding the User and Group for Your Netscape Servers,” on page 73 for more information.
  • Page 78 Installing CMS Do you agree to the license terms? [No]: Type and press Enter. Select the component you would like to install [1]: Accept the default to install the Netscape servers. Choose an installation type [2]: Accept the default for a typical installation. Install location [/usr/netscape/servers]: Enter the full path to the location in which you want to install the servers.
  • Page 79 Installing CMS Do you want to use another directory to store your data? [No]: If you accept the default setting, the installation script either adds a user/group directory to the newly installed instance of Directory Server (if you accepted the default in step 17) or installs a new instance of Directory Server for use as a user/group directory.
  • Page 80 Installing CMS Administration Domain [mydomain.com]: Accept the default value. This domain name identifies the collection of servers that use the same configuration directory. Administration port [random #]: Accept the default port number, which is randomly generated, or enter any port number that is not and will not be used for another purpose.

  • Page 81: Uninstalling Cms

    Uninstalling CMS Uninstalling CMS To remove CMS from a host system, run the uninstall program. To remove a specific CMS instance, follow the instructions provided in “Removing an Instance From a System” on page 258. To uninstall CMS: Log in as the user account under which the server is running. Go to the server root directory containing the installed software.
  • Page 82 Uninstalling CMS Netscape Certificate Management System Administrator’s Guide • February 2003...

  • Page 83: Chapter 3 Certificate Manager

    Chapter 3 Certificate Manager The Certificate Manager subsystem provides the services of a Certificate Authority (CA) in the PKI. It can issue, renew, and revoke certificates; create and issue CRLs; and publish certificates and CRLs. This chapter discusses the Certificate Manager subsystem. It provides an overview of the subsystem including the decisions you need to make before installing the subsystem, complete installation instructions, an overview of the Certificate Manager processes including information on configuring those processes,...

  • Page 84: Self-Signed Root Vs. Subordinate Ca

    Certificate Manager Deployment Considerations Self-Signed Root vs. Subordinate CA A Certificate Manager can be set up as a self-signing root CA. You set up a self-signing root CA by choosing this option when you install. A self-signing root CA issues and signs its own certificates. The subsystems are then issued certificates by this self-signing CA.

  • Page 85: Cloned Ca

    Certificate Manager Deployment Considerations One benefit of chaining up to a public CA is that the third party is responsible for getting the root CA certificate into the browser or other client software. This can be a major advantage if you are deploying an extranet that involves certificates used by different companies whose browsers you cannot control.
  • Page 86 Certificate Manager Deployment Considerations About the CA Key Pairs and Certificates This section describes the key pairs and certificates associated with the Certificate Manager. CA Signing Key Pair and Certificate Every Certificate Manager you install has a Certificate Manager CA signing certificate, whose public key corresponds to the private key the Certificate Manager uses to sign the X.509 certificates and CRLs it issues.
  • Page 87 Certificate Manager Deployment Considerations The wizard uses the key type, key size, key algorithm, and validity period you provided for the CA signing key pair to generate the OCSP signing key pair. The subject name of the OCSP signing certificate is in the form CN=OCSP , and it contains extensions, such as cert-<cms_instance_id>...
  • Page 88 Certificate Manager Deployment Considerations Certificate Considerations This section explains some of the decisions you need to make about the certificates you get for the Certificate Manager when you install the subsystem. CA’s Distinguished Name The core elements of a CA consist of a signing unit and the Certificate Manager’s own identity.

  • Page 89: Certificate Manager Interfaces

    Certificate Manager Deployment Considerations If you decide to generate a new signing key, one of the first decisions you need to make is whether to use the RSA or DSA algorithm. If you use DSA, the software can generate and verify the PQG value. PQG values are used to create the DSA signing key pair.

  • Page 90: Password Storage

    Certificate Manager Deployment Considerations and approve and configure certificate profiles. The agent’s services interface is an HTML interface accessible through HTTPS that authenticates agents using their certificate. The default interface provides all the functionality needed by agents for a Certificate Manager and is completely customizable. The agent services interface listens to requests and communicates on the SSL Agent Services Port.

  • Page 91: Tokens

    Installing a Certificate Manager specifying this when running the installation wizard to configure that subsystem. You should carefully consider whether you want to store this information in a separate internal database for each subsystem or use one internal database for all subsystems installed on the host.
  • Page 92 Installing a Certificate Manager Select the CMS instance and then either click Open, or double click this instance. The Installation Wizard launches. Installation Wizard Introduction. Click Next to continue. Logon Token. Choose either (if you plan to use the internal internal/software token) or the name of an external token to store the Certificate Manager signing certificate and key pair.
  • Page 93 Installing a Certificate Manager Select Yes if you have already installed a remote Data Recovery Manager that you want the Certificate Manager to use for archiving end users’ encryption private keys. Then, enter the remote Data Recovery Manager’s host name, agent SSL port number, and the Time-out in seconds in the associated fields.
  • Page 94 Installing a Certificate Manager Key Length. Available key sizes for RSA are 512, 768, 1024, 2048, 4096, or Custom. Available key sizes for DSA are 512, 1024, or Custom (which must be in increments of 64 bits only). See “Signing Key Type and Length” on page 88 for more information. Click Next to continue.
  • Page 95 Installing a Certificate Manager For more information about extensions, see Appendix G, “Certificate and CRL Extensions.” Click Next to continue. Certificate Manager CA Signing Certificate Creation. Click Next to generate and install the certificate. SSL Server Certificate. Select the “Sign SSL certificate with my CA signing certificate”...

  • Page 96: Installing A Certificate Manager As A Subordinate Ca

    Installing a Certificate Manager Certificate Extensions for SSL Server Certificate. Select the required extensions. The default settings should work for most deployments. If necessary, you can add an additional extension by pasting its base-64 encoding in the space provided on this screen (see Step 17). Click Next to continue.
  • Page 97 Installing a Certificate Manager Logon Token. Enter either (if you plan to use the internal/software internal token) or the name of an external token to store the Certificate Manager signing certificate and key pair. If you have not previously initialized the token’s password, you must do so in this screen.
  • Page 98 Installing a Certificate Manager Select Yes if you have already installed a remote Data Recovery Manager that you want the Certificate Manager to use for archiving end users’ encryption private keys. Then, enter the remote Data Recovery Manager’s host name, agent SSL port number, and the Time-out in seconds in the associated fields.
  • Page 99 Installing a Certificate Manager Key Length. Available key sizes for RSA are 512, 768, 1024, 2048, 4096, or Custom. Available key sizes for DSA are 512, 1024, or Custom (which must be in increments of 64 bits only). See “Signing Key Type and Length” on page 88 for more information. Click Next to continue.
  • Page 100 Installing a Certificate Manager For more information about extensions, see Appendix G, “Certificate and CRL Extensions.” Click Next to continue. Certificate Manager CA Signing Certificate Creation. This is an informational screen that tells you that the wizard has all the information required to generate the key pair and certificate request.
  • Page 101 Installing a Certificate Manager Enter the URL for the remote Certificate Manager’s Agent Services page. (You must have a valid agent’s certificate.) Select List Requests, then click Show Pending Requests and click Find. The pending request list is displayed. Locate your request, click Details to see it, and make any changes. VII.
  • Page 102 Installing a Certificate Manager In the web browser window, enter the URL for the remote Certificate Manager’s Agent Services page. (You must have a valid agent’s certificate.) Select List Requests, then click Show Pending Requests and click Find. VII. In the pending request list, locate your request, click Details to see the VIII.
  • Page 103 Installing a Certificate Manager Select Yes if you have the certificate ready in its base-64 encoded format. Click Next to continue. If you selected No, you will be presented with the “SSL Server Certificate” screen (Step 24). If you selected Yes, the “Location of Certificate” screen appears (Step 21). Location of Certificate.
  • Page 104 Installing a Certificate Manager Paste the certificate chain into the text box. Click Next to continue. SSL Server Certificate. Select the appropriate option: If you want to get the SSL server certificate signed by the subordinate CA itself, select the “Sign SSL certificate with my CA signing certificate” option.
  • Page 105 Installing a Certificate Manager Click Next to continue. SSL Server Certificate Request Creation. This is an informational screen that tells you that the wizard has all the information required to generate the key pair and certificate request. In the previous screens, if you chose to generate a certificate request and include the Subject Key Identifier extension in the certificate, you’ll be given the choice to select the format for the certificate request.
  • Page 106 Installing a Certificate Manager Note that the request gets added to the agent queue of the remote Certificate Manager for approval by that Certificate Manager’s agent. If you’ve permission to access that Certificate Manager’s Agent interface, you can follow the instructions below to issue the certificate. Otherwise, you should wait for the remote Certificate Manager’s agent to approve your request and issue the certificate.
  • Page 107 Installing a Certificate Manager In the resulting form, choose the type of request from the pull down menu, paste the request in the request field, and fill in the other fields on the form. Click Submit. If you used the Agent-Based Server Certificate Enrollment and you have an agent certificate, the certificate will be automatically issued once you submit the request.
  • Page 108 Installing a Certificate Manager Make sure that the certificate request (including -----BEGIN NEW CERTIFICATE REQUEST ----- -----END NEW CERTIFICATE is highlighted, and click the Copy to Clipboard REQUEST -----) button. This action copies the certificate request to the clipboard. In addition to the copy on the clipboard, the screen informs you that the certificate request has been saved to a file.
  • Page 109 Installing a Certificate Manager If you noted the request ID of your request and know the host name and end-entity port number of the remote Certificate Manager that issued the certificate, select the “The certificate is at the CMS server where the request was sent”...

  • Page 110: Configuring The Certificate Manager

    Configuring the Certificate Manager Configuring the Certificate Manager This section lists the areas that you can configure for the Certificate Manager, gives a description of that area, and points you to specific information on configuring that set of features. Adding Users Once the Certificate Manager is installed, you need to add users and assign them to the administrator, agent, or auditor roles.

  • Page 111: Managing Certificates And The Certificate Database

    Configuring the Certificate Manager • Members of the Auditor group can view the signed audit log, and can view configuration settings, but cannot perform any other operations on configuration settings and do not have access to the agent services interface. •...
  • Page 112 Configuring the Certificate Manager Getting a CRL Signing Key Pair and Certificate A Certificate Manager uses the key pair corresponding to the CA signing certificate for signing certificates and certificate revocation lists (CRLs). If you want a Certificate Manager to use a separate key pair for signing the CRLs it generates, you can do so after installation.
  • Page 113 Configuring the Certificate Manager Log in to the Agent Services interface, check the request for required extensions. For example, the CRL signing certificate must contain the Key Usage extension with the bit set. (By default, the Certificate crlSigning Manager’s policy is configured to add the Key Usage extension with correct bits to the CRL signing certificate;...
  • Page 114 Configuring the Certificate Manager For example, your edited entries might look like this: ca.crl_signing.cacertnickname=crlSigningCert cert-demoCA ca.crl_signing.defaultSigningAlgorithm=MD5withRSA ca.crl_signing.tokenname=Internal Key Storage Token Save your changes and close the file. Restart the Certificate Manager. Now the Certificate Manager is ready to use the CRL signing certificate to sign the CRLs it generates. Getting Additional SSL Server Certificates The Certificate Manager uses its SSL server certificate to do SSL server-side authentication to the following:...

  • Page 115: Changing Ports And Ip Addresses

    Configuring the Certificate Manager CA Certificate Renewal or Reissuance When a CA signing certificate expires, all certificates signed with the CA’s corresponding signing key become invalid. End entities use information in the CA certificate to verify the certificate’s authenticity. If the CA certificate itself has expired, applications cannot chain the certificate to a trusted CA.

  • Page 116: Changing Subsystem Security Setting

    Configuring the Certificate Manager Changing Subsystem Security Setting You can configure the security of each subsystem by changing the SSL version used by the subsystem and enabling or disabling ciphers, see “Configuring the Server’s Security Preferences,” on page 320. Changing Passwords or Storage Settings Each subsystem stores passwords for its internal database, and for the tokens containing its keys and certificates.

  • Page 117: Setting Up A Mail Server

    Configuring the Certificate Manager Setting Up a Mail Server If the subsystem will be sending out email notifications, you can configure the subsystem to use a mail server, see “Mail Server,” on page 259. Changing the Certificate Issuance Rules You can change some of the rules about certificate issuance that were either determined during installation, or are the system defaults.

  • Page 118: Setting Up Authentication

    Configuring the Certificate Manager The serial number range enables you to deploy multiple CAs, balancing the number of certificates each CA issues. Note that the combination of an issuer name and a serial number uniquely identifies a certificate. To ensure that two distinct certificates issued by the same authority doesn’t contain the same serial number, make sure the serial number range does not overlap among cloned CAs.
  • Page 119 Configuring the Certificate Manager The agent-approved enrollment and CMC enroll methods are enabled and configured when you install the Certificate Manager. In order to enable and configure one of the automated enrollment methods, you need to enable and configure that authentication instance. You can also provide certificate based authentication for either agent-approved or automated enrollments.

  • Page 120: Configuring Policies

    Configuring the Certificate Manager • Portal Enrollment. End users are registered into an LDAP directory and issued a certificate. If user already has an entry in the directory, they are authenticated against the directory and then issued a certificate. See “Setting Up Portal Enrollment,”...

  • Page 121: Configuring Certificate Profiles

    Configuring the Certificate Manager Configuring Certificate Profiles The Certificate Profile feature uses instances of certificate profile plug-ins that can be configured to issue a type of certificate. The certificate profile contains defaults that specify the contents and the value of that content for this type of certificate, constraints that constrain the content of this type of certificate, associate the certificate profile with a set up authentication method, and define the contents of the enrollment page and the output page when an automated authentication...

  • Page 122: Configuring Ocsp Services

    Configuring the Certificate Manager For detailed information, see Chapter 15, “Publishing.” Configuring OCSP Services The Certificate Manager contains an internal OCSP responder which is installed by default. The OCSP responder receives standard OCSP requests via the non-SSL end-entity port. It checks the status of certificates in the internal database and then reports back on the status of the certificate.

  • Page 123: Setting Up Jobs

    How The Certificate Manager Works You need to enable and configure notifications in order to use this feature. For detailed information on setting up notifications, see Chapter 12, “Automated Notifications.” Setting Up Jobs The jobs feature that allows you to run automated jobs is disabled after installation. You need to enable and configure jobs in order to use this feature.

  • Page 124: Enrollment

    How The Certificate Manager Works Enrollment An end entity can enroll in your PKI by submitting an enrollment request via the end-entity interface. You can create more than one type of enrollment that either uses a different enrollment method, has different certificate issuance policies, or requires a different method of authentication, or all three.
  • Page 125 How The Certificate Manager Works The agent-approved process, which involves no end-entity authentication, sends the request to the request queue in the agent services interface where an agent must processes the request. An agent can then change the status of the request, reject the request, or approve the request. The agent can also change some aspects of the request.

  • Page 126: Renewal

    How The Certificate Manager Works If the notification feature is setup, the link, where certificate can be obtained, will be sent to the end user. • You can send an automated certificate issuance notification to the end entity when the certificate is issued. You can also send an automated certificate rejected notification if the request was rejected.

  • Page 127: Federal Bridge Ca

    Federal Bridge CA When an end entity makes the request, they are asked to present their certificate. If they have the certificate and the key materials, the request is processed and sent to the Certificate Manager and the certificate is revoked. Once approved, the signed request is sent to the Certificate Manager and the certificate is revoked.

  • Page 128: Issuing Cross-Pair Certificates

    Federal Bridge CA Issuing Cross-Pair Certificates The policy feature allows you to configure the policy CertificatePoliciesExt and provide as the predicate value, and then set HTTP_PARAMS.certType==fbca up any other necessary policies for this kind of certificate. You would then associate an end-entity enrollment page, customized to enroll for cross-pair certificates, providing the hidden value , thus activating policies certType==fbca...

  • Page 129: Cloning A Ca

    Cloning a CA CMS also provides a publishing mapper for CA certificates that can be used for publishing cross-pair certificates, , designating which LDAP entry should LDAPCA be used to store the . A publisher, crossCertificatePair , is also set up specifying the attribute used to store the LDAPCrossPairPublisher cross-pair certificate in the CA entry.

  • Page 130: Cloning Considerations

    Cloning a CA Cloning Considerations Before you start cloning a Certificate Manager: • Check the master Certificate Manager’s serial number range. The “Next serial number” field should be set to the next serial number of the certificate the CA will issue and the “Last serial number” field must be blank. •...

  • Page 131: Setting Up A Clone Ca

    Cloning a CA During the cloning process, the master Certificate Manager’s SSL server certificate is automatically copied to the certificate database of the clone Certificate Manager. The clone Certificate Manager uses this certificate for SSL-client-authenticated communication with the master Certificate Manager.
  • Page 132 Cloning a CA Start the Master CA. See “Starting, Stopping, and Restarting CMS Instances” on page 254. Create instances for each clone CA you create. You need to create a CMS instance for each clone CA on the host where the CA will run. If CMS is already installed, you can simply create another instance.
  • Page 133 Cloning a CA clone CA, assigning this user to the Trusted Manager Group, and storing the SSL server certificate for the master CA in the user entry for the clone CA that you just created. For details about setting up users, assigning them to groups, and storing certificates for them, see Chapter 8, “Authorization.”...

  • Page 134: Testing The Clone-Master Connection

    Cloning a CA Testing the Clone-Master Connection To test whether your clone-master CA setup is complete and functional, repeat these steps for each clone Certificate Manager. Request a certificate from the clone CA Approve the request. Skip this step if you requested the certificate using any of the automated enrollment methods.

  • Page 135: Chapter 4 Registration Manager

    Chapter 4 Registration Manager The Registration Manager is an optional subsystem that provides Registration Authority functionality. It establishes a trusted relationship with a Certificate Manager in which its requests are processed. This chapter details how to install and configure a Registration Manager and includes the following sections: •...
  • Page 136 Registration Manager Deployment Considerations You submit this request either to a CMS CA, or you submit the request to a third party public CA and then install the certificate you receive from the CA during the rest of the installation. If you submit the request to a CMS CA, the installation program will allow you submit the request to the CA in the install wizard, and pick up the certificate once it is approved.

  • Page 137: Registration Manager Interfaces

    Registration Manager Deployment Considerations Registration Manager Interfaces When you install a Registration Manager, three interfaces are enabled. The installation wizard lets you choose the ports these interfaces listen on. The following interfaces, and associated ports will be created: • An Administrative interface that is accessible by default only to members of the Administrator and Auditor group.

  • Page 138: Password Storage

    Registration Manager Deployment Considerations • An End-Entity interface that is accessible by anyone who can access that URL. The end-entity interface is an HTML interface accessible through either HTTPS or HTTP (there are two ports set up by default). The default interface provides forms for the various types of enrollment and other tasks an end entity can perform and is completely customizable.

  • Page 139: Tokens

    Installing a Registration Manager If you decide to generate a new signing key, one of the first decisions you need to make is whether to use the RSA or DSA algorithm. If you use DSA, the software can generate and verify the PQG value. PQG values are used to create the DSA signing key pair.
  • Page 140 Installing a Registration Manager Logon Token. Enter either (if you plan to use the internal/software internal token) or the name of an external token to store the Registration Manager signing certificate and key pair. If you have not previously initialized the token’s password, you must do so in this screen.
  • Page 141 Installing a Registration Manager Network Configuration. Type the numbers for the ports to be used by the CMS instance. See “Registration Manager Interfaces” on page 137 for more information. Click Next to continue. Key-Pair Information for Registration Manager Signing Certificate. Token.
  • Page 142 Installing a Registration Manager Note that the certificate extension text field accepts a single extension blob. If you want to add multiple extensions, you should use the program, ExtJoiner which is also provided in the directory. For details on using the tools program, see Chapter 5, “Extension Joiner Tool”...
  • Page 143 Installing a Registration Manager Note that your request gets added to the agent queue of the remote Certificate Manager for approval by that Certificate Manager’s agent. If you’ve permission to access that Certificate Manager’s Agent interface, you can follow the instructions below to issue the certificate. Otherwise, you should wait for the remote Certificate Manager’s agent to approve your request.
  • Page 144 Installing a Registration Manager The request gets added to the agent queue of the remote Certificate Manager for approval by that Certificate Manager’s agent. If you’ve permission to access that Certificate Manager’s Agent interface, you can follow the instructions below to issue the certificate. Otherwise, you’ll have to wait till the remote Certificate Manager’s agent approves your request.
  • Page 145 Installing a Registration Manager This action copies the certificate request to the clipboard. In addition to the copy on the clipboard, the screen informs you that the certificate request has been saved to a file. You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the Registration Manager’s signing certificate.
  • Page 146 Installing a Registration Manager Certificate Details. This is an informational screen that displays the certificate so you can inspect its contents. Notice the nickname assigned to the certificate and verify that you’re installing the correct certificate. Click Next to continue. Import Certificate Chain.
  • Page 147 Installing a Registration Manager Subject Name for SSL Server Certificate. Type the values for the subject DN components; these values identify the Registration Manager’s SSL server certificate. The CN must be the fully-qualified host name of the machine on which you’re installing the Registration Manager. Click Next to continue.
  • Page 148 Installing a Registration Manager Note that your request gets added to the agent queue of the remote Certificate Manager for approval by that Certificate Manager’s agent. If you’ve permission to access that Certificate Manager’s Agent interface, you can follow the instructions below to issue the certificate. Otherwise, you should wait for the remote Certificate Manager’s agent to approve your request.
  • Page 149 Installing a Registration Manager In the resulting form, choose the type of request from the pull down menu, paste the request in the request field, and fill in the other fields on the form. Click Submit. If you used the Agent-Based Server Certificate Enrollment and you have an agent certificate, the certificate will be automatically issued once you submit the request.
  • Page 150 Installing a Registration Manager Make sure that the certificate request (including -----BEGIN NEW CERTIFICATE REQUEST ----- -----END NEW CERTIFICATE is highlighted, and click the Copy to Clipboard REQUEST -----) button. This action copies the certificate request to the clipboard. In addition to the copy on the clipboard, the screen informs you that the certificate request has been saved to a file.
  • Page 151 Installing a Registration Manager If you noted the request ID of your request and know the host name and end-entity port number of the Certificate Manager that issued the certificate, select the “The certificate is at the CMS server where the request was sent”...

  • Page 152: Configuring A Registration Manager

    Configuring a Registration Manager You now need to create the first agent user for the Registration Manager. See “Agent Certificates,” on page 337 for details. You also need to set up a trusted relationship with the CA that will issue certificates for this Registration Manager.

  • Page 153: Configuring Authorization

    Configuring a Registration Manager Configuring Authorization Each subsystem has a set of predefined roles that are assigned a default set of privileges. You create users in the CMS database and then assign them to a group to give them the privileges of that group. The privileges assigned to a group are controlled by Access Control Instructions (ACIs) placed in Access Control Lists (ACLs).

  • Page 154: Managing Certificates And The Certificate Database

    Configuring a Registration Manager Managing Certificates and the Certificate Database The signing certificate and SSL encryption certificate are created and installed during the installation of the Registration Manager. See “Registration Managers Certificates,” on page 135 for more information about these certificates and the things you should consider before getting these certificates.

  • Page 155: Changing Ports And Ip Addresses

    Configuring a Registration Manager If you configure the Registration Manager for SSL-enabled communication with a publishing directory, the Registration Manager also uses its SSL server certificate for SSL client authentication to the publishing directory. This is the default configuration. You can configure the Registration Manager to use an alternate certificate for this purpose;...

  • Page 156: Configuring Logs

    Configuring a Registration Manager Configuring Logs Each subsystem creates a number of logs that detail various events and errors. Each subsystem also has the ability to create signed audit logs that create audit trails that can only be read by a user with auditor privileges. The log feature is configurable allowing you to change the settings for some of the logs.

  • Page 157: Setting Up Authentication

    Configuring a Registration Manager Setting Up Authentication The first step in configuring enrollment is setting up authentication. You can set up more than one type of authentication. Each type you set up must be associated with a particular form in the interface. If you are using the certificate profile feature for enrollments, the forms are dynamically generated with the content being determined by the inputs you set for a particular certificate profile.

  • Page 158: Configuring Policies

    Configuring a Registration Manager If you use an agent-approved enrollment process, you can use the agent services interface forms that are provided, or you can customize those forms to change the look and feel, or to change some of the default functionality provided in the forms. See the Netscape Certificate Management System Customization Guide for details.

  • Page 159: Configuring Certificate Profiles

    Configuring a Registration Manager enrollment request is processed, it is evaluated against all policies that are applicable to this type of request. Any policy that has no predicate is evaluated against all certificate requests. Those with predicates are evaluated against certificates requests that match the predicate value of the policy.

  • Page 160: Crls

    Configuring a Registration Manager Each certificate profile that will be used is configured by an administrator. The administrator configures defaults and constraints, inputs, outputs, and specifies the authentication method for each certificate profile. The certificate profiles that have been configured are listed in the agent services interface where the agent has to approve the certificate profile to enable it.

  • Page 161: Setting Up Jobs

    How a Registration Manager Works Setting Up Jobs The jobs feature that allows you to send automated jobs is disabled after installation. You need to enable and configure jobs in order to use this feature. For detailed information on setting up jobs, see Chapter 13, “Automated Jobs.” Customizing the End Entity Interface CMS provides you with a set of forms that are available at the end entity interface and are preconfigured for various types of interaction with the end entity.
  • Page 162 How a Registration Manager Works change the content and the look and feel of the forms. You can also do this by creating certificate profiles for each with a dynamically generated form associated with each certificate profile. You customize the dynamically created certificate profile forms by configuring the inputs associated with the certificate profile.
  • Page 163 How a Registration Manager Works • The form can collect information about the end entity from an LDAP directory when the form is submitting. You can set up policies using predicates that request this information from the LDAP directory when the user authenticates using an LDAP user ID and password.

  • Page 164: Renewal

    How a Registration Manager Works • The certificate that was issued is stored in the internal database of the Certificate Manager. • You can set up publishing in the Certificate Manager, in which case the certificate will be published according to the rules set up in the Certificate Manager.
  • Page 165 How a Registration Manager Works Registration Manager agents can approve requests made by end entities to revoke their certificates, but agents cannot revoke certificates on their own. The Certificate Manager agent for the CA that issued the certificate would have to revoke a certificate.
  • Page 166 How a Registration Manager Works Netscape Certificate Management System Administrator’s Guide • February 2003...

  • Page 167: Chapter 5 Ocsp Responder

    Chapter 5 OCSP Responder This chapter provides an overview of an Online Certificate Status Protocol (OCSP) service, and explains how you can use the OCSP service built into the Certificate Manager for real-time verification of certificates issued by the Certificate Manager. The chapter also explains how to install and configure an Online Certificate Status Managers to publish CRLs.

  • Page 168: How Ocsp Services Work

    About OCSP Services How OCSP Services Work An OCSP service works as follows: A CA is set up to issue certificates that include the Authority Information Access Extension whose value identifies an OCSP responder that can be queried for the status of the certificate. One or more CAs periodically publishes CRLs to an OCSP responder.

  • Page 169: Ocsp Responses

    About OCSP Services • A responder that holds a specially marked certificate issued to it directly by the CA that revokes the certificates and publishes the CRL. Possession of this certificate by a responder indicates that the CA has authorized the responder to issue OCSP responses for certificates revoked by the CA.

  • Page 170: Cms Ocsp Services

    CMS OCSP Services CMS OCSP Services To aid you in the process of setting up a OCSP-compliant PKI setup, CMS provides two options: • The OCSP-service feature built into the Certificate Manager • The Online Certificate Status Manager How Certificate Manager’s OCSP-Service Feature Works The Certificate Manager has a built-in OCSP-service feature, which when configured, can be used by OCSP-compliant clients to directly query the Certificate Manager about the revocation status of the certificate being validated.

  • Page 171: Setting Up A Certificate Manager With Ocsp Service

    Setting Up a Certificate Manager with OCSP Service service. The internal OCSP service checks certificate status by checking the internal database of the Certificate Manager. The Online Certificate Status Manager checks certificate status by checking CRLs provided by the Certificate Manger that it stores in its own internal database.) You can configure the Certificate Manager to generate and publish CRLs whenever a certificate is revoked and at specified intervals, say every 20 minutes.

  • Page 172: Online Certificate Status Manager Deployment Considerations

    Online Certificate Status Manager Deployment Considerations Set up CRLs. You need to configure the Certificate Manger to issue CRLs. See Chapter 14, “Revocation and CRLs” for details on configuring CRLs. You must configure your policies or certificate profiles to include the Authority Information Access extension pointing to the location at which the Certificate Manager listens for OCSP service requests (identified as the instance in the policy framework.) in certificates that are...
  • Page 173 Online Certificate Status Manager Deployment Considerations You submit this request either to a CMS CA, or you submit the request to a third party public CA and then install the certificate you receive from the CA during the rest of the installation. If you submit the request to a CMS CA, the installation program will allow you submit the request to the CA in the install wizard, and pick up the certificate once it is approved.

  • Page 174: Interfaces

    Online Certificate Status Manager Deployment Considerations Interfaces When you install an Online Certificate Status Manager, three interfaces are enabled. The installation wizard lets you choose the ports these interfaces listen on. The following interfaces, and associated ports will be created: •...

  • Page 175: Password Storage

    Online Certificate Status Manager Deployment Considerations Password Storage Each subsystem stores passwords for its internal database, and for the tokens containing its keys and certificates. See “System Passwords,” on page 252 for information on how these passwords are stored. Tokens You choose either the token (if you plan to use the internal/software internal...

  • Page 176: Installing An Online Certificate Status Manager

    Installing an Online Certificate Status Manager If you decide to generate a new signing key, one of the first decisions you need to make is whether to use the RSA or DSA algorithm. If you use DSA, the software can generate and verify the PQG value. PQG values are used to create the DSA signing key pair.
  • Page 177 Installing an Online Certificate Status Manager Internal Database. Choose to either create a new internal database for this instance or to use an existing Directory Server instance as the internal database for this instance. Next, specify the information for that Directory Server instance.
  • Page 178 Installing an Online Certificate Status Manager Key Length. Available key sizes for RSA are 512, 768, 1024, 2048, 4096, or Custom. Available key sizes for DSA are 512, 1024, or Custom (which must be in increments of 64 bits only). See “Signing Key Type and Length”...
  • Page 179 Installing an Online Certificate Status Manager Enter the URL for the Certificate Manager’s Agent Services page. (You must authenticate using your agent certificate.) Select List Requests, then click Show Pending Requests and click Find. The pending request list is displayed. Locate your request, click Details to see it, and make any changes.
  • Page 180 Installing an Online Certificate Status Manager If the request contains all the required information, you’ll get a notification of request being successfully added to the agent queue of that Certificate Manager for approval by that Certificate Manager’s agent. If you’ve permission to access that Certificate Manager’s Agent interface, you can follow the instructions below to issue the certificate.
  • Page 181 Installing an Online Certificate Status Manager Online Certificate Status Manager Signing Certificate Installation. Depending on whether you have the certificate ready for pasting into the Installation Wizard screen, click Yes or No. Select No if you have submitted your request to a third-party CA or to a remote Certificate Manager for which you do not have agent privileges, you may have to wait days or weeks before you receive the certificate.
  • Page 182 Installing an Online Certificate Status Manager Import Certificate Chain. This screen appears only if you need to import the CA certificate chain. Follow these steps to import the CA chain of a Certificate Manager: Go back to the web browser window from which you copied the Online Certificate Status Manager’s signing certificate (in its base-64 encoded format).
  • Page 183 Installing an Online Certificate Status Manager Token. Enter either (if you plan to use the internal/software internal token) or the name of an external token to store the SSL server certificate and key pair. If you have not previously initialized the token’s password, you must do so in this screen.
  • Page 184 Installing an Online Certificate Status Manager If you want the wizard to generate the certificate request in PKCS #10 format, select the “Generate PKCS10 request” option. If you want the wizard to generate the certificate request in CMC format, select the “Generate CMC full enrollment request” option. Click Next.
  • Page 185 Installing an Online Certificate Status Manager When the certificate is displayed, scroll down to the base-64 encoded VIII. version of the certificate, highlight all the text (including -----BEGIN ), and copy it CERTIFICATE ----- -----END CERTIFICATE----- to the clipboard or to a text file. Be sure to not make any changes to the certificate.
  • Page 186 Installing an Online Certificate Status Manager In the web browser window, enter the URL for the Certificate Manager’s Agent Services page. (You must have a valid agent’s certificate.) Select List Requests, then click Show Pending Requests and click Find. The pending request list is displayed. Locate your request, click Details to see it, and make any changes.
  • Page 187 Installing an Online Certificate Status Manager If you copied the certificate to the clipboard, select the “The certificate is located in the text area below” option and then paste in a base-64 encoded certificate (including the header and footer) in the text area provided. If you know the request ID of your request and the host name and end-entity port number of the Certificate Manager that issued the SSL server certificate, select the “The certificate is at the CMS server where the...

  • Page 188: Setting Up The Ocsp Responder

    Setting Up the OCSP Responder Configuration Status. This screen should indicate that your configuration has been successful and that you need to create an agent for the Online Certificate Status Manager. Click Done to exit the Installation Wizard. You now need to create the first agent user for the Online Certificate Status Manager.

  • Page 189: Configuring The Online Certificate Status Manager

    Configuring the Online Certificate Status Manager Configure the Revocation Info stores. See “Configure the Revocation Info Stores,” on page 195. Identify every Certificate Manager that will publish to the OCSP Responder to the OCSP Responder. “Identifying the CA to the OCSP Responder,”...

  • Page 190: Managing Certificates And The Certificate Database

    Configuring the Online Certificate Status Manager can also create new groups and assign privileges to those groups by adding ACI entries for that group in the ACLs. For complete details about creating users, assigning users to groups, creating groups, and changing ACIs and ACLs, see Chapter 8, “Authorization.”...

  • Page 191: Ocsp Certificates

    Configuring the Online Certificate Status Manager Trust Settings and CA Certificates The trusted database also contains the CA certificates for those CAs that the subsystem trusts. If your subsystem has certificates from a CA or accepts certificates that are issued by a CA, it must have a copy of those CA certificates in the trusted database, and they must be configured as trusted, see “Changing the Trust Settings of a CA Certificate,”...

  • Page 192: Changing Ports And Ip Addresses

    Configuring the Online Certificate Status Manager Changing Ports and IP Addresses You set up the ports for each of the interfaces when you install the Online Certificate Status Manager. You can change the ports that any of the interfaces listen on, and you can disable the HTTP (non-SSL) end-entity port if you will not use it.

  • Page 193: Changing Internal Database Settings

    Configuring the Online Certificate Status Manager Changing Internal Database Settings You can change the configuration of the internal database after installation including restricting access to the internal database, see “The Internal Database,” on page 290 for information on doing this, and for information about viewing the internal database.
  • Page 194 Configuring the Online Certificate Status Manager Go to the Online Certificate Status Manager’s Agent interface. The URL is: ttps://<hostname>:<port> The Online Certificate Status Manager Agent Services interface appears. In the left frame, click Add Certificate Authority. In the form, paste the encoded CA signing certificate inside the text area labeled “Base 64 encoded certificate (including the header and footer).”...

  • Page 195: Configure The Revocation Info Stores

    Configuring the Online Certificate Status Manager Configure the Revocation Info Stores The Online Certificate Status Manager stores each Certificate Manager’s CRL in its internal database and uses it as the default CRL store for verifying the revocation status of certificates. You can also configure the Online Certificate Status Manager to use the CRL published to an LDAP directory, instead of the CRL in its internal database.
  • Page 196 Configuring the Online Certificate Status Manager includeNextUpdate. The Online Certificate Status Manager can include the time stamp of next CRL update—a future update time for the CRL or the revocation information—in the OCSP response that it sends to OCSP-compliant clients. (According to the OCSP protocol, it is optional to include the time stamp of next CRL update in an OCSP response.) Select this option if you want the OCSP response to contain information about the next CRL update.

  • Page 197: Testing Your Ocsp Setup

    Testing Your OCSP Setup includeNextUpdate. The Online Certificate Status Manager can include the time stamp of next CRL update—a future update time for the CRL or the revocation information—in the OCSP response that it sends to OCSP-compliant clients. (According to the OCSP protocol, it is optional to include the time stamp of next CRL update in an OCSP response.) Select this option if you want the OCSP response to contain information about the next CRL update.
  • Page 198 Testing Your OCSP Setup Check the Status of Online Certificate Status Manager (stand-alone OCSP service). Go to the agent services interface for the Online Certificate Status Manager and then go to the List Certificate Authorities page found in the left frame. The resulting form should show information about the Certificate Manager (CA) you configured to publish CRls to the Online Certificate Status Manager.

  • Page 199: Chapter 6 Data Recovery Manager

    Chapter 6 Data Recovery Manager When data is stored in encrypted form, you must have the private key that corresponds to the public key that was used to encrypt the data in order to decrypt and read it. If the private key is lost, the data cannot be retrieved. A private key can be lost because of a hardware failure, for example, or because the key’s owner forgets the password or loses the hardware token in which the key is stored.

  • Page 200: Clients That Can Generate Dual Key Pairs

    PKI Setup for Key Archival and Recovery • Clients that can generate dual keys and that support the key archival option (using the CRMF/CMMF protocol). These include Netscape 6.2 and Netscape 7.0 and higher. • An installed and configured Data Recovery Manager •...

  • Page 201: Forms For Users And Key Recovery Agents

    Key Archival Process CMS does not provide any policy plug-in modules for the Data Recovery Manager. However, you can write custom policy plug-in modules (that is, write Java classes that implement these rules), register them in the Data Recovery Manager’s policy framework, and create policy rules using these plug-in implementations.

  • Page 202: Where The Keys Are Stored

    Key Archival Process Here are a few situations in which you might need to recover a end-entity’s encryption private key: • An employee loses the encryption private key (for example, after a disk crash or by forgetting the password to the key file) and cannot read encrypted mail messages.

  • Page 203: How Key Archival Works

    Key Archival Process How Key Archival Works When a Certificate Manager or Registration Manager receives a certificate request that contains the key archival option, it automatically forwards the request to the Data Recovery Manager to archive the end-entity’s encryption private key. The Data Recovery Manager receives an encrypted copy of the end-entity’s private key and stores the key in its key repository.
  • Page 204 Key Archival Process The client detects the JavaScript option and exports only the end-entity’s encryption private key, not the signing private key. The Registration Manager detects the key archival option in the end-entity’s request and asks the client for the end-entity’s encryption private key. The client encrypts the end-entity’s encryption private key with the public key from the Data Recovery Manager’s transport certificate;...

  • Page 205: Key Recovery Process

    Key Recovery Process Key Recovery Process The Data Recovery Manager supports agent-initiated key recovery. In this method of key recovery, designated recovery agents use the Key Recovery form provided in the Data Recovery Manager Agent Services interface to process key recovery requests, list archived keys, and approve recovery.
  • Page 206 Key Recovery Process whereby it splits the PIN that protects the token in which the storage key pair resides among n number of key recovery agents and reconstructs the PIN only if m number of recovery agents provide their individual passwords; n must be an integer greater than 1 and m must be an integer less than or equal to n.
  • Page 207 Key Recovery Process Local Versus Remote Key Recovery Authorization Key recovery agents can authorize the recovery of a key locally or remotely. The overview of local and remote authorization provided in this section is intended to help you determine which to use for your organization. You may find it useful to take a look at the Data Recovery Manager agent-specific information in the CMS Agent’s Guide.

  • Page 208: How Agent-Initiated Key Recovery Works

    Key Recovery Process The Data Recovery Manager informs the agent who initiated the key recovery process of the status of the authorizations. When all of the authorizations are entered, the Data Recovery Manager checks the information. If the information presented is correct, it retrieves the requested key and returns it along with the corresponding certificate in the form of a PKCS #12 package to the agent who initiated the key recovery process.
  • Page 209 Key Recovery Process Figure 6-2 The agent-initiated key recovery process These are the steps shown in Figure 6-2: The Data Recovery Manager agent accesses the Key Recovery form using the appropriate client certificate, types the identification information pertaining to the person whose encryption private key needs to be recovered, and submits the request.
  • Page 210 Key Recovery Process If the request passes all the policy rules, the Data Recovery Manager sends a confirmation HTML page to the web browser the agent used. If the request fails any of the policy checks, the server logs an appropriate error message. The confirmation page contains information and input sections: The information section includes the end-entity’s information.

  • Page 211: Key Recovery Agent Scheme

    Key Recovery Process CAUTION The PKCS #12 package contains the private key. To minimize the risk of key compromise, the recovery agent must use any secure, out-of-band means to deliver the PKCS #12 package and password to the key recipient. As an administrator, you should recommend the recovery agent to use a good password for encrypting the PKCS #12 package, and also consider setting up an appropriate delivery mechanism.
  • Page 212 Key Recovery Process In the navigation tree, select the Data Recovery Manager, and in the right pane, click the Scheme Management tab. The Scheme Management tab shows the current key recovery scheme. Click Change scheme. The Change Recovery Key Scheme window appears. Netscape Certificate Management System Administrator’s Guide •...
  • Page 213 Key Recovery Process In the New Scheme section, make the appropriate changes: Number of recovery agents required. Type the number of agents required to authorize a key recovery process. The number cannot be zero and must be equal to or less than the total number of recovery agents. Total number of recovery agents.
  • Page 214 Key Recovery Process The tab shows current key recovery agents in the Available Agents list. Select the agent whose password needs to be changed, and click Change Password. The Change Password dialog box appears. Allow the agent to enter the appropriate information. During installation, the Data Recovery Manager prompts you to enter key recovery agent passwords (by default, they are set to , where...

  • Page 215: Installing A Standalone Data Recovery Manager

    Installing a Standalone Data Recovery Manager field you must enter the recovery agent password you specified during installation. Then in the remaining fields, allow the key recovery agent to enter the new password information. If you have more than one key recovery agent, repeat this procedure for all the agents.
  • Page 216 Installing a Standalone Data Recovery Manager The transport certificate was issued by the CA to which you submitted the certificate signing request. You might have submitted the request to the Certificate Manager that is installed in the same instance, internally deployed another CA, or a public CA.

  • Page 217: Tokens

    Installing a Standalone Data Recovery Manager By default, the Data Recovery Manager uses a single SSL server certificate for authentication purposes. However, you can request and install additional SSL server certificates for the Data Recovery Manager. For example, you can configure the Data Recovery Manager to use separate server certificates for authenticating to Netscape Console, the end entity services interface, and the Data Recovery Manager Agent Services interface.

  • Page 218: Installing The Data Recovery Manager

    Installing a Standalone Data Recovery Manager If you decide to generate a new signing key, one of the first decisions you need to make is whether to use the RSA or DSA algorithm. If you use DSA, the software can generate and verify the PQG value. PQG values are used to create the DSA signing key pair.
  • Page 219 Installing a Standalone Data Recovery Manager Internal Database. Choose to either create a new internal database for this instance or to use an existing Directory Server instance as the internal database for this instance. Next, specify the information for that Directory Server instance.
  • Page 220 Installing a Standalone Data Recovery Manager Key Length. Available key sizes for RSA are 512, 768, 1024, 2048, 4096, or Custom. Available key sizes for DSA are 512, 1024, or Custom (which must be in increments of 64 bits only). See “Key Type and Length”...
  • Page 221 Installing a Standalone Data Recovery Manager To automatically submit the request to a remote Certificate Manager (or for automatic enrollment), follow these steps: Select the “Send the request to a remote CMS now” option. Enter the host name and end-entity port number, and specify whether the end-entity port is SSL enabled.
  • Page 222 Installing a Standalone Data Recovery Manager For example, if you assigned the port number 17006 to the non-SSL end-entity port for your root CA, you would go to the URL to bring up the Certificate Manager page http://<hostname>:17006 for end entities. Click Manual Data Recovery Manager Transport Certificate III.
  • Page 223 Installing a Standalone Data Recovery Manager This action copies the certificate request to the clipboard. In addition to the copy on the clipboard, the screen informs you that the certificate request has been saved to a file. You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the Data Recovery Manager’s transport certificate.
  • Page 224 Installing a Standalone Data Recovery Manager Certificate Details. This informational screen displays the certificate so you can inspect its contents. Notice the nickname assigned to the certificate and verify that you’re installing the correct certificate. Click Next to continue. Import Certificate Chain. This screen appears only if you need to import the CA certificate chain.
  • Page 225 Installing a Standalone Data Recovery Manager Token. Enter either (if you plan to use the internal/software internal token) or the name of an external token to store the SSL server and key pair. If you have not previously initialized the token’s password, you must do so in this screen.
  • Page 226 Installing a Standalone Data Recovery Manager Submission of Request. Select whether you want to submit the request manually or send the request automatically to a remote Certificate Manager. To automatically submit the request to a remote Certificate Manager (or for automatic enrollment), follow these steps: Select the “Send the request to a remote CMS now”...
  • Page 227 Installing a Standalone Data Recovery Manager Open a web browser window. Go to the end-entity URL for the Certificate Manager that will issue the SSL server certificate. For example, if you assigned the port number 17006 to the non-SSL end-entity port for your root CA, you would go to the URL to bring up the Certificate Manager page http://<hostname>:17006 for end entities.
  • Page 228 Installing a Standalone Data Recovery Manager When the certificate is displayed, scroll down to the base-64 encoded VII. version of the certificate, highlight all the text (including -----BEGIN ), and copy it CERTIFICATE ----- -----END CERTIFICATE----- to the clipboard or to a text file. Be sure to not make any changes to the certificate.
  • Page 229 Installing a Standalone Data Recovery Manager Location of Certificate. Specify the location of the certificate. You can use any of these options: If you copied the encoded certificate to a file, select the “The certificate is located in this file” option and then type the file path, including the filename, in the text field.

  • Page 230: Configuring Key Archival And Recovery Process

    Configuring Key Archival and Recovery Process Single Sign-on Summary. Check the summary and select whether to retain or delete the file. password.conf The single signon password simplifies the way you subsequently sign on to CMS by storing the passwords for the internal database, tokens, and so on. Each time you log on, you’re only required to enter this single password.
  • Page 231 Configuring Key Archival and Recovery Process Step A. Deploy Clients That Can Generate Dual Key Pairs You can use the Data Recovery Manager to archive and recover keys only from clients that support dual key-pair generation, the key archival option, and the CMC protocol.
  • Page 232 Configuring Key Archival and Recovery Process • The key archival option—this must be included in the certificate enrollment form that your users use to request certificates. • The Data Recovery Manager’s transport certificate—this must also be included in the certificate enrollment form (ProfileSelect.template). The Data Recovery Manager uses it to encrypt the end-entity’s encryption private key with the public key in the transport certificate before sending the end-entity’s key to its key repository.
  • Page 233 Configuring Key Archival and Recovery Process Click Details, and view the certificate information. Make sure that the certificate you are looking at is the correct one; the certificate shows the DN that was specified for the transport certificate during the installation of Data Recovery Manager. Scroll down to the section that says “Installing this certificate in a server.”...
  • Page 234 Configuring Key Archival and Recovery Process Use the command-line tool called to retrieve the transport certutil certificate from the Data Recovery Manager’s certificate database. (For information on the tool, check this site: certutil http://www.mozilla.org/projects/security/pki/nss/tools/ First, go to this directory: <server_root>/cert-<instance_id>/config Next, run this command: <server_root>/bin/cert/tools/certutil -L -d .
  • Page 235 Configuring Key Archival and Recovery Process Open the text file that has the Data Recovery Manager’s transport certificate (the one you copied earlier) and copy the certificate. Paste the certificate as the value of the variable. kraTransportCert Paste the certificate in front of the sign, remove any line breaks, enclose the certificate within double-quotation marks ( ), and end the string with...

  • Page 236: Step 2. Set Up The Key Recovery Process

    Configuring Key Archival and Recovery Process The method triggers the client to generate two RSA key pairs—one key of length 512 for encrypting data and another key of length 1024 for signing data. Save your changes. Step D. Configure Key Archival Policies This step is optional.
  • Page 237 Configuring Key Archival and Recovery Process Verify that the current m of n scheme is appropriate for your PKI setup. If it isn’t, change the scheme following the instructions in “Changing the Key Recovery Agent Scheme” on page 211. Step B. Facilitate the Key Recovery Agents to Change the Passwords During the installation of Data Recovery Manager, after you specified the m of n scheme, you were also prompted to provide unique passwords for each recovery...

  • Page 238: Step 3. Test Your Key Archival And Recovery Setup

    Configuring Key Archival and Recovery Process Step E. Configure Key Recovery Policies This step is optional. Unlike Certificate Manager and Registration Manager, no policy plug-in modules are provided for the Data Recovery Manager. If you have implemented any custom policies for the Data Recovery Manager’s key recovery process, you should make sure that they are configured properly.
  • Page 239 Configuring Key Archival and Recovery Process Approve the request. This step is required only if you used the manual enrollment form for requesting the certificate. Go to the enrollment authority’s Agent Services interface. The default URL is as follows: https://<hostname>:<agent_port> Click the link that says List Requests.
  • Page 240 Configuring Key Archival and Recovery Process If the key has been archived successfully, you should see the information pertaining to that key. If you don’t see the key archived, check the logs and correct the problem before proceeding to the next step. If the key has been successfully archived, exit the client completely—that is, from the File menu, select Exit;...
  • Page 241 Configuring Key Archival and Recovery Process The key owner’s name The serial number of the key The public key that corresponds to the private key (in the form of base-64 encoded certificate) The instance ID of the enrollment authority that initiated the key archival process If you need more information about any of the fields in this form, click the Help button.
  • Page 242 Configuring Key Archival and Recovery Process Open the test email that you couldn’t verify after deleting the certificate from the browser’s certificate database; you should be able to verify it again. Netscape Certificate Management System Administrator’s Guide • February 2003...

  • Page 243: Chapter 7 Administrative Basics

    Chapter 7 Administrative Basics This chapter discusses the Netscape Certificate Management System (CMS) user interface, the configuration file, and other basic administrative tasks like starting and stopping the server, managing logs, changing port assignments, and changing the internal database. This chapter contains the following sections: •...

  • Page 244: The Administrative Interface

    The Administrative Interface The Administrative Interface CMS provides a GUI-based administration tool called the CMS console that is accessible from Netscape Console. Netscape Console is a GUI-based front-end for Netscape Administration Server and allows you to manager servers as well as users.

  • Page 245: Netscape Console

    The Administrative Interface Netscape Console Netscape Console is a stand-alone Java application that provides a GUI-based front end to all network resources registered in an organization’s configuration directory. This unified administration interface simplifies network administration by supplying access points to all Netscape server instances installed across a network.
  • Page 246 The Administrative Interface Log into Netscape Console by filling in the following field: User ID. Type the administrator user ID. You should login using the administrator user ID, using the Manager user ID allows you cn=Directory full privileges with Directory Server, but does not allow you to create CMS server instances.

  • Page 247: The Cms Console

    The Administrative Interface The CMS Console The CMS console is a GUI-based administration interface that allows you to perform day-to-day operational and managerial duties for CMS and configure the server. You launch the CMS console from within Netscape Console. You can use the CMS console to access the server locally or remotely. The console has the following tabs: •...
  • Page 248 The Administrative Interface You must login into CMS as an administrator user of CMS. Provide the administrator user ID and password in the following fields: User ID. Provide a user ID that has CMS administrator privileges. Password. Type the password for this user ID. Note: If SSL client authentication is set up for this server, you will be presented with a list of your certificates to choose from in order to login.

  • Page 249: Setting Up Certificate Authentication For The Cms Console

    The Administrative Interface Description. Additional information that helps you identify the CMS instance. You can change this description. Installation Date. The date the server was installed. Server Root. The directory in which all servers are installed. Product Name. The complete product name. Vendor.
  • Page 250 The Administrative Interface Storing an Administrator’s Client Certificates You must store the certificates for any of administrator using this system. The certificate should be either from the CA itself, or from whichever CA signed the certificate for the subsystem. Make sure the client certificate is good for SSL client authentication, otherwise, the server will not accept the client certificate and will post the following error message in the error log located in the directory <server_root>/cert-<instanceID>/logs/errors...
  • Page 251 The Administrative Interface Go to the Configuration tab, and then select the Users tab in the left hand panel. Click Certificates to add the client certificate. The Manager User Certificates window appears. Paste the certificate into the window. Click Import. Repeat from step 6 for each administrator until the certificates for all administrators have been imported.

  • Page 252: System Passwords

    System Passwords System Passwords CMS has a password-quality checker for internal passwords that you can configure to your needs. It stores token passwords in a plain text file, and stores all other passwords in an encrypted password cache file. Password-Quality Checker CMS comes with a plug-in, called password-quality checker, to monitor the quality of passwords set within the CMS system.
  • Page 253 System Passwords • For a Certificate Manager the token password unlocks the private keys for the Certificate Manager’s CA signing and SSL server certificates. If the Certificate Manager’s OCSP option was enabled during installation, then the password also unlocks the private key for the Certificate Manager’s OCSP signing certificate.

  • Page 254: Starting, Stopping, And Restarting Cms Instances

    Starting, Stopping, and Restarting CMS Instances • The bind password used by CMS to access and remove PINs from the authentication directory, if you’ve configured CMS to remove PINs from the authentication directory. • The bind password used by CMS to access and create/modify user entries in the directory used for portal registration, if you’ve configured CMS for portal enrollment.

  • Page 255: Stopping A Server Instance

    Starting, Stopping, and Restarting CMS Instances NOTE If you chose to delete the file during installation, password.conf you must start the server instance on the command line; you cannot start the server instance from the CMS console. For more information, see “Passwords Stored by the Server,” on page 252.

  • Page 256: Restarting A Server Instance

    Starting, Stopping, and Restarting CMS Instances Select the CMS instance you want to stop from the Netscape Console navigation tab and then right-click your mouse selecting the Stop Server option from the pop-up menu. Alternatively Log in to Netscape Console (see “Logging Into Netscape Console” on page 245).

  • Page 257: Subsystem Configuration Overview

    Subsystem Configuration Overview Go to the following directory: <server_root>/cert-<instance_id> Type the following command: ./restart-cert Subsystem Configuration Overview Once you install CMS on a host, you are ready to configure any subsystems that will run on that host. You can configure multiple subsystems on a host, or multiple instances of a single subsystem.

  • Page 258: Removing An Instance From A System

    Subsystem Configuration Overview Type a unique name or identifier for the new instance. You can use any combination of letters ( ), digits ( ), an underscore ), and a hyphen ( ); other characters and spaces are not allowed. For example, you can type as the instance name, but not Pilot_root-CA...

  • Page 259: Mail Server

    Mail Server Mail Server The notifications and jobs features use the mail server set up in the CMS instance to send its notification messages. You set up a mail server using the following procedure: In the CMS window, select the Configuration tab, and then in the right pane, select the SMTP tab.

  • Page 260: Editing The Configuration File

    Configuration Files <server_root>/cert-<instance_id>/config where: Specifies the directory in which CMS is installed <server_root> Specifies the name of the CMS instance <instance_id> Editing the Configuration File CAUTION Do not edit the configuration file directly if you are not familiar with the configuration parameters or if you are not sure that the changes you intend to make are acceptable by the server.

  • Page 261: Guidelines For Editing The Configuration File

    Configuration Files Guidelines for Editing the Configuration File The following are guidelines for editing the configuration file: • The format for parameters is as follows: #comment [parameter]=value • Comment lines begin with the pound character and are ignored. • A line beginning with white space is considered a continuation of the previous line.
  • Page 262 Configuration Files All authentication-specific information, such as names of registered authentication plug-in modules and any configured instances, appears in the Authentication section of the configuration file. Each registered authentication plug-in module is identified by its implementation name and the corresponding Java class. Each configured instance of an authentication module is identified by the name or ID you specified when creating it.

  • Page 263: Duplicating Configuration From One Instance To Another

    Logs Each configured rule of a policy module is identified by the name specified when the rule was created. You can create multiple rules out of an implementation; each rule must have a unique name. To do this, you would copy all of the parameters belonging to the module used to create the instance.

  • Page 264: About Logs

    Logs About Logs CMS creates log files that record events related to its activities, such as administration, communications using any of the protocols the server supports, and various other processes employed by the subsystems the server manages. While CMS is running, it keeps a log of information and error messages on all the components it manages.
  • Page 265 Logs Installation and Setup Logs The following logs are created when the CMS instance is installed, the information about logs in this section does not pertain to these logs: config_cgi.log. Created by that forwards configuration daemon config_cgi cgi client (Java UI) requests to the configuration daemon. daemon.err.

  • Page 266: Services That Are Logged

    Logs Services That Are Logged All major components and protocols (or services) of CMS log messages to log files. Table 7-1 lists services that are logged by default. If you want to view messages logged by a specific service, you can customize log settings accordingly. For details, see “Monitoring Logs”...

  • Page 267: Log Levels (Message Categories)

    Logs Log Levels (Message Categories) For identification and filtering purposes, events logged by all CMS-supported services are classified into various categories. These are listed in Table 7-2. Each category represents messages that are of the same or a similar nature or that belong to a specific functional area.

  • Page 268: Buffered Versus Unbuffered Logging

    Logs Table 7-2 Classification of Log Entries or Messages (Continued) Log level Message category Description Misconfiguration These messages indicate that a misconfiguration in the server is causing an error. Catastrophic failure These messages indicate that because of an error, the service cannot continue running.
  • Page 269 Logs • When current logs are read from CMS console—the server retrieves the latest log when it is queried for current logs. If you configure the server for unbuffered logging, the server flushes out messages as they are generated to the log files. Because the server performs an I/O operation (writing to the log file) each time a message is generated, configuring the server for unbuffered logging decreases performance.

  • Page 270: Configuring Logs In The Cms Console

    Logs Configuring Logs in the CMS Console This procedure describes how to configure system, transaction, and audit logs. To configure logs for a CMS instance: Log in to the CMS console (see “Logging Into the CMS Console” on page 247). In the navigation tree, select Logs.
  • Page 271 Logs Use any combination of letters ( ), digits (0 to 9), an underscore (_), and a hyphen (-); Do not use other characters or spaces. type. Select to create a listener that records audit logs. For error transaction and system logs, select system enabled.

  • Page 272: Configuring Logs In The Cms.cfg File

    Logs logSigning. Set to true to enable signed logging; set to false to disable signed logging. When you enable this parameter, you must also provide a value for parameter. When this feature is enabled, this signedAuditCertNickname log can only be viewed by an auditor. See “Signed Audit Log,” on page 265 for more information about signed audit logs.
  • Page 273 Logs expirationTime. Specify, in seconds, the age limit for deleting the rotated log files. The default value is 0 seconds, which indicates that the rotated log files should not be deleted. If you provide a value, the rotated log will be deleted from your system after that time has elapsed.

  • Page 274: Monitoring Logs

    Logs Monitoring Logs When you have problems with CMS that require troubleshooting, you may find it helpful to check the error or informational messages that the server has logged. Also, by examining the log files you can monitor many aspects of the server’s operation.

  • Page 275: Signing Log Files

    Logs Date. Indicates the date on which the entry was logged. Time. Indicates the time at which the entry was logged. Details. Provides a brief description of the log. To view an entry in its entirety, either double-click it or select the entry and click View.

  • Page 276: Registering A Log Module

    Logs Specifies the nickname of the certificate you want the <cert_nickname> utility to use for signing. Specifies the name of the JAR file (a signed zip file). <output> Specifies the path to the directory that contains the <input> log files. Registering a Log Module You can create new log modules using the CMS SDK.

  • Page 277: Deleting A Log Module

    Signed Audit Log Deleting a Log Module You can delete unwanted log plug-in modules using the CMS console. Before deleting a module, be sure to delete all the listeners that are based on this module; see “Log File Rotation” on page 269. To delete a module: Log in to the CMS console (see “Logging Into the CMS Console”...
  • Page 278 Signed Audit Log Table 7-3 Signed-Audit Log Events Logging Event Type of Log Messages are Generated The startup of the subsystem, and thus the start of AUDIT_LOG_STARTUP the startup of the audit function. The shutdown of the subsystem, and thus the start AUDIT_LOG_SHUTDOWN of the startup of the audit function.
  • Page 279 Signed Audit Log Table 7-3 Signed-Audit Log Events Logging Event Type of Log Messages are Generated The signed audit log expires or is deleted. Note: AUDIT_LOG_DELETE The authorization system should not allow such a deletion. The path or name for the signed audit, system, LOG_PATH_CHANGE transaction or any customized log is changed.

  • Page 280: Setting Up Signed Audit Logs

    Signed Audit Log Table 7-3 Signed-Audit Log Events Logging Event Type of Log Messages are Generated user does not successfully authenticate. AUTH_FAIL user does successfully authenticate. AUTH_SUCCESS A certificate profile sent by an administrator is CERT_PROFILE_APPROVAL approved by an agent. When proof of possession is checked during PROOF_OF_POSSESSION certificate enrollment.

  • Page 281: Audit Logging Failures

    Signed Audit Log Use the Certificate Setup Wizard to obtain a certificate request for the private keys and certificates that will be used to sign the log files. When running the certificate wizard, specify that the request is of type Other, and request that the output be a certificate request in PKCS#10 format.

  • Page 282: Self Tests

    Self Tests When this happens, CMS administrator(s) and CMS auditor(s) should work together with the Operating System administrator to resolve the disk space or file permission issue(s). When the IT problem is resolved, the auditor should make sure that the last audit log entries are signed. If not, they should be preserved by manual signing (see “Signing Log Files”...

  • Page 283: Self Test Configuration

    Self Tests Self Test Configuration The self tests feature, and individual self tests, are registered and configured in the file. Self tests can either be “enable” or “disable”, meaning that a cms.cfg particular self test is listed for either on-demand or start up self test, and it can have two states, “nothing”...
  • Page 284 Self Tests expirationTime. Specify, in seconds, the age limit for deleting the rotated log files. The default value is 0 seconds, which indicates that the rotated log files should not be deleted. If you provide a value, the rotated log will be deleted from your system after that time has elapsed.

  • Page 285: Ports

    Ports Save the file. Start CMS. Ports About Ports CMS listens on different ports for requests from different types of users. As illustrated in Figure 7-1, it listens on an administration port, an agent port, and an end-entity port. Figure 7-1 CMS Ports Chapter 7 Administrative Basics...
  • Page 286 Ports Port Considerations When choosing ports for CMS consider the following: • Be sure to choose ports that are unique on the host system. • To verify that a port is available for use, check the appropriate file for your operating system;...
  • Page 287 Ports For example, the URL to a Certificate Manager agent interface would look like this: https://demoCA.example.com:5600/ca If you change the agent port number, be sure to inform your agent users. End-Entity Ports For requests from end entities, CMS can listen to two ports, an SSL (encrypted) port and a non-SSL port.

  • Page 288: Changing A Port Number

    Ports Changing a Port Number To change a port number: Stop the CMS instance; see “Starting, Stopping, and Restarting CMS Instances” on page 254. Go to the CMS configuration directory: <server_root>/cert-<instance_id>/config Open the file in a text editor and edit the appropriate port server.xml numbers: To change the administration port, locate this line and edit the value of the...

  • Page 289: Changing An Ip Addresses

    Changing an IP Addresses <VS id="ee-vs" state="on" urlhosts="<hostname>.<dopmainame>" mime="mime1" aclids="acl1" connections="eeSSL_default"> If you don’t want end-entity interaction with a subsystem, for example, if you don’t want end entities to interact with a Certificate Manager, you can remove this port too (in addition to the HTTP port). Save your changes.

  • Page 290: The Internal Database

    The Internal Database To change the end-entity HTTPS ip address, locate this line and edit the value of the attribute: <LS id="eeSSL" ip="0.0.0.0" port="443" security="on" acceptorthreads="1" blocking="no"> Save your changes and close the file. Restart the CMS instance; see “Starting, Stopping, and Restarting CMS Instances”...

  • Page 291: Changing The Internal Database Configuration

    The Internal Database To fulfill these functions, CMS maintains a persistent store—a preconfigured Netscape Directory Server—referred to as the internal database or local database. The internal database is installed automatically as a part of the CMS installation. It is used as an embedded database exclusively by CMS and can be managed using Directory management tools that come with Netscape Directory Server.

  • Page 292: Enable Ssl Client Authentication With The Internal Database

    The Internal Database By default, the host name of the Directory Server instance being used as the internal database is shown as instead of the actual host name (for localhost example, ). This is done on purpose to insulate certificates.example.com the internal database from being visible outside the system—that is, a server on can only be accessed from the local machine.

  • Page 293: Restricting Access To The Internal Database

    The Internal Database internaldb.ldapconn.port=<ldap_httpsport> internaldb.ldapconn.secureConn=true internaldb.ldapauth.clientCertNickname=Server-Cert cert-<instance_name> Go to the Directory Server console. Create an entry for the suffix which matches the subject DN of the CMS subsystem certificate for the subsystem using this internal database. For example if your CA server certificate has a the subject name c=jupiter.example.com,ou=marketing,o=example,l=mv,c=us then create a suffix .

  • Page 294: Managing The Certificate Database

    Managing the Certificate Database If you are concerned about this, you can restrict access to the internal database to only those users who know its Directory Manager DN and corresponding password. You can change this password by modifying the single sign-on password cache.

  • Page 295: Viewing And Deleting Certificate Database Content

    Managing the Certificate Database Whether you use an internal token or an external token for generating and storing key pairs, CMS always maintains its list of trusted and untrusted CA certificates in its internal token. You may need to add new certificates to the database, remove unwanted certificates from the database, or change the trust settings of CA certificates in the database.

  • Page 296: Changing The Trust Settings Of A Ca Certificate

    Managing the Certificate Database Click Manage Certificate. The Certificate Database Management window appears. The window lists the certificates. For each certificate, you see the following information: Certificate Name. Specifies the nickname of the certificate. Expiry Date. Specifies the date (and time) on which the certificate expires. Trust Status.

  • Page 297: Installing A New Ca Certificate In The Certificate Database

    Managing the Certificate Database Click Manage Certificate. The Certificate Database Management window appears. The window lists the certificates currently installed for the selected CMS instance; the list is a table, with each certificate occupying a row. Select the CA certificate whose trust setting you want to modify, and click Edit. The Certificate Information window appears.

  • Page 298: Installing A Ca Certificate Chain In The Certificate Database

    Managing the Certificate Database When the Registration Manager attempts to request a service from the Certificate Manager (using the renewed certificate for SSL client authentication), the Certificate Manager fails to authenticate the Registration Manager. This happens because, as a part of validating the certificate presented by the Registration Manager, the Certificate Manager checks its certificate database for the CA that signed the Registration Manager’s certificate.
  • Page 299 Managing the Certificate Database The Certificate Setup Wizard is integrated into the CMS window, enabling you to accomplish the following tasks: • Renew certificates of the CMS managers installed in a CMS instance; renewing a certificate means getting a new certificate with the same subject name and public and private key material as that of the existing certificate, but with an extended validity period.
  • Page 300 Managing the Certificate Database • Step 6. Specify Extensions • Step 7. Copy the Certificate Signing Request • Step 8. Check the Certificate Request Status Step 1. Select the Operation Indicate whether you want to request a certificate or install a certificate. For the purposes of completing the instructions that follow, assume that you chose to request a certificate.
  • Page 301 Managing the Certificate Database • Online Certificate Status Manager Signing Certificate—choose this option if you want to request a signing certificate for the Online Certificate Status Manager. • Registration Manager Signing Certificate—choose this option if you want to request a signing certificate for the Registration Manager. •...
  • Page 302 Managing the Certificate Database To generate a certificate request based on an existing key pair, select the token that contains the key pair you want to use for generating the request. The wizard automatically selects the key pair that corresponds to the certificate you chose in the previous step.
  • Page 303 Managing the Certificate Database • Common name—enter the name as appropriate. Except for the SSL server certificate, the common name format can be a descriptive name of up to 255 characters. For example, you can name the Certificate Manager’s signing certificate as “Root CA for Example Corporation”;...
  • Page 304 Managing the Certificate Database Also note that certificate extensions are required if you are setting up a hierarchy of certificate authorities (CAs). Subordinate CAs must have certificates that include the extension identifying them as either a subordinate SSL CA (which allows them to issue certificates for SSL) or a subordinate email CA (which allows them to issue certificates for secure email).
  • Page 305 Managing the Certificate Database CMS provides tools that generate MIME-64 encoded blobs for many standard extensions. You can use these tools for generating MIME-64 encoded blobs for any extensions that you may want to include in CA and other certificate requests.
  • Page 306 Managing the Certificate Database Table 7-4 Names of files created for certificate signing requests (Continued) Filename Certificate Signing Request Certificate Manager OCSP signing certificate ocspcsr.txt Registration Manager signing certificate racsr.txt Data Recovery Manager transport certificate kracsr.txt Online Certificate Status Manager signing certificate ocspcsr.txt SSL server certificate sslcsr.txt...
  • Page 307 Managing the Certificate Database Click Next to submit your request to the CA. The Certificate Manager returns a request ID for your request. Note the request ID as you can use it later to get the certificate from the Certificate Manager to which you submitted the request.
  • Page 308 Managing the Certificate Database In the form that appears, enter the required information and paste the CSR from either the clipboard or text file. For information on how a form works, click the Help button provided on the form. Be sure to include the marker lines, -----BEGIN NEW CERTIFICATE REQUEST----- -----END NEW CERTIFICATE REQUEST-----...
  • Page 309 Managing the Certificate Database When you receive the certificate from the CA, install it following the instructions in “Using the Wizard to Install a Certificate or Certificate Chain” on page 309. Step 8. Check the Certificate Request Status The wizard now informs you of the status of the request. •...
  • Page 310 Managing the Certificate Database The certificate or certificate chain you provide to the wizard for installation must be in one of the data formats supported by the wizard. This is explained in “Data Formats for Installing Certificates and Certificate Chains” on page 310. Using the wizard to install a certificate or certificate chain involves the following steps, described in detail on page 311: •...
  • Page 311 Managing the Certificate Database Text Formats The wizard can also import certificates and certificate chains in text formats. Here’s what you should be aware of when using the wizard to install a certificate or certificate chain in text format: The text format must begin with the following line: -----BEGIN CERTIFICATE----- Following this line should be the certificate data, which can be in any of the binary formats described in “Binary Formats”...
  • Page 312 Managing the Certificate Database • Online Certificate Status Manager Signing Certificate—choose this option if you want to install a signing certificate for the Online Certificate Status Manager installed in the currently selected CMS instance. • SSL Server Certificate—choose this option if you want to install an SSL server certificate for the CMS managers installed in the currently selected CMS instance.
  • Page 313 Managing the Certificate Database UGA1UEAxMOU3Vwcml5 YSBTaGV0dHkwgZ8wDQYJKoZIhdfNAQEBBQADgY0AMIGJAoGBAMr6eZiPGfjX3uRJ gEjmKiqG7SdATYzBcA Bu1AVyd7chRFOGD3wNktbf6hRo6EAmM5R1Askzf8AW7LiQZBcrXpc0k4du+2j6xJ u2MPm8WKuMOTuvzpo+ SGXelmHVChEqooCwfdiZywyZNmgaMa2MS6pUkfQVAgMBAAGjNjA0MBEGCWCGSAGG +EIBAQQEAwIAgD -----END CERTIFICATE----- • The certificate is at the CMS where your request was sent— if you have previously sent the certificate request to a remote Certificate Manager automatically and have noted the request ID that you received in return, you can use it to retrieve the certificate from the Certificate Manager.

  • Page 314: Consideration When Getting New Certificates For The Subsystems

    Managing the Certificate Database After you install a certificate chain in the trust database of a CMS instance, check the trust status of each certificate that got installed, and make sure that the correct CA certificates are trusted. For instructions, see “Changing the Trust Settings of a CA Certificate”...
  • Page 315 Managing the Certificate Database Before getting a new self-signed certificate for the Certificate Manager, therefore, you must address issues involved in deploying the new root CA certificate across your enterprise. Because each deployment would have very specific requirements, it is beyond the scope of this document to explain how you should deploy the new CA certificate.

  • Page 316: Tokens For Storing Cms Keys And Certificates

    Tokens for Storing CMS Keys and Certificates Tokens for Storing CMS Keys and Certificates A token is a hardware or software device that performs cryptographic functions and optionally stores public-key certificates, cryptographic keys, and data defined by the application using the cryptographic services. Alternatively, a token can also be considered as a device that you can use to generate and store your key pairs and corresponding certificates.
  • Page 317 Tokens for Storing CMS Keys and Certificates http://developer.netscape.com/support/faqs/pkcs_11.html If you haven’t already done so, consider using external tokens for generating and storing the key pairs and certificates used by Certificate Management System. These devices represent another security measure you can take to safeguard private keys because hardware tokens are sometimes considered more secure than software tokens.
  • Page 318 Tokens for Storing CMS Keys and Certificates From the Console menu, choose Manage PKCS#11. The PKCS #11 Management window appears. Click Add. The Add PKCS #11 Module window appears. Enter information as appropriate. If you choose JAR as your file type, you are required to provide the path to the JAR file that contains the DLLs.

  • Page 319: Managing Tokens Used By The Subsystems

    Tokens for Storing CMS Keys and Certificates Managing Tokens Used by the Subsystems There are two main tasks involved in managing the tokens used by Certificate Management System: • Viewing Tokens • Changing a Token’s Password Viewing Tokens To view a list of the tokens currently installed for a CMS instance: Log in to the CMS window (see “Logging Into the CMS Console”...

  • Page 320: Hardware Cryptographic Accelerators

    Hardware Cryptographic Accelerators Hardware Cryptographic Accelerators Certificate Management System allows you to use hardware cryptographic accelerators with external tokens. Many of the accelerators provide the following security features: • Fast SSL connections—speed is important if you want your Certificate Manager, Registration Manager, or Data Recovery Manager to be able to accommodate a high number of simultaneous enrollment or service requests.

  • Page 321: Configuring The Server To Use Separate Ssl Server Certificates

    Configuring the Server’s Security Preferences Configuring the Server to Use Separate SSL Server Certificates You can configure a CMS instance to use separate SSL server certificates for authenticating to Netscape Console, the Agent Services interface, and the end entity services interface. This configuration involves the following steps: •...

  • Page 322: Getting An Ssl Client Certificate For A Subsystem

    Configuring the Server’s Security Preferences To change the certificate used for authenticating to the administration interface, Netscape Console, edit the value assigned to the parameter in the section. servercertnickname id="admin" Save your changes and close the file. Start the server; see “Starting, Stopping, and Restarting CMS Instances” on page 254.
  • Page 323 Configuring the Server’s Security Preferences If you submitted the request to a Certificate Manager and if you have agent privileges for that Certificate Manager, log in to its Agent Services interface, locate the request, and check the request for required extensions. (If you submitted the request to any other CA, you must ask the person managing that CA to make the same changes to the request before approving it.) Make sure that only the...
  • Page 324 Configuring the Server’s Security Preferences Netscape Certificate Management System Administrator’s Guide • February 2003...

  • Page 325: Chapter 8 Authorization

    Chapter 8 Authorization This chapter explains how to set up authorization for access to the administrative, agent services, and end-entity interfaces and contains the following sections: • About Authorization • Setting up Administrators, Agents, and Auditors • Setting Up a Trusted Manager •...

  • Page 326: How Authorization Works

    About Authorization authorization check before allowing an operation to be performed in that area. Access Control Instructions (ACI s) in each of the ACLs are created that specifically allow or deny one or more possible operations for that ACL to specified users, groups, or IP addresses.
  • Page 327 About Authorization Administrators. This group is given full access to all of the tasks available in the administrative interface. Agents. This group is given full access to all of the tasks available in the agent services interface. Note: There is more than one agent group. A separate agent group is created for each of the subsystem with a different name.
  • Page 328 About Authorization Authentication of Auditors Auditors are authenticated into the CMS console by using their login and password. Once authenticated, they can only view the audit logs, they are not able to edit other parts of the system. You can change the method of authentication for an auditor to SSL client authentication.
  • Page 329 About Authorization • Data Recovery Manager Agents group is the agent group for a Data Recovery Manager. No members are added to this group during installation, you must add members after installation. • Online Certificate Status Manager Agents group is the agent group for an Online Certificate Status Manager.

  • Page 330: Setting Up Administrators, Agents, And Auditors

    Setting up Administrators, Agents, and Auditors You can configure a Data Recovery Manager to delegate its end-entity interactions to a trusted Certificate Manager or Registration Manager for security reasons; the Data Recovery Manager trusts the Certificate Manager or Registration Manager and services all key archival and recovery requests initiated by this subsystem.

  • Page 331: Storing A User's Certificate

    Setting up Administrators, Agents, and Auditors Full name. Type the user’s full name. The name can be an alphanumeric string of up to 255 characters. Password. Type a password of up to eight characters for the user. This is the password used to log into the CMS console for this user ID.

  • Page 332: Setting Up Agents Using The Automated Process

    Setting up Administrators, Agents, and Auditors Click inside the text area, and paste the user’s certificate in base-64 encoded form. Be sure to include the -----BEGIN CERTIFICATE----- -----END marker lines. CERTIFICATE----- Click OK. You are returned to the Manage User Certificates window. The certificate you imported should now be listed in this window.

  • Page 333: Setting Up A Trusted Manager

    Setting Up a Trusted Manager In the page that displays, select “Show pending requests” and click Find. In the list of certificate signing requests that displays, select the request the agent submitted. In the request approval form for user enrollment requests, verify the request. If required, adjust some of the parameters such as the subject name and validity period.
  • Page 334 Setting Up a Trusted Manager certificate request, and the request has been approved, the Certificate Manager automatically creates a user ID for the subsystem, adds this user ID to the Trusted Managers group, copies the certificate to the database, and associates the certificate with the subsystem’s user entry.
  • Page 335 Setting Up a Trusted Manager Specify information as appropriate. The information you enter here is to help you keep track of the Registration Manager or Certificate Manager; the subsystem never uses it. The subsystem relies solely on the Registration Manager’s signing certificate or Certificate Manager’s SSL client certificate for authentication.
  • Page 336 Setting Up a Trusted Manager You are returned to the Users tab. Next, you configure the connector settings of the Registration Manager or Certificate Manager. This enables the Registration Manager or Certificate Manager to utilize the agent port to communicate with the subsystem. Note that during the installation of a Certificate Manager, you were prompted to specify the host name and port number of the Data Recovery Manager to which the Certificate Manager will be connected.

  • Page 337: Agent Certificates

    Agent Certificates Agent Certificates All agents must have an agent’s certificate. This certificate is used to sign all requests made by the agent. This section details the procedure for getting agent certificates, and turning on the revocation status checking of agents’ certificates. There is a special form for an administrator to get the first agent certificate from CMS for the Certificate Manger administrator set up during installation to be able to access the agent’s services interface.
  • Page 338 Agent Certificates Fill in the following fields of the Administrator/Agent Certificate Enrollment form: Authentication Information User ID. Type the ID you entered for the CMS administrator during installation. Password. Type the password you specified for the CMS administrator during installation. Subject Name The subject name is the distinguished name (DN) that identifies the certified owner of the certificate.

  • Page 339: Getting An Agent's Certificate From A Public Ca

    Agent Certificates Important After you submit the initial Administrative Enrollment form and the certificate is issued, the form is no longer available from the administration port. If something goes wrong and you are unable to obtain the administrator/agent certificate, you must reset a parameter in the configuration file to make the initial administrative enrollment form available again.

  • Page 340: Getting An Agent's Certificate From Certificate Management System

    Agent Certificates Ask the user to send you the certificate information sent by the public CA. In the information that you receive, locate the user’s certificate in base-64 encoded form. You can also get the user’s certificate from the public CA that issued it. Access the public CA site, search for the user’s certificate, and locate the certificate in base-64 encoded form.

  • Page 341: Revocation Status Checking Of Agent Certificates

    Agent Certificates When the user receives the certificate, the user must import the certificate into the web browser they will use to access the subsystem. It is a good idea to ask the user to inform you that the certificate has been installed. After the user imports the certificate into the web browser, you need to copy the certificate (in base-64 encoded form) in order to be able to add it to a subsystem’s internal database.
  • Page 342 Agent Certificates NOTE The CMS configuration file ( ) includes a parameter named CMS.cfg , which enables you to specify whether a jss.ocspcheck.enable CMS manager should use Online Certificate Status Protocol (OCSP) to verify the revocation status of the certificate it receives as a part of SSL client or server authentication (from clients or servers it makes connections with).

  • Page 343: Modifying Cms User Entries

    Modifying CMS User Entries Specifies whether revocation checking is revocationChecking.enabled enabled or disabled. To enable the feature, enter true; to disable the feature, enter false. By default, the feature is enabled. The default interval is 0 seconds. revocationChecking. unknownStateInterval Specifies how long, in seconds, the cached revocationChecking.

  • Page 344: Changing A Cms User's Certificate

    Modifying CMS User Entries In the navigation tree, select Users and Groups. The Users tab appears in the right pane. In the User ID list, select the user you want to edit, and click Edit. The Edit User Information dialog opens. Make the appropriate modifications.

  • Page 345: Changing Members In A Group

    Modifying CMS User Entries Changing Members in a Group You can add or remove members from all groups. Keep in mind that the group for administrators must have at least one user entry. To change a group’s members: Log in to the CMS console (see “Logging Into the CMS Console” on page 247). In the navigation tree, select Users and Groups.

  • Page 346: Creating A New Group

    Creating a New Group In the navigation tree, select Users and Groups. The Users tab appears in the right pane. In the User ID list, select the user you want to delete, and click Delete. When prompted, confirm your action. If you click YES, the user entry is deleted from the internal database.

  • Page 347: Authorization For Cms Users

    Authorization for CMS Users Authorization for CMS Users Authorization is the mechanism that checks whether or not a user is allowed to perform a certain operation. Authorization points are defined in certain groups of operations that requiring an authorization check of the user. Access Control Lists (ACLs) Access Control Lists (ACLs) are the mechanism that specifies the authorization to each of the sets of operations that require authorization.

  • Page 348: How Acis Are Formed

    Authorization for CMS Users How ACIs are Formed You change the access for a user, group, or IP address by editing the ACI entries in the ACLs. You can change who is allowed or denied access by adding a user, group, or IP address to the ACIs in an ACL entry.
  • Page 349 Authorization for CMS Users As you can see, there usually is not a need to include a deny statement. There might, however, be cases where you would need to specify one. For example, say that user has just been fired. was a member of the Administrators JohnB JohnB...

  • Page 350: Editing Acls

    Authorization for CMS Users For example: user=”BobC” user!=”JaneK” Note: To specify all users, provide the value . For example: anybody user=”anybody” IP Address Syntax The syntax for an IP address is: to specify that the IP address specified is to be allowed or ipaddress=”ipaddress”...
  • Page 351 Authorization for CMS Users To edit the existing ACLs: Log in to the CMS console (see “Logging Into the CMS Console” on page 247). In the navigation tree, select Access Control List. The Access Control List tab appears in the right pane. Select the ACL and then click Edit.

  • Page 352: Acl Reference

    ACL Reference Specify the user, group, or IP address that will be granted or denied access to the selected operators by providing the correct syntax in the Syntax field. See “Syntax,” on page 349 for details on syntax. Click OK. Click Refresh when you are done.

  • Page 353: Certserver.admin.certificate

    ACL Reference certServer.admin.certificate This entry is associated with the CA administration interface and is ONLY available during the setup configuration of the target of evaluation (TOE), and is unavailable after the CA is up and running. Operations import Importing a Certificate Authority administrator certificate. Default ACIs allow (import) user="anybody"...

  • Page 354: Certserver.ca.certificate

    ACL Reference Operations read Viewing authentication plug-ins, authentication type, configured authentication manager plug-ins, and authentication instances. Listing authentication manager plug-ins and authentication manager instances. modify Adding or deleting authentication plug-in and authentication instance. Modifying authentication instance. Default ACIs allow (read) group="Administrators" || group=”Certificate Manager Agents”...

  • Page 355: Certserver.ca.certificates

    ACL Reference certServer.ca.certificates Allow or deny a revoke or list operation to certificates in the agent services interface. Operations revoke Revoking certificates, or approving certificate revocation requests. list Listing certificates based on a search. Retrieving details about a range of certificates based on providing a range of serial numbers. Default ACIs allow (revoke,list) group="Certificate Manager Agents"...

  • Page 356: Certserver.ca.connector

    ACL Reference allow (modify) group="Administrators" Administrators, auditors, and agents are allowed to read CA configuration; only administrators are allowed to modify CA configuration. certServer.ca.connector Allow or deny a submit operation for a connection to the CA. Operations submit Submitting requests from remote trusted managers. Default ACIs allow (submit) group="Trusted Managers"...

  • Page 357: Certserver.ca.directory

    ACL Reference Operations read Displaying CRLs. update Updating CRLs. Default ACIs allow (read,update) group="Certificate Manager Agents" Certificate Manager agents can read or update CRLs. certServer.ca.directory Allow or deny an update operation to the directory. Operations update Publishing CA certificates and user certificates to the LDAP directory.

  • Page 358: Certserver.ca.profiles

    ACL Reference Operations read Retrieving OCSP usage statistics. Default ACIs allow (read) group="Certificate Manager Agents" Only Certificate Manager Agents can read OCSP usage statistics. certServer.ca.profiles Allow or deny a list operation for certificate profiles in the agent services interface. Operations list Listing certificate profiles.

  • Page 359: Certserver.ca.request.enrollment

    ACL Reference Operations list Retrieving details on a range of requests. Default ACIs allow (list) group="Certificate Manager Agents" Only Certificate Manager Agents can list requests. certServer.ca.request.enrollment Allow or deny a submit, read, execute, assign, or unassign operation for enrollment requests. Operations submit Submitting an enrollment request.

  • Page 360: Certserver.ca.systemstatus

    ACL Reference Operations approve Modifying the approval state of a certificate profile-based certificate request. read Viewing a certificate profile-based certificate request. Default ACIs allow (approve,read) group="Certificate Manager Agents" Only Certificate Manager agents can view or modify the approval state of certificate profile-based requests.

  • Page 361: Certserver.ee.certificates

    ACL Reference Anyone can request a renewal or revocation, anyone can import and read a certificate certServer.ee.certificates Allow or deny a revoke or list operation in the end-entity interface. Operations revoke Submitting a revocation of a list of certificates. list Search for certificates matching specified criteria.

  • Page 362: Certserver.ee.profile

    ACL Reference Operations read Retrieving and viewing the certificate revocation list. Adding CRL to the OCSP server. Default ACIs allow (read,add) user="anybody" Anyone can add or read a CRL. certServer.ee.profile Allow or deny a submit or read operation for certificate profiles in the end-entity interface.

  • Page 363: Certserver.ee.request.enrollment

    ACL Reference Operations read Read face to face enrollment page. Default ACIs allow (read) user="anybody" Anyone can read face to face enrollment page. certServer.ee.request.enrollment Allow or deny a submit operation for certificate enrollment in the end-entity interface. Operations submit Submitting a request for a new certificate. Default ACIs allow (submit) user="anybody"...

  • Page 364: Certserver.ee.request.revocation

    ACL Reference Operations submit Submitting OCSP requests. Default ACIs allow (submit) user="anybody" Any clients can submit OCSP requests certServer.ee.request.revocation Allow or deny a submit operation for certificate revocation requests in the end-entity interface. Operations submit Submitting a request to revoke a certificate. Default ACIs allow (submit) user="anybody"...

  • Page 365: Certserver.job.configuration

    ACL Reference Operations read Viewing operating environment, LDAP configuration, SMTP configuration, server statistics, encryption, token names, subject name of certificates, certificate nicknames, all subsystems that have been loaded by the server, get CA certificates, and get all certificates for management. modify Modifying LDAP database configuration, SMTP configuration, and encryption.

  • Page 366: Certserver.kra.certificate.transport

    ACL Reference allow (modify) group="Administrators" Administrators, agents, and auditors are allowed to read job configuration; only administrators are allowed to modify job configuration. certServer.kra.certificate.transport Allow or deny a read operation to display the key transport certificate. Operations read Displaying the Key Transport Certificate. Default ACIs allow (read) user="anybody"...

  • Page 367: Certserver.kra.connector

    ACL Reference certServer.kra.connector Allow or deny to submit requests. Operations submit Submitting requests. Default ACIs allow (submit) group="Trusted Managers" Only Trusted Managers can submit requests. certServer.kra.key Allow or deny a read, recover, or download operation for the Data Recovery Manager. Operations read Displaying a key recovery request.

  • Page 368: Certserver.kra.request

    ACL Reference certServer.kra.request Allow or deny a read operation for a Data Recovery Manager request. Operations read Assigning a request to a Data Recovery Manager Agent. Default ACIs allow (read) group="Data Recovery Manager Agents" Data Recovery Manager Agents can read requests. certServer.kra.requests Allow or deny a list operation for a Data Recovery Manager request.

  • Page 369: Certserver.log.configuration

    ACL Reference Operations read Displaying system statistics for a Data Recovery Manager. Default ACIs allow (read) group="Data Recovery Manager Agents" Only Data Recovery Manager agents can read system status. certServer.log.configuration Allow or deny a read or modify operation to the log configuration. Operations read Viewing log plug-in information, log plug-in configuration, log...

  • Page 370: Certserver.log.configuration.filename

    ACL Reference Operations read Viewing the value of the parameter. expirationTime modify Modifying the value of the parameter. expirationTime Default ACIs allow (read) group="Administrators" || group="Auditors" || group=”Certificate Manager Agents” || group=”Registration Manager Agents” || group=”Data Recovery Manager Agents” || group=”Online Certificate Status Manager Agents”...

  • Page 371: Certserver.log.content

    ACL Reference Operations read Viewing log content. Listing logs. Default ACIs deny (read) group="Administrators"|| group=”Certificate Manager Agents” || group=”Registration Manager Agents” || group=”Data Recovery Manager Agents” || group=”Online Certificate Status Manager Agents” Only an auditor is allowed to view the audit log. Note: All other groups need to be specifically denied access to this log since they are given access to all logs in the ACL.

  • Page 372: Certserver.ocsp.cas

    ACL Reference certServer.ocsp.cas Allow or deny a list operation for listing the CAs that publish to an Online Certificate Status Manager responder. Operations list Listing the CA’s for which the OCSP responder maintains revocation status information. Default ACIs allow (list) group="Online Certificate Status Manager Agents" Online Certificate Status Manager agents can list Certificate Authorities.

  • Page 373: Certserver.ocsp.crl

    ACL Reference Operations read Viewing OCSP plug-in information, OCSP configuration, OCSP stores configuration. Listing OCSP stores configuration. modify Modifying OCSP configuration, OCSP stores configuration, and default OCSP store. Default ACIs allow (read) group="Administrators" || group=”Certificate Manager Agents” || group=”Registration Manager Agents” || group=”Data Recovery Manager Agents”...

  • Page 374: Certserver.profile.configuration

    ACL Reference Operations read Viewing policy plug-ins and instances. Listing policy plug-ins and instances. modify Adding and delete policy plug-ins and policy instances. Modifying policy plug-ins and policy instances. Default ACIs allow (read) group="Administrators" || group=”Certificate Manager Agents” || group=”Registration Manager Agents” || group=”Data Recovery Manager Agents”...

  • Page 375: Certserver.publisher.configuration

    ACL Reference Administrators, agents, and auditors are allowed to read certificate profile configuration; only administrators are allowed to modify certificate profile configuration. certServer.publisher.configuration Allow or deny a read or modify operation for the publishing configuration. Operations read View LDAP server destination information, publisher plug-in configuration, publisher instance configuration, mapper plug-in configuration, mapper instance configuration, rules plug-in configuration, and rules instance configuration.

  • Page 376: Certserver.ra.certificate

    ACL Reference Operations read Viewing general RA configuration, connector configuration, notification request completion, notification revocation completion, and notification request in queue. modify Modifying general RA configuration, connector configuration, notification request completion, notification revocation completion, and notification request in queue. Default ACIs allow (read) group="Administrators"...

  • Page 377: Certserver.ra.facetofaceenrollment

    ACL Reference Operations submit Submitting requests from remote Trusted Managers. Default ACIs allow (submit) group="Trusted Managers" Only Trusted Manager can submit requests to this interface. certServer.ra.facetofaceenrollment Allow or deny to read face to face enrollment page. Operations enable Enable face to face enrollment. disable Disable face to face enrollment.

  • Page 378: Certserver.ra.profile

    ACL Reference Operations Adding groups. Default ACIs allow (add) group="Administrators" Only administrators are allowed to add group. certServer.ra.profile Allow or deny a read or approve operation to certificate profiles in the agent services interface of a Registration Manager. Operations read Displaying the details of a certificate profile.

  • Page 379: Certserver.ra.request.profile

    ACL Reference Operations submit Submitting an enrollment request for processing. read Viewing the details of an enrollment request. execute Modifying the approval state of an enrollment request. assign Assigning an enrollment request. unassign Unassigning an enrollment request. Default ACIs allow (submit) user="anybody" allow (read,execute,assign,unassign) group="Registration Manager Agents"...

  • Page 380: Certserver.registry.configuration

    ACL Reference Operations list Viewing details on a range of requests. Default ACIs allow (list) group="Registration Manager Agents" Only Registration Manager agents can list requests. certServer.registry.configuration Allow or deny a read or modify operation to the administration registry, the file that is used to register plug-in modules.

  • Page 381: Certserver.usrgrp.administration

    ACL Reference certServer.usrgrp.administration Allow or deny a read or modify operation to the user and group configuration. Operations read Viewing users, groups, and user’s certificates. Finding users and groups. modify Adding, modifying and deleting groups, and users. Add and modify a user certificate attribute. Default ACIs allow (read) group="Administrators"...
  • Page 382 ACL Reference Netscape Certificate Management System Administrator’s Guide • February 2003...

  • Page 383: Chapter 9 Authentication

    Chapter 9 Authentication This chapter discusses the authentication methods available in Netscape Certificate Management System (CMS) during the enrollment of end entities, and details how to set up those authentication methods. This chapter contains the following sections: • Enrollment Overview •...
  • Page 384 Enrollment Overview • Agent-approved enrollment is the method in which end-entity enrollment requests are sent to an agent for approval. The agent approves the certificate request. • Automatic enrollment is the method in which end-entity enrollment requests are authenticated using a plug-in for that type of authentication, and then the certificate request is processed;...

  • Page 385: How Authentication Works

    Enrollment Overview How Authentication Works An end entity submits a request for enrollment. The form or method used to submit the request identifies the method of authentication and enrollment. If the HTML end-entity interface is used to submit the request, the form used by the end entity to make the request contains hidden values that associate this form, and thus this submission, with an authentication method.

  • Page 386: About Renewal

    Dual-Key Pairs About Renewal When an end entity requests a certificate renewal, the end entity presents its current certificate. The certificate itself is used to authenticate the user. The process for renewal is automatic; if the certificate is presented a new certificate is issued. There is no agent intervention in this process.

  • Page 387: Agent-Approved Enrollment

    Agent-Approved Enrollment To create dual-key pairs, and the resultant certificates associated with each key, you need to enable this function by changing the javascript found in the enrollment page. You use any method of authentication, chaining it to enable dual-key pairs by modifying the javascript on that enrollment page.

  • Page 388: Automated Enrollment

    Automated Enrollment • Customize the HTML enrollment forms for your deployment. For policy-based enrollment, you edit the forms directly. For certificate profile-based enrollment, you configure inputs that are used to dynamically create the HTML enrollment form. Automated Enrollment Automated enrollment is the method in which an end-entity enrollment request is processed upon the successful authentication of the end entity as defined by an instance of an authentication plug-in module;...

  • Page 389: Setting Up Directory Based Enrollment

    Automated Enrollment You can create custom plug-in modules for other methods of authentication using the CMS SDK. You must register and enable any custom plug-ins you create. Setting Up Directory Based Enrollment and the plug-in modules implement the UidPwdDirAuth UdnPwdDirAuth directory-based authentication method.
  • Page 390 Automated Enrollment In the CMS window of the Certificate Manager or Registration Manager that processes certificate requests, select the Configuration tab. Select Authentication in the navigation tree. The right pane shows the Authentication Instance tab listing currently configured authentication instances. Click Add.

  • Page 391: Setting Up Nis Based Enrollment

    Automated Enrollment Entering values for this parameter is optional. ldap.ldapconn.host. Specifies the fully-qualified DNS host name of the authentication directory. ldap.ldapconn.port. Specifies the TCP/IP port on which the authentication directory listens to requests from CMS. ldap.ldapconn.secureConn. Specifies the type—SSL or non-SSL—of the port on which the authentication directory listens to requests from CMS.
  • Page 392 Automated Enrollment In the absence of an LDAP directory, subject names of all certificates issued by the server will be of the form , where CN=<FirstName LastName>,UID=<UserID> is a user’s first and last names as specified in the NIS First Name Last Name directory, and is the user’s NIS ID.
  • Page 393 Automated Enrollment The right pane shows the Authentication Instance tab listing currently configured authentication instances. Click Add. The Select Authentication Plug-in Implementation window appears. Select the plug-in. NISAuth Click Next. The Authentication Instance Editor window appears. Fill in the following fields in the Authentication Instance Editor window: Authentication Instance ID.
  • Page 394 Automated Enrollment ldapByteAttributes. Specifies the list of LDAP byte (binary) attributes that should be considered authentic for the end entity. If specified, the values corresponding to these attributes will be copied from the authentication directory into the authentication token for use by other modules—that is, values retrieved from this parameter can be used by policy modules to make certain policy decisions or to add additional information to users’...

  • Page 395: Setting Up Pin Based Enrollment

    Automated Enrollment Setting Up Pin Based Enrollment Pin based authentication involves setting up pins for each of your users in the LDAP directory, distributing those pins to your users, and then having the users provide their pin along with their user ID and password when they fill out a certificate request.
  • Page 396 Automated Enrollment Creating Pins The pin tool performs the following functions: • Adds the necessary schema for pins to the LDAP directory. • Adds a pin manger user who has read-write permissions to the pins that are set • Sets up ACIs to allow for pin removal once the pin has been used, giving read-write permissions for pins to the pin manager, and preventing users from creating or changing pins.
  • Page 397 Automated Enrollment ./setpin host=yourhost port=9446 length=11 input=infile output=outfile write "binddn=cn=pinmanager,o=example.com" bindpw="netscape" basedn=o=netscape.com "filter=(uid=u*)" Use the output file for delivering PINs to users after you complete setting up the required authentication method. After you have confirmed that the PIN-based enrollment works, deliver the PINs to users so they can use them during enrollment.
  • Page 398 Automated Enrollment Fill in the following fields in the Authentication Instance Editor window: Authentication Instance ID. Accept the default instance name, or enter a new name. If you chose to use a different name, be sure to edit this name in the enrollment forms.
  • Page 399 Automated Enrollment ldap.ldapconn.secureConn. Specifies the type—SSL or non-SSL—of the port on which the authentication directory listens to requests from CMS. Select if this is an SSL port, deselect if this is a non-SSL port. ldap.ldapconn.version. Specifies the LDAP protocol version. specifies LDAP version 2.

  • Page 400: Setting Up Portal Enrollment

    Automated Enrollment ldap.basedn. Specifies the base DN for searching the authentication directory—the server uses the value of the field from the HTTP input (what a user enters in the enrollment from) and the base DN to construct an LDAP search filter. ldap.minConns.
  • Page 401 Automated Enrollment Note that the portal authentication module by default uses the standard LDAP object class named to create and update user entries. The input inetOrgPerson fields defined in the default portal enrollment form correspond to the attributes defined in this object class as defined in Netscape Directory Server 4.x. The module is capable of reading and writing these attributes only.
  • Page 402 Automated Enrollment The right pane shows the Authentication Instance tab listing currently configured authentication instances. Click Add. The Select Authentication Plug-in Implementation window appears. Select the plug-in module. PortalEnroll Click Next. The Authentication Instance Editor window appears. Fill in the following fields in the Authentication Instance Editor window: Authentication Instance ID.
  • Page 403 Automated Enrollment ldap.ldapauth.clientCertNickname. Specifies the nickname name of the certificate to be used for SSL client authentication to the authentication directory in order to remove PINs. Make sure that the certificate is valid and has been signed by a CA that is trusted in the authentication directory’s certificate database, and that the authentication directory’s file certmap.conf...

  • Page 404: Setting Up Cmc Enrollment

    Automated Enrollment Setting Up CMC Enrollment CMC enroll allows you to set up your own enrollment client, sign the certificate request with your agent certificate, and then send the signed request to the Certificate Manager. When this method is setup, the Certificate Manager will automatically issue certificates when a valid request signed with the agent certificate is received.
  • Page 405 Automated Enrollment The Select Authentication Plug-in Implementation window appears. Select the plug-in module. CMCAuth Click Next. The Authentication Instance Editor window appears. If you don’t want to use the default instance name, in the Authentication Instance ID field, type a unique name for this instance that will help you identify it.
  • Page 406 Automated Enrollment Enable the End Entity pages for CMC Enrollment You submit signed requests to the Certificate Manager by submitting them directly to the Certificate Manager. You can also submit them using the end-entity interface of the Certificate Manager or a Registration Manager. CMS provides a CMC Enrollment form called .
  • Page 407 Automated Enrollment Go to the following directory: <server_root>/bin/cert/tools Type the following command: CMCEnroll -d<directory_containing_agent_cert> -n<the certificate_common_name> -r<certificate_request_file> -p<certificate_DB_passwd> For example, if the input file created in step 3 is called , your request34.txt agent’s certificate is stored in the directory , the certificate /netscape/certs common name of your agent’s certificate for this CA is...

  • Page 408: Agent Initiated End User Enrollment

    Agent Initiated End User Enrollment Agent Initiated End User Enrollment The Registration Manager is enabled for in person enrollment of end users. The end user goes to the Registration Manager agent, who then processes the enrollment request. The Registration Manager agent authenticates the user through some physical means, such as a passport or drivers licence, and then the agent fills in the enrollment form for the end user and processes the request.

  • Page 409: Certificate-Based Enrollment

    Certificate-Based Enrollment Certificate-Based Enrollment Note: This feature is supported only in legacy enrollment. CMS supports certificate-based enrollment for browser certificates. End users can use preissued certificates to authenticate to the server in order to enroll for certificates. The following are two deployment scenarios that explain the usefulness of certificate-based enrollment: •...
  • Page 410 Certificate-Based Enrollment • Enable the appropriate enrollment option, such as directory-based enrollment or NIS-server based enrollment. Be sure to configure the authentication module to compose the desired DN pattern. • To enable you to configure CMS for certificate-based enrollment, the following three enrollment forms are provided: l—this form enables end users to request dual CertBasedDualEnroll.htm...

  • Page 411: Issuing And Managing Server Certificates

    Issuing and Managing Server Certificates —this variable specifies one of the three certauthEnrollType certificate-based-enrollment types: , or dual single encryption dual specifies that the enrollment request is for dual certificates; single specifies that the enrollment request is for a signing certificate; and specifies that the enrollment request is for an encryption encryption certificate.

  • Page 412: Renewal Of Server Certificates

    Issuing and Managing Server Certificates The certificate profile feature offers an automated sever enrollment. Using this certificate profile, an agent makes the request for the SSL server certificate in the certificate profile and is authenticated using their agent certificate. If the agent is authenticated, the SSL server certificate request is automatically processed, and the issued certificate is returned to the agent via an HTML form.
  • Page 413 Issuing and Managing Server Certificates When the wizard generates the certificate signing request for the key size and type you specified, you’re presented with the opportunity to choose how you want to submit the request to the CA. The choices include the following: To CA’s email address.

  • Page 414: Cep Enrollment

    CEP Enrollment Click Submit. CEP Enrollment Note: This feature is supported in legacy enrollment only. CMS can issue certificates to a wide variety of entities, such as web browsers, SSL-enables servers, routers, virtual private network (VPN) clients, and so on. This section explains how you can configure CMS to issue router and VPN-client certificates.

  • Page 415: Setting Up Automated Cep Enrollment

    CEP Enrollment Setting Up Automated CEP Enrollment You can configure the Certificate Manager to use either the challenge password or the subject name (all or a part of it) as an authentication token during a CEP enrollment, thus enabling users to get router certificates without any action on the part of the Certificate Manager agent.
  • Page 416 CEP Enrollment Specifies the serial number of the router (for example, SERIALNUMBER 239333). This can sometimes be found on a label on the back of the router. It is also available by typing the show version command. This may not be in the request—a user may not want to include this in the subject name of the router certificate, and hence choose not to specify one during enrollment.
  • Page 417 CEP Enrollment In the CMS window of the Certificate Manager or Registration Manager that processes certificate requests, select the Configuration tab. Select Authentication in the navigation tree. The right pane shows the Authentication Instance tab listing currently configured authentication instances. Click Add.
  • Page 418 CEP Enrollment Setting Up Multiple CEP Services This step is optional. By default, the CEP service runs on this URL: /cgi-bin/pkiclient.exe It is possible to set up multiple instances of CEP, each with a different configuration, each listening on a different URL. This is useful if you have different requirements for different types of users.

  • Page 419: Setting Up Publishing Of Cep Certificates And Crls

    CEP Enrollment When setting up multiple CEP services, you can use the attribute to cepsubstore differentiate one CEP service from another. For example, if you’re setting up separate CEP services for router and VPN-client certificates and want to set different extensions in these certificates, you can make that happen with the help of predicates.
  • Page 420 CEP Enrollment Configure the Certificate Manager for Publishing Certificates and CRLs In this step, you configure the Certificate Manager to issue router and VPN-client certificates with CRL Distribution Point Extension and to publish the certificates to a directory. • Create an instance of the mapper plug-in named and of the LdapExactMapper publisher plug-in named...

  • Page 421: Certificate Issuance To Routers Or Vpn Clients

    CEP Enrollment Table 9-1 CEP service-related configuration parameters in the configuration file Parameter Description Specifies whether to create an entry in the directory before publishing createEntry the certificate. Note that to publish a certificate, an entry must already exist for the DN in the directory. •...
  • Page 422 CEP Enrollment In your router documentation, locate the information specific to requesting certificates for routers. Check the signing algorithm, such as RSA or DSA, and key lengths, such as 512 and 1024, supported by the router. Based on that information, determine the signing algorithm and the key length for the certificate you want to request.

  • Page 423: Example

    CEP Enrollment Run the appropriate command. The command will ask you for certain information: The CA’s identity. You specified this in Step 3. Challenge password. If you enter one, write it down; you will be required to specify this password to revoke the certificate. The CEP enrollment URL.
  • Page 424 CEP Enrollment router> enable router% config terminal router(config)#crypto key generate rsa The name for the keys will be: netscape.mcom.com Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.

  • Page 425: Testing Your Enrollment Setup

    Testing Your Enrollment Setup Request certificate from CA? [yes/no]: yes % Certificate request sent to Certificate Authority % The certificate request fingerprint will be displayed. % The ’show crypto ca certificate’ command will also show the fingerprint. router(config)# exit router#show crypto ca certificates CA Certificate Status: Available Certificate Serial Number: 1...

  • Page 426: Managing Authentication Plug-Ins

    Managing Authentication Plug-ins Upon receipt of a notification about the certificate issuance, install the certificate in your browser. Verify that the certificate is installed in the browser’s certificate database; for example, in Communicator you can open the Security Info window and verify that the certificate is listed in there.

  • Page 427: Generating Files Required By Third-Party Object Signing Tools

    Generating Files Required By Third-Party Object Signing Tools Log in to the CMS window (see “Logging Into the CMS Console” on page 247). Select the Configuration tab. In the navigation tree, click Authentication, and in the right pane, click the Authentication Plug-in Registration tab.
  • Page 428 Generating Files Required By Third-Party Object Signing Tools Type the following line below it: Enroll.PVKFilename = "<pvk_file_path>" Your changes should look like this: Enroll.GenKeyFlags = 1 ’ key exportable Enroll.PVKFilename = "<pvk_file_path>" szCertReq = Enroll.createPKCS10(szName, "1.3.6.1.5.5.7.3.2") Replace with the absolute path, including the filename, to <pvk_file_path>...
  • Page 429 Generating Files Required By Third-Party Object Signing Tools -----END CERTIFICATE----- Create an ASCII file named cert.b64 Copy and paste the base-64 encoded certificate blob, including the marker lines to the file. -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- Convert the text-based certificate to its DER-encoded format using the ASCII to Binary tool, explained in CMS Command-Line Tools Guide.
  • Page 430 Generating Files Required By Third-Party Object Signing Tools Netscape Certificate Management System Administrator’s Guide • February 2003...

  • Page 431: Chapter 10 Certificate Profiles

    Chapter 10 Certificate Profiles This chapter describes how to configure certificate profiles. This chapter contains the following sections: • About Certificate Profiles • Setting Up Certificate Profiles • Certificate Profile Reference • Input Reference • Output Reference • Defaults Reference •...
  • Page 432 About Certificate Profiles For example, you could set up a certificate profile for user certificates that defines all aspects of that certificate including the validity period of the issued certificate. You can set a default that defines the default validity period as two years. You would also set up a constraint that the validity period for certificates issued from requests submitted to this certificate profile cannot exceed two years.

  • Page 433: How Certificate Profiles Work

    About Certificate Profiles inputs using the CMS SDK. The inputs provide a certificate request field that can be added to any of the forms so that certificate requests can be pasted into this field, allowing a request to be created outside the input form with any of the request information you need.

  • Page 434: Setting Up Certificate Profiles

    Setting Up Certificate Profiles When a certificate profile is associated with an authentication method, the request is approved immediately and generates a certificate automatically if the user successfully authenticates, all the information required is provided, and the request does not violate any of the constraints set up for the certificate profile. The issued certificate contains the content defined in the defaults for this certificate profile, such as the extensions and validity period for the certificate, and the content of the certificate is constrained by the constraints set up for each default.

  • Page 435: Modifying A Certificate Profile

    Setting Up Certificate Profiles • Create any certificate profiles you will need that are not among the pre built certificate profiles. • Modify the existing certificate profiles and any certificate profiles you have created by changing the following: Changing the defaults set up in the certificate profile, the values of the parameters set in the defaults, or the constraints associated with the default to set the content of the issued certificate and the value of that content.
  • Page 436 Setting Up Certificate Profiles To create a new certificate profile: Click Add. The Select Certificate Profile Plugin Implementation window appears. Select if this is a Certificate Authority Enrollment Profile Certificate Manager or Registration Authority Enrollment Profile this is a Registration Manager. Click Next.
  • Page 437 Setting Up Certificate Profiles Manager that correlates to the certificate profile you set up in the Registration Manager. It is set to false allowing a signed request to be processed through the Certificate Manager’s Certificate Profile framework, rather than through the input page for this certificate profile. Certificate Profile Authentication.
  • Page 438 Setting Up Certificate Profiles End User Certificate Profile. Specifies whether or not the request must be made to the input form associated with this certificate profile. Generally, you will set this to true. If you have set up a Registration Manager, you will set this to false in the certificate profile you set up in the Certificate Manager that correlates to the certificate profile you set up in the Registration Manager.
  • Page 439 Setting Up Certificate Profiles Fill in the following fields: Policy Set Id. Type a name or identifier for this set of policies. When you are issuing dual key pairs, you can use separate sets to define the policies associated with each certificate. Certificate Profile Policy ID.
  • Page 440 Setting Up Certificate Profiles The Policy Rule Editor window contains two tabs, Defaults and Constraints. Defaults define attributes that populate the certificate request that will be used to create the issued certificate. These can be extensions, validity periods, or other fields contained in the certificates. Constraints define valid values for the defaults.
  • Page 441 Setting Up Certificate Profiles To add an input: Click Add. The Certificate Profile Input Editor window appears. Choose the input you want to add from the list and then click OK. See “Input Reference,” on page 445 for complete details of the default inputs. The New Certificate Profile Editor window appears.

  • Page 442: Certificate Profile Reference

    Certificate Profile Reference This output will be listed in the output tab. You can edit it to provide values to the parameters in this output. To delete an output: Select the output. Click delete. Delete any certificate profiles you don’t want approved by an agent. Any certificate profile that appears in the Certificate Profile Instance Management tab also appears on the Certificate Profiles page in the agent services interface.
  • Page 443 Certificate Profile Reference • caCACert Configured for enrollments for a CA signing certificate in a Certificate Manager. • caRACert Configured for enrollments for an RA signing certificate in a Certificate Manager. • caOCSPCert Configured for enrollments for an OCSP signing certificate in a Certificate Manager.
  • Page 444 Certificate Profile Reference Configured for enrollments for dual key pairs in a Registration Manager. Two keys will be generated, a signing key and an encryption key, and two certificates will be issued, one for each of those keys. This certificate profile will only work with the Netscape 7 or later browser.

  • Page 445: Input Reference

    Input Reference Configured for enrollments for a transport signing certificate, used by the Data Recovery Manager, in a Registration Manager. When installed in an RA, the value of the End User Certificate Profile field is set to true; when installed in a CA, the value of the End User Certificate Profile field is set to false.

  • Page 446: Dual Key Generation Input

    Input Reference Dual Key Generation Input input is used for enrollments in which dual Dual Key Geneneration Input key pairs will be generated, and thus two certificates issued, one for the signing certificate and one for the encryption certificate. The generation of dual key pairs using the certificate profile interface is only supported for the Netscape 7 and later browsers.

  • Page 447: Submitter Information Input

    Output Reference Organizational Unit. This field is for entering the organizational unit to which the user belongs. Organization. This field is for entering the organization name. Country. This field is for entering the country to which the user belongs. Submitter Information Input input is used to collect the certificate Submitter Information Input requestor’s information such as name, email and phone.

  • Page 448: Defaults Reference

    Defaults Reference Defaults Reference Defaults are used to define the contents of a certificate and the values associated with that content. This section lists the pre built defaults with complete definitions of each. Authority Info Access Extension Default This default populates the Authority Info Access extension. This extension specifies how an application validating a certificate can access information, such as on-line validation services and CA policy statements, about the CA that has issued the certificate.
  • Page 449 Defaults Reference Table 10-1 Authority Info Access Extension Default Configuration Parameters Parameter Description Specifies the general-name type for the location that contains LocationType_<n> additional information about the CA that has issued the certificate in which this extension appears. Select one of the following types from the drop down menu: DirectoryName, DNSName, EDIPartyName, IPAddress, OID, RFC822Name, or URI.

  • Page 450: Authority Key Identifier Extension Default

    Defaults Reference Table 10-1 Authority Info Access Extension Default Configuration Parameters Parameter Description • If you selected URI, the value must be a non-relative universal resource identifier (URI) following the URL syntax and encoding rules. That is, the name must include both a scheme (for example, http) and a fully qualified domain name or IP address of the host.
  • Page 451 Defaults Reference Table 10-2 Basic Constraints Extension Default Configuration Parameters Parameter Description Select true to mark this extension critical; select false to mark Critical the extension noncritical. Specifies whether the certificate subject is a CA. If you select IsCA true, the server checks the PathLen parameter and sets the specified path length in the certificate.

  • Page 452: Crl Distribution Points Extension Default

    Defaults Reference CRL Distribution Points Extension Default This default populates the CRL Distribution points extension in the certificate request. This extension, when present in a certificate, identifies one or more locations from which an application that is validating the certificate can obtain the CRL information (to verify the revocation status of the certificate).

  • Page 453: Extended Key Usage Extension Default

    Defaults Reference Table 10-3 CRL Distribution Points Extension Configuration Parameters (Continued) Parameter Description Specifies revocation reasons covered by the CRL Reasons_<n> maintained at the distribution point. Provide a comma-separated list of the following constants: • unused • keyCompromise • cACompromise •...
  • Page 454 Defaults Reference For general information about this extension, see “extKeyUsage” on page 727. The extension identifies one or more purposes—in addition to or in place of the basic purposes indicated in the key usage extension—for which the certified public key may be used. For example, if the key usage extension identifies a key to be used for signing, the extended key usage extension can further narrow down the usage of the key for signing OCSP responses only or for signing Java applets only.

  • Page 455: Freshest Crl Extension Default

    Defaults Reference • Extension Constraint, see “Extension Constraint,” on page 475 • No Constraints, see “No Constraint,” on page 477. Table 10-5 Extended Key Usage Extension Default Configuration Parameters Parameter Description Select true to mark this extension critical; select false to mark the Critical extension noncritical.

  • Page 456: Key Usage Extension Default

    Defaults Reference Table 10-6 Freshest CRL Extension Default Configuration Parameters Parameter Description Select true to mark this extension critical; select false to mark the Critical extension noncritical. Select true to enable this point; select false to disable this point. PointEnable_<n> Specifies the type of issuing point.
  • Page 457 Defaults Reference For general information about this extension, see “keyUsage” on page 728. You can define the following constraints with this default: • Key Usage Constraint, see “Key Usage Extension Constraint,” on page 475. • Extension Constraint, see “Extension Constraint,” on page 475. •...

  • Page 458: Name Constraints Extension Default

    Defaults Reference Table 10-7 Key Usage Extension Default Configuration Parameters (Continued) Parameter Description Specifies whether to set the extension if the public key is to be decipherOnly used only for deciphering data. If this bit is set, keyAgreement should also be set. Select true to set, select false to not set. Name Constraints Extension Default This default populates a name constraint extension in the certificate request.
  • Page 459 Defaults Reference Table 10-8 Name Constraints Extension Default Configuration Parameters (Continued) Parameter Description Specifies the maximum number of permitted subtrees. permittedSubtrees max_<n> • -1 specifies that the field should not be set in the extension. • 0 specifies that the maximum number of subtrees is zero. •...
  • Page 460 Defaults Reference Table 10-8 Name Constraints Extension Default Configuration Parameters (Continued) Parameter Description • If you selected IPAddress, the value must be a valid IP address (IPv4 or IPv6). IPv4 address must be in n.n.n.n format, with netmask must be in n.n.n.n,m.m.m.m format. For example: 128.21.39.40.
  • Page 461 Defaults Reference Table 10-8 Name Constraints Extension Default Configuration Parameters (Continued) Parameter Description Specifies the general-name value for the permitted subtree you ExcludedSubtrees want to include in the extension. NameValue_<n> • If you selected RFC822Name, the value must be a valid Internet mail address in fully-qualified DNS format.

  • Page 462: Netscape Comment Extension Default

    Defaults Reference Table 10-8 Name Constraints Extension Default Configuration Parameters (Continued) Parameter Description Select true to enable this excluded subtree entry, select false to ExcludedSubtree disable this excluded subtree entry. Enable_<n> Netscape Comment Extension Default This default populates a Netscape comment extension in the certificate request. The extension can be used to include textual comments in certificates.
  • Page 463 Defaults Reference You can define the following constraints with this default: • Netscape Certificate Type Extension Constraint, see “Netscape Certificate Type Extension Constraint,” on page 477. • Extension Constraint, see “Extension Constraint,” on page 475. • No Constraints, see “No Constraint,” on page 477. Table 10-10 Netscape Certificate Type Extension Default Configuration Parameters Parameter Description...

  • Page 464: No Default Extension

    Defaults Reference No Default Extension This default can be used to set constraints when no defaults are being used. This default has not settings and sets no defaults, but does allow you to set all of the constraints available. OCSP No Check Extension Default This default populates an OCSP No Check extension in the certificate request.
  • Page 465 Defaults Reference • Extension Constraint, see “Extension Constraint,” on page 475. • No Constraints, see “No Constraint,” on page 477. Table 10-12 Policy Constraints Extension Default Configuration Parameters Parameter Description Select true to mark this extension critical; select false to mark the critical extension noncritical.

  • Page 466: Policy Mappers Extension Default

    Defaults Reference Policy Mappers Extension Default This default populates a policy mappings extension in the certificate request. The extension lists one or more pairs of OIDs, each pair identifying two policy statements of two CAs. The pairing indicates that the corresponding policies of one CA are equivalent to policies of another CA.

  • Page 467: Signing Algorithm Default

    Defaults Reference Signing Algorithm Default This default populates a signing algorithm in the certificate request. This default presents an agent with the possible algorithms that can be used for signing the certificate in a list that the agent can select from. You can define the following constraints with this default: •...
  • Page 468 Defaults Reference In general, you can configure which attributes should or shouldn’t be stored in the request; for example, you can exclude sensitive attributes such as passwords from getting stored in the request with the help of the parameter named defined in the CMS configuration file.

  • Page 469: Subject Key Identifier Extension Default

    Defaults Reference Table 10-15 Subject Alternative Name Extension Default Configuration Parameters Parameter Description Specifies the general-name type for the request attribute. Type • Select RFC822Name if the request-attribute value is an Internet mail address in the local-part@domain format. For example, jdoe@example.com.

  • Page 470: Subject Name Default

    Defaults Reference If enabled, the policy adds a Subject Key Identifier Extension to an enrollment request if the extension does not already exist. If the extension exists in the request, for example from a CRMF request, the default replaces the extension. In case of agent-approved enrollments, after an agent approves the enrollment request, the policy accepts any Subject Key Identifier Extension that is already there.

  • Page 471: User Supplied Extension Default

    Defaults Reference In addition, the directory-based authentication manager will formulate the subject name of the issuing certificate (It will forms the subject name by using the dnPattern attribute), and it will place the subject name into an internal data structured called AuthToken. This default is responsible for reading the subject name from the AuthToken and place it into the certificate request so that the final certificate will contain the subject name.

  • Page 472: User Signing Algorithm Default

    Defaults Reference User Signing Algorithm Default This default implements an enrollment default policy that populates a user-supplied signing algorithm into the certificate request. If included in the certificate profile, allows a user to choose a signing algorithm for the certificate, subject to the constraint set.

  • Page 473: Validity Default

    Constraints Reference Validity Default This default populates a server-side configurable validity into the certificate request. You can define the following constraints with this default: • Validity Constraint, see “Validity Constraint,” on page 479. • No Constraints, see “No Constraint,” on page 477. Table 10-17 Validity Default Configuration Parameters Parameter Description...

  • Page 474: Extended Key Usage Extension Constraint

    Constraints Reference Table 10-18 Basic Constraints Extension Constraint Configuration Parameters (Continued) Parameter Description Specifies the maximum allowable path length, the maximum PathLen number of CA certificates that may be chained below (subordinate to) the subordinate CA certificate being issued. Note that the path length you specify affects the number of CA certificates to be used during certificate validation.

  • Page 475: Extension Constraint

    Constraints Reference Table 10-19 Extended Key Usage Extension Constraint Configuration Parameters Parameter Description Specifies whether the extension can be marked critical or Critical noncritical. Select true to allow the extension to be marked critical, select false to disallow the extension from being marked critical; select “-”...
  • Page 476 Constraints Reference Table 10-21 Key Usage Extension Constraint Configuration Parameters Parameter Description Select true allow this extension to be marked critical; select false critical to keep this extension from being marked critical. Select true to allow this to be set; select false to not allow this to be set; select “-”...

  • Page 477: No Constraint

    Constraints Reference Table 10-21 Key Usage Extension Constraint Configuration Parameters (Continued) Parameter Description Specifies whether to set the extension if the public key is to be encipherOnly used only for enciphering data. If this bit is set, keyAgreement should also be set. Select true to allow this to be set; select false to not allow this to be set;...

  • Page 478: Signing Algorithm Constraint

    Constraints Reference Table 10-22 Netscape Certificate Type Extension Constraint Configuration Parameters Parameter Description Specifies that the certificate can be used by servers for SSLServer authentication during SSL connections. Select true to allow this capability; select false to not allow this capability; select “-”...

  • Page 479: Subject Name Constraint

    Constraints Reference Table 10-23 Signing Algorithms Constraint Configuration Parameters Parameter Description List the signing algorithms that can be specified for use in signingAlgsAllowed signing this certificate. Specify any or all of the following: MD2withRSA,MD5withRSA,SHA1withRSA Subject Name Constraint This constraint implements the subject name constraint. It checks if the subject name in the certificate request satisfies the criteria.
  • Page 480 Constraints Reference Table 10-25 Validity Constraint Configuration Parameters Parameter Description The range parameter is of type integer. And the unit of this range value is day. Netscape Certificate Management System Administrator’s Guide • February 2003...

  • Page 481: Chapter 11 Policies

    Chapter 11 Policies Netscape Certificate Management System (CMS) provides a customizable policy framework for the Certificate Manager, Registration Manager, and Data Recovery Manager. This chapter explains how to configure these subsystems to apply organizational and other policies on incoming certificate and key-related requests. Note: This feature is provided for legacy purposes.

  • Page 482: Introduction To Policy

    Introduction to Policy Introduction to Policy You can configure the main subsystems of CMS—the Certificate Manager, Registration Manager, and Data Recovery Manager—to apply certain organizational policies on an end-entity’s certificate enrollment and management requests before servicing them. For example, some of the policies you might want a Certificate Manager to impose on these requests may include setting a minimum and maximum limit on validity period and key length of certificates, setting extensions based on the end entity's role within an organization, setting signing...

  • Page 483: Policy Rules

    Introduction to Policy • Screen the request for specific content, and modify, reject, or defer (for agent approval) it accordingly. For example, the request might be checked for the inclusion of organizational constraints, such as key algorithm, key size, validity period, or a particular signing algorithm; if it did not meet the requirement, the subsystem would modify the request or return an error, depending on the severity of the problem.

  • Page 484: Policy Processor

    Introduction to Policy • Revocation policies • Key-archival policies • Key-recovery policies To facilitate this classification, CMS supports a parent interface for a generic policy rule and other operation-specific interfaces that extend the parent interface. Check the CMS SDK. Policy Processor Each subsystem—the Certificate Manager, Registration Manager, or Data Recovery Manager—has its own policy processor.

  • Page 485: Using Predicates In Policy Rules

    Introduction to Policy If the request passes all the policy rules (that is, all policy rules returned a value), the request gets serviced—for example the PolicyResult.ACCEPTED certificate is issued or renewed. Using Predicates in Policy Rules You can use predicates in a policy rule. A predicate indicates whether the rule that contains the predicate applies to a request.
  • Page 486 Introduction to Policy Policy expressions are formed with the following rules: PrimitiveExpression | AndExpression | OrExpression is equal to: Attribute Value, where PrimitiveExpression Attribute can be a string can be any of these operators: Value can be a string is equal to: Expression Expression AndExpression is equal to: Expression...
  • Page 487 Introduction to Policy Be aware that if the same name is in an HTTP form input and authentication token (authentication result) the authentication result can override the HTTP form input. For example, if is in an HTTP input and an authentication module also puts email in the authentication result (that is, authtoken) the value from the...
  • Page 488 Introduction to Policy Table 11-2 Attributes supported by request object implementations (Continued) Request type Variable name Description Enrollment Specifies the certificate type. Default values include the certType following: • ca (Certificate Manager’s CA signing certificate) • caCrlSigning (Certificate Manager’s CRL signing certificate) •...
  • Page 489 Introduction to Policy Table 11-2 Attributes supported by request object implementations (Continued) Request type Variable name Description Enrollment Specifies the name of the CEP service; for example, cep1 and cepsubstore cep2. When setting up multiple CEP services, you can use predicates to differentiate one service for another;...
  • Page 490 Introduction to Policy Assuming that the new attribute you define for the organizational unit is orgunit the line you would add to the enrollment form would be: <input type="HIDDEN" name="orgunit" value="Sales"> To add this line to an enrollment form, you would: Open the corresponding HTML file in a text editor.

  • Page 491: Configuring Policy Rules For A Subsystem

    Configuring Policy Rules for a Subsystem Assume you named the instance , set the maximum validity ValidityRule1 period to 60 days, set the minimum validity period to 10 days, defined the predicate expression as HTTP_PARAMS.certType==client AND . (This expression specifies that the policy be HTTP_PARAMS.orgunit!=Sales applied to only client certificate requests from users who are not in the organizational unit named Sales.)

  • Page 492: Deleting Policy Rules

    Configuring Policy Rules for a Subsystem In the Policy Rule list, select a rule that you want to modify. For the purposes of this instruction, assume that you selected the rule named DefaultValidityRule Click Edit/View. The Policy Rule Editor window appears, showing how this rule is configured. Make the necessary changes and click OK.

  • Page 493: Reordering Policy Rules

    Configuring Policy Rules for a Subsystem When you add a policy rule, the CMS configuration gets updated with policy-specific information. Keep the following points in mind: • When naming a policy instance (or rule), be sure to formulate the name using any combination of letters (aA to ), digits (0 to 9), an underscore (_), and a hyphen (-);...

  • Page 494: Testing Policy Configuration

    Configuring Policy Rules for a Subsystem on request attributes to prevent conflicting changes. By ordering the rules, you introduce a concurrency control whereby a higher-priority rule configuration overwrites any changes made by a lower-priority rule configuration that precedes You may want to specify policies at different priority levels for the same operation depending on the end-entity information.

  • Page 495: Using Javascript For Policies

    Using JavaScript for Policies Using JavaScript for Policies CMS includes a facility for complex scripting of the policy plug-in instances via JavaScript . Using the JavaScript policy processor allows you to: • Determine the call sequence of existing Java plug-ins •...
  • Page 496 Constraints-Specific Policy Module Reference If the attribute named in the parameter is present in the attribute request, the policy accepts the request. If the attribute named in the parameter is not present in the attribute request, the policy rejects the request. •...
  • Page 497 Constraints-Specific Policy Module Reference Table 11-3 AttributePresentConstraints Configuration Parameters (Continued) Parameter Description Specifies the LDAP protocol version: ldap.ldapconn. version • 2 specifies LDAP version 2. If your directory is based on Netscape Directory Server 1.x, choose 2. • 3 specifies LDAP version 3. For Directory Server versions 3.x and later, choose 3 (default).

  • Page 498: Dsakeyconstraints

    Constraints-Specific Policy Module Reference Table 11-3 AttributePresentConstraints Configuration Parameters (Continued) Parameter Description Specifies the maximum number of connections permitted to the LDAP directory; ldap.ldapconn. when needed, connection pool can grow to this many (multiplexed) connections. maxConns Permissible values: 3 to 10; the default value is 5. Specifies the LDAP attribute, the presence of which is to be checked in the attribute certificate-enrollment request.

  • Page 499: Issuerconstraints

    Constraints-Specific Policy Module Reference Table 11-4 DSAKeyConstraints Configuration Parameters (Continued) Parameter Description Specifies the minimum length, in bits, for the key (the length of the modulus in bits). minSize The value must be smaller than or equal to the one specified by the maxSize parameter.

  • Page 500: Keyalgorithmconstraints

    Constraints-Specific Policy Module Reference Table 11-5 IssuerConstraints Configuration Parameters Parameter Description Specifies whether the rule is enabled or disabled. Select to enable (default), deselect to enable disable. Specifies the predicate expression for this rule. If you want this rule to be applied to predicate all certificate requests, leave the field blank (default).

  • Page 501: Renewalconstraints

    Constraints-Specific Policy Module Reference Table 11-6 KeyAlgorithmConstraints Configuration Parameters (Continued) Parameter Description Specifies the key type the server should certify. The default is RSA. algorithms Permissible values: RSA or RSA. RenewalConstraints plug-in module imposes constraints on renewal of RenewalConstraints expired certificates—it allows or restricts the server from renewing expired certificates.

  • Page 502: Revocationconstraints

    Constraints-Specific Policy Module Reference The renewal validity constraints policy enables you to enforce certain restrictions on certificate-renewal requests, when end entities attempt to renew their certificates. During installation, CMS automatically creates an instance of the renewal validity constraints policy, named , that is enabled by DefaultRenewalValidityRule default.

  • Page 503: Rsakeyconstraints

    Constraints-Specific Policy Module Reference Table 11-9 RevocationConstraints Configuration Parameters (Continued) Parameter Description Specifies the predicate expression for this rule. If you want this rule to be applied predicate to all certificate requests, leave the field blank (default). To form a predicate expression, see “Using Predicates in Policy Rules”...

  • Page 504: Signingalgorithmconstraints

    Constraints-Specific Policy Module Reference Table 11-10 RSAKeyConstraints Configuration Parameters (Continued) Parameter Description Specifies the minimum length, in bits, for the key (the length of the modulus in bits). minSize The value must be smaller than or equal to the one specified by the maxSize parameter.

  • Page 505: Subcanameconstraints

    Constraints-Specific Policy Module Reference Table 11-11 describes the configuration parameters of the policy. SigningAlgorithmConstraints Table 11-11 SigningAlgorithmConstraintsConfiguration Parameters Parameter Description Specifies whether the rule is enabled or disabled. Select to enable (default), deselect to enable disable. Specifies the predicate expression for this rule. If you want this rule to be applied to predicate all certificate requests, leave the field blank (default).

  • Page 506: Uniquesubjectnameconstraints

    Constraints-Specific Policy Module Reference During installation, CMS automatically creates an instance of the subordinate CA name constraints policy, named , that is enabled by SubCANameConstraints default. Table 11-12 describes the configuration parameters of the SubCANameConstraints policy. Table 11-12 SubCANameConstraints Configuration Parameters Parameter Description Specifies whether the rule is enabled or disabled.
  • Page 507 Constraints-Specific Policy Module Reference Table 11-13 describes the configuration parameters of the policy. UniqueSubjectNameConstraints Table 11-13 UniqueSubjectNameConstraints Configuration Parameters Parameter Description Specifies whether the rule is enabled or disabled. Select to enable, deselect to disable enable (default). Specifies the predicate expression for this rule. If you want this rule to be applied to predicate all certificate requests, leave the field blank (default).

  • Page 508: Validityconstraints

    Constraints-Specific Policy Module Reference ValidityConstraints plug-in module enforces minimum and maximum ValidityConstraints validity periods for certificates and changes them if the policy is not met. Specifically, the policy imposes constraints on the following: • The duration of a certificate’s validity period (based on supported minimum and maximum validity periods).
  • Page 509 Constraints-Specific Policy Module Reference During installation, CMS automatically creates an instance of the validity constraints policy, named , that is enabled by default. DefaultValidityRule Table 11-14 describes the configuration parameters of the ValidityConstraints policy. Table 11-14 ValidityConstraints Configuration Parameters Parameter Description Specifies whether the rule is enabled or disabled.

  • Page 510: Extension-Specific Policy Module Reference

    Extension-Specific Policy Module Reference Extension-Specific Policy Module Reference To enable you to add standard and private extensions to end-entity certificates, CMS provides a set of policy plug-in modules; each module enables you to add a particular extension to a certificate request. When deciding whether to add any of the X.509 v3 certificate extensions, keep in mind that not all applications support X.509 v3 extensions.
  • Page 511 Extension-Specific Policy Module Reference Note that if you installed the Certificate Manager with it’s built-in OCSP service enabled, the policy rule will be enabled and the address location ( ad0_location= will be pointed to the Certificate Manager’s non-SSL end-entity port. For example, if the non-SSL end-entity port of your Certificate Manager is 80, the URL would look like this: http://ocspResponder.example.com:80/ocsp...
  • Page 512 Extension-Specific Policy Module Reference Table 11-15 AuthInfoAccessExt Configuration Parameters (Continued) Parameter Description Permissible values: • ocsp (or 1.3.6.1.5.5.7.48.1). • caIssuers (or 1.3.6.1.5.5.7.48.2). • renewal (or 2.16.840.1.113730.16.1) Specifies the general-name type for the location that contains additional information ad<n>_location about the CA that has issued the certificate in which this extension appears. Select one _type type from the following: •...

  • Page 513: Authoritykeyidentifierext

    Extension-Specific Policy Module Reference Table 11-15 AuthInfoAccessExt Configuration Parameters (Continued) Parameter Description • If you selected URL, the value must be a non-relative universal resource identifier (URI) following the URL syntax and encoding rules. That is, the name must include both a scheme (for example, http) and a fully qualified domain name or IP address of the host.

  • Page 514: Basicconstraintsext

    Extension-Specific Policy Module Reference During installation, CMS automatically creates an instance of the authority key identifier extension policy, named , that is enabled AuthorityKeyIdentifierExt by default. Table 11-16 AuthorityKeyIdentifierExt Configuration Parameters Parameter Description Specifies whether the rule is enabled or disabled. Select to enable, deselect to disable. enable Specifies the predicate expression for this rule.
  • Page 515 Extension-Specific Policy Module Reference Table 11-17 BasicConstraintsExt Configuration Parameters (Continued) Parameter Description Specifies the predicate expression for this rule. If you want this rule to be applied to predicate all certificate requests, leave the field blank (default). To form a predicate expression, see “Using Predicates in Policy Rules”...

  • Page 516: Certificatepoliciesext

    Extension-Specific Policy Module Reference CertificatePoliciesExt plug-in module enables you to add the Certificate CertificatePoliciesExt Policies Extension in certificates. The extension contains a sequence of one or more policy statements, each indicating the policy under which the certificate has been issued and identifying the purposes for which the certificate may be used. Presence of this extension in certificates enables an application with specific policy requirements to compare its list of policies to the ones contained in a certificate during its validation;...

  • Page 517: Certificaterenewalwindowext

    Extension-Specific Policy Module Reference Table 11-18 CertificatePoliciesExt Configuration Parameters (Continued) Parameter Description Example: 2.16.840.1.113730.1.99 Specifies the name of the organization that owns the OID or is the owner of the organizationName policy statement referenced by the OID. Example: Example Corporation Specifies the location where the Certification Practice Statement published by the cpsURI CA (that has issued the certificate) can be found.
  • Page 518 Extension-Specific Policy Module Reference Because the renewal process requires end users to remember when their certificates expire and renew them before the expiry date, some clients provide built-in support for automated renewal. Inclusion of the certificate renewal window extension in certificates is useful in a PKI setup with such clients. Unlike some of the other policy modules, CMS does not create an instance of the certificate renewal window extension policy during installation.

  • Page 519: Certificatescopeofuseext

    Extension-Specific Policy Module Reference Table 11-19 CertificateRenewalWindowExt Configuration Parameters (Continued) Parameter Description Specifies the last opportunity for automatic renewal of the certificate that contains relativeEndTime this extension. Specifying a value for this parameter is optional; if you leave the field blank, the certificate-using application is expected to use the expiration date (notAfter value) in the certificate.
  • Page 520 Extension-Specific Policy Module Reference The SSL protocol provides a way for a client application to authenticate itself to a web site or server. SSL client authentication occurs upon request of the server, and proceeds by providing a certificate and a signature to the server. The client may have more than one certificate that could be used to perform this authentication.
  • Page 521 Extension-Specific Policy Module Reference Table 11-20 CertificateScopeOfUseExt Configuration Parameters (Continued) Parameter Description Specifies the total number of sites to be contained or allowed in the extension. numEntries This can be set to 0 specifying that no sites can be contained in the extension or ton specifies the total number of sites to be included in the extension;...

  • Page 522: Crldistributionpointsext

    Extension-Specific Policy Module Reference Table 11-20 CertificateScopeOfUseExt Configuration Parameters (Continued) Parameter Description • If you selected ediPartyName, the value must be an IA5String. For example, Example Corporation. • If you selected URL, the value must be a non-relative URI, including both a scheme (for example, http) and a fully qualified domain name or IP address of the host.
  • Page 523 Extension-Specific Policy Module Reference For general information about this extension, see “CRLDistributionPoints” on page 726. During installation, CMS automatically creates an instance of the CRL distribution points extension policy, named , that is disabled by CRLDistributionPointsExt default. Table 11-21 CRLDistributionPointsExt Configuration Parameters Parameter Description Specifies whether the rule is enabled or disabled.

  • Page 524: Extendedkeyusageext

    Extension-Specific Policy Module Reference Table 11-21 CRLDistributionPointsExt Configuration Parameters (Continued) Parameter Description • Select URI if the value in the pointName field is a uniform resource indicator. • Select RelativeToIssuer if the value in the pointName field is a location relative to the CRL Issuer.
  • Page 525 Extension-Specific Policy Module Reference usage extension identifies a key to be used for signing, the extended key usage extension can further narrow down the usage of the key for signing OCSP responses only or for signing Java applets only. (For information on key usage extension, see “KeyUsageExt”...
  • Page 526 Extension-Specific Policy Module Reference Note that the policy rule must remain enabled if your PKI setup OCSPSigningExt includes a CA-delegated OCSP responder and you want to issue an OCSP responder certificate to that server; the rule adds the extended key usage extension to an OCSP responder certificate indicating that the associated key can be used for signing OCSP responses.

  • Page 527: Genericasn1Ext

    Extension-Specific Policy Module Reference GenericASN1Ext plug-in module enables you to add custom extensions to GenericASN1Ext certificates. Using this policy, you can add as many ASN.1 type based-extensions as required without having to write any code. Further, it eliminates the dependency on the command-line tools for generating base-64 encoded standard extensions from the x.509 extension classes.
  • Page 528 Extension-Specific Policy Module Reference application validating the certificate must be able to interpret the extension, or else it must reject the certificate. Since it’s unlikely that all applications will be able to interpret your custom extensions, you should consider marking these extensions noncritical.
  • Page 529 Extension-Specific Policy Module Reference Table 11-24 GenericASN1Ext Configuration Parameters Parameter Description Specifies whether the rule is enabled or disabled. Select to enable, deselect to disable. enable n specifies the total number of key-usage purposes to be included in the extension; it predicate must be an integer greater than zero.
  • Page 530 Extension-Specific Policy Module Reference Table 11-24 GenericASN1Ext Configuration Parameters (Continued) Parameter Description Specifies the data type for attribute n, where n is an identifier assigned to identify attribute.<n>. parameters pertaining to a specific attribute. The value of n can be 0 to 9. type Permissible values: Integer, IA5String, OctetString, PrintableString, UTCtime, OID, or Boolean.

  • Page 531: Issueraltnameext

    Extension-Specific Policy Module Reference Table 11-24 GenericASN1Ext Configuration Parameters (Continued) Parameter Description Specifies the data value for attribute n, where n is an identifier assigned to identify attribute.<n>. parameters pertaining to a specific attribute. The value of n can be 0 to 9. value Permissible values: Depends on the data type and source you selected.
  • Page 532 Extension-Specific Policy Module Reference Unlike some of the other policy modules, CMS does not create an instance of the issuer alternative name extension policy during installation. If you want the server to add this extension to certificates, you must create an instance of the module and configure it.
  • Page 533 Extension-Specific Policy Module Reference Table 11-25 IssuerAltNameExt Configuration Parameters (Continued) Parameter Description Permissible values: rfc822Name, directoryName, dNSName, ediPartyName, URL, iPAddress, OID, or otherName. • Select rfc822Name if the alternative name is an Internet mail address (default). • Select directoryName if the alternative name is an X.500 directory name.
  • Page 534 Extension-Specific Policy Module Reference Table 11-25 IssuerAltNameExt Configuration Parameters (Continued) Parameter Description • If you selected ediPartyName, the value must be an IA5String. For example, Example Corporation. • If you selected URL, the value must be a non-relative universal resource identifier (URI) following the URL syntax and encoding rules specified in RFC 1738.

  • Page 535: Keyusageext

    Extension-Specific Policy Module Reference KeyUsageExt plug-in module enables you to add the Key Usage Extension to KeyUsageExt certificates. The extension specifies the purposes for which the key contained in a certificate should be used—for example, it specifies whether the key should be used for data signing, key encipherment, or data encipherment—and thus enables you to restrict the usage of a key pair to predetermined purposes.
  • Page 536 Extension-Specific Policy Module Reference • On the client side, bits set in the key usage extension are formed from pre-defined HTTP input variables that can be embedded as hidden values in the enrollment forms. You specify which bits are to be set by adding the appropriate HTTP variables to the enrollment forms.
  • Page 537 Extension-Specific Policy Module Reference During installation, CMS automatically creates multiple instances of the key usage extension policy suitable for various types of certificates that you may want the server to issue. The default instances are named as follows: • This rule is for setting the appropriate key-usage bits in CMCertKeyUsageExt Certificate Manager CA signing certificates and is enabled by default.
  • Page 538 Extension-Specific Policy Module Reference The value of an HTTP input variable corresponding to a key-usage bit must be either ; any other value is considered equivalent to . For true false false example, a value would be interpreted as by the server. Note that tree false values...
  • Page 539 Extension-Specific Policy Module Reference Table 11-28 KeyUsageExt Configuration Parameters (Continued) Parameter Description Specifies whether to set the keyEncipherment bit (or bit 2) of the key usage keyEncipherment extension in certificates specified by the predicate parameter. Permissible values: true, false, or HTTP_INPUT. •...
  • Page 540 Extension-Specific Policy Module Reference Table 11-28 KeyUsageExt Configuration Parameters (Continued) Parameter Description Specifies whether to set the keyCertSign bit (or bit 5) of the key usage extension keyCertsign in certificates specified by the predicate parameter. Permissible values: true, false, or HTTP_INPUT. •...

  • Page 541: Nameconstraintsext

    Extension-Specific Policy Module Reference Table 11-28 KeyUsageExt Configuration Parameters (Continued) Parameter Description Specifies whether to set the decipherOnly bit (or bit 8) of the key usage extension decipherOnly in certificates specified by the predicate parameter. Permissible values: true, false, or HTTP_INPUT. •...
  • Page 542 Extension-Specific Policy Module Reference Table 11-29 NameConstraintsExt Configuration Parameters (Continued) Parameter Description Specifies the total number of subtrees to be permitted in the extension. numPermittedSubtrees Note that each permitted subtree has a set of configuration parameters and you must specify appropriate values for each of these parameters; otherwise the policy rule will return an error.
  • Page 543 Extension-Specific Policy Module Reference Table 11-29 NameConstraintsExt Configuration Parameters (Continued) Parameter Description Specifies the general-name type for the permitted subtree you want to permittedSubtrees<n>. include in the extension. base.generalNameChoice Permissible values: rfc822Name, directoryName, dNSName, ediPartyName, URI, iPAddress, registeredID, or otherName. •...
  • Page 544 Extension-Specific Policy Module Reference Table 11-29 NameConstraintsExt Configuration Parameters (Continued) Parameter Description • If you selected dNSName, the value must be a valid domain name in the preferred-name syntax as specified by RFC 1034 (http://www.ietf.org/rfc/rfc1034.txt). You may use upper and lower case letters in the domain name; no significance is attached to the case.
  • Page 545 Extension-Specific Policy Module Reference Table 11-29 NameConstraintsExt Configuration Parameters (Continued) Parameter Description Specifies the minimum number of permitted subtrees. permittedSubtrees<n>. Permissible values: -1, 0, or n. • -1 specifies that the field should not be set in the extension. • 0 specifies that the minimum number of subtrees is zero (default). •...
  • Page 546 Extension-Specific Policy Module Reference Table 11-29 NameConstraintsExt Configuration Parameters (Continued) Parameter Description Permissible values: Depends on the general-name type you selected in the excludedSubtrees<n>.base.generalNameChoice field. • If you selected rfc822Name, the value must be a valid Internet mail address in the local-part@domain format; see the definition of an rfc822Name as defined in RFC 822 (http://www.ietf.org/rfc/rfc0822.txt).
  • Page 547 Extension-Specific Policy Module Reference Table 11-29 NameConstraintsExt Configuration Parameters (Continued) Parameter Description • If you selected iPAddress, the value must be a valid IP address (IPv4 or IPv6) specified in the dot-separated numeric component notation. The syntax for specifying the IP address is as follows: For IP version 4 (IPv4), the address should be in the form specified in RFC 791 (http://www.ietf.org/rfc/rfc0791.txt).

  • Page 548: Nsccommentext

    Extension-Specific Policy Module Reference NSCCommentExt plug-in module enables you to add the Netscape Certificate NSCCommentExt Comment Extension to certificates. The extension can be used to include textual comments in certificates. Applications that are capable of interpreting the comment may display it to a relying party when the certificate is used or viewed. For general information about this extension, see “netscape-comment”...

  • Page 549: Nscerttypeext

    Extension-Specific Policy Module Reference Table 11-30 NSCCommentExt Configuration Parameters (Continued) Parameter Description Specifies the textual statement that should be included in certificates. If you want to displayText embed a textual statement (for example, your company’s legal notice) in certificates, then add that statement here. The text you enter here will be displayed to a relying party when the certificate is used or viewed.
  • Page 550 Extension-Specific Policy Module Reference Table 11-31 Netscape certificate type extension bits and designated purposes (Continued) Purpose Description SSL Server Specifies that the certificate can be used by servers for authentication during SSL connections. S/MIME Specifies that the certificate can be used to send secure email messages.
  • Page 551 Extension-Specific Policy Module Reference Table 11-32 HTTP input variables for Netscape certificate type extension bits HTTP input variable Netscape certificate type extension bit SSL Client (bit 0) ssl_client SSL Server (bit 1) ssl_server S/MIME (bit 2) email Object Signing (bit 3) object_signing Reserved for future use (bit 4) SSL CA (bit 5)

  • Page 552: Ocspnocheckext

    Extension-Specific Policy Module Reference Table 11-33 NSCertTypeExt Configuration Parameters Parameter Description Specifies whether the rule is enabled or disabled. Select to enable, deselect to disable enable (default). Specifies the predicate expression for this rule. If you want this rule to be applied to predicate all certificate requests, leave the field blank (default).

  • Page 553: Policyconstraintsext

    Extension-Specific Policy Module Reference Table 11-34 OCSPNoCheckExt Configuration Parameters (Continued) Parameter Description Select to mark critical, deselect to mark noncritical (default). critical PolicyConstraintsExt plug-in module enables you to add the Policy PolicyConstraintsExt Constraints Extension to certificates. The extension, which can be used in CA certificates only, constrains path validation in two ways—either to prohibit policy mapping or to require that each certificate in a path contain an acceptable policy identifier.

  • Page 554: Policymappingsext

    Extension-Specific Policy Module Reference Table 11-35 PolicyConstraintsExt Configuration Parameters (Continued) Parameter Description Specifies the total number of certificates permitted in the path before an explicit reqExplicit policy is required—that is, the number of CA certificates that can be chained below Policy (subordinate to) the subordinate CA certificate being issued before an acceptable policy is required.
  • Page 555 Extension-Specific Policy Module Reference extension may be useful in the context of cross-certification. If supported, the extension is to be included in CA certificates only. The policy allows you to map policy statements of one CA to that of another by pairing the OIDs assigned to their policy statements Each pair is defined by two parameters, issuerDomainPolicy...

  • Page 556: Privatekeyusageperiodext

    Extension-Specific Policy Module Reference Table 11-36 PolicyMappingsExt Configuration Parameters (Continued) Parameter Description Specifies the OID assigned to the policy statement<n> of the issuing CA that policyMap<n>. you want to map with the policy statement of another CA. issuerDomainPolicy Permissible values: Any valid OID specified in dot-separated numeric component notation (see the example).

  • Page 557: Removebasicconstraintsext

    Extension-Specific Policy Module Reference Table 11-37 PrivateKeyUsagePeriodExt Configuration Parameters (Continued) Parameter Description Specifies the date on which the validity period for the private key associated with the notBefore certificate begins. Permissible values: A valid date specified in the MM/DD/YYYY format. Example: 03/30/2002 Specifies the date on which the validity period for the private key associated with the notAfter...
  • Page 558 Extension-Specific Policy Module Reference The standard suggests that if the certificate subject field contains an empty sequence, then the subject alternative name extension must contain the subject’s alternative name and that the extension be marked critical. If you’re using any of the directory-based authentication methods, you can configure CMS to retrieve values for any string and byte attributes from the directory and set them in the certificate request during authentication—you specify these attributes by entering them in the...
  • Page 559 Extension-Specific Policy Module Reference Table 11-39 SubjectAltNameExt Configuration Parameters (Continued) Parameter Description Specifies the total number of alternative names or identities permitted in the numGeneralNames extension. Note that each name has a set of configuration parameters—generalName<n>.requestAttr and generalName<n>.generalNameChoice—and you must specify appropriate values for each of those parameters;...
  • Page 560 Extension-Specific Policy Module Reference Table 11-39 SubjectAltNameExt Configuration Parameters (Continued) Parameter Description • Select dNSName if the request-attribute value is a DNS name. For example, corpDirectory.example.com. • Select ediPartyName if the request-attribute value is a EDI party name. For example, Example Corporation. •...

  • Page 561: Subjectdirectoryattributesext

    Extension-Specific Policy Module Reference If you enable the default policy rule, the server automatically checks the certificate request for attributes AUTH_TOKEN.mail AUTH_TOKEN.mailalternateaddress . If the server finds any of the attributes, it HTTP_PARAMS.csrRequestorEmail sets the attribute value in the extension and then adds the extension to certificates specified by the parameter.

  • Page 562: Subjectkeyidentifierext

    Extension-Specific Policy Module Reference Table 11-40 SubjectDirectoryAttributesExt Configuration Parameters (Continued) Parameter Description Specifies whether the extension should be marked critical or noncritical. Select critical to mark critical, deselect to mark noncritical (default). Specifies the total number of directory attributes to be contained or allowed in numAttributes the extension.

  • Page 563: Managing Policy Plug-In Modules

    Managing Policy Plug-in Modules For general information about this extension, see “authorityKeyIdentifier” on page 737. You can also customize the method for deriving the Key Identifier using the CMS SDK by subclassing the policy and overriding the following method: formKeyIdentifier(X509CertInfo certInfo, IRequest req) If enabled, the policy adds a Subject Key Identifier Extension to an enrollment request if the extension does not already exist.

  • Page 564: Registering A Policy Module

    Managing Policy Plug-in Modules • Registering a Policy Module • Deleting a Policy Module Registering a Policy Module You can register new policy plug-in modules in a subsystem’s policy framework. Registering a new policy module involves specifying the name of the module and the full name of the Java class that implements the policy interface.

  • Page 565: Deleting A Policy Module

    Managing Policy Plug-in Modules Deleting a Policy Module You can delete unwanted policy plug-in modules using the CMS window. Before deleting a module, be sure to delete all the policy rules that are based on this module. To delete a policy module from a subsystem’s policy framework: Log in to the CMS window (see “Logging Into the CMS Console”...
  • Page 566 Managing Policy Plug-in Modules Netscape Certificate Management System Administrator’s Guide • February 2003...

  • Page 567: Chapter 12 Automated Notifications

    Chapter 12 Automated Notifications Netscape Certificate Management System (CMS) can be configured to send automatic email notifications to end users when certificates are issued and revoked, or to an agent when a new request has arrived in the agent request queue. This chapter describes automated notifications, details how to enable and configure them, and details how to customize the notification email messages that are sent.

  • Page 568: Setting Up Automated Notifications

    About Automated Notifications Setting Up Automated Notifications The automated notifications feature is set up by performing the following tasks: • Enabling and configuring one of the notification types and setting preferences for that notification type; see “Setting Up Automated Notifications” on page 569 for complete details.

  • Page 569: Determining End-Entity Email Addresses

    Setting Up Automated Notifications Determining End-Entity Email Addresses The notification system determines the email address of an end entity by checking in the certificate request or revocation request itself, then in the subject name of the certificate, and last in the Subject Alternative Name extension of the certificate—if the certificate contains this extension.
  • Page 570 Setting Up Automated Notifications To enable Certificate Issued notifications, go to the Certificate Issued tab and specify information in the following fields: Enable Certificate Issued notification. Select this field to enable Certificate Issued notifications. Sender’s E-mail Address. Type the sender’s full email address; this is the email address of the person who is notified of any delivery problems.

  • Page 571: Configuring Specific Notifications By Editing The Configuration File

    Setting Up Automated Notifications Customize the notification message templates. See “Customizing Notification Messages,” on page 572. Test your configuration. See “Testing Your Configuration,” on page 571. Configuring Specific Notifications By Editing the Configuration File Stop the server instance whose configuration file you will be editing. Open the file for that server instance in a text editor.

  • Page 572: Customizing Notification Messages

    Customizing Notification Messages Login to the agent interface and approve the request. When the server issues a certificate, you should receive a Certificate Issued email notification. Check the message to see if has the correct information. Login to the agent interface and revoke the certificate. You should receive an email message notifying you that the certificate has been revoked.

  • Page 573: Notification Message Templates

    Customizing Notification Messages You could change the message by changing the text and tokens, shown as follows: THE EXAMPLE COMPANY CERTIFICATE ISSUANCE CENTER Your certificate has been issued! You can pick up your new certficate at the following website: https://$HttpHost:$HttpPort/displayBySerial?op=displayBySerial&seri alNumber=$SerialNumber This certificate has been issued with the following information: Serial Number= 0x$HexSerialNumber...
  • Page 574 Customizing Notification Messages Table 12-1 Notification Templates (Continued) Filename Description Template for the Certificate Manager to send certIssued_CA.html HTML-based notifications to end entities upon issuance of certificates. Template for the Registration Manager to send certIssued_RA plain-text notifications to end entities upon issuance of certificates.

  • Page 575: Token Definitions

    Customizing Notification Messages Table 12-1 Notification Templates (Continued) Filename Description Template for the Certificate Manager or reqInQueue_RA.html Registration Manager to send plain-text notifications to agents when a request enters the queue. Token Definitions Table 12-2 lists and defines the tokens that can be used in the notification message templates.
  • Page 576 Customizing Notification Messages Table 12-2 Notification Tokens (Continued) Token Description Specifies the NotBefore attribute. $NotBefore Specifies the email address of the recipient. $RecipientEmail Specifies the request ID. $RequestId Specifies the email address of the requestor. $RequestorEmail Specifies the type of request that was made. $RequestType Specifies the date the certificate was revoked.

  • Page 577: Chapter 13 Automated Jobs

    Chapter 13 Automated Jobs Netscape Certificate Management System (CMS) provides a customizable Job Scheduler component that supports various mechanisms for scheduling jobs. cron This chapter explains how to configure CMS to use specific job plug-in modules for accomplishing jobs. This chapter contains the following sections: •...

  • Page 578: Setting Up Automated Jobs

    About Automated Jobs Setting Up Automated Jobs The automated jobs feature is set up by performing the following tasks: • Enabling and configuring the Job Scheduler; see “Setting Up the Job Scheduler” on page 579 for complete details. • Enabling and configuring one or more of the job modules and setting preferences for those job module;...

  • Page 579: Setting Up The Job Scheduler

    Setting Up the Job Scheduler UnpublishExpiredJob Expired certificates are not automatically removed from the publishing directory. If you configure a Certificate Manager or Registration Manager to publish certificates to an LDAP directory, over time the directory will contain expired certificates. job checks for certificates that have expired and are still UnpublishExpiredJob marked as published in the internal database at the configured time interval.

  • Page 580: Enabling And Configuring The Job Scheduler

    Setting Up the Job Scheduler Table 13-1 Time Format for Scheduling Jobs Field Value Minute 0-59 Hour 0-23 Day of month 1-31 Month of year 1-12 Day of week 0-6 (where 0=Sunday) For example, the following time entry specifies every hour at 15 minutes (1:15, 2:15, 3:15 and so on): 15 * * * * The following example specifies a job execution time of noon on April 12:...

  • Page 581: Setting Up Specific Jobs

    Setting Up Specific Jobs Enter information as appropriate: Enable Jobs Scheduler. Select this option to enable the Job Scheduler; deselect to disable the Job Scheduler. Disabling turns off all the jobs. Check Frequency. Type the frequency at which the Job Scheduler daemon thread should wake up and call the configured jobs that meet the cron specification.

  • Page 582: Enabling And Configuring Specific Jobs Using The Cms Console

    Setting Up Specific Jobs Enabling and Configuring Specific Jobs Using the CMS Console To enable and configure an automated job using the CMS console: Ensure that the Jobs Scheduler is enabled and configured; see “Setting Up the Job Scheduler,” on page 579 for more information. Log in to the CMS console (see “Logging Into the CMS Console”...

  • Page 583: Enabling Configuring Specific Jobs By Editing The Configuration File

    Setting Up Specific Jobs Click Edit/View. The Job Instance Editor window appears, showing how this job is currently configured. Select Enable and set each of the configuration settings by specifying them in the fields for this dialog. see “Configuration Parameters of RenewalNotifier RenewalNotificationJob,”...

  • Page 584: Configuration Parameters Of Renewalnotificationjob

    Setting Up Specific Jobs Edit all of the configuration parameters for the job module you are enabling and configuring. To configure , edit all parameters that begin with RenewalNotifier ; see “Configuration Parameters jobsScheduler.job.certRenewalNotifier of RenewalNotificationJob,” on page 584 for details about these parameters. To configure RequestInQueueJob, edit all parameters that begin with ;...
  • Page 585 Setting Up Specific Jobs Table 13-2 RenewalNotificationJob Parameters (Continued) Parameter Description Specifies the cron string specifying the schedule of when cron this job should be run. In other words, it specifies the time at which the Job Scheduler daemon thread should check the certificates for sending renewal notifications.

  • Page 586: Configuration Parameters Of Requestinqueuejob

    Setting Up Specific Jobs Table 13-2 RenewalNotificationJob Parameters (Continued) Parameter Description Specifies the path, including the filename, to the directory summary. that contains the template to be used to create the content itemTemplate and format of each item to be collected for the summary report (see the summary.emailTemplate parameter below).

  • Page 587: Configuration Parameters Of Unpublishexpiredjob

    Setting Up Specific Jobs Table 13-3 RequestInQueueJob Parameters (Continued) Parameter Description Specifies whether a summary of the job accomplished summary.enabled should be compiled and sent. Specify the value of this parameter as true to enable; specify the value of this parameter as false to disable.
  • Page 588 Setting Up Specific Jobs Table 13-4 UnpublishExpiredJob Parameters (Continued) Parameter Description Specifies the cron specification for when this job should be cron run. This is the time at which the Job Scheduler daemon thread checks the certificates for removing expired certificates from the publishing directory.

  • Page 589: Customizing Notification Messages

    Customizing Notification Messages Customizing Notification Messages The email notifications that are sent are constructed using a template for each type of message that is sent. Each type of message has an HTML template and a plain text template associated with it. Messages are constructed from text and tokens, and HTML markup in the case of HTML templates.

  • Page 590: Token Definitions

    Customizing Notification Messages Table 13-5 Notification Templates (Continued) Filename Description Template for formulating the summary report or riq1Summary.html table that summarizes how many requests are pending in the agent queue of a Certificate Manager or Registration Manager. RenewalNotificationJob Template for formulating the message content to be rnJob1.txt sent to end entities to inform them that their certificates are about to expire and that they should...
  • Page 591 Customizing Notification Messages Table 13-6 Tokens for the renewal-notification job’s summary report (Continued) Token Description Specifies the port number on which the Certificate $HttpPort Manager or Registration Manager is listening to certificate-renewal requests from end entities. Specifies the name of the job instance. $InstanceID Specifies the distinguished name of the certificate issuer.

  • Page 592: Managing Job Plug-Ins

    Managing Job Plug-ins Managing Job Plug-ins You can register a new job plug-in module or delete a job plug-in module. This section details how to perform these tasks. Registering or Deleting a Job Module You can register custom job plug-in modules from the CMS window. Registering a new module involves specifying the name of the module and the full name of the Java class that implements the module.

  • Page 593: Chapter 14 Revocation And Crls

    Chapter 14 Revocation and CRLs Netscape Certificate Management System (CMS) provides methods for revoking certificates and for producing lists of revoked certificates, called certificate revocation lists (CRLs). This chapter describes the methods for revoking a certificate, describes CMC Revocation, and provides details about CRLs and setting up CRLs.

  • Page 594: Authentication Of End Users During Certificate Revocation

    Revocation revoked or can revoke all certificates in the list. The end user can also specify additional details, such as the date of revocation and revocation reason for each certificate or for the list as a whole. For instructions on how end users revoke their certificates, see the online help available by clicking the Help buttons in the end-entity forms.

  • Page 595: Certificate Revocation Forms

    Revocation After successful authentication, if the server detects only one valid or expired certificate with matching subject name as that of the one presented for client authentication, it revokes the certificate. If the server detects more than one valid or expired certificate with matching subject name, it lists all those certificates.

  • Page 596: Cmcrevocation

    CMCRevocation If you want to change the forms to suit your organization’s requirements, you can edit the following files: • (the form that allows challenge password based ChallengeRevoke1.html revocation of client or personal certificates) • (the form that allows SSL client authenticated UserRevocation.html revocation of client or personal certificates) Both the files are located in the following directory:...

  • Page 597: Testing Cmc Revoke

    CMCRevocation <server_root>/bin/cert/tools This utility has the following syntax: CMCRevoke -d<dir to cert8.db, key3.db> -n<nickname> -i<issuerName> -s<serialName> -m<reason to revoke> -c<comment> where The directory where , and containing cert8.db key3.db secmod.db the agent certificate are located. The nickname of the agent’s certificate. The issuer name of the certificate being revoked.

  • Page 598: About Crls

    About CRLs .\CMCRevoke -d<dir to cert8.db, key3.db> -n<nickname> -i<issuerName> -s<serialName> -m<reason to revoke> -c<comment> For example, if the directory containing the agent certificate is , the .netscape nickname of the certificate is , and the serial RegistartionManagerAgentCert number of the certificate is , the command would look like this: .\CMCRevoke -d".\.netscape"...

  • Page 599: Reasons For Revoking A Certificate

    About CRLs One of the standard methods for conveying the revocation status of certificates is by publishing a list of revoked certificates. This list is known as a certificate revocation list (CRL). A CRL is a publicly available list of certificates that have been revoked.

  • Page 600: Revocation Checking By Netscape Servers

    About CRLs = Affiliation Changed—The owner of the certificate is no longer affiliated with the issuer of the certificate, and either no longer has rights to the access gained with the certificate or no longer needs it. = Certificate Superseded—Another certificate replaces the use of this one. = Cessation of Operation—The CA that issued the certificate ceases to operate.

  • Page 601: Crl Issuing Points

    About CRLs For information on setting up an OCSP responder, see Chapter 5, “OCSP Responder.” CRL Issuing Points Because CRLs can grow very large, several methods have been developed to minimize the overhead of retrieving and delivering large CRLs. One of these methods is based on partitioning the entire certificate space and associating a separate CRL with every partition.
  • Page 602 About CRLs When the CRL feature is enabled by enabling one or more issuing points, the server collects revocation information as certificates are revoked. The server attempts to match the revoked certificate against all issuing points that are set up. A given certificate can match none of the issuing points, one of the issuing points, several of the issuing points, or all of the issuing points.

  • Page 603: Setting Up The Issuance Of Crls

    Setting Up the Issuance of CRLs Setting Up the Issuance of CRLs The process of setting up the CRL feature includes the following tasks: The Certificate Manager will use its CA signing key to sign CRLs. If you want to use a separate signing key pair for CRLs, you need to set up a CRL singing key and change the Certificate Manager configuration to allow it to use this key to sign CRLs.

  • Page 604: Configuring Issuing Points

    Setting Up the Issuance of CRLs Setting up publishing of CRLs to files, and LDAP directory, or to an OCSP responder. See Chapter 15, “Publishing” for complete details about setting up publishing. Configuring Issuing Points You can create Issuing Points that define which certificates are included in new a CRL that is generated.

  • Page 605: Configuring Crls For Each Issuing Point

    Setting Up the Issuance of CRLs You need to configure this new issuing point, and set up any CRL extensions that will be used in this CRL. See “Configuring CRLs for Each Issuing Point,” on page 605 for details on configuring an issuing point. See “Setting CRL Extensions,”...
  • Page 606 Setting Up the Issuance of CRLs In the adjoining text field, type the interval, in minutes, at which the Certificate Manager should publish CRLs. For example, if you want the server to publish CRLs every day, you should type 1440 in this field. with a skew of.

  • Page 607: Setting Crl Extensions

    Setting Up the Issuance of CRLs If you selected Allow extensions for this issuing point, you need to configure the extensions for this issuing point. See “Setting CRL Extensions,” on page 607 for details. Setting CRL Extensions Complete this step only if you configured the Certificate Manager to create version 2 CRLs in the previous step—that is, if you selected the “Allow extensions”...

  • Page 608: Crl Extension Reference

    CRL Extension Reference CRL Extension Reference To enable you to issue or publish X.509 v2 CRLs (that is, CRLs with extensions), CMS provides a set of extension rules; each rule enables you to configure the Certificate Manager to set a particular CRL or CRL-entry extension in CRLs it issues.

  • Page 609: Crlnumber

    CRL Extension Reference CRLNumber rule enables you to configure a Certificate Manager to set the CRL CRLNumber Number Extension in CRLs. This extension specifies a monotonically increasing sequence number for each CRL issued by a CA, allowing CRL users to easily determine when a particular CRL supersedes another CRL.

  • Page 610: Deltacrlindicator

    CRL Extension Reference DeltaCRLIndicator rule enables you to configure a Certificate Manager to set the CRL DeltaCRL DeltaCRLIndicator Extension in CRLs. The extension is included in generated deltas, which constitutes them and provides reference to the base CRL. Enabling this extension also enables the generation of delta CRLs for this issuing point.

  • Page 611: Holdinstruction

    CRL Extension Reference Table 14-5 FreshestCRL Configuration Parameters (Continued) Parameter Description • If pointType is set to directoryName, the value must be a pointName<n> string in the form of X.500 name, similar to the subject name in a certificate. For example, CN=CACentral,OU=Research Dept,O=Example Corporation,C=US.

  • Page 612: Invaliditydate

    CRL Extension Reference InvalidityDate rule enables you to configure a Certificate Manager to set the InvalidityDate Invalidity Date Extension in CRL entries. The extension is a non-critical CRL entry extension that is used to specify the date on which it is known or suspected that the private key was compromised or that the certificate otherwise became invalid.
  • Page 613 CRL Extension Reference Table 14-8 IssuerAlternativeName Configuration Parameters (Continued) Parameter Description Specifies the total number of alternative names or identities permitted in numNames the extension. Note that each name has a set of configuration parameters— nameType and name—and you must specify appropriate values for each of those parameters;...

  • Page 614: Issuingdistributionpoint

    CRL Extension Reference Table 14-8 IssuerAlternativeName Configuration Parameters (Continued) Parameter Description • If the type is URL, the value must be a non-relative universal resource identifier (URI). For example: http://testCA.example.com. • If the type is iPAddress, the value must be a valid IP address specified in dot-separated numeric component notation.
  • Page 615 CRL Extension Reference Table 14-9 IssuingDistributionPoint Configuration Parameters Parameter Description Specifies whether the rule is enabled or disabled. Select to enable enable, deselect to disable (default). Select you want the server to mark the extension critical critical (default); deselect if you want the server to mark the extension noncritical.
  • Page 616 CRL Extension Reference Table 14-9 IssuingDistributionPoint Configuration Parameters (Continued) Parameter Description Select if the distribution point contains CA certificates onlyContainsCACerts only; deselect if the distribution point contains all types of revoked certificates (default). Select if the distribution point contains user certificates onlyContainsUserCerts only;...

  • Page 617: Chapter 15 Publishing

    Chapter 15 Publishing Netscape Certificate Management System (CMS) provides a customizable publishing framework for the Certificate Manager and the Registration Manager, enabling them to publish certificates, certificate revocation lists (CRLs), and other certificate-related objects to any of the supported repositories—an LDAP-compliant directory, a flat file, and an online validation authority—using the appropriate protocol.

  • Page 618: About Publishing

    About Publishing About Publishing CMS is capable of publishing certificates to a file or an LDAP directory, and CRLs to a file, an LDAP directory, or to an OSCP responder. The publishing feature is very flexible allowing you to publish to a file, publish to an LDAP directory, to an OSCP responder, or all three.

  • Page 619: About Publishers

    About Publishing About Publishers Publishers specify the location in which certificates and CRLs are published. In the case of publishing to a file, publishers specify the publishing directory. In the case of LDAP publishing, publishers specify the attribute in the directory that will store the certificate or CRL;...

  • Page 620: About Publishing To Files

    About Publishing About Publishing to Files The server can publish certificates and CRLs to flat files, which can then be imported into any repository, for example, into a relational database. If you configure the server to publish certificates and CRLs to flat files, it publishes them to files as DER-encoded binary blobs.

  • Page 621: About Ocsp Publishing

    About Publishing If the server and publishing directory become out of sync for some reason, privileged users (administrators and agents) can also manually initiate the publishing process. For instructions, see “Manually Updating the CRL in the Directory” on page 662. About OCSP Publishing CMS provides two forms of OCSP services, an internal service and the Online Certificate Status Manager subsystem.

  • Page 622: Setting Up Publishing

    Setting Up Publishing When a rule is matched, the certificate or CRL is published according to the method and location specified in the publisher associated with that rule. For example, if a rule matches all certificates issued to users, and the rule has a publisher that publishes to a file in the location , the /etc/cms/certificates...
  • Page 623 Setting Up Publishing If you are publishing everything to one location, create one publisher specifying the location where you want to publish all files. If you are publishing to separate locations, create a publisher for each location you will publish to specifying the location you will publish. You can split these up by certificates and CRLs, or by even finer definitions.
  • Page 624 Setting Up Publishing For LDAP publishing, you need to set up Mappers to enable an entries’ DN to be derived from the certificate’s subject name. Generally, you will need to set one up for the CA certificate, CRLs and for user certificates. You can also set more than one up for a particular type.

  • Page 625: Publishers

    Publishers Publishers Publishers allow you to specify the location where you want a particular object published. In the case of publishing to a file, a publisher specifies a particular location in which you want to publish the files. You can publish everything to one location, or you can create publishers for each location you want to publish to.
  • Page 626 Publishers Click Add. The Select Publisher Plug-in Implementation window appears. It lists registered publisher modules. Select the module named FileBasedPublisher This is the only Publisher module that enables the Certificate Manager to publish certificates and CRLs to files. Click Next. The Publisher Editor window appears.

  • Page 627: Configuring Publishers For Publishing To Ocsp

    Publishers Fill in the following fields in this window: Publisher ID. Type a name for the rule. Be sure to use an alphanumeric string with no spaces. For example, PublishCertsToFile directory. Type the complete path to the directory in which the Certificate Manager should create the DER-encoded files;...
  • Page 628 Publishers Creating a Publisher for File Publishing To create publishers for publishing to files: Log in to the CMS console for the Certificate Manager (see “Logging Into the CMS Console” on page 247). Select the Configuration tab. In the navigation tree, select Certificate Manager, select Publishing, and then select Publishers.
  • Page 629 Publishers Select the module named OCSPPublisher This is the only Publisher module that enables the Certificate Manager to publish CRLs to the Online Certificate Status Manager. Click Next. The Publisher Editor window appears. Fill in the following fields in this window: Publisher ID.

  • Page 630: Configuring Publishers For Ldap Publishing

    Publishers Configuring Publishers for LDAP Publishing The Certificate Manager creates, configures, and enables a set of publishers that are associated with LDAP publishing as follows: • Used to publish Certificate Authrority certificates to LdapCaCertPublisher the LDAP directory. • Used to publish CRLs to the LDAP directory. LdapCrlPublisher •...
  • Page 631 Publishers FileBasedPublisher plug-in module enables you to configure a Certificate FileBasedPublisher Manager to publish certificates and CRLs to files. By default, the Certificate Manager does not create an instance of the module. FileBasedPublisher Table 15-1 FileBasedPublisher Configuration Parameters Parameter Description Specifies a name for the publisher.
  • Page 632 Publishers LdapUserCertPublisher plug-in module enables you to configure a LdapUserCertPublisher Certificate Manager to publish or unpublish a user certificate to the attribute of the user’s directory entry. userCertificate;binary You can use this module to publish any end-entity certificate to an LDAP directory. Types of end-entity certificates include SSL client, S/MIME, SSL server, object signing, router, and OCSP responder.
  • Page 633 Publishers LdapDeltaCrlPublisher plug-in module enables you to configure a LdapDeltaCrlPublisher Certificate Manager to publish or unpublish a delta CRL to the attribute of a directory entry. deltaRevocationList;binary During installation, the Certificate Manager automatically creates an instance of module for publishing CRLs to the directory. LdapDeltaCrlPublisher Table 15-5 LdapDeltaCrlPublisher Configuration Parameters Parameter...

  • Page 634: Mappers

    Mappers OCSPPublisher plug-in module enables you to configure a Certificate OCSPPublisher Manager to publish its CRLs to an Online Certificate Status Manager. During installation, the Certificate Manager does not create any instances of the module. OCSPPublisher Table 15-7 OCSPPublisher Parameters Parameter Description Specifies the fully qualified hostname of the Online Certificate...
  • Page 635 Mappers • —for locating the correct attribute of the CA’s entry in the LdapCrlMap directory in order to publish the CRL. • —for locating the correct attribute of the CA’s entry in the LdapCaCertMap directory in order to publish the CA certificate. You can use these mappers, or create instances of the other LDAP mapper plug-ins available and configure those.
  • Page 636 Mappers To modify an existing mapper: In the Mapper list, select a mapper that you want to modify. Click Edit/View. The Mapper Editor window appears. Go to step 6. To create a new mapper instance: Click Add. The Select Mapper Plugin Implementation window appears. It lists registered mapper modules.

  • Page 637: Mapper Plug-In Modules Reference

    Mappers Mapper Plug-in Modules Reference This section describes the mapper plug-in modules provided for the Certificate Manager. You can use these modules to configure a Certificate Manager to enable and configure specific Mapper instances. The available mapper plug-in modules include the following: •...
  • Page 638 Mappers If the mapper fails to create a second CA entry, be sure to check the base DN that the uid uniqueness plug-in is set to (in the file) and also check if slapd.ldbm.conf an entry with the same UID already exists in the directory. If it’s true, adjust the mapper setting, remove the old CA entry, comment out the plug-in, or create the entry manually using the Console window.
  • Page 639 Mappers Table 15-8 LdapCaSimpleMap Configuration Parameters (Continued) Parameter Description Example 1: uid=CertMgr, o=Example Corporation Example 2: CN=$subj.cn,OU=$subj.ou,O=$subj.o,C=US Example 3: uid=$req.HTTP_PARAMS.uid, E=$ext.SubjectAlternativeName.RFC822Name,ou=$subj. In the above examples, $req means take the attribute from the certificate request, $subj means take the attribute from the certificate subject name, and $ext means take the attribute from the certificate extension.
  • Page 640 Mappers LdapDNExactMap plug-in module enables you to configure a Certificate LdapDNExactMap Manager to map a certificate to an LDAP directory entry by searching for the LDAP entry DN that matches the certificate subject name. Note that to be able to use this mapper, each certificate subject name must exactly match a DN in a directory entry.
  • Page 641 Mappers In the above examples, means take the attribute from the certificate request, $req means take the attribute from the certificate subject name, and means $subj $ext take the attribute from the certificate extension. LdapSubjAttrMap plug-in module enables you to configure a Certificate LdapSubjAttrMap Manager to map a certificate to an LDAP directory entry by using the LDAP attribute named...
  • Page 642 Mappers LdapDNCompsMap plug-in module implements the DN components mapper. LdapDNCompsMap This mapper enables you to configure a Certificate Manager to map a certificate to an LDAP directory entry by constructing the entry’s distinguished name from components (such as , and ) specified in the certificate subject name, and then using it as the search DN to locate the entry in the directory.
  • Page 643 Mappers • , which represents an organization in the directory • , which represents a locality in the directory • , which represents a state in the directory • , which represents a country in the directory For example, the following DN represents the user named Jane Doe who works for the Sales department at Example Corporation, which is located in Mountain View in the state of California, United States: CN=Jane Doe, E=jdoe@example.com, OU=Sales, O=Example Corporation,...
  • Page 644 Mappers In general, for the parameter, you should enter those DN components that dnComps the Certificate Manager can use to form the LDAP DN exactly. In certain situations, however, the subject name in a certificate may match more than one entry in the directory.
  • Page 645 Mappers Table 15-10 LdapDNCompsMap Configuration Parameters Parameter Description Specifies the DN to start searching for an entry in the publishing baseDN directory. If you leave the dnComps field blank, the server uses the base DN value to start its search in the directory. Specifies where in the publishing directory the Certificate dnComps Manager should start searching for an LDAP entry that matches...

  • Page 646: Rules

    Rules Rules You set up Rules to determine what exactly gets published where. Rules work independently, not in tandem. A certificate or CRL that is being published is matched against every rule. Any rule to which it matches is activated. In this way, the same certificate can be published to a file, to an Online Certificate Status Manager, and to an LDAP directory by matching a file-based rule, an OCSP rule, and matching a directory-based rule.
  • Page 647 Rules To edit an existing rule, select that rule from the list and click Edit. The Rule Editor window appears. To create a rule: Click Add. The Select Rule Plugin Implementation window appears. Chapter 15 Publishing...
  • Page 648 Rules Select the module named Rule This is the only module. (If you have registered any custom modules, they too will be available for selection.) Click Next. The Rule Editor window appears. Enter the appropriate information: Rule ID. Type a name for the rule that will help you identify it later; use an alphanumeric string with no spaces.
  • Page 649 Rules type. Select the type value from the list. The type value depends on which type of certificate this rule applies. For a Certificate Manager signing certificate, the value is . For a cross-signed certificate, the value is . For all other cacert xcert types of certificates, the value is...

  • Page 650: Rule Instance Reference

    Rules Table 15-12 lists the predicates that can be used to identify CRL issuing points and delta CRLs. Table 15-12 CRL Predicate Expressions Predicate Type Predicate CRL Issuing issuingPointId=Issuing_Point_Instance_ID && isDeltaCRL=[true|false] Point To publish only the master CRL, set isDeltaCRL=false in order to publish only the master CRL.
  • Page 651 Rules Table 15-13 LdapCaCert Rule Configuration Parameters Parameter Value Description publisher LdapCaCertPublisher Specifies the publisher used with this rule. See “LdapCaCertPublisher,” on page 631 for details on this publisher. LdapXCertRule can be used to publish cross-pair certificates to an LDAP LdapXCertRule directory.
  • Page 652 Rules Table 15-15 LdapXCert Rule Configuration Parameters Parameter Value Description type certs Specifies the type of certificate that will be published. Select from the pull down menu. predicate Specifies a predicate for this publisher. enable Select to enable. mapper LdapUserCertMap Specifies the mapper used with this rule.

  • Page 653: Enabling Publishing

    Enabling Publishing Table 15-16 LdapCRL Rule Configuration Parameters Parameter Value Description publisher LdapCrlPublisher specifies the publisher used with this rule. See “LdapCrlPublisher,” on page 632 for details on this publisher. Enabling Publishing You can enable just file publishing, or both LDAP and file publishing. You should enable publishing after setting up publishers, rules, and mappers.
  • Page 654 Enabling Publishing Directory manager DN. Type the distinguished name (DN) of the directory entry that has directory manager privileges. The Certificate Manager uses this DN to access the directory tree and to publish to the directory. The access control set up for this DN determines whether the Certificate Manager can perform publishing.

  • Page 655: Testing Publishing To Files

    Testing Publishing to Files Testing Publishing to Files To verify that the Certificate Manager is publishing certificates and CRLs correctly to files, follow these steps: Go to the end-entity interface and request a certificate. Go to the agent services interface and approve the request if you have an agent-approved enrollment configuration.
  • Page 656 Testing Publishing to Files When the conversion is complete, open the file in a text editor. cert.txt You should see a base-64 encoded certificate similar to this: -----BEGIN CERTIFICATE----- MMIIBtgYJYIZIAYb4QgIFoIIBpzCCAZ8wggGbMIIBRaADAgEAAgEBMA0GCSqG SIb3DQEBBAUAMFcxC AJBgNVBAYTAlVTMSwwKgYDVQQKEyNOZXRzY2FwZSBDb21tdW5pY2F0aWhfyyu ougjgjjgmkgjkgmjg fjfgjjjgfyjfyj9ucyBDb3Jwb3JhdGlvbjpMEaMBgGA1UECxMRSXNzdWluZyh gdfhbfdpffjphotoo gdhkBBdXRob3JpdHkwHhcNOTYxMTA4MDkwNzM0WhcNOTgxMTA4MDkwNzMM0Wj BXMQswCQYDVQQGEwJ VUzEsMCoGA1UEChMjTmV0c2NhcGUgQ29tbXVuaWNhdGlvbnMgQ29ycG9yY2F0 aW9ucyBDb3Jwb3Jhd GlvbjpMEaMBgGA1UECxMRSXNzdWluZyBBdXRob3JpdHkwHh -----END CERTIFICATE----- Convert the base 64-encoded certificate to a human-readable form using the Pretty Print Certificate tool (see Chapter 9, “Pretty Print Certificate Tool”...

  • Page 657: Configuring The Directory For Ldap Publishing

    Configuring the Directory for LDAP Publishing Compare the output with the certificate you issued; be sure to check the serial number in the certificate with the one used in the filename. If everything matches, the Certificate Manager is configured correctly to publish certificates to files.

  • Page 658: Schema

    Configuring the Directory for LDAP Publishing Schema For a Certificate Manager to publish certificates and CRLs to a directory, it must be configured with specific attributes and object classes. This section discusses those basic schema requirements. Required Schema for Publishing End-Entity Certificates The Certificate Manager publishes an end entity’s certificate to the attribute within the end entity’s or subject’s directory userCertificate;binary...

  • Page 659: Entry For The Ca

    Configuring the Directory for LDAP Publishing Entry for the CA You can have the Certificate Manager automatically create an entry for the CA in your directory. You specify this option in both the CA and CRL mapper instance you set up; it is enabled by default in both mappers. If you have restricted your directory in such a way that the Certificate Manager is not allowed to create entries in the directory, you will have to tun off this option in those mapper instances and add an entry for the CA manually in the directory.

  • Page 660: Directory Authentication Method

    Updating Certificates and CRLs in a Directory • Use the DN of an existing entry that has write access. For example, you can use the entry of the Directory Manager or choose an alternative. • Give write access to a user entry created for this purpose. The entry can be identified by the Certificate Manager’s DN.

  • Page 661: Manually Updating Certificates In The Directory

    Updating Certificates and CRLs in a Directory The following choices are available for synchronizing the directory with the internal database: • Search the internal database for certificates that are out of sync and publish or unpublish accordingly. • Publish certificates that were issued from time A to time B while Directory Server was down.

  • Page 662: Manually Updating The Crl In The Directory

    Updating Certificates and CRLs in a Directory Select the Update Directory Server link. The Update Directory Server page appears. Select the appropriate options. When you are done specifying the changes that you want updated, click Update Directory. The Certificate Manager starts updating the directory with the certificate information in its internal database.

  • Page 663: Registering And Deleting Mapper And Publisher Plug-In Modules

    Registering and Deleting Mapper and Publisher Plug-in Modules To manually update the CRL information in the directory: Go to the Certificate Manager Agent Services page. You must submit the proper client certificate to get access to this page. Select Update Revocation List. The Update Certificate Revocation List page appears.
  • Page 664 Registering and Deleting Mapper and Publisher Plug-in Modules To register or delete a publisher module, select Publishers, and then in the right pane, select the Publisher Plugin Registration tab. To delete a plug-in, select the plug-in and click delete. Confirm the deletion in the popup window that appears.

  • Page 665: Appendix A Common Criteria Environment: Security Requirements

    Appendix A Common Criteria Environment: Security Requirements The text in this document is copied directly from the ST (Security Target). Security Requirements for the IT Environment This chapter specifies the security functional requirements that are applicable to the IT environment. Table A-1 IT Environment Functional Security Requirements Security Functional Class...

  • Page 666: Security Audit (Fau)

    Security Requirements for the IT Environment Table A-1 IT Environment Functional Security Requirements Security Functional Class Security Functional Components FDP_ITT.1 Basic internal transfer protection (iterations 1 and 2) FDP_UCT.1 Basic data exchange confidentiality (iteration 1) Identification and authentication FIA_AFL.1 Authentication failure handling (FIA) FIA_ATD.1 User attribute definition FIA_UAU.1 Timing of authentication (iteration 1)
  • Page 667 Security Requirements for the IT Environment FAU_GEN.1.1 The IT environment shall be able to generate an audit record of the following auditable events: Start-up and shutdown of the audit functions; All auditable events for the minimum level of audit; and The events listed in Table 2 below.
  • Page 668 Security Requirements for the IT Environment Table A-2 Auditable Events and Audit Data Section/Function Component Event Additional Details An Administrator changes the type of authenticator, e.g., from password to biometrics Account Roles and users are added or Administration deleted The access control privileges of a user account or a role are modified FAU_GEN.2 User identity association (iteration 1)

  • Page 669: Cryptographic Support (Fcs)

    Security Requirements for the IT Environment FAU_SEL.1.1 The IT environment shall be able to include or exclude auditable events from the set of audited events based on the following attributes: [event type]. FAU_STG.1 Protected audit trail storage (iteration 1) FAU_STG.1.1 The IT environment shall protect the stored audit records from unauthorized deletion.

  • Page 670: Identification And Authentication (Fia)

    Security Requirements for the IT Environment FDP_ACF.1 Security attribute based access control (iteration 1) FDP_ACF.1.1 The IT environment shall enforce the CIMC IT Environment Access Control Policy specified in “CIMC TOE Access Control Policy,” on page 675 to objects based on the identity of the subject and the set of roles that the subject is authorized to assume.

  • Page 671: Security Management (Fmt)

    Security Requirements for the IT Environment FIA_AFL.1.1 If authentication is not performed in a cryptographic module that has been FIPS 140-1 validated to an overall Level of 2 or higher with Level 3 or higher for Roles and Services, the IT environment shall detect when an Administrator configurable maximum authentication attempts unsuccessful authentication attempts have occurred since the last successful authentication for the indicated user identity.
  • Page 672 Security Requirements for the IT Environment FMT_MOF.1.1 The IT environment shall restrict the ability to modify the behavior of the functions listed in Table 4 to the authorized roles as specified in Table A-4. Authorized Roles for Management of Security Functions Behavior Table A-4 Section/Function Function/Authorized Role...

  • Page 673: Protection Of The Tsf (Fpt)

    Security Requirements for the IT Environment FMT_MTD.1.1 The IT environment shall restrict the ability to view (read) or delete the audit logs to Auditors. FMT_SMR.2 Restrictions on security roles FMT_SMR.2.1 The IT environment shall maintain the roles: Administrator, Auditor, and Officer. FMT_SMR.2.2 The IT environment shall be able to associate users with roles.
  • Page 674 Security Requirements for the IT Environment FPT_ITT.1 Basic internal TSF data transfer protection (iteration 1) FPT_ITT.1.1 The IT environment shall protect security-relevant IT environment data from modification when it is transmitted between separate parts of the IT environment. FPT_ITT.1 Basic internal TSF data transfer protection (iteration 2) FPT_ITT.1.1 The IT environment shall protect confidential IT environment data from disclosure when it is transmitted between separate parts of the IT...

  • Page 675: Trusted Path/Channels (Ftp)

    Security Requirements for the IT Environment FPT_TST_CIMC.3 Software/firmware load test FPT_TST_CIMC.3.1 A cryptographic mechanism using a FIPS-approved or recommended authentication technique (e.g., an authentication code, keyed hash, or digital signature algorithm) shall be applied to all security-relevant software and firmware that can be externally loaded into the CIMC. FPT_TST_CIMC.3.2 The IT environment shall verify the authentication code, keyed hash, or digital signature whenever the software or firmware is externally...
  • Page 676 Security Requirements for the IT Environment Content of the access request, and, Possession of a secret or private key, if required. Subject identification includes: • Individuals with different access authorizations • Roles with different access authorizations • Individuals assigned to one or more roles with different access authorizations Access type, with explicit allow or deny: •...

  • Page 677: Appendix B Common Criteria Environment: Setup And Operations

    Appendix B Common Criteria Environment: Setup and Operations This chapter provides information about the configuration used to set up Netscape Certificate Management System (CMS) in the Common Criteria Environment. For an overview of PKI, see Appendix J, “Introduction to Public-Key Cryptography.” This chapter contains the following sections: •...

  • Page 678: Toe Security Environment Assumptions

    TOE Security Environment Assumptions TOE Security Environment Assumptions For information about the TOE Security Environment, see Appendix E, “Common Criteria Environment: TOE Security Environment Assumptions”. Security Requirements for the IT Environment The security requirements for the IT environment are detailed in Appendix A, “Common Criteria Environment: Security Requirements.”...

  • Page 679: Password And Certificate Storage

    IT Environment Assumptions Password and Certificate Storage Plan for the storage of any passwords and certificates. Also plan your user password policy. Make sure everyone knows and adheres to these policies. Hardware Token This environment requires a FIPS 140-1 level 3 certified hardware cryptographic module.

  • Page 680: Supported Operating Systems

    Note: CMS does not store user secret keys, and it does not support the export of component (subsystem) private or secret keys. Supported Operating Systems CMS runs on the Solaris 2.8 and RedHat Advanced Server 2.1 operating systems. Supported Browsers The browsers that are supported in the Common Criteria Environment are Netscape 4.79, Netscape 6.2, and Netscape 7.x.
  • Page 681 CMS Privileged Users and Groups (Roles) Can approve fields/extensions (to be included in a certificate) of certificate profiles that have been enabled and configured by the Administrator (via SSL-capable browsers to the CA Agent interface). Can run tools (CMCEnroll and CMCRevoke) to pre-approve certificate enrollment and revocation requests.

  • Page 682: Drm

    CMS Privileged Users and Groups (Roles) Can approve fields/extensions (to be included in a certificate) of certificate profiles that have been enabled and configured by the Administrator (via SSL-capable browsers to the RA Agent interface). • Auditors Can view signed audit logs (from the IT environment). This is the only role allowed this privilege.

  • Page 683: Ocsp

    CMS Privileged Users and Groups (Roles) communicate with the DRM securely, the DRM administrator creates a CA user in the DRM with the Trusted Manager role. All communications between the CA and DRM are then made through this special user with the CA’s certificate over SSL client-authentication and Trusted Manager role authorization.

  • Page 684: Cms Common Criteria Environment Setup And Installation Guide

    CMS Common Criteria Environment Setup and Installation Guide • Administrator The Administrator role is divided into finer-grained sub-roles, each bearing different responsibilities: Administrators for the CA, RA, DRM, and OCSP subsystems Online Certificate Status Manager Agents • Officer Certificate Manager Agents Data Recovery Manager Agents Registration Manager Agents •...
  • Page 685 CMS Common Criteria Environment Setup and Installation Guide Appendix B Common Criteria Environment: Setup and Operations...
  • Page 686 CMS Common Criteria Environment Setup and Installation Guide Netscape Certificate Management System Administrator’s Guide • February 2003...

  • Page 687: Appendix C Understanding The Common Criteria Evaluated Cms Setup

    Appendix C Understanding the Common Criteria Evaluated CMS Setup This document describes at a high level the steps for setup, installation, and configuration of the Netscape Certificate Management System (CMS) in an IT environment of the kind described in “IT Environment Assumptions” on page 678. It gives administrators an idea of what's ahead before starting them on the exact setup steps involved in installation and setup.

  • Page 688: Cms Roles Assignment

    Understanding the Common Criteria Environment Operating System Environment Because CMS relies on the IT environment to provide the basic operating system file system security, inter-process communication, and process space protection, it is highly recommended that you install and run CMS on an operation system certified at a Common Criteria assurance level no less than the level of CMS itself.

  • Page 689: Understanding Cms Installation

    Understanding CMS Installation When you begin installation, you will be instructed to create a special user ID, which you will then use to log in to the Operating System when you install CMS. This user ID will be the effective user ID of the CMS server itself during runtime. You will then need to create groups for the auditor and administrator roles, which you must then assign to the actual user IDs for the CMS administrators and CMS auditor users on the operating system.

  • Page 690: Ssl Client Authentication With The Internal Database

    Understanding CMS Installation SSL Client Authentication with the Internal Database In the Common Criteria Environment, the internal LDAP database used by the subsystem must be set up for SSL client authentication. You will be instructed on how to set this up when you follow instructions in the document CMS Common Criteria Setup Procedure.

  • Page 691: Common Criteria Deployment Scenarios

    Common Criteria Deployment Scenarios Common Criteria Deployment Scenarios As long as the subsystems you install are installed and configured following the Common Criteria Environment rules and guidelines contained in this chapter, you can deploy CMS in any deployment scenario you wish. You can set up a root CA, for example, a CA subordinate to a CMS CA, a CA subordinate to a public third-party CA, or have any number of CAs in vertical or horizontal chains as long as they follow the constraints contained in the CA signing certificate.

  • Page 692: Understanding Subsystem Setup

    Understanding Subsystem Setup • Adding a custom plug-in, which in essence breaks the Common Criteria assurance. If adding custom plug-ins is inevitable, it is the responsibility of all role users to carefully evaluate these plug-ins before making them part of the system.

  • Page 693: Audit Logs

    Understanding Subsystem Setup You can also configure new groups and assign them privileges other than the default privileges assigned to the default groups, thus creating new roles in the subsystem. You do this by creating a group, setting up ACIs for this group in the ACLs pertinent to the privileges you want to define for this group.

  • Page 694: Certificate Policies

    Understanding Subsystem Setup Certificate Policies The non-profiles policy feature is not part of the Common Criteria Environment. All enrollments are set up using the certificate profiles feature. Authentication In the Common Criteria Environment, you can enable and configure the agent-approved authentication method or any of the authentication plug-ins in conjunction with a certificate profile.

  • Page 695: Notifications

    Understanding Subsystem Setup Notifications Automated email notifications are event-driven tasks that send out an email via SMTP when a specified event occurs. You can set up any of the available Notification plug-ins in the Common Criteria Environment. Custom plug-ins for the Notification feature are not part of the Common Criteria Environment, however.

  • Page 696: Key Archival And Recovery

    Common Criteria Environment Setup Procedures The first scenario involves setting up a user in the Certificate Manager for the Registration Manager. This user is assigned to the trusted managers group, and its certificate is stored in the database for the Certificate Manager. You can then set up the Registration Manger to communicate with the Certificate Manager.

  • Page 697: Appendix D Common Criteria Environment: Security Objectives

    1.1 Security Objectives for the TOE Appendix D Common Criteria Environment: Security Objectives The text in this document is copied directly from the ST (Security Target). This section includes the security objectives including security objectives for the TOE, security objectives for the environment, and security objectives for both the TOE and environment.

  • Page 698: 1.1.2 System

    1.2 Security Objectives for the Environment 1.1.2 System O. Preservation/trusted recovery of secure state Preserve the secure state of the system in the event of a secure component failure and/or recover to a secure state. Sufficient backup storage and effective restoration Provide sufficient backup storage and effective restoration to ensure that the system can be recreated.

  • Page 699: Non-It Security Objectives For The Environment

    1.2 Security Objectives for the Environment 1.2.1 Non-IT security objectives for the environment O. Administrators, Operators, Officers and Auditors guidance documentation Deter Administrator, Operator, Officer or Auditor errors by providing adequate documentation on securely configuring and operating the CIMC. O. Auditors Review Audit Logs Identify and monitor security-relevant events by requiring auditors to review audit logs on a frequency sufficient to address level of risk.
  • Page 700 1.2 Security Objectives for the Environment O. Installation Those responsible for the TOE must ensure that the TOE is delivered, installed, managed, and operated in a manner which maintains IT security. O. Malicious Code Not Signed Protect the TOE from malicious code by ensuring all code is signed by a trusted entity prior to loading it into the system.

  • Page 701: 1.2.2 It Security Objectives For The Environment

    1.3 Security Objectives for both the TOE and the Environment 1.2.2 IT security objectives for the environment O. Cryptographic functions The TOE must implement approved cryptographic algorithms for encryption/decryption, authentication, and signature generation/verification; approved key generation techniques and use validated cryptographic modules. (Validated is defined as FIPS 140-1 validated.) O.
  • Page 702 1.3 Security Objectives for both the TOE and the Environment O. Configuration Management Implement a configuration management plan. Implement configuration management to assure identification of system connectivity (software, hardware, and firmware), and components (software, hardware, and firmware), auditing of configuration data, and controlling changes to configuration items. O.
  • Page 703 1.3 Security Objectives for both the TOE and the Environment O. Object and data recovery free from malicious code Recover to a viable state after malicious code is introduced and damage occurs. That state must be free from the original malicious code. O.
  • Page 704 1.3 Security Objectives for both the TOE and the Environment O. React to detected attacks Implement automated notification (or other responses) to the TSF-discovered attacks in an effort to identify attacks and to create an attack deterrent Netscape Certificate Management System Administrator’s Guide • February 2003...

  • Page 705: Appendix E Common Criteria Environment: Toe Security Environment Assumptions

    1.1 Secure Usage Assumptions Appendix E Common Criteria Environment: TOE Security Environment Assumptions The text in this document is copied directly from the ST (Security Target). This section includes the following: • 1.1 Secure Usage Assumptions • 1.2 Threats • 1.3 Organization Security Policies 1.1 Secure Usage Assumptions The usage assumptions are organized in three categories: personnel (assumptions...
  • Page 706 1.1 Secure Usage Assumptions A. Authentication Data Management An authentication data management policy is enforced to ensure that users change their authentication data at appropriate intervals and to appropriate values (e.g., proper lengths, histories, variations, etc.) (Note: this assumption is not applicable to biometric authentication data.) A.

  • Page 707: 1.1.2 Physical Assumptions

    1.2 Threats 1.1.2 Physical Assumptions A. Communications Protection The system is adequately physically protected against loss of communications i.e., availability of communications. A. Physical Protection The TOE hardware, software, and firmware critical to security policy enforcement will be protected from unauthorized physical modification. 1.1.3 Connectivity Assumptions A.

  • Page 708: 1.2.2 System

    1.2 Threats T. User error makes data inaccessible User accidentally deletes user data rendering user data inaccessible. T. Administrators, Operators, Officers and Auditors commit errors or hostile actions An Administrator, Operator, Officer or Auditor commits errors that change the intended security policy of the system or application or maliciously modify the system’s configuration to allow security violations to occur.

  • Page 709: 1.2.4 External Attacks

    1.3 Organization Security Policies T. Modification of private/secret keys A secret/private key is modified. T. Sender denies sending information The sender of a message denies sending the message to avoid accountability for sending the message and for subsequent action or inaction. 1.2.4 External Attacks T.
  • Page 710 1.3 Organization Security Policies Netscape Certificate Management System Administrator’s Guide • February 2003...

  • Page 711: Appendix F Certificate Download Specification

    Appendix F Certificate Download Specification This appendix describes the data formats used by Netscape Communicator 4.x for installing certificates. It also describes how certificates are imported into different environments. This appendix contains the following sections: • “Data Formats,” on page 711 •...

  • Page 712: Text Formats

    Data Formats • PKCS #7 certificate chain This is a PKCS #7 object. The only significant field in the SignedData object is the certificates. In particular, the signature and the SignedData contents are ignored. In future versions of the software, the CRLs will also be used.

  • Page 713: Importing Certificate Chains

    Importing Certificate Chains Importing Certificate Chains Several of the supported formats can contain multiple certificates. When the Netscape certificate decoder encounters a collection of certificates, it handles them as follows: • The first certificate is processed in a context-specific manner, which varies according to how it is being imported.

  • Page 714: Importing Certificates Into Netscape Servers

    Importing Certificates into Netscape Servers If a certificate chain is being imported, the first certificate in the chain must be the CA certificate, and Communicator adds any subsequent certificates in the chain to the local database as untrusted CA certificates. •...
  • Page 715 Object Identifiers netscape-data-type OBJECT IDENTIFIER :: = { netscape 2 } netscape-cert-sequence OBJECT IDENTIFIER :: = { netscape-data-type 5 Appendix F Certificate Download Specification...
  • Page 716 Object Identifiers Netscape Certificate Management System Administrator’s Guide • February 2003...

  • Page 717: Appendix G Certificate And Crl Extensions

    Appendix G Certificate and CRL Extensions This appendix explains both the standard certificate extensions defined by X.509 v3 and the extensions defined by Netscape that were used in versions of products released before X.509 v3 was finalized. It also provides recommendations for extensions to use with specific kinds of certificates, including both PKIX Part 1 recommendations and Netscape extensions that must be supported for compatibility with early versions of Netscape products.
  • Page 718 Introduction to Certificate Extensions • Trust— The X.500 specification establishes trust by means of a strict directory hierarchy. By contrast, Internet and extranet deployments frequently involve distributed trust models that do not conform to the hierarchical X.500 approach. • Certificate use—Some organizations may wish to restrict the use of certificates for policy reasons.

  • Page 719: Structure Of Certificate Extensions

    Introduction to Certificate Extensions Before the X.509 v3 standard was finalized, Netscape and other companies had to address some of the most pressing issues listed above with their own extension definitions. For example, Netscape applications (Netscape Navigator 3.0 or higher, and Enterprise Server 2.01 or higher) support an extension known as Netscape Certificate Type Extension that specifies the type of certificate issued, such as client, server, or object signing.
  • Page 720 Introduction to Certificate Extensions This identifier uniquely identifies the extension. It also determines the ASN.1 type of value in the value field and how the value is interpreted. That is, when an extension appears in a certificate, the OID appears as the extension ID field ) and the corresponding ASN.1 encoded structure appears as the value extnID of the octet string (...

  • Page 721: Sample Certificate Extensions

    Introduction to Certificate Extensions Sample Certificate Extensions The following is an example of the section of a certificate containing X.509 v3 extensions. (CMS can display certificates in human-readable format, as shown here.) As shown in the example, certificate extensions appear in sequence and only one instance of a particular extension may appear in a particular certificate;...
  • Page 722 Introduction to Certificate Extensions Secure Email CA ObjectSigning CA Identifier: Basic Constraints - 2.5.29.19 Critical: yes Is CA: yes Path Length Constraint: UNLIMITED Identifier: Subject Key Identifier - 2.5.29.14 Critical: no Key Identifier: 3B:46:83:85:27:BC:F5:9D:8E:63:E3:BE:79:EF:AF:79: 9C:37:85:84 Identifier: Authority Key Identifier - 2.5.29.35 Critical: no Key Identifier: 3B:46:83:85:27:BC:F5:9D:8E:63:E3:BE:79:EF:AF:79:...

  • Page 723: Standard X.509 V3 Certificate Extensions

    Standard X.509 v3 Certificate Extensions Standard X.509 v3 Certificate Extensions This section summarizes the extension types that are defined as part of the Internet X.509 Version 3 standard, as of September 1998, and indicates which types are recommended by the PKIX working group. This section summarizes important information about each certificate.
  • Page 724 Standard X.509 v3 Certificate Extensions PKIX Part 1 defines one ) to get a list of CAs that accessMethod id-ad-caIssuers have issued certificates higher in the CA chain than the issuer of the certificate using the extension. The field then typically contains a URL accessLocation indicating the location and protocol (LDAP, HTTP, FTP) used to retrieve the list.
  • Page 725 Standard X.509 v3 Certificate Extensions by matching the fields in the SubjectName CertificateSerialNumber issuer’s certificate against the authortiyCertIssuer in the extension of the authorityCertSerialNumber AuthorityKeyIdentifier subject certificate. CMS Version Support Supported since CMS 4.1. Refer to “AuthorityKeyIdentifierExt” on page 513. Note that CMS does not use or support the field in authorityCertSerialNumber...
  • Page 726 Standard X.509 v3 Certificate Extensions Criticality This extension may be critical or noncritical. Discussion The Certificate Policies extension defines one or more policies, each of which consists of an OID and optional qualifiers. The extension can include a URI to the issuer’s Certificate Practice Statement or can embed issuer policy information, such as a user notice in text form.
  • Page 727 Standard X.509 v3 Certificate Extensions extKeyUsage 2.5.29.37 Criticality If this extension is marked critical, the certificate must be used for one of the indicated purposes only. If it is not marked critical, it is treated as an advisory field that may be used to identify keys but does not restrict the use of the certificate to the indicated purposes.
  • Page 728 Standard X.509 v3 Certificate Extensions * OCSP Signing is not defined in PKIX Part 1, but in RFC 2560, “X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP.” Private Extended Key Usage Extension Uses Table G-2 Certificate trust list signing 1.3.6.1.4.1.311.10.3.1 Microsoft Server Gated 1.3.6.1.4.1.311.10.3.3...
  • Page 729 Standard X.509 v3 Certificate Extensions Discussion The Key Usage extension defines the purpose of the key contained in the certificate. The Key Usage, Extended Key Usage, Basic Constraints, and Netscape Certificate Type extensions act together to specify the purposes for which a certificate can be used.
  • Page 730 Standard X.509 v3 Certificate Extensions Table G-3 Certificate uses and corresponding Key Usage bits (Continued) Purpose of certificate Required Key Usage bit S/MIME Encryption keyEncipherment Certificate Signing keyCertSign Object Signing digitalSignature If the extension is present and is marked critical, then it will be used to keyUsage enforce the usage of the certificate and key.
  • Page 731 Standard X.509 v3 Certificate Extensions Criticality This extension should be noncritical. Discussion The extension is meant to be included in an OCSP responder’s signing certificate. The extension tells an OCSP client that the signing certificate can be trusted without querying the OCSP responder (since the reply would again be signed by the OCSP responder, and the client would again request the validity status of the signing certificate).
  • Page 732 Standard X.509 v3 Certificate Extensions Criticality This extension must be noncritical. Discussion The Policy Mappings extension is used in CA certificates only. It lists one or more pairs of OIDs used to indicate that the corresponding policies of one CA are equivalent to policies of another CA.
  • Page 733 Standard X.509 v3 Certificate Extensions PKIX requires this extension for entities that are identified by name forms other than the X.500 distinguished name (DN) used in the subject field. PKIX Part 1 describes additional rules for the relationship between this extension and the subject field.

  • Page 734: Introduction To Crl Extensions

    Introduction to CRL Extensions Discussion The Subject Key Identifier extension identifies the public key certified by this certificate. This extension provides a way of distinguishing public keys if more than one is available for a given subject name, for example after the certificate has been renewed with a new key.

  • Page 735: Structure Of Crl Extensions

    Introduction to CRL Extensions The standard also suggests that you can define your own extensions and include them in CRLs you issue. These extensions are called private, proprietary, or custom CRL extensions and they carry information unique to your organization or business.

  • Page 736: Sample Crl And Crl Entry Extensions

    Introduction to CRL Extensions Typically, the application receiving the CRL checks the extension ID to determine if it can recognize the ID. If it can, it uses the extension ID to determine the type of value used. Sample CRL and CRL Entry Extensions The following is an example of the section of a CRL containing X.509 v2 extensions.

  • Page 737: Standard X.509 V3 Crl Extensions

    Standard X.509 v3 CRL Extensions Serial Number: 0xA Revocation Date: Wednesday, November 25, 1998 5:11:18 AM Extensions: Identifier: Revocation Reason - 2.5.29.21 Critical: no Reason: Affiliation_Changed Standard X.509 v3 CRL Extensions In addition to certificate extensions, the X.509 v3 proposed standard defines extensions to CRLs, which provide methods for associating additional attributes with Internet CRLs.
  • Page 738 Standard X.509 v3 CRL Extensions Discussion The Authority Key Identifier extension for a CRL identifies the public key corresponding to the private key used to sign the CRL. For details, see the discussion under certificate extensions at authorityKeyIdentifier. CMS Version Support Supported since CMS 4.2.
  • Page 739 Standard X.509 v3 CRL Extensions FreshestCRL 2.5.29.27 Criticality PKIX requires that this extension must be non-critical. Discussion The freshest CRL extension identifies how delta CRL information is obtained. The FreshestCRL extension is placed in the full CRL to indicate where to find latest delta CRL.

  • Page 740: Crl Entry Extensions

    Standard X.509 v3 CRL Extensions CMS Version Support Supported since CMS 4.2. Refer to “IssuingDistributionPoint” on page 614. CRL Entry Extensions The sections that follow lists the CRL entry extension types that are defined as part of the Internet X.509 v3 Public Key Infrastructure proposed standard, as of September 1998.

  • Page 741: Netscape-Defined Certificate Extensions

    Netscape-Defined Certificate Extensions CMS Version Support Supported since CMS 4.2. Refer to “InvalidityDate” on page 612. reasonCode 2.5.29.21 Discussion The Reason Code extension identifies the reason for certificate revocation. CMS Version Support Supported since CMS 4.2. Refer to “CRLReason” on page 609. Netscape-Defined Certificate Extensions Netscape has defined certain certificate extensions for use with Navigator and Communicator.

  • Page 742: Ca Certificates And Extension Interactions

    CA Certificates and Extension Interactions If the extension exists in a certificate, it limits the certificate to the uses specified in it. If the extension is not present, the certificate can be used for all applications except object signing. The value is a bit-string, where the individual bit positions, when set, certify the certificate for particular uses as follows: •...
  • Page 743 CA Certificates and Extension Interactions Extensions Present Description Only The certificate is a CA certificate if the cA component is true. Path length processing is done as described above. basicConstraints Only The certificate is a CA if at least one of the CA bits is set: SSL CA (5), S/MIME CA (6), or object-signing CA (7).
  • Page 744 CA Certificates and Extension Interactions • If CAs ever intend to generate new keys for their CA, they must add the extension to all subject certificates. If the authorityKeyIdentifier key ID anything other than the SHA-1 hash of the CA certificates field, then the CA certificate should contain the subjectPublicKeyInfo extension.

  • Page 745: Appendix H Object Identifiers

    Appendix H Object Identifiers Netscape Certificate Management System (CMS) comes with a set of extension-specific policy plug-in modules that enable you to add X.509 certificate extensions to the certificates the server issues. Some of the extensions contain fields for specifying object identifiers. This appendix explain what’s an object indentifier (OID) and the significance of registering it.
  • Page 746 Registration of Object Identifiers a certificate practice statement (CPS) of your company. To implement this, you need to compose the policy statement you want to include in the extension, define an OID for the policy statement, and configure Certificate Management System with the OID so that it can add that to the certificate it issues.

  • Page 747: What Is A Distinguished Name

    Appendix I Distinguished Names This appendix explains what a distinguished name is and how Netscape Certificate Management System (CMS) uses distinguished names to automatically update certificate information in your corporate LDAP directory. This appendix contains the following sections: • “What Is a Distinguished Name?,” on page 747 •...

  • Page 748: Distinguished Name Components

    What Is a Distinguished Name? Distinguished Name Components A DN identifies an entry in an LDAP directory. Because directories are hierarchical, DNs identify the entry by its location as a path in a hierarchical tree (much as a path in a file system identifies a file). Generally, a DN begins with a specific common name, and proceeds with increasingly broader areas of identification until the country name is specified.
  • Page 749 What Is a Distinguished Name? Table I-1 Definitions of standard DN components (Continued) Component Name Definition Locality Identifies the place where the entry resides. The locality can be a city, county, township, or other geographic region. For example: • L=Mountain View •...

  • Page 750: Dns In Certificate Management System

    DNs in Certificate Management System Typically, an LDAP search consists of the following components: • The base DN—for example, , which initiates a subtree O=example.com C=US search through all entries below this entry in the directory (in other words, all entries with the suffix O=example.com C=US...
  • Page 751 DNs in Certificate Management System Table I-2 Allowed characters for value types (Continued) Attribute Value type Object identifier Printable String of 2.5.4.6 length 2 Directory String 2.5.4.7 Directory String 2.5.4.8 STREET Directory String 2.5.4.9 TITLE Directory String 2.5.4.12 Directory String 0.9.2342.19200300.100.1.1 MAIL IA5String...

  • Page 752: Extending Attribute Support

    DNs in Certificate Management System Table I-3 Explanation of character sets for DNs (Continued) Value type Character set allowed Directory String Any character in format as specified in Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names (see http://www.ietf.org/rfc/rfc2253.txt).
  • Page 753 DNs in Certificate Management System • Value converter class converts a string to a ASN.1 value. • It must implement n interface. etscape.security.x509.AVAValueConverter The string-to-value converter class can be one of these: • —converts a string to a netscape.security.x509.PrintableConverter Printable String value. The string must have only printable characters. •...
  • Page 754 DNs in Certificate Management System IA5StringConverter X500Name.attr.MYATTR3.oid=111.222.333.444.555.666 X500Name.attr.MYATTR3.class=netscape.security.x509. PrintableConverter Save your changes and close the file. Next, add each new attribute or component (for example, MYATTR1 MYATTR2 ) to the enrollment form. For instructions, see “Adding Attributes MYATTR3 to an Enrollment Form” on page 754. Restart the Certificate Manager.
  • Page 755 DNs in Certificate Management System <tr> <td valign="TOP"> <div align="RIGHT"> <font face="PrimaSans BT, Verdana, Arial, Helvetica, sans-serif" size="-1">Organization unit: </font> </div> </td> <td valign="TOP"> <input type="TEXT" name="OU" size="30" onchange="formulateDN(this.form, this.form.subject)"> </td> </tr> <tr> <td valign="TOP"> <div align="RIGHT"> <font face="PrimaSans BT, Verdana, Arial, Helvetica, sans-serif"...
  • Page 756 DNs in Certificate Management System distinguishedName.value += ’OU=’ + escapeDNComponent(OU.value); if (form.DC != null) { if (DC.value != ’’) { if (doubleQuotes(DC.value) == true) { alert(’Double quotes are not allowed in DC field’); DC.value = ’’; DC.focus(); return; if (distinguishedName.value != ’’) distinguishedName.value += ’, ’;...

  • Page 757: Role Of Distinguished Names In Certificates

    DNs in Certificate Management System To change the DirectoryString encoding: Stop the Certificate Manager. Go to this directory: <server_root>/cert-<instance_id>/config Open the configuration file, , in a text editor. CMS.cfg Add the encoding order to the configuration file. For example, if you want to specify two encoding values, PrintableString , and the encoding order is first and...
  • Page 758 DNs in Certificate Management System DNs in End-Entity Certificates In end-entity certificates issued by Certificate Management System, DNs are used to identify the end entity that owns the certified key pair. The end entity is one of the following: • The individual who owns the certified key pair (for personal or client certificates—to form this type of DN, use the component to specify the...
  • Page 759 DNs in Certificate Management System For example: CN=Example Corporation Certificate Authority, O=Example Corporation, C=US DN Patterns and Certificate Subject Names You can configure Certificate Management System to issue certificates with subject names that are formulated from the directory attributes and entry DN. The configuration variable of the automated-enrollment modules enable dnpattern you to configure the server to issue certificates with required subject names.
  • Page 760 DNs in Certificate Management System Example 2 If the configured DN pattern is E=$attr.mail.1, CN=$attr.cn, OU=$dn.ou.2, O=$dn.o, C=US LDAP entry: dn: UID=jdoe, OU=IS+OU=people, O=example.com LDAP attributes: cn: Jane Doe LDAP attributes: mail: jdoe@example.com The subject name formulated will be as follows: E=jdoe@example.com, CN=Jane Doe, OU=people, O=example.com, C=US the first ‘...
  • Page 761 DNs in Certificate Management System the (first) ‘ ’ LDAP attribute value in the user’s entry. the second ‘ ’ value in the user’s entry DN followed by the first ‘ ’ value in the user’s entry; note the multiple AVAs in a RDN in this example. the (first) ‘...
  • Page 762 DNs in Certificate Management System Netscape Certificate Management System Administrator’s Guide • February 2003...

  • Page 763: Internet Security Issues

    Appendix J Introduction to Public-Key Cryptography Public-key cryptography and related standards and techniques underlie security features of many Netscape products, including signed and encrypted email, form signing, object signing, single sign-on, and the Secure Sockets Layer (SSL) protocol. This document introduces the basic concepts of public-key cryptography. •...
  • Page 764 Internet Security Issues The great flexibility of TCP/IP has led to its worldwide acceptance as the basic Internet and intranet communications protocol. At the same time, the fact that TCP/IP allows information to pass through intermediate computers makes it possible for a third party to interfere with communications in the following ways: •...

  • Page 765: Encryption And Decryption

    Encryption and Decryption • Authentication allows the recipient of information to determine its origin—that is, to confirm the sender’s identity. • Nonrepudiation prevents the sender of information from claiming at a later date that the information was never sent. The sections that follow introduce the concepts of public-key cryptography that underlie these capabilities.

  • Page 766: Symmetric-Key Encryption

    Encryption and Decryption Symmetric-Key Encryption With symmetric-key encryption, the encryption key can be calculated from the decryption key and vice versa. With most symmetric algorithms, the same key is used for both encryption and decryption, as shown in Figure J-1. Figure J-1 Symmetric-Key Encryption Implementations of symmetric-key encryption can be highly efficient, so that users...

  • Page 767: Public-Key Encryption

    Encryption and Decryption Public-Key Encryption The most commonly used implementations of public-key encryption are based on algorithms patented by RSA Data Security. Therefore, this section describes the RSA approach to public-key encryption. Public-key encryption (also called asymmetric encryption) involves a pair of keys—a public key and a private key—associated with an entity that needs to authenticate its identity electronically or to sign or encrypt data.

  • Page 768: Key Length And Encryption Strength

    Encryption and Decryption cryptography. Client software such as Communicator can then use your public key to confirm that the message was signed with your private key and that it hasn’t been tampered with since being signed. “Digital Signatures” (beginning on page 769) and subsequent sections describe how this confirmation process works.

  • Page 769: Digital Signatures

    Digital Signatures Digital Signatures Encryption and decryption address the problem of eavesdropping, one of the three Internet security issues mentioned at the beginning of this document. But encryption and decryption, by themselves, do not address the other two problems mentioned in “Internet Security Issues” (beginning on page 763): tampering and impersonation.

  • Page 770: Certificates And Authentication

    Certificates and Authentication Figure J-3 shows two items transferred to the recipient of some signed data: the original data and the digital signature, which is basically a one-way hash (of the original data) that has been encrypted with the signer’s private key. To validate the integrity of the data, the receiving software first uses the signer’s public key to decrypt the hash.

  • Page 771: A Certificate Identifies Someone Or Something

    Certificates and Authentication A Certificate Identifies Someone or Something A certificate is an electronic document used to identify an individual, a server, a company, or some other entity and to associate that identity with a public key. Like a driver’s license, a passport, or other commonly used personal IDs, a certificate provides generally recognized proof of a person’s identity.

  • Page 772: Authentication Confirms An Identity

    Certificates and Authentication Authentication Confirms an Identity Authentication is the process of confirming an identity. In the context of network interactions, authentication involves the confident identification of one party by another party. Authentication over networks can take many forms. Certificates are one way of supporting authentication.
  • Page 773 Certificates and Authentication Password-Based Authentication Figure J-4 shows the basic steps involved in authenticating a client by means of a name and password. Figure J-4 assumes the following: • The user has already decided to trust the server, either without authentication or on the basis of server authentication via SSL.
  • Page 774 Certificates and Authentication As shown in the next section, one of the advantages of certificate-based authentication is that it can be used to replace the first three steps in Figure J-4 with a mechanism that allows the user to supply just one password (which is not sent across the network) and allows the administrator to control user authentication centrally.
  • Page 775 Certificates and Authentication assumptions are true only if unauthorized personnel have not gained access to the user’s machine or password, the password for the client software’s private key database has been set, and the software is set up to request the password at reasonable frequent intervals.

  • Page 776: How Certificates Are Used

    Certificates and Authentication evaluation process can employ a variety of standard authorization mechanisms, potentially using additional information in an LDAP directory, company databases, and so on. If the result of the evaluation is positive, the server allows the client to access the requested resource. As you can see by comparing Figure J-5 to Figure J-4, certificates replace the authentication portion of the interaction between the client and the server.
  • Page 777 Certificates and Authentication • Server SSL certificates. Used to identify servers to clients via SSL (server authentication). Server authentication may be used with or without client authentication. Server authentication is a requirement for an encrypted SSL session. For more information, see “SSL Protocol” on page 778. Example: Internet sites that engage in electronic commerce (commonly known as e-commerce) usually support certificate-based server authentication, at a minimum, to establish an encrypted SSL session and to assure customers that...
  • Page 778 Certificates and Authentication SSL Protocol The Secure Sockets Layer (SSL) protocol is a set of rules governing server authentication, client authentication, and encrypted communication between servers and clients. SSL is widely used on the Internet, especially for interactions that involve exchanging confidential information such as credit card numbers. SSL requires a server SSL certificate, at a minimum.
  • Page 779 Certificates and Authentication known as nonrepudiation. In other words, signed email makes it very difficult for the sender to deny having sent the message. This is important for many forms of business communication. (For information about the way digital signatures work, see “Digital Signatures,”...
  • Page 780 Certificates and Authentication keeping track of different passwords, tend to choose poor ones, and tend to write them down in obvious places. Administrators must keep track of a separate password database on each server and deal with potential security problems related to the fact that passwords are sent over the network routinely and frequently.
  • Page 781 Certificates and Authentication The “objects” signed with object signing technology can be applets or other Java code, JavaScript scripts, plug-ins, or any kind of file. The “signature” is a digital signature. Signed objects and their signatures are typically stored in a special file called a JAR file.
  • Page 782 Certificates and Authentication DNs may include a variety of other name-value pairs. They are used to identify both certificate subjects and entries in directories that support the Lightweight Directory Access Protocol (LDAP). The rules governing the construction of DNs can be quite complex and are beyond the scope of this document.
  • Page 783 Certificates and Authentication Here are the data and signature sections of a certificate in human-readable format: Certificate: Data: Version: v3 (0x2) Serial Number: 3 (0x3) Signature Algorithm: PKCS #1 MD5 With RSA Encryption Issuer: OU=Ace Certificate Authority, O=Ace Industry, C=US Validity: Not Before: Fri Oct 17 18:36:25 1997 After: Sun Oct 17 18:36:25 1999...

  • Page 784: How Ca Certificates Are Used To Establish Trust

    Certificates and Authentication Here is the same certificate displayed in the 64-byte-encoded form interpreted by software: -----BEGIN CERTIFICATE----- MIICKzCCAZSgAwIBAgIBAzANBgkqhkiG9w0BAQQFADA3MQswCQYDVQQGEwJVUzER MA8GA1UEChMITmV0c2NhcGUxFTATBgNVBAsTDFN1cHJpeWEncyBDQTAeFw05NzEw MTgwMTM2MjVaFw05OTEwMTgwMTM2MjVaMEgxCzAJBgNVBAYTAlVTMREwDwYDVQQK EwhOZXRzY2FwZTENMAsGA1UECxMEUHViczEXMBUGA1UEAxMOU3Vwcml5YSBTaGV0 dHkwgZ8wDQYJKoZIhvcNAQEFBQADgY0AMIGJAoGBAMr6eZiPGfjX3uRJgEjmKiqG 7SdATYazBcABu1AVyd7chRkiQ31FbXFOGD3wNktbf6hRo6EAmM5/R1AskzZ8AW7L iQZBcrXpc0k4du+2Q6xJu2MPm/8WKuMOnTuvzpo+SGXelmHVChEqooCwfdiZywyZ NMmrJgaoMa2MS6pUkfQVAgMBAAGjNjA0MBEGCWCGSAGG+EIBAQQEAwIAgDAfBgNV HSMEGDAWgBTy8gZZkBhHUfWJM1oxeuZc+zYmyTANBgkqhkiG9w0BAQQFAAOBgQBt I6/z07Z635DfzX4XbAFpjlRl/AYwQzTSYx8GfcNAqCqCwaSDKvsuj/vwbf91o3j3 UkdGYpcd2cYRCgKi4MwqdWyLtpuHAH18hHZ5uvi00mJYw8W2wUOsY0RC/a/IDy84 hW3WWehBUqVK5SY4/zJ4oTjx7dwNMdGwbWfpRqjd1A== -----END CERTIFICATE----- How CA Certificates Are Used to Establish Trust Certificate authorities (CAs) are entities that validate identities and issue certificates.
  • Page 785 Certificates and Authentication CA Hierarchies In large organizations, it may be appropriate to delegate the responsibility for issuing certificates to several different certificate authorities. For example, the number of certificates required may be too large for a single CA to maintain; different organizational units may have different policy requirements;...
  • Page 786 Certificates and Authentication Certificate Chains CA hierarchies are reflected in certificate chains. A certificate chain is series of certificates issued by successive CAs. Figure J-7 shows a certificate chain leading from a certificate that identifies some entity through two subordinate CA certificates to the CA certificate for the root CA (based on the CA hierarchy shown in Figure J-6).
  • Page 787 Certificates and Authentication In Figure J-7, the Engineering CA certificate contains the DN of the CA (that is, USA CA), that issued that certificate. USA CA’s DN is also the subject name of the next certificate in the chain. • Each certificate is signed with the private key of its issuer.
  • Page 788 Certificates and Authentication Figure J-8 Verifying a Certificate Chain All the Way to the Root CA Figure J-8 shows what happens when only Root CA is included in the verifier’s local database. If a certificate for one of the intermediate CAs shown in Figure J-8, such as Engineering CA, is found in the verifier’s local database, verification stops with that certificate, as shown in Figure J-9.
  • Page 789 Certificates and Authentication Expired validity dates, an invalid signature, or the absence of a certificate for the issuing CA at any point in the certificate chain causes authentication to fail. For example, Figure J-10 shows how verification fails if neither the Root CA certificate nor any of the intermediate CA certificates are included in the verifier’s local database.

  • Page 790: Managing Certificates

    Managing Certificates Managing Certificates The set of standards and services that facilitate the use of public-key cryptography and X.509 v3 certificates in a network environment is called the public key infrastructure (PKI). PKI management is complex topic beyond the scope of this document.

  • Page 791: Certificates And The Ldap Directory

    Managing Certificates Netscape Certificate Management System allows an organization to set up its own certificate authority and issue certificates. Issuing certificates is one of several managements tasks that can be handled by separate Registration Authorities. Certificates and the LDAP Directory The Lightweight Directory Access Protocol (LDAP) for accessing directory services supports great flexibility in the management of certificates within an organization.

  • Page 792: Renewing And Revoking Certificates

    Managing Certificates Keys can be generated by client software or generated centrally by the CA and distributed to users via an LDAP directory. There are trade-offs involved in choosing between local and centralized key generation. For example, local key generation provides maximum nonrepudiation, but may involve more participation by the user in the issuing process.

  • Page 793: Registration Authorities

    Managing Certificates intervals and checking the list as part of the authentication process. For some organizations, it may be preferable to check directly with the issuing CA each time a certificate is presented for authentication. This procedure is sometimes called real-time status checking.
  • Page 794 Managing Certificates Managing Servers with Netscape Console • December 2001...

  • Page 795: The Ssl Protocol

    Appendix K Introduction to SSL This document introduces the Secure Sockets Layer (SSL) protocol. Originally developed by Netscape, SSL has been universally accepted on the World Wide Web for authenticated and encrypted communication between clients and servers. • The SSL Protocol •...
  • Page 796 The SSL Protocol Figure K-1 Where SSL Runs The SSL protocol runs above TCP/IP and below higher-level protocols such as HTTP or IMAP. It uses TCP/IP on behalf of the higher-level protocols, and in the process allows an SSL-enabled server to authenticate itself to an SSL-enabled client, allows the client to authenticate itself to the server, and allows both machines to establish an encrypted connection.

  • Page 797: Ciphers Used With Ssl

    Ciphers Used with SSL The SSL protocol includes two sub-protocols: the SSL record protocol and the SSL handshake protocol. The SSL record protocol defines the format used to transmit data. The SSL handshake protocol involves using the SSL record protocol to exchange a series of messages between an SSL-enabled server and an SSL-enabled client when they first establish an SSL connection.
  • Page 798 Ciphers Used with SSL Decisions about which cipher suites a particular organization decides to enable depend on trade-offs among the sensitivity of the data involved, the speed of the cipher, and the applicability of export rules. Some organizations may want to disable the weaker ciphers to prevent SSL connections with weaker encryption.
  • Page 799 Ciphers Used with SSL Table K-1 Cipher Suites Supported by the SSL Protocol That Use the RSA Key-Exchange Algorithm Strength Category and Cipher Suites Recommended Use Strongest Cipher Suite Triple DES With 168-Bit Encryption and SHA-1 Message Authentication Permitted for deployments within the United States only.
  • Page 800 Ciphers Used with SSL Table K-1 Cipher Suites Supported by the SSL Protocol That Use the RSA Key-Exchange Algorithm Strength Category and Cipher Suites Recommended Use Exportable Cipher Suites RC4 With 40-Bit Encryption and MD5 Message Authentication These cipher suites are not as RC4 40-bit encryption permits approximately 1.1 * 10 (a trillion) strong as those listed above, but...
  • Page 801 Ciphers Used with SSL Table K-2 Cipher Suites Supported by Netscape When Using Fortezza for SSL 3.0 Strength Category and Cipher Suites Recommended Use Strong Fortezza Cipher Suites RC4 With 128-bit Encryption and SHA-1 Message Authentication Permitted for deployments Like RC4 with 128-bit encryption and MD5 message authentication, within the United States only.
  • Page 802 The SSL Handshake The SSL Handshake The SSL protocol uses a combination of public-key and symmetric key encryption. Symmetric key encryption is much faster than public-key encryption, but public-key encryption provides better authentication techniques. An SSL session always begins with an exchange of messages called the SSL handshake. The handshake allows the server to authenticate itself to the client using public-key techniques, then allows the client and the server to cooperate in the creation of symmetric keys used for rapid encryption, decryption, and tamper detection...
  • Page 803 The SSL Handshake If the server has requested client authentication, the server attempts to authenticate the client (for details, see “Client Authentication,” which begins on page 807). If the client cannot be authenticated, the session is terminated. If the client can be successfully authenticated, the server uses its private key to decrypt the premaster secret, then performs a series of steps (which the client also performs, starting from the same premaster secret) to generate the master secret.
  • Page 804 The SSL Handshake • In the case of client authentication, the client encrypts some random data with the client’s private key—that is, it creates a digital signature. The public key in the client’s certificate can correctly validate the digital signature only if the corresponding private key was used.
  • Page 805 The SSL Handshake Figure K-2 Authentication of a Client Certificate An SSL-enabled client goes through these steps to authenticate a server’s identity: Is today’s date within the validity period? The client checks the server certificate’s validity period. If the current date and time are outside of that range, the authentication process won’t go any further.

  • Page 806: Man-In-The-Middle Attack

    The SSL Handshake doesn’t correspond to the private key used by the CA to sign the server certificate, the client won’t authenticate the server’s identity. If the CA’s digital signature can be validated, the server treats the user’s certificate as a valid “letter of introduction”...
  • Page 807 The SSL Handshake The encrypted information exchanged at the beginning of the SSL handshake is actually encrypted with the rogue program’s public key or private key, rather than the client’s or server’s real keys. The rogue program ends up establishing one set of session keys for use with the real server, and a different sent of session keys for use with the client.
  • Page 808 The SSL Handshake Figure K-3 Authentication and Verification of a Client Certificate An SSL-enabled server goes through these steps to authenticate a user’s identity: Does the user’s public key validate the user’s digital signature? The server checks that the user’s digital signature can be validated with the public key in the certificate.
  • Page 809 The SSL Handshake Is the issuing CA a trusted CA? Each SSL-enabled server maintains a list of trusted CA certificates, represented by the shaded area on the right side of Figure K-3. This list determines which certificates the server will accept. If the DN of the issuing CA matches the DN of a CA on the server’s list of trusted CAs, the answer to this question is yes, and the server goes on to Step 4.
  • Page 810 The SSL Handshake Managing Servers with Netscape Console • December 2001...
  • Page 811 Glossary access control The process of controlling who is allowed to do what. For example, access control to servers is typically based on an identity, established by a password or a certificate, and on rules regarding what that entity can do. See also access control list (ACL).
  • Page 812 attribute value assertion (AVA) An assertion of the form attribute = value, where attribute consists of a tag, such as o (organization) or (user ID), and value consists of a value, such as “Netscape Communications Corp.” or a login name. AVAs are used to form the distinguished name (DN) that identifies the subject of a certificate (called the subject name of the certificate).
  • Page 813 CA hierarchy A hierarchy of CAs in which a root CA delegates the authority to issue certificates to subordinate CAs. Subordinate CAs can also expand the hierarchy by delegating issuing status to other CAs. See also certificate authority (CA), subordinate CA, root CA. CA server key The SSL server key of the server providing a CA service.
  • Page 814 Certificate Enrollment Protocol (CEP) A certificate management protocol jointly developed by Cisco Systems and VeriSign, Inc. CEP is an early implementation of Certificate Management Messages over Cryptographic Message Syntax (CMC). CEP specifies how a device communicates with a CA, including how to retrieve the CA’s public key, how to enroll a device with the CA, and how to retrieve a CRL.
  • Page 815 Certificate Manager An independent CMS subsystem capable of acting as a stand-alone certificate authority. A Certificate Manager instance issues, renews, and revokes certificates, which it can publish along with CRLs to an LDAP directory. It can be configured to accept requests from end entities, Registration Managers, or both.
  • Page 816 CMC Enrollment Features that allow you to send either signed enrollment or signed revocation requests to a Certificate Manager using an agents signing certificate. These requests are then automatically processed by the Certificate Manager. CMMF See Certificate Management Message Formats (CMMF). CMS See Netscape Certificate Management System (CMS), Cryptographic Message Syntax (CMS).
  • Page 817 Cryptographic Message Syntax (CMS) The syntax used to digitally sign, digest, authenticate, or encrypt arbitrary messages, such as CMMF. cryptographic module See PKCS #11 module. cryptographic service provider (CSP) A cryptographic module that performs cryptographic services, such as key generation, key storage, and encryption, on behalf of software that uses a standard interface such as that defined by PKCS #11 to request such services.
  • Page 818 Data Encryption Standard (DES) A FIPS-approved cryptographic algorithm required by FIPS 140-1 and specified by FIPS PUBS 46-2. DES, which uses 56-bit keys, is a standard encryption and decryption algorithm that has been used successfully throughout the world for more than 20 years. See also FIPS PUBS 140-1.
  • Page 819 eavesdropping Surreptitious interception of information sent over a network by an entity for which the information is not intended. encryption The process of scrambling information in a way that disguises its meaning. See decryption. encryption key A private key used for encryption only. An encryption key and its equivalent public key, plus a signing key and its equivalent public key, constitute a dual key pair.
  • Page 820 intermediate CA A CA whose certificate is located between the root CA and the issued certificate in a certificate chain. IP spoofing The forgery of client IP addresses. JAR file A digital envelope for a compressed collection of files organized according to the Java archive (JAR) format.
  • Page 821 Lightweight Directory Access Protocol (LDAP) A directory service protocol designed to run over TCP/IP and across multiple platforms. LDAP is a simplified version of Directory Access Protocol (DAP), used to access X.500 directories. LDAP is under IETF change control and has evolved to meet Internet requirements. linked CA An internally deployed certificate authority (CA) whose certificate is signed by a public, third-party CA.
  • Page 822 Netscape Security Services (NSS) A set of libraries designed to support cross-platform development of security-enabled communications applications. Applications built using the NSS libraries support the Secure Sockets Layer (SSL) protocol for authentication, tamper detection, and encryption, and the PKCS #11 protocol for cryptographic token interfaces.
  • Page 823 PKCS #11 The public-key cryptography standard that governs cryptographic tokens such as smart cards. PKCS #11 module A driver for a cryptographic device that provides cryptographic services, such as encryption and decryption, via the PKCS #11 interface. A PKCS #11 module (also called a cryptographic module or cryptographic service provider) can be implemented in either hardware or software.
  • Page 824 public-key infrastructure (PKI) The standards and services that facilitate the use of public-key cryptography and X.509 v3 certificates in a networked environment. RC2, RC4 Cryptographic algorithms developed for RSA Data Security by Rivest. See also cryptographic algorithm. registration See enrollment. Registration Manager An optional, independent CMS subsystem that performs tasks involving end entities, such as enrollment or renewal, on behalf of a Certificate Manager.
  • Page 825 server authentication The process of identifying a server to a client. See also client authentication. server group The servers in a server root directory managed by a single instance of Netscape Administration Server. server root The directory used to store Certificate Management System and other Netscape Server binaries that make up a server group.
  • Page 826 Certificates support single sign-on within a public-key infrastructure (PKI). A user can log in once to a local client’s private-key database and thereafter, as long as the client software is running, rely on certificate-based authentication to access each server within an organization that the user is allowed to access. slot The portion of a PKCS #11 module (implemented in either hardware or software) that contains a token.
  • Page 827 trust Confident reliance on a person or other entity. In a public-key infrastructure (PKI), trust refers to the relationship between the user of a certificate and the certificate authority (CA) that issued the certificate. If you trust a CA, you can generally trust valid certificates issued by that CA.
  • Page 828 Netscape Certificate Management System Administrator’s Guide • February 2003...
  • Page 829 Index tools provided CMS console 247 accelerators 320 Netscape Console 245 active logs Agent Services interface default file location 264 URL for 286 message categories 267 AgentDirEnrollment instance 408 See also logging agents adding authorizing remote key recovery 207 agents deleting 345 automated process 332 enrolling users in person 409, 596...
  • Page 830 managing from CMS window 390, 393, 397, 402, CA signing certificate 86, 88 404, 417 changing trust settings of 296 NIS server-based 391 deleting 295 password-based 773–774 getting a new one 299, 314 See also client authentication nickname 86 See also server authentication renewing 299 viewing details of 295 authentication modules...
  • Page 831 OCSP signing certificate 86 revocation reasons 599 SSL server certificate 87 revoking 792 wTLS CA signing certificate 86 S/MIME 777 manual updates to publishing directory 661 self-signed 785 master CA 56 serial numbers Registration Manager and 52–53 what to do when a CA exhausts all 118 serial number range 117 verifying a certificate chain 787 specifying IP address for 289...
  • Page 832 CMS. See Certificate Management System, required schema 658 Cryptographic Message Syntax publishing to online validation authority 167 supported extensions 599 command-line utilities when automated updates take place 598 for adding extensions to CMS certificates 305 when generated 599 configuration file 259 who generates it 599 copying from one instance to another 263 CRMF 65...
  • Page 833 policy rules 492 encryption privileged users 345 defined 765 publisher modules 663 public-key 767 symmetric-key 766 deltaCRLIndicator 738 end entities deployment planning port used for operations 287 CA decisions See also ports CA renewalCA renewal 115–?? distinguished name 88 end-entity certificate publisher 632 root versus subordinate 84 end-entity certificates signing certificate 88...
  • Page 834 policyMappings 731 holdInstructionCode 740 privateKeyUsagePeriod 732 host name reasonCode 741 for mail server used for notifications 259 structure of 719 how to revoke certificates 600 subjectAltName 732 how to search for keys 202 subjectDirectoryAttributes 733 subjectKeyIdentifier 733 tool for joining 305 tools for generating 305 X.509 certificate, summarized 723–?? X.509 CRL, summarized 737–??
  • Page 835 JavaScript policy processor 495 LDAP 66 job modules LDAP publishing registering new ones 592 defined 620 manual updates 661 jobs when to do 661 built-in modules who can do this 661 UnpublishExpiredJob 579 See CRLs compared to plug-in implementation 577 setting frequency 579 linked CA 31 specifying schedule for 579...
  • Page 836 policy plug-in modules 563 mapper modules object identifiers 745 deleting 663 object signing 780 registering new ones 663 object signing certificates mappers for third-party tools 427 created during installation 634, 638, 640 OCSP 50 mappers that use OCSP publisher 634 CA certificate 637 DN components 642 OCSP responder 167...
  • Page 837 HoldInstruction 611 policyConstraints 731 InvalidityDate 612 policyMappings 731 IssuerAlternativeName 612 ports 285 IssuingDistributionPoint 614 for agent operations 286 for policy 745 for end-entity operations 287 managing 563 for remote administration 286 RemoveBasicConstraintsExt 557 for the mail server used for notifications 259 for publishing how to choose numbers 286 FileBasedPublisher 631...
  • Page 838 to LDAP directory 600, 620 reasons 599 to online validation authority 167 who can do this 600 publishing directory roles defined 620 agent 328 key recovery agents 205 root CA 31 root DN 749 root versus subordinate CA 84 rotating log files RA, See Registration Authority archiving files 269 reasonCode 741...
  • Page 839 nickname 136, 173 See also external tokens renewing 299 internal 316 viewing details of 295 managing 319 viewing which tokens are installed 319 signing key, for CA 88, 138, 175, 217 what are they 316 single sign-on 779 topology decisions, for deployment ??–57 SMTP settings 259 transport certificate 215 specifying IP address 289...
  • Page 840 wireless certificates 92, 97 wizard See Certificate Setup Wizard writing policies in JavaScript 495 wTLS CA signing certificate 86 nickname 86 wTLS certificates 92, 97 X.509 certificates 67 Netscape Certificate Management System Administrator’s Guide • February 2003...

This manual is also suitable for:

Certificate management system 6.1

Table of Contents