Netscape Certificate Management System 6.2 Administrator's Guide (manual summary)


Administrator's Guide
Netscape Certificate Management System
Version 6.2
June 2003


Summary of Contents for Netscape Certificate Management System 6.2 Administrator's Guide

  • Page 1 Administrator’s Guide Netscape Certificate Management System Version 6.2 June 2003...
  • Page 2 Netscape Communications Corporation ("Netscape") and its licensors retain all ownership rights to the software programs offered by Netscape (referred to herein as "Software") and related documentation. Use of the Software and related documentation is governed by the license agreement for the Software and applicable copyright law. Your right to copy this documentation is limited by copyright law.
  • Page 3: Table Of Contents

    Contents: About This Guide (p. 23); Who Should Read This Guide ...
  • Page 4 Java SDK Extension Mechanism for Customization (p. 39); How Certificate Management System Works ...
  • Page 5 Chapter 3 Certificate Manager (p. 85); Certificate Manager Deployment Considerations ...
  • Page 6 Chapter 4 Registration Manager (p. 133); Registration Manager Deployment Considerations ...
  • Page 7 Interfaces (p. 172); Password Storage ...
  • Page 8 Step 1. Set Up the Key Archival Process (p. 228); Step 2. ...
  • Page 9 Modifying Self Test Configuration (p. 281); Ports ...
  • Page 10 Changing Members in a Group (p. 343); Deleting a CMS User ...
  • Page 11 certServer.kra.certificate.transport (p. 364); certServer.kra.configuration ...
  • Page 12 Setting Up Agent-Approved Enrollment (p. 385); Automated Enrollment ...
  • Page 13 Extended Key Usage Extension Default (p. 451); Freshest CRL Extension Default ...
  • Page 14 Reordering Policy Rules (p. 491); Testing Policy Configuration ...
  • Page 15 Chapter 12 Automated Notifications (p. 565); About Automated Notifications ...
  • Page 16 Delta CRLs (p. 599); How CRLs Work ...
  • Page 17 Bind DN (p. 657); Directory Authentication Method ...
  • Page 18 Appendix B Common Criteria Environment: Setup and Operations (p. 711); PKI Overview (p. 711); Security Objectives ...
  • Page 19 CRLs (p. 728); Jobs ...
  • Page 20 Appendix G Certificate and CRL Extensions (p. 751); Introduction to Certificate Extensions ...
  • Page 21 Renewing and Revoking Certificates (p. 826); Registration Authorities ...
  • Page 22 Netscape Certificate Management System Administrator’s Guide • June 2003...
  • Page 23: About This Guide

    About This Guide This Administrator’s Guide explains how to install, configure, and maintain Netscape Certificate Management System (CMS), and use it for issuing and managing certificates to various end entities, such as web browsers (users), servers, Virtual Private Network (VPN) clients, and Cisco™ routers. This preface has the following sections: •...
  • Page 24: What's In This Guide

    What’s in This Guide • You understand the concepts of intranet, extranet, and Internet security and the role of digital certificates in a secure enterprise, including the following topics: encryption and decryption; public keys, private keys, and symmetric keys; significance of key lengths; digital signatures; digital certificates, including various types of digital certificates; the role of digital certificates in a public-key infrastructure (PKI)
  • Page 25 What’s in This Guide Chapter 4, Provides information about installing a Registration “Registration Manager, step-by-step instructions for installing a Manager” Registration Manager, and an overview of the configuration options for a Registration Manager. Chapter 5, “OCSP Provides information about installing an Online Responder”...
  • Page 26 What’s in This Guide Chapter 15, Provides information and procedures for configuring “Publishing” the publishing feature. Chapter 16, Provides information about clones, failover, and “Configuring CMS for configuring CMS for failover support. High Availability” Appendix A, Provides security requirements for running CMS in the “Common Criteria Common Criteria Environment.
  • Page 27: Conventions Used In This Guide

    Conventions Used in This Guide. The following conventions are used in this guide: Monospaced font: This typeface is used for any text that appears on the computer screen or text that you should type. It’s also used for filenames, functions, and examples.
  • Page 28: Documentation

    Documentation Example: Using Netscape Communicator 4.7 or later, enter the URL for the Netscape Administration Server: http://<hostname>:<port_number> A slash is used to separate directories in a path. Example: Except for the Security Module Database Tool, you can find all the other command-line utilities at this location: <server_root>/bin/cert/tools Notes and Cautions:...
  • Page 29 Documentation Provides detailed reference information on customizing the HTML-based agent and end-entity interfaces. CMS Agent’s Guide Provides detailed reference information on CMS agent interfaces. To access this information from the Agent Services pages, click any help button. About This Guide...
  • Page 30 Documentation Netscape Certificate Management System Administrator’s Guide • June 2003...
  • Page 31: Chapter 1 Overview

    Chapter 1 Overview This chapter provides an overview of Netscape Certificate Management System (CMS), a highly configurable set of software components and tools for creating, deploying, and managing certificates. Based on open standards for certificate management, Certificate Management System provides a complete, customizable, robust, scalable, and high-performance certificate management solution for your public-key infrastructure (PKI), extranets and intranets.
  • Page 32: Certificate Manager Flexibility And Scalability

    Features • The Certificate Manager is the subsystem that provides Certificate Authority functionality for issuing, renewing, revoking, and publishing certificates and creating and publishing CRLs. See Chapter 3, “Certificate Manager” for complete details. • The Registration Manager is an optional subsystem that provides Registration Authority functionality.
  • Page 33: Interfaces

    Features Root or Subordinate CA CMS can function as a root CA; in this case, the server signs its own CA signing certificate as well as other CA signing certificates, enabling you to create your own CA hierarchy. You can also install the server to function as a subordinate CA; in this case, the server’s CA signing certificate is issued and signed by another CA in an existing CA hierarchy (only the certificate request leaves the subordinate; its private signing key does not).
  • Page 34: Logging

    Features Logging CMS produces extensive logs that record system events and errors. Logs are configurable, allowing you to create logs for specific types of events, and for the logging level you desire. See “Logs,” on page 261 for complete details. Supports Signing of Logs CMS allows you to sign log files digitally before archiving them or distributing them for audit purposes.
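The manual says logs can be signed before archiving but does not show what a verifier has to check. The following is an added example, not code from the manual or from CMS: it chains each audit line to the previous one with an HMAC and seals the archive with the final MAC, so that editing a line, deleting a line, or cutting the tail off the file is detected at verification time. It assumes a symmetric key held by the auditor in place of the product's digital signature; the key and the audit events are constructed for the example, and the event format is illustrative rather than CMS's real log format.

```python
import hashlib
import hmac

# Constructed key for the example; the product would keep its signing key on a token.
LOG_SIGNING_KEY = b"example-log-signing-key-do-not-use-in-production"

# Constructed sample audit events; the format is illustrative, not CMS's real log format.
SAMPLE_EVENTS = [
    "2003-06-10 09:12:01 [AuditEvent=AUTH_SUCCESS] user=admin1 interface=admin",
    "2003-06-10 09:14:37 [AuditEvent=CERT_REQUEST_PROCESSED] reqID=17 status=approved agent=agent1",
    "2003-06-10 09:20:02 [AuditEvent=CERT_REVOKED] serial=0x1a reason=keyCompromise agent=agent1",
]

CHAIN_START = b"\x00" * 32   # value chained into the first line's MAC


def sign_log(lines, key):
    """Append a MAC to every line; each MAC covers the line and the previous MAC.

    Returns (signed_lines, seal). The seal is the final MAC in hex and is stored
    separately from the log; a later truncation check compares against it.
    """
    prev = CHAIN_START
    signed = []
    for line in lines:
        mac = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        signed.append(f"{line} mac={mac.hex()}")
        prev = mac
    return signed, prev.hex()


def verify_log(signed_lines, key, seal=None):
    """Recompute the chain. Returns (True, None) or (False, index_of_first_bad_line).

    An index equal to len(signed_lines) means every line verifies but the archive
    does not end where the seal says it should (truncated or extended).
    """
    prev = CHAIN_START
    for i, entry in enumerate(signed_lines):
        body, sep, tag = entry.rpartition(" mac=")
        if not sep:
            return False, i                       # line carries no MAC at all
        expected = hmac.new(key, prev + body.encode("utf-8"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag):
            return False, i                       # edited, or its predecessor was removed
        prev = expected
    if seal is not None and not hmac.compare_digest(prev.hex(), seal):
        return False, len(signed_lines)
    return True, None


if __name__ == "__main__":
    signed, seal = sign_log(SAMPLE_EVENTS, LOG_SIGNING_KEY)
    print("\n".join(signed))
    print("seal:", seal, "verify:", verify_log(signed, LOG_SIGNING_KEY, seal))
```

The per-line chain alone does not catch a trailing truncation, which is why the seal is returned and checked separately. A MAC only proves integrity to someone holding the key; for a third-party audit the seal (or the chain) would be signed with a private key, which is what the product's log-signing feature provides.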
  • Page 35: Authentication

    Features Authentication CMS provides authentication options for certificate enrollment including agent-approved enrollment in which an agent processes the request, and several automated enrollments, in which an authentication method is used, and upon successful authentication of the end-entity, the CA automatically issues a certificate.
  • Page 36: Policy

    Features enabled for use. A dynamically generated HTML form for the certificate profile is used in the end-entity interface for enrollment which triggers this certificate profile. The server will verify that the defaults and constraints set in the certificate profile are met before acting on the request, and will use the certificate profile to determine the content of the issued certificate.
  • Page 37: Notifications

    Features Notifications Notifications is a feature that allows you to set up automated messages when a particular event occurs, such as when a certificate is issued or revoked. The notification framework comes with default modules that you can enable and configure.
  • Page 38: Support For Open Standards

    Features Support for Open Standards With its support for open standards, CMS gives organizations confidence that they will be able to communicate within a heterogeneous computing environment. CMS supports standards in the following ways: • Formulates, signs, and issues industry-standard X.509 version 3 public-key certificates;...
  • Page 39: Java Sdk Extension Mechanism For Customization

    How Certificate Management System Works Java SDK Extension Mechanism for Customization The software development kit (SDK) provided with CMS includes APIs and tutorials for customizing different aspects of the system. You can write the following custom modules: • Authentication • Authorization •...
  • Page 40 How Certificate Management System Works • The Certificate Manager is the subsystem that provides Certificate Authority functionality for issuing, renewing, revoking, and publishing certificates and creating and publishing CRLs. See Chapter 3, “Certificate Manager” for complete details. • The Registration Manager is an optional subsystem that provides Registration Authority functionality.
  • Page 41 How Certificate Management System Works • End-Entity Services Interface—The end-entity interface is a customizable HTML interface that can be used for end-entities to enroll in your PKI, renew certificates, revoke their own certificates, and pick up issued certificates. It contains forms for different types of enrollments, and for the enrollment different types of end-entities.
  • Page 42: About The Certificate Manager

    How Certificate Management System Works • Agents who can edit and approve requests. • Auditors who can view and configure audit logs. • Trusted Managers, which are subsystems that have a trusted relationship with another subsystem. CMS allows you to create users and assign them the privileges of whichever groups they are members of.
  • Page 43 How Certificate Management System Works The Certificate Manager acts as a Certificate Authority (CA). It can be configured as a self-signing CA, where it is the root CA, or it can act as a subordinate CA, where it obtains its own signing certificate from another CA, such as a public CA. Scalability You can configure more than one CA, forming either a vertical or a horizontal chain of CAs.
  • Page 44: How The Certificate Manager Works

    How Certificate Management System Works Revocation and CRLs CMS provides the framework for revoking certificates; revocation can be initiated either by an agent or by the end users themselves. An administrator can also revoke the certificates of any of the subsystems or agents. CMS also supports CMC revocation.
  • Page 45 How Certificate Management System Works Authentication Methods CMS provides authentication plug-ins that allow you to set up automated enrollment and configure the particular method(s) you set up; by default it provides agent-approved enrollment, where an agent must approve the request. Each end-entity form is associated with a particular authentication method, either one of the automated methods or the agent-approved method.
  • Page 46 How Certificate Management System Works Certificate Creation The Certificate Manager issues certificates when it receives signed requests from its own agents (users who are assigned privileges to approve enrollment, renewal, and revocation requests), from a trusted Registration Manager, or from a third-party application that is set up to send signed CMC enrollment requests to the Certificate Manager.
  • Page 47: About The Registration Manager

    How Certificate Management System Works An agent can also revoke a certificate if the owner of the certificate is unwilling or unable to do so. When the certificate is revoked, it is marked revoked in the internal database, and is marked revoked in the publishing system. The certificate is also added to the Certificate Revocation List (CRL) produced by the Certificate Manager.
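The revocation flow described above (mark the certificate revoked in the internal database, then add it to the CRL) and the delta CRLs listed in the table of contents are easy to get wrong on the relying-party side. The following is an added example, not part of the manual and not the product's implementation: a small model of the CA side (full CRL issuance, then a delta CRL that carries the number of the full CRL it updates) and of the relying-party side (combining a delta with a full CRL it actually applies to). The serial numbers, reason codes, timestamps and class names are constructed for illustration; the CRL-number and base-CRL-number semantics follow RFC 5280.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# CRL reason codes (RFC 5280, section 5.3.1); only the two used here are listed.
KEY_COMPROMISE = 1
CESSATION_OF_OPERATION = 5


@dataclass(frozen=True)
class RevocationEntry:
    serial: int
    reason: int
    revoked_at: int          # constructed epoch seconds for the example


@dataclass
class CRL:
    crl_number: int
    entries: List[RevocationEntry]
    base_crl_number: Optional[int] = None   # set only on a delta CRL (Delta CRL Indicator)


class CertificateManagerModel:
    """Illustrative model of a CA's revocation state, not the product's code."""

    def __init__(self):
        self.revoked: Dict[int, RevocationEntry] = {}   # the "marked revoked" state
        self.next_crl_number = 1                         # one counter for full and delta CRLs
        self.last_full_number: Optional[int] = None
        self.last_full_serials = set()

    def revoke(self, serial, reason, when):
        if serial in self.revoked:
            raise ValueError(f"serial {serial:#x} is already revoked")
        self.revoked[serial] = RevocationEntry(serial, reason, when)

    def issue_full_crl(self):
        crl = CRL(self.next_crl_number,
                  sorted(self.revoked.values(), key=lambda e: e.serial))
        self.next_crl_number += 1
        self.last_full_number = crl.crl_number
        self.last_full_serials = set(self.revoked)
        return crl

    def issue_delta_crl(self):
        """Only revocations made since the last full CRL; refers back to it by number."""
        if self.last_full_number is None:
            raise ValueError("a full (base) CRL must be issued before a delta CRL")
        new = [e for s, e in self.revoked.items() if s not in self.last_full_serials]
        crl = CRL(self.next_crl_number, sorted(new, key=lambda e: e.serial),
                  base_crl_number=self.last_full_number)
        self.next_crl_number += 1
        return crl


def check_status(serial, base, delta=None):
    """Relying-party side: combine a delta CRL with a full CRL it applies to."""
    if base.base_crl_number is not None:
        raise ValueError("base must be a full CRL, not a delta")
    if delta is not None:
        if delta.base_crl_number is None:
            raise ValueError("second argument is not a delta CRL")
        # RFC 5280 5.2.4: a delta applies to a full CRL whose number is at least the
        # delta's base number and below the delta's own number; anything else is a mismatch.
        if not delta.base_crl_number <= base.crl_number < delta.crl_number:
            raise ValueError("delta CRL does not apply to this base CRL")
    revoked = {e.serial for e in base.entries}
    if delta is not None:
        revoked |= {e.serial for e in delta.entries}
    return "revoked" if serial in revoked else "good"
```

The practical point is the second check in check_status: a delta CRL silently gives "good" for recent revocations if it is applied to the wrong base, so a relying party must compare the numbers rather than just union the two lists.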
  • Page 48: How The Registration Manager Works

    How Certificate Management System Works How the Registration Manager Works This section details the processes that a Registration Manager goes through, and the various configuration settings involved in those processes. Accepting Enrollment Requests Similar to the Certificate Manager, the Registration Manager contains an end-entity interface with various forms associated with various types of certificates and various types of users.
  • Page 49 How Certificate Management System Works Request Processing When the Registration Manager processes requests from its own end-entity interface, it first considers the authentication method. If it is an agent-approved enrollment method, the request is queued in the agent services interface where it awaits agent approval.
  • Page 50 How Certificate Management System Works Publishing of Certificates Certificates can be published to a file or an LDAP directory. You set up the publishing feature and set up rules that determine which certificates are published using which method, and where exactly they are published. The publishing system is flexible allowing you many options in configuring it.
  • Page 51: Data Recovery Manager

    How Certificate Management System Works An agent can also revoke a certificate. They might do this if someone leaves the company. When the certificate is revoked, it is marked revoked in the internal database, and is marked revoked in the publishing system. The certificate is also added to the Certificate Revocation List (CRL) produced by the Certificate Manager.
  • Page 52: Online Certificate Status Manager

    Deployment Scenarios Online Certificate Status Manager The Online Certificate Status Manager is an optional subsystem of CMS that can act as a stand-alone OCSP service. The Certificate Manager is configured with an internal OCSP service. An external OCSP Responder is offered as a separate subsystem in case you want the OCSP service provided outside a firewall while the Certificate Manager resides inside a firewall, or to take the load of requests off the Certificate Manager.
  • Page 53: Certificate Manager And Registration Manager

    Deployment Scenarios Figure 1-1 Certificate Manager, single root. Figure 1-1 shows the relationships among a single Certificate Manager, end entities, and a publishing directory. The Certificate Manager can publish both end-entity certificates and CRLs to a directory. Certificate Manager and Registration Manager Figure 1-2 shows a Registration Manager and its Certificate Manager in separate instances on separate machines.
  • Page 54 Deployment Scenarios Figure 1-2 Certificate Manager and Registration Manager in different instances. Many organizations need to separate the role of the Registration Manager from the role of the Certificate Manager. This separation can be useful, for example, if different groups of end entities are subject to different authentication policies or work in different geographic locations.
  • Page 55: Certificate Manager And Data Recovery Manager

    Deployment Scenarios A Registration Manager can be installed in one CMS instance and its related Certificate Manager in another CMS instance. The separate instances can be located in the same server group, in different server groups on the same machine, or in different server groups on different machines.
  • Page 56 Deployment Scenarios Figure 1-3 Certificate Manager and Data Recovery Manager in different instances The Data Recovery Manager is intended for archival and recovery of private encryption keys only. Therefore end entities must be using either a browser that supports dual-key generation or a browser that is using Netscape Personal Security Manager, which supports dual keys.
  • Page 57: Certificate Manager, Data Recovery Manager, And Registration Manager

    Deployment Scenarios Certificate Manager, Data Recovery Manager, and Registration Manager The three CMS subsystems can be deployed in many different relationships. Figure 1-4 illustrates some of the issues involved in deploying all three subsystems by showing the relationships among a single Certificate Manager, a single Registration Manager, and a single Data Recovery Manager, each installed in a different CMS instance on a different machine.
  • Page 58: Cloned Certificate Manager

    Deployment Scenarios The Registration Manager handles all end-entity interactions and communicates with the Certificate Manager and the Data Recovery Manager over HTTPS. The Registration Manager is configured to request the end entity’s private encryption key (in encrypted form) and send it to the Data Recovery Manager during the enrollment process.
  • Page 59: System Architecture

    System Architecture To create a cloned Certificate Manager, you must first install and configure at least one Certificate Manager and specify a definite upper, but no lower bound for the serial numbers it will use. You then install or create a new instance of a Certificate Manager (but do not configure it).
  • Page 60: Cms Component

    System Architecture Figure 1-5 CMS Architecture CMS Component The CMS component is the main component in the CMS product. CMS is a set of pure Java classes. This component provides a secure application platform where subsystems (CA, RA, DRM, and OCSP) can be tightly integrated with a PKI infrastructure.
  • Page 61: Http Engine

    System Architecture Within the CMS component, a set of common modules (all can be extended with customized JAVA plug-ins) are provided for all subsystems (although some may not be utilized by default setting, they are all available for further customization): •...
  • Page 62: Service Interfaces

    System Architecture responder only takes OCSP request format, while a DRM does not provide any end-entity services. The client applications used to access this entry point must have the capability to act as an SSL client. A common client application is a browser such as the Netscape browser.
  • Page 63: Jss And The Java/Jni Layer

    System Architecture Agent Services Interface The agent services interface provides JAVA servlets to process HTML form submissions coming from the agent entry-point. Based on the information given in each form submission, the agent servlets allow agents to perform agent tasks, such as editing and approving requests for certificate approval, certificate renewal, and certificate revocation, and approving certificate profiles.
  • Page 64: Nss

    System Architecture http://www.mozilla.org/projects/security/pki/jss/index.html Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled communications applications. Applications built with the NSS libraries support the SSL protocol for authentication, tamper detection, and encryption as well as the PKCS #11 interface for cryptographic token interfaces.
  • Page 65: Management Tools

    System Architecture The Internal Key Storage token (“Certificate DB token” in Figure 1-5 on page 60) handles all communication with the certificate and key database files (called certX.db and keyX.db, respectively, where X is a version number) that store certificates and keys. •...
  • Page 66: Internal Ldap Database

    CMS SDK Internal LDAP Database CMS employs Netscape Directory Server as its internal database for storing information such as certificates, requests, users, roles, ACLs, as well as other miscellaneous internal information. CMS communicates with the internal LDAP database securely by means of SSL client authentication. Administration Server The Netscape Administration Server comes with all Netscape server products, including CMS.
  • Page 67: Support For Open Standards

    Support for Open Standards • Tutorials—“How To” tutorial to help demonstrate how you can create your own plug-in modules for CMS. Each tutorial includes sample Java source code, environment and build script and a detailed “cookbook” describing how to build and install these plug-in modules. Additionally, some tutorials may also contain sample configuration files.
  • Page 68: Security And Directory Protocols

    Support for Open Standards • Cryptographic Message Syntax (CMS; not to be confused with Certificate Management System). A superset of PKCS #7 syntax used for digital signatures and encryption. A Proposed Standard from the IETF S/MIME working group (RFC 2630 and its successors). • PKIX Certificate and CRL Profile (PKIX Part 1). The first part of the four-part standard under development by the IETF for a public-key infrastructure for the Internet.
  • Page 69 Support for Open Standards • X.509 v1, v3. Digital certificate formats recommended by the International Telecommunication Union (ITU). • Secure Sockets Layer (SSL) 2.0, 3.0. A set of rules governing server authentication, client authentication, and encrypted communication between servers and clients. (SSL 2.0 has known protocol weaknesses; disable it wherever the clients you must support allow it.) Chapter 1 Overview...
  • Page 71: Chapter 2 Installation

    Chapter 2 Installation This chapter explains how to install Netscape Certificate Management System (CMS). This chapter contains the following sections: • Installation and Configuration Overview • Installation Overview • Installing CMS • Uninstalling CMS Installation and Configuration Overview You install Netscape Certificate Management System (CMS) on each host on which you will be setting up a CMS subsystem.
  • Page 72: Installation And Configuration Process

    Installation and Configuration Overview One of your deployment decisions is which subsystems you will install, how many of each type of subsystem you will configure, and on which hosts they will be installed. Once you decide this, you install CMS on each host you will be using, install each subsystem that will be run on that host, and then configure each of the subsystems on each host.
  • Page 73: Installation Overview

    Installation Overview Installation Overview This section provides information about the CMS installation, and provides information about things you need to consider and decide when installing CMS. About the Installation Program The installation program installs Administration Server, Directory Server, Netscape Console, and CMS in the server root directory you specify. It creates one instance of Administration Server, one instance of Directory Server, and one instance of CMS.
  • Page 74 Installation Overview Server Groups A server group is created when you install Administration Server. All servers are then installed in that server group. You can create more than one server group and install servers in each. You must have an Administration Server for each server group.
  • Page 75 Installation Overview Deciding the User and Group for Your Netscape Servers For security reasons, it is always best to run UNIX-based production servers with normal user privileges. That is, you do not want to run the servers with root privileges. However, you will have to run Directory Server with root privileges if you are using the default Directory Server ports.
  • Page 76 Installation Overview • Directory Manager DN and password. The Directory Manager DN is the special directory entry to which access control does not apply. Think of the directory manager as your directory's superuser. The default Directory Manager DN is . Because the cn=Directory Manager Directory Manager DN is a special entry, the Directory Manager DN does not have to conform to any suffix configured for your Directory Server.
  • Page 77 Installation Overview For the purposes of CMS, this suffix usually does not matter, unless you plan to store user information in this configuration directory. Normally you will not store users in this configuration directory. You only use this configuration directory to store configuration settings for the Administration Server that allow you to use Netscape Console to manage CMS.
  • Page 78: Installation Worksheet

    Installation Overview Installation Worksheet You can use the following worksheet to specify the information you will be prompted for during the installation. The default setting is indicated in square brackets.
    Install location [/usr/netscape/servers] ______________________
    Computer name [myhost.mydomain.com] ______________________
    System User [nobody] ______________________
    System Group [nobody] ______________________...
  • Page 79: Installing Cms

    Installing CMS Installing CMS To install CMS: Log in to the host system as the user ID you will be running the servers as. Note that you must be logged into the host locally. Do not install remotely. See “Deciding the User and Group for Your Netscape Servers,” on page 75 for more information.
  • Page 80 Installing CMS Do you agree to the license terms? [No]: Type and press Enter. Select the component you would like to install [1]: Accept the default to install the Netscape servers. Choose an installation type [2]: Accept the default for a typical installation. Install location [/usr/netscape/servers]: Enter the full path to the location in which you want to install the servers.
  • Page 81 Installing CMS Do you want to use another directory to store your data? [No]: If you accept the default setting, the installation script either adds a user/group directory to the newly installed instance of Directory Server (if you accepted the default in step 17) or installs a new instance of Directory Server for use as a user/group directory.
  • Page 82 Installing CMS Administration Domain [mydomain.com]: Accept the default value. This domain name identifies the collection of servers that use the same configuration directory. Administration port [random #]: Accept the default port number, which is randomly generated, or enter any port number that is not and will not be used for another purpose.
  • Page 83: Uninstalling Cms

    Uninstalling CMS Uninstalling CMS To remove CMS from a host system, run the uninstall program. To remove a specific CMS instance, follow the instructions provided in “Removing an Instance From a System” on page 256. To uninstall CMS: Log in as the user account under which the server is running. Go to the server root directory containing the installed software.
  • Page 84 Uninstalling CMS Netscape Certificate Management System Administrator’s Guide • June 2003...
  • Page 85: Chapter 3 Certificate Manager

    Chapter 3 Certificate Manager The Certificate Manager subsystem provides the services of a Certificate Authority (CA) in the PKI. It can issue, renew, and revoke certificates; create and issue CRLs; and publish certificates and CRLs. This chapter discusses the Certificate Manager subsystem. It provides an overview of the subsystem including the decisions you need to make before installing the subsystem, complete installation instructions, an overview of the Certificate Manager processes including information on configuring those processes,...
  • Page 86: Self-Signed Root Vs. Subordinate Ca

    Certificate Manager Deployment Considerations Self-Signed Root vs. Subordinate CA A Certificate Manager can be set up as a self-signing root CA. You set up a self-signing root CA by choosing this option when you install. A self-signing root CA issues and signs its own certificates. The subsystems are then issued certificates by this self-signing CA.
  • Page 87: Cloned Ca

    Certificate Manager Deployment Considerations One benefit of chaining up to a public CA is that the third party is responsible for getting the root CA certificate into the browser or other client software. This can be a major advantage if you are deploying an extranet that involves certificates used by different companies whose browsers you cannot control.
  • Page 88 Certificate Manager Deployment Considerations You submit this request either as a self-signing request to the CA itself which will then issue the certificates, this is how you create a self-signing root CA, or you submit the request to a third party public CA and then install the certificate you receive from the CA during the rest of the installation.
  • Page 89 Certificate Manager Deployment Considerations OCSP Signing Key Pair and Certificate Irrespective of whether you chose to enable the OCSP service feature, the Installation Wizard transparently generates a key pair and a corresponding certificate identified as the OCSP signing certificate. The wizard uses the key type, key size, key algorithm, and validity period you provided for the CA signing key pair to generate the OCSP signing key pair.
  • Page 90 Certificate Manager Deployment Considerations If you configure the Certificate Manager to function as a trusted manager to a Data Recovery Manager, the Certificate Manager also uses its SSL server certificate for SSL client authentication to the Data Recovery Manager. For details on trusted managers, see “Trusted Managers”...
  • Page 91: Certificate Manager Interfaces

    Certificate Manager Deployment Considerations Serial Number Ranges for the CA You can designate the starting and ending serial numbers that a CA can issue during configuration of the CA. This is especially useful when you are installing cloned CAs. Each cloned CA is given a specific range of serial numbers that it can issue, so that no two clones signing under the same CA certificate ever issue the same serial number.
  • Page 92 Certificate Manager Deployment Considerations • An Administrative interface that is accessible by default only to members of the Administrator and Auditor group. You specify the first administrator when you install the subsystem. Administrators can configure any of the settings of the server. Most basic functionality and subsystem-specific configuration can be done using the administrative interface.
  • Page 93: Password Storage

    Installing a Certificate Manager Password Storage Each subsystem stores passwords for its internal database, and for the tokens containing its keys and certificates. See “System Passwords,” on page 250 for information on how these passwords are stored. Internal Database Each Certificate Manager instance contains an internal database that stores certificates, certificate requests and the like.
  • Page 94: Installing A Certificate Manager As A Root Ca

    Installing a Certificate Manager installing in a particular instance, and allows you to make some configuration choices for the subsystem, and get and install the certificates used by the subsystem. Once the Certificate Manager is installed, it is set up with a default set of configuration settings.
  • Page 95 Installing a Certificate Manager Administrator. Type the user ID, name, and password for the CMS administrator. This user ID will be set up as the administrator who can access the CMS window and control all CMS settings. Allow Multiple Roles for Users. Select if you want to allow users to belong to more than one group, thus assuming more than one role.
  • Page 96 Installing a Certificate Manager Internal OCSP Services. Select to enable the internal OCSP services. See “Setting Up a Certificate Manager with OCSP Service,” on page 169 for more information. Click Next to continue. Network Configuration. Type the port numbers for the ports used by this instance, or accept the defaults.
  • Page 97 Installing a Certificate Manager Subject Name for Certificate Manager CA Signing Certificate. Type values for the subject DN components; these values identify the root CA signing certificate. A DN is a series of name-value pairs that in combination uniquely identify an entity.
  • Page 98 Installing a Certificate Manager SSL Server Certificate. Select the “Sign SSL certificate with my CA signing certificate” option. This option enables the wizard to generate an SSL Server Certificate signed with the local CA signing certificate, the root Certificate Manager’s CA signing certificate you just created. Click Next to continue.
  • Page 99: Installing A Certificate Manager As A Subordinate CA

    Installing a Certificate Manager SSL Server Certificate Creation. This informational screen tells you that the configuration wizard has all the required information to generate a key pair and its corresponding certificate. Click Next to generate the certificate. Single Sign-on Summary. Check the summary and select whether to retain or delete the file.
  • Page 100 Installing a Certificate Manager Internal Database. Choose to either create a new internal database for this instance or to use an existing Directory Server instance as the internal database for this instance. Next, specify the information for that Directory Server instance.
  • Page 101 Installing a Certificate Manager CA’s serial number range. Specify range for the serial numbers for the certificates that this CA will issue. In the “Starting serial number” field, type the lowest serial number the CA should assign to a certificate. If you only use one CA server, you can leave the “Ending serial number”...
  • Page 102 Installing a Certificate Manager Subject Name for Certificate Manager CA Signing Certificate. Type values for the subject DN components; these values identify the subordinate CA signing certificate. A DN is a series of name-value pairs that in combination uniquely identify an entity.
  • Page 103 Installing a Certificate Manager If you want the wizard to generate the certificate request in PKCS #10 format, select the “Generate PKCS10 request” option. If you want the wizard to generate the certificate request in CMC format, select the “Generate CMC full enrollment request” option. Click Next to generate the request.
  • Page 104 Installing a Certificate Manager When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file. Be sure to not make any changes to the certificate.
  • Page 105 Installing a Certificate Manager When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file. Be sure to not make any changes to the certificate.
  • Page 106 Installing a Certificate Manager If you copied the encoded certificate to a file, select the “The certificate is located in this file” option and then type the file path, including the filename, in the text field. If you copied the certificate to the clipboard, select the “The certificate is located in the text area below”...
  • Page 107 Installing a Certificate Manager If you want to submit the SSL server certificate request to another CA, for example to the CA that signed the subordinate CA’s signing certificate, select the “Create request for submission to another CA” option. Click Next to continue. Key-Pair Information for SSL Server Certificate.
  • Page 108 Installing a Certificate Manager If you want the wizard to generate the certificate request in PKCS #10 format, select the “Generate PKCS10 request” option. If you want the wizard to generate the certificate request in CMC format, select the “Generate CMC full enrollment request” option. Click Next to generate the certificate or the request: If you chose to get the certificate signed by the subordinate CA itself, the wizard generates the SSL server certificate.
  • Page 109 Installing a Certificate Manager VII. In the pending request list, locate your request, click Details to see the request, and make any changes. Then, scroll down to the bottom of the form, and click Do It. VIII. After the certificate is generated, click Show Certificate.
  • Page 110 Installing a Certificate Manager If you used the Manual Server Certificate Enrollment request, the request gets added to the agent queue of that Certificate Manager for approval by that Certificate Manager’s agent. If you’ve permission to access that Certificate Manager’s Agent interface, you can follow the instructions below to issue the certificate.
  • Page 111 Installing a Certificate Manager Submit your certificate request to a third-party CA, following the instructions provided by that CA. Click Next when you are ready to proceed to the next screen. SSL Server Certificate Installation. Depending on whether you have the certificate ready for pasting into the Installation Wizard screen, click Yes or No.
  • Page 112: Configuring The Certificate Manager

    Configuring the Certificate Manager Import Certificate Chain. This screen appears only if you need to import the CA certificate chain. If the CA that issued the certificate is a Certificate Manager, follow these steps: Go to the end-entity URL for the remote Certificate Manager that issued the SSL server certificate.
  • Page 113: Adding Users

    Configuring the Certificate Manager Adding Users Once the Certificate Manager is installed, you need to add users and assign them to the administrator, agent, or auditor roles. If you selected the option to have the administrator created during installation also act as an agent, then the administrator is your first agent.
  • Page 114: Managing Certificates And The Certificate Database

    Configuring the Certificate Manager • Members of the Certificate Manager Agent group can view configuration settings in the administrative interface, but cannot perform any other operations on the configuration settings. They can perform all operations for all tasks associated with the agent services interface. They are allowed to communicate with the CA via the agent services port.
  • Page 115 Configuring the Certificate Manager If you want a Certificate Manager to use a separate key pair for signing the CRLs it generates, you can do so after installation. Note that a Certificate Manager’s CRL signing certificate must be signed or issued by itself; make sure you submit the request to the Certificate Manager itself.
  • Page 116 Configuring the Certificate Manager Once you have the CRL signing certificate ready, restart the wizard and install the certificate in the Certificate Manager’s database. Stop the Certificate Manager. Update the Certificate Manager’s configuration to recognize the new key pair and certificate. In the Certificate Manager host machine, go to this directory: <server_root>/cert-<instance_id>/config Open the...
  • Page 117 Configuring the Certificate Manager Getting Additional SSL Server Certificates The Certificate Manager uses its SSL server certificate to do SSL server-side authentication to the following: • The End-Entity Services interface (the HTTPS port) • The Certificate Manager Agent Services interface •...
  • Page 118: Changing Ports And IP Addresses

    Configuring the Certificate Manager • Renewing a CA certificate involves issuing a new CA certificate with the same subject name and public and private key material as the old CA certificate, but with an extended validity period. As long as the new CA certificate is distributed to all users well before the old CA certificate expires, this approach allows certificates issued under the old CA certificate to continue working for the full duration of their validity periods.
  • Page 119: Changing Passwords Or Storage Settings

    Configuring the Certificate Manager Changing Passwords or Storage Settings Each subsystem stores passwords for its internal database, and for the tokens containing its keys and certificates. See “System Passwords,” on page 250 for information on how these passwords are stored. Configuring Logs Each subsystem creates a number of logs that detail various events and errors.
  • Page 120: Changing The Certificate Issuance Rules

    Configuring the Certificate Manager Changing the Certificate Issuance Rules You can change some of the rules about certificate issuance that were either determined during installation, or are the system defaults. These include: • Whether certificates can be issued that are for validity periods longer than the Certificate Managers CA signing certificate, the default is to not allow.
  • Page 121: Setting Up Authentication

    Configuring the Certificate Manager Also note that when a CA exhausts all its serial numbers, you can revive it by changing the values in the “Next serial number” and “Ending serial number” fields, followed by restarting the Certificate Manager. Default Signing Algorithm section. Specifies the signing algorithm the Certificate Manager should use for signing certificates.
  • Page 122 Configuring the Certificate Manager Agent-Approved Enrollment The Certificate Manager is enabled by default for agent-approved enrollment. The agent-approved enrollment forms are used to enroll end entities that require manual approval and whose requests have been sent to the agent services interface for processing.
  • Page 123: Configuring Policies

    Configuring the Certificate Manager Configuring Policies The Policy feature is a set of plug-ins that you create instances of and then configure. These instances define certificate content and the values for that content and constraints for the content that can either be associated with all certificates, or with a subset of certificates defined using predicates.
  • Page 124: Configuring Publishing

    Configuring the Certificate Manager chooses the certificate profile when submitting the request. You can customize this form. Any enabled certificate profiles will appear as links on this form. Those links take the user to a dynamically created HTML page that is generated based on the inputs set in the certificate profile.
  • Page 125: Setting Up CRLs

    Configuring the Certificate Manager See Chapter 5, “OCSP Responder” for information about both of these services. Setting Up CRLs The CRL feature allows you to set up CRLs that are issued on a periodic basis. You can also define issuing points so that a CRL from that issuing point contains only the list of revoked certificates associated with that issuing point.
  • Page 126: Customizing The End Entity Interface

    How The Certificate Manager Works Customizing the End Entity Interface CMS provides you with a set of forms that are available at the end entity interface and are preconfigured for various types of interaction with the end entity. You can customize this interface by changing which forms are available, and by changing the forms themselves.
  • Page 127 How The Certificate Manager Works The Certificate Enrollment Process When an end-entity enrolls in your PKI requesting a certificate, a number of things can happen depending on your configuration and the subsystems you have installed. The following lists those events in the approximate order they occur: •...
  • Page 128 How The Certificate Manager Works • The policies or certificate profile associated with the form determine aspects of the certificate that is issued. Depending on the policies or certificate profile that are associated with the form, the request is evaluated against these to determine if the request meets the constraints set, if the required information is provided, and what the resultant certificate will contain.
  • Page 129: Renewal

    How The Certificate Manager Works Renewal The Certificate Manager allows for the renewal of certificates. Certificates can be renewed if the policies associated with renewal are enabled and if the request meets the criteria of those policies. The Certificate Manager is set up for a single method of renewal.
  • Page 130: Federal Bridge CA

    Federal Bridge CA Federal Bridge CA CMS supports Federal Bridge Certificate Authority (FBCA) by providing the capability to issue, import, and publish cross-pair CA certificates. With cross-pair certificates, one CA signs and issues a cross-pair certificate to a second CA, and the second CA signs and issues a cross-pair certificate to the first CA.
  • Page 131: Publishing Cross-Pair Certificates

    Cloning a CA ./ldapsearch -h <yourHostName> -p <yourCAInternalDBPort> -b "o=netscapeCertificateServer" -D "cn=Directory Manager" -w <DirectoryManagerPassword> "cn=crossCerts" See “Certificate Setup Wizard,” on page 296 for more information about the Certificate Setup Wizard. Publishing Cross-Pair Certificates You can publish cross-pair certificates (as a crossCertificatePair) to either an LDAP directory or to a file.
  • Page 132 Cloning a CA When you set up a Certificate Manager clone, the clone and the master share the revocation status of the certificates they have issued. Though the cloned CA cannot generate the CRL itself, it can revoke certificates, and display, import, and download previously generated CRL lists.
  • Page 133: Chapter 4 Registration Manager

    Chapter 4 Registration Manager The Registration Manager is an optional subsystem that provides Registration Authority functionality. It establishes a trusted relationship with a Certificate Manager in which its requests are processed. This chapter details how to install and configure a Registration Manager and includes the following sections: •...
  • Page 134 Registration Manager Deployment Considerations You submit this request either to a CMS CA, or you submit the request to a third party public CA and then install the certificate you receive from the CA during the rest of the installation. If you submit the request to a CMS CA, the installation program will allow you to submit the request to the CA in the install wizard, and pick up the certificate once it is approved.
  • Page 135: Registration Manager Interfaces

    Registration Manager Deployment Considerations Registration Manager Interfaces When you install a Registration Manager, three interfaces are enabled. The installation wizard lets you choose the ports these interfaces listen on. The following interfaces, and associated ports, will be created: • An Administrative interface that is accessible by default only to members of the Administrator and Auditor groups.
  • Page 136: Password Storage

    Registration Manager Deployment Considerations • An End-Entity interface that is accessible by anyone who can access that URL. The end-entity interface is an HTML interface accessible through either HTTPS or HTTP (there are two ports set up by default). The default interface provides forms for the various types of enrollment and other tasks an end entity can perform and is completely customizable.
  • Page 137: Tokens

    Installing a Registration Manager If you decide to generate a new signing key, one of the first decisions you need to make is whether to use the RSA or DSA algorithm. If you use DSA, the software can generate and verify the PQG value. PQG values are used to create the DSA signing key pair.
  • Page 138 Installing a Registration Manager Logon Token. Enter either (if you plan to use the internal/software internal token) or the name of an external token to store the Registration Manager signing certificate and key pair. If you have not previously initialized the token’s password, you must do so in this screen.
  • Page 139 Installing a Registration Manager Network Configuration. Type the numbers for the ports to be used by the CMS instance. See “Registration Manager Interfaces” on page 135 for more information. Click Next to continue. Key-Pair Information for Registration Manager Signing Certificate. Token.
  • Page 140 Installing a Registration Manager Note that the certificate extension text field accepts a single extension blob. If you want to add multiple extensions, you should use the ExtJoiner program, which is also provided in the tools directory. For details on using the program, see Chapter 5, “Extension Joiner Tool”...
  • Page 141 Installing a Registration Manager Note that your request gets added to the agent queue of the remote Certificate Manager for approval by that Certificate Manager’s agent. If you’ve permission to access that Certificate Manager’s Agent interface, you can follow the instructions below to issue the certificate. Otherwise, you should wait for the remote Certificate Manager’s agent to approve your request.
  • Page 142 Installing a Registration Manager The request gets added to the agent queue of the remote Certificate Manager for approval by that Certificate Manager’s agent. If you’ve permission to access that Certificate Manager’s Agent interface, you can follow the instructions below to issue the certificate. Otherwise, you’ll have to wait till the remote Certificate Manager’s agent approves your request.
  • Page 143 Installing a Registration Manager This action copies the certificate request to the clipboard. In addition to the copy on the clipboard, the screen informs you that the certificate request has been saved to a file. You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the Registration Manager’s signing certificate.
  • Page 144 Installing a Registration Manager Certificate Details. This is an informational screen that displays the certificate so you can inspect its contents. Notice the nickname assigned to the certificate and verify that you’re installing the correct certificate. Click Next to continue. Import Certificate Chain.
  • Page 145 Installing a Registration Manager Subject Name for SSL Server Certificate. Type the values for the subject DN components; these values identify the Registration Manager’s SSL server certificate. The CN must be the fully-qualified host name of the machine on which you’re installing the Registration Manager. Click Next to continue.
  • Page 146 Installing a Registration Manager Note that your request gets added to the agent queue of the remote Certificate Manager for approval by that Certificate Manager’s agent. If you’ve permission to access that Certificate Manager’s Agent interface, you can follow the instructions below to issue the certificate. Otherwise, you should wait for the remote Certificate Manager’s agent to approve your request.
  • Page 147 Installing a Registration Manager In the resulting form, choose the type of request from the pull down menu, paste the request in the request field, and fill in the other fields on the form. Click Submit. If you used the Agent-Based Server Certificate Enrollment and you have an agent certificate, the certificate will be automatically issued once you submit the request.
  • Page 148 Installing a Registration Manager Make sure that the certificate request (including -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----) is highlighted, and click the Copy to Clipboard button. This action copies the certificate request to the clipboard. In addition to the copy on the clipboard, the screen informs you that the certificate request has been saved to a file.
  • Page 149 Installing a Registration Manager If you noted the request ID of your request and know the host name and end-entity port number of the Certificate Manager that issued the certificate, select the “The certificate is at the CMS server where the request was sent”...
  • Page 150: Configuring A Registration Manager

    Configuring a Registration Manager You now need to create the first agent user for the Registration Manager. See “Agent Certificates,” on page 335 for details. You also need to set up a trusted relationship with the CA that will issue certificates for this Registration Manager.
  • Page 151: Configuring Authorization

    Configuring a Registration Manager Configuring Authorization Each subsystem has a set of predefined roles that are assigned a default set of privileges. You create users in the CMS database and then assign them to a group to give them the privileges of that group. The privileges assigned to a group are controlled by Access Control Instructions (ACIs) placed in Access Control Lists (ACLs).
  • Page 152: Managing Certificates And The Certificate Database

    Configuring a Registration Manager Managing Certificates and the Certificate Database The signing certificate and SSL encryption certificate are created and installed during the installation of the Registration Manager. See “Registration Manager's Certificates,” on page 133 for more information about these certificates and the things you should consider before getting these certificates.
  • Page 153: Changing Ports And IP Addresses

    Configuring a Registration Manager If you configure the Registration Manager for SSL-enabled communication with a publishing directory, the Registration Manager also uses its SSL server certificate for SSL client authentication to the publishing directory. This is the default configuration. You can configure the Registration Manager to use an alternate certificate for this purpose;...
  • Page 154: Configuring Logs

    Configuring a Registration Manager Configuring Logs Each subsystem creates a number of logs that detail various events and errors. Each subsystem also has the ability to create signed audit logs that create audit trails that can only be read by a user with auditor privileges. The log feature is configurable allowing you to change the settings for some of the logs.
  • Page 155: Setting Up Authentication

    Configuring a Registration Manager Setting Up Authentication The first step in configuring enrollment is setting up authentication. You can set up more than one type of authentication. Each type you set up must be associated with a particular form in the interface. If you are using the certificate profile feature for enrollments, the forms are dynamically generated with the content being determined by the inputs you set for a particular certificate profile.
  • Page 156: Configuring Policies

    Configuring a Registration Manager If you use an agent-approved enrollment process, you can use the agent services interface forms that are provided, or you can customize those forms to change the look and feel, or to change some of the default functionality provided in the forms. See the Netscape Certificate Management System Customization Guide for details.
  • Page 157: Configuring Certificate Profiles

    Configuring a Registration Manager enrollment request is processed, it is evaluated against all policies that are applicable to this type of request. Any policy that has no predicate is evaluated against all certificate requests. Those with predicates are evaluated against certificates requests that match the predicate value of the policy.
  • Page 158: CRLs

    Configuring a Registration Manager Each certificate profile that will be used is configured by an administrator. The administrator configures defaults and constraints, inputs, outputs, and specifies the authentication method for each certificate profile. The certificate profiles that have been configured are listed in the agent services interface where the agent has to approve the certificate profile to enable it.
  • Page 159: Setting Up Jobs

    How a Registration Manager Works Setting Up Jobs The jobs feature that allows you to send automated jobs is disabled after installation. You need to enable and configure jobs in order to use this feature. For detailed information on setting up jobs, see Chapter 13, “Automated Jobs.” Customizing the End Entity Interface CMS provides you with a set of forms that are available at the end entity interface and are preconfigured for various types of interaction with the end entity.
  • Page 160 How a Registration Manager Works change the content and the look and feel of the forms. You can also do this by creating certificate profiles for each with a dynamically generated form associated with each certificate profile. You customize the dynamically created certificate profile forms by configuring the inputs associated with the certificate profile.
  • Page 161 How a Registration Manager Works • The form can collect information about the end entity from an LDAP directory when the form is submitted. You can set up policies using predicates that request this information from the LDAP directory when the user authenticates using an LDAP user ID and password.
  • Page 162: Renewal

    How a Registration Manager Works • The certificate that was issued is stored in the internal database of the Certificate Manager. • You can set up publishing in the Certificate Manager, in which case the certificate will be published according to the rules set up in the Certificate Manager.
  • Page 163 How a Registration Manager Works Registration Manager agents can approve requests made by end entities to revoke their certificates, but agents cannot revoke certificates on their own. The Certificate Manager agent for the CA that issued the certificate would have to revoke a certificate.
  • Page 165: Chapter 5 OCSP Responder

    Chapter 5 OCSP Responder This chapter provides an overview of an Online Certificate Status Protocol (OCSP) service, and explains how you can use the OCSP service built into the Certificate Manager for real-time verification of certificates issued by the Certificate Manager. The chapter also explains how to install and configure an Online Certificate Status Manager to publish CRLs.
  • Page 166: How OCSP Services Work

    About OCSP Services How OCSP Services Work An OCSP service works as follows: A CA is set up to issue certificates that include the Authority Information Access Extension, whose value identifies an OCSP responder that can be queried for the status of the certificate. One or more CAs periodically publish CRLs to an OCSP responder.
  • Page 167: OCSP Responses

    About OCSP Services • A responder that holds a specially marked certificate issued to it directly by the CA that revokes the certificates and publishes the CRL. Possession of this certificate by a responder indicates that the CA has authorized the responder to issue OCSP responses for certificates revoked by the CA.
  • Page 168: CMS OCSP Services

    CMS OCSP Services CMS OCSP Services To help you set up an OCSP-compliant PKI, CMS provides two options: • The OCSP-service feature built into the Certificate Manager • The Online Certificate Status Manager How Certificate Manager’s OCSP-Service Feature Works The Certificate Manager has a built-in OCSP-service feature which, when configured, can be used by OCSP-compliant clients to directly query the Certificate Manager about the revocation status of the certificate being validated.
  • Page 169: Setting Up A Certificate Manager With OCSP Service

    Setting Up a Certificate Manager with OCSP Service service. The internal OCSP service checks certificate status by checking the internal database of the Certificate Manager. The Online Certificate Status Manager checks certificate status by checking CRLs provided by the Certificate Manager that it stores in its own internal database.) You can configure the Certificate Manager to generate and publish CRLs whenever a certificate is revoked and at specified intervals, say every 20 minutes.
  • Page 170: Online Certificate Status Manager Deployment Considerations

    Online Certificate Status Manager Deployment Considerations Set up CRLs. You need to configure the Certificate Manager to issue CRLs. See Chapter 14, “Revocation and CRLs” for details on configuring CRLs. You must configure your policies or certificate profiles to include the Authority Information Access extension pointing to the location at which the Certificate Manager listens for OCSP service requests (identified as the instance in the policy framework.) in certificates that are...
  • Page 171 Online Certificate Status Manager Deployment Considerations You submit this request either to a CMS CA, or you submit the request to a third party public CA and then install the certificate you receive from the CA during the rest of the installation. If you submit the request to a CMS CA, the installation program will allow you to submit the request to the CA in the install wizard, and pick up the certificate once it is approved.
  • Page 172: Interfaces

    Online Certificate Status Manager Deployment Considerations Interfaces When you install an Online Certificate Status Manager, three interfaces are enabled. The installation wizard lets you choose the ports these interfaces listen on. The following interfaces, and associated ports will be created: •...
  • Page 173: Password Storage

    Online Certificate Status Manager Deployment Considerations Password Storage Each subsystem stores passwords for its internal database, and for the tokens containing its keys and certificates. See “System Passwords,” on page 250 for information on how these passwords are stored. Tokens You choose either the token (if you plan to use the internal/software internal...
  • Page 174: Installing An Online Certificate Status Manager

    Installing an Online Certificate Status Manager If you decide to generate a new signing key, one of the first decisions you need to make is whether to use the RSA or DSA algorithm. If you use DSA, the software can generate and verify the PQG value. PQG values are used to create the DSA signing key pair.
  • Page 175 Installing an Online Certificate Status Manager Internal Database. Choose to either create a new internal database for this instance or to use an existing Directory Server instance as the internal database for this instance. Next, specify the information for that Directory Server instance.
  • Page 176 Installing an Online Certificate Status Manager Key Length. Available key sizes for RSA are 512, 768, 1024, 2048, 4096, or Custom. Available key sizes for DSA are 512, 1024, or Custom (which must be in increments of 64 bits only). See “Signing Key Type and Length”...
  • Page 177 Installing an Online Certificate Status Manager Enter the URL for the Certificate Manager’s Agent Services page. (You must authenticate using your agent certificate.) Select List Requests, then click Show Pending Requests and click Find. The pending request list is displayed. Locate your request, click Details to see it, and make any changes.
  • Page 178 Installing an Online Certificate Status Manager If the request contains all the required information, you’ll get a notification of request being successfully added to the agent queue of that Certificate Manager for approval by that Certificate Manager’s agent. If you’ve permission to access that Certificate Manager’s Agent interface, you can follow the instructions below to issue the certificate.
  • Page 179 Installing an Online Certificate Status Manager Online Certificate Status Manager Signing Certificate Installation. Depending on whether you have the certificate ready for pasting into the Installation Wizard screen, click Yes or No. Select No if you have submitted your request to a third-party CA or to a remote Certificate Manager for which you do not have agent privileges; you may have to wait days or weeks before you receive the certificate.
  • Page 180 Installing an Online Certificate Status Manager Import Certificate Chain. This screen appears only if you need to import the CA certificate chain. Follow these steps to import the CA chain of a Certificate Manager: Go back to the web browser window from which you copied the Online Certificate Status Manager’s signing certificate (in its base-64 encoded format).
  • Page 181 Installing an Online Certificate Status Manager Token. Enter either (if you plan to use the internal/software internal token) or the name of an external token to store the SSL server certificate and key pair. If you have not previously initialized the token’s password, you must do so in this screen.
  • Page 182 Installing an Online Certificate Status Manager If you want the wizard to generate the certificate request in PKCS #10 format, select the “Generate PKCS10 request” option. If you want the wizard to generate the certificate request in CMC format, select the “Generate CMC full enrollment request” option. Click Next.
  • Page 183 Installing an Online Certificate Status Manager When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file. Be sure to not make any changes to the certificate.
  • Page 184 Installing an Online Certificate Status Manager In the web browser window, enter the URL for the Certificate Manager’s Agent Services page. (You must have a valid agent’s certificate.) Select List Requests, then click Show Pending Requests and click Find. The pending request list is displayed. Locate your request, click Details to see it, and make any changes.
  • Page 185 Installing an Online Certificate Status Manager If you copied the certificate to the clipboard, select the “The certificate is located in the text area below” option and then paste in a base-64 encoded certificate (including the header and footer) in the text area provided. If you know the request ID of your request and the host name and end-entity port number of the Certificate Manager that issued the SSL server certificate, select the “The certificate is at the CMS server where the...
  • Page 186: Setting Up The Ocsp Responder

    Setting Up the OCSP Responder Configuration Status. This screen should indicate that your configuration has been successful and that you need to create an agent for the Online Certificate Status Manager. Click Done to exit the Installation Wizard. You now need to create the first agent user for the Online Certificate Status Manager.
  • Page 187: Configuring The Online Certificate Status Manager

    Configuring the Online Certificate Status Manager Configure the Revocation Info stores. See “Configure the Revocation Info Stores,” on page 193. Identify to the OCSP Responder every Certificate Manager that will publish to it. “Identifying the CA to the OCSP Responder,”...
  • Page 188: Managing Certificates And The Certificate Database

    Configuring the Online Certificate Status Manager can also create new groups and assign privileges to those groups by adding ACI entries for that group in the ACLs. For complete details about creating users, assigning users to groups, creating groups, and changing ACIs and ACLs, see Chapter 8, “Authorization.”...
  • Page 189: Ocsp Certificates

    Configuring the Online Certificate Status Manager Trust Settings and CA Certificates The trusted database also contains the CA certificates for those CAs that the subsystem trusts. If your subsystem has certificates from a CA or accepts certificates that are issued by a CA, it must have a copy of those CA certificates in the trusted database, and they must be configured as trusted; see “Changing the Trust Settings of a CA Certificate,”...
  • Page 190: Changing Ports And Ip Addresses

    Configuring the Online Certificate Status Manager Changing Ports and IP Addresses You set up the ports for each of the interfaces when you install the Online Certificate Status Manager. You can change the ports that any of the interfaces listen on, and you can disable the HTTP (non-SSL) end-entity port if you will not use it.
  • Page 191: Changing Internal Database Settings

    Configuring the Online Certificate Status Manager Changing Internal Database Settings You can change the configuration of the internal database after installation, including restricting access to the internal database; see “The Internal Database,” on page 288 for information on doing this and on viewing the internal database.
  • Page 192 Configuring the Online Certificate Status Manager Go to the Online Certificate Status Manager’s Agent interface. The URL is: https://<hostname>:<port> The Online Certificate Status Manager Agent Services interface appears. In the left frame, click Add Certificate Authority. In the form, paste the encoded CA signing certificate inside the text area labeled “Base 64 encoded certificate (including the header and footer).”...
  • Page 193: Configure The Revocation Info Stores

    Configuring the Online Certificate Status Manager Configure the Revocation Info Stores The Online Certificate Status Manager stores each Certificate Manager’s CRL in its internal database and uses it as the default CRL store for verifying the revocation status of certificates. You can also configure the Online Certificate Status Manager to use the CRL published to an LDAP directory, instead of the CRL in its internal database.
  • Page 194 Configuring the Online Certificate Status Manager includeNextUpdate. The Online Certificate Status Manager can include the time stamp of next CRL update—a future update time for the CRL or the revocation information—in the OCSP response that it sends to OCSP-compliant clients. (According to the OCSP protocol, it is optional to include the time stamp of next CRL update in an OCSP response.) Select this option if you want the OCSP response to contain information about the next CRL update.
  • Page 195: Testing Your Ocsp Setup

  • Page 196 Testing Your OCSP Setup Check the Status of Online Certificate Status Manager (stand-alone OCSP service). Go to the agent services interface for the Online Certificate Status Manager and then go to the List Certificate Authorities page found in the left frame. The resulting form should show information about the Certificate Manager (CA) you configured to publish CRLs to the Online Certificate Status Manager.
  • Page 197: Chapter 6 Data Recovery Manager

    Chapter 6 Data Recovery Manager When data is stored in encrypted form, you must have the private key that corresponds to the public key that was used to encrypt the data in order to decrypt and read it. If the private key is lost, the data cannot be retrieved. A private key can be lost because of a hardware failure, for example, or because the key’s owner forgets the password or loses the hardware token in which the key is stored.
  • Page 198: Clients That Can Generate Dual Key Pairs

    PKI Setup for Key Archival and Recovery • Clients that can generate dual keys and that support the key archival option (using the CRMF/CMMF protocol). These include Netscape 6.2 and Netscape 7.0 and higher. • An installed and configured Data Recovery Manager •...
  • Page 199: Forms For Users And Key Recovery Agents

    Key Archival Process CMS does not provide any policy plug-in modules for the Data Recovery Manager. However, you can write custom policy plug-in modules (that is, write Java classes that implement these rules), register them in the Data Recovery Manager’s policy framework, and create policy rules using these plug-in implementations.
  • Page 200: Where The Keys Are Stored

    Key Archival Process Here are a few situations in which you might need to recover an end-entity’s encryption private key: • An employee loses the encryption private key (for example, after a disk crash or by forgetting the password to the key file) and cannot read encrypted mail messages.
  • Page 201: How Key Archival Works

    Key Archival Process How Key Archival Works When a Certificate Manager or Registration Manager receives a certificate request that contains the key archival option, it automatically forwards the request to the Data Recovery Manager to archive the end-entity’s encryption private key. The Data Recovery Manager receives an encrypted copy of the end-entity’s private key and stores the key in its key repository.
  • Page 202 Key Archival Process The client detects the JavaScript option and exports only the end-entity’s encryption private key, not the signing private key. The Registration Manager detects the key archival option in the end-entity’s request and asks the client for the end-entity’s encryption private key. The client encrypts the end-entity’s encryption private key with the public key from the Data Recovery Manager’s transport certificate;...
  • Page 203: Key Recovery Process

    Key Recovery Process Key Recovery Process The Data Recovery Manager supports agent-initiated key recovery. In this method of key recovery, designated recovery agents use the Key Recovery form provided in the Data Recovery Manager Agent Services interface to process key recovery requests, list archived keys, and approve recovery.
  • Page 204 Key Recovery Process whereby it splits the PIN that protects the token in which the storage key pair resides among n number of key recovery agents and reconstructs the PIN only if m number of recovery agents provide their individual passwords; n must be an integer greater than 1 and m must be an integer less than or equal to n.
  • Page 205 Key Recovery Process Local Versus Remote Key Recovery Authorization Key recovery agents can authorize the recovery of a key locally or remotely. The overview of local and remote authorization provided in this section is intended to help you determine which to use for your organization. You may find it useful to take a look at the Data Recovery Manager agent-specific information in the CMS Agent’s Guide.
  • Page 206: How Agent-Initiated Key Recovery Works

    Key Recovery Process The Data Recovery Manager informs the agent who initiated the key recovery process of the status of the authorizations. When all of the authorizations are entered, the Data Recovery Manager checks the information. If the information presented is correct, it retrieves the requested key and returns it along with the corresponding certificate in the form of a PKCS #12 package to the agent who initiated the key recovery process.
  • Page 207 Key Recovery Process Figure 6-2 The agent-initiated key recovery process These are the steps shown in Figure 6-2: The Data Recovery Manager agent accesses the Key Recovery form using the appropriate client certificate, types the identification information pertaining to the person whose encryption private key needs to be recovered, and submits the request.
  • Page 208 Key Recovery Process If the request passes all the policy rules, the Data Recovery Manager sends a confirmation HTML page to the web browser the agent used. If the request fails any of the policy checks, the server logs an appropriate error message. The confirmation page contains information and input sections: The information section includes the end-entity’s information.
  • Page 209: Key Recovery Agent Scheme

    Key Recovery Process CAUTION The PKCS #12 package contains the private key. To minimize the risk of key compromise, the recovery agent must use a secure, out-of-band means to deliver the PKCS #12 package and its password to the key recipient. As an administrator, you should recommend that the recovery agent use a strong password for encrypting the PKCS #12 package, and also consider setting up an appropriate delivery mechanism.
  • Page 210 Key Recovery Process In the navigation tree, select the Data Recovery Manager, and in the right pane, click the Scheme Management tab. The Scheme Management tab shows the current key recovery scheme. Click Change scheme. The Change Recovery Key Scheme window appears. Netscape Certificate Management System Administrator’s Guide •...
  • Page 211 Key Recovery Process In the New Scheme section, make the appropriate changes: Number of recovery agents required. Type the number of agents required to authorize a key recovery process. The number cannot be zero and must be equal to or less than the total number of recovery agents. Total number of recovery agents.
  • Page 212 Key Recovery Process The tab shows current key recovery agents in the Available Agents list. Select the agent whose password needs to be changed, and click Change Password. The Change Password dialog box appears. Allow the agent to enter the appropriate information. During installation, the Data Recovery Manager prompts you to enter key recovery agent passwords (by default, they are set to , where...
  • Page 213: Installing A Standalone Data Recovery Manager

    Installing a Standalone Data Recovery Manager field you must enter the recovery agent password you specified during installation. Then in the remaining fields, allow the key recovery agent to enter the new password information. If you have more than one key recovery agent, repeat this procedure for all the agents.
  • Page 214 Installing a Standalone Data Recovery Manager The transport certificate was issued by the CA to which you submitted the certificate signing request. You might have submitted the request to the Certificate Manager that is installed in the same instance, internally deployed another CA, or a public CA.
  • Page 215: Tokens

    Installing a Standalone Data Recovery Manager By default, the Data Recovery Manager uses a single SSL server certificate for authentication purposes. However, you can request and install additional SSL server certificates for the Data Recovery Manager. For example, you can configure the Data Recovery Manager to use separate server certificates for authenticating to Netscape Console, the end entity services interface, and the Data Recovery Manager Agent Services interface.
  • Page 216: Installing The Data Recovery Manager

    Installing a Standalone Data Recovery Manager If you decide to generate a new signing key, one of the first decisions you need to make is whether to use the RSA or DSA algorithm. If you use DSA, the software can generate and verify the PQG value. PQG values are used to create the DSA signing key pair.
  • Page 217 Installing a Standalone Data Recovery Manager Internal Database. Choose to either create a new internal database for this instance or to use an existing Directory Server instance as the internal database for this instance. Next, specify the information for that Directory Server instance.
  • Page 218 Installing a Standalone Data Recovery Manager Key Length. Available key sizes for RSA are 512, 768, 1024, 2048, 4096, or Custom. Available key sizes for DSA are 512, 1024, or Custom (which must be in increments of 64 bits only). See “Key Type and Length”...
  • Page 219 Installing a Standalone Data Recovery Manager To automatically submit the request to a remote Certificate Manager (or for automatic enrollment), follow these steps: Select the “Send the request to a remote CMS now” option. Enter the host name and end-entity port number, and specify whether the end-entity port is SSL enabled.
  • Page 220 Installing a Standalone Data Recovery Manager For example, if you assigned the port number 17006 to the non-SSL end-entity port for your root CA, you would go to the URL http://<hostname>:17006 to bring up the Certificate Manager page for end entities. Click Manual Data Recovery Manager Transport Certificate.
  • Page 221 Installing a Standalone Data Recovery Manager This action copies the certificate request to the clipboard. In addition to the copy on the clipboard, the screen informs you that the certificate request has been saved to a file. You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the Data Recovery Manager’s transport certificate.
  • Page 222 Installing a Standalone Data Recovery Manager Certificate Details. This informational screen displays the certificate so you can inspect its contents. Notice the nickname assigned to the certificate and verify that you’re installing the correct certificate. Click Next to continue. Import Certificate Chain. This screen appears only if you need to import the CA certificate chain.
  • Page 223 Installing a Standalone Data Recovery Manager Token. Enter either (if you plan to use the internal/software internal token) or the name of an external token to store the SSL server and key pair. If you have not previously initialized the token’s password, you must do so in this screen.
  • Page 224 Installing a Standalone Data Recovery Manager Submission of Request. Select whether you want to submit the request manually or send the request automatically to a remote Certificate Manager. To automatically submit the request to a remote Certificate Manager (or for automatic enrollment), follow these steps: Select the “Send the request to a remote CMS now”...
  • Page 225 Installing a Standalone Data Recovery Manager Open a web browser window. Go to the end-entity URL for the Certificate Manager that will issue the SSL server certificate. For example, if you assigned the port number 17006 to the non-SSL end-entity port for your root CA, you would go to the URL http://<hostname>:17006 to bring up the Certificate Manager page for end entities.
  • Page 226 Installing a Standalone Data Recovery Manager When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file. Be sure to not make any changes to the certificate.
  • Page 227 Installing a Standalone Data Recovery Manager Location of Certificate. Specify the location of the certificate. You can use any of these options: If you copied the encoded certificate to a file, select the “The certificate is located in this file” option and then type the file path, including the filename, in the text field.
  • Page 228: Configuring Key Archival And Recovery Process

    Configuring Key Archival and Recovery Process Single Sign-on Summary. Check the summary and select whether to retain or delete the password.conf file. The single sign-on password simplifies the way you subsequently sign on to CMS by storing the passwords for the internal database, tokens, and so on. Each time you log on, you’re only required to enter this single password.
  • Page 229 Configuring Key Archival and Recovery Process Step A. Deploy Clients That Can Generate Dual Key Pairs You can use the Data Recovery Manager to archive and recover keys only from clients that support dual key-pair generation, the key archival option, and the CMC protocol.
  • Page 230 Configuring Key Archival and Recovery Process • The key archival option—this must be included in the certificate enrollment form that your users use to request certificates. • The Data Recovery Manager’s transport certificate—this must also be included in the certificate enrollment form (ProfileSelect.template). The Data Recovery Manager uses it to encrypt the end-entity’s encryption private key with the public key in the transport certificate before sending the end-entity’s key to its key repository.
  • Page 231 Configuring Key Archival and Recovery Process Click Details, and view the certificate information. Make sure that the certificate you are looking at is the correct one; the certificate shows the DN that was specified for the transport certificate during the installation of Data Recovery Manager. Scroll down to the section that says “Installing this certificate in a server.”...
  • Page 232 Configuring Key Archival and Recovery Process Use the command-line tool called certutil to retrieve the transport certificate from the Data Recovery Manager’s certificate database. (For information on the certutil tool, check this site: http://www.mozilla.org/projects/security/pki/nss/tools/) First, go to this directory: <server_root>/cert-<instance_id>/config Next, run this command: <server_root>/bin/cert/tools/certutil -L -d .
  • Page 233 Configuring Key Archival and Recovery Process Open the text file that has the Data Recovery Manager’s transport certificate (the one you copied earlier) and copy the certificate. Paste the certificate as the value of the kraTransportCert variable. Paste the certificate in front of the sign, remove any line breaks, enclose the certificate within double-quotation marks ("), and end the string with...
  • Page 234: Step 2. Set Up The Key Recovery Process

    Configuring Key Archival and Recovery Process The method triggers the client to generate two RSA key pairs—one key of length 512 for encrypting data and another key of length 1024 for signing data. Save your changes. Step D. Configure Key Archival Policies This step is optional.
  • Page 235 Configuring Key Archival and Recovery Process Verify that the current m of n scheme is appropriate for your PKI setup. If it isn’t, change the scheme following the instructions in “Changing the Key Recovery Agent Scheme” on page 209. Step B. Facilitate the Key Recovery Agents to Change the Passwords During the installation of Data Recovery Manager, after you specified the m of n scheme, you were also prompted to provide unique passwords for each recovery...
  • Page 236: Step 3. Test Your Key Archival And Recovery Setup

    Configuring Key Archival and Recovery Process Step E. Configure Key Recovery Policies This step is optional. Unlike Certificate Manager and Registration Manager, no policy plug-in modules are provided for the Data Recovery Manager. If you have implemented any custom policies for the Data Recovery Manager’s key recovery process, you should make sure that they are configured properly.
  • Page 237 Configuring Key Archival and Recovery Process Approve the request. This step is required only if you used the manual enrollment form for requesting the certificate. Go to the enrollment authority’s Agent Services interface. The default URL is as follows: https://<hostname>:<agent_port> Click the link that says List Requests.
  • Page 238 Configuring Key Archival and Recovery Process If the key has been archived successfully, you should see the information pertaining to that key. If you don’t see the key archived, check the logs and correct the problem before proceeding to the next step. If the key has been successfully archived, exit the client completely—that is, from the File menu, select Exit;...
  • Page 239 Configuring Key Archival and Recovery Process The key owner’s name The serial number of the key The public key that corresponds to the private key (in the form of base-64 encoded certificate) The instance ID of the enrollment authority that initiated the key archival process If you need more information about any of the fields in this form, click the Help button.
  • Page 240 Configuring Key Archival and Recovery Process Open the test email that you couldn’t verify after deleting the certificate from the browser’s certificate database; you should be able to verify it again.
  • Page 241: Chapter 7 Administrative Basics

    Chapter 7 Administrative Basics This chapter discusses the Netscape Certificate Management System (CMS) user interface, the configuration file, and other basic administrative tasks like starting and stopping the server, managing logs, changing port assignments, and changing the internal database. This chapter contains the following sections: •...
  • Page 242: The Administrative Interface

    The Administrative Interface The Administrative Interface CMS provides a GUI-based administration tool called the CMS console that is accessible from Netscape Console. Netscape Console is a GUI-based front-end for Netscape Administration Server and allows you to manage servers as well as users.
  • Page 243: Netscape Console

    The Administrative Interface Netscape Console Netscape Console is a stand-alone Java application that provides a GUI-based front end to all network resources registered in an organization’s configuration directory. This unified administration interface simplifies network administration by supplying access points to all Netscape server instances installed across a network.
  • Page 244 The Administrative Interface Log into Netscape Console by filling in the following field: User ID. Type the administrator user ID. You should log in using the administrator user ID; using the cn=Directory Manager user ID gives you full privileges with Directory Server, but does not allow you to create CMS server instances.
  • Page 245: The Cms Console

    The Administrative Interface The CMS Console The CMS console is a GUI-based administration interface that allows you to perform day-to-day operational and managerial duties for CMS and configure the server. You launch the CMS console from within Netscape Console. You can use the CMS console to access the server locally or remotely. The console has the following tabs: •...
  • Page 246 The Administrative Interface You must log in to CMS as an administrator user of CMS. Provide the administrator user ID and password in the following fields: User ID. Provide a user ID that has CMS administrator privileges. Password. Type the password for this user ID. Note: If SSL client authentication is set up for this server, you will be presented with a list of your certificates to choose from in order to log in.
  • Page 247: Setting Up Certificate Authentication For The Cms Console

    The Administrative Interface Description. Additional information that helps you identify the CMS instance. You can change this description. Installation Date. The date the server was installed. Server Root. The directory in which all servers are installed. Product Name. The complete product name. Vendor.
  • Page 248 The Administrative Interface Storing an Administrator’s Client Certificates You must store the certificates for any administrator using this system. The certificate should be either from the CA itself, or from whichever CA signed the certificate for the subsystem. Make sure the client certificate is valid for SSL client authentication; otherwise, the server will not accept the client certificate and will post the following error message in the error log located in the directory <server_root>/cert-<instanceID>/logs/errors...
  • Page 249 The Administrative Interface Go to the Configuration tab, and then select the Users tab in the left hand panel. Click Certificates to add the client certificate. The Manager User Certificates window appears. Paste the certificate into the window. Click Import. Repeat from step 6 for each administrator until the certificates for all administrators have been imported.
  • Page 250: System Passwords

    System Passwords System Passwords CMS has a password-quality checker for internal passwords that you can configure to your needs. It stores token passwords in a plain text file, and stores all other passwords in an encrypted password cache file. Password-Quality Checker CMS comes with a plug-in, called password-quality checker, to monitor the quality of passwords set within the CMS system.
  • Page 251 System Passwords • For a Certificate Manager the token password unlocks the private keys for the Certificate Manager’s CA signing and SSL server certificates. If the Certificate Manager’s OCSP option was enabled during installation, then the password also unlocks the private key for the Certificate Manager’s OCSP signing certificate.
  • Page 252: Starting, Stopping, And Restarting Cms Instances

    Starting, Stopping, and Restarting CMS Instances • The bind password used by CMS to access and remove PINs from the authentication directory, if you’ve configured CMS to remove PINs from the authentication directory. • The bind password used by CMS to access and create/modify user entries in the directory used for portal registration, if you’ve configured CMS for portal enrollment.
  • Page 253: Stopping A Server Instance

    Starting, Stopping, and Restarting CMS Instances NOTE If you chose to delete the password.conf file during installation, you must start the server instance on the command line; you cannot start the server instance from the CMS console. For more information, see “Passwords Stored by the Server,” on page 250.
  • Page 254: Restarting A Server Instance

    Starting, Stopping, and Restarting CMS Instances Select the CMS instance you want to stop from the Netscape Console navigation tab, then right-click it and select the Stop Server option from the pop-up menu. Alternatively, log in to Netscape Console (see “Logging Into Netscape Console” on page 243).
  • Page 255: Subsystem Configuration Overview

    Subsystem Configuration Overview Go to the following directory: <server_root>/cert-<instance_id> Type the following command: ./restart-cert Subsystem Configuration Overview Once you install CMS on a host, you are ready to configure any subsystems that will run on that host. You can configure multiple subsystems on a host, or multiple instances of a single subsystem.
  • Page 256: Removing An Instance From A System

    Subsystem Configuration Overview Type a unique name or identifier for the new instance. You can use any combination of letters, digits (0 to 9), an underscore (_), and a hyphen (-); other characters and spaces are not allowed. For example, you can type Pilot_root-CA as the instance name, but not...
  • Page 257: Mail Server

    Mail Server Mail Server The notifications and jobs features use the mail server set up in the CMS instance to send their notification messages. You set up a mail server using the following procedure: In the CMS window, select the Configuration tab, and then in the right pane, select the SMTP tab.
  • Page 258: Editing The Configuration File

    Configuration Files <server_root>/cert-<instance_id>/config where: <server_root> specifies the directory in which CMS is installed, and <instance_id> specifies the name of the CMS instance. Editing the Configuration File CAUTION Do not edit the configuration file directly if you are not familiar with the configuration parameters or if you are not sure that the changes you intend to make are acceptable to the server.
  • Page 259: Guidelines For Editing The Configuration File

    Configuration Files Guidelines for Editing the Configuration File The following are guidelines for editing the configuration file: • The format for parameters is as follows: #comment [parameter]=value • Comment lines begin with the pound character and are ignored. • A line beginning with white space is considered a continuation of the previous line.
  • Page 260 Configuration Files All authentication-specific information, such as names of registered authentication plug-in modules and any configured instances, appears in the Authentication section of the configuration file. Each registered authentication plug-in module is identified by its implementation name and the corresponding Java class. Each configured instance of an authentication module is identified by the name or ID you specified when creating it.
  • Page 261: Duplicating Configuration From One Instance To Another

    Logs Each configured rule of a policy module is identified by the name specified when the rule was created. You can create multiple rules out of an implementation; each rule must have a unique name. To do this, you would copy all of the parameters belonging to the module used to create the instance.
  • Page 262: About Logs

    Logs About Logs CMS creates log files that record events related to its activities, such as administration, communications using any of the protocols the server supports, and various other processes employed by the subsystems the server manages. While CMS is running, it keeps a log of information and error messages on all the components it manages.
  • Page 263 Logs Installation and Setup Logs The following logs are created when the CMS instance is installed; the information about logs in this section does not pertain to these logs: config_cgi.log. Created by the config_cgi daemon, which forwards configuration client (Java UI) requests to the configuration daemon. daemon.err.
  • Page 264: Services That Are Logged

    Logs Services That Are Logged All major components and protocols (or services) of CMS log messages to log files. Table 7-1 lists services that are logged by default. If you want to view messages logged by a specific service, you can customize log settings accordingly. For details, see “Monitoring Logs”...
  • Page 265: Log Levels (Message Categories)

    Logs Log Levels (Message Categories) For identification and filtering purposes, events logged by all CMS-supported services are classified into various categories. These are listed in Table 7-2. Each category represents messages that are of the same or a similar nature or that belong to a specific functional area.
  • Page 266: Buffered Versus Unbuffered Logging

    Logs Table 7-2 Classification of Log Entries or Messages (Continued). Log level / Message category / Description: Misconfiguration. These messages indicate that a misconfiguration in the server is causing an error. Catastrophic failure. These messages indicate that because of an error, the service cannot continue running.
  • Page 267 Logs • When current logs are read from CMS console—the server retrieves the latest log when it is queried for current logs. If you configure the server for unbuffered logging, the server flushes out messages as they are generated to the log files. Because the server performs an I/O operation (writing to the log file) each time a message is generated, configuring the server for unbuffered logging decreases performance.
  • Page 268: Configuring Logs In The Cms Console

    Logs Configuring Logs in the CMS Console This procedure describes how to configure system, transaction, and audit logs. To configure logs for a CMS instance: Log in to the CMS console (see “Logging Into the CMS Console” on page 245). In the navigation tree, select Logs.
  • Page 269 Logs Use any combination of letters (A to Z, a to z), digits (0 to 9), an underscore (_), and a hyphen (-); do not use other characters or spaces. type. Select audit to create a listener that records audit logs; for error, transaction, and system logs, select system. enabled.
  • Page 270: Configuring Logs In The Cms.cfg File

    Logs logSigning. Set to true to enable signed logging; set to false to disable signed logging. When you enable this parameter, you must also provide a value for the signedAuditCertNickname parameter. When this feature is enabled, this log can only be viewed by an auditor. See “Signed Audit Log,” on page 263 for more information about signed audit logs.
  • Page 271 Logs expirationTime. Specify, in seconds, the age limit for deleting the rotated log files. The default value is 0 seconds, which indicates that the rotated log files should not be deleted. If you provide a value, the rotated log will be deleted from your system after that time has elapsed.
  • Page 272: Monitoring Logs

    Logs Monitoring Logs When you have problems with CMS that require troubleshooting, you may find it helpful to check the error or informational messages that the server has logged. Also, by examining the log files you can monitor many aspects of the server’s operation.
  • Page 273: Signing Log Files

    Logs Date. Indicates the date on which the entry was logged. Time. Indicates the time at which the entry was logged. Details. Provides a brief description of the log. To view an entry in its entirety, either double-click it or select the entry and click View.
  • Page 274: Registering A Log Module

    Logs <cert_nickname> Specifies the nickname of the certificate you want the utility to use for signing. <output> Specifies the name of the JAR file (a signed zip file). <input> Specifies the path to the directory that contains the log files. Registering a Log Module You can create new log modules using the CMS SDK.
  • Page 275: Deleting A Log Module

    Signed Audit Log Deleting a Log Module You can delete unwanted log plug-in modules using the CMS console. Before deleting a module, be sure to delete all the listeners that are based on this module; see “Log File Rotation” on page 267. To delete a module: Log in to the CMS console (see “Logging Into the CMS Console”...
  • Page 276 Signed Audit Log Table 7-3 Signed-Audit Log Events. Logging Event / Type of Log Messages that are Generated: AUDIT_LOG_STARTUP The startup of the subsystem, and thus the start of the audit function. AUDIT_LOG_SHUTDOWN The shutdown of the subsystem, and thus the shutdown of the audit function.
  • Page 277 Signed Audit Log Table 7-3 Signed-Audit Log Events. Logging Event / Type of Log Messages that are Generated: AUDIT_LOG_DELETE The signed audit log expires or is deleted. Note: The authorization system should not allow such a deletion. LOG_PATH_CHANGE The path or name for the signed audit, system, transaction or any customized log is changed.
  • Page 278: Setting Up Signed Audit Logs

    Signed Audit Log Table 7-3 Signed-Audit Log Events. Logging Event / Type of Log Messages that are Generated: AUTH_FAIL A user does not successfully authenticate. AUTH_SUCCESS A user does successfully authenticate. CERT_PROFILE_APPROVAL A certificate profile sent by an administrator is approved by an agent. PROOF_OF_POSSESSION Proof of possession is checked during certificate enrollment.
  • Page 279: Audit Logging Failures

    Signed Audit Log Use the Certificate Setup Wizard to obtain a certificate request for the private keys and certificates that will be used to sign the log files. When running the certificate wizard, specify that the request is of type Other, and request that the output be a certificate request in PKCS#10 format.
  • Page 280: Self Tests

    Self Tests When this happens, CMS administrator(s) and CMS auditor(s) should work together with the Operating System administrator to resolve the disk space or file permission issue(s). When the IT problem is resolved, the auditor should make sure that the last audit log entries are signed. If not, they should be preserved by manual signing (see “Signing Log Files”...
  • Page 281: Self Test Configuration

    Self Tests Self Test Configuration The self tests feature, and individual self tests, are registered and configured in the cms.cfg file. A self test can either be “enable” or “disable”, meaning that a particular self test is listed for either on-demand or start up self test, and it can have two states, “nothing”...
  • Page 282 Self Tests
  • Page 283: Ports

    Ports Save the file. Start CMS. Ports About Ports CMS listens on different ports for requests from different types of users. As illustrated in Figure 7-1, it listens on an administration port, an agent port, and an end-entity port. Figure 7-1 CMS Ports Chapter 7 Administrative Basics...
  • Page 284 Ports Port Considerations When choosing ports for CMS consider the following: • Be sure to choose ports that are unique on the host system. • To verify that a port is available for use, check the appropriate file for your operating system;...
  • Page 285 Ports For example, the URL to a Certificate Manager agent interface would look like this: https://demoCA.example.com:5600/ca If you change the agent port number, be sure to inform your agent users. End-Entity Ports For requests from end entities, CMS can listen to two ports, an SSL (encrypted) port and a non-SSL port.
  • Page 286: Changing A Port Number

    Ports Changing a Port Number To change a port number: Stop the CMS instance; see “Starting, Stopping, and Restarting CMS Instances” on page 252. Go to the CMS configuration directory: <server_root>/cert-<instance_id>/config Open the server.xml file in a text editor and edit the appropriate port numbers: To change the administration port, locate this line and edit the value of the...
  • Page 287: Changing An IP Address

    Changing an IP Address <VS id="ee-vs" state="on" urlhosts="<hostname>.<domainname>" mime="mime1" aclids="acl1" connections="eeSSL_default"> If you don’t want end-entity interaction with a subsystem, for example, if you don’t want end entities to interact with a Certificate Manager, you can remove this port too (in addition to the HTTP port). Save your changes.
  • Page 288: The Internal Database

    The Internal Database To change the end-entity HTTPS IP address, locate this line and edit the value of the ip attribute: <LS id="eeSSL" ip="0.0.0.0" port="443" security="on" acceptorthreads="1" blocking="no"> Save your changes and close the file. Restart the CMS instance; see “Starting, Stopping, and Restarting CMS Instances”...
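The port and address changes described above, as an added example that is not Netscape's own tooling: a small script that lists the <LS> listeners in server.xml, changes a listener's port or ip, refuses a port already used by another listener (ports must be unique on the host), drops the non-SSL end-entity listener together with any <VS> bound to it, and checks whether a port can still be bound while the instance is stopped. The guide shows only the eeSSL element; the other listener ids (admin, agent, ee), the self-closing <LS/> form, and the whole sample document are assumptions constructed for this example.

```python
"""Inspect and change CMS listen sockets in server.xml (added example)."""
import socket
import xml.etree.ElementTree as ET

# Constructed sample; only the eeSSL element follows the guide verbatim,
# the other ids and the self-closing form are assumptions.
SAMPLE_SERVER_XML = """<SERVER>
  <LS id="admin" ip="0.0.0.0" port="8100" security="on" acceptorthreads="1" blocking="no"/>
  <LS id="agent" ip="0.0.0.0" port="5600" security="on" acceptorthreads="1" blocking="no"/>
  <LS id="eeSSL" ip="0.0.0.0" port="443" security="on" acceptorthreads="1" blocking="no"/>
  <LS id="ee" ip="0.0.0.0" port="80" security="off" acceptorthreads="1" blocking="no"/>
  <VS id="ee-vs" state="on" urlhosts="demoCA.example.com" connections="eeSSL"/>
</SERVER>
"""


def listeners(xml_text):
    """Return {id: (ip, port, security)} for every <LS> element."""
    root = ET.fromstring(xml_text)
    return {ls.get("id"): (ls.get("ip"), int(ls.get("port")), ls.get("security"))
            for ls in root.iter("LS")}


def virtual_servers(xml_text):
    """Return the ids of all <VS> elements, in document order."""
    return [vs.get("id") for vs in ET.fromstring(xml_text).iter("VS")]


def set_listener(xml_text, ls_id, port=None, ip=None):
    """Return server.xml with the listener's port and/or ip changed.

    Rejects a port outside 1-65535, a port already used by another
    listener, and an ip that is not a dotted quad.
    """
    root = ET.fromstring(xml_text)
    target = next((ls for ls in root.iter("LS") if ls.get("id") == ls_id), None)
    if target is None:
        raise ValueError(f"no listener with id {ls_id!r}")
    if port is not None:
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} out of range")
        for ls in root.iter("LS"):
            if ls is not target and int(ls.get("port")) == port:
                raise ValueError(f"port {port} already used by listener {ls.get('id')!r}")
        target.set("port", str(port))
    if ip is not None:
        try:
            socket.inet_aton(ip)
        except OSError as exc:
            raise ValueError(f"bad ip {ip!r}") from exc
        target.set("ip", ip)
    return ET.tostring(root, encoding="unicode")


def remove_listener(xml_text, ls_id):
    """Drop a listener (e.g. the non-SSL end-entity port) and any VS bound to it."""
    root = ET.fromstring(xml_text)
    targets = [ls for ls in root.findall("LS") if ls.get("id") == ls_id]
    if not targets:
        raise ValueError(f"no listener with id {ls_id!r}")
    for ls in targets:
        root.remove(ls)
    for vs in root.findall("VS"):
        # a VS whose connections list names the removed listener is dead too
        if ls_id in vs.get("connections", "").split(","):
            root.remove(vs)
    return ET.tostring(root, encoding="unicode")


def port_is_free(port, ip="0.0.0.0"):
    """True if a TCP socket can be bound to ip:port now (run with CMS stopped)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((ip, port))
            return True
        except OSError:
            return False


if __name__ == "__main__":
    for lid, (addr, prt, sec) in listeners(SAMPLE_SERVER_XML).items():
        print(f"{lid:6} {addr}:{prt} security={sec} free={port_is_free(prt)}")
    print(set_listener(SAMPLE_SERVER_XML, "eeSSL", port=8443))
```

Run it against a copy of server.xml while the instance is stopped; a listener whose port is reported as not free is colliding with another service on the host, which is the check the Port Considerations section asks for.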
  • Page 289: Changing The Internal Database Configuration

    The Internal Database To fulfill these functions, CMS maintains a persistent store—a preconfigured Netscape Directory Server—referred to as the internal database or local database. The internal database is installed automatically as a part of the CMS installation. It is used as an embedded database exclusively by CMS and can be managed using Directory management tools that come with Netscape Directory Server.
  • Page 290: Enable Ssl Client Authentication With The Internal Database

    The Internal Database By default, the host name of the Directory Server instance being used as the internal database is shown as localhost instead of the actual host name (for example, certificates.example.com). This is done on purpose to insulate the internal database from being visible outside the system: a server on localhost can only be accessed from the local machine.
  • Page 291: Restricting Access To The Internal Database

    The Internal Database internaldb.ldapconn.port=<ldap_httpsport> internaldb.ldapconn.secureConn=true internaldb.ldapauth.clientCertNickname=Server-Cert cert-<instance_name> Go to the Directory Server console. Create an entry for the suffix which matches the subject DN of the CMS subsystem certificate for the subsystem using this internal database. For example, if your CA server certificate has the subject name cn=jupiter.example.com,ou=marketing,o=example,l=mv,c=us then create a suffix .
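An added example, not code from Netscape CMS, that ties together three passages in this chapter: the parameter format given under Guidelines for Editing the Configuration File (# comments, name=value, a whitespace-led line continuing the previous line), the rule under Configuring Logs in the CMS.cfg File that logSigning=true needs a signedAuditCertNickname, and the internaldb.* and jss.ocspcheck.enable parameters shown above. It parses a CMS.cfg-style file and reports the settings an auditor would want flagged. Assumptions: a continuation line is appended to the previous value with its leading white space removed, the signed-audit parameters live under a log.instance.SignedAudit. prefix (the guide gives only the bare parameter names), and the sample configuration is constructed for this example.

```python
"""Parse a CMS.cfg-style file and flag weak settings (added example)."""

# Constructed sample, not a real CMS.cfg; the log.instance.SignedAudit.
# prefix and the nicknames are assumptions.
SAMPLE_CFG = """\
# constructed sample, not a real CMS.cfg
internaldb.ldapconn.host=localhost
internaldb.ldapconn.port=636
internaldb.ldapconn.secureConn=false
internaldb.ldapauth.clientCertNickname=Server-Cert cert-demoCA
log.instance.SignedAudit.logSigning=true
log.instance.SignedAudit.signedAuditCertNickname=
log.instance.SignedAudit.expirationTime=0
jss.ocspcheck.enable=false
# a value that is continued on the next line
ca.policy.rule.list=KeyUsageExt,ExtendedKeyUsageExt,
    CRLDistributionPointsExt
"""


def parse_cms_cfg(text):
    """Return {parameter: value}; raise ValueError on a malformed line."""
    cfg = {}
    last = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#") or not raw.strip():
            continue                      # comment or blank line
        if raw[0] in " \t":               # continuation of the previous line
            if last is None:
                raise ValueError(f"line {lineno}: continuation with no parameter")
            cfg[last] += raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: expected name=value, got {raw!r}")
        last = name.strip()
        cfg[last] = value.strip()
    return cfg


def _true(value):
    return value.strip().lower() == "true"


def audit_cms_cfg(cfg):
    """Return findings about the settings the guide calls out."""
    findings = []
    secure = _true(cfg.get("internaldb.ldapconn.secureConn", "false"))
    if not secure:
        findings.append("internaldb.ldapconn.secureConn is not true: the "
                        "connection to the internal Directory Server is not SSL")
    if cfg.get("internaldb.ldapauth.clientCertNickname") and not secure:
        findings.append("internaldb.ldapauth.clientCertNickname is set but "
                        "secureConn is false: SSL client authentication to the "
                        "internal database cannot take effect")
    for name, value in cfg.items():
        if name.endswith(".logSigning") and _true(value):
            nick = name[: -len("logSigning")] + "signedAuditCertNickname"
            if not cfg.get(nick):
                findings.append(f"{name}=true but {nick} is empty or missing: "
                                "the audit log cannot be signed")
        if name.endswith(".expirationTime") and value.strip() == "0":
            findings.append(f"{name}=0: rotated log files are never deleted; "
                            "plan disk space for them")
    if "jss.ocspcheck.enable" in cfg and not _true(cfg["jss.ocspcheck.enable"]):
        findings.append("jss.ocspcheck.enable is false: revocation status of "
                        "certificates presented during SSL authentication is "
                        "not checked with OCSP")
    return findings


if __name__ == "__main__":
    for finding in audit_cms_cfg(parse_cms_cfg(SAMPLE_CFG)):
        print("WARNING:", finding)
```

Point it at <server_root>/cert-<instance_id>/config/CMS.cfg with the instance stopped; it only reads the file, so it is safe to run before and after an edit to confirm the edit did what you intended.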
  • Page 292: Managing The Certificate Database

    Managing the Certificate Database If you are concerned about this, you can restrict access to the internal database to only those users who know its Directory Manager DN and corresponding password. You can change this password by modifying the single sign-on password cache.
  • Page 293: Viewing And Deleting Certificate Database Content

    Managing the Certificate Database Whether you use an internal token or an external token for generating and storing key pairs, CMS always maintains its list of trusted and untrusted CA certificates in its internal token. You may need to add new certificates to the database, remove unwanted certificates from the database, or change the trust settings of CA certificates in the database.
  • Page 294: Changing The Trust Settings Of A Ca Certificate

    Managing the Certificate Database Click Manage Certificate. The Certificate Database Management window appears. The window lists the certificates. For each certificate, you see the following information: Certificate Name. Specifies the nickname of the certificate. Expiry Date. Specifies the date (and time) on which the certificate expires. Trust Status.
  • Page 295: Installing A New Ca Certificate In The Certificate Database

    Managing the Certificate Database Click Manage Certificate. The Certificate Database Management window appears. The window lists the certificates currently installed for the selected CMS instance; the list is a table, with each certificate occupying a row. Select the CA certificate whose trust setting you want to modify, and click Edit. The Certificate Information window appears.
  • Page 296: Installing A Ca Certificate Chain In The Certificate Database

    Managing the Certificate Database When the Registration Manager attempts to request a service from the Certificate Manager (using the renewed certificate for SSL client authentication), the Certificate Manager fails to authenticate the Registration Manager. This happens because, as a part of validating the certificate presented by the Registration Manager, the Certificate Manager checks its certificate database for the CA that signed the Registration Manager’s certificate.
  • Page 297 Managing the Certificate Database The Certificate Setup Wizard is integrated into the CMS window, enabling you to accomplish the following tasks: • Renew certificates of the CMS managers installed in a CMS instance; renewing a certificate means getting a new certificate with the same subject name and public and private key material as that of the existing certificate, but with an extended validity period.
  • Page 298 Managing the Certificate Database • Step 6. Specify Extensions • Step 7. Copy the Certificate Signing Request • Step 8. Check the Certificate Request Status Step 1. Select the Operation Indicate whether you want to request a certificate or install a certificate. For the purposes of completing the instructions that follow, assume that you chose to request a certificate.
  • Page 299 Managing the Certificate Database • Online Certificate Status Manager Signing Certificate—choose this option if you want to request a signing certificate for the Online Certificate Status Manager. • Registration Manager Signing Certificate—choose this option if you want to request a signing certificate for the Registration Manager. •...
  • Page 300 Managing the Certificate Database To generate a certificate request based on an existing key pair, select the token that contains the key pair you want to use for generating the request. The wizard automatically selects the key pair that corresponds to the certificate you chose in the previous step.
  • Page 301 Managing the Certificate Database • Common name—enter the name as appropriate. Except for the SSL server certificate, the common name format can be a descriptive name of up to 255 characters. For example, you can name the Certificate Manager’s signing certificate as “Root CA for Example Corporation”;...
  • Page 302 Managing the Certificate Database Also note that certificate extensions are required if you are setting up a hierarchy of certificate authorities (CAs). Subordinate CAs must have certificates that include the extension identifying them as either a subordinate SSL CA (which allows them to issue certificates for SSL) or a subordinate email CA (which allows them to issue certificates for secure email).
  • Page 303 Managing the Certificate Database CMS provides tools that generate MIME-64 encoded blobs for many standard extensions. You can use these tools for generating MIME-64 encoded blobs for any extensions that you may want to include in CA and other certificate requests.
  • Page 304 Managing the Certificate Database Table 7-4 Names of files created for certificate signing requests (Continued). Certificate Signing Request / Filename: Certificate Manager OCSP signing certificate, ocspcsr.txt; Registration Manager signing certificate, racsr.txt; Data Recovery Manager transport certificate, kracsr.txt; Online Certificate Status Manager signing certificate, ocspcsr.txt; SSL server certificate, sslcsr.txt...
  • Page 305 Managing the Certificate Database Click Next to submit your request to the CA. The Certificate Manager returns a request ID for your request. Note the request ID as you can use it later to get the certificate from the Certificate Manager to which you submitted the request.
  • Page 306 Managing the Certificate Database In the form that appears, enter the required information and paste the CSR from either the clipboard or text file. For information on how a form works, click the Help button provided on the form. Be sure to include the marker lines, -----BEGIN NEW CERTIFICATE REQUEST----- -----END NEW CERTIFICATE REQUEST-----...
  • Page 307 Managing the Certificate Database When you receive the certificate from the CA, install it following the instructions in “Using the Wizard to Install a Certificate or Certificate Chain” on page 307. Step 8. Check the Certificate Request Status The wizard now informs you of the status of the request. •...
  • Page 308 Managing the Certificate Database The certificate or certificate chain you provide to the wizard for installation must be in one of the data formats supported by the wizard. This is explained in “Data Formats for Installing Certificates and Certificate Chains” on page 308. Using the wizard to install a certificate or certificate chain involves the following steps, described in detail on page 309: •...
  • Page 309 Managing the Certificate Database Text Formats The wizard can also import certificates and certificate chains in text formats. Here’s what you should be aware of when using the wizard to install a certificate or certificate chain in text format: The text format must begin with the following line: -----BEGIN CERTIFICATE----- Following this line should be the certificate data, which can be in any of the binary formats described in “Binary Formats”...
  • Page 310 Managing the Certificate Database • Online Certificate Status Manager Signing Certificate—choose this option if you want to install a signing certificate for the Online Certificate Status Manager installed in the currently selected CMS instance. • SSL Server Certificate—choose this option if you want to install an SSL server certificate for the CMS managers installed in the currently selected CMS instance.
  • Page 311 Managing the Certificate Database [base-64 encoded certificate data] -----END CERTIFICATE----- • The certificate is at the CMS where your request was sent: if you have previously sent the certificate request to a remote Certificate Manager automatically and have noted the request ID that you received in return, you can use it to retrieve the certificate from the Certificate Manager.
  • Page 312: Consideration When Getting New Certificates For The Subsystems

    Managing the Certificate Database After you install a certificate chain in the trust database of a CMS instance, check the trust status of each certificate that got installed, and make sure that the correct CA certificates are trusted. For instructions, see “Changing the Trust Settings of a CA Certificate”...
  • Page 313 Managing the Certificate Database Before getting a new self-signed certificate for the Certificate Manager, therefore, you must address issues involved in deploying the new root CA certificate across your enterprise. Because each deployment would have very specific requirements, it is beyond the scope of this document to explain how you should deploy the new CA certificate.
  • Page 314: Tokens For Storing Cms Keys And Certificates

    Tokens for Storing CMS Keys and Certificates Tokens for Storing CMS Keys and Certificates A token is a hardware or software device that performs cryptographic functions and optionally stores public-key certificates, cryptographic keys, and data defined by the application using the cryptographic services. Alternatively, a token can also be considered as a device that you can use to generate and store your key pairs and corresponding certificates.
  • Page 315 Tokens for Storing CMS Keys and Certificates http://developer.netscape.com/support/faqs/pkcs_11.html If you haven’t already done so, consider using external tokens for generating and storing the key pairs and certificates used by Certificate Management System. These devices represent another security measure you can take to safeguard private keys because hardware tokens are sometimes considered more secure than software tokens.
  • Page 316 Tokens for Storing CMS Keys and Certificates From the Console menu, choose Manage PKCS#11. The PKCS #11 Management window appears. Click Add. The Add PKCS #11 Module window appears. Enter information as appropriate. If you choose JAR as your file type, you are required to provide the path to the JAR file that contains the DLLs.
  • Page 317: Managing Tokens Used By The Subsystems

    Tokens for Storing CMS Keys and Certificates Managing Tokens Used by the Subsystems There are two main tasks involved in managing the tokens used by Certificate Management System: • Viewing Tokens • Changing a Token’s Password Viewing Tokens To view a list of the tokens currently installed for a CMS instance: Log in to the CMS window (see “Logging Into the CMS Console”...
  • Page 318: Hardware Cryptographic Accelerators

    Hardware Cryptographic Accelerators Hardware Cryptographic Accelerators Certificate Management System allows you to use hardware cryptographic accelerators with external tokens. Many of the accelerators provide the following security features: • Fast SSL connections—speed is important if you want your Certificate Manager, Registration Manager, or Data Recovery Manager to be able to accommodate a high number of simultaneous enrollment or service requests.
  • Page 319: Configuring The Server To Use Separate Ssl Server Certificates

    Configuring the Server’s Security Preferences Configuring the Server to Use Separate SSL Server Certificates You can configure a CMS instance to use separate SSL server certificates for authenticating to Netscape Console, the Agent Services interface, and the end entity services interface. This configuration involves the following steps: •...
  • Page 320: Getting An Ssl Client Certificate For A Subsystem

    Configuring the Server’s Security Preferences To change the certificate used for authenticating to the administration interface, Netscape Console, edit the value assigned to the servercertnickname parameter in the id="admin" section. Save your changes and close the file. Start the server; see “Starting, Stopping, and Restarting CMS Instances” on page 252.
  • Page 321 Configuring the Server’s Security Preferences If you submitted the request to a Certificate Manager and if you have agent privileges for that Certificate Manager, log in to its Agent Services interface, locate the request, and check the request for required extensions. (If you submitted the request to any other CA, you must ask the person managing that CA to make the same changes to the request before approving it.) Make sure that only the...
  • Page 322 Configuring the Server’s Security Preferences Netscape Certificate Management System Administrator’s Guide • June 2003...
  • Page 323: Chapter 8 Authorization

    Chapter 8 Authorization This chapter explains how to set up authorization for access to the administrative, agent services, and end-entity interfaces and contains the following sections: • About Authorization • Setting up Administrators, Agents, and Auditors • Setting Up a Trusted Manager •...
  • Page 324: How Authorization Works

    About Authorization authorization check before allowing an operation to be performed in that area. Access Control Instructions (ACIs) in each of the ACLs are created that specifically allow or deny one or more possible operations for that ACL to specified users, groups, or IP addresses.
  • Page 325 About Authorization Administrators. This group is given full access to all of the tasks available in the administrative interface. Agents. This group is given full access to all of the tasks available in the agent services interface. Note: There is more than one agent group. A separate agent group, with its own name, is created for each subsystem.
  • Page 326 About Authorization Authentication of Auditors Auditors are authenticated into the CMS console by using their login and password. Once authenticated, they can only view the audit logs; they are not able to edit other parts of the system. You can change the method of authentication for an auditor to SSL client authentication.
  • Page 327 About Authorization • Data Recovery Manager Agents group is the agent group for a Data Recovery Manager. No members are added to this group during installation, you must add members after installation. • Online Certificate Status Manager Agents group is the agent group for an Online Certificate Status Manager.
  • Page 328: Setting Up Administrators, Agents, And Auditors

    Setting up Administrators, Agents, and Auditors You can configure a Data Recovery Manager to delegate its end-entity interactions to a trusted Certificate Manager or Registration Manager for security reasons; the Data Recovery Manager trusts the Certificate Manager or Registration Manager and services all key archival and recovery requests initiated by this subsystem.
  • Page 329: Storing A User's Certificate

    Setting up Administrators, Agents, and Auditors Full name. Type the user’s full name. The name can be an alphanumeric string of up to 255 characters. Password. Type a password of up to eight characters for the user. This is the password used to log into the CMS console for this user ID.
  • Page 330: Setting Up Agents Using The Automated Process

    Setting up Administrators, Agents, and Auditors Click inside the text area, and paste the user’s certificate in base-64 encoded form. Be sure to include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines. Click OK. You are returned to the Manage User Certificates window. The certificate you imported should now be listed in this window.
  • Page 331: Setting Up A Trusted Manager

    Setting Up a Trusted Manager In the page that displays, select “Show pending requests” and click Find. In the list of certificate signing requests that displays, select the request the agent submitted. In the request approval form for user enrollment requests, verify the request. If required, adjust some of the parameters such as the subject name and validity period.
  • Page 332 Setting Up a Trusted Manager certificate request, and the request has been approved, the Certificate Manager automatically creates a user ID for the subsystem, adds this user ID to the Trusted Managers group, copies the certificate to the database, and associates the certificate with the subsystem’s user entry.
  • Page 333 Setting Up a Trusted Manager Specify information as appropriate. The information you enter here is to help you keep track of the Registration Manager or Certificate Manager; the subsystem never uses it. The subsystem relies solely on the Registration Manager’s signing certificate or Certificate Manager’s SSL client certificate for authentication.
  • Page 334 Setting Up a Trusted Manager You are returned to the Users tab. Next, you configure the connector settings of the Registration Manager or Certificate Manager. This enables the Registration Manager or Certificate Manager to utilize the agent port to communicate with the subsystem. Note that during the installation of a Certificate Manager, you were prompted to specify the host name and port number of the Data Recovery Manager to which the Certificate Manager will be connected.
  • Page 335: Agent Certificates

    Agent Certificates Agent Certificates All agents must have an agent’s certificate. This certificate is used to sign all requests made by the agent. This section details the procedure for getting agent certificates, and turning on the revocation status checking of agents’ certificates. There is a special form for an administrator to get the first agent certificate from CMS for the Certificate Manager administrator set up during installation to be able to access the agent’s services interface.
  • Page 336 Agent Certificates Fill in the following fields of the Administrator/Agent Certificate Enrollment form: Authentication Information User ID. Type the ID you entered for the CMS administrator during installation. Password. Type the password you specified for the CMS administrator during installation. Subject Name The subject name is the distinguished name (DN) that identifies the certified owner of the certificate.
  • Page 337: Getting An Agent's Certificate From A Public Ca

    Agent Certificates Important After you submit the initial Administrative Enrollment form and the certificate is issued, the form is no longer available from the administration port. If something goes wrong and you are unable to obtain the administrator/agent certificate, you must reset a parameter in the configuration file to make the initial administrative enrollment form available again.
  • Page 338: Getting An Agent's Certificate From Certificate Management System

    Agent Certificates Ask the user to send you the certificate information sent by the public CA. In the information that you receive, locate the user’s certificate in base-64 encoded form. You can also get the user’s certificate from the public CA that issued it. Access the public CA site, search for the user’s certificate, and locate the certificate in base-64 encoded form.
  • Page 339: Revocation Status Checking Of Agent Certificates

    Agent Certificates When the user receives the certificate, the user must import the certificate into the web browser they will use to access the subsystem. It is a good idea to ask the user to inform you that the certificate has been installed. After the user imports the certificate into the web browser, you need to copy the certificate (in base-64 encoded form) in order to be able to add it to a subsystem’s internal database.
  • Page 340 Agent Certificates NOTE The CMS configuration file (CMS.cfg) includes a parameter named jss.ocspcheck.enable, which enables you to specify whether a CMS manager should use Online Certificate Status Protocol (OCSP) to verify the revocation status of the certificate it receives as a part of SSL client or server authentication (from clients or servers it makes connections with).
  • Page 341: Modifying Cms User Entries

    Modifying CMS User Entries revocationChecking.enabled Specifies whether revocation checking is enabled or disabled. To enable the feature, enter true; to disable the feature, enter false. By default, the feature is enabled. revocationChecking.unknownStateInterval The default interval is 0 seconds. revocationChecking. Specifies how long, in seconds, the cached
  • Page 342: Changing A Cms User's Certificate

    Modifying CMS User Entries In the navigation tree, select Users and Groups. The Users tab appears in the right pane. In the User ID list, select the user you want to edit, and click Edit. The Edit User Information dialog opens. Make the appropriate modifications.
  • Page 343: Changing Members In A Group

    Modifying CMS User Entries Changing Members in a Group You can add or remove members from all groups. Keep in mind that the group for administrators must have at least one user entry. To change a group’s members: Log in to the CMS console (see “Logging Into the CMS Console” on page 245). In the navigation tree, select Users and Groups.
  • Page 344: Creating A New Group

    Creating a New Group In the navigation tree, select Users and Groups. The Users tab appears in the right pane. In the User ID list, select the user you want to delete, and click Delete. When prompted, confirm your action. If you click YES, the user entry is deleted from the internal database.
  • Page 345: Authorization For Cms Users

    Authorization for CMS Users Authorization for CMS Users Authorization is the mechanism that checks whether or not a user is allowed to perform a certain operation. Authorization points are defined for certain groups of operations that require an authorization check of the user. Access Control Lists (ACLs) Access Control Lists (ACLs) are the mechanism that specifies the authorization for each of the sets of operations that require authorization.
  • Page 346: How Acis Are Formed

    Authorization for CMS Users How ACIs are Formed You change the access for a user, group, or IP address by editing the ACI entries in the ACLs. You can change who is allowed or denied access by adding a user, group, or IP address to the ACIs in an ACL entry.
  • Page 347 Authorization for CMS Users As you can see, there usually is not a need to include a deny statement. There might, however, be cases where you would need to specify one. For example, say that user JohnB has just been fired. JohnB was a member of the Administrators...
  • Page 348: Editing Acls

    Authorization for CMS Users For example: user="BobC" user!="JaneK" Note: To specify all users, provide the value anybody. For example: user="anybody" IP Address Syntax The syntax for an IP address is: ipaddress="ipaddress" to specify that the IP address specified is to be allowed or...
  • Page 349 Authorization for CMS Users To edit the existing ACLs: Log in to the CMS console (see “Logging Into the CMS Console” on page 245). In the navigation tree, select Access Control List. The Access Control List tab appears in the right pane. Select the ACL and then click Edit.
  • Page 350: Acl Reference

    ACL Reference Specify the user, group, or IP address that will be granted or denied access to the selected operations by providing the correct syntax in the Syntax field. See “Syntax,” on page 347 for details on syntax. Click OK. Click Refresh when you are done.
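    As an added illustration of the ACI syntax described above (example code, not part of the manual or the product): a small Python evaluator that parses ACIs of the form allow (ops) expression / deny (ops) expression, with user=, group=, ipaddress=, != and || terms, and applies them to a principal. The sample ACLs are constructed and modeled on the reference entries; the rule that a matching deny wins over any allow, and that no matching allow means denied, is an assumption this example makes, not something the manual states.

```python
import re
from dataclasses import dataclass

# The printed manual mixes straight and typographic quotes in ACIs; accept both.
_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"'})
_ACI_RE = re.compile(r'^(allow|deny)\s*\(([^)]*)\)\s*(.*)$')
_TERM_RE = re.compile(r'^(user|group|ipaddress)\s*(!=|=)\s*"([^"]*)"$')


@dataclass(frozen=True)
class Principal:
    """The authenticated caller an ACL is evaluated against."""
    user: str
    groups: frozenset = frozenset()
    ipaddress: str = ""


@dataclass(frozen=True)
class Aci:
    effect: str            # "allow" or "deny"
    operations: frozenset  # e.g. {"read", "modify"}
    expression: str        # e.g. 'group="Administrators" || user="anybody"'


def parse_aci(text: str) -> Aci:
    """Parse one ACI line such as: allow (read,update) group="Certificate Manager Agents"."""
    m = _ACI_RE.match(text.translate(_QUOTES).strip())
    if not m:
        raise ValueError(f"not an ACI: {text!r}")
    effect, ops, expr = m.groups()
    operations = frozenset(o.strip() for o in ops.split(",") if o.strip())
    return Aci(effect, operations, expr.strip())


def parse_acl(text: str) -> list:
    """An ACL is simply the list of its ACIs, one per non-empty line."""
    return [parse_aci(line) for line in text.splitlines() if line.strip()]


def _term_matches(term: str, p: Principal) -> bool:
    m = _TERM_RE.match(term.strip())
    if not m:
        raise ValueError(f"bad ACI term: {term!r}")
    attr, op, value = m.groups()
    if attr == "user":
        hit = value == "anybody" or p.user == value   # "anybody" matches every user
    elif attr == "group":
        hit = value in p.groups
    else:
        hit = p.ipaddress == value
    return hit if op == "=" else not hit


def expression_matches(expression: str, p: Principal) -> bool:
    """Terms joined by || : the expression matches if any term does."""
    return any(_term_matches(t, p) for t in expression.split("||"))


def is_allowed(acl, operation: str, p: Principal) -> bool:
    """Assumed precedence: a matching deny always wins; otherwise some allow must match."""
    allowed = False
    for aci in acl:
        if operation not in aci.operations or not expression_matches(aci.expression, p):
            continue
        if aci.effect == "deny":
            return False
        allowed = True
    return allowed


# Constructed sample ACLs, modeled on the reference entries (the allow line for the
# log content ACL is assumed; the manual only shows the deny line and explains it).
LOG_CONTENT_ACL = parse_acl('''
allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents"
deny (read) group="Administrators"|| group=\u201cCertificate Manager Agents\u201d
''')
CA_CERTIFICATES_ACL = parse_acl('allow (revoke,list) group="Certificate Manager Agents"')
ADMIN_CERT_ACL = parse_acl('allow (import) user="anybody"')
# The fired-administrator case: keep the group rule, deny the individual user.
FIRED_ADMIN_ACL = parse_acl('''
allow (read) group="Administrators"
deny (read) user="JohnB"
''')

if __name__ == "__main__":
    auditor = Principal("alice", frozenset({"Auditors"}))
    admin = Principal("bob", frozenset({"Administrators"}))
    print("auditor reads audit log:", is_allowed(LOG_CONTENT_ACL, "read", auditor))  # True
    print("admin reads audit log:  ", is_allowed(LOG_CONTENT_ACL, "read", admin))    # False
    johnb = Principal("JohnB", frozenset({"Administrators"}))
    print("JohnB after deny:       ", is_allowed(FIRED_ADMIN_ACL, "read", johnb))    # False
```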
  • Page 351: Certserver.admin.certificate

    ACL Reference certServer.admin.certificate This entry is associated with the CA administration interface and is ONLY available during the setup configuration of the target of evaluation (TOE), and is unavailable after the CA is up and running. Operations import Importing a Certificate Authority administrator certificate. Default ACIs allow (import) user="anybody"...
  • Page 352: Certserver.ca.certificate

    ACL Reference Operations read Viewing authentication plug-ins, authentication type, configured authentication manager plug-ins, and authentication instances. Listing authentication manager plug-ins and authentication manager instances. modify Adding or deleting authentication plug-ins and authentication instances. Modifying authentication instances. Default ACIs allow (read) group="Administrators" || group="Certificate Manager Agents"...
  • Page 353: Certserver.ca.certificates

    ACL Reference certServer.ca.certificates Allow or deny a revoke or list operation to certificates in the agent services interface. Operations revoke Revoking certificates, or approving certificate revocation requests. list Listing certificates based on a search. Retrieving details about a range of certificates based on providing a range of serial numbers. Default ACIs allow (revoke,list) group="Certificate Manager Agents"...
  • Page 354: Certserver.ca.connector

    ACL Reference allow (modify) group="Administrators" Administrators, auditors, and agents are allowed to read CA configuration; only administrators are allowed to modify CA configuration. certServer.ca.connector Allow or deny a submit operation for a connection to the CA. Operations submit Submitting requests from remote trusted managers. Default ACIs allow (submit) group="Trusted Managers"...
  • Page 355: Certserver.ca.directory

    ACL Reference Operations read Displaying CRLs. update Updating CRLs. Default ACIs allow (read,update) group="Certificate Manager Agents" Certificate Manager agents can read or update CRLs. certServer.ca.directory Allow or deny an update operation to the directory. Operations update Publishing CA certificates and user certificates to the LDAP directory.
  • Page 356: Certserver.ca.profiles

    ACL Reference Operations read Retrieving OCSP usage statistics. Default ACIs allow (read) group="Certificate Manager Agents" Only Certificate Manager Agents can read OCSP usage statistics. certServer.ca.profiles Allow or deny a list operation for certificate profiles in the agent services interface. Operations list Listing certificate profiles.
  • Page 357: Certserver.ca.request.enrollment

    ACL Reference Operations list Retrieving details on a range of requests. Default ACIs allow (list) group="Certificate Manager Agents" Only Certificate Manager Agents can list requests. certServer.ca.request.enrollment Allow or deny a submit, read, execute, assign, or unassign operation for enrollment requests. Operations submit Submitting an enrollment request.
  • Page 358: Certserver.ca.systemstatus

    ACL Reference Operations approve Modifying the approval state of a certificate profile-based certificate request. read Viewing a certificate profile-based certificate request. Default ACIs allow (approve,read) group="Certificate Manager Agents" Only Certificate Manager agents can view or modify the approval state of certificate profile-based requests.
  • Page 359: Certserver.ee.certificates

    ACL Reference Anyone can request a renewal or revocation; anyone can import and read a certificate. certServer.ee.certificates Allow or deny a revoke or list operation in the end-entity interface. Operations revoke Submitting a revocation of a list of certificates. list Searching for certificates matching specified criteria.
  • Page 360: Certserver.ee.profile

    ACL Reference Operations read Retrieving and viewing the certificate revocation list. Adding CRL to the OCSP server. Default ACIs allow (read,add) user="anybody" Anyone can add or read a CRL. certServer.ee.profile Allow or deny a submit or read operation for certificate profiles in the end-entity interface.
  • Page 361: Certserver.ee.request.enrollment

    ACL Reference Operations read Read face to face enrollment page. Default ACIs allow (read) user="anybody" Anyone can read face to face enrollment page. certServer.ee.request.enrollment Allow or deny a submit operation for certificate enrollment in the end-entity interface. Operations submit Submitting a request for a new certificate. Default ACIs allow (submit) user="anybody"...
  • Page 362: Certserver.ee.request.revocation

    ACL Reference Operations submit Submitting OCSP requests. Default ACIs allow (submit) user="anybody" Any client can submit OCSP requests. certServer.ee.request.revocation Allow or deny a submit operation for certificate revocation requests in the end-entity interface. Operations submit Submitting a request to revoke a certificate. Default ACIs allow (submit) user="anybody"...
  • Page 363: Certserver.job.configuration

    ACL Reference Operations read Viewing operating environment, LDAP configuration, SMTP configuration, server statistics, encryption, token names, subject name of certificates, certificate nicknames, all subsystems that have been loaded by the server, get CA certificates, and get all certificates for management. modify Modifying LDAP database configuration, SMTP configuration, and encryption.
  • Page 364: Certserver.kra.certificate.transport

    ACL Reference allow (modify) group="Administrators" Administrators, agents, and auditors are allowed to read job configuration; only administrators are allowed to modify job configuration. certServer.kra.certificate.transport Allow or deny a read operation to display the key transport certificate. Operations read Displaying the Key Transport Certificate. Default ACIs allow (read) user="anybody"...
  • Page 365: Certserver.kra.connector

    ACL Reference certServer.kra.connector Allow or deny a submit operation for requests. Operations submit Submitting requests. Default ACIs allow (submit) group="Trusted Managers" Only Trusted Managers can submit requests. certServer.kra.key Allow or deny a read, recover, or download operation for the Data Recovery Manager. Operations read Displaying a key recovery request.
  • Page 366: Certserver.kra.request

    ACL Reference certServer.kra.request Allow or deny a read operation for a Data Recovery Manager request. Operations read Assigning a request to a Data Recovery Manager Agent. Default ACIs allow (read) group="Data Recovery Manager Agents" Data Recovery Manager Agents can read requests. certServer.kra.requests Allow or deny a list operation for a Data Recovery Manager request.
  • Page 367: Certserver.log.configuration

    ACL Reference Operations read Displaying system statistics for a Data Recovery Manager. Default ACIs allow (read) group="Data Recovery Manager Agents" Only Data Recovery Manager agents can read system status. certServer.log.configuration Allow or deny a read or modify operation to the log configuration. Operations read Viewing log plug-in information, log plug-in configuration, log...
  • Page 368: Certserver.log.configuration.filename

    ACL Reference Operations read Viewing the value of the expirationTime parameter. modify Modifying the value of the expirationTime parameter. Default ACIs allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents"...
  • Page 369: Certserver.log.content

    ACL Reference Operations read Viewing log content. Listing logs. Default ACIs deny (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" Only an auditor is allowed to view the audit log. Note: All other groups need to be specifically denied access to this log since they are given access to all logs in the ACL.
  • Page 370: Certserver.ocsp.cas

    ACL Reference certServer.ocsp.cas Allow or deny a list operation for listing the CAs that publish to an Online Certificate Status Manager responder. Operations list Listing the CAs for which the OCSP responder maintains revocation status information. Default ACIs allow (list) group="Online Certificate Status Manager Agents" Online Certificate Status Manager agents can list Certificate Authorities.
  • Page 371: Certserver.ocsp.crl

    ACL Reference Operations read Viewing OCSP plug-in information, OCSP configuration, OCSP stores configuration. Listing OCSP stores configuration. modify Modifying OCSP configuration, OCSP stores configuration, and default OCSP store. Default ACIs allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents"...
  • Page 372: Certserver.profile.configuration

    ACL Reference Operations read Viewing policy plug-ins and instances. Listing policy plug-ins and instances. modify Adding and deleting policy plug-ins and policy instances. Modifying policy plug-ins and policy instances. Default ACIs allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents"...
  • Page 373: Certserver.publisher.configuration

    ACL Reference Administrators, agents, and auditors are allowed to read certificate profile configuration; only administrators are allowed to modify certificate profile configuration. certServer.publisher.configuration Allow or deny a read or modify operation for the publishing configuration. Operations read View LDAP server destination information, publisher plug-in configuration, publisher instance configuration, mapper plug-in configuration, mapper instance configuration, rules plug-in configuration, and rules instance configuration.
  • Page 374: Certserver.ra.certificate

    ACL Reference Operations read Viewing general RA configuration, connector configuration, notification request completion, notification revocation completion, and notification request in queue. modify Modifying general RA configuration, connector configuration, notification request completion, notification revocation completion, and notification request in queue. Default ACIs allow (read) group="Administrators"...
  • Page 375: Certserver.ra.facetofaceenrollment

    ACL Reference Operations submit Submitting requests from remote Trusted Managers. Default ACIs allow (submit) group="Trusted Managers" Only Trusted Managers can submit requests to this interface. certServer.ra.facetofaceenrollment Allow or deny reading the face to face enrollment page. Operations enable Enabling face to face enrollment. disable Disabling face to face enrollment.
  • Page 376: Certserver.ra.profile

    ACL Reference Operations add Adding groups. Default ACIs allow (add) group="Administrators" Only administrators are allowed to add groups. certServer.ra.profile Allow or deny a read or approve operation to certificate profiles in the agent services interface of a Registration Manager. Operations read Displaying the details of a certificate profile.
  • Page 377: Certserver.ra.request.profile

    ACL Reference Operations submit Submitting an enrollment request for processing. read Viewing the details of an enrollment request. execute Modifying the approval state of an enrollment request. assign Assigning an enrollment request. unassign Unassigning an enrollment request. Default ACIs allow (submit) user="anybody" allow (read,execute,assign,unassign) group="Registration Manager Agents"...
  • Page 378: Certserver.registry.configuration

    ACL Reference Operations list Viewing details on a range of requests. Default ACIs allow (list) group="Registration Manager Agents" Only Registration Manager agents can list requests. certServer.registry.configuration Allow or deny a read or modify operation to the administration registry, the file that is used to register plug-in modules.
  • Page 379: Certserver.usrgrp.administration

    ACL Reference certServer.usrgrp.administration Allow or deny a read or modify operation to the user and group configuration. Operations read Viewing users, groups, and users’ certificates. Finding users and groups. modify Adding, modifying, and deleting groups and users. Adding and modifying a user certificate attribute. Default ACIs allow (read) group="Administrators"...
  • Page 381: Chapter 9 Authentication

    Chapter 9 Authentication This chapter discusses the authentication methods available in Netscape Certificate Management System (CMS) during the enrollment of end entities, and details how to set up those authentication methods. This chapter contains the following sections: • Enrollment Overview •...
  • Page 382 Enrollment Overview • Agent-approved enrollment is the method in which end-entity enrollment requests are sent to an agent for approval. The agent approves the certificate request. • Automatic enrollment is the method in which end-entity enrollment requests are authenticated using a plug-in for that type of authentication, and then the certificate request is processed;...
  • Page 383: How Authentication Works

    Enrollment Overview How Authentication Works An end entity submits a request for enrollment. The form or method used to submit the request identifies the method of authentication and enrollment. If the HTML end-entity interface is used to submit the request, the form used by the end entity to make the request contains hidden values that associate this form, and thus this submission, with an authentication method.
  • Page 384: About Renewal

    Dual-Key Pairs About Renewal When an end entity requests a certificate renewal, the end entity presents its current certificate. The certificate itself is used to authenticate the user. The process for renewal is automatic; if the certificate is presented, a new certificate is issued. There is no agent intervention in this process.
  • Page 385: Agent-Approved Enrollment

    Agent-Approved Enrollment To create dual-key pairs, and the resultant certificates associated with each key, you need to enable this function by changing the JavaScript found in the enrollment page. You can use any method of authentication, chaining it to dual-key pair generation by modifying the JavaScript on that enrollment page.
  • Page 386: Automated Enrollment

    Automated Enrollment • Customize the HTML enrollment forms for your deployment. For policy-based enrollment, you edit the forms directly. For certificate profile-based enrollment, you configure inputs that are used to dynamically create the HTML enrollment form. Automated Enrollment Automated enrollment is the method in which an end-entity enrollment request is processed upon the successful authentication of the end entity as defined by an instance of an authentication plug-in module;...
  • Page 387: Setting Up Directory Based Enrollment

    Automated Enrollment You can create custom plug-in modules for other methods of authentication using the CMS SDK. You must register and enable any custom plug-ins you create. Setting Up Directory Based Enrollment The UidPwdDirAuth and UdnPwdDirAuth plug-in modules implement the directory-based authentication method.
  • Page 388 Automated Enrollment In the CMS window of the Certificate Manager or Registration Manager that processes certificate requests, select the Configuration tab. Select Authentication in the navigation tree. The right pane shows the Authentication Instance tab listing currently configured authentication instances. Click Add.
  • Page 389: Setting Up Nis Based Enrollment

    Automated Enrollment Entering values for this parameter is optional. ldap.ldapconn.host. Specifies the fully-qualified DNS host name of the authentication directory. ldap.ldapconn.port. Specifies the TCP/IP port on which the authentication directory listens to requests from CMS. ldap.ldapconn.secureConn. Specifies the type—SSL or non-SSL—of the port on which the authentication directory listens to requests from CMS.
  • Page 390 Automated Enrollment In the absence of an LDAP directory, subject names of all certificates issued by the server will be of the form CN=<FirstName LastName>,UID=<UserID>, where <FirstName LastName> is a user’s first and last names as specified in the NIS directory, and <UserID> is the user’s NIS ID.
  • Page 391 Automated Enrollment The right pane shows the Authentication Instance tab listing currently configured authentication instances. Click Add. The Select Authentication Plug-in Implementation window appears. Select the NISAuth plug-in. Click Next. The Authentication Instance Editor window appears. Fill in the following fields in the Authentication Instance Editor window: Authentication Instance ID.
  • Page 392 Automated Enrollment ldapByteAttributes. Specifies the list of LDAP byte (binary) attributes that should be considered authentic for the end entity. If specified, the values corresponding to these attributes will be copied from the authentication directory into the authentication token for use by other modules—that is, values retrieved from this parameter can be used by policy modules to make certain policy decisions or to add additional information to users’...
  • Page 393: Setting Up Pin Based Enrollment

    Automated Enrollment Setting Up Pin Based Enrollment Pin based authentication involves setting up pins for each of your users in the LDAP directory, distributing those pins to your users, and then having the users provide their pin along with their user ID and password when they fill out a certificate request.
  • Page 394 Automated Enrollment Creating Pins The pin tool performs the following functions: • Adds the necessary schema for pins to the LDAP directory. • Adds a pin manager user who has read-write permissions to the pins that are set up. • Sets up ACIs to allow for pin removal once the pin has been used, giving read-write permissions for pins to the pin manager, and preventing users from creating or changing pins.
  • Page 395 Automated Enrollment ./setpin host=yourhost port=9446 length=11 input=infile output=outfile write "binddn=cn=pinmanager,o=example.com" bindpw="netscape" basedn=o=netscape.com "filter=(uid=u*)" Use the output file for delivering PINs to users after you complete setting up the required authentication method. After you have confirmed that the PIN-based enrollment works, deliver the PINs to users so they can use them during enrollment.
  • Page 396 Automated Enrollment Fill in the following fields in the Authentication Instance Editor window: Authentication Instance ID. Accept the default instance name, or enter a new name. If you chose to use a different name, be sure to edit this name in the enrollment forms.
  • Page 397 Automated Enrollment ldap.ldapconn.secureConn. Specifies the type—SSL or non-SSL—of the port on which the authentication directory listens to requests from CMS. Select if this is an SSL port, deselect if this is a non-SSL port. ldap.ldapconn.version. Specifies the LDAP protocol version. 2 specifies LDAP version 2.
  • Page 398: Setting Up Portal Enrollment

    Automated Enrollment ldap.basedn. Specifies the base DN for searching the authentication directory—the server uses the value of the field from the HTTP input (what a user enters in the enrollment form) and the base DN to construct an LDAP search filter. ldap.minConns.
  • Page 399 Automated Enrollment Note that the portal authentication module by default uses the standard LDAP object class named inetOrgPerson to create and update user entries. The input fields defined in the default portal enrollment form correspond to the attributes defined in this object class as defined in Netscape Directory Server 4.x. The module is capable of reading and writing these attributes only.
  • Page 400 Automated Enrollment The right pane shows the Authentication Instance tab listing currently configured authentication instances. Click Add. The Select Authentication Plug-in Implementation window appears. Select the PortalEnroll plug-in module. Click Next. The Authentication Instance Editor window appears. Fill in the following fields in the Authentication Instance Editor window: Authentication Instance ID.
  • Page 401 Automated Enrollment ldap.ldapauth.clientCertNickname. Specifies the nickname of the certificate to be used for SSL client authentication to the authentication directory in order to remove PINs. Make sure that the certificate is valid and has been signed by a CA that is trusted in the authentication directory’s certificate database, and that the authentication directory’s certmap.conf file...
  • Page 402: Setting Up Cmc Enrollment

    Automated Enrollment Setting Up CMC Enrollment CMC enrollment allows you to set up your own enrollment client, sign the certificate request with your agent certificate, and then send the signed request to the Certificate Manager. When this method is set up, the Certificate Manager will automatically issue certificates when a valid request signed with the agent certificate is received.
  • Page 403 Automated Enrollment The Select Authentication Plug-in Implementation window appears. Select the CMCAuth plug-in module. Click Next. The Authentication Instance Editor window appears. If you don’t want to use the default instance name, in the Authentication Instance ID field, type a unique name for this instance that will help you identify it.
  • Page 404 Automated Enrollment Enable the End Entity pages for CMC Enrollment You submit signed requests to the Certificate Manager by submitting them directly to the Certificate Manager. You can also submit them using the end-entity interface of the Certificate Manager or a Registration Manager. CMS provides a CMC Enrollment form called .
  • Page 405 Automated Enrollment Go to the following directory: <server_root>/bin/cert/tools Type the following command: CMCEnroll -d<directory_containing_agent_cert> -n<the certificate_common_name> -r<certificate_request_file> -p<certificate_DB_passwd> For example, if the input file created in step 3 is called request34.txt, your agent’s certificate is stored in the directory /netscape/certs, and the certificate common name of your agent’s certificate for this CA is...
  • Page 406: Agent Initiated End User Enrollment

    Agent Initiated End User Enrollment The Registration Manager is enabled for in-person enrollment of end users. The end user goes to the Registration Manager agent, who then processes the enrollment request. The Registration Manager agent authenticates the user through some physical means, such as a passport or driver’s license, and then the agent fills in the enrollment form for the end user and processes the request.
  • Page 407: Certificate-Based Enrollment

    Certificate-Based Enrollment Certificate-Based Enrollment Note: This feature is supported only in legacy enrollment. CMS supports certificate-based enrollment for browser certificates. End users can use preissued certificates to authenticate to the server in order to enroll for certificates. The following are two deployment scenarios that explain the usefulness of certificate-based enrollment: •...
  • Page 408 Certificate-Based Enrollment • Enable the appropriate enrollment option, such as directory-based enrollment or NIS-server based enrollment. Be sure to configure the authentication module to compose the desired DN pattern. • To enable you to configure CMS for certificate-based enrollment, the following three enrollment forms are provided: CertBasedDualEnroll.html—this form enables end users to request dual...
  • Page 409: Issuing And Managing Server Certificates

    Issuing and Managing Server Certificates certauthEnrollType—this variable specifies one of the three certificate-based-enrollment types: dual, single, or encryption. dual specifies that the enrollment request is for dual certificates; single specifies that the enrollment request is for a signing certificate; and encryption specifies that the enrollment request is for an encryption certificate.
  • Page 410: Renewal Of Server Certificates

    Issuing and Managing Server Certificates The certificate profile feature offers an automated server enrollment. Using this certificate profile, an agent makes the request for the SSL server certificate in the certificate profile and is authenticated using their agent certificate. If the agent is authenticated, the SSL server certificate request is automatically processed, and the issued certificate is returned to the agent via an HTML form.
  • Page 411 Issuing and Managing Server Certificates When the wizard generates the certificate signing request for the key size and type you specified, you’re presented with the opportunity to choose how you want to submit the request to the CA. The choices include the following: To CA’s email address.
  • Page 412: Cep Enrollment

    CEP Enrollment Click Submit. CEP Enrollment Note: This feature is supported in legacy enrollment only. CMS can issue certificates to a wide variety of entities, such as web browsers, SSL-enabled servers, routers, virtual private network (VPN) clients, and so on. This section explains how you can configure CMS to issue router and VPN-client certificates.
  • Page 413: Setting Up Automated Cep Enrollment

    CEP Enrollment Setting Up Automated CEP Enrollment You can configure the Certificate Manager to use either the challenge password or the subject name (all or a part of it) as an authentication token during a CEP enrollment, thus enabling users to get router certificates without any action on the part of the Certificate Manager agent.
  • Page 414 CEP Enrollment Specifies the serial number of the router (for example, SERIALNUMBER 239333). This can sometimes be found on a label on the back of the router. It is also available by typing the show version command. This may not be in the request—a user may not want to include this in the subject name of the router certificate, and hence choose not to specify one during enrollment.
  • Page 415 CEP Enrollment In the CMS window of the Certificate Manager or Registration Manager that processes certificate requests, select the Configuration tab. Select Authentication in the navigation tree. The right pane shows the Authentication Instance tab listing currently configured authentication instances. Click Add.
  • Page 416 CEP Enrollment Setting Up Multiple CEP Services This step is optional. By default, the CEP service runs on this URL: /cgi-bin/pkiclient.exe It is possible to set up multiple instances of CEP, each with a different configuration, each listening on a different URL. This is useful if you have different requirements for different types of users.
  • Page 417: Setting Up Publishing Of Cep Certificates And Crls

    CEP Enrollment When setting up multiple CEP services, you can use the cepsubstore attribute to differentiate one CEP service from another. For example, if you’re setting up separate CEP services for router and VPN-client certificates and want to set different extensions in these certificates, you can make that happen with the help of predicates.
  • Page 418 CEP Enrollment Configure the Certificate Manager for Publishing Certificates and CRLs In this step, you configure the Certificate Manager to issue router and VPN-client certificates with CRL Distribution Point Extension and to publish the certificates to a directory. • Create an instance of the mapper plug-in named LdapExactMapper and of the publisher plug-in named...
  • Page 419: Certificate Issuance To Routers Or Vpn Clients

    CEP Enrollment Table 9-1 CEP service-related configuration parameters in the configuration file Parameter Description createEntry Specifies whether to create an entry in the directory before publishing the certificate. Note that to publish a certificate, an entry must already exist for the DN in the directory. •...
  • Page 420 CEP Enrollment In your router documentation, locate the information specific to requesting certificates for routers. Check the signing algorithm, such as RSA or DSA, and key lengths, such as 512 and 1024, supported by the router. Based on that information, determine the signing algorithm and the key length for the certificate you want to request.
  • Page 421: Example

    CEP Enrollment Run the appropriate command. The command will ask you for certain information: The CA’s identity. You specified this in Step 3. Challenge password. If you enter one, write it down; you will be required to specify this password to revoke the certificate. The CEP enrollment URL.
  • Page 422 CEP Enrollment router> enable router% config terminal router(config)#crypto key generate rsa The name for the keys will be: netscape.mcom.com Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
  • Page 423: Testing Your Enrollment Setup

    Testing Your Enrollment Setup Request certificate from CA? [yes/no]: yes % Certificate request sent to Certificate Authority % The certificate request fingerprint will be displayed. % The ’show crypto ca certificate’ command will also show the fingerprint. router(config)# exit router#show crypto ca certificates CA Certificate Status: Available Certificate Serial Number: 1...
  • Page 424: Managing Authentication Plug-Ins

    Managing Authentication Plug-ins Upon receipt of a notification about the certificate issuance, install the certificate in your browser. Verify that the certificate is installed in the browser’s certificate database; for example, in Communicator you can open the Security Info window and verify that the certificate is listed in there.
  • Page 425: Generating Files Required By Third-Party Object Signing Tools

    Generating Files Required By Third-Party Object Signing Tools Log in to the CMS window (see “Logging Into the CMS Console” on page 245). Select the Configuration tab. In the navigation tree, click Authentication, and in the right pane, click the Authentication Plug-in Registration tab.
  • Page 426 Generating Files Required By Third-Party Object Signing Tools Type the following line below it: Enroll.PVKFilename = "<pvk_file_path>" Your changes should look like this: Enroll.GenKeyFlags = 1 ' key exportable Enroll.PVKFilename = "<pvk_file_path>" szCertReq = Enroll.createPKCS10(szName, "1.3.6.1.5.5.7.3.2") Replace <pvk_file_path> with the absolute path, including the filename, to...
  • Page 427 Generating Files Required By Third-Party Object Signing Tools -----END CERTIFICATE----- Create an ASCII file named cert.b64. Copy and paste the base-64 encoded certificate blob, including the marker lines, into the file:
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    Convert the text-based certificate to its DER-encoded format using the ASCII to Binary tool, explained in the CMS Command-Line Tools Guide.
  • Page 428 Generating Files Required By Third-Party Object Signing Tools Netscape Certificate Management System Administrator’s Guide • June 2003...
  • Page 429: Chapter 10 Certificate Profiles

    Chapter 10 Certificate Profiles This chapter describes how to configure certificate profiles. This chapter contains the following sections: • About Certificate Profiles • Setting Up Certificate Profiles • Certificate Profile Reference • Input Reference • Output Reference • Defaults Reference •...
  • Page 430 About Certificate Profiles For example, you could set up a certificate profile for user certificates that defines all aspects of that certificate including the validity period of the issued certificate. You can set a default that defines the default validity period as two years. You would also set up a constraint that the validity period for certificates issued from requests submitted to this certificate profile cannot exceed two years.
  • Page 431: How Certificate Profiles Work

    About Certificate Profiles inputs using the CMS SDK. The inputs provide a certificate request field that can be added to any of the forms so that certificate requests can be pasted into this field, allowing a request to be created outside the input form with any of the request information you need.
  • Page 432: Setting Up Certificate Profiles

    Setting Up Certificate Profiles When a certificate profile is associated with an authentication method, the request is approved immediately and generates a certificate automatically if the user successfully authenticates, all the information required is provided, and the request does not violate any of the constraints set up for the certificate profile. The issued certificate contains the content defined in the defaults for this certificate profile, such as the extensions and validity period for the certificate, and the content of the certificate is constrained by the constraints set up for each default.
  • Page 433: Modifying A Certificate Profile

    Setting Up Certificate Profiles • Create any certificate profiles you will need that are not among the prebuilt certificate profiles. • Modify the existing certificate profiles and any certificate profiles you have created by changing the following: the defaults set up in the certificate profile, the values of the parameters set in the defaults, or the constraints associated with each default, which together set the content of the issued certificate and the values of that content.
  • Page 434 Setting Up Certificate Profiles To create a new certificate profile: Click Add. The Select Certificate Profile Plugin Implementation window appears. Select Certificate Authority Enrollment Profile if this is a Certificate Manager, or Registration Authority Enrollment Profile if this is a Registration Manager. Click Next.
  • Page 435 Setting Up Certificate Profiles Manager that correlates to the certificate profile you set up in the Registration Manager. It is set to false allowing a signed request to be processed through the Certificate Manager’s Certificate Profile framework, rather than through the input page for this certificate profile. Certificate Profile Authentication.
  • Page 436 Setting Up Certificate Profiles End User Certificate Profile. Specifies whether or not the request must be made to the input form associated with this certificate profile. Generally, you will set this to true. If you have set up a Registration Manager, you will set this to false in the certificate profile you set up in the Certificate Manager that correlates to the certificate profile you set up in the Registration Manager.
  • Page 437 Setting Up Certificate Profiles Fill in the following fields: Policy Set Id. Type a name or identifier for this set of policies. When you are issuing dual key pairs, you can use separate sets to define the policies associated with each certificate. Certificate Profile Policy ID.
  • Page 438 Setting Up Certificate Profiles The Policy Rule Editor window contains two tabs, Defaults and Constraints. Defaults define attributes that populate the certificate request that will be used to create the issued certificate. These can be extensions, validity periods, or other fields contained in the certificates. Constraints define valid values for the defaults.
  • Page 439 Setting Up Certificate Profiles To add an input: Click Add. The Certificate Profile Input Editor window appears. Choose the input you want to add from the list and then click OK. See “Input Reference,” on page 443 for complete details of the default inputs. The New Certificate Profile Editor window appears.
  • Page 440: Certificate Profile Reference

    Certificate Profile Reference This output will be listed in the Output tab. You can edit it to provide values for the parameters in this output. To delete an output: Select the output. Click Delete. Delete any certificate profiles you don’t want approved by an agent. Any certificate profile that appears in the Certificate Profile Instance Management tab also appears on the Certificate Profiles page in the agent services interface.
  • Page 441 Certificate Profile Reference • caCACert Configured for enrollments for a CA signing certificate in a Certificate Manager. • caRACert Configured for enrollments for an RA signing certificate in a Certificate Manager. • caOCSPCert Configured for enrollments for an OCSP signing certificate in a Certificate Manager.
  • Page 442 Certificate Profile Reference Configured for enrollments for dual key pairs in a Registration Manager. Two keys will be generated, a signing key and an encryption key, and two certificates will be issued, one for each of those keys. This certificate profile will only work with the Netscape 7 or later browser.
  • Page 443: Input Reference

    Input Reference Configured for enrollments for a transport signing certificate, used by the Data Recovery Manager, in a Registration Manager. When installed in an RA, the value of the End User Certificate Profile field is set to true; when installed in a CA, the value of the End User Certificate Profile field is set to false.
  • Page 444: Dual Key Generation Input

    Input Reference Dual Key Generation Input The Dual Key Generation Input is used for enrollments in which dual key pairs will be generated, and thus two certificates issued, one for the signing certificate and one for the encryption certificate. The generation of dual key pairs using the certificate profile interface is only supported for the Netscape 7 and later browsers.
  • Page 445: Submitter Information Input

    Output Reference Organizational Unit. This field is for entering the organizational unit to which the user belongs. Organization. This field is for entering the organization name. Country. This field is for entering the country to which the user belongs. Submitter Information Input The Submitter Information Input is used to collect the certificate requestor’s information, such as name, email, and phone.
  • Page 446: Defaults Reference

    Defaults Reference Defaults are used to define the contents of a certificate and the values associated with that content. This section lists the prebuilt defaults with complete definitions of each. Authority Info Access Extension Default This default populates the Authority Info Access extension. This extension specifies how an application validating a certificate can access information, such as on-line validation services and CA policy statements, about the CA that has issued the certificate.
  • Page 447 Defaults Reference Table 10-1 Authority Info Access Extension Default Configuration Parameters: LocationType_<n>. Specifies the general-name type for the location that contains additional information about the CA that has issued the certificate in which this extension appears. Select one of the following types from the drop down menu: DirectoryName, DNSName, EDIPartyName, IPAddress, OID, RFC822Name, or URI.
  • Page 448: Authority Key Identifier Extension Default

    Defaults Reference Table 10-1 Authority Info Access Extension Default Configuration Parameters Parameter Description • If you selected URI, the value must be a non-relative universal resource identifier (URI) following the URL syntax and encoding rules. That is, the name must include both a scheme (for example, http) and a fully qualified domain name or IP address of the host.
  • Page 449 Defaults Reference Table 10-2 Basic Constraints Extension Default Configuration Parameters: Critical. Select true to mark this extension critical; select false to mark the extension noncritical. IsCA. Specifies whether the certificate subject is a CA. If you select true, the server checks the PathLen parameter and sets the specified path length in the certificate.
  • Page 450: Crl Distribution Points Extension Default

    Defaults Reference CRL Distribution Points Extension Default This default populates the CRL Distribution points extension in the certificate request. This extension, when present in a certificate, identifies one or more locations from which an application that is validating the certificate can obtain the CRL information (to verify the revocation status of the certificate).
  • Page 451: Extended Key Usage Extension Default

    Defaults Reference Table 10-3 CRL Distribution Points Extension Configuration Parameters (Continued): Reasons_<n>. Specifies revocation reasons covered by the CRL maintained at the distribution point. Provide a comma-separated list of the following constants: • unused • keyCompromise • cACompromise •...
  • Page 452 Defaults Reference For general information about this extension, see “extKeyUsage” on page 761. The extension identifies one or more purposes—in addition to or in place of the basic purposes indicated in the key usage extension—for which the certified public key may be used. For example, if the key usage extension identifies a key to be used for signing, the extended key usage extension can further narrow down the usage of the key for signing OCSP responses only or for signing Java applets only.
  • Page 453: Freshest Crl Extension Default

    Defaults Reference • Extension Constraint, see “Extension Constraint,” on page 473 • No Constraints, see “No Constraint,” on page 475. Table 10-5 Extended Key Usage Extension Default Configuration Parameters: Critical. Select true to mark this extension critical; select false to mark the extension noncritical.
  • Page 454: Key Usage Extension Default

    Defaults Reference Table 10-6 Freshest CRL Extension Default Configuration Parameters: Critical. Select true to mark this extension critical; select false to mark the extension noncritical. PointEnable_<n>. Select true to enable this point; select false to disable this point. Specifies the type of issuing point.
  • Page 455 Defaults Reference For general information about this extension, see “keyUsage” on page 762. You can define the following constraints with this default: • Key Usage Constraint, see “Key Usage Extension Constraint,” on page 473. • Extension Constraint, see “Extension Constraint,” on page 473. •...
  • Page 456: Name Constraints Extension Default

    Defaults Reference Table 10-7 Key Usage Extension Default Configuration Parameters (Continued): decipherOnly. Specifies whether to set the extension if the public key is to be used only for deciphering data. If this bit is set, keyAgreement should also be set. Select true to set, select false to not set. Name Constraints Extension Default This default populates a name constraint extension in the certificate request.
  • Page 457 Defaults Reference Table 10-8 Name Constraints Extension Default Configuration Parameters (Continued): permittedSubtrees max_<n>. Specifies the maximum number of permitted subtrees. • -1 specifies that the field should not be set in the extension. • 0 specifies that the maximum number of subtrees is zero. •...
  • Page 458 Defaults Reference Table 10-8 Name Constraints Extension Default Configuration Parameters (Continued) • If you selected IPAddress, the value must be a valid IP address (IPv4 or IPv6). An IPv4 address must be in n.n.n.n format; an IPv4 address with a netmask must be in n.n.n.n,m.m.m.m format. For example: 128.21.39.40.
  • Page 459 Defaults Reference Table 10-8 Name Constraints Extension Default Configuration Parameters (Continued): ExcludedSubtrees NameValue_<n>. Specifies the general-name value for the excluded subtree you want to include in the extension. • If you selected RFC822Name, the value must be a valid Internet mail address in fully-qualified DNS format.
  • Page 460: Netscape Comment Extension Default

    Defaults Reference Table 10-8 Name Constraints Extension Default Configuration Parameters (Continued): ExcludedSubtree Enable_<n>. Select true to enable this excluded subtree entry, select false to disable this excluded subtree entry. Netscape Comment Extension Default This default populates a Netscape comment extension in the certificate request. The extension can be used to include textual comments in certificates.
  • Page 461 Defaults Reference You can define the following constraints with this default: • Netscape Certificate Type Extension Constraint, see “Netscape Certificate Type Extension Constraint,” on page 475. • Extension Constraint, see “Extension Constraint,” on page 473. • No Constraints, see “No Constraint,” on page 475. Table 10-10 Netscape Certificate Type Extension Default Configuration Parameters Parameter Description...
  • Page 462: No Default Extension

    Defaults Reference No Default Extension This default can be used to set constraints when no defaults are being used. This default has no settings and sets no defaults, but does allow you to set all of the constraints available. OCSP No Check Extension Default This default populates an OCSP No Check extension in the certificate request.
  • Page 463 Defaults Reference • Extension Constraint, see “Extension Constraint,” on page 473. • No Constraints, see “No Constraint,” on page 475. Table 10-12 Policy Constraints Extension Default Configuration Parameters: critical. Select true to mark this extension critical; select false to mark the extension noncritical.
  • Page 464: Policy Mappers Extension Default

    Defaults Reference Policy Mappers Extension Default This default populates a policy mappings extension in the certificate request. The extension lists one or more pairs of OIDs, each pair identifying two policy statements of two CAs. The pairing indicates that the corresponding policies of one CA are equivalent to policies of another CA.
  • Page 465: Signing Algorithm Default

    Defaults Reference Signing Algorithm Default This default populates a signing algorithm in the certificate request. This default presents an agent with the possible algorithms that can be used for signing the certificate in a list that the agent can select from. You can define the following constraints with this default: •...
  • Page 466 Defaults Reference In general, you can configure which attributes should or shouldn’t be stored in the request; for example, you can exclude sensitive attributes such as passwords from getting stored in the request with the help of the parameter named defined in the CMS configuration file.
  • Page 467: Subject Key Identifier Extension Default

    Defaults Reference Table 10-15 Subject Alternative Name Extension Default Configuration Parameters: Type. Specifies the general-name type for the request attribute. • Select RFC822Name if the request-attribute value is an Internet mail address in the local-part@domain format. For example, jdoe@example.com.
  • Page 468: Subject Name Default

    Defaults Reference If enabled, the policy adds a Subject Key Identifier Extension to an enrollment request if the extension does not already exist. If the extension exists in the request, for example from a CRMF request, the default replaces the extension. In case of agent-approved enrollments, after an agent approves the enrollment request, the policy accepts any Subject Key Identifier Extension that is already there.
  • Page 469: User Supplied Extension Default

    Defaults Reference In addition, the directory-based authentication manager formulates the subject name of the issuing certificate (it forms the subject name by using the dnPattern attribute) and places the subject name into an internal data structure called AuthToken. This default is responsible for reading the subject name from the AuthToken and placing it into the certificate request so that the final certificate contains the subject name.
  • Page 470: User Signing Algorithm Default

    Defaults Reference User Signing Algorithm Default This default implements an enrollment default policy that populates a user-supplied signing algorithm into the certificate request. If included in the certificate profile, it allows a user to choose a signing algorithm for the certificate, subject to the constraint set.
  • Page 471: Validity Default

    Constraints Reference Validity Default This default populates a server-side configurable validity into the certificate request. You can define the following constraints with this default: • Validity Constraint, see “Validity Constraint,” on page 477. • No Constraints, see “No Constraint,” on page 475. Table 10-17 Validity Default Configuration Parameters Parameter Description...
  • Page 472: Extended Key Usage Extension Constraint

    Constraints Reference Table 10-18 Basic Constraints Extension Constraint Configuration Parameters (Continued): PathLen. Specifies the maximum allowable path length, the maximum number of CA certificates that may be chained below (subordinate to) the subordinate CA certificate being issued. Note that the path length you specify affects the number of CA certificates to be used during certificate validation.
  • Page 473: Extension Constraint

    Constraints Reference Table 10-19 Extended Key Usage Extension Constraint Configuration Parameters: Critical. Specifies whether the extension can be marked critical or noncritical. Select true to allow the extension to be marked critical, select false to disallow the extension from being marked critical; select “-”...
  • Page 474 Constraints Reference Table 10-21 Key Usage Extension Constraint Configuration Parameters: critical. Select true to allow this extension to be marked critical; select false to keep this extension from being marked critical. Select true to allow this to be set; select false to not allow this to be set; select “-”...
  • Page 475: No Constraint

    Constraints Reference Table 10-21 Key Usage Extension Constraint Configuration Parameters (Continued): encipherOnly. Specifies whether to set the extension if the public key is to be used only for enciphering data. If this bit is set, keyAgreement should also be set. Select true to allow this to be set; select false to not allow this to be set;...
  • Page 476: Signing Algorithm Constraint

    Constraints Reference Table 10-22 Netscape Certificate Type Extension Constraint Configuration Parameters: SSLServer. Specifies that the certificate can be used by servers for authentication during SSL connections. Select true to allow this capability; select false to not allow this capability; select “-”...
  • Page 477: Subject Name Constraint

    Constraints Reference Table 10-23 Signing Algorithms Constraint Configuration Parameters: signingAlgsAllowed. List the signing algorithms that can be specified for use in signing this certificate. Specify any or all of the following: MD2withRSA,MD5withRSA,SHA1withRSA. Subject Name Constraint This constraint implements the subject name constraint. It checks whether the subject name in the certificate request satisfies the criteria.
  • Page 478 Constraints Reference Table 10-25 Validity Constraint Configuration Parameters: range. This parameter is of type integer, and its unit is days.
  • Page 479: Chapter 11 Policies

    Chapter 11 Policies Netscape Certificate Management System (CMS) provides a customizable policy framework for the Certificate Manager, Registration Manager, and Data Recovery Manager. This chapter explains how to configure these subsystems to apply organizational and other policies on incoming certificate and key-related requests. Note: This feature is provided for legacy purposes.
  • Page 480: Introduction To Policy

    Introduction to Policy You can configure the main subsystems of CMS—the Certificate Manager, Registration Manager, and Data Recovery Manager—to apply certain organizational policies on an end-entity’s certificate enrollment and management requests before servicing them. For example, some of the policies you might want a Certificate Manager to impose on these requests may include setting a minimum and maximum limit on validity period and key length of certificates, setting extensions based on the end entity's role within an organization, setting signing...
  • Page 481: Policy Rules

    Introduction to Policy • Screen the request for specific content, and modify, reject, or defer (for agent approval) it accordingly. For example, the request might be checked for the inclusion of organizational constraints, such as key algorithm, key size, validity period, or a particular signing algorithm; if it did not meet the requirement, the subsystem would modify the request or return an error, depending on the severity of the problem.
  • Page 482: Policy Processor

    Introduction to Policy • Revocation policies • Key-archival policies • Key-recovery policies To facilitate this classification, CMS supports a parent interface for a generic policy rule and other operation-specific interfaces that extend the parent interface. Check the CMS SDK. Policy Processor Each subsystem—the Certificate Manager, Registration Manager, or Data Recovery Manager—has its own policy processor.
  • Page 483: Using Predicates In Policy Rules

    Introduction to Policy If the request passes all the policy rules (that is, all policy rules returned a PolicyResult.ACCEPTED value), the request gets serviced—for example, the certificate is issued or renewed. Using Predicates in Policy Rules You can use predicates in a policy rule. A predicate indicates whether the rule that contains the predicate applies to a request.
  • Page 484 Introduction to Policy Policy expressions are formed with the following rules:
    Expression is equal to: PrimitiveExpression | AndExpression | OrExpression
    PrimitiveExpression is equal to: Attribute operator Value, where
      Attribute can be a string
      the operator can be any of these operators:
      Value can be a string
    AndExpression is equal to: Expression AND Expression
    OrExpression is equal to: Expression...
  • Page 485 Introduction to Policy Be aware that if the same name is in an HTTP form input and in the authentication token (authentication result), the authentication result can override the HTTP form input. For example, if email is in an HTTP input and an authentication module also puts email in the authentication result (that is, the authtoken), the value from the...
  • Page 486 Introduction to Policy Table 11-2 Attributes supported by request object implementations (Continued): Request type: Enrollment. Variable name: certType. Description: Specifies the certificate type. Default values include the following: • ca (Certificate Manager’s CA signing certificate) • caCrlSigning (Certificate Manager’s CRL signing certificate) •...
  • Page 487 Introduction to Policy Table 11-2 Attributes supported by request object implementations (Continued): Request type: Enrollment. Variable name: cepsubstore. Description: Specifies the name of the CEP service; for example, cep1 and cep2. When setting up multiple CEP services, you can use predicates to differentiate one service from another;...
  • Page 488 Introduction to Policy Assuming that the new attribute you define for the organizational unit is orgunit the line you would add to the enrollment form would be: <input type="HIDDEN" name="orgunit" value="Sales"> To add this line to an enrollment form, you would: Open the corresponding HTML file in a text editor.
  • Page 489: Configuring Policy Rules For A Subsystem

    Configuring Policy Rules for a Subsystem Assume you named the instance ValidityRule1, set the maximum validity period to 60 days, set the minimum validity period to 10 days, and defined the predicate expression as HTTP_PARAMS.certType==client AND HTTP_PARAMS.orgunit!=Sales. (This expression specifies that the policy be applied to only client certificate requests from users who are not in the organizational unit named Sales.)
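    The ValidityRule1 predicate above, together with the expression grammar sketched under Introduction to Policy, worked through as an added example. This is illustrative Python written for this page, not code from Netscape CMS. It assumes that attributes are addressed as HTTP_PARAMS.<name> (form inputs) and AUTH_TOKEN.<name> (authentication result), that == and != are the comparison operators (the two the chapter's own example uses; the page does not list the full operator set), that AND binds tighter than OR and parentheses may group terms, and that an authentication-result value named the same as a form input overrides it, as the chapter states. The Request class and the sample requests are constructed for this example.

```python
import re

# Token pattern for the predicate language as assumed here: keywords AND/OR,
# the two comparison operators the chapter's example uses, parentheses for
# grouping (an assumption of this example), and bare attribute names / values.
_TOKEN_RE = re.compile(r'\s*(AND\b|OR\b|==|!=|\(|\)|[^\s()=!]+)')


class Request:
    """Constructed stand-in for a CMS enrollment request: form inputs
    (HTTP_PARAMS) plus the authentication result (AUTH_TOKEN)."""

    def __init__(self, http_params, auth_token=None):
        self.http_params = dict(http_params)
        self.auth_token = dict(auth_token or {})

    def attribute(self, name):
        prefix, _, key = name.partition('.')
        if prefix == 'HTTP_PARAMS':
            # Assumption modelled from the chapter: a same-named value in the
            # authentication result overrides the form input, so a user cannot
            # claim an orgunit the directory does not vouch for.
            if key in self.auth_token:
                return self.auth_token[key]
            return self.http_params.get(key)
        if prefix == 'AUTH_TOKEN':
            return self.auth_token.get(key)
        raise ValueError('unknown attribute source in %r' % name)


def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError('bad predicate near %r' % expr[pos:])
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def evaluate(expr, request):
    """Return True if the predicate selects this request. A blank predicate
    applies the rule to every request, as the chapter describes."""
    if not expr.strip():
        return True
    tokens = tokenize(expr)
    value, pos = _parse_or(tokens, 0, request)
    if pos != len(tokens):
        raise ValueError('unexpected token %r' % tokens[pos])
    return value


def _parse_or(tokens, pos, req):
    value, pos = _parse_and(tokens, pos, req)
    while pos < len(tokens) and tokens[pos] == 'OR':
        rhs, pos = _parse_and(tokens, pos + 1, req)
        value = value or rhs
    return value, pos


def _parse_and(tokens, pos, req):
    value, pos = _parse_primitive(tokens, pos, req)
    while pos < len(tokens) and tokens[pos] == 'AND':
        rhs, pos = _parse_primitive(tokens, pos + 1, req)
        value = value and rhs
    return value, pos


def _parse_primitive(tokens, pos, req):
    # Either a parenthesised sub-expression or "Attribute op Value".
    if tokens[pos] == '(':
        value, pos = _parse_or(tokens, pos + 1, req)
        if pos >= len(tokens) or tokens[pos] != ')':
            raise ValueError("missing ')'")
        return value, pos + 1
    if pos + 2 >= len(tokens) or tokens[pos + 1] not in ('==', '!='):
        raise ValueError('expected Attribute == Value near %r' % tokens[pos:pos + 3])
    attr, op, value = tokens[pos], tokens[pos + 1], tokens[pos + 2]
    actual = req.attribute(attr)
    # An attribute absent from the request never equals anything.
    matched = actual is not None and actual == value
    return (matched if op == '==' else not matched), pos + 3


# The chapter's example: ValidityRule1 applies only to client certificate
# requests from users outside the Sales organizational unit.
VALIDITY_RULE1_PREDICATE = 'HTTP_PARAMS.certType==client AND HTTP_PARAMS.orgunit!=Sales'


def demo():
    requests = [  # constructed sample requests
        Request({'certType': 'client', 'orgunit': 'Engineering'}),
        Request({'certType': 'client', 'orgunit': 'Sales'}),
        Request({'certType': 'server', 'orgunit': 'Engineering'}),
        # Form input claims Engineering, but the authentication result says
        # Sales; the authentication result wins, so the rule does not apply.
        Request({'certType': 'client', 'orgunit': 'Engineering'},
                auth_token={'orgunit': 'Sales'}),
    ]
    return [evaluate(VALIDITY_RULE1_PREDICATE, r) for r in requests]


if __name__ == '__main__':
    print(demo())  # [True, False, False, False]
```

    The last sample request is the case the chapter warns about: a predicate written against HTTP_PARAMS.orgunit is only as trustworthy as the form input unless the authentication module supplies the same attribute, which is why the lookup prefers the authentication result.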
  • Page 490: Deleting Policy Rules

    Configuring Policy Rules for a Subsystem In the Policy Rule list, select a rule that you want to modify. For the purposes of this instruction, assume that you selected the rule named DefaultValidityRule. Click Edit/View. The Policy Rule Editor window appears, showing how this rule is configured. Make the necessary changes and click OK.
  • Page 491: Reordering Policy Rules

    Configuring Policy Rules for a Subsystem When you add a policy rule, the CMS configuration gets updated with policy-specific information. Keep the following points in mind: • When naming a policy instance (or rule), be sure to formulate the name using any combination of letters (a to z, A to Z), digits (0 to 9), an underscore (_), and a hyphen (-);...
  • Page 492: Testing Policy Configuration

    Configuring Policy Rules for a Subsystem on request attributes to prevent conflicting changes. By ordering the rules, you introduce a concurrency control whereby a higher-priority rule configuration overwrites any changes made by a lower-priority rule configuration that precedes it. You may want to specify policies at different priority levels for the same operation depending on the end-entity information.
  • Page 493: Using Javascript For Policies

    Using JavaScript for Policies CMS includes a facility for complex scripting of the policy plug-in instances via JavaScript. Using the JavaScript policy processor allows you to: • Determine the call sequence of existing Java plug-ins •...
  • Page 494 Constraints-Specific Policy Module Reference If the attribute named in the attribute parameter is present in the request, the policy accepts the request. If the attribute named in the attribute parameter is not present in the request, the policy rejects the request. •...
  • Page 495 Constraints-Specific Policy Module Reference Table 11-3 AttributePresentConstraints Configuration Parameters (Continued): ldap.ldapconn.version. Specifies the LDAP protocol version: • 2 specifies LDAP version 2. If your directory is based on Netscape Directory Server 1.x, choose 2. • 3 specifies LDAP version 3. For Directory Server versions 3.x and later, choose 3 (default).
  • Page 496: Dsakeyconstraints

    Constraints-Specific Policy Module Reference Table 11-3 AttributePresentConstraints Configuration Parameters (Continued): ldap.ldapconn.maxConns. Specifies the maximum number of connections permitted to the LDAP directory; when needed, the connection pool can grow to this many (multiplexed) connections. Permissible values: 3 to 10; the default value is 5. attribute. Specifies the LDAP attribute, the presence of which is to be checked in the certificate-enrollment request.
  • Page 497: Issuerconstraints

    Constraints-Specific Policy Module Reference Table 11-4 DSAKeyConstraints Configuration Parameters (Continued): minSize. Specifies the minimum length, in bits, for the key (the length of the modulus in bits). The value must be smaller than or equal to the one specified by the maxSize parameter.
  • Page 498: Keyalgorithmconstraints

    Constraints-Specific Policy Module Reference Table 11-5 IssuerConstraints Configuration Parameters: enable. Specifies whether the rule is enabled or disabled. Select to enable (default), deselect to disable. predicate. Specifies the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank (default).
  • Page 499: Renewalconstraints

    Constraints-Specific Policy Module Reference Table 11-6 KeyAlgorithmConstraints Configuration Parameters (Continued): algorithms. Specifies the key type the server should certify. The default is RSA. Permissible values: RSA or DSA. RenewalConstraints The RenewalConstraints plug-in module imposes constraints on renewal of expired certificates—it allows or restricts the server from renewing expired certificates.
  • Page 500: Revocationconstraints

    Constraints-Specific Policy Module Reference The renewal validity constraints policy enables you to enforce certain restrictions on certificate-renewal requests, when end entities attempt to renew their certificates. During installation, CMS automatically creates an instance of the renewal validity constraints policy, named DefaultRenewalValidityRule, that is enabled by default.
  • Page 501: Rsakeyconstraints

    Constraints-Specific Policy Module Reference Table 11-9 RevocationConstraints Configuration Parameters (Continued): predicate. Specifies the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank (default). To form a predicate expression, see “Using Predicates in Policy Rules”...
  • Page 502: Signingalgorithmconstraints

    Constraints-Specific Policy Module Reference Table 11-10 RSAKeyConstraints Configuration Parameters (Continued): minSize. Specifies the minimum length, in bits, for the key (the length of the modulus in bits). The value must be smaller than or equal to the one specified by the maxSize parameter.
  • Page 503: Subcanameconstraints

    Constraints-Specific Policy Module Reference Table 11-11 describes the configuration parameters of the SigningAlgorithmConstraints policy. Table 11-11 SigningAlgorithmConstraints Configuration Parameters: enable. Specifies whether the rule is enabled or disabled. Select to enable (default), deselect to disable. predicate. Specifies the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank (default).
  • Page 504: Uniquesubjectnameconstraints

    Constraints-Specific Policy Module Reference During installation, CMS automatically creates an instance of the subordinate CA name constraints policy, named SubCANameConstraints, that is enabled by default. Table 11-12 describes the configuration parameters of the SubCANameConstraints policy. Table 11-12 SubCANameConstraints Configuration Parameters: Specifies whether the rule is enabled or disabled.
  • Page 505 Constraints-Specific Policy Module Reference Table 11-13 describes the configuration parameters of the UniqueSubjectNameConstraints policy. Table 11-13 UniqueSubjectNameConstraints Configuration Parameters: enable. Specifies whether the rule is enabled or disabled. Select to enable, deselect to disable (default). predicate. Specifies the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank (default).
  • Page 506: ValidityConstraints

    The ValidityConstraints plug-in module enforces minimum and maximum validity periods for certificates and changes them if the policy is not met. Specifically, the policy imposes constraints on the following: • The duration of a certificate’s validity period (based on supported minimum and maximum validity periods).
  • Page 507 During installation, CMS automatically creates an instance of the validity constraints policy, named DefaultValidityRule, that is enabled by default. Table 11-14 describes the configuration parameters of the ValidityConstraints policy. Table 11-14 ValidityConstraints Configuration Parameters. Specifies whether the rule is enabled or disabled.
  • Page 508: Extension-Specific Policy Module Reference

    Extension-Specific Policy Module Reference. To enable you to add standard and private extensions to end-entity certificates, CMS provides a set of policy plug-in modules; each module enables you to add a particular extension to a certificate request. When deciding whether to add any of the X.509 v3 certificate extensions, keep in mind that not all applications support X.509 v3 extensions.
  • Page 509 Note that if you installed the Certificate Manager with its built-in OCSP service enabled, the policy rule will be enabled and the address location (ad0_location) will be pointed to the Certificate Manager’s non-SSL end-entity port. For example, if the non-SSL end-entity port of your Certificate Manager is 80, the URL would look like this: http://ocspResponder.example.com:80/ocsp...
  • Page 510 Table 11-15 AuthInfoAccessExt Configuration Parameters (Continued). Permissible values: • ocsp (or 1.3.6.1.5.5.7.48.1). • caIssuers (or 1.3.6.1.5.5.7.48.2). • renewal (or 2.16.840.1.113730.16.1). ad<n>_location_type: Specifies the general-name type for the location that contains additional information about the CA that has issued the certificate in which this extension appears. Select one type from the following: •...
  • Page 511: AuthorityKeyIdentifierExt

    Table 11-15 AuthInfoAccessExt Configuration Parameters (Continued). • If you selected URL, the value must be a non-relative universal resource identifier (URI) following the URL syntax and encoding rules. That is, the name must include both a scheme (for example, http) and a fully qualified domain name or IP address of the host.
  • Page 512: BasicConstraintsExt

    During installation, CMS automatically creates an instance of the authority key identifier extension policy, named AuthorityKeyIdentifierExt, that is enabled by default. Table 11-16 AuthorityKeyIdentifierExt Configuration Parameters. enable: Specifies whether the rule is enabled or disabled. Select to enable, deselect to disable. Specifies the predicate expression for this rule.
  • Page 513 Table 11-17 BasicConstraintsExt Configuration Parameters (Continued). predicate: Specifies the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank (default). To form a predicate expression, see “Using Predicates in Policy Rules”...
  • Page 514: CertificatePoliciesExt

    The CertificatePoliciesExt plug-in module enables you to add the Certificate Policies Extension to certificates. The extension contains a sequence of one or more policy statements, each indicating the policy under which the certificate has been issued and identifying the purposes for which the certificate may be used. Presence of this extension in certificates enables an application with specific policy requirements to compare its list of policies to the ones contained in a certificate during its validation;...
  • Page 515: CertificateRenewalWindowExt

    Table 11-18 CertificatePoliciesExt Configuration Parameters (Continued). Example: 2.16.840.1.113730.1.99. organizationName: Specifies the name of the organization that owns the OID or is the owner of the policy statement referenced by the OID. Example: Example Corporation. cpsURI: Specifies the location where the Certification Practice Statement published by the CA (that has issued the certificate) can be found.
  • Page 516 Because the renewal process requires end users to remember when their certificates expire and renew them before the expiry date, some clients provide built-in support for automated renewal. Inclusion of the certificate renewal window extension in certificates is useful in a PKI setup with such clients. Unlike some of the other policy modules, CMS does not create an instance of the certificate renewal window extension policy during installation.
  • Page 517: CertificateScopeOfUseExt

    Table 11-19 CertificateRenewalWindowExt Configuration Parameters (Continued). relativeEndTime: Specifies the last opportunity for automatic renewal of the certificate that contains this extension. Specifying a value for this parameter is optional; if you leave the field blank, the certificate-using application is expected to use the expiration date (notAfter value) in the certificate.
  • Page 518 The SSL protocol provides a way for a client application to authenticate itself to a web site or server. SSL client authentication occurs upon request of the server, and proceeds by providing a certificate and a signature to the server. The client may have more than one certificate that could be used to perform this authentication.
  • Page 519 Table 11-20 CertificateScopeOfUseExt Configuration Parameters (Continued). numEntries: Specifies the total number of sites to be contained or allowed in the extension. This can be set to 0, specifying that no sites can be contained in the extension, or to n, which specifies the total number of sites to be included in the extension;...
  • Page 520: CRLDistributionPointsExt

    Table 11-20 CertificateScopeOfUseExt Configuration Parameters (Continued). • If you selected ediPartyName, the value must be an IA5String. For example, Example Corporation. • If you selected URL, the value must be a non-relative URI, including both a scheme (for example, http) and a fully qualified domain name or IP address of the host.
  • Page 521 For general information about this extension, see “CRLDistributionPoints” on page 760. During installation, CMS automatically creates an instance of the CRL distribution points extension policy, named CRLDistributionPointsExt, that is disabled by default. Table 11-21 CRLDistributionPointsExt Configuration Parameters. Specifies whether the rule is enabled or disabled.
  • Page 522: ExtendedKeyUsageExt

    Table 11-21 CRLDistributionPointsExt Configuration Parameters (Continued). • Select URI if the value in the pointName field is a uniform resource indicator. • Select RelativeToIssuer if the value in the pointName field is a location relative to the CRL Issuer.
  • Page 523 ...usage extension identifies a key to be used for signing, the extended key usage extension can further narrow down the usage of the key for signing OCSP responses only or for signing Java applets only. (For information on key usage extension, see “KeyUsageExt”...
  • Page 524 Note that the OCSPSigningExt policy rule must remain enabled if your PKI setup includes a CA-delegated OCSP responder and you want to issue an OCSP responder certificate to that server; the rule adds the extended key usage extension to an OCSP responder certificate indicating that the associated key can be used for signing OCSP responses.
  • Page 525: GenericASN1Ext

    The GenericASN1Ext plug-in module enables you to add custom extensions to certificates. Using this policy, you can add as many ASN.1 type-based extensions as required without having to write any code. Further, it eliminates the dependency on the command-line tools for generating base-64 encoded standard extensions from the X.509 extension classes.
  • Page 526 ...application validating the certificate must be able to interpret the extension, or else it must reject the certificate. Since it is unlikely that all applications will be able to interpret your custom extensions, you should consider marking these extensions noncritical.
  • Page 527 Table 11-24 GenericASN1Ext Configuration Parameters. enable: Specifies whether the rule is enabled or disabled. Select to enable, deselect to disable. predicate: n specifies the total number of key-usage purposes to be included in the extension; it must be an integer greater than zero.
  • Page 528 Table 11-24 GenericASN1Ext Configuration Parameters (Continued). attribute.<n>.type: Specifies the data type for attribute n, where n is an identifier assigned to identify parameters pertaining to a specific attribute. The value of n can be 0 to 9. Permissible values: Integer, IA5String, OctetString, PrintableString, UTCtime, OID, or Boolean.
  • Page 529: IssuerAltNameExt

    Table 11-24 GenericASN1Ext Configuration Parameters (Continued). attribute.<n>.value: Specifies the data value for attribute n, where n is an identifier assigned to identify parameters pertaining to a specific attribute. The value of n can be 0 to 9. Permissible values: Depends on the data type and source you selected.
  • Page 530 Unlike some of the other policy modules, CMS does not create an instance of the issuer alternative name extension policy during installation. If you want the server to add this extension to certificates, you must create an instance of the module and configure it.
  • Page 531 Table 11-25 IssuerAltNameExt Configuration Parameters (Continued). Permissible values: rfc822Name, directoryName, dNSName, ediPartyName, URL, iPAddress, OID, or otherName. • Select rfc822Name if the alternative name is an Internet mail address (default). • Select directoryName if the alternative name is an X.500 directory name.
  • Page 532 Table 11-25 IssuerAltNameExt Configuration Parameters (Continued). • If you selected ediPartyName, the value must be an IA5String. For example, Example Corporation. • If you selected URL, the value must be a non-relative universal resource identifier (URI) following the URL syntax and encoding rules specified in RFC 1738.
  • Page 533: KeyUsageExt

    The KeyUsageExt plug-in module enables you to add the Key Usage Extension to certificates. The extension specifies the purposes for which the key contained in a certificate should be used—for example, it specifies whether the key should be used for data signing, key encipherment, or data encipherment—and thus enables you to restrict the usage of a key pair to predetermined purposes.
  • Page 534 • On the client side, bits set in the key usage extension are formed from pre-defined HTTP input variables that can be embedded as hidden values in the enrollment forms. You specify which bits are to be set by adding the appropriate HTTP variables to the enrollment forms.
  • Page 535 During installation, CMS automatically creates multiple instances of the key usage extension policy suitable for various types of certificates that you may want the server to issue. The default instances are named as follows: • CMCertKeyUsageExt: This rule is for setting the appropriate key-usage bits in Certificate Manager CA signing certificates and is enabled by default.
  • Page 536 The value of an HTTP input variable corresponding to a key-usage bit must be either true or false; any other value is considered equivalent to false. For example, a tree value would be interpreted as false by the server. Note that values...
  • Page 537 Table 11-28 KeyUsageExt Configuration Parameters (Continued). keyEncipherment: Specifies whether to set the keyEncipherment bit (or bit 2) of the key usage extension in certificates specified by the predicate parameter. Permissible values: true, false, or HTTP_INPUT. •...
  • Page 538 Table 11-28 KeyUsageExt Configuration Parameters (Continued). keyCertsign: Specifies whether to set the keyCertSign bit (or bit 5) of the key usage extension in certificates specified by the predicate parameter. Permissible values: true, false, or HTTP_INPUT. •...
  • Page 539: NameConstraintsExt

    Table 11-28 KeyUsageExt Configuration Parameters (Continued). decipherOnly: Specifies whether to set the decipherOnly bit (or bit 8) of the key usage extension in certificates specified by the predicate parameter. Permissible values: true, false, or HTTP_INPUT. •...
  • Page 540 Table 11-29 NameConstraintsExt Configuration Parameters (Continued). numPermittedSubtrees: Specifies the total number of subtrees to be permitted in the extension. Note that each permitted subtree has a set of configuration parameters and you must specify appropriate values for each of these parameters; otherwise the policy rule will return an error.
  • Page 541 Table 11-29 NameConstraintsExt Configuration Parameters (Continued). permittedSubtrees<n>.base.generalNameChoice: Specifies the general-name type for the permitted subtree you want to include in the extension. Permissible values: rfc822Name, directoryName, dNSName, ediPartyName, URI, iPAddress, registeredID, or otherName. •...
  • Page 542 Table 11-29 NameConstraintsExt Configuration Parameters (Continued). • If you selected dNSName, the value must be a valid domain name in the preferred-name syntax as specified by RFC 1034 (http://www.ietf.org/rfc/rfc1034.txt). You may use upper and lower case letters in the domain name; no significance is attached to the case.
  • Page 543 Table 11-29 NameConstraintsExt Configuration Parameters (Continued). permittedSubtrees<n>.: Specifies the minimum number of permitted subtrees. Permissible values: -1, 0, or n. • -1 specifies that the field should not be set in the extension. • 0 specifies that the minimum number of subtrees is zero (default). •...
  • Page 544 Table 11-29 NameConstraintsExt Configuration Parameters (Continued). Permissible values: Depends on the general-name type you selected in the excludedSubtrees<n>.base.generalNameChoice field. • If you selected rfc822Name, the value must be a valid Internet mail address in the local-part@domain format; see the definition of an rfc822Name as defined in RFC 822 (http://www.ietf.org/rfc/rfc0822.txt).
  • Page 545 Table 11-29 NameConstraintsExt Configuration Parameters (Continued). • If you selected iPAddress, the value must be a valid IP address (IPv4 or IPv6) specified in the dot-separated numeric component notation. The syntax for specifying the IP address is as follows: For IP version 4 (IPv4), the address should be in the form specified in RFC 791 (http://www.ietf.org/rfc/rfc0791.txt).
  • Page 546: NSCCommentExt

    The NSCCommentExt plug-in module enables you to add the Netscape Certificate Comment Extension to certificates. The extension can be used to include textual comments in certificates. Applications that are capable of interpreting the comment may display it to a relying party when the certificate is used or viewed. For general information about this extension, see “netscape-comment”...
  • Page 547: NSCertTypeExt

    Table 11-30 NSCCommentExt Configuration Parameters (Continued). displayText: Specifies the textual statement that should be included in certificates. If you want to embed a textual statement (for example, your company’s legal notice) in certificates, then add that statement here. The text you enter here will be displayed to a relying party when the certificate is used or viewed.
  • Page 548 Table 11-31 Netscape certificate type extension bits and designated purposes (Continued). SSL Server: Specifies that the certificate can be used by servers for authentication during SSL connections. S/MIME: Specifies that the certificate can be used to send secure email messages.
  • Page 549 Table 11-32 HTTP input variables for Netscape certificate type extension bits (HTTP input variable: Netscape certificate type extension bit). ssl_client: SSL Client (bit 0). ssl_server: SSL Server (bit 1). email: S/MIME (bit 2). object_signing: Object Signing (bit 3). Reserved for future use (bit 4). SSL CA (bit 5)...
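The key-usage and Netscape certificate type pages above describe the same mechanism: a rule parameter set to true, false or HTTP_INPUT, and an HTTP input variable whose value counts as true only when it is literally true (the page's tree example is treated as false). The following added example, which is not code from the manual or from CMS, resolves such a rule against a request's form variables and DER-encodes the resulting BIT STRING so the bytes can be checked against an issued certificate; the mapping of each parameter to an HTTP variable of the same name, and the standard key usage bit numbers not shown on the page, are assumptions.

```python
# Key usage bit numbers follow RFC 5280; the page shows keyEncipherment = 2,
# keyCertsign = 5 and decipherOnly = 8, and the rest follow the same order.
# Parameter names are spelled as on the page (keyCertsign, lowercase s).
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertsign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}

# Table 11-32: HTTP input variable -> Netscape certificate type bit.
# Bit 4 is reserved and the variable for SSL CA (bit 5) is cut off on the
# page, so only the four variables the page shows are listed here.
NS_CERT_TYPE_BITS = {
    "ssl_client": 0, "ssl_server": 1, "email": 2, "object_signing": 3,
}


def http_flag(value):
    """Interpret an HTTP input variable the way the page says the server does:
    only the literal string "true" sets a bit; "tree", "yes", "" and a missing
    variable are all treated as false."""
    return value == "true"


def resolve_bits(rule, bit_map, http_params, var_names=None):
    """Decide which bits a policy rule sets for one enrollment request.

    rule:        {parameter: "true" | "false" | "HTTP_INPUT"} as in Table 11-28
    bit_map:     parameter name -> bit number
    http_params: the request's form variables (hidden inputs included)
    var_names:   parameter -> HTTP variable name; defaults to the parameter
                 name itself, which is an assumption of this example
    """
    var_names = var_names or {}
    bits = set()
    for name, bit in bit_map.items():
        setting = rule.get(name, "false")
        if setting == "true":
            bits.add(bit)
        elif setting == "HTTP_INPUT":
            if http_flag(http_params.get(var_names.get(name, name))):
                bits.add(bit)
        elif setting != "false":
            raise ValueError("%s: %r is not true, false or HTTP_INPUT" % (name, setting))
    return bits


def encode_bit_string(bits):
    """DER-encode a BIT STRING in which the given bit numbers are set.

    Bit 0 is the most significant bit of the first content byte. DER requires
    trailing zero bits to be dropped and their count stored in the first
    content byte, so the same bit set always yields the same bytes.
    """
    if not bits:
        return bytes([0x03, 0x01, 0x00])
    highest = max(bits)
    content = bytearray(highest // 8 + 1)
    for b in bits:
        content[b // 8] |= 0x80 >> (b % 8)
    unused = 7 - (highest % 8)
    return bytes([0x03, len(content) + 1, unused]) + bytes(content)


def decode_bit_string(der, bit_map):
    """Inverse of encode_bit_string: return the names of the bits that are set
    (bits without a name in bit_map are ignored). Short-form length only."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed short-form BIT STRING")
    unused, content = der[2], der[3:]
    if not 0 <= unused <= 7 or (not content and unused):
        raise ValueError("bad unused-bits count")
    names = {bit: name for name, bit in bit_map.items()}
    total = len(content) * 8 - unused
    return {names[i] for i in range(total)
            if i in names and content[i // 8] & (0x80 >> (i % 8))}


if __name__ == "__main__":
    # Constructed rule and form values, not a CMS default configuration.
    rule = {"digitalSignature": "HTTP_INPUT", "keyEncipherment": "HTTP_INPUT",
            "decipherOnly": "HTTP_INPUT"}
    form = {"digitalSignature": "true", "keyEncipherment": "tree",
            "decipherOnly": "true"}
    bits = resolve_bits(rule, KEY_USAGE_BITS, form)
    der = encode_bit_string(bits)
    print(sorted(bits), der.hex(), decode_bit_string(der, KEY_USAGE_BITS))
```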
  • Page 550: OCSPNoCheckExt

    Table 11-33 NSCertTypeExt Configuration Parameters. enable: Specifies whether the rule is enabled or disabled. Select to enable, deselect to disable (default). predicate: Specifies the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank (default).
  • Page 551: PolicyConstraintsExt

    Table 11-34 OCSPNoCheckExt Configuration Parameters (Continued). critical: Select to mark critical, deselect to mark noncritical (default). The PolicyConstraintsExt plug-in module enables you to add the Policy Constraints Extension to certificates. The extension, which can be used in CA certificates only, constrains path validation in two ways—either to prohibit policy mapping or to require that each certificate in a path contain an acceptable policy identifier.
  • Page 552: PolicyMappingsExt

    Table 11-35 PolicyConstraintsExt Configuration Parameters (Continued). reqExplicitPolicy: Specifies the total number of certificates permitted in the path before an explicit policy is required—that is, the number of CA certificates that can be chained below (subordinate to) the subordinate CA certificate being issued before an acceptable policy is required.
  • Page 553 ...extension may be useful in the context of cross-certification. If supported, the extension is to be included in CA certificates only. The policy allows you to map policy statements of one CA to that of another by pairing the OIDs assigned to their policy statements. Each pair is defined by two parameters, issuerDomainPolicy...
  • Page 554: PrivateKeyUsagePeriodExt

    Table 11-36 PolicyMappingsExt Configuration Parameters (Continued). policyMap<n>.issuerDomainPolicy: Specifies the OID assigned to the policy statement<n> of the issuing CA that you want to map with the policy statement of another CA. Permissible values: Any valid OID specified in dot-separated numeric component notation (see the example).
  • Page 555: RemoveBasicConstraintsExt

    Table 11-37 PrivateKeyUsagePeriodExt Configuration Parameters (Continued). notBefore: Specifies the date on which the validity period for the private key associated with the certificate begins. Permissible values: A valid date specified in the MM/DD/YYYY format. Example: 03/30/2002. notAfter: Specifies the date on which the validity period for the private key associated with the...
  • Page 556 The standard suggests that if the certificate subject field contains an empty sequence, then the subject alternative name extension must contain the subject’s alternative name and that the extension be marked critical. If you’re using any of the directory-based authentication methods, you can configure CMS to retrieve values for any string and byte attributes from the directory and set them in the certificate request during authentication—you specify these attributes by entering them in the...
  • Page 557 Table 11-39 SubjectAltNameExt Configuration Parameters (Continued). numGeneralNames: Specifies the total number of alternative names or identities permitted in the extension. Note that each name has a set of configuration parameters—generalName<n>.requestAttr and generalName<n>.generalNameChoice—and you must specify appropriate values for each of those parameters;...
  • Page 558 Table 11-39 SubjectAltNameExt Configuration Parameters (Continued). • Select dNSName if the request-attribute value is a DNS name. For example, corpDirectory.example.com. • Select ediPartyName if the request-attribute value is an EDI party name. For example, Example Corporation. •...
  • Page 559: SubjectDirectoryAttributesExt

    If you enable the default policy rule, the server automatically checks the certificate request for the attributes AUTH_TOKEN.mail, AUTH_TOKEN.mailalternateaddress, and HTTP_PARAMS.csrRequestorEmail. If the server finds any of the attributes, it sets the attribute value in the extension and then adds the extension to certificates specified by the predicate parameter.
  • Page 560: SubjectKeyIdentifierExt

    Table 11-40 SubjectDirectoryAttributesExt Configuration Parameters (Continued). critical: Specifies whether the extension should be marked critical or noncritical. Select to mark critical, deselect to mark noncritical (default). numAttributes: Specifies the total number of directory attributes to be contained or allowed in the extension.
  • Page 561: Managing Policy Plug-In Modules

    Managing Policy Plug-in Modules. For general information about this extension, see “authorityKeyIdentifier” on page 771. You can also customize the method for deriving the Key Identifier using the CMS SDK by subclassing the policy and overriding the following method: formKeyIdentifier(X509CertInfo certInfo, IRequest req). If enabled, the policy adds a Subject Key Identifier Extension to an enrollment request if the extension does not already exist.
  • Page 562: Registering A Policy Module

    • Registering a Policy Module • Deleting a Policy Module. Registering a Policy Module: You can register new policy plug-in modules in a subsystem’s policy framework. Registering a new policy module involves specifying the name of the module and the full name of the Java class that implements the policy interface.
  • Page 563: Deleting A Policy Module

    Deleting a Policy Module: You can delete unwanted policy plug-in modules using the CMS window. Before deleting a module, be sure to delete all the policy rules that are based on this module. To delete a policy module from a subsystem’s policy framework: Log in to the CMS window (see “Logging Into the CMS Console”...
  • Page 565: Chapter 12 Automated Notifications

    Chapter 12 Automated Notifications Netscape Certificate Management System (CMS) can be configured to send automatic email notifications to end users when certificates are issued and revoked, or to an agent when a new request has arrived in the agent request queue. This chapter describes automated notifications, details how to enable and configure them, and details how to customize the notification email messages that are sent.
  • Page 566: Setting Up Automated Notifications

    About Automated Notifications Setting Up Automated Notifications The automated notifications feature is set up by performing the following tasks: • Enabling and configuring one of the notification types and setting preferences for that notification type; see “Setting Up Automated Notifications” on page 567 for complete details.
  • Page 567: Determining End-Entity Email Addresses

    Determining End-Entity Email Addresses. The notification system determines the email address of an end entity by checking in the certificate request or revocation request itself, then in the subject name of the certificate, and last in the Subject Alternative Name extension of the certificate—if the certificate contains this extension.
  • Page 568 To enable Certificate Issued notifications, go to the Certificate Issued tab and specify information in the following fields: Enable Certificate Issued notification. Select this field to enable Certificate Issued notifications. Sender’s E-mail Address. Type the sender’s full email address; this is the email address of the person who is notified of any delivery problems.
  • Page 569: Configuring Specific Notifications By Editing The Configuration File

    Customize the notification message templates. See “Customizing Notification Messages,” on page 570. Test your configuration. See “Testing Your Configuration,” on page 569. Configuring Specific Notifications By Editing the Configuration File: Stop the server instance whose configuration file you will be editing. Open the file for that server instance in a text editor.
  • Page 570: Customizing Notification Messages

    Customizing Notification Messages. Log in to the agent interface and approve the request. When the server issues a certificate, you should receive a Certificate Issued email notification. Check the message to see if it has the correct information. Log in to the agent interface and revoke the certificate. You should receive an email message notifying you that the certificate has been revoked.
  • Page 571: Notification Message Templates

    You could change the message by changing the text and tokens, shown as follows: THE EXAMPLE COMPANY CERTIFICATE ISSUANCE CENTER. Your certificate has been issued! You can pick up your new certificate at the following website: https://$HttpHost:$HttpPort/displayBySerial?op=displayBySerial&serialNumber=$SerialNumber This certificate has been issued with the following information: Serial Number= 0x$HexSerialNumber...
  • Page 572 Table 12-1 Notification Templates (Continued). certIssued_CA.html: Template for the Certificate Manager to send HTML-based notifications to end entities upon issuance of certificates. certIssued_RA: Template for the Registration Manager to send plain-text notifications to end entities upon issuance of certificates.
  • Page 573: Token Definitions

    Table 12-1 Notification Templates (Continued). reqInQueue_RA.html: Template for the Certificate Manager or Registration Manager to send plain-text notifications to agents when a request enters the queue. Token Definitions: Table 12-2 lists and defines the tokens that can be used in the notification message templates.
  • Page 574 Table 12-2 Notification Tokens (Continued). $NotBefore: Specifies the NotBefore attribute. $RecipientEmail: Specifies the email address of the recipient. $RequestId: Specifies the request ID. $RequestorEmail: Specifies the email address of the requestor. $RequestType: Specifies the type of request that was made. Specifies the date the certificate was revoked.
  • Page 575: Chapter 13 Automated Jobs

    Chapter 13 Automated Jobs. Netscape Certificate Management System (CMS) provides a customizable Job Scheduler component that supports various mechanisms for scheduling cron jobs. This chapter explains how to configure CMS to use specific job plug-in modules for accomplishing jobs. This chapter contains the following sections: •...
  • Page 576: Setting Up Automated Jobs

    About Automated Jobs. Setting Up Automated Jobs: The automated jobs feature is set up by performing the following tasks: • Enabling and configuring the Job Scheduler; see “Setting Up the Job Scheduler” on page 577 for complete details. • Enabling and configuring one or more of the job modules and setting preferences for those job modules;...
  • Page 577: Setting Up The Job Scheduler

    Setting Up the Job Scheduler. UnpublishExpiredJob: Expired certificates are not automatically removed from the publishing directory. If you configure a Certificate Manager or Registration Manager to publish certificates to an LDAP directory, over time the directory will contain expired certificates. The UnpublishExpiredJob job checks for certificates that have expired and are still marked as published in the internal database at the configured time interval.
  • Page 578: Enabling And Configuring The Job Scheduler

    Table 13-1 Time Format for Scheduling Jobs (Field: Value). Minute: 0-59. Hour: 0-23. Day of month: 1-31. Month of year: 1-12. Day of week: 0-6 (where 0=Sunday). For example, the following time entry specifies every hour at 15 minutes (1:15, 2:15, 3:15 and so on): 15 * * * * The following example specifies a job execution time of noon on April 12:...
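Because a mistyped schedule silently stops a job such as UnpublishExpiredJob from ever firing, it is worth validating the five fields of Table 13-1 before they go into the configuration. The following added example, not code from the manual or from CMS, parses a schedule against the table's ranges, tests whether it fires at a given minute (mapping Python's Monday-based weekday to the table's Sunday=0), and computes the next firing time; comma-separated value lists are an assumption of the example, since the page shows only * and single integers.

```python
from datetime import datetime, timedelta

# Field order and permitted ranges from Table 13-1.
FIELDS = (
    ("minute", 0, 59),
    ("hour", 0, 23),
    ("day_of_month", 1, 31),
    ("month", 1, 12),
    ("day_of_week", 0, 6),   # 0 = Sunday
)


def parse_schedule(spec):
    """Parse a five-field CMS job schedule into a tuple of allowed values.

    Each element is None for "*" (any value) or a frozenset of integers.
    Comma-separated lists such as "0,30" are an assumption of this example.
    """
    parts = spec.split()
    if len(parts) != len(FIELDS):
        raise ValueError("expected 5 fields, got %d: %r" % (len(parts), spec))
    parsed = []
    for (name, lo, hi), token in zip(FIELDS, parts):
        if token == "*":
            parsed.append(None)
            continue
        values = set()
        for piece in token.split(","):
            if not piece.isdigit():
                raise ValueError("%s: %r is not an integer or *" % (name, piece))
            value = int(piece)
            if not lo <= value <= hi:
                raise ValueError("%s: %d outside %d-%d" % (name, value, lo, hi))
            values.add(value)
        parsed.append(frozenset(values))
    return tuple(parsed)


def _date_matches(parsed, day):
    """Check the month, day-of-month and day-of-week fields for a calendar day."""
    _, _, dom, month, dow = parsed
    cms_dow = (day.weekday() + 1) % 7   # Python: Monday = 0; Table 13-1: Sunday = 0
    return ((month is None or day.month in month)
            and (dom is None or day.day in dom)
            and (dow is None or cms_dow in dow))


def matches(spec, when):
    """True if the schedule fires during the minute containing `when`."""
    parsed = parse_schedule(spec)
    minute, hour = parsed[0], parsed[1]
    return ((minute is None or when.minute in minute)
            and (hour is None or when.hour in hour)
            and _date_matches(parsed, when))


def next_run(spec, after, horizon_days=366):
    """First minute strictly after `after` at which the schedule fires, or
    None if nothing matches within the horizon (e.g. "0 0 31 2 *")."""
    parsed = parse_schedule(spec)
    minutes = sorted(parsed[0]) if parsed[0] is not None else range(60)
    hours = sorted(parsed[1]) if parsed[1] is not None else range(24)
    start = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    day = start.replace(hour=0, minute=0)
    for _ in range(horizon_days + 1):
        if _date_matches(parsed, day):
            for h in hours:
                for m in minutes:
                    candidate = day.replace(hour=h, minute=m)
                    if candidate >= start:
                        return candidate
        day += timedelta(days=1)
    return None


if __name__ == "__main__":
    # The page's two examples: every hour at 15 minutes, and noon on April 12.
    now = datetime(2003, 6, 1, 2, 16)   # constructed timestamp (a Sunday)
    print(next_run("15 * * * *", now))
    print(next_run("0 12 12 4 *", now))
```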
  • Page 579: Setting Up Specific Jobs

    Setting Up Specific Jobs. Enter information as appropriate: Enable Jobs Scheduler. Select this option to enable the Job Scheduler; deselect to disable the Job Scheduler. Disabling turns off all the jobs. Check Frequency. Type the frequency at which the Job Scheduler daemon thread should wake up and call the configured jobs that meet the cron specification.
  • Page 580: Enabling And Configuring Specific Jobs Using The CMS Console

    Enabling and Configuring Specific Jobs Using the CMS Console. To enable and configure an automated job using the CMS console: Ensure that the Jobs Scheduler is enabled and configured; see “Setting Up the Job Scheduler,” on page 577 for more information. Log in to the CMS console (see “Logging Into the CMS Console”...
  • Page 581: Enabling And Configuring Specific Jobs By Editing The Configuration File

    Click Edit/View. The Job Instance Editor window appears, showing how this job is currently configured. Select Enable and set each of the configuration settings by specifying them in the fields for this dialog. For RenewalNotifier, see “Configuration Parameters of RenewalNotificationJob,”...
  • Page 582: Configuration Parameters Of Renewalnotificationjob

    Setting Up Specific Jobs Edit all of the configuration parameters for the job module you are enabling and configuring. To configure RenewalNotifier, edit all parameters that begin with jobsScheduler.job.certRenewalNotifier; see “Configuration Parameters of RenewalNotificationJob,” on page 582 for details about these parameters. To configure RequestInQueueJob, edit all parameters that begin with ...
  • Page 583 Setting Up Specific Jobs Table 13-2 RenewalNotificationJob Parameters (Continued) Parameter Description: cron. Specifies the cron string that sets the schedule on which this job should be run. In other words, it specifies the time at which the Job Scheduler daemon thread should check the certificates for sending renewal notifications.
  • Page 584: Configuration Parameters Of Requestinqueuejob

    Setting Up Specific Jobs Table 13-2 RenewalNotificationJob Parameters (Continued) Parameter Description: summary.itemTemplate. Specifies the path, including the filename, to the directory that contains the template to be used to create the content and format of each item to be collected for the summary report (see the summary.emailTemplate parameter below).
  • Page 585: Configuration Parameters Of Unpublishexpiredjob

    Setting Up Specific Jobs Table 13-3 RequestInQueueJob Parameters (Continued) Parameter Description: summary.enabled. Specifies whether a summary of the job accomplished should be compiled and sent. Specify the value of this parameter as true to enable; specify the value of this parameter as false to disable.
  • Page 586 Setting Up Specific Jobs Table 13-4 UnpublishExpiredJob Parameters (Continued) Parameter Description: cron. Specifies the cron specification for when this job should be run. This is the time at which the Job Scheduler daemon thread checks the certificates for removing expired certificates from the publishing directory.
  • Page 587: Customizing Notification Messages

    Customizing Notification Messages Customizing Notification Messages The email notifications that are sent are constructed using a template for each type of message that is sent. Each type of message has an HTML template and a plain text template associated with it. Messages are constructed from text and tokens, and HTML markup in the case of HTML templates.
  • Page 588: Token Definitions

    Customizing Notification Messages Table 13-5 Notification Templates (Continued) Filename Description: riq1Summary.html. Template for formulating the summary report or table that summarizes how many requests are pending in the agent queue of a Certificate Manager or Registration Manager. RenewalNotificationJob: rnJob1.txt. Template for formulating the message content to be sent to end entities to inform them that their certificates are about to expire and that they should...
  • Page 589 Customizing Notification Messages Table 13-6 Tokens for the renewal-notification job’s summary report (Continued) Token Description: $HttpPort. Specifies the port number on which the Certificate Manager or Registration Manager is listening for certificate-renewal requests from end entities. $InstanceID. Specifies the name of the job instance. Specifies the distinguished name of the certificate issuer.
  • Page 590: Managing Job Plug-Ins

    Managing Job Plug-ins Managing Job Plug-ins You can register a new job plug-in module or delete a job plug-in module. This section details how to perform these tasks. Registering or Deleting a Job Module You can register custom job plug-in modules from the CMS window. Registering a new module involves specifying the name of the module and the full name of the Java class that implements the module.
  • Page 591: Chapter 14 Revocation And Crls

    Chapter 14 Revocation and CRLs Netscape Certificate Management System (CMS) provides methods for revoking certificates and for producing lists of revoked certificates, called certificate revocation lists (CRLs). This chapter describes the methods for revoking a certificate, describes CMC Revocation, and provides details about CRLs and setting up CRLs.
  • Page 592: Authentication Of End Users During Certificate Revocation

    Revocation revoked or can revoke all certificates in the list. The end user can also specify additional details, such as the date of revocation and revocation reason for each certificate or for the list as a whole. For instructions on how end users revoke their certificates, see the online help available by clicking the Help buttons in the end-entity forms.
  • Page 593: Certificate Revocation Forms

    Revocation After successful authentication, if the server detects only one valid or expired certificate with matching subject name as that of the one presented for client authentication, it revokes the certificate. If the server detects more than one valid or expired certificate with matching subject name, it lists all those certificates.
  • Page 594: Cmcrevocation

    CMCRevocation If you want to change the forms to suit your organization’s requirements, you can edit the following files: • ChallengeRevoke1.html (the form that allows challenge-password-based revocation of client or personal certificates) • UserRevocation.html (the form that allows SSL client-authenticated revocation of client or personal certificates) Both the files are located in the following directory:...
  • Page 595: Testing Cmc Revoke

    CMCRevocation <server_root>/bin/cert/tools This utility has the following syntax: CMCRevoke -d<dir to cert8.db, key3.db> -n<nickname> -i<issuerName> -s<serialName> -m<reason to revoke> -c<comment> where -d is the directory containing cert8.db, key3.db, and secmod.db, in which the agent certificate is located; -n is the nickname of the agent’s certificate; and -i is the issuer name of the certificate being revoked.
  • Page 596: About Crls

    About CRLs .\CMCRevoke -d<dir to cert8.db, key3.db> -n<nickname> -i<issuerName> -s<serialName> -m<reason to revoke> -c<comment> For example, if the directory containing the agent certificate is .netscape, the nickname of the certificate is RegistartionManagerAgentCert, and the serial number of the certificate is , the command would look like this: .\CMCRevoke -d".\.netscape"...
  • Page 597: Reasons For Revoking A Certificate

    About CRLs One of the standard methods for conveying the revocation status of certificates is by publishing a list of revoked certificates. This list is known as a certificate revocation list (CRL). A CRL is a publicly available list of certificates that have been revoked.
  • Page 598: Revocation Checking By Netscape Servers

    About CRLs • Affiliation Changed—The owner of the certificate is no longer affiliated with the issuer of the certificate, and either no longer has rights to the access gained with the certificate or no longer needs it. • Certificate Superseded—Another certificate replaces the use of this one. • Cessation of Operation—The CA that issued the certificate ceases to operate.
  • Page 599: Crl Issuing Points

    About CRLs For information on setting up an OCSP responder, see Chapter 5, “OCSP Responder.” CRL Issuing Points Because CRLs can grow very large, several methods have been developed to minimize the overhead of retrieving and delivering large CRLs. One of these methods is based on partitioning the entire certificate space and associating a separate CRL with every partition.
  • Page 600 About CRLs When the CRL feature is enabled by enabling one or more issuing points, the server collects revocation information as certificates are revoked. The server attempts to match the revoked certificate against all issuing points that are set up. A given certificate can match none of the issuing points, one of the issuing points, several of the issuing points, or all of the issuing points.
  • Page 601: Setting Up The Issuance Of Crls

    Setting Up the Issuance of CRLs Setting Up the Issuance of CRLs The process of setting up the CRL feature includes the following tasks: The Certificate Manager will use its CA signing key to sign CRLs. If you want to use a separate signing key pair for CRLs, you need to set up a CRL signing key and change the Certificate Manager configuration to allow it to use this key to sign CRLs.
  • Page 602: Configuring Issuing Points

    Setting Up the Issuance of CRLs Setting up publishing of CRLs to files, an LDAP directory, or an OCSP responder. See Chapter 15, “Publishing” for complete details about setting up publishing. Configuring Issuing Points You can create Issuing Points that define which certificates are included in a new CRL that is generated.
  • Page 603: Configuring Crls For Each Issuing Point

    Setting Up the Issuance of CRLs You need to configure this new issuing point, and set up any CRL extensions that will be used in this CRL. See “Configuring CRLs for Each Issuing Point,” on page 603 for details on configuring an issuing point. See “Setting CRL Extensions,”...
  • Page 604 Setting Up the Issuance of CRLs In the adjoining text field, type the interval, in minutes, at which the Certificate Manager should publish CRLs. For example, if you want the server to publish CRLs every day, you should type 1440 in this field. with a skew of.
  • Page 605: Setting Crl Extensions

    Setting Up the Issuance of CRLs If you selected Allow extensions for this issuing point, you need to configure the extensions for this issuing point. See “Setting CRL Extensions,” on page 605 for details. Setting CRL Extensions Complete this step only if you configured the Certificate Manager to create version 2 CRLs in the previous step—that is, if you selected the “Allow extensions”...
  • Page 606: Crl Extension Reference

    CRL Extension Reference CRL Extension Reference To enable you to issue or publish X.509 v2 CRLs (that is, CRLs with extensions), CMS provides a set of extension rules; each rule enables you to configure the Certificate Manager to set a particular CRL or CRL-entry extension in CRLs it issues.
  • Page 607: Crlnumber

    CRL Extension Reference The CRLNumber rule enables you to configure a Certificate Manager to set the CRL Number Extension in CRLs. This extension specifies a monotonically increasing sequence number for each CRL issued by a CA, allowing CRL users to easily determine when a particular CRL supersedes another CRL.
  • Page 608: Deltacrlindicator

    CRL Extension Reference The DeltaCRLIndicator rule enables you to configure a Certificate Manager to set the Delta CRL Indicator Extension in CRLs. The extension is included in generated delta CRLs; it identifies them as deltas and provides a reference to the base CRL. Enabling this extension also enables the generation of delta CRLs for this issuing point.
  • Page 609: Holdinstruction

    CRL Extension Reference Table 14-5 FreshestCRL Configuration Parameters (Continued) Parameter Description: pointName<n>. • If pointType is set to directoryName, the value must be a string in the form of an X.500 name, similar to the subject name in a certificate. For example, CN=CACentral,OU=Research Dept,O=Example Corporation,C=US.
  • Page 610: Invaliditydate

    CRL Extension Reference The InvalidityDate rule enables you to configure a Certificate Manager to set the Invalidity Date Extension in CRL entries. The extension is a non-critical CRL entry extension that is used to specify the date on which it is known or suspected that the private key was compromised or that the certificate otherwise became invalid.
  • Page 611 CRL Extension Reference Table 14-8 IssuerAlternativeName Configuration Parameters (Continued) Parameter Description: numNames. Specifies the total number of alternative names or identities permitted in the extension. Note that each name has a set of configuration parameters—nameType and name—and you must specify appropriate values for each of those parameters;...
  • Page 612: Issuingdistributionpoint

    CRL Extension Reference Table 14-8 IssuerAlternativeName Configuration Parameters (Continued) Parameter Description • If the type is URL, the value must be a non-relative universal resource identifier (URI). For example: http://testCA.example.com. • If the type is iPAddress, the value must be a valid IP address specified in dot-separated numeric component notation.
  • Page 613 CRL Extension Reference Table 14-9 IssuingDistributionPoint Configuration Parameters Parameter Description: enable. Specifies whether the rule is enabled or disabled. Select to enable, deselect to disable (default). critical. Select if you want the server to mark the extension critical (default); deselect if you want the server to mark the extension noncritical.
  • Page 614 CRL Extension Reference Table 14-9 IssuingDistributionPoint Configuration Parameters (Continued) Parameter Description: onlyContainsCACerts. Select if the distribution point contains CA certificates only; deselect if the distribution point contains all types of revoked certificates (default). onlyContainsUserCerts. Select if the distribution point contains user certificates only;...
  • Page 615: Chapter 15 Publishing

    Chapter 15 Publishing Netscape Certificate Management System (CMS) provides a customizable publishing framework for the Certificate Manager and the Registration Manager, enabling them to publish certificates, certificate revocation lists (CRLs), and other certificate-related objects to any of the supported repositories—an LDAP-compliant directory, a flat file, and an online validation authority—using the appropriate protocol.
  • Page 616: About Publishing

    About Publishing About Publishing CMS is capable of publishing certificates to a file or an LDAP directory, and CRLs to a file, an LDAP directory, or an OCSP responder. The publishing feature is very flexible, allowing you to publish to a file, to an LDAP directory, to an OCSP responder, or to all three.
  • Page 617: About Publishers

    About Publishing About Publishers Publishers specify the location in which certificates and CRLs are published. In the case of publishing to a file, publishers specify the publishing directory. In the case of LDAP publishing, publishers specify the attribute in the directory that will store the certificate or CRL;...
  • Page 618: About Publishing To Files

    About Publishing About Publishing to Files The server can publish certificates and CRLs to flat files, which can then be imported into any repository, for example, into a relational database. If you configure the server to publish certificates and CRLs to flat files, it publishes them to files as DER-encoded binary blobs.
  • Page 619: About Ocsp Publishing

    About Publishing If the server and publishing directory become out of sync for some reason, privileged users (administrators and agents) can also manually initiate the publishing process. For instructions, see “Manually Updating the CRL in the Directory” on page 660. About OCSP Publishing CMS provides two forms of OCSP services, an internal service and the Online Certificate Status Manager subsystem.
  • Page 620: Setting Up Publishing

    Setting Up Publishing When a rule is matched, the certificate or CRL is published according to the method and location specified in the publisher associated with that rule. For example, if a rule matches all certificates issued to users, and the rule has a publisher that publishes to a file in the location /etc/cms/certificates, the...
  • Page 621 Setting Up Publishing If you are publishing everything to one location, create one publisher specifying the location where you want to publish all files. If you are publishing to separate locations, create a publisher for each location you will publish to, specifying that location. You can split these up by certificates and CRLs, or by even finer definitions.
  • Page 622 Setting Up Publishing For LDAP publishing, you need to set up Mappers to enable an entry’s DN to be derived from the certificate’s subject name. Generally, you will need to set one up for the CA certificate, for CRLs, and for user certificates. You can also set up more than one for a particular type.
  • Page 623: Publishers

    Publishers Publishers Publishers allow you to specify the location where you want a particular object published. In the case of publishing to a file, a publisher specifies a particular location in which you want to publish the files. You can publish everything to one location, or you can create publishers for each location you want to publish to.
  • Page 624 Publishers Click Add. The Select Publisher Plug-in Implementation window appears. It lists registered publisher modules. Select the module named FileBasedPublisher. This is the only Publisher module that enables the Certificate Manager to publish certificates and CRLs to files. Click Next. The Publisher Editor window appears.
  • Page 625: Configuring Publishers For Publishing To Ocsp

    Publishers Fill in the following fields in this window: Publisher ID. Type a name for the rule. Be sure to use an alphanumeric string with no spaces. For example, PublishCertsToFile. directory. Type the complete path to the directory in which the Certificate Manager should create the DER-encoded files;...
  • Page 626 Publishers Creating a Publisher for File Publishing To create publishers for publishing to files: Log in to the CMS console for the Certificate Manager (see “Logging Into the CMS Console” on page 245). Select the Configuration tab. In the navigation tree, select Certificate Manager, select Publishing, and then select Publishers.
  • Page 627 Publishers Select the module named OCSPPublisher. This is the only Publisher module that enables the Certificate Manager to publish CRLs to the Online Certificate Status Manager. Click Next. The Publisher Editor window appears. Fill in the following fields in this window: Publisher ID.
  • Page 628: Configuring Publishers For Ldap Publishing

    Publishers Configuring Publishers for LDAP Publishing The Certificate Manager creates, configures, and enables a set of publishers that are associated with LDAP publishing as follows: • LdapCaCertPublisher. Used to publish Certificate Authority certificates to the LDAP directory. • LdapCrlPublisher. Used to publish CRLs to the LDAP directory. •...
  • Page 629 Publishers The FileBasedPublisher plug-in module enables you to configure a Certificate Manager to publish certificates and CRLs to files. By default, the Certificate Manager does not create an instance of the FileBasedPublisher module. Table 15-1 FileBasedPublisher Configuration Parameters Parameter Description: Specifies a name for the publisher.
  • Page 630 Publishers The LdapUserCertPublisher plug-in module enables you to configure a Certificate Manager to publish or unpublish a user certificate to the userCertificate;binary attribute of the user’s directory entry. You can use this module to publish any end-entity certificate to an LDAP directory. Types of end-entity certificates include SSL client, S/MIME, SSL server, object signing, router, and OCSP responder.
  • Page 631 Publishers The LdapDeltaCrlPublisher plug-in module enables you to configure a Certificate Manager to publish or unpublish a delta CRL to the deltaRevocationList;binary attribute of a directory entry. During installation, the Certificate Manager automatically creates an instance of the LdapDeltaCrlPublisher module for publishing CRLs to the directory. Table 15-5 LdapDeltaCrlPublisher Configuration Parameters Parameter...
  • Page 632: Mappers

    Mappers The OCSPPublisher plug-in module enables you to configure a Certificate Manager to publish its CRLs to an Online Certificate Status Manager. During installation, the Certificate Manager does not create any instances of the OCSPPublisher module. Table 15-7 OCSPPublisher Parameters Parameter Description: Specifies the fully qualified hostname of the Online Certificate...
  • Page 633 Mappers • LdapCrlMap—for locating the correct attribute of the CA’s entry in the directory in order to publish the CRL. • LdapCaCertMap—for locating the correct attribute of the CA’s entry in the directory in order to publish the CA certificate. You can use these mappers, or create instances of the other LDAP mapper plug-ins available and configure those.
  • Page 634 Mappers To modify an existing mapper: In the Mapper list, select a mapper that you want to modify. Click Edit/View. The Mapper Editor window appears. Go to step 6. To create a new mapper instance: Click Add. The Select Mapper Plugin Implementation window appears. It lists registered mapper modules.
  • Page 635: Mapper Plug-In Modules Reference

    Mappers Mapper Plug-in Modules Reference This section describes the mapper plug-in modules provided for the Certificate Manager. You can use these modules to configure a Certificate Manager to enable and configure specific Mapper instances. The available mapper plug-in modules include the following: •...
  • Page 636 Mappers If the mapper fails to create a second CA entry, be sure to check the base DN that the uid uniqueness plug-in is set to (in the slapd.ldbm.conf file) and also check whether an entry with the same UID already exists in the directory. If it does, adjust the mapper setting, remove the old CA entry, comment out the plug-in, or create the entry manually using the Console window.
  • Page 637 Mappers Table 15-8 LdapCaSimpleMap Configuration Parameters (Continued) Parameter Description Example 1: uid=CertMgr, o=Example Corporation Example 2: CN=$subj.cn,OU=$subj.ou,O=$subj.o,C=US Example 3: uid=$req.HTTP_PARAMS.uid, E=$ext.SubjectAlternativeName.RFC822Name,ou=$subj. In the above examples, $req means take the attribute from the certificate request, $subj means take the attribute from the certificate subject name, and $ext means take the attribute from the certificate extension.
  • Page 638 Mappers The LdapDNExactMap plug-in module enables you to configure a Certificate Manager to map a certificate to an LDAP directory entry by searching for the LDAP entry DN that matches the certificate subject name. Note that to be able to use this mapper, each certificate subject name must exactly match a DN in a directory entry.
  • Page 639 Mappers In the above examples, $req means take the attribute from the certificate request, $subj means take the attribute from the certificate subject name, and $ext means take the attribute from the certificate extension. The LdapSubjAttrMap plug-in module enables you to configure a Certificate Manager to map a certificate to an LDAP directory entry by using the LDAP attribute named...
  • Page 640 Mappers The LdapDNCompsMap plug-in module implements the DN components mapper. This mapper enables you to configure a Certificate Manager to map a certificate to an LDAP directory entry by constructing the entry’s distinguished name from components (such as , and ) specified in the certificate subject name, and then using it as the search DN to locate the entry in the directory.
  • Page 641 Mappers • , which represents an organization in the directory • , which represents a locality in the directory • , which represents a state in the directory • , which represents a country in the directory For example, the following DN represents the user named Jane Doe who works for the Sales department at Example Corporation, which is located in Mountain View in the state of California, United States: CN=Jane Doe, E=jdoe@example.com, OU=Sales, O=Example Corporation,...
  • Page 642 Mappers In general, for the dnComps parameter, you should enter those DN components that the Certificate Manager can use to form the LDAP DN exactly. In certain situations, however, the subject name in a certificate may match more than one entry in the directory.
  • Page 643 Mappers Table 15-10 LdapDNCompsMap Configuration Parameters Parameter Description: baseDN. Specifies the DN at which to start searching for an entry in the publishing directory. If you leave the dnComps field blank, the server uses the base DN value to start its search in the directory. dnComps. Specifies where in the publishing directory the Certificate Manager should start searching for an LDAP entry that matches...
  • Page 644: Rules

    Rules Rules You set up Rules to determine what exactly gets published where. Rules work independently, not in tandem. A certificate or CRL that is being published is matched against every rule. Any rule to which it matches is activated. In this way, the same certificate can be published to a file, to an Online Certificate Status Manager, and to an LDAP directory by matching a file-based rule, an OCSP rule, and matching a directory-based rule.
  • Page 645 Rules To edit an existing rule, select that rule from the list and click Edit. The Rule Editor window appears. To create a rule: Click Add. The Select Rule Plugin Implementation window appears.
  • Page 646 Rules Select the module named Rule. This is the only module. (If you have registered any custom modules, they too will be available for selection.) Click Next. The Rule Editor window appears. Enter the appropriate information: Rule ID. Type a name for the rule that will help you identify it later; use an alphanumeric string with no spaces.
  • Page 647 Rules type. Select the type value from the list. The type value depends on which type of certificate this rule applies to. For a Certificate Manager signing certificate, the value is cacert. For a cross-signed certificate, the value is xcert. For all other types of certificates, the value is...
  • Page 648: Rule Instance Reference

    Rules Table 15-12 lists the predicates that can be used to identify CRL issuing points and delta CRLs. Table 15-12 CRL Predicate Expressions Predicate Type Predicate: CRL Issuing Point. issuingPointId=Issuing_Point_Instance_ID && isDeltaCRL=[true|false] To publish only the master CRL, set isDeltaCRL=false.
  • Page 649 Rules Table 15-13 LdapCaCert Rule Configuration Parameters Parameter Value Description: publisher. LdapCaCertPublisher. Specifies the publisher used with this rule. See “LdapCaCertPublisher,” on page 629 for details on this publisher. LdapXCertRule can be used to publish cross-pair certificates to an LDAP directory.
  • Page 650 Rules Table 15-15 LdapXCert Rule Configuration Parameters Parameter Value Description type certs Specifies the type of certificate that will be published. Select from the pull down menu. predicate Specifies a predicate for this publisher. enable Select to enable. mapper LdapUserCertMap Specifies the mapper used with this rule.
  • Page 651: Enabling Publishing

    Enabling Publishing Table 15-16 LdapCRL Rule Configuration Parameters Parameter Value Description: publisher. LdapCrlPublisher. Specifies the publisher used with this rule. See “LdapCrlPublisher,” on page 630 for details on this publisher. Enabling Publishing You can enable just file publishing, or both LDAP and file publishing. You should enable publishing after setting up publishers, rules, and mappers.
  • Page 652 Enabling Publishing Directory manager DN. Type the distinguished name (DN) of the directory entry that has directory manager privileges. The Certificate Manager uses this DN to access the directory tree and to publish to the directory. The access control set up for this DN determines whether the Certificate Manager can perform publishing.
  • Page 653: Testing Publishing To Files

    Testing Publishing to Files Testing Publishing to Files To verify that the Certificate Manager is publishing certificates and CRLs correctly to files, follow these steps: Go to the end-entity interface and request a certificate. Go to the agent services interface and approve the request if you have an agent-approved enrollment configuration.
  • Page 654 Testing Publishing to Files When the conversion is complete, open the cert.txt file in a text editor. You should see a base-64 encoded certificate similar to this: -----BEGIN CERTIFICATE----- [base-64 certificate body] -----END CERTIFICATE----- Convert the base-64 encoded certificate to a human-readable form using the Pretty Print Certificate tool (see Chapter 9, “Pretty Print Certificate Tool”...
  • Page 655: Configuring The Directory For Ldap Publishing

    Configuring the Directory for LDAP Publishing Compare the output with the certificate you issued; be sure to check the serial number in the certificate with the one used in the filename. If everything matches, the Certificate Manager is configured correctly to publish certificates to files.
  • Page 656: Schema

    Configuring the Directory for LDAP Publishing Schema For a Certificate Manager to publish certificates and CRLs to a directory, it must be configured with specific attributes and object classes. This section discusses those basic schema requirements. Required Schema for Publishing End-Entity Certificates The Certificate Manager publishes an end entity’s certificate to the userCertificate;binary attribute within the end entity’s or subject’s directory...
  • Page 657: Entry For The Ca

    Configuring the Directory for LDAP Publishing Entry for the CA You can have the Certificate Manager automatically create an entry for the CA in your directory. You specify this option in both the CA and CRL mapper instances you set up; it is enabled by default in both mappers. If you have restricted your directory in such a way that the Certificate Manager is not allowed to create entries in the directory, you will have to turn off this option in those mapper instances and add an entry for the CA manually in the directory.
  • Page 658: Directory Authentication Method

    Updating Certificates and CRLs in a Directory • Use the DN of an existing entry that has write access. For example, you can use the entry of the Directory Manager or choose an alternative. • Give write access to a user entry created for this purpose. The entry can be identified by the Certificate Manager’s DN.
  • Page 659: Manually Updating Certificates In The Directory

    Updating Certificates and CRLs in a Directory The following choices are available for synchronizing the directory with the internal database: • Search the internal database for certificates that are out of sync and publish or unpublish accordingly. • Publish certificates that were issued from time A to time B while Directory Server was down.
  • Page 660: Manually Updating The Crl In The Directory

    Updating Certificates and CRLs in a Directory Select the Update Directory Server link. The Update Directory Server page appears. Select the appropriate options. When you are done specifying the changes that you want updated, click Update Directory. The Certificate Manager starts updating the directory with the certificate information in its internal database.
  • Page 661: Registering And Deleting Mapper And Publisher Plug-In Modules

    Registering and Deleting Mapper and Publisher Plug-in Modules To manually update the CRL information in the directory: Go to the Certificate Manager Agent Services page. You must submit the proper client certificate to get access to this page. Select Update Revocation List. The Update Certificate Revocation List page appears.
  • Page 662 Registering and Deleting Mapper and Publisher Plug-in Modules To register or delete a publisher module, select Publishers, and then in the right pane, select the Publisher Plugin Registration tab. To delete a plug-in, select the plug-in and click delete. Confirm the deletion in the popup window that appears.
  • Page 663: Cms High Availability Overview

    Chapter 16 Configuring CMS for High Availability This chapter explains how to create and configure the Netscape Certificate Management System for high availability. CMS allows you to clone various subsystems and run the cloned instances on different machines. This provides failover support by ensuring that CMS services continue, even if the machine on which the master instance was installed goes down.
  • Page 664: Architecture Of A Failover System

    CMS High Availability Overview Typically, master and cloned instances are installed on different machines, and those machines are placed behind a load balancer. The load balancer accepts HTTP and HTTPS requests made to the CMS system and directs those requests appropriately between the two machines.
  • Page 665: Load Balancing

    CMS High Availability Overview Figure 16-1 CMS Setup Example As this diagram indicates, only one of the CAs can generate the CRLs. See “Cloned-Master CA Conversion” on page 681 for more information about configuring a clone for CRL generation during failover. Load balancing The load balancer in front of a CMS system is what provides the actual failover support in a high availability system.
  • Page 666: Cloning The Certificate Manager

    Cloning the Certificate Manager • DNS round robin, a feature for managing network congestion that distributes load across several different servers. • Sticky SSL, which makes it possible for a user returning to the system to be routed to the same host they used previously. Consult the documentation for the load balancer you intend to use with CMS to read more about the features, advantages, and configuration of a load balancer.
  • Page 667 Cloning the Certificate Manager Verify that this master instance is running. The CA instance automatically starts up once it’s been properly configured. If you need to start or restart the Certificate Manager manually, you may do so by invoking the start-cert or restart-cert commands, which are available in the CA instance directory:...
  • Page 668: Cloning The Ca

    Cloning the Certificate Manager same SSL server certificate and key copied from the master Certificate Manager. If you are not using a load balancer and your master and cloned Certificate Managers exist on separate machines (e.g., a proprietary configuration which expects usernames [A-M] using one machine and usernames [N-Z] using the other machine), then the SSL server certificate DNs should contain the hostname of their resident machines with their...
  • Page 669 Cloning the Certificate Manager The Installation Wizard asks you to copy the key and certificates from the master CA to the clone if you have not already done so.
  • Page 670 Cloning the Certificate Manager Copy the master CA’s Certificate and Key Database. Because you want the cloned Certificate Manager to own the same keys and certificates as that of the master Certificate Manager, you need to make the keys and certificates used by the master Certificate Manager available to the Certificate Manager clone.
  • Page 671 Cloning the Certificate Manager Locate the certificate and key database files; the file names are as follows: cert-<instance_id>-<machine_name>-cert8.db cert-<instance_id>-<machine_name>-key3.db On the host machine of the cloned Certificate Manager, go to this directory: <server_root>/alias Copy the certificate and key database files from the master Certificate Manager to the clone.
  • Page 672 Cloning the Certificate Manager In the Local Consumer Database dialog, specify what type of database you are creating. Either select Create a local consumer database to create a new clone database local to the cloned Certificate Manager: Netscape Certificate Manager System Administrator’s Guide • June 2003...
  • Page 673 Cloning the Certificate Manager Or select Connect to the existing remote LDAP server to use the existing LDAP server as the internal database for the cloned Certificate Manager instance. If you select the remote database, make sure that you have already created an LDAP server containing a base suffix of o=netscapeCertificateServer on the host whose host name and port...
  • Page 674 Cloning the Certificate Manager Configure replication between the cloned CA database and the master CA database in the following dialog.
  • Page 675 Cloning the Certificate Manager Follow the instructions on screen to create the password for the Replication Manager role in the Master database, the password for the Replication Manager role in the Consumer database, and the agreement names between the master and clone’s databases. See “Configuring the Certificate Manager” on page 112 for more information.
  • Page 676 Cloning the Certificate Manager Be aware of the following as you designate the serial number ranges for the certificate and request numbers of the cloned Certificate Manager: CA’s serial number range—On this screen, specify the lowest serial number the CA should assign to certificates it creates in the “Starting certificate number”...
  • Page 677 Cloning the Certificate Manager Specify the master CA’s agent port in the Agent Port field so that the clone can redirect “Update CRL” requests to the master CA (see “About CRLs” on page 596 for more information about CRLs). Choose the cloned CA’s signing certificate, the OCSP’s signing certificate, and the SSL server certificate from the pull-down menus provided in the Clone Key and Certificate Materials for CA Subsystem dialog.
  • Page 678 Cloning the Certificate Manager In order for these fields to be populated properly, you have to have already copied over the appropriate certificates from the master CA. If you do not see certificates in the pull-down menus, follow the instructions in Step 4 above to copy the key and certificate database material over correctly.
  • Page 679: Testing The Ca Cloned-Master Connection

    Cloning the Certificate Manager Stop the master CA server by issuing the following command in that directory: ./stop-cert Go to the master CA’s server config directory: cd <serverRoot>/cert-<masterID>/config Edit the CMS.cfg file by adding the following line: ca.listenToCloneModifications=true Close and save the CMS.cfg file. Go to the master CA directory at the command line: cd <serverRoot>/cert-<masterID>...
  • Page 680: Additional Crl Scheduling Information

    Additional CRL Scheduling Information Download the certificate to the browser. Revoke the certificate. Check master CA’s CRL for the revoked certificate. To verify that the revoked certificate has been included in the master Certificate Manager’s CRL, go to the master Certificate Manager’s Agent Services interface.
  • Page 681: Cloned-Master Ca Conversion

    Cloned-Master CA Conversion Restart the master CA server by issuing the following command in that directory: ./start-cert Cloned-Master CA Conversion In the event that the user needs to convert an existing cloned CA into a new master CA (e.g., after a catastrophic failure of the existing master CA), one needs to first convert the existing offline master CA into a clone, and then convert one of the currently existing online cloned CAs into the new online master CA.
  • Page 682: Converting A Cloned Ca Into A Master Ca

    Converting a Cloned CA into a Master CA Open the CMS.cfg file for editing, and make the following changes: To disable control of the database maintenance thread, modify the following line if it exists by changing the value to "0" (adding the line in if it does not already exist): ca.certStatusUpdateInterval=0 To disable monitoring database replication changes, modify the following...
  • Page 683 Converting a Cloned CA into a Master CA Stop this online cloned CA server by issuing the following command in that directory: ./stop-cert Go to this cloned CA’s configuration directory at the command line: cd <serverRoot>/cert-<cloneID>/config Open the CMS.cfg file for editing, and make the following changes: Delete each line of configuration data from this cloned CA’s configuration file called which...
  • Page 684: Cloning The Online Certificate Status Manager

    Cloning the Online Certificate Status Manager To disable CRL generation requests redirection, remove the following two lines: master.ca.agent.host=<hostname> master.ca.agent.port=<port number> Close and save the CMS.cfg file. Go to this cloned CA’s directory at the command line: cd <serverRoot>/cert-<cloneID> Start the new master CA server by issuing the following command in that directory: ./start-cert Cloning the Online Certificate Status Manager...
  • Page 685: Preparing To Clone The Online Certificate Status Manager

    Cloning the Online Certificate Status Manager Figure 16-2 Cloned Online Certificate Status Manager Setup See “CMS OCSP Services” on page 168 for more information about OCSP services. Preparing to Clone the Online Certificate Status Manager Before you can create a clone of the Online Certificate Status Manager, you must make sure that the instance you are cloning has been properly installed and configured, since some of that configuration data is copied over to the new instance.
  • Page 686: Cloning The Ocsp Responder

    Cloning the Online Certificate Status Manager Make sure that you have already installed the agent certificate for the master Online Certificate Status Manager. See “Agent Certificates” on page 335 for more information about agent certificates. Also consider the following: OCSP’s signing key and certificate—You must use the master Online Certificate Status Manager’s signing key and certificate.
  • Page 687 Cloning the Online Certificate Status Manager From the Object menu in the Netscape Console, choose Create Instance Of, then choose Netscape Certificate Management System. Alternatively, you can right-click the Server Group node and choose Create Instance Of > Netscape Certificate Management System. The admin console asks you to provide a name for the new instance;...
  • Page 688 Cloning the Online Certificate Status Manager In the Master Database dialog, enter the hostname, port, and password for the Master Database of the CMS system. In the Local Consumer Database dialog, specify what type of database you are creating. Either select Create a local consumer database to create a new clone database local to the cloned Online Certificate Status Manager.
  • Page 689 Cloning the Online Certificate Status Manager In order for these fields to be populated properly, you have to have already copied over the appropriate certificates from the master CA. If you do not see certificates in the pull-down menus, follow the instructions in Step 2 above to copy the key and certificate database material over correctly.
  • Page 690: Testing The Ocsp Cloned-Master Connection

    Cloning the Online Certificate Status Manager Testing the OCSP Cloned-Master Connection Follow these steps to test whether your cloned-master OCSP setup is complete and functional. Set up OCSP Publishing in the master CA so that the CRL will be published to the master Online Certificate Status Manager.
  • Page 691: Converting A Cloned Ocsp Responder Into A Master Ocsp Responder

    Cloning the Online Certificate Status Manager Open the CMS.cfg file for editing, and add the following line (21600 is the default value for a cloned OCSP Responder. This value can be changed to any other non-zero number): ocsp.store.defStore.refreshInSec=21600 Close and save the CMS.cfg file. Converting a Cloned OCSP Responder into a Master OCSP Responder Having already converted the existing offline master OCSP Responder into an...
  • Page 692: Cloning The Data Recovery Manager

    Cloning the Data Recovery Manager Start the new master OCSP Responder server by issuing the following command in that directory: ./start-cert Cloning the Data Recovery Manager The process for setting up a DRM clone is very similar to that for setting up a cloned CA.
  • Page 693: Cloning The Drm

    Cloning the Data Recovery Manager DRM transport certificate—The transport certificate for the master and cloned DRMs must be the same. See “Configuring Key Archival and Recovery Process” on page 228. DRM storage certificate—The storage certificate for the master and cloned DRMs must be the same.
  • Page 694 Cloning the Data Recovery Manager Copy the master DRM’s Certificate and Key Database. Because you want the cloned Data Recovery Manager to own the same keys and certificates as that of the master Data Recovery Manager, you need to make the keys and certificates used by the master available to the Data Recovery Manager clone.
  • Page 695 Cloning the Data Recovery Manager kra-cert.db kra-key.db (if present) kra-mn.conf On the host machine of the clone, go to this directory: <server_root>/cert-<cloneID>/config/ Copy the configuration files from the master Data Recovery Manager to the clone. If the master Data Recovery Manager’s storage keys and certificates are stored in the hardware token, you do not need to copy the kra-key.db files.
  • Page 696 Cloning the Data Recovery Manager Be aware of the following as you designate the key number ranges and request numbers of the cloned Data Recovery Manager: DRM's key number range—On this screen, specify the lowest key number the DRM should assign for archives it creates in the "Starting key number" field.
  • Page 697 Cloning the Data Recovery Manager In order for these fields to be populated properly, you have to have already copied over the appropriate certificates from the master DRM. If you do not see certificates in the pull-down menus, follow the instructions in Steps 4 and 5 above to copy the key and certificate database material and configuration files over correctly.
  • Page 698: Testing The Drm Cloned-Master Connection

    Cloning the Data Recovery Manager Testing the DRM Cloned-Master Connection Follow these steps to test whether your cloned-master DRM setup is complete and functional. Go to the DRM agent page. Click List Requests. Select "Show all requests" from the pull-down menu for Request type. Select "Show all requests"...
  • Page 699: Security Requirements For The It Environment

    Appendix A Common Criteria Environment: Security Requirements The text in this document is copied directly from the ST (Security Target). Security Requirements for the IT Environment This chapter specifies the security functional requirements that are applicable to the IT environment. Table A-1 IT Environment Functional Security Requirements Security Functional Class...
  • Page 700: Security Audit (Fau)

    Security Requirements for the IT Environment Table A-1 IT Environment Functional Security Requirements (Security Functional Class / Security Functional Components): FDP_ITT.1 Basic internal transfer protection (iterations 1 and 2); FDP_UCT.1 Basic data exchange confidentiality (iteration 1). Identification and authentication (FIA): FIA_AFL.1 Authentication failure handling; FIA_ATD.1 User attribute definition; FIA_UAU.1 Timing of authentication (iteration 1)
  • Page 701 Security Requirements for the IT Environment FAU_GEN.1.1 The IT environment shall be able to generate an audit record of the following auditable events: Start-up and shutdown of the audit functions; All auditable events for the minimum level of audit; and The events listed in Table 2 below.
  • Page 702 Security Requirements for the IT Environment Table A-2 Auditable Events and Audit Data (Section/Function / Component / Event / Additional Details): An Administrator changes the type of authenticator, e.g., from password to biometrics. Account Administration: Roles and users are added or deleted; The access control privileges of a user account or a role are modified. FAU_GEN.2 User identity association (iteration 1)
  • Page 703: Cryptographic Support (Fcs)

    Security Requirements for the IT Environment FAU_SEL.1.1 The IT environment shall be able to include or exclude auditable events from the set of audited events based on the following attributes: [event type]. FAU_STG.1 Protected audit trail storage (iteration 1) FAU_STG.1.1 The IT environment shall protect the stored audit records from unauthorized deletion.
  • Page 704: Identification And Authentication (Fia)

    Security Requirements for the IT Environment FDP_ACF.1 Security attribute based access control (iteration 1) FDP_ACF.1.1 The IT environment shall enforce the CIMC IT Environment Access Control Policy specified in “CIMC TOE Access Control Policy,” on page 709 to objects based on the identity of the subject and the set of roles that the subject is authorized to assume.
  • Page 705: Security Management (Fmt)

    Security Requirements for the IT Environment FIA_AFL.1.1 If authentication is not performed in a cryptographic module that has been FIPS 140-1 validated to an overall Level of 2 or higher with Level 3 or higher for Roles and Services, the IT environment shall detect when an Administrator configurable maximum authentication attempts unsuccessful authentication attempts have occurred since the last successful authentication for the indicated user identity.
  • Page 706 Security Requirements for the IT Environment FMT_MOF.1.1 The IT environment shall restrict the ability to modify the behavior of the functions listed in Table 4 to the authorized roles as specified in Table A-4. Table A-4 Authorized Roles for Management of Security Functions Behavior (Section/Function / Function/Authorized Role)...
  • Page 707: Protection Of The Tsf (Fpt)

    Security Requirements for the IT Environment FMT_MTD.1.1 The IT environment shall restrict the ability to view (read) or delete the audit logs to Auditors. FMT_SMR.2 Restrictions on security roles FMT_SMR.2.1 The IT environment shall maintain the roles: Administrator, Auditor, and Officer. FMT_SMR.2.2 The IT environment shall be able to associate users with roles.
  • Page 708 Security Requirements for the IT Environment FPT_ITT.1 Basic internal TSF data transfer protection (iteration 1) FPT_ITT.1.1 The IT environment shall protect security-relevant IT environment data from modification when it is transmitted between separate parts of the IT environment. FPT_ITT.1 Basic internal TSF data transfer protection (iteration 2) FPT_ITT.1.1 The IT environment shall protect confidential IT environment data from disclosure when it is transmitted between separate parts of the IT...
  • Page 709: Trusted Path/Channels (Ftp)

    Security Requirements for the IT Environment FPT_TST_CIMC.3 Software/firmware load test FPT_TST_CIMC.3.1 A cryptographic mechanism using a FIPS-approved or recommended authentication technique (e.g., an authentication code, keyed hash, or digital signature algorithm) shall be applied to all security-relevant software and firmware that can be externally loaded into the CIMC. FPT_TST_CIMC.3.2 The IT environment shall verify the authentication code, keyed hash, or digital signature whenever the software or firmware is externally...
  • Page 710 Security Requirements for the IT Environment Content of the access request, and Possession of a secret or private key, if required. Subject identification includes: • Individuals with different access authorizations • Roles with different access authorizations • Individuals assigned to one or more roles with different access authorizations Access type, with explicit allow or deny: •...
  • Page 711: Pki Overview

    Appendix B Common Criteria Environment: Setup and Operations This chapter provides information about the configuration used to set up Netscape Certificate Management System (CMS) in the Common Criteria Environment. For an overview of PKI, see Appendix J, “Introduction to Public-Key Cryptography.” This chapter contains the following sections: •...
  • Page 712: Toe Security Environment Assumptions

    TOE Security Environment Assumptions For information about the TOE Security Environment, see Appendix E, “Common Criteria Environment: TOE Security Environment Assumptions”. Security Requirements for the IT Environment The security requirements for the IT environment are detailed in Appendix A, “Common Criteria Environment: Security Requirements.”...
  • Page 713: Password And Certificate Storage

    IT Environment Assumptions Password and Certificate Storage Plan for the storage of any passwords and certificates. Also plan your user password policy. Make sure everyone knows and adheres to these policies. Hardware Token This environment requires a FIPS 140-1 level 3 certified hardware cryptographic module.
  • Page 714: Supported Operating Systems

    Note: CMS does not store user secret keys, and it does not support the export of component (subsystem) private or secret keys. Supported Operating Systems CMS runs on the Solaris 2.8 and RedHat Advanced Server 2.1 operating systems. Supported Browsers The browsers that are supported in the Common Criteria Environment are Netscape 4.79, Netscape 6.2, and Netscape 7.x.
  • Page 715 CMS Privileged Users and Groups (Roles) Can approve fields/extensions (to be included in a certificate) of certificate profiles that have been enabled and configured by the Administrator (via SSL-capable browsers to the CA Agent interface). Can run tools (CMCEnroll and CMCRevoke) to pre-approve certificate enrollment and revocation requests.
  • Page 716 CMS Privileged Users and Groups (Roles) Can approve fields/extensions (to be included in a certificate) of certificate profiles that have been enabled and configured by the Administrator (via SSL-capable browsers to the RA Agent interface). • Auditors Can view signed audit logs (from the IT environment). This is the only role allowed this privilege.
  • Page 717: Ocsp

    CMS Privileged Users and Groups (Roles) communicate with the DRM securely, the DRM administrator creates a CA user in the DRM with the Trusted Manager role. All communications between the CA and DRM are then made through this special user with the CA’s certificate over SSL client-authentication and Trusted Manager role authorization.
  • Page 718: Cms Common Criteria Environment Setup And Installation Guide

    CMS Common Criteria Environment Setup and Installation Guide • Administrator The Administrator role is divided into finer-grained sub-roles, each bearing different responsibilities: Administrators for the CA, RA, DRM, and OCSP subsystems • Officer Certificate Manager Agents, Data Recovery Manager Agents, Registration Manager Agents, Online Certificate Status Manager Agents •...
  • Page 721: Appendix C Understanding The Common Criteria Evaluated Cms Setup

    Appendix C Understanding the Common Criteria Evaluated CMS Setup This document describes at a high level the steps for setup, installation, and configuration of the Netscape Certificate Management System (CMS) in an IT environment of the kind described in “IT Environment Assumptions” on page 712. It gives administrators an idea of what's ahead before starting them on the exact setup steps involved in installation and setup.
  • Page 722: Cms Roles Assignment

    Understanding the Common Criteria Environment Operating System Environment Because CMS relies on the IT environment to provide the basic operating system file system security, inter-process communication, and process space protection, it is highly recommended that you install and run CMS on an operating system certified at a Common Criteria assurance level no less than the level of CMS itself.
  • Page 723: Understanding Cms Installation

    Understanding CMS Installation When you begin installation, you will be instructed to create a special user ID, which you will then use to log in to the Operating System when you install CMS. This user ID will be the effective user ID of the CMS server itself during runtime. You will then need to create groups for the auditor and administrator roles, which you must then assign to the actual user IDs for the CMS administrators and CMS auditor users on the operating system.
  • Page 724: Ssl Client Authentication With The Internal Database

    Understanding CMS Installation SSL Client Authentication with the Internal Database In the Common Criteria Environment, the internal LDAP database used by the subsystem must be set up for SSL client authentication. You will be instructed on how to set this up when you follow instructions in the document CMS Common Criteria Setup Procedure.
  • Page 725: Common Criteria Deployment Scenarios

    Common Criteria Deployment Scenarios As long as the subsystems you install are installed and configured following the Common Criteria Environment rules and guidelines contained in this chapter, you can deploy CMS in any deployment scenario you wish. You can set up a root CA, for example, a CA subordinate to a CMS CA, a CA subordinate to a public third-party CA, or have any number of CAs in vertical or horizontal chains as long as they follow the constraints contained in the CA signing certificate.
  • Page 726: Understanding Subsystem Setup

    Understanding Subsystem Setup • Adding a custom plug-in, which in essence breaks the Common Criteria assurance. If adding custom plug-ins is inevitable, it is the responsibility of all role users to carefully evaluate these plug-ins before making them part of the system.
  • Page 727: Audit Logs

    Understanding Subsystem Setup You can also configure new groups and assign them privileges other than the default privileges assigned to the default groups, thus creating new roles in the subsystem. You do this by creating a group and then setting up ACIs for this group in the ACLs pertinent to the privileges you want to define for this group.
  • Page 728: Certificate Policies

    Understanding Subsystem Setup Certificate Policies The non-profiles policy feature is not part of the Common Criteria Environment. All enrollments are set up using the certificate profiles feature. Authentication In the Common Criteria Environment, you can enable and configure the agent-approved authentication method or any of the authentication plug-ins in conjunction with a certificate profile.
  • Page 729: Publishing

    Understanding Subsystem Setup Notifications Automated email notifications are event-driven tasks that send out an email via SMTP when a specified event occurs. You can set up any of the available Notification plug-ins in the Common Criteria Environment. Custom plug-ins for the Notification feature are not part of the Common Criteria Environment, however.
  • Page 730: Key Archival And Recovery

    Common Criteria Environment Setup Procedures The first scenario involves setting up a user in the Certificate Manager for the Registration Manager. This user is assigned to the trusted managers group, and its certificate is stored in the database for the Certificate Manager. You can then set up the Registration Manager to communicate with the Certificate Manager.
  • Page 731: Appendix D Common Criteria Environment: Security Objectives

    Appendix D Common Criteria Environment: Security Objectives The text in this document is copied directly from the ST (Security Target). This section includes the security objectives including security objectives for the TOE, security objectives for the environment, and security objectives for both the TOE and environment.
  • Page 732: System

    1.2 Security Objectives for the Environment 1.1.2 System O. Preservation/trusted recovery of secure state Preserve the secure state of the system in the event of a secure component failure and/or recover to a secure state. Sufficient backup storage and effective restoration Provide sufficient backup storage and effective restoration to ensure that the system can be recreated.
  • Page 733: Non-It Security Objectives For The Environment

    1.2 Security Objectives for the Environment 1.2.1 Non-IT security objectives for the environment O. Administrators, Operators, Officers and Auditors guidance documentation Deter Administrator, Operator, Officer or Auditor errors by providing adequate documentation on securely configuring and operating the CIMC. O. Auditors Review Audit Logs Identify and monitor security-relevant events by requiring auditors to review audit logs at a frequency sufficient to address the level of risk.
  • Page 734 1.2 Security Objectives for the Environment O. Installation Those responsible for the TOE must ensure that the TOE is delivered, installed, managed, and operated in a manner which maintains IT security. O. Malicious Code Not Signed Protect the TOE from malicious code by ensuring all code is signed by a trusted entity prior to loading it into the system.
  • Page 735: It Security Objectives For The Environment

    1.3 Security Objectives for both the TOE and the Environment 1.2.2 IT security objectives for the environment O. Cryptographic functions The TOE must implement approved cryptographic algorithms for encryption/decryption, authentication, and signature generation/verification; approved key generation techniques and use validated cryptographic modules. (Validated is defined as FIPS 140-1 validated.) O.
  • Page 736 1.3 Security Objectives for both the TOE and the Environment O. Configuration Management Implement a configuration management plan. Implement configuration management to assure identification of system connectivity (software, hardware, and firmware), and components (software, hardware, and firmware), auditing of configuration data, and controlling changes to configuration items. O.
  • Page 737 1.3 Security Objectives for both the TOE and the Environment O. Object and data recovery free from malicious code Recover to a viable state after malicious code is introduced and damage occurs. That state must be free from the original malicious code. O.
  • Page 738 1.3 Security Objectives for both the TOE and the Environment O. React to detected attacks Implement automated notification (or other responses) to the TSF-discovered attacks in an effort to identify attacks and to create an attack deterrent...
  • Page 739: Appendix E Common Criteria Environment: Toe Security Environment Assumptions

    Appendix E Common Criteria Environment: TOE Security Environment Assumptions The text in this document is copied directly from the ST (Security Target). This section includes the following: • 1.1 Secure Usage Assumptions • 1.2 Threats • 1.3 Organization Security Policies 1.1 Secure Usage Assumptions The usage assumptions are organized in three categories: personnel (assumptions...
  • Page 740 1.1 Secure Usage Assumptions A. Authentication Data Management An authentication data management policy is enforced to ensure that users change their authentication data at appropriate intervals and to appropriate values (e.g., proper lengths, histories, variations, etc.) (Note: this assumption is not applicable to biometric authentication data.) A.
  • Page 741: Physical Assumptions

    1.2 Threats 1.1.2 Physical Assumptions A. Communications Protection The system is adequately physically protected against loss of communications, i.e., availability of communications. A. Physical Protection The TOE hardware, software, and firmware critical to security policy enforcement will be protected from unauthorized physical modification. 1.1.3 Connectivity Assumptions A.
  • Page 742: Cryptography

    1.2 Threats T. User error makes data inaccessible User accidentally deletes user data, rendering user data inaccessible. T. Administrators, Operators, Officers and Auditors commit errors or hostile actions An Administrator, Operator, Officer or Auditor commits errors that change the intended security policy of the system or application, or maliciously modifies the system’s configuration to allow security violations to occur.
  • Page 743: External Attacks

    1.3 Organization Security Policies T. Modification of private/secret keys A secret/private key is modified. T. Sender denies sending information The sender of a message denies sending the message to avoid accountability for sending the message and for subsequent action or inaction. 1.2.4 External Attacks T.
  • Page 744 1.3 Organization Security Policies
  • Page 745: Data Formats

    Appendix F Certificate Download Specification This appendix describes the data formats used by Netscape Communicator 4.x for installing certificates. It also describes how certificates are imported into different environments. This appendix contains the following sections: • “Data Formats,” on page 745 •...
  • Page 746: Text Formats

    Data Formats • PKCS #7 certificate chain This is a PKCS #7 object. The only significant field in the SignedData object is the certificates. In particular, the signature and the SignedData contents are ignored. In future versions of the software, the CRLs will also be used.
  • Page 747: Importing Certificate Chains

    Importing Certificate Chains Several of the supported formats can contain multiple certificates. When the Netscape certificate decoder encounters a collection of certificates, it handles them as follows: • The first certificate is processed in a context-specific manner, which varies according to how it is being imported.
  • Page 748: Importing Certificates Into Netscape Servers

    Importing Certificates into Netscape Servers If a certificate chain is being imported, the first certificate in the chain must be the CA certificate, and Communicator adds any subsequent certificates in the chain to the local database as untrusted CA certificates. •...
  • Page 749 Object Identifiers netscape-data-type OBJECT IDENTIFIER ::= { netscape 2 } netscape-cert-sequence OBJECT IDENTIFIER ::= { netscape-data-type 5 Appendix F Certificate Download Specification...
  • Page 750 Object Identifiers
  • Page 751: Introduction To Certificate Extensions

    Appendix G Certificate and CRL Extensions This appendix explains both the standard certificate extensions defined by X.509 v3 and the extensions defined by Netscape that were used in versions of products released before X.509 v3 was finalized. It also provides recommendations for extensions to use with specific kinds of certificates, including both PKIX Part 1 recommendations and Netscape extensions that must be supported for compatibility with early versions of Netscape products.
  • Page 752 Introduction to Certificate Extensions • Trust— The X.500 specification establishes trust by means of a strict directory hierarchy. By contrast, Internet and extranet deployments frequently involve distributed trust models that do not conform to the hierarchical X.500 approach. • Certificate use—Some organizations may wish to restrict the use of certificates for policy reasons.
  • Page 753: Structure Of Certificate Extensions

    Introduction to Certificate Extensions Before the X.509 v3 standard was finalized, Netscape and other companies had to address some of the most pressing issues listed above with their own extension definitions. For example, Netscape applications (Netscape Navigator 3.0 or higher, and Enterprise Server 2.01 or higher) support an extension known as Netscape Certificate Type Extension that specifies the type of certificate issued, such as client, server, or object signing.
  • Page 754 Introduction to Certificate Extensions This identifier uniquely identifies the extension. It also determines the ASN.1 type of value in the value field and how the value is interpreted. That is, when an extension appears in a certificate, the OID appears as the extension ID field (extnID) and the corresponding ASN.1 encoded structure appears as the value of the octet string (...
  • Page 755: Sample Certificate Extensions

    Introduction to Certificate Extensions Sample Certificate Extensions The following is an example of the section of a certificate containing X.509 v3 extensions. (CMS can display certificates in human-readable format, as shown here.) As shown in the example, certificate extensions appear in sequence and only one instance of a particular extension may appear in a particular certificate;...
  • Page 756 Introduction to Certificate Extensions Secure Email CA ObjectSigning CA Identifier: Basic Constraints - 2.5.29.19 Critical: yes Is CA: yes Path Length Constraint: UNLIMITED Identifier: Subject Key Identifier - 2.5.29.14 Critical: no Key Identifier: 3B:46:83:85:27:BC:F5:9D:8E:63:E3:BE:79:EF:AF:79: 9C:37:85:84 Identifier: Authority Key Identifier - 2.5.29.35 Critical: no Key Identifier: 3B:46:83:85:27:BC:F5:9D:8E:63:E3:BE:79:EF:AF:79:...
  • Page 757: Standard X.509 V3 Certificate Extensions

    Standard X.509 v3 Certificate Extensions This section summarizes the extension types that are defined as part of the Internet X.509 Version 3 standard, as of September 1998, and indicates which types are recommended by the PKIX working group. This section summarizes important information about each certificate.
  • Page 758 Standard X.509 v3 Certificate Extensions PKIX Part 1 defines one accessMethod (id-ad-caIssuers) to get a list of CAs that have issued certificates higher in the CA chain than the issuer of the certificate using the extension. The accessLocation field then typically contains a URL indicating the location and protocol (LDAP, HTTP, FTP) used to retrieve the list.
  • Page 759 Standard X.509 v3 Certificate Extensions by matching the SubjectName and CertificateSerialNumber fields in the issuer’s certificate against the authorityCertIssuer and authorityCertSerialNumber in the AuthorityKeyIdentifier extension of the subject certificate. CMS Version Support Supported since CMS 4.1. Refer to “AuthorityKeyIdentifierExt” on page 511. Note that CMS does not use or support the authorityCertSerialNumber field in...
  • Page 760 Standard X.509 v3 Certificate Extensions Criticality This extension may be critical or noncritical. Discussion The Certificate Policies extension defines one or more policies, each of which consists of an OID and optional qualifiers. The extension can include a URI to the issuer’s Certificate Practice Statement or can embed issuer policy information, such as a user notice in text form.
  • Page 761 Standard X.509 v3 Certificate Extensions extKeyUsage 2.5.29.37 Criticality If this extension is marked critical, the certificate must be used for one of the indicated purposes only. If it is not marked critical, it is treated as an advisory field that may be used to identify keys but does not restrict the use of the certificate to the indicated purposes.
  • Page 762 Standard X.509 v3 Certificate Extensions * OCSP Signing is not defined in PKIX Part 1, but in RFC 2560, “X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP.” Table G-2 Private Extended Key Usage Extension Uses: Certificate trust list signing 1.3.6.1.4.1.311.10.3.1; Microsoft Server Gated 1.3.6.1.4.1.311.10.3.3...
  • Page 763 Standard X.509 v3 Certificate Extensions Discussion The Key Usage extension defines the purpose of the key contained in the certificate. The Key Usage, Extended Key Usage, Basic Constraints, and Netscape Certificate Type extensions act together to specify the purposes for which a certificate can be used.
  • Page 764 Standard X.509 v3 Certificate Extensions Table G-3 Certificate uses and corresponding Key Usage bits (Continued) Purpose of certificate Required Key Usage bit S/MIME Encryption keyEncipherment Certificate Signing keyCertSign Object Signing digitalSignature If the keyUsage extension is present and is marked critical, then it will be used to enforce the usage of the certificate and key.
  • Page 765 Standard X.509 v3 Certificate Extensions Criticality This extension should be noncritical. Discussion The extension is meant to be included in an OCSP responder’s signing certificate. The extension tells an OCSP client that the signing certificate can be trusted without querying the OCSP responder (since the reply would again be signed by the OCSP responder, and the client would again request the validity status of the signing certificate).
  • Page 766 Standard X.509 v3 Certificate Extensions Criticality This extension must be noncritical. Discussion The Policy Mappings extension is used in CA certificates only. It lists one or more pairs of OIDs used to indicate that the corresponding policies of one CA are equivalent to policies of another CA.
  • Page 767 Standard X.509 v3 Certificate Extensions PKIX requires this extension for entities that are identified by name forms other than the X.500 distinguished name (DN) used in the subject field. PKIX Part 1 describes additional rules for the relationship between this extension and the subject field.
  • Page 768: Introduction To Crl Extensions

    Introduction to CRL Extensions Discussion The Subject Key Identifier extension identifies the public key certified by this certificate. This extension provides a way of distinguishing public keys if more than one is available for a given subject name, for example after the certificate has been renewed with a new key.
  • Page 769: Structure Of Crl Extensions

    Introduction to CRL Extensions The standard also suggests that you can define your own extensions and include them in CRLs you issue. These extensions are called private, proprietary, or custom CRL extensions and they carry information unique to your organization or business.
  • Page 770: Sample Crl And Crl Entry Extensions

    Introduction to CRL Extensions Typically, the application receiving the CRL checks the extension ID to determine if it can recognize the ID. If it can, it uses the extension ID to determine the type of value used. Sample CRL and CRL Entry Extensions The following is an example of the section of a CRL containing X.509 v2 extensions.
  • Page 771: Standard X.509 V3 Crl Extensions

    Standard X.509 v3 CRL Extensions Serial Number: 0xA Revocation Date: Wednesday, November 25, 1998 5:11:18 AM Extensions: Identifier: Revocation Reason - 2.5.29.21 Critical: no Reason: Affiliation_Changed Standard X.509 v3 CRL Extensions In addition to certificate extensions, the X.509 v3 proposed standard defines extensions to CRLs, which provide methods for associating additional attributes with Internet CRLs.
  • Page 772 Standard X.509 v3 CRL Extensions Discussion The Authority Key Identifier extension for a CRL identifies the public key corresponding to the private key used to sign the CRL. For details, see the discussion under certificate extensions at authorityKeyIdentifier. CMS Version Support Supported since CMS 4.2.
  • Page 773 Standard X.509 v3 CRL Extensions FreshestCRL 2.5.29.27 Criticality PKIX requires that this extension must be non-critical. Discussion The freshest CRL extension identifies how delta CRL information is obtained. The FreshestCRL extension is placed in the full CRL to indicate where to find the latest delta CRL.
  • Page 774: Crl Entry Extensions

    Standard X.509 v3 CRL Extensions CMS Version Support Supported since CMS 4.2. Refer to “IssuingDistributionPoint” on page 612. CRL Entry Extensions The sections that follow list the CRL entry extension types that are defined as part of the Internet X.509 v3 Public Key Infrastructure proposed standard, as of September 1998.
  • Page 775: Netscape-Defined Certificate Extensions

    Netscape-Defined Certificate Extensions CMS Version Support Supported since CMS 4.2. Refer to “InvalidityDate” on page 610. reasonCode 2.5.29.21 Discussion The Reason Code extension identifies the reason for certificate revocation. CMS Version Support Supported since CMS 4.2. Refer to “CRLReason” on page 607. Netscape-Defined Certificate Extensions Netscape has defined certain certificate extensions for use with Navigator and Communicator.
  • Page 776: Ca Certificates And Extension Interactions

    CA Certificates and Extension Interactions If the extension exists in a certificate, it limits the certificate to the uses specified in it. If the extension is not present, the certificate can be used for all applications except object signing. The value is a bit-string, where the individual bit positions, when set, certify the certificate for particular uses as follows: •...
  • Page 777 CA Certificates and Extension Interactions Extensions Present / Description: basicConstraints only: The certificate is a CA certificate if the cA component is true. Path length processing is done as described above. Netscape Certificate Type only: The certificate is a CA if at least one of the CA bits is set: SSL CA (5), S/MIME CA (6), or object-signing CA (7).
  • Page 778 CA Certificates and Extension Interactions • If CAs ever intend to generate new keys for their CA, they must add the authorityKeyIdentifier extension to all subject certificates. If the key ID is anything other than the SHA-1 hash of the CA certificate’s subjectPublicKeyInfo field, then the CA certificate should contain the Subject Key Identifier extension.
  • Page 779: Appendix H Object Identifiers

    Appendix H Object Identifiers Netscape Certificate Management System (CMS) comes with a set of extension-specific policy plug-in modules that enable you to add X.509 certificate extensions to the certificates the server issues. Some of the extensions contain fields for specifying object identifiers. This appendix explains what an object identifier (OID) is and the significance of registering it.
  • Page 780 Registration of Object Identifiers a certificate practice statement (CPS) of your company. To implement this, you need to compose the policy statement you want to include in the extension, define an OID for the policy statement, and configure Certificate Management System with the OID so that it can add that to the certificate it issues.
  • Page 781: What Is A Distinguished Name

    Appendix I Distinguished Names This appendix explains what a distinguished name is and how Netscape Certificate Management System (CMS) uses distinguished names to automatically update certificate information in your corporate LDAP directory. This appendix contains the following sections: • “What Is a Distinguished Name?,” on page 781 •...
  • Page 782: Distinguished Name Components

    What Is a Distinguished Name? Distinguished Name Components A DN identifies an entry in an LDAP directory. Because directories are hierarchical, DNs identify the entry by its location as a path in a hierarchical tree (much as a path in a file system identifies a file). Generally, a DN begins with a specific common name, and proceeds with increasingly broader areas of identification until the country name is specified.
  • Page 783 What Is a Distinguished Name? Table I-1 Definitions of standard DN components (Continued) Component Name Definition Locality Identifies the place where the entry resides. The locality can be a city, county, township, or other geographic region. For example: • L=Mountain View •...
  • Page 784: Dns In Certificate Management System

    DNs in Certificate Management System Typically, an LDAP search consists of the following components: • The base DN—for example, O=example.com, C=US, which initiates a subtree search through all entries below this entry in the directory (in other words, all entries with the suffix O=example.com, C=US...
  • Page 785 DNs in Certificate Management System Table I-2 Allowed characters for value types (Continued), columns Attribute / Value type / Object identifier: Printable String of length 2 / 2.5.4.6; Directory String / 2.5.4.7; Directory String / 2.5.4.8; STREET / Directory String / 2.5.4.9; TITLE / Directory String / 2.5.4.12; Directory String / 0.9.2342.19200300.100.1.1; MAIL / IA5String...
  • Page 786: Extending Attribute Support

    DNs in Certificate Management System Table I-3 Explanation of character sets for DNs (Continued) Value type Character set allowed Directory String Any character in format as specified in Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names (see http://www.ietf.org/rfc/rfc2253.txt).
  • Page 787 DNs in Certificate Management System • Value converter class converts a string to an ASN.1 value. • It must implement the netscape.security.x509.AVAValueConverter interface. The string-to-value converter class can be one of these: • netscape.security.x509.PrintableConverter—converts a string to a Printable String value. The string must have only printable characters. •...
  • Page 788 DNs in Certificate Management System IA5StringConverter X500Name.attr.MYATTR3.oid=111.222.333.444.555.666 X500Name.attr.MYATTR3.class=netscape.security.x509.PrintableConverter Save your changes and close the file. Next, add each new attribute or component (for example, MYATTR1, MYATTR2, and MYATTR3) to the enrollment form. For instructions, see “Adding Attributes to an Enrollment Form” on page 788. Restart the Certificate Manager.
  • Page 789 DNs in Certificate Management System <tr> <td valign="TOP"> <div align="RIGHT"> <font face="PrimaSans BT, Verdana, Arial, Helvetica, sans-serif" size="-1">Organization unit: </font> </div> </td> <td valign="TOP"> <input type="TEXT" name="OU" size="30" onchange="formulateDN(this.form, this.form.subject)"> </td> </tr> <tr> <td valign="TOP"> <div align="RIGHT"> <font face="PrimaSans BT, Verdana, Arial, Helvetica, sans-serif"...
  • Page 790 DNs in Certificate Management System distinguishedName.value += 'OU=' + escapeDNComponent(OU.value); if (form.DC != null) { if (DC.value != '') { if (doubleQuotes(DC.value) == true) { alert('Double quotes are not allowed in DC field'); DC.value = ''; DC.focus(); return; } if (distinguishedName.value != '') distinguishedName.value += ', ';...
  • Page 791: Role Of Distinguished Names In Certificates

    DNs in Certificate Management System To change the DirectoryString encoding: Stop the Certificate Manager. Go to this directory: <server_root>/cert-<instance_id>/config Open the configuration file, CMS.cfg, in a text editor. Add the encoding order to the configuration file. For example, if you want to specify two encoding values, PrintableString, and the encoding order is first and...
  • Page 792 DNs in Certificate Management System DNs in End-Entity Certificates In end-entity certificates issued by Certificate Management System, DNs are used to identify the end entity that owns the certified key pair. The end entity is one of the following: • The individual who owns the certified key pair (for personal or client certificates—to form this type of DN, use the component to specify the...
  • Page 793 DNs in Certificate Management System For example: CN=Example Corporation Certificate Authority, O=Example Corporation, C=US DN Patterns and Certificate Subject Names You can configure Certificate Management System to issue certificates with subject names that are formulated from the directory attributes and entry DN. The dnpattern configuration variable of the automated-enrollment modules enables you to configure the server to issue certificates with required subject names.
  • Page 794 DNs in Certificate Management System Example 2 If the configured DN pattern is E=$attr.mail.1, CN=$attr.cn, OU=$dn.ou.2, O=$dn.o, C=US LDAP entry: dn: UID=jdoe, OU=IS+OU=people, O=example.com LDAP attributes: cn: Jane Doe; mail: jdoe@example.com The subject name formulated will be as follows: E=jdoe@example.com, CN=Jane Doe, OU=people, O=example.com, C=US the first ‘...
  • Page 795 DNs in Certificate Management System the (first) ‘ ’ LDAP attribute value in the user’s entry. the second ‘ ’ value in the user’s entry DN followed by the first ‘ ’ value in the user’s entry; note the multiple AVAs in a RDN in this example. the (first) ‘...
  • Page 796 DNs in Certificate Management System
  • Page 797: Internet Security Issues

    Appendix J Introduction to Public-Key Cryptography Public-key cryptography and related standards and techniques underlie security features of many Netscape products, including signed and encrypted email, form signing, object signing, single sign-on, and the Secure Sockets Layer (SSL) protocol. This document introduces the basic concepts of public-key cryptography. •...
  • Page 798 Internet Security Issues The great flexibility of TCP/IP has led to its worldwide acceptance as the basic Internet and intranet communications protocol. At the same time, the fact that TCP/IP allows information to pass through intermediate computers makes it possible for a third party to interfere with communications in the following ways: •...
  • Page 799: Encryption And Decryption

    Encryption and Decryption • Authentication allows the recipient of information to determine its origin—that is, to confirm the sender’s identity. • Nonrepudiation prevents the sender of information from claiming at a later date that the information was never sent. The sections that follow introduce the concepts of public-key cryptography that underlie these capabilities.
  • Page 800: Symmetric-Key Encryption

    Encryption and Decryption Symmetric-Key Encryption With symmetric-key encryption, the encryption key can be calculated from the decryption key and vice versa. With most symmetric algorithms, the same key is used for both encryption and decryption, as shown in Figure J-1. Figure J-1 Symmetric-Key Encryption Implementations of symmetric-key encryption can be highly efficient, so that users...
  • Page 801: Public-Key Encryption

    Encryption and Decryption Public-Key Encryption The most commonly used implementations of public-key encryption are based on algorithms patented by RSA Data Security. Therefore, this section describes the RSA approach to public-key encryption. Public-key encryption (also called asymmetric encryption) involves a pair of keys—a public key and a private key—associated with an entity that needs to authenticate its identity electronically or to sign or encrypt data.
  • Page 802: Key Length And Encryption Strength

    Encryption and Decryption cryptography. Client software such as Communicator can then use your public key to confirm that the message was signed with your private key and that it hasn’t been tampered with since being signed. “Digital Signatures” (beginning on page 803) and subsequent sections describe how this confirmation process works.
  • Page 803: Digital Signatures

    Digital Signatures Encryption and decryption address the problem of eavesdropping, one of the three Internet security issues mentioned at the beginning of this document. But encryption and decryption, by themselves, do not address the other two problems mentioned in “Internet Security Issues” (beginning on page 797): tampering and impersonation.
  • Page 804: Certificates And Authentication

    Certificates and Authentication Figure J-3 shows two items transferred to the recipient of some signed data: the original data and the digital signature, which is basically a one-way hash (of the original data) that has been encrypted with the signer’s private key. To validate the integrity of the data, the receiving software first uses the signer’s public key to decrypt the hash.
  • Page 805: A Certificate Identifies Someone Or Something

    Certificates and Authentication A Certificate Identifies Someone or Something A certificate is an electronic document used to identify an individual, a server, a company, or some other entity and to associate that identity with a public key. Like a driver’s license, a passport, or other commonly used personal IDs, a certificate provides generally recognized proof of a person’s identity.
  • Page 806: Authentication Confirms An Identity

    Certificates and Authentication Authentication Confirms an Identity Authentication is the process of confirming an identity. In the context of network interactions, authentication involves the confident identification of one party by another party. Authentication over networks can take many forms. Certificates are one way of supporting authentication.
  • Page 807 Certificates and Authentication Password-Based Authentication Figure J-4 shows the basic steps involved in authenticating a client by means of a name and password. Figure J-4 assumes the following: • The user has already decided to trust the server, either without authentication or on the basis of server authentication via SSL.
  • Page 808 Certificates and Authentication As shown in the next section, one of the advantages of certificate-based authentication is that it can be used to replace the first three steps in Figure J-4 with a mechanism that allows the user to supply just one password (which is not sent across the network) and allows the administrator to control user authentication centrally.
  • Page 809 Certificates and Authentication assumptions are true only if unauthorized personnel have not gained access to the user’s machine or password, the password for the client software’s private key database has been set, and the software is set up to request the password at reasonably frequent intervals.
  • Page 810: How Certificates Are Used

    Certificates and Authentication evaluation process can employ a variety of standard authorization mechanisms, potentially using additional information in an LDAP directory, company databases, and so on. If the result of the evaluation is positive, the server allows the client to access the requested resource. As you can see by comparing Figure J-5 to Figure J-4, certificates replace the authentication portion of the interaction between the client and the server.
  • Page 811 Certificates and Authentication • Server SSL certificates. Used to identify servers to clients via SSL (server authentication). Server authentication may be used with or without client authentication. Server authentication is a requirement for an encrypted SSL session. For more information, see “SSL Protocol” on page 812. Example: Internet sites that engage in electronic commerce (commonly known as e-commerce) usually support certificate-based server authentication, at a minimum, to establish an encrypted SSL session and to assure customers that...
  • Page 812 Certificates and Authentication SSL Protocol The Secure Sockets Layer (SSL) protocol is a set of rules governing server authentication, client authentication, and encrypted communication between servers and clients. SSL is widely used on the Internet, especially for interactions that involve exchanging confidential information such as credit card numbers. SSL requires a server SSL certificate, at a minimum.
  • Page 813 Certificates and Authentication known as nonrepudiation. In other words, signed email makes it very difficult for the sender to deny having sent the message. This is important for many forms of business communication. (For information about the way digital signatures work, see “Digital Signatures,”...
  • Page 814 Certificates and Authentication keeping track of different passwords, tend to choose poor ones, and tend to write them down in obvious places. Administrators must keep track of a separate password database on each server and deal with potential security problems related to the fact that passwords are sent over the network routinely and frequently.
  • Page 815 Certificates and Authentication The “objects” signed with object signing technology can be applets or other Java code, JavaScript scripts, plug-ins, or any kind of file. The “signature” is a digital signature. Signed objects and their signatures are typically stored in a special file called a JAR file.
  • Page 816 Certificates and Authentication DNs may include a variety of other name-value pairs. They are used to identify both certificate subjects and entries in directories that support the Lightweight Directory Access Protocol (LDAP). The rules governing the construction of DNs can be quite complex and are beyond the scope of this document.
  • Page 817 Certificates and Authentication Here are the data and signature sections of a certificate in human-readable format: Certificate: Data: Version: v3 (0x2) Serial Number: 3 (0x3) Signature Algorithm: PKCS #1 MD5 With RSA Encryption Issuer: OU=Ace Certificate Authority, O=Ace Industry, C=US Validity: Not Before: Fri Oct 17 18:36:25 1997 Not After: Sun Oct 17 18:36:25 1999...
  • Page 818: How Ca Certificates Are Used To Establish Trust

    Certificates and Authentication Here is the same certificate displayed in the base-64-encoded form interpreted by software: -----BEGIN CERTIFICATE----- MIICKzCCAZSgAwIBAgIBAzANBgkqhkiG9w0BAQQFADA3MQswCQYDVQQGEwJVUzER MA8GA1UEChMITmV0c2NhcGUxFTATBgNVBAsTDFN1cHJpeWEncyBDQTAeFw05NzEw MTgwMTM2MjVaFw05OTEwMTgwMTM2MjVaMEgxCzAJBgNVBAYTAlVTMREwDwYDVQQK EwhOZXRzY2FwZTENMAsGA1UECxMEUHViczEXMBUGA1UEAxMOU3Vwcml5YSBTaGV0 dHkwgZ8wDQYJKoZIhvcNAQEFBQADgY0AMIGJAoGBAMr6eZiPGfjX3uRJgEjmKiqG 7SdATYazBcABu1AVyd7chRkiQ31FbXFOGD3wNktbf6hRo6EAmM5/R1AskzZ8AW7L iQZBcrXpc0k4du+2Q6xJu2MPm/8WKuMOnTuvzpo+SGXelmHVChEqooCwfdiZywyZ NMmrJgaoMa2MS6pUkfQVAgMBAAGjNjA0MBEGCWCGSAGG+EIBAQQEAwIAgDAfBgNV HSMEGDAWgBTy8gZZkBhHUfWJM1oxeuZc+zYmyTANBgkqhkiG9w0BAQQFAAOBgQBt I6/z07Z635DfzX4XbAFpjlRl/AYwQzTSYx8GfcNAqCqCwaSDKvsuj/vwbf91o3j3 UkdGYpcd2cYRCgKi4MwqdWyLtpuHAH18hHZ5uvi00mJYw8W2wUOsY0RC/a/IDy84 hW3WWehBUqVK5SY4/zJ4oTjx7dwNMdGwbWfpRqjd1A== -----END CERTIFICATE----- How CA Certificates Are Used to Establish Trust Certificate authorities (CAs) are entities that validate identities and issue certificates.
  • Page 819 Certificates and Authentication CA Hierarchies In large organizations, it may be appropriate to delegate the responsibility for issuing certificates to several different certificate authorities. For example, the number of certificates required may be too large for a single CA to maintain; different organizational units may have different policy requirements;...
  • Page 820 Certificates and Authentication Certificate Chains CA hierarchies are reflected in certificate chains. A certificate chain is a series of certificates issued by successive CAs. Figure J-7 shows a certificate chain leading from a certificate that identifies some entity through two subordinate CA certificates to the CA certificate for the root CA (based on the CA hierarchy shown in Figure J-6).
  • Page 821 Certificates and Authentication In Figure J-7, the Engineering CA certificate contains the DN of the CA (that is, USA CA), that issued that certificate. USA CA’s DN is also the subject name of the next certificate in the chain. • Each certificate is signed with the private key of its issuer.
  • Page 822 Certificates and Authentication Figure J-8 Verifying a Certificate Chain All the Way to the Root CA Figure J-8 shows what happens when only Root CA is included in the verifier’s local database. If a certificate for one of the intermediate CAs shown in Figure J-8, such as Engineering CA, is found in the verifier’s local database, verification stops with that certificate, as shown in Figure J-9.
  • Page 823 Certificates and Authentication Expired validity dates, an invalid signature, or the absence of a certificate for the issuing CA at any point in the certificate chain causes authentication to fail. For example, Figure J-10 shows how verification fails if neither the Root CA certificate nor any of the intermediate CA certificates are included in the verifier’s local database.
  • Page 824: Managing Certificates

    Managing Certificates The set of standards and services that facilitate the use of public-key cryptography and X.509 v3 certificates in a network environment is called the public key infrastructure (PKI). PKI management is a complex topic beyond the scope of this document.
  • Page 825: Certificates And The Ldap Directory

    Managing Certificates Netscape Certificate Management System allows an organization to set up its own certificate authority and issue certificates. Issuing certificates is one of several management tasks that can be handled by separate Registration Authorities. Certificates and the LDAP Directory The Lightweight Directory Access Protocol (LDAP) for accessing directory services supports great flexibility in the management of certificates within an organization.
  • Page 826: Renewing And Revoking Certificates

    Managing Certificates Keys can be generated by client software or generated centrally by the CA and distributed to users via an LDAP directory. There are trade-offs involved in choosing between local and centralized key generation. For example, local key generation provides maximum nonrepudiation, but may involve more participation by the user in the issuing process.
  • Page 827: Registration Authorities

    Managing Certificates intervals and checking the list as part of the authentication process. For some organizations, it may be preferable to check directly with the issuing CA each time a certificate is presented for authentication. This procedure is sometimes called real-time status checking.
  • Page 828 Managing Certificates Netscape Certificate Management System Administrator’s Guide • June 2003...
  • Page 829: The Ssl Protocol

    Appendix K Introduction to SSL This document introduces the Secure Sockets Layer (SSL) protocol. Originally developed by Netscape, SSL has been universally accepted on the World Wide Web for authenticated and encrypted communication between clients and servers. • The SSL Protocol •...
  • Page 830 The SSL Protocol Figure K-1 Where SSL Runs The SSL protocol runs above TCP/IP and below higher-level protocols such as HTTP or IMAP. It uses TCP/IP on behalf of the higher-level protocols, and in the process allows an SSL-enabled server to authenticate itself to an SSL-enabled client, allows the client to authenticate itself to the server, and allows both machines to establish an encrypted connection.
  • Page 831 Ciphers Used with SSL The SSL protocol includes two sub-protocols: the SSL record protocol and the SSL handshake protocol. The SSL record protocol defines the format used to transmit data. The SSL handshake protocol involves using the SSL record protocol to exchange a series of messages between an SSL-enabled server and an SSL-enabled client when they first establish an SSL connection.
  • Page 832 Ciphers Used with SSL Decisions about which cipher suites a particular organization decides to enable depend on trade-offs among the sensitivity of the data involved, the speed of the cipher, and the applicability of export rules. Some organizations may want to disable the weaker ciphers to prevent SSL connections with weaker encryption.
  • Page 833 Ciphers Used with SSL Table K-1 Cipher Suites Supported by the SSL Protocol That Use the RSA Key-Exchange Algorithm. Strength category and cipher suite: Strongest Cipher Suite, Triple DES With 168-Bit Encryption and SHA-1 Message Authentication. Recommended use: Permitted for deployments within the United States only.
  • Page 834 Ciphers Used with SSL Table K-1 Cipher Suites Supported by the SSL Protocol That Use the RSA Key-Exchange Algorithm (continued). Strength category and cipher suite: Exportable Cipher Suites, RC4 With 40-Bit Encryption and MD5 Message Authentication. RC4 40-bit encryption permits approximately 1.1 * 10^12 (a trillion) ... Recommended use: These cipher suites are not as strong as those listed above, but...
  • Page 835 Ciphers Used with SSL Table K-2 Cipher Suites Supported by Netscape When Using Fortezza for SSL 3.0. Strength category and cipher suite: Strong Fortezza Cipher Suites, RC4 With 128-bit Encryption and SHA-1 Message Authentication. Recommended use: Permitted for deployments within the United States only. Like RC4 with 128-bit encryption and MD5 message authentication, ...
  • Page 836 The SSL Handshake The SSL Handshake The SSL protocol uses a combination of public-key and symmetric key encryption. Symmetric key encryption is much faster than public-key encryption, but public-key encryption provides better authentication techniques. An SSL session always begins with an exchange of messages called the SSL handshake. The handshake allows the server to authenticate itself to the client using public-key techniques, then allows the client and the server to cooperate in the creation of symmetric keys used for rapid encryption, decryption, and tamper detection...
  • Page 837 The SSL Handshake If the server has requested client authentication, the server attempts to authenticate the client (for details, see “Client Authentication,” which begins on page 841). If the client cannot be authenticated, the session is terminated. If the client can be successfully authenticated, the server uses its private key to decrypt the premaster secret, then performs a series of steps (which the client also performs, starting from the same premaster secret) to generate the master secret.
  • Page 838 The SSL Handshake • In the case of client authentication, the client encrypts some random data with the client’s private key—that is, it creates a digital signature. The public key in the client’s certificate can correctly validate the digital signature only if the corresponding private key was used.
  • Page 839 The SSL Handshake Figure K-2 Authentication of a Client Certificate An SSL-enabled client goes through these steps to authenticate a server’s identity: Is today’s date within the validity period? The client checks the server certificate’s validity period. If the current date and time are outside of that range, the authentication process won’t go any further.
  • Page 840: Man-In-The-Middle Attack

    The SSL Handshake doesn’t correspond to the private key used by the CA to sign the server certificate, the client won’t authenticate the server’s identity. If the CA’s digital signature can be validated, the server treats the user’s certificate as a valid “letter of introduction”...
  • Page 841 The SSL Handshake The encrypted information exchanged at the beginning of the SSL handshake is actually encrypted with the rogue program’s public key or private key, rather than the client’s or server’s real keys. The rogue program ends up establishing one set of session keys for use with the real server, and a different set of session keys for use with the client.
  • Page 842 The SSL Handshake Figure K-3 Authentication and Verification of a Client Certificate An SSL-enabled server goes through these steps to authenticate a user’s identity: Does the user’s public key validate the user’s digital signature? The server checks that the user’s digital signature can be validated with the public key in the certificate.
  • Page 843 The SSL Handshake Is the issuing CA a trusted CA? Each SSL-enabled server maintains a list of trusted CA certificates, represented by the shaded area on the right side of Figure K-3. This list determines which certificates the server will accept. If the DN of the issuing CA matches the DN of a CA on the server’s list of trusted CAs, the answer to this question is yes, and the server goes on to Step 4.
  • Page 845 Glossary access control The process of controlling who is allowed to do what. For example, access control to servers is typically based on an identity, established by a password or a certificate, and on rules regarding what that entity can do. See also access control list (ACL).
  • Page 846 attribute value assertion (AVA) An assertion of the form attribute = value, where attribute consists of a tag, such as o (organization) or uid (user ID), and value consists of a value, such as “Netscape Communications Corp.” or a login name. AVAs are used to form the distinguished name (DN) that identifies the subject of a certificate (called the subject name of the certificate).
  • Page 847 CA hierarchy A hierarchy of CAs in which a root CA delegates the authority to issue certificates to subordinate CAs. Subordinate CAs can also expand the hierarchy by delegating issuing status to other CAs. See also certificate authority (CA), subordinate CA, root CA. CA server key The SSL server key of the server providing a CA service.
  • Page 848 Certificate Enrollment Protocol (CEP) A certificate management protocol jointly developed by Cisco Systems and VeriSign, Inc. CEP is an early implementation of Certificate Management Messages over Cryptographic Message Syntax (CMC). CEP specifies how a device communicates with a CA, including how to retrieve the CA’s public key, how to enroll a device with the CA, and how to retrieve a CRL.
  • Page 849 Certificate Manager An independent CMS subsystem capable of acting as a stand-alone certificate authority. A Certificate Manager instance issues, renews, and revokes certificates, which it can publish along with CRLs to an LDAP directory. It can be configured to accept requests from end entities, Registration Managers, or both.
  • Page 850 CMC Enrollment Features that allow you to send either signed enrollment or signed revocation requests to a Certificate Manager using an agent’s signing certificate. These requests are then automatically processed by the Certificate Manager. CMMF See Certificate Management Message Formats (CMMF). CMS See Netscape Certificate Management System (CMS), Cryptographic Message Syntax (CMS).
  • Page 851 Cryptographic Message Syntax (CMS) The syntax used to digitally sign, digest, authenticate, or encrypt arbitrary messages, such as CMMF. cryptographic module See PKCS #11 module. cryptographic service provider (CSP) A cryptographic module that performs cryptographic services, such as key generation, key storage, and encryption, on behalf of software that uses a standard interface such as that defined by PKCS #11 to request such services.
  • Page 852 Data Encryption Standard (DES) A FIPS-approved cryptographic algorithm required by FIPS 140-1 and specified by FIPS PUBS 46-2. DES, which uses 56-bit keys, is a standard encryption and decryption algorithm that has been used successfully throughout the world for more than 20 years. See also FIPS PUBS 140-1.
  • Page 853 eavesdropping Surreptitious interception of information sent over a network by an entity for which the information is not intended. encryption The process of scrambling information in a way that disguises its meaning. See decryption. encryption key A private key used for encryption only. An encryption key and its equivalent public key, plus a signing key and its equivalent public key, constitute a dual key pair.
  • Page 854 intermediate CA A CA whose certificate is located between the root CA and the issued certificate in a certificate chain. IP spoofing The forgery of client IP addresses. JAR file A digital envelope for a compressed collection of files organized according to the Java archive (JAR) format.
  • Page 855 Lightweight Directory Access Protocol (LDAP) A directory service protocol designed to run over TCP/IP and across multiple platforms. LDAP is a simplified version of Directory Access Protocol (DAP), used to access X.500 directories. LDAP is under IETF change control and has evolved to meet Internet requirements. linked CA An internally deployed certificate authority (CA) whose certificate is signed by a public, third-party CA.
  • Page 856 Netscape Security Services (NSS) A set of libraries designed to support cross-platform development of security-enabled communications applications. Applications built using the NSS libraries support the Secure Sockets Layer (SSL) protocol for authentication, tamper detection, and encryption, and the PKCS #11 protocol for cryptographic token interfaces.
  • Page 857 PKCS #11 The public-key cryptography standard that governs cryptographic tokens such as smart cards. PKCS #11 module A driver for a cryptographic device that provides cryptographic services, such as encryption and decryption, via the PKCS #11 interface. A PKCS #11 module (also called a cryptographic module or cryptographic service provider) can be implemented in either hardware or software.
  • Page 858 public-key infrastructure (PKI) The standards and services that facilitate the use of public-key cryptography and X.509 v3 certificates in a networked environment. RC2, RC4 Cryptographic algorithms developed for RSA Data Security by Rivest. See also cryptographic algorithm. registration See enrollment. Registration Manager An optional, independent CMS subsystem that performs tasks involving end entities, such as enrollment or renewal, on behalf of a Certificate Manager.
  • Page 859 server authentication The process of identifying a server to a client. See also client authentication. server group The servers in a server root directory managed by a single instance of Netscape Administration Server. server root The directory used to store Certificate Management System and other Netscape Server binaries that make up a server group.
  • Page 860 Certificates support single sign-on within a public-key infrastructure (PKI). A user can log in once to a local client’s private-key database and thereafter, as long as the client software is running, rely on certificate-based authentication to access each server within an organization that the user is allowed to access. slot The portion of a PKCS #11 module (implemented in either hardware or software) that contains a token.
  • Page 861 trust Confident reliance on a person or other entity. In a public-key infrastructure (PKI), trust refers to the relationship between the user of a certificate and the certificate authority (CA) that issued the certificate. If you trust a CA, you can generally trust valid certificates issued by that CA.
  • Page 863 Index (index entries with page references, pages 863–874)...