Installation and Setup Guide

Netscape Certificate Management System

Version 6.01

May 2002

Summary of Contents for Netscape Certificate Management System 6.01 (Installation and Setup Guide)

Page 1: ...Installation and Setup Guide, Netscape Certificate Management System, Version 6.01, May 2002...

Page 2: ...DOCUMENTATION INCLUDING WITHOUT LIMITATION ANY LOSS OR INTERRUPTION OF BUSINESS PROFITS USE OR DATA The Software and documentation are copyright 2001 Sun Microsystems Inc Portions copyright 1999 2002...

Page 3: ...ew of Key Features 34 Flexible end entity registration services framework 37 System Overview 41 Public Key Infrastructure 43 CMS Subsystems or Managers 44 Certificate Manager 45 Registration Manager 4...

Page 4: ...Management Formats and Protocols 77 Security and Directory Protocols 78 Chapter 2 Certificate Enrollment and Life Cycle Management 81 Steps in End Entity Enrollment 81 Some Enrollment Scenarios 84 Fi...

Page 5: ...User to the Directory 145 Step 3 Enroll with Directory Based Authentication 147 Publish Certificates to an LDAP Directory 148 Configure the Publishing Destination 149 Set Rules for Publishing Certifi...

Page 6: ...ons 179 Deployment Strategy and Port Assignments 180 Chapter 5 Installation Worksheet 183 Information for UNIX Installation Script 184 Installation Location 184 Configuration Directory Server 184 User...

Page 7: ...ificate 201 Extensions for Transport Certificate 201 Transport Certificate Request 202 Storage Key and Recovery Agent Configuration 202 Storage Key Creation 202 Data Recovery Scheme 1 203 Data Recover...

Page 8: ...nces or CA Clones 278 Chapter 7 Installing and Uninstalling CMS Instances 279 Installing Multiple CMS Instances 280 Cloning a Certificate Manager 282 Step 1 Before You Begin 283 Step 2 Create Instance...

Page 9: ...pping From Netscape Console 311 Stopping From the Command Line 312 Stopping From the Windows NT Services Panel 312 Restarting Certificate Management System 312 Restarting From the CMS Window 313 Resta...

Page 10: ...ers 355 Step 5 Customize End Entity and Agent Forms 356 Step 6 Setup Authentication for End Users 356 Step 7 Enable Event Driven Notifications 356 Step 8 Schedule Jobs 357 Step 9 Set up Policies 357 S...

Page 11: ...nts Using the Automated Process 391 Setting up Agents Using the Manual Process 392 Setting Up Trusted Managers 397 Setting up Trusted Managers Using the Automated Process 397 Setting Up a Registration...

Page 12: ...sions 445 Step 7 Copy the Certificate Signing Request 447 Step 8 Check the Certificate Request Status 451 Using the Wizard to Install a Certificate or Certificate Chain 452 Data Formats for Installing...

Page 13: ...e From the Certificate Database 484 Changing the Trust Settings of a CA Certificate 485 Installing a New CA Certificate in the Certificate Database 487 Installing a CA Certificate Chain in the Certifi...

Page 14: ...7 Registering an Authentication Module 528 Deleting an Authentication Module 529 Chapter 16 Setting Up Automated Notifications 531 Automated Notifications 531 Notifications of Certificate Issuance to...

Page 15: ...p 2 Modify Existing Policy Rules 570 Step 3 Delete Unwanted Policy Rules 574 Step 4 Add New Policy Rules 574 Step 5 Reorder Policy Rules 579 Step 6 Restart the Server 580 Step 7 Test Policy Configurat...

Page 16: ...Specify CRL Details 629 Step B Set the CRL Extensions 631 Step C Create a Mapper for the CRL 632 Step D Create a Publisher for the CRL 633 Step E Create a Publishing Rule for the CRL 635 Step 5 Identi...

Page 17: ...t 676 Setting Up Netscape 6x for OCSP Based Certificate Validation 676 Setting Up Personal Security Manager for OCSP Based Certificate Validation 677 Step 3 Enable Certificate Manager s HTTP Port 679...

Page 18: ...Certificate in the Browser 711 Step G Check the Status of Online Certificate Status Manager 711 Step H Revoke the Certificate 712 Step I Verify the Certificate in the Browser 712 Step J Check the Onli...

Page 19: ...owser s Database 743 Chapter 23 Managing CMS Logs 745 Introduction to Logs 745 Logs Maintained by the Server 746 Services That Are Logged 747 Log Levels Message Categories 748 Log File Locations 749 L...

Page 20: ...ate Request 782 Step 3 Install Your Server s SSL Certificate 783 Step 4 Accept a CA as Trusted in Your Server 783 Step 5 Verify Your Server s SSL and CA Certificates 785 Getting Certificates for Netsc...

Page 21: ...ification 809 Data Formats 809 Binary Formats 809 Text Formats 810 Importing Certificate Chains 811 Importing Certificates into Netscape Communicator 811 Importing Certificates into Netscape Servers 8...

Page 22: ...22 Netscape Certificate Management System Installation and Setup Guide May 2002...

Page 23: ...s in This Guide This guide covers topics that are listed below You should use this guide in conjunction with the other CMS documentation such as the ones that explain all the plug ins and command lin...

Page 24: ...ng CMS Instances Describes how to create multiple instances delete unwanted instances clone instances upgrade from a previous CMS version and so on Chapter 8 Starting and Stopping CMS Instances Descri...

Page 25: ...ificate content such as key size signing algorithm validity period extensions and so on Chapter 19 Setting Up LDAP Publishing Provides an overview of LDAP publishing and describes how to configure a C...

Page 26: ...g certificates This guide assumes that you Are familiar with the basic concepts of public key cryptography and the Secure Sockets Layer SSL protocol SSL cipher suites The purpose of and major steps in...

Page 27: ...ons the superadministrator has set up for you Text within quotation marks Indicates cross references to other topics within this guide Example For more information see Issuing a Certificate to a New U...

Page 28: ...Sidebar text marks important information Make sure you read the information before continuing with a task Examples Where to Go for Related Information This section summarizes the documentation that sh...

Page 29: ...uide contents htm CMS Customization Guide Provides detailed reference information on customizing the HTML based agent and end entity interfaces To view the HTML version of this guide open this file se...

Page 31: ...31 Part 1 Overview and Demo Installation Chapter 1 Introduction to Certificate Management System Chapter 2 Certificate Enrollment and Life Cycle Management Chapter 3 Default Demo Installation...

Page 33: ...looking for a security solution for your enterprise or setting up an independent certificate authority CA service Certificate Management System offers a robust customizable and scalable foundation fo...

Page 34: ...and 4096-bit RSA on both hardware and software tokens. Supports multiple message formats, such as KEYGEN/SPKAC, CRMF, CMMF, CRS (CEP/SCEP), PKCS #10 and CMC, for certificate requests. All requests are delivered...

Page 35: ...component in the PKI it is a subordinate server to which a Certificate Manager can delegate some certificate management functions For example a Registration Manager may act as a front end to a Certif...

Page 36: ...he Certificate Manager as a root or subordinate CA see Part 2 Planning and Installation Ability to function as a linked CA Certificate Management System can function as a linked CA chaining up to many...

Page 37: ...rtificates see Tokens for Storing CMS Keys and Certificates on page 431 Support for Netscape client and server products client independence for non Netscape products Certificates issued by Certificate...

Page 38: ...dules such as authentication job policy and publishing modules that are provided for Certificate Management System see Plug in Modules on page 55 Single administration point achieved via LDAP complian...

Page 39: ...ort separate key pairs for signing and encrypting data Certificate Management System supports generation of dual certificates for end entities capable of generating dual key pairs If a client makes a...

Page 40: ...zed key recovery agents The key repository is encrypted using a Data Recovery Manager s storage private key which is protected with one or more recovery agents passwords Only these designated recovery...

Page 41: ...ficate Management System Certificate Management System provides an easy upgrade path from its previous versions For upgrade instructions check the CMS Command Line Tools Guide GUI based server install...

Page 42: ...varying deployment scenarios permitting rapid integration with existing client and server software customer databases security systems and authentication procedures You can use Certificate Management...

Page 43: ...that issues renews and revokes certificates An end entity EE is a person router server or other entity that uses a certificate to identify itself To participate in a PKI an end entity must enroll or...

Page 44: ...pendent installation of these four subsystems and each subsystem plays a distinct role in a PKI Each subsystem consists of built in system level components such as authentication framework for various...

Page 45: ...ocument as Certificate Manager agent or automatically based entirely on customizable policies and procedures When set up to work with a separate Registration Manager the Certificate Manager processes...

Page 46: ...ificates and CRLs: RSA with MD2, RSA with MD5, RSA with SHA-1, and DSA with SHA-1. (MD2 and MD5 have since been shown to be unsafe for certificate signatures and are rejected by current clients; SHA-1 is the strongest choice this release offers.) The Certificate Manager can issue X.509 v1 or v2 CRLs. A CRL can be automatically updated whenever a certificate is revoked...

Page 47: ...on Manager then distributes the certificates to the end entities Note that you can run multiple Registration Managers remotely all reporting to a single CA a Certificate Manager to verify user identit...

Page 48: ...an end entity to get a new signing certificate and signing key pair without changing the encryption certificate or encryption key pair Note that the Data Recovery Manager archives encryption keys It d...

Page 49: ...tificate validation authority is often referred to as an OCSP responder Table 1 1 Key pairs used by end entities and key pairs used by the Data Recovery Manager End entity key pairs Data Recovery Mana...

Page 50: ...he four independent CMS managers and various kinds of end entities To keep things simple the figure assumes that each manager is installed in a different CMS instance and on a different machine The Re...

Page 51: ...ed by Cisco Systems and VeriSign Inc CEP governs communication between routers or VPN clients and a Registration Manager or Certificate Manager KEYGEN tag An HTML tag supported by Netscape browsers th...

Page 52: ...very Manager performs the long term archival and recovery of end users private encryption keys A Certificate Manager or Registration Manager can be configured to archive end users private encryption k...

Page 53: ...Manager 6 The Certificate Manager issues the signing and encryption certificates and sends them back to the Registration Manager 7 The Registration Manager delivers the certificates to the end entity...

Page 54: ...ce of Directory Server, replacing the Relational Database Management System (RDBMS) used in Certificate Server 1.0x. Some deployments require installation of two subsystems in a single CMS instance on a s...

Page 55: ...o CMS Plug Ins Guide To locate this guide see Where to Go for Related Information on page 28 Authentication Plug in Modules An authentication module is a set of rules implemented as a Java class for a...

Page 56: ...ion Requires manual approval by an agent This authentication module is hardwired you cannot configure it This ensures that when the server receives requests that lack authentication credentials it sen...

Page 57: ...adjusts the subject name in the request accordingly A validity constraints policy checks that the certificate validity period falls within a specified period and it rejects defers or adjusts the valid...

Page 58: ...uniqueness and prevents issuance of multiple subordinate CA certificates with same issuer names UniqueSubjectNameConstraints Allows the server to check for certificate subject name uniqueness and pre...

Page 59: ...ocations from where the application that is validating the certificate can obtain the CRL information ExtendedKeyUsageExt Adds the Extended Key Usage extension to certificates The extension identifies...

Page 60: ...icy statements of two CAs The pairing indicates that the corresponding policies of one CA are equivalent to policies of another CA PrivateKeyUsagePeriodExt Adds the Private Key Usage Period extension...

Page 61: ...n much the same way that you can write your own authentication and policy modules Plug in classes are provided out of the box for scheduling the following jobs Table 1 5 Plug in modules for schedulabl...

Page 62: ...CRLs to a directory The advantage of publishing certificates and CRLs to the directory is multifold You can keep users certificate related information with the rest of the user information This way wh...

Page 63: ...configure a Certificate Manager to publish certificates and CRLs to the mapped directory entries to files or to the Online Certificate Status Manager Table 1 6 Default mapper plug in modules for mappi...

Page 64: ...ilities or tools and Software Development Kit Table 1 7 Default publisher plug in modules for publishing certificates and CRLs Plug in module name Function FileBasedPublisher Publishes certificates an...

Page 65: ...de of various plug in modules that are included in Certificate Management System out of the box This source code has been included for reference purposes only and is only used to demonstrate how a par...

Page 66: ...ion of ObjectSigning capabilities Examples of how to use Certificate Management System with some third party products Entry Points for Various Types of Users Certificate Management System provides ent...

Page 67: ...nager or Online Certificate Status Manager serves the appropriate HTML forms for agent tasks For details see Agent Services Interface on page 68 Accessing Agent Services is a privileged operation agen...

Page 68: ...s you made during installation a combination of the following agent services will be installed Certificate Manager Agent Services Registration Manager Agent Services Data Recovery Manager Agent Servic...

Page 69: ...es and process them Listing certificates issued by the server Searching for certificates issued by the server Revoking certificates issued by the server Updating certificates and certificate revocatio...

Page 70: ...Using the default forms a Registration Manager agent can list deferred certificate requests from end entities and process them Data Recovery Manager Agent Services The Data Recovery Manager Agent Ser...

Page 71: ...tion private keys from the key archive Key recovery requires authorization from key recovery agents see Key Recovery Process on page 721 Online Certificate Status Manager Agent Services Interface The...

Page 72: ...hat use certificates to identify themselves and that need to be able to request certificate issuance and management operations These forms collectively identified as End Entity Services Interface use...

Page 73: ...ment on page 98 Figure 1 9 shows the end entity services interface of a Certificate Manager Figure 1 9 End entity services interface Note that the Data Recovery Manager and Online Certificate Status M...

Page 74: ...lation and Setup Guide May 2002 System Architecture Figure 1 10 shows the internal architecture of Certificate Management System The sections that follow describe the basic elements of this architectu...

Page 75: ...e slots in some form of physical reader for example for smart cards or as conceptual slots in software Each slot for a PKCS 11 module can in turn contain a token which is the hardware or software devi...

Page 76: ...on tamper detection and encryption as well as the PKCS 11 interface for cryptographic token interfaces Netscape uses NSS to support these features in a wide range of products including Certificate Man...

Page 77: ...ystem third parties can create their own custom modules using the APIs provided above the middleware and subsystem layers Modules for all three subsystems work the same way and are interchangeable Sta...

Page 78: ...CMMF Future versions of Certificate Management System will support this standard as it is finalized Cryptographic Message Syntax CMS A superset of PKCS 7 syntax used for digital signatures and encryp...

Page 79: ...ta and message format developed by RSA Data Security to represent digital signatures certificate chains and encrypted data This format is used to deliver certificates to end entities Public Key Crypto...

Page 81: ...nagement System Steps in End Entity Enrollment The following steps take place when a Registration Manager or a Certificate Manager handles an enrollment request from an end user Figure 2 1 shows a sim...

Page 82: ...to the request for the purpose of formulating the contents of the certificate to be issued and to enforce certain rules such as name constraints Custom policy modules can be used to enforce specialize...

Page 83: ...Steps in End Entity Enrollment Chapter 2 Certificate Enrollment and Life Cycle Management 83 Figure 2 1 Roles of servlets authentication modules and policy modules in end entity enrollment...

Page 84: ...evocation Router Enrollment and Revocation For the sake of simplicity these examples do not show the role of the Data Recovery Manager For more information about data recovery see Data Recovery Manage...

Page 85: ...h their own firewalls In general Netscape recommends that the Certificate Manager handle all certificate and CRL publishing functions If it s necessary for some entries in a directory to be available...

Page 86: ...nd other personal details stored in the existing customer database 2 Custom authentication The Registration Manager uses a custom authentication module to verify the customer s account and status agai...

Page 87: ...ation to validate every certificate request personally before issuing the certificate Figure 2 3 illustrates the steps in this process 1 Request certificate The customer fills in and submits a certifi...

Page 88: ...If all authentication procedures are successful the agent approves the request 4 Request certificate The Registration Manager performs policy processing and if the processing is successful sends the...

Page 89: ...ct workers suppliers employees and others who routinely access parts of the company s internal network In general this can be achieved by using Kerberos or other non PKI security systems as the authen...

Page 90: ...isting extranet fills in and submits a certificate request over SSL using a customized form that requires a Kerberos ID and password 2 Authentication The Registration Manager uses a third party authen...

Page 91: ...eed access to the extranet. To register all these people at once, Atlas uses the directory-based PIN Generator tool that comes with Certificate Management System to generate PINs in bulk. The PINs are th...

Page 92: ...tem, payroll stub, invoice form, or other out-of-band delivery mechanism. 4 Request certificate using PIN: the user goes to a specified Registration Manager URL, fills in name and PIN, and submits a certific...
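The PIN flow sketched in the Atlas scenario on pages 91 and 92 (bulk PIN generation for existing directory users, out-of-band delivery, then UID + PIN presented once at enrollment) is modeled in the following added example. It is not the PIN Generator tool or CMS's own authentication module: the in-memory dict stands in for the LDAP directory, and the attribute names (pinHash, pinSalt), the hash construction and the function names are this example's assumptions.

```python
"""One-time PIN registration, as sketched in the Atlas extranet scenario.

An administrator generates PINs in bulk for users who already have
directory entries, stores only a salted hash in each entry, delivers the
PIN out of band, and the Registration Manager verifies UID + PIN exactly
once at enrollment, removing the PIN on success. The dict below stands
in for the LDAP directory; attribute names (pinHash, pinSalt) and the
hash construction are this example's assumptions, not CMS's own.
"""
import hashlib
import hmac
import secrets

PIN_LENGTH = 8
# No 0/O or 1/I, so a PIN read from a printed payroll stub is not mistyped.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def generate_pin(length=PIN_LENGTH):
    """Random PIN from a CSPRNG; a bulk tool must not hand out a predictable sequence."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_pin(pin, salt):
    """Salted SHA-256 so a stolen directory dump cannot be reversed with one table."""
    return hashlib.sha256(salt + pin.encode("ascii")).hexdigest()


def issue_pins(directory, uids):
    """Generate a PIN per uid, store salt + hash in the entry, return PINs for delivery."""
    delivery = {}
    for uid in uids:
        entry = directory[uid]          # KeyError: cannot issue a PIN to a missing user
        pin = generate_pin()
        salt = secrets.token_bytes(16)
        entry["pinSalt"] = salt
        entry["pinHash"] = hash_pin(pin, salt)
        delivery[uid] = pin
    return delivery


def authenticate_with_pin(directory, uid, pin):
    """Return True if uid has an outstanding PIN matching `pin`; consume it on success."""
    entry = directory.get(uid)
    if entry is None or "pinHash" not in entry:
        return False
    presented = hash_pin(pin, entry["pinSalt"])
    # Constant-time compare: the comparison itself must not leak where the mismatch is.
    if not hmac.compare_digest(entry["pinHash"], presented):
        return False
    del entry["pinHash"]               # one-time use: a captured PIN cannot be replayed
    del entry["pinSalt"]
    return True


def demo():
    """Constructed directory: issue PINs, then a valid use, a replay, a wrong PIN, an unknown uid."""
    directory = {
        "jdoe": {"cn": "Jane Doe", "mail": "jdoe@example.com"},
        "bsmith": {"cn": "Bob Smith", "mail": "bsmith@example.com"},
    }
    pins = issue_pins(directory, ["jdoe", "bsmith"])
    first_use = authenticate_with_pin(directory, "jdoe", pins["jdoe"])
    replay = authenticate_with_pin(directory, "jdoe", pins["jdoe"])
    wrong_pin = authenticate_with_pin(directory, "bsmith", "WRONGPIN")
    unknown_user = authenticate_with_pin(directory, "nobody", pins["bsmith"])
    return first_use, replay, wrong_pin, unknown_user


if __name__ == "__main__":
    print(demo())
```

The two properties worth carrying over to a real deployment are that the directory never holds the PIN itself, only a salted hash, and that a successful enrollment deletes the PIN attributes, so a PIN intercepted in the mail is useless once the legitimate user has enrolled.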

Page 93: ...ns on a user s desktop outside the firewall and uses the IP Key Management Protocol IPKMP or IP Security IPSec protocol to establish encrypted communication with VPN hardware that straddles the firewa...

Page 94: ...be used during enrollment to authenticate the client 2 Issue certificate The Certificate Manager issues the certificate and the Registration Manager delivers it to the VPN client The VPN client can n...

Page 95: ...nt and Life Cycle Management 95 Figure 2 6 VPN client enrollment and revocation The certificate includes information about a CRL distribution point which is a directory that the VPN hardware can check...

Page 96: ...ficates As part of the issuing process the Certificate Manager publishes the certificates to the directory Publishing occurs only if the router s DN exists in the publishing directory This is importan...

Page 97: ...Some Enrollment Scenarios Chapter 2 Certificate Enrollment and Life Cycle Management 97 Figure 2 7 Router enrollment and revocation...

Page 98: ...Manager provide default HTML forms that use different protocols and life cycle management procedures for different kinds of end entities For example end entities running versions of Communicator earl...

Page 99: ...ons with CMS subsystems occur over HTTPS Table 2 1 End entities message formats algorithms and key pairs supported by Certificate Management System End entity software Enrollment message format over H...

Page 100: ...ntity interactions can take place over HTTP or HTTPS For example routers using CEP which includes its own encryption scheme uses HTTP rather than HTTPS For a more detailed discussion of these ports an...

Page 101: ...The authentication module is used by the servlet to authenticate the end entity the output template is an HTML page that returns information from the servlet to the end entity Figure 2 9 shows the def...

Page 102: ...particular Personal Security Manager simplifies certificate deployment with Certificate Management System by taking advantage of the following CMS features One click issuance of certificates Forced c...

Page 103: ...rds. PKCS #12 export and import of certificates and associated private keys. CRMF/CMMF direct communication between Personal Security Manager and a CA, simplifying enrollment processes and making one-cli...

Page 105: ...wing sections Overview of the Default Demo page 106 Installing the Default Demo page 110 Using the Default Demo page 136 System Requirements For system requirements check the Release Notes that came w...

Page 106: ...entially be separate from the user directory Netscape Administration Server This lightweight HTTP server acts as the back end to Netscape Console An instance of Administration Server manages operation...

Page 107: ...for information on the locations and contents of server groups on the network It also interacts with the Administration Server for each server group to perform some tasks such as managing SSL encrypt...

Page 108: ...igned for the default demo You will also be asked to provide additional information such as the name of each server instance to be installed the names and passwords of various types of administrators...

Page 109: ...rds The demo that you install is a real CA that can issue certificates Even if you plan to remove it after testing you should maintain the security of the demo system For this reason the installation...

Page 110: ...llation Wizard Step 3 Get the First User Certificate Step 1 Run the Installation Script UNIX These instructions assume that you have the initial distribution of Certificate Management System available...

Page 111: ...ain com Press Enter to install on the local machine 11 System User nobody Enter the user that the configuration user Directory Server process will run as Where your system supports it accept the defau...

Page 112: ...take a few minutes press Enter to continue The first phase of the installation is now complete The installation script has installed Netscape Console installed and started an Administration Server and...

Page 113: ...fault Demo Chapter 3 Default Demo Installation 113 2 Welcome Click Next 3 Software License Agreement Click Yes 4 Select Server or Console Installation Leave the default setting Netscape Servers select...

Page 114: ...rtificate Management System Installation and Setup Guide May 2002 5 Type of Installation Leave the default setting Typical selected and click Next 6 Location of Installation Leave the default setting...

Page 115: ...3 Default Demo Installation 115 7 Components to Install Leave all four components selected and click Next 8 Directory Server 6 0 Leave the default setting This instance will be the configuration direc...

Page 116: ...k Next 10 Directory Server 6 0 Server Settings Type the following values then click Next Server identifier configDir Server port Accept the default which should be 389 Suffix Accept the default which...

Page 117: ...rator ID admin Password admin password Password again admin password 12 Directory Server 6 0 Administration Domain Accept the default which should be your company s domain name in the form your_domain...

Page 118: ...ertificate Management System Installation and Setup Guide May 2002 Directory Manager DN cn Directory Manager Password dir mgr password Password again dir mgr password 14 Administration Server Port Sel...

Page 119: ...er Type the value demoCA and click Next 16 Configuration Summary Click Next 17 Setup At this point the installation script extracts and installs the binaries for all of the servers in the server root...

Page 120: ...tallation of Certificate Management System by running the Installation Wizard Step 2 Run the Installation Wizard To begin running the Installation Wizard follow these steps 1 If Netscape Console is no...

Page 121: ...it alternatively you can also click the Open button on the Certificate Management System panel on the right After a few moments the Installation Wizard appears You use the wizard to get the initial ce...

Page 122: ...ion Click Next 2 Logon Token Enter the password for the cryptographic token or the key database The same password will also be used as the single signon password for starting Certificate Management Sy...

Page 123: ...on 123 Instance ID Accept the default demoCA db Port number Accept the default 38900 Directory Manager DN cn Directory Manager Password intdb password Password again intdb password At this point the s...

Page 124: ...nistrator Type the following values then click Next Administrator ID CMSadmin Full name Accept the default value Password CMS password Password again CMS password 5 Subsystems Click Next to accept the...

Page 125: ...al OCSP Service Click Next to accept the default the option is selected 9 Network Configuration Enable the non SSL end entity gateway and then accept the default values listed below If one of the defa...

Page 126: ...fault selection Create self signed CA certificate 11 Key Pair Information for Certificate Manager CA Signing Certificate Type the following values then click Next Token Accept the default value Intern...

Page 127: ...en click Next Common name CN Demo CA Organization Unit OU Demo CMS Organization O name of your company Locality L name of your locality State ST name of your state province or territory Country C two...

Page 128: ...Certificate Extensions for Certificate Manager CA Signing Certificate Click Next to accept the default selections 16 Certificate Manager CA Signing Certificate Creation Click Next 17 SSL Server Certi...

Page 129: ...Next 19 Message Digest Algorithm Click Next to accept the default SHA1 20 Subject Name for SSL Server Certificate Type the following values then click Next Common name CN hostname in the machine domai...

Page 130: ...ertificate Management System Installation and Setup Guide May 2002 21 Validity Period for SSL Server Certificate Modify year and month values of Expire on date to allow a validity period of one month...

Page 131: ...131 22 Certificate Extensions for SSL Server Certificate Click Next to accept the default selections 23 SSL Server Certificate Creation Click Next The generation of the certificate can take some time...

Page 132: ...utomatically The installation and configuration of Certificate Management System is now complete and the Certificate Manager is running The end entity interface of Certificate Management System is now...

Page 133: ...the request a special enrollment form allows you to get this first certificate automatically After you submit this initial Administrator Agent Certificate Enrollment form it is automatically disabled...

Page 134: ...tificate that you just created during installation Because you just created it it is not on your list of trusted certificates A series of dialog boxes now appears that lets you add the CMS server cert...

Page 135: ...n has now been designated as the first agent The certificate you just created allows you to access the Agent Services pages As an agent you can approve enrollment requests and start issuing new certif...

Page 136: ...cate Manager to reject certificate requests that do not use at least 1024 bit key lengths Use an LDAP Directory Adding a user to the configuration directory you just installed and using directory base...

Page 137: ...ecified, for example https://hostname:8100. 2 Because this is an SSL connection, you are prompted to present your client SSL certificate for authentication. Choose the certificate you received on initial en...

Page 138: ...itial agent certificate CN CMS administrator 7 Use the browser s Back button to go back to the Services Summary page For example when using Communicator press and hold the mouse button while it s over...

Page 139: ...cate your identity 2 If a dialog box appears requesting that you select a certificate select the certificate name that begins with CMS Administrator The first form for the Agent Services gateway appea...

Page 140: ...system Setting Your Browser to Use the Agent Certificate To verify that the User1 certificate really can access the agent pages you must first set your browser to use the User1 certificate to identify...

Page 141: ...ly formulate your policies before installing any software and configure how the policies will be implemented before issuing any certificates For this demonstration you will implement a simple but very...

Page 142: ...uter then open Server Group 4 Select the CMS instance cert demoCA 5 In the Certificate Management System panel at the right click Open 6 Log in as CMSadmin giving the password CMS password Netscape Co...

Page 143: ...o this Certificate Manager by setting enabled to true. 11 Click OK to save the changes. The RSAKeyRule should now be listed as enabled in the Policy Rules Management tab. That is all you need to do. The p...

Page 144: ...p End User Authentication Step 1 Enable Directory Based Authentication To enable directory based authentication for the Certificate Manager 1 If the CMS console window is not still open start Netscape...

Page 145: ...irectory's user and groups subtree. Notice that this is a different operation from adding a user or group to the Certificate Manager's internal database. NOTE: If you leave the dnpattern field blank, the...

Page 146: ...e again or go back to the main window 2 Select the Users and Groups tab and click Create in the lower right corner 3 In the Select Organization Unit dialog box select People and click OK 4 In the Crea...

Page 147: ...he key length policy working, you will request the certificate using a 512-bit key first, then change the request to use a 1024-bit key. 1 Open a browser window and go to the Certificate Manager's end en...
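The RSAKeyRule enabled on pages 141 to 143 and exercised on page 147 (a 512-bit request rejected, a 1024-bit request accepted) decides on the size of the RSA modulus in the request. The following added example shows where that number comes from: every request format the server accepts (PKCS #10, the KEYGEN tag's SPKAC, CRMF) carries the public key as an X.509 SubjectPublicKeyInfo, so the check is to locate the RSAPublicKey inside it and measure the modulus. The minimal DER reader and writer are this example's own, not CMS's policy code, and the parameter names min_size/max_size are assumptions.

```python
"""Key-length policy check on a DER SubjectPublicKeyInfo.

Self-contained illustration of an RSAKeyRule-style check: build a few
SubjectPublicKeyInfo structures with known modulus sizes, then parse
them the way a policy module must (rejecting malformed input) and apply
the configured minimum and maximum. Not CMS's own code; min_size and
max_size are assumed parameter names.
"""

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption


# ---- minimal DER writer, used only to construct test inputs ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def der_int(n):
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body    # leading zero keeps the INTEGER positive
    return der(0x02, body)


def rsa_spki(modulus, exponent=65537):
    """SubjectPublicKeyInfo { rsaEncryption, BIT STRING { RSAPublicKey { n, e } } }."""
    rsa_pub = der(0x30, der_int(modulus) + der_int(exponent))
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + rsa_pub))


# ---- minimal DER reader ----
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the element at pos; reject truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Bit length of the RSA modulus in a DER SubjectPublicKeyInfo."""
    tag, body, _ = read_tlv(spki)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, alg, pos = read_tlv(body)
    oid_tag, oid, _ = read_tlv(alg)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = read_tlv(body, pos)
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
    tag, rsa_pub, _ = read_tlv(bits[1:])
    int_tag, n, _ = read_tlv(rsa_pub)
    if tag != 0x30 or int_tag != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(n, "big").bit_length()


def rsa_key_rule(spki, min_size=1024, max_size=4096):
    """Policy decision: (accepted, reason). Malformed keys are rejected, never accepted."""
    try:
        bits = rsa_modulus_bits(spki)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if bits < min_size:
        return False, f"rejected: {bits}-bit key below minimum of {min_size}"
    if bits > max_size:
        return False, f"rejected: {bits}-bit key above maximum of {max_size}"
    return True, f"accepted: {bits}-bit key"


def demo():
    """Constructed keys with the top bit set so the modulus has exactly the stated size."""
    weak = rsa_spki((1 << 511) | 1)      # 512-bit, like the first request on page 147
    ok = rsa_spki((1 << 1023) | 1)       # 1024-bit, like the corrected request
    return rsa_key_rule(weak)[0], rsa_key_rule(ok)[0]


if __name__ == "__main__":
    print(demo())
```

Note the fail-closed shape: a request whose key cannot be parsed is rejected with a reason rather than passed through, and the size is taken from the modulus actually present in the request, not from a key-size field the client claims.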

Page 148: ...d Publish Certificates to an LDAP Directory In any PKI there are things that you need to publish to make them available to entities Certificate revocation lists CRLs for example can be made available...

Page 149: ...redicate that must be true about that type of object in order to invoke the rule You will not configure any rules in this example By default the Certificate Manager uses a rule to coordinate the LdapU...

Page 150: ...am Directory publishing is now enabled Certificate Management System will publish any new certificates to the directory according to the publication rules The next step is to set those rules Set Rules...

Page 151: ...gement tab select LdapUserCertMap and click Edit View 5 Change the dnPattern parameter value to UID req UID OU people O your domain domain This pattern will cause the mapper to formulate a DN using th...

Page 152: ...blished every 20 minutes so you may need to wait a few minutes before a new certificate is published In the example here you conclude by manually updating the directory with the issued but unpublished...

Page 153: ...Most of the entries will indicate failures because in this example you did not configure publishing rules for most of the object types in the internal database The third item in the list should read...

Page 154: ...rations so in UNIX you may not need to change the CMS defaults Windows NT systems however do not typically run SMTP daemons by default and you will probably need to configure the SMTP settings in Cert...

Page 155: ...Select certRenewalNotifier in the Job Instance tab 5 Click Edit View The Job Instance Editor dialog box displays By default this job is enabled and scheduled to notify end entities 30 days before the...

Page 156: ...0 senderEmail your email address summary enabled true summary recipientEmail your email address summary senderEmail your email address 7 Click OK 8 Select Job Scheduler in the Configuration tab s navi...

Page 157: ...y default these are sent to the address in the email E attribute in the certificate subject These messages explain that the certificate is going to expire on a certain date and they provide a URL for...

Page 158: ...sages that better suit your organization You have now completed the default demo Before you attempt to install more sophisticated pilots or a full scale deployment you should read Chapter 4 Planning Y...

Page 159: ...tallation Chapter 4 Planning Your Deployment Chapter 5 Installation Worksheet Chapter 6 Installing Certificate Management System Chapter 7 Installing and Uninstalling CMS Instances Chapter 8 Starting...

Page 161: ...of whether a Certificate Manager is subordinate affects its distinguished name DN as well as its validity period extensions and place in the CA hierarchy As you begin to make decisions about your depl...

Page 162: ...age 162 Single Certificate Manager page 162 Certificate Manager and Registration Manager page 163 Certificate Manager and Data Recovery Manager page 165 Certificate Manager Data Recovery Manager and R...

Page 163: ...ntity certificates and CRLs to a directory Figure 4 1 Single root Certificate Manager Certificate Manager and Registration Manager Many organizations need to separate the role of the Registration Mana...

Page 164: ...er Alternatively the Certificate Manager might be configured to accept requests only from Registration Managers thus shielding the CA from end entities A Registration Manager can be installed in one C...

Page 165: ...ent and other persons responsible for administering the Certificate Manager and Registration Manager Certificate Manager and Data Recovery Manager If an organization requires key archival and recovery...

Page 166: ...ning the location of a Data Recovery Manager be sure to look into firewall considerations the physical security required for each subsystem and the physical location of the Certificate Manager agent D...

Page 167: ...g the enrollment process Before the Registration Manager sends the certificate request to the Certificate Manager for processing the Registration Manager must receive verification from the Data Recove...

Page 168: ...current design of Certificate Management System assumes that most deployments will rely on a single Data Recovery Manager associated with either a Registration Manager or a Certificate Manager However...

Page 169: ...nager but do not configure it Before configuring the clone you copy the CMS certificate and key database files from the original Certificate Manager to the new Certificate Manager server_root alias di...

Page 170: ...ration cn demoCA o Example Corporation ou Engineering c US Many combinations of name value pairs are possible for the Certificate Manager s DN The DN must be unique and readily identifiable since any...

Page 171: ...he purposes of an initial pilot it is easiest to make the CA a self signed root so that you won t need to apply to a third party and wait for the certificate to be issued Before deploying a full blown...

Page 172: ...ore to maintain compatibility with older versions of browsers that were released before the X 509 v3 specification was finalized certain kinds of certificates should include some of the Netscape exten...

Page 173: ...n old CA certificate to a new one You should begin planning for CA renewal or reissuance before you install any CMS managers consider any ramifications your planned procedures may have for extensions...

Page 174: ...ublishing to Certificates and CRLs to Files Any Certificate Manager that publishes certificates or CRLs to files needs to specify the location for storing these files There will be a file for each cert...

Page 175: ...ee in which the subsystem can publish certificates and password the directory administrator needs to set up a corresponding access control list ACL If authentication is based on SSL client authenticat...

Page 176: ...stall the Certificate Manager without having to apply to a public certificate authority and waiting for it to issue sign and return your CA signing certificate Your own Certificate Manager can then is...

Page 177: ...s issued by that CA It s possible to control which CAs the client or server software trusts and which it doesn t and for what kinds of certificates by means of settings within the software The Certifi...

Page 178: ...ry Manager also requires at least one SSL server certificate For more information about the key pairs and certificates used by a Data Recovery Manager see Data Recovery Manager s Key Pairs and Certifi...

Page 179: ...ement using Certificate Management System see Chapter 15 Setting Up End User Authentication Policy Decisions CMS managers use policies to evaluate or verify incoming certificate enrollment or manageme...

Page 180: ...ignments Before you install any CMS instance you should review the decisions described in this chapter and work out the relationships between the Certificate Managers Data Recovery Managers Registrati...

Page 181: ...Deployment Strategy and Port Assignments Chapter 4 Planning Your Deployment 181 Figure 4 5 Deploying servers on a single host...

Page 182: ...ts for each CMS instance to listen on That is each CMS instance will require at least four unique ports Internal database port for communication with internal database SSL administration port for comm...

Page 183: ...gement System This chapter has the following sections Information for UNIX Installation Script page 184 Information for NT Installation Script page 187 Initial Configuration page 190 Certificate Manag...

Page 184: ...e fully qualified host name of the machine on which the installation is taking place For example mydirectory example com Do not attempt to install remotely Configuration Directory Server System user I...

Page 185: ...u must also supply the following information User directory host name___________________________________________ User directory port_____________________________________________ Bind as_______________...

Page 186: ...y suffix configured for your directory It also should not correspond to an actual entry stored in your directory For example cn Directory Manager Directory Manager password ________________________ Th...

Page 187: ...f Certificate Management System you must also install an Administration Server and Netscape Console application and have access to a configuration and user group directory For more information on the...

Page 188: ...directory server _______________________________________ If you choose this option the installation script either adds a user group directory to the newly installed instance of Directory Server if you...

Page 189: ...specify must not be used for any other purpose Suffix ____________________________________ If you are creating a new directory this should be the domain name of the current host For example o example...

Page 190: ...the default number Certificate Management System Identifier You must specify a unique identifier for the CMS server instance that you are installing Certificate Management System server identifier____...

Page 191: ...ificate requests keys and other information Certificate Management System uses LDAP to communicate with its local database Certificate Management System internal database instance ID_______________ Th...

Page 192: ...____________ Remote Certificate Manager If you are installing a Registration Manager you need to provide the following information about the Certificate Manager to which the Registration Manager sends...

Page 193: ...default 80 _______________ Certificate Manager Configuration This section summarizes information required to configure a Certificate Manager as a root or subordinate CA CA Signing Certificate When yo...

Page 194: ...list of already installed and available tokens For example SmartCard For installation instructions see Installing External Tokens on page 432 Token password____________________________________________...

Page 195: ...shed Names in CMS Plug Ins Guide To locate this guide see Where to Go for Related Information on page 28 Validity Period for CA Signing Certificate You can specify the validity period for a self signe...

Page 196: ...te the length of the chain is unlimited Netscape certificate type Yes _____________ SSL client No _________ Object signing No _________ SSL server No _________ S MIME CA Yes _________ S MIME No ______...

Page 197: ...ng Certificate Request When you install a Registration Manager you must supply information for the certificate that the Registration Manager will use to sign certificate requests This certificate also...

Page 198: ...he message digest algorithm to use for generating digital signatures on certificates Subject Name for Registration Manager Signing Certificate Common Name CN _____________________________________ Orga...

Page 199: ...ort Certificate For a discussion of issues related to key type and length see CA Signing Key Type and Length on page 170 Token for storing the transport certificate signing certificate and private key...

Page 200: ...5___ Select the message digest algorithm to use for generating digital signatures on certificates Subject Name for Transport Certificate Common Name CN _____________________________________ Organizati...

Page 201: ...ficate Manager that you just installed issue the certificate If the transport certificate is issued by a remote CA its extensions are determined by the issuing CA The default settings should work for...

Page 202: ...ou are obtaining your transport certificate from a remote CA you need to know where to submit your certificate request If you are submitting your transport certificate request to a third party CA foll...

Page 203: ...ry agents n default 3 _______________________________________ Data Recovery Scheme 2 Specify user IDs and passwords for the total number of designated recovery agents see preceding section User ID____...

Page 204: ...token you will need to install it before you run the Installation Wizard In the wizard you can select from a list of already installed and available tokens For example SmartCard For installation inst...

Page 205: ...CA follow the instructions provided by that CA If you are submitting your certificate request to another Certificate Manager you need to know its URL End entity URL for issuing a Certificate Manager__...

Page 206: ...supply information for the CA certificate that the Certificate Manager will use to sign the certificates it issues This certificate can also function as the Certificate Manager s SSL client certificat...

Page 207: ..._______________ Token name where copied keys are stored _______________________ Token password ___________________________________________ SSL Server Certificate Configuration When you install an inst...

Page 208: ..._______________________________ Organization O ________________________________________ Locality L _____________________________________________ State ST ______________________________________________...

Page 209: ...in the space provided on this screen For more information about extensions see Appendix C Certificate and CRL Extensions of CMS Plug Ins Guide Confirm that you want to include the following extension...

Page 210: ...64 encoding of a sequence of extensions into the wizard SSL Certificate Request If you are obtaining your SSL server certificate from another CA you need to know where to submit your certificate reque...

Page 211: ...d page 221 Stage 3 Enrolling for Administrator Agent Certificate page 271 Stage 4 Further Configuration Options page 277 Stage 5 Creating Additional Instances or CA Clones page 278 Installation Overvi...

Page 212: ...in a single server root directory involves four stages Stage 1 Run the installation script setup on UNIX setup exe on NT to install Administration Server and Directory Server as necessary and perform...

Page 213: ...CA to which you ll submit the subordinate CA s CA signing certificate and SSL server certificate requests Make sure the CA is running and if required identify the forms you ll use to submit these requ...

Page 214: ...the Online Certificate Status Manager s signing certificate and SSL server certificate requests Make sure the CA is running and if required identify the forms you ll use to submit these requests For O...

Page 215: ...alization file and the installation prompts resume at the point in which you left off This initialization file applies only to the installation of the Administration Server and Directory Server If you...

Page 216: ...you wish to install 1 2 Enter the numbers corresponding to the Administration Services components you wish to install or press Enter to accept the default components 9 Specify the components you wish...

Page 217: ...are using an existing configuration directory enter its identifier 17 Netscape configuration directory server administrator ID admin Enter the name and password of the user who will authenticate to N...

Page 218: ...er Directory Server Netscape Console and Certificate Management System and installs the binaries under the server root directory you have specified It creates one instance of Administration Server one...

Page 219: ...vice unless you want to set up the Directory Server Synchronization Service Click Next to accept the default selection 6 Directory Server 6 0 This instance will be the configuration directory server i...

Page 220: ...are using an existing configuration directory enter its administrator ID and password Click Next to continue 10 Directory Server 6 0 Administration Domain Click Next to accept the default value This...

Page 221: ...al configuration for this instance of Certificate Management System The Installation Wizard is the same for both UNIX and Windows In the last step of the installation script you were given an opportun...

Page 222: ...sets up the new internal database which takes some time If you have previously installed an internal database for this instance the Recreate Internal Database screen appears In the Recreate Internal D...

Page 223: ...e If you want to enable the non SSL end entity port be sure to check the Enable checkbox Click Next to continue 4 CA s Serial Number Range Specify range for the serial numbers In the Starting serial n...

Page 224: ...st deployments If necessary you can add an additional extension by pasting its base 64 encoding in the space provided on this screen Certificate Management System provides command line tools for gener...

Page 225: ...r certificate The validity period determines how soon you will have to renew the certificate Click Next to continue 17 Certificate Extensions for SSL Server Certificate Select the required extensions...

Page 226: ...installed a remote Data Recovery Manager that you want the Certificate Manager to use for archiving end users encryption private keys select Yes Then enter the remote Data Recovery Manager s host nam...

Page 227: ...ng Certificate Select the validity period for the subordinate CA signing certificate The default validity is two years The validity period determines how soon you will have to renew the certificate wh...

Page 228: ...To automatically submit the request to a remote Certificate Manager or for automatic enrollment follow these steps a Select the Send the request to a remote CMS now option b Enter the host name and en...

Page 229: ...signing certificate For example if you assigned the port number 17006 to the non SSL end entity port for your root CA you would go to the URL http hostname 17006 to bring up the Certificate Manager p...

Page 230: ...ificate request manually to a third party CA follow these steps a Make sure that the certificate request including BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST is highlighted and clic...

Page 231: ...st ID of your request and know the host name and end entity port number of the remote Certificate Manager that issued the certificate select the The certificate is at the CMS server where the request...

Page 232: ...for computing the certificate signature The choices are SHA 1 MD2 or MD5 Click Next to continue 20 Subject Name for SSL Server Certificate Type the values for the subject DN components these values i...

Page 233: ...est to a remote Certificate Manager or for automatic enrollment follow these steps a Select the Send the request to a remote CMS now option b Enter the host name and end entity port number of the remo...

Page 234: ...will issue the subordinate CA s SSL server certificate For example if you assigned the port number 17006 to the non SSL end entity port for your root CA you would go to the URL http hostname 17006 to...

Page 235: ...coded certificate into the Installation Wizard next So once you ve copied the certificate go back to the wizard screen Step 24 below To submit your certificate request manually to a third party CA fol...

Page 236: ...elect the The certificate is located in this file option and then type the file path including the filename in the text field If you copied the certificate to the clipboard select the The certificate...

Page 237: ...ificate Management System by storing the passwords for the internal database tokens publishing directory and so on Each time you log on you re only required to enter this single password For details s...

Page 238: ...en to store the Registration Manager signing certificate and key pair If you have not previously initialized the token s password you must do so in this screen Also specify the key type and length Cli...

Page 239: ...se the request format will be PKCS 10 If you want the wizard to generate the certificate request in PKCS 10 format select the Generate PKCS10 request option If you want the wizard to generate the cert...

Page 240: ...Requests click Show Pending Requests and click Find g In the pending request list locate your request click Details to see the request and make any changes Then scroll down to the bottom of the form...

Page 241: ...s below to issue the certificate Otherwise you ll have to wait till the remote Certificate Manager s agent approves your request f In the web browser window enter the URL for the remote Certificate Ma...

Page 242: ...on the clipboard or the copy in the file to transfer your request to the CA that will issue the Registration Manager s signing certificate b Submit your certificate request to a third party CA follow...

Page 243: ...to the certificate and verify that you re installing the correct certificate Click Next to continue 14 Import Certificate Chain This screen appears only if you need to import the CA certificate chain...

Page 244: ...rmational screen that tells you that the wizard has all the information required to generate the key pair and certificate request In the previous screen if you chose to include the Subject Key Identif...

Page 245: ...Requests click Show Pending Requests and click Find f In the pending request list locate your request click Details to see it and make any changes Then scroll down to the bottom of the form and click...

Page 246: ...nt interface you can follow the instructions below to issue the certificate Otherwise you ll have to wait till the remote Certificate Manager s agent approves your request f In the web browser window...

Page 247: ...the Installation Wizard screen click Yes or No If you have submitted your request to a third party CA or to a remote Certificate Manager for which you do not have agent privileges you may have to wai...

Page 248: ...nging certificate Follow these steps to import the remote Certificate Manager s CA chain a Go to the web browser window b Enter the end entity URL for the remote Certificate Manager that issued the SS...

Page 249: ...Click Next to continue 3 Key Pair Information for Data Recovery Manager Transport Certificate Select the token to store the transport certificate and key pair If you have not previously initialized t...

Page 250: ...e key pair and certificate request In the previous screen if you chose to include the Subject Key Identifier extension in the certificate you ll be given the choice to select the format for the certif...

Page 251: ...k Show Pending Requests and click Find g In the pending request list locate your request click Details to see the request and make any changes Then scroll down to the bottom of the form and click Do I...

Page 252: ...ccess that Certificate Manager s Agent interface you can follow the instructions below to issue the certificate f In the web browser window enter the URL for the remote Certificate Manager s Agent Ser...

Page 253: ...Installation Wizard screen click Yes or No If you have submitted your request to a third party CA or to a remote Certificate Manager for which you do not have agent privileges you may have to wait da...

Page 254: ...f the remote Certificate Manager a Go to the web browser window b Enter the end entity URL for the remote Certificate Manager that issued the transport certificate c Select the Retrieval tab and then...

Page 255: ...st be the fully qualified host name of the machine on which you re installing the Data Recovery Manager Click Next to continue 19 Certificate Extensions for SSL Server Certificate Select the required...

Page 256: ...Certificate Manager s agent If you ve permission to access that Certificate Manager s Agent interface you can follow the instructions below to issue the certificate Otherwise you should wait for the r...

Page 257: ...d information If the request is in the CMC format click CMC Enrollment In the resulting form paste the request from the clipboard into the text area and fill in any other required information Be sure...

Page 258: ...ficate request has been saved to a file You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the subordinate CA s signing certificate...

Page 259: ...e required details Click Next to continue 24 Certificate Details This is an informational screen that displays the certificate so you can inspect its contents Notice the nickname assigned to the certi...

Page 260: ...age 3 Enrolling for Administrator Agent Certificate on page 271 to create the first agent for the Data Recovery Manager Installing an Online Certificate Status Manager To install a standalone Online Ce...

Page 261: ...nd the request to a remote CMS now option b Enter the host name for example host domain com and end entity port number of the Certificate Manager then specify whether this end entity port uses SSL c C...

Page 262: ...follow these steps a Open a web browser window b Go to the end entity URL for the Certificate Manager that will issue the Online Certificate Status Manager s signing certificate For example if you as...

Page 263: ...ty CA follow these steps a Make sure that the certificate request including BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST is highlighted and click the Copy to Clipboard button This act...

Page 264: ...paste the certificate including the header and footer in the text area provided If you want the wizard to retrieve the certificate from the remote CMS manager to which you submitted the request select...

Page 265: ...cate c Select the Retrieval tab and then choose Import CA Certificate Chain d Select the Display the CA certificate chain in PKCS 7 for importing into a server option and then click Submit e Copy the...

Page 266: ...an informational screen that tells you that the wizard has all the information required to generate the key pair and certificate request In the previous screen if you chose to include the Subject Key...

Page 267: ...sts then click Show Pending Requests and click Find The pending request list is displayed f Locate your request click Details to see it and make any changes Then scroll down to the bottom of the form...

Page 268: ...you can follow the instructions below to issue the certificate Otherwise you ll have to wait for the Certificate Manager s agent to approve your request and issue the certificate f In the web browser...

Page 269: ...he Installation Wizard screen click Yes or No If you have submitted your request to a third party CA or to a remote Certificate Manager for which you do not have agent privileges you may have to wait...

Page 270: ...n Follow these steps to import the CA chain of a Certificate Manager a Go to the web browser window b Enter the end entity URL for the Certificate Manager that issued the SSL server certificate c Sele...

Page 271: ...rtificates Since there is no agent yet to approve the request a special enrollment form allows you to get this first certificate automatically Follow the appropriate procedure for the subsystem you in...

Page 272: ...Because you just created it it is not on your browser s list of trusted certificates Before you see the Administrator Agent Certificate Enrollment form a series of dialog boxes appears that lets you a...

Page 273: ...ho was named as the initial administrator for Certificate Management System during installation has been automatically designated as the first agent This certificate allows you to access the Agent Ser...

Page 274: ...o the CA and then install the certificate in the certificate database of the CMS instance Alternatively if you have agent privileges to any of the CMS managers for example to a Certificate Manager you...

Page 275: ...instance for which you want to create the agent user and double click the icon The login screen for the CMS window appears 9 Enter your administrator ID and password The CMS window for the subsystem...

Page 276: ...the text area and paste the agent s certificate in base 64 encoded form If you haven t copied the certificate go back to the browser window copy the certificate and then paste the certificate here Be...

Page 277: ...tance For more information about setting up and managing agents see Agents on page 373 Stage 4 Further Configuration Options When you have completed the initial configuration and installation of a CMS...

Page 278: ...reating Additional Instances or CA Clones After the initial installation you can use Netscape Console to create additional instances of Certificate Management System in the same server root directory...

Page 279: ...lation you specified a port number for the Administration Server instance you will use to administer Certificate Management System If Administration Server is shut down be sure to start it at this por...

Page 280: ...n you install additional CMS instances on the same machine you are required to specify different ports for each CMS instance to listen on For example you will have to set up one server to listen on po...

Page 281: ...or identifier for the new instance For the name you can use any combination of letters aA to zZ digits 0 to 9 an underscore _ and a hyphen other characters and spaces are not allowed For example you c...

Page 282: ...same CA functions you create another instance of a Certificate Manager and configure it to use the same CA signing key and certificate and issue certificates with serial numbers that do not conflict o...

Page 283: ...ng a Certificate Manager s OCSP service see Setting Up a Certificate Manager with OCSP Service on page 675 So CAs organized in a flat structure using the cloning method eliminate the need for you to i...

Page 284: ...s recommended that you start with say 0x100 as the starting lowest serial number This will ensure that the master Certificate Manager has sufficient serial numbers for its own certificates such as the...

Page 285: ...ending on your master Certificate Manager s installation there are three possible scenarios to install a clone Certificate Manager Installing Clone CA in Master CA s Server Group In this case you inst...

Page 286: ...aces are not allowed For example you can type Clone1_of_root CA as the instance name but not Clone1 of root CA 5 Click OK The instance you created appears in the navigation tree Note that the instance...

Page 287: ...stance When prompted to specify a configuration directory select the option for an existing directory and specify the host name and port number of the Directory Server instance used by the master Cert...

Page 288: ...ager s host machine go to this directory server_root alias b Locate the certificate and key database files the file names are as follows cert instance_id machine_name cert7 db cert instance_id machine...

Page 289: ...aster Certificate Manager Select the token name where the keys and certificate are stored and enter the token s password if required Clone key and certificate materials On this screen you choose wheth...

Page 290: ...aster Certificate Manager itself you can locate the certificate in the internal database by going to the Retrieval tab of the master Certificate Manager s end entity interface If the issuer of the SSL...

Page 291: ...kiG9w0BAQEFAANLADBIAkEAoYiYgthgtbbnjfngjn jgnagwJjAOBgNVHQ8BAf8EBAMCBLAwFAYJYIZIAYb4QgEBAQHBAQDAgCAMA0GCSqGSIb3DQEBBAUAA4GBA Fi9FzyJlLmS kzsue0kTXawbwamGdYql2w4hIBgdR jWeLmD4CP4xzmKdvQ6IqD2q8DBs9lRQu9...

Page 292: ...b20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoYiYgthgtbbnjfngjn jgnagwJjAOBgNVHQ8BAf8EBAMCBLAwFAYJYIZIAYb4QgEBAQHBAQDAgCAMA0GCSqGSIb3DQEBBAUAA4GBA Fi9FzyJlLmS kzsue0kTXawbwamGdYql2w4hIBgdR jWeLmD4CP4xzmKdvQ6Iq...

Page 293: ...ter Certificate Manager relies solely on its SSL server certificate which you will add in Step 3 for authentication User ID Type an ID that will help you identify this user in the list of privileged u...

Page 294: ...Certificate window appears 9 Click inside the text area and paste the master Certificate Manager s SSL server certificate in its base 64 encoded form Be sure to include the BEGIN CERTIFICATE and END...

Page 295: ...onfigured the clone Certificate Manager for automated certificate issuance for example for directory based enrollment you may use the appropriate form and request a certificate To request a client or...

Page 296: ...required attributes of a client certificate 6 Scroll to the bottom of the request form and approve the request You should see a confirmation page indicating that the certificate has been issued If you...

Page 297: ...okes the certificate updates the certificate status in its internal database and sends details about the revoked certificate to the master Certificate Manager Step E Check Master CA s CRL for the Revo...

Page 298: ...atest certificate revocation information use the browser s Back button to return to the previous page and click Update Step 10 Use Master CA s Agent Certificate in Clone CAs This step is optional The...

Page 299: ...paste it as the agent certificate in the clone CA For step by step instructions to create an agent user see Setting up Agents Using the Manual Process on page 392 8 After creating the agent entry for...

Page 300: ...e You can change this description see Changing the Name of an Instance on page 301 Installation Date The date the server was installed Server Root The directory that holds all the files for the select...

Page 301: ...when you installed this server For example if you installed an instance of Certificate Management System with an ID of testCA the instance name will be cert-testCA You can change the instance name to...

Page 302: ...System when you uninstall Certificate Management System its program files are deleted from the host machine For instructions see Uninstalling Certificate Management System on page 303 To remove a CMS...

Page 303: ...tallation program Uninstalling Certificate Management System removes all the corresponding CMS instances from the navigation tree of Netscape Console To remove a specific CMS instance follow the instr...

Page 304: ...ystem by using the Windows NT Add Remove Programs utility 1 From the Start menu choose Settings then Control Panel 2 In the Control Panel choose Add Remove Programs 3 In the Add Remove Programs Proper...

Page 305: ...icate Management System page 312 Checking System Status page 314 Attending to an Unresponsive Server page 315 Password Cache page 315 Password Quality Checker page 316 NOTE You can use the CMS window...

Page 306: ...ssions for users in the Administrators group only As explained in the sections that follow the presence or absence of the password.conf file determines ways in which you can start restart and stop Cer...

Page 307: ...sed for portal registration if you ve configured Certificate Management System for portal enrollment See the description for the ldap.ldapauth.bindDN and ldap.ldapauth.bindPWPrompt parameters of the Po...

Page 308: ...n the cryptographic module When you change any of the required passwords or provide new passwords you must start the server from the command line see Starting From the Command Line on page 309 so that...

Page 309: ...r 2 In a Unix system log in as root if the server runs on ports less than 1024 otherwise log in either as root or with the server s user account 3 At the command line prompt enter the following line s...

Page 310: ...agement System from the Windows NT Services panel 1 Click the Start button on your desktop 2 Select Control Panel from Settings 3 In the Control Panel window that appears click Services 4 Select the C...

Page 311: ...If your machine crashes or is taken offline the server stops and any requests it was servicing are lost You need to start the server again to restore service see Starting Certificate Management Syste...

Page 312: ...system Stopping From the Windows NT Services Panel You can stop a CMS instance running on a local host by stopping the corresponding service it is identified by the following in the Windows NT Servic...

Page 313: ...motely From the command line locally only In the absence of the password.conf file Certificate Management System can be restarted from the command line and you will be prompted to enter the single sig...

Page 314: ...ou started the server 3 At the command line prompt enter the following line server_root/cert-instance_id/restart-cert[.bat] where .bat specifies the file extension; this is required only when running the utilit...

Page 315: ...ternal directory database which you had specified during installation was stored in the password cache similarly when you configure the Certificate Management System for LDAP publishing the bind passw...

Page 316: ...ory for details see Step 5 Identify the Publishing Directory on page 636 Except for the string Internal LDAP Database you can change any of the above prompts by modifying the corresponding value in th...

Page 317: ...jected to quality checks The reason for this is the password quality is handled by the system that creates and manages the password In an LDAP directory access the remote directory that you authentica...


Page 319: ...tting Up Ports Chapter 12 Setting Up Internal Database Chapter 13 Managing Privileged Users and Groups Chapter 14 Managing CMS Keys and Certificates Chapter 15 Setting Up End User Authentication Chapt...

Page 320: ...Chapter 19 Setting Up LDAP Publishing Chapter 20 Publishing Certificates and CRLs to a File Chapter 21 Setting Up an OCSP Responder Chapter 22 Setting Up Key Archiv...

Page 321: ...o enable system administrators to accomplish these server specific tasks quickly and easily Certificate Management System provides a GUI based administration tool called the CMS window within Netscape...

Page 322: ...erface to the user directory Figure 9-1 Netscape Console window with a CMS instance selected in the Console tab Console Tab For any given instance of Netscape Console the limits of the network it can...

Page 323: ...ment System uses file based configuration which is stored locally on the host system during installation the server registers only its SIE in the configuration directory For details about this file se...

Page 324: ...g Certificate Management System through Netscape Console Administration Server and the configuration directory must be running before you can configure any of these servers It is included with all Net...

Page 325: ...uring installation for monitoring Certificate Management System If you stopped Administration Server after installation you must start it before you can administer Certificate Management System from t...

Page 326: ...enter the following line server_root/stop-admin Administration Server runs as a service in a Windows system For example you can use the Windows NT Services panel to stop the service directly Logging I...

Page 327: ...ould show the URL to Administration Server If it doesn t or if it doesn t have the URL of Administration Server that you want type the URL in this field The URL is based on the computer host name and...

Page 328: ...Figure 9-3 Certificate Management System window launched from Netscape Console You can use the CMS window to access the server locally or remotely The window has three separate tabs...

Page 329: ...perform tasks such as starting stopping and restarting the server and running the Certificate Setup Wizard For details see Chapter 8 Starting and Stopping CMS Instances and Certificate Setup Wizard on...

Page 330: ...nts and trusted managers into the CMS internal database Modifying user information Deleting users from the database For details see see Chapter 13 Managing Privileged Users and Groups Managing CMS key...

Page 331: ...tificate issuance and management policies This involves operations such as the following Viewing currently registered policy plug in modules for a Certificate Manager or Registration Manager Configuri...

Page 332: ...d users encryption private keys For details see Chapter 22 Setting Up Key Archival and Recovery Managing CMS logs This involves configuring system error and audit logs maintained by Certificate Manage...

Page 333: ...the Console tab select the Server Group that contains the CMS instance you want to use as your source 3 In the navigation tree locate the CMS instance you want to administer 4 Select the instance and...

Page 334: ...S window without having to create privileged user entries Otherwise type your privileged user ID administrator ID Password If you are logging in for the first time type the Certificate Administrator p...

Page 335: ...w the installation affects the number of configuration files created in your machine and their contents It also explains ways in which you can modify the configuration and precautions you should take...

Page 336: ...arate configuration files for the instances running on Host A one for each CMS instance Although the names of both the configuration files are the same the information included in the files differs ac...

Page 337: ...one that contains the required configuration Figure 10-2 illustrates this quick way of deploying multiple Registration Managers with the same configuration Figure 10-2 Duplicating a configuration Loca...

Page 338: ...low focus on explaining how to change the various configuration parameter values from the CMS window Changing the Configuration by Editing the Configuration File This section explains how to change th...

Page 339: ...lines blank lines unknown parameters or misspelled parameters are ignored by Certificate Management System Comment lines begin with a number sign A line beginning with white space is considered a cont...

Page 340: ...configuration file Keep the following points in mind All authentication specific information such as names of registered authentication plug in modules and any configured instances appears in the Aut...

Page 341: ...dentified by the name specified when the rule was created You can create multiple rules out of an implementation each rule must have a unique name The sample on page 353 illustrates how information sp...
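The rules given on pages 339 to 341 (comment lines begin with a number sign, blank lines and unknown parameters are ignored, a line beginning with white space continues the previous line, and one implementation can back several rules as long as each rule has its own name) are enough to write a checker for a CMS.cfg-style file. The Python below is an added example, not code shipped with Netscape CMS or printed in this guide. It assumes the name=value line format of the configuration listing on the following pages and that a continuation line is appended to the previous value with its surrounding white space stripped; the sample configuration is constructed, and the rule named OldRule and its implementation NoSuchExt exist only to exercise the check for an enabled rule whose implName has no registered class. A misspelled parameter name cannot be detected by a parser (the server silently ignores it), so the check concentrates on what can be verified: every enabled rule must point at an implementation registered under Policy.impl.

```python
"""Parser and consistency checks for a CMS.cfg-style configuration file.
Added example, not Netscape CMS code; assumes name=value lines."""

# Constructed sample in CMS.cfg style. Class and rule names follow the
# guide's listing; OldRule/NoSuchExt and the continuation line are made up.
SAMPLE_CFG = """\
# Policy implementations registered with the Certificate Manager
ca.Policy.impl.NameConstraintsExt.class=com.netscape.cms.policy.NameConstraintsExt
ca.Policy.impl.CRLDistributionPointsExt.class=com.netscape.cms.policy.CRLDistributionPointsExt

ca.Policy.rule.NameConstraintsExt.enable=false
ca.Policy.rule.NameConstraintsExt.implName=NameConstraintsExt
ca.Policy.rule.NameConstraintsExt.critical=true
ca.Policy.rule.CRLDistributionPointsExt.enable=true
ca.Policy.rule.CRLDistributionPointsExt.implName=CRLDistributionPointsExt
ca.Policy.rule.CRLDistributionPointsExt.issuerName1=CN=Certificate Manager,
    O=Example Corp,C=US
ca.Policy.rule.CRLDistributionPointsExt.issuerType1=DirectoryName
# A second rule built from the same implementation, under its own name
ca.Policy.rule.ServerCertCRLDP.enable=true
ca.Policy.rule.ServerCertCRLDP.implName=CRLDistributionPointsExt
ca.Policy.rule.ServerCertCRLDP.predicate=certType==server
# Enabled rule whose implementation is not registered (constructed)
ca.Policy.rule.OldRule.enable=true
ca.Policy.rule.OldRule.implName=NoSuchExt
auths.revocationChecking.validityInterval=120
auths.revocationChecking.unknownStateInterval=0
misspelled line without a separator
"""


def parse_cms_config(text):
    """Apply the guide's rules: '#' comment lines and blank lines are ignored,
    a line starting with white space continues the previous value, and a line
    that is not name=value is ignored."""
    params = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if last is not None:           # continuation of the previous value
                params[last] += raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:                        # no '=': unknown, ignored
            last = None
            continue
        last = name.strip()
        params[last] = value.strip()
    return params


def policy_rules(params, subsystem="ca"):
    """Group <subsystem>.Policy.rule.<rule>.<param> entries by rule name."""
    prefix = f"{subsystem}.Policy.rule."
    rules = {}
    for name, value in params.items():
        if name.startswith(prefix):
            rule, _, param = name[len(prefix):].partition(".")
            rules.setdefault(rule, {})[param] = value
    return rules


def rules_using(params, impl, subsystem="ca"):
    """Names of every rule created from one implementation."""
    return sorted(r for r, p in policy_rules(params, subsystem).items()
                  if p.get("implName") == impl)


def unregistered_enabled_rules(params, subsystem="ca"):
    """Enabled rules whose implName has no <subsystem>.Policy.impl.<name>.class
    registration; worth catching before restarting the server."""
    prefix = f"{subsystem}.Policy.impl."
    impls = {n[len(prefix):].split(".")[0] for n in params
             if n.startswith(prefix) and n.endswith(".class")}
    return sorted(r for r, p in policy_rules(params, subsystem).items()
                  if p.get("enable") == "true" and p.get("implName") not in impls)


if __name__ == "__main__":
    cfg = parse_cms_config(SAMPLE_CFG)
    print("CRLDistributionPointsExt rules:", rules_using(cfg, "CRLDistributionPointsExt"))
    print("enabled rules with no registered class:", unregistered_enabled_rules(cfg))
```

Run it against a real CMS.cfg by reading the file into parse_cms_config(); the revocation-checking parameters shown on page 379 come out of the same dictionary, for example cfg["auths.revocationChecking.validityInterval"].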

Page 342: ...naldb authz.instance.DirAclAuthz.pluginName=DirAclAuthz authz.instance.DirAclAuthz.ldap._000=## authz.instance.DirAclAuthz.ldap._001=## Internal Database authz.instance.DirAclAuthz.ldap._002=## authz.instance...

Page 343: ...straintsExt.class=com.netscape.cms.policy.NameConstraintsExt ca.Policy.impl.OCSPNoCheckExt.class=com.netscape.cms.policy.OCSPNoCheckExt ca.Policy.impl.AttributePresent.class=com.netscape.cms.policy.At...

Page 344: ...RLDistributionPointsExt.issuerName1= ca.Policy.rule.CRLDistributionPointsExt.issuerName2= ca.Policy.rule.CRLDistributionPointsExt.issuerType0= ca.Policy.rule.CRLDistributionPointsExt.issuerType1= ca.Polic...

Page 345: ...cy.rule.GenericASN1Ext.enable=false ca.Policy.rule.GenericASN1Ext.implName=GenericASN1Ext ca.Policy.rule.GenericASN1Ext.name= ca.Policy.rule.GenericASN1Ext.oid= ca.Policy.rule.GenericASN1Ext.pattern= ca...

Page 346: ...licy.rule.NameConstraintsExt.critical=true ca.Policy.rule.NameConstraintsExt.enable=false ca.Policy.rule.NameConstraintsExt.implName=NameConstraintsExt ca.Policy.rule.NameConstraintsExt.numExcludedSub...

Page 347: ...Policy.rule.ObjSignCertKeyUsageExt.predicate=certType==objSignClient ca.Policy.rule.PolicyConstraintsExt.critical=false ca.Policy.rule.PolicyConstraintsExt.enable=false ca.Policy.rule.PolicyConstraint...

Page 348: ...a.Policy.rule.SubCANameCheck.implName=SubCANameCheck ca.Policy.rule.SubCANameCheck.predicate= ca.Policy.rule.SubjectAltNameExt.enable=true ca.Policy.rule.SubjectAltNameExt.enableManualValues=false ca.P...

Page 349: ...rCRL.extension.IssuerAlternativeName.class=com.netscape.cmscore.ca.CMSIssuerAlternativeNameExtension ca.crl.MasterCRL.extension.IssuerAlternativeName.critical=false ca.crl.MasterCRL.extension.IssuerAl...

Page 350: ...netscape.cms.ldap.LdapCaCertPublisher ca.publish.publisher.impl.LdapCrlPublisher.class=com.netscape.cms.ldap.LdapCrlPublisher ca.publish.publisher.impl.LdapUserCertPublisher.class=com.netscape.cms.lda...

Page 351: ...0 cmsgateway.enableAdminEnroll=false cmsgateway.wirelessSupport=false dbs.ldap=internaldb dbs.newSchemaEntryAdded=true dbs.nextSerialNumber=103 internaldb._000=## internaldb._001=## Internal Database intern...

Page 352: ...job.requestInQueueNotifier.summary.emailSubject=Requests in Queue Summary Report jobsScheduler.job.requestInQueueNotifier.summary.emailTemplate=/usr/netscape/cert-testCA/emails/riq1Summary.html jobsSc...

Page 353: ...rolloverInterval=2592000 log.instance.Audit.type=audit log.instance.Error.bufferSize=512 log.instance.Error.enable=true log.instance.Error.expirationTime=2592000 log.instance.Error.fileName=/usr/netsca...

Page 354: ...kcs9.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14 oidmap.extensions_requested_vsgn.class=com.netscape.cms.servlet.cert.scep...

Page 355: ...uses its certificates For details see Keys and Certificates for the Main Subsystems on page 420 Determine if you want to generate any new certificates For details see Getting New Certificates for the...

Page 356: ...orms keep in mind the authentication method manual or automated you want to employ for your end entities Step 6 Setup Authentication for End Users Depending on how you ve deployed Certificate Manageme...

Page 357: ...nce renewal and revocation policies To understand policy see Introduction to Policy on page 559 1 During installation a few policy rules are already created and enabled Check each policy rule and deci...

Page 358: ...t these logs you can monitor a server s activities Also by configuring these logs you can control the information that gets written to the log files Because Certificate Management System maintains the...

Page 359: ...nternal token and trust database for PKI operations SSL ciphers during SSL negotiation privileged users and log files to log messages to This chapter explains how to configure the ports for a CMS inst...

Page 360: ...ssible services are usually maintained in a file named services On Unix if you are not running as root or superuser when you install or start the server you will have to use a port number higher than...

Page 361: ...ber you choose for the agent port affects your agent users all agents access Certificate Management System by specifying the name of the server the CMS instance and the agent port number in the URL Fo...

Page 362: ...es based on certain criteria for example an LDAP search filter defined over standard attributes and getting a CA s certificate chain Similar to the HTTP port you can enable or disable the HTTP port Fo...

Page 363: ...ns with the Agent Services interface that is HTTPS requests from agents To change the end entity HTTP port locate this line and edit the value assigned to port LS id="ee_nonSSL" ip="0.0.0.0" port="80" secur...

Page 364: ...s Step 2 Specify IP Addresses This step is optional You can configure CMS instances to listen to specific IP addresses For example you can install the Certificate Manager and Data Recovery Manager on...

Page 365: ...o the requests it receives These functions include the following Storing and retrieving of certificate issuance requests Storing and retrieving of certificate records Storing of CRLs Storing and retri...

Page 366: ...s CRLs and related information a Registration Manager only stores the certificate issuance requests it receives and a Data Recovery Manager only stores key records and related data Configuring the Int...

Page 367: ...as localhost instead of the actual host name for example certificates.example.com This is done on purpose to insulate the internal database from being visible outside the system that is a server on l...

Page 368: ...rt the server Step 2 Restrict Access to the Internal Database This step is optional Netscape Console displays an entry or icon for the Directory Server instance that Certificate Management System uses...

Page 369: ...ch you want to restrict access and click Open The Directory Server window appears 4 Select the Configuration tab 5 In the navigation tree expand Plugins and then select Pass Through Authentication 6 I...

Page 370: ...started from Netscape Console open the Directory Server window The Login to Directory dialog box appears the Distinguished Name field displays the Directory Manager DN and you re required to enter the...

Page 371: ...ted manager and granting access permissions to various CMS resources by adding the user to appropriate groups This chapter describes the types of privileged users you need to set up for a CMS instance...

Page 372: ...ration Manager For details see Trusted Managers on page 380 The role of a privileged user whether administrator agent or trusted manager is determined by the group to which the user belongs This is ex...

Page 373: ...red in a publishing directory Manage key archival and retrieval requests Manually add CRLs to the Online Certificate Status Manager See the list of OCSP requests processed by the Online Certificate St...

Page 374: ...em for it to service requests from the agents For information about agents certificates see Agent s Certificate for SSL Client Authentication on page 375 For information on creating agents for a CMS i...

Page 375: ...e exists in the subsystem s certificate or trust database and that the certificate is valid and trusted To check whether or not the CA s certificate exists in a subsystem s trust database follow the i...

Page 376: ...Rpb25zMQ8wDQYDVQQLEwZQZW9wbGUxFzA VBgoJkiaJkIsZAEBEwdzdXByaXlhMRcwFQYDVQQDEw5TdXByaXlhIFNoZXR0eTEjMCEGCSqGSIb3DbndgJ ARYUc3Vwcml5YUBuZXRzY2FwZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoYiYgthgtbbnjfngjn...

Page 377: ...ter the user imports the certificate into the web browser you need to copy the certificate in base 64 encoded form in order to be able to add it to a subsystem s internal database To copy an agent s c...

Page 378: ...gure a Certificate Manager and Registration Manager to check the revocation status of an agent s certificate the server receives during SSL client authentication You can configure a Data Recovery Mana...

Page 379: ...onChecking.ra=ra auths.revocationChecking.unknownStateInterval=0 auths.revocationChecking.validityInterval=120 If you have a Data Recovery Manager installed in the same instance in addition to the abo...

Page 380: ...forming specific functions depending on the subsystem to which it is connected You establish this trust between the two subsystems by configuring them to function in certain way revocationChecking unk...

Page 381: ...s the Registration Manager and signs all certificate signing requests sent by this Registration Manager For example as illustrated in the figure below you might deploy one or more Registration Manager...

Page 382: ...does not take on the main functions of the subsystem that trusts it For example if a Registration Manager is connected to a Certificate Manager the Registration Manager has no authority to issue sign...

Page 383: ...the subsystem trusts If the subsystem is a Certificate Manager the certificate must be issued by either the Certificate Manager itself or a CA that the Certificate Manager trusts Similarly if the Reg...

Page 384: ...n page 388 You cannot delete or change the group names Also don t change the internal database in which the groups are stored Group for Administrators During installation Certificate Management System...

Page 385: ...When the Certificate Manager is installed a group called Certificate Manager Agents is automatically created in its internal database After installation this group has a single user entry when you ge...

Page 386: ...gistration Manager you need to do additional configurations See Setting Up Agents on page 391 Group for Data Recovery Manager Agents When the Data Recovery Manager is installed a group called Data Rec...

Page 387: ...he Online Certificate Status Manager Agents group can access the Online Certificate Status Manager Agent Services interface see Online Certificate Status Manager Agent Services Interface on page 71 Fo...

Page 388: ...that user into as many groups as you like This section describes the following tasks Setting Up Administrators Setting Up Agents Setting Up Trusted Managers Setting Up Administrators You need at least...

Page 389: ...2 In the navigation tree select Users and Groups The Users tab appears on the right pane 3 Click Add The Select User Type window...

Page 390: ...ssword of up to eight characters for the user Give this password to the user The user is required to enter this password in the login screen of the CMS window Confirm password Retype the password exac...

Page 391: ...long to both Certificate Manager Agents and Administrators groups in the internal database of the Certificate Manager The request approval form includes a checkbox labeled This certificate is for a su...

Page 392: ...oup database copies the user s client certificate to the database and associates the certificate with the new user s entry 11 To verify log in to the CMS window for the Certificate Manager 12 In the n...

Page 393: ...not own a client certificate either issue the user a certificate or ask the user to get a certificate For details see Agent s Certificate for SSL Client Authentication on page 375 Identify the certif...

Page 394: ...on you enter here is to help you keep track of your agent users the user never sees or uses it The server relies solely on the agent s client certificate which you will add next for authentication Use...

Page 395: ...ent s certificate If you copied the user s certificate in base 64 encoded form to a text file proceed to Step 3 For details on getting the user s certificate see Agent s Certificate for SSL Client Aut...

Page 396: ...base 64 encoded form Be sure to include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines 4 Click OK You are returned to the Manage User Certificates window The certificate you imported should no...

Page 397: ...usted Setting Up Trusted Managers You can set up a Registration Manager or Certificate Manager to function as a trusted manager to another CMS instance This section explains how to do this Setting up...

Page 398: ...o the database and associates the certificate with the new user s entry Note that for a Certificate Manager to add the Registration Manager this way the Certificate Manager agent who approves the Regi...

Page 399: ...e Manager keep this in mind during the installation of a Registration Manager you generated a signing certificate for the Registration Manager If you requested the signing certificate from a Certifica...

Page 400: ...2 In the navigation tree select Users and Groups The Users tab appears 3 Click Add The Select User Type w...

Page 401: ...Type the full host name of the Registration Manager The host name can be an alphanumeric string of up to 255 characters It must be in the machine_name.your_domain.domain form Group Select Trusted Mana...

Page 402: ...he certificate with the user entry you created in Step 2 To store the Registration Manager s SSL client certificate in the internal database of the subsystem 1 In the Users tab select the user entry y...

Page 403: ...3 must be trusted by the subsystem that services certificate requests approved by the Registration Manager Make sure that this CA s certificate exists in the subsystem s certificate database internal...

Page 404: ...CMS window for the Registration Manager see Logging In to the CMS Window on page 333 2 In the navigation tree select Registration Manager The General Settings tab appears in the right pane 3 Select th...

Page 405: ...of the TCP IP port at which the Certificate Manager will listen to requests from the trusted Registration Manager The default port designated for communication between a trusted Registration Manager a...

Page 406: ...t it to use for SSL client authentication to the Data Recovery Manager that will trust it by default the Certificate Manager uses its SSL server certificate for this purpose The certificate must be cu...

Page 407: ...y with appropriate access privileges for a Certificate Manager 1 Log in to the CMS window for the Data Recovery Manager see Logging In to the CMS Window on page 333 2 In the navigation tree select Use...

Page 408: ...racters Host name Type the fully qualified host name of the Certificate Manager The host name can be an alphanumeric string of up to 255 characters It must be in this form machine_name.your_domain.domain...

Page 409: ...er s SSL server certificate in the internal database of the subsystem 1 In the Users tab select the user entry you just added for the Certificate Manager and click Certificates The Manage User Certifi...

Page 410: ...hival requests initiated by the Certificate Manager Make sure that this CA s certificate exists in the Data Recovery Manager s certificate database internal and that it is trusted To check whether the...

Page 411: ...on of a Data Recovery Manager you were prompted to specify the host name and port number of the Certificate Manager to which the Data Recovery Manager will be connected If you specified this informati...

Page 412: ...main form Port Type the number of the TCP IP port at which the Data Recovery Manager will listen to requests from the trusted Certificate Manager The port designated for communication between a truste...

Page 413: ...To change the group membership or access permissions of a privileged user see Changing Members in a Group on page 415 Changing a Privileged User s Login Information To change a privileged user s login...

Page 414: ...ertificate information you want to change and click Certificates The Manage User Certificate window appears 4 Take the appropriate action To view a certificate select the certificate and click View To...

Page 415: ...remove members from all groups Keep in mind that the group for administrators must have at least one user entry For details see Groups and Their Privileges on page 384 To change a group s members 1 L...

Page 416: ...he users you want to add and click OK You are returned to the Edit Group Information window 6 Click OK when you are done with the changes You are returned to the Groups tab 7 Click Refresh to view the...

Page 417: ...tree select Users and Groups The Users tab appears in the right pane 3 In the User ID list select the user you want to delete and click Delete 4 When prompted confirm your action If you click OK the...


Page 419: ...o install This chapter provides an overview of those certificates and it explains how to perform operations such as renewing the existing certificates before their validity period expires getting new...

Page 420: ...kens containing these keys must also be carefully guarded Access to the token itself should be limited If the keys and certificates are in the internal token make sure that only you or authorized admi...

Page 421: ...the Certificate Manager The default nickname for the certificate is caSigningCert cert-instance_id where instance_id identifies the CMS instance in which the Certificate Manager is installed and the...

Page 422: ...ate Note that for generating the OCSP signing key pair the wizard uses some of the information you provide for the CA signing key pair which is explained in section CA Signing Key Pair and Certificate...

Page 423: ...e CMS window Use the Certificate Database tool certutil to generate a key pair request a certificate for the key pair and install the certificate in the Certificate Manager s certificate database For...

Page 424: ...instance of KeyUsageExt plug in h Approve the request i Once you have the CRL signing certificate ready restart the wizard and install the certificate in the Certificate Manager s database For genera...

Page 425: ...he Certificate Manager is installed The Certificate Manager s SSL server certificate was issued by the CA to which you submitted the certificate signing request You might have submitted the request to...

Page 426: ...Signing Key Pair and Certificate Every Registration Manager you have installed has a certificate identified as the Registration Manager signing certificate whose public key corresponds to the private...

Page 427: ...atabase Content on page 482 The Registration Manager uses its SSL server certificate to do SSL server side authentication to the following The end entity services interface the HTTPS port The Registra...

Page 428: ...ate signing request You might have submitted the request to the Certificate Manager that is installed in the same instance internally deployed another CA or a public CA To find out the issuer name fol...

Page 429: ...S port The Data Recovery Manager Agent Services interface By default the Data Recovery Manager uses a single SSL server certificate for authentication purposes However you can request and install addi...

Page 430: ...ne Certificate Status Manager The default nickname for the certificate is Server-Cert cert-instance_id where instance_id identifies the CMS instance in which the Online Certificate Status Manager is i...

Page 431: ...cate Management System automatically generates these files in the file system of its host machine when you choose to use the internal token for the first time These files were created for you during C...

Page 432: ...iven an opportunity to name it be sure to use a name that will help you identify the token later Step 2 Install the PKCS 11 Module PKCS 11 is a standard set of APIs and shared libraries used by Netsca...

Page 433: ...choose DLL as your file type in addition to the path to the DLL you are also required to provide a name for the module you re attempting to install so as to help you identify it easily later The samp...

Page 434: ...DLL or other library file containing the implementation of the PKCS 11 interface module module_name specifies the name of the PKCS 11 module which you specified in Step 1 when you installed the driver...

Page 435: ...irs or to gain access to them you must enter that password The first time you specified this password is when you used the token the first time most likely during CMS installation It is good security...

Page 436: ...ystem provides a wizard called the Certificate Setup Wizard which automates the process of requesting and installing the certificates required by the CMS manager Certificate Manager Registration Manag...

Page 437: ...stalling a certificate by using the Certificate Setup Wizard Using the Wizard to Request a Certificate Using the Wizard to Install a Certificate or Certificate Chain For instructions on getting new ce...

Page 438: ...Step 1 Select the Operation Indicate whether you want to request a certificate or install a certificate For the purposes of completing the instructions...

Page 439: ...signing and SSL server certificates For details see Certificate Manager s Key Pairs and Certificates on page 421 If a Registration Manager is installed the list includes the Registration Manager s sig...

Page 440: ...want to request a signing certificate for the Online Certificate Status Manager Registration Manager Signing Certificate choose this option if you want to request a signing certificate for the Regist...

Page 441: ...token is identified as internal You should choose this option if the key pair for the certificate you chose in the previous step is stored in the local key database The names of external tokens vary m...

Page 442: ...rtificate whose private key has been compromised To generate a certificate request based on a new key pair select the token that can generate the key pair you want to use for generating the request Fo...

Page 443: ...DN string If you want to enter values for individual DN components provide the following information Common name enter the name as appropriate Except for the SSL server certificate the common name fo...

Page 444: ...ain View State or province enter the name of the state or province where your business is located For example California Country enter the name of the country where your business is located For exampl...

Page 445: ...certificate extensions are required if you are setting up a hierarchy of certificate authorities CAs Subordinate CAs must have certificates that include the extension identifying them as either a subo...

Page 446: ...nsion is marked critical as recommended by the PKIX standard and RFC 2459 see http://www.ietf.org/rfc/rfc2459.txt for a description of the Key Usage extension Extension in MIME 64 DER encoding select th...
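Pages 445 and 446 describe the extensions a subordinate CA's certificate request needs (a Basic Constraints extension identifying it as a CA and a Key Usage extension marked critical as RFC 2459 recommends) and a wizard field that accepts an extension in MIME 64 DER encoding. The Python below is an added example, not code from Netscape CMS or this guide. It DER-encodes those two extensions exactly as RFC 2459 section 4.1 lays out the Extension structure and prints the base 64 text to paste. It assumes the wizard field takes a single DER-encoded Extension; wrap_extensions() produces the SEQUENCE OF Extension form for a form that expects the whole set instead. The OIDs and bit positions are the standard ones from RFC 2459.

```python
"""DER encoding of Basic Constraints and Key Usage extensions, output in the
base-64 ("MIME 64 DER") form the Certificate Setup Wizard's extension field
takes.  Added example, not Netscape code; assumes the field takes one
Extension structure (wrap_extensions gives the SEQUENCE OF form)."""
import base64

OID_BASIC_CONSTRAINTS = b"\x55\x1d\x13"   # id-ce-basicConstraints 2.5.29.19
OID_KEY_USAGE = b"\x55\x1d\x0f"           # id-ce-keyUsage 2.5.29.15

KEY_USAGE_BITS = {  # RFC 2459 KeyUsage bit numbers
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}


def der(tag, content):
    """Minimal DER TLV encoder with shortest-form length (< 64 KiB)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content


def extension(oid, value_der, critical):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }.  DER omits a BOOLEAN equal to its DEFAULT."""
    crit = der(0x01, b"\xff") if critical else b""
    return der(0x30, der(0x06, oid) + crit + der(0x04, value_der))


def basic_constraints(ca, path_len=None, critical=True):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER OPTIONAL }; cA TRUE marks a (subordinate) CA."""
    body = der(0x01, b"\xff") if ca else b""     # cA FALSE is the default, omitted
    if path_len is not None:
        body += der(0x02, bytes([path_len]))
    return extension(OID_BASIC_CONSTRAINTS, der(0x30, body), critical)


def key_usage(usages, critical=True):
    """KeyUsage BIT STRING: bit 0 is the most significant bit of the first
    byte; trailing zero bits are dropped and counted as unused, per DER."""
    bits = sorted(KEY_USAGE_BITS[u] for u in usages)
    nbits = bits[-1] + 1
    nbytes = (nbits + 7) // 8
    value = bytearray(nbytes)
    for b in bits:
        value[b // 8] |= 0x80 >> (b % 8)
    unused = nbytes * 8 - nbits
    return extension(OID_KEY_USAGE, der(0x03, bytes([unused]) + bytes(value)), critical)


def wrap_extensions(*exts):
    """Extensions ::= SEQUENCE OF Extension, for a form that takes the set."""
    return der(0x30, b"".join(exts))


def mime64(blob):
    """Base-64 text as pasted into the wizard's extension field."""
    return base64.b64encode(blob).decode()


if __name__ == "__main__":
    print("basicConstraints (CA, pathLen 0):", mime64(basic_constraints(ca=True, path_len=0)))
    print("keyUsage (keyCertSign, cRLSign):", mime64(key_usage(["keyCertSign", "cRLSign"])))
```

The two values for a CA with no path length limit, MA8GA1UdEwEB/wQFMAMBAf8= and MA4GA1UdDwEB/wQEAwIBBg==, are the same encodings that appear in any CA certificate carrying critical Basic Constraints and critical keyCertSign/cRLSign Key Usage, which is a quick way to confirm the output before pasting it.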

Page 447: ...wZSBDb21tdW5pY2 F0aW9uczngjhnMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyNzE5MDAwMFoXDTk5MDIyMzE5MDA wMnbjdgngYoxIDAeBgNVBAoTF05ldHNjYXBlIENvbW11bmljYXRpb25zMQ8wDQYDVQQLEwZQZW9wbGUxFz AVBgoJkiaJkIsZAEBE...

Page 448: ...area provided in the CA s enrollment form Sending the CSR Automatically to a CMS Manager To send the certificate signing request CSR automatically to a Certificate Manager 1 Type the appropriate valu...

Page 449: ...tructions in Using the Wizard to Install a Certificate or Certificate Chain on page 452 Sending the CSR Manually to an Internal CA The following instructions assume that your internally deployed CA is...

Page 450: ...nes BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST 7 Submit the request 8 When the CA sends you a response save the information in a text file for future reference or inquiry Note that...

Page 451: ...and paste the CSR from the text file 6 Submit the request 7 When the CA sends you a response save the information in a text file for future reference or inquiry 8 When you receive the certificate fro...

Page 452: ...n each certificate in the chain is encoded as a separate DER encoded object When the wizard imports a certificate chain it imports these objects one after the other all the way up the chain to the las...

Page 453: ...ed by the delimiters BEGIN CERTIFICATE and END CERTIFICATE Netscape Certificate Sequence This is a simpler format for downloading certificate chains It consists of a PKCS 7 ContentInfo structure wrapp...

Page 454: ...ment System Installation and Setup Guide May 2002 Step 1 Select the Operation Indicate whether you want to request a certificate or install a certificate For the sake of completing the instructions th...

Page 455: ...OCSP Signing Certificate choose this option if you want to install an OCSP signing certificate for the Certificate Manager installed in the currently selected CMS instance Registration Manager Signing...

Page 456: ...this option if you want to install any other certificate for example a CRL signing certificate or an SSL client certificate Step 3 Specify the Location of the Certificate Locate the certificate or cert...

Page 457: ...coded certificate blob should look similar to this BEGIN CERTIFICATE MIICKzCCAZSgAwIBAgIBAzANgkqkiG9w0BAQQFADA3MQswCQYDVQQGEwJVUzERMA8GA1UEChMITmV0c2Nh cGUxFTATBgNVBAsTDFN1cHJpeWEncyBDQTAeFw05NzEwMTgw...

Page 458: ...he certificate or certificate chain information you have selected for installing You should check the information to make sure that you have chosen the correct one for installing After verifying that...

Page 459: ...he following The SSL server certificates a server must use for authenticating to the end entity agent and administration interfaces For details see Configuring the Server to Use Separate SSL Server Ce...

Page 460: ...Once you have installed the certificates you should be able to see them in the list of SSL server certificates in the Encryption tab of the CMS window Step 2 Update the Configuration After you verify...

Page 461: ...ry For details about publishing certificates and CRLs to a directory see Chapter 19 Setting Up LDAP Publishing If you want the Certificate Manager to use another certificate for authenticating to the...

Page 462: ...e For general instructions to use the wizard to add a certificate see Using the Wizard to Install a Certificate or Certificate Chain on page 452 Note that the default nickname for the certificate is c...

Page 463: ...l status makes it possible to export Certificate Management System with the same encryption and cryptographic features available in the US and Canada For more information check the license and export...

Page 464: ...f export browsers to establish strong SSL sessions with domestic SSL servers if they have the appropriate step up certificates Because many of the features such as issuance of dual certificates for du...

Page 465: ...L Communications on page 462 4 Click OK You are returned to the Encryption tab 5 To save your changes click Save The CMS configuration is modified If the changes you made require you to restart the se...

Page 466: ...nd SSL server certificates for the Certificate Manager signing and SSL server certificates for the Registration Manager transport and SSL server certificates for the Data Recovery Manager and signing...

Page 467: ...age 690 If you want to get a new signing certificate for a Registration Manager check whether the Registration Manager has been set up as a trusted manager for a Certificate Manager and Data Recovery...

Page 468: ...t database of Certificate Management System If not do you want to trust it Can the public CA issue the certificate you want to request Does the public CA impose any restrictions on certificates it iss...

Page 469: ...xtensions and validity period for the certificate Step 2 Request the New Certificate Once you have all the information go ahead and request the certificate The Certificate Setup Wizard built into the...

Page 470: ...tificates issued by the CA using its old key will work For example if the CA has issued certificates to subordinate Certificate Managers Registration Managers Data Recovery Managers Online Certificate...

Page 471: ...istration Manager Here s what you must do 1 Install the new signing certificate in the subsystems certificate databases Because the Registration Manager uses its signing certificate for SSL client aut...

Page 472: ...se on page 487 If you find the CA certificate verify its trust status If it is untrusted change the status to trusted For instructions on changing the trust setting of a CA certificate see Changing th...

Page 473: ...e listed there 4 Repeat steps 1 through 3 for any additional enrollment or key archival pages Deploying a Subsystem s SSL Server Certificate By default the Certificate Manager and Registration Manager...

Page 474: ...w the certificates used by the Certificate Manager Registration Manager Data Recovery Manager and Online Certificate Status Manager before they expire For example if you generated these certificates d...

Page 475: ...tects the token If the token is external make sure that the token is installed properly see Installing External Tokens on page 432 Decide on the validity period of the renewed certificate Decide on th...

Page 476: ...ectory which is located here server_root cert instance_id config The names of the text files vary depending on the certificate you choose for renewal Table 14 2 lists them NOTE When renewing a certifi...

Page 477: ...you must install it in the token that contains the key pair for the certificate this is the token you used to generate the request in Step 2 The Certificate Setup Wizard automates the process of insta...

Page 478: ...ine Certificate Status Manager again For details see Step 3 Identify the CA to the OCSP Responder on page 690 You might also need to get a new agent certificate For instructions see the procedure outl...

Page 479: ...you find the CA certificate verify its trust status If it is untrusted change the status to trusted For instructions on changing the trust setting of a CA certificate see Changing the Trust Settings...

Page 480: ...nsport certificate locate the certificate the MIME 64 string for the certificate will be listed there 4 Repeat steps 1 through 3 for any additional key archival or enrollment pages Deploying a Subsyst...

Page 481: ...lishing Directory on page 636 Step 5 Restart the Server After you renew any of the CMS certificates using the wizard you must restart the server For instructions see Restarting Certificate Management...

Page 482: ...tes the server uses To view the contents of the database 1 Log in to the CMS window see Logging In to the CMS Window on page 333 2 Select the Configuration tab and then in the right pane select the En...

Page 483: ...tabase contains multiple certificates with the same nickname they are sorted by their validity periods the most recently requested certificate is placed at the top For each certificate you see the fol...

Page 484: ...uration tab and then in the right pane select the Encryption tab 3 Click Manage Certificate The Certificate Database Management window appears The window lists all the certificates for the selected in...

Page 485: ...ertificate authentication By making the CA certificate untrusted you can prevent entities whose certificates have been signed by that CA from successfully authenticating to Certificate Management Syst...

Page 486: ...us If the certificate you selected is currently trusted the window shows a button named Change to Untrusted If it is untrusted the window shows a button named Change to Trusted 5 Click Change to Untru...

Page 487: ...A listed in its trust database as a trusted CA so it rejects the Registration Manager s service request The Certificate Setup Wizard built into the CMS window automates the process of installing trust...

Page 489: ...t page 501 Setting Up Agent Initiated End User Enrollment page 524 Managing Authentication Instances page 524 Managing Authentication Plug in Modules page 527 Introduction to Authentication Authentica...

Page 490: ...stem uses built in authentication mechanisms Authentication of Administrators When an administrator makes an administrative request to Certificate Management System from the CMS window within Netscape...

Page 491: ...al database 2 If the user ID and password bind successfully to a user entry authentication succeeds otherwise it fails If authentication fails the server logs an error message and sends a rejection no...

Page 492: ...ociating them with the corresponding users identification information for details see Setting Up Agents on page 391 When an agent makes a request to perform a privileged operation the server requests...

Page 493: ...1 An agent opens a web browser and enters the URL to the Registration Manager Agent Services interface hosted by the Registration Manager The server requests the client for SSL client authentication T...

Page 494: ...that it has been issued by a CA that the Registration Manager trusts For details on configuring the Certificate Manager or Registration Manager to check the revocation status of its agents certificat...

Page 495: ...ile Authentication of End Users During Certificate Renewal When an end user submits a certificate renewal request the first step in the renewal process is for the Certificate Manager or Registration M...

Page 496: ...the server displays the URL for downloading the certificate This situation may occur if the end user forgets to download the renewed certificate It can also happen if the end user maintains two identi...

Page 497: ...voke his or her own certificate not a certificate belonging to someone else Both Certificate Manager and Registration Manager support the following methods of revocation SSL client authenticated revoc...

Page 498: ...s certificate revocation requests to this Certificate Manager For information on trusted managers see Trusted Managers on page 380 The certificate the user attempts to revoke must be currently valid o...

Page 499: ...ates the password with the certificate stores both the certificate and password in its internal database and uses them later for authenticating any revocation requests In the challenge password based...

Page 500: ...mismatch between the challenge password and serial number the server rejects the revocation request Certificate Revocation Forms The End Entity Services interface of the Certificate Manager and Regis...

Page 501: ...available by clicking the Help button on the form For more information on customizing the form see CMS Customization Guide Configuring Authentication for End User Enrollment To set up a Certificate M...

Page 502: ...odule note the authentication directory credentials such as the host name port number based DN the user entry to bind as and the corresponding password LDAP version number and minimum and maximum numb...

Page 503: ...t Complete this step only if you want to configure the server to use the directory and PIN based authentication method with or without PIN removal Otherwise skip to the next step To set up a directory...

Page 504: ...N from the directory after Certificate Management System successfully authenticates that user and thus prevents the user from enrolling for another certificate ACIs must be set up on the directory to...

Page 505: ...ACI for ou people o example com successful Step C Prepare the Input File This step is optional If you want to generate PINs for specific user entries or want to provide your own PINs use an input file...

Page 506: ...delivering PINs to users after you complete setting up the required authentication method see Step 9 Deliver PINs to End Users on page 523 Step 3 Enable the AttributePresentConstraints Policy This st...

Page 507: ...utes When a user enrolls for a certificate using the End Entity Services interface of the Registration Manager it authenticates the user against the replica of the corporate directory If the user pres...

Page 508: ...Chapter 3 Constraints Policy Plug in Modules of CMS Plug Ins Guide Note that unlike some of the other policy rules Certificate Management System does not create an instance of the Attribute Present Co...

Page 509: ...configuration You are returned to the Policy Rules Management tab If required click the Reorder button and order the rules as appropriate For details see Step 5 Reorder Policy Rules on page 579 Step...

Page 510: ...by default only the instance names are embedded in the forms for your convenience If you create authentication instances with the default names you can skip the step Step A Associate the Authenticati...

Page 511: ...Authentication information in the default directory based enrollment form For information on locating and customizing the default end entity forms see CMS Customization Guide To add an authentication...

Page 512: ...ovided by default with Certificate Management System If you have registered any custom authentication plug in modules they too will be available for selection UidPwdDirAuth Select this if you want to...

Page 513: ...module For the purposes of this instruction assume that you selected UidPwdPinDirAuth 5 Click Next The Authentication Instance Editor window appears The Authentication Instance ID field shows the def...

Page 514: ...5 Set Up the Enrollment Interface This step explains how to customize the end entity interface for the enrollment method you ve chosen for your users Step A Associate the Authentication Instance With...

Page 515: ...tribute the VALUE field Make sure that it is the same as the name or ID you assigned to the authentication instance you created in Step 5 If it is different replace it with the name of the authentication...

Page 516: ...rt instance_id web apps ee subsystem 2 Locate the index html file 3 Open the file in a text editor 4 Follow instructions as appropriate If you want to enable the CertBasedDualEnroll html form search f...

Page 517: ...w menuItem item CertBasedSingleEnroll html Certificate Uncomment the lines and then add lines for using the automated enrollment module you configured the server with Your edited lines should look lik...

Page 518: ...ink for the corresponding form is automatically created under the Browser section For example if you create an instance of the directory based authentication module you will notice a new link named Di...

Page 519: ...interaction the Registration Manager is not configured for end entity interaction Depending on the subsystem you re configuring follow the instructions in Enabling End Entity Interaction with a Certif...

Page 520: ...e Both the modules are explained in CMS Plug Ins Guide 4 In the Certificate Serial Number section specify the serial number range for certificates issued by this Certificate Manager The server assigns...

Page 521: ...dified If the changes you made require you to restart the server you will be prompted accordingly In that case restart the server Enabling End Entity Interaction with a Registration Manager To enable...

Page 522: ...enrollment authority you configured The default URL is as follows https hostname end_entity_HTTPS_port or http hostname end_entity_HTTP_port 3 In the Enrollment tab open the enrollment form you custo...

Page 523: ...is corpDirectory port number is 389 base DN is O example com and user s ID is jdoe the URL would look like this ldap corpDirectory 389 O example com sub uid jdoe In the resulting page look for the us...

Page 524: ...HashAuth provided for the Registration Manager That is the enrollment form works only if an instance of the HashAuth authentication plug in is enabled in the Registration Manager s configuration givi...

Page 525: ...ation 1 Log in to the CMS window see Logging In to the CMS Window on page 333 2 Select the Configuration tab 3 In the navigation tree click Authentication The right pane shows the Authentication Insta...

Page 526: ...user servlet configuration To modify an authentication instance in the CMS configuration 1 Log in to the CMS window see Logging In to the CMS Window on page 333 2 Select the Configuration tab 3 In the...

Page 527: ...k OK The CMS configuration is modified If the changes you made require you to restart the server you will be prompted accordingly In that case restart the server Managing Authentication Plug in Module...

Page 528: ...t implements an authentication module com netscape certsrv authentication ssnAuth Before registering an authentication module be sure to put the Java class for the module in the classes directory If y...

Page 529: ...n is modified If the changes you made require you to restart the server you will be prompted accordingly In that case restart the server Deleting an Authentication Module You can delete an authenticat...

Page 530: ...Setup Guide May 2002 4 In the Plugin Name list select the module you want to delete and click Delete 5 When prompted confirm the delete action The CMS configuration is modified If the changes you made...

Page 531: ...mizing Notification Messages page 534 Configuring a Subsystem to Send Notifications page 539 Automated Notifications You can configure the Certificate Manager and Registration Manager to send automated...

Page 532: ...a notification certIssued and for the Registration Manager it is defined as ra notification certIssued For more information on listeners check the samples provided in CMS SDK server_root cms_sdk cms_j...

Page 533: ...roblems The location of the notification email template The subject line of the notification message Notification of New Request in Queue When a deferred end entity request enters the request queue of...

Page 534: ...n message The email addresses of message recipients these should be subsystem agents whose task is to review deferred enrollment requests Customizing Notification Messages Notification and summary ema...

Page 535: ...n text notifications to end entities upon issuance of certificates certIssued_RA html Template for the Registration Manager to send HTML based notifications to end entities upon issuance of certificat...

Page 536: ...ation Manager notification_name specifies the name of the event triggered notification certIssued for the certificate issuance notifications to end entities and requestInQ for the request in queue not...

Page 537: ...ms please send an email to cert_central example com Thank you Tokens Available in Message Templates This section explains the tokens provided in the templates used by the default job plug in and event...

Page 538: ...This token enables you to construct the URL from which end entities can download their certificates see the example in Customizing Message Templates on page 536 InstanceID Specifies the ID assigned to...

Page 539: ...on is sent by a Certificate Manager this will be ca If the notification is sent by a Registration Manager this will be ra RequestId Specifies the request ID Table 16 4 Tokens for the request in queue...

Page 540: ...ssages on page 534 and customize the message templates for the notifications you want to turn on Step 2 Turn On Certificate Issuance Notification Skip to the next step if you don t want to turn this...

Page 541: ...at contains the template to be used for formulating the message content 6 To save your changes click Save The CMS configuration is modified If the changes you made require you to restart the server yo...

Page 542: ...ubject title for the notification for example End Entity Request in Queue Recipient s E Mail Address Type the recipient s full email address this is the person who will check the queue You can specify...

Page 543: ...rwise type the full host name of the machine on which your mail server is installed Certificate Management System uses this name to access the mail server The format for the host name is as follows ma...

Page 544: ...ses in the notification configuration to your email address 2 Go to the end entity interface and request a certificate using the manual enrollment form When the request gets queued for agent approval...

Page 545: ...for various job items appear in the configuration file The chapter has the following sections Configuring a Subsystem to Run Automated Jobs page 545 Managing Job Plug in Modules page 555 Configuring...

Page 546: ...on Messages section to get familiar with the templates the server uses for formulating notification messages If you want to customize them do that before you start configuring a job plug in check the...

Page 547: ...ternatively you may keep it in the disabled state If you want to create a new job follow the instructions in Step 4 Add New Jobs on page 549 Figure 17 1 Default jobs created for a Certificate Manager...

Page 548: ...7 1 showing the default jobs 4 In the Instance Name list select a job that you want to modify For the purposes of this instruction assume that you selected the job named unpublishExpiredCerts 5 Click...

Page 549: ...need to create a new job because jobs for all the default plug ins are created for you during installation However in certain circumstances for example if you deleted a default instance you might hav...

Page 550: ...ger To add a job to the CMS configuration 1 In the Job Instance tab click Add The Select Job Plugin Implementation window appears Table 17 2 Job modules registered with a Certificate Manager and Regis...

Page 551: ...n Job Instance ID Type a unique name that will help you identify the job Be sure to formulate the name using any combination of letters aA to zZ digits 0 to 9 an underscore _ and a hyphen For example...

Page 552: ...to be used for formulating the message content For example usr netscape servers cert testCA emails renewJob txt summary enabled Type true if you want the server to compile a summary report of renewal...

Page 553: ...steps 1 through 5 and create additional rules if required Step 5 Schedule the Frequency The Certificate Manager and Registration Manager can execute a job only if the Job Scheduler is turned on or en...

Page 554: ...tion is modified If the changes you made require you to restart the server you will be prompted accordingly In that case restart the server Step 6 Verify Mail Server Settings The Certificate Manager a...

Page 555: ...quests Otherwise type the port number 3 To save your changes click Save The CMS configuration is modified If the changes you made require you to restart the server you will be prompted accordingly In...

Page 556: ...the Java class that implements the module For example you can add a job implementation named as follows com netscape jobscheduler unpublishUserCert Before registering a module be sure to put the Java...

Page 557: ...type com customplugins customJob 7 Click OK The CMS configuration is modified If the changes you made require you to restart the server you will be prompted accordingly In that case restart the serve...

Page 558: ...ob Plugin Registration tab appears It lists currently registered job modules 5 In the Plugin Name list select the module you want to delete and click Delete 6 When prompted confirm the delete action T...

Page 559: ...Modules page 582 Introduction to Policy You can configure the main subsystems of Netscape Certificate Management System CMS the Certificate Manager Registration Manager and Data Recovery Manager to a...

Page 560: ...revocation requests from end entities in order to formulate the certificate content before forwarding the requests to a Certificate Manager for signing For example you can configure a Registration Ma...

Page 561: ...validity period Enforce organizational constraints such as subject name key algorithm key size and validity period Determine whether the private key should be archived Keep in mind that the server ap...

Page 562: ...sing variables and relational operators AND or OR For example you could set up a predicate to put the CRL Distribution Point extension only in SSL client certificates or set different validity dates f...

Page 563: ...equest Other attributes regarding the end entity such as the user ID are set on the request after successful authentication The servlets also interpret the form content for example retrieving the key...

Page 564: ...a Attributes for Predicates Attributes for predicates can come from any of the following Input form that is the HTML form that end entities use for submitting certificate requests Authentication token...

Page 565: ...ver certificate Enrollment doSslAuth Specifies whether the client is required to do SSL client authentication during enrollment Default values include the following on off Enrollment certauthEnroll Sp...

Page 566: ...uide Enrollment cepsubstore Specifies the name of the CEP service for example cep1 and cep2 When setting up multiple CEP services you can use predicates to differentiate one service from another see St...

Page 567: ...issue certificates with the appropriate validity periods you must formulate your predicate expression with the attribute you added Here s how you do this 1 Create a new instance of the ValidityConstra...

Page 568: ...dityRule2 maxValidity 60 ca Policy rule ValidityRule2 minValidity 10 ca Policy rule ValidityRule2 predicate HTTP_PARAMS certType client AND HTTP_PARAMS orgunit Sales The new configuration would result...

Page 569: ...es on the request 2 If at least one of the policy rules requires agent approval for the request that is if any of the policy rules returned a PolicyResult DEFERRED value the processor stores the reque...

Page 570: ...Information on page 28 This planning will help you configure a Certificate Manager and Registration Manager with the appropriate policy rules so that your end entities get the right kind of certifica...

Page 571: ...s certificate renewal requests if DefaultRenewalValidityRule is disabled If you don t want to use a rule delete it from the configuration as explained in Step 3 Delete Unwanted Policy Rules on page 57...

Page 572: ...erExt Yes Yes CertificatePoliciesExt Yes Yes NSCCommentExt Yes Yes OCSPNoCheckExt No No OCSPSigningExt Yes Yes CODESigningExt Yes Yes GenericASN1Ext Yes Yes CRLDistributionPointsExt Yes Yes SubjectAlt...

Page 573: ...Select Policies The Policy Rules Management tab appears It lists configured policy rules 5 In the Policy Rule list select a rule that you want to modify For the purposes of this instruction assume tha...

Page 574: ...tart the server you will be prompted accordingly Don t restart the server yet you can do so after you ve made all the required changes Step 4 Add New Policy Rules Adding a policy rule to the CMS confi...

Page 575: ...policy modules registered with a Certificate Manager Table 18 4 Policy modules of a Certificate Manager and Registration Manager Policy plug in module name Certificate Manager Registration Manager Att...

Page 576: ...o PrivateKeyUsagePeriodExt Yes Yes RemoveBasicConstraintsExt Yes No RenewalConstraints Yes Yes RenewalValidityConstraints Yes Yes RevocationConstraints Yes Yes RSAKeyConstraints Yes Yes SigningAlgorit...

Page 577: ...plementation window appears It lists registered policy plug in modules If you have registered any custom policy modules see Registering a Policy Module on page 582 they too will be listed here 2 Selec...

Page 578: ...cates The value must be an integer greater than zero and also greater than the value you typed for the minValidity parameter The default value is 730 days leadTime Type the lead time in minutes for ce...

Page 579: ...y category in the configuration file a policy configuration with a lower priority precedes one with a higher priority This simple linear listing avoids the need to have explicit locking on request att...

Page 580: ...restart the server in any of the previous steps To restart the server from the CMS window 1 Click the Tasks tab 2 Click Restart the Server Step 7 Test Policy Configuration To make sure that you ve co...

Page 581: ...generation process Step B Approve the Request This step is required if you used the manual enrollment form for requesting the certificate The request you submitted is waiting in the agent queue for ap...

Page 582: ...o To learn more about how to use JavaScript in Certificate Management System consult the sample policy js file included in the distribution server_root bin cert profiles policy js Managing Policy Plug...

Page 583: ...s policy framework 1 Log in to the CMS window see Logging In to the CMS Window on page 333 2 Select the Configuration tab 3 In the navigation tree select the subsystem that will use the module you wan...

Page 584: ...ated configuration click Refresh Deleting a Policy Module You can delete unwanted policy plug in modules using the CMS window Before deleting a module be sure to delete all the policy rules that are b...

Page 585: ...er explains how to configure the Certificate Manager to publish certificates and CRLs to an LDAP directory The chapter also tells you how to update the directory manually if the need arises The chapte...

Page 586: ...es to a directory for distribution Note that configuring the Certificate Manager for LDAP publishing is optional you can turn this feature off without affecting any of the certificate issuance renewal...

Page 587: ...ia a Registration Manager get published to the directory Figure 19 3 Publishing of certificates requested via a Registration Manager Timing of Directory Updates If the LDAP directory is properly confi...

Page 588: ...You need to configure the server to run the appropriate job For details see Configuring a Subsystem to Run Automated Jobs on page 545 When the certificate revocation list is created or updated either...

Page 589: ...ly published or not Directory Update Process As indicated in Table 19 1 on page 588 when a Certificate Manager is requested to issue a certificate update certificate information or publish a CRL it au...

Page 590: ...u can use the Update Directory option in the Certificate Manager Agent Services interface to synchronize the publishing directory with the internal database The following choices are available for syn...

Page 591: ...two separate key pairs one for signing certificates and another one for signing CRLs The CA s function includes creating the CRLs periodically and distributing them to other applications For example t...

Page 592: ...longer has the right to use the certificate The private key of a certificate owner has been compromised The certificate owner doesn t want to use the certificate The private key of the CA that issued...

Page 593: ...e Retrieval tab of the CMS end entity interface Netscape client users can manually check the revocation status of a particular certificate and automatically import the latest version of the CRL into t...

Page 594: ...tically updated in the publishing directory Note that the server publishes the CRL to the certificateRevocationList binary attribute of the CA s entry in the directory To locate the correct directory...

Page 595: ...CRL and thus speed up the revocation status checking process CRL distribution points can be associated with certificates by setting the CRLDistributionPoint extension in them By default the Certifica...

Page 596: ...s certificates and CRLs to the directory Read Chapter 5 Mapper Plug in Modules and Chapter 6 Publisher Plug in Modules of CMS Plug Ins Guide Be sure to take a look at the default mappers and publisher...

Page 597: ...s on page 421 By default the server uses its SSL server certificate see SSL Server Key Pair and Certificate on page 425 Depending on your PKI setup you may use an external CA for requesting the certif...

Page 598: ...Schema for Publishing End Entity Certificates The Certificate Manager publishes an end entity s certificate to the userCertificate binary attribute within the end entity s or subject s directory objec...

Page 599: ...ateRevocationList binary This attribute is an attribute of the object class certificationAuthority The value of the attribute is the DER encoded binary X 509 certificate revocation list The CA s entry...

Page 600: ...and CRLs 3 Double click the instance or select the instance and click Open This opens the Directory Server window 4 Select the Directory tab 5 Select the domain name right click select New and then s...

Page 601: ...For example it may look like this CN testCA OU Research Dept O Example Corporation ST California C US For instructions on giving write access to the Certificate Manager s entry see your LDAP directory...

Page 602: ...ublishing With Basic Authentication To configure Directory Server for basic authentication 1 Go to the Directory Server window 2 Select the Configuration tab and then in the right pane select the Encr...

Page 603: ...rver certificate Trust the CA that issued the certificate the Certificate Manager will use for SSL client authentication Use a valid secure port number for communication with the Certificate Manager H...

Page 604: ...ory Server from a CA that is trusted by the Certificate Manager You may get this certificate from the Certificate Manager itself The instructions that follow Step 2 through Step 9 explain how to do th...

Page 605: ...select the Tasks tab and then click the Certificate Setup Wizard button b Select the token for generating the key pair and for storing the certificate Since you don t have the certificate select No If...

Page 606: ...nges to it As indicated in the message a copy of this information is also saved to the temp file in the host machine s file system BEGIN NEW CERTIFICATE REQUEST MMIIBnzCCAQgCAQAwXzELMAkGA1UEBhMCVXMxEz...

Page 607: ...n who will process this request e Click Submit 4 Approve the request you submitted Skip to the next step if you submitted the CSR to an external CA Complete this step if you submitted the CSR to the C...

Page 608: ...scroll down to the section that says Installing this certificate in a server b Copy the base 64 encoded certificate including the BEGIN CERTIFICATE and END CERTIFICATE marker lines to a text file or...

Page 609: ...Go to the end entity interface of the Certificate Manager or to the Registration Manager that s connected to the Certificate Manager b Click the Retrieval tab c In the left frame click Import CA Cert...

Page 610: ...Server listens for incoming requests a In the Directory Server window select the Configuration tab and then in the navigation tree select the root the topmost item b Select the Settings tab in the ri...

Page 611: ...section select the appropriate option Do not allow client authentication Select this if you want to configure the directory for basic authentication or for SSL based communication without client auth...

Page 612: ...g the entry in the directory What certificate attributes the server should use as search criteria when searching for the entry in the directory Whether the server needs to go through any additional ve...

Page 613: ...the entire LDAP tree for entries matching the filter If there isn t a DNComps entry in the mapping the server uses either the CmapLdapAttr setting if present or the entire subject DN in the Certifica...

Page 614: ...yGroup O MyCompany C US MyCA dnComps OU O C MyCA filterComps E MyCA verifycert on This file has two mappings a default one and another for MyCA When the Directory Server gets a certificate from anyone...

Page 615: ...SSL client authentication by the Certificate Manager is myCA and that the issuer name or DN of the CA is CN rootCA O example com the server should use the FilterComps attributes to locate the entry I...

Page 616: ...d supply the PIN or password that protects the key pair you generated for the Directory Server s certificate For security reasons the dialog box that prompts you for this PIN appears only on the serve...

Page 617: ...default publishers are as follows LdapCaCertPublisher LdapCrlPublisher LdapUserCertPublisher The Certificate Manager also creates a set of publishing rules using the default mappers and publishers The...

Page 618: ...ng and then select Mappers The right pane shows the Mappers Management tab which lists configured mappers 4 In the Mapper list select a mapper that you want to modify For the purposes of completing th...

Page 619: ...ple Corporation the pattern should look like this cn Certificate Authority o subj o This rule applies to all mappers 7 To modify the remaining mappers repeat steps Step 4 through Step 6 8 Click Refres...
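The mapping rules described above (DNComps, FilterComps, CmapLdapAttr, verifycert and the `$subj.o` LdapDNPattern) decide which directory entry a client certificate authenticates as, so an over-broad base, a skipped component or an unescaped subject value can make the Certificate Manager (or anyone else presenting a certificate) bind as the wrong entry. The following Python is an added example, not Netscape code: it derives the search base and filter one certmap rule yields for a subject DN, expands an LdapDNPattern, and forms the ldap:// lookup URL used in the chapter's test step. The RFC 4515 filter escaping and the "first occurrence wins" rule for repeated subject attributes are this example's assumptions; the page does not say how Directory Server or CMS treat those cases.

```python
"""Resolve the directory entry a certificate maps to, following the certmap.conf
DNComps / FilterComps / CmapLdapAttr rules and the LdapDNPattern ($subj.<attr>)
mapper this chapter describes.  Added example, not Netscape code."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote

# Subject attribute names whose LDAP attribute is spelled differently; "E" -> mail
# is the one the chapter's example depends on.  Others fall back to lower case.
LDAP_ATTR_FOR = {"E": "mail", "EMAIL": "mail", "EMAILADDRESS": "mail"}
def ldap_attr(subject_attr: str) -> str: return LDAP_ATTR_FOR.get(subject_attr.upper(), subject_attr.lower())

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """'UID=jdoe, OU=People, O=Example, C=US' -> [('UID','jdoe'), ...] in subject
    order.  Backslash-escaped commas are kept; multi-valued RDNs ('+') are not handled."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, eq, value = rdn.strip().partition("=")
        if not eq or not attr.strip() or not value.strip(): raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping.  certmap copies subject values into a search filter; a
    subject such as UID=jdoe*)(objectClass=* would otherwise rewrite the query.
    Defensive addition: the page does not say whether CMS or DS escape here."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def map_certificate(subject: str, dn_comps: Optional[List[str]], filter_comps: List[str],
                    cmap_ldap_attr: Optional[str] = None) -> Tuple[str, str]:
    """(search_base, filter) for one certmap rule.
    dn_comps None -> no DNComps line: CmapLdapAttr search over the whole tree if set,
                    else the subject DN itself is taken as the entry DN;
    dn_comps []   -> DNComps present but empty: search the entire tree;
    otherwise the base DN is built from those subject components, in subject order.
    FilterComps absent from the subject are skipped; the first occurrence of an
    attribute wins (an assumption of this example, the page does not say)."""
    pairs = parse_dn(subject)
    if dn_comps is None:
        if cmap_ldap_attr: return "", "(%s=%s)" % (cmap_ldap_attr, escape_filter_value(subject))
        return subject, "(objectClass=*)"
    wanted = {c.upper() for c in dn_comps}
    base = ",".join("%s=%s" % (ldap_attr(a), v.replace(",", "\\,")) for a, v in pairs if a in wanted)
    first: Dict[str, str] = {}
    for a, v in pairs: first.setdefault(a, v)
    terms = ["(%s=%s)" % (ldap_attr(c), escape_filter_value(first[c.upper()]))
             for c in filter_comps if c.upper() in first]
    if not terms: raise ValueError("none of FilterComps %s present in subject" % filter_comps)
    return base, terms[0] if len(terms) == 1 else "(&%s)" % "".join(terms)

def expand_dn_pattern(pattern: str, subject: str) -> str:
    """LdapDNPattern expansion, e.g. 'cn=Certificate Authority, o=$subj.o'.  An
    attribute missing from the subject is an error rather than an empty RDN."""
    first: Dict[str, str] = {}
    for a, v in parse_dn(subject): first.setdefault(a, v)
    def sub(m):
        attr = m.group(1).upper()
        if attr not in first: raise KeyError("subject has no %s for %s" % (attr, m.group(0)))
        return first[attr]
    return re.sub(r"\$subj\.([A-Za-z]+)", sub, pattern)

def ldap_url(host: str, port: int, base: str, flt: str, scope: str = "sub") -> str:
    """RFC 4516 URL of the form the chapter's test step uses to look an entry up."""
    return "ldap://%s:%d/%s??%s?%s" % (host, port, quote(base, safe="=,"), scope, quote(flt, safe="=()&*"))

if __name__ == "__main__":
    subj = "UID=jdoe, E=jdoe@example.com, OU=People, O=Example Corporation, C=US"
    print(map_certificate(subj, ["OU", "O", "C"], ["E"]))     # the MyCA rule shown on the page
    print(map_certificate(subj, None, []))                       # default: the subject DN is the entry
    print(expand_dn_pattern("cn=Certificate Authority, o=$subj.o", subj))
    print(ldap_url("corpDirectory", 389, "O=example.com", "(uid=jdoe)"))
```

With `verifycert on`, Directory Server additionally compares the presented certificate against the userCertificate value stored in the entry found, which is the check that catches a mapping that lands on the wrong entry; keep it on for the Certificate Manager's own entry.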

Page 620: ...appears showing how this publisher is currently configured 4 Make the necessary changes and click OK You are returned to the Publishers Management tab 5 To modify the remaining publishers repeat steps...

Page 621: ...t Publishing and then select Rules The right pane shows the Rules Management tab which lists configured publishing rules 2 In the Rule list select a publishing rule that you want to modify For the pur...

Page 622: ...lishers and publishing rules for a CA certificate and for end entity certificates Creating of new mappers publishers and publishing rules for CRLs is covered in Step 4 Configure the Certificate Manage...

Page 623: ...ied in the certificate subject name and attribute variable assertion AVA constants LdapSubjAttrMap Select this if you want the server to locate the CA s entry by searching for an LDAP attribute whose...

Page 624: ...ick the Help button 6 Click OK The Mappers Management tab appears listing the new mapper Creating a Mapper for End Entity Certificates Creating a mapper for end entity certificates involves creating a...

Page 625: ...y the object class for the CA s entry in the directory Leave it as it is If the field is empty type certificationAuthority 6 Click OK The Publishers Management tab appears listing the new publisher Cr...

Page 626: ...the appropriate information Rule ID Type a unique name for the rule use an alphanumeric string with no spaces enable Select this option predicate Type HTTP_PARAMS certType ca indicating that the rule...

Page 627: ...appears It lists registered modules that enable creating of publishing rules 3 Select the module named Rule This is the default module If you have registered any custom modules they too will be avail...

Page 628: ...directory that is currently configured for publishing the CA and end entity certificates A configured Certificate Manager will publish the CRL to the CA s entry in the specified directory replacing th...

Page 629: ...er for the CRL Step D Create a Publisher for the CRL Step E Create a Publishing Rule for the CRL Step A Specify CRL Details You can specify information such as the publishing interval the CRL version...

Page 630: ...at regular intervals In this case the server publishes the CRL to the configured directory at the interval you specify In the adjoining text field type the interval in minutes at which the Certificate...

Page 631: ...type is RSA select MD2 with RSA MD5 with RSA or SHA 1 with RSA If the Certificate Manager s signing key type is DSA select SHA 1 with DSA 5 To save your changes click Save If the changes you made requ...

Page 632: ...odify a rule select it and then click Edit View 3 Change the information as appropriate Be sure to supply all the required values Click the Help button for detailed information on individual parameter...

Page 633: ...ting an instance of the publisher module that enables the Certificate Manager to publish the CRL to the correct attribute in the CA s directory entry In the next step described in Step E Create a Publ...

Page 634: ...module named LdapCrlPublisher Only this publisher module enables the Certificate Manager to publish the CRL to the certificateRevocationList binary attribute of the CA s directory entry If you have re...

Page 635: ...r and publisher created for publishing CRLs n To create a new publishing rule 1 In the navigation tree click Rules The right pane shows the Rules Management tab which lists any currently configured pu...

Page 636: ...ules Management tab appears listing the new rule Step 5 Identify the Publishing Directory To identify the directory to which the Certificate Manager should publish the CA certificate end entity certif...

Page 637: ...configured the Directory Server for basic authentication or for SSL communication without client authentication select Basic authentication and specify values for the Directory manager DN and password...

Page 638: ...the Certificate Manager to publish to is based on Netscape Directory Server 1 x select version 2 For Directory Server versions 3 x and later select LDAP version 3 4 To save your changes click Save Th...

Page 639: ...nt you can use the appropriate form and request a certificate To request a client or personal certificate from the Certificate Manager 1 Open a web browser window 2 Go to the end entity interface of t...

Page 640: ...Installing this certificate in a client 2 Follow the on screen instructions and download the certificate to your browser s certificate database An alternative way to download the certificate is from t...

Page 641: ...ost name is corpDirectory port number is 389 base DN is O example com and user s ID is jdoe the URL would look like this ldap corpDirectory 389 O example com sub uid jdoe In the resulting page look fo...

Page 642: ...hing directory 2 Locate the CA s entry 3 Check the certificateRevocationList binary attribute You should find the CRL published Manually Updating Certificates and CRLs in a Directory Normally you do n...

Page 643: ...it the proper certificate to get access to this page 3 Select the Update Directory Server link The Update Directory Server page appears 4 Select the appropriate options 5 When you are done specifying...

Page 644: ...rtificates by changing the value of the predicate parameter to HTTP_PARAMS certType ca Use the LdapCaCertPublisher publisher plug in module to add another rule with the predicate parameter set to HTTP...

Page 645: ...Up LDAP Publishing 645 When the directory is updated the Certificate Manager will display a status report If the process gets interrupted for some reason the server logs an error message Be sure to c...

Page 646: ...Manually Updating Certificates and CRLs in a Directory 646 Netscape Certificate Management System Installation and Setup Guide May 2002...

Page 647: ...ficates and CRLs to a file Note that configuring the Certificate Manager for publishing is optional you can turn this feature off without affecting any of the certificate issuance and management opera...

Page 648: ...follow these steps Step 1 Before You Begin Step 2 Configure the Certificate Manager Step 3 Test Publishing Step 1 Before You Begin Before configuring a Certificate Manager to publish the CA certifica...

Page 649: ...RLs Step D Specify CRL Details Step E Set the CRL Extensions Step F Make Sure Publishing is Enabled Step A Create a Publisher for the File Creating a publisher for the file involves creating an instan...

Page 650: ...ars It lists registered publisher modules 5 Select the module named FileBasedPublisher Only this publisher module enables the Certificate Manager to publish certificates and CRLs to flat files 6 Click...

Page 651: ...create another publisher for example PublishCrlsToFile with the value of the directory parameter set to the file path to the other directory for example C crls Step B Create Publishing Rules for Certi...

Page 652: ...rtType ca enable Select this option mapper Select NONE publisher Select the publisher you created in the previous step Step A For example PublishCertsToFile 6 Click OK The Rules Management tab appears...

Page 653: ...ct the module named Rule This is the default module If you have registered any custom modules they too will be available for selection Table 20 1 Certificate types and predicate expressions End entity...

Page 654: ...example PublishCertsToFile type Select crl predicate Leave this field blank enable Select this option mapper Select NONE publisher Select the publisher you created in the previous step Step A 6 Click...

Page 655: ...this case every time a certificate is revoked Publishing a CRL can be time consuming if the CRL is large Configuring the Certificate Manager to publish CRLs every time a certificate is revoked may eng...

Page 656: ...clude expired certificates Check this box if you want the server to include revoked certificates that have expired in the CRL Allow extensions Check this box if you want to allow extensions in the CRL...

Page 657: ...e CRL extensions the Certificate Manager should set 1 In the navigation tree select Certificate Manager and then select CRL Extensions The right pane shows the CRL Extensions Management tab which list...

Page 658: ...publish certificates and CRLs to an LDAP directory 3 If you changed anything click Save to save the changes If the changes you made require you to restart the server you are prompted accordingly In t...

Page 659: ...he client generates the key pair Do not interrupt the key generation process Step B Approve the Request Skip this step if you requested the certificate using any of the automated enrollment methods in...

Page 660: ...e it automatically attempts to publish the certificate to the configured repository in this case the file To check whether the Certificate Manager published the correct certificate you need to do the...

Page 661: ...ZSBDb21tdW5pY2F0aWhfyyuougjgjjgmkgjkgmjg fjfgjjjgfyjfyj9ucyBDb3Jwb3JhdGlvbjpMEaMBgGA1UECxMRSXNzdWluZyhgdfhbfdpffjphotoo gdhkBBdXRob3JpdHkwHhcNOTYxMTA4MDkwNzM0WhcNOTgxMTA4MDkwNzMM0WjBXMQswCQYDVQQGEwJ V...

Page 662: ...g the certificate make sure that you ve configured the Certificate Manager to publish the CRL every time a certificate is revoked In Step D Specify CRL Details on page 654 if you didn t configure the...

Page 663: ...specifies the value derived from the time dependent variable named This Update of the CRL contained in the file If you don t see the file check your configuration 2 Convert the DER encoded CRL to its...

Page 664: ...ools Guide To convert the base 64 encoded CRL to a human readable form a Check the command window to make sure that you are at this directory server_root bin cert tools b At the prompt enter this Pre...

Page 665: ...example you can add a mapper implementation named as follows to the Certificate Manager s policy framework com netscape publishing customMapper Before registering a plug in module be sure to put the...

Page 666: ...information as appropriate Plugin name Type a name for the plug in module Class name Type the full name of the class for this module that is the path to the implementing Java class If this class is p...

Page 667: ...g framework 1 Log in to the CMS window see Logging In to the CMS Window on page 333 2 Select the Configuration tab 3 In the navigation tree select Certificate Manager and then select Publishing To del...


Page 669: ...CSP service built into the Certificate Manager for real time verification of certificates issued by the Certificate Manager The chapter also explains how to configure one or more Certificate Managers...

Page 670: ...pplications which when trying to validate a certificate query the appropriate OCSP responder using the OCSP protocol for the status of the certificate The applications determine the location of the OC...

Page 671: ...following The CA that issued the certificate and whose status is being verified by the responder A responder whose public key which corresponds to the private key it uses to sign responses is trusted...

Page 672: ...by the client Based on the status the client decides whether to validate the certificate How to Get an OCSP Responder To aid you in the process of setting up an OCSP compliant PKI setup Certificate Man...

Page 673: ...to publish their CRLs to the Online Certificate Status Manager The Online Certificate Status Manager stores each Certificate Manager s CRL in its internal database and uses the appropriate CRL to ver...

Page 674: ...up an OCSP compliant PKI setup For this purpose you can use clients such as Netscape 6 or Netscape Communicator with Netscape Personal Security Manager Personal Security Manager is an OCSP compliant s...

Page 675: ...with Online Certificate Status Protocol OCSP read the PKIX draft RFC 2560 available at this web site http www ietf org rfc rfc2560 txt Read section What s an OCSP Compliant PKI Setup on page 670 Deci...

Page 676: ...version 4 7x with Personal Security Manager skip to the next step Step 5 Configure Certificate Manager for Required Extension Policies on page 700 Otherwise follow the instructions in this section and...

Page 677: ...structions 1 Download the latest version of Personal Security Manager from the web site to the machine on which you have Communicator installed 2 Locate the Release Notes release_notes html It explain...

Page 678: ...T system you can install Personal Security Manager by entering the path to the psm14_win32 jar file in the browser s URL area On a Solaris system you can unzip the file by running gunzip psm_14_solari...

Page 679: ...he revocation status of a certificate the certificate being validated must contain the Authority Information Access extension pointing to the location at which the Certificate Manager listens for OCSP...

Page 680: ...eck the status of the said policy rule and update it if required Also for testing whether your OCSP compliant clients can verify revocation status of certificates by querying the OCSP responder you wi...

Page 681: ...ation_type Shows URL ad0_location Shows the complete path to the location where the Certificate Manager listens to calls from OCSP compliant clients The path should be in this format http hostname non...

Page 682: ...supply the single sign on password for the server 3 Type the single sign on password you specified during installation and click OK Certificate Management System won t restart until you provide this...

Page 683: ...appears 5 Select the Use OCSP to verify only certificates that specify an OCSP service URL option and click OK 6 Click the Close button Step B Request a Certificate The steps outlined below explain ho...

Page 684: ...st of pending requests identify the request you submitted and click Details 5 Check the request to make sure that it has all the required attributes of a client certificate including the Authority Inf...

Page 685: ...ger s CA signing certificate select it and click Edit The Edit Security Certificate Settings window appears 4 Make sure all the three options are selected and click OK Step F Verify the Certificate in...

Page 686: ...ificate To revoke the certificate you issued 1 Go to the end entity interface for the Certificate Manager you configured or to the Registration Manager that s connected to this Certificate Manager Be...

Page 687: ...ad the page hold down the Shift key and click on the browser s Reload icon 3 Compare the information to the one you noted in Step G above The updated statistics should indicate that Personal Security...

Page 688: ...database of a subordinate Certificate Manager you can use the Certificate Setup Wizard For instructions see Using the Wizard to Install a Certificate or Certificate Chain on page 452 After you install...

Page 689: ...nt Clients Keep the Netscape Console login information for the Certificate Manager and Online Certificate Status Manager handy you ll need this to verify or make changes to their configuration Read se...

Page 690: ...icate Status Manager To locate the Certificate Manager s CA signing certificate it might be useful to know whether it s self signed or signed by another CA If the certificate is self signed you can lo...

Page 691: ...aX lhMRcwFQYDVQQDEw5TdXByaXlhIFNoZXR0eTEjMCEGCSqGSIb3DbndgJA END CERTIFICATE If the certificate is signed by another CA a Open a web browser window b Go the Certificate Manager s end entity interface...

Page 692: ...cate Manager CA you just added Note the values assigned to the This Update Next Update and Requests Served Since Startup fields All three fields should show a value of zero 0 Keep the web browser wind...

Page 693: ...tree select Certificate Manager and then in the right pane select the Revocation List tab 4 In the Update Frequency section select the Every time a certificate is revoked or taken off hold option Thi...

Page 694: ...set the required CRL extensions as described in Step B Set the CRL Extensions on page 694 Revocation list signing algorithm Select the algorithm the server should use to sign the CRL If the Certifica...

Page 695: ...all the required values Click the Help button for detailed information on individual parameters 4 Click OK You are returned to the CRL Extensions Management tab 5 To modify other rules repeat steps 2...

Page 696: ...h lists configured publisher instances 2 Click Add The Select Publisher Plugin Implementation window appears It lists registered publisher modules 3 Select the module named OCSPPublisher Only this pub...

Page 697: ...fault path ocsp addCRL If necessary type it in 6 Click OK The Publishers Management tab appears listing the new publisher Step D Create a Publishing Rule for the CRL Creating a publishing rule for the...

Page 698: ...name for the rule be sure to use an alphanumeric string with no spaces For example PublishCa1CrlToOcspResponder type Select crl predicate Leave this field blank enable Select this option mapper Selec...

Page 699: ...ry to files or to an online validation authority 2 Make sure that the Enable Publishing option is selected If it is already selected leave it as it is If it isn t select it Leave the Enable default LD...

Page 700: ...extension to a certificate it issues only if the corresponding policy is enabled and configured properly Hence before issuing the OCSP compliant client certificate you must verify that the Certificate...

Page 701: ...ent critical Leave this option unchecked numADs Type 1 ad0_method Type ocsp or 1 3 6 1 5 5 7 48 1 ad0_location_type Select URL ad0_location Type the complete path to the location where the Online Cert...

Page 702: ...and uses it as the default CRL store for verifying the revocation status of certificates You can also configure the Online Certificate Status Manager to use the CRL published to an LDAP directory ins...

Page 703: ...appropriate option If you want to configure the Online Certificate Status Manager to use the CRLs in its internal database select defStore and click Edit View If you want to configure the Online Certi...

Page 704: ...elect the option the response will be UNKNOWN which when encountered by Netscape Personal Security Manager an OCSP compliant client results in an error message includeNextUpdate The Online Certificate...

Page 705: ...ly qualified hostname of the LDAP directory The name must be in the machine_name your_domain domain form For example corpDir1 example com port n Type the nonSSL port of the LDAP directory For example...

Page 706: ...iant clients According to the OCSP protocol it is optional to include the time stamp of next CRL update in an OCSP response Select this option if you want the OCSP response to contain information abou...
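Two passages of this guide come together here: the file-publishing chapter's test step, which converts the published DER CRL to base 64 and then to a readable form, and the Online Certificate Status Manager's behaviour just described, which answers from a stored CRL and returns UNKNOWN when it has nothing for the issuing CA, optionally carrying nextUpdate. The following Python is an added example, not CMS code. It constructs its own test CRL with a dummy signature, so it performs no signature verification (a real consumer must verify the CRL against the CA's CRL-signing certificate before trusting it); the refusal to answer "good" from a CRL past its nextUpdate is this example's design choice, not something the page states. The issuer name, serial numbers and dates are constructed values.

```python
"""Decode a DER CRL (the step the guide converts to base 64 and human-readable
form) and answer good / revoked / unknown from it the way an OCSP responder fed
by published CRLs would.  Added example, not CMS code; no signature check."""
import base64
from datetime import datetime, timezone

# Minimal DER encoder, used only to construct the sample CRL at the bottom.
def _len(n):
    if n < 0x80: return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big"); return bytes([0x80 | len(b)]) + b
def tlv(tag, body): return bytes([tag]) + _len(len(body)) + body
def seq(*items): return tlv(0x30, b"".join(items))
def integer(n): return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))  # non-negative only
def utctime(dt): return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]; body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        enc = [a & 0x7F]; a >>= 7
        while a: enc.insert(0, 0x80 | (a & 0x7F)); a >>= 7
        body += bytes(enc)
    return tlv(0x06, bytes(body))

# DER decoder: enough of X.509 to walk a CertificateList.
def read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80: n = ln & 0x7F; ln = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    return tag, buf[pos:pos + ln], pos + ln
def children(body):
    out, pos = [], 0
    while pos < len(body): tag, val, pos = read_tlv(body, pos); out.append((tag, val))
    return out
def oid_str(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80: arcs.append(v); v = 0
    return ".".join(map(str, arcs))
def parse_time(tag, raw):           # UTCTime (0x17, two-digit year, RFC 5280 century rule) or GeneralizedTime
    s = raw.decode()
    if tag == 0x17: s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.6": "C"}
def name_to_str(name_body):         # Name = SEQUENCE of RDN; RDN = SET of AttributeTypeAndValue
    parts = []
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            t, v = children(atv); parts.append("%s=%s" % (OID_NAMES.get(oid_str(t[1]), oid_str(t[1])), v[1].decode()))
    return ",".join(parts)

def parse_crl(der):
    """CertificateList ::= SEQUENCE { tbsCertList, signatureAlgorithm, signature }.
    The signature is NOT verified: check it against the CA's CRL-signing
    certificate before trusting any entry returned here."""
    _, body, _ = read_tlv(der)
    (_, tbs), (_, sig_alg), _ = children(body)
    f = children(tbs)
    i = 2 if f[0][0] == 0x02 else 1                  # skip optional version and the AlgorithmIdentifier
    issuer = f[i][1]; i += 1
    this_update = parse_time(*f[i]); i += 1
    next_update = None
    if i < len(f) and f[i][0] in (0x17, 0x18): next_update = parse_time(*f[i]); i += 1
    revoked = {}
    if i < len(f) and f[i][0] == 0x30:               # revokedCertificates (omitted when empty)
        for _, entry in children(f[i][1]):
            ser, when = children(entry)[:2]
            revoked[int.from_bytes(ser[1], "big", signed=True)] = parse_time(*when)
    return {"issuer": name_to_str(issuer), "issuer_der": issuer, "sigalg": oid_str(children(sig_alg)[0][1]),
            "thisUpdate": this_update, "nextUpdate": next_update, "revoked": revoked}

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN X509 CRL-----\n%s\n-----END X509 CRL-----\n" % "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
def from_pem(pem):
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def cert_status(crl_store, issuer_der, serial, now):
    """OCSP-style verdict from CRLs keyed by issuer Name DER.  'unknown' when the
    responder holds no CRL for that CA, or (a choice made here, not a rule from
    the guide) when the only CRL is past its nextUpdate."""
    crl = crl_store.get(issuer_der)
    if crl is None: return "unknown", "no CRL from this issuer"
    if serial in crl["revoked"]: return "revoked", crl["revoked"][serial]
    if crl["nextUpdate"] is not None and now > crl["nextUpdate"]:
        return "unknown", "CRL expired at %s" % crl["nextUpdate"].isoformat()
    return "good", crl["nextUpdate"]

def build_sample_crl(issuer_o, this_update, next_update, revoked):
    """Constructed CRL (sha1WithRSAEncryption OID, dummy signature bits) to exercise the parser."""
    alg = seq(oid("1.2.840.113549.1.1.5"), tlv(0x05, b""))
    issuer = seq(tlv(0x31, seq(oid("2.5.4.10"), tlv(0x13, issuer_o.encode()))))
    tbs = seq(integer(1), alg, issuer, utctime(this_update), utctime(next_update),
              seq(*[seq(integer(s), utctime(d)) for s, d in revoked]))
    return seq(tbs, alg, tlv(0x03, b"\x00" + bytes(16)))

def run_demo():
    """Build the constructed CRL, round-trip it through base 64, and query it."""
    t0 = datetime(2002, 5, 10, 12, 0, 0, tzinfo=timezone.utc)
    der = build_sample_crl("Example Corporation", t0, t0.replace(day=11), [(4096, t0.replace(day=9))])
    crl = parse_crl(from_pem(to_pem(der)))
    store = {crl["issuer_der"]: crl}
    return {"issuer": crl["issuer"], "sigalg": crl["sigalg"], "nextUpdate": crl["nextUpdate"].isoformat(),
            "revoked": cert_status(store, crl["issuer_der"], 4096, t0)[0],
            "good": cert_status(store, crl["issuer_der"], 7, t0)[0],
            "unknown_ca": cert_status(store, b"\x30\x00", 7, t0)[0],
            "stale": cert_status(store, crl["issuer_der"], 7, t0.replace(day=12))[0]}

if __name__ == "__main__":
    for k, v in run_demo().items(): print(k, v)
```

The store is keyed by the raw issuer Name encoding rather than its string form, because two names that print identically can still differ byte for byte; matching on the DER avoids answering for the wrong CA. The "stale" case matters for the publishing interval chosen earlier in the chapter: if the Certificate Manager publishes less often than the nextUpdate it writes into the CRL, the responder ends up holding only expired data.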

Page 707: ...tatus Manager Connection When you restart the Certificate Manager it tries to connect to the Online Certificate Status Manager s end entity SSL port you specified this in Step C Create a Publisher for...

Page 708: ...CA is Trusted by the Browser Step F Verify the Certificate in the Browser Step G Check the Status of Online Certificate Status Manager Step H Revoke the Certificate Step I Verify the Certificate in t...

Page 709: ...ger that s connected to this Certificate Manager The URL is in this form https hostname end_entity_HTTPS_port or http hostname end_entity_HTTP_port 2 In the left frame under Browser click Manual This...

Page 710: ...ck the certificate details for the required extensions 3 Follow the on screen instructions and download the certificate to your browser s certificate database An alternative way to download the certif...

Page 711: ...ficate is verified generally it s at the top Step G Check the Status of Online Certificate Status Manager To go to the Online Certificate Status Manager s status page and verify the number of requests...

Page 712: ...rtificate you want to revoke 5 Select the certificate you downloaded and click OK The Certificate Manager revokes the certificate constructs the CRL and publishes the CRL to the Online Certificate Sta...

Page 713: ...eck the Online Certificate Status Manager status for verification 1 Go to the Online Certificate Status Manager s status page 2 Reload the page hold down the Shift key and click on the browser s Reloa...


Page 715: ...he organization that owns the data This chapter explains how to use the Data Recovery Manager to archive users encryption private keys and how to use the archived keys later in place of missing encryp...

Page 716: ...cannot archive and recover a private key deriving from a single key pair By contrast clients that can generate dual key pairs use one private key for encrypting data and the other for signing data Bec...

Page 717: ...matically requests the service of the Data Recovery Manager For information on customizing this form see Step C Customize the Certificate Enrollment Form on page 733 Initiating the key recovery proces...

Page 718: ...each key is stored as a key record The archived copy of the key remains encrypted or wrapped with the Data Recovery Manager s storage key see Storage Key Pair on page 428 It can be decrypted or unwra...

Page 719: ...ager receives an encrypted copy of the user s private key and stores the key in its key repository To archive the key the Data Recovery Manager uses two special key pairs A transport key pair and corr...

Page 720: ...he Registration Manager the Data Recovery Manager decrypts it with the private key that corresponds to the public key in its transport certificate After confirming that the private encryption key corr...

Page 721: ...You facilitate this by allowing each recovery agent to enter a password in the Data Recovery Manager configuration They must be available to retrieve your users encryption private keys if the need ar...

Page 722: ...agents m provide their identifiers and passwords After verifying the passwords the Data Recovery Manager reconstructs the PIN for the token based on the given information Interface for the Key Recove...

Page 723: ...ta Recovery Manager retrieves the requested key and returns it along with the corresponding certificate in the form of a PKCS 12 package By default key recovery authorization is local Remote Key Recov...

Page 724: ...switch to remote authorization by deselecting the local authorization option in the Key Recovery form How Agent Initiated Key Recovery Works In an agent initiated key recovery the key is recovered by...

Page 725: ...ecovery Manager agent accesses the Key Recovery form using the appropriate client certificate types the identification information pertaining to the person whose encryption private key needs to be rec...

Page 726: ...ord for the PKCS 12 package and their individual identifiers and passwords The Data Recovery Manager agent submits the page to the Data Recovery Manager 5 The Data Recovery Manager matches the key rec...

Page 727: ...al storage key password Each password retrieves only a part of the private storage key You first specified the key recovery agent scheme when you installed the Data Recovery Manager Changing the Key R...
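The m-of-n recovery-agent scheme described above, as an added example that is not CMS code: the guide says each agent's password retrieves only part of the storage key's PIN and that the PIN is reconstructed once the agents' identifiers and passwords have been verified, but it does not say which threshold construction the Data Recovery Manager implements. This illustration uses Shamir secret sharing over GF(2^521 - 1), wraps each share under a PBKDF2 key derived from the agent's password, and refuses to reconstruct with fewer than m agents or with a wrong password. The agent identifiers, passwords, record layout and PIN are constructed for the example. The practical caveat from the guide stands: the passwords set at installation are defaults and must be changed.

```python
"""m-of-n recovery agents: each agent's password unlocks one share, any m shares
rebuild the storage-key PIN, fewer than m reveal nothing about it.  Added example
using Shamir secret sharing; the guide does not say which threshold construction
the Data Recovery Manager implements, so this shows the property, not CMS internals."""
import hashlib, hmac, secrets
from typing import Dict, List, Tuple

P = 2 ** 521 - 1          # Mersenne prime; secrets up to 65 bytes fit below it
SHARE_LEN = 66            # bytes needed to hold a value < P

def _poly(coeffs: List[int], x: int) -> int:
    y = 0
    for c in reversed(coeffs): y = (y * x + c) % P
    return y

def split_secret(secret: bytes, m: int, n: int) -> List[Tuple[int, int]]:
    """n points on a random degree m-1 polynomial whose constant term is the secret."""
    if not 1 < m <= n: raise ValueError("need 1 < m <= n")
    s = int.from_bytes(secret, "big")
    if s >= P: raise ValueError("secret too long for the field")
    coeffs = [s] + [secrets.randbelow(P) for _ in range(m - 1)]
    return [(x, _poly(coeffs, x)) for x in range(1, n + 1)]

def recover_secret(shares: List[Tuple[int, int]], length: int) -> bytes:
    """Lagrange interpolation at x = 0.  With fewer than m shares this yields a
    uniformly random wrong value, so the caller must enforce the threshold."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j: num = num * -xj % P; den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total.to_bytes(length, "big")

class RecoveryAgents:
    """Per-agent record: salt, password check value, share index, wrapped share.
    The PIN itself is never stored.  Constructed illustration of the agent
    identifier + password step on the page, not the CMS data model."""
    def __init__(self, pin: bytes, m: int, agents: Dict[str, str]):
        self.m, self.pin_len, self.records = m, len(pin), {}
        for (uid, password), (x, y) in zip(agents.items(), split_secret(pin, m, len(agents))):
            salt = secrets.token_bytes(16)
            wrap_key, check = self._kdf(password, salt)
            share = y.to_bytes(SHARE_LEN, "big")
            self.records[uid] = (salt, check, x, bytes(a ^ b for a, b in zip(share, wrap_key)))

    @staticmethod
    def _kdf(password: str, salt: bytes) -> Tuple[bytes, bytes]:
        """One PBKDF2 output split into a share-wrapping key and a separate check value."""
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=SHARE_LEN + 32)
        return dk[:SHARE_LEN], dk[SHARE_LEN:]

    def recover(self, credentials: Dict[str, str]) -> bytes:
        """Verify every supplied agent password first; reconstruct only if m or more are right."""
        shares = []
        for uid, password in credentials.items():
            if uid not in self.records: raise PermissionError("unknown agent %s" % uid)
            salt, check, x, wrapped = self.records[uid]
            wrap_key, candidate = self._kdf(password, salt)
            if not hmac.compare_digest(check, candidate): raise PermissionError("bad password for %s" % uid)
            shares.append((x, int.from_bytes(bytes(a ^ b for a, b in zip(wrapped, wrap_key)), "big")))
        if len(shares) < self.m: raise PermissionError("%d agents required, %d supplied" % (self.m, len(shares)))
        return recover_secret(shares, self.pin_len)

if __name__ == "__main__":
    agents = RecoveryAgents(b"storage-token-pin", 2, {"agent1": "pw-one", "agent2": "pw-two", "agent3": "pw-three"})
    print(agents.recover({"agent1": "pw-one", "agent3": "pw-three"}))
```

The point of checking each password before interpolating is that a wrong share does not fail loudly: Lagrange interpolation over bad or too few points returns a plausible-looking random value, which in the real system would be an attempt to unlock the storage token with garbage. Changing the scheme (m or n) means re-splitting the PIN and issuing fresh records to every agent; old shares must be destroyed, since any m of them still reconstruct the unchanged PIN.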

Page 728: ...ion and Setup Guide May 2002 3 In the navigation tree select the Data Recovery Manager and in the right pane click the Scheme Management tab The Scheme Management tab shows the current key recovery sc...

Page 729: ...nformation click Finish You are returned to the Scheme Management tab Changing Key Recovery Agents Passwords As administrator you have the responsibility of safeguarding the security of each Data Reco...

Page 730: ...ears 5 Allow the agent to enter the appropriate information During installation the Data Recovery Manager prompts you to enter key recovery agent passwords by default they are set to agent n where n c...

Page 731: ...and Recovery Process By default the Data Recovery Manager is not configured to archive or recover end users encryption private keys This section explains how to set up key archival and recovery proces...

Page 732: ...ent form served by an enrollment authority which can be either a Certificate Manager or a Registration Manager When the enrollment authority detects the key archival option in the request it initiates...

Page 733: ...fail to archive users keys All the end user enrollment forms provided by Certificate Management System for example the directory based enrollment form DirUserEnroll html directory and PIN based enroll...

Page 734: ...ficate in its base 64 encoded format The transport certificate is stored in the Data Recovery Manager s certificate database If the transport certificate is signed by a Certificate Manager then a copy...

Page 735: ...y the base 64 encoded certificate excluding the marker lines BEGIN CERTIFICATE and END CERTIFICATE to a text file An example is shown below MIICDjCCAXegAwIBAgICAfMwDQYJKoZIhvcNAQEEBQAwdzELMAkGA1UEBhMC...

Page 736: ...CATE to a text file The copied information should look like the example below MIICDjCCAXegAwIBAgICAfMwDQYJKoZIhvcNAQEEBQAwdzELMAkGA1UEBhMCVVMxLDAqBgNVBAoTI0 5ldHNjYXBlIENvbW11bmljYXRpb25zIENvcnBvcmF0a...

Page 737: ...dHNjYXBlMQwwCgYDVQQDEwNLUmEwXDANBgkqhkiG9w0BAQEFAANLADB IAkEArrbDiYUI5SCdlCKKa0bEBn1m83kX6bdhytRYNkdHB95Bp85SR g Pass the kraTransportCert variable to the JavaScript method Replace null the fourth lin...

Page 738: ...nitiated key recovery process in which end users encryption private keys are recovered by designated key recovery agents This section explains how to set up the key recovery process To set up agent in...

Page 739: ...of an end user s encryption private key locally or remotely The default configuration is local authorization It is important that you evaluate both the authorization modes and choose the one that is...

Page 740: ...t Your Key Archival Setup To test whether you can successfully archive a key follow these instructions 1 Enroll for dual certificates To do this a Open a web browser window b Go to the end entity inte...

Page 741: ...ests link again b In the form that appears select the Show completed requests option and click Find You should see two new certificates with consecutive serial numbers c Download the certificates to t...

Page 742: ...igned and encrypted There should be a security icon at the top right corner of the message window and it should indicate that the message is signed and encrypted Step C Delete the Certificate To do th...

Page 743: ...ted Key Recovery Works on page 724 The base 64 encoded certificate that corresponds to the private key you want to recover use the enrollment authority s end entity or agent interface to get this info...

Page 744: ...cess. 3. Open the test email that you couldn't verify after deleting the certificate from the browser's certificate datab...

Page 745: ...ts. The chapter has the following sections: Introduction to Logs (page 745); Configuring CMS Logs (page 753); Monitoring CMS Logs (page 759); Archiving of Rotated Log Files (page 769); Managing Log Modules (page 772)...

Page 746: ...essages to these files. For example, if you installed a Certificate Manager and a Data Recovery Manager together, you will find log messages for both the subsystems in the same log file. Table 23-1 Types...

Page 747: ...vents related to this server's administration activities, that is, HTTPS communication between the CMS window and Certificate Management System. All: Specifies logged events related to all the services. Au...

Page 748: ...means less detail, because only events of high priority are logged. A lower priority level (a smaller digit) means greater detail, because more kinds of events are recorded in the log file. Request Queue: S...

Page 749: ...server cannot send back the request it processed for a client through the same channel the request came from the client. 4. Misconfiguration: These messages indicate that a misconfiguration in the serve...

Page 750: ...s the current log file and then creates a new log file with the original name. The rotated log file is saved with the original file type and an appended timestamp. The name of a rotated log file is in t...

Page 751: ...out messages as they are generated to the log files. Because the server performs an I/O operation (writing to the log file) each time a message is generated, configuring the server for unbuffered logging...

Page 752: ...lly. Because the rotated log files are also saved in your local file system, these files eventually take up a considerable amount of disk space. You can avoid this problem by doing one of the following: C...

Page 753: ...e 745. Read Chapter 8, Log Plug-in Modules, of the CMS Plug-Ins Guide. Step 2: Modify the Existing Listeners. When you create a CMS instance, a set of log event listeners that you would most likely want to use a...

Page 754: ...actly like the listener you want to rename, except with a new name, and delete the old listener. As a part of editing a listener, you can change its status from enabled to disabled or vice versa by checki...

Page 755: ...Listener Editor window appears, showing how this listener is configured. An example is shown below. 5. Make the necessary changes and click OK. You are returned to the Log Event Listener Management tab. 6. R...

Page 756: ...stered log plug-in module, assigning a unique name for the instance and entering appropriate values for the parameters that define the module you want to create an instance of. When you add a listener t...

Page 757: ...te Manager. To add a new listener to the CMS configuration: 1. In the Log Event Listener Management tab, click Add. The Select Log Event Listener Plugin Implementation window appears. It lists registered lo...

Page 758: ...ee Logs Maintained by the Server on page 746. enabled: Select this box. level: From the drop-down list, select a log level. The choices are Debug, Information, Warning, Failure, Misconfiguration, Catastrophe, and...

Page 759: ...n you have problems with Certificate Management System that require troubleshooting, you may find it helpful to check the error or informational messages that the server has logged. Also, by examining th...

Page 760: ...ered, such as authentication failures, malformed universal resource indicators (URIs), invalid database password indications, and server start-up and shut-down messages. Messages related to the status of cer...

Page 761: ...has located that match the search request. If you enter zero (0), no messages are returned. If you leave the field blank, the server returns every matching entry (no limit), regardless of the number found. Sou...

Page 762: ...y, you see the following details: Source: Indicates the CMS component or resource that logged the message. Level: Indicates the severity of the corresponding entry, explained in Table 23-3 on page 748. Date: Ind...

Page 763: ...ted that match the search request. If you enter zero (0), no messages are returned. If you leave the field blank, the server returns every matching entry (no limit) to the client, regardless of the number foun...

Page 764: ...Table 23-3 on page 748. Date: Indicates the date on which the entry was logged. Time: Indicates the time at which the entry was logged. Details: Provides a brief description of the log. 6. To view an entry i...

Page 765: ...ction, specify your viewing preferences: Entries: Type the maximum number of entries to be displayed. When this limit is reached, Certificate Management System returns any entries it has located that match...

Page 766: ...gical order, with the most current log placed at the top. Use the scroll arrows on the right edge of the panel to scroll through the log entries. For each entry, you see the following details: Source: Indic...

Page 767: ...r events related to your server. For more information about the Event Viewer, check your system documentation. To monitor Certificate Management System by using Event Viewer: 1. In the Administrative Tools...

Page 768: ...6 Error message indicating event log is full. If you see this dialog box, you must clean up the application log immediately. Here's what you should do: 1. From the Start menu on your desktop, select Program...

Page 769: ...ption. 5. Click OK. 6. Close the Event Viewer window. Archiving of Rotated Log Files: Log files, especially the audit log file, contain critical information, so it is good practice to periodically archive rota...

Page 770: ...s. Determine the key pair you want to use for signing the log directory. Typically, you should use the Certificate Manager's (the CA's) signing key pair. Also find out the nickname of the certificate that c...

Page 771: ...dule databases for the CA. This must be the same path you used to copy the security module database in step 2. cert_nickname specifies the nickname of the certificate you want the utility to use for sig...

Page 772: ...e sure to put the Java class for the module in the classes directory; the implementation must be on the class path. To register a log plug-in module with a CMS instance: 1. Log in to the CMS window (see Lo...

Page 773: ...a module, be sure to delete all the listeners that are based on this module (see Step 3, Delete Unwanted Listeners, on page 755). To delete a module: 1. Log in to the CMS window (see Logging In to the CMS Wind...


Page 775: ...Part 4: Issuing and Managing Certificates. Chapter 24: Issuing and Managing Server Certificates. Chapter 25: Setting Up CEP Enrollment...


Page 777: ...must receive the certificate signing request (CSR) from the server that needs the certificate. This request must be initiated by the administrator of the specific server requiring the certificate. SSL en...

Page 778: ...for the appropriate information. On the other hand, if the enrollment form specifies manual authentication, the request gets queued and awaits approval by an agent. 2. Subjects the request to policy check...

Page 779: ...er enrollment. 2. The Registration Manager verifies the authenticity of the request. Because the request requires manual authentication, the Registration Manager stores the request in the queue for agent...

Page 780: ...specified in the enrollment form. Optionally, the Registration Manager may publish the certificate to the corporate directory. Getting Server SSL Certificates for Netscape Servers: To enable a server to e...

Page 781: ...r, see the documentation for your server. 4. Once you have generated a key pair, follow the directions presented to generate a certificate signing request (CSR). 5. In the Certificate Authority field, enter yo...

Page 782: ...W CERTIFICATE REQUEST marker lines. In the contact information section, enter values to identify yourself. These values will be used by the CA if the need arises, for example, if there are any questions or...

Page 783: ...ends with END CERTIFICATE, and paste it into the text area in the form. The encryption alias: Enter the alias for your server. 4. Follow the prompts and add the certificate to your server's certificate dat...


Page 785: ...For Netscape version 4.x servers, you can use the Certificate Setup Wizard provided by Netscape Console to get new certificates, renew existing certificates, and install certificates in the database of a...

Page 786: ...anager agent. To submit the server certificate request to Certificate Management System manually: 1. Open a web browser window. 2. Go to the End Entity Services interface of the Certificate Manager or a Re...

Page 787: ...rocess is similar to the enrollment process, in that the administrators must manually generate the certificate signing request using the server's key pair, paste that request in the manual enrollment fo...

Page 788: ...revoke certificates based on a range of serial numbers or based on one or more subject name components. Upon submission of the revocation request, the agent receives a list of certificates from which sh...

Page 789: ...e of certificates for authentication, encryption, and tamper detection by using the IP Security (IPSec) protocol. Certificate Management System supports Cisco's PKI protocol, the Certificate Enrollment Prot...

Page 790: ...cally created in the same server group in which Certificate Management System is installed; one of the Directory Server instances is identified as the configuration directory and the other as the internal dat...

Page 791: ...ason for this is that, if you plan on publishing certificates from routers, they may need to be published with the same DN as their certificate subject names. For example, if the certificate subject name conta...

Page 792: ...fy the directory for publishing. For instructions, see Step 5, Identify the Publishing Directory, on page 636. Create an instance of the policy plug-in named CRLDistributionPointsExt following the instruct...

Page 793: ...try if one does not already exist (true/false). Enter false if an entry already exists in the directory and you don't want the server to create one. url: Specifies the URL for CEP enrollment. It is used if...

Page 794: ...Company, C=US, you must have already created three (3) directory entries: C=US; O=Company, C=US; OU=Accounting, O=Company, C=US. You can do this with the help of the ldapmodify command and an LDIF file with...

Page 795: ...Manager to use either the challenge password or the subject name (all or a part of it) as an authentication token during a CEP enrollment, thus enabling users to get router certificates without any acti...

Page 796: ...ence to the auths instance authentication plug-in described in the auths instance configuration parameters. If you want to turn off automated enrollment for CEP-based requests, delete this parameter fro...

Page 797: ...es parameter as follows: auths.instance.flatfile.keyAttributes=UNSTRUCTUREDNAME,UNSTRUCTUREDADDRESS. This will force the server to use both these attributes to locate an entry in the authentication tok...

Page 798: ...authentication token named pwd for the challenge password. In this case, you would set the authAttributes parameter as follows: auths.instance.flatfile.authAttributes=pwd. In summary, to implement the auto...

Page 799: ...our authentication file and save your changes. 4. Restart the Certificate Manager. After changing the configuration file, you must restart the server for the changes to take effect. If the server fails to...

Page 800: ...ation file: auths.instance.flatfile_VPN.fileName=full_path_to_the_authentication_file auths.instance.flatfile_VPN.authAttributes=pwd auths.instance.flatfile_VPN.keyAttributes=CN,OU,O auths.instance.fla...

Page 801: ...ether the HTTP port is enabled. If it isn't, enable it; for instructions, see Configuring Port Numbers on page 362. If you are requesting the certificate for an earlier version of router software, make sure...

Page 802: ...rmine the signing algorithm and the key length for the certificate you want to request. Find out the password that enables you to access the router in privileged mode. In your router documentation, locat...

Page 803: ...tified in Step 1. 2. The router gets the CA certificate and displays its fingerprint on your screen. 3. Verify the fingerprint on your screen against the one you noted down in Step 1. If it matches, the router...

Page 804: ...igured for manual enrollment or authentication, the request gets queued and awaits approval by an agent. Example: The example below shows the commands and associated outputs for a Cisco router. To perform...

Page 805: ...ter password. The subject name in the certificate will be router.domain.com. Include the router serial number in the subject name? [yes/no]: yes. The serial number in the certificate will be 08342063. Include...


Page 807: ...Part 5: Appendix. Appendix A: Certificate Download Specification...


Page 809: ...ins (page 811); Importing Certificates into Netscape Communicator (page 811); Importing Certificates into Netscape Servers (page 812); Object Identifiers (page 812). Data Formats: Netscape products can accept cert...

Page 810: ...ns. It consists of a PKCS #7 ContentInfo structure wrapping a sequence of certificates. The value of the contentType field should be netscape-cert-sequence (see Object Identifiers on page 812), while the co...

Page 811: ...n, as long as there is a trusted CA somewhere along the chain. Importing Certificates into Netscape Communicator: Communicator imports certificates via HTTP. There are several MIME content types that are...

Page 812: ...ia the server administration interface. Certificates are pasted into a text input field in an HTML form, and then the form is submitted to the administration server. Since the certificates are pasted int...

Page 813: ...netscape-data-type OBJECT IDENTIFIER ::= { netscape 2 } netscape-cert-sequence OBJECT IDENTIFIER ::= { netscape-data-type 5 }...


Page 815: ...y ACE. administrator: The person who installs and configures one or more CMS managers and sets up privileged users, or agents, for them. See also agent. agent: A user who belongs to a group authorized to man...

Page 816: ...configuring a CMS manager that allows automatic authentication for the purposes of end-entity enrollment, without human intervention. With this form of authentication, a certificate request that complete...

Page 817: ...series of certificates signed by successive certificate authorities. A CA certificate identifies a certificate authority (CA) and is used to sign certificates issued by that authority. A CA certificate c...

Page 818: ...bsumed by another proposed standard, Certificate Management Messages over Cryptographic Message Syntax (CMC). For detailed information, see http://www.ietf.org/internet-drafts/draft-ietf-pkix-cmmf-02.txt. Cer...

Page 819: ...CMS instance: An instance of a CMS subsystem, comprising both code and data and treated as a discrete entity. CMS subsystem: One of the three CMS Managers: Certificate Manager, Registration Manager, or Data...

Page 820: ...stration Manager can be configured to archive end entities' encryption keys with a Data Recovery Manager before issuing new certificates. The Data Recovery Manager is useful only if end entities are enc...

Page 821: ...div897/pubs/fip46-2.htm. digital ID: See certificate. digital signature: To create a digital signature, the signing software first creates a one-way hash from the data to be signed, such as a newly issued c...

Page 822: ...X.509 certificate for use in a public key infrastructure (PKI). Also known as registration. end entity: In a public key infrastructure (PKI), a person, router, server, or other entity that uses a certificate to...

Page 823: ...isting code written in a language such as C or C++ for a single platform to bind to Java. See http://java.sun.com/products/jdk/1.2/docs/guide/jni/index.html. Java Security Services (JSS): A Java interface for...

Page 824: ...ght pretend to be a furniture store when it is really just a site that takes credit card payments but never sends any goods. Misrepresentation is one form of impersonation. See also spoofing. Netscape Ce...

Page 825: ...encryption. PKCS #10: The public key cryptography standard that governs certificate requests. PKCS #11: The public key cryptography standard that governs cryptographic tokens such as smart cards. PKCS #11 mod...

Page 826: ...identity electronically, or to sign and encrypt electronic data. Two keys are involved: a public key and a private key. A public key is published as part of a certificate, which associates that key with a...

Page 827: ...connection. SSL runs above TCP/IP and below HTTP, LDAP, IMAP, NNTP, and other high-level network protocols. server authentication: The process of identifying a server to a client. See also client authenticati...

Page 828: ...s, including mechanisms for automatically tracking passwords used with different servers. Certificates support single sign-on within a public key infrastructure (PKI). A user can log in once to a local cli...

Page 829: ...ot in a PKCS #11 module. It provides cryptographic services and optionally stores certificates and keys. tree hierarchy: The hierarchical structure of an LDAP directory. trust: Confident reliance on a perso...


Page 831: ...onship to server root 324 starting 325 from Netscape Console 325 from the command line 325 from the Windows NT Services panel 325 stopping 326 from Netscape Console 326 from the command line 326 from...

Page 832: ...ed 489 during certificate enrollment 495 during certificate renewal 495 during certificate revocation 497 for administrators 490 for agents 492 managing from CMS window 511 authentication instances ad...

Page 833: ...197 configuring SMTP settings for notifications 543 554 555 to use separate SSL server certificates 459 to use specific ciphers 464 connecting to a Data Recovery Manager 406 Data Recovery Manager and...

Page 834: ...ide 463 which ones to choose 463 clone CA 169 cloning 36 cloning a CA 282 CMC 78 CMMF 78 CMS administrator defined 54 CMS agent defined 54 CMS certificates renewal 420 CMS data where it s stored 365 C...

Page 835: ...sion 595 CRL signing certificate 423 591 nickname 423 462 CRLs Certificate Manager support for 46 defined 591 issuing or distribution points 595 publishing of 39 591 publishing to files 647 publishing...

Page 836: ...CA renewalCA renewal 172 173 distinguished name 170 extensions 172 root versus subordinate 171 signing certificate 171 signing key 170 certificate decisions Certificate Manager 177 Data Recovery Mana...

Page 837: ...licy modules for 58 SSL server certificate 209 210 tool for joining 446 tools for generating 446 transport certificate 201 external tokens defined installing 432 viewing contents of 482 F filenames fo...

Page 838: ...installing external hardware tokens 432 installing multiple CMS instances 280 instances CMS agents for additional 274 277 282 creating additional 280 internal CMS database 107 internal database defaul...

Page 839: ...updates 642 when to do 643 who can do this 642 See CRLs linked CA 36 linking subsystems See connecting subsystems local vs remote key recovery 723 location of active log files CMS configuration file...

Page 840: ...mappers 617 policy rules 570 privileged user s group membership 415 privileged user information 413 publishers 619 620 monitoring logs 759 Audit log 764 Error log 762 System log 760 things you can mon...

Page 841: ...ion authority defined 49 P password cache 308 315 password cache filename 308 315 password cache location 308 315 password conf file 306 PasswordCache utility 316 password quality checker 308 316 pass...

Page 842: ...to choose numbers 360 predicates attributes for 564 expression support 562 operators for 562 sample expressions 562 564 what are they 562 why would you use 562 privileged users 371 372 deleting 416 gr...

Page 843: ...wal of CMS certificates 420 renewing certificates of subsystems 474 reordering policy rules 579 significance of ordering 579 restarting Certificate Management System 312 from Netscape Console 313 682...

Page 844: ...07 210 SSL server certificate 425 427 429 430 changing trust settings of 485 deleting 484 getting a new one 436 465 nickname 425 427 429 430 renewing 436 474 viewing details of 482 starting Administra...

Page 845: ...nsport certificate for Data Recovery Manager 199 202 trusted managers certificate for SSL client authentication 383 connectors for linking 382 deleting 416 designated group 387 access rights 387 modif...

Page 846: ...wizard See Certificate Setup Wizard writing policies in JavaScript 582 X X 509 certificates 79...
