Introduction to Authentication
498
Netscape Certificate Management System Installation and Setup Guide • March 2002
Revoking a certificate using the challenge password is useful in certain
situations. For example, if you issue a single certificate to a user and the user
can no longer use that certificate because the corresponding key pair has been lost,
the user cannot revoke the certificate with the SSL client authenticated revocation
method, since there is no usable certificate to present for client authentication.
If the user has a challenge password for the certificate, he or she can use it to
revoke the certificate the server maintains in its database.
Forms for both methods are available through the End Entity Services interface
(HTTPS only) of the Certificate Manager and Registration Manager; see “Certificate
Revocation Forms” on page 500.
Here are a few common points to keep in mind about the automated revocation of
end users’ certificates:
• A Certificate Manager can revoke only those certificates that it has issued; it
cannot revoke certificates issued by other CAs.
• If the revocation request is processed by a Registration Manager, it must be
connected as a trusted manager to the Certificate Manager that has issued the
certificate the user is attempting to revoke; the Registration Manager forwards
certificate revocation requests to this Certificate Manager. For information on
trusted managers, see “Trusted Managers” on page 380.
• The certificate the user attempts to revoke must be currently valid or must
have expired; it cannot have been already revoked.
• At the time of revocation, the user can also specify additional details, such as
the date of revocation and revocation reason, for each certificate or for the list
as a whole.
SSL Client Authenticated Revocation
In the SSL client authenticated revocation method, the server expects the end user
to present a certificate that has the same subject name as the one he or she wants to
revoke, and it uses that certificate for authentication. The server verifies the
authenticity of a revocation request by mapping the subject name in the certificate
presented for client authentication to certificates in its internal database. The
server revokes a certificate only if the presented certificate maps to one or more
valid or expired certificates in its internal database.
After successful authentication, if the server finds exactly one valid or expired
certificate whose subject name matches that of the certificate presented for client
authentication, it revokes that certificate. If the server finds more than one valid or
expired certificate with a matching subject name, it lists all of those certificates. The
user can then either select the certificate to be revoked or revoke all certificates in
the list.
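The following is an added example, not code from the Netscape CMS product, that models the server-side decision described above together with the earlier bullet points (same subject name, issued by this CA, valid or expired but not already revoked; one match is revoked outright, several matches are listed for the user to choose from). The certificate database, issuer name and serials are constructed for illustration; the example assumes the SSL handshake has already validated the client certificate and yields its subject name.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

class Status(Enum):
    VALID = "valid"
    EXPIRED = "expired"
    REVOKED = "revoked"

@dataclass
class CertRecord:
    serial: int
    subject: str
    issuer: str
    status: Status
    reason: Optional[str] = None  # revocation reason, set when revoked

THIS_CA = "CN=Example Certificate Manager"  # constructed issuer name

def sample_db() -> List[CertRecord]:
    """Constructed sample of a Certificate Manager's internal database."""
    return [
        CertRecord(1, "CN=Alice", THIS_CA, Status.VALID),
        CertRecord(2, "CN=Alice", THIS_CA, Status.EXPIRED),
        CertRecord(3, "CN=Alice", THIS_CA, Status.REVOKED),     # already revoked
        CertRecord(4, "CN=Alice", "CN=Other CA", Status.VALID),  # not issued by us
        CertRecord(5, "CN=Bob", THIS_CA, Status.VALID),
    ]

def revocable_matches(db: List[CertRecord], subject: str) -> List[CertRecord]:
    """Map the authenticated subject name to certificates this CA may revoke:
    same subject, issued by this CA, and currently valid or expired."""
    return [c for c in db
            if c.subject == subject and c.issuer == THIS_CA
            and c.status in (Status.VALID, Status.EXPIRED)]

def handle_revocation(db: List[CertRecord], auth_subject: str,
                      selected: Optional[List[int]] = None,
                      reason: str = "unspecified") -> Tuple[str, List[int]]:
    """Decision taken after SSL client authentication succeeded.
    Returns ('rejected', []) if nothing maps, ('choose', serials) when several
    certificates map and the user has not selected yet, or ('revoked', serials).
    Passing every listed serial in `selected` revokes the whole list."""
    candidates = revocable_matches(db, auth_subject)
    if len(candidates) > 1 and selected is None:
        return "choose", [c.serial for c in candidates]
    chosen = candidates if len(candidates) == 1 else \
        [c for c in candidates if c.serial in set(selected or [])]
    if not chosen:
        return "rejected", []
    for c in chosen:
        c.status, c.reason = Status.REVOKED, reason
    return "revoked", [c.serial for c in chosen]
```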