Redhat NETSCAPE MANAGEMENT SYSTEM 4.5 User Manual

Installation and Setup Guide
Netscape Certificate Management System
Version 4.5
October 2001
Netscape Communications Corporation (“Netscape”), a subsidiary of America Online, Inc., and its licensors retain all ownership rights to the software programs offered by Netscape (referred to herein as “Software”) and related documentation. Use of the Software and related documentation is governed by the license agreement accompanying the Software and applicable copyright law.
Your right to copy this documentation is limited by copyright law. Making unauthorized copies, adaptations, or compilation works is prohibited and constitutes a punishable violation of the law. Netscape may revise this documentation from time to time without notice.
THIS DOCUMENTATION IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. IN NO EVENT SHALL NETSCAPE BE LIABLE FOR INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND ARISING FROM ANY ERROR IN THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION ANY LOSS OR INTERRUPTION OF BUSINESS, PROFITS, USE, OR DATA.
Software applications: © 2001 Sun Microsystems, Inc. Some software code: © 1999, 2001 Netscape Communications Corporation. All rights reserved.
Netscape and the Netscape N logo are registered trademarks of Netscape Communications Corporation in the United States and other countries. Other Netscape logos, product names, and service names are also trademarks of Netscape Communications Corporation, which may be registered in other countries. Other product and brand names are the exclusive property of their respective owners.
The downloading, exporting, or reexporting of Netscape software or any underlying information or technology must be in full compliance with all United States and other applicable laws and regulations. Any provision of Netscape software or documentation to the U.S. Government is with restricted rights as described in the license agreement accompanying Netscape software.

Contents

About This Guide ..... 23
  What’s in This Guide ..... 23
  What You Should Already Know ..... 26
  Conventions Used in This Guide ..... 27
  Where to Go for Related Information ..... 28
Part 1 Overview and Demo Installation ..... 31
Chapter 1 Introduction to Certificate Management System ..... 33
  Overview of Key Features ..... 34
    Flexible end-entity registration services framework ..... 38
  System Overview ..... 41
    Public-Key Infrastructure ..... 43
    CMS Subsystems or Managers ..... 44
      Certificate Manager ..... 45
      Registration Manager ..... 47
      Data Recovery Manager ..... 48
      Online Certificate Status Manager ..... 49
    Basic System Configuration ..... 50
    Plug-in Modules ..... 55
      Authentication Plug-in Modules ..... 55
      Policy Plug-in Modules ..... 57
      Job Plug-In Modules ..... 61
      Mapper and Publisher Plug-in Modules ..... 62
    Event-Driven Notifications ..... 64
  Auxiliary Components ..... 64
    Command-Line Utilities ..... 65
    CMS SDK ..... 65
  Entry Points for Various Types of Users ..... 66
    Agent Services Interface ..... 68
      Certificate Manager Agent Services ..... 68
      Registration Manager Agent Services ..... 69
      Data Recovery Manager Agent Services ..... 70
      Online Certificate Status Manager Agent Services Interface ..... 71
    End-Entity Services Interface ..... 72
  System Architecture ..... 73
    PKCS #11 ..... 74
    NSS ..... 76
    JSS and the Java/JNI Layer ..... 76
    Middleware/Java 2 Layers ..... 76
    Authentication and Policy Modules ..... 77
  Standards Summary ..... 77
    Certificate Management Formats and Protocols ..... 77
    Security and Directory Protocols ..... 78
Chapter 2 Certificate Enrollment and Life-Cycle Management ..... 81
  Steps in End-Entity Enrollment ..... 81
  Some Enrollment Scenarios ..... 84
    Firewall Considerations ..... 84
    Extranet/E-Commerce: Acme Sales Corp. ..... 85
      Enrolling Existing Customers ..... 86
      Enrolling New Customers ..... 87
      Enrolling Extranet Users ..... 89
    PIN Registration: Atlas Manufacturing ..... 91
    VPN Client Enrollment and Revocation ..... 93
    Router Enrollment and Revocation ..... 96
  End Entities and Life-Cycle Management ..... 98
    Life-Cycle Management Formats and Protocols ..... 98
    Access to Subsystems ..... 99
    HTML Forms for End Users ..... 101
    Netscape Personal Security Manager ..... 102
Chapter 3 Default Demo Installation ..... 105
  System Requirements ..... 106
    Operating System and Software Required ..... 106
    Platform Requirements ..... 106
  Overview of the Default Demo ..... 108
4 Netscape Certificate Management System Installation and Setup Guide • October 2001
    Demo Passwords ..... 111
  Installing the Default Demo ..... 112
    Step 1. Run the Installation Script—UNIX ..... 112
    Step 1. Run the Installation Script—Windows NT ..... 114
    Step 2. Run the Installation Wizard ..... 122
    Step 3. Get the First User Certificate ..... 135
      Enrolling for the First Agent Certificate ..... 135
      If You Need the First Agent Form Again ..... 137
  Using the Default Demo ..... 138
    Verify the Installation ..... 138
      Viewing Issued Certificates From the Agent Gateway ..... 139
      Enrolling for a Certificate From the End-Entity Gateway ..... 140
      Finding and Approving a Certificate Request ..... 141
      Setting Your Browser to Use the Agent Certificate ..... 142
      Testing Your New Certificate ..... 142
    Create a Policy ..... 143
      Configuring an RSA Key Length Policy ..... 143
    Use an LDAP Directory ..... 145
      Step 1. Enable Directory-Based Authentication ..... 146
      Step 2. Add a User to the Directory ..... 147
      Step 3. Enroll with Directory-Based Authentication ..... 149
    Publish Certificates to an LDAP Directory ..... 150
      Configure the Publishing Destination ..... 151
      Set Rules for Publishing Certificates ..... 153
      Update the Publishing Directory ..... 154
    Send Renewal Reminders ..... 156
      Configuring a Mail Server for Certificate Management System ..... 157
      Configuring Certificate Management System to Send Renewal Reminders ..... 157
Part 2 Planning and Installation ..... 161
Chapter 4 Planning Your Deployment ..... 163
  Topology Decisions ..... 164
    Server Groups and CMS Instances ..... 164
    Single Certificate Manager ..... 165
    Certificate Manager and Registration Manager ..... 166
    Certificate Manager and Data Recovery Manager ..... 168
    Certificate Manager, Data Recovery Manager, and Registration Manager ..... 170
    Cloned Certificate Manager ..... 172
  Certificate Authority Decisions ..... 173
    CA’s Distinguished Name ..... 173
    CA Signing Key Type and Length ..... 174
    CA Signing Certificate’s Validity Period ..... 174
    Self-Signed Root Versus Subordinate CA ..... 174
    CAs and Certificate Extensions ..... 175
    CA Certificate Renewal or Reissuance ..... 176
  Cryptographic Token Decisions ..... 177
  Publishing Decisions ..... 177
    Publishing Certificates and CRLs to Files ..... 178
    Publishing Certificates and CRLs to a Directory ..... 178
    Publishing CRLs to the Online Certificate Status Manager ..... 179
  Subsystem Certificate Decisions ..... 180
    SSL Server Certificates ..... 180
    Certificate Manager Certificates ..... 180
    Registration Manager Certificates ..... 181
    Data Recovery Manager Certificate and Storage Key ..... 182
    Online Certificate Status Manager Certificates ..... 182
  Authentication Decisions ..... 183
  Policy Decisions ..... 183
  Deployment Strategy and Port Assignments ..... 184
Chapter 5 Installation Worksheet ..... 187
  Information for UNIX Installation Script ..... 188
    Installation Location ..... 188
    Configuration Directory Server ..... 188
    User/Group Directory Server ..... 189
    Configuration Directory Settings ..... 189
    Administration Server Information ..... 190
    Certificate Management System Identifier ..... 191
  Information for NT Installation Script ..... 191
    Installation Directory ..... 191
    Configuration Directory Server ..... 191
    User/Group Directory Server ..... 192
    Configuration Directory Settings ..... 193
    Configuration Directory Server Administrator ..... 193
    Directory Server Administration Domain ..... 193
    Directory Manager Settings ..... 193
    Administration Server Port ..... 194
    Certificate Management System Identifier ..... 194
  Initial Configuration ..... 194
    Internal Database ..... 195
    Administrator ..... 195
    Subsystems ..... 195
    Remote Certificate Manager ..... 196
    Remote Data Recovery Manager ..... 196
    Network Configuration ..... 197
  Certificate Manager Configuration ..... 197
    CA Signing Certificate ..... 197
      CA’s Serial Number Range ..... 197
      Key-Pair Information for CA Signing Certificate ..... 198
      Subject Name for CA Signing Certificate ..... 198
      Validity Period for CA Signing Certificate ..... 199
      Extensions for CA Signing Certificate ..... 199
    CA Signing Certificate Request ..... 200
  Registration Manager Configuration ..... 201
    Registration Manager Signing Certificate Request ..... 201
      Key-Pair Information for Registration Manager Signing Certificate ..... 201
      Subject Name for Registration Manager Signing Certificate ..... 202
    Registration Manager Signing Certificate Issuer ..... 202
  Data Recovery Manager Configuration ..... 203
    Transport Certificate ..... 203
      Key-Pair Information for Transport Certificate ..... 203
      Subject Name for Transport Certificate ..... 204
      Validity Period for Transport Certificate ..... 204
      Extensions for Transport Certificate ..... 205
    Transport Certificate Request ..... 206
    Storage Key and Recovery Agent Configuration ..... 206
      Storage Key Creation ..... 206
      Data Recovery Scheme—1 ..... 206
      Data Recovery Scheme—2 ..... 207
  Online Certificate Status Manager Configuration ..... 207
    Online Certificate Status Manager Signing Certificate Request ..... 207
      Key-Pair Information for Online Certificate Status Manager Signing Certificate ..... 208
      Subject Name for Online Certificate Status Manager Signing Certificate ..... 208
    Online Certificate Status Manager Signing Certificate Issuer ..... 209
  Cloned Certificate Manager Configuration ..... 209
    CA Signing Certificate ..... 210
      CA’s Serial Number Range ..... 210
      Cloned Key and Certificate Material ..... 210
      SSL Server Key and Certificate ..... 211
  SSL Server Certificate Configuration ..... 211
    SSL Server Certificate ..... 211
      Key-Pair Information for SSL Server Certificate ..... 211
      Subject Name for SSL Server Certificate ..... 212
      Validity Period for SSL Server Certificate ..... 212
      Extensions for SSL Server Certificate ..... 213
    SSL Certificate Request ..... 214
  Single Sign-On Password ..... 214
Chapter 6 Installing Certificate Management System ..... 215
  Installation Overview ..... 215
    Installation Stages ..... 216
    Before You Begin the Installation ..... 217
  Stage 1. Running the Installation Script ..... 219
    Running the Installation Script on UNIX ..... 219
    Running the Installation Script on Windows NT ..... 222
  Stage 2. Running the Installation Wizard ..... 225
    Installing the Certificate Manager as a Root CA ..... 227
    Installing the Certificate Manager as a Subordinate CA ..... 230
    Installing a Standalone Registration Manager ..... 242
    Installing a Standalone Data Recovery Manager ..... 253
    Installing an Online Certificate Status Manager ..... 264
  Stage 3. Enrolling for Administrator/Agent Certificate ..... 275
    Agent Certificate for a Certificate Manager ..... 275
    Agent Certificate for Other CMS Managers ..... 278
  Stage 4. Further Configuration Options ..... 281
  Stage 5. Creating Additional Instances or CA Clones ..... 282
Chapter 7 Installing and Uninstalling CMS Instances ..... 283
  Installing Multiple CMS Instances ..... 284
  Cloning a Certificate Manager ..... 286
    Step 1. Before You Begin ..... 287
    Step 2. Create Instances for Clone CAs ..... 289
      Installing Clone CA in Master CA’s Server Group ..... 289
      Installing Clone CA in a Different Server Group ..... 290
      Installing Clone CA on a Separate Host ..... 291
    Step 3. Shut down the Master CA ..... 291
    Step 4. Copy Master CA’s Certificate and Key Database ..... 292
    Step 5. Start the Master CA ..... 292
    Step 6. Configure the Clone CA ..... 292
    Step 8. Establish Trust Between Master CA and Clone CAs ..... 293
      Step A. Locate the Master CA’s SSL Server Certificate ..... 294
      Step B. Create a Privileged-User Entry for Clone CAs ..... 296
    Step 9. Test Clone-Master Connection ..... 299
      Step A. Request a Certificate from the Clone CA ..... 299
      Step B. Approve the Request ..... 300
      Step C. Download the Certificate to the Browser ..... 300
      Step D. Revoke the Certificate ..... 301
      Step E. Check Master CA’s CRL for the Revoked Certificate ..... 301
    Step 10. Use Master CA’s Agent Certificate in Clone CAs ..... 302
  Viewing Instance Information ..... 303
  Changing the Name of an Instance ..... 305
  Removing an Instance From a System ..... 306
  Uninstalling Certificate Management System ..... 308
    Uninstalling From the Command Line ..... 308
    Uninstalling by Using the Windows NT Add/Remove Programs Utility ..... 308
Chapter 8 Starting and Stopping CMS Instances ..... 311
  Starting Certificate Management System ..... 312
    Required Start-up Information ..... 312
      Configuring the Server to Start Without the Single Sign-On Password ..... 313
      Configuring the Server to Read the Single Sign-on Password From a File ..... 314
    Starting From Netscape Console ..... 317
    Starting From the Command Line ..... 318
    Starting From the Windows NT Services Panel ..... 319
  Stopping Certificate Management System ..... 320
    Stopping From Netscape Console ..... 320
    Stopping From the Command Line ..... 321
    Stopping From the Windows NT Services Panel ..... 322
  Restarting Certificate Management System ..... 322
    Restarting From the CMS Window ..... 322
    Restarting From the Command Line ..... 323
  Checking System Status ..... 324
  Attending to an Unresponsive Server ..... 325
  CMS Watchdog Process ..... 325
  Password Cache ..... 326
  Password-Quality Checker ..... 327
Part 3 Configuration ..... 329
Chapter 9 Administration Tasks and Tools ..... 331
  Netscape Console ..... 332
    Console Tab ..... 332
    Users and Groups Tab ..... 333
    Netscape Administration Server ..... 334
      Starting Administration Server ..... 335
      Shutting Down Administration Server ..... 336
  Logging Into Netscape Console ..... 336
  The CMS Window ..... 338
    Tasks Tab ..... 339
    Configuration Tab ..... 339
    Status Tab ..... 342
  Logging Into the CMS Window ..... 343
Chapter 10 CMS Configuration ..... 345
  Effects of Installation Type on Configuration ..... 345
    Duplicating Configuration From One Instance to Another ..... 347
  Locating the Configuration File ..... 348
  Modifying the Configuration ..... 349
    Changing the Configuration From the CMS Window ..... 349
    Changing the Configuration by Editing the Configuration File ..... 349
      Guidelines for Editing the Configuration File ..... 350
    Sample Configuration File ..... 353
  Road Map to Configuring Subsystems ..... 366
      Step 1. Check Which Subsystems are Installed in the Instance ..... 366
      Step 2. Check the Port Numbers ..... 366
      Step 3. Verify Key Pair and Certificates ..... 366
      Step 4. Set up Privileged Users ..... 367
      Step 5. Customize End-Entity and Agent Forms ..... 367
      Step 6. Set up Authentication for End Users ..... 367
      Step 7. Enable Event-Driven Notifications ..... 368
      Step 8. Schedule Jobs ..... 368
      Step 9. Set up Policies ..... 368
      Step 10. Set up Publishing ..... 369
      Step 11. Set up Key Archival and Recovery ..... 369
      Step 12. Set up Logging ..... 369
      Step 13. Plan for Backing up CMS Configuration and Data ..... 370
Chapter 11 Setting Up Ports ..... 371
  CMS Ports ..... 371
    Remote Administration Port ..... 372
    Agent Port ..... 373
    End-Entity Ports ..... 373
  Configuring Port Numbers ..... 374
    Step 1. Specify the Port Number ..... 374
    Step 2. Specify IP Addresses ..... 377
Chapter 12 Setting Up Internal Database ..... 379
  Internal Database ..... 379
  Configuring the Internal Database ..... 380
    Step 1. Identify the Directory Server Instance ..... 381
    Step 2. Restrict Access to the Internal Database ..... 382
Chapter 13 Managing Privileged Users and Groups ..... 385
  Privileged-User Types and Responsibilities ..... 386
    Administrators ..... 386
    Agents ..... 387
      Agent’s Certificate for SSL Client Authentication ..... 389
      Revocation Status Checking of Agent Certificates ..... 392
    Trusted Managers ..... 394
      Subsystems That Can Function as Trusted Managers ..... 395
      Connectors for Linking Trusted Managers ..... 396
      Trusted Manager’s Certificate for SSL Client Authentication ..... 397
  Groups and Their Privileges ..... 398
    Group for Administrators ..... 399
    Groups for Agents ..... 400
      Group for Certificate Manager Agents ..... 400
      Group for Registration Manager Agents ..... 400
      Group for Data Recovery Manager Agents ..... 401
      Group for Online Certificate Status Manager Agents ..... 401
    Group for Trusted Managers ..... 402
  Setting Up Privileged Users ..... 403
    Setting Up Administrators ..... 403
      Step 1. Find the Required Information ..... 403
      Step 2. Add the Information to the Internal Database ..... 403
    Setting Up Agents ..... 406
      Setting up Agents Using the Automated Process ..... 406
      Setting up Agents Using the Manual Process ..... 407
    Setting Up Trusted Managers ..... 413
      Setting up Trusted Managers Using the Automated Process ..... 413
      Setting Up a Registration Manager as a Trusted Manager ..... 414
      Setting Up a Certificate Manager as a Trusted Manager ..... 422
  Changing Privileged-User Information ..... 429
    Changing a Privileged User’s Login Information ..... 429
    Changing a Privileged User’s Certificate ..... 430
    Changing Members in a Group ..... 431
  Deleting a Privileged User ..... 432
Chapter 14 Managing CMS Keys and Certificates ..... 435
  Keys and Certificates for the Main Subsystems ..... 436
    Certificate Manager’s Key Pairs and Certificates ..... 437
      CA Signing Key Pair and Certificate ..... 437
      wTLS CA Signing Certificate ..... 438
      OCSP Signing Key Pair and Certificate ..... 438
      CRL Signing Key Pair and Certificate ..... 439
      SSL Server Key Pair and Certificate ..... 441
11
Remote Administration Server Certificate ..... 443
Registration Manager’s Key Pairs and Certificates ..... 445
Signing Key Pair and Certificate ..... 445
SSL Server Key Pair and Certificate ..... 445
Remote Administration Server Certificate ..... 446
Data Recovery Manager’s Key Pairs and Certificates ..... 446
Transport Key Pair and Certificate ..... 447
Storage Key Pair ..... 447
SSL Server Key Pair and Certificate ..... 448
Remote Administration Server Certificate ..... 448
Online Certificate Status Manager’s Key Pairs and Certificates ..... 449
OCSP Signing Key Pair and Certificate ..... 449
SSL Server Key Pair and Certificate ..... 449
Remote Administration Server Certificate ..... 450
Tokens for Storing CMS Keys and Certificates ..... 450
Internal Token ..... 451
External Token ..... 451
Installing External Tokens ..... 451
Managing Tokens Used by the Subsystems ..... 454
Viewing Tokens ..... 454
Changing a Token’s Password ..... 455
Hardware Cryptographic Accelerators ..... 455
Certificate Setup Wizard ..... 456
Using the Wizard to Request a Certificate ..... 457
Step 1. Select the Operation ..... 457
Step 2. Choose the Certificate ..... 458
Step 3. Specify the Key-Pair Information ..... 460
Step 4. Specify the Subject Name for the Certificate ..... 462
Step 5. Specify the Validity Period ..... 463
Step 6. Specify Extensions ..... 464
Step 7. Copy the Certificate Signing Request ..... 466
Step 8. Check the Certificate Request Status ..... 470
Using the Wizard to Install a Certificate or Certificate Chain ..... 471
Data Formats for Installing Certificates and Certificate Chains ..... 472
Step 1. Select the Operation ..... 473
Step 2. Select the Certificate or Certificate Chain ..... 474
Step 3. Specify the Location of the Certificate ..... 475
Step 4. View the Certificate or Certificate Chain ..... 477
Step 5. Install the Certificate or Certificate Chain ..... 477
Step 6. Verify the Certificate Status ..... 478
Configuring the Server’s Security Preferences ..... 478
Configuring the Server to Use Separate SSL Server Certificates ..... 478
Step 1. Get the Required SSL Server Certificates ..... 479
12 Netscape Certificate Management System Installation and Setup Guide • October 2001
Step 2. Update the Configuration ..... 479
Getting an SSL Client Certificate for a Subsystem ..... 480
Setting Up Cipher Preferences for SSL Communications ..... 482
SSL Ciphers Supported in Certificate Management System ..... 482
Configuring the Server to Use Specific Ciphers ..... 484
Getting New Certificates for the Subsystems ..... 485
Step 1. Plan for the New Certificate ..... 486
Step 2. Request the New Certificate ..... 489
Step 3. Install the New Certificate ..... 489
Step 4. Deploy the New Certificate ..... 490
Deploying Certificate Manager’s CA Signing Certificate ..... 490
Deploying Registration Manager’s Signing Certificate ..... 491
Deploying Data Recovery Manager’s Transport Certificate ..... 492
Deploying a Subsystem’s SSL Server Certificate ..... 493
Renewing Certificates for the Subsystems ..... 494
Step 1. Plan for Certificate Renewal ..... 495
Step 2. Renew the Existing Certificate ..... 496
Step 3. Install the Renewed Certificate ..... 497
Step 4. Deploy the Renewed Certificate ..... 497
Deploying Certificate Manager’s Renewed CA Signing Certificate ..... 498
Deploying Registration Manager’s Renewed Signing Certificate ..... 498
Deploying Data Recovery Manager’s Renewed Transport Certificate ..... 499
Deploying a Subsystem’s Renewed SSL Server Certificate ..... 501
Step 5. Restart the Server ..... 501
Managing the Certificate Database ..... 502
Viewing the Certificate Database Content ..... 502
Deleting a Certificate From the Certificate Database ..... 504
Changing the Trust Settings of a CA Certificate ..... 505
Installing a New CA Certificate in the Certificate Database ..... 507
Installing a CA Certificate Chain in the Certificate Database ..... 508
Chapter 15 Setting Up End-User Authentication ..... 509
Introduction to Authentication ..... 509
Privileged-User Authentication ..... 510
Authentication of Administrators ..... 510
Authentication of Agents ..... 512
End-Entity Authentication ..... 515
Authentication of End Entities During Certificate Enrollment ..... 515
Authentication of End Users During Certificate Renewal ..... 515
Authentication of End Users During Certificate Revocation ..... 517
Configuring Authentication for End-User Enrollment ..... 521
Step 1. Before You Begin ..... 522
Step 2. Set Up the Directory for PIN-Based Enrollment ..... 523
Step A. Check the Directory for User Entries ..... 523
Step B. Update the Directory ..... 524
Step C. Prepare the Input File ..... 525
Step D. Run the Command Without the Write Option ..... 525
Step E. Check the Output File ..... 526
Step F. Run the Command Again with the Write Option ..... 526
Step 3. Enable the Attribute Present Constraints Policy ..... 526
Step 4. Add an Authentication Instance ..... 529
Step 5. Set Up the Enrollment Interface ..... 534
Step A. Associate the Authentication Instance With the Enrollment Form ..... 534
Step B. Customize the Form ..... 535
Step C. Hook Up the Certificate-Based Enrollment Form ..... 535
Step D. Remove Unwanted Enrollment Options ..... 538
Step 6. Enable End-Entity Interaction ..... 539
Enabling End-Entity Interaction with a Certificate Manager ..... 539
Enabling End-Entity Interaction with a Registration Manager ..... 541
Step 7. Turn on Automated Notification ..... 542
Step 8. Test Your Authentication Setup ..... 542
Step 9. Deliver PINs to End Users ..... 544
Managing Authentication Instances ..... 544
Deleting an Authentication Instance ..... 544
Modifying an Authentication Instance ..... 545
Managing Authentication Plug-in Modules ..... 547
Registering an Authentication Module ..... 547
Deleting an Authentication Module ..... 549
Chapter 16 Setting Up Automated Notifications ..... 551
Automated Notifications ..... 551
Notifications of Certificate Issuance to End Entities ..... 552
Notification of New Request in Queue ..... 553
Customizing Notification Messages ..... 554
Templates for Event-Triggered Notifications ..... 554
Customizing Message Templates ..... 556
Tokens Available in Message Templates ..... 557
Tokens for Certificate Issuance Notifications to End Entities ..... 557
Tokens for Rejection Notifications to End Entities ..... 558
Tokens for Request In Queue Notification Messages ..... 559
Configuring a Subsystem to Send Notifications ..... 559
Step 1. Before You Begin ..... 560
Step 2. Turn On Certificate-Issuance Notification ..... 560
Step 3. Turn on Request in Queue Notification ..... 561
Step 4. Verify Mail Server Settings ..... 563
Step 5. Test Your Configuration ..... 564
Chapter 17 Scheduling Automated Jobs ..... 565
Configuring a Subsystem to Run Automated Jobs ..... 565
Step 1. Before You Begin ..... 566
Step 2. Modify Existing Jobs ..... 566
Step 3. Delete Unwanted Jobs ..... 569
Step 4. Add New Jobs ..... 569
Step 5. Schedule the Frequency ..... 573
Step 6. Verify Mail Server Settings ..... 574
Step 7. Test Your Configuration ..... 575
Managing Job Plug-in Modules ..... 575
Registering a Job Module ..... 576
Deleting a Job Module ..... 577
Chapter 18 Setting Up Policies ..... 579
Introduction to Policy ..... 579
What Is Policy? ..... 580
Policy Rules ..... 581
Types of Policy Rules ..... 581
Using Predicates in Policy Rules ..... 582
Expression Support for Predicates ..... 582
Attributes for Predicates ..... 584
Policy Processor ..... 588
Configuring Policy Rules for a Subsystem ..... 589
Step 1. Before You Begin ..... 590
Step 2. Modify Existing Policy Rules ..... 590
Step 3. Delete Unwanted Policy Rules ..... 594
Step 4. Add New Policy Rules ..... 594
Step 5. Reorder Policy Rules ..... 599
Step 6. Restart the Server ..... 600
Step 7. Test Policy Configuration ..... 600
Step A. Enroll for a Certificate ..... 600
Step B. Approve the Request ..... 601
Step C. Check the Certificate Details ..... 601
Using JavaScript for Policies ..... 602
Managing Policy Plug-in Modules ..... 602
Registering a Policy Module ..... 602
Deleting a Policy Module ..... 604
Chapter 19 Setting Up LDAP Publishing ..... 605
Publishing of Certificates to a Directory ..... 605
Timing of Directory Updates ..... 607
Directory Update Process ..... 609
Directory Synchronization ..... 610
Publishing of CRLs ..... 610
What’s a CRL? ..... 611
Reasons for Revoking a Certificate ..... 612
Revocation Checking by Netscape Clients ..... 613
Revocation Checking by Netscape Servers ..... 613
Publishing of CRLs to an LDAP Directory ..... 614
CRL Issuing Points ..... 615
Configuring a Certificate Manager to Publish Certificates and CRLs ..... 615
Step 1. Before You Begin ..... 616
Step 2. Set Up the Directory for Publishing ..... 618
Step A. Verify the Directory Schema ..... 618
Step B. Add an Entry for the CA ..... 619
Step C. Identify an Entry That Has Write Access ..... 621
Step D. Verify Entries for End Entities ..... 621
Step E. Specify the Directory Authentication Method ..... 622
Step F. Modify the Certificate Mapping File ..... 632
Step G. Restart Directory Server ..... 636
Step 3. Configure the Certificate Manager to Publish Certificates ..... 636
Step A. Modify the Default Mappers, Publishers, and Publishing Rules ..... 636
Step B. Add Mappers, Publishers, and Publishing Rules ..... 642
Step 4. Configure the Certificate Manager to Publish CRLs ..... 648
Step A. Specify CRL Details ..... 649
Step B. Set the CRL Extensions ..... 651
Step C. Create a Mapper for the CRL ..... 652
Step D. Create a Publisher for the CRL ..... 653
Step E. Create a Publishing Rule for the CRL ..... 655
Step 5. Identify the Publishing Directory ..... 656
Step 6. Test Certificate and CRL Publishing ..... 658
Step A. Decide a Directory Entry for Requesting a Certificate ..... 659
Step B. Request a Certificate ..... 659
Step C. Approve the Request ..... 659
Step D. Download the Certificate to the Browser ..... 660
Step E. Check if the Directory Has the Certificate ..... 660
Step F. Revoke the Certificate ..... 661
Step G. Check the Directory for the CRL ..... 662
Manually Updating Certificates and CRLs in a Directory ..... 662
Manually Updating Certificates in the Directory ..... 663
Manually Updating the CRL in the Directory ..... 664
Chapter 20 Publishing Certificates and CRLs to a File ..... 667
Configuring Certificate Manager to Publish to Files ..... 667
Step 1. Before You Begin ..... 668
Step 2. Configure the Certificate Manager ..... 669
Step A. Create a Publisher for the File ..... 669
Step B. Create Publishing Rules for Certificates ..... 671
Step C. Create a Publishing Rule for CRLs ..... 673
Step D. Specify CRL Details ..... 674
Step E. Set the CRL Extensions ..... 676
Step F. Make Sure Publishing is Enabled ..... 678
Step 3. Test Publishing ..... 678
Step A. Request a Certificate ..... 678
Step B. Approve the Request ..... 679
Step C. Download the Certificate to the Browser ..... 680
Step D. Check the File for the Certificate ..... 680
Step E. Revoke the Certificate ..... 682
Step F. Check the File for the CRL ..... 683
Managing Mapper and Publisher Plug-in Modules ..... 685
Registering a Mapper or Publisher Module ..... 685
Deleting a Mapper or Publisher Module ..... 687
Chapter 21 Setting Up an OCSP Responder ..... 689
What’s an OCSP-Compliant PKI Setup? ..... 690
How to Get an OCSP Responder? ..... 692
How Certificate Manager’s OCSP-Service Feature Works ..... 692
How Online Certificate Status Manager Works ..... 693
How to Get OCSP-Compliant Clients? ..... 694
Setting Up a Certificate Manager with OCSP Service ..... 695
Step 1. Before You Begin ..... 695
Step 2. Install OCSP-Compliant Client ..... 696
Step 3. Enable Certificate Manager’s HTTP Port ..... 697
Step 4. Enable Certificate Manager’s OCSP Service ..... 699
Step 5. Configure Certificate Manager for Extensions ..... 700
Step 6. Restart the Certificate Manager ..... 702
Step 7. Test Your CA’s OCSP Service Setup ..... 703
Step A. Turn On Revocation Checking in the Browser ..... 703
Step B. Request a Certificate ..... 704
Step C. Approve the Request ..... 704
Step D. Download the Certificate to the Browser ..... 705
Step E. Make Sure the CA is Trusted by the Browser ..... 705
Step F. Verify the Certificate in the Browser ..... 706
Step G. Check the Status of Certificate Manager’s OCSP Service ..... 706
Step H. Revoke the Certificate ..... 707
Step I. Verify the Certificate in the Browser ..... 707
Step J. Check the Certificate Manager’s OCSP Service Status Again ..... 707
Setting Up a Remote OCSP Responder ..... 708
Step 1. Before You Begin ..... 709
Step 2. Install an OCSP-Compliant Client ..... 710
Step 3. Identify the CA to the OCSP Responder ..... 711
Step 4. Configure the Certificate Manager to Publish CRLs ..... 713
Step A. Specify CRL Format and Publishing Interval ..... 713
Step B. Set the CRL Extensions ..... 715
Step C. Create a Publisher for the CRL ..... 716
Step D. Create a Publishing Rule for the CRL ..... 718
Step E. Make Sure Publishing is Enabled ..... 720
Step 5. Configure Certificate Manager for Required Extension Policies ..... 721
Step 6. Configure the Online Certificate Status Manager ..... 723
Step 7. Restart the Certificate Manager ..... 727
Step 8. Restart the Online Certificate Status Manager ..... 728
Step 9. Verify Certificate Manager and Online Certificate Status Manager Connection ..... 728
Step 10. Test Your OCSP Responder Setup ..... 729
Step A. Turn On Revocation Checking ..... 729
Step B. Request a Certificate ..... 730
Step C. Approve the Request ..... 730
Step D. Download the Certificate to the Browser ..... 731
Step E. Make Sure the CA is Trusted by the Browser ..... 731
Step F. Verify the Certificate in the Browser ..... 732
Step G. Check the Status of Online Certificate Status Manager ..... 732
Step H. Revoke the Certificate ..... 733
Step I. Verify the Certificate in the Browser ..... 733
Step J. Check the Online Certificate Status Manager Status Again ..... 733
Chapter 22 Setting Up Key Archival and Recovery ..... 735
PKI Setup for Key Archival and Recovery ..... 735
Clients That Can Generate Dual Key Pairs ..... 736
Data Recovery Manager ..... 736
Forms for Users and Key Recovery Agents ..... 737
Key Archival Process ..... 737
Why You Should Archive Keys ..... 737
Where the Keys are Stored ..... 738
How Key Archival Works ..... 739
Key Recovery Process ..... 741
Key Recovery Agents and Their Passwords ..... 741
Secret Sharing of Storage Key Password ..... 741
Interface for the Key Recovery Process ..... 742
Local Versus Remote Key Recovery Authorization ..... 743
How Agent-Initiated Key Recovery Works ..... 744
Key Recovery Agent Scheme ..... 747
Changing the Key Recovery Agent Scheme ..... 747
Changing Key Recovery Agents’ Passwords ..... 749
Configuring Key Archival and Recovery Process ..... 751
Step 1. Set Up the Key Archival Process ..... 751
Step A. Deploy Clients That Can Generate Dual Key Pairs ..... 752
Step B. Connect the Enrollment Authority and the Data Recovery Manager ..... 752
Step C. Customize the Certificate Enrollment Form ..... 753
Step D. Configure Key Archival Policies ..... 757
Step 2. Set Up the Key Recovery Process ..... 758
Step A. Verify the m of n Scheme ..... 758
Step B. Facilitate the Key Recovery Agents to Change the Passwords ..... 759
Step C. Determine the Authorization Mode for Key Recovery ..... 759
Step D. Customize the Key Recovery Form ..... 759
Step E. Configure Key Recovery Policies ..... 759
Step 3. Test Your Key Archival and Recovery Setup ..... 760
Step A. Test Your Key Archival Setup ..... 760
Step B. Verify the Key ..... 762
Step C. Delete the Certificate ..... 762
Step D. Test Your Key Recovery Setup ..... 762
Step D. Restore the Key in the Browser’s Database ..... 763
Chapter 23 Managing CMS Logs ..... 765
Introduction to Logs ..... 765
Logs Maintained by the Server ..... 766
Services That Are Logged ..... 767
Log Levels (Message Categories) ..... 768
Log File Locations ..... 769
Log File Naming Conventions ..... 770
Active Log File Naming Convention ..... 770
Rotated Log File Naming Convention ..... 770
Buffered Versus Unbuffered Logging ..... 770
Rotation of Log Files ..... 771
Timing of Log File Rotation ..... 771
Location of Rotated Log Files ..... 772
Deletion of Log Files ..... 772
How to Conserve Disk Space ..... 772
Timing of Log File Deletion ..... 772
Configuring CMS Logs ..... 773
Step 1. Before You Begin ..... 773
Step 2. Modify the Existing Listeners ..... 773
Step 3. Delete Unwanted Listeners ..... 775
Step 4. Create New Listeners ..... 776
Monitoring CMS Logs ..... 779
Monitoring System Logs ..... 780
Monitoring Error Logs ..... 782
Monitoring Audit Logs ..... 784
Using System Tools for Monitoring the Server (Windows NT Only) ..... 786
Logging to Windows NT Event Log ..... 787
Using Event Viewer ..... 787
Avoiding Event Log From Getting Filled ..... 788
Archiving of Rotated Log Files ..... 789
Signing Log Files ..... 790
Managing Log Modules ..... 792
Registering a Log Module ..... 792
Deleting a Log Module ..... 793
Part 4 Issuing and Managing Certificates ..... 795
Chapter 24 Issuing and Managing Server Certificates ..... 797
Certificate Issuance to Servers ..... 797
How the Manual Server Enrollment Process Works ..... 798
Getting Server SSL Certificates for Netscape Servers ..... 800
Getting Certificates for Version 3.x Servers ..... 800
Step 1. Generate the Server Certificate Request ..... 801
Step 2. Submit the Server Certificate Request ..... 802
Step 3. Install Your Server’s SSL Certificate ..... 803
Step 4. Accept a CA as Trusted in Your Server ..... 803
Step 5. Verify Your Server’s SSL and CA Certificates ..... 805
Getting Certificates for Netscape Version 4.x Servers ..... 805
Renewal of Server Certificates ..... 807
Revocation of Server Certificates ..... 807
Chapter 25 Setting Up CEP Enrollment ..... 809
CEP Enrollment ..... 809
CEP Enrollment Using the Script ..... 810
Setting Up CEP Enrollment Manually ..... 811
Step 1. Set Up the Directory for Publishing Certificates and CRLs ..... 812
Step 2. Configure the Certificate Manager for Publishing Certificates and CRLs ..... 813
Step 3. Set Up Automated Enrollment ..... 816
Step 4. Set Up Multiple CEP Services ..... 820
Certificate Issuance to Routers or VPN Clients ..... 821
Step 1. Before You Begin ..... 822
Step 2. Generate the Key Pair for the Router ..... 823
Step 3. Request the CA’s Certificate ..... 824
Step 4. Submit the Certificate Request to the CA ..... 824
Example ..... 825
20 Netscape Certificate Management System Installation and Setup Guide • October 2001
Part 5 Appendix ..... 827
Appendix A Certificate Download Specification ..... 829
  Data Formats ..... 829
    Binary Formats ..... 829
    Text Formats ..... 830
  Importing Certificate Chains ..... 831
  Importing Certificates into Netscape Communicator ..... 831
  Importing Certificates into Netscape Servers ..... 832
  Object Identifiers ..... 832
Glossary ..... 835
Index ..... 851

About This Guide

The Installation and Setup Guide explains how to install, configure, and maintain Netscape Certificate Management System (CMS), and use it for issuing and managing certificates to various end entities, such as web browsers (users), servers, Virtual Private Network (VPN) clients, and Cisco™ routers.
This preface has the following sections:
What’s in This Guide (page 23)
What You Should Already Know (page 26)
Conventions Used in This Guide (page 27)
Where to Go for Related Information (page 28)

What’s in This Guide

This guide covers the topics listed below. You should use this guide in conjunction with the other CMS documentation, such as the guides that explain all the plug-ins and command-line tools provided for Certificate Management System. For a complete list of CMS documentation, see section “Where to Go for Related Information” on page 28.
“About This Guide” Describes what’s covered in this guide, what you should already know, and where to look for more information.
Part 1, “Overview and Demo Installation”
Chapter 1, “Introduction to Certificate Management System” Provides an overview of the Certificate Management System architecture for creating, deploying, and managing certificates.
Chapter 2, “Certificate Enrollment and Life-Cycle Management” Provides sample deployment scenarios.
Chapter 3, “Default Demo Installation” Describes how to set up a simple pilot that demonstrates the basic capabilities of a Certificate Manager.
Part 2, “Planning and Installation”
Chapter 4, “Planning Your Deployment” Reviews basic decisions you should make as you plan your initial deployment.
Chapter 5, “Installation Worksheet” Provides a worksheet you can copy and use to collect the detailed information that you will need to provide during installation and configuration of individual subsystems.
Chapter 6, “Installing Certificate Management System” Describes the procedure for installing CMS subsystems on the basis of the information collected in Chapter 5.
Chapter 7, “Installing and Uninstalling CMS Instances” Describes how to create multiple instances, delete unwanted instances, clone instances, upgrade from a previous CMS version, and so on.
Chapter 8, “Starting and Stopping CMS Instances” Describes how to start, restart, and stop CMS instances.
Part 3, “Configuration”
Chapter 9, “Administration Tasks and Tools” Explains the GUI-based administration tools, Netscape Console and the CMS window.
Chapter 10, “CMS Configuration” Shows a sample configuration file and explains the rules for editing the configuration file.
Chapter 11, “Setting Up Ports” Describes various ports used by a CMS instance and explains how to set up these ports.
Chapter 12, “Setting Up Internal Database” Describes the function of the internal database and explains how to set it up.
Chapter 13, “Managing Privileged Users and Groups” Describes privileged users, their access rights, and how to create them for managing a CMS instance.
Chapter 14, “Managing CMS Keys and Certificates” Describes keys and certificates used by a CMS instance and explains how to renew and reissue them. Also provides information on installing hardware tokens.
Chapter 15, “Setting Up End-User Authentication” Describes authentication methods for different types of CMS users, and explains how to configure a Certificate Manager or Registration Manager to use a specific authentication method for end-user enrollment.
Chapter 16, “Setting Up Automated Notifications” Describes how to enable the automated notification feature—such as notifying agents when a request gets queued and notifying users when their certificates are issued—to ease administration overheads.
Chapter 17, “Scheduling Automated Jobs” Describes how to schedule jobs that automatically perform certain certificate-related tasks at regular intervals—such as removing expired certificates from the directory and notifying users before their certificates expire—to ease administration overheads.
Chapter 18, “Setting Up Policies” Describes how to configure a CMS manager to use policy rules that govern the formulation and issuance of certificate content, such as key size, signing algorithm, validity period, extensions, and so on.
Chapter 19, “Setting Up LDAP Publishing” Provides an overview of LDAP publishing and describes how to configure a Certificate Manager to publish certificates and CRLs to an LDAP directory.
Chapter 20, “Publishing Certificates and CRLs to a File” Describes how to configure a Certificate Manager to publish certificates and CRLs to files for importing to other repositories.
Chapter 21, “Setting Up an OCSP Responder” Provides an overview of an OCSP-compliant PKI and describes how to set one up.
Chapter 22, “Setting Up Key Archival and Recovery” Describes how to archive end users’ encryption private keys and recover them if needed.
Chapter 23, “Managing CMS Logs” Describes how to enable logging, use logs to monitor the server’s activities, and archive log files.
Part 4, “Issuing and Managing Certificates”
Chapter 24, “Issuing and Managing Server Certificates” Describes how to issue SSL server certificates to other servers and manage the certificates.
Chapter 25, “Setting Up CEP Enrollment” Describes how to configure the server to issue router and VPN client certificates.
Part 5, “Appendix”
Appendix A, “Certificate Download Specification” Describes the data formats used by Netscape Communicator 4.x for installing certificates.
Glossary
Summarizes terms used in this guide and other CMS documentation.
What You Should Already Know
This guide is intended for experienced system administrators who are planning to deploy Certificate Management System. CMS agents should refer to the CMS Agent’s Guide for information on how to perform agent tasks, such as handling certificate requests and revoking certificates.
This guide assumes that you
• Are familiar with the basic concepts of public-key cryptography and the Secure Sockets Layer (SSL) protocol:
  - SSL cipher suites
  - The purpose of and major steps in the SSL handshake
• Understand the concepts of intranet, extranet, and Internet security and the role of digital certificates in a secure enterprise. These include the following topics:
  - Encryption and decryption
  - Public keys, private keys, and symmetric keys
  - Significance of key lengths
  - Digital signatures
  - Digital certificates, including various types of digital certificates
  - The role of digital certificates in a public-key infrastructure (PKI)
  - Certificate hierarchies
If you are new to these concepts, we recommend that you read the security-related appendixes (Appendix D and Appendix E) of the accompanying manual, Managing Servers with Netscape Console.
• Are familiar with the role of Netscape Console in managing Netscape version 4.x servers. Otherwise, see the accompanying manual, Managing Servers with Netscape Console.
• Are reading this guide in conjunction with the documentation listed in section “Where to Go for Related Information” on page 28.

Conventions Used in This Guide

The following conventions are used in this guide:
• Monospaced font—This typeface is used for any text that appears on the computer screen or text that you should type. It’s also used for filenames, functions, and examples.
Example: Server Root is the directory where the CMS binaries are kept.
• Italic—Italic type is used for emphasis, book titles, and glossary terms.
Example: This control depends on the access permissions the superadministrator has set up for you.
• Text within “quotation marks”—Indicates cross-references to other topics within this guide.
Example: For more information, see “Issuing a Certificate to a New User” on page 154.
• Boldface—Boldface type is used for various UI components such as captions and field names, and the terminology explained in the glossary.
Example: Rotation frequency. From the drop-down list, select the interval at which the server should rotate the active error log file. The available choices are Hourly, Daily, Weekly, Monthly, and Yearly. The default selection is Monthly.
• Monospaced [ ]—Square brackets enclose parts of a command that are optional.
Example:
PrettyPrintCert <input_file> [<output_file>]
<input_file> specifies the path to the file that contains the base-64 encoded certificate.
<output_file> specifies the path to the file to write the certificate. This argument is optional; if you don’t specify an output file, the certificate information is written to the standard output.
• Monospaced < >—Angle brackets enclose variables or placeholders. When following examples, replace the angle brackets and their text with text that applies to your situation. For example, when path names appear in angle brackets, substitute the path names used on your computer.
Example: Using Netscape Communicator 4.7 or later, enter the URL for the Netscape Administration Server:
http://<hostname>:<port_number>
• /—A slash is used to separate directories in a path. If you use the Windows NT operating system, you should replace / with \ in paths.
Example: Except for the Security Module Database Tool, you can find all the other command-line utilities at this location:
<server_root>/bin/cert/tools
• Sidebar text—Sidebar text marks important information. Make sure you read the information before continuing with a task.
Examples:
NOTE You can use Netscape Console only when Administration Server is up and running.
CAUTION A caution note documents a potential risk of losing data, damaging software or hardware, or otherwise disrupting system performance.
Where to Go for Related Information
This section summarizes the documentation that ships with Certificate Management System, using these conventions:
• <server_root> is the directory where the CMS binaries are kept (which you specify during installation).
• <instance_id> is the ID for this instance of Certificate Management System (specified during installation).
The documentation set for Certificate Management System includes the following:
• Managing Servers with Netscape Console
Provides background information on basic cryptography concepts and the role of Netscape Console. To view the HTML version of this guide, open this file:
<server_root>/manual/en/admin/help/contents.htm
• CMS Installation and Setup Guide (this guide)
Describes how to plan for, install, and administer Certificate Management System. To access the installation and configuration information from within the CMS Installation Wizard or from the CMS window (within Netscape Console), click any help button.
To view the HTML version of this guide, open this file:
<server_root>/manual/en/cert/setup_guide/contents.htm
To view the PDF version of this guide, open this file:
<server_root>/manual/en/cert/pdf/cms45setup.pdf
• CMS Plug-ins Guide
Provides detailed reference information on CMS plug-ins. To access this information from the CMS window within Netscape Console, click any help button.
To view the HTML version of this guide, open this file:
<server_root>/manual/en/cert/plugin_guide/contents.htm
To view the PDF version of this guide, open this file:
<server_root>/manual/en/cert/pdf/cms45plugin.pdf
• CMS Command-Line Tools Guide
Provides detailed reference information on CMS tools. To view the HTML version of this guide, open this file:
<server_root>/manual/en/cert/tools_guide/contents.htm
To view the PDF version of this guide, open this file:
<server_root>/manual/en/cert/pdf/cms45tools.pdf
• CMS Customization Guide
Provides detailed reference information on customizing the HTML-based agent and end-entity interfaces. To view the HTML version of this guide, open this file:
<server_root>/manual/en/cert/custom_guide/contents.htm
To view the PDF version of this guide, open this file:
<server_root>/manual/en/cert/pdf/cms45custom.pdf
• CMS Agent’s Guide
Provides detailed reference information on CMS agent interfaces. To access this information from the Agent Services pages, click any help button.
To view the HTML version of this guide, open this file:
<server_root>/cert-<instance_id>/web/agent/manual/agent_guide/contents.htm
To view the PDF version of this guide, open this file:
<server_root>/manual/en/cert/pdf/cms45agent.pdf
• End-Entity Help
Provides detailed reference information on CMS end-entity interfaces. To access this information from the end-entity pages, click any help button.
To view the HTML version of this guide, open this file:
<server_root>/cert-<instance_id>/web/ee/manual/ee_guide/contents.htm
NOTE Do not change the default location of any of the HTML files; they are used for online help. You may move the PDF files to another location.
For a complete list of CMS documentation, open the <server_root>/manual/index.html file. For the latest information about Certificate Management System, check the CMS Release Notes.