Netscape Certificate Management System 4.1

Last updated on October 26, 1999


These release notes contain important information about Netscape Certificate Management System, version 4.1. Please read these notes before using the product.

Use of this product is subject to the terms detailed in the license agreement accompanying it.


Contents

CMS Documentation
Software/Hardware Requirements
Packages Used
Installation Procedure
Notes on Features
Known Bugs/Issues for 4.1 Release


CMS Documentation

You can find CMS documentation in the directory named Docs at the top level of the CD. For installation instructions, see Netscape Certificate Management System Installation and Deployment Guide, available as a PDF file at Docs/cs40_dep.pdf. For a summary of the other CMS documentation that is available prior to installation, see Docs/docs_readme.html.

After you run the setup script as described under Installation Procedure below, see <server_root>/manual/en/cert/manual/index.html for a complete list of the documentation installed with the product.

If you are working with files you have downloaded, as opposed to the files on the CD, the Docs directory mentioned above will not be present. Instead, you must first run the setup script, then check <server_root>/manual/en/cert/manual/index.html for the documentation.

For the latest information about Certificate Management System, including current release notes, technical notes, and deployment information, check this URL: http://home.netscape.com/eng/server/cms/


Software/Hardware Requirements

Operating Systems Supported
Windows NT 4.0 with Service Pack 4 and NTFS, Solaris 2.5.1, Solaris 2.6
Other Required Software
  • Netscape Administration Server 4.1 (included)
  • Netscape Directory Server 4.1 (included)
  • Browser software that supports SSL
    Platform and Hard Disk Requirements
    In addition to the requirements listed below, make sure you have ample swap space or virtual memory allocated for the system on which you intend to install the Certificate Management System.

    Solaris Platform Requirements:

    Windows NT Platform Requirements:
    Other Requirements
    On Unix systems, you must install as root in order to use well-known port numbers (such as 443) that are less than 1024. If you do not plan to use port numbers less than 1024, you do not need to install as root. If you plan to run as root, you should also install as root and specify the default run-as user and group, nobody.


    Packages Used
  • Administration Server, version 4.1
  • Directory Server, version 4.1
  • Built with NSS, version 2.6

    Installation Procedure

    For detailed installation instructions, see Netscape Certificate Management System Installation and Deployment Guide, available as a PDF file at Docs/cs40_dep.pdf.

    As explained in the documentation, installation involves four stages:

    If you wish to install a separate stand-alone version of Netscape Console for any reason, you can download it from this site: http://home.netscape.com/eng/server/console/4.1/

    Notes on Features

    An Alpha Build of a Dual-Key Test Bed for Communicator 4.5 NSS Integration Certificate Manager and Registration Manager Subsystems

    Known Bugs/Issues for 4.1 Release

    This section lists various bugs and known issues and provides workarounds for some of them.

    Administration Server Authentication Browser CEP Support
  • For more information about Certificate Enrollment Protocol (used by Cisco routers), including how to publish router certificates to a directory and how to configure automated enrollment for routers, see the CEP Enrollment with Certificate Management System 4.1 document, which is at this URL: http://www.netscape.com/eng/server/cms/41/technotes/cep/cep_setup.html
  • See # 341389 in the Remote Registration Manager section.
    CRLs Directory Server DSA Enrollment Enterprise Server

    Extensions

    The section Step 6. Specify Extensions in Chapter 8, "Keys and Certificates" of Netscape Certificate Management System Administrator's Guide specifies that you can add a custom extension to any of the CMS certificates (such as the CA signing and SSL server certificates) by adding the extension in MIME-64 DER encoded format in the text area of the Certificate Setup Wizard screen when requesting a certificate. The text field provided for pasting the extension in general accepts a single extension, and the documentation doesn't explain how you can add multiple extensions to the request. [# 348097]

    If you want to add multiple extensions, you should use the ExtJoiner provided as a sample in the CMS_SDK package. If you downloaded the CMS binaries from the web site, you will find the CMS_SDK directory where you unpacked/unzipped the binaries (in the same directory in which the setup program is located). If you installed Certificate Management System from a CD, check the CD for the CMS_SDK directory. The ExtJoiner is located here: CMS_SDK/cms_samples/exttools/

    The ExtJoiner is a program that joins a sequence of extensions together so that the final output can be used in the wizard text field for specifying multiple extensions; note that the program doesn't generate an extension, it only joins them. The command syntax for the ExtJoiner is as follows:

    java ExtJoiner <ext_file0> <ext_file1> ... <ext_fileN>
    where <ext_file> specifies the path, including the filename, to files that contain the base-64 encoded DER encoding of an X.509 extension.

    Step 1. Write the appropriate Java programs for the extensions.

    Step 2. Join the extensions using ExtJoiner:

    1. Note the file paths to the files that contain the programs for extensions.
    2. Open a command window.
    3. Run the ExtJoiner, substituting the appropriate file paths. For example, if you have two extension files named myExt1 and myExt2 and have copied them to the same directory as the ExtJoiner, the command would look like this:
       java ExtJoiner myExt1 myExt2

    4. You should see a base-64 encoded blob, similar to the one below, of the joined extensions on screen:
      MEwwLgYDVR0lAQH/BCQwIgYFKoNFBAMGClGC5EKDM5PeXzUGBi2CVyLNCQYFUTiB
      akowGgYDVR0SBBMwEaQPMA0xCzAJBgNVBAYTAlVT
    5. Copy the encoded blob, without any modifications, to a file.

    Step 3. Verify that the extensions are joined correctly before adding them to a certificate request. To do this, first convert the base-64 encoded ASCII data to binary format using the AtoB utility, and then verify the binary data by dumping its contents using the dumpasn1 utility. For information on the AtoB utility see ASCII to Binary Tool and for the dumpasn1 utility see dumpasn1 Tool; both utilities are explained in Appendix C, Command-Line Utilities of Netscape Certificate Management System Administrator's Guide.
    Here's how you would do this verification:
    1. Go to this directory: <server_root>/bin/cert/tools/
    2. Enter this command: AtoB <input_file> <output_file>, substituting <input_file> with the path to the file that contains the base-64 encoded data in ASCII format (from Step 2) and <output_file> with the path to the file to write the base-64 encoded data in binary format.
    3. Next, enter this command: dumpasn1 <output_file>, substituting <output_file> with the path to the file that contains the base-64 encoded data in binary format. Your output should look similar to this:
         0 30   76: SEQUENCE {
         2 30   46:   SEQUENCE {
         4 06    3:     OBJECT IDENTIFIER extKeyUsage (2 5 29 37)
         9 01    1:     BOOLEAN TRUE
        12 04   36:     OCTET STRING
                  :       30 22 06 05 2A 83 45 04 03 06 0A 51 82 E4 42 83
                  :       33 93 DE 5F 35 06 06 2D 82 57 22 CD 09 06 05 51
                  :       38 81 6A 4A
                  :     }
        50 30   26:   SEQUENCE {
        52 06    3:     OBJECT IDENTIFIER issuerAltName (2 5 29 18)
        57 04   19:     OCTET STRING
                  :       30 11 A4 0F 30 0D 31 0B 30 09 06 03 55 04 06 13
                  :       02 55 53
                  :     }
                  :   }

      0 warnings, 0 errors.

    4. If the output doesn't appear right, repeat Step 1 through Step 3 to get the correct output.
    Step 4. Copy the base-64 encoded blob in Step 2 (the output generated by the ExtJoiner) to the wizard screen and generate the certificate or the certificate signing request (CSR), if submitting the request to another CA.
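
    The Step 3 check can also be scripted. The following Python is an added example, not part of the CMS tools or of the original notes: it decodes the joined blob and returns each extension's OID, critical flag and value length, rejecting malformed input. The function names are hypothetical, and the duplicate-OID rejection is an added check based on the X.509 rule that a certificate carries at most one instance of each extension.

```python
import base64
SAMPLE = (  # joined blob shown in Step 2 of these notes
    "MEwwLgYDVR0lAQH/BCQwIgYFKoNFBAMGClGC5EKDM5PeXzUGBi2CVyLNCQYFUTiB"
    "akowGgYDVR0SBBMwEaQPMA0xCzAJBgNVBAYTAlVT")

def check(ok, msg):
    if not ok:
        raise ValueError(msg)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    check(pos + 2 <= len(buf), "truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        check(1 <= n <= 4, "unsupported length form")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    check(pos + length <= len(buf), "value runs past end of data")
    return tag, buf[pos:pos + length], pos + length

def oid_to_text(body):
    """Decode OID content octets (base-128 arcs) to dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def list_extensions(b64_text):
    """Return [(oid, critical, value_length)]; raise ValueError if malformed."""
    der = base64.b64decode("".join(b64_text.split()), validate=True)
    tag, body, end = read_tlv(der, 0)
    check(tag == 0x30 and end == len(der), "expected one outer SEQUENCE")
    found, pos = [], 0
    while pos < len(body):
        tag, ext, pos = read_tlv(body, pos)
        t, oid, p = read_tlv(ext, 0)
        check(tag == 0x30 and t == 0x06 and oid and not oid[-1] & 0x80, "bad OID")
        t, value, p = read_tlv(ext, p)
        critical = t == 0x01 and value != b"\x00"
        if t == 0x01:  # optional BOOLEAN precedes the OCTET STRING value
            t, value, p = read_tlv(ext, p)
        check(t == 0x04 and p == len(ext), "value must be one OCTET STRING")
        name = oid_to_text(oid)
        check(all(name != f[0] for f in found), "duplicate extension " + name)
        found.append((name, critical, len(value)))
    return found
```

    For the sample blob the result matches the dumpasn1 listing above: extKeyUsage (2.5.29.37) marked critical with a 36-byte value, and issuerAltName (2.5.29.18) non-critical with a 19-byte value.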

    Hardware Tokens

    In Netscape Console 4.1, when you choose to add a PKCS #11 module, you are presented with a dialog box (shown below) that allows you to specify the path to the DLL or to the JAR file containing the DLL. You may choose either of the options.
    If you choose JAR as your file type, you are required to provide the path to the JAR file that contains the DLLs. If you choose DLL as your file type, in addition to the path to the DLL you are also required to provide a name for the module you're attempting to install so as to help you identify it easily later.
    The sample figure shows how you would install an nCipher token.
    Installation Internationalization Support Job Scheduling/Notification LDAP Publishing Logging Migration Tool Miscellaneous Performance Policies Remote Registration Manager Renewal of CMS Certificates Request Queue Processing

    Samples and SDKs

    The documentation incorrectly tells you to check the <server_root>/bin/cert/samples/ directory for CMS samples. It also mentions that you can download CMS samples and SDK from the http://home.netscape.com/eng/server/cms/ site.

    The correct location for CMS SDK and sample code is as follows:

    Scalability/Sizing Searching for Certificates Starting/Stopping the Server UI (Netscape Console/CMS Window)

    © Copyright 1999 Netscape Communications Corporation. All Rights Reserved.