Netscape Certificate Management System Administrator's Guide:

Complete Contents
About This Guide
PART 1: Netscape Certificate Management System
Chapter 1: Introduction to Certificate Management System
Chapter 2: Administration Tasks and Tool
Chapter 3: Configuration
PART 2: Managing Certificate Management System
Chapter 4: Installing and Uninstalling Instances
Chapter 5: Starting and Stopping Instances
PART 3: System-Level Configuration
Chapter 6: Configuring Ports, Database, and SMTP Settings
Chapter 7: Managing Privileged Users and Groups
Chapter 8: Keys and Certificates
PART 4: Authentication
Chapter 9: Introduction to Authentication
Chapter 10: Using the PIN Generator Tool
Chapter 11: Configuring Authentication for End Entities
Chapter 12: Developing Authentication Plug-ins
PART 5: Job Scheduling and Notification
Chapter 13: Introduction to Job Scheduling and Notifications
Chapter 14: Configuring Jobs
PART 6: Policies
Chapter 15: Introduction to Policies
Chapter 16: Configuring Policies
PART 7: LDAP Publishing
Chapter 17: Introduction to LDAP Publishing
Chapter 18: Configuring Subsystems for LDAP Publishing
Chapter 19: Publishing CRLs
PART 8: Agent and End-Entity Interfaces
Chapter 20: Introduction to End-Entity and Agent Interfaces
Chapter 21: Customizing End-Entity and Agent Interfaces
PART 9: Logs
Chapter 22: Introduction to Logs
Chapter 23: Managing Logs
PART 10: Issuance and Management of End-Entity Certificates
Chapter 24: Issuing and Managing End-Entity Certificates
Chapter 25: Recovering Encrypted Data
PART 11: Appendixes
Appendix A: Distinguished Names
Appendix B: Backing Up and Restoring Data
Appendix C: Command-Line Utilities
Appendix D: Certificate Database Tool
Appendix E: Key Database Tool
Appendix F: Netscape Signing Tool
Appendix G: SSL Strength Tool
Appendix H: SSL Debugging Tool

Appendix A Distinguished Names

This appendix explains what a distinguished name is and how Netscape Certificate Management System (CMS) uses distinguished names to automatically update certificate information in your corporate LDAP directory.

The appendix has the following sections:

What Is a Distinguished Name?

Role of Distinguished Names in Certificates

For the most part, the information presented in this appendix is specific to Netscape Directory Server, an LDAP-compliant directory.

What Is a Distinguished Name?

Distinguished names (DNs) are string representations that uniquely identify users, systems, and organizations. In general, DNs are used in LDAP-compliant directories, such as Netscape Directory Server. In Certificate Management System, you use DNs to identify the owner of a certificate and the authority that issued a certificate.

Note If you are using an LDAP directory in conjunction with Certificate Management System, the DNs in your certificates should match the DNs in your directory.

Distinguished Name Components

A DN identifies an entry in an LDAP directory. Because directories are hierarchical, DNs identify the entry by its location as a path in a hierarchical tree (much as a path in a file system identifies a file). Generally, a DN begins with a specific common name, and proceeds with increasingly broader areas of identification until the country name is specified. DNs are typically made up of the following components (which are defined in the X.520 standard):

CN=common name, [OU=organizational unit, O=organization, L=locality, ST=state or province], C=country name

These components are described in Table 25.1.

Table 25.1 Definitions of standard DN components


Component	Name	Definition
CN	Common name	A required component that identifies the person or object defined by the entry. For example: CN=Jane Doe CN=myhost.mydomain.dom
E (deprecated)	Email address	Identifies the email address of the entry. The use of this component is discouraged.
OU	Organizational unit	Identifies a unit within the organization. For example: OU=Sales OU=Manufacturing
O	Organization	Identifies the organization in which the entry resides. For example: O=Netscape Communications Corporation O=Public Power & Gas
L	Locality	Identifies the place where the entry resides. The locality can be a city, county, township, or other geographic region. For example: L=Mountain View L=Pacific Northwest L=Anoka County
ST	State or province name	Identifies the state or province in which the entry resides. For example: ST=California ST=British Columbia
C	Country	Identifies the name of the country under which the entry resides. For example: C=US C=GB

Important If used in conjunction with an LDAP-compliant directory, Certificate Management System does not recognize components that are not listed here.

Root Distinguished Name

The root distinguished name, or root DN, is the first, or top-most, entry in an LDAP directory tree. In Netscape Directory Server, the root DN is commonly referred to as the directory manager. By default, the root DN uses no suffix; it is simply a common name attribute-data pair: CN=Directory Manager. For example, the root entry's DN could look like this: CN=Directory Manager, O=Netscape Communication Corporation, C=US. §

Base Distinguished Name

The base distinguished name, or base DN, identifies the entry in the directory from which searches initiated by LDAP clients occur; the base DN is often referred to as the search base. For example, if you specify a base DN of OU=people, O=airius.com for a client, the LDAP search operation initiated by the client examines only the OU=people subtree in the O=airius.com directory tree.

Typically, an LDAP search consists of the following components:

The base DN--for example, O=Netscape, C=US, which initiates a subtree search through all entries below this entry in the directory (in other words, all entries with the suffix O=Netscape, C=US).

The search type, which can be a base search (only the entry specified by the base DN is searched), a one-level search (only entries one level below the base entry are searched), or a subtree search (all entries at all levels below the base entry are searched).

The search filter, which specifies the search criteria applied to each entry within the scope of the search.

When Certificate Management System is configured for LDAP publishing, the search point and search criteria are determined by the configuration parameter values; for details, see information about the mapper or publisher classes in "Directory Update Process". In the absence of a base DN value, Certificate Management System uses DN components in the certificate's subject name to construct the base DN so that it can search the directory in order to publish to or update the appropriate directory entry.

Typically, when you configure Certificate Management System for LDAP publishing, you set the base DN value to Directory Manager, so that it can use the publishing directory's root entry to start searching. This way, the entire directory tree is searched.

Role of Distinguished Names in Certificates

In certificates issued by Certificate Management System, DNs are used to identify the entity that owns the certificate. In all cases, if you are using Certificate Management System with a directory, the format of the DNs in your certificates should match the format of the DNs in your directory. It is not necessary that the names match exactly; certificate mapping allows the subject DN in a certificate to be different from the one in the directory. For more information, see "Object-Mapping Rules".

DNs in End-Entity Certificates

In end-entity certificates issued by Certificate Management System, DNs are used to identify the end entity that owns the certified key pair. The end entity is one of the following:

The individual who owns the certified key pair (for personal or client certificates--to form this type of DN, use the CN component to specify the user's full name:

CN=<user's_full_name>, OU=<user's_division_name>, O=<company_name>, C=<country_name>

For example:

CN=Jane Doe, OU=Human Resources, O=Ace Industries, C=US

The server that owns the certified key pair (for SSL server certificates)--to form this type of DN, use the CN component to specify the server's fully qualified host name in the form <machine_name>.<your_domain>.<domain>:

CN=<host_name>, OU=<division_name>, O=<company_name>, C=<country_name>

For example:

CN=cert.netscape.com, OU=Human Resources, O=Ace Industries, C=US

When clients such as Netscape Navigator receive a server certificate, they expect the CN component of the certificate's subject to match the host name in the URL. If the name in the certificate and the host name of the server do not match, Navigator notifies the user and gives the user the choice of not connecting to the server.

For example, if Navigator goes to the URL https://cert.netscape.com and receives a certificate from the server, it expects the CN component of the certificate's subject to be cert.netscape.com. If the CN component has a different value (for example, certificate.netscape.com), Navigator notifies the user that the certificate's subject name does not match the host name in the URL.

DNs in CA Certificates

In CA certificates issued by Certificate Management System (for both root and subordinate CAs), DNs are used to identify the authority who owns the certified key pair.

To form this type of distinguished name, use the CN component to specify the name of your CA:

CN=<CA_name>, O=<company_name>, C=<country_name>

For example:

CN=Ace Industries Certificate Authority, O=Ace Industries, C=US

Selecting DNs for Certificates

Figure 25.4 illustrates the structure of distinguished names you might select for CA certificates, server certificates, and personal certificates.

Figure 25.4 Sample directory hierarchy

© Copyright 1999 Netscape Communications Corp., a subsidiary of America Online, Inc. All rights reserved.