Netscape Certificate Management System Administrator's Guide
  
Contents
About This Guide

What's in This Guide
Who Should Read This Guide
What You Should Already Know
Conventions Used in This Guide
Where to Go for Related Information
 
Part 1 Netscape Certificate Management System

 
Chapter 1 Introduction to Certificate Management System
Overview
Key Features
System Architecture
LDAP Directory Integration
How the Main Subsystems Function
Entry Points for Various Types of Users
 
Chapter 2 Administration Tasks and Tool
Netscape Console
Console Tab
Users and Groups Tab
Netscape Administration Server
     Starting Administration Server

     Shutting Down Administration Server

Accessing Netscape Console
The CMS Window
Tasks Tab
Configuration Tab
Status Tab
Accessing the CMS Window
 
Chapter 3 Configuration
Effects of Installation Type on Configuration
Duplicating a Configuration from One Instance to Another
Locating the Configuration File
Modifying the Configuration
Changing the Configuration from the CMS Window
Changing the Configuration by Editing the Configuration File
     Guidelines for Editing the Configuration File

     Sample Configuration File

Road Map to Configuring Subsystems
 
Part 2 Managing Certificate Management System

 
Chapter 4 Installing and Uninstalling Instances
Installing Multiple Instances
Viewing Instance Information
Changing the Name of an Instance
Removing an Instance from a System
Uninstalling Certificate Management System
Uninstalling from the Command Line
Uninstalling by Using the Windows NT Add/Remove Programs Utility
 
Chapter 5 Starting and Stopping Instances
Starting Certificate Management System
Required Start-up Information
Starting from Netscape Console
Starting from the Command Line
Starting from the Windows NT Services Panel
Stopping Certificate Management System
Stopping from Netscape Console
Stopping from the Command Line
Stopping from the Windows NT Services Panel
Restarting Certificate Management System
Restarting from the CMS Window
Restarting from the Command Line
Checking System Status
Attending to an Unresponsive Server
CMS Watchdog Process
 
Part 3 System-Level Configuration

 
Chapter 6 Configuring Ports, Database, and SMTP Settings
CMS Ports
Remote Administration Port
Agent Port
End-Entity Ports
Configuring Port Numbers
Specifying IP Addresses for CMS Instances
Internal Database
Configuring the Internal Database
SMTP Settings
 
Chapter 7 Managing Privileged Users and Groups
Privileged-User Types and Responsibilities
Administrators
Agents
     Agent's Certificate for SSL Client Authentication

Trusted Managers
     Subsystems That Can Function as Trusted Managers

     Connectors for Linking Trusted Managers

     Trusted Manager's Certificate for SSL Client Authentication

Groups and Their Privileges
Group for Administrators
Groups for Agents
     Group for Certificate Manager Agents

     Group for Registration Manager Agents

     Group for Data Recovery Manager Agents

Group for Trusted Managers
Setting Up Privileged Users
Setting Up Administrators
     Step 1. Find the Required Information

     Step 2. Add the Information to the Internal Database

Setting Up Agents
     Step 1. Find the Required Information

     Step 2. Add the Information to the Internal Database

     Step 3. Store the Agent's SSL Client Certificate in the Internal Database

     Step 4. Check the Certificate Database for the CA Certificate

Setting Up Trusted Managers
     Setting Up a Registration Manager as a Trusted Manager

     Setting Up a Certificate Manager as a Trusted Manager

Changing Privileged-User Information
Changing a Privileged User's Login Information
Changing a Privileged User's Certificate
Changing Members in a Group
Deleting a Privileged User
 
Chapter 8 Keys and Certificates
Keys and Certificates for the Main Subsystems
Certificate Manager's Key Pairs and Certificates
     CA Signing Key Pair and Certificate

     SSL Server Key Pair and Certificate

Registration Manager's Key Pairs and Certificates
     Signing Key Pair and Certificate

     SSL Server Key Pair and Certificate

Data Recovery Manager's Key Pairs and Certificates
     Transport Key Pair and Certificate

     Storage Key Pair

     SSL Server Key Pair and Certificate

Tokens for Storing Keys and Certificates
Internal Token
External Token
     Installing External Tokens

Managing Tokens Used by the Subsystems
     Viewing Tokens

     Changing a Token's Password

Hardware Cryptographic Accelerators
Certificate Setup Wizard
Using the Wizard to Request a Certificate
     Step 1. Select the Operation

     Step 2. Choose the Certificate

     Step 3. Specify the Key-Pair Information

     Step 4. Specify the Subject Name for the Certificate

     Step 5. Specify the Validity Period

     Step 6. Specify Extensions

     Step 7. Copy the Certificate Signing Request

     Step 8. Check the Certificate Request Status

     Step 9. Send the Certificate Signing Request to a CA

Using the Wizard to Install a Certificate or Certificate Chain
     Data Formats for Installing Certificates and Certificate Chains

     Step 1. Select the Operation

     Step 2. Select the Certificate or Certificate Chain

     Step 3. Specify the Location of the Certificate

     Step 4. View the Certificate or Certificate Chain

     Step 5. Install the Certificate or Certificate Chain

     Step 6. Verify the Certificate Status

Configuring the Server's Security Preferences
Configuring the Server to Use Separate SSL Server Certificates
     Step 1. Get the Required SSL Server Certificates

     Step 2. Update the Configuration

Getting an SSL Client Certificate for a Subsystem
     Step 1. Generate a Key Pair for the Subsystem

     Step 2. Generate a Certificate Signing Request for the Key Pair

     Step 3. Submit the CSR to the CA

     Step 4. Ask an Agent to Approve the Request

     Step 5. Install the Certificate in the Internal Database

     Step 6. Configure the Subsystem to Use This Certificate

Setting Up Cipher Preferences for SSL Communications
     SSL Ciphers Supported in Certificate Management System

     Configuring the Server to Use Specific Ciphers

Getting New Certificates for the Subsystems
Step 1. Plan for the New Certificate
Step 2. Request the New Certificate
Step 3. Install the New Certificate
Step 4. Deploy the New Certificate
     Deploying Certificate Manager's CA Signing Certificate

     Deploying Registration Manager's Signing Certificate

     Deploying Data Recovery Manager's Transport Certificate

     Deploying a Subsystem's SSL Server Certificate

Renewing Certificates for the Subsystems
Step 1. Plan for Certificate Renewal
Step 2. Renew the Existing Certificate
Step 3. Install the Renewed Certificate
Step 4. Deploy the Renewed Certificate
     Deploying Certificate Manager's Renewed CA Signing Certificate

     Deploying Registration Manager's Renewed Signing Certificate

     Deploying Data Recovery Manager's Renewed Transport Certificate

     Deploying a Subsystem's Renewed SSL Server Certificate

Managing the Certificate Database
Viewing the Certificate Database Contents
Deleting a Certificate from the Certificate Database
Changing the Trust Settings of a CA Certificate
Installing a New CA Certificate in the Certificate Database
Installing a CA Certificate Chain in the Certificate Database
 
Part 4 Authentication

 
Chapter 9 Introduction to Authentication
Privileged-User Authentication
Authentication of Administrators
Authentication of Agents
End-Entity Authentication During Certificate Enrollment
Manual Authentication
Directory-Based Authentication
     Plug-in Module for User ID- and Password-Based Authentication

     Configurable Parameters

Directory-Based Authentication with PINs
     Plug-in Module for User ID-, Password-, and PIN-Based

     Configurable Parameters

End-Entity Authentication During Certificate Renewal
End-Entity Authentication During Certificate Revocation
 
Chapter 10 Using the PIN Generator Tool
Locating the PIN Generator Tool
The setpin Command
Command-Line Syntax
     Arguments

     Example

How the Tool Works
Input File
Output File
How PINs Are Stored in the Directory
Exit Codes
Generating PINs
Step 1. Check the Directory for User Entries
Step 2. Update the Directory Schema
     Updating Netscape Directory Server 3.x Schema

     Updating Netscape Directory Server 4.x Schema

Step 3. Prepare the Input File
Step 4. Run the Command Without the Write Option
Step 5. Check the Output File
Step 6. Run the Command Again with the Write Option
Delivering PINs to End Entities
 
Chapter 11 Configuring Authentication for End Entities
Authentication Management
Authentication Management from the CMS Window
     Authentication Instance Tab

     Authentication Plugin Registration Tab

Authentication Parameters in the Configuration File
Authentication Plug-in Implementation and Instance
Managing Authentication Instances
Adding an Authentication Instance
Deleting an Authentication Instance
Modifying an Authentication Instance
Managing Authentication Plug-in Modules
Registering an Authentication Plug-in Module
Deleting an Authentication Plug-in Module
 
Chapter 12 Developing Authentication Plug-ins
Authentication Subsystem Architecture
How the Architecture Works
How Authentication Managers Are Used
Customizing Authentication
Step 1. Decide on an Authentication Scheme
Step 2. Write the Authentication Plug-in Module
     Authentication Manager Plug-in API

     Compiling and Installing Authentication Manager Plug-ins

     Authentication Manager Examples

Step 3. Register the Authentication Manager Plug-in Module
Step 4. Create an Instance of the Authentication Plug-in Module
Step 5. Customize the End-Entity Enrollment Forms
 
Part 5 Job Scheduling and Notification

 
Chapter 13 Introduction to Job Scheduling and Notifications
Built-in Job Plug-in Modules
Certificate Renewal Notifications
     Plug-in Module for Automated Renewal Notifications

Notification of Request Queue Status
     Plug-in Module for Sending Notifications of Request Queue Status

Directory Update and Notification
     Plug-in Module for Removing Expired Certificates from the Directory

Schedule for Executing Jobs
Event-Driven Notifications
Notifications of Certificate Issuance to End Entities
     Configuring a Subsystem to Send Notifications to End Entities

Notification of New Request in Queue
     Configuring a Subsystem to Send Request Queue Notifications

Customizing Notification Messages
Templates for Event-Triggered Notifications
Templates for Summary Notifications
Customizing Message Templates
Tokens Available in Message Templates
     Tokens for Certificate Issuance Notifications to End Entities

     Tokens for Renewal Notification Messages

     Tokens for Request In Queue Notification Messages

     Tokens for Directory Update Notification Messages

 
Chapter 14 Configuring Jobs
Job Management
Job Management from the CMS Window
     Job Instance Tab

     Job Plugin Registration Tab

Job Scheduler Parameters in the Configuration File
Job Plug-in Implementation and Instance
Managing Jobs
Adding a Job
Deleting a Job
Modifying a Job
Setting the Job Scheduler Frequency
Managing Job Plug-in Modules
Registering a Job Plug-in Module
Deleting a Job Scheduler Plug-in
 
Part 6 Policies

 
Chapter 15 Introduction to Policy
What Is Policy?
Policy Rules
Types of Policy Rules
Using Predicates in Policy Rules
     Expression Support for Predicates

     Attributes for Predicates

Policy Processor
Built-in Policy Plug-in Modules
Constraints-Specific Policy Plug-in Modules
     Default Revocation Policy

     DSA Key Constraints Policy

     Key Algorithm Constraints Policy

     Renewal Validity Constraints Policy

     RSA Key Constraints Policy

     Validity Constraints Policy

Extension-Specific Policy Plug-in Modules
     Authority Key Identifier Extension Policy

     Basic Constraints Extension Policy

     CRL Distribution Point Extension Policy

     Key Usage Extension Policy

     Netscape Certificate Type Extension Policy

     Subject Alternate Name Extension Policy

     Subject Key Identifier Extension Policy

 
Chapter 16 Configuring Policies
Policy Management
Policy Management from the CMS Window
     Policy Rules Management Tab

     Policy Plugin Registration Tab

Policy Parameters in the Configuration File
Policy Plug-in Implementation and Rule
Managing Policy Rules
Adding a Policy Rule
Deleting a Policy Rule
Modifying a Policy Rule
Reordering Policy Rules
Managing Policy Plug-in Modules
Registering a Policy Plug-in Module
Deleting a Policy Plug-in Module
 
Part 7 LDAP Publishing

 
Chapter 17 Introduction to LDAP Publishing
What Is LDAP Publishing?
Timing of Directory Updates
Objects Published by the Certificate Manager
Objects Published by the Registration Manager
Directory Update Process
Object-Mapping Rules
     Built-in Mapper Classes

     How Mapping by DN Components Works

Object-Publishing Rules
     Built-in Publisher Classes

Directory Schema Requirements
Required Schema for Publishing End-Entity Certificates
Required Schema for Publishing CA Certificates
Required Schema for Publishing CRLs
Directory Synchronization
 
Chapter 18 Configuring Subsystems for LDAP Publishing
Setting Up the Directory for Publishing
Step 1. Verify the Directory Schema
Step 2. Add an Entry for the CA
Step 3. Identify an Entry That Has Write Access
Step 4. Add Entries for End Entities
Configuring a Certificate Manager for LDAP Publishing
Identifying a Certificate Manager's Publishing Directory
Configuring Mapper and Publisher Classes for the CA Certificate
Configuring Mapper and Publisher Classes for End-Entity Certificates
Configuring a Registration Manager for LDAP Publishing
Identifying a Registration Manager's Publishing Directory
Configuring Mapper and Publisher Classes for End-Entity Certificates
Manually Updating Certificate Information in the Directory
 
Chapter 19 Publishing CRLs
CRL Authorities
CRL Issuing Points
Reasons for Revoking a Certificate
Updating CRLs Automatically
Configuring a Certificate Manager for Publishing CRLs
Updating CRLs Manually
 
Part 8 Agent and End-Entity Interfaces

 
Chapter 20 Introduction to End-Entity and Agent Interfaces
End-Entity Services
How Client Type Determines the End-Entity Interface
Certificate Request Formats Specific to End Entities
Configuring End-Entity Interaction with Subsystems
Enabling End-Entity Interaction with a Certificate Manager
Enabling End-Entity Interaction with a Registration Manager
Agent Services
Certificate Manager Agent Services
Registration Manager Agent Services
Data Recovery Manager Agent Services
Accessing the Agent Services Interface
 
Chapter 21 Customizing End-Entity and Agent Interfaces
What You Need to Know
HTTP, Query URLs, and HTML Forms
JavaScript
How the Forms Work
Requests Sent to the Server
Responses and Output Templates
Errors and the Error Template
Summary of End-Entity Forms and Templates
Locating End-Entity Forms and Templates
Forms for Certificate Enrollment
Forms for Certificate Renewal
Forms for Certificate Revocation
Forms for Certificate Retrieval
Forms for Key Recovery
Other Forms
Output Templates for End-Entity Operations
Summary of Agent Forms and Templates
Structure of the Agent Services Interface
Locating Agent Forms and Templates
 
Part 9 Logs

 
Chapter 22 Introduction to Logs
Logs Maintained by Certificate Management System
Services That Are Logged
Log Levels (Message Categories)
Log File Locations
Log File Naming Conventions
Active Log File Naming Convention
Rotated Log File Naming Convention
Buffered Versus Unbuffered Logging
Rotation of Log Files
Timing of Log File Rotation
Location of Rotated Log Files
Deletion of Log Files
How to Conserve Disk Space
Timing of Log File Deletion
Archiving of Rotated Log Files
 
Chapter 23 Managing Logs
Management of Logs
Log Management from the CMS Window
Log Parameters in the Configuration File
Configuring Logs
Configuring System Logs
Configuring Error Logs
Configuring Audit Logs
Monitoring Logs
Monitoring System Logs
Monitoring Error Logs
Monitoring Audit Logs
Using System Tools for Monitoring the Server (Windows NT Only)
     Logging to Windows NT Event Log

     Using Event Viewer

Signing Log Files
 
Part 10 Issuance and Management of End-Entity Certificates

 
Chapter 24 Issuing and Managing End-Entity Certificates
Certificate Issuance to Servers
How the Manual Server Enrollment Process Works
Getting Server SSL Certificates for Netscape Servers
     Getting Certificates for Version 3.x Servers

     Getting Certificates for Netscape Version 4.x Servers

Certificate Issuance to Routers
     Step 1. Find the Required Information

     Step 2. Generate the Key Pair for the Router

     Step 3. Request the CA's Certificate

     Step 4. Submit the Certificate Request to the CA

Example
Certificate Renewal
Renewal of Client Certificates
Renewal of Server Certificates
Certificate Revocation
 
Chapter 25 Recovering Encrypted Data
PKI Setup for Key Archival and Recovery
Clients That Can Generate Dual Key Pairs
Data Recovery Manager
Forms for Users and Key Recovery Agents
Key Archival Process
Why You Should Archive Keys
Where the Keys Are Stored
How Key Archival Works
Key Recovery Process
Key Recovery Agents and Their Passwords
     Secret Sharing of Storage Key Password

     Interface for the Key Recovery Process

     Local Versus Remote Key Recovery Authorization

How Agent-Initiated Key Recovery Works
Key Recovery Agent Scheme
     Changing the Key Recovery Agent Scheme

     Changing Key Recovery Agents' Passwords

Setting Up Key Archival and Recovery Process
Setting Up the Key Archival Process
     Step 1. Deploy Clients That Can Generate Dual Key Pairs

     Step 2. Connect the Enrollment Authority and the

     Step 3. Customize the Certificate Enrollment Form

     Step 4. Configure Key Archival Policies

     Step 5. Test Your Key Archival Setup

Setting Up the Key Recovery Process
     Step 1. Verify the m of n Scheme

     Step 2. Facilitate the Key Recovery Agents to Change the Passwords

     Step 3. Determine the Authorization Mode for Key Recovery

     Step 4. Customize the Key Recovery Form

     Step 5. Configure Key Recovery Policies

     Step 6. Test Your Key Recovery Setup

 
Part 11 Appendixes

 
Appendix A   Distinguished Names
What Is a Distinguished Name?
Distinguished Name Components
     Root Distinguished Name

     Base Distinguished Name

Role of Distinguished Names in Certificates
     DNs in End-Entity Certificates

     DNs in CA Certificates

     Selecting DNs for Certificates

 
Appendix B   Backing Up and Restoring Data
Before Backing Up and Restoring Data
What Is a Backup?
     Why You Should Back Up Data

     Guidelines for Creating a Backup

What Is a Restore?
     When to Restore Data

     Guidelines for Restoring Data

Backing Up the CMS Configuration and Data
Step 1. Back Up the Configuration Files
Step 2. Back Up the Key Pairs
Step 3. Back Up the Internal Database
Restoring the CMS Configuration and Data
 
Appendix C   Command-Line Utilities
Summary of Command-Line Utilities
Location of Command-Line Utilities
ASCII to Binary Tool
Availability
Syntax
Example
Binary to ASCII Tool
Availability
Syntax
Example
Pretty Print Certificate Tool
Availability
Syntax
Example
Pretty Print CRL Tool
Availability
Syntax
Example
dumpasn1 Tool
 
Appendix D   Certificate Database Tool
Availability
Syntax
Options and Arguments
Usage
Examples
Creating a New Certificate Database
Listing Certificates in a Database
Creating a Certificate Request
Creating a Certificate
Adding a Certificate to the Database
Validating a Certificate
 
Appendix E   Key Database Tool
Availability
Syntax
Options and Arguments
Usage
Examples
Creating a Key Database
Generating a New Key
Displaying Public Key Information
Listing Key IDs
Deleting a Private Key
 
Appendix F   Netscape Signing Tool
Introduction to Netscape Signing Tool
What Is Netscape Signing Tool?
JAR Format and JAR Archives
What Signing a File Means
Object-Signing Certificates
Using Netscape Signing Tool
Getting Ready to Use Netscape Signing Tool
     Setting Up Your Certificate

     Listing Available Certificates

Signing a File
Using Netscape Signing Tool with a ZIP Utility
Tips and Techniques
SignTool Syntax and Options
Command Syntax
Command Options
Command File Syntax
Command File Keywords and Example
Generating Test Object-Signing Certificates
Generating the Keys and Certificate
Using Netscape Signing Tool with Smart Cards
What Is a Smart Card?
Setting Up a Smart Card
Using the -M Option to List Smart Cards
Using Netscape Signing Tool and a Smart Card to Sign Files
Netscape Signing Tool and FIPS-140-1
Using FIPS-140 Mode
Verifying FIPS Mode
Answers to Common Questions
 
Appendix G   SSL Strength Tool
Availability
Syntax
Options and Arguments
Usage
Restricting Ciphers
Export Policy and Step-up
Examples
Example 1
Example 2
Example 3
 
Appendix H   SSL Debugging Tool
Availability
Description
Syntax
Options
Examples
Example 1
     Command

     Output

Example 2
     Command

     Output

Example 3
     Command

     Output

Example 4
     Command

     Output

Usage Tips
 
Index
 

© Copyright 1999 Netscape Communications Corp., a subsidiary of America Online, Inc. All rights reserved.