Netscape Certificate Management System Administrator's Guide: Issuing and Managing End-Entity Certificates

Complete Contents
About This Guide
PART 1: Netscape Certificate Management System
Chapter 1: Introduction to Certificate Management System
Chapter 2: Administration Tasks and Tool
Chapter 3: Configuration
PART 2: Managing Certificate Management System
Chapter 4: Installing and Uninstalling Instances
Chapter 5: Starting and Stopping Instances
PART 3: System-Level Configuration
Chapter 6: Configuring Ports, Database, and SMTP Settings
Chapter 7: Managing Privileged Users and Groups
Chapter 8: Keys and Certificates
PART 4: Authentication
Chapter 9: Introduction to Authentication
Chapter 10: Using the PIN Generator Tool
Chapter 11: Configuring Authentication for End Entities
Chapter 12: Developing Authentication Plug-ins
PART 5: Job Scheduling and Notification
Chapter 13: Introduction to Job Scheduling and Notifications
Chapter 14: Configuring Jobs
PART 6: Policies
Chapter 15: Introduction to Policies
Chapter 16: Configuring Policies
PART 7: LDAP Publishing
Chapter 17: Introduction to LDAP Publishing
Chapter 18: Configuring Subsystems for LDAP Publishing
Chapter 19: Publishing CRLs
PART 8: Agent and End-Entity Interfaces
Chapter 20: Introduction to End-Entity and Agent Interfaces
Chapter 21: Customizing End-Entity and Agent Interfaces
PART 9: Logs
Chapter 22: Introduction to Logs
Chapter 23: Managing Logs
PART 10: Issuance and Management of End-Entity Certificates
Chapter 24: Issuing and Managing End-Entity Certificates
Chapter 25: Recovering Encrypted Data
PART 11: Appendixes
Appendix A: Distinguished Names
Appendix B: Backing Up and Restoring Data
Appendix C: Command-Line Utilities
Appendix D: Certificate Database Tool
Appendix E: Key Database Tool
Appendix F: Netscape Signing Tool
Appendix G: SSL Strength Tool
Appendix H: SSL Debugging Tool

Chapter 24 Issuing and Managing End-Entity Certificates

This chapter explains how Netscape Certificate Management System (CMS) issues and manages end-entity certificates.

The chapter has the following sections:

Certificate Issuance to Servers

Certificate Issuance to Routers

Certificate Renewal

Certificate Revocation

Certificate Issuance to Servers

For Certificate Management System to generate a server certificate, it must receive the certificate signing request (CSR) from the server that needs the certificate. This request must be initiated by the administrator of the specific server requiring the certificate.

SSL-enabled servers (or servers that are capable of using certificates for security) provide mechanisms for generating a CSR based on new or existing key pairs. For example, servers that belong to the Netscape's version 4.x server family come with a wizard that walks an administrator through the entire process of requesting a server certificate and installing it in the server's certificate database. For information on this wizard, see "Obtaining and Installing a Certificate" in Managing Servers with Netscape Console.

Once an administrator generates a CSR for a server, he or she must paste it into the appropriate server enrollment form hosted by a Registration Manager or Certificate Manager, and then submit the request. Upon receipt of the request, Certificate Management System responds as follows:

Verifies the validity and authenticity of the request.

The authentication mechanism that Certificate Management System uses is based on the authentication mechanism specified in the enrollment form the administrator uses to submit the certificate request. For example, if the enrollment form was configured to employ directory-based authentication, Certificate Management System checks the configured directory for the appropriate information. On the other hand, if the enrollment form specifies manual authentication, the request gets queued and awaits approval by an agent.

Subjects the request to policy checks.

If the request passes all the policy rules, Certificate Management System generates the server certificate and sends it to the email address specified in the server certificate request (the enrollment form includes a field for the administrator to enter this information). Otherwise, Certificate Management System logs an error message.

Upon receipt of the certificate, the server administrator installs the certificate in the server's certificate database.

How the Manual Server Enrollment Process Works

Figure 24.1 illustrates how Certificate Management System issues a server certificate in a deployment scenario involving a Registration Manager acting as an enrollment authority to a Certificate Manager. The server certificate is requested via a manual enrollment form hosted by the Registration Manager.

Figure 24.1 Server (or site) certificate issuance

These are the steps shown in Figure 24.1:

The server administrator goes to the manual enrollment form hosted by the Registration Manager, pastes in the certificate signing request in PKCS #10 format, completes the other information in the enrollment form, and submits the form.

(If the enrollment port is HTTPS, the administrator should visit the link that delivers the CA's certificate chain and download the chain into the browser that he or she will use for server enrollment.)

The Registration Manager verifies the authenticity of the request. Because the request requires manual authentication, the Registration Manager stores the request in the queue for agent approval.

An agent processes the request and either rejects or approves it.

The Registration Manager picks up the approved request and subjects it to policy checks.

If the request passes the Registration Manager's policy checking, the Registration Manager submits the request to the Certificate Manager for signing. The Certificate Manager verifies the authenticity of the Registration Manager by verifying the certificate presented by it. If it is a trusted Registration Manager, the Certificate Manager accepts the request.

The Certificate Manager subjects the request to its own policy checks.

If the request passes Certificate Manager's policy, it signs the request immediately and returns the certificate to the Registration Manager. The Registration Manager then delivers the certificate to the administrator. Optionally, the Certificate Manager may publish the certificate to the corporate directory.

If the Certificate Manager's policy requires additional information, the administrator will be directed to return later to pick up the certificate. The administrator may need to query the Registration Manager using the certificate request number to see whether the certificate has been issued. Alternatively, the Registration Manager can be configured to email the user when the certificate is ready for pick up. See "Notifications of Certificate Issuance to End Entities".

The Registration Manager delivers the server SSL certificate to the email address specified in the enrollment form. Optionally, the Registration Manager may publish the certificate to the corporate directory.

Getting Server SSL Certificates for Netscape Servers

To enable a server to establish SSL connections, you need to get a certificate that identifies the server. You can get a certificate for a server by submitting a request to Certificate Management System.

To generate the actual request, you (or the server administrator) need to use the server that requires the certificate. This is required because the private key must be stored with the server that will use it.

The following section explains how to request a server SSL certificate for Netscape servers. The instructions apply mainly to requests from servers other than CMS subsystem server--for example, Netscape Enterprise, Administration, and Directory Servers. To request a certificate for a CMS subsystem, follow the instructions in "Getting New Certificates for the Subsystems".

Getting Certificates for Version 3.x Servers

To get a certificate for a server in the Netscape version 3.x server family (for example, Netscape Administration Server 3.x) follow the procedure below:

Step 1. Generate a Server Certificate Request for Your Server

Step 2. Submit the Server Certificate Request to Certificate Management System

Step 3. Install Your Server's SSL Certificate

Step 4. Accept a CA as Trusted in Your Server

Step 5. Verify Your Server's SSL and CA Certificates

Step 1. Generate a Server Certificate Request for Your Server

To generate the certificate signing request for a server:

Open a web browser window.

Go to the Administration Server, and use the Server Selector to access the Server Manager for your server.

Follow the directions presented there to generate a new key pair which you will then get certified (you will use this key pair to generate a certificate signing request).

Alternatively, you can use any other tool provided with your server to generate the key pair; see the documentation for your server.

Once you have generated a key pair, follow the directions presented to generate a certificate signing request (CSR).

In the Certificate Authority field, enter your own email address.

The server mails the request to the address specified in this field.

Submit the form.

The server generates and displays a CSR.

Copy the CSR, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- marker lines, to a text file. For example:

-----BEGIN NEW CERTIFICATE REQUEST-----

MIIBBzCBsgIBADBPMQswCQYDVQQGEwJVUzEoMCYGA1UEChMfTmV0c2NhcGUgRGlyZWN0b3J5IFB1Y mxpY2F0aW9uczEWMBQGA1UEAxMNZHVtcC5tY29tLmNvbTBaMA0GCSqGSIb3DQEBAQU2nfjiMEYCQQ CksMRaLGdfp4m0OiGcgijG5KgOsyRNvwGYW7kfW+8mmijDtZRjYNjjcgpF3VnlsbxbclX9LVjjNLC 57u37XZdAgEDoAAwDQYJKoZIhvcNAQEEBQADQQCYUTnUtCVGyNrYGSfydclqiovxy1fRD1z23zg+e BPK7n85UyE4r5zGZjDsMYr172ytfAFL7DeG83DWzr8Z

-----END NEW CERTIFICATE REQUEST-----

Next, you need to paste this request into the server enrollment form hosted by Certificate Management System.

Step 2. Submit the Server Certificate Request to Certificate Management System

To submit the server certificate request to Certificate Management System:

Open a web browser.

Go to the server enrollment form (the page that allows you to submit a server certificate request).

By default, the enrollment forms are at this location:

https://<host_name>:<end_entity_HTTPS_port> or

http://<host_name>:<end_entity_HTTP_port>

Select the form that you want to use.

By default, Certificate Management System provides forms that employ manual and directory-based authentication. For information on how these forms work, see "How the Manual Server Enrollment Process Works" and "Getting Server SSL Certificates for Netscape Servers".

Complete the request form with the information that Certificate Management System needs to create a certificate for your server.

In general, you will be required to enter the following information:

In the certificate request text area, paste the CSR that you copied to the text file, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- marker lines.

In the contact information section, enter values to identify yourself. These values will be used by the CA, if the need arises. For example, if there are any questions or problems with the certificate request, the CA administrator or agent will use this information to contact you. Also, be sure to enter your email address. This is the address where the CA will send the certificate once it has been issued.

In the additional comments section, enter any additional information that might help the issuing agent process the request. For example, you might want to enter the name of the person who instructed you to obtain a certificate or some other administrative information.

Submit the request.

You should receive notification from Certificate Management System or an issuing agent (depending on which enrollment form you used) when your request is processed. The notification will contain your certificate, along with information on how to install the new certificate into your server. The notification may also mention that you need to install the CA's certificate as a trusted CA. Check the notification message for details.

Step 3. Install Your Server's SSL Certificate

To install the server SSL certificate on your server:

Open a web browser window.

Go to the Administration Server, and use the Server Selector to access the Server Manager for your server.

Follow the directions presented there to install the certificate.

In general, you will be required to specify or enter the following information:

Whether the certificate is for this server. Be sure to select the option that says the certificate is for this server.

A name (or nickname) for the certificate. This name will be displayed in the list of certificates installed on this server.

The certificate, in base-64 encoded format. Open the email sent to you by the CA, locate and copy the portion that begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----, and paste it into the text area in the form.

The encryption alias. Enter the alias for your server.

Follow the prompts and add the certificate to your server's certificate database.

Stop and restart Administration Server for the changes to take effect.

The server decrypts the message, extracts the certificate, and saves it to the directory you specified.

Step 4. Accept a CA as Trusted in Your Server

In both Netscape clients and servers, CAs can be either trusted or untrusted. If a CA is trusted, Netscape clients and servers accept the certificates that have been issued by that CA. For the server to accept (during SSL client authentication) client certificates that have been issued by Certificate Management System, you must import its certificate chain into the certificate database of your server.

To view this chain in a format that can be used by Netscape servers:

Go to the home page of Certificate Management System.

By default, the home page is at this location:

https:// <machine_name>.<your_domain>.<domain>:<end_entity_port>

Click Accept "This Authority in Your Server."

Specify how you want Certificate Management System to display the certificate chain.

You can choose to display the entire certificate chain (in a single block) or individual certificates in the chain. The entire certificate chain is in PKCS #7 format. If you are using an older server that does not recognize the complete certificate chain format, you may need to display each individual certificate in the chain (for example, a version earlier than Netscape server 2.0 releases).

Specify how you want to trust this CA.

You can choose to trust only the CA you are accessing or all authorities whose certificates are included in the chain.

Click Present Certificate Chain.

If you chose to display the whole chain for importing into your server, the certificate chain is displayed in a format similar to this:

-----BEGIN CERTIFICATE-----

MIIBtgYJYIZIAYb4QgIFoIIBpzCCAZ8wggGbMIIBRaADAgEAAgEBMA0GCSqGSIb3DQEBBAUAMFcxC zAJBgNVBAYTAlVTMSwwKgYDVQQKEyNOZXRzY2FwZSBDb21tdW5pY2F0aW9ucyBDb3Jwb3JhdGlvbj EaMBgGA1UECxMRSXNzdWluZyBBdXRob3JpdHkwHhcNOTYxMTA4MDkwNzM0WhcNOTgxMTA4MDkwNzM 0WjBXMQswCQYDVQQGEwJVUzEsMCoGA1UEChMjTmV0c2NhcGUgQ29tbXVuaWNhdGlvbnMgQ29ycG9y YXRpb24xGjAYBgNVBAsTEUlzc3VpbmcgQXV0aG9yaXR5MFowDQYJKoZIhvcNAQEBBQADSQAwRgJBA OBiQPcK8851jjQXA2GBsaKNFg6pYaM3qhQhM0w5EIy6P1ttMjc5MlPIzZHdlgNdQLzaNoLMVKjOV5
sBp+ffkCAQMwDQYJKoZIhvcNAQEEBQADQQCWPU4gI5uaWM3EAbXfhQ

-----END CERTIFICATE-----

Open a new web browser window.

Go to the Administration Server, and use the Server Selector to access the Server Manager for your server.

Follow the directions presented there to install the certificate chain.

In general, you will be required to specify or enter the following information:

Whether the certificate is for this server or a trusted CA. Be sure to select the option that says the certificate is for a trusted certificate authority (CA).

A name (or nickname) for the certificate chain. This name will be displayed in the list of certificates installed on this server.

The certificate chain, in PKCS #7 format. In the original browser window (the window displaying the encoded certificate chain), copy the portion that begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----, and paste it into the message text area in the form.

Save your changes.

Stop and restart your Administration Server.

Step 5. Verify Your Server's SSL and CA Certificates

Before activating your server for SSL connections, you can verify whether you have installed your server's SSL and CA certificates correctly.

Open a web browser window.

Go to the Administration Server, and use the Server Selector to access the Server Manager for your server.

Follow the directions there to get to the area that allows you to manage your server's certificates.

Scroll to the bottom of the list to find the SSL and CA certificate chain you installed (identified by the nicknames you specified).

If you find both of them, your server is ready for SSL configuration. If not, you must go through the steps again to correctly install whichever certificate is missing.

Getting Certificates for Netscape Version 4.x Servers

For Netscape version 4.x servers, you can use the Certificate Setup Wizard provided by Netscape Console to get new certificates, renew existing certificates, and install certificates in the database of a server. For information about this wizard, see to Managing Servers with Netscape Console.

Certificate Issuance to Routers

Cisco routers support the use of certificates for authentication, encryption, and tamper detection by using the IP Security (IPSec) protocol. Certificate Management System supports Cisco's PKI protocol, the Certificate Enrollment Protocol (CEP); this protocol runs over HTTP and provides its own form of encryption. For an overview of certificate authority support for IPSec, see the information available at this URL:

http://www.cisco.com/warp/public/778/security/821_pp.htm

You can issue certificates to routers using Certificate Management System. Routers use certificates to authenticate each other and to establish an encrypted IPSec channel between them; all TCP/IP communication passes through this encrypted channel.

In general, issuing a certificate to a router involves the following steps:

Step 1. Find the Required Information

Step 2. Generate the Key Pair for the Router

Step 3. Request the CA's Certificate

Step 4. Submit the Certificate Request to the CA

Step 1. Find the Required Information

Decide whether you want to submit the certificate request for your router to the Certificate Manager (CA) directly or through a Registration Manager.

Open Netscape Console, and locate the CMS instance that corresponds to the subsystem of your interest. Make sure that the Certificate Manager is started. If you are planning to submit the request via a Registration Manager, make sure that both the Registration Manager and Certificate Manager (to which the Registration Manager forwards its requests) are started.

Open the CMS window, and verify whether the HTTP port is enabled. If it isn't, enable it; see "Configuring Port Numbers". If you are requesting the certificate for an earlier version of router software, make sure that the HTTP port number is set to 80; earlier versions of router software can only connect to port 80.

Note the CEP enrollment URL. It is in this form:

http://<host_name>:<HTTP_port>/cgi-bin/pkiclient.exe

where <host_name> is in the form <machine_name>.<your_domain>.<domain>

Note or print the certificate fingerprint information of the Certificate Manager CA signing certificate. You will be required to compare this with the fingerprint the router will show on the screen.

To locate the fingerprint information:

Go to the end-entity page hosted by the Certificate Manager.

Click the Retrieval tab.

List or search for the CA signing certificate.

Click Details.

Scroll down to the section that says "Certificate fingerprint."

In your router documentation, locate the information specific to requesting certificates for routers. Check the signing algorithm, such as RSA or DSA, and key lengths, such as 512 and 1024, supported by the router. Based on that information, determine the signing algorithm and the key length for the certificate you want to request.

Find out the password that enables you to access the router in privileged mode.

In your router documentation, locate instructions for requesting certificates. You will be required to run the appropriate commands using this documentation.

Step 2. Generate the Key Pair for the Router

Run the appropriate commands for your router, and generate the key pair. You will be required to provide the signing algorithm, such as RSA or DSA, and the key length, such as 512 or 1024. The longer the key length, the more time the router takes to generate the key pair.

Step 3. Request the CA's Certificate

In this part of the operation, you identify the CA to the router, thus enabling the router to authenticate the CA from which it will request the certificate. You also verify whether the router is talking to the right CA; you do this manually.

Here's what you should do:

Run the appropriate command to get the CA certificate.

The command will ask you to specify the following:

An identity for the CA. You can give any identity; choose something you will remember, since you will be required to provide it when you submit the certificate request.

The CA's enrollment URL; this is the enrollment URL you identified in Step 1.

The router gets the CA certificate and displays its fingerprint on your screen.

Verify the fingerprint on your screen with the one you noted down in
Step 1.

If it matches, the router is talking to the right CA.

Step 4. Submit the Certificate Request to the CA

To submit the certificate request to the CA:

Run the appropriate command.

The command will ask you for certain information:

The CA's identity. You specified this in Step 3.

Challenge password. If you enter one, write it down; you will be required to specify this password to revoke the certificate.

The CEP enrollment URL.

Whether you want to include the router's serial number in the request. If you choose to include the serial number, it will be included in the certificate's subject name.

Whether you want to include the router's IP address in the request. If you choose to include the IP address, it will be included in the certificate's subject name.

This step depends on your CA's configuration for router enrollment.

If the CA to which the router submitted the request employs automatic enrollment (or authentication) for routers, the request will get processed by the CA. The CA may return the certificate to the router in the same transaction. If it doesn't, the router checks with the CA at periodic intervals; in the router configuration you can specify how often the router should poll the CA for the certificate and how many attempts it should make. By default, the router checks the CA every minute.

If the CA to which you submitted the request is configured for manual enrollment (or authentication), the request gets queued and awaits approval by an agent.

Important Your router may require additional configuration changes. Be sure to follow the information in your router documentation.

The example below shows the commands and associated outputs for a Cisco router:

# To perform certificate enrollment for a router using CEP, you must be 

# in privileged mode, which you do by typing "enable" first, and then 

# entering the password.

	router> enable

	router% config terminal

	router(config)#crypto key generate rsa

	The name for the keys will be: netscape.mcom.com

	Choose the size of the key modulus in the range of 360 to 2048 for 

		your General Purpose Keys. Choosing a key modulus greater than 512 

		may take a few minutes.

	How many bits in the modulus [512]:

	Generating RSA keys ...

	[OK]

	router(config)#crypto ca identity test-ca

	router(ca-identity)#enrollment url http://ca-hostname.domain.com/

                              cgi-bin/pkiclient.exe

	router(ca-identity)#exit

	router(config)#crypto ca authenticate test-ca

	Certificate has the following attributes:

	Fingerprint: 24D34656 EB830C39 DD9E8179 0A4EBA98

	% Do you accept this certificate? [yes/no]: yes

	router(config)#crypto ca enroll test-ca

	% Start certificate enrollment ..

	% Create a challenge password. You will need to verbally provide this 

		password to the CA Administrator in order to revoke your 

		certificate. For security reasons your password will not be saved 

		in the configuration. Please make a note of it.

	Password:

	Re-enter password:

	% The subject name in the certificate will be: router.domain.com

	% Include the router serial number in the subject name? [yes/no]: yes

	% The serial number in the certificate will be: 08342063

	% Include an IP address in the subject name? [yes/no]: yes

	Interface: ethernet0

	Request certificate from CA? [yes/no]: yes

	% Certificate request sent to Certificate Authority

	% The certificate request fingerprint will be displayed.

	% The 'show crypto ca certificate' command will also show the 		

		fingerprint.

	router(config)# exit

	router#show crypto ca certificates

	CA Certificate

	 Status: Available

	 Certificate Serial Number: 1

	 Key Usage: Not Set

	Certificate

	 Subject Name

		 Name: netscape.mcom.com

		 IP Address: 208.12.63.193

		 Serial Number: 08342063

	 Status: Pending

	 Key Usage: General Purpose

	 Fingerprint:  91D70D7F D8BF0DFA E13F00B0 6EA706A0 00000000

Certificate Renewal

Every certificate issued by Certificate Management System has a validity period that determines its expiration date. If you have configured the Certificate Manager or Registration Manager to use the validity constraints policy (see "Validity Constraints Policy"), the validity period of a certificate is determined by the policy settings at the time the certificate was issued. For a certificate to be valid beyond its expiration date, it must be renewed. Otherwise, the certificate becomes invalid, and the entity owning the certificate will no longer be able to use it. Also, the expired certificate will take up space in your publishing directory and in the internal database of Certificate Management System.

Note The Job scheduler component of Certificate Management System enables you to schedule a job for removing expired certificates from the publishing directory. For details, see "Directory Update and Notification".

Renewal of Client Certificates

Certificate Management System allows end users to renew their certificates by using the certificate renewal form hosted by a Certificate Manager or Registration Manager. End entities can use this form for renewing a single certificate or dual certificates. To renew a certificate, end entities need to present their current certificate (for SSL client authentication) during renewal. For renewal purposes, the server accepts even expired certificates for verifying the end entity.

Certificate Management System comes with a policy plug-in module that allows you to configure both Certificate Manager and Registration Manager to apply specific renewal rules for certificates; you can specify how long a renewed certificates should be valid and how many days before expiration of the current certificate an end entity can renew the certificate. The renewal policy rule, if enabled, also enforces that the certificate presented during client authentication is valid or is expired; it cannot have been revoked. The For more information about this policy module, see "Renewal Validity Constraints Policy".

When a certificate is renewed, Certificate Management System formulates a new certificate with the same public key and other details from the existing certificate; the renewal does not include key changeover. The server, if configured for LDAP publishing, also publishes the new certificate to the publishing directory.

The following steps describe how a Certificate Manager or Registration Manager renews client certificates:

If renewal is done automatically by the life-cycle management module, the server fetches end entities' certificates from its certificate repository, the internal database. If an end entity uses the renewal form, the end entity can request renewal of the authentication certificate only or renewal of all certificates that belong to the end entity with the same subject name as in the authentication certificate. After successful authentication, the server fetches the currently valid certificates for the end entity from its certificate repository.

The server formulates a renewal request based on the certificate being used for renewal.

The server applies its currently configured renewal policies to the request. If the policies require that the request be deferred for agent approval, the server stores the renewal request in the request queue and responds to that end entity indicating that the request is waiting for approval by an agent. If the request is rejected by policy modules, the server sends an error response.

The server formulates a CRMF request for one or more certificates as the case may be using a suitable template.

As an administrator, you can configure a Certificate Manager or Registration Manager to automatically notify end entities to renew their certificates before the current ones expire. If you enable this feature, the subsystem periodically queries the internal database for already expired or about to expire and not renewed already certificates, and alerts the user and you (optional) to imminent certificate expiration. For more information about this feature, see "Certificate Renewal Notifications".

Renewal of Server Certificates

Certificate Management System allows server administrators to renew their certificates by using the server enrollment form hosted by a Certificate Manager or Registration Manager. The renewal process is similar to the enrollment process in that the administrators must manually generate the certificate signing request using the server's key pair, paste that request in the manual enrollment form, and submit the request. For details, see "Certificate Issuance to Servers".

Note For renewing the certificates of a Certificate Manager, Registration Manager, or Data Recovery Manager, see "Renewing Certificates for the Subsystems".

Certificate Revocation

Certificate Management System allows a certificate to be revoked by an end entity (the original owner of the certificate) or by a Certificate Manager or Registration Manager agent. End entities can revoke certificates by using the Revocation form provided in the end-entity services interface. Agents can revoke end-entity certificates by using the appropriate form in the Agent Services interface. Certificate-based authentication (SSL client authentication) is required in both cases.

An end entity can revoke only those certificates that contain the same subject name as in the certificate presented for authentication. After successful authentication, the server lists the certificates belonging to the end entity. The end entity can then select the certificates to be revoked or can revoke all certificates in the list. The end entity can also specify additional details, such as the date of revocation and revocation reason for each certificate or for the list as a whole. For instructions on how end entities revoke their certificates, see the online help associated with the end-entity forms.

Agents can revoke certificates based on a range of serial numbers or based on one or more subject name components. Upon submission of the revocation request, the agent receives a list of certificates from which she or he can pick the ones to be revoked. For instructions on how agents revoke end-entity certificates, see Netscape Certificate Management System Agent's Guide.

Upon receiving the list of certificates to be revoked, the Registration Manager formulates a CMMF request and sends it to the Certificate Manager. The Certificate Manager marks the corresponding certificate records in its certificate store (maintained in the internal database) as revoked and if configured to do so, removes the revoked certificates from the publishing directory and updates the CRL in the publishing directory.

© Copyright 1999 Netscape Communications Corp., a subsidiary of America Online, Inc. All rights reserved.