This chapter introduces Netscape Certificate Management System (CMS), a highly configurable set of software components and tools for creating, deploying, and managing certificates. Based on open standards for certificate management, Certificate Management System leverages Netscape Directory Server and Netscape Console to provide a complete, scalable, high-performance certificate management solution for extranets and intranets.
Key Features
System Architecture
Entry Points for Various Types of Users
Employ specific authentication mechanisms for end-entity certificate enrollment, renewal, and revocation.
Specify policy restrictions on certificate-related operations, such as certificate formulation, issuance, renewal, and revocation.
Specify policy restrictions on key-related operations, such as archival and recovery of end users' encryption private keys.
Revoke certificates, and maintain and publish a list of revoked certificates.
Search for certificates issued by the server.
Set up hierarchies of certificate authorities--multiple subordinate CAs chained up to a root CA.
Publish certificate information and the list of revoked certificates to an LDAP-compliant directory, such as Netscape Directory Server, and maintain this information.
With its support for open standards, Certificate Management System gives organizations confidence that they will be able to communicate within a heterogeneous computing environment. Specifically, Certificate Management System does the following:
Supports RSA public-key algorithm for signing and encryption, DSA public-key algorithm for signing, and MD5 and SHA-1 for hashing.
Supports signature and encryption key lengths of up to 2048 bits for domestic use and 512 bits for export use.
Supports multiple formats for certificate requests using related standards, such as HTML (KEYGEN/SPAC), PKCS#10, CMMF, CEP, and HTTP.
Supports certificate formats that encompass certificates for SSL-based client and server authentication, secure Multipurpose Internet Mail Extensions (S/MIME) message signing and encryption, object signing, VPN clients, and Cisco routers. The server can also issue financial certificates for Netscape and Microsoft servers with step-up functionality for export browsers (with appropriate U.S. Department of Commerce approval).
Supports PKCS #12, an industry-standard certificate and key export-import format that encrypts key and certificate information with a user password or passphrase. This format bundles certificates and private keys with passwords and publishes them to LDAP directories for users to download into their client environment.
Publishes certificates and certificate revocation lists (CRLs) to any LDAP-compliant directory over LDAP and HTTP/HTTPS connections.
Supports generation and publication of CRLs conforming to X.509 version 1 and 2.
Certificate Management System includes three servers, the Certificate Manager, Registration Manager, and Data Recovery Manager.
The Registration Manager is an optional component in the PKI; it is a subordinate server to which a Certificate Manager can delegate some certificate management functions. For example, a Registration Manager may perform tasks, such as end-entity authentication and formulation of the certificate request for the Certificate Manager.
The Data Recovery Manager is an optional component in the PKI. It provides key archival and recovery services for end users' encryption private keys.
Certificate Management System lets you separate the registration process from the certificate-signing process with the help of Registration Managers. You can run multiple Registration Managers remotely, all reporting to a single CA--a Certificate Manager--to verify user identities and process certificate signing requests. The remote Registration Managers forward their completed and approved requests to the Certificate Manager for it to sign and issue the certificate automatically.
Certificate Management System can function as a root (or parent) CA (in which case the server signs its own CA signing key as well as other CA signing keys) enabling you to create your own CA hierarchy. You can also install the server to function as a subordinate CA (in which case the server gets its CA signing key signed by another CA) in an existing CA hierarchy.
Certificate Management System can function as a linked CA, chaining up to many third-party or public CAs for validation; this provides cross-company trust, so applications can verify certificate chains outside the company certificate hierarchy.
Certificate Management System supports smart cards and crypto accelerators provided by various third-party vendors of PKCS #11 version 2.1-compliant products. For a complete list of vendors, see the information available at this URL: http://home.netscape.com/cms/v4.0/index.html
Certificates issued by Certificate Management System work with existing Netscape client and server products that support SSL. The certificates also work (out of the box) with a variety of non-Netscape, standards-compliant applications. For a complete list of these products, see the information available at this URL: http://home.netscape.com/cms/v4.0/index.html
Certificate Management System uses a highly scalable, high-performance certificate storage facility--a built-in, preconfigured version of Netscape Directory Server 4.x--enabling you to issue and manage a large number of certificates.
The registration services framework for end entities includes the most commonly expected PKI features: manual, directory-based, and directory- plus PIN-based enrollment; certificate-authenticated renewals and revocations (based on SSL client authentication); certificate life-cycle operations that include automated certificate renewal and expiration notifications. These features are available out of the box for both Certificate Manager and Registration Manager.
Certificate Management System simplifies the details involved in certificate issuance and management with its built-in, configurable, and extensible authentication, policy, job scheduling, and LDAP publishing components. Each of these components come with customizable plug-in modules. For example, you can configure policy modules to determine the outcome of operations, such as certificate formulation (extensions, signing algorithm, key length, validity period, and so on), issuance, renewal, and revocation.
Certificate Management System works seamlessly with any LDAP-compliant directory services for easy distribution of certificates and CRLs, thus lowering the cost of information management. The shared directory architecture enables you to manage users, including their security credentials and other shared data, at a single place. Certificate Management System can do the following:
Integrate certificate-related information with the user and group information that exists in the LDAP directory.
Automatically publish certificates (when they are issued) and CRLs (when created or on a periodic basis) to the LDAP directory, from which they can be easily distributed to clients and servers.
Automatically delete expired and revoked certificates from the directory.
Connect to the directory using password-based (basic), certificate-based (strong) authentication, or both.
To support separate key pairs for signing and encrypting data, Certificate Management System supports generation of dual certificates for end entities capable of generating dual key pairs. If a client makes a certificate request for dual key pairs, the server issues two separate certificates.
If your organization uses S/MIME to encrypt mail messages, you can use the key archival feature offered by Certificate Management System to back up users' encryption private keys. This feature is useful when a key becomes unavailable--as, for instance, in the following cases:
An employee leaves the company, and company officials need to perform an audit that requires gaining access to the employee's encrypted data.
Certificate Management System stores users' encryption private keys in an encrypted key repository. Keys can be retrieved only by authorized key recovery agents. The key repository is encrypted using a Data Recovery Manager's storage private key, which is protected with one or more recovery agents' passwords. Only these designated recovery agents can authorize and initiate a key recovery process.
Certificate Management System maintains audit trails for all events--certificate requests and issuance, revocation requests, CRL publication, and so on. These audit records enable you to detect any unauthorized access or activity. In addition, extensive system and error logs record various events and system errors so that you can monitor and debug the system. All log records are stored in your local file system for quick and easy retrieval.
Certificate Management System allows you to sign log files digitally before archiving them or distributing them for audit purposes. This feature enables you to check whether the log files were tampered with after being signed.
The Java-based software development kit (SDK) provided with Certificate Management System includes APIs for customizing different aspects of the system. You can write the following custom modules:
Policy--for setting the rules applied by the individual subsystems.
Jobs--for PKI-related jobs that run with the individual systems.
Mapper and publisher classes--for publishing certificates and CRLs to an LDAP-compliant directory.
Gateway for end-entity and agent forms or HTTP interfaces--for customizing end-entity and agent interfaces.
Certificate Management System provides an easy migration path from Netscape Certificate Server 1.0x. The server includes a command-line-based migration tool that extracts the contents of a Certificate Server 1.0x database, including keys and certificates, and puts them in three platform-independent files. You then import the contents of these files into the internal database of Certificate Management System.
An installation wizard automates the installation and initial configuration process, helping you install Certificate Management System quickly and easily. Then after installation, you can locally or remotely administer Certificate Management System from various computers on your network (using the encryption, message integrity, and authentication services of SSL) with the help of an administration interface called the Certificate Management System window or the CMS window.
Registration Manager
Data Recovery Manager
Policy
Job scheduling and notification
Logging
LDAP publishing
Internal database
Figure 1.1 Certificate Management System architecture
Table 1.1 Certificate Management System components
Certificate Management System can function very closely with an LDAP-compliant directory, such as Netscape Directory Server, that organizations typically use to maintain corporatewide data about user and group accounts and other network resources. You can set up Certificate Management System to automatically publish certificate information and CRLs to a directory. The advantage of publishing certificates and CRLs to the directory is multifold:
If you are using S/MIME-enabled clients (for example, Netscape Communicator), publishing all certificates to a central directory enables your users to import others' certificates from the global directory.
Figure 1.2 Seamless integration with any LDAP-compliant directory
Independent CAs can issue and manage certificates to their users listed in any LDAP-compliant directory.
You can install the Certificate Manager and Data Recovery Manager together in the same instance or separately in two different instances. Installation in separate instances requires additional configuration to connect the two subsystems together.
If they are under separate server groups, then they use separate instances of Netscape Administration Server installed for those groups. The login URL for Netscape Console will be different for the subsystems.
Figure 1.3 Entry points for different types of users
Table 1.2 Certificate Server user-entry points
Previous
