Netscape Certificate Management System Administrator's Guide: Introduction to End-Entity and Agent Interfaces

Complete Contents
About This Guide
PART 1: Netscape Certificate Management System
Chapter 1: Introduction to Certificate Management System
Chapter 2: Administration Tasks and Tool
Chapter 3: Configuration
PART 2: Managing Certificate Management System
Chapter 4: Installing and Uninstalling Instances
Chapter 5: Starting and Stopping Instances
PART 3: System-Level Configuration
Chapter 6: Configuring Ports, Database, and SMTP Settings
Chapter 7: Managing Privileged Users and Groups
Chapter 8: Keys and Certificates
PART 4: Authentication
Chapter 9: Introduction to Authentication
Chapter 10: Using the PIN Generator Tool
Chapter 11: Configuring Authentication for End Entities
Chapter 12: Developing Authentication Plug-ins
PART 5: Job Scheduling and Notification
Chapter 13: Introduction to Job Scheduling and Notifications
Chapter 14: Configuring Jobs
PART 6: Policies
Chapter 15: Introduction to Policies
Chapter 16: Configuring Policies
PART 7: LDAP Publishing
Chapter 17: Introduction to LDAP Publishing
Chapter 18: Configuring Subsystems for LDAP Publishing
Chapter 19: Publishing CRLs
PART 8: Agent and End-Entity Interfaces
Chapter 20: Introduction to End-Entity and Agent Interfaces
Chapter 21: Customizing End-Entity and Agent Interfaces
PART 9: Logs
Chapter 22: Introduction to Logs
Chapter 23: Managing Logs
PART 10: Issuance and Management of End-Entity Certificates
Chapter 24: Issuing and Managing End-Entity Certificates
Chapter 25: Recovering Encrypted Data
PART 11: Appendixes
Appendix A: Distinguished Names
Appendix B: Backing Up and Restoring Data
Appendix C: Command-Line Utilities
Appendix D: Certificate Database Tool
Appendix E: Key Database Tool
Appendix F: Netscape Signing Tool
Appendix G: SSL Strength Tool
Appendix H: SSL Debugging Tool

Chapter 20 Introduction to End-Entity and Agent Interfaces

Netscape Certificate Management System (CMS) provides HTML forms-based interfaces for agents and end entities to use in performing certificate- and key-related operations. This chapter introduces these forms and explains how they work. You can use the forms as they are provided out of the box or customize them to meet your organization's requirements.

This chapter has the following sections:

End-Entity Services

Configuring End-Entity Interaction with Subsystems

Agent Services

For details on customizing these forms, see "Customizing End-Entity and Agent Interfaces".

End-Entity Services

Certificate Management System provides HTML forms for the various entities--people, routers, servers, and others--that use certificates to identify themselves and that need to be able to request certificate issuance and management operations. These forms, collectively called the end-entity services interface, use different protocols and life-cycle management procedures for different kinds of end entities. For example, the Certificate Manager provides separate certificate enrollment forms for clients such as Netscape Navigator 3.x, versions of Netscape Communicator later than 4.5, and Microsoft Internet Explorer. The reason for this is that end entities running Navigator 3.x and Communicator versions earlier than 4.5 present an enrollment form based on the use of the HTML tag KEYGEN to generate keys; end entities running Internet Explorer present a form based on PKCS #10, the RSA standard for certificate request syntax.

Figure 20.1 shows the end-entity services interface hosted by a Registration Manager.

Figure 20.1 End-entity services interface

For a summary of the various end entities, protocols, cryptographic algorithms, and key pairs (single or dual) supported by Certificate Management System, see Table 20.1.

For a complete list of the end-entity forms--for enrollment, renewal, retrieval, revocation, and key recovery--that come with Certificate Management System, see "Summary of End-Entity Forms and Templates".

How Client Type Determines the End-Entity Interface

Each type of end-entity form provided by Certificate Management System is served by a servlet. This servlet determines which version of the form to present based on information about the end entity (the type, version, language, and so on), information in the form itself, and other factors.

Each form also specifies both an authentication manager and an output template:

An authentication manager is a configured instance of an authentication plug-in module. When Certificate Management System receives a request from an end entity, it uses the authentication manager specified by the request to determine how to authenticate the end entity. For more information, see "Adding an Authentication Instance".

The output template is an HTML page with embedded JavaScript used to return information from the end entity to the servlet. For more information, see "Responses and Output Templates".

Based on all the information, a form's servlet sends the end entity the version of the form (including the embedded JavaScript code) appropriate for that end entity. For example, in the case of end entities that support the KEYGEN tag, the Certificate Manager or Registration Manager sends a form that uses KEYGEN to generate keys and formulate a certificate request. In the case of end entities that support the Certificate Management Message Format (CMMF) protocol, the Certificate Manager or Registration Manager sends a form that uses a JavaScript API to fully automate both key generation and certificate issuance.

Certificate Request Formats Specific to End Entities

Table 20.1 lists the forms provided by the Certificate Manager and Registration Manager for certificate issuance and life-cycle management operations, and indicates supported authentication mechanisms and request formats.

You can customize any of the default forms and their corresponding servlets and output templates. For details, see "Customizing End-Entity and Agent Interfaces".

Table 20.1 Summary of end-entity forms, authentication mechanisms and certificate request formats


Form for end-entity operation	Authentication mechanism	Supported certificate request formats
Certificate enrollment
Client (end user) certificates	Manual or directory based	KEYGEN for Navigator/Communicator PKCS #10 for Internet Explorer Certificate Request Message Format (CRMF) for future versions of Communicator
Server certificates	Manual or directory based	PKCS #10
Cisco routers	Manual	Certificate Enrollment protocol (CEP)
Certificate renewal
Client (end user) certificates	SSL client authentication	KEYGEN for Navigator/Communicator PKCS #10 for Internet Explorer CRMF for future versions of Communicator
Server certificates	Manual	PKCS #10
Cisco routers	Manual	CEP
Certificate revocation
Client (end user) certificates	SSL client authentication	KEYGEN for Navigator/Communicator PKCS #10 for IE CRMF for future versions of Communicator
Server certificates	Manual	PKCS #10
Cisco routers	Manual	CEP
Encryption private key storage and recovery
Client (end user) certificates	Not applicable	Not supported for clients that can't generate dual key pairs CRMF for future versions of Communicator

Configuring End-Entity Interaction with Subsystems

You can configure end-entity interaction with a Certificate Manager or a Registration Manager, or with both. End entities cannot interact with a Data Recovery Manager directly; they must interact through a Certificate Manager or Registration Manager.

By default, the Certificate Manager is configured for end-entity interaction; the Registration Manager is not configured for end-entity interaction.

Enabling End-Entity Interaction with a Certificate Manager

To enable end-entity interaction with a Certificate Manager:

Access the CMS window (see "Accessing the CMS Window").

Click the Configuration tab.

In the navigation tree, click Certificate Manager.

The General Setting tab appears.

In the Web Access section, check the "Enable end-entity interaction" option if you want end entities to be able to interact with the selected Certificate Manager via the HTTPS port; leave it unchecked to disable end-entity interaction with the server. Note that if you disable end-entity interaction, the Network tab still shows the HTTPS port and allows you to configure it (see "Configuring Port Numbers"). However, you should know that the server ignores this port.

In the Default Signing Algorithm section, select the signing algorithm the Certificate Manager should use for signing certificates. The choices are "MD2 with RSA," "MD5 with RSA," and "SHA1 with RSA," if the CA's signing key type is RSA and "SHA1 with DSA," if the CA's signing key type is DSA. Note that the signing algorithm specified in the Certificate Manager's policy configuration overrides the algorithm you select here. For information on a Certificate Manager's policy configuration, see "Policies".

To save your changes, click Save.

The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.

Enabling End-Entity Interaction with a Registration Manager

To enable end-entity interaction with a Registration Manager:

Access the CMS window (see "Accessing the CMS Window").

Click the Configuration tab.

In the navigation tree, click Registration Manager.

The General Setting tab appears.

In the Web Access section, check the "Enable end-entity interaction" option if you want end entities to be able to interact with the selected Registration Manager via the HTTPS port; leave it unchecked to disable end-entity interaction with the server. Note that if you disable end-entity interaction, the Network tab still shows the HTTPS port and allows you to configure it (see "Configuring Port Numbers"). However, you should know that the server ignores this port.

To save your changes, click Save.

The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.

Agent Services

As an administrator, you can designate privileged users, called agents, for each subsystem. Agents are responsible for the day-to-day operation of requests from end entities. To enable agents to accomplish their duties, Certificate Management System provides a set of HTML forms for Certificate Manager, Registration Manager, and Data Recovery Manager agents. Collectively, these forms are called the Agent Services interface.

Depending on the choices you made during installation, a combination of the following agent services will be installed:

Certificate Manager Agent Services

Registration Manager Agent Services

Data Recovery Manager Agent Services

This section gives an overview of these forms and explains how to access them. For a complete list of the agent forms and output templates that come with Certificate Management System, see "Summary of Agent Forms and Templates". For step-by-step instructions on using the agent forms, see Netscape Certificate Management System Agent's Guide. For information on locating this guide, see "Where to Go for Related Information".

Note that accessing the Agent Services interface is a privileged operation, requiring certificate-based (or strong) authentication. It can be done only by users belonging to authorized agent groups maintained by Certificate Management System in its internal database. For details, see "Agents".

Certificate Manager Agent Services

The Certificate Manager Agent Services interface enables a Certificate Manager agent to interact with the Certificate Manager (the server). Figure 20.2 shows the Certificate Manager Agent Services interface.

Figure 20.2 Certificate Manager Agent Services interface

Using the default forms, a Certificate Manager agent can accomplish tasks such as these:

Listing deferred certificate requests from end entities and process them

Listing certificates issued by the server

Searching for certificates issued by the server

Revoking certificates issued by the server

Updating certificates and certificate revocation lists (CRLs) maintained in the publishing directory

Registration Manager Agent Services

The Registration Manager Agent Services interface enables a Registration Manager agent to interact with the Registration Manager (the server). Figure 20.3 shows the Registration Manager Agent Services interface.

Figure 20.3 Registration Manager Agent Services interface

Using the default forms, a Registration Manager agent can list deferred certificate requests from end entities and process them.

Data Recovery Manager Agent Services

The Data Recovery Manager Agent Services interface enables a Data Recovery Manager agent to interact with the Data Recovery Manager (the server). Figure 20.4 shows the Data Recovery Manager Agent Services interface.

Figure 20.4 Data Recovery Manager Agent Services interface

Using the default forms, a Data Recovery Manager agent can search for and recover end users' encryption private keys from the key archive. (Key recovery requires authorization from key recovery agents; see "Key Recovery Process".)

Accessing the Agent Services Interface

Access to the Agent Services interface is restricted to authorized agents only. For details, see "Agents".

To access the Agent Services interface for a particular subsystem:

Open a web browser.

Go to the page where the Agent Services interface for Certificate Management System is installed.

The default URL for this page is:

https://<host_name>:<agent_port>

<host_name> is in the form <machine_name>.<your_domain>.<domain>

If you have customized Certificate Management System, go to the page containing the agent forms that you would use to submit a request.

In the Agent Services menu, choose the agent services you require:

To access the agent services for the Certificate Manager, click the Certificate Manager Agent Services link.

To access the agent services for the Registration Manager, click the Registration Manager Agent Services link.

To access the agent services for the Data Recovery Manager, click the Data Recovery Manager Agent Services link.

The appropriate interface appears.

© Copyright 1999 Netscape Communications Corp., a subsidiary of America Online, Inc. All rights reserved.