A
accelerators 198
active logs
default file location 572
naming convention 573
See also logging
adding
new authentication instances 311, 317
relationship with enrollment forms 317
new jobs 383, 387
new policy rules 461, 468
Administration Server 51
relationship to Netscape Console 51
relationship to server root 51
starting 52
from Netscape Console 52
from the command line 52
from the Windows NT Services panel 52
stopping 53
from Netscape Console 53
from the command line 53
from the Windows NT Services panel 53
administrators
common tasks 58
deleting 181
designated group 146
modifying 175
group membership 179
login information 176
port used for operations 122
See also ports
role defined 134
setting up 150
tools provided
CMS window 55
Netscape Console 48
agents
authorizing remote key recovery 632
deleting 181
designated groups 147
forms for 563
locating forms and templates for 564
modifying 175
certificate information 178
group membership 179
login information 176
port used for operations 123
See also ports
role defined 135
setting up 152
SSL client certificates for 137
See also Agent Services interface
Agent Services interface 541
for Certificate Manager agents 541
for Data Recovery Manager agents 543
for Registration Manager agents 542
how to access 544
URL for 123
who can access 541
archive
See backup
archiving
rotated log files 576
users' encryption private keys 623
ASCII to Binary tool 676
example 677
supported platforms 676
syntax 677
Audit log
defined 569
how to configure 585
how to monitor 592
logging to Windows NT event log 594
See also logging
authentication
built-in modules 265
directory- and PIN-based 275
directory-based 268
manual 266
See also PIN Generator tool
defined 259
developing custom plug-ins 333
API for 334
compiling 335
installing 335
samples 339
difference between plug-in implementation and instance 314
during certificate enrollment 265
during certificate renewal 282
during certificate revocation 283
for administrators 260
for agents 262
for end entities 265
managing from CMS window 310
subsystem architecture 330
how it works 331
authentication instances
adding new 311, 317
relationship with enrollment forms 317
deleting 311, 322
how they're used 332
modifying 311, 322
naming 317
authentication modules
deleting 313, 327
developing new 329
how they're used 332
registering new ones 312, 325
Authority Key Identifier extension policy 432
B
backing up
CMS configuration 668
CMS data 668
backup
defined 666
guidelines for creating 666
reasons for creating 666
base DN 661
Basic Constraints extension policy 435
Binary to ASCII tool 677
example 678
supported platforms 677
syntax 677
buffered logging 574
built-in plug-in modules
See plug-in modules
C
CA signing certificate 184
changing trust settings of 250
deleting 249
getting a new one 232
nickname 185
renewing 239
viewing details of 247
certificate chains
getting 559
installing in the certificate database 215
why you should install 255
certificate database
how to manage 246
what it contains 246
where it's maintained 246
Certificate Database tool 232, 240
certificate enrollment
supported authentication mechanisms 536
supported request formats 536
Certificate Enrollment Protocol (CEP) 613
certificate issuance
to routers 613
an example 617
to servers 603
manual enrollment 604
Netscape 3.x servers 607
Netscape 4.x servers 612
Certificate Manager
configuring
for LDAP publishing 507
for publishing CA certificate 511
for publishing CRLs 527
for publishing end-entity certificates 513
publishing directory 508
SMTP settings for notifications 131, 132
to use separate SSL server certificates 224
to use specific ciphers 230
connecting to a Data Recovery Manager 167
enabling interaction with end entities 538
enrollment forms for 556
interface for agents 541
key pairs and certificates
CA signing certificate 184
getting new ones 232
list of 184
renewing existing ones 239
SSL server certificate 186
logging to Windows NT event log 594
manual updates to publishing directory 520
specifying IP address for 127
what to do if not responding 116
certificate renewal 619
authentication during 282
of client certificates 619
of server certificates 621
supported authentication mechanisms 536
supported request formats 536
certificate request
result of policy processing 408
certificate request formats 536
for enrollments 536
for key archival and recovery 537
for renewals 536
for revocations 537
certificate revocation
authentication during 283
reasons for 525
supported authentication mechanisms 537
supported request formats 537
certificates
expired
publishing to the directory 529
revocation reasons 525
revoking 523
Certificate Setup Wizard 199
using to install certificate chains 215
using to install certificates 215
supported data formats 216
using to request certificates 200
changing
CMS instance name 98, 99
character set for the name 96
format for the name 98
group members 179
port numbers 125
See also ports
trust settings in certificates 250
why would you change 250
changing passwords 107, 118
checking CMS status 115
ciphers
configuring 230
defined 228
list of 229
step-up program for international export browsers 230
supported on the server side 228
which ones to choose 229
classpath for adding plug-ins 335
client certificate renewal 619
CMS configuration
how to backup 668
See also configuration file
CMS data
how to backup
where it's stored 128
CMS feature list 33
CMS instance
changing the name 98, 99
character set for the name 96
format for the name 98
creating multiple instances 94
removing 99
viewing information 96
file location 97
installation date 97
on/off status 98
security level 98
version number 98
CMS watchdog 117
CMS window
Configuration tab 58
configuring authentication 310
configuring jobs 382
configuring LDAP publishing 507, 515
configuring network settings 121
configuring policies 460
how to launch 63, 65
introduction 55
managing logs 578
Status tab 63
Tasks tab 57
using to manage policies 468
who can launch 65
command-line utilities 673
ASCII to Binary 676
Binary to ASCII 677
dumpasn1 683
killproc tool 116, 675
location 676
PIN Generator 285
Pretty Print Certificate 678
Pretty Print CRL 681
some guidelines 675
summary table 673
configuration
road map 83
ways to modify 71
configuration file 67
copying from one instance to another 70
effects of installation on 68
format 73
format for localizable values 74
guidelines for editing 73
how subsystem-specific parameters are distinguished 73
location 71
name 67
sample 74
shared parameters 68
ways to modify
by editing the file 72
from CMS window 71
what is ignored by the server 73
what it controls 68
when created 67
Configuration tab 58
tasks you can accomplish 58
configuring logs 581
Audit log 585
Error log 583
System log 581
See also logging 581
connecting subsystems 141, 158
connection types 143
connectors 143
why would you do this 141
constraints-specific policy modules 409
default revocation 411
DSA key 413
key algorithm 416
renewal validity 419
RSA key 422
validity 426
conventions used in this book 25
core features 33
creating multiple CMS instances 94
CRL Distribution Point extension 524
CRL Distribution Point extension policy 438
CRLs
defined 523
extensions 527
issuing or distribution points 524
publishing
configuring a Certificate Manager for 527
directory entry for publishing 527
directory for publishing 527
expired certificates 529
specifying allowed extensions 529
specifying interval 529
specifying signing algorithm 529
things you need to know 526
what happens to the old CRL 527
supported versions 527
updating manually 529
who's allowed to do this 530
when automated updates take place 526
who generates it 524
D
data formats for installing certificate chains 216
binary 216
text 217
data formats for installing certificates 216
binary 216
text 217
Data Recovery Manager
configuring
to use separate SSL server certificates 224
to use specific ciphers 230
connecting to a Certificate Manager 167
connecting to a Registration Manager 158
interface for agents 543
key pairs and certificates
getting new ones 232
list of 190
renewing existing ones 239
SSL server certificate 191
storage key pair 191
transport certificate 190
logging to Windows NT event log 594
setting up
key archival 641
key recovery 651
specifying IP address for 127
what to do if not responding 116
default revocation policy 411
deleting
authentication instances 311, 322
authentication modules 313, 327
certificates from the token 249
precaution 249
job modules 384, 398
jobs 383, 391
policy modules 463, 481
policy rules 461, 472
privileged users 181
rotated log files 575
developing custom plug-ins
classpath 335
developing plug-ins
for authentication 333
API 334
compiling 335
installing 335
samples 339
directory
removing expired certificates from 358
schema for PINs 300
setting up for LDAP publishing 504
directory-based authentication 268
user ID, password, and PIN 275
user ID and password 268
distinguished name (DN)
base DN 661
components 660
defined 659
guidelines for choosing DNs 664
role in certificates 662
CA certificates 664
end-entity certificates 663
root DN 661
documentation
conventions followed 25
where to find 27
DSA key constraints policy 413
dumpasn1 tool 683
E
end entities
enabling interaction with a Certificate Manager 538
enabling interaction with a Registration Manager 539
forms provided for 533
generating PINs for 299, 300
locating forms and templates 555
port used for operations 124
See also ports
publishing certificates to a directory 513, 518
supported request formats 536
end-entity certificates
renewal 619
revocation 621
end-entity forms 553
for enrollment 555
for renewal 557
for retrieval 558
for revocation 557
end-entity templates 561
enrollment forms
for Certificate Managers 556
for end users 555
for object signing certificates 556
for Registration Managers 556
for servers 555
specifying authentication 317
Error log
defined 568
how to configure 583
how to monitor 589
See also logging
event log
logging audit and system messages 594
expired certificates
publishing them to the directory 529
removing from the directory 358
extension-specific policy modules 431
authority key identifier 432
basic constraints 435
CRL distribution point 438
key usage 446
list of 431
Netscape certificate type 449
subject alternate name 453
subject key identifier 455
external tokens
defined
installing 194
viewing contents of 247
F
filenames
for active log files 573
for rotated log files 573
flush interval for logs 574
fonts used in this book 25
forms
See HTML forms
G
generating PINs for end entities 299, 300
getting new certificates for subsystems 232
groups
changing members 179
defined 146
for administrators 146
for agents 147
for trusted managers 149
where they're maintained 146
guidelines
for creating backups 666
for restoring 667
H
hardware accelerators 198
hardware tokens
See external tokens
host name
for mail server used for notifications 132
how to check whether CMS is on or off 115
how to search for keys 627
HTML forms
for agents 541, 563, 564
for end entities 533, 555
for enrollment 555
for renewal 557
for retrieval 558
for revocation 557
I
installation date 97
installing external hardware tokens 194
installing multiple CMS instances 94
internal database
default host name 130
precaution for changing the host name 130
defined 128
how to distinguish from other Directory Server instances 129
name format 129
schema 129
what you shouldn't do 129
what is it used for 128
when installed 129
internal tokens
viewing contents of 247
IP address 127
issuing certificates
to routers 613
an example 617
to servers 603
manual enrollment 604
Netscape 3.x servers 607
Netscape 4.x servers 612
J
job modules
deleting 384, 398
registering new ones 384, 396
jobs
adding new 383, 387
built-in modules 346
RenewalNotificationJob 346, 347
RequestInQueueJob 346, 353
UnpublishExpiredJob 347, 358
compared to plug-in implementation 387
configuration parameters 385
created during installation 392
deleting 383, 391
managing from CMS window 382
modifying 383, 391
naming 387
setting frequency 394
specifying schedule for 363
turning on scheduler 394
K
key algorithm constraints policy 416
key archival 626
how it works 627
how keys are stored 627
how to set up 641
PKI setup required 624
required format for requests 537
where keys are stored 626
why you should archive 626
key features 33
key recovery 629
designated agents
See key recovery agents
how to set up 651
interface for agents 631
local vs. remote 632
key recovery agents
passwords 630
significance 630
when specified the first time 630
responsibilities 630
role defined 630
Key Usage extension policy 446
killproc tool 116, 675
L
LDAP publishing
advantages 485
configuring a Certificate Manager 507
directory identity 508
rules for CA certificate 511
rules for end-entity certificates 513
configuring a Registration Manager 515
directory identity 515
rules for end-entity certificates 518
defined 486
directory schema 499
for CRLs 501
for end-entity certificates 500
for the CA certificate 500
how to set up 504
manual updates 520
when to do 520
who can do this 520
See CRLs
linking subsystems
See connecting subsystems
list of
agent forms and templates
end-entity forms and templates
local vs. remote key recovery 632
location of
active log files
agent forms 564
CMS configuration file 71
CMS documentation 27
command-line utilities 676
end-entity forms 555
PIN Generator tool 286
rotated log files 575
logging
buffered vs. unbuffered 574
configuring
Audit log 585
Error log 583
System log 581
log files
archiving rotated files 576
automatic deletion 575
automatic rotation 574
default location 572
location of rotated files 575
naming convention for active logs 573
naming convention for rotated logs 573
significance of deleting files 575
timing of rotation 575
log levels 570
default selection 572
how they're represented 571
how they relate to message categories 571
significance of choosing the right level 572
what it means 571
managing from CMS window 578
monitoring
Audit log 592
Error log 589
System log 587
using system tools in Windows NT 594
parameters in the configuration file 580
services that are logged 569
types of logs 568
Audit 569
Error 568
System 568
M
mail server used for notifications 132
managing
certificate database 246
job plug-in modules 396
policies 468
policy plug-in modules 479
privileged users 133
schedulable jobs 387
manual authentication 266
manually updating CRLs 529
who's allowed to do this 530
message templates for notifications 370
modifying
authentication instances 311, 322
jobs 383, 391
policy rules 461, 473
privileged user's group membership 179
privileged-user information 175
m of n secret sharing 630
monitoring logs 586
Audit log 592
Error log 589
System log 587
things you can monitor 586
using system tools in Windows NT 594
See also logging
N
naming convention
for active logs 573
for CMS instances 96
for internal database instances 129
for rotated logs 573
Netscape Certificate Type extension policy 449
Netscape Console
checking CMS status 115
how to launch 53
in Unix 54
in Windows NT 54
installing multiple CMS instances 94
introduction 48
opening CMS window 63
relationship to Administration Server 51
removing a CMS instance 99
restarting Certificate Management System 113
starting Administration Server 52
starting Certificate Management System 107
stopping Administration Server 53
stopping Certificate Management System 111
viewing CMS instance information 96
nickname
for CA signing certificate 185
for signing certificate 188
for SSL server certificate 186, 188, 191
for transport certificate 190
notifications
configuring the mail server 131
host name 132
port 132
customizing 370
templates 374
event-driven 364
when certificates are issued 365
when new requests are queued 367
sending renewal notifications to end entities 347
to agents about pending requests 353
to agents about unpublishing certificates 358
O
object signing certificates
how to enroll for 556
output templates
for end-entity operations 561
P
passwords
changing cached 107, 118
See also single signon passwords
PIN Generator tool 285
arguments 286
delivering PINs to users 307
directory schema requirements 300
changing 3.x directory schema 301
changing 4.x directory schema 303
exit codes 298
generating PINs 299
how it works 292
how PINs are stored in the directory 298
output file 296
checking the directory-entry status 294
format 297
why should you use an output file 294
overwriting existing PINs in the directory 290, 294
syntax 286
where to find 286
plug-in modules
classpath for adding 335
for authentication
developing new ones 333
UID, password, and PIN based 276
UID and password based 270
for LDAP publishing
mapping certificates to directory entries 491
publishing certificates to directory entries 498
for policy 409
authority key identifier extension 432
basic constraints extension 435
CRL distribution point extension 438
default revocation 411
DSA key constraints 413
key algorithm constraints 416
key usage extension 446
managing 479
Netscape certificate type extension 449
renewal validity constraints 419
RSA key constraints 422
subject alternate name extension 453
subject key identifier extension 455
validity constraints 426
for scheduling jobs
removal of expired certificates from directory 358
renewal notifications to end entities 347
request-in-queue notifications to agents 353
policy
built-in plug-in modules 409
configuration parameters 463
constraints-specific modules 409
defined 402
extension-specific modules 431
managing 468
managing from CMS window 460
processor 408
how it applies rules 408
result of processing 408
when used 408
what can you use it for 402
policy modules
deleting 463, 481
registering new ones 462, 479
policy rules
adding new 461, 468
compared to policy implementation 466
configuration parameters 463
created during installation 474
defined 403
deleting 461, 472
how policy processor applies them 408
modifying 461, 473
naming 468
predicates in 404
reordering 462, 477
significance of ordering 477
See also predicates
types of 403
what each rule does 403
ports 121
changing numbers 125
for agent operations 123
for end-entity operations 124
turning on/off HTTP port 126
for remote administration 122
for the mail server used for notifications 132
how to choose numbers 122
in Unix 122
in Windows NT 122
predicates
attributes for 406
expression support 404
operators for 404
sample expressions 406
what are they 404
why would you use 404
Pretty Print Certificate tool 678
example 679
supported platforms 678
syntax 678
Pretty Print CRL tool 681
example 681
supported platforms 681
syntax 681
privileged users 133, 134
deleting 181
groups 146
modifying privileges 175
certificate information 178
group membership 179
login information 176
setting up 149
administrators 150
agents 152
trusted managers 158
types 134
administrators 134
agents 135
determining factor 134
trusted manager 141
types or roles 134
CRLs
publishing
See also LDAP publishing
publishing
See LDAP publishing
R
reasons for revoking certificates 525
recovering users' private keys 629
registering
authentication modules 312, 325
job modules 384, 396
policy modules 462, 479
Registration Manager
configuring
for LDAP publishing 515
for publishing end-entity certificates 518
publishing directory 515
to use separate SSL server certificates 224
to use specific ciphers 230
connecting to another subsystem 158
enabling interaction with end entities 539
enrollment forms for 556
interface for agents 542
key pairs and certificates
getting new ones 232
list of 187
renewing existing ones 239
signing certificate 188
SSL server certificate 188
logging to Windows NT event log 594
specifying IP address for 127
what to do if not responding 116
removing unwanted CMS instances 99
renewal of certificates
See certificate renewal
renewal validity constraints policy 419
renewing certificates of subsystems 239
reordering policy rules 462, 477
significance of ordering 477
request formats for certificates 536
restarting
Certificate Management System 113
from Netscape Console 113
from the command line 115
restore
defined 667
guidelines for 667
when to do 667
revocation policy 411
revoking certificates 523, 621
reasons 525
road map to configuring subsystems 83
roles
administrator 134
agent 135
determining factor 134
key recovery agents 630
trusted manager 141
root DN 661
rotated logs
naming convention 573
rotating log files 574
archiving files 576
conserving disk space 575
how to set the time 575
routers
getting certificates for 613, 617
port used for requesting 613
RSA key constraints policy 422
S
samples
for authentication 339
schedulable jobs
See jobs
secret sharing of storage key pair 630
security level 98
server's on/off status 115
server certificate renewal 621
server enrollment forms 555
server instance
finding out details 96
server name
changing 98
server root
default for Unix 97
default for Windows NT 97
defined 97
how many on a single host 97
relationship with Administration Server 51
setpin command 286
setting up
key archival 641
key recovery 651
setting up directory for LDAP publishing 504
See also LDAP publishing
signing certificate 188
changing trust settings of 250
deleting 249
getting a new one 232
nickname 188
renewing 239
viewing details of 247
single signon password
changing cached passwords 107, 118
what it protects 106
when required 106
when specified 107
SMTP settings 131, 132
specifying IP address 127
SSL server certificate 186, 188, 191
changing trust settings of 250
deleting 249
getting a new one 232
nickname 186, 188, 191
renewing 239
viewing details of 247
starting
Administration Server 52
from Netscape Console 52
from the command line 52
from the Windows NT Services panel 52
Certificate Management System 106
from Netscape Console 107
from the command line 109
from the Windows NT Services panel 109
information required 106
Netscape Console 53
in Unix 54
in Windows NT 54
Status tab 63
tasks you can accomplish 63
stopping
Administration Server 53
from Netscape Console 53
from the command line 53
from the Windows NT Services panel 53
Certificate Management System 110
from Netscape Console 111
from the command line 112
from the Windows NT Services panel 112
storage key pair 191
secret sharing 630
stronger encryption for export browsers 230
Subject Alternate Name extension policy 453
Subject Key Identifier extension policy 455
subordinate CA
enrollment forms for 556
System log
defined 568
how to configure 581
how to monitor 587
logging to Windows NT event log 594
See also logging
T
Tasks tab 57
tasks you can accomplish 57
templates
for agents
location 564
for end entities
location 555
for end-entity operations 561
for notifications 370, 372
customizing 374
token list 374
templates
for automated notifications 370
timing log file deletion 576
timing log rotation 575
tokens
changing password of 198
deleting certificates from 249
external 193
See also external tokens
internal 193
managing 197
viewing contents of 247
viewing which tokens are installed 197
what are they 192
transport certificate 190
changing trust settings of 250
deleting 249
getting a new one 232
nickname 190
renewing 239
viewing details of 247
when used 629
trusted managers
certificate for SSL client authentication 144
connectors for linking 143
deleting 181
designated group 149
access rights 149
modifying 175
certificate information 178
group membership 179
login information 176
role defined 141
setting up 158
type styles used in this book 25
U
unbuffered logging 574
uninstalling Certificate Management System 101
from the command line 101
using Windows NT Add/Remove Programs utility 102
user enrollment forms 555
user ID, password, and PIN based authentication 275
configurable parameters 276
module name 276
user ID and password based authentication 268
configurable parameters 270
plug-in module name 270
users
privileged 133
V
validity constraints policy 426
version number 98
viewing
contents of a token 247
viewing CMS instance information 96
W
watchdog 117
when the server was installed 97
why should you revoke certificates 525
Windows NT event log
logging audit and system messages 594
wizard
See Certificate Setup Wizard