Complete Contents
About This Guide
PART 1: Netscape Certificate Management System
Chapter 1: Introduction to Certificate Management System
Chapter 2: Administration Tasks and Tool
Chapter 3: Configuration
PART 2: Managing Certificate Management System
Chapter 4: Installing and Uninstalling Instances
Chapter 5: Starting and Stopping Instances
PART 3: System-Level Configuration
Chapter 6: Configuring Ports, Database, and SMTP Settings
Chapter 7: Managing Privileged Users and Groups
Chapter 8: Keys and Certificates
PART 4: Authentication
Chapter 9: Introduction to Authentication
Chapter 10: Using the PIN Generator Tool
Chapter 11: Configuring Authentication for End Entities
Chapter 12: Developing Authentication Plug-ins
PART 5: Job Scheduling and Notification
Chapter 13: Introduction to Job Scheduling and Notifications
Chapter 14: Configuring Jobs
PART 6: Policies
Chapter 15: Introduction to Policies
Chapter 16: Configuring Policies
PART 7: LDAP Publishing
Chapter 17: Introduction to LDAP Publishing
Chapter 18: Configuring Subsystems for LDAP Publishing
Chapter 19: Publishing CRLs
PART 8: Agent and End-Entity Interfaces
Chapter 20: Introduction to End-Entity and Agent Interfaces
Chapter 21: Customizing End-Entity and Agent Interfaces
PART 9: Logs
Chapter 22: Introduction to Logs
Chapter 23: Managing Logs
PART 10: Issuance and Management of End-Entity Certificates
Chapter 24: Issuing and Managing End-Entity Certificates
Chapter 25: Recovering Encrypted Data
PART 11: Appendixes
Appendix A: Distinguished Names
Appendix B: Backing Up and Restoring Data
Appendix C: Command-Line Utilities
Appendix D: Certificate Database Tool
Appendix E: Key Database Tool
Appendix F: Netscape Signing Tool
Appendix G: SSL Strength Tool
Appendix H: SSL Debugging Tool
Previous Next Contents Index Bookshelf


Chapter 8 Keys and Certificates

The main subsystems of Netscape Certificate Management System (CMS)--the Certificate Manager, Registration Manager, and Data Recovery Manager--use certificates for authentication during SSL-enabled communication. For example, when a Registration Manager forwards a certificate issuance request to a Certificate Manager for signing, the Certificate Manager expects the Registration Manager to have performed SSL client authentication before processing the request.

When you installed Certificate Management System, the installation program prompted you to generate the required certificates for the subsystems you chose to install. This chapter provides an overview of those certificates and it explains how to perform operations such as renewing the existing certificates before their validity period expires, getting new certificates for the subsystems, adding trusted CA certificates and certificate chains to the CMS trust database, and changing the trust setting of CA certificates. The chapter also explains the certificate Setup Wizard, which automates the process of requesting and installing certificates.

 The chapter has the following sections:
Keys and Certificates for the Main Subsystems
This section explains the various certificates required and used by the Certificate Manager, Registration Manager, and Data Recovery Manager. The key pairs that correspond to certificates used by these subsystems can be stored either in an internal or an external token, or in both. It depends on the token you chose for the generation and storage of the keys and certificates. For information on tokens, see "Tokens for Storing Keys and Certificates".

Certificate Manager's Key Pairs and Certificates

The Certificate Manager uses the following key pairs and corresponding certificates:

CA Signing Key Pair and Certificate

Every Certificate Manager you installed has a certificate, identified as the Certificate Manager CA signing certificate, whose public key corresponds to the private key the Certificate Manager uses to sign the certificates it issues. The first time you generated this certificate is when you installed the Certificate Manager. The default nickname for the certificate is
caSigningCert cert-<instance_id>, where <instance_id> identifies the CMS instance in which the Certificate Manager is installed.

The subject name of the CA signing certificate reflects the name of your certificate authority (CA) as specified during the installation. All certificates signed or issued by the Certificate Manager include this name to identify the issuer of the certificate.

 Important You cannot change the CA name; doing so would make all previously issued certificates invalid.

The Certificate Manager's status as a root or subordinate CA is determined by whether its CA signing certificate is self-signed or is signed by another CA.

As an administrator, you must make sure that the private key that corresponds to the CA signing certificate is adequately protected. This includes protecting it from damage (in other words, by archiving and backing up the key) as well as protecting it from unauthorized access or use. The password that protects the token containing this key must be carefully guarded. Access to the token itself should be limited. (See "Tokens for Storing Keys and Certificates".)

Like any other certificate, the Certificate Manager's CA signing certificate has a validity period. You must renew the certificate before it expires. For instructions on renewing the certificate, see "Renewing Certificates for the Subsystems".

The CA signing key pair must be well protected to ensure that it is never compromised. However, if you know or suspect that the key pair has been compromised, reissue the certificate with a new key pair. For instructions on getting a new certificate, see "Getting New Certificates for the Subsystems".

Important Reissuing the Certificate Manager's CA signing certificate with a new key pair invalidates all certificates that have been signed by the old key pair.

SSL Server Key Pair and Certificate

Every Certificate Manager you have installed has at least one SSL server certificate. The first time you generated this certificate is when you installed the Certificate Manager. The default nickname for the certificate is
Server-Cert cert-<instance_id>, where <instance_id> identifies the CMS instance in which the Certificate Manager is installed.

The Certificate Manager's SSL server certificate was issued by the CA to which you submitted the certificate signing request. You might have submitted the request to the Certificate Manager itself, another internally deployed CA, or a public CA. To find out the issuer name, follow the instructions in "Viewing the Certificate Database Contents".

The Certificate Manager uses its SSL server certificate to do SSL server-side authentication to the following:

 By default, the Certificate Manager uses a single SSL server certificate for authentication purposes. However, you can request and install additional SSL server certificates for the Certificate Manager. For example, you can configure the Certificate Manager to use separate server certificates for authenticating to Netscape Console, the End-Entity Services interface, and the Certificate Manager Agent Services interface. For instructions, see "Configuring the Server to Use Separate SSL Server Certificates".

If you configure the Certificate Manager for SSL-enabled LDAP publishing, it also uses its SSL server certificate for SSL client authentication to the publishing directory; this is the default configuration. You can configure the Certificate Manager to use an alternate certificate for this purpose; see "Getting an SSL Client Certificate for a Subsystem".

If you configure the Certificate Manager to function as a trusted manager to a Data Recovery Manager, the Certificate Manager also uses its SSL server certificate for SSL client authentication to the Data Recovery Manager. For details on trusted managers, see "Trusted Managers"You can also configure the Certificate Manager to use an alternate certificate for this purpose; see "Getting an SSL Client Certificate for a Subsystem".

Like any certificate, the SSL server certificate has a validity period. You must renew the certificate before it expires. For instructions on renewing the certificate, see "Renewing Certificates for the Subsystems".

The SSL server key pair must be well protected to ensure that it is never compromised. However, if you know or suspect that the key pair has been compromised, reissue the certificate with a new key pair. For instructions on getting a new certificate, see "Getting New Certificates for the Subsystems".

Note If you have installed the Certificate Manager with a Data Recovery Manager, both subsystems use the same SSL server certificate.

Registration Manager's Key Pairs and Certificates

The Registration Manager uses the following certificates:

Signing Key Pair and Certificate

Every Registration Manager you have installed has a certificate, identified as the Registration Manager signing certificate, whose public key corresponds to the private key the Registration Manager uses to sign certificate requests before sending them to the Certificate Manager for signing. The Registration Manager's signature provides persistent proof to the Certificate Manager that the Registration Manager has processed the request. The first time you generated this certificate is when you installed the Registration Manager. The default nickname for the certificate is raSigningCert cert-<instance_id>, where <instance_id> identifies the CMS instance in which the Registration Manager is installed.

The Registration Manager's signing certificate was issued by the CA to which you submitted the certificate signing request. You might have submitted the request to an internally deployed CA or a public CA. To find out the issuer name, follow the instructions in "Viewing the Certificate Database Contents".

If you configure the Registration Manager to function as a trusted manager to another subsystem, the Registration Manager uses its signing certificate for SSL client authentication to the subsystem; this is the default configuration. For details, see "Trusted Manager's Certificate for SSL Client Authentication".

Like any certificate, the signing certificate has a validity period. You must renew the certificate before it expires. For instructions on renewing the certificate, see "Renewing Certificates for the Subsystems".

The Registration Manager's signing key pair must be well protected to ensure that it is never compromised. However, if you know or suspect that the key pair has been compromised, reissue the certificate with a new key pair. For instructions on getting a new certificate, see "Getting New Certificates for the Subsystems".

SSL Server Key Pair and Certificate

Every Registration Manager you have installed has at least one SSL server certificate. The first time you generated this certificate is when you installed the Registration Manager. The default nickname for the certificate is
Server-Cert cert-<instance_id>, where <instance_id> identifies the CMS instance in which the Registration Manager is installed.

The Registration Manager's SSL server certificate was issued by the CA to which you submitted the certificate signing request. You might have submitted the request to an internally deployed CA or a public CA. To find out the issuer name, follow the instructions in "Viewing the Certificate Database Contents".

The Registration Manager uses its SSL server certificate to do SSL server-side authentication to the following:

 By default, the Registration Manager uses a single SSL server certificate for authentication purposes. However, you can request and install additional SSL server certificates for the Registration Manager. For example, you can configure the Registration Manager to use separate server certificates for authenticating to Netscape Console, the end entity services interface, and the Registration Manager Agent Services interface. For instructions, see "Configuring the Server to Use Separate SSL Server Certificates".

If you configure the Registration Manager for SSL-enabled LDAP publishing, it uses its SSL server certificate for SSL client authentication to the publishing directory; this is the default configuration. You can configure the Registration Manager to use an alternate certificate for this purpose. See "Getting an SSL Client Certificate for a Subsystem".

Like any certificate, the SSL server certificate has a validity period. You must renew the certificate before it expires. For instructions on renewing the certificate, see "Renewing Certificates for the Subsystems".

The SSL server key pair must be well protected to ensure that it is never compromised. However, if you know or suspect that the key pair has been compromised, reissue the certificate with a new key pair. For instructions on getting a new certificate, see "Getting New Certificates for the Subsystems".

Note If you installed the Registration Manager with a Data Recovery Manager, both subsystems use the same SSL server certificate.

Data Recovery Manager's Key Pairs and Certificates

The Data Recovery Manager uses the following certificates:

Transport Key Pair and Certificate

Every Data Recovery Manager you have installed has a Data Recovery Manager transport certificate. The public key of the key pair that is used to generate the transport certificate is used by the client software to encrypt an end user's encryption private key before it is sent to the Data Recovery Manager for archival; only those clients capable of generating dual-key pairs (one for signing and one for encryption) use the transport certificate. For more information on how this certificate is used, see "Key Archival Process".

The first time you generated this certificate is when you installed the Data Recovery Manager. The default nickname for the certificate is
kraTransportCert cert-<instance_id>, where <instance_id> identifies the CMS instance in which the Data Recovery Manager is installed.

 The transport certificate was issued by the CA to which you submitted the certificate signing request. You might have submitted the request to the Certificate Manager that is installed in the same instance, internally deployed another CA, or a public CA. To find out the issuer name, follow the instructions in "Viewing the Certificate Database Contents".

Like any certificate, the transport certificate has a validity period. You must renew the certificate before it expires. For instructions on renewing the certificate, see "Renewing Certificates for the Subsystems".

The transport key pair must be well protected to ensure that it is never compromised. However, if you know or suspect that the key pair has been compromised, reissue the certificate with a new key pair. For instructions on getting a new certificate, see "Getting New Certificates for the Subsystems".

Storage Key Pair

Every Data Recovery Manager you have installed has a Data Recovery Manager storage key pair. The first time you generated this key pair is when you installed the Data Recovery Manager.

The Data Recovery Manager uses the public component of this key pair to encrypt (or wrap) end users' encryption private keys during the key archival operation; it uses the private component to decrypt (or unwrap) the archived key during the recovery operation. That is, the private key encrypts the key repository it uses to store users' encryption private keys. For more information on how this key pair is used, see "Recovering Encrypted Data".

The public component of the storage key pair is not certified; there is no certificate that corresponds to the public key.

 Keys encrypted with the storage key can be retrieved only by authorized key recovery agents. For details, see "Key Recovery Agents and Their Passwords".

SSL Server Key Pair and Certificate

Every Data Recovery Manager you have installed has at least one SSL server certificate. The first time you generated this certificate is when you installed the Data Recovery Manager. The default nickname for the certificate is
Server-Cert cert-<instance_id>, where <instance_id> identifies the CMS instance in which the Data Recovery Manager is installed.

The Data Recovery Manager's SSL server certificate was issued by the CA to which you submitted the certificate signing request. You might have submitted the request to the Certificate Manager that is installed in the same instance, an internally deployed CA, or a public CA. To find out the issuer name, follow the instructions in "Viewing the Certificate Database Contents".

The Data Recovery Manager uses its SSL server certificate to do SSL server-side authentication to the following:

 By default, the Data Recovery Manager uses a single SSL server certificate for authentication purposes. However, you can request and install additional SSL server certificates for the Data Recovery Manager. For example, you can configure the Data Recovery Manager to use separate server certificates for authenticating to Netscape Console, the end entity services interface, and the Data Recovery Manager Agent Services interface. For instructions, see "Configuring the Server to Use Separate SSL Server Certificates".

Like any certificate, the SSL server certificate has a validity period. You must renew the certificate before it expires. For instructions on renewing the certificate, see "Renewing Certificates for the Subsystems".

If you know or suspect that the key pair for the SSL server certificate has been compromised, reissue the certificate with a new key pair. For instructions on getting a new certificate, see "Getting New Certificates for the Subsystems".

Note If you installed the Data Recovery Manager with a Certificate Manager or Registration Manager, both subsystems use the same SSL server certificate.


Tokens for Storing Keys and Certificates
A token is a hardware or software device that performs cryptographic functions and optionally stores public-key certificates, cryptographic keys, and data defined by the application using the cryptographic services. Alternatively, a token can also be considered as a device that you can use to generate and store your certificates, public and private key pairs, and associated information.

 Certificate Management System defines two types of tokens, internal and external, for storing key pairs and certificates that belong to the Certificate Manager, Registration Manager, and Data Recovery Manager.

 Note Only those who have the password that protects a token can access it. For information on changing the password that protects a token, use the command- line utility called the Key Database Tool; for details about this utility, see Appendix E, "Key Database Tool". To locate the document, see "Where to Go for Related Information".

Internal Token

An internal (software) token refers to a pair of software files, usually called certificate database and key database, that Certificate Management System uses to generate and store its key pairs and certificates. Certificate Management System automatically generates these files in the file system of its host machine when you choose to use the internal token for the first time. These files were created for you during CMS installation if you chose to use the internal token for key-pair generation.

In the CMS host system, the certificate database is identified by the name cert7.db; the key database is identified by the name key3.db. You can find both these files at this location:

 <server_root>/cert-<instance_id>/config/...

<server_root> is the directory where the CMS binaries are kept. You first specified this directory during installation.

<instance_id> is the ID for this instance of Certificate Management System. You first specified this when you installed this server.

External Token

An external (hardware) token refers to an external hardware device, such as a smart card, FORTEZZA card, or other crypto card, that Certificate Management System uses to generate and store its key pairs and certificates. Certificate Management System supports any hardware tokens that are compliant with PKCS #11 version 2.01. For details, see the information provided at this URL:

http://developer.netscape.com/support/faqs/pkcs_11.html

 If you haven't already done so, consider using external tokens for generating and storing the key pairs and certificates used by Certificate Management System. These devices represent another security measure you can take to safeguard private keys.

 Installing External Tokens

To use external encryption devices or tokens, you need to take the following steps:

Step 1. Install the Cryptographic Device

To install the drivers provided by the device manufacturer, follow the instructions that came with the device. When you install a hardware token, you are given an opportunity to name it; be sure to use a name that will help you identify the token later.

Step 2. Install the PKCS #11 Module

PKCS #11 is a standard set of APIs and shared libraries used by Netscape and a number of encryption vendors. PKCS #11 isolates an application from the details of the cryptographic device, thus enabling the application to provide a unified interface for PKCS #11-compliant cryptographic devices.

The PKCS #11 module implemented in Certificate Management System (in Netscape Administration Server) enables it to support cryptographic devices supplied by many different manufacturers. Specifically, it allows Certificate Management System to plug in shared libraries or DLLs supplied by manufacturers of external encryption devices and use them for generating and storing keys and certificates for the Certificate Manager, Registration Manager, and Data Recovery Manager.

 You install the PKCS #11 module in one of the two ways, depending on how you received the DLLs for the cryptographic device.

 Managing Tokens Used by the Subsystems

There are two main tasks involved in managing the tokens used by Certificate Management System:

Viewing Tokens

To view a list of the tokens currently installed for a CMS instance:

  1. Access the CMS window (see "Accessing the CMS Window").

  2. Click the Configuration tab, and then in the right pane, click the Encryption tab.

  3. In the Map To section, check the Token drop-down list.

    4. It shows the names (as specified when the tokens were installed) of external tokens installed for the currently selected CMS instance. For information on installing external tokens, see "External Token".

Changing a Token's Password

The token, internal or external, that stores the key pairs and certificates for the subsystems is protected (encrypted) by a password. To decrypt the key pairs or to gain access to them, you must enter that password. The first time you specified this password is when you used the token the first time, most likely during CMS installation.

It is good security practice to periodically change the password that protects your server's keys and certificates; changing the password periodically minimizes the risk of someone finding out the password. To change a token's password, use the command-line utility called the Key Database Tool; for details about this utility, see Appendix E, "Key Database Tool".

Note that the single sign-on password cache stores the passwords for tokens in order to start the server using a single password; for details, see "Required Start-up Information". Whenever you change the password, the cache is updated with the new password.


Hardware Cryptographic Accelerators
Certificate Management System allows you to use hardware cryptographic accelerators with external tokens. Many of the accelerators provide the following security features:

 For a list of vendors that supply hardware cryptographic accelerators, see this URL:

 http://www.netscape.com/cms/v4.0/index.html
Certificate Setup Wizard
Certificate Management System provides a wizard, called the Certificate Setup Wizard, that automates the process of requesting and installing the certificates required by Certificate Management System. (For a description of these certificates, see "Keys and Certificates for the Main Subsystems".)

The Certificate Setup Wizard is integrated into the CMS window and allows you to accomplish the following tasks:

 When you start the wizard, which you do by clicking the Certificate Setup Wizard button in the Encryption tab of the CMS window (see the figure on page 197), you are asked to specify whether you want to request or install a certificate. The wizard presents you with the screens appropriate to your choice and walks you through the entire process.

For installing certificates, except for cases when the certificate is self-signed by the CA, you will need to run the wizard twice: once, to request the certificate and once to install the certificate. The reason for this is, if you submit the certificate request to a non-local CA, you will have to wait for the certificate until it is delivered to you.

 The following sections explain the process of requesting and installing a certificate by using the Certificate Setup Wizard:

 For instructions on getting new certificates, see "Getting New Certificates for the Subsystems". For instructions on renewing existing certificates, see "Renewing Certificates for the Subsystems".

Using the Wizard to Request a Certificate

The Certificate Setup Wizard allows you to request any of the certificates used by the Certificate Manager, Registration Manager, and Data Recovery Manager installed in the currently selected CMS instance.

Using the wizard to request a certificate involves the following steps:

 Step 1. Select the Operation

Indicate whether you want to request a certificate or install a certificate.

For the sake of completing the instructions that follow, assume that you chose to request a certificate.

 Step 2. Choose the Certificate

Choose the certificate (by name) that you want to request.

The drop-down list shows various certificates used by the currently selected CMS instance. Choose the one you want to request. (If you need information on certificates used by Certificate Management System, see "Keys and Certificates for the Main Subsystems".)

Which certificates you see in the list depends on the subsystems installed in the currently selected CMS instance. You may see a combination of the following options:

 Depending on the certificate you want to generate, choose the one in the drop-down list:

 Step 3. Specify the Key-Pair Information

Specify the key-pair information for the certificate to be requested.

You need to identify the following:

 Step 4. Specify the Subject Name for the Certificate

Specify the subject name, in distinguished name (DN) format, for the certificate to be requested.

You can either enter values for individual DN attributes required to build the subject DN or build the complete subject DN string yourself. If you enter values for individual DN attributes, the wizard constructs the subject DN string.

 If you want to enter values for individual DN components, provide the following information:

 Important When choosing subject names for certificates, be sure to follow the information provided in "Role of Distinguished Names in Certificates".

Step 5. Specify the Validity Period

You need to complete this step only if you chose to generate a self-signed CA certificate request.

Specify the starting and ending dates of the validity period for the certificate request you want to generate. You can also specify the time at which the validity period should start and end on those dates. The date and time are in the form YYYYMMDD (Year, Month, Day) and HHmmSS (Hour, Minute, Second), in that order.

 The default validity period is one year.

 Step 6. Specify Extensions

You need to complete this step only if you chose to generate a CA signing certificate request for a Certificate Manager (deployed as either the root CA or a subordinate CA).

This screen allows you to set the standard X.509 version 3 extensions and Netscape-defined extensions for the certificate to be requested. The required extensions are chosen by default. If you want to change the default choices, be sure to read the general guidelines explained in "Certificate Extensions" in Appendix B of Netscape Certificate Management System Installation and Deployment Guide.

Also note that certificate extensions are required if you are setting up a hierarchy of certificate authorities (CAs). Subordinate CAs must have certificates that include the extension identifying them as either a subordinate SSL CA (which allows them to issue certificates for SSL) or a subordinate email CA (which allows them to issue certificates for secure email). If you disable certificate extensions, you will not be able to set up CA hierarchies. For more information on CA hierarchies, see "Certificate Hierarchies" in Appendix D of Managing Servers with Netscape Console.

You can set the following extensions:

 Step 7. Copy the Certificate Signing Request

Based on the information you've entered in the previous steps, the wizard now displays the certificate signing request (CSR).

The request is in a base-64 encoded PKCS #10 format and is bounded by the marker lines -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----.

 An example is show below:

-----BEGIN NEW CERTIFICATE REQUEST-----

MIICJzCCAZCgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBC6SAwHgYDVQQKExdOZXRzY2FwZSBDb21td W5pY2F0aW9uczngjhnMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyNzE5MDAwMFoXDTk5M DIyMzE5MDAwMnbjdgngYoxIDAeBgNVBAoTF05ldHNjYXBlIENvbW11bmljYXRpb25zMQ8wDQYDVQQ LEwZQZW9wbGUxFzAVBgoJkiaJkIsZAEBEwdzdXByaXlhMRcwFQYDVQQDEw5TdXByaXlhIFNoZXR0e TEjMCEGCSqGSIb3DbndgJARYUc3Vwcml5Yhvfggsvwryw4y7214vAOBgNVHQ8BAf8EBAMCBLAwFAY JYIZIAYb4QgEBAQHBAQDAgCAMA0GCSqGSIb3DQEBBAUAA4GBAFi9FzyJlLmS+kzsue0kTXawbwamG dYql2w4hIBgdR+jWeLmD4CP4xzmKdvQ6IqD2q8DBs9lRQu9JYg129oaCLpZfMNTPnMc3WPKO2pWZW Um7waHEtdbo9vSpbJkXTM/2GhWbsO5vLdeOxrPGxihkHgV/ vmqCl4HW7AorqGgyfygbhgthgutrhryj

-----END NEW CERTIFICATE REQUEST-----

Do not modify the CSR; you must send it to the CA as is.

 Copy the CSR, including the marker lines -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----, to a text file. If you are running the wizard on a Windows NT system, you can also copy the CSR to the Windows clipboard. In a Unix system, you may have to open an application, such as Netscape Composer, with a clipboard.

 The wizard also copies the CSR to a text file it creates in the configuration directory, which is located at

 <server_root>/cert-<instance_id>/config/...

<server_root> is the directory where the CMS binaries are kept. You first specified this directory during installation.

<instance_id> is the ID for this instance of Certificate Management System. You first specified this when you installed this server.

The name of the text file varies depending on for which key pair you generated the CSR:

Step 8. Check the Certificate Request Status

The wizard now informs you of the status of the request.

Step 9. Send the Certificate Signing Request to a CA

This step in not part of the wizard process. Follow these instructions to manually send the CSR to a CA of your choice. The CA can be internal or external.

Sending the CSR to an Internal CA

The following instructions assume that your internally deployed CA is a Certificate Manager and that you are using the default HTML forms provided for end-entity enrollment. If you have customized these forms, you should follow the appropriate instructions.

To send the CSR manually to an internal CA:
  1. Locate the text file to which you copied the CSR earlier (see "Step 7. Copy the Certificate Signing Request").

  2. Open a web browser window.

  3. Enter the URL to the CA's home page.

    4. By default, the CA's home page is the end entity services interface. Depending on the port at which the CA is listening to end-entity requests (see "End-Entity Ports") the URL to the end entity services is one of the following:

    http://<host_name>:<end_entity_port>

    or

    https://<host_name>:<end_entity_port>

    where <host_name> is in the form <machine_name>.<your_domain>.<domain>

    The end entity services interface appears.

  4. Click the Enrollment tab.
    5.

  5. In the menu list, click the appropriate link:

    6. For information on how the default server enrollment forms work, see "Certificate Issuance to Servers".

  6. In the form that appears, enter the required information and paste the CSR from the text file.
    7.

    Be sure to include the marker lines, -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----.

  7. Submit the request.
    8.

  8. When the CA sends you a response, save the information in a text file for future reference or inquiry.

  9. When you receive the certificate from the CA, install it following the instructions in "Using the Wizard to Install a Certificate or Certificate Chain".

Sending the CSR to an External CA

To send the CSR manually to an external CA:

  1. Locate the text file to which you copied the CSR (see "Step 7. Copy the Certificate Signing Request").

  2. Open a web browser window.

  3. Navigate to the CA's home page by entering the appropriate URL in the browser window.

  4. Locate the form that allows you to submit certificate requests for servers.

  5. Enter the required information and paste the CSR from the text file.

    6. Be sure to include the marker lines, -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----.

  6. Submit the request.
    7.

  7. When the CA sends you a response, save the information in a text file for future reference or inquiry.

  8. When you receive the certificate from the CA, install it following the instructions in "Using the Wizard to Install a Certificate or Certificate Chain".

Using the Wizard to Install a Certificate or Certificate Chain

The Certificate Setup Wizard allows you to install or import the following certificates into either an internal or external token used by the currently selected CMS instance:

The certificate or certificate chain you provide to the wizard for installation must be in one of the data formats supported by the wizard. This is explained in "Data Formats for Installing Certificates and Certificate Chains".

Using the wizard to install a certificate or certificate chain involves the following steps, described in detail on page 218:

Data Formats for Installing Certificates and Certificate Chains

The wizard can accept certificates and certificate chains in several data formats. This section briefly explains the data formats recognized by the wizard.

Binary Formats

The wizard can recognize certificates and certificate chains in the following binary formats:

Text Formats

The wizard can also import certificates and certificate chains in text formats. Here's what you should be aware of when using the wizard to install a certificate or certificate chain in text format:

The text format must begin with the following line:

-----BEGIN CERTIFICATE-----

Following this line should be the certificate data, which can be in any of the binary formats described in "Binary Formats". This data should be base-64 encoded as described by RFC 1113 (for details, see http://www.scit.wlv.ac.uk/rfc/rfc11xx/RFC1113.html).

Following the certificate data must be this line:

-----END CERTIFICATE-----

Step 1. Select the Operation

Indicate whether you want to request a certificate or install a certificate.

For the sake of completing the instructions that follow, assume that you chose to install a certificate.

 Step 2. Select the Certificate or Certificate Chain

Select the certificate you want to install.

The drop-down list shows various options:

 Depending on whether you want to install a CMS certificate, any other trusted CA certificate, or a CA certificate chain, choose the appropriate option from the list box:

 Step 3. Specify the Location of the Certificate

Locate the certificate or certificate chain you want to install.

You can keep the certificate or certificate chain in a text file or copy it to the text area on the wizard screen. Here is some information that will help you decide on the location.

 Step 4. View the Certificate or Certificate Chain

The wizard displays the certificate or certificate chain you have chosen to install. Make sure you have chosen the right one; otherwise, use the Back button to go back and locate the right one. Specify a nickname for the certificate.

Step 5. Install the Certificate or Certificate Chain

The wizard shows the certificate or certificate chain information you have selected for installing. You should check the information to make sure that you have chosen the correct one for installing.

After verifying that the certificate you have chosen is the correct one, click the Install button. The wizard installs the certificate or the CA chain in the token you have chosen.

 Step 6. Verify the Certificate Status

This step is applicable only if you installed a certificate chain.

After you install a certificate chain in the trust database of a CMS instance, check the trust status of each certificate that got installed, and make sure that the correct CA certificates are trusted. For instructions, see "Changing the Trust Settings of a CA Certificate".


Configuring the Server's Security Preferences
Configuring the server's security preferences involves identifying the following:

 Configuring the Server to Use Separate SSL Server Certificates

You can configure a CMS instance to use separate SSL server certificates for authenticating to Netscape Console, the Agent Services interface, and the end entity services interface.

This configuration involves the following steps:

 Step 1. Get the Required SSL Server Certificates

You must first request and install the required number of SSL server certificates for the particular CMS instance. For instructions, see "Getting New Certificates for the Subsystems".

Once you have installed the certificates, you should be able to see them in the list of SSL server certificates in the Encryption tab of the CMS window.

Step 2: Update the Configuration

After you verify that the certificates are installed, configure the server as follows:

  1. Stop the CMS instance; see "Stopping Certificate Management System".

  2. Open the configuration file (CMS.cfg) in a text editor; to locate the file, see "Locating the Configuration File".

  3. Change the configuration:

  4. Save your changes.
    5.

  5. Start the server; see "Starting Certificate Management System".

Getting an SSL Client Certificate for a Subsystem

By default, both Certificate Manager and Registration Manager use their SSL server certificates for SSL client authentication to the publishing directory. If you want these subsystems to use other certificates for authenticating to the publishing directory, you can do so. This section explains how to get an SSL client certificate for a subsystem and how to configure the subsystem to use that certificate for authenticating to the publishing directory.

Getting an SSL client certificate for a subsystem involves the following steps:

 Step 1. Generate a Key Pair for the Subsystem

Generate a key pair for the subsystem following the instructions in "Generating a New Key"; see Appendix E, "Key Database Tool".

Step 2. Generate a Certificate Signing Request for the Key Pair

Generate a certificate signing request (CSR) for the key pair following the instructions in "Creating a Certificate Request"; see Appendix D, "Certificate Database Tool". Be sure to include your email address in the request so that the CA can deliver the certificate to you.

Step 3. Submit the CSR to the CA

Submit the CSR to the CA. Because the request needs some modifications, be sure to use the manual enrollment process; this way you can tell the person who will process your request about the changes he or she must make before approving the request. For example, if you are submitting the request to a Certificate Manager (CA), be sure to use the manual enrollment form; do not use the automated enrollment forms, such as the directory-based server enrollment form. Include your email address in the request so that the CA can deliver the certificate to you.

Step 4. Ask an Agent to Approve the Request

If you submitted the request to a Certificate Manager (CA), ask its agent to process the request. The agent must make sure that only the SSL Client option for certificate type is selected in the request, and then approve it. (For certificates with no Netscape Certificate Type extensions, the key usage extension must be included with signing and encryption bits set.)

If you submitted the request to any other CA, you must ask the person managing that CA to make the same changes to the request before approving it.

 Step 5. Install the Certificate in the Internal Database

When you receive the request, follow the instructions in "Adding a Certificate to the Database" (see Appendix D, "Certificate Database Tool") and install the certificate in the token you used to generate the key pair.

Step 6. Configure the Subsystem to Use This Certificate

After you install the certificate, configure the corresponding subsystem to use the new certificate for SSL client authentication to the publishing directory. To configure the Certificate Manager, see "Identifying a Certificate Manager's Publishing Directory". To configure the Registration Manager, see "Identifying a Registration Manager's Publishing Directory".

Setting Up Cipher Preferences for SSL Communications

A cipher is the algorithm used in encryption. Some ciphers have stronger encryption capabilities than others. Generally speaking, the more bits a cipher uses during encryption, the harder it is to decrypt the data.

When a client initiates an SSL connection with Certificate Management System, it lets the server know what ciphers it prefers to use to encrypt information. In any two-way encryption process, both parties must use the same ciphers. A number of ciphers are available; your server needs to be able to use the most popular ones.

 SSL Ciphers Supported in Certificate Management System

Figure 8.1 shows the ciphers supported by Certificate Management System (on the server side). The figure shows SSL 2.0 and 3.0 ciphers supported in the US (or domestic) version of Certificate Management System. The export version of the software shows only those ciphers that are currently permitted by United States law.

Figure 8.1 SSL version 2.0 and 3.0 cipher suites supported (in the US version of the software)

You can choose ciphers from the SSL 2.0 protocol, as well as from SSL 3.0. To specify which ciphers your server can use, check them in the list of ciphers to enable them. Unless you have a compelling reason not to use a specific cipher, you should check them all, except as noted in the warning that follows. For a detailed description of ciphers, see "Ciphers Used with SSL" in Appendix E of Managing Servers with Netscape Console.

Warning You might not want to check the options that say "No Encryption, only MD5 message authentication" and "No Encryption, only Fortezza and SHA message authentication." The reason for this is, if no other ciphers are available on the client side, the server will use these and no encryption will occur.

Another reason not to enable all ciphers is to prevent SSL connections with less than optimal encryption. US law prohibits the export of products with 128-bit encryption, so overseas clients might be using only 40-bit encryption, which is not as difficult to crack as 128-bit. Disabling all 40-bit ciphers effectively restricts access to browsers available only in the United States.

Note that international users of Netscape Communicator (with encryption capability restricted to 40-bit encryption) can use Netscape's International Step-Up program to step up to stronger encryption, 56-bit, 128-bit, or 168-bit. Step-up refers to the ability of export browsers to establish strong SSL sessions with domestic SSL servers, if they have the appropriate step-up certificates.

 For general information on the International Step-Up program and getting step-up certificates, see the information available at the following URL:

 http://home.netscape.com/products/security/technology/128bit.html

 For information on configuring up your clients and servers for the international step-up feature (after you get the step-up certificates), see the information available at this URL:

 http://developer.netscape.com/tech/security/stepup/overview.html

 Configuring the Server to Use Specific Ciphers

You can set a number of systemwide preferences for SSL by specifying the ciphers that Certificate Management System should recognize and use during SSL communication; the server applies the cipher settings you choose to all the SSL (HTTPS) ports it uses.

To change the cipher settings for a CMS instance:
  1. Access the CMS window (see "Accessing the CMS Window").

  2. Click the Configuration tab, and then in the right pane, click the Encryption tab.

  3. Click SSL Cipher Preferences, and choose the appropriate options.

    4. For details, see "Setting Up Cipher Preferences for SSL Communications".

  4. Click OK.

    5. You are returned to the Encryption tab.

  5. To save your changes, click Save.
    6.

    The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.


Getting New Certificates for the Subsystems
You may need to get new certificates for Certificate Management System. Getting a new certificate means getting a certificate based on a new public and private key pair.

 The sections that follow explain how to get new certificates for the Certificate Manager, Registration Manager, and Data Recovery Manager using the Certificate Setup Wizard. Alternatively, you can use the command-line utility called the Certificate Database Tool; for details about this utility, see Appendix D, "Certificate Database Tool".

Getting a new certificate involves the following steps:

 Step 1. Plan for the New Certificate

Getting a new certificate for a subsystem requires careful planning. This section provides some guidelines that will help you request and install the new certificate.

Determine which certificate you want to get

You can get CA signing and SSL server certificates for the Certificate Manager; signing and SSL server certificates for the Registration Manager; and transport and SSL server certificates for the Data Recovery Manager.

Decide on the CA that will sign the certificate

If you want to get a new self-signed CA certificate, you don't have to make this decision, because the CA itself signs it. For all other certificates, you must decide on the CA that will sign the certificate.

If you want the certificate to be signed by an internally deployed CA, check to be sure that the CA can issue the certificate you want request.

 If you want the certificate to be signed by a public CA, find out the following:

 Determine the token for generating the key pair

Identify the token, internal or external, that you want to use to generate the key pair for the certificate and to store the certificate. If you want to use an existing token, you must know the password that protects the token. If the token is external, make sure that the token is installed properly; see "Installing External Tokens".

Determine certificate formulation information

Decide on the subject DN and nickname for the certificate you want generate. Also decide on details such as the key algorithm, key size, extensions, and validity period for the certificate.

Step 2. Request the New Certificate

Once you have all the information, go ahead and request the certificate. The Certificate Setup Wizard built into the CMS window automates the process of requesting certificates used by the Certificate Manager, Registration Manager, and Data Recovery Manager. You can use this wizard to generate a new certificate request and submit the request to any CA for signing. For instructions, see "Using the Wizard to Request a Certificate".

Step 3. Install the New Certificate

When you receive the certificate from the CA, you must install it in the token that contains the key pair for this certificate; it must be the token you used to generate the request in Step 2.

The Certificate Setup Wizard automates the process of installing certificates used by the Certificate Manager, Registration Manager, and Data Recovery Manager. You may use this wizard to install the new certificate. For instructions, see "Using the Wizard to Install a Certificate or Certificate Chain".

Step 4. Deploy the New Certificate

In this step, follow the instructions appropriate for the certificate you installed:

Deploying Certificate Manager's CA Signing Certificate

If you installed a new CA signing certificate, you must deploy it in the PKI environment that depends on this certificate for validation. It is beyond the scope of this book to explain how you should deploy the new CA certificate. You may find it useful to go over some of the deployment issues discussed in the document available at this URL:

http://help.netscape.com/kb/server/980710-25.html

 Deploying Registration Manager's Signing Certificate

If you installed a new Registration Manager signing certificate, you must also install this certificate in the certificate database of all subsystems (Certificate Manager, Registration Manager, and Data Recovery Manager) that trust this Registration Manager.

Here's what you must do:
  1. Install the new signing certificate in the subsystems' certificate databases.
    2.

    Because the Registration Manager uses its signing certificate for SSL client authentication to the subsystems, you must add the new signing certificate to the internal database of all subsystems that have been configured to receive requests from the Registration Manager.

    To add the new certificate to a subsystem's internal database:

  2. Ensure that the CA that signed the Registration Manager's certificate is in the certificate database of the subsystem.
    3.

    When a Registration Manager does SSL client authentication using its new certificate, the subsystem, as a part of validating the certificate presented by the Registration Manager, checks its trust database for the CA (certificate) that signed the Registration Manager's new certificate. If the subsystem does not find the CA as a trusted CA in its trust database, it rejects the Registration Manager.

    For instructions on checking the trust database of a subsystem, see "Viewing the Certificate Database Contents".

Deploying Data Recovery Manager's Transport Certificate

Because clients capable of generating dual key pairs use the transport certificate for encrypting end users' encryption private keys before sending them to the Data Recovery Manager, you must update the appropriate enrollment or key archival page to identify and use the new transport certificate. Otherwise, the Data Recovery Manager will fail to archive users' encryption private keys.

In general, here's what you need to do:
  1. Locate the enrollment page that embeds the key archival feature.
    2.

  2. View the HTML source, and identify the parameter that corresponds to the Data Recovery Manager's transport certificate.

    3. The default enrollment forms for end users embed this feature. Figure 8.2 shows the default directory-based user enrollment form with the transport certificate-related information highlighted. (For more information, see "Step 3. Customize the Certificate Enrollment Form".)

    Figure 8.2 Data Recovery Manager's transport certificate information in the default enrollment form

  3. Replace the current MIME-64 string with the one for the new transport certificate.

    4. To copy the MIME-64 string for the new transport certificate, locate the new transport certificate; the MIME-64 string for the certificate will be listed there.

  4. Repeat steps 1 through 3 for any additional enrollment or key archival pages.
    5.

Deploying a Subsystem's SSL Server Certificate

By default, a Certificate Manager and Registration Manager use a single SSL server certificate to do server-side authentication to all the CMS ports. If configured for LDAP publishing, they also use the SSL server certificate for authenticating to the publishing directory. Depending on the purpose for which you requested this certificate, you should configure the server appropriately.

To configure the server to use this certificate for authenticating to one of the clients, see "Configuring the Server to Use Separate SSL Server Certificates". To configure the Certificate Manager to use this certificate for authenticating to the publishing directory, see "Identifying a Certificate Manager's Publishing Directory". To configure the Registration Manager to use this certificate for authenticating to the publishing directory, see "Identifying a Registration Manager's Publishing Directory".


Renewing Certificates for the Subsystems
All certificates used by Certificate Management System have a validity period beyond which they are not usable, unless the validity period is extended. For Certificate Management System to function properly, you must renew the certificates used by the Certificate Manager, Registration Manager, or Data Recovery Manager before they expire. For example, if you generated these certificates during CMS installation with a validity period of two years, at the end of which they will all expire; you must consider renewing them well in advance, maybe two months in advance.

 When you renew a certificate, you get a new certificate with the same public and private key material as the existing certificate, but with a new name or an extended validity period, or both.

 The sections that follow explain how to renew certificates for the Certificate Manager, Registration Manager, and Data Recovery Manager using the Certificate Setup Wizard. Alternatively, you use the command-line utility called the Certificate Database Tool; for details about this utility, see Appendix D, "Certificate Database Tool".

Renewing an existing certificate involves the following:

 Step 1. Plan for Certificate Renewal

Renewing a subsystem's certificate requires careful planning. This section provides some guidelines that will help you renew the certificate smoothly.

Before renewing a certificate:

 Step 2. Renew the Existing Certificate

Once you have all the information, go ahead and renew the certificate. The Certificate Setup Wizard built into the CMS window automates the process of renewing certificates used by the Certificate Manager, Registration Manager, and Data Recovery Manager. The wizard can generate a certificate request based on the existing key pair and submit the request to a CA for signing. For instructions on using the wizard, see "Using the Wizard to Request a Certificate".

Important Be sure to use the existing key pair to generate the certificate signing request.

Step 3. Install the Renewed Certificate

When you receive the renewed certificate from the CA, you must install it in the token that contains the key pair for the certificate; this is the token you used to generate the request in Step 2.

The Certificate Setup Wizard automates the process of installing certificates used by the Certificate Manager, Registration Manager, and Data Recovery Manager. For instructions on using the wizard, see "Using the Wizard to Install a Certificate or Certificate Chain".

Step 4. Deploy the Renewed Certificate

In this step, you must follow the instructions appropriate for the certificate you installed:

Deploying Certificate Manager's Renewed CA Signing Certificate

If you installed a new CA signing certificate, deploy it in the PKI environment that depends on this certificate for validation. It is beyond the scope of this book to explain how you should deploy the new CA certificate. You may find it useful to go over some of the deployment issues discussed in the document available at this URL:

http://help.netscape.com/kb/server/980710-25.html

 Deploying Registration Manager's Renewed Signing Certificate

Here's what you must do:

  1. Install the renewed signing certificate in the subsystem's certificate database.
    2.

    Because the Registration Manager uses its signing certificate for SSL client authentication to the subsystems, you must add the renewed signing certificate to the internal database of all subsystems that have been configured to receive requests from the Registration Manager.

    To add the renewed certificate to a subsystem's internal database:

  2. Ensure that the CA that signed the Registration Manager's certificate is in the trust database of the subsystem.
    3.

    When a Registration Manager does SSL client authentication using its renewed certificate, the subsystem, as a part of validating the certificate presented by the Registration Manager, checks its trust database for the CA (certificate) that signed the Registration Manager's renewed certificate. If the subsystem does not find the CA as a trusted CA in its trust database, it rejects the Registration Manager.

    For instructions on checking the trust database of a subsystem, see "Viewing the Certificate Database Contents".

Deploying Data Recovery Manager's Renewed Transport Certificate

Because clients capable of generating dual key pairs use the transport certificate for encrypting end users' encryption private keys before sending them to the Data Recovery Manager, you must update the appropriate enrollment or key archival page to identify and use the renewed transport certificate. Otherwise, the Data Recovery Manager will fail to archive users' encryption private keys.

In general, here's what you need to do:
  1. Locate the page that embeds the key archival feature.
    2.

  2. View the HTML source, and identify the parameter that corresponds to the Data Recovery Manager's transport certificate.

    3. The default enrollment forms for end users embed this feature. Figure 8.3 shows the default directory-based user enrollment form with the transport certificate-related information highlighted. (For more information, see "Step 3. Customize the Certificate Enrollment Form".)

    Figure 8.3 Data Recovery Manager's transport certificate information in the default enrollment form

  3. Replace the current MIME-64 string with the one for the renewed transport certificate.
    4.

    To copy the MIME-64 string for the renewed transport certificate, locate the certificate; the MIME-64 string for the certificate will be listed there.

  4. Repeat steps 1 through 3 for any additional key archival or enrollment pages.
    5.

Deploying a Subsystem's Renewed SSL Server Certificate

By default, a Certificate Manager and Registration Manager use a single SSL server certificate to do server-side authentication to all the CMS ports. If configured for LDAP publishing, they also use the SSL server certificate for authenticating to the publishing directory. The Certificate Manager, if configured to function as a trusted manager to a Data Recovery Manager, also uses its SSL server certificate for SSL client authentication to the Data Recovery Manager. Depending on the purpose for which the certificate being renewed is used currently, you should configure the server appropriately.


Managing the Certificate Database
Each CMS instance has a certificate database (cert7.db), which is maintained in its internal token. This database contains certificates belonging to the subsystems installed in the CMS instance (for details, see "Keys and Certificates for the Main Subsystems") and various CA certificates the subsystems use for validating the certificates they receive.

Whether you use an internal token or an external token for generating and storing key pairs, Certificate Management System always maintains its list of trusted and untrusted CA certificates in its internal token.

 You may need to add new certificates to the database, remove unwanted certificates from the database, or change the trust settings of CA certificates in the database. This section explains how to view the contents of the certificate database, delete unwanted certificates, and change the trust settings of CA certificates installed in the database using the CMS window. For information on adding certificates to the database, see "Certificate Setup Wizard".

Note Certificate Management System provides a command-line utility called certutil for managing its certificate database. See Appendix D, "Certificate Database Tool".

Viewing the Certificate Database Contents

Each CMS instance has a certificate database that contains the list of certificates the server uses.

To view the contents of the database:
  1. Access the CMS window (see "Accessing the CMS Window").

  2. Click the Configuration tab, and then in the right pane, click the Encryption tab.

  3. Click Manage Certificate.

    4. The Certificate Database Management window appears.

    The window lists the certificates in a table, with each certificate occupying a row. The CA certificates are listed in alphabetical order. If the database contains multiple CA certificates with the same nickname, they are sorted by their validity periods; the most recently requested certificate is placed at the top.

    For each certificate, you see the following information:

    Certificate Name. Specifies the nickname of the CA certificate.

    Expiry Date. specifies the date (and time) on which the CA certificate expires.

    Trust Status. Specifies whether the CA is trusted or untrusted. To change the trust setting, see "Changing the Trust Settings of a CA Certificate".

Deleting a Certificate from the Certificate Database

By default, the CMS certificate database includes a few public or third-party CA certificates. As an administrator, you should periodically check the contents of the certificate database and make sure that it doesn't include any unwanted CA certificates. For example, if the database includes CA certificates that you don't ever want to trust in your PKI setup, you should delete them.

Removing unwanted certificates also reduces the size of the certificate database.

 Important When deleting CA certificates from the certificate database, be careful not to delete the intermediate CA certificates, which help a subsystem chain up to the trusted CA certificate. If in doubt, leave the certificates in the database as untrusted CA certificates; see "Changing the Trust Settings of a CA Certificate".

To delete a CA certificate from the certificate database:

  1. Access the CMS window (see "Accessing the CMS Window").

  2. Click the Configuration tab, and then in the right pane, click the Encryption tab.

  3. Click Manage Certificate.

    4. The Certificate Database Management window appears. The window lists all the certificates for the selected instance of Certificate Management System; the list is a table, with each certificate occupying a row.

  4. Select the CA certificate you want to delete, and click Delete.
    5.

  5. When prompted, confirm the delete action.

  6. Click Close.

    7. You are returned to the Encryption tab.

  7. To save your changes, click Save.
    8.

    The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.

Changing the Trust Settings of a CA Certificate

Certificate Management System relies on CA certificates in its certificate database for validating certificates it receives during an SSL communication. For example, when a Certificate Manager is authenticating a Registration Manager that has sent a certificate signing requests, the Certificate Manager checks its certificate database to see whether the CA that signed the certificate presented by the Registration Manager is included in the database as a trusted CA.

You may need to change the status of a currently trusted CA to untrusted (or vice versa) temporarily or permanently. For example, you may be notified that a CA is experiencing technical difficulty that prevents certificate authentication. By making the CA certificate untrusted, you can prevent entities whose certificates have been signed by that CA from successfully authenticating to Certificate Management System. You can then return the trust option to trusted when the CA notifies you that the problem has been resolved.

 If you want to untrust a CA permanently, you should consider removing its certificate from the trust database altogether. See "Deleting a Certificate from the Certificate Database".

Changing the trust setting changes the trust flag (or bit) in the CA certificate.

 To change the trust setting of a CA certificate:

  1. Access the CMS window (see "Accessing the CMS Window").

  2. Click the Configuration tab, and then in the right pane, click the Encryption tab.

  3. Click Manage Certificate.

    4. The Certificate Database Management window appears.

    The window lists the CA certificates currently installed for the selected CMS instance; the list is a table, with each CA certificate occupying a row.

  4. Select the CA certificate whose trust setting you want to modify, and click Edit.
    5.

    The Certificate Information window appears.

    The window shows detailed information about the selected certificate, including serial number, validity period, subject name, issuer name, certificate fingerprint, and trust status.

    If the certificate you selected is currently trusted, the window shows a button named "Change to Untrusted." If it is untrusted, the window shows a button named "Change to Trusted."

  5. Click Change to Untrusted or Change to Trusted, as appropriate.
    6.

  6. Click Close.

    7. You are returned to the Certificate Database Management window. The certificate now shows a different trust status.

  7. Click Close.
    8.

    You are returned to the Encryption tab.

  8. To save your changes, click Save.
    9.

    The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.

Installing a New CA Certificate in the Certificate Database

You may need to install new trusted CA certificates in the certificate database of a CMS instance. For example, assume that you renewed the signing certificate of a Registration Manager. Also assume that the CA that signed the Registration Manager's certificate is not included in the trust database of the Certificate Manager that has been configured to sign certificate requests from this Registration Manager.

When the Registration Manager attempts to request a service from the Certificate Manager (using the renewed certificate for SSL client authentication), the Certificate Manager fails to authenticate the Registration Manager. This happens because, as a part of validating the certificate presented by the Registration Manager, the Certificate Manager checks its certificate database for the CA that signed the Registration Manager's certificate. The Certificate Manager does not find the CA listed in its trust database as a trusted CA, so it rejects the Registration Manager's service request.

 The Certificate Setup Wizard built into the CMS window automates the process of installing trusted CA certificates in the certificate database. For instructions on using the wizard, see "Using the Wizard to Install a Certificate or Certificate Chain".

Important Be sure to choose the "Other Trusted CAs" option in Step 2 in the wizard process.

Installing a CA Certificate Chain in the Certificate Database

Any client or server software that supports certificates maintains a collection of trusted CA certificates in its certificate database. These CA certificates determine which other certificates the software can validate--in other words, which issuers of certificates the software can trust. In the simplest case, the software can validate only certificates issued by one of the CAs for which it has a certificate. It's also possible for a trusted CA certificate to be part of a chain of CA certificates, each issued by the CA above it in a certificate hierarchy; for details on certificate hierarchies and certificate chains, see "How CA Certificates Are Used to Establish Trust" in Appendix D of Managing Servers with Netscape Console.
 

© Copyright 1999 Netscape Communications Corp., a subsidiary of America Online, Inc. All rights reserved.