Contents

About This Guide
  What You Should Already Know
  What's in This Guide
  Conventions Used in This Guide
  Where to Go for Related Information

Part 1
Overview and Demo Installation

Chapter 1
Introduction to Certificate Management System
  System Overview
  Public-Key Infrastructure
  Subsystems of Certificate Management System
  Basic System Configuration
  Authentication and Policy Modules
  Authentication Modules
  Policy Modules
  Steps in End-Entity Enrollment
  Some Enrollment Scenarios
  Firewall Considerations
  Extranet/E-Commerce: Acme Sales Corp.
  Enrolling Existing Customers
  Enrolling New Customers
  Enrolling Extranet Users
  PIN Registration: Atlas Manufacturing
  VPN Client Enrollment and Revocation
  Router Enrollment and Revocation
  End Entities and Life-Cycle Management
  Life-Cycle Management Formats and Protocols
  Access to Subsystems
  HTML Forms for End Users
  Summary of System Features
  Authentication Modules
  Policy Modules
  Job Scheduler Plug-Ins
  Event-Driven Notifications
  Registration Manager
  Certificate Manager
  Signing Algorithms
  Certificate Revocation Lists
  Data Recovery Manager
  Command-Line Utilities
  System Architecture
  PKCS #11
  NSS
  JSS and the Java/JNI Layer
  Middleware/JDK 1.1.6 Layers
  Authentication and Policy Modules
  Standards Summary
  Certificate Management Formats and Protocols
  Security and Directory Protocols

Chapter 2
Default Demo Installation
  System Requirements
  Software and Hardware Requirements
  Platform Requirements
  Solaris Platform Requirements
  Windows NT Platform Requirements
  Other Requirements
  Overview of Default Demo
  Demo Passwords
  Default Demo Installation Procedure
  Step 1. Run the Installation Script - Unix
  Step 1. Run the Installation Script - Windows NT
  Step 2. Run the Installation Wizard
  Step 3. Get the First User Certificate
  Using the Default Demo
  Verify the Installation
  Use an LDAP Directory
  Enable Directory-Based Authentication
  Add a User to the Directory
  Enroll with Directory-Based Authentication

Part 2
Planning and Installation

Chapter 3
Planning Your Deployment
  Topology Decisions
  Server Groups and CMS Instances
  Single Certificate Manager
  Certificate Manager and Registration Manager
  Certificate Manager and Data Recovery Manager
  Certificate Manager, Data Recovery Manager, and Registration Manager
  Certificate Authority Decisions
  CA's Distinguished Name
  CA Signing Key Type and Length
  CA Signing Certificate's Validity Period
  Self-Signed Root Versus Subordinate CA
  CAs and Certificate Extensions
  CA Certificate Renewal or Reissuance
  Cryptographic Token Decisions
  Publishing Decisions
  Subsystem Certificate Decisions
  SSL Server Certificates
  Certificate Manager Certificates
  Registration Manager Certificates
  Data Recovery Manager Certificate and Storage Key
  Authentication Decisions
  Policy Decisions
  Deployment Strategy and Port Assignments

Chapter 4
Installation Worksheet
  Information for Unix Installation Script
  Installation Location
  Configuration Directory
  User/Group Directory Server
  Configuration Directory Settings
  Administration Server Information
  Certificate Management System Identifier
  Information for NT Installation Script
  Installation Directory
  Configuration Directory Server
  User/Group Directory Server
  Configuration Directory Settings
  Configuration Directory Server Administrator
  Directory Server Administration Domain
  Directory Manager Settings
  Administration Server Port
  Certificate Management System Identifier
  Initial Configuration
  Internal Database
  Administrator
  Subsystems
  Remote Certificate Manager
  Remote Data Recovery Manager
  Network Configuration
  Certificate Manager Configuration
  Server Migration from Certificate Server 1.x
  Migration Tool Output Files
  Token for CA Signing Certificate
  Token for SSL Server Certificate
  CA Signing Certificate
  Key-Pair Information for CA Signing Certificate
  Subject Name for CA Signing Certificate
  Validity Period for CA Signing Certificate
  Extensions for CA Signing Certificate
  CA Signing Certificate Request
  Registration Manager Configuration
  Registration Manager Signing Certificate Request
  Key-Pair Information for Registration Manager Signing Certificate
  Subject Name for Registration Manager Signing Certificate
  Registration Manager Signing Certificate Issuer
  Data Recovery Manager Configuration
  Transport Certificate
  Key-Pair Information for Transport Certificate
  Subject Name for Transport Certificate
  Validity Period for Transport Certificate
  Extensions for Transport Certificate
  Transport Certificate Request
  Storage Key and Recovery Agent Configuration
  Storage Key Creation
  Data Recovery Scheme - 1
  Data Recovery Scheme - 2
  SSL Server Certificate Configuration
  SSL Server Certificate
  Key-Pair Information for SSL Server Certificate
  Subject Name for SSL Server Certificate
  Validity Period for SSL Server Certificate
  Extensions for SSL Server Certificate
  SSL Certificate Request
  Single Sign-On Password

Chapter 5
Installation and Configuration
  Installation Overview
  Installation Stages
  Stage 1: Running the Installation Script
  Running the Installation Script on Unix
  Running the Installation Script on Windows NT
  Stage 2: Using the Installation Wizard
  Initial Configuration
  Certificate Manager Configuration
  Self-Signed CA Certificate
  Subordinate CA Certificate Request
  Registration Manager Configuration
  Data Recovery Manager Configuration
  Transport Certificate from a Remote CA
  Storage Key and Recovery Agent Configuration
  Certificate Manager and Data Recovery Manager Configuration
  Certificate Manager Configuration
  Data Recovery Manager Configuration
  Registration Manager and Data Recovery Manager Configuration
  Registration Manager Configuration
  Data Recovery Manager Configuration
  SSL Certificate Configuration
  SSL Server Certificate from the Local CA
  SSL Server Certificate from a Remote CA
  Single Sign-On Configuration
  Additional Steps
  Administrator/Agent Certificate Enrollment
  Stage 3: Further Configuration Options
  Stage 4: Creating Additional Instances
  First Agent for an Additional CMS Instance

Appendix A
Migrating from Certificate Server 1.x
  Using the Migration Tool
  Command-Line Syntax
  Arguments
  The Migration Process
  Entering Informix Database Login Information
  Entering Key and Certificate Database Passwords
  Exit Codes and Error Messages
  Generated Files
  Importing the Data to New Databases
  Hardware, Operating System, and Version Support

Appendix B
Certificate Extensions
  Introduction to Certificate Extensions
  Recommendations for Extension Usage
  Standard X.509 v3 Certificate Extensions
  authorityKeyIdentifier
  basicConstraints
  certificatePolicies
  cRLDistributionPoints
  extKeyUsage
  issuerAltName
  keyUsage
  nameConstraints
  policyConstraints
  policyMappings
  privateKeyUsagePeriod
  subjectAltName
  subjectDirectoryAttributes
  subjectKeyIdentifier
  Standard X.509 v3 CRL Extensions
  Extensions for CRLs
  authorityKeyIdentifier
  CRLNumber
  deltaCRLIndicator
  issuerAltName
  issuingDistributionPoint
  CRL Entry Extensions
  certificateIssuer
  holdInstructionCode
  invalidityDate
  reasonCode
  Netscape-Defined Certificate Extensions
  netscape-cert-type
  netscape-comment
  Adding Extensions in Certificate Management System
  CA Certificates and Extension Interactions

Appendix C
Certificate Download Specification
  Data Formats
  Binary Formats
  Text Formats
  Importing Certificate Chains
  Importing Certificates into Netscape Communicator
  Importing Certificates into Netscape Servers
  Object Identifiers

Appendix D
Using SSL with Enterprise Server 3.x
  Creating a New Server
  Obtaining a Server Certificate
  Generating a Key Pair
  Submitting a Certificate Signing Request
  Importing the Certificate
  Enabling SSL on the Server
  Trusting the Root CA Certificate
  Enabling Encryption on the Server
  Modifying the Configuration File
  Modifying the Access Control Lists
  Specifying the Authentication Directory
  Note for CGI Programmers
  Removing Untrusted CA Roots
  Testing Client Authentication

Appendix E
Export Control Information
  Approved Export Operations and Key Sizes
  SSL Cipher Suite Profiles for Export

Glossary

Index