Complete Contents
About This Guide
PART 1:
Overview and Demo Installation
Chapter 1
Introduction to Certificate Management System 4.0
Chapter 2
Default Demo Installation
PART 2:
Planning and Installation
Chapter 3
Planning Your Deployment
Chapter 4
Installation Worksheet
Chapter 5
Installation and Configuration
Appendix A
Migrating from Certificate Server 1.x
Appendix B
Certificate Extensions
Appendix C
Certificate Download Specification
Appendix D
Using SSL with Enterprise Server 3.x
Appendix E
Export Control Information
Glossary
Index

Contents
About This Guide
What You Should Already Know
What's in This Guide
Conventions Used in This Guide
Where to Go for Related Information
Part 1
Overview and Demo Installation
Chapter 1
Introduction to Certificate Management System
System Overview
Public-Key Infrastructure
Subsystems of Certificate Management System
Basic System Configuration
Authentication and Policy Modules
Authentication Modules
Policy Modules
Steps in End-Entity Enrollment
Some Enrollment Scenarios
Firewall Considerations
Extranet/E-Commerce: Acme Sales Corp.
Enrolling Existing Customers
Enrolling New Customers
Enrolling Extranet Users
PIN Registration: Atlas Manufacturing
VPN Client Enrollment and Revocation
Router Enrollment and Revocation
End Entities and Life-Cycle Management
Life-Cycle Management Formats and Protocols
Access to Subsystems
HTML Forms for End Users
Summary of System Features
Authentication Modules
Policy Modules
Job Scheduler Plug-Ins
Event-Driven Notifications
Registration Manager
Certificate Manager
Signing Algorithms
Certificate Revocation Lists
Data Recovery Manager
Command-Line Utilities
System Architecture
PKCS #11
NSS
JSS and the Java/JNI Layer
Middleware/JDK 1.1.6 Layers
Authentication and Policy Modules
Standards Summary
Certificate Management Formats and Protocols
Security and Directory Protocols
Chapter 2
Default Demo Installation
System Requirements
Software and Hardware Requirements
Platform Requirements
Solaris Platform Requirements
Windows NT Platform Requirements
Other Requirements
Overview of Default Demo
Demo Passwords
Default Demo Installation Procedure
Step 1. Run the Installation Script - Unix
Step 1. Run the Installation Script - Windows NT
Step 2. Run the Installation Wizard
Step 3. Get the First User Certificate
Using the Default Demo
Verify the Installation
Use an LDAP Directory
Enable Directory-Based Authentication
Add a User to the Directory
Enroll with Directory-Based Authentication
Part 2
Planning and Installation
Chapter 3
Planning Your Deployment
Topology Decisions
Server Groups and CMS Instances
Single Certificate Manager
Certificate Manager and Registration Manager
Certificate Manager and Data Recovery Manager
Certificate Manager, Data Recovery Manager, and Registration Manager
Certificate Authority Decisions
CA's Distinguished Name
CA Signing Key Type and Length
CA Signing Certificate's Validity Period
Self-Signed Root Versus Subordinate CA
CAs and Certificate Extensions
CA Certificate Renewal or Reissuance
Cryptographic Token Decisions
Publishing Decisions
Subsystem Certificate Decisions
SSL Server Certificates
Certificate Manager Certificates
Registration Manager Certificates
Data Recovery Manager Certificate and Storage Key
Authentication Decisions
Policy Decisions
Deployment Strategy and Port Assignments
Chapter 4
Installation Worksheet
Information for Unix Installation Script
Installation Location
Configuration Directory
User/Group Directory Server
Configuration Directory Settings
Administration Server Information
Certificate Management System Identifier
Information for NT Installation Script
Installation Directory
Configuration Directory Server
User/Group Directory Server
Configuration Directory Settings
Configuration Directory Server Administrator
Directory Server Administration Domain
Directory Manager Settings
Administration Server Port
Certificate Management System Identifier
Initial Configuration
Internal Database
Administrator
Subsystems
Remote Certificate Manager
Remote Data Recovery Manager
Network Configuration
Certificate Manager Configuration
Server Migration from Certificate Server 1.x
Migration Tool Output Files
Token for CA Signing Certificate
Token for SSL Server Certificate
CA Signing Certificate
Key-Pair Information for CA Signing Certificate
Subject Name for CA Signing Certificate
Validity Period for CA Signing Certificate
Extensions for CA Signing Certificate
CA Signing Certificate Request
Registration Manager Configuration
Registration Manager Signing Certificate Request
Key-Pair Information for Registration Manager Signing Certificate
Subject Name for Registration Manager Signing Certificate
Registration Manager Signing Certificate Issuer
Data Recovery Manager Configuration
Transport Certificate
Key-Pair Information for Transport Certificate
Subject Name for Transport Certificate
Validity Period for Transport Certificate
Extensions for Transport Certificate
Transport Certificate Request
Storage Key and Recovery Agent Configuration
Storage Key Creation
Data Recovery Scheme - 1
Data Recovery Scheme - 2
SSL Server Certificate Configuration
SSL Server Certificate
Key-Pair Information for SSL Server Certificate
Subject Name for SSL Server Certificate
Validity Period for SSL Server Certificate
Extensions for SSL Server Certificate
SSL Certificate Request
Single Sign-On Password
Chapter 5
Installation and Configuration
Installation Overview
Installation Stages
Stage 1: Running the Installation Script
Running the Installation Script on Unix
Running the Installation Script on Windows NT
Stage 2: Using the Installation Wizard
Initial Configuration
Certificate Manager Configuration
Self-Signed CA Certificate
Subordinate CA Certificate Request
Registration Manager Configuration
Data Recovery Manager Configuration
Transport Certificate from a Remote CA
Storage Key and Recovery Agent Configuration
Certificate Manager and Data Recovery Manager Configuration
Certificate Manager Configuration
Data Recovery Manager Configuration
Registration Manager and Data Recovery Manager Configuration
Registration Manager Configuration
Data Recovery Manager Configuration
SSL Certificate Configuration
SSL Server Certificate from the Local CA
SSL Server Certificate from a Remote CA
Single Sign-On Configuration
Additional Steps
Administrator/Agent Certificate Enrollment
Stage 3: Further Configuration Options
Stage 4: Creating Additional Instances
First Agent for an Additional CMS Instance
Appendix A
Migrating from Certificate Server 1.x
Using the Migration Tool
Command-Line Syntax
Arguments
The Migration Process
Entering Informix Database Login Information
Entering Key and Certificate Database Passwords
Exit Codes and Error Messages
Generated Files
Importing the Data to New Databases
Hardware, Operating System, and Version Support
Appendix B
Certificate Extensions
Introduction to Certificate Extensions
Recommendations for Extension Usage
Standard X.509 v3 Certificate Extensions
authorityKeyIdentifier
basicConstraints
certificatePolicies
cRLDistributionPoints
extKeyUsage
issuerAltName
keyUsage
nameConstraints
policyConstraints
policyMappings
privateKeyUsagePeriod
subjectAltName
subjectDirectoryAttributes
subjectKeyIdentifier
Standard X.509 v3 CRL Extensions
Extensions for CRLs
authorityKeyIdentifier
CRLNumber
deltaCRLIndicator
issuerAltName
issuingDistributionPoint
CRL Entry Extensions
certificateIssuer
holdInstructionCode
invalidityDate
reasonCode
Netscape-Defined Certificate Extensions
netscape-cert-type
netscape-comment
Adding Extensions in Certificate Management System
CA Certificates and Extension Interactions
Appendix C
Certificate Download Specification
Data Formats
Binary Formats
Text Formats
Importing Certificate Chains
Importing Certificates into Netscape Communicator
Importing Certificates into Netscape Servers
Object Identifiers
Appendix D
Using SSL with Enterprise Server 3.x
Creating a New Server
Obtaining a Server Certificate
Generating a Key Pair
Submitting a Certificate Signing Request
Importing the Certificate
Enabling SSL on the Server
Trusting the Root CA Certificate
Enabling Encryption on the Server
Modifying the Configuration File
Modifying the Access Control Lists
Specifying the Authentication Directory
Note for CGI Programmers
Removing Untrusted CA Roots
Testing Client Authentication
Appendix E
Export Control Information
Approved Export Operations and Key Sizes
SSL Cipher Suite Profiles for Export
Glossary
Index
© Copyright 1999 Netscape Communications Corp., a subsidiary of America Online, Inc. All rights reserved.