This chapter provides a worksheet to help you prepare for installing a single instance of Netscape Certificate Management System. Print this chapter and make as many copies as you need. Fill out one copy for each CMS instance you plan to install and refer to it during the installation and configuration process. You should fill it in after you have read Chapter 3, "Planning Your Deployment." It is designed for easy reference while you are following the procedures described in Chapter 5, "Installation and Configuration."
This chapter has the following sections:
To install an instance of Certificate Management System, you must also install an Administration Server and Netscape Console application and have access to a configuration and user/group directory. For more information on the Netscape server environment, see Managing Servers with Netscape Console.
Server root directory_____________________________________________
Enter the full pathname for the existing server root directory or for a new server root directory. For example, /user/tjones/certmmdd, where tjones is your UNIX or Windows NT user ID and mmdd is the month and day.
Computer name_____________________________________________
The default should be the fully qualified host name of the machine on which the installation is taking place. For example, mydirectory.com. Do not attempt to install remotely.
System user __________________________________________
The configuration directory runs as a user in the user directory. Enter the user ID that Directory Server will run as. Where your system supports it, accept the default user nobody, creating that user as necessary.
System group __________________________________________
The configuration directory also runs as a group in the user directory. Enter the group ID that Directory Server will run as. Where your system supports it, accept the default group nobody, creating that group as necessary. Running the server as an unprivileged user and group rather than as root limits what an attacker gains if the server process is compromised.
Host name _____________________________________________
The default should be the fully qualified host name of the machine on which the configuration directory is located. For example, mydirectory.com.
Do you want to use another directory to store your data?
User directory port_____________________________________________
Bind as_____________________________________________
User directory server suffix_____________________________________________
User directory administrator ID_____________________________________
You need to provide the following information about the configuration directory, whether it is an existing one or a new one to be created by the Installation Wizard:
Port_____________________________________________
Enter the port number for the Directory Server instance. The default is 389, if it is available, or a randomly selected number. The port number you specify must not be used for any other purpose.
Directory Server identifier______________________________________
This unique identifier is required for each instance of a Directory Server. For example, configdir.
Configuration Directory Server Administrator ID________________________
The ID for the user who will authenticate to Netscape Console with full privileges. For example, diradmin1.
Configuration Directory Server Administrator Password _________________________________________
The password must be at least eight characters long.
Suffix ____________________________________
Enter the suffix for the directory, derived from the domain name of the current host. For example, o=mydomain.com.
Directory Manager DN ________________________
Enter the distinguished name (DN) of the directory manager for the configuration directory. This DN can be short and does not need to conform to any suffix configured for your directory. It also should not correspond to an actual entry stored in your directory. For example, cn=Directory Manager.
Directory Manager password ________________________
The password must be at least eight characters long. Because the Directory Manager is not subject to the directory's access controls, treat eight characters as the minimum the installer enforces, not as a recommendation.
Administration domain ________________________________________
This domain name identifies the collection of servers that use the same configuration directory. For example, mydomain.com.
Administration Server port _____________________________
Pick a port number between 1024 and 65535 on which to run your Administration Server, or accept the default number.
Run Administration Server as _____________________________
This user ID should be the same as the system user ID. For example, tjones.
CMS server identifier _____________________________
You must specify a unique identifier for the CMS server instance that you are installing. For example, certxx01.
Installation directory (Windows NT) _____________________________
The default installation directory is C:\Netscape\Server4. If you want to use a different directory, enter the full pathname for the existing server root directory or for a new server root directory. You cannot install more than one server root directory on a Windows NT system.
Choose one of these options:
Create new configuration directory server._______________
If you choose this option, the Installation Wizard will create a new instance of Directory Server for use as the configuration directory for this server root.
Use existing configuration directory server._______________
Port_____________________________________________
Password_____________________________________________
Store data in new directory server______________________________
If you choose this option, the installation script either adds a user/group directory to the newly installed instance of Directory Server (if you have already decided to install a new configuration directory) or installs a new instance of Directory Server for use as a user/group directory.
Store data in an existing directory server______________________________
Suffix_____________________________________________
Directory Server identifier______________________________________
This unique identifier is required for each instance of a Directory Server. For example, configdir.
Directory Server network port (default is 389)________________________
Enter the port number for the Directory Server instance.
Suffix ____________________________________
If you are creating a new directory, this should be the domain name of the current host. For example, o=mydomain.com.
Configuration Directory Server Administrator ID________________________
For example, diradmin1.
Configuration Directory Server Administrator Password _________________________________________
Directory Manager DN ________________________
The administrative user is referred to as a Directory Manager and has a distinguished name (DN). For example, CN=Tom Jones.
Directory Manager password ________________________
The password must be at least eight characters in length.
For each instance of Certificate Management System, a new instance of Netscape Directory Server is created on the local host to act as the internal (local) database. Each subsystem must have access to this local database to store certificates, certificate requests, keys, and other information. The Certificate Management System uses LDAP over SSL to communicate with its local database.
Internal database identifier____________
The default provided by the system is the CMS server identifier with the suffix -db; for example, cmsdemo-db.
Port number____________
The default is random (on Unix, greater than 1024 if you are not logged in as root). For example, 17001.
Directory Manager DN ____________________________________________
The default is CN=Directory Manager. You can enter something more meaningful, such as CN=Internal Directory Manager.
Internal database password_______________________________
Specify the CMS administrator. This person will be able to access the CMS window of Netscape Console and approve the first agent certificate.
CMS Administrator ID________________________________
For example, CMSadmin.
CMS Administrator full name________________________________
For example, Certificate Management System Administrator.
CMS Administrator password________________________________
Choose the subsystems you will install in this instance. You can install a Certificate Manager and a Data Recovery Manager together, a Registration Manager and a Data Recovery Manager together, or any single manager on its own, but you cannot install a Certificate Manager and a Registration Manager in the same instance. The Certificate Manager can be configured to perform all Registration Manager functions, so installing both in one instance is neither necessary nor possible.
Certificate Manager___________
Registration Manager___________
Data Recovery Manager__________
If you are installing a Registration Manager, you need to provide the following information about the Certificate Manager to which the Registration Manager sends certificate requests:
SSL agent port for remote Certificate Manager__________________________
If you are installing a standalone Certificate Manager or Registration Manager, and if you have already installed a remote Data Recovery Manager that you want the new manager to use, you need to provide the following information about the Data Recovery Manager:
SSL agent port for remote Data Recovery Manager______________________
Enter numbers for the ports to be used for various kinds of communications. On Unix, you must be root to assign ports less than 1024. The default values are well-known ports, which are used only if they are not already in use. If these defaults are not available, a randomly chosen port number is given as the default. Each port must be distinct from the others and from any other service on the host.
SSL agent port (HTTPS) (default is random)_________________
For example, 17004.
SSL end-entity port (HTTPS) (default 443)_________________
For example, 17005.
Non-SSL end-entity port (HTTP) (default 80)________________________
For example, 17006.
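The following is an added example, not part of the Netscape documentation, that checks a filled-in port plan against the rules stated above: ports must be distinct and unused by anything else, ports below 1024 require root on Unix, and a well-known default is usable only if it is free. The port names and the example numbers are the worksheet's; the function names and the constructed plans are this example's own.

```python
"""Sanity-check a CMS port plan against the rules in the worksheet above.

Added example, not part of the Netscape documentation. It encodes only the
rules stated on the worksheet: every port must be distinct and unused by
anything else, ports below 1024 require root on Unix, and a well-known
default (80, 443) is usable only if it is free. The port names and example
numbers come from the worksheet; the functions are this example's own.
"""
import os
import socket

PRIVILEGED_PORT_LIMIT = 1024  # below this, Unix requires root to bind
PORT_MAX = 65535


def port_is_free(port, host="127.0.0.1"):
    """Return True if a TCP bind to host:port succeeds right now."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:  # EADDRINUSE, EACCES, ...
            return False
    return True


def check_port_plan(plan, is_root=None, check_free=True):
    """Validate a {name: port} plan and return a list of problem strings.

    is_root defaults to the effective uid of this process; pass it
    explicitly when checking a plan for a different machine or account.
    """
    if is_root is None:
        is_root = hasattr(os, "geteuid") and os.geteuid() == 0
    problems = []
    assigned = {}
    for name, port in plan.items():
        if not isinstance(port, int) or not 1 <= port <= PORT_MAX:
            problems.append(f"{name}: {port!r} is not a valid port number")
            continue
        if port in assigned:
            problems.append(f"{name}: port {port} is already assigned to {assigned[port]}")
        else:
            assigned[port] = name
        if port < PRIVILEGED_PORT_LIMIT and not is_root:
            problems.append(f"{name}: port {port} is below {PRIVILEGED_PORT_LIMIT}; "
                            "the installer must run as root to bind it")
        if check_free and not port_is_free(port):
            problems.append(f"{name}: port {port} is already in use on this host")
    return problems


def demo():
    """Exercise the checks on the worksheet's own numbers.

    Returns (problems with the well-known defaults for a non-root install,
             problems with the worksheet's example numbers,
             port_is_free() result for a port this process is listening on).
    """
    # Constructed plan: the well-known defaults, with a deliberate clash on 443
    defaults = {"SSL agent port": 443,
                "SSL end-entity port": 443,
                "Non-SSL end-entity port": 80}
    # The worksheet's example numbers: all distinct and above 1024
    example = {"SSL agent port": 17004,
               "SSL end-entity port": 17005,
               "Non-SSL end-entity port": 17006}
    # Hold a listening socket on an ephemeral port to show the in-use check
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))
    holder.listen(1)
    held_port = holder.getsockname()[1]
    try:
        free_while_held = port_is_free(held_port)
    finally:
        holder.close()
    return (check_port_plan(defaults, is_root=False, check_free=False),
            check_port_plan(example, is_root=False, check_free=False),
            free_while_held)


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Run it on the machine that will host the instance, as the account the installer will run as, so that the root and in-use checks reflect the real environment.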
If you are importing any certificates and keys previously created with Certificate Server 1.x, you must specify where they are, how to retrieve them, and where to put them. For information about migrating these files to Certificate Management System, see Appendix A, "Migrating from Certificate Server 1.x."
Migration file directory_____________________________________________
Enter the pathname to the directory where the migrate tool output files keyscerts.dat, database_add.ldif, and database_mod.ldif are located. All three files must be in the same directory. For example, /eng/migrationfile/certmanage/mycompany/.
Password used to create keyscerts.dat ("transport password")_____________________________________________
Enter the transport password that you specified while exporting data with the Migration tool.
Token_________________________________________________
Enter either internal (if you plan to use the internal token) or the name of an external hardware token. If you are using an external token, enter the name of the hardware device that actually provides cryptographic services and stores certificates and keys. For example, MyToken.
Token password_________________________________________________
The password for the token must be at least one character long.
When you install the Certificate Manager subsystem, you must supply information for the CA certificate that the Certificate Manager will use to sign the certificates it issues. This certificate also functions as the Certificate Manager's SSL client certificate.
For a discussion of related issues, see "CA Signing Key Type and Length" in Chapter 3.
Token_________________________________________________
Enter either internal (if you plan to use the internal token) or the name of an external hardware token. If you are using an external token, enter the name of the hardware device that actually provides cryptographic services and optionally stores certificates and keys. For example, MyToken.
Token password_________________________________________________
The password for the token must be at least one character long.
Key type_________________________________________________
RSA or DSA.
Key length_______________________________________________
Available settings for RSA are 512, 1024, 2048, or custom. Available settings for DSA are 512, 1024, or custom. In general, longer keys are considered to be cryptographically stronger than shorter keys. However, longer keys also require more time for signing operations. A CA signing key protects every certificate issued under it, so choose the longest length your token and your relying software support; 512-bit RSA and DSA keys can be broken with modest resources and should not be used for a signing key.
For a discussion of issues related to the subject name, see "CA's Distinguished Name" in Chapter 3.
A DN is a series of name-value pairs that in combination uniquely identify an entity. The subject DN identifies the CA signing certificate. You are not required to enter all the values, but you must enter the Organizational Unit (OU), such as the name of your department. The Organizational Unit is required because its absence causes Netscape Communicator 4.x to crash. For more information about distinguished names, see Appendix A, "Distinguished Names," in Netscape Certificate Management System Administrator's Guide.
You can specify the validity period for a self-signed CA signing certificate only. The validity period for a subordinate CA signing certificate is determined by the issuing CA.
Enter beginning and ending dates for the certificate's validity period. The validity period for the CA signing certificate determines how soon you will have to renew the certificate, which can be a complex procedure.
You can specify the extensions for a self-signed CA signing certificate only. Extensions for a subordinate CA signing certificate are specified by the issuing CA.
Certification path length (No)_______________________
The certification path length, if specified, limits how many CA certificates may appear below this certificate in a chain; the end-entity certificate at the bottom of the chain is not counted. A value of 0 means this CA may issue only end-entity certificates. If you do not specify this attribute, the length of the chain is unlimited.
Object-signing (No)_________
SSL server (No)_________
S/MIME CA (Yes)_________
S/MIME (No)_________
Object-signing CA (Yes)_________
SSL CA (Yes)_________
Subject Key Identifier (Yes) ________________
Key usage (No)_____________
If you decide to include the key usage extension, the following key usage bits are set by default:
keyCertSign
cRLSign
RFC 5280 requires a CA certificate whose key signs other certificates or CRLs to carry the key usage extension with keyCertSign (and cRLSign) set, so consider including it even though the default is No.
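The following added example, not from the Netscape documentation and not the way the Installation Wizard itself builds a request, encodes the two extension bodies described above (Basic Constraints with an optional certification path length, and Key Usage) in DER using only the Python standard library, and checks the path length rule along a constructed chain. It also produces the keyEncipherment encoding that the transport certificate and SSL server certificate sections below mention as their default key usage bit. The bit names and numbering are those of X.509 / RFC 5280; the function names and the sample chain are this example's own.

```python
"""DER encodings for the CA signing certificate extensions on this worksheet,
plus a check of the certification path length rule.

Added example, not Netscape's code and not how the Installation Wizard
itself builds the request; it hand-encodes the two extension bodies the
worksheet describes (Basic Constraints with an optional path length, and
Key Usage) using only the standard library, with the bit names and
numbering of X.509 / RFC 5280. It also covers the keyEncipherment default
that the transport and SSL server certificate sections mention.
"""

# Named bits of the KeyUsage BIT STRING, bit 0 being the most significant.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}


def _der_tlv(tag, body):
    """Prefix body with a DER tag and definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + body


def _der_integer(value):
    """Non-negative INTEGER in minimal two's-complement form."""
    if value < 0:
        raise ValueError("only non-negative integers are encoded here")
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")  # keeps sign bit clear
    return _der_tlv(0x02, body)


def basic_constraints_der(ca, path_len=None):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
                                       pathLenConstraint INTEGER (0..MAX) OPTIONAL }
    DER omits cA when it is FALSE; a path length is only allowed for CAs.
    path_len=None is the worksheet's "Certification path length (No)": unlimited."""
    if path_len is not None and not ca:
        raise ValueError("pathLenConstraint is only meaningful when cA is TRUE")
    body = _der_tlv(0x01, b"\xff") if ca else b""
    if path_len is not None:
        body += _der_integer(path_len)
    return _der_tlv(0x30, body)


def key_usage_der(*names):
    """KeyUsage ::= BIT STRING; DER drops trailing zero bits of a named bit list."""
    if not names:
        raise ValueError("at least one key usage bit is required")
    positions = [KEY_USAGE_BITS[n] for n in names]
    highest = max(positions)
    nbytes = highest // 8 + 1
    value = 0
    for p in positions:
        value |= 1 << (nbytes * 8 - 1 - p)
    unused_bits = nbytes * 8 - 1 - highest
    return _der_tlv(0x03, bytes([unused_bits]) + value.to_bytes(nbytes, "big"))


def path_length_ok(chain):
    """Check pathLenConstraint along a chain listed from the root down to the
    end entity. Each entry is a dict with 'ca' (bool) and optional 'path_len'.

    For every CA certificate, the number of CA certificates below it must not
    exceed its path length; the end-entity certificate is not counted.
    (RFC 5280 also excludes self-issued intermediates; none appear here.)"""
    for i, cert in enumerate(chain):
        if not cert["ca"]:
            if i != len(chain) - 1:
                return False  # only the last certificate may be a non-CA
            continue
        cas_below = sum(1 for c in chain[i + 1:] if c["ca"])
        limit = cert.get("path_len")
        if limit is not None and cas_below > limit:
            return False
    return True


def worksheet_ca_defaults():
    """The worksheet's defaults for a self-signed CA signing certificate:
    no path length (unlimited) and key usage keyCertSign + cRLSign."""
    return {
        "basicConstraints": basic_constraints_der(True),
        "keyUsage": key_usage_der("keyCertSign", "cRLSign"),
    }
```

The path length check makes the rule concrete: a root with path length 1 can have one subordinate CA beneath it and that subordinate's end-entity certificates, but a second tier of CAs under it fails validation.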
If you are installing a subordinate CA, you need to specify where to send your request for a CA signing certificate.
Enter the URL for the end-entity gateway of the Certificate Manager that will issue the subordinate CA's signing certificate. For example, http://hostname:17006.
When you install a Registration Manager subsystem, you must supply information for the certificate that the Registration Manager will use to sign certificate requests. This certificate also functions as the Registration Manager's SSL client certificate. The Installation Wizard formulates a certificate request on the basis of information you provide. It is possible for the CA that issues the certificate to overrule some of your decisions.
A DN is a series of name-value pairs that in combination uniquely identify an entity. The subject DN identifies the Registration Manager signing certificate. You are not required to enter all the values, but you must enter the Organizational Unit (OU), such as your company name. The Organizational Unit is required because its absence causes Netscape Communicator 4.x to crash. For more information about distinguished names, see Appendix A, "Distinguished Names," in Netscape Certificate Management System Administrator's Guide.
If you are submitting your certificate request to a third-party CA, follow the instructions provided by that CA.
Key-Pair Information for Transport Certificate
For a discussion of issues related to key type and length, see "CA Signing Key Type and Length" in Chapter 3.
A DN is a series of name-value pairs that in combination uniquely identify an entity. The subject DN identifies the transport certificate. You are not required to enter all the values, but you must enter the Organizational Unit (OU), such as your company name. The Organizational Unit is required because its absence causes Netscape Communicator 4.x to crash. For more information about distinguished names, see Appendix A, "Distinguished Names," in Netscape Certificate Management System Administrator's Guide.
You can specify the validity period for a transport certificate only if you are installing the Certificate Manager and Data Recovery Manager at the same time and you want the Certificate Manager that you just installed to issue the transport certificate. If the transport certificate is issued by a remote CA, its validity period is determined by the issuing CA.
Enter beginning and ending dates for the transport certificate's validity period.
You can specify the extensions for a transport certificate only if you are installing the Certificate Manager and Data Recovery Manager at the same time and you have decided to have the Certificate Manager that you just installed issue the certificate. If the transport certificate is issued by a remote CA, its extensions are determined by the issuing CA.
S/MIME CA (No)_________
S/MIME (No)_________
Object-signing CA (No)_________
SSL CA (No)_________
Subject Key Identifier (No)_________
If you decide to include the key usage extension, the keyEncipherment key usage bit is set by default.
If you are obtaining your transport certificate from a remote CA, you need to know where to submit your certificate request.
Enter the URL for the end-entity gateway of the Certificate Manager that will issue the transport certificate. For example, http://hostname:17006.
Storage Key Creation
Specify the length of the key that the Data Recovery Manager uses to encrypt end-entity encryption keys for storage.
Storage key length____________
The options available are 512, 1024, or 2048. This key protects every archived end-entity key, so use the longest option available; 512 bits is not adequate for this purpose.
Number of recovery agents required to recover a key (default 2)_______________________________________
The number of agents you enter here is determined by your organization's policies with respect to data recovery. If you enter a larger number than the default of 2 for the number of recovery agents required to recover a key, you reduce the chances of inappropriate recovery but increase the complexity of the recovery process. The number required cannot exceed the total number of designated agents, and it should leave enough margin that recovery remains possible when some agents are unavailable.
Total number of designated recovery agents (n, default 3)_______________________________________
Specify user IDs and passwords for the total number of designated recovery agents (see preceding section):
User ID______________________ Password_________________________
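The following is an added example, not Netscape's code, illustrating the required-of-total trade-off described above. The page does not describe how the Data Recovery Manager itself splits its secret among agents, so this uses Shamir's secret sharing over a prime field as a stand-in with the same property: any `required` of the `total` shares recover the secret, and fewer than `required` reveal nothing about it. The secret is a constructed integer standing in for a protected password; the function names are this example's own.

```python
"""m-of-n key recovery shares, illustrating the trade-off described above.

Added example, not Netscape's code. The page does not describe how the Data
Recovery Manager splits its storage-key secret among agents, so this uses
Shamir's secret sharing over a prime field as a stand-in with the same
property: any `required` of the `total` shares recover the secret, and
fewer than `required` give no information about it. Uses only the standard
library; the secret is a constructed integer, standing in for a password.
"""
import secrets

PRIME = 2**127 - 1  # Mersenne prime; secrets must be smaller than this


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[k]*x^k modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, required, total):
    """Create `total` shares (x, y); any `required` of them recover `secret`.

    `required` is the number of agents needed to recover a key and `total`
    the number of designated agents, matching the two worksheet fields."""
    if not 1 <= required <= total:
        raise ValueError("required agents must be between 1 and the total")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a non-negative integer below PRIME")
    # A random polynomial of degree required-1 whose constant term is the secret
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(required - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, total + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given shares.

    With fewer than `required` distinct shares the result is a value that is
    not the secret; the arithmetic cannot detect this, which is why the number
    of agents required has to be enforced by the recovery application."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate shares")
    result = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        result = (result + yi * num * pow(den, -1, PRIME)) % PRIME
    return result


def demo(required=2, total=3):
    """Split a constructed random secret, then try recovery with exactly
    `required` shares and with one fewer.

    Returns (recovered_with_required, recovered_with_one_fewer)."""
    secret = secrets.randbelow(PRIME)
    shares = split_secret(secret, required, total)
    with_enough = recover_secret(shares[-required:]) == secret
    with_too_few = recover_secret(shares[:required - 1]) == secret
    return with_enough, with_too_few
```

Raising `required` from 2 to 3 means a single compromised agent account, or any two colluding agents, can no longer recover a key, at the cost that all three designated agents must be present for every legitimate recovery.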
Key-Pair Information for SSL Server Certificate
For domestic versions of Certificate Management System, available settings for RSA are 512, 1024, 2048, or custom, and available settings for DSA are 512, 1024, or custom.
A DN is a series of name-value pairs that in combination uniquely identify an entity. The subject DN identifies the SSL server certificate. You are not required to enter all the values, but you must enter the Organizational Unit (OU), such as your company name. The Organizational Unit is required because its absence causes Netscape Communicator 4.x to crash. For more information about distinguished names, see Appendix A, "Distinguished Names," in Netscape Certificate Management System Administrator's Guide.
You can specify the validity period for an SSL server certificate only if you are installing a Certificate Manager and you have decided to have that Certificate Manager issue the certificate. If the SSL server certificate is issued by a remote CA, its validity period is determined by the issuing CA.
Enter beginning and ending dates for the certificate's validity period.
You can specify the extensions for an SSL server certificate only if you are installing a Certificate Manager and you have decided to have that local Certificate Manager issue the certificate. If the SSL server certificate is issued by a remote CA, its extensions are determined by the issuing CA.
SSL server (Yes)_________
S/MIME CA (No)_________
Object-signing CA (No)_________
SSL CA (No)_________
If you decide to include the key usage extension, the keyEncipherment key usage bit is set by default. keyEncipherment covers RSA key exchange; if the server will also negotiate cipher suites in which it signs an ephemeral Diffie-Hellman exchange (DHE), the digitalSignature bit is needed as well.
If you are obtaining your SSL server certificate from another CA, you need to know where to submit your certificate request.
Enter the URL for the end-entity gateway of the Certificate Manager that will issue the SSL server certificate. For example, http://hostname:17006.