Complete Contents
About This Guide
PART 1: Overview and Demo Installation
Chapter 1 Introduction to Certificate Management System 4.0
Chapter 2 Default Demo Installation
PART 2: Planning and Installation
Chapter 3 Planning Your Deployment
Chapter 4 Installation Worksheet
Chapter 5 Installation and Configuration
Appendix A Migrating from Certificate Server 1.x
Appendix B Certificate Extensions
Appendix C Certificate Download Specification
Appendix D Using SSL with Enterprise Server 3.x
Appendix E Export Control Information
Glossary
Previous Next Contents Index Bookshelf


Chapter 4 Installation Worksheet

This chapter provides a worksheet to help you prepare for installing a single instance of Netscape Certificate Management System.

Print this chapter and make as many copies as you need. Fill out one copy for each CMS instance you plan to install and refer to it during the installation and configuration process. You should fill it in after you have read Chapter 3, "Planning Your Deployment." It is designed for easy reference while you are following the procedures described in Chapter 5, "Installation and Configuration."

Each completed worksheet contains sensitive information, such as passwords, that could severely compromise the security of your entire PKI if it falls into the wrong hands. Be sure to keep completed worksheets physically protected.

This chapter has the following sections:


Information for Unix Installation Script
The information summarized here must be provided once for each server root installation on a Unix system.

Installation Location

To install an instance of Certificate Management System, you must also install an Administration Server and Netscape Console application and have access to a configuration and user/group directory. For more information on the Netscape server environment, see Managing Servers with Netscape Console.

Configuration Directory

Do you want to register this software with an existing Netscape configuration directory server?

If you choose No, the Installation Wizard will create a new instance of Directory Server for use as the configuration directory for this server root.

If you choose Yes, you must also supply the following information about the existing configuration directory:

User/Group Directory Server

Do you want to use another directory to store your data?

If you choose No, the installation script either adds a user/group directory to the newly installed instance of Directory Server (if you answered no to the preceding question) or installs a new instance of Directory Server for use as a user/group directory.

If you choose Yes, you must also supply the following information:

Configuration Directory Settings

You need to provide the following information about the configuration directory, whether it is an existing one or a new one to be created by the Installation Wizard:

Administration Server Information

Certificate Management System Identifier

You must specify a unique identifier for the CMS server instance that you are installing.


Information for NT Installation Script
The information summarized here must be provided once for each server root installation.

Installation Directory

To install an instance of Certificate Management System, you must also install an Administration Server and Netscape Console application and have access to a configuration and user/group directory. For more information on the Netscape server environment, see Managing Servers with Netscape Console.

Configuration Directory Server

Choose one of these options:

If you choose to use an existing configuration directory, you must supply the following information:

User/Group Directory Server

Choose one of these options:

If you choose to use an existing directory, you must supply the following information:

Configuration Directory Settings

You need to provide the following information about the configuration directory, whether it is an existing one or a new one to be created by the Installation Wizard:

Configuration Directory Server Administrator

Directory Server Administration Domain

Directory Manager Settings

Administration Server Port

Certificate Management System Identifier

You must specify a unique identifier for the CMS server instance that you are installing.


Initial Configuration
For each instance of Certificate Management System that you create, you use the Installation Wizard to supply information about that instance's configuration. The information described in this section is required for each CMS instance, regardless of which subsystems you decide to install.

Internal Database

For each instance of Certificate Management System, a new instance of Netscape Directory Server is created on the local host to act as the internal (local) database. Each subsystem must have access to this local database to store certificates, certificate requests, keys, and other information. The Certificate Management System uses LDAP over SSL to communicate with its local database.

Administrator

Specify the CMS administrator. This person will be able to access the CMS window of Netscape Console and approve the first agent certificate.

Subsystems

Choose the subsystems you will install in this instance. You can choose Certificate Manager and Data Recovery Manager together, or Data Recovery and Registration Manager together, or you can choose any individual manager, but you cannot install Certificate Manager and Registration Manager together. The Certificate Manager can be configured to perform all Registration Manager functions, so it's not necessary or possible to install both managers in the same instance.

Remote Certificate Manager

If you are installing a Registration Manager, you need to provide the following information about the Certificate Manager to which the Registration Manager sends certificate requests:

Remote Data Recovery Manager

If you are installing a standalone Certificate Manager or Registration Manager, and if you have already installed a remote Data Recovery Manager that you want the new manager to use, you need to provide the following information about the Data Recovery Manager:

Network Configuration

Enter numbers for the ports to be used for various kinds of communications. On Unix, you must be root to assign ports less than 1024. The default values are well-known ports, which are used only if they are not already in use. If these defaults are not available, a randomly chosen port number is given as the default.

For a discussion of port assignments, see "Deployment Strategy and Port Assignments" in Chapter 3.


Certificate Manager Configuration
This section summarizes information required to configure a Certificate Manager as a root or subordinate CA (either by itself or as part of a joint installation with a Data Recovery Manager).

Server Migration from Certificate Server 1.x

If you are importing any certificates and keys previously created with Certificate Server 1.x, you must specify where they are, how to retrieve them, and where to put them. For information about migrating these files to Certificate Management System, see Appendix A, "Migrating from Certificate Server 1.x."

Migration Tool Output Files

Token for CA Signing Certificate

Token for SSL Server Certificate

CA Signing Certificate

When you install the Certificate Manager subsystem, you must supply information for the CA certificate that the Certificate Manager will use to sign the certificates it issues. This certificate also functions as the Certificate Manager's SSL client certificate.

Key-Pair Information for CA Signing Certificate

For a discussion of related issues, see "CA Signing Key Type and Length" in Chapter 3.

Subject Name for CA Signing Certificate

For a discussion of issues related to the subject name, see "CA's Distinguished Name" in Chapter 3.

Validity Period for CA Signing Certificate

You can specify the validity period for a self-signed CA signing certificate only. The validity period for a subordinate CA signing certificate is determined by the issuing CA.

Extensions for CA Signing Certificate

You can specify the extensions for a self-signed CA signing certificate only. Extensions for a subordinate CA signing certificate are specified by the issuing CA.

The default settings should work for most deployments. If necessary, you can add an additional extension by pasting its base-64 encoding in the space provided on this screen. For more information about extensions, see Appendix B, "Certificate Extensions."

Confirm that you want to include the following extensions. Check off all that apply; defaults are indicated in parentheses.

CA Signing Certificate Request

If you are installing a subordinate CA, you need to specify where to send your request for a CA signing certificate.

If you are submitting your certificate request to a third-party CA, follow the instructions provided by that CA.

If you are submitting your certificate request to another Certificate Manager, you need to know its URL:


Registration Manager Configuration
This section summarizes information required to configure a Registration Manager (either by itself or as part of a joint installation with a Data Recovery Manager).

Registration Manager Signing Certificate Request

When you install a Registration Manager subsystem, you must supply information for the certificate that the Registration Manager will use to sign certificate requests. This certificate also functions as the Registration Manager's SSL client certificate. The Installation Wizard formulates a certificate request on the basis of information you provide. It is possible for the CA that issues the certificate to overrule some of your decisions.

Key-Pair Information for Registration Manager Signing Certificate

Subject Name for Registration Manager Signing Certificate

Registration Manager Signing Certificate Issuer

If you are submitting your certificate request to a third-party CA, follow the instructions provided by that CA.

If you are submitting your certificate request to another Certificate Manager, you need to know its URL:

Enter the URL for the end-entity gateway of the Certificate Manager that will issue the subordinate CA's signing certificate. For example, http://hostname:17006.


Data Recovery Manager Configuration
This section summarizes information required to configure a Data Recovery Manager (either by itself or as part of a joint installation with a Certificate Manager or Registration Manager).

Transport Certificate

Key-Pair Information for Transport Certificate

For a discussion of issues related to key type and length, see "CA Signing Key Type and Length" in Chapter 3.

Subject Name for Transport Certificate

Validity Period for Transport Certificate

You can specify the validity period for a transport certificate only if you are installing the Certificate Manager and Data Recovery Manager at the same time and you want the Certificate Manager that you just installed issue the transport certificate. If the transport certificate is issued by a remote CA, its validity period is determined by the issuing CA.

Extensions for Transport Certificate

You can specify the extensions for a transport certificate only if you are installing the Certificate Manager and Data Recovery Manager at the same time and you have decided to have the Certificate Manager that you just installed issue the certificate. If the transport certificate is issued by a remote CA, its extensions are determined by the issuing CA.

The default settings should work for most deployments. If necessary, you can add an additional extension by pasting its base-64 encoding in the space provided on this screen. For more information about extensions, see Appendix B, "Certificate Extensions."

Confirm that you want to include the following extensions. Check off all that apply; defaults are indicated in parentheses.

Transport Certificate Request

If you are obtaining your transport certificate from a remote CA, you need to know where to submit your certificate request.

If you are submitting your transport certificate request to a third-party CA, follow the instructions provided by that CA.

If you are submitting your certificate request to a CMS Certificate Manager, you need to know its URL:

Storage Key and Recovery Agent Configuration

Storage Key Creation

Specify the length of the key that the Data Recovery Manager uses to encrypt end-entity encryption keys for storage.

Data Recovery Scheme - 1

The number of agents you enter here is determined by your organization's policies with respect to data recovery. If you enter a larger number than the default of 2 for the number of recovery agents required to recover a key, you're reducing the chances of inappropriate recovery but increasing the complexity of the recovery process.

Decide how you want to set up your m of n data recovery scheme (n > m):

Data Recovery Scheme - 2

Specify user IDs and passwords for the total number of designated recovery agents (see preceding section):


SSL Server Certificate Configuration
When you install an instance of Certificate Management System, you must supply information for the SSL server certificate used by that instance to identify itself. The same SSL certificate is shared by all subsystems installed in that instance.

SSL Server Certificate

Key-Pair Information for SSL Server Certificate

Subject Name for SSL Server Certificate

Validity Period for SSL Server Certificate

You can specify the validity period for an SSL server certificate only if you are installing a Certificate Manager and you have decided to have that Certificate Manager issue the certificate. If the SSL server certificate is issued by a remote CA, its validity period is determined by the issuing CA.

Extensions for SSL Server Certificate

You can specify the extensions for an SSL server certificate only if you are installing a Certificate Manager and you have decided to have that local Certificate Manager issue the certificate. If the SSL server certificate is issued by a remote CA, its extensions are determined by the issuing CA.

The default settings should work for most deployments. If necessary, you can add an additional extension by pasting its base-64 encoding in the space provided on this screen. For more information about extensions, see Appendix B, "Certificate Extensions."

Confirm that you want to include the following extensions. Check off all that apply; defaults are indicated in parentheses.

SSL Certificate Request

If you are obtaining your SSL server certificate from another CA, you need to know where to submit your certificate request.

If you are submitting your certificate request to a third-party CA, follow the instructions provided by that CA.

If you are submitting your certificate request to another Certificate Manager, you need to know its URL.


Single Sign-On Password
Before you exit the Installation Wizard, it asks you to specify a single signon password. This password simplifies the way you subsequently sign on to Certificate Management System by storing the passwords for the internal database and tokens. Each time you log on, you're required to enter just this single password.

 

© Copyright 1999 Netscape Communications Corp., a subsidiary of America Online, Inc. All rights reserved.