Netscape Netscape management system 6.0 Assembly instructions

Installation and Setup Guide

Netscape Certificate Management System

Version6.0

March 2002

Netscape Communications Corporation ("Netscape") and its licensors retain all ownership rights to the software programs offered by

Netscape (referred to herein as "Software") and related documentation. Use of the Software and related documentation is governed

by the license agreement for the Software and applicable copyright law.

Your right to copy this documentation is limited by copyright law. Making unauthorized copies, adaptations or compilation works is

prohibited and constitutes a punishable violation of the law. Netscape may revise this documentation from time to time without

notice.

THIS DOCUMENTATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN NO EVENT SHALL NETSCAPE BE

LIABLE FOR INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND ARISING FROM ANY

ERROR IN THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION ANY LOSS OR INTERRUPTION OF BUSINESS,

PROFITS, USE, OR DATA.

Netscape and the Netscape N logo are registered trademarks of Netscape Communications Corporation in the United States and

other countries. Other Netscape logos, product names, and service names are also trademarks of Netscape Communications

Corporation, which may be registered in some countries. Other product and brand names are the exclusive property of their

respective owners.

The downloading, exporting, or reexporting of Netscape software or any underlying information or technology must be in full

compliance with all United States and other applicable laws and regulations. Any provision of Netscape software or documentation

to the U.S. government is with restricted rights as described in the license agreement for that Software.

Contents

AboutThisGuide.............................................................. 23

What’sinThisGuide....................................................................23

WhatYouShouldAlreadyKnow .........................................................26

ConventionsUsedinThisGuide .........................................................27

WheretoGoforRelatedInformation......................................................28

Part 1 OverviewandDemoInstallation......................................... 31

Chapter 1 IntroductiontoCertificateManagementSystem.......................... 33

OverviewofKeyFeatures ...............................................................34

Flexibleend-entityregistrationservicesframework ....................................37

SystemOverview.......................................................................41

Public-KeyInfrastructure .............................................................43

CMSSubsystemsorManagers.........................................................44

CertificateManager ...............................................................45

RegistrationManager..............................................................47

DataRecoveryManager............................................................48

OnlineCertificateStatusManager ...................................................49

BasicSystemConfiguration ...........................................................50

Plug-inModules.....................................................................55

AuthenticationPlug-inModules ....................................................55

PolicyPlug-inModules ............................................................57

JobPlug-InModules...............................................................61

MapperandPublisherPlug-inModules ..............................................62

Event-DrivenNotifications............................................................64

AuxiliaryComponents ..................................................................64

Command-Line Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

CMSSDK...........................................................................65

4 Netscape Certificate Management System Installation and Setup Guide • March 2002

EntryPointsforVariousTypesofUsers ................................................... 66

AgentServicesInterface .............................................................. 68

CertificateManagerAgentServices ................................................. 68

RegistrationManagerAgentServices ................................................ 69

DataRecoveryManagerAgentServices.............................................. 70

OnlineCertificateStatusManagerAgentServicesInterface............................. 71

End-EntityServicesInterface.......................................................... 72

SystemArchitecture .................................................................... 73

PKCS#11........................................................................... 74

NSS................................................................................ 76

JSSandtheJava/JNILayer ........................................................... 76

Middleware/Java2Layers ........................................................... 76

AuthenticationandPolicyModules .................................................... 77

Standards Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

CertificateManagementFormatsandProtocols.......................................... 77

SecurityandDirectoryProtocols....................................................... 78

Chapter 2 CertificateEnrollmentandLife-CycleManagement ....................... 81

StepsinEnd-EntityEnrollment .......................................................... 81

SomeEnrollmentScenarios.............................................................. 84

FirewallConsiderations .............................................................. 84

Extranet/E-Commerce:ExampleCorp .................................................. 85

EnrollingExistingCustomers....................................................... 86

EnrollingNewCustomers.......................................................... 87

EnrollingExtranetUsers ........................................................... 89

PINRegistration:AtlasManufacturing ................................................. 91

VPNClientEnrollmentandRevocation ................................................ 93

RouterEnrollmentandRevocation..................................................... 96

EndEntitiesandLife-CycleManagement.................................................. 98

Life-CycleManagementFormatsandProtocols.......................................... 98

AccesstoSubsystems ................................................................ 99

HTMLFormsforEndUsers.......................................................... 101

NetscapePersonalSecurityManager .................................................. 102

Chapter 3 DefaultDemoInstallation ........................................... 105

SystemRequirements.................................................................. 105

OverviewoftheDefaultDemo.......................................................... 106

DemoPasswords ................................................................... 109

Installing the Default Demo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Step1.RuntheInstallationScript—UNIX............................................. 110

Step1.RuntheInstallationScript—WindowsNT....................................... 112

Step2.RuntheInstallationWizard ................................................... 120

Step3.GettheFirstUserCertificate ...................................................133

EnrollingfortheFirstAgentCertificate .............................................133

IfYouNeedtheFirstAgentFormAgain ............................................135

UsingtheDefaultDemo................................................................136

VerifytheInstallation ...............................................................136

ViewingIssuedCertificatesFromtheAgentGateway .................................137

EnrollingforaCertificateFromtheEnd-EntityGateway ..............................138

FindingandApprovingaCertificateRequest ........................................139

SettingYourBrowsertoUsetheAgentCertificate ....................................140

TestingYourNewCertificate ......................................................140

CreateaPolicy .....................................................................141

ConfiguringanRSAKeyLengthPolicy .............................................141

UseanLDAPDirectory..............................................................143

Step1.EnableDirectory-BasedAuthentication .......................................144

Step2.AddaUsertotheDirectory .................................................145

Step3.EnrollwithDirectory-BasedAuthentication ...................................147

PublishCertificatestoanLDAPDirectory..............................................148

ConfigurethePublishingDestination ...............................................149

SetRulesforPublishingCertificates ................................................150

UpdatethePublishingDirectory ...................................................152

SendRenewalReminders ............................................................153

ConfiguringaMailServerforCertificateManagementSystem .........................154

ConfiguringCertificateManagementSystemtoSendRenewalReminders ...............155

Part 2 PlanningandInstallation.............................................. 159

Chapter 4 Planning Your Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

TopologyDecisions....................................................................162

ServerGroupsandCMSInstances ....................................................162

SingleCertificateManager ...........................................................162

CertificateManagerandRegistrationManager .........................................163

CertificateManagerandDataRecoveryManager .......................................165

CertificateManager,DataRecoveryManager,andRegistrationManager...................167

ClonedCertificateManager ..........................................................169

CertificateAuthorityDecisions ..........................................................169

CA’sDistinguishedName ...........................................................170

CASigningKeyTypeandLength.....................................................170

CA Signing Certificate’s Validity Period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Self-SignedRootVersusSubordinateCA...............................................171

CAsandCertificateExtensions .......................................................172

CACertificateRenewalorReissuance .................................................172

6 Netscape Certificate Management System Installation and Setup Guide • March 2002

CryptographicTokenDecisions ......................................................... 173

PublishingDecisions .................................................................. 174

PublishingtoCertificatesandCRLstoFiles ............................................ 174

PublishingtoCertificatesandCRLstoaDirectory ...................................... 174

PublishingCRLstotheOnlineCertificateStatusManager ............................... 175

SubsystemCertificateDecisions......................................................... 176

SSLServerCertificates .............................................................. 176

CertificateManagerCertificates ...................................................... 177

RegistrationManagerCertificates..................................................... 177

DataRecoveryManagerCertificateandStorageKey .................................... 178

OnlineCertificateStatusManagerCertificates .......................................... 178

AuthenticationDecisions............................................................... 179

PolicyDecisions....................................................................... 179

DeploymentStrategyandPortAssignments .............................................. 180

Chapter 5 InstallationWorksheet.............................................. 183

InformationforUNIXInstallationScript ................................................. 184

InstallationLocation ................................................................ 184

ConfigurationDirectoryServer....................................................... 184

User/GroupDirectoryServer ........................................................ 185

ConfigurationDirectorySettings ..................................................... 185

AdministrationServerInformation ................................................... 186

CertificateManagementSystemIdentifier ............................................. 187

InformationforNTInstallationScript.................................................... 187

InstallationDirectory ............................................................... 187

ConfigurationDirectoryServer....................................................... 187

User/GroupDirectoryServer ........................................................ 188

ConfigurationDirectorySettings ..................................................... 189

ConfigurationDirectoryServerAdministrator ......................................... 189

DirectoryServerAdministrationDomain .............................................. 189

DirectoryManagerSettings .......................................................... 189

AdministrationServerPort .......................................................... 190

CertificateManagementSystemIdentifier ............................................. 190

InitialConfiguration................................................................... 190

TokenLogonorSingleSign-OnPassword ................................................ 191

InternalDatabase................................................................... 191

Administrator...................................................................... 191

Subsystems ........................................................................ 192

RemoteCertificateManager ......................................................... 192

RemoteDataRecoveryManager...................................................... 192

NetworkConfiguration ............................................................. 193

CertificateManagerConfiguration ...................................................... 193

CASigningCertificate .............................................................. 193

CA’sSerialNumberRange ........................................................193

Key-PairInformationforCASigningCertificate......................................194

SubjectNameforCASigningCertificate ............................................194

Validity Period for CA Signing Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

ExtensionsforCASigningCertificate ...............................................195

CASigningCertificateRequest .......................................................197

RegistrationManagerConfiguration .....................................................197

RegistrationManagerSigningCertificateRequest .......................................197

Key-PairInformationforRegistrationManagerSigningCertificate .....................197

SubjectNameforRegistrationManagerSigningCertificate ............................198

RegistrationManagerSigningCertificateIssuer.........................................199

DataRecoveryManagerConfiguration ...................................................199

TransportCertificate ................................................................199

Key-PairInformationforTransportCertificate .......................................199

SubjectNameforTransportCertificate..............................................200

Validity Period for Transport Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

ExtensionsforTransportCertificate ................................................201

TransportCertificateRequest.........................................................202

StorageKeyandRecoveryAgentConfiguration ........................................202

StorageKeyCreation .............................................................202

DataRecoveryScheme—1.........................................................203

DataRecoveryScheme—2.........................................................203

OnlineCertificateStatusManagerConfiguration ..........................................203

OnlineCertificateStatusManagerSigningCertificateRequest ............................204

Key-Pair Information for Online Certificate Status Manager Signing Certificate . . . . . . . . . . . 204

SubjectNameforOnlineCertificateStatusManagerSigningCertificate .................204

OnlineCertificateStatusManagerSigningCertificateIssuer ..............................205

ClonedCertificateManagerConfiguration................................................205

CASigningCertificate...............................................................206

CA’sSerialNumberRange ........................................................206

ClonedKeyandCertificateMaterial ................................................206

SSLServerKeyandCertificate .....................................................207

SSLServerCertificateConfiguration .....................................................207

SSLServerCertificate ...............................................................207

Key-PairInformationforSSLServerCertificate ......................................207

SubjectNameforSSLServerCertificate .............................................208

Validity Period for SSL Server Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

ExtensionsforSSLServerCertificate................................................209

SSLCertificateRequest ..............................................................210

Chapter 6 InstallingCertificateManagementSystem ............................. 211

InstallationOverview ..................................................................211

InstallationStages...................................................................212

8 Netscape Certificate Management System Installation and Setup Guide • March 2002

BeforeYouBegintheInstallation ..................................................... 213

Stage1.RunningtheInstallationScript................................................... 215

RunningtheInstallationScriptonUNIX............................................... 215

RunningtheInstallationScriptonWindowsNT ........................................ 218

Stage2.RunningtheInstallationWizard ................................................. 221

Installing the Certificate Manager as a Root CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

Installing the Certificate Manager as a Subordinate CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

Installing a Standalone Registration Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

Installing a Standalone Data Recovery Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Installing a Online Certificate Status Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260

Stage3.EnrollingforAdministrator/AgentCertificate ..................................... 271

AgentCertificateforaCertificateManager............................................. 271

AgentCertificateforOtherCMSManagers ............................................ 274

Stage4.FurtherConfigurationOptions .................................................. 277

Stage5.CreatingAdditionalInstancesorCAClones....................................... 278

Chapter 7 Installing and Uninstalling CMS Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279

Installing Multiple CMS Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280

CloningaCertificateManager .......................................................... 282

Step1.BeforeYouBegin............................................................. 283

Step2.CreateInstancesforCloneCAs ................................................ 285

Installing Clone CA in Master CA’s Server Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285

Installing Clone CA in a Different Server Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286

Installing Clone CA on a Separate Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

Step3.ShutdowntheMasterCA ..................................................... 287

Step4.CopyMasterCA’sCertificateandKeyDatabase ................................. 288

Step5.StarttheMasterCA .......................................................... 288

Step6.ConfiguretheCloneCA ...................................................... 289

Step8.EstablishTrustBetweenMasterCAandCloneCAs............................... 290

StepA.LocatetheMasterCA’sSSLServerCertificate................................. 290

StepB.CreateaPrivileged-UserEntryforCloneCAs ................................. 292

Step9.TestClone-MasterConnection ................................................. 295

StepA.RequestaCertificatefromtheCloneCA ..................................... 295

StepB.ApprovetheRequest ...................................................... 296

StepC.DownloadtheCertificatetotheBrowser ..................................... 296

StepD.RevoketheCertificate ..................................................... 297

StepE.CheckMasterCA’sCRLfortheRevokedCertificate ........................... 297

Step10.UseMasterCA’sAgentCertificateinCloneCAs ................................ 298

ViewingInstanceInformation .......................................................... 299

ChangingtheNameofanInstance ...................................................... 301

RemovinganInstanceFromaSystem.................................................... 302

UninstallingCertificateManagementSystem ............................................. 303

UninstallingFromtheCommandLine ................................................ 303

UninstallingbyUsingtheWindowsNTAdd/RemoveProgramsUtility ...................304

Chapter 8 Starting and Stopping CMS Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305

Significanceofpassword.confFile .......................................................306

StartingCertificateManagementSystem..................................................306

RequiredStart-upInformation........................................................307

StartingFromNetscapeConsole ......................................................308

StartingFromtheCommandLine.....................................................309

StartingFromtheWindowsNTServicesPanel..........................................310

StoppingCertificateManagementSystem.................................................310

StoppingFromNetscapeConsole .....................................................311

StoppingFromtheCommandLine....................................................312

StoppingFromtheWindowsNTServicesPanel ........................................312

RestartingCertificateManagementSystem................................................312

RestartingFromtheCMSWindow ....................................................313

RestartingFromtheCommandLine...................................................314

CheckingSystemStatus ................................................................314

AttendingtoanUnresponsiveServer ....................................................315

PasswordCache.......................................................................315

Password-QualityChecker .............................................................316

Part 3 Configuration ....................................................... 319

Chapter 9 Administration Tasks and Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

NetscapeConsole .....................................................................322

ConsoleTab........................................................................322

UsersandGroupsTab...............................................................323

NetscapeAdministrationServer ......................................................324

StartingAdministrationServer.....................................................325

ShuttingDownAdministrationServer ..............................................326

LoggingIntoNetscapeConsole .........................................................326

TheCMSWindow .....................................................................327

TasksTab..........................................................................329

ConfigurationTab ..................................................................329

StatusTab .........................................................................332

LoggingIntotheCMSWindow .........................................................333

Chapter 10 CMS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335

EffectsofInstallationTypeonConfiguration ..............................................335

DuplicatingConfigurationFromOneInstancetoAnother................................337

LocatingtheConfigurationFile..........................................................337

10 Netscape Certificate Management System Installation and Setup Guide • March 2002

ModifyingtheConfiguration ........................................................... 338

ChangingtheConfigurationFromtheCMSWindow.................................... 338

ChangingtheConfigurationbyEditingtheConfigurationFile............................ 338

Guidelines for Editing the Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339

SampleConfigurationFile ........................................................... 341

RoadMaptoConfiguringSubsystems ................................................... 354

Step1.CheckWhichSubsystemisInstalledintheInstance ............................ 355

Step2.CheckthePortNumbers ................................................... 355

Step3.VerifyKeyPairandCertificates ............................................. 355

Step4.SetupPrivilegedUsers..................................................... 355

Step5.CustomizeEnd-EntityandAgentForms...................................... 356

Step6.SetupAuthenticationforEndUsers.......................................... 356

Step7:EnableEvent-DrivenNotifications ........................................... 356

Step8.ScheduleJobs ............................................................. 357

Step9.SetupPolicies............................................................. 357

Step10.SetupPublishing......................................................... 357

Step11.SetupKeyArchivalandRecovery .......................................... 358

Step12.SetupLogging ........................................................... 358

Step13.PlanforBackingupCMSConfigurationandData ............................ 358

Chapter 11 SettingUpPorts .................................................. 359

CMSPorts............................................................................ 359

RemoteAdministrationPort ......................................................... 360

AgentPort......................................................................... 361

End-EntityPorts.................................................................... 361

ConfiguringPortNumbers ............................................................. 362

Step1.SpecifythePortNumber ...................................................... 362

Step2:SpecifyIPAddresses ......................................................... 364

Chapter 12 SettingUpInternalDatabase........................................ 365

InternalDatabase ..................................................................... 365

ConfiguringtheInternalDatabase....................................................... 366

Step1.IdentifytheDirectoryServerInstance........................................... 367

Step2.RestrictAccesstotheInternalDatabase ......................................... 368

Chapter 13 ManagingPrivilegedUsersandGroups .............................. 371

Privileged-User Types and Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372

Administrators..................................................................... 372

Agents ............................................................................ 373

Agent’sCertificateforSSLClientAuthentication..................................... 375

RevocationStatusCheckingofAgentCertificates .................................... 378

TrustedManagers .................................................................. 380

SubsystemsThatCanFunctionasTrustedManagers..................................381

ConnectorsforLinkingTrustedManagers ...........................................382

TrustedManager’sCertificateforSSLClientAuthentication ...........................383

GroupsandTheirPrivileges ............................................................384

GroupforAdministrators............................................................384

GroupsforAgents ..................................................................385

GroupforCertificateManagerAgents ..............................................385

GroupforRegistrationManagerAgents.............................................386

GroupforDataRecoveryManagerAgents ..........................................386

GroupforOnlineCertificateStatusManagerAgents ..................................387

GroupforTrustedManagers .........................................................387

SettingUpPrivilegedUsers.............................................................388

SettingUpAdministrators ...........................................................388

Step1.FindtheRequiredInformation ..............................................388

Step2.AddtheInformationtotheInternalDatabase..................................388

SettingUpAgents ..................................................................391

SettingupAgentsUsingtheAutomatedProcess .....................................391

SettingupAgentsUsingtheManualProcess.........................................392

SettingUpTrustedManagers.........................................................397

SettingupTrustedManagersUsingtheAutomatedProcess ...........................397

SettingUpaRegistrationManagerasaTrustedManager..............................398

SettingUpaCertificateManagerasaTrustedManager ...............................406

ChangingPrivileged-UserInformation ...................................................413

ChangingaPrivilegedUser’sLoginInformation ........................................413

ChangingaPrivilegedUser’sCertificate ...............................................414

ChangingMembersinaGroup .......................................................415

DeletingaPrivilegedUser ..............................................................416

Chapter 14 ManagingCMSKeysandCertificates ................................ 419

KeysandCertificatesfortheMainSubsystems ............................................420

CertificateManager’sKeyPairsandCertificates ........................................421

CASigningKeyPairandCertificate ................................................421

OCSPSigningKeyPairandCertificate ..............................................422

CRLSigningKeyPairandCertificate ...............................................423

SSLServerKeyPairandCertificate .................................................425

RegistrationManager’sKeyPairsandCertificates.......................................426

SigningKeyPairandCertificate....................................................426

SSLServerKeyPairandCertificate .................................................427

DataRecoveryManager’sKeyPairsandCertificates.....................................427

TransportKeyPairandCertificate..................................................428

StorageKeyPair .................................................................428

SSLServerKeyPairandCertificate .................................................429

OnlineCertificateStatusManager’sKeyPairsandCertificates ............................429

12 Netscape Certificate Management System Installation and Setup Guide • March 2002

OCSPSigningKeyPairandCertificate.............................................. 429

SSLServerKeyPairandCertificate................................................. 430

TokensforStoringCMSKeysandCertificates ............................................ 431

InternalToken ..................................................................... 431

ExternalToken ..................................................................... 432

Installing External Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432

ManagingTokensUsedbytheSubsystems ............................................ 434

ViewingTokens ................................................................. 434

ChangingaToken’sPassword ..................................................... 435

HardwareCryptographicAccelerators ................................................... 436

CertificateSetupWizard ............................................................... 436

UsingtheWizardtoRequestaCertificate.............................................. 437

Step1.SelecttheOperation ....................................................... 438

Step2.ChoosetheCertificate...................................................... 439

Step3.SpecifytheKey-PairInformation ............................................ 441

Step4.SpecifytheSubjectNamefortheCertificate ................................... 443

Step5.SpecifytheValidityPeriod.................................................. 444

Step6.SpecifyExtensions......................................................... 445

Step7.CopytheCertificateSigningRequest......................................... 447

Step8.ChecktheCertificateRequestStatus ......................................... 451

UsingtheWizardtoInstallaCertificateorCertificateChain ............................. 452

DataFormatsforInstallingCertificatesandCertificateChains ......................... 453

Step1.SelecttheOperation ....................................................... 454

Step2.SelecttheCertificateorCertificateChain ..................................... 455

Step3.SpecifytheLocationoftheCertificate ........................................ 456

Step4.ViewtheCertificateorCertificateChain ...................................... 458

Step5.InstalltheCertificateorCertificateChain ..................................... 458

Step6.VerifytheCertificateStatus ................................................. 459

ConfiguringtheServer’sSecurityPreferences ............................................. 459

ConfiguringtheServertoUseSeparateSSLServerCertificates ........................... 459

Step1.GettheRequiredSSLServerCertificates...................................... 460

Step2:UpdatetheConfiguration .................................................. 460

GettinganSSLClientCertificateforaSubsystem ....................................... 461

Setting Up Cipher Preferences for SSL Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462

SSLCiphersSupportedinCertificateManagementSystem ............................ 463

ConfiguringtheServertoUseSpecificCiphers ...................................... 464

GettingNewCertificatesfortheSubsystems.............................................. 465

Step1.PlanfortheNewCertificate ................................................... 466

Step2.RequesttheNewCertificate ................................................... 469

Step3.InstalltheNewCertificate..................................................... 469

Step4.DeploytheNewCertificate.................................................... 470

DeployingCertificateManager’sCASigningCertificate .............................. 470

DeployingRegistrationManager’sSigningCertificate ................................ 471

DeployingDataRecoveryManager’sTransportCertificate ............................472

DeployingaSubsystem’sSSLServerCertificate ......................................473

RenewingCertificatesfortheSubsystems.................................................474

Step1.PlanforCertificateRenewal ...................................................475

Step2.RenewtheExistingCertificate..................................................476

Step3.InstalltheRenewedCertificate .................................................477

Step4.DeploytheRenewedCertificate ................................................477

DeployingCertificateManager’sRenewedCASigningCertificate ......................478

DeployingRegistrationManager’sRenewedSigningCertificate ........................478

DeployingDataRecoveryManager’sRenewedTransportCertificate....................479

DeployingaSubsystem’sRenewedSSLServerCertificate .............................480

Step5.RestarttheServer.............................................................481

ManagingtheCertificateDatabase.......................................................481

ViewingtheCertificateDatabaseContent ..............................................482

DeletingaCertificateFromtheCertificateDatabase .....................................484

ChangingtheTrustSettingsofaCACertificate .........................................485

Installing a New CA Certificate in the Certificate Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487

Installing a CA Certificate Chain in the Certificate Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487

Chapter 15 SettingUpEnd-UserAuthentication ................................. 489

IntroductiontoAuthentication ..........................................................489

Privileged-UserAuthentication .......................................................490

AuthenticationofAdministrators ..................................................490

AuthenticationofAgents..........................................................492

End-EntityAuthentication ...........................................................495

AuthenticationofEndEntitiesDuringCertificateEnrollment ..........................495

AuthenticationofEndUsersDuringCertificateRenewal ..............................495

AuthenticationofEndUsersDuringCertificateRevocation ............................497

ConfiguringAuthenticationforEnd-UserEnrollment ......................................501

Step1.BeforeYouBegin .............................................................502

Step2.SetUptheDirectoryforPIN-BasedEnrollment...................................503

StepA.ChecktheDirectoryforUserEntries .........................................503

StepB.UpdatetheDirectory.......................................................504

StepC.PreparetheInputFile ......................................................505

StepD.RuntheCommandWithouttheWriteOption .................................505

StepE.ChecktheOutputFile ......................................................506

StepF.RuntheCommandAgainwiththeWriteOption...............................506

Step3.EnabletheAttributePresentConstraintsPolicy....................................506

Step4:AddanAuthenticationInstance ................................................509

Step5.SetUptheEnrollmentInterface ................................................514

StepA.AssociatetheAuthenticationInstanceWiththeEnrollmentForm ................514

StepB.CustomizetheForm .......................................................515

StepC.HookUptheCertificate-BasedEnrollmentForm ..............................515

14 Netscape Certificate Management System Installation and Setup Guide • March 2002

StepD.RemoveUnwantedEnrollmentOptions...................................... 518

Step6.EnableEnd-EntityInteraction.................................................. 519

EnablingEnd-EntityInteractionwithaCertificateManager ........................... 519

EnablingEnd-EntityInteractionwithaRegistrationManager.......................... 521

Step7.TurnonAutomatedNotification ............................................... 522

Step8.TestYourAuthenticationSetup ................................................ 522

Step9.DeliverPINstoEndUsers..................................................... 523

ManagingAuthenticationInstances ..................................................... 524

DeletinganAuthenticationInstance .................................................. 524

ModifyinganAuthenticationInstance................................................. 525

ManagingAuthenticationPlug-inModules............................................... 527

RegisteringanAuthenticationModule ................................................ 527

DeletinganAuthenticationModule................................................... 529

Chapter 16 Setting Up Automated Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531

AutomatedNotifications ............................................................... 531

NotificationsofCertificateIssuancetoEndEntities ..................................... 532

NotificationofNewRequestinQueue ................................................ 533

CustomizingNotificationMessages ..................................................... 534

TemplatesforEvent-TriggeredNotifications ........................................... 534

CustomizingMessageTemplates ..................................................... 536

TokensAvailableinMessageTemplates ............................................... 537

TokensforCertificateIssuanceNotificationstoEndEntities ........................... 537

TokensforRejectionNotificationstoEndEntities .................................... 538

TokensforRequestInQueueNotificationMessages .................................. 539

ConfiguringaSubsytemtoSendNotifications ............................................ 539

Step1.BeforeYouBegin............................................................. 540

Step2.TurnOnCertificate-IssuanceNotification ....................................... 540

Step3.TurnonRequestinQueueNotification ......................................... 541

Step4.VerifyMailServerSettings .................................................... 543

Step5.TestYourConfiguration ...................................................... 544

Chapter 17 Scheduling Automated Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545

ConfiguringaSubsystemtoRunAutomatedJobs ......................................... 545

Step1.BeforeYouBegin............................................................. 546

Step2.ModifyExistingJobs ......................................................... 546

Step3.DeleteUnwantedJobs ........................................................ 549

Step4.AddNewJobs ............................................................... 549

Step5.ScheduletheFrequency....................................................... 553

Step6.VerifyMailServerSettings .................................................... 554

Step7.TestYourConfiguration ...................................................... 555

ManagingJobPlug-inModules ......................................................... 555

RegisteringaJobModule ............................................................556

DeletingaJobModule...............................................................557

Chapter 18 SettingUpPolicies................................................ 559

IntroductiontoPolicy ..................................................................559

WhatIsPolicy? .....................................................................560

PolicyRules........................................................................561

TypesofPolicyRules .............................................................561

UsingPredicatesinPolicyRules ......................................................562

ExpressionSupportforPredicates ..................................................562

AttributesforPredicates ..........................................................564

PolicyProcessor ....................................................................568

ConfiguringPolicyRulesforaSubsystem ................................................569

Step1.BeforeYouBegin .............................................................570

Step2.ModifyExistingPolicyRules...................................................570

Step3.DeleteUnwantedPolicyRules .................................................574

Step4.AddNewPolicyRules ........................................................574

Step5.ReorderPolicyRules..........................................................579

Step6.RestarttheServer.............................................................580

Step7.TestPolicyConfiguration......................................................580

StepA.EnrollforaCertificate .....................................................580

StepB.ApprovetheRequest.......................................................581

StepC.ChecktheCertificateDetails ................................................581

UsingJavaScriptforPolicies ............................................................582

ManagingPolicyPlug-inModules .......................................................582

RegisteringaPolicyModule..........................................................582

DeletingaPolicyModule ............................................................584

Chapter 19 Setting Up LDAP Publishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585

PublishingofCertificatestoaDirectory ..................................................585

TimingofDirectoryUpdates .........................................................587

DirectoryUpdateProcess ............................................................589

DirectorySynchronization ...........................................................590

PublishingofCRLs ....................................................................590

What’saCRL?......................................................................591

ReasonsforRevokingaCertificate ....................................................592

RevocationCheckingbyNetscapeClients..............................................593

RevocationCheckingbyNetscapeServers .............................................593

PublishingofCRLstoanLDAPDirectory..............................................594

CRLIssuingPoints..................................................................595

ConfiguringaCertificateManagertoPublishCertificatesandCRLs..........................595

Step1.BeforeYouBegin .............................................................596

16 Netscape Certificate Management System Installation and Setup Guide • March 2002

Step2.SetUptheDirectoryforPublishing............................................. 598

StepA.VerifytheDirectorySchema................................................ 598

StepB.AddanEntryfortheCA ................................................... 599

StepC.IdentifyanEntryThatHasWriteAccess ..................................... 601

StepD.VerifyEntriesforEndEntities .............................................. 601

StepE.SpecifytheDirectoryAuthenticationMethod ................................. 602

StepF.ModifytheCertificateMappingFile ......................................... 612

StepG.RestartDirectoryServer ................................................... 616

Step3.ConfiguretheCertificateManagertoPublishCertificates.......................... 616

StepA.ModifytheDefaultMappers,Publishers,andPublishingRules ................. 616

StepB.AddMappers,Publishers,andPublishingRules............................... 622

Step4.ConfiguretheCertificateManagertoPublishCRLs ............................... 628

StepA.SpecifyCRLDetails ....................................................... 629

StepB.SettheCRLExtensions..................................................... 631

StepC.CreateaMapperfortheCRL ............................................... 632

StepD.CreateaPublisherfortheCRL.............................................. 633

StepE.CreateaPublishingRulefortheCRL ........................................ 635

Step5.IdentifythePublishingDirectory............................................... 636

Step6.TestCertificateandCRLPublishing ............................................ 638

StepA.DecideaDirectoryEntryforRequestingaCertificate .......................... 639

StepB.RequestaCertificate ....................................................... 639

StepC.ApprovetheRequest ...................................................... 639

StepD.DownloadtheCertificatetotheBrowser ..................................... 640

StepE.CheckiftheDirectoryHastheCertificate..................................... 640

StepF.RevoketheCertificate...................................................... 641

StepG.ChecktheDirectoryfortheCRL ............................................ 642

ManuallyUpdatingCertificatesandCRLsinaDirectory ................................... 642

ManuallyUpdatingCertificatesintheDirectory ........................................ 643

ManuallyUpdatingtheCRLintheDirectory........................................... 644

Chapter 20 Publishing Certificates and CRLs to a File . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647

ConfiguringCertificateManagertoPublishtoFiles........................................ 647

Step1.BeforeYouBegin............................................................. 648

Step2.ConfiguretheCertificateManager.............................................. 649

StepA.CreateaPublisherfortheFile .............................................. 649

StepB.CreatePublishingRulesforCertificates ...................................... 651

StepC.CreateaPublishingRuleforCRLs........................................... 653

StepD.SpecifyCRLDetails ....................................................... 654

StepE.SettheCRLExtensions..................................................... 656

StepF.MakeSurePublishingisEnabled ............................................ 658

Step3.TestPublishing .............................................................. 658

StepA.RequestaCertificate....................................................... 658

StepB.ApprovetheRequest ...................................................... 659

StepC.DownloadtheCertificatetotheBrowser......................................660

StepD.ChecktheFilefortheCertificate.............................................660

StepE.RevoketheCertificate ......................................................662

StepF.ChecktheFilefortheCRL ..................................................663

ManagingMapperandPublisherPlug-inModules.........................................665

RegisteringaMapperorPublisherModule.............................................665

DeletingaMapperorPublisherModule ...............................................667

Chapter 21 Setting Up an OCSP Responder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669

What’sanOCSP-CompliantPKISetup? ..................................................670

HowtoGetanOCSPResponder? .....................................................672

HowCertificateManager’sOCSP-ServiceFeatureWorks ..............................672

HowOnlineCertificateStatusManagerWorks.......................................673

HowtoGetOCSP-CompliantClients? .................................................674

SettingUpaCertificateManagerwithOCSPService .......................................675

Step1.BeforeYouBegin .............................................................675

Step2.InstallOCSP-CompliantClient .................................................676

SettingUpNetscape6xforOCSP-BasedCertificateValidation .........................676

Setting Up Personal Security Manager for OCSP-Based Certificate Validation . . . . . . . . . . . . 677

Step3.EnableCertificateManager’sHTTPPort.........................................679

Step4.ConfigureCertificateManagerforExtensions ....................................679

Step5.RestarttheCertificateManager.................................................682

Step6.TestYourCA’sOCSPServiceSetup.............................................682

StepA.TurnOnRevocationCheckingintheBrowser.................................683

StepB.RequestaCertificate .......................................................683

StepC.ApprovetheRequest ......................................................684

StepD.DownloadtheCertificatetotheBrowser .....................................684

StepE.MakeSuretheCAisTrustedbytheBrowser ..................................685

StepF.VerifytheCertificateintheBrowser..........................................685

StepG.ChecktheStatusofCertificateManager’sOCSPService ........................685

StepH.RevoketheCertificate .....................................................686

StepI.VerifytheCertificateintheBrowser ..........................................686

StepJ.ChecktheCertificateManager’sOCSPServiceStatusAgain .....................687

SettingUpaRemoteOCSPResponder ...................................................687

Step1.BeforeYouBegin .............................................................689

Step2.InstallanOCSP-CompliantClient ..............................................690

Step3.IdentifytheCAtotheOCSPResponder .........................................690

Step4.ConfiguretheCertificateManagertoPublishCRLs ...............................692

StepA.SpecifyCRLFormatandPublishingInterval ..................................693

StepB.SettheCRLExtensions .....................................................694

StepC.CreateaPublisherfortheCRL ..............................................695

StepD.CreateaPublishingRulefortheCRL ........................................697

StepE.MakeSurePublishingisEnabled ............................................699

18 Netscape Certificate Management System Installation and Setup Guide • March 2002

Step5.ConfigureCertificateManagerforRequiredExtensionPolicies..................... 700

Step6.ConfiguretheOnlineCertificateStatusManager ................................. 702

Step7.RestarttheCertificateManager ................................................ 706

Step8.RestarttheOnlineCertificateStatusManager .................................... 707

Step 9. Verify Certificate Manager and Online Certificate Status Manager Connection . . . . . . . 707

Step10.TestYourOCSPResponderSetup ............................................. 708

StepA.TurnOnRevocationChecking .............................................. 708

StepB.RequestaCertificate ....................................................... 709

StepC.ApprovetheRequest ...................................................... 709

StepD.DownloadtheCertificatetotheBrowser ..................................... 710

StepE.MakeSuretheCAisTrustedbytheBrowser.................................. 710

StepF.VerifytheCertificateintheBrowser ......................................... 711

StepG.ChecktheStatusofOnlineCertificateStatusManager ......................... 711

StepH.RevoketheCertificate ..................................................... 712

StepI.VerifytheCertificateintheBrowser.......................................... 712

StepJ.ChecktheOnlineCertificateStatusManagerStatusAgain....................... 712

Chapter 22 SettingUpKeyArchivalandRecovery ............................... 715

PKISetupforKeyArchivalandRecovery ................................................ 715

ClientsThatCanGenerateDualKeyPairs ............................................. 716

DataRecoveryManager ............................................................. 716

FormsforUsersandKeyRecoveryAgents............................................. 717

KeyArchivalProcess .................................................................. 717

WhyYouShouldArchiveKeys....................................................... 717

WheretheKeysareStored........................................................... 718

HowKeyArchivalWorks ........................................................... 719

KeyRecoveryProcess.................................................................. 721

KeyRecoveryAgentsandTheirPasswords ............................................ 721

SecretSharingofStorageKeyPassword ............................................ 721

InterfacefortheKeyRecoveryProcess.............................................. 722

LocalVersusRemoteKeyRecoveryAuthorization ................................... 723

HowAgent-InitiatedKeyRecoveryWorks............................................. 724

KeyRecoveryAgentScheme......................................................... 727

ChangingtheKeyRecoveryAgentScheme.......................................... 727

ChangingKeyRecoveryAgents’Passwords......................................... 729

ConfiguringKeyArchivalandRecoveryProcess .......................................... 731

Step1.SetUptheKeyArchivalProcess ............................................... 731

StepA.DeployClientsThatCanGenerateDualKeyPairs............................. 732

StepB.ConnecttheEnrollmentAuthorityandtheDataRecoveryManager.............. 732

StepC.CustomizetheCertificateEnrollmentForm................................... 733

StepD.ConfigureKeyArchivalPolicies ............................................ 737

Step2.SetUptheKeyRecoveryProcess ............................................... 738

StepA.VerifythemofnScheme .................................................. 738

StepB.FacilitatetheKeyRecoveryAgentstoChangethePasswords....................739

StepC.DeterminetheAuthorizationModeforKeyRecovery ..........................739

StepD.CustomizetheKeyRecoveryForm ..........................................739

StepE.ConfigureKeyRecoveryPolicies ............................................739

Step3.TestYourKeyArchivalandRecoverySetup .....................................740

StepA.TestYourKeyArchivalSetup...............................................740

StepB.VerifytheKey.............................................................742

StepC.DeletetheCertificate.......................................................742

StepD.TestYourKeyRecoverySetup ..............................................742

StepD.RestoretheKeyintheBrowser’sDatabase....................................743

Chapter 23 ManagingCMSLogs .............................................. 745

IntroductiontoLogs ...................................................................745

LogsMaintainedbytheServer .......................................................746

ServicesThatAreLogged ............................................................747

LogLevels(MessageCategories)......................................................748

LogFileLocations ..................................................................749

LogFileNamingConventions ........................................................750

ActiveLogFileNamingConvention ................................................750

RotatedLogFileNamingConvention...............................................750

BufferedVersusUnbufferedLogging..................................................750

RotationofLogFiles ................................................................751

TimingofLogFileRotation........................................................751

LocationofRotatedLogFiles ......................................................752

DeletionofLogFiles ................................................................752

HowtoConserveDiskSpace ......................................................752

TimingofLogFileDeletion........................................................752

ConfiguringCMSLogs.................................................................753

Step1.BeforeYouBegin .............................................................753

Step2.ModifytheExistingListeners ..................................................753

Step3.DeleteUnwantedListeners ....................................................755

Step4.CreateNewListeners .........................................................756

MonitoringCMSLogs..................................................................759

MonitoringSystemLogs .............................................................760

MonitoringErrorLogs...............................................................762

MonitoringAuditLogs ..............................................................764

UsingSystemToolsforMonitoringtheServer(WindowsNTOnly) .......................766

LoggingtoWindowsNTEventLog ................................................767

UsingEventViewer ..............................................................767

Avoiding Event Log From Getting Filled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 768

ArchivingofRotatedLogFiles ..........................................................769

SigningLogFiles ...................................................................770

ManagingLogModules ................................................................772

20 Netscape Certificate Management System Installation and Setup Guide • March 2002

RegisteringaLogModule ........................................................... 772

DeletingaLogModule .............................................................. 773

Part 4 IssuingandManagingCertificates ......................................775

Chapter 24 IssuingandManagingServerCertificates............................. 777

CertificateIssuancetoServers .......................................................... 777

HowtheManualServerEnrollmentProcessWorks ..................................... 778

GettingServerSSLCertificatesforNetscapeServers ....................................... 780

GettingCertificatesforVersion3.xServers............................................. 780

Step1.GeneratetheServerCertificateRequest....................................... 781

Step2.SubmittheServerCertificateRequest ........................................ 782

Step3.InstallYourServer’sSSLCertificate .......................................... 783

Step4.AcceptaCAasTrustedinYourServer ....................................... 783

Step5.VerifyYourServer’sSSLandCACertificates.................................. 785

GettingCertificatesforNetscapeVersion4.xServers .................................... 785

RenewalofServerCertificates .......................................................... 787

RevocationofServerCertificates ........................................................ 787

Chapter 25 SettingUpCEPEnrollment ......................................... 789

CEPEnrollment....................................................................... 789

SettingupCEPEnrollmentManually .................................................... 790

Step1.SetuptheDirectoryforPublishingCertificatesandCRLs ......................... 791

Step2.ConfiguretheCertificateManagerforPublishingCertificatesandCRLs............. 792

Step3.SetUpAutomatedEnrollment ................................................. 795

Step4.SetUpMultipleCEPServices.................................................. 799

CertificateIssuancetoRoutersorVPNClients ............................................ 800

Step1.BeforeYouBegin............................................................. 801

Step2.GeneratetheKeyPairfortheRouter............................................ 802

Step3.RequesttheCA’sCertificate ................................................... 803

Step4.SubmittheCertificateRequesttotheCA ........................................ 803

Example........................................................................... 804

Part 5 Appendix ...........................................................807

Appendix A CertificateDownloadSpecification.................................. 809

DataFormats ......................................................................... 809

BinaryFormats..................................................................... 809

TextFormats....................................................................... 810

This manual suits for next models

Table of contents

Other Netscape Software manuals

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 4.5 - AGENT GUIDE User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.0 -... User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.1 -... Service manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.01 - PLUG-IN User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 7.0 - AGENT GUIDE User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.0 - AGENT GUIDE User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 7.0 -... User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.1 -... User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.1 - AGENT GUIDE User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.01 -... User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.01 -... User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 4.5 -... User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.01 - AGENT... User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.0 -... User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 4.5 - CUSTOMIZATION... User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 4.5 - PLUG-IN User manual

Netscape

Netscape NETSCAPE DIRECTORY SERVER 6.01 Assembly instructions

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.2 -... User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.0 - PLUG-IN User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 7.0 -... User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 4.5 Assembly instructions

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.2 - AGENT GUIDE User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.2 -... Service manual

Popular Software manuals by other brands

F-SECURE

F-SECURE ANTI-VIRUS - FOR MICROSOFT EXCHANGE Administrator's guide

Ulead

Ulead PHOTO EXPLORER VERSION 8.0 user guide

Red Hat

Red Hat NETWORK SATELLITE 5.0.0 - installation guide

Kodak

Kodak 8342693 - Capture Software - PC user guide

Panasonic

Panasonic WV-ASC970 operating instructions

Epson

Epson BrightLink 455Wi Operation guide

Kyocera

Kyocera KM-4800w user manual

Avaya

Avaya IP Office Phone Manager Application notes

Lenovo

Lenovo ThinkCentre A62 Deployment guide

GRASS VALLEY

GRASS VALLEY MEDIAEDGE-SVS4 datasheet

Brother

Brother BES Lettering installation guide

Red Hat

Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT Deployment guide

Mylex

Mylex PCI Disk Array Controller Drivers 08P4100 Installation and user guide

Pioneer

Pioneer CNDV-800HD Upgrade instructions and operation manual addendum

Nortel

Nortel Quality Monitoring Quick reference guide

Nero

Nero Nero Express 9 manual

McAfee

McAfee VIRUSSCAN 4.5 - Administrator's guide

Adobe

Adobe 65048599 quick start guide

Netscape NETSCAPE MANAGEMENT SYSTEM 6.0 Assembly instructions

Popular Software manuals by other brands