Netscape Certificate Management System Installation and Deployment Guide: Installation and Configuration


Chapter 5 Installation and Configuration

This chapter describes the procedure for installing a Certificate Management System instance. If you are migrating from a previous Certificate Server 1.x installation, first see Appendix A, "Migrating from Certificate Server 1.x."

Before you use this chapter to guide you through an installation, you should have read Chapters 1 through 3 and filled out the worksheet provided by Chapter 4, "Installation Worksheet."

This chapter contains the following sections:


Installation Overview
Before you begin installation, make sure your system meets the requirements listed in "System Requirements" in Chapter 2.

The installation process installs the Netscape Administration Server, Netscape Console, and Netscape Directory Server, as well as Netscape Certificate Management System. You typically create two instances of Directory Server: the first is for the configuration directory used by the local Administration Server; the second is used by Certificate Management System itself for its internal database.

You must have an Administration Server in each server root directory. Administration Server can use a local configuration directory or refer to an existing configuration directory installed elsewhere. You must install the Certificate Management System internal database directory locally.

The initial installation script installs Netscape Console and the binaries for the servers, and it creates and starts instances of Administration Server and Directory Server. After running the initial script, you use the Installation Wizard to create and configure instances of Certificate Management System. The wizard helps you through the configuration process of choosing subsystems and creating the necessary keys and certificates.

Installation Stages

Installing Certificate Management System in a single server root directory involves four stages:


Stage 1: Running the Installation Script
The setup program extracts files for the Administration Server, Directory Server, Netscape Console, and Certificate Management System and installs the binaries under the server root directory you have specified. It creates one instance of the Administration Server, one instance of the Directory Server, and one instance of the Certificate Management System, which is not yet configured. The setup program also installs Netscape Console and automatically starts the Administration Server and Directory Server.

As you run the initial installation script, the program stores your configuration choices and generates an initialization file, or installation cache. As installation proceeds, the initialization file records your choices so far. As a result, you can stop the installation process and restart it as necessary. Your choices up to the point at which you stopped the installation are automatically restored from the initialization file, and the installation prompts resume at the point at which you left off.

This initialization file applies only to the installation of the Administration Server and Directory Server. If you want to use the file to do additional "silent" installations, see the documentation for these servers.

Running the Installation Script on Unix

To run the installation script on Unix, follow these steps:

  1. Log in as root to install the servers on a Unix system. This is recommended, but not required. If you are not root, you can install only a local version in a directory to which you have write access, using ports higher than 1024; you are then the administrator for all services.
  2. Change to the directory on the distribution CD, and run the setup program.
  3. Answer the questions that the script asks. You should have previously collected the requested information in the section "Information for Unix Installation Script" of Chapter 4, "Installation Worksheet." Most questions have a default answer shown in square brackets before the prompt. To accept the default answer, press Enter at the prompt.
Answer the questions for a typical installation as follows:

  1. Would you like to continue with setup? [Yes]: Press Enter.
  2. Do you agree to the license terms? [No]: Type yes and press Enter.
  3. Select the items you would like to install [1]: Accept the default to install the Netscape servers.
  4. Install location [/usr/netscape/server4]: Enter a full pathname to the location where you want to install the servers. The location that you enter must be different from the directory from which you are running the setup program. You must have write access to the directory. If the directory that you specify does not exist, the setup program creates it for you.
  5. Specify the components you wish to install [All]: Accept the default value, All, to accept the default server product components.
  6. Specify the components you wish to install [1,2,3]: Enter the numbers corresponding to the server product components you wish to install, or press Enter to accept the default components.
  7. Specify the components you wish to install [1,2]: Enter the numbers corresponding to the Directory Suite components you wish to install, or press Enter to accept the default components.
  8. Specify the components you wish to install [1,2]: Enter the numbers corresponding to the Administration Services components you wish to install, or press Enter to accept the default components.
  9. Specify the components you wish to install [1,2]: Enter the numbers corresponding to the CMS components you wish to install, or press Enter to accept the default components.
  10. Computer name [myhost.mydomain.com]: Accept the default value to install on the local machine. Do not attempt to install remotely.
  11. System User [nobody]: Enter the user ID that the configuration directory will run as. Where your system supports it, accept the default user, nobody, creating that user as necessary.
  12. System Group [nobody]: Enter the group that the configuration directory will run as. Where your system supports it, accept the default group, nobody, creating that group as necessary.
  13. Do you want to register this software with an existing Netscape configuration directory server? [No]: If you accept the default setting, the installation script installs a new instance of Directory Server for use as a configuration directory.

    You can also choose to use a previously installed configuration directory. In this case, select "Use existing configuration directory server," then fill in the values that identify and provide access to the previously installed directory.

  14. Do you want to use another directory to store your data? [No]: If you accept the default setting, the installation script either adds a user/group directory to the newly installed instance of Directory Server (if you accepted the default in step 13) or installs a new instance of Directory Server for use as a user/group directory.

    You can also choose to use a previously installed user/group directory. In this case, enter Yes, then fill in the values that identify and provide access to the previously installed directory.

  15. Directory server network port [random #]: Accept the default, which is either 389 or a randomly generated number, or enter any port number that is not and will not be used for another purpose.

    If you are using an existing configuration directory, enter its port number.

  16. Directory server identifier [myhost]: Enter a unique identifier for the new instance of the configuration directory.

    If you are using an existing configuration directory, enter its identifier.

  17. Netscape configuration directory server administrator ID [admin]: Enter the name and password of the user who will authenticate to Netscape Console with full privileges. The password must be at least eight characters long.

    If you are using an existing configuration directory, enter its administrator ID and password.

  18. Suffix [o=mydomain.com]: Accept the default value for the suffix, or base DN, to be used for the directory tree.
  19. Directory Manager DN [cn=Directory Manager]: Enter the distinguished name (DN) and password of the directory manager for the configuration directory. The password must be at least eight characters long.

    This DN can be short and does not need to conform to any suffix configured for your directory. It also should not correspond to an actual entry stored in your directory.

  20. Administration Domain [mydomain.com]: Accept the default value. This domain name identifies the collection of servers that use the same configuration directory.
  21. Administration port [random #]: Accept the default port number, which is randomly generated, or enter any port number that is not and will not be used for another purpose.
  22. Run Administration Server as [current login]: Enter the user ID for the Administration Server process. If you are running as root, you can accept the default to run the server as root.
  23. Certificate Management System identifier [certificate]: Enter a unique identifier for the new instance of Certificate Management System.

The script extracts and installs the binaries for all of the servers in the server root directory and creates and starts instances of the Administration Server and Directory Server.

When you have completed the installation script, you can complete the installation and configuration of the CMS instance by running the Installation Wizard. See Stage 2: Using the Installation Wizard.
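The prompts above state several constraints that are easy to get wrong when filling in the worksheet: a non-root installer is limited to ports above 1024, the install location must differ from the directory holding the setup program and must be writable, the administrator and Directory Manager passwords must be at least eight characters, no two services can share a port, and the Directory Manager DN should not be a real entry under the suffix. The following pre-flight checker is an added example, not part of the Netscape setup program; the dictionary key names (directory_port, admin_port, cms_ee_port, and so on) are this example's own choice, and the sample answers are constructed to contain deliberate mistakes.

```python
"""Pre-flight check for the answers planned for the Unix installation script.

Added example; not part of the Netscape CMS setup program. It encodes the
constraints the script's prompts state. Key names in the answers dict are this
example's own convention.
"""
import os
import tempfile
from typing import Dict, List

MIN_PASSWORD_LEN = 8             # required for the admin and Directory Manager passwords
UNPRIVILEGED_PORT_FLOOR = 1025   # non-root installs must use ports higher than 1024


def _nearest_existing_dir(path: str) -> str:
    """Walk up from path to the closest directory that already exists."""
    while not os.path.isdir(path):
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return path


def check_answers(answers: Dict[str, object], is_root: bool) -> List[str]:
    """Return the problems found in the planned answers; an empty list means OK."""
    problems: List[str] = []

    # Ports: valid TCP port, unique across services, above 1024 unless root.
    assigned: Dict[int, str] = {}
    for name, port in answers.items():
        if not name.endswith("_port"):
            continue
        if not isinstance(port, int) or not 1 <= port <= 65535:
            problems.append(f"{name}: {port!r} is not a valid TCP port")
            continue
        if not is_root and port < UNPRIVILEGED_PORT_FLOOR:
            problems.append(f"{name}: port {port} needs root; use a port above 1024")
        if port in assigned:
            problems.append(f"{name}: port {port} already assigned to {assigned[port]}")
        else:
            assigned[port] = name

    # Passwords: the prompts require at least eight characters.
    for name in ("admin_password", "directory_manager_password"):
        if len(str(answers.get(name, ""))) < MIN_PASSWORD_LEN:
            problems.append(f"{name}: must be at least {MIN_PASSWORD_LEN} characters")

    # Install location: not the setup program's directory, and writable
    # (or creatable under a writable existing parent).
    install = os.path.abspath(str(answers.get("install_location", "")))
    setup_dir = os.path.abspath(str(answers.get("setup_dir", "")))
    if install == setup_dir:
        problems.append("install_location: must differ from the setup program's directory")
    target = _nearest_existing_dir(install)
    if not os.access(target, os.W_OK):
        problems.append(f"install_location: no write access to {target}")

    # Directory Manager DN: the prompt says it should not be an actual entry in the tree.
    dm_dn = str(answers.get("directory_manager_dn", "")).lower().replace(" ", "")
    suffix = str(answers.get("suffix", "")).lower().replace(" ", "")
    if suffix and dm_dn.endswith("," + suffix):
        problems.append("directory_manager_dn: lies under the directory suffix; use a DN outside the tree")

    return problems


def example_answers() -> Dict[str, object]:
    """Constructed sample answers (not from the guide) containing deliberate mistakes."""
    base = tempfile.gettempdir()
    return {
        "setup_dir": os.path.join(base, "cdrom"),
        "install_location": os.path.join(base, "netscape", "server4"),
        "directory_port": 389,               # privileged: only valid when installing as root
        "admin_port": 8080,
        "cms_ee_port": 8080,                 # collides with admin_port
        "admin_password": "short",           # fewer than eight characters
        "directory_manager_password": "c0rrect-horse-battery",
        "suffix": "o=mydomain.com",
        "directory_manager_dn": "cn=Directory Manager",
    }


if __name__ == "__main__":
    for problem in check_answers(example_answers(), is_root=False):
        print("PROBLEM:", problem)
```

Run it once with the answers you intend to type; every problem it prints is one the setup script would otherwise surface only after you have committed to the earlier answers.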

Running the Installation Script on Windows NT

The setup.exe program extracts files for the Administration Server, Directory Server, Netscape Console, and Certificate Management System and installs the binaries under the server root directory you have specified. It creates one instance of Administration Server, one instance of Directory Server, and one instance of Certificate Management System, which is as yet unconfigured. The program installs Netscape Console, and automatically starts the Administration Server and Directory Server.

To run the installation script, follow these steps:

  1. Double-click setup.exe to run the installation program.
  2. The installation dialog boxes prompt you to type in answers or make selections.
  3. Answer the questions that the script asks. You should have previously collected the requested information in the section "Information for NT Installation Script" of Chapter 4, "Installation Worksheet."
In the instructions that follow, the name that appears in the title bar of each setup screen is in boldface, followed by a description of the action you should take.

Answer the questions for a typical installation as follows:

  1. Welcome. Click Next.
  2. Software License Agreement. If you agree to all the terms of the License Agreement, click Yes.
  3. Select Server or Console Installation. "Netscape Servers" is selected by default. Click Next to accept the default selection.
  4. Choose Installation Directory. The default installation directory is C:\Netscape\Server4. To specify a server root directory different from the default, click Browse. Enter a full pathname, or navigate to the location where you want to install the servers, then click OK.
  5. The location that you enter must be different from the directory from which you are running the setup program. You must have write access to the directory. If the directory that you specify does not exist, the program can create it for you. Click Next to continue.

  6. Select Products. Four components are selected by default:
  7. Directory Server 4.1. "This instance will be the configuration directory server" is selected by default. If you accept the default setting, the installation script installs a new instance of Directory Server for use as a configuration directory.
  8. You can also choose to use a previously installed configuration directory. In this case, select "Use existing configuration directory server," then fill in the values that identify and provide access to the previously installed directory. Click Next to continue.

  9. Directory Server 4.1. "Store data in this directory server" is selected by default. If you accept the default setting, the installation script either adds a user/group directory to the newly installed instance of Directory Server (if you accepted the default in step 7) or installs a new instance of Directory Server for use as a user/group directory.
  10. You can also choose to use a previously installed user/group directory. In this case, select "Store data in an existing directory server," then fill in the values that identify and provide access to the previously installed directory. Click Next to continue.

  11. Directory Server 4.1 Server Settings
  12. Directory Server 4.1 Netscape Configuration Directory Server Administrator. Enter the administrator ID and password of the user who will authenticate to the directory console with full privileges. (Think of this as the root or superuser identity for Directory Server.) The password must be at least one character long. If you are using an existing configuration directory, enter its administrator ID and password. Click Next to continue.
  13. Directory Server 4.1 Administration Domain. Click Next to accept the default value. This name, which should be your organization's domain name, will be used for the collection of servers that use the same configuration directory.
  14. Directory Server 4.1 Directory Manager Settings. Enter the distinguished name and password of the directory manager for the configuration directory. The password must be at least eight characters long.
  15. This DN can be short and does not need to conform to any suffix configured for your directory. It also should not correspond to an actual entry stored in your directory. Click Next to continue.

  16. Administration Server Port Selection. The default is 389 if that port is not already used; otherwise, it is a randomly selected port number. Accept the default port number, or enter any port number that is not and will not be used for another purpose. Click Next to continue.
  17. Netscape Certificate Management System Server Identifier. Enter a unique identifier for the new instance of Certificate Management System. Click Next to continue.
  18. Configuration Summary. This screen shows all of the components you are installing and the choices you have made for their configuration. Click Next to continue.
  19. Setup. At this point, the installation script extracts and installs the binaries for all of the servers in the server root directory, and creates and starts instances of the Administration Server and Directory Server.
  20. Setup Complete. "Restart my computer now" is selected by default. Click Finish to accept the default. After the computer has rebooted, you'll note that the Netscape Console window is displayed with its associated icons.
When you have completed the installation script, you can complete the installation and configuration of the CMS instance by running the Installation Wizard. See Stage 2: Using the Installation Wizard.


Stage 2: Using the Installation Wizard
After you have finished running the installation script, you use the Installation Wizard to create and configure an instance of Certificate Management System. The Installation Wizard is the same for both Unix and Windows NT.

To bring up Netscape Console and launch the Installation Wizard, follow these steps:

  1. Start Netscape Console:
  2. Log in as the administrator. On Unix systems, you will also need to specify the Administration Server URL that you specified during the installation script.
  3. The main window of Netscape Console appears.

  4. In the navigation tree at the left, open your computer, then open Server Group.
  5. Select the instance of Certificate Management System that you named while running the installation script.
  6. In the Netscape Certificate Management System panel at the right, click Open.
  7. After a few moments, the Introduction screen for the Installation Wizard appears. You use the wizard to get the initial certificates and set the initial configuration for this instance of Certificate Management System.

Your route through the Installation Wizard instructions is determined by the choices you make. The instructions that follow cover a wide variety of standard decisions, but your installation requirements may bring up screens in a slightly different order.

Initial Configuration

In the instructions that follow, the panel title that appears below the title bar for each screen is in boldface, followed by information about the choices you need to make. You should have previously collected the requested information in the section "Initial Configuration" of Chapter 4, "Installation Worksheet."

  1. Introduction. Click Next.

    If you have not yet installed an internal database for this instance, the Internal Database screen (step 2) appears. If you have previously installed an internal database for this instance, the Recreate Internal Database screen (step 3) appears.

  2. Internal Database. Specify the LDAP server to use as the Certificate Management System internal database. This database is used to store information (such as certificates or certificate requests) used by all the subsystems you will be installing in this CMS instance. Click Next to continue. The wizard sets up the new internal database, which takes some time.
  3. Recreate Internal Database. Specify whether you want to remove the existing database in order to create a new internal database, or use the existing internal database. Click Next to continue.
  4. Internal Database password. This screen appears only if you stop the configuration process partway through and then start over again, in which case the wizard needs to ask for the internal database password again. Click Next to continue.
  5. Administrator. Enter the user ID, name, and password for the Certificate Management System Administrator. This is the administrator who can access the CMS window and control all CMS settings. Click Next to continue.
  6. Subsystems. Select the subsystems you want to install, or accept the default settings by clicking Next.

    You can choose Certificate Manager and Data Recovery Manager together, or Data Recovery Manager and Registration Manager together, or you can choose any individual manager, but you cannot install Certificate Manager and Registration Manager together. The Certificate Manager can be configured to perform all Registration Manager functions, so it is neither necessary nor possible to install both managers in the same instance.

  7. Remote Certificate Manager. This screen appears only when you are installing a Registration Manager. Supply the host name and agent SSL port number for the remote Certificate Manager, then click Next to continue.
  8. Remote Data Recovery Manager. This screen appears only when you are installing a standalone Registration Manager or a standalone Certificate Manager. If you have already installed a remote Data Recovery Manager that you want the new manager to use, click Yes and enter the remote Data Recovery Manager's host name and agent SSL port number. If you don't want to use a remote Data Recovery Manager, click No. Click Next to continue.
  9. Network Configuration. Enter the port numbers for the ports used by the CMS instance.
The screens that appear next depend on which combination of subsystems you selected in step 6 above. For instructions, see the section that corresponds to your subsystem selection:

Certificate Manager Configuration

To configure a Certificate Manager, perform the steps described under "Initial Configuration" then follow the steps described here. Some decisions you make determine the content and sequence of the screens that follow.

You should have previously collected the requested information in the section "Certificate Manager Configuration" of Chapter 4, "Installation Worksheet."

  1. Server Migration from Certificate Server 1.x - Step 1. Click Yes if you are migrating from Certificate Server 1.x, or No if you do not want to enable data migration. You should not click Yes unless you have performed the procedures described in Appendix A, "Migrating from Certificate Server 1.x." Click Next to continue.

    If you select Yes, the screen "Server Migration from Certificate Server 1.x - Step 2" is displayed. If you select No, you will not see this screen.

    Server Migration from Certificate Server 1.x - Step 2. You will see this screen only if you selected Yes in the previous screen. You should have previously collected the requested information in the section "Server Migration from Certificate Server 1.x" of Chapter 4, "Installation Worksheet."

    Enter the pathname of the directory where the migration tool output files are located, select the token or tokens in which the Certificate Manager signing certificate and SSL server certificate will reside, and initialize the tokens with passwords.

    Click Next to continue. For descriptions of the screens that follow successful server migration, see "Single Signon Configuration."

  2. CA's serial number range. Specify the lowest serial number the CA should use in the "Starting serial number" field. If you only use one CA server, you can leave the "Ending serial number" blank to indicate no upper limit. If you use cloned CA servers to distribute load, you must specify an upper limit. For cloned CAs, be sure that the range of serial numbers does not overlap with any other CA server.
  3. CA Signing Certificate. Select the type of CA for which you want to request a signing certificate:
Self-Signed CA Certificate

You should have previously collected the information requested here in the section "CA Signing Certificate" of Chapter 4, "Installation Worksheet."

  1. Key-Pair Information for Certificate Manager CA Signing Certificate. The token you select is used to store the CA signing certificate and key pair. If you have not previously initialized the token's password, you must do so in this screen. Specify the key type and length, then click Next to continue.
  2. Message Digest Algorithm. Select the algorithm to use for computing the certificate signature: SHA-1, MD2, or MD5. Click Next to continue.
  3. Subject Name for Certificate Manager CA Signing Certificate. The values you enter here identify the CA signing certificate. You are not required to enter all the values, but must enter the Organization, such as the name of your company. The Organization is required because its absence causes Netscape Communicator 4.x to crash. Enter the values for the subject DN components here, then click Next.
  4. Validity Period for Certificate Manager CA Signing Certificate. The validity period for the CA signing certificate determines how soon you will have to renew the certificate, which can be a complex procedure. Enter the validity period, then click Next.
  5. Certificate Extensions for Certificate Manager CA Signing Certificate. The default settings should work for most deployments. If necessary, you can add an additional extension by pasting its base-64 encoding in the space provided on this screen. For more information about extensions, see "Certificate Extensions."

    You can use tools provided in the CMS SDK samples directory for generating extensions to include in CA and other certificate requests. For details about these tools, check the samples package at this location:

    <server_root>/cms_sdk/samples/exttools/

    The certificate extension text field accepts a single extension blob. If you want to add multiple extensions, you should use the ExtJoiner program, which is also provided as a sample in the CMS samples directory. See the "Certificate Setup Wizard" section in Chapter 8, "Keys and Certificates," in Netscape Certificate Management System Administrator's Guide for detailed instructions.

    Click Next to continue.

  6. Certificate Manager CA Signing Certificate Creation. Click Next to generate and install the certificate.
  7. SSL Server Certificate. Specify whether you want the Certificate Manager's SSL server certificate to be signed by the Certificate Manager itself or by some other CA:
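The "CA's serial number range" screen earlier in this section imposes two rules that are worth checking before the wizard commits them: a blank ending serial number (no upper limit) is acceptable only for a single, uncloned CA, and the ranges handed to cloned CAs must never overlap, since two CAs issuing the same serial number under one issuer name break revocation and certificate lookup. The checker below is an added example, not code from Netscape CMS; it represents a range as an inclusive (start, end) pair with end=None for "no upper limit", mirroring the blank field, and goes slightly beyond the text by also planning disjoint blocks for a set of clones.

```python
"""Serial-number range planning for cloned Certificate Managers.

Added example; not code from Netscape CMS. A range is an inclusive
(start, end) pair; end=None means "no upper limit", as a blank
"Ending serial number" field does in the wizard.
"""
from itertools import combinations
from typing import Dict, List, Optional, Tuple

SerialRange = Tuple[int, Optional[int]]


def validate_range(start: int, end: Optional[int], cloned: bool) -> Optional[str]:
    """Return an error message for one CA's range, or None if it is acceptable."""
    if start < 0:
        return "starting serial number must not be negative"
    if end is None:
        # Blank upper limit is only allowed when this is the sole CA.
        return "cloned CAs must specify an ending serial number" if cloned else None
    if end < start:
        return "ending serial number must not be below the starting serial number"
    return None


def _overlaps(a: SerialRange, b: SerialRange) -> bool:
    """True when two inclusive ranges share at least one serial number."""
    a_start, a_end = a
    b_start, b_end = b
    a_reaches_b = a_end is None or a_end >= b_start   # open-ended ranges reach everything above
    b_reaches_a = b_end is None or b_end >= a_start
    return a_reaches_b and b_reaches_a


def find_overlaps(ranges: Dict[str, SerialRange]) -> List[Tuple[str, str]]:
    """Return every pair of CA names whose ranges intersect, sorted by name."""
    return sorted(
        tuple(sorted((x, y)))
        for x, y in combinations(ranges, 2)
        if _overlaps(ranges[x], ranges[y])
    )


def plan_disjoint_ranges(names: List[str], size: int, first: int = 1) -> Dict[str, SerialRange]:
    """Hand out consecutive, non-overlapping blocks of `size` serials, one per CA."""
    plan: Dict[str, SerialRange] = {}
    start = first
    for name in names:
        plan[name] = (start, start + size - 1)
        start += size
    return plan


if __name__ == "__main__":
    # Constructed sample: three clones, one of them left open-ended by mistake.
    proposed = {"ca1": (1, 1_000_000), "ca2": (1_000_001, 2_000_000), "ca3": (500_000, None)}
    for name, (lo, hi) in proposed.items():
        print(name, validate_range(lo, hi, cloned=True))
    print("overlapping pairs:", find_overlaps(proposed))
    print("suggested plan:", plan_disjoint_ranges(list(proposed), 1_000_000))
```

Run `validate_range` on each clone's worksheet entry and `find_overlaps` on the whole set before typing the values into the wizard; adjacent ranges such as 1-10 and 11-20 are fine, a shared boundary such as 1-10 and 10-20 is not.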
Subordinate CA Certificate Request

The instructions in this section describe the screens displayed if you selected "Create subordinate CA certificate request" on page 149.

  1. Key-Pair Information for Certificate Manager CA Signing Certificate. The token you select is used to store the CA signing certificate and key pair. If you have not previously initialized the token's password, you must do so in this screen. Specify the key type and length, then click Next to continue.
  2. Message Digest Algorithm. Select the algorithm to use for computing the certificate signature: SHA-1, MD2, or MD5. Click Next to continue.
  3. Subject Name for Certificate Manager CA Signing Certificate. The values you enter here identify the CA signing certificate. You are not required to enter all the values, but must enter the Organization, such as the name of your company. The Organization is required because its absence causes Netscape Communicator 4.x to crash. Enter the values for the subject DN components here, then click Next.
  4. CA Signing Certificate Request Creation. This informational screen tells you that the wizard has all the information required to generate the key pair and certificate request. Click Next to generate them.
  5. Submission of Request. Choose whether you want to submit the request manually or send the request to a remote CMS server automatically.
    For automatic enrollment, select "Send the request to a remote CMS now," enter the hostname and end-entity port number, and select whether this end-entity port uses SSL. Click Next to submit the request, then continue with step .

    Follow these steps to submit your certificate request manually. Click Next when you are ready to proceed to the next screen.

    In addition to the copy on the clipboard, the screen informs you that the certificate request has been saved to a file. You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the subordinate CA's signing certificate.

    If you are submitting your request to a third-party CA, follow the instructions provided by that CA. If you are submitting your request to a CMS Certificate Manager, follow these steps:

  6. Certificate Request Result. This screen confirms that the request has been submitted. You can use the request ID provided to retrieve the certificate from the end-entity port once it has been issued. A Certificate Manager agent can follow the instructions in the next step to issue the certificate.
  7. A Certificate Manager agent issues the certificate. After you submit the request, an agent for the Certificate Manager to which you submitted the request must approve it. For example, if you are the agent, go to the Agent Services page for the Certificate Manager (using the same computer where you got your agent certificate), choose Certificate Manager Agent Services, and follow these steps:
  8. Certificate Manager Signing Certificate Installation. Click Yes to install the certificate now, or click No to install it at another time. The default is No. When you choose the default, you will continue with the configuration, and you'll be asked at the end of the configuration if you want to install the certificate at that point.

    If you have submitted your request to a third-party CA or to a remote Certificate Manager, you may have to wait days or weeks before you receive the certificate. In this case, you should click No, continue as far as you can with the configuration, and resume after you receive the certificate.

    You should click Yes only if you have received the base-64 encoded certificate and are ready to install it. Click Next to continue.

  9. Location of Certificate. Enter the location of the file in which the encoded certificate is located, or paste in a base-64 encoded certificate including header and footer in the text area provided. Click Next to continue.
  10. Certificate Details. This informational screen displays the certificate so you can inspect its contents. Click Next to continue.
  11. Import Certificate Chain. This screen appears only if you need to import the CA certificate chain. Follow these steps to do so:
  12. SSL Server Certificate. Specify how you want the Certificate Manager's SSL server certificate to be issued:
Registration Manager Configuration

To configure a Registration Manager, perform the steps described under "Initial Configuration" then follow the steps described here. Some decisions you make determine the content and sequence of the screens that follow.

You should have previously collected the requested information in the section "Registration Manager Configuration" of Chapter 4, "Installation Worksheet."

  1. Key-Pair Information for Registration Manager Signing Certificate. The token you select is used to store the Registration Manager signing certificate and key pair. If you have not previously initialized the token's password, you must do so in this screen. Specify the key type and length, then click Next to continue.
  2. Message Digest Algorithm. Select the algorithm to use for computing the certificate signature: SHA-1, MD2, or MD5. Click Next to continue.
  3. Subject Name for Registration Manager Signing Certificate. The values you enter here identify the Registration Manager's signing certificate. You are not required to enter all the values, but must enter the Organization, such as the name of your company. The Organization is required because its absence causes Netscape Communicator 4.x to crash. Enter the values for the subject DN components here, then click Next.
  4. Registration Manager Signing Certificate Request Creation. This informational screen tells you that the wizard has all the information required to generate the key pair and certificate request. Click Next to generate them.
  5. Submission of Request. Choose whether you want to submit the request manually or send the request to a remote CMS server automatically.
  6. For automatic enrollment, select "Send the request to a remote CMS now," enter the hostname and end-entity port number, and select whether this end-entity port uses SSL. Click Next to submit the request, then continue with step .

    Follow these steps to submit your certificate request manually. Click Next when you are ready to proceed to the next screen.

    In addition to the copy on the clipboard, the screen informs you that the certificate request has been saved to a file. You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the subordinate CA's signing certificate.

    If you are submitting your request to a third-party CA, follow the instructions provided by that CA. If you are submitting your request to a CMS Certificate Manager, follow these steps:

  7. Certificate Request Result. This screen confirms that the request has been submitted. You can use the request ID provided to retrieve the certificate from the end-entity port once it has been issued. A Certificate Manager agent can follow the instructions in the next step to issue the certificate.
  8. A Certificate Manager agent issues the certificate. After you submit the request, an agent for the Certificate Manager to which you submitted the request must approve it. For example, if you are the agent, go to the Agent Services page for the Certificate Manager (using the same computer where you got your certificate), choose Certificate Manager Agent Services, and follow these steps:
  9. Registration Manager Signing Certificate Installation. Click Yes to install the certificate now, or click No to install it at another time. The default is No. When you choose the default, you will continue with the configuration, and you'll be asked at the end of the configuration if you want to install the certificate at that point.
  10. If you have submitted your request to a third-party CA or to a remote Certificate Manager, you may have to wait days or weeks before you receive the certificate. In this case, you should click No, continue as far as you can with the configuration, and restart the Installation Wizard after you receive the certificate. For a description of the screens that follow if you choose this option, see "SSL Server Certificate from a Remote CA."

    You should click Yes only if you have received the base-64 encoded certificate and are ready to install it. Click Next to continue.

  11. Location of Certificate. Enter the location of the file in which the encoded certificate is located, or paste in a base-64 encoded certificate including header and footer in the text area provided. Click Next to continue.
  12. Certificate Details. This informational screen displays the certificate so you can inspect its contents. Click Next to continue.
  13. Import Certificate Chain. This screen appears only if you need to import the CA certificate chain. Follow these steps to do so:
At this point, the wizard displays a series of screens that you use to request an SSL server certificate for the Registration Manager. See "SSL Server Certificate from a Remote CA" for details.
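Steps 11 through 13 above expect a base-64 encoded certificate, pasted with its header and footer lines, and optionally a CA certificate chain in the same form. The following is an added example, not code from the guide or from Certificate Management System, showing how to check such a paste before installing it: it extracts every PEM block, rejects bodies that are not valid base-64, and compares the declared length of the outer DER SEQUENCE (every X.509 certificate is one) with the number of bytes actually decoded, which catches a certificate that was truncated while being copied. The sample input is a constructed minimal DER SEQUENCE, not a real certificate; function names are this example's own.

```python
import base64
import binascii
import re
from typing import List

# Matches one "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----"
# block; a pasted chain contains several of these one after another.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def der_sequence_length(der: bytes) -> int:
    """Total length of the outer DER SEQUENCE (tag + length bytes + content).

    A certificate is a DER SEQUENCE, so the declared length must equal the
    number of bytes decoded; a mismatch means the paste was truncated or
    carries stray bytes.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("data is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def parse_pem_certificates(text: str) -> List[bytes]:
    """Return the DER bytes of every certificate in a pasted PEM text.

    Raises ValueError when the header/footer pair is missing, a body is not
    valid base-64, or the decoded bytes do not form one complete SEQUENCE.
    """
    bodies = PEM_BLOCK.findall(text)
    if not bodies:
        raise ValueError("no certificate found: header and footer lines are required")
    certs = []
    for body in bodies:
        b64 = re.sub(r"\s+", "", body)    # line breaks inside the body are normal
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate body is not valid base-64: {exc}") from exc
        if der_sequence_length(der) != len(der):
            raise ValueError("decoded certificate is truncated or has trailing bytes")
        certs.append(der)
    return certs


def pem_error(text: str) -> str:
    """Return "" if the text parses cleanly, else the reason it was rejected."""
    try:
        parse_pem_certificates(text)
        return ""
    except ValueError as exc:
        return str(exc)


# Constructed sample input (not a real certificate): a minimal DER SEQUENCE
# containing INTEGER 5, wrapped in the PEM header and footer the wizard expects.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(len(parse_pem_certificates(SAMPLE_PEM)), "certificate(s) parsed")
    print("chain:", len(parse_pem_certificates(SAMPLE_PEM * 2)), "certificate(s)")
```

The same routine serves the Import Certificate Chain screen: a chain pasted as consecutive PEM blocks yields one DER blob per certificate, and a chain with one broken member is rejected as a whole rather than partially imported.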

Data Recovery Manager Configuration

To configure a Data Recovery Manager, perform the steps described under "Initial Configuration," then follow the steps described here. Note that some decisions you make will affect the screens you see.

You should have previously collected the requested information in the section "Data Recovery Manager Configuration" of Chapter 4, "Installation Worksheet."

Transport Certificate from a Remote CA

  1. Key-Pair Information for Data Recovery Manager Transport Certificate. The token you select is used to store the transport certificate and key pair. If you have not previously initialized the token's password, you must do so in this screen. Specify the key type and length, then click Next to continue.
  2. Message Digest Algorithm. Select the algorithm to use for computing the certificate signature: SHA-1, MD2, or MD5. MD2 and MD5 are no longer considered collision resistant, so select SHA-1 unless the issuing CA requires otherwise. Click Next to continue.
  3. Subject Name for Data Recovery Manager Transport Certificate. The values you enter here identify the transport certificate. You are not required to enter all the values, but must enter the Organization, such as the name of your company. The Organization is required because its absence causes Netscape Communicator 4.x to crash. Enter the values for the subject DN components here, then click Next.
  4. Data Recovery Manager Transport Certificate Request Creation. This informational screen tells you that the wizard has all the information required to generate the key pair and certificate request. Click Next to generate them.
  5. Submission of Request. Choose whether you want to submit the request manually or send the request to a remote CMS server automatically.
  6. For automatic enrollment, select "Send the request to a remote CMS now," enter the hostname and end-entity port number, and select whether this end-entity port uses SSL. Click Next to submit the request, then continue with step .

    Follow these steps to submit your certificate request manually. Click Next when you are ready to proceed to the next screen.

    In addition to the copy on the clipboard, the screen informs you that the certificate request has been saved to a file. You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the Data Recovery Manager's transport certificate.

    If you are submitting your request to a third-party CA, follow the instructions provided by that CA. If you are submitting your request to a CMS Certificate Manager, follow these steps:

  7. Certificate Request Result. This screen confirms that the request has been submitted. You can use the request ID provided to retrieve the certificate from the end-entity port once it has been issued. A Certificate Manager agent can follow the instructions in the next step to issue the certificate.
  8. A Certificate Manager agent issues the certificate. After you submit the request, an agent for the Certificate Manager to which you submitted the request must approve it. For example, if you are the agent, go to the Agent Services page for the Certificate Manager (using the same computer where you got your agent certificate), choose Certificate Manager Agent Services, and follow these steps:
  9. Data Recovery Manager Transport Certificate Installation. Click Yes to install the certificate now, or click No to install it at another time. The default is No. When you choose the default, you will continue with the configuration, and you'll be asked at the end of the configuration if you want to install the certificate at that point.
  10. If you have submitted your request to a third-party CA or to a remote Certificate Manager, you may have to wait days or weeks before you receive the certificate. In this case, you should click No, continue as far as you can with the configuration, and resume after you receive the certificate. For a description of the screens that follow if you choose this option, see "Storage Key and Recovery Agent Configuration."

    You should click Yes only if you have received the base-64 encoded certificate and are ready to install it. Click Next to continue.

  11. Location of Certificate. Enter the location of the file in which the encoded certificate is located, or paste in a base-64 encoded certificate including header and footer in the text area provided. Click Next to continue.
  12. Certificate Details. This informational screen displays the certificate so you can inspect its contents. Click Next to continue.
  13. Import Certificate Chain. This screen appears only if you need to import the CA certificate chain. Follow these steps to do so:
Storage Key and Recovery Agent Configuration

The following screens let you configure the storage key and recovery schemes for the Data Recovery Manager.

  1. Storage Key Creation for Data Recovery Manager. Select the length you have decided on for your storage key, then click Next to continue.
  2. Data Recovery Key Scheme - 1. Enter both the required number of recovery agents (how many agents must participate to recover a key) and the total number of recovery agents, then click Next.
  3. Data Recovery Key Scheme - 2. The number of table rows corresponds to the total number of agents you specified in the previous screen. Enter the user ID and password for each agent in the table, then click Next.
At this point, the wizard displays a series of screens that you use to request an SSL server certificate for the Data Recovery Manager. See "SSL Server Certificate from a Remote CA" for details.
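The two Data Recovery Key Scheme screens above define an m-of-n scheme: any "required number" of the "total number" of recovery agents must act together, and fewer agents learn nothing useful. The guide does not describe how Certificate Management System implements this, so the following is an added example, not the product's code, illustrating the property with Shamir secret sharing over a prime field: the protected value is the constant term of a random polynomial, each agent (keyed by user ID) holds one point on it, and Lagrange interpolation at zero recovers the value from any quorum. The agent names and the sample storage-key password are constructed.

```python
import secrets
from typing import Callable, Dict, List, Tuple

# Arithmetic is over GF(P); 2**127 - 1 is prime, so every nonzero element has
# an inverse and Lagrange interpolation is exact. Secrets must be below P.
P = 2**127 - 1


def _poly_at(coeffs: List[int], x: int) -> int:
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x**2 + ... modulo P."""
    acc = 0
    for c in reversed(coeffs):            # Horner's rule
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, required: int, agents: List[str],
                 rand: Callable[[], int] = lambda: secrets.randbelow(P)
                 ) -> Dict[str, Tuple[int, int]]:
    """Give each agent one point on a random polynomial of degree required-1.

    The constant term is the secret. Any `required` points determine the
    polynomial; fewer leave the constant term completely unconstrained.
    """
    total = len(agents)
    if not 1 <= required <= total:
        raise ValueError("required agents must be between 1 and the total number")
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    coeffs = [secret] + [rand() % P for _ in range(required - 1)]
    # Shares sit at x = 1..total; x = 0 is never handed out, since f(0) is the secret.
    return {uid: (x, _poly_at(coeffs, x)) for x, uid in enumerate(agents, start=1)}


def recover_secret(shares: Dict[str, Tuple[int, int]]) -> int:
    """Lagrange-interpolate f(0) from the shares of the agents who are present."""
    points = list(shares.values())
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        # Fermat inverse of den; P is prime so pow(den, P-2, P) * den == 1 mod P.
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


if __name__ == "__main__":
    # Constructed 3-of-5 scheme protecting a (constructed) storage-key password.
    password = int.from_bytes(b"storage-key-pw", "big")   # 112 bits, below P
    agents = ["agent1", "agent2", "agent3", "agent4", "agent5"]
    shares = split_secret(password, 3, agents)
    quorum = {uid: shares[uid] for uid in ("agent2", "agent4", "agent5")}
    print("recovered:", recover_secret(quorum) == password)
```

Two shares of a 3-of-5 split interpolate to some value, but not the secret: the missing point could be anywhere, so the threshold is enforced by the mathematics rather than by a check that could be bypassed. Whatever the product uses internally, the same planning rule applies: choose the required number so that a quorum is reachable when staff are absent, yet large enough that no single agent or small colluding group can recover keys alone.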

Certificate Manager and Data Recovery Manager Configuration

To configure a Certificate Manager and Data Recovery Manager in the same instance, perform the steps described under "Initial Configuration" then follow the steps described here. Some decisions you make determine the content and sequence of the screens that follow.

You should have previously collected the requested information in the sections "Certificate Manager Configuration" and "Data Recovery Manager Configuration" of Chapter 4, "Installation Worksheet."

Certificate Manager Configuration

To configure the Certificate Manager, follow these steps:

  1. Server Migration from Certificate Server 1.x - Step 1. Click Yes if you are migrating from Certificate Server 1.x, or No if you do not want to enable data migration. You should not click Yes unless you have performed the procedures described in Appendix A, "Migrating from Certificate Server 1.x." Click Next to continue.
  2. If you selected Yes, the screen "Server Migration from Certificate Server 1.x - Step 2" is displayed. If you selected No, you will not see this screen.

    Server Migration from Certificate Server 1.x - Step 2. You will see this screen only if you selected Yes in the previous screen. You should have previously collected the requested information in the section "Server Migration from Certificate Server 1.x" of "Installation Worksheet."

    Enter the pathname of the directory where the migration tool output files are located, select the token or tokens in which the Certificate Manager signing certificate and SSL server certificate will reside, and initialize the tokens with passwords.

    Click Next to continue. For descriptions of the screens that follow successful server migration, see "Single Signon Configuration."

  3. CA's serial number range. Specify the lowest serial number the CA should use in the "Starting serial number" field. If you only use one CA server, you can leave the "Ending serial number" blank to indicate no upper limit. If you use cloned CA servers to distribute load, you must specify an upper limit. For cloned CAs, be sure that the range of serial numbers does not overlap with any other CA server: the clones issue under the same issuer name, and a serial number issued twice under one issuer cannot be revoked or looked up unambiguously.
  4. CA Signing Certificate. Select the type of CA for which you want to request a signing certificate:
Self-Signed CA Certificate

  1. Key-Pair Information for Certificate Manager CA Signing Certificate. The token you select is used to store the CA signing certificate and key pair. If you have not previously initialized the token's password, you must do so in this screen. Specify the key type and length, then click Next to continue.
  2. Message Digest Algorithm. Select the algorithm to use for computing the certificate signature: SHA-1, MD2, or MD5. MD2 and MD5 are no longer considered collision resistant; select SHA-1. Click Next to continue.
  3. Subject Name for Certificate Manager CA Signing Certificate. The values you enter here identify the CA signing certificate. You are not required to enter all the values, but must enter the Organization, such as the name of your company. The Organization is required because its absence causes Netscape Communicator 4.x to crash. Enter the values for the subject DN components here, then click Next.
  4. Validity Period for Certificate Manager CA Signing Certificate. The validity period for the CA signing certificate determines how soon you will have to renew the certificate, which can be a complex procedure. Enter the validity period, then click Next.
  5. Certificate Extensions for Certificate Manager CA Signing Certificate. The default settings should work for most deployments. If necessary, you can add an additional extension by pasting its base-64 encoding in the space provided on this screen. For more information about extensions, see Appendix B, "Certificate Extensions."
  6. You can use tools provided in the CMS SDK samples directory for generating extensions to include in CA and other certificate requests. For details about these tools, check the samples package at this location:

    <server_root>/cms_sdk/samples/exttools/

    The certificate extension text field accepts a single extension blob. If you want to add multiple extensions, you should use the ExtJoiner program, which is also provided as a sample in the CMS samples directory. See the "Certificate Setup Wizard" section in Chapter 8, "Keys and Certificates," in Netscape Certificate Management System Administrator's Guide for detailed instructions.

    Click Next to continue.

  7. Certificate Manager CA Signing Certificate Creation. Click Next to generate and install the certificate.
At this point, the Installation wizard begins configuration of the Data Recovery Manager. For details, see "Data Recovery Manager Configuration."

Subordinate CA Certificate Request

  1. Key-Pair Information for Certificate Manager CA Signing Certificate. The token you select is used to store the CA signing certificate and key pair. If you have not previously initialized the token's password, you must do so in this screen. Specify the key type and length, then click Next to continue.
  2. Message Digest Algorithm. Select the algorithm to use for computing the certificate signature: SHA-1, MD2, or MD5. Click Next to continue.
  3. Subject Name for Certificate Manager CA Signing Certificate. The values you enter here identify the CA signing certificate and key pair. You are not required to enter all the values, but must enter the Organization, such as the name of your company. The Organization is required because its absence causes Netscape Communicator 4.x to crash. Enter the values for the subject DN components here, then click Next.
  4. CA Signing Certificate Request Creation. This informational screen tells you that the wizard has all the information required to generate the key pair and certificate request. Click Next to generate them.
  5. Submission of Request. Choose whether you want to submit the request manually or send the request to a remote CMS server automatically.
  6. For automatic enrollment, select "Send the request to a remote CMS now," enter the hostname and end-entity port number, and select whether this end-entity port uses SSL. Click Next to submit the request, then continue with step .

    Follow these steps to submit your certificate request manually. Click Next when you are ready to proceed to the next screen.

    In addition to the copy on the clipboard, the screen informs you that the certificate request has been saved to a file. You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the subordinate CA's signing certificate.

    If you are submitting your request to a third-party CA, follow the instructions provided by that CA. If you are submitting your request to a CMS Certificate Manager, follow these steps:

  7. Certificate Request Result. This screen confirms that the request has been submitted. You can use the request ID provided to retrieve the certificate from the end-entity port once it has been issued. A Certificate Manager agent can follow the instructions in the next step to issue the certificate.
  8. A Certificate Manager agent issues the certificate. After you submit the request, an agent for the Certificate Manager to which you submitted the request must approve it. For example, if you are the agent, go to the Agent Services page for the Certificate Manager (using the same computer where you got your agent certificate), choose Certificate Manager Agent Services, and follow these steps:
  9. Certificate Manager Signing Certificate Installation. Click Yes to install the certificate now, or click No to install it at another time. The default is No. When you choose the default, you will continue with the configuration, and you'll be asked at the end of the configuration if you want to install the certificate at that point.
  10. If you have submitted your request to a third-party CA or to a remote Certificate Manager, you may have to wait days or weeks before you receive the certificate. In this case, you should click No, continue as far as you can with the configuration, and resume after you receive the certificate.

    You should click Yes only if you have received the base-64 encoded certificate and are ready to install it. Click Next to continue.

  11. Location of Certificate. Enter the location of the file in which the encoded certificate is located, or paste in a base-64 encoded certificate including header and footer in the text area provided. Click Next to continue.
  12. Certificate Details. This informational screen displays the certificate so you can inspect its contents. Click Next to continue.
  13. Import Certificate Chain. This screen appears only if you need to import the CA certificate chain. Follow these steps to do so:
At this point, the Installation Wizard begins configuration of the Data Recovery Manager. For details, see the next section.
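The "CA's serial number range" step earlier in this section sets two rules for a Certificate Manager that will be cloned: every CA sharing the issuer name needs an explicit upper limit, and no two ranges may overlap. The following is an added example, not part of the guide or of Certificate Management System, that applies those rules to a planned set of ranges before anyone types them into the wizard, and proposes the next free range for a new clone. A blank "Ending serial number" is represented as None; the instance names and numbers are constructed.

```python
from typing import Dict, List, Optional, Tuple

# (starting serial number, ending serial number); None means the "Ending
# serial number" field is left blank, i.e. no upper limit.
SerialRange = Tuple[int, Optional[int]]


def check_serial_ranges(ranges: Dict[str, SerialRange]) -> List[str]:
    """Return every problem found; an empty list means the plan is acceptable.

    Rules: each range must be well formed, a blank upper limit is allowed only
    when a single CA uses the issuer name, and no two CAs may be able to issue
    the same serial number.
    """
    problems: List[str] = []
    for name, (start, end) in ranges.items():
        if start < 0:
            problems.append(f"{name}: starting serial number must not be negative")
        if end is not None and end < start:
            problems.append(f"{name}: ending serial number is below the starting number")
        if end is None and len(ranges) > 1:
            problems.append(f"{name}: an upper limit is required when several CAs share an issuer name")
    # After sorting by starting number, only neighbours can overlap.
    ordered = sorted(ranges.items(), key=lambda item: item[1][0])
    for (a, (_, a_end)), (b, (b_start, _)) in zip(ordered, ordered[1:]):
        if a_end is None or b_start <= a_end:
            problems.append(f"{a} and {b}: serial number ranges overlap")
    return problems


def next_free_range(ranges: Dict[str, SerialRange], size: int) -> SerialRange:
    """Propose a range of `size` serial numbers above everything already allocated."""
    if size < 1:
        raise ValueError("size must be at least 1")
    ends = [end for _, end in ranges.values()]
    if any(end is None for end in ends):
        raise ValueError("an open-ended range exists; set its upper limit before adding a clone")
    start = max(ends, default=-1) + 1
    return (start, start + size - 1)


if __name__ == "__main__":
    # Constructed plan: the original Certificate Manager plus one clone.
    plan = {"ca-original": (1, 999999), "ca-clone1": (1000000, 1999999)}
    print("problems:", check_serial_ranges(plan) or "none")
    print("range for a second clone:", next_free_range(plan, 1000000))
    bad = {"ca-original": (1, None), "ca-clone1": (500000, 1999999)}
    for problem in check_serial_ranges(bad):
        print("bad plan:", problem)
```

Run the check against the worksheet values for the original Certificate Manager and every clone together, not one instance at a time: a range that looks fine on its own is only safe relative to all the others.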

Data Recovery Manager Configuration

To configure a Data Recovery Manager, follow these steps:

  1. Data Recovery Manager Transport Certificate. Specify how you want the Data Recovery Manager Transport Certificate to be issued:
Transport Certificate from Local CA

  1. Key-Pair Information for Data Recovery Manager Transport Certificate. The token you select is used to store the transport certificate and key pair. If you have not previously initialized the token's password, you must do so in this screen. Specify the key type and length, then click Next to continue.
  2. Message Digest Algorithm. Select the algorithm to use for computing the certificate signature: SHA-1, MD2, or MD5. Click Next to continue.
  3. Subject Name for Data Recovery Manager Transport Certificate. The values you enter here identify the transport certificate. You are not required to enter all the values, but must enter the Organization, such as the name of your company. The Organization is required because its absence causes Netscape Communicator 4.x to crash. Enter the values for the subject DN components here, then click Next.
  4. Validity Period for Data Recovery Manager Transport Certificate. The validity period for the transport certificate determines how soon you will have to renew the certificate. Enter the validity period, then click Next.
  5. Certificate Extensions for Data Recovery Manager Transport Certificate. The default settings should work for most deployments. If necessary, you can add additional extensions by pasting the base-64 encoding for each extension in the space provided on this screen. For more information about extensions, see Appendix B, "Certificate Extensions." Click Next to continue.
  6. Data Recovery Manager Transport Certificate Creation. Click Next to generate and install the certificate.
To continue configuring the Data Recovery Manager, go to "Storage Key and Recovery Agent Configuration."

Transport Certificate from Remote CA

  1. Key-Pair Information for Data Recovery Manager Transport Certificate. The token you select is used to store the transport certificate and key pair. If you have not previously initialized the token's password, you must do so in this screen. Specify the key type and length, then click Next to continue.
  2. Message Digest Algorithm. Select the algorithm to use for computing the certificate signature: SHA-1, MD2, or MD5. Click Next to continue.
  3. Subject Name for Data Recovery Manager Transport Certificate. The values you enter here identify the transport certificate. You are not required to enter all the values, but must enter the Organization, such as the name of your company. The Organization is required because its absence causes Netscape Communicator 4.x to crash. Enter the values for the subject DN components here, then click Next.
  4. Data Recovery Manager Transport Certificate Request Creation. This informational screen tells you that the wizard has all the information required to generate the key pair and certificate request. Click Next to generate them.
  5. Submission of Request. Choose whether you want to submit the request manually or send the request to a remote CMS server automatically.
  6. For automatic enrollment, select "Send the request to a remote CMS now," enter the hostname and end-entity port number, and select whether this end-entity port uses SSL. Click Next to submit the request, then continue with step .

    Follow these steps to submit your certificate request manually. Click Next when you are ready to proceed to the next screen.

    In addition to the copy on the clipboard, the screen informs you that the certificate request has been saved to a file. You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the Data Recovery Manager's transport certificate.

    If you are submitting your request to a third-party CA, follow the instructions provided by that CA. If you are submitting your request to a CMS Certificate Manager, follow these steps:

  7. Certificate Request Result. This screen confirms that the request has been submitted. You can use the request ID provided to retrieve the certificate from the end-entity port once it has been issued. A Certificate Manager agent can follow the instructions in the next step to issue the certificate.
  8. A Certificate Manager agent issues the certificate. After you submit the request, an agent for the Certificate Manager to which you submitted the request must approve it. For example, if you are the agent, go to the Agent Services page for the Certificate Manager (using the same computer where you got your agent certificate), choose Certificate Manager Agent Services, and follow these steps:
  9. Data Recovery Manager Transport Certificate Installation. Click Yes to install the certificate now, or click No to install it at another time. The default is No. When you choose the default, you will continue with the configuration, and you'll be asked at the end of the configuration if you want to install the certificate at that point.
  10. If you have submitted your request to a third-party CA or to a remote Certificate Manager, you may have to wait days or weeks before you receive the certificate. In this case, you should click No, continue as far as you can with the configuration, and resume after you receive the certificate. For a description of the screens that follow if you choose this option, see "Storage Key and Recovery Agent Configuration."

    You should click Yes only if you have received the base-64 encoded certificate and are ready to install it. Click Next to continue.

  11. Location of Certificate. Enter the location of the file in which the encoded certificate is located, or paste in a base-64 encoded certificate including header and footer in the text area provided. Click Next to continue.
  12. Certificate Details. This informational screen displays the certificate so you can inspect its contents. Click Next to continue.
  13. Import Certificate Chain. This screen appears only if you need to import the CA certificate chain. Follow these steps to do so:
Storage Key and Recovery Agent Configuration

  1. Storage Key Creation for Data Recovery Manager. Select the length you have decided on for your storage key, then click Next to continue.
  2. Data Recovery Key Scheme - 1. Enter both the required number of recovery agents and the total number of recovery agents, then click Next.
  3. Data Recovery Key Scheme - 2. The number of table rows corresponds to the total number of agents you specified in the previous screen. Enter the user ID and password for each agent in the table, then click Next.
  4. SSL Server Certificate. Specify how you want the SSL server certificate for this instance of Certificate Management System to be issued:
Registration Manager and Data Recovery Manager Configuration

To configure a Registration Manager and Data Recovery Manager in the same instance, perform the steps described under "Initial Configuration," then follow the steps described here. Some decisions you make determine the content and sequence of the screens that follow.

You should have previously collected the requested information in the sections "Registration Manager Configuration" and "Data Recovery Manager Configuration" of Chapter 4, "Installation Worksheet."

Registration Manager Configuration

  1. Key-Pair Information for Registration Manager Signing Certificate. The token you select is used to store the Registration Manager signing certificate and key pair. If you have not previously initialized the token's password, you must do so in this screen. Specify the key type and length, then click Next to continue.
  2. Message Digest Algorithm. Select the algorithm to use for computing the certificate signature: SHA-1, MD2, or MD5. Click Next to continue.
  3. Subject Name for Registration Manager Signing Certificate. The values you enter here identify the Registration Manager's signing certificate. You are not required to enter all the values, but must enter the Organization, such as the name of your company. The Organization is required because its absence causes Netscape Communicator 4.x to crash. Enter the values for the subject DN components here, then click Next.
  4. Registration Manager Signing Certificate Request Creation. This informational screen tells you that the wizard has all the information required to generate the key pair and certificate request. Click Next to generate them.
  5. Submission of Request. Choose whether you want to submit the request manually or send the request to a remote CMS server automatically.
  6. For automatic enrollment, select "Send the request to a remote CMS now," enter the hostname and end-entity port number, and select whether this end-entity port uses SSL. Click Next to submit the request, then continue with step .

    Follow these steps to submit your certificate request manually. Click Next when you are ready to proceed to the next screen.

    In addition to the copy on the clipboard, the screen informs you that the certificate request has been saved to a file. You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the Registration Manager's signing certificate.

    If you are submitting your request to a third-party CA, follow the instructions provided by that CA. If you are submitting your request to a CMS Certificate Manager, follow these steps:

  7. Certificate Request Result. This screen confirms that the request has been submitted. You can use the request ID provided to retrieve the certificate from the end-entity port once it has been issued. A Certificate Manager agent can follow the instructions in the next step to issue the certificate.
  8. A Certificate Manager agent issues the certificate. After you submit the request, an agent for the Certificate Manager to which you submitted the request must approve it. For example, if you are the agent, go to the Agent Services page for the Certificate Manager (using the same computer where you got your agent certificate), choose Certificate Manager Agent Services, and follow these steps:
  9. Registration Manager Signing Certificate Installation. Click Yes to install the certificate now, or click No to install it at another time. The default is No. When you choose the default, you will continue with the configuration, and you'll be asked at the end of the configuration if you want to install the certificate at that point.
  10. If you have submitted your request to a third-party CA or to a remote Certificate Manager, you may have to wait days or weeks before you receive the certificate. In this case, you should click No, continue as far as you can with the configuration, and resume after you receive the certificate. For a description of the screens that follow if you choose this option, see "Data Recovery Manager Configuration."

    You should click Yes only if you have received the base-64 encoded certificate and are ready to install it. Click Next to continue.

  11. Location of Certificate. Enter the location of the file in which the encoded certificate is located, or paste in a base-64 encoded certificate including header and footer in the text area provided. Click Next to continue.
  12. Certificate Details. This informational screen displays the certificate so you can inspect its contents. Click Next to continue.
  13. Import Certificate Chain. This screen appears only if you need to import the CA certificate chain. Follow these steps to do so:
Data Recovery Manager Configuration

Transport Certificate from a Remote CA

  1. Key-Pair Information for Data Recovery Manager Transport Certificate. The token you select is used to store the transport certificate and key pair. If you have not previously initialized the token's password, you must do so in this screen. Specify the key type and length, then click Next to continue.
  2. Message Digest Algorithm. Select the algorithm to use for computing the certificate signature: SHA-1, MD2, or MD5. Click Next to continue.
  3. Subject Name for Data Recovery Manager Transport Certificate. The values you enter here identify the transport certificate. You are not required to enter all the values, but must enter the Organization, such as the name of your company. The Organization is required because its absence causes Netscape Communicator 4.x to crash. Enter the values for the subject DN components here, then click Next.
  4. Data Recovery Manager Transport Certificate Request Creation. This informational screen tells you that the wizard has all the information required to generate the key pair and certificate request. Click Next to generate them.
  5. Submission of Request. Choose whether you want to submit the request manually or send the request to a remote CMS server automatically.
  6. For automatic enrollment, select "Send the request to a remote CMS now," enter the hostname and end-entity port number, and select whether this end-entity port uses SSL. Click Next to submit the request, then continue with step .

    Follow these steps to submit your certificate request manually. Click Next when you are ready to proceed to the next screen.

    In addition to the copy on the clipboard, the screen informs you that the certificate request has been saved to a file. You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the Data Recovery Manager's transport certificate.

    If you are submitting your request to a third-party CA, follow the instructions provided by that CA. If you are submitting your request to a CMS Certificate Manager, follow these steps:

  7. Certificate Request Result. This screen confirms that the request has been submitted. You can use the request ID provided to retrieve the certificate from the end-entity port once it has been issued. A Certificate Manager agent can follow the instructions in the next step to issue the certificate.
  8. A Certificate Manager agent issues the certificate. After you submit the request, an agent for the Certificate Manager to which you submitted the request must approve it. For example, if you are the agent, go to the Agent Services page for the Certificate Manager (using the same computer where you got your agent certificate), choose Certificate Manager Agent Services, and follow these steps:
  9. Data Recovery Manager Transport Certificate Installation. Click Yes to install the certificate now, or click No to install it at another time. The default is No. When you choose the default, you will continue with the configuration, and you'll be asked at the end of the configuration if you want to install the certificate at that point.
  10. If you have submitted your request to a third-party CA or to a remote Certificate Manager, you may have to wait days or weeks before you receive the certificate. In this case, you should click No, continue as far as you can with the configuration, and resume after you receive the certificate. For a description of the screens that follow if you choose this option, see "Storage Key and Recovery Agent Configuration."

    You should click Yes only if you have received the base-64 encoded certificate and are ready to install it. Click Next to continue.

  11. Location of Certificate. Enter the location of the file in which the encoded certificate is located, or paste in a base-64 encoded certificate including header and footer in the text area provided. Click Next to continue.
  12. Certificate Details. This informational screen displays the certificate so you can inspect its contents. Click Next to continue.
  13. Import Certificate Chain. This screen appears only if you need to import the CA certificate chain. Follow these steps to do so:
  14. Paste the certificate chain into the text box, then click Next.
Storage Key and Recovery Agent Configuration

  1. Storage Key Creation for Data Recovery Manager. Select the length you have decided on for your storage key, then click Next to continue.
  2. Data Recovery Key Scheme - 1. Enter both the required number of recovery agents and the total number of recovery agents, then click Next.
  3. Data Recovery Key Scheme - 2. The number of table rows corresponds to the total number of agents you specified in the previous screen. Enter the user ID and password for each agent in the table, then click Next.
To continue configuring the Data Recovery Manager, go to "SSL Server Certificate from a Remote CA."
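The two numbers entered on the Data Recovery Key Scheme screens describe an m-of-n threshold: the storage key can be reconstructed only when at least the required number of the total recovery agents cooperate. The following Python is an added example, not code from this guide or from Certificate Management System, and it does not claim to reproduce how CMS splits its storage key internally. It illustrates the m-of-n idea with Shamir's polynomial secret sharing over a prime field, including the validation the two wizard fields imply (1 <= required <= total) and what happens when too few agents present their shares.

```python
import secrets

# Prime field for the arithmetic. 2**127 - 1 is a Mersenne prime, so every
# non-zero element has an inverse and the interpolation below is exact.
PRIME = 2**127 - 1


def validate_scheme(required, total):
    """The two wizard fields: `required` agents out of `total` must cooperate."""
    if not isinstance(required, int) or not isinstance(total, int):
        raise TypeError("agent counts must be integers")
    if not 1 <= required <= total:
        raise ValueError("required agents must be between 1 and the total number of agents")


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x, mod PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, required, total):
    """Split an integer secret into `total` shares (x, y); any `required`
    of them reconstruct it, and fewer reveal nothing about it."""
    validate_scheme(required, total)
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a non-negative integer below PRIME")
    # The constant term is the secret; the other required-1 coefficients are
    # random, so the polynomial has degree required-1 and needs that many
    # plus one points to be fixed.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(required - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, total + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over whichever shares are presented.
    With fewer shares than `required` this still returns a value, but one
    unrelated to the secret, which is why the count has to be enforced."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("the same agent's share was presented twice")
    result = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        result = (result + yi * num * pow(den, -1, PRIME)) % PRIME
    return result


def recover_with_threshold(shares, required):
    """Enforce the scheme before interpolating, as a recovery workflow should."""
    if len(shares) < required:
        raise ValueError(f"{required} agents are needed, {len(shares)} presented")
    return recover_secret(shares[:required])


if __name__ == "__main__":
    # Constructed demonstration: 3 of 5 agents are required.
    shares = split_secret(123456789, 3, 5)
    print("any 3 shares:", recover_with_threshold(shares, 3))
    print("only 2 shares:", recover_secret(shares[:2]))
```

The constructed run recovers the secret from any three of the five shares; interpolating only two shares yields an unrelated field element, which is the property that makes the "required number" a real security boundary rather than a convenience.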

Cloned Certificate Manager Configuration

To configure a cloned Certificate Manager, install the software or create a new CMS instance and copy the key3.db and cert7.db files from the config directory of the original server to the config directory of the clone. You must copy the database files before you perform the steps described under "Initial Configuration." Finally, follow the steps described here. Some decisions you make determine the content and sequence of the screens that follow.

You should have previously collected the requested information in the section "Cloned Certificate Manager Configuration" of Chapter 4, "Installation Worksheet."

  1. Server Migration from Certificate Server 1.x - Step 1. Click No. If you are migrating from Certificate Server 1.x, you migrate the data to the original CMS Certificate Manager instance. The clones should not use migrated data.
  2. CA's serial number range. Specify the lowest serial number the CA should use in the "Starting serial number" field. If you only use one CA server, you can leave the "Ending serial number" blank to indicate no upper limit. If you use cloned CA servers to distribute load, you must specify an upper limit. For cloned CAs, be sure that the range of serial numbers does not overlap with any other CA server.
  3. Clone key and certificate materials - Step 1. Click Yes to reuse the certificate and key material in the database files you copied from the original server. In the "Instance Name" field enter the instance ID of the original Certificate Manager instance. Select the token name where the keys and certificate are stored, and enter the token's password.
  4. Clone key and certificate materials - Step 2. On this screen you choose whether to reuse the SSL server certificate stored in the original Certificate Manager instance database or create a new one. You can only reuse the SSL server certificate if the clone uses the same hostname as the original server instance. To reuse the SSL server certificate, select Yes, enter the instance ID of the original server instance, select a token, and enter the token password.
  5. If you do not or cannot reuse the SSL server certificate, the screens that follow will be those described in "SSL Certificate Configuration."

    If you do reuse the SSL server certificate, the next screen will be the one described in "Single Signon Configuration."
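The serial number range screen carries two rules that are easy to get wrong across several clones: a blank "Ending serial number" is allowed only when there is a single CA, and the ranges of cloned CAs must never intersect. The following Python is an added example, not code from this guide or from CMS, that checks a planned set of ranges before they are typed into the wizards. CA names and ranges are constructed for the demonstration.

```python
def parse_serial(field):
    """Parse one wizard field; accepts decimal or 0x-prefixed hexadecimal."""
    s = field.strip()
    return int(s, 16) if s.lower().startswith("0x") else int(s, 10)


def parse_range(starting, ending):
    """Turn the two wizard fields into (low, high). A blank "Ending serial
    number" means no upper limit and is represented as None."""
    low = parse_serial(starting)
    high = None if ending.strip() == "" else parse_serial(ending)
    if low < 0 or (high is not None and high < low):
        raise ValueError(f"invalid serial range {starting!r}..{ending!r}")
    return low, high


def ranges_overlap(a, b):
    """True if two (low, high) ranges share at least one serial number."""
    alow, ahigh = a
    blow, bhigh = b
    # Disjoint only if one range ends strictly before the other starts. An
    # unbounded range (high is None) never ends, so it collides with any
    # range that starts at or above its own start.
    a_before_b = ahigh is not None and ahigh < blow
    b_before_a = bhigh is not None and bhigh < alow
    return not (a_before_b or b_before_a)


def find_overlaps(ranges):
    """Return the pairs of CA names whose ranges intersect."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges_overlap(ranges[a], ranges[b])]


def check_clone_ranges(ranges):
    """Apply both rules from the wizard: with more than one CA every range
    needs an upper limit, and no two ranges may overlap."""
    problems = []
    if len(ranges) > 1:
        for name in sorted(ranges):
            if ranges[name][1] is None:
                problems.append(f"{name}: ending serial number must be set when the CA is cloned")
    for a, b in find_overlaps(ranges):
        problems.append(f"{a} and {b}: serial number ranges overlap")
    return problems


if __name__ == "__main__":
    # Constructed plan: the original CA plus two clones, one of them misconfigured.
    plan = {
        "ca-original": parse_range("1", "1000000"),
        "ca-clone1": parse_range("1000001", "2000000"),
        "ca-clone2": parse_range("1500000", "2500000"),
    }
    for problem in check_clone_ranges(plan):
        print(problem)
```

In the constructed plan the checker reports that ca-clone1 and ca-clone2 overlap between 1500000 and 2000000, the situation that would let two CAs issue different certificates with the same serial number.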

SSL Certificate Configuration

SSL Server Certificate from the Local CA

The following screens allow you to generate an SSL Server Certificate signed with the local CA signing certificate.

  1. Key-Pair Information for SSL Server Certificate. The token you select is used to store the SSL server certificate and key pair. If you have not previously initialized the token's password, you must do so in this screen. Specify the key type and length, then click Next to continue.
  2. Message Digest Algorithm. Select the algorithm to use for computing the certificate signature: SHA-1, MD2, or MD5. Click Next to continue.
  3. Subject Name for SSL Server Certificate. The values you enter here identify the SSL server certificate. The CN must be the host name of the machine on which the server is running. You must also enter the Organization, such as the name of your company. The Organization is required because its absence causes Netscape Communicator 4.x to crash. Enter the values for the subject DN components here, then click Next.
  4. Validity Period for SSL Server Certificate. The validity period for the SSL server certificate determines how soon you will have to renew the certificate. Enter the validity period, then click Next.
  5. Certificate Extensions for SSL Server Certificate. The default settings should work for most deployments. If necessary, you can add additional extensions by pasting the base-64 encoding for each extension in the space provided on this screen. For more information about extensions, see Appendix C, "Certificate Extensions." Click Next to continue.
  6. SSL Server Certificate Creation. This information screen tells you that the configuration wizard has all the required information to generate a key pair and its corresponding certificate. Click Next to generate the certificate.
To complete your configuration of this CMS instance, see "Single Signon Configuration."

SSL Server Certificate from a Remote CA

The following screens allow you to configure an SSL Server Certificate issued by the subordinate or remote CA.

  1. Key-Pair Information for SSL Server Certificate. The token you select is used to store the SSL server certificate and key pair. If you have not previously initialized the token's password, you must do so in this screen. Specify the key type and length, then click Next to continue.
  2. Message Digest Algorithm. Select the algorithm to use for computing the certificate signature: SHA-1, MD2, or MD5. Click Next to continue.
  3. Subject Name for SSL Server Certificate. The values you enter here identify the SSL server certificate. The CN must be the host name of the machine on which the server is running. You must also enter the Organization, such as the name of your company. The Organization is required because its absence causes Netscape Communicator 4.x to crash. Enter the values for the subject DN components here, then click Next.
  4. SSL Server Certificate Request Creation. This informational screen tells you that the wizard has all the information required to generate the key pair and certificate request. Click Next to generate the request.
  5. Submission of Request: Choose whether you want to submit the request manually or send the request to a remote CMS server automatically.
  6. For automatic enrollment, select "Send the request to a remote CMS now," enter the hostname and end-entity port number, and select whether this end-entity port uses SSL. Click Next to submit the request, then continue with step .

    Follow these steps to submit your certificate request manually. Click Next when you are ready to proceed to the next screen.

    In addition to the copy on the clipboard, the screen informs you that the certificate request has been saved to a file. You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the subordinate CA's signing certificate.

    If you are submitting your request to a third-party CA, follow the instructions provided by that CA. If you are submitting your request to a CMS Certificate Manager, follow these steps:

  7. Certificate Request Result. This screen confirms that the request has been submitted. You can use the request ID provided to retrieve the certificate from the end-entity port once it has been issued. A Certificate Manager agent can follow the instructions in the next step to issue the certificate.
  8. A Certificate Manager agent issues the certificate. After you submit the request, the agent for the Certificate Manager to which you submitted the request must approve it. For example, if you are the agent, go to the Agent Services page for the Certificate Manager (using the same computer where you got your agent certificate), choose Certificate Manager Agent Services, and follow these steps:
  9. SSL Server Certificate Installation. Click Yes to install the certificate now, or click No to install it at another time. The default is No. When you choose the default, you will continue with the configuration, and you'll be asked at the end of the configuration if you want to install the certificate at that point.
  10. If you have submitted your request to a third-party CA or to a remote Certificate Manager, you may have to wait days or weeks before you receive the certificate. In this case, you should click No, continue as far as you can with the configuration, and resume after you receive the certificate. For a description of the screens that follow if you choose this option, see "Single Signon Configuration."

    You should click Yes only if you have received the base-64 encoded certificate and are ready to install it. Click Next to continue.

  11. Location of Certificate. Enter the location of the file in which the encoded certificate is located, or paste in a base-64 encoded certificate including header and footer in the text area provided. Click Next to continue.
  12. Certificate Details. This informational screen displays the certificate so you can inspect its contents. Click Next to continue.
  13. Import Certificate Chain. This screen appears only if you need to import the CA certificate chain. Follow these steps to do so:
  14. Paste the certificate chain into the text box, then click Next.
To complete your configuration of this CMS instance, see "Single Signon Configuration" (the next section).
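Both paste boxes described above, the single certificate on the "Location of Certificate" screen and the chain on the "Import Certificate Chain" screen, take base-64 text with its header and footer lines. The following Python is an added example, not code from this guide or from CMS: it checks what is about to be handed to the wizard, splits a pasted chain into its individual certificates, and catches the common copy-and-paste defect of a truncated body by comparing the length the outer DER SEQUENCE claims with the bytes actually present. The sample bytes are a constructed DER SEQUENCE standing in for a real certificate.

```python
import base64
import re

# One PEM block: header, base-64 body, footer. Labels with spaces such as
# "X509 CERTIFICATE" are allowed by the character class.
_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P<end>[A-Z0-9 ]+)-----",
    re.DOTALL,
)
_B64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")
_ACCEPTED_LABELS = ("CERTIFICATE", "X509 CERTIFICATE")

# Constructed stand-in for a certificate: DER SEQUENCE { INTEGER 5 }.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])


def _der_outer_length(der):
    """Total length the outer DER SEQUENCE claims (tag + length + content),
    so a truncated paste is rejected before anything tries to use it."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("certificate does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: length in one byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def parse_pem_bundle(text):
    """Parse pasted text into a list of DER certificates, checking each
    block's header/footer pair, its base-64 body and its outer DER length."""
    blobs = []
    for m in _BLOCK_RE.finditer(text):
        if m.group("label") != m.group("end"):
            raise ValueError("mismatched BEGIN/END labels")
        if m.group("label") not in _ACCEPTED_LABELS:
            raise ValueError(f"unexpected PEM label {m.group('label')!r}")
        body = "".join(m.group("body").split())   # drop line breaks and spaces
        if not _B64_RE.match(body):
            raise ValueError("certificate body is not base-64")
        der = base64.b64decode(body, validate=True)
        if _der_outer_length(der) != len(der):
            raise ValueError("certificate is truncated or has trailing bytes")
        blobs.append(der)
    if not blobs:
        raise ValueError("no PEM certificate block found")
    return blobs


def validate_paste(text):
    """Convenience wrapper for the paste box: (True, count) or (False, reason)."""
    try:
        return True, len(parse_pem_bundle(text))
    except ValueError as exc:             # binascii.Error is a ValueError too
        return False, str(exc)


def to_pem(der, label="CERTIFICATE"):
    """Inverse operation: wrap DER bytes in the header and footer the wizard
    expects, with the conventional 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


if __name__ == "__main__":
    chain = to_pem(SAMPLE_DER) + to_pem(SAMPLE_DER)
    print(validate_paste(chain))                       # a two-certificate chain
    print(validate_paste(to_pem(SAMPLE_DER[:-1])))     # last byte lost in the paste
```

Feeding the output of this check into the wizard is not necessary; its value is in telling apart "the CA sent a bad certificate" from "the clipboard lost a line" before a day is spent on the wrong one.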

Single Signon Configuration

The following are the final screens of the Installation Wizard.

  1. Create Single Signon Password. The single signon password simplifies the way you subsequently sign on to CMS by storing the passwords for the internal database, tokens, and LDAP publishing. Each time you log on, you're only required to enter this single password. Enter the single signon password, then click Next to continue.
  2. Configuration Status. This screen should indicate that your configuration has been successful. Click Done to exit the wizard.
You have now completed your configuration of this CMS instance. For information on creating additional instances in the same server root directory, see "Stage 4: Creating Additional Instances or Certificate Manager Clones."

For information on creating the first agent for the managers in this instance, see "Administrator/Agent Certificate Enrollment."

Additional Steps

Each of the following screens may be displayed at different points in the Installation Wizard, depending upon your actions taken thus far and your path through the installation.

Administrator/Agent Certificate Enrollment

Immediately after installing any Certificate Management System instance, the administrator must enroll for the initial administrator/agent certificate. This is the first user certificate that Certificate Management System issues.

The initial user is both an administrator and an agent. This person can create additional agents with the appropriate user privileges and issue them certificates. Since there is no agent yet to approve the request, a special enrollment form allows you to get this first certificate automatically.

After you submit this initial Administrator/Agent Certificate Enrollment form, it is automatically disabled, so that no one else can acquire a certificate without agent approval or some form of automated authentication. The system automatically adds the initial user to the list of agents.

To enroll for the first agent certificate, you should be working at the computer you intend to use as the agent, so that the new certificate will be installed in the browser you will be using to access the Agent Services pages. Follow these steps:

  1. Open a web browser window.
  2. Go to the URL for the SSL agent port. By default, this is a URL of the following form:

    https://<hostname>:<agent_port_number>

  3. Complete the dialog boxes as instructed (the exact procedure depends on the browser you are using).
  4. In the Administrator/Agent Certificate Enrollment form, enroll for a client SSL certificate as the system's first privileged user by entering the following information:

    Authentication Information

    User ID: The ID you entered for the CMS administrator during installation.
    Password: The password you specified for the CMS administrator during installation.

    Subject Name

    The subject name is the distinguished name (DN) that identifies the certified owner of the certificate.

    Full name: Name of administrator/agent
    Login name: User ID of administrator/agent
    Email address: Email address of administrator/agent
    Organization unit: Name of the organization unit to which the administrator/agent belongs
    Organization: Name of the company or organization the administrator/agent works for.
    Country: Two-letter code for the administrator/agent's country.

    User's Key Length Information

    Key Length: The length of the private key that will be generated by your browser. This key corresponds to the public key that is part of the administrator/agent certificate.

    Note that the validity period of this initial agent certificate is hard-coded as one year.

  5. Click Submit.
  6. Follow the instructions your browser presents as it generates a key pair.
  7. If authentication is successful, the new certificate will be imported into your browser, and you will be given an opportunity to make a backup copy.
Now you have a client authentication certificate in the name you specified. This special user, who was named as the initial administrator for Certificate Management System during installation, has been automatically designated as the first agent. This certificate allows you to access the Agent Services pages. As an agent, you can approve enrollment requests and start issuing new certificates. To access the CMS windows in Netscape Console, you use the User ID that you specified for the certificate and the corresponding password; both must correspond to the values you specified for the CMS administrator during installation.

Important: After you submit the initial Administrative Enrollment form, it is no longer available from the agent port. If something goes wrong and you are unable to obtain the administrator/agent certificate, you must reset a parameter in the configuration file to make the initial administrative enrollment form available again. Follow these steps:

  1. In the left frame of Netscape Console, open the CMS instance for which you want to display the Administrator/Agent Certificate Enrollment form. The server requests the password for the CMS administrator.
  2. Click the icon labeled Stop the Server.
  3. Go to the directory <server_root>/<instance_ID>/config, open the file CMS.cfg in a text editor, and find the following line:

    agentGateway.enableAdminEnroll=false

  4. Change false to true, and save the file.
  5. Start the server from the CMS window where you stopped it. (Alternatively, right-click on the name of the instance in the left frame and choose Start Server.) At this point, the server asks you for the single signon password you specified during installation.
  6. The next time you access the SSL agent port, the Administrator/Agent Certificate Enrollment form will be available again.
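The following Python is an added example, not code from this guide or from CMS. It performs the file edit from the procedure above on a CMS.cfg-style key=value file without disturbing comments or other parameters, and it doubles as an audit that a deployed instance keeps the flag at false once the administrator/agent certificate has been obtained, since a form that hands out agent certificates on the strength of the administrator password alone should not stay reachable longer than needed. The parameter name is the one given in the procedure; the sample file content and the example.* key are constructed for the demonstration.

```python
# Constructed CMS.cfg-style fragment for the demonstration. Only the
# agentGateway parameter comes from the guide; "example.*" is a placeholder.
SAMPLE_CFG = """\
# constructed sample, not a real CMS.cfg
agentGateway.enableAdminEnroll=false
example.otherParameter=42
"""

ADMIN_ENROLL_KEY = "agentGateway.enableAdminEnroll"


def parse_cfg(text):
    """Read key=value lines into a dict, skipping blanks and # comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def set_param(text, key, value):
    """Return the file text with only the line for `key` rewritten (appended
    if the key is absent); comments and other parameters stay byte-for-byte."""
    out, found = [], False
    for raw in text.splitlines():
        stripped = raw.strip()
        is_target = (not stripped.startswith("#")
                     and stripped.partition("=")[0].strip() == key)
        if is_target:
            out.append(f"{key}={value}")
            found = True
        else:
            out.append(raw)
    if not found:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def admin_enroll_enabled(text):
    """True if the initial Administrator/Agent Certificate Enrollment form is
    switched on in this configuration text (absent key means off)."""
    return parse_cfg(text).get(ADMIN_ENROLL_KEY, "false").lower() == "true"


def reenable_admin_enroll(text):
    """The recovery step from the procedure: change false to true."""
    return set_param(text, ADMIN_ENROLL_KEY, "true")


def audit(text):
    """Findings a reviewer of a running instance would want to see. After the
    first agent certificate exists this list should be empty."""
    findings = []
    if admin_enroll_enabled(text):
        findings.append(f"{ADMIN_ENROLL_KEY} is true: the initial enrollment form "
                        "is reachable on the agent port")
    return findings


if __name__ == "__main__":
    recovered = reenable_admin_enroll(SAMPLE_CFG)
    print(recovered, end="")
    print("audit before:", audit(SAMPLE_CFG))
    print("audit after re-enabling:", audit(recovered))
```

To use it against a real file, read <server_root>/<instance_ID>/config/CMS.cfg into a string, apply reenable_admin_enroll while the server is stopped, write the result back, and run audit on the same file again after the certificate has been imported into the browser.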

Stage 3: Further Configuration Options
When you have completed the initial configuration and installation of a CMS instance, you use the CMS window for that instance within Netscape Console to further configure the system as necessary. For example, you may want to configure LDAP publishing, authentication modules, and policy modules, and customize end-entity forms and other aspects of the system's operation.

For detailed information about the many CMS configuration options available, see Netscape Certificate Management System Administrator's Guide.


Stage 4: Creating Additional Instances or Certificate Manager Clones
After the initial installation, you can use the Administration Server Console to create additional instances of Certificate Management System in the same server root directory. Use the Certificate Management System Console and the Installation Wizard to configure any new instances.

To create an additional instance of Certificate Management System:

  1. Start Netscape Console and log in with the administrator password. The main window of Netscape Console appears.
  2. In the navigation tree at the left, open your computer, then open Server Group.
  3. Right-click Server Group. Choose "instance of" from the menu, then choose Certificate Management System from the submenu.
  4. In the resulting dialog box, specify the unique identifier for the new instance.
  5. If the new instance is a Certificate Manager clone, copy the key3.db and cert7.db files from the original server's config directory to the new instance's config directory. The config directory is

    <server_root>/<instance_ID>/config

  6. Configure the new instance using the Installation Wizard and Console, as you did for the first instance.
For more information about installing multiple CMS instances, see "Chapter 4, Installing and Uninstalling CMS Instances," in Netscape Certificate Management System Administrator's Guide.

First Agent for an Additional CMS Instance

When you have finished setting up an additional CMS instance, you need to create at least one agent for that instance. If the new instance includes a Certificate Manager, you can create the administrator/agent as described in "Administrator/Agent Certificate Enrollment," as you did for the first instance in the server root. If the new instance does not include a Certificate Manager (that is, it contains a Registration Manager, a Data Recovery Manager, or a Registration Manager and Data Recovery Manager), you need to create a new agent as described in this section.

To create the first agent for an additional CMS instance that doesn't include a Certificate Manager, you use the CMS window for the new instance in Netscape Console to add a new user with agent privileges. You can then either associate the original administrator/agent certificate with the new user (if the original administrator and the new agent are the same person), or you can issue a new agent certificate for each new manager agent and associate the new certificate with the new user.

In either case, you create the new user and associate a certificate with that user as follows. These instructions assume that you have already copied the base-64 encoded certificate (whether the original administrator/agent certificate or a new agent certificate) to the clipboard.

  1. Start Netscape Console and log in with the administrator password. The main window of Netscape Console appears.
  2. In the navigation tree at the left, open your computer, then open Server Group.
  3. Select the name of the new instance.
  4. In the Netscape Certificate Management System panel at the right, click Open.
  5. Log in as the CMS administrator.
  6. Select the Configuration tab and select "Users and Groups" in the navigation tree.
  7. On the Users page, click Add, and in the dialog box that appears, provide the following information:

    User ID: ID for the new user, for example, RegMgr
    Full name: Name of the new user, for example, Registration Manager Agent
    Password: Password for the new user
    E-Mail: Email address for the new user
    Group: Select the appropriate agent group.

  8. Click OK. The new user appears in the list of users.
  9. Select the new user's entry in the list of users.
  10. Click Certificates.
  11. In the Manage User Certificates dialog, click Import.
  12. In the Import Certificate dialog box, click Paste from Clipboard and click OK.
  13. In the Manage User Certificates dialog box, click Done.
You have now designated an agent for the specified manager. You can now present the certificate you installed for that agent to access the Agent Services pages for that manager in the new instance.

For more information about setting up and managing agents, see "Chapter 7, Managing Privileged Users and Groups," in Netscape Certificate Management System Administrator's Guide.
 

Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.