This chapter provides a worksheet to help you prepare for installing a single instance of Netscape Certificate Management System. Print this chapter and make as many copies as you need. Fill out one copy for each CMS instance you plan to install and refer to it during the installation and configuration process. You should fill it in after you have read Chapter 3, "Planning Your Deployment." It is designed for easy reference while you are following the procedures described in Chapter 5, "Installation and Configuration."
This chapter has the following sections:
To install an instance of Certificate Management System, you must also install an Administration Server and Netscape Console application and have access to a configuration and user/group directory. For more information on the Netscape server environment, see Managing Servers with Netscape Console.
Enter the full pathname for the existing server root directory or for a new server root directory. For example, /usr/netscape/server4.
The default should be the fully qualified host name of the machine on which the installation is taking place. For example, mydirectory.com. Do not attempt to install remotely.
Enter the user ID that Directory Server will run as. The configuration directory server process runs as this user. You should run the server as a user with restricted access to other system files and resources. Where your system supports it, accept the default user nobody, creating that user as necessary.
Enter a group to which the System User ID belongs. The group should also have limited access to system resources and files. Where your system supports it, accept the default user nobody, creating that group as necessary.
The default should be the fully qualified host name of the machine on which the configuration directory is located. For example, mydirectory.com.
Do you want to use another directory to store your data?
User directory port_____________________________________________
Bind as_____________________________________________
User directory server suffix_____________________________________________
User directory administrator ID_____________________________________
You need to provide the following information about the configuration directory, whether it is an existing one or a new one to be created by the Installation Wizard:
Enter the port number for the Directory Server instance. The default is 389, if it is available, or a randomly selected number. The port number you specify must not be used for any other purpose.
This unique identifier is required for each instance of a Directory Server. For example, configdir.
The ID for the user who will authenticate to Netscape Console with full privileges. For example, diradmin1.
The password must be at least eight characters long.
Enter the domain name of the current host. For example, o=mydomain.com.
Enter the distinguished name (DN) of the directory manager for the configuration directory.
This DN can be short and does not need to conform to any suffix configured for your directory. It also should not correspond to an actual entry stored in your directory. For example, cn=Directory Manager.
This domain name identifies the collection of servers that use the same configuration directory. For example, mydomain.com
The default Administration Port is randomly generated. Pick a port number between 1024 and 65535 on which to run your Administration Server, or accept the default number.
Run the Administration Server as root if you want to be able to start and stop services and use port numbers below 1024 (for example to use port 80 for the HTTP end entity gateway).
You must specify a unique identifier for the CMS server instance that you are installing.
Enter a unique identifier such as certxx01.
The default installation directory is C:\Netscape\Server4. If you want to use a different directory, enter the full pathname for the existing server root directory or for a new server root directory.
You cannot install more than one server root directory on a Windows NT system.
Choose one of these options:
If you choose the above option, the Installation Wizard will create a new instance of Directory Server for use as the configuration directory for this server root.
Port_____________________________________________
Password_____________________________________________
If you choose this option, the installation script either adds a user/group directory to the newly installed instance of Directory Server (if you have already decided to install a new configuration directory) or installs a new instance of Directory Server for use as a user/group directory.
Suffix_____________________________________________
Enter the port number for the Directory Server instance.
If you are creating a new directory, this should be the domain name of the current host. For example, o=mydomain.com.
For example, diradmin1.
The password must be at least eight characters in length.
Pick a port number between 1024 and 65535 on which to run your Administration Server, or accept the default number.
For each instance of Certificate Management System, a new instance of Netscape Directory Server is created on the local host to act as the internal (local) database. Each subsystem must have access to this local database to store certificates, certificate requests, keys, and other information. The Certificate Management System uses LDAP over SSL to communicate with its local database.
The default provided by the system is the CMS server identifier with the suffix -db; for example, cmsdemo-db.
The default is 38900, but you may choose any value less than 65535. On Unix, you must choose a port greater than 1024 if you are not logged in as root.
The default is CN=Directory Manager. You can enter something more meaningful, such as CN=Internal Directory Manager.
Specify the CMS administrator. This person will be able to access the CMS window of Netscape Console and approve the first agent certificate.
For example, CMSadmin.
For example, Certificate Management System Administrator.
Choose the subsystems you will install in this instance. You can choose Certificate Manager and Data Recovery Manager together, or Data Recovery and Registration Manager together, or you can choose any individual manager, but you cannot install Certificate Manager and Registration Manager together. The Certificate Manager can be configured to perform all Registration Manager functions, so it's not necessary or possible to install both managers in the same instance.
Registration Manager___________
Data Recovery Manager__________
If you are installing a Registration Manager, you need to provide the following information about the Certificate Manager to which the Registration Manager sends certificate requests:
SSL agent port for remote Certificate Manager__________________________
If you are installing a standalone Certificate Manager or Registration Manager, and if you have already installed a remote Data Recovery Manager that you want the new manager to use, you need to provide the following information about the Data Recovery Manager:
SSL agent port for remote Data Recovery Manager______________________
Enter numbers for the ports to be used for various kinds of communications. On Unix, you must be root to assign ports less than 1024. The default values are well-known ports, which are used only if they are not already in use. If these defaults are not available, a randomly chosen port number is given as the default.
SSL agent port (HTTPS) (default is 8100)__________________
SSL end-entity port (HTTPS) (default 443)_________________
Non-SSL end-entity port (HTTP) (default 80)_______________.
If you are importing any certificates and keys previously created with Certificate Server 1.x, you must specify where they are, how to retrieve them, and where to put them. For information about migrating these files to Certificate Management System, see Appendix A, "Migrating from Certificate Server 1.x."
Enter the pathname to the directory where the migrate tool output files keyscerts.dat, database_add.ldif, and database_mod.ldif are located. All three files must be in the same directory. For example, /eng/migrationfile/certmanage/mycompany/.
Enter the transport password that you specified while exporting data with the Migration tool.
Enter either internal (if you plan to use the internal token) or the name of an external token. If you are using an external token, you will need to install it before you run the Installation Wizard. In the Installation Wizard, you can select from a list of all installed and available tokens. For example, SmartCard.
The password for the token must be at least one character long.
The password must be at least one character long.
When you install the Certificate Manager subsystem, you must supply information for the CA certificate that the Certificate Manager will use to sign the certificates it issues. This certificate also functions as the Certificate Manager's SSL client certificate.
For most CAs, you only need to enter the starting serial number. When you configure cloned CAs, you must specify upper and lower bounds for the serial numbers on all CAs and you must make sure the ranges do not overlap.
Enter the lowest serial number available for this CA to assign to certificates it creates. You can enter the number in decimal or hexadecimal (0xnn). The default is 0x1.
Enter the highest serial number available for this CA. You can enter the number in decimal or hexadecimal (0xnn). The default is no upper limit (blank).
For a discussion of related issues, see "CA Signing Key Type and Length" in Chapter 3.
RSA or DSA.
Available settings for RSA are 512, 1024, 2048, or custom. Available settings for DSA are 512, 1024, or custom.
In general, longer keys are considered to be cryptographically stronger than shorter keys. However, longer keys also require more time for signing operations.
Select the message digest algorithm to use for generating digital signatures on certificates.
For a discussion of issues related to the subject name, see You may fill in the attribute template or simply enter the DN as a string of attribute-value pairs"CA's Distinguished Name" in Chapter 3.
A DN is a series of name-value pairs that in combination uniquely identify an entity. The subject DN identifies the CA signing certificate. You are not required to enter all the values, but must enter the Organization (O), such as the name of your company. The Organization is required because its absence causes Netscape Communicator 4.x to crash. For more information about distinguished names, see Appendix A, "Distinguished Names," in Netscape Certificate Management System Administrator's Guide.
You can specify the validity period for a self-signed CA signing certificate only. The validity period for a subordinate CA signing certificate is determined by the issuing CA.
Enter beginning and ending dates for the certificate's validity period. The validity period for the CA signing certificate determines how soon you will have to renew the certificate, which can be a complex procedure.
You can specify the extensions for a self-signed CA signing certificate only. Extensions for a subordinate CA signing certificate are specified by the issuing CA.
Certification path length (Null)_______________________
The certificate chain path length, if specified, determines the maximum number of certificates in a chain, starting with the end-entity certificate. If you do not specify this attribute, the length of the chain is unlimited.
Object-signing (No)_________
SSL server (No)_________
S/MIME CA (Yes)_________
S/MIME (No)_________
Object-signing CA (Yes)_________
SSL CA (Yes)_________
Subject Key Identifier (Yes) ________________
Key usage (No)_____________
If you decide to include the key usage extension, the following key usage bits are set by default:
keyCertSign
CRLSign
To add extensions not included by default by CMS, you will need to paste the base64 encoding of a sequence of extensions into the wizard.
If you are installing a subordinate CA, you need to specify where to send your request for a CA signing certificate.
Enter the URL for the end-entity gateway of the Certificate Manager that will issue the subordinate CA's signing certificate. For example, https:// hostname:443/.
When you install a Registration Manager subsystem, you must supply information for the certificate that the Registration Manager will use to sign certificate requests. This certificate also functions as the Registration Manager's SSL client certificate. The Installation Wizard formulates a certificate request on the basis of information you provide. It is possible for the CA that issues the certificate to overrule some of your decisions.
A DN is a series of name-value pairs that in combination uniquely identify an entity. The subject DN identifies the Registration Manager signing certificate. You are not required to enter all the values, but must enter the Organization (O), such as your company name. The Organization is required because its absence causes Netscape Communicator 4.x to crash. For more information about distinguished names, see Appendix A, "Distinguished Names," in Netscape Certificate Management System Administrator's Guide.
If you are submitting your certificate request to a third-party CA, follow the instructions provided by that CA.
Key-Pair Information for Transport Certificate
For a discussion of issues related to key type and length, see "CA Signing Key Type and Length" in Chapter 3.
A DN is a series of name-value pairs that in combination uniquely identify an entity. The subject DN identifies the transport certificate. You are not required to enter all the values, but must enter the Organization (O), such as your company name. The Organization is required because its absence causes Netscape Communicator 4.x to crash. For more information about distinguished names, see Apendix A, "Distinguished Names," in Netscape Certificate Management System Administrator's Guide.
You can specify the validity period for a transport certificate only if you are installing the Certificate Manager and Data Recovery Manager at the same time and you want the Certificate Manager that you just installed issue the transport certificate. If the transport certificate is issued by a remote CA, its validity period is determined by the issuing CA.
Enter beginning and ending dates for the transport certificate's validity period.
You can specify the extensions for a transport certificate only if you are installing the Certificate Manager and Data Recovery Manager at the same time and you have decided to have the Certificate Manager that you just installed issue the certificate. If the transport certificate is issued by a remote CA, its extensions are determined by the issuing CA.
Certification path length (No)_______________________
S/MIME CA ((No)_________
S?MIME (No)_________
Object-signing CA ((No)_________
SSL CA ((No)_________
Subject Key Identifier (No)
If you decide to include the key usage extension, the keyEncipherment key usage bit is set by default.
If you are obtaining your transport certificate from a remote CA, you need to know where to submit your certificate request.
Enter the URL for the end-entity gateway of the Certificate Manager that will issue the transport certificate. For example, http://hostname:17006.
Storage Key Creation
Specify the length of the key that the Data Recovery Manager uses to encrypt end-entity encryption keys for storage.
The options available are 512, 1024, or 2048.
The number of agents you enter here is determined by your organization's policies with respect to data recovery. If you enter a larger number than the default of 2 for the number of recovery agents required to recover a key, you're reducing the chances of inappropriate recovery but increasing the complexity of the recovery process.
Total number of designated recovery agents (n, default 3)_______________________________________
Specify user IDs and passwords for the total number of designated recovery agents (see preceding section):
User ID______________________ Password_________________________
When you install the Certificate Manager subsystem, you must supply information for the CA certificate that the Certificate Manager will use to sign the certificates it issues. This certificate can also functions as the Certificate Manager's SSL client certificate. If the clone uses a different hostname than the original CA, you will need to generate a new SSL server certificate.
If you do not use the copied key and certificate databases, the Certificate Manager will need to generate a new signing key and certificate; consequently, it will not be a clone.
Answer yes, otherwise you are creating a new Certificate Manager and not a clone. Instance name of the original server ____________________________
Answer yes, otherwise you are creating a new Certificate Manager and not a clone.
Token name where copied keys are stored _______________________
Token password ___________________________________________
If the clone uses the same hostname, you can use the same SSL server certificate and key copied from the original server. Otherwise, answer no and continue with the next section, "SSL Server Certificate Configuration."
Instance name of the original server ____________________________
Key-Pair Information for SSL Server Certificate
For domestic versions of Certificate Management System, available settings for RSA are 512, 1024, 2048, or custom, and available settings for DSA are 512, 1024, or custom.
A DN is a series of name-value pairs that in combination uniquely identify an entity. The subject DN identifies the CA signing certificate. You are not required to enter all the values, but must enter the Organization (O), such as your company name. The Organization is required because its absence causes Netscape Communicator 4.x to crash. For more information about distinguished names, see Apendix A, "Distinguished Names," in Netscape Certificate Management System Administrator's Guide.
You can specify the validity period for an SSL server certificate only if you are installing a Certificate Manager and you have decided to have that Certificate Manager issue the certificate. If the SSL server certificate is issued by a remote CA, its validity period is determined by the issuing CA.
Enter beginning and ending dates for the certificate's validity period.
You can specify the extensions for an SSL server certificate only if you are installing a Certificate Manager and you have decided to have that local Certificate Manager issue the certificate. If the SSL server certificate is issued by a remote CA, its extensions are determined by the issuing CA.
SSL server (Yes)_________
S/MIME CA (No)_________
Object-signing CA (No)_________
SSL CA (No)_________
keyEncipherment
If you are obtaining your SSL server certificate from another CA, you need to know where to submit your certificate request.
Enter the URL for the end-entity gateway of the Certificate Manager that will issue the SSL server certificate. For example, http://hostname:17006.
Previous
