These release notes contain important information about Version 4.2, Service Pack 2 (SP2) release of iPlanet Certificate Management System (CMS). New features and enhancements, installation notes, known problems, and other late-breaking issues are addressed here. Read this document before you begin installing and using Certificate Management System.

These release notes contain the following sections:

• What's New in This Release
• CMS Documentation
• Software/Hardware Requirements
• Installation Procedure
• Important Notes and Known Bugs
• How to Report Problems
• For More Information

---

What's New in This Release

• Improved scalability (using cloned CAs)
• Improved performance and reliability
• Inclusion of a new server named "Online Certificate Status Manager" that functions as a OCSP responder with abilities to receive CRLs from multiple CAs
• Built-in OCSP service for the CA, enabling the CA to function as a light-weight OCSP responder
• Support for issuance of wTLS-compliant certificates (for wireless applications/devices)
• Improved SDK, including better Javadocs and tutorials for developing Java plug-ins
• Updated standards (Java 2)
• Policy processor that accepts policies written in JavaScript
• Support for requesting certificates in the CMC format
• i18n support for all end-entity interfaces
• Pluggable architecture for CMS logs
• Improved and extended CMS 4.2 features
• Improved product documentation

• Supported Operating Systems
• Other Packages
• Features

Supported Operating Systems

Other Packages

Features

CMS Documentation

• iPlanet Certificate Management System Release Notes (this document)

The release notes contain information on new features of this release, software/hardware requirements for installing the product, important notes and known bugs, last-minute product information, and how to send feedback.

• iPlanet Certificate Management System Installation and Setup Guide

This guide describes how to plan for, install, and configure Certificate Management System. Read this guide first, after you've read these release notes. Both HTML and PDF versions of this guide are provided.

• iPlanet Certificate Management System Plug-ins Guide

This guide provides detailed reference information on CMS plug-in modules, such as the ones provided for authentication, policy, publishing, and so on. Both HTML and PDF versions of this guide are provided.

• iPlanet Certificate Management System Command-Line Tools Guide

This guide provides detailed reference information on CMS tools. Both HTML and PDF versions of this guide are provided.
 
• iPlanet Certificate Management System Customization Guide

This guide provides reference information on customizing the HTML-based agent and end-entity interfaces. Both HTML and PDF versions of this guide are provided.

• iPlanet Certificate Management System Agent's Guide

This guide provides an overview of the CMS Agent Service interface and explains how to use the interface to perform agent tasks. Both HTML and PDF versions of this guide are provided.

• iPlanet Certificate Management System End-Entity Help

This document is the online help provided for the End-Entity Services interfaces; this interface contains HTML-based forms for certificate enrollments, renewals, revocations, and so on. Only an HTML version of this document is provided.

For the latest information about Certificate Management System, including current release notes, technical notes, and deployment information, check this web site: http://docs.iplanet.com/docs/manuals/cms.html

Software/Hardware Requirements

Operating Systems Supported

• AIX 4.3.3
• Compaq Tru64 v4.0D
• HP-UX B.11.00
• Solaris 2.6, 2.7, and 8
• Windows NT 4.0

Other Required Software

• Netscape Administration Server 4.2 (included)
• Netscape Directory Server 4.13 (included)

Check the Directory Server 4.13 release notes at http://docs.iplanet.com/docs/manuals/directory.html for the latest information about installing this server.
• Browser software that supports SSL

We strongly recommend that users who will interact with Certificate Management System as agents or end entities using Netscape Communicator should use Communicator version 4.7x. Earlier versions, such as 4.5x, may not work properly. Netscape 6 has not yet been fully tested with CMS 4.2-SP2.

 Platform, Memory, and Hard Disk Requirements

In addition to the requirements listed below, make sure you have ample swap space or virtual memory allocated for the system on which you intend to install Certificate Management System.

 

AIX Platform Requirements
OS Version	AIX 4.3.3 (with relevant Java 2 patches)
Machine	PowerPC_604 or faster
RAM	1 GB
Hard disk storage space requirements	Total required is approximately 400 MB, as follows: Total transient space required during installation: 100 MB Hard disk storage space required for installation: Space required for setup, configuration, and running the server: approximately 250 MB Additional space to allow for database growth in pilot deployment: approximately 50 MB Total disk storage space for installation: approximately 300 MB
Compaq Tru64 Platform Requirements
OS Version	Compaq Tru64 v4.0D (with relevant Java 2 patches)
Machine	267MHz alpha or faster
RAM	256 MB
Hard disk storage space requirements	Total required is approximately 400 MB, as follows: Total transient space required during installation: 100 MB Hard disk storage space required for installation: Space required for setup, configuration, and running the server: approximately 250 MB Additional space to allow for database growth in pilot deployment: approximately 50 MB Total disk storage space for installation: approximately 300 MB
HP-UX Platform Requirements
OS Version	HP-UX B.11.00 (with relevant Java 2 patches)
Machine	240MHz PA_RISC 9000/800 or faster
RAM	512 MB
Hard disk storage space requirements	Total required is approximately 420 MB, as follows: Total transient space required during installation: 120 MB Hard disk storage space required for installation: Space required for setup, configuration, and running the server: approximately 250 MB Additional space to allow for database growth in pilot deployment: approximately 50 MB Total disk storage space for installation: approximately 300 MB
Solaris Platform Requirements
OS Version	Solaris 2.6, 2.7, or 8 (with relevant Java 2 patches)
Machine	Ultra 1 or faster
RAM	128 MB (required)
Hard disk storage space requirements	Total required is approximately 400 MB, as follows: Total transient space required during installation: 100 MB Hard disk storage space required for installation: Space required for setup, configuration, and running the server: approximately 250 MB Additional space to allow for database growth in pilot deployment: approximately 50 MB Total disk storage space for installation: approximately 300 MB
Windows NT Platform Requirements
OS Version	Windows NT 4.0 with Service Pack 5 or 6
Machine	Pentium 350 or faster
File system	NTFS or FAT
RAM	128 MB of RAM (recommended)
Hard disk storage space requirements	Total required is approximately 350 MB, as follows: Total transient space required during installation: 100 MB Hard disk storage space required for installation: Space required for setup, configuration, and running the server: approximately 200 MB Additional space to allow for database growth in pilot deployment: approximately 50 MB Total disk storage space for installation: approximately 250 MB
Other Requirements
On Unix systems, you must install as root in order to use well-known port numbers (such as 443) that are less than 1024. If you do not plan to use port numbers less than 1024, you do not need to install as root. If you plan to run as root, you should also install as root and specify nobody as the default run-as user and group. On a Windows NT system, you must install as Administrator or a user with Administrator privileges (that is, the user must be in the Administrators group).

---

Installation Procedure

• Before installing the product, be sure to read these release notes and the installation instructions in CMS Installation and Setup Guide.

• If you're using the product CD for installation, this book is available as a PDF file in the Docs directory.
• If you downloaded the software from the web site, download the PDF version of the book from this site: http://docs.iplanet.com/docs/manuals/cms.html

• If you’re using CMS 4.2 and want to upgrade to CMS 4.2-SP2, follow the upgrade instructions provided in Chapter 7, "Installing and Uninstalling CMS Instances".
• If you don't have any previous installation of Certificate Management System, follow the instructions for installing the software. It involves the following stages:
• Stage 1: Run the installation script (setup on Unix, setup.exe on Windows NT) to install administration and directory servers as necessary, and perform the initial phase of CMS installation.
• Stage 2: Run the Installation Wizard to set up the initial configuration of the CMS instance. This is where you specify which subsystems are to be part of this instance.
• Stage 3: Use Netscape Console to further configure the new CMS instance as needed. For example, you must provide it with information about the LDAP publishing and authentication directories.
• Stage 4: If you wish, use Netscape Console to create additional instances of the Certificate Management System in the same server root directory, and use the Installation Wizard to configure them.

• If you wish to install a separate, stand-alone version of Netscape Console 4.2 for any reason, you can download it from this site: http://www.iplanet.com/downloads/patches/

Important Notes and Known Bugs

Administration Server

• To change the IP address of Administration Server, use the perl script provided here: <server_root>/shared/bin/admin_ip.pl

The syntax is admin_ip.pl <Dir_Manager_DN> <Dir_Manager_password> <old_IP> <new_IP> [port]
where
• <Dir_Manager_DN> is the DN of the manager of the Administration Server configuration directory (for example, "cn=Directory Manager");
• <Dir_Manager_password> is the password used to bind to the Administration Server configuration directory;
• <old_IP> is the current IP address;
• <new_IP> is the new IP address you want to use;
• [port] (optional) is the port Administration Server should use on the new address.

• After you create a new CMS instance using Netscape Console, the Console window does not display the instance in the navigation panel. To display the new CMS instance in the panel, click the Console's View menu and select Refresh.

• When you're trying to create a new CMS instance and if Administration Server starts up before the configuration Directory Server, you will get the following message and the instance will not be created: Please restart the console and admin server before creating a new instance

Once you  restart Administration Server, you will be able to create CMS instances without receiving the above message. Note that the above message will not always occur for all CMS  instance creations -- it appears mostly due to the randomness of the start order between Administration and Directory Servers on Window NT; typically, Directory Server starts first, but there are cases where Administration Server starts first. Certificate Management System requires Directory Server started prior to Administration Server. [# 394059]

• Netscape Administration Server does not support EXCEED X server software for running Unix X-Windows applications on Windows NT. Therefore, EXCEED will not run reliably with Certificate Management System.

• Netscape Administration Server might crash when you create or remove a CMS instance. If this happens, go to the command line and start Administration Server. [# 352824 and # 352372]

• By default, Administration Server administrator's password (also known as the SIE password) is stored in clear text in the adm.conf file.

This does not usually pose a security threat because most administrators use their Operating System's security features to ensure that the file is protected from other users. However, as an added security measure, you may choose to remove the clear text password.

If you remove the password from the adm.conf file, every time you start Netscape Console, you'll be prompted for the Administration Server administrator's password.



Once you've provided the password, if the server you're trying to connect to uses SSL, you'll be asked for the SSL token password you specified when you installed the server certificate.



To remove the clear text Administration Server password:

1. Stop the Administration Server.
2. Go to this directory: <server_root>/admin-serv/config
3. Open the adm.conf file in a text editor.
4. Delete this entry: siepid: <password>
5. Save the text file.
6. To restart the Administration Server, at the command line, run start-admin.

Known problem: As long as the SIE password is not included in the adm.conf file, you won't be able to use Netscape Console to restart Administration Server; you'll have to start the server by running startconsoleat the command line. [ # 357862]

• See also the ones listed in Installation and UI (Netscape Console/CMS Window) sections.

Authentication

• Agents and administrators must be users in the Certificate Management System user and group database. This will be replaced by ACLs in future releases.

Backup and Restore

• No known problem.

Browser

• IE 4.X and 5.X cache secure pages, but don't provide a means to flush the cache. This is especially frustrating when you authenticate to the agent interface with the wrong certificate, and then try to reload the page and reauthenticate with the correct certificate. You must reboot the system to get IE to stop caching the page. Communicator has similar problems with caching pages, but restarting Communicator causes it to flush cached secure pages. [# 394936]

• Microsoft Internet Explorer 3.x and Netscape Navigator 3.x are not fully supported by the default HTML interfaces for Agent Services (of the Certificate Manager, Registration Manager, Data Recovery Manager, and Online Certificate Status Manager). For best results, use Communicator 4.x or Internet Explorer 4.x.

• Client time drift detection in IE is disabled -- the HTML forms provided for end-user enrollment and renewal include JavaScript code (function named checkClientTime) that detects the time drift between the client and server clocks and prompts users to adjust their clocks (to be in sync with that of the server). This feature works only with Communicator. [# 341838]

• If you view a CRL as an agent using IE or Communicator, then revoke a certificate, and then view the CRL again, you will not see the certificate you just revoked listed in the CRL. To work around, exit the browser, relaunch it, and then view the CRL again. [# 347146]

• When you import a CRL from Certificate Management System into Communicator 4.x, a "View-Edit CRLs" button is added to the SIGNERS section of the Security Info window. If you click the "Reload" button for that particular CRL, it won't reload properly because of the incorrect URL. To make it work, you have to manually change the URL from https://<CMSEndEntityURL>/getCRL  to https://<CMSEndEntityURL>/getCRL?certSerialNumber=&op=importCRL&issuepoint=MasterCRL&submit=Submit.

• Communicator will crash when asked to do SSL client authentication if the DN for an SSL server certificate or a CA certificate does not have the O= attribute. However, there is a warning message displayed in the Installation Wizard if O= is left out of the DN when creating the certificates. This problem is fixed in Communicator 4.6.

• Communicator shows an error dialog when connecting with SSL to Netscape Enterprise Server, if the SSL certificate was generated with the Key Usage Extension policy turned on. To workaround the problem, turn off or disable the Key Usage Extension policy module and issue the certificate. [# 344996]

• IE fails to present a dialog asking the agent user to specify the certificate to be used for SSL client authentication to the second server, when two SSL servers are configured on the same machine. This problem occurs when you connect to two different servers running on two different ports of the same machine. When you do SSL client authentication to the first server, IE  presents a dialog box  from which you can choose the certificate you want to use to authenticate. When you connect to the other server on the same machine, IE assumes that you want to use the same certificate and doesn't provide you with an opportunity to change your selection. The result is that you fail to authenticate to the second server, because IE automatically presents the certificate you chose previously. The workaround is to restart IE (after authenticating to the first server) and then attempt to authenticate to the second server; when you restart, you can connect to the other server and you will again be presented with a dialog box for choosing an SSL client certificate. [# 350416]

• If you are using the Solaris version of IE to get a certificate using directory-based user enrollment, Certificate Management System successfully imports the certificate, but IE crashes. [# 347824]

• If IE 4.x is configured to prompt the user for a confirmation when a form is being submitted, the request will be submitted correctly. However, a second browser window may appear. [# 355696]

• IE 4.x (or higher) has problem importing a renewed certificate if the KEYGEN for the certificate didn't happen in that IE. For example, if you attempt to import a renewed certificate to IE and if the original certificate was issued to Communicator or IE (installed on another machine), you'll get the following error message: Error in acceptPKCS7. Error Number 80092004 occurred.

Note that the renewed certificate can be retrieved with Communicator and imported into IE without any problem, but any attempt to retrieve it using IE produces the above error. [# 397451]

• See also the ones listed in DSA, Installation, Internationalization, and Personal Security Manager sections.

CA Cloning

• You can create a clone Certificate Manager on the same host machine on which the master Certificate Manager is installed or on a different machine. If you choose to install the clone Certificate Manager on the same host as that of the master, you have the choice of using the master Certificate Manager's SSL server certificate for the clone Certificate Manager; the certificate and corresponding key pair are accessible to the clone Certificate Manager because as a part of the cloning process, you copy the certificate and key database of the master to the clone. If you decide to generate a new SSL server certificate for the clone Certificate Manager, be sure to specify a subject name that's different than the one specified for the master Certificate Manager's SSL server certificate; that is, when installing more than one SSL server certificate on a software/hardware token, the subject name of each certificate must be unique. However, since the 'CN' component in the subject name of SSL server certificates must be the fully-qualified hostname of the machine on which the server is installed (for example, camachine.siroe.com), subject name uniqueness can be achieved by changing other attributes, such as OU, O, L, ST, or C, that're used to form the certificate subject name. [# 528259]

CEP Support

• See # 341389 in the Remote Registration Manager section.

• If you are setting up publishing for use with Cisco Routers^TM, it is recommended that you set the appendDN parameter in the CEP script. This will append the given DN onto all the subject names of issued CEP certificates. The reason for this is that the subject names as requested by Cisco Routers are of this form:

UNSTRUCTUREDNAME=xxx+UNSTRUCTUREDADDRESS=yyy

Appending a DN such as O=company gives the certificate a root in which it is to be published. [# 386926]

• You can download a DSA CA certificate using IRE VPN client 3.0.1b3. However, because there is no way a DSA CA certificate can be used for encryption, such an action should give you some sort of meaningful message, instead of  the message that's currently being generated:  Getting cbEncodedBlob length failed

(This message is generated after a user selects the DSA certificate for enrollment, which leads to KEYGEN failure with the message.) [# 394928]

CGI Support

To configure the server to run a CGI script:

1. Stop Certificate Management System.
2. Go to this directory: <server_root>/cert-<instance_id>/web/ee
3. Create a directory for putting your CGI script, for example, cgi-bin.
4. Copy your CGI script to the cgi-bin directory.
5. Change to this directory: <server_root>/cert-<instance_id>/config
6. Open the configuration file, CMS.cfg, in a text editor.
7. Add the following lines:

eeGateway.servletName.CGI=com.netscape.certsrv.http.CgiServlet
eeGateway.servletAlias./cgi-bin=CGI
In this example, any file under the cgi-bin directory, or any path starting with /cgi-bin/ in the eeGateway will be executed as a CGI.
8. Save your changes.
9. Close the file.
10. Restart Certificate Management System.

Command-Line Tools

• Certificate Management System includes a set of compiled binaries of several command-line tools provided for your convenience. This includes security tools named Certificate Database Tool (certutil), Key Database Tool (keyutil), Netscape Signing Tool (signtool), SSL Debugging Tool (ssltap) and SSL Strength Tool (sslstrength). If any problems are found in these specific tools, you may obtain the source code and build instructions for the very latest version of this tool (and/or potentially a binary image for the newer tool) at the following URL: http://www.mozilla.org/projects/security/pki/nss/tools/index.html

Note that all Key Database Tool functions have now been incorporated into the single tool, Certificate Database Tool, and that several of the command-line options for many of the tools may have changed. Be sure to check back often to obtain the very latest version of the desired security tool, as this site will be updated often.

• The command-line tools named certutil and keyutil that are bundled with Certificate Management System rely on the security module database file (secmod.db on Windows NT and secmodule.db on Unix) to function. Before using these tools to view the list of CMS certificates or keys in a software or hardware token, you need to copy this file to the CMS configuration directory. [# 537267]

To do this:
1. Go to this directory: <server_root>/admin-serv/config/
2. Copy the security module database file (secmod.db on Windows NT and secmodule.db on Unix) to the CMS configuration directory: <server_root>/cert-<instance_id>/config
3. Use the certutil or keyutil tool. For example, run certutil -d . -L to list all certificates in the software or hardware token.

• For the modutil executable to function properly on Solaris and Compaq Tru64 platforms, the LD_LIBRARY_PATH variable must be set to <server_root>/lib. [# 538674]

• See also the ones listed in the Hardware Tokens section.

CRLs

• See the ones listed in Browser and Publishing sections.

Custom Plug-in Modules

• When developing custom modules (for example, authentication and policy) for Certificate Management System, it is recommended that you use Java 2.0, SDK 1.3.0.

• See also the one in the Starting/Stopping the Server section.

Directory Server

• In the first stage of CMS installation, you run the setup program during which you specify details relevant to the configuration Directory Server, Administration Server, and Netscape Console. In one of the screens, you're asked to specify the following information about the configuration directory (whether it is an existing one or a new one to be created by the Installation Wizard):
• Directory Server identifier -- A unique identifier for the Directory Server instance (and is required for each instance). For example, configdir.
• Directory Server network port -- The port number at which the Directory Server instance will listen to (or is listening for) requests. The default is 389.
• Suffix -- The domain name of the host. If you are creating a new directory, this should be the domain name of the current host. For example, O=mydomain.com or o=siroe.com.

In the Suffix field, you should enter a valid domain name. Otherwise, the suffix/base DN of the configuration directory will not appear correctly in the configuration Directory Server UI, accessible from within Netscape Console. For example, assume you used O=Siroe Corporation as the suffix/base DN for your configuration directory. When you open the configuration Directory Server console and view the Directory tab, the highlighted top level "Siroe Corporation" displays as follows: User Directory Subtree: O=Siroe

The "<space>Corporation" gets left off; that is, the words trailing the space get truncated in the UI. [# 395046]

• Each instance of Certificate Management System uses a Netscape Directory Server instance as its data store, referred to as the internal database. Because the internal database contains information for CMS activities, for example, activities of your CA, it's important to insulate the internal database from being visible outside its host system (and thus prevent users from outside to have access to the internal database). To make the internal database accessible only from the local machine, you must bind the Directory Server instance functioning as the internal database to a localhost (that is, IP address 127.0.0.1) with the help of listenhost parameter in the slapd.conf file; a server on localhost can only be accessed from the local machine.

However, if you bind the internal database to a localhost, Netscape Console fails to connect to the internal database. That is, if you attempt to open the console interface for the internal database from within Netscape Console, the console returns err=91, cannot connect because the LDAP server is either down or unreachable. [# 395001, # 395003]

The steps below explain how to configure Certificate Management System and the internal database to run on a localhost successfully:
1. Install Certificate Management System as you normally would.
2. Stop Certificate Management System and the Directory Server instance functioning as the internal database.
3. Add listenhost 127.0.0.1 to the slapd.conf file of the internal database. To do this:
1. Open a command-line window.
2. Go to this directory: <server_root>/slapd-<internal_database_id>-db/config
3. Open the slapd.conf file in a text editor.
4. Add this line to the beginning of the file: listenhost 127.0.0.1
5. Save your changes and close the file.
4. Change the value of the serverhostname parameter of the internal database to 127.0.0.1; if you do not do this, you cannot open the internal database from the Netscape Console topology tree. You can make this change from the configuration Directory Server Console or by using ldapmodify. To do this from the configuration Directory Server Console:
1. Log in to Netscape Console.
2. Open the console interface for the configuration directory.
3. Select the Directory tab and navigate to the server instance entry (SIE) for the internal database. The screen shot below shows how to navigate to the SIE entry of an internal database, slapd-thomask-db. (o=NetscapeRoot -> o=red.iplanet.com -> thomask.red.iplanet.com -> Server Group -> Netscape Directory Server -> slapd-thomask-db)


 
4. Right click the SIE node (for example, the slapd-thomask-db node) and select Properties. The Edit Entry dialog box appears.


 
5. Click the Advanced button at the bottom of the dialog box. The Property Editor dialog box opens.
6. Change the value of the serverhostname attribute to 127.0.0.1.


 
7. Click OK.
5. Restart Certificate Management System and the internal database.
6. Start Netscape Console by running startconsole from the command line.
7. Try to open the console interface for the internal database from within Netscape Console.

• See also the ones listed in Installation and Internationalization sections.

DSA

• When a DSA signing key pair is generated for a Certificate Manager, the Configuration Wizard first generates a new set of PQG parameters. This process is computationally intensive and will result in delays of several minutes, depending on the speed of the hardware.

• Communicator 4.x is the only browser that can successfully obtain and use DSA client certificates for SSL client authentication and that can recognize the signature on SSL certificates signed by a DSA CA. IE 5.x, which does support DSA, does not recognize SSL certificates signed by a DSA CA. Navigator 3.x and IE 3.x  do not support DSA at all.

• In order for Communicator to generate a DSA key pair, you must modify the KEYGEN tag in the default certificate enrollment forms; the modifications will indicate that the DSA algorithm is to be used, and will also supply the PQG parameters. For details on the KEYGEN tag, see "Netscape Extensions for User Key Generation" at this site: http://home.netscape.com/eng/security/comm4-keygen.html

Note that depending on your use of DSA, you may need to edit two KEYGEN tags in the adminEnroll.html form located here: <server_root>/cert-<instance_id>/web/agent/ca

Additionally, you may need to modify the KEYGEN tags in the following certificate enrollment forms:

• DirPinUserEnroll.html
• DirUserEnroll.html
• ManObjSignEnroll.html
• ManUserEnroll.html
• NISUserEnroll.html
• PortalEnrollment.html

These files are located here: <server_root>/cert-<instance_id>/web/ee

Instructions for modifying the KEYGEN tag in an enrollment form is covered in the section entitled "Customizing Enrollment Forms for Generating DSA Key Pairs" in Chapter 1, "Authentication Plug-in Modules" of CMS Plug-ins Guide. [# 352662 and # 356015]

• Once you have generated a single DSA private key with Communicator, the browser will reuse the same private key for any subsequent KEYGEN operations, rather than generating a new one. This bug can lead to the issuance of multiple certificates with identical DSA key pairs. To work around this bug, exit Communicator after generating a DSA private key, then relaunch it again. After relaunching, Communicator will generate a new DSA private key instead of reusing an existing one. You must exit Communicator after generating each DSA private key to ensure that no certificates with duplicate private keys are issued.

• For more information about using DSA for the Personal Security Manager installation, see the accompanying CMCJavascriptAPI.html document. You can get the document from this web site: http://docs.iplanet.com/docs/manuals/psm.html

• See also the ones listed in the UI (Netscape Console/CMS Window) section.

Enrollment

• On a Windows NT system, if your display configuration is set to use a background color other than white, you may notice that some of the end-entity enrollment forms don't set the background color to white, when displayed by IE 4.0. For example, if you view the manual user enrollment form (ManUserEnroll.html) or the manual object signing enrollment form (ManObjSignEnroll.html) on IE 4.0, you'll notice that the enrollment page doesn't set the background color to white. [# 385573]

• If the Data Recovery Manager's transport certificate copied into the certificate enrollment form of a Registration Manager (or Certificate Manager) is incorrect, during enrollment you will get the following error message:

Problem Processing Your Request
The Registration Manager encountered a problem while processing your request. The following is a detailed message of the error that occurred.

     Invalid Private Key

Please consult your local administrator for further assistance. The Certificate Management System logs may provide further information.

To correct this problem, modify the corresponding enrollment form to include the correct transport certificate; for details, see the section entitled "Step 3. Customize the Certificate Enrollment Form" in Chapter 21, "Setting Up Key Archival and Recovery" of CMS Installation and Setup Guide. [# 355937]

• To enroll for certificates using AT&T's Secret Agent product, use the server manual enrollment page. AT&T Secret Agent will generate a PKCS #10 request that can be pasted into the Server manual enrollment page. None of the default User enrollment pages accepts PKCS #10 data. You can, of course, use the server manual enrollment default page as an example for creating a new page dedicated to enrolling AT&T Secret Agent users.

Enterprise Server

• When using Netscape Enterprise Server version 3.62 and JRun, you can use the following Java servlet code to obtain a user's certificate:
String clientCert = "-----BEGIN CERTIFICATE-----\n" +
servReq.getHeader("auth-cert") +
"\n-----END CERTIFICATE-----\n";  // Newlines are critical!!!

Note that the servReq.getHeader("auth-cert") only works on Netscape servers. Sun's Java server uses req.getAttribute("javaex.net.ssl.peer_certificates").
The above code eliminates the need for you to do LDAP queries to obtain the certificate from the LDAP directory. [# 393043]

• Netscape Enterprise Server version 3.62 relies on the trust status of the issuer's certificate in its certificate database when validating client certificates presented during SSL client authentication -- when validating a client certificate, Enterprise Server verifies whether the CA that has signed the client certificate is trusted in its trust database. If the CA certificate is untrusted, the server rejects the client certificate. This information should be of interest to you if you have set up your Certificate Manager to function as a chained or linked CA -- that is, your Certificate Manager's CA signing certificate has been issued by a public or third-party CA.

Assume a deployment scenario in which your
• Certificate Manager is chained to a public root CA
• Certificate Manager has issued client certificates and all clients include the CA chain in their certificate databases
• Enterprise Server's certificate database includes both the public root CA certificate (trusted) and Certificate Manager's CA signing certificate (untrusted)

In this scenario, you would expect the Enterprise Server to successfully validate client certificates, but the server fails to do so because the Certificate Manager's CA signing certificate is untrusted in its database (untrusted issuer); the server doesn't check the root CA certificate for validation. [# 355999]

• See the ones listed in Browser and CRLs sections.

Extensions

• No known problems; see the ones listed in the Personal Security Manager and Policies sections.

Hardware Tokens

• When using a hardware token, you must use the token vendor's tools or utilities for initializing the token and for setting up the security officer password; the Certificate Setup Wizard may not initialize the hardware token successfully. [# 383999]

• The command-line tool keyutil (or the Key Database Tool) doesn't list keys residing in an nCipher token; for example, the command shown below won't display the list of keys residing in the token.

keyutil -L -h "tokenname" -d . -l

This will be fixed in the future version of the tool. [# 394912]

• If you have problem (Lynkstest.exe not showing expected results) using the SPYRUS^TM card with Certificate Management System running on a Windows NT system, try the following:
1. Click Start and select Control Panel.
2. In the Control Panel, double-click Devices.
3. In the Devices window, select Scsiscan and click Startup.
4. Select Disabled and click OK.


5. Remove the SPYRUS card.
6. Reboot the system.
7. After the system restarts, try running Lynkstest.exe again. If you get an error or forgot to remove the SPYRUS card when you rebooted, take the card out and put it back in, and then run Lynkstest.exe again. [# 389904]

• Hardware tokens that use a physical token (such as a key) or biometric check to unlock the key store typically do not require a password to be created during token initialization. If you're using such a hardware token with Certificate Management System, when initializing the token, the CMS installation wizard will still ask you to provide a password (even though that password is not used). To workaround this, just enter some password at the prompt and it will be ignored. Make sure that you authenticate to the hardware token (for example, by inserting the key or by using your fingerprint) before Certificate Management System attempts to generate the key. [# 381307]

• If you plan on using nCipher hardware tokens for generating keys and certificates used by CMS subsystems (for example, a Certificate Manager's CA signing certificate), be sure to use the latest version of the driver and software for the token. Certificate Management System has been tested to successfully generate DSA keys on a newer release of nCipher token. The details of this release are shown below. [# 390525]

This installer contains the following releases

sslyp devel    - SSLeay source code patch file              1.51.2
nfjava devel   - nFast Java Generic stub                   0.2.11
ldb185 user    -                                            1.0.4
nfast devel    - nFast developer software                   1.52.5
nfast user     - nFast software                             1.52.5
nftcl user     - Command line key management                1.59.2
nsapi user     - Netscape Enterprise Server 3.x plug-in     1.60.6
opensl user    - nftcl certificate generation utility       0.3.6
tclsrc devel   - Tcl run time - Headers and Libraries       1.8.7
tclsrc user    - Tcl run time                               1.8.7

• For the Solaris platform, when installing an nCipher hardware token using driver packages Cryptographic 3.06 and PKCS#11 2.02, the directory /opt/nfast/kmdata will be created. The account designated to run the CMS server processes will need access to the kmdata directory and one of its sub directories. This may be accomplished by editing /etc/group and adding the account designated to run CMS to group nfast.

For older nCipher drivers, the kmdata directory will not be created automatically.  It is recommended that the directory be created and be set to owner root and group nfast. Permissions for the directory should be set to drwxrwsr-x.  Access to the directory is then granted as described above for the newer nCipher drivers. [# 365280]

• When using the same hardware token for storing key pairs of multiple Certificate Manager instances, be sure to specify unique issuer DNs for the CA signing certificates. If you specify the same issuer DN for the CA signing certificates (you're asked to specify this when generating the certificate), the CMS installation wizard will fail to generate the certificate, and thus complete the installation process. [# 354993].

For example, assume you installed a CMS instance with a Certificate Manager and specified CN=myCA, O=Siroe, C=US as the issuer DN for the CA signing certificate. Next, you created another CMS instance with a Certificate Manager and attempted to generate a CA signing certificate with CN=myCA, O=Siroe, C=US as the issuer DN. The installation wizard will fail to generate the certificate; instead, it will display the following error message:
Token Error: import CA cert failure com.
netscape.jss.CryptoManager
$UserCertConflictException

• If you are using Chrysalis Luna^TM hardware token for storing CMS keys and certificates, after a period of time Certificate Management System may stop working. To resolve the problem, check if you ran the following command as a part of installing the hardware token:

../../shared/bin/modutil -nocertdb -dbdir . -default chrysalis -mechanisms rc2:rc4:rc5:des:dh:sha1:md5:md2:random

The above command appears in the installation instructions provided by the token vendor. [# 524072]
If you did, you can resolve the problem by rerunning the above command (only) with the undefault option, and then restarting Certificate Management System:

../../shared/bin/modutil -nocertdb -dbdir . -undefault chrysalis -mechanisms rc2:rc4:rc5:des:dh:sha1:md5:md2:random

• See also the ones listed in the Command-Line Tools section.

Installation

• Certificate Management System is built with Java 2 (SDK 1.3.0). Some UNIX platforms require specific versions of the operating system as well as operating-system patches to run their version of the Java 2 SDK 1.3. Depending on the platform, you may be required to install certain patches. If you don't install the required patches, CMS installation will fail. [# 525794]

Check the appropriate site to determine which patches you need to install.
• For Sun Solaris, check this site: http://java.sun.com/j2se/1.3/install-solaris-patches.html
• For IBM AIX, check this site: http://www-106.ibm.com/developerworks/java/jdk/jdkfaq/faqsaix130.html
• For HP UX, check this site: http://www.unix.hp.com/java/infolibrary/patches.html
• For Compaq Tru64, check this site: http://www.compaq.com/java/download/jdk_du/1.3.0/install_notes.html

• Certain new features, such as revocation checking using the OCSP protocol, supported in this release requires you to use Netscape Communicator versions 4.7 or later. If you're using earlier versions of Communicator, you must install the new version before you install Certificate Management System on a Windows NT system.

• During the installation of Certificate Management System, port numbers are suggested to the user. While the installer tries to suggest only unused ports, sometimes it is impossible to test whether the port is in use, so the installer may erroneously suggest a port that's in use. Please make sure that the ports you pick are unused before installing the product. [# 522361]

• When installing Certificate Management System, if an existing configuration Directory Server is to be used and if the existing configuration Directory Server is under a different domain, then it may be necessary to run the CMS installation in Custom mode. [# 395070]

• When installing Certificate Management System on a host which contains more than one static IP address (for example, two or more ethernet cards or a cluster), then it may be necessary to run the CMS installation in Custom mode. [# 394785]

• When you run the setup program on Unix, if you interrupt the installation process at any point, the setup program asks you if you want to continue with a default answer of [n]. Accepting the default actually continues the installation. You need to explicitly answer N to cancel out. [# 397563]

• When running the setup program, be sure to note the port number you assign to the Administration Server and use it later in the Netscape Console login screen to launch Netscape Console. The Netscape Console login screen that shows up after running the setup program does not show the correct URL (the value in the Administration URL field). The port number in the URL isn't the one you specify during setup. In order to launch Netscape Console and complete CMS installation, you need to remember the port number you assign to the Administration Server and then edit the port number in the URL. [# 382662]

If you forget to note the port number you assigned to the Administration Server, you can look it up (parameter named "port") in the configuration file of Administration Server. The file is located here: <server_root>/admin-serv/config/adm.conf

• When installing a CMS subsystem (for example, the Certificate Manager), if you specify identical subject names for the subsystem's certificates (for example, if you specify CN=myServer, OU=myDept, O=myOrg, C=myCountry as the subject name for both CA signing certificate and SSL server certificate), you will get an error. Make sure to assign appropriate values for the subject names; for example, the CN component of an SSL server certificate must be the fully-qualified host name of the machine on which the Certificate Manager will run. [# 390915]

• If you point Certificate Management System to a configuration directory running on a host which has different domain, you'll get an error message. In other words, if the domain for Administration Server is different than that of Certificate Management System, it would fail to bind to Administration Server; the reason for this is that you cannot set the domain for Administration Server. [# 389862]

• During installation, depending on the subsystems you've chosen to install, you generate various certificates, such as Certificate Manager's CA signing certificate, Registration Manager's signing certificate, and SSL server certificates. As a part of generating these certificates, you're required to specify subject names for the certificates. Subject names are formulated using DN components, such as Common Name (CN), Organizational Unit (OU), Organization (O), Locality (L), State (ST), and Country (C). Be sure to enter an appropriate value, such as the name of your company, for the Organization (O) component. The Organization is required because its absence causes Netscape Communicator version 4.6 (or below) to crash when it encounters the certificate. [# 362451]

• When installing a Registration Manager, the installation wizard does not present you with an appropriate screen for specifying whether you want to connect it to a Certificate Manager or to another Registration Manager. The wording on the screen suggests that the Registration Manager can only be connected to a Certificate Manager.

For example, assume that you are installing a Registration Manager (RA2) and want to chain it to another Registration Manager (RA1) that has already been installed and connected to a Certificate Manager (CA). When you run the installation wizard for RA2, you should have the opportunity to specify the host name and port number of RA1 so as to chain RA2 to RA1. However, the screen presented by the installation wizard suggests that you can connect RA2 to CA only. Note that the error is limited to the wordings on the screen only. You may use the input fields to enter values that correspond to a Certificate Manager or Registration Manager. In other words, you should ignore the on-screen wordings and enter the host name and port number of the subsystem -- either a Certificate Manager or another Registration Manager -- to which you want to connect the Registration Manager being installed. [# 351672]

• When running the Installation Wizard for installing a Data Recovery Manager, in the screen where you enter key recovery agents' user IDs and passwords, pressing the Tab key does not advance focus to the next field; this requires you to double-click a field to give it focus. [# 389864]

• At the end of the CMS installation wizard you're asked to enroll for an agent certificate. If you go ahead and request the agent certificate, the Certificate Manager issues you a certificate with a validity period of one year, irrespective of the validity period of your CA certificate. The reason for this is, as any other certificate request your very first agent certificate request gets subjected to the currently configured policy rules of the Certificate Manager. It is important to know that during CMS installation a few policy rules are automatically enabled with default settings. To find out more about these rules:
1. Log in to Netscape Console.
2. Double-click the CMS instance of your interest.
3. In the navigation tree, click Certificate Manager.
4. Click Policies. The right pane lists the currently configured policy rules. To view current settings of a rule, select it and click Edit.

The default policy rule named DefaultValidityRule (which is an instance of ValidityConstraints plug-in) determines the validity period of all certificates issued by the Certificate Manager. By default, this rule is configured to issue certificates that are valid for a year (365 days), starting from the day they are issued.

If you want your agent certificate's validity period to be the same as that of your CA certificate, be sure to edit the DefaultValidityRule policy rule first so that the server can approve the validity period you want to request, and then enter the required validity period in the enrollment form for the first agent certificate. [# 399178]

• If you're installing Certificate Management System on a Japanese version of Windows NT, the default validity dates displayed by the Installation Wizard may not be correct. Be sure to adjust the dates before you click the Next button. [# 401375]

• When installing Certificate Management System as a subordinate CA, in one of the steps, the Installation Wizard asks you to paste the complete root CA certificate chain. Be sure to paste the complete chain for the root CA. If you fail to paste the correct root CA chain, for example, if you paste in the CA certificate instead of the chain, the Installation Wizard does not complain. Later, if you view the certificate chain in the Retrieval tab of End-Entity Services interface, the chain will only display the lower-level CA certificate; it will not show the root CA certificate. [# 384940]

• See the ones listed in the Internationalization section.

Internationalization

• You cannot add users to the directory if the user entries have attribute data in a non-English (ISO-8859-1) character set and the operating system uses the English (en or C) locale. Netscape Console will not accept multibyte language input, so ldapmodify must be used to add multibyte data to Directory Server. However, there is a bug in ldapmodify that prevents multibyte data from being added successfully if the operating system locale is English. To add multibyte data, install Directory Server on a system whose operating system supports the correct language and run ldapmodify on that system.

• When requesting a certificate using the Manual enrollment form for Netscape Communicator with Personal Security Manager, if you enter double-byte characters, such as Japanese or Korean characters, in Full Name, Common Name, First Name, Last Name, Organizational Name, Organizational Unit Name fields, you get an error. [# 384405]

• When using Netscape Communicator with Personal Security Manager, if you attempt to import a certificate with BMPString encoding, import works. Later, when you view the certificate in the Personal Security Manager interface, the nickname isn't displayed correctly. Also, if you click the View button and check certificate details, the subject name of the certificate doesn't appear correctly. [# 384406]

• If you request a certificate using the Manual enrollment form for the English version of Netscape Communicator 4.7 running on a non-english version of Window NT 4.0 (for example, Korean), Certificate Management System issues the certificate. However, when you attempt to import the certificate into Communicator, the certificate doesn't get imported. There's no error message to indicate that the import operation was unsuccessful. [# 384407]

• Netscape Communicator crashes if you attempt to import a certificate with BMPString encoding. [# 384408]

Job Scheduling/Notification

• When naming a job (instance), be sure to formulate the name using any combination of letters (aA to zZ), digits (0 to 9), an underscore (_), and a hyphen (-); other characters and spaces are not allowed. For example, you can type My_Job or MyJob as the name, but not My Job. If you create a job instance with a space in the instance name, you may not find that instance in the CMS Console after you restart the server. [# 532176]

• If there are no expired certificates in the internal database and if the unpublishExpiredCerts job is enabled, you will see an error similar to this in the log:

6831.unpublishExpiredCerts - [30/Jun/2002:22:50:01 PDT] [20] [0]
unpublishExpiredCerts: buildContentParams: null value for name= SummaryItemList

In addition, in the summary notification sent for unpublished certificates, the words "VALUE UNKNOWN" will show up before the table-title row. All it means is that there are no expired certificates. [# 400973]

• The product documentation erroneously states the following [# 464982]:
  "Using the Jobs Scheduler, you can configure a Certificate Manager or Registration Manager to automatically send email-based renewal notices to users whose certificates are about to expire or have expired."
  
  In fact, you cannot configure a Registration Manager to automatically send such email-based renewal notices. This section of the documentation will be fixed in the next version of the product.

JSS

• Certificate Management System integrates JSS 2.1, which allows you to find VERSIONing information that may be useful when reporting bugs or choosing a patch. Here's how you can find out the version:

• On all UNIX systems, do the following from the command line:

% strings jss21.jar | grep "VERSION ="
DBM_VERSION = DBM_1_54
JDK_VERSION = JDK 1.2.2
#JSS_VERSION = JSS_2_1   05 Jan 2001
NSPR_VERSION = v3.5.1
NSS_VERSION = NSS_2_8_4_RTM
SVRCORE_VERSION = SVRCORE_2_5_1

% strings libjss21.so | grep "VERSION ="
JSS_VERSION = JSS_2_1   05 Jan 2001
JDK_VERSION = JDK 1.2.2
SVRCORE_VERSION = SVRCORE_2_5_1
NSS_VERSION = NSS_2_8_4_RTM
DBM_VERSION = DBM_1_54
NSPR_VERSION = v3.5.1

• On HP systems, you can perform the exact same command on jss21.jar file, but you will need to specify libjss21.sl on the command line instead of libjss21.so.
• On Windows Systems that do not have a version of "strings" and/or "grep" via MKS Toolkit, and do not have a compiler installed, the :notepad.exe program can be used. Simply open  the jss21.jar file in notepad.exe, and use the Search menu item. Then select Find from the submenu, type in VERSION = in the "Find what:" field, and check the Match case checkbox. Click the Find Next button to traverse the contents of the file. Likewise, you can open the jss21.dll file in notepad and follow the same steps.

Logging

• This release supports a new architecture for CMS logs, enabling you to plug-in custom log modules (similar to authentication, policy, and publishing).

Miscellaneous

• Initial connection to Netscape Console with a 2048-bit RSA SSL server certificate is a bit longer than the one made with a 512 bit RSA SSL server certificate.

• The configuration file, CMS.cfg, only supports Unix-style file separator, the forward slash (/). If MS file separator is required, you should use two backward slashes (\\) instead of one (\). [# 326875 and # 331495]

• Limitation in ECXpert 2.x when using certificates issued by Certificate Management System 4.1 -- when you paste in a certificate issued by Certificate Management System into ECXpert 2.x, be sure to cut and paste the base-64 encoded certificate excluding the marker lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----; including the marker lines will result in an error. [# 356027]

• You may encounter problems with Certificate Management System when using SSL server certificates that are issued by a public CA, if these certificates have Basic Constraints extension set in them. [# 356424]

• When creating a CMS instance, if you receive the following error message, it could be due to the server needing to achieve access over a slow network: Operation Error: Unable to perform the instance creation task

Note that despite the error message, the instance will be created properly and you will be able to configure it. [# 395304]

• The product documentation erroneously states the following [# 4727931]:

"Public storage key: used to encrypt an end entity's private encryption key for long-term storage.

"Private storage key: used to decrypt an end entity's stored private encryption key after m of n recovery agents have authorized the recovery operation."

In fact, the opposite is true. The documentation should read:

"Public storage key: used to decrypt an end entity's stored private encryption key after m of n recovery agents have authorized the recovery operation.used to encrypt an end entity's private encryption key for long-term storage.
"Private storage key: used to encrypt an end entity's private encryption key for long-term storage."

This section of the documentation will be fixed in the next version of the product.

OCSP

• This version of Certificate Management System includes a new server named Online Certificate Status Manager. This server can receive CRLs from multiple Certificate Managers and can function as an OCSP responder in your PKI.

• The documentation (CMS Customization Guide) doesn't cover the HTTP interface of Online Certificate Status Manager. The updated documentation will be posted to the web site on a future date.

Performance

• To improve performance under high load on Solaris we recommend that you do the following:

1. Install Solaris patches 103582 and 103630; these patches include various TCP/IP performance/stability related fixes.
2. Increase the number of threads available listening on the end-entity port by adding the following to the configuration file (CMS.cfg):
eeGateway.http.backlog=30
eeGateway.http.maxThreads=40
eeGateway.https.backlog=30
eeGateway.https.maxThreads=40
3. If you increase the number of threads available listening on the end-entity port, you must also increase the number of per-process file descriptors. By default, this limit is 64. Check your system by typing: sysdef. Note that the value reported is in hex. To increase the number of file descriptors (each thread may use at least one, maybe two file descriptors; also remember that about 30 are used by Certificate Management System for other purposes), edit the /etc/system file, inserting the following lines:
set rlim_fd_max=1024
set rlim_fd_cur=256
4. Reboot the system. [# 345598]

Personal Security Manager

• Unlike the previous versions, this version of Certificate Management System does not bundle Netscape Personal Security Manager. You can download the latest version of Personal Security Manager from this site: http://www.iplanet.com/downloads/download/

• If you want to add the Name Constraints extension to certificates and if your client is Netscape Communicator 4.7x with Personal Security Manager, make sure to set the permittedSubtrees.min and excludedSubtrees.min parameters to 0 in the NameConstraintsExt policy rule for client certificates. [# 386825]

• By default, CMS enrollment pages for Personal Security Manager specify the key size as 512 bits. However, you can specify to use the largest key size available using the parameter named crypto.algorithms.rsa.signing.keySizes[0], which is described in the document entitled JavaScript API for Client Certificate Management. You can get the document from this web site: http://docs.iplanet.com/docs/manuals/psm.html

Note that the document currently does not say that the 0th element will always be the largest key size supported. [# 395019]

• When you view a CMS-issued certificate in Personal Security Manager, it does not display information such as the algorithm and key size of the key associated with the certificate. However, IE displays this sort of information. [# 395453]

• Also see the ones listed in the Browser section.

Policies

• The Netscape Comment Policy Extension works only with Netscape Navigator; it does not work with Microsoft Internet Explorer.

• If you make some changes to extensions through policy, for example, add a Subject Directory Attributes Extension policy, and if you clone an old request, you'll see the request with its old set of extensions. However, when you approve the cloned request, the resulting certificate will have the new extension. [# 401670]

• See also the ones listed in the Browser section.

Publishing

• When configuring publishing, if you enter incorrect data (in the Publishing panel of CMS window) and attempt to save it, Certificate Management System will ask you to either save or abort your changes. If you choose to save, you must later make sure to configure the server correctly, and then restart the server for your changes to take effect. [# 388097]

• If the Certificate Manager is installed as a root CA and if you use its agent interface to update the directory with valid certificates, you may get an object class violation error (or other errors in the mapper). The reason for this is the CA signing certificate may get published using the publishing rule set up for user certificates. You can avoid this problem by selecting the appropriate serial-number range to not include the CA signing certificate; the CA signing certificate is the first certificate a root CA issues. [# 532510]

If the root CA has issued a subordinate CA certificate, the certificate may also get published using the publishing rule set up for user certificates, resulting in an object class violation error. To avoid the problem in publishing the subordinate CA certificate, you will need to do this:
• Modify the default publishing rule for user certificates by changing the value of the predicate parameter to HTTP_PARAMS.certType!=ca.
• Use the LdapCaCertPublisher publisher plug-in module to add another rule, with the predicate parameter set to HTTP_PARAMS.certType==ca, for publishing subordinate CA certificates.

• See also the ones listed in CRLs and UI (Netscape Console/CMS Window) sections.

Remote Registration Manager

• In one of the steps of a Registration Manager installation, the Installation Wizard asks you to paste the CA certificate in its PKCS#7 format. In the PKCS#7 chain that you paste, if either the root CA certificate or subordinate CA certificate doesn't have an O= component in its subject name, the Installation Wizard fails to import the PKCS#7 chain, resulting in the following error message:
java.security.cert
CertificateEncodingException:
CERT_ImportCAChain returned an error

To workaround the problem you should install the required CA certificates (for example, the root CA certificate or subordinate CA certificate, or both) using the certutil tool.  Note that the above suggested workaround prevents you from managing the Registration Manager's certificate database using the UI -- you will not be able to use the 'Manage Certificates' window in the CMS console. [# 512054]
The workaround suggested below is for a Registration Manager connected to a subordinate CA (RA-->subCA-->rootCA).
1. Run the Installation Wizard until you get the above mentioned error.
2. Quit the Installation Wizard.
3. Open a web browser window.
4. Go to the subordinate CA's end-entity interface.
5. Select the Retrieval tab.
6. Click Import CA certificate.
7. Select the "Display certificates in the CA certificate chain for importing individually into a server" option and click Submit.

You should see the certificates in base-64 encoded formats. Don't close this window.
8. Open a command-line window.
9. Go to Registration Manager's configuration directory:

cd <server_root>cert-<ra_instance_id>/config
10. Create two text files named subca and rootca.
11. Copy the base-64 encoding of the subordinate CA certificate into the subca file and of the root CA certificate into the rootca file. Be sure to include the -----BEGIN CERTIFICATE---- and -----END CERTIFICATE----- wrappers.
12. Save and close the files.
13. Add the two certificates to the Registration Manager's certificate database by running the following certutil commands:

certutil -d . -A -n "subca" -a -t TC,TC,TC -i subca
certutil -d . -A -n "rootca" -a -t TC,TC,TC -i rootca
Now you have imported the certificates.
14. Restart the Installation Wizard and run it as usual.
15. When the wizard asks you for the PKCS#7 chain, paste the chain as before. (You must still provide the chain, but the wizard won't try to reimport those certificates because they already exist in the Registration Manager's certificate database.)
16. Complete the installation process.

• If the remote Registration Manager is not set up correctly to work with the Certificate Manager, an unclear HTTP message results. Check to make sure that the configuration for the remote Registration Manager is set up correctly.

• The Registration Manager does not yet support the CRS/CEP enrollment; all router enrollment requests must be made through the Certificate Manager. [# 341389]

• Registration Managers cannot display the full PKCS #7 certificate chain for certificates. If you need the full PKCS #7 chain for a CA's certificate, you must use the Get CA Chain interface (Retrieval tab in the End Entity Services interface) on a Certificate Manager instance. If you need the full PKCS #7 chain for a particular certificate (such as a subordinate CA certificate) you must go to the Certificate Manager and display the certificate; the PKCS#7 chain is at the bottom of the page that shows the certificate.

• In a chained-CA setup, for example, a setup in which you have two CAs and a Registration Manager (Root CA --> Subordinate CA --> Registration Manager), if you list requests on the Registration Manager as a Registration Manager agent and if you notice that all requests are in the svc_pending state, it's likely that the trust setting among the three entities has not been set up correctly; that is, a certificate (CA or SSL) is not trusted and needs to be trusted. For example, in the above mentioned setup, if the SSL server certificates of the Registration Manager and the subordinate CA are signed by different CAs, transfer of requests from the subordinate CA to the Registration Manager would fail. To troubleshoot the problem, check CMS logs. [# 395614]

Renewal of CMS Certificates

• When renewing the CA signing certificate of a Certificate Manager, if you change the key algorithm, the corresponding parameters don't get changed in the configuration file (CMS.cfg). This causes the server to fail from starting up. To workaround this problem, you must modify the value assigned to the algorithms parameter of the policy rule named SigningAlgRule in the CMS.cfg file. For details about values you can assign to the algorithms parameter, check the section named "SigningAlgorithmConstraints Plug-in Module" in the CMS Plug-ins Guide. [# 386772]

Request Queue Processing

• This release allows agents to list requests based on their type, enrollment, renewal, revocation requests.

• This release does not support the cancel request operation.

Revocation

• When changing the status of a revoked certificate to valid in the internal database (Directory Server), it's not sufficient to change the value of the certStatus field from REVOKED to VALID. To properly switch the status of the certificate from revoked to valid, you need to remove revinfo, empty two fields, revokedon and revokedby, and change the value of the certStatus field from REVOKED to VALID.  [# 393454]

• See also the ones listed in the CRLs section.

Samples and SDKs

• To locate the CMS SDK and sample code, see SDK and Samples.

Searching for Certificates

• Searching for certificates is slow if the search criteria include a validity period and if there are many tens of thousands of certificates in the internal database.

Starting/Stopping the Server

• The 'Stop' operation stops the server without checking the password that is passed from the Console.

• The 'Start' operation fails when passed an incorrect password at startup -- when you attempt to start the server with a wrong password, the server does not prompt that the password you've entered is incorrect.

• You can stop a CMS instance from Netscape Administration Express, an HTML-based interface that can be launched by entering http://<admin_server_host>:<admin_server_port>  in the browser's URL field. However, you cannot start a CMS instance from this interface. [# 389901]

• Certificate Management System doesn't prompt you to supply the single sign-on password when you make an attempt to stop the server from the Windows NT service panel.

• If Certificate Management System is running on a Windows NT machine, it is not advisable to install any JDK on the same machine. If you install JDK 1.1.8 or later versions of JDK, Certificate Management System may not start due to an entry in the registry, forcing the CMS jre to use the classpath provided by the JDK installation. The solution is to remove the offending registry entry; you can use regedit to search for the jdk directory. [# 395048]

• In Certificate Management System 4.2, when you view any certificate that has been issued, it also shows you the PKCS#7 chain. The PKCS #7 chain can be used to install the certificate in a third-party CA that requires the certificate to be in the PKCS #7 format (instead of the based-64 encoded format). Note that Certificate Management System 4.1 displays the certificate in its based-64 encoded format only.

RSA Security Server^TM

• RSA Security Server does not accept a certificate that has a DSA signing key. [# 395018]

SHYM PKEnable^TM

• If PeopleSoft or SAP servers are protected by certificates with different CA roots than the one used by SHYM clients, and a new CA certificate is introduced into the SHYM system, the SHYM clients are automatically updated, but the servers are not. This requires the SHYM administrator to restart the PeopleSoft/SAP servers to cause the SHYM's to be reloaded to clear their caches of trusted roots (to refresh their root list).

• In order to introduce a new CA root into the SHYM software, the SHYM's PKEnable™ V2 management console, the following procedure needs to be run by the SHYM administrator:
1. Go to CA's end-entity page (either HTTP or HTTPS).
2. Select the Retrieval tab.
3. Click Import CA Certificate Chain.
4. Click "Download the CA certificate chain in binary form ".
5. Save the X509v3 certificate with a .cer extension.
6. Follow the SHYM software instructions to load the root into the SHYM software.

Check Point VPN-1^TM

• You can configure Certificate Management System to work with Check Point VPN-1, version 4.1. For details, take a look at this document in your CMS installation: <server_root>/cms_sdk/third_party/CheckPoint/CheckPoint_integration.html

UI (Netscape Console/CMS Window)

• The user interface of this product identifies it as Netscape Certificate Management System (instead of iPlanet Certificate Management System).

• The Netscape Console displays the product version number as 4.22 instead of 4.2, service pack 2. [# 533237]

• When you create a new CMS instance using Netscape Console, you might get the following error:

Operation Error: Unable to create the instance.
Check the log files under <server_root>/cert-<instance_id>/logs directory.

However, if you Refresh the console window, you'll see the entries that correspond to the new instance. If refreshing the window doesn't show the new entries, recreate the instance. [#534954]

• When you delete a CMS instance using Netscape Console, the entries corresponding to the instance don't get deleted. However, if you check the directory structure in the host system, the files for the instance you deleted are removed. [# 534959]

• Although the UI (Installation Wizard and CMS Window) allows you to specify key sizes up to 4096 for CMS certificates, be noted that the maximum key size allowed for all certificates in Certificate Management System is 2048 bits. For example, you cannot generate a key size of 4096 bits for the CA signing certificate or SSL server certificate. The documentation too incorrectly states that you can generate key sizes up to 4096 bits. [# 528714]

• Netscape Console, version 4.2 doesn't support the DSA key algorithm. This prevents you from using the auto-submit feature of the Installation Wizard and Certificate Setup Wizard to automatically submit the request to the CMS's HTTPS port for end-entity enrollments, if that CMS instance is using a DSA key. For example, when installing a Registration Manager, if you attempt to auto submit the Registration Manager's signing certificate request to the end-entity HTTPS port of a Certificate Manager whose SSL server certificate corresponds to a DSA key (or the certificate has been signed by a CA with DSA key), the wizard will fail to submit the request.

The workaround for this is to use the manual method of request submission -- that is, copy the base-64 encoded certificate request, go to the CMS's end-entity enrollment page (HTTPS), open the appropriate form, paste the certificate request, and submit the completed request. Alternatively, if you must use the auto-submit feature, you can change the CMS's configuration to accept certificate-enrollment requests on the end-entity HTTP (non-secure) port and then auto submit the request. [# 385973]

• If you install Certificate Management System on HP-UX platform and if the CA's signing certificate is of DSA key type, you'll not be able to use Netscape Console to manage Certificate Management System; Netscape Console will crash if you attempt to connect to Certificate Management System. To workaround the problem, install Netscape Console on a different platform, such as Windows NT or Sun Solaris, and use it to manage Certificate Management System. [# 413268]

• When installing a certificate using the Installation Wizard or the Certificate Setup Wizard, if the certificate is contained in a file, you should leave the file until the certificate is successfully installed. If you remove the file before the wizard completes installing the certificate, for example, if you remove the file after the wizard displays the detailed version of the certificate, the wizard will display an error indicating that it cannot find the file. [# 387267]

• When installing a certificate in the Console using X windows, you cannot simply highlight and drop the base-64 encoded certificate into the text box or field. Instead, you must explicitly cut the base-64 encoded certificate from one application (such as a text editor or web browser) and paste into the text box of the console. [# 327841]

• The Certificate Setup Wizard does not properly handle "+" and "," characters in Distinguished Name components. If you need to use one of these characters as part of a DN component, enclose the entire text in double quotes (") or escape the character with a backslash (\). For example, to use Siroe, Inc. as the organization (O) attribute, enter

    "Siroe, Inc."

in the text field for the O component. [# 391583]

• The Certificate Setup Wizard can automatically post a certificate signing request (CSR) to a Certificate Manager's or Registration Manager's enrollment interface. However, the Certificate Setup Wizard assumes that the port is 80 (even if the protocol in the URL is https). When you enter the URL for submitting the request, always include the port number if it is not 80. An example enrollment URL including port 443 is https://ca.siroe.com:443/enrollment. [# 390032]

To use https://, it is also important to have loaded the trusted root for the CA into the Administration Server's trust database prior to doing the enrollment. Otherwise, Administration Server will not be able to verify the SSL certificate that the CA is using -- assuming the SSL certificate is issued by a self-signed CA. If the CA chains under a public CA, this is a non-issue. Assuming the CA's SSL certificate is signed by a CA that Administration Server isn't aware of, you must do the following prior to enrollment for the Administration Server's SSL certificate:
1. Login to Netscape Console.
2. Double-click the Administration Server instance to open the Administration Server console.
3. Start the Certificate Setup Wizard (by clicking the Certificate Setup Wizard button available in the Tasks tab).
4. Click Next.
5. Be sure to select "Yes" as the certificate has already been generated, and click Next.
6. Setup password on the trust database if not already setup.
7. Click on "trusted certificate authority", and click Next.
8. Paste in the trusted root for the unknown CA, and then complete the rest of the wizard steps.

After this point, the SSL certificate that needs to be verified during the Administration Server enrollment (via the https:// URL) will chain
up to the trusted root. Note that if the trusted root (or any part of the chain) contains a DSA certificate, then the Console 4.2 UI will have problems initiating an https:// connection between the Console 4.2 (client) and Administration Server 4.2 (server). This is due to the limitation that Console client does not understand the DSA algorithm. [# 394929]

• When installing the Certificate Manager as a subordinate CA with the option for issuance of wTLS-compliant certificates enabled, if you send the request for the CA signing certificate automatically and if the request is submitted to the remote Certificate Manager successfully, the resulting message does not show the request ID. However, when you proceed with your installation steps, you'll see the request ID in the screen that enables you to specify the location of the certificate, and you'll be able to automatically import the already-issued certificate by specifying the request ID. [# 536335]

• If you enable an outbound LDAP connection from Certificate Management System, (for example, for publishing or authentication), make sure you specify the correct port. If you turn on SSL, but specify the regular, non-SSL LDAP port, the console may hang when the LDAP settings are changed. [# 399543]

• In the Console page for setting up LDAP publishing, there are input fields for entering values for the DNComps, filterComps, and baseDN parameters. Although value for either DNComps or baseDN is required, the UI gives the impression that values must be entered in both the fields. [# 331081]

• If a DN (either issuer DN or subject DN) contains special characters defined in RFC-1779, the characters will be automatically prefixed with a backward slash (\) upon displaying. This slash may give you the wrong impression that a slash character is included in the DN, and it is not consistent with the behaviour of Communicator that shows no slash character in such case. [# 351774]

• If clicking the Help button on the Console interface does not bring up the help text, Exit Communicator and click the Help button again. If the problem persists, reinstall Communicator. [# 399146]

• If you experience hard to read fonts when redirecting a console on Unix to another X Server, you could try to rename the file <server_root>/bin/base/jre/lib/font.properties to font.properties.old, and restart the console.

• See also the ones listed under Administration Server and Starting/Stopping the Server sections.

• If you’re using CMS 4.2 and want to upgrade to CMS 4.2-SP2, follow the upgrade instructions provided in Chapter 7, "Installing and Uninstalling CMS Instances" of CMS Installation and Setup Guide.

• This version of Certificate Management System supports issuance of Wireless Transport Layer Security (wTLS)-compliant certificates for use with wireless applications/devices. During the installation of a standalone Certificate Manager or Registration Manager, you're given the opportunity to specify whether to turn this feature on. If you do, the appropriate enrollment forms get installed and you can see them in the End Entity Services interface of the CMS manager.

• wTLS certificate enrollment does not work with CMC and CRMF requests. [# 529320]

If you submit a CMC or CRMF request, Certificate Management System returns the following error message: wTLS CA does not support CSR in CMC or CRMF.

• This release does not support renewal of wTLS-compliant certificates; the Renewal tab of the Certificate Manager does not include any forms for renewing these certificates.

---

How to Report Problems

If you need further assistance or information about Certificate Management System or if you need to report problems with this product, contact technical support. You may also contact us through our newsgroup for support, questions, answers, and the latest information:

snews://secnews.netscape.com/netscape.dev.certificate

snews://secnews.netscape.com/netscape.dev.ssl
snews://secnews.netscape.com/netscape.dev.security

• Description of the problem, including the situation where the problem occurs and its impact on your operation
• Machine type, operating system version, and product version, including any patches and other software that might be affecting the problem
• Detailed steps on the methods you have used to reproduce the problem
• Any error logs or core dumps

---

For More Information

• Other iPlanet documentation --- http://docs.iplanet.com/docs/manuals/
• iPlanet Professional Services information --- http://www.iplanet.com/services/pro_serv/
• iPlanet developer information --- http://developer.iplanet.com/
• iPlanet learning solutions --- http://www.iplanet.com/learning/
• iPlanet product data sheets --- http://www.iplanet.com/products/