iPlanet Certificate Management System Installation and Setup Guide



Contents


About This Guide
What's in This Guide
What You Should Already Know
Conventions Used in This Guide
Where to Go for Related Information

Part 1 Overview and Demo Installation



Chapter 1 Introduction to Certificate Management System

Overview of Key Features
Flexible end-entity registration services framework
System Overview
Public-Key Infrastructure
CMS Subsystems or Managers
Certificate Manager
Registration Manager
Data Recovery Manager
Online Certificate Status Manager
Basic System Configuration
Plug-in Modules
Authentication Plug-in Modules
Policy Plug-in Modules
Job Plug-In Modules
Mapper and Publisher Plug-in Modules
Event-Driven Notifications
Auxiliary Components
Command-Line Utilities
CMS SDK
Entry Points for Various Types of Users
Agent Services Interface
Certificate Manager Agent Services
Registration Manager Agent Services
Data Recovery Manager Agent Services
Online Certificate Status Manager Agent Services Interface
End-Entity Services Interface
System Architecture
PKCS #11
NSS
JSS and the Java/JNI Layer
Middleware/Java 2 Layers
Authentication and Policy Modules
Standards Summary
Certificate Management Formats and Protocols
Security and Directory Protocols


Chapter 2 Certificate Enrollment and Life-Cycle Management
Steps in End-Entity Enrollment
Some Enrollment Scenarios
Firewall Considerations
Extranet/E-Commerce: Acme Sales Corp.
Enrolling Existing Customers
Enrolling New Customers
Enrolling Extranet Users
PIN Registration: Atlas Manufacturing
VPN Client Enrollment and Revocation
Router Enrollment and Revocation
End Entities and Life-Cycle Management
Life-Cycle Management Formats and Protocols
Access to Subsystems
HTML Forms for End Users
Netscape Personal Security Manager


Chapter 3 Default Demo Installation
System Requirements
Operating System and Software Required
Platform Requirements
Overview of the Default Demo
Demo Passwords
Installing the Default Demo
Step 1. Run the Installation Script — UNIX
Step 1. Run the Installation Script—Windows NT
Step 2. Run the Installation Wizard
Step 3. Get the First User Certificate
Enrolling for the First Agent Certificate
If You Need the First Agent Form Again
Using the Default Demo
Verify the Installation
Viewing Issued Certificates From the Agent Gateway
Enrolling for a Certificate From the End-Entity Gateway
Finding and Approving a Certificate Request
Setting Your Browser to Use the Agent Certificate
Testing Your New Certificate
Create a Policy
Configuring an RSA Key Length Policy
Use an LDAP Directory
Step 1. Enable Directory-Based Authentication
Step 2. Add a User to the Directory
Step 3. Enroll with Directory-Based Authentication
Publish Certificates to an LDAP Directory
Configure the Publishing Destination
Set Rules for Publishing Certificates
Update the Publishing Directory
Send Renewal Reminders
Configuring a Mail Server for Certificate Management System
Configuring Certificate Management System to Send Renewal Reminders

Part 2 Planning and Installation



Chapter 4 Planning Your Deployment

Topology Decisions
Server Groups and CMS Instances
Single Certificate Manager
Certificate Manager and Registration Manager
Certificate Manager and Data Recovery Manager
Certificate Manager, Data Recovery Manager, and Registration Manager
Cloned Certificate Manager
Certificate Authority Decisions
CA's Distinguished Name
CA Signing Key Type and Length
CA Signing Certificate's Validity Period
Self-Signed Root Versus Subordinate CA
CAs and Certificate Extensions
CA Certificate Renewal or Reissuance
Cryptographic Token Decisions
Publishing Decisions
Publishing Certificates and CRLs to Files
Publishing Certificates and CRLs to a Directory
Publishing CRLs to the Online Certificate Status Manager
Subsystem Certificate Decisions
SSL Server Certificates
Certificate Manager Certificates
Registration Manager Certificates
Data Recovery Manager Certificate and Storage Key
Online Certificate Status Manager Certificates
Authentication Decisions
Policy Decisions
Deployment Strategy and Port Assignments


Chapter 5 Installation Worksheet
Information for UNIX Installation Script
Installation Location
Configuration Directory Server
User/Group Directory Server
Configuration Directory Settings
Administration Server Information
Certificate Management System Identifier
Information for NT Installation Script
Installation Directory
Configuration Directory Server
User/Group Directory Server
Configuration Directory Settings
Configuration Directory Server Administrator
Directory Server Administration Domain
Directory Manager Settings
Administration Server Port
Certificate Management System Identifier
Initial Configuration
Internal Database
Administrator
Subsystems
Remote Certificate Manager
Remote Data Recovery Manager
Network Configuration
Certificate Manager Configuration
CA Signing Certificate
CA's Serial Number Range
Key-Pair Information for CA Signing Certificate
Subject Name for CA Signing Certificate
Validity Period for CA Signing Certificate
Extensions for CA Signing Certificate
CA Signing Certificate Request
Registration Manager Configuration
Registration Manager Signing Certificate Request
Key-Pair Information for Registration Manager Signing Certificate
Subject Name for Registration Manager Signing Certificate
Registration Manager Signing Certificate Issuer
Data Recovery Manager Configuration
Transport Certificate
Key-Pair Information for Transport Certificate
Subject Name for Transport Certificate
Validity Period for Transport Certificate
Extensions for Transport Certificate
Transport Certificate Request
Storage Key and Recovery Agent Configuration
Storage Key Creation
Data Recovery Scheme—1
Data Recovery Scheme—2
Online Certificate Status Manager Configuration
Online Certificate Status Manager Signing Certificate Request
Key-Pair Information for Online Certificate Status Manager Signing Certificate
Subject Name for Online Certificate Status Manager Signing Certificate
Online Certificate Status Manager Signing Certificate Issuer
Cloned Certificate Manager Configuration
CA Signing Certificate
CA's Serial Number Range
Cloned Key and Certificate Material
SSL Server Key and Certificate
SSL Server Certificate Configuration
SSL Server Certificate
Key-Pair Information for SSL Server Certificate
Subject Name for SSL Server Certificate
Validity Period for SSL Server Certificate
Extensions for SSL Server Certificate
SSL Certificate Request
Single Sign-On Password


Chapter 6 Installing Certificate Management System
Installation Overview
Installation Stages
Before You Begin the Installation
Stage 1. Running the Installation Script
Running the Installation Script on UNIX
Running the Installation Script on Windows NT
Stage 2. Running the Installation Wizard
Installing the Certificate Manager as a Root CA
Installing the Certificate Manager as a Subordinate CA
Installing a Standalone Registration Manager
Installing a Standalone Data Recovery Manager
Installing an Online Certificate Status Manager
Stage 3. Enrolling for Administrator/Agent Certificate
Agent Certificate for a Certificate Manager
Agent Certificate for Other CMS Managers
Stage 4. Further Configuration Options
Stage 5. Creating Additional Instances or CA Clones


Chapter 7 Installing and Uninstalling CMS Instances
Installing Multiple CMS Instances
Cloning a Certificate Manager
Step 1. Before You Begin
Step 2. Create Instances for Clone CAs
Installing Clone CA in Master CA's Server Group
Installing Clone CA in a Different Server Group
Installing Clone CA on a Separate Host
Step 3. Shut Down the Master CA
Step 4. Copy Master CA's Certificate and Key Database
Step 5. Start the Master CA
Step 6. Configure the Clone CA
Step 8. Establish Trust Between Master CA and Clone CAs
Step A. Locate the Master CA's SSL Server Certificate
Step B. Create a Privileged-User Entry for Clone CAs
Step 9. Test Clone-Master Connection
Step A. Request a Certificate from the Clone CA
Step B. Approve the Request
Step C. Download the Certificate to the Browser
Step D. Revoke the Certificate
Step E. Check Master CA's CRL for the Revoked Certificate
Step 10. Use Master CA's Agent Certificate in Clone CAs
Viewing Instance Information
Changing the Name of an Instance
Removing an Instance From a System
Uninstalling Certificate Management System
Uninstalling From the Command Line
Uninstalling by Using the Windows NT Add/Remove Programs Utility
Upgrading From a Previous CMS Installation


Chapter 8 Starting and Stopping CMS Instances
Starting Certificate Management System
Required Start-up Information
Configuring the Server to Start Without the Single Sign-On Password
Configuring the Server to Read the Single Sign-on Password From a File
Starting From Netscape Console
Starting From the Command Line
Starting From the Windows NT Services Panel
Stopping Certificate Management System
Stopping From Netscape Console
Stopping From the Command Line
Stopping From the Windows NT Services Panel
Restarting Certificate Management System
Restarting From the CMS Window
Restarting From the Command Line
Checking System Status
Attending to an Unresponsive Server
CMS Watchdog Process
Password Cache
Password-Quality Checker

Part 3 Configuration



Chapter 9 Administration Tasks and Tools

Netscape Console
Console Tab
Users and Groups Tab
Netscape Administration Server
Starting Administration Server
Shutting Down Administration Server
Logging In to Netscape Console
The CMS Window
Tasks Tab
Configuration Tab
Status Tab
Logging In to the CMS Window


Chapter 10 CMS Configuration
Effects of Installation Type on Configuration
Duplicating Configuration From One Instance to Another
Locating the Configuration File
Modifying the Configuration
Changing the Configuration From the CMS Window
Changing the Configuration by Editing the Configuration File
Guidelines for Editing the Configuration File
Sample Configuration File
Road Map to Configuring Subsystems
Step 1. Check Which Subsystems are Installed in the Instance
Step 2. Check the Port Numbers
Step 3. Verify Key Pair and Certificates
Step 4. Set up Privileged Users
Step 5. Customize End-Entity and Agent Forms
Step 6. Set Up Authentication for End Users
Step 7: Enable Event-Driven Notifications
Step 8. Schedule Jobs
Step 9. Set up Policies
Step 10. Set up Publishing
Step 11. Set up Key Archival and Recovery
Step 12. Set up Logging
Step 13. Plan for Backing up CMS Configuration and Data


Chapter 11 Setting Up Ports
CMS Ports
Remote Administration Port
Agent Port
End-Entity Ports
Configuring Port Numbers
Step 1. Specify the Port Number
Step 2: Specify IP Addresses


Chapter 12 Setting Up Internal Database
Internal Database
Configuring the Internal Database
Step 1. Identify the Directory Server Instance
Step 2. Restrict Access to the Internal Database


Chapter 13 Managing Privileged Users and Groups
Privileged-User Types and Responsibilities
Administrators
Agents
Agent's Certificate for SSL Client Authentication
Revocation Status Checking of Agent Certificates
Trusted Managers
Subsystems That Can Function as Trusted Managers
Connectors for Linking Trusted Managers
Trusted Manager's Certificate for SSL Client Authentication
Groups and Their Privileges
Group for Administrators
Groups for Agents
Group for Certificate Manager Agents
Group for Registration Manager Agents
Group for Data Recovery Manager Agents
Group for Online Certificate Status Manager Agents
Group for Trusted Managers
Setting Up Privileged Users
Setting Up Administrators
Step 1. Find the Required Information
Step 2. Add the Information to the Internal Database
Setting Up Agents
Setting up Agents Using the Automated Process
Setting up Agents Using the Manual Process
Setting Up Trusted Managers
Setting up Trusted Managers Using the Automated Process
Setting Up a Registration Manager as a Trusted Manager
Setting Up a Certificate Manager as a Trusted Manager
Changing Privileged-User Information
Changing a Privileged User's Login Information
Changing a Privileged User's Certificate
Changing Members in a Group
Deleting a Privileged User


Chapter 14 Managing CMS Keys and Certificates
Keys and Certificates for the Main Subsystems
Certificate Manager's Key Pairs and Certificates
CA Signing Key Pair and Certificate
wTLS CA Signing Certificate
OCSP Signing Key Pair and Certificate
CRL Signing Key Pair and Certificate
SSL Server Key Pair and Certificate
Remote Administration Server Certificate
Registration Manager's Key Pairs and Certificates
Signing Key Pair and Certificate
SSL Server Key Pair and Certificate
Remote Administration Server Certificate
Data Recovery Manager's Key Pairs and Certificates
Transport Key Pair and Certificate
Storage Key Pair
SSL Server Key Pair and Certificate
Remote Administration Server Certificate
Online Certificate Status Manager's Key Pairs and Certificates
OCSP Signing Key Pair and Certificate
SSL Server Key Pair and Certificate
Remote Administration Server Certificate
Tokens for Storing CMS Keys and Certificates
Internal Token
External Token
Installing External Tokens
Managing Tokens Used by the Subsystems
Viewing Tokens
Changing a Token's Password
Hardware Cryptographic Accelerators
Certificate Setup Wizard
Using the Wizard to Request a Certificate
Step 1. Select the Operation
Step 2. Choose the Certificate
Step 3. Specify the Key-Pair Information
Step 4. Specify the Subject Name for the Certificate
Step 5. Specify the Validity Period
Step 6. Specify Extensions
Step 7. Copy the Certificate Signing Request
Step 8. Check the Certificate Request Status
Using the Wizard to Install a Certificate or Certificate Chain
Data Formats for Installing Certificates and Certificate Chains
Step 1. Select the Operation
Step 2. Select the Certificate or Certificate Chain
Step 3. Specify the Location of the Certificate
Step 4. View the Certificate or Certificate Chain
Step 5. Install the Certificate or Certificate Chain
Step 6. Verify the Certificate Status
Configuring the Server's Security Preferences
Configuring the Server to Use Separate SSL Server Certificates
Step 1. Get the Required SSL Server Certificates
Step 2: Update the Configuration
Getting an SSL Client Certificate for a Subsystem
Setting Up Cipher Preferences for SSL Communications
SSL Ciphers Supported in Certificate Management System
Configuring the Server to Use Specific Ciphers
Getting New Certificates for the Subsystems
Step 1. Plan for the New Certificate
Step 2. Request the New Certificate
Step 3. Install the New Certificate
Step 4. Deploy the New Certificate
Deploying Certificate Manager's CA Signing Certificate
Deploying Registration Manager's Signing Certificate
Deploying Data Recovery Manager's Transport Certificate
Deploying a Subsystem's SSL Server Certificate
Renewing Certificates for the Subsystems
Step 1. Plan for Certificate Renewal
Step 2. Renew the Existing Certificate
Step 3. Install the Renewed Certificate
Step 4. Deploy the Renewed Certificate
Deploying Certificate Manager's Renewed CA Signing Certificate
Deploying Registration Manager's Renewed Signing Certificate
Deploying Data Recovery Manager's Renewed Transport Certificate
Deploying a Subsystem's Renewed SSL Server Certificate
Step 5. Restart the Server
Managing the Certificate Database
Viewing the Certificate Database Content
Deleting a Certificate From the Certificate Database
Changing the Trust Settings of a CA Certificate
Installing a New CA Certificate in the Certificate Database
Installing a CA Certificate Chain in the Certificate Database


Chapter 15 Setting Up End-User Authentication
Introduction to Authentication
Privileged-User Authentication
Authentication of Administrators
Authentication of Agents
End-Entity Authentication
Authentication of End Entities During Certificate Enrollment
Authentication of End Users During Certificate Renewal
Authentication of End Users During Certificate Revocation
Configuring Authentication for End-User Enrollment
Step 1. Before You Begin
Step 2. Set Up the Directory for PIN-Based Enrollment
Step A. Check the Directory for User Entries
Step B. Update the Directory
Step C. Prepare the Input File
Step D. Run the Command Without the Write Option
Step E. Check the Output File
Step F. Run the Command Again with the Write Option
Step 3. Enable the AttributePresentConstraints Policy
Step 4: Add an Authentication Instance
Step 5. Set Up the Enrollment Interface
Step A. Associate the Authentication Instance With the Enrollment Form
Step B. Customize the Form
Step C. Hook Up the Certificate-Based Enrollment Form
Step D. Remove Unwanted Enrollment Options
Step 6. Enable End-Entity Interaction
Enabling End-Entity Interaction with a Certificate Manager
Enabling End-Entity Interaction with a Registration Manager
Step 7. Turn on Automated Notification
Step 8. Test Your Authentication Setup
Step 9. Deliver PINs to End Users
Managing Authentication Instances
Deleting an Authentication Instance
Modifying an Authentication Instance
Managing Authentication Plug-in Modules
Registering an Authentication Module
Deleting an Authentication Module


Chapter 16 Setting Up Automated Notifications
Automated Notifications
Notifications of Certificate Issuance to End Entities
Notification of New Request in Queue
Customizing Notification Messages
Templates for Event-Triggered Notifications
Customizing Message Templates
Tokens Available in Message Templates
Tokens for Certificate Issuance Notifications to End Entities
Tokens for Rejection Notifications to End Entities
Tokens for Request In Queue Notification Messages
Configuring a Subsystem to Send Notifications
Step 1. Before You Begin
Step 2. Turn On Certificate-Issuance Notification
Step 3. Turn on Request in Queue Notification
Step 4. Verify Mail Server Settings
Step 5. Test Your Configuration


Chapter 17 Scheduling Automated Jobs
Configuring a Subsystem to Run Automated Jobs
Step 1. Before You Begin
Step 2. Modify Existing Jobs
Step 3. Delete Unwanted Jobs
Step 4. Add New Jobs
Step 5. Schedule the Frequency
Step 6. Verify Mail Server Settings
Step 7. Test Your Configuration
Managing Job Plug-in Modules
Registering a Job Module
Deleting a Job Module


Chapter 18 Setting Up Policies
Introduction to Policy
What Is Policy?
Policy Rules
Types of Policy Rules
Using Predicates in Policy Rules
Expression Support for Predicates
Attributes for Predicates
Policy Processor
Configuring Policy Rules for a Subsystem
Step 1. Before You Begin
Step 2. Modify Existing Policy Rules
Step 3. Delete Unwanted Policy Rules
Step 4. Add New Policy Rules
Step 5. Reorder Policy Rules
Step 6. Restart the Server
Step 7. Test Policy Configuration
Step A. Enroll for a Certificate
Step B. Approve the Request
Step C. Check the Certificate Details
Using JavaScript for Policies
Managing Policy Plug-in Modules
Registering a Policy Module
Deleting a Policy Module


Chapter 19 Setting Up LDAP Publishing
Publishing of Certificates to a Directory
Timing of Directory Updates
Directory Update Process
Directory Synchronization
Publishing of CRLs
What's a CRL?
Reasons for Revoking a Certificate
Revocation Checking by Netscape Clients
Revocation Checking by Netscape Servers
Publishing of CRLs to an LDAP Directory
CRL Issuing Points
Configuring a Certificate Manager to Publish Certificates and CRLs
Step 1. Before You Begin
Step 2. Set Up the Directory for Publishing
Step A. Verify the Directory Schema
Step B. Add an Entry for the CA
Step C. Identify an Entry That Has Write Access
Step D. Verify Entries for End Entities
Step E. Specify the Directory Authentication Method
Step F. Modify the Certificate Mapping File
Step G. Restart Directory Server
Step 3. Configure the Certificate Manager to Publish Certificates
Step A. Modify the Default Mappers, Publishers, and Publishing Rules
Step B. Add Mappers, Publishers, and Publishing Rules
Step 4. Configure the Certificate Manager to Publish CRLs
Step A. Specify CRL Details
Step B. Set the CRL Extensions
Step C. Create a Mapper for the CRL
Step D. Create a Publisher for the CRL
Step E. Create a Publishing Rule for the CRL
Step 5. Identify the Publishing Directory
Step 6. Test Certificate and CRL Publishing
Step A. Decide a Directory Entry for Requesting a Certificate
Step B. Request a Certificate
Step C. Approve the Request
Step D. Download the Certificate to the Browser
Step E. Check if the Directory Has the Certificate
Step F. Revoke the Certificate
Step G. Check the Directory for the CRL
Manually Updating Certificates and CRLs in a Directory
Manually Updating Certificates in the Directory
Manually Updating the CRL in the Directory


Chapter 20 Publishing Certificates and CRLs to a File
Configuring Certificate Manager to Publish to Files
Step 1. Before You Begin
Step 2. Configure the Certificate Manager
Step A. Create a Publisher for the File
Step B. Create Publishing Rules for Certificates
Step C. Create a Publishing Rule for CRLs
Step D. Specify CRL Details
Step E. Set the CRL Extensions
Step F. Make Sure Publishing is Enabled
Step 3. Test Publishing
Step A. Request a Certificate
Step B. Approve the Request
Step C. Download the Certificate to the Browser
Step D. Check the File for the Certificate
Step E. Revoke the Certificate
Step F. Check the File for the CRL
Managing Mapper and Publisher Plug-in Modules
Registering a Mapper or Publisher Module
Deleting a Mapper or Publisher Module


Chapter 21 Setting Up an OCSP Responder
What's an OCSP-Compliant PKI Setup?
How to Get an OCSP Responder?
How Certificate Manager's OCSP-Service Feature Works
How Online Certificate Status Manager Works
How to Get OCSP-Compliant Clients?
Setting Up a Certificate Manager with OCSP Service
Step 1. Before You Begin
Step 2. Install OCSP-Compliant Client
Step 3. Enable Certificate Manager's HTTP Port
Step 4. Enable Certificate Manager's OCSP Service
Step 5. Configure Certificate Manager for Extensions
Step 6. Restart the Certificate Manager
Step 7. Test Your CA's OCSP Service Setup
Step A. Turn On Revocation Checking in the Browser
Step B. Request a Certificate
Step C. Approve the Request
Step D. Download the Certificate to the Browser
Step E. Make Sure the CA is Trusted by the Browser
Step F. Verify the Certificate in the Browser
Step G. Check the Status of Certificate Manager's OCSP Service
Step H. Revoke the Certificate
Step I. Verify the Certificate in the Browser
Step J. Check the Certificate Manager's OCSP Service Status Again
Setting Up a Remote OCSP Responder
Step 1. Before You Begin
Step 2. Install an OCSP-Compliant Client
Step 3. Identify the CA to the OCSP Responder
Step 4. Configure the Certificate Manager to Publish CRLs
Step A. Specify CRL Format and Publishing Interval
Step B. Set the CRL Extensions
Step C. Create a Publisher for the CRL
Step D. Create a Publishing Rule for the CRL
Step E. Make Sure Publishing is Enabled
Step 5. Configure Certificate Manager for Required Extension Policies
Step 6. Configure the Online Certificate Status Manager
Step 7. Restart the Certificate Manager
Step 8. Restart the Online Certificate Status Manager
Step 9. Verify Certificate Manager and Online Certificate Status Manager Connection
Step 10. Test Your OCSP Responder Setup
Step A. Turn On Revocation Checking
Step B. Request a Certificate
Step C. Approve the Request
Step D. Download the Certificate to the Browser
Step E. Make Sure the CA is Trusted by the Browser
Step F. Verify the Certificate in the Browser
Step G. Check the Status of Online Certificate Status Manager
Step H. Revoke the Certificate
Step I. Verify the Certificate in the Browser
Step J. Check the Online Certificate Status Manager Status Again


Chapter 22 Setting Up Key Archival and Recovery
PKI Setup for Key Archival and Recovery
Clients That Can Generate Dual Key Pairs
Data Recovery Manager
Forms for Users and Key Recovery Agents
Key Archival Process
Why You Should Archive Keys
Where the Keys are Stored
How Key Archival Works
Key Recovery Process
Key Recovery Agents and Their Passwords
Secret Sharing of Storage Key Password
Interface for the Key Recovery Process
Local Versus Remote Key Recovery Authorization
How Agent-Initiated Key Recovery Works
Key Recovery Agent Scheme
Changing the Key Recovery Agent Scheme
Changing Key Recovery Agents' Passwords
Configuring Key Archival and Recovery Process
Step 1. Set Up the Key Archival Process
Step A. Deploy Clients That Can Generate Dual Key Pairs
Step B. Connect the Enrollment Authority and the Data Recovery Manager
Step C. Customize the Certificate Enrollment Form
Step D. Configure Key Archival Policies
Step 2. Set Up the Key Recovery Process
Step A. Verify the m of n Scheme
Step B. Facilitate the Key Recovery Agents to Change the Passwords
Step C. Determine the Authorization Mode for Key Recovery
Step D. Customize the Key Recovery Form
Step E. Configure Key Recovery Policies
Step 3. Test Your Key Archival and Recovery Setup
Step A. Test Your Key Archival Setup
Step B. Verify the Key
Step C. Delete the Certificate
Step D. Test Your Key Recovery Setup
Step D. Restore the Key in the Browser's Database


Chapter 23 Managing CMS Logs
Introduction to Logs
Logs Maintained by the Server
Services That Are Logged
Log Levels (Message Categories)
Log File Locations
Log File Naming Conventions
Active Log File Naming Convention
Rotated Log File Naming Convention
Buffered Versus Unbuffered Logging
Rotation of Log Files
Timing of Log File Rotation
Location of Rotated Log Files
Deletion of Log Files
How to Conserve Disk Space
Timing of Log File Deletion
Configuring CMS Logs
Step 1. Before You Begin
Step 2. Modify the Existing Listeners
Step 3. Delete Unwanted Listeners
Step 4. Create New Listeners
Monitoring CMS Logs
Monitoring System Logs
Monitoring Error Logs
Monitoring Audit Logs
Using System Tools for Monitoring the Server (Windows NT Only)
Logging to Windows NT Event Log
Using Event Viewer
Avoiding Event Log From Getting Filled
Archiving of Rotated Log Files
Signing Log Files
Managing Log Modules
Registering a Log Module
Deleting a Log Module

Part 4 Issuing and Managing Certificates



Chapter 24 Issuing and Managing Server Certificates

Certificate Issuance to Servers
How the Manual Server Enrollment Process Works
Getting Server SSL Certificates for Netscape Servers
Getting Certificates for Version 3.x Servers
Step 1. Generate the Server Certificate Request
Step 2. Submit the Server Certificate Request
Step 3. Install Your Server's SSL Certificate
Step 4. Accept a CA as Trusted in Your Server
Step 5. Verify Your Server's SSL and CA Certificates
Getting Certificates for Netscape Version 4.x Servers
Renewal of Server Certificates
Revocation of Server Certificates


Chapter 25 Setting Up CEP Enrollment
CEP Enrollment
CEP Enrollment Using the Script
Setting up CEP Enrollment Manually
Step 1. Set up the Directory for Publishing Certificates and CRLs
Step 2. Configure the Certificate Manager for Publishing Certificates and CRLs
Step 3. Set Up Automated Enrollment
Step 4. Set Up Multiple CEP Services
Certificate Issuance to Routers or VPN Clients
Step 1. Before You Begin
Step 2. Generate the Key Pair for the Router
Step 3. Request the CA's Certificate
Step 4. Submit the Certificate Request to the CA
Example

Part 5 Appendixes



Appendix A Certificate Download Specification

Data Formats
Binary Formats
Text Formats
Importing Certificate Chains
Importing Certificates into Netscape Communicator
Importing Certificates into Netscape Servers
Object Identifiers


Appendix B Using SSL with iPlanet Web Server, Enterprise Edition 4.x
Creating a New Server
Obtaining a Server Certificate
Creating a Trust Database
Submitting a Certificate Signing Request
Importing the Certificate
Enabling SSL on the Server
Enabling Encryption on the Server
Trusting the Root CA Certificate
Enabling Client Authentication for All Requests
Specifying the Authentication Directory
Note for CGI Programmers
Modifying the Configuration File
Modifying the Access Control Lists
Testing Client Authentication


Appendix C Export Control Information
Approved Export Operations and Key Sizes
SSL Cipher Suite Profiles for Export
Glossary

Index


Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated April 02, 2001