Previous
Contents
Index
Next
|
| iPlanet Certificate Management System Installation and Setup Guide |
Appendix A Certificate Download Specification
This appendix describes the data formats used by Netscape Communicator 4.x for installing certificates. It also describes how certificates are imported into different environments.
Data Formats
Importing Certificates into Netscape Communicator
Data Formats
iPlanet products can accept certificates in several formats. Although the format can vary, the certificates themselves are X.509 version 1, 2, or 3.
Binary Formats
The Netscape certificate loader recognizes several binary formats, as follows.
DER-encoded certificate
This is a single binary DER-encoded certificate.
PKCS #7 certificate chain
This is a PKCS #7 SignedData object. The only significant field in the SignedData object is the certificates. In particular, the signature and the contents are ignored. In future versions of the software, the CRLs will also be used. The PKCS #7 format allows multiple certificates to be downloaded at once. See Importing Certificate Chains for more information about handling multiple certificates.
Netscape Certificate Sequence
This is a simpler format for downloading certificate chains. It consists of a PKCS #7 ContentInfo structure, wrapping a sequence of certificates. The value of the contentType field should be netscape-cert-sequence (see Object Identifiers), while the content field has the following structure:
CertificateSequence ::= SEQUENCE OF Certificate
This format allows multiple certificates to be downloaded at once. See Importing Certificate Chains for more information about handling multiple certificates.
Text Formats
Any of the above binary formats can also be imported in text form. The text form begins with the following line:
Following this line is the certificate data, which can be in any of the binary formats just described. This data should be base 64 encoded as described by RFC 1113. The data is followed by this line:
Importing Certificate Chains
Several of the supported formats can contain multiple certificates. When the Netscape certificate decoder encounters a collection of certificates, it handles them as follows:
The first certificate is processed in a context-specific manner, which varies according to how it is being imported. For Communicator, this handling depends upon the MIME content type that is used on the object being downloaded. For Netscape servers, it depends upon the options selected in the server administration interface.
Subsequent certificates are all treated the same. If the certificates contain the SSL-CA bit in the netscape-cert-type certificate extension and do not already exist in the local certificate database, they are added as untrusted CAs. In this way they can be used for certificate chain validation as long as there is a trusted CA somewhere along the chain.
Importing Certificates into Netscape Communicator
Communicator imports certificates via HTTP. There are several MIME content types that are used to indicate to Communicator what type of certificate is being imported. These MIME types are as follows:
application/x-x509-user-cert
The certificate being downloaded is a user certificate belonging to the user operating Communicator. If the private key associated with the certificate does not exist in the user's local key database, then Communicator generates an error dialog and the certificate is not imported. If a certificate chain is being imported, then the first certificate in the chain must be the user certificate, and any subsequent certificates will be added as untrusted CA certificates to the local database.
application/x-x509-ca-cert
The certificate being downloaded represents a certificate authority. When it is downloaded, a sequence of dialogs guides the user through the process of accepting the Certificate Authority and deciding whether to trust sites certified by the CA.
If a certificate chain is being imported, the first certificate in the chain must be the CA certificate, and Communicator adds any subsequent certificates in the chain to the local database as untrusted CA certificates.
application/x-x509-email-cert
The certificate being downloaded is a user certificate belonging to another user for use with S/MIME. If a certificate chain is being imported, the first certificate in the chain must be the user certificate, and Communicator adds any subsequent certificates to the local database as untrusted CA certificates. This process allows people or CAs to post their email certificates on web pages for download by other users who want to send them encrypted mail.
Importing Certificates into iPlanet Servers
Server certificates are imported via the server administration interface. Certificates are pasted into a text input field in an HTML form, and then the form is submitted to the administration server. Since the certificates are pasted into text fields, only the text formats described above are supported for servers.
The type of certificate being imported is specified by the server administrator by selections made on the administration pages. If a certificate chain is being imported, then the first certificate in the chain must be the server or CA certificate, and the server adds any subsequent certificates to the local database as untrusted CA certificates.
For detailed information about importing certificates into iPlanet Web Server and configuring it to support certificate-based client authentication, see Appendix B "Using SSL with iPlanet Web Server, Enterprise Edition 4.x."
Object Identifiers
The base of all Netscape object IDs is
netscape OBJECT IDENTIFIER ::= { 2 16 840 1 113730 }
The hexadecimal byte value of this OID, when DER-encoded, is
0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42
The following OIDs are mentioned in this document:
netscape-data-type OBJECT IDENTIFIER :: = { netscape 2 }
netscape-cert-sequence OBJECT IDENTIFIER :: = { netscape-data-type 5 }
Previous Contents Index Next
Copyright © 2002 Sun Microsystems, Inc. All rights reserved.
Last Updated October 07, 2002