iPlanet Certificate Management System Installation and Setup Guide



Chapter 6   Installing Certificate Management System


This chapter describes the procedure for installing an iPlanet Certificate Management Server (CMS) instance. Before you use this chapter to guide you through an installation, you should have read Chapter 1 through Chapter 5 and filled out the worksheet provided by Chapter 5 "Installation Worksheet."

This chapter contains the following sections:



Installation Overview

Before you begin installation, make sure your system meets the requirements listed in the Release Notes for the product version at: http://docs.sun.com/?p=coll/S1_s1CertificateServer_47

The installation process installs the iPlanet Administration Server, iPlanet Console, and iPlanet Directory Server, as well as Certificate Management System. You typically create two instances of Directory Server: the first is for the configuration directory used by the local Administration Server; the second is used by Certificate Management System itself for its internal database.

You must have an Administration Server in each server root directory. Administration Server can use a local configuration directory or refer to an existing configuration directory installed elsewhere. You must install the Certificate Management System internal database directory locally.

The initial installation script installs iPlanet Console and the binaries for the servers, and it creates and starts instances of Administration Server and Directory Server. After running the initial script, you use the Installation Wizard to create and configure instances of Certificate Management System. The wizard helps you through the configuration process of choosing subsystems and creating the necessary keys and certificates.


Installation Stages

Installing Certificate Management System in a single server root directory involves four stages:

  • Stage 1: Run the installation script (setup on UNIX, setup.exe on NT) to install Administration Server and Directory Server as necessary and perform the initial phase of CMS installation. These procedures are described in Stage 1. Running the Installation Script.

  • Stage 2: Run the Installation Wizard to set up the initial configuration of the CMS instance. In this stage you specify which subsystems are to be part of this instance and generate the SSL client and server certificates for each subsystem. These procedures are described in Stage 2. Running the Installation Wizard.

  • Stage 3: Use iPlanet Console to further configure the new Certificate Management System instance, as needed. See Stage 4. Further Configuration Options.

  • Stage 4 (optional): Use iPlanet Console to create additional instances of the Certificate Management System in the same server root directory, and use the Installation Wizard to configure them. For a summary, see Stage 5. Creating Additional Instances or CA Clones.


Before You Begin the Installation

Before you start installing Certificate Management System, follow these instructions:

  • If you're not familiar with Certificate Management System, you might find it useful to run a demo installation first; see Chapter 3 "Default Demo Installation."

  • If you want to install the Certificate Manager as a root CA:

    • Read and fill in the information requested in the Certificate Manager installation worksheet; see Certificate Manager Configuration.

    • Decide whether you want to create clones of the CA. If you do, determine the serial number ranges for each CA.

  • If you want to install the Certificate Manager as a subordinate CA:

    • Read and fill in the information requested in the Certificate Manager installation worksheet; see Certificate Manager Configuration.

    • Identify the CA to which you'll submit the subordinate CA's CA signing certificate and SSL server certificate requests. Make sure the CA is running and, if required, identify the forms you'll use to submit these requests.

    • If the CA is a third-party CA, familiarize yourself with that CA's enrollment interface and find out how long the CA takes to send you the certificates.

    • Decide whether you want to create clones of the CA. If you do, determine the serial number ranges for each CA.

  • If you want to install a standalone Registration Manager, do this:

    • Read and fill in the information requested in the Registration Manager installation worksheet; see Registration Manager Configuration.

    • Identify the CA to which you'll submit the Registration Manager's signing certificate and SSL server certificate requests. Make sure the CA is running and, if required, identify the forms you'll use to submit these requests.

  • If you want to install a standalone Data Recovery Manager:

    • Read and fill in the information requested in the Data Recovery Manager installation worksheet; see Data Recovery Manager Configuration.

    • Identify the CA to which you'll submit the Data Recovery Manager's transport certificate and SSL server certificate requests. Make sure the CA is running and, if required, identify the forms you'll use to submit these requests.

    • If you plan to use hardware tokens for generating and storing Data Recovery Manager's key pairs, you'll need at least two tokens: one exclusively for the storage key pair and the other for the remaining key pairs. Be sure to install (and initialize, if required) these tokens before you start the Data Recovery Manager installation. For installation instructions, see Installing Level 2 External Tokens.

  • If you want to install a standalone Online Certificate Status Manager:

    • Read and fill in the information requested in the Online Certificate Status Manager installation worksheet; see Online Certificate Status Manager Configuration.

    • Identify the CA to which you'll submit the Online Certificate Status Manager's signing certificate and SSL server certificate requests. Make sure the CA is running and, if required, identify the forms you'll use to submit these requests. For Online Certificate Status Manager's signing certificate to work properly, it must contain the following extensions:

      OCSPNoCheck extension—Presence of this extension indicates that an OCSP client should not use OCSP to check the revocation status of the OCSP responder certificate, because the certificate is only used to identify the responder that does the checking. (This extension is required to avoid a circular reference.) For details about this extension, see section "OCSPNoCheckExt Plug-in Module" of CMS Plug-Ins Guide.

      OCSPSigning extension—This is an Extended Key Usage extension with a unique value, OCSPSigning. Presence of this extension indicates that the key pair that corresponds to the certificate used by the OCSP responder can be used for signing OCSP responses. For details about this extension, see section "OCSPSigningExt Rule" of CMS Plug-Ins Guide.

      Make sure the Certificate Manager to which you'll submit the Online Certificate Status Manager's signing certificate request has these policies enabled.

  • If you want to install two subsystems in a CMS instance, for example, a Certificate Manager along with a Data Recovery Manager, collect the information for both the subsystems.
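The two extensions the Online Certificate Status Manager bullet above requires can be checked directly on a candidate responder certificate before you submit or install it. The following Python script is an added example, not part of the iPlanet guide or product: it walks the DER-encoded Extensions sequence of a certificate with only the standard library and reports whether OCSPNoCheck (id-pkix-ocsp-nocheck) and an Extended Key Usage containing OCSPSigning are both present. The sample Extensions sequences it builds are constructed for the demonstration; on a real certificate you would pass the bytes of the Extensions field from the TBSCertificate.

```python
# Added example (not from the iPlanet guide): a minimal DER walker, standard
# library only, that checks an OCSP responder certificate's Extensions for
# OCSPNoCheck and an Extended Key Usage containing OCSPSigning.

OID_EXT_KEY_USAGE = "2.5.29.37"            # id-ce-extKeyUsage
OID_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"     # id-kp-OCSPSigning
OID_OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"  # id-pkix-ocsp-nocheck
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"      # id-kp-serverAuth (for a bad sample)

def der_tlv(tag, body):
    """Encode one DER element (the encoder is only used to build the samples)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n])  # sample bodies stay < 256
    return bytes([tag]) + length + body

def der_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (first two arcs packed, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def decode_oid(body):
    """OBJECT IDENTIFIER contents -> dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def der_iter(data):
    """Yield (tag, contents) for each TLV in a run of DER elements."""
    i = 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:                              # long-form length
            nbytes = ln & 0x7F
            ln, i = int.from_bytes(data[i:i + nbytes], "big"), i + nbytes
        yield tag, data[i:i + ln]
        i += ln

def parse_extensions(ext_seq_der):
    """Extensions ::= SEQUENCE OF Extension -> {oid: (critical, extnValue)}."""
    outer = list(der_iter(ext_seq_der))
    if len(outer) != 1 or outer[0][0] != 0x30:
        raise ValueError("expected one SEQUENCE")
    result = {}
    for _tag, ext in der_iter(outer[0][1]):
        parts = list(der_iter(ext))   # OID, optional BOOLEAN critical, OCTET STRING
        critical, idx = False, 1
        if parts[idx][0] == 0x01:
            critical, idx = parts[idx][1] != b"\x00", 2
        result[decode_oid(parts[0][1])] = (critical, parts[idx][1])
    return result

def eku_purposes(extn_value):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId -> list of dotted OIDs."""
    seq = list(der_iter(extn_value))[0][1]
    return [decode_oid(b) for tag, b in der_iter(seq) if tag == 0x06]

def ocsp_responder_cert_ok(ext_seq_der):
    """Return (ok, problems) for the two extensions the guide requires."""
    exts, problems = parse_extensions(ext_seq_der), []
    if OID_OCSP_NOCHECK not in exts:
        problems.append("missing OCSPNoCheck (id-pkix-ocsp-nocheck)")
    eku = exts.get(OID_EXT_KEY_USAGE)
    if eku is None:
        problems.append("missing Extended Key Usage")
    elif OID_OCSP_SIGNING not in eku_purposes(eku[1]):
        problems.append("Extended Key Usage lacks OCSPSigning")
    return (not problems, problems)

def _ext(oid, value, critical=False):
    inner = der_oid(oid) + (der_tlv(0x01, b"\xff") if critical else b"")
    return der_tlv(0x30, inner + der_tlv(0x04, value))

def sample_extensions(include_nocheck=True, include_ocsp_signing=True):
    """Constructed sample Extensions sequence, as it would sit in a TBSCertificate."""
    purpose = OID_OCSP_SIGNING if include_ocsp_signing else OID_SERVER_AUTH
    exts = _ext(OID_EXT_KEY_USAGE, der_tlv(0x30, der_oid(purpose)), critical=True)
    if include_nocheck:
        exts += _ext(OID_OCSP_NOCHECK, der_tlv(0x05, b""))   # extnValue is ASN.1 NULL
    return der_tlv(0x30, exts)

if __name__ == "__main__":
    for label, der in (("good responder cert", sample_extensions()),
                       ("no OCSPNoCheck", sample_extensions(include_nocheck=False)),
                       ("serverAuth EKU only", sample_extensions(include_ocsp_signing=False))):
        ok, problems = ocsp_responder_cert_ok(der)
        print(f"{label}: {'OK' if ok else 'REJECT: ' + '; '.join(problems)}")
```

The OCSPSigning check is the condition OCSP clients verify before they trust a delegated responder's signature; OCSPNoCheck is what tells those clients not to look up the status of the responder certificate itself, which is the circular reference the guide mentions. A responder certificate issued by a Certificate Manager without both policies enabled fails this check.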



Stage 1. Running the Installation Script

The setup program extracts files for the Administration Server, Directory Server, iPlanet Console, and Certificate Management System and installs the binaries under the server root directory you have specified. It creates one instance of the Administration Server, one instance of the Directory Server, and one instance of the Certificate Management System, which is not yet configured. The setup program also installs iPlanet Console and automatically starts the Administration Server and Directory Server.

As you run the initial installation script, the program stores your configuration choices and generates an initialization file, or installation cache. As installation proceeds, the stored initialization file records your choices so far. As a result, you can stop the installation process and restart it as necessary: your choices up to the point at which you stopped are restored from the initialization file, and the installation prompts resume where you left off.

This initialization file applies only to the installation of the Administration Server and Directory Server. If you want to use the file to do additional "silent" installations, see the documentation for these servers.


Running the Installation Script on UNIX

To run the installation script on UNIX, follow these steps:

  1. Log in as root to install the servers on a UNIX system. This is recommended, but not required. If you are not root, you can install only a local version, in a directory to which you have write access and using ports higher than 1024; you are then the administrator for all services.

  2. Change to the directory on the distribution CD, and run the setup program.

  3. Answer the questions that the script asks. You should have previously collected the requested information in the section Information for UNIX Installation Script of Chapter 5 "Installation Worksheet." Most questions have a default answer shown in square brackets before the prompt. To accept the default answer, press Enter at the prompt.

Answer the questions for a typical installation as follows:

  1. Would you like to continue with setup? [Yes]: Press Enter.

  2. Do you agree to the license terms? [No]: Type yes and press Enter.

  3. Select the items you would like to install [1]: Accept the default to install the iPlanet servers.

  4. Install location [/usr/iplanet/servers]: Enter a full pathname to the location where you want to install the servers. The location that you enter must be different from the directory from which you are running the setup program. You must have write access to the directory. If the directory that you specify does not exist, the setup program creates it for you.

  5. Specify the components you wish to install [All]: Accept the default value, All, to accept the default server product components.

  6. Specify the components you wish to install [1,2,3]: Enter the numbers corresponding to the server product components you wish to install, or press Enter to accept the default components.

  7. Specify the components you wish to install [1,2]: Enter the numbers corresponding to the Directory Suite components you wish to install, or press Enter to accept the default components.

  8. Specify the components you wish to install [1,2]: Enter the numbers corresponding to the Administration Services components you wish to install, or press Enter to accept the default components.

  9. Specify the components you wish to install [1,2]: Enter the numbers corresponding to the CMS components you wish to install, or press Enter to accept the default components.

  10. Computer name [myhost.mydomain.com]: Accept the default value to install on the local machine. Do not attempt to install remotely.

  11. System User [nobody]: Enter the user ID that the configuration directory will run as. Where your system supports it, accept the default user nobody, creating that user as necessary.

  12. System Group [nobody]: Enter the group that the configuration directory will run as. Where your system supports it, accept the default group, nobody, creating that group as necessary.

  13. Do you want to register this software with an existing iPlanet configuration directory server? [No]: If you accept the default setting, the installation script installs a new instance of Directory Server for use as a configuration directory.

    You can also choose to use a previously installed configuration directory. In this case, select "Use existing configuration directory server," then fill in the values that identify and provide access to the previously installed directory.

  14. Do you want to use another directory to store your data? [No]: If you accept the default setting, the installation script either adds a user/group directory to the newly installed instance of Directory Server (if you accepted the default in step 13) or installs a new instance of Directory Server for use as a user/group directory.

    You can also choose to use a previously installed user/group directory. In this case, enter Yes, then fill in the values that identify and provide access to the previously installed directory.

  15. Directory server network port [random #]: Accept the default, which is either 389 or a randomly generated number, or enter any port number that is not and will not be used for another purpose.

    If you are using an existing configuration directory, enter its port number.

  16. Directory server identifier [myhost]: Enter a unique identifier for the new instance of the configuration directory.

    If you are using an existing configuration directory, enter its identifier.

  17. iPlanet configuration directory server administrator ID [admin]: Enter the name and password of the user who will authenticate to iPlanet Console with full privileges. The password must be at least eight characters long.

    If you are using an existing configuration directory, enter its administrator ID and password.

  18. Suffix [o=mydomain.com]: Accept the default value for the suffix, or base DN, to be used for the directory tree.

  19. Directory Manager DN [cn=Directory Manager]: Enter the distinguished name (DN) and password of the directory manager for the configuration directory. The password must be at least eight characters long.

    This DN can be short and does not need to conform to any suffix configured for your directory. It also should not correspond to an actual entry stored in your directory.

  20. Administration Domain [mydomain.com]: Accept the default value. This domain name identifies the collection of servers that use the same configuration directory.

  21. Administration port [random #]: Accept the default port number, which is randomly generated, or enter any port number that is not and will not be used for another purpose.

  22. Run Administration Server as [current login]: Enter the user ID for the Administration Server process. If you are running as root, you can accept the default to run the server as root.

  23. Certificate Management System identifier [certificate]: Enter a unique identifier for the new instance of Certificate Management System.

    The script extracts and installs the binaries for all of the servers in the server root directory and creates and starts instances of the Administration Server and Directory Server.

When you have completed the installation script, you can complete the installation and configuration of the CMS instance by running the Installation Wizard. See Stage 2. Running the Installation Wizard.
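The constraints the script's prompts impose (an install location that is writable and differs from the directory setup runs from, ports that are free, ports above 1024 for a non-root install, and a System User and Group that exist) can be checked before you start answering. The following Python script is an added example, not part of the guide or of the setup program; the `answers` dictionary and its keys are an assumption of this example, not an interface of setup, and the sample answers in it are constructed.

```python
# Added example (not part of the iPlanet guide or its setup program): pre-flight
# checks for the answers the UNIX setup script asks for. The `answers` dict and
# its keys are an assumption of this example, not an interface of setup.
import grp
import os
import pwd
import socket

def check_install_dir(install_dir, setup_dir):
    """Install location must differ from the setup directory and be writable
    (or creatable under a writable parent). Returns a problem string or None."""
    install_dir, setup_dir = os.path.realpath(install_dir), os.path.realpath(setup_dir)
    if install_dir == setup_dir:
        return "install location must differ from the directory setup runs from"
    parent = install_dir
    while not os.path.isdir(parent):         # walk up to the nearest existing directory
        parent = os.path.dirname(parent)
    if not os.access(parent, os.W_OK):
        return f"no write access to {parent} (needed to use or create {install_dir})"
    return None

def check_port(port, running_as_root, host="127.0.0.1"):
    """Port must be valid, free, and above 1024 unless installing as root."""
    if not 1 <= port <= 65535:
        return f"port {port} is out of range"
    if not running_as_root and port <= 1024:
        return f"port {port} needs root; a non-root install must use ports above 1024"
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))             # bind fails if something already listens there
        except OSError:
            return f"port {port} is already in use"
    return None

def check_user_and_group(user, group):
    """The System User/Group the configuration directory runs as must already exist."""
    problems = []
    try:
        pwd.getpwnam(user)
    except KeyError:
        problems.append(f"system user '{user}' does not exist; create it before running setup")
    try:
        grp.getgrnam(group)
    except KeyError:
        problems.append(f"system group '{group}' does not exist; create it before running setup")
    return problems

def preflight(answers, running_as_root=None):
    """Run every check; returns the list of problems (empty means go ahead)."""
    if running_as_root is None:
        running_as_root = os.geteuid() == 0
    problems = []
    p = check_install_dir(answers["install_location"], answers["setup_dir"])
    problems += [p] if p else []
    for key in ("directory_port", "admin_port"):
        p = check_port(answers[key], running_as_root)
        problems += [p] if p else []
    if answers["directory_port"] == answers["admin_port"]:
        problems.append("Directory Server and Administration Server ports must differ")
    problems += check_user_and_group(answers["system_user"], answers["system_group"])
    return problems

if __name__ == "__main__":
    # Constructed sample answers mirroring the script's defaults
    sample = {"install_location": "/usr/iplanet/servers", "setup_dir": os.getcwd(),
              "directory_port": 389, "admin_port": 8000,
              "system_user": "nobody", "system_group": "nobody"}
    for problem in preflight(sample) or ["no problems found"]:
        print(problem)
```

Run it from the directory you intend to run setup from, as the user you will run setup as; every line it prints corresponds to a prompt in the list above whose answer would otherwise be rejected or leave the server unable to start.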


Running the Installation Script on Windows NT

The setup.exe program extracts files for the Administration Server, Directory Server, iPlanet Console, and Certificate Management System and installs the binaries under the server root directory you have specified. It creates one instance of Administration Server, one instance of Directory Server, and one instance of Certificate Management System, which is as yet unconfigured. The program installs iPlanet Console, and automatically starts the Administration Server and Directory Server.

To run the installation script, follow these steps:

  1. Double click setup.exe to run the installation program.

  2. The installation dialog boxes prompt you to type in answers or make selections.

  3. Answer the questions that the script asks. You should have previously collected the requested information in the section Information for NT Installation Script of Chapter 5 "Installation Worksheet."

In the instructions that follow, the name that appears in the title bar of each setup screen is in boldface, followed by a description of the action you should take.

Answer the questions for a typical installation as follows:

  1. Welcome. Click Next.

  2. Software License Agreement. If you agree to all the terms of the License Agreement, click Yes.

  3. Select Server or Console Installation. "iPlanet Servers" is selected by default. Click Next to accept the default selection.

  4. Choose Installation Directory. The default installation directory is C:\iPlanet\Servers. To specify a server root directory different from the default, click Browse. Enter a full pathname, or navigate to the location where you want to install the servers, then click OK.

    The location that you enter must be different from the directory from which you are running the setup program. You must have write access to the directory. If the directory that you specify does not exist, the program can create it for you.

    Click Next to continue.

  5. Select Products. Four components are selected by default:

    • iPlanet Server Products Core Components.

    • iPlanet Directory Suite

    • Administration Services

    • iPlanet Certificate Management System

    You don't need to select the fifth component, Directory Server Synch Service, unless you want to set up the Directory Server Synchronization Service. Click Next to accept the default selection.

  6. Directory Server 4.13. "This instance will be the configuration directory server" is selected by default. If you accept the default setting, the installation script installs a new instance of Directory Server for use as a configuration directory.

    You can also choose to use a previously installed configuration directory. In this case, select "Use existing configuration directory server," then fill in the values that identify and provide access to the previously installed directory. Click Next to continue.

  7. Directory Server 4.13. "Store data in this directory server" is selected by default. If you accept the default setting, the installation script either adds a user/group directory to the newly installed instance of Directory Server (if you accepted the default in step 6) or installs a new instance of Directory Server for use as a user/group directory.

    You can also choose to use a previously installed user/group directory. In this case, select "Store data in an existing directory server," then fill in the values that identify and provide access to the previously installed directory. Click Next to continue.

  8. Directory Server 4.13 Server Settings

    • Server Identifier. Enter a unique identifier for the new instance of the configuration directory. If you are using an existing configuration directory, enter its identifier.

    • Server Port. Accept the default, or enter any port number that is not and will not be used for another purpose. The default is 389 if that port is not already used; otherwise, it is a randomly selected port number. If you are using an existing configuration directory, enter its port number.

    • Suffix. Accept the default value for the suffix, or base DN, to be used for the directory tree.

    When all three values are correct, click Next.

  9. Directory Server 5.1 iPlanet Configuration Directory Server Administrator. Enter the administrator ID and password of the user who will authenticate to the directory console with full privileges. (Think of this as the root or superuser identity for Directory Server.) The password must be at least one character long. If you are using an existing configuration directory, enter its administrator ID and password. Click Next to continue.

  10. Directory Server 4.13 Administration Domain. Click Next to accept the default value. This name, which should be your organization's domain name, will be used for the collection of servers that use the same configuration directory.

  11. Directory Server 4.13 Directory Manager Settings. Enter the distinguished name and password of the directory manager for the configuration directory. The password must be at least eight characters long.

    This DN can be short and does not need to conform to any suffix configured for your directory. It also should not correspond to an actual entry stored in your directory. Click Next to continue.

  12. Administration Server Port Selection. A randomly selected port number will be shown. Accept the default port number, or enter any port number that is not and will not be used for another purpose. Click Next to continue.

  13. iPlanet Certificate Management System Server Identifier. Enter a unique identifier for the new instance of Certificate Management System. Click Next to continue.

  14. Configuration Summary. This screen shows all of the components you are installing and the choices you have made for their configuration. Click Next to continue.

  15. Setup. At this point, the installation script extracts and installs the binaries for all of the servers in the server root directory, and creates and starts instances of the Administration Server and Directory Server.

  16. Setup Complete. "Restart my computer now" is selected by default. Click Finish to accept the default. After the computer has rebooted, you'll note that the iPlanet Console window is displayed with its associated icons.

When you have completed the installation script, you can complete the installation and configuration of the CMS instance by running the Installation Wizard. See Stage 2. Running the Installation Wizard.



Stage 2. Running the Installation Wizard



After you have finished running the installation script, you use the Installation Wizard to create and configure an instance of Certificate Management System: you use the wizard to get the initial certificates and set the initial configuration for this instance of Certificate Management System. The Installation Wizard is the same for both UNIX and Windows NT.

In the last step of the installation script, you were given an opportunity to specify whether to launch iPlanet Console. If you chose to launch iPlanet Console, you'll see iPlanet Console open automatically. Otherwise, you need to open it manually. To bring up iPlanet Console and launch the Installation Wizard, follow these steps:

  1. Start iPlanet Console:

    On a Windows NT system, click Start, and then choose Programs, iPlanet, and iPlanet Console, in that order. Alternatively, click the corresponding shortcut in the iPlanet Server Products directory window displayed after setup completes.

    On a UNIX system, open a command shell, change to the directory /usr/iplanet/servers, and execute the file startconsole.

  2. Log in as the administrator. On UNIX systems, you will also need to specify the Administration Server URL that you specified during the installation script.

    The main window of iPlanet Console appears.

  3. In the navigation tree at the left, open your computer, then open Server Group.

  4. Select the CMS instance that you named while running the installation script.

  5. In the Certificate Management System panel at the right, click Open.

    After a few moments, the Introduction screen for the Installation Wizard appears.

    Click Next to continue. The Internal Database screen appears.

  6. In the Internal Database screen, specify the Directory Server instance that Certificate Management System should use as its internal database—you may choose to create a new Directory Server instance or use an existing Directory Server instance. The Directory Server instance you choose will be used as a database to store information (such as certificates and certificate requests) used by all the subsystems you will be installing in this CMS instance. It's recommended that you do not use this Directory Server instance for any other purposes; the directory schema will be configured for storing CMS data.

    Click Next to continue. The wizard sets up the new internal database, which takes some time.

    (If you have previously installed an internal database for this instance, the Recreate Internal Database screen appears. In the Recreate Internal Database screen, specify whether you want to remove the existing database in order to create a new internal database, or use the existing internal database.)

    (A special screen, Internal Database Password, comes up only if you stop the configuration process partway through and then start over again, in which case the wizard needs to ask for the internal database password again.)

  7. In the Administrator screen, type the ID, name and password for the CMS administrator. This is the administrator who can access the CMS window and control all CMS settings.

    Click Next to continue.

    The "Subsystems" screen appears. This screen enables you to choose a subsystem or the permitted combinations of subsystems you want to install. Depending on what you want to install, follow the appropriate instructions.


Installing the Certificate Manager as a Root CA

To install the Certificate Manager as a root CA:

  1. Subsystems. Select Certificate Manager. If you want the Certificate Manager to issue certificates for wireless applications, select the "In addition to X.509 v3 certificates, do you want the Certificate Manager to support issuance of Wireless Transport Layer Support (wTLS)-compliant certificates" option. Otherwise, leave the option unchecked. (If you select the option, the end-entity interface will include two forms for requesting certificates for wireless applications and an option for downloading the wireless CA certificate.)

    Click Next to continue.

  2. Remote Data Recovery Manager. Select the appropriate options:

    • Select No, if you don't want to connect the Certificate Manager to a remote Data Recovery Manager.

    • If you have already installed a remote Data Recovery Manager that you want the Certificate Manager to use for archiving end users' encryption private keys, select Yes. Then, enter the remote Data Recovery Manager's host name and agent SSL port number in the associated fields.

    Click Next to continue.

  3. Network Configuration. Type the port numbers for the ports to be used by the CMS instance. If you want to enable the non-SSL end-entity port, be sure to check the "Enable" checkbox.

    Click Next to continue.

  4. CA's Serial Number Range. Specify the range of serial numbers. In the "Starting serial number" field, type the lowest serial number the CA should assign to a certificate. If you plan to use only one CA server, you can leave the "Ending serial number" field blank to indicate no upper limit. If you plan to clone the CA to distribute load, you must specify an upper limit. (For cloned CAs, you must make sure that the range of serial numbers does not overlap with any other CA server.)

    Click Next to continue.

  5. CA Signing Certificate. Select the "Create self-signed CA certificate" option.

    Click Next to continue.

  6. Key-Pair Information for Certificate Manager CA Signing Certificate. Select the token to store the root CA signing certificate and key pair. If you have not previously initialized the token's password, you must do so in this screen. Also specify the key type and length.

    Click Next to continue.

  7. Message Digest Algorithm. Select the algorithm to use for computing the certificate signature. The choices are: MD2, MD5, or SHA-1.

    Click Next to continue.

  8. Subject Name for Certificate Manager CA Signing Certificate. Type values for the subject DN components; these values identify the root CA signing certificate.

    Click Next to continue.

  9. Validity Period for Certificate Manager CA Signing Certificate. Select the validity period for the CA signing certificate. The default validity is two years. The validity period determines how soon you will have to renew the certificate, which can be a complex procedure.

    Click Next to continue.

  10. Certificate Extensions for Certificate Manager CA Signing Certificate. Select the required extensions. The default settings should work for most deployments. If necessary, you can add an additional extension by pasting its base-64 encoding in the space provided on this screen.

    Certificate Management System provides command-line tools for generating extensions to include in CA and other certificate requests. For details about these tools, check this directory: <server_root>/bin/cert/tools

    Note that the certificate extension text field accepts a single extension blob. If you want to add multiple extensions, you should use the ExtJoiner program, which is also provided in the tools directory. For details on using the ExtJoiner program, see Chapter 5, "Extension Joiner Tool" of CMS Command-Line Tools Guide.

    Click Next to continue.

  11. Certificate Manager CA Signing Certificate Creation. Click Next to generate and install the certificate.

  12. SSL Server Certificate. Select the "Sign SSL certificate with my CA signing certificate" option. This option enables the wizard to generate an SSL Server Certificate signed with the local CA signing certificate, the root Certificate Manager's CA signing certificate you just created.

    Click Next to continue.

  13. Key-Pair Information for SSL Server Certificate. Select the token to store the SSL server certificate and key pair. If you have not previously initialized the token's password, you must do so in this screen. Also specify the key type and length.

    Click Next to continue.

  14. Message Digest Algorithm. Select the algorithm to use for computing the certificate signature. The choices are: SHA-1, MD2, or MD5.

    Click Next to continue.

  15. Subject Name for SSL Server Certificate. Type the values for the subject DN components; these values identify the root CA's SSL server certificate. The CN must be the fully-qualified host name of the machine on which you're installing the Certificate Manager.

    Click Next to continue.

  16. Validity Period for SSL Server Certificate. Select the validity period for the SSL server certificate. The validity period determines how soon you will have to renew the certificate.

    Click Next to continue.

  17. Certificate Extensions for SSL Server Certificate. Select the required extensions. The default settings should work for most deployments. If necessary, you can add an additional extension by pasting its base-64 encoding in the space provided on this screen (see Step 10).

    Click Next to continue.

  18. SSL Server Certificate Creation. This information screen tells you that the configuration wizard has all the required information to generate a key pair and its corresponding certificate.

    Click Next to generate the certificate.

  19. Create Single Signon Password. Type the single signon password.

    The single signon password simplifies the way you subsequently sign on to Certificate Management System by storing the passwords for the internal database, tokens, publishing directory, and so on. Each time you log on, you're only required to enter this single password. (For details, see Required Start-up Information.)

    Click Next to continue.

  20. Configuration Status. This screen should indicate that your configuration has been successful.

    Click Done to exit the Installation Wizard.

  21. Proceed to the next step, Stage 3. Enrolling for Administrator/Agent Certificate, to create the first agent user for the Certificate Manager.
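Step 4 above, like the "determine the serial number ranges for each CA" items under Before You Begin the Installation, leaves the actual planning to you: each clone needs an explicit ending serial number and no two ranges may overlap, since a duplicated serial number under one issuer breaks revocation lookups and OCSP. The following Python script is an added example, not part of the iPlanet guide or product: it divides a range into non-overlapping blocks for a master CA and its clones, and validates a hand-written plan against the rules the step states. Using `None` for a blank "Ending serial number" field and the CA names in the sample plan are assumptions of this example.

```python
# Added example (not from the iPlanet guide): plan and validate the serial number
# ranges a Certificate Manager and its clones will be given. An ending serial of
# None models leaving the wizard's "Ending serial number" field blank.

def split_serial_range(start, end, n_clones):
    """Divide [start, end] into n_clones contiguous, non-overlapping blocks."""
    if n_clones < 1 or end < start:
        raise ValueError("need n_clones >= 1 and end >= start")
    total = end - start + 1
    if total < n_clones:
        raise ValueError("range too small for that many clones")
    base, extra = divmod(total, n_clones)   # remainder goes to the first blocks
    blocks, cursor = [], start
    for i in range(n_clones):
        size = base + (1 if i < extra else 0)
        blocks.append((cursor, cursor + size - 1))
        cursor += size
    return blocks

def validate_serial_ranges(ranges):
    """ranges: {ca_name: (start, end_or_None)} -> list of problems (empty = OK).
    Rules from the guide: a blank (None) end is allowed only for a single CA;
    cloned CAs need an explicit end and their ranges must not overlap."""
    problems = []
    for name, (start, end) in ranges.items():
        if end is not None and end < start:
            problems.append(f"{name}: ending serial {end} is below starting serial {start}")
        if end is None and len(ranges) > 1:
            problems.append(f"{name}: cloned CAs must each have an explicit ending serial number")
    # Sweep by starting serial; a start at or below the highest end seen so far overlaps.
    highest_end, highest_name = None, None
    for name, (start, end) in sorted(ranges.items(), key=lambda kv: kv[1][0]):
        if highest_end is not None and start <= highest_end:
            problems.append(f"{name} starts at {start}, inside {highest_name}'s range (ends {highest_end})")
        if end is not None and (highest_end is None or end > highest_end):
            highest_end, highest_name = end, name
    return problems

if __name__ == "__main__":
    names = ("ca-master", "ca-clone1", "ca-clone2", "ca-clone3")   # constructed names
    plan = dict(zip(names, split_serial_range(1, 1_000_000, 4)))
    for name, (start, end) in plan.items():
        print(f"{name}: starting serial {start}, ending serial {end}")
    print("plan problems:", validate_serial_ranges(plan) or "none")
    bad = {"ca-master": (1, 1000), "ca-clone1": (500, 2000)}      # overlapping by mistake
    print("bad plan problems:", validate_serial_ranges(bad))
```

Type the block boundaries the planner prints into the "Starting serial number" and "Ending serial number" fields of each CA's wizard run; keep the plan with the installation worksheet so that a clone added later gets a block outside every range already in use.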


Installing the Certificate Manager as a Subordinate CA

To install the Certificate Manager as a subordinate CA:

  1. Subsystems. Select Certificate Manager. If you want the Certificate Manager to issue certificates for wireless applications, select the "In addition to X.509 v3 certificates, do you want the Certificate Manager to support issuance of Wireless Transport Layer Support (wTLS)-compliant certificates" option. Otherwise, leave the option unchecked. (If you select the option, the end-entity interface will include two forms for requesting certificates for wireless applications and an option for downloading the wireless CA certificate.)

    Click Next to continue.

  2. Remote Data Recovery Manager. Select the appropriate options:

    • If you don't want to connect the Certificate Manager to a remote Data Recovery Manager, select No.

    • If you have already installed a remote Data Recovery Manager that you want the Certificate Manager to use for archiving end users' encryption private keys, select Yes. Then, enter the remote Data Recovery Manager's host name and agent SSL port number in the associated fields.

    Click Next to continue.

  3. Network Configuration. Type the port numbers for the ports to be used by the CMS instance. If you want to enable the non-SSL end-entity port, be sure to check the "Enable" checkbox.

    Click Next to continue.

  4. CA's serial number range. Specify the range for the serial numbers. In the "Starting serial number" field, type the lowest serial number the CA should assign to a certificate. If you only use one CA server, you can leave the "Ending serial number" field blank to indicate no upper limit. If you plan to clone the CA to distribute load, you must specify an upper limit. (For cloned CAs, you must make sure that the range of serial numbers does not overlap with that of any other CA server.)

    Click Next to continue.

  5. CA Signing Certificate. Select the "Create subordinate CA certificate request" option.

    Click Next to continue.

  6. Key-Pair Information for Certificate Manager CA signing certificate. Select the token to store the CA signing certificate and key pair. If you have not previously initialized the token's password, you must do so in this screen. Also specify the key type and length.

    Click Next to continue.

  7. Message Digest Algorithm. Select the algorithm to use for computing the certificate signature. The choices are: MD2, MD5, or SHA-1.

    Click Next to continue.

  8. Subject Name for Certificate Manager CA Signing Certificate. Type values for the subject DN components; these values identify the subordinate CA signing certificate.

    Click Next to continue.

  9. Validity Period for Certificate Manager CA Signing Certificate. Select the validity period for the subordinate CA signing certificate. The default validity is two years. The validity period determines how soon you will have to renew the certificate, which can be a complex procedure.

    Click Next to continue.

  10. Certificate Extensions for Certificate Manager CA Signing Certificate. Select the required extensions. The default settings should work for most deployments. If necessary, you can add an additional extension by pasting its base-64 encoding in the space provided on this screen.

    Certificate Management System provides command-line tools for generating extensions to include in CA and other certificate requests. For details about these tools, check this directory: <server_root>/bin/cert/tools

    Note that the certificate extension text field accepts a single extension blob. If you want to add multiple extensions, you should use the ExtJoiner program, which is also provided in the tools directory. For details about using the ExtJoiner program, see Chapter 5, "Extension Joiner Tool" of CMS Command-Line Tools Guide.

    Click Next to continue.

  11. Certificate Manager CA Signing Certificate Creation. This is an informational screen that tells you that the wizard has all the information required to generate the key pair and certificate request. In the previous screen, if you chose to include the Subject Key Identifier extension in the certificate, you'll be given the choice to select the format for the certificate request. Otherwise, the request format will be PKCS #10.

    • If you want the wizard to generate the certificate request in PKCS #10 format, select the "Generate PKCS10 request" option.

    • If you want the wizard to generate the certificate request in CMC format, select the "Generate CMC full enrollment request" option.

    Click Next to generate the request. The wizard creates a certificate request that you must submit to another CA.

  12. Submission of Request. Select whether you want to submit the request manually or send the request to a remote Certificate Manager automatically.

    To automatically submit the request to a remote Certificate Manager (or for automatic enrollment), follow these steps:

    1. Select the "Send the request to a remote CMS now" option.

    2. Enter the host name and end-entity port number of the remote Certificate Manager, and select whether this end-entity port is SSL enabled.

    3. Click Next to submit the request.

      The Certificate Request Result screen appears, confirming that the request has been submitted. Note the request ID provided in the response message. (You can use it later to retrieve the certificate, once it has been issued, from the end-entity port.)

      Note that the request you submitted gets added to the agent queue of the remote Certificate Manager for approval by that Certificate Manager's agent. If you have permission to access that Certificate Manager's Agent interface, you can follow the instructions below to issue the certificate. Otherwise, you should wait for the other agent to approve your request and issue the certificate.

    4. Open a web browser window.

    5. Enter the URL for the remote Certificate Manager's Agent Services page. (You must use the same computer where you got your agent certificate.)

    6. Select List Requests, then click Show Pending Requests and click Find. The pending request list is displayed.

    7. Locate your request, click Details to see it, and make any changes. Then, scroll down to the bottom of the form and click Do It.

    8. After the certificate is generated, click Show Certificate.

    9. When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file.

      Be sure not to make any changes to the certificate. You're required to paste the encoded certificate into the Installation Wizard screen next. So, once you've copied the certificate, go back to the wizard screen (Step 13).

    To submit your certificate request manually to a remote Certificate Manager, follow these steps:

    1. Open a web browser window.

    2. Go to the end-entity URL for the remote Certificate Manager that will issue the subordinate CA's signing certificate.

      For example, if you assigned the port number 17006 to the non-SSL end-entity port for your root CA, you would go to the URL http://hostname:17006 to bring up the Certificate Manager page for end entities.

    3. In the left-hand frame of the Enrollment tab, choose the form appropriate for the request type:

      If the request is in the PKCS #10 format, under Server, click Certificate Manager. In the resulting form, paste the request from the clipboard into the text area and fill in any other required information.

      If the request is in the CMC format, click CMC Enrollment. In the resulting form, paste the request from the clipboard into the text area and fill in any other required information. Be sure to select CA Signing Certificate as the certificate type.

    4. Click Submit.

    5. The request gets added to the agent queue of the remote Certificate Manager for approval by that Certificate Manager's agent. If you have permission to access that Certificate Manager's Agent interface, you can follow the instructions below to issue the certificate. Otherwise, you'll have to wait until the remote Certificate Manager's agent approves your request.

    6. In the web browser window, enter the URL for the remote Certificate Manager's Agent Services page. (You must use the same computer where you got your agent certificate.)

    7. Select List Requests, then click Show Pending Requests and click Find.

    8. In the pending request list, locate your request, click Details to see the request, and make any changes. Then, scroll down to the bottom of the form, and click Do It.

    9. After the certificate is generated, click Show Certificate.

    10. When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file.

      Be sure not to make any changes to the certificate. You're required to paste the encoded certificate into the Installation Wizard next. So, once you've copied the certificate, go back to the wizard screen (Step 13).

    To submit your certificate request manually to a third-party CA, follow these steps:

    1. Make sure that the certificate request (including -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----) is highlighted, and click the Copy to Clipboard button.

      This action copies the certificate request to the clipboard. In addition to the copy on the clipboard, the screen informs you that the certificate request has been saved to a file. You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the subordinate CA's signing certificate.

    2. Submit your certificate request to a third-party CA, following the instructions provided by that CA.

    Click Next when you are ready to proceed.

  13. CA Signing Certificate Installation. Depending on whether you have the certificate ready for pasting into the Installation Wizard screen, click Yes or No.

    • If you have submitted your request to a third-party CA or to a remote Certificate Manager for which you do not have agent privileges, you may have to wait days or weeks before you receive the certificate. In this case, you should click No, continue as far as you can with the configuration, and resume after you receive the certificate. The default selection is No. Select Yes only if you have the certificate ready in its base-64 encoded format.

    Click Next to continue.

    • If you selected No, you will be presented with the "SSL Server Certificate" screen (Step 17).

    • If you selected Yes, the "Location of Certificate" screen appears (Step 14).

  14. Location of Certificate. Specify the location of the certificate. You can use any of these options:

    • If you copied the encoded certificate to a file, select the "The certificate is located in this file" option and then type the file path, including the filename, in the text field.

    • If you copied the certificate to the clipboard, select the "The certificate is located in the text area below" option and then paste in a base-64 encoded certificate (including the header and footer) in the text area provided.

    • If you noted the request ID of your request and know the host name and end-entity port number of the remote Certificate Manager that issued the certificate, select the "The certificate is at the CMS server where the request was sent" option and then specify the required details.

    Click Next to continue.

  15. Certificate Details. This is an informational screen that shows the certificate so you can inspect its contents. Notice the nickname assigned to the certificate and verify that you're installing the correct certificate.

    Click Next to continue.

  16. Import Certificate Chain. This screen appears only if you need to import the CA certificate chain. If the CA that issued the certificate is a Certificate Manager, follow these steps:

    1. Go to the end-entity URL for the Certificate Manager that issued the subordinate CA's signing certificate.

    2. Select the Retrieval tab, and then choose Import CA Certificate Chain.

    3. Select the "Display the CA certificate chain in PKCS#7 for importing into a server" option, and then click Submit.

    4. Copy the certificate chain to the clipboard.

    5. Return to the Installation Wizard.

    6. Paste the certificate chain into the text box.

    Click Next to continue.

  17. SSL Server Certificate. Select the appropriate option:

    • If you want to get the SSL server certificate signed by the subordinate CA itself, select the "Sign SSL certificate with my CA signing certificate" option.

    • If you want to submit the SSL server certificate request to another CA, for example to the CA that signed the subordinate CA's signing certificate, select the "Create request for submission to another CA" option.

    Click Next to continue.

  18. Key-Pair Information for SSL Server Certificate. Select the token to store the SSL server certificate and key pair. If you have not previously initialized the token's password, you must do so in this screen. Also specify the key type and length.

    Click Next to continue.

  19. Message Digest Algorithm. Select the algorithm to use for computing the certificate signature. The choices are: SHA-1, MD2, or MD5.

    Click Next to continue.

  20. Subject Name for SSL Server Certificate. Type the values for the subject DN components; these values identify the subordinate CA's SSL server certificate. The CN must be the fully-qualified host name of the machine on which you're installing the Certificate Manager.

    Click Next to continue.

  21. Certificate Extensions for SSL Server Certificate. Select the required extensions. The default settings should work for most deployments. If necessary, you can add an additional extension by pasting its base-64 encoding in the space provided on this screen. (For details, see Step 10 of this section.)

    Click Next to continue.

  22. SSL Server Certificate Request Creation. This is an informational screen that tells you that the wizard has all the information required to generate the key pair and certificate request. In the previous screens, if you chose to generate a certificate request and include the Subject Key Identifier extension in the certificate, you'll be given the choice to select the format for the certificate request. Otherwise, the request format will be PKCS #10.

    • If you want the wizard to generate the certificate request in PKCS #10 format, select the "Generate PKCS10 request" option.

    • If you want the wizard to generate the certificate request in CMC format, select the "Generate CMC full enrollment request" option.

    Click Next to generate the certificate or the request:

    • If you chose to get the certificate signed by the subordinate CA itself, the wizard generates the SSL server certificate. You'll be presented with the "Create Single Signon Password" screen (Step 28).

    • If you chose to generate a request for submission to another CA, the wizard generates an SSL server certificate request that you must submit to another CA. You'll be presented with the "Submission of Request" screen (Step 23).

  23. Submission of Request. Select whether you want to submit the request manually or send the request automatically to a remote Certificate Manager.

    To automatically submit the request to a remote Certificate Manager (or for automatic enrollment), follow these steps:

    1. Select the "Send the request to a remote CMS now" option.

    2. Enter the host name and end-entity port number of the remote Certificate Manager, and specify whether the end-entity port is SSL enabled.

    3. Click Next to submit the request.

      The Certificate Request Result screen appears, confirming that the request has been submitted. Note the request ID provided in the response message. (You can use it later to retrieve the certificate, once it has been issued, from the end-entity port.)

      Note that the request gets added to the agent queue of the remote Certificate Manager for approval by that Certificate Manager's agent. If you have permission to access that Certificate Manager's Agent interface, you can follow the instructions below to issue the certificate. Otherwise, you should wait for the remote Certificate Manager's agent to approve your request and issue the certificate.

    4. Open a web browser window.

    5. Enter the URL for the remote Certificate Manager's Agent Services page. (You must use the same computer where you got your agent certificate.)

    6. Select List Requests, click Show Pending Requests, and then click Find.

    7. In the pending request list, locate your request, click Details to see the request, and make any changes. Then, scroll down to the bottom of the form, and click Do It.

    8. After the certificate is generated, click Show Certificate.

    9. When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file.

      Be sure not to make any changes to the certificate. You're required to paste the encoded certificate into the Installation Wizard next. So, once you've copied the certificate, go back to the wizard screen (Step 24).

    To submit your certificate request manually to a remote Certificate Manager, follow these steps:

    1. Open a web browser window.

    2. Go to the end-entity URL for the remote Certificate Manager that will issue the subordinate CA's SSL server certificate.

      For example, if you assigned the port number 17006 to the non-SSL end-entity port for your root CA, you would go to the URL http://hostname:17006 to bring up the Certificate Manager page for end entities.

    3. In the left-hand frame of the Enrollment tab, choose the form appropriate for the request type:

      If the request is in the PKCS #10 format, under Server, click SSL Server. In the resulting form, paste the request from the clipboard into the text area and fill in any other required information.

      If the request is in the CMC format, click CMC Enrollment. In the resulting form, paste the request from the clipboard into the text area and fill in any other required information. Be sure to select Server SSL Certificate as the certificate type.

    4. Click Submit.

    5. The request gets added to the agent queue of the remote Certificate Manager for approval by that Certificate Manager's agent. If you have permission to access that Certificate Manager's Agent interface, you can follow the instructions below to issue the certificate. Otherwise, you'll have to wait until the remote Certificate Manager's agent approves your request.

    6. In the web browser window, enter the URL for the remote Certificate Manager's Agent Services page. (You must use the same computer where you got your agent certificate.)

    7. Select List Requests, click Show Pending Requests, and click Find.

    8. In the pending request list, locate your request, click Details to see it, and make any changes. Then, scroll down to the bottom of the form and click Do It.

    9. After the certificate is generated, click Show Certificate.

    10. When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file.

      Be sure not to make any changes to the certificate. You're required to paste the encoded certificate into the Installation Wizard next. So, once you've copied the certificate, go back to the wizard screen (Step 24 below).

    To submit your certificate request manually to a third-party CA, follow these steps:

    1. Make sure that the certificate request (including -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----) is highlighted, and click the Copy to Clipboard button.

      This action copies the certificate request to the clipboard. In addition to the copy on the clipboard, the screen informs you that the certificate request has been saved to a file. You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the subordinate CA's SSL server certificate.

    2. Submit your certificate request to a third-party CA, following the instructions provided by that CA.

    Click Next when you are ready to proceed to the next screen.

  24. SSL Server Certificate Installation. Depending on whether you have the certificate ready for pasting into the Installation Wizard screen, click Yes or No.

    • If you have submitted your request to a third-party CA or to a remote Certificate Manager for which you do not have agent privileges, you may have to wait days or weeks before you receive the certificate. In this case, you should click No, continue as far as you can with the configuration, and resume after you receive the certificate. The default selection is No. Select Yes only if you have the certificate ready in its base-64 encoded format.

    Click Next to continue.

    • If you selected Yes, the "Location of Certificate" screen appears (Step 25).

    • If you selected No, you will be presented with the "Create Single Signon Password" screen (Step 28).

  25. Location of Certificate. Specify the location of the certificate. You can use any of these options:

    • If you copied the encoded certificate to a file, select the "The certificate is located in this file" option and then type the file path, including the filename, in the text field.

    • If you copied the certificate to the clipboard, select the "The certificate is located in the text area below" option and then paste in a base-64 encoded certificate (including the header and footer) in the text area provided.

    • If you noted the request ID of your request and know the host name and end-entity port number of the remote Certificate Manager that issued the certificate, select the "The certificate is at the CMS server where the request was sent" option and then specify the required details.

    Click Next to continue.

  26. Certificate Details. This is an informational screen that displays the certificate so you can inspect its contents. Notice the nickname assigned to the certificate and verify that you're installing the correct certificate.

    Click Next to continue.

  27. Import Certificate Chain. This screen appears only if you need to import the CA certificate chain. If the CA that issued the certificate is a Certificate Manager, follow these steps:

    1. Go to the end-entity URL for the remote Certificate Manager that issued the SSL server certificate.

    2. Select the Retrieval tab, and then in the left-hand frame, click Import CA Certificate Chain.

    3. Select the "Display the CA certificate chain in PKCS#7 for importing into a server" option, and then click Submit.

    4. In the resulting form, copy the CA certificate chain, in its base-64 encoded format, to the clipboard.

    5. Return to the Installation Wizard.

    6. Paste the certificate chain into the text box.

    Click Next to continue.

  28. Create Single Signon Password. Type the single signon password. The single signon password simplifies the way you subsequently sign on to Certificate Management System by storing the passwords for the internal database, tokens, publishing directory, and so on. Each time you log on, you're only required to enter this single password. (For details, see Required Start-up Information.)

    Click Next to continue.

  29. Configuration Status. This screen should indicate that your configuration has been successful.

    Click Done to exit the Installation Wizard.

  30. Proceed to the next step, Stage 3. Enrolling for Administrator/Agent Certificate, to create the first agent user for the Certificate Manager.
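Step 4 of the subordinate CA procedure above requires that the serial number ranges of cloned Certificate Managers never overlap, and that an open-ended range (blank "Ending serial number") is used only when a single CA server exists. The following Python script is an added example, not code from Certificate Management System or this guide, that checks a planned set of "Starting serial number"/"Ending serial number" values before you type them into the wizard. The instance names and serial values in it are constructed sample data.

```python
"""Check planned serial number ranges for a set of cloned Certificate Managers."""
from typing import Dict, List, Optional, Tuple

# A range is (starting_serial, ending_serial); ending_serial None means
# "no upper limit", which the wizard allows only for a single CA server.
SerialRange = Tuple[int, Optional[int]]


def ranges_overlap(a: SerialRange, b: SerialRange) -> bool:
    """True if the two inclusive serial ranges share at least one serial number."""
    a_start, a_end = a
    b_start, b_end = b
    # An open-ended range reaches every serial number at or above its start.
    a_end = float("inf") if a_end is None else a_end
    b_end = float("inf") if b_end is None else b_end
    return a_start <= b_end and b_start <= a_end


def check_serial_ranges(ranges: Dict[str, SerialRange]) -> List[str]:
    """Return a list of problems found in the ranges; an empty list means they are safe.

    `ranges` maps a CA instance name (a label you choose) to its (start, end) pair.
    """
    problems: List[str] = []
    names = list(ranges)
    for name, (start, end) in ranges.items():
        if start < 0:
            problems.append(f"{name}: starting serial {start} is negative")
        if end is not None and end < start:
            problems.append(f"{name}: ending serial {end} is below starting serial {start}")
        if end is None and len(ranges) > 1:
            problems.append(f"{name}: open-ended range is not allowed when the CA is cloned")
    # Compare every pair once; a clone pair must never share a serial number.
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if ranges_overlap(ranges[first], ranges[second]):
                problems.append(f"{first} and {second}: serial number ranges overlap")
    return problems


# Constructed sample plans (instance names are placeholders, not product defaults).
GOOD_RANGES: Dict[str, SerialRange] = {
    "ca-master": (1, 999_999),
    "ca-clone1": (1_000_000, 1_999_999),
}
BAD_RANGES: Dict[str, SerialRange] = {
    "ca-master": (1, 1_000_000),          # shares 1_000_000 with ca-clone1
    "ca-clone1": (1_000_000, 1_999_999),
    "ca-clone2": (500_000, None),         # open-ended and overlapping both
}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_RANGES), ("bad", BAD_RANGES)):
        found = check_serial_ranges(plan)
        print(f"{label}: {'OK' if not found else ''}")
        for line in found:
            print("  -", line)
```

Run the script once per planned CA topology; fix every reported line before entering the values, because the wizard itself does not know about the other clones' ranges.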
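Steps 12 and 23 of the subordinate CA procedure above have you copy a base-64 encoded certificate or request to the clipboard and warn you not to change it. The following Python function is an added example, not part of the product or this guide, that checks such a blob before you paste it into the wizard: it verifies that the BEGIN and END lines are present and match, that the body is well-formed base-64, and that the decoded data is a DER SEQUENCE whose declared length equals the decoded size, which catches a line dropped while copying. The sample blob in it wraps a constructed placeholder DER structure, not a real certificate.

```python
"""Sanity-check a base-64 encoded certificate or request before pasting it into the wizard."""
import base64
import binascii
import re
from typing import Optional, Tuple

# Labels used by the agent page (certificate) and by the wizard (request).
PEM_LABELS = ("CERTIFICATE", "NEW CERTIFICATE REQUEST", "CERTIFICATE REQUEST")


def _der_length(der: bytes) -> Tuple[Optional[int], int]:
    """Decode the outer DER length field; return (content_length, header_size)."""
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return first, 2
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None, 2
    return int.from_bytes(der[2:2 + n], "big"), 2 + n


def check_pem_blob(text: str) -> Tuple[bool, str, Optional[bytes]]:
    """Return (ok, message, der_bytes); der_bytes is None when the blob is rejected."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3:
        return False, "blob is too short to hold header, body and footer", None
    head = re.fullmatch(r"-----BEGIN ([A-Z ]+?)-----", lines[0])
    tail = re.fullmatch(r"-----END ([A-Z ]+?)-----", lines[-1])
    if not head or not tail:
        return False, "missing or altered -----BEGIN/-----END line", None
    label = head.group(1)
    if label != tail.group(1) or label not in PEM_LABELS:
        return False, f"header/footer mismatch: {label!r} vs {tail.group(1)!r}", None
    body = "".join(lines[1:-1])
    if len(body) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return False, "body is not well-formed base-64 (stray character or truncated line)", None
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        return False, f"base-64 decode failed: {exc}", None
    # Certificates and PKCS #10 requests are both an outer DER SEQUENCE (tag 0x30);
    # comparing its declared length with the decoded size catches a dropped line.
    if len(der) < 2 or der[0] != 0x30:
        return False, "decoded data does not start with a DER SEQUENCE", None
    length, hdr = _der_length(der)
    if length is None or hdr + length != len(der):
        return False, f"DER length {length} does not match decoded content size {len(der) - hdr}", None
    return True, f"{label} OK ({len(der)} DER bytes)", der


def to_pem(label: str, der: bytes) -> str:
    """Wrap DER bytes in a PEM header/footer with 64-column base-64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample: a 134-byte DER SEQUENCE wrapping an OCTET STRING of 128 zero bytes.
# It exercises long-form lengths but is a placeholder, NOT a real certificate.
SAMPLE_DER = b"\x30\x81\x83" + b"\x04\x81\x80" + bytes(128)
SAMPLE_PEM = to_pem("CERTIFICATE", SAMPLE_DER)


def truncated_copy(pem: str) -> str:
    """Simulate a paste that lost the last base-64 line (header and footer intact)."""
    lines = pem.strip().splitlines()
    return "\n".join(lines[:-2] + lines[-1:]) + "\n"


if __name__ == "__main__":
    for blob in (SAMPLE_PEM, truncated_copy(SAMPLE_PEM)):
        ok, msg, _ = check_pem_blob(blob)
        print("PASS" if ok else "FAIL", msg)
```

The length comparison is what makes the check useful: a copy that lost a line in the middle or at the end still decodes as base-64 when its length happens to be a multiple of four, and only the mismatch between the declared and actual DER size reveals it. The function stops at the outer SEQUENCE on purpose; inspecting the certificate's contents is the job of the wizard's Certificate Details screen (Steps 15 and 26).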


Installing a Standalone Registration Manager

To install a standalone Registration Manager:

  1. Subsystems. Select Registration Manager.

    Click Next to continue.

  2. Remote Certificate Manager. Type the host name and agent port number of the remote Certificate Manager to which you want to connect this Registration Manager.

    Click Next to continue.

  3. Remote Data Recovery Manager. Select the appropriate options:

    • Select No, if you don't want to connect the Registration Manager to a remote Data Recovery Manager.

    • If you have already installed a remote Data Recovery Manager that you want the Registration Manager to use for archiving end users' encryption private keys, select Yes. Then, enter the remote Data Recovery Manager's host name and agent port number in the associated fields.

    Click Next to continue.

  4. Network Configuration. Type the port numbers for the ports to be used by the CMS instance. If you want to enable the non-SSL end-entity port, be sure to check the "Enable" checkbox.

    Click Next to continue.

  5. Key-Pair Information for Registration Manager Signing Certificate. Select the token to store the Registration Manager signing certificate and key pair. If you have not previously initialized the token's password, you must do so in this screen. Also specify the key type and length.

    Click Next to continue.

  6. Message Digest Algorithm. Select the algorithm to use for computing the certificate signature. The choices are: SHA-1, MD2, or MD5.

    Click Next to continue.

  7. Subject Name for Registration Manager Signing Certificate. Type the values for the subject DN components; these values identify the Registration Manager's signing certificate.

    Click Next to continue.

  8. Certificate Extensions for Registration Manager Signing Certificate. Select the required extensions. The default settings should work for most deployments. If necessary, you can add an additional extension by pasting its base-64 encoding in the space provided on this screen.

    Certificate Management System provides command-line tools for generating extensions to include in CA and other certificate requests. For details about these tools, check this directory: <server_root>/bin/cert/tools

    Note that the certificate extension text field accepts a single extension blob. If you want to add multiple extensions, you should use the ExtJoiner program, which is also provided in the tools directory. For details on using the ExtJoiner program, see Chapter 5, "Extension Joiner Tool" of CMS Command-Line Tools Guide.

    Click Next to continue.

  9. Registration Manager Signing Certificate Request Creation. This informational screen tells you that the wizard has all the information required to generate the key pair and certificate request. In the previous screen, if you chose to include the Subject Key Identifier extension in the certificate, you'll be given the choice to select the format for the certificate request. Otherwise, the request format will be PKCS #10.

    • If you want the wizard to generate the certificate request in PKCS #10 format, select the "Generate PKCS10 request" option.

    • If you want the wizard to generate the certificate request in CMC format, select the "Generate CMC full enrollment request" option. (This option is available only if you chose to add the Subject Key Identifier extension to the certificate in the previous screen.)

    Click Next. The wizard creates a certificate request that you must submit to a CA, which could be a remote Certificate Manager or a third-party CA.

  10. Submission of Request. Select whether you want to submit the request manually or send the request automatically to a remote Certificate Manager.

    To automatically submit the request to a remote Certificate Manager (or for automatic enrollment), follow these steps:

    1. Select the "Send the request to a remote CMS now" option.

    2. Enter the host name and end-entity port number of the remote Certificate Manager, and specify whether the end-entity port is SSL enabled.

    3. Click Next to submit the request.

      The Certificate Request Result screen appears, confirming that the request has been submitted. Note the request ID provided in the response message. (You can use it later to retrieve the certificate, once it has been issued, from the end-entity port.)

      Note that your request gets added to the agent queue of the remote Certificate Manager for approval by that Certificate Manager's agent. If you have permission to access that Certificate Manager's Agent interface, you can follow the instructions below to issue the certificate. Otherwise, you should wait for the remote Certificate Manager's agent to approve your request.

    4. Open a web browser window.

    5. Enter the URL for the remote Certificate Manager's Agent Services page. (You must use the same computer where you got your agent certificate.)

    6. Select List Requests, click Show Pending Requests, and click Find.

    7. In the pending request list, locate your request, click Details to see the request, and make any changes. Then, scroll down to the bottom of the form and click Do It.

    8. After the certificate is generated, click Show Certificate.

    9. When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file.

      Be sure not to make any changes to the certificate. You're required to paste the encoded certificate into the Installation Wizard next. So, once you've copied the certificate, go back to the wizard screen (Step 11).

    To submit your certificate request manually to a remote Certificate Manager, follow these steps:

    1. Open a web browser window.

    2. Go to the end-entity URL of the remote Certificate Manager that will issue the Registration Manager's signing certificate.

      For example, if you assigned the port number 17006 to the non-SSL end-entity port for your root CA, you would go to the URL http://hostname:17006 to bring up the Certificate Manager page for end entities.

    3. In the left-hand frame of the Enrollment tab, choose the form appropriate for the request type:

      If the request is in the PKCS #10 format, under Server, click Registration Manager. In the resulting form, paste the request from the clipboard into the text area and fill in any other required information.

      If the request is in the CMC format, click CMC Enrollment. In the resulting form, paste the request from the clipboard into the text area and fill in any other required information. Be sure to select RA Signing Certificate as the certificate type.

    4. Click Submit.

    5. The request gets added to the agent queue of the remote Certificate Manager for approval by that Certificate Manager's agent. If you have permission to access that Certificate Manager's Agent interface, you can follow the instructions below to issue the certificate. Otherwise, you'll have to wait until the remote Certificate Manager's agent approves your request.

    6. In the web browser window, enter the URL for the remote Certificate Manager's Agent Services page. (You must use the same computer where you got your agent certificate.)

    7. Select List Requests, click Show Pending Requests, and click Find.

    8. In the pending request list, locate your request, click Details to see it. After checking the certificate request and making required changes, scroll down to the last section, labeled Privileges.

    9. Select the checkbox labeled "This certificate is for a Trusted Manager." (Note that you must be a designated CMS administrator as well as an agent for this option to work correctly.)

    10. Type a user ID for the new Registration Manager. This user ID can be the same that you specified in the certificate request, or it can be some other ID that you want to use to identify this manager in the CMS window of iPlanet Console, such as RMEng.

    11. Scroll to the bottom and click Do It.

    12. After the certificate is generated, click Show Certificate.

    13. When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file.

      Be sure not to make any changes to the certificate. You're required to paste the encoded certificate into the Installation Wizard next. So, once you've copied the certificate, go back to the wizard screen (Step 11).

    To submit your certificate request manually to a third-party CA, follow these steps:

    1. Make sure that the certificate request (including -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----) is highlighted, and click the Copy to Clipboard button.

      This action copies the certificate request to the clipboard. In addition to the copy on the clipboard, the screen informs you that the certificate request has been saved to a file. You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the Registration Manager's signing certificate.

    2. Submit your certificate request to a third-party CA, following the instructions provided by that CA.

    Click Next when you are ready to proceed.

  11. Registration Manager Signing Certificate Installation. Depending on whether you have the certificate ready for pasting into the Installation Wizard screen, click Yes or No.

    • If you have submitted your request to a third-party CA or to a remote Certificate Manager for which you do not have agent privileges, you may have to wait days or weeks before you receive the certificate. In this case, you should click No, continue as far as you can with the configuration, and resume after you receive the certificate. The default selection is No. Select Yes only if you have the certificate ready in its base-64 encoded format.

    Click Next to continue.

    • If you selected Yes, the "Location of Certificate" screen appears (Step 12).

    • If you selected No, you will be presented with the "Key-Pair Information for SSL Server Certificate" screen (Step 15).

  12. Location of Certificate. Specify the location of the certificate. You can use any of these options:

    • If you copied the encoded certificate to a file, select the "The certificate is located in this file" option and then type the file path, including the filename, in the text field.

    • If you copied the certificate to the clipboard, select the "The certificate is located in the text area below" option and then paste in a base-64 encoded certificate (including the header and footer) in the text area provided.

    • If you noted the request ID of your request and know the host name and end-entity port number of the remote Certificate Manager that issued the certificate, select the "The certificate is at the CMS server where the request was sent" option and then specify the required details.

    Click Next to continue.
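    Before pasting the certificate into this screen, it is worth confirming that the copied blob is intact, since a dropped character or an altered header line is the commonest reason a pasted certificate is rejected. The following Python check is an added example written for this guide, not part of iPlanet Certificate Management System or its command-line tools. It assumes the blob is a standard PEM-wrapped DER certificate, which is the base-64 form the Show Certificate page produces: it verifies the BEGIN/END lines, decodes the base-64 body strictly, checks that the outer DER SEQUENCE length matches what was decoded, and returns fingerprints you can compare against the Certificate Details screen. SAMPLE_PEM is a constructed minimal DER SEQUENCE, not a real certificate.

```python
import base64
import binascii
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample: base-64 of the DER bytes 30 03 02 01 05, i.e. a
# SEQUENCE containing INTEGER 5.  Not a real certificate; it only
# exercises the structural checks below.
SAMPLE_PEM = BEGIN + "\nMAMCAQU=\n" + END + "\n"


def der_length(buf: bytes, offset: int) -> tuple:
    """Decode the DER length field at buf[offset]; return (length, bytes used)."""
    first = buf[offset]
    if first < 0x80:
        return first, 1
    n = first & 0x7F
    if n == 0 or n > 4 or offset + 1 + n > len(buf):
        raise ValueError("indefinite, oversized or truncated DER length")
    return int.from_bytes(buf[offset + 1:offset + 1 + n], "big"), 1 + n


def check_pem_certificate(text: str) -> dict:
    """Validate a pasted base-64 certificate and return its size and fingerprints.

    Raises ValueError if the BEGIN/END lines are missing or altered, if the
    body contains characters outside the base-64 alphabet, or if the outer
    DER SEQUENCE length disagrees with the decoded data (a sign that the
    blob was truncated or edited while being copied).
    """
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing or altered BEGIN/END CERTIFICATE lines")
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("body contains characters outside the base-64 alphabet")
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("base-64 decoding failed: %s" % exc) from exc
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    length, used = der_length(der, 1)
    if 1 + used + length != len(der):
        raise ValueError("DER length does not match decoded size (truncated or altered)")
    return {
        "der_bytes": len(der),
        "sha1": hashlib.sha1(der).hexdigest(),
        "sha256": hashlib.sha256(der).hexdigest(),
    }


def pem_problem(text: str):
    """Return None if the blob passes every check, otherwise the failure message."""
    try:
        check_pem_certificate(text)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(check_pem_certificate(SAMPLE_PEM))
    # One dropped base-64 character changes the decoded length and is caught.
    print(pem_problem(SAMPLE_PEM.replace("MAMCAQU=", "MAMCAQ==")))
```

    Run the check on the text you copied from the Show Certificate page (or on the saved file) before choosing one of the options above; if it reports a problem, copy the certificate again rather than editing the blob by hand.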

  13. Certificate Details. This is an informational screen that displays the certificate so you can inspect its contents. Notice the nickname assigned to the certificate and verify that you're installing the correct certificate.

    Click Next to continue.

  14. Import Certificate Chain. This screen appears only if you need to import the CA certificate chain. If the CA that issued the certificate is a Certificate Manager, follow these steps:

    1. Go to the end-entity URL for the remote Certificate Manager that issued the Registration Manager's signing certificate.

    2. Select the Retrieval tab, and in the left-hand frame, click Import CA Certificate Chain.

    3. In the resulting form, select the "Display the CA certificate chain in PKCS#7 for importing into a server" option, and then click Submit.

    4. In the resulting page, locate the CA certificate chain in its base-64 encoded format, and copy the certificate chain to the clipboard.

    5. Return to the Installation Wizard.

    6. Paste the certificate chain into the text box.

    Click Next to continue.

  15. Key-Pair Information for SSL Server Certificate. Select the token to store the SSL server certificate and key pair. If you have not previously initialized the token's password, you must do so in this screen. Also specify the key type and length.

    Click Next to continue.

  16. Message Digest Algorithm. Select the algorithm to use for computing the certificate signature. The choices are: SHA-1, MD2, or MD5.

    Click Next to continue.

  17. Subject Name for SSL Server Certificate. Type the values for the subject DN components; these values identify the Registration Manager's SSL server certificate. The CN must be the fully-qualified host name of the machine on which you're installing the Registration Manager.

    Click Next to continue.

  18. Certificate Extensions for SSL Server Certificate. Select the required extensions. The default settings should work for most deployments. If necessary, you can add an additional extension by pasting its base-64 encoding in the space provided on this screen. (For details, see Step 8 of this section.)

    Click Next to continue.

  19. SSL Server Certificate Request Creation. This is an informational screen that tells you that the wizard has all the information required to generate the key pair and certificate request. In the previous screen, if you chose to include the Subject Key Identifier extension in the certificate, you'll be given the choice to select the format for the certificate request. Otherwise, the request format will be PKCS #10.

    • If you want the wizard to generate the certificate request in PKCS #10 format, select the "Generate PKCS10 request" option.

    • If you want the wizard to generate the certificate request in CMC format, select the "Generate CMC full enrollment request" option.

    Click Next. The wizard creates the certificate request that you must submit to another CA.

  20. Submission of Request. Select whether you want to submit the request manually or send the request automatically to a remote Certificate Manager.

    To automatically submit the request to a remote Certificate Manager (or for automatic enrollment), follow these steps:

    1. Select the "Send the request to a remote CMS now" option.

    2. Enter the host name and end-entity port number of the remote Certificate Manager, and select whether the end-entity port is SSL enabled.

    3. Click Next to submit the request.

      The Certificate Request Result screen appears, confirming that the request has been submitted. Note the request ID provided in the response message. (You can use it later to retrieve the certificate, once it has been issued, from the end-entity port.)

      Note that your request gets added to the agent queue of the remote Certificate Manager for approval by that Certificate Manager's agent. If you have permission to access that Certificate Manager's Agent interface, you can follow the instructions below to issue the certificate. Otherwise, you should wait for the remote Certificate Manager's agent to approve your request.

    4. In the web browser window, enter the URL for the remote Certificate Manager's Agent Services page. (You must use the same computer where you got your agent certificate.)

    5. Select List Requests, click Show Pending Requests, and click Find.

    6. In the pending request list, locate your request, click Details to see it, and make any changes. Then, scroll down to the bottom of the form, and click Do It.

    7. After the certificate is generated, click Show Certificate.

    8. When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file.

      Be sure not to make any changes to the certificate. You're required to paste the encoded certificate into the Installation Wizard next, so once you've copied the certificate, go back to the wizard screen (Step 21).

    To submit your certificate request manually to a remote Certificate Manager, follow these steps:

    1. Open a web browser window.

    2. Go to the end-entity URL for the remote Certificate Manager that will issue the SSL server certificate.

      For example, if you assigned the port number 17006 to the non-SSL end-entity port for your root CA, you would go to the URL http://hostname:17006 to bring up the Certificate Manager page for end entities.

    3. In the left-hand frame of the Enrollment tab, choose the form appropriate for the request type:

      If the request is in the PKCS #10 format, under Server, click SSL Server. In the resulting form, paste the request from the clipboard into the text area and fill in any other required information.

      If the request is in the CMC format, click CMC Enrollment. In the resulting form, paste the request from the clipboard into the text area and fill in any other required information. Be sure to select Server SSL Certificate as the certificate type.

    4. Click Submit.

    5. The request gets added to the agent queue of the remote Certificate Manager for approval by that Certificate Manager's agent. If you have permission to access that Certificate Manager's Agent interface, you can follow the instructions below to issue the certificate. Otherwise, you will have to wait until the remote Certificate Manager's agent approves your request.

    6. In the web browser window, enter the URL for the remote Certificate Manager's Agent Services page. (You must use the same computer where you got your agent certificate.)

    7. Select List Requests, click Show Pending Requests, and click Find. The pending request list is displayed.

    8. Locate your request, click Details to see it, and make any changes. Then, scroll down to the bottom of the form and click Do It.

    9. After the certificate is generated, click Show Certificate.

    10. When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file.

      Be sure not to make any changes to the certificate. You're required to paste the encoded certificate into the Installation Wizard next, so once you've copied the certificate, go back to the wizard screen (Step 21).

    To submit your certificate request manually to a third-party CA, follow these steps:

    1. Make sure that the certificate request (including -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----) is highlighted, and click the Copy to Clipboard button.

      This action copies the certificate request to the clipboard. In addition to the copy on the clipboard, the screen informs you that the certificate request has been saved to a file. You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the Registration Manager's SSL server certificate.

    2. Submit your certificate request to a third-party CA, following the instructions provided by that CA.

    Click Next when you are ready to proceed to the next screen.

  21. SSL Server Certificate Installation. Depending on whether you have the certificate ready for pasting into the Installation Wizard screen, click Yes or No.

    • If you have submitted your request to a third-party CA or to a remote Certificate Manager for which you do not have agent privileges, you may have to wait days or weeks before you receive the certificate. In this case, you should click No, continue as far as you can with the configuration, and resume after you receive the certificate. The default is No. Select Yes only if you have the certificate ready in its base-64 encoded format.

    Click Next to continue.

    • If you selected Yes, the "Location of Certificate" screen appears (Step 22).

    • If you selected No, you will be presented with the "Create Single Signon Password" screen (Step 25).

  22. Location of Certificate. Specify the location of the certificate. You can use any of these options:

    • If you copied the encoded certificate to a file, select the "The certificate is located in this file" option and then type the file path, including the filename, in the text field.

    • If you copied the certificate to the clipboard, select the "The certificate is located in the text area below" option and then paste in a base-64 encoded certificate (including the header and footer) in the text area provided.

    • If you noted the request ID of your request and know the host name and end-entity port number of the Certificate Manager that issued the certificate, select the "The certificate is at the CMS server where the request was sent" option and then specify the required details.

    Click Next to continue.

  23. Certificate Details. This is an informational screen that displays the certificate so you can inspect its contents. Notice the nickname assigned to the certificate and verify that you're installing the correct certificate.

    Click Next to continue.

  24. Import Certificate Chain. This screen appears only if you need to import the CA certificate chain again; for example, if you requested the SSL server certificate from a different CA than the one from which you requested the signing certificate.

    Follow these steps to import the remote Certificate Manager's CA chain:

    1. Go to the web browser window.

    2. Enter the end-entity URL for the remote Certificate Manager that issued the SSL server certificate.

    3. Select the Retrieval tab, and in the left-hand frame, click Import CA Certificate Chain.

    4. Select the "Display the CA certificate chain in PKCS#7 for importing into a server" option, and then click Submit.

    5. In the resulting page, locate the CA certificate chain in its base-64 encoded format, and copy it to the clipboard.

    6. Return to the Installation Wizard.

    7. Paste the CA certificate chain into the text box.

    Click Next to continue.

  25. Create Single Signon Password. Type the single signon password. The single signon password simplifies the way you subsequently sign on to Certificate Management System by storing the passwords for the internal database, tokens, and so on. Each time you log on, you're only required to enter this single password. (For details, see Required Start-up Information.)

    Click Next to continue.

  26. Configuration Status. This screen should indicate that your configuration has been successful.

    Click Done to exit the Installation Wizard.

  27. Proceed to the next step, Stage 3. Enrolling for Administrator/Agent Certificate, to create the first agent user for the Registration Manager.


Installing a Standalone Data Recovery Manager

To install a standalone Data Recovery Manager:

  1. Subsystems. Select Data Recovery Manager.

    Click Next to continue.

  2. Network Configuration. Type the numbers for the ports to be used by the CMS instance. If you want to enable the non-SSL end-entity port, be sure to check the "Enable" checkbox.

    Click Next to continue.

  3. Key-Pair Information for Data Recovery Manager Transport Certificate. Select the token to store the transport certificate and key pair. If you have not previously initialized the token's password, you must do so in this screen. Also specify the key type and length.

    Click Next to continue.

  4. Message Digest Algorithm. Select the algorithm to use for computing the certificate signature. The choices are: SHA-1, MD2, or MD5.

    Click Next to continue.

  5. Subject Name for Data Recovery Manager Transport Certificate. Type the values for the subject DN components; these values identify the transport certificate.

    Click Next to continue.

  6. Certificate Extensions for Data Recovery Manager Transport Certificate. Select the required extensions. The default settings should work for most deployments. If necessary, you can add an additional extension by pasting its base-64 encoding in the space provided on this screen.

    Certificate Management System provides command-line tools for generating extensions to include in CA and other certificate requests. For details about these tools, check this directory: <server_root>/bin/cert/tools

    Note that the certificate extension text field accepts a single extension blob. If you want to add multiple extensions, you should use the ExtJoiner program, which is also provided in the tools directory. For details on using the ExtJoiner program, see Chapter 5, "Extension Joiner Tool" of CMS Command-Line Tools Guide.

    Click Next to continue.
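    The note above says the text field takes a single extension blob and that ExtJoiner combines several. The following Python is an added example written for this guide, not the product's ExtJoiner or any other CMS tool, and it shows what such a blob is at the DER level. It assumes (an assumption, not something this page states) that the field expects the base-64 encoding of a DER X.509 Extension, and that joining means wrapping several Extension values in one Extensions SEQUENCE. The two sample extensions, basicConstraints (CA:FALSE, critical) and keyUsage (digitalSignature and keyEncipherment), are constructed for the demonstration.

```python
import base64


def der_len(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER tag-length-value triple."""
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])  # base-128, high bit set on all but last byte
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def der_extension(oid: str, value_der: bytes, critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }.  DER omits a BOOLEAN equal to its default."""
    parts = der_oid(oid)
    if critical:
        parts += der_tlv(0x01, b"\xff")
    parts += der_tlv(0x04, value_der)
    return der_tlv(0x30, parts)


def join_extensions(exts) -> bytes:
    """Extensions ::= SEQUENCE OF Extension; this is the joining step."""
    return der_tlv(0x30, b"".join(exts))


def decode_blob(b64: str) -> bytes:
    """Decode a base-64 blob back to DER, e.g. to inspect what was pasted."""
    return base64.b64decode(b64)


# Constructed sample extensions (values are the DER of the extension's inner type).
BASIC_CONSTRAINTS_OID = "2.5.29.19"
KEY_USAGE_OID = "2.5.29.15"
BASIC_CONSTRAINTS_CA_FALSE = der_tlv(0x30, b"")      # BasicConstraints SEQUENCE {} (cA DEFAULT FALSE)
KEY_USAGE_DS_KE = bytes.fromhex("030205a0")          # BIT STRING, 5 unused bits, bits 0 and 2 set


def sample_blob() -> str:
    """Base-64 of one Extensions SEQUENCE holding both sample extensions."""
    exts = [
        der_extension(BASIC_CONSTRAINTS_OID, BASIC_CONSTRAINTS_CA_FALSE, critical=True),
        der_extension(KEY_USAGE_OID, KEY_USAGE_DS_KE),
    ]
    return base64.b64encode(join_extensions(exts)).decode("ascii")


if __name__ == "__main__":
    print(sample_blob())
```

    The single blob the screen accepts corresponds to one `der_extension` result; a joined blob is the `join_extensions` wrapper around several of them, which is why two separately encoded extensions cannot simply be pasted one after the other.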

  7. Data Recovery Manager Transport Certificate Request Creation. This informational screen tells you that the wizard has all the information required to generate the key pair and certificate request. In the previous screen, if you chose to include the Subject Key Identifier extension in the certificate, you'll be given the choice to select the format for the certificate request. Otherwise, the request format will be PKCS #10.

    • If you want the wizard to generate the certificate request in PKCS #10 format, select the "Generate PKCS10 request" option.

    • If you want the wizard to generate the certificate request in CMC format, select the "Generate CMC full enrollment request" option.

    Click Next. The wizard generates the certificate request that you must submit to a CA, which could be a remote Certificate Manager or a third-party CA.

  8. Submission of Request. Specify whether you want to submit the request automatically or manually.

    To automatically submit the request to a remote Certificate Manager (or for automatic enrollment), follow these steps:

    1. Select the "Send the request to a remote CMS now" option.

    2. Enter the host name and end-entity port number, and specify whether the end-entity port is SSL enabled.

    3. Click Next to submit the request.

      The Certificate Request Result screen appears, confirming that the request has been submitted. Note the request ID provided in the response message. (You can use it later to retrieve the certificate, once it has been issued, from the end-entity port.)

      Note that your request gets added to the agent queue of the remote Certificate Manager for approval by that Certificate Manager's agent. If you have permission to access that Certificate Manager's Agent interface, you can follow the instructions below to issue the certificate. Otherwise, you should wait for the remote Certificate Manager's agent to approve your request.

    4. Open a web browser window.

    5. Enter the URL for the remote Certificate Manager's Agent Services page. (You must use the same computer where you got your agent certificate.)

    6. Select List Requests, click Show Pending Requests, and click Find.

    7. In the pending request list, locate your request, click Details to see the request, and make any changes. Then, scroll down to the bottom of the form, and click Do It.

    8. After the certificate is generated, click Show Certificate.

    9. When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file.

      Be sure not to make any changes to the certificate. You're required to paste the encoded certificate into the Installation Wizard next, so once you've copied the certificate, go back to the wizard screen (Step 9).

    To submit your certificate request manually to a remote Certificate Manager, follow these steps:

    1. Open a web browser window.

    2. Go to the end-entity URL for the remote Certificate Manager that will issue the Data Recovery Manager's transport certificate.

      For example, if you assigned the port number 17006 to the non-SSL end-entity port for your root CA, you would go to the URL http://hostname:17006 to bring up the Certificate Manager page for end entities.

    3. In the left-hand frame of the Enrollment tab, choose the form appropriate for the request type:

      If the request is in the PKCS #10 format, under Server, click SSL Server. In the resulting form, paste the request from the clipboard into the text area and fill in any other required information.

      If the request is in the CMC format, click CMC Enrollment. In the resulting form, paste the request from the clipboard into the text area and fill in any other required information. Be sure to select Server SSL Certificate as the certificate type.

    4. Click Submit.

    5. The request gets added to the agent queue of the remote Certificate Manager for approval by that Certificate Manager's agent. If you have permission to access that Certificate Manager's Agent interface, you can follow the instructions below to issue the certificate.

    6. In the web browser window, enter the URL for the remote Certificate Manager's Agent Services page. (You must use the same computer where you got your agent certificate.)

    7. Select List Requests, click Show Pending Requests, and click Find.

    8. In the pending request list, locate your request, then click Details to see the request. After checking the rest of the certificate request, scroll down to the end of the form and click Do It.

    9. After the certificate is generated, click Show Certificate.

    10. When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file.

      Be sure not to make any changes to the certificate. You're required to paste the encoded certificate into the Installation Wizard next, so once you've copied the certificate, go back to the wizard screen (Step 9).

    To submit the transport certificate request manually to a third-party CA, follow these steps:

    1. Make sure that the certificate request (including -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----) is highlighted, and click the Copy to Clipboard button.

      This action copies the certificate request to the clipboard. In addition to the copy on the clipboard, the screen informs you that the certificate request has been saved to a file. You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the Data Recovery Manager's transport certificate.

    2. Submit your certificate request to a third-party CA, following the instructions provided by that CA.

    Click Next when you are ready to proceed.

  9. Data Recovery Manager Transport Certificate Installation. Depending on whether you have the certificate ready for pasting into the Installation Wizard screen, click Yes or No.

    • If you have submitted your request to a third-party CA or to a remote Certificate Manager for which you do not have agent privileges, you may have to wait days or weeks before you receive the certificate. In this case, you should click No, continue as far as you can with the configuration, and resume after you receive the certificate. The default is No. Select Yes only if you have the certificate ready in its base-64 encoded format.

    Click Next to continue.

    • If you selected Yes, the "Location of Certificate" screen appears (Step 10).

    • If you selected No, you will be presented with the "Storage Key Creation for Data Recovery Manager" screen (Step 13).

  10. Location of Certificate. Specify the location of the certificate. You can use any of these options:

    • If you copied the encoded certificate to a file, select the "The certificate is located in this file" option and then type the file path, including the filename, in the text field.

    • If you copied the certificate to the clipboard, select the "The certificate is located in the text area below" option and then paste in a base-64 encoded certificate (including the header and footer) in the text area provided.

    • If you noted the request ID of your request and know the host name and end-entity port number of the remote Certificate Manager that issued the certificate, select the "The certificate is at the CMS server where the request was sent" option and then specify the required details.

    Click Next to continue.

  11. Certificate Details. This informational screen displays the certificate so you can inspect its contents. Notice the nickname assigned to the certificate and verify that you're installing the correct certificate.

    Click Next to continue.

  12. Import Certificate Chain. This screen appears only if you need to import the CA certificate chain. Follow these steps to import the CA chain of the remote Certificate Manager:

    1. Go to the web browser window.

    2. Enter the end-entity URL for the remote Certificate Manager that issued the transport certificate.

    3. Select the Retrieval tab, and then in the left-hand frame, click Import CA Certificate Chain.

    4. In the resulting form, select the "Display the CA certificate chain in PKCS#7 for importing into a server" option, and click Submit.

    5. In the resulting page, locate the CA certificate chain in its base-64 encoded format, and copy it to the clipboard.

    6. Return to the Installation Wizard.

    7. Paste the CA certificate chain into the text box.

    Click Next to continue.

    The screens that follow let you configure the storage key and recovery schemes for the Data Recovery Manager.

  13. Storage Key Creation for Data Recovery Manager. Select the length you have decided on for your storage key.

    Click Next to continue.

  14. Data Recovery Key Scheme - 1. Type both the required number of recovery agents and the total number of recovery agents.

    Click Next to continue.

  15. Data Recovery Key Scheme - 2. The number of table rows corresponds to the total number of agents you specified in the previous screen. Type the user ID and password for each agent in the table.

    Click Next to continue. The screens that follow let you request an SSL server certificate for the Data Recovery Manager.
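    The two Data Recovery Key Scheme screens define an m-of-n rule: the storage key can only be recovered when the required number out of the total number of agents cooperate. This page does not describe how the product enforces that rule, so the following Python is an added example, not the Data Recovery Manager's own implementation, that illustrates the threshold principle with Shamir secret sharing over a prime field: a secret is split into `total` shares, any `required` of them reconstruct it, and fewer than `required` yield a value unrelated to the secret. The secret bytes are constructed for the demonstration.

```python
import secrets

# Mersenne prime 2^521 - 1: every secret of up to 64 bytes lies below it.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x: int) -> int:
    """Horner evaluation of sum(coeffs[i] * x**i) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, required: int, total: int):
    """Split secret into `total` shares, any `required` of which recover it.

    Share i is (i, f(i)) for a random polynomial f of degree required-1
    whose constant term is the secret; all other coefficients are random,
    so any required-1 shares leave f(0) uniformly undetermined.
    """
    if not 1 <= required <= total:
        raise ValueError("need 1 <= required <= total")
    if len(secret) > 64:
        raise ValueError("secret must be at most 64 bytes for this field")
    s = int.from_bytes(secret, "big")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(required - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, total + 1)]


def recover_int(shares) -> int:
    """Lagrange-interpolate f(0) from the given (x, y) shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    acc = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        acc = (acc + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return acc


def recover_secret(shares, secret_len: int) -> bytes:
    """Recover the secret bytes.

    With fewer than `required` shares the interpolation still produces a
    number, but one unrelated to the secret; it is kept to secret_len bytes
    here so a caller can see it simply does not match.
    """
    return recover_int(shares).to_bytes(66, "big")[-secret_len:]


if __name__ == "__main__":
    # Constructed demo key: 3 of 5 agents are required.
    key = b"constructed DRM storage key 0123456789abcdef"
    shares = split_secret(key, 3, 5)
    print(recover_secret([shares[0], shares[2], shares[4]], len(key)) == key)
    print(recover_secret(shares[:2], len(key)) == key)
```

    The recovery-agent passwords typed into the table above play the role of the per-agent share credentials: a single agent, or any group smaller than the required number, cannot reconstruct the storage key on its own.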

  16. Key-Pair Information for SSL Server Certificate. Select the token to store the SSL server certificate and key pair. If you have not previously initialized the token's password, you must do so in this screen. Also specify the key type and length.

    Click Next to continue.

  17. Message Digest Algorithm. Select the algorithm to use for computing the certificate signature. The choices are: SHA-1, MD2, or MD5.

    Click Next to continue.

  18. Subject Name for SSL Server Certificate. Type the values for the subject DN components; these values identify the Data Recovery Manager's SSL server certificate. The CN must be the fully-qualified host name of the machine on which you're installing the Data Recovery Manager.

    Click Next to continue.

  19. Certificate Extensions for SSL Server Certificate. Select the required extensions. The default settings should work for most deployments. If necessary, you can add an additional extension by pasting its base-64 encoding in the space provided on this screen. (For details, see Step 6 of this section.)

    Click Next to continue.

  20. SSL Server Certificate Request Creation. This is an informational screen that tells you that the wizard has all the information required to generate the key pair and certificate request. In the previous screen, if you chose to include the Subject Key Identifier extension in the certificate, you'll be given the choice to select the format for the certificate request. Otherwise, the request format will be PKCS #10.

    • If you want the wizard to generate the certificate request in PKCS #10 format, select the "Generate PKCS10 request" option.

    • If you want the wizard to generate the certificate request in CMC format, select the "Generate CMC full enrollment request" option.

    Click Next. The wizard generates a certificate request that you must submit to a CA.

  21. Submission of Request. Select whether you want to submit the request manually or send the request automatically to a remote Certificate Manager.

    To automatically submit the request to a remote Certificate Manager (or for automatic enrollment), follow these steps:

    1. Select the "Send the request to a remote CMS now" option.

    2. Enter the host name and end-entity port number of the remote Certificate Manager, and specify whether the end-entity port is SSL enabled.

    3. Click Next to submit the request.

      The Certificate Request Result screen appears, confirming that the request has been submitted. Note the request ID provided in the response message. (You can use it later to retrieve the certificate, once it has been issued, from the end-entity port.)

      Note that your request gets added to the agent queue of the remote Certificate Manager for approval by that Certificate Manager's agent. If you have permission to access that Certificate Manager's Agent interface, you can follow the instructions below to issue the certificate. Otherwise, you should wait for the remote Certificate Manager's agent to approve your request and issue the certificate.

    4. In the web browser window, enter the URL for the remote Certificate Manager's Agent Services page. (You must use the same computer where you got your agent certificate.)

    5. Select List Requests, click Show Pending Requests, and click Find.

    6. In the pending request list, locate your request, click Details to see the request, and make any changes. Then, scroll down to the bottom of the form and click Do It.

    7. After the certificate is generated, click Show Certificate.

    8. When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file.

      Be sure not to make any changes to the certificate. You're required to paste the encoded certificate into the Installation Wizard next, so once you've copied the certificate, go back to the wizard screen (Step 22).

    To submit your certificate request manually to a Certificate Manager, follow these steps:

    1. Open a web browser window.

    2. Go to the end-entity URL for the Certificate Manager that will issue the SSL server certificate.

      For example, if you assigned the port number 17006 to the non-SSL end-entity port for your root CA, you would go to the URL http://hostname:17006 to bring up the Certificate Manager page for end entities.

    3. In the left-hand frame of the Enrollment tab, choose the form appropriate for the request type:

      If the request is in the PKCS #10 format, under Server, click SSL Server. In the resulting form, paste the request from the clipboard into the text area and fill in any other required information.

      If the request is in the CMC format, click CMC Enrollment. In the resulting form, paste the request from the clipboard into the text area and fill in any other required information. Be sure to select Server SSL Certificate as the certificate type.

    4. Click Submit.

      The request gets added to the agent queue of that Certificate Manager for approval by that Certificate Manager's agent. If you have permission to access that Certificate Manager's Agent interface, you can follow the instructions below to issue the certificate.

    5. In the web browser window, enter the URL for the Certificate Manager's Agent Services page. (You must use the same computer where you got your agent certificate.)

    6. Select List Requests, then click Show Pending Requests and click Find. The pending request list is displayed.

    7. Locate your request, click Details to see it, and make any changes. Then, scroll down to the bottom of the form and click Do It.

    8. After the certificate is generated, click Show Certificate.

    9. When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file.

      Be sure not to make any changes to the certificate. You're required to paste the encoded certificate into the Installation Wizard next, so once you've copied the certificate, go back to the wizard screen (Step 22).

    To submit your certificate request manually to a third-party CA, follow these steps:

    1. Make sure that the certificate request (including -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----) is highlighted, and click the Copy to Clipboard button.

      This action copies the certificate request to the clipboard. In addition, the screen informs you that the certificate request has been saved to a file. You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the SSL server certificate.

    2. Submit your certificate request to a third-party CA, following the instructions provided by that CA.

    Click Next when you are ready to proceed to the next screen.

  22. SSL Server Certificate Installation. Depending on whether you have the certificate ready for pasting into the Installation Wizard screen, click Yes or No.

    • If you have submitted your request to a third-party CA or to a remote Certificate Manager for which you do not have agent privileges, you may have to wait days or weeks before you receive the certificate. In this case, you should click No, continue as far as you can with the configuration, and resume after you receive the certificate. The default is No. Select Yes only if you have the certificate ready in its base-64 encoded format.

    Click Next to continue.

    • If you selected Yes, the "Location of Certificate" screen appears (Step 23).

    • If you selected No, you will be presented with the "Create Single Signon Password" screen (Step 26).

  23. Location of Certificate. Specify the location of the certificate. You can use any of these options:

    • If you copied the encoded certificate to a file, select the "The certificate is located in this file" option and then type the file path, including the filename, in the text field.

    • If you copied the certificate to the clipboard, select the "The certificate is located in the text area below" option and then paste in a base-64 encoded certificate (including the header and footer) in the text area provided.

    • If you noted the request ID of your request and know the host name and end-entity port number of the remote Certificate Manager that issued the certificate, select the "The certificate is at the CMS server where the request was sent" option and then specify the required details.

    Click Next to continue.

  24. Certificate Details. This is an informational screen that displays the certificate so you can inspect its contents. Notice the nickname assigned to the certificate and verify that you're installing the correct certificate.

    Click Next to continue.

  25. Import Certificate Chain. This screen appears only if you need to import the CA certificate chain again. Follow these steps to import the CA chain of a remote Certificate Manager:

    1. Go to the web browser window.

    2. Enter the end-entity URL for the remote Certificate Manager that issued the SSL server certificate.

    3. Select the Retrieval tab, and then in the left-hand frame, select Import CA Certificate Chain.

    4. In the resulting form, select the "Display the CA certificate chain in PKCS#7 for importing into a server" option, and click Submit.

    5. In the resulting page, locate the CA certificate chain in its base-64 encoded format and copy it to the clipboard.

    6. Return to the Installation Wizard.

    7. Paste the CA certificate chain into the text box.

    Click Next to continue.

  26. Create Single Signon Password. Type the single signon password. The single signon password simplifies the way you subsequently sign on to Certificate Management System by storing the passwords for the internal database, tokens, and so on. Each time you log on, you're only required to enter this single password. (For details, see Required Start-up Information.)

    Click Next to continue.

  27. Configuration Status. This screen should indicate that your configuration has been successful.

    Click Done to exit the Installation Wizard.

  28. Proceed to the next step, Stage 3. Enrolling for Administrator/Agent Certificate, to create the first agent for the Data Recovery Manager.


Installing an Online Certificate Status Manager

To install a standalone Online Certificate Status Manager:

  1. Subsystems. Select Online Certificate Status Manager.

    Click Next to continue.

  2. Network Configuration. Type the numbers for the ports to be used by the CMS instance. Be sure to leave the "Enable" checkbox for the non-SSL end-entity port selected. The OCSP-compliant clients will use this port to communicate with the Online Certificate Status Manager.

    Click Next to continue.

  3. Key-Pair Information for Online Certificate Status Manager Signing Certificate. Select the token to store the Online Certificate Status Manager signing certificate and key pair. If you have not previously initialized the token's password, you must do so in this screen. Also specify the key type and length.

    Click Next to continue.

  4. Subject Name for Online Certificate Status Manager Signing Certificate. Type the values for the subject DN components; these values identify the Online Certificate Status Manager's signing certificate.

    Click Next to continue.

  5. Online Certificate Status Manager Signing Certificate Request Creation. This informational screen tells you that the wizard has all the information required to generate the key pair and certificate request.

    Click Next to generate them.

  6. Submission of Request. Select whether you want to submit the request manually or send the request to a remote CMS manager (Certificate Manager or Registration Manager) automatically. The wizard creates a certificate request that you must submit to a CA.

    To automatically submit the request to a remote Certificate Manager (or for automatic enrollment), follow these steps:

    1. Select the "Send the request to a remote CMS now" option.

    2. Enter the host name (for example, host.domain.com) and end-entity port number of the Certificate Manager, then specify whether this end-entity port uses SSL.

    3. Click Next to submit the request.

      The Certificate Request Result screen appears, confirming that the request has been submitted. Note the request ID provided in the response message. (You can use it later to retrieve the certificate, once the certificate has been issued, from the end-entity port.)

      Note that your request is added to the agent queue of the Certificate Manager for approval by that Certificate Manager's agent. If you have permission to access that Certificate Manager's Agent interface, you can follow the instructions below to issue the certificate. Otherwise, wait for that agent to approve the request you submitted and issue the certificate.

    4. Open a web browser window.

    5. Enter the URL for the Certificate Manager's Agent Services page. (You must use the same computer where you got your agent certificate.)

    6. Select List Requests, then click Show Pending Requests and click Find. The pending request list is displayed.

    7. Locate your request, click Details to see it, and make any changes. Then, scroll down to the bottom of the form and click Do It.

    8. After the certificate is generated, click Show Certificate.

    9. When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file.

      Do not make any changes to the certificate. You are required to paste the encoded certificate into the Installation Wizard next, so once you have copied it, go back to the wizard screen (Step 7).

      Also note that you might be required to paste the CA certificate chain in the Installation Wizard. So, keep the browser window open.

    To submit your certificate request manually to a Certificate Manager, follow these steps:

    1. Open a web browser window.

    2. Go to the end-entity URL for the Certificate Manager that will issue the Online Certificate Status Manager's signing certificate.

      For example, if you assigned the port number 17006 to the non-SSL end-entity port for your CA, you would go to the URL http://hostname:17006 to bring up the Certificate Manager page for end entities.

    3. In the left-hand frame, under Server, click OCSP Responder.

    4. In the OCSP Responder Enrollment page that appears, paste the request from the clipboard into the field labeled PKCS #10 Request and fill in any other required information.

    5. Click Submit.

    6. If the request contains all the required information, you will see a notification that the request has been added to the agent queue of that Certificate Manager for approval by that Certificate Manager's agent. If you have permission to access that Certificate Manager's Agent interface, you can follow the instructions below to issue the certificate.

    7. In the web browser window, enter the URL for the Certificate Manager's Agent Services page. (You must use the same computer where you got your agent certificate.)

    8. Select List Requests, then click Show Pending Requests and click Find. The pending request list is displayed.

    9. Locate your request, click Details to see it.

    10. After checking the rest of the certificate request and making any changes, scroll to the bottom, and click Do It.

    11. After the certificate is generated, click Show Certificate.

    12. When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file.

      Do not make any changes to the certificate. You are required to paste the encoded certificate into the Installation Wizard next, so once you have copied it, go back to the wizard screen (Step 7).

      Also note that you might be required to paste the CA certificate chain in the Installation Wizard. So, keep the browser window open.

    To submit your certificate request manually to a third-party CA, follow these steps:

    1. Make sure that the certificate request (including -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----) is highlighted, and click the Copy to Clipboard button.

      This action copies the certificate request to the clipboard. In addition to the copy on the clipboard, the screen informs you that the certificate request has been saved to a file. You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the Online Certificate Status Manager's signing certificate.

    2. Submit your certificate request to a third-party CA, following the instructions provided by that CA.

    Click Next when you are ready to proceed.

  7. Online Certificate Status Manager Signing Certificate Installation. Depending on whether you have the certificate ready for pasting into the Installation Wizard screen, click Yes or No.

    • If you have submitted your request to a third-party CA or to a remote Certificate Manager for which you do not have agent privileges, you may have to wait days or weeks before you receive the certificate. In this case, you should click No, continue as far as you can with the configuration, and resume after you receive the certificate. The default selection is No. Select Yes only if you have the certificate ready in its base-64 encoded format.

    Click Next to continue.

    • If you selected Yes, the "Location of Certificate" screen appears (Step 8).

    • If you selected No, you will be presented with the "Key-Pair Information for SSL Server Certificate" screen (Step 11).

  8. Location of Certificate. Specify the location of the certificate. You can use one of these options:

    • If you noted the file path to the file that contains the certificate (in its base-64 encoded format), select the "The certificate is located in this file" option and type the file path, including the filename, in the text field.

    • If you copied the certificate (in its base-64 encoded format) to the clipboard, select the "The certificate is located in the text area below" option and paste the certificate (including the header and footer) in the text area provided.

    • If you want the wizard to retrieve the certificate from the remote CMS manager to which you submitted the request, select the "The certificate is at the CMS where the request was sent" option and supply the host name, end-entity port number, and request ID.

    Click Next to continue.

  9. Certificate Details. This is an informational screen that displays the certificate so you can inspect its contents. Notice the nickname assigned to the certificate and verify that you're installing the correct certificate.

    Click Next to continue.

  10. Import Certificate Chain. This screen appears only if you need to import the CA certificate chain. Follow these steps to import the CA chain of a Certificate Manager:

    1. Go back to the web browser window from which you copied the Online Certificate Status Manager's signing certificate (in its base-64 encoded format).

    2. Scroll down to the part that says "Base 64 encoded certificate with CA certificate chain in pkcs7 format" and shows the CA certificate chain in its PKCS#7 format.

    3. Highlight the whole encoded blob (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file.

      Do not make any changes to the certificate chain. You are required to paste the encoded chain into the Installation Wizard next, so once you have copied it, go back to the wizard screen.

    4. Paste the certificate chain into the text box.

    5. Click Next to continue.

    If you closed the end-entity interface, you can get the CA certificate chain this way:

    1. Open a web browser window.

    2. Go to the end-entity URL for the Certificate Manager that issued the Online Certificate Status Manager's signing certificate.

    3. Select the Retrieval tab, and then choose Import CA Certificate Chain.

    4. Select the "Display the CA certificate chain in PKCS#7 for importing into a server" option, and then click Submit.

    5. Copy the certificate chain to the clipboard.

    6. Return to the Installation Wizard.

    7. Paste the certificate chain into the text box.

    8. Click Next to continue.

  11. Key-Pair Information for SSL Server Certificate. Select the token to store the SSL server certificate and key pair. If you have not previously initialized the token's password, you must do so in this screen. Also specify the key type and length.

    Click Next to continue.

  12. Subject Name for SSL Server Certificate. Type the values for the subject DN components; these values identify the Online Certificate Status Manager's SSL server certificate. The CN must be the fully-qualified host name of the machine on which you're installing the Online Certificate Status Manager.

    Click Next to continue.

  13. Certificate Extensions for SSL Server Certificate. Select the required extensions. The default settings should work for most deployments. If necessary, you can add an additional extension by pasting its base-64 encoding in the space provided on this screen.

    Certificate Management System provides command-line tools for generating extensions to include in CA and other certificate requests. For details about these tools, check this directory: <server_root>/bin/cert/tools

    Note that the certificate extension text field accepts a single extension blob. If you want to add multiple extensions, you should use the ExtJoiner program, which is also provided in the tools directory. For details on using the ExtJoiner program, see Chapter 5, "Extension Joiner Tool" of CMS Command-Line Tools Guide.

    Click Next to continue.

  14. SSL Server Certificate Request Creation. This is an informational screen that tells you that the wizard has all the information required to generate the key pair and certificate request. In the previous screen, if you chose to include the Subject Key Identifier extension in the certificate, you'll be given the choice to select the format for the certificate request. Otherwise, the request format will be PKCS #10.

    • If you want the wizard to generate the certificate request in PKCS #10 format, select the "Generate PKCS10 request" option.

    • If you want the wizard to generate the certificate request in CMC format, select the "Generate CMC full enrollment request" option.

    Click Next. The wizard generates the certificate request that you must submit to a CA.

  15. Submission of Request. Select whether you want to submit the request manually or send the request to a remote CMS server (Certificate Manager or Registration Manager) automatically.

    To automatically submit the request to a remote Certificate Manager (or for automatic enrollment), follow these steps:

    1. Select the "Send the request to a remote CMS now" option.

    2. Enter the host name and end-entity port number of the Certificate Manager, and select whether this end-entity port uses SSL.

    3. Click Next to submit the request.

      The Certificate Request Result screen appears, confirming that the request has been submitted. Note the request ID provided in the response message. (You can use it later to retrieve the certificate, once it has been issued, from the end-entity port.)

      Note that your request is added to the agent queue of the Certificate Manager for approval by that Certificate Manager's agent. If you have permission to access that Certificate Manager's Agent interface, you can follow the instructions below to issue the certificate. Otherwise, wait for that agent to approve your request and issue the certificate.

    4. In the web browser window, enter the URL for the Certificate Manager's Agent Services page. (You must use the same computer where you got your agent certificate.)

    5. Select List Requests, then click Show Pending Requests and click Find. The pending request list is displayed.

    6. Locate your request, click Details to see it, and make any changes. Then scroll down to the bottom of the form and click Do It.

    7. After the certificate is generated, click Show Certificate.

    8. When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file.

      Do not make any changes to the certificate. You are required to paste the encoded certificate into the Installation Wizard next, so once you have copied it, go back to the wizard screen (Step 16).

    To submit your certificate request manually to a Certificate Manager, follow these steps:

    1. Open a web browser window.

    2. Go to the end-entity URL for the Certificate Manager that will issue the SSL server certificate.

      For example, if you assigned the port number 17006 to the non-SSL end-entity port for your root CA, you would go to the URL http://hostname:17006 to bring up the Certificate Manager page for end entities.

    3. In the left-hand frame of the Enrollment tab, choose the form appropriate for the request type:

      If the request is in the PKCS #10 format, under Server, click SSL Server. In the resulting form, paste the request from the clipboard into the text area and fill in any other required information.

      If the request is in the CMC format, click CMC Enrollment. In the resulting form, paste the request from the clipboard into the text area and fill in any other required information. Be sure to select Server SSL Certificate as the certificate type.

    4. Click Submit.

    5. The request is added to the agent queue of that Certificate Manager for approval by that Certificate Manager's agent. If you have permission to access that Certificate Manager's Agent interface, you can follow the instructions below to issue the certificate. Otherwise, you will have to wait for the Certificate Manager's agent to approve your request and issue the certificate.

    6. In the web browser window, enter the URL for the Certificate Manager's Agent Services page. (You must use the same computer where you got your agent certificate.)

    7. Select List Requests, then click Show Pending Requests and click Find. The pending request list is displayed.

    8. Locate your request, click Details to see it, and make any changes. Then, scroll down to the bottom of the form and click Do It.

    9. After the certificate is generated, click Show Certificate.

    10. When the certificate is displayed, scroll down to the base-64 encoded version of the certificate, highlight all the text (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and copy it to the clipboard or to a text file.

      Do not make any changes to the certificate. You are required to paste the encoded certificate into the Installation Wizard next, so once you have copied it, go back to the wizard screen (Step 16).

    To submit your certificate request manually to a third-party CA, follow these steps:

    1. Make sure that the certificate request (including -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----) is highlighted, and click the Copy to Clipboard button.

      This action copies the certificate request to the clipboard. In addition, the screen informs you that the certificate request has been saved to a file. You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the SSL server certificate.

    2. Submit your certificate request to a third-party CA, following the instructions provided by that CA.

    Click Next when you are ready to proceed to the next screen.

  16. SSL Server Certificate Installation. Depending on whether you have the certificate ready for pasting into the Installation Wizard screen, click Yes or No.

    • If you have submitted your request to a third-party CA or to a remote Certificate Manager for which you do not have agent privileges, you may have to wait days or weeks before you receive the certificate. In this case, you should click No, continue as far as you can with the configuration, and resume after you receive the certificate. The default is No. Select Yes only if you have the certificate ready in its base-64 encoded format.

    Click Next to continue.

    • If you selected Yes, the "Location of Certificate" screen appears (Step 17).

    • If you selected No, you will be presented with the "Create Single Signon Password" screen (Step 20).

  17. Location of Certificate. Specify the location of the certificate. You can use one of these options:

    • If you copied the encoded certificate to a file, select the "The certificate is located in this file" option and type the file path, including the filename, in the text field.

    • If you copied the certificate to the clipboard, select the "The certificate is located in the text area below" option and then paste in a base-64 encoded certificate (including the header and footer) in the text area provided.

    • If you know the request ID of your request and the host name and end-entity port number of the Certificate Manager that issued the SSL server certificate, select the "The certificate is at the CMS server where the request was sent" option and then specify the required details.

    Click Next to continue.

  18. Certificate Details. This is an informational screen that displays the certificate so you can inspect its contents. Notice the nickname assigned to the certificate and verify that you're installing the correct certificate.

    Click Next to continue.

  19. Import Certificate Chain. This screen appears only if you need to import the CA certificate chain. Follow these steps to import the CA chain of a Certificate Manager:

    1. Go to the web browser window.

    2. Enter the end-entity URL for the Certificate Manager that issued the SSL server certificate.

    3. Select the Retrieval tab, and then choose Import CA Certificate Chain.

    4. Select the "Display the CA certificate chain in PKCS#7 for importing into a server" option, and then click Submit.

    5. Copy the certificate chain to the clipboard.

    6. Return to the Installation Wizard.

    7. Paste the certificate chain into the text box.

    8. Click Next to continue.

  20. Create Single Signon Password. Type the single signon password. The single signon password simplifies the way you subsequently sign on to Certificate Management System by storing the passwords for the internal database, tokens, and so on. Each time you log on, you're only required to enter this single password. (For details, see Required Start-up Information.)

    Click Next to continue.

  21. Configuration Status. This screen should indicate that your configuration has been successful and that you need to create an agent for the Online Certificate Status Manager.

    Click Done to exit the Installation Wizard.

  22. Proceed to the next step, Stage 3. Enrolling for Administrator/Agent Certificate, to create an agent user for the Online Certificate Status Manager.
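The Certificate Details, Import Certificate Chain and Subject Name screens above (and the same screens in the Data Recovery Manager procedure) leave three checks to you: that the blob you paste is a complete, unaltered base-64 certificate; that it is the server certificate and not the PKCS #7 CA chain, which the end-entity pages present under the same -----BEGIN CERTIFICATE----- header; and that the SSL server certificate's subject CN is the fully qualified host name of the CMS machine. The script below performs those checks offline with the Python standard library. It is an added example, not part of the iPlanet product or of this guide. The DER objects it builds at the bottom are constructed stand-ins (unsigned, with dummy signature bytes), not real CMS output, and the host name cms.siroe.com and issuer name "Example Root CA" are assumptions.

```python
"""Pre-paste checks for a base-64 certificate blob destined for the CMS Installation
Wizard.  Added example, standard library only; sample DER at the bottom is constructed."""
import base64
import re

# Label may contain single spaces but no trailing one, so a mangled header such
# as "-----BEGIN CERTIFICATE -----" is rejected instead of silently accepted.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9]+(?: [A-Z0-9]+)*)-----\s*(.*?)\s*-----END \1-----", re.S)
OID_COMMON_NAME = b"\x55\x04\x03"                              # 2.5.4.3
OID_PKCS7_SIGNED_DATA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"  # 1.2.840.113549.1.7.2
OID_SHA1_WITH_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"      # 1.2.840.113549.1.1.5

def pem_to_der(text):
    """(label, DER); fails on missing/mismatched BEGIN-END lines or non-strict base-64."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no complete PEM block with matching BEGIN/END lines")
    return m.group(1), base64.b64decode(re.sub(r"\s+", "", m.group(2)), validate=True)

def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Elements of a constructed type as [(tag, content), ...]."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_tlv(content, pos)
        out.append((tag, val))
    return out

def classify(der):
    """'certificate' for an X.509 Certificate, 'pkcs7-chain' for the PKCS #7
    SignedData blob the end-entity pages show under the same CERTIFICATE header."""
    tag, body, end = der_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer element is not a SEQUENCE covering the whole blob")
    first_tag, first_val = der_children(body)[0]
    if first_tag == 0x06 and first_val == OID_PKCS7_SIGNED_DATA:
        return "pkcs7-chain"
    if first_tag == 0x30:                      # tbsCertificate
        return "certificate"
    raise ValueError("unrecognised DER structure")

def subject_cn(der):
    """Certificate -> tbsCertificate -> subject -> commonName (None if absent)."""
    fields = der_children(der_children(der_tlv(der)[1])[0][1])
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    for _, rdn in der_children(fields[4][1]):  # subject follows serial, sigAlg, issuer, validity
        for _, atv in der_children(rdn):       # SET OF AttributeTypeAndValue
            (_, oid), (_, val) = der_children(atv)
            if oid == OID_COMMON_NAME:
                return val.decode()
    return None

def check_ssl_server_cert(pem_text, expected_fqdn):
    """(True, cn) if the blob is one CERTIFICATE whose subject CN is the CMS
    host's FQDN, otherwise (False, reason).  Run it before clicking Next."""
    try:
        label, der = pem_to_der(pem_text)
        if label != "CERTIFICATE":
            return False, "expected a CERTIFICATE block, got " + label
        if classify(der) != "certificate":
            return False, "this is the PKCS #7 CA chain, not the server certificate"
        cn = subject_cn(der)
    except (ValueError, IndexError) as exc:
        return False, "malformed blob: %s" % exc
    if cn != expected_fqdn:
        return False, "subject CN %r does not match host %r" % (cn, expected_fqdn)
    return True, cn

# --- constructed sample data (minimal DER encoder; not real certificates) ---
def _tlv(tag, content):
    n, size = len(content), (len(content).bit_length() + 7) // 8
    length = bytes([n]) if n < 128 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content

def _name(cn):                                 # Name ::= SEQUENCE OF SET OF ATV
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, OID_COMMON_NAME) + _tlv(0x0C, cn.encode()))))

def sample_cert(cn):
    """Stand-in for the CMS SSL server certificate; signature bytes are dummies."""
    sig_alg = _tlv(0x30, _tlv(0x06, OID_SHA1_WITH_RSA))
    validity = _tlv(0x30, _tlv(0x17, b"010101000000Z") + _tlv(0x17, b"020101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sig_alg
               + _name("Example Root CA") + validity + _name(cn))
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00\x00\x00\x00\x00"))

def sample_pkcs7():
    """ContentInfo { contentType signedData, [0] content }: how the CA chain is wrapped."""
    return _tlv(0x30, _tlv(0x06, OID_PKCS7_SIGNED_DATA) + _tlv(0xA0, _tlv(0x30, b"")))

def to_pem(label, der):
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, base64.encodebytes(der).decode(), label)
```

Paste the text you copied from the agent page into check_ssl_server_cert together with the FQDN you typed on the Subject Name screen. A (False, reason) result tells you whether the paste was altered or truncated, whether you copied the PKCS #7 chain blob instead of the certificate, or whether the certificate was issued for a different host; the chain blob is what the Import Certificate Chain screen wants, not the certificate screen.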



Stage 3. Enrolling for Administrator/Agent Certificate

Immediately after installing any CMS instance, the administrator must enroll for the initial administrator/agent certificate. This is the first user (agent) certificate that Certificate Management System issues.

The initial user is both an administrator and an agent. This person can create additional agents with the appropriate user privileges and issue them certificates. Since there is no agent yet to approve the request, a special enrollment form allows you to get this first certificate automatically.

Follow the appropriate procedure for the subsystem you installed:

For more information about setting up and managing agents, see Agents.


Agent Certificate for a Certificate Manager

If the CMS instance you installed contains a Certificate Manager, a special enrollment form, Administrator/Agent Certificate Enrollment Form, allows you to get this first certificate automatically. After you submit this initial form, it is automatically disabled, so that no one else can acquire a certificate without agent approval or some form of automated authentication. The system automatically adds the initial user to the list of agents.

To enroll for the first agent certificate, you should be working at the computer you intend to use as the agent, so that the new certificate will be installed in the browser you will be using to access the Agent Services pages. Follow these steps:

  1. Open a web browser window.

  2. Go to the URL for the SSL agent port.

    By default, this is a URL of the following form: https://<hostname>:<agent_port>

    • For <hostname>, provide the fully qualified name of the machine on which Certificate Management System is installed; for example, CAmachine.siroe.com.

    • The <agent_port> is the TCP port specified during installation for agent communications over SSL.

    The first time you access this port, the system opens the Administrator/Agent Certificate Enrollment form.

    Because you have accessed an SSL port, Certificate Management System presents its server SSL certificate to your browser for authentication. This is the server SSL certificate that you created during installation. Because you just created it, it is not on your browser's list of trusted certificates. Before you see the Administrator/Agent Certificate Enrollment form, a series of dialog boxes appears that lets you add the CMS server certificate to your list of trusted certificates.

  3. Complete the dialog boxes as instructed (the exact procedure depends on the browser you are using).

  4. In the Administrator/Agent Certificate Enrollment form, enroll for a client SSL certificate as the system's first privileged user by entering the following information:

    Authentication Information

    User ID. Type the ID you entered for the CMS administrator during installation.

    Password. Type the password you specified for the CMS administrator during installation.

    Subject Name

    The subject name is the distinguished name (DN) that identifies the certified owner of the certificate.

    Full name. Type the name of administrator/agent.

    Login name. Type the user ID of administrator/agent.

    Email address. Type the email address of administrator/agent.

    Organization unit. Type the name of the organization unit to which the administrator/agent belongs.

    Organization. Type the name of the company or organization the administrator/agent works for.

    Country. Type the two-letter code for the administrator/agent's country.

    User's Key Length Information

    Key Length. Type the length of the private key that will be generated by your browser. This key corresponds to the public key that is part of the administrator/agent certificate.

    Note that the validity period of this initial agent certificate is hard-coded as one year.

  5. Click Submit.

  6. Follow the instructions your browser presents as it generates a key pair.

  7. If authentication is successful, the new certificate will be imported into your browser, and you will be given an opportunity to make a backup copy.

Now you have a client authentication certificate in the name you specified. This special user, who was named as the initial administrator for Certificate Management System during installation, has been automatically designated as the first agent. This certificate allows you to access the Agent Services pages. As an agent, you can approve enrollment requests and start issuing new certificates. To access the CMS windows in iPlanet Console, you use the user ID that you specified for the certificate and the corresponding password—both of which must correspond to the values you specified for the CMS administrator during installation.


Important
After you submit the initial Administrative Enrollment form, it is no longer available from the agent port. If something goes wrong and you are unable to obtain the administrator/agent certificate, you must reset a parameter in the configuration file to make the initial administrative enrollment form available again. Here's how you can do this:

  1. In the left frame of iPlanet Console, open the CMS instance for which you want to display the Administrator/Agent Certificate Enrollment form.

    The server requests the password for the CMS administrator.

  2. Click the icon labeled "Stop the Server."

  3. Go to this directory: <server_root>/cert-<instance_id>/config

  4. Open the configuration file (CMS.cfg) in a text editor.

  5. Locate the following line: agentGateway.enableAdminEnroll=false

  6. Change false to true, and save the file.

  7. Start the server from the CMS window where you stopped it. (Alternatively, right-click on the name of the instance in the left frame and choose Start Server.) At this point, the server asks you for the single signon password you specified during installation.

  8. The next time you access the SSL agent port, the Administrator/Agent Certificate Enrollment form will be available again.
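The edit in steps 3 to 6 changes a single key, but done by hand it is easy to mistype the key name or to edit the wrong instance's file. The script below is an added example, not part of the iPlanet product or of this guide. It assumes the default layout given above (<server_root>/cert-<instance_id>/config/CMS.cfg), that you have stopped the instance from iPlanet Console first (steps 1 and 2) and will start it again afterwards (step 7), and that agentGateway.enableAdminEnroll is the only line to change. It keeps a backup of the file and refuses to act if the key is not present. The last function is for after you have obtained the certificate: the procedure above shows the key reading false once the form has been used, so expect that value before you leave the agent port reachable.

```sh
#!/bin/sh
# Added example (not part of the iPlanet product): flip
# agentGateway.enableAdminEnroll in an instance's CMS.cfg, as in steps 3-6
# above, with a backup and a refusal to act if the key is not present.
# Stop the instance from iPlanet Console first and start it again
# afterwards; this script only edits the file.
set -u

# Default location assumed from the procedure above.
cfg_path() { printf '%s/cert-%s/config/CMS.cfg\n' "$1" "$2"; }

# Current value of the key ("true" or "false"); empty if the key is absent.
# Usage: admin_enroll_value <server_root> <instance_id>
admin_enroll_value() {
    sed -n 's/^agentGateway\.enableAdminEnroll=//p' "$(cfg_path "$1" "$2")"
}

# Usage: enable_admin_enroll <server_root> <instance_id>
enable_admin_enroll() {
    cfg=$(cfg_path "$1" "$2")
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    # Refuse if the key is missing: a wrong path or instance id must not
    # end up as a silently appended setting.
    grep -q '^agentGateway\.enableAdminEnroll=' "$cfg" ||
        { echo "agentGateway.enableAdminEnroll not found in $cfg" >&2; return 1; }
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    # Rewrite through a temp copy (sed -i is not POSIX); cp -p keeps the
    # file mode so the server can still read the result.
    cp -p "$cfg" "$cfg.tmp" &&
        sed 's/^agentGateway\.enableAdminEnroll=.*/agentGateway.enableAdminEnroll=true/' \
            "$cfg" > "$cfg.tmp" &&
        mv "$cfg.tmp" "$cfg"
}

# Succeeds only when the form is switched off again. Run it after the
# Administrator/Agent enrollment has gone through; "true" at that point
# means the enrollment form is still being served on the agent port.
# Usage: verify_admin_enroll_disabled <server_root> <instance_id>
verify_admin_enroll_disabled() {
    [ "$(admin_enroll_value "$1" "$2")" = "false" ]
}
```

A typical sequence is enable_admin_enroll /usr/iplanet/servers cms1, start the instance, enroll from the browser, then verify_admin_enroll_disabled /usr/iplanet/servers cms1 (the server root and instance id here are placeholders). The backup file lets you restore the exact previous CMS.cfg if the instance refuses to start.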


Agent Certificate for Other CMS Managers

If the CMS instance you installed doesn't include a Certificate Manager—for example, if it's a standalone Registration Manager, Data Recovery Manager, or Online Certificate Status Manager—you need to manually submit a client certificate request to the CA and then install the certificate in the certificate database of the CMS instance. Alternatively, if you have agent privileges for any of the CMS managers, for example for a Certificate Manager, you can use the same agent certificate to perform agent tasks for another CMS manager. You do this by storing a copy of the agent's SSL client certificate in the internal database of the newly installed CMS manager.

The instructions below assume that you already have a client certificate for a Certificate Manager (whether the original administrator/agent certificate or a new agent certificate) and want to use the same certificate for agent operations of another CMS manager.

  1. Make sure the Certificate Manager is started.

  2. Open a web browser window.

  3. Go to the end-entity interface of the Certificate Manager that issued the certificate you want to use.

  4. Select the Retrieval tab.

  5. Click List Certificates or Search for Certificates and locate the certificate (check the subject name of the certificate).

  6. Copy the certificate in its base-64 encoded format (or keep the browser window open so that you can copy the certificate later in this procedure).

  7. Log in to iPlanet Console (see Logging In to iPlanet Console).

  8. In the navigation tree, locate the CMS instance for which you want to create the agent user, and double-click the icon.

    The login screen for the CMS window appears.

  9. Enter your administrator ID and password.

    The CMS window for the subsystem opens.

  10. In the navigation tree, select Users and Groups.

    The Users tab appears.

  11. Select the user ID for the administrator, the one created during installation, and click Certificates.

    The Manage User Certificates window appears.

  12. Click Import.

    The Import Certificate window appears.

  13. Click inside the text area, and paste the agent's certificate in base-64 encoded form. (If you haven't copied the certificate, go back to the browser window, copy the certificate, and then paste the certificate here.)

    Be sure to include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines.

  14. Click OK.

    You are returned to the Manage User Certificates window. The certificate you imported should now be listed in this window.

  15. To view the certificate you imported, select it and click View.

    The certificate information appears.

  16. Click Done.

    You are returned to the Users tab.

  17. Click Refresh to view the updated configuration.

    You have now designated an agent for the specified manager. You can now present the certificate you installed for that agent to access the Agent Services pages for that manager in the new instance.
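Step 13 fails quietly if the pasted block is missing its marker lines or was truncated on the clipboard. The following Python is an added example, not part of the product; it checks only that a pasted block is a well-formed PEM certificate (markers, base-64 body, and an outer DER SEQUENCE whose declared length matches the data), not that the certificate is valid or trusted. The sample block is constructed and is not a real certificate.

```python
import base64
import re

# Marker lines the Import Certificate window requires (step 13 above)
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_sequence_length(der):
    """Return the total bytes an outer DER SEQUENCE claims to span, or None."""
    if len(der) < 2 or der[0] != 0x30:        # 0x30 = SEQUENCE tag
        return None
    first = der[1]
    if first < 0x80:                           # short-form length
        return 2 + first
    n = first & 0x7F                           # long form: n length bytes
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem_certificate(text):
    """Return (ok, reason) for a certificate pasted in base-64 form."""
    m = PEM_RE.search(text)
    if not m:
        return False, "missing BEGIN/END CERTIFICATE marker lines"
    body = "".join(m.group(1).split())         # drop line breaks
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        return False, "body is not valid base-64"
    expected = der_sequence_length(der)
    if expected is None:
        return False, "decoded data does not start with a DER SEQUENCE"
    if expected != len(der):
        return False, f"DER length mismatch: header says {expected}, got {len(der)}"
    return True, "well-formed PEM certificate block"


# Constructed sample: a minimal DER SEQUENCE (not a real certificate), used
# only to exercise the checks above.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQU=\n"
    "-----END CERTIFICATE-----\n"
)
```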

For more information about setting up and managing agents, see Agents.



Stage 4. Further Configuration Options



When you have completed the initial configuration and installation of a CMS instance, you use the CMS window for that instance within iPlanet Console to further configure the system as necessary. For example, you may want to configure LDAP publishing, authentication modules, and policy modules, and customize end-entity forms and other aspects of the system's operation. If you installed a Data Recovery Manager, you may want to configure your Certificate Manager or Registration Manager to archive end users' encryption private keys with the Data Recovery Manager.

For detailed information about the many CMS configuration options available, check the chapters in Part 3, "Configuration." You might find it useful to read Road Map to Configuring Subsystems.



Stage 5. Creating Additional Instances or CA Clones



After the initial installation, you can use iPlanet Console to create additional instances of Certificate Management System in the same server root directory. Once you have a new instance, you can use the Installation Wizard and CMS window to configure any new instances.


Copyright © 2002 Sun Microsystems, Inc. All rights reserved.

Last Updated October 07, 2002