iPlanet Certificate Management System Installation and Setup Guide



Chapter 5   Installation Worksheet


This chapter provides a worksheet to help you prepare for installing a single instance of iPlanet Certificate Management Server (CMS). Print this chapter and make as many copies as you need. Fill out one copy for each CMS instance you plan to install and refer to it during the installation and configuration process. You should fill it in after you have read Chapter 4, "Planning Your Deployment." It is designed for easy reference while you are following the procedures described in Chapter 6, "Installing Certificate Management System."



Caution

Each completed worksheet contains sensitive information, such as passwords, that could severely compromise the security of your entire PKI if it falls into the wrong hands. Be sure to keep completed worksheets physically protected.



This chapter has the following sections:



Information for UNIX Installation Script

The information summarized here must be provided once for each server root installation on a UNIX system.


Installation Location

To install an instance of Certificate Management System, you must also install an Administration Server and iPlanet Console application and have access to a configuration and user/group directory. For more information on the iPlanet server environment, see Managing Servers with iPlanet Console.

  • Installation directory (Server root directory)_______________________________

    Enter the full pathname for the existing server root directory or for a new server root directory. For example, /usr/iplanet/servers.

  • Computer name_____________________________________________

    The default should be the fully qualified host name of the machine on which the installation is taking place. For example, mydirectory.siroe.com. Do not attempt to install remotely.


Configuration Directory Server

  • System user ID ________________________________

    Enter the user ID that Directory Server will run as. The configuration directory server process runs as this user. You should run the server as a user with restricted access to other system files and resources. Where your system supports it, accept the default user nobody, creating that user as necessary.

  • System group __________________________________________

    Enter a group to which the System User ID belongs. The group should also have limited access to system resources and files. Where your system supports it, accept the default group nobody, creating that group as necessary.

Do you want to register this software with an existing iPlanet configuration directory server?

  • Yes or No._______________

    If you choose No, the Installation Wizard will create a new instance of Directory Server for use as the configuration directory for this server root.

If you choose Yes, you must also supply the following information about the existing configuration directory:

  • Computer name_____________________________________________

    The default should be the fully qualified host name of the machine on which the configuration directory is located. For example, mydirectory.siroe.com.


User/Group Directory Server

Do you want to use another directory to store your data?

  • Yes or No._______________

If you choose No, the installation script either adds a user/group directory to the newly installed instance of Directory Server (if you answered no to the preceding question) or installs a new instance of Directory Server for use as a user/group directory.

If you choose Yes, you must also supply the following information:

  • User directory host name___________________________________________

  • User directory port_____________________________________________

  • Bind as_____________________________________________

  • User directory server suffix_____________________________________________

  • User directory administrator ID_____________________________________


Configuration Directory Settings

You need to provide the following information about the configuration directory, whether it is an existing one or a new one to be created by the Installation Wizard:

  • Directory Server network port ________________________

    Enter the port number for the Directory Server instance. The default is 389, if it is available, or a randomly selected number. The port number you specify must not be used for any other purpose.

  • Directory Server identifier______________________________________

    This unique identifier is required for each instance of a Directory Server. For example, configdir.

  • Configuration Directory Server Administrator ID________________________

    The ID for the user who will authenticate to iPlanet Console with full privileges. For example, diradmin1.

  • Configuration Directory Server Administrator Password___________________

    The password must be at least eight characters long.

  • Suffix ____________________________________

    Enter the domain name of the current host. For example, o=siroe.com.

  • Directory Manager DN ________________________

    Enter the distinguished name (DN) of the directory manager for the configuration directory.

    This DN can be short and does not need to conform to any suffix configured for your directory. It also should not correspond to an actual entry stored in your directory. For example, cn=Directory Manager.

  • Directory Manager password ________________________

    The password must be at least eight characters long.

  • Administration domain ________________________________________

    This domain name identifies the collection of servers that use the same configuration directory. For example, siroe.com


Administration Server Information

  • Administration Port___________________________________________

    The default Administration Port is randomly generated. Pick a port number between 1024 and 65535 on which to run your Administration Server, or accept the default number.

  • Run Administration Server as _____________________________

    Run the Administration Server as root if you want to be able to start and stop services and use port numbers below 1024 (for example to use port 80 for the HTTP end entity gateway).


Certificate Management System Identifier

You must specify a unique identifier for the CMS server instance that you are installing.

  • Certificate Management System server identifier___________________________

    Enter a unique identifier. For the name, you can use any combination of letters (aA to zZ), digits (0 to 9), an underscore (_), and a hyphen (-); other characters and spaces are not allowed. For example, you can type pilotCA, pilot_CA, or pilot-CA as the instance name, but not pilot CA.



Information for NT Installation Script

The information summarized here must be provided once for each server root installation.


Installation Directory

To install an instance of Certificate Management System, you must also install an Administration Server and iPlanet Console application and have access to a configuration and user/group directory. For more information on the iPlanet server environment, see Managing Servers with iPlanet Console.

  • Installation directory (Server root directory)_______________________________

    The default installation directory is C:\iPlanet\Servers. If you want to use a different directory, enter the full pathname for the existing server root directory or for a new server root directory.

    You cannot install more than one server root directory on a Windows NT system.


Configuration Directory Server

Choose one of these options:

  • This instance will be the configuration directory server._____________________

    If you choose the above option, the Installation Wizard will create a new instance of Directory Server for use as the configuration directory for this server root.

  • Use existing configuration directory server._______________________________

    If you choose to use an existing configuration directory, you must supply the following information:

    • Host name___________________________________________

    • Port________________________________________________

    • Bind as______________________________________________

    • Password____________________________________________


User/Group Directory Server

Choose one of these options:

  • Store data in this directory server._______________________________________

    If you choose this option, the installation script either adds a user/group directory to the newly installed instance of Directory Server (if you have already decided to install a new configuration directory) or installs a new instance of Directory Server for use as a user/group directory.

  • Store data in an existing directory server._________________________________

    If you choose to use an existing directory, you must supply the following information:

    • Host name_____________________________________________

    • Port__________________________________________________

    • Bind as________________________________________________

    • Password______________________________________________

    • Suffix_________________________________________________


Configuration Directory Settings

You need to provide the following information about the configuration directory, whether it is an existing one or a new one to be created by the Installation Wizard:

  • Directory Server identifier_______________________________________

    This unique identifier is required for each instance of a Directory Server. For example, configdir.

  • Directory Server network port (default is 389)________________________

    Enter the port number for the Directory Server instance. The default is 389, if it is available, or a randomly selected number. The port number you specify must not be used for any other purpose.

  • Suffix ____________________________________

    If you are creating a new directory, this should be the domain name of the current host. For example, o=siroe.com.


Configuration Directory Server Administrator

  • Configuration Directory Server Administrator ID________________________

    For example, diradmin1.

  • Configuration Directory Server Administrator Password___________________

    The password must be at least eight characters long.


Directory Server Administration Domain

  • Administration domain ________________________________________

    This domain name identifies the collection of servers that use the same configuration directory. For example, siroe.com.


Directory Manager Settings

  • Directory manager DN ________________________

    Enter the distinguished name (DN) of the directory manager for the configuration directory.

    This DN can be short and does not need to conform to any suffix configured for your directory. It also should not correspond to an actual entry stored in your directory. For example, cn=Directory Manager.

  • Directory Manager password ________________________

    The password must be at least eight characters in length.


Administration Server Port

  • Administration Port___________________________________________

    Pick a port number between 1024 and 65535 on which to run your Administration Server, or accept the default number.


Certificate Management System Identifier

You must specify a unique identifier for the CMS server instance that you are installing.

  • Certificate Management System server identifier___________________________

    Enter a unique identifier. For the name, you can use any combination of letters (aA to zZ), digits (0 to 9), an underscore (_), and a hyphen (-); other characters and spaces are not allowed. For example, you can type cmsdemo, cms_demo, or cms-demo as the instance name, but not cms demo.



Initial Configuration

For each instance of Certificate Management System that you create, you use the Installation Wizard to supply information about that instance's configuration. The information described in this section is required for each CMS instance, regardless of which subsystems you decide to install.


Internal Database

For each instance of Certificate Management System, a new instance of iPlanet Directory Server is created on the local host to act as the internal (local) database. Each subsystem must have access to this local database to store certificates, certificate requests, keys, and other information. Certificate Management System uses LDAP to communicate with its local database.

  • Certificate Management System internal database instance ID_______________

    The default provided by the system is the CMS server identifier with the suffix -db; for example, cmsdemo-db.

  • Port number_______________

    The default is 38900, but you may choose any value less than 65535. On UNIX, you must choose a port greater than 1024 if you are not logged in as root.

  • Directory Manager DN ____________________________________________

    The default is CN=Directory Manager. You can enter something more meaningful, such as CN=Internal Directory Manager.

  • Internal database password_______________________________


Administrator

Specify the CMS administrator. This person will be able to access the CMS window of iPlanet Console and approve the first agent certificate.

  • CMS Administrator ID_____________________________________________

    For example, CMSadmin.

  • CMS Administrator full name________________________________

    For example, Certificate Management System Administrator.

  • CMS Administrator password________________________________


Subsystems

Choose the subsystems you will install in this instance. You can choose to install any individual manager, Certificate Manager and Data Recovery Manager together, or Registration Manager and Data Recovery Manager together. Other combinations are not allowed, for example, you cannot install a Certificate Manager and Registration Manager together or Certificate Manager and Online Certificate Status Manager together. The Certificate Manager can be configured to perform all Registration Manager functions, so it's not necessary or possible to install both managers in the same instance.

In addition to X.509 certificates, the Certificate Manager can also issue Wireless Transport Layer Security (wTLS)-compliant certificates for wireless applications. If you want this feature, you must choose the appropriate option. If you enable issuance of wTLS certificates, the Certificate Manager generates a wTLS CA signing certificate and installs the appropriate HTML interfaces for users to request certificates for wireless applications.

  • Certificate Manager___________________________________

    Enable issuance of wTLS certificates? _____________________

  • Registration Manager__________________________________

  • Data Recovery Manager________________________________

  • Online Certificate Status Manager_________________________


Remote Certificate Manager

If you are installing a Registration Manager, you need to provide the following information about the Certificate Manager to which the Registration Manager sends certificate requests:

  • Host name for remote Certificate Manager_____________________________

  • SSL agent port for remote Certificate Manager__________________________


Remote Data Recovery Manager

If you are installing a standalone Certificate Manager or Registration Manager, and if you have already installed a remote Data Recovery Manager that you want the new manager to use, you need to provide the following information about the Data Recovery Manager:

  • Host name for remote Data Recovery Manager_________________________

  • SSL agent port for remote Data Recovery Manager______________________


Network Configuration

Enter numbers for the ports to be used for various kinds of communications. On UNIX, you must be root to assign ports less than 1024. The default values are well-known ports, which are used only if they are not already in use. If these defaults are not available, a randomly chosen port number is given as the default.

For a discussion of port assignments, see Deployment Strategy and Port Assignments in Chapter 3.

  • SSL administration port (HTTPS) (default is 8200)___________

  • SSL agent port (HTTPS) (default is 8100)__________________

  • SSL end-entity port (HTTPS) (default 443)_________________

  • Non-SSL end-entity port (HTTP) (default 80)_______________



Certificate Manager Configuration

This section summarizes information required to configure a Certificate Manager as a root or subordinate CA (either by itself or as part of a joint installation with a Data Recovery Manager).


CA Signing Certificate

When you install the Certificate Manager, you must supply information for the CA certificate that the Certificate Manager will use to sign the certificates it issues. This certificate also functions as the Certificate Manager's SSL client certificate.


CA's Serial Number Range

For most CAs, you only need to enter the starting serial number. When you configure cloned CAs, you must specify upper and lower bounds for the serial numbers on all CAs and you must make sure the ranges do not overlap.

  • CA's starting serial number _____________________

    Enter the lowest serial number available for this CA to assign to certificates it creates. You can enter the number in decimal or hexadecimal (0xnn). The default is 0x1.

  • CA's ending serial number __________________________

    Enter the highest serial number available for this CA. You can enter the number in decimal or hexadecimal (0xnn). The default is no upper limit (blank).
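The non-overlap requirement for cloned CAs is easy to get wrong when several worksheets are filled in by hand, especially because a blank ending serial number means an open-ended range. The following Python script is an added example, not code from this guide or from iPlanet CMS: it parses serial-number entries in the decimal and 0xnn forms the worksheet allows, applies the worksheet defaults (0x1 start, no upper limit), and reports every pair of CAs whose ranges overlap. The CA names and serial values in WORKSHEET are constructed sample entries.

```python
import re

# Serial numbers on the worksheet are decimal or hexadecimal (0xnn); a blank
# ending serial number means "no upper limit", which is the worksheet default.
_SERIAL_RE = re.compile(r"^(?:0[xX][0-9a-fA-F]+|[0-9]+)$")

def parse_serial(text):
    """Parse one worksheet serial-number entry.

    Returns an int, or None for a blank entry (no upper limit).
    Raises ValueError for anything that is neither decimal nor 0x-hex.
    """
    text = text.strip()
    if text == "":
        return None
    if not _SERIAL_RE.match(text):
        raise ValueError("serial number must be decimal or 0x-prefixed hex: %r" % text)
    return int(text, 16) if text[:2].lower() == "0x" else int(text, 10)

def parse_range(start_text, end_text):
    """Return (start, end) for one CA; end is None when there is no upper limit."""
    start = parse_serial(start_text)
    if start is None:
        start = 1          # the worksheet default starting serial number is 0x1
    end = parse_serial(end_text)
    if end is not None and end < start:
        raise ValueError("ending serial %d is below starting serial %d" % (end, start))
    return (start, end)

def overlapping_ranges(ranges):
    """Return every pair of CA names whose serial ranges overlap.

    `ranges` maps CA name -> (start, end_or_None). Two closed ranges are
    disjoint only when one ends strictly before the other starts; an
    open-ended range (end None) extends upward without bound.
    """
    names = sorted(ranges)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            start_a, end_a = ranges[a]
            start_b, end_b = ranges[b]
            a_before_b = end_a is not None and end_a < start_b
            b_before_a = end_b is not None and end_b < start_a
            if not (a_before_b or b_before_a):
                clashes.append((a, b))
    return clashes

# Constructed sample worksheet entries for three cloned CAs (not a real deployment).
# ca3 has a blank ending serial number, so its range is open-ended and collides
# with ca2, which is exactly the mistake this check is meant to catch.
WORKSHEET = {
    "ca1": ("0x1", "0xFFFF"),
    "ca2": ("65536", "131071"),
    "ca3": ("0x10000", ""),
}

def check_worksheet(entries):
    """Parse every CA's entries and return the overlapping pairs (empty list = OK)."""
    return overlapping_ranges({name: parse_range(s, e) for name, (s, e) in entries.items()})

if __name__ == "__main__":
    for a, b in check_worksheet(WORKSHEET):
        print("serial ranges of %s and %s overlap" % (a, b))
```

Run it once per set of cloned CAs before starting the wizard; an empty result means every range is disjoint. Note that the check treats a blank ending serial number exactly as the wizard does, as unbounded, so only one CA in a cloned set can sensibly leave that field blank.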


Key-Pair Information for CA Signing Certificate

For a discussion of related issues, see CA Signing Key Type and Length in Chapter 3.

  • Token for storing the Certificate Manager CA signing certificate and private key____________________________________

    Enter either internal (if you plan to use the internal/software token) or the name of an external token. If you are using an external token, you will need to install it before you run the Installation Wizard. In the wizard, you can select from a list of already installed and available tokens. For example, SmartCard.

  • Token password_________________________________________________

    The password for the token must be at least eight characters long.

  • Key type_________________________________________________

    RSA or DSA.

  • Key length_______________________________________________

    Available key sizes for RSA are 512, 1024, 2048, 4096, or custom. Available key sizes for DSA are 512, 1024, or custom (in increments of 64 bits only).

    In general, longer keys are considered to be cryptographically stronger than shorter keys. However, longer keys also require more time for signing operations.

  • Message Digest Algorithm (select one): SHA1___   MD2___   MD5_____

    Select the message digest algorithm to use for generating digital signatures on certificates.


Subject Name for CA Signing Certificate

For a discussion of issues related to the subject name, see CA's Distinguished Name in Chapter 3. You may fill in the attribute template or simply enter the DN as a string of attribute-value pairs.

  • Common Name (CN=) _____________________________________

  • Organizational Unit (OU=) ___________________________________

  • Organization (O=) ________________________________________

  • Locality (L=) _____________________________________________

  • State (ST=) ______________________________________________

  • Country (C=) ____________________________________________

    A DN is a series of name-value pairs that in combination uniquely identify an entity. The subject DN identifies the CA signing certificate. You are not required to enter all the values, but must enter the Organization (O), such as the name of your company. The Organization is required because its absence causes Netscape Communicator (version 4.6 or below) to crash. For more information about distinguished names, see Appendix A, "Distinguished Names," in CMS Plug-Ins Guide.


Validity Period for CA Signing Certificate

You can specify the validity period for a self-signed CA signing certificate only. The validity period for a subordinate CA signing certificate is determined by the issuing CA.

  • Validity period_________________________ to __________________________

    Enter beginning and ending dates for the certificate's validity period. The validity period for the CA signing certificate determines how soon you will have to renew the certificate, which can be a complex procedure. The default validity period is two years.


Extensions for CA Signing Certificate

You can specify the extensions for a self-signed CA signing certificate only. Extensions for a subordinate CA signing certificate are specified by the issuing CA.

The default settings should work for most deployments. If necessary, you can add an additional/custom extension by pasting its base-64 encoding in the space provided on this screen. For more information about extensions, see Appendix C, "Certificate and CRL Extensions" of CMS Plug-Ins Guide.

Confirm that you want to include the following extensions. Check off all that apply; defaults are indicated in parentheses.

  • Basic constraints (Yes)_____________

    • CA (Yes)_________

    • Certification path length (Null)_______________________

    The certificate chain path length, if specified, determines the maximum number of certificates in a chain, starting with the end-entity certificate. If you do not specify this attribute, the length of the chain is unlimited.

  • Netscape certificate type (Yes)_____________

    • SSL client (No)_________

    • Object-signing (No)_________

    • SSL server (No)_________

    • S/MIME CA (Yes)_________

    • S/MIME (No)_________

    • Object-signing CA (Yes)_________

    • SSL CA (Yes)_________

  • Authority Key Identifier (Yes) ________________

  • Subject Key Identifier (Yes) ________________

  • Key usage (No)_____________

    If you decide to include the key usage extension, the following key usage bits are set by default:

    • digitalSignature

    • keyCertSign

    • CRLSign

  • Additional Extension (No)___________________________

    To add extensions not included by default by Certificate Management System, you will need to paste the base-64 encoding of a sequence of extensions into the wizard.
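The additional-extension field takes the base-64 encoding of a DER SEQUENCE of extensions, and the checklist above is really a description of two such extensions: Basic Constraints (the CA flag and the optional certification path length) and Key Usage (the digitalSignature, keyCertSign and CRLSign bits). The following Python is an added example using only the standard library, not code from this guide or from CMS: it DER-encodes those two extensions from the worksheet's default answers and base-64 encodes the sequence, which is useful for checking that a value you intend to paste decodes to what you meant. Marking both extensions critical is an assumption of this example; the worksheet does not state criticality.

```python
import base64

# Minimal DER helpers (standard library only).
def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_bool(value):
    return der_tlv(0x01, b"\xff" if value else b"\x00")

def der_uint(n):
    """Non-negative INTEGER, minimal length, leading 0x00 if the top bit is set."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)

def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))

def der_bit_string(bit_numbers):
    """BIT STRING from a set of named-bit positions (0 = MSB of the first octet).

    DER drops trailing zero bits, so the leading unused-bits octet counts the
    padding after the highest set bit.
    """
    if not bit_numbers:
        return der_tlv(0x03, b"\x00")
    nbits = max(bit_numbers) + 1
    value = bytearray((nbits + 7) // 8)
    for b in bit_numbers:
        value[b // 8] |= 0x80 >> (b % 8)
    unused = len(value) * 8 - nbits
    return der_tlv(0x03, bytes([unused]) + bytes(value))

# Named bits of the X.509 KeyUsage BIT STRING (RFC 5280 section 4.2.1.3).
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}

def extension(oid, extn_value, critical):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.

    DER omits the critical flag when it has its default value FALSE.
    """
    body = der_oid(oid) + (der_bool(True) if critical else b"") + der_tlv(0x04, extn_value)
    return der_tlv(0x30, body)

def basic_constraints(ca, path_len=None, critical=True):
    """id-ce-basicConstraints (2.5.29.19); path_len None = no path length limit."""
    body = der_bool(True) if ca else b""      # cA DEFAULT FALSE is omitted in DER
    if path_len is not None:
        body += der_uint(path_len)
    return extension("2.5.29.19", der_tlv(0x30, body), critical)

def key_usage(names, critical=True):
    """id-ce-keyUsage (2.5.29.15) with the named bits in `names` set."""
    return extension("2.5.29.15", der_bit_string({KEY_USAGE_BITS[n] for n in names}), critical)

def extensions_base64(exts):
    """Extensions ::= SEQUENCE OF Extension, base-64 encoded for pasting into the wizard."""
    return base64.b64encode(der_tlv(0x30, b"".join(exts))).decode("ascii")

# The worksheet defaults for a CA signing certificate: Basic constraints with
# CA=Yes and a null path length, plus the three default key usage bits.
# Criticality is this example's assumption, not something the worksheet states.
CA_DEFAULT_EXTENSIONS = [
    basic_constraints(ca=True),
    key_usage(["digitalSignature", "keyCertSign", "cRLSign"]),
]

if __name__ == "__main__":
    print(extensions_base64(CA_DEFAULT_EXTENSIONS))
```

The encoder handles the one subtle part of Key Usage correctly: the BIT STRING's unused-bits octet must reflect the highest bit actually set, so the CA default (bits 0, 5 and 6) encodes as `03 02 01 86` while a transport certificate's keyEncipherment-only usage (bit 2) encodes as `03 02 05 20`. Any DER dumper can be used to confirm that the base-64 output decodes to the intended sequence.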


CA Signing Certificate Request

If you are installing a subordinate CA, you need to specify where to send your request for a CA signing certificate.

If you are submitting your certificate request to a third-party CA, follow the instructions provided by that CA.

If you are submitting your certificate request to another Certificate Manager, you need to know its URL:

  • End-entity URL for issuing Certificate Manager___________________________

    Enter the URL for the end-entity gateway of the Certificate Manager that will issue the subordinate CA's signing certificate. For example, https://hostname:443/.



Registration Manager Configuration

This section summarizes information required to configure a Registration Manager (either by itself or as part of a joint installation with a Data Recovery Manager).


Registration Manager Signing Certificate Request

When you install a Registration Manager, you must supply information for the certificate that the Registration Manager will use to sign certificate requests. This certificate also functions as the Registration Manager's SSL client certificate. The Installation Wizard formulates a certificate request on the basis of information you provide. It is possible for the CA that issues the certificate to overrule some of your decisions.


Key-Pair Information for Registration Manager Signing Certificate

  • Token for storing the Registration Manager signing certificate and private key____________________________________

    Enter either internal (if you plan to use the internal token) or the name of an external token. If you are using an external token, you will need to install it before you run the Installation Wizard. In the wizard, you can select from a list of already installed and available tokens. For example, SmartCard.

  • Token password_________________________________________________

    The password for the token must be at least one character long.

  • Key type_________________________________________________

    RSA or DSA.

  • Key length_______________________________________________

    Available key sizes for RSA are 512, 1024, 2048, 4096, or custom. Available key sizes for DSA are 512, 1024, or custom (in increments of 64 bits only).

    In general, longer keys are considered to be cryptographically stronger than shorter keys. However, longer keys also require more time for signing operations.

  • Message Digest Algorithm (select one): SHA1___   MD2___   MD5___

    Select the message digest algorithm to use for generating digital signatures on certificates.


Subject Name for Registration Manager Signing Certificate

  • Common Name (CN=) _____________________________________

  • Organizational Unit (OU=) ___________________________________

  • Organization (O=) ________________________________________

  • Locality (L=) _____________________________________________

  • State (ST=) ______________________________________________

  • Country (C=) ____________________________________________

    A DN is a series of name-value pairs that in combination uniquely identify an entity. The subject DN identifies the Registration Manager signing certificate. You are not required to enter all the values, but must enter the Organization (O), such as your company name. The Organization is required because its absence causes Netscape Communicator (version 4.6 or below) to crash. For more information about distinguished names, see Appendix A, "Distinguished Names," in CMS Plug-Ins Guide.


Registration Manager Signing Certificate Issuer

If you are submitting your certificate request to a third-party CA, follow the instructions provided by that CA.

If you are submitting your certificate request to another Certificate Manager, you need to know its URL:

  • End-entity URL for issuing a Certificate Manager__________________________

Enter the URL for the end-entity gateway of the Certificate Manager that will issue the Registration Manager's signing certificate. For example, http://hostname:17006.



Data Recovery Manager Configuration



This section summarizes information required to configure a Data Recovery Manager (either by itself or as part of a joint installation with a Certificate Manager or Registration Manager).



Note

If you want to use hardware tokens for generating and storing Data Recovery Manager's key pairs, you'll need at least two tokens: one exclusively for the storage key pair and the other for the remaining key pairs. Be sure to install (and initialize, if required) these tokens before you start the Data Recovery Manager installation.




Transport Certificate


Key-Pair Information for Transport Certificate

For a discussion of issues related to key type and length, see CA Signing Key Type and Length in Chapter 3.

  • Token for storing the transport certificate signing certificate and private key________________________________________

    Enter either internal (if you plan to use the internal token) or the name of an external token. If you are using an external token, you will need to install it before you run the Installation Wizard. In the wizard, you can select from a list of already installed and available tokens. For example, SmartCard.

  • Token password_________________________________________________

    The password for the token must be at least one character long.

  • Key type_________________________________________________

    RSA or DSA.

  • Key length_______________________________________________

    Available key sizes for RSA are 512, 1024, 2048, 4096, or custom. Available key sizes for DSA are 512, 1024, or custom (in increments of 64 bits only).

    In general, longer keys are considered to be cryptographically stronger than shorter keys. However, longer keys also require more time for signing operations.

  • Message Digest Algorithm (select one): SHA1___   MD2___   MD5___

    Select the message digest algorithm to use for generating digital signatures on certificates.


Subject Name for Transport Certificate

  • Common Name (CN=) _____________________________________

  • Organizational Unit (OU=) ___________________________________

  • Organization (O=) ________________________________________

  • Locality (L=) _____________________________________________

  • State (ST=) ______________________________________________

  • Country (C=) ____________________________________________

    A DN is a series of name-value pairs that in combination uniquely identify an entity. The subject DN identifies the transport certificate. You are not required to enter all the values, but must enter the Organization (O), such as your company name. The Organization is required because its absence causes Netscape Communicator (version 4.6 or below) to crash. For more information about distinguished names, see Appendix A, "Distinguished Names," in CMS Plug-Ins Guide.


Validity Period for Transport Certificate

You can specify the validity period for a transport certificate only if you are installing the Certificate Manager and Data Recovery Manager at the same time and you want the Certificate Manager that you just installed to issue the transport certificate. If the transport certificate is issued by a remote CA, its validity period is determined by the issuing CA.

  • Validity period______________________ to _______________________

    Enter beginning and ending dates for the transport certificate's validity period.


Extensions for Transport Certificate

You can specify the extensions for a transport certificate only if you are installing the Certificate Manager and Data Recovery Manager at the same time and you have decided to have the Certificate Manager that you just installed issue the certificate. If the transport certificate is issued by a remote CA, its extensions are determined by the issuing CA.

The default settings should work for most deployments. If necessary, you can add an additional extension by pasting its base-64 encoding in the space provided on this screen. For more information about extensions, see Appendix C, "Certificate and CRL Extensions" of CMS Plug-Ins Guide.

Confirm that you want to include the following extensions. Check off all that apply; defaults are indicated in parentheses.

  • Basic constraints (No)_____________

    • CA (No)_________

    • Certification path length (No)_______________________

    The certificate chain path length, if specified, determines the maximum number of certificates in a chain, starting with the end-entity certificate. If you do not specify this attribute, the length of the chain is unlimited.

  • Netscape certificate type (No)_____________

    • SSL client (No)_________

    • Object-signing (No)_________

    • SSL server (No)_________

    • S/MIME CA (No)_________

    • S/MIME (No)_________

    • Object-signing CA (No)_________

    • SSL CA (No)_________

  • Authority Key Identifier (Yes) ________________

  • Subject Key Identifier (No) ________________

  • Key usage (No)_____________

    If you decide to include the key usage extension, the keyEncipherment key usage bit is set by default.

  • Additional Extension (No)___________________________

    To add extensions not included by default by Certificate Management System, you will need to paste the base-64 encoding of a sequence of extensions into the wizard.


Transport Certificate Request

If you are obtaining your transport certificate from a remote CA, you need to know where to submit your certificate request.

If you are submitting your transport certificate request to a third-party CA, follow the instructions provided by that CA.

If you are submitting your certificate request to a Certificate Manager, you need to know its URL:

  • End-entity URL for issuing Certificate Manager___________________________

    Enter the URL for the end-entity gateway of the Certificate Manager that will issue the transport certificate. For example, http://hostname:17006.


Storage Key and Recovery Agent Configuration


Storage Key Creation

Specify the length of the key that the Data Recovery Manager uses to encrypt end-entity encryption keys for storage.

  • Storage key length___________________

    The options available are 512, 1024, 2048, or 4096 bits. Because this key protects every archived end-entity key, choose at least 1024 bits; 512-bit RSA keys have been factored in practice and should not be used.


Data Recovery Scheme—1

The number of agents you enter here is determined by your organization's policies on data recovery. Raising the number of agents required to recover a key above the default of 2 reduces the chance of an inappropriate recovery, because more agents must collude or be compromised, but it also makes each legitimate recovery harder to complete.

Decide how you want to set up your m of n data recovery scheme (n > m):

  • Number of recovery agents
    required to recover a key (m, default 2) _______________________________________

  • Total number of designated
    recovery agents (n, default 3)_______________________________________


Data Recovery Scheme—2

Specify user IDs and passwords for the total number of designated recovery agents (see preceding section):

  • User ID______________________ Password_________________________

  • User ID______________________ Password_________________________

  • User ID______________________ Password_________________________

  • User ID______________________ Password_________________________

  • User ID______________________ Password_________________________

  • User ID______________________ Password_________________________

  • User ID______________________ Password_________________________

  • User ID______________________ Password_________________________



Online Certificate Status Manager Configuration

This section summarizes information required to configure an Online Certificate Status Manager.


Online Certificate Status Manager Signing Certificate Request

When you install an Online Certificate Status Manager, you must supply information for the certificate that it will use to sign OCSP responses. The Installation Wizard formulates a certificate request from the information you provide. The CA that issues the certificate may overrule some of your choices.


Key-Pair Information for Online Certificate Status Manager Signing Certificate

  • Token for storing the Online Certificate Status Manager signing certificate and private key____________________________________

    Enter either internal (if you plan to use the internal token) or the name of an external token. If you are using an external token, you will need to install it before you run the Installation Wizard. In the wizard, you can select from a list of already installed and available tokens. For example, SmartCard.

  • Token password_________________________________________________

    The password for the token must be at least one character long.

  • Key type_________________________________________________

    RSA or DSA.

  • Key length_______________________________________________

    Available key sizes for RSA are 512, 1024, 2048, 4096, or custom. Available key sizes for DSA are 512, 1024, or custom (in increments of 64 bits only). Avoid 512-bit keys: relying parties trust every OCSP response this key signs, and 512-bit RSA keys have been factored in practice.

    In general, longer keys are considered to be cryptographically stronger than shorter keys. However, longer keys also require more time for signing operations.

  • Message Digest Algorithm (select one): SHA1___   MD2___   MD5___

    Select the message digest algorithm to use for generating digital signatures on certificates. Prefer SHA1; MD2 and MD5 are offered only for compatibility with older software and are no longer considered collision-resistant.


Subject Name for Online Certificate Status Manager Signing Certificate

  • Common Name (CN=) _____________________________________

  • Organizational Unit (OU=) ___________________________________

  • Organization (O=) ________________________________________

  • Locality (L=) _____________________________________________

  • State (ST=) ______________________________________________

  • Country (C=) ____________________________________________

    A DN is a series of name-value pairs that in combination uniquely identify an entity. The subject DN identifies the Online Certificate Status Manager signing certificate. For more information about distinguished names, see Appendix A, "Distinguished Names," in CMS Plug-Ins Guide.


Online Certificate Status Manager Signing Certificate Issuer

If you are submitting your certificate request to a third-party CA, follow the instructions provided by that CA.

If you are submitting your certificate request to another Certificate Manager, you need to know its URL:

  • End-entity URL for issuing Certificate Manager__________________________

    Enter the URL for the end-entity gateway of the Certificate Manager that will issue the Online Certificate Status Manager's signing certificate. For example, http://hostname:17006.



Cloned Certificate Manager Configuration



This section summarizes information required to configure a clone of a Certificate Manager. You must have installed the original Certificate Manager and installed or created a new CMS instance. You must copy the key3.db and cert7.db files from the config directory of the original server to the config directory of the cloned server. The key3.db file holds the CA's private keys (protected by the token password), so copy it only over a secure channel, restrict its permissions on the clone to the CMS system user, and delete any intermediate copies. If you use a hardware token for key and certificate storage, you must instead copy any key or certificate data from the original token to a new token accessible to the cloned Certificate Manager.

You can clone a Certificate Manager instance so that two server processes perform the same CA functions with the same keys and certificates. Each cloned Certificate Manager, including the original, must issue only serial numbers that cannot collide with those issued by the other clones: two certificates with the same issuer and serial number are indistinguishable to relying parties and to CRL processing. Use the CA serial number range to make sure that the range used by one clone does not overlap with that of another clone or of the original server.

If the cloned Certificate Manager has the same hostname as the original server, the clone can use the same SSL server certificate. The SSL server certificate DN contains the hostname as the common name (CN) attribute, so a clone with a different hostname must enroll for a new SSL server certificate.


CA Signing Certificate

When you install the Certificate Manager, you must supply information for the CA certificate that the Certificate Manager will use to sign the certificates it issues. This certificate can also function as the Certificate Manager's SSL client certificate. If the clone uses a different hostname than the original CA, you will need to generate a new SSL server certificate.


CA's Serial Number Range

For most CAs, you only need to enter the starting serial number. When you configure cloned CAs, you must specify upper and lower bounds for the serial numbers on all CAs and you must make sure the ranges do not overlap.

  • CA's starting serial number __________________

    Enter the lowest serial number available for this CA to assign to certificates it creates. You can enter the number in decimal or hexadecimal (0xnn). The default is 0x1.

  • CA's ending serial number ____________________

    Enter the highest serial number available for this CA. You can enter the number in decimal or hexadecimal (0xnn). The default is no upper limit (blank).
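The following is an added check, not code from this guide or from Certificate Management System, for the serial number ranges recorded on this worksheet. It parses each entry the way the worksheet describes them (decimal or 0x-prefixed hexadecimal, blank ending number meaning no upper limit, default starting number 0x1) and reports any pair of Certificate Managers whose ranges overlap, as well as any range left open-ended, which is not allowed when several clones share a CA. The clone names and the sample entries are constructed for the example.

```python
"""Validate serial number ranges assigned to cloned Certificate Managers.

Added example, not code from the guide or from CMS. Input is a mapping of
CA name -> (starting serial text, ending serial text) as written on the
worksheet.
"""


def parse_serial(text, default=None):
    """Parse one worksheet entry: decimal, 0x-prefixed hexadecimal, or blank."""
    text = text.strip()
    if not text:
        return default
    value = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    if value < 0:
        raise ValueError(f"serial number {text!r} must not be negative")
    return value


def parse_ranges(worksheet):
    """{name: (start_text, end_text)} -> {name: (start, end)}; end is None if open-ended."""
    ranges = {}
    for name, (start_text, end_text) in worksheet.items():
        start = parse_serial(start_text, default=1)     # wizard default is 0x1
        end = parse_serial(end_text, default=None)      # blank = no upper limit
        if end is not None and end < start:
            raise ValueError(f"{name}: ending serial {end:#x} is below start {start:#x}")
        ranges[name] = (start, end)
    return ranges


def overlapping_pairs(ranges):
    """Return sorted (a, b) name pairs whose inclusive [start, end] ranges intersect."""
    inf = float("inf")
    names = sorted(ranges)
    bad = []
    for i, a in enumerate(names):
        a_start, a_end = ranges[a]
        for b in names[i + 1:]:
            b_start, b_end = ranges[b]
            lo = max(a_start, b_start)
            hi = min(a_end if a_end is not None else inf,
                     b_end if b_end is not None else inf)
            if lo <= hi:
                bad.append((a, b))
    return bad


def unbounded(ranges):
    """Names with no ending serial; every clone must have an upper bound."""
    return sorted(name for name, (_, end) in ranges.items() if end is None)


if __name__ == "__main__":
    # Constructed sample: clone2 was given a decimal start equal to clone1's
    # hex start and no ending serial, so the two ranges overlap.
    sample = {
        "ca-original": ("0x1", "0xFFFF"),
        "ca-clone1": ("0x10000", "0x1FFFF"),
        "ca-clone2": ("65536", ""),
    }
    parsed = parse_ranges(sample)
    print("overlapping:", overlapping_pairs(parsed))   # [('ca-clone1', 'ca-clone2')]
    print("open-ended:", unbounded(parsed))            # ['ca-clone2']
```

Run the check against the completed worksheets before starting the clone's Installation Wizard; a mixed decimal and hexadecimal entry is the easiest way to create an overlap that looks correct on paper.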


Cloned Key and Certificate Material

If you do not use the copied key and certificate databases, the Certificate Manager will need to generate a new signing key and certificate; consequently, it will not be a clone.

  • Use existing key and certificate? ___________________

    Answer yes; otherwise you are creating a new Certificate Manager, not a clone.

  • Instance name of the original server ____________________________

  • Token name where copied keys are stored _______________________

  • Token password ___________________________________________


SSL Server Key and Certificate

If the clone uses the same hostname, you can use the same SSL server certificate and key copied from the original server. Otherwise, answer no and continue with the next section, SSL Server Certificate Configuration.

  • Use existing SSL server key and certificate? Yes____   No______

  • Instance name of the original server ____________________________

  • Token name where copied keys are stored _______________________

  • Token password ___________________________________________



SSL Server Certificate Configuration

When you install an instance of iPlanet Certificate Management Server, you must supply information for the SSL server certificate used by that instance to identify itself. The same SSL certificate is shared by all subsystems installed in that instance.


SSL Server Certificate


Key-Pair Information for SSL Server Certificate

  • Token for storing the SSL server certificate and private key__________________

    Enter either internal (if you plan to use the internal token) or the name of an external token. If you are using an external token, you will need to install it before you run the Installation Wizard. In the wizard, you can select from a list of already installed and available tokens. For example, SmartCard.

  • Token password_________________________________________________

    The password for the token must be at least one character long.

  • Key type_________________________________________________

    RSA or DSA.

  • Key length_______________________________________________

    For domestic versions of iPlanet Certificate Management Server, available settings for RSA are 512, 1024, 2048, 4096, or custom, and available settings for DSA are 512, 1024, or custom (in increments of 64 bits only).

  • Message Digest Algorithm (select one): SHA1___   MD2___   MD5___

    Select the message digest algorithm to use for generating digital signatures on certificates.


Subject Name for SSL Server Certificate

  • Common Name (CN=) _____________________________________

  • Organizational Unit (OU=) ___________________________________

  • Organization (O=) ________________________________________

  • Locality (L=) _____________________________________________

  • State (ST=) ______________________________________________

  • Country (C=) ____________________________________________

    A DN is a series of name-value pairs that in combination uniquely identify an entity. The subject DN identifies the SSL server certificate; its common name (CN) must be the fully qualified host name of the server, because clients compare it with the host name in the URL they connect to. You are not required to enter all the values, but you must enter the Organization (O), such as your company name, because its absence causes Netscape Communicator (version 4.6 or below) to crash. For more information about distinguished names, see Appendix A, "Distinguished Names," in CMS Plug-Ins Guide.


Validity Period for SSL Server Certificate

You can specify the validity period for an SSL server certificate only if you are installing a Certificate Manager and you have decided to have that Certificate Manager issue the certificate. If the SSL server certificate is issued by a remote CA, its validity period is determined by the issuing CA.

  • Validity period___________________ to __________________________

    Enter beginning and ending dates for the certificate's validity period.


Extensions for SSL Server Certificate

You can specify the extensions for an SSL server certificate only if you are installing a Certificate Manager and you have decided to have that local Certificate Manager issue the certificate. If the SSL server certificate is issued by a remote CA, its extensions are determined by the issuing CA.

The default settings should work for most deployments. If necessary, you can add an additional extension by pasting its base-64 encoding in the space provided on this screen. For more information about extensions, see Appendix C, "Certificate and CRL Extensions" of CMS Plug-Ins Guide.

Confirm that you want to include the following extensions. Check off all that apply; defaults are indicated in parentheses.

  • Basic constraints (No)_____________

    • CA (No)_________

    • Certification path length (No)_______________________

    The path length constraint, if specified, limits how many subordinate CA certificates may follow this certificate in a certification path; it is meaningful only when the CA flag is set. If you do not specify this attribute, the length of the chain is unlimited.

  • Netscape certificate type (Yes)_____________

    • SSL client (Yes)_________

    • Object-signing (No)_________

    • SSL server (Yes)_________

    • S/MIME CA (No)_________

    • S/MIME (No)_________

    • Object-signing CA (No)_________

    • SSL CA (No)_________

  • Authority Key Identifier (Yes) ________________

  • Subject Key Identifier (No)

  • Key usage (No)_____________

    If you decide to include the key usage extension, the following key usage bits are set by default:

    • digitalSignature

    • keyEncipherment

  • Additional Extension (No)___________________________

    To add extensions not included by default by Certificate Management System, you will need to paste the base64 encoding of a sequence of extensions into the wizard.
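Both the transport certificate and the SSL server certificate screens accept additional extensions only as the base64 encoding of a DER SEQUENCE OF Extension. The following is an added example, not code from this guide or from Certificate Management System, showing how such a blob is built from the worksheet choices above using only the Python standard library: a basic constraints extension (CA flag and path length) and a key usage extension with the two default bit sets from this worksheet (keyEncipherment for the transport certificate; digitalSignature and keyEncipherment for the SSL server certificate). The object identifiers and bit positions are those of X.509 / RFC 5280; marking both extensions critical is the example's choice, since the worksheet does not say which flags CMS sets.

```python
"""Base64 DER encoding of an X.509 Extensions SEQUENCE (added example, not CMS code)."""
import base64

OID_BASIC_CONSTRAINTS = "2.5.29.19"   # id-ce-basicConstraints
OID_KEY_USAGE = "2.5.29.15"           # id-ce-keyUsage

# KeyUsage named bits, RFC 5280 section 4.2.1.3
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}


def der_length(n):
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def der_boolean(value):
    return tlv(0x01, b"\xff" if value else b"\x00")


def der_integer(value):
    """Non-negative INTEGER with minimal two's-complement encoding."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:               # base-128 with continuation bits
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def der_named_bits(bit_positions):
    """BIT STRING for named bits; DER requires trailing zero bits to be dropped."""
    if not bit_positions:
        return tlv(0x03, b"\x00")
    highest = max(bit_positions)
    nbytes = highest // 8 + 1
    value = 0
    for b in bit_positions:
        value |= 1 << (nbytes * 8 - 1 - b)   # bit 0 is the most significant bit
    unused = nbytes * 8 - 1 - highest
    return tlv(0x03, bytes([unused]) + value.to_bytes(nbytes, "big"))


def extension(oid, critical, extn_value):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    body = der_oid(oid)
    if critical:                       # DEFAULT FALSE: omitted when false
        body += der_boolean(True)
    return tlv(0x30, body + tlv(0x04, extn_value))


def basic_constraints(ca, path_len=None, critical=True):
    """BasicConstraints; pathLenConstraint is only meaningful when cA is TRUE."""
    body = b""
    if ca:
        body += der_boolean(True)      # cA DEFAULT FALSE: omitted when false
        if path_len is not None:
            body += der_integer(path_len)
    return extension(OID_BASIC_CONSTRAINTS, critical, tlv(0x30, body))


def key_usage(names, critical=True):
    return extension(OID_KEY_USAGE, critical, der_named_bits([KEY_USAGE_BITS[n] for n in names]))


def extensions_blob(exts):
    """base64 of Extensions ::= SEQUENCE OF Extension, ready to paste into the wizard."""
    return base64.b64encode(tlv(0x30, b"".join(exts))).decode("ascii")


def worksheet_defaults():
    """Blobs for the two default key usage choices on this worksheet."""
    return {
        "transport": extensions_blob([key_usage(["keyEncipherment"])]),
        "ssl_server": extensions_blob([key_usage(["digitalSignature", "keyEncipherment"])]),
    }
```

The resulting encodings can be cross-checked against any certificate that carries the same extension (the key usage extension with digitalSignature and keyEncipherment, for instance, always appears as the bytes 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 when marked critical).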


SSL Certificate Request

If you are obtaining your SSL server certificate from another CA, you need to know where to submit your certificate request.

If you are submitting your certificate request to a third-party CA, follow the instructions provided by that CA.

If you are submitting your certificate request to another Certificate Manager, you need to know its URL.

  • End-entity URL for issuing Certificate Manager___________________________

    Enter the URL for the end-entity gateway of the Certificate Manager that will issue the SSL server certificate. For example, http://hostname:17006.



Single Sign-On Password

Before you exit the Installation Wizard, it asks you to specify a single sign-on password. This password stores the passwords for the internal database and for the tokens, so that each time you log on to iPlanet Certificate Management Server you enter just this one password. Because it unlocks every token password the instance uses, protect it as carefully as the token passwords themselves.

  • Single sign-on password__________________________________________


Copyright © 2002 Sun Microsystems, Inc. All rights reserved.

Last Updated October 07, 2002