Netscape Certificate Management System Administrator's Guide
Contents
About This Guide

What's in This Guide
Who Should Read This Guide
What You Should Already Know
Conventions Used in This Guide
Where to Go for Related Information
 
Part 1 Netscape Certificate Management System

 
Chapter 1 Introduction to Certificate Management System
Overview
Key Features
System Architecture
LDAP Directory Integration
How the Main Subsystems Function
Entry Points for Various Types of Users
 
Chapter 2 Administration Tasks and Tool
Netscape Console
Console Tab
Users and Groups Tab
Netscape Administration Server
     Starting Administration Server

     Shutting Down Administration Server

Logging In to Netscape Console
The CMS Window
Tasks Tab
Configuration Tab
Status Tab
Logging In to the CMS Window
 
Chapter 3 Configuration
Effects of Installation Type on Configuration
Duplicating a Configuration from One Instance to Another
Locating the Configuration File
Modifying the Configuration
Changing the Configuration From the CMS Window
Changing the Configuration by Editing the Configuration File
     Guidelines for Editing the Configuration File

     Sample Configuration File

Road Map to Configuring Subsystems
 
Part 2 Managing Certificate Management System

 
Chapter 4 Installing and Uninstalling CMS Instances
Installing Multiple Instances
Viewing Instance Information
Changing the Name of an Instance
Removing an Instance From a System
Uninstalling Certificate Management System
Uninstalling from the Command Line
Uninstalling by Using the Windows NT Add/Remove Programs Utility
 
Chapter 5 Starting and Stopping CMS Instances
Starting Certificate Management System
Required Start-up Information
     Configuring the Server to Start Without the Single Sign-On Password

     Configuring the Server to Read the Single Sign-on Password

Starting From Netscape Console
Starting From the Command Line
Starting From the Windows NT Services Panel
Stopping Certificate Management System
Stopping From Netscape Console
Stopping From the Command Line
Stopping From the Windows NT Services Panel
Restarting Certificate Management System
Restarting From the CMS Window
Restarting From the Command Line
Checking System Status
Attending to an Unresponsive Server
CMS Watchdog Process
Password Cache
Password Cache Utility
     Locating the PasswordCache Utility

     Syntax

Managing the Password Cache
     Changing the Single Sign-On Password

     Listing the Contents of the Password Cache

     Adding a New Entry to the Password Cache

     Changing the Password of an Entry in the Password Cache

     Deleting an Entry From the Password Cache

     Creating a New Password Cache

Password-Quality Checker
 
Part 3 System-Level Configuration

 
Chapter 6 Configuring Ports, Database, and SMTP Settings
CMS Ports
Remote Administration Port
Agent Port
End-Entity Ports
Configuring Port Numbers
     Step 1. Specify the Port Number

     Step 2. Specify IP Addresses

Internal Database
Configuring the Internal Database
     Step 1. Identify the Directory Server Instance

     Step 2. Restrict Access to the Internal Database

SMTP Settings
 
Chapter 7 Managing Privileged Users and Groups
Privileged-User Types and Responsibilities
Administrators
Agents
     Agent's Certificate for SSL Client Authentication

     Revocation Status Checking of Agent Certificates

Trusted Managers
     Subsystems That Can Function as Trusted Managers

     Connectors for Linking Trusted Managers

     Trusted Manager's Certificate for SSL Client Authentication

Groups and Their Privileges
Group for Administrators
Groups for Agents
     Group for Certificate Manager Agents

     Group for Registration Manager Agents

     Group for Data Recovery Manager Agents

Group for Trusted Managers
Setting Up Privileged Users
Setting Up Administrators
     Step 1. Find the Required Information

     Step 2. Add the Information to the Internal Database

Setting Up Agents
     Setting Up Agents Using the Automated Process

     Setting Up Agents Using the Manual Process

Setting Up Trusted Managers
     Setting Up Trusted Managers Using the Automated Process

     Setting Up a Registration Manager as a Trusted Manager

     Setting Up a Certificate Manager as a Trusted Manager

Changing Privileged-User Information
Changing a Privileged User's Login Information
Changing a Privileged User's Certificate
Changing Members in a Group
Deleting a Privileged User
 
Chapter 8 Keys and Certificates
Keys and Certificates for the Main Subsystems
Certificate Manager's Key Pairs and Certificates
     CA Signing Key Pair and Certificate

     SSL Server Key Pair and Certificate

Registration Manager's Key Pairs and Certificates
     Signing Key Pair and Certificate

     SSL Server Key Pair and Certificate

Data Recovery Manager's Key Pairs and Certificates
     Transport Key Pair and Certificate

     Storage Key Pair

     SSL Server Key Pair and Certificate

Tokens for Storing Keys and Certificates
Internal Token
External Token
     Installing External Tokens

Managing Tokens Used by the Subsystems
     Viewing Tokens

     Changing a Token's Password

Hardware Cryptographic Accelerators
Certificate Setup Wizard
Using the Wizard to Request a Certificate
     Step 1. Select the Operation

     Step 2. Choose the Certificate

     Step 3. Specify the Key-Pair Information

     Step 4. Specify the Subject Name for the Certificate

     Step 5. Specify the Validity Period

     Step 6. Specify Extensions

     Step 7. Copy the Certificate Signing Request

     Step 8. Check the Certificate Request Status

     Step 9. Send the Certificate Signing Request to a CA

Using the Wizard to Install a Certificate or Certificate Chain
     Data Formats for Installing Certificates and Certificate Chains

     Step 1. Select the Operation

     Step 2. Select the Certificate or Certificate Chain

     Step 3. Specify the Location of the Certificate

     Step 4. View the Certificate or Certificate Chain

     Step 5. Install the Certificate or Certificate Chain

     Step 6. Verify the Certificate Status

Configuring the Server's Security Preferences
Configuring the Server to Use Separate SSL Server Certificates
     Step 1. Get the Required SSL Server Certificates

     Step 2. Update the Configuration

Getting an SSL Client Certificate for a Subsystem
     Step 1. Generate a Key Pair for the Subsystem

     Step 2. Generate a Certificate Signing Request for the Key Pair

     Step 3. Submit the CSR to the CA

     Step 4. Ask an Agent to Approve the Request

     Step 5. Install the Certificate in the Internal Database

     Step 6. Configure the Subsystem to Use This Certificate

Setting Up Cipher Preferences for SSL Communications
     SSL Ciphers Supported in Certificate Management System

     Configuring the Server to Use Specific Ciphers

Getting New Certificates for the Subsystems
Step 1. Plan for the New Certificate
Step 2. Request the New Certificate
Step 3. Install the New Certificate
Step 4. Deploy the New Certificate
     Deploying Certificate Manager's CA Signing Certificate

     Deploying Registration Manager's Signing Certificate

     Deploying Data Recovery Manager's Transport Certificate

     Deploying a Subsystem's SSL Server Certificate

Renewing Certificates for the Subsystems
Step 1. Plan for Certificate Renewal
Step 2. Renew the Existing Certificate
Step 3. Install the Renewed Certificate
Step 4. Deploy the Renewed Certificate
     Deploying Certificate Manager's Renewed CA Signing Certificate

     Deploying Registration Manager's Renewed Signing Certificate

     Deploying Data Recovery Manager's Renewed Transport Certificate

     Deploying a Subsystem's Renewed SSL Server Certificate

Step 5. Restart the Server
Managing the Certificate Database
Viewing the Certificate Database Content
Deleting a Certificate From the Certificate Database
Changing the Trust Settings of a CA Certificate
Installing a New CA Certificate in the Certificate Database
Installing a CA Certificate Chain in the Certificate Database
 
Part 4 Authentication

 
Chapter 9 Introduction to Authentication
Privileged-User Authentication
Authentication of Administrators
Authentication of Agents
End-Entity Authentication
Authentication of End Entities During Certificate Enrollment
Authentication of End Users During Certificate Renewal
     Certificate Renewal Form

Authentication of End Users During Certificate Revocation
     SSL Client Authenticated Revocation

     Challenge-Password-Based Revocation

     Certificate Revocation Forms

 
Chapter 10 Authentication Modules for End-Entity Enrollment
Overview of Authentication Modules
Manual Authentication
Directory-Based Authentication
UidPwdDirAuth Module
Directory- and PIN-Based Authentication
UidPwdPinDirAuth Module
NIS Server-Based Authentication
NISAuth Module
Portal Enrollment
PortalEnroll Module
Certificate-Based Enrollment
Enrollment Forms
Generating Files Required By Third-Party Object Signing Tools
 
Chapter 11 Using the PIN Generator Tool
Locating the PIN Generator Tool
The setpin Command
Command-Line Syntax
     Arguments

     Example

How the Tool Works
Input File
Output File
How PINs Are Stored in the Directory
Exit Codes
 
Chapter 12 Configuring Authentication for End Users
Authentication Management
Authentication Management From the CMS Window
     Authentication Instance Tab

     Authentication Plugin Registration Tab

Authentication Parameters in the Configuration File
Managing Authentication Instances
Setting Up Authentication for End-User Enrollment
     Step 1. Find the Required Information

     Step 2. Set Up the Directory for PIN-Based Enrollment

     Step 3. Enable the PIN Present Policy

     Step 4. Add an Authentication Instance

     Step 5. Set Up the Enrollment Interface

     Step 6. Enable End-Entity Interaction

     Step 7. Turn on Automated Notification

     Step 8. Test Your Authentication Setup

     Step 9. Deliver PINs to End Users

Deleting an Authentication Instance
Modifying an Authentication Instance
Managing Authentication Plug-in Modules
Registering an Authentication Module
Deleting an Authentication Module
 
Chapter 13 Developing Custom Authentication Modules
Authentication Subsystem Architecture
How the Architecture Works
How Authentication Managers Are Used
Customizing Authentication
Step 1. Decide on an Authentication Scheme
Step 2. Write the Authentication Plug-in Module
     Authentication Manager Plug-in API

     Compiling and Installing Authentication Manager Plug-ins

     Authentication Manager Examples

Step 3. Register the Authentication Manager Plug-in Module
Step 4. Create an Instance of the Authentication Plug-in Module
Step 5. Customize the End-Entity Enrollment Forms
 
Part 5 Job Scheduling and Notification

 
Chapter 14 Introduction to Job Scheduling and Notifications
Overview of Job Plug-in Modules
Certificate Renewal Notifications
     RenewalNotificationJob Module

Notification of Request Queue Status
     RequestInQJob Module

Directory Update and Notification
     UnpublishExpiredJob Module

Schedule for Executing Jobs
Event-Driven Notifications
Notifications of Certificate Issuance to End Entities
     Configuring a Subsystem to Send Notifications to End Entities

Notification of New Request in Queue
     Configuring a Subsystem to Send Request Queue Notifications

Customizing Notification Messages
Templates for Event-Triggered Notifications
Templates for Summary Notifications
Customizing Message Templates
Tokens Available in Message Templates
     Tokens for Certificate Issuance Notifications to End Entities

     Tokens for Rejection Notifications to End Entities

     Tokens for Renewal Notification Messages

     Tokens for Request In Queue Notification Messages

     Tokens for Directory Update Notification Messages

 
Chapter 15 Configuring Schedulable Jobs
Job Management
Job Management From the CMS Window
     Job Instance Tab

     Job Plugin Registration Tab

Job Scheduler Parameters in the Configuration File
Scheduling Automated Jobs
Step 1. Plan
Step 2. Modify Existing Jobs
Step 3. Delete Unwanted Jobs
Step 4. Add New Jobs
Step 5. Schedule the Frequency
Step 6. Customize Message Templates
Step 7. Verify Mail Server Settings
Managing Job Plug-in Modules
Registering a Job Module
Deleting a Job Module
 
Part 6 Policies

 
Chapter 16 Introduction to Policy
What Is Policy?
Policy Rules
Types of Policy Rules
Using Predicates in Policy Rules
     Expression Support for Predicates

     Attributes for Predicates

Policy Processor
Built-in Policy Plug-in Modules
 
Chapter 17 Constraints-Specific Policy Modules
Overview of Constraints-Specific Policy Modules
DSA Key Constraints Policy
DSAKeyConstraints Module
DSAKeyRule Rule
Issuer Constraints Policy
IssuerConstraints Module
IssuerRule Rule
Key Algorithm Constraints Policy
KeyAlgorithmConstraints Module
KeyAlgRule Rule
PIN Present Policy
PinPresentConstraints Module
Renewal Constraints Policy
RenewalConstraints Module
RenewalConstraintsRule Rule
Revocation Constraints Policy
RevocationConstraints Module
RevocationConstraintsRule Rule
Renewal Validity Constraints Policy
RenewalValidityConstraints Module
DefaultRenewalValidityRule Rule
RSA Key Constraints Policy
RSAKeyConstraints Module
RSAKeyRule Rule
Signing Algorithm Constraints Policy
SigningAlgorithmConstraints Module
SigningAlgRule Rule
Subordinate CA Name Constraints Policy
SubCANameConstraints Module
SubCANameConstraints Rule
Unique Subject Name Constraints Policy
UniqueSubjectNameConstraints Module
UniqueSubjectNameConstraints Rule
Validity Constraints Policy
ValidityConstraints Module
DefaultValidityRule Rule
 
Chapter 18 Extension-Specific Policy Modules
Certificate Extensions
Structure of Certificate Extensions
Sample Certificate Extensions
Object Identifier
     Registration of Object Identifiers

Overview of Extension-Specific Policy Modules
Authority Information Access Extension Policy
AuthInfoAccessExt Module
Authority Key Identifier Extension Policy
AuthorityKeyIdentifierExt Module
AuthorityKeyIdentifierExt Rule
Basic Constraints Extension Policy
BasicConstraintsExt Module
BasicConstraintsExt Rule
Certificate Policies Extension Policy
CertificatePoliciesExt Module
CertificatePoliciesExt Rule
Certificate Renewal Window Extension Policy
CertificateRenewalWindowExt Module
Certificate Scope of Use Extension Policy
CertificateScopeOfUseExt Module
CRL Distribution Points Extension Policy
CRLDistributionPointsExt Module
CRLDistributionPointsExt Rule
Extended Key Usage Extension Policy
ExtendedKeyUsageExt Module
CODESigningExt Rule
OCSPSigningExt Rule
Generic ASN.1 Extension Policy
GenericASN1Ext Module
GenericASN1Ext Rule
Issuer Alternative Name Extension Policy
IssuerAltNameExt Module
Key Usage Extension Policy
KeyUsageExt Module
CMCertKeyUsageExt Rule
RMCertKeyUsageExt Rule
ServerCertKeyUsageExt Rule
ClientCertKeyUsageExt Rule
ObjSignCertKeyUsageExt Rule
Name Constraints Extension Policy
NameConstraintsExt Module
NameConstraintsExt Rule
Netscape Certificate Comment Extension Policy
NSCCommentExt Module
NSCCommentExt Rule
Netscape Certificate Type Extension Policy
NSCertTypeExt Module
NSCertTypeExt Rule
OCSP No Check Extension Policy
OCSPNoCheck Module
OCSPNoCheckExt Rule
Policy Constraints Extension Policy
PolicyConstraintsExt Module
PolicyConstraintsExt Rule
Policy Mappings Extension Policy
PolicyMappingsExt Module
PolicyMappingsExt Rule
Private Key Usage Period Extension Policy
PrivateKeyUsagePeriodExt Module
Subject Alternative Name Extension Policy
SubjectAltNameExt Module
SubjectAltNameExt Rule
Subject Directory Attributes Extension Policy
SubjectDirectoryAttributesExt Module
Subject Key Identifier Extension Policy
SubjectKeyIdentifierExt Module
SubjectKeyIdentifierExt Rule
 
Chapter 19 Configuring a Subsystem's Policies
Policy Management
Policy Management From the CMS Window
     Policy Rules Management Tab

     Policy Plugin Registration Tab

Policy Parameters in the Configuration File
Setting Up Policy Rules for a Subsystem
Step 1. Plan
Step 2. Modify Existing Policy Rules
Step 3. Delete Unwanted Policy Rules
Step 4. Add New Policy Rules
Step 5. Reorder Policy Rules
Step 6. Restart the Server
Step 7. Test Policy Configuration
     Step A. Enroll for a Certificate

     Step B. Approve the Request

     Step C. Check the Certificate Details

Managing Policy Plug-in Modules
Registering a Policy Module
Deleting a Policy Module
 
Part 7 Publishing

 
Chapter 20 Introduction to Publishing Certificates and CRLs
Publishing of Certificates
Publishing of Certificates to a Directory
     Timing of Directory Updates

     Directory Update Process

     Directory Synchronization

Publishing of Certificates to a Flat File
Publishing of CRLs
Reasons for Revoking a Certificate
     Revocation Checking by Netscape Clients

     Revocation Checking by Netscape Servers

Supported Methods for Verifying Revocation Status of Certificates
     Publishing of CRLs to an LDAP Directory

     Publishing of CRLs to Flat Files

     Publishing of CRLs to an Online Validation Authority

 
Chapter 21 Modules for Publishing Certificates and CRLs
Mapper Modules
Overview of Mapper Modules
CA Certificate Mapper
     LdapCaSimpleMap Module

     LdapCaCertMap Mapper

     LdapCrlMap Mapper

DN Components Mapper
     LdapDNCompsMap Module

Subject Name Mapper
     LdapDNExactMap Module

Simple Mapper
     LdapSimpleMap Module

     LdapUserCertMap Mapper

Subject Attribute Mapper
     LdapSubjAttrMap Module

Publisher Modules
Overview of Publisher Modules
Flat File Publisher
     FileBasedPublisher Module

CA Certificate Publisher
     LdapCaCertPublisher Module

     LdapCaCertPublisher Publisher

End-Entity Certificate Publisher
     LdapUserCertPublisher Module

     LdapUserCertPublisher Publisher

CRL Publisher
     LdapCrlPublisher Module

     LdapCrlPublisher Publisher

ValiCert Publisher
     ValiCertPublisher Module

CRL Extension Modules
Structure of CRL Extensions
Sample CRL and CRL Entry Extensions
Overview of CRL Extension Modules
AuthorityKeyIdentifier Rule
CRLNumber Rule
CRLReason Rule
HoldInstruction Rule
InvalidityDate Rule
IssuerAlternativeName Rule
IssuingDistributionPoint Rule
 
Chapter 22 Configuring a Certificate Manager for Publishing
Publishing Certificates and CRLs to a Directory
Step 1. Plan
Step 2. Set Up the Directory for Publishing
     Step A. Verify the Directory Schema

     Step B. Add an Entry for the CA

     Step C. Identify an Entry That Has Write Access

     Step D. Verify Entries for End Entities

     Step E. Specify the Directory Authentication Method

     Step F. Modify the Certificate Mapping File

     Step G. Restart Directory Server

Step 3. Configure the Certificate Manager to Publish Certificates
     Step A. Modify the Default Mappers, Publishers, and Publishing Rules

     Step B. Add Mappers, Publishers, and Publishing Rules

Step 4. Configure the Certificate Manager to Publish CRLs
     Step A. Specify CRL Details

     Step B. Set the CRL Extensions

     Step C. Create a Mapper for the CRL

     Step D. Create a Publisher for the CRL

     Step E. Create a Publishing Rule for the CRL

Step 5. Identify the Publishing Directory
Step 6. Test Certificate and CRL Publishing
     Step A. Decide a Directory Entry for Requesting a Certificate

     Step B. Request a Certificate

     Step C. Approve the Request

     Step D. Download the Certificate to the Browser

     Step E. Check if the Directory Has the Certificate

     Step F. Revoke the Certificate

     Step G. Check the Directory for the CRL

Manually Updating Certificates and CRL in a Directory
     Manually Updating Certificates in the Directory

     Manually Updating the CRL in the Directory

Publishing Certificates and CRLs to Flat Files
Step 1. Plan
Step 2. Configure the Certificate Manager
     Step A. Create a Publisher for the Flat File

     Step B. Create Publishing Rules for Publishing CA Certificate,

     Step C. Specify CRL Details

     Step D. Set the CRL Extensions

     Step E. Make Sure Publishing is Enabled

Step 3. Test Publishing
     Step A. Request a Certificate

     Step B. Approve the Request

     Step C. Download the Certificate to the Browser

     Step D. Check the File for the Certificate

     Step E. Revoke the Certificate

     Step F. Check the File for the CRL

Publishing CRLs to Online Validation Authority
Step 1. Plan
Step 2. Install an OCSP-Compliant Client
Step 3. Install the Certificate VA
     Step A. Verify and Copy Files

     Step B. Read the Documentation

     Step C. Run the Installation Program

     Step D. Generate a Key Pair and Self-Signed Certificate

     Step E. Copy the CA Certificate

     Step F. Add the CA Certificate to the Certificate Store

Step 4. Configure Certificate Manager for Required Extension Policies
Step 5. Replace the Certificate VA's Certificate
     Step A. Copy the Server's Certificate Signing Request

     Step B. Request an OCSP Responder Certificate From the Certificate Manager

     Step C. Approve the Request

     Step D. Add the Certificate to the Certificate Store

     Step E. Verify That the Certificates Are Stored

Step 6. Restart Certificate VA
Step 7. Configure the Certificate Manager for Publishing CRLs
     Step A. Create a Publisher for the CRL

     Step B. Create a Publishing Rule for the CRL

     Step C. Specify CRL Details

     Step D. Set CRL Extensions

     Step E. Make Sure Publishing is Enabled

Step 8. Test Publishing
     Step A. Turn On Revocation Checking

     Step B. Request a Certificate

     Step C. Approve the Request

     Step D. Download the Certificate to the Browser

     Step E. Verify the Certificate in the Browser

     Step F. Check the Certificate VA Status

     Step G. Revoke the Certificate

     Step H. Verify the Certificate in the Client

     Step I. Check the Certificate VA Status Again

Managing Mapper and Publisher Modules
Registering a Mapper or Publisher Module
Deleting a Mapper or Publisher Module
 
Part 8 Agent and End-Entity Interfaces

 
Chapter 23 Introduction to End-Entity and Agent Interfaces
End-Entity Services
How Client Type Determines the End-Entity Interface
Certificate Request Formats Specific to End Entities
Agent Services
Certificate Manager Agent Services
Registration Manager Agent Services
Data Recovery Manager Agent Services
Accessing the Agent Services Interface
 
Chapter 24 Customizing End-Entity and Agent Interfaces
What You Need to Know to Change Forms
HTTP, Query URLs, and HTML Forms
JavaScript
How the Forms Work
Requests Sent to the CMS Server
Responses and Output Templates
Errors and the Error Template
Displaying Forms in Non-English Languages
End-Entity Forms and Templates
Locating End-Entity Forms and Templates
Forms for Certificate Enrollment
Forms for Certificate Renewal
Forms for Certificate Revocation
Forms for Certificate Retrieval
Forms for Key Recovery
Other Forms
Output Templates for End-Entity Interfaces
Agent Forms and Templates
Structure of the Agent Services Interface
Locating Agent Forms and Templates
JavaScript Used By All Interfaces
End-Entity Interface Reference
Certificate Enrollment Protocol Interface
     Description

     Default Forms

     Request Parameters

Challenge Revocation Interface
     Description

     Default Forms

     Request Parameters

     Response

Display Certificate By Serial Number Interface
     Description

     Default Forms

     Request Parameters

     Response

Display Certificate From Request Interface
     Description

     Default Forms

     Request Parameters

     Response

Enrollment Interface
     Description

     Default Forms

     Request Parameters

     Response

Get CA Chain Interface
     Description

     Default Forms

     Request Parameters

     Response

Get Certificate By Serial Number Interface
     Description

     Default Forms

     Request Parameters

     Response

Get Certificate From Request Interface
     Description

     Default Forms

     Request Parameters

     Response

Get CRL Interface
     Description

     Default Forms

     Request Parameters

     Response

List Certificates Interface
     Description

     Default Forms

     Request Parameters

     Response

Renewal Interface
     Description

     Default Forms

     Request Parameters

     Response

Revocation Interface
     Description

     Default Forms

     Request Parameters

     Response

Agent Interface Reference
Approve Revocation Interface
     Description

     Default Forms

     Request Parameters

     Response

Bulk Enrollment Interface
     Description

     Configuration Parameters

     Default Forms

     Request Parameters

     Response

Display Key By Serial Number Interface
     Description

     Default Forms

     Request Parameters

     Response

Display Key For Recovery Interface
     Description

     Default Forms

     Request Parameters

     Response

Examine Recovery Interface
     Description

     Default Forms

     Request Parameters

     Response

Get Approval Status Interface
     Description

     Default Forms

     Request Parameters

     Response

Get PKCS #12 Data Interface
     Description

     Default Forms

     Request Parameters

     Response

Grant Recovery Interface
     Description

     Default Forms

     Request Parameters

     Response

Key Query Interface
     Description

     Default Forms

     Request Parameters

     Response

Key Recovery Query Interface
     Description

     Default Forms

     Request Parameters

     Response

Process Certificate Request Interface
     Description

     Default Forms

     Request Parameters

     Response

Process DRM Request Interface
     Description

     Default Forms

     Request Parameters

     Response

Process Request Interface
     Description

     Default Forms

     Request Parameters

     Response

Recover Key By Serial Number Interface
     Description

     Default Forms

     Request Parameters

     Response

Remove Certificate Hold Interface
     Description

     Default Forms

     Request Parameters

     Response

Requests Query Interface
     Description

     Default Forms

     Request Parameters

     Response

Select for Revocation Interface
     Description

     Default Forms

     Request Parameters

     Response

Update CRL Interface
     Description

     Default Forms

     Request Parameters

     Response

Update Directory Interface
     Description

     Default Forms

     Request Parameters

     Response

 
Part 9 Logs

 
Chapter 25 Introduction to Logs
Logs Maintained by Certificate Management System
Services That Are Logged
Log Levels (Message Categories)
Log File Locations
Log File Naming Conventions
Active Log File Naming Convention
Rotated Log File Naming Convention
Buffered Versus Unbuffered Logging
Rotation of Log Files
Timing of Log File Rotation
Location of Rotated Log Files
Deletion of Log Files
How to Conserve Disk Space
Timing of Log File Deletion
Archiving of Rotated Log Files
 
Chapter 26 Managing Logs
Management of Logs
Log Management From the CMS Window
Log Parameters in the Configuration File
Configuring Logs
Configuring System Logs
Configuring Error Logs
Configuring Audit Logs
Monitoring Logs
Monitoring System Logs
Monitoring Error Logs
Monitoring Audit Logs
Using System Tools for Monitoring the Server (Windows NT Only)
     Logging to Windows NT Event Log

     Using Event Viewer

     Keeping the Event Log From Filling Up

Signing Log Files
 
Part 10 Issuance and Management of End-Entity Certificates

 
Chapter 27 Issuing and Managing End-Entity Certificates
Certificate Issuance to Servers
How the Manual Server Enrollment Process Works
Getting Server SSL Certificates for Netscape Servers
     Getting Certificates for Version 3.x Servers

     Getting Certificates for Netscape Version 4.x Servers

CEP Enrollment
CEP Enrollment Using the Script
Setting Up CEP Enrollment Manually
     Step 1. Set up the Directory for Publishing Certificates and CRLs

     Step 2. Configure the Certificate Manager for Publishing Certificates and CRLs

     Step 3. Set up Automated Enrollment

     Step 4. Set Up Multiple CEP Services

Certificate Issuance to Routers or VPN Clients
     Step 1. Find the Required Information

     Step 2. Generate the Key Pair for the Router

     Step 3. Request the CA's Certificate

     Step 4. Submit the Certificate Request to the CA

Example
Certificate Renewal
Renewal of Client Certificates
Renewal of Server Certificates
Certificate Revocation
 
Chapter 28 Recovering Encrypted Data
PKI Setup for Key Archival and Recovery
Clients That Can Generate Dual Key Pairs
Data Recovery Manager
Forms for Users and Key Recovery Agents
Key Archival Process
Why You Should Archive Keys
Where the Keys are Stored
How Key Archival Works
Key Recovery Process
Key Recovery Agents and Their Passwords
     Secret Sharing of Storage Key Password

     Interface for the Key Recovery Process

     Local Versus Remote Key Recovery Authorization

How Agent-Initiated Key Recovery Works
Key Recovery Agent Scheme
     Changing the Key Recovery Agent Scheme

     Changing Key Recovery Agents' Passwords

Setting Up Key Archival and Recovery Process
Step 1. Set Up the Key Archival Process
     Step A. Deploy Clients That Can Generate Dual Key Pairs

     Step B. Connect the Enrollment Authority and the Data Recovery Manager

     Step C. Customize the Certificate Enrollment Form

     Step D. Configure Key Archival Policies

Step 2. Set Up the Key Recovery Process
     Step A. Verify the m of n Scheme

     Step B. Facilitate the Key Recovery Agents to Change the Passwords

     Step C. Determine the Authorization Mode for Key Recovery

     Step D. Customize the Key Recovery Form

     Step E. Configure Key Recovery Policies

Step 3. Test Your Key Archival and Recovery Setup
     Step A. Test Your Key Archival Setup

     Step B. Verify the Key

     Step C. Delete the Certificate

     Step D. Test Your Key Recovery Setup

     Step E. Restore the Key in the Browser's Database

 
Part 11 Appendixes

 
Appendix A   Distinguished Names
What Is a Distinguished Name?
Distinguished Name Components
     Root Distinguished Name

     Base Distinguished Name

DNs in Certificate Management System
Extending Attribute Support
     Adding New or Proprietary Attributes

     Adding Attributes to an Enrollment Form

     Changing the DER Encoding Order

Role of Distinguished Names in Certificates
     DNs in End-Entity Certificates

     DNs in CA Certificates

     Selecting DNs for Certificates

     DN Patterns and Certificate Subject Names

 
Appendix B   Backing Up and Restoring Data
Backup and Restore Tools
Backing Up Data
What the Backup Tool Does
What the Backup Tool Does Not Do
Running the Backup Tool
After You Finish a Backup
Restoring Data
Before You Restore Data
Running the Restore Tool
 
Appendix C   Command-Line Utilities
Summary of Command-Line Utilities
ASCII to Binary Tool
Availability
Syntax
Example
Binary to ASCII Tool
Availability
Syntax
Example
Pretty Print Certificate Tool
Availability
Syntax
Example
Pretty Print CRL Tool
Availability
Syntax
Example
dumpasn1 Tool
 
Appendix D   Certificate Database Tool
Availability
Syntax
Options and Arguments
Usage
Examples
Creating a New Certificate Database
Listing Certificates in a Database
Creating a Certificate Request
Creating a Certificate
Adding a Certificate to the Database
Validating a Certificate
 
Appendix E   Key Database Tool
Availability
Syntax
Options and Arguments
Usage
Examples
Creating a Key Database
Generating a New Key
Displaying Public Key Information
Listing Key IDs
Deleting a Private Key
 
Appendix F   Netscape Signing Tool
Introduction to Netscape Signing Tool
What Is Netscape Signing Tool?
JAR Format and JAR Archives
What Signing a File Means
Object-Signing Certificates
Using Netscape Signing Tool
Getting Ready to Use Netscape Signing Tool
     Setting Up Your Certificate

     Listing Available Certificates

Signing a File
Using Netscape Signing Tool with a ZIP Utility
Tips and Techniques
SignTool Syntax and Options
Command Syntax
Command Options
Command File Syntax
Command File Keywords and Example
Generating Test Object-Signing Certificates
Generating the Keys and Certificate
Using Netscape Signing Tool with Smart Cards
What Is a Smart Card?
Setting Up a Smart Card
Using the -M Option to List Smart Cards
Using Netscape Signing Tool and a Smart Card to Sign Files
Netscape Signing Tool and FIPS-140-1
Using FIPS-140 Mode
Verifying FIPS Mode
Answers to Common Questions
 
Appendix G   SSL Strength Tool
Availability
Syntax
Options and Arguments
Usage
Restricting Ciphers
Export Policy and Step-up
Examples
Example 1
Example 2
Example 3
 
Appendix H   SSL Debugging Tool
Availability
Description
Syntax
Options
Examples
Example 1
     Command

     Output

Example 2
     Command

     Output

Example 3
     Command

     Output

Example 4
     Command

     Output

Usage Tips
 
Index
 

Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.