Netscape Certificate Management System Administrator's Guide: Issuing and Managing End-Entity Certificates

Complete Contents
About This Guide
PART 1: Netscape Certificate Management System
Chapter 1: Introduction to Certificate Management System
Chapter 2: Administration Tasks and Tool
Chapter 3: Configuration
PART 2: Managing Certificate Management System
Chapter 4: Installing and Uninstalling CMS Instances
Chapter 5: Starting and Stopping CMS Instances
PART 3: System-Level Configuration
Chapter 6: Configuring Ports, Database, and SMTP Settings
Chapter 7: Managing Privileged Users and Groups
Chapter 8: Keys and Certificates
PART 4: Authentication
Chapter 9: Introduction to Authentication
Chapter 10: Authentication Modules for End-Entity Enrollment
Chapter 11: Using the PIN Generator Tool
Chapter 12: Configuring Authentication for End Users
Chapter 13: Developing Custom Authentication Modules
PART 5: Job Scheduling and Notification
Chapter 14: Introduction to Job Scheduling and Notifications
Chapter 15: Configuring Schedulable Jobs
PART 6: Policies
Chapter 16: Introduction to Policy
Chapter 17: Constraints-Specific Policy Modules
Chapter 18: Extension-Specific Policy Modules
Chapter 19: Configuring a Subsystem's Policies
PART 7: Publishing
Chapter 20: Introduction to Publishing Certificates and CRLs
Chapter 21: Modules for Publishing Certificates and CRLs
Chapter 22: Configuring a Certificate Manager for Publishing
PART 8: Agent and End-Entity Interfaces
Chapter 23: Introduction to End-Entity and Agent Interfaces
Chapter 24: Customizing End-Entity and Agent Interfaces
PART 9: Logs
Chapter 25: Introduction to Logs
Chapter 26: Managing Logs
PART 10: Issuance and Management of End-Entity Certificates
Chapter 27: Issuing and Managing End-Entity Certificates
Chapter 28: Recovering Encrypted Data
PART 11: Appendixes
Appendix A: Distinguished Names
Appendix B: Backing Up and Restoring Data
Appendix C: Command-Line Utilities
Appendix D: Certificate Database Tool
Appendix E: Key Database Tool
Appendix F: Netscape Signing Tool
Appendix G: SSL Strength Tool
Appendix H: SSL Debugging Tool

Netscape Certificate Management System Administrator's Guide: Issuing and Managing End-Entity

Contents

Index

Bookshelf

Chapter 27 Issuing and Managing End-Entity Certificates

This chapter explains how Netscape Certificate Management System (CMS) issues and manages end-entity certificates.

The chapter has the following sections:

Certificate Issuance to Servers

CEP Enrollment

Certificate Renewal

Certificate Revocation

Certificate Issuance to Servers

For Certificate Management System to generate a server certificate, it must receive the certificate signing request (CSR) from the server that needs the certificate. This request must be initiated by the administrator of the specific server requiring the certificate.

SSL-enabled servers (or servers that are capable of using certificates for security) provide mechanisms for generating a CSR based on new or existing key pairs. For example, servers that belong to the Netscape's version 4.x server family come with a wizard that walks an administrator through the entire process of requesting a server certificate and installing it in the server's certificate database. For information on this wizard, see "Obtaining and Installing a Certificate" in Managing Servers with Netscape Console.

Once an administrator generates a CSR for a server, he or she must paste it into the appropriate server enrollment form hosted by a Registration Manager or Certificate Manager, and then submit the request. Upon receipt of the request, Certificate Management System responds as follows:

Verifies the validity and authenticity of the request.

The authentication mechanism that Certificate Management System uses is based on the authentication mechanism specified in the enrollment form the administrator uses to submit the certificate request. For example, if the enrollment form was configured to employ directory-based authentication, Certificate Management System checks the configured directory for the appropriate information. On the other hand, if the enrollment form specifies manual authentication, the request gets queued and awaits approval by an agent.

Subjects the request to policy checks.

If the request passes all the policy rules, Certificate Management System generates the server certificate and sends it to the email address specified in the server certificate request (the enrollment form includes a field for the administrator to enter this information). Otherwise, Certificate Management System logs an error message.

Upon receipt of the certificate, the server administrator installs the certificate in the server's certificate database.

How the Manual Server Enrollment Process Works

Figure 27.1 illustrates how Certificate Management System issues a server certificate in a deployment scenario involving a Registration Manager acting as an enrollment authority to a Certificate Manager. The server certificate is requested via a manual enrollment form hosted by the Registration Manager.

Figure 27.1 Server (or site) certificate issuance

These are the steps shown in Figure 27.1:

The server administrator goes to the manual enrollment form hosted by the Registration Manager, pastes in the certificate signing request in PKCS #10 format, completes the other information in the enrollment form, and submits the form.

(If the enrollment port is HTTPS, the administrator should visit the link that delivers the CA's certificate chain and download the chain into the browser that he or she will use for server enrollment.)

The Registration Manager verifies the authenticity of the request. Because the request requires manual authentication, the Registration Manager stores the request in the queue for agent approval.

An agent processes the request and either rejects or approves it.

The Registration Manager picks up the approved request and subjects it to policy checks.

If the request passes the Registration Manager's policy checking, the Registration Manager submits the request to the Certificate Manager for signing. The Certificate Manager verifies the authenticity of the Registration Manager by verifying the certificate presented by it. If it is a trusted Registration Manager, the Certificate Manager accepts the request.

The Certificate Manager subjects the request to its own policy checks.

If the request passes Certificate Manager's policy, it signs the request immediately and returns the certificate to the Registration Manager. The Registration Manager then delivers the certificate to the administrator. Optionally, the Certificate Manager may publish the certificate to the corporate directory.

If the Certificate Manager's policy requires additional information, the administrator will be directed to return later to pick up the certificate. The administrator may need to query the Registration Manager using the certificate request number to see whether the certificate has been issued. Alternatively, the Registration Manager can be configured to email the user when the certificate is ready for pick up. See "Notifications of Certificate Issuance to End Entities".

The Registration Manager delivers the server SSL certificate to the email address specified in the enrollment form. Optionally, the Registration Manager may publish the certificate to the corporate directory.

Getting Server SSL Certificates for Netscape Servers

To enable a server to establish SSL connections, you need to get a certificate that identifies the server. You can get a certificate for a server by submitting a request to Certificate Management System.

To generate the actual request, you (or the server administrator) need to use the server that requires the certificate. This is required because the private key must be stored with the server that will use it.

The following section explains how to request a server SSL certificate for Netscape servers. The instructions apply mainly to requests from servers other than CMS subsystem server--for example, Netscape Enterprise, Administration, and Directory Servers. To request a certificate for a CMS subsystem, follow the instructions in "Getting New Certificates for the Subsystems".

Getting Certificates for Version 3.x Servers

To get a certificate for a server in the Netscape version 3.x server family (for example, Netscape Administration Server 3.x) follow the procedure below:

Step 1. Generate a Server Certificate Request for Your Server

Step 2. Submit the Server Certificate Request to Certificate Management System

Step 3. Install Your Server's SSL Certificate

Step 4. Accept a CA as Trusted in Your Server

Step 5. Verify Your Server's SSL and CA Certificates

Step 1. Generate a Server Certificate Request for Your Server

To generate the certificate signing request for a server:

Open a web browser window.

Go to the Administration Server, and use the Server Selector to access the Server Manager for your server.

Follow the directions presented there to generate a new key pair which you will then get certified (you will use this key pair to generate a certificate signing request).

Alternatively, you can use any other tool provided with your server to generate the key pair; see the documentation for your server.

Once you have generated a key pair, follow the directions presented to generate a certificate signing request (CSR).

In the Certificate Authority field, enter your own email address.

The server mails the request to the address specified in this field.

Submit the form.

The server generates and displays a CSR.

Copy the CSR, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- marker lines, to a text file. For example:

-----BEGIN NEW CERTIFICATE REQUEST-----

MIIBBzCBsgIBADBPMQswCQYDVQQGEwJVUzEoMCYGA1UEChMfTmV0c2NhcGUgRGlyZWN0b3J5IFB1Y mxpY2F0aW9uczEWMBQGA1UEAxMNZHVtcC5tY29tLmNvbTBaMA0GCSqGSIb3DQEBAQU2nfjiMEYCQQ CksMRaLGdfp4m0OiGcgijG5KgOsyRNvwGYW7kfW+8mmijDtZRjYNjjcgpF3VnlsbxbclX9LVjjNLC 57u37XZdAgEDoAAwDQYJKoZIhvcNAQEEBQADQQCYUTnUtCVGyNrYGSfydclqiovxy1fRD1z23zg+e BPK7n85UyE4r5zGZjDsMYr172ytfAFL7DeG83DWzr8Z

-----END NEW CERTIFICATE REQUEST-----

Next, you need to paste this request into the server enrollment form hosted by Certificate Management System.

Step 2. Submit the Server Certificate Request to Certificate Management System

To submit the server certificate request to Certificate Management System:

Open a web browser.

Go to the server enrollment form (the page that allows you to submit a server certificate request).

By default, the enrollment forms are at this location:

https://<host_name>:<end_entity_HTTPS_port> or

http://<host_name>:<end_entity_HTTP_port>

In the Enrollment tab, unser Server, select SSL Server.

The form for requesting SSL server certificate appears.

Complete the request form with the information that Certificate Management System needs to create a certificate for your server.

In general, you will be required to enter the following information:

In the certificate request text area, paste the CSR that you copied to the text file, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- marker lines.

In the contact information section, enter values to identify yourself. These values will be used by the CA, if the need arises. For example, if there are any questions or problems with the certificate request, the CA administrator or agent will use this information to contact you. Also, be sure to enter your email address. This is the address where the CA will send the certificate once it has been issued.

In the additional comments section, enter any additional information that might help the issuing agent process the request. For example, you might want to enter the name of the person who instructed you to obtain a certificate or some other administrative information.

Submit the request.

You should receive notification from Certificate Management System or an issuing agent (depending on which enrollment form you used) when your request is processed. The notification will contain your certificate, along with information on how to install the new certificate into your server. The notification may also mention that you need to install the CA's certificate as a trusted CA. Check the notification message for details.

Step 3. Install Your Server's SSL Certificate

To install the server SSL certificate on your server:

Open a web browser window.

Go to the Administration Server, and use the Server Selector to access the Server Manager for your server.

Follow the directions presented there to install the certificate.

In general, you will be required to specify or enter the following information:

Whether the certificate is for this server. Be sure to select the option that says the certificate is for this server.

A name (or nickname) for the certificate. This name will be displayed in the list of certificates installed on this server.

The certificate, in base-64 encoded format. Open the email sent to you by the CA, locate and copy the portion that begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----, and paste it into the text area in the form.

The encryption alias. Enter the alias for your server.

Follow the prompts and add the certificate to your server's certificate database.

Stop and restart Administration Server for the changes to take effect.

The server decrypts the message, extracts the certificate, and saves it to the directory you specified.

Step 4. Accept a CA as Trusted in Your Server

In both Netscape clients and servers, CAs can be either trusted or untrusted. If a CA is trusted, Netscape clients and servers accept the certificates that have been issued by that CA. For the server to accept (during SSL client authentication) client certificates that have been issued by Certificate Management System, you must import its certificate chain into the certificate database of your server.

To view this chain in a format that can be used by Netscape servers:

Go to the home page of Certificate Management System.

By default, the home page is at this location:

https://<host_name>:<end_entity_HTTPS_port>

Click Accept "This Authority in Your Server."

Specify how you want Certificate Management System to display the certificate chain.

You can choose to display the entire certificate chain (in a single block) or individual certificates in the chain. The entire certificate chain is in PKCS #7 format. If you are using an older server that does not recognize the complete certificate chain format, you may need to display each individual certificate in the chain (for example, a version earlier than Netscape server 2.0 releases).

Specify how you want to trust this CA.

You can choose to trust only the CA you are accessing or all authorities whose certificates are included in the chain.

Click Present Certificate Chain.

If you chose to display the whole chain for importing into your server, the certificate chain is displayed in a format similar to this:

-----BEGIN CERTIFICATE-----

MIIBtgYJYIZIAYb4QgIFoIIBpzCCAZ8wggGbMIIBRaADAgEAAgEBMA0GCSqGSIb3DQEBBAUAMFcxC zAJBgNVBAYTAlVTMSwwKgYDVQQKEyNOZXRzY2FwZSBDb21tdW5pY2F0aW9ucyBDb3Jwb3JhdGlvbj EaMBgGA1UECxMRSXNzdWluZyBBdXRob3JpdHkwHhcNOTYxMTA4MDkwNzM0WhcNOTgxMTA4MDkwNzM 0WjBXMQswCQYDVQQGEwJVUzEsMCoGA1UEChMjTmV0c2NhcGUgQ29tbXVuaWNhdGlvbnMgQ29ycG9y YXRpb24xGjAYBgNVBAsTEUlzc3VpbmcgQXV0aG9yaXR5MFowDQYJKoZIhvcNAQEBBQADSQAwRgJBA OBiQPcK8851jjQXA2GBsaKNFg6pYaM3qhQhM0w5EIy6P1ttMjc5MlPIzZHdlgNdQLzaNoLMVKjOV5 sBp+ffkCAQMwDQYJKoZIhvcNAQEEBQADQQCWPU4gI5uaWM3EAbXfhQ

-----END CERTIFICATE-----

Open a new web browser window.

Go to the Administration Server, and use the Server Selector to access the Server Manager for your server.

Follow the directions presented there to install the certificate chain.

In general, you will be required to specify or enter the following information:

Whether the certificate is for this server or a trusted CA. Be sure to select the option that says the certificate is for a trusted certificate authority (CA).

A name (or nickname) for the certificate chain. This name will be displayed in the list of certificates installed on this server.

The certificate chain, in PKCS #7 format. In the original browser window (the window displaying the encoded certificate chain), copy the portion that begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----, and paste it into the message text area in the form.

Save your changes.

Stop and restart your Administration Server.

Step 5. Verify Your Server's SSL and CA Certificates

Before activating your server for SSL connections, you can verify whether you have installed your server's SSL and CA certificates correctly.

Open a web browser window.

Go to the Administration Server, and use the Server Selector to access the Server Manager for your server.

Follow the directions there to get to the area that allows you to manage your server's certificates.

Scroll to the bottom of the list to find the SSL and CA certificate chain you installed (identified by the nicknames you specified).

If you find both of them, your server is ready for SSL configuration. If not, you must go through the steps again to correctly install whichever certificate is missing.

Getting Certificates for Netscape Version 4.x Servers

For Netscape version 4.x servers, you can use the Certificate Setup Wizard provided by Netscape Console to get new certificates, renew existing certificates, and install certificates in the database of a server. For information about this wizard, see Managing Servers with Netscape Console. To locate an online version of this book, open the <server_root>/manual/index.html file.

Note that there are two ways in which you can submit the certificate signing request to Certificate Management System:

Submit the request (which is in the form of a base-64 encoded blob) directly from the wizard; in this method, you need not copy the request to a text file.

Submit the request manually by pasting the request (which is in the form of a base-64 encoded blob) in to the Certificate Manager's server enrollment form; in this method, you need to copy the request when the wizard displays it.

To submit the request to the Certificate Manager directly from the wizard:

When the wizard generates the certificate signing request for the key size and type you specified, you're presented with the opportunity to choose how you want to submit the request to the CA. The choices include the following:

To CA's email address. This option allows you to send the CSR to the CA administrator's email address. The administrator will then be required to submit the request to the CA by pasting the CSR in the CA's server enrollment form.

To CA's URL. This option allows you to submit the CSR to the CA directly. To submit the CSR to the Certificate Manager, you should enter, depending on the end-entity port you want to use, either of the following URL:

http://<CA's_host_name>:<end_entity_port>/enrollment or
https://<CA's_host_name>:<end_entity_SSL_port>/enrollment

Note that the request submitted to the CA's URL gets queued for approval by the Certificate Manager agent.

To submit the server certificate request to Certificate Management System manually:

Open a web browser window.

Go to the End Entity Services interface of the Certificate Manager (or a Registration Manager that's connected to the Certificate Manager) by entering either of these URLs:

https://<host_name>:<end_entity_HTTPS_port> or

http://<host_name>:<end_entity_HTTP_port>

In the left frame, under Server, select SSL Server.

In the server-enrollment form that appears, enter the required information:

PKCS#10 Request. Paste the base-64 encoded blob, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- marker lines, you copied to the text file earlier.

Name. Type your name.

Email. Type your business email address, for example, jdoe@someCompany.com.

Phone. Type your business phone number.

Additional Comments. Type any information that will help you identify this request in the future or will help the person who will process this request.

Click Submit.

CEP Enrollment

Cisco routers support the use of certificates for authentication, encryption, and tamper detection by using the IP Security (IPSec) protocol. Certificate Management System supports Cisco's PKI protocol, the Certificate Enrollment Protocol (CEP); this protocol runs over HTTP and provides its own form of encryption. For an overview of certificate authority support for IPSec, see the information available at this URL:

http://www.cisco.com/warp/public/cc/cisco/mkt/security/encryp/prodlit/821_pp.htm

You can issue certificates to routers and CEP-compliant Virtual Private Network (VPN) clients using Certificate Management System. Routers use certificates to authenticate each other and to establish an encrypted IPSec channel between them; all TCP/IP communication passes through this encrypted channel.

Note that Certificate Management System by default supports issuance of certificates to routers and VPN clients using the CEP-based enrollment. However, publishing of these certificates to an LDAP-compliant directory is not turned on by default because routers and VPN clients need to have access to an LDAP directory in order to fully support various functions, such as certificate and CRL retrieval. This section explains how to set up a Certificate Manager to issue certificates to routers and CEP-compliant Virtual Private Network (VPN) clients. The section also describes how to configure the Certificate Manager to publish these certificates and certificate revocation lists (CRLs) to an LDAP-compliant directory.

You may configure the Certificate Manager to publish to any LDAP-compliant directory, but if you do not have one available, you can use the one supplied with Certificate Management System. Certificate Management System comes with Netscape Directory Server, which is an LDAP-compliant directory. When you install Certificate Management System, two instances of Netscape Directory Server are automatically created in the same server group in which Certificate Management System is installed--one of the Directory Server instances is identified as the configuration directory and the other internal database. For publishing certificates and CRLs you may use the configuration directory, but not the internal database. The internal database is configured for exclusive use by Certificate Management System; see "Internal Database".

There are two ways to set up CEP enrollment:

CEP Enrollment Using the Script

Setting up CEP Enrollment Manually

CEP Enrollment Using the Script

Certificate Management System provides a menu-driven, interactive script to automate the CEP enrollment process. To invoke the script:

Go to the Certificate Manager's host system.

Open a command-line window.

Go to this directory: <server_root>

Enter the following at the prompt:

% install/perl/bin/cert/tools/cepconfig.pl

The main menu shows up.

CEPCONFIG

This script can be used to configure any instance of CMS.  
Configuration tasks include the following:

- Adding/removing CEP services

You can configure different services, responding to different URLs in CMS. This enables different authentication and policy options to be set for different types of client (e.g. router and VPN)

- Enabling/disabling LDAP publishing of certificates and CRLs

Quick-and easy set up the publishing directory.

Turns on publishing.

Adds CRL distribution point to certificates.

_____________________________________________________________

Press ENTER to continue....

Follow the on-screen instructions to set up CEP enrollment.

Setting up CEP Enrollment Manually

The information covered in this section explains how to set up CEP enrollment manually. Note that the instructions are written with these assumptions:

That you will publish certificates and CRLs to the configuration directory. For more information about the configuration directory, see Managing Servers with Netscape Console. To locate this document, open this file: <server_root>/manual/index.html

That you will publish certificates and CRLs to the same tree in the configuration directory; you may customize this if you desire. We recommend that you publish to a tree named after the O attribute in your CA signing certificate. Router certificates will also need to have an O inserted in the subject name; this can be done automatically. This section refers to the name of this tree as Base DN.

If you want to publish to any other LDAP-compliant directory, read Part 7 "Publishing".

To set up CEP enrollment manually, follow these steps:

Step 1. Set up the Directory for Publishing Certificates and CRLs

Step 2. Configure the Certificate Manager for Publishing Certificates and CRLs

Step 3. Set up Automated Enrollment (optional)

Step 4. Set Up Multiple CEP Services (optional)

Step 1. Set up the Directory for Publishing Certificates and CRLs

The section "Step 2. Set Up the Directory for Publishing" contains information on setting up Netscape Directory Server for publishing certificates and CRLs--it covers directory schema required for publishing certificates and the attributes to which a Certificate Manager publishes end-entity certificates and CRLs.

For the configuration directory to support publishing of certificates and CRLs, you need to verify two things:

The Directory Server schema--verify that the directory schema can accommodate router and VPN client certificates. You may need to update the Directory Server's schema. The reason for this is, if you plan on publishing certificates from routers, they may need to be published with the same DN as their certificate subject names. For example, if the certificate subject name contains UnstructuredAddress or UnstructuredName components, you may need to add them to the directory schema.

unstructuredAddress, 1.2.840.113549.1.9.7, string

unstructuredName, 1.2.840.113549.1.9.8, string

To modify the schema you can use the Directory Server window, which can be launched from within Netscape Console. Alternatively, you can prepare an LDIF file with the changes you want to make and then run the LDAP modify command. Check the directory documentation for instructions.

The Directory Server port--note the port number assigned to the configuration directory; it must be 389. If you installed Certificate Management System with the default choices, you may skip this step; the default port assigned to the configuration directory is 389. To find out the port number assigned to Directory Server, check it's configuration file (which is at <server_root>/slapd-*/slapd.oc.conf). Alternatively, you can also find and change the port number from Netscape Console.

Step 2. Configure the Certificate Manager for Publishing Certificates and CRLs

In this step, you should configure the Certificate Manager to issue router and VPN-client certificates with CRL Distribution Point Extension and to publish the certificates to a directory.

Create an instance of the mapper plug-in named LdapExactMapper and of the publisher plug-in named LdapUserCertPublisher. Once you create these instances, you should create a publishing rule for publishing router certificates. For instructions, see "Step B. Add Mappers, Publishers, and Publishing Rules".

Note that the publishing rule must be configured to use the mapper and publisher you create for router certificates. In addition, the predicate expression must be set to HTTP_PARAMS.certType==CEP-Request.

Configure CRL publishing details; for instructions, see "Step 4. Configure the Certificate Manager to Publish CRLs".

Identify the directory for publishing. For instructions, see "Step 5. Identify the Publishing Directory".

Create an instance of the policy plug-in named CRLDistributionPointsExt, which is explained in "CRL Distribution Points Extension Policy", for router certificates. This extension, if present in a certificate, enables the user of the certificate to find revocation information pertaining to that certificate. When you create an instance of the CRLDistributionPointsExt plugin, be sure to leave the issuerName and issuerType fields blank and to enter HTTP_PARAMS.certType==CEP-Request in the predicate field.

Stop the Certificate Manager and edit the configuration file to include the following lines:

eeGateway.cep.cep1.appendDN=O=<BASE DN>

eeGateway.cep.cep1.createEntry=true

eeGateway.cep.cep1.entryObjectClass=cep

eeGateway.cep.cep1.url=/cgi-bin/pkiclient.exe

A description for each of the above parameters are provided in Table 27.1.

Table 27.1 CEP service-related parameters in the configuration file


Parameter	Description
appendDN	Specifies the DN component appended to the DN the router requests. You must have a constant component in the DN which exists in the certificate to be able to publish.
createEntry	Specifies whether to create an entry in the directory before publishing the certificate. Note that to publish a certificate, an entry must already exist for the DN in the directory. Enter true if you want the Certificate Manager to create an entry if one does not already exist (true/false). Enter false if an entry already exists in the directory and you don't want the server to create one.
entryObjectClass	Specifies the type of object to assign to the new entry. By default, this cep, and should not be changed. Note that when createEntry=true, the Certificate Manager will attempt to create an entry for the user. The directory hierarchy must be set up correctly beforehand to accept new entries. To clarify this by an example, if you expect the Certificate Manager to be able to create an entry for a certificate with DN CN=John Doe, OU=Accounting, O=Company, C=US, you must have already created three (3) directory entries for C=US O=Company, C=US OU=Accounting, O=Company, C=US You can do this with the help of the ldapmodify command and an LDIF file with the following information: dn: C=US changetype: add objectclass: top objectclass: country c: US dn: O=Company, C=US changetype: add objectclass: top objectclass: organization o: Company dn: OU=Accounting, O=Company, C=US changetype: add objectclass: top objectclass: organizationalunit ou: Accounting dn: cn=config,cn=ldbm changetype: modify add: nsslapd-suffix nsslapd-suffix: C=US Also, note that in this case, C=US is the root of your directory, because it is the sole component of the DN. To create a new root, you must first add a new suffix, which is done by adding this to your LDIF file (see the last section of the LDIF file above). For more details, check Netscape Directory Server Administrator's Guide.
url	Specifies the URL for CEP enrollment. It is used if the router requests a subject name such as unstructuredAddress=1.2.3.4+unstructuredName= fred.siroe.com. You will need to append the DN to add-on O=siroe.com as otherwise publishing to the directory will not work.

Once this is done, you may configure the Certificate Manager for automated enrollment. To do so, follow the steps in the next section. If you do not want to configure the server for automated enrollment, restart the server.

Step 3. Set up Automated Enrollment

As a part of enrolling for a certificate (via CEP), a router administrator or VPN-client user needs to start the enrollment process, which in turn asks the user for information such as the following:

The CA's identity

The CEP enrollment URL

A challenge password

The serial number and IP address

Some of the information a user enters, such as the serial number and IP address, goes in to the subject name in the CEP request. Information such as the CA's identity and enrollment URL enables the router to connect to the valid CA to make the certificate request. The challenge password, if specified, enables the user to authenticate to the server during enrollment and to revoke the certificate, if needed, by presenting the same password again. (See "Certificate Issuance to Routers or VPN Clients".)

You can configure the Certificate Manager to use either the challenge password or the subject name (all or a part of it) as an authentication token during a CEP enrollment, thus enabling users to get router certificates without any action on the part of the Certificate Manager agent.

To aid you in implementing the automated CEP enrollment process, Certificate Management System comes with an authentication plug-in module named FlatFileAuth. This plug-in is available in source-code form in the CMS samples package in this directory:

<server_root>/cms_sdk/samples/authentication

In order for the Certificate Manager to recognize the FlatFileAuth plug-in and use it for authenticating CEP-based certificate requests, you must do the following:

Create an instance of the plug-in; for instructions, see "Step 4: Add an Authentication Instance".

You can do this either via the CMS window or by adding the required parameters to the Certificate Manager's configuration file (CMS.cfg). The configuration parameters of the FlatFileAuth plug-in are as follows:

eeGateway.cep.cep1.authName=flatfile

auths.instance.flatfile.fileName=<full_pathname_of_password_ file>

auths.instance.flatfile.authAttributes=pwd

auths.instance.flatfile.keyAttributes=UNSTRUCTUREDNAME

auths.instance.flatfile.pluginName=flatfilePlugin

auths.instance.flatfile.deferOnFailure=false

auths.impl.flatfilePlugin.class=com.netscape.certsrv.authent ication.FlatFileAuth

A description for each of the above listed parameters are provided in Table 27.2.

Table 27.2 Configuration parameters defined in the FlatFileAuth plug-in


Configuration parameter	Description
authName	Provides a reference to the auths.instance authentication plug-in described in the auths.instance.* configuration parameters. If you want to turn off automated enrollment for CEP-based requests, delete this parameter from the configuration file.
fileName	Specifies the filename of an authentication-token file. You prepare this file as a part of setting up an automated CEP enrollment as explained in Step 4-B. Be sure to use the full path name.
keyAttributes	Specifies a comma-separated list of attributes in the request which together, uniquely identify an entry in the authentication-token file. Note that these attributes must be present in the request and in the password file for the authentication to succeed.
authAttributes	Specifies a comma-separated list of attributes from the CEP request which must match the attributes specified in the authentication-token file for authentication to succeed. Currently the most useful thing to put in this parameter is pwd, the challenge password from the request.
deferOnFailure	Specifies whether the server should defer CEP requests that fail authentication. true specifies that the server should defer CEP-enrollment requests that fail authentication; the deferred requests get queued for agent approval. false specifies that the server should reject CEP-enrollment requests that fail authentication.

During CEP enrollment, all the attributes in the subject name and the challenge password are passed to the FlatFileAuth plug-in. The plug-in looks in a prepared file (referred to as the authentication-token file in this document), which consists of a series of entries for each valid enrollee, to determine if the request should be authenticated. For the Certificate Manager to be able to locate the appropriate entry in the authentication-token file before it does any checking of the password, you must identify attributes that are unique in each router request. You do this by setting the keyAttributes parameter of the FlatFileAuth plug-in implementation to the list of attributes which will be unique in the CEP request.

Table 27.3 lists the default attributes set by the router in the request.

Table 27.3 Default request attributes set by the router


Attribute	Description
UNSTRUCTUREDNAME	Specifies the DNS name of the router (for example, router32.siroe.com). This is always specified in the request.
UNSTRUCTUREDADDRESS	Specifies the IP address of the router (for example, 101.22.33.124). This may not be in the request--a user may not want to include this in the subject name of the router certificate, and hence choose not to specify one during enrollment.
SERIALNUMBER	Specifies the serial number of the router (for example, 239333). This can sometimes be found on a label on the back of the router. It is also available by typing the show version command. This may not be in the request--a user may not want to include this in the subject name of the router certificate, and hence choose not to specify one during enrollment.

You can identify one or more of these attributes as unique attributes in the authentication-token file. For most cases, specifying the UNSTRUCTUREDNAME as the unique attribute will suffice. In this case, you would set the keyAttributes parameter as follows:

auths.instance.flatfile.keyAttributes=UNSTRUCTUREDNAME

However, if this is not unique, you may specify both UNSTRUCTUREDNAME and UNSTRUCTUREDADDRESS as unique attributes. In this case, you would set the keyAttributes parameter as follows:

auths.instance.flatfile.keyAttributes=UNSTRUCTUREDNAME,UNSTRUCTUREDADDRESS

This will force the server to use both these attributes to locate an entry in the authentication-token file. Note that both the attributes must be present in the request for authentication to succeed.

There's an added advantage in determining unique attributes for it allows you to enforce a rule on the attributes that must be present in the CEP enrollment request. For example, if you would like to enforce that a particular router be assigned to an IP address and host name, you could set the keyAttributes parameter as follows:

auths.instance.flatfile.keyAttributes=UNSTRUCTUREDNAME,UNSTRUCTUREDADDRESS,SERIALNUMBER

Once an entry has been found in the authentication-token file, the server tests the authentication tokens specified in the authAttributes parameter against those in the file. Only if they all match, the server grants the request. For the purposes of this discussion, let us assume that you define a single authentication token named pwd for the challenge password. In this case, you would set the authAttributes parameter as follows:

auths.instance.flatfile.authAttributes=pwd

In summary, to implement the automated CEP enrollment process, you need to do the following:

Decide on authentication credentials for users.

Prepare a list of your CEP enrollees and assign a password to each enrollee.

Prepare the authentication-token file with the credentials.

Create a text file with CEP-enrollee information. The format of the authentication-token file must be as follows:

...

Each enrolling user is represented by a sequence of attribute-value pairs, terminated by a blank line or end-of-file (EOF). The attributes can be any part of the subject name from the request, for example SERIALNUMBER, CN, OU, UID, or the challenge password (pwd). An example is shown below:

DN: <DN_for_user1>

UNSTRUCTUREDNAME: router32.siroe.com

UNSTRUCTUREDADDRESS: 101.22.33.124

SERIALNUMBER: 239333

pwd: ff93Kd

DN: <DN_for_user1>

UNSTRUCTUREDNAME: router33.siroe.com

UNSTRUCTUREDADDRESS: 101.22.33.125

SERIALNUMBER: 233455

pwd: 35pww3a

Note that if you specify a DN for a CEP enrollee in the authentication file, the Certificate Manager replaces the subject name requested by that user (router or VPN client) with the one specified in the file.

After you've created entries for all the CEP enrollees, save the file. Also note the complete path to the file; you'll be required to specify this in the next step.

Configure the Certificate Manager to use the FlatFileAuth plug-in to verify predetermined credentials.

Once you have created the authentication file, you should register the FlatFileAuth plug-in implementation in the CMS authentication framework and create an instance (named flatfile) of the registered plug-in. Be sure to specify the full path to your authentication file and save your changes.

Restart the Certificate Manager.

After changing the configuration file, you must restart the server for the changes to take effect. If the server fails to start, check the log file for any error messages.

Provide users with the predetermined authentication credentials.

Send the password you determined to the CEP enrollees, asking them to enter it when they are prompted for the challenge password during CEP enrollment.

Step 4. Set Up Multiple CEP Services

This step is optional.

By default, the CEP service runs on this URL: /cgi-bin/pkiclient.exe

It is possible to set up multiple instances of CEP, each with a different configuration, each listening on a different URL. This is useful if you have different requirements for different types of users. For example, you might want to have one CEP service that authenticates routers and publishes their certificates to the directory and another CEP service that authenticates VPN clients but does not publish their certificates to the directory.

To set up multiple CEP services, use the following example as a guide:

## Router configuration

eeGateway.cep.cep1.appendDN=O=*BASE_DN*

eeGateway.cep.cep1.createEntry=true

eeGateway.cep.cep1.entryObjectClass=cep

eeGateway.cep.cep1.url=/cgi-bin/pkiclient.exe

eeGateway.cep.cep1.authName=flatfile_router

## VPN configuration

eeGateway.cep.cep2.url=/vpnenroll

eeGateway.cep.cep2.authName=flatfile_VPN

## Router authentication parameters in the configuration file

auths.instance.flatfile_router.fileName=<full_path_to_the_au thentication_file>

auths.instance.flatfile_router.authAttributes=pwd

auths.instance.flatfile_router.keyAttributes=UNSTRUCTUREDNAM E

auths.instance.flatfile_router.pluginName=flatfile

auths.instance.flatfile_router.deferOnFailure=true

## VPN authentication parameters in the configuration file

auths.instance.flatfile_VPN.fileName=<full_path_to_the_authe ntication_file>

auths.instance.flatfile_VPN.authAttributes=pwd

auths.instance.flatfile_VPN.keyAttributes=CN,OU,O

auths.instance.flatfile_VPN.pluginName=flatfile

auths.instance.flatfile_VPN.deferOnFailure=false

## FlatFileAuth plugin registered in the configuration file

auths.impl.flatfile.class=com.netscape.certsrv.authenticatio n.FlatFileAuth

When setting up multiple CEP services, you can use the cepsubstore attribute to differentiate one CEP service from another. For example, if you're setting up separate CEP services for router and VPN-client certificates and want to set different extensions in these certificates, you can make that happen with the help of predicates; see Table 16.2.

Certificate Issuance to Routers or VPN Clients

In general, issuing a certificate to a router involves the following steps:

Step 1. Find the Required Information

Step 2. Generate the Key Pair for the Router

Step 3. Request the CA's Certificate

Step 4. Submit the Certificate Request to the CA

Step 1. Find the Required Information

Decide whether you want to submit the certificate request for your router to the Certificate Manager (CA) directly or through a Registration Manager.

Open Netscape Console, and locate the CMS instance that corresponds to the subsystem of your interest. Make sure that the Certificate Manager is started. If you are planning to submit the request via a Registration Manager, make sure that both the Registration Manager and Certificate Manager (to which the Registration Manager forwards its requests) are started.

Open the CMS window, and verify whether the HTTP port is enabled. If it isn't, enable it; see "Configuring Port Numbers". If you are requesting the certificate for an earlier version of router software, make sure that the HTTP port number is set to 80; earlier versions of router software can only connect to port 80.

Note the CEP enrollment URL. It is in this form:

http://<host_name>:<HTTP_port>/cgi-bin/pkiclient.exe

where <host_name> is in the <machine_name>.<your_domain>.<domain> form.

Note or print the certificate fingerprint information of the Certificate Manager CA signing certificate. You will be required to compare this with the fingerprint the router will show on the screen.

To locate the fingerprint information:

Go to the end-entity page hosted by the Certificate Manager.

Click the Retrieval tab.

List or search for the CA signing certificate.

Click Details.

Scroll down to the section that says "Certificate fingerprint."

In your router documentation, locate the information specific to requesting certificates for routers. Check the signing algorithm, such as RSA or DSA, and key lengths, such as 512 and 1024, supported by the router. Based on that information, determine the signing algorithm and the key length for the certificate you want to request.

Find out the password that enables you to access the router in privileged mode.

In your router documentation, locate instructions for requesting certificates. You will be required to run the appropriate commands using this documentation.

Step 2. Generate the Key Pair for the Router

Run the appropriate commands for your router, and generate the key pair. You will be required to provide the signing algorithm, such as RSA or DSA, and the key length, such as 512 or 1024. The longer the key length, the more time the router takes to generate the key pair.

Step 3. Request the CA's Certificate

In this part of the operation, you identify the CA to the router, thus enabling the router to authenticate the CA from which it will request the certificate. You also verify whether the router is talking to the right CA; you do this manually.

Here's what you should do:

Run the appropriate command to get the CA certificate.

The command will ask you to specify the following:

An identity for the CA. You can give any identity; choose something you will remember, since you will be required to provide it when you submit the certificate request.

The CA's enrollment URL; this is the enrollment URL you identified in Step 1.

The router gets the CA certificate and displays its fingerprint on your screen.

Verify the fingerprint on your screen with the one you noted down in
Step 1.

If it matches, the router is talking to the right CA.

Step 4. Submit the Certificate Request to the CA

To submit the certificate request to the CA:

Run the appropriate command.

The command will ask you for certain information:

The CA's identity. You specified this in Step 3.

Challenge password. If you enter one, write it down; you will be required to specify this password to revoke the certificate.

The CEP enrollment URL.

Whether you want to include the router's serial number in the request. If you choose to include the serial number, it will be included in the certificate's subject name.

Whether you want to include the router's IP address in the request. If you choose to include the IP address, it will be included in the certificate's subject name.

This step depends on your CA's configuration for router enrollment.

If the CA to which the router submitted the request employs automatic enrollment (or authentication) for routers, the request will get processed by the CA. The CA may return the certificate to the router in the same transaction. If it doesn't, the router checks with the CA at periodic intervals; in the router configuration you can specify how often the router should poll the CA for the certificate and how many attempts it should make. By default, the router checks the CA every minute.

If the CA to which you submitted the request is configured for manual enrollment (or authentication), the request gets queued and awaits approval by an agent.

Important Your router may require additional configuration changes. Be sure to follow the information in your router documentation.

Example

The example below shows the commands and associated outputs for a Cisco router:

# To perform certificate enrollment for a router using CEP, you must be 

# in privileged mode, which you do by typing "enable" first, and then 

# entering the password.

	router> enable

	router% config terminal

	router(config)#crypto key generate rsa

	The name for the keys will be: netscape.mcom.com

	Choose the size of the key modulus in the range of 360 to 2048 for 

		your General Purpose Keys. Choosing a key modulus greater than 512 

		may take a few minutes.

	How many bits in the modulus [512]:

	Generating RSA keys ...

	[OK]

	router(config)#crypto ca identity test-ca

	router(ca-identity)#enrollment url http://ca-hostname.domain.com/

													cgi-bin/pkiclient.exe

	router(ca-identity)#exit

	router(config)#crypto ca authenticate test-ca

	Certificate has the following attributes:

	Fingerprint: 24D34656 EB830C39 DD9E8179 0A4EBA98

	% Do you accept this certificate? [yes/no]: yes

	router(config)#crypto ca enroll test-ca

	% Start certificate enrollment ..

	% Create a challenge password. You will need to verbally provide this 

		password to the CA Administrator in order to revoke your 

		certificate. For security reasons your password will not be saved 

		in the configuration. Please make a note of it.

	Password:

	Re-enter password:

	% The subject name in the certificate will be: router.domain.com

	% Include the router serial number in the subject name? [yes/no]: yes

	% The serial number in the certificate will be: 08342063

	% Include an IP address in the subject name? [yes/no]: yes

	Interface: ethernet0

	Request certificate from CA? [yes/no]: yes

	% Certificate request sent to Certificate Authority

	% The certificate request fingerprint will be displayed.

	% The 'show crypto ca certificate' command will also show the 		

		fingerprint.

	router(config)# exit

	router#show crypto ca certificates

	CA Certificate

	 Status: Available

	 Certificate Serial Number: 1

	 Key Usage: Not Set

	Certificate

	 Subject Name

		 Name: netscape.mcom.com

		 IP Address: 208.12.63.193

		 Serial Number: 08342063

	 Status: Pending

	 Key Usage: General Purpose

	 Fingerprint:  91D70D7F D8BF0DFA E13F00B0 6EA706A0 00000000

Certificate Renewal

Every certificate issued by Certificate Management System has a validity period that determines its expiration date. The validity period of a certificate is determined by the validity constraints policy settings at the time the certificate was issued (see "Validity Constraints Policy"). For a certificate to be valid beyond its expiration date, it must be renewed. Otherwise, the certificate becomes invalid, and the entity owning the certificate will no longer be able to use it. Also, the expired certificate will take up space in your publishing directory and in the internal database of Certificate Management System.

Note The Job scheduler component of Certificate Management System enables you to schedule a job for removing expired certificates from the publishing directory. For details, see "Directory Update and Notification".

Renewal of Client Certificates

Certificate Management System allows end users to renew their certificates by using the certificate renewal form hosted by a Certificate Manager or Registration Manager; the form is available in the Renewal tab of the HTTPS interface. End users can use this form for renewing a single certificate or dual certificates. To renew a certificate, end users need to present their current certificate (for SSL client authentication) during renewal. For renewal purposes, the server accepts even expired certificates.

Certificate Management System comes with a policy plug-in module that allows you to configure both Certificate Manager and Registration Manager to apply specific renewal rules for certificates; you can specify how long a renewed certificates should be valid and how many days before expiration of the current certificate an end user can renew the certificate. The renewal policy rule, if enabled, also enforces that the certificate presented during client authentication is valid or is expired; it cannot have been revoked. For more information about this policy module, see "Renewal Validity Constraints Policy".

When a certificate is renewed, Certificate Management System formulates a new certificate with the same public key and other details from the existing certificate; the renewal does not include key changeover. The server, if configured for LDAP publishing, also publishes the new certificate to the publishing directory.

The following steps describe how a Certificate Manager or Registration Manager renews client certificates:

The end user uses the certificate renewal form provided in the Renewal tab of the End Entity Services interface of a Certificate Manager or Registration Manager and submits a certificate-renewal request.

The end user can request renewal of the certificate he or she presents for client authentication or renewal of all certificates (that belong to the end user) with the same subject name as in the authentication certificate. After successful authentication, the server fetches the currently-valid (or expired) certificates for the end user from its certificate repository.

The server formulates a renewal request based on the certificate being used for renewal.

The server applies its currently configured renewal policies to the request. If the policies require that the request be deferred for agent approval, the server stores the renewal request in the request queue and responds to that end user indicating that the request is waiting for approval by an agent. If the request is rejected by any of the policy rules, the server sends an error response.

The server formulates a CRMF request for one or more certificates as the case may be using a suitable template.

As an administrator, you can configure a Certificate Manager or Registration Manager to automatically notify end users to renew their certificates before the current ones expire. If you enable this feature, the subsystem periodically queries the internal database for already expired or about to expire and not renewed already certificates, and alerts the user and you (optional) to imminent certificate expiration. For more information about this feature, see "Certificate Renewal Notifications".

Renewal of Server Certificates

Certificate Management System allows server administrators to renew their certificates by using the server enrollment form hosted by a Certificate Manager or Registration Manager. The renewal process is similar to the enrollment process in that the administrators must manually generate the certificate-signing request using the server's key pair, paste that request in the manual enrollment form, and submit the request. For details, see "Certificate Issuance to Servers".

Note For renewing the certificates of a Certificate Manager, Registration Manager, or Data Recovery Manager, see "Renewing Certificates for the Subsystems".

Certificate Revocation

Certificate Management System allows a certificate to be revoked by an end user (the original owner of the certificate), a server administrator, or by a Certificate Manager or Registration Manager agent. End users can revoke certificates by using the Revocation form provided in the end-entity services interface. Agents can revoke end-entity certificates by using the appropriate form in the Agent Services interface. Certificate-based (SSL client authentication) or challenge-password-based authentication is required in both cases; for details, see "Authentication of End Users During Certificate Revocation".

An end user can revoke only those certificates that contain the same subject name as in the certificate presented for authentication; if using a challenge password, the user can revoke only the certificate that is associated with that password. After successful authentication, the server lists the certificates belonging to the end user. The end user can then select the certificate to be revoked or can revoke all certificates in the list. The end user can also specify additional details, such as the date of revocation and revocation reason for each certificate or for the list as a whole. For instructions on how end users revoke their certificates, see the online help available by clicking the Help buttons on the end-entity forms.

Agents can revoke certificates based on a range of serial numbers or based on one or more subject name components. Upon submission of the revocation request, the agent receives a list of certificates from which she or he can pick the ones to be revoked. For instructions on how agents revoke end-entity certificates, see Netscape Certificate Management System Agent's Guide.

Upon receiving the list of certificates to be revoked, the Registration Manager formulates a CMMF request and sends it to the Certificate Manager. The Certificate Manager marks the corresponding certificate records in its certificate store (maintained in the internal database) as revoked and if configured to do so, removes the revoked certificates from the publishing directory and updates the CRL in the publishing directory.