This chapter introduces Netscape Certificate Management System (CMS), a highly configurable set of software components and tools for creating, deploying, and managing certificates. Based on open standards for certificate management, Certificate Management System leverages Netscape Directory Server and Netscape Console to provide a complete, scalable, high-performance certificate management solution for extranets and intranets.
Key Features
System Architecture
Entry Points for Various Types of Users
Employ specific authentication methods for end-entity certificate enrollment, renewal, and revocation.
Specify policy restrictions on certificate-related operations, such as certificate formulation, issuance, renewal, and revocation.
Specify policy restrictions on key-related operations, such as archival and recovery of end users' encryption private keys.
Revoke certificates, and maintain and publish a list of revoked certificates.
Search for certificates issued by the server.
Set up hierarchies of certificate authorities--multiple subordinate CAs chained up to a root CA. Note that Certificate Management System can chain under popular public CAs that are already pretrust in popular client and server products.
Publish certificate information and the list of revoked certificates to an LDAP-compliant directory, such as Netscape Directory Server, and maintain this information.
Publish the list of revoked certificates to an LDAP-compliant directory, a flat file, and an online validation authority.
With its support for open standards, Certificate Management System gives organizations confidence that they will be able to communicate within a heterogeneous computing environment. Specifically, Certificate Management System does the following:
For details on setting extensions in certificates, see "Overview of Extension- Specific Policy Modules".
Supports signature key lengths of up to 1024 bits (DSA) and 4096 (RSA) on both hardware and software tokens. For details, see Appendix E "Export Control Information" of Netscape Certificate Management System Installation and Deployment Guide.
Supports multiple message formats, such as KEYGEN/SPAC, CRMF/CMMF, CRS/CEP/SCEP, and PKCS #10, for certificate requests. All requests are delivered to Certificate Management System over HTTP or HTTPS; in the case of CRS/CEP/SCEP protocol, the delivery method is always over HTTP.
Supports certificate formats that encompass certificates for SSL-based client and server authentication, secure Multipurpose Internet Mail Extensions (S/MIME) message signing and encryption, object signing, VPN clients, and Cisco routers.
Supports generation and publication of CRLs conforming to X.509 version 1 and 2. For more information, see "CRL Extension Modules".
Publishes certificates and certificate revocation lists (CRLs) to the any LDAP-compliant directory over LDAP and HTTP/HTTPS connections. For more information, see "Publishing of CRLs to an LDAP Directory".
Publishes certificates and CRLs to a flat file for importing into other resources. For example, the sample code for Flat File CRL and certificate publisher can be customized to store certificates and CRLs in an Oracle RDBMSTM. For more information, see "Publishing of CRLs to Flat Files".
Publishes CRLs to an online validation authority (or OCSP responder), such as ValiCert Certificate VA, enabling real-time verification of certificates by OCSP-compliant clients. For more information, see "Publishing of CRLs to an Online Validation Authority".
Certificate Management System includes three servers, the Certificate Manager, Registration Manager, and Data Recovery Manager.
The Registration Manager is an optional component in the PKI; it is a subordinate server to which a Certificate Manager can delegate some certificate management functions. For example, a Registration Manager may perform tasks, such as end-entity authentication and formulation of the certificate request for the Certificate Manager.
The Data Recovery Manager is an optional component in the PKI. It provides key archival and recovery services for end users' encryption private keys.
Certificate Management System lets you separate the registration process from the certificate-signing process with the help of Registration Managers. You can run multiple Registration Managers remotely, all reporting to a single CA--a Certificate Manager--to verify user identities and process certificate signing requests. The remote Registration Managers forward their completed and approved requests to the Certificate Manager for it to sign and issue the certificate automatically.
Certificate Management System can function as a root (or parent) CA (in which case the server signs its own CA signing key as well as other CA signing keys) enabling you to create your own CA hierarchy. You can also install the server to function as a subordinate CA (in which case the server gets its CA signing key signed by another CA) in an existing CA hierarchy.
Certificate Management System can function as a linked CA, chaining up to many third-party or public CAs for validation; this provides cross-company trust, so applications can verify certificate chains outside the company certificate hierarchy.
Certificate Management System supports smart cards and crypto accelerators provided by various third-party vendors of PKCS #11 version 2.1-compliant products. For a complete list of vendors, check this site:
Certificates issued by Certificate Management System work with existing Netscape client and server products that support SSL. The certificates also work (out of the box) with a variety of non-Netscape, standards-compliant applications. For a complete list of these products, see the information available at this URL:
Certificate Management System uses a highly scalable, high-performance certificate storage facility--a preconfigured version of Netscape Directory Server 4.x that's automatically installed with Certificate Management System--enabling you to issue and manage a large number of certificates. For more information, see "Internal Database".
The registration services framework for end entities includes the most commonly expected PKI features: manual, directory-based, and directory- and PIN-based enrollment; certificate-authenticated renewals and revocations (based on SSL client authentication); certificate life-cycle operations that include automated certificate renewal and expiration notifications. These features are available out of the box for both Certificate Manager and Registration Manager.
For information on automated notifications, see "Introduction to Job Scheduling and Notifications".
Certificate Management System simplifies the details involved in certificate issuance and management with its built-in, configurable, and extensible authentication, policy, job scheduling, and publishing components. Each of these components come with a set of default modules that enable you to configure Certificate Management System for your PKI requirements. For example, you can configure policy modules to determine the outcome of operations, such as certificate formulation (extensions, signing algorithm, key length, validity period, and so on), issuance, renewal, and revocation.
For information job modules, see Chapter 14, "Introduction to Job Scheduling and Notifications."
For information policy modules, see Chapter 17, "Constraints-Specific Policy Modules" and Chapter 18, "Extension-Specific Policy Modules."
For information publishing modules, see Chapter 21, "Modules for Publishing Certificates and CRLs."
Certificate Management System works seamlessly with any LDAP-compliant directory services for easy distribution of certificates and CRLs, thus lowering the cost of information management. The shared directory architecture enables you to manage users, including their security credentials and other shared data, at a single place. Certificate Management System can do the following:
Integrate certificate-related information with the user and group information that exists in the LDAP directory.
Automatically publish certificates (when they are issued) and CRLs (when created or on a periodic basis) to the LDAP directory, from which they can be easily distributed to clients and servers.
Automatically delete expired and revoked certificates from the directory.
Connect to the directory using password-based (basic) or certificate-based (in the context of LDAP over SSL) authentication using a digital certificate.
To support separate key pairs for signing and encrypting data, Certificate Management System supports generation of dual certificates for end entities capable of generating dual key pairs. If a client makes a certificate request for dual key pairs, the server issues two separate certificates.
Certificate Management System bundles Netscape Personal Security Manager, which when plugged into Netscape Communicator version 4.7 or later enables it to support the CMC protocol and generate dual key pairs. Personal Security Manager is a standards-based, client-independent application that performs PKI operations on behalf of Communicator 4.7 and other applications. Personal Security Manager also provides advanced cryptographic capabilities for applications that connect with Certificate Management System and greatly simplifies PKI operations for end users. In particular, Personal Security Manager allows system administrators to take advantage of the following Certificate Management System features:
Forced certificate backup by end users after certificate issuance.
Issuance and management of dual encryption and signing email certificates.
Automatic storage of encryption private keys with a key recovery authority, such as the Data Recovery Manager, at the time a certificate is issued.
Automatic revocation checking each time Personal Security Manager verifies a certificate.
If your organization uses S/MIME to encrypt mail messages, you can use the key archival feature offered by Certificate Management System to back up users' encryption private keys. This feature is useful when a key becomes unavailable--as, for instance, in the following cases:
An employee leaves the company, and company officials need to perform an audit that requires gaining access to the employee's encrypted data.
Certificate Management System stores users' encryption private keys in an encrypted key repository. Keys can be retrieved only by authorized key recovery agents. The key repository is encrypted using a Data Recovery Manager's storage private key, which is protected with one or more recovery agents' passwords. Only these designated recovery agents can authorize and initiate a key recovery process.
Certificate Management System maintains audit trails for all events--certificate requests and issuance, revocation requests, CRL publication, and so on. These audit records enable you to detect any unauthorized access or activity. In addition, extensive system and error logs record various events and system errors so that you can monitor and debug the system. All log records are stored in your local file system for quick and easy retrieval.
Certificate Management System allows you to sign log files digitally before archiving them or distributing them for audit purposes. This feature enables you to check whether the log files were tampered with after being signed.
The Java-based software development kit (SDK) provided with Certificate Management System includes APIs for customizing different aspects of the system. You can write the following custom modules:
Policy--for setting the rules applied by the individual subsystems.
Jobs--for PKI-related jobs that run with the individual systems.
Mapper and publisher classes--for publishing certificates and CRLs to an LDAP-compliant directory, flat file, and an OCSP responder.
Gateway for end-entity and agent forms or HTTP interfaces--for customizing end-entity and agent interfaces.
Certificate Management System provides an easy migration path from Netscape Certificate Server 1.0x. The server includes a command-line-based migration tool that extracts the contents of a Certificate Server 1.0x database, including keys and certificates, and puts them in three platform-independent files. You then import the contents of these files into the internal database of Certificate Management System.
Certificate Management System version 4.2 provides an easy upgrade path from its previous version, 4.1.
An installation wizard automates the installation and initial configuration process, helping you install Certificate Management System quickly and easily. Then after installation, you can locally or remotely administer Certificate Management System from various computers on your network (using the encryption, message integrity, and authentication services of SSL) with the help of an administration interface called the Certificate Management System window or the CMS window.
Registration Manager
Data Recovery Manager
Policy
Job scheduling and notification
Logging
LDAP publishing
Internal database
Figure 1.1 Certificate Management System architecture
Table 1.1 Certificate Management System components
Certificate Management System can function very closely with an LDAP-compliant directory, such as Netscape Directory Server, that organizations typically use to maintain corporatewide data about user and group accounts and other network resources. You can set up Certificate Management System to automatically publish certificate information and CRLs to a directory. The advantage of publishing certificates and CRLs to the directory is multifold:
If you are using S/MIME-enabled clients (for example, Netscape Communicator), publishing all certificates to a central directory enables your users to import others' certificates from the global directory.
Figure 1.2 Seamless integration with any LDAP-compliant directory
Independent CAs can issue and manage certificates to their users listed in any LDAP-compliant directory.
You can install all three subsystems, the Certificate Manager, Registration Manager, and Data Recovery Manager as standalone servers. You can also install the Data Recovery Manager with a Certificate Manager or Registration Manager--that is, the same instance of Certificate Management System will include both the servers. You cannot install a Registration Manager in the same instance as that of a Certificate Manager.
If the subsystems are installed under separate server groups, then they use separate instances of Netscape Administration Server installed for those groups. In this case, the URL for logging in to Netscape Console will be different for the subsystems.
Note that when installed standalone, each subsystem has its own configuration file and an administrative interface, the CMS window, which can be launched within Netscape Console. The subsystem also has its own Directory Server instance (identified as the internal database) for storing and retrieving persistent objects such as certificates and keys.
Figure 1.3 Entry points for different types of users
Table 1.2 Certificate Server user-entry points