Complete Contents
About This Guide
PART 1: Netscape Certificate Management System
Chapter 1: Introduction to Certificate Management System
Chapter 2: Administration Tasks and Tool
Chapter 3: Configuration
PART 2: Managing Certificate Management System
Chapter 4: Installing and Uninstalling CMS Instances
Chapter 5: Starting and Stopping CMS Instances
PART 3: System-Level Configuration
Chapter 6: Configuring Ports, Database, and SMTP Settings
Chapter 7: Managing Privileged Users and Groups
Chapter 8: Keys and Certificates
PART 4: Authentication
Chapter 9: Introduction to Authentication
Chapter 10: Authentication Modules for End-Entity Enrollment
Chapter 11: Using the PIN Generator Tool
Chapter 12: Configuring Authentication for End Users
Chapter 13: Developing Custom Authentication Modules
PART 5: Job Scheduling and Notification
Chapter 14: Introduction to Job Scheduling and Notifications
Chapter 15: Configuring Schedulable Jobs
PART 6: Policies
Chapter 16: Introduction to Policy
Chapter 17: Constraints-Specific Policy Modules
Chapter 18: Extension-Specific Policy Modules
Chapter 19: Configuring a Subsystem's Policies
PART 7: Publishing
Chapter 20: Introduction to Publishing Certificates and CRLs
Chapter 21: Modules for Publishing Certificates and CRLs
Chapter 22: Configuring a Certificate Manager for Publishing
PART 8: Agent and End-Entity Interfaces
Chapter 23: Introduction to End-Entity and Agent Interfaces
Chapter 24: Customizing End-Entity and Agent Interfaces
PART 9: Logs
Chapter 25: Introduction to Logs
Chapter 26: Managing Logs
PART 10: Issuance and Management of End-Entity Certificates
Chapter 27: Issuing and Managing End-Entity Certificates
Chapter 28: Recovering Encrypted Data
PART 11: Appendixes
Appendix A: Distinguished Names
Appendix B: Backing Up and Restoring Data
Appendix C: Command-Line Utilities
Appendix D: Certificate Database Tool
Appendix E: Key Database Tool
Appendix F: Netscape Signing Tool
Appendix G: SSL Strength Tool
Appendix H: SSL Debugging Tool
Netscape Certificate Management System Administrator's Guide: Index
A
accelerators 241
active logs
  default file location 1049
  naming convention 1050
  See also logging
adding
  administrators 190
  agents 193
    automated process 193
    manual process 195
  extensions
    to CA certificates 252
    to CRLs 765, 826, 849, 882
    to end-entity certificates 554, 697
  new authentication instances 385, 395
    relationship with enrollment forms 400
  new directory attributes 1161
  new entries to the password cache 149
  new jobs 469, 475
  new policy rules 688, 697
Administration Server 66, 67
  relationship to Netscape Console 66
  relationship to server root 67
  starting 67
    from Netscape Console 68
    from the command line 68
    from the Windows NT Services panel 68
  stopping 68
    from Netscape Console 69
    from the command line 69
    from the Windows NT Services panel 69
administrators
  common tasks 74
  deleting 223
  designated group 186
  modifying 219
    group membership 221
    login information 219
  port used for operations 156
    See also ports
  role defined 172
  setting up 190
  tools provided
    CMS window 71
    Netscape Console 64
agents
  authorizing remote key recovery 1125
  deleting 223
  designated groups 187
  forms for 921
  locating forms and templates for 922
  modifying 219
    certificate information 220
    group membership 221
    login information 219
  port used for operations 157
    See also ports
  revocation checking of certificates 310
  role defined 173
  setting up 193
    automated process 193
    manual process 195
  SSL client certificates for 175
  See also Agent Services interface
Agent Services interface 899
  Approve Revocation 974
  Bulk Enrollment 978
  Display Key By Serial Number 987
  Display Key For Recovery 989
  Examine Recovery 992
  for Certificate Manager agents 900
  for Data Recovery Manager agents 902
  for Registration Manager agents 901
  Get Approval Status 994
  Get PKCS#12 Data 996
  Grant Recovery 998
  how to access 903
  Key Query 1000
  KeyRecovery Query 1005
  Process Certificate Request 1009
  Process DRM Request 1017
  Process Request 1021
  Recover Key By Serial Number 1023
  Remove Certificate Hold 1026
  Requests Query 1029
  Select for Revocation 1033
  Update CRL 1036
  Update Directory 1038
  URL for 157
  who can access 900
Approve Revocation 974
archiving
  rotated log files 1053
  users' encryption private keys 1115
ASCII to Binary tool 1189
  example 1189
  supported platforms 1189
  syntax 1189
Audit log
  defined 1046
  how to configure 1063
  how to monitor 1070
  logging to Windows NT event log 1072
  See also logging
authentication
  automated vs. manual 320
  built-in modules 320
    list of 321
    NISAuth 343
    PortalEnroll 348, 353
    See also PIN Generator tool
    UidPwdDirAuth 327
    UidPwdPinDirAuth 333
  configuration parameters 386
  defined 305
  developing custom plug-ins 421
    API for 422
    compiling 423
    installing 423
    samples 427
  directory- and PIN-based 332
  directory-based 325
  during certificate enrollment 311
  during certificate renewal 312
  during certificate revocation 314
  for administrators 306
  for agents 308
  managing from CMS window 384
  manual 323
  NIS server-based 340
  subsystem architecture 418
    how it works 419
authentication instances
  adding new 385, 395
    relationship with enrollment forms 400
  configuration parameters 386
  deleting 385, 410
  how they're used 420
  modifying 385, 411
  naming convention 395
authentication modules
  deleting 386, 416
  developing new 417
  how they're used 420
  registering new ones 386, 414
Authority Information Access extension policy 558
Authority Key Identifier extension policy 566
automated enrollment 320

B
base DN 1156
Basic Constraints extension policy 570
Binary to ASCII tool 1189
  example 1190
  supported platforms 1190
  syntax 1190
buffered logging 1051
built-in plug-in modules
  See plug-in modules
bulkissuance 978

C
CA certificate mapper 734
CA certificate publisher 753
CA signing certificate 226
  changing trust settings of 299
  deleting 298
  getting a new one 242, 277
  nickname 226
  renewing 242, 286
  viewing details of 296
CEP 928
CEP enrollment 1092
  manual 1094
  port number for 1105
  setting up multiple services 1103
  URL 1105
  using a script 1093
certificate-based enrollment 357
  forms for 358
  what you need 358
  when to use 357
Certificate Chain
  See certificate chains; Get CA Chain
certificate chains
  getting 918
  installing in the certificate database 260
  why you should install 302
certificate database
  how to manage 294
  what it contains 295
  where it's maintained 294
Certificate Database tool 277, 286, 1197
  examples 1206
  supported platforms 1198
  syntax 1198
  usage 1204
certificate enrollment
  authentication during 311
  supported authentication mechanisms 898
  supported request formats 898
Certificate Enrollment Protocol (CEP) 1092
Certificate Enrollment Protocol Interface 928
certificate issuance
  to routers 1092, 1105
    an example 1109
  to servers 1081
    manual enrollment 1082
    Netscape 3.x servers 1085
    Netscape 4.x servers 1090
  to VPN clients 1092
Certificate Manager
  configuring
    SMTP settings for notifications 168, 169, 481
    to use separate SSL server certificates 269
    to use specific ciphers 275
  connecting to a Data Recovery Manager 211
  enabling interaction with end entities 405
  enrollment forms for 365, 916
  interface for agents 900
  key pairs and certificates
    CA signing certificate 226
    getting new ones 277
    list of 226
    renewing existing ones 286
    SSL server certificate 228
  logging to Windows NT event log 1072
  manual updates to publishing directory 838
  specifying IP address for 161
  what to do if not responding 142
Certificate Policy extension policy 574
certificate renewal 1111
  authentication during 312
  of client certificates 1111
  of server certificates 1113
  supported authentication mechanisms 898
  supported request formats 898
  validity period for 525
Certificate Renewal Window extension policy 580
certificate request
  result of policy processing 498
certificate request formats 898
  for enrollments 898
  for key archival and recovery 899
  for renewals 898
  for revocations 898
certificate revocation
  authentication during 314
  reasons for 722
  supported authentication mechanisms 898
  supported request formats 898
  who can do this 722
certificate revocation list
  manual update 1036
  to retrieve 956
certificates
  enrollment forms 361
    automated 361
    manual 361
  how to revoke 722
  publishing of 715
  publishing to files 720, 840
  publishing to LDAP directory 716, 786
    required schema 789
  revocation reasons 722
Certificate Scope of Use extension policy 586
Certificate Setup Wizard 242
  using to install certificate chains 260
  using to install certificates 260
    supported data formats 261
  using to request certificates 243
challenge_revocation1 929
challenge password 323
Challenge Revocation Interface 929
changing
  CMS instance name 120, 121
    character set for the name 117
    format for the name 120
  DER encoding order of DirectoryString 1164
  group members 221
  passwords in the password cache 149
  port numbers 159
    See also ports
  single sign-on password 148
  trust settings in certificates 299
    why would you change 299
changing passwords 129, 144
checking CMS status 142
ciphers
  configuring 275
  defined 273
  list of 274
  step-up program for browsers 275
  supported on the server side 273
  which ones to choose 274
classpath for adding plug-ins 423
client certificate renewal 1111
CMS_TEMPLATE tag 922
CMS data
  where it's stored 163
CMS feature list 45
CMS instance
  changing the name 120, 121
    character set for the name 117
    format for the name 120
  creating multiple instances 116
  removing 121
  viewing information 118
    file location 119
    installation date 119
    on/off/unknown status 120
    security level 120
    version number 120
CMS watchdog 143
CMS window
  Configuration tab 74
  configuring authentication 384
  configuring jobs 468
  configuring network settings 155
  configuring policies 686
  how to launch 78, 80
  introduction 71
  managing logs 1056
  Status tab 78
  Tasks tab 73
  using to manage policies 690
  using to schedule jobs 471
  who can launch 80
command-line utilities 1185
  ASCII to Binary 1189
  Binary to ASCII 1189
  Certificate Database tool 1197
  dumpasn1 1195
  for adding extensions to CMS certificates 253
  Key Database tool 1211
  killproc tool 142, 1187
  location 1185
  Netscape Signing tool 1221
  Password Cache tool 146
  PasswordCache tool 1186
  PIN Generator 369
  Pretty Print Certificate 1190
  Pretty Print CRL 1193
  some guidelines 1188
  SSL Debugging tool 1259
  SSL Strength tool 1253
  summary table 1185
common features in extension policies 558
configuration
  road map 105
  ways to modify 85
configuration file 81
  copying from one instance to another 84
  effects of installation on 82
  format 87
  format for localizable values 88
  guidelines for editing 87
  how subsystem-specific parameters are distinguished 87
  location 85
  name 81
  sample 88
  shared parameters 82
  ways to modify
    by editing the file 86
    from CMS window 85
  what is ignored by the server 87
  what it controls 82
  when created 81
Configuration tab 74
  tasks you can accomplish 74
configuring logs 1058
  Audit log 1063
  Error log 1061
  System log 1058
  See also logging
connecting subsystems 181, 201
  connection types 183
  connectors 183
  why would you do this 181
constraints-specific policies
  DSA key constraints 505
  issuer constraints 509
  key algorithm constraints 512
  PIN present constraints 514
  renewal constraints 518
  renewal validity constraints 525
  revocation constraints 522
  RSA key constraints 529
  signing algorithm constraints 533
  subordinate CA name constraints 536
  unique subject name constraints 539
  validity constraints 543
constraints-specific policy modules 502
conventions used in this book 37
core features 45
creating
  administrators 190
  agents 193
    automated process 193
    manual process 195
  new password cache 150
creating multiple CMS instances 116
CRL Distribution Point extension 726
CRL Distribution Point extension policy 591
CRL extension modules
  AuthorityKeyIdentifier 767
  CRLNumber 769
  CRLReason 770
  HoldInstruction 772
  InvalidityDate 774
  IssuerAlternativeName 776
  IssuingDistributionPoint 780
  list of 766
CRL publisher 757
CRLs
  defined 721
  extension-specific modules 763
  issuing or distribution points 725
  publishing of 721, 724
  publishing to files 726, 840
  publishing to LDAP directory 724, 786
    required schema 789
  publishing to online validation authority 726, 857
  supported extensions 722
  supported versions 722
  when automated updates take place 722
  when generated 722
  who generates it 721

D
data formats for installing certificate chains 261
  binary 261
  text 262
data formats for installing certificates 261
  binary 261
  text 262
Data Recovery Manager
  configuring
    to use separate SSL server certificates 269
    to use specific ciphers 275
  connecting to a Certificate Manager 211
  connecting to a Registration Manager 202
  interface for agents 902
  key pairs and certificates
    getting new ones 277
    list of 232
    renewing existing ones 286
    SSL server certificate 234
    storage key pair 233
    transport certificate 232
  logging to Windows NT event log 1072
  setting up
    key archival 1134
    key recovery 1143
  specifying IP address for 161
  what to do if not responding 142
defining custom OIDs 553
deleting
  authentication instances 385, 410
  authentication modules 386, 416
  certificates from the token 298
    precaution 298
  entries from the password cache 150
  job modules 470, 484
  jobs 469, 475
  mapper modules 891
  policy modules 688, 711
  policy rules 688, 697
  privileged users 223
  publisher modules 891
  rotated log files 1052
DER-encoding order of DirectoryString 1164
developing custom plug-ins
  classpath 423
developing plug-ins
  for authentication 421
    API 422
    compiling 423
    installing 423
    samples 427
directory
  removing expired certificates from 444
  schema for PINs 390
directory attributes
  adding new 1161
  supported in CMS 1157
directory-based authentication 325
  user ID, password, and PIN 332
  user ID and password 325
display
  See retrieve
displayBySerial
  key for recovery 987
displayBySerialForRecovery 989
displayCertFromRequest
  See Display Certificate From Request
Display Certificate By Serial Number 931
Display Certificate From Request 933
Display Key For Recovery 989
distinguished name (DN)
  base DN 1156
  characters allowed in CMS 1157
  components 1154
  defined 1153
  extending attribute support 1160
  guidelines for choosing DNs 1167
  role in certificates 1166
    CA certificates 1167
    end-entity certificates 1166
  root DN 1155
DN character support in CMS 1157
DN components mapper 738, 744
DN pattern mapper 745
documentation
  conventions followed 37
  where to find 39
doRevoke 974
doUnrevoke 1026
DSA Key Constraints policy 505
dumpasn1 tool 1195

E
email resolver 451
end entities
  enabling interaction with a Certificate Manager 405
  enabling interaction with a Registration Manager 407
  forms provided for 895
  generating PINs for 389, 390
  locating forms and templates 914
  port used for operations 158
    See also ports
  supported request formats 898
end-entity certificate publisher 755
end-entity certificates
  renewal 1111
  revocation 1113
end-entity enrollment forms 361
  automated 361
  manual 361
end-entity forms 913
  for enrollment 363, 915
  for renewal 916
  for retrieval 917
  for revocation 917
End-entity Interface
  Certificate Enrollment Protocol 928
  Challenge Revocation 929
  Display Certificate By Serial Number 931
  Display Certificate From Request 933
  Enrollment 936
  Get CA Chain 946
  Get Certificate By Serial Number 948
  Get Certificate From Request 952
  Get CRL 956
  List Certificates 958
  Renewal 966
  Revocation 968
end-entity templates 920
Enrollment 936
enrollment
  approval 1009
  automated 320
  bulk issuance 978
  list queued requests 1029
  manual 320
enrollment forms
  for Certificate Managers 365, 916
  for end users 363, 915
  for object signing certificates 365, 916
  for OCSP responder certificates 365
  for Registration Managers 365, 916
  for servers 365, 915
  specifying authentication 400
Error log
  defined 1046
  how to configure 1061
  how to monitor 1068
  See also logging
event log
  logging audit and system messages 1072
Examine Recovery 992
examineRecovery 992
expired certificates
  removing from the directory 444
Extended Key Usage extension policy 598
extending directory-attribute support in CMS 1160
extensions 556
  adding to a CA certificate 252
  adding to end-entity certificates 554
  an example 552
  introduction to 550
  structure of 551
  tool for joining 253
  tools for generating 253
extension-specific policies
  authority information access 558
  authority key identifier 566
  basic constraints 570
  certificate policy 574
  certificate renewal window 580
  certificate scope of use 586
  common features 558
  CRL distribution point 591
  extended key usage 598
  Generic ASN.1 605
  issuer alternative name 612
  key usage 618
  name constraints 632
  Netscape certificate comment 642
  Netscape certificate type 647
  policy constraints 653, 657
  policy mappings 661
  private key usage period 666
  subject alternative name 668
  subject directory attributes 675
  subject key identifier 679
extension-specific policy modules 550
  list of 556
external tokens
  defined
  installing 236
  viewing contents of 295

F
file-based publisher 752
filenames
  for active log files 1050
  for rotated log files 1050
flush interval for logs 1051
fonts used in this book 37
forms
  See HTML forms

G
generating PINs for end entities 389, 390
Generic ASN.1 extension policy 605
getApprovalStatus 994
getBySerial
  See Get Certificate By Serial Number
Get CA Chain 946
getCAChain
  See Get CA Chain
getCertFromRequest
  See Get Certificate From Request
Get Certificate By Serial Number 948
Get Certificate From Request 952
Get CRL 956
getCRL 956
getPk12 996
Get PKCS#12 Data 996
getting new certificates for subsystems 277
grantRecovery 998
Grant Recovery (DRM interface) 998
groups
  changing members 221
  defined 186
  for administrators 186
  for agents 187
  for trusted managers 189
  where they're maintained 186

H
hardware accelerators 241
hardware tokens
  See external tokens
host name
  for mail server used for notifications 168
how to check whether CMS is on or off 142
how to revoke certificates 722
how to search for keys 1119
HTML forms
  for agents 899, 921, 922
  for end entities 895, 914
    for enrollment 363, 915
    for renewal 916
    for retrieval 917
    for revocation 917

I
installation date 119
installing external hardware tokens 236
installing multiple CMS instances 116
internal database
  default host name 165
    precaution for changing the host name 165
  defined 163
  how to distinguish from other Directory Server instances 163, 166
  name format 163, 166
  schema 164
    what you shouldn't do 164
  what is it used for 163
  when installed 163
internal tokens
  viewing contents of 295
IP address 161
Issuer Alternative Name extension policy 612
Issuer Constraints policy 509
issuing certificates
  to routers 1092, 1105
    an example 1109
  to servers 1081
    manual enrollment 1082
    Netscape 3.x servers 1085
    Netscape 4.x servers 1090
  to VPN clients 1092

J
job modules
  deleting 470, 484
  registering new ones 470, 482
jobs
  adding new 469, 475
  built-in modules 434
    RenewalNotificationJob 434, 435
    RequestInQueueJob 434, 440
    UnpublishExpiredJob 435, 444
  compared to plug-in implementation 434
  configuration parameters 470
  created during installation 472
  deleting 469, 475
  managing 471
  managing from CMS window 468
  modifying 469, 472
  naming 475
  naming convention 475
  setting frequency 480
  specifying schedule for 448
  turning on scheduler 480

K
Key Algorithm Constraints policy 512
key archival 1118
  how it works 1119
  how keys are stored 1119
  how to set up 1134
  PKI setup required 1116
  required format for requests 899
  where keys are stored 1119
  why you should archive 1118
Key Database tool 1211
  examples 1216
  supported platforms 1212
  syntax 1212
  usage 1215
key features 45
Key Query (DRM Interface) 1000
key recovery 1122
  archive request approval 1017
  by serial number 987, 989
  check request 992
  designated agents
    See key recovery agents
  find by serial number 1023
  grant approval 998
  how to set up 1143
  interface for agents 1123
  list keys 1000, 1005
  local vs. remote 1124
  PKCS #12 data 996
  request status 994
key recovery agents
  passwords 1122
    significance 1122
    when specified the first time 1123
  responsibilities 1122
  role defined 1122
Key Recovery Query (DRM Interface) 1005
Key Usage extension policy 618
killproc tool 142, 1187

L
LDAP publishing
  advantages 716
  defined 716
  manual updates 838
    when to do 838
    who can do this 838
  See also CRLs
linking subsystems
  See connecting subsystems
List Certificates 958
listCerts 958
listing
  contents of password cache 148
  of CRL extension modules 766
  of schedulable jobs 434
list of
  agent forms and templates
    See agents
  end-entity forms and templates
    See end entities
local OCSP support 729
local vs. remote key recovery 1124
location of
  active log files
    See active logs
  agent forms 922
  CMS configuration file 85
  CMS documentation 39
  command-line utilities 1185
  end-entity forms 914
  PIN Generator tool 370
  rotated log files 1052
logging
  buffered vs. unbuffered 1051
  configuring
    Audit log 1063
    Error log 1061
    System log 1058
  log files
    archiving rotated files 1053
    automatic deletion 1052
    automatic rotation 1051
    default location 1049
    location of rotated files 1052
    naming convention for active logs 1050
    naming convention for rotated logs 1050
    significance of deleting files 1053
    timing of rotation 1052
  log levels 1048
    default selection 1049
    how they're represented 1048
    how they relate to message categories 1048
    significance of choosing the right level 1049
    what it means 1048
  managing from CMS window 1056
  monitoring
    Audit log 1070
    Error log 1068
    System log 1065
    using system tools in Windows NT 1072
  parameters in the configuration file 1058
  services that are logged 1047
  types of logs 1046
    Audit 1046
    Error 1046
    System 1046

M
mail server used for notifications 168
managing
  certificate database 294
  job plug-in modules 482
  mapper plug-in modules 888
  policies 690
  policy plug-in modules 708
  privileged users 171
  publisher plug-in modules 888
  schedulable jobs 471
manual authentication 323
manual enrollment 320
mapper modules
  deleting 891
  introduction 732
  list of 733
  registering new ones 889
mappers
  created during installation 735, 745, 811
  defined 732
  modifying 812
mappers that use
  CA certificate 734
  DN components 738
  DN patterns 745
  subject attributes 747
  subject names 744
mapping certificates to directory entries 732
message templates for notifications 455
modifying
  authentication instances 385, 411
  jobs 469, 472
  mappers 812
  policy rules 688, 691
  privileged user's group membership 221
  privileged-user information 219
  publishers 813, 815
m of n secret sharing 1123
monitoring logs 1065
  Audit log 1070
  Error log 1068
  System log 1065
  things you can monitor 1065
  using system tools in Windows NT 1072
  See also logging

N
Name Constraints extension policy 632
naming convention
  for active logs 1050
  for authentication instances 395
  for CMS instances 117
  for internal database instances 163, 166
  for policy rules 698
  for rotated logs 1050
  for schedulable jobs 475
Netscape Certificate Comment extension policy 642
Netscape Certificate Type extension policy 647
Netscape Console
  checking CMS status 142
  how to launch 69
    in Unix 70
    in Windows NT 70
  installing multiple CMS instances 116
  introduction 64
  opening CMS window 78
  relationship to Administration Server 66
  removing a CMS instances 121
  restarting Certificate Management System 140
  starting Administration Server 68
  starting Certificate Management System 133
  stopping Administration Server 69
  stopping Certificate Management System 137
  viewing CMS instance information 118
Netscape Signing tool 1222
  supported platforms 1222
nickname
  for CA signing certificate 226
  for signing certificate 230
  for SSL server certificate 228, 231, 234
  for transport certificate 232
NIS server-based authentication 340
  configurable parameters 343
  plug-in module name 343
notifications
  configuring the mail server 168, 481
    host name 168
    port 169
  customizing 455
    templates 459
  event-driven 449
    when certificates are issued 450
    when new requests are queued 453
  sending renewal notifications to end entities 435
  to agents about pending requests 440
  to agents about unpublishing certificates 444

O
object identifiers 553
object signing certificates
  for third-party tools 366
  how to enroll for 365, 916
OCSP responder 727, 729
OCSP responder certificates
  how to enroll for 365
OCSP server 727
OIDs 553
output templates
  for end-entity operations 920
overview
  authentication modules 320

P
password cache
  tool for managing 146
PasswordCache tool 1186
Password Cache utility 146
  adding new entries 149
  changing passwords 149
  creating a new cache 150
  deleting entries 150
  listing contents 148
  syntax 146
  usage 147
  where to find 146
password-quality checker 130, 151
passwords
  changing cached 129, 144
  See also single sign-on password
pending requests
  list 1029
PIN Generator tool 369
  arguments 370
  delivering PINs to users 410
  directory schema requirements 390
    changing 3.x directory schema 390
    changing 4.x directory schema 390
  exit codes 381
  generating PINs 389
  how it works 375
  how PINs are stored in the directory 380
  output file 379
    checking the directory-entry status 377
    format 379
    why should you use an output file 377
  overwriting existing PINs in the directory 374, 377
  syntax 370
  where to find 370
PIN Present Constraints policy 393, 514
PKCS #11 support
PKCS #12
  key recovery 996
pkiclient.exe 928, 1106
plug-in modules
  classpath for adding 423
  for authentication
    developing new ones 421
    list of 321
    NISAuth 343
    PortalEnroll 353
    UidPwdDirAuth 327
    UidPwdPinDirAuth 333
  for CRL extensions
    AuthorityKeyIdentifier 767
    CRLNumber 769
    CRLReason 770
    HoldInstruction 772
    InvalidityDate 774
    IssuerAlternativeName 776
    IssuingDistributionPoint 780
    list of 766
  for mapping certificates and CRL
    managing 888
  for policy 499, 501, 549
    AuthInfoAccessExt 558
    AuthorityKeyIdentifierExt 566
    BasicConstraintsExt 570
    CertificatePoliciesExt 574
    CertificateRenewalWindowExt 580
    CertificateScopeOfUseExt 586
    CRLDistributionPointsExt 591
    DSAKeyConstraints 505
    ExtendedKeyUsageExt 598
    GenericASN1Ext 605
    IssuerAltNameExt 612
    IssuerConstraints 509
    KeyAlgorithmConstraints 512
    KeyUsageExt 618
    managing 708
    NameConstraintsExt 632
    NSCCommentExt 642
    NSCertTypeExt 647
    OCSPNoCheckExt 653
    PinPresentConstraints 514
    PolicyConstraintsExt 657
    PolicyMappingsExt 661
    PrivateKeyUsagePeriodExt 666
    RenewalConstraints 518
    RenewalValidityConstraints 525
    RevocationConstraints 522
    RSAKeyConstraints 529
    SigningAlgorithmConstraints 533
    SubCANameConstraints 536
    SubjectAltNameExt 668
    SubjectDirectoryAttributesExt 675
    SubjectKeyIdentifierExt 679
    UniqueSubjectNameConstraints 539
    ValidityConstraints 543
  for publishing 749
    FileBasedPublisher 752
    LdapCaCertPublisher 753
    LdapCaSimpleMap 734
    LdapCrlPublisher 757
    LdapDNCompsMap 738
    LdapDNExactMap 744
    LdapSimpleMap 745
    LdapSubjAttrMap 747
    LdapUserCertPublisher 755
    list of 733, 750
    ValiCertPublisher 759
  for publishing certificates and CRL
    managing 888
  for scheduling jobs
    list of 434
    RenewalNotificationJob 435
    RequestInQJob 440
    UnpublishExpiredJob 444
policy
  built-in plug-in modules 499, 501, 549
  configuration parameters 689
  constraints-specific modules 502
  defined 488
  extension-specific modules 550
  managing 690
  managing from CMS window 686
  processor 497
    how it applies rules 498
    result of processing 498
    when used 498
  what can you use it for 488
Policy Constraints extension policy 653, 657
Policy Mappings extension policy 661
policy modules
  deleting 688, 711
  registering new ones 688, 709
policy rules
  adding new 688, 697
  configuration parameters 689
  created during installation 691
  defined 489
  deleting 688, 697
  how policy processor applies them 498
  modifying 688, 691
  naming convention 698
  predicates in 490
  reordering 688, 705
    significance of ordering 705
  See also predicates
  types of 489
  what each rule does 489
portal enrollment 348
  configurable parameters 353
  plug-in module name 353
ports 155
  changing numbers 159
  for agent operations 157
  for end-entity operations 158
    turning on/off HTTP port 160
  for remote administration 156
  for the mail server used for notifications 169
  how to choose numbers 156
predicates
  attributes for 493
  expression support 490
    operators for 491
  sample expressions 490, 492
  what are they 490
  why would you use 490
Pretty Print Certificate tool 1190
  example 1191
  supported platforms 1190
  syntax 1191
Pretty Print CRL tool 1193
  example 1194
  supported platforms 1193
  syntax 1193
Private Key Usage Period extension policy 666
privileged users 171, 172
  deleting 223
  groups 186
  modifying privileges 219
    certificate information 220
    group membership 221
    login information 219
  setting up 190
    administrators 190
    agents 193
    trusted managers 201
  types (roles) 172
    administrators 172
    agents 173
    determining factor 172
    trusted manager 181
Process Certificate Request 1009
processCertReq 1009
Process DRM Request 1017
processReq 1021
processReq (DRM) 1017
Process Request 1021
publisher modules
  deleting 891
  introduction 749
  list of 750
  registering new ones 889
publishers
  created during installation 754, 756, 757, 811
  modifying 813, 815
publishers that can publish to
  CA's entry in the directory 753, 757
  files 752
  online validation authority 759
  users' entries in the directory 755
publishing
  defined 715
  manual directory update 1038
  of certificates 715
    to files 720, 840
    to LDAP directory 716, 786
  of CRLs 721
    to files 726, 840
    to LDAP directory 724, 786
    to online validation authority 726, 857
  See also CRLs; LDAP publishing
publishing certificates and CRLs to directory entries 749
publishing directory
  defined 716
publishing rules
  created during installation 811

Q
queryKey 1000
queryKeyForRecovery 1005
queryReq 1029

R
reasons for revoking certificates 722
reasonToRevoke 1033
recoverBySerial (DRM) 1023
recovering users' private keys 1122
Recover Key By Serial Number 1023
registering
  authentication modules 386, 414
  custom OIDs 553
  job modules 470, 482
  mapper modules 889
  policy modules 688, 709
  publisher modules 889
Registration Manager
  configuring
    SMTP settings for notifications 168, 481
    to use separate SSL server certificates 269
    to use specific ciphers 275
  connecting to another subsystem 202
  enabling interaction with end entities 407
  enrollment forms for 365, 916
  interface for agents 901
  key pairs and certificates
    getting new ones 277
    list of 230
    renewing existing ones 286
    signing certificate 230
    SSL server certificate 231
  logging to Windows NT event log 1072
  specifying IP address for 161
  what to do if not responding 142
Remove Certificate Hold 1026
removing unwanted CMS instances 121
Renewal (interface) 966
Renewal Constraints policy 518
renewal of certificates
  See certificate renewal
Renewal Validity Constraints policy 525
renew certificates 966
renewing certificates of subsystems 286
reordering policy rules 688, 705
  significance of ordering 705
request formats for certificates 898
Requests Query 1029
restarting
  Certificate Management System 139
    from Netscape Console 140
    from the command line 141
retrieve certificate
  by list 958
  by request number 933, 952
  by serial number 931, 948
  CA certificate chain 946
retrieve certificate revocation list 956
revocation
  agent approval 1033
  agent approval interface 974
  challenge-phrase based 929
  remove certificate hold 1026
  using SSL client authentication 968
Revocation (interface) 968
revocation checking of agent certificates 310
Revocation Constraints policy 522
revocation-status checking for agent certificates 179
revoking certificates 1113
  reasons 722
  who can do this 722
road map to configuring subsystems 105
roles
  administrator 172
  agent 173
  determining factor 172
  key recovery agents 1122
  trusted manager 181
root DN 1155
rotated logs
  naming convention 1050
rotating log files 1051
  archiving files 1053
  conserving disk space 1053
  how to set the time 1052
routers
  getting certificates for 1092, 1105, 1109
  port used for requesting 1105
RSA Key Constraints policy 529

S
samples
  for authentication 427
schedulable jobs
  See jobs
scheduling
  jobs 471
secret sharing of storage key pair 1123
security level 120
Select for Revocation 1033
server's on/off status 142
server certificate renewal 1113
server enrollment forms 365, 915
server instance
  finding out details 118
server name
  changing 120
server root
  default for Unix 119
  default for Windows NT 119
  defined 119
  how many on a single host 119
  relationship with Administration Server 67
server status
  off 120
  on 120
  unknown 120
setpin.conf file 391
setpin command 370
setting CRL extensions 765, 826, 849, 882
setting up
  key archival 1134
  key recovery 1143
Signing Algorithm Constraints policy 533
signing certificate 230
  changing trust settings of 299
  deleting 298
  getting a new one 242, 277
  nickname 230
  renewing 242, 286
  viewing details of 296
single sign-on password 143
  changing 147, 148
  changing cached passwords 129, 144
  starting CMS without 130, 150
  what it does 130
  what it protects 128
  when required 128
  when specified 129
  why change periodically 130
SMTP settings 168, 169, 481
specifying IP address 161
SSL Debugging tool 1259
  examples 1261
  supported platforms 1259
  syntax 1260
  usage tips 1271
SSL server certificate 228, 231, 234
  changing trust settings of 299
  deleting 298
  getting a new one 242, 277
  nickname 228, 231, 234
  renewing 242, 286
  viewing details of 296
SSL Strength tool 1253
  examples 1256
  supported platforms 1253
  syntax 1253
  usage 1255
starting
  Administration Server 67
    from Netscape Console 68
    from the command line 68
    from the Windows NT Service panel 68
  Certificate Management System 128
    from Netscape Console 133
    from the command line 135
    from the Windows NT Services panel 136
    information required 128
  Netscape Console 69
    in Unix 70
    in Windows NT 70
Status tab 78
  tasks you can accomplish 78
stopping
  Administration Server 68
    from Netscape Console 69
    from the command line 69
    from the Windows NT Services panel 69
  Certificate Management System 137
    from Netscape Console 137
    from the command line 138
    from the Windows NT Services panel 139
storage key pair 233
  secret sharing 1123
stronger encryption for export browsers 275
Subject Alternative Name extension policy 668
subject attribute mapper 747
Subject Directory Attributes extension policy 675
Subject Key Identifier extension policy 679
subordinate CA
  enrollment forms for 365, 916
Subordinate CA Name Constraints policy 536
support for
  local OCSP responder 729
  OCSP client 729
  publishing of CRLs 724
support for DN characters in CMS 1157
System log
  defined 1046
  how to configure 1058
  how to monitor 1065
  logging to Windows NT event log 1072
  See also logging

T
Tasks tab 73
  tasks you can accomplish 73
templates
  for agents
    location 922
  for end entities
    location 914
  for end-entity operations 920
  for notifications 455, 457
    customizing 459
    token list 460
  for automated notifications 455
timing log file deletion 1053
timing log rotation 1052
tokens
  changing password of 240
  deleting certificates from 298
  external 236
    See also external tokens
  internal 235
  managing 239
  viewing contents of 295
  viewing which tokens are installed 240
  what are they 235
transport certificate 232
  changing trust settings of 299
  deleting 298
  getting a new one 242, 277
  nickname 232
  renewing 242, 286
  viewing details of 296
  when used 1121
trusted managers
  certificate for SSL client authentication 184
  connectors for linking 183
  deleting 223
  designated group 189
    access rights 189
  modifying 219
    certificate information 220
    group membership 221
    login information 219
  role defined 181
  setting up 201
type styles used in this book 37

U
unbuffered logging 1051
uninstalling Certificate Management System 123
  from the command line 123
  using Windows NT Add/Remove Programs utility 124
Unique Subject Name Constraints policy 539
unrevocation 1026
Update CRL 1036
updateCRL 1036
updateDir 1038
Update Directory (interface) 1038
user enrollment forms 363, 915
user ID, password, and PIN based authentication 332
  configurable parameters 333
  module name 333
user ID and password based authentication 325
  configurable parameters 327
  plug-in module name 327
users
  privileged 171

V
ValiCert publisher 759
Validity Constraints policy 543
version number 120
viewing
  contents of a token 295
viewing CMS instance information 118
VPN clients
  getting certificates for 1092

W
watchdog 143
when the server was installed 119
why should you revoke certificates 722
Windows NT event log
  logging audit and system messages 1072
wizard
  See Certificate Setup Wizard

Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.