Netscape Certificate Management System Administrator's Guide: Configuring a Certificate Manager for

Chapter 22 Configuring a Certificate Manager for Publishing

Netscape Certificate Management System (CMS) provides a customizable publishing framework for the Certificate Manager. This chapter explains how to configure the Certificate Manager to publish to an LDAP directory, a flat file, and an online validation authority.

Before reading this chapter, you should have read the previous chapters in this part. In particular, you should be familiar with the mapper and publisher plug-in modules that are provided for the Certificate Manager. If you are not, see "Modules for Publishing Certificates and CRLs".

The chapter has the following sections:


Publishing Certificates and CRLs to a Directory
If you are using an LDAP-compliant directory, such as Netscape Directory Server, to publish and manage your user and group data, you can configure the Certificate Manager to communicate with this directory. The Certificate Manager can then publish end-entity as well as CA certificates and the certificate revocation list (CRL) to the directory. This way, your publishing directory acts as a common distribution point for information about users and other entities on the network, including each entity's current security credentials.

Once the Certificate Manager is configured to publish to the directory, the following operations are performed automatically:

To configure a Certificate Manager to publish certificates and CRLs to a directory, follow these steps:

Step 1. Plan

Before configuring a Certificate Manager to publish its CA certificate, end-entity certificates, and CRLs to a directory, do this:

Step 2. Set Up the Directory for Publishing

For a Certificate Manager to publish certificates and CRLs to an LDAP directory, the directory needs to be set up to receive certificate- and CRL-related information from the Certificate Manager.

Step A. Verify the Directory Schema

For a Certificate Manager to publish certificates and CRLs to a directory, it must be configured with specific attributes and object classes. This section discusses those basic schema requirements. It is assumed that you're familiar with directory schema and related terminology. If you're not, check the Directory Server documentation.

Required Schema for Publishing End-Entity Certificates

The Certificate Manager publishes an end entity's certificate to the userCertificate;binary attribute within the end entity's or subject's directory object. This attribute is multivalued; each value is a DER encoded binary X.509 certificate. The LDAP object class named inetOrgPerson allows this attribute. This object class is supported by Netscape Directory Server versions 1.0, 3.x, and 4.x. The mix-in object class named strongAuthenticationUser allows this attribute and can be combined with any other object class to allow certificate publication to that object. Note that the Certificate Manager does not automatically add this object class in the schema table of the corresponding Directory Server while publishing or unpublishing end-entity certificates. If the directory object that it finds does not allow the userCertificate;binary attribute, the addition or removal of that specific certificate fails.

If you have created user entries as inetOrgPerson, the userCertificate;binary attribute already exists in the directory. Otherwise, you must add the userCertificate;binary attribute to your directory schema table. For information on modifying directory schema, check the Directory Server documentation.

Required Schema for Publishing the CA Certificate

The Certificate Manager publishes its own CA certificate in the caCertificate;binary attribute of the CA's directory object when the server is started; this is the object that corresponds to the Certificate Manager's issuer name. This is a required attribute of the certificationAuthority object class. Note that the Certificate Manager will add this object class to the directory entry for the CA, provided that it finds the CA's directory entry.

Required Schema for Publishing CRLs

The Certificate Manager maintains its list of revoked certificates in its internal database; this list is called the certificate revocation list (CRL). You can configure the server to publish the CRL to the directory whenever it is generated, which can be each time a certificate is revoked and at regular intervals. You can also manually trigger the server to generate a CRL and publish it to the directory.

The Certificate Manager publishes the updated CRL to the CA's directory object under this attribute: certificateRevocationList;binary.

This attribute is an attribute of the object class certificationAuthority. The value of the attribute is the DER encoded binary X.509 certificate revocation list. The CA's entry must already be a certificate authority.
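
As an added check (example code, not part of this guide or of CMS), the following Python script parses a constructed LDIF export of a publishing directory and reports whether each entry can hold what the Certificate Manager will write: userCertificate;binary on end-entity entries (inetOrgPerson or the strongAuthenticationUser mix-in) and the caCertificate;binary and certificateRevocationList;binary attributes on the CA's entry (certificationAuthority). The sample entries, the DN normalization, and the DER sanity check are assumptions.

```python
"""Schema readiness check for a CMS publishing directory (added example)."""
import base64
from typing import Dict, List

# Object classes that allow userCertificate;binary (see the chapter).
USER_CERT_CLASSES = {"inetorgperson", "strongauthenticationuser"}
CA_CLASS = "certificationauthority"

# Constructed sample LDIF export, not real directory data. The third entry
# is the CA's entry created as a "person", before anything has been published.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,o=Siroe Corporation,c=US
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
userCertificate;binary:: MAMCAQE=

dn: uid=rroe,ou=People,o=Siroe Corporation,c=US
objectClass: top
objectClass: person
uid: rroe
cn: Richard Roe

dn: cn=testCA,ou=Research Dept,o=Siroe Corporation,c=US
objectClass: top
objectClass: person
cn: testCA
sn: testCA
"""

def parse_ldif(text: str) -> List[Dict[str, List[bytes]]]:
    """Minimal LDIF parser: attribute names lower-cased, values as bytes,
    '::' values base-64 decoded, continuation lines unfolded."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:          # the sentinel flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries

def object_classes(entry: Dict[str, List[bytes]]) -> set:
    return {v.decode("utf-8", "replace").lower() for v in entry.get("objectclass", [])}

def normalize_dn(dn: str) -> str:
    """Case-insensitive comparison ignoring whitespace around commas. This is
    a simplification of LDAP DN matching, enough for the sample here."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def looks_like_der(value: bytes) -> bool:
    """DER-encoded X.509 certificates and CRLs both start with a SEQUENCE tag."""
    return len(value) >= 2 and value[0] == 0x30

def check_publishing_readiness(ldif_text: str, issuer_dn: str) -> Dict[str, List[str]]:
    """issuer_dn is the Certificate Manager's issuer DN; its entry receives the CA
    certificate and CRL, every other entry must be able to hold userCertificate;binary."""
    problems, notes, ca_found = [], [], False
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0].decode()
        classes = object_classes(entry)
        if normalize_dn(dn) == normalize_dn(issuer_dn):
            ca_found = True
            if CA_CLASS in classes:
                notes.append(f"{dn}: already certificationAuthority")
            else:
                notes.append(f"{dn}: CA entry found; certificationAuthority is added "
                             "when the CA certificate is first published")
            for attr in ("cacertificate;binary", "certificaterevocationlist;binary"):
                if any(not looks_like_der(v) for v in entry.get(attr, [])):
                    problems.append(f"{dn}: {attr} holds a value that is not DER")
            continue
        if not classes & USER_CERT_CLASSES:
            problems.append(f"{dn}: no object class allows userCertificate;binary")
        if any(not looks_like_der(v) for v in entry.get("usercertificate;binary", [])):
            problems.append(f"{dn}: userCertificate;binary holds a value that is not DER")
    if not ca_found:
        problems.append(f"no entry matches issuer DN {issuer_dn}")
    return {"problems": problems, "notes": notes}

if __name__ == "__main__":
    print(check_publishing_readiness(SAMPLE_LDIF, "CN=testCA, OU=Research Dept, O=Siroe Corporation, C=US"))
```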

Step B. Add an Entry for the CA

Complete this step only if you want to manually create an entry for your CA in the directory--that is, you do not want to use the automated feature built into the LdapCaSimpleCAMap plug-in module for creating the CA's entry in a directory; see "CA Certificate Mapper".

For the Certificate Manager to publish its CA certificate and CRL, the directory must include an entry for the CA. This section explains how to manually add this entry in Netscape Directory Server 4.x using the Directory Server window (which you can launch from within Netscape Console). To add this entry in Netscape Directory Server 3.x, use its HTML forms-based interface (also called the HTTP gateway).

When adding the CA's entry to the directory, you need to select the entry type based on the distinguished name of your CA:

After you select the correct entry type, you need to specify the required information to create the entry. Note that the entry you create doesn't have to be in the certificationAuthority object class. The Certificate Manager will convert this entry to the certificationAuthority object class automatically by publishing its CA's signing certificate (as explained in "Required Schema for Publishing the CA Certificate").

To create an entry for the Certificate Manager in Netscape Directory Server, version 4.x:

  1. Log in to Netscape Console (see "Logging In to Netscape Console").
  2. Locate the Directory Server instance you want the Certificate Manager to use for publishing certificates and CRLs.
  3. Double-click the instance or select the instance and click Open. This opens the Directory Server window.
  4. Select the Directory tab.
  5. Select the domain name, right click, select New, and then select Other. The "New object" window appears.
  6. Select "person" and click OK. The Property Editor - New window appears.
  7. Enter the required information.

    Full name. Enter the common name (the value of the CN component) of the CA exactly as it appears in the issuer DN; this DN shows up in the CA's signing certificate. For example, if your CA's issuer DN is CN=testCA, OU=Research Dept, O=Siroe Corporation, ST=California, C=US, you should enter testCA in this field.

    Last name. Enter the name again; it must be the same as the one you entered in the "Full name" field.

  8. Keep the default values in the remaining fields, and click OK. The new entry appears in the Directory tab.
  9. Verify that the entry has been created.
    1. Double-click Directory Administrators, click Members, and then click Add.
    2. Search for the user entry you added earlier.
    3. Click OK and again OK.

Step C. Identify an Entry That Has Write Access

When you configure the Certificate Manager to work with Directory Server, you'll be required to specify a distinguished name in the directory that has read-write permissions to the directory. To publish certificates and CRLs to the directory, the Certificate Manager needs to use a user entry (in the directory) that has write access to the directory. This enables the Certificate Manager to bind to the directory as this user and modify the user entries with certificate-related information and the CA entry with the CA's certificate and CRL-related information.

To provide the Certificate Manager with a user entry that has read-write permission, you can do either of the following:

For instructions on giving write access to the Certificate Manager's entry, see your LDAP directory documentation. In either case, note the entry DN and the corresponding password as you will be required to identify this user entry to the Certificate Manager later; see "Step 5. Identify the Publishing Directory".

Step D. Verify Entries for End Entities

The publishing directory must contain an entry for each end entity for whom you want a certificate published. If the end entity does not have an entry in the directory, the Certificate Manager will not be able to publish the end entity's certificate.

To add an entry for each end entity, you can use the tools provided with Directory Server. Keep in mind that the end-entity entries must belong to an object class, such as inetOrgPerson, that allows the userCertificate;binary attribute.

Note If you configured the Certificate Manager to use directory-based authentication for end entities and are using the same directory for authentication and publishing, you may not have to deal with this issue. The server will not issue certificates to end entities that do not have entries in the directory. See "End-Entity Authentication During Certificate Enrollment".

Step E. Specify the Directory Authentication Method

Depending on how you want the Certificate Manager to authenticate to the directory, you must set up Directory Server for one of the following methods of communication:

The instructions that follow explain how to configure Netscape Directory Server 4.x for all of the above methods of communication. If you're using any other directory, refer to the documentation that accompanied that product.

Publishing With Basic Authentication

To configure Directory Server for basic authentication:

  1. Go to the Directory Server window.
  2. Select the Configuration tab, and then in the right pane, select the Encryption tab.
  3. Make sure that the Enable SSL box is unchecked. If it's checked, uncheck it.
  4. Click Save. You are prompted to restart the server. Don't restart the server yet; you can do this after you've made all the configuration changes.

Publishing Over SSL Without Client Authentication

To configure the Directory Server for SSL-enabled communication:

  1. Go to the Directory Server window.
  2. Select the Configuration tab, and then in the right pane, select the Encryption tab.
  3. Check the Enable SSL box.
  4. In the Cipher Family section, check the RSA box.
  5. Click the Cipher Preferences button and select the appropriate SSL ciphers. For details on individual ciphers, click the Help button.
  6. In the Client Authentication section, select the "Allow client authentication" option. Be sure not to select the "Require client authentication" option. If you do, Netscape Console will not be able to communicate with the directory.
  7. Click Save. You are prompted to restart the server. Don't restart the server yet; you can do this after you've made all the configuration changes.

Publishing Over SSL With Client Authentication

For the Certificate Manager to publish to the directory with SSL client authentication, Directory Server must

The steps that follow explain how you can configure Directory Server for all of the above.

Step 1. Check the Directory Server's Certificate Database

Before getting an SSL server certificate, determine whether Directory Server already has an SSL server certificate installed in its certificate database and whether you want Directory Server to use the same certificate during the SSL handshake.

To check the Directory Server's certificate database:

  1. Go to the Directory Server window.
  2. Select the Tasks tab.
  3. From the Console menu, choose the Manage Certificates option. The Certificate Management dialog box appears showing a list of all the certificates installed for Directory Server.
  4. Scroll through the list to see if it contains the SSL server certificate that you want to use.

Step 2. Generate an SSL Server Certificate Request for Directory Server

The steps below explain in general how to generate a certificate signing request (CSR) using the Certificate Setup Wizard, which is built into the Directory Server window available within Netscape Console. For detailed instructions on each step of the wizard, you should read the on-screen instructions and view the online help by clicking the Help button.

In the first step of generating the CSR, you will be asked to specify whether the certificate is for a new key pair or an existing key pair and the method for submitting the CSR to the CA.

To generate a certificate request:

  1. In the Directory Server window, select the Tasks tab, and then click the Certificate Setup Wizard button.
  2. Select the token for generating the key pair (and for storing the certificate). Since you don't have the certificate, select No.
  3. If you're generating the certificate for the first time, the wizard informs you that it needs to create a trust database (cert7.db and key3.db files) for Directory Server. When prompted for the password, enter the password. Remember this password because you will be required to supply it when starting Directory Server from now on.

    Once the trust database is generated, the wizard steps for generating the CSR begin.

  4. You are asked to specify whether the certificate is for a new key pair or an existing key pair and the method for submitting the CSR to the CA. The choices for submitting the CSR to the CA include the following:

    To CA's email address. Select this if you want to send the CSR to the CA administrator's email address. Type the administrator's email address (for example, jdoe@siroe.com) in the adjoining field. The administrator will then be required to submit the request to the CA by pasting the CSR in the CA's server enrollment form.

    To CA's URL. Select this if you want to submit the CSR to the Certificate Manager directly. Depending on the end-entity port that's enabled, type either of the following URLs:

    http://<CA's_host_name>:<end_entity_port>/enrollment

    or

    https://<CA's_host_name>:<end_entity_SSL_port>/enrollment

    Note that the request submitted to the CA's URL gets queued for approval by the Certificate Manager agent.

  5. When the wizard displays the CSR, if you are running the wizard on a Windows NT system, copy the CSR (displayed in its base-64 encoded format) to a text file. The information you copied should look similar to the sample shown below. Do not make any changes to it. (As indicated in the message, a copy of this information is also saved to the /temp file in the host machine's file system.)

    -----BEGIN NEW CERTIFICATE REQUEST-----
    [base-64 encoded request data omitted]
    -----END NEW CERTIFICATE REQUEST-----

Step 3. Submit the Request to a CA and Get the SSL Server Certificate

If you decided to submit the certificate request to an external CA, you need to go to that CA's enrollment area and use the form provided for requesting SSL server certificates. After you submit the request, hold on to the confirmation message until you receive the certificate. When the CA sends the certificate to you, complete the remaining configuration, starting from "Step 6. Install the Certificate in the Directory Server's Certificate Database".

The instructions in this step explain how to request the SSL server certificate from the Certificate Manager manually. You should complete this step if you didn't use the auto-submit feature of the wizard to directly send the CSR to the Certificate Manager's URL.

To submit the request to the Certificate Manager manually:

  1. Open a web browser window.
  2. Go to the end-entity interface of the Certificate Manager (or to the Registration Manager that's connected to the Certificate Manager).
  3. In the left frame, under Server, click SSL Server.
  4. In the server enrollment form that appears, enter the required information:

    PKCS#10 Request. Paste the base-64 encoded blob, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- marker lines, you copied to the text file earlier.

    Name. Type your name.

    Email. Type your business email address, for example, jdoe@siroe.com.

    Phone. Type your business phone number.

    Additional Comments. Type any information that will help you identify this request in the future or will help the person who will process this request.

  5. Click Submit.

Step 4. Approve the Request You Submitted

Skip to the next step if you submitted the CSR to an external CA. Complete this step if you submitted the CSR to the Certificate Manager.

To access the agent queue and approve the SSL server certificate request you submitted:

  1. In the browser window, go to the Certificate Manager Agent Services interface. (If you submitted the request to a Registration Manager, go to its agent interface.)
  2. In the left frame, select List Requests. In the form that appears, select the "Show pending request" option and click Find.
  3. In the request queue, locate the request you submitted and click Details.
  4. Verify the information and click Do It. If your request contained all the required information, the server issues a certificate and you should see a message indicating so.
  5. Click Show Certificate. The complete details about the certificate appear. Don't close the page; in the next step, you'll need to copy the certificate from this page.

Step 5. Copy the SSL Server Certificate

You must go through this step, irrespective of whether you submitted the CSR to the Certificate Manager or to an external CA.

To install the certificate in the Directory Server's database, you need to have a copy of the certificate in its base 64-encoded format:

The steps below explain how to copy the base 64-encoded blob of the certificate from the confirmation page that you received from the Certificate Manager:

  1. In the page that shows the certificate details, scroll down to the section that says "Installing this certificate in a server".
  2. Copy the base-64 encoded certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines, to a text file or to the clipboard; be sure not to make any changes to the text blob. An example of the information you should copy is shown below:

    -----BEGIN CERTIFICATE-----
    [base-64 encoded certificate data omitted]
    -----END CERTIFICATE-----

Step 6. Install the Certificate in the Directory Server's Certificate Database

You must go through this step, irrespective of whether you requested the certificate from the Certificate Manager or from an external CA.

To install the SSL server certificate in the Directory Server's certificate database:

  1. Go to the Directory Server window.
  2. Start the Certificate Setup Wizard.
  3. In the first step that the wizard displays, select the "Install Certificate for This Server" option.
  4. In the second step, select the "The certificate is located in the following text field" option and paste the certificate blob, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines, you copied earlier.
  5. Follow the prompts and add the certificate to the certificate database.

Step 7. Copy the CA Chain

You must go through this step, irrespective of whether you requested the certificate from the Certificate Manager or from an external CA.

The steps in this section explain how to copy the CA chain, if you requested the SSL server certificate from a Certificate Manager. If you got the certificate from an external CA, make sure that the CA's chain exists in the certificate database of Directory Server; otherwise, go to the CA site and copy the chain.

  1. Go to the end-entity interface of the Certificate Manager (or to the Registration Manager that's connected to the Certificate Manager).
  2. Click the Retrieval tab.
  3. In the left frame, click Import CA Certificate Chain.
  4. In the form that appears, select the "Display the CA certificate chain in PKCS#7 for importing into a server" option, and click Submit.
  5. The CA certificate chain appears.

  6. Copy the base-64 encoded certificate blob, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines, to a text file or the clipboard.

Step 8. Install the CA Chain in the Directory Server as a Trusted CA

To install the CA chain:

  1. Go to the Directory Server window.
  2. Start the Certificate Setup Wizard.
  3. Select the option to install a certificate for a trusted certificate authority.
  4. Select the "The certificate is located in the following text field" option and paste the certificate blob, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines, you copied earlier.
  5. Follow the prompts and add the CA certificate chain to the certificate database of Directory Server.

Step 9. Confirm that the New Certificates are Installed

To verify that the certificates are installed in the certificate database of Directory Server:

  1. In the Directory Server window, select the Tasks tab.
  2. From the Console menu, select Manage Certificates.
  3. The Certificate Management dialog box appears showing a list of certificates installed for Directory Server.

  4. Scroll through the list. You should find the certificates you installed. If you find the certificates, your server is ready for SSL activation.

Step 10. Verify the Port Number

Before turning on SSL-enabled communication for Directory Server, you must verify that the configured port number can be used for this purpose. If not, you must change the port number to a valid one.

To modify the port (for a secure port) on which the Directory Server listens for incoming requests:

  1. In the Directory Server window, select the Configuration tab, and then in the navigation tree, select the root (the topmost) item.
  2. Select the Settings tab in the right pane.
  3. Set the following port fields:

    Port. Type the port number you want the server to use for non-SSL communication. The default port number is 389.

    Encrypted Port. Type the port number you want the server to use for SSL-enabled communication. The default secure port number is 636. The encrypted port number that you specify must not be the same as one you specified in the Port field.

  4. Click Save. You are prompted to restart the server. Don't restart the server yet; you can restart it after you've made all the changes.

    Be aware that changing the Directory Server port number requires you to change the corresponding port number in all other servers that communicate with the directory. For example, if you have other Netscape Servers installed that point to the directory, you need to update those server configurations to use the new port number. For details, see Managing Servers with Netscape Console (to locate this document, see <server_root>/manual/index.html).

Step 11. Turn on SSL-Enabled Communication

To turn on SSL-enabled communication in Directory Server:

  1. In the Directory Server window, select the Configuration tab, and then in the right pane, select the Encryption tab.
  2. Check the Enable SSL box.
  3. In the Cipher Family section, check the RSA box.
  4. Click the Cipher Preferences button and select the appropriate SSL ciphers. For details on individual ciphers, click the Help button.
  5. In the Token drop-down list, select the token that contains the key pair for the certificate you installed (or for the certificate you want the server to use).
  6. Select the certificate you want the server to use during SSL-enabled communication with the Certificate Manager.
  7. In the Client Authentication section, select the appropriate option:

    Do not allow client authentication. Select this if you want to configure the directory for basic authentication or for SSL-based communication without client authentication.

    Allow client authentication. Select this if you want to configure the directory for SSL client authenticated communication.

    Require client authentication. Don't select this option. If you do, Netscape Console will not be able to communicate with Directory Server. This is because Netscape Console does not support client-authenticated communication yet. For example, if you're using the same directory for user data and configuration information of other Netscape servers and if you configure Directory Server to require client authentication, you will no longer be able to manage your Netscape servers from Netscape Console; instead, you will be required to use the command-line tools.

  8. Click Save. You are prompted to restart the server. Don't restart the server yet; you can restart it after you've made all the required changes.

Step F. Modify the Certificate Mapping File

This step explains how to modify the certmap.conf file to add a certificate mapping rule for the CA's entry you created. You need to go through this step only if you configured the directory for SSL client authenticated communication. Otherwise, skip to "Step G. Restart Directory Server".

When the Certificate Manager presents its certificate for SSL client authentication, Directory Server uses the mapping rule specified in the certmap.conf file to locate the corresponding entry in the directory and then determine the access privileges set for the entry. The certificate mapping file is located in the <server_root>/shared/config directory, where <server_root> is the directory in which the Directory Server binaries are installed.

The certmap.conf file specifies the following:

The file contains one or more named mappings, each applying to a different CA. A mapping has the following syntax:

certmap <name> <issuerDN>
<name>:<property1> [<value1>]
<name>:<property2> [<value2>]
...
<name>:<propertyn> [<valuen>]

The first line specifies a name for the entry and the DN of the issuer of the client certificate--in this case, the issuer of the certificate the Certificate Manager will present during client authentication. (By default, the Certificate Manager uses its SSL server certificate generated during installation.) The name is arbitrary; you can define it to be whatever you want. However, the issuer DN must exactly match the issuer DN of the CA that has issued the certificate the Certificate Manager will use for client authentication. For example, the following two issuer DN lines differ only in the number of spaces separating the attribute value assertions (AVAs), but the Directory Server will treat these two entries as different:

certmap moz CN=myCA,OU=myDept,O=myCompany,C=US

certmap moz CN=myCA,OU=myDept,O=myCompany, C=US

The second and subsequent lines in the named mapping match properties with values. The certmap.conf file has six default properties, but the ones that should be of use to you are explained below. For in-depth detail about the certmap.conf file, see Managing Servers with Netscape Console (open the <server_root>/manual/index.html file to locate this document).

The following two examples illustrate two different ways you can use the certmap.conf file.

certmap default default
default:dnComps
default:filterComps E, UID

certmap MyCA CN=CA,OU=MyGroup,O=MyCompany,C=US
MyCA:dnComps OU,O,C
MyCA:filterComps E
MyCA:verifycert on

This file has two mappings: a default one and another for MyCA. When the Directory Server gets a certificate from anyone other than MyCA, the server uses the default mapping, which starts at the top of the LDAP tree and searches for an entry matching the client's email address and user ID. If the certificate is from MyCA, the server starts its search at the LDAP branch containing the organizational unit and searches for matching email addresses. Also note that if the certificate is from MyCA, the server verifies the certificate with the one stored for the entry in the directory; other certificates are not verified. Note that the issuer DN in the certificate must be identical to the issuer DN listed in the first line of the mapping. Even an extra space after a comma will cause a mismatch.
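
As an added example (not Directory Server code and not from this guide), the following Python script parses the two-mapping certmap.conf above, selects a mapping by exact issuer-DN string comparison, and derives the search base and filter from dnComps and filterComps; it also applies verifycert by comparing a presented certificate with the located entry's stored certificates. The mapping of the certificate's E component to the mail attribute, the sample subject DNs, and the simplified DN parsing are assumptions.

```python
"""certmap.conf issuer matching and search derivation (added example)."""
from typing import Dict, List

# Constructed certmap.conf with the chapter's two mappings.
CERTMAP_CONF = """\
certmap default default
default:dnComps
default:filterComps E, UID

certmap MyCA CN=CA,OU=MyGroup,O=MyCompany,C=US
MyCA:dnComps OU,O,C
MyCA:filterComps E
MyCA:verifycert on
"""

# Certificate attribute type -> directory attribute searched in the filter.
# Assumed: the E (email) component is looked up in the mail attribute.
FILTER_ATTR = {"e": "mail", "uid": "uid", "cn": "cn", "ou": "ou", "o": "o", "c": "c"}

def parse_certmap(text: str) -> Dict[str, Dict[str, str]]:
    """Returns {mapping name: {"issuer": DN, <property>: value, ...}}.
    Property names are stored lower-cased; a property with no value is ''."""
    mappings: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("certmap "):
            _, name, issuer = line.split(None, 2)   # issuer DN kept verbatim
            mappings[name] = {"issuer": issuer}
            continue
        key, _, value = line.partition(" ")
        name, _, prop = key.partition(":")
        mappings[name][prop.lower()] = value.strip()
    return mappings

def parse_dn(dn: str) -> Dict[str, str]:
    """'CN=x,OU=y' -> {'cn': 'x', 'ou': 'y'} (simplified: no escaped commas)."""
    return {t.strip().lower(): v.strip()
            for t, v in (ava.split("=", 1) for ava in dn.split(","))}

def select_mapping(mappings: Dict[str, Dict[str, str]], issuer_dn: str) -> str:
    """Exact string comparison, as Directory Server does: a DN that differs only
    by a space after a comma is a different issuer and falls back to 'default'."""
    for name, m in mappings.items():
        if name != "default" and m["issuer"] == issuer_dn:
            return name
    return "default"

def _comps(value: str) -> List[str]:
    return [c.strip().lower() for c in value.split(",") if c.strip()]

def search_plan(mappings: Dict[str, Dict[str, str]], issuer_dn: str,
                subject_dn: str) -> Dict[str, object]:
    """Derive the base DN (from dnComps) and filter (from filterComps) that the
    directory would use to locate the entry for the presented certificate."""
    name = select_mapping(mappings, issuer_dn)
    m = mappings[name]
    subject = parse_dn(subject_dn)
    # Empty dnComps means the search starts at the top of the tree (base '').
    base = ",".join(f"{t}={subject[t]}" for t in _comps(m.get("dncomps", "")) if t in subject)
    terms = [f"({FILTER_ATTR.get(t, t)}={subject[t]})"
             for t in _comps(m.get("filtercomps", "")) if t in subject]
    if not terms:
        filt = "(objectclass=*)"
    elif len(terms) == 1:
        filt = terms[0]
    else:
        filt = "(&" + "".join(terms) + ")"
    return {"mapping": name, "base": base, "filter": filt,
            "verifycert": m.get("verifycert", "off").lower() == "on"}

def verify_against_entry(plan: Dict[str, object], presented_der: bytes,
                         stored_certs: List[bytes]) -> bool:
    """With verifycert on, the presented certificate must equal one of the
    located entry's stored userCertificate;binary values; otherwise no check."""
    if not plan["verifycert"]:
        return True
    return any(presented_der == c for c in stored_certs)

if __name__ == "__main__":
    maps = parse_certmap(CERTMAP_CONF)
    subj = "CN=cmserver,E=cm@mycompany.com,OU=MyGroup,O=MyCompany,C=US"
    for issuer in ("CN=CA,OU=MyGroup,O=MyCompany,C=US", "CN=CA,OU=MyGroup,O=MyCompany, C=US"):
        print(issuer, "->", search_plan(maps, issuer, subj))
```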

To modify the certmap.conf file:

  1. In the Directory Server host machine, go to this directory:
    <server_root>/shared/config
  2. Open the certmap.conf file in a text editor.
  3. Follow the instructions in the file and add the mapping information for the entry you added. The figure above shows the following mapping rule being added to the file:

    certmap myCA CN=rootCA, O=siroe.com
    #myCA:DNComps
    myCA:FilterComps

    This mapping rule specifies that if the name of the CA that signed the certificate used for SSL client authentication by the Certificate Manager is myCA and that the issuer name or DN of the CA is CN=rootCA, O=siroe.com, the server should use the FilterComps attributes to locate the entry.

    If you determine that the certmap.conf file needs an empty DNComps mapping (because your certificate subject name has no overlap with the corresponding directory DN), you may need to modify the default base DN in Directory Server by adding the following to the Directory Server configuration file:

    dn: cn=config
    changetype: modify
    replace: nsslapd-certmap-basedn
    nsslapd-certmap-basedn: dc=siroe, dc=com

  4. Save your changes, and close the file.

Step G. Restart Directory Server

For all your changes to take effect, you must restart Directory Server.

Step 3. Configure the Certificate Manager to Publish Certificates

This section explains how to specify certificate mapping and publishing rules the Certificate Manager should use to publish certificates to the correct entries in the directory.

Step A. Modify the Default Mappers, Publishers, and Publishing Rules

Complete this step if you decided to use any of the default mappers, publishers, and publishing rules created during installation. If you want to create new mappers, publishers, and publishing rules, skip to the next step, "Step B. Add Mappers, Publishers, and Publishing Rules".

During installation, the Certificate Manager automatically creates a set of mappers that you would most likely want to use. The names of the default mappers are as follows:

Similar to mappers, the Certificate Manager also creates a set of publishers for your convenience. The names of the default publishers are as follows:

The Certificate Manager also creates a set of publishing rules using the default mappers and publishers. The names of these rules are as follows:

It is important that you review each of the default mappers, publishers, and publishing rules and modify them as suitable. The instructions below explain how to modify the default mappers, publishers, and publishing rules.

Step A.1. Modify the Default Mappers

You can modify a mapper by editing its configuration parameter values; you cannot change the name of a mapper. To change the name of a mapper, you need to create a new mapper exactly like the mapper you want to rename, except with a new name, and delete the old mapper.

To modify a mapper:

  1. Log in to the CMS window for the Certificate Manager (see "Logging In to the CMS Window").
  2. Select the Configuration tab.
  3. In the navigation tree, select Publishing, and then select Mappers.

    The right pane shows the Mappers Management tab, which lists configured mappers.

  4. In the Mapper list, select a mapper that you want to modify.

    For the purposes of completing this instruction, assume that you selected the mapper named LdapUserCertMap.

  5. Click Edit/View.

    The Mapper Editor window appears, showing how this mapper is configured. An example is shown below.

  6. Make the necessary changes and click OK.

    You are returned to the Mappers Management tab.

  7. To modify the remaining mappers, repeat steps 4 through 6.
  8. Click Refresh to see the updated status of all the mappers.

Step A.2. Modify the Default Publishers

Modifying a publisher involves changing its configuration parameter values; you cannot change the name of a publisher. To change the name of a publisher, create a new publisher using the same publisher plug-in module with the same parameter values, and delete the old one.

To modify a publisher:

  1. In the navigation tree, select Publishing, and then select Publishers.

    The right pane shows the Publishers Management tab, which lists configured publishers.

  2. In the Publisher list, select a publisher that you want to modify.

    For the purposes of this instruction, assume that you selected the publisher named LdapUserCertPublisher.

  3. Click Edit/View.

    The Publisher Editor window appears, showing how this publisher is currently configured.

  4. Make the necessary changes and click OK.

    You are returned to the Publishers Management tab.

  5. To modify the remaining publishers, repeat steps 2 through 4.
  6. Click Refresh to see the updated status of all the publishers.

Step A.3. Modify the Default Publishing Rules

Modifying a publishing rule involves changing its configuration parameter values; you cannot change the name of a publishing rule. To change the name of a publishing rule, create a new rule with the same parameter values, and delete the old one.

To modify a publishing rule:

  1. In the navigation tree, select Publishing, and then select Rules.

    The right pane shows the Rules Management tab, which lists configured publishing rules.

  2. In the Rule list, select a publishing rule that you want to modify.

    For the purposes of this instruction, assume that you selected the rule named LdapUserCertRule.

  3. Click Edit/View.

    The Rule Editor window appears, showing how the rule is currently configured.

  4. Make the necessary changes and click OK.

    You are returned to the Rules Management tab.

  5. To modify the remaining rules, repeat steps 2 through 4.
  6. Click Refresh to see the updated status of all the rules.

Step B. Add Mappers, Publishers, and Publishing Rules

Complete this step if you need to create new mappers, publishers, or publishing rules. For example, if you already configured the Certificate Manager for publishing all types of certificates in "Step A. Modify the Default Mappers, Publishers, and Publishing Rules", you can skip to the next step, "Step A. Specify CRL Details".

The instructions that follow cover how to add new mappers, publishers, and publishing rules for a CA certificate and for end-entity certificates. Creating new mappers, publishers, and publishing rules for CRLs is covered in "Step 4. Configure the Certificate Manager to Publish CRLs".

Follow the steps that are appropriate for you:

Step B.1. Create a Mapper for the CA Certificate

Creating a mapper for the CA certificate involves creating an instance of the mapper module that enables the Certificate Manager to locate the CA's entry in the directory; for a list of modules, see "Overview of Mapper Modules". Later, when creating the LDAP publishing rule for the CA certificate, you specify the mapper you create here.

To create a mapper:

  1. In the navigation tree of the CMS window, under Publishing, select Mappers.

    The right pane shows the Mappers Management tab, which lists configured mappers.

  2. Click Add.

    The Select Mapper Plugin Implementation window appears. It lists registered mapper modules.

  3. Select a module.

    The following choices are the ones provided by default with the Certificate Manager for mapping a CA's certificate to the CA's directory entry. (If you have registered any custom mapper modules, they too will be available here for selection.)

    LdapDNCompsMap. Select this if you want the server to locate the CA's entry by formulating the entry's distinguished name from components in the certificate subject name and using it as the search DN. For details, see "DN Components Mapper".

    LdapDNExactMap. Select this if you want the server to locate the CA's entry by searching for its certificate subject name. For details, see "Subject Name Mapper".

    LdapSimpleMap. Select this if you want the server to locate the CA's entry by formulating the entry's DN from components specified in the certificate subject name and attribute value assertion (AVA) constants. For details, see "Simple Mapper".

    LdapSubjAttrMap. Select this if you want the server to locate the CA's entry by searching for an LDAP attribute whose value matches the certificate subject name. For details, see "Subject Attribute Mapper".

    For the purposes of this instruction, assume that you selected LdapDNCompsMap.

  4. Click Next.

    The Mapper Editor window appears.

  5. Enter the appropriate information:

    Mapper ID. Type a unique name for the mapper that will help you identify it; use an alphanumeric string with no spaces.

    baseDN. Type the DN from which the server should start searching for the CA's entry in the directory. If you leave the next field, dnComps, blank, the server uses the base DN value to start its search in the directory. For example, O=siroe.com.

    dnComps. Type the DN components (attributes), separated by commas, that you want the server to use to locate an LDAP entry that matches the CA's information. The server gathers values for these attributes from the CA certificate subject name and uses the values to form an LDAP DN, which then determines where in the LDAP directory the server starts its search. For example, if the subject name of your CA's certificate is CN=testCA, O=siroe.com, C=US, and you set dnComps to use the O and C attributes of the DN, the server starts the search from the O=siroe.com, C=US entry in the directory.

    If you leave the dnComps field empty, the server checks the value in the baseDN field and searches the directory tree specified by that DN. The server searches the entire LDAP tree for entries matching the filter specified by the filterComps parameter values.

    filterComps. Type the components the server should use to filter entries that result from the search. The server uses the filterComps values to form an LDAP search filter for the subtree. The server constructs the filter by gathering values for these attributes from the certificate subject name; it uses the filter to search for and match entries in the LDAP directory.

    If you need additional details about any of these parameters, click the Help button.

  6. Click OK.

    The Mappers Management tab appears, listing the new mapper.
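To make the baseDN, dnComps and filterComps interaction concrete, here is an added example (this is not Certificate Manager code and does not reproduce the product's mapper implementation) that derives the search base and LDAP filter from a subject name the way the DN components mapper description above says it does. It also escapes filter values per RFC 4515, so that a subject attribute containing parentheses or an asterisk cannot alter the structure of the filter the directory receives; the function names and the fallback for a missing component are this example's own assumptions.

```python
"""Added example, not Certificate Manager code: how an LdapDNCompsMap-style
mapper derives the search base and LDAP filter from a certificate subject name
and the baseDN, dnComps and filterComps parameters described above."""


def parse_dn(dn):
    """Split 'CN=testCA, O=siroe.com, C=US' into [("CN", "testCA"), ("O", "siroe.com"), ("C", "US")]."""
    avas = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if sep != "=":
            raise ValueError(f"malformed DN component: {part!r}")
        avas.append((attr.strip().upper(), value.strip()))
    return avas


def escape_filter_value(value):
    """RFC 4515 escaping so a subject value cannot change the structure of the filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def derive_search(subject_dn, base_dn, dn_comps, filter_comps):
    """Return (search_base, ldap_filter) for the given mapper parameters."""
    avas = parse_dn(subject_dn)
    wanted = [c.strip().upper() for c in dn_comps.split(",") if c.strip()]
    if wanted:
        # Components kept in subject-name order, e.g. dnComps "O,C" -> "O=siroe.com,C=US"
        chosen = [(a, v) for a, v in avas if a in wanted]
        if not chosen:
            # Assumption for this example: none of the listed components is present,
            # so fall back to baseDN rather than searching from an empty DN.
            search_base = base_dn
        else:
            search_base = ",".join(f"{a}={v}" for a, v in chosen)
    else:
        search_base = base_dn            # empty dnComps: search the whole tree under baseDN

    filters = []
    for comp in [c.strip().upper() for c in filter_comps.split(",") if c.strip()]:
        for a, v in avas:
            if a == comp:
                filters.append(f"({a}={escape_filter_value(v)})")
                break
    if not filters:
        ldap_filter = "(objectClass=*)"  # assumption: no filter components, match every entry
    elif len(filters) == 1:
        ldap_filter = filters[0]
    else:
        ldap_filter = "(&" + "".join(filters) + ")"
    return search_base, ldap_filter


if __name__ == "__main__":
    # The guide's own example: subject CN=testCA, O=siroe.com, C=US with dnComps O,C
    print(derive_search("CN=testCA, O=siroe.com, C=US", "O=siroe.com", "O,C", "CN"))
    # Empty dnComps: the search starts at baseDN instead
    print(derive_search("CN=testCA, O=siroe.com, C=US", "O=siroe.com", "", "CN"))
```

The second call shows why an empty dnComps makes the mapper "generic" in the sense used for end-entity mappers in Step B.2: the subject name then contributes only to the filter, and every entry under baseDN is a candidate.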

Step B.2. Create a Mapper for End-Entity Certificates

Creating a mapper for end-entity certificates involves creating an instance of the mapper module that enables the Certificate Manager to locate the correct end-entity entry in the directory; for a list of modules, see "Overview of Mapper Modules". Later, when creating the publishing rule for end-entity certificates, you specify the mapper you create here.

To create a mapper for end-entity certificates, follow the procedure in Step B.1, above. Unlike the CA certificate mapper configuration, keep this mapper's configuration generic so that the Certificate Manager is able to locate any end-entity entry in the directory.

Step B.3. Create a Publisher for the CA Certificate

Creating a publisher for the CA certificate involves creating an instance of the publisher module that enables the Certificate Manager to publish the CA certificate to the correct attribute in the CA's directory entry; for a list of modules, see "Overview of Publisher Modules". Later, when creating the LDAP publishing rule for the CA certificate, you specify the publisher you create here.

To create a publisher:

  1. In the navigation tree of the CMS window, under Publishing, select Publishers.

    The right pane shows the Publishers Management tab, which lists configured publishers.

  2. Click Add.

    The Select Publisher Plugin Implementation window appears. It lists registered publisher modules.

  3. Select the module named LdapCaCertPublisher.

    As explained in "CA Certificate Publisher", only this module publishes the CA certificate to the caCertificate;binary attribute in the CA's directory entry. (If you have registered any custom publisher modules, they too will be available here for selection.)

  4. Click Next.

    The Publisher Editor window appears.

  5. Enter the appropriate information:

    Publisher ID. Type a unique name for the publisher that will help you identify it later; be sure to use an alphanumeric string with no spaces.

    caCertAttr. The field shows caCertificate;binary, the directory attribute to which the CA certificate is published. Leave it as it is. If the field is empty, type caCertificate;binary.

    caObjectClass. The field shows certificationAuthority, the object class for the CA's entry in the directory. Leave it as it is. If the field is empty, type certificationAuthority.

  6. Click OK.

    The Publishers Management tab appears, listing the new publisher.

Step B.4. Create a Publisher for End-Entity Certificates

Creating a publisher for end-entity certificates involves creating an instance of a publisher module that enables the Certificate Manager to publish an end-entity certificate to the correct attribute in the end entity's directory entry; for a list of modules, see "Overview of Publisher Modules". Later, when creating publishing rules for end-entity certificates, you specify the publisher you create here.

To create a publisher for end-entity certificates, complete the procedure in Step B.3 above. When selecting the publisher module, be sure to choose the module named LdapUserCertPublisher as this is the only module that allows publishing to the userCertificate;binary attribute of a mapped-directory entry.

Step B.5. Create a Publishing Rule for the CA Certificate

Creating a publishing rule for the CA certificate involves creating a rule that uses the mapper and publisher that you created for the CA certificate in the previous steps.

To create a publishing rule:

  1. In the navigation tree, under Publishing, select Rules.

    The right pane shows the Rules Management tab, which lists configured publishing rules.

  2. Click Add.

    The Select Rule Plugin Implementation window appears. It lists registered modules for creating publishing rules.

  3. Select the module named Rule.

    This is the default module. (If you have registered any custom modules, they too will be available for selection.)

  4. Click Next.

    The Rule Editor window appears.

  5. Enter the appropriate information:

    Rule ID. Type a unique name for the rule; use an alphanumeric string with no spaces.

    enable. Select this option.

    predicate. Type HTTP_PARAMS.certType==ca, indicating that the rule is applied to the CA certificate only. (For information on predicates, see "Using Predicates in Policy Rules".)

    type. Select cacert.

    mapper. Select the mapper you added for locating the CA's entry in the directory.

    publisher. Select the publisher you added for publishing the CA's certificate to the directory.

  6. Click OK.

    The Rules Management tab appears, listing the new rule.

Step B.6. Create Publishing Rules for End-Entity Certificates

Creating publishing rules for end-entity certificates involves creating a rule for each type of end-entity certificate the Certificate Manager will issue:

You need to create a rule for each type of certificate using the mapper and publisher that you created for end-entity certificates.

To create a publishing rule:

  1. In the navigation tree, under Publishing, select Rules.

    The right pane shows the Rules Management tab, which lists configured publishing rules.

  2. Click Add.

    The Select Rule Plugin Implementation window appears. It lists registered modules for creating publishing rules.

  3. Select the module named Rule.

    This is the default module. (If you have registered any custom modules, they too will be available for selection.)

  4. Click Next.

    The Rule Editor window appears.

  5. Enter the appropriate information:

    Rule ID. Type a name for the rule; use an alphanumeric string with no spaces.

    enable. Select this option.

    predicate. Type HTTP_PARAMS.certType==client, indicating that the rule is applied to client certificates only (see Table 22.1).

    type. Select certs.

    mapper. Select the mapper you added for locating end-entity entries in the directory.

    publisher. Select the publisher you added for publishing end-entity certificates (to the userCertificate;binary attribute of an end-entity entry in the directory).

  6. Click OK.

    The Rules Management tab appears, listing the new rule you just created for publishing end users' client certificates.

  7. Repeat steps 1 through 6 for each type of end-entity certificate the Certificate Manager will issue. Use Table 22.1 for filling in the correct values in the type and predicate fields. (For information on predicates, see "Using Predicates in Policy Rules".)

Table 22.1 Certificate type and predicate expression

End-entity certificate type                                 "type" field value   "predicate" field value
SSL client certificate                                      certs                HTTP_PARAMS.certType==client
SSL server certificate                                      certs                HTTP_PARAMS.certType==server
Object signing certificate                                  certs                HTTP_PARAMS.certType==objSignClient
Certificate Manager signing certificate (subordinate CA)    cacert               HTTP_PARAMS.certType==ca
Registration Manager signing certificate                    certs                HTTP_PARAMS.certType==ra
OCSP responder certificate                                  certs                HTTP_PARAMS.certType==ocspResponder
Router certificate                                          certs                HTTP_PARAMS.certType==CEP-Router

Step 4. Configure the Certificate Manager to Publish CRLs

If you don't want the Certificate Manager to publish CRLs to the directory, skip to "Step 5. Identify the Publishing Directory".

You can configure the Certificate Manager to publish CRLs to the directory that is currently configured for publishing the CA and end-entity certificates. A configured Certificate Manager will publish the CRL to the CA's entry in the specified directory, replacing the old CRL with the new one; the old CRL is not saved. The Certificate Manager connects to the directory using the base DN and password that you will specify in "Step 5. Identify the Publishing Directory".

To configure a Certificate Manager to publish CRLs to the directory, follow these steps:

Step A. Specify CRL Details

You can specify information, such as the publishing interval, the CRL version (whether to include CRL extensions), and the signing algorithm the Certificate Manager should use for signing the CRL object.

To specify CRL details:

  1. In the navigation tree of the CMS window, select Certificate Manager, and then in the right pane, select the Revocation List tab.
  2. In the Update Frequency section, specify the interval for publishing the CRL to the directory:

    Every time a certificate is revoked, or taken off-hold. Select this option if you want the Certificate Manager to generate the CRL every time it revokes a certificate. Keep in mind that the Certificate Manager attempts to publish the CRL to the configured directory whenever the CRL is generated, in this case, every time a certificate is revoked. Publishing a CRL can be time consuming if the CRL is large. Configuring the Certificate Manager to publish CRLs every time a certificate is revoked may engage the server for a considerable amount of time; during this time, the server will not be able to service any requests it receives and will not be able to update the directory with any changes it receives.

    Update at this frequency. Select this option if you want the Certificate Manager to generate CRLs at regular intervals. In this case, the server publishes the CRL to the configured directory at the interval you specify.

    In the adjoining text field, type the interval, in minutes, at which the Certificate Manager should publish CRLs. For example, if you want the server to publish CRLs every day, you should type 1440 in this field.

    with a skew of. If you configure the server to update the CRL automatically at a fixed interval, the server by default adds a 5 second skew to the next update time to allow time to create the CRL and publish it. For example, if you configure the server to update the CRL every 20 minutes, and if the CRL is updated at 16:00:00, the CRL will be updated again at 16:19:55. You can configure the skew by changing the default value, which is specified in seconds.

  3. In the CRL Format section, specify the format for publishing the CRL:

    Include expired certificates. Check this box if you want the server to include revoked certificates that have expired in the CRL.

    Allow extensions. Check this box if you want to allow extensions in the CRL. If you enable this option, the server generates and publishes CRLs conforming to the X.509 version 2 standard. If you disable this option, the server generates and publishes CRLs conforming to the X.509 version 1 standard. By default, the server publishes version 1 CRLs. If you enable this option, be sure to set the required CRL extensions as described in "Step B. Set the CRL Extensions".

    Revocation list signing algorithm. Select the algorithm the server should use to sign the CRL. If the Certificate Manager's signing key type is RSA, select MD2 with RSA, MD5 with RSA, or SHA-1 with RSA. If the Certificate Manager's signing key type is DSA, select SHA-1 with DSA.

  4. To save your changes, click Save.

    If the changes you made require you to restart the server, you are prompted accordingly. However, don't restart the server yet; you can restart it after you've made all the required changes.

Step B. Set the CRL Extensions

Complete this step only if you configured the Certificate Manager to publish version 2 CRLs--that is, you selected the "Allow extensions" option in "Step A. Specify CRL Details".

During installation, the Certificate Manager creates default CRL extension rules; these are listed in Table 21.10. Note that the server is configured to add the CRL Reason extension only; all the other rules are in the disabled state. In this step, you modify the default CRL extension rules to add the required CRL extensions.

To specify the CRL extensions the Certificate Manager should set:

  1. In the navigation tree, under Certificate Manager, select CRL Extensions.

    The right pane shows the CRL Extensions Management tab, which lists configured extensions.

  2. To modify a rule, select it and then click Edit/View.
  3. Change the information as appropriate.

    Be sure to supply all the required values. Click the Help button for detailed information on individual parameters.

  4. Click OK.

    You are returned to the CRL Extensions Management tab.

  5. To modify other rules, repeat steps 2 through 4.
  6. Click Refresh to see the updated status of all the rules.

Step C. Create a Mapper for the CRL

The Certificate Manager publishes the CRL to the certificateRevocationList;binary attribute of the CA's directory entry (see "Required Schema for Publishing CRLs").

Since you already created a mapper for locating the CA's entry (either in "Step A. Modify the Default Mappers, Publishers, and Publishing Rules" or in "Step B.1. Create a Mapper for the CA Certificate"), you can configure the Certificate Manager to use that mapper to locate the CA's entry for publishing the CRL; you don't need to create another mapper for publishing CRLs.

Step D. Create a Publisher for the CRL

Creating a publisher for the CRL involves creating an instance of the publisher module that enables the Certificate Manager to publish the CRL to the correct attribute in the CA's directory entry. In the next step, described in "Step E. Create a Publishing Rule for the CRL", you specify the publisher you create here.

To create a publisher for the CRL:

  1. In the navigation tree, click Publishers.

    The right pane shows the Publishers Management tab, which lists configured publisher instances.

  2. Click Add.

    The Select Publisher Plugin Implementation window appears. It lists registered publisher modules.

  3. Select the module named LdapCrlPublisher.

    Only this publisher module enables the Certificate Manager to publish the CRL to the certificateRevocationList;binary attribute of the CA's directory entry; for details, see "CRL Publisher". (If you have registered any custom publisher modules, they too will be available for selection.)

  4. Click Next.

    The Publisher Editor window appears.

  5. Enter the appropriate information:

    Publisher ID. Type a name for the publisher; use an alphanumeric string with no spaces.

    crlAttr. Make sure this field shows the directory attribute to which the CRL is published, certificateRevocationList;binary. If necessary, type it in.

  6. Click OK.

    The Publishers Management tab appears, listing the new publisher.

Step E. Create a Publishing Rule for the CRL

Creating a publishing rule for the CRL involves creating a rule that uses the mapper and publisher instances that you created in the previous steps. To create a publishing rule:

  1. In the navigation tree, click Rules.

    The right pane shows the Rules Management tab, which lists any currently configured publishing rules.

  2. Click Add.

    The Select Rule Plugin Implementation window appears. It lists registered modules for creating publishing rules.

  3. Select the module named Rule.

    This is the default module. (If you have registered any custom modules, they too will be available for selection.)

  4. Click Next.

    The Rule Editor window appears.

  5. Enter the appropriate information:

    Rule ID. Type a name for the rule; be sure to use an alphanumeric string with no spaces.

    enable. Select this option.

    predicate. Leave this field blank.

    type. Select crl.

    mapper. Select the mapper you added for locating the CA's entry in the directory.

    publisher. Select the publisher you added for publishing the CRL.

  6. Click OK.

    The Rules Management tab appears, listing the new rule.

Step 5. Identify the Publishing Directory

To identify the directory to which the Certificate Manager should publish the CA certificate, end-entity certificates, and CRLs:

  1. In the navigation tree of the CMS window, select Certificate Manager, and then select Publishing.

    The right pane shows the publishing details necessary for the server to publish to an LDAP-compliant directory.

  2. To enable LDAP publishing, select both the "Enable Publishing" and "Enable default LDAP connection" options.
  3. In the Destination section, identify the Directory Server instance:

    Host name. Type the full host name of the Directory Server instance in this format: <machine_name>.<your_domain>.<domain>

    The Certificate Manager uses this name to locate the directory.

    If you configured the Directory Server for SSL client authenticated communication (in "Step E. Specify the Directory Authentication Method"), the name you enter here must match the CN component in the subject DN of the Directory Server's SSL server certificate. For example, the host name may look like corpDirectory.siroe.com.

    Port number. Type the TCP/IP port number at which the Directory Server listens for certificate and CRL publishing requests from the Certificate Manager; you specified this port in "Step 10. Verify the Port Number". The port you specify must be unique on the Directory Server host system; make sure no other application is attempting to use the port.

    Authentication. Select the authentication type appropriate to your Directory Server configuration. The choices are Basic authentication and SSL client authentication.

    If you configured the Directory Server for basic authentication or for SSL communication without client authentication, select Basic authentication and specify values for the Directory manager DN and password.

    If you configured the Directory Server for SSL communication with client authentication, select SSL client authentication, select the Use SSL communication option, and identify the certificate that the Certificate Manager must use for SSL client authentication to the directory.

    Use SSL communication. Select this option if the port number you specified is an SSL port; deselect the box if the port is non-SSL. The type of port you specify determines whether the Certificate Manager needs to do SSL client authentication prior to publishing certificates and CRLs to the directory.

    Client certificate. Select the certificate you want the Certificate Manager to use for SSL client authentication to the publishing directory. By default, the Certificate Manager uses its SSL server certificate for this purpose (see "SSL Server Key Pair and Certificate").

    Directory manager DN. Type the distinguished name (DN) of the directory entry that you identified in "Step C. Identify an Entry That Has Write Access". The Certificate Manager uses this DN to access the directory tree and to publish to the directory. The access control set up for this DN determines whether the Certificate Manager can perform publishing. Typically, you would want to enter the directory manager's DN because it has read-write permission to the entire directory tree (the root DN). For more information on the root DN, see "Root Distinguished Name".

    Password. Type the password for this DN. The Certificate Manager saves this password in the single sign-on password cache and uses it during startup; for details, see "Required Start-up Information". (If you change the password, the server updates the single sign-on password cache with the new password.)

    LDAP version. Select the version of the LDAP protocol appropriate to your version of Directory Server. If the directory you want the Certificate Manager to publish to is based on Netscape Directory Server 1.x, select version 2. For Directory Server versions 3.x and later, select LDAP version 3.

  4. To save your changes, click Save.

    The server attempts to connect to the specified Directory Server. If the information you specified is incorrect, the server displays an error message; correct the information and save your changes again.

    If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.

Step 6. Test Certificate and CRL Publishing

To test whether you've configured the Certificate Manager correctly to publish certificates and CRLs to the directory, follow these steps:

Step A. Decide a Directory Entry for Requesting a Certificate

Decide on a user entry for which you will request a certificate. This way, you can check whether the Certificate Manager published the certificate to that entry. The entry you choose could be any end-entity's directory entry, as long as it supports the userCertificate;binary attribute.

If you don't have a directory entry yet, you can create one for testing purposes.

Step B. Request a Certificate

The steps outlined below explain how to request a personal certificate from the Certificate Manager using the manual enrollment method (see "Manual Authentication"). If you've configured the Certificate Manager for automated certificate issuance, for example for directory-based enrollment, you can use the appropriate form and request a certificate.

To request a client or personal certificate from the Certificate Manager:

  1. Open a web browser window.
  2. Go to the end-entity interface of the Certificate Manager you configured (or to the Registration Manager that's connected to this Certificate Manager). The URL is in this form:

    https://<host_name>:<end_entity_HTTPS_port>

    or

    http://<host_name>:<end_entity_HTTP_port>

  3. In the left frame, under Browser, select Manual.

    This opens the manual enrollment form.

  4. Fill in all the values and submit the request.

    The client prompts you to enter the password for your key database.

  5. When you enter the correct password, the client generates the key pairs.

    Do not interrupt the key-generation process.

Step C. Approve the Request

Skip this step if you used an automated enrollment method for requesting the certificate. Complete this step if you used the manual enrollment form for requesting the certificate; the request you submitted is waiting in the agent queue for approval by an agent.

To approve the request:

  1. Go to the Certificate Manager's Agent Services interface.

    The URL is in this format: https://<host_name>:<agent_port>

  2. In the left frame, click List Requests.
  3. In the form that appears, select the "Show pending requests" option and click Find.
  4. In the list of pending requests, locate the request you submitted and approve the request.
  5. You should see a confirmation page indicating that the certificate has been issued. Don't close the page until after you read the next step.

Step D. Download the Certificate to the Browser

To download the certificate into your browser's certificate database:

  1. In the confirmation page, scroll down to the section that says "Installing this certificate in a client."
  2. Follow the on-screen instructions and download the certificate to your browser's certificate database.

    (An alternative way to download the certificate is from the Retrieval tab of the end-entity services interface.)

  3. Open the browser's security information window and verify that the certificate has been stored in the certificate database.

Step E. Check if the Directory Has the Certificate

If you've configured the Certificate Manager and Directory Server correctly, the Certificate Manager automatically publishes the certificate to the directory whenever it issues a certificate.

Verify that the Certificate Manager has published the certificate to the correct user entry.

If you're using Netscape Directory Server version 4.x you can do this verification from the Directory Server window as follows:

  1. In Netscape Console, double-click the Directory Server instance that corresponds to the publishing directory.

    This opens the Directory Server window.

  2. Select the Directory tab.
  3. Locate the user entry for which you requested the certificate.
  4. Double-click the entry and check if the entry has a certificate attribute.

    You should find the certificate published to the attribute. You won't be able to see anything interesting about the certificate; it will be a DER-encoded binary blob.

Alternatively, you can point your browser to the user entry in the directory to verify that the certificate has been published. To do this:

  1. Open a web browser window.
  2. In the URL field, type

    ldap://<host_name>:<port>/<base_dn>??sub?(uid=<user_id>)

    substituting <host_name> with the fully qualified host name of the Directory Server, <port> with the port number at which the Directory Server listens for publishing requests from the Certificate Manager, <base_dn> with the DN at which to start searching for the user's entry, and <user_id> with the ID of the user to whom you issued the certificate.

    For example, if the directory host name is corpDirectory, the port number is 389, the base DN is O=siroe.com, and the user's ID is jdoe, the URL would look like this:

    ldap://corpDirectory:389/O=siroe.com??sub?(uid=jdoe)

  3. In the resulting page, look for the user's certificate-related information. The information typically includes the owner of the certificate, the CA that issued the certificate, the serial number, the validity period, and the certificate fingerprint.

Step F. Revoke the Certificate

To check whether you've configured the Certificate Manager to publish the CRL to the directory correctly, revoke the certificate you issued. In "Step A. Specify CRL Details", if you didn't configure the Certificate Manager to publish the CRL every time a certificate is revoked, go back to the Revocation List tab and select the "Every time a certificate is revoked or taken off-hold" option. After you complete testing, remember to go back to the same tab and uncheck the option.

To revoke the certificate:

  1. Go to the end-entity interface for the Certificate Manager (or to the Registration Manager that's connected to this Certificate Manager). Be sure to go to the HTTPS interface (the revocation feature is not available in the HTTP interface).
  2. Select the Revocation tab.
  3. In the left frame, select User Certificate.

    The User Certificate Revocation form appears.

  4. In the Revocation Reason section, select Unspecified and click Submit.

    The client displays the "Select a Certificate" dialog box and prompts you to choose the certificate you want to revoke.

  5. Select the certificate you downloaded and click OK.

    The certificate is revoked.

Step G. Check the Directory for the CRL

Verify that the Certificate Manager published the CRL (in this case, containing the single certificate that you revoked) to the correct location in the directory--that is, the certificateRevocationList;binary attribute of the CA's entry in the directory.

To do this:

  1. Go to the publishing directory.
  2. Locate the CA's entry.
  3. Check the certificateRevocationList;binary attribute.
  4. You should find the CRL published.

Manually Updating Certificates and CRL in a Directory

Normally you do not need to manually update the directory with certificate-related information; if configured properly, the Certificate Manager handles most of the updates automatically. However, a situation might arise in which you need to update the directory manually. For example, Directory Server might be down for a while and be unable to receive changes from the Certificate Manager. In such a situation, use the forms provided in the Certificate Manager Agent Services interface to manually update the directory.

Certificate Manager's publishing directory can be manually updated by a Certificate Manager agent only. Agent operations are restricted to those with a valid agent certificate; see "Agent's Certificate for SSL Client Authentication". For complete details on agent operations, see Netscape Certificate Management System Agent's Guide.

Manually Updating Certificates in the Directory

The Update Directory Server form in the Certificate Manager Agent Services interface enables you to manually update the directory with certificate-related information. This form lets you initiate a combination of the following operations:

To manually update the directory with changes:

  1. Open a web browser window.
  2. Go to the Certificate Manager Agent Services interface.

    You must submit the proper certificate to get access to this page.

  3. Select the Update Directory Server link.

    The Update Directory Server page appears.

  4. Select the appropriate options.
  5. When you are done specifying the changes that you want updated, click Update Directory.

    The Certificate Manager starts updating the directory with the certificate information in its internal database. In some circumstances, for example if the changes are substantial, updating the directory can take considerable time. During this period, any changes made through the Certificate Manager (for example, any certificates issued or any certificates revoked) may not be included in the update. If you have issued or revoked any certificates during that time, you need to update the directory again to reflect those changes.

    When the directory update is complete, the Certificate Manager displays a status report. If for some reason the process gets interrupted, the server logs an error message. Be sure to check logs if that happens; for details, see "Monitoring Logs".

Manually Updating the CRL in the Directory

The Update Certificate Revocation List form in the Certificate Manager Agent Services interface enables you to manually update the directory with CRL-related information.

To manually update the CRL information in the directory:

  1. Go to the Certificate Manager Agent Services page.

    You must submit the proper client certificate to get access to this page.

  2. Select Update Revocation List.

    The Update Certificate Revocation List page appears.

  3. From the Signature algorithm drop-down list, select the appropriate signature algorithm.
  4. Click Update.

    The Certificate Manager starts updating the directory with the CRL in its internal database. In some circumstances, for example, if the CRL is large, updating the directory may take considerable time. During this period, any changes made to the CRL (for example, any new certificates revoked) may not be included in the update.

    When the directory is updated, the Certificate Manager will display a status report. If the process gets interrupted for some reason, the server logs an error message. Be sure to check logs if that happens; for details, see "Monitoring Logs".


Publishing Certificates and CRLs to Flat Files

The Certificate Manager can publish certificates and CRLs to flat files, which can then be imported into any repository, for example, into a relational database. If you configure the server to publish certificates and CRLs to flat files, it publishes them to files as DER-encoded binary blobs.

To configure the Certificate Manager to publish certificates and CRLs to files, follow these steps:

Step 1. Plan

Before configuring a Certificate Manager to publish the CA certificate, end-entity certificates, and CRLs to flat files:

Step 2. Configure the Certificate Manager

To configure a Certificate Manager to publish certificates and CRLs to files, follow these steps:

Step A. Create a Publisher for the Flat File

Creating a publisher for the flat file involves creating an instance of the publisher module that enables the Certificate Manager to publish certificates and CRLs to flat files. In the next step, "Step B. Create Publishing Rules for Publishing CA Certificate, End-Entity Certificates and CRLs", you specify the publisher you create here.

To create a publisher:

  1. Log in to the CMS window for the Certificate Manager (see "Logging In to the CMS Window").
  2. Select the Configuration tab.
  3. In the navigation tree, select Certificate Manager, select Publishing, and then select Publishers.

    The right pane displays the Publishers Management tab, which lists configured publisher instances.

  4. Click Add.

    The Select Publisher Plugin Implementation window appears. It lists registered publisher modules.

  5. Select the module named FileBasedPublisher.

    Only this publisher module enables the Certificate Manager to publish certificates and CRLs to flat files; for details about the module, see "Flat File Publisher".

  6. Click Next.

    The Publisher Editor window appears.

  7. Enter the appropriate information:

    Publisher ID. Type a name for the publisher. Be sure to use an alphanumeric string with no spaces.

    directory. Type the complete path to the directory in which the Certificate Manager should create the DER-encoded files; the path can be an absolute path or can be relative to the CMS instance directory. For example, C:\certs_crls.

  8. Click OK.

    You are returned to the Publishers Management tab. It should now list the publisher you just created.

  9. If you want to publish certificates and CRLs to two separate directories, repeat steps 4 through 8 to create another publisher with the value of the directory parameter set to the path of the other directory.

Step B. Create Publishing Rules for Publishing CA Certificate, End-Entity Certificates and CRLs

Creating a publishing rule for the CRL involves creating a rule that uses the publisher that you created in the previous step.

To create a publishing rule:

  1. In the navigation tree, under Publishing, select Rules.

    The right pane displays the Rules Management tab, which lists configured publishing rules.

  2. Click Add.

    The Select Rule Plugin Implementation window appears. It lists the registered modules for creating publishing rules.

  3. Select the module named Rule.

    This is the default module. (If you have registered any custom modules, they too will be available for selection.)

  4. Click Next.

    The Rule Editor window appears.

  5. Enter the appropriate information:

    Rule ID. Type a name for the rule that will help you identify it later; use an alphanumeric string with no spaces.

    type. Select crl.

    predicate. Leave this field blank.

    enable. Select this option.

    mapper. Select <NONE>.

    publisher. Select the publisher you created in the previous step.

  6. Click OK.

    The Rules Management tab appears, listing the new rule you just created for publishing CRLs to flat files.

  7. Repeat steps 2 through 6 to create publishing rules for the CA certificate and for each type of end-entity certificate the Certificate Manager will issue. Use Table 22.1 for filling in the correct values in the type and predicate fields. (For information on predicates, see "Using Predicates in Policy Rules".)

Table 22.2 Certificate type and predicate expression

  End-entity certificate type                                "type" field value   "predicate" field value
  SSL client certificate                                     certs                HTTP_PARAMS.certType==client
  SSL server certificate                                     certs                HTTP_PARAMS.certType==server
  Object signing certificate                                 certs                HTTP_PARAMS.certType==objSignClient
  Certificate Manager signing certificate (subordinate CA)   cacert               HTTP_PARAMS.certType==ca
  Registration Manager signing certificate                   certs                HTTP_PARAMS.certType==ra
  OCSP responder certificate                                 certs                HTTP_PARAMS.certType==ocspResponder
  Router certificate                                         certs                HTTP_PARAMS.certType==CEP-Router

Step C. Specify CRL Details

You can specify information, such as the publishing interval, the CRL version (whether to include CRL extensions), and the signing algorithm the Certificate Manager should use for signing the CRL object.

To specify CRL details:

  1. In the navigation tree, select Certificate Manager, and then in the right pane, select the Revocation List tab.
  2. In the Update Frequency section, specify the interval for publishing the CRL to the directory:

    Every time a certificate is revoked, or taken off-hold. Select this option if you want the Certificate Manager to generate the CRL every time it revokes a certificate. Keep in mind that the Certificate Manager attempts to publish the CRL to the configured directory whenever it is generated, in this case, every time a certificate is revoked. Publishing a CRL can be time consuming if the CRL is large. Configuring the Certificate Manager to publish CRLs every time a certificate is revoked may engage the server for a considerable amount of time; during this time, the server will not be able to service any requests it receives and will not be able to update the directory with any changes it receives.

    (This setting is not recommended for a standard installation. You can select this option if you want to see the results of revocation immediately, for example, when testing whether the server publishes the CRL to a flat file.)

    Update at this frequency. Select this option if you want the Certificate Manager to generate CRLs at regular intervals. In this case, the server publishes the CRL to the configured directory at the interval you specify.

    In the adjoining text field, type the interval, in minutes, at which the Certificate Manager should publish CRLs. For example, if you want the server to publish CRLs every day, type 1440 in this field.

    with a skew of. If you configure the Certificate Manager to update the CRL automatically at a fixed interval, the server by default adds a 5 second skew to the next update time to allow time to create the CRL and publish it. For example, if you configure the server to update the CRL every 20 minutes, and if the CRL is updated at 16:00:00, the CRL will be updated again at 16:19:55. You can change the skew by editing the default value, which is specified in seconds.

  3. In the CRL Format section, specify the format for publishing the CRL:

    Include expired certificates. Check this box if you want the server to include revoked certificates that have expired in the CRL.

    Allow extensions. Check this box if you want to allow extensions in the CRL. If you enable this option, the server generates and publishes CRLs conforming to the X.509 version 2 standard. If you disable this option, the server generates and publishes CRLs conforming to the X.509 version 1 standard. By default, the server publishes version 1 CRLs. If you enable this option, be sure to set the required CRL extensions as described in "Step D. Set the CRL Extensions".

    Revocation list signing algorithm. Select the algorithm the server should use to sign the CRL. If the Certificate Manager's signing key type is RSA, select MD2 with RSA, MD5 with RSA, or SHA-1 with RSA. If the Certificate Manager's signing key type is DSA, select SHA-1 with DSA.

  4. To save your changes, click Save.

    The configuration is modified. If the changes you made require you to restart the server, you are prompted accordingly. Don't restart the server yet; you can restart it after you've made all the required changes.

Step D. Set the CRL Extensions

Complete this step only if you configured the Certificate Manager to publish version 2 CRLs in the previous step--that is, if you selected the "Allow extensions" option in "Step C. Specify CRL Details".

During installation, the Certificate Manager creates default CRL extension rules; these are shown in Table 21.10. Note that the server is configured to add the CRL Reason extension only; all the other rules are in the disabled state. In this step, you modify the default rules to suit your organization's requirements.

To specify the CRL extensions the Certificate Manager should set:

  1. In the navigation tree, select Certificate Manager, and then select CRL Extensions.

    The right pane shows the CRL Extensions Management tab, which lists configured extensions.

  2. To modify a rule, select it and then click Edit/View.
  3. Change the information as appropriate.

    Be sure to supply all the required values. Click the Help button for detailed information on individual parameters.

  4. Click OK.

    You are returned to the CRL Extensions Management tab.

  5. To modify other rules, repeat steps 2 through 4.
  6. Click Refresh to see the updated status of all the rules.

Step E. Make Sure Publishing is Enabled

To make sure that the Certificate Manager is configured for publishing:

  1. In the navigation tree, select Certificate Manager, then select Publishing.

    The right pane shows the publishing details necessary for the server to publish to an LDAP-compliant directory, to flat files, or to an online validation authority.

  2. Make sure that the Enable Publishing option is selected. If it is already selected, leave it as it is. If it isn't, select it.

    (Leave the "Enable default LDAP connection" option as it is; it specifies that the Certificate Manager is configured to publish certificates and CRLs to an LDAP directory.)

  3. If you changed anything, click Save to save the changes.

    If the changes you made require you to restart the server, you are prompted accordingly. In that case, restart the server.

Step 3. Test Publishing

To verify that the Certificate Manager is publishing certificates and CRLs correctly to flat files, follow these steps:

Step A. Request a Certificate

The steps outlined below explain how to request a personal certificate from the Certificate Manager using the manual enrollment method (see "Manual Authentication"). If you've configured the Certificate Manager for automated certificate issuance, for example for directory-based enrollment, you can use the appropriate form and request a certificate.

To request a client or personal certificate from the Certificate Manager:

  1. Open a web browser window.
  2. Go to the end-entity interface of the Certificate Manager you configured (or to the Registration Manager that's connected to this Certificate Manager). The URL is in this form:

    https://<host_name>:<end_entity_HTTPS_port>

    or

    http://<host_name>:<end_entity_HTTP_port>

  3. In the left frame, under Browser, click Manual.

    This opens the manual enrollment form.

  4. Fill in all the values and submit the request.

    The client prompts you to enter the password for your key database.

  5. When you enter the correct password, the client generates the key pair.

    Do not interrupt the key-generation process.

Step B. Approve the Request

Skip this step if you requested the certificate using any of the automated enrollment methods in "Step A. Request a Certificate". Complete this step if you used the manual enrollment form to request the certificate; the request you submitted is waiting in the agent queue for approval by an agent.

To approve the request:

  1. Go to the Certificate Manager's Agent Services interface. The URL is in this format:

    https://<host_name>:<agent_port>

  2. In the left frame, click List Requests.
  3. In the form that appears, select the "Show pending requests" option and click Find.
  4. In the list of pending requests, identify the request you submitted and approve the request.

    You should see a confirmation page indicating that the certificate has been issued. Don't close the page until after you complete the next step.

Step C. Download the Certificate to the Browser

To download the certificate into your browser's certificate database:

  1. In the confirmation page, scroll down to the section that says "Installing this certificate in a client."
  2. Follow the on-screen instructions and download the certificate to your browser's certificate database.

    (An alternative way to download the certificate is from the Retrieval tab of the end-entity services interface.)

  3. Open the browser's security information window and verify that the certificate has been stored in the certificate database.

Step D. Check the File for the Certificate

Whenever the Certificate Manager issues a certificate, it automatically attempts to publish the certificate to the configured repository--in this case, the flat file. To check whether the Certificate Manager published the correct certificate, you need to do the following:

  1. Check whether the server generated the DER-encoded file containing the certificate.

    To check whether the server published the certificate as a binary blob to the specified directory, go to the directory or folder you specified for the server to publish certificates. You should see a file with a name similar to cert-<serial_number>.der, where <serial_number> is the serial number of the certificate contained in the file. If you don't see a file, check your configuration.

  2. Convert the DER-encoded certificate to its base 64-encoded format using the Binary to ASCII tool (see "Binary to ASCII Tool").

    To convert the DER-encoded certificate to its base 64-encoded form:

    1. Open a command window.
    2. Go to this directory: <server_root>/bin/cert/tools
    3. At the prompt, enter this:

      BtoA[.bat] <input_file> <output_file>

      substituting <input_file> with the path to the file that contains the DER-encoded certificate and <output_file> with the path to the file to which to write the base-64 encoded certificate. (The optional .bat specifies the file extension; this is required only when running the utility on a Windows NT system.)

      For example, if the file is in C:\certificates\cert-1234.der and you want the base-64 encoded certificate to be in C:\certificates\cert-1234.txt, the command would look like this:

      BtoA C:\certificates\cert-1234.der C:\certificates\cert-1234.txt

    4. When the conversion is complete, open the output file (cert-1234.txt in the example) in a text editor. You should see a base-64 encoded certificate similar to this:

      -----BEGIN CERTIFICATE-----

      MMIIBtgYJYIZIAYb4QgIFoIIBpzCCAZ8wggGbMIIBRaADAgEAAgEBMA0GCSqGSIb3DQEBBAUAM
      FcxCAJBgNVBAYTAlVTMSwwKgYDVQQKEyNOZXRzY2FwZSBDb21tdW5pY2F0aWhfyyuougjgjjgm
      kgjkgmjgfjfgjjjgfyjfyj9ucyBDb3Jwb3JhdGlvbjpMEaMBgGA1UECxMRSXNzdWluZyhgdf
      hbfdpffjphotokogdhkBBdXRob3JpdHkwHhcNOTYxMTA4MDkwNzM0WhcNOTgxMTA4MDkwNzMM0
      WjBXMQswCQYDVQQGEwJVUzEsMCoGA1UEChMjTmV0c2NhcGUgQ29tbXVuaWNhdGlvbnMgQ29ycG
      9yY2F0aW9ucyBDb3Jwb3JhdGlvbjpMEaMBgGA1UECxMRSXNzdWluZyBBdXRob3JpdHkwHh

      -----END CERTIFICATE-----

  3. Convert the base 64-encoded certificate to a human-readable form using the Pretty Print Certificate tool (see "Pretty Print Certificate Tool").

    To convert the base 64-encoded certificate to a human-readable form:

    1. Check the command window to make sure that you are in this directory: <server_root>/bin/cert/tools
    2. At the prompt, enter this:

      PrettyPrintCert[.bat] <input_file> [<output_file>]

      substituting <input_file> with the path to the ASCII file that contains the base-64 encoded certificate and <output_file> with the path to the file to which to write the certificate in a human-readable form. If you don't specify an output file, the certificate information is written to the standard output. (The optional .bat specifies the file extension; this is required only when running the utility on a Windows NT system.)

      For example, if the base-64 encoded certificate is in C:\certificates\cert-1234.txt and you want the human-readable form of the certificate to be displayed on your screen, the command would look like this:

      PrettyPrintCert.bat C:\certificates\cert-1234.txt

      When the conversion is complete, you should see the certificate you issued in human-readable form.

    3. Compare the output with the certificate you issued; be sure to check the serial number in the certificate against the one used in the filename.

      If everything matches, the Certificate Manager is configured correctly to publish certificates to files.

Step E. Revoke the Certificate

To check whether the Certificate Manager is configured correctly to publish CRLs to flat files, you need to revoke the certificate you issued. Before revoking the certificate, make sure that you've configured the Certificate Manager to publish the CRL every time a certificate is revoked. (In "Step C. Specify CRL Details", if you didn't configure the Certificate Manager to publish the CRL every time a certificate is revoked, go back to the Revocation List tab and check the "Every time a certificate is revoked or taken off-hold" option. After the testing, remember to go back to the same tab and uncheck the option.)

To revoke the certificate:

  1. Go back to the end-entity interface for the Certificate Manager (or to a Registration Manager that's connected to this Certificate Manager). Be sure to go to the HTTPS interface; the revocation feature is not available in the HTTP interface.
  2. Click the Revocation tab.
  3. In the left frame, click User Certificate.

    The User Certificate Revocation form appears.

  4. In the Revocation Reason section, select Unspecified and click Submit.

    The browser displays the "Select a Certificate" dialog box and prompts you to choose the certificate you want to revoke.

  5. Select the certificate you downloaded and click OK.

    The certificate is revoked.

Step F. Check the File for the CRL

Whenever the Certificate Manager generates a CRL, it automatically attempts to publish the CRL to the configured repository--in this case, the flat file. The CRL it publishes is a binary blob, in the DER-encoded format. To check whether the Certificate Manager published the correct CRL (in this case, the CRL contains only one certificate), you need to do the following:

  1. Check whether the server generated the DER-encoded file containing the CRL.

    To check whether the server published the CRL as a binary blob to the specified directory, go to the directory you specified for the server to publish CRLs. You should find a file with a name in the crl-<this_update>.der format, where <this_update> is a value derived from the time-dependent This Update field of the CRL contained in the file. If you don't see the file, check your configuration.

  2. Convert the DER-encoded CRL to its base 64-encoded format using the Binary to ASCII tool (see "Binary to ASCII Tool").

    To convert the DER-encoded CRL to its base 64-encoded form:

    1. Open a command window.
    2. Go to this directory: <server_root>/bin/cert/tools
    3. At the prompt, enter this:

      BtoA[.bat] <input_file> <output_file>

      substituting <input_file> with the path to the file that contains the DER-encoded CRL and <output_file> with the path to the file to which to write the base-64 encoded CRL. (The optional .bat specifies the file extension; this is required only when running the utility on a Windows NT system.)

      For example, if the DER-encoded file is in C:\crls\crl-949102696899.der and you want the base-64 encoded CRL to be in C:\crls\crl-949102696899.txt, the command would look like this:

      BtoA C:\crls\crl-949102696899.der C:\crls\crl-949102696899.txt

    4. When the conversion is complete, open the output file (crl-949102696899.txt in the example) in a text editor. You should see a base-64 encoded CRL similar to this:

      -----BEGIN CRL-----

      MIIBkjCBAIBATANBgkqhkiG9w0BAQQFADAsMREwDwYDVQQKEwhOZXRzY2FwZTEXMBUGA1UEAx
      OQ2VydDQwIFRlc3QgQ0EXDTk4MTIxNzIyMzcyNFowgaowIAIBExcNOTgxMjE1MTMxODMyWjAMM
      AoGA1UdFQQDCgEBMCACARIXDTk4MTIxNTEzMjA0MlowDDAKBgNVHRUEAwoBAjAgAgERFw05ODE
      yMTYxMjUxNTRaMAwwCgYDVR0VBAMKAQEwIAIBEBcNOTgxMjE3MTAzNzI0WjAMMAoGA1UdFQQDC
      gEDMCACAQoXDTk4MTEyNTEzMTExOFowDDAKBgNVHRUEAwoBATANBgkqhkiG9w0BAQQFAAOBgQB
      CN85O0GPTnHfImYPROvoorx7HyFz2ZsuKsVblTcemsX0NL7DtOa+MyY0pPrkXgm157JrkxEJ7G
      BOeogbAS6iFbmeSqPHj8+JBH5stJNnfTCuhaM6Wx63Wc9LwZXOXTPsvpGxq0YYI0+DPfBZlI3z
      4lCsNczxJV+9NkeMrheEg==

      -----END CRL-----

  3. Convert the base 64-encoded CRL to a human-readable form using the Pretty Print CRL tool (see "Pretty Print CRL Tool").

    To convert the base 64-encoded CRL to a human-readable form:

    1. Check the command window to make sure that you are in this directory: <server_root>/bin/cert/tools
    2. At the prompt, enter this:

      PrettyPrintCrl[.bat] <input_file> [<output_file>]

      substituting <input_file> with the path to the ASCII file that contains the CRL in its base 64-encoded format and <output_file> with the path to the file to which to write the CRL information in a human-readable form. If you don't specify an output file, the CRL information is written to the standard output. (The optional .bat specifies the file extension; this is required only when running the utility on a Windows NT system.)

      For example, if the base-64 encoded CRL is in C:\crls\crl-949102696899.txt and you want the human-readable form of the CRL to be displayed on your screen, the command would look like this:

      PrettyPrintCrl.bat C:\crls\crl-949102696899.txt

      When the conversion is complete, you should see the CRL (in this case, the CRL will only contain the certificate you revoked) in human-readable form.

    3. Compare the output with the certificate you revoked.

      If they match, the Certificate Manager is configured correctly to publish CRLs to files.
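
The two file checks in "Step D. Check the File for the Certificate" and "Step F. Check the File for the CRL" can also be scripted. The following is an added Python example; it is not code from Certificate Management System or from its BtoA and PrettyPrint tools. It does what BtoA does (DER bytes to base64 between BEGIN/END lines; the 64-column wrapping is this example's choice), reads the serial number out of a DER certificate and compares it with the cert-<serial_number>.der filename (assuming the serial in the filename is decimal, as in the guide's cert-1234.der example), and lists the revoked serial numbers in a DER CRL so you can confirm that the certificate you revoked is in it. The sample certificate and CRL bytes are constructed inline; they carry only the leading fields the checks read and are not valid signed objects. The function names (read_tlv, cert_serial, crl_revoked_serials, check_cert_file, check_crl_file) are this example's own.

```python
"""Scripted version of the Step D / Step F file checks (added example, not CMS code)."""
import base64
import re
from datetime import datetime, timezone

# --- minimal DER encoding, used only to build the constructed samples at the bottom ---
def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """Tag-length-value element with a DER (definite, minimal) length."""
    return bytes([tag]) + _der_length(len(content)) + content

def der_integer(n):
    # the extra byte keeps the sign bit clear, so positive values stay positive
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_utctime(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))

# AlgorithmIdentifier for sha1WithRSAEncryption (1.2.840.113549.1.1.5) with NULL parameters
SHA1_WITH_RSA = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010105")) + b"\x05\x00")

# --- DER reading: just enough to reach the fields the manual test compares ---
def read_tlv(buf, pos=0):
    """Return (tag, value, position after this element) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_to_base64(der, label):
    """What BtoA does: base64 of the DER bytes between BEGIN/END lines (64-column wrap assumed)."""
    text = base64.b64encode(der).decode("ascii")
    body = "\n".join(text[i:i + 64] for i in range(0, len(text), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def cert_serial(cert_der):
    """Certificate -> tbsCertificate -> optional [0] version -> serialNumber."""
    _, cert, _ = read_tlv(cert_der)          # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert)               # tbsCertificate SEQUENCE
    tag, value, nxt = read_tlv(tbs)
    if tag == 0xA0:                          # [0] EXPLICIT version, absent in v1 certificates
        tag, value, nxt = read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(value, "big", signed=True)

def crl_revoked_serials(crl_der):
    """Return (thisUpdate, [revoked serials]) from CertificateList -> tbsCertList."""
    _, crl, _ = read_tlv(crl_der)            # CertificateList ::= SEQUENCE
    _, tbs, _ = read_tlv(crl)                # tbsCertList SEQUENCE
    tag, value, pos = read_tlv(tbs)
    if tag == 0x02:                          # optional version INTEGER (present in v2 CRLs)
        tag, value, pos = read_tlv(tbs, pos) # now at the signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)           # issuer Name
    tag, value, pos = read_tlv(tbs, pos)     # thisUpdate: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    this_update = datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    revoked = []
    while pos < len(tbs):                    # nextUpdate, revokedCertificates, [0] crlExtensions
        tag, value, pos = read_tlv(tbs, pos)
        if tag != 0x30:                      # only revokedCertificates is a SEQUENCE at this level
            continue
        entry_pos = 0
        while entry_pos < len(value):        # entry: SEQUENCE { userCertificate, revocationDate, ... }
            _, entry, entry_pos = read_tlv(value, entry_pos)
            _, serial, _ = read_tlv(entry)
            revoked.append(int.from_bytes(serial, "big", signed=True))
    return this_update, revoked

def check_cert_file(filename, cert_der):
    """Step D: the serial in the file must equal <serial_number> in cert-<serial_number>.der (decimal assumed)."""
    m = re.fullmatch(r"cert-(\d+)\.der", filename)
    return m is not None and int(m.group(1)) == cert_serial(cert_der)

def check_crl_file(crl_der, revoked_serial):
    """Step F: the published CRL must list the certificate that was just revoked."""
    return revoked_serial in crl_revoked_serials(crl_der)[1]

# Constructed sample (not a valid, signed certificate): leading fields of a v3 certificate, serial 1234.
SAMPLE_CERT_DER = tlv(0x30, tlv(0x30, tlv(0xA0, der_integer(2)) + der_integer(1234) + SHA1_WITH_RSA))

# Constructed sample (not a valid, signed CRL): v2 CRL, empty issuer name, one entry revoking serial 1234.
_ENTRY = tlv(0x30, der_integer(1234) + der_utctime(datetime(2000, 1, 28, 23, 30, 0)))
_TBS_CRL = (der_integer(1) + SHA1_WITH_RSA + tlv(0x30, b"")
            + der_utctime(datetime(2000, 1, 28, 23, 38, 16))      # thisUpdate
            + der_utctime(datetime(2000, 1, 29, 23, 38, 16))      # nextUpdate
            + tlv(0x30, _ENTRY))                                   # revokedCertificates
SAMPLE_CRL_DER = tlv(0x30, tlv(0x30, _TBS_CRL) + SHA1_WITH_RSA + tlv(0x03, b"\x00" * 9))

if __name__ == "__main__":
    print(der_to_base64(SAMPLE_CERT_DER, "CERTIFICATE"), end="")
    print("cert-1234.der matches its contents:", check_cert_file("cert-1234.der", SAMPLE_CERT_DER))
    print("CRL thisUpdate and revoked serials:", *crl_revoked_serials(SAMPLE_CRL_DER))
```

To run it against real published files, pass the bytes read from cert-<serial_number>.der or crl-<this_update>.der in place of the samples. The reader stops at the fields the manual test compares and does not check the signature; the product's PrettyPrintCert and PrettyPrintCrl tools, or a full X.509 library, remain the way to inspect everything else in the object.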


Publishing CRLs to Online Validation Authority
You can configure the Certificate Manager to publish CRLs to an online certificate validation authority, such as ValiCert Certificate VA (Certificate VA). This section explains how to set up Certificate VA (included with Certificate Management System) as your local online validation authority.

Step 1. Plan

Before you configure a Certificate Manager to publish CRLs to Certificate VA, do the following:

Step 2. Install an OCSP-Compliant Client

If you decided to install Personal Security Manager, which came with Certificate Management System, follow the steps below. If you downloaded the latest version of Personal Security Manager from the web site, follow the instructions that came with it. If you don't want to install Personal Security Manager, skip to "Step 3. Install the Certificate VA".

  1. Go to this directory: <server_root>/psm11
  2. Make sure you see the following files:

  3. Copy the file appropriate to the machine on which you have Netscape Communicator, version 4.7 or later, installed.
  4. Follow the instructions in the release notes and install the product.

    For example, on a Windows NT system, you can install Personal Security Manager by entering the path to the psm11_win32.jar file in the browser's URL area. On a Solaris system, you can unzip the file by running gunzip psm_11_solaris2.5.1.tar.gz, untar the file by running tar xvf psm11_solaris2.5.1.tar, and then install Personal Security Manager by running psm-install.

  5. Verify that Personal Security Manager is installed.

    In the menu bar, click Communicator, and from the Tools menu, select Security Info. You should see the Personal Security Manager interface (Figure 22.1).

    Figure 22.1 Personal Security Manager interface within Netscape Communicator

Step 3. Install the Certificate VA

To install the Certificate VA, follow these steps:

Step A: Verify and Copy Files

To do this:

  1. Go to this directory: <server_root>/cva301
  2. Make sure you see these files:
  3. Copy the files to the machine on which you want to install the OCSP responder.

Step B. Read the Documentation

Read the documentation: release notes for the package (release notes.txt), readme for Certificate VA, version 3.01 (cva301readme.txt), and the ValiCert Certificate VA Installation and Administration Guide, version 3.01 (cva.pdf file available in the docs directory).

Step C. Run the Installation Program

To install Certificate VA, follow the instructions in Chapter 2 of ValiCert Certificate VA Installation and Administration Guide. Be sure to do the following:

  1. When you run the setup (or install) program, you're prompted to specify the following:
  2. Note the values you assign to these.

  3. When the setup (or install) program is complete, choose the option to launch the Administration Interface.
  4. The installation program opens the Certificate VA Management menu (which is at http://<host>:<administration_port>/index.html) in a browser window.

Step D. Generate a Key Pair and Self-Signed Certificate

This section briefly outlines the steps you need to follow for Certificate VA to work with Certificate Management System; general details about this procedure can be found in Chapter 3 of ValiCert Certificate VA Installation and Administration Guide.

To generate a key pair and self-signed certificate:

  1. In the left pane, under SETUP, click Create New Key Pair, specify the details, and generate a key pair.
  2. Next, specify values for the certificate subject name, select the "Generate self-signed certificate" option, and submit the request. (You must select this option.)
  3. Scroll down the page and click Next Step.
  4. In the Add Certificate form that appears, select the following:
  5. Click Submit Certificate Type.
  6. The form for pasting the CA certificate (in its base 64-encoded format) shows up. Don't close the form as you will need to use it in "Step F. Add the CA Certificate to the Certificate Store".

Step E. Copy the CA Certificate

Certificate VA must hold the Certificate Manager's CA signing certificate in its certificate store: it uses that certificate to verify the CRLs the Certificate Manager publishes to it (the store lists it under "Certificates of CAs publishing CRLs to the VA"), and the OCSP-compliant clients in your PKI validate the OCSP responder certificate that Certificate VA presents against the same CA. The CA signing certificate is available in the Certificate Manager's internal database.

To copy the CA signing certificate:

  1. Open another browser window.
  2. Go to the Certificate Manager's end-entity interface.
  3. Select the Retrieval tab.
  4. In the left frame, click List Certificates.
  5. Click the Find button.
  6. Click the Details button for the first certificate listed; this is the CA's signing certificate. Confirm that the subject name shown is your CA's before you copy it.
  7. Copy the base-64 encoded certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines, to the clipboard or to a text file.

Step F. Add the CA Certificate to the Certificate Store

To install the CA certificate you copied in the Certificate VA's certificate store:

  1. Go back to the browser window that is showing the Certificate VA interface for pasting the CA signing certificate.
  2. Paste the certificate to the text area. Be sure to include the marker lines, -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
  3. Click Submit Certificate.
  4. A page appears indicating whether the certificate has been added successfully.

  5. Click Next Step.
  6. Scroll to the bottom of the page.
  7. Click Submit Configuration Parameters.
  8. Click Next Step.
  9. Reload the Certificate VA Management menu page (hold the Shift key down and click the browser's Reload icon on the menu bar).
  10. Don't close the page.

Step 4. Configure Certificate Manager for Required Extension Policies

As part of setting up an OCSP-compliant PKI, you will request an OCSP responder certificate for the Certificate VA you installed in the previous step from the Certificate Manager. For this certificate to work properly, it must contain the following extensions:

Also, to test whether your OCSP-compliant clients can verify the revocation status of certificates by querying the OCSP responder, you will issue a client certificate containing the Authority Information Access extension to the Personal Security Manager you installed. The extension specifies the location of the online validation authority, in this case Certificate VA. For details about this extension, see "Authority Information Access Extension Policy".

The Certificate Manager can add an extension to a certificate it issues only if the corresponding policy is enabled and configured properly. Hence, before issuing the OCSP responder and OCSP-compliant client certificate, you must verify that the Certificate Manager is configured with the appropriate policy rules to add the required extensions to these certificates (which you will request in the steps that follow).

To verify the status of policy rules that enable the Certificate Manager to add the extensions required in the OCSP responder certificate and the OCSP-compliant client certificate:

  1. Log in to Netscape Console (see "Logging In to Netscape Console").
  2. Log in to the CMS window (see "Logging In to the CMS Window").
  3. In the navigation tree, select Certificate Manager, and then select Policies.
  4. The Policy Rules Management tab appears. It lists configured policy rules.

  5. In the Policy Rule list, select the rule named OCSPNoCheckExt and click Edit; this rule was created by default during installation.
  6. The Policy Rule Editor window appears, showing how this rule is currently configured.

  7. Make sure the values assigned to parameters are as follows:
  8. Enable. Checked.

    predicate. HTTP_PARAMS.certType==ocspResponder.

    critical. Unchecked.

    The OCSP No Check extension tells OCSP-compliant clients not to check the revocation status of the responder certificate itself, so a compromised responder key cannot be revoked out from under those clients. Protect the Certificate VA's private key as carefully as a CA signing key, and keep the responder certificate's validity period short.

    If you need details about any of these parameters, click the Help button or see Table 18.21.

  9. Click OK.
  10. You are returned to the Policy Rules Management tab.

  11. Select the rule named OCSPSigningExt and click Edit; this rule was created by default during installation.
  12. The Policy Rule Editor window appears, showing how this rule is configured.

  13. Make sure the values assigned to parameters are as follows:
  14. Enable. Checked.

    predicate. HTTP_PARAMS.certType==ocspResponder.

    critical. Unchecked.

    id0. 1.3.6.1.5.5.7.3.9.

    If you need details about any of these parameters, click the Help button or see Table 18.10.

  15. Click OK.
  16. You are returned to the Policy Rules Management tab.

  17. Click Add.
  18. The Select Policy Plugin Implementation window appears. It lists registered policy modules.

  19. Select the module named AuthInfoAccessExt and click Next.
  20. The Policy Rule Editor window appears. It lists the configuration information required for this policy rule.

  21. Assign the following values:

  22. Enable. Check this box.

    predicate. Type HTTP_PARAMS.certType==client.

    critical. Leave this option unchecked.

    numADs. Type 1.

    ad0_method. Type ocsp or 1.3.6.1.5.5.7.48.1.

    ad0_location_type. Select URL.

    ad0_location. Type the complete path to the location where your OCSP responder listens to calls from OCSP-compliant clients. The path should be in this format: http://<host_name>:<service_port>.

    For example, if the URL to the Certificate VA you installed is
    http://ocspResponder.siroe.com:8000, type that URL here.

    If you need details about any of these parameters, click the Help button or see Table 18.2.

  23. Click OK.
  24. You are returned to the Policy Rules Management tab.

  25. Click Refresh.
  26. The Certificate Manager is ready to request OCSP responder and client certificates.
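The following added example (not code from Certificate Management System or Certificate VA) checks an issued certificate for the extensions the three policy rules above are supposed to add, so that you can verify the OCSP responder certificate you obtain in "Step 5. Replace the Certificate VA's Certificate" and the client certificate you issue in "Step 8. Test Publishing" before relying on them. It decodes the certificate's DER directly with a small walker rather than a full X.509 library. The OIDs for Extended Key Usage (2.5.29.37), Authority Information Access (1.3.6.1.5.5.7.1.1) and the OCSP No Check extension (1.3.6.1.5.5.7.48.1.5) are the standard PKIX values, not taken from this page; the sample certificate it builds is a constructed structural stand-in with no real signature, names or key, present only so the checks can run offline.

```python
"""Check a certificate for the OCSP-related extensions configured in Step 4.
Added example, not part of Certificate Management System or Certificate VA: a
minimal DER walker for X.509 v3 extensions, not a general parser. The sample
certificate built at the bottom is a constructed stand-in with no real signature."""
import base64

OID_EKU = "2.5.29.37"                      # Extended Key Usage (standard value)
OID_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"     # id-kp-OCSPSigning, id0 of OCSPSigningExt
OID_OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"  # id-pkix-ocsp-nocheck, set by OCSPNoCheckExt
OID_AIA = "1.3.6.1.5.5.7.1.1"              # Authority Information Access (standard value)
OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"         # access method "ocsp", ad0_method above

def der(tag, body):
    """Encode one DER element, using long-form length when the body is 128+ bytes."""
    n = len(body)
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([tag]) + (lb if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]                 # base-128, last byte has bit 8 clear
        while a := a >> 7:
            chunk.append((a & 0x7F) | 0x80)
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element) for one DER element."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                           # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    """All (tag, value) elements packed back to back inside a constructed value."""
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def certificate_extensions(cert):
    """Map extnID -> (critical, extnValue) for a PEM or DER certificate."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        lines = [ln for ln in cert.splitlines() if ln and not ln.startswith(b"-----")]
        cert = base64.b64decode(b"".join(lines))
    _, tbs, _ = read_tlv(read_tlv(cert)[1])           # tbsCertificate body
    exts = {}
    for tag, val in children(tbs):
        if tag == 0xA3:                               # [3] EXPLICIT Extensions
            for _, ext in children(read_tlv(val)[1]):
                fields = children(ext)                # extnID, [critical], extnValue
                critical = len(fields) == 3 and fields[1][1] != b"\x00"
                exts[decode_oid(fields[0][1])] = (critical, fields[-1][1])
    return exts

def check_ocsp_responder_cert(exts):
    """Problems with an OCSP responder certificate; an empty list means it is acceptable."""
    problems = []
    if OID_OCSP_NOCHECK not in exts:
        problems.append("missing OCSP No Check extension")
    eku = exts.get(OID_EKU)
    usages = [decode_oid(v) for _, v in children(read_tlv(eku[1])[1])] if eku else []
    if OID_OCSP_SIGNING not in usages:
        problems.append("Extended Key Usage lacks id-kp-OCSPSigning")
    return problems

def ocsp_urls(exts):
    """OCSP access locations (URIs) from the AIA extension, in certificate order."""
    aia, urls = exts.get(OID_AIA), []
    for _, ad in (children(read_tlv(aia[1])[1]) if aia else []):
        (_, method), (tag, loc) = children(ad)      # accessMethod, accessLocation
        if decode_oid(method) == OID_AD_OCSP and tag == 0x86:  # [6] uniformResourceIdentifier
            urls.append(loc.decode("ascii"))
    return urls

def _ext(oid, value, critical=False):
    flag = der(0x01, b"\xff") if critical else b""
    return der(0x30, encode_oid(oid) + flag + der(0x04, value))

def sample_certificate(exts_der):
    """Constructed stand-in: v3 version, serial 1, empty placeholders, then the extensions."""
    empty = der(0x30, b"")
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + empty * 5 + der(0xA3, exts_der)
    return der(0x30, der(0x30, tbs) + empty + der(0x03, b"\x00"))

def sample_responder_cert():
    eku = der(0x30, encode_oid(OID_OCSP_SIGNING))
    return sample_certificate(der(0x30, _ext(OID_EKU, eku) + _ext(OID_OCSP_NOCHECK, der(0x05, b""))))

def sample_client_cert(url="http://ocspResponder.siroe.com:8000"):
    ad = der(0x30, encode_oid(OID_AD_OCSP) + der(0x86, url.encode("ascii")))
    return sample_certificate(der(0x30, _ext(OID_AIA, der(0x30, ad))))
```

To use it on a real certificate, save the base 64 blob shown in the agent interface (marker lines included) to a file and pass its bytes to certificate_extensions. An empty list from check_ocsp_responder_cert means both the OCSPNoCheckExt and OCSPSigningExt rules did their job; for the client certificate, ocsp_urls must return exactly the URL you typed in ad0_location, or Personal Security Manager will have nothing to query.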

Step 5. Replace the Certificate VA's Certificate

When you installed Certificate VA (in "Step 3. Install the Certificate VA"), you generated a key pair and a corresponding certificate; Certificate VA self-signed this certificate. The certificate is intended for use by Certificate VA to identify itself to OCSP-compliant clients, and the private key of the key pair is intended for use by Certificate VA to sign the certificate-validation responses it sends when queried about the revocation status of a certificate.

For Certificate VA to function as your CA-designated responder, you must replace its self-signed certificate with an OCSP responder certificate issued by your CA--the Certificate Manager that signs or revokes the certificates whose revocation status the OCSP responder will verify. You added this CA's signing certificate to the Certificate VA's certificate store in "Step F. Add the CA Certificate to the Certificate Store".

The end-entity interfaces of both the Registration Manager and the Certificate Manager include a form for manually requesting a certificate for an OCSP responder. The default enrollment form for an OCSP responder certificate carries the attributes (for example, HTTP_PARAMS.certType=ocspResponder) that identify the request as one for an OCSP responder certificate, so when the request passes through the Certificate Manager's policies, the required extensions (OCSP No Check and OCSP Signing) are added to the certificate.

To convert the Certificate VA to your CA-designated responder:

Step A. Copy the Server's Certificate Signing Request

To copy the Certificate VA's certificate signing request (CSR):

  1. Go to the Certificate VA Management menu.
  2. In the browser's URL field, enter the URL for the Certificate VA Management menu; it's in this form: http://<host_name>:<administration_port>

  3. In the left frame, select Manage Keys and Certificates, and then select the Display Certificate Request option.
  4. Select the type of request and click Display Certificate Request.
  5. The certificate signing request, in its base 64-encoded format, appears.

  6. Copy the base 64-encoded blob, including the marker lines, -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----, to the clipboard or a text file. For example, the information you copied should look like this:

    -----BEGIN CERTIFICATE REQUEST-----

    XRpb24xGjAYBgNVBAsTEUlzc3VpbmcgQXV0aG9yaXR5MFowDQYJKoZIhvcNAQEBBQADSQAwRgJBAM
    OBiQPcK8851jjQXA2GBsaKNFg6pYaM3qhQhM0w5EIy6P1ttMjc5MlPIzZHdlgNdQLzaNoLMVKjOV
    sBp+ffkCAQMwDQYJKoZIhvcNAQEEBQADQQCWPU4gI5uaWM3Egs9909HRGIHGgwpR7Y538BGDTHOGD
    KBGDKBNGDKHJPYRKJOKNXKCQWUY7P0Y9=E50668695SWRGQ3NRI3QJR3QPIGIGIRWGAbXfhQMMIIB
    BzCBsgIBADBPMQswCQYDVQQGEwJVUzEoMCYGA1UEChMfTmV0c2NhcGUgRGlyZWN0b3J5IFB1YxpY2
    F0aW9uczEWMBQGA1UEAxMNZHVtcC5tY29tLmNvbTBaMA0GCSqGSIb3DQEBAQU2nfjiMEYCQQ0ksMR
    aLGdfp4m0OiGcgijG5KgOsyRNvwGYW7kfW+8mmijDtZRjYNjjcgpF3VnlsbxbclX9LVjjNLCM57u3
    7XZdAgEDoAAwDQYJKoZIhvcNAQEEBQADQQCYUTnUtCVGyNrYGSfydclqiovxy1fRD1z23zg+eK7n8
    5UyE4r5zGZjDsMYr172ytfAFL7DeG83DWzr8Z

    -----END CERTIFICATE REQUEST-----

    Don't make any changes to the copied information. You need to paste the request exactly as it is into the OCSP Responder Enrollment form of the Certificate Manager.

Step B. Request an OCSP Responder Certificate From the Certificate Manager

To request an OCSP responder certificate from the Certificate Manager:

  1. Go to the end-entity interface of the Certificate Manager that will publish the CRL to Certificate VA; if you've disabled enrollment via the Certificate Manager, go to the Registration Manager that's connected to this Certificate Manager. The URL is in one of these forms:
  2. https://<host_name>:<end_entity_HTTPS_port>

    or

    http://<host_name>:<end_entity_HTTP_port>

  3. In the left frame, under Server, click OCSP Responder Enrollment.
  4. This opens the form for requesting a certificate for an OCSP responder.

  5. Complete the form with the information that the Certificate Manager needs to create a certificate for Certificate VA.
  6. PKCS #10 Request. In the certificate request text area, paste the certificate signing request, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- marker lines, that you copied to the text file.

    Contact Information. In this section, type your name, email address, and phone number. These values will be used by the CA, if the need arises. Be sure to enter your email address. This is the address where the CA will send the certificate once it has been issued (if the automated-notification feature explained in "Notifications of Certificate Issuance to End Entities" is turned on).

    Additional Comments. Type any information that will help the issuing agent who will process the request (if you aren't that agent). For example, you might want to enter the name of the person who instructed you to obtain a certificate or some other administrative information.

  7. Click Submit.
  8. The Certificate Manager confirms that your request was submitted.

Step C. Approve the Request

The enrollment method for an OCSP responder certificate is manual, which means that the request gets queued for agent approval.

To approve the request you submitted (you'll need agent privileges to do this):

  1. Go to the Certificate Manager Agent Services interface.
  2. The URL is in this format: https://<host_name>:<agent_port>

  3. In the left frame, click List Requests.
  4. In the form that appears, select the "Show pending requests" option and click Find.
  5. In the list of pending requests, locate the request and click Details.
  6. Check that the request is the one you submitted for Certificate VA (its subject name should be the one you gave the Certificate VA key pair in "Step D. Generate a Key Pair and Self-Signed Certificate"), then click Do It.
  7. If your request contains all the information required by the Certificate Manager to issue a certificate, the server responds that it has issued the certificate, shows the Certificate VA's certificate, and tells how to install the new certificate.

    Scroll down to the section where the certificate is shown in its base 64-encoded format; it will look similar to the sample below:

    -----BEGIN CERTIFICATE-----

    MMIIBtgYJYIZIAYb4QgIFoIIBpzCCAZ8wggGbMIIBRaADAgEAAgEBMA0GCSqGSIb3DQEBBAUAMFcx
    CAJBgNVBAYTAlVTMSwwKgYDVQQKEyNOZXRzY2FwZSBDb21tdW5pY2F0aWhfyyuougjgjjgmkgjkgm
    jgfjfgjjjgfyjfyj9ucyBDb3Jwb3JhdGlvbjpMEaMBgGA1UECxMRSXNzdWluZyhgdfhbfdpffjpho
    tokogdhkBBdXRob3JpdHkwHhcNOTYxMTA4MDkwNzM0WhcNOTgxMTA4MDkwNzMM0WjBXMQswCQYDVQ
    QGEwJVUzEsMCoGA1UEChMjTmV0c2NhcGUgQ29tbXVuaWNhdGlvbnMgQ29ycG9yY2F0aW9ucyBDb3J
    wb3JhdGlvbjpMEaMBgGA1UECxMRSXNzdWluZyBBdXRob3JpdHkwHh

    -----END CERTIFICATE-----

  8. Copy the certificate, including the marker lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, to the clipboard or to a text file. In the next step, you'll be required to paste this into another form.
If you lose the certificate blob inadvertently, here's how you can get it again:

  1. In the Agent Services interface, click List Certificates or Search for Certificates.
  2. Search for the certificate you just issued.

Step D. Add the Certificate to the Certificate Store

After you get the OCSP responder certificate, install it in Certificate VA's certificate store so that Certificate VA can use it to identify itself as a CA-designated OCSP responder.

To install the OCSP responder certificate in the Certificate VA's certificate store:

  1. Go to the Certificate VA Management menu.
  2. In the left frame, select the Manage Certificate Stores link, and then click Add Certificate.
  3. The Add Certificate form appears.

  4. Specify details for storing the certificate:
  5. Click Submit Certificate Type.
  6. The form for pasting the certificate in its base 64-encoded format shows up.

  7. Paste the certificate in the text area of the form. Be sure to include the marker lines, -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
  8. Click Submit Certificate.
  9. A page appears indicating whether the certificate is added successfully.

Step E. Verify That the Certificates Are Stored

To verify that the OCSP responder certificate and the CA certificate have been added correctly to the certificate store:

  1. In the left frame, click the Manage Certificate Stores link, and then click the View/Modify Certificate Stores option.
  2. The "Certificate Stores currently managed by the ValiCert Certificate VA" form appears.

  3. Click the "Certificates of CAs publishing CRLs to the VA" option.
  4. The subject name of the Certificate Manager's CA signing certificate you added should appear as a link there.

  5. Click the link and make sure that you added the correct certificate.
  6. Next, click the "CA Delegated Certificates of the VA" option.
  7. The subject name of the OCSP responder certificate you added should appear as a link there.

  8. Click the link and make sure that you added the correct certificate.

Step 6. Restart Certificate VA

For all the changes to take effect, restart Certificate VA.

Step 7. Configure the Certificate Manager for Publishing CRLs

To configure a Certificate Manager to publish CRLs to Certificate VA, follow these steps:

Step A. Create a Publisher for the CRL

Creating a publisher for the CRL involves creating an instance of the publisher module that enables the Certificate Manager to publish CRLs to Certificate VA. In the next step, when creating the publishing rule for the CRL, you specify the publisher you create here.

To create a publisher:

  1. If you closed the CMS window for the Certificate Manager, log in to it again (see "Logging In to the CMS Window").
  2. Select the Configuration tab.
  3. In the navigation tree, select Certificate Manager, select Publishing, and then select Publishers.
  4. The right pane shows the Publishers Management tab, which lists configured publishers.

  5. Click Add.
  6. The Select Publisher Plugin Implementation window appears. It lists registered publisher modules.

  7. Select the module named ValiCertPublisher.
  8. Only this publisher module enables the Certificate Manager to publish CRLs to Certificate VA; for details about the module, see "ValiCert Publisher".

  9. Click Next.
  10. The Publisher Editor window appears.

  11. Enter the appropriate information:
  12. Publisher ID. Type a name for the publisher that will help you identify it later; be sure to use an alphanumeric string with no spaces.

    NUM_OUTPUT_LOCATIONS. Type the total number of output locations. If you leave the field blank, it defaults to 1.

    VC_LOG_FILE. Type the path, including the filename, to the file to which you want the server to write (log) messages. If you leave the value field blank, the server logs messages to a file named ./vpublish.log.

    LOG_LEVEL. Select the appropriate level for log messages.

    DEFAULT_FORMAT. Select PKCS7. (The server considers the value specified in this field when the default format for publishing the CRL is not specified in the OUTPUT_SECTION parameter.)

    DEFAULT_ENCODING. Select DER. (The server considers the value specified in this field when the default encoding is not specified in the OUTPUT_SECTION parameter.)

    PROXY_HOST. Type the name of the proxy server, if you are using one. If you leave the field blank, no proxy server will be used.

    PROXY_PORT. Type the port number of the proxy server, if you are using one. If you leave the field blank, no proxy server will be used.

    [OUTPUT_SECTIONS_*]LOCATION. Type the location to publish the CRL. The syntax for specifying the location information must be:

    [pkcs7;][der;]valicert://<host>[:<port>][/<location>]

    Substitute <host> with the fully qualified host name of Certificate VA and <port> with the service port of Certificate VA (by default it is 80); the parts enclosed in square brackets are optional.

    For example, the value you enter may look like this: pkcs7;der;valicert://ocspResponder.siroe.com:8000.

  13. Click OK.
  14. You are returned to the Publishers Management tab. It should now list the publisher you just created.
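The LOCATION syntax above is easy to get subtly wrong (prefixes in the wrong order, a bare host name instead of a fully qualified one, a mistyped port), and the Publisher Editor gives little feedback. This added example, which is not part of Certificate Management System, parses a LOCATION value exactly as the syntax above describes it and reports what the publisher would do with it: an omitted pkcs7 or der prefix falls back to the DEFAULT_FORMAT and DEFAULT_ENCODING values you selected, and an omitted port falls back to 80. Only the two prefixes shown in the syntax are accepted, in lowercase and in the documented order; how leniently the real publisher parses them is not stated on this page, so that strictness is an assumption.

```python
"""Validate a ValiCertPublisher LOCATION value before pasting it into the Publisher Editor.

Added example, not part of Certificate Management System. It implements the syntax
    [pkcs7;][der;]valicert://<host>[:<port>][/<location>]
as given above, fills an omitted format or encoding from the DEFAULT_FORMAT and
DEFAULT_ENCODING selections, defaults the port to 80, and rejects anything else.
Assumption: prefixes are lowercase and must appear in the documented order."""
import re

_LOCATION = re.compile(
    r"^(?:(?P<format>pkcs7);)?(?:(?P<encoding>der);)?"
    r"valicert://(?P<host>[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)"
    r"(?::(?P<port>\d{1,5}))?(?P<path>/\S*)?$"
)


def parse_location(value, default_format="PKCS7", default_encoding="DER"):
    """Return the publishing target as a dict, or raise ValueError saying why it is invalid."""
    m = _LOCATION.match(value.strip())
    if not m:
        raise ValueError(f"not of the form [pkcs7;][der;]valicert://host[:port][/path]: {value!r}")
    host = m["host"]
    if "." not in host:
        raise ValueError(f"host {host!r} must be the fully qualified host name of Certificate VA")
    port = int(m["port"]) if m["port"] else 80   # service port of Certificate VA, default 80
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is out of range")
    return {
        "format": (m["format"] or default_format).upper(),
        "encoding": (m["encoding"] or default_encoding).upper(),
        "host": host,
        "port": port,
        "path": m["path"] or "/",
    }


def location_for(host, port=None, fmt="pkcs7", enc="der", path=""):
    """Build a LOCATION string for the Publisher Editor and confirm it parses back."""
    value = f"{fmt};{enc};valicert://{host}" + (f":{port}" if port else "") + path
    parse_location(value)                         # raises if the value would be rejected
    return value
```

For the example in the text, parse_location("pkcs7;der;valicert://ocspResponder.siroe.com:8000") yields format PKCS7, encoding DER, host ocspResponder.siroe.com, port 8000 and path "/", while "der;pkcs7;valicert://..." and "valicert://ocspResponder" (no domain) are rejected.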

Step B. Create a Publishing Rule for the CRL

Creating a publishing rule for the CRL involves creating a rule that uses the publisher you created in "Step A. Create a Publisher for the CRL".

To create a publishing rule:

  1. In the navigation tree, under Publishing, select Rules.
  2. The right pane shows the Rules Management tab, which lists configured publishing rules.

  3. Click Add.
  4. The Select Rule Plugin Implementation window appears. It lists registered modules that enable creating of publishing rules.

  5. Select the module named Rule.
  6. This is the default module. (If you have registered any custom modules, they too will be available for selection.)

  7. Click Next.
  8. The Rule Editor window appears.

  9. Enter the appropriate information:
  10. Rule ID. Type a unique name for the rule; use an alphanumeric string with no spaces.

    enable. Select this option.

    predicate. Leave this field blank.

    type. Select crl.

    mapper. Select <NONE>.

    publisher. Select the publisher you created for publishing CRLs to Certificate VA.

  11. Click OK.
  12. The Rules Management tab appears, listing the new rule.

Step C. Specify CRL Details

You can specify information, such as the publishing interval, the CRL version (whether to include CRL extensions), and the signing algorithm the Certificate Manager should use for signing the CRL object.

To specify CRL details:

  1. Go to the CMS window.
  2. In the navigation tree, select Certificate Manager, and then in the right pane, select the Revocation List tab.

  3. In the Update Frequency section, specify the interval at which the CRL is generated and published to the configured destination, in this case Certificate VA:
  4. Every time a certificate is revoked, or taken off-hold. Select this option if you want the Certificate Manager to generate the CRL every time it revokes a certificate. Keep in mind that the Certificate Manager attempts to publish the CRL to the configured destination whenever the CRL is generated, in this case every time a certificate is revoked. Publishing a CRL can be time consuming if the CRL is large. Configuring the Certificate Manager to publish CRLs every time a certificate is revoked may engage the server for a considerable amount of time; during this time, the Certificate Manager cannot service any requests it receives or publish any other changes.

    (This setting is not recommended for a standard installation. You can select this option if you want to see the results of revocation immediately, for example, when testing whether the server publishes the CRL to the OCSP responder.)

    Update at this frequency. Select this option if you want the Certificate Manager to generate CRLs at regular intervals. In this case, the server publishes the CRL to the configured destination at the interval you specify.

    In the adjoining text field, type the interval, in minutes, at which the Certificate Manager should publish CRLs. For example, if you want the server to publish CRLs every day, you should type 1440 in this field.

    with a skew of. If you configure the server to update the CRL automatically every time period, the server by default adds a 5 second skew to the next update time to allow time to create the CRL and publish it. For example, if you configure the server to update the CRL every 20 minutes, and if the CRL is updated at 16:00:00, the CRL will be updated again at 16:19:55. You can change the skew by manually editing the default value, which is specified in seconds.

  5. In the CRL Format section, specify the format for publishing the CRL:
  6. Include expired certificates. Select this box if you want the server to include revoked certificates that have expired in the CRL.

    Allow extensions. Select this box if you want to allow extensions in the CRL. If you enable this option, the server generates and publishes CRLs conforming to X.509 version 2 standard. If you disable this option, the server generates and publishes CRLs conforming to X.509 version 1 standard. By default, the server publishes version 1 CRLs. If you enable this option, be sure to set the required CRL extensions in "Step D. Set CRL Extensions".

    Revocation list signing algorithm. Select the algorithm the server should use to sign the CRL. If the Certificate Manager's signing key type is RSA, select MD2 with RSA, MD5 with RSA, or SHA-1 with RSA; of these, use SHA-1 with RSA, because MD2 and MD5 are no longer considered secure hash functions and a CRL signed with them is a weaker statement of revocation than the clients relying on it assume. If the Certificate Manager's signing key type is DSA, select SHA-1 with DSA.

  7. To save your changes, click Save.
  8. The configuration is modified. If the changes you made require you to restart the server, you are prompted accordingly. Don't restart the server yet; you can do this after you've made all the changes.

Step D. Set CRL Extensions

You should go through this step only if you configured the Certificate Manager to publish version 2 CRLs--that is, you selected the "Allow extensions" option in "Step C. Specify CRL Details".

During installation, the Certificate Manager creates default CRL extension rules; these are listed in Table 21.10. Note that the server is configured to add the CRL Reason extension only; all the other rules are in the disabled state. In this step, you modify the default rules to suit your organization's requirements.

To specify the CRL extensions the Certificate Manager should set:

  1. In the navigation tree, select Certificate Manager, and then select CRL Extensions.
  2. The right pane shows the CRL Extensions Management tab, which lists configured extensions.

  3. To modify a rule, select it and then click Edit/View.
  4. Change the information as appropriate.
  5. Be sure to supply all the required values. Click the Help button for detailed information on individual parameters.

  6. Click OK.
  7. You are returned to the CRL Extensions Management tab.

  8. To modify other rules, repeat the Edit/View, change, and OK steps for each rule.
  9. Click Refresh to see the updated status of all the rules.

Step E. Make Sure Publishing is Enabled

To make sure that the Certificate Manager is configured for publishing:

  1. In the navigation tree, select Certificate Manager, then select Publishing.
  2. The right pane shows the publishing details necessary for the server to publish to an LDAP-compliant directory, to flat files, or to an online validation authority.

  3. Make sure that the Enable Publishing option is selected. If it is already selected, leave it as it is. If it isn't, select it.
  4. (Leave the "Enable default LDAP connection" option as it is; it specifies that the Certificate Manager is configured to publish certificates and CRLs to an LDAP directory.)

  5. If you changed anything, click Save to save the changes.
  6. If the changes you made require you to restart the server, you are prompted accordingly. In that case, restart the server.

Step 8. Test Publishing

To test whether the Certificate Manager is publishing to Certificate VA properly and to test that the online validation of certificates is taking place, follow these steps:

Step A. Turn On Revocation Checking

To ensure that Personal Security Manager (the OCSP-compliant client) is configured to verify the revocation status of certificates using the OCSP protocol:

  1. Open a web browser window.
  2. Open the Personal Security Manager interface.
  3. In Communicator version 4.7, you can open this window by selecting Communicator from the main menu, selecting Tools, and then selecting Security Info.

  4. Select the Advanced tab, and then in left pane, select Options.
  5. Click the OCSP Settings button.
  6. The OCSP Setting window appears.

  7. Select the "Use OCSP to verify only certificates that specify an OCSP service URL" option, and click OK.
  8. Click on the Close button.

Step B. Request a Certificate

The steps outlined below explain how to request a personal certificate from the Certificate Manager using the manual enrollment method. If you've configured the Certificate Manager for automated certificate issuance, for example for directory-based enrollment, you may use the appropriate form and request a certificate.

To request a client or personal certificate from the Certificate Manager:

  1. Go to the end-entity interface of the Certificate Manager you configured (or to the Registration Manager that's connected to this Certificate Manager). The URL is in this form:
  2. https://<host_name>:<end_entity_HTTPS_port>

    or

    http://<host_name>:<end_entity_HTTP_port>

  3. In the left frame, under Browser, click Manual.
  4. This opens the manual enrollment form.

  5. Fill in all the values and submit the request.
  6. The client prompts you to enter the password for your key database.

  7. When you enter the correct password, the client generates the key pairs.
  8. Do not interrupt the key-generation process.

Step C. Approve the Request

Skip this step if you requested the certificate using any of the automated enrollment methods. Complete this step if you used the manual enrollment form for requesting the certificate; the request you submitted is waiting in the agent queue for approval by an agent.

To approve the request:

  1. Go to the Certificate Manager's Agent Services interface.
  2. The URL is in this format: https://<host_name>:<agent_port>

  3. In the left frame, click List Requests.
  4. In the form that appears, select the "Show pending requests" option and click Find.
  5. In the list of pending requests, identify the request you submitted and approve the request.
  6. You should see a confirmation page indicating that the certificate has been issued. Don't close the page until after you complete the next step.

Step D. Download the Certificate to the Browser

To download the certificate into the certificate database of Personal Security Manager:

  1. In the confirmation page, scroll down to the section that says "Installing this certificate in a client."
  2. Check the certificate details: the Authority Information Access extension must be present and its OCSP access location must be the Certificate VA URL you entered in the AuthInfoAccessExt rule. Without it, Personal Security Manager (configured in "Step A. Turn On Revocation Checking" to check only certificates that specify an OCSP service URL) will never query Certificate VA, and the rest of this test proves nothing.
  3. Follow the on-screen instructions and download the certificate to your browser's certificate database.
  4. (An alternative way to download the certificate is from the Retrieval tab of the end-entity services interface.)

Step E. Verify the Certificate in the Browser

To verify that the certificate has been downloaded into the certificate database of Personal Security Manager:

  1. In the browser, open the Personal Security Manager interface.
  2. In Communicator version 4.7, you can open this window by selecting Communicator from the main menu, selecting Tools, and then selecting Security Info.

  3. Click the Certificates tab and then click Mine.
  4. You should see the name of the certificate you just downloaded.

  5. Select the certificate name and click View.
  6. In the View Security Certificate dialog box that appears, look for a message that says that the certificate is verified.

Step F. Check the Certificate VA Status

To go to the Certificate VA's status page and verify the number of requests Certificate VA has processed so far:

  1. Go to the web browser window.
  2. Enter this URL: http://<host_name>:<admin_port>/~stats
  3. substituting <host_name> with the fully qualified host name of Certificate VA and <admin_port> with its administration port number.

    The status page for Certificate VA appears. This page summarizes the Certificate VA's activity since it was last started.

  4. Note values assigned to the "Number of CRLs received" and "Number of certificates checked" fields; they should be zero.

Step G. Revoke the Certificate

To revoke the certificate you issued so that the Certificate Manager publishes the CRL to Certificate VA:

  1. Go to the end-entity interface for the Certificate Manager you configured (or to the Registration Manager that's connected to this Certificate Manager). Be sure to go to the HTTPS interface. The URL is in this form:
    https://<host_name>:<end_entity_HTTPS_port>
  2. Select the Revocation tab.
  3. In the left frame, click User Certificate.

    The User Certificate Revocation form appears.

  4. In the Revocation Reason section, select Unspecified and click Submit.

    The client shows the "Select a Certificate" dialog box and prompts you to choose the certificate you want to revoke.

  5. Select the certificate you downloaded and click OK.

    The Certificate Manager revokes the certificate, constructs the CRL, and publishes the CRL to Certificate VA.

Step H. Verify the Certificate in the Client

To verify that the certificate has been revoked:

  1. Open the Personal Security Manager interface.
  2. Select the Certificates tab and then click Mine.
  3. Select the certificate you revoked and click View.
  4. In the View Security Certificate dialog box that appears, look for a message that says that the certificate could not be verified.

Step I. Check the Certificate VA Status Again

Check the Certificate VA status again to verify that the Certificate Manager published the CRL to Certificate VA and that Personal Security Manager queried Certificate VA about the status of the certificate.

To check the Certificate VA status for verification:

  1. Go to the Certificate VA's status page.
  2. Reload the page (hold down the Shift key and click the browser's Reload icon).
  3. Compare the values to those you noted in Step F.
  4. Note the updated statistics. They should indicate that Personal Security Manager queried the Certificate VA about the status of the certificate and that, in response, the Certificate VA sent a status.
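Steps F and I compare the same two counters on the Certificate VA status page before and after the revocation. The following Python script is an added example, not part of this guide or of Certificate VA: it fetches the ~stats URL from Step F (or parses a saved copy), pulls out the two fields the guide names, and applies the expectations of Step F (both zero) and Step I (both higher). The sample pages embedded in it are constructed, and the parser only assumes that each field label is followed by an integer, possibly with punctuation or HTML tags in between; the real page layout is not reproduced in the guide.

```python
import re
import urllib.request

# The two counters the guide tells you to note on the Certificate VA status page.
FIELDS = ("Number of CRLs received", "Number of certificates checked")

# Constructed sample pages (the real ~stats layout is not shown in the guide;
# this example only assumes each label is followed by an integer).
STATS_BEFORE = """\
<html><body><h1>Certificate VA status</h1>
<table>
<tr><td>Number of CRLs received</td><td>0</td></tr>
<tr><td>Number of certificates checked</td><td>0</td></tr>
</table></body></html>
"""
STATS_AFTER = """\
<html><body><h1>Certificate VA status</h1>
<table>
<tr><td>Number of CRLs received</td><td>1</td></tr>
<tr><td>Number of certificates checked</td><td>1</td></tr>
</table></body></html>
"""


def parse_status(page):
    """Extract {field: int} for each counter; raise ValueError if a field is absent.

    Between the label and the number the pattern tolerates whitespace, ':' or '='
    and HTML tags, so both plain-text and simple table layouts parse.
    """
    counters = {}
    for field in FIELDS:
        match = re.search(re.escape(field) + r"(?:\s|[:=]|<[^>]*>)*(\d+)", page)
        if match is None:
            raise ValueError(f"field not found on status page: {field!r}")
        counters[field] = int(match.group(1))
    return counters


def fetch_status(host_name, admin_port, timeout=10):
    """Fetch and parse http://<host_name>:<admin_port>/~stats (the URL from Step F)."""
    url = f"http://{host_name}:{admin_port}/~stats"
    with urllib.request.urlopen(url, timeout=timeout) as response:
        return parse_status(response.read().decode("utf-8", "replace"))


def check_progression(before, after):
    """Apply the guide's expectations: zeros in Step F, both counters higher in Step I.

    Returns (ok, problems); an empty problem list means the test succeeded.
    """
    problems = []
    for field in FIELDS:
        if before[field] != 0:
            problems.append(f"{field}: expected 0 before revocation, saw {before[field]}")
        if after[field] <= before[field]:
            problems.append(f"{field}: did not increase ({before[field]} -> {after[field]})")
    return (not problems, problems)


if __name__ == "__main__":
    # Offline run against the constructed pages; for a live Certificate VA, take
    # fetch_status(host, port) once at Step F and again at Step I instead.
    before = parse_status(STATS_BEFORE)
    after = parse_status(STATS_AFTER)
    ok, problems = check_progression(before, after)
    print("OK" if ok else "\n".join(problems))
```

Because urllib does not cache, the Shift-Reload of Step I is unnecessary when the page is fetched this way; the snapshot taken at Step F should be kept and passed to check_progression together with the one taken after the revocation.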


Managing Mapper and Publisher Modules

This section explains how to use the CMS window to register new mapper or publisher plug-in modules and to delete modules you no longer need.

For information on adding or changing publishing-specific information in the configuration file, see "Changing the Configuration by Editing the Configuration File".

Registering a Mapper or Publisher Module

You can register new mapper or publisher plug-in modules in a Certificate Manager's publishing framework. Registering a new mapper or publisher module involves specifying the name of the module and the full name of the Java class that implements the mapper or publisher interface. For example, you can add a mapper implementation, named as follows, to the Certificate Manager's publishing framework:

com.netscape.publishing.customMapper

Before registering a plug-in module, be sure to put the Java class for the module in the classes directory (the implementation must be on the class path).

To register a mapper or publisher module in a Certificate Manager's publishing framework:

  1. Log in to the CMS window (see "Logging In to the CMS Window").
  2. Select the Configuration tab.
  3. In the navigation tree, select Certificate Manager, and then select Publishing.
  4. Under Publishing, select Mapper or Publisher.

    The tab lists registered plug-in modules.

  5. Click Register.

    If you selected Mapper, the Register Mapper Plugin Implementation window appears. If you selected Publisher, the Register Publisher Plugin Implementation window appears.

  6. Specify information as appropriate:

    Plugin name. Type the name of the plug-in module.

    Class name. Type the full name of the class for this module, that is, the path to the implementing Java class. If this class is part of a package, be sure to include the package name. For example, if you are registering a class named myMapper and this class is in a package named com.myCompany, type com.myCompany.myMapper.

  7. Click OK.

    You are returned to the Mapper Plugin Registration tab or Publisher Plugin Registration tab.

  8. To view the updated configuration, click Refresh.

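The registration procedure depends on two things the CMS window cannot check for you: the Class name field must hold the package-qualified name, and the compiled class must already be on the class path, or the module will fail to load when a publishing rule first uses it. The following Python preflight is an added example, not CMS code or part of this guide: it converts a fully qualified class name into the .class resource a Java class loader looks for and searches directory and .jar class-path entries for it. The temporary directory layout, the jar name custom.jar, the class name com.myCompany.missingMapper and the empty placeholder .class files are all constructed for the demonstration.

```python
import os
import re
import tempfile
import zipfile

# Java identifier segments joined by dots, e.g. com.myCompany.myMapper.
_CLASS_NAME = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


def split_class_name(full_name):
    """Split 'com.myCompany.myMapper' into ('com.myCompany', 'myMapper').

    Raises ValueError for strings that cannot be a Java class name, which the
    Class name field in the CMS window would otherwise accept silently.
    """
    if not _CLASS_NAME.match(full_name):
        raise ValueError(f"not a valid fully qualified Java class name: {full_name!r}")
    package, _, simple = full_name.rpartition(".")
    return package, simple


def class_resource_path(full_name):
    """Resource a class loader looks up: com.myCompany.myMapper -> com/myCompany/myMapper.class."""
    split_class_name(full_name)  # validate before converting
    return full_name.replace(".", "/") + ".class"


def find_class_on_classpath(full_name, classpath_entries):
    """Return the class-path entry (directory or jar) that holds the class, or None.

    Java class lookup is case-sensitive; on a case-insensitive file system
    os.path.isfile may report a match that the JVM would reject.
    """
    resource = class_resource_path(full_name)
    for entry in classpath_entries:
        if os.path.isdir(entry):
            if os.path.isfile(os.path.join(entry, *resource.split("/"))):
                return entry
        elif zipfile.is_zipfile(entry):
            with zipfile.ZipFile(entry) as jar:
                if resource in jar.namelist():
                    return entry
    return None


def demo():
    """Constructed scenario: one class under a classes directory, one inside a jar.

    The .class files written here are empty placeholders standing in for
    compiled modules; only their location on the class path is being tested.
    """
    with tempfile.TemporaryDirectory() as root:
        classes_dir = os.path.join(root, "classes")
        os.makedirs(os.path.join(classes_dir, "com", "myCompany"))
        open(os.path.join(classes_dir, "com", "myCompany", "myMapper.class"), "wb").close()
        jar_path = os.path.join(root, "custom.jar")
        with zipfile.ZipFile(jar_path, "w") as jar:
            jar.writestr("com/netscape/publishing/customMapper.class", b"")
        classpath = [classes_dir, jar_path]
        return {
            "com.myCompany.myMapper": find_class_on_classpath("com.myCompany.myMapper", classpath) == classes_dir,
            "com.netscape.publishing.customMapper": find_class_on_classpath("com.netscape.publishing.customMapper", classpath) == jar_path,
            "com.myCompany.missingMapper": find_class_on_classpath("com.myCompany.missingMapper", classpath),
        }


if __name__ == "__main__":
    for name, found in demo().items():
        print(f"{name}: {'found' if found else 'NOT on class path'}")
```

To use it against a real installation, pass the class name you intend to type into the Class name field and the class-path entries of the CMS server (its classes directory plus any jars) to find_class_on_classpath; a None result means registration would succeed in the window but the module could not be loaded.
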
Deleting a Mapper or Publisher Module

You can delete unwanted mapper or publisher plug-in modules using the CMS window. Before deleting a module, be sure to delete all the publishing rules that are based on this module.

To delete a mapper or publisher module from a Certificate Manager's publishing framework:

  1. Log in to the CMS window (see "Logging In to the CMS Window").
  2. Select the Configuration tab.
  3. In the navigation tree, select Certificate Manager, and then select Publishing.
  4. Under Publishing, select Mapper or Publisher.

    The tab lists registered plug-in modules.

  5. In the Plugin Name list, select the module you want to delete and click Delete.
  6. When prompted, confirm the delete action.
 

Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.