Netscape Certificate Management System Administrator's Guide: Modules for Publishing Certificates and CRLs

Complete Contents
About This Guide
PART 1: Netscape Certificate Management System
Chapter 1: Introduction to Certificate Management System
Chapter 2: Administration Tasks and Tool
Chapter 3: Configuration
PART 2: Managing Certificate Management System
Chapter 4: Installing and Uninstalling CMS Instances
Chapter 5: Starting and Stopping CMS Instances
PART 3: System-Level Configuration
Chapter 6: Configuring Ports, Database, and SMTP Settings
Chapter 7: Managing Privileged Users and Groups
Chapter 8: Keys and Certificates
PART 4: Authentication
Chapter 9: Introduction to Authentication
Chapter 10: Authentication Modules for End-Entity Enrollment
Chapter 11: Using the PIN Generator Tool
Chapter 12: Configuring Authentication for End Users
Chapter 13: Developing Custom Authentication Modules
PART 5: Job Scheduling and Notification
Chapter 14: Introduction to Job Scheduling and Notifications
Chapter 15: Configuring Schedulable Jobs
PART 6: Policies
Chapter 16: Introduction to Policy
Chapter 17: Constraints-Specific Policy Modules
Chapter 18: Extension-Specific Policy Modules
Chapter 19: Configuring a Subsystem's Policies
PART 7: Publishing
Chapter 20: Introduction to Publishing Certificates and CRLs
Chapter 21: Modules for Publishing Certificates and CRLs
Chapter 22: Configuring a Certificate Manager for Publishing
PART 8: Agent and End-Entity Interfaces
Chapter 23: Introduction to End-Entity and Agent Interfaces
Chapter 24: Customizing End-Entity and Agent Interfaces
PART 9: Logs
Chapter 25: Introduction to Logs
Chapter 26: Managing Logs
PART 10: Issuance and Management of End-Entity Certificates
Chapter 27: Issuing and Managing End-Entity Certificates
Chapter 28: Recovering Encrypted Data
PART 11: Appendixes
Appendix A: Distinguished Names
Appendix B: Backing Up and Restoring Data
Appendix C: Command-Line Utilities
Appendix D: Certificate Database Tool
Appendix E: Key Database Tool
Appendix F: Netscape Signing Tool
Appendix G: SSL Strength Tool
Appendix H: SSL Debugging Tool

Netscape Certificate Management System Administrator's Guide: Modules for Publishing Certificates

Contents

Index

Bookshelf

Chapter 21 Modules for Publishing Certificates and CRLs

When a Certificate Manager is requested to issue a certificate or to update certificate information, it can automatically update the corresponding entry in the configured LDAP directory or the flat file with relevant information. Similarly, when a certificate is revoked, the Certificate Manager can automatically update the configured LDAP directory, the online-validation authority, or the flat file with relevant CRL information. To locate the correct entry and update it with relevant information, the Certificate Manager relies on object-mapping and publishing rules.

To enable you to construct these rules, the Certificate Manager provides a set of mapper and publisher plug-in modules. These modules are implemented as Java classes and are registered with the CMS publishing framework.

This chapter explains the mapper and publisher modules that are installed with a Certificate Manager--it lists and briefly describes the modules and then explains each one in detail. Before reading this chapter, you should have read the previous chapter, "Introduction to Publishing Certificates and CRLs".

The chapter has the following sections:

Mapper Modules

Publisher Modules

CRL Extension Modules

Mapper Modules

You can configure a Certificate Manager to publish certificates to a directory or flat file, and to publish CRLs to a directory, online validation authority, or flat file. If you configure the Certificate Manager to publish to a directory, whenever the server issues a certificate or updates a certificate or CRL, it needs to locate the entry in the directory in order to update it. For example, to find the correct directory entry to update, the Certificate Manager needs to present Directory Server with search criteria (so that it can initiate an LDAP search operation); the Certificate Manager considers the search successful only if Directory Server returns a single LDAP entry that exactly matches the search criteria.

The Certificate Manager uses object-mapping rules to find the directory entry that needs to be updated. When configuring a Certificate Manager for publishing certificates and CRLs, you define mapping rules that help the server to construct appropriate search criteria that find the entry that needs to be updated.

Mapper modules help you configure the Certificate Manager to use specific rules to map or locate a specific entry, such as a CA's entry or an end-entity's entry, in a specified directory; once the correct entry is located, the server publishes the certificate or CRL to the correct attribute in the entry using a publisher rule, as explained in "Publisher Modules".

Overview of Mapper Modules

By default, the Certificate Manager provides a set of mapper plug-in modules for mapping the CA certificate, end-entity certificates, and CRLs to appropriate entries in an LDAP directory; because it's not required to map entries in a flat file and online validation authority, no mapper modules are provided for mapping objects in a flat file or an online validation authority. Plug-in modules are implemented as Java classes and are registered in the CMS publishing framework. The Mapper Plugin Registration tab of the CMS window (Figure 21.1) lists all the modules and the corresponding classes that are registered by default with a Certificate Manager.

Figure 21.1 Default mapper modules registered with a Certificate Manager

Table 21.1 lists the mapper modules provided for the Certificate Manager.

Table 21.1 Default mapper plug-in modules for mapping certificates and CRLs


Plug-in module name	Function
LdapCaSimpleMap	Maps the CA certificate to the CA's directory entry by formulating the entry's DN from components specified in the certificate's issuer name and attribute variable assertion (AVA) constants. Optionally, the plugin can also create an entry for the CA in the directory. For details, see "CA Certificate Mapper".
LdapDNCompsMap	Maps a certificate to a directory entry by formulating the entry's DN from components (such as CN, OU, O, and C) in the certificate's subject name and using it as the search DN to locate the entry in the directory. For details, see "DN Components Mapper".
LdapDNExactMap	Maps a certificate to a directory entry by searching for the entry whose DN exactly matches the certificate subject name. For details, see "Subject Name Mapper".
LdapSimpleMap	Maps a certificate to a directory entry by formulating the entry's DN from components specified in the certificate's subject name and attribute variable assertion (AVA) constants. For details, see "Simple Mapper".
LdapSubjAttrMap	Maps a certificate to a directory entry by searching for the entry that contains the LDAP attribute named certSubjNameAttr whose value exactly matches the certificate subject name. For details, see "Subject Attribute Mapper".

After you take a look at the default mapper modules, if you determine that they do not meet your requirements entirely, you can develop a custom mapper module by implementing the following Java interface:

com.netscape.certsrv.ldappublish.ILdapMapper

For more information on this interface, check the CMS software development kit (SDK) installed at this location: <server_root>/cms_sdk/sdkdocs

Be sure to take a look at the samples available at this location: <server_root>/cms_sdk/samples/publishing/mappers

When developing a custom mapper module, you may want to intercept LDAP error 52 and reword it so that the correct error message gets logged. To give you an example, if the publishing directory has been stopped, the server logs the following message in its error and system logs:

Error publishing CRL MasterCRL: Cannot find a match in the LDAP server for certificate. netscape.ldap.LDAPException: unable to establish connection (52); DSA is unavailable.

Notice that the error message incorrectly says DSA is unavailable instead of Directory Server is unavailable.

For instructions on how to configure a Certificate Manager to use a mapper module, see "Step 3. Configure the Certificate Manager to Publish Certificates".

CA Certificate Mapper

The LdapCaSimpleMap plug-in module implements the CA certificate mapper. This mapper enables you to configure a Certificate Manager to automatically create an entry for the CA in an LDAP directory and then map the CA's certificate to the directory entry by formulating the entry's DN from components specified in the certificate's subject name and attribute variable assertion (AVA) constants. For more information on AVAs, check the directory documentation.

The CA certificate mapper allows you to specify whether to create an entry for the CA or to just map the certificate to an existing entry, or to do both; for example, you can choose to manually create an entry for the CA in the directory and then configure the CA certificate mapper to just locate the entry by using attributes from the issuer name in the CA's signing certificate and AVA constants.

During installation, the Certificate Manager automatically creates two instances (called mappers) of the CA certificate mapper module (see Figure 21.2). The mappers are named as follows:

LdapCrlMap for CRLs (see "LdapCrlMap Mapper")

LdapCaCertMap for CA certificates (see "LdapCaCertMap Mapper")

Figure 21.2 Default mappers created during installation

It is important that you review and customize these mappers. For instructions on modifying mappers or creating new mappers, see "Step 3. Configure the Certificate Manager to Publish Certificates".

LdapCaSimpleMap Module

The Java class that implements the CA certificate mapper is as follows:

com.netscape.certsrv.ldap.LdapCaSimpleMap

In the CMS configuration file, the plug-in module is identified as follows: ca.publish.mapper.impl.LdapCaSimpleMap.class=com.netscape.
certsrv.ldap.LdapCaSimpleMap

In the CMS window, the module is identified as follows: LdapCaSimpleMap

Figure 21.3 shows how the configurable parameters for the LdapCaSimpleMap module are displayed in the CMS window.

Figure 21.3 Parameters defined in the LdapCaSimpleMap module

Table 21.2 describes these parameters.

Table 21.2 Description of parameters defined in the LdapCaSimpleMap module


Parameter	Description
dnPattern	Specifies the DN pattern the Certificate Manager should use to construct the DN in order to search for the CA's entry in the publishing directory. The value of dnPattern can be a list of AVA s separated by commas. An AVA can be a variable, such as CN=$subj.cn, that the Certificate Manager can derive from the certificate subject name, or a constant, such as O=Siroe Corporation. Permissible values: A valid pattern that will enable the Certificate Manager to construct the DN for the CA's entry. Example: CN=$subj.cn,OU=$subj.ou,O=$subj.o,C=US
createCAEntry	Specifies whether the Certificate Manager should create an entry for the CA in the publishing directory. Check the box if you want the server to create a CA's entry (default). Uncheck the box if you don't want the server to create an entry. If you check the box, the Certificate Manager first attempts to create an entry for the CA in the directory. If the Certificate Manager succeeds in creating the entry, it then attempts to publish the CA's certificate to the entry. Note that the CA's entry DN in the directory will match the pattern you specify in the dnPattern field. For example, if the issuer DN (specified in the CA's signing certificate) is CN=testCA, OU=Research Dept, O=Siroe Corporation, C=US, and the dnPattern is set to CN=$subj.cn,OU=$subj.ou,O=$subj.o,C=US, the Certificate Manager creates an entry with CN=testCA, OU=Research Dept, O=Siroe Corporation, C=US as its DN.

LdapCaCertMap Mapper

The mapper named LdapCaCertMap is an instance of the LdapCaSimpleMap module. The Certificate Manager automatically creates this mapper during installation.

You can use this mapper for creating an entry for the CA in the directory and for mapping the CA certificate to the CA's entry in the directory.

By default, the mapper is configured to create an entry for the CA in the directory and the default DN pattern for locating the CA's entry is as follows:

UID=$subj.cn,OU=people,O=$subj.o

LdapCrlMap Mapper

The mapper named LdapCrlMap is an instance of the LdapSimpleMap module. The Certificate Manager automatically creates this mapper during installation.

You can use this mapper for creating an entry for the CA in the directory and for mapping the CRL to the CA's entry in the directory.

By default, the mapper is configured to create an entry for the CA in the directory and the default DN pattern for locating the CA's entry is as follows:

UID=$subj.cn,OU=people,O=$subj.o

DN Components Mapper

The LdapDNCompsMap plug-in module implements the DN components mapper. This mapper enables you to configure a Certificate Manager to map a certificate to an LDAP directory entry by constructing the entry's distinguished name from components (such as CN, OU, O, and C) specified in the certificate subject name, and then using it as the search DN to locate the entry in the directory. You can use this mapper to locate the following:

The CA's entry in the directory for publishing the CA certificate and the CRL.

End-entity entries in the directory for publishing end-entity certificates.

The mapper requires you to specify values for three parameters, filterComps, dnComps, and baseDN, which are explained in Table 21.3. In general, the mapper takes DN components to build the search DN. The mapper also takes an optional root search DN. The server uses the DN components to form an LDAP entry to begin a subtree search and the filter components to form a search filter for the subtree. If none of the DN components are configured, the server uses the base DN for the subtree. If the base DN is null and none of the DN components match, an error is returned. If none of the DN components and filter components match, an error is returned. If the filter components are null, a base search is performed.

Note that both DNComps and filterComps parameters accept valid DN components or attributes separated by commas. The parameters don't accept multiple entries of an attribute; for example, you can set filterComps to CN,OU, but not to CN,OU2,OU1. If there's a need for you to support such a filter, for example, if your directory entries contain multiple OUs and you want to use multiple OUs in your filterComps for filtering entries, you can modify the source code for the LdapDNCompsMap module. The java class for the module is in this directory:

<server_root>/cms_sdk/samples/publishing/mappers

The discussion below explains how mapping by DN components works. It is recommended that you read this before configuring a Certificate Manager to use this mapper.

Subject names in certificates are in distinguished-name format. A distinguished name (DN) uniquely identifies an entry in an LDAP directory. The DN consists of components that help identify the entry; for details, see Appendix A, "Distinguished Names."

The following components are commonly used in DNs:

UID, which represents the user ID of a user in the directory

CN, which represents the common name of a user in the directory

OU, which represents an organizational unit in the directory

O, which represents an organization in the directory

L, which represents a locality in the directory

ST, which represents a state in the directory

C, which represents a country in the directory

For example, the following DN represents the user named Jane Doe who works for the Sales department at Siroe Corporation, which is located in Mountain View in the state of California, United States:

CN=Jane Doe, E=jdoe@siroe.com, OU=Sales, O=Siroe Corporation, L=Mountain View, ST=California, C=US

The Certificate Manager uses the components in subject names to construct a DN that it can use as the base for searching specific directory entries in order to publish the corresponding certificate information.

For example, suppose the subject name in the certificate is in this form:

CN=Jane Doe, OU=Sales, O=Siroe Corporation, L=Mountain View, ST=California, C=US

The Certificate Manager can use some or all of these components (CN, OU, O, L, ST, and C) to build a DN for searching the directory. When creating a mapper rule, you can specify the components the server should use to build a DN (that is, components to match attributes in the directory). You do this by configuring the dnComps parameter; for details, see Table 21.3.

For example, assume you entered components CN, E, OU, O, and C as values for the dnComps parameter. For locating Jane Doe's entry in the directory, the Certificate Manager constructs the following DN by reading the DN attribute values from the certificate, and uses the DN as the base for searching the directory:

CN=Jane Doe, OU=Sales, O=Siroe Corporation, C=US

Note the following:

A subject name does not need to have all of the components that you specify for the dnComps parameter. The server ignores any components that are not part of the subject name (such as L, ST, and E in this example).

Unspecified components are not used to build the DN. In the example, if you did not include the OU component, the server would use this DN as the base for searching the directory:

CN=Jane Doe, O=Siroe Corporation, C=US

In general, for the dnComps parameter, you should enter those DN components that the Certificate Manager can use to form the LDAP DN exactly. In certain situations, however, the subject name in a certificate may match more than one entry in the directory. Then, the Certificate Manager might not get a single, distinct matching entry from the DN. For example, the subject name

CN=Jane Doe, OU=Sales, O=Siroe Corporation, C=US

might match two users with the name Jane Doe in the directory. If that occurred, the Certificate Manager would need additional criteria to determine which entry corresponds to the subject of the certificate.

To specify the components the Certificate Manager must use to distinguish between different entries in the directory, use the filterComps parameter; for details, see Table 21.3.

For example, if you entered CN, OU, O, and C as values for the dnComps parameter, enter L for the filterComps parameter only if the L attribute can be used to distinguish between entries with identical CN, OU, O, and C values.

Consider another example that shows how two directory entries with similar DNs can be differentiated by the value of the UID attribute: Assume that the two Jane Doe entries are distinguished by the value of the UID attribute. One entry's UID value is janedoe1 and the other entry's UID value is janedoe2. Because the UID attribute corresponds to the UID component in a DN, you can set up the subject names of certificates to include the UID component.

Generally, the E, L, and ST components are not included in the standard set of certificate request forms provided for end entities. You can add these components to the forms, or you can have the issuing agents insert these components when editing the subject name in the certificate issuance forms.

LdapDNCompsMap Module

The Java class that implements the DN components mapper is identified as follows:

com.netscape.certsrv.ldap.LdapCertCompsMap

In the configuration file, the plug-in module is identified as follows: ca.publish.mapper.impl.LdapDNCompsMap.class=com.netscape.
certsrv.ldap.LdapCertCompsMap

In the CMS window, the module is identified as follows: LdapDNCompsMap

Figure 21.4 shows how the configurable parameters for the LdapDNCompsMap module are displayed in the CMS window.

Figure 21.4 Parameters defined in the LdapDNCompsMap module

With this configuration, a Certificate Manager maps its certificates with the ones in the LDAP directory by using the dnComps values to form a DN and the filterComps values to form a search filter for the subtree.

If the formed DN is null, the server uses the baseDN value for the subtree. If both the formed DN and base DN are null, the server logs an error.

If the filter is null, the server uses the baseDN value for the search. If both the filter and base DN are null, the server logs an error.

Table 21.3 describes these parameters.

Table 21.3 Description of parameters defined in the LdapDNCompsMap module


Parameter	Description
baseDN	Specifies the DN to start searching for an entry in the publishing directory. If you leave the dnComps field blank, the server uses the base DN value to start its search in the directory. Permissible values: Alphanumeric string up to 255 characters; see "Base Distinguished Name". Example: O=siroe.com
dnComps	Specifies where in the publishing directory the Certificate Manager should start searching for an LDAP entry that matches the CA's or the end entity's information (that is, the owner of the certificate). The server uses the dnComps values to form an LDAP entry to begin a subtree search. The server gathers values for these attributes from the certificate subject name and uses the values to form an LDAP DN, which then determines where in the LDAP directory the server starts its search. For example, if you set dnComps to use the O and C attributes of the DN, the server starts the search from the O=<org>, C=<country> entry in the directory, where <org> and <country> are replaced with values from the DN in the certificate. If you leave the dnComps field empty, the server checks the baseDN field and searches the directory tree specified by that DN for entries matching the filter specified by filterComps parameter values. Permissible values: Valid DN components or attributes separated by commas. Example: O,C
filterComps	Specifies components the Certificate Manager should use to filter entries from the search result. The server uses the filterComps values to form an LDAP search filter for the subtree. The server constructs the filter by gathering values for these attributes from the certificate subject name; it uses the filter to search for and match entries in the LDAP directory. If the server finds one or more entries in the LDAP directory that match the information gathered from the certificate, the search is successful and the server optionally performs a verification. For example, if filterComps is set to use the email and user ID attributes (filterComps=e, uid), the server searches the directory for an entry whose values for email and user ID match the information gathered from the certificate. Email addresses and user IDs are good filters because they are usually unique entries in the directory. Keep in mind that email is not always included in the certificate subject name. The filter needs to be specific enough to match one and only one entry in the LDAP database. Permissible values: Valid directory attributes (in the certificate DN) separated by commas. The attribute names for the filters need to be attribute names from the certificate, not from ones in the LDAP directory. For example, most certificates have an E attribute for the user's email address; LDAP calls that attribute mail. Example: UID

Subject Name Mapper

The LdapDNExactMap plug-in module implements the subject name mapper. This mapper enables you to configure a Certificate Manager to map a certificate to an LDAP directory entry by searching for the LDAP entry DN that matches the certificate subject name. Note that to be able to use this mapper, each certificate subject name must exactly match a DN in a directory entry. For example, assume the certificate subject name is this:

UID=jdoe, O=Siroe Corporation, C=US

When searching the directory for the entry, the Certificate Manager only searches for an entry whose DN is this:

UID=jdoe, O=Siroe Corporation, C=US

If no matching entries are found, the server returns an error and does not publish the certificate.

This mapper does not require you to specify any values for any parameters because it obtains all values from the certificate (see Figure 21.5).

LdapDNExactMap Module

The Java class that implements the subject name mapper is identified as follows:

com.netscape.certsrv.ldap.LdapCertExactMap

In the configuration file, the plug-in module is identified as follows: ca.publish.mapper.impl.LdapDNExactMap.class=com.netscape.
certsrv.ldap.LdapCertExactMap

In the CMS window, the module is identified as follows: LdapDNExactMap

Figure 21.5 shows how the LdapDNExactMap module looks when viewed in the CMS window.

Figure 21.5 The LdapDNExactMap module

Simple Mapper

The LdapSimpleMap plug-in module implements the simple mapper. This mapper enables you to configure a Certificate Manager to map a certificate to an LDAP directory entry by formulating the entry's DN from components specified in the certificate's subject name and attribute variable assertion (AVA) constants. For more information on AVAs, see the directory documentation.

The simple mapper requires you to specify just one parameter, which is named dnPattern. The value of dnPattern can be a list of AVA s separated by commas. An AVA can be a variable, such as UID=$subj.UID, or a constant, such as O=Siroe Corporation. By default, the Certificate Manager uses mapper rules that are based on the simple mapper.

During installation, the Certificate Manager automatically creates an instance (called a mapper) of the simple mapper module. The mapper is named LdapUserCertMap (see Figure 21.2). You can use the default mapper to map various types of end-entity certificates the server will issue to their corresponding directory entries. For details, see "LdapUserCertMap Mapper".

It is important that you review and customize this mapper. For instructions on modifying mappers or creating new mappers, see "Step 3. Configure the Certificate Manager to Publish Certificates".

LdapSimpleMap Module

The Java class that implements the simple mapper is as follows:

com.netscape.certsrv.ldap.LdapSimpleMap

In the CMS configuration file, the plug-in module is identified as follows: ca.publish.mapper.impl.LdapSimpleMap.class=com.netscape.
certsrv.ldap.LdapSimpleMap

In the CMS window, the module is identified as follows: LdapSimpleMap

Figure 21.6 shows how configurable parameters for the LdapSimpleMap module are displayed in the CMS window.

Figure 21.6 Parameters defined in the LdapSimpleMap module

LdapUserCertMap Mapper

The rule named LdapUserCertMap is an instance of the LdapSimpleMap module. The Certificate Manager automatically creates this mapper during installation.

You can use this mapper for mapping end-user certificates to users' directory entries. The default DN pattern for locating end-user entries is as follows:

UID=$subj.UID, OU=people, O=$subj.o

The default pattern indicates that the Certificate Manager should use the UID and O values from the certificate subject name and a constant OU=people to construct the DN pattern in order to search for an entry.

For example, if the certificate subject name is

CN=Jane Doe, UID=jdoe, OU=people, O=Siroe Corporation, C=US

the Certificate Manager will construct the following DN to search the directory for the entry:

UID=jdoe, OU=people, O=Siroe Corporation

Subject Attribute Mapper

The LdapSubjAttrMap plug-in module implements the subject attribute mapper. This mapper enables you to configure a Certificate Manager to map a certificate to an LDAP directory entry by using the LDAP attribute named certSubjectDN. Note that for you to be able to use this mapper, your directory entries must include the certSubjectDN attribute.

This mapper requires you to specify the exact pattern of the subject DN because the Certificate Manager searches the directory for the certSubjectDN attribute whose value exactly matches the entire subject DN specified in the mapper configuration. For example, assume the certificate subject name is this:

UID=jdoe, O=Siroe Corporation, C=US

When searching the directory for the entry, the Certificate Manager first searches for entries that have these attributes in common

certSubjectDN=UID=jdoe, O=Siroe Corporation, C=US

and then narrows down the search to an entry that has only this:

certSubjectDN=UID=jdoe, O=Siroe Corporation, C=US

If no matching entries are found, the server returns an error and writes it to the log; see "Monitoring Logs".

LdapSubjAttrMap Module

The Java class that implements the subject attribute mapper is identified as follows:

com.netscape.certsrv.ldap.LdapCertSubjMap

In the configuration file, the plug-in module is identified as follows: ca.publish.mapper.impl.LdapSubjAttrMap.class=com.netscape.
certsrv.ldap.LdapCertSubjMap

In the CMS window, the module is identified as follows: LdapSubjAttrMap

Figure 21.7 shows how configurable parameters for the LdapSubjAttrMap module are displayed in the CMS window.

Figure 21.7 Parameters defined in the LdapSubjAttrMap module

Table 21.4 describes these parameters.

Table 21.4 Description of parameters defined in the LdapSubjAttrMap module


Parameter	Description
certSubjNameAttr	Specifies the name of the LDAP attribute that contains a certificate subject name as its value. Permissible values: Must be certSubjectName. Example: certSubjectName
searchBase	Specifies the base DN for starting the attribute search. Permissible values: A valid DN of an LDAP entry. Example: O=siroe.com, C=US

Publisher Modules

Publisher modules help you configure the Certificate Manager to publish a CA certificate, end-entity certificates, or CRLs to the following:

A mapped entry in the directory (entries are mapped by one of the mapper modules explained in "Mapper Modules")

A particular file

An online validation authority

Overview of Publisher Modules

By default, the Certificate Manager provides publisher modules for publishing the CA certificate, end-entity certificates, and CRLs. Plug-in modules are implemented as Java classes and are registered in the CMS publishing framework. The Publisher Plugin Registration tab of the CMS window (see Figure 21.8) lists all the modules and the corresponding classes that are currently registered with a Certificate Manager.

Figure 21.8 Default publisher modules registered with a Certificate Manager

Table 21.5 describes the publisher modules provided for the Certificate Manager. You can use these modules to configure a Certificate Manager to employ specific publishing rules.

Table 21.5 Default publisher plug-in modules for publishing certificates and CRLs


Plug-in module name	Function
FileBasedPublisher	Publishes certificates and CRLs to a flat file (for exporting into other repositories). For details, see "Flat File Publisher".
LdapCaCertPublisher	Publishes or unpublishes a certificate to the caCertificate;binary attribute of the mapped directory entry as a DER encoded binary blob. Also converts the object class to a certificationAuthority if it's not one already; similarly, removes the certificationAuthority object class on unpublish if the CA has no other certificates. For details, see "CA Certificate Publisher".
LdapCrlPublisher	Publishes (replaces) a CRL to the certificateRevocationList;binary attribute of the mapped directory entry as a DER encoded binary blob. The entry should be a certificationAuthority object class. For details, see "CRL Publisher".
LdapUserCertPublisher	Publishes or unpublishes a certificate to the userCertificate;binary attribute of the mapped directory entry as a DER encoded binary blob. For details, see "End-Entity Certificate Publisher".
ValiCertPublisher	Publishes the CRL to ValiCert Certificate VA. For details, see "ValiCert Publisher".

If you determine that the default publisher modules do not meet your requirements, you can develop a custom publisher class by implementing the following Java interface:

com.netscape.certsrv.ldappublish.ILdapPublisher

For more information on this interface, check the CMS software development kit (SDK) installed at this location: <server_root>/cms_sdk/sdkdocs

Be sure to take a look at the samples available at this location: <server_root>/cms_sdk/samples/publishing/publishers

When developing a custom publisher module, you may want to intercept LDAP error 52 and reword it so that the correct error message gets logged. To give you an example, if the publishing directory has been stopped, the server logs the following message in its error and system logs:

Error publishing CRL MasterCRL: Cannot find a match in the LDAP server for certificate. netscape.ldap.LDAPException: unable to establish connection (52); DSA is unavailable.

Notice that the error message incorrectly says DSA is unavailable instead of Directory Server is unavailable.

For instructions on how to configure a Certificate Manager to use a publisher module, see "Step 3. Configure the Certificate Manager to Publish Certificates".

Flat File Publisher

The FileBasedPublisher plug-in module implements the flat file publisher. This module enables you to configure a Certificate Manager to publish certificates and CRLs to files, which then can be used for importing the certificates and CRLs into any other repository.

By default, the Certificate Manager does not create an instance of the FileBasedPublisher module. The instructions covered in "Publishing Certificates and CRLs to Flat Files" explain how to create an instance of this module and how to configure a Certificate Manager to publish certificates and CRLs to files.

FileBasedPublisher Module

The Java class that implements the flat file publisher is as follows:

com.netscape.certsrv.ldap.FileBasedPublisher

In the CMS configuration file, the plug-in module is identified as follows: ca.publish.publisher.impl.FileBasedPublisher.class=com.
netscape.certsrv.ldap.FileBasedPublisher

In the CMS window, the module is identified as follows: FileBasedPublisher

Figure 21.9 shows how the configurable parameters for the FileBasedPublisher module are displayed in the CMS window.

Figure 21.9 Configuration parameters defined in the FileBasedPublisher module

The configuration shown in Figure 21.9 creates a publisher named PublishCertsToFile, which can publish certificate and CRL files to a directory at C:\certificates.

CA Certificate Publisher

The LdapCaCertPublisher plug-in module implements the CA certificate publisher. This module enables you to configure a Certificate Manager to publish or unpublish a certificate to the caCertificate;binary attribute of the mapped directory entry; the mapper must locate the correct entry so the publisher can publish the certificate to the specified attribute. The certificate is published as a DER encoded binary blob.

The module also converts the object class of the CA's entry to a certificationAuthority if it's not one already. Similarly, it also removes the certificationAuthority object class on unpublish if the CA has no other certificates.

You can use this module for publishing the CA certificate to the LDAP directory only.

During installation, the Certificate Manager automatically creates an instance (called a publisher) of the LdapCaCertPublisher module for publishing the CA certificate to the directory. See "LdapCaCertPublisher Publisher".

LdapCaCertPublisher Module

The Java class that implements the CA certificate publisher is as follows:

com.netscape.certsrv.ldap.LdapCaCertPublisher

In the CMS configuration file, the plug-in module is identified as follows: ca.publish.publisher.impl.LdapCaCertPublisher.class=com.
netscape.certsrv.ldap.LdapCaCertPublisher

In the CMS window, the module is identified as follows: LdapCaCertPublisher

Figure 21.10 shows how the configurable parameters for the LdapCaCertPublisher module are displayed in the CMS window.

Figure 21.10 Parameters defined in the LdapCaCertPublisher module

Table 21.6 describes these parameters.

Table 21.6 Description of parameters defined in the LdapCaCertPublisher module


Parameter	Description
caCertAttr	Specifies the LDAP directory attribute to publish the CA certificate. Permissible values: Must be caCertificate;binary. Example: caCertificate;binary
caObjectClass	Specifies the object class for the CA's entry in the directory. Permissible values: Must be certificationAuthority. Example: certificationAuthority

LdapCaCertPublisher Publisher

The publisher named LdapCaCertPublisher is an instance of the LdapCaCertPublisher module. The Certificate Manager automatically creates this publisher during installation.

You can use this publisher for publishing the CA certificate to caCertificate;binary attribute of the mapped CA's entry in the directory.

End-Entity Certificate Publisher

The LdapUserCertPublisher plug-in module implements the end-entity certificate publisher. This module enables you to configure a Certificate Manager to publish or unpublish a certificate to the userCertificate;binary attribute of the mapped directory entry; the mapper must locate the correct entry so the publisher can publish the certificate to the specified attribute. The certificate is published as a DER encoded binary blob.

You can use this module to publish any end-entity certificate to an LDAP directory. Types of end-entity certificates include SSL client, S/MIME, SSL server, object signing, router, and OCSP responder.

During installation, the Certificate Manager automatically creates an instance (called a publisher) of the LdapUserCertPublisher module for publishing end-entity certificates to the directory. See "LdapUserCertPublisher Publisher".

LdapUserCertPublisher Module

The Java class that implements the end-entity certificate publisher is as follows:

com.netscape.certsrv.ldap.LdapUserCertPublisher

In the CMS configuration file, the plug-in module is identified as follows: ca.publish.publisher.impl.LdapUserCertPublisher.class=com.
netscape.certsrv.ldap.LdapUserCertPublisher

In the CMS window, the module is identified as follows: LdapUserCertPublisher

Figure 21.11 shows how the configurable parameters for the LdapUserCertPublisher module are displayed in the CMS window.

Figure 21.11 Parameters defined in the LdapUserCertPublisher module

The configuration shown in Figure 21.11 creates a publisher rule named LdapUserCertPublisher, which publishes user certificates to the userCertificate;binary attribute of the mapped user entries.

Table 21.7 describes the parameters.

Table 21.7 Description of parameters defined in the LdapUserCertPublisher module


Parameter	Description
certAttr	Specifies the directory attribute of the mapped entry to which the Certificate Manager should publish the certificate. Permissible values: Must be userCertificate;binary. Example: userCertificate;binary

LdapUserCertPublisher Publisher

The publisher named LdapUserCertPublisher is an instance of the LdapUserCertPublisher module. The Certificate Manager automatically creates this publisher during installation.

You can use this publisher to publish an end-entity certificate to the userCertificate;binary attribute of the mapped end-entity's entry in the directory.

CRL Publisher

The LdapCrlPublisher plug-in module implements the CRL publisher. This module enables you to configure a Certificate Manager to publish or unpublish the CRL to the certificateRevocationList;binary attribute of the mapped directory entry; the configured mapper must locate the CA's entry so that the publisher can publish the CRL to the certificateRevocationList;binary attribute. The CRL is published as a DER-encoded binary blob.

The CRL publisher requires you to specify just one parameter named crlAttr. The value of this parameter must be certificateRevocationList;binary.

During installation, the Certificate Manager automatically creates an instance (called a publisher) of the LdapCrlPublisher module for publishing CRLs to the directory. See "LdapCrlPublisher Publisher".

LdapCrlPublisher Module

The Java class that implements the CRL publisher is as follows:

com.netscape.certsrv.ldap.LdapCrlPublisher

In the CMS configuration file, the plug-in module is identified as follows: ca.publish.publisher.impl.LdapCrlPublisher.class=com.
netscape.certsrv.ldap.LdapCrlPublisher

In the CMS window, the module is identified as follows: LdapCrlPublisher

Figure 21.12 shows how the configurable parameters for the LdapCrlPublisher module are displayed in the CMS window.

Figure 21.12 Parameters defined in the LdapCrlPublisher module

Table 21.8 describes these parameters.

Table 21.8 Description of parameters defined in the LdapCrlPublisher module


Parameter	Description
crlAttr	Specifies the directory attribute of the mapped entry to which the Certificate Manager should publish the certificate. Permissible values: Must be certificateRevocationList;binary. Example: certificateRevocationList;binary

LdapCrlPublisher Publisher

The publisher named LdapCrlPublisher is an instance of the LdapCrlPublisher module. The Certificate Manager automatically creates this publisher during installation.

You can use this publisher for publishing the CRL to certificateRevocationList;binary attribute of the CA's entry in the directory.

ValiCert Publisher

The ValiCertPublisher plug-in module implements the ValiCert publisher. This publisher enables you to configure a Certificate Manager to publish CRLs to ValiCert Certificate VA (Certificate VA), which can function as a local online validation authority for your PKI setup. For details, see "Local OCSP Support".

By default, the Certificate Manager does not create any instance of the ValiCertPublisher module. The instructions covered in "Publishing CRLs to Online Validation Authority" explain how to create an instance of this module and how to configure a Certificate Manager to publish CRLs to Certificate VA.

ValiCertPublisher Module

The Java class that implements the ValiCert publisher is as follows:

com.valicert.publisher.VcPublisher

In the CMS configuration file, the plug-in module is identified as follows: ca.publish.publisher.impl.ValiCertPublisher.class=com.
valicert.publisher.VcPublisher

In the CMS window, the module is identified as follows: ValiCertPublisher

Figure 21.13 shows how the configurable parameters for the ValiCertPublisher module are displayed in the CMS window.

Figure 21.13 Parameters defined in the ValiCertPublisher module

Table 21.9 describes these parameters.

Table 21.9 Description of parameters defined in the ValiCertPublisher module


Parameter	Description
NUM_OUTPUT_ LOCATIONS	Specifies the total number of output locations. You can change the total number of locations by changing the value assigned to this parameter. Permissible values: n (or leave the field blank). n specifies the total number of locations; it must be an integer greater than zero. The default value is 5. If you leave the value field blank, it defaults to 1. Example: 2
VC_LOG_FILE	Specifies the name of the file to which the server writes or logs messages to. If you leave the value field blank, the server writes to a file named ./vpublish.log.
LOG_LEVEL	Specifies the log level, the level of information to be reported. Permitted values: 0, 1, or 2. 0 specifies informational messages should be logged. 1 specifies error and warning messages should be logged (default). 1 specifies debugging messages should be logged. Example: 2
DEFAULT_FORMAT	Specifies the data format for the CRL; the value in this field is used if the CRL format is not specified by the OUTPUT_SECTION parameter. Permissible values: CRL or PKCS7. CRL specifies that the CRL format should be the same as the one defined in the X.509 standard. PKCS7 specifies that the CRL format should be PKCS #7 (default). Example: PKCS7
DEFAULT_ENCODING	Specifies the encoding to be used for the CRL; the value in this field is used if the encoding is not specified by the OUTPUT_SECTION parameter. Permissible values: DER or BASE64. DER specifies that the CRL should be published as a DER-encoded blob (default). BASE64 specifies that the CRL should be published as a base-64 encoded blob. Example: DER
PROXY_HOST	Specifies the name of the proxy server. If you leave the field blank, proxy server will not be used.
PROXY_PORT	Specifies the port number of the proxy server. If you leave the field blank, proxy server will not be used.
[OUTPUT_SECTIONS_<n>]LOCATION	Specifies the location or the destination information to publish the CRL. Each location is distinguished by <n>, which is an integer derived from the value you assigned in the NUM_OUTPUT_LOCATIONS field. For example, if you set the NUM_OUTPUT_LOCATIONS parameter to 2, <n> would be 1 and 2. The syntax for specifying the destination information is as follows: [<format>;][<encoding>;]valicert://<host>[:<port>] [/<location>] Attribute inside the square bracket, [], is optional. Permissible values: For <format>: CRL or PKCS7 For <encoding>: DER or BASE64 For <host>: A fully qualified host name of the ValiCert Certificate VA. For <port>: The service port of ValiCert Certificate VA; by default it is 80. Example: PKCS7;DER;valicert://validator.siroe.com:8000

CRL Extension Modules

Since its initial publication, the X.509 standard for CRL formats has been amended to include additional information within a CRL. Version 2, the latest version, allows you to add information as CRL extensions.

The extensions defined by ANSI X9 and ISO/IEC/ITU for X.509 v2 CRLs [X.509] [X9.55] enable you to associate additional attributes with CRLs. The Internet X.509 Public Key Infrastructure Certificate and CRL Profile (see http://www.ietf.org/rfc/rfc2459.txt) recommends a set of extensions to be used in CRLs. These extensions are called standard CRL extensions.

The standard also suggests that you can define your own extensions and include them in CRLs you issue. These extensions are called private, proprietary, or custom CRL extensions and they carry information unique to your organization or business. Keep in mind that applications may not able to validate CRLs that contain private, critical extensions, thus preventing the use of these CRLs in a general context.

Note Some explanations in this chapter make reference to Abstract Syntax Notation One (ASN.1) and Distinguished Encoding Rules (DER). These are specified in the CCITT Recommendations X.208 and X.209. For a quick summary of ASN.1 and DER, see A Layman's Guide to a Subset of ASN.1, BER, and DER, which is available at RSA Laboratories' web site (http://www.rsa.com).

Structure of CRL Extensions

A CRL extension consists of the following:

The object identifier (OID) for the extension; see "Object Identifier".

This identifier uniquely identifies the extension. It also determines the ASN.1 type of value in the value field and how the value is interpreted. That is, when an extension appears in a CRL, the OID appears as the extension ID field (extnID) and the corresponding ASN.1 encoded structure appears as the value of the octet string (extnValue); see the examples in "Sample CRL and CRL Entry Extensions".

A flag or boolean field called critical.

The true or false value assigned to this field indicates whether the extension is critical (true) or noncritical (false) to the CRL.

If the extension is critical and the CRL is sent to an application that does not understand the extension (based on the extension's ID), the application must reject the CRL.

If the extension is not critical and the CRL is sent to an application that does not understand the extension (based on the extension's ID), the application can ignore the extension and accept the CRL.

An octet string containing the DER encoding of the value of the extension.

Typically, the application receiving the CRL checks the extension ID to determine if it can recognize the ID. If it can, it uses the extension ID to determine the type of value used.

Sample CRL and CRL Entry Extensions

The following is an example of the section of a CRL containing X.509 v2 extensions. (Certificate Management System can display CRLs in human-readable format, as shown here.) As shown in the example, CRL extensions appear in sequence and only one instance of a particular extension may appear in a particular CRL; for example, a CRL may contain only one authority key identifier extension. However, CRL-entry extensions appear in appropriate entries in the CRL.

Certificate Revocation List:

	Data: 

		Version:  v2

...

Extensions: 

	Identifier: Authority Key Identifier

		Critical: no

		Key Identifier:

		2c:22:c6:ae:4e:4b:91:c7:fb:4c:cc:ae:84:e8:aa:5b:46:6a:a0:ad

Extensions: 

	Identifier: Revocation Reason - 2.5.29.21

		Critical: no 

		Reason: Key_Compromise

		Serial Number: 0x12

		Revocation Date: Tuesday, December 15, 1998 5:20:42 AM

Extensions: 

	Identifier: Revocation Reason - 2.5.29.21

		Critical: no

		Reason: CA_Compromise

		Serial Number: 0x11

		Revocation Date: Wednesday, December 16, 1998 4:51:54 AM

Extensions: 

	Identifier: Revocation Reason - 2.5.29.21

		Critical: no

		Reason: Key_Compromise

		Serial Number: 0x10

		Revocation Date: Thursday, December 17, 1998 2:37:24 AM

Extensions:

	Identifier: Revocation Reason - 2.5.29.21

		Critical: no

		Reason: Affiliation_Changed

		Serial Number: 0xA

		Revocation Date: Wednesday, November 25, 1998 5:11:18 AM

...

Overview of CRL Extension Modules

To enable you issue or publish X.509 v2 CRLs (that is, CRLs with extensions), Certificate Management System provides a set of plug-in modules; each module enables you to configure the Certificate Manager to set a particular CRL or CRL-entry extension in CRLs it issues. Plug-in modules are implemented as Java classes and are registered in the CMS publishing framework. The CRL Extensions Management tab of the CMS window (Figure 21.14) lists all the modules that are registered with a Certificate Manager.

When deciding whether to add CRL extensions, keep in mind that not all applications support version 2 CRLs. Among the applications that do support extensions, not all applications will recognize every extension. For general guidelines on using these extensions in CRLs, see "Certificate Extensions" in Appendix B of Netscape Certificate Management System Installation and Deployment Guide.

Figure 21.14 Default CRL extension modules registered with a Certificate Manager

Table 21.10 lists CRL extension modules that are installed with a Certificate Manager.

Table 21.10 Default CRL extension modules


Plug-in module name	Function
AuthorityKeyIdentifier	Sets the Authority Key Identifier extension in CRLs. For details, see "AuthorityKeyIdentifier Rule".
CertificateIssuer	Sets the Certificate Issuer extension in CRLs. For details, see "CertificateIssuer Rule""CertificateIssuer Rule" on page 749.
CRLNumber	Sets the CRL Number extension in CRLs. For details, see "CRLNumber Rule".
CRLReason	Sets the Reason Code extension in CRL entries. For details, see "CRLReason Rule".
HoldInstruction	Sets the Hold Instruction Code extension in CRL entries. For details, see "HoldInstruction Rule".
InvalidityDate	Sets the Invalidity Date extension in CRL entries. For details, see "InvalidityDate Rule".
IssuerAlternativeName	Sets the Issuer Alternative Name extension in CRLs. For details, see "IssuerAlternativeName Rule".
IssuingDistributionPoint	Sets the Issuing Distribution Point extension in CRLs. For details, see "IssuingDistributionPoint Rule".

For instructions on how to configure a Certificate Manager to set CRL extensions, see "Step B. Set the CRL Extensions".

AuthorityKeyIdentifier Rule

The AuthorityKeyIdentifier rule enables you to configure a Certificate Manager to set the Authority Key Identifier Extension defined in X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) in CRLs. The extension is used to identify the public key that corresponds to the private key used by a CA to sign CRLs.

The PKIX standard recommends that the CA must include this extension in all CRLs it issues. Therefore, you should consider adding this extension to all CRLs issued by the Certificate Manager. The reason for this is that in certain situations, a CA's public key may change (for example, when the key gets updated) or the CA may have multiple signing keys (either because of multiple concurrent key pairs or because of key changeover). In these cases, the CA ends up with more than one key pair. When verifying a signature on a certificate, other applications need to know which key was used in the signature. The extension, if present in a certificate, enables applications (those that can use the extension) to identify the correct key to use in situations when multiple keys exist; the extension specifies the public key to be used to verify the signature on the CRL.

For general guidelines on setting the authority key identifier extension in CRLs, see "authorityKeyIdentifier" in Appendix B of Netscape Certificate Management System Installation and Deployment Guide.

Figure 21.15 shows how configurable parameters for the AuthorityKeyIdentifier rule are displayed in the CMS window.

Figure 21.15 Parameters defined in the AuthorityKeyIdentifier rule

The configuration shown in Figure 21.15 specifies that the server should not set the authority key identifier extension in CRLs.

Table 21.11 describes these parameters.

Table 21.11 Description of parameters defined in the AuthorityKeyIdentifierExt rule


Parameter	Description
enable	Specifies whether the rule is enabled or disabled. Check the box to enable the rule. Uncheck the box to disable the rule (default). If you enable the rule and set the remaining parameters correctly, the server sets the authority key identifier extension in CRLs. If you disable the rule, the server does not add the extension to CRLs; it ignores the values in the remaining fields.
critical	Specifies whether the extension should be marked critical or noncritical in CRLs issued by the server. Check the box if you want the server to mark the extension critical. Uncheck the box if you want the server to mark the extension noncritical (default).

CRLNumber Rule

The CRLNumber rule enables you to configure a Certificate Manager to set the CRL Number Extension defined in X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) in CRLs. This extension specifies a monotonically increasing sequence number for each CRL issued by a CA, allowing CRL users to easily determine when a particular CRL supersedes another CRL.

For general guidelines on setting the CRL number extension in CRLs, see "CRLNumber" in Appendix B of Netscape Certificate Management System Installation and Deployment Guide.

Figure 21.16 shows how the configurable parameters for the CRLNumber rule are displayed in the CMS window.

Figure 21.16 Parameters defined in the CRLNumber rule

The configuration shown in Figure 21.16 specifies that the server should not set the CRL number extension in CRLs.

Table 21.12 describes these parameters.

Table 21.12 Description of parameters defined in the CRLNumber rule


Parameter	Description
enable	Specifies whether the rule is enabled or disabled. Check the box to enable the rule. Uncheck the box to disable the rule (default). If you enable the rule and set the remaining parameters correctly, the server sets the CRL number extension in CRLs. If you disable the rule, the server does not add the extension to CRLs; it ignores the values in the remaining fields.
critical	Specifies whether the extension should be marked critical or noncritical in CRLs issued by the server. Check the box if you want the server to mark the extension critical. Uncheck the box if you want the server to mark the extension noncritical (default).

CRLReason Rule

The CRLReason rule enables you to configure a Certificate Manager to set the CRL ReasonCode Extension defined in X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) in CRL entries. The extension is used to identify the reason for the revocation of a certificate included in the CRL.

For general guidelines on setting the CRL reason code in CRL entries, see "reasonCode" in Appendix B of Netscape Certificate Management System Installation and Deployment Guide.

The revocation reasons defined by the standard are listed in Table 21.13.

Table 21.13 Certificate revocation reasons


Code	Reason
0	unspecified
1	keyCompromise
2	cACompromise
3	affiliationChanged
4	superseded
5	cessationOfOperation
6	certificateHold
8	removeFromCRL

Figure 21.17 shows how the configurable parameters for the CRLReason rule are displayed in the CMS window.

Figure 21.17 Parameters defined in the CRLReason rule

The configuration shown in Figure 21.17 specifies that the server should set the CRL reason code extension in CRL entries.

Table 21.14 describes these parameters.

Table 21.14 Description of parameters defined in the CRLReason rule


Parameter	Description
enable	Specifies whether the rule is enabled or disabled. Check the box to enable the rule (default). Uncheck the box to disable the rule. If you enable the rule and set the remaining parameters correctly, the server sets the CRL number extension in CRLs. If you disable the rule, the server does not add the extension to CRLs; it ignores the values in the remaining fields.
critical	Specifies whether the extension should be marked critical or noncritical in CRLs issued by the server. Check the box if you want the server to mark the extension critical. Uncheck the box if you want the server to mark the extension noncritical (default).

HoldInstruction Rule

The HoldInstruction rule enables you to configure a Certificate Manager to set the CRL Hold Instruction Extension defined in X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) in CRLs. The extension is a non-critical CRL entry extension that is used to specify a registered instruction identifier--the identifier indicates what action the validating application should take when it encounters a certificate that has been placed on hold.

For general guidelines on setting the CRL hold instruction code in CRL entries, see "holdInstructionCode" in Appendix B of Netscape Certificate Management System Installation and Deployment Guide.

Figure 21.18 shows how the configurable parameters for the HoldInstruction rule are displayed in the CMS window.

Figure 21.18 Parameters defined in the HoldInstruction rule

The configuration shown in Figure 21.18 specifies that the server should not set the hold instruction extension in CRL entries.

Table 21.15 describes these parameters.

Table 21.15 Description of parameters defined in the HoldInstruction rule


Parameter	Description
enable	Specifies whether the rule is enabled or disabled. Check the box to enable the rule. Uncheck the box to disable the rule (default). If you enable the rule and set the remaining parameters correctly, the server sets the Hold Instruction extension in CRLs. If you disable the rule, the server does not add the extension to CRLs; it ignores the values in the remaining fields.
critical	Specifies whether the extension should be marked critical or noncritical in CRLs issued by the server. Check the box if you want the server to mark the extension critical. Uncheck the box if you want the server to mark the extension noncritical (default).
instruction	Specifies the action a validating application must take when it encounters a certificate that has been put on hold. Permissible values: none, callissuer, or reject. none specifies that the validating application need not do anything; the PKIX standard says that this is semantically equivalent to the absence of a holdInstructionCode (default). callissuer specifies that the validating application must call the CA that has issued the certificate or reject the certificate. reject specifies that the validating application must reject the certificate on hold. Example: none

InvalidityDate Rule

The InvalidityDate rule enables you to configure a Certificate Manager to set the Invalidity Date Extension defined in X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) in CRLs. The extension is a non-critical CRL entry extension that is used to specify the date on which it is known or suspected that the private key was compromised or that the certificate otherwise became invalid.

For general guidelines on setting the invalidity date extension in CRL entries, see "invalidityDate" in Appendix B of Netscape Certificate Management System Installation and Deployment Guide.

Figure 21.19 shows how the configurable parameters for the InvalidityDate rule are displayed in the CMS window.

Figure 21.19 Parameters defined in the InvalidityDate rule

The configuration shown in Figure 21.19 specifies that the server should not set the invalidity date extension in CRL entries.

Table 21.16 describes these parameters.

Table 21.16 Description of parameters defined in the InvalidityDate rule


Parameter	Description
enable	Specifies whether the rule is enabled or disabled. Check the box to enable the rule. Uncheck the box to disable the rule (default). If you enable the rule and set the remaining parameters correctly, the server sets the Invalidity Date extension in CRLs. If you disable the rule, the server does not add the extension to CRLs; it ignores the values in the remaining fields.
critical	Specifies whether the extension should be marked critical or noncritical in CRLs issued by the server. Check the box if you want the server to mark the extension critical. Uncheck the box if you want the server to mark the extension noncritical (default).

IssuerAlternativeName Rule

The IssuerAlternativeName rule enables you to configure a Certificate Manager to set the Issuer Alternative Name Extension defined in X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) in CRLs. This extension enables binding of or associating alternative identities, such as Internet electronic mail address, a DNS name, an IP address, and a uniform resource indicator (URI), with the issuer of the CRL.

The IssuerAlternativeName rule enables you to associate the following identities with a CRL issuer, by including them in the extension:

An rfc822Name

A DNS name

A directory name

A uniform resource indicator (URI)

An IP address

An object identifier (OID)

For general guidelines on setting the issuer alternative name extension in CRLs, see "issuerAltName" in Appendix B of Netscape Certificate Management System Installation and Deployment Guide.

Figure 21.20 shows how configurable parameters for the IssuerAlternativeName rule are displayed in the CMS window.

Figure 21.20 Parameters defined in the IssuerAlternativeName rule

The configuration shown in Figure 21.20 specifies that the server should not set the issuing point extension in CRLs.

Table 21.17 describes these parameters.

Table 21.17 Description of parameters defined in the IssuerAlternativeName rule


Parameter	Description
enable	Specifies whether the rule is enabled or disabled. Check the box to enable the rule. Uncheck the box to disable the rule (default). If you enable the rule and set the remaining parameters correctly, the server sets the issuer alternative name extension in CRLs. If you disable the rule, the server does not add the extension to CRLs; it ignores the values in the remaining fields.
critical	Specifies whether the extension should be marked critical or noncritical in CRLs issued by the server. Check the box if you want the server to mark the extension critical. Uncheck the box if you want the server to mark the extension noncritical (default).
numNames	Specifies the total number of alternative names or identities permitted in the extension. Note that each name has a set of configuration parameters-- nameType and name--and you must specify appropriate values for each of those parameters; otherwise, the policy rule will return an error. You can change the total number of identities by changing the value specified in this field; there's no restriction on the total number of identities you can include in the extension. Each set of configuration parameters is distinguished by <n>, which is an integer derived from the value you assign in this field. For example, if you set the numNames parameter to 2, <n> would be 0 and 1. Permissible values: 0 or n. 0 specifies that no identities can be contained in the extension. n specifies the total number of identities to be included in the extension; it must be an integer greater than zero. The default value is 3. Example: 1
nameType<n>	Specifies the general-name type. Permissible values: rfc822Name, directoryName, dNSName, ediPartyName, URL, iPAddress, OID, or otherName. Select rfc822Name if the name is an Internet mail address. Select directoryName if the name is an X.500 directory name. Select dNSName if the name is a DNS name. Select ediPartyName if the name is a EDI party name. Select URL if the name is a uniform resource identifier (default). Select iPAddress if the name is an IP address. Select OID if the name is an object identifier. Select otherName if the name is in any other name form. Example: URL
name<n>	Specifies the general-name value. Permissible values: Depends on the name type specified in the nameType<n> field. If the type is rfc822Name, the value must be a valid Internet mail address in the local-part@domain format; see the definition of an rfc822Name as defined in RFC 822 (http://www.ietf.org/rfc/rfc0822.txt). You may use upper and lower case letters in the mail address; no significance is attached to the case. Example: testCA@siroe.com
	If the type is directoryName, the value must be a string form of X.500 name, similar to the subject name in a certificate, in the RFC 2253 syntax (see http://www.ietf.org/rfc/rfc2253.txt). Note that RFC 2253 replaces RFC 1779. Example: CN=CACentral,OU=Research Dept,O=Siroe Corp,C=US.
	If the type is dNSName, the value must be a valid domain name in the preferred-name syntax as specified in RFC 1034 (http://www.ietf.org/rfc/rfc1034.txt). You may use upper and lower case letters in the domain name; no significance is attached to the case. Do not use the string " " for the DNS name. Also don't use the DNS representation for Internet mail addresses; such identities should be encoded as rfc822Name. Example: testCA.siroe.com
	If the type is ediPartyName, the name must be an IA5String. Example: Siroe Corporation
	If the type is URL, the value must be a non-relative universal resource identifier (URI) following the URL syntax and encoding rules specified in RFC 1738 (http://www.ietf.org/rfc/rfc1738.txt). That is, the name must include both a scheme (for example, http) and a fully qualified domain name or IP address of the host. Example: http://testCA.siroe.com
	If the type is iPAddress, the value must be a valid IP address specified in dot-separated numeric component notation. The syntax for specifying the IP address is as follows: For IP version 4 (IPv4), the address should be in the form specified in RFC 791 (http://www.ietf.org/rfc/rfc0791.txt). IPv4 address must be in the n.n.n.n format; for example, 128.21.39.40. IPv4 address with netmask must be in the n.n.n.n,m.m.m.m format. For example, 128.21.39.40,255.255.255.00. For IP version 6 (IPv6), the address should be in the form described in RFC 1884 (http://www.ietf.org/rfc/rfc1884.txt), with netmask separated by a comma. Examples of IPv6 addresses with no netmask are 0:0:0:0:0:0:13.1.68.3 and FF01::43. Examples of IPv6 addresses with netmask are 0:0:0:0:0:0:13.1.68.3,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:255.255.255.0 and FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000.
	If the type is OID, the value must be a unique, valid OID specified in the dot-separated numeric component notation. Although you can invent your own OIDs for the purposes of evaluating and testing this server, in a production environment, you should comply with the ISO rules for defining OIDs and for registering subtrees of IDs. See "Object Identifier" for information on allocating private OIDs. Example: 1.2.3.4.55.6.5.99
	If the type is otherName, the name must be must be the absolute path to the file that contains the general name in its base-64 encoded format. Example: C:\netscape\server4\extn\ian\othername.txt

IssuingDistributionPoint Rule

The IssuingDistributionPoint rule enables you to configure a Certificate Manager to set the Issuing Distribution Point Extension defined in X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) in CRLs. The CRL issuing point extension enables you to specify a pointer to a particular CRL and to include additional information about the CRL at that location--whether it covers revocation of end-entity certificates only, CA certificates only, or revoked certificates that have a limited set of reason codes.

By default, the pointer can be in either of these forms:

The name of the X.500 directory that stores the CRL

The URI to the location that contains the CRL

Optionally, each issuing point may contain a set of reason flags, indicating what revocation reasons are covered by the CRL at the specified location. Note that you can modify the rule to support any name form by making the appropriate changes to the sample code provided for this purpose. The sample code is located here:

<server_root>/cms_sdk/samples/CRLs/IssuingDistributionPoint

For general guidelines on setting the issuing distribution point extension in CRLs, see "issuingDistributionPoints" in Appendix B of Netscape Certificate Management System Installation and Deployment Guide.

Figure 21.21 shows how configurable parameters for the IssuingDistributionPoint rule are displayed in the CMS window.

Figure 21.21 Parameters defined in the IssuingDistributionPoint rule

The configuration shown in Figure 21.21 specifies that the server should not set the issuing point extension in CRLs.

Table 21.18 describes these parameters.

Table 21.18 Description of parameters defined in the IssuingDistributionPoint rule


Parameter	Description
enable	Specifies whether the rule is enabled or disabled. Check the box to enable the rule. Uncheck the box to disable the rule (default). If you enable the rule and set the remaining parameters correctly, the server sets the issuing distribution point extension in CRLs. If you disable the rule, the server does not add the extension to CRLs; it ignores the values in the remaining fields.
critical	Specifies whether the extension should be marked critical or noncritical in CRLs issued by the server. Check the box if you want the server to mark the extension critical (default). Uncheck the box if you want the server to mark the extension noncritical.
pointType	Specifies the type (for example, URI) of the issuing distribution point. Permissible values: By default, DirectoryName and URI. DirectoryName specifies that the type is an X.500 Directory Name (that is, the CRL is stored in an X.500 directory). URI specifies that the type is a uniform resource indicator (this provides a pointer to the location for the most current CRL issued by this CA). Example: URI
pointName	Specifies the name of the issuing distribution point. The name of the distribution point can be in any of the following formats: Permissible values: Depends on the value specified for the pointType parameter. If the pointType attribute is set to DirectoryName, the name must be an X.500 Name (in RFC1779 syntax). If the pointType attribute is set to URI, the name must be a URI; the URI must be an absolute pathname and must specify the host. Example: If the name is a URI, it would look similar to this: http://testCA.siroe.com/get/your/crls/here/ If the name is an X.500 Directory Name, it would look similar to this: CN=CRLCentral,OU=Research Dept,O=Siroe Corp,C=US (Note that the CRL may be stored in the directory entry corresponding to the CRL issuing point, which may be different than the directory entry of the CA.)
onlySomeReasons	Specifies the reason codes associated with the distribution point. Permissible values: A combination of reason codes--unspecified, keyCompromise, cACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, and removeFromCRL--separated by commas. Leave field blank if the distribution point contains revoked certificates with all reason codes or if you don't want to set this field (default). Example: unspecified, keyCompromise, cessationOfOperation
onlyContainsCACerts	Specifies whether the distribution point contains only revoked CA certificates. Check the box if the distribution point contains CA certificates only. Uncheck the box if the distribution point contains all types of revoked certificates (default).
onlyContainsUserCerts	Specifies whether the distribution point contains only revoked user certificates. Check the box if the distribution point contains user certificates only. Uncheck the box if the distribution point contains all types of certificates (default).
indirectCRL	Specifies whether the distribution point contains an indirect CRL. Check the box if the distribution point contains an indirect CRL. Uncheck the box if the distribution point doesn't contain an indirect CRL (default).