Chapter 3 Finding and Revoking Certificates

As a Certificate Manager agent, you can use the Agent Services page to find a specific certificate issued by Certificate Management System or to retrieve a list of certificates that match specified criteria. You can examine certificates that you have retrieved. You can also revoke certificates and manage the certificate revocation list.

• Basic Certificate Listing

• Advanced Certificate Search


• Revoking Certificates


• Managing the Certificate Revocation List

1. Go to the Certificate Manager Agent Services page (see Accessing Agent Services). You must submit the proper client certificate to get access to this page.
2. Click List Certificates to display the List Certificates form in which you specify listing criteria.
3. To find a certificate with a specific serial number, enter the serial number in both the upper limit and lower limit fields of the List Certificates form, in either decimal or hexadecimal form.

Use 0x to indicate the beginning of a hexadecimal number; for example, 0x00000006. (Serial numbers are displayed in hexadecimal form in the Search Results and Details pages.)

4. To find all certificates within a range of serial numbers, enter the upper and lower limits of the serial number range (in decimal or hexadecimal form).

If you leave either the lower limit or upper limit field blank, the certificate whose number you specified plus all certificates before or after it in sequence are displayed.

5. To limit the returned list to valid certificates, select one or both of the checkboxes labeled with filtering methods.

You can choose not to show revoked certificates or not to show certificates that have expired or are not yet valid.

6. Enter the number of certificates matching the criteria that you want to see.

For a number n, the first n matching certificates are initially displayed.

7. Click Find.

Certificate Management System displays a list of the certificates that match your search criteria. You can select a certificate in the list and examine it in more detail or perform various operations on it. For more information, see "Examining Certificates."

1. Go to the Certificate Manager Agent Services page (see Accessing Agent Services). You must submit the proper client certificate to get access to this page.
2. Click Search for Certificates to display the Search for Certificates form in which you specify search criteria.
3. To search by particular criteria, use one or more of the sections of the Search for Certificates form.

The form is quite long; scroll down to see the different sections. To use a section, select the appropriate checkbox, then fill in any necessary information.

Serial Number Range. Use this section to find a certificate with a specific serial number or to list all certificates within a range of serial numbers.

• To find a certificate with a specific serial number, enter the serial number in both the upper limit and lower limit fields, in either decimal or hexadecimal form. Use 0x to indicate the beginning of a hexadecimal number; for example, 0x2A. (Serial numbers are displayed in hexadecimal form in the Search Results and Details pages.)
• To find all certificates within a range of serial numbers, enter the upper and lower limits of the serial number range (in decimal or hexadecimal form).

If you leave either the lower limit or upper limit field blank, all certificates before or after the one you specify are displayed.

Status. Use this section to select certificates by their status. A certificate can have one of the following status codes:

• VALID - The certificate has been issued, its validity period has begun but not ended, and it has not been revoked.
• INVALID - The certificate has been issued, but its validity period has not yet begun.
• REVOKED - The certificate has been revoked.
• EXPIRED - The current time is later than the end of the certificate's validity period.
• REVOKED & EXPIRED - The certificate meets the criteria for both status codes.

Subject Name. Use this section to list certificates with a particular owner. For more information on filling in this section, see Step 4.

Revocation Information. Use this section to list certificates that have been revoked during a particular period or by a particular agent. For example, you can list all certificates revoked between July 1996 and January 1997, or all certificates revoked by the agent with the user name admin.

• To list certificates revoked within a time period, select the day, month, and year from the drop-down lists to identify the beginning and end of the period.
• To list certificates revoked by a particular agent, enter the name of the agent. You can use wildcards in this field. (For more information on wildcard syntax, see Step 4.)

Issuing Information. Use this section to list certificates that have been issued during a particular period or by a particular agent. For example, you can list all certificates issued between July 1996 and January 1997, or all certificates issued by the agent with the user name betatest.

• To list certificates issued within a time period, select the day, month, and year from the drop-down lists to identify the beginning and end of the period.
• To list certificates issued by a particular agent, enter the name of the agent. You can use wildcards in this field. (For more information on wildcard syntax, see Step 4.)

Dates of Validity. Use this section to list certificates that become effective or expire during a particular period. For example, you can list all certificates that became valid on June 1, 1996, or that expired between January 1, 1997 and June 1, 1997.

You can also list certificates that have a validity period of a certain length of time. For example, you can list all certificates that are valid for less than one month.

• To list certificates that become effective or expire within a time period, select the day, month, and year from the drop-down lists to identify the beginning and end of the period.
• To list certificates that have a validity period of a certain length in time, select "not greater than" or "not less than" from the drop-down list, enter a number, and select a time unit from the drop-down list: Days, Weeks, Months, or Years.

Type. Use this section to list certain types of certificates. For example, you can list all certificates for subordinate CAs. Note that this search works only for certificates containing the netscape-cert-type extension, which stores type information.

• For each type, choose from the drop-down list to find certificates where that type is On, Off, or Absent.
4. To find a certificate with a specific subject name, use the Subject Name section.

• Select the checkbox, then enter the subject name criteria.
• Enter values for the fields you want included in your search criteria and leave the others blank.

The standard tags or components are as follows:

Email address. To narrow the search by email address, enter the email address in this field.

Common name. To find certificates associated with a specific person or server, enter the name in this field.

UserID. The UserID for the person whose certificate you want to find. For example, at many companies the UserID is the name used to log in to the network when starting up a computer.

Organization unit. To narrow the search to a specific division, department, or unit within an organization, enter the name of the unit in this field.

Organization. To narrow the search by organization, enter the name of the business, university, or organization in this field.

Locality. To narrow the search by locality, enter the name of the local area (for example, the name of the city) in this field.

State. To narrow the search by state or province, enter the name of the state or province in this field.

Country (two-letter code). To narrow the search by country, enter the two- letter code for the country (for example, US) in this field.

When you have entered the field values for the server to match, specify the type of search that you want performed:

• Select Exact to search for certificates that have subject names that match exactly the components you have specified and contain none of the components you have left blank. You cannot use wildcards in this type of search.
• Select Partial to search for all certificates with subject names that match at least the components you have specified but that may also have any values in the components you have left blank.

You can specify wildcard patterns in this type of search by using the question mark character (?) to match an arbitrary single character and the asterisk character (*) to match an arbitrary string of zero or more characters.

Note that placing a single asterisk in a given field in the search form specifies that the corresponding component must be in the certificate's subject name but may have any value whatsoever. To indicate that you do not care if the component is present, leave the field blank.

5. After entering your search criteria, scroll to the bottom of the form and enter the number of certificates matching your specified criteria that you want to see.

For a number n, the first n matching certificates are initially displayed.

6. Click Find.

1. On the Agent Services page, click List Certificates or Search for Certificates, specify search criteria, and click Find to display a list of certificates.

For details of how to specify criteria, see "Basic Certificate Listing" and "Advanced Certificate Search".

2. On the Search Results form, find the particular certificate you want to examine.

If the certificate you want to see is not shown, scroll to the bottom of the list, specify an additional number n, and click Find. The system displays the next n certificates that match your original search criteria.

3. When you have found the certificate you want, click the Details button at the left side of its entry.

The Certificate page appears. It shows the detailed contents of the selected certificate and instructions for installing the certificate in a server or in Netscape Navigator.

• The owner of the certificate has changed status and no longer has the right to use the certificate.
• The private key of a certificate owner has been compromised.

1. Go to the Certificate Manager Agent Services page (see Accessing Agent Services).

You must submit the proper client certificate to get access to this page.

2. Click Revoke Certificates.

The search form that appears has the same search criteria sections as the Search for Certificates form.

3. Specify the search criteria by selecting the checkboxes for the sections you want to use, then filling in the required information.

For details on search criteria, see "Advanced Certificate Search.".

4. Scroll to the bottom of the form and select a number of matching certificates to display.
5. Click Find.

The search returns a list of matching certificates. You have the option of revoking one or all certificates in the list.

1. On the Certificate Manager's Agent Services page, click Revoke Certificates, specify search criteria, and click Find to display a list of certificates.

For details of how to specify criteria, see "Basic Certificate Listing" and "Advanced Certificate Search".

2. On the Search Results form, find the certificate you want to revoke.

If the certificate you want to see is not shown, scroll to the bottom of the list, specify an additional number n, and click Find. The system displays the next n certificates that match your original search criteria.

3. Click the Revoke button next to the certificate that you want to revoke.
4. Confirm the revocation in the resulting form (see "Confirming a Revocation").

1. On the Certificate Manager's Agent Services page, click Revoke Certificates, specify search criteria, and click Find to display a list of certificates.

For details of how to specify criteria, see "Basic Certificate Listing" and "Advanced Certificate Search".

2. On the Search Results page, scroll to the bottom to reach the "Revoke ALL n Certificates" button. The number shown in the button is the total number of certificates returned by the search. Note that this is usually a larger number than the number of certificates displayed on the current page.
3. Verify that all of the certificates returned by the search should be revoked (not just those displayed on the current page).
4. Click "Revoke ALL n Certificates" at the bottom of the form.
5. Confirm the revocation in the resulting form (see "Confirming a Revocation").

Confirming a Revocation
When you have requested the revocation of one or more certificates, the Certificate Revocation Confirmation form appears.

1. Inspect the details of the certificate and verify that it is the one you want to revoke. If you are revoking more than one certificate, the form shows details of all the listed certificates.
2. Select a reason for the revocation. The reason applies to all the listed certificates.
3. Optionally, enter any additional comment. The comment will be included in the revocation request.
4. Click Submit.

Updating the CRL
Normally, when you revoke a certificate, the CRL is automatically updated. If you are using Certificate Management System with an LDAP directory server, the CRL in the directory is updated automatically.

1. Go to the Certificate Manager Agent Services page (see Accessing Agent Services). You must submit the proper client certificate to get access to this page.
2. Click Update Revocation List to display the form for updating the CRL.
3. Select the algorithm that you want to use to sign the new CRL.

• MD5 with RSA generates a 128-bit message digest. Most existing software applications that handle certificates support only MD5. This is the default algorithm.
• SHA-1 with RSA generates a 160-bit message digest. Before choosing SHA-1 with RSA, make sure your applications support it. Netscape Navigator 3.0 (or later) and Enterprise Server 2.01 (or later) support SHA-1.
• SHA-1 with DSA generates a 160-bit message digest. Before choosing SHA-1 with DSA, make sure your applications support it. Communicator 4.0 (or later) and Netscape server products with a version number greater than 4.0 support it.

Before selecting an algorithm, make sure that Certificate Management System has the algorithm enabled. Your CMS administrator can let you know whether this is the case.

4. To examine CRL before updating it, click Display.

The CRL appears in the browser window. You can, for example, check whether a particular certificate appears in the list. Use the browser's Back button to return to the Update page.

5. To update the CRL with the latest certificate revocation information, click Update.