As an agent, you can approve a certificate request. If the request was made directly to the Certificate Manager, it issues the certificate; if the request was made through a Registration Manager, the Registration Manager passes the approved request on to the Certificate Manager for issuance. Before approving a request, you can assign it to yourself, adjust the attributes of the request, and verify that it will result in a valid certificate. To do these things, use the Request Details form that appears when you examine a selected request (as described in "Selecting a Request"). If you want to reject or cancel the request, see "Other Options for Handling Requests."

The approval and issuing process has the following stages:
Assigning a Request
Before acting on a request, you can assign it to yourself. Assignment is not required; any agent can act on an unassigned request. When a request is assigned to a particular agent, all agents can examine that request, but only the assigned agent can act on it. When a request is assigned to another agent, however, you can choose to reassign it to yourself in order to act on it.
When you view the details of an unassigned request, you can click "assign to me" to assign it to yourself. The request is immediately assigned to you, and the Request Details page reflects the assignment. If you leave the page without approving, rejecting, or canceling the request, the request remains in the queue with the status of Pending, but it is assigned to you.
Adjusting, Verifying, and Approving a Request
Before you verify and approve a request, you can adjust some of the parameters, such as the subject name and validity period.
To adjust, verify, and approve a certificate request:
Select the certificate request from a list of requests, as described in "Selecting a Request."
In the Service Request form, check the Assigned To prompt to see if the certificate request is assigned to you.
To change the subject name, enter a new value in the Subject Name field.
For example, you might need to change the subject name to prevent duplications or to correct spelling errors. Nothing prevents you from issuing many different certificates with the same subject name. However, in current versions of Netscape software (Netscape Navigator, Netscape Communicator, and Netscape servers), you cannot install more than one certificate with a particular subject name.
If you want to change the validity period, you can set the dates directly using the menus for start and end times, or you can select a predefined period from the "Length of validity period" menu. Making a selection from the "Length of validity period" menu sets the "Not valid after" date based on the "Not valid before" date and your selection.
Use the Extensions section to specify Netscape certificate type bits that you want to be set in the issued certificate.
If you want to add extensions other than Netscape cert type extensions, you can paste a base-64 encoding of the extension in the "Additional Extensions" field.
If you want the certificate to be signed using a signature algorithm other than the default, choose an alternative from the "Signature algorithm" drop-down list.
Review the unauthenticated request attributes. These attributes were submitted by the end entity with the enrollment request. Since these attributes do not come from a trusted source (such as an authentication module in the CMS server), they are "unauthenticated." Your site policies may or may not require agents to review or validate any of these attributes.
Review the authenticated attributes. These attributes were generated in the CMS server by authentication or policy plug-in modules. They are considered authenticated since they have been validated by or have originated in the CMS server itself.
If the certificate request is for an SSL client certificate for a CMS manager or a CMS agent, you should indicate this in the last section, labeled Privileges.
To approve the request and issue the certificate, open the drop-down menu at the bottom of the page, choose "Accept this request," then click Do It.
If the certificate conforms to policy, a page containing the new certificate appears. It includes instructions on how to help the certificate requester install the new certificate.
Note. If, after verifying or attempting to issue the certificate, you receive the error message "The requested signature algorithm is not enabled," check with your CMS administrator to make sure that the signature algorithm you selected in Step 7 is supported.
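The Extensions step above lets you set Netscape certificate type bits, and the "Additional Extensions" field accepts a base-64 encoded extension. The following added example (not part of this guide or of the CMS product) builds that encoding for a chosen set of Netscape cert type bits and parses one back, so an agent can check what a pasted blob actually asks for before approving. It assumes the field expects the base-64 DER of a complete X.509 Extension structure; the bit numbering and OID 2.16.840.1.113730.1.1 are the standard Netscape definitions.

```python
import base64
# Netscape certificate type bit numbers, counted from the most significant bit
# of the BIT STRING's first content byte (X.690 numbering). Bit 4 is reserved.
NS_CERT_TYPE_BITS = {"ssl_client": 0, "ssl_server": 1, "smime": 2, "object_signing": 3,
                     "ssl_ca": 5, "smime_ca": 6, "object_signing_ca": 7}
NS_CERT_TYPE_OID = "2.16.840.1.113730.1.1"

def der_tlv(tag, content):
    """Short-form DER tag/length/value; sufficient for this small extension."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def der_read(buf):
    """Split one short-form DER element off buf: (tag, content, remainder)."""
    if buf[1] & 0x80:
        raise ValueError("long-form length not expected in this extension")
    return buf[0], buf[2:2 + buf[1]], buf[2 + buf[1]:]

def encode_ns_cert_type(names):
    """Base-64 DER of Extension { OID, OCTET STRING { BIT STRING } } for the named bits."""
    value = sum(0x80 >> NS_CERT_TYPE_BITS[n] for n in set(names))
    # DER trims trailing zero bits of a named bit list and records them as unused.
    unused = (value & -value).bit_length() - 1 if value else 0
    bits = der_tlv(0x03, bytes([unused, value]) if value else b"\x00")
    ext = der_tlv(0x30, der_oid(NS_CERT_TYPE_OID) + der_tlv(0x04, bits))
    return base64.b64encode(ext).decode("ascii")

def decode_ns_cert_type(b64):
    """Parse such an extension back and return the set of names whose bits are set."""
    _, body, _ = der_read(base64.b64decode(b64))
    tag, oid, rest = der_read(body)
    if tag != 0x06 or der_tlv(0x06, oid) != der_oid(NS_CERT_TYPE_OID):
        raise ValueError("not a Netscape certificate type extension")
    tag, octets, rest = der_read(rest)
    if tag == 0x01:                      # skip the optional 'critical' BOOLEAN
        tag, octets, rest = der_read(rest)
    _, bits, _ = der_read(octets)        # the BIT STRING inside the OCTET STRING
    value = bits[1] if len(bits) > 1 else 0
    return {n for n, pos in NS_CERT_TYPE_BITS.items() if value & (0x80 >> pos)}
```

Decoding a pasted blob before approval confirms that a request for an SSL client certificate does not quietly carry CA bits.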
Sending an Issued Certificate to the Requester
When the Certificate Manager has issued a certificate in response to a request, the user who requested it must receive a copy of it to install locally. End users install their own certificates in their client software. Server administrators install their servers' certificates in the servers that they manage.
Depending on how your Certificate Management System is configured, an end user who requests a certificate might receive automatic email notification of the success of the request; this email message contains either the certificate itself or a URL from which the user can get the certificate. In this case, you need not take any further action.
If your system is not configured for automatic certificate-issuance notification, or if the requester is a server administrator, you must either send the issued certificate to the requester or ask the requester to pick it up from the Certificate Manager's end-entity gateway.
Figure 2.2 shows a web page containing a new certificate. (This is the page you receive in response to the command "Issue this certificate," as described in Step 11 in "Approving Requests.") Before you issue the certificate, you should copy the requester's email address.
Figure 2.2    A newly issued certificate page
To copy and mail a new server certificate to the requester, follow these steps:
Open a new email message composition window and address it to the requester.
From the Agent Services window where the new certificate is displayed, copy only the base-64 encoded certificate. Be sure to include the marker lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
Paste the base-64 encoded certificate into the addressed email message and send the message.
To deliver a new client certificate to the requester, note the serial number of the request you approved, then follow these steps:
Go to the Agent Services gateway, click List Requests in the left frame, enter the serial number for the request that you approved, and click Find.
In the Request Queue form, click Details beside the relevant request, then right-click the certificate serial number and choose Open Frame in New Window from the pop-up menu.
In the new browser window containing the certificate, copy the URL from the Location or Netsite field.
Open a new email message composition window and address it to the requester.
Paste the URL into the body of the message, along with instructions to the effect that the user should go to that URL and click the Import button at the bottom of the page.
Alternatively, you can include the URL for the Agent Services gateway in the email message instead, along with the certificate serial number, and instruct the user as follows:
Click the Retrieval tab. The List Certificates form should appear.
Enter the serial number of the certificate in both serial number fields.
Click Find.
When the Search Results form appears, click Details.
When the certificate appears, scroll down to the bottom of the form and click Import Certificate.