Netscape Certificate Management System Installation and Deployment Guide:


Index


A
Administration Server
  and demo 80
  NT setup 148
  Unix setup 145
administrator/agent, initial enrollment 93-95, 224-226
agent enrollment 228-229
authentication
  client, with Enterprise Server 3.x 289-307
  decisions for deployment 136
authentication modules 29-30, 30-43, 55-56, 74
authorityKeyIdentifier 254, 274, 281

B
basicConstraints 255, 281

C
CA decisions, for deployment 127-131
  CA renewal 130-131
  distinguished name 127
  extensions 129-130
  root versus subordinate 129
  signing certificate 128
  signing key 128
CA signing certificate 128
  configuration of 153-156, 166-??
CEP 44-45, 46, 50, 74
certificateIssuer 277
certificate life-cycle management 33, 48-53, 62
Certificate Management System (CMS)
  access to subsystems 50
  architecture 70-74
  command-line utilities 68-70
  identifier 145, 148
  overview of 22-29
  servlets 29
  standards supported by 74-76
Certificate Manager
  configuration of 151-157
  Data Recovery Manager and 122-127
  Data Recovery Manager and Registration Manager and 124-127
  demo and 81
  features of 62
  installed by itself 119-120
  introduced 24
  Registration Manager and 120-121
certificatePolicies 256
certificates
  Certificate Manager 134
  Data Recovery Manager 135
  extensions for 245-282
  for subsystems, summarized 133-135
  installing 283-287
  life-cycle management 48-53
  management formats and protocols 74-75
  Registration Manager 135
  SSL server, for CMS subsystems 134
  X.509 specification 76
cipher suites for export 313
client authentication, with Enterprise Server 3.x 289-307
CMC 75
CMMF 75
CMS. See Certificate Management System, Cryptographic Message Syntax
CMS instances
  ports and 137-139
  server groups and 118, 137-139
command-line utilities 68-70
configuration directory
  demo and 80
  NT setup 146, 147-148
  Unix setup 144
configuration directory server
  Unix setup 142
conventions used in this book 15
cRLDistributionPoints 257
CRLNumber 274
CRLs
  Certificate Manager support for 63
  extensions for 273-278
CRMF 74
Cryptographic Message Syntax (CMS) 75

D
database, internal CMS 81
Data Recovery Manager
  Certificate Manager and 122-127
  Certificate Manager and Registration Manager and 124-127
  configuration of 159-164
  features of 64
  introduced 24
  recovery agents for 163-164
  transport certificate 159-162
deltaCRLIndicator 275
demo 77-113
  first user certificate for 93-95
  installation of 77-113
  Installation Wizard and 89-93
  overview of 80-84
  passwords for 83-84
  port numbers for 82
  software installed for 82
  using 95-113
  using an LDAP directory with 103-113
  verifying installation 96-101
deployment planning 117-139
  authentication decisions 136
  CA decisions 127-131
    CA renewal 130-131
    distinguished name 127
    extensions 129-130
    root versus subordinate 129
    signing certificate 128
    signing key 128
  certificate decisions
    Certificate Manager 134
    Data Recovery Manager 135
    Registration Manager 135
  enrollment scenarios 33-47
  firewall considerations 34
  hardware token decisions 131-??
  LDAP publishing decisions 132-133
  policy decisions 136-137
  port assignments 137-139
  SSL server certificate decisions 134
  storage key 135
  subsystem certificate decisions 133-135
  topology decisions 118-127
distinguished name (DN)
  for CA 127, 128
  for CA signing certificate 154
  for Data Recovery Manager transport certificate 160
  for Registration Manager signing certificate 159
downloading certificates 283-287
DSA 128

E
end entities
  enrollment, steps in 30-32
  enrollment scenarios for 33-47
  forms for 52
  life-cycle management and 48-53
enrollment, initial administrator/agent 224-226
enrollment scenarios 33-47
  custom authentication, customer database 36
  custom authentication, Kerberos 40-41
  firewall considerations 34
  manual authentication 38-39
  PIN-based authentication 42-43
  routers 46-47
  VPNs 44-45
Enterprise Server 3.x, using SSL with 289-307
event-driven notifications 61
export control information 309-313
extensions 245-282
  adding to certificates 280
  authorityKeyIdentifier 254, 274, 281
  basicConstraints 255, 281
  CA certificates and 155-156, 280-282
  CAs and 129-130
  certificateIssuer 277
  certificatePolicies 256
  CMS policy modules for 58
  cRLDistributionPoints 257
  CRLNumber 274
  deltaCRLIndicator 275
  extKeyUsage 259
  holdInstructionCode 277
  invalidityDate 278
  issuerAltName 261, 276
  issuingDistributionPoint 276
  keyUsage 262
  nameConstraints 265
  netscape-cert-type 279, 281
  netscape-comment 280
  Netscape-defined 278-282
  policyConstraints 267
  policyMappings 268
  privateKeyUsagePeriod 269
  reasonCode 278
  recommendations for usage 247-251
  SSL server certificate 169-170
  subjectAltName 270
  subjectDirectoryAttributes 271
  subjectKeyIdentifier 272
  transport certificate 161
  X.509 certificate, summarized 251-273
  X.509 CRL, summarized 273-278
extKeyUsage 259

F
FIPS PUBS 140-1 75
firewalls 34
fonts used in this book 15

G
gateway
  agent, for demo 92
  end user, for demo 92

H
hardware requirements for CMS installation 78
hardware token decisions, for deployment 131-??
holdInstructionCode 277

I
installation 171-229
  additional instances 227
  demo 77-113
    first user certificate for 93-95
    Installation Wizard and 89-93
    NT installation script for 87-89
    overview of 80-84
    passwords for 83-84
    Unix installation script for 85-87
    using 95-113
    verifying 96-101
  hardware requirements 78
  location of
    NT setup 145
    Unix setup 142
  overview 172
  port considerations 137-139
  software requirements 78
  Solaris requirements 78, 80
  system requirements 78-80
  Windows NT requirements 79
  wizard 180-222
  worksheet 141-170
installation script
  information requested by 142-149
  NT
    complete instructions 177-180
    running for demo 87-89
    worksheet for 145-149
  Unix
    complete instructions 174-177
    running for demo 85-87
    worksheet for 142-145
Installation Wizard
  initial configuration steps 149-151
  procedures for using 180-223
  running for demo 89-93
installing certificates 283-287
instances, CMS
  agents for additional 228-229
  creating additional 227
internal CMS database 81
invalidityDate 278
IP addresses, and port assignments 139
issuerAltName 261, 276
issuingDistributionPoint 276

J
Java/JNI 73
JDK 1.1.6 73
job scheduler 61
JSS 73

K
KEYGEN tag 76
key length 128
keyUsage 262

L
LDAP 76
LDAP directory
  configuration, demo and 80
  DN pattern for authentication 104
  internal CMS database, demo and 81
  publishing decisions 132-133
  testing authentication with 103-113

M
migrating from Certificate Server 1.x 152-153, 164-165, 231-243

N
nameConstraints 265
netscape-cert-type 279, 281
netscape-comment 280
Netscape Console
  demo and 80
  starting Installation Wizard from 180
notifications, event-driven 61
NSS 73

P
PKCS #10 76
PKCS #11 71-73, 76
PKCS #7 76
PKI. See distinguished name (DN).
PKI. See installation script.
PKI. See Public-Key Infrastructure.
PKIX 75
policyConstraints 267
policyMappings 268
policy modules 29-32, 56-60
  decisions for deployment 136-137
port numbers
  assignment of 137-139
  for demo 82
  IP addresses and 139
privateKeyUsagePeriod 269
Public-Key Infrastructure (PKI) 23

R
reasonCode 278
Registration Manager
  Certificate Manager and 120-121
  Certificate Manager and Data Recovery Manager and 124-127
  configuration of 157-159
  features of 62
  introduced 24
root versus subordinate CA 129
RSA 128

S
server certificate 167-170
server groups 118
servlets, CMS 29
setup script 113
signing algorithms 63
signing certificate
  CA 128, 153-157, 166-??
  Registration Manager 157-159
signing key, for CA 128
single sign-on password 170
software requirements for CMS installation 78
Solaris
  requirements for installation 80
Solaris requirements for installation 78
SSL 76
  cipher suites approved for export 313
  server certificate 167-170
  using with Enterprise Server 289-307
storage key, for Data Recovery Manager 135
subjectAltName 270
subjectDirectoryAttributes 271
subjectKeyIdentifier 272
subject name 141
subsystem certificate decisions 133-135
subsystem certificate decisions, for deployment
  Certificate Manager 134
  Data Recovery Manager 135
  SSL server 134
system requirements for CMS installation 78-80

T
terms used in this book 15
topology decisions, for deployment 118-127
transport certificate, for Data Recovery Manager 159-162
typestyles used in this book 15

U
user/group directory
  NT setup 146
user/group directory server
  Unix setup 143
utilities, command-line 68-70

W
Windows NT, requirements for installation 79

X
X.509 certificates 76
 

Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.