Netscape Certificate Management System Installation and Deployment Guide: Default Demo Installation


Chapter 2 Default Demo Installation

This chapter describes how to set up a simple installation that demonstrates the basic capabilities of a Certificate Manager with an integrated Registration Manager. It is intended for administrators who are already familiar with PKI concepts. An experienced administrator should be able to install and set up the default demo in less than an hour, then use it to try out basic Netscape Certificate Management System procedures.

This chapter describes how to install a Certificate Manager for demonstration purposes only. The steps described require that you accept most of the default values suggested at each stage of installation and configuration. Before you attempt to install more sophisticated pilots or a full-scale deployment, you should read Chapter 3, "Planning Your Deployment," and the chapters that follow.

This chapter has the following sections:

  • "System Requirements"
  • "Overview of the Default Demo"
  • "Installing the Default Demo"
  • "Using the Default Demo"

System Requirements
This section summarizes the basic software and hardware requirements for any machine on which you intend to install Certificate Management System instances and related software:

Operating System and Software Required

Operating systems supported:

Other required software:

Platform Requirements

Each platform has slightly different requirements. In addition to the requirements listed below, make sure you have ample swap space or virtual memory allocated for the system on which you intend to install Certificate Management System.

UNIX Platform Requirements

RAM: 128 MB (recommended)

Hard disk storage space of approximately 250 MB total, broken down as follows:

Windows NT Platform Requirements

NT Service Pack 4 or 5

128 MB of RAM (recommended)

Pentium 166 or faster

Hard disk storage space of approximately 250 MB total, broken down as follows:

Other Requirements


Overview of the Default Demo
The default demo installation described in this chapter is intended to provide a quick, hands-on experience of the basic Certificate Management System interfaces. It is intended for demonstration purposes only and relies on a number of default settings that may not be appropriate for a mission-critical installation. Before you attempt to install more sophisticated pilots or a full-scale deployment, read Chapter 3, "Planning Your Deployment," and the chapters that follow.

The default demo installation includes the following Netscape software:

You use the main window of Netscape Console to perform basic tasks such as starting and stopping a server. To manage any server controlled by Netscape Console (in this case, just Directory Server and the Certificate Manager), first locate it on the left side of the main Netscape Console window, then double-click the icon to open a separate administrative window for that server.

Netscape Console uses the configuration directory for information on the locations and contents of server groups on the network. It also interacts with the Administration Server for each server group to perform some tasks, such as managing SSL encryption settings. However, to manage settings displayed in the Netscape Console window for a particular Certificate Management System instance, Netscape Console acts directly on a configuration file stored with that instance. (For more information about the configuration file, see Netscape Certificate Management System Administrator's Guide.)

As you proceed with the default demo installation and configuration, you will be asked to assign several port numbers, names, and passwords. Figure 2.1 shows the four main software elements of the demo and the port numbers and protocols they use for different purposes. Using the default ports for the end-entity URLs helps users because they will not need to remember port numbers: a browser connects to port 443 for an https:// URL and to port 80 for an http:// URL when no port is given. Note that on Unix, binding to these ports (and to 389) requires root privileges.

Figure 2.1 Software installed and port numbers assigned for the default demo

You will also be asked to provide additional information, such as the name of each server instance to be installed, the names and passwords of various types of administrators, and information related to the CA signing certificate and SSL server certificate that the Certificate Manager must have available before it can begin operation.

To keep things simple for the default demo, most of the information requested during installation is set either to a default or to some arbitrary, convenient value. Before you attempt to install more sophisticated pilots or a full-scale deployment, you should read Chapter 3, "Planning Your Deployment," and the chapters that follow to determine the precise names and settings that are appropriate for your situation.

Another difference between the default demo and more sophisticated installations is that the Directory Server instance, in addition to providing both the configuration directory and the user directory, is also used to publish and test certificates you issue with the Certificate Manager instance. In a real-world deployment, the Directory Server instance used for configuration and for users is unlikely to be used for publishing.

Demo Passwords

The demo that you install is a real CA that can issue certificates. Even if you plan to remove it after testing, you should maintain the security of the demo system. For this reason, the installation procedure does not give specific passwords for each administrative user. However, to avoid confusion, the passwords that you will need are identified here and are later referred to by this identification. If you make a list of the passwords you decide on, be sure to keep the list secure.

You will need to provide the following passwords during the installation process:

<admin password>
Administrator for both Administration Server and its configuration directory. Use this password to start Netscape Console and the Installation Wizard.
<dir mgr password>
Manager for the configuration directory. (This password must be at least eight characters.)
<intdb password>
Administrator for the CMS internal database (an instance of Directory Server). This password is kept and protected in a special cache that you access with the <single-signon password>.
<CMS password>
CMS administrator. Use this password to access Netscape Console's CMS window.
<token password>
Password for the CMS key database. This password is kept and protected in a special cache that you access with the <single-signon password>.
<single-signon password>
This password protects the <intdb password> and <token password>. Use this password to start Certificate Management System.


Installing the Default Demo
The installation script installs and starts an Administration Server and a Directory Server; the process is slightly different for Windows NT and Unix systems. The Installation Wizard, which is the same on both systems, installs Certificate Management System itself and creates the system's certificates. When you have finished installing the files, you start Certificate Management System and enroll for the initial administrator-agent certificate, which you then use to verify that the system is properly installed and functions correctly.

The steps of this installation procedure are described in the following sections:

  • "Step 1. Run the Installation Script - Unix" (or "Step 1. Run the Installation Script - Windows NT")
  • "Step 2. Run the Installation Wizard"
  • "Step 3. Get the First User Certificate"
Step 1. Run the Installation Script - Unix

These instructions assume that you have the initial distribution of Certificate Management System available, either on a CD or on your hard disk.

If you are using a Windows NT system, see "Step 1. Run the Installation Script - Windows NT."

To run the installation script, change to the distribution directory (where you have downloaded the distribution files) and execute the file setup.

In the instructions that follow, the question that appears at the bottom of each setup screen is in boldface, followed by the action you should take.

  1. Would you like to continue with setup? [Yes]: Press Enter.
  2. Do you agree to the license terms? [No]: Type yes and press Enter.
  3. Select the items you would like to install [1]: Press Enter.
  4. Server root [/usr/netscape/server4]: Press Enter to accept the default server root directory. (If you are not installing as root, you probably will not have permission to create directories in /usr so you will have to choose another location.)
  5. Specify the components you wish to install [All]: Press Enter to accept the default.
  6. Specify the components you wish to install [1,2,3]: Press Enter to accept the default server product components.
  7. Specify the components you wish to install [1,2]: Press Enter to accept the default Directory Suite components.
  8. Specify the components you wish to install [1,2]: Press Enter to accept the default Administration Services components.
  9. Specify the components you wish to install [1, 2]: Press Enter to accept the default CMS components.
  10. Computer name [myhost.mydomain.com]: Press Enter to install on the local machine.
  11. System User [nobody]: Enter the user that the configuration/user Directory Server process will run as. Where your system supports it, accept the default user, nobody, creating that user as necessary.
  12. System Group [nobody]: Enter the group that the configuration/user Directory Server process will run as. Where your system supports it, accept the default group, nobody, creating that group as necessary.
  13. Do you want to register this software with an existing Netscape configuration directory server? [No]: Press Enter to install a new configuration directory.
  14. Do you want to use another directory to store your data? [No]: Press Enter to use the new configuration directory as your user/group directory.
  15. Directory server network port [389]: Press Enter to accept the default, 389. If you are not installing as root or if 389 is in use, the default will be a random number; you may want to change this number to something easy to remember, such as 38989.
  16. Directory server identifier [myhost]: Type configdir as the unique identifier for the configuration directory, and press Enter.
  17. Netscape configuration directory server administrator ID [admin]: Press Enter to accept the default, then enter the <admin password>.
  18. Suffix [o=mydomain.com]: Press Enter to accept the default.
  19. Directory Manager DN [cn=Directory Manager]: Press Enter to accept the default, then enter the <dir mgr password>.
  20. Administration Domain [mydomain.com]: Press Enter to accept the default.
  21. Administration port [random #]: Type 4444 and press Enter.
  22. Run Administration Server as [root]: Press Enter to accept the default.
  23. Netscape Certificate Management System Server identifier [localhost]: Type cmsdemo and press Enter. After the script copies the files and updates the system, which may take a few minutes, press Enter to continue.
The first phase of the installation is now complete. The installation script has installed Netscape Console, installed and started an Administration Server and its configuration directory, and copied the files for Certificate Management System. You are now ready to configure the Certificate Management System instance by running the Installation Wizard.

Step 1. Run the Installation Script - Windows NT

These instructions assume that you have the initial distribution of Certificate Management System available, either on a CD or on your hard disk.

If you are using a Unix system, see "Step 1. Run the Installation Script - Unix."

To run the installation script, open the distribution directory for the system software you are using and double-click the file setup.exe.

In the instructions that follow, the name that appears in the title bar of each setup screen is in bold, followed by a description of the action you should take.

  1. Welcome. Click Next.
  2. Software License Agreement. Click Yes.
  3. Select Server or Console Installation. Leave the default setting (Netscape Servers) selected and click Next.
  4. Choose Installation Directory. Leave the default setting (C:\Netscape\Server4) selected and click Next.
  5. Select Products. Leave all four components selected and click Next.
  6. Directory Server 4.12. Leave the default setting ("This instance will be the configuration directory server") selected and click Next.
  7. Directory Server 4.12. Leave the default setting ("Store data in this directory server") selected and click Next.
  8. Directory Server 4.12 Server Settings. Type the following values, then click Next:
    Server identifier: configdir
    Server port: Accept the default, which should be 389
    Suffix: Accept the default, which should be your company's domain name, in the form o=mydomain.com.

  9. Directory Server 4.12 Netscape Configuration Directory Server Administrator. Type the following values, then click Next:
    Configuration Directory Administrator ID: admin
    Password: <admin password>
    Password (again): <admin password>

  10. Directory Server 4.12 Administration Domain. Accept the default, which should be your company's domain name, in the form mydomain.com, and click Next.
  11. Directory Server 4.12 Directory Manager Settings. Type the following values, then click Next:
    Directory Manager DN: cn=Directory Manager
    Password: <dir mgr password>
    Password (again): <dir mgr password>

  12. Administration Server Port Selection. Type the value 4444 and click Next.
  13. Netscape Certificate Management System Server identifier. Type the value cmsdemo and click Next.
  14. Configuration Summary. Click Next.
  15. Setup. At this point, the installation script extracts and installs the binaries for all of the servers in the server root directory and creates and starts instances of the Administration Server and Directory Server. This process may take a few minutes.
  16. Setup Complete. Leave the default setting ("Restart my computer now") and click Finish.
The first phase of the installation is now complete. The installation script has installed Netscape Console, installed and started an Administration Server and its configuration directory, and copied the files for Certificate Management System. You are now ready to complete the installation of Certificate Management System by running the Installation Wizard.

Step 2. Run the Installation Wizard

To begin running the Installation Wizard, follow these steps:

  1. Start Netscape Console.
  2. Log in as admin, giving the password <admin password>. If the Administration URL is not filled in, enter http://<myhost>:4444/ (this is a plain HTTP URL, so the <admin password> crosses the network unencrypted; for the demo, run Netscape Console on the server host itself or on a trusted network). The main window of Netscape Console appears.
  3. In the navigation tree at the left, open your computer, then open Server Group.
  4. Select cert-cmsdemo.
  5. In the Netscape Certificate Management System panel at the right, click Open. After a few moments, the Installation Wizard appears. You use the wizard to get the initial certificates and set the initial configuration for this demo instance of Certificate Management System.

In the instructions that follow, the panel title that appears below the title bar for each screen is in boldface, followed by the action you should take.

  1. Introduction. Click Next.
  2. Internal Database. Type the following values, then click Next:
    Instance ID: Accept the default (cmsdemo-db).
    Port number: Accept the default (38900).
    Directory Manager DN: cn=internal directory manager
    Password: <intdb password>
    Password (again): <intdb password>

    At this point the system creates the internal database, which can take some time.

  3. Administrator. Type the following values, then click Next:
    Administrator ID: CMSadmin
    Full name: Accept the default value.
    Password: <CMS password>
    Password (again): <CMS password>

  4. Subsystems. Click Next to accept the default selection (Certificate Manager only).
  5. Remote Data Recovery Manager. Click Next to accept the default selection (No). At this point the system configures the internal database, which can take some time.
  6. Network Configuration. Select the Enable checkbox to enable the non-SSL end-entity gateway, then accept the default values listed below. If one of the default ports is unavailable, a different, randomly selected port will appear in the form.
    SSL administration port: 8200
    SSL agent port: 8100
    SSL end-entity port: 443
    Enable: Select this checkbox to enable the non-SSL end-entity gateway.
    Non-SSL end-entity port: 80

  7. Server Migration from Certificate Server 1.x - Step 1. Click Next to accept the default selection (No).
  8. CA's serial number range. Click Next to accept the default (start at 0x1 with no upper limit).
  9. CA Signing Certificate. Click Next to accept the default selection (Create self-signed CA certificate).
  10. Key-Pair Information for Certificate Manager CA Signing Certificate. Type the following values, then click Next:
    Token: Accept the default value (Internal).
    Password: <token password>
    Password (again): <token password>
    Key type: Accept the default value (RSA).
    Key length: Select 1024 and leave the custom key-length field blank. (1024-bit RSA and SHA-1 were the strongest choices this wizard offered; neither is adequate for a production CA today.)

  11. Message Digest Algorithm. Click Next to accept the default (SHA1).
  12. Subject Name for Certificate Manager CA Signing Certificate. Type the following values, then click Next:
    Common name (CN=): Demo CA
    Organization Unit (OU=): CMS Demo
    Organization (O=): name of your company
    Locality (L=): name of your locality
    State (ST=): name of your state, province, or territory
    Country (C=): two-letter code for your country

  13. Validity Period for Certificate Manager CA Signing Certificate. Modify the year and month values of the "Expire on" date to allow a validity period of one month from the installation date, then click Next.
  14. Certificate Extensions for Certificate Manager CA Signing Certificate. Click Next to accept the default selections.
  15. Certificate Manager CA Signing Certificate Creation. Click Next.
  16. SSL Server Certificate. Click Next to accept the default selection (Sign SSL certificate with my CA signing certificate).
  17. Key-Pair Information for Server SSL Certificate. Change the Key length to 1024, accept the default values for the other fields, then click Next.
  18. Message Digest Algorithm. Click Next to accept the default (SHA1).
  19. Subject Name for SSL Server Certificate. Type the following values, then click Next:
    Common name (CN=): your local host name, in the form mymachine.mydomain.com
    Organization Unit (OU=): CMS Demo
    Organization (O=): name of your company
    Locality (L=): name of your locality
    State (ST=): name of your state, province, or territory
    Country (C=): two-letter code for your country

  20. Validity Period for SSL Server Certificate. Modify the year and month values of the "Expire on" date to allow a validity period of one month from the installation date, then click Next.
  21. Certificate Extensions for SSL Server Certificate. Click Next to accept the default selections.
  22. SSL Server Certificate Creation. Click Next. The generation of the certificate can take some time.
  23. Set Up Single Signon Password. Type the following values, then click Next:
    Single signon password: <single-signon password>
    Single signon password (again): <single-signon password>

  24. Configuration Status. Click Done. Certificate Management System starts automatically.

The installation and configuration of Certificate Management System is now complete, and the Certificate Manager is running.

The user interface of Certificate Management System is available through the web gateways whose ports you specified during installation. You can access them directly in a web browser by going to those ports using the appropriate protocol.

Step 3. Get the First User Certificate

After you complete configuration of Certificate Management System with the Installation Wizard, you must enroll for a certificate for the first agent. This is the first user certificate that Certificate Management System issues.

The initial user is both an administrator and an agent. This person can use Netscape Console to create additional agents with the appropriate user privileges and use Agent Services to issue them certificates. Since there is no agent yet to approve the request, a special enrollment form allows you to get this first certificate automatically.

After you submit this initial Administrator/Agent Certificate Enrollment form, it is automatically disabled, so that no one else can acquire a certificate without agent approval or some form of automated authentication. The system automatically adds the initial user to the list of agents.

Enrolling for the First Agent Certificate

To enroll for the first agent certificate, you should be working at the computer you intend to use as the agent, so that the new certificate will be installed in the browser you will be using to access the Agent Services pages. Follow these steps:

  1. Open a web browser window.
  2. Go to the URL for the SSL agent port (8100). For example:

    	https://myhost.mydomain.com:8100

    The first time you access this port, the system opens the Administrator/Agent Certificate Enrollment form.

    Because you have accessed an SSL port, Certificate Management System presents its SSL server certificate to your browser for authentication. This is the SSL server certificate that you just created during installation. Because you just created it, it is not on your list of trusted certificates. A series of dialog boxes now appears that lets you add the CMS server certificate to your list of trusted certificates. Before you accept it, confirm that the subject name (your host name, OU=CMS Demo), the issuer (CN=Demo CA) and the one-month validity period match the certificate you created in the wizard; a certificate that differs is not the one you made.

  3. Complete the dialog boxes as instructed (the exact procedure depends on the browser you are using).
  4. In the Administrator/Agent Certificate Enrollment form, enroll for a client SSL certificate as the system's first privileged user by entering the following information:

    Authentication Information

    User ID: CMSadmin
    Password: <CMS password>

    Subject Name

    Full name: CMS Administrator
    Login name: CMSadmin
    Email address: your email address
    Organization unit: CMS Demo
    Organization: name of your company

    User's Key Length Information

    Key Length: Select 1024 (High Grade)

    Note that the validity period of this initial agent certificate is hard-coded as one year.

  5. Click Submit.
  6. Follow the instructions your browser presents as it generates a key pair.
  7. If authentication is successful, the new certificate will be imported into your browser. You should make a backup copy of the certificate. Because the backup also contains the agent's private key, protect it with a strong password and keep it off the network.

Now you have a client authentication certificate in the name CMS Administrator. This special user name, which you specified as the initial administrator for Certificate Management System during installation, has now been designated as the first agent. The certificate you just created allows you to access the Agent Services pages. As an agent, you can approve enrollment requests and start issuing new certificates. To access the CMS windows in Netscape Console, you use the CMS administrator user ID and the CMS password.
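The browser dialogs in step 2 ask you to trust a certificate you cannot yet validate, because the demo CA is self-signed. The following added example (not part of this guide and not Netscape code) shows the check a practitioner makes before clicking through: fetch the leaf certificate the agent port presents, deliberately without chain validation, and compare its SHA-256 fingerprint in constant time against a value recorded out of band on the server host. HOST, AGENT_PORT, EXPECTED_FINGERPRINT and the function names are this example's own placeholders and assumptions; how you obtain the fingerprint on the server side is not shown here.

```python
"""Pin the demo Certificate Manager's SSL server certificate on first contact.

Added example for this guide; not Netscape code. Assumes the agent gateway
listens on HOST:AGENT_PORT and that EXPECTED_FINGERPRINT was recorded out of
band on the server host (all three are placeholders to replace).
"""
import hashlib
import hmac
import ssl

HOST = "myhost.mydomain.com"       # assumption: demo host name used in the guide
AGENT_PORT = 8100                  # SSL agent port chosen in the Installation Wizard
# Assumption: SHA-256 fingerprint recorded on the server; replace before use.
EXPECTED_FINGERPRINT = "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:" \
                       "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99"


def fetch_server_cert_der(host: str, port: int) -> bytes:
    """Return the DER encoding of the leaf certificate the server presents.

    ssl.get_server_certificate() performs no chain validation, which is the
    point: the demo CA is self-signed and not yet trusted, so a verifying
    connection would fail. Nothing fetched here may be trusted until it has
    been compared with the out-of-band fingerprint.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form browsers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp: str) -> str:
    """Accept upper or lower case, with or without colons or spaces."""
    return fp.replace(":", "").replace(" ", "").upper()


def matches_expected(der: bytes, expected_fp: str) -> bool:
    """Compare observed and recorded fingerprints without leaking timing."""
    return hmac.compare_digest(_normalize(fingerprint(der)),
                               _normalize(expected_fp))


def check_agent_port(host: str, port: int, expected_fp: str) -> tuple:
    """Fetch the certificate and decide whether the browser dialog may be accepted.

    Returns (ok, observed_fingerprint) so the operator can record a mismatch.
    """
    der = fetch_server_cert_der(host, port)
    return matches_expected(der, expected_fp), fingerprint(der)


if __name__ == "__main__":
    ok, observed = check_agent_port(HOST, AGENT_PORT, EXPECTED_FINGERPRINT)
    print(f"observed fingerprint: {observed}")
    print("matches recorded value: accept the certificate" if ok
          else "MISMATCH: do not accept; you may not be talking to the demo CA")
```

The check only catches a certificate substituted on the path between the browser host and the server; it says nothing about the server itself. Record the fingerprint on the server host before the first client connects, and re-record it whenever the SSL server certificate is renewed (the demo's expires after one month).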

If You Need the First Agent Form Again

After you submit the initial Administrator/Agent Certificate Enrollment form, it is no longer available from the agent port. If something goes wrong and you are unable to obtain the initial agent certificate, you must reset a parameter in the configuration file to make the initial Administrator/Agent Certificate Enrollment form available again. Follow these steps:

  1. In the left frame of Netscape Console, open cert-cmsdemo. The server requests your <CMS password>.
  2. Click the icon labeled Stop the Server.
  3. Go to the directory <server root>/cert-cmsdemo/config, open the file CMS.cfg in a text editor, and find the following line:

    agentGateway.enableAdminEnroll=false

  4. Change false to true, and save the file.
  5. Start the server from the CMS window where you stopped it. Alternatively, right-click on cert-cmsdemo in the left frame and choose Start Server. Enter your <single-signon password>.
  6. The next time you access https://myhost.mydomain.com:8100, the Administrator/Agent Certificate Enrollment form will be available again. Submit it promptly: while the form is enabled, anyone who reaches the agent port and knows the <CMS password> can obtain an agent certificate, and the form is disabled again only after it has been submitted.


Using the Default Demo
You have now performed a basic installation and can use the installed demo Certificate Manager to issue certificates. This section provides the following exercises with which you can test the installation and practice using the system:

  • "Verify the Installation": accessing the various web gateways and using the default versions of the forms to enroll for and issue a certificate.
  • "Create a Policy": configuring the Certificate Manager to reject certificate requests that do not use at least 1024-bit key lengths.
  • "Use an LDAP Directory": adding a user to the configuration directory you just installed and using directory-based authentication to enroll as that user.
  • "Publish Certificates in a Directory": publishing client certificates to the directory.
  • "Send Renewal Reminders": configuring the Certificate Manager to send out automatic renewal reminders to entities whose certificates will be expiring soon.
Verify the Installation

To verify that the installation is correct and complete, you will access each of the different gateways for the various user interface pages: the SSL and non-SSL end-user pages, and the Agent Services pages for the Certificate Manager. You will use each set of pages to perform a basic task.

In a real installation, you would probably not give users access to both gateways or to all the enrollment choices and other possible actions in the pages. You access both end-user gateways here simply for testing purposes, not because these particular actions need to be performed from these locations.

Viewing Issued Certificates From the Agent Gateway

  1. In a web browser window, use HTTPS to go to the URL for the SSL agent port that you specified. For example:

    	https://myhost.mydomain.com:8100

    Because this is an SSL connection, you are prompted to present your client SSL certificate for authentication. Choose the certificate you received on initial enrollment. The Agent Services entry page appears.

  2. Click Services Summary. The Services Summary page appears, giving you access to all the gateways.
  3. Click End Users Services. The Enrollment tab for the non-SSL end-entity gateway appears.
  4. Click the Retrieval tab. The form that appears is for the first option, List Certificates.
  5. Type 0x0 into the field labeled "Lowest serial number," then click Find to list the certificates that the Certificate Manager has issued so far. If you followed the instructions in this chapter exactly, you should see three certificates listed: the CA signing certificate (CN=Demo CA), the Certificate Manager SSL server certificate (CN=<your hostname>), and your initial agent certificate (CN=CMS Administrator). Any other certificate in this list was issued by someone else and should be investigated.
  6. Use the browser's Back button to go back to the Services Summary page. (For example, when using Communicator, press and hold the mouse button while it's over the Back button, then choose Index from the pop-up menu.)
Enrolling for a Certificate From the End-Entity Gateway

After following the previous procedure, your browser will be at the Services Summary page. Follow this procedure to submit an enrollment request through the end-entity gateway.

  1. Click SSL End-Users Services. The Enrollment tab for the SSL end-entity gateway appears.
  2. Use the Manual User Enrollment form that appears to enroll for a certificate. For Full Name, type the name User1, so you will recognize this certificate as distinct from your administrator's certificate. When you have finished filling it out, submit the form.
  3. Follow the instructions your browser presents as it generates a key pair. After the key pair has been generated, the Certificate Manager displays a notice that the certificate request has been submitted, including a request ID.
  4. Use the browser's Back button to go back to the Services Summary page. (For example, when using Communicator, press and hold the mouse button while it's over the Back button, then choose Index from the pop-up menu.)
Finding and Approving a Certificate Request

After following the previous procedure, your browser will be at the Services Summary page. Follow this procedure to approve the enrollment request you just submitted. This procedure will issue a certificate from the request that can be used as an agent certificate.

  1. Click Agent Services, then click Certificate Manager Agent Services. To access this page, your browser must present your client SSL certificate to authenticate your identity. If a dialog box appears requesting that you select a certificate, select the certificate name that begins with CMS Administrator. The first form for the Agent Services gateway appears: the List Requests form.
  2. Select "Show enrollment requests" for Request Type.
  3. Select "Show Pending Requests" for Request status, and then click Find. One request should be returned: the request you just made through the SSL end-user gateway, which is marked as pending.
  4. Click the Details button next to the pending request.
  5. Scroll down to the last section of the Request Details form, labeled Privileges.
  6. Select the checkbox labeled "This certificate is for a Certificate Manager agent," then type a user ID for the new agent. This user ID can be the same (User1) that you specified in the certificate request, or it can be some other ID that you want to use to identify this agent in the CMS window of Netscape Console, such as Agent1.
  7. At the bottom of the form, select "Accept this request" and click Do It. The certificate is issued immediately. The Request Details form is replaced by a form announcing that the certificate has been generated, along with its serial number.
  8. Click Show Certificate to view the new certificate. At the bottom of the page is a button labeled Import Your Certificate. Normally, you would mail this page to the requestor, or the Certificate Manager would mail the requestor an automatic notification containing the certificate and instructions.
  9. Since you made the request yourself from this computer, go ahead and click Import Your Certificate to import the certificate into your browser.
You have now designated User1 as an agent. Since you have already issued a certificate in the name of User1, you can now present that certificate to access the Agent Services pages. User1 is an agent, but not an administrator; as User1, you can manage certificate requests, but you cannot access Netscape Console's CMS window to configure the system.

Setting Your Browser to Use the Agent Certificate

To verify that the User1 certificate really can access the agent pages, you must first set your browser to use the User1 certificate to identify you to web sites. To do this in Communicator 4.x, for example, follow these steps:

  1. Click the Security button in the Navigation toolbar near the top of the window.
  2. Click Navigator in the left-hand frame.
  3. From the drop-down list labeled "Certificate to identify you to a web site," select your User1 certificate.
  4. Click OK.
Testing Your New Certificate

Clear the browser's cached security information so that it will ask for a new certificate when you view the agent gateway:

  1. Go to any other web page that is not part of Agent Services (such as http://home.netscape.com).
  2. Return to the Agent Services pages at the URL for the SSL agent port that you specified. For example:

     https://myhost.mydomain.com:8100

     You should be able to access the Agent Services pages without any difficulty, as long as you are using the same computer from which you requested and imported the User1 certificate.

Before you continue, you might want to try accessing the new installation from another computer and with a different login. Try enrolling for user certificates from there, using both the SSL and non-SSL end-user gateways. If you wish, you can also enroll for additional agent certificates. You will have to return to the computer from which you requested and imported your CMSAdmin and User1 certificates to access the Agent Services pages and approve the requests.

Create a Policy

Policies are rules that you define that are applied to requests before a certificate is issued. Certificate Management System provides configurable policies that allow you to enforce your organization's requirements for certificates. You can configure different policies to be applied to different requests based on criteria such as the type of request or which Registration or Certificate Manager received the request. You can find out more about policies in Chapter 16, "Introduction to Policy," in Netscape Certificate Management System Administrator's Guide.

In a real PKI deployment, you would probably formulate your policies before installing any software, and configure how the policies will be implemented before issuing any certificates. For this demonstration, you will implement a simple but very useful rule before you start issuing certificates.

You will create a policy that requires that all certificate requests use RSA key pairs that are 1024 bits or longer. This ensures that all of the certificates you issue meet a minimum level of security. Later, you will try to enroll for a certificate using a shorter key pair (512 bits) to show how the request is rejected automatically by the policy.

Policies do not always result in acceptance or rejection: they can also be used to modify certificate attributes such as the validity period or certificate extensions. In the "Create a Policy" exercise, you create a policy that will reject requests that do not have at least 1024-bit keys. In the "Use an LDAP Directory" exercise, you will try to enroll using a 512-bit key to see how the policy works.

Configuring an RSA Key Length Policy

  1. Start Netscape Console.
  2. Log in as admin, giving the password <admin password>.

     The main window of Netscape Console appears.

  3. In the navigation tree on the left, open your computer, then open Server Group.
  4. Select CMS (cert-cmsdemo).
  5. In the Netscape Certificate Management System panel at the right, click Open.
  6. Log in as CMSadmin, giving the password <CMS password>.

     Netscape Console's CMS window appears, showing the Tasks tab.

  7. In the CMS window, click the Configuration tab.
  8. In the navigation tree on the left, open the Certificate Manager folder and click Policies.
  9. From the list of policies in the Policy Rules Management tab, select RSAKeyRule (the second policy in the list), then click Edit/View.
  10. In the Policy Editor dialog box, provide the following information:

     minSize: 1024
     maxSize: 2048
     exponents: accept the default setting
     enable: true
     predicate: certType==client

     The predicate indicates that this policy will be applied to certificate requests for client certificates only. The minSize value sets the minimum allowed length for the RSA key pair used to generate the request; requests with shorter RSA keys will be rejected. The policy is turned on for all requests to this Certificate Manager by setting enable to true.

  11. Click OK to save the changes. The RSAKeyRule should now be listed as enabled in the Policy Rules Management tab.

That is all you need to do. The policy will now be enforced on all requests for client certificates. You will see how this policy works in the next part of the demonstration when you enroll for a client certificate.
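To make the rule's scope concrete, here is an added Python model of the RSAKeyRule as configured above; it is not CMS code. It assumes a request is represented by its certType, RSA modulus and public exponent, and the tuple of accepted exponents stands in for the "default setting" the page does not spell out.

```python
import re

# The RSAKeyRule as configured in this demo. minSize, maxSize, enable and
# predicate are the page's values; the exponents tuple is an assumption
# standing in for the "default setting" the page does not spell out.
RSA_KEY_RULE = {
    "minSize": 1024,
    "maxSize": 2048,
    "exponents": (3, 17, 65537),
    "enable": True,
    "predicate": "certType==client",
}

_CLAUSE = re.compile(r"^\s*(\w+)\s*==\s*(\S+)\s*$")


def predicate_matches(predicate: str, request: dict) -> bool:
    """Evaluate a predicate in the form the page shows, 'name==value'.

    Clauses joined with AND must all hold (an assumption beyond the single
    clause on the page); an empty predicate applies the rule to every request.
    """
    if not predicate.strip():
        return True
    for clause in re.split(r"\s+AND\s+", predicate):
        m = _CLAUSE.match(clause)
        if m is None:
            raise ValueError("unsupported predicate clause: %r" % clause)
        name, value = m.groups()
        if str(request.get(name)) != value:
            return False
    return True


def apply_rsa_key_rule(rule: dict, request: dict):
    """Return (accepted, reason) for one request.

    The request carries certType, the RSA modulus n and the public exponent e;
    the key length the rule checks is the bit length of n.
    """
    if not rule["enable"]:
        return True, "RSAKeyRule is disabled"
    if not predicate_matches(rule["predicate"], request):
        return True, "RSAKeyRule does not apply (predicate %s)" % rule["predicate"]
    bits = request["modulus"].bit_length()
    if bits < rule["minSize"]:
        return False, "Request Rejected: %d-bit RSA key is below minSize %d" % (bits, rule["minSize"])
    if bits > rule["maxSize"]:
        return False, "Request Rejected: %d-bit RSA key exceeds maxSize %d" % (bits, rule["maxSize"])
    if request["exponent"] not in rule["exponents"]:
        return False, "Request Rejected: public exponent %d is not accepted" % request["exponent"]
    return True, "RSAKeyRule satisfied by a %d-bit key" % bits


# Constructed requests: the moduli are synthetic numbers of the stated bit
# length, not real keys. The first two mirror the 512-bit and 1024-bit
# enrollments in "Use an LDAP Directory"; the third shows that a weak key in
# a request the predicate does not cover passes this rule untouched.
DEMO_REQUESTS = {
    "user2-512": {"certType": "client", "modulus": (1 << 511) | 1, "exponent": 65537},
    "user2-1024": {"certType": "client", "modulus": (1 << 1023) | 1, "exponent": 65537},
    "server-512": {"certType": "server", "modulus": (1 << 511) | 1, "exponent": 65537},
    "client-4096": {"certType": "client", "modulus": (1 << 4095) | 1, "exponent": 65537},
}


def check_demo_requests(rule=RSA_KEY_RULE):
    """Apply the rule to every demo request; returns {name: (accepted, reason)}."""
    return {name: apply_rsa_key_rule(rule, req) for name, req in DEMO_REQUESTS.items()}
```

Note that the server-512 request is not rejected: the predicate limits this rule to client certificates, so other certificate types need their own key-length rule.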

Use an LDAP Directory

To test using Certificate Management System with an LDAP directory, you will use Netscape Console's CMS window to enable directory-based authentication using the configuration directory that you installed with the demo. You will add a user (User2) to the directory, then enroll for a certificate as User2, using directory-based enrollment.

You will first try to enroll using 512-bit keys; the enrollment will fail because of the policy requiring 1024-bit keys. After you submit a new request with a 1024-bit key, Certificate Management System should authenticate the user information in the directory and issue the certificate automatically.

To use directory-based authentication to enroll entities, complete the three procedures that follow: enable directory-based authentication, add a user to the directory, and enroll with directory-based authentication.

Enable Directory-Based Authentication

To enable directory-based authentication for the Certificate Manager:

  1. If the CMS console window is not still open, start Netscape Console again (or go back to the main window) and open the window for CMS.
  2. In the CMS console window, select the Configuration tab, then select Authentication in the navigation tree.
  3. On the Authentication Instance tab, click Add.
  4. In the Select Authentication Plugin Implementation dialog box, select UidPwdDirAuth and click Next.
  5. In the Authentication Instance Editor dialog box, provide the following information:

     Authentication Instance ID: UserDirEnrollment
     dnpattern: cn=$attr.cn,c=US
     ldapStringAttributes: Leave blank
     ldapByteAttributes: Leave blank
     ldap.ldapconn.host: your host name
     ldap.ldapconn.port: 389
     ldap.ldapconn.secureConn: false
     ldap.ldapconn.version: 2
     ldap.basedn: o=mydomain.com
     ldap.minConns: 3
     ldap.maxConns: 5

  6. Click OK.

Note If you leave the dnpattern field blank, the dnpattern used by default is E=$attr.mail,CN=$attr.cn,O=dn.o,C=$dn.c. This pattern works well with Communicator and other browsers. For the demo, you used a simpler dnpattern to avoid configuring other things. The simpler pattern should not be used for a real deployment. End-entity certificates for use with S/MIME may not work correctly if the E attribute is not present. Certificate display will not work correctly if the C and O attributes are left out.

Add a User to the Directory

The users and groups of your organization are kept in the organization's global directory. Since you are using the configuration directory that you installed with the demo to simulate such a global directory, you must add a user to the configuration directory's users and groups subtree. (Notice that this is a different operation from adding a user or group to the Certificate Manager's internal database.)

To add a user to the configuration directory's subtree for users and groups:

  1. Start Netscape Console again, or go back to the main window.
  2. Select the Users and Groups tab and click Create (in the lower right corner).
  3. In the Select Organization Unit dialog box, select People and click OK.
  4. In the Create User dialog box, fill out the required fields as follows:

     First Name: User
     Last Name: Two
     Full Name: User Two
     User ID: User2
     Password: <User2 password>
     Confirm password: <User2 password>
     E-Mail: your email address

  5. Click OK.

     You can see that User Two has been added to the list of users.

Enroll with Directory-Based Authentication

Now that there is a user in the authentication directory, you can test directory-based authentication. In order to show the key length policy working, you will request the certificate using a 512-bit key first, then change the request to use a 1024-bit key.

  1. Open a browser and go to the SSL end-user gateway:

     https://mymachine.mydomain.com:443

  2. In the Enrollment panel under User Enrollment, click Directory-based.
  3. Fill out the enrollment form as follows:

     User ID: User2
     Password: <User2 password>
     Key Length: select 512 (Low Grade)

  4. Click Submit.

     A dialog box asks whether to generate a private key.

  5. Click OK, and provide your key database password if requested.

     After the key is generated, your browser submits the certificate request to the Certificate Manager. The Certificate Manager verifies the request against all applicable policies (including the RSA key length policy for client certificates you configured earlier). The response from the server will be a Request Rejected page explaining that the request violated the RSAKeyRule policy.

  6. Use your browser's Back button to return to the Directory-based enrollment form. If the identity information is no longer present, enter the User ID and Password again.
  7. Change the Key Length setting to 1024 (High Grade), and click Submit.

     A dialog box asks whether to generate a private key.

  8. Click OK, and provide your key database password if requested.

     The new certificate is issued immediately and installed in your browser.

Next, you will configure Certificate Management System to publish (in the directory) the certificate you just issued.

Publish Certificates in a Directory

In any PKI there are things that you need to publish to make them available to entities. Certificate revocation lists (CRLs), for example, can be made available at a well-known URL so that clients and servers can check them as needed instead of fetching and storing the list every time it is updated. In a PKI where people need to exchange encrypted files or email, you do not want each person to have to store everyone else's public key; instead, you can publish certificates to a directory or database and allow users to look up public keys as needed.

In this example, you will configure a Certificate Manager to publish new certificates to an existing directory (the configuration directory that Netscape Console uses).

To publish certificates to a directory, you must configure information about the destination directory, configure the rules for publishing to it, then update the directory. Updating the directory publishes certificates that were issued before publishing was enabled; certificates issued later will be published automatically as they are issued.

Before you change the configuration you should understand the basics of the flexible components that make up the Certificate Management System publishing system: mappers, publishers, and rules.

Mappers translate objects (such as certificates) in the internal database into some other form for publishing. You will configure an LDAP mapper to translate the user name in a client certificate request to a distinguished name (DN) in the publishing directory.

Publishers are objects that actually publish the data. You will not configure the publisher here, but the LdapUserCertPublisher finds the DN that the mapper produces and adds a certificate attribute to its entry. The value of the attribute, of course, is the client certificate (in a binary form).

Rules coordinate the use of a mapper with a publisher for objects that meet certain conditions. The conditions may simply require a certain type of object (such as a client certificate). A condition may also assert some additional requirement (a predicate) that must be true about that type of object in order to invoke the rule. You will not configure any rules in this example. By default, the Certificate Manager uses a rule to coordinate the LdapUserCertMap and the LdapUserCertPublisher for publishing client certificates.

Configure the Publishing Destination

To enable publishing and configure the directory where certificates will be published:

  1. If the CMS window is not still open, start Netscape Console again (or go back to the main Console window) and open the window for CMS.
  2. Open the Certificate Manager folder and select Publishing.
  3. Check the Enable Publishing checkbox, then the Enable LDAP Publishing checkbox.

     The Destination area becomes editable.

  4. Enter information in the Destination area to identify the directory to which you want to publish (use the configuration directory, where User Two's entry is stored):

     Host Name: your local host name, in the form mymachine.mydomain.com
     Port Number: 389
     Directory Manager DN: cn=Directory Manager
     Password: <dir mgr password>
     Password (again): <dir mgr password>
     Version: 2
     Authentication: Basic authentication

  5. Click Save.

     A dialog box appears that indicates whether CMS is able to connect, authenticate, and bind to the directory.

     If your configuration is not successful, make sure that the entries you make in the Destination area correspond to how you configured the Configuration Directory Server when you ran the setup program.

Directory publishing is now enabled. Certificate Management System will publish any new certificates to the directory according to the publication rules. The next step is to set those rules.

Set Rules for Publishing Certificates

In this section, you configure CMS to map client certificates to People entries in the o=mydomain.com directory tree using the user ID from the certificate request.

To configure CMS to publish user certificates to an LDAP directory:

  1. Open the CMS console window and select the Configuration tab.
  2. Open the Certificate Manager folder and double-click Publishing.
  3. Below Publishing in the navigation tree, click Mappers.
  4. In the Mappers Management tab, select LdapUserCertMap and click Edit/View.
  5. Change the dnPattern parameter value to UID=$req.UID, OU=people, O=mydomain.com.

     This pattern will cause the mapper to formulate a DN using the user ID from the certificate request (the data entered in the User ID field on the end entity enrollment form) and fixed values for OU and O.

  6. Click OK.

CMS can now publish user certificates in the configuration directory. You do not need to configure the Publisher or Rule. If you want to see more about how the rule works, look at the LdapUserCertRule under Rules (using the Edit/View button) and the LdapUserCertPublisher under Publishers.
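Both the mapper dnPattern above and the authentication dnpattern configured in "Enable Directory-Based Authentication" build a DN by substituting variables into a template. The following added Python example (not CMS code) expands such patterns and escapes every substituted value according to RFC 4514, so that an attribute value containing a comma cannot add an RDN to the result; the meaning given to $attr, $req and $dn (the default pattern's $dn.c is read as an RDN of the entry's DN) is an assumption, and the directory data for User Two is constructed.

```python
import re

# $attr.X = attribute X of the authenticated directory entry (UidPwdDirAuth),
# $req.X = field X of the enrollment request (LdapUserCertMap), and
# $dn.X = RDN X of that entry's DN (assumed meaning of the default pattern's $dn.c).
_VAR = re.compile(r"\$(attr|req|dn)\.([A-Za-z0-9_-]+)")


def escape_rdn_value(value: str) -> str:
    """Escape a value for a string DN per RFC 4514, so that a cn such as
    'Two,o=admin' cannot add an RDN to the DN the pattern produces."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        special = ch in '",+;<>\\' or (i == 0 and ch in " #") or (i == last and ch == " ")
        out.append("\\" + ch if special else ch)
    return "".join(out)


def dn_components(dn: str) -> dict:
    """Split a string DN into {type (lowercased): unescaped value}; backslash
    escapes are honoured, hex escapes and multi-valued RDNs are not."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped or ch not in ",\\":
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        else:  # an unescaped comma ends the RDN
            parts.append("".join(cur))
            cur = []
    parts.append("".join(cur))
    comps = {}
    for part in parts:
        typ, _, val = part.partition("=")
        comps.setdefault(typ.strip().lower(), val.strip())
    return comps


def expand_dn_pattern(pattern, attrs=None, req=None, entry_dn=None):
    """Substitute the $attr/$req/$dn variables in `pattern`, escaping each value."""
    sources = {
        "attr": {k.lower(): v for k, v in (attrs or {}).items()},
        "req": {k.lower(): v for k, v in (req or {}).items()},
        "dn": dn_components(entry_dn) if entry_dn else {},
    }

    def substitute(m):
        kind, name = m.group(1), m.group(2)
        value = sources[kind].get(name.lower())
        if value is None:
            raise KeyError("no value for $%s.%s" % (kind, name))
        return escape_rdn_value(value)

    return _VAR.sub(substitute, pattern)


# Constructed directory data for User Two (see "Add a User to the Directory").
USER2_DN = "uid=User2,ou=People,o=mydomain.com,c=US"
USER2_ATTRS = {"cn": "User Two", "mail": "user2@mydomain.com"}


def demo_patterns():
    """Expand the chapter's patterns, plus one whose value contains a comma."""
    return {
        "auth": expand_dn_pattern("cn=$attr.cn,c=US", attrs=USER2_ATTRS),
        "auth_default": expand_dn_pattern("E=$attr.mail,CN=$attr.cn,O=$dn.o,C=$dn.c",
                                          attrs=USER2_ATTRS, entry_dn=USER2_DN),
        "mapper": expand_dn_pattern("UID=$req.UID, OU=people, O=mydomain.com",
                                    req={"UID": "User2"}),
        "escaped": expand_dn_pattern("cn=$attr.cn,c=US", attrs={"cn": "Two,o=admin"}),
    }
```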

Update the Publishing Directory

Your Certificate Manager is now configured to automatically publish newly issued client certificates. If you want to experience this, you can follow the instructions in "Add a User to the Directory" and "Enroll with Directory-Based Authentication" again to add a new user and enroll for a certificate.

Use the procedure in this example to view the new user's directory entry and see the certificate published automatically (certificates are published every 20 minutes, so you may need to wait a few minutes before a new certificate is published).

In the example here, you conclude by manually updating the directory with the issued (but unpublished) certificate for User Two. You will look at User Two's directory entry before and after publishing to see how the entry changes.

To view the directory entry for User Two:

  1. Go to the Netscape Console main window, select the configuration directory (configdir) in the navigation tree, and then click Open.
  2. Click the Directory tab.

     The directory information trees are represented in the navigation tree on the left.

  3. Open the entry for your domain (for example, mcom.com).
  4. Select the People node in the entry for your domain.

     The right side of the window lists the People entries. (If you have followed the examples, User Two will be the only entry.)

  5. Double-click the User Two entry to open the Edit Entry dialog box.
  6. Click Advanced at the bottom of the dialog box to see all of the attributes for User Two in the Property Editor dialog box.

     User Two has attributes for Email address, First name, etc., but no certificate.

  7. Click Cancel to close the Property Editor dialog box, but leave the Edit Entry dialog box open if you can: you will open the Property Editor again after you manually publish certificates.

To publish certificates to the directory manually:

  1. In a browser, go to the URL for the SSL agent port. For example:

     https://myhost.mydomain.com:8100/

     If you are asked to select a certificate for client authentication, be sure not to choose the certificate for User Two since that user does not have administrative privileges.

  2. Select Certificate Manager Agent Services.
  3. Select Update Directory Server from the list on the left.
  4. Check the first checkbox, labeled "Update everything in the database to the directory," then click Update Directory.

     After a few seconds a results page displays. Most of the entries will indicate failures because in this example you did not configure publishing rules for most of the object types in the internal database.

     The third item in the list should read "Valid certificates have been published in the directory." This means that publishing client certificates was successful.

  5. Return to the Edit Entry dialog for User Two (repeat the previous procedure if necessary) and click Advanced to open the Property Editor.

     The first attribute listed is now the Certificate for User Two. The certificate is in an unreadable binary form, so you do not see any actual data.

You have successfully configured the Certificate Manager to publish client certificates to an LDAP directory.

Send Renewal Reminders

Certificate Management System provides a facility for scheduling automatic jobs. The jobs facility can help you manage the certificate lifecycle by automating processes such as removing revoked certificates from your data store or notifying end-entities when their certificates are about to expire.

This exercise will show you how to use the jobs facility to send out automatic renewal reminders to entities. You will configure CMS to send email to entities starting 400 days before the certificate expires. In a real deployment, of course, you would probably not start reminding certificate holders to renew until 30 days before expiration. You will see the email that is sent to a certificate holder and a summary report of all notices that can be sent to a CMS agent.

To complete this exercise, you need to have access to a host that can receive Simple Mail Transfer Protocol (SMTP) requests and send mail. By default, CMS configures localhost (the machine on which it is running) as the mail server. Many UNIX hosts run SMTP daemons (such as sendmail) in their default configurations, so in UNIX you may not need to change the CMS defaults. Windows NT systems, however, do not typically run SMTP daemons by default and you will probably need to configure the SMTP settings in CMS.

If you are sure that the machine on which CMS is running is also capable of receiving SMTP requests on port 25, skip to "Configuring CMS to Send Renewal Reminders."

Otherwise, find out the name of a host that can accept SMTP requests and follow the next procedure, "Configuring a Mail Server for CMS," to configure CMS.

Configuring a Mail Server for CMS

To configure the server from which CMS can send mail:

  1. Open the CMS console window and select the Configuration tab.
  2. Click the SMTP tab.
  3. Type the hostname of your mail server in the "Server name" field.
  4. Enter the port number your server uses for SMTP in the "Port number" field.

     If you are certain that your server uses a port number other than 25 for SMTP, enter that number here. However, it is unlikely that any server uses a different number for the well-known SMTP service.

  5. Click Save.

Configuring CMS to Send Renewal Reminders

To configure Certificate Management System to send renewal reminders:

  1. Open the CMS console window and select the Configuration tab.
  2. Open Job Scheduler in the navigation tree.
  3. Select Jobs.
  4. Select certRenewalNotifier in the Job Instance tab.
  5. Click Edit/View.

     The Job Instance Editor dialog box displays. By default this job is enabled and scheduled to notify end-entities 30 days before their certificates expire. You will change the settings so that renewal notices begin 400 days before the certificate expires (so you will get notices for the certificates issued during this demonstration). You will also send notices every minute (instead of every day) so that you get an immediate message, and send a summary report to yourself.

  6. Make sure the following parameters have the listed values:

     enabled: true
     cron: * * * * * (include spaces between the asterisks)
     notifyTriggerOffset: 400
     senderEmail: your email address
     summary.enabled: true
     summary.recipientEmail: your email address
     summary.senderEmail: your email address

  7. Click OK.
  8. Select Job Scheduler in the Configuration tab's navigation tree.

     The next step will turn on the Job Scheduler. Once the scheduler is enabled you will receive at least two email messages every minute. Make sure you turn off the Job Scheduler after a few minutes to avoid a flood of email messages.

  9. Select the Enable Jobs Scheduler checkbox.
  10. Click Save.

     You should begin receiving email after one minute.

  11. After the scheduler has been running for a few minutes, deselect the Enable Jobs Scheduler checkbox.
  12. Click Save.
  13. Check your email.

     You will have at least two messages.

     Messages with the subject "Certificate Renewal Notification" are examples of notices sent to end entities. By default, these are sent to the address in the email (E) attribute in the certificate subject. These messages explain that the certificate is going to expire on a certain date, and they provide a URL for an end-entity gateway where the certificate can be renewed.

     Messages with the subject "Certificate Renewal Notification Summary" are examples of the summary report sent to the address in the job's summary.recipientEmail parameter (usually a CMS agent). These messages list all of the certificates that are about to expire (according to the job's notifyTriggerOffset parameter) and whether or not the Certificate Manager succeeded in sending a renewal notice.

     The message content, format, and subject are all customizable, so in a real deployment you can create messages that better suit your organization.
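An added Python model (not CMS code) of one tick of the certRenewalNotifier job as configured above: it evaluates the cron field, selects the certificates that expire within notifyTriggerOffset days, addresses each notice to the E attribute of the subject, and builds the summary report, listing a certificate with no E attribute as a failed notice. The certificates, addresses and clock are constructed, and the exact cron and window semantics are assumptions.

```python
import datetime as dt


def _cron_field_matches(field: str, value: int, lo: int, hi: int) -> bool:
    """Match one cron field ('*', 'n', 'a-b', 'a,b', '*/n', 'a-b/n') against value."""
    for part in field.split(","):
        part, _, step_text = part.partition("/")
        step = int(step_text) if step_text else 1
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if start <= value <= end and (value - start) % step == 0:
            return True
    return False


def cron_matches(expr: str, when: dt.datetime) -> bool:
    """True if a five-field cron line (minute hour day month weekday) fires at `when`;
    the demo's '* * * * *' fires on every tick. Day and weekday must both match
    (a simplification of classic cron)."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("cron expression needs 5 fields: %r" % expr)
    weekday = (when.weekday() + 1) % 7  # cron counts Sunday as 0
    checks = [(fields[0], when.minute, 0, 59), (fields[1], when.hour, 0, 23),
              (fields[2], when.day, 1, 31), (fields[3], when.month, 1, 12),
              (fields[4], weekday, 0, 6)]
    return all(_cron_field_matches(f, v, lo, hi) for f, v, lo, hi in checks)


# certRenewalNotifier as set in the demo; the addresses stand in for "your email address".
JOB = {"enabled": True, "cron": "* * * * *", "notifyTriggerOffset": 400,
       "senderEmail": "agent@mydomain.com", "summary.enabled": True,
       "summary.recipientEmail": "agent@mydomain.com"}

# Constructed certificates (subjects as attribute dicts) and a fixed "now".
DEMO_NOW = dt.datetime(2000, 6, 1, 12, 0)
CERTS = [
    {"serial": 7, "notAfter": dt.datetime(2001, 6, 1), "subject": {"CN": "User Two", "E": "user2@mydomain.com"}},
    {"serial": 8, "notAfter": dt.datetime(2001, 1, 1), "subject": {"CN": "No Mail"}},
    {"serial": 9, "notAfter": dt.datetime(2003, 1, 1), "subject": {"CN": "Later", "E": "later@mydomain.com"}},
    {"serial": 3, "notAfter": dt.datetime(2000, 1, 1), "subject": {"CN": "Expired", "E": "old@mydomain.com"}},
]


def run_renewal_job(job, certs, now, renew_url="https://mymachine.mydomain.com:443"):
    """One scheduler tick; returns (notices, summary). A notice goes to the subject's
    E attribute, and a certificate in the window without one becomes a failure row."""
    if not job["enabled"] or not cron_matches(job["cron"], now):
        return [], None
    window_end = now + dt.timedelta(days=job["notifyTriggerOffset"])
    notices, rows = [], []
    for cert in certs:
        if not now <= cert["notAfter"] <= window_end:
            continue  # already expired, or expiry still beyond the offset
        email = cert["subject"].get("E")
        if email:
            notices.append({"to": email, "from": job["senderEmail"],
                            "subject": "Certificate Renewal Notification",
                            "body": "Certificate %d expires on %s; renew at %s"
                                    % (cert["serial"], cert["notAfter"].date(), renew_url)})
        rows.append((cert["serial"], "sent" if email else "failed: subject has no E attribute"))
    summary = None
    if job["summary.enabled"]:
        summary = {"to": job["summary.recipientEmail"],
                   "subject": "Certificate Renewal Notification Summary", "rows": rows}
    return notices, summary


def demo():
    """Run one tick at DEMO_NOW over the constructed certificates."""
    return run_renewal_job(JOB, CERTS, DEMO_NOW)
```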

You have now completed the default demo. Before you attempt to install more sophisticated pilots or a full-scale deployment, you should read Chapter 3, "Planning Your Deployment," and the chapters that follow.

After you are finished using the demonstration installation, remove it from your system. See Chapter 4, "Installing and Uninstalling CMS Instances" in Netscape Certificate Management System Administrator's Guide for complete uninstallation instructions.


Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.