CMS Help: Using Netscape Certificate


Chapter 2 Using Netscape Certificate Management System

With Netscape Certificate Management System, you can perform the following tasks:

  - User Enrollment
  - Server Enrollment
  - Registration Manager Enrollment
  - Certificate Manager Enrollment
  - OCSP Responder Enrollment
  - Object Signing Enrollment
  - User Certificate Renewal
  - User Certificate Revocation
  - Certificate Retrieval

For an introduction to basic terms and concepts, see "Understanding Certificates."


User Enrollment
Certificate Management System provides forms that support several kinds of user enrollment:

  - Manual User Enrollment
  - Directory-Based User Enrollment
  - Directory- and PIN-Based Enrollment
  - NIS Server-Based Enrollment
  - Portal Enrollment

Additional enrollment forms may be available at your site.

Manual User Enrollment
When you enroll manually, you submit all the information Certificate Management System needs to create a certificate for you. This information is then evaluated by a person who may use a variety of means to confirm your identity (physical proof, information gathered over the telephone, and so on). This person then decides whether to issue the certificate. Because you must wait for someone to review and approve your request, it can take some time before your certificate is issued.

Fill out the enrollment form as directed. If you are not sure how to supply some of the information, ask your system administrator. When you are sure everything is correct, click the Submit button at the bottom of the form.

When the enrollment request is approved, you will receive an email notification that includes the certificate and instructions for importing it into your browser.

For an introduction to basic terms and concepts, see "Understanding Certificates."

About the Form Elements
The form you see is customized for your site and may not include all the elements explained here.

Organization Unit, Organization, and Country

Challenge Phrase Password

Additional Comments

Key-length Information

Directory-Based User Enrollment
If your organization has a Lightweight Directory Access Protocol (LDAP) directory, the directory contains much of the information that Certificate Management System needs to verify your identity and issue a certificate. The directory-based user enrollment form uses such a directory.

Fill out the enrollment form as directed. If you are not sure how to supply some of the information, ask your system administrator. When you are sure everything is correct, click the Submit button at the bottom of the form.

Upon receiving the request and confirming the information you provided against the LDAP directory, Certificate Management System issues the certificate automatically and immediately. If the certificate is successfully issued, your new certificate will appear in a browser window, along with instructions on how to import it into your browser.

For an introduction to basic terms and concepts, see "Understanding Certificates."

About the Form Elements
The form you see is customized for your site and may not include all the elements explained here.

IMPORTANT NOTICE TO ADMINISTRATORS

Key-length Information

Directory- and PIN-Based Enrollment
If your organization has a Lightweight Directory Access Protocol (LDAP) directory, the directory contains much of the information that Certificate Management System needs to verify your identity and issue a certificate. Before you enroll, your system administrator sends you a unique personal identification number (PIN) that helps guarantee your identity. This is the number you must enter in the enrollment form.

Fill out the enrollment form as directed, using the PIN you have received. If you are not sure how to supply some of the information, ask your system administrator. When you are sure everything is correct, click the Submit button at the bottom of the form.

Upon receiving the request and confirming the information you provided, Certificate Management System issues the certificate automatically and immediately. If the certificate is successfully issued, your new certificate will appear in a browser window, along with instructions on how to import it into your browser.

For an introduction to basic terms and concepts, see "Understanding Certificates."

About the Form Elements
The form you see is customized for your site and may not include all the elements explained here.

IMPORTANT NOTICE TO ADMINISTRATORS

Key-length Information

NIS Server-Based Enrollment
NIS or NIS+ is a network information name service. If your organization uses NIS to store information about users, the NIS service contains much of the information that Certificate Management System needs to verify your identity and issue a certificate.

You need to provide the user name and password you use to log into the network. When you are sure everything is correct, click the Submit button at the bottom of the form.

Upon receiving the request and confirming the information you provided, Certificate Management System issues the certificate automatically and immediately. If the certificate is successfully issued, your new certificate will appear in a browser window, along with instructions on how to import it into your browser.

For an introduction to basic terms and concepts, see "Understanding Certificates."

About the Form Elements
The form you see is customized for your site and may not include all the elements explained here.

User's Identity

Key-length Information

Portal Enrollment
Portal enrollment allows you to enroll for a certificate when you register yourself with a portal (for example, Netscape Netcenter). You only need to provide a user name that is unique on the portal, a new password, and whatever personal information the portal operator needs to issue a certificate to you (for example, your name and address).

Fill out the enrollment form as directed. When you are sure everything is correct, click the Submit button at the bottom of the form.

You may be asked to re-submit the form if any of the required information is missing or if the user name is already in use.

Upon receiving a valid request and confirming the information you provided, Certificate Management System issues the certificate automatically and immediately. If the certificate is successfully issued, your new certificate will appear in a browser window, along with instructions on how to import it into your browser.

For an introduction to basic terms and concepts, see "Understanding Certificates."

About the Form Elements
The form you see is customized for your site and may not include all the elements explained here.

User's Identity

User's Personal Information

Key-length Information


Server Enrollment
Certificate Management System provides forms that support two kinds of server enrollment: manual (based on explicit approval by someone who verifies the server's identity) and directory-based (based on server information in an LDAP directory). Additional enrollment forms may be available at your site.

Server Certificate Enrollment (for Server Administrators)
This form is intended for use by server administrators. Before a server can support the Secure Sockets Layer (SSL) protocol for authentication, encryption, and tamper detection, it must have an SSL server certificate.

When you enroll manually for an SSL server certificate, you submit all the information Certificate Management System needs to create the certificate. This information is then evaluated by a person who may use a variety of means to confirm your identity (physical proof, information gathered over the telephone, and so on). This person then decides whether to issue the certificate. Because you must wait for someone to review and approve your request, it can take some time before your certificate is issued.

Fill out the enrollment form as directed. If you are not sure how to supply some of the information, ask your system administrator. When you are sure everything is correct, click the Submit button at the bottom of the form.

When the enrollment request is approved, you will receive an email notification that includes either the certificate itself or a URL at which you can find the certificate. You must copy the encoded certificate and import it into your server. (For a Netscape server, use the administration forms provided by the Administration Server associated with your server.)

About the Form Elements
The form you see is customized for your site and may not include all the elements explained here.

PKCS #10 Request

Server Administrator Contact Information

Additional Comments

Directory-Based Server Enrollment (for Server Administrators)
This form is intended for use by server administrators. Before a server can support the Secure Sockets Layer (SSL) protocol for authentication, encryption, and tamper detection, it must have an SSL server certificate. If your organization has a Lightweight Directory Access Protocol (LDAP) directory, the information that Certificate Management System needs to verify your identity and issue such a certificate can be stored in the directory.

Fill out the enrollment form as directed. If you are not sure how to supply some of the information, ask your system administrator. When you are sure everything is correct, click the Submit button at the bottom of the form.

Upon receiving the request, Certificate Management System issues the certificate automatically and immediately. If the certificate is successfully issued, your new certificate will appear in a browser window. You must copy the encoded certificate and import it into your server. (For a Netscape server, use the administration forms of the Administration Server associated with your server.)

About the Form Elements
The form you see is customized for your site and may not include all the elements explained here.

IMPORTANT NOTICE TO ADMINISTRATORS

PKCS #10 Request

Server Administrator Information

Additional Comments


Registration Manager Enrollment
This form is intended for use by agents who are managing a Certificate Management System Registration Manager. A Registration Manager must have a signing certificate issued by the Certificate Manager for which it handles end-entity interactions. This form allows Registration Manager agents to enroll for such a certificate. This type of enrollment is always manual; that is, the request must be approved by the human agent responsible for the Certificate Manager.

Fill out the enrollment form as directed. When the enrollment request is approved, you will receive an email notification that includes the certificate or a URL at which you can find the certificate. You must copy the certificate and import it into the Registration Manager from the CMS window in Netscape Console.

About the Form Elements
The form you see is customized for your site and may not include all the elements explained here.

PKCS #10 Request

Server Administrator Contact Information

Additional Comments


Certificate Manager Enrollment
This form is intended for use by agents who are managing a Certificate Management System Certificate Manager that is to be used as a subordinate CA. A Certificate Manager that functions as a subordinate CA must have a signing certificate issued by the Certificate Manager to which it is subordinate. This type of enrollment is always manual; that is, the request must be approved by the human agent responsible for the Certificate Manager that will be issuing the certificate.

Fill out the enrollment request form as directed. When the enrollment request is approved, you will receive an email notification that includes the certificate or a URL at which you can find the certificate. You must copy the certificate and import it into the subordinate Certificate Manager, using Netscape Console's CMS window.

About the Form Elements
The form you see is customized for your site and may not include all the elements explained here.

PKCS #10 Request

Server Administrator Information

Additional Comments


OCSP Responder Enrollment
This form is intended for use by administrators of Online Certificate Status Protocol (OCSP) Responder servers such as the Valicert Certificate Validation Authority (CVA) that comes with CMS. An OCSP responder requires a certificate for signing its responses to requests about certificate validity. Use this form to enroll for the OCSP Responder's signing certificate.

To enroll for a certificate for a Valicert Certificate Validation Authority server follow the steps in the procedure "To Enroll a Valicert CVA Responder." For other OCSP responders, follow the vendor's instructions for generating a certificate signing request.

When you enroll manually for an OCSP Responder signing certificate, you submit all the information Certificate Management System needs to create the certificate. This information is then evaluated by a person who may use a variety of means to confirm your identity (physical proof, information gathered over the telephone, and so on). This person then decides whether to issue the certificate. Because you must wait for someone to review and approve your request, it can take some time before your certificate is issued.

When the enrollment request is approved, you will receive an email notification that includes either the certificate itself or a URL at which you can find the certificate. You must copy the encoded certificate and import it into your server.

About the Form Elements
The form you see is customized for your site and may not include all the elements explained here.

PKCS #10 Request

Server Administrator Contact Information

Additional Comments

To Enroll a Valicert CVA Responder
The Valicert CVA software comes with CMS. To request a certificate for a CVA server, first install the server according to its documentation. When you configure the server, follow these steps:

  1. The first time you access the CVA admin server page, you see the Certificate VA setup menu. Select "Create a New Key Pair."
  2. Follow the instructions to generate a key pair and enter information about your server.
  3. Before you submit the certificate request, select "Generate self-signed certificate."
     There is a known problem with generating a request to submit to a CA. To work around this problem, you create a self-signed certificate and extract a certificate request from it later.
  4. Finish configuring the CVA server, then start it according to the instructions.
  5. Reload the CVA admin server page.
  6. Select "Manage Keys and Certificates."
  7. Select "Display Certificate Request." A PKCS #10 certificate request appears. Copy the request, including the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines, to the clipboard.
  8. Open the CMS end-entity page in a browser, select the Enrollment tab, then select "OCSP Server Enrollment" from the Server section of the menu.
  9. Paste the request into the "PKCS #10 Request" text area.
  10. Fill in your contact information, then click Submit.
     Your request has now been submitted. When the certificate is ready, the CMS agent will notify you (usually by email) with instructions on where to retrieve the certificate.
  11. When the certificate has been issued, copy the base-64 encoded certificate from the CMS retrieval page to the clipboard.
  12. Open the CVA admin server page and select "Manage Certificate Stores," then "Add Certificate."
  13. Paste the base-64 encoded certificate into the form provided on the CVA admin server.
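The "PKCS #10 Request" text area used in the procedure above, and in the server, Registration Manager, Certificate Manager and Object Signing (PKCS10) forms, takes the request exactly as pasted, BEGIN and END lines included. The following Python example is added here and is not part of this help page or of CMS. It builds a constructed sample request (dummy RSA key, dummy signature) with a minimal DER encoder, then parses it back to recover the subject DN and signature algorithm, which is the structural check an agent can make against the Server Administrator Contact Information before approving. It does not verify the signature; proof of possession of the private key needs a real cryptographic library (for example, `openssl req -noout -verify`). All names and the sample subject are assumptions for the example.

```python
import base64

# Minimal DER encoder/decoder for PKCS #10:
#   CertificationRequest ::= SEQUENCE { certificationRequestInfo, signatureAlgorithm, signature BIT STRING }
#   CertificationRequestInfo ::= SEQUENCE { version INTEGER, subject Name, subjectPKInfo, attributes [0] }
OID_NAMES = {
    "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.3": "CN",
    "1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
PEM_HEAD = "-----BEGIN CERTIFICATE REQUEST-----"
PEM_TAIL = "-----END CERTIFICATE REQUEST-----"

def der(tag, payload):
    """Wrap payload in a DER TLV with minimal length encoding."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs, high bit = continuation)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append((arc & 0x7F) | 0x80)
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))

def oid_to_str(body):
    """Decode the body of a DER OBJECT IDENTIFIER back to dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def decode(buf, pos=0):
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    nlen = 0 if first < 0x80 else first & 0x7F
    length = first if first < 0x80 else int.from_bytes(buf[pos + 2:pos + 2 + nlen], "big")
    start = pos + 2 + nlen
    if start + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[start:start + length], start + length

def children(payload):
    """Split a constructed value into its (tag, value) elements."""
    items, pos = [], 0
    while pos < len(payload):
        tag, val, pos = decode(payload, pos)
        items.append((tag, val))
    return items

def pem_to_der(text):
    """Strip the PEM armor the form asks you to paste; reject an incomplete paste."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != PEM_HEAD or lines[-1] != PEM_TAIL:
        raise ValueError("paste the request including its BEGIN and END lines")
    return base64.b64decode("".join(lines[1:-1]), validate=True)

def parse_csr(raw):
    """Structural parse only (subject DN, signature algorithm, signature size); the signature is NOT verified."""
    tag, body, end = decode(raw)
    if tag != 0x30 or end != len(raw):
        raise ValueError("not a single DER SEQUENCE")
    parts = children(body)
    if [t for t, _ in parts] != [0x30, 0x30, 0x03]:
        raise ValueError("not a CertificationRequest (info, algorithm, signature)")
    info, alg, sig = (v for _, v in parts)
    version, subject, _spki, attrs = children(info)
    if version != (0x02, b"\x00") or attrs[0] != 0xA0:
        raise ValueError("unsupported CertificationRequestInfo")
    dn = {}
    for _, rdn in children(subject[1]):          # Name = SEQUENCE OF SET OF { OID, value }
        for _, atv in children(rdn):
            (_, oid_body), (_, value) = children(atv)
            dn[OID_NAMES.get(oid_to_str(oid_body), oid_to_str(oid_body))] = value.decode()
    alg_oid = oid_to_str(children(alg)[0][1])
    return {"subject": dn, "signature_algorithm": OID_NAMES.get(alg_oid, alg_oid),
            "signature_bits": (len(sig) - 1) * 8}   # byte 0 of a BIT STRING = unused-bit count

def build_sample_csr_pem():
    """Constructed sample request (dummy key, dummy signature); not a real CSR."""
    def atv(dotted, tag, s):
        return der(0x31, der(0x30, oid(dotted) + der(tag, s.encode())))
    subject = der(0x30, atv("2.5.4.6", 0x13, "US") + atv("2.5.4.10", 0x0C, "Example Corp")
                  + atv("2.5.4.3", 0x0C, "www.example.com"))
    rsa_key = der(0x30, der(0x02, bytes(range(1, 65))) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, oid("1.2.840.113549.1.1.1") + der(0x05, b"")) + der(0x03, b"\x00" + rsa_key))
    info = der(0x30, der(0x02, b"\x00") + subject + spki + der(0xA0, b""))
    sig_alg = der(0x30, oid("1.2.840.113549.1.1.11") + der(0x05, b""))
    csr = der(0x30, info + sig_alg + der(0x03, b"\x00" + bytes(range(32))))
    b64 = base64.b64encode(csr).decode()
    return "\n".join([PEM_HEAD, *[b64[i:i + 64] for i in range(0, len(b64), 64)], PEM_TAIL])
```

Running `parse_csr(pem_to_der(build_sample_csr_pem()))` returns the subject as `{'C': 'US', 'O': 'Example Corp', 'CN': 'www.example.com'}` with `sha256WithRSAEncryption` as the algorithm. A request pasted without its END line is rejected before any decoding, which is the first thing to check when a form submission fails.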

Object Signing Enrollment
Object Signing (Browser)
This form is intended for use by administrators or software developers who want to enroll for an object-signing certificate. The keys will be generated and stored by the web browser. If you want to enroll for a certificate to use with a signing tool that does not use the browser's database (for example, the Java keytool), you can use the Object Signing (PKCS10) form to submit a generic PKCS #10 request for an object-signing certificate.

Object-signing certificates are used to create digital signatures that can be attached to software objects such as Java applets. Digital signatures provide recipients of such objects with some assurance that you are really the person or company responsible for the object, rather than an imposter.

This type of enrollment is always manual. After you submit all the information Certificate Management System needs to create an object-signing certificate for you, the information is evaluated by a person who may use a variety of means to identify you (physical proof, information gathered over the telephone, and so on). This person then decides whether to issue the certificate. Because you must wait for someone to review and approve your request, it can take some time before your certificate is issued.

Fill out the enrollment request form as directed. If you are not sure how to supply some of the information, ask your system administrator.

When the enrollment request is approved, you will receive an email notification that includes the certificate and instructions for importing it into your browser.

About the Form Elements
The form you see is customized for your site and may not include all the elements explained here.

Organization Unit, Organization, and Country

Select Signing Type

Key-length Information

Additional Comments

Object Signing (PKCS10)
This form is intended for use by administrators or software developers who want to enroll for an object-signing certificate. This form accepts a generic PKCS #10 request. When the certificate has been issued, you can retrieve it (see Certificate Retrieval) in base-64 encoded format and import it into your object-signing application (for example, the Java keytool). To enroll for a Netscape Object-Signing certificate (for use with the signtool application that comes with CMS) or a Microsoft Authenticode signing certificate, you should use the Object Signing (Browser) form.

Object-signing certificates are used to create digital signatures that can be attached to software objects such as Java applets. Digital signatures provide recipients of such objects with some assurance that you are really the person or company responsible for the object, rather than an imposter.

This type of enrollment is always manual. After you submit all the information Certificate Management System needs to create an object-signing certificate for you, the information is evaluated by a person who may use a variety of means to identify you (physical proof, information gathered over the telephone, and so on). This person then decides whether to issue the certificate. Because you must wait for someone to review and approve your request, it can take some time before your certificate is issued.

Fill out the enrollment request form as directed. If you are not sure how to supply some of the information, ask your system administrator.

When the enrollment request is approved, you will receive an email notification that includes the certificate, or a URL at which you can retrieve it in base-64 encoded format. Import the certificate into your object-signing application rather than into your browser.

About the Form Elements
The form you see is customized for your site and may not include all the elements explained here.

PKCS #10 Request

Contact Information

Additional Comments


User Certificate Renewal
The Certificate Renewal page requires SSL client authentication, so it is only available on SSL-enabled CMS servers. If you do not see the Renewal tab, ask your system administrator for the SSL-enabled URL for CMS at your site.

Certificates have a starting date and an expiration date, just like your driver's license and credit cards. When the expiration date of your certificate approaches, you must renew the certificate.

You may receive an email notification that a certificate is about to expire and must be renewed. The message may include a link to this page, which you use to request the renewal.

Be sure you are renewing the certificate from the same computer and browser that you used when you acquired the certificate. This is the computer on which your private key is stored.

You cannot use this form unless you have reached it via the URL for the HTTPS port of Certificate Management System. The URL in the Location field near the top of the window in which the form appears should begin with https://. If it doesn't, the form won't work, and you should ask your system administrator for the correct URL.

For an introduction to basic terms and concepts, see "Understanding Certificates."


User Certificate Revocation
The Certificate Revocation pages are only available on SSL-enabled CMS servers. If you do not see the Revocation tab, ask your system administrator for the SSL-enabled URL for CMS at your site.

User Certificate
You may need to revoke a certificate if, for example, it is superseded by another one or if you no longer use the service for which it is required.

If you still have access to the certificate, you can use this form to present it to the server (using SSL client authentication) to have it revoked.

For an introduction to basic terms and concepts, see "Understanding Certificates."

About the Form Elements
The form you see is customized for your site and may not include all the elements explained below.

Revocation Reason

Certificate (Challenge Phrase-Based)
You may need to revoke a certificate if, for example, it is superseded by another one or if you no longer use the service for which it is required.

You can use this form to revoke any certificate if you know the challenge phrase that was set during certificate enrollment. The challenge phrase allows you to revoke your certificate even though you may no longer have access to the actual certificate (for example, if your certificate was stored on a disk that failed). You must know the challenge phrase and the certificate serial number. See "Search Certificates" for information on how to search for your certificate's serial number.

For an introduction to basic terms and concepts, see "Understanding Certificates."

About the Form Elements
The form you see is customized for your site and may not include all the elements explained below.

Certificate Serial Number

Authentication Information

Revocation Reason
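Because this form lets anyone who knows the serial number and the challenge phrase revoke the certificate without holding the certificate or its key, the server-side check of the phrase is the whole defence. The following Python example is added here and is not from this page or from CMS; it is an assumed design (CMS's own storage is not described here) showing how such a check should behave: the phrase set at enrollment is kept only as a salted PBKDF2 hash keyed by serial number, the comparison at revocation is constant-time, an unknown serial costs the same as a wrong phrase, and the chosen revocation reason is recorded as its RFC 5280 CRLReason code. Class and function names and the sample serials are constructed for the example.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 50_000
DUMMY_SALT, DUMMY_HASH = bytes(16), bytes(32)   # used when the serial is unknown

# CRLReason codes from RFC 5280 that the form's "Revocation Reason" can map onto.
REVOCATION_REASONS = {
    "unspecified": 0, "keyCompromise": 1, "affiliationChanged": 3,
    "superseded": 4, "cessationOfOperation": 5, "certificateHold": 6,
}


def hash_phrase(phrase, salt):
    """Salted PBKDF2-HMAC-SHA256 of the challenge phrase; the phrase itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", phrase.encode("utf-8"), salt, KDF_ITERATIONS)


class ChallengePhraseRevocation:
    """Hypothetical server-side store behind the challenge-phrase revocation form."""

    def __init__(self):
        self._phrases = {}   # serial number -> (salt, hash)
        self.revoked = {}    # serial number -> CRLReason code

    def enroll(self, serial, phrase):
        """Record the Challenge Phrase Password chosen on the enrollment form."""
        salt = os.urandom(16)
        self._phrases[serial] = (salt, hash_phrase(phrase, salt))

    def revoke(self, serial, phrase, reason):
        """Revoke `serial` if `phrase` matches; returns "revoked", "already_revoked" or "rejected"."""
        if reason not in REVOCATION_REASONS:
            raise ValueError("unknown revocation reason")
        rec = self._phrases.get(serial)
        # Always run the KDF and compare, even for an unknown serial, so response
        # time does not reveal which serial numbers have a challenge phrase.
        salt, stored = rec if rec is not None else (DUMMY_SALT, DUMMY_HASH)
        matched = hmac.compare_digest(hash_phrase(phrase, salt), stored) and rec is not None
        if not matched:
            return "rejected"
        if serial in self.revoked:
            return "already_revoked"
        self.revoked[serial] = REVOCATION_REASONS[reason]
        return "revoked"


if __name__ == "__main__":
    store = ChallengePhraseRevocation()
    store.enroll(0x1A2B, "correct horse battery staple")           # constructed sample
    print(store.revoke(0x1A2B, "wrong phrase", "superseded"))       # rejected
    print(store.revoke(0x1A2B, "correct horse battery staple", "superseded"))  # revoked
```

The same "rejected" answer for a wrong phrase and for a serial that does not exist is deliberate: the form should not double as a way to enumerate which serial numbers the CA has issued.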


Certificate Retrieval
You may need to find one or more certificates. For example, if you want to send encrypted email, you must have the recipients' certificates. The retrieval feature lets you search for any certificate that is in the Certificate Management System database.

The Retrieval tab allows you to perform the following tasks:

  - Check Request Status
  - List Certificates
  - Search Certificates
  - Import CA Certificate Chain
  - Import Certificate Revocation List

For an introduction to basic terms and concepts, see "Understanding Certificates."

Check Request Status
This form allows you to check the status of a certificate request. When you submit a request that requires manual processing, you get a request identifier from the Certificate Authority or Registration Authority where you made the request.

Enter the request identifier for a pending enrollment in the field on this form and click Submit.

If the certificate request is still pending or has been rejected, you will get a status message.

If the certificate has been issued, you will get a page showing the certificate information. At the bottom of the page there is an Import Certificate button to click to import the certificate into your browser.

List Certificates
This form allows you to list certificates by serial number.

For an introduction to basic terms and concepts, see "Understanding Certificates."

About the Form Elements
The form you see is customized for your site and may not include all the elements explained here.

Serial Number Range

Search Certificates
Use the form as directed. It is quite long; scroll down to see the different sections. When you have specified the search criteria, scroll to the bottom of the form and click Find.

For an introduction to basic terms and concepts, see "Understanding Certificates."

About the Form Elements
The form you see is customized for your site and may not include all the elements explained here.

Serial Number Range

Subject Name

Revocation Information

Issuing Information

Dates of Validity

Type

Note. The type search works only for certificates containing the netscape-cert-type extension, which stores type information.
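The netscape-cert-type extension (OID 2.16.840.1.113730.1.1) is a DER BIT STRING in which each bit marks one use: SSL client, SSL server, S/MIME, object signing, a reserved bit, SSL CA, S/MIME CA and object-signing CA, in that order. The following Python example is added here and is not from this page or from CMS; it decodes that bit string and runs a type search over a constructed set of certificate records, one of which has no such extension and is therefore never matched, which is exactly the limitation the note describes. The OID and bit assignments are the published Netscape definitions; the record layout is an assumption for the example.

```python
# netscape-cert-type (OID 2.16.840.1.113730.1.1): a DER BIT STRING whose bits,
# counted from the most significant bit of the first content byte, mean:
NS_CERT_TYPE_BITS = ["SSL Client", "SSL Server", "S/MIME", "Object Signing",
                     "Reserved", "SSL CA", "S/MIME CA", "Object Signing CA"]
NS_CERT_TYPE_OID = "2.16.840.1.113730.1.1"


def decode_ns_cert_type(ext_value):
    """Decode the extension's DER BIT STRING (03 <len> <unused bits> <data>) into type names."""
    if len(ext_value) < 3 or ext_value[0] != 0x03 or ext_value[1] != len(ext_value) - 2:
        raise ValueError("not a DER BIT STRING")
    unused, data = ext_value[2], ext_value[3:]
    nbits = len(data) * 8 - unused          # bits past nbits are padding, not flags
    return {NS_CERT_TYPE_BITS[i] for i in range(min(nbits, 8)) if data[i // 8] & (0x80 >> (i % 8))}


def search_by_type(records, wanted):
    """Type search over (serial, {extension OID: DER value}) records.
    A record without netscape-cert-type can never match, whatever the certificate is used for."""
    hits = []
    for serial, extensions in records:
        ext = extensions.get(NS_CERT_TYPE_OID)
        if ext is not None and wanted in decode_ns_cert_type(ext):
            hits.append(serial)
    return hits


# Constructed sample records (not real CMS database entries).
SAMPLE_RECORDS = [
    (0x11, {NS_CERT_TYPE_OID: bytes.fromhex("030205a0")}),  # SSL Client + S/MIME (5 unused bits)
    (0x12, {NS_CERT_TYPE_OID: bytes.fromhex("03020640")}),  # SSL Server (6 unused bits)
    (0x13, {NS_CERT_TYPE_OID: bytes.fromhex("03020007")}),  # SSL CA + S/MIME CA + Object Signing CA
    (0x14, {}),                                             # no extension: invisible to the type search
]

if __name__ == "__main__":
    for t in ("SSL Client", "SSL Server", "Object Signing"):
        print(t, [hex(s) for s in search_by_type(SAMPLE_RECORDS, t)])
```

Serial 0x14 never appears in any result, however it is actually used; when a type search returns fewer certificates than expected, search by subject name or serial number range instead.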


Import CA Certificate Chain
Before you can use any certificate that you receive, the certificate authority (CA) that signed it must be in your browser's list of trusted CAs. That CA's certificate may in turn be signed by another CA. There can be a whole chain of subordinate CAs, all the way to a root CA. At least one of the CAs in the chain must be trusted in order for you to use the certificate. To add a CA to your list of trusted CAs, you import the CA's certificate or certificate chain into your browser.

When you begin to use Netscape Certificate Management System as your local CA, you must import its certificate chain into your browser in order to use certificates that it issues. Similarly, if you are a server administrator, you must import the certificate chain into the server in order for that server to accept client authentication certificates signed by that Certificate Management System.

Use this form to import the certificate chain for Certificate Management System into your browser or into a server you manage. You need to do this only once, when you first begin using Certificate Management System.

For an introduction to basic terms and concepts, see "Understanding Certificates."

About the Form Elements
The form you see is customized for your site and may not include all the elements explained below.

Import the CA certificate chain into your browser

Download the CA certificate chain in binary form

Display the CA certificate chain for importing into a server

Display certificates in the CA certificate chain for importing individually into a server


Import Certificate Revocation List
Your browser may automatically import the latest certificate revocation list (CRL) from an LDAP directory that receives regular updates from Netscape Certificate Management System, and it may automatically check all certificates against the CRL to ensure that they have not been revoked. If your browser does not do this automatically, or if you have reason to believe that the CRL is out of date (if your computer or the LDAP directory has been down, for example), use this form to check the master CRL or update the browser's version.

For an introduction to basic terms and concepts, see "Understanding Certificates."

About the Form Elements
The form you see is customized for your site and may not include all the elements explained below.

Check whether the following certificate is revoked

Import the latest CRL to your Netscape Navigator

Download the latest CRL in binary form

Display the CRL header information

 

Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.