iPlanet Certificate Management System Agent's Guide



Chapter 3   Finding and Revoking Certificates


As a Certificate Manager agent, you can use the Agent Services page to find a specific certificate issued by iPlanet Certificate Management System or to retrieve a list of certificates that match specified criteria. You can examine certificates that you have retrieved. You can also revoke certificates and manage the certificate revocation list.

This chapter has the following sections:

  • Basic Certificate Listing

  • Advanced Certificate Search

  • Examining Certificates

  • Revoking Certificates

  • Managing the Certificate Revocation List


Basic Certificate Listing

You can get a list of certificates quickly and easily by specifying a range of serial numbers. You can also choose to show all certificates within the range, or only those that are currently valid.

To find a specific certificate or to list certificates by serial number:

  1. Go to the Certificate Manager Agent Services page (see Accessing Agent Services). You must submit the proper client certificate to get access to this page.

  2. Click List Certificates to display the List Certificates form in which you specify listing criteria.



  3. To find a certificate with a specific serial number, enter the serial number in both the upper limit and lower limit fields of the List Certificates form, in either decimal or hexadecimal form.

    Use 0x to indicate the beginning of a hexadecimal number; for example, 0x00000006. (Serial numbers are displayed in hexadecimal form in the Search Results and Details pages.)

  4. To find all certificates within a range of serial numbers, enter the upper and lower limits of the serial number range (in decimal or hexadecimal form).

    If you leave either the lower limit or upper limit field blank, the certificate whose number you specified plus all certificates before or after it in sequence are displayed.

  5. To limit the returned list to valid certificates, select one or both of the checkboxes labeled with filtering methods.

    You can choose not to show revoked certificates or not to show certificates that have expired or are not yet valid.

  6. Enter the number of certificates matching the criteria that you want to see.

    For a number n, the first n matching certificates are initially displayed.

  7. Click Find.

    Certificate Management System displays a list of the certificates that match your search criteria. You can select a certificate in the list and examine it in more detail or perform various operations on it. For more information, see "Examining Certificates."
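The following Python is an added illustration, not code from the guide or from Certificate Management System. It models the listing behaviour these steps describe: limits typed in decimal or 0x-prefixed hexadecimal, a blank limit leaving one side of the range open, the two filtering checkboxes, and only the first n matches returned, using the status codes defined in the Status section of "Advanced Certificate Search." The CertRecord type, the fixed NOW and the sample serials are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc
NOW = datetime(2001, 4, 2, tzinfo=UTC)   # fixed "current time" (constructed)

def d(y, m, day):
    return datetime(y, m, day, tzinfo=UTC)

@dataclass
class CertRecord:   # constructed stand-in for one entry in the CA's database
    serial: int
    not_before: datetime
    not_after: datetime
    revoked: bool = False

def parse_serial(text: str):
    """Decimal, or hexadecimal with a 0x prefix; a blank field means no limit (None)."""
    text = text.strip()
    if not text:
        return None
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)

def cert_status(cert: CertRecord, now: datetime = NOW) -> str:
    """Status code exactly as the Status section of the search form defines it."""
    expired = now > cert.not_after
    if cert.revoked and expired:
        return "REVOKED & EXPIRED"
    if cert.revoked:
        return "REVOKED"
    if expired:
        return "EXPIRED"
    if now < cert.not_before:
        return "INVALID"   # issued, but the validity period has not begun
    return "VALID"

def list_certificates(db, lower, upper, *, hide_revoked=False, hide_not_valid=False,
                      limit=20, now=NOW):
    """Up to `limit` (serial in hex, status) pairs in serial order; a blank limit is open."""
    lo, hi = parse_serial(lower), parse_serial(upper)
    if lo is not None and hi is not None and lo > hi:
        raise ValueError("lower limit is greater than upper limit")
    results = []
    for cert in sorted(db, key=lambda c: c.serial):
        if (lo is not None and cert.serial < lo) or (hi is not None and cert.serial > hi):
            continue
        status = cert_status(cert, now)
        if hide_revoked and status.startswith("REVOKED"):
            continue
        if hide_not_valid and status in ("INVALID", "EXPIRED", "REVOKED & EXPIRED"):
            continue
        results.append((f"0x{cert.serial:08X}", status))  # hex, as the Results page shows it
        if len(results) >= limit:
            break
    return results

SAMPLE_DB = [   # constructed sample database covering every status code
    CertRecord(1, d(2000, 1, 1), d(2001, 1, 1)),                 # EXPIRED
    CertRecord(2, d(2000, 6, 1), d(2002, 6, 1), revoked=True),   # REVOKED
    CertRecord(3, d(2000, 6, 1), d(2002, 6, 1)),                 # VALID
    CertRecord(4, d(2001, 6, 1), d(2003, 6, 1)),                 # INVALID (not yet valid)
    CertRecord(5, d(2000, 1, 1), d(2001, 1, 1), revoked=True),   # REVOKED & EXPIRED
    CertRecord(6, d(2000, 6, 1), d(2002, 6, 1)),                 # VALID
]
```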



Advanced Certificate Search

If you want to search for certificates by more complex criteria than serial number, use the advanced search form.

To perform an advanced search for certificates:

  1. Go to the Certificate Manager Agent Services page (see Accessing Agent Services). You must submit the proper client certificate to get access to this page.

  2. Click Search for Certificates to display the Search for Certificates form in which you specify search criteria.



  3. To search by particular criteria, use one or more of the sections of the Search for Certificates form.

    The form is quite long; scroll down to see the different sections. To use a section, select the appropriate checkbox, then fill in any necessary information.

    Serial Number Range. Use this section to find a certificate with a specific serial number or to list all certificates within a range of serial numbers.

    • To find a certificate with a specific serial number, enter the serial number in both the upper limit and lower limit fields, in either decimal or hexadecimal form. Use 0x to indicate the beginning of a hexadecimal number; for example, 0x2A. (Serial numbers are displayed in hexadecimal form in the Search Results and Details pages.)

    • To find all certificates within a range of serial numbers, enter the upper and lower limits of the serial number range (in decimal or hexadecimal form).

      If you leave either the lower limit or upper limit field blank, all certificates before or after the one you specify are displayed.

    Status. Use this section to select certificates by their status. A certificate can have one of the following status codes:

    • VALID - The certificate has been issued, its validity period has begun but not ended, and it has not been revoked.

    • INVALID - The certificate has been issued, but its validity period has not yet begun.

    • REVOKED - The certificate has been revoked.

    • EXPIRED - The current time is later than the end of the certificate's validity period.

    • REVOKED & EXPIRED - The certificate meets the criteria for both status codes.

    Subject Name. Use this section to list certificates with a particular owner. For more information on filling in this section, see Step 4.

    Revocation Information. Use this section to list certificates that have been revoked during a particular period or by a particular agent. For example, you can list all certificates revoked between July 1996 and January 1997, or all certificates revoked by the agent with the user name admin.

    • To list certificates revoked within a time period, select the day, month, and year from the drop-down lists to identify the beginning and end of the period.

    • To list certificates revoked by a particular agent, enter the name of the agent. You can use wildcards in this field. (For more information on wildcard syntax, see Step 4.)

    Issuing Information. Use this section to list certificates that have been issued during a particular period or by a particular agent. For example, you can list all certificates issued between July 1996 and January 1997, or all certificates issued by the agent with the user name betatest.

    • To list certificates issued within a time period, select the day, month, and year from the drop-down lists to identify the beginning and end of the period.

    • To list certificates issued by a particular agent, enter the name of the agent. You can use wildcards in this field. (For more information on wildcard syntax, see Step 4.)

    Dates of Validity. Use this section to list certificates that become effective or expire during a particular period. For example, you can list all certificates that became valid on June 1, 1996, or that expired between January 1, 1997 and June 1, 1997.

    You can also list certificates that have a validity period of a certain length of time. For example, you can list all certificates that are valid for less than one month.

    • To list certificates that become effective or expire within a time period, select the day, month, and year from the drop-down lists to identify the beginning and end of the period.

    • To list certificates that have a validity period of a certain length in time, select "not greater than" or "not less than" from the drop-down list, enter a number, and select a time unit from the drop-down list: Days, Weeks, Months, or Years.

    Type. Use this section to list certain types of certificates. For example, you can list all certificates for subordinate CAs. Note that this search works only for certificates containing the netscape-cert-type extension, which stores type information.

    • For each type, choose from the drop-down list to find certificates where that type is On, Off, or Absent.

  4. To find a certificate with a specific subject name, use the Subject Name section.

    • Select the checkbox, then enter the subject name criteria.

    • Enter values for the fields you want included in your search criteria and leave the others blank.

    The standard tags or components are as follows:

    Email address. To narrow the search by email address, enter the email address in this field.

    Common name. To find certificates associated with a specific person or server, enter the name in this field.

    UserID. The user ID of the person whose certificate you want to find. For example, at many companies the user ID is the name used to log in to the network when starting up a computer.

    Organization unit. To narrow the search to a specific division, department, or unit within an organization, enter the name of the unit in this field.

    Organization. To narrow the search by organization, enter the name of the business, university, or organization in this field.

    Locality. To narrow the search by locality, enter the name of the local area (for example, the name of the city) in this field.

    State. To narrow the search by state or province, enter the name of the state or province in this field.

    Country. To narrow the search by country, enter the two-letter code for the country (for example, US) in this field.

    When you have entered the field values for the server to match, specify the type of search that you want performed:

    • Select Exact to search for certificates that have subject names that match exactly the components you have specified and contain none of the components you have left blank. You cannot use wildcards in this type of search.

    • Select Partial to search for all certificates with subject names that match at least the components you have specified but that may also have any values in the components you have left blank.

      You can specify wildcard patterns in this type of search by using the question mark character (?) to match an arbitrary single character and the asterisk character (*) to match an arbitrary string of zero or more characters.

      Note that placing a single asterisk in a given field in the search form specifies that the corresponding component must be in the certificate's subject name but may have any value whatsoever. To indicate that you do not care if the component is present, leave the field blank.

  5. After entering your search criteria, scroll to the bottom of the form and enter the number of certificates matching your specified criteria that you want to see.

    For a number n, the first n matching certificates are initially displayed.

  6. Click Find.

    The Search Results form appears, showing a list of the certificates that match your search criteria. You can select a certificate in the list and examine it in more detail. For more information, see "Examining Certificates."
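The following Python is an added example, not code from the guide or from Certificate Management System. It implements the Exact and Partial subject-name matching rules of Step 4: Exact requires the filled-in components to match literally and the blank ones to be absent, while Partial treats blank fields as "don't care", supports ? and * wildcards, and makes a lone * require the component to be present. The mapping of form fields to attribute names, the minimal DN splitter and the sample subjects are assumptions made for the example.

```python
import re
from typing import Dict, List

# Form fields of the Subject Name section, mapped to the attribute names
# assumed here for the corresponding subject DN components.
FORM_FIELDS = {"Email address": "E", "Common name": "CN", "UserID": "UID",
               "Organization unit": "OU", "Organization": "O",
               "Locality": "L", "State": "ST", "Country": "C"}

def parse_subject(dn: str) -> Dict[str, str]:
    """Split a simple 'CN=Alice, O=Example, C=US' string into components.
    Constructed helper: no support for escaped commas or multi-valued RDNs."""
    subject = {}
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        subject[attr.strip().upper()] = value.strip()
    return subject

def wildcard_to_regex(pattern: str) -> "re.Pattern":
    """? matches one arbitrary character, * matches zero or more; all else is literal."""
    parts = [("." if ch == "?" else ".*" if ch == "*" else re.escape(ch)) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$")

def subject_matches(subject: Dict[str, str], criteria: Dict[str, str], mode: str) -> bool:
    """criteria maps a form field to what was typed ('' or missing = left blank)."""
    if mode not in ("Exact", "Partial"):
        raise ValueError("mode must be 'Exact' or 'Partial'")
    for field, attr in FORM_FIELDS.items():
        wanted = criteria.get(field, "")
        present = attr in subject
        if mode == "Exact":
            # Blank fields must be absent from the subject; filled fields are literal.
            if wanted == "" and present:
                return False
            if wanted != "" and (not present or subject[attr] != wanted):
                return False
        else:
            # Blank fields are "don't care"; a lone * still needs the component present.
            if wanted == "":
                continue
            if not present or not wildcard_to_regex(wanted).match(subject[attr]):
                return False
    return True

def search_subjects(dns: List[str], criteria: Dict[str, str], mode: str) -> List[str]:
    """Return the subjects (as typed) that satisfy the criteria under the given mode."""
    return [dn for dn in dns if subject_matches(parse_subject(dn), criteria, mode)]

SAMPLE_SUBJECTS = [   # constructed sample subjects
    "CN=Alice Adams, OU=Engineering, O=Example Corp, C=US",
    "CN=Bob Brown, O=Example Corp, C=US",
    "CN=www.example.test, OU=Web, O=Example Corp, L=Mountain View, ST=California, C=US",
    "CN=Alice Adams, O=Other Org, C=DE",
]
```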




Examining Certificates

To examine the details of a certificate, follow these steps:

  1. On the Agent Services page, click List Certificates or Search for Certificates, specify search criteria, and click Find to display a list of certificates.

    For details of how to specify criteria, see "Basic Certificate Listing" and "Advanced Certificate Search."

  2. On the Search Results form, find the particular certificate you want to examine.

    If the certificate you want to see is not shown, scroll to the bottom of the list, specify an additional number n, and click Find. The system displays the next n certificates that match your original search criteria.

  3. When you have found the certificate you want, click the Details button at the left side of its entry.

    The Certificate page appears. It shows the detailed contents of the selected certificate and instructions for installing the certificate in a server or in Netscape Navigator.



The certificate is shown in base-64 encoded form at the bottom of the Certificate page, under the heading "Installing this certificate in a server." In addition to its use with servers, this encoded form of the certificate can be used by CMS administrators and Data Recovery Manager agents for setting up new agents and recovering private encryption keys, respectively. (For more information on key recovery, see "Finding and Recovering Keys" in Chapter 5.)



Revoking Certificates



Only Certificate Manager agents can revoke certificates other than their own. You need to revoke a certificate if one of the following situations occurs:

  • The owner of the certificate has changed status and no longer has the right to use the certificate.

  • The private key of a certificate owner has been compromised.

To revoke one or more certificates, you must search for the certificates you want to revoke using the Revoke Certificates button. While the search is similar to the one invoked by Search for Certificates, the Search Results form returned by this search gives you the option of revoking one or all of the found certificates.


Searching for Certificates to Revoke

To search for one or more certificates to revoke:

  1. Go to the Certificate Manager Agent Services page (see Accessing Agent Services).

    You must submit the proper client certificate to get access to this page.

  2. Click Revoke Certificates.

    The search form that appears has the same search criteria sections as the Search for Certificates form.

  3. Specify the search criteria by selecting the checkboxes for the sections you want to use, then filling in the required information.

    For details on search criteria, see "Advanced Certificate Search."

  4. Scroll to the bottom of the form and select a number of matching certificates to display.

  5. Click Find.

    The search returns a list of matching certificates. You have the option of revoking one or all certificates in the list.




Revoking One or More Certificates

You can revoke an entire list of certificates returned by a search, or select and revoke one of the certificates from the list.


Revoking One Certificate

To revoke a single certificate:

  1. On the Certificate Manager's Agent Services page, click Revoke Certificates, specify search criteria, and click Find to display a list of certificates.

    For details of how to specify criteria, see "Basic Certificate Listing" and "Advanced Certificate Search."

  2. On the Search Results form, find the certificate you want to revoke.

    If the certificate you want to see is not shown, scroll to the bottom of the list, specify an additional number n, and click Find. The system displays the next n certificates that match your original search criteria.

  3. Click the Revoke button next to the certificate that you want to revoke.

  4. Confirm the revocation in the resulting form (see "Confirming a Revocation").


Revoking Multiple Certificates

To revoke all of the certificates found by a search:

  1. On the Certificate Manager's Agent Services page, click Revoke Certificates, specify search criteria, and click Find to display a list of certificates.

    For details of how to specify criteria, see "Basic Certificate Listing" and "Advanced Certificate Search."

  2. On the Search Results page, scroll to the bottom to reach the "Revoke ALL n Certificates" button. The number shown in the button is the total number of certificates returned by the search. Note that this is usually a larger number than the number of certificates displayed on the current page.

  3. Verify that all of the certificates returned by the search should be revoked (not just those displayed on the current page).

  4. Click "Revoke ALL n Certificates" at the bottom of the form.

  5. Confirm the revocation in the resulting form (see "Confirming a Revocation").



    Caution

    Whether you are revoking a single certificate or a list of certificates, be extremely careful that you have selected the correct one or that the list contains only the certificates you want to revoke. Once you confirm a revocation operation, there is no way to undo it.




Confirming a Revocation

When you have requested the revocation of one or more certificates, the Certificate Revocation Confirmation form appears.



To confirm the revocation:

  1. Inspect the details of the certificate and verify that it is the one you want to revoke. If you are revoking more than one certificate, the form shows details of all the listed certificates.

  2. Select a reason for the revocation. The reason applies to all the listed certificates.

  3. Optionally, enter any additional comment. The comment will be included in the revocation request.

  4. Click Submit.

    The revocation request is submitted; it is automatically approved, and the certificate is revoked. You can see revocation requests by listing requests with a status of Completed; see "Listing Certificate Requests."







Managing the Certificate Revocation List

By revoking a certificate, you are notifying other users that the certificate is no longer valid. You make this notification by publishing a list of the revoked certificates, called the certificate revocation list (CRL), to an LDAP directory. This list is publicly available and ensures that revoked certificates are not misused.



    Note

    Certificate Management System is currently the only Netscape server that can check the revocation status of the certificates that it issues. With Certificate Management System, therefore, you can use the certificate revocation status to control access. On other Netscape servers, you must use other forms of access control. For example, you can remove individual users from access groups to prevent them from accessing the server.




Viewing or Examining CRLs

In some cases, you may need to view or examine the CRL, for example, prior to manually updating the directory with the latest CRL.

Only a Certificate Manager agent can view the CRL.

To view or display the CRL:

  1. Go to the Certificate Manager Agent Services page (see Accessing Agent Services). You must submit the proper client certificate to get access to this page.

  2. Click Display Certificate Revocation List to display the form for viewing the CRL.

  3. Select the CRL that you want to view. (If your administrator has created multiple issuing points, you will see them in the "Issuing point" drop-down list. Otherwise, you'll only see the master CRL.)

  4. To examine the selected CRL, click Display.

    The CRL appears in the browser window. You can, for example, check whether a particular certificate appears in the list. You can also note recent changes: the total number of certificates revoked since the last update, the total number of certificates taken off hold since the last update, and the total number of certificates that expired since the last update.


Updating the CRL

Normally, when you revoke a certificate, the CRL is automatically updated. If you are using Certificate Management System with an LDAP directory server, the CRL in the directory is updated automatically.

In some cases, you need to update the CRL manually. For example, you might want to remove expired certificates from the CRL to reduce its size. (Expired certificates do not need to be included in the CRL; they are already invalid because of the expiration date.) You might also want to update the CRL manually after the system has been down for any reason.

Only a Certificate Manager agent can manually update the CRL.

To manually update the CRL:

  1. Go to the Certificate Manager Agent Services page (see Accessing Agent Services). You must submit the proper client certificate to get access to this page.

  2. Click Update Revocation List to display the form for updating the CRL.



  3. Select the algorithm that you want to use to sign the new CRL.

    • MD5 with RSA generates a 128-bit message digest. Most existing software applications that handle certificates support only MD5. This is the default algorithm.

    • SHA-1 with RSA generates a 160-bit message digest. Before choosing SHA-1 with RSA, make sure your applications support it. Netscape Navigator 3.0 (or later) and Enterprise Server 2.01 (or later) support SHA-1.

    • SHA-1 with DSA generates a 160-bit message digest. Before choosing SHA-1 with DSA, make sure your applications support it. Communicator 4.0 (or later) and Netscape server products with a version number greater than 4.0 support it.

    Before selecting an algorithm, make sure that Certificate Management System has the algorithm enabled. Your CMS administrator can let you know whether this is the case.

  4. To examine the CRL before updating it, click Display.

    The CRL appears in the browser window. You can, for example, check whether a particular certificate appears in the list. Use the browser's Back button to return to the Update page.

  5. To update the CRL with the latest certificate revocation information, click Update.


Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated April 02, 2001