iPlanet Certificate Management System Agent's Guide



Chapter 2   Handling Certificate Requests


As a Certificate Manager or Registration Manager agent, you are responsible for handling both manual enrollment requests made by end entities (end users, server administrators, or other CMS subsystems) and automated enrollment requests that have been deferred. This chapter describes the general procedure for handling requests and explains how to handle different aspects of certificate request management.

The chapter has the following sections:

  • Managing Requests

  • Listing Certificate Requests

  • Selecting a Request

  • Approving Requests

  • Sending an Issued Certificate to the Requester

  • Other Options for Handling Requests


Managing Requests

This is the typical procedure for handling certificate enrollment requests:

  1. View the list of pending requests for the Certificate Manager or Registration Manager (see "Listing Certificate Requests").

  2. Select a request from the list to view it and, optionally, assign the request to yourself (see "Selecting a Request").

  3. Process the request (see "Approving Requests" and "Other Options for Handling Requests").

    In processing a request for a certificate, you can choose to take one of the following actions:

    • Approve the request. You can approve a request manually, or it can be approved automatically by policy modules if the request has been authenticated by an authentication module (and if the CMS administrator has configured the system to do this). After a request has been approved, Certificate Management System issues the requested certificate (Certificate Manager) or passes it on to the Certificate Manager for issuance (Registration Manager).

    • Reject the request. You can reject a request manually, or it can be rejected automatically by a policy module if it does not conform to your organization's policies. If the CMS administrator has configured the system to provide automatic notifications to end users, a rejected request will automatically result in such a notification being sent.

    • Cancel the request. You can cancel a request manually, but requests are never cancelled automatically, and users do not receive automatic notification of cancelled requests. Cancellation can be useful, for example, if the user has left the company since submitting the request, or if you have already talked to the user over the phone about the problem and therefore don't need to invoke automatic notification.

    Each of these actions changes the status of the certificate request. If you close the form without taking one of these actions, the request remains in the queue with the same status.

    It's also possible to clone any request, whether it's still pending, canceled, rejected, or completed. This can be useful in a variety of situations. For example, if a user receives a certificate that doesn't work because it has been incorrectly formulated, you can locate the completed request, clone it, and correct it without requiring the user to enroll a second time. Cloning a request gives it a new request ID number and puts it into the list of pending requests, but does not change the status of the original request.

    Figure 2-1 illustrates the process for handling requests and the different types of status for a request.

Figure 2-1    The certificate request management process




Listing Certificate Requests



The Certificate Manager or Registration Manager keeps a queue of all certificate service requests that have been submitted to it. The queue records whether a request is pending, completed, canceled, or rejected. Four types of requests can be in the queue:

  • Enrollment requests

  • Revocation requests

  • Renewal requests

  • Certificate chain requests

As a Certificate Manager or Registration Manager agent, you must review and approve manual enrollment requests; those that require review have a status of Pending.

To see a list of requests:

  1. Go to the Certificate Manager or Registration Manager Agent Services page (see "Accessing Agent Services").

    You must submit the proper client certificate to get access to this page.

  2. Click List Requests at the top of the left frame to view the queue of requests for certificates and to issue those certificates.

    The List Requests form appears.



  3. Choose the type of requests you want to see by selecting one of the following from the "Request type" menu:

    • Show enrollment requests

    • Show renewal requests

    • Show revocation requests

    • Show all requests



  4. Choose the status of requests you want to see by selecting one of the following from the "Request status" menu:

    • Show pending requests

      These are enrollment requests that have not yet been processed but are waiting for manual review. Requests in this state may already be assigned to an issuing agent for processing.

    • Show canceled requests

      These are requests that have been manually canceled by an agent. Users do not receive automatic notification of canceled requests. Cancellation can be useful, for example, if the user has left the company since submitting the request, or if you have already talked to the user over the phone about the problem and therefore don't need to invoke automatic notification.

    • Show rejected requests

      These are requests that have been either manually rejected or rejected automatically during policy processing. If the CMS administrator has configured the system to provide automatic notifications to users, a rejected request will automatically result in such a notification being sent.

    • Show completed requests

      These are requests that have been completed. They include enrollment requests for which certificates have been issued and also completed revocation and certificate chain requests.

    • Show all requests

      This will show all requests of the selected type, regardless of status.

  5. To start the list at a specific place in the queue, enter the starting request identifier in decimal or hexadecimal form.

    Use 0x to indicate a hexadecimal number; for example, 0x2A.

  6. Choose the number of matching requests you want to see. When you specify a number n, the system displays the first n requests after the starting sequence number that matches your specified criteria.

  7. Click Find to display the list of requests that match your specified criteria.

    The Request Queue form appears.




Selecting a Request

To select a request from the queue:

  1. On the Agent Services page, click List Requests, specify search criteria, and click Find to display a list of certificate signing requests.

    See "Listing Certificate Requests" for details.

  2. On the Request Queue form, find the particular request you want to examine.

    If the request you want to see is not shown, scroll to the bottom of the list, specify an additional number n, and click Find. The system displays the next n requests that match your original search criteria.

  3. When you have found the request you want, click Details at the left.

    The Request details form appears, showing detailed information about the selected request. Use this form to approve or otherwise handle the request. For more information, see "Approving Requests" and "Other Options for Handling Requests."



    If the system changes the state of the displayed request, and if you use your browser's Back or Forward buttons or the Go (history) menu to move to another page, the data shown can become out of date. To refresh the data, click the highlighted serial number at the top of the page.



Approving Requests

As an agent, you can approve a certificate request. If the request was made directly to the Certificate Manager, it issues the certificate; if the request was made through a Registration Manager, the Registration Manager passes the approved request on to the Certificate Manager for issuance. Before approving a request, you can assign it to yourself, adjust the attributes of the request, and verify that it will result in a valid certificate. To do these things, use the Request Details form that appears when you examine a selected request (as described in "Selecting a Request"). If you want to reject or cancel the request, see "Other Options for Handling Requests."

The approval and issuing process has the following stages:


Assigning a Request

Before acting on a request, you can assign it to yourself. Assignment is not required; any agent can act on an unassigned request. When a request is assigned to a particular agent, all agents can examine that request, but only the assigned agent can act on it. When a request is assigned to another agent, however, you can choose to reassign it to yourself in order to act on it.

When you view the details of an unassigned request, you can click "assign to me" to assign it to yourself. The request is immediately assigned to you, and the Request Details page reflects the assignment. If you leave the page without approving, rejecting, or canceling the request, the request remains in the queue with the status of Pending, but it is assigned to you.


Adjusting, Verifying, and Approving a Request

Before you verify and approve a request, you can adjust some of the parameters, such as the subject name and validity period.

To adjust, verify, and approve a certificate request:

  1. Select the certificate request from a list of requests, as described in "Selecting a Request."

  2. In the Request Details form, check the Assigned To prompt to see if the certificate request is assigned to you.

    • If the request is unassigned, you can choose to assign it to yourself. Click "assign to me." Your CMS login name appears as the assigned agent, and the "assign to me" link changes to "cancel request assignment."

    • If the request is already assigned to you, you can choose to cancel the assignment. To cancel the request's assignment, click "cancel request assignment." The form then shows that the request is unassigned. You can still act upon an unassigned request.

    • If the request is assigned to another agent, you cannot act on the request unless you reassign it to yourself. Click "re-assign to me." Your CMS login name appears as the assigned agent, and the "re-assign to me" link changes to "cancel request assignment."

  3. To change the subject name, enter a new value in the Subject Name field.

    For example, you might need to change the subject name to prevent duplications or to correct spelling errors. Nothing prevents you from issuing many different certificates with the same subject name. However, in current versions of Netscape software (Netscape Navigator, Netscape Communicator, and Netscape servers), you cannot install more than one certificate with a particular subject name.

  4. If you want to change the validity period, you can set the dates directly using the menus for start and end times, or you can select a predefined period from the "Length of validity period" menu. Making a selection from the "Length of validity period" menu sets the "Not valid after" date based on the "Not valid before" date and your selection.

  5. Use the Extensions section to specify Netscape certificate type bits that you want to be set in the issued certificate.

    • To specify the intended use of the certificate that you are issuing, select one or more types from the list of Netscape certificate types, as described below. If you select any of these types, the equivalent Netscape certificate type bit is set.


      Table 2-1    Netscape certificate type extension

      Type                                        Description

      SSL client                                  Indicates that the certificate is a personal certificate used by Netscape Navigator to establish SSL connections with servers.

      SSL server                                  Indicates that the certificate is a server certificate used by a Netscape server to establish SSL connections with clients.

      Secure Email                                Indicates that the certificate is used by an email application to send and receive signed and encrypted email.

      Object signing                              Indicates that the certificate is used for object signing.

      Subordinate SSL CA                          Allows a CA to sign and issue personal and server certificates. (Available only for CA certificate requests.)

      Subordinate email CA                        Allows a CA to sign and issue certificates for use with signed and encrypted email. (Available only for CA certificate requests.)

      Subordinate executable object-signing CA    Allows a CA to sign and issue object-signing certificates.

    Note that additional extensions can be set by means of policy modules, which must be configured by the CMS administrator.

  6. If you want to add extensions other than Netscape cert type extensions, you can paste a base-64 encoding of the extension in the "Additional Extensions" field.

    You can use the tools provided for generating extensions to include in CA and other certificate requests. For details about these tools, check this directory:

    <server_root>/bin/cert/tools

    The certificate extension text field accepts a single extension blob. If you want to add multiple extensions, use the ExtJoiner program, which is also provided in the above directory, to combine them into one blob first. For details about this tool, see "Extension Joiner Tool" in the CMS Command-Line Tools Guide (listed under "Where to Go for Related Information").

  7. If you want the certificate to be signed using a signature algorithm other than the default, choose an alternative from the "Signature algorithm" drop-down list:

    • MD5 with RSA and MD2 with RSA each generate a 128-bit message digest. MD5 with RSA is the default algorithm, because most existing software applications that handle certificates support only MD5.

    • SHA-1 with RSA generates a 160-bit message digest. Before choosing SHA-1, make sure your applications support it. Netscape Navigator 3.0 (or later) and Enterprise Server 2.01 (or later) support SHA-1. If your users have earlier versions of these applications, choose MD5 as the signature algorithm, or upgrade your users to the most recent version of these applications.

    Before selecting an algorithm, check with your CMS administrator to make sure that Certificate Management System has the algorithm enabled. Note also that MD2 and MD5 have since been shown to be vulnerable to collision attacks and are no longer acceptable for certificate signatures; choose the strongest digest that every relying application supports.

  8. Review the unauthenticated request attributes. These attributes were submitted by the end entity with the enrollment request. Since these attributes do not come from a trusted source (such as an authentication module in the CMS server), they are "unauthenticated." Your site policies may or may not require agents to review or validate any of these attributes.

  9. Review the authenticated attributes. These attributes were generated in the CMS server by authentication or policy plug-in modules. They are considered authenticated since they have been validated by or have originated in the CMS server itself.

  10. If the certificate request is for an SSL client certificate for a CMS manager or a CMS agent, you should indicate this in the last section, labeled Privileges.

    • If the request is for a CMS manager's certificate, select the checkbox labeled "This certificate is for a Trusted Manager."

    • If the request is for a CMS agent's certificate, select the checkbox labeled "This certificate is for a <name of manager> agent" (for example, a Registration Manager agent).

    You must also type a user ID for the new manager or agent. This user ID can be the same one that you specified in the certificate request, or it can be some other ID that you want to use to identify this agent or manager in the CMS window of Netscape Console, such as Agent1 or RMEng.

    Selecting either checkbox binds privileged access to CMS to the certificate you are about to issue, so do this only for requests whose origin you have verified independently of the request itself.

  11. To approve the request and issue the certificate, open the drop-down menu at the bottom of the page, choose "Accept this request," then click Do It.



    If the certificate conforms to policy, a page containing the new certificate appears. It includes instructions on how to help the certificate requester install the new certificate.



    Note: If, after verifying or attempting to issue the certificate, you receive the error message "The requested signature algorithm is not enabled," check with your CMS administrator to make sure that the signature algorithm you selected in Step 7 is supported.
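The "Additional Extensions" field in Step 6 takes a single base-64 encoded DER extension, and a joiner is needed for more than one. The following is an added example, not a CMS tool and not code from this guide: it builds the DER encoding of the Netscape certificate type extension from the type names in Table 2-1, base-64 encodes it for the field, and joins several extensions into one blob. The OID 2.16.840.1.113730.1.1 and the bit positions (SSL client = 0 through object-signing CA = 7, bit 4 reserved) are from the Netscape certificate type definition; that ExtJoiner emits exactly a DER SEQUENCE OF Extension, as join_extensions does here, is an assumption.

```python
# Added example (not part of iPlanet CMS): DER-encode a Netscape certificate
# type extension and join several extensions into one base-64 blob.
import base64

NS_CERT_TYPE_OID = "2.16.840.1.113730.1.1"
# Named bit positions of the nsCertType BIT STRING; bit 4 is reserved.
NS_CERT_TYPE_BITS = {
    "SSL client": 0, "SSL server": 1, "Secure Email": 2, "Object signing": 3,
    "Subordinate SSL CA": 5, "Subordinate email CA": 6,
    "Subordinate executable object-signing CA": 7,
}


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def der_bit_string(bits):
    """Named bit list: bit 0 is the MSB of the first byte, trailing zero bits
    are dropped (DER), and the leading octet holds the unused-bit count."""
    if not bits:
        return tlv(0x03, b"\x00")
    highest = max(bits)
    nbytes = highest // 8 + 1
    value = 0
    for b in bits:
        value |= 1 << (nbytes * 8 - 1 - b)
    return tlv(0x03, bytes([7 - highest % 8]) + value.to_bytes(nbytes, "big"))


def extension(oid, value_der, critical=False):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    body = der_oid(oid)
    if critical:  # DEFAULT FALSE is omitted in DER, so only emit TRUE
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body + tlv(0x04, value_der))


def ns_cert_type_extension(*types, critical=False):
    bits = {NS_CERT_TYPE_BITS[t] for t in types}  # KeyError on an unknown type
    return extension(NS_CERT_TYPE_OID, der_bit_string(bits), critical)


def join_extensions(*exts):
    # Assumed joiner format: SEQUENCE OF Extension (as in X.509 Extensions).
    return tlv(0x30, b"".join(exts))


def to_blob(der):
    """Base-64 text suitable for pasting into the Additional Extensions field."""
    return base64.b64encode(der).decode("ascii")


def from_blob(blob):
    return base64.b64decode(blob)


if __name__ == "__main__":
    print(to_blob(ns_cert_type_extension("SSL client")))
    print(to_blob(join_extensions(ns_cert_type_extension("SSL server"),
                                  ns_cert_type_extension("Secure Email", critical=True))))
```

For a single SSL client bit the encoder produces the 19-byte DER `30 11 06 09 60 86 48 01 86 F8 42 01 01 04 04 03 02 07 80`, which is the conventional encoding of that extension; pasting the base-64 form of any other blob into the field will fail policy processing or, worse, issue a certificate with unintended usage bits, so check the decoded bytes before approving.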




Sending an Issued Certificate to the Requester

When the Certificate Manager has issued a certificate in response to a request, the user who requested it must receive a copy of it to install locally. End users install their own certificates in their client software. Server administrators install their servers' certificates in the servers that they manage.

Depending on how your Certificate Management System is configured, an end user who requests a certificate might receive automatic email notification of the success of the request; this email message contains either the certificate itself or a URL from which the user can get the certificate. In this case, you need not take any further action.

If your system is not configured for automatic certificate-issuance notification, or if the requester is a server administrator, you must either send the issued certificate to the requester or ask the requester to pick it up from the Certificate Manager's end-entity gateway.

Figure 2-2 shows a web page containing a new certificate. This is the page you receive after you choose "Accept this request" and click Do It, as described in Step 11 in "Approving Requests." Before you issue the certificate, you should copy the requester's email address.

Figure 2-2    A newly issued certificate page


To copy and mail a new server certificate to the requester, follow these steps:

  1. Open a new email message composition window and address it to the requester.

  2. From the Agent Services window where the new certificate is displayed, copy only the base-64 encoded certificate. Be sure to include the marker lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

  3. Paste the base-64 encoded certificate into the addressed email message and send the message.

To deliver a new client certificate to the requester, note the serial number of the request you approved, then follow these steps:

  1. Go to the Agent Services gateway, click List Requests in the left frame, enter the serial number for the request that you approved, and click Find.

  2. In the Request Queue form, click Details beside the relevant request, then right-click the certificate serial number and choose Open Frame in New Window from the pop-up menu.

  3. In the new browser window containing the certificate, copy the URL from the Location or Netsite field.

  4. Open a new email message composition window and address it to the requester.

  5. Paste the URL into the body of the message, along with instructions to the effect that the user should go to that URL and click the Import button at the bottom of the page.

Alternatively, you can include the URL for the Agent Services gateway in the email message instead, along with the certificate serial number, and instruct the user as follows:

  1. Click the Retrieval tab. The List Certificates form should appear.

  2. Enter the serial number of the certificate in both serial number fields.

  3. Click Find.

  4. When the Search Results form appears, click Details.

  5. When the certificate appears, scroll down to the bottom of the form and click Import Certificate.
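Step 2 of the server-certificate procedure says to copy only the base-64 certificate together with its BEGIN and END markers, and the client-certificate procedures key everything off the serial number. The following is an added example, not code from this guide or from CMS: it pulls the PEM block out of text copied from the Agent Services window, checks that the base-64 decodes to one complete DER SEQUENCE (a truncated paste fails here), and reads the serial number so it can be quoted to the user in the "0x" form the List Certificates form accepts. SAMPLE_PAGE is constructed for the example and wraps a structurally minimal certificate skeleton (version, serial and signature algorithm only), not a real certificate.

```python
# Added example (not part of iPlanet CMS): extract and sanity-check a pasted
# certificate, then read its serial number for the delivery instructions.
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)

# Constructed sample: outer Certificate SEQUENCE, tbsCertificate SEQUENCE with
# [0] version v3, serialNumber 42 and sha1WithRSAEncryption; nothing else.
SAMPLE_DER = bytes.fromhex(
    "3019"                              # Certificate SEQUENCE, 25 bytes
    "3017"                              # tbsCertificate SEQUENCE, 23 bytes
    "a003020102"                        # [0] EXPLICIT version v3
    "02012a"                            # serialNumber INTEGER 42
    "300d06092a864886f70d0101050500"    # sha1WithRSAEncryption, NULL params
)
SAMPLE_PAGE = (
    "Certificate issued to CN=alice (constructed sample page text)\n"
    "Serial number: 0x2A\n\n-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n\nSend the certificate above to the requester.\n"
)


def extract_pem(text):
    """Return just the PEM block, markers included, from copied page text."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no BEGIN/END CERTIFICATE markers found")
    return "-----BEGIN CERTIFICATE-----\n" + m.group(1).strip() + "\n-----END CERTIFICATE-----\n"


def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of data (truncated paste?)")
    return tag, pos, end


def pem_to_der(pem):
    """Decode the PEM body and insist on exactly one complete SEQUENCE."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    der = base64.b64decode(body, validate=True)
    tag, _, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single complete DER SEQUENCE")
    return der


def serial_number(der):
    """Walk Certificate -> tbsCertificate -> [0] version? -> serialNumber."""
    _, tbs_start, _ = read_tlv(der, 0)
    _, pos, _ = read_tlv(der, tbs_start)
    tag, start, end = read_tlv(der, pos)
    if tag == 0xA0:  # version is OPTIONAL; skip it when present
        tag, start, end = read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    serial = int.from_bytes(der[start:end], "big", signed=True)
    if serial < 0:
        raise ValueError("negative serial number")
    return serial


def serial_for_listing(page_text):
    """Serial number in the 0x form accepted by the List Certificates form."""
    der = pem_to_der(extract_pem(page_text))
    return f"0x{serial_number(der):X}"


if __name__ == "__main__":
    print(extract_pem(SAMPLE_PAGE))
    print("serial:", serial_for_listing(SAMPLE_PAGE))
```

The length check in pem_to_der is the part worth keeping: a certificate that lost its last line in the paste still base-64 decodes, and only the mismatch between the outer SEQUENCE length and the data actually present reveals it.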



Other Options for Handling Requests

If you do not want to issue the certificate in response to a certificate request, you can choose one of the other options from the command menu at the bottom of the Request Details form, then click Do It.

  • Cancel this request changes the state of the request to Canceled. Users do not receive automatic notification of cancelled requests. Cancellation can be useful, for example, if the user has left the company since submitting the request, or if you have already talked to the user over the phone about the problem and therefore don't need to invoke automatic notification.

  • Reject this request changes the state of the request to Rejected, indicating that it was unacceptable for policy reasons. If the CMS administrator has configured the system to provide automatic notifications to end users, a rejected request will automatically result in such a notification being sent.

  • Clone this request creates a copy of the request and gives the copy a new request ID number. The status of the new request is Pending. The status of the original request is not changed: a pending original stays Pending until you accept, cancel, or reject it, and a completed, canceled, or rejected original keeps that status.
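The rules spread over "Managing Requests", "Listing Certificate Requests", "Assigning a Request" and this section amount to a small state machine: only Pending requests can be accepted, rejected or canceled; a request assigned to another agent cannot be acted on until it is reassigned; cloning yields a new Pending request and leaves the original untouched; and the queue is listed by type, status, a decimal or 0x-prefixed starting identifier, and a count n. The following is an added example that models those rules, not code from this guide or from the product; the class and method names (RequestQueue, parse_request_id, find and so on) and the agent identifiers are assumptions made for the illustration.

```python
# Added example (not part of iPlanet CMS): a model of the agent request queue
# enforcing the status, assignment, clone and listing rules from the guide.
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, List, Optional

PENDING, COMPLETED, CANCELED, REJECTED = "pending", "completed", "canceled", "rejected"
TYPES = ("enrollment", "revocation", "renewal", "certificate chain")


def parse_request_id(text):
    """Starting identifier as on the List Requests form: decimal or 0x-hex."""
    text = text.strip()
    if text.lower().startswith("0x"):
        return int(text[2:], 16)
    return int(text, 10)


@dataclass
class Request:
    request_id: int
    kind: str
    status: str = PENDING
    assigned_to: Optional[str] = None
    attributes: dict = field(default_factory=dict)
    cloned_from: Optional[int] = None


class RequestQueue:
    def __init__(self):
        self._ids = count(1)
        self._requests: Dict[int, Request] = {}

    def submit(self, kind, **attributes):
        if kind not in TYPES:
            raise ValueError(f"unknown request type {kind!r}")
        req = Request(next(self._ids), kind, attributes=dict(attributes))
        self._requests[req.request_id] = req
        return req

    def assign(self, request_id, agent):
        # "assign to me" / "re-assign to me": any agent may take over a
        # request assigned to someone else; the old assignment is replaced.
        req = self._requests[request_id]
        req.assigned_to = agent
        return req

    def unassign(self, request_id):
        # "cancel request assignment": the request stays Pending, unassigned.
        self._requests[request_id].assigned_to = None

    def _act(self, request_id, agent, new_status):
        req = self._requests[request_id]
        if req.status != PENDING:
            raise ValueError(f"request {request_id} is {req.status}, not pending")
        # Only the assigned agent may act; an unassigned request is open to anyone.
        if req.assigned_to not in (None, agent):
            raise PermissionError(f"request {request_id} is assigned to {req.assigned_to}")
        req.status = new_status
        return req

    def approve(self, request_id, agent):
        return self._act(request_id, agent, COMPLETED)

    def reject(self, request_id, agent):
        return self._act(request_id, agent, REJECTED)

    def cancel(self, request_id, agent):
        return self._act(request_id, agent, CANCELED)

    def clone(self, request_id):
        # Any request can be cloned whatever its status; the copy is a fresh
        # Pending request with a new ID and the original is left untouched.
        src = self._requests[request_id]
        dup = Request(next(self._ids), src.kind, attributes=dict(src.attributes),
                      cloned_from=src.request_id)
        self._requests[dup.request_id] = dup
        return dup

    def find(self, kind=None, status=None, start="1", n=10) -> List[Request]:
        """List Requests / Find: first n matches at or after the start ID."""
        start_id = parse_request_id(start)
        hits = [r for r in sorted(self._requests.values(), key=lambda r: r.request_id)
                if r.request_id >= start_id
                and (kind is None or r.kind == kind)
                and (status is None or r.status == status)]
        return hits[:n]


if __name__ == "__main__":
    q = RequestQueue()
    a = q.submit("enrollment", subject="CN=alice")
    q.assign(a.request_id, "agent1")
    print(q.approve(a.request_id, "agent1"))
    print(q.clone(a.request_id))
    print([r.request_id for r in q.find(status=PENDING, start="0x1")])
```

The two checks in _act are the security-relevant ones: a completed or rejected request can never be silently re-approved, and an agent who sees a request held by a colleague must visibly reassign it first, which is what leaves a trace of who acted on what.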


Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated April 02, 2001