iPlanet Certificate Management System Installation and Setup Guide



Chapter 24   Issuing and Managing Server Certificates


This chapter explains how you can use iPlanet Certificate Management System (CMS) to issue and manage SSL server certificates.

The chapter has the following sections:

  • Certificate Issuance to Servers

  • Getting Server SSL Certificates for Netscape Servers

  • Renewal of Server Certificates

  • Revocation of Server Certificates


Certificate Issuance to Servers

For Certificate Management System to generate a server certificate, it must receive the certificate signing request (CSR) from the server that needs the certificate. This request must be initiated by the administrator of the specific server requiring the certificate.

SSL-enabled servers (or servers that are capable of using certificates for security) provide mechanisms for generating a CSR based on new or existing key pairs. For example, servers in the Netscape version 4.x server family come with a wizard that walks an administrator through the entire process of requesting a server certificate and installing it in the server's certificate database. For information on this wizard, see "Obtaining and Installing a Certificate" in Managing Servers with Netscape Console.

Once an administrator generates a CSR for a server, he or she must paste it into the appropriate server enrollment form hosted by a Registration Manager or Certificate Manager, and then submit the request. Upon receipt of the request, Certificate Management System responds as follows:

  1. Verifies the validity and authenticity of the request.

    The authentication mechanism that Certificate Management System uses is based on the authentication mechanism specified in the enrollment form the administrator uses to submit the certificate request. For example, if the enrollment form was configured to employ directory-based authentication, Certificate Management System checks the configured directory for the appropriate information. On the other hand, if the enrollment form specifies manual authentication, the request gets queued and awaits approval by an agent.

  2. Subjects the request to policy checks.

    If the request passes all the policy rules, Certificate Management System generates the server certificate and sends it to the email address specified in the server certificate request (the enrollment form includes a field for the administrator to enter this information). Otherwise, the request is rejected and Certificate Management System logs an error message.

Upon receipt of the certificate, the server administrator installs the certificate in the server's certificate database.


How the Manual Server Enrollment Process Works

Figure 24-1 illustrates how Certificate Management System issues a server certificate in a deployment scenario involving a Registration Manager acting as an enrollment authority to a Certificate Manager. The server certificate is requested via a manual enrollment form hosted by the Registration Manager.

Figure 24-1    Server (or site) certificate issuance

These are the steps shown in Figure 24-1:

  1. The server administrator goes to the manual enrollment form hosted by the Registration Manager, pastes in the certificate signing request in PKCS #10 format, completes the other information in the enrollment form, and submits the form.

    (If the enrollment port is HTTPS, the administrator should first visit the link that delivers the CA's certificate chain and import the chain into the browser that he or she will use for server enrollment; otherwise the browser will not trust the SSL certificate presented by the enrollment server.)

  2. The Registration Manager verifies the authenticity of the request. Because the request requires manual authentication, the Registration Manager stores the request in the queue for agent approval.

  3. An agent processes the request and either rejects or approves it.

  4. The Registration Manager picks up the approved request and subjects it to policy checks.

  5. If the request passes the Registration Manager's policy checking, the Registration Manager submits the request to the Certificate Manager for signing. The Certificate Manager verifies the authenticity of the Registration Manager by verifying the certificate presented by it. If it is a trusted Registration Manager, the Certificate Manager accepts the request.

  6. The Certificate Manager subjects the request to its own policy checks.

  7. If the request passes Certificate Manager's policy, it signs the request immediately and returns the certificate to the Registration Manager. The Registration Manager then delivers the certificate to the administrator. Optionally, the Certificate Manager may publish the certificate to the corporate directory.

    If the Certificate Manager's policy requires additional information, the administrator will be directed to return later to pick up the certificate. The administrator may need to query the Registration Manager using the certificate request number to see whether the certificate has been issued. Alternatively, the Registration Manager can be configured to email the user when the certificate is ready for pick up. See "Notifications of Certificate Issuance to End Entities".

  8. The Registration Manager delivers the server SSL certificate to the email address specified in the enrollment form. Optionally, the Registration Manager may publish the certificate to the corporate directory.



Getting Server SSL Certificates for Netscape Servers

To enable a server to establish SSL connections, you need to get a certificate that identifies the server. You can get a certificate for a server by submitting a request to Certificate Management System.

To generate the actual request, you (or the server administrator) need to use the server that requires the certificate. This is required because the private key must be stored with the server that will use it.

The following section explains how to request a server SSL certificate for Netscape servers. The instructions apply mainly to requests from servers other than the CMS subsystem servers, for example, Netscape Enterprise, Administration, and Directory Servers. To request a certificate for a CMS subsystem, follow the instructions in "Getting New Certificates for the Subsystems".


Getting Certificates for Version 3.x Servers

To get a certificate for a server in the Netscape version 3.x server family (for example, Netscape Administration Server 3.x) follow the procedure below:


Step 1. Generate the Server Certificate Request

To generate the certificate signing request (CSR) for a server:

  1. Open a web browser window.

  2. Go to the Administration Server, and use the Server Selector to access the Server Manager for your server.

  3. Follow the directions presented there to generate a new key pair. This is the key pair for which you will request the certificate; the next step uses it to generate the certificate signing request.

    Alternatively, you can use any other tool provided with your server to generate the key pair; see the documentation for your server.

  4. Once you have generated a key pair, follow the directions presented to generate a certificate signing request (CSR).

  5. In the Certificate Authority field, enter your own email address.

    The server mails the request to the address specified in this field.

  6. Submit the form.

    The server generates and displays a CSR.

  7. Copy the CSR, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- marker lines, to a text file. For example:

    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIIBBzCBsgIBADBPMQswCQYDVQQGEwJVUzEoMCYGA1UEChMfTmV0c2NhcGUgRGlyZWN0b3J5IFB1YmxpY2
    F0aW9uczEWMBQGA1UEAxMNZHVtcC5tY29tLmNvbTBaMA0GCSqGSIb3DQEBAQU2nfjiMEYCQQCksMRaLGdf
    p4m0OiGcgijG5KgOsyRNvwGYW7kfW+8mmijDtZRjYNjjcgpF3VnlsbxbclX9LVjjNLC57u37XZdAgEDoAA
    wDQYJKoZIhvcNAQEEBQADQQCYUTnUtCVGyNrYGSfydclqiovxy1fRD1z23zg+eBPK7n85UyE4r5zGZjDsM
    Yr172ytfAFL7DeG83DWzr8Z
    -----END NEW CERTIFICATE REQUEST-----

    Next, you need to paste this request into the server enrollment form hosted by Certificate Management System.


Step 2. Submit the Server Certificate Request

To submit the server certificate request to Certificate Management System:

  1. Open a web browser.

  2. Go to the server enrollment form (the page that allows you to submit a server certificate request).

    By default, the enrollment forms are at this location: https://<hostname>:<end_entity_HTTPS_port> or http://<hostname>:<end_entity_HTTP_port>

  3. In the Enrollment tab, under Server, select SSL Server.

    The form for requesting an SSL server certificate appears.

  4. Complete the request form with the information that Certificate Management System needs to create a certificate for your server.

    In general, you will be required to enter the following information:

    • In the certificate request text area, paste the CSR that you copied to the text file, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- marker lines.

    • In the contact information section, enter values to identify yourself. These values will be used by the CA, if the need arises. For example, if there are any questions or problems with the certificate request, the CA administrator or agent will use this information to contact you. Also, be sure to enter your email address. This is the address where the CA will send the certificate once it has been issued.

    • In the additional comments section, enter any additional information that might help the issuing agent process the request. For example, you might want to enter the name of the person who instructed you to obtain a certificate or some other administrative information.

  5. Submit the request.

You should receive notification from Certificate Management System or an issuing agent (depending on which enrollment form you used) when your request is processed. The notification will contain your certificate, along with information on how to install the new certificate into your server. The notification may also mention that you need to install the CA's certificate as a trusted CA. Check the notification message for details.


Step 3. Install Your Server's SSL Certificate

To install the server SSL certificate on your server:

  1. Open a web browser window.

  2. Go to the Administration Server, and use the Server Selector to access the Server Manager for your server.

  3. Follow the directions presented there to install the certificate.

    In general, you will be required to specify or enter the following information:

    • Whether the certificate is for this server. Be sure to select the option that says the certificate is for this server.

    • A name (or nickname) for the certificate. This name will be displayed in the list of certificates installed on this server.

    • The certificate, in base-64 encoded format. Open the email sent to you by the CA, locate and copy the portion that begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----, and paste it into the text area in the form.

    • The encryption alias. Enter the alias for your server.

  4. Follow the prompts and add the certificate to your server's certificate database.

    The server decodes the pasted text, extracts the certificate, and saves it to the directory you specified.

  5. Stop and restart Administration Server for the changes to take effect.


Step 4. Accept a CA as Trusted in Your Server

In both Netscape clients and servers, CAs can be either trusted or untrusted. If a CA is trusted, Netscape clients and servers accept the certificates that have been issued by that CA. For the server to accept (during SSL client authentication) client certificates that have been issued by Certificate Management System, you must import its certificate chain into the certificate database of your server.

To view this chain in a format that can be used by Netscape servers:

  1. Go to the home page of Certificate Management System.

    By default, the home page is at this location: https://<hostname>:<end_entity_HTTPS_port>

  2. Click Accept "This Authority in Your Server."

  3. Specify how you want Certificate Management System to display the certificate chain.

    You can choose to display the entire certificate chain (in a single block) or the individual certificates in the chain. The entire certificate chain is in PKCS #7 format. If you are using an older server that does not recognize the complete certificate chain format (for example, a Netscape server release earlier than 2.0), you may need to display each certificate in the chain individually.

  4. Specify how you want to trust this CA.

    You can choose to trust only the CA you are accessing or all authorities whose certificates are included in the chain.

  5. Click Present Certificate Chain.

    If you chose to display the whole chain for importing into your server, the certificate chain is displayed in a format similar to this:

    -----BEGIN CERTIFICATE-----
    MIIBtgYJYIZIAYb4QgIFoIIBpzCCAZ8wggGbMIIBRaADAgEAAgEBMA0GCSqGSIb3DQEBBAUAMFcxCzAJBg
    NVBAYTAlVTMSwwKgYDVQQKEyNOZXRzY2FwZSBDb21tdW5pY2F0aW9ucyBDb3Jwb3JhdGlvbjEaMBgGA1UE
    CxMRSXNzdWluZyBBdXRob3JpdHkwHhcNOTYxMTA4MDkwNzM0WhcNOTgxMTA4MDkwNzM0WjBXMQswCQYDVQ
    QGEwJVUzEsMCoGA1UEChMjTmV0c2NhcGUgQ29tbXVuaWNhdGlvbnMgQ29ycG9yYXRpb24xGjAYBgNVBAsT
    EUlzc3VpbmcgQXV0aG9yaXR5MFowDQYJKoZIhvcNAQEBBQADSQAwRgJBAOBiQPcK8851jjQXA2GBsaKNFg
    6pYaM3qhQhM0w5EIy6P1ttMjc5MlPIzZHdlgNdQLzaNoLMVKjOV5sBp+ffkCAQMwDnnhup9mvbhgh
    -----END CERTIFICATE-----

  6. Open a new web browser window.

  7. Go to the Administration Server, and use the Server Selector to access the Server Manager for your server.

  8. Follow the directions presented there to install the certificate chain.

    In general, you will be required to specify or enter the following information:

    • Whether the certificate is for this server or a trusted CA. Be sure to select the option that says the certificate is for a trusted certificate authority (CA).

    • A name (or nickname) for the certificate chain. This name will be displayed in the list of certificates installed on this server.

    • The certificate chain, in PKCS #7 format. In the original browser window (the window displaying the encoded certificate chain), copy the portion that begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----, and paste it into the message text area in the form.

  9. Save your changes.

  10. Stop and restart your Administration Server.


Step 5. Verify Your Server's SSL and CA Certificates

Before activating your server for SSL connections, you can verify whether you have installed your server's SSL and CA certificates correctly.

  1. Open a web browser window.

  2. Go to the Administration Server, and use the Server Selector to access the Server Manager for your server.

  3. Follow the directions there to get to the area that allows you to manage your server's certificates.

  4. Scroll to the bottom of the list to find the SSL and CA certificate chain you installed (identified by the nicknames you specified).

    If you find both of them, your server is ready for SSL configuration. If not, you must go through the steps again to correctly install whichever certificate is missing.


Getting Certificates for Netscape Version 4.x Servers

For Netscape version 4.x servers, you can use the Certificate Setup Wizard provided by Netscape Console to get new certificates, renew existing certificates, and install certificates in the database of a server. For information about this wizard, see Managing Servers with Netscape Console.

Note that there are two ways in which you can submit the certificate signing request to Certificate Management System:

  • Submit the request (which is in the form of a base-64 encoded blob) directly from the wizard; in this method, you need not copy the request to a text file.

  • Submit the request manually by pasting the request (which is in the form of a base-64 encoded blob) into the Certificate Manager's server enrollment form; in this method, you need to copy the request when the wizard displays it.

When the wizard generates the certificate signing request for the key size and type you specified, you're presented with the opportunity to choose how you want to submit the request to the CA. The choices include the following:

To CA's email address. This option allows you to send the CSR to the CA administrator's email address. The administrator will then be required to submit the request to the CA by pasting the CSR in the CA's server enrollment form.

To CA's URL. This option allows you to submit the CSR to the CA directly. To submit the CSR to the Certificate Manager, enter one of the following URLs, depending on the end-entity port you want to use:

http://<CA's_hostname>:<end_entity_port>/enrollment or
https://<CA's_hostname>:<end_entity_SSL_port>/enrollment

Note that the request submitted to the CA's URL gets queued for approval by the Certificate Manager agent.

To submit the server certificate request to Certificate Management System manually:

  1. Open a web browser window.

  2. Go to the End Entity Services interface of the Certificate Manager (or a Registration Manager that's connected to the Certificate Manager) by entering either of these URLs:

    https://<hostname>:<end_entity_HTTPS_port> or http://<hostname>:<end_entity_HTTP_port>

  3. In the left frame, under Server, select SSL Server.

  4. In the server-enrollment form that appears, enter the required information:

    PKCS#10 Request. Paste the base-64 encoded blob, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- marker lines, you copied to the text file earlier.

    Name. Type your name.

    Email. Type your business email address, for example, jdoe@someCompany.com.

    Phone. Type your business phone number.

    Additional Comments. Type any information that will help you identify this request in the future or will help the person who will process this request.

  5. Click Submit.



Renewal of Server Certificates

Every certificate issued by Certificate Management System has a validity period that determines its expiration date. The validity period of a certificate is determined by the validity constraints policy settings at the time the certificate was issued (see section "ValidityConstraints Plug-in Module" in CMS Plug-ins Guide). For a certificate to be valid beyond its expiration date, it must be renewed. Otherwise, the certificate becomes invalid, and the entity owning the certificate will no longer be able to use it. Also, the expired certificate will take up space in your publishing directory and in the internal database of Certificate Management System.

Note that the Job scheduler component of Certificate Management System enables you to schedule a job for removing expired certificates from the publishing directory. For details, see "Configuring a Subsystem to Run Automated Jobs".

Certificate Management System allows server administrators to renew their certificates by using the server enrollment form hosted by a Certificate Manager or Registration Manager. The renewal process is similar to the enrollment process in that the administrators must manually generate the certificate-signing request using the server's key pair, paste that request in the manual enrollment form, and submit the request. For details, see "Certificate Issuance to Servers".

For renewing the certificates of a Certificate Manager, Registration Manager, or Data Recovery Manager, see "Renewing Certificates for the Subsystems".



Revocation of Server Certificates



Certificate Management System allows a certificate to be revoked by an end user (the original owner of the certificate), a server administrator, or by a Certificate Manager or Registration Manager agent. End users can revoke certificates by using the Revocation form provided in the end-entity services interface. Agents can revoke end-entity certificates by using the appropriate form in the Agent Services interface. Certificate-based (SSL client authentication) or challenge-password-based authentication is required in both cases; for details, see "Authentication of End Users During Certificate Revocation".

  • An end user can revoke only those certificates that contain the same subject name as in the certificate presented for authentication; if using a challenge password, the user can revoke only the certificate that is associated with that password. After successful authentication, the server lists the certificates belonging to the end user. The end user can then select the certificate to be revoked or can revoke all certificates in the list. The end user can also specify additional details, such as the date of revocation and revocation reason for each certificate or for the list as a whole. For instructions on how end users revoke their certificates, see the online help available by clicking the Help buttons on the end-entity forms.

  • Agents can revoke certificates based on a range of serial numbers or based on one or more subject name components. Upon submission of the revocation request, the agent receives a list of certificates from which she or he can pick the ones to be revoked. For instructions on how agents revoke end-entity certificates, see CMS Agent's Guide.

Upon receiving the list of certificates to be revoked, the Registration Manager formulates a CMMF request and sends it to the Certificate Manager. The Certificate Manager marks the corresponding certificate records in its certificate store (maintained in the internal database) as revoked and if configured to do so, removes the revoked certificates from the publishing directory and updates the CRL in the publishing directory.
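The server-certificate life cycle described in this chapter, as one runnable script: the CSR generation of Step 1, the request verification and policy checks that the Registration Manager or Certificate Manager performs under "Certificate Issuance to Servers", issuance, the PKCS #7 chain handling of Step 4, the post-install checks of Step 5, and finally the revocation and CRL update described just above. This is an added example written with the openssl command line; it is not code from the iPlanet guide or from Certificate Management System, whose web forms it stands in for. It assumes openssl 1.1.1 or later is on the PATH; the host name www.example.com, the DN values, the file names (ca.cnf, index.txt, ext.cnf) and the 2048-bit minimum key size are hypothetical choices for the example. It goes beyond the chapter's steps in one respect: after issuing the certificate it revokes it and shows that chain verification against the CA's fresh CRL then fails.

```shell
#!/bin/sh
# Added example (not from the iPlanet CMS guide): CSR generation, CA-side
# checks, issuance, chain import, post-install verification and revocation
# with the openssl CLI.  Assumes openssl 1.1.1+.  Host name, DN values,
# file names and the 2048-bit minimum are hypothetical.

MIN_RSA_BITS=2048

# Step 1 (server administrator): key pair plus PKCS #10 CSR.  The private key
# stays on the server; only the CSR is sent to the CA.
gen_csr() {                     # gen_csr <key-out> <csr-out> <cn> [<bits>]
    openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:${4:-2048}" \
        -out "$1" 2>/dev/null &&
    openssl req -new -key "$1" -subj "/C=US/O=Example Corp/CN=$3" -out "$2"
}

# What the Registration or Certificate Manager does on receipt: check the
# CSR's self-signature (proof the requester holds the private key) and apply
# policy before an agent ever sees the request.  Prints accept/reject.
check_csr() {                   # check_csr <csr> <expected-cn>
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 ||
        { echo "reject: CSR signature does not verify"; return 1; }
    bits=$(openssl req -in "$1" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge "$MIN_RSA_BITS" ] ||
        { echo "reject: RSA key is ${bits:-?} bits, policy requires $MIN_RSA_BITS"; return 1; }
    openssl req -in "$1" -noout -subject | grep -q "CN *= *$2\$" ||
        { echo "reject: subject CN does not match requested host $2"; return 1; }
    echo "accept: $2, RSA $bits bits"
}

# A test CA playing the Certificate Manager's role: self-signed CA cert, an
# empty issuance database, a minimal [ca] config and an initial (empty) CRL.
ca_setup() {                    # ca_setup <ca-key-out> <ca-cert-out> <crl-out>
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null &&
    openssl req -x509 -new -key "$1" -days 365 \
        -subj "/C=US/O=Example Corp/CN=Example Issuing CA" -out "$2" &&
    : >index.txt &&
    printf '[ca]\ndefault_ca=demo\n[demo]\ndatabase=index.txt\ncertificate=%s\nprivate_key=%s\ndefault_md=sha256\ndefault_crl_days=7\n' "$2" "$1" >ca.cnf &&
    openssl ca -config ca.cnf -gencrl -out "$3" >/dev/null 2>&1
}

# Agent approval plus Certificate Manager signing: issue a server-only
# certificate (CA:FALSE, serverAuth, SAN for the host) from the approved CSR.
issue_cert() {                  # issue_cert <csr> <ca-key> <ca-cert> <cert-out> <cn>
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$5" >ext.cnf &&
    openssl x509 -req -in "$1" -CA "$3" -CAkey "$2" -CAcreateserial -days 90 \
        -extfile ext.cnf -out "$4" 2>/dev/null
}

# Step 4: CMS presents the CA chain as PKCS #7; a server that cannot import
# that format needs the individual certificates.  Prints how many it found.
chain_to_pem() {                # chain_to_pem <ca-cert> <p7-out> <pem-out>
    openssl crl2pkcs7 -nocrl -certfile "$1" -out "$2" &&
    openssl pkcs7 -in "$2" -print_certs -out "$3" &&
    grep -c 'BEGIN CERTIFICATE' "$3"
}

# Step 5: the installed certificate must chain to the imported CA, carry the
# server's host name, not be revoked in the CA's current CRL, and not be
# within the renewal window (7 days here).
verify_install() {              # verify_install <ca-cert> <crl> <server-cert> <cn>
    openssl verify -CAfile "$1" -CRLfile "$2" -crl_check \
        -verify_hostname "$4" "$3" >/dev/null 2>&1 &&
    openssl x509 -in "$3" -noout -checkend 604800 >/dev/null
}

# Revocation: mark the certificate revoked in the CA database and publish a
# fresh CRL, the effect the Certificate Manager produces on an agent's request.
revoke_cert() {                 # revoke_cert <server-cert> <crl-out>
    openssl ca -config ca.cnf -revoke "$1" >/dev/null 2>&1 &&
    openssl ca -config ca.cnf -gencrl -out "$2" >/dev/null 2>&1
}

demo() {
    cd "$(mktemp -d)" || return 1
    ca_setup ca.key ca.pem ca.crl
    gen_csr server.key server.csr www.example.com
    check_csr server.csr www.example.com
    issue_cert server.csr ca.key ca.pem server.pem www.example.com
    chain_to_pem ca.pem chain.p7b chain.pem
    verify_install ca.pem ca.crl server.pem www.example.com && echo "installed: OK"
    revoke_cert server.pem ca.crl
    verify_install ca.pem ca.crl server.pem www.example.com || echo "after revocation: rejected"
    gen_csr weak.key weak.csr www.example.com 1024     # fails policy before signing
    check_csr weak.csr www.example.com || true
}
demo
```

Every function returns a non-zero status on the first failing check, so the same functions can gate an automated enrollment pipeline; the policy values in check_csr are the place to encode whatever the Certificate Manager's policy rules require.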


Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated April 02, 2001