Netscape NETSCAPE MANAGEMENT SYSTEM 4.5 Installation And Setup Manual

Installation and Setup Guide
Netscape Certificate Management System
Version 4.5
October 2001
Netscape Communications Corporation (“Netscape”), a subsidiary of America Online, Inc., and its licensors retain all ownership
rights to the software programs offered by Netscape (referred to herein as “Software”) and related documentation. Use of the
Software and related documentation is governed by the license agreement accompanying the Software and applicable copyright law.
Your right to copy this documentation is limited by copyright law. Making unauthorized copies, adaptations, or compilation works
is prohibited and constitutes a punishable violation of the law. Netscape may revise this documentation from time to time without
notice.
THIS DOCUMENTATION IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. IN NO EVENT SHALL NETSCAPE BE
LIABLE FOR INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND ARISING FROM ANY
ERROR IN THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION ANY LOSS OR INTERRUPTION OF BUSINESS,
PROFITS, USE, OR DATA.
Software applications: © 2001 Sun Microsystems, Inc.
Some software code: © 1999, 2001 Netscape Communications Corporation.
All rights reserved.
Netscape and the Netscape N logo are registered trademarks of Netscape Communications Corporation in the United States and
other countries. Other Netscape logos, product names, and service names are also trademarks of Netscape Communications
Corporation, which may be registered in other countries. Other product and brand names are the exclusive property of their
respective owners.
The downloading, exporting, or reexporting of Netscape software or any underlying information or technology must be in full
compliance with all United States and other applicable laws and regulations. Any provision of Netscape software or documentation
to the U.S. Government is with restricted rights as described in the license agreement accompanying Netscape software.
3
Contents
About This Guide ..... 23
  What's in This Guide ..... 23
  What You Should Already Know ..... 26
  Conventions Used in This Guide ..... 27
  Where to Go for Related Information ..... 28
Part 1 Overview and Demo Installation ..... 31
Chapter 1 Introduction to Certificate Management System ..... 33
  Overview of Key Features ..... 34
    Flexible End-Entity Registration Services Framework ..... 38
  System Overview ..... 41
    Public-Key Infrastructure ..... 43
    CMS Subsystems or Managers ..... 44
      Certificate Manager ..... 45
      Registration Manager ..... 47
      Data Recovery Manager ..... 48
      Online Certificate Status Manager ..... 49
    Basic System Configuration ..... 50
    Plug-in Modules ..... 55
      Authentication Plug-in Modules ..... 55
      Policy Plug-in Modules ..... 57
      Job Plug-in Modules ..... 61
      Mapper and Publisher Plug-in Modules ..... 62
    Event-Driven Notifications ..... 64
4 Netscape Certificate Management System Installation and Setup Guide • October 2001
  Auxiliary Components ..... 64
    Command-Line Utilities ..... 65
    CMS SDK ..... 65
  Entry Points for Various Types of Users ..... 66
    Agent Services Interface ..... 68
      Certificate Manager Agent Services ..... 68
      Registration Manager Agent Services ..... 69
      Data Recovery Manager Agent Services ..... 70
      Online Certificate Status Manager Agent Services Interface ..... 71
    End-Entity Services Interface ..... 72
  System Architecture ..... 73
    PKCS #11 ..... 74
    NSS ..... 76
    JSS and the Java/JNI Layer ..... 76
    Middleware/Java 2 Layers ..... 76
    Authentication and Policy Modules ..... 77
  Standards Summary ..... 77
    Certificate Management Formats and Protocols ..... 77
    Security and Directory Protocols ..... 78
Chapter 2 Certificate Enrollment and Life-Cycle Management ..... 81
  Steps in End-Entity Enrollment ..... 81
  Some Enrollment Scenarios ..... 84
    Firewall Considerations ..... 84
    Extranet/E-Commerce: Acme Sales Corp. ..... 85
      Enrolling Existing Customers ..... 86
      Enrolling New Customers ..... 87
      Enrolling Extranet Users ..... 89
    PIN Registration: Atlas Manufacturing ..... 91
    VPN Client Enrollment and Revocation ..... 93
    Router Enrollment and Revocation ..... 96
  End Entities and Life-Cycle Management ..... 98
    Life-Cycle Management Formats and Protocols ..... 98
    Access to Subsystems ..... 99
    HTML Forms for End Users ..... 101
    Netscape Personal Security Manager ..... 102
Chapter 3 Default Demo Installation ..... 105
  System Requirements ..... 106
    Operating System and Software Required ..... 106
    Platform Requirements ..... 106
  Overview of the Default Demo ..... 108
    Demo Passwords ..... 111
  Installing the Default Demo ..... 112
    Step 1. Run the Installation Script—UNIX ..... 112
    Step 1. Run the Installation Script—Windows NT ..... 114
    Step 2. Run the Installation Wizard ..... 122
    Step 3. Get the First User Certificate ..... 135
      Enrolling for the First Agent Certificate ..... 135
      If You Need the First Agent Form Again ..... 137
  Using the Default Demo ..... 138
    Verify the Installation ..... 138
      Viewing Issued Certificates From the Agent Gateway ..... 139
      Enrolling for a Certificate From the End-Entity Gateway ..... 140
      Finding and Approving a Certificate Request ..... 141
      Setting Your Browser to Use the Agent Certificate ..... 142
      Testing Your New Certificate ..... 142
    Create a Policy ..... 143
      Configuring an RSA Key Length Policy ..... 143
    Use an LDAP Directory ..... 145
      Step 1. Enable Directory-Based Authentication ..... 146
      Step 2. Add a User to the Directory ..... 147
      Step 3. Enroll with Directory-Based Authentication ..... 149
    Publish Certificates to an LDAP Directory ..... 150
      Configure the Publishing Destination ..... 151
      Set Rules for Publishing Certificates ..... 153
      Update the Publishing Directory ..... 154
    Send Renewal Reminders ..... 156
      Configuring a Mail Server for Certificate Management System ..... 157
      Configuring Certificate Management System to Send Renewal Reminders ..... 157
Part 2 Planning and Installation ..... 161
Chapter 4 Planning Your Deployment ..... 163
  Topology Decisions ..... 164
    Server Groups and CMS Instances ..... 164
    Single Certificate Manager ..... 165
    Certificate Manager and Registration Manager ..... 166
    Certificate Manager and Data Recovery Manager ..... 168
    Certificate Manager, Data Recovery Manager, and Registration Manager ..... 170
    Cloned Certificate Manager ..... 172
  Certificate Authority Decisions ..... 173
    CA's Distinguished Name ..... 173
    CA Signing Key Type and Length ..... 174
    CA Signing Certificate's Validity Period ..... 174
    Self-Signed Root Versus Subordinate CA ..... 174
    CAs and Certificate Extensions ..... 175
    CA Certificate Renewal or Reissuance ..... 176
  Cryptographic Token Decisions ..... 177
  Publishing Decisions ..... 177
    Publishing Certificates and CRLs to Files ..... 178
    Publishing Certificates and CRLs to a Directory ..... 178
    Publishing CRLs to the Online Certificate Status Manager ..... 179
  Subsystem Certificate Decisions ..... 180
    SSL Server Certificates ..... 180
    Certificate Manager Certificates ..... 180
    Registration Manager Certificates ..... 181
    Data Recovery Manager Certificate and Storage Key ..... 182
    Online Certificate Status Manager Certificates ..... 182
  Authentication Decisions ..... 183
  Policy Decisions ..... 183
  Deployment Strategy and Port Assignments ..... 184
Chapter 5 Installation Worksheet ..... 187
  Information for UNIX Installation Script ..... 188
    Installation Location ..... 188
    Configuration Directory Server ..... 188
    User/Group Directory Server ..... 189
    Configuration Directory Settings ..... 189
    Administration Server Information ..... 190
    Certificate Management System Identifier ..... 191
  Information for NT Installation Script ..... 191
    Installation Directory ..... 191
    Configuration Directory Server ..... 191
    User/Group Directory Server ..... 192
    Configuration Directory Settings ..... 193
    Configuration Directory Server Administrator ..... 193
    Directory Server Administration Domain ..... 193
    Directory Manager Settings ..... 193
    Administration Server Port ..... 194
    Certificate Management System Identifier ..... 194
  Initial Configuration ..... 194
    Internal Database ..... 195
    Administrator ..... 195
    Subsystems ..... 195
    Remote Certificate Manager ..... 196
    Remote Data Recovery Manager ..... 196
    Network Configuration ..... 197
  Certificate Manager Configuration ..... 197
    CA Signing Certificate ..... 197
      CA's Serial Number Range ..... 197
      Key-Pair Information for CA Signing Certificate ..... 198
      Subject Name for CA Signing Certificate ..... 198
      Validity Period for CA Signing Certificate ..... 199
      Extensions for CA Signing Certificate ..... 199
    CA Signing Certificate Request ..... 200
  Registration Manager Configuration ..... 201
    Registration Manager Signing Certificate Request ..... 201
      Key-Pair Information for Registration Manager Signing Certificate ..... 201
      Subject Name for Registration Manager Signing Certificate ..... 202
    Registration Manager Signing Certificate Issuer ..... 202
  Data Recovery Manager Configuration ..... 203
    Transport Certificate ..... 203
      Key-Pair Information for Transport Certificate ..... 203
      Subject Name for Transport Certificate ..... 204
      Validity Period for Transport Certificate ..... 204
      Extensions for Transport Certificate ..... 205
    Transport Certificate Request ..... 206
    Storage Key and Recovery Agent Configuration ..... 206
      Storage Key Creation ..... 206
      Data Recovery Scheme 1 ..... 206
      Data Recovery Scheme 2 ..... 207
  Online Certificate Status Manager Configuration ..... 207
    Online Certificate Status Manager Signing Certificate Request ..... 207
      Key-Pair Information for Online Certificate Status Manager Signing Certificate ..... 208
      Subject Name for Online Certificate Status Manager Signing Certificate ..... 208
    Online Certificate Status Manager Signing Certificate Issuer ..... 209
  Cloned Certificate Manager Configuration ..... 209
    CA Signing Certificate ..... 210
      CA's Serial Number Range ..... 210
      Cloned Key and Certificate Material ..... 210
      SSL Server Key and Certificate ..... 211
  SSL Server Certificate Configuration ..... 211
    SSL Server Certificate ..... 211
      Key-Pair Information for SSL Server Certificate ..... 211
      Subject Name for SSL Server Certificate ..... 212
      Validity Period for SSL Server Certificate ..... 212
      Extensions for SSL Server Certificate ..... 213
    SSL Certificate Request ..... 214
  Single Sign-On Password ..... 214
Chapter 6 Installing Certificate Management System ..... 215
  Installation Overview ..... 215
    Installation Stages ..... 216
    Before You Begin the Installation ..... 217
  Stage 1. Running the Installation Script ..... 219
    Running the Installation Script on UNIX ..... 219
    Running the Installation Script on Windows NT ..... 222
  Stage 2. Running the Installation Wizard ..... 225
    Installing the Certificate Manager as a Root CA ..... 227
    Installing the Certificate Manager as a Subordinate CA ..... 230
    Installing a Standalone Registration Manager ..... 242
    Installing a Standalone Data Recovery Manager ..... 253
    Installing an Online Certificate Status Manager ..... 264
  Stage 3. Enrolling for Administrator/Agent Certificate ..... 275
    Agent Certificate for a Certificate Manager ..... 275
    Agent Certificate for Other CMS Managers ..... 278
  Stage 4. Further Configuration Options ..... 281
  Stage 5. Creating Additional Instances or CA Clones ..... 282
Chapter 7 Installing and Uninstalling CMS Instances ..... 283
  Installing Multiple CMS Instances ..... 284
  Cloning a Certificate Manager ..... 286
    Step 1. Before You Begin ..... 287
    Step 2. Create Instances for Clone CAs ..... 289
      Installing Clone CA in Master CA's Server Group ..... 289
      Installing Clone CA in a Different Server Group ..... 290
      Installing Clone CA on a Separate Host ..... 291
    Step 3. Shut Down the Master CA ..... 291
    Step 4. Copy Master CA's Certificate and Key Database ..... 292
    Step 5. Start the Master CA ..... 292
    Step 6. Configure the Clone CA ..... 292
    Step 8. Establish Trust Between Master CA and Clone CAs ..... 293
      Step A. Locate the Master CA's SSL Server Certificate ..... 294
      Step B. Create a Privileged-User Entry for Clone CAs ..... 296
    Step 9. Test Clone-Master Connection ..... 299
      Step A. Request a Certificate from the Clone CA ..... 299
      Step B. Approve the Request ..... 300
      Step C. Download the Certificate to the Browser ..... 300
      Step D. Revoke the Certificate ..... 301
      Step E. Check Master CA's CRL for the Revoked Certificate ..... 301
    Step 10. Use Master CA's Agent Certificate in Clone CAs ..... 302
  Viewing Instance Information ..... 303
  Changing the Name of an Instance ..... 305
  Removing an Instance From a System ..... 306
  Uninstalling Certificate Management System ..... 308
    Uninstalling From the Command Line ..... 308
    Uninstalling by Using the Windows NT Add/Remove Programs Utility ..... 308
Chapter 8 Starting and Stopping CMS Instances ..... 311
  Starting Certificate Management System ..... 312
    Required Start-up Information ..... 312
      Configuring the Server to Start Without the Single Sign-On Password ..... 313
      Configuring the Server to Read the Single Sign-On Password From a File ..... 314
    Starting From Netscape Console ..... 317
    Starting From the Command Line ..... 318
    Starting From the Windows NT Services Panel ..... 319
  Stopping Certificate Management System ..... 320
    Stopping From Netscape Console ..... 320
    Stopping From the Command Line ..... 321
    Stopping From the Windows NT Services Panel ..... 322
  Restarting Certificate Management System ..... 322
    Restarting From the CMS Window ..... 322
    Restarting From the Command Line ..... 323
  Checking System Status ..... 324
  Attending to an Unresponsive Server ..... 325
  CMS Watchdog Process ..... 325
  Password Cache ..... 326
  Password-Quality Checker ..... 327
Part 3 Configuration ..... 329
Chapter 9 Administration Tasks and Tools ..... 331
  Netscape Console ..... 332
    Console Tab ..... 332
    Users and Groups Tab ..... 333
    Netscape Administration Server ..... 334
      Starting Administration Server ..... 335
      Shutting Down Administration Server ..... 336
  Logging Into Netscape Console ..... 336
  The CMS Window ..... 338
    Tasks Tab ..... 339
    Configuration Tab ..... 339
    Status Tab ..... 342
  Logging Into the CMS Window ..... 343
Chapter 10 CMS Configuration ..... 345
  Effects of Installation Type on Configuration ..... 345
    Duplicating Configuration From One Instance to Another ..... 347
  Locating the Configuration File ..... 348
  Modifying the Configuration ..... 349
    Changing the Configuration From the CMS Window ..... 349
    Changing the Configuration by Editing the Configuration File ..... 349
      Guidelines for Editing the Configuration File ..... 350
    Sample Configuration File ..... 353
  Road Map to Configuring Subsystems ..... 366
    Step 1. Check Which Subsystems Are Installed in the Instance ..... 366
    Step 2. Check the Port Numbers ..... 366
    Step 3. Verify Key Pair and Certificates ..... 366
    Step 4. Set Up Privileged Users ..... 367
    Step 5. Customize End-Entity and Agent Forms ..... 367
    Step 6. Set Up Authentication for End Users ..... 367
    Step 7. Enable Event-Driven Notifications ..... 368
    Step 8. Schedule Jobs ..... 368
    Step 9. Set Up Policies ..... 368
    Step 10. Set Up Publishing ..... 369
    Step 11. Set Up Key Archival and Recovery ..... 369
    Step 12. Set Up Logging ..... 369
    Step 13. Plan for Backing Up CMS Configuration and Data ..... 370
Chapter 11 Setting Up Ports ..... 371
  CMS Ports ..... 371
    Remote Administration Port ..... 372
    Agent Port ..... 373
    End-Entity Ports ..... 373
  Configuring Port Numbers ..... 374
    Step 1. Specify the Port Number ..... 374
    Step 2. Specify IP Addresses ..... 377
Chapter 12 Setting Up Internal Database ..... 379
  Internal Database ..... 379
  Configuring the Internal Database ..... 380
    Step 1. Identify the Directory Server Instance ..... 381
    Step 2. Restrict Access to the Internal Database ..... 382
Chapter 13 Managing Privileged Users and Groups ..... 385
  Privileged-User Types and Responsibilities ..... 386
    Administrators ..... 386
    Agents ..... 387
      Agents' Certificate for SSL Client Authentication ..... 389
      Revocation Status Checking of Agent Certificates ..... 392
    Trusted Managers ..... 394
      Subsystems That Can Function as Trusted Managers ..... 395
      Connectors for Linking Trusted Managers ..... 396
      Trusted Managers' Certificate for SSL Client Authentication ..... 397
  Groups and Their Privileges ..... 398
    Group for Administrators ..... 399
    Groups for Agents ..... 400
      Group for Certificate Manager Agents ..... 400
      Group for Registration Manager Agents ..... 400
      Group for Data Recovery Manager Agents ..... 401
      Group for Online Certificate Status Manager Agents ..... 401
    Group for Trusted Managers ..... 402
  Setting Up Privileged Users ..... 403
    Setting Up Administrators ..... 403
      Step 1. Find the Required Information ..... 403
      Step 2. Add the Information to the Internal Database ..... 403
    Setting Up Agents ..... 406
      Setting Up Agents Using the Automated Process ..... 406
      Setting Up Agents Using the Manual Process ..... 407
    Setting Up Trusted Managers ..... 413
      Setting Up Trusted Managers Using the Automated Process ..... 413
      Setting Up a Registration Manager as a Trusted Manager ..... 414
      Setting Up a Certificate Manager as a Trusted Manager ..... 422
  Changing Privileged-User Information ..... 429
    Changing a Privileged User's Login Information ..... 429
    Changing a Privileged User's Certificate ..... 430
    Changing Members in a Group ..... 431
  Deleting a Privileged User ..... 432
Chapter 14 Managing CMS Keys and Certificates ..... 435
  Keys and Certificates for the Main Subsystems ..... 436
    Certificate Manager's Key Pairs and Certificates ..... 437
      CA Signing Key Pair and Certificate ..... 437
      wTLS CA Signing Certificate ..... 438
      OCSP Signing Key Pair and Certificate ..... 438
      CRL Signing Key Pair and Certificate ..... 439
      SSL Server Key Pair and Certificate ..... 441
12 Netscape Certificate Management System Installation and Setup Guide • October 2001
Remote Administration Server Certificate ..... 443
Registration Manager's Key Pairs and Certificates ..... 445
Signing Key Pair and Certificate ..... 445
SSL Server Key Pair and Certificate ..... 445
Remote Administration Server Certificate ..... 446
Data Recovery Manager's Key Pairs and Certificates ..... 446
Transport Key Pair and Certificate ..... 447
Storage Key Pair ..... 447
SSL Server Key Pair and Certificate ..... 448
Remote Administration Server Certificate ..... 448
Online Certificate Status Manager's Key Pairs and Certificates ..... 449
OCSP Signing Key Pair and Certificate ..... 449
SSL Server Key Pair and Certificate ..... 449
Remote Administration Server Certificate ..... 450
Tokens for Storing CMS Keys and Certificates ..... 450
Internal Token ..... 451
External Token ..... 451
Installing External Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Managing Tokens Used by the Subsystems ..... 454
Viewing Tokens ..... 454
Changing a Token's Password ..... 455
Hardware Cryptographic Accelerators ..... 455
Certificate Setup Wizard ..... 456
Using the Wizard to Request a Certificate ..... 457
Step 1. Select the Operation ..... 457
Step 2. Choose the Certificate ..... 458
Step 3. Specify the Key-Pair Information ..... 460
Step 4. Specify the Subject Name for the Certificate ..... 462
Step 5. Specify the Validity Period ..... 463
Step 6. Specify Extensions ..... 464
Step 7. Copy the Certificate Signing Request ..... 466
Step 8. Check the Certificate Request Status ..... 470
Using the Wizard to Install a Certificate or Certificate Chain ..... 471
Data Formats for Installing Certificates and Certificate Chains ..... 472
Step 1. Select the Operation ..... 473
Step 2. Select the Certificate or Certificate Chain ..... 474
Step 3. Specify the Location of the Certificate ..... 475
Step 4. View the Certificate or Certificate Chain ..... 477
Step 5. Install the Certificate or Certificate Chain ..... 477
Step 6. Verify the Certificate Status ..... 478
Configuring the Server's Security Preferences ..... 478
Configuring the Server to Use Separate SSL Server Certificates ..... 478
Step 1. Get the Required SSL Server Certificates ..... 479
Step 2. Update the Configuration ..... 479
Getting an SSL Client Certificate for a Subsystem ..... 480
Setting Up Cipher Preferences for SSL Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
SSL Ciphers Supported in Certificate Management System ..... 482
Configuring the Server to Use Specific Ciphers ..... 484
Getting New Certificates for the Subsystems ..... 485
Step 1. Plan for the New Certificate ..... 486
Step 2. Request the New Certificate ..... 489
Step 3. Install the New Certificate ..... 489
Step 4. Deploy the New Certificate ..... 490
Deploying Certificate Manager's CA Signing Certificate ..... 490
Deploying Registration Manager's Signing Certificate ..... 491
Deploying Data Recovery Manager's Transport Certificate ..... 492
Deploying a Subsystem's SSL Server Certificate ..... 493
Renewing Certificates for the Subsystems ..... 494
Step 1. Plan for Certificate Renewal ..... 495
Step 2. Renew the Existing Certificate ..... 496
Step 3. Install the Renewed Certificate ..... 497
Step 4. Deploy the Renewed Certificate ..... 497
Deploying Certificate Manager's Renewed CA Signing Certificate ..... 498
Deploying Registration Manager's Renewed Signing Certificate ..... 498
Deploying Data Recovery Manager's Renewed Transport Certificate ..... 499
Deploying a Subsystem's Renewed SSL Server Certificate ..... 501
Step 5. Restart the Server ..... 501
Managing the Certificate Database ..... 502
Viewing the Certificate Database Content ..... 502
Deleting a Certificate From the Certificate Database ..... 504
Changing the Trust Settings of a CA Certificate ..... 505
Installing a New CA Certificate in the Certificate Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Installing a CA Certificate Chain in the Certificate Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Chapter 15 Setting Up End-User Authentication ..... 509
Introduction to Authentication ..... 509
Privileged-User Authentication ..... 510
Authentication of Administrators ..... 510
Authentication of Agents ..... 512
End-Entity Authentication ..... 515
Authentication of End Entities During Certificate Enrollment ..... 515
Authentication of End Users During Certificate Renewal ..... 515
Authentication of End Users During Certificate Revocation ..... 517
Configuring Authentication for End-User Enrollment ..... 521
Step 1. Before You Begin ..... 522
Step 2. Set Up the Directory for PIN-Based Enrollment ..... 523
Step A. Check the Directory for User Entries ..... 523
Step B. Update the Directory ..... 524
Step C. Prepare the Input File ..... 525
Step D. Run the Command Without the Write Option ..... 525
Step E. Check the Output File ..... 526
Step F. Run the Command Again with the Write Option ..... 526
Step 3. Enable the AttributePresentConstraints Policy ..... 526
Step 4. Add an Authentication Instance ..... 529
Step 5. Set Up the Enrollment Interface ..... 534
Step A. Associate the Authentication Instance With the Enrollment Form ..... 534
Step B. Customize the Form ..... 535
Step C. Hook Up the Certificate-Based Enrollment Form ..... 535
Step D. Remove Unwanted Enrollment Options ..... 538
Step 6. Enable End-Entity Interaction ..... 539
Enabling End-Entity Interaction with a Certificate Manager ..... 539
Enabling End-Entity Interaction with a Registration Manager ..... 541
Step 7. Turn on Automated Notification ..... 542
Step 8. Test Your Authentication Setup ..... 542
Step 9. Deliver PINs to End Users ..... 544
Managing Authentication Instances ..... 544
Deleting an Authentication Instance ..... 544
Modifying an Authentication Instance ..... 545
Managing Authentication Plug-in Modules ..... 547
Registering an Authentication Module ..... 547
Deleting an Authentication Module ..... 549
Chapter 16 Setting Up Automated Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551
Automated Notifications ..... 551
Notifications of Certificate Issuance to End Entities ..... 552
Notification of New Request in Queue ..... 553
Customizing Notification Messages ..... 554
Templates for Event-Triggered Notifications ..... 554
Customizing Message Templates ..... 556
Tokens Available in Message Templates ..... 557
Tokens for Certificate Issuance Notifications to End Entities ..... 557
Tokens for Rejection Notifications to End Entities ..... 558
Tokens for Request In Queue Notification Messages ..... 559
Configuring a Subsystem to Send Notifications ..... 559
Step 1. Before You Begin ..... 560
Step 2. Turn On Certificate-Issuance Notification ..... 560
Step 3. Turn on Request in Queue Notification ..... 561
Step 4. Verify Mail Server Settings ..... 563
Step 5. Test Your Configuration ..... 564
Chapter 17 Scheduling Automated Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
Configuring a Subsystem to Run Automated Jobs ..... 565
Step 1. Before You Begin ..... 566
Step 2. Modify Existing Jobs ..... 566
Step 3. Delete Unwanted Jobs ..... 569
Step 4. Add New Jobs ..... 569
Step 5. Schedule the Frequency ..... 573
Step 6. Verify Mail Server Settings ..... 574
Step 7. Test Your Configuration ..... 575
Managing Job Plug-in Modules ..... 575
Registering a Job Module ..... 576
Deleting a Job Module ..... 577
Chapter 18 Setting Up Policies ..... 579
Introduction to Policy ..... 579
What Is Policy? ..... 580
Policy Rules ..... 581
Types of Policy Rules ..... 581
Using Predicates in Policy Rules ..... 582
Expression Support for Predicates ..... 582
Attributes for Predicates ..... 584
Policy Processor ..... 588
Configuring Policy Rules for a Subsystem ..... 589
Step 1. Before You Begin ..... 590
Step 2. Modify Existing Policy Rules ..... 590
Step 3. Delete Unwanted Policy Rules ..... 594
Step 4. Add New Policy Rules ..... 594
Step 5. Reorder Policy Rules ..... 599
Step 6. Restart the Server ..... 600
Step 7. Test Policy Configuration ..... 600
Step A. Enroll for a Certificate ..... 600
Step B. Approve the Request ..... 601
Step C. Check the Certificate Details ..... 601
Using JavaScript for Policies ..... 602
Managing Policy Plug-in Modules ..... 602
Registering a Policy Module ..... 602
Deleting a Policy Module ..... 604
Chapter 19 Setting Up LDAP Publishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
Publishing of Certificates to a Directory ..... 605
Timing of Directory Updates ..... 607
Directory Update Process ..... 609
Directory Synchronization ..... 610
Publishing of CRLs ..... 610
What's a CRL? ..... 611
Reasons for Revoking a Certificate ..... 612
Revocation Checking by Netscape Clients ..... 613
Revocation Checking by Netscape Servers ..... 613
Publishing of CRLs to an LDAP Directory ..... 614
CRL Issuing Points ..... 615
Configuring a Certificate Manager to Publish Certificates and CRLs ..... 615
Step 1. Before You Begin ..... 616
Step 2. Set Up the Directory for Publishing ..... 618
Step A. Verify the Directory Schema ..... 618
Step B. Add an Entry for the CA ..... 619
Step C. Identify an Entry That Has Write Access ..... 621
Step D. Verify Entries for End Entities ..... 621
Step E. Specify the Directory Authentication Method ..... 622
Step F. Modify the Certificate Mapping File ..... 632
Step G. Restart Directory Server ..... 636
Step 3. Configure the Certificate Manager to Publish Certificates ..... 636
Step A. Modify the Default Mappers, Publishers, and Publishing Rules ..... 636
Step B. Add Mappers, Publishers, and Publishing Rules ..... 642
Step 4. Configure the Certificate Manager to Publish CRLs ..... 648
Step A. Specify CRL Details ..... 649
Step B. Set the CRL Extensions ..... 651
Step C. Create a Mapper for the CRL ..... 652
Step D. Create a Publisher for the CRL ..... 653
Step E. Create a Publishing Rule for the CRL ..... 655
Step 5. Identify the Publishing Directory ..... 656
Step 6. Test Certificate and CRL Publishing ..... 658
Step A. Decide a Directory Entry for Requesting a Certificate ..... 659
Step B. Request a Certificate ..... 659
Step C. Approve the Request ..... 659
Step D. Download the Certificate to the Browser ..... 660
Step E. Check if the Directory Has the Certificate ..... 660
Step F. Revoke the Certificate ..... 661
Step G. Check the Directory for the CRL ..... 662
Manually Updating Certificates and CRLs in a Directory ..... 662
Manually Updating Certificates in the Directory ..... 663
Manually Updating the CRL in the Directory ..... 664
Chapter 20 Publishing Certificates and CRLs to a File . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667
Configuring Certificate Manager to Publish to Files ..... 667
Step 1. Before You Begin ..... 668
Step 2. Configure the Certificate Manager ..... 669
Step A. Create a Publisher for the File ..... 669
Step B. Create Publishing Rules for Certificates ..... 671
Step C. Create a Publishing Rule for CRLs ..... 673
Step D. Specify CRL Details ..... 674
Step E. Set the CRL Extensions ..... 676
Step F. Make Sure Publishing is Enabled ..... 678
Step 3. Test Publishing ..... 678
Step A. Request a Certificate ..... 678
Step B. Approve the Request ..... 679
Step C. Download the Certificate to the Browser ..... 680
Step D. Check the File for the Certificate ..... 680
Step E. Revoke the Certificate ..... 682
Step F. Check the File for the CRL ..... 683
Managing Mapper and Publisher Plug-in Modules ..... 685
Registering a Mapper or Publisher Module ..... 685
Deleting a Mapper or Publisher Module ..... 687
Chapter 21 Setting Up an OCSP Responder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689
What's an OCSP-Compliant PKI Setup? ..... 690
How to Get an OCSP Responder? ..... 692
How Certificate Manager's OCSP-Service Feature Works ..... 692
How Online Certificate Status Manager Works ..... 693
How to Get OCSP-Compliant Clients? ..... 694
Setting Up a Certificate Manager with OCSP Service ..... 695
Step 1. Before You Begin ..... 695
Step 2. Install OCSP-Compliant Client ..... 696
Step 3. Enable Certificate Manager's HTTP Port ..... 697
Step 4. Enable Certificate Manager's OCSP Service ..... 699
Step 5. Configure Certificate Manager for Extensions ..... 700
Step 6. Restart the Certificate Manager ..... 702
Step 7. Test Your CA's OCSP Service Setup ..... 703
Step A. Turn On Revocation Checking in the Browser ..... 703
Step B. Request a Certificate ..... 704
Step C. Approve the Request ..... 704
Step D. Download the Certificate to the Browser ..... 705
Step E. Make Sure the CA is Trusted by the Browser ..... 705
Step F. Verify the Certificate in the Browser ..... 706
Step G. Check the Status of Certificate Manager's OCSP Service ..... 706
Step H. Revoke the Certificate ..... 707
Step I. Verify the Certificate in the Browser ..... 707
Step J. Check the Certificate Manager's OCSP Service Status Again ..... 707
Setting Up a Remote OCSP Responder ..... 708
Step 1. Before You Begin ..... 709
Step 2. Install an OCSP-Compliant Client ..... 710
Step 3. Identify the CA to the OCSP Responder ..... 711
Step 4. Configure the Certificate Manager to Publish CRLs ..... 713
Step A. Specify CRL Format and Publishing Interval ..... 713
Step B. Set the CRL Extensions ..... 715
Step C. Create a Publisher for the CRL ..... 716
Step D. Create a Publishing Rule for the CRL ..... 718
Step E. Make Sure Publishing is Enabled ..... 720
Step 5. Configure Certificate Manager for Required Extension Policies ..... 721
Step 6. Configure the Online Certificate Status Manager ..... 723
Step 7. Restart the Certificate Manager ..... 727
Step 8. Restart the Online Certificate Status Manager ..... 728
Step 9. Verify Certificate Manager and Online Certificate Status Manager Connection . . . . . . . 728
Step 10. Test Your OCSP Responder Setup ..... 729
Step A. Turn On Revocation Checking ..... 729
Step B. Request a Certificate ..... 730
Step C. Approve the Request ..... 730
Step D. Download the Certificate to the Browser ..... 731
Step E. Make Sure the CA is Trusted by the Browser ..... 731
Step F. Verify the Certificate in the Browser ..... 732
Step G. Check the Status of Online Certificate Status Manager ..... 732
Step H. Revoke the Certificate ..... 733
Step I. Verify the Certificate in the Browser ..... 733
Step J. Check the Online Certificate Status Manager Status Again ..... 733
Chapter 22 Setting Up Key Archival and Recovery ..... 735
PKI Setup for Key Archival and Recovery ..... 735
Clients That Can Generate Dual Key Pairs ..... 736
Data Recovery Manager ..... 736
Forms for Users and Key Recovery Agents ..... 737
Key Archival Process ..... 737
Why You Should Archive Keys ..... 737
Where the Keys are Stored ..... 738
How Key Archival Works ..... 739
Key Recovery Process ..... 741
Key Recovery Agents and Their Passwords ..... 741
Secret Sharing of Storage Key Password ..... 741
Interface for the Key Recovery Process ..... 742
Local Versus Remote Key Recovery Authorization ..... 743
How Agent-Initiated Key Recovery Works ..... 744
Key Recovery Agent Scheme ..... 747
Changing the Key Recovery Agent Scheme ..... 747
Changing Key Recovery Agents' Passwords ..... 749
Configuring Key Archival and Recovery Process ..... 751
Step 1. Set Up the Key Archival Process ..... 751
Step A. Deploy Clients That Can Generate Dual Key Pairs ..... 752
Step B. Connect the Enrollment Authority and the Data Recovery Manager . . . . . . . . . . . . . . 752
Step C. Customize the Certificate Enrollment Form ..... 753
Step D. Configure Key Archival Policies ..... 757
Step 2. Set Up the Key Recovery Process ..... 758
Step A. Verify the m of n Scheme ..... 758
Step B. Facilitate the Key Recovery Agents to Change the Passwords ..... 759
Step C. Determine the Authorization Mode for Key Recovery ..... 759
Step D. Customize the Key Recovery Form ..... 759
Step E. Configure Key Recovery Policies ..... 759
Step 3. Test Your Key Archival and Recovery Setup ..... 760
Step A. Test Your Key Archival Setup ..... 760
Step B. Verify the Key ..... 762
Step C. Delete the Certificate ..... 762
Step D. Test Your Key Recovery Setup ..... 762
Step D. Restore the Key in the Browser's Database ..... 763
Chapter 23 Managing CMS Logs ..... 765
Introduction to Logs ..... 765
Logs Maintained by the Server ..... 766
Services That Are Logged ..... 767
Log Levels (Message Categories) ..... 768
Log File Locations ..... 769
Log File Naming Conventions ..... 770
Active Log File Naming Convention ..... 770
Rotated Log File Naming Convention ..... 770
Buffered Versus Unbuffered Logging ..... 770
Rotation of Log Files ..... 771
Timing of Log File Rotation ..... 771
Location of Rotated Log Files ..... 772
Deletion of Log Files ..... 772
How to Conserve Disk Space ..... 772
Timing of Log File Deletion ..... 772
Configuring CMS Logs ..... 773
Step 1. Before You Begin ..... 773
Step 2. Modify the Existing Listeners ..... 773
Step 3. Delete Unwanted Listeners ..... 775
Step 4. Create New Listeners ..... 776
Monitoring CMS Logs ..... 779
Monitoring System Logs ..... 780
Monitoring Error Logs ..... 782
Monitoring Audit Logs ..... 784
Using System Tools for Monitoring the Server (Windows NT Only) ..... 786
Logging to Windows NT Event Log ..... 787
Using Event Viewer ..... 787
Avoiding Event Log From Getting Filled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 788
Archiving of Rotated Log Files ..... 789
Signing Log Files ..... 790
Managing Log Modules ..... 792
Registering a Log Module ..... 792
Deleting a Log Module ..... 793
Part 4 Issuing and Managing Certificates ..... 795
Chapter 24 Issuing and Managing Server Certificates ..... 797
Certificate Issuance to Servers ..... 797
How the Manual Server Enrollment Process Works ..... 798
Getting Server SSL Certificates for Netscape Servers ..... 800
Getting Certificates for Version 3.x Servers ..... 800
Step 1. Generate the Server Certificate Request ..... 801
Step 2. Submit the Server Certificate Request ..... 802
Step 3. Install Your Server's SSL Certificate ..... 803
Step 4. Accept a CA as Trusted in Your Server ..... 803
Step 5. Verify Your Server's SSL and CA Certificates ..... 805
Getting Certificates for Netscape Version 4.x Servers ..... 805
Renewal of Server Certificates ..... 807
Revocation of Server Certificates ..... 807
Chapter 25 Setting Up CEP Enrollment ..... 809
CEP Enrollment ..... 809
CEP Enrollment Using the Script ..... 810
Setting up CEP Enrollment Manually ..... 811
Step 1. Set up the Directory for Publishing Certificates and CRLs ..... 812
Step 2. Configure the Certificate Manager for Publishing Certificates and CRLs ..... 813
Step 3. Set Up Automated Enrollment ..... 816
Step 4. Set Up Multiple CEP Services ..... 820
Certificate Issuance to Routers or VPN Clients ..... 821
Step 1. Before You Begin ..... 822
Step 2. Generate the Key Pair for the Router ..... 823
Step 3. Request the CA's Certificate ..... 824
Step 4. Submit the Certificate Request to the CA ..... 824
Example........................................................................... 825
/