Administrator's Guide
Netscape Certificate Management System


Index




A

accelerators 1
active logs
default file location 1
message categories 1
See also logging 1
adding
agents
automated process 1
extensions
to CA certificates 1
to CRLs 1
to end-entity certificates 1
new policy rules 1
adding extensions
to CRLs 1
to end-entity certificates 1
adding new directory attributes 1
Administration Server 1
relationship to Netscape Console 1
starting 1
from the command line 1
administrator/agent, initial enrollment 1
administrators
deleting 1
modifying
group membership 1
port used for operations 1
See also ports 1
tools provided
CMS console 1
Netscape Console 1
Agent Services interface
URL for 1
AgentDirEnrollment instance 1
agents
authorizing remote key recovery 1
deleting 1
enrolling users in person 1, 2
modifying
group membership 1
port used for operations 1
See also ports 1
role defined 1
setting up
automated process 1
See also Agent Services interface 1
algorithm, cryptographic 1
archiving
rotated log files 1
users' encryption private keys 1
Audit log
defined 1
See also logging 1
authentication
certificate-based 1, 2
client and server 1
during certificate revocation 1
used in form signing 1
managing from CMS window 1, 2, 3, 4, 5, 6
password-based 1, 2
See also client authentication 1
See also server authentication 1
authentication modules
agent initiated user enrollment 1, 2
deleting 1
registering new ones 1
authorityKeyIdentifier 1, 2, 3

B

base DN 1
basicConstraints 1, 2
buffered logging 1
built-in plug-in modules
See plug-in modules 1

C

CA
certificate 1
defined 1
hierarchies and root 1
trusted 1
CA certificate mapper 1
CA certificate publisher 1, 2
CA chaining 1
CA cloning 1
CA decisions, for deployment
CA renewal 1
distinguished name 1
root versus subordinate 1
signing certificate 1
signing key 1, 2, 3, 4
CA hierarchy 1
root CA 1
subordinate CA 1
CA scalability 1, 2
CA signing certificate 1, 2
changing trust settings of 1
deleting 1
getting a new one 1, 2
nickname 1
renewing 1
viewing details of 1
CEP 1
CEP enrollment 1
setting up multiple services 1
certificate chains
installing in the certificate database 1
why you should install 1
certificate database
how to manage 1
what it contains 1
where it's maintained 1
Certificate Database tool 1
Certificate Enrollment Protocol (CEP) 1
certificate issuance
to routers 1, 2
an example 1
to servers 1
Netscape 4.x servers 1
to VPN clients 1
Certificate Management System (CMS)
standards supported by 1, 2
Certificate Manager
as root CA 1
as subordinate CA 1
built-in OCSP service 1
CA hierarchy 1
CA scalability 1
chaining to third-party CAs 1
clone CA 1
clones 1
cloning 1, 2
configuring
SMTP settings for notifications 1
to use separate SSL server certificates 1
Data Recovery Manager and 1, 2
Data Recovery Manager and Registration Manager and 1, 2
installed by itself 1
key pairs and certificates
CA signing certificate 1
getting new ones 1
OCSP signing certificate 1
SSL server certificate 1
wTLS CA signing certificate 1
manual updates to publishing directory 1
master CA 1
Registration Manager and 1, 2
serial number range 1
specifying IP address for 1
what to do when exhausts all serial numbers 1
certificate renewal 1
of server certificates 1
certificate request
result of policy processing 1
certificate revocation
authentication during 1
reasons for 1
who can do this 1
Certificate Setup Wizard 1
using to install certificate chains 1
using to install certificates 1
supported data formats 1
using to request certificates 1
certificate-based authentication, defined 1
certificate-based enrollment 1
forms for 1
what you need 1
when to use 1
certificateIssuer 1
certificatePolicies 1
certificates
authentication using 1
CA certificate 1
chains 1
contents of 1
extensions for 1, 2
for wireless applications 1, 2
how to revoke 1
installing 1, 2
issuing of 1
and LDAP Directory 1
management formats and protocols 1
object-signing 1
publishing to files 1
publishing to LDAP directory
required schema 1
overview of renewal 1
revocation reasons 1
revoking 1
S/MIME 1
self-signed 1
serial numbers
what to do when a CA exhausts all 1
verifying a certificate chain 1
X.509 specification 1
changing
CMS instance name 1
DER encoding order of DirectoryString 1
group members 1
trust settings in certificates 1
why would you change 1
Chapter Single Template 1, 2
ciphers
defined 1
client authentication
client SSL certificates defined 1
clone CA 1
cloning 1
Certificate Manager 1
Data Recovery Manager 1
OCSP 1
Online Certificate Status Manager 1
cloning a CA 1
cloning the CA 1
CMC 1
CMC Request utility 1
CMC Response utility 1
HTTP Client utility 1
Setting up client 1
setting up CMCAuth authentication plug-in 1
setting up server for multiple requests 1
CMMF 1
CMS architecture
high availability 1
CMS console
Configuration tab 1
introduction 1
managing logs 1
Status tab 1
Tasks tab 1
using to manage policies 1
CMS data
where it's stored 1
CMS instance
changing the name 1
viewing information 1
installation date 1
on/off/unknown status 1
security level 1
version number 1
CMS window
configuring authentication 1, 2, 3, 4, 5, 6
configuring policies 1
CMS. See Certificate Management System, Cryptographic Message Syntax 1
command-line utilities
for adding extensions to CMS certificates 1
configuration file 1
copying from one instance to another 1
format 1
format for localizable values 1
guidelines for editing 1
name 1
what is ignored by the server 1
when created 1
Configuration tab 1
configuring for high availability 1
connecting subsystems
why would you do this 1
constraints-specific policy modules 1
conventions used in this book 1
creating
agents
automated process 1
CRL Distribution Point extension 1
CRL extension modules
AuthorityKeyIdentifier 1
CRLNumber 1
CRLReason 1, 2, 3
HoldInstruction 1
InvalidityDate 1
IssuerAlternativeName 1
IssuingDistributionPoint 1
CRL publisher 1, 2
CRL signing certificate 1
nickname 1
cRLDistributionPoints 1
CRLNumber 1
CRLs
Certificate Manager support for 1
defined 1
extensions for 1
extension-specific modules 1
issuing or distribution points 1
publishing of 1
publishing to files 1
publishing to LDAP directory 1, 2
required schema 1
publishing to online validation authority 1
supported extensions 1
when automated updates take place 1
when generated 1
who generates it 1
CRMF 1
Cryptographic Message Syntax (CMS) 1
custom plug-ins
for mapping directory entries 1
for policy 1

D

data formats for installing certificate chains 1
binary 1
text 1
data formats for installing certificates 1
binary 1
text 1
Data Recovery Manager
Certificate Manager and 1, 2
Certificate Manager and Registration Manager and 1, 2
cloning the DRM 1
configuring
to use separate SSL server certificates 1
key pairs and certificates
getting new ones 1
list of 1
SSL server certificate 1
storage key pair 1
transport certificate 1
setting up
key archival 1
key recovery 1
specifying IP address for 1
defining custom OIDs 1
deleting
authentication modules 1
certificates from the token
precaution 1
log modules 1
mapper modules 1
policy modules 1
policy rules 1
privileged users 1
publisher modules 1
deltaCRLIndicator 1
deployment planning
CA decisions
CA renewal 1
distinguished name 1
root versus subordinate 1
signing certificate 1
signing key 1, 2, 3, 4
topology decisions 1
DER-encoding order of DirectoryString 1
digital signatures
defined 1
directory
removing expired certificates from 1
directory attributes
adding new 1
supported in CMS 1
distinguished name (DN)
base DN 1
characters allowed in CMS 1
components 1
defined 1
extending attribute support 1
for CA 1, 2, 3, 4, 5
role in certificates 1
CA certificates 1
end-entity certificates 1
root DN 1
DN character support in CMS 1
DN components mapper 1
documentation
conventions followed 1
downloading certificates 1, 2
DSA 1, 2, 3, 4

E

email resolver 1
email, signed and encrypted 1
encrypted file system (EFS) 1, 2
encryption
defined 1
public-key 1
symmetric-key 1
end entities
port used for operations 1
See also ports 1
end-entity certificate publisher 1
end-entity certificates
renewal 1
enrollment
agent initiated 1, 2
in person 1
enrollment, initial administrator/agent 1
Enterprise Security Client (ESC) 1
Error log
defined 1
See also logging 1
expired certificates
removing from the directory 1
Extended Key Usage extension policy
OIDs for encrypted file system 1, 2
extending directory-attribute support in CMS 1
extensions 1, 2
adding to a CA certificate 1
adding to end-entity certificates 1
an example 1
authorityKeyIdentifier 1, 2, 3
basicConstraints 1, 2
CA certificates and 1, 2
certificateIssuer 1
certificatePolicies 1
cRLDistributionPoints 1
CRLNumber 1
deltaCRLIndicator 1
extKeyUsage 1
holdInstructionCode 1
introduction to 1
invalidityDate 1
issuerAltName 1, 2
issuingDistributionPoint 1
keyUsage 1
nameConstraints 1
netscape-cert-type 1, 2
netscape-comment 1
Netscape-defined 1, 2
policyConstraints 1
policyMappings 1
privateKeyUsagePeriod 1
reasonCode 1
structure of 1
subjectAltName 1
subjectDirectoryAttributes 1
subjectKeyIdentifier 1
tool for joining 1
tools for generating 1
X.509 certificate, summarized 1
X.509 CRL, summarized 1
extension-specific policies
remove basic constraints 1
extension-specific policy modules 1
external tokens
defined 1
installing 1
extKeyUsage 1

F

failover 1
failover and load balancing 1
failover architecture 1
file-based publisher 1
FIPS PUBS 140-1 1
flush interval for logs 1
fonts used in this book 1
form signing, defined 1

G

getting new certificates for subsystems 1
groups
changing members 1

H

hardware accelerators 1
hardware tokens
See external tokens 1
HashAuth authentication plug-in 1
high availability 1
holdInstructionCode 1
host name
for mail server used for notifications 1
how to revoke certificates 1
how to search for keys 1
HTTP Client utility 1

I

installation 1
wizard 1, 2, 3, 4, 5
installation date 1
installation script
Unix
complete instructions 1
Installation Wizard
procedures for using 1, 2
installing certificates 1, 2
installing external hardware tokens 1
internal database
default host name 1
precaution for changing the host name 1
defined 1
how to distinguish from other Directory Server instances 1, 2
name format 1, 2
schema 1
what you shouldn't do 1
what is it used for 1
when installed 1
internal tokens 1
invalidityDate 1
IP address 1
issuerAltName 1, 2
issuing certificates
to routers 1, 2
an example 1
to servers 1
Netscape 4.x servers 1
to VPN clients 1
issuingDistributionPoint 1

J

JavaScript policy processor 1
job modules
registering new ones 1
jobs
built-in modules
UnpublishExpiredJob 1
compared to plug-in implementation 1
setting frequency 1
specifying schedule for 1
turning on scheduler 1

K

key archival 1
how it works 1
how keys are stored 1
how to set up 1
PKI setup required 1
where keys are stored 1
why you should archive 1
key length 1, 2, 3, 4
key recovery 1
designated agents
See key recovery agents 1
how to set up 1
interface for agents 1
local vs. remote 1
key recovery agents
passwords 1
significance 1
when specified the first time 1
responsibilities 1
role defined 1
KEYGEN tag 1
keys
defined 1
management and recovery 1
keyUsage 1

L

LDAP 1
LDAP publishing
defined 1
manual updates 1
when to do 1
who can do this 1
See CRLs 1
linked CA 1
load balancing 1
local vs. remote key recovery 1
locating directory entries for publishing
how to write custom plug-ins 1
location of
active log files 1
log modules
deleting 1
registering new ones 1
logging
buffered vs. unbuffered 1
log files
archiving rotated files 1
default location 1
signing rotated files 1
timing of rotation 1
log levels 1
default selection 1
how they relate to message categories 1
how they're represented 1
significance of choosing the right level 1
what it means 1
managing from CMS console 1
services that are logged 1
types of logs 1
Audit 1
Error 1

M

m of n secret sharing 1
mail server used for notifications 1
managing
certificate database 1
policies 1
policy plug-in modules 1
mapper modules
deleting 1
registering new ones 1
mappers
created during installation 1, 2, 3
mappers that use
CA certificate 1
DN components 1
master CA 1
modifying
privileged user's group membership 1

N

nameConstraints 1
naming convention
for internal database instances 1, 2
for policy rules 1
Netscape Console
how to launch 1
introduction 1
relationship to Administration Server 1
viewing CMS instance information 1
netscape-cert-type 1, 2
netscape-comment 1
nickname
for CA signing certificate 1
for CRL signing certificate 1
for OCSP signing certificate 1
for signing certificate 1, 2
for SSL server certificate 1, 2, 3, 4
for transport certificate 1
for wTLS signing certificate 1
notifications
configuring the mail server
host name 1
port 1
to agents about unpublishing certificates 1

O

object identifiers 1
object signing 1
object signing certificates
for third-party tools 1
OCSP 1
cloning the OCSP 1
OCSP publisher 1
OCSP responder 1
defined 1
OCSP server 1
OCSP signing certificate 1
nickname 1
OIDs 1
Online Certificate Status Manager
cloning 1
introduced 1
key pairs and certificates
signing certificate 1
SSL server certificate 1
online certificate validation authority
defined 1

P

password
using for authentication 1
password cache 1
password-based authentication, defined 1, 2
password-quality checker 1
PIN Generator tool
delivering PINs to users 1
PKCS #10 1
PKCS #11 1
PKCS #11 support 1
PKCS #7 1
pkiclient.exe 1
PKIX 1
plug-in modules
for CRL extensions
AuthorityKeyIdentifier 1
CRLNumber 1
CRLReason 1, 2, 3
HoldInstruction 1
InvalidityDate 1
IssuerAlternativeName 1
IssuingDistributionPoint 1
for policy 1
managing 1
RemoveBasicConstraintsExt 1
for publishing
FileBasedPublisher 1
LdapCaCertPublisher 1, 2
LdapCaSimpleMap 1
LdapCrlPublisher 1, 2
LdapDNCompsMap 1
LdapUserCertPublisher 1
OCSPPublisher 1
for scheduling jobs
UnpublishExpiredJob 1
policies in JavaScript 1
policy
built-in plug-in modules 1
constraints-specific modules 1
defined 1
extension-specific modules 1
how to write custom plug-ins 1
managing 1
managing from CMS window 1
processor 1
how it applies rules 1
JavaScript 1
result of processing 1
when used 1
what can you use it for 1
policy modules
deleting 1
registering new ones 1
policy rules
adding new 1
defined 1
deleting 1
how policy processor applies them 1
naming convention 1
predicates in 1
reordering 1
significance of ordering 1
See also predicates 1
types of 1
what each rule does 1
policyConstraints 1
policyMappings 1
ports 1
for agent operations 1
for end-entity operations 1
for remote administration 1
for the mail server used for notifications 1
how to choose numbers 1
predicates
attributes for 1
expression support 1
operators for 1
sample expressions 1, 2
what are they 1
why would you use 1
private key, defined 1
privateKeyUsagePeriod 1
privileged users
deleting 1
modifying privileges
group membership 1
types
agents 1
public key
cryptography 1
defined 1
infrastructure 1
management 1
publisher modules
deleting 1
registering new ones 1
publishers
created during installation 1, 2, 3, 4
publishers that can publish to
CA's entry in the directory 1, 2, 3
files 1
OCSP responder 1
users' entries in the directory 1
CRLs
publishing
See also LDAP publishing 1
publishing
of certificates
to files 1
of CRLs 1
to files 1
to LDAP directory 1, 2
to online validation authority 1
publishing directory
defined 1

R

RA, See Registration Authority 1
reasonCode 1
reasons for revoking certificates 1
recovering users' private keys 1
registering
authentication modules 1
custom OIDs 1
job modules 1
log modules 1
mapper modules 1
policy modules 1
publisher modules 1
Registration Authority, defined 1
Registration Manager
Certificate Manager and 1, 2
Certificate Manager and Data Recovery Manager and 1, 2
configuring
to use separate SSL server certificates 1
key pairs and certificates
getting new ones 1
remote admin server certificate 1
signing certificate 1
SSL server certificate 1
specifying IP address for 1
Remote admin server certificate 1
Remove Basic Constraints extension policy 1
renewal of certificates
See certificate renewal 1
reordering policy rules 1
significance of ordering 1
restarting
Certificate Management System
from the command line 1
revocation-status checking for agent certificates 1
revoking certificates
reasons 1
who can do this 1
roles
agent 1
key recovery agents 1
root CA 1
root DN 1
root versus subordinate CA 1
rotating log files
archiving files 1
how to set the time 1
signing files 1
routers
getting certificates for 1, 2, 3
RSA 1, 2, 3, 4

S

S/MIME certificate 1
scalability 1
SCEP 1
secret sharing of storage key pair 1
security level 1
self-signed certificate 1
server certificate renewal 1
server instance
finding out details 1
server status
off 1
on 1
unknown 1
setting CRL extensions 1, 2
setting up
key archival 1
key recovery 1
signing
rotated log files 1
signing certificate 1, 2
CA 1
changing trust settings of 1
deleting 1
getting a new one 1, 2
nickname 1, 2
renewing 1
viewing details of 1
signing key, for CA 1, 2, 3, 4
single sign-on 1
SMTP settings 1
specifying IP address 1
SSL 1
client certificates 1
SSL server certificate 1, 2, 3, 4
changing trust settings of 1
deleting 1
getting a new one 1, 2
nickname 1, 2, 3, 4
renewing 1
viewing details of 1
starting
Administration Server 1
from the command line 1
Certificate Management System
from the command line 1
Netscape Console 1
Status tab 1
storage key pair 1
secret sharing 1
subjectAltName 1
subjectDirectoryAttributes 1
subjectKeyIdentifier 1
subordinate CA 1
support for DN characters in CMS 1

T

Tasks tab 1
tasks you can accomplish 1
TCP/IP, defined 1
templates
for notifications 1, 2
timing log rotation 1
Token KeyService (TKS) 1
Token Management System 1
ESC 1
TKS 1
TPS 1
Token Processing Service (TPS) 1
tokens
changing password of 1
external 1
See also external tokens 1
internal 1
managing 1
viewing which tokens are installed 1
what are they 1
topology decisions, for deployment 1
transport certificate 1
changing trust settings of 1
deleting 1
getting a new one 1, 2
nickname 1
renewing 1
viewing details of 1
when used 1
trusted CA, defined 1
trusted managers
certificate for SSL client authentication 1
deleting 1
modifying
group membership 1
type styles used in this book 1

U

unbuffered logging 1
uninstalling Certificate Management System 1

V

version number 1
viewing CMS instance information 1
VPN clients
getting certificates for 1

W

when the server was installed 1
why should you revoke certificates 1
wireless CA certificate 1, 2
wireless certificates 1, 2
wizard
See Certificate Setup Wizard 1
writing policies in JavaScript 1
wTLS CA signing certificate 1
nickname 1
wTLS certificates 1, 2

X

X.509 certificates 1



© 2001 Sun Microsystems, Inc. Portions copyright 1999, 2002-2004 Netscape Communications Corporation. All rights reserved.


Last Updated November 23, 2004