Netscape Certificate Management System 4.5 Release Notes

Netscape Certificate Management System Release Notes

Version: 4.5

Updated on: October 10, 2001

These release notes contain important information available at the time of the Version 4.5 release of Netscape Certificate Management System (CMS). New features and enhancements, installation notes, known problems, and other late-breaking issues are addressed here. Read this document before you begin using Certificate Management System.

Check with technical support prior to installing and setting up your software and then periodically thereafter to obtain the latest release notes and manuals.

These release notes contain the following sections:

What's New in This Release
Software/Hardware Requirements
CMS Documentation
Installation Procedure
Upgrading From a Previous CMS Version
Important Notes and Known Bugs
For More Information

What's New in This Release


Feature	Description/Notes
Bug fix #557698	In previous versions, CMS attempted a reverse DNS lookup when accepting a new connection. If no DNS was available, the system would work very slowly. This is now fixed.
Bug fix #558479	This fix makes the OCSP request parsing more rebust, so it can handle request from a wider variety of OCSP clients.
Bug fix #545900	SCEP enrollment can now be used with a CA configured with a PKCS#11 HSM.
Bug fix #551320	The LdapEnhancedMap mapper plug-in is now provided in the CMS mapper plugin registration area (this was originally sample code in previous versions of CMS).
Bug fix #551549	A security fix to prevent unauthorized revocations.
Bug fix #552223	A security fix to prevent unauthorized revocations.
Bug fix #553256	In PinBasedEnrollment, the parameter used to specify the pin attribute (`pinAttr`) was ignored. This fix corrects this behaviour.
Bug fix #552345	In the previous version of CMS, the server was inconsisent when constructing PKCS#7 certificate chains. Sometimes, the end-entity certificate was first, sometimes it was last. This fix makes the behaviour consistent - the end-entity certificate is always first in the chain, followed by its successive signers. This is to improve interoperability with PKI applications which rely on the cert chain ordering.
Bug fix #558480	CMS sometimes rendered an incorrect HTML response with the Netscape 6 browser. This behaviour is now fixed.
Bug fix (bugzilla) #63961	IE and Netscape 6 includes a feature to remember passwords a user submits in an HTML form. This is seen as undesirable in the CA enrollment page, so it is turned off by adding attributes to the HTML form.
Bug fix #558492	This fix improves the reliablity of email notification. Previously, if an error was encountered while sending email to a set of users, the entire job was aborted.
Bug fix #558261	This fix improves scaling of CMS to handle large numbers of agents.
Feature - Allow administrators to disable selected servlets	The CMS SDK now includes documentation on how to disable servlets. This is useful if you need to prevent the end-entity from searching or revoking their certificates.
Feature - Allow administrators to disallow putting certificates 'on hold'	The administrator can now configure the RevocationConstraints policy with the parameter 'allowOnHold' to disallow users from putting their certificates on hold.
Feature - Allow end user to import, download, and view delta-CRLs	CMS now provides a user interface to view and download Delta CRLs.
Feature - Make CMS start when rebooting NT without having to login as a user	CMS can run automatically when either an NT or Unix system boots, without having a user login. Instructions for setting this up is included in the 'misc' folder in the CMS SDK.
Feature - Improve Random Number Generator entropy by collecting UI events during installation wizard	CMS now collects additional mouse events from the user during installation to provide additional entropy to the CMS Random Number Generator.

Software/Hardware Requirements


Solaris Platform Requirements
OS Version	Solaris 2.6 or 8 (with relevant Java 2 patches )
Machine	Ultra 10 or faster
RAM	128 MB (required)
Hard disk storage space requirements	Total required is approximately 400 MB, as follows: Total transient space required during installation: 100 MB Hard disk storage space required for installation: Space required for setup, configuration, and running the server: approximately 250 MB Additional space to allow for database growth in pilot deployment: approximately 50 MB Total disk storage space for installation: approximately 300 MB
Other Requirements	You must install as `root` in order to use well-known port numbers (such as 443) that are less than 1024. If you do not plan to use port numbers less than 1024, you do not need to install as `root`. If you plan to run as `root`, you should also install as `root` and specify `nobody` as the default run-as user and group
Windows NT Platform Requirements
OS Version	Windows NT 4.0 with Service Pack 6a, or Windows 2000 Server SP2
Machine	Pentium 350 or faster
File system	NTFS
RAM	128 MB of RAM (recommended)
Hard disk storage space requirements	Total required is approximately 350 MB, as follows: Total transient space required during installation: 100 MB Hard disk storage space required for installation: Space required for setup, configuration, and running the server: approximately 200 MB Additional space to allow for database growth in pilot deployment: approximately 50 MB Total disk storage space for installation: approximately 250 MB
Other Requirements	On a Windows system, you must install as `Administrator` or a user with `Administrator` privileges (that is, the user must be in the `Administrators` group).

CMS Documentation

The complete set of CMS documentation for this release includes the following:

CMS Release Notes (this document) -- The release notes contain information on new features of this release, software/hardware requirements for installing the product, important notes and known bugs, last-minute product information, and how to send feedback.

CMS Installation and Setup Guide -- This guide describes how to plan for, install, and configure Certificate Management System. Read this guide first, after you've read these release notes. Both HTML and PDF versions of this guide are provided.

CMS Plug-ins Guide -- This guide provides detailed reference information on CMS plug-in modules, such as the ones provided for authentication, policy, publishing, and so on. Both HTML and PDF versions of this guide are provided.

CMS Command-Line Tools Guide -- This guide provides detailed reference information on CMS tools. Both HTML and PDF versions of this guide are provided.

CMS Customization Guide -- This guide provides reference information on customizing the HTML-based agent and end-entity interfaces. Both HTML and PDF versions of this guide are provided.

CMS Agent's Guide -- This guide provides an overview of the CMS Agent Service interface and explains how to use the interface to perform agent tasks. Both HTML and PDF versions of this guide are provided.

CMS End-Entity Help -- This document is the online help provided for the End-Entity Services interfaces; this interface contains HTML-based forms for certificate enrollments, renewals, revocations, and so on. Only an HTML version of this document is provided.

After you run the setup script as described under Installation Procedure , check this file for a complete list of documentation installed with the product:
<server_root>/manual/index.html, where <server_root> is your CMS installation directory. The index file also contains links to Netscape Directory
Server and Netscape Administration Server documentation, as these get installed along with the CMS documentation listed above.

Installation Procedure

Before installing the product, be sure to read these release notes and the installation instructions in CMS Installation and Setup Guide.

If you're using the product CD for installation, this book is available as a PDF file in the Docs directory.
If you downloaded the software from the web site, be sure to download the PDF version of the book.

If youÆre using a previous release of CMS and want to upgrade to CMS 4.5, follow the upgrade instructions .

If you don't have any previous installation of Certificate Management System, follow the instructions for installing the software. It involves the following stages:

Stage 1: Run the installation script (setup on Unix, setup.exe on Windows NT) to install administration and directory servers as necessary, and perform the initial phase of CMS installation.
Stage 2: Run the Installation Wizard to set up the initial configuration of the CMS instance. This is where you specify which subsystems are to be part of this instance.
Stage 3: Use Netscape Console to further configure the new CMS instance as needed. For example, you must provide it with information about the LDAP publishing and authentication directories.
Stage 4: If you wish, use Netscape Console to create additional instances of the Certificate Management System in the same server root directory, and use the Installation Wizard to configure them.

Upgrading From a Previous CMS Version

Upgrading from a previous version of CMS can be accomplished by installing into the same server root as the previous installation. It is advisable to backup the entire server root before upgrading.

Important Notes and Known Bugs

This section lists important notes, bugs, and known issues, and provides workarounds for some of the problems that you may encounter with the product. (The problems are identified by bug numbers to help you refer to them if you need to contact technical support.)

Administration Server
Authentication
Backup and Restore
Browser
CA Cloning
CEP Support
CGI Support
Command-Line Tools
CRLs
Custom Plug-in Modules
Directory Server
DSA
Enrollment

Enterprise Server
Extensions
Hardware Tokens
Installation
Internationalization
Job Scheduling/Notification
JSS
Logging
Miscellaneous
OCSP
Performance
Personal Security Manager
Policies

Publishing
Remote Registration Manager
Renewal of CMS Certificates
Request Queue Processing
Revocation
Samples and SDKs
Searching for Certificates
Starting/Stopping the Server
UI (Netscape Console/CMS Window)
wTLS

Administration Server

To change the IP address of Administration Server, use the perl script provided here: <server_root>/shared/bin/admin_ip.pl

admin_ip.pl <Dir_Manager_DN> <Dir_Manager_password> <old_IP> <new_IP> [port]

<Dir_Manager_DN> is the DN of the manager of the Administration Server configuration directory (for example, "cn=Directory Manager");
<Dir_Manager_password> is the password used to bind to the Administration Server configuration directory;
<old_IP> is the current IP address;
<new_IP> is the new IP address you want to use;
[port] (optional) is the port Administration Server should use on the new address.

After you create a new CMS instance using Netscape Console, the Console window does not display the instance in the navigation panel. To display the new CMS instance in the panel, click the Console's View menu and select Refresh.

When you're trying to create a new CMS instance and if Administration Server starts up before the configuration Directory Server, you will get the following message and the instance will not be created: Please restart the console and admin server before creating a new instance

Once you restart Administration Server, you will be able to create CMS instances without receiving the above message. Note that the above message will not always occur for all CMS instance creations -- it appears mostly due to the randomness of the start order between Administration and Directory Servers on Window NT; typically, Directory Server starts first, but there are cases where Administration Server starts first. Certificate Management System requires Directory Server started prior to Administration Server. [# 394059]

Netscape Administration Server does not support EXCEED X server software for running Unix X-Windows applications on Windows NT. Therefore, EXCEED will not run reliably with Certificate Management System.

Netscape Administration Server might crash when you create or remove a CMS instance. If this happens, go to the command line and start Administration Server. [# 352824 and # 352372]

By default, Administration Server administrator's password (also known as the SIE password) is stored in clear text in the adm.conf file.

adm.conf

To remove the clear text Administration Server password:

Stop the Administration Server.
Go to this directory: <server_root>/admin-serv/config
Open the adm.conf file in a text editor.
Delete this entry: siepid: <password>
Save the text file.
To restart the Administration Server, at the command line, run start-admin.

adm.conf

startconsole

See also the ones listed in Installation and UI (Netscape Console/CMS Window) sections.

Authentication

Agents and administrators must be users in the Certificate Management System user and group database. This will be replaced by ACLs in future releases.

Backup and Restore

No known problem.

Browser

IE 4.X and 5.X cache secure pages, but don't provide a means to flush the cache. This is especially frustrating when you authenticate to the agent interface with the wrong certificate, and then try to reload the page and reauthenticate with the correct certificate. You must reboot the system to get IE to stop caching the page. Communicator has similar problems with caching pages, but restarting Communicator causes it to flush cached secure pages. [# 394936]

Microsoft Internet Explorer 3.x and Netscape Navigator 3.x are not fully supported by the default HTML interfaces for Agent Services (of the Certificate Manager, Registration Manager, Data Recovery Manager, and Online Certificate Status Manager). For best results, use Communicator 4.x or Internet Explorer 4.x.

Client time drift detection in IE is disabled -- the HTML forms provided for end-user enrollment and renewal include JavaScript code (function named checkClientTime) that detects the time drift between the client and server clocks and prompts users to adjust their clocks (to be in sync with that of the server). This feature works only with Communicator. [# 341838]

If you view a CRL as an agent using IE or Communicator, then revoke a certificate, and then view the CRL again, you will not see the certificate you just revoked listed in the CRL. To work around, exit the browser, relaunch it, and then view the CRL again. [# 347146]

When you import a CRL from Certificate Management System into Communicator 4.x, a "View-Edit CRLs" button is added to the SIGNERS section of the Security Info window. If you click the "Reload" button for that particular CRL, it won't reload properly because of the incorrect URL. To make it work, you have to manually change the URL from https://<CMSEndEntityURL>/getCRL to https://<CMSEndEntityURL>/getCRL?certSerialNumber=&op=importCRL&issuepoint=MasterCRL&submit=Submit.

Communicator will crash when asked to do SSL client authentication if the DN for an SSL server certificate or a CA certificate does not have the O= attribute. However, there is a warning message displayed in the Installation Wizard if O= is left out of the DN when creating the certificates. This problem is fixed in Communicator 4.6.

Communicator shows an error dialog when connecting with SSL to Netscape Enterprise Server, if the SSL certificate was generated with the Key Usage Extension policy turned on. To workaround the problem, turn off or disable the Key Usage Extension policy module and issue the certificate. [# 344996]

IE fails to present a dialog asking the agent user to specify the certificate to be used for SSL client authentication to the second server, when two SSL servers are configured on the same machine. This problem occurs when you connect to two different servers running on two different ports of the same machine. When you do SSL client authentication to the first server, IE presents a dialog box from which you can choose the certificate you want to use to authenticate. When you connect to the other server on the same machine, IE assumes that you want to use the same certificate and doesn't provide you with an opportunity to change your selection. The result is that you fail to authenticate to the second server, because IE automatically presents the certificate you chose previously. The workaround is to restart IE (after authenticating to the first server) and then attempt to authenticate to the second server; when you restart, you can connect to the other server and you will again be presented with a dialog box for choosing an SSL client certificate. [# 350416]

If you are using the Solaris version of IE to get a certificate using directory-based user enrollment, Certificate Management System successfully imports the certificate, but IE crashes. [# 347824]

If IE 4.x is configured to prompt the user for a confirmation when a form is being submitted, the request will be submitted correctly. However, a second browser window may appear. [# 355696]

IE 4.x (or higher) has problem importing a renewed certificate if the KEYGEN for the certificate didn't happen in that IE. For example, if you attempt to import a renewed certificate to IE and if the original certificate was issued to Communicator or IE (installed on another machine), you'll get the following error message: Error in acceptPKCS7. Error Number 80092004 occurred.

Note that the renewed certificate can be retrieved with Communicator and imported into IE without any problem, but any attempt to retrieve it using IE produces the above error. [# 397451]

See also the ones listed in DSA, Installation, Internationalization, and Personal Security Manager sections.

CA Cloning

You can create a clone Certificate Manager on the same host machine on which the master Certificate Manager is installed or on a different machine. If you choose to install the clone Certificate Manager on the same host as that of the master, you have the choice of using the master Certificate Manager's SSL server certificate for the clone Certificate Manager; the certificate and corresponding key pair are accessible to the clone Certificate Manager because as a part of the cloning process, you copy the certificate and key database of the master to the clone. If you decide to generate a new SSL server certificate for the clone Certificate Manager, be sure to specify a subject name that's different than the one specified for the master Certificate Manager's SSL server certificate; that is, when installing more than one SSL server certificate on a software/hardware token, the subject name of each certificate must be unique. However, since the 'CN' component in the subject name of SSL server certificates must be the fully-qualified hostname of the machine on which the server is installed (for example, camachine.example.com), subject name uniqueness can be achieved by changing other attributes, such as OU, O, L, ST, or C, that're used to form the certificate subject name. [# 528259]

CEP Support

See # 341389 in the Remote Registration Manager section.

If you are setting up publishing for use with Cisco Routers^TM, it is recommended that you set the appendDN parameter in the CEP script. This will append the given DN onto all the subject names of issued CEP certificates. The reason for this is that the subject names as requested by Cisco Routers are of this form:

UNSTRUCTUREDNAME=xxx+UNSTRUCTUREDADDRESS=yyy

O=company

You can download a DSA CA certificate using IRE VPN client 3.0.1b3. However, because there is no way a DSA CA certificate can be used for encryption, such an action should give you some sort of meaningful message, instead of the message that's currently being generated: Getting cbEncodedBlob length failed

(This message is generated after a user selects the DSA certificate for enrollment, which leads to KEYGEN failure with the message.) [# 394928]

CGI Support

You can configure Certificate Management System to run CGI scripts by putting the CGI script (or executable) in a directory under the end-entity gateway's doc-root (<server_root>/cert-<instance_id>/web/ee) or agent gateway's doc-root (<server_root>/cert-<instance_id>/web/agent), and by editing the configuration file to include information about the CGI script. [# 384101]

To configure the server to run a CGI script:

Stop Certificate Management System.
Go to this directory: <server_root>/cert-<instance_id>/web/ee
Create a directory for putting your CGI script, for example, cgi-bin.
Copy your CGI script to the cgi-bin directory.
Change to this directory: <server_root>/cert-<instance_id>/config
Open the configuration file, CMS.cfg, in a text editor.
Add the following lines:

eeGateway.servletName.CGI=com.netscape.certsrv.http.CgiServlet

eeGateway.servletAlias./cgi-bin=CGI

cgi-bin

/cgi-bin/

Save your changes.
Close the file.
Restart Certificate Management System.

Command-Line Tools

Certificate Management System includes a set of compiled binaries of several command-line tools provided for your convenience. This includes security tools named Certificate Database Tool (certutil), Key Database Tool (keyutil), Netscape Signing Tool (signtool), SSL Debugging Tool (ssltap) and SSL Strength Tool (sslstrength). If any problems are found in these specific tools, you may obtain the source code and build instructions for the very latest version of this tool (and/or potentially a binary image for the newer tool) at the following URL: http://www.mozilla.org/projects/security/pki/nss/tools/index.html

Note that all Key Database Tool functions have now been incorporated into the single tool, Certificate Database Tool, and that several of the command-line options for many of the tools may have changed. Be sure to check back often to obtain the very latest version of the desired security tool, as this site will be updated often.

The command-line tools named certutil and keyutil that are bundled with Certificate Management System rely on the security module database file (secmod.db on Windows NT and secmodule.db on Unix) to function. Before using these tools to view the list of CMS certificates or keys in a software or hardware token, you need to copy this file to the CMS configuration directory. [# 537267]

Go to this directory: <server_root>/admin-serv/config/
Copy the security module database file (secmod.db on Windows NT and secmodule.db on Unix) to the CMS configuration directory: <server_root>/cert-<instance_id>/config
Use the certutil or keyutil tool. For example, run certutil -d . -L to list all certificates in the software or hardware token.

For the modutil executable to function properly on the Solaris platform, the LD_LIBRARY_PATH variable must be set to <server_root>/lib. [# 538674]

See also the ones listed in the Hardware Tokens section.

CRLs

See the ones listed in Browser and Publishing sections.

Custom Plug-in Modules

When developing custom modules (for example, authentication and policy) for Certificate Management System, it is recommended that you use Java 2.0, SDK 1.3.0.

See also the one in the Starting/Stopping the Server section.

Directory Server

In the first stage of CMS installation, you run the setup program during which you specify details relevant to the configuration Directory Server, Administration Server, and Netscape Console. In one of the screens, you're asked to specify the following information about the configuration directory (whether it is an existing one or a new one to be created by the Installation Wizard):

Directory Server identifier -- A unique identifier for the Directory Server instance (and is required for each instance). For example, configdir.
Directory Server network port -- The port number at which the Directory Server instance will listen to (or is listening for) requests. The default is 389.
Suffix -- The domain name of the host. If you are creating a new directory, this should be the domain name of the current host. For example, o=example.com.

Suffix

O=Netscape Corporation

Netscape Corporation

User Directory Subtree: O=Netscape

The "<space>Corporation" gets left off; that is, the words trailing the space get truncated in the UI. [# 395046]

Each instance of Certificate Management System uses a Netscape Directory Server instance as its data store, referred to as the internal database. Because the internal database contains information for CMS activities, for example, activities of your CA, it's important to insulate the internal database from being visible outside its host system (and thus prevent users from outside to have access to the internal database). To make the internal database accessible only from the local machine, you must bind the Directory Server instance functioning as the internal database to a localhost (that is, IP address 127.0.0.1) with the help of listenhost parameter in the slapd.conf file; a server on localhost can only be accessed from the local machine.

localhost

err=91

Install Certificate Management System as you normally would.
Stop Certificate Management System and the Directory Server instance functioning as the internal database.
Add listenhost 127.0.0.1 to the slapd.conf file of the internal database. To do this:

Open a command-line window.
Go to this directory: <server_root>/slapd-<internal_database_id>-db/config
Open the slapd.conf file in a text editor.
Add this line to the beginning of the file: listenhost 127.0.0.1
Save your changes and close the file.

Change the value of the serverhostname parameter of the internal database to 127.0.0.1; if you do not do this, you cannot open the internal database from the Netscape Console topology tree. You can make this change from the configuration Directory Server Console or by using ldapmodify. To do this from the configuration Directory Server Console:

Log in to Netscape Console.
Open the console interface for the configuration directory.
Select the Directory tab and navigate to the server instance entry (SIE) for the internal database. The screen shot below shows how to navigate to the SIE entry of an internal database, slapd-host-db. (o=NetscapeRoot -> o=netscape.com -> host.netscape.com -> Server Group -> Netscape Directory Server -> slapd-host-db)

Right click the SIE node (for example, the slapd-host-db node) and select Properties. The Edit Entry dialog box appears.

Click the Advanced button at the bottom of the dialog box. The Property Editor dialog box opens.
Change the value of the serverhostname attribute to 127.0.0.1.

Click OK.

Restart Certificate Management System and the internal database.
Start Netscape Console by running startconsole from the command line.
Try to open the console interface for the internal database from within Netscape Console.

See also the ones listed in Installation and Internationalization sections.

DSA

When a DSA signing key pair is generated for a Certificate Manager, the Configuration Wizard first generates a new set of PQG parameters. This process is computationally intensive and will result in delays of several minutes, depending on the speed of the hardware.

Communicator 4.x is the only browser that can successfully obtain and use DSA client certificates for SSL client authentication and that can recognize the signature on SSL certificates signed by a DSA CA. IE 5.x, which does support DSA, does not recognize SSL certificates signed by a DSA CA. Navigator 3.x and IE 3.x do not support DSA at all.

In order for Communicator to generate a DSA key pair, you must modify the KEYGEN tag in the default certificate enrollment forms; the modifications will indicate that the DSA algorithm is to be used, and will also supply the PQG parameters. For details on the KEYGEN tag, see "Netscape Extensions for User Key Generation" at this site: http://home.netscape.com/eng/security/comm4-keygen.html

adminEnroll.html

<server_root>/cert-<instance_id>/web/agent/ca

Additionally, you may need to modify the KEYGEN tags in the following certificate enrollment forms:

DirPinUserEnroll.html
DirUserEnroll.html
ManObjSignEnroll.html
ManUserEnroll.html
NISUserEnroll.html
PortalEnrollment.html

<server_root>/cert-<instance_id>/web/ee

CMS Plug-ins Guide

Once you have generated a single DSA private key with Communicator, the browser will reuse the same private key for any subsequent KEYGEN operations, rather than generating a new one. This bug can lead to the issuance of multiple certificates with identical DSA key pairs. To work around this bug, exit Communicator after generating a DSA private key, then relaunch it again. After relaunching, Communicator will generate a new DSA private key instead of reusing an existing one. You must exit Communicator after generating each DSA private key to ensure that no certificates with duplicate private keys are issued.

The ManUserEnroll.html and DirUserEnroll.html certificate enrollment forms are modified so that they are mainly using the Javascript call crypto.generateCRMFRequest() to generate requests. However, the absence of the KEYGEN tag makes it difficult to edit enrollment forms to obtain DSA certificates, as the user is not allowed to specify PQG parameters. Therefore, here is an example of how crypto.generateCRMFRequest() should be called [# 600140]:
```
     var keyTransportCert = null;
     var keyGenAlg = "dsa-nonrepudiation";
     certNickname.value = subject.value;
     crmfObject = crypto.generateCRMFRequest(
                         subject.value,
                         "regToken", "authenticator", 
                         keyTransportCert,
                         "setCRMFRequest();", 
                         512, null, keyGenAlg);
```

For more information about using DSA for the Personal Security Manager installation, see the CMCJavascriptAPI.html document.

See also the ones listed in the UI (Netscape Console/CMS Window) section.

Enrollment

On a Windows NT system, if your display configuration is set to use a background color other than white, you may notice that some of the end-entity enrollment forms don't set the background color to white, when displayed by IE 4.0. For example, if you view the manual user enrollment form (ManUserEnroll.html) or the manual object signing enrollment form (ManObjSignEnroll.html) on IE 4.0, you'll notice that the enrollment page doesn't set the background color to white. [# 385573]

If the Data Recovery Manager's transport certificate copied into the certificate enrollment form of a Registration Manager (or Certificate Manager) is incorrect, during enrollment you will get the following error message:

Problem Processing Your Request

The Registration Manager encountered a problem while processing your request. The following is a detailed message of the error that occurred.

Invalid Private Key

Please consult your local administrator for further assistance. The Certificate Management System logs may provide further information.

CMS Installation and Setup Guide

To enroll for certificates using AT&T's Secret Agent product, use the server manual enrollment page. AT&T Secret Agent will generate a PKCS #10 request that can be pasted into the Server manual enrollment page. None of the default User enrollment pages accepts PKCS #10 data. You can, of course, use the server manual enrollment default page as an example for creating a new page dedicated to enrolling AT&T Secret Agent users.

Enterprise Server

When using Netscape Enterprise Server version 3.62 and JRun, you can use the following Java servlet code to obtain a user's certificate:

String clientCert = "-----BEGIN CERTIFICATE-----\n" +

servReq.getHeader("auth-cert") +

"\n-----END CERTIFICATE-----\n"; // Newlines are critical!!!

servReq.getHeader("auth-cert")

req.getAttribute("javaex.net.ssl.peer_certificates")

Netscape Enterprise Server version 3.62 relies on the trust status of the issuer's certificate in its certificate database when validating client certificates presented during SSL client authentication -- when validating a client certificate, Enterprise Server verifies whether the CA that has signed the client certificate is trusted in its trust database. If the CA certificate is untrusted, the server rejects the client certificate. This information should be of interest to you if you have set up your Certificate Manager to function as a chained or linked CA -- that is, your Certificate Manager's CA signing certificate has been issued by a public or third-party CA.

Certificate Manager is chained to a public root CA
Certificate Manager has issued client certificates and all clients include the CA chain in their certificate databases
Enterprise Server's certificate database includes both the public root CA certificate (trusted) and Certificate Manager's CA signing certificate (untrusted)

In this scenario, you would expect the Enterprise Server to successfully validate client certificates, but the server fails to do so because the Certificate Manager's CA signing certificate is untrusted in its database (untrusted issuer); the server doesn't check the root CA certificate for validation. [# 355999]

See the ones listed in Browser and CRLs sections.

Extensions

No known problems; see the ones listed in the Personal Security Manager and Policies sections.

Hardware Tokens

When using a hardware token, you must use the token vendor's tools or utilities for initializing the token and for setting up the security officer password; the Certificate Setup Wizard may not initialize the hardware token successfully. [# 383999]

The command-line tool keyutil (or the Key Database Tool) doesn't list keys residing in an nCipher token; for example, the command shown below won't display the list of keys residing in the token.

keyutil -L -h "tokenname" -d . -l

This will be fixed in the future version of the tool. [# 394912]

If you have problem (Lynkstest.exe not showing expected results) using the SPYRUS^TM card with Certificate Management System running on a Windows NT system, try the following:

Click Start and select Control Panel.
In the Control Panel, double-click Devices.
In the Devices window, select Scsiscan and click Startup.
Select Disabled and click OK.

Remove the SPYRUS card.
Reboot the system.
After the system restarts, try running Lynkstest.exe again. If you get an error or forgot to remove the SPYRUS card when you rebooted, take the card out and put it back in, and then run Lynkstest.exe again. [# 389904]

Hardware tokens that use a physical token (such as a key) or biometric check to unlock the key store typically do not require a password to be created during token initialization. If you're using such a hardware token with Certificate Management System, when initializing the token, the CMS installation wizard will still ask you to provide a password (even though that password is not used). To workaround this, just enter some password at the prompt and it will be ignored. Make sure that you authenticate to the hardware token (for example, by inserting the key or by using your fingerprint) before Certificate Management System attempts to generate the key. [# 381307]

If you plan on using nCipher hardware tokens for generating keys and certificates used by CMS subsystems (for example, a Certificate Manager's CA signing certificate), be sure to use the latest version of the driver and software for the token. Certificate Management System has been tested to successfully generate DSA keys on a newer release of nCipher token. The details of this release are shown below. [# 390525]

This installer contains the following releases

sslyp devel - SSLeay source code patch file 1.51.2

nfjava devel - nFast Java Generic stub 0.2.11

ldb185 user - 1.0.4

nfast devel - nFast developer software 1.52.5

nfast user - nFast software 1.52.5

nftcl user - Command line key management 1.59.2

nsapi user - Netscape Enterprise Server 3.x plug-in 1.60.6

opensl user - nftcl certificate generation utility 0.3.6

tclsrc devel - Tcl run time - Headers and Libraries 1.8.7

tclsrc user - Tcl run time 1.8.7

For the Solaris platform, when installing an nCipher hardware token using driver packages Cryptographic 3.06 and PKCS#11 2.02, the directory /opt/nfast/kmdata will be created. The account designated to run the CMS server processes will need access to the kmdata directory and one of its sub directories. This may be accomplished by editing /etc/group and adding the account designated to run CMS to group nfast.

kmdata

root

nfast

drwxrwsr-x

When using the same hardware token for storing key pairs of multiple Certificate Manager instances, be sure to specify unique issuer DNs for the CA signing certificates. If you specify the same issuer DN for the CA signing certificates (you're asked to specify this when generating the certificate), the CMS installation wizard will fail to generate the certificate, and thus complete the installation process. [# 354993].

CN=myCA, O=Netscape, C=US

Token Error: import CA cert failure com.

netscape.jss.CryptoManager

$UserCertConflictException

If you are using Chrysalis Luna^TM hardware token for storing CMS keys and certificates, after a period of time Certificate Management System may stop working. To resolve the problem, check if you ran the following command as a part of installing the hardware token:

../../shared/bin/modutil -nocertdb -dbdir . -default chrysalis -mechanisms rc2:rc4:rc5:des:dh:sha1:md5:md2:random

../../shared/bin/modutil -nocertdb -dbdir . -undefault chrysalis -mechanisms rc2:rc4:rc5:des:dh:sha1:md5:md2:random

See also the ones listed in the Command-Line Tools section.

Installation

Certificate Management System is built with Java 2 (SDK 1.3.0). Some UNIX platforms require specific versions of the operating system as well as operating-system patches to run their version of the Java 2 SDK 1.3. Be sure to check this site and install the required patches for Sun Solaris: http://java.sun.com/j2se/1.3/install-solaris-patches.html

If you don't install the required patches, CMS installation will fail. [# 525794]

Certain new features, such as revocation checking using the OCSP protocol, supported in this release requires you to use Netscape Communicator versions 4.7 or later. If you're using earlier versions of Communicator, you must install the new version before you install Certificate Management System on a Windows NT system.

During the installation of Certificate Management System, port numbers are suggested to the user. While the installer tries to suggest only unused ports, sometimes it is impossible to test whether the port is in use, so the installer may erroneously suggest a port that's in use. Please make sure that the ports you pick are unused before installing the product. [# 522361]

When installing Certificate Management System, if an existing configuration Directory Server is to be used and if the existing configuration Directory Server is under a different domain, then it may be necessary to run the CMS installation in Custom mode. [# 395070]

When installing Certificate Management System on a host which contains more than one static IP address (for example, two or more ethernet cards or a cluster), then it may be necessary to run the CMS installation in Custom mode. [# 394785]

When you run the setup program on Unix, if you interrupt the installation process at any point, the setup program asks you if you want to continue with a default answer of [n]. Accepting the default actually continues the installation. You need to explicitly answer N to cancel out. [# 397563]

When running the setup program, be sure to note the port number you assign to the Administration Server and use it later in the Netscape Console login screen to launch Netscape Console. The Netscape Console login screen that shows up after running the setup program does not show the correct URL (the value in the Administration URL field). The port number in the URL isn't the one you specify during setup. In order to launch Netscape Console and complete CMS installation, you need to remember the port number you assign to the Administration Server and then edit the port number in the URL. [# 382662]

<server_root>/admin-serv/config/adm.conf

When installing a CMS subsystem (for example, the Certificate Manager), if you specify identical subject names for the subsystem's certificates (for example, if you specify CN=demoCA, OU=Sales, O=Netscape, C=US as the subject name for both CA signing certificate and SSL server certificate), you will get an error. Make sure to assign appropriate values for the subject names; for example, the CN component of an SSL server certificate must be the fully-qualified host name of the machine on which the Certificate Manager will run. [# 390915]

If you point Certificate Management System to a configuration directory running on a host which has different domain, you'll get an error message. In other words, if the domain for Administration Server is different than that of Certificate Management System, it would fail to bind to Administration Server; the reason for this is that you cannot set the domain for Administration Server. [# 389862]

During installation, depending on the subsystems you've chosen to install, you generate various certificates, such as Certificate Manager's CA signing certificate, Registration Manager's signing certificate, and SSL server certificates. As a part of generating these certificates, you're required to specify subject names for the certificates. Subject names are formulated using DN components, such as Common Name (CN), Organizational Unit (OU), Organization (O), Locality (L), State (ST), and Country (C). Be sure to enter an appropriate value, such as the name of your company, for the Organization (O) component. The Organization is required because its absence causes Netscape Communicator version 4.6 (or below) to crash when it encounters the certificate. [# 362451]

When installing a Registration Manager, the installation wizard does not present you with an appropriate screen for specifying whether you want to connect it to a Certificate Manager or to another Registration Manager. The wording on the screen suggests that the Registration Manager can only be connected to a Certificate Manager.

For example, assume that you are installing a Registration Manager (RA2) and want to chain it to another Registration Manager (RA1) that has already been installed and connected to a Certificate Manager (CA). When you run the installation wizard for RA2, you should have the opportunity to specify the host name and port number of RA1 so as to chain RA2 to RA1. However, the screen presented by the installation wizard suggests that you can connect RA2 to CA only. Note that the error is limited to the wordings on the screen only. You may use the input fields to enter values that correspond to a Certificate Manager or Registration Manager. In other words, you should ignore the on-screen wordings and enter the host name and port number of the subsystem -- either a Certificate Manager or another Registration Manager -- to which you want to connect the Registration Manager being installed. [# 351672]

When running the Installation Wizard for installing a Data Recovery Manager, in the screen where you enter key recovery agents' user IDs and passwords, pressing the Tab key does not advance focus to the next field; this requires you to double-click a field to give it focus. [# 389864]

At the end of the CMS installation wizard you're asked to enroll for an agent certificate. If you go ahead and request the agent certificate, the Certificate Manager issues you a certificate with a validity period of one year, irrespective of the validity period of your CA certificate. The reason for this is, as any other certificate request your very first agent certificate request gets subjected to the currently configured policy rules of the Certificate Manager. It is important to know that during CMS installation a few policy rules are automatically enabled with default settings. To find out more about these rules:

Log in to Netscape Console.
Double-click the CMS instance of your interest.
In the navigation tree, click Certificate Manager.
Click Policies. The right pane lists the currently configured policy rules. To view current settings of a rule, select it and click Edit.

DefaultValidityRule

ValidityConstraints

DefaultValidityRule

If you're installing Certificate Management System on a Japanese version of Windows NT, the default validity dates displayed by the Installation Wizard may not be correct. Be sure to adjust the dates before you click the Next button. [# 401375]

When installing Certificate Management System as a subordinate CA, in one of the steps, the Installation Wizard asks you to paste the complete root CA certificate chain. Be sure to paste the complete chain for the root CA. If you fail to paste the correct root CA chain, for example, if you paste in the CA certificate instead of the chain, the Installation Wizard does not complain. Later, if you view the certificate chain in the Retrieval tab of End-Entity Services interface, the chain will only display the lower-level CA certificate; it will not show the root CA certificate. [# 384940]

See the ones listed in the Internationalization section.

Internationalization

You cannot add users to the directory if the user entries have attribute data in a non-English (ISO-8859-1) character set and the operating system uses the English (en or C) locale. Netscape Console will not accept multibyte language input, so ldapmodify must be used to add multibyte data to Directory Server. However, there is a bug in ldapmodify that prevents multibyte data from being added successfully if the operating system locale is English. To add multibyte data, install Directory Server on a system whose operating system supports the correct language and run ldapmodify on that system.

When requesting a certificate using the Manual enrollment form for Netscape Communicator with Personal Security Manager, if you enter double-byte characters, such as Japanese or Korean characters, in Full Name, Common Name, First Name, Last Name, Organizational Name, Organizational Unit Name fields, you get an error. [# 384405]

When using Netscape Communicator with Personal Security Manager, if you attempt to import a certificate with BMPString encoding, import works. Later, when you view the certificate in the Personal Security Manager interface, the nickname isn't displayed correctly. Also, if you click the View button and check certificate details, the subject name of the certificate doesn't appear correctly. [# 384406]

If you request a certificate using the Manual enrollment form for the English version of Netscape Communicator 4.7 running on a non-english version of Window NT 4.0 (for example, Korean), Certificate Management System issues the certificate. However, when you attempt to import the certificate into Communicator, the certificate doesn't get imported. There's no error message to indicate that the import operation was unsuccessful. [# 384407]

Netscape Communicator crashes if you attempt to import a certificate with BMPString encoding. [# 384408]

Job Scheduling/Notification

When naming a job (instance), be sure to formulate the name using any combination of letters (aA to zZ), digits (0 to 9), an underscore (_), and a hyphen (-); other characters and spaces are not allowed. For example, you can type My_Job or MyJob as the name, but not My Job. If you create a job instance with a space in the instance name, you may not find that instance in the CMS Console after you restart the server. [# 532176]

If there are no expired certificates in the internal database and if the unpublishExpiredCerts job is enabled, you will see an error similar to this in the log:

6831.unpublishExpiredCerts - [30/Jun/2002:22:50:01 PDT] [20] [0]

unpublishExpiredCerts: buildContentParams: null value for name= SummaryItemList

In addition, in the summary notification sent for unpublished certificates, the words "VALUE UNKNOWN" will show up before the table-title row. All it means is that there are no expired certificates. [# 400973]

JSS

Certificate Management System integrates JSS 3.1.1, which allows you to find VERSIONing information that may be useful when reporting bugs or choosing a patch. Here's how you can find out the version:

On all UNIX systems, do the following from the command line:

% strings jss3.jar | grep "VERSION ="

DBM_VERSION = NSS_3_1_1_RTM

JDK_VERSION = JDK 1.2.2

JSS_VERSION = JSS_3_0

"NSPR_VERSION = NSPRPUB_RELEASE_4_1

NSS_VERSION = NSS_3_2_RTM

% strings libjss3.so | grep "VERSION ="

JSS_VERSION = JSS_3_0

JDK_VERSION = JDK 1.2.2

NSS_VERSION = NSS_3_2_RTM

DBM_VERSION = NSS_3_1_1_RTM

NSPR_VERSION = NSPRPUB_RELEASE_4_1

On Windows Systems that do not have a version of "strings" and/or "grep" via MKS Toolkit, and do not have a compiler installed, the notepad.exe program can be used. Simply open the jss3.jar file in notepad.exe, and use the Search menu item. Then select Find from the submenu, type in VERSION = in the "Find what:" field, and check the Match case checkbox. Click the Find Next button to traverse the contents of the file. Likewise, you can open the jss3.dll file in notepad and follow the same steps.

Logging

This release supports a new architecture for CMS logs, enabling you to plug-in custom log modules (similar to authentication, policy, and publishing).

Miscellaneous

Initial connection to Netscape Console with a 2048-bit RSA SSL server certificate is a bit longer than the one made with a 512 bit RSA SSL server certificate.

The configuration file, CMS.cfg, only supports Unix-style file separator, the forward slash (/). If MS file separator is required, you should use two backward slashes (\\) instead of one (\). [# 326875 and # 331495]

You may encounter problems with Certificate Management System when using SSL server certificates that are issued by a public CA, if these certificates have Basic Constraints extension set in them. [# 356424]

When creating a CMS instance, if you receive the following error message, it could be due to the server needing to achieve access over a slow network: Operation Error: Unable to perform the instance creation task

Note that despite the error message, the instance will be created properly and you will be able to configure it. [# 395304]

OCSP

This version of Certificate Management System includes a new server named Online Certificate Status Manager. This server can receive CRLs from multiple Certificate Managers and can function as an OCSP responder in your PKI.

The documentation (CMS Customization Guide) doesn't cover the HTTP interface of Online Certificate Status Manager. The updated documentation will be posted to the web site on a future date.

Performance

To improve performance under high load on Solaris we recommend that you do the following:

Install Solaris patches 103582 and 103630; these patches include various TCP/IP performance/stability related fixes.
Increase the number of threads available listening on the end-entity port by adding the following to the configuration file (CMS.cfg):

eeGateway.http.backlog=30

eeGateway.http.maxThreads=40

eeGateway.https.backlog=30

eeGateway.https.maxThreads=40

If you increase the number of threads available listening on the end-entity port, you must also increase the number of per-process file descriptors. By default, this limit is 64. Check your system by typing: sysdef. Note that the value reported is in hex. To increase the number of file descriptors (each thread may use at least one, maybe two file descriptors; also remember that about 30 are used by Certificate Management System for other purposes), edit the /etc/system file, inserting the following lines:

set rlim_fd_max=1024

set rlim_fd_cur=256

Reboot the system. [# 345598]

Personal Security Manager

If you want to add the Name Constraints extension to certificates and if your client is Netscape Communicator 4.7x with Personal Security Manager, make sure to set the permittedSubtrees.min and excludedSubtrees.min parameters to 0 in the NameConstraintsExt policy rule for client certificates. [# 386825]

By default, CMS enrollment pages for Personal Security Manager specify the key size as 512 bits. However, you can specify to use the largest key size available using the parameter named crypto.algorithms.rsa.signing.keySizes[0], which is described in the document entitled JavaScript API for Client Certificate Management.

Note that the document currently does not say that the 0th element will always be the largest key size supported. [# 395019]

When you view a CMS-issued certificate in Personal Security Manager, it does not display information such as the algorithm and key size of the key associated with the certificate. However, IE displays this sort of information. [# 395453]

Also see the ones listed in the Browser section.

Policies

The Netscape Comment Policy Extension works only with Netscape Navigator; it does not work with Microsoft Internet Explorer.

If you make some changes to extensions through policy, for example, add a Subject Directory Attributes Extension policy, and if you clone an old request, you'll see the request with its old set of extensions. However, when you approve the cloned request, the resulting certificate will have the new extension. [# 401670]

See also the ones listed in the Browser section.

Publishing

When configuring publishing, if you enter incorrect data (in the Publishing panel of CMS window) and attempt to save it, Certificate Management System will ask you to either save or abort your changes. If you choose to save, you must later make sure to configure the server correctly, and then restart the server for your changes to take effect. [# 388097]

If the Certificate Manager is installed as a root CA and if you use its agent interface to update the directory with valid certificates, you may get an object class violation error (or other errors in the mapper). The reason for this is the CA signing certificate may get published using the publishing rule set up for user certificates. You can avoid this problem by selecting the appropriate serial-number range to not include the CA signing certificate; the CA signing certificate is the first certificate a root CA issues. [# 532510]

Modify the default publishing rule for user certificates by changing the value of the predicate parameter to HTTP_PARAMS.certType!=ca.
Use the LdapCaCertPublisher publisher plug-in module to add another rule, with the predicate parameter set to HTTP_PARAMS.certType==ca, for publishing subordinate CA certificates.

See also the ones listed in CRLs and UI (Netscape Console/CMS Window) sections.

Remote Registration Manager

In one of the steps of a Registration Manager installation, the Installation Wizard asks you to paste the CA certificate in its PKCS#7 format. In the PKCS#7 chain that you paste, if either the root CA certificate or subordinate CA certificate doesn't have an O= component in its subject name, the Installation Wizard fails to import the PKCS#7 chain, resulting in the following error message:

java.security.cert

CertificateEncodingException:

CERT_ImportCAChain returned an error

certutil

Run the Installation Wizard until you get the above mentioned error.
Quit the Installation Wizard.
Open a web browser window.
Go to the subordinate CA's end-entity interface.
Select the Retrieval tab.
Click Import CA certificate.
Select the "Display certificates in the CA certificate chain for importing individually into a server" option and click Submit.

Open a command-line window.
Go to Registration Manager's configuration directory:

cd <server_root>cert-<ra_instance_id>/config

Create two text files named subca and rootca.
Copy the base-64 encoding of the subordinate CA certificate into the subca file and of the root CA certificate into the rootca file. Be sure to include the -----BEGIN CERTIFICATE---- and -----END CERTIFICATE----- wrappers.
Save and close the files.
Add the two certificates to the Registration Manager's certificate database by running the following certutil commands:

certutil -d . -A -n "subca" -a -t TC,TC,TC -i subca

certutil -d . -A -n "rootca" -a -t TC,TC,TC -i rootca

Restart the Installation Wizard and run it as usual.
When the wizard asks you for the PKCS#7 chain, paste the chain as before. (You must still provide the chain, but the wizard won't try to reimport those certificates because they already exist in the Registration Manager's certificate database.)
Complete the installation process.

If the remote Registration Manager is not set up correctly to work with the Certificate Manager, an unclear HTTP message results. Check to make sure that the configuration for the remote Registration Manager is set up correctly.

The Registration Manager does not yet support the CRS/CEP enrollment; all router enrollment requests must be made through the Certificate Manager. [# 341389]

Registration Managers cannot display the full PKCS #7 certificate chain for certificates. If you need the full PKCS #7 chain for a CA's certificate, you must use the Get CA Chain interface (Retrieval tab in the End Entity Services interface) on a Certificate Manager instance. If you need the full PKCS #7 chain for a particular certificate (such as a subordinate CA certificate) you must go to the Certificate Manager and display the certificate; the PKCS#7 chain is at the bottom of the page that shows the certificate.

In a chained-CA setup, for example, a setup in which you have two CAs and a Registration Manager (Root CA --> Subordinate CA --> Registration Manager), if you list requests on the Registration Manager as a Registration Manager agent and if you notice that all requests are in the svc_pending state, it's likely that the trust setting among the three entities has not been set up correctly; that is, a certificate (CA or SSL) is not trusted and needs to be trusted. For example, in the above mentioned setup, if the SSL server certificates of the Registration Manager and the subordinate CA are signed by different CAs, transfer of requests from the subordinate CA to the Registration Manager would fail. To troubleshoot the problem, check CMS logs. [# 395614]

Renewal of CMS Certificates

When renewing the CA signing certificate of a Certificate Manager, if you change the key algorithm, the corresponding parameters don't get changed in the configuration file (CMS.cfg). This causes the server to fail from starting up. To workaround this problem, you must modify the value assigned to the algorithms parameter of the policy rule named SigningAlgRule in the CMS.cfg file. For details about values you can assign to the algorithms parameter, check the section named "SigningAlgorithmConstraints Plug-in Module" in the CMS Plug-ins Guide. [# 386772]

Request Queue Processing

This release allows agents to list requests based on their type, enrollment, renewal, revocation requests.

This release does not support the cancel request operation.

Revocation

When changing the status of a revoked certificate to valid in the internal database (Directory Server), it's not sufficient to change the value of the certStatus field from REVOKED to VALID. To properly switch the status of the certificate from revoked to valid, you need to remove revinfo, empty two fields, revokedon and revokedby, and change the value of the certStatus field from REVOKED to VALID. [# 393454]

See also the ones listed in the CRLs section.

Samples and SDKs

Check the <server_root>/cms_sdk directory for CMS SDK and sample code.

Searching for Certificates

Searching for certificates is slow if the search criteria include a validity period and if there are many tens of thousands of certificates in the internal database.

Starting/Stopping the Server

The 'Stop' operation stops the server without checking the password that is passed from the Console.

The 'Start' operation fails when passed an incorrect password at startup -- when you attempt to start the server with a wrong password, the server does not prompt that the password you've entered is incorrect.

You can stop a CMS instance from Netscape Administration Express, an HTML-based interface that can be launched by entering http://<admin_server_host>:<admin_server_port> in the browser's URL field. However, you cannot start a CMS instance from this interface. [# 389901]

Certificate Management System doesn't prompt you to supply the single sign-on password when you make an attempt to stop the server from the Windows NT service panel.

If Certificate Management System is running on a Windows NT machine, it is not advisable to install any JDK on the same machine. If you install JDK 1.1.8 or later versions of JDK, Certificate Management System may not start due to an entry in the registry, forcing the CMS jre to use the classpath provided by the JDK installation. The solution is to remove the offending registry entry; you can use regedit to search for the jdk directory. [# 395048]

UI (Netscape Console/CMS Window)

When you create a new CMS instance using Netscape Console, you might get the following error:

Operation Error: Unable to create the instance.

Check the log files under <server_root>/cert-<instance_id>/logs directory.

However, if you Refresh the console window, you'll see the entries that correspond to the new instance. If refreshing the window doesn't show the new entries, recreate the instance. [#534954]

When you delete a CMS instance using Netscape Console, the entries corresponding to the instance don't get deleted. However, if you check the directory structure in the host system, the files for the instance you deleted are removed. [# 534959]

Although the UI (Installation Wizard and CMS Window) allows you to specify key sizes up to 4096 for CMS certificates, be noted that the maximum key size allowed for all certificates in Certificate Management System is 2048 bits. For example, you cannot generate a key size of 4096 bits for the CA signing certificate or SSL server certificate. The documentation too incorrectly states that you can generate key sizes up to 4096 bits. [# 528714]

Netscape Console, version 4.2 doesn't support the DSA key algorithm. This prevents you from using the auto-submit feature of the Installation Wizard and Certificate Setup Wizard to automatically submit the request to the CMS's HTTPS port for end-entity enrollments, if that CMS instance is using a DSA key. For example, when installing a Registration Manager, if you attempt to auto submit the Registration Manager's signing certificate request to the end-entity HTTPS port of a Certificate Manager whose SSL server certificate corresponds to a DSA key (or the certificate has been signed by a CA with DSA key), the wizard will fail to submit the request.

manual

When installing a certificate using the Installation Wizard or the Certificate Setup Wizard, if the certificate is contained in a file, you should leave the file until the certificate is successfully installed. If you remove the file before the wizard completes installing the certificate, for example, if you remove the file after the wizard displays the detailed version of the certificate, the wizard will display an error indicating that it cannot find the file. [# 387267]

When installing a certificate in the Console using X windows, you cannot simply highlight and drop the base-64 encoded certificate into the text box or field. Instead, you must explicitly cut the base-64 encoded certificate from one application (such as a text editor or web browser) and paste into the text box of the console. [# 327841]

The Certificate Setup Wizard does not properly handle "+" and "," characters in Distinguished Name components. If you need to use one of these characters as part of a DN component, enclose the entire text in double quotes (") or escape the character with a backslash (\). For example, to use Netscape, Inc. as the organization (O) attribute, enter

    "Netscape, Inc."

The Certificate Setup Wizard can automatically post a certificate signing request (CSR) to a Certificate Manager's or Registration Manager's enrollment interface. However, the Certificate Setup Wizard assumes that the port is 80 (even if the protocol in the URL is https). When you enter the URL for submitting the request, always include the port number if it is not 80. An example enrollment URL including port 443 is https://ca.example.com:443/enrollment. [# 390032]

https://

Login to Netscape Console.
Double-click the Administration Server instance to open the Administration Server console.
Start the Certificate Setup Wizard (by clicking the Certificate Setup Wizard button available in the Tasks tab).
Click Next.
Be sure to select "Yes" as the certificate has already been generated, and click Next.
Setup password on the trust database if not already setup.
Click on "trusted certificate authority", and click Next.
Paste in the trusted root for the unknown CA, and then complete the rest of the wizard steps.

https://

When installing the Certificate Manager as a subordinate CA with the option for issuance of wTLS-compliant certificates enabled, if you send the request for the CA signing certificate automatically and if the request is submitted to the remote Certificate Manager successfully, the resulting message does not show the request ID. However, when you proceed with your installation steps, you'll see the request ID in the screen that enables you to specify the location of the certificate, and you'll be able to automatically import the already-issued certificate by specifying the request ID. [# 536335]

If you enable an outbound LDAP connection from Certificate Management System, (for example, for publishing or authentication), make sure you specify the correct port. If you turn on SSL, but specify the regular, non-SSL LDAP port, the console may hang when the LDAP settings are changed. [# 399543]

In the Console page for setting up LDAP publishing, there are input fields for entering values for the DNComps, filterComps, and baseDN parameters. Although value for either DNComps or baseDN is required, the UI gives the impression that values must be entered in both the fields. [# 331081]

If a DN (either issuer DN or subject DN) contains special characters defined in RFC-1779, the characters will be automatically prefixed with a backward slash (\) upon displaying. This slash may give you the wrong impression that a slash character is included in the DN, and it is not consistent with the behaviour of Communicator that shows no slash character in such case. [# 351774]

If clicking the Help button on the Console interface does not bring up the help text, Exit Communicator and click the Help button again. If the problem persists, reinstall Communicator. [# 399146]

If you experience hard to read fonts when redirecting a console on Unix to another X Server, you could try to rename the file <server_root>/bin/base/jre/lib/font.properties to font.properties.old, and restart the console.

See also the ones listed under Administration Server and Starting/Stopping the Server sections.

wTLS

This version of Certificate Management System supports issuance of Wireless Transport Layer Security (wTLS)-compliant certificates for use with wireless applications/devices. During the installation of a standalone Certificate Manager or Registration Manager, you're given the opportunity to specify whether to turn this feature on. If you do, the appropriate enrollment forms get installed and you can see them in the End Entity Services interface of the CMS manager.

wTLS certificate enrollment does not work with CMC and CRMF requests. [# 529320]

wTLS CA does not support CSR in CMC or CRMF.

This release does not support renewal of wTLS-compliant certificates; the Renewal tab of the Certificate Manager does not include any forms for renewing these certificates.

For More Information

Your feedback is welcome and extremely helpful for improving the product. Before contacting us to request assistance, please check the documentation for this release. If you need further assistance or information about Certificate Management System or if you need to report problems with this product, contact technical support. You may also contact us through our newsgroup for support, questions, answers, and the latest information:

snews://secnews.netscape.com/netscape.dev.certificate

You might also find it useful to subscribe to the following newsgroups, where security- and directory related topics are discussed:

snews://secnews.netscape.com/netscape.dev.ssl
snews://secnews.netscape.com/netscape.dev.security
snews://secnews.netscape.com/netscape.dev.directory

So that we can best assist you in resolving problems, please be sure to include the following information:

Description of the problem, including the situation where the problem occurs and its impact on your operation
Machine type, operating system version, and product version, including any patches and other software that might be affecting the problem
Detailed steps on the methods you have used to reproduce the problem
Any error logs or core dumps

For problems involving the use of certificates issued by Certificate Management System in other products, include the product name (for example, Netscape Communicator or Netscape 6), the release number, and platform information for those products as well.

Use of Netscape Certificate Management System is subject to the terms described in the license agreement accompanying it.
Software applications: © 2001 Sun Microsystems, Inc. Some software code: © 1999, 2001 Netscape Communications Corporation. All rights reserved.

Netscape and the Netscape N logo are registered trademarks of Netscape Communications Corporation in the United States and other countries. Other Netscape logos, product names, and service names are also trademarks of Netscape Communications Corporation, which may be registered in other countries. Other product and brand names are the exclusive property of their respective owners.