Release Notes for Certificate Management System

Version 6.1 (SP 2)

Updated May 5, 2003á

---

These release notes contain the following sections:

• Overview
• Bugs Fixed by this Patch
• Files
• Installation Procedure
• Bug Verification Information

---

Overview

• Provides a new subject directory attributes extension to the profile framework
• Fixes the extended key usage bug where the OCSPSigning bit is added regardless of any agent's modification
• Provides a new private key usage period extension to the profile framework
• Provides capability to use a new othername format that supports string-based input
• Provides capability to specify multiple general names in the configuration of a subject alternative directory attribute extension plugin
• Provides the capability to support multiple OU components
• Provides the capability to add an inhibit any-policy extension to the profile framework
• Fixes the incorrect encoding of the certificate policies policy extension in the old policy framework
• Provides the capability to schedule CRL generation at a specific time

---

Bugs Fixed by this Patch

#613465	-	CRL cache recovery
#615234	-	Missing PrivateKeyUsagePeriodExt
#617020	-	Extended Key Usage policy incorrectly added OCSPSigning
#617023	-	next update grace period
#617025	-	new CRL generation scheduling
#617568	-	OtherName usage on approval page
#618519	-	SubjectDirectoryAttributesExt is not present in the end certificate for request attributes
#619067	-	Subject Alternative Directory attribute supports only one general name configuration
#619068	-	subject name plugin is limited
#619138	-	Inhibit Any-Policy Extension
#619506	-	empty sequence in certificate policies policy
#620052	-	new schema for CRL generation

---

Files

• Readme File
• Installation Script
• Server Jar Files
• Console Jar Files
• Configuration File
• Template Files
• Profile Configuration Files

Readme File

• readme.txt

Installation Script

• install.sh

Server Jar Files

• bin/cert/jars/certsetup.jar
• bin/cert/jars/certsrv.jar
• bin/cert/jars/cms.jar
• bin/cert/jars/cmsbundle.jar
• bin/cert/jars/cmscore.jar
• bin/cert/jars/cmstools.jar
• bin/cert/jars/cmsutil.jar
• bin/cert/jars/nsutil.jar

Console Jar Files

• java/jars/cms61.jar
• java/jars/cms61_en.jar

Configuration File

• config/registry.cfg

Template Files

• web-apps/agent/ca/updateCRL.template
• web-apps/agent/ca/toDisplayCRL.template
• web-apps/agent/ca/toUpdateCRL.template

Profile Configuration Files

• profiles/ca/caCMCUserCert.cfg
• profiles/ca/caDirUserCert.cfg
• profiles/ca/caDualCert.cfg
• profiles/ca/caUserCert.cfg
• profiles/ca/raDirUserCert.cfg
• profiles/ra/raDirUserCert.cfg
• profiles/ra/raDualCert.cfg
• profiles/ra/raUserCert.cfg

---

Installation Procedure

1. Make sure that a CMS 6.1 (SP 1) instance has already been configured.
2. Stop CMS by executing '<server-root>/cert-<id>/stop-cert'
3. Use an editor to edit the installation script, install.sh, and configure the following variables to match your CMS 6.1 (SP 1) installation:
   SERVERROOT
   INSTANCE
   PATCHROOT
4. Execute install.sh.
5. Update the internal directory's schema by starting the console, and for each internal directory instance (i.e. slapd-<id>-db), do the following:
• Start the directory console.
• Select the Configuration tab.
• Select the Schema folder.
• Select the Attributes Tab.
• Click the Create button, and a dialog box will be presented. Fill in the following:
Attribute name: deltaNumber
Syntax: DirectoryString
• Click the OK button.
• Click the OK button.
• Click the Create button, and a dialog box will be presented. Fill in the following:
Attribute name: deltaSize
Syntax: DirectoryString
• Click the OK button.
• Click the OK button.
• Select the Object Classes tab.
• Select the crlissuingpointrecord under Object Classes.
• Click the Edit button.
• Select the deltaNumber under Available Attributes.
• Click the Add button for Allowed Attributes.
• Select the deltaSize under Available Attributes.
• Click the Add button for Allowed Attributes.
• Click the OK button.
6. Stop the console.
7. Update CMS's configuration file, CMS.cfg.
8. Change directory to '<server-root>/cert-<id>/config.
9. Open CMS.cfg and search for all CRL issuing points. The default id for CRL issuing points is MasterCRL. Add following lines to each CRL issuing point:
ca.crl.<issuing-point-id>.alwaysUpdate=false
ca.crl.<issuing-point-id>.caCertsOnly=false
ca.crl.<issuing-point-id>.dailyUpdates=0:00
ca.crl.<issuing-point-id>.enable=true
ca.crl.<issuing-point-id>.enableCRLUpdates=true
ca.crl.<issuing-point-id>.enableCacheRecovery=false
ca.crl.<issuing-point-id>.enableDailyUpdates=false
ca.crl.<issuing-point-id>.enableUpdateInterval=true
ca.crl.<issuing-point-id>.includeExpiredCerts=false
ca.crl.<issuing-point-id>.minUpdateInterval=0
ca.crl.<issuing-point-id>.nextUpdateGracePeriod=0
ca.crl.<issuing-point-id>.publishOnStart=false
ca.crl.<issuing-point-id>.signingAlgorithm=SHA1withRSA
ca.crl.<issuing-point-id>.updateSchema=1
10. Start CMS by executing '<server-root>/cert-<id>/start-cert'.
11. Start the Console.

---

Bug Verification Information

• Verifying #615234 - Missing PrivateKeyUsagePeriodExt
• Verifying #617020 - Extended Key Usage policy incorrectly added OCSPSigning
• Verifying #617568 - OtherName usage on approval page
• Verifying #618519 - SubjectDirectoryAttributesExt is not present in the end certificate for Request Attribute
• Verifying #619067 - Subject Alternative Name Extension needs to support multiple general names
• Verifying #619068 - subject name plugin is limited
• Verifying #619138 - Inhibit Any-Policy Extension
• Verifying #619506 - empty sequence in certificate policies policy

Verifying #615234 - Missing PrivateKeyUsagePeriodExt

1. Enable the PrivateKeyUsagePeriodExt Extension:
• Disable the Profile for configuration changes:
• Access the agent interface.
• Select "Manage Certificate Profiles".
• Select the "Manual Server Certificate Enrollment" profile.
• Click the Disable button.
• Access the CMS console.
• Click Certificate Manager --> Certificate Profiles node in the tree menu.
• Select the caServerCert profile.
• Click Edit.
• Select the Add button to add new profile policy.
• Select Private Key Period Extension and No Constraint, and fill in the following:
Policy Set Id: serverCertSet
Policy Id: zzz
puCritical: false
puStartTime: 0
puDurationInDays: 30
• Click the OK button.
• Click the OK button.
2. Enable the "Manual Server Certificate Enrollment" profile:
• Access the agent interface.
• Select "Manage Certificate Profiles".
• Select the "Manual Server Certificate Enrollment" profile.
• Click the Approve button.
3. Submit a Request:
• Access the end-entity interface.
• Select the "Manual server Certificate Enrollment" profile, and fill in the following:
Certificate Request Type: PKCS10
Certificate Request:


-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBxDCCAS0CAQAwUDELMAkGA1UEBhMCVVMxDDAKBgNVBAoTA2FvbDERMA8GA1UE
CxMIbmV0c2NhcGUxIDAeBgNVBAMTF3BjNjY1NDM5Lm5zY3AuYW9sdHcubmV0MIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCltyUhmLIqzyGMUZIlB+xrr49klpMO
5Rl4I5QSYGNNuS+L5H8UXvhW9hKk1w+ofT3Ey9UT2L0touc2bpJbhHVhXmPcqOy3
pNOsCxRD4DcwMmf38TnzgZiPEIODwO5kl07WvcbREDcezWzyjNf/aQ04nWbFZ4Dp
VYHWUQW1Y0/f0QIDAQABoDQwMgYJKoZIhvcNAQkOMSUwIzARBglghkgBhvhCAQEE
BAMCBsAwDgYDVR0PAQH/BAQDAgWgMA0GCSqGSIb3DQEBBAUAA4GBAFlW0dnfJ0xy
ka8H/NX3C8jyKUc+vUpvG/g0ViAwKxK4Q3CYhouy4/pOKgYpF2KRK/j7oxfgNlPx
BfRtwLotXzt5EzHLzVfGBD4OsDPqsNcPqS67uA3qaVs89lwydPgbNh2Rgo+yjNtt
qVMkhKW06R3dr5IYuSO5VWeSkS9238iu
-----END NEW CERTIFICATE REQUEST-----

Requestor Name: Joe Smith
Requestor Email: joesmith@netscape.com
Requestor Phone: 123-456
• Click Submit.
4. Approve the Request:
• Access the agent interface.
• Approve the submitted request.
5. The issued certificate should contain the following:

      ...
                Identifier: Private Key Usage: - 2.5.29.16
                     Critical: no 
                     Validity:
                         Not Before: Monday, April 7, 2003
                         Not  After: Wednesday, May 7, 2003
      ...

Verifying #617020 - Extended Key Usage policy incorrectly added OCSPSigning

1. Enable the Extended Key Usage Extension:
• Disable the Profile for configuration changes:
• Access the Agent interface.
• Select "Manage Certificate Profiles".
• Select the "Manual Server Certificate Enrollment" profile.
• Click the Disable button.
• Access the CMS console.
• Click Certificate Manager --> Certificate Profiles node in the tree menu.
• Select the caServerCert profile.
• Click Edit.
• Select the Add button to add a new profile policy.
• Select Extended Key Usage Extension and No Constraint, and fill in the following:
Policy Set Id: serverCertSet
Policy Id: xxx
exKeyUsageCritical: false
exKeyUsageOIDs: 1.2.3.4
• Click OK.
• Click OK.
2. Enable the "Manual Server Certificate Enrollment" profile:
• Access the Agent interface.
• Select "Manage Certificate Profiles".
• Select the "Manual Server Certificate Enrollment" profile.
• Click the Approve button.
3. Submit a Request:
• Access the end-entity interface.
• Select the "Manual server Certificate Enrollment" profile, and fill in the following:
Certificate Request Type: PKCS10
Certificate Request:


-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBxDCCAS0CAQAwUDELMAkGA1UEBhMCVVMxDDAKBgNVBAoTA2FvbDERMA8GA1UE
CxMIbmV0c2NhcGUxIDAeBgNVBAMTF3BjNjY1NDM5Lm5zY3AuYW9sdHcubmV0MIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCltyUhmLIqzyGMUZIlB+xrr49klpMO
5Rl4I5QSYGNNuS+L5H8UXvhW9hKk1w+ofT3Ey9UT2L0touc2bpJbhHVhXmPcqOy3
pNOsCxRD4DcwMmf38TnzgZiPEIODwO5kl07WvcbREDcezWzyjNf/aQ04nWbFZ4Dp
VYHWUQW1Y0/f0QIDAQABoDQwMgYJKoZIhvcNAQkOMSUwIzARBglghkgBhvhCAQEE
BAMCBsAwDgYDVR0PAQH/BAQDAgWgMA0GCSqGSIb3DQEBBAUAA4GBAFlW0dnfJ0xy
ka8H/NX3C8jyKUc+vUpvG/g0ViAwKxK4Q3CYhouy4/pOKgYpF2KRK/j7oxfgNlPx
BfRtwLotXzt5EzHLzVfGBD4OsDPqsNcPqS67uA3qaVs89lwydPgbNh2Rgo+yjNtt
qVMkhKW06R3dr5IYuSO5VWeSkS9238iu
-----END NEW CERTIFICATE REQUEST-----

Requestor Name: Joe Smith
Requestor Email: joesmith@netscape.com
Requestor Phone: 123-456
• Click Submit.
4. Approve the Request:
• Access the agent interface.
• Approve the submitted request.
5. The issued certificate should contain the following:

     ...
                Identifier: Extended Key Usage: - 2.5.29.37
                     Critical: no 
                     Extended Key Usage: 
                         1.2.3.4
     ...

Verifying #617568 - OtherName usage on approval page

1. Submit a Request:
• Access the End-Entity interface.
• Select "Manual User Dual-Use Certificate Enrollment", and fill in the following:
UID: joesmith
Email: joesmith@netscape.com
Common Name: Joe Smith
Organizationl Unit: Netscape
Organization: AOL
Country: US
Requestor Name: Joe Smith
Requestor Email: joesmith@netscape.com
Requestor Phone: 123-456
• Click Submit to submit the request.
2. Approve the Request:
• Access the Agent interface.
• Select "List Requests".
• Click the "Find" button.
• Click the "Details" button on the submitted request.
• In the Subject Alternative name extension section, replace:
RFC822Name: joesmith@netscape.com
with
OtherName: (PrintableString)1.2.3.4,testing
3. Click the submit button.
4. You should see the following extension in the certificate:

     ...
         Identifier: Subject Alternative Name - 2.5.29.17
              Critical: no 
              Value: 
              OtherName: (PrintableString)1.2.3.4,testing
     ...

Verifying #618519 - SubjectDirectoryAttributesExt is not present in the end certificate for Request Attribute

1. Setup Directory-based Authentication:
• Access the CMS console.
• Click the Configuration Tab.
• Click the Authentication node in the tree menu.
• Click Add in the Authentication Instance panel.
• Select UidPwdDirAuth.
• Click the Next button, and fill in the following information:
Authentication Instance ID: UserDirEnrollment
ldapStringAttributes: businesscategory,employeetype
ldap.ldapconn.host: <host of configuration directory>
ldap.ldapconn.port: <port of configuration directory>
ldap.basedn: <base DN>
• Click OK.
2. Create a user in the configuration directory:
• Access the Configuration Directory console.
• Click the Directory Tab.
• Select the <base DN> (for example, dc=netscape, dc=com).
• Right click and select New --> User.
• Create a user with the following information:
First Name: Joe
Last Name: Smith
Common Name(s): Joe Smith
User ID: joesmith
Password: netscape
Confirm Password: netscape
• Click the Advanced properties button:
• Click the Add Attribute.
• Select businesscategory, and employeetype, and fill in the following:
employeetype: fulltime
businesscategory: engineering
• Click OK.
• Click OK.
3. Enable the Subject Directory Attribute Extension:
• Disable the Profile for configuration changes:
• Access the Agent interface.
• Select "Manage Certificate Profiles".
• Select the "Directory-Based User Dual-Use Certificate Enrollment" profile.
• Click the Disable button.
• Access the CMS console.
• Click Certificate Manager --> Certificate Profiles node in the tree menu.
• Select the caDirUserCert profile.
• Click Edit.
• Select the Add button to add new profile policy.
• Select Subject Directory Attributes Extension and No Constraint, and fill in the following information:
Policy Set Id: userCertSet
Policy Id: subjDir
subjDirAttrsCritical: false
subjDirAttrName_0: 1.2.3.4
subjDirAttrPattern_0: $request.auth_token.businesscategory[0]$
subjDirAttrEnable_0: true
subjDirAttrName_1: 1.2.3.5
subjDirAttrPattern_1: $request.auth_token.employeetype[0]$
subjDirAttrEnable_1: true
• Click OK.
• Click OK.
• Enable Profile for configuration changes.
• Access the Agent interface.
• Approve the "Directory-Based User Dual-Use Certificate Enrollment" profile.
4. Submit an Enrollment Request
• Access the End-Entity interface.
• Select Enrollment --> List Certificate Profiles.
• Select "Directory-Based User Dual-Use Certificate Enrollment", and fill in the following:
Ldap User Id: joesmith
Ldap User Password: netscape
• Click the submit button.
5. Validate the Subject Directory Attributes Extension in the Certificate.
• Check the Subject Directory Attributes extension.

Verifying #619067 - Subject Alternative Name Extension needs to support multiple general names

1. Setup Directory-based Authentication:
• Enable multiple subject alternative name configuration:
• Stop CMS.
• Update the parameter in <server-root>/profiles/ca/caUserCert.cfg from:
policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
to
policyset.userCertSet.8.default.params.subjAltNameNumGNs=2
• Start CMS.
• Enable the Extended Subject Alternative Extension Extension.
• Disable the Profile for configuration changes:
• Access the Agent interface.
• Select "Manage Certificate Profiles".
• Select the "Manual User Dual-Use Certificate Enrollment" profile.
• Click the Disable button.
• Access the CMS console.
• Click the Certificate Manager --> Certificate Profiles node in the tree menu.
• Select the caUserCert profile.
• Click Edit.
• Select Id 8 (Subject Alt Name Extension Default).
• Click Edit, and fill in (select) the following test data:
subjAltNameExtCritical: false
subjAltExtType_0: RFC822Name
subjAltExtPattern_0: $Request.requestor_email$
SubjAltExtGNEnable_0: true
subjAltExtType_1: URIName
subjAltExtPattern_1: http://www.netscape.com
SubjAltExtGNEnable_1: true
• Click OK.
• Click OK.
2. Enable the "Manual User Dual-Use Certificate Enrollment" profile:
• Access the Agent interface.
• Select "Manage Certificate Profiles".
• Select the "Manual User Dual-Use Certificate Enrollment" profile.
• Click the Approve button.
3. Submit a Request:
• Access the end-entity interface.
• Select the "Manual User Dual-Use Certificate Enrollment" profile.
• Fill in all enrollment info (assuming requestor email is ii@netscape.com)
• Click Submit.
4. Approve the Request.
• Access the agent interface.
• Approve the submitted request.
5. The issued certificate should contain the following:

     ...
                Identifier: Subject Alternative Name - 2.5.29.17
                    Critical: no 
                    Value: 
                        RFC822Name: ii@netscape.com
                        URIName: http://cfu.netscape.com
     ...

Verifying #619068 - subject name plugin is limited

1. Access the End-Entity Service.
2. Select List Certificate Policies.
3. Select the "Manual User Signing & Encryption Certificates Enrollment" profile.
4. You should see new CN, OU fields.

Verifying #619138 - Inhibit Any-Policy Extension

1. cd <server-root>/cert-<id>/. Stop the server by typing stop-cert.
2. cd <server-root>/cert-<id>/config. Edit the file called registry.cfg.
• Search for the line starting with "defaultPolicy.ids=", and then append a line with the new id "inhibitAnyPolicyExtDefaultImpl" separated by a comma.
• Next, add the following lines under the line starting with "defaultPolicy.ids=":
defaultPolicy.inhibitAnyPolicyExtDefaultImpl.class=com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
defaultPolicy.inhibitAnyPolicyExtDefaultImpl.desc=Inhibit Any-Policy Extension Default
defaultPolicy.inhibitAnyPolicyExtDefaultImpl.name=Inhibit Any-Policy Extension Default
3. cd <server-root>/cert-<id>/. Start the server by typing start-cert.
4. Add the Inhibit Any-Policy extension to the specified profile:
• Go to the agent page by typing https://<hostname>:<agent-port>.
• Select "Manage Certificate Profiles" on the left hand panel.
• Select the profile you would like to add the Inhibit Any-Policy extension to.
• Click the Disable button at the bottom of the profile page.
• Go back to the CMS console.
• Click the Configuration tab.
• Depending on which subsystem gets installed, the Certificate Manager folder will be shown on the left-hand panel if the Certificate Manager subsystem is installed. The Registration Manager folder will be shown on the left-hand panel if the Registration Manager subsystem is installed.
• Open the subsystem folder (Certificate Manager or Registration Manager), and select the Certificate Profiles node.
• Select the disabled profile from the table shown on the right-hand panel.
• Click the Edit button to open the "Certificate Profile Rule Editor".
• Click the Add button to open the "Certificate Profile Policy Editor".
• Select the "Inhibit Any-Policy Extension Default" from the top list and select the "No Constraint" option from the bottom list.
• Click OK to open the "New Certificate Profile Editor", and fill in all the information in the Editor window:
Policy Set Id:
Policy Id:
critical: false
skipCerts: 1
• Click OK to save the data.
• Click OK to dismiss the "Certificate Profile Rule Editor".
• Go to the agent page by typing https://<hostname>:<agent-port>.
• Select "Manage Certificate Profiles" on the left-hand panel.
• Select the profile you just disabled.
• Click the Approve button at the bottom of the profile page to enable the profile.
5. Submit a Certificate Request.
6. Approve the Certificate Request. The issued certificate should contain the following:

     ...
               Identifier: Inhibit Any-Policy - 2.5.29.54
                     Critical: no
                     Skip Certs: 1
     ...

Verifying #619506 - empty sequence in certificate policies policy

1. Enable Policies enrollment forms:
• Go to the following directory:
  <server-root>/cert-<id>/web-apps/ee/<subsystem-id>/policyEnrollment
• cp *.html ../.
2. Refresh your browser for the EE page.
3. Set up CertificatePoliciesExt:
• Access the CMS console.
• Click Certificate Manager --> Policies.
• Select CertificatePoliciesExt.
• Click Edit.
• Click Enable.
• Enter certPolicy0.policyId: 1.2.3.4 (do not fill out other fields).
• Click OK.
4. Submit a Request:
• Access the end-entity interface.
• At Manual Enrollment, fill in info.
5. Approve the Request:
• Access the agent interface.
• Approve the submitted request.
6. The issued certificate should contain a field like the following:

         ...
                Identifier:  CertificatePolicies - 2.5.29.32
                    Critical: no 
                    Value: 
                        30:07:30:05:06:03:2A:03:04
         ...
Use your favorite ASN.1 decoder
(i. e. - <server-root>/bin/cert/tools/dumpasn1) to decode the Base-64
encoded blob.  You should not see any empty sequences.

Use of this product is subject to the License accompanying the product. Copyright © 2001 Sun Microsystems, Inc.
Portions copyright © 1999, 2002-2003 Netscape Communications Corporation. All rights reserved.