User manual REDHAT NETSCAPE MANAGEMENT SYSTEM 6.01 AGENT GUIDE

[. . . ] Agent's Guide Netscape Certificate Management System Version 6. 01 May 2002 Netscape Communications Corporation ("Netscape") and its licensors retain all ownership rights to the software programs offered by Netscape (referred to herein as "Software") and related documentation. Use of the Software and related documentation is governed by the license agreement for the Software and applicable copyright law. Your right to copy this documentation is limited by copyright law. Making unauthorized copies, adaptations or compilation works is prohibited and constitutes a punishable violation of the law. [. . . ] Most existing software applications that handle certificates support only MD5. This is the default algorithm. 36 Netscape Certificate Management System Agent's Guide · May 2002 Approving Requests r SHA-1 with RSA generates a 160-bit message digest. Before choosing SHA-1, make sure your applications support it. Netscape Navigator 3. 0 (or later) and Enterprise Server 2. 01 (or later) support SHA-1. If your users have previous versions of these applications, choose MD5 as the signature algorithm, or upgrade your users to the most recent version of these applications. Before selecting an algorithm, check with your CMS administrator to make sure that Certificate Management System has the algorithm enabled. 8. Review the unauthenticated request attributes. These attriubutes were submitted by the end entity with the enrollment request. Since these attributes do not come from a trusted source (such as an authentication module in the CMS server), they are "unauthenticated. " Your site policies may or may not require agents to review or validate any of these attributes. These attributes were generated in the CMS server by authentication or policy plug-in modules. They are considered authenticated since they have been validated by or have originated in the CMS server itself. CMS agent, you should indicate this in the last section, labeled Privileges. r 9. 10. If the certificate request is for an SSL client certificate for a CMS manager or a If the request is for a CMS manager's certificate, select the checkbox labeled "This certificate is for a Trusted Manager. " If the request is for a CMS agent's certificate, select the checkbox labeled "This certificate is for a name of manager agent. " r You must also type a user ID for the new manager or agent. This user ID can be the same that you specified in the certificate request, or it can be some other ID that you want to use to identify this agent or manager in the CMS window of Netscape Console, such as Agent1 or RMEng. 11. To approve the request and issue the certificate, open the drop-down menu at the bottom of the page, choose "Accept this request, " then click Do It. Chapter 2 Handling Certificate Requests 37 Approving Requests If the certificate conforms to policy, a page containing the new certificate appears. It includes instructions on how to help the certificate requester install the new certificate. NOTE If, after verifying or attempting to issue the certificate, you receive the error message "The requested signature algorithm is not enabled, " check with your CMS administrator to make sure that the signature algorithm you selected in Step 7 is supported. Sending an Issued Certificate to the Requester When the Certificate Manager has issued a certificate in response to a request, the user who requested it must receive a copy of it to install locally. End users install their own certificates in their client software. Server administrators install their servers' certificates in the servers that they manage. 38 Netscape Certificate Management System Agent's Guide · May 2002 Approving Requests Depending on how your Certificate Management System is configured, an end user who requests a certificate might receive automatic email notification of the success of the request; this email message contains either the certificate itself or a URL from which the user can get the certificate. In this case, you need not take any further action. If your system is not configured for automatic certificate-issuance notification, or if the requester is a server administrator, you must either send the issued certificate to the requester or ask the requester to pick it up from the Certificate Manager's end-entity gateway. Figure 2-2 shows a web page containing a new certificate. This is the page you receive in response to the command "Issue this certificate, " as described in Step 11 in "Approving Requests" on page 33. ) Before you issue the certificate, you should copy the requester's email address. Figure 2-2 A newly issued certificate page Chapter 2 Handling Certificate Requests 39 Approving Requests To copy and mail a new server certificate to the requester, follow these steps: 1. Open a new email message composition window and address it to the requester. From the Agent Services window where the new certificate is displayed, copy only the base-64 encoded certificate. [. . . ] In the left frame, click Add Certificate Authority. In the resulting form, paste the encoded CA signing certificate inside the text area labeled "Base 64 encoded certificate (including header and footer). " Chapter 6 Managing OCSP Service Related Tasks 77 Adding a CRL to Online Certificate Status Manager 12. Click Add. The certificate is added to the internal database of the Online Certificate Status Manager. 13. To verify that the certificate is added successfully, in the left frame, click List Certificate Authorities. [. . . ]