Index

A

active logs
default file location, Configuring Subsystem Logs
message categories, Services That Are Logged
adding
extensions
to CRLs, Setting CRL Extensions
adding new directory attributes, Adding New or Custom Attributes
administrators
creating, Creating Users
deleting, Deleting a Certificate System User
modifying
group membership, Changing Members in a Group
sudo permissions for, Setting sudo Permissions for Certificate System Services
agent certificate
requesting, Requesting and Receiving a User or Agent Certificate through the End-Entities Page
agents
creating, Creating Users
deleting, Deleting a Certificate System User
enrolling users in person, Certificate Revocation Pages
modifying
group membership, Changing Members in a Group
role defined, Agents
See also Agent Services interface, Agents
archiving
rotated log files, Log File Rotation
users' private encryption keys, Setting up Key Archival and Recovery
Audit log
defined, Transactions Log
auditors
creating, Creating Users
authentication
during certificate revocation, User-Initiated Revocation
managing through the Console, Setting up PIN-Based Enrollment
authentication modules
agent initiated user enrollment, Certificate Revocation Pages
deleting, Registering Custom Authentication Plug-ins
registering new ones, Registering Custom Authentication Plug-ins
authorityInfoAccess, authorityInfoAccess
authorityKeyIdentifier, Setting Restrictions on CA Certificates , authorityKeyIdentifier, authorityKeyIdentifier
automatic revocation checking, Enabling Automatic Revocation Checking on the CA

B

backing up the Certificate System, Backing up and Restoring Certificate System
backups, Backing up and Restoring Certificate System
base-64 encoded file
viewing content, Viewing Certificates and CRLs Published to File
basicConstraints, basicConstraints
bridge certificates, Using Cross-Pair Certificates
buffered logging, Buffered and Unbuffered Logging

C

CA
configuring ECC signing algorithm, Setting the Signing Algorithms for Certificates
enabling SCEP enrollments, Enabling SCEP Enrollments
prompting for subsystem passwords
existing instance, Configuring Existing CA, KRA, TKS, TPS, and OCSP Instances to Prompt for Passwords
SCEP settings, Configuring Security Settings for SCEP
CA certificate mapper, LdapCaSimpleMap
CA certificate publisher, LdapCaCertPublisher, LdapCertificatePairPublisher
CA signing certificate, CA Signing Key Pair and Certificate
changing trust settings of, Changing the Trust Settings of a CA Certificate
deleting, Deleting Certificates from the Database
nickname, CA Signing Key Pair and Certificate
requesting, Requesting Certificates through the Console
viewing details of, Viewing Database Content through the Console
certificate
viewing content, Viewing Certificates and CRLs Published to File
certificate chains
installing in the certificate database, Installing Certificates through the Console
why install, About CA Certificate Chains
certificate database
how to manage, Managing the Certificate Database
what it contains, Managing the Certificate Database
where it is maintained, Managing the Certificate Database
Certificate Manager
administrators
creating, Creating Users
agents
creating, Creating Users
configuring
SMTP settings for notifications, Configuring a Mail Server for Certificate System Notifications
key pairs and certificates
CA signing certificate, CA Signing Key Pair and Certificate
OCSP signing certificate, OCSP Signing Key Pair and Certificate
SSL server certificate, SSL Server Key Pair and Certificate
subsystem certificate, Subsystem Certificate
TLS CA signing certificate, OCSP Signing Key Pair and Certificate
manual updates to publishing directory, Updating Certificates and CRLs in a Directory
serial number range, Changing the Restrictions for CAs on Issuing Certificates
certificate profiles
signing algorithms, Setting the Signing Algorithms for Certificates
Windows smart card login, Using the Windows Smart Card Logon Profile
certificate renewal, Configuring Profiles to Enable Renewal
certificate revocation
authentication during, User-Initiated Revocation
reasons for, Reasons for Revoking a Certificate
who can revoke certificates, Reasons for Revoking a Certificate
Certificate Setup Wizard
using to install certificate chains, Installing Certificates through the Console
using to install certificates, Installing Certificates through the Console
Certificate System
backing up, Backing up and Restoring Certificate System
restoring, Backing up and Restoring the Instance Directory
Certificate System Console
configuring authentication, Setting up Directory-Based Authentication, Setting up PIN-Based Enrollment
Certificate System console
managing logs, Viewing Logs
Certificate System data
where it is stored, Configuring the LDAP Database
certificateIssuer, certificateIssuer
certificatePolicies, certificatePoliciesExt
certificates
extensions for, Setting Restrictions on CA Certificates , Defaults, Constraints, and Extensions for Certificates and CRLs
how to revoke, Reasons for Revoking a Certificate
installing, Installing Certificates in the Certificate System Database
publishing to files, Publishing to Files
publishing to LDAP directory
required schema, Configuring the LDAP Directory
revocation reasons, Reasons for Revoking a Certificate
signing algorithms, Setting the Signing Algorithms for Certificates
certutil
requesting certificates, Requesting Certificates Using certutil
changing
DER-encoding order of DirectoryString, Changing the DER-Encoding Order
group members, Changing Members in a Group
trust settings in certificates, Changing the Trust Settings of a CA Certificate
why would you change, Changing the Trust Settings of a CA Certificate
cms.passwordlist, Requiring System Password Prompts
command-line utilities
for adding extensions to Certificate System certificates, Requesting Signing Certificates, Requesting Other Certificates
configuration file, CS.cfg Files
CS.cfg, Overview of the CS.cfg Configuration File
format, Overview of the CS.cfg Configuration File
CRL
viewing content, Viewing Certificates and CRLs Published to File
CRL Distribution Point extension, CRL Issuing Points
CRL extension modules
CRLReason, Freshest CRL Extension Default
CRL publisher, LdapCrlPublisher
CRL signing certificate, About Revoking Certificates
requesting, Requesting Certificates through the Console
cRLDistributionPoints, CRLDistributionPoints
CRLNumber, CRLNumber
CRLReason, CRLReason
CRLs
defined, About Revoking Certificates
entering multiple update times, Configuring CRLs for Each Issuing Point
entering update period, Configuring CRLs for Each Issuing Point
extension-specific modules, About CRL Extensions
extensions for, Standard X.509 v3 CRL Extensions Reference
issuing or distribution points, CRL Issuing Points
publishing of, About Revoking Certificates
publishing to files, Publishing to Files
publishing to LDAP directory, Publishing CRLs, LDAP Publishing
required schema, Configuring the LDAP Directory
supported extensions, About Revoking Certificates
when automated updates take place, About Revoking Certificates
when generated, About Revoking Certificates
who generates it, About Revoking Certificates
cross-pair certificates, Using Cross-Pair Certificates
CS.cfg, CS.cfg Files
comments and TPS, Overview of the CS.cfg Configuration File

D

deleting
authentication modules, Registering Custom Authentication Plug-ins
log modules, Managing Log Modules
mapper modules, Registering Custom Mapper and Publisher Plug-in Modules
privileged users, Deleting a Certificate System User
publisher modules, Registering Custom Mapper and Publisher Plug-in Modules
deltaCRLIndicator, deltaCRLIndicator
DER-encoded file
viewing content, Viewing Certificates and CRLs Published to File
DER-encoding order of DirectoryString, Changing the DER-Encoding Order
directory
removing expired certificates from, unpublishExpiredCerts (UnpublishExpiredJob)
directory attributes
adding new, Adding New or Custom Attributes
supported in CS, Changing DN Attributes in CA-Issued Certificates
distinguished name (DN)
extending attribute support, Changing DN Attributes in CA-Issued Certificates
DN components mapper, LdapDNCompsMap
downloading certificates, Installing Certificates in the Certificate System Database

E

ECC
configuring, Setting the Signing Algorithms for Certificates
requesting, Requesting Certificates Using certutil
encrypted file system (EFS), Extended Key Usage Extension Default
end-entity certificate publisher, LdapUserCertPublisher
end-entity certificates
renewal, Configuring Profiles to Enable Renewal
enrollment
agent initiated, Certificate Revocation Pages
Error log
defined, Tomcat Error and Access Logs
expired certificates
removing from the directory, unpublishExpiredCerts (UnpublishExpiredJob)
Extended Key Usage extension
OIDs for encrypted file system, Extended Key Usage Extension Default
extending directory-attribute support in CS, Changing DN Attributes in CA-Issued Certificates
extensions, Setting Restrictions on CA Certificates , Defaults, Constraints, and Extensions for Certificates and CRLs
an example, Standard X.509 v3 Certificate Extension Reference
authorityInfoAccess, authorityInfoAccess
authorityKeyIdentifier, Setting Restrictions on CA Certificates , authorityKeyIdentifier, authorityKeyIdentifier
basicConstraints, basicConstraints
CA certificates and, Setting Restrictions on CA Certificates
certificateIssuer, certificateIssuer
certificatePolicies, certificatePoliciesExt
cRLDistributionPoints, CRLDistributionPoints
CRLNumber, CRLNumber
CRLReason, CRLReason
deltaCRLIndicator, deltaCRLIndicator
extKeyUsage, extKeyUsage
invalidityDate, invalidityDate
issuerAltName, issuerAltName Extension, issuerAltName
issuingDistributionPoint, issuingDistributionPoint
keyUsage, keyUsage
nameConstraints, nameConstraints
netscape-cert-type, netscape-cert-type
Netscape-defined, Netscape-Defined Certificate Extensions Reference
policyConstraints, policyConstraints
policyMappings, policyMappings
privateKeyUsagePeriod, privateKeyUsagePeriod
subjectAltName, subjectAltName
subjectDirectoryAttributes, subjectDirectoryAttributes
tool for joining, Requesting Signing Certificates, Requesting Other Certificates
tools for generating, Requesting Signing Certificates, Requesting Other Certificates
X.509 certificate, summarized, Standard X.509 v3 Certificate Extension Reference
X.509 CRL, summarized, Standard X.509 v3 CRL Extensions Reference
extKeyUsage, extKeyUsage

F

Federal Bridge Certificate Authority, Using Cross-Pair Certificates
file-based publisher, FileBasedPublisher
flush interval for logs, Buffered and Unbuffered Logging

G

groups
changing members, Changing Members in a Group

H

host name
for mail server used for notifications, Configuring a Mail Server for Certificate System Notifications
how to revoke certificates, Reasons for Revoking a Certificate

I

installing certificates, Installing Certificates in the Certificate System Database
internal database
default hostname, Changing the Internal Database Configuration
precaution for changing the hostname, Changing the Internal Database Configuration
defined, Configuring the LDAP Database
how to distinguish from other Directory Server instances, Restricting Access to the Internal Database
name format, Restricting Access to the Internal Database
schema, Configuring the LDAP Database
what is it used for, Configuring the LDAP Database
when installed, Configuring the LDAP Database
invalidityDate, invalidityDate
IPv6
and SCEP certificates, Generating the SCEP Certificate for a Router
issuerAltName, issuerAltName Extension, issuerAltName
issuingDistributionPoint, issuingDistributionPoint

J

job modules
registering new ones, Registering a Job Module
jobs
built-in modules
unpublishExpiredCerts, unpublishExpiredCerts (UnpublishExpiredJob)
compared to plug-in implementation, About Automated Jobs
configuring job notification messages, Customizing CA Notification Messages, Setting up Automated Jobs
setting frequency, Setting up the Job Scheduler
specifying schedule for, Frequency Settings for Automated Jobs
turning on scheduler, Setting up the Job Scheduler

K

key archival, About Key Archival and Recovery
how keys are stored, About Key Archival and Recovery
how to set up, Manually Setting up Key Archival
reasons to archive, About Key Archival and Recovery
key recovery, About Key Archival and Recovery
how to set up, Setting up Agent-Approved Key Recovery Schemes
Key Recovery Authority
administrators
creating, Creating Users
agents
creating, Creating Users
key pairs and certificates
list of, Key Recovery Authority Certificates
storage key pair, Storage Key Pair
subsystem certificate, Subsystem Certificate
transport certificate, Transport Key Pair and Certificate
setting up
key archival, Manually Setting up Key Archival
key recovery, Setting up Agent-Approved Key Recovery Schemes
keyUsage, keyUsage
KRA
prompting for subsystem passwords
existing instance, Configuring Existing CA, KRA, TKS, TPS, and OCSP Instances to Prompt for Passwords
KRA transport certificate
requesting, Requesting Certificates through the Console

L

LDAP publishing
defined, LDAP Publishing
manual updates, Updating Certificates and CRLs in a Directory
when to do, Manually Updating Certificates in the Directory
who can do this, Updating Certificates and CRLs in a Directory
location of
active log files, Configuring Subsystem Logs
log modules
deleting, Managing Log Modules
registering new ones, Managing Log Modules
logging
buffered vs. unbuffered, Buffered and Unbuffered Logging
log files
archiving rotated files, Log File Rotation
default location, Configuring Subsystem Logs
signing rotated files, Signing Log Files
timing of rotation, Log File Rotation
log levels, Log Levels (Message Categories)
default selection, Log Levels (Message Categories)
how they relate to message categories, Log Levels (Message Categories)
significance of choosing the right level, Log Levels (Message Categories)
managing from Certificate System console, Viewing Logs
services that are logged, Services That Are Logged
types of logs, Configuring Subsystem Logs
Audit, Transactions Log
Error, Tomcat Error and Access Logs

M

mail server used for notifications, Configuring a Mail Server for Certificate System Notifications
managing
certificate database, Managing the Certificate Database
mapper modules
deleting, Registering Custom Mapper and Publisher Plug-in Modules
registering new ones, Registering Custom Mapper and Publisher Plug-in Modules
mappers
created during installation, Creating Mappers, LdapCaSimpleMap, LdapSimpleMap
mappers that use
CA certificate, LdapCaSimpleMap
DN components, LdapDNCompsMap
modifying
privileged user's group membership, Changing Members in a Group

N

Name extension modules
Issuer Alternative Name, Issuer Alternative Name Extension Default
nameConstraints, nameConstraints
naming convention
for internal database instances, Restricting Access to the Internal Database
netscape-cert-type, netscape-cert-type
nickname
for CA signing certificate, CA Signing Key Pair and Certificate
for OCSP signing certificate, OCSP Signing Key Pair and Certificate
for signing certificate, OCSP Signing Key Pair and Certificate
for SSL server certificate, SSL Server Key Pair and Certificate, SSL Server Key Pair and Certificate
for subsystem certificate, Subsystem Certificate, Subsystem Certificate, Subsystem Certificate
for TLS signing certificate, OCSP Signing Key Pair and Certificate
notifications
configuring the mail server
hostname, Configuring a Mail Server for Certificate System Notifications
port, Configuring a Mail Server for Certificate System Notifications
to agents about unpublishing certificates, unpublishExpiredCerts (UnpublishExpiredJob)

O

OCSP
prompting for subsystem passwords
existing instance, Configuring Existing CA, KRA, TKS, TPS, and OCSP Instances to Prompt for Passwords
OCSP publisher, OCSPPublisher
OCSP signing certificate, OCSP Signing Key Pair and Certificate
nickname, OCSP Signing Key Pair and Certificate
requesting, Requesting Certificates through the Console
Online Certificate Status Manager
administrators
creating, Creating Users
agents
creating, Creating Users
key pairs and certificates
signing certificate, OCSP Signing Key Pair and Certificate
SSL server certificate, SSL Server Key Pair and Certificate
subsystem certificate, Subsystem Certificate

P

password.conf
configuring contents, Configuring the password.conf File
configuring location, Configuring the password.conf File
contents, Configuring the password.conf File
removing, Requiring System Password Prompts
passwords
configuring the password.conf file, Configuring the password.conf File
for subsystem instances, Managing System Passwords
prompting for (without password.conf), Requiring System Password Prompts
required at startup, Requiring System Password Prompts
used by subsystem instances, Managing System Passwords
PIN Generator tool
delivering PINs to users, Setting up PIN-Based Enrollment
plug-in modules
for CRL extensions
CRLReason, Freshest CRL Extension Default
for publishing
FileBasedPublisher, FileBasedPublisher
LdapCaCertPublisher, LdapCaCertPublisher, LdapCertificatePairPublisher
LdapCaSimpleMap, LdapCaSimpleMap
LdapCrlPublisher, LdapCrlPublisher
LdapDNCompsMap, LdapDNCompsMap
LdapUserCertPublisher, LdapUserCertPublisher
OCSPPublisher, OCSPPublisher
for scheduling jobs
unpublishExpiredCerts, unpublishExpiredCerts (UnpublishExpiredJob)
Issuer Alternative Name, Issuer Alternative Name Extension Default
policyConstraints, policyConstraints
policyMappings, policyMappings
ports
for the mail server used for notifications, Configuring a Mail Server for Certificate System Notifications
privateKeyUsagePeriod, privateKeyUsagePeriod
privileged users
deleting, Deleting a Certificate System User
modifying privileges
group membership, Changing Members in a Group
types
agents, Agents
profiles
how profiles work , The Enrollment Profile
prompting for system passwords, Requiring System Password Prompts
publisher modules
deleting, Registering Custom Mapper and Publisher Plug-in Modules
registering new ones, Registering Custom Mapper and Publisher Plug-in Modules
publishers
created during installation, Configuring LDAP Publishers, LdapCaCertPublisher, LdapUserCertPublisher, LdapCertificatePairPublisher
publishers that can publish to
CA's entry in the directory, LdapCaCertPublisher, LdapCrlPublisher, LdapCertificatePairPublisher
files, FileBasedPublisher
OCSP responder, OCSPPublisher
users' entries in the directory, LdapUserCertPublisher
publishing
of certificates
to files, Publishing to Files
of CRLs, About Revoking Certificates
to files, Publishing to Files
to LDAP directory, Publishing CRLs, LDAP Publishing
queue, Enabling a Publishing Queue
(see also publishing queue)
viewing content, Viewing Certificates and CRLs Published to File
publishing directory
defined, LDAP Publishing
publishing queue, Enabling a Publishing Queue
enabling, Enabling a Publishing Queue

R

reasons for revoking certificates, Reasons for Revoking a Certificate
recovering users' private keys, About Key Archival and Recovery
registering
authentication modules, Registering Custom Authentication Plug-ins
custom OIDs, Standard X.509 v3 Certificate Extension Reference
job modules, Registering a Job Module
log modules, Managing Log Modules
mapper modules, Registering Custom Mapper and Publisher Plug-in Modules
publisher modules, Registering Custom Mapper and Publisher Plug-in Modules
requesting certificates
agent certificate, Requesting and Receiving a User or Agent Certificate through the End-Entities Page
CA signing certificate, Requesting Certificates through the Console
CRL signing certificate, Requesting Certificates through the Console
ECC certificates, Requesting Certificates Using certutil
KRA transport certificate, Requesting Certificates through the Console
OCSP signing certificate, Requesting Certificates through the Console
SSL client certificate, Requesting Certificates through the Console
SSL server certificate, Requesting Certificates through the Console
through the Console, Requesting Certificates through the Console
through the end-entities page, Requesting and Receiving a User or Agent Certificate through the End-Entities Page
user certificate, Requesting and Receiving a User or Agent Certificate through the End-Entities Page
using certutil, Requesting Certificates Using certutil
restarting
subsystem instance, Starting, Stopping, and Restarting a PKI Instance
sudo permissions for administrators, Setting sudo Permissions for Certificate System Services
without the java security manager, Starting a Subsystem Instance without the Java Security Manager
restore, Backing up and Restoring the Instance Directory
restoring the Certificate System, Backing up and Restoring the Instance Directory
revoking certificates
reasons, Reasons for Revoking a Certificate
who can revoke certificates, Reasons for Revoking a Certificate
roles
agent, Agents
rotating log files
archiving files, Log File Rotation
how to set the time, Log File Rotation
signing files, Signing Log Files
RSA
configuring, Setting the Signing Algorithms for Certificates

S

SCEP
enabling, Enabling SCEP Enrollments
setting allowed algorithms, Configuring Security Settings for SCEP
setting nonce sizes, Configuring Security Settings for SCEP
using a separate authentication certificate, Configuring Security Settings for SCEP
SCEP certificates
and IPv6, Generating the SCEP Certificate for a Router
setting CRL extensions, Setting CRL Extensions
setting up
key archival, Manually Setting up Key Archival
key recovery, Setting up Agent-Approved Key Recovery Schemes
signing
rotated log files, Signing Log Files
signing algorithms, Setting the Signing Algorithms for Certificates
ECC certificates, Setting the Signing Algorithms for Certificates
RSA certificates, Setting the Signing Algorithms for Certificates
signing certificate, OCSP Signing Key Pair and Certificate
changing trust settings of, Changing the Trust Settings of a CA Certificate
deleting, Deleting Certificates from the Database
nickname, OCSP Signing Key Pair and Certificate
viewing details of, Viewing Database Content through the Console
smart cards
Windows login, Using the Windows Smart Card Logon Profile
SMTP settings, Configuring a Mail Server for Certificate System Notifications
SSL client certificate
requesting, Requesting Certificates through the Console
SSL server certificate, SSL Server Key Pair and Certificate, SSL Server Key Pair and Certificate
changing trust settings of, Changing the Trust Settings of a CA Certificate
deleting, Deleting Certificates from the Database
nickname, SSL Server Key Pair and Certificate, SSL Server Key Pair and Certificate
requesting, Requesting Certificates through the Console
viewing details of, Viewing Database Content through the Console
starting
subsystem instance, Starting, Stopping, and Restarting a PKI Instance
sudo permissions for administrators, Setting sudo Permissions for Certificate System Services
without the java security manager, Starting a Subsystem Instance without the Java Security Manager
stoping
subsystem instance
sudo permissions for administrators, Setting sudo Permissions for Certificate System Services
stopping
subsystem instance, Starting, Stopping, and Restarting a PKI Instance
storage key pair, Storage Key Pair
subjectAltName, subjectAltName
subjectDirectoryAttributes, subjectDirectoryAttributes
subjectKeyIdentifier
subjectKeyIdentifier, subjectKeyIdentifier
subsystem certificate, Subsystem Certificate, Subsystem Certificate, Subsystem Certificate
nickname, Subsystem Certificate, Subsystem Certificate, Subsystem Certificate
subsystems
configuring password file, Configuring the password.conf File
passwords required at startup, Requiring System Password Prompts
subsystems for tokens
Enterprise Security Client, A Review of Certificate System Subsystems
sudo
permissions for administrators, Setting sudo Permissions for Certificate System Services
system passwords
prompting for (without password.conf), Requiring System Password Prompts

T

templates
for notifications, Customizing CA Notification Messages
timing log rotation, Log File Rotation
TKS
prompting for subsystem passwords
existing instance, Configuring Existing CA, KRA, TKS, TPS, and OCSP Instances to Prompt for Passwords
TLS CA signing certificate, OCSP Signing Key Pair and Certificate
nickname, OCSP Signing Key Pair and Certificate
Token Key Service
administrators
creating, Creating Users
agents
creating, Creating Users
tokens
changing password of, Changing a Token's Password
managing, Managing Tokens Used by the Subsystems
viewing which tokens are installed, Viewing Tokens
Windows login, Using the Windows Smart Card Logon Profile
TPS
comments in the CS.cfg file, Overview of the CS.cfg Configuration File
prompting for subsystem passwords
existing instance, Configuring Existing TPS Instances to Prompt for Passwords
setting profiles, Setting Profiles for Users
troubleshooting, Configuring Existing TPS Instances to Prompt for Passwords
users, Creating and Managing Users for a TPS
Windows smart card login, Using the Windows Smart Card Logon Profile
transport certificate, Transport Key Pair and Certificate
changing trust settings of, Changing the Trust Settings of a CA Certificate
deleting, Deleting Certificates from the Database
viewing details of, Viewing Database Content through the Console
when used, About Key Archival and Recovery
trusted managers
deleting, Deleting a Certificate System User
modifying
group membership, Changing Members in a Group

U

unbuffered logging, Buffered and Unbuffered Logging
user certificate
requesting, Requesting and Receiving a User or Agent Certificate through the End-Entities Page
users
creating, Creating Users

W

why to revoke certificates, Reasons for Revoking a Certificate
Windows smart card login, Using the Windows Smart Card Logon Profile