End-Entities

This section describes end-entities. If you already know this material, take the quiz at the end and see whether you can skip this module.

Describe the high-level architecture of Netscape's Certificate Management System.

What Are End Entities?

End-entities are the clients of Netscape's Certificate Management System (CMS4): the users or requesters of the certificates that CMS4 issues. Among these are:
  • Clients, such as Netscape Navigator version 3.x; Netscape Communicator version 4.x and later; Microsoft Internet Explorer versions 3.x, 4.x and 5.x
  • SSL-enabled servers, such as Netscape Administration, Directory, and Enterprise Servers
  • Routers, such as Cisco routers
  • VPN (Virtual Private Network) clients, such as Aventail, KyberPass, and RedCreek

End-Entity Interactions with CMS4

CMS4 provides a registration service framework that covers the most commonly expected PKI features: manual, directory-based, and directory-plus-PIN-based enrollment; certificate-authenticated renewals and revocations; and certificate life cycle operations such as automated certificate renewal and expiration notifications.

End-entities access CMS4 through a gateway in a web browser. This gateway is the general front end for end-entity interactions with the server. Through it, the Certificate Manager or Registration Manager serves the appropriate HTML forms for end-entity operations (the Data Recovery Manager has no end-entity interface). These include forms for certificate enrollment, retrieval, query, renewal, import, and revocation, and are collectively referred to as the end-entity services interface.

End-entity interactions can take place over HTTP or HTTPS. For example, routers using CEP (Cisco's Certificate Enrollment Protocol) use HTTP rather than HTTPS, because CEP signs and encrypts its own enrollment messages and so does not depend on the transport for protection. Browser-based forms carry no such protection of their own, so they should be served over HTTPS.

Each type of end-entity form provided by a Registration Manager or Certificate Manager determines the type of client, such as Communicator or Internet Explorer, and presents the appropriate input page. Each form also specifies both an authentication module and an output template. The authentication module (a set of rules for authenticating an end-entity, agent, administrator, or any other entity that needs to interact with a CMS manager) is used by the servlet to authenticate the end-entity; the output template is an HTML page that returns information from the servlet to the end-entity.

Figure 3.2


Life Cycle Management of End-Entities

The Registration Manager and Certificate Manager provide default HTML forms that use different protocols and life cycle management procedures for different kinds of end-entities. For example, end-entities running Navigator 3.x and versions of Communicator earlier than 4.5 need to be presented with an enrollment form based on the HTML KEYGEN tag, which generates the key pair inside the browser and submits the public key together with the server's challenge, signed by the new private key. End-entities running Microsoft Internet Explorer require a form containing VBScript XENROLL commands. These various tags, scripts and protocols result in enrollment messages that are sent back to the Certificate Manager or Registration Manager in a variety of nonstandard and standards-based formats.
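What a KEYGEN-based enrollment actually sends, and what the receiving manager has to check before issuing, as an added example that is not Netscape's code: the browser side builds the SignedPublicKeyAndChallenge (SPKAC) structure that the KEYGEN tag produces, and the CA side parses it, matches the challenge against the nonce it put into the served form (so a captured submission cannot be replayed into another session) and verifies the proof-of-possession signature under the key being enrolled. The DER helpers, the 512-bit RSA key (fixed seed), the SHA-1 signature and the nonce are constructed for the demo and are assumptions, not CMS4 internals; the key size and hash match 1999 and are not acceptable today.

```python
"""Toy round trip of the SignedPublicKeyAndChallenge (SPKAC) blob that KEYGEN submits. Standard
library only, Python 3.8+. 512-bit RSA and SHA-1 fit 1999 and are NOT acceptable today."""
import base64, hashlib, random

OID_RSA = bytes.fromhex("2a864886f70d010101")                      # rsaEncryption
OID_SHA1RSA = bytes.fromhex("2a864886f70d010105")                  # sha1WithRSAEncryption
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # PKCS#1 DigestInfo prefix

def tlv(tag, body):                                   # minimal DER encoder
    n = len(body)
    if n >= 0x80:                                     # long-form length
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + body
    return bytes([tag, n]) + body

def der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)

def der_children(body):                               # minimal DER decoder
    """Split a constructed DER body into its (tag, body) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, ln, pos = body[pos], body[pos + 1], pos + 2
        if ln & 0x80:
            nb = ln & 0x7F
            ln, pos = int.from_bytes(body[pos:pos + nb], "big"), pos + nb
        out.append((tag, body[pos:pos + ln]))
        pos += ln
    return out

ALG_RSA = tlv(0x30, tlv(0x06, OID_RSA) + b"\x05\x00")          # AlgorithmIdentifier
ALG_SHA1RSA = tlv(0x30, tlv(0x06, OID_SHA1RSA) + b"\x05\x00")

def _probable_prime(n, rng, rounds=16):               # Miller-Rabin, n odd
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_rsa_key(bits=512, seed=1999):
    """Return (n, e, d). Constructed demo key with a fixed seed; never use such parameters for real."""
    rng, e, primes = random.Random(seed), 65537, []
    while len(primes) < 2:
        c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if (c - 1) % e and c not in primes and _probable_prime(c, rng):
            primes.append(c)
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def _pkcs1_sha1_em(data, k):                          # EMSA-PKCS1-v1_5 for a k-byte modulus
    t = SHA1_DIGESTINFO + hashlib.sha1(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def build_spkac(challenge, n, e, d):
    """Browser side: what <KEYGEN NAME="spkac" CHALLENGE="..."> submits for a fresh key pair."""
    k = (n.bit_length() + 7) // 8
    spki = tlv(0x30, ALG_RSA + tlv(0x03, b"\x00" + tlv(0x30, der_int(n) + der_int(e))))
    pkac = tlv(0x30, spki + tlv(0x16, challenge.encode("ascii")))
    sig = pow(int.from_bytes(_pkcs1_sha1_em(pkac, k), "big"), d, n).to_bytes(k, "big")
    return base64.b64encode(tlv(0x30, pkac + ALG_SHA1RSA + tlv(0x03, b"\x00" + sig))).decode()

def verify_spkac(b64, expected_challenge):
    """CA side: return (n, e) of the enrolled key, or raise ValueError. Checks the
    challenge nonce (anti-replay) and the proof-of-possession signature."""
    (tag, body), = der_children(base64.b64decode(b64))
    if tag != 0x30:
        raise ValueError("SPKAC is not a SEQUENCE")
    (_, pkac), (_, alg), (_, sig) = der_children(body)
    if der_children(alg)[0][1] != OID_SHA1RSA:
        raise ValueError("unsupported signature algorithm")
    (_, spki), (t_ch, chal) = der_children(pkac)
    # The challenge is the nonce the CA placed in the served form; a stale or foreign value is a replay.
    if t_ch != 0x16 or chal.decode("ascii", "replace") != expected_challenge:
        raise ValueError("challenge mismatch (replay or wrong session)")
    (_, spki_alg), (_, key_bits) = der_children(spki)
    if der_children(spki_alg)[0][1] != OID_RSA:
        raise ValueError("not an RSA key")
    (_, rsa_pub), = der_children(key_bits[1:])       # skip the unused-bits octet
    (_, n_b), (_, e_b) = der_children(rsa_pub)
    n, e = int.from_bytes(n_b, "big"), int.from_bytes(e_b, "big")
    k = (n.bit_length() + 7) // 8
    # Proof of possession: the signature over publicKeyAndChallenge must verify under the enrolled key.
    em = pow(int.from_bytes(sig[1:], "big"), e, n).to_bytes(k, "big")
    if em != _pkcs1_sha1_em(tlv(0x30, pkac), k):
        raise ValueError("proof-of-possession signature invalid")
    return n, e

if __name__ == "__main__":
    n, e, d = toy_rsa_key()
    nonce = "c0ffee42"   # constructed; CMS puts a fresh CHALLENGE in every form it serves
    print("enrolled key verified:", verify_spkac(build_spkac(nonce, n, e, d), nonce) == (n, e))
```

The two failure branches are the ones that matter operationally: a submission whose challenge does not match the nonce the server issued for that form is a replay (or a form served to someone else), and a signature that does not verify under the submitted public key means the requester never held the private key, so the CA must not certify it.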

Copyright © 1999 Sun-Netscape Alliance.
All Rights Reserved.