Each wizard step is listed below with the Response to give and Notes explaining what the step does.

1. Introduction
Response: Click Next.

2. Internal Database
Response: Enter the following values, then click Next:
- Instance ID: Accept the default (your_machine-db).
- Port number: 17002
- Directory Manager DN: cn=CMS Directory Manager
- Password: cmsdirman
- Password (again): cmsdirman
Notes: Be sure to override the default port number (38900) and enter 17002. The server instance ID will be automatically set to your machine name followed by "-db". The installation script will create the internal database used by CMS4, which may take a few minutes. This database will be used to store certificate records, revocation information, and open requests for certs (the request queue). Think of this account as "root" for CMS's internal database. The person with this login and password has full control over this instance of CMS4 and is able to change the database schema.

3. Administrator
Response: Enter the following values, then click Next:
- Administrator ID: cmsadmin
- Full name: Accept the default value.
- Password: cmsadmin
- Password (again): cmsadmin
Notes: Be sure to override the default Administrator's ID ("admin") and enter cmsadmin. This is the first account to be stored in CMS's internal database. The person with this login and password will be able to perform administrative and agent functions on CMS4; however, they will not be able to make schema changes to the database.

4. Subsystems
Response: Accept the default selection (Certificate Manager only) and click Next.
Notes: The installation script gives you the option of configuring CMS4 as a certificate authority (CA), a registration authority (RA) or a Data Recovery Manager (DRM). In this course, we're just going to use CMS4 as a CA.

5. Remote Data Recovery Manager
Response: Accept the default selection (No) and click Next.
Notes: At this point the system creates the internal database, which will take a few seconds. You'll see a couple of black command-line windows appear and disappear.

6. Network Configuration
Response: Type the following values, then click Next:
- SSL administration port: 17003
- SSL agent port: 17004
- SSL end-entity port: 17005
- Enable: Select this checkbox to enable the non-SSL end-entity gateway.
- Non-SSL end-entity port: 17006
Notes: Be sure to enable the non-SSL gateway by clicking on that checkbox. We'll use the SSL agent port (17004) to verify installation when we're finished with the Wizard. This is one of the most important screens in the Wizard because it lets you specify which ports will be used for routine communication with CMS4. Netscape Console will communicate with CMS4 through the SSL administration port (17003). Agents will normally communicate with CMS4 through the SSL agent port (17004). Most end-entities will communicate with CMS4 through the SSL end-entity port (17005). Browsers that don't support SSL communication will have to use a non-SSL port (17006).

7. Server Migration from Certificate Server 1.x
Response: Accept the default selection (No) and click Next.
Notes: Since we're not going to import data from Cert Server 1.x, we answer "No" to this question. If an organization was already using Certificate Server 1.01 (the predecessor to CMS4), they could import all the data from that server into CMS4.

8. CA Signing Certificate
Response: Accept the default selection (Create self-signed CA certificate) and click Next.
Notes: At this step we're indicating that this Certificate Authority (CA) is at the top of a chain of trust.

9. Key-Pair Information for Certificate Manager CA Signing Certificate
Response: Type the following values, then click Next:
- Token: Accept the default value (Internal)
- Password: token
- Password (again): token
- Key type: Accept the default value (RSA).
- Key length: Accept the default value (512) and leave the custom key-length field blank.
Notes: At this point we're creating a key for the CA. We're indicating where it is (on disk or in a special hardware device) and how long it is. In either case it needs to be protected with a password.

10. Subject Name for Certificate Manager CA Signing Certificate
Response: Enter whatever you want for the first three values, then click Next:
- Common name (CN=): whatever
- Organization Unit (OU=): whatever
- Organization (O=): whatever
- Locality (L=): optional
- State (ST=): optional
Notes: At this point we're naming the CA, so we need to specify the CN= attribute. You'll need to enter dummy values for the Common Name and Organization Unit. The hostname should be entered in the form host.domain.com. The default CN is probably already set to this value, so you only have to invent names for the organizational unit and the organization. The Locality and State fields can be left blank.

11. Validity Period for Certificate Manager CA Signing Certificate
Response: Modify the year and month values of the "Expire on" date to allow a validity period of one year from the installation date, then click Next.
Notes: This screen controls the lifetime of the Certificate Manager's cert. Typical values for this lifetime are 1 to 2 years; after that time all certs signed by this CA will be invalid. That means all certs issued by this CA will have to be re-issued.

12. Certificate Extensions for Certificate Manager CA Signing Certificate
Response: Accept the default selections and click Next.
Notes: This screen allows you to customize the certs issued by this instance of CMS4. You can add things like...

13. Certificate Manager CA Signing Certificate Creation
Response: You should see a message stating "The wizard has all the information required to generate the key pair and the corresponding certificate." Click Next.
Notes: You'll see a couple of black command-line windows appear and disappear.

14. SSL Server Certificate
Response: Accept the default selection (Sign SSL certificate with my CA signing certificate) and click Next.

15. Key-Pair Information for Server SSL Certificate
Response: Accept the default selections, then click Next. (The token should be "internal", the key type should be "RSA", and the key length should be "512".)

16. Subject Name for SSL Server Certificate
Response: Enter dummy values for OU= and O=, then click Next.
- Common name (CN=): host.domain.com
- Organization Unit (OU=): anything
- Organization (O=): anything
- Locality (L=): optional
- State (ST=): optional
- Country (C=): two-letter code for your country
Notes: The hostname should be entered in the form host.domain.com. The default CN is probably already set to this value, so you only have to invent names for the organizational unit and the organization. Locality and state are optional.

17. Validity Period for SSL Server Certificate
Response: Modify the year and month values of the "Expire on" date to allow a validity period of one month from the installation date, then click Next.
Notes: This will cause the SSL server cert to expire in one month.

18. Certificate Extensions for SSL Server Certificate
Response: Accept the default selections and click Next.

19. SSL Server Certificate Creation
Response: Click Next.
Notes: Generating this certificate will take a few seconds.

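As an added example (not code from the course or from CMS4), the following Go program reproduces with the standard library what wizard steps 8 through 19 produce: a self-signed CA certificate valid for one year (steps 8 to 12) and an SSL server certificate signed by it valid for one month (steps 14 to 18), and then checks the server certificate against the CA the way a browser on the SSL end-entity port would. The subject names, serial numbers and the keyBits parameter are assumptions; the wizard's 512-bit default is far too weak today and recent Go versions refuse RSA keys under 1024 bits, so pass 2048 or more.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue signs tmpl with signer under parent (self-signed when parent == tmpl) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain mirrors steps 8-19: a self-signed CA valid one year (step 11) signs an SSL server cert
// valid one month (step 17). keyBits stands in for the wizard's 512-bit default (far too weak today).
func BuildChain(installed time.Time, keyBits int) (ca, srv *x509.Certificate, err error) {
	caKey, err1 := rsa.GenerateKey(rand.Reader, keyBits)  // step 9: CA key pair
	srvKey, err2 := rsa.GenerateKey(rand.Reader, keyBits) // step 15: server key pair
	if err = errors.Join(err1, err2); err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{ // step 12 defaults: CA basic constraint plus cert and CRL signing
		SerialNumber: big.NewInt(1), NotBefore: installed, NotAfter: installed.AddDate(1, 0, 0),
		Subject:      pkix.Name{CommonName: "host.domain.com", OrganizationalUnit: []string{"whatever"}, Organization: []string{"whatever"}},
		IsCA:         true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if ca, err = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil { // step 8: self-signed
		return nil, nil, err
	}
	srv, err = issue(&x509.Certificate{ // steps 14-18: server cert signed with the CA's key
		SerialNumber: big.NewInt(2), NotBefore: installed, NotAfter: installed.AddDate(0, 1, 0), DNSNames: []string{"host.domain.com"},
		Subject:      pkix.Name{CommonName: "host.domain.com", OrganizationalUnit: []string{"anything"}, Organization: []string{"anything"}},
	}, ca, &srvKey.PublicKey, caKey)
	return ca, srv, err
}

// VerifyAt checks srv against ca as of time t, as a browser on the SSL end-entity port would.
func VerifyAt(ca, srv *x509.Certificate, t time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := srv.Verify(x509.VerifyOptions{Roots: pool, DNSName: "host.domain.com", CurrentTime: t})
	return err
}
```

Once the server certificate's month has passed, VerifyAt fails, which is exactly the re-issue situation the step 11 notes warn about for the CA itself.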
20. Set Up Single Signon Password
Response: Enter the following values, then click Next:
- Single signon password: signon
- Single signon password (again): signon
Notes: CMS4 uses so many passwords because it's designed to be administered in a distributed environment at a corporation that is very serious about network security. In cases like ours, where one person is going to assume responsibility for many roles, a single password that works for multiple roles is very useful. Make note of this password since you'll need to use it later in this course.

21. Configuration Status
Response: Click Done. Certificate Management System starts automatically.
Notes: The installation and configuration of CMS4 is now complete, and the Certificate Manager should be running.