Issuing The Admin Cert

The third phase of installation involves issuing a certificate for the top-level CMS Administrator. The new cert will be added to the cert database in your browser.

Issue the initial user cert to yourself.

You can only submit the initial Administrator/Agent Certificate Enrollment form once. If something goes wrong and you're unable to obtain the initial agent certificate, you'll have to manually reset a parameter in the configuration file to make the initial Administrator/Agent Certificate Enrollment form available again. See the Installation Guide for more details.

CMS4 Admin Guide, Get The First User Certificate

The Initial User

The initial user is both an administrator and an agent. This person can use Netscape Console to create additional agents with the appropriate user privileges and use Agent Services to issue them certificates. Since there is no agent yet to approve the request, a special enrollment form allows you to get this first certificate automatically.

After you submit this initial Administrator/Agent Certificate Enrollment form, it is automatically disabled, so that no one else can acquire a certificate without agent approval or some form of automated authentication. The system automatically adds the initial user to the list of agents.

To enroll for the first agent certificate, you should be working at the computer you intend to use as the agent, so that the new certificate will be installed in the browser you will be using to access the Agent Services pages.


Procedure

1. Open a new browser window.
   Notes: You'll need to start up a second instance of Netscape Navigator in order to access the Administrator's web interface to CMS4 while continuing to view these instructions.
2. Use the second browser to connect to the SSL agent port (17004). Enter this URL in the browser's Location field in the format shown below. (Use your actual machine name, not "your_machine".)

   https://your_machine:17004

   Notes: The URL uses "https" instead of the usual "http" because we're using one of the SSL ports to communicate with CMS4. The port number should be the one you specified in the wizard: 17004. Use your machine name in the URL (there's no need for the ".com" since everything is local).

   Because you're accessing an SSL port, CMS4 will use its SSL server certificate to authenticate itself to your browser. (You generated the SSL server certificate in the wizard.) Because you just created it, it's not on your browser's list of trusted certificates. This means you'll have to add it to your browser by going through a series of dialog boxes that lets you add new certificates.

3. Your browser will respond with a message saying it doesn't recognize the authority of the person who signed the SSL certificate. Click the Next button to continue.
   Notes: This is the first step in adding the new cert to your browser.
4. You should see a screen showing a summary of the new cert. Click the Next button to continue.
   Notes: Look at the name of the person who supposedly signed this cert. This is some of the information you entered in the Wizard. You can click on the More Info button to see more details about the person or server that's asking you to trust it.
5. You will be asked if you want to accept this cert just for this session or until it expires. Select "Accept this certificate forever (until it expires)" and click the Next button to continue.
   Notes: This will add the new cert to your browser's certificate database. The file that contains your browser's certs is cert7.db.
6. You should see a screen that asks you if you want to be warned before sending information to the new site. Go ahead and click the checkbox for the warning, then click the Next button to continue.
   Notes: This is the first step in adding the new cert to your browser.
7. You should see a screen that says "You have finished examining the certificate presented by your server". Click the Finish button to continue.
   Notes: We're not finished yet!
8. Reload the current page (https://your_machine:17004).
   Notes: You'll need to reload the page to continue issuing the initial user cert.
9. In the Administrator/Agent Certificate Enrollment form, enroll for a client SSL certificate as the system's first privileged user by entering the following information:

  • Authentication Information -
    User ID: cmsadmin
    Password: cmsadmin

  • Subject Name -
    Full name: CMS Administrator
    Login name: cmsadmin
    Email address: your email address
    Organization unit: optional
    Organization: optional

  • User's Key Length Information -
    Key Length: Select 512 (Low Grade)
Note that the validity period of this initial agent certificate is hard-coded as one year.
10. Click Submit.
11. Follow the instructions your browser presents as it generates a key pair.
12. If authentication is successful, the new certificate will be imported into your browser, and you will be given an opportunity to make a backup copy.

Your New Cert

Now you have a client authentication certificate in the name "cmsadmin". This special user, who was created as the initial administrator for CMS4 during installation, is assumed by CMS4 to be the first or top-level agent. This agent certificate allows you to access the Agent Services pages.

Using the Agent Services pages, you can approve enrollment requests and issue new certificates. To access the CMS windows in Netscape Console, you'll use the CMS Administrator's login and password (cmsadmin / cmsadmin).
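
A check for the certificate this procedure issues, as an added example that is not part of the CMS4 guide: a small DER reader that reports the key length and validity span, so the 512-bit key and one-year validity given in step 9 can be confirmed from the certificate itself. It assumes an RSA certificate already available as DER bytes; `elements`, `audit_cert`, `tlv` and `sample_cert` are names made up here, and the sample is a constructed skeleton with a placeholder key and signature.

```python
from datetime import datetime

def elements(buf):
    """Decode consecutive DER elements in buf into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length octets
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def parse_time(tag, val):
    """UTCTime (tag 0x17) has a 2-digit year, GeneralizedTime (0x18) has 4."""
    s = val.decode("ascii")
    if tag == 0x17:  # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ")

def audit_cert(der):
    """Report RSA modulus size and validity span of a DER certificate."""
    tbs = elements(elements(elements(der)[0][1])[0][1])
    if tbs[0][0] == 0xA0:  # skip the optional explicit [0] version field
        tbs = tbs[1:]
    # Remaining order: serial, sigAlg, issuer, validity, subject, SPKI
    start, end = (parse_time(t, v) for t, v in elements(tbs[3][1]))
    key = elements(tbs[5][1])[1][1]  # BIT STRING; first octet = unused bits
    modulus = elements(elements(key[1:])[0][1])[0][1]
    bits = int.from_bytes(modulus, "big").bit_length()
    return {"rsa_bits": bits, "validity_days": (end - start).days}

def tlv(tag, content):  # minimal DER encoder, only for the constructed sample
    n = len(content)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + content

def sample_cert(bits=512):
    """Constructed certificate skeleton: placeholder key and signature."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
    n = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    key = tlv(0x30, tlv(0x02, n) + tlv(0x02, b"\x01\x00\x01"))
    dates = tlv(0x30, tlv(0x17, b"990101000000Z") + tlv(0x17, b"000101000000Z"))
    name = tlv(0x30, b"")
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + name + dates + name + tlv(0x30, alg + tlv(0x03, b"\x00" + key)))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
```

Pass the bytes of your own DER-encoded certificate to `audit_cert` in place of `sample_cert()`.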


Copyright © 1999 Sun-Netscape Alliance.
All Rights Reserved.