PGP Corporation Tech Note

Netscape Directory Server 4.1:
Setting Up Netscape Certificate Management System and Microsoft Active Directory for X.509

Copyright © 2002 by PGP Corporation. All Rights Reserved.


This Tech Note describes how to set up a Netscape Certificate Management System (CMS) and Microsoft Active Directory so that X.509 certificates issued to users are published into a directory (Netscape Directory Server and Active Directory, respectively) where they can be looked up over LDAP.


To set up Netscape Certificate Management System

  1. Install Netscape CMS 4.1 and Directory Server 4.1 (included with CMS).

    Note: Netscape's servers have problems with pathnames that contain spaces, so PGP Corporation recommends against installing under "Program Files". Accept the default, "C:\Netscape\Server4".

    For the examples in this document, we assume you chose "o=PGP" for your suffix.

  2. Finish setting up CMS.

    In the Netscape Console, open the server item for CMS. Answer the questions to finish the installation.

  3. Tell CMS where to publish accepted certificate requests.

    In the Netscape CMS console, click the Configuration tab. In the tree on the left, open the "Certificate Manager" item and click LDAP Publishing. On the General tab, check Enable LDAP Publishing. Enter the hostname and port of the Directory Server you just installed, the Directory Manager DN ("cn=Directory Manager") and its password (you chose this password when you installed Directory Server). Click Save. On the Tasks tab, click Restart the Server.

    Note: cn=Directory Manager is the directory superuser, so these credentials give CMS unrestricted write access to the entire directory, and anyone who compromises the CMS host obtains them. If your deployment allows it, bind instead as a dedicated publishing DN whose access controls grant write access only to the subtree CMS publishes into.

  4. Add a new user for each user wishing to store X.509 certificates.

    In the Netscape Console, open the Directory Server and expand the tree for the suffix you chose when you installed DS (o=PGP, etc.; the tree shows only the value, not the "o="). Right-click the People item and select New --> User.

    On the "User" page (the tabs are on the left of the window), type the new user's first and last name into "First Name" and "Last Name", respectively. You may change the generated User ID if you wish. Finally, type a password for this user into "Password" and "Confirm Password". Click OK.

  5. When you request the certificate, the Full name and Login name on the request must match the name and User ID of the user you created in the previous step: CMS uses those values to locate the directory entry, and if they do not match, the certificate cannot be published. When the CMS Administrator or Agent approves the request, the result page shows whether the certificate was successfully published.


To set up Microsoft Active Directory

  1. Install Windows 2000 Server or Advanced Server.
  2. Install Active Directory. In order to do this, you need to configure your Windows 2000 Server as a domain controller.
  3. Install Windows 2000 Support Tools from the CD in \SUPPORT\TOOLS.
  4. Set the Active Directory Permissions so that an anonymous user can read the certificates.

    1. Run ADSI Edit (installed with Windows 2000 Support Tools).
    2. Open the tree item for Domain NC. Open the item for the domain name you selected when you installed Active Directory.
    3. Right click on CN=Users, select Properties.
    4. Select the Security tab.
    5. Click Add, select Everyone, click OK.
    6. Click Advanced.
    7. Select Everyone, click View/Edit.
    8. Change Apply onto to This object and all child objects.
    9. Click OK.
    10. Click OK.
    11. Click OK.

    Note: Adding Everyone with the default Read permissions and applying it to all child objects lets anyone who can bind to the directory anonymously read every attribute of every object under CN=Users, not just the certificates. On Windows 2000 the Everyone group includes Anonymous Logon, which is why this grant is enough for unauthenticated LDAP clients. If your policy does not allow that exposure, grant Everyone only Read Property on the userCertificate attribute instead of Read on the whole object.

  5. Create a user.

    Under Control Panel\Administrative Tools, open "Active Directory Users and Computers". Open the tree item for your domain. Right click on Users. Select New --> User. Enter the user's information.

  6. Using Internet Explorer (Netscape will not work; the certsrv enrollment pages rely on ActiveX controls), go to http://<server>/certsrv, where <server> is the Windows 2000 server running Certificate Services. Log in with the new user's credentials when prompted. From here, you can request a certificate.
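Both procedures end the same way: a user's certificate sitting on a directory entry (the userCertificate attribute of the Directory Server person entry in the first procedure, or of the Active Directory user object in the second). The check a practitioner wants afterwards is an LDAP search that confirms the certificate was actually published under the expected entry and that its subject names the same person, since a name mismatch between the request and the entry is the usual reason publishing fails. The script below is an added example written for this note; it is not code from the tech note, PGP Corporation, Netscape or Microsoft. It takes LDIF as ldapsearch prints it (or, for Active Directory, an anonymous ldapsearch or ldifde export), decodes each userCertificate value, walks the DER to the subject and pulls out its CN and UID, and reports per entry whether a certificate is present and matches the entry's cn and uid. The sample LDIF and the certificates in it are constructed inside the script (structurally valid DER with a dummy key and signature) so that it runs offline; the DNs, names and the ou=People container are assumptions for illustration.

```python
"""Added example (not PGP, Netscape or Microsoft code): confirm that each directory entry carries a
published X.509 certificate whose subject names the same person (cn, and uid if the subject has one).
Input is LDIF as ldapsearch or ldifde print it; the sample at the bottom is constructed in-script."""
import base64

def der(tag, content):                # encode one TLV; short length below 0x80, else 0x8N + N bytes
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def der_oid(dotted):                  # OID: first two arcs packed into one byte, the rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def der_read(buf, pos=0):             # -> (tag, content, next_pos) for the TLV at pos
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                     # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def der_children(content):            # split a constructed value into (tag, content) pairs
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out

OIDS = {der_oid(o)[2:]: n for o, n in  # keyed by encoded OID body, so no OID decoder is needed
        (("2.5.4.3", "cn"), ("2.5.4.10", "o"), ("0.9.2342.19200300.100.1.1", "uid"))}

def parse_name(name):                 # X.501 Name: SEQUENCE OF SET OF SEQUENCE {OID, value}
    attrs = {}
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)[:2]
            attrs[OIDS.get(oid, oid.hex())] = value.decode("utf-8")
    return attrs

def cert_subject(cert_der):           # Certificate -> tbsCertificate -> subject
    _, tbs, _ = der_read(der_read(cert_der)[1])
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:          # explicit [0] version is absent in v1 certificates
        fields = fields[1:]
    return parse_name(fields[4][1])   # serial, sigAlg, issuer, validity, subject

def parse_ldif(text):
    """Blank line ends an entry, a leading space folds onto the previous line, '::' means base64."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):
        e = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            value = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
            e.setdefault(name, []).append(value)
        if "dn" in e:                 # drops 'version: 1' and comment-only blocks
            entries.append(e)
    return entries

def check_published(ldif_text):
    """{dn: 'ok' | 'missing' | 'mismatch: ...'}: is the certificate there, and does it name this user?"""
    report = {}
    for e in parse_ldif(ldif_text):
        certs = e.get("userCertificate;binary") or e.get("userCertificate")   # Netscape DS vs AD naming
        if not certs:
            report[e["dn"][0]] = "missing"      # approved but never published, or published elsewhere
            continue
        subj = cert_subject(certs[0])
        cn_ok = subj.get("cn") == e.get("cn", [None])[0]
        uid_ok = "uid" not in subj or subj["uid"] == e.get("uid", [None])[0]
        report[e["dn"][0]] = "ok" if cn_ok and uid_ok else "mismatch: subject is " + repr(subj)
    return report

# Constructed fixture: structurally valid v3 certificates with a dummy key and signature.
def build_test_cert(cn, uid):
    name = der(0x30, b"".join(der(0x31, der(0x30, der_oid(o) + der(0x0C, v.encode())))
        for o, v in (("2.5.4.10", "PGP"), ("0.9.2342.19200300.100.1.1", uid), ("2.5.4.3", cn))))
    sha1_rsa = der(0x30, der_oid("1.2.840.113549.1.1.5") + der(0x05, b""))
    validity = der(0x30, der(0x17, b"020101000000Z") + der(0x17, b"030101000000Z"))
    spki = der(0x30, der(0x30, der_oid("1.2.840.113549.1.1.1") + der(0x05, b"")) + der(0x03, bytes(17)))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha1_rsa + name + validity + name + spki)
    return der(0x30, tbs + sha1_rsa + der(0x03, bytes(17)))

def _entry(dn, cn, uid, cert=None):   # one LDIF entry, certificate folded at 70 columns like ldapsearch does
    lines = ["dn: " + dn, "cn: " + cn, "uid: " + uid]
    if cert:
        b64 = base64.b64encode(cert).decode()
        lines.append("userCertificate;binary:: " + b64[:50] + "".join("\n " + b64[i:i + 70] for i in range(50, len(b64), 70)))
    return "\n".join(lines)

SAMPLE_LDIF = "\n\n".join([
    _entry("uid=jdoe,ou=People,o=PGP", "Jane Doe", "jdoe", build_test_cert("Jane Doe", "jdoe")),
    _entry("uid=bsmith,ou=People,o=PGP", "Bob Smith", "bsmith", build_test_cert("Robert Smith", "bsmith")),
    _entry("uid=cwu,ou=People,o=PGP", "Carol Wu", "cwu"),     # request approved but nothing published
])
```

To run it against a live directory, feed check_published the output of an ldapsearch such as `ldapsearch -h <ds-host> -p 389 -b "o=PGP" "(objectclass=person)" cn uid userCertificate;binary` (Netscape ships ldapsearch with Directory Server; hostname, port and base are assumptions for illustration). Run the search without -D and -w so that it binds anonymously: for the Active Directory procedure, getting the certificate back that way is also the proof that the permission step worked, and for either directory a client that looks up certificates anonymously will see exactly what this search sees.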