PGP Certificate Server Freeware ReadMe
Version 2.5.8 for Windows NT
Copyright (c) 1998-2000 by Networks Associates Technology, Inc., and its Affiliated Companies.
All Rights Reserved.

Thank you for using Network Associates' products. This ReadMe file contains important information regarding the PGP Certificate Server Freeware. Network Associates strongly recommends that you read this entire document.

Network Associates welcomes your comments and suggestions. Please use the information provided in this file to contact us.

Note: PGP freeware products are for non-commercial use only. Please refer to the included license agreement for terms and conditions of use.

Note: Network Associates does not provide technical support for PGP freeware products.

Warning: Export of this software may be restricted by the U.S. Government.

WHAT'S IN THIS FILE

Fixes in this Release
New Features
Documentation
System Requirements
Installation
Starting PGP Certificate Server
Starting PGP Replication Engine
Using the Web Configuration/Monitoring Wizard
Known Issues
Additional Information
Contacting Network Associates

FIXES IN THIS RELEASE

  • This release corrects a security-related bug with Additional Decryption Keys (ADKs) that may allow sophisticated attackers to add unauthorized ADK key IDs to the unhashed areas of PGP public keys.

    For more information about this bug, please review the PGP ADK Security Advisory available on www.pgp.com.

    You can download a repair tool (PGPrepair) from the web page mentioned above to determine whether an existing PGP Certificate Server database contains any keys with tampered signatures.

  • Resolved a replication looping issue, which may have occurred with two-way replication on PGP Certificate Server 2.5.1 when revoked keys revoked by a designated revoker were added to the server.

  • Added additional logging information for Delete operations, so that the full list of deleted keys is displayed in the log.

  • The released version of the Certificate Server, when configured with a single MustSigID and the TrimUsers and TrimSigs features enabled, would prevent that MustSigID key from being uploaded to the server. Added the ability for the server to accept that key.

  • Resolved an issue with the indexing of certain revoked keys. A problem existed when performing a KeyStatus-is-revoked search.

  • Resolved a potential looping issue which may have occurred if the replication daemon was down and a key was added to and then deleted from the server, followed by re-starting the replication daemon.

  • Resolved a potential Denial of Service vulnerability in PGP Certificate Server 2.5.1. This may have occurred when devices attempted to connect to the PGP Certificate Server management port (port 4000 by default) if incoming DNS/NetBIOS traffic was blocked to the PGP Certificate Server.

  • Resolved a potential Denial of Service vulnerability in PGP Certificate Server 2.5.1. This may have occurred when devices attempted to connect to the PGP Replication port (port 5000 by default) if incoming DNS/NetBIOS traffic was blocked to the PGP Certificate Server.

  • Resolved a replication looping issue which may have occurred with two-way replication on PGP Certificate Server 2.5.1 when revoked keys were added to the server.

DOCUMENTATION

Included with this release is the following manual, which can be viewed on-line as well as printed:

  • PGP Certificate Server Administrator's Guide
    This document is saved in Adobe Acrobat Portable Document Format (.PDF). You can view and print the document with Adobe's Acrobat Reader. PDF files can include hypertext links and other navigation features to assist you in finding answers to questions about your Network Associates product.

    To download Adobe Acrobat Reader from the World Wide Web, visit Adobe's Web site. The Adobe Acrobat Reader is also included on this product CD.

    Opening the Administrator's Guide:
    After installing Adobe Acrobat Reader, bring up the Windows Start Menu. Then select Programs > Network Associates > PGP Certificate Server > Documentation > Administrator's Guide. If the web server support for PGP Certificate Server is installed, the Administrator's Guide is also available through a link found on the page:
    http://YOUR-HOST-NAME:PORT/certserver/default.htm
    Substitute the hostname of the machine running the PGP Certificate Server for the YOUR-HOST-NAME value. For PORT, substitute the port number for the web server that you are running on YOUR-HOST-NAME (this defaults to 80 if it is not specified).

This release also includes integrated online help in Microsoft Windows Help format:

  • PGP Certificate Server online help
  • PGP Replication Engine online help

Documentation feedback is welcome. Send e-mail to tns_documentation@nai.com.

NEW FEATURES

  • New Native, Optimized Windows NT Service
    This is the premiere release of PGP Certificate Server as a native Windows NT service that has been optimized for this environment. This new service provides round-the-clock, standards-based PGP certificate management and lookup services for administrators and users.

  • Easy-to-Use Remote Console Application
    The new PGP Certificate Server Remote Console, a native Windows NT application, gives administrators the ability to remotely monitor and manage their PGP Certificate Server through an intuitive, easy-to-use interface. All communications between the console and the Certificate Server are strongly authenticated and encrypted using the TLS (Transport Layer Security) protocol, thus providing a very secure foundation for remote management.

  • Improved web-based Configuration
    Administrators can conveniently manage the Certificate Server's configuration from nearly any web browser. This version improves the extensive on-line help on product configuration settings. This version provides integrated support for many popular web servers, including:

    • Microsoft IIS 2.0 - 4.0
    • Netscape Enterprise Server 3.x
    • Netscape FastTrack Server 3.x
    • Apache 1.3.x

    Administrators can secure communications between the web browser and Certificate Server using the native security services provided by the web server installed with Certificate Server.

  • Database Size and Performance Improvements
    This version includes numerous performance enhancements and database optimizations. Certificate database size has been reduced by 20%-30% from previous versions, due to improved certificate storage methods. This size reduction provides improved server performance; more certificates are now stored in the server's cache, less data is read from and written to the server's hard disk, and fewer transformations are needed on certificate data.

  • Output Filename Options for Certificates
    The pgpexport command now allows the output filename to be specified as an argument. Also, the exported certificates can now be split across multiple files.

SYSTEM REQUIREMENTS

  • Windows NT version 4.0 and higher
  • 32MB RAM minimum
  • 15MB disk space for software
  • Additional disk space for database (10MB - 500MB)
  • Network interface card
  • PGP 6.5.2 (Only required for management of secure keys).
  • To run the Configuration/Monitoring Wizard:
    • Microsoft Internet Information Server (version 4 recommended) with Microsoft Internet Explorer 4 or later
      or
    • Any web server and a version 4 or later browser

INSTALLATION

PGP Certificate Server Freeware is distributed as a self-extracting file.

To install the product from a downloaded self-extracting file:

  1. Start Windows.

  2. Download the PGP Certificate Server installation program onto your computer’s hard drive.

  3. Double-click the installation program.

  4. Follow the on-screen prompts.

STARTING PGP CERTIFICATE SERVER

After successfully installing the server, you can start it by following these steps.

  1. Choose Programs > PGP Certificate Server > PGP Certificate Server Console from the Windows Start Menu.

  2. Click "Create Database" to create the initial database (if necessary).

  3. Click Start to start Certificate Server.

To test that the server is running properly:

  1. Start PGP version 5.5 or later.

  2. Add the URL of the machine running PGP Certificate Server to PGP's configuration as follows:
    1. Open the PGPkeys window by selecting PGPkeys from the PGPtray menu.
    2. Select Edit > Options.
    3. On the Servers page, click New to add a New server.
    4. Select the Protocol to use.
    5. Enter an LDAP server name using the format:
      ldap://YOUR-HOST-NAME
    6. Type a new domain or choose an existing one and click OK.
    7. Click OK to exit the Options dialog box.
    8. In the PGPkeys window, select any key from your list of keys, then select the Send Key to Server item on the Keys menu. Be sure to select the name of your new PGP Certificate Server.

    If the key is successfully sent to the server, your server is running properly. You can also use the search dialog in PGPkeys to search the keys on the server. Again, be sure to set the name of your new server as the server to search.

STARTING THE PGP REPLICATION ENGINE

If you installed the optional PGP Replication Engine component, you can start it by selecting Programs > PGP Certificate Server > PGP Replication Engine Console from the Windows Start Menu.

PGP Replication Engine uses the same configuration file as the PGP Certificate Server. The default configuration file does not have replication enabled. The 'Replica' and 'RepLogFile' configuration tags need to be configured prior to successfully starting the server.

Examples of each are:

Replica ldap://mirror.company.com
RepLogFile rep.log

See the Administrator's Guide for exact details on these configuration values.

Pressing Start will cause the product to beginning monitoring for data to replicate.

USING THE WEB CONFIGURATION/MONITORING WIZARD

You use a web browser-based wizard running with an existing web server product to configure PGP Certificate Server; most popular web servers support the wizard. (The web server must be running on the same machine as PGP Certificate Server.)

If you are running version 2.0 or later of the Microsoft Internet Information Server and you automatically installed support for the wizard, you can run the wizard by (re)starting the web server. You can then access the configuration/monitoring wizard from your browser using the URL:

http://YOUR-HOST-NAME:PORT/certserver/default.htm

If you are using another web server or did not have the installer add this support, please see the Administrator's Guide for details on how to properly configure this feature.

You can also use any standard text editor to directly edit the Certificate Server configuration file, located at C:\Program Files\Network Associates\PGPcertd\etc\ pgpcertd.cfg.

KNOWN ISSUES

  • Using RSA keys as Admin keys
    In the International and Freeware releases, RSA keys cannot be used by the server as the Server Secure KeyID. Only DSS/Diffie-Hellman keys can be used as the key the client uses to determine which server it is connecting to using TLS/SSL.

ADDITIONAL INFORMATION

International and Freeware releases
The International and Freeware versions of the PGP Certificate Server do not encrypt data. They do provide strong authentication. The Transport Layer Security (TLS) connection between the PGP client and the server is strongly authenticated; but the data is sent over the network without being encrypted. This means that the queries and adds that are performed by the PGP client can be viewed by others, but the identity of someone performing administrative functions is still strongly authenticated.

CONTACTING NETWORK ASSOCIATES

Note: Network Associates does not provide technical support for PGP freeware products. To purchase a commercial version of PGP, please contact the Network Associates Customer Service department at:

Network Associates Corporate Headquarters
3965 Freedom Circle
McCandless Towers
Santa Clara, CA 95054