Certificates FAQ
DogFood Section:
- What's so special about this new certificate server?
- Why do we have to get new certificates? Didn't I just do this a little while ago?
- Why do I have to keep renewing my certificate? Can't it just be set to expire a long time from now?
What's so special about this NEW certificate server?
The old Certificate server (rootca.netscape.com) was running
Netscape Certificate Server v1.0. A newer version with tons of
features as a result of a lot of real-world feedback (including
many lessons learned from Netscape IS) has been released: Netscape
Certificate Management System (CMS) v4.0. It's been totally
rewritten from the ground up and is getting rave reviews from
everyone who works on it.
- A greatly improved UI (user interface)
- The old forms and user interactions with rootca were tough. With CMS4, we have the ability to make very clean and easy-to-use UI.
- S/MIME now actually works
- With certificates issued from the old certificate server, signed email messages couldn't be seen as "valid" by persons outside of Netscape. That's now changed. We've reached a deal with a publicly trusted CA (certificate authority) to sign our new certificate server so that you can finally exchange signed/encrypted email with persons outside of Netscape.
- Support for MS Internet Explorer
- Many of our salespeople do presentations and demos for other customers and have asked for this. We can now grant them their wish. The old Cert Server could support IE with patches, but this one supports it out of the box.
- Support for Netscape Security Manager (also known as "Cartman")
- As NSM gets released, we will be able to support all the marvelous user-friendly features of NSM (including dual-key).
Netscape IS-specific features:
Why do we have to get new certificates? Didn't I just do this a little while ago?
Certificates issued by the old rootca will continue to work for a while, but rootca will be decommissioned by June 1, 1999. By that time, all employees will start getting their certificates from the CMS4 server. This server will be much easier to interact with.
As part of our Y2K upgrades, the transition to CMS4 will also ensure our Y2K compliance for critical IS resources.
Why do I have to keep renewing my certificate? Can't it just be set to expire a long time from now?
Part of the security built into the certificate system ensures when someone stops working for Netscape, their certificate allows access for only three months. By forcing certificates to expire at this interval, there is a second tier to reduce the risk of personal certificates continuing to work too long after an individual's employment has ceased.
The real problem is that users have to be involved in the process of renewing certificates. If your certificate expired and was renewed automatically, more often but without you ever noticing, you would not mind nearly as much. Making the technology of certificates transparent to the user is the goal of the Netscape Security Manager. IS will be helping PD test this component in the Spring and Summer of 1999.
Troubleshooting Contents
- What is a certificate?
- How are certificates better than LDAP usernames and passwords?
- How do I get my own certificate?
- Should I back up my own certificate?
- Why should I get a Netscape certificate?
- How do I export/back up my certificate?
- I have two machines. How do I use my certificate on my other computer?
- My certificate comes up Expired when I try to use it, but I just got it! What's happening?
- My certificate won't encrypt mail/won't let me browse secure sites! I think it's busted.
- Help! My certificate is about to expire or has expired. How do I renew it?
- I tried to authenticate myself on a secure web site using my certificate, but the process failed.
- Communicator won't let me in to my certificate database, even though I know I'm entering the right password.
- I'm getting all kinds of weird certificate errors, like previously valid/readable signed and encrypted mail suddenly coming up invalid/unreadable.
- The Security Info window (click the lock) does not list my valid certificate under Certificates - Yours. Am I doomed?
- What is S/MIME?
- What are some of the problems that S/MIME solves for mail users?
- What are some of the benefits of Netscape Messenger's S/MIME implementation?
- What do you need to send secure messages?
- How does a signature on a message become invalid?
- I want to send someone an encrypted message. How do I get someone's certificate (public key)?
- How do I know whose certificates I have received from other people?
- I enter my UNIX ID and password to unlock my certificate database, and there is no response! The same dialog box reappears, but without my password.
- What is a digital certificate?
A certificate is a digital form of identification. A certificate is composed of two "keys": a private key (which you must never give to anyone else) and a public key (which can, and should, be shared with everyone). The private key is typically located only on a user's computer and is protected by a password. It can be exported to another machine, or it can be held on a smart card.
The public half may include an S/MIME public key for you. If you give it to other people, they will be able to send you encrypted email that no one else can read.
There are two main uses for certificates at Netscape: authentication (like your username and password) and secure email (that is, S/MIME).
The Netscape LDAP server (Phonebook) automatically contains everyone's public keys. Our internal web applications use them to authenticate you, and they let other employees send you encrypted email.
For more information about Digital Certificates, please see Netscape's external "Enterprise PKI Security Center" website.
- How are certificates better than what I'm used to, namely LDAP usernames and passwords?
A few things make digital certificates better than usernames and passwords:
- Encryption is at the heart of certificates. This means it's extremely difficult for someone to see your traffic on the network and make any sense of it.
- Passwords are too easy to steal or guess.
- Certificate-based authentication relies on two factors: something you have (the certificate) and something you know (the password to unlock the certificate database). LDAP passwords are just a single factor.
- You can't send signed or encrypted email with usernames and passwords.
- You can't easily tell if a message has been altered without S/MIME.
- How do I get my own certificate?
As an employee, you are required to get a Netscape Digital Certificate as part of your job. You will need it to access certain web applications. You can get a Netscape-issued certificate here.
- Should I back up my own certificate?
Absolutely. Remember that only one half of your digital certificate is backed up by Netscape IS. The private key is stored on your computer's hard drive. During the certificate-issuing process, make sure you export your digital certificates to a floppy disk or to a network-based hard drive.
If you lose or erase your private key, there is no way to recover it. This means that you won't be able to decrypt messages that were sent to you, since messages are always stored in an encrypted state.
- Why should I get a Netscape certificate? Why can't I use a Verisign certificate?
Our Netscape Certificate Authority (rootca.netscape.com) verifies that an individual is a current, active employee at the time that they request a certificate. It assumes that HR has already done its own level of identity verification when the person starts with the company. A Verisign certificate will only establish that you are who you claim you are. Since we will be using your certificate to identify and authenticate you, Netscape needs to do its own checks of your identity. A Verisign certificate (or a certificate from any other CA) won't do that.
- How do I export/back up my certificate?
You can move your certificate (actually, the private key) through the wonders of PKCS 12. In Security Advisor/Certificates/Yours, there is a button that acts as the mechanism you use to export your certificate to a floppy or to another computer.
- I have two machines. How do I use my cert on my other computer?
You can only have one valid Netscape certificate at one time. If you have more than one machine, you will need to copy that one certificate and install it on each of your machines (or profiles). First, find the cert you want to use from machine A and follow the export (backup) procedure. Put the exported version of the key on a floppy (if that's how you want to transfer the file), and load it on machine B. Then launch Communicator on machine B, and open the Security Advisor. Select Certificates/Yours. Click the Import button. Your certificate will now be loaded and available on machine B.
- My certificate comes up Expired when I try to use it, but I just got it! What's happening?!
Most likely, your machine is set to the wrong time zone or its clock is not accurate. Make sure your machine is set to the right time and the right time zone. If your machine's clock is fast, your certificate will be "expired" until "certificate time" catches up with "machine time." For example, if your clock is 20 minutes fast, your certificate will not be valid for 20 minutes from the time that you installed it.
In order to save you from frustration, the Certificate Server will not allow you to get a certificate if your clock is more than a few minutes different from "true" time.
If you are a Win95 user, you may be seeing the ill effects of a time zone bug. Click here to find out about the bug and the workaround.
- My certificate won't encrypt mail/won't let me browse secure sites! I think it's busted.
Take it easy, now. Before you lose faith, make sure that your Netscape certificate is configured properly!
- Help! My certificate is about to expire or has expired. How do I renew it?
Strictly speaking, you cannot "renew" your certificate unless you have the Netscape Security Manager loaded on your machine. If you don't, then you have to get a new certificate from the certificate server. Remember these points, though:
- If you have any saved email that was encrypted using an older (that is, expired) certificate, you must keep that old certificate in Communicator in order to be able to read that mail. (If you lose or delete a certificate, there is no way for anyone to get it back. Backups are your friend!)
- When the certificate server gives you a new certificate, it automatically pushes it to the LDAP directory (that is, phonebook) so others can get your new one, as well.
- Your Communicator client automatically uses the most recent certificate when sending signed or encrypted email. So, as you start to send email with this new certificate, your recipients' Communicator clients also automatically get your new certificate. You won't need to tell anyone that you have a new certificate.
- I tried to authenticate myself on a secure internal web site using my certificate, but the process failed.
Check that you meet the following criteria:
- You must have a Netscape personal certificate. Click here to get a certificate. For internal web sites you can't use a Verisign or other certificate.
- You must have your valid Netscape personal certificate loaded on the machine that you are using to authenticate yourself. If you requested your certificate from a machine other than the one you are currently using, copy your certificate from your other machine to your current one.
- You must run Communicator version 4.5 or later. Click here to upgrade.
- Communicator must be set to ask which certificate to present to a web site:
  - From the Navigator toolbar, select Security. (Click the lock.)
  - In the left frame, click Navigator.
  - From the "Certificate to identify you to a web site" drop-down list, select Ask Every Time.
  - Click OK.
- You must enable SSL versions 2 and 3:
  - From the Navigator toolbar, select Security. (Click the lock.)
  - In the left frame, click Navigator.
  - Check Enable SSL (Secure Sockets Layer) v2 and Enable SSL (Secure Sockets Layer) v3.
  - Click OK.
- Your certificate database may be corrupt. Click here to see some symptoms of a corrupt certificate database and how to fix it.
- Communicator won't let me in to my certificate database, even though I know I'm entering the right password.
- Also (or), I'm getting all kinds of weird certificate errors, like previously valid/readable signed and encrypted mail suddenly coming up invalid/unreadable.
- Also (or), the Security Info window (click the lock) does not list my valid certificate under Certificates - Yours. Am I doomed?
Not if you've backed up your certificate! If this happens, the following procedure should solve your problem:
Never execute this operation unless you really know what you are doing, or have been given explicit instructions from the Help Desk.
- Quit Communicator.
- Create a directory on your local hard drive called something like dead-certs.
- Move (don't just copy) all cert* and key* files to that directory. These files are located in your Netscape/Users/yourNameHere directory (exact paths vary by platform and user).
- Start Communicator again. Communicator rebuilds the files that you just removed, giving you a fresh start.
- Import your certificate(s) from your backup file(s). To do this:
  - Click the Security button in the Toolbar, or select Security Info from the Communicator menu to display the Security Info window.
  - Click Yours under Certificates in the Security Info navigation frame.
  - Click the Import a Certificate button. You are prompted to create a new password for your certificate database.
  - Create and confirm your new password.
  - Browse to your backup certificate.
  - Repeat these two steps until you have restored all the certificates that you want to.
The good news is that your problem should now be fixed.
- What is S/MIME?
S/MIME (Secure/Multipurpose Internet Mail Extensions) is the Internet standard for encrypting and digitally signing e-mail messages. S/MIME depends on X.509 certificates for encryption, as well as RSA encryption algorithms.
- What are some of the problems that S/MIME solves for mail users?
- Problem: Mail that travels across the net is like a postcard: anyone can read it.
  S/MIME solution in Netscape Messenger: Keep messages private with encryption.
- Problem: Is the person who sent this message really who they say they are?
  S/MIME solution in Netscape Messenger: Authenticate the sender with digital signatures. This helps prevent sender spoofing of mail messages.
- Problem: Has my mail been tampered with?
  S/MIME solution in Netscape Messenger: Detect message tampering with digital signatures.
- Problem: How do I communicate sensitive documents internally and with partners?
  S/MIME solution in Netscape Messenger: S/MIME is an open Internet standard that permits exchange of encrypted/signed mail with the widest possible audience.
- What are some of the benefits of Netscape Messenger's S/MIME implementation?
Netscape Messenger makes signing/encryption transparent and easy for end users. Messenger accomplishes this with the following features:
- Fast performance for encryption/signing/decryption.
- An easy-to-use Security Advisor which provides help with creating and reading secure messages.
Encrypted mail is also stored encrypted on your computer and on the mail server, so it is difficult for an intruder to read your encrypted mail.
- What do you need to send secure messages?
- To sign: You need your own certificate (which includes a private key).
- To encrypt: You need someone else's certificate.
- Check the signing/encryption boxes in the Options tab of the Messenger Compose window.

- How does a signature on a message become invalid?
A signature can be invalidated three ways:
- The message has been tampered with (for example, text has been changed, deleted, or added).
- The signing certificate doesn't match the sender's e-mail address.
- The signing certificate was issued by a non-trusted certificate authority.
If a signature is invalid, you can click on the security icon to obtain an explanation of what made the signature fail.
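The three failure modes above can be exercised in code. The Go program below is an added example, not part of this FAQ or of Netscape's Messenger code: it builds a constructed throwaway CA and user certificate, signs a message digest with the user's key, and runs the three checks, naming the first one that fails. The SignedMail shape, the Fixture helper and the example addresses are assumptions; real S/MIME carries the signature in a CMS/PKCS#7 wrapper rather than as a bare RSA signature.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"slices"
	"time"
)

type SignedMail struct {
	From, Body string            // sender address and message text (assumed minimal shape, not a real CMS wrapper)
	Sig        []byte            // PKCS#1 v1.5 RSA signature over SHA-256(Body)
	Signer     *x509.Certificate // certificate travelling with the message
}

// Verify applies the FAQ's three checks, trusted issuer first, and reports the first one that fails.
func Verify(m SignedMail, roots *x509.CertPool) error {
	if _, err := m.Signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return errors.New("signing certificate issued by a non-trusted CA")
	}
	if !slices.Contains(m.Signer.EmailAddresses, m.From) {
		return errors.New("signing certificate does not match the sender address")
	}
	// Any change to the body changes its digest, so the signature no longer verifies.
	digest := sha256.Sum256([]byte(m.Body))
	if rsa.VerifyPKCS1v15(m.Signer.PublicKey.(*rsa.PublicKey), crypto.SHA256, digest[:], m.Sig) != nil {
		return errors.New("message has been tampered with")
	}
	return nil
}

// Fixture builds a constructed throwaway CA and a user certificate bound to email, signs body with the user's key, and returns the mail plus a pool trusting only that CA.
func Fixture(email, body string) (SignedMail, *x509.CertPool) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	userKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), EmailAddresses: []string{email}, NotBefore: nb, NotAfter: na}
	userDER, _ := x509.CreateCertificate(rand.Reader, userTmpl, ca, &userKey.PublicKey, caKey)
	user, _ := x509.ParseCertificate(userDER)
	digest := sha256.Sum256([]byte(body))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, userKey, crypto.SHA256, digest[:])
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return SignedMail{From: email, Body: body, Sig: sig, Signer: user}, pool
}
```

Passing an empty pool to Verify models a recipient who has not trusted the issuing CA, which is the third failure mode in the list.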
- I want to send someone an encrypted message. How do I get someone's certificate (public key)?
Here are the ways:
1. Receiving a signed/encrypted message: the sender's cert is automatically added to your key database.
2. Importing a cert with Navigator via HTTP from a web site: Verisign supports this service.
3. Importing a cert with Messenger using LDAP from Phonebook.
If you are trying to send a Netscape employee an encrypted email, you need their public key. To get it, click the Security Advisor. In the upper right panel that opens, you will see a list of the email addresses you are sending to which cannot be sent encrypted. Click the button labeled "Get Certificates..." and choose the Netscape Phonebook to search. Navigator will receive these new public certificates, and you will then be able to send the email encrypted.
- How do I know whose certificates I have received from other people?
Go to Security Advisor/Certificates/Other People's. All the certificates that you have for email are here. Java applet certificates can be viewed under Java Applet Privileges. Remember that these certificates only have the user's public key, and that you need a person's certificate to send them encrypted mail.
- I enter my UNIX ID and password to unlock my certificate database, and there is no response! The same dialog box reappears, but without my password.
Try again, and be sure to use the password that you created when you received your certificate. If you enter the wrong password, Communicator doesn't tell you that your password was wrong; the password dialog box simply reappears. Note: The password that is used to protect the Certificate Database on your machine is not necessarily the same as your LDAP password. They are not synchronized in any way. That password was typed by you and could be anything.
For a higher level of security, Netscape IS recommends that you do not protect your Certificate Database with your LDAP password.
More information on S/MIME can be found at RSA's web site: RSA S/MIME FAQ.