
NETSCAPE SSL 2.0 CERTIFICATE FORMAT

INTRODUCTION

This document describes how Netscape products work with certificates when using the SSL 2.0 protocol. The document is intended to provide Certificate Authority (CA) service providers enough details to build a service that can issue certificates for Netscape products.

This document has four sections that describe:

  1. How Netscape products use SSL 2.0 certificates
  2. Site certificate format
  3. Certificate Authority certificate format
  4. Certificate signing requests (CSRs) for SSL 2.0 server certificates


HOW NETSCAPE PRODUCTS USE SSL 2.0 CERTIFICATES

Netscape Commerce Server 1.x uses a single X.509 certificate that enables the server to authenticate itself to clients requesting SSL 2.0 connections.

When a server presents a certificate during an SSL handshake, Navigator checks the certificate against its certificate database. If the server certificate is already in Navigator's database, or if the server certificate is signed by a Certificate Authority whose certificate is in Navigator's database, the SSL handshake can conclude successfully.

Netscape Navigator 2.0 allows end users to add new trusted certificates to Navigator's certificate database. To see a list of the trusted certificates that are shipped with Navigator, choose Security Preferences under the Options menu. If necessary, click on the Site Certificates tab.

Navigator can handle two different kinds of certificates:

  1. A Certificate Authority certificate is a signed certificate that identifies a Certificate Authority. Netscape recommends that these certificates be self-signed. When server certificates signed by this Certificate Authority are presented during an SSL handshake, Navigator trusts those certificates. Navigator can download (via HTTP) new trusted CA certificates because they are identified by a newly defined MIME type.
  2. A site certificate is a server certificate presented by a server during an SSL handshake. If the certificate is signed by some certificate authority that Navigator does not trust (that is, does not show up on the Certificate Authority list in the Security Options dialog box or is marked by the user as not trusted), Navigator displays a series of screens that allow the user to accept or reject the certificate. (In the case of a bad certificate, Navigator displays a warning that allows the user to continue or abort the connection.)

When Navigator receives a certificate it does not already trust, it launches a wizard to guide the user through the process of installing the certificate as follows:

  1. The first time Navigator attempts to connect to an SSL server which presents a certificate that Navigator does not trust, Navigator launches a wizard to install the certificate. The initial screen of the installation wizard alerts the user that Navigator has received an unrecognized certificate. The exact text on this introductory screen depends on whether the certificate is a site certificate or a Certificate Authority certificate.
  2. The wizard presents human-readable information about the certificate including the following information.
  3. The user may choose to view more information about the certificate by clicking on the More Info button. Clicking this button opens a window that displays more information about the certificate including:
  4. The user then chooses whether to trust this certificate.
  5. The wizard asks the user if they would like to be warned each time the user attempts to send data to this server. The default behavior is to display no warnings.
  6. (Only for Certificate Authorities) Finally, the wizard prompts the user to enter a nickname to identify the Certificate Authority. This name appears in the list of certificates displayed as part of the Security Preferences (under the Options menu).
    In future releases of Navigator, Netscape plans to display simply the Certificate Authority's Common Name. Therefore, Netscape encourages Certificate Authorities to use a Common Name that the user will recognize as the Certificate Authority. For example, a Common Name of "Netscape Certificate Authority" would be better than simply "Certificate Authority".


SITE CERTIFICATES

The following section describes the mandatory and recommended certificate content. The content of site certificates and CA certificates is nearly identical, though there are small differences in the subject.commonName field described below.

Key length of signature
All Certificate Authorities should use 1024-bit RSA keys for signing certificates. Netscape Navigator 2.0 cannot operate on keys larger than 1024 bits.

Certificate serial numbers
Certificate serial numbers should be unique. No Certificate Authority should issue two certificates with the same serial number.

Distinguished Name
The Distinguished Name of a certificate should be unique unless the same subject has several certificates issued by the same Certificate Authority (i.e., owns several key pairs that need to be certified by the same CA).

Site certificate CertificateInfo fields
The following are the mandatory or recommended values for the fields of the certificateInfo for an SSL 2 server certificate.

Field                           Value                   Required                                   Comment
version                         0                       Required                                   x509v1
signature                       md2WithRSAEncryption    md5 is Recommended                         From PKCS #1
                                md5WithRSAEncryption
subjectPublicKeyInfo.algorithm  rsaEncryption           Required                                   From PKCS #1
subject.commonName              See below               Host name pattern required to avoid        See below
                                                        user seeing a warning dialog.

Signature Algorithm
Use of md5WithRSAEncryption is recommended. The MD2 algorithm is currently supported, but in January of 1996, RSA began recommending that vendors cease using MD2 due to a potential new weakness found in the algorithm. Consequently, support for MD2 will be discontinued in a future release.

Subject Common Name
The subject.commonName field should contain a pattern (such as *.netscape.com) that matches the DNS name of the host with which the client is connecting (such as home.netscape.com). Encoding a host name in this field is used to defeat a potential man-in-the-middle attack.

Navigator 2.0 checks the name referenced or typed by the user (the URL displayed in Navigator's Location field) against the pattern in the subject.commonName field. Note that Navigator does not check the result of a double-reverse-DNS lookup on the name.
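The check just described, as an added Python illustration that is not part of the Netscape document (whose exact matching rules are not reproduced on this page): the host is taken from the URL the user typed, never from a reverse-DNS lookup, and compared with the subject.commonName pattern. Shell-style wildcard semantics for the pattern are an assumption suggested by the *.netscape.com example, and the CA-side acceptance check at the end is this example's own policy, included because a pattern such as a bare "*" would match every host and give the field no value against a man-in-the-middle.

```python
import fnmatch
from urllib.parse import urlsplit


def host_from_url(url):
    """Host portion of the URL shown in the Location field, lower-cased, port stripped."""
    return (urlsplit(url).hostname or "").lower()


def cn_matches_host(pattern, host):
    """Assumed rule (not Navigator's documented rules): case-insensitive shell-style
    wildcard match, so '*.netscape.com' matches 'home.netscape.com'. Note that '*'
    also spans dots, so 'a.b.netscape.com' matches too under this assumption."""
    return fnmatch.fnmatchcase(host.lower(), pattern.lower())


def server_name_check(url, cn_pattern):
    """Client-side check: URL host against subject.commonName, no reverse DNS involved.
    A server that presents a certificate for some other name fails here even if its
    reverse DNS record claims the expected name."""
    return cn_matches_host(cn_pattern, host_from_url(url))


def acceptable_for_issuance(cn_pattern):
    """Illustrative CA-side policy (this example's own, not from the document):
    once wildcard labels are removed, at least two fixed DNS labels must remain,
    so '*' and '*.com' are refused while '*.netscape.com' is allowed."""
    fixed = [label for label in cn_pattern.lower().split(".")
             if label and "*" not in label]
    return len(fixed) >= 2 and all(label.replace("-", "").isalnum() for label in fixed)


if __name__ == "__main__":
    # Constructed sample inputs built from the names used in the text above.
    for url, pattern in [("https://home.netscape.com/", "*.netscape.com"),
                         ("https://www.netscape.com.example/", "*.netscape.com")]:
        print(url, pattern, server_name_check(url, pattern))
    for pattern in ["*", "*.com", "*.netscape.com"]:
        print(pattern, acceptable_for_issuance(pattern))
```

The second constructed URL shows why the comparison is anchored on the whole host rather than a substring: www.netscape.com.example contains "netscape.com" but does not match the pattern.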

Netscape Navigator 2.0 applies the following matching rules to the pattern in the subject.commonName field:


CERTIFICATE AUTHORITY CERTIFICATES

Key length of signature
All Certificate Authorities should use 1024-bit RSA keys for signing certificates. Netscape Navigator 2.0 cannot operate on keys larger than 1024 bits.

Certificate serial numbers
Certificate serial numbers should be unique. No Certificate Authority should issue two certificates with the same serial number.

Certificate fingerprint
Navigator calculates a certificate fingerprint which the user sees when they choose "Edit Certificate" from the Security Options menu. This fingerprint is an MD5 hash of the certificate. Netscape encourages Certificate Authorities to publish the fingerprint for their certificate so that users may, if they desire, verify that they have the correct certificate.

Certificate Authority CertificateInfo fields
The following are the mandatory or recommended values for the fields of the certificateInfo for a Certificate Authority certificate that can be downloaded to Navigator 2.0.

Field                           Value                   Required       Comment
signature                       md2WithRSAEncryption    Required       From PKCS #1
                                md5WithRSAEncryption
subjectPublicKeyInfo.algorithm  rsaEncryption           Required       From PKCS #1
subject.commonName              See below               Recommended

Signature Algorithm
Use of md5WithRSAEncryption is recommended. The MD2 algorithm is currently supported, but support will be discontinued in some future release. In January of 1996 RSA began recommending that vendors cease using MD2 due to a potential new weakness found in the algorithm.

Subject Common Name for CA Certificates
Netscape recommends that the commonName for CA certificates be a user-readable name that describes the CA without the rest of the Distinguished Name. (Note the certificate should still contain a complete Distinguished Name.)

The Common Name will be displayed when the user chooses to view the list of trusted Certificate Authorities in the Security Preferences dialog box (under the Options menu). Examples include Netscape Test CA or Certs-R-Us Level 42 CA. Examples of names that are not recommended are Certificate Authority and CA Root.

CERTIFICATE ENCODING

In Netscape Navigator 2.0, users (or administrators) can add new trusted Certificate Authorities to Navigator's certificate database. To add a new certificate, users point Navigator at a URL that contains the new CA certificate. Navigator will recognize and appropriately process a certificate encoded as follows:

Encoding
The certificate should be a binary DER encoded X.509 certificate with default 8-bit encoding.

X.509 versions
Netscape Navigator 2.0 can accept CA certificates that are X.509 version 1, 2, or 3. However, Navigator 2.0 ignores the fields issuerUniqueID, subjectUniqueID, and extensions.

MIME-type
The certificate should be delivered to Navigator via the HTTP protocol, and should be identified by the newly defined MIME type application/x-x509-ca-cert. The body of the document should be the DER encoded certificate.
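A minimal server-side illustration of the three points above (binary DER, delivered over HTTP, labelled application/x-x509-ca-cert), added here and not taken from Netscape: it refuses to serve a file that is not a single DER SEQUENCE (for example a PEM file left in place by mistake, which Navigator would not process), sends the MIME type and length, and computes the MD5 fingerprint so the CA can publish it beside the download link for users to compare. The /ca.der path, the handler class and the colon-separated fingerprint formatting are assumptions of this example.

```python
import hashlib
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

CA_CERT_MIME = "application/x-x509-ca-cert"   # MIME type named in the document


def is_der_certificate_shell(der):
    """Sanity check before serving: DER starts with a SEQUENCE (0x30) whose encoded
    length accounts for the whole file, so PEM text or a truncated file is rejected.
    This checks the outer framing only, not the certificate's contents."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first & 0x80:                       # long-form length: low 7 bits count length bytes
        n = first & 0x7F
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    else:
        length, header = first, 2
    return header + length == len(der)


def ca_cert_response_headers(der):
    """Headers Navigator needs in order to treat the body as a downloadable CA certificate."""
    return {"Content-Type": CA_CERT_MIME, "Content-Length": str(len(der))}


def fingerprint(der):
    """MD5 of the DER certificate, as the document says Navigator displays it; the
    colon-separated upper-case hex layout is this example's assumption."""
    return ":".join(f"{b:02X}" for b in hashlib.md5(der).digest())


def load_ca_cert(path):
    """Read the DER file and refuse anything that is not a single DER SEQUENCE."""
    with open(path, "rb") as f:
        der = f.read()
    if not is_der_certificate_shell(der):
        raise ValueError(f"{path}: not a DER-encoded certificate (PEM or truncated?)")
    return der


class CaCertHandler(BaseHTTPRequestHandler):
    """Serves the loaded certificate at /ca.der (assumed path) with the MIME type above."""
    der = b""   # set before the server starts; empty until then

    def do_GET(self):
        if self.path != "/ca.der" or not self.der:
            self.send_error(404)
            return
        self.send_response(200)
        for name, value in ca_cert_response_headers(self.der).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(self.der)


if __name__ == "__main__":
    # usage: python serve_ca_cert.py ca.der   (file name is a placeholder)
    CaCertHandler.der = load_ca_cert(sys.argv[1])
    print("publish this fingerprint with the link:", fingerprint(CaCertHandler.der))
    HTTPServer(("127.0.0.1", 8080), CaCertHandler).serve_forever()
```

The framing check is deliberately cheap; it catches the common operational mistake of publishing the PEM form, which the document says Navigator does not accept, without pretending to validate the certificate itself.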


CERTIFICATE SIGNING REQUESTS FOR SSL 2.0 CERTIFICATES

Certificate Signing Requests for SSL 2.0 certificates are sent to the Certificate Authority via email.

CERTIFICATE REQUESTS

Certificate Signing Requests are emailed to the certificate issuer. They take the following form:

Webmaster: webmaster@foo.com
Phone: 415-555-1212
Server: Netscape-Commerce/1.12

Common-name: www.foo.com
Email: webmaster@foo.com
Organization: FooBar Corp.
Org-unit: Web Content Division
Locality: Anytown
State: California
Country: US

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBOTCB5AIBADCBgDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
EDAOBgNVBAcTB0FueXRvd24xFTATBgNVBAoTDEZvb0JhciBDb3JwLjEdMBsGA1UE
CxMUV2ViIENvbnRlbnQgRGl2aXNpb24xFDASBgNVBAMTC3d3dy5mb28uY29tMFow
DQYJKoZIhvcNAQEBBQADSQAwRgJBANwLUqDA13nb1rGDSNNhl6HW77PZJrzec+I3
gO8bYmcSTD8TLZ2u6eHaBsnR4qOcl+/7EoENhowKieTDv+xTz8ECAQOgADANBgkq
hkiG9w0BAQQFAANBANsX9Y9wYVLEnAZD0AaTnCzg0ekA/9MnxCpfDml5SaNjOV2P
xEXStjrijdP/Rb/1vYujpWBLaLS+e2IZwzvPpKI=
-----END NEW CERTIFICATE REQUEST-----

The actual certificate request is a DER encoded PKCS #10 certificate request that is base64 encoded for email transport.
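To make that format concrete, here is an added Python example (not Netscape's code, and not part of the original document) that decodes the sample request above with a small hand-written DER walker and reports the fields a CA operator would look at before issuing: the subject, the public-key and signature algorithms, and the key size. It uses only the standard library. The `check_request` findings are this example's own mapping of the document's certificate rules (rsaEncryption key, commonName present, keys no larger than 1024 bits, MD5 rather than MD2) onto an incoming request; they are not steps of the Netscape process.

```python
import base64
import re

# The PKCS #10 request from the sample CSR shown above, copied verbatim.
SAMPLE_CSR_PEM = """\
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBOTCB5AIBADCBgDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
EDAOBgNVBAcTB0FueXRvd24xFTATBgNVBAoTDEZvb0JhciBDb3JwLjEdMBsGA1UE
CxMUV2ViIENvbnRlbnQgRGl2aXNpb24xFDASBgNVBAMTC3d3dy5mb28uY29tMFow
DQYJKoZIhvcNAQEBBQADSQAwRgJBANwLUqDA13nb1rGDSNNhl6HW77PZJrzec+I3
gO8bYmcSTD8TLZ2u6eHaBsnR4qOcl+/7EoENhowKieTDv+xTz8ECAQOgADANBgkq
hkiG9w0BAQQFAANBANsX9Y9wYVLEnAZD0AaTnCzg0ekA/9MnxCpfDml5SaNjOV2P
xEXStjrijdP/Rb/1vYujpWBLaLS+e2IZwzvPpKI=
-----END NEW CERTIFICATE REQUEST-----
"""

# PKCS #1 algorithm identifiers from the tables above plus the X.520 name attributes.
OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU",
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}


def pem_to_der(pem):
    """Strip the BEGIN/END lines and undo the base64 used for email transport."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def read_tlv(buf, pos):
    """Decode one DER tag-length-value element at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Immediate (tag, value) children inside a constructed element's content."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(value):
    """Dotted OID from its DER content octets (first octet packs the first two arcs)."""
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def name_of(oid_bytes):
    oid = decode_oid(oid_bytes)
    return OID_NAMES.get(oid, oid)


def parse_name(value):
    """Flatten an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) into {attr: text}."""
    name = {}
    for _, rdn in children(value):
        for _, atv in children(rdn):
            (_, oid), (_, text) = children(atv)
            name[name_of(oid)] = text.decode("ascii")
    return name


def parse_pkcs10(der):
    """Pull out the fields a CA operator checks before issuing."""
    _, request, _ = read_tlv(der, 0)
    (_, info), (_, sig_alg), (_, sig) = children(request)
    (_, version), (_, subject), (_, spki), *_ = children(info)
    (_, alg), (_, key_bits) = children(spki)
    (_, key_oid), *_ = children(alg)
    (_, sig_oid), *_ = children(sig_alg)
    (_, rsa_key), = children(key_bits[1:])   # skip the BIT STRING's unused-bits byte
    (_, modulus), (_, exponent) = children(rsa_key)
    return {
        "version": int.from_bytes(version, "big"),
        "subject": parse_name(subject),
        "public_key_algorithm": name_of(key_oid),
        "key_bits": int.from_bytes(modulus, "big").bit_length(),
        "public_exponent": int.from_bytes(exponent, "big"),
        "signature_algorithm": name_of(sig_oid),
        "signature_bits": (len(sig) - 1) * 8,
    }


def check_request(info):
    """This example's findings against the rules the document sets for the issued certificate."""
    findings = []
    if info["public_key_algorithm"] != "rsaEncryption":
        findings.append("subjectPublicKeyInfo.algorithm must be rsaEncryption")
    if info["key_bits"] > 1024:
        findings.append("key exceeds 1024 bits; Navigator 2.0 cannot use it")
    if "CN" not in info["subject"]:
        findings.append("subject.commonName missing; users will see a warning dialog")
    if info["signature_algorithm"] == "md2WithRSAEncryption":
        findings.append("request signed with MD2; issue with md5WithRSAEncryption")
    return findings


def parse_sample():
    return parse_pkcs10(pem_to_der(SAMPLE_CSR_PEM))


if __name__ == "__main__":
    info = parse_sample()
    print(info)
    print(check_request(info) or "no findings")
```

Run on the sample, the decoder reports a 512-bit RSA key with public exponent 3, signed with md5WithRSAEncryption, and a subject whose six attributes match the plain-text header of the request. Comparing the decoded subject with the email header before signing is worth the few lines it takes: the CA certifies what the DER contains, not what the surrounding text claims.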

CERTIFICATE RESPONSES

The Certificate Authority emails the signed certificate to the requester. The certificate is a DER encoded X.509 Version 1 certificate that is base64 encoded for email transport.

The server administrator saves the certificate to a file and points the Commerce Server to the location of the certificate using administrative utilities.

Here is a sample certificate:

This certificate will expire in 1 days

-----BEGIN CERTIFICATE-----
[base64-encoded certificate body not present in this copy of the page]
-----END CERTIFICATE-----



© 1999 Netscape, All Rights Reserved. Legal & Privacy Notices