Complete Contents
About This Guide
PART 1: Netscape Certificate Management System
Chapter 1: Introduction to Certificate Management System
Chapter 2: Administration Tasks and Tool
Chapter 3: Configuration
PART 2: Managing Certificate Management System
Chapter 4: Installing and Uninstalling Instances
Chapter 5: Starting and Stopping Instances
PART 3: System-Level Configuration
Chapter 6: Configuring Ports, Database, and SMTP Settings
Chapter 7: Managing Privileged Users and Groups
Chapter 8: Keys and Certificates
PART 4: Authentication
Chapter 9: Introduction to Authentication
Chapter 10: Using the PIN Generator Tool
Chapter 11: Configuring Authentication for End Entities
Chapter 12: Developing Authentication Plug-ins
PART 5: Job Scheduling and Notification
Chapter 13: Introduction to Job Scheduling and Notifications
Chapter 14: Configuring Jobs
PART 6: Policies
Chapter 15: Introduction to Policies
Chapter 16: Configuring Policies
PART 7: LDAP Publishing
Chapter 17: Introduction to LDAP Publishing
Chapter 18: Configuring Subsystems for LDAP Publishing
Chapter 19: Publishing CRLs
PART 8: Agent and End-Entity Interfaces
Chapter 20: Introduction to End-Entity and Agent Interfaces
Chapter 21: Customizing End-Entity and Agent Interfaces
PART 9: Logs
Chapter 22: Introduction to Logs
Chapter 23: Managing Logs
PART 10: Issuance and Management of End-Entity Certificates
Chapter 24: Issuing and Managing End-Entity Certificates
Chapter 25: Recovering Encrypted Data
PART 11: Appendixes
Appendix A: Distinguished Names
Appendix B: Backing Up and Restoring Data
Appendix C: Command-Line Utilities
Appendix D: Certificate Database Tool
Appendix E: Key Database Tool
Appendix F: Netscape Signing Tool
Appendix G: SSL Strength Tool
Appendix H: SSL Debugging Tool
Previous Next Contents Index


Appendix F Netscape Signing Tool

This appendix describes how to use version 1.2 of Netscape Signing Tool (signtool on the command line) to digitally sign software, including binary files intended for distribution via SmartUpdate, Java class files, and JavaScript scripts. Version 1.2 includes all the capabilities of, and is fully compatible with, previous versions of Netscape Signing Tool (.50, .60, 1.0, and 1.1).

This appendix has these sections:


Introduction to Netscape Signing Tool
This section reviews basic concepts that you need to understand before you begin using version 1.2 of Netscape Signing Tool to sign files or JavaScript scripts. If you are already familiar with object-signing concepts, go straight to "Using Netscape Signing Tool""Using Netscape Signing Tool" on page 716.

For a complete introduction to object signing technology, see Netscape Object Signing: Establishing Trust for Downloaded Software at this URL:

http://developer.netscape.com/docs/manuals/signedobj/trust/index.htm

What Is Netscape Signing Tool?

Netscape Signing Tool is a stand-alone command-line tool that creates digital signatures and uses the Java Archive (JAR) format to associate them with files in a directory. It is intended for use by system administrators and by developers who want to distribute software electronically over the Internet.

Netscape Signing Tool 1.2 is available for the following platforms:

This appendix describes how to use Netscape Signing Tool 1.2 to sign Java applets, JavaScript scripts, plug-ins, and other files and how to package the signed objects in a JAR archive (also called a JAR file), which is a digital envelope for a compressed collection of files. Communicator client software uses JAR archives to install or update software automatically.

Electronic software distribution over any network involves potential security problems. To help address some of these problems, you can associate digital signatures with the files in a JAR archive. Digital signatures allow Communicator to perform two operations that are important to end users:

You do not need to understand the technical details of JAR archives or digital signatures to use Netscape Signing Tool. However, you do need some familiarity with the concepts described in the rest of this appendix. If you are already familiar with basic object-signing concepts, go straight to "Using Netscape Signing Tool".

JAR Format and JAR Archives

The Java Archive (JAR) format is a set of conventions for associating digital signatures, installer scripts, and other information with files in a directory. Signing tools such as Netscape Signing Tool allow you to sign files using the JAR format and package them as a single JAR file. JAR files are used by Communicator client software to support automatic software installation, user-controlled access to local system resources by Java applets, and other features that help address potential security problems.

The JAR file type is a registered Internet MIME type based on the standard cross-platform ZIP archive format. A JAR file functions as a digital envelope for a compressed collection of files. The JAR file type is distinct from the JAR format, which is simply a way of organizing information in a directory.

Because the JAR format doesn't require a digital signature to be stored physically inside the file with which it is associated, JAR files are extremely flexible. You can use Netscape Signing Tool to sign any files, including Java class files, Communicator plug-ins, or any other kind of document or application. You can also use version 1.1 and later versions of Netscape Signing Tool to sign inline JavaScript scripts.

You must create a JAR file if you want to take advantage of Communicator's SmartUpdate feature. Communicator can automatically locate, download, and install components, plug-ins, and Java classes on a user's machine, thus freeing the user from this chore. Automatic software installation also helps both software developers who want to distribute software and updates over the Internet and system administrators using Mission Control to manage a corporate intranet.

You don't need to know anything else about the JAR format to use Netscape Signing Tool, which takes care of the details for you. For detailed information about the JAR format, see The Jar Format at this URL:

http://developer.netscape.com/docs/manuals/signedobj/jarfile/index.html

For detailed information about using the JAR Installation Manager to package your software for use with SmartUpdate, see Using JAR Installation Manager for SmartUpdate at this URL:

http://developer.netscape.com/docs/manuals/communicator/jarman/index.htm

What Signing a File Means

If you have a signing certificate, you can use Netscape Signing Tool to digitally sign files and package them as a JAR file. An object-signing certificate is a special kind of certificate that allows you to associate your digital signature with one or more files. For information about obtaining an object-signing certificate, see Object-Signing Tools at this URL:

http://developer.netscape.com/docs/manuals/index.html?content=security.html

An individual file can potentially be signed with multiple digital signatures. For example, a commercial software developer might sign the files that constitute a software product to prove that the files are indeed from a particular company. A network administrator manager might sign the same files with an additional digital signature based on a company-generated certificate to indicate that the product is approved for use within the company.

The significance of a digital signature is comparable to the significance of a handwritten signature. Once you have signed a file, it is difficult to claim later that you didn't sign it. In some situations, a digital signature may be considered as legally binding as a handwritten signature. Therefore, you should take great care to ensure that you can stand behind any file you sign and distribute.

For example, if you are a software developer, you should test your code to make sure it is virus-free before signing it. Similarly, if you are a network administrator, you should make sure, before signing any code, that it comes from a reliable source and will run correctly with the software installed on the machines to which you are distributing it.

Object-Signing Certificates

Before you can use Netscape Signing Tool to sign files, you must have an object-signing certificate, which is a special certificate whose associated private key is used to create digital signatures.

For testing purposes only, you can create an object-signing certificate with Netscape Signing Tool 1.2. When testing is finished and you are ready to disitribute your software, you should obtain an object-signing certificate from one of two kinds of sources:

You must also have a certificate for the CA that issues your signing certificate before you can sign files. If the certificate authority's certificate isn't already installed in your copy of Communicator, you typically install it by clicking the appropriate link on the certificate authority's web site, for example on the page from which you initiated enrollment for your signing certificate. This is the case for some test certificates, as well as certificates issued by Netscape Certificate Management System: you must download the the CA certificate in addition to obtaining your own signing certificate. CA certificates for several certificate authorities are preinstalled in the Communicator certificate database.

When you receive an object-signing certificate for your own use, it is automatically installed in your copy of the Communicator client software. Communicator supports the public-key cryptography standard known as PKCS #12, which governs key portability. You can, for example, move an object-signing certificate and its associated private key from one computer to another on a credit-card-sized device called a smart card. For motr information, see "Using Netscape Signing Tool with Smart Cards".


Using Netscape Signing Tool
This section describes how to use Netscape Signing Tool to create digital signatures for files in a directory and to associate the signatures with the files according to the JAR format. Netscape Signing Tool also provides an option that automatically creates a JAR file containing the directory; this option was not implemented in pre-1.0 versions. For maximum flexibility, and for compatibility with scripts that used earlier versions of Netscape Signing Tool, you can still use a ZIP utility to create the JAR file.

For a complete list of Netscape Signing Tool command-line options, see "SignTool Syntax and Options".

Getting Ready to Use Netscape Signing Tool

Before using Netscape Signing Tool, you must have the signtool executable in your path environment variable. You must also have an object-signing certificate.

Netscape Signing Tool includes an option that allows you to generate an object-signing certificate for testing purposes. For information about using this option, see "Generating Test Object-Signing Certificates".

Although suitable for testing purposes, the object-signing certificate produced by Netscape Signing Tool is not recommended for signing finished software that will be widely distributed over the Internet or an intranet. When you are ready to sign finished software, you will need to get an object-signing certificate from your company's internal certificate authority, if it has one, or from a third-party certificate authority.

The sections that follow describe how to prepare Netscape Signing Tool for signing files.

Setting Up Your Certificate

These instructions apply to an object-signing certificate obtained from a third party or an in-house CA for use in signing finished code. During development, you may wish to use a special certificate generated by Netscape Signing Tool for testing purposes.

If you obtained your object-signing certificate while running Communicator on a system that's different from the system on which you intend to sign files, you need to copy your certificate and private key files to the new system. Communicator's certificate and key databases are portable among all platforms.

On the computer where you ran Communicator to get the object-signing certificate, locate the files key3.db and cert7.db. For example, on a typical Windows NT system, these files are found at C:\Program Files\NETSCAPE\USERS\username\. You must copy these files to the system where you intend to sign pages. (If you use FTP, be sure to transfer in binary mode.)

If you are running Netscape Signing Tool on a Unix system and you don't already have a ~/.netscape directory, first run Communicator once to create one. If you want to maintain whatever certificates are already in your ~/.netscape directory, put the existing key3.db and cert7.db files in some other directory before replacing them with the versions that include the object-signing certificate you want to use with Netscape Signing Tool.

If you are using Unix, set up an alias to call signtool, or place it in your path.

If you are using Windows 95 or NT, the signtool executable doesn't know where your certificates are, so either put the key3.db and cert7.db files in the current directory and use "-d." or use -d to point to the directory in which they are located.

Warning. Keep copies of the key3.db and cert7.db files somewhere separate from the copies you use with the signtool executable. This ensures that you won't lose your certificates if you accidentally damage the files. If your keys are on external tokens, such as smart cards, you should keep a copy the secmod.db file.

Listing Available Certificates

You use the -L option to list the nicknames for all available certificates and check which ones are signing certificates, as shown in this Unix example:

% signtool -L 
using certificate directory: /u/jsmith/.netscape
S Certificates
- ------------
BBN Certificate Services CA Root 1
IBM World Registry CA
VeriSign Class 1 CA - Individual Subscriber - VeriSign, Inc.
GTE CyberTrust Root CA
Uptime Group Plc. Class 4 CA
* Verisign Object Signing Cert
Integrion CA
GTE CyberTrust Secure Server CA
AT&T Directory Services
* test object signing cert
Uptime Group Plc. Class 1 CA
VeriSign Class 1 Primary CA
- ------------
Certificates that can be used to sign objects have *'s to their left.
%

In the above example, two signing certificates are displayed: Verisign Object Signing Cert and test object signing cert.

You use the -l option to get a list of signing certificates only, including the signing CA for each, as shown in this Unix example:

% signtool -l
using certificate directory: /u/jsmith/.netscape
Object signing certificates
---------------------------------------
Verisign Object Signing Cert
Issued by: VeriSign, Inc. - Verisign, Inc.
Expires: Tue May 19, 1998
test object signing cert
Issued by: test object signing cert (Signtool 1.0 Testing Certificate (960187691))
Expires: Sun May 17, 1998
---------------------------------------
For a list including CAs, use "signtool -L"

Signing a File

To sign a file using Netscape Signing Tool, follow these steps:

1. Create an empty directory.

% mkdir signdir

2. Put some file into it.

% echo boo > signdir/test.f

3. Specify the name of your object-signing certificate and sign the directory.

If you are using Unix, this example assumes you have put your .db files in the
~/.netscape directory, as explained in
"Setting Up Your Certificate".

% signtool -k MySignCert -Z testjar.jar signdir

using key "MySignCert"
using certificate directory: /u/jsmith/.netscape
Generating signdir/META-INF/manifest.mf file..
--> test.f
adding signdir/test.f to testjar.jar
Generating signtool.sf file..
Enter Password or Pin for "Communicator Certificate DB":

4. At the prompt, type the password to your private-key database.

If it accepts the password, signtool responds as follows:

adding signdir/META-INF/manifest.mf to testjar.jar
adding signdir/META-INF/signtool.sf to testjar.jar
adding signdir/META-INF/signtool.rsa to testjar.jar
tree "signdir" signed successfully

5. Test the archive you just created.

% signtool -v testjar.jar

using certificate directory: /u/jsmith/.netscape
archive "testjar.jar" has passed crypto verification.

           status   path
------------ -------------------
verified test.f

You can also use Netscape Signing Tool from within a script to automate some aspects of signing. For example, here's a Windows script that starts with an unsigned JAR file, unpackages it, signs it, and then repackages it:

rem Expand the jar file into a new directory
unzip -qq myjar.jar -d signjar
del myjar.jar
rem Sign everything in the new directory and recompress
signtool -k MySignCert -Z myjar.jar signdir

Using Netscape Signing Tool with a ZIP Utility

To use Netscape Signing Tool with a ZIP utility, you must have the utility in your path environment variable. You should use the zip.exe utility rather than pkzip.exe, which cannot handle long filenames.

You can use a ZIP utility instead of the -Z option to package a signed archive into a JAR file after you have signed it:

% cd signdir 
% zip -r ../myjar.jar *
adding: META-INF/ (stored 0%)
adding: META-INF/manifest.mf (deflated 15%)
adding: META-INF/signtool.sf (deflated 28%)
adding: META-INF/signtool.rsa (stored 0%)
adding: text.txt (stored 0%)
%

Tips and Techniques


SignTool Syntax and Options
This section summarizes the syntax and options for Netscape Signing Tool 1.2.

Command Syntax

To run Netscape Signing Tool, type

signtool options

where options can be any sequence of the options listed in this chapter.

Each argument for each signtool option must be in quotes if it contains any spaces or other nonalphanumeric characters.

Command Options

Options for signtool are defined as follows:

-b basename
Specifies the base filename for the .rsa and .sf files in the META-INF directory (required by The JAR Format). For example,
-b signatures 

causes the files to be named signatures.rsa and signatures.sf. The default is signtool.

The -b option is available in Netscape Signing Tool 1.0 and later versions only.

-c#
Specifies the compression level for the -J or -Z option. The symbol # represents a number from 0 to 9, where 0 means no compression and 9 means maximum compression. The higher the level of compression, the smaller the output but the longer the operation takes.

If the -c# option is not used with either the -J or the -Z option, the default compression value used by both the -J and -Z options is 6.

-d certdir
Specifies your certificate database directory; that is, the directory in which you placed your key3.db and cert7.db files. To specify the current directory, use "-d." (including the period).

The Unix version of signtool assumes ~/.netscape unless told otherwise. The NT version of signtool always requires the use of the -d option to specify where the database files are located.

-e extension
Tells signtool to sign only files with the given extension; for example, use -e".class" to sign only Java class files. Note that with Netscape Signing Tool version 1.1 and later this option can appear multiple times on one command line, making it possible to specify multiple file types or classes to include.

-f commandfile
Specifies a text file containing Netscape Signing Tool options and arguments in keyword=value format. All options and arguments can be expressed through this file. For more information about the syntax used with this file, see "Tips and Techniques".

-G nickname
Generates a new private-public key pair and corresponding object-signing certificate with the given nickname.

The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the -d option. With the NT version of Netscape Signing Tool, you must use the -d option with the -G option. With the Unix version of Netscape Signing Tool, omitting the -d option causes the tool to install the keys and certificate in the Communicator key and certificate databases. If you are installing the keys and certificate in the Communicator databases, you must exit Communicator before using this option; otherwise, you risk corrupting the databases. In all cases, the certificate is also output to a file named x509.cacert, which has the MIME-type application/x-x509-ca-cert.

Unlike certificates normally used to sign finished code to be distributed over a network, a test certificate created with -G is not signed by a recognized certificate authority. Instead, it is self-signed. In addition, a single test signing certificate functions as both an object-signing certificate and a CA. When you are using it to sign objects, it behaves like an object-signing certificate. When it is imported into browser software such as Communicator, it behaves like an object-signing CA and cannot be used to sign objects.

The -G option is available in Netscape Signing Tool 1.0 and later versions only. By default, it produces only RSA certificates with 1024-byte keys in the internal token. However, you can use the -s option specify the required key size and the -t option to specify the token. For more information about the use of the -G option, see "Generating Test Object-Signing Certificates""Generating Test Object-Signing Certificates" on page 733.

-i scriptname
Specifies the name of an installer script for SmartUpdate. This script installs files from the JAR archive in the local system after SmartUpdate has validated the digital signature. For more details, see the description of -m that follows. The -i option provides a straightforward way to provide this information if you don't need to specify any metadata other than an installer script.

-j directory
Specifies a special JavaScript directory. This option causes the specified directory to be signed and tags its entries as inline JavaScript. This special type of entry does not have to appear in the JAR file itself. Instead, it is located in the HTML page containing the inline scripts. When you use signtool -v, these entries are displayed with the string NOT PRESENT.

-J
Signs a directory of HTML files containing JavaScript and creates as many archive files as are specified in the HTML tags. Even if signtool creates more than one archive file, you need to supply the key database password only once.

The -J option is available only in Netscape Signing Tool 1.0 and later versions. The -J option cannot be used at the same time as the -Z option.

If the -c# option is not used with the -J option, the default compression value is 6.

Note that versions 1.1 and later of Netscape Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be expressed for the CLASS and SRC attributes instead of filenames only, processes LINK tags and parses HTML correctly, and offers clearer error messages.

-k key ... directory
Specifies the nickname (key) of the certificate you want to sign with and signs the files in the specified directory. The directory to sign is always specified as the last command-line argument. Thus, it is possible to write
signtool -k MyCert -d . signdir

You may have trouble if the nickname contains a single quotation mark. To avoid problems, escape the quotation mark using the escape conventions for your platform.

It's also possible to use the -k option without signing any files or specifying a directory. For example, you can use it with the -l option to get detailed information about a particular signing certificate.

-l
Lists signing certificates, including issuing CAs. If any of your certificates are expired or invalid, the list will so specify. This option can be used with the -k option to list detailed information about a particular signing certificate.

The -l option is available in Netscape Signing Tool 1.0 and later versions only.

-L
Lists the certificates in your database. An asterisk appears to the left of the nickname for any certificate that can be used to sign objects with signtool.

--leavearc
Retains the temporary .arc (archive) directories that the -J option creates. These directories are automatically erased by default. Retaining the temporary directories can be an aid to debugging.

-m metafile
Specifies the name of a metadata control file. Metadata is signed information attached either to the JAR archive itself or to files within the archive. This metadata can be any ASCII string, but is used mainly for specifying an installer script.

The metadata file contains one entry per line, each with three fields:

field #1: file specification, or + if you want to specify global metadata (that is, metadata about the JAR archive itself or all entries in the archive)
field #2: the name of the data you are specifying; for example: Install-Script
field #3: data corresponding to the name in field #2

For example, the -i option uses the equivalent of this line:
+ Install-Script: script.js


This example associates a MIME type with a file:

movie.qt MIME-Type: video/quicktime

For information about the way installer script information appears in the manifest file for a JAR archive, see The JAR Format on Netscape DevEdge.

-M
Lists the PKCS #11 modules available to signtool, including smart cards.

The -M option is available in Netscape Signing Tool 1.0 and later versions only.

For information on using Netscape Signing Tool with smart cards, see "Using Netscape Signing Tool with Smart Cards".

For information on using the -M option to verify FIPS-140-1 validated mode, see "Netscape Signing Tool and FIPS-140-1".

--norecurse
Blocks recursion into subdirectories when signing a directory's contents or when parsing HTML.

-o
Optimizes the archive for size. Use this only if you are signing very large archives containing hundreds of files. This option makes the manifest files (required by the JAR format) considerably smaller, but they contain slightly less information.

--outfile outputfile
Specifies a file to receive redirected output from Netscape Signing Tool.

-p password
Specifies a password for the private-key database. Note that the password entered on the command line is displayed as plain text.

-s keysize
Specifies the size of the key for generated certificate. Use the -M option to find out what tokens are available.

The -s option can be used with the -G option only.

-t token
Specifies which available token should generate the key and receive the certificate. Use the -M option to find out what tokens are available.

The -t option can be used with the -G option only.

-v archive
Displays the contents of an archive and verifies the cryptographic integrity of the digital signatures it contains and the files with which they are associated. This includes checking that the certificate for the issuer of the object-signing certificate is listed in the certificate database, that the CA's digital signature on the object-signing certificate is valid, that the relevant certificates have not expired, and so on.

--verbosity value
Sets the quantity of information Netscape Signing Tool generates in operation. A value of 0 (zero) is the default and gives full information. A value of -1 suppresses most messages, but not error messages.

-w archive
Displays the names of signers of any files in the archive.

-x directory
Excludes the specified directory from signing. Note that with Netscape Signing Tool version 1.1 and later this option can appear multiple times on one command line, making it possible to specify several particular directories to exclude.

-z
Tells signtool not to store the signing time in the digital signature. This option is useful if you want the expiration date of the signature checked against the current date and time rather than the time the files were signed.

-Z jarfile
Creates a JAR file with the specified name. You must specify this option if you want signtool to create the JAR file; it does not do so automatically. If you don't specify -Z, you must use an external ZIP tool to create the JAR file.

The -Z option cannot be used at the same time as the -J option.

If the -c# option is not used with the -Z option, the default compression value is 6.

Command File Syntax

Entries in a Netscape Signing Tool command file have this general format:

keyword=value

Everything before the = sign on a single line is a keyword, and everything from the = sign to the end of line is a value. The value may include = signs; only the first = sign on a line is interpreted. Blank lines are ignored, but white space on a line with keywords and values is assumed to be part of the keyword (if it comes before the equal sign) or part of the value (if it comes after the first equal sign). Keywords are case insensitive, values are generally case sensitive. Since the = sign and newline delimit the value, it should not be quoted.

Command File Keywords and Example

Here are the command file keywords and their values:

Keyword
Value
basename
Same as -b option.

compression
Same as -c option.

certdir
Same as -d option.

extension
Same as -e option.

generate
Same as -G option.

installscript
Same as -i option.

javascriptdir
Same as -j option.

htmldir
Same as -J option.

certname
Nickname of certificate, as with -k and -l -k options.

signdir
The directory to be signed, as with -k option.

list
Same as -l option. Value is ignored, but = sign must be present.

listall
Same as -L option. Value is ignored, but = sign must be present.

metafile
Same as -m option.

modules
Same as -M option. Value is ignored, but = sign must be present.

optimize
Same as -o option. Value is ignored, but = sign must be present.

password
Same as -p option.

keysize
Same as -s option.

token
Same as -t option.

verify
Same as -v option.

who
Same as -w option.

exclude
Same as -x option.

notime
Same as -z option. value is ignored, but = sign must be present.

jarfile
Same as -Z option.

outfile
Name of a file to which output and error messages will be redirected. This option has no command-line equivalent.

Here's an example of the use of the command file. The command

signtool -d c:\netscape\users\james -k mycert -Z myjar.jar signdir > output.txt 

becomes

signtool -f somefile

where somefile contains the following lines:

certdir=c:\netscape\users\james 
certname=mycert
jarfile=myjar.jar
signdir=signdir
outfile=output.txt


Generating Test Object-Signing Certificates
Netscape Signing Tool allows you to create object-signing certificates for testing purposes. This section describes how to create and use such test certificates.

Unlike certificates normally used to sign finished code to be distributed over a network, the test certificates created with Netscape Signing Tool are not signed by a recognized certificate authority. Instead, they are self-signed. In addition, a single test signing certificate functions as both an object-signing certificate and a CA. When you are using it to sign objects, it behaves like an object-signing certificate. When it is imported into browser software such as Communicator, it behaves like an object-signing CA.

Generating the Keys and Certificate

The signtool option -G generates a new public-private key pair and certificate. It takes the nickname of the new certificate as an argument. The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the -d option. With the NT version of Netscape Signing Tool, you must use the -d option with the -G option. With the Unix version of Netscape Signing Tool, omitting the -d option causes the tool to install the keys and certificate in the Communicator key and certificate databases. In all cases, the certificate is also output to a file named x509.cacert, which has the MIME-type application/x-x509-ca-cert.

Important Before installing new keys and certificates in the key and certificate databases, you must set the database password (if you have not done so already). To set the password for the key and certificate databases currently being used by Communicator, click the Security icon in the Communicator toolbar, click Passwords, and click Set Password to create a password.

Warning. If you intend to install the new key pair and certificate in the Communicator databases, you must exit Communicator before using Netscape Signing Tool to generate the object-signing certificate. Otherwise, you risk corrupting your certificate and key databases.

Certificates contain standard information about the entity they identify, such as the common name and organization name. Netscape Signing Tool prompts you for this information when you run the command with the -G option. However, all of the requested fields are optional for test certificates. If you do not enter a common name, the tool provides a default name. In the following example, the user input is in boldface:

% signtool -G MyTestCert
using certificate directory: /u/someuser/.netscape
Enter certificate information. All fields are optional. Acceptable
characters are numbers, letters, spaces, and apostrophes.
certificate common name: Test Object Signing Certificate
organization: Netscape Communications Corp.
organization unit: Server Products Division
state or province: California
country (must be exactly 2 characters): US
username: someuser
email address: someuser@netscape.com
Enter Password or Pin for "Communicator Certificate DB": [Password will not echo]
generated public/private key pair
certificate request generated
certificate has been signed
certificate "MyTestCert" added to database
Exported certificate to x509.raw and x509.cacert.
%

The certificate information is read from standard input. Therefore, the information can be read from a file using the redirection operator (<) in some operating systems. To create a file for this purpose, enter each of the seven input fields, in order, on a separate line. Make sure there is a newline character at the end of the last line. Then run signtool with standard input redirected from your file as follows:

% signtool -G MyTestCert <inputfile

The prompts show up on the screen, but the responses will be automatically read from the file. The password will still be read from the console unless you use the -p option to give the password on the command line.


Using Netscape Signing Tool with Smart Cards
This section describes how to use smart cards from within Netscape Signing Tool to digitally sign files.

What Is a Smart Card?

A smart card (sometimes called a token) is a credit-card-sized card, a key, or other easily removable device that can be used for cryptographic operations and for storing certificates. Smart cards are portable and must be physically inserted in an appropriate smart card reader attached to a computer for use with Communicator software running on that computer. Smart cards extend the private-key protection provided by Communicator, since private keys stored on the card require the card's presence as well as the password to the private-key database.

Navigator and Netscape Signing Tool support PKCS #11, a cryptographic standard developed to support services provided by smart cards. Before purchasing a smart card for use with Communicator, you should ensure that your vendor provides a PKCS #11 driver that has been tested with Communicator on your platform. Tested brands include Litronic Netsign and Datakey's SignaSURE.

Setting Up a Smart Card

Connect the smart card reader according to the manufacturer instructions. You may need to reset the smart card to a default state using the manufacturer's configuration utility. Not all smart cards require this step.

Smart cards designed for use with Communicator come with a software driver that you should install in your computer according to the manufacturer's instructions. You can then add the driver (also called a cryptographic module) to Communicator as follows:

  1. Make sure the smart card is inserted in the smart card reader.
  2. Click the Security button near the top of a Navigator window.
  3. Click Cryptographic Modules in the left frame.
  4. Click the Add button.
  5. Type an appropriate name for the module you want to add in the box labeled Security Module Name.
  6. Type the name of the driver that was supplied with your smart card in the box labeled Security Module File. For Windows systems, this is a dynamic linked library (DLL). You don't have to type the entire path, but you may.
  7. Click OK.
  8. If Communicator asks for it, type the smart card password.
  9. Select the module you've just installed and click the View/Edit button.
  10. Make sure the displayed information is correct for the smart card you just installed.
  11. Select the name of the smart card.
  12. Click the More Info button and examine that information as well.
  13. If the state of the smart card (shown near the bottom of the More Info window) is Not Logged In, click OK and then click the Login button. Otherwise, just click OK. (Logging in allows you to install your signing certificate on the smart card. The smart card doesn't have to be logged in within Communicator for you to use it with Netscape Signing Tool.)
  14. Click OK again.
After you have activated the smart card, use Communicator to visit the web site for the certificate authority (CA) you want to use and request a signing certificate.

When you submit your information to the certificate authority, Communicator asks you to select the card or database you wish to use to generate your private key. You should select the name of your smart card.

Your system then generates a public-private key pair and submits your request to the CA. When you receive the certificate, it is installed directly onto the card and travels with that smart card. However, you will be unable to use the certificate unless the smart card is inserted in the appropriate reader and you have entered its password correctly.

Using the -M Option to List Smart Cards

You can use the -M option to list the PKCS #11 modules, including smart cards, that are available to signtool:

% signtool -d "c:\netscape\users\jsmith" -M
using certificate directory: c:\netscape\users\<username>
Listing of PKCS11 modules
-----------------------------------------------
1. Netscape Internal PKCS #11 Module
(this module is internally loaded)
slots: 2 slots attached
status: loaded
slot: Communicator Internal Cryptographic Services Version 4.0
token: Communicator Generic Crypto Svcs
slot: Communicator User Private Key and Certificate Services
token: Communicator Certificate DB
2. CryptOS
(this is an external module)
DLL name: core32
slots: 1 slots attached
status: loaded
slot: Litronic 210
token:
3. Datakey SignaSURE
(this is an external module)
DLL name: dkck232.dll
slots: 1 slots attached
status: loaded
slot: Datakey Reader
token: <username>
-----------------------------------------------

Using Netscape Signing Tool and a Smart Card to Sign Files

Before you try to use Netscape Signing Tool with a smart card, try using it to sign a file without a smart card as described in "Using Netscape Signing Tool".

The signtool command normally takes an argument of the -k option to specify a signing certificate. To sign with a smart card, you supply only the fully qualified name of the certificate.

To see fully qualified certificate names when you run Communicator, click the Security button in Navigator, then click Yours under Certificates in the left frame. Fully qualified names are of the format smart card:certificate, for example "MyCard:My Signing Cert". You use this name with the -k argument as follows:

signtool -k "MyCard:My Signing Cert" directory

where directory is the directory tree you want to sign. signtool asks you for two passwords: the password that protects the Communicator certificate database and the password that protects your smart card. If the passwords are correct, signtool signs the files in the directory.


Netscape Signing Tool and FIPS-140-1
This section describes how to use Netscape Signing Tool in FIPS-140-1 validated mode. FIPS 140-1 is a U.S. government standard for implementations of cryptographic modules--that is, hardware or software that encrypts and decrypts data or performs other cryptographic operations (such as creating or verifying digital signatures). Many products sold to the U.S. government must comply with one or more of the FIPS standards.

For general information on FIPS standards and Netscape FIPS-140-1 validation, see the FIPS 140-1 FAQ.

Using FIPS-140 Mode

Netscape Signing Tool is FIPS-140-1 validated when it uses the FIPS-validated Netscape cryptographic module. The FIPS module can be activated and deactivated from within Communicator. Communicator stores the module choice in the security module database (called secmod.db on Windows platforms and secmodule.db on Unix platforms). This database is stored in the same directory as your certificate database (cert7.db) and key database (key3.db), as indicated by the -d option of Netscape Signing Tool.

Before using Netscape Signing Tool in FIPS-validated mode, you must use Navigator to switch to FIPS mode. For information on how to do this, see Operating Netscape Navigator in FIPS PUB-140-1 Compliant Mode on Netscape DevEdge.

After switching the Navigator cryptographic module to FIPS mode, you have two choices:

Verifying FIPS Mode

Use the -M option to verify that you are using the FIPS-140-1 module.

This Unix example shows that Netscape Signing Tool is using a non-FIPS module:

% signtool -d "c:\netscape\users\jsmith" -M
using certificate directory: c:\netscape\users\jsmith
Listing of PKCS11 modules
-----------------------------------------------
1. Netscape Internal PKCS #11 Module
(this module is internally loaded)
slots: 2 slots attached
status: loaded
slot: Communicator Internal Cryptographic Services Version 4.0
token: Communicator Generic Crypto Svcs
slot: Communicator User Private Key and Certificate Services
token: Communicator Certificate DB
-----------------------------------------------

This Unix example shows that Netscape Signing Tool is using a FIPS-140-1 module:

% signtool -d "c:\netscape\users\jsmith" -M
using certificate directory: c:\netscape\users\jsmith
Enter Password or Pin for "Communicator Certificate DB": [password will not echo]
Listing of PKCS11 modules
-----------------------------------------------
1. Netscape Internal FIPS PKCS #11 Module
(this module is internally loaded)
slots: 1 slots attached
status: loaded
slot: Netscape Internal FIPS-140-1 Cryptographic Services
token: Communicator Certificate DB
-----------------------------------------------


Answers to Common Questions
This section answers the most common technical questions regarding Netscape Signing Tool.

Netscape Signing Tool, or Communicator, fails to report the presence of a particular certificate in the database, even though that certificate should be there.

Netscape Signing Tool 1.x and Communicator 4.x are designed to read only the cert7.db files used by Communicator 4.x. If it happens that a certificate gets downloaded with Navigator 3.x after Communicator 4.x was installed and run, that certificate is recorded in a database of the older (3.x) format. While Communicator does automatically convert Navigator's cert5.db and key.db databases to the cert7.db and key3.db formats the first time it runs, it does not do so again.

To get a certificate into the new database from an old one requires forcing Communicator to reinitialize its cert7.db file as it does at first run-time. This requires that the certificates in the current cert7.db file be exported for later re-importing.

  1. Click the Security Info button on the Communicator toolbar.
  2. Click Yours under Certificates in the left panel, and select a certificate to export.
  3. Click Export and save a PKCS #12 copy of the certificate to a safe location (if no copy already exists).
  4. Repeat steps 2 and 3 for each certificate present.
  5. Exit Communicator completely.
  6. Move the cert7.db and key3.db files from your user profile directory to a backup directory. This is a safety measure: these files shouldn't be needed again. Once the following steps are successfully completed, and you have used signtool -l to verify that the upgraded cert7.db file has the right certificates, you can discard these backup copies.
  7. Copy Navigator's cert5.db and key.db files to your Communicator user-profile directory.
  8. Restart Communicator. It automatically upgrades the older database files, including their contents.
  9. Click the Security Info button on the Communicator toolbar, then click Yours under Certificates in the left panel.
  10. Click Import a Certificate and give the database password.
  11. Select a certificate file to open and give the certificate's password.
  12. Repeat steps 9 and 10 for each certificate to be re-imported.
The certificate needed to sign an object is in the certificate database, but Netscape Signing Tool's -l and -k options report "Unable to find issuer certificate" or "Unknown user" errors.

Netscape Signing Tool 1.x reads the cert7.db files used by Communicator 4.x. Normally, cert7.db files record a certificate's complete certificate chain information using the PKCS #7 cryptographic message-syntax standard. However, Navigator 3.x wasn't designed to properly use this standard (it wasn't in wide use yet). Therefore, certificates used by Communicator 4.x that were originally imported with Navigator 3.x may not have all the certificate chain information required for object signing.

In the case of VeriSign Class 2 or Class 3 certificates, the missing portion of the chain is the intermediate node, since the root is provided with Communicator by default and the leaf is included in the existing certificate information. To get the intermediate portion, use Communicator 4.x and click these links for VeriSign Class 2 or VeriSign Class 3 certificate authority updates.

When trying to read a JAR file into Communicator 4.05 the error message "Inconsistent files in manifest" appears in the Java console.

Communicator 4.05 (and only that version) has a bug that makes it sensitive to the case of the JAR manifest's filename as stored in the META-INF directory. Version 4.05 requires the filename to be all lowercase. Although the JAR specification calls for case insensitivity and Netscape Signing Tool does generate a lowercase filename, an uppercase filename can appear if another tool is used to create the JAR, or case translation occurs on the Windows platform.

This problem can be repaired by re-signing the JAR with Netscape Signing Tool, or by unzipping the file and changing MANIFEST.MF to manifest.mf.

How can users change the nicknames of their own certificates?

For convenience, users may want to shorten the nicknames of some of the certificates they use. While certificates cannot be renamed directly, it may be possible to replace them and give the replacement a new name.

Note that this process can present a risk because it requires the user to delete a certificate before replacing it, and if the replacement fails and there is no backup certificate, the certificate is lost.

  1. Click the Security Info button on Communicator's toolbar.
  2. Click Yours under Certificates and select a certificate to rename.
  3. Click Export and save a PKCS #12 copy of the certificate to a safe location (if no copy already exists). This copy is needed if replacement fails.
  4. Click Delete and remove the certificate from the certificate database. Note that the certificate's corresponding private key isn't deleted, just the certificate itself.
  5. Retrieve the certificate again from the Certificate Authority. The specific procedure for doing this depends on the Certificate Authority being used. Be very sure that the replacement is the correct one.
  6. Enter a new name for the certificate when downloading it.

Note: The Export and Import buttons in the Security Info dialog box can't be used to change certificate nicknames. These functions can affect only a certificate's exported PKCS #12 filename.

When I click the Security icon in the Communicator toolbar, click Yours under Certificates, select my object-signing certificate, and click Verify, Communicator informs me that the certificate is not valid. Why?

This is a common occurrence. The Verify button works with S/MIME certificates only. It does not work with object-signing certificates.

To verify an object-signing certificate, use

signtool -l -k nickname

where nickname is the nickname of the certificate you want to verify.

I get the following error when trying to create a test certificate:

failure authenticating to key database .: Security I/O error. 

This error typically means that you have not yet set a password for the certificate database. To set the password for the Communicator database, click the Security icon in the Communicator toolbar, click Passwords, and click Set Password to create a password.

Objects to be signed will be stored and used long-term, well after the certificates used for signing have expired. Will signed objects still be trusted even after their object-signing certificates have expired?

Although certificates expire, valid signatures do not. Signature validation is based on the date of the signature rather than the time verification occurs. If a certificate chain was valid at signing, Communicator will continue to recognize that signature even after certificates in that chain expire. Note that this would not be true, however, if an object was signed using the -z option which omits the original timestamp and forces validation to rely on the current status of the certificate chain.

 

© Copyright 1999 Netscape Communications Corp., a subsidiary of America Online, Inc. All rights reserved.