PGP Certificate Server Freeware ReadMe Version 2.5.8 for Windows NT Copyright (c) 1998-2000 by Networks Associates Technology, Inc., and its Affiliated Companies. All Rights Reserved. Thank you for using Network Associates' products. This ReadMe file contains important information regarding the PGP Certificate Server Freeware. Network Associates strongly recommends that you read this entire document. Network Associates welcomes your comments and suggestions. Please use the information provided in this file to contact us. NOTE: PGP freeware products are for non-commercial use only. Please refer to the included license agreement for terms and conditions of use. NOTE: Network Associates does not provide technical support for PGP freeware products. Warning: Export of this software may be restricted by the U.S. Government. ___________________ WHAT'S IN THIS FILE - Fixes in this Release - New Features - Documentation - System Requirements - Installation - Starting PGP Certificate Server - Starting PGP Replication Engine - Using the Web Configuration/Monitoring Wizard - Known Issues - Additional Information - Contacting Network Associates _____________________ FIXES IN THIS RELEASE * This release corrects a security-related bug with Additional Decryption Keys (ADKs) that may allow sophisticated attackers to add unauthorized ADK key IDs to the unhashed areas of PGP public keys. For more information about this bug, please review the PGP ADK Security Advisory available on www.pgp.com. You can download a repair tool (PGPrepair) from the web page mentioned above to determine whether an existing PGP Certificate Server database contains any keys with tampered signatures. * Resolved a replication looping issue, which may have occurred with two-way replication on PGP Certificate Server 2.5.1 when revoked keys revoked by a designated revoker were added to the server. * Added additional logging information for Delete operations, so that the full list of deleted keys is displayed in the log. * The released version of the Certificate Server, when configured with a single MustSigID and the TrimUsers and TrimSigs features enabled, would prevent that MustSigID key from being uploaded to the server. Added the ability for the server to accept that key. * Resolved an issue with the indexing of certain revoked keys. A problem existed when performing a KeyStatus-is-revoked search. * Resolved a potential looping issue which may have occurred if the replication daemon was down and a key was added to and then deleted from the server, followed by re-starting the replication daemon. * Resolved a potential Denial of Service vulnerability in PGP Certificate Server 2.5.1. This may have occurred when devices attempted to connect to the PGP Certificate Server management port (port 4000 by default) if incoming DNS/NetBIOS traffic was blocked to the PGP Certificate Server. * Resolved a potential Denial of Service vulnerability in PGP Certificate Server 2.5.1. This may have occurred when devices attempted to connect to the PGP Replication port (port 5000 by default) if incoming DNS/NetBIOS traffic was blocked to the PGP Certificate Server. * Resolved a replication looping issue which may have occurred with two-way replication on PGP Certificate Server 2.5.1 when revoked keys were added to the server. ____________ NEW FEATURES * New Native, Optimized Windows NT Service This is the premiere release of PGP Certificate Server as a native Windows NT service that has been optimized for this environment. This new service provides round-the-clock, standards-based PGP certificate management and lookup services for administrators and users. * Easy-to-Use Remote Console Application The new PGP Certificate Server Remote Console, a native Windows NT application, gives administrators the ability to remotely monitor and manage their PGP Certificate Server through an intuitive, easy-to-use interface. All communications between the console and the Certificate Server are strongly authenticated and encrypted using the TLS (Transport Layer Security) protocol, thus providing a very secure foundation for remote management. * Improved web-based Configuration Administrators can conveniently manage the Certificate Server's configuration from nearly any web browser. This version improves the extensive on-line help on product configuration settings. This version provides integrated support for many popular web servers, including: - Microsoft IIS 2.0 - 4.0 - Netscape Enterprise Server 3.x - Netscape FastTrack Server 3.x - Apache 1.3.x Administrators can secure communications between the web browser and Certificate Server using the native security services provided by the web server installed with Certificate Server. * Database Size and Performance Improvements This version includes numerous performance enhancements and database optimizations. Certificate database size has been reduced by 20%-30% from previous versions, due to improved certificate storage methods. This size reduction provides improved server performance; more certificates are now stored in the server's cache, less data is read from and written to the server's hard disk, and fewer transformations are needed on certificate data. * Output Filename Options for Certificates The pgpexport command now allows the output filename to be specified as an argument. Also, the exported certificates can now be split across multiple files. _____________ DOCUMENTATION Included with this release is the following manual, which can be viewed on-line as well as printed: * PGP Certificate Server Administrator's Guide This document is saved in Adobe Acrobat Portable Document Format (.PDF). You can view and print the document with Adobe's Acrobat Reader. PDF files can include hypertext links and other navigation features to assist you in finding answers to questions about your Network Associates product. To download Adobe Acrobat Reader from the World Wide Web, visit Adobe's Web site at: http://www.adobe.com/ * Opening the Administrator's Guide * After installing Adobe Acrobat Reader, bring up the Windows Start Menu. Then select Programs--> Network Associates-->PGP Certificate Server--> Documentation-->Administrator's Guide. If the web server support for PGP Certificate Server is installed, the Administrator's Guide is also available through a link found on the page: http://YOUR-HOST-NAME:PORT/certserver/default.htm Substitute the hostname of the machine running PGP Certificate Server for the YOUR-HOST-NAME value. For PORT, substitute the port number for the web server that you are running on YOUR-HOST-NAME (this defaults to 80 if it is not specified). * Online Help * This release also includes integrated online help in Microsoft Windows Help format: - PGP Certificate Server online help - PGP Replication Engine online help Documentation feedback is welcome. Send email to tns_documentation@nai.com. ___________________ SYSTEM REQUIREMENTS - Windows NT version 4.0 and higher - 32MB RAM minimum - 15MB disk space for software - Additional disk space for database (10MB - 500MB) - Network interface card - PGP 6.5.2 (Only required for management of secure keys). - To run the Configuration/Monitoring Wizard: Microsoft Internet Information Server (version 4 recommended) with Microsoft Internet Explorer 4 or later, or any web server and a version 4 or later browser. ____________ INSTALLATION PGP Certificate Server Freeware is distributed as a self-extracting file. To install the product from a downloaded self-extracting file: 1. Start Windows. 2. Download the PGP Certificate Server installation program onto your computer’s hard drive. 3. Double-click the installation program. 4. Follow the on-screen prompts. _______________________________ STARTING PGP CERTIFICATE SERVER After successfully installing the server, you may start it by following these steps. 1. Choose Programs-->PGP Certificate Server-->PGP Certificate Server Console from the Windows Start Menu. 2. Click "Create Database" to create the initial database (if necessary). 3. Click Start to start Certificate Server. To test that the server is running properly: 1. Start PGP version 5.5 or later. 2. Add the URL of the machine running PGP Certificate Server to PGP's configuration as follows: A. Open the PGPkeys window by selecting PGPkeys from the PGPtray menu. B. Select Edit-->Options. C. On the Servers page, click New to add a New server. D. Select the Protocol to use. E. Enter an LDAP server name using the format: ldap://YOUR-HOST-NAME F. Type a new domain or choose an existing one and click OK. G. Click OK to exit the Options dialog box. H. In the PGPkeys window, select any key from your list of keys, then select the Send Key to Server item on the Keys menu. Be sure to select the name of your new PGP Certificate Server. If the key is successfully sent to the server, your server is running properly. You can also use the search dialog in PGPkeys to search the keys on the server. Again, be sure to set the name of your new server as the server to search. _______________________________ STARTING PGP REPLICATION ENGINE If you installed the optional PGP Replication Engine component, you can start it by selecting Programs-->PGP Certificate Server-->PGP Replication Engine Console from the Windows Start Menu. PGP Replication Engine uses the same configuration file as PGP Certificate Server. The default configuration file does not have replication enabled. The 'Replica' and 'RepLogFile' configuration tags must be configured before you can start the engine. Examples of each are: Replica ldap://mirror.company.com RepLogFile rep.log See the Administrator's Guide for exact details on these configuration values. Pressing Start causes the product to begin monitoring data to replicate. _____________________________________________ USING THE WEB CONFIGURATION/MONITORING WIZARD You use a web browser-based wizard running with an existing web server product to configure PGP Certificate Server; most popular web servers support the wizard. (The web server must be running on the same machine as PGP Certificate Server.) If you are running version 2.0 or later of the Microsoft Internet Information Server and you automatically installed support for the wizard, you can run the wizard by (re)starting the web server. You can then access the configuration/monitoring wizard from your browser using the URL: http://YOUR-HOST-NAME:PORT/certserver/default.htm If you are using another web server or did not have the installer add this support, please see the Administrator's Guide for details on how to properly configure this feature. You can also use any standard text editor to directly edit the Certificate Server configuration file, located at C:\Program Files\Network Associates\PGPcertd\etc\ pgpcertd.cfg. ____________ KNOWN ISSUES * Using RSA keys as Admin keys In the International and Freeware releases, RSA keys cannot be used by the server as the Server Secure KeyID. Only DSS/Diffie-Hellman keys can be used as the key the client uses to determine which server it is connecting to using TLS/SSL. ______________________ ADDITIONAL INFORMATION ** International and Freeware releases ** The International and Freeware versions of PGP Certificate Server do not encrypt data. They do provide strong authentication. The Transport Layer Security (TLS) connection between the PGP client and the server is strongly authenticated; but the data is sent over the network without being encrypted. This means that the queries and adds that are performed by the PGP client can be viewed by others, but the identity of someone performing administrative functions is still strongly authenticated. _____________________________ CONTACTING NETWORK ASSOCIATES NOTE: Network Associates does not provide technical support for PGP freeware products. To purchase a commercial version of PGP, please contact the Network Associates Customer Service department at: Phone: (972) 308-9960 Email: cust_care@nai.com Web: http://www.pgp.com Network Associates Corporate Headquarters 3965 Freedom Circle McCandless Towers Santa Clara, CA 95054