Configuring Authentication for End-User Enrollment526 Netscape Certificate Management System Installation and Setup Guide • October 2001Step E. Check the Output FileCheck the output file to be sure it contains PINs for your users; the output shouldlook similar to the one specified in PIN Generator documentation.Next, verify that the tool has assigned PINs to the correct users and that the PINsconform to the length and character-set restrictions you specified. If the output isn’twhat you want, run the command again with appropriate arguments. Repeat theprocess until the output file shows the results you want.Step F. Run the Command Again with the Write OptionWhen you are sure about the results, run the command again (with exactly thesame arguments) with the write option and the output option. The tool stores thehashed PINs in the directory. For information on how PINs are stored in thedirectory, see section “How PINs Are Stored in the Directory” of the PIN Generatortool documentation.Use the output file for delivering PINs to users after you complete setting up therequired authentication method; see “Step 9. Deliver PINs to End Users” onpage 544.Step 3. Enable the AttributePresentConstraintsPolicyThis step is required for PIN-based enrollment with PIN removal only in certaindeployment scenarios. Here’s some information that will help you decide whetheryou need to enable this policy.In the password and PIN-based enrollment method, users enroll for a certificateusing their directory user ID, password and PIN. After a PIN has been used tosuccessfully authenticate a user, the Certificate Manager calls thePinRemovalListener module. This module removes the PIN from theauthentication directory when the Certificate Manager issues the requestedcertificate.Note that listeners in Certificate Management System are objects which registerthemselves as interested in knowing about certain events—for example, change inthe state of a request—and carry out a specific task. For more information onlisteners, check the samples directory:/cms_sdk/cms_jdk/samples/listenersOnce the PIN is removed from the authentication directory, it prevents the userfrom enrolling for another certificate.