Netscape Certificate Management System Plug-Ins Guide • March 2002

Customizing Enrollment Forms for Generating DSA Key Pairs

Netscape Communicator (version 4.x and later) can successfully obtain and use DSA client certificates for SSL client authentication. These versions of Communicator can also recognize the signature on SSL certificates signed by a DSA CA. In order for Communicator to generate a DSA key pair, you must modify the KEYGEN tag in the default certificate enrollment forms; the modifications will indicate that the DSA algorithm is to be used, and will also supply the PQG parameters. For details on the KEYGEN tag, see the document entitled Netscape Extensions for User Key Generation available at this site:

http://home.netscape.com/eng/security/comm4-keygen.html

Depending on the enrollment plug-in you want to use for authenticating end users, you may need to modify the KEYGEN tags in the following certificate enrollment forms:

• DirPinUserEnroll.html
• DirUserEnroll.html
• ManObjSignEnroll.html
• ManUserEnroll.html
• NISUserEnroll.html
• PortalEnrollment.html

These files are located in this directory:

/cert-/web-apps/ee

The procedure below explains how to modify an enrollment form to generate a DSA key pair when used with Netscape Communicator:

1. Go to the configuration directory of the Certificate Manager:
   /cert-/config
2. Open the Certificate Manager's configuration file (CMS.cfg) in a text editor.
3. Open the enrollment form in a text editor.
4. In the configuration file, find the DSSParms entry; this entry represents the PQG attribute and its value contains the PQG parameters that the CA has generated during configuration.
5. Copy the value of the DSSParms entry.
6. Go to the text editor that has the enrollment form open.
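
The KEYGEN change this section describes, scripted as an added example that is not part of the Netscape guide: it reads the DSSParms value and sets KEYTYPE="DSA" and the PQG attribute on every KEYGEN tag in a form. It assumes CMS.cfg holds name=value lines and that the value is base64; the function names and the sample config, form and PQG value are constructed for illustration.

```python
import base64
import re

# Constructed inputs: the value is a placeholder, not real PQG parameters, and
# the form is a stand-in for one of the enrollment pages listed above.
SAMPLE_PQG = base64.b64encode(b"constructed-pqg-placeholder").decode()
SAMPLE_CFG = "example.other=1\nDSSParms=" + SAMPLE_PQG + "\n"
SAMPLE_FORM = '<FORM METHOD="POST">\n<KEYGEN NAME="subjectKeyGenInfo" keytype="RSA">\n</FORM>\n'

KEYGEN_RE = re.compile(r"<KEYGEN\b([^>]*)>", re.IGNORECASE)
STALE_RE = re.compile(
    r"""\s+(?:KEYTYPE|PQG)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""", re.IGNORECASE)


def read_dss_parms(cfg_text):
    """Return the DSSParms value from name=value text (assumed layout)."""
    for line in cfg_text.splitlines():
        name, sep, value = line.partition("=")   # base64 '=' padding stays in value
        if sep and name.strip().split(".")[-1] == "DSSParms":
            value = value.strip()
            if not value:
                raise ValueError("DSSParms entry is empty")
            # Strict base64 check: a value with quotes or angle brackets would
            # otherwise break out of the PQG attribute in the served form.
            base64.b64decode(value, validate=True)
            return value
    raise KeyError("no DSSParms entry found")


def set_dsa_keygen(html, pqg):
    """Point every KEYGEN tag at DSA with the given PQG; return (html, count)."""
    def patch(match):
        kept = STALE_RE.sub("", match.group(1)).rstrip()   # drop old KEYTYPE/PQG
        return '<KEYGEN%s KEYTYPE="DSA" PQG="%s">' % (kept, pqg)
    return KEYGEN_RE.subn(patch, html)


if __name__ == "__main__":
    form, changed = set_dsa_keygen(SAMPLE_FORM, read_dss_parms(SAMPLE_CFG))
    print("KEYGEN tags updated:", changed)
    print(form)
```

Running it on a copy of each form and diffing the result against the original shows exactly which tags changed before the edited file is put in place.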