Red Hat CERTIFICATE SYSTEM 7.1 - ADMINISTRATOR Administrator's Manual page 304

Managing the Certificate Database
Getting a new certificate for a CS manager requires careful planning. This section provides
some guidelines that will help you request and install the new certificate.
Determine which certificate you want to get
You can get CA signing, OCSP signing, CRL signing, and SSL server certificates for the
Certificate Manager; signing and SSL server certificates for the Registration Manager;
transport and SSL server certificates for the Data Recovery Manager; and signing and SSL
server certificates for the Online Certificate Status Manager. For details about certificates
used by a CS manager.
If you have deployed a Certificate Manager as your root CA and you want to get a
new self-signed CA certificate for that Certificate Manager, you must consider the
possible effects on your PKI setup of changing the key pair of the root CA. If you
reissue the Certificate Manager's CA signing certificate with new key material, none
of the certificates issued or signed by the CA using its old key will work: once the
root CA key changes, every certificate that relies on the CA certificate for
validation can no longer be validated. For example, if the CA has issued certificates
to subordinate Certificate Managers, Registration Managers, Data Recovery Managers,
Online Certificate Status Managers, and agents, all those certificates will become
invalid; the subsystems will fail to function, and agents will fail to access agent
interfaces.
Before getting a new self-signed certificate for the Certificate Manager, therefore, you
must address issues involved in deploying the new root CA certificate across your
enterprise. Because each deployment would have very specific requirements, it is
beyond the scope of this document to explain how you should deploy the new CA
certificate.
If you have deployed a Certificate Manager as a subordinate CA (one that is chained
to a root CA) and you want to get a new subordinate CA certificate for that Certificate
Manager, you must consider the possible effects on your PKI setup of changing the key
pair of the subordinate CA. When you change the subordinate CA key, all certificates
that rely on the subordinate CA certificate for validation will no longer be validated.
Before getting a new subordinate certificate, therefore, you must plan to address issues
involved in deploying the new subordinate CA certificate across your enterprise.
If you have deployed a Certificate Manager and have configured it to publish
CRLs to an Online Certificate Status Manager, you will need to identify the Certificate
Manager to the Online Certificate Status Manager again.
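The effect of changing a CA key pair, described above for root and subordinate CAs, can be reproduced on a throwaway PKI before touching a production deployment. The script below is an added example, not part of the Red Hat manual: it assumes the openssl command-line tool rather than Certificate System's own utilities, and every file name and subject name in it is constructed. For contrast it also reissues the CA certificate with the same key pair, a case the text above does not discuss.

```shell
#!/bin/sh
# Added illustration (assumes the openssl CLI is installed).
# Builds a demo CA, issues one subsystem certificate, then checks that
# certificate against three versions of the CA certificate.
rekey_demo() {
    d=$(mktemp -d) || return 1
    rc=0
    (
        cd "$d" || exit 1
        # Original root CA: key pair plus self-signed certificate.
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca_old.key \
            -out ca_old.crt -subj "/CN=Demo Root CA" -days 30 2>/dev/null || exit 1
        # Subsystem certificate issued under the original CA key.
        openssl req -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
            -subj "/CN=Demo Subsystem" 2>/dev/null || exit 1
        openssl x509 -req -in sub.csr -CA ca_old.crt -CAkey ca_old.key \
            -CAcreateserial -out sub.crt -days 30 2>/dev/null || exit 1
        # Renewal: new self-signed CA certificate, SAME key pair.
        openssl req -x509 -new -key ca_old.key -out ca_renewed.crt \
            -subj "/CN=Demo Root CA" -days 60 2>/dev/null || exit 1
        # Rekey: new self-signed CA certificate, NEW key pair, same subject.
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca_new.key \
            -out ca_rekeyed.crt -subj "/CN=Demo Root CA" -days 60 2>/dev/null || exit 1
        # Validate the already-issued certificate against each CA certificate.
        for ca in ca_old ca_renewed ca_rekeyed; do
            if openssl verify -CAfile "$ca.crt" sub.crt >/dev/null 2>&1; then
                echo "$ca=valid"
            else
                echo "$ca=INVALID"
            fi
        done
    ) || rc=1
    rm -rf "$d"
    return $rc
}

rekey_demo
```

Only the rekeyed CA certificate rejects the previously issued certificate, even though its subject name is unchanged; that certificate would have to be reissued under the new key.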
Red Hat Certificate System Administrator's Guide • September 2005
