Certificate Manager And Data Recovery Manager - Red Hat CERTIFICATE SYSTEM 7.1 - ADMINISTRATOR Administrator's Manual

Deployment Scenarios
In many organizations, it may be desirable to deploy multiple Registration Managers that all
communicate with a single Certificate Manager. Each separate Registration Manager, for
example, might handle all end-entity interactions in a particular geographic area or within
an organizational group.
Decisions about the number of, locations of, and relationships among Certificate Managers
and Registration Managers depend on many factors. These include firewall considerations,
the physical security required for each subsystem, the physical location of the end entities
that the Registration Manager is intended to serve, and the physical location of the
Certificate Manager agent, Registration Manager agent, and other persons responsible for
administering the Certificate Manager and Registration Manager.

Certificate Manager and Data Recovery Manager

If an organization requires key archival and recovery capabilities—for example, if
encrypted mail is widely used and the organization risks data loss if it is unable to recover
encryption keys—it can install a Data Recovery Manager. This can be done without regard
for the presence or absence of a separate Registration Manager.
For example, to add key storage and recovery to the scenario sketched in Figure 1-2, a Data
Recovery Manager can be installed in a different CS instance; this instance can be located
in the same server group on the same machine, in a different server group on the same
machine, or on a different machine. Figure 1-3 illustrates a Data Recovery Manager in a
separate CS instance. All communication between the Certificate Manager and the Data
Recovery Manager takes place over HTTPS.
Chapter 1 Overview 51