Cloned Certificate Manager - Red Hat Certificate System 7.1 Administrator's Manual

Deployment Scenarios

The Registration Manager handles all end-entity interactions and communicates with the Certificate Manager and the Data Recovery Manager over HTTPS. The Registration Manager is configured to request the end entity's private encryption key (in encrypted form) and send it to the Data Recovery Manager during the enrollment process. Before the Registration Manager sends the certificate request to the Certificate Manager for processing, the Registration Manager must receive verification from the Data Recovery Manager that the private key has been received and stored and that it corresponds to the end entity's public key.

Only the Certificate Manager can be configured to enable or disable LDAP publishing or to publish to separate directories. The Certificate Manager also has the complete record of issued certificates, so that it can perform the publishing tasks, as shown in the figure.

Many other combinations are possible. For example, there might be multiple Registration Managers in different instances, all dealing with the same Data Recovery Manager and Certificate Manager; or the Certificate Manager might also handle some end-entity interactions. It is also possible to set up both Certificate Managers and Registration Managers such that each has a hierarchy of subordinate managers.
NOTE

The current design of Certificate System assumes that most deployments will rely on a single Data Recovery Manager (associated with either a Registration Manager or a Certificate Manager). However, it is also possible to write custom policies that support multiple Data Recovery Managers. This might be useful, for example, for subordinate CAs that issue certificates for completely independent organizations.

Cloned Certificate Manager

A cloned Certificate Manager is a CS server instance that uses the same CA signing key and certificate as another Certificate Manager, identified as the master Certificate Manager. Each Certificate Manager issues certificates with serial numbers in a restricted range so that all of the servers together act as a single Certificate Authority (operating in several server processes).

The advantage of cloning is the ability to distribute the Certificate Manager's load across several processes or even several physical machines. For a CA that has high enrollment demand, the distribution gained from cloning allows more certificates to be signed and issued in a given time interval.

To create a cloned Certificate Manager, you must first install and configure at least one Certificate Manager and specify a definite upper, but no lower bound for the serial numbers it will use. You then install or create a new instance of a Certificate Manager (but do not configure it). Before configuring the clone, you copy the CS certificate and key database

54
Red Hat Certificate System Administrator's Guide • September 2005
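The serial-number restriction that lets several clones act as one CA, shown as an added example written for this page (it is not Certificate System code, and the class, function names and range values are assumed for illustration):

```python
"""Added example, not Red Hat Certificate System code: models why cloned
Certificate Managers must be given disjoint serial-number ranges.  Every
clone signs with the same CA key and certificate, so the issuer is identical
on every certificate; a serial must be unique per issuer, so each clone's
restricted range is all that stops two processes from issuing the same serial.
Class and function names are hypothetical; ranges are constructed samples.
"""
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class CaClone:
    """One Certificate Manager process sharing the CA signing key."""
    name: str
    upper: int            # definite upper bound (inclusive), always required
    lower: int = 1        # master gets no explicit lower bound, so it starts at 1
    next_serial: int = field(init=False)

    def __post_init__(self):
        if self.lower < 1 or self.upper < self.lower:
            raise ValueError(f"{self.name}: bad range {self.lower}-{self.upper}")
        self.next_serial = self.lower

    def remaining(self) -> int:
        """Serials this clone can still issue before its range is exhausted."""
        return self.upper - self.next_serial + 1

    def issue(self) -> int:
        """Return the next serial, refusing to step past the upper bound."""
        if self.remaining() == 0:
            raise RuntimeError(f"{self.name}: serial range exhausted")
        serial = self.next_serial
        self.next_serial += 1
        return serial


def overlapping_ranges(clones) -> list:
    """Return name pairs whose ranges overlap; [] means serials stay unique."""
    return [(a.name, b.name) for a, b in combinations(clones, 2)
            if a.lower <= b.upper and b.lower <= a.upper]


# Constructed deployment: master bounded above, each clone above the last.
master = CaClone("master", upper=0x0FFF)
clone1 = CaClone("clone1", upper=0x1FFF, lower=0x1000)
clone2 = CaClone("clone2", upper=0x2FFF, lower=0x2000)
if __name__ == "__main__":
    print(overlapping_ranges([master, clone1, clone2]))   # []
    print(overlapping_ranges([master, CaClone("bad", upper=0x10FF, lower=0x0F00)]))
```

A non-empty result from overlapping_ranges means two processes signing under the same issuer could produce the same serial, which is exactly the condition the bounded, non-overlapping ranges in the procedure above exist to prevent.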