Cloned CA; Certificate Manager Certificates - Red Hat Certificate System 7.1 Administrator's Manual


Certificate Manager Deployment Considerations
with the certificates you issue. If you are using Netscape Communicator as your client, you
can accomplish this task within an intranet by using tools such as Mission Control Desktop
or with the aid of Personal Security Manager, but extranet deployments can be more
complicated.
Subordination to Another CS CA
If you set up a CA using CS that has subordinate CAs, you control the subordinate CAs by
setting policies that control the contents of the CA signing certificate issued. A subordinate
CA issues certificates by evaluating its own authentication, policy, and certificate profile
configuration; it is completely unaware of its parent's setup for these configurations.
A Certificate Manager cannot issue a certificate that has a validity period longer than the
validity period of the CA's CA signing certificate. Any request for a longer period results
in a certificate whose validity is limited to the validity period of the CA's CA signing
certificate.

Cloned CA

A Certificate Manager can also be cloned so that more than one CA shares the same set of
keys and certificates, allowing more than one CA to issue certificates with the same issuer
name and keys. Each clone CA issues a different set of serial numbers. Where the
relationship between a self-signed CA and its subordinates is hierarchical, a CA and its
clones function together, effectively forming a single Certificate Manager with failover
support (and, potentially, load balancing on the front end). For details, see
"Cloning a CA," on page 127.

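The two issuance rules above (validity never exceeds the CA signing certificate, and clones sharing one issuer name must never reuse a serial number) can be checked over an inventory of issued certificates. This is an added example, not code from the manual or from Certificate System; duplicates matter because revocation data identifies a certificate by issuer and serial number. The issuer name, dates, instance names and inventory records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed values (assumptions, not taken from the manual).
CA_ISSUER = "CN=Example CA,O=Example"
CA_NOT_AFTER = utc(2030, 1, 1)  # end of the CA signing certificate's validity


def clamp_not_after(requested, ca_not_after=CA_NOT_AFTER):
    """Validity end after applying the rule: never later than the CA signing cert."""
    return min(requested, ca_not_after)


# Constructed inventory: (issuing instance, issuer DN, serial, notAfter).
INVENTORY = [
    ("master", CA_ISSUER, 0x10, utc(2027, 6, 1)),
    ("clone1", CA_ISSUER, 0x1000010, utc(2028, 6, 1)),
    ("clone1", CA_ISSUER, 0x10, utc(2027, 9, 1)),  # reuses master's serial
    ("master", CA_ISSUER, 0x11, utc(2031, 3, 1)),  # outlives the CA signing cert
]


def audit(inventory, ca_not_after=CA_NOT_AFTER):
    """Return findings for certificates that break either rule."""
    findings = []
    issued_by = defaultdict(list)  # (issuer, serial) -> instances that issued it
    for instance, issuer, serial, not_after in inventory:
        issued_by[(issuer, serial)].append(instance)
        if not_after > ca_not_after:
            findings.append(("outlives-ca", instance, hex(serial)))
    for (_issuer, serial), instances in sorted(issued_by.items()):
        if len(instances) > 1:
            # Same issuer name and serial from two instances: the pair is ambiguous.
            findings.append(("duplicate-serial", ",".join(sorted(instances)), hex(serial)))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
```
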
Certificate Manager Certificates

When you install the Certificate Manager, the keys for the CA signing certificate, SSL
server certificate, and OCSP signing certificate are created and a certificate request is made
for the CA signing certificate and the SSL server certificate. The OCSP signing certificate is
created by the CA itself.
You submit this request either as a self-signing request to the CA itself, which then
issues the certificates (this is how you create a self-signing root CA), or to a
third-party public CA, in which case you install the certificate you receive from that CA
during the rest of the installation.
About the CA Key Pairs and Certificates
This section describes the key pairs and certificates associated with the Certificate Manager.