Cloned Certificate Manager - Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION Administration Manual

Chapter 1. Overview
Figure 1.2. Certificate Manager and DRM in Different Instances
NOTE
The DRM is intended for archival and recovery of private encryption keys only. Therefore,
end entities must use either a browser that supports dual-key generation.
When determining the location of a DRM, consider possible firewall interactions, the physical security
required for each subsystem, and the physical location of the Certificate Manager agent, DRM agent,
and other people responsible for administering the Certificate Manager and recovering keys.
Like a Certificate Manager, a DRM has special physical security requirements, since a compromised
DRM has devastating security consequences for the entire PKI. Consider keeping the DRM in a
special locked room or building; this consideration can affect the deployment strategy.

1.3.3. Cloned Certificate Manager

A cloned Certificate Manager uses the same CA signing key and certificate as another Certificate
Manager, the master Certificate Manager. Since each Certificate Manager issues certificates with
serial numbers in a restricted range, all of the servers together act as a single CA operating in several
server processes.
The advantage of cloning is that it distributes the Certificate Manager's load across several processes
or even several physical machines. For a CA with a high enrollment demand, the distribution gained
from cloning allows more certificates to be signed and issued in a given time interval.
14