Netscape MANAGEMENT SYSTEM 6.01 - AGENT GUIDE Manual page 12


Overview of Certificate Management System
End entities and CAs may be in different geographic or organizational areas or in
completely different organizations. CAs may include third parties that provide
services through the Internet as well as the root CAs and subordinate CAs for
individual organizations. Policies and certificate content may vary from one
organization to another. End-entity enrollment for some certificates may require
physical verification, such as an interview or notarized documents, while
enrollment for others may be fully automated.
To meet the widest possible range of configuration requirements, Certificate
Management System permits the independent installation of four separate
subsystems, or "managers," that typically play distinct roles:
Certificate Manager—A Certificate Manager functions as a root or subordinate
certificate authority. This subsystem issues, renews, and revokes certificates,
and generates certificate revocation lists (CRLs). It can publish certificates to a
Lightweight Directory Access Protocol (LDAP) directory and files, and CRLs to
an LDAP directory, a file, and an Online Certificate Status Protocol (OCSP)
responder. The Certificate Manager can be configured to accept requests from
end entities, Registration Managers, or both, and can process requests either
manually (that is, with the aid of a human being) or automatically (based
entirely on customizable policies and procedures). When set up to work with a
Registration Manager, the Certificate Manager processes requests and returns
the signed certificates to the Registration Manager for distribution to the end
entities. (For an overview of the role of certificate authorities and related
concepts of public-key cryptography, see Appendix D of Managing Servers with
Netscape Console.)
Note that the publishing tasks can be performed by the Certificate Manager
only. The Certificate Manager also has a built-in OCSP service, enabling
OCSP-compliant clients to directly query the Certificate Manager about the
revocation status of a certificate that it has issued. In certain PKI deployments,
it might be convenient to use the Certificate Manager's built-in OCSP service,
instead of an Online Certificate Status Manager.
Registration Manager—A Registration Manager is an optional component in
the PKI and can be used to separate the registration process from the
certificate-signing process. The Registration Manager performs a subset of the
end-entity tasks performed by the Certificate Manager, such as enrollment or
renewal, on behalf of the Certificate Manager. A Registration Manager is
typically installed on a different machine from the Certificate Manager that it
serves. After the Registration Manager approves requests, it forwards them to
this Certificate Manager, which trusts the Registration Manager to provide
12
Netscape Certificate Management System Agent's Guide • May 2002
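The division of labour described above, in which the Registration Manager approves enrollment requests and the Certificate Manager signs them, records revocations and publishes a signed CRL that relying parties consult, can be made concrete as a small Go program using only the standard library. This is an added example, not Netscape CMS code: the type and function names (CertificateManager, ApproveRequest, Issue, PublishCRL, CheckStatus), the "name must lie inside the organisation's domain" policy rule and the host names are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertificateManager models the CA role: it signs certificates, records
// revocations and publishes a signed CRL. Names are hypothetical, not CMS APIs.
type CertificateManager struct {
	Cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	revoked []pkix.RevokedCertificate
	serial  int64 // last serial number issued
	crlNum  int64 // monotonically increasing CRL number
}

// sign creates a certificate from tmpl and parses it back into a usable value.
func sign(tmpl, parent *x509.Certificate, pub any, k *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, k)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func NewCertificateManager() (*CertificateManager, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	root := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := sign(root, root, &k.PublicKey, k) // self-signed root
	if err != nil {
		return nil, err
	}
	return &CertificateManager{Cert: cert, key: k, serial: 1}, nil
}

// NewEnrollmentRequest is what an end entity submits: a PKCS#10 request (DER)
// for the host name it wants certified, signed with a freshly generated key.
func NewEnrollmentRequest(cn string) ([]byte, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, k)
}

// ApproveRequest is the Registration Manager's step: the request must parse,
// carry a valid self-signature (proof of key possession) and pass local policy,
// here the assumed rule "the name must lie inside the organisation's domain".
func ApproveRequest(csrDER []byte, orgDomain string) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	if !strings.HasSuffix(csr.Subject.CommonName, "."+orgDomain) {
		return nil, fmt.Errorf("policy: %q is outside %s", csr.Subject.CommonName, orgDomain)
	}
	return csr, nil
}

// Issue signs an approved request. The CA fixes serial, validity and key usage
// itself and takes only the subject and public key from the request.
func (cm *CertificateManager) Issue(csr *x509.CertificateRequest) (*x509.Certificate, error) {
	cm.serial++
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(cm.serial), Subject: csr.Subject,
		DNSNames:  []string{csr.Subject.CommonName},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(12 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
	}, cm.Cert, csr.PublicKey, cm.key)
}

// Revoke records a serial; PublishCRL signs the current list with the CA key.
func (cm *CertificateManager) Revoke(c *x509.Certificate) {
	cm.revoked = append(cm.revoked,
		pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
}

func (cm *CertificateManager) PublishCRL() ([]byte, error) {
	cm.crlNum++
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		RevokedCertificates: cm.revoked, Number: big.NewInt(cm.crlNum),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
	}, cm.Cert, cm.key)
}

// CheckStatus is the relying party: chain the certificate to the CA, then
// consult the CRL, trusting it only if the CA signed it and it is not stale.
func CheckStatus(c, ca *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := c.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by CA: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL is stale")
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(c.SerialNumber) == 0 {
			return fmt.Errorf("serial %s is revoked", c.SerialNumber)
		}
	}
	return nil
}
```

The two checks in CheckStatus that are easy to forget are the ones that matter most in practice: a CRL is only as good as its signature, so a list not signed by the issuing CA must be ignored, and a CRL past its NextUpdate says nothing about certificates revoked since it was published. The built-in OCSP service mentioned above replaces the CRL download with a per-certificate query, but the responder's signature still has to be checked in the same way before its answer is trusted.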
