Cryptographic Token Decisions; Publishing Decisions - Netscape MANAGEMENT SYSTEM 4.5 Installation And Setup Manual

For a discussion of CA certificate expiration issues in the context of Certificate
Server 1.x, see http://help.netscape.com/products/server/certificate/cacertdoc/.
Many of the same issues apply to Certificate Management System.

For detailed information on certificate extensions, see Appendix C, "Certificate and
CRL Extensions" of CMS Plug-ins Guide.

Cryptographic Token Decisions

As explained in "PKCS #11" on page 74, one or more PKCS #11 modules must be
available to any CMS instance. A PKCS #11 module, which can be implemented in
either software or hardware, manages cryptographic services such as encryption
and decryption. Netscape provides a built-in PKCS #11 module with Certificate
Management System; see "Installing External Tokens" on page 451.

A PKCS #11 module always has one or more slots, which can be implemented as
physical hardware slots in some form of physical reader (for example, for smart
cards) or as conceptual slots in software. Each slot for a PKCS #11 module can in
turn contain a token, which is the hardware or software device that actually
provides cryptographic services and optionally stores certificates and keys.

As shown in Figure 1-10 on page 74, the built-in PKCS #11 module for Certificate
Management System includes two tokens, one for cryptographic operations and
one for manipulating the key and certificate databases. You can accelerate
cryptographic operations such as the signing of new certificates by using
third-party hardware tokens and accelerator boards. Certificate Management
System support for PKCS #11 also allows you to store critical keys, such as the root
CA signing key, on smart cards or other hardware tokens to facilitate strong
physical security measures.
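
The following is an added example, not taken from the Netscape manual: a Python parser that turns a module listing into the module, slot and token hierarchy described above and reports whether a named key token sits in the built-in module or in an external one. The listing layout (modeled on NSS `modutil -list` output) and every module, slot and token name in it are constructed assumptions.

```python
import re

BUILTIN = "Built-in PKCS #11 Module"  # constructed name for the bundled module
# Constructed listing (layout modeled on NSS `modutil -list` output, an
# assumption); every module, slot and token name here is a placeholder.
SAMPLE = """\
  1. Built-in PKCS #11 Module
     slots: 2 slots attached
     slot: Internal Cryptographic Services
    token: Generic Crypto Services
     slot: Internal Key and Certificate Services
    token: Certificate DB
  2. Example Hardware Module
     slots: 2 slots attached
     slot: Example Reader 0
    token: root-ca-card
     slot: Example Reader 1
    token:
"""

def parse_modules(listing):
    """Return {module: [(slot, token or None), ...]}; None means an empty slot."""
    modules, slots, slot = {}, None, None
    for raw in listing.splitlines():
        text = raw.strip()
        header = re.match(r"\d+\.\s+(.+)", text)
        if header:
            slots = modules.setdefault(header.group(1), [])
        elif text.startswith("slot:") and slots is not None:
            slot = text[len("slot:"):].strip()
        elif text.startswith("token:") and slot is not None:
            slots.append((slot, text[len("token:"):].strip() or None))
            slot = None
    return modules

def key_storage(modules, token_name):
    """Classify where token_name lives: 'external', 'built-in' or 'absent'."""
    for module, slots in modules.items():
        if any(token == token_name for _, token in slots):
            return "built-in" if module == BUILTIN else "external"
    return "absent"  # e.g. the smart card was removed from its reader

def empty_slots(modules):
    """List (module, slot) pairs that currently hold no token."""
    return [(m, s) for m, slots in modules.items() for s, t in slots if t is None]

if __name__ == "__main__":
    inventory = parse_modules(SAMPLE)
    print(key_storage(inventory, "root-ca-card"), empty_slots(inventory))
```

A result of `absent` for the CA signing token distinguishes a removed card from a key that was generated in the built-in software token by mistake.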

Hardware products compatible with Certificate Management System are available
from nCipher™ (http://www.ncipher.com) and Chrysalis-ITS™
(http://www.chrysalis-its.com).

If you decide to test or deploy hardware acceleration and storage devices, consult
the vendor's installation instructions.

Publishing Decisions

A Certificate Manager can publish certificates to an LDAP directory and to files,
and CRLs to an LDAP directory, files, and the Online Certificate Status Manager.

Chapter 4   Planning Your Deployment   177