Subsystem Certificate Decisions; Ssl Server Certificates; Certificate Manager Certificates - Netscape MANAGEMENT SYSTEM 4.5 Installation And Setup Manual

Subsystem Certificate Decisions

Using a self-signed signing certificate for the Certificate Manager simplifies the
deployment of an initial pilot. You can install the Certificate Manager without
having to apply to a public certificate authority and wait for it to issue, sign, and
return your CA signing certificate. Your own Certificate Manager can then issue all
the other certificates required for your pilot. However, taking this approach means
that end entities outside your organization will not recognize your Certificate
Manager unless you distribute the root Certificate Manager certificate to them.

The certificates and keys you need for each subsystem depend in part on whether
the subsystems are in the same or different CMS instances. Subsystems installed
together in the same instance use internal connectors to communicate and therefore
don't need separate SSL certificates to authenticate each other.

When two CMS subsystems are installed in a single instance, they normally share a
single SSL server certificate. If one or more subsystems are installed in a separate
instance from the other subsystems, each instance requires a separate SSL server
certificate.

In addition to any SSL server certificates, the Certificate Manager, Registration
Manager, and Online Certificate Status Manager each requires its own signing
certificate, and the Data Recovery Manager needs its own transport certificate and
storage key.

For more information about the key pairs and certificates used by the CMS
managers, see "Keys and Certificates for the Main Subsystems" on page 436.

SSL Server Certificates

Each CMS instance requires a single SSL server certificate. If you install two
managers in the same instance—that is, a Certificate Manager or Registration
Manager and a Data Recovery Manager—both managers share the same SSL server
certificate.

Certificate Manager Certificates

Every Certificate Manager must have a CA signing certificate whose public key
corresponds to the private key the Certificate Manager uses to sign the certificates
it issues. This certificate is also used for SSL client authentication to the publishing
directory (LDAP over SSL) if the Certificate Manager is set up to publish
certificates or CRLs.
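
The following added example is not from the manual and uses the openssl command line as a stand-in for the Certificate Manager. It builds a pilot self-signed CA, issues one SSL server certificate from it, and checks two points made above: the CA signing certificate's public key matches its signing key, and a relying party accepts the issued certificate only once it holds the root. All subject names and file names are constructed.

```shell
#!/bin/sh
# Added example: openssl stands in for the Certificate Manager; every name is constructed.

# Build a pilot PKI in directory $1: a self-signed CA signing certificate
# plus one SSL server certificate issued by that CA.
make_pilot_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example Pilot/CN=Pilot Certificate Manager" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=Example Pilot/CN=cms.example.test" \
        -keyout "$1/ssl.key" -out "$1/ssl.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/ssl.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/ssl.crt" 2>/dev/null
}

# Succeeds if the public key in certificate $1 corresponds to private key $2.
key_matches_cert() {
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    b=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeeds if certificate $1 validates against root file $2.
# With an empty $2 only the platform's default trust store is consulted,
# which models an outside end entity that was never given the pilot root.
trusts() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
    else
        openssl verify "$1" 2>/dev/null | grep -q ': OK$'
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_pilot_pki "$d" || return 1
    key_matches_cert "$d/ca.crt" "$d/ca.key" && echo "CA signing cert matches signing key"
    trusts "$d/ssl.crt" "" || echo "without the root: SSL server cert rejected"
    trusts "$d/ssl.crt" "$d/ca.crt" && echo "with the distributed root: SSL server cert accepted"
    rm -rf "$d"
}
demo
```

Run `key_matches_cert` against a certificate returned by an external CA before installing it, so that a certificate issued for a different key pair is caught early.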
Netscape Certificate Management System Installation and Setup Guide • October 2001