Cloning A Certificate Manager - Netscape MANAGEMENT SYSTEM 4.5 Installation And Setup Manual


6. To start the installation wizard, double-click the new instance in the navigation
tree, and then use the installation wizard to finish configuring the new
instance.
7. Create the first agent for the new CMS instance.
When you have finished setting up an additional CMS instance, you need to
create at least one agent for that instance. If the new instance includes a
Certificate Manager, you can create the administrator/agent as described in
"Agent Certificate for a Certificate Manager" on page 275 as you did for the
first instance in the server root. If the new instance does not include a
Certificate Manager—that is, if it contains a Registration Manager, Data
Recovery Manager, Online Certificate Status Manager, Registration Manager
and Data Recovery Manager, or Online Certificate Status Manager and Data
Recovery Manager—you will need to use the CMS window to create a new
agent. This is described in section "Agent Certificate for Other CMS Managers"
on page 278.
Cloning a Certificate Manager
Cloning a Certificate Manager refers to the process of creating two server processes
performing the same CA functions: you create another instance of a Certificate
Manager and configure it to use the same CA signing key and certificate and issue
certificates with serial numbers that do not conflict or overlap with the serial
numbers of the Certificate Manager that's being cloned or with the serial numbers
of any other clones. The Certificate Manager that's being cloned is called the master
Certificate Manager or master CA in this document.
You can use the cloning feature for CA scalability and for setting up a PKI with
CAs organized in a flat structure as opposed to a hierarchical structure. For
example, if you don't want your PKI to be a CA hierarchy comprising root and
subordinate CAs, you can create multiple clones of a Certificate Manager and
configure each clone to issue certificates that fall within a distinct range of serial
numbers. Because clone CAs use the same CA signing key and certificate (as that of
the master CA) to sign the certificates they issue, the issuer name in all the
certificates in your PKI setup would be the same, as if they've been issued by a
single CA.
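
Because every clone signs with the same CA key and issuer name, the serial-number range is the one planning detail that must never collide. The following check is an added example, not part of the original manual or of CMS itself: it validates a range plan for overlaps and maps a certificate serial back to the instance whose range contains it. The instance names, hexadecimal ranges and function names are constructed assumptions, not CMS settings.

```python
# Added example: validate a serial-number range plan for a master CA and its clones.
# Instance names and ranges below are constructed sample data, not CMS settings.
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]  # inclusive (begin, end)

def parse_plan(plan: Dict[str, Tuple[str, str]]) -> Dict[str, Range]:
    """Convert hex (begin, end) strings to ints; reject negative or inverted ranges."""
    parsed = {}
    for name, (begin, end) in plan.items():
        lo, hi = int(begin, 16), int(end, 16)
        if lo < 0 or hi < lo:
            raise ValueError(f"{name}: invalid range {begin}-{end}")
        parsed[name] = (lo, hi)
    return parsed

def find_overlaps(ranges: Dict[str, Range]) -> List[Tuple[str, str]]:
    """Return pairs of instances whose inclusive ranges share at least one serial."""
    ordered = sorted(ranges.items(), key=lambda kv: kv[1])
    overlaps = []
    for i, (name_a, (_, hi_a)) in enumerate(ordered):
        for name_b, (lo_b, _) in ordered[i + 1:]:
            if lo_b > hi_a:
                break  # sorted by begin: nothing later can overlap name_a
            overlaps.append((name_a, name_b))
    return overlaps

def owner_of(serial_hex: str, ranges: Dict[str, Range]) -> Optional[str]:
    """Return the instance whose range contains the serial, or None if none does."""
    serial = int(serial_hex, 16)
    for name, (lo, hi) in ranges.items():
        if lo <= serial <= hi:
            return name
    return None

# Constructed plan with three disjoint ranges.
GOOD_PLAN = {
    "master": ("1", "3fffffff"),
    "clone1": ("40000000", "7fffffff"),
    "clone2": ("80000000", "bfffffff"),
}
# Constructed plan with an off-by-one: master's end equals clone1's begin.
BAD_PLAN = dict(GOOD_PLAN, master=("1", "40000000"))

if __name__ == "__main__":
    print("good plan overlaps:", find_overlaps(parse_plan(GOOD_PLAN)))
    print("bad plan overlaps: ", find_overlaps(parse_plan(BAD_PLAN)))
    print("owner of 80000010: ", owner_of("80000010", parse_plan(GOOD_PLAN)))
```

A serial that `owner_of` cannot place in any planned range is worth investigating, since the shared issuer name gives no other hint of which instance issued it.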
The other advantage of cloning is that when you set up a clone Certificate Manager,
it automatically sends the revocation status of the certificates it has issued to the
master Certificate Manager. The clone Certificate Manager uses the master
Certificate Manager's agent port to communicate this information; the
286
Netscape Certificate Management System Installation and Setup Guide • October 2001
