Keys And Certificates For The Main Subsystems - Netscape MANAGEMENT SYSTEM 4.5 Installation And Setup Manual


Keys and Certificates for the Main Subsystems

This section explains the various certificates required and used by the CMS
managers:
Certificate Manager's Key Pairs and Certificates
Registration Manager's Key Pairs and Certificates
Data Recovery Manager's Key Pairs and Certificates
Online Certificate Status Manager's Key Pairs and Certificates
The key pairs that correspond to certificates used by these subsystems can be
stored either in an internal or an external token, or in both. It depends on the token
you chose for the generation and storage of the keys and certificates. For
information on tokens, see "Tokens for Storing CMS Keys and Certificates" on
page 450.
As an administrator, you must make sure that the private keys that correspond to
all certificates, especially the CA signing certificate, used by CMS managers are
adequately protected. This includes protecting them from damage (in other words,
by archiving and backing up the keys) as well as protecting them from
unauthorized access or use. The passwords that protect the tokens containing these
keys must also be carefully guarded. Access to the token itself should be limited.
If the keys are in the internal token (the key3.db file), make sure that only you
or authorized administrators have access to this file. It's also important to
know if the file is stored on backup tapes or is otherwise available for someone
to intercept. Because the destruction of a private key in a disk crash can be
disastrous if you are depending upon that key for a hierarchy of certificate
authorities, backing up your key data is commensurately important. If you do
make copies of your keys, however, you must protect your backups with the
same level of security that you use for protecting your original keys.
If the keys are in an external token, such as a smart card, keep it in a locked
facility. Also, periodically change the passwords that protect these keys. See
"Changing a Token's Password" on page 455.
All CMS certificates have a validity period, as specified when the certificates were
generated, beyond which they cannot be used. For a certificate to be valid beyond
its expiration date, it must be renewed. For instructions to renew a CMS certificate,
see section "Renewing Certificates for the Subsystems" on page 494.
436
Netscape Certificate Management System Installation and Setup Guide • October 2001
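The access requirement stated above for the internal token file, and for any backup copies of it, can be checked with a script. The following is an added example, not part of the Netscape manual or of CMS; it assumes a Unix host, and the function names and the backup file name are hypothetical.

```python
import os
import stat
import tempfile

def audit_key_file(path, allowed_uids):
    """Return findings for one key database file or one backup copy of it."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    except FileNotFoundError:
        return ["missing"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    findings = []
    if st.st_mode & 0o077:
        findings.append("group/other access, mode %04o" % stat.S_IMODE(st.st_mode))
    if st.st_uid not in allowed_uids:
        findings.append("owner uid %d is not an authorized administrator" % st.st_uid)
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & 0o022:
        # A writable directory lets other accounts delete or replace the file.
        findings.append("parent directory is group/other writable")
    return findings

def audit_key_material(paths, allowed_uids):
    """Apply the same checks to the original and to every backup copy."""
    return {p: audit_key_file(p, allowed_uids) for p in paths}

def demo():
    """Constructed sample: a protected key3.db and a world-readable backup."""
    root = tempfile.mkdtemp()
    original = os.path.join(root, "key3.db")
    backup = os.path.join(root, "key3.db.bak")  # hypothetical backup name
    for path, mode in ((original, 0o600), (backup, 0o644)):
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder, not a real key database")
        os.chmod(path, mode)
    os.chmod(root, 0o700)
    return audit_key_material([original, backup], {os.getuid()}), original, backup

if __name__ == "__main__":
    report, _, _ = demo()
    for path, findings in report.items():
        print(path, "OK" if not findings else "; ".join(findings))
```

An empty findings list means the file is readable only by an authorized owner; the backup copy in the constructed sample is reported because it is held to the same standard as the original.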
