Crl Signing Key Pair And Certificate - Netscape MANAGEMENT SYSTEM 4.5 Installation And Setup Manual

Regardless of whether you chose to enable the OCSP service feature, the
Installation Wizard transparently generates a key pair and a corresponding
certificate identified as the OCSP signing certificate. The wizard generates this
certificate even if you chose not to enable the OCSP service because you can enable
the OCSP service feature in the CMS window after installation. This way, if you
decide to enable the feature at a future date, you won't have to go through the
process of requesting an OCSP signing certificate.

Note that for generating the OCSP signing key pair, the wizard uses some of the
information you provide for the CA signing key pair, which is explained in section
"CA Signing Key Pair and Certificate" on page 437. The key type, key size, key
algorithm, and validity period of the OCSP signing certificate are the same as those
you specified for the CA signing key pair. The subject name of the OCSP signing
certificate is in the form CN=OCSP cert-<cms_instance_id>, and it contains
extensions, such as OCSPSigning and OCSPNoCheck, required for signing OCSP
responses.

The Certificate Manager uses the private key (that corresponds to the public key
used to generate the OCSP signing certificate) to sign the OCSP responses it sends
to the OCSP-compliant clients when queried about the revocation status of
certificates. The Certificate Manager's signature provides persistent proof to the
client that the Certificate Manager has processed the request.

The default nickname for the OCSP signing certificate is
ocspSigningCert cert-<instance_id>, where <instance_id> identifies the
CMS instance in which the Certificate Manager is installed.
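
The following is an added example, not part of the manual or of CMS: a Python check that a certificate's extensions include the two markers named above. It assumes OCSPSigning and OCSPNoCheck correspond to the standard id-kp-OCSPSigning key purpose and id-pkix-ocsp-nocheck extension, takes the DER-encoded Extensions value as input, and uses constructed sample bytes.

```python
OID_EKU = "2.5.29.37"                      # extendedKeyUsage (RFC 5280)
OID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning
OID_OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"  # id-pkix-ocsp-nocheck (RFC 6960)

# Constructed sample, not from a real certificate; the OID mapping is an assumption.
SAMPLE_EXTENSIONS = bytes.fromhex(
    "3026"
    "30130603551d25040c300a06082b06010505070309"
    "300f06092b060105050730010504020500"
)

def read_tlvs(data):
    """Yield (tag, value) for each definite-length DER element in data."""
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated DER header")
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:                        # long-form length: next k bytes
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        if i + n > len(data):
            raise ValueError("truncated DER element")
        yield tag, data[i:i + n]
        i += n

def dec_oid(body):
    """Decode OID content octets (first octet < 80, true for the OIDs here)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # last octet of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def check_ocsp_signer(extensions_der):
    """Return (has_ocsp_signing_eku, has_nocheck) for a DER Extensions value."""
    ((_, body),) = read_tlvs(extensions_der)
    eku = nocheck = False
    for _, ext in read_tlvs(body):          # one Extension SEQUENCE each
        fields = list(read_tlvs(ext))       # OID, optional critical, OCTET STRING
        oid, payload = dec_oid(fields[0][1]), fields[-1][1]
        if oid == OID_OCSP_NOCHECK:
            nocheck = True
        elif oid == OID_EKU:
            ((_, purposes),) = read_tlvs(payload)   # SEQUENCE OF KeyPurposeId
            eku = any(dec_oid(v) == OID_KP_OCSP_SIGNING for _, v in read_tlvs(purposes))
    return eku, nocheck
```

A result of (True, True) for SAMPLE_EXTENSIONS means both markers are present; a responder certificate lacking the OCSP signing purpose should not be trusted to sign responses on the CA's behalf.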

CRL Signing Key Pair and Certificate

By default, a Certificate Manager you have installed uses the same key pair, the one
that corresponds to the CA signing certificate explained in "CA Signing Key Pair and
Certificate" on page 437, for signing certificates and certificate revocation lists
(CRLs). For details about CRLs, see "What's a CRL?" on page 611.

If you want a Certificate Manager to use a separate key pair for signing the CRL it
generates, you can do so after installation. The instructions are provided below.

Note that a Certificate Manager's CRL signing certificate must be signed or issued
by itself; make sure you submit the request to the Certificate Manager itself.

1. Request and install a CRL signing certificate for the Certificate Manager. To do
   this, you may use either of these options:
   - Use the Certificate Setup Wizard available within the CMS window.
