Step 1. Plan For The New Certificate - Netscape MANAGEMENT SYSTEM 4.5 Installation And Setup Manual

Getting New Certificates for the Subsystems
The sections that follow explain how to get new certificates for the Certificate
Manager, Registration Manager, Data Recovery Manager, and Online Certificate
Status Manager using the Certificate Setup Wizard. Alternatively, you can use the
command-line utilities called the Key Database Tool and Certificate Database Tool.
For details about these tools, check the CMS Command-Line Tools Guide. To locate an
online version of this book, see "Where to Go for Related Information" on page 28.
Getting a new key pair and a corresponding certificate involves the following
steps:

Step 1. Plan for the New Certificate
Step 2. Request the New Certificate
Step 3. Install the New Certificate
Step 4. Deploy the New Certificate

Step 1. Plan for the New Certificate
Getting a new certificate for a CMS manager requires careful planning. This section
provides some guidelines that will help you request and install the new certificate.
Determine which certificate you want to get
You can get CA signing, OCSP signing, CRL signing, SSL server, and remote
administration certificates for the Certificate Manager; signing, SSL server, and
remote administration certificates for the Registration Manager; transport, SSL
server, and remote administration certificates for the Data Recovery Manager; and
signing, SSL server, and remote administration certificates for the Online
Certificate Status Manager. For details about the certificates used by a CMS
manager, see "Keys and Certificates for the Main Subsystems" on page 436.
If you have deployed a Certificate Manager as your root CA and want to get a
new self-signed CA certificate for that Certificate Manager, you must consider
how changing the root CA's key pair will affect your PKI setup. If you reissue
the Certificate Manager's CA signing certificate with new key material, none of
the certificates issued or signed by the CA using its old key will work: once
the root CA key changes, all certificates that rely on the CA certificate for
validation can no longer be validated. For example, if the CA has issued
certificates to subordinate Certificate Managers, Registration Managers, Data
Recovery Managers, Online Certificate Status Managers, and agents, all those
certificates will become invalid; the subsystems will fail to function, and
agents will fail to access agent interfaces.
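
The effect of re-keying a root CA can be reproduced in a scratch directory before you touch a deployed Certificate Manager. This is an added example, not part of the Netscape manual: it uses the OpenSSL command-line tool as a stand-in for the CMS tools, and the subject names, key sizes and lifetimes are constructed.

```shell
#!/bin/sh
# Added example: constructed names, key sizes and lifetimes; uses the OpenSSL
# CLI as a stand-in for the CMS tools (an assumption, not the manual's method).

# chains_to ROOT CERT: print "valid" if CERT verifies against ROOT, else "invalid".
chains_to() {
    if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo valid
    else
        echo invalid
    fi
}

# Runs in a subshell so the scratch directory is always cleaned up.
rekey_demo() (
    dir=$(mktemp -d) || exit 2
    trap 'rm -rf "$dir"' EXIT
    cd "$dir" || exit 2

    # Root CA as first deployed: self-signed certificate over the OLD key pair.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example Corp/CN=Example Root CA" \
        -keyout old_root.key -out old_root.pem 2>/dev/null || exit 2

    # A subordinate manager's certificate, signed with the OLD root key.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=Example Corp/CN=Example Registration Manager" \
        -keyout sub.key -out sub.csr 2>/dev/null || exit 2
    openssl x509 -req -in sub.csr -CA old_root.pem -CAkey old_root.key \
        -set_serial 2 -days 30 -out sub.pem 2>/dev/null || exit 2

    # Root CA reissued: same subject name, NEW key material.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example Corp/CN=Example Root CA" \
        -keyout new_root.key -out new_root.pem 2>/dev/null || exit 2

    echo "old_root=$(chains_to old_root.pem sub.pem)" \
         "new_root=$(chains_to new_root.pem sub.pem)"
)

rekey_demo   # prints: old_root=valid new_root=invalid
```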
Netscape Certificate Management System Installation and Setup Guide • October 2001
