Certificate Manager Certificates; Registration Manager Certificates - Netscape MANAGEMENT SYSTEM 6.0 Installation And Setup Manual

Subsystem Certificate Decisions

Certificate Manager Certificates

Every Certificate Manager must have a CA signing certificate whose public key
corresponds to the private key the Certificate Manager uses to sign the certificates
it issues. This certificate is also used for SSL client authentication to the publishing
directory (LDAP over SSL) if the Certificate Manager is set up to publish
certificates or CRLs.
If the Certificate Manager is acting as a root CA, the CA certificate must be installed
and trusted by each client that needs to validate certificates issued by the root
Certificate Manager. In the context of a PKI, trust refers to the relationship between
the user of a certificate and the CA that issued the certificate. If you trust a CA, you
can generally trust valid certificates issued by that CA. It's possible to control
which CAs the client or server software trusts and which it doesn't, and for what
kinds of certificates, by means of settings within the software.
The Certificate Manager also requires an SSL server certificate. For more
information about the key pairs and certificates used by a Certificate Manager, see
"Certificate Manager's Key Pairs and Certificates" on page 421.

Registration Manager Certificates

Every Registration Manager subsystem must have a signing certificate whose
public key corresponds to the private key the Registration Manager uses to sign
end-entity certificate requests before sending them to the Certificate Manager.
Signed requests give the Certificate Manager persistent proof that a particular
Registration Manager processed the request.
The Registration Manager also requires at least one SSL server certificate. For more
information about the key pairs and certificates used by a Registration Manager,
see "Registration Manager's Key Pairs and Certificates" on page 426.
Chapter 4 Planning Your Deployment 177