Step 1. Before You Begin - Netscape MANAGEMENT SYSTEM 6.0 Installation And Setup Manual

communication is SSL-client authenticated. This way, the master Certificate
Manager has the complete list of certificates revoked by all clone Certificate
Managers and is able to generate a consolidated list of revoked certificates or a
complete CRL.
Because the master Certificate Manager has the complete CRL, if you enable the
OCSP-service feature built into the Certificate Manager, it can function as a
full-fledged OCSP responder for your PKI—that is, irrespective of which clone
Certificate Manager has issued the certificate, OCSP-compliant clients can directly
query the master Certificate Manager for the revocation status of a certificate. (For
information on enabling a Certificate Manager's OCSP service, see "Setting Up a
Certificate Manager with OCSP Service" on page 675.) So, CAs organized in a flat
structure using the cloning method eliminate the need for you to install the
standalone OCSP responder, the Online Certificate Status Manager, and configure
each Certificate Manager to publish its CRL to the Online Certificate Status
Manager.
To setup a clone a Certificate Manager (or a CA), follow these steps:
•

Step 1. Before You Begin

• Step 2. Create Instances for Clone CAs
• Step 3. Shutdown the Master CA
• Step 4. Copy Master CA's Certificate and Key Database
• Step 5. Start the Master CA
• Step 6. Configure the Clone CA
• Step 8. Establish Trust Between Master CA and Clone CAs
• Step 9. Test Clone-Master Connection
• Step 10. Use Master CA's Agent Certificate in Clone CAs
Step 1. Before You Begin
Before you start cloning a Certificate Manager:
• Verify that the master Certificate Manager is installed and configured
properly, and is started.
Chapter 7 Installing and Uninstalling CMS Instances
Cloning a Certificate Manager
283