• Search for certificates issued by the server.
• Set up hierarchies of certificate authorities—multiple subordinate CAs chained
  up to a root CA. (Certificate Management System can also chain under popular
  public CAs that are already pretrusted in popular client and server products.)
• Publish certificate information to an LDAP-compliant directory, such as
  Netscape Directory Server, and maintain this information. Publish the list of
  revoked certificates (CRLs) to an LDAP-compliant directory, a flat file, and an
  online-validation authority.
This chapter describes the basic features and capabilities of Certificate
Management System. Chapter 3, "Default Demo Installation" describes how to
install a simple demo that uses some of these features.
Public-Key Infrastructure
The standards and services that facilitate the use of public-key cryptography and
X.509 version 3 certificates in a networked environment are collectively called
public-key infrastructure (PKI). In any PKI, a certificate authority (CA) is a trusted
entity that issues, renews, and revokes certificates. An end entity (EE) is a person,
router, server, or other entity that uses a certificate to identify itself.
To participate in a PKI, an end entity must enroll, or register, in the system. The end
entity typically initiates enrollment by giving the CA some form of identification
and a newly generated public key. The CA uses the information provided to
authenticate, or confirm, the identity. In some cases the CA may require human
intervention, such as an interview or examination of notarized documents, to
authenticate the end entity (manual approval). In other cases the information
provided may be sufficient (automatic approval). In addition to authenticating the
end entity, the CA uses the public key to ensure "proof of possession"—that is,
cryptographic evidence that the certificate request was signed by the holder of the
corresponding private key. Finally, the CA issues a certificate that associates the
end entity's identity with the public key, and signs the certificate with the CA's
own private signing key.
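The enrollment flow just described, as an added example driven with the openssl command line rather than Certificate Management System's own tools: the end entity proves possession of its private key by signing the request, the CA issues a certificate signed with its own key, and a relying party validates the chain up to the root. The root CA, subordinate CA and end-entity names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Certificate Management System's own tooling): PKI
# enrollment with the openssl CLI.
#  1. End entity generates a key pair and a PKCS#10 request (CSR) signed
#     with its private key.
#  2. CA checks proof of possession by verifying the CSR signature.
#  3. CA issues the certificate, signing it with its own private key.
#  4. A relying party validates end entity -> subordinate CA -> root CA.
# "Demo Root CA", "Demo Sub CA" and ee.example.test are constructed names.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a root CA, a subordinate CA chained to it, and enroll one end entity.
# Returns 0 only if every step, including proof of possession and chain
# validation against the root, succeeds.
enroll_end_entity() {
  cd "$WORK" &&
  # root CA: self-signed
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
      -subj "/CN=Demo Root CA" -days 30 >/dev/null 2>&1 &&
  # subordinate CA: its own CSR, signed by the root with CA:TRUE
  openssl req -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
      -subj "/CN=Demo Sub CA" >/dev/null 2>&1 &&
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' >sub.ext &&
  openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -out sub.crt -extfile sub.ext -days 30 >/dev/null 2>&1 &&
  # end entity: new key pair and a CSR carrying its identity and public key
  openssl req -newkey rsa:2048 -nodes -keyout ee.key -out ee.csr \
      -subj "/CN=ee.example.test" >/dev/null 2>&1 &&
  # proof of possession: the CSR signature must verify under its own public key
  openssl req -in ee.csr -verify -noout >/dev/null 2>&1 &&
  # issuance: the subordinate CA signs with its private key
  openssl x509 -req -in ee.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
      -out ee.crt -days 30 >/dev/null 2>&1 &&
  # relying party: the chain must reach the pretrusted root via the subordinate
  openssl verify -CAfile root.crt -untrusted sub.crt ee.crt >/dev/null 2>&1
}

# Without the subordinate CA certificate the end-entity certificate cannot be
# chained to the root. Returns 0 when openssl correctly rejects it.
chain_needs_subordinate() {
  cd "$WORK" && ! openssl verify -CAfile root.crt ee.crt >/dev/null 2>&1
}

enroll_end_entity && chain_needs_subordinate && echo "enrollment and chain checks passed"
```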
Certificate Management System dramatically simplifies the PKI enrollment
process. Before you deploy a PKI, however, you need to make many decisions
about the relationships between CAs and end entities and related policies and
procedures.
Chapter 1
Introduction to Certificate Management System
System Overview
43