Step 1. Plan For The New Certificate - Netscape MANAGEMENT SYSTEM 6.0 Installation And Setup Manual

Getting New Certificates for the Subsystems
The sections that follow explain how to get new certificates for a Certificate
Manager, Registration Manager, Data Recovery Manager, and Online Certificate
Status Manager using the Certificate Setup Wizard. Alternatively, you can use the
command-line utilities called the Key Database Tool and Certificate Database Tool.
For details about these tools, check the CMS Command-Line Tools Guide. To locate
this book, see "Where to Go for Related Information" on page 28.
Getting a new key pair and a corresponding certificate involves the following
steps:

Step 1. Plan for the New Certificate
Step 2. Request the New Certificate
Step 3. Install the New Certificate
Step 4. Deploy the New Certificate

Step 1. Plan for the New Certificate
Getting a new certificate for a CMS manager requires careful planning. This section
provides some guidelines that will help you request and install the new certificate.
Determine which certificate you want to get
You can get CA signing, OCSP signing, CRL signing, and SSL server certificates for
the Certificate Manager; signing and SSL server certificates for the Registration
Manager; transport and SSL server certificates for the Data Recovery Manager; and
signing and SSL server certificates for the Online Certificate Status Manager. For
details about certificates used by a CMS manager, see "Keys and Certificates for the
Main Subsystems" on page 420.
If you have deployed a Certificate Manager as your root CA and you want to
get a new self-signed CA certificate for that Certificate Manager, you must
consider how changing the root CA's key pair will affect your PKI setup. If
you reissue the Certificate Manager's CA signing certificate with new key
material, none of the certificates issued or signed by the CA using its old
key will work, because once the root CA key changes, certificates that rely
on the CA certificate for validation can no longer be validated. For example,
if the CA has issued certificates to subordinate Certificate Managers,
Registration Managers, Data Recovery Managers, Online Certificate Status
Managers, and agents, all those certificates will become invalid: the
subsystems will fail to function, and agents will fail to access agent
interfaces.
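
The effect described above can be reproduced on a scratch PKI before touching a production root. The following is an added example, not part of the original manual; it uses the generic openssl command rather than the CMS wizard or tools, and every file name and subject name in it is constructed for the demonstration.

```sh
#!/bin/sh
# Constructed demo PKI: all names, subjects and lifetimes are assumptions.

# build_demo_pki DIR: create the original root, a subsystem certificate signed
# by it, and a reissued root with the SAME subject DN but a NEW key pair.
build_demo_pki() {
    d=$1
    subj="/O=Example Corp/CN=Demo Root CA"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "$subj" \
        -keyout "$d/root_old.key" -out "$d/root_old.crt" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Corp/CN=rm.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/root_old.crt" \
        -CAkey "$d/root_old.key" -CAcreateserial -sha256 -days 30 \
        -out "$d/leaf.crt" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "$subj" \
        -keyout "$d/root_new.key" -out "$d/root_new.crt" 2>/dev/null || return 1
}

# chain_ok CAFILE CERT: succeed only if CERT validates with CAFILE as the
# trust anchor. The output is checked too, not just the exit status.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# same_subject A B: succeed if both certificates carry the same subject DN.
same_subject() {
    [ "$(openssl x509 -in "$1" -noout -subject)" = \
      "$(openssl x509 -in "$2" -noout -subject)" ]
}

demo() {
    tmp=$(mktemp -d) || return 1
    build_demo_pki "$tmp" || { echo "openssl failed" >&2; rm -rf "$tmp"; return 1; }
    same_subject "$tmp/root_old.crt" "$tmp/root_new.crt" \
        && echo "root subject DN: unchanged after reissue"
    chain_ok "$tmp/root_old.crt" "$tmp/leaf.crt" \
        && echo "subsystem cert vs old root: valid"
    chain_ok "$tmp/root_new.crt" "$tmp/leaf.crt" \
        || echo "subsystem cert vs new root: INVALID (must be reissued)"
    rm -rf "$tmp"
}

demo
```

Keeping the subject DN identical does not help: the subsystem certificate's signature was made with the old private key, so it cannot be checked with the new public key.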
Netscape Certificate Management System Installation and Setup Guide • March 2002
