Netscape MANAGEMENT SYSTEM 6.0 Installation And Setup Manual page 467

Before getting a new self-signed certificate for the Certificate Manager,
therefore, you must address issues involved in deploying the new root CA
certificate across your enterprise. Because each deployment would have very
specific requirements, it is beyond the scope of this document to explain how
you should deploy the new CA certificate.

If you have deployed a Certificate Manager as a subordinate CA (that's
chained to a root CA) and if you want to get a new subordinate CA certificate
for that Certificate Manager, you must consider the possible effects on your
PKI setup of changing the key pair of the subordinate CA. When you change
the subordinate CA key, all certificates that rely on the subordinate CA
certificate for validation will no longer be validated. Before getting a new
subordinate certificate, therefore, you must plan to address issues involved in
deploying the new subordinate CA certificate across your enterprise.
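
The effect of changing the subordinate CA key pair can be reproduced with the generic `openssl` command line. This is an added example, not part of the manual and not CMS tooling; every key, subject name and file name in it is constructed. It goes one step beyond the text by contrasting a re-keyed subordinate CA certificate with one reissued over the same key pair.

```shell
#!/bin/sh
# Added example. All keys, names and certificates are constructed in a temp dir.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
cat > "$W/o.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
EOF
newkey() { openssl genrsa -out "$W/$1.key" 2048 2>/dev/null; }
csr() {  # csr NAME KEY SUBJECT: write NAME.csr for KEY.key
  openssl req -new -config "$W/o.cnf" -key "$W/$2.key" -subj "$3" -out "$W/$1.csr"
}
# sub_cert NAME KEY: the root issues a subordinate CA certificate over KEY.
# The subject name is the same each time; only the key pair may differ.
sub_cert() {
  csr "$1" "$2" "/O=Constructed/CN=Constructed Sub CA"
  openssl x509 -req -in "$W/$1.csr" -CA "$W/root.pem" -CAkey "$W/root.key" \
    -CAcreateserial -extfile "$W/o.cnf" -extensions ca -days 30 \
    -out "$W/$1.pem" 2>/dev/null
}
# leaf_status NAME: prints whether the already-issued leaf chains via NAME.pem.
leaf_status() {
  if openssl verify -CAfile "$W/root.pem" -untrusted "$W/$1.pem" \
       "$W/leaf.pem" >/dev/null 2>&1
  then echo valid; else echo invalid; fi
}

newkey root
openssl req -x509 -new -config "$W/o.cnf" -extensions ca -key "$W/root.key" \
  -subj "/O=Constructed/CN=Constructed Root CA" -days 30 -out "$W/root.pem"
newkey k1; sub_cert sub_old k1          # subordinate CA as first deployed
newkey leaf; csr leaf leaf "/CN=leaf.example.test"
openssl x509 -req -in "$W/leaf.csr" -CA "$W/sub_old.pem" -CAkey "$W/k1.key" \
  -CAcreateserial -days 30 -out "$W/leaf.pem" 2>/dev/null
sub_cert sub_renewed k1                 # new certificate, same key pair
newkey k2; sub_cert sub_rekeyed k2      # new certificate, new key pair

echo "leaf via original sub CA cert: $(leaf_status sub_old)"
echo "leaf via renewed (same key):   $(leaf_status sub_renewed)"
echo "leaf via re-keyed sub CA cert: $(leaf_status sub_rekeyed)"
```

Running the same `openssl verify` check against a sample of certificates already issued by the subordinate CA shows, before the new certificate is deployed, which of them will stop validating.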

If you have deployed a Certificate Manager and if you have configured it to
publish CRLs to an Online Certificate Status Manager, you will need to identify
the Certificate Manager to the Online Certificate Status Manager again. For
details, see "Step 3. Identify the CA to the OCSP Responder" on page 690.

If you want to get a new signing certificate for a Registration Manager, check
whether the Registration Manager has been set up as a trusted manager for a
Certificate Manager and Data Recovery Manager—that is, you must identify
the subsystems that have been configured to receive requests from this
Registration Manager; see "Trusted Managers" on page 380. You will need to
replace the existing signing certificate with the new one in all these
subsystems.

If you want to get a new transport certificate for a Data Recovery Manager, you
must identify the end-entity interfaces or forms that have been set up for the
archival of end users' encryption private keys; see "How Key Archival Works"
on page 719. You will need to replace the existing transport certificate with the
new one in all these forms.

If you want to get a new SSL server certificate for a Certificate Manager,
determine whether the Certificate Manager is used as a master CA in a
cloned-CA setup; see "Cloning a Certificate Manager" on page 282. If it is,
you'll have to update the clone CAs' certificate databases with the new SSL
server certificate.

Also determine whether the Certificate Manager is configured to publish
certificates and CRLs to an LDAP directory and whether it uses the SSL server
certificate for SSL client authentication to the directory. If it does, you will have
to request the certificate with the appropriate extensions, and after installing
the certificate you will have to configure the publishing directory to use this
certificate.

Chapter 14, Managing CMS Keys and Certificates: Getting New Certificates for the Subsystems (page 467)

This manual is also suitable for:

Certificate management system 6.0