Netscape Management System 6.0 Installation and Setup Manual, page 52

System Overview
The Registration Manager communicates with the Data Recovery Manager and the
Certificate Manager as necessary to facilitate certificate management operations
such as enrollment, renewal, or key storage. When the four subsystems are
installed in separate CMS instances (whether on the same machine or on different
machines), they use proprietary connectors to communicate with each other over
HTTPS—that is, HTTP over SSL, as shown in Figure 1-1. For information about the
connectors, see "Trusted Managers" on page 380.
The Certificate Manager maintains a complete record of issued certificates and can
publish certificates and CRLs to many repositories, such as a directory using LDAP or
LDAP over SSL (LDAPS), a file, or the Online Certificate Status Manager. If the
Certificate Manager and directory are inside the firewall and if it's necessary for
some entries in a directory to be available outside the firewall, Netscape
recommends using the partial replication feature of Directory Server to replicate
the relevant portion of the directory to which the Certificate Manager publishes. In
this guide, a directory used for publishing certificates and CRLs is called a
publishing directory. Publishing directories can also be used for authentication to
implement an automated certificate enrollment method.
As mentioned earlier, the Data Recovery Manager performs the long-term archival
and recovery of end users' private encryption keys. A Certificate Manager or
Registration Manager can be configured to archive end users' private encryption
keys with a Data Recovery Manager as part of the process of issuing new
certificates. End-entities do not have direct access to the Data Recovery Manager.
The following steps summarize the key storage process during end-entity
enrollment through a Registration Manager. Figure 1-2 illustrates these steps.
1. After the user completes and submits an enrollment form, the end entity
   generates dual key pairs and sends two certificate requests to the Registration
   Manager, which detects a request for key archival and requests the private
   encryption key from the end entity. The end entity then encrypts (or "wraps")
   its newly minted private encryption key with the Data Recovery Manager's
   public transport key (obtained from a copy of the transport certificate
   embedded in the enrollment form) and sends the wrapped private key to the
   Registration Manager.
2. The Registration Manager sends the end entity's wrapped private encryption
   key to the Data Recovery Manager as part of a key storage request (which also
   includes the end entity's public encryption key).
3. The Data Recovery Manager uses its private transport key to decrypt the end
   entity's private encryption key. After confirming that the private encryption
   key corresponds to the end entity's public encryption key, the Data Recovery
   Manager encrypts the private encryption key with its private storage key and
   stores the private encryption key in the CMS internal database.
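The three steps above as an added Go example; it is not code from this manual or from CMS itself, and the names WrapKey, UnwrapKey, DRMArchive and GenKey are the example's own. It assumes a hybrid wrap (a fresh AES-GCM session key that is RSA-OAEP encrypted to the recipient, because an RSA private key is too large for one RSA encryption) and, where the text says "private storage key", encrypts to the public half of the DRM's storage key pair so that only its private half can recover the archived key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)
// WrappedKey stands in for a CMS key storage request body: the private key DER under a fresh AES-GCM session key that is RSA-OAEP wrapped to the recipient.
type WrappedKey struct{ SessionKey, Nonce, Ciphertext []byte }
// WrapKey: step 1 at the end entity (to the DRM's public transport key) and step 3 at the DRM (to its storage key pair, public half).
func WrapKey(pub *rsa.PublicKey, privDER []byte) (*WrappedKey, error) {
	sk := make([]byte, 32) // fresh session key per request, never reused
	if _, err := rand.Read(sk); err != nil { return nil, err }
	block, err := aes.NewCipher(sk)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	wrappedSK, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sk, nil)
	if err != nil { return nil, err }
	return &WrappedKey{wrappedSK, nonce, gcm.Seal(nil, nonce, privDER, nil)}, nil
}

// UnwrapKey reverses WrapKey with the matching private key; the GCM tag rejects any tampering.
func UnwrapKey(priv *rsa.PrivateKey, w *WrappedKey) ([]byte, error) {
	sk, err := rsa.DecryptOAEP(sha256.New(), nil, priv, w.SessionKey, nil)
	if err != nil { return nil, err }
	block, err := aes.NewCipher(sk)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return gcm.Open(nil, w.Nonce, w.Ciphertext, nil)
}

// DRMArchive is step 3: unwrap with the private transport key, confirm the private key
// corresponds to the public encryption key in the request, then re-wrap it for the database.
func DRMArchive(transportPriv, storagePriv *rsa.PrivateKey, req *WrappedKey, encPub *rsa.PublicKey) (*WrappedKey, error) {
	der, err := UnwrapKey(transportPriv, req)
	if err != nil { return nil, err }
	k, err := x509.ParsePKCS1PrivateKey(der) // parsing also runs Validate() on the key
	if err != nil { return nil, err }
	if !k.PublicKey.Equal(encPub) { return nil, errors.New("private key does not match public key in request") }
	return WrapKey(&storagePriv.PublicKey, der)
}
// GenKey makes one 2048-bit RSA key pair; the example uses it for the transport, storage and end-entity roles.
func GenKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
```

A request whose private key does not match the public key it carries is rejected before anything reaches the database, which is the check step 3 describes.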
52
Netscape Certificate Management System Installation and Setup Guide • March 2002
