Netscape Certificate Management System 6.0 Installation and Setup Guide

Configuring Key Archival and Recovery Process

Step A. Deploy Clients That Can Generate Dual Key Pairs

You can use the Data Recovery Manager to archive and recover keys only from
clients that support dual key-pair generation, the key archival option, and the CMC
protocol. Clients that do not meet these criteria cannot be used with the Data
Recovery Manager. To understand why you need clients that can generate
dual key pairs, see "Clients That Can Generate Dual Key Pairs" on page 716. The
same section also points you to an introduction to Netscape Personal Security
Manager, which, when plugged into Netscape Communicator version 4.7x, enables
it to support the CMC protocol and generate dual key pairs.
You may have already installed Personal Security Manager—for example, you
might have installed it as an OCSP-compliant client when setting up a Certificate
Manager to publish CRLs to an OCSP responder; see "Step 2. Install an
OCSP-Compliant Client" on page 690.
Step B. Connect the Enrollment Authority and the Data Recovery Manager
Key archival occurs when dual key pairs are generated by the client. The client
generates the key pairs when a user requests a certificate by filling out the
appropriate certificate enrollment form served by an enrollment authority, which
can be either a Certificate Manager or a Registration Manager. When the
enrollment authority detects the key archival option in the request, it initiates the
key archival process and requests the service of the Data Recovery Manager for
archiving the key.
For the enrollment authority to be able to request the service of the Data Recovery
Manager, the two subsystems must be configured to recognize, trust, and
communicate with each other. When you installed the Data Recovery Manager,
you were asked to connect it to a Certificate Manager or Registration Manager. You
might have specified some of the configuration information required for the two
subsystems to communicate with each other. Also, if the enrollment authority and
the Data Recovery Manager are installed in the same CMS instance, certain
configurations are done automatically.
However, to ensure that key archival takes place successfully, you must make sure
that the Data Recovery Manager is connected to the appropriate enrollment
authority. Also verify whether the enrollment authority has been set up as a
privileged user, with an appropriate SSL client authentication certificate, in the
internal database of the Data Recovery Manager. By default, the Certificate
Manager uses its SSL server certificate for SSL client authentication, whereas the
Registration Manager uses its signing certificate for this purpose; for more
information, see "Keys and Certificates for the Main Subsystems" on page 420.
732
Netscape Certificate Management System Installation and Setup Guide • March 2002
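Steps A and B together, as an added example in Go; this is not code from the Netscape manual or the CMS product. It models a client that generates dual key pairs and sends only the encryption private key for archival (the signing private key stays with the user, which is this example's reading of why two pairs are required), an enrollment authority that detects the archival option and only then requests the Data Recovery Manager's service, presenting the certificate the DRM knows it by, and a DRM that refuses any caller absent from its privileged-user database and checks that the unwrapped key matches the public key about to be certified. The names (ArchivalRequest, DRM, Enroll, oaepLabel), the ECDSA/X25519 key choice, the RSA-OAEP wrapping to a DRM transport key, and the certificate stand-ins are all assumptions of this model, not the CMS CRMF/CMC encoding. It needs Go 1.20 or later for the ecdh package.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

var oaepLabel = []byte("drm-key-archival") // assumed label, not the CMS wire format

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// ArchivalRequest stands in for a dual-key client's enrollment request: both public keys
// plus only the encryption private key, wrapped for the DRM; the signing private key stays.
type ArchivalRequest struct {
	ArchivalOption bool
	SigningPub     *ecdsa.PublicKey
	EncryptionPub  *ecdh.PublicKey
	WrappedPrivKey []byte // PKCS#8 encryption private key, RSA-OAEP to the DRM transport key
}

// NewDualKeyRequest is the client side: generate both pairs, select the archival
// option and wrap the encryption private key so that only the DRM can open it.
func NewDualKeyRequest(drmTransport *rsa.PublicKey) *ArchivalRequest {
	signing := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // never archived
	encryption := must(ecdh.X25519().GenerateKey(rand.Reader))
	pkcs8 := must(x509.MarshalPKCS8PrivateKey(encryption))
	return &ArchivalRequest{
		ArchivalOption: true,
		SigningPub:     &signing.PublicKey,
		EncryptionPub:  encryption.PublicKey(),
		WrappedPrivKey: must(rsa.EncryptOAEP(sha256.New(), rand.Reader, drmTransport, pkcs8, oaepLabel)),
	}
}

// DRM models the Data Recovery Manager: its transport key pair (an assumption of this
// model), its internal database of privileged users, and the keys it has archived.
type DRM struct {
	Transport  *rsa.PrivateKey
	Privileged map[string]string            // keyed by the DER of the SSL client-auth cert an EA presents
	Archived   map[string]*ecdh.PrivateKey // keyed by the certified public key bytes
}

func NewDRM() *DRM {
	return &DRM{must(rsa.GenerateKey(rand.Reader, 2048)), map[string]string{}, map[string]*ecdh.PrivateKey{}}
}

// Archive is the service an enrollment authority requests: unregistered callers are
// refused before any unwrapping, and the unwrapped key must match the public key
// about to be certified, or the archive would hold a key nobody can use.
func (d *DRM) Archive(callerCertDER []byte, req *ArchivalRequest) error {
	if _, ok := d.Privileged[string(callerCertDER)]; !ok {
		return errors.New("DRM: caller is not a privileged user; archival refused")
	}
	pkcs8, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, d.Transport, req.WrappedPrivKey, oaepLabel)
	if err != nil {
		return fmt.Errorf("DRM: key not wrapped for this transport key: %w", err)
	}
	parsed, err := x509.ParsePKCS8PrivateKey(pkcs8)
	priv, ok := parsed.(*ecdh.PrivateKey)
	if err != nil || !ok || !priv.PublicKey().Equal(req.EncryptionPub) {
		return errors.New("DRM: archived key does not match the public key being certified")
	}
	d.Archived[string(req.EncryptionPub.Bytes())] = priv
	return nil
}

// Enroll is the enrollment authority side (Certificate Manager or Registration Manager).
// It detects the archival option and only then requests the DRM's service, presenting
// eaCertDER (the CM's SSL server cert or the RM's signing cert). No DRM is an error.
func Enroll(eaName string, eaCertDER []byte, drm *DRM, req *ArchivalRequest) error {
	if !req.ArchivalOption {
		return nil // ordinary enrollment; the DRM is never involved
	}
	if drm == nil {
		return errors.New(eaName + ": archival requested but no DRM is connected")
	}
	return drm.Archive(eaCertDER, req)
}

func main() {
	drm := NewDRM()
	cmCert := []byte("constructed stand-in for the CM's SSL server certificate DER")
	drm.Privileged[string(cmCert)] = "cm"
	req := NewDualKeyRequest(&drm.Transport.PublicKey)
	fmt.Println("registered CM:", Enroll("cm", cmCert, drm, req))
	fmt.Println("unregistered RM:", Enroll("rm", []byte("constructed stand-in for an RM signing cert"), drm, req))
}
```

The two refusals in Archive are the checks this page asks you to verify by hand: a caller whose client-authentication certificate is not in the DRM's privileged-user database gets nothing unwrapped, and a request wrapped for a different DRM's transport key fails even from a registered caller, which is what a mismatched CM-to-DRM connection looks like in practice.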