Renewal Of Server Certificates; Revocation Of Server Certificates - Netscape MANAGEMENT SYSTEM 6.0 Installation And Setup Manual

Renewal of Server Certificates

Every certificate issued by Certificate Management System has a validity period
that determines its expiration date. The validity period of a certificate is
determined by the validity constraints policy settings at the time the certificate was
issued (see section "ValidityConstraints Plug-in Module" in CMS Plug-Ins Guide).
For a certificate to be valid beyond its expiration date, it must be renewed.
Otherwise, the certificate becomes invalid, and the entity owning the certificate
will no longer be able to use it. Also, the expired certificate will take up space in
your publishing directory and in the internal database of Certificate Management
System.

Note that the Job scheduler component of Certificate Management System enables
you to schedule a job for removing expired certificates from the publishing
directory. For details, see "Configuring a Subsystem to Run Automated Jobs" on
page 545.

Certificate Management System allows server administrators to renew their
certificates by using the server enrollment form hosted by a Certificate Manager or
Registration Manager. The renewal process is similar to the enrollment process in
that the administrators must manually generate the certificate-signing request
using the server's key pair, paste that request in the manual enrollment form, and
submit the request. For details, see "Certificate Issuance to Servers" on page 777.

For renewing the certificates of a Certificate Manager, Registration Manager, or
Data Recovery Manager, see "Renewing Certificates for the Subsystems" on
page 474.

Revocation of Server Certificates

Certificate Management System allows a certificate to be revoked by an end user
(the original owner of the certificate), a server administrator, or by a Certificate
Manager or Registration Manager agent. End users can revoke certificates by using
the Revocation form provided in the end-entity services interface. Agents can
revoke end-entity certificates by using the appropriate form in the Agent Services
interface. Certificate-based (SSL client authentication) or
challenge-password-based authentication is required in both cases; for details, see
"Authentication of End Users During Certificate Revocation" on page 497.

An end user can revoke only those certificates that contain the same subject
name as in the certificate presented for authentication; if using a challenge
password, the user can revoke only the certificate that is associated with that
password. After successful authentication, the server lists the certificates
Chapter 24
Issuing and Managing Server Certificates
Renewal of Server Certificates
787
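
The end-user revocation scope described above, modelled as an added example; this is not Certificate Management System code. The record layout, the DN normalization, the PBKDF2 storage of the challenge password and the lookup by serial number are assumptions, and the sample data is constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass


def challenge_digest(password: str, salt: bytes) -> bytes:
    # Assumption: the CA stores a salted PBKDF2 digest, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass(frozen=True)
class CertRecord:          # hypothetical record layout
    serial: int
    subject: str           # subject DN as issued
    salt: bytes = b""
    digest: bytes = b""    # empty when no challenge password was set


def normalize_dn(dn: str) -> tuple:
    """Order-preserving, case- and whitespace-insensitive DN form.
    Simplification: does not handle escaped commas or multi-valued RDNs."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().lower(), " ".join(value.split()).lower()))
    return tuple(parts)


def revocable_by_client_cert(db, presented_subject: str) -> list:
    """SSL client authentication: every certificate with the same subject name."""
    want = normalize_dn(presented_subject)
    return [c.serial for c in db if normalize_dn(c.subject) == want]


def revocable_by_challenge(db, serial: int, password: str) -> list:
    """Challenge password: only the certificate associated with that password."""
    for c in db:
        if c.serial == serial and c.digest:
            ok = hmac.compare_digest(c.digest, challenge_digest(password, c.salt))
            return [c.serial] if ok else []
    return []


# Constructed sample data
SALT = b"constructed-salt"
DB = [
    CertRecord(0x10, "CN=www.example.com, O=Example Corp, C=US"),
    CertRecord(0x11, "cn=www.example.com,o=Example Corp,c=US"),
    CertRecord(0x12, "CN=mail.example.com, O=Example Corp, C=US",
               SALT, challenge_digest("constructed-passphrase", SALT)),
]
```
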
