Cloned Certificate Manager; Certificate Authority Decisions - Netscape MANAGEMENT SYSTEM 6.01 Installation And Setup Manual


Cloned Certificate Manager

A cloned Certificate Manager is a CMS server instance that uses the same CA
signing key and certificate as another Certificate Manager, identified as the master
Certificate Manager. Each Certificate Manager issues certificates with serial
numbers in a restricted range so that all of the servers together act as a single
Certificate Authority (operating in several server processes).
The advantage of cloning is the ability to distribute the Certificate Manager's load
across several processes or even several physical machines. For a CA that has high
enrollment demand, the distribution gained from cloning allows more certificates
to be signed and issued in a given time interval.
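
Because every clone signs with the same CA key, the restricted serial ranges are the only thing keeping issuer-plus-serial unique, which is what revocation by serial number relies on. The following added example (not from the manual or from CMS itself) checks a range plan for overlaps and audits issuance records against it; the instance labels, range values and record format are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SerialRange:
    instance: str  # hypothetical instance label, not a CMS identifier
    low: int       # inclusive
    high: int      # inclusive


def overlapping_ranges(ranges):
    """Return (a, b) instance pairs whose inclusive serial ranges intersect."""
    ordered = sorted(ranges, key=lambda r: r.low)
    clashes = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.low > a.high:
                break  # sorted by low, so nothing later can overlap a
            clashes.append((a.instance, b.instance))
    return clashes


def audit_issued(ranges, issued):
    """Audit (instance, serial) records; return (out_of_range, duplicates)."""
    by_name = {r.instance: r for r in ranges}
    first_issuer = {}
    out_of_range, duplicates = [], []
    for instance, serial in issued:
        r = by_name.get(instance)
        if r is None or not r.low <= serial <= r.high:
            out_of_range.append((instance, serial))
        if serial in first_issuer:
            # Same serial twice under one CA key: revocation by serial is ambiguous.
            duplicates.append((serial, first_issuer[serial], instance))
        else:
            first_issuer[serial] = instance
    return out_of_range, duplicates


# Constructed plan: the master has an upper bound only, modelled here as low=0.
PLAN = [
    SerialRange("master", 0x0, 0xFFFF),
    SerialRange("clone-1", 0x10000, 0x1FFFF),
    SerialRange("clone-2", 0x1F000, 0x2FFFF),  # deliberately overlaps clone-1
]
# Constructed issuance records as (instance, serial).
ISSUED = [("master", 0x2A), ("clone-1", 0x10001), ("clone-2", 0x1F800),
          ("clone-1", 0x1F800), ("clone-2", 0x30000)]

if __name__ == "__main__":
    print("overlaps:", overlapping_ranges(PLAN))
    print("audit:", audit_issued(PLAN, ISSUED))
```
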
To create a cloned Certificate Manager, you must first install and configure at least
one Certificate Manager and specify a definite upper bound, but no lower bound, for
the serial numbers it will use. You then install or create a new instance of a
Certificate Manager (but do not configure it). Before configuring the clone, you copy
the CMS certificate and key database files from the original Certificate Manager to
the new Certificate Manager (<server_root>/alias directory). If these databases are
present, the Configuration Wizard will recognize that you are creating a clone and
confirm that you want to reuse the CA's signing key and certificate (if the clone is
on the same server, you can also reuse the SSL server certificate).

If you store the CA key material on a hardware token, you will have to follow the
hardware vendor's instructions for copying the key material to a hardware device
accessible to the clone.

A cloned Certificate Manager will have all the same features, for example, agent
gateway functions and end entity gateway functions, that a normal Certificate
Manager has. You can then configure Registration Managers that point to different
Certificate Manager servers but that appear to be serviced by the same CA.

Certificate Authority Decisions

This section covers some of the critical decisions you need to make about your
certificate authority:
CA's Distinguished Name
CA Signing Key Type and Length
CA Signing Certificate's Validity Period
Self-Signed Root Versus Subordinate CA

Chapter 4: Planning Your Deployment


This manual is also suitable for:

Certificate management system 6.01
