Step 1. Plan For Certificate Renewal - Netscape MANAGEMENT SYSTEM 6.01 Installation And Setup Manual

Step 1. Plan for Certificate Renewal

Renewing a CMS manager's certificate requires careful planning. This section
provides some guidelines that will help you renew the certificate smoothly.
Before renewing a certificate:
• Note the subject DN and nickname of the certificate you want to renew.
If you are planning on renewing the CA signing certificate of a Certificate
Manager, make sure that the Certificate Manager has updated your LDAP
directory, file, and OCSP responder with the most current certificate and CRL
information. For details, see Chapter 19, Chapter 20, and, Chapter 21.
When you renew its CA signing certificate, the Certificate Manager
automatically formulates a new certificate with the same public key and other
details from the existing certificate, and publishes the new CA certificate to the
configured LDAP directory.
• Identify the token, internal or external, that contains the keys for the certificate
you want to renew. To use an existing token, you must know the password
that protects the token. If the token is external, make sure that the token is
installed properly; see "Installing External Tokens" on page 432.
• Decide on the validity period of the renewed certificate.
• Decide on the CA that will sign the certificate. If you want the certificate to be
signed by a public CA, find out what information you need to provide with the
certificate request. If you want the certificate to be signed by an internally
deployed CA, check to be sure it can issue the certificate you want to request
and that it's configured to set the required extensions in the certificate.
• Find out how long the CA will take to deliver the certificate to you. Make sure
the renewed certificate is delivered to you well in advance so that you have a
buffer period for installing and testing the renewed certificate, before the
current certificate expires.
• Find out how the certificate will be delivered to you; the most common
delivery mechanism is email. Make appropriate arrangements to receive the
certificate.
• If you want to renew a subordinate CA certificate, plan how you will deploy
the renewed CA certificate to end entities that rely on this certificate for
validation.
• If you want to renew a root CA certificate, plan how you will deploy the
renewed root CA certificate in your enterprise.
Renewing Certificates for the Subsystems
Chapter 14 Managing CMS Keys and Certificates 475