Consideration When Getting New Certificates For The Subsystems - Netscape MANAGEMENT SYSTEM 6.1 - ADMINISTRATOR Administrator's Manual

Managing the Certificate Database
After you install a certificate chain in the trust database of a CMS instance, check
the trust status of each certificate that was installed, and make sure that the correct
CA certificates are trusted. For instructions, see "Changing the Trust Settings of a
CA Certificate" on page 296.

Consideration When Getting New Certificates for the Subsystems

You may need to get new certificates for the CMS manager installed in a CMS
instance. Getting a new certificate means getting a certificate based on a new public
and private key pair.

The sections that follow explain how to get new certificates for a Certificate
Manager, Registration Manager, Data Recovery Manager, and Online Certificate
Status Manager using the Certificate Setup Wizard. Alternatively, you can use the
command-line utility called the Certificate Database tool (certutil). For details
about this tool, check this site:

Getting a new certificate for a CMS manager requires careful planning. This section
provides some guidelines that will help you request and install the new certificate.

Determine which certificate you want to get

You can get CA signing, OCSP signing, CRL signing, and SSL server certificates for
the Certificate Manager; signing and SSL server certificates for the Registration
Manager; transport and SSL server certificates for the Data Recovery Manager; and
signing and SSL server certificates for the Online Certificate Status Manager. For
details about certificates used by a CMS manager.

If you have deployed a Certificate Manager as your root CA and you want to
get a new self-signed CA certificate for that Certificate Manager, you must
consider how changing the key pair of the root CA will affect your PKI setup.
If you reissue the Certificate Manager's CA signing certificate with new key
material, none of the certificates issued or signed by the CA using its old key
will work, because once you change the root CA key, all certificates that rely
on the CA certificate for validation will no longer be validated. For example,
if the CA has issued certificates to subordinate Certificate Managers,
Registration Managers, Data Recovery Managers, Online Certificate Status
Managers, and agents, all those certificates will become invalid: the
subsystems will fail to function, and agents will fail to access agent
interfaces.

Netscape Certificate Management System Administrator's Guide • February 2003
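
The effect of re-keying a root CA described above can be checked on a throwaway PKI before touching a deployed Certificate Manager. This is an added example, not part of the Netscape manual: it uses the openssl CLI rather than CMS or certutil, and every name, DN and file path in it is constructed.

```shell
#!/bin/sh
# Added example: a constructed throwaway PKI built with the openssl CLI.
# The DNs and file names are assumptions for illustration, not CMS output.

# build_pki DIR: create an old root, a subsystem certificate issued under it,
# and a "reissued" root with the same subject DN but a new key pair.
build_pki() {
    subj="/O=Example Corp/CN=Example Root CA"    # constructed DN
    # Original root CA: new key pair plus self-signed certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$subj" \
        -keyout "$1/root_old.key" -out "$1/root_old.crt" 2>/dev/null || return 1
    # Subsystem certificate (for example an SSL server cert) signed with the OLD key.
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example Corp/CN=rm.example.test" \
        -keyout "$1/sub.key" -out "$1/sub.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/sub.csr" -days 30 -set_serial 2 \
        -CA "$1/root_old.crt" -CAkey "$1/root_old.key" \
        -out "$1/sub.crt" 2>/dev/null || return 1
    # Reissued root: identical subject DN, NEW key material.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$subj" \
        -keyout "$1/root_new.key" -out "$1/root_new.crt" 2>/dev/null || return 1
}

# chains_to ROOT CERT: succeeds only if CERT validates with ROOT as trust anchor.
# Matches on the "OK" line so the result does not depend on the exit-code
# behaviour of a particular openssl release.
chains_to() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# demo: build the PKI in a temporary directory and report both outcomes.
demo() {
    dir=$(mktemp -d) || return 1
    build_pki "$dir" || { rm -rf "$dir"; return 1; }
    for root in root_old root_new; do
        if chains_to "$dir/$root.crt" "$dir/sub.crt"; then
            echo "sub.crt validates against $root.crt"
        else
            echo "sub.crt does NOT validate against $root.crt"
        fi
    done
    rm -rf "$dir"
}

demo
```

Both roots carry the same subject DN, so the name alone still matches; validation fails against the reissued root because the signature on the subsystem certificate was made with the old private key.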
