Cloned Certificate Manager - Netscape Certificate Management System 6.1 Administrator's Manual

Deployment Scenarios
The Registration Manager handles all end-entity interactions and communicates
with the Certificate Manager and the Data Recovery Manager over HTTPS. The
Registration Manager is configured to request the end entity's private encryption
key (in encrypted form) and send it to the Data Recovery Manager during the
enrollment process. Before the Registration Manager sends the certificate request to
the Certificate Manager for processing, the Registration Manager must receive
verification from the Data Recovery Manager that the private key has been
received and stored and that it corresponds to the end entity's public key.

Only the Certificate Manager can be configured to enable or disable LDAP
publishing or to publish to separate directories. The Certificate Manager also has
the complete record of issued certificates, so that it can perform the publishing
tasks, as shown in the figure.

Many other combinations are possible. For example, there might be multiple
Registration Managers in different instances, all dealing with the same Data
Recovery Manager and Certificate Manager; or the Certificate Manager might also
handle some end-entity interactions. It is also possible to set up both Certificate
Managers and Registration Managers such that each has a hierarchy of subordinate
managers.
Cloned Certificate Manager

A cloned Certificate Manager is a CMS server instance that uses the same CA
signing key and certificate as another Certificate Manager, identified as the master
Certificate Manager. Each Certificate Manager issues certificates with serial
numbers in a restricted range so that all of the servers together act as a single
Certificate Authority (operating in several server processes).

The advantage of cloning is the ability to distribute the Certificate Manager's load
across several processes or even several physical machines. For a CA that has high
enrollment demand, the distribution gained from cloning allows more certificates
to be signed and issued in a given time interval.

56    Netscape Certificate Management System Administrator's Guide • February 2003

NOTE
The current design of Certificate Management System assumes that
most deployments will rely on a single Data Recovery Manager
(associated with either a Registration Manager or a Certificate
Manager). However, it is also possible to write custom policies that
support multiple Data Recovery Managers. This might be useful,
for example, for subordinate CAs that issue certificates for
completely independent organizations.
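The serial-number partitioning that lets a master Certificate Manager and its clones act as one CA, as an added example that is not code from the manual or from Certificate Management System; the class names, the round-robin dispatch and the range values are assumed for illustration. It also shows the two failure modes a deployment must guard against: overlapping ranges (which would let two clones issue the same serial under one CA certificate) and an exhausted range.

```python
# Added example, not from the Netscape CMS manual: a master Certificate Manager
# and its clones share one CA signing identity but issue from disjoint serial
# ranges, so every certificate serial stays unique across the whole CA.
from dataclasses import dataclass, field


@dataclass
class CloneCertificateManager:
    """One CMS server instance sharing the CA signing key with its peers."""
    name: str
    serial_start: int                   # first serial this instance may issue
    serial_end: int                     # last serial this instance may issue
    next_serial: int = field(init=False)

    def __post_init__(self):
        if self.serial_start < 1 or self.serial_end < self.serial_start:
            raise ValueError(f"{self.name}: invalid serial range")
        self.next_serial = self.serial_start

    def issue(self, subject):
        """Return (serial, subject) for a newly issued certificate."""
        if self.next_serial > self.serial_end:
            raise RuntimeError(f"{self.name}: serial range exhausted")
        serial = self.next_serial
        self.next_serial += 1
        return serial, subject


def check_disjoint(managers):
    """Raise if any two managers' ranges overlap; return the sorted ranges."""
    ranges = sorted((m.serial_start, m.serial_end, m.name) for m in managers)
    for (s1, e1, n1), (s2, e2, n2) in zip(ranges, ranges[1:]):
        if s2 <= e1:
            raise ValueError(f"serial ranges of {n1} and {n2} overlap")
    return ranges


def issue_round_robin(managers, subjects):
    """Spread enrollment load over the clones; return {serial: subject}."""
    check_disjoint(managers)            # refuse to operate with overlapping ranges
    issued = {}
    for i, subject in enumerate(subjects):
        serial, subj = managers[i % len(managers)].issue(subject)
        assert serial not in issued     # disjoint ranges guarantee uniqueness
        issued[serial] = subj
    return issued
```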