Table of Contents
Advertisement
Certificate Manager Deployment Considerations
One benefit of chaining up to a public CA is that the third party is responsible for
getting the root CA certificate into the browser or other client software. This can be
a major advantage if you are deploying an extranet that involves certificates used
by different companies whose browsers you cannot control. Alternatively, if you
create your own CA hierarchy from scratch, you are responsible for getting your
root certificate into all the browsers used with the certificates you issue. If you are
using Netscape Communicator as your client, you can accomplish this task within
an intranet by using tools such as Mission Control Desktop or with the aid of
Personal Security Manager, but extranet deployments can be more complicated.
Subordination to Another CMS CA
If you set up a CA using CMS that has subordinate CAs, you control the
subordinate CAs by setting policies that control the contents of the CA signing
certificate issued. A subordinate CA issues certificates evaluating its own
authentication, policy, and certificate profile configuration, it is completely
unaware of its parents set up for these configurations.
A Certificate Manager cannot issue a certificate that has a validity period longer
than the validity period of the CAs' CA signing certificate. Any requests that are
for a period longer than this will result in certificates issued only to the validity
period of the CAs' CA signing certificate.
Cloned CA
A Certificate Manager can also be cloned so that more than one CA shares the same
set of keys and certificates allowing more than one CA issue certificates with the
same issuer name and keys. Each clone CA issues a different set of serial numbers.
For details about cloning a CA, see "Cloning a CA," on page 129.
Certificate Manager Certificates
When you install the Certificate Manager, the keys for the CA signing certificate,
SSL server certificate, and OCSP signing certificate are created and a certificate
request is made for the CA signing certificate and the SSL server certificate. The
OCSP signing certificate is created by the CA itself.
You submit this request either as a self-signing request to the CA itself which will
then issue the certificates, this is how you create a self-signing root CA, or you
submit the request to a third party public CA and then install the certificate you
receive from the CA during the rest of the installation.
Chapter 3
Certificate Manager
85
Advertisement
Table of Contents
