Netscape Certificate Management System 6.1 Administrator's Manual, page 88

Certificate Manager Deployment Considerations
Certificate Considerations
This section explains some of the decisions you need to make about the certificates
you get for the Certificate Manager when you install the subsystem.
CA's Distinguished Name
The core elements of a CA consist of a signing unit and the Certificate Manager's
own identity. The signing unit digitally signs certificates requested by end-entities
that use a specified enrollment process to establish their identities. Regardless of
how related Registration Managers or Data Recovery Managers are configured,
any Certificate Manager must have its own distinguished name (DN), which is
listed in every certificate it issues.
Like any other X.509 version 3 certificate, a CA certificate binds a DN to a public
key. A DN is a series of name-value pairs that in combination uniquely identify an
entity. For example, the following DN might be used to identify a hypothetical
Certificate Manager for the Engineering department of a corporation named
Example Corporation:
cn=demoCA, o=Example Corporation, ou=Engineering, c=US
Many combinations of name-value pairs are possible for the Certificate Manager's
DN. The DN must be unique and readily identifiable, since any end entity can
examine it. For more information about DNs, see Managing Servers with Netscape
Console.
CA Signing Certificate's Validity Period
Every certificate, including a Certificate Manager signing certificate, must have a
validity period. CMS does not restrict the validity period you can specify. In
general it's a good idea to specify as long a validity period as possible, depending
on your plans for certificate renewal, the place of the CA in the certificate
hierarchy, and the requirements of any public CAs that you may want to include in
your PKI.
Serial Number Ranges for the CA
You can designate the starting and ending serial numbers that a CA can issue
when you configure the CA. This is especially useful when you are installing
cloned CAs. Each cloned CA is given a specific range of serial numbers that it can
issue. In this way, no two cloned CAs can issue the same serial number.
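The following is an added example, not code from the Netscape CMS manual or the product itself, that models two of the checks this section asks you to think about: that a CA's DN is parsed into name-value pairs and compared consistently, and that cloned CAs are given disjoint serial-number ranges and stop issuing when their range is exhausted. The DN comparison here (ordered pairs, case-insensitive attribute types, case-sensitive values) is a simplification assumed for illustration and is not the X.500 matching CMS performs.

```python
# Added example: standard-library model of DN parsing and per-clone serial ranges.
import re
from dataclasses import dataclass, field

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'cn=demoCA, o=Example Corporation, c=US' into [('cn', 'demoCA'), ...].
    Commas escaped as '\\,' (RFC 4514 style) stay inside the value; the escaped
    value is kept verbatim, which is a simplification of the full escaping rules."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        if not rdn.strip():
            continue  # tolerate a trailing comma, as in the page's wrapped example
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def same_dn(a: str, b: str) -> bool:
    """Two DNs name the same entity if their normalised pairs match in order."""
    return parse_dn(a) == parse_dn(b)

@dataclass
class CloneCA:
    """A cloned CA that may only issue serials in [serial_start, serial_end]."""
    dn: str
    serial_start: int
    serial_end: int
    next_serial: int = field(init=False)

    def __post_init__(self) -> None:
        if self.serial_start > self.serial_end:
            raise ValueError("empty serial range")
        self.next_serial = self.serial_start

    def issue(self) -> int:
        """Return the next serial, or raise once the designated range is used up."""
        if self.next_serial > self.serial_end:
            raise RuntimeError(f"{self.dn}: serial range exhausted")
        serial, self.next_serial = self.next_serial, self.next_serial + 1
        return serial

def ranges_overlap(a: CloneCA, b: CloneCA) -> bool:
    """True if two clones were misconfigured with intersecting serial ranges,
    which would let both of them issue the same serial number."""
    return a.serial_start <= b.serial_end and b.serial_start <= a.serial_end
```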
Signing Key Type and Length
If you wish, you can import the signing key and certificate used by an installation
of a previous version of CMS rather than generating a new signing key pair. For
information on how to do this, see the migration information.
Netscape Certificate Management System Administrator's Guide • February 2003