About The Registration Manager - Netscape MANAGEMENT SYSTEM 6.2 - ADMINISTRATOR Administrator's Manual


How Certificate Management System Works
An agent can also revoke a certificate if the owner of the certificate is unwilling or
unable to do so.
When the certificate is revoked, it is marked revoked in the internal database, and
is marked revoked in the publishing system. The certificate is also added to the
Certificate Revocation List (CRL) produced by the Certificate Manager. See
Chapter 14, "Revocation and CRLs" for complete details.
CRLs
Whenever a certificate is revoked, any CRLs that are set up are edited and updated
in the internal database. They are also published to a file, an LDAP directory, or an
OCSP responder, if you have set up these services. You can configure the
Certificate Manager to issue CRLs, and also define CRL Issuing Points that define
which certificates go into each CRL, such as CA signing certificates, or a subset
of a type of certificate, such as those certificates issued to west coast employees.
The publishing framework gives you the flexibility to define which CRL is
published where. It also allows you to define the extensions contained in a CRL,
and the frequency and intervals at which a CRL is published.
You can also provide delta CRLs, which allow you to publish a list of only those
certificates that have been revoked since a certain date.
See Chapter 14, "Revocation and CRLs" for complete details.
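
A simplified model of the issuing-point and delta-CRL behaviour described above, added here as an illustration and not taken from CMS. The issuing-point names, record fields and sample entries are constructed, and plain sets of serial numbers stand in for signed X.509 CRLs.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable

@dataclass(frozen=True)
class Revoked:
    serial: int
    revoked_on: date
    cert_type: str   # constructed labels, e.g. "ca-signing", "user"
    region: str      # constructed labels, e.g. "west", "east"

@dataclass
class IssuingPoint:
    name: str
    selects: Callable[[Revoked], bool]  # which certificates go into this CRL

    def full_crl(self, db):
        """Every revoked certificate this issuing point covers."""
        return {r.serial for r in db if self.selects(r)}

    def delta_crl(self, db, since):
        """Only covered certificates revoked after the date `since`."""
        return {r.serial for r in db if self.selects(r) and r.revoked_on > since}

def is_revoked(serial, base_crl, delta_crl):
    """Relying-party check: cached base CRL combined with the latest delta."""
    return serial in base_crl or serial in delta_crl

# Constructed sample of revoked entries in the internal database.
DB = [
    Revoked(0x10, date(2004, 1, 5), "user", "west"),
    Revoked(0x11, date(2004, 2, 9), "user", "east"),
    Revoked(0x12, date(2004, 3, 1), "ca-signing", "west"),
    Revoked(0x13, date(2004, 3, 20), "user", "west"),
]

CA_CERTS = IssuingPoint("ca-certs", lambda r: r.cert_type == "ca-signing")
WEST = IssuingPoint("west-coast", lambda r: r.cert_type == "user" and r.region == "west")

def demo():
    base_date = date(2004, 2, 1)
    # Base CRL as it stood on base_date: only revocations recorded by then.
    base = WEST.full_crl([r for r in DB if r.revoked_on <= base_date])
    delta = WEST.delta_crl(DB, since=base_date)
    return base, delta

if __name__ == "__main__":
    base, delta = demo()
    print(sorted(base), sorted(delta), is_revoked(0x13, base, delta))
```

A client that holds only the base CRL misses serial 0x13; it needs the delta, and it needs the CRL from the issuing point that actually covers the certificate being checked.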

About the Registration Manager

The Registration Manager is an optional subsystem of CMS that can act as a
Registration Authority (RA). It establishes a trusted relationship with a Certificate
Manager in which its signed requests are processed. The Registration Manager is
able to accept enrollment, renewal, and revocation requests; process those requests
either by agents or through automated means; provide agent-initiated requests
for enrollment, renewal, and revocation; send signed requests to a Certificate
Manager; and disburse certificates that are created by the Certificate Manager. You
can set up a Registration Manager outside a firewall to protect a Certificate
Manager behind a firewall, or you can use a Registration Manager to balance the
incoming load for a Certificate Manager by offloading the enrollment and
approval to one or more Registration Managers.
The Registration Manager cannot issue, renew, or revoke certificates, and does not
compile CRLs. It can publish certificates, but it cannot publish CRLs.
It can, however, be configured for authentication, authorization, certificate profiles,
and policies in an almost identical manner to a Certificate Manager.