Certificates and the LDAP Directory; Key Management - Netscape Certificate Management System 6.2 Administrator's Manual


Managing Certificates
Netscape Certificate Management System allows an organization to set up its own
certificate authority (CA) and issue certificates.
Issuing certificates is one of several management tasks that can be handled by
separate Registration Authorities.

Certificates and the LDAP Directory

The Lightweight Directory Access Protocol (LDAP) for accessing directory services
supports great flexibility in the management of certificates within an organization.
System administrators can store much of the information required to manage
certificates in an LDAP-compliant directory. For example, a CA can use
information in a directory to prepopulate a certificate with a new employee's legal
name and other information. The CA can leverage directory information in other
ways to issue certificates one at a time or in bulk, using a range of different
identification techniques depending on the security policies of a given
organization. Other routine management tasks, such as key management and
renewing and revoking certificates, can be partially or fully automated with the aid
of the directory.
Information stored in the directory can also be used with certificates to control
access to various network resources by different users or groups. Issuing
certificates and other certificate management tasks can thus be an integral part of
user and group management.
In general, high-performance directory services are an essential ingredient of any
certificate management strategy. Netscape Directory Server is fully integrated with
Netscape Certificate Management System to provide a comprehensive certificate
management solution.

Key Management

Before a certificate can be issued, the public key it will contain and the
corresponding private key must be generated. It is sometimes useful to issue a
single person two certificates and key pairs: one for signing operations and
another for encryption operations. Keeping them separate makes it possible to
hold the private signing key on the user's local machine only, which gives the
strongest nonrepudiation because no other party ever possesses a key that could
have produced the signature, while the private encryption key is backed up in a
central archive from which it can be recovered if the user loses the original key
or leaves the company. An archived key can never support nonrepudiation, since
the archive holds a copy; that is why the signing key is never archived.
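The following Go program is an added example for the two passages above (directory-driven enrollment and the separate signing and encryption key pairs); it is not code from the Netscape manual or from Certificate Management System, and it uses only the Go standard library. It assumes a constructed directory entry for a fictitious "Alice Example" at "Example Corp", an ECDSA key pair for signing and an RSA key pair for encryption, and it stands in for the key archive with a plain PKCS#8 copy of the encryption key (a real archive would encrypt that copy under a storage key). The CA fills the subject and e-mail address from the directory attributes rather than from the request, marks each certificate's key usage to match its purpose, and the type signatures make the policy explicit: Enroll receives only the signing public key, but the whole encryption key for archival.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// DirectoryEntry holds the attributes the CA reads from the user's LDAP entry (cn, mail, ou, o); sample values are constructed.
type DirectoryEntry map[string]string

// Issued is the CA's record for one user. It has no field for the signing private key on purpose: the CA never receives it.
type Issued struct {
	Signing, Encryption *x509.Certificate
	ArchivedEncKey      []byte // PKCS#8 DER; a real archive would encrypt this under a storage key
}

// create assigns a random serial and NotBefore, signs tmpl with parent (itself for a root) and returns the parsed result.
func create(tmpl, parent *x509.Certificate, pub any, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber, tmpl.NotBefore = serial, time.Now().Add(-time.Minute)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA makes a self-signed root for the example.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: "Example Corp Root CA"},
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := create(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// GenerateUserKeys runs on the user's machine: ECDSA for signing (private key stays here), RSA for encryption (exported for archival).
func GenerateUserKeys() (sig *ecdsa.PrivateKey, enc *rsa.PrivateKey, encArchive []byte, err error) {
	if sig, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return
	}
	if enc, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return
	}
	encArchive, err = x509.MarshalPKCS8PrivateKey(enc)
	return
}

// Enroll is the CA side. Identity fields come from the directory entry, not from
// the request, and the key usage extension records what each key pair is for.
func Enroll(ca *x509.Certificate, caKey *ecdsa.PrivateKey, e DirectoryEntry, sigPub *ecdsa.PublicKey, encPub *rsa.PublicKey, encArchive []byte) (*Issued, error) {
	tmpl := func(usage x509.KeyUsage) *x509.Certificate {
		return &x509.Certificate{
			Subject:        pkix.Name{CommonName: e["cn"], OrganizationalUnit: []string{e["ou"]}, Organization: []string{e["o"]}},
			EmailAddresses: []string{e["mail"]},
			NotAfter:       time.Now().Add(365 * 24 * time.Hour),
			KeyUsage:       usage,
		}
	}
	sigCert, err := create(tmpl(x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment), ca, sigPub, caKey)
	if err != nil {
		return nil, err
	}
	encCert, err := create(tmpl(x509.KeyUsageKeyEncipherment), ca, encPub, caKey)
	if err != nil {
		return nil, err
	}
	return &Issued{Signing: sigCert, Encryption: encCert, ArchivedEncKey: encArchive}, nil
}

// RecoverEncryptionKey restores the archived key (lost key, departed user) after checking it matches the certificate.
func RecoverEncryptionKey(rec *Issued) (*rsa.PrivateKey, error) {
	k, err := x509.ParsePKCS8PrivateKey(rec.ArchivedEncKey)
	if err != nil {
		return nil, err
	}
	rk, ok := k.(*rsa.PrivateKey)
	if !ok || !rk.PublicKey.Equal(rec.Encryption.PublicKey) {
		return nil, errors.New("archived key does not match the encryption certificate")
	}
	return rk, nil
}
```

Usage: call NewCA once, GenerateUserKeys on the user's side, then Enroll with the directory entry for that user; RecoverEncryptionKey is what the archive operator runs later, and it refuses an archived key that does not belong to the encryption certificate it is being paired with.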
Appendix J: Introduction to Public-Key Cryptography
