Certificate Manager Deployment Considerations
Serial Number Ranges for the CA
You can designate the starting and ending serial numbers that a CA can issue
when you configure the CA. This is especially useful when you are installing
cloned CAs. Each cloned CA is given a specific range of serial numbers that it can
issue. In this way, none of the cloned CAs can issue the same serial number.
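The range assignment described above only prevents duplicate serial numbers if the ranges given to the clones are actually disjoint. The following check is an added example, not part of the manual or of CMS itself; the CA names, the hexadecimal range values, and the issued-serial list are constructed for illustration.

```python
# Added example: verify that serial-number ranges assigned to cloned CAs
# do not overlap, and flag serials issued outside the issuer's own range.
# All names and values below are constructed sample data (assumptions).

CLONE_RANGES = {  # CA name -> (start, end), inclusive, hexadecimal strings
    "ca-master": ("1", "fffffff"),
    "ca-clone1": ("10000000", "1fffffff"),
    "ca-clone2": ("1ffffff0", "2fffffff"),  # misconfigured: overlaps ca-clone1
}
ISSUED = [("ca-master", "a1"), ("ca-clone1", "20000001"), ("ca-clone2", "1ffffff5")]


def parse_ranges(raw):
    """Convert hex strings to integer (start, end) pairs and sanity-check them."""
    parsed = {}
    for name, (start, end) in raw.items():
        lo, hi = int(start, 16), int(end, 16)
        if hi < lo:
            raise ValueError(f"{name}: end {end} is below start {start}")
        parsed[name] = (lo, hi)
    return parsed


def find_overlaps(ranges):
    """Return (ca_a, ca_b, first_shared, last_shared) for each colliding pair."""
    ordered = sorted(ranges.items(), key=lambda item: item[1][0])
    overlaps = []
    for i, (name_a, (_, hi_a)) in enumerate(ordered):
        for name_b, (lo_b, hi_b) in ordered[i + 1:]:
            if lo_b > hi_a:
                break  # sorted by start, so no later range can touch name_a
            overlaps.append((name_a, name_b, lo_b, min(hi_a, hi_b)))
    return overlaps


def out_of_range(issued, ranges):
    """Return (ca, serial) pairs where a CA issued a serial outside its range."""
    bad = []
    for name, serial_hex in issued:
        serial = int(serial_hex, 16)
        lo, hi = ranges[name]
        if not lo <= serial <= hi:
            bad.append((name, serial))
    return bad


if __name__ == "__main__":
    ranges = parse_ranges(CLONE_RANGES)
    for a, b, first, last in find_overlaps(ranges):
        print(f"OVERLAP {a} / {b}: {first:x}-{last:x}")
    for name, serial in out_of_range(ISSUED, ranges):
        print(f"OUT OF RANGE {name}: {serial:x}")
```
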
Signing Key Type and Length
If you wish, you can import the signing key and certificate used in a previous
version of CMS installation rather than generating a new signing key pair. For
information on how to do this, check the migration information.
If you decide to generate a new signing key, one of the first decisions you need to
make is whether to use the RSA or DSA algorithm. If you use DSA, the software
can generate and verify the PQG value. PQG values are used to create the DSA
signing key pair. For more information about the way they are used, see the
following document:
http://www.itl.nist.gov/div897/pubs/fip186.htm
In general, longer keys are considered to be cryptographically stronger than
shorter keys. However, longer keys also require more time for signing operations.
Many people no longer consider an RSA key of length less than 1024 bits to be
cryptographically strong. Export and other regulations permitting, it may be a
good rule of thumb to start with 1024 bits and consider increasing the length to
4096 bits for certificates that provide access to highly sensitive data or services.
However, the question of key length has no simple answers. Every organization
must make its own decision based on its own security requirements. For more
information on key length and encryption strength, see Appendix D of Managing
Servers with Netscape Console.
Certificate Manager Interfaces
When you install a Certificate Manager, three interfaces are enabled. The
installation wizard lets you choose the ports these interfaces listen on. The
following interfaces and associated ports are created:
Chapter 3
Certificate Manager
91