Chapter 7, Administrative Basics: Managing the Certificate Database (page 315)
Before getting a new self-signed certificate for the Certificate Manager,
therefore, you must address issues involved in deploying the new root CA
certificate across your enterprise. Because each deployment would have very
specific requirements, it is beyond the scope of this document to explain how
you should deploy the new CA certificate.
• If you have deployed a Certificate Manager as a subordinate CA (that’s
chained to a root CA) and if you want to get a new subordinate CA certificate
for that Certificate Manager, you must consider the possible effects on your
PKI setup of changing the key pair of the subordinate CA. When you change
the subordinate CA key, all certificates that rely on the subordinate CA
certificate for validation will no longer be validated. Before getting a new
subordinate certificate, therefore, you must plan to address issues involved in
deploying the new subordinate CA certificate across your enterprise.
• If you have deployed a Certificate Manager and if you have configured it to
publish CRLs to an Online Certificate Status Manager, you will need to identify
the Certificate Manager to the Online Certificate Status Manager again.
• If you want to get a new signing certificate for a Registration Manager, check
whether the Registration Manager has been set up as a trusted manager for a
Certificate Manager and Data Recovery Manager—that is, you must identify
the subsystems that have been configured to receive requests from this
Registration Manager; see “Trusted Managers” on page 329. You will need to
replace the existing signing certificate with the new one in all these
subsystems.
• If you want to get a new transport certificate for a Data Recovery Manager, you
must identify the end-entity interfaces or forms that have been set up for the
archival of end users’ encryption private keys; see “How Key Archival Works”
on page 203. You will need to replace the existing transport certificate with the
new one in all these forms.
• If you want to get a new SSL server certificate for a Certificate Manager,
determine whether the Certificate Manager is used as a master CA in a
cloned-CA setup. If it is, you’ll have to update the clone CAs’ certificate
databases with the new SSL server certificate.
Also determine whether the Certificate Manager is configured to publish
certificates and CRLs to an LDAP directory and whether it uses the SSL server
certificate for SSL client authentication to the directory. If it does, you will have
to request the certificate with the appropriate extensions, and after installing
the certificate you will have to configure the publishing directory to use this
certificate.
• You can get any number of SSL server certificates.
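
The effect described in the subordinate-CA item above can be reproduced with throwaway OpenSSL CAs. This is an added example, not part of the original guide and not CMS tooling: it goes one step beyond the text by also showing that a certificate reissued on the same key pair keeps existing certificates valid. All names, file names and lifetimes are constructed, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: throwaway OpenSSL CAs, not a CMS instance. Names are constructed.
set -e

new_csr() {   # $1 = file prefix, $2 = subject CN; makes a NEW key pair and a CSR
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}
sign() {      # $1 = CSR prefix, $2 = output cert, $3 = issuer prefix, $4 = ext file
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -extfile "$4" -days 30 -out "$2" 2>/dev/null
}
check() {     # does leaf.crt chain to root.crt through subordinate cert $1?
  if openssl verify -CAfile root.crt -untrusted "$1" leaf.crt >/dev/null 2>&1
  then echo valid; else echo invalid; fi
}

subca_rekey_demo() (
  d=$(mktemp -d); cd "$d"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > ca.ext
  printf '%s\n' 'basicConstraints=CA:FALSE' 'authorityKeyIdentifier=keyid' > leaf.ext

  new_csr root "Example Root CA"
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 30 \
    -out root.crt 2>/dev/null
  new_csr sub "Example Subordinate CA"
  sign sub sub.crt root ca.ext              # original subordinate CA certificate
  new_csr leaf "server.example.test"
  sign leaf leaf.crt sub leaf.ext           # end-entity cert signed with sub.key

  sign sub sub_samekey.crt root ca.ext      # reissued certificate, same key pair
  new_csr sub2 "Example Subordinate CA"     # same subject name, new key pair
  sign sub2 sub_newkey.crt root ca.ext

  echo "original=$(check sub.crt) same_key=$(check sub_samekey.crt)" \
       "new_key=$(check sub_newkey.crt)"
  cd /; rm -rf "$d"
)

subca_rekey_demo   # prints: original=valid same_key=valid new_key=invalid
```

The `new_key=invalid` result is why a subordinate CA key change must be planned together with reissuing the certificates that chain through it.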