Certificate Manager Deployment Considerations
Chapter 3 Certificate Manager 87
The wizard uses the key type, key size, key algorithm, and validity period you
provided for the CA signing key pair to generate the OCSP signing key pair. The
subject name of the OCSP signing certificate is in the form
CN=OCSP cert-<cms_instance_id>, and it contains extensions, such as OCSPSigning
and OCSPNoCheck, required for signing OCSP responses.
The default nickname for the OCSP signing certificate is
ocspSigningCert cert-<instance_id>, where <instance_id> identifies the
CMS instance in which the Certificate Manager is installed.
The Certificate Manager uses the private key that corresponds to the public key
used to generate the OCSP signing certificate to sign the OCSP responses it sends
to OCSP-compliant clients that query it about the revocation status of
certificates.
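
As an added example (not part of the CMS guide or the product's code), the following Python checks whether a DER-encoded certificate carries the two extensions named above, the OCSPSigning extended key usage and OCSPNoCheck. The function names and the sample certificate skeleton are constructed for illustration.

```python
# Stdlib only. Handles definite-length DER with single-byte tags, as X.509 uses.
EKU = bytes.fromhex("551d25")                        # id-ce-extKeyUsage 2.5.29.37
KP_OCSP_SIGNING = bytes.fromhex("2b06010505070309")  # id-kp-OCSPSigning 1.3.6.1.5.5.7.3.9
OCSP_NOCHECK = bytes.fromhex("2b0601050507300105")   # id-pkix-ocsp-nocheck 1.3.6.1.5.5.7.48.1.5

def tlvs(buf):
    """Yield (tag, value) for each DER element laid back to back in buf."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated DER header")
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:                  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        if i + length > len(buf):
            raise ValueError("truncated DER value")
        yield tag, buf[i:i + length]
        i += length

def extensions_of(cert_der):               # content of tbsCertificate's [3] Extensions
    (_, cert), = tlvs(cert_der)            # Certificate SEQUENCE
    _, tbs = next(tlvs(cert))              # first member is tbsCertificate
    for tag, value in tlvs(tbs):
        if tag == 0xA3:                    # [3] EXPLICIT wrapper around Extensions
            (_, exts), = tlvs(value)
            return exts
    return b""                             # no extensions field present

def check_ocsp_extensions(cert_der):
    found = {"OCSPSigning": False, "OCSPNoCheck": False}
    for _, ext in tlvs(extensions_of(cert_der)):
        fields = list(tlvs(ext))           # OID, optional critical BOOLEAN, OCTET STRING
        oid, value = fields[0][1], fields[-1][1]
        if oid == OCSP_NOCHECK:
            found["OCSPNoCheck"] = True
        elif oid == EKU:
            (_, purposes), = tlvs(value)   # SEQUENCE OF KeyPurposeId
            found["OCSPSigning"] = any(p == KP_OCSP_SIGNING for _, p in tlvs(purposes))
    return found

def der(tag, *parts):                      # sample builder only: short-form lengths (< 128)
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)
def sample_cert(*exts):                    # constructed skeleton, not a valid certificate
    return der(0x30, der(0x30, der(0xA3, der(0x30, *exts))))
RESPONDER = sample_cert(                   # constructed: EKU=OCSPSigning plus ocsp-nocheck
    der(0x30, der(0x06, EKU), der(0x04, der(0x30, der(0x06, KP_OCSP_SIGNING)))),
    der(0x30, der(0x06, OCSP_NOCHECK), der(0x04, der(0x05))))
```

To check an exported certificate, convert its PEM text with ssl.PEM_cert_to_DER_cert() and pass the result to check_ocsp_extensions().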
SSL Server Key Pair and Certificate
Every Certificate Manager you install has at least one SSL server certificate. You
first generated this certificate when you installed the Certificate Manager.
The default nickname for the certificate is Server-Cert cert-<instance_id>, where
<instance_id> identifies the CMS instance in which the Certificate Manager is
installed.
The Certificate Manager’s SSL server certificate was issued by the CA to which you
submitted the certificate signing request. You might have submitted the request to
the Certificate Manager itself, another internally deployed CA, or a public CA.
By default, the Certificate Manager uses a single SSL server certificate for
authentication purposes. However, you can request and install additional SSL
server certificates for the Certificate Manager. For example, you can configure the
Certificate Manager to use separate server certificates for authenticating to the
End-Entity Services interface and Agent Services interface. See “Managing
Certificates and the Certificate Database” on page 111 for more details.
If you configure the Certificate Manager for SSL-enabled communication with a
publishing directory, the Certificate Manager also uses its SSL server certificate for
SSL client authentication to the publishing directory. This is the default
configuration. You can configure the Certificate Manager to use an alternate
certificate for this purpose. See “Managing Certificates and the Certificate
Database” on page 111 for more details.
If you configure the Certificate Manager to function as a trusted manager to a Data
Recovery Manager, the Certificate Manager also uses its SSL server certificate for
SSL client authentication to the Data Recovery Manager. For details on trusted
managers, see “Trusted Managers” on page 329. You can also configure the
Certificate Manager to use an alternate certificate for this purpose. See “Managing
Certificates and the Certificate Database” on page 111 for more details.
Summary of Contents for Certificate Management System 6.1
Page 1: ...Administrator's Guide Netscape Certificate Management System Version 6.1 February 2003...