Managing the Certificate Database
314
Netscape Certificate Management System Administrator’s Guide • February 2003
After you install a certificate chain in the trust database of a CMS instance, check
the trust status of each certificate that got installed, and make sure that the correct
CA certificates are trusted. For instructions, see “Changing the Trust Settings of a
CA Certificate” on page 296.
Consideration When Getting New Certificates for
the Subsystems
You may need to get new certificates for the CMS manager installed in a CMS
instance. Getting a new certificate means getting a certificate based on a new public
and private key pair.
The sections that follow explain how to get new certificates for a Certificate
Manager, Registration Manager, Data Recovery Manager, and Online Certificate
Status Manager using the Certificate Setup Wizard. Alternatively, you can use the
command-line utility called the Certificate Database tool (
certutil
). For details
about this tool, check this site:
Getting a new certificate for a CMS manager requires careful planning. This section
provides some guidelines that will help you request and install the new certificate.
Determine which certificate you want to get
You can get CA signing, OCSP signing, CRL signing, and SSL server certificates for
the Certificate Manager; signing and SSL server certificates for the Registration
Manager; transport and SSL server certificates for the Data Recovery Manager; and
signing and SSL server certificates for the Online Certificate Status Manager. For
details about certificates used by a CMS manager.
•
If you have deployed a Certificate Manager as your root CA and if you want to
get a new self-signed CA certificate for that Certificate Manager, you must
consider the possible effects on your PKI setup of changing the key pair of the
root CA. If you reissue the Certificate Manager’s CA signing certificate with a
new key material, none of the certificates issued or signed by the CA using its
old key will work; the reason for this is, when you change the root CA key, all
certificates that rely on the CA certificate for validation will no longer be
validated. For example, if the CA has issued certificates to subordinate
Certificate Managers, Registration Managers, Data Recovery Managers, Online
Certificate Status Managers, and agents, all those certificates will become
invalid—the subsystems will fail to function, and agents will fail to access
agent interfaces.
Содержание Certificate Management System 6.1
Страница 1: ...Administrator s Guide Netscape Certificate Management System Version6 1 February 2003...
Страница 28: ...Documentation 28 Netscape Certificate Management System Administrator s Guide February 2003...
Страница 68: ...Support for Open Standards 68 Netscape Certificate Management System Administrator s Guide February 2003...
Страница 82: ...Uninstalling CMS 82 Netscape Certificate Management System Administrator s Guide February 2003...
Страница 166: ...How a Registration Manager Works 166 Netscape Certificate Management System Administrator s Guide February 2003...
Страница 382: ...ACL Reference 382 Netscape Certificate Management System Administrator s Guide February 2003...
Страница 566: ...Managing Policy Plug in Modules 566 Netscape Certificate Management System Administrator s Guide February 2003...
Страница 710: ...1 3 Organization Security Policies 710 Netscape Certificate Management System Administrator s Guide February 2003...
Страница 716: ...Object Identifiers 716 Netscape Certificate Management System Administrator s Guide February 2003...
Страница 762: ...DNs in Certificate Management System 762 Netscape Certificate Management System Administrator s Guide February 2003...
Страница 794: ...Managing Certificates 794 Managing Servers with Netscape Console December 2001...
Страница 810: ...The SSL Handshake 810 Managing Servers with Netscape Console December 2001...
Страница 828: ...828 Netscape Certificate Management System Administrator s Guide February 2003...