Deployment Scenarios
56
Netscape Certificate Management System Administrator’s Guide • February 2003
The Registration Manager handles all end-entity interactions and communicates
with the Certificate Manager and the Data Recovery Manager over HTTPS. In this
scenario the Registration Manager is configured to request the end entity’s
private encryption key during enrollment, in an encrypted form that the
Registration Manager relays without being able to read, and to send it to the
Data Recovery Manager. Before the Registration Manager forwards the certificate
request to the Certificate Manager for processing, it must receive verification
from the Data Recovery Manager that the private key has been received and
stored and that it corresponds to the public key in the request; a request
whose escrowed key fails that check is not passed on to the Certificate Manager.
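The enrollment path described above, as an added example that is not code from the CMS guide or the product (all type and function names are hypothetical): the end entity wraps its private key to the Data Recovery Manager's transport key, the Registration Manager forwards only the ciphertext, the Data Recovery Manager performs the correspondence check and archives the key, and the Registration Manager releases nothing to the Certificate Manager unless that check succeeds. The end entity's encryption key is modeled as a P-256 ECDH key so that it fits in a single RSA-OAEP block; an RSA encryption key of the kind CMS actually archives would need a hybrid (AES) wrap instead.

```go
package main

// Added example, not code from the CMS guide or product; every name here is
// hypothetical. It models the RM/DRM exchange described above. The end entity's
// encryption key is a P-256 ECDH key so its scalar fits in one RSA-OAEP block;
// a 2048-bit RSA key would need a hybrid (AES) wrap instead.

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EnrollmentRequest is what the RM handles: the end entity's public key and its
// private key encrypted (RSA-OAEP) to the DRM transport key, which the RM
// relays without being able to read it.
type EnrollmentRequest struct {
	PublicKey         []byte // uncompressed P-256 point
	WrappedPrivateKey []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewEnrollmentRequest runs on the end-entity side. Escrowing a different key
// than the one whose public key is presented gives the mismatch the DRM must catch.
func NewEnrollmentRequest(presented, escrowed *ecdh.PrivateKey, drmTransport *rsa.PublicKey) (EnrollmentRequest, error) {
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, drmTransport, escrowed.Bytes(), nil)
	return EnrollmentRequest{PublicKey: presented.PublicKey().Bytes(), WrappedPrivateKey: wrapped}, err
}

// DRM holds the transport private key and an archive of verified keys indexed
// by the SHA-256 fingerprint of the enrollment public key.
type DRM struct {
	transport *rsa.PrivateKey
	archive   map[[32]byte]*ecdh.PrivateKey
}

// ArchiveAndVerify decrypts the escrowed key, checks that it corresponds to the
// public key in the request, and stores it. On any failure nothing is stored.
func (d *DRM) ArchiveAndVerify(req EnrollmentRequest) error {
	scalar, err := rsa.DecryptOAEP(sha256.New(), nil, d.transport, req.WrappedPrivateKey, nil)
	if err != nil {
		return fmt.Errorf("unwrap private key: %w", err)
	}
	priv, err := ecdh.P256().NewPrivateKey(scalar)
	if err != nil {
		return fmt.Errorf("invalid escrowed private key: %w", err)
	}
	pub, err := ecdh.P256().NewPublicKey(req.PublicKey)
	if err != nil {
		return fmt.Errorf("invalid request public key: %w", err)
	}
	// An escrowed key that does not match the certificate could never recover its data.
	if !priv.PublicKey().Equal(pub) {
		return fmt.Errorf("escrowed private key does not correspond to the request's public key")
	}
	d.archive[sha256.Sum256(req.PublicKey)] = priv
	return nil
}

// RegistrationManager releases a request to the CA only after the DRM has
// verified and stored the key; SentToCA records what was released.
type RegistrationManager struct {
	drm      *DRM
	SentToCA []EnrollmentRequest
}

func (rm *RegistrationManager) Enroll(req EnrollmentRequest) error {
	if err := rm.drm.ArchiveAndVerify(req); err != nil {
		return fmt.Errorf("request withheld from CA: %w", err)
	}
	rm.SentToCA = append(rm.SentToCA, req)
	return nil
}

// Demo submits an honest request, then one that presents Alice's public key but
// escrows another key pair. It reports whether the honest request reached the
// CA and whether the mismatched one was stopped before it.
func Demo() (honestReachedCA, mismatchRejected bool) {
	drm := &DRM{transport: must(rsa.GenerateKey(rand.Reader, 2048)), archive: map[[32]byte]*ecdh.PrivateKey{}}
	rm := &RegistrationManager{drm: drm}
	alice := must(ecdh.P256().GenerateKey(rand.Reader))
	other := must(ecdh.P256().GenerateKey(rand.Reader))
	honestReachedCA = rm.Enroll(must(NewEnrollmentRequest(alice, alice, &drm.transport.PublicKey))) == nil
	err := rm.Enroll(must(NewEnrollmentRequest(alice, other, &drm.transport.PublicKey)))
	mismatchRejected = err != nil && len(rm.SentToCA) == 1
	return honestReachedCA, mismatchRejected
}

func main() {
	fmt.Println(Demo()) // true true
}
```

The order of operations is the security property: the Registration Manager never holds a readable copy of the key, and the Certificate Manager never sees a request whose escrowed key the Data Recovery Manager could not open or could not match to the presented public key.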
Publishing is a Certificate Manager function: only the Certificate Manager can
be configured to enable or disable LDAP publishing or to publish to separate
directories, and it holds the complete record of issued certificates that the
publishing tasks shown in the figure require.
Many other combinations are possible. For example, there might be multiple
Registration Managers in different instances, all dealing with the same Data
Recovery Manager and Certificate Manager; or the Certificate Manager might also
handle some end-entity interactions. It’s also possible to set up both Certificate
Managers and Registration Managers such that each has a hierarchy of subordinate
managers.
Cloned Certificate Manager
A cloned Certificate Manager is a CMS server instance that uses the same CA
signing key and certificate as another Certificate Manager, identified as the
master Certificate Manager. Each Certificate Manager, master and clones alike,
issues certificates with serial numbers from its own restricted range, and no
two ranges overlap, so that all of the servers together act as a single
Certificate Authority (operating in several server processes) that never issues
two certificates with the same serial number.
The advantage of cloning is the ability to distribute the Certificate Manager’s load
across several processes or even several physical machines. For a CA that has high
enrollment demand, the distribution gained from cloning allows more certificates
to be signed and issued in a given time interval.
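The serial-number partitioning that makes the clones one issuer, as an added example that is not code from the CMS guide or the product (all names are hypothetical, and the ranges are constructed for the example): each clone allocates from its own half-open range, a configuration-time check rejects overlapping or empty ranges, and an exhausted clone stops issuing rather than wrapping around.

```go
package main

// Added example, not code from the CMS guide or product; names are
// hypothetical. It models how clones of one CA remain a single issuer: each
// clone draws serial numbers from its own disjoint range, so no two
// certificates from any clone share a serial number, and a clone whose range
// is exhausted stops issuing rather than reusing numbers.

import (
	"fmt"
	"math/big"
	"sort"
)

// SerialRange is the half-open interval [Start, End) assigned to one clone.
type SerialRange struct{ Start, End *big.Int }

// Clone is one Certificate Manager process sharing the CA signing key.
type Clone struct {
	Name  string
	Range SerialRange
	next  *big.Int
}

func NewClone(name string, start, end int64) *Clone {
	r := SerialRange{Start: big.NewInt(start), End: big.NewInt(end)}
	return &Clone{Name: name, Range: r, next: new(big.Int).Set(r.Start)}
}

// NextSerial hands out the next unused serial number, or an error once the
// clone's range is exhausted; it never wraps around or reuses a number.
func (c *Clone) NextSerial() (*big.Int, error) {
	if c.next.Cmp(c.Range.End) >= 0 {
		return nil, fmt.Errorf("clone %s: serial range exhausted at %s", c.Name, c.Range.End)
	}
	s := new(big.Int).Set(c.next)
	c.next.Add(c.next, big.NewInt(1))
	return s, nil
}

// CheckRanges is the configuration-time check: every range must be non-empty
// and no two clones' ranges may overlap, otherwise the combined CA could issue
// two certificates with the same serial number.
func CheckRanges(clones []*Clone) error {
	sorted := append([]*Clone(nil), clones...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Range.Start.Cmp(sorted[j].Range.Start) < 0 })
	for i, c := range sorted {
		if c.Range.Start.Cmp(c.Range.End) >= 0 {
			return fmt.Errorf("clone %s: empty or inverted serial range", c.Name)
		}
		if i > 0 && sorted[i-1].Range.End.Cmp(c.Range.Start) > 0 {
			return fmt.Errorf("clones %s and %s: serial ranges overlap", sorted[i-1].Name, c.Name)
		}
	}
	return nil
}

// IssueAll simulates each clone issuing up to perClone certificates and returns
// the serials issued, in order, plus whether any serial was issued twice.
func IssueAll(clones []*Clone, perClone int) (issued []string, duplicate bool) {
	seen := map[string]bool{}
	for _, c := range clones {
		for i := 0; i < perClone; i++ {
			s, err := c.NextSerial()
			if err != nil {
				break // this clone is exhausted; the others keep issuing
			}
			if seen[s.String()] {
				duplicate = true
			}
			seen[s.String()] = true
			issued = append(issued, s.String())
		}
	}
	return issued, duplicate
}

func main() {
	good := []*Clone{NewClone("ca-master", 1, 1000), NewClone("ca-clone", 1000, 2000)}
	bad := []*Clone{NewClone("ca-master", 1, 1000), NewClone("ca-clone", 500, 2000)}
	fmt.Println("good:", CheckRanges(good)) // good: <nil>
	fmt.Println("bad:", CheckRanges(bad))   // bad: clones ca-master and ca-clone: serial ranges overlap
	issued, dup := IssueAll(good, 3)
	fmt.Println(issued, dup) // [1 2 3 1000 1001 1002] false
}
```

The overlap check belongs at configuration time, before any clone signs anything: once two clones have each issued a certificate with the same serial number under the same CA certificate, the CA's issued-certificate record and any revocation by serial become ambiguous, and no later check can undo it.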
NOTE
The current design of Certificate Management System assumes that
most deployments will rely on a single Data Recovery Manager
(associated with either a Registration Manager or a Certificate
Manager). However, it is also possible to write custom policies that
support multiple Data Recovery Managers. This might be useful,
for example, for subordinate CAs that issue certificates for
completely independent organizations.