Certificate Manager Deployment Considerations
86
Netscape Certificate Management System Administrator’s Guide • February 2003
About the CA Key Pairs and Certificates
This section describes the key pairs and certificates associated with the Certificate
Manager.
CA Signing Key Pair and Certificate
Every Certificate Manager you install has a Certificate Manager CA signing certificate,
whose public key corresponds to the private key the Certificate Manager uses to
sign the X.509 certificates and CRLs it issues. This certificate is created and installed
when you install the Certificate Manager. The default nickname for the certificate is
caSigningCert cert-<instance_id>
, where
<instance_id>
identifies the CMS
instance in which the Certificate Manager is installed, and the default validity
period for the certificate is two years.
The subject name of the CA signing certificate reflects the name of your certificate
authority (CA) as specified during the installation. All certificates signed or issued
by the Certificate Manager include this name to identify the issuer of the certificate.
The Certificate Manager’s status as a root or subordinate CA is determined by
whether its CA signing certificate is self-signed or is signed by another CA.
•
If the Certificate Manager is a root CA, its CA signing certificate is
self-signed—that is, the subject name and issuer name of the certificate is the
same.
•
If the Certificate Manager is a subordinate CA, its CA signing certificate is
signed by another CA, usually the one that is a level above in the CA hierarchy
(which may or may not be a root CA). If you have deployed the Certificate
Manager as a subordinate CA in a CA hierarchy, you must import your root
CA’s signing certificate into individual clients and servers before you can use
the Certificate Manager to issue certificates to them.
OCSP Signing Key Pair and Certificate
Irrespective of whether you chose to enable the OCSP service feature, the
Installation Wizard transparently generates a key pair and a corresponding
certificate identified as the OCSP signing certificate.
NOTE
You cannot change the CA name; doing so would make all
previously issued certificates invalid. Similarly, reissuing a
Certificate Manager’s CA signing certificate with a new key pair
invalidates all certificates that have been signed by the old key pair.
Содержание Certificate Management System 6.1
Страница 1: ...Administrator s Guide Netscape Certificate Management System Version6 1 February 2003...
Страница 28: ...Documentation 28 Netscape Certificate Management System Administrator s Guide February 2003...
Страница 68: ...Support for Open Standards 68 Netscape Certificate Management System Administrator s Guide February 2003...
Страница 82: ...Uninstalling CMS 82 Netscape Certificate Management System Administrator s Guide February 2003...
Страница 166: ...How a Registration Manager Works 166 Netscape Certificate Management System Administrator s Guide February 2003...
Страница 382: ...ACL Reference 382 Netscape Certificate Management System Administrator s Guide February 2003...
Страница 566: ...Managing Policy Plug in Modules 566 Netscape Certificate Management System Administrator s Guide February 2003...
Страница 710: ...1 3 Organization Security Policies 710 Netscape Certificate Management System Administrator s Guide February 2003...
Страница 716: ...Object Identifiers 716 Netscape Certificate Management System Administrator s Guide February 2003...
Страница 762: ...DNs in Certificate Management System 762 Netscape Certificate Management System Administrator s Guide February 2003...
Страница 794: ...Managing Certificates 794 Managing Servers with Netscape Console December 2001...
Страница 810: ...The SSL Handshake 810 Managing Servers with Netscape Console December 2001...
Страница 828: ...828 Netscape Certificate Management System Administrator s Guide February 2003...