Describe the role of the Certificate Manager in the CMS4 architecture.
What Is The Certificate Manager?
A Certificate Manager can be configured to accept requests from end entities,
from Registration Managers, or from both end entities and Registration Managers.
When set up to work with a remote Registration Manager, the Certificate
Manager processes requests and returns the signed certificates to the Registration
Manager, which distributes them to end entities.
Basic capabilities of the Certificate Manager (as distinct from the Registration Manager)
include the following:
- Can be configured as either a root CA or a subordinate CA
- Can accept certificate requests directly from end entities and/or Registration Managers
- Can issue end-entity, Registration Manager, and Certificate Manager certificates
- Can issue single key-pair or dual key-pair certificates
- Can notify users and administrators of approaching certificate expiration
- Can renew certificates
- Can revoke certificates
- Can publish certificates and CRLs to an LDAP directory (LDAP 1.0 or higher)
[Figure 3.4: image not reproduced here]
Although it is possible to configure a Registration Manager to publish
certificates to an LDAP directory, the Certificate Manager maintains a
complete record of issued certificates, so it is recommended that publishing
tasks be performed by the Certificate Manager only.
The Certificate Manager can issue certificates with the following characteristics:
- X.509 version 3
- internationalized subject names
- customized components in subject names
- customized extensions
Signing Algorithms
The Certificate Manager supports the following signing algorithms for both
certificates and CRLs:
- RSA with MD2
- RSA with MD5
- RSA with SHA-1
- DSA with SHA-1
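The four algorithms above all use the MD2, MD5 or SHA-1 digest, which current practice treats as weak for certificate signatures. A practitioner auditing certificates issued by such a CA would want to read the signatureAlgorithm field of each certificate and flag those digests. The following is an added example, not code from the product documentation: a minimal DER walker that extracts the outer signatureAlgorithm OID from a certificate and classifies it. The OID table and the `assess`/`fake_cert` helpers are this example's own; the sample certificates are constructed stand-ins whose tbsCertificate and signature fields are dummies.

```python
"""Flag weak signature algorithms (MD2, MD5, SHA-1) in DER-encoded certificates.

Walks Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
and decodes the OID inside signatureAlgorithm. The certificates built by
fake_cert() are constructed for this example and are not real issued certificates.
"""

# OID -> (name, digest) for the CMS4 algorithms plus SHA-256 with RSA for contrast.
SIG_ALGS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", "MD2"),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.10040.4.3": ("dsaWithSHA1", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
}
WEAK_DIGESTS = {"MD2", "MD5", "SHA-1"}


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]  # first byte packs the first two arcs
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)  # base-128 arcs, high bit = continuation
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """Return the dotted OID of the outer signatureAlgorithm of a DER Certificate."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tag, _tbs, pos = _read_tlv(cert, 0)      # tbsCertificate (not inspected here)
    tag, alg_id, _ = _read_tlv(cert, pos)    # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    assert tag == 0x30, "signatureAlgorithm must be a SEQUENCE"
    tag, oid, _ = _read_tlv(alg_id, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return decode_oid(oid)


def assess(cert_der):
    """Classify a certificate's signature algorithm as 'weak', 'ok' or 'unknown'."""
    oid = signature_algorithm(cert_der)
    name, digest = SIG_ALGS.get(oid, (oid, None))
    if digest is None:
        return name, "unknown"
    return name, "weak" if digest in WEAK_DIGESTS else "ok"


# --- constructed sample certificates (hypothetical; tbsCertificate and signature are dummies) ---
def _tlv(tag, value):
    assert len(value) < 128  # short-form length is enough for these samples
    return bytes([tag, len(value)]) + value


def encode_oid(dotted):
    """Encode a dotted OID into DER OBJECT IDENTIFIER contents."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def fake_cert(sig_oid):
    """Build a certificate-shaped DER blob signed (nominally) with sig_oid."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                           # dummy tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL params
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 4)                          # dummy BIT STRING
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.10040.4.3", "1.2.840.113549.1.1.11"):
        print(oid, assess(fake_cert(oid)))
```

The walker only reads the outer signatureAlgorithm; a fuller audit would also compare it against the `signature` field inside tbsCertificate, which must carry the same OID. Replacing `fake_cert()` with the bytes of a real DER certificate is all that is needed to run the check on issued certificates.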
Certificate Revocation Lists
The Certificate Manager can issue X.509 v1 or v2 CRLs. A CRL can be automatically
updated whenever a certificate is revoked or at specified intervals.