Certificate Manager

This section describes the role of the Certificate Manager in CMS4.

What Is The Certificate Manager?

A Certificate Manager can be configured to accept requests from end entities, from Registration Managers, or from both end entities and Registration Managers. When set up to work with a remote Registration Manager, the Certificate Manager processes requests and returns the signed certificates to the Registration Manager, which distributes them to end entities.

Basic capabilities of the Certificate Manager (as distinct from the Registration Manager) include the following:

  • Can be configured as either a root CA or a subordinate CA
  • Can accept certificate requests directly from end entities and/or Registration Managers
  • Can issue end-entity, Registration Manager, and Certificate Manager certificates
  • Can issue single key-pair or dual key-pair certificates
  • Can notify users and administrators of approaching certificate expiration
  • Can renew certificates
  • Can revoke certificates
  • Can publish certificates and CRLs to an LDAP directory (LDAP 1.0 or higher)

Figure 3.4

Although it is possible to configure a Registration Manager to publish certificates to an LDAP directory, the Certificate Manager maintains a complete record of issued certificates, so it is recommended that publishing tasks be performed by the Certificate Manager only.

The Certificate Manager can issue certificates with the following characteristics:

  • X.509 version 3
  • internationalized subject names
  • customized components in subject names
  • customized extensions

Signing Algorithms

The Certificate Manager supports the following signing algorithms for both certificates and CRLs:

  • RSA with MD2
  • RSA with MD5
  • RSA with SHA-1
  • DSA with SHA-1

Certificate Revocation Lists

The Certificate Manager can issue X.509 v1 or v2 CRLs. A CRL can be automatically updated whenever a certificate is revoked or at specified intervals.
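As an added example that is not part of the CMS4 documentation, the following stdlib-only Python reads the signatureAlgorithm field of a DER-encoded certificate or CRL and reports which of the four signing algorithms listed above it uses; the OID table, the "broken"/"deprecated" status labels and the constructed sample objects are the editor's assumptions, not CMS4 output.

```python
# Added example (not CMS4 code): read the signatureAlgorithm of a DER Certificate or CRL and flag legacy digests.
SIGNING_ALGORITHMS = {  # dotted OID -> (name as listed for the Certificate Manager, digest status)
    "1.2.840.113549.1.1.2": ("RSA with MD2", "broken"),
    "1.2.840.113549.1.1.4": ("RSA with MD5", "broken"),
    "1.2.840.113549.1.1.5": ("RSA with SHA-1", "deprecated"),
    "1.2.840.10040.4.3": ("DSA with SHA-1", "deprecated"),
}

def read_tlv(buf, pos=0):  # -> (tag, content, next_pos) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):  # OBJECT IDENTIFIER content octets -> dotted string
    arcs, acc = [content[0] // 40, content[0] % 40], 0  # first octet packs two arcs
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """(name, status, oid) for a DER Certificate or CertificateList: both are
    SEQUENCE { tbs, signatureAlgorithm { OID, params }, signature }, so one walk serves both."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    _, _tbs, pos = read_tlv(body)      # skip tbsCertificate / tbsCertList
    _, alg, _ = read_tlv(body, pos)    # signatureAlgorithm
    _, oid_content, _ = read_tlv(alg)  # first element of AlgorithmIdentifier is the OID
    oid = decode_oid(oid_content)
    name, status = SIGNING_ALGORITHMS.get(oid, ("unknown", "review"))
    return name, status, oid

def encode_oid(dotted):  # dotted OID -> content octets (inverse of decode_oid)
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:  # prepend remaining 7-bit groups with the continuation bit set
            chunk.insert(0, (a & 0x7F) | 0x80)
        out.extend(chunk)
    return bytes(out)

def sample_signed_object(oid):  # constructed stand-in: empty tbs, given algorithm, dummy signature
    tlv = lambda tag, content: bytes([tag, len(content)]) + content  # short-form lengths suffice here
    alg = tlv(0x30, tlv(0x06, encode_oid(oid)) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, b"") + alg + tlv(0x03, b"\x00" + b"\xAA" * 16))
```

The same walk applies to a real DER certificate or CRL file read with `open(path, "rb").read()`, since only the outer three-element SEQUENCE is inspected.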

Copyright © 1999 Sun-Netscape Alliance.
All Rights Reserved.