Privileged-User Types and Responsibilities
Chapter
13
Managing Privileged Users and Groups
383
During installation, Certificate Management System automatically creates a group
with trusted manager privileges. For more information about this group, see
“Group for Trusted Managers” on page 387.
Trusted Manager’s Certificate for SSL Client Authentication
By default, a Registration Manager that has been set up to function as a trusted
manager uses its signing certificate for SSL client authentication to the subsystem
that trusts it. For information on this certificate, see “Signing Key Pair and
Certificate” on page 426. Similarly, a Certificate Manager that has been set up to
function as a trusted manager uses its SSL server certificate for SSL client
authentication to the subsystem that trusts it. For information on this certificate, see
“SSL Server Key Pair and Certificate” on page 425.
When you set up a trusted manager for a CMS subsystem, it is important to know
which CA has issued the certificate the trusted manager will use for SSL client
authentication to the subsystem. The certificate must be issued by a CA that the
subsystem trusts. For example, when you set up a trusted Registration Manager for
a subsystem, it is important to know which CA has issued the Registration
Manager’s signing certificate. The certificate must be issued by a CA that the
subsystem trusts. If the subsystem is a Certificate Manager, the certificate must be
issued by either the Certificate Manager itself or a CA that the Certificate Manager
trusts. Similarly, if the Registration Manager is connected to a Data Recovery
Manager, the signing certificate must be issued by the CA that the Data Recovery
Manager trusts.
The issuer of a Registration Manager’s signing certificate is the CA from which you
requested the certificate when you installed the Registration Manager. If you have
renewed the certificate since installation, the issuer is the CA from which you
requested the renewed certificate. Check the signing certificate for its issuer’s
name; see “Viewing the Certificate Database Content” on page 482. You can also
find this information by looking at the installation worksheet you completed in
preparation for installing the system.
Once you learn the issuer’s name, verify that this CA’s certificate exists in the
subsystem’s trust database and that the certificate is trusted. To check whether the
CA’s certificate exists in the subsystem’s trust database, follow the instructions in
“Viewing the Certificate Database Content” on page 482.
•
If the CA’s certificate isn’t listed, follow the instructions in “Using the Wizard
to Install a Certificate or Certificate Chain” on page 452 and add the certificate
to the subsystem’s certificate database.
•
If the CA’s certificate is listed but untrusted, follow the instructions in
“Changing the Trust Settings of a CA Certificate” on page 485 and change the
trust setting to trusted.
Summary of Contents for NETSCAPE MANAGEMENT SYSTEM 6.0
Page 1: ...Installation and Setup Guide Netscape Certificate Management System Version6 0 March 2002...
Page 22: ...22 Netscape Certificate Management System Installation and Setup Guide March 2002...
Page 32: ...32 Netscape Certificate Management System Installation and Setup Guide March 2002...
Page 160: ...160 Netscape Certificate Management System Installation and Setup Guide March 2002...
Page 776: ...776 Netscape Certificate Management System Installation and Setup Guide March 2002...
Page 807: ...807 Part 5 Appendix Appendix A Certificate Download Specification...
Page 808: ...808 Netscape Certificate Management System Installation and Setup Guide March 2002...
Page 830: ...830 Netscape Certificate Management System Installation and Setup Guide March 2002...