Topology Decisions
172 Netscape Certificate Management System Installation and Setup Guide • October 2001

You can choose to install either a Certificate Manager and Data Recovery Manager or a Registration Manager and Data Recovery Manager in a single instance. There is no need to install a Certificate Manager and Registration Manager in the same instance; instead, a single Certificate Manager can be configured to perform all Registration Manager functions.

When subsystems are installed in the same instance, the connections between them are internal. Both subsystems must share the same host name, and the overall number of SSL server certificates can be reduced (see “Subsystem Certificate Decisions” on page 180).

Cloned Certificate Manager

A cloned Certificate Manager is a CMS server instance that uses the same CA signing key and certificate as another Certificate Manager, identified as the master Certificate Manager. Each Certificate Manager issues certificates with serial numbers in a restricted range so that all of the servers together act as a single Certificate Authority (operating in several server processes).

Cloning requires somewhat more management and administrative effort, and it creates more potential areas where the CA could become compromised, so it should only be used when absolutely necessary.

The advantage of cloning is the ability to distribute the Certificate Manager’s load across several processes or even several physical machines. For a CA that has high enrollment demand, the distribution gained from cloning allows more certificates to be signed and issued in a given time interval.

To create a cloned Certificate Manager, you must first install and configure at least one Certificate Manager and specify a definite upper bound, but no lower bound, for the serial numbers it will use. You then install or create a new instance of a Certificate Manager (but do not configure it). Before configuring the clone, you copy the certificate and key database files from the original Certificate Manager to the new Certificate Manager’s configuration (cert-/config) directory. If these databases are present, the Configuration Wizard will recognize that you are creating a clone and confirm that you want to reuse the CA’s signing key and certificate (if the clone is on the same server, you can also reuse the SSL server certificate).

If you store the CA key material on a hardware token, you will have to follow the hardware vendor’s instructions for copying the key material to a hardware device accessible to the clone.
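
Because the master and its clones sign with the same CA key, overlapping serial ranges would let two instances issue different certificates with the same issuer and serial number. The following is an added example, not part of the Netscape guide or of CMS: a Python check that a planned set of ranges is disjoint, plus an audit of issued serials against that plan. It assumes each range is recorded as (lower, upper) with None meaning "no lower bound"; the instance names and serial values are constructed.

```python
from typing import Dict, List, Optional, Tuple

Range = Tuple[Optional[int], int]  # inclusive (lower or None, upper)

def bounds(r: Range) -> Tuple[int, int]:
    """Normalize a range; a lower bound of None means 'no lower bound' (0)."""
    lo, hi = (0 if r[0] is None else r[0]), r[1]
    if lo > hi:
        raise ValueError(f"lower bound {lo:#x} exceeds upper bound {hi:#x}")
    return lo, hi

def overlapping(ranges: Dict[str, Range]) -> List[Tuple[str, str]]:
    """Return pairs of instances whose serial-number ranges intersect."""
    spans = sorted((bounds(r), name) for name, r in ranges.items())
    clashes = []
    for i, ((_, hi_a), a) in enumerate(spans):
        for (lo_b, _), b in spans[i + 1:]:
            if lo_b > hi_a:
                break  # sorted by lower bound: no later range can touch a
            clashes.append((a, b))
    return clashes

def audit(ranges: Dict[str, Range], issued: List[Tuple[str, int]]) -> List[str]:
    """Flag serials issued outside the issuer's range or issued twice."""
    seen: Dict[int, str] = {}
    findings = []
    for name, serial in issued:
        lo, hi = bounds(ranges[name])
        if not lo <= serial <= hi:
            findings.append(f"{name}: serial {serial:#x} outside {lo:#x}-{hi:#x}")
        if serial in seen:
            findings.append(f"serial {serial:#x} issued by {seen[serial]} and {name}")
        seen.setdefault(serial, name)
    return findings

# Constructed plan: the master has an upper bound only, as the text describes.
PLAN = {"master": (None, 0x0FFF), "clone1": (0x1000, 0x1FFF),
        "clone2": (0x1F00, 0x2FFF)}           # clone2 overlaps clone1
FIXED = {**PLAN, "clone2": (0x2000, 0x2FFF)}  # corrected plan
# Constructed issuance records: (issuing instance, serial number).
ISSUED = [("master", 0x10), ("clone1", 0x1001),
          ("clone2", 0x1001), ("clone2", 0x2005)]

if __name__ == "__main__":
    print("overlaps in plan:", overlapping(PLAN))
    print("overlaps after fix:", overlapping(FIXED))
    for finding in audit(FIXED, ISSUED):
        print("finding:", finding)
```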