Chapter 4 Planning Your Deployment 177

For a discussion of CA certificate expiration issues in the context of Certificate Server 1.x, see http://help.netscape.com/products/server/certificate/cacertdoc/. Many of the same issues apply to Certificate Management System.

For detailed information on certificate extensions, see Appendix C, "Certificate and CRL Extensions" of CMS Plug-ins Guide.

Cryptographic Token Decisions

As explained in "PKCS #11" on page 74, one or more PKCS #11 modules must be available to any CMS instance. A PKCS #11 module, which can be implemented in either software or hardware, manages cryptographic services such as encryption and decryption. Netscape provides a built-in PKCS #11 module with Certificate Management System; see "Installing External Tokens" on page 451.

A PKCS #11 module always has one or more slots, which can be implemented as physical hardware slots in some form of physical reader (for example, for smart cards) or as conceptual slots in software. Each slot for a PKCS #11 module can in turn contain a token, which is the hardware or software device that actually provides cryptographic services and optionally stores certificates and keys.

As shown in Figure 1-10 on page 74, the built-in PKCS #11 module for Certificate Management System includes two tokens, one for cryptographic operations and one for manipulating the key and certificate databases. You can accelerate cryptographic operations such as the signing of new certificates by using third-party hardware tokens and accelerator boards.
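As an added illustration of the module/slot/token model (example code written for this edition, not part of the Netscape documentation or its software): a Python script that loads a PKCS #11 module, walks its slots, and reports whether each slot is a hardware slot that currently holds a token, which is the property to confirm before generating or importing a CA signing key into it rather than into one of the built-in module's software tokens. It assumes a Unix-style build of the module (natural struct alignment, CK_ULONG as unsigned long); the flag values and the CK_SLOT_INFO layout are those of the PKCS #11 v2.x specification, and make_slot_info builds constructed sample records so the check can be exercised without hardware.

```python
import ctypes

# CK_SLOT_INFO flag bits from the PKCS #11 v2.x specification
CKF_TOKEN_PRESENT, CKF_REMOVABLE_DEVICE, CKF_HW_SLOT = 0x01, 0x02, 0x04

class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]

class CK_SLOT_INFO(ctypes.Structure):
    # Unix pkcs11.h layout (natural alignment, CK_ULONG == unsigned long); assumption: Windows needs _pack_ = 1
    _fields_ = [("slotDescription", ctypes.c_ubyte * 64),
                ("manufacturerID", ctypes.c_ubyte * 32),
                ("flags", ctypes.c_ulong),
                ("hardwareVersion", CK_VERSION),
                ("firmwareVersion", CK_VERSION)]

def slot_summary(info):
    """Decode a CK_SLOT_INFO: the space-padded description plus the two flag bits that matter here."""
    return (bytes(info.slotDescription).decode("latin-1").rstrip(),
            bool(info.flags & CKF_HW_SLOT), bool(info.flags & CKF_TOKEN_PRESENT))

def suitable_for_ca_key(info):
    """Only a hardware slot that currently holds a token qualifies for the CA
    signing key; the built-in module's conceptual software slots fail this."""
    _, hardware, present = slot_summary(info)
    return hardware and present

def enumerate_slots(module_path):
    """Load a PKCS #11 library and return (slot id, CK_SLOT_INFO) pairs via its exported C_* entry points."""
    lib = ctypes.CDLL(module_path)
    if lib.C_Initialize(None) != 0:
        raise RuntimeError("C_Initialize failed")
    count = ctypes.c_ulong(0)
    lib.C_GetSlotList(ctypes.c_ubyte(0), None, ctypes.byref(count))  # size query, all slots
    slots = (ctypes.c_ulong * count.value)()
    lib.C_GetSlotList(ctypes.c_ubyte(0), slots, ctypes.byref(count))
    found = []
    for slot_id in slots:
        info = CK_SLOT_INFO()
        if lib.C_GetSlotInfo(ctypes.c_ulong(slot_id), ctypes.byref(info)) == 0:
            found.append((slot_id, info))
    lib.C_Finalize(None)
    return found

def make_slot_info(description, flags):
    """Hand-build a CK_SLOT_INFO (constructed sample data for offline testing)."""
    info = CK_SLOT_INFO()
    ctypes.memmove(info.slotDescription, description.ljust(64).encode(), 64)
    info.flags = flags
    return info
```

Run enumerate_slots with the path to the vendor's PKCS #11 shared library and print slot_summary and suitable_for_ca_key for each entry; a slot reporting hardware but no token present (an empty smart card reader) is rejected until a token is inserted.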
Certificate Management System support for PKCS #11 also allows you to store critical keys, such as the root CA signing key, on smart cards or other hardware tokens to facilitate strong physical security measures.

Hardware products compatible with Certificate Management System are available from nCipher™ (http://www.ncipher.com) and Chrysalis-ITS™ (http://www.chrysalis-its.com).

If you decide to test or deploy hardware acceleration and storage devices, consult the vendor's installation instructions.

Publishing Decisions

A Certificate Manager can publish certificates to an LDAP directory and to files, and CRLs to an LDAP directory, files, and the Online Certificate Status Manager.