Netscape Certificate Management System Installation and Setup Guide • October 2001

Subsystem Certificate Decisions

Using a self-signed signing certificate for the Certificate Manager simplifies the deployment of an initial pilot. You can install the Certificate Manager without having to apply to a public certificate authority and wait for it to issue, sign, and return your CA signing certificate. Your own Certificate Manager can then issue all the other certificates required for your pilot. However, taking this approach means that end entities outside your organization will not recognize your Certificate Manager unless you distribute the root Certificate Manager certificate to them.

The certificates and keys you need for each subsystem depend in part on whether the subsystems are in the same or different CMS instances. Subsystems installed together in the same instance use internal connectors to communicate and therefore do not need separate SSL certificates to authenticate each other.

When two CMS subsystems are installed in a single instance, they normally share a single SSL server certificate. If one or more subsystems are installed in a separate instance from the other subsystems, each instance requires a separate SSL server certificate.

In addition to any SSL server certificates, the Certificate Manager, Registration Manager, and Online Certificate Status Manager each require their own signing certificate, and the Data Recovery Manager needs its own transport certificate and storage key.

For more information about the key pairs and certificates used by the CMS managers, see "Keys and Certificates for the Main Subsystems" on page 436.

SSL Server Certificates

Each CMS instance requires a single SSL server certificate. If you install two managers in the same instance, that is, a Certificate Manager or Registration Manager together with a Data Recovery Manager, both managers share the same SSL server certificate.

Certificate Manager Certificates

Every Certificate Manager must have a CA signing certificate whose public key corresponds to the private key the Certificate Manager uses to sign the certificates it issues. This certificate is also used for SSL client authentication to the publishing directory (LDAP over SSL) if the Certificate Manager is set up to publish certificates or CRLs.
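The following script is an added example and is not part of the guide or of Netscape CMS; it uses the OpenSSL command line to model the pilot deployment described above: a self-signed CA signing certificate standing in for the Certificate Manager's root, a check that the signing certificate's public key corresponds to the signing private key, one SSL server certificate issued by that root for a CMS instance, and a demonstration that a relying party verifies the server certificate only if it holds the pilot root. It assumes an openssl binary (1.1.1 or later) on PATH; the subject names, hostname and file names are invented for the example.

```shell
#!/bin/sh
# Added example, not from the Netscape CMS guide. Models the guide's pilot PKI with
# the openssl CLI. Assumes openssl 1.1.1+ on PATH; all names below are invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Self-signed CA signing certificate: the pilot's own root, no public CA involved.
#    A private config file is used so no extensions from the system openssl.cnf are added.
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = Pilot CMS Root CA
O = Example Pilot
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. The signing certificate's public key must correspond to the private key the
#    Certificate Manager signs with. Derive the SubjectPublicKeyInfo from each side
#    and compare; prints "match" or "mismatch".
ca_key_matches_cert() {
  key_pub=$(openssl pkey -in "$WORK/ca.key" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$WORK/ca.crt" -pubkey -noout 2>/dev/null)
  if [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]; then echo match; else echo mismatch; fi
}

# 3. The root issues the single SSL server certificate a CMS instance needs.
#    Extensions for the end-entity certificate come from a separate unnamed-section file.
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=cms.pilot.example/O=Example Pilot" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  cat > "$WORK/server_ext.cnf" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:cms.pilot.example
EOF
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/server_ext.cnf" -out "$WORK/server.crt" 2>/dev/null
}

# 4. Trust follows the root. A relying party holding the pilot root verifies the
#    chain; one without it (an end entity outside the organization) rejects it.
#    $1 is "with-root" or "without-root"; prints "trusted" or "untrusted".
verify_as() {
  if [ "$1" = "with-root" ]; then
    set -- -CAfile "$WORK/ca.crt"
  else
    set -- -no-CAfile -no-CApath
  fi
  if openssl verify "$@" "$WORK/server.crt" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

make_ca
issue_server_cert
echo "CA signing key corresponds to CA certificate: $(ca_key_matches_cert)"
echo "Peer that was given the pilot root:           $(verify_as with-root)"
echo "Peer that was not given the pilot root:       $(verify_as without-root)"
```

The last two lines are the operational consequence the guide points out: nothing about the server certificate changes between the two checks, only whether the relying party has been given the root. Distributing that root to every end entity is the price of the self-signed shortcut, which is why the guide positions it for a pilot rather than for certificates that must be recognized outside the organization.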