Cloning a Certificate Manager286 Netscape Certificate Management System Installation and Setup Guide • October 20016. To start the installation wizard, double-click the new instance in the navigationtree, and then use the installation wizard to finish configuring the newinstance.7. Create the first agent for the new CMS instance.When you have finished setting up an additional CMS instance, you need tocreate at least one agent for that instance. If the new instance includes aCertificate Manager, you can create the administrator/agent as described in“Agent Certificate for a Certificate Manager” on page 275 as you did for thefirst instance in the server root. If the new instance does not include aCertificate Manager—that is, if it contains a Registration Manager, DataRecovery Manager, Online Certificate Status Manager, Registration Managerand Data Recovery Manager, or Online Certificate Status Manager and DataRecovery Manager—you will need to use the CMS window to create a newagent. This is described in section “Agent Certificate for Other CMS Managers”on page 278.Cloning a Certificate ManagerCloning a Certificate Manager refers to the process of creating two server processesperforming the same CA functions: you create another instance of a CertificateManager and configure it to use the same CA signing key and certificate and issuecertificates with serial numbers that do not conflict or overlap with the serialnumbers of the Certificate Manager that’s being cloned or with the serial numbersof any other clones. The Certificate Manager that’s being cloned is called the masterCertificate Manager or master CA in this document.You can use the cloning feature for CA scalability and for setting up a PKI withCAs organized in a flat structure as opposed to a hierarchical structure. Forexample, if you don’t want your PKI to be a CA hierarchy comprising root andsubordinate CAs, you can create multiple clones of a Certificate Manager andconfigure each clone to issue certificates that fall within a distinct range of serialnumbers. Because clone CAs use the same CA signing key and certificate (as that ofthe master CA) to sign the certificates they issue, the issuer name in all thecertificates in your PKI setup would be the same, as if they’ve been issued by asingle CA.The other advantage of cloning is that when you setup a clone Certificate Manager,it automatically sends the revocation status of the certificates it has issued to themaster Certificate Manager. The clone Certificate Manager uses the masterCertificate Manager’s agent port to communicate this information; the