Getting New Certificates for the Subsystems

486 Netscape Certificate Management System Installation and Setup Guide • October 2001

The sections that follow explain how to get new certificates for the Certificate Manager, Registration Manager, Data Recovery Manager, and Online Certificate Status Manager using the Certificate Setup Wizard. Alternatively, you can use the command-line utilities called the Key Database Tool and Certificate Database Tool. For details about these tools, check the CMS Command-Line Tools Guide. To locate an online version of this book, see “Where to Go for Related Information” on page 28.

Getting a new key pair and a corresponding certificate involves the following steps:

• Step 1. Plan for the New Certificate
• Step 2. Request the New Certificate
• Step 3. Install the New Certificate
• Step 4. Deploy the New Certificate

Step 1. Plan for the New Certificate

Getting a new certificate for a CMS manager requires careful planning. This section provides some guidelines that will help you request and install the new certificate.

Determine which certificate you want to get

You can get CA signing, OCSP signing, CRL signing, SSL server, and remote administration certificates for the Certificate Manager; signing, SSL server, and remote administration certificates for the Registration Manager; transport, SSL server, and remote administration certificates for the Data Recovery Manager; and signing, SSL server, and remote administration certificates for the Online Certificate Status Manager. For details about the certificates used by a CMS manager, see “Keys and Certificates for the Main Subsystems” on page 436.

• If you have deployed a Certificate Manager as your root CA and you want to get a new self-signed CA certificate for that Certificate Manager, you must consider the possible effects on your PKI setup of changing the key pair of the root CA. If you reissue the Certificate Manager’s CA signing certificate with new key material, none of the certificates issued or signed by the CA using its old key will work; the reason is that, when you change the root CA key, all certificates that rely on the CA certificate for validation will no longer validate. For example, if the CA has issued certificates to subordinate Certificate Managers, Registration Managers, Data Recovery Managers, Online Certificate Status Managers, and agents, all those certificates will become invalid—the subsystems will fail to function, and agents will fail to access agent interfaces.
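The root CA re-key effect described above, shown as an added Go example that is not part of the CMS product or this guide: using Go's standard crypto/x509 package it builds a small test PKI, issues a Registration Manager signing certificate under a root CA, then re-keys the root (same subject name, new key pair) and checks whether the subsystem certificate still validates. The subject names, serial numbers and validity periods are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert creates a key pair and a certificate for cn: self-signed (a root CA)
// when parent is nil, otherwise signed by parentKey. Values are constructed.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign } // only a CA may sign certificates
	signer, issuer := key, tmpl // self-signed unless a parent is given
	if parent != nil { signer, issuer = parentKey, parent }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der) // DER produced just above; parse cannot fail
	return cert, key
}

// chainsTo reports whether leaf builds a valid chain to the given root.
func chainsTo(leaf, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// RekeyBreaksChain issues a Registration Manager signing certificate under a root CA,
// re-keys the root (same subject, new key pair) and reports validity before and after.
func RekeyBreaksChain() (validBefore, validAfter bool) {
	oldRoot, oldKey := newCert("Example Root CA", true, nil, nil)
	rmCert, _ := newCert("Registration Manager Signing", false, oldRoot, oldKey)
	newRoot, _ := newCert("Example Root CA", true, nil, nil)
	return chainsTo(rmCert, oldRoot), chainsTo(rmCert, newRoot)
}

func main() { fmt.Println(RekeyBreaksChain()) } // prints: true false
```

The same check applies to every certificate the old CA key signed (subordinate CA, DRM transport, OCSP signing, agent certificates): each must be reissued under the new key before the old one is retired.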