Renewing Certificates for the Subsystems

Chapter 14 Managing CMS Keys and Certificates 499

   To add the renewed certificate to a subsystem’s internal database:

   a. Note the instance ID and host name of the Registration Manager for which you got the signing certificate; this information will help you to identify the Registration Manager in a subsystem’s list of privileged users.

   b. Copy the renewed signing certificate, in its base-64 encoded format, to a text file.

   c. Add the renewed certificate to the individual subsystem’s internal database following the instructions in “Changing a Privileged User’s Certificate” on page 430. Repeat this step for all subsystems that receive requests from this Registration Manager.

2. Ensure that the CA that signed the Registration Manager’s certificate is in the trust database of the subsystem.

   When a Registration Manager does SSL client authentication using its renewed certificate, the subsystem, as a part of validating the certificate presented by the Registration Manager, checks its trust database for the CA (certificate) that signed the Registration Manager’s renewed certificate. If the subsystem does not find the CA as a trusted CA in its trust database, it rejects the Registration Manager.

   For instructions on checking the trust database of a subsystem, see “Viewing the Certificate Database Content” on page 502.

   - If you don’t find the CA certificate, add it to the database as a trusted CA. For instructions on adding a CA certificate to the trust database of a subsystem, see “Installing a New CA Certificate in the Certificate Database” on page 507.

   - If you find the CA certificate, verify its trust status. If it is untrusted, change the status to trusted. For instructions on changing the trust setting of a CA certificate, see “Changing the Trust Settings of a CA Certificate” on page 505.

Deploying Data Recovery Manager’s Renewed Transport Certificate

Because clients capable of generating dual key pairs use the transport certificate for encrypting end users’ encryption private keys before sending them to the Data Recovery Manager, you must update the appropriate enrollment or key archival page to identify and use the renewed transport certificate. Otherwise, the Data Recovery Manager will fail to archive users’ encryption private keys.
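As an added illustration of the trust-database check described in step 2 above (this is not code from the CMS documentation or the product), the following Python models how a subsystem validates a Registration Manager's base-64 encoded certificate: it looks up the issuing CA in its trust database, requires that CA to be marked trusted, and only then verifies the signature. It assumes the third-party `cryptography` package; the CA names, the trust-database layout and every certificate are constructed test data.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

def make_cert(subject_cn, issuer_cert=None, issuer_key=None, is_ca=False):
    # Constructed test certificate; self-signed when no issuer is given.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer_cert.subject if issuer_cert else subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))
    return cert, key

def to_pem(cert):
    # The base-64 encoded form an administrator copies into a text file.
    return cert.public_bytes(serialization.Encoding.PEM)

def check_client_cert(pem, trust_db):
    """Model of the subsystem's check: look up the issuer CA in the trust
    database, require its trusted flag, then verify the client certificate's
    signature with that CA's public key. Returns (accepted, reason)."""
    cert = x509.load_pem_x509_certificate(pem)
    entry = trust_db.get(cert.issuer.rfc4514_string())
    if entry is None:
        return False, "issuer CA not in trust database"
    ca_cert, trusted = entry
    if not trusted:
        return False, "issuer CA present but marked untrusted"
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False, "signature does not verify against the trusted CA"
    return True, "accepted"

# Constructed trust database keyed by CA subject DN: one trusted CA, one
# present but untrusted (the second bullet in step 2 above).
TRUSTED_CA, TRUSTED_KEY = make_cert("Trusted CA", is_ca=True)
UNTRUSTED_CA, UNTRUSTED_KEY = make_cert("Untrusted CA", is_ca=True)
TRUST_DB = {TRUSTED_CA.subject.rfc4514_string(): (TRUSTED_CA, True),
            UNTRUSTED_CA.subject.rfc4514_string(): (UNTRUSTED_CA, False)}
```

A Registration Manager certificate whose issuer is absent from the trust database, or present but untrusted, is rejected before any signature check, which is exactly the failure the step above tells you to head off by adding the CA or changing its trust setting.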