84 Netscape Certificate Management System Installation and Setup Guide • October 2001

Some Enrollment Scenarios

Successful PKI deployment requires flexible and easy enrollment for end entities as well as ongoing support for certificate life-cycle management—that is, management of each certificate from enrollment through encryption key storage (if necessary), renewal, and revocation. The preceding section describes the internal flow of control among servlets, authentication modules, and policy modules in a CMS manager (see Figure 2-1 for a summary). The examples that follow illustrate the flexibility that the CMS architecture supports among end entities, Registration Managers, Certificate Managers, and existing customer databases, security systems, and directories.

• Firewall Considerations
• Extranet/E-Commerce: Acme Sales Corp.
• PIN Registration: Atlas Manufacturing
• VPN Client Enrollment and Revocation
• Router Enrollment and Revocation

For the sake of simplicity, these examples do not show the role of the Data Recovery Manager. For more information about data recovery, see “Data Recovery Manager” on page 48.

For more information about certificate life-cycle management, see “End Entities and Life-Cycle Management” on page 98.

Firewall Considerations

Most of the examples that follow show a Certificate Manager inside the firewall and a Registration Manager outside the firewall. Other variations are possible, but this arrangement is often appropriate. These are some of the advantages:

• The most sensitive elements of the deployment—the Certificate Manager, internal databases, directories, and so on—have the additional protection of the firewall.
• The Certificate Manager can have additional physical protection, if desired—such as storage in a locked room and agent authentication by means of smart cards.
• All communication between the Registration Manager and the Certificate Manager takes place over SSL with mutual authentication—that is, both client and server authentication via X.509 v3 certificates.