Subsystem Certificate Decisions
Chapter 4, Planning Your Deployment (page 177)

Certificate Manager Certificates

Every Certificate Manager must have a CA signing certificate whose public key corresponds to the private key the Certificate Manager uses to sign the certificates it issues. This certificate is also used for SSL client authentication to the publishing directory (LDAP over SSL) if the Certificate Manager is set up to publish certificates or CRLs.

If the Certificate Manager is acting as a root CA, the CA certificate must be installed and trusted by each client that needs to validate certificates issued by the root Certificate Manager. In the context of a PKI, trust refers to the relationship between the user of a certificate and the CA that issued the certificate. If you trust a CA, you can generally trust valid certificates issued by that CA. It’s possible to control which CAs the client or server software trusts and which it doesn’t, and for what kinds of certificates, by means of settings within the software.

The Certificate Manager also requires an SSL server certificate. For more information about the key pairs and certificates used by a Certificate Manager, see “Certificate Manager’s Key Pairs and Certificates” on page 421.

Registration Manager Certificates

Every Registration Manager subsystem must have a signing certificate whose public key corresponds to the private key the Registration Manager uses to sign end-entity certificate requests before sending them to the Certificate Manager. Signed requests give the Certificate Manager persistent proof that a particular Registration Manager processed the request.

The Registration Manager also requires at least one SSL server certificate. For more information about the key pairs and certificates used by a Registration Manager, see “Registration Manager’s Key Pairs and Certificates” on page 426.