Keys and Certificates for the Main Subsystems

Chapter 14 Managing CMS Keys and Certificates 421

All key pairs associated with CMS certificates must be well protected to ensure that they are never compromised. However, if you know or suspect that a key pair has been compromised, reissue the certificate with a new key pair. For instructions to get a new CMS certificate, see section “Getting New Certificates for the Subsystems” on page 465.

Certificate Manager’s Key Pairs and Certificates

The Certificate Manager uses the following key pairs and corresponding certificates:
• CA Signing Key Pair and Certificate
• OCSP Signing Key Pair and Certificate
• CRL Signing Key Pair and Certificate
• SSL Server Key Pair and Certificate

CA Signing Key Pair and Certificate

Every Certificate Manager you install has a certificate, identified as the Certificate Manager CA signing certificate, whose public key corresponds to the private key the Certificate Manager uses to sign the X.509 certificates it issues. This certificate is first generated when you install the Certificate Manager. The default nickname for the certificate is caSigningCert cert-, where identifies the CMS instance in which the Certificate Manager is installed, and the default validity period for the certificate is two years.

The subject name of the CA signing certificate reflects the name of your certificate authority (CA) as specified during the installation. All certificates signed or issued by the Certificate Manager include this name to identify the issuer of the certificate.

The Certificate Manager’s status as a root or subordinate CA is determined by whether its CA signing certificate is self-signed or is signed by another CA.
• If the Certificate Manager is a root CA, its CA signing certificate is self-signed—that is, the subject name and issuer name of the certificate are the same.
• If the Certificate Manager is a subordinate CA, its CA signing certificate is signed by another CA, usually the one that is a level above in the CA hierarchy (which may or may not be a root CA). If you have deployed the Certificate Manager as a subordinate CA in a CA hierarchy, you must import your root CA’s signing certificate into individual clients and servers before you can use the Certificate Manager to issue certificates to them.