System Overview
Chapter 1 Introduction to Certificate Management System, page 47

• Invalidity date. Indicates the date on which the private key corresponding to the public key certified by the certificate was (or is suspected to have been) compromised.

Registration Manager

A Registration Manager is an optional component in the PKI, enabling you to separate the registration process from the certificate-signing process. A Registration Manager is typically installed on a different machine from the Certificate Manager that it serves. During installation, you connect the Registration Manager to a Certificate Manager and configure the Certificate Manager to trust the Registration Manager. Once the trust is established, the Registration Manager can perform a subset of the end-entity tasks performed by the Certificate Manager, such as enrollment or renewal, on behalf of the Certificate Manager. A Registration Manager cannot issue or revoke certificates by itself; instead, it evaluates end-entity requests and forwards them to a Certificate Manager for action, such as the issuing of a certificate. The Certificate Manager processes the requests and issues the certificates. The Registration Manager then distributes the certificates to the end entities.

Note that you can run multiple Registration Managers remotely, all reporting to a single CA (a Certificate Manager) to verify user identities and process certificate signing requests. The Certificate Manager's ability to support multiple Registration Managers makes it more scalable and also adds an extra layer of security for the CA, because the CA's signing key is never exposed to the hosts that face end entities. For example, you can set a policy that requires all clients to go through a remote Registration Manager, and then have the remote Registration Manager route all client requests to the Certificate Manager located inside a firewall.

The Registration Manager is designed to handle certificate life-cycle management tasks, that is, the tasks required to maintain a certificate throughout its life cycle, including the following:

• Enrolling end entities (initial authentication and admission to the PKI)
• Enforcing policies such as request validation requirements, authentication requirements, and certificate formulation
• Distributing issued certificates
• Coordinating certificate renewal
• Coordinating storage of end users' private encryption keys with a Data Recovery Manager

A Registration Manager's default forms for end-entity interactions can be used as is or customized. For more information about default Registration Manager forms, see "End Entities and Life-Cycle Management" on page 98.
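The RA/CA split described above, as an added example written for this page (it is not Certificate Management System code and does not use its APIs). The model assumes the trust relationship is expressed by pinning the Registration Manager's public key at the Certificate Manager, and assumes one hypothetical enrollment policy: the CSR's CN must match the identity the RA authenticated and must end in an allowed suffix. The CA holds the only signing key and refuses any request the RA has not vouched for; the RA validates and forwards but cannot issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// RA is the Registration Manager: it authenticates end entities and enforces
// policy, and holds a key only to authenticate itself to the CA (assumed model).
type RA struct {
	key           *ecdsa.PrivateKey
	allowedSuffix string // hypothetical policy: CN must end with this suffix
}

// CA is the Certificate Manager: the sole holder of the issuing key.
type CA struct {
	key    *ecdsa.PrivateKey
	cert   *x509.Certificate
	raPub  *ecdsa.PublicKey // the one RA this CA trusts
	serial int64
}

// Forwarded is the RA -> CA message: the raw CSR plus the RA's signature over it.
type Forwarded struct {
	CSR []byte
	Sig []byte
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// NewCA self-signs a root and records the RA it will accept requests from.
func NewCA(raPub *ecdsa.PublicKey) *CA {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return &CA{key: key, cert: cert, raPub: raPub, serial: 1}
}

// Enroll is the RA's end-entity step: check proof of possession, apply policy
// against the identity established at authentication, then forward to the CA.
func (ra *RA) Enroll(csrDER []byte, authenticatedAs string) (Forwarded, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return Forwarded{}, err
	}
	if err := csr.CheckSignature(); err != nil { // requester holds the private key
		return Forwarded{}, err
	}
	cn := csr.Subject.CommonName
	if cn != authenticatedAs {
		return Forwarded{}, fmt.Errorf("policy: CN %q != authenticated identity %q", cn, authenticatedAs)
	}
	if !strings.HasSuffix(cn, ra.allowedSuffix) {
		return Forwarded{}, fmt.Errorf("policy: CN %q outside %q", cn, ra.allowedSuffix)
	}
	h := sha256.Sum256(csrDER)
	sig, err := ecdsa.SignASN1(rand.Reader, ra.key, h[:]) // RA vouches for the request
	if err != nil {
		return Forwarded{}, err
	}
	return Forwarded{CSR: csrDER, Sig: sig}, nil
}

// Issue is the CA's step: accept only requests signed by the trusted RA, then sign.
func (ca *CA) Issue(f Forwarded) (*x509.Certificate, error) {
	h := sha256.Sum256(f.CSR)
	if !ecdsa.VerifyASN1(ca.raPub, h[:], f.Sig) {
		return nil, errors.New("request not vouched for by a trusted Registration Manager")
	}
	csr, err := x509.ParseCertificateRequest(f.CSR)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(90 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MakeCSR stands in for the end entity: a fresh key and a CSR for cn (constructed input).
func MakeCSR(cn string) []byte {
	der, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, newKey())
	if err != nil {
		panic(err)
	}
	return der
}

// EnrollViaRA runs the full flow: end entity -> RA -> CA -> issued certificate.
func EnrollViaRA(ra *RA, ca *CA, cn, authenticatedAs string) (*x509.Certificate, error) {
	f, err := ra.Enroll(MakeCSR(cn), authenticatedAs)
	if err != nil {
		return nil, err
	}
	return ca.Issue(f)
}

func main() {
	ra := &RA{key: newKey(), allowedSuffix: ".example.com"}
	ca := NewCA(&ra.key.PublicKey)
	cert, err := EnrollViaRA(ra, ca, "alice.example.com", "alice.example.com")
	fmt.Println("issued:", cert.Subject.CommonName, err)
	_, err = EnrollViaRA(ra, ca, "admin.example.com", "alice.example.com")
	fmt.Println("impersonation attempt:", err)
	_, err = ca.Issue(Forwarded{CSR: MakeCSR("bob.example.com")}) // skips the RA
	fmt.Println("bypassing the RA:", err)
}
```

The two rejections in main are the security point of the split: the RA stops a requester from asking for a name it did not authenticate as, and the CA, sitting behind the firewall, will not act on a CSR that arrives without the RA's signature, so compromising an RA-facing host yields no signing capability.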