Netscape Certificate Management System Installation and Setup Guide • March 2002

Note that Certificate Management System by default supports issuance of certificates to routers and VPN clients using CEP-based enrollment. However, publishing of these certificates to an LDAP-compliant directory is not turned on by default because routers and VPN clients need to have access to an LDAP directory in order to fully support various functions, such as certificate and CRL retrieval.

This section explains how to set up a Certificate Manager to issue certificates to routers and CEP-compliant Virtual Private Network (VPN) clients. The section also describes how to configure the Certificate Manager to publish these certificates and certificate revocation lists (CRLs) to an LDAP-compliant directory.

You may configure the Certificate Manager to publish to any LDAP-compliant directory, but if you do not have one available, you can use the one supplied with Certificate Management System. Certificate Management System comes with Netscape Directory Server, which is an LDAP-compliant directory. When you install Certificate Management System, two instances of Netscape Directory Server are automatically created in the same server group in which Certificate Management System is installed—one of the Directory Server instances is identified as the configuration directory and the other as the internal database. For publishing certificates and CRLs you may use the configuration directory, but not the internal database. The internal database is configured for exclusive use by Certificate Management System; see Chapter 12, “Setting Up Internal Database.”

Setting up CEP Enrollment Manually

The information covered in this section explains how to set up CEP enrollment manually. Note that the instructions are written with these assumptions:

• That you will publish certificates and CRLs to the configuration directory. For more information about the configuration directory, see Managing Servers with Netscape Console. To locate this document, open the /manual/index.html file.

• That you will publish certificates and CRLs to the same tree in the configuration directory; you may customize this if you desire. We recommend that you publish to a tree named after the O attribute in your CA signing certificate. Router certificates will also need to have an O inserted in the subject name; this can be done automatically. This section refers to the name of this tree as Base DN.

If you want to publish to any other LDAP-compliant directory, read Chapter 19, “Setting Up LDAP Publishing.”

To set up CEP enrollment manually, follow these steps: