Subsystem Certificate Decisions

178 Netscape Certificate Management System Installation and Setup Guide • May 2002

Data Recovery Manager Certificate and Storage Key

The Data Recovery Manager needs a transport certificate and a storage key:

• The transport certificate has a public key used by end-entity software to encrypt the private encryption key belonging to an end entity so that it can be sent (via the Registration Manager) to the Data Recovery Manager. The public key also corresponds to the private key used by the Data Recovery Manager to sign the proof-of-archival token it sends to the Registration Manager after storing an end entity’s encryption key.

• The storage key is used by the Data Recovery Manager to encrypt the end entity’s encryption key (after it has been decrypted with the Data Recovery Manager’s private transport key) before the Data Recovery Manager stores the encryption key in the local directory. Data encrypted with the storage key can be retrieved only if m of n split keys are provided at the same time by m of n authorized agents.

The Data Recovery Manager also requires at least one SSL server certificate. For more information about the key pairs and certificates used by a Data Recovery Manager, see “Data Recovery Manager’s Key Pairs and Certificates” on page 427.

Online Certificate Status Manager Certificates

Every Online Certificate Status Manager must have a signing certificate whose public key corresponds to the private key the Online Certificate Status Manager uses to sign OCSP responses before sending them to OCSP-compliant clients. The Online Certificate Status Manager’s signature provides persistent proof to an OCSP-compliant client that the Online Certificate Status Manager has processed the request.

The Online Certificate Status Manager also requires at least one SSL server certificate. For more information about the key pairs and certificates used by an Online Certificate Status Manager, see “Online Certificate Status Manager’s Key Pairs and Certificates” on page 429.

NOTE If you want to use hardware tokens for generating and storing the Data Recovery Manager’s key pairs, you’ll need at least two tokens: one exclusively for the storage key pair and the other for the remaining key pairs. Be sure to install (and initialize, if required) these tokens before you start the Data Recovery Manager installation.
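The m-of-n rule for the storage key described above can be illustrated with Shamir secret sharing; the following is an added example, not code from the Netscape guide or from Certificate Management System, and it assumes a constructed 32-byte sample key and a 3-of-5 split (CMS’s own split-key format is not reproduced).

```python
import secrets

# 2^521 - 1 is prime; the field must be larger than any key value being split
# (assumption: keys here are at most 32 bytes, far below the field size).
PRIME = 2**521 - 1

# Constructed sample storage key; a real DRM storage key stays on its token.
SAMPLE_STORAGE_KEY = bytes(range(32))


def _eval_poly(coeffs, x):
    """Horner evaluation of the polynomial with these coefficients, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(storage_key, m, n):
    """Split a storage key into n shares so that any m of them recover it."""
    secret = int.from_bytes(storage_key, "big")
    if not (0 < m <= n) or secret >= PRIME:
        raise ValueError("invalid threshold or key too large for the field")
    # Random polynomial of degree m-1 whose constant term is the key itself.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_key(shares, key_len):
    """Lagrange-interpolate at x=0; None if the result cannot be a key of key_len bytes."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    # With fewer than m shares the interpolated value is essentially random
    # and almost never fits the expected key length; the agents get nothing.
    if secret.bit_length() > 8 * key_len:
        return None
    return secret.to_bytes(key_len, "big")


def demo(m=3, n=5):
    """Return (m agents recover the key, m-1 agents recover the key)."""
    shares = split_key(SAMPLE_STORAGE_KEY, m, n)
    with_m = recover_key(shares[1:1 + m], len(SAMPLE_STORAGE_KEY))
    with_fewer = recover_key(shares[:m - 1], len(SAMPLE_STORAGE_KEY))
    return with_m == SAMPLE_STORAGE_KEY, with_fewer == SAMPLE_STORAGE_KEY
```

Any m shares, not a fixed subset, reconstruct the key, which is what lets any m of the n authorized agents perform a recovery together.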