Overview of Key Features

Chapter 1 Introduction to Certificate Management System 37

PKCS #11 hardware support for smart cards and crypto accelerators

Certificate Management System supports smart cards and crypto accelerators provided by various third-party vendors of PKCS #11 version 2.01-compliant products.

You can configure the server to use different PKCS #11 modules to generate and store key pairs (and certificates) for the Certificate Manager, Registration Manager, and Data Recovery Manager. Using hardware for key storage (especially for Certificate Manager and Data Recovery Manager key pairs) reduces the risk of key compromise, because once the keys have been generated in the hardware, the token neither reveals them nor provides any means for them to be revealed. Note that PKCS #11 hardware devices also provide backup and recovery features for the key material stored on the hardware token. Be sure to refer to the PKCS #11 vendor documentation on this subject.

For information on configuring Certificate Management System to use hardware tokens for generating and storing its key pairs and certificates, see “Tokens for Storing CMS Keys and Certificates” on page 431.

Support for Netscape client and server products; client independence for non-Netscape products

Certificates issued by Certificate Management System work with existing Netscape client and server products that support SSL. The certificates also work (out of the box) with a variety of non-Netscape, standards-compliant applications.

Highly scalable certificate data store

Certificate Management System uses a highly scalable, high-performance certificate storage facility—a preconfigured version of Netscape Directory Server 6.x that’s automatically installed with Certificate Management System—enabling you to issue and manage a large number of certificates. For more information, see Chapter 12, “Setting Up Internal Database.”

Flexible end-entity registration services framework

The registration services framework for end entities includes the most commonly expected PKI features: manual, directory-based, directory- and PIN-based, NIS-based, and portal enrollments; certificate-authenticated renewals and revocations (based on SSL client authentication); and certificate life-cycle operations that include automated certificate renewal and expiration notifications. These features are available out of the box for both Certificate Manager and Registration Manager.