System Overview
Chapter 1 Introduction to Certificate Management System

• Search for certificates issued by the server.
• Set up hierarchies of certificate authorities—multiple subordinate CAs chained up to a root CA. (Certificate Management System can also chain under popular public CAs that are already pretrusted in popular client and server products.)
• Publish certificate information to an LDAP-compliant directory, such as Netscape Directory Server, and maintain this information. Publish the list of revoked certificates (CRLs) to an LDAP-compliant directory, a flat file, and an online-validation authority.

This chapter describes the basic features and capabilities of Certificate Management System. Chapter 3, “Default Demo Installation” describes how to install a simple demo that uses some of these features.

Public-Key Infrastructure

The standards and services that facilitate the use of public-key cryptography and X.509 version 3 certificates in a networked environment are collectively called public-key infrastructure (PKI). In any PKI, a certificate authority (CA) is a trusted entity that issues, renews, and revokes certificates. An end entity (EE) is a person, router, server, or other entity that uses a certificate to identify itself.

To participate in a PKI, an end entity must enroll, or register, in the system. The end entity typically initiates enrollment by giving the CA some form of identification and a newly generated public key. The CA uses the information provided to authenticate, or confirm, the identity. In some cases the CA may require human intervention, such as an interview or examination of notarized documents, to authenticate the end entity (manual approval). In other cases the information provided may be sufficient (automatic approval). In addition to authenticating the end entity, the CA uses the public key to ensure “proof of possession”—that is, cryptographic evidence that the certificate request was signed by the holder of the corresponding private key.

Finally, the CA issues a certificate that associates the end entity’s identity with the public key, and signs the certificate with the CA’s own private signing key.

Certificate Management System dramatically simplifies the PKI enrollment process. Before you deploy a PKI, however, you need to make many decisions about the relationships between CAs and end entities and related policies and procedures.
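The enrollment flow described above (end entity generates a key pair and a signed request, the CA checks proof of possession before signing, certificates chain from a subordinate CA up to a root, and revocations are published in a CRL) can be walked through end to end with the Go standard library. This is an added illustration written for this page, not code from Certificate Management System or its documentation; the function names `makeCA`, `enroll`, `issue`, `revoke` and `validate` are hypothetical, and the subject names and key sizes are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newSerial returns a random 64-bit serial number (sample policy, not CMS's).
func newSerial() *big.Int {
	s, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	return s
}

// makeCA creates a self-signed root when parent is nil, otherwise a subordinate
// CA whose certificate is signed by parent (the "CA hierarchy" of the text).
func makeCA(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: newSerial(), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	signer, signerKey := tmpl, key // self-signed root
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// enroll is the end-entity side: generate a fresh key pair and a PKCS#10 request
// that carries the public key and is signed with the matching private key.
func enroll(cn string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	return csr, key, err
}

// issue is the CA side: verify proof of possession (the request signature checks
// out under the public key embedded in the request) and only then sign a certificate.
func issue(csrDER []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: newSerial(), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// revoke publishes a CRL, signed by the issuing CA, that lists one serial number.
func revoke(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial *big.Int) (*x509.RevocationList, error) {
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: time.Now()}},
	}, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// validate is the relying party: build the chain EE -> subordinate CA -> root,
// then consult the CRL (if one is supplied) after checking the CRL's own signature.
func validate(ee, sub, root *x509.Certificate, crl *x509.RevocationList) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := ee.Verify(opts); err != nil {
		return err
	}
	if crl == nil {
		return nil
	}
	if err := crl.CheckSignatureFrom(sub); err != nil {
		return err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(ee.SerialNumber) == 0 {
			return errors.New("certificate is revoked")
		}
	}
	return nil
}

func main() {
	root, rootKey, _ := makeCA("Sample Root CA", nil, nil)
	sub, subKey, _ := makeCA("Sample Sub CA", root, rootKey)
	csr, _, _ := enroll("sample-end-entity")
	ee, err := issue(csr, sub, subKey)
	fmt.Println("issued:", ee != nil, err, "chain valid:", validate(ee, sub, root, nil))
	crl, _ := revoke(sub, subKey, ee.SerialNumber)
	fmt.Println("after revocation:", validate(ee, sub, root, crl))
}
```

The proof-of-possession check is the step that matters for the text's security point: a request whose signature does not verify under the key it carries is rejected by `issue` before any certificate is signed, so a requester cannot obtain a certificate binding their name to a key they do not hold.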