Introduction to AuthenticationChapter 15 Setting Up End-User Authentication 495End-Entity AuthenticationThis section provides an overview of how Certificate Management Systemauthenticates end entities during certificate enrollment, renewal, and revocationprocesses.Authentication of End Entities During Certificate EnrollmentWhen an end entity submits a certificate request, a Certificate Manager orRegistration Manager’s first task is to identify and authenticate the end entity. Theserver must perform this task before it can register the end entity for certificateissuance. This task includes verifying the end entity’s identity based oninformation the end entity provides and returning enough information about theend entity so that the subject name for the certificate can be constructed.To cater to a variety of end-entity enrollment scenarios, Certificate ManagementSystem supports both manual and automated certificate issuance. For detaileddescription of authentication methods supported by the Certificate Manager andRegistration Manager, see Chapter 1, “Authentication Plug-in Modules” of CMSPlug-Ins Guide. To locate an online version of this guide, open the/manual/index.html file.Authentication of End Users During Certificate RenewalWhen an end user submits a certificate renewal request, the first step in therenewal process is for the Certificate Manager or Registration Manager to identifyand authenticate the end user. This step includes making sure that the end user’scurrent certificate is either “valid” or “expired” (“revoked” is not acceptable).Certificate Management System verifies the authenticity of a certificate renewalrequest by mapping the subject name in the certificate being presented for renewalto certificates in its internal database. The server renews the certificate only if thesubject name maps successfully to a certificate in its internal database. If theinternal database contains more than one certificate with matching subject name asthat the one presented by the end entity for client authentication, the server lists allthe matching certificates and expects the end entity to pick one for renewal.Here are a few things to keep in mind about certificate renewal:• The certificate being presented by the end user for renewal must be issued by aCertificate Manager.• If the renewal request is processed by a Registration Manager, the end-usercertificate presented must be issued by a Certificate Manager that theRegistration Manager knows and is connected to; the Registration Managerforwards certificate requests to this Certificate Manager for signing.