Configuring the Certificate Manager
Chapter 3 Certificate Manager 115

CA Certificate Renewal or Reissuance

When a CA signing certificate expires, all certificates signed with the CA’s corresponding signing key become invalid. End entities use information in the CA certificate to verify the certificate’s authenticity. If the CA certificate itself has expired, applications cannot chain the certificate to a trusted CA.

There are two ways of dealing with CA certificate expiration:

• Renewing a CA certificate involves issuing a new CA certificate with the same subject name and public and private key material as the old CA certificate, but with an extended validity period. As long as the new CA certificate is distributed to all users well before the old CA certificate expires, this approach allows certificates issued under the old CA certificate to continue working for the full duration of their validity periods.

• Reissuing a CA certificate involves issuing a new CA certificate with a new name, public and private key material, and validity period. This approach avoids some of the problems associated with renewing a CA certificate, but it requires more work for both administrators and users to implement. All certificates issued by the old CA, including those that have not yet expired, must be renewed by the new CA.

There are advantages and disadvantages to each approach. Correct use of extensions, for example the authorityKeyIdentifier extension, can also affect the transition from an old CA certificate to a new one. You should begin planning for CA renewal or reissuance before you install any CMS managers; consider any ramifications your planned procedures may have for extensions, policies, and other aspects of your initial PKI deployment.

Changing Ports and IP Addresses

You set up the ports for each of the interfaces when you install the Certificate Manager. You can change the ports that any of the interfaces listen on, and you can remove the HTTP (non-SSL) end-entity port if you will not use it. For information on changing ports, see “Ports,” on page 285. For information about the ports that are set up with a Certificate Manager, see “Certificate Manager Interfaces,” on page 89.

You can also change the IP address for the CMS instance. You might do this if you have more than one IP address set up on your machine and want separate instances of CMS to use different IP addresses. You cannot do this during installation; you can only change this setting after installation. See “Changing an IP Address,” on page 289 for details.
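As an added illustration of the renewal versus reissuance comparison in “CA Certificate Renewal or Reissuance” above (example code written for this page, not part of the CMS product or its documentation), the following Go program issues an end-entity certificate under a sample CA and then, one day after that CA certificate has expired, checks whether the end-entity certificate still chains to a renewed CA certificate (same subject name and key pair, extended validity) and to a reissued one (new name and key pair), and whether the end entity’s authorityKeyIdentifier still matches the renewed CA’s subjectKeyIdentifier. All names, serial numbers and validity periods are constructed sample values, and Go’s standard crypto/x509 chain builder stands in for the application doing the verification.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues the certificate described by tmpl under parent, signed with key (parent == tmpl: self-signed).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate, so it parses
	return c
}
// selfSignedCA builds a CA certificate; subject, serial and validity are constructed sample values.
func selfSignedCA(cn string, serial int64, notAfter time.Time, key *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return sign(t, t, &key.PublicKey, key)
}
// Transition issues an end-entity certificate under the old CA and, one day after that CA certificate expires,
// checks which CA certificate it still chains to and whether its authorityKeyIdentifier matches the renewed CA.
func Transition() (oldOK, renewedOK, reissuedOK, akidMatch bool) {
	oldKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	newKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	eeKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	oldExpiry := time.Now().Add(30 * 24 * time.Hour)
	oldCA := selfSignedCA("Old CA", 1, oldExpiry, oldKey)
	ee := sign(&x509.Certificate{SerialNumber: big.NewInt(100), Subject: pkix.Name{CommonName: "user"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: oldExpiry.Add(365 * 24 * time.Hour)}, // outlives old CA cert
		oldCA, &eeKey.PublicKey, oldKey)
	renewedCA := selfSignedCA("Old CA", 2, oldExpiry.Add(2*365*24*time.Hour), oldKey)  // same name, same key pair
	reissuedCA := selfSignedCA("New CA", 3, oldExpiry.Add(2*365*24*time.Hour), newKey) // new name, new key pair
	chains := func(root *x509.Certificate) bool { // does ee verify with root as the only trust anchor?
		pool := x509.NewCertPool()
		pool.AddCert(root)
		_, err := ee.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: oldExpiry.Add(24 * time.Hour)})
		return err == nil
	}
	return chains(oldCA), chains(renewedCA), chains(reissuedCA), bytes.Equal(ee.AuthorityKeyId, renewedCA.SubjectKeyId)
}
```

Once the old CA certificate has expired, the end-entity certificate chains only to the renewed CA certificate (whose subjectKeyIdentifier still matches the end entity’s authorityKeyIdentifier), not to the reissued one, which is why reissuance requires every certificate issued by the old CA to be renewed by the new CA.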