Managing the Certificate Database

298 Netscape Certificate Management System Administrator’s Guide • February 2003

When the Registration Manager attempts to request a service from the Certificate Manager (using the renewed certificate for SSL client authentication), the Certificate Manager fails to authenticate the Registration Manager. This happens because, as a part of validating the certificate presented by the Registration Manager, the Certificate Manager checks its certificate database for the CA that signed the Registration Manager’s certificate. The Certificate Manager does not find the CA listed in its trust database as a trusted CA, so it rejects the Registration Manager’s service request.

The Certificate Setup Wizard built into the CMS window automates the process of installing trusted CA certificates in the certificate database. For instructions on using the wizard, see “Using the Wizard to Install a Certificate or Certificate Chain” on page 309.

Installing a CA Certificate Chain in the Certificate Database

Any client or server software that supports certificates maintains a collection of trusted CA certificates in its certificate database. These CA certificates determine which other certificates the software can validate—in other words, which issuers of certificates the software can trust. In the simplest case, the software can validate only certificates issued by one of the CAs for which it has a certificate. It’s also possible for a trusted CA certificate to be part of a chain of CA certificates, each issued by the CA above it in a certificate hierarchy; for details on certificate hierarchies and certificate chains, see “How CA Certificates Are Used to Establish Trust” in Appendix D of Managing Servers with Netscape Console.

Certificate Setup Wizard

CMS provides a wizard, called the Certificate Setup Wizard, which automates the process of requesting and installing the certificates required by the CMS manager—Certificate Manager, Registration Manager, Data Recovery Manager, or Online Certificate Status Manager—installed in a CMS instance.

NOTE Be sure to choose the “Other Trusted CAs” option in Step 2 of the wizard process.
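
The rejection described at the top of this page, and its fix, can be reproduced outside CMS. The script below is an added example, not part of the guide or of CMS: it uses the OpenSSL command line, with a PEM bundle standing in for the Certificate Manager's trust database. All CA names, subjects and file paths are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: CA names, subjects and file paths are illustrative assumptions.
# A PEM bundle stands in for the Certificate Manager's trust database.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed CA key and certificate under $WORK.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert CA NAME: issue an end-entity certificate NAME signed by CA.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -set_serial 1 -days 1 -out "$WORK/$2.pem" 2>/dev/null
}

# is_trusted BUNDLE CERT: succeed only if CERT chains to a CA in BUNDLE and is
# acceptable for SSL client authentication. The output is parsed rather than
# relying on the exit status alone.
is_trusted() {
    openssl verify -purpose sslclient -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# verdict BUNDLE CERT: print "accepted" or "rejected".
verdict() {
    if is_trusted "$1" "$2"; then echo accepted; else echo rejected; fi
}

make_ca internal-ca        # CA already present in the trust database
make_ca third-party-ca     # CA that signed the renewed certificate
issue_cert third-party-ca registration-manager

cp "$WORK/internal-ca.pem" "$WORK/trusted.pem"
BEFORE=$(verdict "$WORK/trusted.pem" "$WORK/registration-manager.pem")

# Install the issuing CA as a trusted CA, then validate the same certificate again.
cat "$WORK/third-party-ca.pem" >> "$WORK/trusted.pem"
AFTER=$(verdict "$WORK/trusted.pem" "$WORK/registration-manager.pem")

echo "before install: $BEFORE, after install: $AFTER"
```

The certificate itself never changes between the two checks; only the verifier's set of trusted CAs does, which is why the fix belongs on the Certificate Manager side.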