Managing the Certificate Database
314 Netscape Certificate Management System Administrator’s Guide • February 2003

After you install a certificate chain in the trust database of a CMS instance, check the trust status of each certificate that got installed, and make sure that the correct CA certificates are trusted. For instructions, see “Changing the Trust Settings of a CA Certificate” on page 296.

Consideration When Getting New Certificates for the Subsystems

You may need to get new certificates for the CMS manager installed in a CMS instance. Getting a new certificate means getting a certificate based on a new public and private key pair.

The sections that follow explain how to get new certificates for a Certificate Manager, Registration Manager, Data Recovery Manager, and Online Certificate Status Manager using the Certificate Setup Wizard. Alternatively, you can use the command-line utility called the Certificate Database tool (certutil). For details about this tool, check this site:

Getting a new certificate for a CMS manager requires careful planning. This section provides some guidelines that will help you request and install the new certificate.

Determine which certificate you want to get

You can get CA signing, OCSP signing, CRL signing, and SSL server certificates for the Certificate Manager; signing and SSL server certificates for the Registration Manager; transport and SSL server certificates for the Data Recovery Manager; and signing and SSL server certificates for the Online Certificate Status Manager. For details about certificates used by a CMS manager.

• If you have deployed a Certificate Manager as your root CA and if you want to get a new self-signed CA certificate for that Certificate Manager, you must consider the possible effects on your PKI setup of changing the key pair of the root CA.
  If you reissue the Certificate Manager’s CA signing certificate with new key material, none of the certificates issued or signed by the CA using its old key will work, because when you change the root CA key, all certificates that rely on the CA certificate for validation will no longer be validated. For example, if the CA has issued certificates to subordinate Certificate Managers, Registration Managers, Data Recovery Managers, Online Certificate Status Managers, and agents, all those certificates will become invalid—the subsystems will fail to function, and agents will fail to access agent interfaces.
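
The effect of re-keying a root CA can be reproduced outside CMS. The script below is an added example, not part of the guide and not the Certificate Setup Wizard or certutil procedure: it assumes the openssl command-line tool, and every subject name and file name in it is constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: subjects, file names and lifetimes are made up.
# Assumes the openssl CLI; this is not the CMS wizard or certutil procedure.

# build_demo_pki DIR: old root, a subordinate cert signed by it, and a
# re-keyed root that keeps the same subject name but has a new key pair.
build_demo_pki() {
    dir=$1
    subj_root="/O=Example Corp/CN=Example Root CA"
    # Original root CA: self-signed certificate over the old key pair.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$subj_root" \
        -keyout "$dir/root_old.key" -out "$dir/root_old.pem" 2>/dev/null || return 1
    # Subordinate (stand-in for a Registration Manager signing certificate).
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Corp/CN=Example Registration Manager" \
        -keyout "$dir/sub.key" -out "$dir/sub.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/sub.csr" -days 30 \
        -CA "$dir/root_old.pem" -CAkey "$dir/root_old.key" -CAcreateserial \
        -out "$dir/sub.pem" 2>/dev/null || return 1
    # Re-keyed root: identical subject, brand-new key pair.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$subj_root" \
        -keyout "$dir/root_new.key" -out "$dir/root_new.pem" 2>/dev/null || return 1
}

# check_chain ROOT CERT: print "valid" if CERT chains to ROOT, else "invalid".
check_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

# Build the demo PKI in a scratch directory and compare both trust anchors.
demo() {
    tmp=$(mktemp -d) || return 1
    build_demo_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    echo "subordinate vs old root key: $(check_chain "$tmp/root_old.pem" "$tmp/sub.pem")"
    echo "subordinate vs new root key: $(check_chain "$tmp/root_new.pem" "$tmp/sub.pem")"
    rm -rf "$tmp"
}
demo
```

The new root carries the same subject name as the old one, so the subordinate certificate still names it as issuer, but the signature on the subordinate no longer checks against the new public key.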