How Certificate Management System Works
Netscape Certificate Management System Administrator’s Guide • February 2003

Revocation and CRLs

CMS provides the framework for revoking certificates; revocation can be initiated either by an agent or by the end user. An administrator can also revoke the certificates of any of the subsystems or agents.

CMS also supports CMC Revocation. When the CMCAuth plug-in is enabled, CMC enrollment and CMC revocation are both enabled. CMC Revocation allows you to send signed revocation requests that are automatically processed.

CMS is capable of producing Certificate Revocation Lists (CRLs) that it can publish to files, to an LDAP directory, or to an OCSP responder.

You can also set up CRLs by Certificate Issuing Points, allowing you to create more than one CRL, each defined by its issuing point. For example, you can issue a CRL for just CA Signing certificates, or separate CRLs for California and Florida end user certificates.

Delta CRLs can also be produced; these contain only the certificates revoked since the last CRL was produced.

See Chapter 14, “Revocation and CRLs” for complete details.

How the Certificate Manager Works

This section details the processes that a Certificate Manager goes through, and the various configuration settings involved in those processes.

Accepting Enrollment Requests

The Certificate Manager contains an end-entity interface with various forms associated with various types of certificates and various types of users. This interface is customizable, allowing you to show only the forms that are pertinent to your users, change the look and feel of the pages, or add and delete fields for your particular needs. Certificate requests that come through the Certificate Manager’s end-entity interface are processed by the Certificate Manager. If it is an agent-approved enrollment, an agent of the Certificate Manager must approve the request. If it is an automated enrollment, the request is considered approved if the end-entity supplies the correct information and authenticates against the authentication method that has been set up. See the Netscape Certificate Management System Customization Guide for information about customizing the end-entity interface.
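
The issuing-point and delta CRL behaviour described under "Revocation and CRLs" above, modelled in Python as an added example; this is not CMS code or its API. The issuing-point names, the cert_type and state attributes, the sample revocations and the base-number check (modelled on the delta CRL indicator in RFC 5280, not described in this guide) are assumptions.

```python
from collections import namedtuple
from datetime import datetime

# cert_type and state are constructed attributes used only to pick an issuing point.
Revocation = namedtuple("Revocation", "serial cert_type state revoked_at")
# base_number is set only on a delta CRL and names the full CRL it extends.
Crl = namedtuple("Crl", "point number serials base_number", defaults=(None,))

# Hypothetical issuing points: name -> predicate for the certificates it covers.
ISSUING_POINTS = {
    "ca-signing": lambda r: r.cert_type == "ca_signing",
    "california-users": lambda r: r.cert_type == "end_user" and r.state == "CA",
    "florida-users": lambda r: r.cert_type == "end_user" and r.state == "FL",
}

def full_crl(point, number, revocations, now):
    """Full CRL: every covered certificate revoked up to `now`."""
    keep = ISSUING_POINTS[point]
    hits = (r.serial for r in revocations if keep(r) and r.revoked_at <= now)
    return Crl(point, number, frozenset(hits))

def delta_crl(base, number, revocations, base_time, now):
    """Delta CRL: only covered certificates revoked since `base` was produced."""
    keep = ISSUING_POINTS[base.point]
    hits = (r.serial for r in revocations
            if keep(r) and base_time < r.revoked_at <= now)
    return Crl(base.point, number, frozenset(hits), base_number=base.number)

def effective_revoked(base, delta):
    """Relying-party view; a delta is only meaningful with the CRL it extends."""
    if delta.point != base.point or delta.base_number != base.number:
        raise ValueError("delta CRL does not extend this base CRL")
    return base.serials | delta.serials

SAMPLE = [  # constructed sample revocations
    Revocation(0x10, "end_user", "CA", datetime(2003, 2, 1)),
    Revocation(0x11, "end_user", "FL", datetime(2003, 2, 2)),
    Revocation(0x12, "ca_signing", "", datetime(2003, 2, 3)),
    Revocation(0x13, "end_user", "CA", datetime(2003, 2, 10)),
]
T_BASE, T_NOW = datetime(2003, 2, 5), datetime(2003, 2, 12)
```

A relying party that applies a delta on its own, or against the wrong base, sees only part of the revoked set, which is why effective_revoked refuses a mismatched pair.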