Managing Certificates    792    Managing Servers with Netscape Console • December 2001

Keys can be generated by client software or generated centrally by the CA and distributed to users via an LDAP directory. There are trade-offs involved in choosing between local and centralized key generation. For example, local key generation provides maximum nonrepudiation, but may involve more participation by the user in the issuing process. Flexible key management capabilities are essential for most organizations.

Key recovery, or the ability to retrieve backups of encryption keys under carefully defined conditions, can be a crucial part of certificate management (depending on how an organization uses certificates). Key recovery schemes usually involve an m of n mechanism: for example, m of n managers within an organization might have to agree, and each contribute a special code or key of their own, before a particular person’s encryption key can be recovered. This kind of mechanism ensures that several authorized personnel must agree before an encryption key can be recovered.

Renewing and Revoking Certificates

Like a driver’s license, a certificate specifies a period of time during which it is valid. Attempts to use a certificate for authentication before or after its validity period will fail. Therefore, mechanisms for managing certificate renewal are essential for any certificate management strategy. For example, an administrator may wish to be notified automatically when a certificate is about to expire, so that an appropriate renewal process can be completed in plenty of time without causing the certificate’s subject any inconvenience. The renewal process may involve reusing the same public-private key pair or issuing a new one.

A driver’s license can be suspended even if it has not expired—for example, as punishment for a serious driving offense. Similarly, it’s sometimes necessary to revoke a certificate before it has expired—for example, if an employee leaves a company or moves to a new job within the company.

Certificate revocation can be handled in several different ways. For some organizations, it may be sufficient to set up servers so that the authentication process includes checking the directory for the presence of the certificate being presented. When an administrator revokes a certificate, the certificate can be automatically removed from the directory, and subsequent authentication attempts with that certificate will fail even though the certificate remains valid in every other respect. Another approach involves publishing a certificate revocation list (CRL)—that is, a list of revoked certificates—to the directory at regular