Certificate Manager Deployment Considerations
84 Netscape Certificate Management System Administrator's Guide • February 2003

Self-Signed Root vs. Subordinate CA

A Certificate Manager can be set up as a self-signing root CA. You set up a self-signing root CA by choosing this option when you install. A self-signing root CA issues and signs its own certificates. The subsystems are then issued certificates by this self-signing CA.

A Certificate Manager can be set up as a subordinate CA. It can be subordinate either to a public CA that signs its certificates, or to another CMS CA that signs its certificates. A subordinate CA is restricted in the types of certificates it can issue, and in what the content of those certificates can be, by the contents and settings of the CA signing certificate issued to it.

For the purposes of an initial pilot, it is easiest to make the CA a self-signed root, so that you won't need to apply to a third party and wait for the certificate to be issued. Before deploying a full-blown PKI, however, you will need to consider this question carefully.

Understanding Certificate Manager Subordination

A Certificate Manager (or CA) is subordinate to another CA because its CA signing certificate, the certificate that allows it to issue certificates, is issued by another CA. The CA that issued the subordinate CA signing certificate controls the subordinate CA through the contents of that CA signing certificate. The issuing CA can constrain the subordinate CA through the kinds of certificates it can issue, the extensions it is allowed to include in certificates, the number of levels of subordinate CAs the subordinate CA can create, and the validity period of the certificates it can issue, as well as the validity period of the subordinate CA's own signing certificate.

Although a subordinate CA can create certificates that violate these constraints, a client authenticating a certificate that violates those constraints will not accept that certificate.

Subordination to a Public CA

If you want your CA to chain up to a third-party public CA, you must carefully consider the restrictions that public CAs place on the kinds of certificates your CA can issue and on the nature of the certificate chain. For example, a CA that chains up to a third-party CA might be restricted to issuing only Secure Multipurpose Internet Mail Extensions (S/MIME) and SSL client authentication certificates, but not SSL server certificates. In addition, a CA that chains up to a third-party CA might not be allowed to have any subordinate CAs and might have to obey certain restrictions on its use of certificate extensions. These and other restrictions may be acceptable for some PKI deployments but not for others.
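The checks a relying client applies when it refuses a certificate that violates the issuing CA's constraints, as an added example that is not part of the guide and not CMS code. It is a simplified Python model (the Cert class, validate_chain and the sample chain are constructed for illustration) of the situation described above: a subordinate CA whose public-root-issued signing certificate permits only S/MIME and SSL client certificates and no further subordinate CAs.

```python
from dataclasses import dataclass
from datetime import date

# Constructed, simplified certificate model: only the fields a client consults when
# enforcing the issuer-imposed constraints described in the text (hypothetical).
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool
    path_len: "int | None"    # basicConstraints pathLenConstraint; None = unlimited
    ekus: frozenset           # extendedKeyUsage purposes; empty = any purpose
    not_before: date
    not_after: date

def validate_chain(chain):
    """chain is [leaf, ..., root]; returns (accepted, reason). Models pathLenConstraint,
    EKU nesting as NSS-style clients apply it, and validity nesting; signatures,
    revocation and name constraints are out of scope for this model."""
    root = chain[-1]
    if root.subject != root.issuer or not root.is_ca:
        return False, "chain does not end in a self-signed CA"
    allowed_ekus, remaining_depth, parent = root.ekus, root.path_len, root
    for cert in reversed(chain[:-1]):  # walk downward from the trust anchor
        if cert.issuer != parent.subject:
            return False, f"{cert.subject}: not issued by {parent.subject}"
        if cert.not_before < parent.not_before or cert.not_after > parent.not_after:
            return False, f"{cert.subject}: validity exceeds issuer's validity"
        if allowed_ekus and not (cert.ekus and cert.ekus <= allowed_ekus):
            return False, f"{cert.subject}: purpose not permitted by issuing CA"
        if cert.is_ca:
            if remaining_depth == 0:
                return False, f"{cert.subject}: issuer's pathLenConstraint forbids another CA level"
            remaining_depth = None if remaining_depth is None else remaining_depth - 1
            if cert.path_len is not None and (remaining_depth is None or cert.path_len < remaining_depth):
                remaining_depth = cert.path_len
            if cert.ekus:  # a CA can only narrow the purposes it inherited
                allowed_ekus = cert.ekus & allowed_ekus if allowed_ekus else cert.ekus
        parent = cert
    return True, "accepted"

# Constructed sample chain modelled on the text's example: the public root's certificate
# for Corp CA permits only S/MIME and SSL client certificates and no further sub-CAs.
PUBLIC_ROOT = Cert("Public Root", "Public Root", True, None, frozenset(), date(2000, 1, 1), date(2020, 1, 1))
CORP_CA = Cert("Corp CA", "Public Root", True, 0, frozenset({"clientAuth", "emailProtection"}), date(2003, 1, 1), date(2008, 1, 1))
SMIME_USER = Cert("alice", "Corp CA", False, None, frozenset({"emailProtection"}), date(2004, 1, 1), date(2005, 1, 1))
SSL_SERVER = Cert("www", "Corp CA", False, None, frozenset({"serverAuth"}), date(2004, 1, 1), date(2005, 1, 1))
DEPT_CA = Cert("Dept CA", "Corp CA", True, None, frozenset({"emailProtection"}), date(2004, 1, 1), date(2006, 1, 1))
DEPT_USER = Cert("bob", "Dept CA", False, None, frozenset({"emailProtection"}), date(2004, 6, 1), date(2005, 1, 1))
LONG_LIVED = Cert("carol", "Corp CA", False, None, frozenset({"emailProtection"}), date(2004, 1, 1), date(2010, 1, 1))
```

Running validate_chain on each of the sample chains shows the S/MIME certificate accepted while the SSL server certificate, the extra CA level and the over-long validity period are each rejected, even though Corp CA was technically able to issue them.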