The designated agents for each subsystem are responsible for the everyday management of end-entity requests and other aspects of the PKI:
To perform the privileged operations of an agent, you use the CMS Agent Services pages. To access these pages, you must have a personal SSL client certificate, and the CMS administrator must have identified you as a privileged user in the user database. For more information on how to get set up as a privileged user, see the Netscape Certificate Management System Administrator's Guide.
Certificate Manager Agent Services
The default entry page to the Certificate Manager agent services is shown in Figure 1.2. To access these pages, you must be a designated Certificate Manager agent and your client software must have a valid certificate identifying you as such.
Figure 1.2    Certificate Manager Agent Services page
As a Certificate Manager agent, you can perform the following tasks:
- Handle certificate requests. You can list the certificate service requests received by the Certificate Manager subsystem, assign requests to yourself, reject or cancel requests, and approve requests for certificate enrollment. See Chapter 2, "Handling Certificate Requests."
- Clone requests. You can clone any request, whether it's still pending, canceled, rejected, or completed. This can be useful in a variety of situations. For example, if a user receives a certificate that doesn't work because it has been incorrectly formulated, you can locate the completed request, clone it, and correct it without requiring the user to enroll a second time. Cloning a request gives it a new request ID number and puts it into the list of pending requests, but does not change the status of the original request.
- Find certificates. You can search for individual certificates, or search for and list certificates by various criteria, then display the details of certificates you have found. See Chapter 3, "Finding and Revoking Certificates."
- Revoke certificates. If a user's key has been compromised, you need to revoke the user's certificate to ensure that the key is not misused. You may also need to revoke the certificates of users who have left the organization. You can use Certificate Manager Agent Services to find and revoke a specific certificate or a set of certificates. Users can also revoke their own certificates. See "Revoking Certificates" in Chapter 3.
- Update the CRL. The Certificate Manager maintains a public list of certificates that have been revoked, called the certificate revocation list (CRL). The list is usually maintained automatically, but you may sometimes need to use the Certificate Manager Agent Services page to update the list manually. See "Updating the CRL" in Chapter 3.
- Publish certificates to a directory. You can set up Certificate Management System to publish certificates and lists of revoked certificates in an LDAP directory. Certificate information is usually published automatically, but you may sometimes need to use the Certificate Manager Agent Services page to update the directory manually. See Chapter 4, "Publishing to a Directory."
Registration Manager Agent Services
The default entry page to the Registration Manager agent services is shown in Figure 1.3. To access these pages, you must be a designated Registration Manager agent and your client software must have a valid certificate identifying you as such.
Figure 1.3    Registration Manager Agent Services page
As a Registration Manager agent, you can handle certificate requests. You can list the certificate service requests received by the Registration Manager subsystem, assign requests to yourself, reject or cancel requests, clone requests, and approve enrollment requests to be passed on to the Certificate Manager for issuance. See Chapter 2, "Handling Certificate Requests."
Data Recovery Manager Agent Services
The default entry page to the Data Recovery Manager agent services is shown in Figure 1.4. To access these pages, you must be a designated Data Recovery Manager agent and your client software must have a valid certificate identifying you as such.
Figure 1.4    Data Recovery Manager Agent Services page
As a Data Recovery Manager agent, you can perform the following tasks:
Key recovery requires the authorization of one or more recovery agents. The administrator for the Data Recovery Manager designates recovery agents. Typically, several recovery agents own portions of the storage key for the Data Recovery Manager. The approval of m of a total of n agents is required to authorize key recovery. The values of m and n for your installation of the Data Recovery Manager are determined by the administrator in charge of the subsystem.
For more information on these tasks, see Chapter 5, "Recovering Encrypted Data."
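The m-of-n authorization described above, as an added illustration that is not part of this guide and is not Certificate Management System's own storage-key mechanism: a Shamir secret-sharing split of a storage key so that any m of n recovery agents can reconstruct it, while fewer than m cannot. The prime-field modulus, the share layout and the sample key are assumptions of the example.

```python
# Added illustration (not CMS's own code): m-of-n recovery-agent authorization
# modelled with Shamir secret sharing over a prime field.
import secrets

# Assumption: the storage key is an integer below this 257-bit prime
# (2**256 + 297 is the smallest prime above 2**256, so 256-bit keys fit).
PRIME = 2**256 + 297


def split_key(key, m, n):
    """Split `key` into n shares, one per agent; any m of them rebuild it."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if not 0 <= key < PRIME:
        raise ValueError("key must be an integer in [0, PRIME)")
    # Random polynomial f of degree m-1 whose constant term is the key.
    coeffs = [key] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):        # agent x holds the point (x, f(x))
        y = 0
        for c in reversed(coeffs):   # Horner evaluation of f(x) mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_key(shares, m):
    """Rebuild the key from at least m distinct shares (Lagrange at x=0)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share from the same agent")
    if len(shares) < m:
        raise ValueError(f"only {len(shares)} of the required {m} agents approved")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


if __name__ == "__main__":
    key = secrets.randbelow(PRIME)           # constructed sample storage key
    shares = split_key(key, 3, 5)            # 3-of-5 policy
    assert recover_key([shares[0], shares[2], shares[4]], 3) == key
    print("3 of 5 agents reconstructed the storage key")
```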