The Certificate System is installed on each host running a Certificate System subsystem. The subsystems on that host are then installed with a default configuration covering basic administrative tasks like logging and containing configurable, subsystem-specific plug-in modules. More than one subsystem can be installed on each host, or multiple instances of one subsystem can be installed on the same host or on different hosts.
The Certificate System has five highly-configurable subsystems, which provide flexibility in designing the PKI. The five subsystems that comprise Certificate System are as follows:
The Certificate Manager is the subsystem that provides Certificate Authority functionality for issuing, renewing, revoking, and publishing certificates and creating and publishing CRLs. See Chapter 5, Certificate Manager for details.
The Online Certificate Status Manager is an optional subsystem that provides OCSP responder services, which means it stores CRLs for CAs and can distribute the load for verifying certificate status. See Chapter 6, Online Certificate Status Protocol Responder for details.
The Data Recovery Manager (DRM) is an optional subsystem that provides private encryption key storage and retrieval. See Chapter 7, Data Recovery Manager for details.
The Token Key Service (TKS) manages one or more master keys required to set up secure channels directly to the token management system. The privileged operations such as key generation can only be requested on the tokens through a secure channel.
The Token Processing System (TPS) provides the registration authority functionality in the token management infrastructure and establishes secure channels between the Enterprise Security Client and the back-end subsystems. See Chapter 8, Token Processing System for more information on using the TPS to manage tokens.
The subsystems are highly integrated with each other depending on the deployment scenario and use. OCSP and CA instances work together for CRL publishing and certificate verification. CA and DRM instances work together for key recovery and archival. Smart card tokens, which are processed through a user interface called the Enterprise Security Client, are managed by the TPS. The TPS, however, is configured to work with at least two essential subsystem instances: a TKS to generate keys and a CA to process token operations. A TPS can also be configured to use a DRM for server-side key generation and key archival and recovery.