11.3.3. Rules of distribution and owner hosts

The owner host is the machine allowed to use the private key. (For example, when specifying on a host which certificate should be used for authentication to management agents, only the certificates owned by the given host can be selected.) It is important to set the owner host of a certificate, otherwise it is impossible to use that certificate entity for all purposes (such as authentication).

Distribution of certificates can be handled automatically by MS. MS examines which certificates are used by the given host, and deploys only those. This ensures that certificates are not unnecessarily present on all machines.

Any part of the certificate entity has to be deployed to the proper host in order to be used. Two main rules govern the distribution (deployment) of certificate entities:

  • Every certificate entity is distributed only to those hosts that actually use it, and only the used parts are deployed.

  • The private key can be used only on the host(s) that are set as the owner host of the certificate entity. (Therefore the private key is only distributed to the owner host of the certificate entity.)

Note

CAs do not belong to a single host, but to the whole site, therefore their certificate entity (including their private key) can be made available on each host.

Certificates (not the full entity, only the certificate part) can be distributed everywhere.
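The distribution rules above, written out as a small deployment-plan calculator. This is an added illustration, not MS's own code: the entity model (`CertEntity`, `owner_hosts`, `used_by`, `is_ca`) and the part names are hypothetical, and the plan it produces only reflects the rules stated in this section.

```python
from dataclasses import dataclass, field

# Hypothetical model of a certificate entity as MS tracks it (assumption, not MS's schema).
@dataclass
class CertEntity:
    name: str
    owner_hosts: set = field(default_factory=set)  # hosts allowed to use the private key
    used_by: set = field(default_factory=set)      # hosts that reference this entity
    is_ca: bool = False                            # CAs belong to the whole site

def deployment_plan(entities, all_hosts):
    """Return {host: {entity_name: set_of_parts}} following the distribution rules."""
    plan = {host: {} for host in all_hosts}
    for ent in entities:
        if ent.is_ca:
            # Rule for CAs: the whole entity, private key included, may go to every host.
            for host in all_hosts:
                plan[host][ent.name] = {"certificate", "private_key"}
            continue
        # Rule 1: only hosts that actually use the entity receive anything,
        # and only the parts they need (the certificate part is always safe to ship).
        for host in ent.used_by:
            parts = {"certificate"}
            # Rule 2: the private key is deployed only to the owner host(s).
            if host in ent.owner_hosts:
                parts.add("private_key")
            plan.setdefault(host, {}).setdefault(ent.name, set()).update(parts)
    return plan

def entities_without_owner(entities):
    """Non-CA entities with no owner host: these cannot be used for authentication anywhere."""
    return sorted(e.name for e in entities if not e.is_ca and not e.owner_hosts)

# Constructed sample configuration: three hosts, one owned entity, one site CA, one misconfigured entity.
SAMPLE_HOSTS = {"fw1", "fw2", "fw3"}
SAMPLE_ENTITIES = [
    CertEntity("fw1-agent-auth", owner_hosts={"fw1"}, used_by={"fw1", "fw2"}),
    CertEntity("site-ca", is_ca=True),
    CertEntity("orphan-cert", used_by={"fw2"}),  # no owner host set
]

if __name__ == "__main__":
    for host, ents in sorted(deployment_plan(SAMPLE_ENTITIES, SAMPLE_HOSTS).items()):
        print(host, {n: sorted(p) for n, p in ents.items()})
    print("unusable for authentication:", entities_without_owner(SAMPLE_ENTITIES))
```

Running the sample shows that fw2 receives only the certificate part of the entity owned by fw1, fw3 receives nothing of it, and every host gets the site CA.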

Warning

Distribution should only be performed for complete, consistent settings. Distributing incomplete or only partially refreshed configuration can lead to lockouts. This is especially true when regenerating the keys of transfer agents. To prevent such situations, it might be useful to disable the automatic distribution when making large modifications to the PKI system, and re-enable it only after the new configuration is finished.