Chapter 13. Basic Subsystem Management

This chapter discusses the Certificate System administrative console, the configuration files, and other basic administrative tasks such as starting and stopping the server, managing logs, changing port assignments, and changing the internal database.

13.1. PKI Instances

This version of the Certificate System continues to support separate PKI instances for all subsystems.
Separate PKI instances:
  • run as a single Java-based Apache Tomcat instance,
  • contain a single PKI subsystem (CA, KRA, OCSP, TKS, or TPS), and
  • must utilize unique ports if co-located on the same physical machine or virtual machine (VM).
Additionally, this version of the Certificate System introduces the notion of a shared PKI instance.
Shared PKI instances:
  • run as a single Java-based Apache Tomcat instance,
  • can contain a single PKI subsystem, in which case they are identical to a separate PKI instance,
  • can contain any combination of up to one of each type of PKI subsystem:
    • CA
    • TKS
    • CA, KRA
    • CA, OCSP
    • TKS, TPS
    • CA, KRA, TKS, TPS
    • CA, KRA, OCSP, TKS, TPS
    • and so on.
  • allow all of the subsystems contained within the instance to share the same ports, and
  • must utilize unique ports if more than one shared instance is co-located on the same physical machine or VM.
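
The rules above can be checked against a planned deployment before any instance is created. The following is an added example, not part of the Certificate System or its tooling: the check_layout function, the record fields (host, name, kind, subsystems, ports), and all host names, instance names, and port numbers are constructed for illustration.

```python
from collections import defaultdict

SUBSYSTEM_TYPES = {"CA", "KRA", "OCSP", "TKS", "TPS"}  # types named in this section

def check_layout(instances):
    """Return (instance_or_host, problem) tuples; an empty list means the plan is valid."""
    findings = []
    port_users = defaultdict(set)  # (host, port) -> names of instances using it
    for inst in instances:
        name, subs = inst["name"], inst["subsystems"]
        unknown = sorted(set(subs) - SUBSYSTEM_TYPES)
        if unknown:
            findings.append((name, f"unknown subsystem type(s): {', '.join(unknown)}"))
        # A shared instance holds at most one of each subsystem type.
        repeated = sorted({s for s in subs if subs.count(s) > 1})
        if repeated:
            findings.append((name, f"more than one of: {', '.join(repeated)}"))
        # A separate instance holds exactly one subsystem.
        if inst["kind"] == "separate" and len(subs) != 1:
            findings.append((name, "separate instance must contain exactly one subsystem"))
        elif not subs:
            findings.append((name, "instance contains no subsystem"))
        for port in inst["ports"]:
            port_users[(inst["host"], port)].add(name)
    # Subsystems inside one instance share its ports; two instances on one host may not.
    for (host, port), names in sorted(port_users.items()):
        if len(names) > 1:
            findings.append((host, f"port {port} shared by instances: {', '.join(sorted(names))}"))
    return findings

# Constructed sample plan (assumed values, not defaults of any product).
SAMPLE = [
    {"host": "pki1", "name": "shared-a", "kind": "shared",
     "subsystems": ["CA", "KRA", "OCSP"], "ports": [8080, 8443]},
    {"host": "pki1", "name": "separate-tks", "kind": "separate",
     "subsystems": ["TKS"], "ports": [8443, 9080]},      # 8443 collides on pki1
    {"host": "pki1", "name": "shared-b", "kind": "shared",
     "subsystems": ["CA", "CA"], "ports": [10080, 10443]},  # two CAs in one instance
    {"host": "pki2", "name": "separate-ca", "kind": "separate",
     "subsystems": ["CA"], "ports": [8080, 8443]},       # different host: no conflict
]

if __name__ == "__main__":
    for where, problem in check_layout(SAMPLE):
        print(f"{where}: {problem}")
```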