About Rules; Publishing to Files; LDAP Publishing - Red Hat Certificate System 7.2 - Administration Manual

Chapter 14. Publishing

14.1.3. About Rules

Rules for file, LDAP, and OCSP publishing tell the server whether and how a certificate or CRL is
to be published. A rule first defines what is to be published, a certificate or CRL matching certain
characteristics, by setting a type and predicate for the rule. A rule then specifies the publishing method
and location by being associated with a publisher and, for LDAP publishing, with a mapper.
Rules can be as simple or as complex as the PKI deployment requires and are flexible enough to
accommodate different scenarios.

14.1.4. Publishing to Files

The server can publish certificates and CRLs to flat files, which can then be imported into any
repository, such as a relational database. When the server is configured to publish certificates and
CRLs to file, the files created are DER-encoded binary blobs.
• For each certificate the server issues, it creates a file that contains the certificate in its DER-encoded format. Each file is named cert-serial_number.der, where serial_number specifies the serial number of the certificate contained in the file. For example, the filename for a certificate with serial number 1234 is cert-1234.der.
• Every time the server generates a CRL, it creates a file that contains the new CRL in its DER-encoded format. Each file is named crl-this_update.der, where this_update specifies the value derived from the time-dependent This Update variable of the CRL contained in the file. For example, the filename for a CRL with This Update: Friday January 28 15:36:00 PST 2008, is crl-94.3696899.der.
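Because a downstream repository trusts the filename to tell it which certificate a published file holds, a consumer should confirm that the serial number in cert-serial_number.der matches the serialNumber inside the DER blob before importing it. The following is an added example, not code from the manual or from Certificate System; it uses a minimal DER reader and a constructed sample blob rather than a real published file.

```python
import re
from typing import Tuple

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def certificate_serial(der: bytes) -> int:
    """Return the serialNumber of a DER-encoded X.509 Certificate."""
    tag, cert, _ = _read_tlv(der, 0)                    # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)                    # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate SEQUENCE expected")
    tag, val, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                                     # optional [0] EXPLICIT version
        tag, val, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    return int.from_bytes(val, "big", signed=True)

CERT_FILENAME = re.compile(r"^cert-(\d+)\.der$")

def check_published_cert(filename: str, der: bytes) -> bool:
    """True only if the file is named cert-<serial>.der and <serial> matches the blob."""
    m = CERT_FILENAME.match(filename)
    if m is None:
        return False
    return int(m.group(1)) == certificate_serial(der)

def _der(tag: int, body: bytes) -> bytes:
    """Encode one short-form DER TLV (only used to build the constructed sample)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

# Constructed sample: only the leading TBSCertificate fields the check reads
# (version v3, serialNumber 1234); a real published file carries the whole certificate.
SAMPLE_TBS = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, (1234).to_bytes(2, "big"))
SAMPLE_CERT = _der(0x30, _der(0x30, SAMPLE_TBS))
```

Run check_published_cert over each cert-*.der in the publishing directory and reject (and alert on) any file whose embedded serial disagrees with its name.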

14.1.5. LDAP Publishing

In LDAP publishing, the server publishes the certificates, CRLs, and other certificate-related objects
to a directory using LDAP or LDAPS. The branch of the directory to which it publishes is called the
publishing directory.
• For each certificate the server issues, it creates a blob that contains the certificate in its DER-encoded binary format and stores it in the specified attribute of the user's entry.
• Every time the server generates a CRL, it creates a blob that contains the new CRL in its DER-encoded format and stores it in the specified attribute of the entry for the CA.
The server can publish certificates and CRLs to an LDAP-compliant directory using the LDAP protocol
or LDAP over SSL (LDAPS) protocol, and applications can retrieve the certificates and CRLs over
HTTP. Support for retrieving certificates and CRLs over HTTP enables some browsers to import
the latest CRL automatically from the directory that receives regular updates from the server. The
browser can then use the CRL to check all certificates automatically to ensure that they have not been
revoked.
For LDAP publishing to work, the user entry must be present in the LDAP directory.
If the server and publishing directory become out of sync for some reason, privileged users
(administrators and agents) can also manually initiate the publishing process. For instructions, see
Section 14.10.2, "Manually Updating the CRL in the Directory".
