Setting Up a Certificate Manager with OCSP Service - Red Hat Certificate System 7.1 Administrator's Manual


As explained earlier, the Online Certificate Status Manager stores each Certificate
Manager's CRL in its internal database and uses it as the default CRL store for verifying
certificates. You can also configure the Online Certificate Status Manager to use the CRL
that a Certificate Manager publishes to an LDAP directory. In this case, the Certificate
Manager does not have to push CRL updates to the Online Certificate Status Manager; it
publishes them to the LDAP directory, which the Online Certificate Status Manager can
read. If you do so, the Online Certificate Status Manager uses the CRL published to the
LDAP directory instead of the CRL in its internal database.
For step-by-step instructions on setting up an OCSP-compliant PKI using the Online
Certificate Status Manager, see "Installing an Online Certificate Status Manager" on
page 165.

Setting Up a Certificate Manager with OCSP Service

The Certificate Manager has a built-in OCSP service that OCSP-compliant clients can use
to verify, in real time, the status of certificates issued by that Certificate Manager. This
section explains how to set up an OCSP-compliant PKI using the Certificate Manager's
OCSP service.
You must have OCSP-compliant clients in order to use the OCSP service.
1. Make sure the OCSP service for the CA is enabled.
2. Set up CRLs. The Certificate Manager must be configured to issue CRLs. See
Chapter 15, "Revocation and CRLs" for details on configuring CRLs.
3. Configure your policies or certificate profiles to include, in the certificates that are
issued, the Authority Information Access extension pointing to the location at which the
Certificate Manager listens for OCSP service requests (identified as the
AuthInfoAccessExt instance in the policy framework). This extension is how clients
locate the OCSP service; certificates issued before it is enabled carry no pointer to the
responder. If you installed the Certificate Manager with the OCSP service on, this policy
instance is created with the correct information for the OCSP service, but it is not
enabled by default. If you installed the Certificate Manager with its OCSP service
disabled, a default policy rule named AuthInfoAccessExt is still created, but it may not
have the correct attributes for adding the Authority Information Access extension to
certificates; you must configure it for this service. See Chapter 12, "Policies" for
details on configuring policies, and "AuthInfoAccessExt," on page 489 for specific
information on this policy module.
4. Make sure the OCSP SSL signing certificate is from a CA that is trusted by the
Certificate Manager. See "OCSP Certificates," on page 179 for more information.
Chapter 5  OCSP Responder  161
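The following script is an added example and is not part of the Red Hat Certificate System manual or its configuration. It rebuilds the four steps above with openssl(1) on a throwaway CA so that each step can be checked: an index file stands in for the CRL store of step 2, every issued certificate carries the Authority Information Access extension of step 3, and the response is signed once by an OCSP signing certificate the CA issued (step 4) and once by a self-signed certificate that no client should accept. The OCSP URL is an assumed placeholder; nothing listens there, and the request and response are exchanged through files rather than HTTP.

```sh
#!/bin/sh
# Added example (not from the Red Hat Certificate System manual): a throwaway PKI
# built with openssl(1) that mirrors the four steps of the procedure above.
#   step 2 -> index.txt is the revocation database the responder answers from
#   step 3 -> every issued cert carries an AIA extension naming the OCSP service
#   step 4 -> the response is signed by a responder cert the CA issued (trusted)
#             and, for contrast, by a self-signed one that must be rejected
# Assumptions: OCSP_URL is a placeholder; nothing listens there and the
# request/response exchange is done through files instead of HTTP.
set -eu

OCSP_URL="http://ocsp.example.test:9080/ocsp"   # assumed placeholder location

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Key pair plus CSR for one subject; openssl's progress chatter is discarded.
new_key_and_csr() {   # name subject-CN
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}

# Issue a certificate from a CSR with a fixed serial and the given extension file.
sign_cert() {   # name serial extfile
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -set_serial "$2" \
    -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
}

setup_pki() {
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -days 30 \
    -subj "/CN=Example Test CA" 2>/dev/null

  # Step 3: the profile for issued certs adds AIA with the OCSP access method.
  printf 'authorityInfoAccess=OCSP;URI:%s\nbasicConstraints=CA:FALSE\n' "$OCSP_URL" > leaf.ext
  new_key_and_csr leaf leaf.example.test;       sign_cert leaf 0x1001 leaf.ext
  new_key_and_csr revoked revoked.example.test; sign_cert revoked 0x1002 leaf.ext

  # Step 4: a delegated OCSP signing certificate issued by the CA itself ...
  printf 'extendedKeyUsage=OCSPSigning\nbasicConstraints=CA:FALSE\n' > ocsp.ext
  new_key_and_csr ocsp "Example OCSP Responder"; sign_cert ocsp 0x1003 ocsp.ext
  # ... and a self-signed responder certificate that does not chain to the CA.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout rogue.key -out rogue.pem \
    -days 30 -subj "/CN=Rogue Responder" 2>/dev/null

  # Step 2: revocation data in openssl ca(1) index format, one tab-separated
  # row per cert: status, expiry, revocation date[,reason], serial, file, subject.
  printf 'V\t301231235959Z\t\t1001\tunknown\t/CN=leaf.example.test\n' > index.txt
  printf 'R\t301231235959Z\t250101000000Z,keyCompromise\t1002\tunknown\t/CN=revoked.example.test\n' >> index.txt
}

# Check for step 3: the OCSP URI a client would extract from the issued cert.
aia_ocsp_uri() {   # certfile
  openssl x509 -in "$1" -noout -ocsp_uri
}

# Responder side: build a request for a cert, answer it from index.txt and sign
# the DER response with the named responder key (the client run verifies it).
ocsp_respond() {   # certfile signer-name outfile
  openssl ocsp -issuer ca.pem -cert "$1" -no_nonce -reqout req.der >/dev/null
  openssl ocsp -index index.txt -CA ca.pem -rsigner "$2.pem" -rkey "$2.key" \
    -reqin req.der -respout "$3" -noverify >/dev/null 2>&1
}

# Client side: accept the response only if its signer chains to the CA (step 4),
# then report the certificate status word; otherwise report verify-failure.
ocsp_status() {   # certfile respfile
  out=$(openssl ocsp -issuer ca.pem -cert "$1" -no_nonce -respin "$2" \
          -CAfile ca.pem 2>/dev/null) || { echo verify-failure; return 0; }
  printf '%s\n' "$out" | awk -v c="$1:" '$1 == c { print $2 }'
}

main() {
  setup_pki
  echo "AIA OCSP URI in leaf.pem:         $(aia_ocsp_uri leaf.pem)"
  ocsp_respond leaf.pem ocsp good.der
  echo "leaf.pem, CA-issued responder:    $(ocsp_status leaf.pem good.der)"
  ocsp_respond revoked.pem ocsp revoked.der
  echo "revoked.pem, CA-issued responder: $(ocsp_status revoked.pem revoked.der)"
  ocsp_respond leaf.pem rogue rogue.der
  echo "leaf.pem, self-signed responder:  $(ocsp_status leaf.pem rogue.der)"
}
main
```

The first line printed is the check for step 3: if a freshly issued certificate does not yield the responder URL from `openssl x509 -ocsp_uri`, the AuthInfoAccessExt policy is not in effect and clients have no way to find the OCSP service. The last line is the check for step 4: a response signed by a certificate that does not chain to the CA is rejected by the client even though the status it carries is "good", which is why the OCSP signing certificate must come from a CA the relying side trusts.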
