Setting Up Publishing of CEP Certificates and CRLs - Red Hat Certificate System 7.1 Administrator's Manual

CEP Enrollment

Setting Up Publishing of CEP Certificates and CRLs

Set up the Directory for Publishing CEP Certificates and CRLs

You need to do the following to set up the directory to publish CEP certificates and CRLs:

1. Set up the schema in the directory for publishing. Chapter 16, "Publishing" contains information on setting up Red Hat Directory Server for publishing certificates and CRLs; it covers the directory schema required for publishing certificates and the attributes to which a Certificate Manager publishes end-entity certificates and CRLs.

2. Verify that the Directory Server schema can accommodate VPN clients. You may need to update the Directory Server's schema. The reason for this is that, if you plan on publishing certificates from routers, they may need to be published with the same DN as their certificate subject names. For example, if the certificate subject name contains UnstructuredAddress or UnstructuredName components, you may need to add them to the directory schema:

   unstructuredAddress, 1.2.840.113549.1.9.7, string
   unstructuredName, 1.2.840.113549.1.9.8, string

   Check the directory documentation for instructions on changing the schema.

3. The Directory Server port must be 389. To find out the port number assigned to Directory Server, check its configuration file (which is at <server_root>/slapd-*/slapd.oc.conf). Alternatively, you can also find and change the port number from Red Hat Console.

4. You will need to publish certificates and CRLs to the same tree in the directory; you may customize this if you desire. We recommend that you publish to a tree named after the O attribute in your CA signing certificate. Router certificates will also need to have an O inserted in the subject name; this can be done automatically.

Configure the Certificate Manager for Publishing Certificates and CRLs

In this step, you configure the Certificate Manager to issue router and VPN-client certificates with the CRL Distribution Point extension and to publish the certificates to a directory.

Create an instance of the mapper plug-in named LdapExactMapper and of the publisher plug-in named LdapUserCertPublisher. Once you create these instances, you should create a publishing rule for publishing router certificates. For instructions, see Chapter 16, "Publishing."

Note that the publishing rule must be configured to use the mapper and publisher you create for router certificates. In addition, the predicate expression must be set to HTTP_PARAMS.certType==CEP-Request.

Red Hat Certificate System Administrator's Guide • September 2005
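The following is an added example, not code from the Red Hat manual or from Certificate System itself. It shows, in one script, the checks the directory and publishing steps above imply: whether a router certificate's subject DN uses attribute types (such as unstructuredName or unstructuredAddress) that the directory schema does not yet carry, whether the CA's O is present in the subject so the certificate lands in the tree named after that attribute, what DN an exact-style mapper would publish to, and whether a request matches the rule predicate HTTP_PARAMS.certType==CEP-Request. The schema set, the sample DNs and the CA organization name are constructed; the DN parser is a simplified RFC 4514 parser (single-valued RDNs only), and the mapper and predicate logic are simplifications of LdapExactMapper and of the Certificate System predicate syntax, not the product's own code.

```python
"""Added example (not from the Red Hat manual): checks a router certificate
subject DN against a constructed Directory Server schema, inserts the CA's O
when it is missing, builds the exact-mapper publishing DN, and evaluates the
publishing rule predicate HTTP_PARAMS.certType==CEP-Request."""

# Constructed schema: common attribute types a directory already carries,
# plus the two PKCS#9 attributes the manual says routers may need (assumption
# that these are the only additions required).
BASE_SCHEMA = {"cn", "ou", "o", "c", "l", "st", "uid", "mail"}
PKCS9_EXTRA = {
    "unstructuredaddress": "1.2.840.113549.1.9.7",
    "unstructuredname": "1.2.840.113549.1.9.8",
}


def parse_dn(dn):
    """Split an RFC 4514 DN string into [(type, value), ...], most-specific
    RDN first. Handles backslash-escaped commas; multi-valued RDNs are not
    supported (simplifying assumption)."""
    rdns, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        out.append((attr_type.strip().lower(), value.strip()))
    return out


def missing_schema_attrs(dn, schema_extended=False):
    """Attribute types in the subject DN that the directory cannot store,
    i.e. the ones step 2 says you must add to the schema."""
    known = set(BASE_SCHEMA)
    if schema_extended:
        known |= set(PKCS9_EXTRA)
    return sorted({t for t, _ in parse_dn(dn) if t not in known})


def ensure_o(dn, ca_o):
    """Router certificates must carry an O so they publish into the tree named
    after the CA's O attribute; append it when absent (the manual notes this
    can be automated; this is one constructed way to do so)."""
    if any(t == "o" for t, _ in parse_dn(dn)):
        return dn
    return dn + ",O=" + ca_o


def publishing_base(ca_o):
    """Recommended publishing tree: named after the CA signing cert's O."""
    return "O=" + ca_o


def publishing_dn(dn, ca_o):
    """Exact-mapper style mapping (simplification of LdapExactMapper): the
    directory entry DN is the certificate subject DN itself."""
    return ensure_o(dn, ca_o)


def rule_applies(http_params, predicate="HTTP_PARAMS.certType==CEP-Request"):
    """Evaluate a simple 'HTTP_PARAMS.<name>==<value>' predicate against the
    HTTP parameters of an enrollment request (simplified predicate grammar)."""
    lhs, _, rhs = predicate.partition("==")
    prefix = "HTTP_PARAMS."
    if not lhs.startswith(prefix) or not rhs:
        raise ValueError("unsupported predicate: " + predicate)
    return http_params.get(lhs[len(prefix):]) == rhs


if __name__ == "__main__":
    # Constructed sample: a router subject that uses unstructuredName and
    # has no O, enrolled through CEP.
    ca_o = "Example Corp"
    router_dn = "CN=router1,unstructuredName=router1.example.test"
    print("missing before schema update:", missing_schema_attrs(router_dn))
    print("missing after schema update: ",
          missing_schema_attrs(router_dn, schema_extended=True))
    print("publish under:", publishing_base(ca_o))
    print("entry DN:     ", publishing_dn(router_dn, ca_o))
    print("rule applies: ", rule_applies({"certType": "CEP-Request"}))
```

Run the script as-is to see the four checks on the constructed router subject; in practice you would feed it the subject DNs you intend to issue and the O of your CA signing certificate, and treat any non-empty result from missing_schema_attrs as a schema change to make before enabling publishing.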