About OCSP Publishing; How Publishing Works - Red Hat Certificate System 7.1 Administrator's Manual


About OCSP Publishing

CS provides two forms of OCSP services: an internal service and the Online Certificate Status Manager subsystem. The internal service checks the internal database of the Certificate Manager to report on the status of a certificate. The internal service is not set up for publishing; it uses the certificates stored in its internal database to determine the status of a certificate. The Online Certificate Status Manager checks CRLs sent to it by one or more Certificate Managers. You set up publishing for the Online Certificate Status Manager in the Certificate Managers that will send it CRLs: one publisher for each location you will send a CRL to, and one rule for each type of CRL you will send.
For detailed information on both OCSP services, see Chapter 5, "OCSP Responder."

How Publishing Works

When publishing is enabled, every time a certificate or a CRL is issued, updated, or revoked, the publishing system is invoked and the certificate or CRL is evaluated by the rules to see if it matches the type and predicate set in each rule. The type setting specifies whether the object is a CRL, a CA certificate, or any other certificate except a CA certificate. The predicate setting can be used to further specify the type of object being evaluated. For example, it can specify user certificates, or it can specify west coast user certificates. To use predicates, a value needs to be entered in the predicate field of the publishing rule, and a corresponding value (although formatted somewhat differently) needs to be contained in the certificate or certificate request itself in order for a match to occur. The value in the certificate or certificate request may be derived from information in the certificate, such as the type of certificate, or may be derived from a hidden value that is placed in the request form. If no predicate is set, all objects of that type are considered matching; for example, all CRLs will match the rule if CRL is set as the type.
Every rule that is matched publishes the certificate or CRL according to the method and location specified in that rule. A given certificate or CRL can match no rules, one rule, more than one rule, or all rules. The publishing system attempts to match every certificate and CRL issued against all rules.
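The rule evaluation described above, modelled as an added example (not code from the manual or from Certificate System itself): each rule carries a type, an optional predicate and a publisher, an object is tested against every rule, and every matching rule publishes it. The file and LDAP publishers, the attribute names and the sample objects are hypothetical stand-ins; only the location /etc/CS/certificates and the attribute userCertificate;binary come from the manual.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Object types a publishing rule can select, as the manual describes them:
# a CRL, a CA certificate, or any other certificate except a CA certificate.
CRL, CA_CERT, CERT = "crl", "cacert", "certs"

@dataclass
class PublishRule:
    name: str
    obj_type: str
    publisher: Callable[[dict], str]   # publisher attached to this rule
    predicate: Optional[dict] = None   # None: every object of obj_type matches

def rule_matches(rule: PublishRule, obj: dict) -> bool:
    """Type must match; with a predicate, every predicate attribute must be
    present on the object with the same value. No predicate matches all of the type."""
    if obj["type"] != rule.obj_type:
        return False
    if rule.predicate is None:
        return True
    attrs = obj.get("attrs", {})
    return all(attrs.get(k) == v for k, v in rule.predicate.items())

def publish(obj: dict, rules: list) -> list:
    """Evaluate one object against all rules; every matching rule publishes it,
    so the result may hold zero, one or several publisher outputs."""
    return [rule.publisher(obj) for rule in rules if rule_matches(rule, obj)]

# Hypothetical publishers standing in for the manual's file and LDAP publishers;
# each returns a description of where the object would be written.
def file_publisher(directory: str) -> Callable[[dict], str]:
    return lambda obj: f"file:{directory}/{obj['serial']}.der"

def ldap_publisher(attribute: str) -> Callable[[dict], str]:
    return lambda obj: f"ldap:{obj['attrs']['dn']}:{attribute}"

RULES = [
    PublishRule("users-to-file", CERT, file_publisher("/etc/CS/certificates"), {"certType": "user"}),
    PublishRule("users-to-ldap", CERT, ldap_publisher("userCertificate;binary"), {"certType": "user"}),
    PublishRule("west-coast-users", CERT, file_publisher("/etc/CS/westcoast"),
                {"certType": "user", "region": "west"}),
    PublishRule("all-crls", CRL, file_publisher("/etc/CS/crls")),  # no predicate
]

# Constructed sample objects (not real certificates): a west-coast user cert, a server cert, a CRL.
ALICE = {"type": CERT, "serial": "0x1a",
         "attrs": {"certType": "user", "region": "west", "dn": "uid=alice,ou=people,dc=example,dc=com"}}
SERVER = {"type": CERT, "serial": "0x2b", "attrs": {"certType": "server"}}
CRL_7 = {"type": CRL, "serial": "crl-7", "attrs": {}}
```

Running `publish(ALICE, RULES)` shows one certificate matching three rules and being published three times, while the server certificate matches no rule and is not published at all.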
When a rule is matched, the certificate or CRL is published according to the method and location specified in the publisher associated with that rule. For example, if a rule matches all certificates issued to users, and the rule has a publisher that publishes to a file in the location /etc/CS/certificates, the certificate will be published as a file in this location. If another rule matches all certificates issued to users, and the rule has a publisher that publishes to the LDAP attribute userCertificate;binary, the certificate will be published in the directory specified when you enabled LDAP publishing, in this attribute in the user's entry.

About Publishing
Chapter 16 Publishing 597
