Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT Deployment Manual page 38

Chapter 2. Overview of Red Hat Certificate System Subsystems
• A responder with a public key trusted by the client. Such a responder is called a trusted responder.
• A responder that holds a specially marked certificate issued to it directly by the CA that revokes the
certificates and publishes the CRL; the mark is the OCSPSigning value of the Extended Key Usage
extension. Possession of this certificate indicates that the CA has authorized the responder to issue
OCSP responses for certificates revoked by that CA. Such a responder is called a CA-designated
responder or a CA-authorized responder. A client that accepts this kind of responder must check that
the responder certificate was issued by the same CA that issued the certificate being queried and that
it carries that extended key usage; a certificate from another CA, or one without the usage, is not
authorized to answer for this CA.
The end-entities page of a Certificate Manager includes a form for manually requesting a certificate for
the OCSP responder. The default enrollment form includes all the attributes that identify the certificate
as an OCSP responder certificate. The required certificate extensions, such as the Extended Key Usage
with the OCSPSigning value and OCSPNoCheck, which tells clients not to check the revocation status of
the responder certificate itself, are added to the certificate when the certificate request is submitted.
2.1.3.2. OCSP Responses
The OCSP response that the client receives indicates the current status of the certificate as
determined by the OCSP responder. The response could be any of the following:
• Good or Verified . Specifies a positive response to the status inquiry, meaning the certificate has
not been revoked. It does not necessarily mean that the certificate was issued by the CA or that it is
within its validity interval, so the client must still validate the certificate chain and the validity dates.
Response extensions may be used to convey additional information on assertions made by the
responder regarding the status of the certificate.
• Revoked . Specifies that the certificate has been revoked, either permanently or temporarily (for
example, placed on hold). The response carries the revocation time and, when known, the reason.
Based on the status, the client decides whether to accept the certificate.
NOTE
The OCSP responder will never return a response of Unknown. The response will always
be either Good or Revoked. The OCSP protocol itself also defines an Unknown status for
certificates a responder has no information about; Certificate System does not use it, so a
serial number that does not appear on any CRL the responder holds is reported as Good.
2.1.3.3. OCSP Services
There are two ways to set up OCSP services:
• The OCSP service built into the Certificate Manager
• The Online Certificate Status Manager subsystem
In addition to its built-in OCSP service, the Certificate Manager can publish CRLs to an OCSP-compliant
validation authority. CAs can be configured to publish CRLs to the Certificate System Online Certificate
Status Manager. The Online Certificate Status Manager stores each Certificate Manager's CRL in its
internal database and uses the appropriate CRL to verify the revocation status of a certificate when
queried by an OCSP-compliant client.
The Certificate Manager can generate and publish CRLs whenever a certificate is revoked and at
specified intervals. Because the purpose of an OCSP responder is to facilitate immediate verification
of certificates, the Certificate Manager should publish the CRL to the Online Certificate Status
Manager every time a certificate is revoked. Publishing only at intervals means that, between a
revocation and the next scheduled publication, the OCSP service answers from a CRL that does not yet
list the revoked certificate and reports it as Good.
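The following is an added example, not code from the Certificate System manual or from the product, that models the flow described in 2.1.3.1 to 2.1.3.3 with the third-party Python cryptography package: a CRL-backed responder in the CA-designated model that never answers Unknown, the client-side checks on the responder certificate (issued directly by the CA, Extended Key Usage OCSPSigning, OCSPNoCheck), and the window in which a responder holding a CRL that predates a revocation still answers Good. The CA name, serial numbers, keys and the CrlBackedResponder class are constructed for the illustration.

```python
# Added example, not code from the Certificate System manual: a CRL-backed OCSP responder in
# the CA-designated model plus the client-side checks. Uses the third-party 'cryptography'
# package; every name, key and serial below is constructed for the demonstration.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

HOUR = datetime.timedelta(hours=1)
_now = lambda: datetime.datetime.now(datetime.timezone.utc)  # noqa: E731

def _issue(cn, key, issuer_name, issuer_key, serial, exts=()):
    # issuer_key decides who really signed the certificate; issuer_name is only a claim
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
         .issuer_name(issuer_name).public_key(key.public_key()).serial_number(serial)
         .not_valid_before(_now() - HOUR).not_valid_after(_now() + 365 * 24 * HOUR))
    for ext, critical in exts:
        b = b.add_extension(ext, critical=critical)
    return b.sign(issuer_key, hashes.SHA256())

def build_crl(ca_cert, ca_key, revoked):
    """revoked: list of (serial, ReasonFlags); an empty list models a CRL that predates a revocation."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(_now()).next_update(_now() + 24 * HOUR))
    for serial, reason in revoked:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(_now())
            .add_extension(x509.CRLReason(reason), critical=False).build())
    return b.sign(ca_key, hashes.SHA256())

class CrlBackedResponder:
    """Models the Online Certificate Status Manager: answers only from the CRL last published
    to it and never says Unknown; a serial absent from that CRL is reported as Good."""
    def __init__(self, ca_cert, signer_cert, signer_key):
        self.ca_cert, self.signer_cert, self.signer_key = ca_cert, signer_cert, signer_key
        self.crl = None  # set by publishing a CRL to the responder

    def respond(self, cert):
        """Return the DER-encoded, signed OCSP response for cert."""
        entry = self.crl.get_revoked_certificate_by_serial_number(cert.serial_number)
        status, rev_time, reason = ocsp.OCSPCertStatus.GOOD, None, None
        if entry is not None:
            status = ocsp.OCSPCertStatus.REVOKED
            # newer 'cryptography' releases expose a timezone-aware revocation_date_utc
            rev_time = getattr(entry, "revocation_date_utc", None) or entry.revocation_date
            reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
        resp = (ocsp.OCSPResponseBuilder()
                .add_response(cert=cert, issuer=self.ca_cert, algorithm=hashes.SHA1(),
                              cert_status=status, this_update=_now(), next_update=_now() + HOUR,
                              revocation_time=rev_time, revocation_reason=reason)
                .responder_id(ocsp.OCSPResponderEncoding.HASH, self.signer_cert)
                .certificates([self.signer_cert])  # ship the signer so the client can check it
                .sign(self.signer_key, hashes.SHA256()))
        return resp.public_bytes(serialization.Encoding.DER)

def verify_response(der, ca_cert):
    """Client acceptance of a CA-designated responder's answer: (status, has OCSPNoCheck)."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError("responder error: %s" % resp.response_status)
    signer = resp.certificates[0]
    if signer.issuer != ca_cert.subject:  # 1. issued directly by the CA of the target cert
        raise ValueError("responder certificate not issued by this CA")
    ca_cert.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                                padding.PKCS1v15(), signer.signature_hash_algorithm)
    eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:  # 2. marked by the CA as an OCSP signer
        raise ValueError("responder certificate lacks id-kp-OCSPSigning")
    signer.public_key().verify(resp.signature, resp.tbs_response_bytes,  # 3. response signature
                               padding.PKCS1v15(), resp.signature_hash_algorithm)
    try:  # with OCSPNoCheck the client does not revocation-check the responder itself
        signer.extensions.get_extension_for_class(x509.OCSPNoCheck)
        nocheck = True
    except x509.ExtensionNotFound:
        nocheck = False
    return resp.certificate_status, nocheck

def issued_by(cert, ca_cert):
    """Good is not proof of issuance: the chain has to be verified separately."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False

def demo():
    ca_key, ocsp_key, ee_key, rogue_key = (rsa.generate_private_key(65537, 2048) for _ in range(4))
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])
    ca = _issue("Example CA", ca_key, ca_name, ca_key, 1,
                [(x509.BasicConstraints(ca=True, path_length=None), True)])
    responder_cert = _issue("OCSP Responder", ocsp_key, ca_name, ca_key, 2,
                            [(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), False),
                             (x509.OCSPNoCheck(), False)])
    good = _issue("good.example", ee_key, ca_name, ca_key, 3)
    held = _issue("held.example", ee_key, ca_name, ca_key, 4)
    rogue = _issue("rogue.example", rogue_key, ca_name, rogue_key, 0x1337)  # the CA never issued this
    responder, out = CrlBackedResponder(ca, responder_cert, ocsp_key), {}
    responder.crl = build_crl(ca, ca_key, [])  # CRL published before serial 4 was revoked
    out["held_stale_crl"] = verify_response(responder.respond(held), ca)[0]
    responder.crl = build_crl(ca, ca_key, [(4, x509.ReasonFlags.certificate_hold)])
    out["held_fresh_crl"] = verify_response(responder.respond(held), ca)[0]
    out["good"], out["nocheck"] = verify_response(responder.respond(good), ca)
    out["rogue"] = verify_response(responder.respond(rogue), ca)[0]  # Good: it is on no CRL
    out["rogue_issued_by_ca"] = issued_by(rogue, ca)
    return out
```

Running demo() shows the two points a practitioner should take from this page: held_stale_crl is Good while held_fresh_crl is Revoked, which is the window that publishing only at intervals leaves open, and the rogue certificate is reported Good even though issued_by() shows the CA never signed it, so a Good answer only complements chain validation and never replaces it.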