Setting Up Publishing - Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION Administration Manual

Chapter 15. Publishing
When a certificate is revoked, the server uses the publishing rules to locate and delete the
corresponding certificate from the LDAP directory or from the filesystem.
When a certificate expires, the server can remove that certificate from the configured directory. The
server does not do this automatically; the server must be configured to run the appropriate job. For
details, see Chapter 19, Automated Jobs.

15.2. Setting up Publishing

The general process to configure publishing is as follows:
1. For file publishing, create a publisher for each location to publish files.
There can be a single publisher or multiple publishers, depending on how many locations will be
used. The locations can be split by certificates and CRLs or finer definitions, such as certificate
type. Rules determine which type to publish and to what location by being associated with the
publisher.
For details about setting up publishers, see Section 15.3.1, "Configuring Publishers for Publishing
to a File".
2. For OCSP publishing, create a publisher for each Online Certificate Status Manager to which
CRLs will be published.
There can be a single publisher or multiple publishers, depending on how many locations will be
used. Rules determine which type to publish and to what location by being associated with the
publisher.
For details about setting up publishers, see Section 15.3.2, "Configuring Publishers for Publishing
to OCSP".
3. For LDAP publishing, there are three steps:
a. Configure the Directory Server to which certificates will be published. Refer to Section 15.10,
"Configuring the Directory for LDAP Publishing".
b. Configure a publisher for each type of object published: CA certificates, cross-pair certificates,
CRLs, and user certificates. The publisher declares in which attribute to store the object.
The attributes set by default are the X.500 standard attributes for storing each object type.
This attribute can be changed in the publisher, but, generally, LDAP publishers do not need
to be changed. For more information, see Section 15.3.3, "Configuring Publishers for LDAP
Publishing".
c. Set up mappers to enable an entry's DN to be derived from the certificate's subject name.
This generally does not need to be set for CA certificates, CRLs, and user certificates. There can
be more than one mapper set for a type of certificate. This can be useful, for example, to
publish certificates for two sets of users from different divisions of a company who are located
in different parts of the directory tree. A mapper is created for each of the groups to specify a
different branch of the tree.
For details about setting up mappers, see Section 15.4, "Configuring Mappers".
4. Set rules to determine what certificates are published to the locations. Rules work independently,
not in tandem. A certificate or CRL that is being published is matched against every rule. Any
