• The browser used that response to validate the certificate and returned its status, that the
certificate could not be verified.
11. Check the independent OCSP service subsystem again to verify that these things happened:
• The Certificate Manager published the CRL to the Online Certificate Status Manager.
• The browser sent an OCSP request to the Online Certificate Status Manager.
• The Online Certificate Status Manager sent an OCSP response to the browser.
• The browser used that response to validate the certificate and returned its status, that the
certificate could not be verified.
7.3. Enabling the Certificate Manager's Internal OCSP Service
The Certificate Manager has a built-in OCSP service, which can be used by OCSP-compliant clients
to query the Certificate Manager directly about the revocation status of the certificate. When the
Certificate Manager is installed, an OCSP signing certificate is issued and the OCSP service is turned
on by default. This OCSP signing certificate is used to sign all responses to OCSP service requests.
Since the internal OCSP service checks the status of certificates stored in the Certificate Manager's
internal database, publishing does not have to be configured to use this service.
Clients can query the OCSP service through the non-SSL end-entity port of the Certificate Manager.
When queried for the revocation status of a certificate, the Certificate Manager searches its internal
database for the certificate, checks its status, and responds to the client. Since the Certificate
Manager has real-time status of all certificates it has issued, this method of revocation checking is the
most accurate.
Every CA's built-in OCSP service is turned on at installation. However, to use this service, the CA
needs to issue certificates with the Authority Information Access extension:
1. Go to the CA's end-entities page. For example:
https://server.example.com:9444/ca/ee/ca
2. Find the CA signing certificate.
3. Look for the Authority Info Access extension in the certificate, and note the Location URIName
value, such as https://server.example.com:9444/ca/ocsp.
4. Update the enrollment profiles to enable the Authority Information Access extension, and set the
Location parameter to the Certificate Manager's URI. For information on editing the certificate
profiles, see Section 2.2, "Setting up Certificate Profiles".
5. Restart the CA instance.
service instance_ID restart
To disable the Certificate Manager's internal OCSP service, edit the CA's CS.cfg file and change the
value of the ca.ocsp parameter to false.