Enabling Revocation Checking For The Tps And Ra - Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual

Chapter 7. Using the Online Certificate Status Protocol Responder
ca.ocsp=false

7.4. Enabling Revocation Checking for the TPS and RA

Both the TPS and RA subsystems use web-based administrative services, which require administrators and agents to authenticate using SSL client certificates. The TPS also uses certificate-based authentication for officers to access the Enterprise Security Client interfaces.

Because administrative functions depend on having a valid certificate, the validity of the certificate should be checked in both subsystems so that suspended or lost tokens or revoked certificates cannot be used to gain access to the administrative functions of the subsystem.

OCSP checking can be enabled in both the TPS and the RA by setting certain parameters in their nss.conf files. Most of the configuration for enabling OCSP validation is already in the file, but it needs to be uncommented and configured.
NOTE

NSS, part of the Apache web server used by the TPS and the RA, provides the mechanism for contacting the OCSP service. However, NSS caches OCSP responses for 60 minutes. If the TPS or RA polls again for the revocation status of a certificate within an hour of its being checked, NSS returns the cached response, even if the revocation status has changed.

If there is a very important or vulnerable certificate revocation, then it may be beneficial to restart the subsystem to clear its NSS cache so an inaccurate status cannot be returned.
1. Update to the latest version of NSS.

   yum update nss

2. Open the subsystem's nss.conf file. For example:

   vim /var/lib/pki-tps/conf/nss.conf

3. Enable OCSP checking, and set the information for the OCSP service to use by uncommenting three lines:

   NSSOCSP on
   NSSOCSPDefaultResponder on
   NSSOCSPDefaultURL http://ocsp.example.com:11180/ocsp/ocsp

   The TPS and RA can be configured to work with the CA's internal OCSP service or an external OCSP Manager.

4. Set the certificate to use for authentication for OCSP validation.

   NSSOCSPDefaultName caCert
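The manual edit in steps 3 and 4 is easy to get wrong across several TPS and RA instances (a directive left commented out, or set twice). The script below is an added example, not part of the manual or the product: it activates the four NSSOCSP* directives in an nss.conf idempotently and then verifies that each one is present exactly as expected. The file path, responder URL and nickname are placeholders taken from the steps above; the sample nss.conf it edits is constructed here for the demonstration.

```sh
#!/bin/sh
# Added example: idempotently enable NSS OCSP checking in a TPS/RA nss.conf.
set -e

# Activate one "Directive value" line in the given nss.conf. Any existing copy of
# the directive, commented out or not, is replaced in place; if the directive is
# absent it is appended. The name must match a whole word, so "NSSOCSP" does not
# touch "NSSOCSPDefaultResponder".
set_nss_directive() {
    conf="$1"; name="$2"; value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${name}([[:space:]]|$)" "$conf"; then
        tmp="${conf}.tmp.$$"
        sed -E "s|^[[:space:]]*#?[[:space:]]*${name}([[:space:]].*)?$|${name} ${value}|" "$conf" > "$tmp"
        mv "$tmp" "$conf"
    else
        printf '%s %s\n' "$name" "$value" >> "$conf"
    fi
}

# Apply the directives from steps 3 and 4 (responder URL and signer nickname are arguments).
enable_nss_ocsp() {
    conf="$1"; url="$2"; signer="$3"
    set_nss_directive "$conf" NSSOCSP on
    set_nss_directive "$conf" NSSOCSPDefaultResponder on
    set_nss_directive "$conf" NSSOCSPDefaultURL "$url"
    set_nss_directive "$conf" NSSOCSPDefaultName "$signer"
}

# Succeed only if all four directives are active (uncommented, whole-line match) with the expected values.
check_nss_ocsp() {
    conf="$1"; url="$2"; signer="$3"
    grep -Fxq "NSSOCSP on" "$conf" &&
    grep -Fxq "NSSOCSPDefaultResponder on" "$conf" &&
    grep -Fxq "NSSOCSPDefaultURL $url" "$conf" &&
    grep -Fxq "NSSOCSPDefaultName $signer" "$conf"
}

# Constructed sample nss.conf fragment (not a file shipped with the product).
demo_conf="$(mktemp)"
cat > "$demo_conf" <<'EOF'
# NSSOCSP on
# NSSOCSPDefaultResponder on
# NSSOCSPDefaultURL http://ocsp.example.com:11180/ocsp/ocsp
NSSEngine on
EOF
enable_nss_ocsp "$demo_conf" "http://ocsp.example.com:11180/ocsp/ocsp" caCert
check_nss_ocsp "$demo_conf" "http://ocsp.example.com:11180/ocsp/ocsp" caCert && cat "$demo_conf"
rm -f "$demo_conf"
```

After editing a real instance, restart the subsystem so the running server picks up the new directives and starts with an empty NSS OCSP cache.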