Setting Up A Redirect For Certificates Issued In Certificate System 7.1 And Earlier - Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual


Setting up a Redirect for Certificates Issued in Certificate System 7.1 and Earlier

# OCSPClient server.example.com 11443 /var/lib/pki-ca/alias 'caSigningCert cert-pki-ca' 1 /export/output.txt 1
URI: /ocsp/ee/ocsp
Data Length: 68
Data: MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ
44kgy35o7xW5BMzM8FTvyTwCAQE=
2. Connect to the OCSP Manager using wget to send the OCSP request.
wget https://server.example.com:11443/ocsp/ee/ocsp/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE= --no-check-certificate
--16:34:34-- https://server.example.com:11443/ocsp/ee/ocsp/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE=
=> `MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE='
Resolving server.example.com... 192.168.123.224
Connecting to server.example.com|192.168.123.224|:11443... connected.
WARNING: Certificate verification error for server.example.com: self signed certificate in certificate chain
HTTP request sent, awaiting response... 200 OK
Length: 2,362 (2.3K) [application/ocsp-response]
100%[======================================================================>] 2,362 --.--K/s
16:34:34 (474.43 MB/s) - `MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE=' saved [2362/2362]
3. The status for the specified certificate is written to the OCSP's debug log and can be GoodInfo,
RevokeInfo, or UnknownInfo.
[16/Jul/2009:16:48:47][http-11443-Processor24]: Serial Number: 1
Status: com.netscape.cmsutil.ocsp.GoodInfo
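The following is an added example, not part of the Red Hat manual or the Certificate System code. It decodes the base64 request printed in step 1 to show what the GET URL carries (hash algorithm, issuer hashes, serial number) and builds the URL with the percent-encoding RFC 6960 Appendix A specifies for GET requests. The function names are hypothetical, and the parser assumes the shape seen here: one request, with no optional version, requestor name, or extensions.

```python
import base64
from urllib.parse import quote

# Request exactly as OCSPClient printed it in step 1 (the two "Data:" lines joined).
REQUEST_B64 = ("MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ"
               "44kgy35o7xW5BMzM8FTvyTwCAQE=")

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode DER OID content bytes into dotted form (first arc 0 or 1 only)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_single_request(der):
    """Walk OCSPRequest > TBSRequest > requestList > Request > CertID."""
    value = der
    for _ in range(5):                     # five nested SEQUENCEs (tag 0x30)
        tag, value, _ = read_tlv(value)
        if tag != 0x30:
            raise ValueError("expected SEQUENCE; optional fields are not handled")
    _, alg, pos = read_tlv(value)          # AlgorithmIdentifier of the hash
    _, oid, _ = read_tlv(alg)
    _, name_hash, pos = read_tlv(value, pos)
    _, key_hash, pos = read_tlv(value, pos)
    _, serial, _ = read_tlv(value, pos)
    return {"hash_oid": decode_oid(oid), "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(), "serial": int.from_bytes(serial, "big")}

def get_url(base, b64):
    """Percent-encode '+', '/' and '=' so the base64 stays one path segment."""
    return base.rstrip("/") + "/" + quote(b64, safe="")

if __name__ == "__main__":
    print(parse_single_request(base64.b64decode(REQUEST_B64)))
    print(get_url("https://server.example.com:11443/ocsp/ee/ocsp", REQUEST_B64))
```

The decoded serial number is 1, matching the "Serial Number: 1" entry in the debug log above, and the hash OID 1.3.14.3.2.26 is SHA-1.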
For certificates issued by a 7.1 CA with the Authority Information Access extension to be sent to the
OCSP with the GET method, a redirect needs to be created to forward the requests to the appropriate
URL, as described in Section 7.7, "Setting up a Redirect for Certificates Issued in Certificate System
7.1 and Earlier".
7.7. Setting up a Redirect for Certificates Issued in Certificate System 7.1 and Earlier
The location for the OCSP user pages, specified in the URL with the file root /ocsp/ee/ocsp/,
is different in Certificate System 8.0 than the location in Certificate System 7.1, which was simply
/ocsp/. In order for certificates issued by a 7.1 CA with the Authority Information Access extension to
be sent to the OCSP, create a redirect to forward the requests to the appropriate URL.
NOTE
Setting the redirect is only required to manage certificates issued by a 7.1 CA with the
Authority Information Access extension. If the certificates are issued by a later version