Ldap Publishing; Setting Up Publishing - Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual
Chapter 8. Publishing Certificates and CRLs
For detailed information on both OCSP services, see Chapter 7, Using the Online Certificate Status Protocol Responder.

8.1.6. LDAP Publishing

In LDAP publishing, the server publishes the certificates, CRLs, and other certificate-related objects to a directory using LDAP or LDAPS. The branch of the directory to which it publishes is called the publishing directory.

• For each certificate the server issues, it creates a blob that contains the certificate in its DER-encoded format in the specified attribute of the user's entry. The certificate is published as a DER-encoded binary blob.
• Every time the server generates a CRL, it creates a blob that contains the new CRL in its DER-encoded format in the specified attribute of the entry for the CA.

The server can publish certificates and CRLs to an LDAP-compliant directory using the LDAP protocol or LDAP over SSL (LDAPS) protocol, and applications can retrieve the certificates and CRLs over HTTP. Support for retrieving certificates and CRLs over HTTP enables some browsers to import the latest CRL automatically from the directory that receives regular updates from the server. The browser can then use the CRL to check all certificates automatically to ensure that they have not been revoked.

For LDAP publishing to work, the user entry must be present in the LDAP directory.

If the server and publishing directory become out of sync for some reason, privileged users (administrators and agents) can also manually initiate the publishing process. For instructions, see Section 8.7.2, "Manually Updating the CRL in the Directory".

8.2. Setting up Publishing

The general process to configure publishing involves setting up a publisher to publish the certificates or CRLs to the specific location. There can be a single publisher or multiple publishers, depending on how many locations will be used. The locations can be split by certificates and CRLs or finer definitions, such as certificate type. Rules determine which type to publish and to what location by being associated with the publisher.

1. Publishing to file simply publishes the CRLs or certificates to text files on a given host. This is covered in Section 8.2.1, "Configuring Publishing to a File".
2. Publishing to an OCSP Manager is a way to publish CRLs to a specific location for client verification. This is covered in Section 8.2.2, "Configuring Publishing to an OCSP". For OCSP publishing, CRLs must be configured before they can be published. See Chapter 6, Revoking Certificates and Issuing CRLs.
3. LDAP publishing publishes the certificates to specific entries within an LDAP database, so other clients can access the entries. There are three steps for configuring LDAP publishing:
   a. Configure the Directory Server to which certificates will be published. Refer to Section 8.2.3.1, "Configuring the LDAP Directory".
   b. Configure a publisher for each type of object published: CA certificates, cross-pair certificates, CRLs, and user certificates. The publisher declares in which attribute to store the object.
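The mechanics described in Section 8.1.6 and Section 8.2 (a rule selects a publisher, the publisher names the attribute, the DER blob lands in an entry that must already exist) can be modelled in a few lines. The following Python script is an added example, not code from the Red Hat Certificate System product or this manual: it uses only the standard library, constructs two tiny ASN.1 SEQUENCE blobs as stand-ins for a real DER certificate and CRL, keeps a constructed set of existing DNs in place of a live directory, and emits the LDIF modify operation that would store the blob. The publisher and rule names (`LdapUserCertPublisher`, `user-cert`, and so on) and the example DNs are assumptions; the attribute names `userCertificate;binary`, `caCertificate;binary` and `certificateRevocationList;binary` are the standard LDAP binary attributes for these objects.

```python
import base64
from dataclasses import dataclass

# Constructed sample DER blobs: minimal ASN.1 SEQUENCE wrappers that stand in
# for a DER-encoded certificate and CRL. They are not real X.509 objects; a
# real deployment publishes the DER bytes the CA actually produced.
SAMPLE_USER_CERT_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_CRL_DER = bytes([0x30, 0x05, 0x02, 0x01, 0x02, 0x05, 0x00])

# Constructed stand-in for the publishing directory: the DNs that already
# exist. LDAP publishing only modifies an entry, so the target must be present.
EXISTING_ENTRIES = {
    "uid=jdoe,ou=People,dc=example,dc=com",
    "cn=Certificate Authority,ou=CA,dc=example,dc=com",
}


@dataclass(frozen=True)
class Publisher:
    """One publisher: which attribute of the target entry receives the blob."""
    name: str
    attribute: str


# Hypothetical publisher names (assumption); the attributes are the standard
# LDAP binary attributes for certificates and CRLs.
PUBLISHERS = {
    "LdapUserCertPublisher": Publisher("LdapUserCertPublisher", "userCertificate;binary"),
    "LdapCaCertPublisher": Publisher("LdapCaCertPublisher", "caCertificate;binary"),
    "LdapCrlPublisher": Publisher("LdapCrlPublisher", "certificateRevocationList;binary"),
}

# Rules associate an object type with the publisher that handles it.
RULES = {
    "user-cert": "LdapUserCertPublisher",
    "ca-cert": "LdapCaCertPublisher",
    "crl": "LdapCrlPublisher",
}


def is_der_sequence(blob: bytes) -> bool:
    """Check that the blob is one complete DER SEQUENCE (tag 0x30) whose encoded
    length matches the byte count; rejects PEM text and truncated data."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    else:                                  # long-form length: 0x8N then N bytes
        n = first & 0x7F
        if n == 0 or len(blob) < 2 + n:
            return False
        length = int.from_bytes(blob[2:2 + n], "big")
        header = 2 + n
    return header + length == len(blob)


def target_entry_exists(dn: str, existing=EXISTING_ENTRIES) -> bool:
    """Publishing updates an existing entry; it never creates one."""
    return dn in existing


def build_publish_ldif(obj_type: str, blob: bytes, target_dn: str,
                       existing=EXISTING_ENTRIES) -> str:
    """Resolve rule -> publisher, validate the blob, and emit the LDIF modify
    that stores the DER bytes (base64, '::' syntax) in the publisher's attribute."""
    publisher = PUBLISHERS[RULES[obj_type]]
    if not is_der_sequence(blob):
        raise ValueError("blob is not a single DER SEQUENCE; PEM or truncated data?")
    if not target_entry_exists(target_dn, existing):
        raise LookupError(f"target entry {target_dn!r} is not in the publishing directory")
    b64 = base64.b64encode(blob).decode("ascii")
    return "\n".join([
        f"dn: {target_dn}",
        "changetype: modify",
        f"replace: {publisher.attribute}",
        f"{publisher.attribute}:: {b64}",
        "-",
        "",
    ])


def decode_published_attribute(ldif_line: str) -> bytes:
    """Consumer side: turn an 'attr;binary:: <base64>' line back into DER bytes."""
    attr, _, value = ldif_line.partition(":: ")
    if not attr.endswith(";binary"):
        raise ValueError("expected a ;binary attribute encoded with '::'")
    return base64.b64decode(value.strip())


if __name__ == "__main__":
    print(build_publish_ldif("user-cert", SAMPLE_USER_CERT_DER,
                             "uid=jdoe,ou=People,dc=example,dc=com"))
    print(build_publish_ldif("crl", SAMPLE_CRL_DER,
                             "cn=Certificate Authority,ou=CA,dc=example,dc=com"))
```

The `is_der_sequence` check is the practical guard: the attribute must hold the raw DER blob, so PEM-armoured or truncated input should be refused before it reaches the directory. The `LookupError` path reflects the rule that the user entry must already exist; an out-of-sync directory shows up here as a missing DN rather than as a silently created entry.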
