OCSPSigningExt Rule - Netscape Certificate Management System 4.5 - Plug-in Manual

ExtendedKeyUsageExt Plug-in Module

OCSPSigningExt Rule

The rule named OCSPSigningExt is an instance of the ExtendedKeyUsageExt
module. Certificate Management System automatically creates this rule during
installation. By default, the rule is configured as follows:

- The rule is enabled.
- The predicate expression is set (HTTP_PARAMS.certType==ocspResponder) so
  that the extension gets added to an OCSP responder certificate only, that is,
  the certificate corresponding to the key an online validation authority uses
  to sign OCSP responses.
- The extension is marked noncritical (to comply with the PKIX
  recommendation).
- The extension contains a single key-usage purpose, identified by an OID
  (id0=1.3.6.1.5.5.7.3.9, the id-kp-OCSPSigning purpose).

Note that this policy rule must remain enabled if your PKI setup includes a
CA-delegated OCSP responder and you want to issue an OCSP responder
certificate to that server: the rule adds the extended key usage extension to
the OCSP responder certificate, indicating that the associated key can be used
for signing OCSP responses. OCSP-compliant clients will not accept responses
signed by a delegated key whose certificate lacks this purpose. The protocol
also requires a delegated responder certificate to be issued by the same CA
that issued the certificates it answers for (RFC 2560), so issue it from that
Certificate Manager, not from another CA in the hierarchy.

Here is some background information that will help you understand why you
should set this extension in OCSP responder certificates:

The Online Certificate Status Protocol (OCSP) enables OCSP-compliant applications
to determine the revocation status of a certificate being validated. Certificate
Management System supports the OCSP service: you can configure a Certificate
Manager to publish CRLs to an online validation authority (also called an OCSP
responder); for details, see Chapter 21, "Setting Up an OCSP Responder," of the
CMS Installation and Setup Guide. If you configure Certificate Management System
to work with an OCSP responder, OCSP-compliant applications in your PKI setup
will be able to do real-time verification of certificates by querying the OCSP
responder for their revocation status. Note that these applications will be able
to query the OCSP responder only if the certificate being validated includes the
authority information access extension indicating the location of the OCSP
responder; for information on adding this extension to certificates, see
"AuthInfoAccessExt Plug-in Module" on page 134.

Netscape Certificate Management System Plug-ins Guide • October 2001, page 174
