Publishing of CRLs to an LDAP Directory - Netscape Management System 4.5 Installation and Setup Manual


Publishing of CRLs

Publishing of CRLs to an LDAP Directory

The Certificate Manager can publish the CRL to an LDAP-compliant directory
using the LDAP protocol or LDAP over SSL (LDAPS) protocol, and applications
can retrieve the CRL over HTTP. Support for retrieving CRLs over HTTP enables
some browsers, such as Netscape Communicator, to automatically import the latest
CRL from the directory that receives regular updates from the Certificate Manager.
The browser can then use the CRL to automatically check all certificates to ensure
that they have not been revoked.
For applications that are incapable of retrieving the CRL over HTTP, the Certificate
Manager also supports retrieval of the CRL in binary form. For example, if the
browser you've deployed doesn't support CRL retrieval over HTTP, your users
may download the CRL to a local file and then import the file into their browsers
by an appropriate method.
You can configure a Certificate Manager to publish the CRL it maintains to a
directory, for example, to the same directory in which end-entity certificates are
published. If you configure the Certificate Manager and directory to work
properly, any changes to the CRL information in the Certificate Manager are
automatically updated in the publishing directory. Note that the server publishes
the CRL to the certificateRevocationList;binary attribute of the CA's entry in
the directory. To locate the correct directory entry, the Certificate Manager uses
object mapping rules; to publish the CRL to the correct attribute of the located
entry, the server uses publishing rules. For details about mapper and publisher
rules, see Chapter 5, "Mapper Plug-in Modules" and Chapter 6, "Publisher Plug-in
Modules" of CMS Plug-ins Guide.
Directory updates take place depending on how you configure the Certificate
Manager: publish the CRL to the directory every time a certificate is
revoked, at specific intervals, or both. It's important to understand that when the
Certificate Manager revokes a certificate, it marks the copy of the certificate in its
internal database as revoked, generates the CRL, and then publishes it to the
configured directory. For example, if you configure the server to publish the CRL
every time a certificate is revoked, a CRL will be generated whenever a certificate is
revoked.
For instructions on configuring a Certificate Manager for publishing CRLs to a
directory, see "Configuring a Certificate Manager to Publish Certificates and
CRLs" on page 615.
If the Certificate Manager and publishing directory become out of sync for some
reason, privileged users (administrators and agents) can also manually initiate the
publishing process. For instructions, see "Manually Updating the CRL in the
Directory" on page 664.
614
Netscape Certificate Management System Installation and Setup Guide • October 2001
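Once a client has fetched the CRL in binary form from the directory (the value of the certificateRevocationList;binary attribute of the CA's entry), it still has to parse it, confirm it is current, and look up the serial numbers it is about to trust. The following is an added example, not code from this manual or from Netscape CMS: a standard-library Python parser for a DER-encoded X.509 CRL, exercised against a sample CRL that is constructed inline. The sample carries a dummy signature that is not verified (a real client must verify the CA's signature over the CRL before relying on it), and the names build_sample_crl, parse_crl, crl_is_current and is_revoked are my own.

```python
"""Parse a DER-encoded X.509 CRL with the standard library only, check its
freshness, and look up serial numbers.  The sample CRL is constructed here for
illustration; its signature bytes are dummy and are not verified."""
from datetime import datetime, timezone

# --- minimal DER encoder, used only to build the constructed sample CRL ---
def _len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _len(len(body)) + body

def _int(n: int) -> bytes:
    # one extra bit of room keeps the sign bit clear for positive integers
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _utctime(dt: datetime) -> bytes:
    return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def build_sample_crl(this_update, next_update, revoked_serials):
    """Constructed sample: CertificateList { tbsCertList, sigAlg, signature }."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
    issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03")
                                           + _tlv(0x13, b"Sample CA"))))
    entries = b"".join(_tlv(0x30, _int(s) + _utctime(this_update)) for s in revoked_serials)
    tbs = _tlv(0x30, _int(1) + sha256_rsa + issuer + _utctime(this_update)
               + _utctime(next_update) + _tlv(0x30, entries))
    dummy_signature = _tlv(0x03, b"\x00" + b"\xAA" * 32)   # placeholder, not a real signature
    return _tlv(0x30, tbs + sha256_rsa + dummy_signature)

# --- DER parser ---
def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos (short and long lengths)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _children(body: bytes):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def _parse_time(tag: int, val: bytes) -> datetime:
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)

def parse_crl(der: bytes) -> dict:
    """Extract thisUpdate, nextUpdate and the set of revoked serial numbers."""
    _, cert_list, _ = _read_tlv(der, 0)
    fields = _children(_children(cert_list)[0][1])      # TBSCertList fields
    i = 1 if fields[0][0] == 0x02 else 0                 # optional version
    i += 2                                               # signature AlgorithmIdentifier, issuer Name
    this_update = _parse_time(*fields[i]); i += 1
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        next_update = _parse_time(*fields[i]); i += 1
    revoked = set()
    if i < len(fields) and fields[i][0] == 0x30:         # revokedCertificates
        for _, entry in _children(fields[i][1]):
            revoked.add(int.from_bytes(_children(entry)[0][1], "big"))
    return {"this_update": this_update, "next_update": next_update, "revoked": revoked}

def crl_is_current(crl: dict, now: datetime) -> bool:
    """A CRL past nextUpdate is stale: the directory copy needs refreshing before it can be trusted."""
    if crl["this_update"] > now:
        return False
    return crl["next_update"] is None or now <= crl["next_update"]

def is_revoked(crl: dict, serial: int) -> bool:
    return serial in crl["revoked"]

if __name__ == "__main__":
    utc = timezone.utc
    der = build_sample_crl(datetime(2001, 10, 1, tzinfo=utc), datetime(2001, 10, 8, tzinfo=utc),
                           [0x1001, 0x1002])
    crl = parse_crl(der)
    print("current on 2001-10-03:", crl_is_current(crl, datetime(2001, 10, 3, tzinfo=utc)))
    print("serial 0x1001 revoked:", is_revoked(crl, 0x1001))
```

The freshness check is the part most often skipped in practice: a CRL whose nextUpdate has passed is exactly what the out-of-sync case above produces, and a client that keeps accepting it gets no revocation protection. Obtaining the bytes from the directory is outside the example; with OpenLDAP's ldapsearch, for instance, the -t option writes a binary attribute value to a file, which can then be handed to parse_crl.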
