To import a CA certificate into the certificate database of a subordinate Certificate
Manager, you can use the Certificate Setup Wizard. For instructions, see "Using the
Wizard to Install a Certificate or Certificate Chain" on page 471. After you install
the certificate, follow the instructions in "Changing the Trust Settings
of a CA Certificate" on page 505 to trust the CA certificate you imported.
• Step 1. Before You Begin
• Step 2. Install an OCSP-Compliant Client
• Step 3. Identify the CA to the OCSP Responder
• Step 4. Configure the Certificate Manager to Publish CRLs
• Step 5. Configure Certificate Manager for Required Extension Policies
• Step 6. Configure the Online Certificate Status Manager
• Step 7. Restart the Certificate Manager
• Step 8. Restart the Online Certificate Status Manager
• Step 9. Verify Certificate Manager and Online Certificate Status Manager Connection
• Step 10. Test Your OCSP Responder Setup
Note that the Online Certificate Status Manager can be configured to receive CRLs
from more than one Certificate Manager. If your deployment has many CAs and
you want all of them to publish CRLs to the same Online Certificate Status
Manager, you should repeat the above steps for each Certificate Manager.
Step 1. Before You Begin
Before you configure a Certificate Manager (CA) to publish CRLs to an OCSP
responder, do the following:
• If you are unfamiliar with Online Certificate Status Protocol (OCSP), read the
  PKIX draft RFC 2560 available at this site:
  http://www.ietf.org/rfc/rfc2560.txt
• Read section "What's an OCSP-Compliant PKI Setup?" on page 690.
Setting Up a Remote OCSP Responder
Chapter 21
Setting Up an OCSP Responder
709