OCSP Signing Key Pair and Certificate - Netscape Certificate Management System 6.01 Installation and Setup Manual

Keys and Certificates for the Main Subsystems
NOTE: You cannot change the CA name; doing so would make all previously issued certificates invalid. Similarly, reissuing a Certificate Manager's CA signing certificate with a new key pair invalidates all certificates that have been signed by the old key pair.

OCSP Signing Key Pair and Certificate

During the installation of a Certificate Manager, you're given the option to enable its OCSP-service feature. This feature enables the Certificate Manager to function as an OCSP responder, so that OCSP-compliant clients can query the Certificate Manager for the revocation status of certificates it has issued. For more information about OCSP responders and setting up a Certificate Manager to function as one, see Chapter 21, "Setting Up an OCSP Responder."

Irrespective of whether you chose to enable the OCSP service feature, the Installation Wizard transparently generates a key pair and a corresponding certificate, identified as the OCSP signing certificate. The reason for generating this certificate even if you chose not to enable the OCSP service is that you can enable the OCSP service feature in the CMS window after installation. This way, if you decide to enable the feature at a future date, you won't have to go through the process of requesting an OCSP signing certificate.

Note that for generating the OCSP signing key pair, the wizard uses some of the information you provide for the CA signing key pair, which is explained in section "CA Signing Key Pair and Certificate" on page 421. The key type, key size, key algorithm, and validity period of the OCSP signing certificate are the same as those you specified for the CA signing key pair. The subject name of the OCSP signing certificate is of the form CN=OCSP cert-<cms_instance_id>, and it contains the extensions, such as OCSPSigning and OCSPNoCheck, required for signing OCSP responses.

The Certificate Manager uses the private key (the one corresponding to the public key in the OCSP signing certificate) to sign the OCSP responses it sends to OCSP-compliant clients when queried about the revocation status of certificates. The Certificate Manager's signature provides persistent proof to the client that the Certificate Manager has processed the request.

The default nickname for the OCSP signing certificate is ocspSigningCert cert-<instance_id>, where <instance_id> identifies the CMS instance in which the Certificate Manager is installed.

422
Netscape Certificate Management System Installation and Setup Guide • May 2002
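As an added example (not from the Netscape CMS manual or its own code), the following openssl script builds a demo CA and a delegated OCSP signing certificate carrying the two extensions the manual names (the OCSPSigning extended key usage and OCSPNoCheck), signs an OCSP response with that certificate's private key, and verifies the response against the CA the way an OCSP-compliant client would. It assumes the openssl CLI (1.1.1 or 3.x); the CA name, the instance id "demo", and the leaf certificate are constructed values.

```shell
#!/bin/sh
# Added example, not from the Netscape CMS manual: build a demo CA and a delegated
# OCSP signing certificate carrying the two extensions the manual names
# (OCSPSigning EKU and OCSPNoCheck), sign an OCSP response with its key, and
# verify that response against the CA. Assumes the openssl CLI (1.1.1 or 3.x);
# all names, the instance id "demo" and the leaf cert are constructed values.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Demo CA (self-signed) standing in for the Certificate Manager's CA signing cert.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=Demo CA" -keyout ca.key -out ca.crt >/dev/null 2>&1

# OCSP signing cert: subject CN=OCSP cert-<instance_id>, EKU OCSPSigning and
# id-pkix-ocsp-nocheck (openssl config name: noCheck), issued by the CA.
printf 'keyUsage=digitalSignature\nextendedKeyUsage=OCSPSigning\nnoCheck=ignored\n' > ocsp.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=OCSP cert-demo" \
  -keyout ocsp.key -out ocsp.csr >/dev/null 2>&1
openssl x509 -req -in ocsp.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 \
  -sha256 -extfile ocsp.ext -out ocsp.crt >/dev/null 2>&1

# An end-entity cert whose revocation status clients will ask about.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=leaf" \
  -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 \
  -sha256 -out leaf.crt >/dev/null 2>&1

# Returns 0 only if the cert carries both extensions required for signing OCSP responses.
check_ocsp_signer_extensions() {
  text=$(openssl x509 -in "$1" -noout -text)
  echo "$text" | grep -q 'OCSP Signing' || return 1
  echo "$text" | grep -q 'OCSP No Check' || return 1
}

# Build a one-entry CA index marking the leaf valid, answer an OCSP request for it
# with the delegated signer, then verify the response as a client would.
# Prints the verifier's output ("Response verify OK" and "leaf.crt: good" on success).
sign_and_verify_response() {
  serial=$(openssl x509 -in leaf.crt -noout -serial | cut -d= -f2)
  printf 'V\t491231235959Z\t\t%s\tunknown\t/CN=leaf\n' "$serial" > index.txt
  openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -reqout req.der >/dev/null 2>&1
  openssl ocsp -index index.txt -CA ca.crt -rsigner ocsp.crt -rkey ocsp.key \
    -reqin req.der -respout resp.der >/dev/null 2>&1
  openssl ocsp -respin resp.der -issuer ca.crt -cert leaf.crt -no_nonce -CAfile ca.crt 2>&1
}

check_ocsp_signer_extensions ocsp.crt && echo "ocsp.crt: OCSPSigning and OCSPNoCheck present"
sign_and_verify_response
```

The verifier accepts the response only because the signer is issued by the same CA as the leaf and carries the OCSPSigning EKU; a cert without that extension (the leaf itself, for instance) fails the delegated-responder check.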
