How Online Certificate Status Manager Works - Netscape MANAGEMENT SYSTEM 6.01 Installation And Setup Manual

What's an OCSP-Compliant PKI Setup?
Manager. That is, clients can verify only those certificates that are issued by the
Certificate Manager. In addition, you also need to keep the Certificate Manager's
nonSSL end-entity port enabled because the server can service OCSP requests only
via its HTTP port.
If your PKI setup is large and contains a hierarchy of multiple Certificate Managers
(root/subordinate CAs), using the Certificate Manager to validate certificates
may not be suitable for you. However, if your PKI setup is large but is made up of
cloned CAs, you should be able to use the Certificate Manager's built-in OCSP
service feature. For information about cloning Certificate Managers, see "Cloning a
Certificate Manager" on page 282.
For step-by-step instructions to set up an OCSP-compliant PKI setup using the
Certificate Manager, see "Setting Up a Certificate Manager with OCSP Service" on
page 675.

How Online Certificate Status Manager Works

In addition to the built-in OCSP service feature, the Certificate Manager can also
publish CRLs to an OCSP-compliant online validation authority (or server). If you
install the CMS OCSP responder, Online Certificate Status Manager, you can
configure one or more Certificate Managers to publish their CRLs to the Online
Certificate Status Manager. The Online Certificate Status Manager stores each
Certificate Manager's CRL in its internal database and uses the appropriate CRL to
verify the revocation status of a certificate when queried by an OCSP-compliant
client. This enables you to issue all client certificates in your PKI with the Authority
Information Access extension pointing to one location, the location at which the
Online Certificate Status Manager is waiting to service OCSP requests; to validate a
certificate, irrespective of which Certificate Manager issued it, an OCSP-compliant
client needs to query just one server.
You can configure the Certificate Manager to generate and publish CRLs whenever
a certificate is revoked and at specified intervals, say every 20 minutes. Because the
purpose of setting up an OCSP responder is to facilitate real-time verification of
certificates, you should configure the Certificate Manager to generate and publish
the CRL to the Online Certificate Status Manager every time a certificate is
revoked. Configuring the Certificate Manager to publish CRLs only at specific
intervals would negate the very purpose of the responder, because the CRL the
Online Certificate Status Manager looks up during verification would always
be outdated. It's important to note that if the CRL is large, the Certificate Manager
could take a considerable amount of time to publish the CRL.
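A toy model of the arrangement described above, added here as an example and not code from Netscape's manual: two Certificate Managers publish their CRLs to one Online Certificate Status Manager, every client certificate's AIA extension names that single responder, and a CA that publishes only on a 20-minute interval leaves a freshly revoked certificate answered as good until the next publication. All DNs, serial numbers, the URL and the timestamps are constructed.

```python
# Added example, not code from the Netscape manual: a toy model of the Online
# Certificate Status Manager's CRL lookup. All names, DNs and serials are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

OCSP_URL = "http://ocsp.example.test/ocsp"   # the one AIA location every cert points to

@dataclass
class Crl:
    """One Certificate Manager's CRL: issuer, validity window, revoked serial numbers."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: set = field(default_factory=set)

class OnlineCertStatusManager:
    """Keeps the latest CRL per issuing Certificate Manager and answers status queries."""
    def __init__(self):
        self.crls = {}                       # issuer DN -> Crl, the 'internal database'

    def publish(self, crl):
        self.crls[crl.issuer] = crl          # a CA's new CRL replaces its previous one

    def status(self, cert, now):
        """Return (status, stale): status is good/revoked/unknown for cert['serial'];
        stale is True when the stored CRL is past nextUpdate, i.e. the answer is outdated."""
        crl = self.crls.get(cert["issuer"])
        if crl is None:
            return "unknown", False          # that CA never published a CRL here
        status = "revoked" if cert["serial"] in crl.revoked else "good"
        return status, now > crl.next_update

def issue_cert(issuer, serial):
    """Client certificate carrying the AIA extension that names the single responder."""
    return {"issuer": issuer, "serial": serial, "aia_ocsp": OCSP_URL}

def demo():
    """Two CAs publish to one responder; interval publishing leaves a revoked cert 'good'."""
    t0 = datetime(2024, 1, 1, 9, 0)
    ocsp = OnlineCertStatusManager()
    root, sub = "CN=Root CA", "CN=Subordinate CA"
    ocsp.publish(Crl(root, t0, t0 + timedelta(minutes=20), {0x10}))
    ocsp.publish(Crl(sub, t0, t0 + timedelta(minutes=20)))
    cert = issue_cert(sub, 0x2A)
    # The subordinate CA revokes 0x2A at t0+5min but publishes only every 20 minutes,
    # so a query at t0+6min still reads the old CRL and wrongly answers 'good'.
    wrong = ocsp.status(cert, t0 + timedelta(minutes=6))
    ocsp.publish(Crl(sub, t0 + timedelta(minutes=20), t0 + timedelta(minutes=40), {0x2A}))
    right = ocsp.status(cert, t0 + timedelta(minutes=21))
    return wrong, right
```

Publishing on every revocation collapses the window between `wrong` and `right` to the time the CRL takes to publish, which is why the manual warns about large CRLs.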
Chapter 21
Setting Up an OCSP Responder
673