Setting Up a Remote OCSP Responder
The procedure for setting up a Certificate Manager functioning as a subordinate
CA to publish CRLs to a remote Online Certificate Status Manager would be the
same, except that you would have to perform extra steps to make sure the that CA
chain verification takes place smoothly. For example:
•
If the Online Certificate Status Manager's SSL server certificate is signed by the
same root CA that signed the subordinate Certificate Manager's certificates,
then you need to mark the root CA as a trusted CA in the subordinate
Certificate Manager's certificate database.
•
If the Online Certificate Status Manager's SSL server certificate is signed by a
different root CA, then you need to import the root CA certificate into the
subordinate Certificate Manager's certificate database and mark it as a trusted
CA.
To import a CA certificate into the certificate database of a subordinate Certificate
Manager, you can use the Certificate Setup Wizard. For instructions, see "Using the
Wizard to Install a Certificate or Certificate Chain" on page 452. After you install
the certificate, you can follow the instructions in see "Changing the Trust Settings
of a CA Certificate" on page 485 to trust the CA certificate you imported.
•
Step 1. Before You Begin
•
Step 2. Install an OCSP-Compliant Client
•
Step 3. Identify the CA to the OCSP Responder
•
Step 4. Configure the Certificate Manager to Publish CRLs
•
Step 5. Configure Certificate Manager for Required Extension Policies
•
Step 6. Configure the Online Certificate Status Manager
•
Step 7. Restart the Certificate Manager
•
Step 8. Restart the Online Certificate Status Manager
•
Step 9. Verify Certificate Manager and Online Certificate Status Manager
Connection
•
Step 10. Test Your OCSP Responder Setup
Note that the Online Certificate Status Manager can be configured to receive CRLs
from more than one Certificate Manager. If your deployment has many CAs and
you want all of them to publish CRLs to the same Online Certificate Status
Manager, you should repeat the above steps for each Certificate Manager.
688
Netscape Certificate Management System Installation and Setup Guide • May 2002