CMS OCSP Services
To help you set up an OCSP-compliant PKI, CMS provides two options:
• The OCSP-service feature built into the Certificate Manager
• The Online Certificate Status Manager
How Certificate Manager's OCSP-Service Feature Works
The Certificate Manager has a built-in OCSP service which, when configured,
OCSP-compliant clients can query directly for the revocation status of the
certificate being validated. The OCSP service is one of the options offered during
installation and is installed and configured by default; unless you deselected this
option, the service was installed and configured.
Clients query the OCSP service through the non-SSL end-entity port of the
Certificate Manager. When queried for the revocation status of a certificate, the
Certificate Manager looks up the certificate in its internal database, checks its
status, and responds to the client accordingly. Because the Certificate Manager
has real-time status for every certificate it has issued, this method of revocation
checking is the most accurate.
Because the internal OCSP service checks the status of certificates stored in the
Certificate Manager's internal database, you do not need to set up publishing to use
this service. By default, certificates are stored, and revoked certificates are
marked revoked, in the internal database of the Certificate Manager.
For step-by-step instructions to set up an OCSP-compliant PKI setup using the
Certificate Manager, see "Setting Up a Certificate Manager with OCSP Service" on
page 171.
How the Online Certificate Status Manager Works
In addition to the built-in OCSP service feature, the Certificate Manager can also
publish CRLs to an OCSP-compliant online validation authority. If you install the
CMS OCSP responder, the Online Certificate Status Manager, you can configure one or
more Certificate Managers to publish their CRLs to the Online Certificate Status
Manager. The Online Certificate Status Manager stores each Certificate Manager's
CRL in its internal database and uses the appropriate CRL to verify the revocation
status of a certificate when queried by an OCSP-compliant client. (Note the
difference between the Online Certificate Status Manager and the internal OCSP
170
Netscape Certificate Management System Administrator's Guide • February 2003
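The two sections above describe two ways of answering an OCSP query: the Certificate Manager answers from its live internal database, while the Online Certificate Status Manager answers from the newest CRL each Certificate Manager has published to it. The following Python model is an added example, not Netscape CMS code, written to make the practical difference visible: a certificate revoked after the last CRL was published is reported revoked by the built-in service but still "good" by the CRL-fed responder until the next CRL arrives. The issuer name, serial numbers and timestamps are constructed, and the choice to answer "unknown" when no CRL is held or the held CRL is past its nextUpdate is an assumption of this example, not documented CMS behaviour.

```python
# Added example, not Netscape CMS code: a model of the two OCSP answering
# strategies the chapter describes.  Issuer name, serials and times are
# constructed for the example.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# CertStatus values an OCSP responder can return (RFC 6960)
GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


@dataclass
class CertRecord:
    serial: int
    revoked_at: Optional[datetime] = None   # None while the certificate is valid


@dataclass(frozen=True)
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset


class CertificateManager:
    """Issues certificates, keeps their status in an internal database, and
    answers OCSP queries straight from that database (the built-in service)."""

    def __init__(self, name: str):
        self.name = name
        self.db: Dict[int, CertRecord] = {}

    def issue(self, serial: int) -> None:
        self.db[serial] = CertRecord(serial)

    def revoke(self, serial: int, when: datetime) -> None:
        self.db[serial].revoked_at = when

    def ocsp_status(self, issuer: str, serial: int, now: datetime) -> str:
        rec = self.db.get(serial)
        if issuer != self.name or rec is None:
            return UNKNOWN                     # not a certificate this CA issued
        if rec.revoked_at is not None and rec.revoked_at <= now:
            return REVOKED
        return GOOD

    def publish_crl(self, now: datetime, validity: timedelta) -> CRL:
        """Snapshot of the serials revoked as of `now`: what gets published to
        the Online Certificate Status Manager."""
        revoked = frozenset(s for s, r in self.db.items()
                            if r.revoked_at is not None and r.revoked_at <= now)
        return CRL(self.name, now, now + validity, revoked)


class OnlineCertificateStatusManager:
    """Holds the newest CRL from each Certificate Manager and answers from it."""

    def __init__(self):
        self.crls: Dict[str, CRL] = {}

    def receive_crl(self, crl: CRL) -> None:
        current = self.crls.get(crl.issuer)
        if current is None or crl.this_update > current.this_update:
            self.crls[crl.issuer] = crl        # keep only the newest CRL per issuer

    def ocsp_status(self, issuer: str, serial: int, now: datetime) -> str:
        crl = self.crls.get(issuer)
        # Assumption of this example: with no CRL, or a CRL past its nextUpdate,
        # the responder declines to vouch rather than guess.
        if crl is None or now > crl.next_update:
            return UNKNOWN
        # A CRL lists only revoked serials, so anything not listed (including a
        # serial this CA never issued) looks "good" to a CRL-based responder.
        return REVOKED if serial in crl.revoked_serials else GOOD


def freshness_gap() -> dict:
    """Revoke a certificate after the last CRL was published and compare what
    each responder answers, before and after the next CRL, and once the CRL
    held by the OCSM has expired."""
    t0 = datetime(2003, 2, 1, tzinfo=timezone.utc)
    ca = CertificateManager("CN=Example CA")      # constructed issuer name
    ocsm = OnlineCertificateStatusManager()
    serials = (1001, 1002, 9999)                  # 9999 is never issued
    ca.issue(1001)
    ca.issue(1002)
    ca.revoke(1001, t0)
    ocsm.receive_crl(ca.publish_crl(t0 + timedelta(hours=1), timedelta(days=1)))
    ca.revoke(1002, t0 + timedelta(hours=6))      # revoked after that CRL went out

    def ask(responder, now):
        return {s: responder.ocsp_status(ca.name, s, now) for s in serials}

    t_query = t0 + timedelta(hours=6, minutes=5)
    out = {"internal": ask(ca, t_query),
           "ocsm_before_next_crl": ask(ocsm, t_query)}
    ocsm.receive_crl(ca.publish_crl(t0 + timedelta(hours=7), timedelta(days=1)))
    out["ocsm_after_next_crl"] = ask(ocsm, t0 + timedelta(hours=7, minutes=5))
    out["ocsm_stale_crl"] = ask(ocsm, t0 + timedelta(days=2))   # no fresh CRL
    return out


if __name__ == "__main__":
    for phase, answers in freshness_gap().items():
        print(phase, answers)
```

The interesting rows are serial 1002, which the built-in service reports revoked immediately but the CRL-fed responder reports "good" until the next CRL is published, and serial 9999, which the internal database can flag as unknown but a CRL cannot distinguish from a valid certificate. The CRL publishing interval therefore bounds how long a revoked certificate stays usable against clients that rely on the Online Certificate Status Manager.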