Table of Contents
Advertisement
Trust Settings and CA Certificates
The trusted database also contains the CA certificates for those CAs that the
subsystem trusts. If your subsystem has certificates from a CA or accepts
certificates that are issued by a CA, it must have a copy of those CA certificates in
the trusted database, and they must be configured as trusted, see "Changing the
Trust Settings of a CA Certificate," on page 296 and "Installing a New CA
Certificate in the Certificate Database," on page 297.
Certificate Chain
You also may need to install a certificate chain in the database to provide the chain
of CAs to a trusted CA. You can install a certificate chain in the certificate database,
see "Installing a CA Certificate Chain in the Certificate Database," on page 298.
OCSP Certificates
Depending on who signed your Online Certificate Status Manager's SSL server
certificate, you may need to perform the following actions to get that certificate
recognized by the CA:
•
If the Online Certificate Status Manager's SSL server certificate is signed by the
CA that is publishing CRLs to the OCSP, you don't need to do anything.
•
If the Online Certificate Status Manager's SSL server certificate is signed by the
same root CA that signed the subordinate Certificate Manager's certificates,
then you need to mark the root CA as a trusted CA in the subordinate
Certificate Manager's certificate database.
•
If the Online Certificate Status Manager's SSL server certificate is signed by a
different root CA, then you need to import the root CA certificate into the
subordinate Certificate Manager's certificate database and mark it as a trusted
CA.
For general information about the OCSPs Certificates, see "OCSP Certificates," on
page 191.
Configuring the Online Certificate Status Manager
Chapter 5
OCSP Responder
191
Advertisement
Table of Contents
