About OCSP Publishing; How Publishing Works - Netscape Management System 6.1 Administrator's Manual


About Publishing
If the server and publishing directory become out of sync for some reason,
privileged users (administrators and agents) can also manually initiate the
publishing process. For instructions, see "Manually Updating the CRL in the
Directory" on page 662.

About OCSP Publishing

CMS provides two forms of OCSP services: an internal service and the Online
Certificate Status Manager subsystem. The internal service checks the internal
database of the Certificate Manager to report on the status of a certificate. The
internal service is not set up for publishing; it uses the certificates stored in its
internal database to determine the status of a certificate. The Online Certificate
Status Manager checks CRLs sent to it by one or more Certificate Managers. You set
up publishing for the Online Certificate Status Manager in the Certificate Managers
that will send it CRLs. You set up a publisher for each location you will send a CRL
to, and one rule for each type of CRL you will send.

For detailed information on both OCSP services, see Chapter 5, "OCSP
Responder."

How Publishing Works

When publishing is enabled, every time a certificate or a CRL is issued, updated, or
revoked, the publishing system is invoked and the certificate or CRL is evaluated
against the rules to see if it matches the type and predicate set in each rule. The type
setting specifies whether the object is a CRL, a CA certificate, or any other certificate
except a CA certificate. The predicate setting can be used to further specify the type of
object being evaluated. For example, it can specify user certificates, or it can specify
west coast user certificates. To use predicates, a value needs to be entered in the
predicate field of the publishing rule, and a corresponding value (although
formatted somewhat differently) needs to be contained in the certificate or
certificate request itself in order for a match to occur. The value in the certificate or
certificate request may be derived from information in the certificate, such as the
type of certificate, or may be derived from a hidden value that is placed in the
request form. If no predicate is set, all objects of that type are considered matching;
for example, all CRLs will match this rule if CRL is set as the type.

Every rule that is matched publishes the certificate or CRL according to the method
and location specified in that rule. A given certificate or CRL can match no rules,
one rule, more than one rule, or all rules. The publishing system attempts to match
every certificate and CRL issued against all rules.
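
The matching behavior described above can be modeled in a few lines. This is an added example, not code from the manual or from CMS: the rule names, publisher labels, attribute names and the `key==value` predicate form are assumptions chosen for illustration. It also reports objects that match no rule, since those are never published.

```python
# Added illustration: simplified model of publishing-rule matching.
# Rule names, publisher labels, attribute names and the "key==value"
# predicate form are assumptions for this sketch, not CMS syntax.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    obj_type: str                    # "crl", "cacert", or "certs" (any non-CA certificate)
    publisher: str                   # method and location, kept as an opaque label
    predicate: Optional[str] = None  # None: every object of obj_type matches

def object_type(obj):
    if obj["kind"] == "crl":
        return "crl"
    return "cacert" if obj.get("is_ca") else "certs"

def predicate_matches(predicate, obj):
    if not predicate:
        return True
    key, sep, want = predicate.partition("==")
    if not sep:
        raise ValueError(f"unsupported predicate: {predicate!r}")
    return obj.get("attrs", {}).get(key.strip()) == want.strip()

def matching_rules(obj, rules):
    """Try every rule; each match publishes independently of the others."""
    t = object_type(obj)
    return [r for r in rules if r.obj_type == t and predicate_matches(r.predicate, obj)]

def unpublished(objects, rules):
    """IDs of objects that match no rule and so are published nowhere."""
    return [o["id"] for o in objects if not matching_rules(o, rules)]

# Constructed sample rules and objects.
RULES = [
    Rule("crl-to-ocsp", "crl", "ocsp-publisher"),
    Rule("crl-to-ldap", "crl", "ldap-crl-publisher"),
    Rule("ca-cert", "cacert", "ldap-ca-publisher"),
    Rule("west-users", "certs", "ldap-user-publisher", "region==west"),
]
OBJECTS = [
    {"id": "master-crl", "kind": "crl"},
    {"id": "ca-signing", "kind": "cert", "is_ca": True},
    {"id": "alice", "kind": "cert", "attrs": {"region": "west"}},
    {"id": "bob", "kind": "cert", "attrs": {"region": "east"}},
]

if __name__ == "__main__":
    for o in OBJECTS:
        print(o["id"], "->", [r.name for r in matching_rules(o, RULES)])
    print("matches no rule:", unpublished(OBJECTS, RULES))
```

Running the no-match check against a planned rule set shows which certificates or CRLs would go unpublished, for example a CRL that would never reach the Online Certificate Status Manager.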
Chapter 15: Publishing, page 621
