Revocation Checking by Netscape Servers; Publishing of CRLs - Netscape Certificate Management System 6.2 Administrator's Manual

About CRLs
3 = Affiliation Changed—The owner of the certificate is no longer affiliated with
the issuer of the certificate, and either no longer has rights to the access gained with
the certificate or no longer needs it.
4 = Certificate Superseded—Another certificate replaces the use of this one.
5 = Cessation of Operation—The CA that issued the certificate ceases to operate.
6 = Certificate is on Hold—The certificate is on hold pending further action. It is
treated as revoked, but may be taken off hold in the future.

A certificate can be revoked by administrators, agents, and end entities. Agents and
administrators (with agent privileges) can revoke certificates by using the forms
provided in the agent interface. End users can revoke certificates by using the
forms provided in the Revocation tab of the end-entity interface. Note that end
users can revoke only their own certificates, whereas agents and administrators can
revoke any certificates issued by the server. End users are also required to
authenticate to the server in order to revoke their certificate.

Whenever a certificate is revoked, the Certificate Manager updates the status of the
certificate in its internal database. This way, the server keeps track of all revoked
certificates in its internal database and, when configured, it makes the revoked list
of certificates public (by publishing it to a central repository) to notify other users
that the certificates in the list are no longer valid.
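
The revocation rules above (who may revoke, which reasons are permanent, and what ends up in the published list) can be modeled in a few lines. This is an added example, not CMS code: the class, method, and role names are hypothetical, the actor is assumed to be authenticated already, and the model assumes a revoked certificate cannot be revoked again unless it is only on hold.

```python
# Added illustration, not CMS code: every name here is hypothetical.
from dataclasses import dataclass, field
from typing import Optional

# Reason codes listed in this section (lower-numbered codes are not modeled).
REASONS = {3: "Affiliation Changed", 4: "Certificate Superseded",
           5: "Cessation of Operation", 6: "Certificate is on Hold"}
HOLD = 6
ROLES = ("end-entity", "agent", "administrator")

@dataclass
class Cert:
    serial: int
    owner: str
    reason: Optional[int] = None  # None means the certificate is valid

@dataclass
class CertificateManager:
    certs: dict = field(default_factory=dict)  # internal database: serial -> Cert

    def issue(self, serial, owner):
        self.certs[serial] = Cert(serial, owner)

    def revoke(self, actor, role, serial, reason):
        # 'actor' is assumed to have authenticated already.
        cert = self.certs[serial]
        if role not in ROLES:
            raise PermissionError(f"unknown role {role!r}")
        if reason not in REASONS:
            raise ValueError(f"reason code {reason} is not modeled")
        # End users revoke only their own certificates; agents and
        # administrators revoke any certificate issued by the server.
        if role == "end-entity" and cert.owner != actor:
            raise PermissionError("end users can revoke only their own certificates")
        # Model assumption: only a hold may be replaced by another reason.
        if cert.reason is not None and cert.reason != HOLD:
            raise ValueError("certificate is already revoked")
        cert.reason = reason

    def release_hold(self, serial):
        cert = self.certs[serial]
        if cert.reason != HOLD:
            raise ValueError("only a certificate on hold can be taken off hold")
        cert.reason = None

    def revoked_list(self):
        # On-hold certificates are listed too: they are treated as revoked.
        return {c.serial: REASONS[c.reason]
                for c in self.certs.values() if c.reason is not None}
```

A relying party that consumes the list must reject a certificate on hold exactly as it rejects any other entry; the hold only becomes visible as "valid again" once a later list omits it.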

Revocation Checking by Netscape Servers

Because Netscape servers currently cannot check the revocation status of a
certificate, you should use other forms of access control. For example, you can
remove individual users from access groups to prevent them from accessing the
server.

Because CMS can check the revocation status of the certificates that it issues, you
do not need to rely on other forms of access control.

Publishing of CRLs

The Certificate Manager can publish the CRL to a file, an LDAP-compliant
directory, or an OCSP responder. You can set up publishing to one or all of
these methods, and configure how often updates are made.

For information about setting up publishing to any of these methods, see Chapter
15, "Publishing."
598
Netscape Certificate Management System Administrator's Guide • June 2003
