Chapter 5. CA: Publishing to a Directory
A Red Hat Directory Server installation is required for the Certificate System subsystems to be installed; this directory instance maintains user information and certificate and key information. The Certificate System can be configured to publish certificates and CRLs to that directory, or other LDAP directories, for other applications to access. Certificate information published to the publishing directory must be periodically updated as certificates are issued and revoked. Updates are usually published automatically but may also be published manually.
This chapter describes the procedures for updating an LDAP directory with the current status of certificates. Only a Certificate Manager agent can publish certificates and CRLs to the directory.
1. Automatic Directory Updates
Once the Certificate System administrator has configured the Certificate System to publish to the publishing Directory
Server, any changes to certificate information in Certificate System are automatically updated in the publishing directory
at specific times.
• The first time the Certificate System is started, it publishes the Certificate Manager's CA certificate to the LDAP publishing directory.
• When the Certificate System issues a new certificate, the certificate is published to the LDAP publishing directory.
• When the Certificate System revokes a certificate, the certificate is removed from the publishing directory.
• When the CRL is created or updated, the list is published to the LDAP publishing directory.
For more information on configuring the Certificate System to publish to the Directory Server, see the Certificate System
Administration Guide.
2. Manual Directory Updates
The LDAP publishing directory usually does not need certificate data updated manually because most updates are automatic. However, it may be necessary to update the LDAP publishing directory manually in the following situations:
• The publishing Directory Server is down for a period of time and unable to receive changes from the Certificate System.
• Expired certificates need to be removed from the publishing directory since certificates are not automatically removed from the publishing directory when they expire.
NOTE
Any client using a certificate is responsible for determining its validity by checking the expiration date against the
client's current date information.
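Because expired certificates stay in the publishing directory until someone removes them, an agent needs a way to find them before running a manual update. The following Python script is an added example, not code from this guide or from Certificate System: it reads an LDIF export of the publishing directory (assumed to be in the folded form ldapsearch produces), decodes each userCertificate;binary value with a minimal DER walker, and lists the entries whose notAfter has passed. The two sample entries are constructed inside the script.

```python
import base64
import re
from datetime import datetime, timezone

def _tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def cert_not_after(der):
    """Return notAfter of a DER-encoded X.509 certificate as an aware UTC datetime."""
    _, tbs, _ = _tlv(_tlv(der, 0)[1], 0)               # Certificate -> tbsCertificate
    pos, fields = 0, []
    while pos < len(tbs):
        tag, val, pos = _tlv(tbs, pos)
        if tag != 0xA0:                                # skip the optional [0] version field
            fields.append(val)
    validity = fields[3]                               # serial, sigAlg, issuer, validity, ...
    _, not_after, _ = _tlv(validity, _tlv(validity, 0)[2])   # second Time in Validity
    text = not_after.decode()                          # UTCTime (13 chars) or GeneralizedTime (15)
    fmt = "%y%m%d%H%M%SZ" if len(text) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)

def expired_entries(ldif_text, now):
    """Return DNs of entries whose userCertificate;binary value has expired as of 'now'."""
    expired, dn = [], None
    for line in re.sub(r"\n ", "", ldif_text).splitlines():   # unfold LDIF continuation lines
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userCertificate;binary:: "):
            if cert_not_after(base64.b64decode(line.split(":: ", 1)[1])) < now:
                expired.append(dn)
    return expired

def _der(tag, content):                                # short-form lengths suffice for the sample
    return bytes([tag, len(content)]) + content

def sample_ldif():
    """Constructed export: alice's certificate expired in 2021, bob's lasts until 2030 (only parsed fields are filled in)."""
    out = []
    for uid, year in (("alice", 2021), ("bob", 2030)):
        validity = _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, b"%02d0301000000Z" % (year - 2000)))
        tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + _der(0x30, b"") + validity
        b64 = base64.b64encode(_der(0x30, _der(0x30, tbs))).decode()
        out += ["dn: uid=%s,ou=people,dc=example,dc=com" % uid,
                "userCertificate;binary:: " + b64[:40], " " + b64[40:], ""]   # folded like ldapsearch output
    return "\n".join(out)
```

Run `expired_entries(open("publishing.ldif").read(), datetime.now(timezone.utc))` against a real export to get the list of DNs to clean up before the manual update.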
To update the LDAP publishing directory with changes manually, do the following:
1. Open the Certificate Manager agent services page.
2. Click Update Directory Server.
3. Select Skip certificates already marked as updated to ignore certificates in the internal database that have already been published or removed, in the case of revoked certificates.
In some circumstances, updating the LDAP publishing directory can take considerable time. During this period, any changes made through the Certificate System, such as issuing or revoking certificates, may not be included in the update. If certificates have been issued or revoked during that time, the publishing directory must be updated again to reflect those changes. Use the Skip certificates already marked as updated option the second time to update only certificates that have been issued, revoked, or expired while the previous update was running.
4. Select the type of update to perform.