Chapter 15. Publishing
15.10.1. Schema
For a Certificate Manager to publish certificates and CRLs to a directory, it must be configured with
specific attributes and object classes. This section discusses those basic schema requirements.
15.10.1.1. Required Schema for Publishing End-Entity Certificates
The Certificate Manager publishes an end entity's certificate to the userCertificate;binary
attribute within the end entity's or subject's directory object. This attribute is multi-valued; each value is
a DER-encoded binary X.509 certificate. The LDAP object class named inetOrgPerson allows this
attribute. The strongAuthenticationUser object class also allows this attribute and can be combined
with any other object class to allow certificates to be published to that object. The Certificate Manager
does not automatically add this object class to the schema table of the corresponding Directory Server.
If the directory object that it finds does not allow the userCertificate;binary attribute, adding or
removing the certificate fails.
15.10.1.2. Required Schema for Publishing the CA Certificate
The Certificate Manager publishes its own CA certificate in the caCertificate;binary attribute
of the CA's directory object when the server is started; this is the object that corresponds to the
Certificate Manager's issuer name. This is a required attribute of the certificationAuthority
object class. The Certificate Manager will add this object class to the directory entry for the CA if it can
find the CA's directory entry.
15.10.1.3. Required Schema for Publishing CRLs
The Certificate Manager publishes the updated CRL to the CA's directory object under the
certificateRevocationList;binary attribute. This attribute is an attribute of the
certificationAuthority object class. The value of the attribute is the DER-encoded binary
X.509 CRL. The CA's entry must already contain the certificationAuthority object class.
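The three schema rules above are easy to check before enabling publishing. The following script is an added example (not Red Hat code and not part of the Certificate System distribution): it parses a directory entry in LDIF, reports whether the entry's object classes permit the attributes the Certificate Manager writes (userCertificate;binary, caCertificate;binary, certificateRevocationList;binary), and sanity-checks any existing values for DER structure. The object-class table contains only the classes named in this section; a real check should read the Directory Server's own schema. The two sample entries and the tiny base64 value are constructed for the example (the value is a five-byte DER SEQUENCE standing in for a certificate, not a real one).

```python
"""Pre-flight check of LDAP entries that the Certificate Manager will publish
into (added example, not Red Hat code). The object-class table holds only the
classes named in the manual; a real check should read the Directory Server's
own schema."""
import base64

# Attribute the Certificate Manager publishes -> object classes that permit it.
PUBLISH_ATTRS = {
    "userCertificate;binary": {"inetOrgPerson", "strongAuthenticationUser"},
    "caCertificate;binary": {"certificationAuthority"},
    "certificateRevocationList;binary": {"certificationAuthority"},
}


def parse_ldif_entry(text):
    """Minimal LDIF parser for a single entry: handles 'attr: value',
    'attr:: base64value' and folded lines (leading space). Returns a dict
    mapping attribute name -> list of values (bytes for base64 values)."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold a continuation line
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)
    entry = {}
    for line in logical:
        name, rest = line.split(":", 1)
        if rest.startswith(":"):            # '::' marks a base64-encoded value
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip()
        entry.setdefault(name, []).append(value)
    return entry


def permitted_publish_attrs(entry):
    """Which publishing attributes the entry's objectClass values allow."""
    classes = {oc.lower() for oc in entry.get("objectClass", [])}
    return {attr: any(oc.lower() in classes for oc in ocs)
            for attr, ocs in PUBLISH_ATTRS.items()}


def looks_like_der(value):
    """Cheap structural check: a DER-encoded X.509 certificate or CRL is a
    SEQUENCE (tag 0x30) whose encoded length spans exactly the rest of the
    buffer. Not a full parse; it catches PEM text and truncated blobs."""
    if not isinstance(value, bytes) or len(value) < 2 or value[0] != 0x30:
        return False
    first = value[1]
    if first < 0x80:                        # short-form length
        length, header = first, 2
    else:                                   # long-form: 0x80|N, then N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(value) < 2 + n:
            return False
        length, header = int.from_bytes(value[2:2 + n], "big"), 2 + n
    return len(value) == header + length


def publishing_problems(entry, intended):
    """Explain why publishing the given attributes into this entry would fail:
    no permitting objectClass, or an existing value that is not DER."""
    problems = []
    allowed = permitted_publish_attrs(entry)
    for attr in sorted(intended):
        if not allowed.get(attr, False):
            problems.append(f"{attr}: no objectClass on the entry permits it")
        for value in entry.get(attr, []):
            if not looks_like_der(value):
                problems.append(f"{attr}: existing value is not a DER SEQUENCE")
    return problems


# Constructed sample entries (not from a real directory). The base64 value is
# a five-byte DER SEQUENCE standing in for a certificate, not a real one.
END_ENTITY_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: Jane Doe
sn: Doe
uid: jdoe
userCertificate;binary:: MAMC
 AQU=
"""

CA_ENTRY_LDIF = """\
dn: ou=Example CA,o=Example Corp
objectClass: top
objectClass: organizationalUnit
ou: Example CA
"""

if __name__ == "__main__":
    ee = parse_ldif_entry(END_ENTITY_LDIF)
    print("end entity:", publishing_problems(ee, {"userCertificate;binary"}) or "ok")
    ca = parse_ldif_entry(CA_ENTRY_LDIF)
    print("CA entry:", publishing_problems(
        ca, {"caCertificate;binary", "certificateRevocationList;binary"}))
```

Run against an export of the real target entries (ldapsearch -LLL output is LDIF), the script flags the end-entity entry as fine and the CA entry as unable to receive either the CA certificate or the CRL until the certificationAuthority object class is present, which is exactly the failure the text describes.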
15.10.2. Entry for the CA
The Certificate Manager automatically creates an entry for the CA in the directory. This option is set in
both the CA and CRL mapper instances and enabled by default. If the directory restricts the Certificate
Manager from creating entries in the directory, turn off this option in those mapper instances, and add
an entry for the CA manually in the directory.
For the Certificate Manager to publish its CA certificate and CRL, the directory must include an entry
for the CA.
When adding the CA's entry to the directory, select the entry type based on the DN of the CA:
• If the CA's DN begins with the cn component, create a new person entry for the CA. Selecting a
different type of entry may not allow the cn component to be specified.
• If the CA's DN begins with the ou component, create a new organizationalunit entry for the
CA.
The entry does not have to be in the certificationAuthority object class. The Certificate
Manager will convert this entry to the certificationAuthority object class automatically by
publishing its CA's signing certificate.
For more information on creating directory entries, see the Red Hat Directory Server documentation.
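When the Certificate Manager is not permitted to create the CA entry itself, the rule above has to be applied by hand. The following script is an added example (not Red Hat code): it takes the CA's DN, picks the entry type the way this section prescribes (leading cn gives a person entry, leading ou gives an organizationalunit entry) and emits the LDIF for ldapadd. It deliberately leaves out the certificationAuthority object class, which the Certificate Manager adds when it publishes the CA signing certificate. Two assumptions are marked in the code: the top superclass is listed explicitly, and the required sn of a person entry is filled with the cn value.

```python
"""Build the manual directory entry for a CA whose Certificate Manager is not
allowed to create it (added example, not Red Hat code). Entry type follows
the manual's rule: a DN starting with cn gets a person entry, one starting
with ou gets an organizationalunit entry."""

# Leading RDN type -> object classes of the entry to create. Listing 'top'
# explicitly is this example's convention, not a requirement from the manual.
ENTRY_TYPES = {
    "cn": ["top", "person"],
    "ou": ["top", "organizationalUnit"],
}


def first_rdn(dn):
    """Return (type, value) of the first RDN, honouring backslash escapes so a
    comma inside the CA name (cn=Example\\, Inc. CA) is not a separator.
    Multi-valued RDNs (joined with an unescaped '+') are rejected."""
    value, escaped, multi = [], False, False
    for ch in dn:
        if escaped:
            value.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            break
        else:
            if ch == "+":
                multi = True
            value.append(ch)
    if multi:
        raise ValueError("multi-valued RDN not supported")
    typ, val = "".join(value).split("=", 1)
    return typ.strip().lower(), val.strip()


def entry_type_for(dn):
    """'person', 'organizationalunit', or None when the manual gives no rule."""
    typ, _ = first_rdn(dn)
    return {"cn": "person", "ou": "organizationalunit"}.get(typ)


def ca_entry_ldif(dn):
    """LDIF for ldapadd creating the CA entry. The certificationAuthority
    object class is deliberately absent: the Certificate Manager adds it when
    it publishes the CA signing certificate into the entry."""
    typ, value = first_rdn(dn)
    if typ not in ENTRY_TYPES:
        raise ValueError(f"no entry type rule for a DN starting with '{typ}'")
    lines = [f"dn: {dn}"]                       # DN keeps its LDAP escaping
    lines += [f"objectClass: {oc}" for oc in ENTRY_TYPES[typ]]
    lines.append(f"{typ}: {value}")             # attribute value is unescaped
    if typ == "cn":
        # person requires sn as well as cn (RFC 4519); reusing the cn value
        # for it is this example's assumption.
        lines.append(f"sn: {value}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed DNs, not from a real deployment.
    for dn in ("cn=Certificate Authority,ou=pki,o=Example Corp",
               "ou=Example CA,o=Example Corp"):
        print(ca_entry_ldif(dn))
```

Feed the output to ldapadd with a bind DN that may create entries under the parent; once the Certificate Manager starts and publishes its signing certificate, the entry acquires the certificationAuthority object class and can then receive the CRL as well.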