CMS OCSP Services
Netscape Certificate Management System Administrator’s Guide • February 2003
To help you set up an OCSP-compliant PKI, CMS provides two options:
• The OCSP-service feature built into the Certificate Manager
• The Online Certificate Status Manager
How Certificate Manager’s OCSP-Service Feature Works
The Certificate Manager has a built-in OCSP-service feature which, when
configured, lets OCSP-compliant clients query the Certificate Manager directly
about the revocation status of the certificate being validated. The OCSP
service is one of the installation options and is installed and configured by
default; unless you deselected this option, the service was installed and configured.
Clients can query the OCSP service through the non-SSL end-entity port of the
Certificate Manager. When queried for the revocation status of a certificate, the
Certificate Manager looks up the certificate in its internal database, checks its
status, and responds to the client accordingly. Because the Certificate Manager has
real-time status of all certificates it has issued, this method of revocation
checking is the most accurate.
Because the internal OCSP service checks the status of certificates stored in the
Certificate Manager’s internal database, you do not need to set up publishing to use
this service. By default, certificates are stored in the Certificate Manager’s
internal database, and revoked certificates are marked revoked there.
For step-by-step instructions on setting up an OCSP-compliant PKI using the
Certificate Manager, see “Setting Up a Certificate Manager with OCSP Service” on
page 171.
How the Online Certificate Status Manager Works
In addition to the built-in OCSP service feature, the Certificate Manager can also
publish CRLs to an OCSP-compliant online validation authority. If you install the
CMS OCSP responder, the Online Certificate Status Manager, you can configure one or
more Certificate Managers to publish their CRLs to the Online Certificate Status
Manager. The Online Certificate Status Manager stores each Certificate Manager’s
CRL in its internal database and uses the appropriate CRL to verify the revocation
status of a certificate when queried by an OCSP-compliant client. (Note the
difference between the Online Certificate Status Manager and the internal OCSP
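
The two lookup paths described above can be compared with a small model. This is an added example, not code from CMS or from the guide: the class and method names are hypothetical, and the serial numbers and CA name are constructed sample data. It shows why an answer taken from the live internal database reflects a revocation at once, while an answer taken from a stored CRL reflects it only after the next CRL is published.

```python
from dataclasses import dataclass, field

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"

@dataclass
class CertificateManager:
    """Simplified model of a CA with a built-in OCSP service (hypothetical class)."""
    name: str
    db: dict = field(default_factory=dict)    # serial -> status (internal database)

    def issue(self, serial):
        self.db[serial] = GOOD

    def revoke(self, serial):
        self.db[serial] = REVOKED              # marked revoked immediately

    def ocsp_query(self, serial):
        # Built-in service: answer straight from the live internal database.
        return self.db.get(serial, UNKNOWN)

    def build_crl(self):
        # Snapshot of the revoked serials at publication time.
        return frozenset(s for s, st in self.db.items() if st == REVOKED)

@dataclass
class OnlineCertificateStatusManager:
    """Simplified model of a responder that answers from published CRLs."""
    crls: dict = field(default_factory=dict)  # issuer name -> last CRL received

    def receive_crl(self, issuer, crl):
        self.crls[issuer] = crl

    def ocsp_query(self, issuer, serial):
        crl = self.crls.get(issuer)
        if crl is None:
            return UNKNOWN                     # no CRL stored for this issuer
        return REVOKED if serial in crl else GOOD

def demo():
    ca = CertificateManager("Example CA")      # constructed sample data
    ocsm = OnlineCertificateStatusManager()
    for serial in (0x1001, 0x1002):
        ca.issue(serial)
    ocsm.receive_crl(ca.name, ca.build_crl())  # initial, empty CRL is published
    ca.revoke(0x1002)                          # revocation before the next CRL
    before = (ca.ocsp_query(0x1002), ocsm.ocsp_query(ca.name, 0x1002))
    ocsm.receive_crl(ca.name, ca.build_crl())  # next CRL publication
    after = (ca.ocsp_query(0x1002), ocsm.ocsp_query(ca.name, 0x1002))
    return before, after

if __name__ == "__main__":
    print(demo())
```

In this model the gap between `before` and `after` is the CRL publishing interval, so that interval bounds how stale a CRL-backed answer can be.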