Chapter 14. Publishing
328
• Publish certificates that were issued while the Directory Server was down. Similarly, unpublish
certificates that were revoked or that expired while Directory Server was down.
• Publish or unpublish a range of certificates based on serial numbers, from serial number
xx
to serial
number
yy
.
A Certificate Manager's publishing directory can be manually updated by a Certificate Manager agent
only.
14.10.1. Manually Updating Certificates in the Directory
The
Update Directory Server
form in the Certificate Manager agent services page can be used to
update the directory manually with certificate-related information. This form initiates a combination of
the following operations:
• Update the directory with certificates.
• Remove expired certificates from the directory.
Removing expired certificates from the publishing directory can be automated by scheduling an
automated job. For details, see
Chapter 18, Automated Jobs
.
• Remove revoked certificates from the directory.
Manually update the directory with changes by doing the following:
1. Open the Certificate Manager agent services page.
2. Select the
Update Directory Server
link.
3. Select the appropriate options, and click
Update Directory
.
The Certificate Manager starts updating the directory with the certificate information in its internal
database. If the changes are substantial, updating the directory can take considerable time. During
this period, any changes made through the Certificate Manager, including any certificates issued
or any certificates revoked, may not be included in the update. If any certificates are issued or
revoked while the directory is updated, update the directory again to reflect those changes.
When the directory update is complete, the Certificate Manager displays a status report. If the process
is interrupted, the server logs an error message.
If the Certificate Manager is installed as a root CA, the CA signing certificate may get published using
the publishing rule set up for user certificates when using the agent interface to update the directory
with valid certificates. This may return an object class violation error or other errors in the mapper.
Selecting the appropriate serial number range to exclude the CA signing certificate can avoid this
problem. The CA signing certificate is the first certificate a root CA issues.
• Modify the default publishing rule for user certificates by changing the value of the
predicate
parameter to
HTTP_PARAMS.certType!=ca
.
• Use the
LdapCaCertPublisher
publisher plug-in module to add another rule, with the predicate
parameter set to
HTTP_PARAMS.certType==ca
, for publishing subordinate CA certificates.
Содержание CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE
Страница 36: ...Chapter 1 Overview 16 Figure 1 4 Certificate System Architecture ...
Страница 144: ...124 ...
Страница 160: ...140 ...
Страница 208: ...188 ...
Страница 210: ...190 ...
Страница 256: ...236 ...
Страница 282: ...Chapter 12 Certificate Profiles 262 Parameter IssuerName_n IssuerType_n ...
Страница 285: ...Freshest CRL Extension Default 265 Parameter PointName_n PointIssuerName_n ...
Страница 335: ...Configuring Mappers 315 Figure 14 9 Selecting a New Mapper Type 6 Edit the mapper instance and click OK ...
Страница 362: ...342 ...
Страница 376: ...356 ...
Страница 436: ...416 ...
Страница 490: ...470 ...
Страница 504: ...484 ...