Netscape Certificate Management System Agent's Guide: Publishing to a Directory


Chapter 4 Publishing to a Directory

This chapter describes the procedures for updating an LDAP directory with the current status of certificates. Only a Certificate Manager agent can update the directory.

The chapter has the following sections:


Working with a Directory Server
If your organization uses Netscape Directory Server (or another LDAP directory server) to publish information about users in your organization, you can configure Certificate Management System to publish certificates and certificate revocation lists through the directory.

Certificate information published to the directory must be periodically updated as certificates are issued and revoked. Updates are usually published automatically but can also be published manually.

Automatic Directory Updates
Once the CMS administrator has configured Certificate Management System to work with Directory Server, any changes to certificate information in Certificate Management System are automatically updated in the directory. Updates take place at specific times:

Manual Directory Updates
Normally you do not need to update a directory manually; most updates are done automatically. You must update the directory manually in the following situations:

Using the Update Directory Server form available from the Certificate Manager Agent Services page, you make the following changes in the directory:

Note that only a Certificate Manager agent with the proper certificate can access the Update Directory Server form.


Updating the Directory with Changes
To manually update the directory with changes:

  1. Go to the Certificate Manager Agent Services page (see Accessing Agent Services). You must submit the proper client certificate to get access to this page.
  2. Click Update Directory Server.
  3. Select "Skip certificates already marked as updated" to ignore certificates in the internal database that are marked as having been published already (or removed in the case of revoked certificates).
     For example, if you updated the directory once to revoke many certificates and it took several minutes, some new certificates may have been issued while the update was running. You would then use this selection and update the directory a second time to publish the new certificates (and save time by skipping all of the certificates that were just updated).

  4. To publish the latest CRL, select "Update certificate revocation list to the directory."
  5. To update information on valid certificates to the directory, select "Update valid certificates to the directory."
     If you want to update only a range of certificates (for example, only the most recently issued certificates), specify the range of the serial numbers of those certificates.

  6. To remove expired certificates from the directory, select "Remove expired certificates from the directory."
     If you want to remove only a range of certificates (not all expired certificates), specify the range of the serial numbers of those certificates.

  7. To remove revoked certificates from the directory, select "Remove revoked certificates from the directory."
     If you want to remove only a range of certificates (not all revoked certificates), specify the range of the serial numbers of those certificates.

  8. When you have finished specifying the changes that you want updated, click Update Directory.

Note
In some circumstances, updating the directory can take considerable time. During this period, any changes made through Certificate Management System (for example, any new certificates issued or any certificates revoked) may not be included in the update. If you have issued or revoked any certificates during that time, you need to update the directory again to reflect those changes. Use "Skip certificates already marked as updated" the second time to update only certificates that changed (issued, revoked, expired) while the previous update was running.
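
The two-pass update described in the Note, as a simplified model added here for illustration (it is not code from Certificate Management System). The `Cert` records, the `marked_updated` flag, the Python set standing in for the directory, and the assumption that a status change clears the flag are all hypothetical; changes made during the first pass are modelled as arriving just after it finishes.

```python
from dataclasses import dataclass

@dataclass
class Cert:
    serial: int
    status: str                   # "valid", "revoked" or "expired"
    marked_updated: bool = False  # assumed per-record "already published/removed" flag

def in_range(serial, rng):
    # rng is None (no range given) or an inclusive (low, high) pair of serials
    return rng is None or rng[0] <= serial <= rng[1]

def update_directory(db, directory, skip_marked=False, valid=None,
                     expired=None, revoked=None):
    """One manual update pass. valid/expired/revoked: None = option not
    selected, "all" = selected with no range, (low, high) = selected with range.
    Returns (published, removed) as lists of serials."""
    chosen = {"valid": valid, "expired": expired, "revoked": revoked}
    published, removed = [], []
    for cert in db:
        opt = chosen[cert.status]
        if opt is None or (skip_marked and cert.marked_updated):
            continue
        if not in_range(cert.serial, None if opt == "all" else opt):
            continue
        if cert.status == "valid":
            directory.add(cert.serial)
            published.append(cert.serial)
        else:                      # expired or revoked: take it out of the directory
            directory.discard(cert.serial)
            removed.append(cert.serial)
        cert.marked_updated = True
    return published, removed

def drift(db, directory):
    """Serials on which the directory disagrees with the CA database."""
    return sorted({c.serial for c in db if c.status == "valid"} ^ directory)

def two_pass_demo():
    # Constructed data: serials 1-4 valid, 5 revoked; directory still lists 5.
    db = [Cert(s, "valid") for s in range(1, 5)] + [Cert(5, "revoked")]
    directory = {5}
    first = update_directory(db, directory, valid="all", revoked="all")
    # Changes that land around the first pass (assumed to clear the flag):
    db[1].status, db[1].marked_updated = "revoked", False   # serial 2 revoked
    db.append(Cert(6, "valid"))                              # serial 6 issued
    before = drift(db, directory)
    second = update_directory(db, directory, skip_marked=True,
                              valid="all", revoked="all")
    return first, before, second, drift(db, directory)
```

In this model the second pass touches only serials 2 and 6, and `drift` lists the certificates on which relying parties would see stale status until that pass is run.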

 

Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.