|Previous Contents Index Next|
|iPlanet Certificate Management System Agent's Guide|
Chapter 4 Publishing to a Directory
This chapter describes the procedures for updating an LDAP directory with the current status of certificates. Only a Certificate Manager agent can update the directory.
The chapter has the following sections:
Working with a Directory Server
If your organization uses iPlanet Directory Server (or another LDAP directory server) to publish information about users in your organization, you can configure Certificate Management System to publish certificates and certificate revocation lists through the directory.
Certificate information published to the directory must be periodically updated as certificates are issued and revoked. Updates are usually published automatically but can also be published manually.
Automatic Directory Updates
Once the CMS administrator has configured Certificate Management System to work with Directory Server, any changes to certificate information in Certificate Management System are automatically updated in the directory. Updates take place at specific times:
The first time you start Certificate Management System, it publishes the Certificate Manager's CA certificate to the directory.
Manual Directory Updates
Normally you do not need to update a directory manually; most updates are done automatically. You must update the directory manually in the following situations:
Directory Server is down for a period of time and unable to receive changes from Certificate Management System.
You want to remove expired certificates from the directory. Expired certificates are not automatically removed from the directory upon expiration. (Generally, any client using a certificate is responsible for determining that it is valid by checking its expiration date against the client's current date information.) Using the Update Directory Server form available from the Certificate Manager Agent Services page, you make the following changes in the directory:
Update the CRL in the directory. Note that only a Certificate Manager agent with the proper certificate can access the Update Directory Server form.
Updating the Directory with Changes
To manually update the directory with changes:
Go to the Certificate Manager Agent Services page (see Accessing Agent Services). You must submit the proper client certificate to get access to this page.
Click Update Directory Server.
Select "Skip certificates already marked as updated" to ignore certificates in the internal database that are maked as having been published already (or removed in the case of revoked certificates).
For example, if you updated the directory once to revoke many certificates and it took several minutes, some new certificates may have been issued while the update was running. You would then use this selection and update the directory a second time to publish the new certificates (and save time by skipping all of the certificates that were just updated).
To publish the latest CRL, select "Update certificate revocation list to the directory."
To update information on valid certificates to the directory, select "Update valid certificates to the directory."
If you want to update only a range of certificates (for example, only the most recently issued certificates), specify the range of the serial numbers of those certificates.
To remove expired certificates from the directory, select "Remove expired certificates from the directory."
If you want to remove only a range of certificates (not all expired certificates), specify the range of the serial numbers of those certificates.
To remove revoked certificates from the directory, select "Remove revoked certificates from the directory."
If you want to remove only a range of certificates (not all revoked certificates), specify the range of the serial numbers of those certificates.
When you have finished specifying the changes that you want updated, click Update Directory.
Note In some circumstances, updating the directory can take considerable time. During this period, any changes made through Certificate Management System (for example, any new certificates issued or any certificates revoked) may not be included in the update. If you have issued or revoked any certificates during that time, you need to update the directory again to reflect those changes. Use "Skip certificates already marked as updated" the second time to update only certificates that changed (issued, revoked, expired) while the previous update was running.
Previous Contents Index Next
Copyright © 2002 Sun Microsystems, Inc. All rights reserved.
Last Updated October 07, 2002