iPlanet Certificate Management System Agent's Guide



Chapter 6   Managing OCSP Service Related Tasks


This chapter describes how to perform the tasks of an Online Certificate Status Manager agent, such as identifying a CA to the Online Certificate Status Manager and adding a CRL to the Online Certificate Status Manager's internal database. This service is available only when the Online Certificate Status Manager subsystem is installed. The Online Certificate Status Manager Agent Services page allows certified agents to accomplish these tasks.

This chapter has the following sections:

  Listing CAs Identified by Online Certificate Status Manager
  Identifying a CA to Online Certificate Status Manager
  Adding a CRL to Online Certificate Status Manager
  Checking the Revocation Status of a Certificate



Listing CAs Identified by Online Certificate Status Manager

The Online Certificate Status Manager can be configured to receive CRLs from multiple Certificate Managers. Each Certificate Manager that can publish CRLs to the Online Certificate Status Manager must have its CA signing certificate stored in the internal database of the Online Certificate Status Manager. For instructions, see Identifying a CA to Online Certificate Status Manager.

At any given time, you can see the list of Certificate Managers that are currently recognized by the Online Certificate Status Manager.

To see the list of Certificate Managers:

  1. Open a web browser window.

  2. Go to the Online Certificate Status Manager's Agent interface. The URL is in this format: https://<hostname>:<port>.

    The Online Certificate Status Manager Agent Services interface appears.

  3. In the left frame, click List Certificate Authorities.

    The resulting form should show information about the Certificate Managers (CAs) that are recognized by the Online Certificate Status Manager.



Identifying a CA to Online Certificate Status Manager

The Online Certificate Status Manager can be configured to receive CRLs from multiple Certificate Managers. Before you configure a Certificate Manager to publish CRLs to the Online Certificate Status Manager, you must identify the Certificate Manager to the Online Certificate Status Manager. You do this by storing the Certificate Manager's CA signing certificate in the internal database of the Online Certificate Status Manager.

The steps below explain how to store the Certificate Manager's CA signing certificate in the internal database of the Online Certificate Status Manager:

  1. Open a web browser window.

  2. Go to the Certificate Manager's end-entity interface. The URL is in this format: https://<hostname>:<SSL_port> or http://<hostname>:<port>.

  3. Select the Retrieval tab, and in the left frame, click List Certificates.

  4. In the resulting form, click List.

    A list of certificates appears.

  5. Locate the Certificate Manager's CA signing certificate by looking at the subject name of the certificate.

    Typically, the CA signing certificate is the first certificate the Certificate Manager issues.

  6. Click Details.

  7. In the resulting page, scroll to the section that says "Base 64 encoded certificate" and shows the CA signing certificate in its base-64 encoded format.

  8. Copy the base-64 encoded certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines, to the clipboard or a text file.

    The copied information should look similar to the following example:

    -----BEGIN CERTIFICATE-----

    -----END CERTIFICATE-----

  9. Go to the Online Certificate Status Manager's Agent interface. The URL is in this format: https://<hostname>:<port>.

    The Online Certificate Status Manager Agent Services interface appears.

  10. In the left frame, click Add Certificate Authority.

  11. In the resulting form, paste the encoded CA signing certificate inside the text area labeled "Base 64 encoded certificate (including header and footer)."



  12. Click Add.

    The certificate is added to the internal database of the Online Certificate Status Manager.

  13. To verify that the certificate is added successfully, in the left frame, click List Certificate Authorities.

    The resulting form should show information about the Certificate Manager (CA) you just added.



Adding a CRL to Online Certificate Status Manager

A Certificate Manager may at times be unable to publish its CRL to the Online Certificate Status Manager. In that case, you can manually add a CRL to the internal database of the Online Certificate Status Manager.

To add a CRL to the internal database:

  1. Open a web browser window.

  2. Go to the Certificate Manager's Agent interface (see Accessing Agent Services). The URL is in this format: https://<hostname>:<port>. You must submit the proper client certificate to get access to this page.

    The Certificate Manager Agent Services interface appears.

  3. Select the Retrieval tab, and in the left frame, click Import Certificate Revocation List.

  4. In the resulting form, select the option to display the CRL in base-64 encoded format and click Submit.

  5. In the resulting page, scroll to the section that says "Base-64 encoded CRL," which shows the CRL in its base-64 encoded format.

  6. Copy the base-64 encoded CRL, including the -----BEGIN CRL----- and -----END CRL----- marker lines, to the clipboard or a text file.

    The copied information should look similar to the following example:

    -----BEGIN CRL-----

    -----END CRL-----

  7. Go to the Online Certificate Status Manager's Agent interface. The URL is in this format: https://<hostname>:<port>.

    The Online Certificate Status Manager Agent Services interface appears.

  8. In the left frame, click Add Certificate Revocation List.

  9. In the resulting form, paste the encoded CRL inside the text area labeled "Base 64 encoded certificate revocation list (including the header and footer)."

  10. Click Add.

    The CRL is added to the internal database of the Online Certificate Status Manager.



Checking the Revocation Status of a Certificate

You can check the revocation status of a certificate by submitting the certificate in its base-64 encoded format to the Online Certificate Status Manager:

  1. Copy the base-64 encoded certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines, to the clipboard or a text file.

    The copied information should look similar to the following example:

    -----BEGIN CERTIFICATE-----

    -----END CERTIFICATE-----

  2. Go to the Online Certificate Status Manager Agent Services page (see Accessing Agent Services).

    You must submit the proper client certificate to get access to this page.

  3. In the left frame, click Check Certificate Status.

  4. In the resulting form, paste the certificate inside the text area labeled "Base 64 encoded certificate."

  5. Click Check.

    The resulting form should inform you about the status of the certificate you just submitted.


Copyright © 2002 Sun Microsystems, Inc. All rights reserved.

Last Updated October 07, 2002