Complete Contents
About This Guide
PART 1: Netscape Certificate Management System
Chapter 1: Introduction to Certificate Management System
Chapter 2: Administration Tasks and Tool
Chapter 3: Configuration
PART 2: Managing Certificate Management System
Chapter 4: Installing and Uninstalling CMS Instances
Chapter 5: Starting and Stopping CMS Instances
PART 3: System-Level Configuration
Chapter 6: Configuring Ports, Database, and SMTP Settings
Chapter 7: Managing Privileged Users and Groups
Chapter 8: Keys and Certificates
PART 4: Authentication
Chapter 9: Introduction to Authentication
Chapter 10: Authentication Modules for End-Entity Enrollment
Chapter 11: Using the PIN Generator Tool
Chapter 12: Configuring Authentication for End Users
Chapter 13: Developing Custom Authentication Modules
PART 5: Job Scheduling and Notification
Chapter 14: Introduction to Job Scheduling and Notifications
Chapter 15: Configuring Schedulable Jobs
PART 6: Policies
Chapter 16: Introduction to Policy
Chapter 17: Constraints-Specific Policy Modules
Chapter 18: Extension-Specific Policy Modules
Chapter 19: Configuring a Subsystem's Policies
PART 7: Publishing
Chapter 20: Introduction to Publishing Certificates and CRLs
Chapter 21: Modules for Publishing Certificates and CRLs
Chapter 22: Configuring a Certificate Manager for Publishing
PART 8: Agent and End-Entity Interfaces
Chapter 23: Introduction to End-Entity and Agent Interfaces
Chapter 24: Customizing End-Entity and Agent Interfaces
PART 9: Logs
Chapter 25: Introduction to Logs
Chapter 26: Managing Logs
PART 10: Issuance and Management of End-Entity Certificates
Chapter 27: Issuing and Managing End-Entity Certificates
Chapter 28: Recovering Encrypted Data
PART 11: Appendixes
Appendix A: Distinguished Names
Appendix B: Backing Up and Restoring Data
Appendix C: Command-Line Utilities
Appendix D: Certificate Database Tool
Appendix E: Key Database Tool
Appendix F: Netscape Signing Tool
Appendix G: SSL Strength Tool
Appendix H: SSL Debugging Tool
Netscape Certificate Management System Administrator's Guide: Introduction to Publishing
Previous Next Contents Index Bookshelf


Chapter 20 Introduction to Publishing Certificates and CRLs

In Certificate Management System, publishing refers to the ability of the Certificate Manager to publish certificates, CRLs, and other certificate-related objects to any of the supported repositories--an LDAP-compliant directory, a flat file, and an online validation authority--using the appropriate protocol. Configuring the Certificate Manager for publishing is optional--you can turn this feature off without affecting any of the certificate issuance and management operations handled by the server.

This chapter explains how a Certificate Manager works with the above mentioned repositories. The chapter has the following sections:


Publishing of Certificates
The Certificate Manager can publish certificates (ones that it issues) to an LDAP-compliant directory and a flat file. Sections that follow explain each of these in detail.

Publishing of Certificates to a Directory

Large corporations typically use Lightweight Directory Access Protocol (LDAP) directories, such as Netscape Directory Server, to store and manage corporatewide data, including user and group information and network resource data. If you have deployed an LDAP-compliant directory, you can configure the Certificate Manager to automatically publish your CA and end-entity certificate-related information to that directory. For example, if you have configured the Certificate Management System to employ directory-based authentication, you should consider publishing the CA and end-entity certificates to the same directory. This way, you can keep your users' security credentials with the rest of the user information (see Figure 20.1).

Figure 20.1 Publishing certificates to a directory for distribution

The ability of a Certificate Manager to publish certificates, CRLs, and other certificate-related objects to a directory using the LDAP or LDAPS protocol is called LDAP publishing and the directory to which it publishes is called the publishing directory. Note that configuring the Certificate Manager for LDAP publishing is optional--you can turn this feature off without affecting any of the certificate issuance, renewal, and revocation operations handled by the server.

You can configure the Certificate Manager to automatically publish certificates to the directory every time a certificate is issued and at a predetermined interval--for example, every day or once every week. Privileged users (administrators and agents) can also manually initiate the LDAP publishing process.

Figure 20.2 illustrates LDAP publishing by the Certificate Manager when a certificate requested via the manual-enrollment process is issued.

Figure 20.2 Publishing by a Certificate Manager

Figure 20.3 illustrates how certificates requested via a Registration Manager get published to the directory.

Figure 20.3 Publishing of certificates requested via a Registration Manager

Timing of Directory Updates

If the LDAP directory is properly configured to work with the Certificate Manager (and vice versa), any changes to the certificate information in the Certificate Manager are automatically made also in the publishing directory.

The publishing directory is updated at these times:

Table 20.1 summarizes the above-listed actions of the Certificate Manager. The table also indicates how the Certificate Manager populates an LDAP directory, if configured for publishing. Note that certificates (and CRLs) are published as DER-encoded binary blobs.

Table 20.1 Details of objects published by the Certificate Manager

Object
Action and Timing
LDAP entry
LDAP attribute
End-entity certificate
Publishing occurs when a certificate is issued or renewed
End-entity's entry
userCertificate;binary

Unpublishing (removal) occurs when a certificate is revoked or expired
End-entity's entry
userCertificate;binary
CA certificate

Publishing occurs when the Certificate Manager is started
CA's entry
caCertificate;binary
CRL (full)
Publishing (replacement) occurs when a new CRL is generated
CA's entry
certificateRevocation
List;binary

The Certificate Manager cannot update the directory in the following cases:

Note that the Certificate Manager's LDAP publishing action happens as a separate transaction from any certificate operation (such as issuance); the operation of a certificate is not affected by whether it was successfully published or not.

Directory Update Process

As indicated in Table 20.1, when a Certificate Manager is requested to issue a certificate, update certificate information, or publish a CRL, it automatically updates the corresponding entry in the configured directory with relevant information. To locate the correct directory entry, the Certificate Manager relies on object-mapping rules, which can be defined using the mapper modules; for details, see "Mapper Modules". Once an entry is located, to publish the object to the correct attribute, the server relies on object-publishing rules, which can be defined with the help of publisher modules; for details, "Publisher Modules".

Similarly, when you revoke a certificate, the Certificate Manager uses the object mapping and publishing rule to locate and delete the corresponding certificate from the directory.

For instruction on how to configure the Certificate Manager to publish to a directory, see "Publishing Certificates and CRLs to a Directory".

Directory Synchronization

The Certificate Manager and the publishing directory can become out of sync if certificates are issued or revoked while Directory Server is down. Certificates that were issued or revoked need to be published or unpublished manually when Directory Server comes back up.

To help find certificates that are out of sync with the directory--that is, valid certificates that are not in the directory and revoked or expired certificates that are still in the directory--the Certificate Manager keeps a record of whether a certificate in its internal database has been published to the directory. If the Certificate Manager and the publishing directory become out of sync, you can use the Update Directory option in the Certificate Manager Agent Services interface to synchronize the publishing directory with the internal database.

The following choices are available for synchronizing the directory with the internal database:

For instructions, see "Manually Updating Certificates in the Directory".

Publishing of Certificates to a Flat File

In addition to publishing to a directory, the Certificate Manager can publish the certificate to a file. The certificate is published as a DER-encoded binary blob and applications that are capable of reading such data may read the file for certificate information. For example, you can customize the sample code for Flat File CRL and certificate publisher can be customized to store certificates and CRLs in a relational database management system.

For instructions on how to configure a Certificate Manager to publish certificates to a flat file, see "Publishing Certificates and CRLs to Flat Files".


Publishing of CRLs
Server and client applications that use public-key certificates as tokens of identification need access to information about the validity of a certificate; because one of the factors that determines the validity of a certificate is its revocation status, these applications need to know whether the certificate being validated has been revoked. In that regard, the CA has a responsibility to do the following:

One of the standard methods for conveying the revocation status of certificates is by publishing a list of revoked certificates. This list is known as the certificate revocation list (CRL). The CRL is a publicly available list of certificates that have been revoked.

A CRL is issued and digitally signed by the certificate authority (CA) that issued the certificates listed in the CRL. The CA's function includes creating the CRLs periodically and distributing them to other applications. For example, the CA may publish the CRL to a global directory which other applications may use for checking the revocation status of a certificate or from which other applications can retrieve the CRL.

In Certificate Management System, the Certificate Manager creates the CRL and publishes it to the configured repositories; this is explained in "Supported Methods for Verifying Revocation Status of Certificates". Configuring a Certificate Manager to publish CRLs is optional. Note that the Registration Manager cannot create or publish the CRL.

Normally, whenever a certificate is revoked (by administrators, agents, or end users), the Certificate Manager automatically updates the status of the certificate in its internal database--it marks the copy of the certificate in its internal database as revoked and removes the revoked certificate from the directory, if the Certificate Manager is configured to do so. In addition to certificates, the Certificate Manager also maintains a CRL in its internal database. You can configure the Certificate Manager to generate the CRL every time a certificate is revoked and at periodic intervals.

You can also configure the Certificate Manager to generate and publish CRLs conforming to X.509 (either version 1 or version 2) standards by enabling or disabling the CRL extension-specific modules in the server's configuration. Note that the server supports standard CRL extensions that are explained in "CRL Extension Modules".

For instructions on how to configure a Certificate Manager to publish CRLs, see "Configuring a Certificate Manager for Publishing".

Reasons for Revoking a Certificate

A Certificate Manager can revoke any certificate it has issued. A certificate needs to be revoked if one or more of the following situations occur:

A certificate can be revoked by administrators, agents, and end entities, such as end users and individual server administrators. Agents and administrators (with agent privileges) can revoke certificates by using the forms provided in the agent interface. Administrators, agents, and end users can revoke certificates by using the forms provided in the Revocation tab of the end-entity interface. Note that end users can revoke only their own certificates, whereas agents and administrators can revoke any certificates issued by the server. End users are required to authenticate to the server in order to revoke their certificate; see "Authentication of End Users During Certificate Revocation".

Whenever a certificate is revoked, the Certificate Manager updates the status of the certificate in its internal database. This way, the server keeps track of all revoked certificates in its internal database and it makes the revoked list of certificates public (by publishing it to a central repository) to notify other users that the certificates in the list are no longer valid.

Revocation Checking by Netscape Clients

At the time of this writing, Netscape Communicator versions 4.7 and later, when used in conjunction with the security module called Netscape Personal Security Manager, enable automatic revocation-status verification of certificates using the OCSP protocol. The section "Publishing of CRLs to an Online Validation Authority" explains how the revocation status of a certificate is verified in an OCSP-compliant PKI setup.

Earlier versions of Netscape client products do not have the ability to automatically check to see whether a certificate has been revoked. However, these clients do give the user the ability to check the revocation status of a certificate if it includes the NetscapeRevocationURL extension. For details about this extension, check this site:

http://home.netscape.com/eng/security/cert-exts.html

In addition, from the Retrieval tab of the end-entity interface, Netscape client users can manually check the revocation status of a particular certificate and automatically import the latest version of the CRL into their browsers. If your users are not using Netscape clients, they can download the latest CRL in binary form to a local file, and then import this file into their browsers by an appropriate method. Users can also view the header information of the master or full CRL published by the Certificate Manager, which contains the date and time of the latest update, and then compare this information to that in their browser's CRL to see if they have the latest version.

Revocation Checking by Netscape Servers

Because Netscape servers currently cannot check the revocation status of a certificate, you should use other forms of access control. For example, you can remove individual users from access groups to prevent them from accessing the server.

Because Certificate Management System can check the revocation status of the certificates that it issues, you do not need to rely on other forms of access control.

Supported Methods for Verifying Revocation Status of Certificates

Revocation status of a certificate can be made available to PKI entities by publishing the CRL to various repositories. To aid you in this process, the Certificate Manager supports publishing of CRLs to the following repositories:

Applications in your enterprise may use any of these repositories to verify the revocation status of a certificate.

Publishing of CRLs to an LDAP Directory

The Certificate Manager can publish the CRL to an LDAP-compliant directory using the LDAP protocol or LDAP over SSL (LDAPS) protocol, and applications can retrieve the CRL over HTTP. Support for retrieving CRLs over HTTP enables some browsers, such as Netscape Communicator, to automatically import the latest CRL from the directory that receives regular updates from the Certificate Manager. The browser can then use the CRL to automatically check all certificates to ensure that they have not been revoked.

For applications that are incapable of retrieving the CRL over HTTP, the Certificate Manager also supports retrieval of the CRL in binary form. For example, if the browser you've deployed doesn't support CRL retrieval over HTTP, your users may download the CRL to a local file and then import the file into their browsers by an appropriate method.

You can configure a Certificate Manager to publish the CRL it maintains to a directory, for example, to the same directory in which end-entity certificates are published. If you configure the Certificate Manager and directory to work properly, any changes to the CRL information in the Certificate Manager are automatically updated in the publishing directory. Note that the server publishes the CRL to the certificateRevocationList;binary attribute of the CA's entry in the directory. To locate the correct directory entry, the Certificate Manager uses object mapping rules; to publish the CRL to the correct attribute of the located entry, the server uses publishing rules. For details, see "Mapper Modules" and "Publisher Modules".

Directory updates take place depending on how you configure the Certificate Manager--that is, publish the CRL to the directory every time a certificate is revoked or at specific intervals, or both. It's important to understand that when the Certificate Manager revokes a certificate, it marks the copy of the certificate in its internal database as revoked and generates CRL before publishing it to the configured directory. For example, if you configure the server to publish the CRL every time a certificate is revoked, CRL will be generated whenever a certificate is revoked.

For instructions on configuring a Certificate Manager for publishing CRLs to a directory, see "Publishing Certificates and CRLs to a Directory".

If the Certificate Manager and publishing directory become out of sync for some reason, privileged users (administrators and agents) can also manually initiate the publishing process. For instructions, see "Manually Updating the CRL in the Directory".

CRL Issuing Points

Because CRLs can grow very large, several methods have been developed to minimize overhead of retrieving and delivering large CRLs. One of these methods is based on partitioning the entire certificate space and associating a separate CRL with every partition. This partition is called a CRL issuing or distribution point--it is the location where a subset of all the revoked certificates are maintained. Partitioning can be based on revocation reason, on whether the revoked certificate is a CA certificate or end-entity certificate, on end users' names, and so on. Each issuing point is identified by a set of names, which can be in various forms.

Once the issuing points have been defined, they can be included in certificates so that an application that needs to check the revocation status of a certificate can access the CRL issuing points specified in the certificate instead of the master or main CRL--the application would check the CRL maintained at the issuing point, which would be smaller in size compared to the master CRL, and thus speed up the revocation-status-checking process.

CRL distribution points can be associated with certificates using the CRLDistributionPoint extension in the certificates.

By default, the Certificate Manager only generates and publishes a single CRL, identified as the master CRL. However, for interoperatability purposes, the server does enable you to add the CRLDistributionPoint extension to the certificates it issues. For details, see "CRL Distribution Points Extension Policy".

Publishing of CRLs to Flat Files

In this method, the Certificate Manager publishes the CRL to a file. The CRL is published as a DER-encoded binary blob and applications that are capable of reading such data may read the file for CRL information. You may also use the file to import the CRL to other repositories.

For instructions on how to configure a Certificate Manager to publish CRLs to a flat file, see "Publishing Certificates and CRLs to Flat Files".

Publishing of CRLs to an Online Validation Authority

Certificate Management System supports the Online Certificate Status Protocol (OCSP) as defined in the PKIX standard RFC 2560 (see http://www.ietf.org/rfc/rfc2560.txt). The Certificate Manager can publish a CRL to an OCSP-compliant online validation authority or server, such as ValiCert Certificate VA.

The OCSP protocol enables OCSP-compliant applications to determine the state of a certificate, including the revocation status, without having to directly check a CRL published by a CA to the validation authority. The validation authority, which is also called an OCSP responder, does the checking for the application.

An OCSP-compliant PKI setup generally includes the following, which work together to verify the revocation status of a certificate:

The revocation-status verification process has two parts:

  1. When a certificate's status needs to be verified, the OCSP client (an OCSP-compliant application) sends a request to the OCSP responder for verification and waits for a response from the responder.
  2. The OCSP request that the client submits generally contains all the information required by the responder to identify the certificate whose status it needs to determine.

    (Consider this process is similar to a cashier scanning your credit card and waiting for a response from the credit-card processing unit. The scanning unit sends identifying information, such as the credit card number, its type, validity period, and so on.)

  3. Upon receipt of the request, the OCSP responder determines if the request contains all the information required by the responder to process it.
Note that every response that the client receives, including a rejection notification, is digitally signed by the responder; the client is expected to verify the signature to ensure that the response came from the responder to which it submitted the request. The key the responder uses to sign the message depends on how the OCSP responder is deployed in a PKI setup. RFC 2560 recommends that the key used to sign the response belong to one of the following:

The OCSP response that the client receives indicates the current status of the certificate as determined by the OCSP responder. The response could be any of the following:

Based on the status, the client decides whether to validate the certificate.

Local OCSP Support

As mentioned in the preceding section, in addition to a CA, you also need an OCSP responder and OCSP-compliant clients if you want to set up an OCSP-compliant PKI setup. To aid you in this process, Certificate Management System bundles the following components:

When you install Certificate Management System, the files for the Certificate VA are placed at this location: <server_root>/cva301

Similarly, the files for the Personal Security Manager, version 1.1, are placed at this location: <server_root>/psm11

Following CMS installation, you may choose to install these components by running the appropriate setup programs. By installing the Certificate VA, you can deploy an internal OCSP responder and not outsource your CRL to a publicly-accessible machine. For instructions on how to set up a local OCSP responder, see "Publishing CRLs to Online Validation Authority".

 

© Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.