iPlanet Certificate Management System Agent's Guide



Chapter 6   Managing OCSP Service Related Tasks


This chapter describes how to perform the tasks of an Online Certificate Status Manager agent, such as identifying a CA to the Online Certificate Status Manager and adding a CRL to the Online Certificate Status Manager's internal database. This service is available only when the Online Certificate Status Manager subsystem is installed. The Online Certificate Status Manager Agent Services page allows certified agents to accomplish these tasks.

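This chapter has the following sections:

  Listing CAs Identified by Online Certificate Status Manager

  Identifying a CA to Online Certificate Status Manager

  Adding a CRL to Online Certificate Status Manager

  Checking the Revocation Status of a Certificate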



Listing CAs Identified by Online Certificate Status Manager

The Online Certificate Status Manager can be configured to receive CRLs from multiple Certificate Managers. Each Certificate Manager that can publish CRLs to the Online Certificate Status Manager must have its CA signing certificate stored in the internal database of the Online Certificate Status Manager. For instructions, see "Identifying a CA to Online Certificate Status Manager".

At any given time, you can see the list of Certificate Managers that are currently recognized by the Online Certificate Status Manager.

To see the list of Certificate Managers:

  1. Open a web browser window.

  2. Go to the Online Certificate Status Manager's Agent interface. The URL is in this format: https://<hostname>:<port>.

    The Online Certificate Status Manager Agent Services interface appears.

  3. In the left frame, click List Certificate Authorities.

    The resulting form should show information about the Certificate Managers (CAs) that are recognized by the Online Certificate Status Manager.



Identifying a CA to Online Certificate Status Manager

The Online Certificate Status Manager can be configured to receive CRLs from multiple Certificate Managers. Before you configure a Certificate Manager to publish CRLs to the Online Certificate Status Manager, you must identify the Certificate Manager to the Online Certificate Status Manager. You do this by storing the Certificate Manager's CA signing certificate in the internal database of the Online Certificate Status Manager.

The steps below explain how to store the Certificate Manager's CA signing certificate in the internal database of the Online Certificate Status Manager:

  1. Open a web browser window.

  2. Go to the Certificate Manager's end-entity interface. The URL is in the format https://<hostname>:<SSL_port> or http://<hostname>:<port>.

  3. Select the Retrieval tab, and in the left frame, click List Certificates.

  4. In the resulting form, click List.

    A list of certificates appears.

  5. Locate the Certificate Manager's CA signing certificate by looking at the subject name of the certificate.

    Typically, the CA signing certificate is the first certificate the Certificate Manager issues.

  6. Click Details.

  7. In the resulting page, scroll to the section that says "Base 64 encoded certificate" and shows the CA signing certificate in its base-64 encoded format.

  8. Copy the base-64 encoded certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines, to the clipboard or a text file.

    The copied information should look similar to the following example:

    -----BEGIN CERTIFICATE-----

    MIICJzCCAZCgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBCMSAwHgYDVQQKExdOZXRzY2FwZSBDb21tdW5pYF
    0aW9uczngjhnMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyNzE5MDAwMFoXDTk5MDIyMzE5MDAw
    MnbjdgngYoxIDAeBgNVBAoTF05ldHNjYXBlIENvbW11bmljYXRpb25zMQ8wDQYDVQQLEwZQZW9wbGUxFzA
    VBgoJkiaJkIsZAEBEwdzdXByaXlhMRcwFQYDVQQDEw5TdXByaXlhIFNoZXR0eTEjMCEGCSqGSIb3DbndgJ
    ARYUc3Vwcml5YUBuZXRzY2FwZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoYiYgthgtbbnjfngjn
    jgnagwJjAOBgNVHQ8BAf8EBAMCBLAwFAYJYIZIAYb4QgEBAQHBAQDAgCAMA0GCSqGSIb3DQEBBAUAA

    -----END CERTIFICATE-----

  9. Go to the Online Certificate Status Manager's Agent interface. The URL is in this format: https://<hostname>:<port>.

    The Online Certificate Status Manager Agent Services interface appears.

  10. In the left frame, click Add Certificate Authority.

  11. In the resulting form, paste the encoded CA signing certificate inside the text area labeled "Base 64 encoded certificate (including header and footer)."



  12. Click Add.

    The certificate is added to the internal database of the Online Certificate Status Manager.

  13. To verify that the certificate is added successfully, in the left frame, click List Certificate Authorities.

    The resulting form should show information about the Certificate Manager (CA) you just added.



Adding a CRL to Online Certificate Status Manager

A Certificate Manager may at times be unable to publish its CRL to the Online Certificate Status Manager. In that situation, you can manually add a CRL to the internal database of the Online Certificate Status Manager.

To add a CRL to the internal database:

  1. Open a web browser window.

  2. Go to the Certificate Manager's Agent interface (see Accessing Agent Services). The URL is in this format: https://<hostname>:<port>. You must submit the proper client certificate to get access to this page.

    The Certificate Manager Agent Services interface appears.

  3. Select the Retrieval tab, and in the left frame, click Import Certificate Revocation List.

  4. In the resulting form, select the option to display the CRL in base-64 encoded format and click Submit.

  5. In the resulting page, scroll to the section that says "Base-64 encoded CRL" which shows the CRL in its base-64 encoded format.

  6. Copy the base-64 encoded CRL, including the -----BEGIN CRL----- and -----END CRL----- marker lines, to the clipboard or a text file.

    The copied information should look similar to the following example:

    -----BEGIN CRL-----

    MIICJzCCAZCgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBCMSAwHgYDVQQKExdOZXRzY2FwZSBDb21tdW5pYF
    0aW9uczngjhnMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyNzE5MDAwMFoXDTk5MDIyMzE5MDAw
    MnbjdgngYoxIDAeBgNVBAoTF05ldHNjYXBlIENvbW11bmljYXRpb25zMQ8wDQYDVQQLEwZQZW9wbGUxFzA
    VBgoJkiaJkIsZAEBEwdzdXByaXlhMRcwFQYDVQQDEw5TdXByaXlhIFNoZXR0eTEjMCEGCSqGSIb3DbndgJ
    ARYUc3Vwcml5YUBuZXRzY2FwZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoYiYgthgtbbnjfngjn
    jgnagwJjAOBgNVHQ8BAf8EBAMCBLAwFAYJYIZIAYb4QgEBAQHBAQDAgCAMA0GCSqGSIb3DQEBBAUAA4GBA
    Fi9FzyJlLmS+kzsue0kTXawbwamGdYql2w4hIBgdR+jWeLmD4CP4xzmKdvQ6IqD2q8DBs9lRQu9JYg129o

    -----END CRL-----

  7. Go to the Online Certificate Status Manager's Agent interface. The URL is in this format: https://<hostname>:<port>.

    The Online Certificate Status Manager Agent Services interface appears.

  8. In the left frame, click Add Certificate Revocation List.

  9. In the resulting form, paste the encoded CRL inside the text area labeled "Base 64 encoded certificate revocation list (including the header and footer)."

  10. Click Add.

    The CRL is added to the internal database of the Online Certificate Status Manager.



Checking the Revocation Status of a Certificate

You can check the revocation status of a certificate by submitting the certificate in its base-64 encoded format to the Online Certificate Status Manager:

  1. Copy the base-64 encoded certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines, to the clipboard or a text file.

    The copied information should look similar to the following example:

    -----BEGIN CERTIFICATE-----

    MIICJzCCAZCgAwIBAgIByrgrugrwuguvgrvhfeygyDBCMSAwHgYDVQQKExdOZXRzY2FwZSBDb21tdW5pYF
    dih9uczngjhnMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyNzE5MDAwMFoXDTk5MDIyMzE5MDAw
    MnbjdgngYoxIDAeBgNVBAoTF05ldHNjYXBlafkhbfgsdbutihdhb25zMQ8wDQYDVQQLEwZQZW9wbGUxFzA
    VBgoJkiaJkIsZAEBEwdzdXByaXlhMRcwFQYDVQQDEw5TdXByaXlhIFNoZXR0eTEjMCEGCSqGSIb3DbndgJ
    ASdUc3Vwcml5YUBuZXRzY2FwZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoYiYgthgtbbnjfngjn
    jgnagwJjAOBgNVHQ8BAf8EBAMCBLAwFAYJYIZIAYb4QgEBAQHBAQDAgCAMA0GCSqGSIb3DQEBBAUAA

    -----END CERTIFICATE-----

  2. Go to the Online Certificate Status Manager Agent Services page (see Accessing Agent Services).

    You must submit the proper client certificate to get access to this page.

  3. In the left frame, click Check Certificate Status.

  4. In the resulting form, paste the certificate inside the text area labeled "Base 64 encoded certificate."

  5. Click Check.

    The resulting form should inform you about the status of the certificate you just submitted.
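
A check to run on a copied block before pasting it in any of the three procedures above (the CA signing certificate, the CRL, or the certificate whose status is checked). It is an added example, not part of the iPlanet guide or product: it confirms that the marker lines are present and match the form, that the body decodes, and that the outer DER length accounts for every byte, then returns a SHA-256 of the DER to compare at both ends of the copy. The function names and the sample are constructed for illustration, and accepting the `X509 CRL` label in addition to the `CRL` label shown in this guide is an assumption.

```python
import base64
import binascii
import hashlib
import re

# Labels: the guide's pages show CERTIFICATE and CRL; "X509 CRL" is the
# RFC 7468 label that other tools emit for the same object (assumption).
LABELS = {"CERTIFICATE", "CRL", "X509 CRL"}
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S)


def check_pasted_block(text, expected_label):
    """Return (ok, detail); detail is the SHA-256 of the DER when ok."""
    m = PEM_RE.search(text)
    if m is None:
        return False, "missing BEGIN/END marker lines"
    begin, body, end = m.groups()
    if begin != end or begin not in LABELS:
        return False, "unexpected or mismatched markers"
    if begin.split()[-1] != expected_label:
        return False, "wrong object type for this form"
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except (binascii.Error, ValueError):
        return False, "body is not valid base-64"
    # Outer DER framing: SEQUENCE tag, then a length that must account for
    # every remaining byte. A partial copy fails this check.
    if len(der) < 2 or der[0] != 0x30:
        return False, "not a DER SEQUENCE"
    if der[1] < 0x80:
        hdr, length = 2, der[1]
    else:
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False, "bad DER length"
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if hdr + length != len(der):
        return False, "truncated or padded DER"
    return True, hashlib.sha256(der).hexdigest()


def make_sample(label, size=300):
    """Constructed sample: valid outer DER framing only, not a real object."""
    der = b"\x30\x82" + size.to_bytes(2, "big") + bytes(size)
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(lines), label)
```

The check covers framing only; it does not verify the issuer's signature on the certificate or CRL.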


Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated April 02, 2001