Administrator's Guide
Netscape Certificate Management System

Chapter 16   Publishing


Netscape Certificate Management System (CMS) provides a customizable publishing framework for the Certificate Manager and the Registration Manager, enabling them to publish certificates, certificate revocation lists (CRLs), and other certificate-related objects to any of the supported repositories—an LDAP-compliant directory, a flat file, and an online validation authority—using the appropriate protocol. This chapter explains how to configure the Certificate Manager or Registration Manager to publish certificates and CRLs to a file, to a directory, and to the Online Certificate Status Manager.


About Publishing


CMS can publish certificates to a file or to an LDAP directory, and CRLs to a file, to an LDAP directory, or to an OCSP responder.

The publishing feature is flexible: you can publish to a file, to an LDAP directory, to an OCSP responder, or to any combination of the three.

Further, you can set up particular kinds of certificates or CRLs to be published to any of these repositories, or to all three. For example, you could publish CA certificates only to a directory and not to a file, and publish user certificates to both a file and a directory.

Note: An OCSP responder only provides information about CRLs, you do not publish certificates to an OCSP responder.

You can also create different publishing locations for certificate files and CRL files, or even different locations for different types of certificate files or different types of CRL files. For example, you can publish CA certificates to one location while publishing user certificates to a completely different location.

Similarly, you can publish different types of certificates to different places in a directory, and different types of CRLs to different places in a directory. For example, you can identify a type of user, for example ones from the west coast division of the company and publish those user certificates in one branch of the directory, while publishing certificates for users from the east coast division of the company in another branch of the directory.

You can set up publishing in a Certificate Manager or a Registration Manager. The Certificate Manager publishes the certificates and CRLs it issues. The Registration Manager publishes the certificates it processes, but does not publish CRLs. You may want to set up a Registration Manager for publishing because it publishes outside the firewall, or to publish a subset of the certificates the Certificate Manager creates—only those processed by the Registration Manager.

Setting up publishing involves configuring Publishers, Mappers, and Rules.

About Publishers

Publishers specify the location in which certificates and CRLs are published. In the case of publishing to a file, publishers specify the publishing directory. In the case of LDAP publishing, publishers specify the attribute in the directory that will store the certificate or CRL; a mapper is used to determine the DN of the entry—the location of the LDAP directory is specified when you enable LDAP publishing. In the case of an OCSP responder, publishers specify the host name and URI of the Online Certificate Status Manager's secure EE service.

With file publishing, you set up a publisher for every location you will publish to. With LDAP publishing, a publisher names only the attribute that stores the object, so the preconfigured publishers usually suffice; the formula for deriving each entry's DN belongs to a mapper, and you set up one mapper for every different way of deriving a DN. With OCSP publishing, you set up a publisher for every Online Certificate Status Manager you will publish to. When you create a rule that determines whether a given certificate or CRL will be published, you associate a publisher with that rule to provide the location for the rule.

About Mappers

Mappers are only used in LDAP publishing. Mappers allow you to construct the DN for an entry based on information from the certificate or the certificate request. The server needs to figure out the DN of the entry in which to publish certificates and CRLs. It has information from the subject name of the certificate, and from the certificate request for the certificate and needs to know how to use this information to create a DN for that entry. The mapper provides a formula for converting the information available to either a DN, or some unique information that can be searched in the directory to obtain a DN for the entry.

About Rules

You set up Rules for file, LDAP, and OCSP publishing which tell the server whether or not a certificate or CRL matches that rule, and if so, how it is to be published. A rule first defines what is to be published: a certificate or CRL with certain characteristics. A rule then specifies the publishing method and location. You define which certificates or CRLs get published by defining a type and predicate for the rule. You specify how and where to publish by associating the rule with a publisher, and, in the case of LDAP publishing, with a mapper.

You can create a simple or a complex set of publishing rules depending on your needs; the flexibility to do so is built in.

About Publishing to Files

The server can publish certificates and CRLs to flat files, which can then be imported into any repository, for example, into a relational database. If you configure the server to publish certificates and CRLs to flat files, it publishes them to files as DER-encoded binary blobs.

About LDAP Publishing

The ability of a server to publish certificates, CRLs, and other certificate-related objects to a directory using the LDAP or LDAPS protocol is called LDAP publishing and the directory to which it publishes is called the publishing directory.

The server can publish certificates and CRLs to an LDAP-compliant directory using the LDAP protocol or LDAP over SSL (LDAPS) protocol, and applications can retrieve the certificates and CRLs over HTTP. Support for retrieving certificates and CRLs over HTTP enables some browsers, such as Netscape Communicator, to automatically import the latest CRL from the directory that receives regular updates from the server. The browser can then use the CRL to automatically check all certificates to ensure that they have not been revoked.

For LDAP publishing to work, the user entry must be present in the LDAP directory.

If the server and publishing directory become out of sync for some reason, privileged users (administrators and agents) can also manually initiate the publishing process. For instructions, see Manually Updating the CRL in the Directory.

About OCSP Publishing

CMS provides two forms of OCSP service: an internal service and the Online Certificate Status Manager subsystem. The internal service checks the internal database of the Certificate Manager to report on the status of a certificate. The internal service is not set up for publishing; it uses the certificates stored in the Certificate Manager's internal database to determine the status of a certificate. The Online Certificate Status Manager checks CRLs sent to it by one or more Certificate Managers. You set up publishing for the Online Certificate Status Manager in each Certificate Manager that will send it CRLs: one publisher for each location you will send a CRL to, and one rule for each type of CRL you will send.

For detailed information on both OCSP services, see Chapter 5 "OCSP Responder."

How Publishing Works

When publishing is enabled, every time a certificate or a CRL is issued, updated, or revoked, the publishing system is invoked and the certificate or CRL is evaluated by the rules to see if it matches the type and predicate set in the rule. The type setting specifies if the object is a CRL, CA certificate, or any other certificate except for a CA certificate. The predicate setting can be used to further specify the type of object being evaluated. For example, it can specify user certificates, or it can specify west coast user certificates. To use predicates, a value needs to be entered in the predicate field of the publishing rule, and a corresponding value (although formatted somewhat differently) needs to be contained in the certificate or certificate request itself in order for a match to occur. The value in the certificate or certificate request may be derived from information in the certificate, such as the type of certificate, or may be derived from a hidden value that is placed in the request form. If no predicate is set, all of that type are considered matching, for example, all CRLs will match this rule if CRL is set as the type.

Every rule that is matched publishes the certificate or CRL according to the method and location specified in that rule. A given certificate or CRL can match no rules, one rule, more than one rule, or all rules. The publishing system attempts to match every certificate and CRL issued against all rules.

When a rule is matched, the certificate or CRL is published according to the method and location specified in the publisher associated with that rule. For example, if a rule matches all certificates issued to users, and the rule has a publisher that publishes to a file in the location /etc/cms/certificates, the certificate will be published as a file in this location. If another rule matches all certificates issued to users, and the rule has a publisher that publishes to the LDAP attribute userCertificate;binary, the certificate will be published to that attribute of the user's entry in the directory specified when you enabled LDAP publishing.

For rules that publish to a file, a new file is created in the stipulated directory whenever a certificate or a CRL is issued.

For rules that specify to publish to an LDAP directory, the certificate or CRL is published to the entry specified in the directory, in the attribute specified. Note that the certificate or CRL will replace any certificate or CRL that is already published to this attribute.

For rules that publish to an Online Certificate Status Manager, the CRL is published to that manager; certificates are never published to an Online Certificate Status Manager.

For LDAP publishing, the location of the entry must be determined. Mappers are used to determine the entry in which to publish. A mapper can contain an exact DN for the entry, or it can contain variables that take information from the certificate or the certificate request and use it either to build the DN directly or to search the directory for a unique attribute or set of attributes in the entry and so ascertain the correct DN.

When you revoke a certificate, the server uses the publishing rules to locate and delete the corresponding certificate from the LDAP directory or from the file system.

When a certificate expires, the server can remove that certificate from the configured directory. Note that the server does not do this automatically. You need to configure the server to run the appropriate job. For details, see Chapter 14 "Automated Jobs".
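The rule evaluation just described, as an added example in Python rather than CMS code: every object is tested against every rule, and rules fire independently, so a user certificate can match both a file rule and an LDAP rule while a CA certificate matches neither. The type names cacert/certs/crl, the predicate syntax (`name==value` terms joined with ` AND `), the publisher callables and the sample objects are all assumptions made for the example.

```python
"""Added example: publishing rules evaluated the way the text describes.
Not CMS code; the type names, predicate syntax and sample data are assumed."""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Rule:
    name: str
    type: str        # assumed: "cacert", "certs" (any non-CA certificate) or "crl"
    predicate: str   # "" matches every object of the rule's type
    publisher: Callable[[dict], str]  # returns where the object was published


def object_type(obj: dict) -> str:
    """The three types the text distinguishes: CRL, CA cert, any other cert."""
    if obj["kind"] == "crl":
        return "crl"
    return "cacert" if obj.get("is_ca") else "certs"


def predicate_matches(predicate: str, attrs: dict) -> bool:
    """Assumed syntax: zero or more `name==value` terms joined by ' AND '.
    Every term must equal an attribute carried by the object (the page's
    'corresponding value' taken from the certificate or request form)."""
    if not predicate.strip():
        return True
    for term in predicate.split(" AND "):
        key, sep, value = term.partition("==")
        if not sep or attrs.get(key.strip()) != value.strip():
            return False
    return True


def evaluate(obj: dict, rules: list) -> list:
    """Test the object against every rule; rules are independent, so zero,
    one or many may fire. Returns (rule name, location) for each match."""
    fired = []
    for rule in rules:
        if rule.type != object_type(obj):
            continue
        if not predicate_matches(rule.predicate, obj.get("attrs", {})):
            continue
        fired.append((rule.name, rule.publisher(obj)))
    return fired


def file_publisher(directory: str) -> Callable[[dict], str]:
    # FileBasedPublisher analogue: one DER file per object in `directory`
    return lambda obj: f"{directory}/{obj['kind']}-{obj['id']}.der"


def ldap_publisher(attr: str) -> Callable[[dict], str]:
    # LDAP publisher analogue: the attribute of the entry a mapper resolves
    return lambda obj: f"{attr} of entry mapped from {obj['subject']}"


RULES = [
    Rule("UserCertsToFile", "certs", "", file_publisher("/export/cms/certificates")),
    Rule("WestUsersToLdap", "certs", "division==west", ldap_publisher("userCertificate;binary")),
    Rule("CrlToFile", "crl", "", file_publisher("/export/cms/crls")),
]

# Constructed sample objects (not real certificates or CRLs).
SAMPLES = {
    "alice": {"kind": "cert", "id": 1001, "subject": "UID=alice,O=example.com", "attrs": {"division": "west"}},
    "bob": {"kind": "cert", "id": 1002, "subject": "UID=bob,O=example.com", "attrs": {"division": "east"}},
    "ca": {"kind": "cert", "id": 1, "subject": "CN=Certificate Manager,O=example.com", "is_ca": True},
    "crl": {"kind": "crl", "id": 7, "subject": "CN=Certificate Manager,O=example.com"},
}


def run_demo() -> dict:
    """Which rules fire for each sample object."""
    return {name: [rule for rule, _ in evaluate(obj, RULES)] for name, obj in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in run_demo().items():
        print(f"{name}: {fired or 'no rule matched, not published'}")
```

Note that the CA certificate is silently not published at all: no rule of type cacert exists, and the certs rules do not match it. Missing a rule for an object type is the usual reason a CA certificate or CRL never shows up in the directory.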

Setting Up Publishing


To set up publishing:

  1. For file publishing, create a publisher for each location you will publish files to. For complete details about setting up publishers, see "Configuring Publishers for Publishing to a File".
  2. For OCSP publishing, create a publisher for each Online Certificate Status Manager location you will publish CRLs to. For complete details, see "Configuring Publishers for Publishing to OCSP".
  3. For LDAP publishing, you need a publisher for each type of object you will be publishing: CA certificate, cross-pair certificate, CRL, and user certificate. In the case of LDAP publishing, the publisher simply declares which attribute to store the object in. The attributes set up by default are the X.500 standard attributes for storing each object type; you can change the attribute by editing the publisher. Generally, you will not need to do anything to the publishers for LDAP publishing. For more information, see "Configuring Publishers for LDAP Publishing".
  4. For LDAP publishing, set up mappers so that an entry's DN can be derived from the certificate's subject name. Generally, you will need one for the CA certificate, one for CRLs, and one for user certificates. You can also set up more than one mapper for a particular type; for example, if two sets of users from different divisions of your company are located in different parts of the directory tree, you might create one mapper for each group, each specifying a different branch of the tree. For complete details, see "Configuring Mappers".
  5. Set up rules to determine exactly what gets published where. Rules work independently, not in tandem: a certificate or CRL being published is matched against every rule, and every rule it matches is activated. In this way, the same certificate can be published to both a file and an LDAP directory by matching a file-based rule and a directory-based rule. You can set up rules for each object type (CA certificate, CRL, user certificate, and cross-pair certificate), or divide them further so that you have different rules for different kinds of certificates or different kinds of CRLs.

     A rule first determines whether the object meets the rule, by matching the type and predicate set in the rule against the object itself, and then where it is to be published, which is determined by the publisher and mapper associated with the rule. For complete details, see "Modifying Publishing Rules for Certificates and CRLs".

  6. If you are publishing CRLs, you must set up CRLs before you can publish them. See Chapter 15 "Revocation and CRLs" for complete details.
  7. For LDAP publishing, configure the Directory Server you will be publishing to. See "Configuring the Directory for LDAP Publishing" for details.
  8. Enable publishing, after setting up publishers, mappers, and rules. Once enabled, the server starts publishing immediately; if you have not finished setting up, publishing may not work correctly, or at all. For complete details, see "Enabling Publishing".
     

Publishers


Publishers allow you to specify the location where you want a particular object published. In the case of publishing to a file, a publisher specifies a particular location in which you want to publish the files. You can publish everything to one location, or you can create publishers for each location you want to publish to. In the case of OCSP publishing, a publisher specifies a particular location in the Online Certificate Status Manager in which you want to publish a CRL. You can publish all CRLs to one location, or you can create publishers for each location you want to publish to. In the case of publishing to a directory, a publisher specifies a particular attribute in the LDAP entry that stores the published file. Publishers specifying the standard X.500 attributes for storing objects have already been defined. Generally, you do not need to configure Publishers for LDAP publishing.

Configuring Publishers for Publishing to a File

You need to create and configure a Publisher for each publishing location; publishers are not automatically created for publishing to a file. If you are publishing all to one location, you can create one publisher. If you are publishing to different locations, you need to create a publisher for each location you will be publishing to. Each location can either contain an object type, say one for user certificates, one for CRLs, and one for CA certificates, or, it can contain a subset of an object type, say west coast user certificates in one location and east coast certificates in another location.

Creating a Publisher for File Publishing

To create publishers for publishing to files:

  1. Log in to the CMS console for the Certificate Manager (see Logging Into the CMS Console).
  2. Select the Configuration tab.
  3. In the navigation tree, select Certificate Manager, select Publishing, and then select Publishers. The right pane displays the Publishers Management tab, which lists configured publisher instances.
  4. Click Add. The Select Publisher Plug-in Implementation window appears. It lists registered publisher modules.
  5. Select the module named FileBasedPublisher. This is the only publisher module that enables the Certificate Manager to publish certificates and CRLs to files.
  6. Click Next. The Publisher Editor window appears.
  7. Fill in the following fields in this window:

     Publisher ID. Type a name for the publisher; use an alphanumeric string with no spaces. For example, PublishCertsToFile.

     directory. Type the complete path to the directory in which the Certificate Manager should create the DER-encoded files; the path can be an absolute path or can be relative to the CMS instance directory. For example, /export/cms/certificates.

  8. Click OK. You are returned to the Publishers Management tab, which should now list the publisher you just created.
  9. Repeat this procedure to create all the publishers you will need.

Configuring Publishers for Publishing to OCSP

You need to create and configure a Publisher for each publishing location; publishers are not automatically created for publishing to the OCSP responder. If you are publishing all CRLs to one location, you can create one publisher. If you are publishing to different locations, you need to create one for each location you will be publishing to. Each location can contain a different kind of CRL.

Creating a Publisher for OCSP Publishing

To create publishers for publishing CRLs to the Online Certificate Status Manager:

  1. Log in to the CMS console for the Certificate Manager (see Logging Into the CMS Console).
  2. Select the Configuration tab.
  3. In the navigation tree, select Certificate Manager, select Publishing, and then select Publishers. The right pane displays the Publishers Management tab, which lists configured publisher instances.
  4. Click Add. The Select Publisher Plug-in Implementation window appears. It lists registered publisher modules.
  5. Select the module named OCSPPublisher. This is the only publisher module that enables the Certificate Manager to publish CRLs to the Online Certificate Status Manager.
  6. Click Next. The Publisher Editor window appears.
  7. Fill in the following fields in this window:

     Publisher ID. Type a name for the publisher; use an alphanumeric string with no spaces. For example, Ca1CrlToOcspResponder.

     host. Type the fully-qualified DNS host name of the Online Certificate Status Manager. For example, ocspResponder.example.com.

     port. Type the Online Certificate Status Manager's end-entity SSL port number. For example, 443.

     path. Make sure this field shows the default path, /ocsp/addCRL. If necessary, type it in.

  8. Click OK. You are returned to the Publishers Management tab, which should now list the publisher you just created.
  9. Repeat this procedure to create all the publishers you will need.

Configuring Publishers for LDAP Publishing

During installation, the Certificate Manager creates, configures, and enables a set of publishers for LDAP publishing, one per object type. They are configured to use the X.500 standard attributes for storing certificates and CRLs, and you do not need to modify them.

See "Publisher Plug-in Module Reference" for more information about publishers.

Publisher Plug-in Module Reference

This section describes the publisher modules provided for the Certificate Manager. You can use these modules to configure a Certificate Manager to enable and configure specific Publisher instances.

The available publisher plug-in modules are FileBasedPublisher, LdapCaCertPublisher, LdapUserCertPublisher, LdapCrlPublisher, LdapDeltaCrlPublisher, LdapCertificatePairPublisher, and OCSPPublisher, each described below.

You can create custom publisher plug-in modules using the CMS SDK.

FileBasedPublisher

The FileBasedPublisher plug-in module enables you to configure a Certificate Manager to publish certificates and CRLs to files.

By default, the Certificate Manager does not create an instance of the FileBasedPublisher module.


Table 16-1    FileBasedPublisher Configuration Parameters

  Publisher ID
      Specifies a name for the publisher. Use an alphanumeric string with no spaces. For example, PublishCertsToFile.

  directory
      Specifies the complete path to the directory in which the Certificate Manager should create the DER-encoded files; the path can be an absolute path or can be relative to the CMS instance directory. For example, /export/cms/certificates.

LdapCaCertPublisher

The LdapCaCertPublisher plug-in module enables you to configure a Certificate Manager to publish or unpublish a CA certificate to the caCertificate;binary attribute of the CA's directory entry.

The module also converts the object class of the CA's entry to a certificationAuthority if it's not one already. Similarly, it also removes the certificationAuthority object class on unpublish if the CA has no other certificates.

During installation, the Certificate Manager automatically creates an instance of the LdapCaCertPublisher module, already enabled and configured, for publishing the CA certificate to the directory.
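What an LDAP publisher actually does to an entry, as an added example in Python that emits the LDIF modify records a directory client would send and applies them to an in-memory entry; it is not CMS code. The DER bytes and entry contents are constructed. Two behaviours from the text are modelled: the published value replaces whatever the attribute already held, and for a CA entry the certificationAuthority object class is added on publish and removed on unpublish only when no other certificate remains. Reading "no other certificates" as none of caCertificate;binary, crossCertificatePair;binary or certificateRevocationList;binary still being set is my assumption. The same replace logic applies to the user-certificate and CRL publishers, and the object-class handling to LdapCertificatePairPublisher below.

```python
"""Added example (not CMS code): the directory changes an LDAP publisher
makes, rendered as LDIF modify records and applied to an in-memory entry."""
import base64
import copy

CA_OBJECT_CLASS = "certificationAuthority"
# Assumption: the CA entry keeps its object class while any of these is still set.
CA_BINARY_ATTRS = (
    "caCertificate;binary",
    "crossCertificatePair;binary",
    "certificateRevocationList;binary",
)


def ldif_modify(dn: str, changes: list) -> str:
    """Render (op, attr, values) triples as one LDIF 'changetype: modify' record.
    Binary values use the '::' base64 form; a delete with no values removes
    the whole attribute."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, values in changes:
        lines.append(f"{op}: {attr}")
        for value in values:
            if isinstance(value, bytes):
                lines.append(f"{attr}:: {base64.b64encode(value).decode('ascii')}")
            else:
                lines.append(f"{attr}: {value}")
        lines.append("-")
    return "\n".join(lines) + "\n"


def publish_changes(entry: dict, attr: str, der: bytes, ca_entry: bool) -> list:
    """'replace', not 'add': the new object overwrites whatever the attribute
    held. For a CA entry, add the certificationAuthority object class first
    if the entry does not have it yet."""
    changes = []
    if ca_entry and CA_OBJECT_CLASS not in entry.get("objectClass", []):
        changes.append(("add", "objectClass", [CA_OBJECT_CLASS]))
    changes.append(("replace", attr, [der]))
    return changes


def unpublish_changes(entry: dict, attr: str, ca_entry: bool) -> list:
    """Delete the attribute; drop the object class only if nothing else keeps it."""
    changes = [("delete", attr, [])]
    if ca_entry and CA_OBJECT_CLASS in entry.get("objectClass", []):
        still_held = [a for a in CA_BINARY_ATTRS if a != attr and entry.get(a)]
        if not still_held:
            changes.append(("delete", "objectClass", [CA_OBJECT_CLASS]))
    return changes


def apply_changes(entry: dict, changes: list) -> dict:
    """Apply the triples to the dict entry the way a directory server would."""
    for op, attr, values in changes:
        if op == "replace":
            entry[attr] = list(values)
        elif op == "add":
            entry.setdefault(attr, []).extend(values)
        elif op == "delete":
            if values:
                entry[attr] = [v for v in entry.get(attr, []) if v not in values]
            else:
                entry.pop(attr, None)
    return entry


CA_DN = "UID=Certificate Manager,OU=people,O=example.com"
FAKE_DER = b"\x30\x82\x01\x00" + b"\x00" * 12  # constructed, not a real certificate


def demo() -> tuple:
    """Publish a CA cert and a CRL into a plain entry, then unpublish both;
    returns snapshots after publish, after the cert is gone, and at the end."""
    entry = {"objectClass": ["top", "person"], "cn": ["Certificate Manager"]}
    apply_changes(entry, publish_changes(entry, "caCertificate;binary", FAKE_DER, True))
    after_publish = copy.deepcopy(entry)
    apply_changes(entry, publish_changes(entry, "certificateRevocationList;binary", FAKE_DER, True))
    apply_changes(entry, unpublish_changes(entry, "caCertificate;binary", True))
    after_cert_removed = copy.deepcopy(entry)  # CRL still present, class kept
    apply_changes(entry, unpublish_changes(entry, "certificateRevocationList;binary", True))
    return after_publish, after_cert_removed, entry


if __name__ == "__main__":
    entry = {"objectClass": ["top", "person"]}
    print(ldif_modify(CA_DN, publish_changes(entry, "caCertificate;binary", FAKE_DER, True)))
```

The replace semantics are worth keeping in mind when an entry is shared: publishing a renewed certificate overwrites the old value, so anything else stored in the same attribute of the same entry is lost.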


Table 16-2    LdapCaCertPublisher Configuration Parameters

  caCertAttr
      Specifies the LDAP directory attribute in which to publish the CA certificate. Must be caCertificate;binary.

  caObjectClass
      Specifies the object class for the CA's entry in the directory. Must be certificationAuthority.

LdapUserCertPublisher

The LdapUserCertPublisher plug-in module enables you to configure a Certificate Manager to publish or unpublish a user certificate to the userCertificate;binary attribute of the user's directory entry.

You can use this module to publish any end-entity certificate to an LDAP directory. Types of end-entity certificates include SSL client, S/MIME, SSL server, object signing, router, and OCSP responder.

During installation, the Certificate Manager automatically creates an instance of the LdapUserCertPublisher module for publishing end-entity certificates to the directory.


Table 16-3    LdapUserCertPublisher Configuration Parameters

  certAttr
      Specifies the directory attribute of the mapped entry to which the Certificate Manager should publish the certificate. Must be userCertificate;binary.

LdapCrlPublisher

The LdapCrlPublisher plug-in module enables you to configure a Certificate Manager to publish or unpublish the CRL to the certificateRevocationList;binary attribute of a directory entry.

During installation, the Certificate Manager automatically creates an instance (called a publisher) of the LdapCrlPublisher module for publishing CRLs to the directory.


Table 16-4    LdapCrlPublisher Configuration Parameters

  crlAttr
      Specifies the directory attribute of the mapped entry to which the Certificate Manager should publish the CRL. Must be certificateRevocationList;binary.

LdapDeltaCrlPublisher

The LdapDeltaCrlPublisher plug-in module enables you to configure a Certificate Manager to publish or unpublish a delta CRL to the deltaRevocationList;binary attribute of a directory entry.

During installation, the Certificate Manager automatically creates an instance of the LdapDeltaCrlPublisher module for publishing delta CRLs to the directory.


Table 16-5    LdapDeltaCrlPublisher Configuration Parameters

  crlAttr
      Specifies the directory attribute of the mapped entry to which the Certificate Manager should publish the delta CRL. Must be deltaRevocationList;binary.

LdapCertificatePairPublisher

The LdapCertificatePairPublisher plug-in module enables you to configure a Certificate Manager to publish or unpublish a cross-signed certificate pair to the crossCertificatePair;binary attribute of the CA's directory entry.

The module also converts the object class of the CA's entry to a certificationAuthority if it's not one already. Similarly, it also removes the certificationAuthority object class on unpublish if the CA has no other certificates.

During installation, the Certificate Manager automatically creates an instance of the LdapCertificatePairPublisher module named LdapCrossCertPairPublisher, already enabled and configured, for publishing cross-signed certificate pairs to the directory.


Table 16-6    LdapCertificatePairPublisher Parameters

  crossCertPairAttr
      Specifies the LDAP directory attribute in which to publish the cross-certificate pair. Must be crossCertificatePair;binary.

  caObjectClass
      Specifies the object class for the CA's entry in the directory. Must be certificationAuthority.

OCSPPublisher

The OCSPPublisher plug-in module enables you to configure a Certificate Manager to publish its CRLs to an Online Certificate Status Manager.

During installation, the Certificate Manager does not create any instances of the OCSPPublisher module.


Table 16-7    OCSPPublisher Parameters

  host
      Specifies the fully qualified host name of the Online Certificate Status Manager.

  port
      Specifies the port on which the Online Certificate Status Manager listens for the Certificate Manager; this is the Online Certificate Status Manager's end-entity SSL port number.

  path
      Specifies the path for publishing the CRL. Must be the default path, /ocsp/addCRL.

Mappers


Mappers are only used with LDAP publishing. A mapper defines the relationship between a certificate's subject name (or other input, such as values from the certificate request) and the DN of the directory entry in which the certificate or CRL is published. The Certificate Manager must derive that DN from the certificate or the certificate request so that it knows which directory entry to publish to. The relationship can be one in which the mapper derives the exact DN of the entry from the available information, or one in which the mapper derives search criteria that are used to find the entry's DN in the directory.

Configuring Mappers

During installation, the Certificate Manager automatically creates a set of mappers defining the most common relationships: LdapCaCertMap and LdapCrlMap, both instances of the LdapCaSimpleMap module, and LdapUserCertMap, an instance of the LdapSimpleMap module.

You can use these mappers, or create instances of the other LDAP mapper plug-ins available and configure those.

To use the default mappers, configure each one, specifying the DN pattern to use and, for the LdapCaSimpleMap instances, whether you want CMS to create the CA entry in the directory.

To use other mappers, create an instance of the mapper you want to use, and then configure it. For more information see "Mapper Plug-in Modules Reference".

Modifying or Creating Mappers

To modify or create a mapper:

  1. Log in to the CMS console for the Certificate Manager (see Logging Into the CMS Console).
  2. Select the Configuration tab.
  3. In the navigation tree, select Publishing, and then select Mappers. The right pane shows the Mappers Management tab, which lists configured mappers.
  4. To modify an existing mapper:
    1. In the Mapper list, select the mapper that you want to modify.
    2. Click Edit/View. The Mapper Editor window appears. Go to step 6.
  5. To create a new mapper instance:
    1. Click Add. The Select Mapper Plugin Implementation window appears. It lists registered mapper modules.
    2. Select a module. For complete information about these modules, see "Mapper Plug-in Modules Reference".
    3. Click Next. The Mapper Editor window appears. Go to step 6.
  6. Make the necessary changes to the fields of the instance you chose and click OK. See "Mapper Plug-in Modules Reference" for detailed information about each mapper's parameters.
  7. Repeat the procedure to configure all of the mappers you will need.
  8. Click Refresh to see the updated status of all the mappers.

Mapper Plug-in Modules Reference

This section describes the mapper plug-in modules provided for the Certificate Manager. You can use these modules to configure a Certificate Manager to enable and configure specific Mapper instances.

The available mapper plug-in modules are described below.

You can develop a custom mapper module using the CMS SDK.

LdapCaSimpleMap

The LdapCaSimpleMap plug-in module enables you to configure a Certificate Manager to automatically create an entry for the CA in an LDAP directory and then map the CA's certificate to the directory entry by formulating the entry's DN from components specified in the certificate request, the certificate subject name, certificate extensions, and attribute value assertion (AVA) constants. For more information on AVAs, see the directory documentation.

The CA certificate mapper allows you to specify whether to create an entry for the CA or to just map the certificate to an existing entry, or to do both.

Note that if you already have one CA entry created in the publishing directory and if you change the value assigned to the dnPattern parameter of this mapper to something different, but with the same UID and O attributes, the mapper will fail to create the second CA entry. For example, if the directory already has a CA entry with UID=CA,OU=Marketing,O=example.com and if you configure the mapper to create another CA entry with UID=CA,OU=Engineering,O=example.com, the operation will fail.

The reason for the failure may be because you are using a directory (for example, the configuration directory) that has the uid uniqueness plug-in set to a specific base DN in the slapd.ldbm.conf file. This setting prevents the directory from having two entries with the same UID under that base DN. For example, it prevents the directory from having two entries under O=example.com with the same UID, CA.

If the mapper fails to create a second CA entry, check the base DN that the uid uniqueness plug-in is set to (in the slapd.ldbm.conf file) and check whether an entry with the same UID already exists in the directory. If so, adjust the mapper setting, remove the old CA entry, comment out the plug-in, or create the entry manually using the Console window.

During installation, the Certificate Manager automatically creates two instances (called mappers) of the LdapCaSimpleMap module, named LdapCaCertMap and LdapCrlMap, described below.

LdapCaCertMap

The mapper named LdapCaCertMap is an instance of the LdapCaSimpleMap module. The Certificate Manager automatically creates this mapper during installation.

You can use this mapper for creating an entry for the CA in the directory and for mapping the CA certificate to the CA's entry in the directory.

By default, the mapper is configured to create an entry for the CA in the directory and the default DN pattern for locating the CA's entry is as follows:

UID=$subj.cn,OU=people,O=$subj.o

LdapCrlMap

The mapper named LdapCrlMap is an instance of the LdapCaSimpleMap module. The Certificate Manager automatically creates this mapper during installation.

You can use this mapper for creating an entry for the CA in the directory and for mapping the CRL to the CA's entry in the directory.

By default, the mapper is configured to create an entry for the CA in the directory and the default DN pattern for locating the CA's entry is as follows:

UID=$subj.cn,OU=people,O=$subj.o

LdapDNExactMap

The LdapDNExactMap plug-in module enables you to configure a Certificate Manager to map a certificate to an LDAP directory entry by searching for the LDAP entry DN that matches the certificate subject name. Note that to be able to use this mapper, each certificate subject name must exactly match a DN in a directory entry. For example, assume the certificate subject name is this: UID=jdoe, O=Example Corporation, C=US

When searching the directory for the entry, the Certificate Manager only searches for an entry whose DN is this: UID=jdoe, O=Example Corporation, C=US

If no matching entries are found, the server returns an error and does not publish the certificate.

This mapper does not require you to specify any values for any parameters because it obtains all values from the certificate.

LdapSimpleMap

The LdapSimpleMap plug-in module enables you to configure a Certificate Manager to map a certificate to an LDAP directory entry by deriving the entry's DN from components taken from the certificate request, the certificate's subject name, certificate extensions, and constant attribute value assertions (AVAs). For more information on AVAs, see the directory documentation.

By default, the Certificate Manager uses mapper rules that are based on the simple mapper. During installation, the Certificate Manager automatically creates an instance of the simple mapper module. The instance is named LdapUserCertMap. You can use the default mapper to map various types of end-entity certificates the server will issue to their corresponding directory entries.

Configuration Parameters of LdapSimpleMap

The simple mapper requires you to specify just one parameter, which is named dnPattern. The value of dnPattern can be a list of AVAs separated by commas. An AVA can be a variable, such as UID=$subj.UID, or a constant, such as O=Example Corporation. The examples below illustrate how you can use AVAs to form the DN pattern.

Example 1: uid=CertMgr, o=Example Corporation

Example 2: CN=$subj.cn,OU=$subj.ou,O=$subj.o,C=US

Example 3: uid=$req.HTTP_PARAMS.uid,E=$ext.SubjectAlternativeName.RFC822Name,ou=$subj.ou

In the above examples, $req means take the attribute from the certificate request, $subj means take the attribute from the certificate subject name, and $ext means take the attribute from the certificate extension.
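The following Python model is added here as an illustration; it is not code from Certificate Management System. It shows how a dnPattern such as the default UID=$subj.cn,OU=people,O=$subj.o used by the LdapCaCertMap and LdapCrlMap mappers, or the three examples above, expands once the $subj, $req and $ext variables are filled in. SUBJECT, REQUEST and EXTENSIONS are constructed sample data, and treating a variable with no value as a mapping failure is an assumption (the guide does not say how the product handles that case). The example also shows why substituted values must be escaped: an unescaped comma in an O value would add an RDN and change which entry the mapper creates or maps to.

```python
import re

# Constructed sample inputs for the three variable sources a dnPattern can
# reference; none of this comes from a real CMS instance.
SUBJECT = {"cn": "Jane Doe", "ou": "Sales", "o": "Example Corporation", "c": "US", "uid": "jdoe"}
REQUEST = {"HTTP_PARAMS": {"uid": "jdoe", "certType": "client"}}
EXTENSIONS = {"SubjectAlternativeName": {"RFC822Name": "jdoe@example.com"}}

# $subj.<attr>, $req.<a>.<b>..., $ext.<a>.<b>...  (the syntax the guide's examples use)
_VARIABLE = re.compile(r"\$(subj|req|ext)((?:\.[A-Za-z0-9_]+)+)")


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 rules).

    Without this, a subject value such as O=Example, Inc. would split into two
    RDNs and change which entry the mapper addresses.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '",+;<>\\' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def _resolve(source, keys, case_insensitive):
    """Walk nested dicts; subject attribute types compare case-insensitively."""
    node = source
    for key in keys:
        if not isinstance(node, dict):
            return None
        if case_insensitive:
            node = next((v for k, v in node.items() if k.lower() == key.lower()), None)
        else:
            node = node.get(key)
        if node is None:
            return None
    return node


def expand_dn_pattern(pattern, subj, req=None, ext=None):
    """Expand a dnPattern into the DN the mapper would search for or create.

    Raises LookupError when a referenced variable has no value. Treating that
    as a mapping failure is an assumption of this model, not documented
    product behaviour.
    """
    sources = {"subj": (subj, True), "req": (req or {}, False), "ext": (ext or {}, False)}
    missing = []

    def substitute(match):
        source, case_insensitive = sources[match.group(1)]
        keys = match.group(2).lstrip(".").split(".")
        value = _resolve(source, keys, case_insensitive)
        if value is None:
            missing.append(match.group(0))
            return ""
        return escape_rdn_value(str(value))

    dn = _VARIABLE.sub(substitute, pattern)
    if missing:
        raise LookupError("no value for " + ", ".join(missing))
    return dn


if __name__ == "__main__":
    for pattern in ("UID=$subj.cn,OU=people,O=$subj.o",
                    "CN=$subj.cn,OU=$subj.ou,O=$subj.o,C=US",
                    "uid=$req.HTTP_PARAMS.uid,E=$ext.SubjectAlternativeName.RFC822Name,ou=$subj.ou"):
        print(pattern, "->", expand_dn_pattern(pattern, SUBJECT, REQUEST, EXTENSIONS))
```

Run it as a script to see the three patterns expand against the sample subject, request and extension data; call expand_dn_pattern with your own dictionaries to preview where a candidate dnPattern would place entries before you configure it.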

LdapSubjAttrMap

The LdapSubjAttrMap plug-in module enables you to configure a Certificate Manager to map a certificate to an LDAP directory entry by using the LDAP attribute named certSubjectDN. Note that for you to be able to use this mapper, your directory entries must include the certSubjectDN attribute.

This mapper requires you to specify the exact pattern of the subject DN, because the Certificate Manager searches the directory for an entry whose certSubjectDN attribute value exactly matches the entire subject DN. For example, assume the certificate subject name is this:

UID=jdoe, O=Example Corporation, C=US

When searching the directory for the entry, the Certificate Manager looks only for an entry that carries exactly this attribute value:

certSubjectDN=UID=jdoe, O=Example Corporation, C=US

If no matching entry is found, the server returns an error and writes it to the log.

Configuration Parameters of LdapSubjAttrMap

Table 16-9 describes these parameters.


Table 16-9    LdapSubjAttrMap Parameters

  certSubjNameAttr
      Specifies the name of the LDAP attribute that contains a certificate subject name as its value. Must be certSubjectName.

  searchBase
      Specifies the base DN at which the attribute search starts.
      Permissible values: A valid DN of an LDAP entry.
      Example: O=example.com, C=US



LdapDNCompsMap

The LdapDNCompsMap plug-in module implements the DN components mapper. This mapper enables you to configure a Certificate Manager to map a certificate to an LDAP directory entry by constructing the entry's distinguished name from components (such as CN, OU, O, and C) specified in the certificate subject name, and then using it as the search DN to locate the entry in the directory. You can use this mapper to locate the following:

The mapper builds the search base DN from the configured DN components (dnComps) and, optionally, a root search DN (baseDN). The server uses the dnComps values to form the DN of the entry at which a subtree search begins, and the filterComps values to form the search filter for that subtree. If no DN components are configured, the server uses baseDN as the base of the subtree. If baseDN is empty and none of the DN components match, an error is returned. If neither the DN components nor the filter components match, an error is returned. If no filter components are configured, the server performs a base search of the entry named by the constructed DN.

Note that both the dnComps and filterComps parameters accept valid DN components or attributes separated by commas. The parameters don't accept multiple entries of an attribute; for example, you can set filterComps to CN,OU, but not to CN,OU2,OU1. If you need such a filter, for example because your directory entries contain multiple OUs and you want to use all of them in filterComps, you can modify the source code of the LdapDNCompsMap module. The Java class for the module is in this directory: <server_root>/cms_sdk/cms_jdk/samples/mappers

The discussion below explains how mapping by DN components works. It is recommended that you read this before configuring a Certificate Manager to use this mapper.

Subject names in certificates are in distinguished-name format. A distinguished name (DN) uniquely identifies an entry in an LDAP directory. The DN consists of components that help identify the entry; for details, see Appendix I, "Distinguished Names."

The following components are commonly used in DNs:

For example, the following DN represents the user named Jane Doe who works for the Sales department at Example Corporation, which is located in Mountain View in the state of California, United States:

CN=Jane Doe, E=jdoe@example.com, OU=Sales, O=Example Corporation, L=Mountain View, ST=California, C=US

The Certificate Manager uses the components in subject names to construct a DN that it can use as the base for searching specific directory entries in order to publish the corresponding certificate information.

For example, suppose the subject name in the certificate is in this form:

CN=Jane Doe, OU=Sales, O=Example Corporation, L=Mountain View, ST=California, C=US

The Certificate Manager can use some or all of these components (CN, OU, O, L, ST, and C) to build a DN for searching the directory. When creating a mapper rule, you specify the components the server should use to build the DN (that is, the components to match against attributes in the directory) by configuring the dnComps parameter; for details, see Table 16-10.

For example, assume you entered the components CN, E, OU, O, and C as the value of dnComps. To locate Jane Doe's entry, the Certificate Manager reads the values of those components from the certificate subject name (the E component is absent from this subject name, so it is skipped) and constructs the following DN, which it uses as the base for searching the directory:

CN=Jane Doe, OU=Sales, O=Example Corporation, C=US

Note the following:

In general, for the dnComps parameter, you should enter those DN components that the Certificate Manager can use to form the LDAP DN exactly. In certain situations, however, the subject name in a certificate may match more than one entry in the directory. Then, the Certificate Manager might not get a single, distinct matching entry from the DN. For example, the subject name

CN=Jane Doe, OU=Sales, O=Example Corporation, C=US

might match two users with the name Jane Doe in the directory. If that occurred, the Certificate Manager would need additional criteria to determine which entry corresponds to the subject of the certificate.

To specify the components the Certificate Manager must use to distinguish between different entries in the directory, use the filterComps parameter; for details, see Table 16-10. For example, if you entered CN, OU, O, and C as the value of dnComps, enter L for filterComps only if the L attribute can be used to distinguish between entries with identical CN, OU, O, and C values.

Consider another example that shows how two directory entries with similar DNs can be differentiated by the value of the UID attribute:

Assume that the two Jane Doe entries are distinguished by the value of the UID attribute. One entry's UID value is janedoe1 and the other entry's UID value is janedoe2. Because the UID attribute corresponds to the UID component in a DN, you can set up the subject names of certificates to include the UID component.


Note  

Generally, the E, L, and ST components are not included in the standard set of certificate request forms provided for end entities. You can add these components to the forms, or you can have the issuing agents insert these components when editing the subject name in the certificate issuance forms.




Configuration Parameters of LdapDNCompsMap

With this configuration, a Certificate Manager locates the directory entry for a certificate by using the dnComps values to form the base DN of the search and the filterComps values to form the search filter for the subtree under it.

Table 16-10 describes these parameters.


Table 16-10    LdapDNCompsMap Configuration Parameters

  baseDN
      Specifies the DN at which to start searching for an entry in the publishing directory. If you leave dnComps empty, the server uses this value as the base of its search.

  dnComps
      Specifies where in the publishing directory the Certificate Manager starts searching for an LDAP entry that matches the CA's or the end entity's information.

      The server uses the dnComps values to form the DN of the entry at which a subtree search begins. It gathers the values for these attributes from the certificate subject name and assembles them into an LDAP DN, which determines where in the directory the search starts. For example, if you set dnComps to the O and C attributes, the server starts the search at the entry O=<org>, C=<country>, where <org> and <country> are replaced with the values from the DN in the certificate.

      If you leave dnComps empty, the server uses the baseDN value and searches the subtree under that DN for entries matching the filter built from the filterComps values.

      Permissible values: Valid DN components or attributes separated by commas.

  filterComps
      Specifies the components the Certificate Manager uses to filter entries from the search result. The server uses the filterComps values to form an LDAP search filter for the subtree, gathering the values for these attributes from the certificate subject name, and uses the filter to find matching entries in the directory.

      If the server finds one or more entries that match the information gathered from the certificate, the search is successful and the server optionally performs a verification. For example, if filterComps is set to the email and user ID attributes (filterComps=e,uid), the server searches the directory for an entry whose email and user ID values match those in the certificate.

      Permissible values: Valid attributes of the certificate subject DN, separated by commas. Use the attribute names as they appear in the certificate, not the directory's names for them; for example, most certificates carry the user's email address in an E attribute, while LDAP calls that attribute mail.
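As an added example (a model, not the product's implementation of LdapDNCompsMap), the following Python reproduces the rules stated in Table 16-10: dnComps taken from the subject name form the search base, baseDN is the fallback when no dnComps match, filterComps form the filter with the certificate's attribute names translated to the directory's names (the E-to-mail translation table is an assumption covering only the example the guide gives), and an empty filter list means a base search. The sample subject names are constructed. Subject values are escaped before they go into the filter because they originate in the enrollment request: an unescaped asterisk would turn an equality match into a wildcard and could match the wrong entry.

```python
# Certificate subject attribute type -> directory attribute name.
# Assumption: only the E/mail pair the guide mentions; other types are used
# as-is in lower case.
CERT_TO_LDAP_ATTR = {"E": "mail"}


def parse_dn(dn):
    """Split 'CN=Jane Doe, OU=Sales, ...' into [(TYPE, value), ...].

    Deliberately simple: escaped commas and multi-valued RDNs are not handled.
    """
    rdns = []
    for part in dn.split(","):
        attr_type, _, value = part.strip().partition("=")
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def ldap_filter_escape(value):
    """Escape a value for an LDAP search filter (RFC 4515).

    Subject-name values come from the enrollment request; an unescaped '*'
    would turn an equality match into a wildcard that can match the wrong entry.
    """
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_search(subject_dn, dn_comps, filter_comps, base_dn=""):
    """Return (search_base, scope, filter) for one certificate.

    dnComps present in the subject form the search base; baseDN is the
    fallback when none match; no filterComps means a base search; no usable
    base, or filterComps that are all absent from the subject, is an error.
    """
    rdns = parse_dn(subject_dn)
    present = dict(rdns)
    dn_comps = [c.upper() for c in dn_comps]
    filter_comps = [c.upper() for c in filter_comps]

    base_rdns = ["%s=%s" % (t, v) for t, v in rdns if t in dn_comps]
    if base_rdns:
        search_base = ", ".join(base_rdns)
    elif base_dn:
        search_base = base_dn
    else:
        raise ValueError("no dnComps matched the subject name and no baseDN is configured")

    terms = []
    for comp in filter_comps:
        if comp in present:
            attr = CERT_TO_LDAP_ATTR.get(comp, comp.lower())
            terms.append("(%s=%s)" % (attr, ldap_filter_escape(present[comp])))
    if filter_comps and not terms:
        raise ValueError("none of the filterComps are present in the subject name")
    if not terms:
        return search_base, "base", "(objectClass=*)"
    search_filter = terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")"
    return search_base, "sub", search_filter


if __name__ == "__main__":
    # Constructed subject names matching the guide's Jane Doe examples.
    jane = "CN=Jane Doe, OU=Sales, O=Example Corporation, L=Mountain View, ST=California, C=US"
    print(build_search(jane, ["CN", "E", "OU", "O", "C"], []))
    jane1 = "UID=janedoe1, CN=Jane Doe, E=jdoe@example.com, OU=Sales, O=Example Corporation, C=US"
    print(build_search(jane1, ["O", "C"], ["E", "UID"]))
```

The first call reproduces the worked example above (E is absent, so the base is CN, OU, O, C and the search is a base search); the second shows the two Jane Doe entries being told apart by a subtree search under O=Example Corporation, C=US with a filter on mail and uid.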

 


Rules


You set up rules to determine exactly what gets published where. Rules work independently, not in tandem: a certificate or CRL being published is matched against every rule, and every rule it matches is activated. In this way, the same certificate can be published to a file, to an Online Certificate Status Manager, and to an LDAP directory by matching a file-based rule, an OCSP rule, and a directory-based rule.

You can set up rules for each object type: CA certificate, CRL, user certificate, and cross-pair certificate, or you can even further divide the rules so that you have different rules for different kinds of certificates, or different kinds of CRLs.

The rule first determines if the object meets the rule, and then where it is to be published. Determining if the object meets the rule is done by matching the type and predicate set up in the rule with the object itself. Determining where matching objects are published is determined by the Publisher and Mapper that is associated with this rule.

Note: A Registration Manager can only publish certificates. It cannot publish CRLs.

Modifying Publishing Rules for Certificates and CRLs

Creating a publishing rule for CA certificates and end-entity certificates involves creating a rule that uses a publisher you created earlier. You create a rule for each type of certificate the Certificate Manager issues.

To modify publishing rules:

  1. Log in to the CMS console for the Certificate Manager (see Logging Into the CMS Console).
  2. Select the Configuration tab.
  3. In the navigation tree, select Certificate Manager, select Publishing, and then select Rules. The right pane displays the Rules Management tab, which lists any configured publishing rules.
  4. To edit an existing rule, select it from the list and click Edit. The Rule Editor window appears.
  5. To create a rule:
    1. Click Add. The Select Rule Plugin Implementation window appears.
    2. Select the module named Rule. This is the only module; if you have registered custom modules, they are also available for selection.
    3. Click Next. The Rule Editor window appears.
  6. Enter the appropriate information:

    Rule ID. Type a name that will help you identify the rule later; use an alphanumeric string with no spaces. For example, PublishCaCertToFile.

    type. Select the type value from the list. The type depends on the kind of object this rule applies to. For a Certificate Manager signing certificate, the value is cacert. For a cross-signed certificate, the value is xcert. For all other types of certificates, the value is certs. For CRLs, specify crl.

    predicate. Type the predicate for the type of certificate or CRL issuing point to which this rule applies. The predicate for each type of certificate is listed in Table 16-11; the predicates for CRL issuing points and delta CRLs are listed in Table 16-12.

    enable. Select to enable this rule.

    mapper. Mappers are needed only for LDAP publishing, not for publishing to a file. If this rule will be associated with a publisher that publishes to an LDAP directory, select an appropriate mapper here; otherwise leave it blank.

    publisher. Select the publisher to associate with this rule. For example, if this rule publishes user certificates to a file, choose the publisher that writes to the location set up for user certificates.

  7. Click OK. The Rules Management tab appears, listing the rule you just created or edited.
  8. Repeat this procedure for each publishing rule you need.

Predicates Used In Publishing Rules

Table 16-11 lists the predicates that can be used to identify certificate types.

Table 16-11    Certificate Types and Predicate Expressions

  Certificate type                           Type     Predicate
  ----------------------------------------   ------   ------------------------------------
  SSL client certificate                     certs    HTTP_PARAMS.certType==client
  SSL server certificate                     certs    HTTP_PARAMS.certType==server
  Object signing certificate                 certs    HTTP_PARAMS.certType==objSignClient
  Certificate Manager signing certificate    cacert   HTTP_PARAMS.certType==ca
  Registration Manager signing certificate   certs    HTTP_PARAMS.certType==ra
  OCSP responder certificate                 certs    HTTP_PARAMS.certType==ocspResponder
  Router certificate                         certs    HTTP_PARAMS.certType==CEP-Router
  Cross-signed certificate                   certs    HTTP_PARAMS.certType==fbca


Table 16-12 lists the predicates that can be used to identify CRL issuing points and delta CRLs.

Table 16-12    CRL Predicate Expressions

  Predicate type       Predicate
  ------------------   -----------------------------------------------------------------
  CRL issuing point    issuingPointId==<Issuing_Point_Instance_ID> && isDeltaCRL==[true|false]

Both comparisons use the == operator, the same operator as the certificate predicates in Table 16-11.

To publish only the master (full) CRL of an issuing point, set isDeltaCRL==false. For example:

issuingPointId==MasterCRL && isDeltaCRL==false

To publish only the delta CRL, set isDeltaCRL==true. For example:

issuingPointId==MasterCRL && isDeltaCRL==true

To publish both, create one rule for the master CRL and another rule for the delta CRL.
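The following Python is an added model of the rule matching described above, not code from the product. It shows the three things a practitioner has to get right: every enabled rule whose type matches is evaluated independently (so one certificate can trigger a file rule and a directory rule), a predicate uses only the == and && operators shown in Tables 16-11 and 16-12 (a predicate written with a single = is rejected instead of silently never matching), and an LDAP publisher needs a mapper. The RULES list reuses the four default Ldap*Rule instances documented in the Rule Instance Reference and adds two hypothetical file rules; FileUserCertPublisher and FileCrlPublisher are assumed publisher names.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    rule_id: str
    type: str            # cacert, xcert, certs, or crl
    predicate: str       # "" means no further restriction
    enabled: bool
    mapper: Optional[str]
    publisher: str


def evaluate_predicate(predicate, attrs):
    """Evaluate 'name==value && name==value' against an object's attributes.

    Only the operators that appear in Tables 16-11 and 16-12 (== and &&) are
    modelled; anything else is rejected rather than silently matched.
    """
    predicate = predicate.strip()
    if not predicate:
        return True
    for term in predicate.split("&&"):
        name, op, expected = term.partition("==")
        if not op:
            raise ValueError("unsupported predicate term: %r" % term.strip())
        actual = attrs.get(name.strip())
        if isinstance(actual, bool):
            actual = "true" if actual else "false"
        if actual is None or str(actual) != expected.strip():
            return False
    return True


def matching_rules(rules, obj_type, attrs):
    """Return every enabled rule the object matches; rules do not chain."""
    return [r for r in rules
            if r.enabled and r.type == obj_type and evaluate_predicate(r.predicate, attrs)]


def rule_ids(rules, obj_type, attrs):
    return [r.rule_id for r in matching_rules(rules, obj_type, attrs)]


def rule_problems(rule, ldap_publishers):
    """Configuration checks a rule should pass before it is enabled."""
    problems = []
    if rule.publisher in ldap_publishers and not rule.mapper:
        problems.append("LDAP publisher %s needs a mapper" % rule.publisher)
    try:
        evaluate_predicate(rule.predicate, {})
    except ValueError as exc:
        problems.append(str(exc))
    return problems


# Constructed rule set: the four default Ldap*Rule instances plus two
# hypothetical file-publishing rules (FileUserCertPublisher and
# FileCrlPublisher are assumed names, not defaults of the product).
RULES = [
    Rule("LdapCaCertRule", "cacert", "", True, "LdapCaCertMap", "LdapCaCertPublisher"),
    Rule("LdapXCertRule", "xcert", "", True, "LdapCaCertMap", "LdapCrossCertPairPublisher"),
    Rule("LdapUserCertRule", "certs", "", True, "LdapUserCertMap", "LdapUserCertPublisher"),
    Rule("LdapCRLRule", "crl", "issuingPointId==MasterCRL && isDeltaCRL==false", True, "LdapCrlMap", "LdapCrlPublisher"),
    Rule("PublishClientCertToFile", "certs", "HTTP_PARAMS.certType==client", True, None, "FileUserCertPublisher"),
    Rule("PublishDeltaCrlToFile", "crl", "issuingPointId==MasterCRL && isDeltaCRL==true", False, None, "FileCrlPublisher"),
]
LDAP_PUBLISHERS = {"LdapCaCertPublisher", "LdapCrossCertPairPublisher",
                   "LdapUserCertPublisher", "LdapCrlPublisher"}


if __name__ == "__main__":
    print(rule_ids(RULES, "certs", {"HTTP_PARAMS.certType": "client"}))
    print(rule_ids(RULES, "crl", {"issuingPointId": "MasterCRL", "isDeltaCRL": False}))
    print(rule_problems(Rule("Bad", "crl", "isDeltaCRL=false", True, None, "LdapCrlPublisher"), LDAP_PUBLISHERS))
```

A client certificate matches both LdapUserCertRule (no predicate) and PublishClientCertToFile, which is the independent-rules behaviour the section describes; the disabled delta CRL rule never fires, so a delta CRL from MasterCRL is published nowhere until that rule is enabled.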

 

Rule Instance Reference

This section discusses the rule instances that have been set up.

LdapCaCertRule

The LdapCaCertRule can be used to publish CA certificates to an LDAP directory.


Table 16-13    LdapCaCertRule Configuration Parameters

  Parameter   Value                 Description
  ---------   -------------------   -------------------------------------------------------------------------
  type        cacert                Type of object this rule publishes; select from the pull-down menu.
  predicate   (none)                Predicate that narrows which objects this rule publishes; the default rule sets none.
  enable      yes                   Select to enable the rule.
  mapper      LdapCaCertMap         Mapper used with this rule; see "LdapCaCertMap" for details.
  publisher   LdapCaCertPublisher   Publisher used with this rule; see "LdapCaCertPublisher" for details.

 

LdapXCertRule

The LdapXCertRule can be used to publish cross-pair certificates to an LDAP directory.


Table 16-14    LdapXCertRule Configuration Parameters

  Parameter   Value                        Description
  ---------   --------------------------   -------------------------------------------------------------------------
  type        xcert                        Type of object this rule publishes; select from the pull-down menu.
  predicate   (none)                       Predicate that narrows which objects this rule publishes; the default rule sets none.
  enable      yes                          Select to enable the rule.
  mapper      LdapCaCertMap                Mapper used with this rule; see "LdapCaCertMap" for details.
  publisher   LdapCrossCertPairPublisher   Publisher used with this rule; see "LdapCertificatePairPublisher" for details.

 

LdapUserCertRule

The LdapUserCertRule can be used to publish user certificates to an LDAP directory.


Table 16-15    LdapUserCertRule Configuration Parameters

  Parameter   Value                   Description
  ---------   ---------------------   -------------------------------------------------------------------------
  type        certs                   Type of object this rule publishes; select from the pull-down menu.
  predicate   (none)                  Predicate that narrows which objects this rule publishes; the default rule sets none.
  enable      yes                     Select to enable the rule.
  mapper      LdapUserCertMap         Mapper used with this rule; see "LdapSimpleMap" for details.
  publisher   LdapUserCertPublisher   Publisher used with this rule; see "LdapUserCertPublisher" for details.

 

LdapCRLRule

The LdapCRLRule can be used to publish CRLs to an LDAP directory.


Table 16-16    LdapCRLRule Configuration Parameters

  Parameter   Value              Description
  ---------   ----------------   -------------------------------------------------------------------------
  type        crl                Type of object this rule publishes; select from the pull-down menu.
  predicate   (none)             Predicate that narrows which CRLs this rule publishes; the default rule sets none.
  enable      yes                Select to enable the rule.
  mapper      LdapCrlMap         Mapper used with this rule; see "LdapCrlMap" for details.
  publisher   LdapCrlPublisher   Publisher used with this rule; see "LdapCrlPublisher" for details.

 

Enabling Publishing


You can enable just file publishing, or both LDAP and file publishing. You should enable publishing after setting up publishers, rules, and mappers. Once enabled, the server will attempt to publish. If you have not set up publishing correctly before enabling publishing, your results may be undesirable, or the publishing feature may fail completely.

To enable publishing:

  1. In the navigation tree of the CMS window, select Certificate Manager, and then select Publishing.
  2. The right pane shows the publishing details necessary for the server to publish to an LDAP-compliant directory.
     
  3. To enable publishing to a file only, select Enable Publishing.
  4. To enable LDAP publishing, select both Enable Publishing and Enable Default LDAP Connection options.
  5. In the Destination section, identify the Directory Server instance.
     
    Host name. Type the fully qualified DNS host name of the Directory Server. For example: host1.example.com.
     
    If you configured the Directory Server for SSL communication, the name you enter here must match the CN component in the subject DN of the Directory Server's SSL server certificate, because the Certificate Manager verifies that certificate against the host name it connects to. For example, the host name may look like corpDirectory.example.com.
     
    Port number. Type the TCP/IP port number on which the Directory Server is listening to certificate and CRL publishing requests from the Certificate Manager.
     
    Directory manager DN. Type the distinguished name (DN) of the directory entry the Certificate Manager binds as when it publishes. The access control set for this DN determines whether the Certificate Manager can publish. The directory manager's DN works because it has write permission to the entire directory tree (the root DN), but it is also exempt from the directory's access control, so a compromise of the publishing credentials would expose the whole directory. A safer choice is a dedicated publishing entry with read-write permission only to the attributes the publishing system actually writes (userCertificate;binary, caCertificate;binary, and certificateRevocationList;binary) in the subtrees it publishes to, plus the right to add the CA entry if a mapper is configured to create it.
     
    Password. Type the password for this DN. The Certificate Manager saves this password in the single sign-on password cache and uses it during startup. (If you change the password, the server updates the single sign-on password cache with the new password.)
     
    Client certificate. Select the certificate you want the Certificate Manager to use for SSL client authentication to the publishing directory. By default, the Certificate Manager uses its SSL server certificate for this purpose.
     
    LDAP version. Select the version of LDAP protocol appropriate to your version of Directory Server. If the directory you want the Certificate Manager to publish to is based on Netscape Directory Server 1.x, select version 2. For Directory Server versions 3.x and later, select LDAP version 3.
     
    Authentication. Select the authentication type appropriate to your Directory Server configuration. The choices are Basic authentication and SSL client authentication.
     
    If you configured the Directory Server for basic authentication or for SSL communication without client authentication, select Basic authentication and specify values for the Directory manager DN and password.
     
    If you configured the Directory Server for SSL communication with client authentication, select SSL client authentication, select the Use SSL communication option, and identify the certificate that the Certificate Manager must use for SSL client authentication to the directory.
     
  6. To save your changes, click Save.
  7. The server attempts to connect to the specified Directory Server. If the information you specified is incorrect, the server displays an error message and you will need to correct the information and save your changes again.
     
    If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.
     

Testing Publishing to Files


To verify that the Certificate Manager is publishing certificates and CRLs correctly to files, follow these steps:

  1. Go to the end-entity interface and request a certificate.
  2. Go to the agent services interface and approve the request if you have an agent-approved enrollment configuration. If you set up automatic enrollment, you can skip this step.
  3. Download the certificate into your browser.
  4. Check whether the server published the certificate as a DER-encoded file: go to the directory you specified for the server to publish certificates. You should see a file named cert-<serial_number>.der, where <serial_number> is the serial number of the certificate contained in the file.
  5. Convert the DER-encoded certificate to its base-64 encoded form using the Binary to ASCII tool (see Chapter 8, "Binary to ASCII Tool," of the CMS Command-Line Tools Guide):
    1. Open a command window.
    2. Go to this directory: <server_root>/bin/cert/tools
    3. At the prompt, enter this: BtoA <input_file> <output_file>

      substituting <input_file> with the path to the file that contains the DER-encoded certificate and <output_file> with the path of the file to write the base-64 encoded certificate to.

      For example, if the file is C:\certificates\cert-1234.der and you want the base-64 encoded certificate in C:\certificates\cert-1234.txt, the command would look like this: BtoA C:\certificates\cert-1234.der C:\certificates\cert-1234.txt

    4. When the conversion is complete, open the output file (cert-1234.txt in the example) in a text editor. You should see a base-64 encoded certificate similar to this:

      -----BEGIN CERTIFICATE-----
      MMIIBtgYJYIZIAYb4QgIFoIIBpzCCAZ8wggGbMIIBRaADAgEAAgEBMA0GCSqGSIb3DQEBBAUAMFcxC
      AJBgNVBAYTAlVTMSwwKgYDVQQKEyNOZXRzY2FwZSBDb21tdW5pY2F0aWhfyyuougjgjjgmkgjkgmjg
      fjfgjjjgfyjfyj9ucyBDb3Jwb3JhdGlvbjpMEaMBgGA1UECxMRSXNzdWluZyhgdfhbfdpffjphotoo
      gdhkBBdXRob3JpdHkwHhcNOTYxMTA4MDkwNzM0WhcNOTgxMTA4MDkwNzMM0WjBXMQswCQYDVQQGEwJ
      VUzEsMCoGA1UEChMjTmV0c2NhcGUgQ29tbXVuaWNhdGlvbnMgQ29ycG9yY2F0aW9ucyBDb3Jwb3Jhd
      GlvbjpMEaMBgGA1UECxMRSXNzdWluZyBBdXRob3JpdHkwHh
      -----END CERTIFICATE-----

  6. Convert the base-64 encoded certificate to a human-readable form using the Pretty Print Certificate tool (see Chapter 9, "Pretty Print Certificate Tool," of the CMS Command-Line Tools Guide):
    1. Check the command window to make sure that you are in this directory: <server_root>/bin/cert/tools
    2. At the prompt, enter this: PrettyPrintCert <input_file> [<output_file>]

      substituting <input_file> with the path to the ASCII file that contains the base-64 encoded certificate and <output_file> with the path of the file to write the human-readable form to. If you don't specify an output file, the certificate information is written to standard output.

      For example, if the base-64 encoded certificate is in C:\certificates\cert-1234.txt and you want the human-readable form displayed on your screen, the command would look like this: PrettyPrintCert C:\certificates\cert-1234.txt

      When the conversion is complete, you should see the certificate you issued in human-readable form.

    3. Compare the output with the certificate you issued; in particular, check that the serial number in the certificate matches the one in the file name.
    4. If everything matches, the Certificate Manager is configured correctly to publish certificates to files.
  7. Revoke the certificate.
  8. Check whether the server published the CRL as a DER-encoded file: go to the directory you specified for the server to publish CRLs. You should find a file named crl-<this_update>.der, where <this_update> is derived from the This Update time of the CRL contained in the file. If you don't see the file, check your configuration.
  9. Convert the DER-encoded CRL to its base-64 encoded form using the Binary to ASCII tool, as in step 5.
  10. Convert the base-64 encoded CRL to a human-readable form using the Pretty Print CRL tool, as in step 6.
  11. Repeat this test for each kind of certificate or CRL you issue. Remember to check for the published certificate or CRL in every location you set up publishing for it.
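The file-name check and the BtoA conversion in the procedure above can be scripted so that every published file is verified rather than one sample. The following Python is an added example and not one of the CMS command-line tools: it reads the serialNumber directly out of the DER file by walking the first two fields of the Certificate structure, compares it with the cert-<serial_number>.der name, and produces the same base-64 form with PEM armour that BtoA writes. Two details are assumptions: that the file name carries the serial number in decimal (as in the guide's cert-1234.der example) and that base-64 output wraps at 64 columns. constructed_sample_cert builds a constructed stand-in with the outer shape of a certificate (it is not a valid certificate) so the example runs offline; point check_published_cert at real files from the publishing directory to use it.

```python
import base64
import re


def der_tlv(tag, body):
    """Encode one DER tag-length-value (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(len_bytes)]) + len_bytes
    return bytes([tag]) + length + body


def read_tlv(buf, pos=0):
    """Decode the TLV starting at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def certificate_serial(der):
    """Return the serialNumber of a DER-encoded X.509 Certificate as an int.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
    serialNumber INTEGER, ... }, ... }  -- only the leading fields are walked.
    """
    tag, cert, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = read_tlv(cert)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, nxt = read_tlv(tbs)
    if tag == 0xA0:            # optional [0] EXPLICIT version; skip it
        tag, value, nxt = read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(value, "big", signed=True)


def btoa(der):
    """Base-64 the DER bytes with PEM armour, the form the BtoA tool writes.

    Assumption: 64-character lines; the guide does not state BtoA's line width.
    """
    text = base64.b64encode(der).decode("ascii")
    lines = [text[i:i + 64] for i in range(0, len(text), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem):
    """Inverse of btoa: drop the armour lines and decode the base-64 body."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def check_published_cert(filename, der):
    """True if cert-<serial_number>.der names the serial found inside the file.

    Assumption: <serial_number> is decimal, as in the guide's cert-1234.der example.
    """
    match = re.fullmatch(r"cert-(\d+)\.der", filename)
    if not match:
        raise ValueError("not a cert-<serial_number>.der file name: %s" % filename)
    return int(match.group(1)) == certificate_serial(der)


def constructed_sample_cert(serial):
    """Constructed stand-in for testing: the outer shape of a certificate with
    empty signature fields and a filler OCTET STRING so the outer lengths use
    the long form. It is not a valid certificate."""
    n = max(1, (serial.bit_length() + 8) // 8)          # DER INTEGER: minimal, positive
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))    # [0] EXPLICIT INTEGER 2 (v3)
    tbs = der_tlv(0x30, version + der_tlv(0x02, serial.to_bytes(n, "big")) + der_tlv(0x04, b"\x00" * 200))
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))


if __name__ == "__main__":
    sample = constructed_sample_cert(1234)
    print("serial:", certificate_serial(sample))
    print("name matches:", check_published_cert("cert-1234.der", sample))
    print(btoa(sample))
```

To check a real publishing directory, read each cert-*.der file as bytes and pass its name and contents to check_published_cert; a mismatch means the file was written under the wrong serial number and the publisher configuration needs attention before the certificates are relied on.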

Configuring the Directory for LDAP Publishing


Before you can use a directory for publishing of certificates and CRLs, you must configure that directory to work correctly with your publishing system. The following sections detail what you will need to configure:

Schema

For a Certificate Manager to publish certificates and CRLs to a directory, it must be configured with specific attributes and object classes. This section discusses those basic schema requirements.

Required Schema for Publishing End-Entity Certificates

The Certificate Manager publishes an end entity's certificate to the userCertificate;binary attribute within the end entity's or subject's directory object. This attribute is multivalued; each value is a DER encoded binary X.509 certificate. The LDAP object class named inetOrgPerson allows this attribute. This object class is supported by Directory Server versions 1.0, 3.x, 4.x, and later. The mix-in object class named strongAuthenticationUser allows this attribute and can be combined with any other object class to allow certificate publication to that object. Note that the Certificate Manager does not automatically add this object class to the schema table of the corresponding Directory Server while publishing or unpublishing end-entity certificates. If the directory object that it finds does not allow the userCertificate;binary attribute, the addition or removal of that specific certificate fails.

If you have created user entries as inetOrgPerson, the userCertificate;binary attribute already exists in the directory. Otherwise, you must add the userCertificate;binary attribute to your directory's schema table. For information on modifying directory schema, check the Directory Server documentation.

Required Schema for Publishing the CA Certificate

The Certificate Manager publishes its own CA certificate in the caCertificate;binary attribute of the CA's directory object when the server is started; this is the object that corresponds to the Certificate Manager's issuer name. This is a required attribute of the certificationAuthority object class. Note that the Certificate Manager will add this object class to the directory entry for the CA, provided that it finds the CA's directory entry.

Required Schema for Publishing CRLs

The Certificate Manager publishes the updated CRL to the CA's directory object under this attribute: certificateRevocationList;binary.

This attribute belongs to the certificationAuthority object class. The value of the attribute is the DER-encoded binary X.509 certificate revocation list. The CA's entry must already exist in the directory and carry the certificationAuthority object class (see the previous section) before a CRL can be published to it.
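Before enabling LDAP publishing it is worth checking an export of the target entries against the schema requirements above, because the Certificate Manager does not add the object classes that allow userCertificate;binary and a publish to an entry without them simply fails. The following Python is an added example, not a CMS tool: it parses a small LDIF file and reports, for each entry, which of the three publishing attributes its object classes allow. SAMPLE_LDIF is constructed data; the object-class-to-attribute table is taken from this section (inetOrgPerson or the strongAuthenticationUser mix-in for userCertificate;binary, certificationAuthority for caCertificate;binary and certificateRevocationList;binary).

```python
import base64

# Object classes that allow each attribute the Certificate Manager writes,
# as stated in this section; names are compared case-insensitively.
PUBLISHING_ATTRIBUTES = {
    "usercertificate;binary": {"inetorgperson", "strongauthenticationuser"},
    "cacertificate;binary": {"certificationauthority"},
    "certificaterevocationlist;binary": {"certificationauthority"},
}

# Constructed LDIF (not exported from a real directory): an inetOrgPerson
# entry, a person entry with the strongAuthenticationUser mix-in, a CA entry,
# and a plain person entry that cannot take a certificate. "AQID" is the
# base-64 of three placeholder bytes, not a certificate.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,o=example.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
mail: jdoe@example.com
userCertificate;binary:: AQID

dn: uid=rsmith,ou=people,o=example.com
objectClass: top
objectClass: person
objectClass: strongAuthenticationUser
uid: rsmith
cn: Robert Smith
sn: Smith

dn: uid=CA,ou=people,o=example.com
objectClass: top
objectClass: certificationAuthority
uid: CA
cn: CA

dn: uid=legacy,ou=people,o=example.com
objectClass: top
objectClass: person
uid: legacy
cn: Legacy
  User
sn: User
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base-64
    values, and returns [{"dn": ..., "attrs": {name: [values]}}] in file order."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation line: one leading space is removed
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():
            current = None                   # blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        name = name.strip().lower()
        value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
            entries.append(current)
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def publishable_attributes(entry):
    """Publishing attributes this entry's object classes allow, sorted."""
    classes = {c.lower() for c in entry["attrs"].get("objectclass", [])}
    return sorted(attr for attr, allowed in PUBLISHING_ATTRIBUTES.items() if classes & allowed)


def check_publishing_schema(ldif_text):
    """Map each entry DN to the publishing attributes it can accept; an empty
    list means publishing to that entry fails until its object classes change."""
    return {entry["dn"]: publishable_attributes(entry) for entry in parse_ldif(ldif_text)}


if __name__ == "__main__":
    for dn, attrs in check_publishing_schema(SAMPLE_LDIF).items():
        print(dn, "->", attrs or "NOTHING (add inetOrgPerson, strongAuthenticationUser or certificationAuthority)")
```

Feed it an ldapsearch export of the subtree your mappers resolve into; any entry that reports an empty list is one the Certificate Manager will fail to publish to, and the fix is a schema change on the entry (or on the template that creates such entries), not a mapper change.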

Entry for the