Agent's Guide
Red Hat Certificate System


Chapter 5

Publishing to a Directory


This chapter describes the procedures for updating an LDAP directory with the current status of certificates. Only a Certificate Manager agent can update the directory.

This chapter contains the following sections:

  Working with a Directory Server
  Updating the Directory with Changes

Working with a Directory Server

If your organization uses Red Hat Directory Server (or another LDAP directory server) to publish information about users in your organization, you can configure Certificate System to publish certificates and certificate revocation lists through the directory.

Certificate information published to the directory must be periodically updated as certificates are issued and revoked. Updates are usually published automatically but can also be published manually.

Automatic Directory Updates

Once the CS administrator has configured Certificate System to work with Directory Server, any changes to certificate information in Certificate System are automatically updated in the directory. Updates take place at specific times:

Manual Directory Updates

Normally you do not need to update a directory manually; most updates are done automatically. You must update the directory manually in the following situations:

Using the Update Directory Server form available from the Certificate Manager Agent Services page, you make the following changes in the directory:

Note that only a Certificate Manager agent with the proper certificate can access the Update Directory Server form.

Updating the Directory with Changes

To manually update the directory with changes:

  1. Go to the Certificate Manager Agent Services page (see "Accessing Agent Services" on page 24). You must submit the proper client certificate to get access to this page.
  2. Click Update Directory Server.
  3. Select "Skip certificates already marked as updated" to ignore certificates in the internal database that are marked as having been published already (or removed, in the case of revoked certificates).
     For example, if you updated the directory once to revoke many certificates and it took several minutes, some new certificates may have been issued while the update was running. You would then use this selection and update the directory a second time to publish the new certificates (and save time by skipping all of the certificates that were just updated).
  4. To publish the latest CRL, select "Update certificate revocation list to the directory."
  5. To update information on valid certificates to the directory, select "Update valid certificates to the directory."
     If you want to update only a range of certificates (for example, only the most recently issued certificates), specify the range of the serial numbers of those certificates.
  6. To remove expired certificates from the directory, select "Remove expired certificates from the directory."
     If you want to remove only a range of certificates (not all expired certificates), specify the range of the serial numbers of those certificates.
  7. To remove revoked certificates from the directory, select "Remove revoked certificates from the directory."
     If you want to remove only a range of certificates (not all revoked certificates), specify the range of the serial numbers of those certificates.
  8. When you have finished specifying the changes that you want updated, click Update Directory.
Note

In some circumstances, updating the directory can take considerable time. During this period, any changes made through Certificate System (for example, any new certificates issued or any certificates revoked) may not be included in the update. If you have issued or revoked any certificates during that time, you need to update the directory again to reflect those changes. Use "Skip certificates already marked as updated" the second time to update only certificates that changed (issued, revoked, expired) while the previous update was running.
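The following is an added example, not code from Red Hat Certificate System, that models what the Update Directory Server form does to the directory and reproduces the race described in the Note above. The CA's internal database and the LDAP directory are replaced by in-memory objects (the record fields, the DNs and the serial numbers are constructed for the example) so it runs offline; the real product reads its own internal database and writes to Directory Server over its publishing connection. The point it shows is the window between two updates in which a certificate revoked during a long run is still present in the directory, and how a second pass with "Skip certificates already marked as updated" closes that window by touching only the records that changed.

```python
"""Model of the Update Directory Server form (added example, not product code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]
ALL: Range = (0, 1 << 160)   # wide enough for any serial: "no range given" on the form


@dataclass
class CertRecord:
    serial: int
    subject_dn: str          # directory entry the certificate is published under
    status: str              # "VALID", "REVOKED" or "EXPIRED"
    updated: bool = False    # "marked as updated": the directory reflects current status


@dataclass
class Directory:
    # subject DN -> serial numbers currently held in that entry (stand-in for userCertificate)
    entries: Dict[str, List[int]] = field(default_factory=dict)
    crl_number: Optional[int] = None   # identifies which CRL is currently published


def _in_range(serial: int, rng: Range) -> bool:
    lo, hi = rng
    return lo <= serial <= hi


def _action_for(rec, publish_valid, remove_expired, remove_revoked):
    """Which form option, if any, applies to this record (range options are None or (lo, hi))."""
    if rec.status == "VALID" and publish_valid and _in_range(rec.serial, publish_valid):
        return "published"
    if rec.status == "EXPIRED" and remove_expired and _in_range(rec.serial, remove_expired):
        return "removed_expired"
    if rec.status == "REVOKED" and remove_revoked and _in_range(rec.serial, remove_revoked):
        return "removed_revoked"
    return None


def update_directory(records, directory, *, skip_updated=False, crl_number=None,
                     publish_valid=None, remove_expired=None, remove_revoked=None):
    """One submission of the form. Returns a count per action plus skipped records."""
    counts = {"crl": 0, "published": 0, "removed_expired": 0,
              "removed_revoked": 0, "skipped": 0}
    if crl_number is not None:                  # "Update certificate revocation list"
        directory.crl_number = crl_number
        counts["crl"] = 1
    for rec in records:
        action = _action_for(rec, publish_valid, remove_expired, remove_revoked)
        if action is None:
            continue
        if skip_updated and rec.updated:        # "Skip certificates already marked as updated"
            counts["skipped"] += 1
            continue
        serials = directory.entries.setdefault(rec.subject_dn, [])
        if action == "published":
            if rec.serial not in serials:
                serials.append(rec.serial)
        elif rec.serial in serials:             # either removal option
            serials.remove(rec.serial)
        rec.updated = True                      # directory now reflects this record
        counts[action] += 1
    return counts


def stale_revoked(records, directory):
    """Revoked certificates a relying party would still find in the directory."""
    return sorted(r.serial for r in records
                  if r.status == "REVOKED" and r.serial in directory.entries.get(r.subject_dn, []))


def simulate_long_update():
    """Certificates change while a full update runs; a second pass with skip_updated fixes it."""
    dn = "uid=user{},ou=People,dc=example,dc=com".format
    records = [CertRecord(s, dn(s), "VALID") for s in range(1, 6)]
    records += [CertRecord(6, dn(6), "EXPIRED"), CertRecord(7, dn(7), "REVOKED")]
    directory = Directory({dn(6): [6], dn(7): [7]})   # left over from earlier publishing

    # First pass: every option selected, no skipping (the long run in the text's example).
    first = update_directory(records, directory, crl_number=10, publish_valid=ALL,
                             remove_expired=ALL, remove_revoked=ALL)

    # Changes made while that pass was running: one issuance, one revocation.
    records.append(CertRecord(8, dn(8), "VALID"))
    records[2].status, records[2].updated = "REVOKED", False     # serial 3 revoked
    stale_between = stale_revoked(records, directory)            # [3]: still published

    # Second pass with "Skip certificates already marked as updated".
    second = update_directory(records, directory, skip_updated=True, crl_number=11,
                              publish_valid=ALL, remove_expired=ALL, remove_revoked=ALL)
    return first, second, stale_between, stale_revoked(records, directory), directory


if __name__ == "__main__":
    print(simulate_long_update()[:4])
```

The second pass processes only the two records whose status changed after the first pass started; everything else is skipped, which is what makes the follow-up update cheap. The `stale_revoked` check is the one worth running between the two passes: until the second update completes, any relying party that looks up certificates in the directory rather than in the CRL will still find the revoked certificate.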






© 2001 Sun Microsystems, Inc. Used by permission. © 2005 Red Hat, Inc. All rights reserved.

last updated September 6, 2005