Agent's Guide, Red Hat Certificate System
Chapter 7
Managing OCSP Service Related Tasks
This chapter describes the tasks an Online Certificate Status Manager agent performs, such as identifying a CA to the Online Certificate Status Manager and adding a CRL to its internal database. These tasks are available only when the Online Certificate Status Manager subsystem is installed, and they are carried out through the Online Certificate Status Manager Agent Services page, which is open only to agents who present a valid agent certificate.
This chapter contains the following sections:
- Listing CAs Identified by Online Certificate Status Manager
- Identifying a CA to Online Certificate Status Manager
- Adding a CRL to Online Certificate Status Manager
- Checking the Revocation Status of a Certificate
Listing CAs Identified by Online Certificate Status Manager
The Online Certificate Status Manager can be configured to receive CRLs from multiple Certificate Managers. Each Certificate Manager that can publish CRLs to the Online Certificate Status Manager must have its CA signing certificate stored in the internal database of the Online Certificate Status Manager. For instructions, see "Identifying a CA to Online Certificate Status Manager" on page 86.
At any given time, you can see the list of Certificate Managers that are currently recognized by the Online Certificate Status Manager.
To see the list of Certificate Managers:
- Open a web browser window.
- Go to the Online Certificate Status Manager's Agent interface. The URL is in this format: https://<hostname>:<port>. You must submit the proper client certificate to get access to this page.
- The Online Certificate Status Manager Agent Services interface appears.
- In the left frame, click List Certificate Authorities.
- The resulting form shows information about each Certificate Manager (CA) that the Online Certificate Status Manager currently recognizes.
Identifying a CA to Online Certificate Status Manager
The Online Certificate Status Manager can be configured to receive CRLs from multiple Certificate Managers. Before you configure a Certificate Manager to publish CRLs to the Online Certificate Status Manager, you must identify the Certificate Manager to the Online Certificate Status Manager by storing its CA signing certificate in the Online Certificate Status Manager's internal database. This stored certificate is what the Online Certificate Status Manager uses to verify the signature on CRLs from that CA, so add only certificates whose origin you have confirmed: compare the certificate's fingerprint with a value obtained from the CA's administrator through a channel other than the web page you copied it from.
The steps below explain how to store the Certificate Manager's CA signing certificate in the internal database of the Online Certificate Status Manager:
- Open a web browser window.
- Go to the Certificate Manager's end-entity interface. The URL is in https://<hostname>:<SSL_port> or http://<hostname>:<port> format.
- Select the Retrieval tab, and in the left frame, click List Certificates.
- In the resulting form, click Find.
- A list of certificates appears.
- Locate the Certificate Manager's CA signing certificate by looking at the subject name of the certificate.
- Typically, the CA signing certificate is the first certificate the Certificate Manager issues.
- Click Details.
- In the resulting page, scroll to the section that says "Base 64 encoded certificate" and shows the CA signing certificate in its base-64 encoded format.
- Copy the base-64 encoded certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines, to the clipboard or a text file.
- The copied information should look similar to the following example:
-----BEGIN CERTIFICATE-----
MIICJzCCAZCgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBCMSAwHgYDVQQKExdOZXRzY2FwZSBDb21tdW5pYF
0aW9uczngjhnMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyNzE5MDAwMFoXDTk5MDIyMzE5MDAw
MnbjdgngYoxIDAeBgNVBAoTF05ldHNjYXBlIENvbW11bmljYXRpb25zMQ8wDQYDVQQLEwZQZW9wbGUxFzA
VBgoJkiaJkIsZAEBEwdzdXByaXlhMRcwFQYDVQQDEw5TdXByaXlhIFNoZXR0eTEjMCEGCSqGSIb3DbndgJ
ARYUc3Vwcml5YUBuZXRzY2FwZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoYiYgthgtbbnjfngjn
jgnagwJjAOBgNVHQ8BAf8EBAMCBLAwFAYJYIZIAYb4QgEBAQHBAQDAgCAMA0GCSqGSIb3DQEBBAUAA
-----END CERTIFICATE-----
- Go to the Online Certificate Status Manager's Agent interface. The URL is in this format: https://<hostname>:<port>.
- The Online Certificate Status Manager Agent Services interface appears.
- In the left frame, click Add Certificate Authority.
- In the resulting form, paste the encoded CA signing certificate inside the text area labeled "Base 64 encoded certificate (including header and footer)."
- Click Add.
- The certificate is added to the internal database of the Online Certificate Status Manager.
- To verify that the certificate is added successfully, in the left frame, click List Certificate Authorities.
- The resulting form should show information about the Certificate Manager (CA) you just added.
Adding a CRL to Online Certificate Status Manager
If a Certificate Manager is unable to publish its CRL to the Online Certificate Status Manager, you can add the CRL to the Online Certificate Status Manager's internal database manually. The Certificate Manager that issued the CRL must already have been identified to the Online Certificate Status Manager (see "Identifying a CA to Online Certificate Status Manager"), because the stored CA signing certificate is what the Online Certificate Status Manager uses to verify the CRL's signature. Add the most recently issued CRL; loading an older one would leave the responder reporting stale status.
To add a CRL to the internal database:
- Open a web browser window.
- Go to the Certificate Manager's Agent interface (see "Accessing Agent Services" on page 24). The URL is in this format: https://<hostname>:<port>. You must submit the proper client certificate to get access to this page.
- The Certificate Manager Agent Services interface appears.
- Click on the item Display Revocation List.
- In the resulting form, select the desired CRL issuing point, select the option to display the CRL in base-64 encoded format, and click Display.
- In the resulting page, scroll to the section that says "Certificate revocation list base64 encoded," which shows the CRL in its base-64 encoded format.
- Copy the base-64 encoded CRL, including the -----BEGIN CERTIFICATE REVOCATION LIST----- and -----END CERTIFICATE REVOCATION LIST----- marker lines, to the clipboard or a text file.
- The copied information should look similar to the following example:
-----BEGIN CERTIFICATE REVOCATION LIST-----
MIICJzCCAZCgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBCMSAwHgYDVQQKExdOZXRzY2FwZSBDb21tdW5pYF
0aW9uczngjhnMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyNzE5MDAwMFoXDTk5MDIyMzE5MDAw
MnbjdgngYoxIDAeBgNVBAoTF05ldHNjYXBlIENvbW11bmljYXRpb25zMQ8wDQYDVQQLEwZQZW9wbGUxFzA
VBgoJkiaJkIsZAEBEwdzdXByaXlhMRcwFQYDVQQDEw5TdXByaXlhIFNoZXR0eTEjMCEGCSqGSIb3DbndgJ
ARYUc3Vwcml5YUBuZXRzY2FwZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoYiYgthgtbbnjfngjn
jgnagwJjAOBgNVHQ8BAf8EBAMCBLAwFAYJYIZIAYb4QgEBAQHBAQDAgCAMA0GCSqGSIb3DQEBBAUAA4GBA
Fi9FzyJlLmS+kzsue0kTXawbwamGdYql2w4hIBgdR+jWeLmD4CP4xzmKdvQ6IqD2q8DBs9lRQu9JYg129o
-----END CERTIFICATE REVOCATION LIST-----
- Go to the Online Certificate Status Manager's Agent interface. The URL is in this format: https://<hostname>:<port>.
- The Online Certificate Status Manager Agent Services interface appears.
- In the left frame, click Add Certificate Revocation List.
- In the resulting form, paste the encoded CRL inside the text area labeled "Base 64 encoded certificate revocation list (including the header and footer)."
- Click Add.
- The CRL is added to the internal database of the Online Certificate Status Manager.
Checking the Revocation Status of a Certificate
You can check the revocation status of a certificate by submitting the certificate in its base-64 encoded format to the Online Certificate Status Manager:
- Copy the base-64 encoded certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines, to the clipboard or a text file.
- The copied information should look similar to the following example:
-----BEGIN CERTIFICATE-----
MIICJzCCAZCgAwIBAgIByrgrugrwuguvgrvhfeygyDBCMSAwHgYDVQQKExdOZXRzY2FwZSBDb21tdW5pYF
dih9uczngjhnMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyNzE5MDAwMFoXDTk5MDIyMzE5MDAw
MnbjdgngYoxIDAeBgNVBAoTF05ldHNjYXBlafkhbfgsdbutihdhb25zMQ8wDQYDVQQLEwZQZW9wbGUxFzA
VBgoJkiaJkIsZAEBEwdzdXByaXlhMRcwFQYDVQQDEw5TdXByaXlhIFNoZXR0eTEjMCEGCSqGSIb3DbndgJ
ASdUc3Vwcml5YUBuZXRzY2FwZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoYiYgthgtbbnjfngjn
jgnagwJjAOBgNVHQ8BAf8EBAMCBLAwFAYJYIZIAYb4QgEBAQHBAQDAgCAMA0GCSqGSIb3DQEBBAUAA
-----END CERTIFICATE-----
- Go to the Online Certificate Status Manager Agent Services page (see "Accessing Agent Services" on page 24). You must submit the proper client certificate to get access to this page.
- In the left frame, click Check Certificate Status.
- In the resulting form, paste the certificate inside the text area labeled "Base 64 encoded certificate."
- Click Check.
- The resulting form shows the status of the certificate you just submitted. The status is computed from the CRLs the Online Certificate Status Manager currently holds for that certificate's issuer: a certificate revoked after the most recent CRL was published or added is still reported as good until a newer CRL is received, and a certificate from a CA that has not been identified to the Online Certificate Status Manager cannot be checked at all.
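The three procedures in this chapter (identifying a CA, adding a CRL, checking a status) all come down to pasting base-64 material into a form and trusting what comes back. The Go program below is an added example, not code from the Agent's Guide or from Red Hat Certificate System; it performs the checks an agent would want to run on that material before clicking Add, and it shows what a CRL-based status lookup actually computes. It builds its own constructed sample input with the Go standard library (a throwaway CA named "Example Certificate Manager CA" and a CRL that revokes serial 1001; the name, the CRL number 7 and the serials are assumed values), so it runs offline. The function names VerifyCACert, VerifyCRL, Status and MakeSampleCAAndCRL are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// VerifyCACert vets a pasted CA signing certificate: PEM type CERTIFICATE, DER parses, basicConstraints asserts cA.
func VerifyCACert(pemData []byte) (*x509.Certificate, string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, "", fmt.Errorf("input is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, "", fmt.Errorf("DER parse failed: %w", err)
	}
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return nil, "", fmt.Errorf("certificate does not assert cA in basicConstraints")
	}
	// SHA-256 over the DER encoding: the value to confirm with the CA's operator out of band.
	return cert, fmt.Sprintf("%X", sha256.Sum256(cert.Raw)), nil
}

// VerifyCRL vets a pasted CRL against an already identified CA: PEM type (the page's CERTIFICATE REVOCATION LIST
// header or the usual X509 CRL), DER parses, issuer name matches, signature verifies, nextUpdate not yet passed at now.
func VerifyCRL(crlPEM []byte, ca *x509.Certificate, now time.Time) (*x509.RevocationList, error) {
	block, _ := pem.Decode(crlPEM)
	if block == nil || (block.Type != "X509 CRL" && block.Type != "CERTIFICATE REVOCATION LIST") {
		return nil, fmt.Errorf("input is not a PEM CRL block")
	}
	rl, err := x509.ParseRevocationList(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("DER parse failed: %w", err)
	}
	if string(rl.RawIssuer) != string(ca.RawSubject) {
		return nil, fmt.Errorf("CRL issuer name does not match the identified CA")
	}
	if err := rl.CheckSignatureFrom(ca); err != nil {
		return nil, fmt.Errorf("CRL signature does not verify with the CA certificate: %w", err)
	}
	if !rl.NextUpdate.IsZero() && now.After(rl.NextUpdate) {
		return nil, fmt.Errorf("CRL is stale: nextUpdate %s has passed", rl.NextUpdate.UTC().Format(time.RFC3339))
	}
	return rl, nil
}

// Status answers what the Check Certificate Status form answers, using the loaded CRL alone.
func Status(rl *x509.RevocationList, serial *big.Int) string {
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return "revoked"
		}
	}
	return "good"
}

// MakeSampleCAAndCRL builds constructed sample input (not material from the page): a throwaway self-signed CA and a CRL revoking serial 1001.
func MakeSampleCAAndCRL() (caPEM, crlPEM []byte) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Certificate Manager CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	ca, err := x509.ParseCertificate(der) // re-parse so the generated SubjectKeyId and RawSubject are present
	must(err)
	crl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(1001), RevocationTime: now.Add(-30 * time.Minute)}}}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crl, ca, priv)
	must(err)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REVOCATION LIST", Bytes: crlDER})
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	caPEM, crlPEM := MakeSampleCAAndCRL()
	ca, fp, err := VerifyCACert(caPEM)
	must(err)
	rl, err := VerifyCRL(crlPEM, ca, time.Now())
	must(err)
	fmt.Println(ca.Subject.CommonName, fp, rl.Number, Status(rl, big.NewInt(1001)), Status(rl, big.NewInt(1002)))
}
```

Run it with go run. The fingerprint it prints is the SHA-256 digest of the certificate's DER encoding, the same value `openssl x509 -noout -fingerprint -sha256` prints once the colons are removed; compare it against a value obtained from the CA's operator before clicking Add. The two rejections that matter most when a CRL is loaded by hand are the ones VerifyCRL makes last: a CRL whose nextUpdate has already passed, and a CRL not signed by the identified CA's key. Note that the fingerprint check, not any property of the certificate itself, is what ties the pasted blob to the real CA; anyone can mint a CA certificate with the same subject name.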