What’s an OCSP-Compliant PKI Setup?
672
Netscape Certificate Management System Installation and Setup Guide • May 2002
The OCSP response that the client receives indicates the current status of the
certificate as determined by the OCSP responder. The response could be any of the
following:
• Good or Verified—specifying a positive response to the status inquiry. At a minimum, this positive response indicates that the certificate has not been revoked, but it does not necessarily mean that the certificate was ever issued or that the time at which the response was produced is within the certificate’s validity interval. Response extensions may be used to convey additional information on assertions made by the responder regarding the status of the certificate, such as a positive statement about issuance, validity, etc.
• Revoked—specifying that the certificate has been revoked, either permanently or temporarily.
• Unknown—specifying that the OCSP responder doesn’t know about the certificate whose status is being requested by the client.
Based on the status, the client decides whether to validate the certificate.
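As an added illustration (not part of the guide), the following Python models how a client might act on the three statuses described above: Revoked and Unknown are rejected outright, while Good is treated only as "not revoked", so the client still checks response freshness and the certificate's validity interval itself. The certificate dates, response times and field names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

class CertStatus(Enum):
    GOOD = "good"        # asserts only "not revoked"
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # responder has no knowledge of the certificate

@dataclass
class OcspSingleResponse:
    """Status fields of one OCSP SingleResponse, as the client sees them."""
    status: CertStatus
    this_update: datetime            # time at which the status was known to be correct
    next_update: Optional[datetime]  # when newer status is expected; may be absent
    revocation_time: Optional[datetime] = None

def evaluate(validity: tuple, resp: OcspSingleResponse, now: datetime,
             max_age: timedelta = timedelta(days=7)) -> tuple:
    """Decide whether to accept the certificate with (notBefore, notAfter) = validity; returns (accept, reason)."""
    if resp.status is CertStatus.REVOKED:
        return False, f"revoked (revocationTime={resp.revocation_time})"
    if resp.status is CertStatus.UNKNOWN:
        return False, "responder does not know this certificate"
    # GOOD means only "not revoked": the client must still check that the response
    # is fresh and that `now` falls inside the certificate's validity interval.
    if resp.this_update > now:
        return False, "thisUpdate lies in the future"
    if resp.next_update is not None and now > resp.next_update:
        return False, "stale response (past nextUpdate)"
    if resp.next_update is None and now - resp.this_update > max_age:
        return False, "stale response (no nextUpdate and older than max_age)"
    if not (validity[0] <= now <= validity[1]):
        return False, "outside the certificate's validity interval"
    return True, "not revoked and within validity interval"

# Constructed sample data (not from the guide): a one-year certificate and three
# responses a client might receive about it, all with thisUpdate = T0.
CERT = (datetime(2002, 5, 1, tzinfo=timezone.utc), datetime(2003, 5, 1, tzinfo=timezone.utc))
T0 = datetime(2002, 6, 1, tzinfo=timezone.utc)
GOOD = OcspSingleResponse(CertStatus.GOOD, T0, T0 + timedelta(days=1))
REVOKED = OcspSingleResponse(CertStatus.REVOKED, T0, T0 + timedelta(days=1), T0 - timedelta(days=3))
UNKNOWN = OcspSingleResponse(CertStatus.UNKNOWN, T0, None)

def demo(hours_after_t0: float = 1) -> dict:
    """Evaluate each sample response at T0 + hours; returns {name: (accept, reason)}."""
    now = T0 + timedelta(hours=hours_after_t0)
    return {n: evaluate(CERT, r, now) for n, r in (("good", GOOD), ("revoked", REVOKED), ("unknown", UNKNOWN))}
```

Calling `demo(48)` shows the same Good response being rejected as stale once `nextUpdate` has passed, even though the certificate itself is still within its validity interval.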
How to Get an OCSP Responder?
To aid you in the process of setting up an OCSP-compliant PKI setup, Certificate Management System provides two options:
• Use the OCSP-service feature built into the Certificate Manager
• Use the CMS OCSP responder, named Online Certificate Status Manager
Read the sections that follow and decide which method is suitable for your PKI
setup.
How Certificate Manager’s OCSP-Service Feature Works
The Certificate Manager has a built-in OCSP-service feature, which when
configured, can be used by OCSP-compliant clients to directly query the Certificate
Manager about the revocation status of the certificate being validated.
When queried for the revocation status of a certificate, the Certificate Manager looks up the certificate in its internal database, checks its status, and responds to the client accordingly. Since the Certificate Manager has real-time status of all certificates it has issued, this method of revocation checking is the most accurate.
However, because the Certificate Manager can only check its own internal
database, revocation checking is limited to certificates issued by that Certificate