
Chapter 6. CA: Publishing to a Directory
A Red Hat Directory Server installation is required for the Certificate System subsystems to be
installed; this directory instance maintains user information and certificate and key information.
The Certificate System can be configured to publish certificates and CRLs to that directory, or
other LDAP directories, for other applications to access. Certificate information published to the
publishing directory must be periodically updated as certificates are issued and revoked.
Updates are usually published automatically but may also be published manually.
This chapter describes the procedures for updating an LDAP directory with the current status of
certificates. Only a Certificate Manager (CM) agent can publish certificates and CRLs to the
directory.
1. Automatic Directory Updates
Once the Certificate System administrator has configured the Certificate System to publish to
the publishing Directory Server, changes to certificate information in the Certificate System are
propagated to the publishing directory automatically whenever one of the following events occurs:
• The first time the Certificate System is started, it publishes the CM's CA certificate to the
LDAP publishing directory.
• When the Certificate System issues a new certificate, the certificate is published to the LDAP
publishing directory.
• When the Certificate System revokes a certificate, the certificate is removed from the
publishing directory.
• When the CRL is created or updated, the list is published to the LDAP publishing directory.
For more information on configuring the Certificate System to publish to the Directory Server,
see the Certificate System Administrator's Guide.
2. Manual Directory Updates
Because most updates are automatic, the certificate data in the LDAP publishing directory
rarely needs to be updated manually. However, a manual update of the publishing directory may
be necessary in the following situations:
• The publishing Directory Server was down for a period of time and unable to receive changes
from the Certificate System.
• Expired certificates need to be removed from the publishing directory: the Certificate System
does not remove a certificate from the publishing directory when it expires, only when it is
revoked.
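The second situation is easy to miss, since nothing in the automatic publishing flow ever removes an expired certificate. The following is an added example, not code from Certificate System or Directory Server, that a CM agent could use to find such entries before cleaning them up manually: it assumes the published certificates have been exported (for instance with ldapsearch) into a mapping of entry DN to decoded DER bytes from the `userCertificate;binary` attribute (the attribute name is an assumption), reads each certificate's notAfter directly from the DER, and returns the DNs whose certificate has expired.

```python
# Added example, not Certificate System code: flag publishing-directory entries
# whose certificate has expired (the CM never removes these automatically).
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                    # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(value):
    """Yield (tag, value) for each TLV directly inside a SEQUENCE value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def not_after(der):
    """Read notAfter from an X.509 DER certificate as an aware UTC datetime."""
    _, cert, _ = _tlv(der, 0)                        # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                        # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = fields[3][1]                          # serial, signature, issuer, validity
    text = list(_children(validity))[1][1].decode("ascii")  # notBefore, notAfter
    fmt = "%y%m%d%H%M%SZ" if len(text) == 13 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)

def expired_entries(entries, now=None):
    """Return DNs from {dn: der_bytes} whose certificate expired before now (UTC)."""
    now = now or datetime.now(timezone.utc)
    return sorted(dn for dn, der in entries.items() if not_after(der) < now)

# Short-form DER TLV encoder, used only to build the constructed fixture below.
_der = lambda tag, content: bytes([tag, len(content)]) + content

def _fixture(na):
    """Constructed DER skeleton carrying only the fields not_after() reads."""
    t = lambda s: _der(0x18 if len(s) == 15 else 0x17, s)
    validity = _der(0x30, t(b"200101000000Z") + t(na))
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")   # version, serial
    tbs += _der(0x30, b"") + _der(0x30, b"") + validity           # signature, issuer, validity
    return _der(0x30, _der(0x30, tbs))

# Constructed sample export: decoded userCertificate;binary values keyed by DN.
SAMPLE_ENTRIES = {
    "uid=alice,ou=People,dc=example,dc=com": _fixture(b"230101000000Z"),   # expired
    "uid=bob,ou=People,dc=example,dc=com": _fixture(b"20350101000000Z"),   # still valid
}
```

The DNs returned by `expired_entries` are the candidates for manual removal; the fixture is a structural skeleton for testing the parser, not a real certificate, so run the check against the actual export.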