8.2. Identifying a CA to the Online Certificate Status Manager

The Online Certificate Status Manager can be configured to receive CRLs from multiple Certificate Managers. Before configuring a Certificate Manager to publish CRLs to the OCSP, first identify the Certificate Manager to the Online Certificate Status Manager by storing the Certificate Manager's CA signing certificate in the internal database of the Online Certificate Status Manager.
To store the Certificate Manager's CA signing certificate in the internal database of the Online Certificate Status Manager:
  1. Open the Certificate Manager's end-entities page.
    https://server.example.com:9444/ca/ee/ca
  2. Select the Retrieval tab, and, in the left frame, click List Certificates.
  3. When the page opens, click Find.
  4. Locate the Certificate Manager's CA signing certificate by looking at the subject name of the certificate. Typically, the CA signing certificate is the first certificate the Certificate Manager issues.
  5. Click on the subject name.
  6. In the certificate contents page, scroll to the Base 64 encoded certificate section, which shows the CA signing certificate in its base 64-encoded format.
  7. Copy the base 64-encoded certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines, to the clipboard or a text file.
  8. Open the Online Certificate Status Manager agent services page.
    https://server.example.com:11443/ocsp/agent/ocsp
  9. In the left frame, click Add Certificate Authority.
  10. In the resulting form, paste the encoded CA signing certificate inside the Base 64 encoded certificate (including header and footer) text area.
    Figure 8.2. Add Certificate Authority Page

  11. Click Add.
    The certificate is added to the internal database of the Online Certificate Status Manager.

    NOTE

    If the CA contains multiple CRL distribution points, always publish the master CRL (the CRL that contains all revoked certificates from that CA) to the OCSP responder.
  12. To verify that the certificate is added successfully, click List Certificate Authorities in the left frame.
    The next page shows information about the Certificate Manager that was added.

    NOTE

    If the deployment contains chained CAs, such as a root CA and then several subordinate CAs, add each CA certificate separately to the OCSP responder.
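Before pasting a copied blob into the Add Certificate Authority form, it is worth confirming that it is a complete, well-formed CA certificate. The following is an added example (not part of Certificate System) using only the Python standard library: it checks the PEM markers, decodes the DER, and verifies that the basicConstraints extension asserts cA=TRUE, which holds for a root CA signing certificate and for each subordinate CA certificate alike. `make_test_pem` builds a constructed, unsigned certificate purely so the check can be exercised offline.

```python
import base64
import ssl

def _tlv(buf, off):
    """Decode one DER tag/length at buf[off]; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def _children(buf, start, end):                         # elements of a constructed value
    out, off = [], start
    while off < end:
        out.append(_tlv(buf, off))
        off = out[-1][2]
    return out

def is_ca_cert_pem(pem):
    """True if pem is a well-formed certificate whose basicConstraints extension asserts cA=TRUE."""
    try:
        der = ssl.PEM_cert_to_DER_cert(pem)             # checks BEGIN/END markers, decodes base64
        tag, start, end = _tlv(der, 0)                  # Certificate ::= SEQUENCE {tbs, alg, sig}
        if tag != 0x30 or end != len(der):
            return False
        tbs = _children(der, start, end)[0]
        exts = [f for f in _children(der, tbs[1], tbs[2]) if f[0] == 0xA3][0]   # [3] extensions
        for ext in _children(der, *_children(der, exts[1], exts[2])[0][1:]):
            oid, value = _children(der, ext[1], ext[2])[0], _children(der, ext[1], ext[2])[-1]
            if der[oid[1]:oid[2]] == b"\x55\x1d\x13":   # id-ce-basicConstraints (2.5.29.19)
                bc = _children(der, value[1], value[2])[0]    # OCTET STRING wraps a SEQUENCE
                flags = _children(der, bc[1], bc[2])          # cA BOOLEAN DEFAULT FALSE, ...
                return bool(flags) and flags[0][0] == 0x01 and der[flags[0][1]:flags[0][2]] == b"\xff"
        return False
    except (ValueError, IndexError):
        return False

def _der(tag, content):                                 # DER TLV encoder for the constructed test cert
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content

def make_test_pem(cn, ca):
    """Constructed, unsigned certificate PEM for testing (structure only; no key or signature)."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    bc = _der(0x30, _der(0x01, b"\xff") if ca else b"")               # BasicConstraints {cA}
    ext = _der(0x30, _der(0x06, b"\x55\x1d\x13") + _der(0x01, b"\xff") + _der(0x04, bc))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")       # version v3, serial 1
           + _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSA
           + name + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
           + name + _der(0x30, b"") + _der(0xA3, _der(0x30, ext)))    # subject, SPKI stub, [3] exts
    cert = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"
```

The check inspects structure only; it does not verify the signature or chain of the pasted certificate.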