Publishing Certificates to HTTP Locations

If you include HTTP URLs in the AIA or CDP extensions, you must ensure that the offline CA certificates and CRLs are manually copied to these locations. An offline CA is, by definition, not connected to the network, so nothing publishes these files automatically; the copy method cannot be prescribed in advance, because many factors affect the decision, including:

■ The Web server's location in your network infrastructure. If the Web server is hosted in a demilitarized zone (DMZ), a firewall might block a direct file copy altogether or restrict the copy procedure to specific protocols.

■ The Web server's domain or workgroup membership. If the Web server is in a different domain, forest, or workgroup, a trust relationship (or explicit local credentials) might be required before you can write to the Web server's local disk.

■ The Web server's operating system. Not every Web server is IIS. The Web server you are publishing to might be an open source solution, such as Apache, in which case you might have to use other protocols, such as FTP or Secure Shell (SSH), to transfer the files to the Web server.

In any of these scenarios, you must ensure that the CA certificates are available at the exact URL paths defined in the AIA extension of issued certificates and that the CA CRLs are available at the exact URL paths defined in the CDP extension of issued certificates. A file that is published under the wrong name or path is as unusable to a relying party as one that was never published at all, so verify the URLs after every copy.
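The following PowerShell script is an added example and is not part of the original text: it shows the simplest of the scenarios above (Windows to Windows, copying over an administrative share) and then verifies the result by pulling every HTTP URL out of the AIA and CDP extensions of a certificate issued by the offline CA and fetching each one. The source folder, web root, share name and certificate path are assumptions chosen for illustration; substitute your own.

```powershell
# Added example, not from the original text. Publishes an offline CA's
# certificate and CRL files to the web root behind the HTTP AIA/CDP URLs,
# then checks that every URL in an issued certificate actually resolves.
# All paths and names below are assumptions for illustration.
param(
    [string]$SourceDir  = 'D:\OfflineCA',                   # removable media carried from the offline CA
    [string]$WebRoot    = '\\web01\c$\inetpub\wwwroot\pki',  # admin share on the IIS host (assumed)
    [string]$IssuedCert = 'C:\PKI\SubCA.cer'                 # a certificate issued by the offline CA
)

# 1. Copy only the CA certificate (.crt) and CRL (.crl) files. File names must match
#    the names in the AIA/CDP URL templates exactly; Apache file names are case sensitive.
Get-ChildItem -Path $SourceDir -File |
    Where-Object { $_.Extension -in '.crt', '.crl' } |
    ForEach-Object {
        Copy-Item -Path $_.FullName -Destination (Join-Path $WebRoot $_.Name) -Force
        Write-Host "Published $($_.Name) to $WebRoot"
    }

# 2. Extract the http(s) URLs from the AIA (1.3.6.1.5.5.7.1.1) and
#    CDP (2.5.29.31) extensions of a certificate issued by the offline CA.
function Get-HttpUrlsFromCertificate {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $urls = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -in '1.3.6.1.5.5.7.1.1', '2.5.29.31') {
            # Format($true) renders the extension as multi-line text containing "URL=http://..."
            $text  = $ext.Format($true)
            $urls += [regex]::Matches($text, 'https?://[^\s"]+') | ForEach-Object { $_.Value }
        }
    }
    return $urls | Sort-Object -Unique
}

# 3. Fetch each URL. Only HTTP 200 with a non-empty body counts as published;
#    a 404 means the name or path differs from the URL template, an empty body
#    usually means the copy was interrupted.
function Test-PublishedUrl {
    param([string]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        if ($resp.StatusCode -eq 200 -and $resp.RawContentLength -gt 0) { return $true }
        Write-Warning "$Url returned HTTP $($resp.StatusCode) with $($resp.RawContentLength) bytes"
        return $false
    } catch {
        Write-Warning "$Url failed: $($_.Exception.Message)"
        return $false
    }
}

$failed = Get-HttpUrlsFromCertificate -Path $IssuedCert | Where-Object { -not (Test-PublishedUrl $_) }
if ($failed) {
    Write-Error "Unreachable AIA/CDP URLs:`n$($failed -join "`n")"
    exit 1
}
Write-Host 'All HTTP AIA/CDP URLs in the issued certificate are reachable.'

# Independent cross-check using the built-in chain engine, which fetches the
# AIA and CDP URLs itself and reports any it cannot retrieve:
#   certutil -verify -urlfetch C:\PKI\SubCA.cer
```

For the DMZ, cross-forest or Apache cases from the list above, replace the `Copy-Item` step with whatever transfer the environment permits (for example `scp` over SSH to an Apache host) and keep the verification step unchanged; it only needs outbound HTTP to the published URLs. Two things the check will not catch on its own: the CRL must be served with a MIME type the client accepts (IIS does this by default; on Apache confirm that `.crl` is mapped to `application/pkix-crl`), and if you publish delta CRLs, whose file names contain a `+`, IIS request filtering rejects them until `allowDoubleEscaping="true"` is set for the virtual directory.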
