Appendix C. Publishing Module Reference
Several publisher, mapper, and rule modules are configured by default with the Certificate Manager.
C.1. Publisher Plug-in Modules
This section describes the publisher modules provided for the Certificate Manager. The modules are used by the Certificate Manager to enable and configure specific publisher instances.
C.1.1. FileBasedPublisher
The FileBasedPublisher plug-in module configures a Certificate Manager to publish certificates and CRLs to file. This plug-in can publish base-64 encoded files, DER-encoded files, or both, depending on the checkboxes selected when the publisher is configured. The certificate and CRL content can be viewed by converting the files using the PrettyPrintCert and PrettyPrintCRL tools. For details on viewing the content in base-64 and DER-encoded certificates and CRLs, see Section 7.10, “Viewing Certificates and CRLs Published to File”.
By default, the Certificate Manager does not create an instance of the FileBasedPublisher module.
Parameter | Description |
---|---|
Publisher ID | Specifies a name for the publisher, an alphanumeric string with no spaces. For example, PublishCertsToFile. |
directory | Specifies the complete path to the directory in which the Certificate Manager creates the files; the path can be an absolute path or can be relative to the Certificate System instance directory. For example, /export/CS/certificates. |
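The following is an added example, not code from Certificate System: a small checker for the files such a publisher writes. It accepts either DER bytes or base-64 text (with or without PEM armour), returns the DER bytes, and confirms that the outermost ASN.1 SEQUENCE accounts for the whole file, which flags a truncated or concatenated write before the file is handed to relying parties. The sample input is a constructed five-byte SEQUENCE, not a real certificate.

```python
"""Check objects written to disk by a file-based publisher.

Added example, not Certificate System code. A published file may be DER
(binary) or base-64 (optionally PEM-armoured). The helpers below return the
DER bytes either way and verify that the outer SEQUENCE length matches the
file size.
"""
import base64
import re

# Bytes that can appear in a base-64 file, including PEM armour lines.
_TEXT_BYTES = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=-\r\n\t "
)
_PEM_BOUNDARY = re.compile(rb"^-----(BEGIN|END) [A-Z0-9 ]+-----$")


def detect_encoding(data: bytes) -> str:
    """Return "base64" if every byte is printable base-64/PEM text, else "der"."""
    if data and all(b in _TEXT_BYTES for b in data):
        return "base64"
    return "der"


def to_der(data: bytes) -> bytes:
    """Return DER bytes from a published file, decoding base-64 if needed."""
    if detect_encoding(data) == "der":
        return data
    lines = [ln.strip() for ln in data.splitlines()]
    body = b"".join(ln for ln in lines if ln and not _PEM_BOUNDARY.match(ln))
    return base64.b64decode(body, validate=True)


def outer_sequence_length(der: bytes) -> int:
    """Total encoded size (tag + length + value) of the outermost SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed long-form length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_published_file(data: bytes) -> dict:
    """Summarise a published file: encoding, DER size and completeness."""
    der = to_der(data)
    expected = outer_sequence_length(der)
    return {
        "encoding": detect_encoding(data),
        "der_length": len(der),
        "expected_length": expected,
        "complete": expected == len(der),
    }


if __name__ == "__main__":
    # Constructed sample: a 5-byte DER SEQUENCE containing INTEGER 5, not a
    # real certificate, used only to exercise the checks offline.
    sample_der = b"\x30\x03\x02\x01\x05"
    sample_pem = (b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n"
                  b"-----END CERTIFICATE-----\n")
    print(check_published_file(sample_der))
    print(check_published_file(sample_pem))
    print(check_published_file(sample_der[:-1]))   # simulated truncated write
```

Run it against the files in the publisher's directory after a CRL update; a `complete` value of False means the file should not be served until it is republished.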
C.1.2. LdapCaCertPublisher
The LdapCaCertPublisher plug-in module configures a Certificate Manager to publish or unpublish a CA certificate to the caCertificate;binary attribute of the CA's directory entry.
The module converts the object class of the CA's entry to pkiCA or certificationAuthority, if it is not used already. Similarly, it also removes the pkiCA or certificationAuthority object class when unpublishing if the CA has no other certificates.
During installation, the Certificate Manager automatically creates an instance of the LdapCaCertPublisher module for publishing the CA certificate to the directory.
Parameter | Description |
---|---|
caCertAttr | Specifies the LDAP directory attribute to publish the CA certificate. This must be caCertificate;binary. |
caObjectClass | Specifies the object class for the CA's entry in the directory. This must be pkiCA or certificationAuthority. |
C.1.3. LdapUserCertPublisher
The LdapUserCertPublisher plug-in module configures a Certificate Manager to publish or unpublish a user certificate to the userCertificate;binary attribute of the user's directory entry.
This module is used to publish any end-entity certificate to an LDAP directory. Types of end-entity certificates include TLS client, S/MIME, TLS server, and OCSP responder.
During installation, the Certificate Manager automatically creates an instance of the LdapUserCertPublisher module for publishing end-entity certificates to the directory.
Parameter | Description |
---|---|
certAttr | Specifies the directory attribute of the mapped entry to which the Certificate Manager should publish the certificate. This must be userCertificate;binary. |
C.1.4. LdapCrlPublisher
The LdapCrlPublisher plug-in module configures a Certificate Manager to publish or unpublish the CRL to the certificateRevocationList;binary attribute of a directory entry.
During installation, the Certificate Manager automatically creates an instance of the LdapCrlPublisher module for publishing CRLs to the directory.
Parameter | Description |
---|---|
crlAttr | Specifies the directory attribute of the mapped entry to which the Certificate Manager should publish the CRL. This must be certificateRevocationList;binary. |
C.1.5. LdapDeltaCrlPublisher
The LdapDeltaCrlPublisher plug-in module configures a Certificate Manager to publish or unpublish a delta CRL to the deltaRevocationList attribute of a directory entry.
During installation, the Certificate Manager automatically creates an instance of the LdapDeltaCrlPublisher module for publishing CRLs to the directory.
Parameter | Description |
---|---|
crlAttr | Specifies the directory attribute of the mapped entry to which the Certificate Manager should publish the delta CRL. This must be deltaRevocationList;binary. |
C.1.6. LdapCertificatePairPublisher
The LdapCertificatePairPublisher plug-in module configures a Certificate Manager to publish or unpublish a cross-signed certificate to the crossCertPair;binary attribute of the CA's directory entry.
The module also converts the object class of the CA's entry to pkiCA or certificationAuthority, if it is not used already. Similarly, it also removes the pkiCA or certificationAuthority object class when unpublishing if the CA has no other certificates.
During installation, the Certificate Manager automatically creates an instance of the LdapCertificatePairPublisher module named LdapCrossCertPairPublisher for publishing the cross-signed certificates to the directory.
Parameter | Description |
---|---|
crossCertPairAttr | Specifies the LDAP directory attribute to publish the CA certificate. This must be crossCertificatePair;binary. |
caObjectClass | Specifies the object class for the CA's entry in the directory. This must be pkiCA or certificationAuthority. |
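The object-class handling described for LdapCaCertPublisher (Section C.1.2) and LdapCertificatePairPublisher (this section) is easy to get wrong: adding the class twice, or stripping it while another certificate still depends on it. The following added example (not Certificate System code) models a CA directory entry as a dict of attribute name to list of values and produces the LDAP modifications for a publish and an unpublish, following the rules the text states: add the CA object class only when the entry lacks one, and remove it on unpublish only when no other CA certificate remains. Counting both caCertificate;binary and crossCertificatePair;binary values as "certificates of the CA" for that last rule, and defaulting to pkiCA, are assumptions of this example; the entry and certificate bytes are constructed placeholders.

```python
"""Model the directory changes an LDAP CA-certificate publisher makes.

Added example, not Certificate System code. Modifications are returned as
(operation, attribute, value) tuples so they can be inspected or rendered
as an LDIF change record before anything touches a real directory.
"""
import base64
from typing import Dict, List, Tuple

Entry = Dict[str, List[object]]
Change = Tuple[str, str, object]          # ("add" | "delete", attribute, value)

CA_OBJECT_CLASSES = ("pkiCA", "certificationAuthority")
# Assumption: both attributes count as "certificates of the CA" for the
# rule that the object class is removed only when none remain.
CA_CERT_ATTRS = ("caCertificate;binary", "crossCertificatePair;binary")


def _ca_object_classes(entry: Entry) -> List[str]:
    """CA object classes present on the entry (LDAP names are case-insensitive)."""
    wanted = {oc.lower() for oc in CA_OBJECT_CLASSES}
    return [oc for oc in entry.get("objectClass", []) if oc.lower() in wanted]


def publish_changes(entry: Entry, attr: str, cert: bytes,
                    object_class: str = "pkiCA") -> List[Change]:
    """Modifications that publish `cert` into `attr` of the CA entry."""
    if attr not in CA_CERT_ATTRS:
        raise ValueError(f"unsupported publishing attribute {attr!r}")
    if object_class not in CA_OBJECT_CLASSES:
        raise ValueError(f"unsupported object class {object_class!r}")
    changes: List[Change] = []
    if not _ca_object_classes(entry):            # convert the entry only once
        changes.append(("add", "objectClass", object_class))
    if cert not in entry.get(attr, []):          # publishing is idempotent
        changes.append(("add", attr, cert))
    return changes


def unpublish_changes(entry: Entry, attr: str, cert: bytes) -> List[Change]:
    """Modifications that remove `cert` and, if nothing remains, the CA object class."""
    if attr not in CA_CERT_ATTRS:
        raise ValueError(f"unsupported publishing attribute {attr!r}")
    changes: List[Change] = []
    present = cert in entry.get(attr, [])
    if present:
        changes.append(("delete", attr, cert))
    remaining = sum(len(entry.get(a, [])) for a in CA_CERT_ATTRS) - (1 if present else 0)
    if remaining == 0:                           # last certificate gone: drop the class
        for oc in _ca_object_classes(entry):
            changes.append(("delete", "objectClass", oc))
    return changes


def apply_changes(entry: Entry, changes: List[Change]) -> Entry:
    """Return a new entry with the modifications applied (simulation only)."""
    new: Entry = {k: list(v) for k, v in entry.items()}
    for op, attr, value in changes:
        if op == "add":
            new.setdefault(attr, []).append(value)
        elif op == "delete":
            new[attr].remove(value)
            if not new[attr]:
                del new[attr]
        else:
            raise ValueError(f"unknown operation {op!r}")
    return new


def to_ldif(dn: str, changes: List[Change]) -> str:
    """Render the modifications as an LDIF modify record; binary values use '::'."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, value in changes:
        if isinstance(value, bytes):
            lines += [f"{op}: {attr}", f"{attr}:: {base64.b64encode(value).decode()}", "-"]
        else:
            lines += [f"{op}: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed CA entry and placeholder certificate bytes (not real DER).
    ca = {"objectClass": ["top", "organizationalUnit"], "ou": ["Example CA"]}
    dn = "ou=Example CA,o=example"
    first = publish_changes(ca, "caCertificate;binary", b"ca-cert-placeholder")
    print(to_ldif(dn, first))
    ca = apply_changes(ca, first)
    print(to_ldif(dn, unpublish_changes(ca, "caCertificate;binary", b"ca-cert-placeholder")))
```

Walking a publish of the CA certificate, a publish of a cross-certificate pair, and then the two unpublishes in order shows the object class surviving the first unpublish and disappearing with the second, which is the behaviour an auditor would expect to see in the directory's change log.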
C.1.7. OCSPPublisher
The OCSPPublisher plug-in module configures a Certificate Manager to publish its CRLs to an Online Certificate Status Manager.
The Certificate Manager does not create any instances of the OCSPPublisher module at installation.
Parameter | Description |
---|---|
host | Specifies the fully qualified hostname of the Online Certificate Status Manager. |
port | Specifies the port number on which the Online Certificate Status Manager is listening to the Certificate Manager. This is the Online Certificate Status Manager's TLS port number. |
path | Specifies the path for publishing the CRL. This must be the default path, /ocsp/agent/ocsp/addCRL. |
enableClientAuth | Sets whether to use client (certificate-based) authentication to access the OCSP service. |
nickname | Gives the nickname of the certificate in the OCSP service's database to use for client authentication. This is only used if the enableClientAuth option is set to true. |