610 Netscape Certificate Management System Installation and Setup Guide • October 2001

Directory Synchronization

The Certificate Manager and the publishing directory can become out of sync if certificates are issued or revoked while Directory Server is down. Certificates that were issued or revoked need to be published or unpublished manually when Directory Server comes back up.

To help find certificates that are out of sync with the directory—that is, valid certificates that are not in the directory and revoked or expired certificates that are still in the directory—the Certificate Manager keeps a record of whether a certificate in its internal database has been published to the directory. If the Certificate Manager and the publishing directory become out of sync, you can use the Update Directory option in the Certificate Manager Agent Services interface to synchronize the publishing directory with the internal database.

The following choices are available for synchronizing the directory with the internal database:

• Search the internal database for certificates that are out of sync and publish or unpublish accordingly.
• Publish certificates that were issued from time A to time B while Directory Server was down. Similarly, unpublish certificates that were revoked or that expired while Directory Server was down.
• Publish or unpublish a range of certificates based on serial numbers (from serial number xx to serial number yy).

For instructions, see “Manually Updating Certificates in the Directory” on page 663.

Publishing of CRLs

This section covers the following topics:

• What’s a CRL?
• Reasons for Revoking a Certificate
• Revocation Checking by Netscape Clients
• Revocation Checking by Netscape Servers
• Publishing of CRLs to an LDAP Directory
• CRL Issuing Points
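The three synchronization choices listed under Directory Synchronization can be modeled as one reconciliation pass over the internal database. The sketch below is an added illustration, not Certificate Management System code: the `CertRecord` fields, the `plan_sync` function and the sample records are all constructed, and it assumes the time and serial-number choices narrow the candidate set while the per-certificate published record still decides the action.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class CertRecord:            # hypothetical model of one internal-database entry
    serial: int
    status: str              # "VALID", "REVOKED" or "EXPIRED"
    changed: datetime        # when the certificate was issued, revoked or expired
    published: bool          # the record of whether it is in the directory

def plan_sync(records, start=None, end=None, serial_from=None, serial_to=None):
    """Return (to_publish, to_unpublish) as lists of serial numbers.
    No filters: every out-of-sync certificate (first choice).
    start/end: only changes made from time A to time B (second choice).
    serial_from/serial_to: an inclusive serial-number range (third choice)."""
    to_publish, to_unpublish = [], []
    for r in records:
        if start is not None and r.changed < start:
            continue
        if end is not None and r.changed > end:
            continue
        if serial_from is not None and r.serial < serial_from:
            continue
        if serial_to is not None and r.serial > serial_to:
            continue
        if r.status == "VALID" and not r.published:
            to_publish.append(r.serial)      # valid but missing from the directory
        elif r.status in ("REVOKED", "EXPIRED") and r.published:
            to_unpublish.append(r.serial)    # no longer valid but still in the directory
    return to_publish, to_unpublish

# Constructed sample: Directory Server was down from 08:00 to 12:00 on 1 October 2001.
OUTAGE_START = datetime(2001, 10, 1, 8, 0)
OUTAGE_END = datetime(2001, 10, 1, 12, 0)
SAMPLE = [
    CertRecord(0x10, "VALID", datetime(2001, 9, 30, 9, 0), True),     # in sync
    CertRecord(0x11, "VALID", datetime(2001, 10, 1, 9, 0), False),    # issued during outage
    CertRecord(0x12, "REVOKED", datetime(2001, 10, 1, 10, 0), True),  # revoked during outage
    CertRecord(0x13, "EXPIRED", datetime(2001, 10, 2, 0, 0), True),   # expired after outage
    CertRecord(0x14, "REVOKED", datetime(2001, 9, 1, 0, 0), False),   # already unpublished
]

if __name__ == "__main__":
    print("full search :", plan_sync(SAMPLE))
    print("outage only :", plan_sync(SAMPLE, start=OUTAGE_START, end=OUTAGE_END))
    print("serial range:", plan_sync(SAMPLE, serial_from=0x13, serial_to=0x14))
```

The full search is the only mode that catches serial 0x13, which expired after the outage window yet is still in the directory; a time-bounded run on its own leaves that entry in place.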