Setting Up a Certificate Manager with OCSP Service
700 Netscape Certificate Management System Installation and Setup Guide • October 2001

Step 5. Configure Certificate Manager for Extensions

In order for OCSP-compliant clients to query the Certificate Manager about the revocation status of a certificate, the certificate being validated must contain the Authority Information Access extension pointing to the location at which the Certificate Manager listens for OCSP service requests. For details about the Authority Information Access extension, see section “AuthInfoAccessExt Plug-in Module” of CMS Plug-ins Guide.

The Certificate Manager can add an extension to a certificate it issues only if the corresponding policy is enabled and configured properly. Hence, before issuing the OCSP-compliant client certificate, you must verify that the Certificate Manager is configured with the appropriate policy rules to add the required extensions to these certificates.

• During the installation of a Certificate Manager, if you chose to enable its OCSP service, a default policy rule (named AuthInfoAccessExt) is created with correct attributes for adding the Authority Information Access extension to certificates the Certificate Manager will issue following installation. If you didn’t make any changes to the policy configuration of the Certificate Manager, you probably don’t need to do anything.

• If you installed the Certificate Manager with its OCSP service feature disabled, a default policy rule (named AuthInfoAccessExt) is created, but it may not have the correct attributes for adding the Authority Information Access extension to certificates.

In either case, it’s advisable that you check the status of the said policy rule, and update it if required. Also, for testing whether your OCSP-compliant clients can verify revocation status of certificates by querying the OCSP responder, you will be issuing a client certificate containing the Authority Information Access extension to the Personal Security Manager you installed.
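
The following Python example is added here and is not part of the guide or of CMS. It parses the DER-encoded value of an Authority Information Access extension and returns the OCSP responder locations it carries, which is what an OCSP-compliant client needs to find in the certificate; an extension without an OCSP entry corresponds to a policy rule whose attributes are not set correctly. The function names, host names and sample byte strings are constructed for illustration.

```python
# Added example: read the OCSP responder URIs out of a DER-encoded
# AuthorityInfoAccessSyntax value (RFC 5280). Standard library only.
ID_AD_OCSP = bytes.fromhex("2b06010505073001")        # OID 1.3.6.1.5.5.7.48.1
ID_AD_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # OID 1.3.6.1.5.5.7.48.2

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def ocsp_uris(aia_value):
    """Return the URI of every id-ad-ocsp AccessDescription in the extension value."""
    tag, body, _ = read_tlv(aia_value, 0)
    if tag != 0x30:
        raise ValueError("AuthorityInfoAccessSyntax must be a SEQUENCE")
    uris, pos = [], 0
    while pos < len(body):
        tag, desc, pos = read_tlv(body, pos)         # one AccessDescription
        if tag != 0x30:
            raise ValueError("AccessDescription must be a SEQUENCE")
        m_tag, method, nxt = read_tlv(desc, 0)       # accessMethod (OID)
        l_tag, location, _ = read_tlv(desc, nxt)     # accessLocation (GeneralName)
        # 0x86 is context tag [6], uniformResourceIdentifier
        if m_tag == 0x06 and method == ID_AD_OCSP and l_tag == 0x86:
            uris.append(location.decode("ascii"))
    return uris

def der(tag, value):
    """Encode one DER element; short-form length is enough for these samples."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def access_description(method_oid, uri):
    return der(0x30, der(0x06, method_oid) + der(0x86, uri.encode("ascii")))

# Constructed sample values (hypothetical host names, not taken from the guide).
GOOD_AIA = der(0x30, access_description(ID_AD_OCSP, "http://ca.example.com:8100/ocsp"))
NO_OCSP_AIA = der(0x30, access_description(ID_AD_CA_ISSUERS, "http://ca.example.com/ca.crt"))

if __name__ == "__main__":
    for name, value in (("GOOD_AIA", GOOD_AIA), ("NO_OCSP_AIA", NO_OCSP_AIA)):
        print(name, "->", ocsp_uris(value) or "no OCSP location in extension")
```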