Netscape Certificate Management System Installation and Setup Guide • October 2001

To check the Certificate Manager’s OCSP-service status for verification:

1. Go to the Certificate Manager’s status page.
2. Reload the page (hold down the Shift key and click the browser’s Reload icon).
3. Compare the information to the information you noted in Step G above.

The updated statistics should indicate that Personal Security Manager queried the Certificate Manager about the status of the certificate and that, in response, the Certificate Manager informed Personal Security Manager that the certificate is revoked.

Setting Up a Remote OCSP Responder

You can configure a Certificate Manager to publish CRLs to an online certificate validation authority, such as the one included with Certificate Management System, and then issue end-entity certificates with an Authority Information Access extension pointing to the location at which the OCSP responder waits for queries about the revocation status of certificates.

This section explains how to set up a Certificate Manager functioning as a root CA to publish CRLs to a remote Online Certificate Status Manager and how to configure OCSP-compliant clients to query the Online Certificate Status Manager for the revocation status of certificates being validated.

The procedure for setting up a Certificate Manager functioning as a subordinate CA to publish CRLs to a remote Online Certificate Status Manager would be the same, except that you would have to perform extra steps to make sure that CA chain verification takes place smoothly.
For example:

• If the Online Certificate Status Manager’s SSL server certificate is signed by the same root CA that signed the subordinate Certificate Manager’s certificates, then you need to mark the root CA as a trusted CA in the subordinate Certificate Manager’s certificate database.

• If the Online Certificate Status Manager’s SSL server certificate is signed by a different root CA, then you need to import the root CA certificate into the subordinate Certificate Manager’s certificate database and mark it as a trusted CA.
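
One way to confirm that an issued end-entity certificate carries the Authority Information Access pointer to the OCSP responder described above, using the OpenSSL command line rather than Certificate Management System. This is an added example, not part of the original guide; the responder URL, subject names and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: all names, paths and the responder URL are constructed.
OCSP_URL="http://ocsp.example.test:8080/ocsp"   # hypothetical responder location

# Build a throwaway root CA and one end-entity certificate whose Authority
# Information Access (AIA) extension points at the OCSP responder.
make_test_pki() {
  dir="$1"
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  printf 'authorityInfoAccess = OCSP;URI:%s\n' "$OCSP_URL" > "$dir/ee.ext"
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
  openssl req -new -config "$dir/ca.cnf" -subj "/CN=ee.example.test" \
    -newkey rsa:2048 -nodes -keyout "$dir/ee.key" -out "$dir/ee.csr" \
    2>/dev/null || return 1
  openssl x509 -req -in "$dir/ee.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -set_serial 1 -days 1 -extfile "$dir/ee.ext" -out "$dir/ee.pem" 2>/dev/null
}

# Print the OCSP responder URL a client would query for this certificate.
ocsp_uri_of() {
  openssl x509 -in "$1" -noout -ocsp_uri
}

# Return 0 only if the certificate names the expected responder and chains to
# the trusted root; 1 = no AIA OCSP pointer, 2 = wrong responder, 3 = untrusted.
check_cert() {   # usage: check_cert CERT TRUSTED_ROOT EXPECTED_URL
  got="$(ocsp_uri_of "$1")"
  [ -n "$got" ] || { echo "no OCSP URI in AIA extension: $1" >&2; return 1; }
  [ "$got" = "$3" ] || { echo "unexpected responder: $got" >&2; return 2; }
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 3
}

# Run with the argument "demo" to exercise the functions end to end.
if [ "${1:-}" = "demo" ]; then
  d="$(mktemp -d)" && make_test_pki "$d" \
    && check_cert "$d/ee.pem" "$d/ca.pem" "$OCSP_URL" && echo "AIA OCSP pointer OK"
  rm -rf "$d"
fi
```

A certificate issued before the extension was configured makes check_cert return 1, which is the case to look for when clients silently skip revocation checking.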