Privileged-User Types and Responsibilities378 Netscape Certificate Management System Installation and Setup Guide • March 20027. Copy the base-64 encoded certificate, including the -----BEGINCERTIFICATE----- and -----END CERTIFICATE----- marker lines, to a textfile.The copied information should look similar to the following example:-----BEGIN CERTIFICATE-----MIICJzCCAZCgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBCMSAwHgYDVQQKExdOZXRzY2FwZSBDb21tdW5pY2F0aW9uczngjhnMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyNzE5MDAwMFoXDTk5MDIyMzE5MDAwMnbjdgngYoxIDAeBgNVBAoTF05ldHNjYXBlIENvbW11bmljYXRpb25zMQ8wDQYDVQQLEwZQZW9wbGUxFzAVBgoJkiaJkIsZAEBEwdzdXByaXlhMRcwFQYDVQQDEw5TdXByaXlhIFNoZXR0eTEjMCEGCSqGSIb3DbndgJARYUc3Vwcml5YUBuZXRzY2FwZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoYiYgthgtbbnjfngjnjgnagwJjAOBgNVHQ8BAf8EBAMCBLAwFAYJYIZIAYb4QgEBAQHBAQDAgCAMA0GCSq-----END CERTIFICATE-----8. Save the text file and use it to store a copy of the certificate in a subsystem’sinternal database (see “Step 3. Store the Agent’s SSL Client Certificate in theInternal Database” on page 395).Revocation Status Checking of Agent CertificatesYou can configure a Certificate Manager and Registration Manager to check therevocation status of an agent’s certificate the server receives during SSL clientauthentication. You can configure a Data Recovery Manager (or Online CertificateStatus Manager) to check the revocation status of its agents’ certificates only if youhave deployed an OCSP responder and have issued agent certificates withAuthority Information Access extension pointing to the OCSP responder. Forinformation about adding Authority Information Access extension to certificates,see “Configuring Policy Rules for a Subsystem” on page 569. For information aboutsetting up an OCSP responder, see Chapter 21, “Setting Up an OCSP Responder.”NOTE The CMS configuration file (CMS.cfg) includes a parameter namedjss.ocspcheck.enable, which enables you to specify whether aCMS manager should use Online Certificate Status Protocol (OCSP)to verify the revocation status of the certificate it receives as a partof SSL client or server authentication (from clients or servers itmakes connections with). If you change the value of this parameterto true, the CMS manager reads the Authority Information Accessextension in the certificate and verifies the revocation status of thecertificate from the OCSP responder specified in the extension.