Publishing Decisions (Chapter 4, Planning Your Deployment)

Note that it’s not possible to configure the Registration Manager to publish certificates or CRLs. The Certificate Manager has the complete record of issued certificates, so publishing tasks are performed by the Certificate Manager only. If it’s necessary for some entries in a directory to be available outside the firewall, Netscape recommends using the partial replication feature of Directory Server to replicate the relevant portion of the directory to which the Certificate Manager publishes.

This guide assumes that you have already deployed an LDAP-compliant directory (LDAP 2.0 or higher) for your enterprise; it does not cover directory planning and configuration. For information on Netscape Directory Server deployment, see the documentation that comes with that product.

Configuration of the publishing or corporate directory should take place before you install any Certificate Management System subsystems. Configuration details that the directory administrator may need to take care of include the following:

• If the authentication mechanism uses a DN (identifying the directory subtree in which the subsystem can publish certificates) and password, the directory administrator needs to set up a corresponding access control list (ACL).

• If authentication is based on SSL client authentication, the directory administrator needs to create an entry in the directory’s certmap.conf file. The certmap.conf entry maps the DN in the subsystem’s client certificate to a directory entry that specifies write permission to the appropriate portion of the directory tree.

• If you intend to publish certificates to the directory, the directory administrator needs to make sure the directory has an entry for each user to whom you intend to issue a certificate, and the directory schema must include a location to which the certificate should be published. If you want to publish the CA certificate or CRL, you will also need an entry for the CA.

If you intend to use SSL authentication, both the directory and the Certificate Manager must be configured appropriately for SSL. For detailed information on LDAP publishing, see Chapter 19, “Setting Up LDAP Publishing.”

Publishing CRLs to the Online Certificate Status Manager

Certificate Management System supports the Online Certificate Status Protocol (OCSP) as defined in the PKIX standard RFC 2560 (see http://www.ietf.org/rfc/rfc2560.txt). The OCSP protocol enables OCSP-compliant applications to determine the state of a certificate, including the