172 Netscape Certificate Management System Administrator’s Guide • February 2003

2. Set up CRLs. You need to configure the Certificate Manager to issue CRLs. See Chapter 14, “Revocation and CRLs,” for details on configuring CRLs.

3. You must configure your policies or certificate profiles to include, in the certificates that are issued, the Authority Information Access extension pointing to the location at which the Certificate Manager listens for OCSP service requests (identified as the AuthInfoAccessExt instance in the policy framework). This extension is necessary to identify the OCSP service. If you installed the Certificate Manager with the OCSP service on, this extension is created with the correct information for the OCSP service in the policy framework, and is not enabled by default. If you chose not to configure the OCSP service, you will have to create this policy and configure it for this service.

If you installed the Certificate Manager with its OCSP service feature disabled, a default policy rule (named AuthInfoAccessExt) is created, but it may not have the correct attributes for adding the Authority Information Access extension to certificates.

See Chapter 11, “Policies,” for details on configuring policies; see “AuthInfoAccessExt,” on page 510 for specific information on this policy module.

4. Make sure the OCSP SSL signing certificate is from a CA that is trusted by the Certificate Manager. See “OCSP Certificates,” on page 191 for more information.

Online Certificate Status Manager Deployment Considerations

This section describes the decisions you make during installation that will apply to your initial configuration of the subsystem.

Online Certificate Status Manager Certificates

When you install the Online Certificate Status Manager, the keys for the OCSP signing certificate and SSL server certificate are created and a certificate request is made for the signing certificate and the SSL server certificate.
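
The Authority Information Access requirement in step 3 can be verified on issued certificates by decoding the extension value and confirming that it names an OCSP location. The following is an added example, not code from this guide or from Certificate Management System; it decodes only the DER value of the extension (AuthorityInfoAccessSyntax, RFC 5280), and the sample URLs are constructed placeholders.

```python
# Added example: minimal DER walk of an Authority Information Access extension value.
OCSP_OID = bytes.fromhex("2b06010505073001")        # 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
CA_ISSUERS_OID = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = count of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def ocsp_urls(aia_der):
    """List the OCSP responder URIs in an AuthorityInfoAccessSyntax value."""
    tag, seq, end = read_tlv(aia_der, 0)
    if tag != 0x30 or end != len(aia_der):
        raise ValueError("expected a single outer SEQUENCE")
    urls, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = read_tlv(seq, pos)       # AccessDescription
        if tag != 0x30:
            raise ValueError("AccessDescription must be a SEQUENCE")
        oid_tag, oid, p = read_tlv(desc, 0)       # accessMethod (OID)
        loc_tag, loc, p = read_tlv(desc, p)       # accessLocation (GeneralName)
        if oid_tag != 0x06 or p != len(desc):
            raise ValueError("malformed AccessDescription")
        if oid == OCSP_OID and loc_tag == 0x86:   # [6] uniformResourceIdentifier
            urls.append(loc.decode("ascii"))
    return urls

def tlv(tag, body):
    """Encode a short-form DER element (used only to build the sample data)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

# Constructed samples: host, port and path are placeholders, not values from the guide.
SAMPLE_URL = b"http://ocsp.example.com:8080/ocsp"
SAMPLE_AIA = tlv(0x30, tlv(0x30, tlv(0x06, OCSP_OID) + tlv(0x86, SAMPLE_URL)))
NO_OCSP_AIA = tlv(0x30, tlv(0x30, tlv(0x06, CA_ISSUERS_OID) + tlv(0x86, b"http://ca.example.com/ca.crt")))

if __name__ == "__main__": print(ocsp_urls(SAMPLE_AIA), ocsp_urls(NO_OCSP_AIA))
```

An empty result for a certificate that should be checkable through OCSP indicates the AuthInfoAccessExt policy was not enabled or lacks the OCSP access method.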