About Publishing
620 Netscape Certificate Management System Administrator’s Guide • February 2003

About Publishing to Files

The server can publish certificates and CRLs to flat files, which can then be imported into any repository, for example, into a relational database. If you configure the server to publish certificates and CRLs to flat files, it publishes them to files as DER-encoded binary blobs.

• For each certificate the server issues, it creates a file that contains the certificate in its DER-encoded format. Each file is named cert-.der, where specifies the serial number of the certificate contained in the file. For example, the filename for a certificate with serial number 1234 will be cert-1234.der.

• Every time the server generates a CRL, it creates a file that contains the new CRL in its DER-encoded format. Each file is named as crl-.der, where specifies the value derived from the time-dependent variable named This Update of the CRL contained in the file. For example, the filename for a CRL with This Update: Friday January 28 15:36:00 PST 2000, will be crl-949102696899.der.

About LDAP Publishing

The ability of a server to publish certificates, CRLs, and other certificate-related objects to a directory using the LDAP or LDAPS protocol is called LDAP publishing and the directory to which it publishes is called the publishing directory.

• For each certificate the server issues, it creates a blob that contains the certificate in its DER-encoded format in the specified attribute of the user’s entry. The certificate is published as a DER encoded binary blob.

• Every time the server generates a CRL, it creates a blob that contains the new CRL in its DER-encoded format in the specified attribute of the entry for the CA.

The server can publish certificates and CRLs to an LDAP-compliant directory using the LDAP protocol or LDAP over SSL (LDAPS) protocol, and applications can retrieve the certificates and CRLs over HTTP. Support for retrieving certificates and CRLs over HTTP enables some browsers, such as Netscape Communicator, to automatically import the latest CRL from the directory that receives regular updates from the server. The browser can then use the CRL to automatically check all certificates to ensure that they have not been revoked.

For LDAP publishing to work, the user entry must be present in the LDAP directory.
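For the flat-file publishing described under About Publishing to Files, the following added example (not code from the guide or from the product) shows how an import job could index a publishing directory by the cert-/crl- file names, reject blobs whose outer DER length does not match the file size, and pick the newest CRL. Assumptions: the number in a CRL file name is milliseconds since the Unix epoch, the serial number is treated as an opaque string, and all function names and sample blobs are constructed for illustration.

```python
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CERT_RE = re.compile(r"^cert-([0-9A-Za-z]+)\.der$")  # cert-<serial>.der
CRL_RE = re.compile(r"^crl-(\d+)\.der$")             # crl-<This Update value>.der

def der_outer_length(data):
    """Total encoded size of the outer DER SEQUENCE, or None if malformed."""
    if len(data) < 2 or data[0] != 0x30:      # certificates and CRLs are SEQUENCEs
        return None
    if data[1] < 0x80:                        # short-form length
        return 2 + data[1]
    n = data[1] & 0x7F                        # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:  # n == 0 is indefinite, not DER
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def scan_publish_dir(path):
    """Index published files by name; reject truncated or padded blobs."""
    certs, crls, rejected = {}, {}, []
    for f in sorted(Path(path).iterdir()):
        m_cert, m_crl = CERT_RE.match(f.name), CRL_RE.match(f.name)
        if not (m_cert or m_crl):
            continue                          # not a published object
        blob = f.read_bytes()
        if der_outer_length(blob) != len(blob):
            rejected.append(f.name)
        elif m_cert:
            certs[m_cert.group(1)] = f
        else:
            crls[int(m_crl.group(1))] = f
    return certs, crls, rejected

def latest_crl(crls):
    """Newest CRL file and its This Update time (assumes epoch milliseconds)."""
    stamp = max(crls)
    return crls[stamp], datetime.fromtimestamp(stamp // 1000, tz=timezone.utc)

def demo():
    """Scan a constructed publishing directory (all blobs are made up)."""
    good = bytes.fromhex("3003020105")              # complete 5-byte SEQUENCE
    cut = bytes.fromhex("30820100") + b"\x00" * 10  # declares 256 bytes, holds 10
    names = {"cert-1234.der": good, "cert-1235.der": cut,
             "crl-949102696899.der": good, "crl-949016296899.der": good}
    with tempfile.TemporaryDirectory() as d:
        for name, blob in names.items():
            Path(d, name).write_bytes(blob)
        certs, crls, rejected = scan_publish_dir(d)
        newest, when = latest_crl(crls)
        return sorted(certs), newest.name, when.date().isoformat(), rejected
```

The length check only confirms that a file holds one complete outer SEQUENCE; it does not parse the contents or verify the CA signature, which the importing application still has to do before trusting a CRL.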