Chapter 15 Publishing

About Publishing

If the server and publishing directory become out of sync for some reason, privileged users (administrators and agents) can also manually initiate the publishing process. For instructions, see "Manually Updating the CRL in the Directory" on page 662.

About OCSP Publishing

CMS provides two forms of OCSP services, an internal service and the Online Certificate Status Manager subsystem. The internal service checks the internal database of the Certificate Manager to report on the status of a certificate. The internal service is not set up for publishing; it uses the certificates stored in its internal database to determine the status of a certificate. The Online Certificate Status Manager checks CRLs sent to it by one or more Certificate Managers. You set up publishing for the Online Certificate Status Manager in the Certificate Managers that will send it CRLs. You set up a publisher for each location you will send a CRL to, and one rule for each type of CRL you will send.

For detailed information on both OCSP services, see Chapter 5, "OCSP Responder."

How Publishing Works

When publishing is enabled, every time a certificate or a CRL is issued, updated, or revoked, the publishing system is invoked and the certificate or CRL is evaluated by the rules to see if it matches the type and predicate set in the rule. The type setting specifies if the object is a CRL, CA certificate, or any other certificate except for a CA certificate. The predicate setting can be used to further specify the type of object being evaluated. For example, it can specify user certificates, or it can specify west coast user certificates. To use predicates, a value needs to be entered in the predicate field of the publishing rule, and a corresponding value (although formatted somewhat differently) needs to be contained in the certificate or certificate request itself in order for a match to occur. The value in the certificate or certificate request may be derived from information in the certificate, such as the type of certificate, or may be derived from a hidden value that is placed in the request form. If no predicate is set, all objects of that type are considered matching; for example, all CRLs will match this rule if CRL is set as the type.

Every rule that is matched publishes the certificate or CRL according to the method and location specified in that rule. A given certificate or CRL can match no rules, one rule, more than one rule, or all rules. The publishing system attempts to match every certificate and CRL issued against all rules.
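
The matching behaviour described above can be modelled to audit a rule set for objects that would never be published. This is an added example, not CMS code: the predicate is assumed to be a set of attribute/value pairs (the page does not give the predicate syntax), and all rule names, publisher labels and attributes are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    type: str        # "crl", "cacert" or "cert" (any certificate except a CA certificate)
    publisher: str   # constructed label for the method and location the rule publishes to
    predicate: dict = field(default_factory=dict)  # assumed form; empty means no predicate

@dataclass
class Item:
    label: str
    type: str
    attrs: dict = field(default_factory=dict)  # values carried in the certificate or request

def matches(rule, item):
    """Type must agree; every predicate value must also be present on the item."""
    if rule.type != item.type:
        return False
    return all(item.attrs.get(k) == v for k, v in rule.predicate.items())

def publish_targets(rules, item):
    """Every matching rule publishes, so an item can have zero, one or many targets."""
    return [r.publisher for r in rules if matches(r, item)]

def unpublished(rules, items):
    """Items that match no rule and are therefore never published."""
    return [i.label for i in items if not publish_targets(rules, i)]

# Constructed sample rules and objects.
RULES = [
    Rule("crl-ldap", "crl", "ldap-directory"),
    Rule("crl-ocsp", "crl", "online-certificate-status-manager"),
    Rule("ca-cert", "cacert", "ldap-directory"),
    Rule("west-users", "cert", "ldap-west", {"certType": "user", "region": "west"}),
]
ITEMS = [
    Item("master CRL", "crl"),
    Item("CA signing certificate", "cacert"),
    Item("west coast user certificate", "cert", {"certType": "user", "region": "west"}),
    Item("east coast user certificate", "cert", {"certType": "user", "region": "east"}),
]

if __name__ == "__main__":
    for item in ITEMS:
        print(f"{item.label}: {publish_targets(RULES, item) or 'no rule matched'}")
    print("never published:", unpublished(RULES, ITEMS))
```

Running the same check with the CRL rules removed lists the CRL as never published, which is the condition under which a directory or the Online Certificate Status Manager would keep serving stale revocation data.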