000026149 - How to configure RSA Validation Manager to obtain real-time certificate status from RSA Certificate Manager

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000026149
Applies To: RSA Validation Manager 3.0
RSA Certificate Manager 6.6
RSA Keon Certificate Authority 6.5.1
Issue: How to configure RSA Validation Manager to obtain real-time certificate status from RSA Certificate Manager.
RSA Certificate Manager 6.6 and later releases do not have a built-in OCSP (Online Certificate Status Protocol) responder.
A previous release, RSA Keon Certificate Authority 6.5.1, featured an OCSP server.
OCSP clients are therefore unable to obtain real-time certificate status from RSA Certificate Manager 6.6 and later releases.
Cause: The OCSP server/responder was removed from RSA Certificate Manager 6.6 and later releases.
Resolution: RSA Validation Manager can be configured to obtain real-time certificate status from RSA Certificate Manager (RSACM), so that OCSP clients querying the Validation Manager receive the certificate status the CA currently holds. For an RSACM-based Certificate Authority (CA), configure a Status Source of type LDAP on the RSA Validation Manager that points to the RSA Certificate Manager's Secure Directory Server (Xudad) on its non-SSL LDAP port, and map the Xudad attributes to the Validation Manager's certificate serial number, status, reason code and date/time fields as shown below. Because the lookups use the non-SSL port, the status queries and answers travel in cleartext between the two hosts; keep the Validation Manager and Xudad on a trusted network segment or restrict access to that port to the Validation Manager host. Here are some sample settings:

Status source type = LDAP
Retrieval Method = LDAP
Host Name = host name of RSACM Secure Directory Server (Xudad)
Port Number = LDAP port for Xudad (default is 389)
Determine Status Using = certificate status only
DN attribute = <leave blank>
LDAP Object Class = xuda_certificate
Certificate Serial Number Attribute = serial_no
Certificate Status Attribute = cert_status
Certificate Reason Code Attribute = revocationReasonCode
Date/Time Attributes =
     date: statuschange_dte
     time: statuschange_tim
OCSP Status Codes =
     1 maps to good
     2 and 3 map to revoked (2 = suspended, 3 = revoked)
OCSP Reason Codes =
     keyCompromise maps to key compromise
     cACompromise maps to CA compromise
     affiliationChanged maps to affiliation changed
     superseded maps to superseded
     cessationOfOperation maps to cessation of operation
     privilegeWithdrawn maps to privilege withdrawn
     certificateHold maps to certificate hold

An example of an RSA Validation Manager 3.1 configuration that obtains real-time certificate status from an external LDAP directory (OpenDJ) which RSA Certificate Manager (RSACM) uses as its database (RSACM db plugin HA configuration). Note that the attribute names differ from the native Xudad schema:

Status source type = LDAP
Retrieval Method = LDAP
Host Name = host name of the external LDAP server that RSACM (Xudad) uses as its database
Port Number = LDAP port for external LDAP (default is 389)
Determine Status Using = certificate status only
Update Path = the DN under which the RCM data resides in the external LDAP (example: CN=RSACM,dc=rsa,dc=com)
LDAP Object Class = XUDAOBJECT
Certificate Serial Number Attribute = rcm-0serial-2no
Certificate Status Attribute = rcm-0cert-2status
Certificate Reason Code Attribute = rcm-0revocationReasonCode
Date/Time Attributes =
     date: rcm-0statuschange-2dte
     time: rcm-0statuschange-2tim
OCSP Status Codes =
     1 maps to good
     2 and 3 map to revoked (2 = suspended, 3 = revoked)
OCSP Reason Codes =
     keyCompromise maps to key compromise
     cACompromise maps to CA compromise
     affiliationChanged maps to affiliation changed
     superseded maps to superseded
     cessationOfOperation maps to cessation of operation
     privilegeWithdrawn maps to privilege withdrawn
     certificateHold maps to certificate hold
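As an added worked example (not code from this article, from RSA Validation Manager or from RSA Certificate Manager), the following Python encodes both Status Source attribute mappings above, the native Xudad one and the external-LDAP one, and shows how an LDAP entry found by certificate serial number resolves to an OCSP certificate status: status values 1/2/3 to good/revoked, the reason code attribute to an RFC 5280 CRLReason number, and the date and time attributes to a revocation time. It also escapes the serial number before placing it in the LDAP search filter, and builds an OpenLDAP ldapsearch command line for checking that the directory returns the mapped attributes before the Validation Manager is pointed at it. The sample entries, the YYYYMMDD/HHMMSS date and time formats, the base DN, the ldapsearch invocation and the choice to report a suspended entry without a reason code as certificateHold are assumptions of this example, not settings documented for the products.

```python
"""Resolve OCSP status from RSA Certificate Manager LDAP entries.

Added example, not code from the RSA article or from RSA Validation Manager.
Attribute names follow the article's two Status Source mappings; the sample
entries, date/time formats, base DN and certificateHold default are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]   # one LDAP search result: attribute name -> values

@dataclass(frozen=True)
class StatusSource:
    """Attribute mapping of a Validation Manager Status Source of type LDAP."""
    object_class: str
    serial_attr: str
    status_attr: str
    reason_attr: str
    date_attr: str
    time_attr: str
    base_dn: str = ""   # empty for Xudad; the RCM DN when RSACM data lives in an external LDAP

# RSACM's own Secure Directory Server (Xudad), as given in the article.
XUDAD = StatusSource("xuda_certificate", "serial_no", "cert_status",
                     "revocationReasonCode", "statuschange_dte", "statuschange_tim")
# RSACM data held in an external LDAP such as OpenDJ; the base DN is an assumption.
EXTERNAL_LDAP = StatusSource("XUDAOBJECT", "rcm-0serial-2no", "rcm-0cert-2status",
                             "rcm-0revocationReasonCode", "rcm-0statuschange-2dte",
                             "rcm-0statuschange-2tim", base_dn="CN=RSACM,dc=rsa,dc=com")
# Article's OCSP Status Codes: 1 is good; 2 (suspended) and 3 (revoked) both report revoked.
STATUS_CODES = {"1": "good", "2": "revoked", "3": "revoked"}
# Article's OCSP Reason Codes with their CRLReason numbers from RFC 5280 section 5.3.1.
CRL_REASONS = {"keyCompromise": 1, "cACompromise": 2, "affiliationChanged": 3, "superseded": 4,
               "cessationOfOperation": 5, "certificateHold": 6, "privilegeWithdrawn": 9}

@dataclass
class OcspStatus:
    status: str                              # "good", "revoked" or "unknown"
    revocation_time: Optional[datetime] = None
    reason: Optional[int] = None             # CRLReason, only meaningful for "revoked"

def first(entry: Entry, attr: str) -> Optional[str]:
    return (entry.get(attr) or [None])[0]    # first value of a multi-valued attribute

def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def search_filter(src: StatusSource, serial: str) -> str:
    """Filter that a status lookup for one serial number amounts to."""
    return f"(&(objectClass={src.object_class})({src.serial_attr}={ldap_filter_escape(serial)}))"

def ldapsearch_argv(src: StatusSource, host: str, port: int, serial: str) -> List[str]:
    """OpenLDAP ldapsearch command to confirm the directory returns the mapped attributes."""
    return ["ldapsearch", "-x", "-LLL", "-H", f"ldap://{host}:{port}", "-b", src.base_dn,
            "-s", "sub", search_filter(src, serial),
            src.status_attr, src.reason_attr, src.date_attr, src.time_attr]

def resolve_status(src: StatusSource, entries: List[Entry], serial: str) -> OcspStatus:
    """Resolve one certificate's OCSP status from LDAP search results."""
    matches = [e for e in entries if serial in e.get(src.serial_attr, [])]
    if not matches:
        return OcspStatus("unknown")       # no entry: the directory does not know this serial
    entry = matches[0]
    code = first(entry, src.status_attr)
    status = STATUS_CODES.get(code or "")
    if status is None:
        return OcspStatus("unknown")       # unmapped status value: never fall back to "good"
    if status == "good":
        return OcspStatus("good")
    reason = CRL_REASONS.get(first(entry, src.reason_attr) or "")
    if reason is None and code == "2":
        reason = CRL_REASONS["certificateHold"]   # this example's choice for a suspended entry
    when = None
    date, time = first(entry, src.date_attr), first(entry, src.time_attr)
    if date and time:   # assumed formats YYYYMMDD and HHMMSS, read as UTC
        when = datetime.strptime(date + time, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return OcspStatus("revoked", when, reason)

# Constructed sample search results (not real RSACM data), one per status value.
XUDAD_ENTRIES: List[Entry] = [
    {"serial_no": ["1001"], "cert_status": ["1"]},
    {"serial_no": ["1002"], "cert_status": ["2"],
     "statuschange_dte": ["20170421"], "statuschange_tim": ["093000"]},
    {"serial_no": ["1003"], "cert_status": ["3"], "revocationReasonCode": ["keyCompromise"],
     "statuschange_dte": ["20160616"], "statuschange_tim": ["120000"]},
    {"serial_no": ["1004"], "cert_status": ["7"]},
]
EXTERNAL_ENTRIES: List[Entry] = [
    {"rcm-0serial-2no": ["2001"], "rcm-0cert-2status": ["3"],
     "rcm-0revocationReasonCode": ["superseded"],
     "rcm-0statuschange-2dte": ["20170101"], "rcm-0statuschange-2tim": ["000000"]},
]

if __name__ == "__main__":
    for serial in ("1001", "1002", "1003", "1004", "9999"):
        print(serial, resolve_status(XUDAD, XUDAD_ENTRIES, serial))
    print(" ".join(ldapsearch_argv(EXTERNAL_LDAP, "opendj.example.com", 389, "2001")))
```

Running the module prints the resolved status for each sample serial and an ldapsearch command line that can be run against the real directory from the Validation Manager host to confirm the mapped attributes come back before the Status Source is saved. A serial with no entry and an entry with a status value outside the 1/2/3 mapping both resolve to unknown; nothing is reported good unless the directory says so.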
Legacy Article ID: a30726
