Next: , Previous: Creating a CA certificate, Up: Top


3.2 Issuing certificates

First you'll create a CA certificate, after that you have to deal with your users and servers and issue certificates to them.

3.2.1 Name space management

What people might want to see.

Re-issue certificates just because people moved within the organization.

Expose privacy information.

Using Sub-component name (+ notation).

3.2.2 Certificate Revocation, CRL and OCSP

Certificates that a CA issues may need to be revoked at some stage. As an example, an employee leaves the organization and does not bother handing in his smart card (or even if the smart card is handed back – the certificate on it must no longer be acceptable to services; the employee has left).

You may also want to revoke a certificate for a service which is no longer being offered on your network. Overlooking these scenarios can lead to security holes which will quickly become a nightmare to deal with.

There are two primary protocols for dealing with certificate revokation. Namely:

If however the certificate in qeustion has been destroyed, there is no need to revoke the certificate because it can not be used by someone else. This matter since for each certificate you add to CRL, the download time and processing time for clients are longer.

CRLs and OCSP responders however greatly help manage compatible services which may authenticate and authorize users (or services) on an on-going basis. As an example, VPN connectivity established via certificates for connecting clients would require your VPN software to make use of a CRL or an OCSP service to ensure revoked certificates belonging to former clients are not allowed access to (formerly subscribed) network services.