Test CRL Signing
In this section, learn how to test CRL signing and OCSP database creation. To simplify this demonstration, it pulls certificates from a Defense Information Systems Agency (DISA) repository.

This section covers the following tasks:

- Pull certificates from a DISA LDAP server
- Start the server
- Test CRL signing and database creation

Pull certificates

Perform the following steps to pull certificates from a DISA LDAP server:

1. Go to the Add Certificates menu, select CA Certificates [OCSP Protocol], then click [Submit].
2. Select LDAP Server, and select Submit Certificate Import Method.
3. On the Import Certificates from LDAP Server page, set the host name to crl.chamb.disa.mil. Leave all other fields at their defaults and select [Get LDAP Certificates].
   At the time of this writing, DISA supports port 389 for importing certificates from their LDAP server. However, they recently announced that soon they will only support secure LDAP (LDAPS), which uses port 636. If port 389 does not work for you, attempt to use port 636 anonymously instead.
4. If the VA server connects to the LDAP server successfully, you see a list of certificates on the next page. Scroll to the bottom and select [Submit Certificates].
   Expect to see the following error: "Failed to import one more certificates. Please refer to admin logs for details." This can be disregarded; it just means that at least one certificate out of approximately 50 failed to load.
5. Select [Go Back].
6. Scroll to the bottom of the Configure VA Certificate Store page and select [Next Step].
7. On the Configure CRL Imports page, leave In an LDAP Directory selected as the CRL source and select [Add CRL Source].
8. On the Configure CRL Import (LDAP) page, the LDAP Host field is auto-populated with the address we previously entered. Leave all fields set to the defaults and select Find Available CRLs at the bottom.
9. Scroll to the bottom of the Available CRLs for Import page and click Schedule Import of Checked CRLs.
10. Select [Next Step] on the Configure CRL Imports page.
11. On the Configure Server URLs page, leave everything set to default as long as port 80 is available on the machine (by default, the server URL is configured to use port 80). If port 80 is taken, you can either free it up so that Axway VA can use it or configure a different port. After you finish configuring the server URLs, select [Submit].
    On Windows, sometimes the IIS service reserves port 80. On Linux, sometimes the Apache service reserves port 80.
12. Select [Next Step].
13. Leave all the settings as default on the VA Responder Server Configuration Parameters page and select [Submit Configuration Parameters]. You should see a message that says the server configuration has been successfully updated.
14. Select [Next Step].

Start the server

Perform the following steps to start the server:

1. On the Start/Stop Server page, type in the server password, and select [Start Server].

Test CRL signing

Perform the following steps to test CRL signing and OCSP database creation:

1. Go to Server Settings > CA Options.
2. Select the DOD EMAIL CA-41 CA, and select Configure CA Options at the top of the page.
3. On the VA Responder CA Options Configuration page, you must modify two settings:
   - Under OCSP Response Settings, change the validity period of CRL to the next seven days.
   - Under Pre-computation Options, select the Pre-compute OCSP Data checkbox, and select Only Revoked Certificates.
4. Select [Submit CA Configuration Parameters] at the bottom of the page. You should see a message that the CA configuration options have been successfully modified.
5. Go back to Server Settings > CA Options.
6. Select the DOD EMAIL CA-41 CA, and select Configure CA Specific OCSP Signing Certificate at the top of the page.
7. On the Set CA Specific OCSP Signing Certificate page, you can see the OCSP signing key that we created earlier on the HSM. Select [Submit], and you should see a message saying that it successfully set the CA specific OCSP signing certificate/key.
8. Go to the Start/Stop Server page, enter the password, and select [Stop Server].
9. Go to CRLs > CRLs & OCSP Databases. Find DOD EMAIL CA-41 and select [Flush CRLs]. Disregard the warning and proceed by selecting [Flush CRL and OCSP DB Information]. You should see a message that the CRLs and OCSP databases for the specified CA have been cleaned successfully.
10. Go to the Start/Stop Server page, enter the password, and select [Start Server].
11. Go to CRLs > CRLs & OCSP Databases. Find DOD EMAIL CA-41, and in the OCSP Response Database field, you should see a success response after the CRLs finish downloading and the OCSP database is successfully created. This result confirms that the VA server could use the OCSP response signing key stored on the HSM to sign the CRLs downloaded for DOD EMAIL CA-41.

If the server starts successfully, the [Start Server] button is grayed out and the [Stop Server] button is available.
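The GUI steps above hide what the responder actually does with the CRL before it will pre-compute signed OCSP data from it. The following is an added example, not code from the Axway documentation or from Axway VA, that reproduces those checks locally with the Python `cryptography` library: a constructed test CA signs a CRL, the CRL signature is verified against the CA certificate, the CRL's usable lifetime is capped at the seven-day "validity period of CRL" window chosen on the CA options page, and the revoked serials are extracted so that, as with the Only Revoked Certificates option, only revoked serials need a pre-built answer. The CA, serial numbers and function names are all assumptions made for the example.

```python
"""Added example (not Axway documentation or Axway code): the checks a validation
authority applies to a CRL before pre-computing signed OCSP data from it,
reproduced locally with the `cryptography` library on a constructed test CA.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

CRL_VALIDITY_DAYS = 7  # the "next seven days" value chosen on the CA options page


def make_ca(common_name="Constructed Test CA"):
    """Generate a throwaway CA key and self-signed certificate (constructed data)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=1))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_crl(ca_key, ca_cert, revoked_serials, validity_days=CRL_VALIDITY_DAYS, issued_days_ago=0):
    """Sign a CRL listing `revoked_serials`; `issued_days_ago` lets a test build an expired CRL."""
    now = datetime.now(timezone.utc) - timedelta(days=issued_days_ago)
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(now - timedelta(minutes=1))
        .next_update(now + timedelta(days=validity_days))
    )
    for serial in revoked_serials:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(now - timedelta(minutes=1))
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def _next_update_utc(crl):
    # Newer cryptography releases expose a timezone-aware property; older ones return naive UTC.
    aware = getattr(crl, "next_update_utc", None)
    return aware if aware is not None else crl.next_update.replace(tzinfo=timezone.utc)


def check_crl(crl, ca_cert, max_days=CRL_VALIDITY_DAYS):
    """Return (ok, detail). The CRL is usable only if its signature verifies against
    the CA and its nextUpdate is still in the future; its usable lifetime is then
    capped at `max_days`, as the responder's CRL validity period setting does."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        return False, "signature does not verify against the CA certificate"
    now = datetime.now(timezone.utc)
    next_update = _next_update_utc(crl)
    if next_update <= now:
        return False, "CRL nextUpdate is in the past"
    usable_until = min(next_update, now + timedelta(days=max_days))
    return True, usable_until


def revoked_serial_set(crl):
    """'Only revoked certificates' pre-computation: the serials that get a
    pre-built 'revoked' answer; every other serial is answered 'good'."""
    return {entry.serial_number for entry in crl}


def ocsp_status(revoked, serial):
    """Status the pre-computed database would hand back for one serial."""
    return "revoked" if serial in revoked else "good"


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    crl = make_crl(ca_key, ca_cert, [1001, 1002])
    ok, detail = check_crl(crl, ca_cert)
    print("CRL usable:", ok, "until", detail)
    revoked = revoked_serial_set(crl)
    for serial in (1001, 1003):
        print(serial, "->", ocsp_status(revoked, serial))
```

The signature check is the part that fails first when a CRL is imported for the wrong CA or has been tampered with in transit from the LDAP directory, which is why the Flush CRLs step followed by a fresh download is a clean way to confirm the whole chain (download, verify, pre-compute, sign with the HSM-held key) end to end.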