Test CRL signing

this section shows how to test crl signing and ocsp database creation to simplify this demonstration, the example pulls certificates from a defense information systems agency (disa) repository pull certificates perform the following steps to pull certificates from a disa ldap server go to the add certificates menu, select ca certificates \[ocsp protocol] , and select \[ submit ] select ldap server , and select \[ submit certificate import method ] on the important certificates from ldap server page, set the host name to crl chamb disa mil leave all of the other fields as default and select \[ get ldap certificates ] at the time of this writing, disa supports port 389 for importing certificates from their ldap server however, recently they announced that soon they will only support secure ldap (ldaps), which uses port 636 if port 389 does not work for you, attempt to use port 636 anonymously instead if the va server connects to the ldap server successfully, you see a list of certificates on the next page scroll to the bottom and select \[ submit certificates ] expect to see the following error failed to import one or more certificates please refer to admin logs for details disregard this message it just means that at least one certificate out of approximately 50 failed to load select \[ go back ] scroll to the bottom of the configure va certificate store page and select \[ next step ] on the configure crl imports page, leave in an ldap directory selected as the crl source and select \[ add crl source ] on the configure crl import (ldap) page, the ldap host field auto populates with the address previously entered leave all of the fields set to the default values and select \[ find available crls ] scroll to the bottom of the available crls for import page and select \[ schedule import of checked crls ] select \[ next step ] on the configure crl imports page as long as port 80 is available on the machine (by default, the server url is configured to use port 80 ), on the configure server urls page, leave everything set to the default values if port 80 is taken, you can either free it up so axway va can use it or you can configure a different port after you finish configuring the server urls, select \[ submit ] on windows, sometimes the iis service reserves port 80 on linux, sometimes the apache service reserves port 80 if the request is successful, the following message displays success! server urls updated successfully select \[ next step ] leave all of the fields set to their default values on the va responder server configuration parameters page and select \[ submit configuration parameters ] you should see the following message the server configuration has been successfully updated select \[ next step ] start the server perform the following steps to start the server on the start/stop server page, enter the server password and select \[ start server ] if the server starts successfully, the start server button is disabled and the stop server button is activated test crl signing and database creation perform the following steps to test crl signing and ocsp database creation go to server settings > ca options select the dod email ca 41 ca , and select \[ configure ca options ] at the top of the page on the va responder ca options configuration page, modify the following settings under ocsp response settings , change the validity period of crl to the next 7 days under pre computation options , check the pre compute ocsp data checkbox, and select only revoked certificates select \[ submit ca configuration parameters ] at the bottom of the page you should see a message that the ca configuration options have been successfully modified go back to server settings > ca options select the dod email ca 41 ca and select \[ configure ca specific ocsp signing certificate ] at the top of the page on the set ca specific ocsp signing certificate page, you can see the ocsp signing key that was created earlier on the hsm select \[ submit ] you should see a message saying that it successfully set ca specific ocsp signing certificate/key go to the start/stop server page, enter the password, and select \[ stop server ] go to crls > crls & ocsp databases find dod email ca 41 and select \[ flush crls ] disregard the warning and proceed by selecting \[ flush crl and ocsp db information ] you should see a message that the crls and ocsp databases for the specified ca have been cleaned successfully go to the start/stop server page, enter the password, and select \[ start server ] go to crls > crls & ocsp databases find dod email ca 41 and, in the ocsp response database field, verify the crls finished downloading and the ocsp database was created successfully you should see a list including the subject , issuer, serial number , last fetch data , and so on this result confirms that va server could use the ocsp response signing key stored on the hsm to sign the crls that you downloaded for dod email ca 41