
Editing the Publishing Service

If LDAP or external commands are used to publish certificates, CRLs or other entity data in the directory, then at least one Publishing Service needs to be added in the system. Publishing Service is not required when HTTP is used to publish CRLs.

Publishing Service represents a connection to a specific LDAP directory. Publishing Service is also used for running external publishing commands. There may be more than one Publishing Service in a single Certifier Server instance, if several CAs publish to different directories, or if single CAs publish to several directories.

Figure: Editing the Publishing Service configuration

Basic Settings

Service description is a free-form description of the Service and its function.

Service status can be either Active or Disabled. If the service is Disabled, it does not perform its function. This option can be used to take the service temporarily out of use.

LDAP Settings

The LDAP Server Address and Port number specify the address of the directory server (for example, and 389, the default LDAP port).

LDAP Username and LDAP Password are normally also required for directory access. Permission to add and modify objects within the object hierarchy must be configured in the LDAP server for this user.

LDAP Version is the LDAP protocol version used by the LDAP server.

If the Server address for URL generation field is left empty, the Server address field is used in the CRL distribution point URL in certificate extensions. However, there might be several network interfaces in the directory server, and the one that the Publishing Service is using can be different than the one the end entities use when connecting to the server. In this case, the address that the end entities are going to use should be filled in the Server address for URL generation field.

If the LDAP publishing fails, the Publishing Service retries the operation a certain number of times after certain time intervals. The retry count and time interval can be specified in the Retry and times with fields.

If the publishing is done via a firewall with a Socks server, this server address can be given in the Socks URL field (socks://..).

External Client

If External Client is selected, SSH Tectia Certifier will generate an LDIF file of the publishing data and send it to an external command for further processing. The command line can be given in the text box.
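The three behaviours described above (the CRL distribution point URL derived from the Server address for URL generation field, the retry count and interval, and the LDIF handed to an External Client command) can be modelled in a few lines. The following Python is an added example, not code from SSH Tectia Certifier: the field names, the LDIF record layout, the addresses and the CRL bytes are all assumptions constructed for illustration.

```python
import base64
import time
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import quote


@dataclass
class PublishingService:
    """One Publishing Service as described on this page (assumed attribute names)."""
    description: str
    active: bool = True                           # Service status: Active / Disabled
    server_address: str = "ldap-int.example.com"  # constructed: address the Service connects to
    port: int = 389                               # default LDAP port
    url_address: Optional[str] = None             # Server address for URL generation
    retry_count: int = 3                          # "Retry N times ..."
    retry_interval_s: float = 0.0                 # "... with M seconds" (0 so the example runs instantly)

    def crl_distribution_point(self, crl_dn: str) -> str:
        """CRL DP URL placed in certificate extensions (RFC 4516 LDAP URL form).
        Uses the URL-generation address if set, otherwise the connection address."""
        host = self.url_address or self.server_address
        return f"ldap://{host}:{self.port}/{quote(crl_dn, safe='=,')}?certificateRevocationList?base"

    def publish(self, operation: Callable[[], None]) -> tuple:
        """Run one publishing operation under the configured retry policy.
        Returns (succeeded, attempts_made). A Disabled service makes no attempt."""
        if not self.active:
            return (False, 0)
        attempts = 0
        while True:
            attempts += 1
            try:
                operation()
                return (True, attempts)
            except Exception:
                if attempts > self.retry_count:
                    return (False, attempts)
                time.sleep(self.retry_interval_s)


def _fold(line: str, width: int = 76) -> list:
    """RFC 2849 line folding: continuation lines start with a single space."""
    out = [line[:width]]
    rest = line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out


def crl_ldif(crl_dn: str, crl_der: bytes) -> str:
    """LDIF an External Client command might receive for a CRL update
    (assumed layout: one modify record replacing certificateRevocationList;binary)."""
    b64 = base64.b64encode(crl_der).decode("ascii")
    lines = [f"dn: {crl_dn}", "changetype: modify",
             "replace: certificateRevocationList;binary"]
    lines += _fold(f"certificateRevocationList;binary:: {b64}")
    lines.append("-")
    return "\n".join(lines) + "\n"


def flaky_publisher(failures_before_success: int) -> Callable[[], None]:
    """Constructed stand-in for an LDAP write that fails a given number of times."""
    state = {"left": failures_before_success}

    def op():
        if state["left"] > 0:
            state["left"] -= 1
            raise ConnectionError("directory unreachable (constructed failure)")
    return op


if __name__ == "__main__":
    svc = PublishingService("Publishes Example CA CRLs", url_address="ldap.example.com")
    dn = "cn=Example CA,o=Example"
    print(svc.crl_distribution_point(dn))   # end-entity facing host, not the internal one
    print(svc.publish(flaky_publisher(2)))  # (True, 3): two retries were needed
    print(svc.publish(flaky_publisher(5)))  # (False, 4): gives up after 3 retries
    # placeholder bytes standing in for DER, not a real CRL
    print(crl_ldif(dn, b"\x30\x03\x02\x01\x00" * 20))
```

The point worth checking in a real deployment is the first line of output: if the URL-generation address is left empty and the Service connects over an internal interface, the CRL distribution point baked into every issued certificate will name a host that end entities cannot reach, and revocation checking silently degrades.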

Security Settings

LDAP publishing can be protected by TLS. The relevant settings are made under TLS Settings. Select Use TLS server authenticated LDAP connection to take TLS in use. To search a trusted TLS CA certificate from the database, click Search. To insert an external certificate to the database, click Insert Certificate. See Section Inserting a Certificate.

It is also possible to Use TLS client authentication. Client authentication eliminates the need for an LDAP password. Select the client authentication CA from the list.


The References field shows the number of CAs that use this Publishing Service for publishing CRLs. The field is intended to warn the operator that removing the Publishing Service disables CRL publishing and may thus compromise the security of the PKI. If the Publishing Service is used only for publishing certificates (and not CRLs), the field will show: This service isn't referenced by any CA. Certificate publishing (unlike CRL publishing) is not a critical feature for a properly functioning CA, and there may be a valid reason to remove a Publishing Service used only for certificate publishing, hence no warning is given.

Committing Changes

Click the Continue button to accept changes made to the Service settings, or click Cancel to discard them. After clicking Continue, remember to Commit Changes on the Edit Server Entity page.
