How to configure RSA Validation Manager to obtain real-time certificate status from RSA Certificate Manager
Originally Published: 2006-05-29
Article Number
Applies To
RSA Certificate Manager 6.6
RSA Keon Certificate Authority 6.5.1
Issue
RSA Certificate Manager 6.6 and later releases do not have a built-in OCSP (Online Certificate Status Protocol) responder
A previous release, RSA Keon Certificate Authority 6.5.1, featured an OCSP Server
OCSP clients are unable to obtain real-time certificate status from RSA Certificate Manager 6.6 and later releases
Cause
Resolution
Status source type = LDAP
Retrieval Method = LDAP
Host Name = host name of RSACM Secure Directory Server (Xudad)
Port Number = LDAP port for Xudad (default is 389)
Determine Status Using = certificate status only
DN attribute = <leave blank>
LDAP Object Class = xuda_certificate
Certificate Serial Number Attribute = serial_no
Certificate Status Attribute = cert_status
Certificate Reason Code Attribute = revocationReasonCode
Date/Time Attributes =
  date: statuschange_dte
  time: statuschange_tim
OCSP Status Codes =
  1 maps to good
  2,3 maps to revoked (2 for suspended, 3 for revoked)
OCSP Reason Codes =
  keyCompromise maps to key compromise
  cACompromise maps to CA compromise
  affiliationChanged maps to affiliation changed
  superseded maps to superseded
  cessationOfOperation maps to cessation of operation
  privilegeWithdrawn maps to privilege withdrawn
  certificateHold maps to certificate hold
An example RSA Validation Manager 3.1 configuration that obtains real-time certificate status from an external LDAP directory (OpenDJ) used by RSA Certificate Manager (RSACM) as its database (using the RSACM db plugin HA configuration):
Status source type = LDAP
Retrieval Method = LDAP
Hostname = host name of external LDAP used by RSACM (Xudad) as its db
Port Number = LDAP port for external LDAP (default is 389)
Determine Status Using = certificate status only
Update Path = enter appropriate RDN where RCM data resides on the external LDAP (example: CN=RSACM,dc=rsa,dc=com)
LDAP Object Class = XUDAOBJECT
Certificate Serial Number Attribute = rcm-0serial-2no
Certificate Status Attribute = rcm-0cert-2status
Certificate Reason Code Attribute = rcm-0revocationReasonCode
Date/Time Attributes =
  date: rcm-0statuschange-2dte
  time: rcm-0statuschange-2tim
OCSP Status Codes =
  1 maps to good
  2,3 maps to revoked (2 for suspended, 3 for revoked)
OCSP Reason Codes =
  keyCompromise maps to key compromise
  cACompromise maps to CA compromise
  affiliationChanged maps to affiliation changed
  superseded maps to superseded
  cessationOfOperation maps to cessation of operation
  privilegeWithdrawn maps to privilege withdrawn
  certificateHold maps to certificate hold
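A pre-flight check for the two status-source configurations above, as an added example that is not RSA code: it reads an LDIF export of the certificate entries and reports the status and reason the configured mappings would produce for each one. The profile names, the function names, the sample DNs and serial numbers, and the choice to report unmapped status codes as "unknown" are assumptions made for this example.

```python
# Added example, not RSA code. Attribute names and mappings are the article's; sample data is constructed.
PROFILES = {
    "xudad": {"class": "xuda_certificate", "serial": "serial_no",
              "status": "cert_status", "reason": "revocationReasonCode"},
    "external": {"class": "XUDAOBJECT", "serial": "rcm-0serial-2no",
                 "status": "rcm-0cert-2status", "reason": "rcm-0revocationReasonCode"},
}
STATUS_MAP = {"1": "good", "2": "revoked", "3": "revoked"}  # 2 = suspended, 3 = revoked
REASON_MAP = {
    "keyCompromise": "key compromise", "cACompromise": "CA compromise",
    "affiliationChanged": "affiliation changed", "superseded": "superseded",
    "cessationOfOperation": "cessation of operation",
    "privilegeWithdrawn": "privilege withdrawn", "certificateHold": "certificate hold",
}

def parse_ldif(text):
    """Parse plain LDIF (no folded or base64 lines) into attribute dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                name, value = line.split(": ", 1)
                entry.setdefault(name.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def ocsp_status(entry, profile):
    """Return what the configured mapping yields for one entry, or None."""
    p = PROFILES[profile]
    first = lambda key: (entry.get(p[key].lower()) or [None])[0]
    if p["class"].lower() not in [c.lower() for c in entry.get("objectclass", [])]:
        return None  # not a certificate object for this status source
    status = STATUS_MAP.get(first("status"), "unknown")  # assumption: unmapped code -> unknown
    reason = REASON_MAP.get(first("reason")) if status == "revoked" else None
    return {"serial": first("serial"), "status": status, "reason": reason}
SAMPLE_LDIF = """\
dn: cn=constructed-1,CN=RSACM,dc=rsa,dc=com
objectClass: XUDAOBJECT
rcm-0serial-2no: 0a1b
rcm-0cert-2status: 1

dn: cn=constructed-2,CN=RSACM,dc=rsa,dc=com
objectClass: XUDAOBJECT
rcm-0serial-2no: 0a1c
rcm-0cert-2status: 2
rcm-0revocationReasonCode: certificateHold
"""
```

An entry that comes back as "unknown" or None points to a status code or object class the status source is not configured for, which is worth resolving before OCSP clients rely on the responder.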