How OCSP Services Work; OCSP Response Signing - Red Hat Certificate System 7.1 Administrator's Guide

About OCSP Services

How OCSP Services Work

An OCSP service works as follows:

1. A CA is set up to issue certificates that include the Authority Information Access extension, whose value identifies an OCSP responder that can be queried for the status of the certificate.

2. One or more CAs periodically publish CRLs to an OCSP responder.

3. The OCSP responder maintains the CRLs it receives from the CA(s).

4. An OCSP-compliant client verifies the status of a certificate by sending the OCSP responder a request containing all the information required to identify the certificate. The application determines the location of the OCSP responder from the value of the Authority Information Access extension in the certificate being validated.

5. The OCSP responder determines whether the request contains all the information it needs to process it. If it does not, or if the responder is not enabled for the requested service, a rejection notice is sent. If it does have enough information, the responder processes the request and sends back a signed report stating the status of the certificate. See "OCSP Responses," on page 159 for details on the responses sent by an OCSP service.

OCSP Response Signing

Every response that the client receives, including a rejection notification, is digitally signed by the responder; the client is expected to verify the signature to ensure that the response came from a responder authorized to answer for the certificate in question, not merely from the host it happened to contact. The key the responder uses to sign the message depends on how the OCSP responder is deployed in a PKI setup. RFC 2560 (since obsoleted by RFC 6960, which keeps the same rule) requires that the key used to sign the response belong to one of the following:

- The CA that issued the certificate whose status is being verified by the responder.

- A responder whose public key, which corresponds to the private key it uses to sign responses, is trusted directly by the client. Such a responder is called a trusted responder.

- A responder that holds a specially marked certificate (one carrying the id-kp-OCSPSigning extended key usage) issued to it directly by the CA that revokes the certificates and publishes the CRL. Possession of this certificate indicates that the CA has authorized the responder to issue OCSP responses for certificates issued by that CA. Such a responder is called a CA-designated responder or a CA-authorized responder.

Red Hat Certificate System Administrator's Guide • September 2005
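The five steps of the exchange and the three signing models above, as an added example using the openssl command-line tool. This script is not from the manual and is not Red Hat Certificate System's own tooling; it assumes an openssl binary (1.1.1 or 3.x) and makes up every name, URI and serial number. openssl's responder reads a CA index file rather than a CRL, so the index here stands in for the CRL the CA publishes to the responder. It also exercises the check a client must make beyond the bare signature: a response signed by a key the CA never marked for OCSP signing, or by an unrelated key the client has not been told to trust, is rejected.

```shell
#!/bin/sh
# Added example (not from the Red Hat manual): an offline OCSP exchange with the
# openssl CLI, covering the five steps and the three response-signing models.
# All names, URIs and serial numbers below are made up for the demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Issue a certificate from the CA: issue <name> <subject> <serial> <extfile>
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -set_serial "$3" \
        -days 90 -extfile "$4" -out "$1.crt" 2>/dev/null
}

# Step 1: the issuing CA, and end-entity certificates carrying an Authority
# Information Access extension that names the responder (hypothetical URI).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo Issuing CA" -keyout ca.key -out ca.crt 2>/dev/null
printf 'basicConstraints=CA:FALSE\nauthorityInfoAccess=OCSP;URI:http://ocsp.example.test/\n' > ee.ext
issue ee      "/CN=good.example.test"    0x1001 ee.ext
issue revoked "/CN=revoked.example.test" 0x1002 ee.ext

# Signing model 3, CA-designated responder: a certificate issued by the CA
# with the OCSP Signing extended key usage.
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=OCSPSigning\n' > ocsp.ext
issue ocsp "/CN=Demo OCSP Responder" 0x2001 ocsp.ext
# Same CA, but no OCSP Signing EKU: the CA never authorized this key for OCSP.
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > noeku.ext
issue noeku "/CN=Unauthorized Signer" 0x2002 noeku.ext
# Signing model 2, trusted responder: a self-signed key unrelated to the CA
# that the client must be configured to trust explicitly.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Standalone Trusted Responder" -keyout trusted.key -out trusted.crt 2>/dev/null

# Steps 2 and 3: revocation data held by the responder. openssl's responder
# reads a CA index file; here it stands in for the CRL the CA publishes.
# Tab-separated fields: status, expiry, revocation time[,reason], serial (hex),
# filename, subject. Serials must match the certificates issued above.
printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=good.example.test\n' > index.txt
printf 'R\t300101000000Z\t240601120000Z,keyCompromise\t1002\tunknown\t/CN=revoked.example.test\n' >> index.txt

# Step 4: the client reads the responder location from the AIA extension ...
responder_uri() { openssl x509 -in ee.crt -noout -ocsp_uri; }
# ... and builds a request naming each certificate by issuer hash and serial.
openssl ocsp -issuer ca.crt -cert ee.crt -cert revoked.crt -no_nonce \
    -reqout req.der >/dev/null 2>&1

# Step 5: the responder looks up each serial and signs the response with the
# given key: respond <signer.crt> <signer.key> <out.der>
respond() {
    openssl ocsp -index index.txt -CA ca.crt -rsigner "$1" -rkey "$2" \
        -reqin req.der -respout "$3" -ndays 1 >/dev/null 2>&1
}
respond ocsp.crt    ocsp.key    resp-designated.der   # model 3
respond ca.crt      ca.key      resp-ca.der           # model 1: the CA itself
respond trusted.crt trusted.key resp-trusted.der      # model 2
respond noeku.crt   noeku.key   resp-noeku.der        # must be rejected

# Client side: check the signature, then whether the signer is allowed to answer
# for this CA. Exit status 0 means "Response verify OK"; extra arguments such as
# "-VAfile trusted.crt" (explicit trust in a responder key) go to openssl.
verify() {
    r=$1; shift
    openssl ocsp -respin "$r" -issuer ca.crt -cert ee.crt -cert revoked.crt \
        -no_nonce -CAfile ca.crt "$@" 2>&1
}

echo "AIA responder: $(responder_uri)"
verify resp-designated.der                                # OK: EKU-bearing cert chains to the CA
verify resp-ca.der >/dev/null                             # OK: signed by the issuing CA
verify resp-trusted.der -VAfile trusted.crt >/dev/null    # OK: explicitly trusted key
verify resp-trusted.der >/dev/null || echo "rejected without -VAfile, as expected"
verify resp-noeku.der >/dev/null || echo "rejected: signer lacks the OCSP Signing EKU"
```

The first verify prints "Response verify OK" followed by "ee.crt: good" and "revoked.crt: revoked" with the revocation reason; the last two lines show the client refusing a response whose signer is neither the CA, nor a CA-designated responder, nor a key the client was explicitly told to trust. Note that the trusted-responder model only works because the verifier passes the responder's certificate in with -VAfile: the same response without that flag is rejected, which is the configuration step a deployment of a trusted responder must not forget.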
