Chapter 6. Online Certificate Status Protocol Responder
as an OCSP responder certificate. The required certificate extensions, such as OCSPNoCheck and
Extended Key Usage, can be added to the certificate when the certificate request is submitted.
For more information about the certificates associated with the OCSP Manager, see Section 6.3,
"Online Certificate Status Manager Certificates".
6.1.2. OCSP Responses
The OCSP response that the client receives indicates the current status of the certificate as
determined by the OCSP responder. The response can be either of the following:
• Good or Verified. A positive response to the status inquiry: the responder has no record that the
certificate has been revoked. It does not necessarily mean that the certificate was actually issued by
the CA or that the current time falls within the certificate's validity interval, so the client must still
perform those checks itself. Response extensions may be used to convey additional information on
assertions made by the responder regarding the status of the certificate.
• Revoked. The certificate has been revoked, either permanently or temporarily (placed on hold).
The response carries the revocation time and, optionally, the revocation reason.
Based on the status, the client decides whether to accept the certificate.
NOTE
The OCSP responder will never return a response of Unknown. The response will always
be either Good or Revoked. (The OCSP protocol itself also defines an Unknown status, which
other responders may return for a certificate they have no record of; a client must never treat
Unknown as Good.)
6.2. CA OCSP Services
There are two ways to set up OCSP services:
• The OCSP built into the Certificate Manager.
• The Online Certificate Status Manager.
6.2.1. The Certificate Manager's Internal OCSP Service
The Certificate Manager has a built-in OCSP service, which can be used by OCSP-compliant clients
to query the Certificate Manager directly about the revocation status of the certificate. When the
Certificate Manager is installed, an OCSP signing certificate is issued and the OCSP service is turned
on by default. This OCSP signing certificate is used to sign all responses to OCSP service requests.
Since the internal OCSP service checks the status of certificates stored in the Certificate Manager's
internal database, publishing does not have to be configured to use this service.
Clients can query the OCSP service through the non-SSL end-entity port of the Certificate Manager.
When queried for the revocation status of a certificate, the Certificate Manager searches its internal
database for the certificate, checks its status, and returns a signed response to the client. Because
every response is signed with the OCSP signing certificate, the plain-HTTP transport does not weaken
the integrity of the status; a client that wants protection against replay of an old response should
include a nonce in its request. Since the Certificate Manager has real-time status of all certificates it
has issued, with no publishing delay, this method of revocation checking is the most accurate.
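The request/response exchange described in Section 6.1.2 and in this section, as an added example that is not part of this manual and does not use Certificate System itself: it uses only the openssl command, with OpenSSL's "ca"-style index file standing in for the Certificate Manager's internal database, so it runs offline. It builds a throw-away CA, an end-entity certificate and a delegated OCSP responder certificate carrying the Extended Key Usage (OCSPSigning) and OCSPNoCheck extensions, then answers a request while the certificate is valid, again after it has been placed on hold, and finally for a certificate the responder has no record of. Every file name, directory, subject, serial number and date below is an assumption made for the demo. Note that, unlike the Certificate System responder described in the NOTE above, OpenSSL's responder does answer Unknown in the last case.

```shell
#!/bin/sh
# Added example (not from the Certificate System manual, not Certificate System code):
# an offline OCSP exchange driven entirely by the openssl command.
# Assumptions: scratch directory ./ocsp_demo, subjects, serials 0x1001/0x1002 and dates.
set -eu

WORK=${OCSP_DEMO_DIR:-./ocsp_demo}   # scratch directory (assumed)

make_pki() {          # throw-away CA, one end-entity cert, one delegated OCSP signer
  mkdir -p "$WORK"
  # Minimal config: the CA profile, and the responder profile with the extensions
  # the text mentions (Extended Key Usage OCSPSigning, id-pkix-ocsp-nocheck = noCheck).
  cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign,digitalSignature
subjectKeyIdentifier = hash
[ocsp_signer]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = OCSPSigning
noCheck = ignore
EOF
  openssl req -config "$WORK/demo.cnf" -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj /CN=Demo-CA -extensions ca_ext \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -config "$WORK/demo.cnf" -new -newkey rsa:2048 -nodes \
    -subj /CN=leaf.example.test -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 365 -set_serial 0x1001 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -out "$WORK/leaf.pem" 2>/dev/null
  openssl req -config "$WORK/demo.cnf" -new -newkey rsa:2048 -nodes \
    -subj /CN=Demo-OCSP-Signer -keyout "$WORK/ocsp.key" -out "$WORK/ocsp.csr" 2>/dev/null
  openssl x509 -req -days 365 -set_serial 0x1002 -in "$WORK/ocsp.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -extfile "$WORK/demo.cnf" \
    -extensions ocsp_signer -out "$WORK/ocsp.pem" 2>/dev/null
}

write_index() {       # $1 = V (valid) or R (revoked): the responder's record for serial 0x1001
  rev=''
  [ "$1" = R ] && rev='240101000000Z,certificateHold'   # on hold = temporary revocation
  # OpenSSL 'ca' index: status, expiry, revocation date[,reason], serial, file, subject
  printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$1" 351231235959Z "$rev" 1001 unknown \
    /CN=leaf.example.test > "$WORK/index.txt"
}

make_request() {      # client side: DER OCSP request identifying $1 by issuer hashes + serial
  openssl ocsp -issuer "$WORK/ca.pem" -cert "$1" -no_nonce -reqout "$WORK/req.der"
}

make_response() {     # responder side: answer req.der from index.txt, signed by the OCSP signer
  openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.pem" \
    -rsigner "$WORK/ocsp.pem" -rkey "$WORK/ocsp.key" \
    -reqin "$WORK/req.der" -respout "$WORK/resp.der" >/dev/null
}

ocsp_status() {       # client side: verify resp.der against the CA; print good|revoked|unknown
  out=$(openssl ocsp -respin "$WORK/resp.der" -issuer "$WORK/ca.pem" -cert "$1" \
          -CAfile "$WORK/ca.pem" -no_nonce 2>&1) || return 1
  printf '%s\n' "$out" | grep -q '^Response verify OK' || { echo verify-failed; return 1; }
  printf '%s\n' "$out" | awk -F': ' -v n="$1" '$1 == n { print $2; exit }'
}

query() {             # one complete exchange for certificate $1
  make_request "$1" && make_response && ocsp_status "$1"
}

demo() {
  make_pki
  write_index V
  printf 'leaf, valid in index:    %s\n' "$(query "$WORK/leaf.pem")"   # good
  write_index R
  printf 'leaf, on hold in index:  %s\n' "$(query "$WORK/leaf.pem")"   # revoked
  printf 'signer, not in index:    %s\n' "$(query "$WORK/ocsp.pem")"   # unknown
}

demo
```

Run it from any scratch directory; it creates ./ocsp_demo and needs nothing but openssl. To query a live Certificate Manager instead of the local index, replace the make_response step with an openssl ocsp -url call against the non-SSL end-entity port; the client-side verification in ocsp_status, which checks the signature chain and the OCSPSigning purpose of the responder certificate before trusting the status, stays the same.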
6.2.2. Online Certificate Status Manager
In addition to the built-in OCSP service, the Certificate Manager can publish CRLs to an
OCSP-compliant validation authority. CAs can be configured to publish CRLs to the Certificate System