What's An Ocsp-Compliant Pki Setup - Netscape MANAGEMENT SYSTEM 4.5 Installation And Setup Manual
Hide thumbs
Also See for NETSCAPE MANAGEMENT SYSTEM 4.5:
Table of Contents
Advertisement
What's an OCSP-Compliant PKI Setup?
What's an OCSP-Compliant PKI Setup?
Certificate Management System supports the Online Certificate Status Protocol
(OCSP) as defined in the PKIX standard RFC 2560 (see
http://www.ietf.org/rfc/rfc2560.txt
OCSP-compliant applications to determine the state of a certificate, including the
revocation status, without having to directly check a CRL published by a CA to the
validation authority. The validation authority, which is also called an OCSP
responder, does the checking for the application.
An OCSP-compliant PKI setup generally includes the following, which work
together to verify the revocation status of a certificate:
•
A CA, which issues and revokes certificates, and periodically publishes the
CRL to the OCSP responder.
•
An OCSP responder, which maintains the CRL it receives periodically from the
CA and, when queried by an OCSP-compliant client about the status of a
certificate, sends a digitally signed response.
•
OCSP-compliant applications, which, when trying to validate a certificate,
query the appropriate OCSP responder (using the OCSP protocol) for the
status of the certificate. The applications determine the location of the OCSP
responder by using the Authority Information Access Extension in the
certificate being validated. (Certificate Management System enables you to add
this extension to certificates. For details, see "Configuring Policy Rules for a
Subsystem" on page 589.)
The revocation-status-verification process has two parts:
When a certificate's status needs to be verified, the OCSP client (an
1.
OCSP-compliant application) sends a request to the OCSP responder for
verification and waits for a response from the responder.
The OCSP request that the client submits generally contains all the information
required by the responder to identify the certificate whose status it needs to
determine.
(Consider this process is similar to a cashier scanning your credit card and
waiting for a response from the credit-card processing unit. The scanning unit
sends identifying information, such as the credit card number, its type, validity
period, and so on.)
Upon receipt of the request, the OCSP responder determines if the request
2.
contains all the information required by the responder to process it.
690
Netscape Certificate Management System Installation and Setup Guide • October 2001
). The OCSP protocol enables
Advertisement
Table of Contents
