OCSP Responses - Netscape MANAGEMENT SYSTEM 6.2 - ADMINISTRATOR Administrator's Manual


A responder that holds a specially marked certificate issued to it directly by the
CA that revokes the certificates and publishes the CRL. Possession of this
certificate by a responder indicates that the CA has authorized the responder to
issue OCSP responses for certificates revoked by the CA. Such a responder is
called a CA-designated responder or a CA-authorized responder.
CMS has a built-in OCSP responder and allows you to request OCSP
responder certificates. The end-entity interface of both Registration Manager
and Certificate Manager includes a form that allows you to manually request a
certificate for the OCSP responder. The default enrollment form includes all
the attributes (for example, HTTP_PARAMS.certType==ocspResponder) that
identify the certificate as an OCSP responder certificate. The required policy
extensions, such as OCSPNoCheck, ExtendedKeyUsageExt with RuleID, and
OCSPSigning, can be added to the certificate when the certificate request is
subjected to policy checking; see "Configuring Policy Rules for a Subsystem"
on page 489.
For more information about the certificates associated with OCSP, see "SSL Server
Key Pair and Certificate," on page 171.

OCSP Responses

The OCSP response that the client receives indicates the current status of the
certificate as determined by the OCSP responder. The response could be any of the
following:

Good or Verified—specifying a positive response to the status inquiry. At a
minimum, this positive response indicates that the certificate has not been
revoked, but it does not necessarily mean that the certificate was ever issued or
that the time at which the response was produced is within the certificate's
validity interval. Response extensions may be used to convey additional
information on assertions made by the responder regarding the status of the
certificate, such as a positive statement about issuance, validity, etc.

Revoked—specifying that the certificate has been revoked, either permanently
or temporarily.

Unknown—specifying that the OCSP responder doesn't know about the
certificate whose status is being requested by the client.

Based on the status, the client decides whether to validate the certificate.
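
The client-side decision described above can be sketched as follows. This is an added example, not code from CMS or from the manual, and it shows why a Good status alone is not enough to accept a certificate. Assumptions: OcspResult and decide are hypothetical names, the response signature has already been verified, freshness is judged from the standard OCSP thisUpdate and nextUpdate fields, and rejecting on Unknown is this example's policy choice.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional, Tuple

class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"

@dataclass
class OcspResult:
    """Hypothetical view of a response whose signature was already verified."""
    status: Status
    this_update: datetime
    next_update: Optional[datetime]
    responder_ca_designated: bool  # OCSPSigning cert issued directly by the CA

def decide(resp: OcspResult, not_before: datetime, not_after: datetime,
           now: datetime, skew: timedelta = timedelta(minutes=5)) -> Tuple[bool, str]:
    """Return (accept, reason); anything not provably good is rejected."""
    if not resp.responder_ca_designated:
        return False, "responder not authorized by the issuing CA"
    if resp.this_update > now + skew:
        return False, "response dated in the future"
    if resp.next_update is not None and resp.next_update + skew < now:
        return False, "response is stale"
    if resp.status is Status.REVOKED:
        return False, "revoked (permanently or temporarily)"
    if resp.status is Status.UNKNOWN:
        return False, "responder does not know this certificate"
    # Good only means "not revoked": the validity interval is still the client's check.
    if not (not_before <= now <= not_after):
        return False, "good, but outside the certificate's validity interval"
    return True, "good"

# Constructed sample values, not taken from a real responder.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
FRESH = dict(this_update=NOW - timedelta(hours=1), next_update=NOW + timedelta(hours=23),
             responder_ca_designated=True)
VALID = (NOW - timedelta(days=30), NOW + timedelta(days=335))
EXPIRED = (NOW - timedelta(days=400), NOW - timedelta(days=35))

if __name__ == "__main__":
    for st in Status:
        print(st.value, decide(OcspResult(status=st, **FRESH), *VALID, now=NOW))
    print("expired", decide(OcspResult(status=Status.GOOD, **FRESH), *EXPIRED, now=NOW))
```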