OCSP Service
OCSP Service
Property |
Description |
Signature Padding Scheme |
Define the signature padding scheme to be used by the OCSP service while doing OCSP response signing operation. The default parameter value is:
Possible values are PKCS1 and PSS Note: Click here for more details on limitations when PSS padding scheme is used. |
OCSP response caching |
When ADSS OCSP Server is deployed in TLS environments where large numbers of certificates have been issued, the use of OCSP caching can be important. The OCSP load can be minimized on OCSP client applications such as browsers, proxy servers, relying party applications etc by using OCSP Response caching (if this is supported by the client). Response caching is implemented using the following property:
If the value of this property is set to 0 then cache headers will not be set with the OCSP response. If the value is set to a positive integer then the following process is followed:
|
Response status for unregistered CAs |
This property sets the OCSP Service response status when a request is received for a certificate whose issuer is not registered within the OCSP Service.
The possible value are:
|
Storing limited data into the database to minimize the database size |
If your database size grows too quickly because a lot of OCSP transactions are being logged then the size of log information can be reduced by removing some data columns from the database logs. The following are the attributes which manages the logging of specified column:
If you remove any of the column in these properties then that column's value will not be stored as part of transaction logging. The columns consuming most resources are "Request" and "Response" and for very high volumes these should be removed.
Minimal logging for an OCSP Service
Parameters Mapping with Transactions Log Viewer Detail
|
Transaction logs settings |
Transactions can be stored either directly or delayed for better performance. The following properties are used for logging:
|
The following table lists the supported HTTP response headers:
OCSP Cache Header |
Description |
date |
The date and time at which the OCSP server generated the HTTP response. |
last-modified |
The date and time at which the OCSP responder created the response. This date and time is the same as the ThisUpdate date / time in the response data. |
expires |
Specifies how long the OCSP response is to be considered fresh - this is the same as the NextUpdate date/time in the OCSP response data. |
ETag |
A string that identifies a particular version of the associated data. The RFC 5019 profile RECOMMENDS that the ETag value be the ASCII HEX representation of the SHA1 hash of the OCSPResponse structure. |
cache-control |
Contains a number of caching directives.
|
See also
Verification Service
Certification Service
OCSP Repeater
TSA Settings
XKMS Service
SCVP Service
LTANS Service
Decryption Service
OCSP Monitor
GoSign Service
RA Service
CRL Monitor
RAS Service
SAM Service
CSP Service
NPKD Service
SPOC Service