OCSP Service


Signature Padding Scheme

Defines the signature padding scheme used by the OCSP service when signing OCSP responses. The default parameter value is:

  • SIGNATURE_PADDING_SCHEME = PKCS1

Possible values are PKCS1 and PSS.

Note: there are limitations when the PSS padding scheme is used; see the separate page on PSS limitations for details.

OCSP response caching

When ADSS OCSP Server is deployed in TLS environments where large numbers of certificates have been issued, OCSP caching can be important. The OCSP load generated by client applications such as browsers, proxy servers and relying party applications can be minimized by using OCSP response caching (if the client supports it). Response caching is configured with the following property:

  • RESPONSE_EXPIRY_PERIOD = 0

If the value of this property is set to 0 then no cache headers are set on the OCSP response. If the value is set to a positive integer then the following process is followed:

  • If the CA's CRL contains a NextUpdate field/value then the OCSP response will contain the same ThisUpdate and NextUpdate values as the CRL. The same values will be set in the Last-Modified and Expires OCSP cache headers.
  • If the CRL does not contain a NextUpdate field/value then the OCSP response will contain ThisUpdate from the CRL and NextUpdate will be set to the current time plus the number of seconds in this property. The same values will be set in the Last-Modified and Expires OCSP cache headers.

Response status for unregistered CAs

This property sets the OCSP Service response status when a request is received for a certificate whose issuer is not registered within the OCSP Service.

  • STATUS_FOR_NON_REGISTERED_CA = unknown

The possible values are:

  • Unknown (the default value): the issuer CA is not registered / trusted, the certificate status will be "unknown" and the overall OCSP response status is successful.
  • Unauthorized: the OCSP service rejects requests where the issuer is unknown, and the overall response status will also be set to unauthorized.

Storing limited data into the database to minimize the database size

If your database size grows too quickly because a lot of OCSP transactions are being logged, the size of the log information can be reduced by removing some data columns from the database logs. The following properties control which columns are logged:

  • TRANSACTION_LOG_COLUMNS = RelyingPartyId,CertificationAuthorityId,Request,Response,TotalCertIds,RelyingPartyIp,RelyingPartySigningCert,RelyingPartySslCert,ErrorCode
  • TRANSACTION_DETAIL_LOG_COLUMNS = CertificationAuthorityId,Request,Response,RequestTime,ResponseTime,ResponderUrl

If you remove a column from these properties then that column's value will not be stored as part of transaction logging. The columns consuming the most resources are "Request" and "Response"; for very high volumes these should be removed.

Usual logging for an OCSP Service

  • TRANSACTION_LOG_COLUMNS = Request,Response,TotalCertIds,RelyingPartyIp,ErrorCode
  • TRANSACTION_DETAIL_LOG_COLUMNS = CertificationAuthorityId,Request,Response,RequestTime,ResponseTime,ResponderUrl


Minimal logging for an OCSP Service

  • TRANSACTION_LOG_COLUMNS = RelyingPartyId,TotalCertIds,RelyingPartyIp,ErrorCode
  • TRANSACTION_DETAIL_LOG_COLUMNS = ResponderUrl


Parameters Mapping with Transactions Log Viewer

  • RelyingPartyId: It represents the Signer's Subject Name; this parameter records the Subject DN of the OCSP response signing certificate in the case of a signed OCSP request.
  • CertificationAuthorityId: It represents the Signer's CA; this parameter records the user-friendly name of the Issuer CA of the OCSP response signing certificate in the case of a signed OCSP request.
  • Request: It represents the Request; this parameter records the OCSP request.
  • Response: It represents the Response; this parameter records the OCSP response.
  • TotalCertIds: It represents the Total Cert. IDs; this parameter records the total number of CertIDs contained in an OCSP request (i.e. the total number of certificates to be validated by the OCSP service).
  • RelyingPartyIp: It represents the IP Address; this parameter records the IP address of the requester.
  • RelyingPartySigningCert: It represents the Signing Cert; this parameter stores the OCSP request signing certificate in the case of a signed OCSP request.
  • RelyingPartySslCert: It represents the TLS Cert; this parameter stores the TLS client certificate in the case of an OCSP request over a TLS channel.
  • ErrorCode: It represents the Error Code; this parameter records the error message in case of any failure.

Parameters Mapping with Transactions Log Viewer Detail

  • CertificationAuthorityId: It represents the Cert. Authority ID; this parameter records the user-friendly name of the Issuer CA of the OCSP response signing certificate.
  • Request: It represents the Request; this parameter records the OCSP request.
  • Response: It represents the Response; this parameter records the OCSP response.
  • RequestTime: It represents the Request Time; this parameter records the time when the request was made to the OCSP service.
  • ResponseTime: It represents the Response Time; this parameter records the time when the response was sent by the OCSP service.
  • ResponderUrl: It represents the Responder URL; this parameter records the responder address if a peer OCSP responder was invoked for checking the revocation status.

Transaction logs settings

Transactions can be stored either immediately or with a delay for better performance. The following properties are used for logging:

  • TRANSACTION_LOG_MODE = LAZY
    Decides whether transactions are kept in memory before they are stored in the database (LAZY logging) or stored directly in the database (EAGER logging). Possible values: LAZY, EAGER.
    In the case of LAZY logging the transaction logs are kept in memory up to the number of seconds configured in TRANSACTION_LOG_LAZY_INTERVAL or the number of transactions configured in TRANSACTION_LOG_LAZY_RECORD_COUNT, whichever is reached first.
  • TRANSACTION_LOG_LAZY_INTERVAL = 2
    When LAZY logging is configured, transactions are kept in memory up to the configured number of seconds, or until the configured TRANSACTION_LOG_LAZY_RECORD_COUNT is reached before it.
  • TRANSACTION_LOG_LAZY_RECORD_COUNT = 400
    When LAZY logging is configured, transactions are kept in memory until the configured number of transactions is reached, or until the configured TRANSACTION_LOG_LAZY_INTERVAL elapses before it.
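The column filtering from the TRANSACTION_LOG_COLUMNS section and the LAZY/EAGER buffering described above, as an added Python example that is not the ADSS Server's own code. The TransactionLog class, its store callable (standing in for a database batch insert) and the injectable clock are assumptions made for the example.

```python
import time

# Constructed configuration values, using the property names from this page.
TRANSACTION_LOG_COLUMNS = "RelyingPartyId,TotalCertIds,RelyingPartyIp,ErrorCode"
TRANSACTION_LOG_LAZY_INTERVAL = 2        # seconds
TRANSACTION_LOG_LAZY_RECORD_COUNT = 400


class TransactionLog:
    """Column-filtered transaction logger with LAZY or EAGER storage.

    LAZY: rows stay in memory until either record_count rows are buffered or
    interval seconds have passed since the last flush, whichever comes first.
    EAGER: every row is handed to the store immediately.
    The interval is only checked on each log() call here; a real server would
    also run a timer so an idle responder still flushes (simplification).
    """

    def __init__(self, columns, store, mode="LAZY", interval=2,
                 record_count=400, clock=time.monotonic):
        self.columns = [c.strip() for c in columns.split(",") if c.strip()]
        self.store = store            # callable taking a list of rows
        self.mode = mode.upper()
        self.interval = interval
        self.record_count = record_count
        self.clock = clock            # injectable for testing
        self.buffer = []
        self.last_flush = clock()

    def log(self, transaction):
        # Drop columns not configured (e.g. the bulky Request/Response blobs);
        # a configured column missing from the record is stored as None.
        row = {c: transaction.get(c) for c in self.columns}
        if self.mode == "EAGER":
            self.store([row])
            return row
        self.buffer.append(row)
        if (len(self.buffer) >= self.record_count
                or self.clock() - self.last_flush >= self.interval):
            self.flush()
        return row

    def flush(self):
        """Write buffered rows in one batch (call this on shutdown as well)."""
        if self.buffer:
            self.store(list(self.buffer))
            self.buffer.clear()
        self.last_flush = self.clock()
```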


The following HTTP cache headers are supported in OCSP responses:

  • date
    The date and time at which the OCSP server generated the HTTP response.
  • last-modified
    The date and time at which the OCSP responder created the response. This date and time is the same as the ThisUpdate date/time in the response data.
  • expires
    Specifies how long the OCSP response is to be considered fresh; this is the same as the NextUpdate date/time in the OCSP response data.
  • ETag
    A string that identifies a particular version of the associated data. The RFC 5019 profile RECOMMENDS that the ETag value be the ASCII HEX representation of the SHA1 hash of the OCSPResponse structure.
  • cache-control
    Contains a number of caching directives:
      • max-age=<n>
        Where n is a time value later than thisUpdate but earlier than nextUpdate.
      • public
        Makes normally uncachable responses cachable by both shared and nonshared caches.
      • no-transform
        Specifies that a proxy cache cannot change the type, length, or encoding of the object content.
      • must-revalidate
        Prevents caches from intentionally returning stale responses.
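The caching rules from the RESPONSE_EXPIRY_PERIOD section together with the header list above, as an added Python example that is not part of the ADSS product: it derives the Date, Last-Modified, Expires, ETag and Cache-Control headers from a CRL's ThisUpdate/NextUpdate and the expiry period. The DER stand-in for the OCSPResponse and the choice of max-age as the seconds remaining until NextUpdate are assumptions for the example.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

# Constructed stand-in for a DER-encoded OCSPResponse (responseStatus =
# successful, no responseBytes); a responder hashes the full DER it returns.
SAMPLE_OCSP_RESPONSE = bytes.fromhex("30030a0100")


def utc(*args):
    """Build a timezone-aware UTC datetime (format_datetime needs UTC)."""
    return datetime(*args, tzinfo=timezone.utc)


def ocsp_cache_headers(now, crl_this_update, crl_next_update,
                       response_expiry_period, der_response):
    """Return the HTTP cache headers for one OCSP response.

    Rules mirrored from the RESPONSE_EXPIRY_PERIOD description:
      * 0 (or less): no cache headers, only Date.
      * NextUpdate is taken from the CRL when the CRL carries one,
        otherwise it is now + response_expiry_period seconds.
    """
    headers = {"Date": format_datetime(now, usegmt=True)}
    if response_expiry_period <= 0:
        return headers

    this_update = crl_this_update
    if crl_next_update is not None:
        next_update = crl_next_update
    else:
        next_update = now + timedelta(seconds=response_expiry_period)

    # Remaining freshness in seconds; a CRL whose NextUpdate is already in
    # the past yields max-age=0 so clients revalidate immediately.
    max_age = max(0, int((next_update - now).total_seconds()))

    headers["Last-Modified"] = format_datetime(this_update, usegmt=True)
    headers["Expires"] = format_datetime(next_update, usegmt=True)
    # RFC 5019 recommends the ETag be the hex SHA-1 of the OCSPResponse DER.
    headers["ETag"] = '"' + hashlib.sha1(der_response).hexdigest() + '"'
    headers["Cache-Control"] = (
        f"max-age={max_age}, public, no-transform, must-revalidate")
    return headers


if __name__ == "__main__":
    for k, v in ocsp_cache_headers(utc(2024, 1, 1, 12, 0), utc(2024, 1, 1, 0, 0),
                                   None, 3600, SAMPLE_OCSP_RESPONSE).items():
        print(f"{k}: {v}")
```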

