ADSS OCSP Service is an advanced implementation of the Online Certificate Status Protocol (OCSP) that provides revocation status information for X.509 certificates, based on either CRLs or real-time certificate information. It is a validation authority that is fully compliant with IETF RFC 6960 and partially compliant with RFC 5019 (to support client-side caching). ADSS OCSP Service can be configured to provide the revocation status of digital certificates issued by multiple CAs, defined within the Trust Manager.

ADSS OCSP Service excels because of its sophisticated validation policies and FIPS 201 compliance. It offers excellent scalability, resilience and the ability to pre-define multiple CAs and their individual validation policies. It can monitor and check multiple CRL locations and digest these to offer high performance. The attention to detail in security management, including optional dual control of specific features, management reporting and transaction log views of validation information, are in advance of anything seen elsewhere, and these aspects are key to minimising operational time and costs. 

ADSS Server OCSP Service supports many unique and innovative features, including:

  • A single installation of OCSP Service can respond for multiple CAs and support multiple complex trust models.
  • A unique and extended certificate validation policy can be defined for each registered CA.
  • Certificate path building and certificate status checking for OCSP requesters and peer OCSP responders.
  • Automatic, ‘Intelligent’ and ‘manual’ routing options for relaying OCSP requests to peer OCSP responders.
  • Ability to link disparate PKI islands together by implementing cross-validation.
  • High availability and throughput even whilst providing secure access and transaction logging.
  • Full support for HSMs from Thales SafeNet Luna, Thales SafeNet ProtectServer, nCipher nShield, Utimaco CryptoServer and other PKCS#11 compliant devices  
    (ADSS Server can also use CAPI/CNG connected HSMs using existing keys and certificates but new keys cannot be generated because of driver limitations).
  • Detailed secure logging, transaction history, transaction viewer and management information.
  • Management reporting for viewing OCSP service statistics in both graphical and tabular form, and the ability to generate and export a range of reports.
  • Support for a wide variety of systems and databases.

The following image shows the OCSP Service sub-modules, details of which are given in the next sections:

See also

ADSS Server Knowledge Base
