ADSS OCSP Service is an advanced implementation of Online Certificate Status Protocol (OCSP) that provides revocation status information for x.509 certificates, based on either CRLs or real-time certificate information. It is a validation authority, which is fully compliant to the IETF RFC 6960 and RFC 8954 and partially to RFC 5019 standards (to support client side caching). ADSS OCSP Service can be configured to provide revocation status of digital certificates issued by multiple CAs, defined within the Trust Manager.  

ADSS OCSP Service excels because of its sophisticated validation policies and FIPS 201 compliance. It offers excellent scalability, resilience and the ability to pre-define multiple CAs and their individual validation policies. It can monitor and check multiple CRL locations and digest these to offer high performance. The attention to detail in security management, including optional dual control of specific features, management reporting and transaction log views of validation information, are in advance of anything seen elsewhere, and these aspects are key to minimising operational time and costs. 

ADSS Server OCSP Service supports many unique and innovative features, including:

  • A single installation of OCSP Service can respond for multiple CAs and support multiple complex trust models
  • unique and extended certificate validation policy can be defined for each registered CA.
  • Certificate path building and certificate status checking for OCSP requesters and peer OCSP responders.
  • Automatic, ‘Intelligent’ and ‘manual’ routing options for relaying OCSP requests to peer OCSP responders.
  • Ability to link disparate PKI islands together by implementing cross-validation.
  • High availability and throughput even whilst providing secure access and transaction logging.
  • Full support for HSMs from Thales SafeNet Luna, Thales SafeNet ProtectServer,  nShield, Utimaco CryptoServer and other PKCS#11 compliant devices  
    (ADSS Server can also use CAPI/CNG connected HSMs using existing keys and certificates but new keys cannot be generated because of driver limitations).
  • Detailed secure logging, transaction history, transaction viewer and management information.
  • Management reporting for viewing OCSP service statistics in both graphical and tabular form, and the ability to generate and export a range of reports.
  • Support for a wide variety of systems and databases.

The following image shows the OCSP Service sub-modules, details of which are given in the next sections:

See also

ADSS Server Knowledge Base

Welcome

Getting Started
Concepts & Architecture
ADSS RA Service
ADSS Certification Service
ADSS Signing Service
ADSS Go>Sign Service
ADSS RAS Service
ADSS SAM Service
ADSS CSP Service
ADSS TSA Service
ADSS Verification Service
ADSS OCSP Monitor
ADSS OCSP Service
ADSS SCVP Service
ADSS XKMS Service
ADSS LTANS Service
ADSS HMAC Service
ADSS Decryption Service
ADSS OCSP Repeater Service
ADSS NPKD Service
ADSS SPOC Service
Manage CAs
Key Manager
Trust Manager

TSL Monitor
ADSS CRL Monitor
Global Settings
Access Control
Client Manager
System Log Viewer
Server Manager
Approval Manager
Operational Management
Advanced Configuration