OCSP Service
Property |
Description |
Signature Padding Scheme |
Define the signature padding scheme to be used by the OCSP service while doing OCSP response signing operation. The default parameter value is:
Possible values are PKCS1 and PSS Note: Click here for more details on limitations when PSS padding scheme is used. |
OCSP response caching |
When ADSS OCSP Server is deployed in TLS environments where large numbers of certificates have been issued, the use of OCSP caching can be important. The OCSP load can be minimized on OCSP client applications such as browsers, proxy servers, relying party applications etc by using OCSP Response caching (if this is supported by the client). Response caching is implemented using the following property:
If the value of this property is set to 0 then cache headers will not be set with the OCSP response. If the value is set to a positive integer then the following process is followed:
|
Response status for unregistered CAs |
This property sets the OCSP Service response status when a request is received for a certificate whose issuer is not registered within the OCSP Service.
The possible value are:
|
Storing limited data into the database to minimize the database size |
If your database size grows too quickly because a lot of OCSP transactions are being logged then the size of log information can be reduced by removing some data columns from the database logs. The following are the attributes which manages the logging of specified column:
If you remove any of the column in these properties then that column's value will not be stored as part of transaction logging. The columns consuming most resources are "Request" and "Response" and for very high volumes these should be removed. Usual Logging for an OCSP Service
Minimal logging for an OCSP Service
Parameters Mapping with Transactions Log Viewer
Parameters Mapping with Transactions Log Viewer Detail
|
Transaction logs settings |
Transactions can be stored either directly or delayed for better performance. The following properties are used for logging:
|
The following table lists the supported HTTP response headers:
OCSP Cache Header |
Description |
date |
The date and time at which the OCSP server generated the HTTP response. |
last-modified |
The date and time at which the OCSP responder created the response. This date and time is the same as the ThisUpdate date / time in the response data. |
expires |
Specifies how long the OCSP response is to be considered fresh - this is the same as the NextUpdate date/time in the OCSP response data. |
ETag |
A string that identifies a particular version of the associated data. The RFC 5019 profile RECOMMENDS that the ETag value be the ASCII HEX representation of the SHA1 hash of the OCSPResponse structure. |
cache-control |
Contains a number of caching directives.
|
See also
OCSP Service
Certification Service
CRL Monitor
SAM Service
RAS Service
CSP Service
Unity Service