Domain: Security: Certificate Revocation Checking: Certificate Authority Override: Configuration: OCSP
This page allows you to configure the OCSP (Online Certificate Status Protocol) properties of this SSL certificate revocation checking certificate authority override.
Configuration Options
Enable Nonce
For this CA, determines whether a nonce is sent with OCSP requests, to force a fresh (not pre-signed) response.
MBean Attribute: CertRevocCaMBean.OcspNonceEnabled

Enable Response Cache
For this CA, determines whether the OCSP response local cache is enabled.
MBean Attribute: CertRevocCaMBean.OcspResponseCacheEnabled

Response Timeout (seconds)
For this CA, determines the timeout for the OCSP response, expressed in seconds.
The valid range is 1 through 300 seconds.
MBean Attribute: CertRevocCaMBean.OcspResponseTimeout
Minimum value: 1
Maximum value: 300

Time Tolerance (seconds)
For this CA, determines the time tolerance value for handling clock-skew differences between clients and responders, expressed in seconds.
The validity period of the response is extended both into the future and into the past by the specified amount of time, effectively widening the validity interval.
The value is >=0 and <=900. The maximum allowed tolerance is 15 minutes.
MBean Attribute: CertRevocCaMBean.OcspTimeTolerance
Minimum value: 0
Maximum value: 900

Responder URL
For this CA, determines the OCSP responder URL to use as failover or override for the URL found in the certificate AIA. The usage is determined by getOcspResponderUrlUsage.
MBean Attribute: CertRevocCaMBean.OcspResponderUrl

Responder URL Usage
For this CA, determines how getOcspResponderUrl is used: as failover in case the URL in the certificate AIA is invalid or not found, or as a value overriding the URL found in the certificate AIA.
MBean Attribute: CertRevocCaMBean.OcspResponderUrlUsage

OCSP Responder Explicit Trust Method
For this CA, determines whether the OCSP Explicit Trust model is enabled and how the trusted certificate is specified.
The valid values:
- "NONE"
Explicit Trust is disabled.
- "USE_SUBJECT"
Identify the trusted certificate using the subject DN specified in the attribute OcspResponderCertSubjectName.
- "USE_ISSUER_SERIAL_NUMBER"
Identify the trusted certificate using the issuer DN and certificate serial number specified in the attributes OcspResponderCertIssuerName and OcspResponderCertSerialNumber, respectively.
MBean Attribute: CertRevocCaMBean.OcspResponderExplicitTrustMethod

Subject Name
For this CA, determines the explicitly trusted OCSP responder certificate subject name, when the attribute returned by getOcspResponderExplicitTrustMethod is "USE_SUBJECT".
The subject name is formatted as a distinguished name per RFC 2253, for example "CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US".
In cases where the subject name alone is not sufficient to uniquely identify the certificate, both the OcspResponderCertIssuerName and OcspResponderCertSerialNumber may be used instead.
MBean Attribute: CertRevocCaMBean.OcspResponderCertSubjectName

Issuer Name
For this CA, determines the explicitly trusted OCSP responder certificate issuer name, when the attribute returned by getOcspResponderExplicitTrustMethod is "USE_ISSUER_SERIAL_NUMBER".
The issuer name is formatted as a distinguished name per RFC 2253, for example "CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US".
When OcspResponderCertIssuerName returns a non-null value, the OcspResponderCertSerialNumber must also be set.
MBean Attribute: CertRevocCaMBean.OcspResponderCertIssuerName

Serial Number
For this CA, determines the explicitly trusted OCSP responder certificate serial number, when the attribute returned by getOcspResponderExplicitTrustMethod is "USE_ISSUER_SERIAL_NUMBER".
The serial number is formatted as a hexadecimal string, with optional colon or space separators, for example "2A:FF:00".
When OcspResponderCertSerialNumber returns a non-null value, the OcspResponderCertIssuerName must also be set.
MBean Attribute: CertRevocCaMBean.OcspResponderCertSerialNumber
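
The following Python lint is an added example, not part of the original page or of the product's own code: it checks a proposed set of values for the attributes above against the documented ranges and dependencies, and shows how Time Tolerance widens a response's validity interval. The dictionary layout, function names and sample values are assumptions made for the example; thisUpdate and nextUpdate are the validity fields of an OCSP response.

```python
import re
from datetime import timedelta

TRUST_METHODS = {"NONE", "USE_SUBJECT", "USE_ISSUER_SERIAL_NUMBER"}

def normalize_serial(text):
    """Hex string with optional colon or space separators -> bare uppercase hex."""
    digits = re.sub(r"[:\s]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]+", digits):
        raise ValueError("not a hexadecimal serial number: %r" % text)
    return digits.upper()

def validate_override(cfg):
    """Return a list of problems; an empty list means the values are consistent."""
    errors = []
    for key, low, high in (("OcspResponseTimeout", 1, 300), ("OcspTimeTolerance", 0, 900)):
        if key in cfg and not low <= cfg[key] <= high:
            errors.append("%s must be between %d and %d seconds" % (key, low, high))
    method = cfg.get("OcspResponderExplicitTrustMethod")
    subject = cfg.get("OcspResponderCertSubjectName")
    issuer = cfg.get("OcspResponderCertIssuerName")
    serial = cfg.get("OcspResponderCertSerialNumber")
    if method is not None and method not in TRUST_METHODS:
        errors.append("unknown OcspResponderExplicitTrustMethod: %r" % method)
    if method == "USE_SUBJECT" and not subject:
        errors.append("USE_SUBJECT requires OcspResponderCertSubjectName")
    if method == "USE_ISSUER_SERIAL_NUMBER" and not (issuer and serial):
        errors.append("USE_ISSUER_SERIAL_NUMBER requires issuer name and serial number")
    if bool(issuer) != bool(serial):
        errors.append("issuer name and serial number must be set together")
    if serial:
        try:
            normalize_serial(serial)
        except ValueError as exc:
            errors.append(str(exc))
    return errors

def within_validity(this_update, next_update, now, tolerance_seconds):
    """True if now falls in [thisUpdate, nextUpdate] widened by the tolerance on both ends."""
    slack = timedelta(seconds=tolerance_seconds)
    return this_update - slack <= now <= next_update + slack

if __name__ == "__main__":
    # Constructed sample values, not taken from a real domain.
    sample = {"OcspResponseTimeout": 10, "OcspTimeTolerance": 1200,
              "OcspResponderExplicitTrustMethod": "USE_ISSUER_SERIAL_NUMBER",
              "OcspResponderCertSerialNumber": "2A:FF:00"}
    for problem in validate_override(sample):
        print(problem)
```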