Back end client section

• In the OCSP configuration file, specify as follows:

  CODE

  ocsp.client.urlcheck.<m#>=[servicelocator|table|fromcert]

  See this table for description of constants and values:

  Constants and Values	Description
  <m#>	Replace <m#> with the method sequence number.
  servicelocator | table | fromcert	The servicelocator method uses the serviceLocator request extension to get the URL of the authoritative responder. The table method uses a table with two columns: the rule to find a certain CA the URL of the corresponding remote OCSP responder. For more information, see section "Lookup table" below. The fromcert method searches the certificate in the certificate cache (and in case of no hit and if lookup is specified, in a directory). The authorityInformationAccess (AIA) certificate extension is used to find the URL. Note that if you use Windows domains, do not include a trailing slash in the AIA attribute. Default: servicelocator

This section describes the table method. Enumerate the rows in the table and identify all the specifications for a certain row with the sequence number for this row.

1. In the OCSP configuration file, specify as follows:

   CODE

   ocsp.client.urlcheck.<m#>.table.<r#>.issuermatch=<attributes>
   ocsp.client.urlcheck.<m#>.table.<r#>.url=<URL>

2. Systems or applications that rely on OCSP responses, must verify each response according to specified criteria. This is described in section 4.2.2.2 of RFC 6960 X.509 Internet Public Key Infrastructure Online Certificate Status Protocol – OCSP, see https://tools.ietf.org/html/rfc6960. 

   Optionally, to comply with this section, these criteria can include that the signature certificate in the lookup response only need to match a specified name. This is useful if, for some reason, the response is not signed with a certificate related to the issuer of the queried certificate. This is only applicable if ...client.response.signature.check is true. If you want to include this, add the following:
   
   

   CODE

   ocsp.client.urlcheck.<m#>.table.<r#>.respondername=<trusted resp name>

   See this table for description of constants and values:

   Constants and Values	Description
   <m#>	Replace <m#> with the method sequence number.
   <r#>	Replace <r#> with the row sequence number.
   <attributes>	Replace <attributes> with the attributes to use for a match. Wildcards are allowed.
   <URL>	Replace <URL> with the URL to use if this rule matches.
   <trusted resp name>	Replace <trusted resp name> with the name of a trusted responder. Wildcards are allowed.

Example

ocsp.client.urlcheck.1=servicelocator
ocsp.client.urlcheck.2=table
ocsp.client.urlcheck.2.table.1.issuermatch=*,o=Posten Publ. AB,c=SE
ocsp.client.urlcheck.2.table.1.url=http://ocsphost/myProxyForPosten/
ocsp.client.urlcheck.2.table.1.respondername=cn=OCSP
Responder,o=Nexus,c=SE
ocsp.client.urlcheck.2.table.2.issuermatch=*,o=Our Partner,c=UK
ocsp.client.urlcheck.2.table.2.url=http://ocsp.ourpartner.co.uk/

• If TLS is used and the remote OCSP responder requires client authentication, specify a key for this:
  

  CODE

  ocsp.client.authentication.key.certificate=<certificate pattern>
  ocsp.client.authentication.key.pin=<PIN>

  To encrypt the pin, see Encryption of sensitive configuration parameters.

  Constants and Values	Description
  <certificate pattern>	Replace <certificate pattern> with the certificate pattern to specify the key pair. For a description of the syntax, see heading “LDAP certificate patterns” in Introduction to LDAP.
  <PIN>	Replace <PIN> with the PIN for the key pair.

• In the OCSP configuration file, specify the OCSP client request as follows:

  CODE

  ocsp.client.request.usecache=[true|false]
  ocsp.client.request.http.method=[get|post]
  ocsp.client.request.http.timeout=<time expr>
  ocsp.client.request.nonce=[true|false]
  ocsp.client.request.nonce.size=<size>
  ocsp.client.request.signature.key.certificate=<certificate pattern>
  ocsp.client.request.signature.key.pin=<PIN>
  ocsp.client.request.signature.othercerts=[none|byname|bykey]
  ocsp.client.request.signature.chain=[none|cert|chain|allchains]
  ocsp.client.request.signature.chain.includeroot=[true|false]
  ocsp.client.request.freshnessproofs.add=[true|false]

  See this table for description of constants and values:

  Constants and Values	Description
  true | false for parameter ...usecache	Enter true to check, false not to check the response cache first of all. Default: false
  get | post	Enter get or post to specify the HTTP method to be used when the OCSP client requests a remote responder. Default: post
  <time expr>	Replace <time expr> with a time period expression (short form), specified according to ISO 8601 Representation of dates and times. This is the maximum amount of time the client will wait for response. Example 1: P1Y2M3DT4H5M6S stands for 1 year, 2 months, 3 days, 4 hours, 5 minutes and 6 seconds. Example 2: P1D stands for 1 day. Example 3: PT1H stands for 1 hour. Note the extra separator ‘T’ before time units shorter than one day. Default: PT30S
  true | false for parameter ...nonce	Enter true to add, false not to add "nonce" to the request. "Nonce" is random data, generated by the client and used to guarantee the freshness of a response and protect against replay attacks. Default: false
  <size>	Replace <size> with the size in bytes of the nonce. Default: 16
  <certificate pattern>	Replace <certificate pattern> with the certificate pattern to specify the key pair. For a description of the syntax, see Section 6.2.3, “ Certificate Pattern ”.
  <PIN>	Replace <PIN> with the PIN for the key pair.
  none | byname | bykey	The parameter ...othercerts will be ignored if the parameter ...chain is set to "none". Enter none to indicate that the request shall include only the signature certificate. Enter byname to let Nexus OCSP Responder search the certificate cache for other certificates with the same public key as the signature certificate, but only include those in the request, which also have the same subject distinguished name. Enter bykey to let Nexus OCSP Responder search the certificate cache for other certificates with the same public key as the signature certificate and include them in the request. Default: none
  none | cert | chain | allchains	Enter none to indicate that no signature certificate(s) shall be appended to the request. Enter cert to indicate that the signature certificate shall be appended to the request. If parameter ...othercerts is set to "byname" or "bykey", all applicable certificates shall be appended. Enter chain to indicate that one chain of certificates, chaining to the trust store, shall be appended to the request. If parameter ...othercerts is set to "byname" or "bykey", one chain for every applicable certificate shall be appended. Enter allchains to indicate that all possible certificate chains shall be appended to the request. If parameter ...othercerts is set to "byname" or "bykey", all valid chains for all applicable certificates shall be appended. Default: chain
  true | false for parameter ...includeroot	The parameter ...signature.chain.includeroot is relevant only when parameter ...signature.chain is set to "chain" or "allchains". Enter true to include, false not to include the root certificate in the chains. Default: false
  true | false for parameter ...freshnessproofs.add	Enter true to query, false not to query the local OCSP response cache for the status of the certificates in the signature chain and to add them to a freshness proof extension in the request, if possible. Default: false

• In the OCSP configuration file, specify the OCSP client response as follows:

  CODE

  ocsp.client.response.allowunknown=[true|false]
  ocsp.client.response.nonce.check=[true|false]
  ocsp.client.response.signature.check=[true|false]
  ocsp.client.response.signature.allowauthority=[true|false]
  ocsp.client.response.chain.validate=[true|false]
  ocsp.client.response.notolderthan=<time expr>
  ocsp.client.response.freshnessproof.handle=[true|false]

  See this table for description of constants and values:

  Constants and Values	Description
  true | false for parameter ...allowunknown	Enter true to accept, false not to accept an OCSP response with status "unknown". If this is enabled and the status would be unknown, a "tryLater" response will be created and returned instead of the received response. Default: false
  true | false for parameter ...nonce.check	Enter true to check, false not to check that if a nonce was included in the request, an identical nonce can be found in the response. Default: true
  true | false for parameter ...signature.check	Enter true to check, false not to check the signature certificate. If this is enabled and the signature could not be verified, a "tryLater" response will be created and returned instead of the received response. Disabling this can be a convenient way to always forward requests and their responses if the queried responders are trusted. Default: true
  true | false for parameter ..signature.allowauthority	Enter true to accept an OCSP responder if the response signer was issued by an authority that is found in the certificate chain of the certificate for which status is requested, false if not. This is only applicable if ...signature.check is true. Default: false
  true | false for parameter ...chain.validate	Enter true to make a full validation of the whole chain of signature certificates. Enter false to make no validation. This is only applicable if ...signature.check is true. Default: true
  <time expr>	Replace <time expr> with a time period expression (short form), specified according to ISO 8601 Representation of dates and times (see also information in the Constants and Values table under heading "Specify OCSP Client request)". If the difference between the current time and the producedAt value exceeds this setting, the response will not be used. Default: No checking
  true | false for parameter ...freshnessproof.handle	Enter true to extract, false not to extract the freshness proof extension from the OCSP response if present and add the contents to the OCSP response cache. Default: false