Skip to main content
Skip table of contents

Default OCSP configuration

This article is valid for Nexus OCSP responder 6.1 and later.

This article describes the ocsp.conf file installed with Nexus OCSP Responder, that is, the default configuration.

Scramble sensitive configuration parameters

To scramble any configuration parameter in the configuration file, add the keyword encrypted to the parameter definition in the configuration. The next time the application starts, it scans the configuration file for unscrambled values and scrambles the value. The updated configuration file is saved to disk.

For example: *.pin = 1234 is considered to be sensitive and should therefore be scrambled.

  1. To scramble the parameter, replace the parameter with *.pin.encrypted = 1234.
  2. The server will find the unscrambled value and scramble it.
  3. In the resulting configuration file the parameter is rewritten to *.pin.encrypted = encrypted:MCa12== for example.
Providers

The order of cryptographic providers used by the Nexus OCSP Responder.

CODE 
ocsp.providers.1=org.bouncycastle.jce.provider.BouncyCastleProvider
ocsp.providers.2=com.id2tech.security.provider.ID2
ocsp.providers.3=com.id2tech.security.store.ID2Store
Validators

For more information, see Validation section.

CRL Validator

CODE 
ocsp.validation.1.type=crl
ocsp.validation.1.cacheDir=crls
ocsp.validation.1.provider.1.type=push
ocsp.validation.1.provider.1.listen.url=http://*:8081/

CIL Validator

CODE 
ocsp.validation.2.type=cil
ocsp.validation.2.cacheDir=cils
ocsp.validation.2.provider.1.type=push
ocsp.validation.2.provider.1.listen.url=http://*:8082/
Responders

For more information, see OCSP responder section.

Basic Responder

CODE 
;responder.1.type=basic
;responder.1.url=http://*:8080/basic
;responder.1.workers=5
;responder.1.signer.1.issuerdn=cn=Root CA,c=SE
;responder.1.signer.1.certificate=cn=OCSP-signer*
;responder.1.signer.1.signingalgorithm=SHA256withRSA
;responder.1.signer.1.pin=<PIN>

Non Issued Basic Responder

CODE 
;responder.2.type=non-issued-basic
;responder.2.url=http://*:8080/non-issued
;responder.2.workers=5
;responder.2.signer.1.issuerdn=cn=Root CA,c=SE
;responder.2.signer.1.certificate=cn=OCSP-signer*
;responder.2.signer.1.signingalgorithm=SHA256withRSA
;responder.2.signer.1.pin=<PIN>
Key Stores

For more information, see Key management section.

CODE 
:key.store.store.1=ocsp_signer.p12
:key.store.store.1.pin=<PIN>
Log file

For more information, see System management section.

Java Util Logging level

ocsp.java.util.logging.level - The Java Util Logging level that should be redirected to OCSP agent to be captured.

  • Possible values: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST.
    • SEVERE, WARNING, INFO, CONFIG are redirected with class=oper.
    • FINE, FINER, FINEST are redirected with class=trace.
  • Output printed to system err/out is printed with level FINE. For example when enabling debugging of TLS connections with the Java VM parameter: - Djavax.net.debug=ssl:handshake


Default value

CODE 
;ocsp.java.util.logging.level = INFO

Global log parameters

CODE 
agent.log.loggerdef.encoding = ISO-8859-1
agent.log.loggerdef.format.date = [yyyy/MM/dd:HH:mm:ss.SSS]
agent.log.loggerdef.filedate = yyMMdd
;agent.log.loggerdef.offset = T0H
agent.log.loggerdef.period = P1D
agent.log.loggerdef.format.fields\
= {date} {class} {severity} {transactionid:5,,28} {message}
agent.log.loggerdef.filter = !class=audit
CODE 
agent.log.1.type = file
agent.log.1.prefix = log/ocsp
agent.log.2.type = file
agent.log.2.prefix = log/audit
agent.log.2.filter = class=audit.pkiStateAltered
;agent.log.3.type = file
;agent.log.3.prefix = log/audit-req-resp
;agent.log.3.filter = class=audit.ocspQuery | class=audit.ocspResponse
;agent.log.3.format.fields\
= {date} {class} {severity} {transactionid:5,,28} {message} %s
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close