Nexus OCSP Responder

Default OCSP configuration

This article includes updates for Nexus OCSP responder 6.3.0.

This article describes the ocsp.conf file installed with Nexus OCSP Responder, that is, the default configuration.

Scramble sensitive configuration parameters

To scramble any configuration parameter in the configuration file, add the keyword encrypted to the parameter definition in the configuration. The next time the application starts, it scans the configuration file for unscrambled values and scrambles the value. The updated configuration file is saved to disk.

For example: *.pin = 1234 is considered sensitive and should therefore be scrambled.

  1. To scramble the parameter, replace the parameter with *.pin.encrypted = 1234.

  2. The server will find the unscrambled value and scramble it.

  3. In the resulting configuration file the parameter is rewritten to, for example, *.pin.encrypted = encrypted:MCa12==.
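A small audit script for the procedure above, added here as an example and not part of the Nexus product. It assumes only the conventions shown on this page (';' comment lines, backslash line continuation, '.pin' keys as sensitive, '.pin.encrypted' as the scramble request, and an 'encrypted:' prefix on values the server has already rewritten) and flags PINs still stored in clear text, using a constructed sample configuration.

```python
# Added example (not part of the Nexus product): audit an ocsp.conf for PIN
# values still in clear text. Assumes the conventions shown on this page:
# ';' starts a comment line, a trailing backslash continues a line, a key
# ending in '.pin' is sensitive, '.pin.encrypted' requests scrambling, and a
# value the server has already scrambled starts with 'encrypted:'.
# SAMPLE_CONF is a constructed sample, not a real deployment file.
SAMPLE_CONF = """\
responder.1.type=basic
responder.1.signer.1.pin=1234
;responder.2.signer.1.pin=secret
key.store.store.1=ocsp_signer.p12
key.store.store.1.pin.encrypted=5678
key.store.store.2.pin.encrypted=encrypted:MCa12==
agent.log.loggerdef.format.fields\\
= {date} {class} {severity} {message}
"""


def parse_conf(text):
    """Yield (key, value) pairs, joining continuations, skipping comments."""
    logical = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # continuation: keep accumulating
            logical += line[:-1]
            continue
        stripped = (logical + line).strip()
        logical = ""
        if not stripped or stripped.startswith(";"):
            continue                     # blank or commented-out parameter
        key, sep, value = stripped.partition("=")
        if sep:
            yield key.strip(), value.strip()


def find_unscrambled_pins(text):
    """Return [(key, reason)] for active PINs that are not yet protected."""
    findings = []
    for key, value in parse_conf(text):
        if key.endswith(".pin"):
            findings.append((key, "missing .encrypted keyword"))
        elif key.endswith(".pin.encrypted") and not value.startswith("encrypted:"):
            findings.append((key, "not yet scrambled by the server"))
    return findings


if __name__ == "__main__":
    for key, reason in find_unscrambled_pins(SAMPLE_CONF):
        print(f"{key}: {reason}")
```

Run it against a real ocsp.conf after the server has restarted: any remaining finding means a PIN is still readable on disk.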

Providers

The order of cryptographic providers used by the Nexus OCSP Responder.

ocsp.providers.1=org.bouncycastle.jce.provider.BouncyCastleProvider
ocsp.providers.2=com.id2tech.security.provider.ID2
ocsp.providers.3=com.id2tech.security.store.ID2Store

Validators

For more information, see the Validation section.

CRL Validator

ocsp.validation.1.type=crl
ocsp.validation.1.cacheDir=crls
ocsp.validation.1.provider.1.type=push
ocsp.validation.1.provider.1.listen.url=http://*:8081/

CIL Validator

ocsp.validation.2.type=cil
ocsp.validation.2.cacheDir=cils
ocsp.validation.2.provider.1.type=push
ocsp.validation.2.provider.1.listen.url=http://*:8082/

Responders

For more information, see the OCSP responder section.

Basic Responder

;responder.1.type=basic
;responder.1.url=http://*:8080/basic
;responder.1.workers=5
;responder.1.signer.1.issuerdn=cn=Root CA,c=SE
;responder.1.signer.1.certificate=cn=OCSP-signer*
;responder.1.signer.1.signingalgorithm=SHA256withRSA
;responder.1.signer.1.pin=<PIN>

Non Issued Basic Responder

;responder.2.type=non-issued-basic
;responder.2.url=http://*:8080/non-issued
;responder.2.workers=5
;responder.2.signer.1.issuerdn=cn=Root CA,c=SE
;responder.2.signer.1.certificate=cn=OCSP-signer*
;responder.2.signer.1.signingalgorithm=SHA256withRSA
;responder.2.signer.1.pin=<PIN>

Fallback Responder

Please see the corresponding page: OCSP Fallback Responder

Key Stores

For more information, see the Key management section.

;key.store.store.1=ocsp_signer.p12
;key.store.store.1.pin=<PIN>

Log file

For more information, see the System management section.

Java Util Logging level

ocsp.java.util.logging.level - The Java Util Logging level that should be redirected to the OCSP agent to be captured.

  • Possible values: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST.

    • SEVERE, WARNING, INFO, CONFIG are redirected with class=oper.

    • FINE, FINER, FINEST are redirected with class=trace.

  • Output printed to system err/out is printed with level FINE, for example when enabling debugging of TLS connections with the Java VM parameter -Djavax.net.debug=ssl:handshake.

Default value:
;ocsp.java.util.logging.level = INFO

Global log parameters

agent.log.loggerdef.encoding = ISO-8859-1
agent.log.loggerdef.format.date = [yyyy/MM/dd:HH:mm:ss.SSS]
agent.log.loggerdef.filedate = yyMMdd
;agent.log.loggerdef.offset = T0H
agent.log.loggerdef.period = P1D
agent.log.loggerdef.format.fields\
= {date} {class} {severity} {transactionid:5,,28} {message}
agent.log.loggerdef.filter = !class=audit
agent.log.1.type = file
agent.log.1.prefix = log/ocsp
agent.log.2.type = file
agent.log.2.prefix = log/audit
agent.log.2.filter = class=audit.pkiStateAltered
;agent.log.3.type = file
;agent.log.3.prefix = log/audit-req-resp
;agent.log.3.filter = class=audit.ocspQuery | class=audit.ocspResponse
;agent.log.3.format.fields\
= {date} {class} {severity} {transactionid:5,,28} {message} %s