Nexus OCSP Responder scales well on servers with multiple cores. More memory may be required when many logical responders are hosted in a single server instance and the responder loads large CRLs. For load tests, also take HSM performance into account so that the HSM does not become a bottleneck. Performance is affected by the length of the Nexus OCSP Responder signing key.
The following operating systems are supported:
CentOS 7, 8
Red Hat Enterprise Linux 7, 8
SUSE Linux Enterprise Server 15
OpenSUSE Leap 15
Microsoft Windows 2012 Server
Microsoft Windows 2016 Server
Microsoft Windows 2019 Server
The following software is supported:
64-bit Java Runtime Environment (JRE) version 11.
Nexus OCSP Responder is compatible with both OpenJDK and Oracle Java.
It is important that all participants in a PKI use the same time standard. Specifically, Nexus OCSP Responder has to agree on the time with the CAs issuing CRLs/CILs and with the OCSP clients.
Make sure these clocks are synchronized, that is, that the participants use a synchronization protocol such as the Network Time Protocol (NTP).
Hardware Security Modules
A PKCS#11-compliant device can be used for handling CA key pairs and system keys, for protecting archived keys, and for key generation.
For functional specifications, known issues and limitations related to current PKCS#11 drivers, see each HSM vendor's website.
The following devices are explicitly verified:
AEP Systems Sureware Keyper, FIPS 140-1 level 4
Atos Bull Trustway Proteccio NetHSM
Note: Only verified with CIS, not with CCM and KAR.