Each CA configured in Validation Authority needs a certificate to sign OCSP responses. You can:
- Use a different certificate for every CA.
- Share a certificate among multiple CAs.
Follow the steps below to issue an OCSP responder VA certificate using the Certificate Authority solution provided by Cryptographic Security Platform.
The Certificate Authority solution provides built-in CRL and OCSP capabilities. Therefore, you do not need the Validation Authority to check the validity status of certificates issued by CA instances managed by the Certificate Authority solution.
Creating a Certificate Authority to issue OCSP responder VA certificates
Follow the steps described in Managing Certificate Authority to create:
- A root Certificate Authority.
- An issuing Certificate Authority with at least one signature profile – for example, the wstep-digital-signature profile described in Active Directory (WSTEP) certificate profiles.
Creating an OCSP certificate request
Create a CA Gateway certificate enrollment request – for example:
```json
{
  "csr": "MIIDVzCCAb8...",
  "profileId": "wstep-digital-signature",
  "requiredFormat": {
    "format": "X509"
  },
  "optionalCertificateRequestDetails": {
    "extensions": [
      {
        "oid": "2.5.29.37",
        "critical": true,
        "value": "1.3.6.1.5.5.7.3.9"
      }
    ],
    "validity_period": "2024-11-06T13:00Z/2026-07-06T13:00:00Z"
  }
}
```

See below for the values required by each request field.
| Field | Line | Value |
|---|---|---|
| csr | 2 | The base64-encoded Certificate Signing Request previously generated in Generating a VA key pair, as a single line. |
| extensions | 8 | The same fields and values as in the above example (to select the OCSP signing extended key usage). |
| validity_period | 15 | The validity period for the issued certificate. The expiry date in this period cannot exceed the expiry date of the issuing CA certificate. |
Processing the OCSP certificate request
See below for processing the OCSP certificate request and obtaining the issued certificate.
To process the OCSP certificate request
- Use a REST client to process the request as explained in Issuing certificates with a REST client.
- Edit the REST response and copy the base64-encoded string in the body field.
- Save the string in a file with the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- delimiters – for example:

  ```
  -----BEGIN CERTIFICATE-----
  MIIIcDCCBligAwIBAgITMwEf/Fvr7NDwanyeRAAAAR/8WzANBgkqhkiG9w0BAQwFADBdMQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u...UdO85g==
  -----END CERTIFICATE-----
  ```

- Use this certificate file as the VA certificate when configuring the OCSP Responder settings.
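The two steps above that are easiest to get wrong, building the enrollment request (critical extKeyUsage extension selecting OCSP signing, and a validity period that must not outlive the issuing CA certificate) and turning the response body into a PEM file, as an added Python example that is not the product's own code. It assumes timestamps in full YYYY-MM-DDTHH:MM:SSZ form and runs on constructed sample input; the CA Gateway field names and OID values are the ones from the page.

```python
import base64
from datetime import datetime, timezone

# From the page's example request: extKeyUsage OID and the id-kp-OCSPSigning purpose.
EXT_KEY_USAGE_OID = "2.5.29.37"
OCSP_SIGNING_OID = "1.3.6.1.5.5.7.3.9"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"  # assumed timestamp form for validity_period

# Constructed sample CSR (not real): the page's truncated value padded to valid base64.
SAMPLE_CSR_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\nMIIDVzCCAb8=\n"
                  "-----END CERTIFICATE REQUEST-----\n")
# Constructed stand-in for the response 'body' (DER SEQUENCE tag plus zero bytes).
SAMPLE_RESPONSE_BODY = base64.b64encode(b"\x30\x81\x80" + bytes(128)).decode()


def pem_to_single_line(pem: str) -> str:
    """Drop the PEM delimiters and join the base64 body into one line."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    base64.b64decode(body, validate=True)  # fail early on a mangled CSR
    return body


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc)


def build_ocsp_va_request(csr_pem: str, profile_id: str, not_before: str,
                          not_after: str, issuer_not_after: str) -> dict:
    """Build the CA Gateway enrollment request for an OCSP responder certificate."""
    _parse_ts(not_before)  # validate the format; the page's rule only concerns the end
    if _parse_ts(not_after) > _parse_ts(issuer_not_after):
        raise ValueError("validity period exceeds the issuing CA certificate expiry")
    return {
        "csr": pem_to_single_line(csr_pem),
        "profileId": profile_id,
        "requiredFormat": {"format": "X509"},
        "optionalCertificateRequestDetails": {
            "extensions": [{"oid": EXT_KEY_USAGE_OID, "critical": True,
                            "value": OCSP_SIGNING_OID}],
            "validity_period": f"{not_before}/{not_after}",
        },
    }


def body_to_pem(body_b64: str) -> str:
    """Wrap the base64 response 'body' in PEM certificate delimiters, 64 chars per line."""
    raw = base64.b64decode(body_b64.strip(), validate=True)
    if not raw or raw[0] != 0x30:  # a DER certificate starts with a SEQUENCE tag
        raise ValueError("response body is not a DER-encoded certificate")
    b64 = base64.b64encode(raw).decode("ascii")
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"
```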