This article describes how to specify a response cache in the configuration file for Nexus OCSP Responder. The response cache is used to cache OCSP responses from a configurable selection of CAs, to save time.
...
| title | Enable response cache |
|---|
In the OCSP configuration file, specify as follows:
| Code Block |
|---|
ocsp.cache.enable=[true|false] |
Description of constants and values:
...
true | false
...
Enter true to enable, false not to enable a response cache. If you enter false, the rest of the settings described in this article will have no effect.
Default: false
...
| title | Specify cache size |
|---|
The cache is built up as a table, where each column specifies a certificate issuer (a CA) and for how long the response from this issuer will stay valid. You can specify a limit of the cache size, either in terms of memory or in number of responses or both. When either limit is reached, the next expired response (or the response that is the next to expire) gets replaced.
In the OCSP configuration file, specify the cache size and each row in the table as follows:
| Code Block |
|---|
ocsp.cache.maxsize=<maxsize>[K|M|G]
ocsp.cache.maxnum=<maxnum>[K|M|G]
ocsp.cache.contents.<#>.issuermatch=<attributes>
ocsp.cache.contents.<#>.expiresafter=<time expr>
ocsp.cache.renewing.<#>.issuermatch=<attributes>
ocsp.cache.renewing.<#>.updatemargin=<margin time>
ocsp.cache.renewing.client.<clientspec> |
Description of constants and values:
...
<maxsize>
...
Replace <maxsize> with the maximum size of the cache, in bytes. You can use K, M or G when you specify the size. K=1024, M=K2 and G=K3.
Default: 128M
...
<maxnum>
...
Replace <maxnum> with the maximum number of responses. You can use K, M or G when you specify the number. K=1000, M=K2 and G=K3.
Default: 10K
...
<attributes>
...
<time expr>
...
Replace <time expr> with a time period expression (short form), specified according to ISO 8601 Representation of dates and times. One expiresafter parameter is required for each configured issuermatch parameter
After this amount of time (or when nextUpdate is passed) the response will expire.
...
Example:
| Code Block |
|---|
ocsp.cache.maxsize=10K
ocsp.cache.contents.1.issuermatch=*
ocsp.cache.contents.1.expiresafter=PT4M
ocsp.cache.renewing.1.issuermatch=*,c=se
ocsp.cache.renewing.1.updatemargin=PT1M
ocsp.cache.renewing.client.response.notolderthan=PT15S |
| Note |
|---|
Using the OCSP response cache, in combination with CRLs/CILs that specify "Immediate Issue", could lead to unexpected results. A CRL that is immediately issued when a certificate is revoked, should in the best case cause any OCSP responses for the certificate to change. But if the responses are cached, this might not be the case until the duration of the cached response has expired. |