Versions Compared

Old Version 1

changes.mady.by.user Ann Base

Saved on

compared with

New Version 2

changes.mady.by.user Ann Base

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Corrected the syntax for the delete command.

This article describes how to create a trust store that is used by the Nexus OCSP Responder.

The trust store is a file containing certificates for all trusted CAs – the trust anchors. The immediate issuers of the certificates and CRLs/CILs, that certificate status requests are made for, always need to be present in the trust store.

To create a trust store, use the command line tool certadm, located in the /bin directory, relative to the directory where Nexus OCSP Responder is installed. See certadm commands below for more information.


Expand
titleCreate a trust store in Windows

This is an example work flow on how to create a trust store and perform some common commands. When you have created the trust store or performed updates, you must restart Nexus OCSP Responder to make the updates take effect, that is, to be inserted into the cache.

  1. Create an empty trust store.

    Code Block
    certadm new --store="C:\ProgramFiles\Nexus\OCSP Responder\certs\trust.store"
certadm new --store=..\certs\trust.store


Examples:

  • Add the certificate located in the file newCA.crt to the trust store.

    Code Block
    titleExample: Add certificate to trust store
    certadm add --store=../certs/trust.store --file=newCA.crt


  • List the contents of the trust store.

    Code Block
    titleExample: List content of trust store
    certadm list --store=../certs/trust.store

    Example of a list result:

    Code Block
    (1) CN=D, C=SE
(2) CN=A, C=SE
(3) CN=C, C=SE
(4) CN=B, C=SE
(5) CN=Q, C=SE


  • Example: Extract the certificate of the second issuer in this list to the file A.crt.

    Code Block
    titleExample: Extract certificate from trust store
    certadm extract 2 --store=../certs/trust.store --file=A.crt


  • Example: Delete the certificate of the first issuer in the list.

    Code Block
    titleExample: Delete certificate from trust store
    certadm delete 1 --store=../certs/trust.store



Expand
titleSpecify the trust store in OCSP configuration file

  1. In the OCSP configuration file, specify as follows:

    Code Block
    ocsp.trust.store=<directory>/<filename>.

    See this table for description of constants and values:

    Constants and ValuesDescription

    <directory>

    		Replace <directory> with the directory path to the trust store. Default: certs

    <filename>

    		Replace <filename> with the trust store filename. Default: trust.store



Anchor
certadm
certadm
Expand
titlecertadm commands

These are some useful certadm commands:

Code Block
certadm help
certadm new --store=<store>
certadm add --store=<store> --file=<file>
certadm list --store=<store>
certadm show <i>
certadm extract <i> --store=<store> --file=<file>
certadm delete <i> --store=<store> --file=<file>

See this table for explanations of the commands:

Options and argumentsDescription

help

Use this option to display a description of the options and arguments.
new Use this option to create an empty trust store.
store <store>

Use this option to specify the trust store file. Replace <store> with the path to the trust store file. Write file paths that include spaces within quotation marks.

Default: trust.store in the current working directory.

add

Use this option to add a certificate to the trust store.

file <file>

Use this option to specify the file to read/write a certificate from/to. Replace <file> with the path to the certificate file. Write file paths that include spaces within quotation marks.
list

Use this option to list the contents of the trust store. You will get a list of all the certificates. Each certificate will be preceded by an integer.

show <i>

Use this option to display the contents of a specified certificate from the trust store. Replace <i> with the integer that specifies the certificate. You have to execute the list option to get this integer.
extract <i>Use this option to extract a specified certificate from the trust store. Replace <i> with the integer that specifies the certificate. You have to execute the list option to get this integer.
delete <i>

Use this option to delete a specified certificate from the trust store. Replace <i> with the integer that specifies the certificate. You have to execute the list option to get this integer.


Note

The options store and file must be preceded by "--".



Related information