This article describes how to configure Nexus OCSP Responder to validate a certificate. This is done in the "Validation" section of the Nexus OCSP Responder configuration file. Certificates can be validated by checking for revocation data locally in a CRL (Certificate Revocation List) or (if enabled) in a CIL (Certificate Issuance List) cache, or by forwarding the request to a remote OCSP responder.
It is recommended to configure no more than one validator per type (CRL or CIL). A validator can be configured with multiple providers of different types (pull or push).
Each validator works against a cache, where all the CRLs/CILs that are obtained by the configured providers are placed. The cache is stored in a directory on disk where every new CRL/CIL is saved. The default cache directories are crls for the CRL validator and cils for the CIL validator. At restart, the caches are initialized from these directories. You can manually copy certain CRLs/CILs to the directories before you start Nexus OCSP Responder for the first time.
Step-by-step instruction
A validator can be of type: CRL or CIL.
For each validator:
The CA that provides the directory service can supply one or more alternative sites. If so, you can specify a list of URLs.
This article is valid for Nexus OCSP Responder 6.2.2 and later