Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated to new editor and removed expand boxes.

This article describes how to create a trust store that is used by the Nexus OCSP Responder.

The trust store is a file containing certificates for all trusted CAs – the trust anchors. The immediate issuers of the certificates and CRLs/CILs, that certificate status requests are made for, always need to be present in the trust store.

To create a trust store, use the command line tool certadm, located in the /bin directory, relative to the directory where Nexus OCSP Responder is installed. See certadm commands below for more information.

...

Create a trust store in Windows

This is an example work flow on how to create a trust store and perform some common commands. When you have created the trust store or performed updates, you must restart Nexus OCSP Responder to make the updates take effect, that is, to be inserted into the cache.

  • Create an empty trust store.

    Code Block
    certadm new --store="C:\ProgramFiles\Nexus\OCSP Responder\certs\trust.store"
    certadm new --store=..\certs\trust.store

Examples:

  • Add the certificate located in the file newCA.crt to the trust store.

    Code Block

...

  • certadm add --store=../certs/trust.store --file=newCA.crt
  • List the contents of the trust store.

    Code Block

...

  • certadm list --store=../certs/trust.store

    Example of a list result:

    Code Block
    (1) CN=D, C=SE
    (2) CN=A, C=SE
    (3) CN=C, C=SE
    (4) CN=B, C=SE
    (5) CN=Q, C=SE
  • Example: Extract the certificate of the second issuer in this list to the file A.crt.

    Code Block

...

  • certadm extract 2 --store=../certs/trust.store --file=A.crt
  • Example: Delete the certificate of the first issuer in the list.

    Code Block

...

...

  • certadm delete 1 --store=../certs/trust.store

...

...

Specify the trust store in OCSP configuration file

  1. In the OCSP configuration file, specify as follows:

    Code Block
    ocsp.trust.store=<directory>/<filename>.

    See this table for description of constants and values:

Constants and Values

Description

<directory>

Replace <directory> with the directory path to the trust store. Default: certs

<filename>

Replace <filename> with the trust store filename. Default: trust.store

...

...

certadm commands

These are some useful certadm commands:

Code Block
certadm help
certadm new --store=<store>
certadm add --store=<store> --file=<file>
certadm list --store=<store>
certadm show <i>
certadm extract <i> --store=<store> --file=<file>
certadm delete <i> --store=<store>

See this table for explanations of the commands:

Options and arguments

Description

help

Use this option to display a description of the options and arguments.

new

Use this option to create an empty trust store.

store <store>

Use this option to specify the trust store file. Replace <store> with the path to the trust store file. Write file paths that include spaces within quotation marks.

Default: trust.store in the current working directory.

add

Use this option to add a certificate to the trust store.

file <file>

Use this option to specify the file to read/write a certificate from/to. Replace <file> with the path to the certificate file. Write file paths that include spaces within quotation marks.

list

Use this option to list the contents of the trust store. You will get a list of all the certificates. Each certificate will be preceded by an integer.

show <i>

Use this option to display the contents of a specified certificate from the trust store. Replace <i> with the integer that specifies the certificate. You have to execute the list option to get this integer.

extract <i>

Use this option to extract a specified certificate from the trust store. Replace <i> with the integer that specifies the certificate. You have to execute the list option to get this integer.

delete <i>

Use this option to delete a specified certificate from the trust store. Replace <i> with the integer that specifies the certificate. You have to execute the list option to get this integer.

...

The options store and file must be preceded by "--".

...

Related information

...