This article describes how to create a trust store that is used by the Nexus OCSP Responder.
The trust store is a file containing certificates for all trusted CAs – the trust anchors. The immediate issuers of the certificates and CRLs/CILs, that certificate status requests are made for, always need to be present in the trust store.
To create a trust store, use the command line tool certadm
, located in the /bin directory, relative to the directory where Nexus OCSP Responder is installed. See certadm commands below for more information.
...
Create a trust store in Windows
This is an example work flow on how to create a trust store and perform some common commands. When you have created the trust store or performed updates, you must restart Nexus OCSP Responder to make the updates take effect, that is, to be inserted into the cache.
Create an empty trust store.
Code Block certadm new --store="C:\ProgramFiles\Nexus\OCSP Responder\certs\trust.store" certadm new --store=..\certs\trust.store
Examples:
Add the certificate located in the file newCA.crt to the trust store.
Code Block
...
certadm add --store=../certs/trust.store --file=newCA.crt
List the contents of the trust store.
Code Block
...
certadm list --store=../certs/trust.store
Example of a list result:
Code Block (1) CN=D, C=SE (2) CN=A, C=SE (3) CN=C, C=SE (4) CN=B, C=SE (5) CN=Q, C=SE
Example: Extract the certificate of the second issuer in this list to the file A.crt.
Code Block
...
certadm extract 2 --store=../certs/trust.store --file=A.crt
Example: Delete the certificate of the first issuer in the list.
Code Block
...
...
certadm delete 1 --store=../certs/trust.store
...
...
Specify the trust store in OCSP configuration file
In the OCSP configuration file, specify as follows:
Code Block ocsp.trust.store=<directory>/<filename>.
See this table for description of constants and values:
Constants and Values | Description |
---|---|
| Replace |
| Replace |
...
...
certadm commands
These are some useful certadm commands:
Code Block |
---|
certadm help
certadm new --store=<store>
certadm add --store=<store> --file=<file>
certadm list --store=<store>
certadm show <i>
certadm extract <i> --store=<store> --file=<file>
certadm delete <i> --store=<store> |
See this table for explanations of the commands:
Options and arguments | Description |
---|---|
| Use this option to display a description of the options and arguments. |
| Use this option to create an empty trust store. |
| Use this option to specify the trust store file. Replace Default: |
| Use this option to add a certificate to the trust store. |
| Use this option to specify the file to read/write a certificate from/to. Replace |
| Use this option to list the contents of the trust store. You will get a list of all the certificates. Each certificate will be preceded by an integer. |
| Use this option to display the contents of a specified certificate from the trust store. Replace |
| Use this option to extract a specified certificate from the trust store. Replace |
| Use this option to delete a specified certificate from the trust store. Replace |
...
The options store and file must be preceded by "--".
...
Related information
...