This article describes how to specify a response cache in the configuration file for Nexus OCSP Responder. The response cache is used to cache OCSP responses from a configurable selection of CAs, to save time.
...
Enable response cache
In the OCSP configuration file, specify as follows:
Code Block ocsp.cache.enable=[true|false]
Description of constants and values:
Constants and Values | Description |
---|---|
| Enter Default:
|
...
Specify cache size
The cache is built up as a table, where each column specifies a certificate issuer (a CA) and for how long the response from this issuer will stay valid. You can specify a limit of the cache size, either in terms of memory or in number of responses or both. When either limit is reached, the next expired response (or the response that is the next to expire) gets replaced.
In the OCSP configuration file,
...
specify the cache size and each row in the table as follows:
Code Block ocsp.cache.maxsize=<maxsize>[K|M|G] ocsp.cache.maxnum=<maxnum>[K|M|G] ocsp.cache.contents.<#>.issuermatch=<attributes> ocsp.cache.contents.<#>.expiresafter=<time expr> ocsp.cache.renewing.<#>.issuermatch=<attributes> ocsp.cache.renewing.<#>.updatemargin=<margin time> ocsp.cache.renewing.client.<clientspec>
Description of constants and values:
Constants and Values | Description |
---|---|
| Replace Default: 128M |
| Replace Default: 10K |
| Replace |
| Replace |
| Replace After this amount of time (or when |
| Replace |
| The refresh requests will be carried out by the back end OCSP client, which by default will use the settings you made in section "Specify OCSP client request" in Back end client section. You may override any of these settings by adding a new specification here. Use the same syntax as described for the back end client (see Back end client section) but replace |
Example:
Code Block |
---|
ocsp.cache.maxsize=10K
ocsp.cache.contents.1.issuermatch=*
ocsp.cache.contents.1.expiresafter=PT4M
ocsp.cache.renewing.1.issuermatch=*,c=se
ocsp.cache.renewing.1.updatemargin=PT1M
ocsp.cache.renewing.client.response.notolderthan=PT15S note |
Using the OCSP response cache, in combination with CRLs/CILs that specify "Immediate Issue", could lead to unexpected results. A CRL that is immediately issued when a certificate is revoked, should in the best case cause any OCSP responses for the certificate to change. But if the responses are cached, this might not be the case until the duration of the cached response has expired.