Comment: Version published after converting to the new editor

...

The certificate cache is a cache directory where "non-trusted" certificates (meaning all certificates except those for the trusted CAs) are stored. Each certificate is stored in a file of its own. After validation, all certificates that need a directory service lookup can be stored using a disk caching mechanism. Nexus OCSP Responder will not search for the certificates in the directory service at the next request. 

...

Specify cache directories for the certificates

In the OCSP configuration file, specify directory and size as follows:

ocsp.certs.persistentdir=<directory>
ocsp.certs.cachedir=<cache-directory>
ocsp.certs.maxsize=<maxsize>[K|M|G]
ocsp.certs.maxnum=<maxnum>[K|M|G]

The following table describes the constants and values:

Constants and Values | Description

<directory>

Replace <directory> with the path to the directory that should hold the persistent certificates.

Default: certs/persist-cache

This directory is used for intermediate CA certificates and remote OCSP responder certificates that must remain persistent in the cache. Copy those certificate files into this directory. At system restart, these certificates are read into the cache and remain there.

<cache-directory>

Replace <cache-directory> with the path to the directory where the non-persistent certificates will be saved. All certificate files in this directory will be read into the cache at system restart.

Default: certs/cache

<maxsize>

Replace <maxsize> with the maximum size of the directory, in bytes. You can use K, M or G when you specify the size. K=1024, M=K² and G=K³.

Default: 10M

<maxnum>

Replace <maxnum> with the maximum number of certificates. You can use K, M or G when you specify the number. K=1000, M=K² and G=K³.

Default: 1K

When the size limit is reached (in terms of memory or in number of certificates), the least recently used certificate will be replaced.
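
The following added example (not code from Nexus OCSP Responder) resolves the K/M/G suffixes as documented above, where K means 1024 for ocsp.certs.maxsize but 1000 for ocsp.certs.maxnum, and models least-recently-used replacement under both limits. The function and class names are hypothetical, the key=value parsing is an assumption based on the lines shown above, and the sample configuration is constructed.

```python
from collections import OrderedDict

# Suffix multipliers as documented: maxsize uses powers of 1024, maxnum powers of 1000.
SIZE_UNITS = {"K": 1024, "M": 1024**2, "G": 1024**3}
COUNT_UNITS = {"K": 1000, "M": 1000**2, "G": 1000**3}
DEFAULTS = {"ocsp.certs.maxsize": "10M", "ocsp.certs.maxnum": "1K"}  # defaults from the table

def parse_limit(value, units):
    """Turn '10M' or '4096' into an integer using the given suffix table."""
    value = value.strip()
    if value and value[-1] in units:
        return int(value[:-1]) * units[value[-1]]
    return int(value)

def effective_limits(config_text):
    """Return (max_bytes, max_certs) from key=value lines, applying the defaults."""
    cfg = dict(DEFAULTS)
    for line in config_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, val = line.split("=", 1)
            cfg[key.strip()] = val.strip()
    return (parse_limit(cfg["ocsp.certs.maxsize"], SIZE_UNITS),
            parse_limit(cfg["ocsp.certs.maxnum"], COUNT_UNITS))

class LruCertCacheModel:
    """Hypothetical model of a cache bounded by both total bytes and entry count."""
    def __init__(self, max_bytes, max_certs):
        self.max_bytes, self.max_certs = max_bytes, max_certs
        self.entries = OrderedDict()  # file name -> size in bytes, oldest use first
        self.total = 0

    def use(self, name):
        """Mark a cached certificate as recently used; False means a cache miss."""
        if name not in self.entries:
            return False
        self.entries.move_to_end(name)
        return True

    def store(self, name, size):
        """Add a certificate and return the names evicted to stay within limits."""
        self.total += size - self.entries.pop(name, 0)
        self.entries[name] = size
        evicted = []
        while self.entries and (self.total > self.max_bytes or len(self.entries) > self.max_certs):
            old, old_size = self.entries.popitem(last=False)
            self.total -= old_size
            evicted.append(old)
        return evicted

# Constructed sample configuration (values chosen for illustration).
SAMPLE = "ocsp.certs.cachedir=certs/cache\nocsp.certs.maxsize=4K\nocsp.certs.maxnum=3\n"
```

Running the model with the planned limits and typical certificate sizes shows which of the two limits is reached first, and therefore how often evicted certificates would need a new directory service lookup.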