This article describes how to create a trust store that is used by the Nexus OCSP Responder.

The trust store is a file containing certificates for all trusted CAs – the trust anchors. The immediate issuers of the certificates and CRLs/CILs, that certificate status requests are made for, always need to be present in the trust store.

To create a trust store, use the command line tool certadm, located in the /bin directory, relative to the directory where Nexus OCSP Responder is installed. See certadm commands below for more information.

Create a trust store in Windows

This is an example work flow on how to create a trust store and perform some common commands. When you have created the trust store or performed updates, you must restart Nexus OCSP Responder to make the updates take effect, that is, to be inserted into the cache.

Create an empty trust store.

certadm new --store="C:\ProgramFiles\Nexus\OCSP Responder\certs\trust.store"
certadm new --store=..\certs\trust.store

Examples:

Add the certificate located in the file newCA.crt to the trust store.
Example: Add certificate to trust store
```
certadm add --store=../certs/trust.store --file=newCA.crt
```

List the contents of the trust store.

Example: List content of trust store

certadm list --store=../certs/trust.store

Example of a list result:

(1) CN=D, C=SE
(2) CN=A, C=SE
(3) CN=C, C=SE
(4) CN=B, C=SE
(5) CN=Q, C=SE

Example: Extract the certificate of the second issuer in this list to the file A.crt.
Example: Extract certificate from trust store
```
certadm extract 2 --store=../certs/trust.store --file=A.crt
```
Example: Delete the certificate of the first issuer in the list.
Example: Delete certificate from trust store
```
certadm delete 1 --store=../certs/trust.store
```

Specify the trust store in OCSP configuration file

In the OCSP configuration file, specify as follows:

ocsp.trust.store=<directory>/<filename>.

See this table for description of constants and values:

Constants and Values	Description
`<directory>`	Replace `<directory>` with the directory path to the trust store. Default: `certs`
`<filename>`	Replace `<filename>` with the trust store filename. Default: `trust.store`

certadm commands

These are some useful certadm commands:

certadm help
certadm new --store=<store>
certadm add --store=<store> --file=<file>
certadm list --store=<store>
certadm show <i>
certadm extract <i> --store=<store> --file=<file>
certadm delete <i> --store=<store>

See this table for explanations of the commands:

Options and arguments	Description
`help`	Use this option to display a description of the options and arguments.
`new`	Use this option to create an empty trust store.
`store <store>`	Use this option to specify the trust store file. Replace `<store>` with the path to the trust store file. Write file paths that include spaces within quotation marks. Default: `trust.store` in the current working directory.
`add`	Use this option to add a certificate to the trust store.
`file <file>`	Use this option to specify the file to read/write a certificate from/to. Replace `<file>` with the path to the certificate file. Write file paths that include spaces within quotation marks.
`list`	Use this option to list the contents of the trust store. You will get a list of all the certificates. Each certificate will be preceded by an integer.
`show <i>`	Use this option to display the contents of a specified certificate from the trust store. Replace `<i>` with the integer that specifies the certificate. You have to execute the list option to get this integer.
`extract <i>`	Use this option to extract a specified certificate from the trust store. Replace `<i>` with the integer that specifies the certificate. You have to execute the list option to get this integer.
`delete <i>`	Use this option to delete a specified certificate from the trust store. Replace `<i>` with the integer that specifies the certificate. You have to execute the list option to get this integer.

The options store and file must be preceded by "--".

Trust store

Examples:

Related information