Back end client section
Nexus OCSP Responder can work as a client to remote OCSP responders and send requests for validation of certificates. This article describes how to configure the different methods the client can use to find the URL(s) of the remote OCSP responders. This is done in the "Back end client" section of the Nexus OCSP Responder configuration file. Specify the methods in the order you want them to be used.
The back end client configuration is optional.
Specify methods for the client to find the URL
In the OCSP configuration file, specify as follows:
ocsp.client.urlcheck.<m#>=[servicelocator|table|fromcert]
See this table for description of constants and values:
Constants and Values | Description |
---|---|
| Replace |
| The authorityInformationAccess (AIA) certificate extension is used to find the URL. Note that if you use Windows domains, do not include a trailing slash in the AIA attribute. |
Lookup table
This section describes the table method. Enumerate the rows in the table and identify all the specifications for a certain row with the sequence number for this row.
In the OCSP configuration file, specify as follows:
ocsp.client.urlcheck.<m#>.table.<r#>.issuermatch=<attributes>
ocsp.client.urlcheck.<m#>.table.<r#>.url=<URL>
Systems or applications that rely on OCSP responses must verify each response according to specified criteria. This is described in section 4.2.2.2 of RFC 6960 (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP).
Optionally, to comply with this section, these criteria can include that the signature certificate in the lookup response only needs to match a specified name. This is useful if, for some reason, the response is not signed with a certificate related to the issuer of the queried certificate. This is only applicable if ocsp.client.response.signature.check is true. If you want to include this, add the following:
ocsp.client.urlcheck.<m#>.table.<r#>.respondername=<trusted resp name>
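To check that a back end client section is wired up the way this page describes (an ordered list of valid methods, table rows carrying both issuermatch and url, and respondername only meaningful when response signature checking is on), here is an added lint script; it is not Nexus code. The minimal properties parser, the sample configuration, and the key name ocsp.client.response.signature.check (taken from the page's truncated reference) are assumptions.

```python
import re

METHODS = {"servicelocator", "table", "fromcert"}
KEY_RE = re.compile(r"^ocsp\.client\.urlcheck\.(\d+)"
                    r"(?:\.table\.(\d+)\.(issuermatch|url|respondername))?$")
# Key name assumed from the page's truncated "..client.response.signature.check".
SIG_CHECK_KEY = "ocsp.client.response.signature.check"
def parse_properties(text):
    """Minimal key=value parser; lines starting with '#' or '!' are comments."""
    props = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props
def lint_backend_client(props):
    """Return findings for the ocsp.client.urlcheck.* keys described on this page."""
    findings, methods, rows = [], {}, {}
    for key, value in props.items():
        m = KEY_RE.match(key)
        if not m:
            continue
        mnum, rnum, field = int(m.group(1)), m.group(2), m.group(3)
        if field is None:                    # ocsp.client.urlcheck.<m#>=<method>
            methods[mnum] = value
            if value not in METHODS:
                findings.append(f"urlcheck.{mnum}: unknown method '{value}'")
        else:                                # ...urlcheck.<m#>.table.<r#>.<field>
            rows.setdefault(mnum, {}).setdefault(int(rnum), {})[field] = value
    sig_check = props.get(SIG_CHECK_KEY, "false").lower() == "true"
    for mnum, table in sorted(rows.items()):
        if methods.get(mnum) != "table":
            findings.append(f"urlcheck.{mnum}: table rows given but method is not 'table'")
        for rnum, row in sorted(table.items()):
            for needed in ("issuermatch", "url"):
                if needed not in row:
                    findings.append(f"urlcheck.{mnum}.table.{rnum}: missing {needed}")
            if "respondername" in row and not sig_check:
                findings.append(f"urlcheck.{mnum}.table.{rnum}: respondername needs {SIG_CHECK_KEY}=true")
    return findings
# Constructed sample (not from the product docs) with three deliberate mistakes.
SAMPLE = """ocsp.client.urlcheck.1=fromcert
ocsp.client.urlcheck.2=table
ocsp.client.urlcheck.2.table.1.issuermatch=CN=Example Issuing CA,O=Example
ocsp.client.urlcheck.2.table.1.url=http://ocsp.example.test/
ocsp.client.urlcheck.2.table.1.respondername=CN=Example OCSP Signer,O=Example
ocsp.client.urlcheck.2.table.2.issuermatch=CN=Other CA,O=Example
ocsp.client.urlcheck.3=servicelocater
"""
```

Calling lint_backend_client(parse_properties(SAMPLE)) reports the misspelled method, the row without a url, and the respondername set while signature checking is off.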
Back end client and TLS
If TLS is used and the remote OCSP responder requires client authentication, specify a key for this:
To encrypt the pin, see Encryption of sensitive configuration parameters.
Specify OCSP client request
In the OCSP configuration file, specify the OCSP client request as follows:
See this table for description of constants and values:
Constants and Values | Description |
---|---|
| Replace. Note the extra separator ‘T’ before time units shorter than one day. Default: PT30S |
Specify OCSP client response
In the OCSP configuration file, specify the OCSP client response as follows:
Example of back end client section
Example of back end client section in the configuration file
Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.