Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

This article describes how to specify a response cache in the configuration file for Nexus OCSP Responder. The response cache is used to cache OCSP responses from a configurable selection of CAs, to save time.

 Enable response cache
  1. In the OCSP configuration file, specify as follows:

    ocsp.cache.enable=[true|false]

    See this table for description of constants and values:

    Constants and ValuesDescription

    true | false

    Enter true to enable, false not to enable a response cache. If you enter false, the rest of the settings described in this article will have no effect.

    Default: false


 Specify cache size

The cache is built up as a table, where each column specifies a certificate issuer (a CA) and for how long the response from this issuer will stay valid. You can specify a limit of the cache size, either in terms of memory or in number of responses or both. When either limit is reached, the next expired response (or the response that is the next to expire) gets replaced.

  1. In the OCSP configuration file, specify the cache size and each row in the table as follows:

    ocsp.cache.maxsize=<maxsize>[K|M|G]
    ocsp.cache.maxnum=<maxnum>[K|M|G]
    ocsp.cache.contents.<#>.issuermatch=<attributes>
    ocsp.cache.contents.<#>.expiresafter=<time expr>
    ocsp.cache.renewing.<#>.issuermatch=<attributes>
    ocsp.cache.renewing.<#>.updatemargin=<margin time>
    ocsp.cache.renewing.client.<clientspec>

    See this table for description of constants and values:

    Constants and ValuesDescription

    <maxsize>

    Replace <maxsize> with the maximum size of the cache, in bytes. You can use K, M or G when you specify the size. K=1024, M=K2 and G=K3.

    Default: 128M

    <maxnum>

    Replace <maxnum> with the maximum number of responses. You can use K, M or G when you specify the number. K=1000, M=K2 and G=K3.

    Default: 10K

    <#>Replace <#> with a sequence number.

    <attributes>

    Replace <attributes> with the attributes to use for a match. This is to specify for which issuer the responses shall be cached. If the issuer cannot be matched with the configuration, the response will not be added to the cache.

    <time expr>

    Replace <time expr> with a time period expression (short form), specified according to ISO 8601 Representation of dates and times. One expiresafter parameter is required for each configured issuermatch parameter

    After this amount of time (or when nextUpdate is passed) the response will expire.

    <margin time> Replace <margin time> with a time period expression (short form), specified according to ISO 8601 Representation of dates and times. Specifies the amount of time before the expiration time when a cached response should be refreshed with a new refresh request.
    <clientspec>The refresh requests will be carried out by the back end OCSP client, which by default will use the settings you made in section "Specify OCSP client request" in Back end client section. You may override any of these settings by adding a new specification here. Use the same syntax as described for the back end client (see Back end client section) but replace ocsp.client with ocsp.cache.renewing.client.

    Example:

    ocsp.cache.maxsize=10K
    ocsp.cache.contents.1.issuermatch=*
    ocsp.cache.contents.1.expiresafter=PT4M
    ocsp.cache.renewing.1.issuermatch=*,c=se
    ocsp.cache.renewing.1.updatemargin=PT1M
    ocsp.cache.renewing.client.response.notolderthan=PT15S

    Using the OCSP response cache, in combination with CRLs/CILs that specify "Immediate Issue", could lead to unexpected results. A CRL that is immediately issued when a certificate is revoked, should in the best case cause any OCSP responses for the certificate to change. But if the responses are cached, this might not be the case until the duration of the cached response has expired.

  • No labels