Nexus OCSP Responder can work as a client to remote OCSP responders and send requests for validation of certificates. This article describes how to configure the different methods the client can use to find the URL(s) of the remote OCSP responders. This is done in the "Back end client" section of the Nexus OCSP Responder configuration file. Specify the methods in the order you want them to be used.

The back end client configuration is optional.

Specify methods for the client to find URL

In the OCSP configuration file, specify as follows:
ocsp.client.urlcheck.<m#>=[servicelocator|table|fromcert]
See this table for description of constants and values:

Constants and Values	Description

Constants and Values

Description

<m#>

Replace <m#> with the method sequence number.

servicelocator | table | fromcert

The servicelocator method uses the serviceLocator request extension to get the URL of the authoritative responder.
The table method uses a table with two columns:
- the rule to find a certain CA
- the URL of the corresponding remote OCSP responder.
  For more information, see section "Lookup table" below.

The fromcert method searches the certificate in the certificate cache (and in case of no hit and if lookup is specified, in a directory).

The authorityInformationAccess (AIA) certificate extension is used to find the URL. Note that if you use Windows domains, do not include a trailing slash in the AIA attribute.
Default: servicelocator

Lookup table

This section describes the table method. Enumerate the rows in the table and identify all the specifications for a certain row with the sequence number for this row.

In the OCSP configuration file, specify as follows:
ocsp.client.urlcheck.<m#>.table.<r#>.issuermatch=<attributes> ocsp.client.urlcheck.<m#>.table.<r#>.url=<URL>
Systems or applications that rely on OCSP responses, must verify each response according to specified criteria. This is described in section 4.2.2.2 of RFC 6960 X.509 Internet Public Key Infrastructure Online Certificate Status Protocol – OCSP, see https://tools.ietf.org/html/rfc6960 .
Optionally, to comply with this section, these criteria can include that the signature certificate in the lookup response only need to match a specified name. This is useful if, for some reason, the response is not signed with a certificate related to the issuer of the queried certificate. This is only applicable if ...client.response.signature.check is true. If you want to include this, add the following:
ocsp.client.urlcheck.<m#>.table.<r#>.respondername=<trusted resp name>
See this table for description of constants and values:

Constants and Values	Description

Constants and Values	Description
`<m#>`	Replace `<m#>` with the method sequence number.
`<r#>`	Replace `<r#>` with the row sequence number.
`<attributes>`	Replace `<attributes>` with the attributes to use for a match. Wildcards are allowed.
`<URL>`	Replace `<URL>` with the URL to use if this rule matches.
`<trusted resp name>`	Replace `<trusted resp name>` with the name of a trusted responder. Wildcards are allowed.

Back end client and TLS

If TLS is used and the remote OCSP responder requires client authentication, specify a key for this:
To encrypt the pin, see Encryption of sensitive configuration parameters.

Constants and Values	Description

Constants and Values	Description
`<certificate pattern>`	Replace `<certificate pattern>` with the certificate pattern to specify the key pair. For a description of the syntax, see heading “LDAP certificate patterns” in Introduction to LDAP.
`<PIN>`	Replace `<PIN>` with the PIN for the key pair.

Specify OCSP client request

In the OCSP configuration file, specify the OCSP client request as follows:
See this table for description of constants and values:

Constants and Values	Description

Constants and Values	Description
`true \| false` for parameter `...usecache`	Enter `true` to check, `false` not to check the response cache first of all. Default: `false`
`get \| post`	Enter `get` or `post` to specify the HTTP method to be used when the OCSP client requests a remote responder. Default: `post`
`<time expr>`	Replace `<time expr>` with a time period expression (short form), specified according to ISO 8601 Representation of dates and times. This is the maximum amount of time the client will wait for response. Example 1: P1Y2M3DT4H5M6S stands for 1 year, 2 months, 3 days, 4 hours, 5 minutes and 6 seconds. Example 2: P1D stands for 1 day. Example 3: PT1H stands for 1 hour. Note the extra separator ‘T’ before time units shorter than one day. Default: PT30S
`true \| false` for parameter `...nonce`	Enter `true` to add, `false` not to add "nonce" to the request. "Nonce" is random data, generated by the client and used to guarantee the freshness of a response and protect against replay attacks. Default: `false`
`<size>`	Replace `<size>` with the size in bytes of the nonce. Default: `16`
`<certificate pattern>`	Replace `<certificate pattern>` with the certificate pattern to specify the key pair. For a description of the syntax, see Section 6.2.3, “ Certificate Pattern ”.
`<PIN>`	Replace `<PIN>` with the PIN for the key pair.
`none \| byname \| bykey`	The parameter `...othercerts` will be ignored if the parameter `...chain` is set to "`none`". Enter `none` to indicate that the request shall include only the signature certificate. Enter `byname` to let Nexus OCSP Responder search the certificate cache for other certificates with the same public key as the signature certificate, but only include those in the request, which also have the same subject distinguished name. Enter `bykey` to let Nexus OCSP Responder search the certificate cache for other certificates with the same public key as the signature certificate and include them in the request. Default: `none`
`none \| cert \| chain \| allchains`	Enter `none` to indicate that no signature certificate(s) shall be appended to the request. Enter `cert` to indicate that the signature certificate shall be appended to the request. If parameter `...othercerts` is set to "`byname`" or "`bykey`", all applicable certificates shall be appended. Enter `chain` to indicate that one chain of certificates, chaining to the trust store, shall be appended to the request. If parameter `...othercerts` is set to "`byname`" or "`bykey`", one chain for every applicable certificate shall be appended. Enter `allchains` to indicate that all possible certificate chains shall be appended to the request. If parameter `...othercerts` is set to "`byname`" or "`bykey`", all valid chains for all applicable certificates shall be appended. Default: `chain`
`true \| false` for parameter `...includeroot`	The parameter `...signature.chain.includeroot` is relevant only when parameter `...signature.chain` is set to "`chain`" or "`allchains`". Enter `true` to include, `false` not to include the root certificate in the chains. Default: `false`
`true \| false` for parameter `...freshnessproofs.add`	Enter `true` to query, `false` not to query the local OCSP response cache for the status of the certificates in the signature chain and to add them to a freshness proof extension in the request, if possible. Default: `false`

Specify OCSP client response

In the OCSP configuration file, specify the OCSP client response as follows:
See this table for description of constants and values:

Constants and Values	Description

Constants and Values	Description
`true \| false` for parameter `...allowunknown`	Enter `true` to accept, `false` not to accept an OCSP response with status "`unknown`". If this is enabled and the status would be unknown, a "`tryLater`" response will be created and returned instead of the received response. Default: `false`
`true \| false` for parameter `...nonce.check`	Enter `true` to check, `false` not to check that if a nonce was included in the request, an identical nonce can be found in the response. Default: `true`
`true \| false` for parameter `...signature.check`	Enter `true` to check, `false` not to check the signature certificate. If this is enabled and the signature could not be verified, a "`tryLater`" response will be created and returned instead of the received response. Disabling this can be a convenient way to always forward requests and their responses if the queried responders are trusted. Default: `true`
`true \| false` for parameter `..signature.allowauthority`	Enter `true` to accept an OCSP responder if the response signer was issued by an authority that is found in the certificate chain of the certificate for which status is requested, `false` if not. This is only applicable if `...signature.check` is `true`. Default: `false`
`true \| false` for parameter `...chain.validate`	Enter `true` to make a full validation of the whole chain of signature certificates. Enter `false` to make no validation. This is only applicable if `...signature.check` is `true`. Default: `true`
`<time expr>`	Replace `<time expr>` with a time period expression (short form), specified according to ISO 8601 Representation of dates and times (see also information in the Constants and Values table under heading "Specify OCSP Client request)". If the difference between the current time and the `producedAt` value exceeds this setting, the response will not be used. Default: `No checking`
`true \| false` for parameter `...freshnessproof.handle`	Enter `true` to extract, `false` not to extract the freshness proof extension from the OCSP response if present and add the contents to the OCSP response cache. Default: `false`

Example of back end client section

Nexus Documentation

Back end client section