From: Tomas G. <to...@pr...> - 2012-08-23 07:51:36
Hi Hans,

Path 1 is correct. Path 2 is not. The Validation Authority _is_ the OCSP responder, but with added functionality to also distribute CRLs and CA certificates, i.e. a one-stop shop for clients to fetch all needed verification material.

PrimeKey has developed a standalone tool that reads CRLs and feeds them into the database (according to path 1). The tool also has an API that can be used. This is part of PrimeKey's support offering.

Regards,
Tomas

On 08/22/2012 11:50 PM, Hans Witvliet wrote:
> Hi all,
>
> One of our innovation-managers keeps on haunting me with the subject...
>
> He asked me to demonstrate a stand-alone ocsp-responder.
>
> Point is, the corresponding CA isn't an ejbca entity.
>
> From the documentation (correct me if I'm mistaken) there seem to be
> two paths.
>
> 1) Directly populate the database of the ocsp-machine.
> It seems I need somehow to get hold of:
> issuerDN
> serialNumber
> status
> revocationDate
> revocationReason
> certificateProfileId
>
> 2) Install an ejbca-Validation Authority, and have that feeding the
> ocsp-responders.
>
> Second option looks more scalable/flexible/robust, but the question
> remains how to feed the V.A.
>
> All I know so far is that I can do a wget for a fresh CRL every hour.
> And probably it is from a Microsoft machine (so no chance of doing
> something intelligent there ;-)
>
> Any suggestions?
>
> Hans
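
The CRL-to-database mapping of path 1, as an added example that is not part of the original thread and is not PrimeKey's tool. It uses the Python `cryptography` package, checks the CRL signature before accepting any entry, and emits the fields listed in the question. The `REVOKED` status string, the row layout and the constructed test CRL are assumptions, not the EJBCA schema.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def build_sample_crl():
    """Constructed test CRL, standing in for the hourly wget download."""
    key = ec.generate_private_key(ec.SECP256R1())
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    now = datetime.datetime(2012, 8, 23, 8, 0, 0)
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer).last_update(now)
               .next_update(now + datetime.timedelta(hours=1)))
    # One entry carrying a reason code, one without.
    for serial, reason in ((0x1A2B, x509.ReasonFlags.key_compromise), (0x3C4D, None)):
        entry = (x509.RevokedCertificateBuilder().serial_number(serial)
                 .revocation_date(datetime.datetime(2012, 8, 1, 12, 0, 0)))
        if reason is not None:
            entry = entry.add_extension(x509.CRLReason(reason), critical=False)
        builder = builder.add_revoked_certificate(entry.build())
    crl = builder.sign(key, hashes.SHA256())
    return crl.public_bytes(serialization.Encoding.PEM), key.public_key()

def crl_to_rows(crl_pem, ca_public_key):
    """Map a CRL to the per-certificate fields listed under path 1."""
    crl = x509.load_pem_x509_crl(crl_pem)
    # Refuse a CRL that the expected CA key did not sign.
    if not crl.is_signature_valid(ca_public_key):
        raise ValueError("CRL signature does not verify against the CA key")
    rows = []
    for entry in crl:
        try:
            ext = entry.extensions.get_extension_for_class(x509.CRLReason)
            reason = ext.value.reason.value
        except x509.ExtensionNotFound:
            reason = "unspecified"
        when = getattr(entry, "revocation_date_utc", None) or entry.revocation_date
        rows.append({
            "issuerDN": crl.issuer.rfc4514_string(),
            "serialNumber": entry.serial_number,
            "status": "REVOKED",           # assumed placeholder value
            "revocationDate": when.strftime("%Y-%m-%d %H:%M:%S"),
            "revocationReason": reason,
            "certificateProfileId": None,  # not carried in a CRL
        })
    return rows
```

A CRL names only revoked certificates, so `certificateProfileId` has to come from somewhere else.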