Usage and configuration instructions for this module are available in the following associated documentation: Digi-CA™Administrator Guide.
The Online Certificate Status Protocol [OCSP] Gateway Service Module is intended to provide digital network based services in compliance with RFC 2560 standard, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP.
The OCSP is an Internet protocol used for obtaining the revocation status of an X.509 digital public key certificate. It was created as an alternative to Certificate Revocation Lists [CRL], specifically addressing certain problems associated with using CRLs in a public key infrastructure [PKI].
Messages communicated via OCSP are effectively used to provide real time certificate revocation status service in the process of validating a public key certificate. This service can greatly support the validation process of the long-term electronic signatures applied to digital communication or payment transactions and electronic documents, such as Adobe® Acrobat® PDF. OCSP, in the overview of the CA core services, acts as the Revocation Status Service.
The OCSP is provided in a Gateway mode and the term "Gateway" in the module name is purposefully used to describe what the OCSPG really does. It is essentially a network gateway between the OCSP Client and OCSP Responder. The design concept for this Service Module arose from the results of security assessments applied to RFC 2560 standard. A typical implementation model for an OCSP Responder allows that server to directly access the OCSP Validation Authority’s [VA] Private Key designated for certifying OCSP response messages. Due to the fact that the OCSP Responder is very likely to be exposed for public use, the likelihood of the VA’s private key accidental exposure to an illegitimate party is relatively high, regardless whether the VA’s private key is stored in a Software or Hardware Security Module. The VA forms a key party in the process of validating electronic signatures and non-repudiation and therefore an illegitimate exposure of the VA’s private key in any form could lead to a potential risk of VA signature forgery that would further result in invalidation of any previously certified OCSP responses and further invalidation of any electronic signatures that these responses would provide evidence of.
OCSPG was designed to eliminate the above risks. It is a software library built to work with an instance of an Apache web server software – it can be therefore considered as an Apache software module. Its functionality is limited to the following purposes:
|a. Qualify correctly formatted OCSP requests|
|b. Transparently pass OCSP requests to the CA Application Service [CAAS]|
|c. Retrieve responses from CAAS|
|d. Transparently pass responses retrieved from CAAS to OCSP Clients|
OCSP Clients can connect to OCSP Gateway using standard HTTP or secure HTTPS [HTTP over SSL/TLS] protocol using a Uniform Resource Locator [URL] method. OCSP request messages are accepted either as HTTP POST or HTTP GET requests.
OCSP Gateway module is configured and activated inside the Apache web server configuration and can be applied per site, virtual realm or per physical directory configuration basis. It is loaded the very moment the Apache web server is started.
Important Note: OCSP Gateway Service Module can place significant demands on your servers and IT hardware environment and should only be deployed and offered to relying parties if you have the correct infrastructure that meets the recommended model of High Availability.