OcspKeyBinding

A CA can delegate the signing of OCSP responses to a separate key pair. This is configured as an Internal Key Binding.

  • The certificate must have Key Usage: Digital Signature.

  • The certificate must have Extended Key Usage: OCSPSigner.

  • The certificate normally has the OCSP No Check extension enabled.

  • The list of trusted certificates will be used to validate the OCSP request signature (if a signature is required).

  • Additionally, a key binding can be used to sign responses for certificates issued by other CAs; these CAs are added to a list using the EJBCA CA GUI or the EJBCA CLI. A CA can be assigned to at most one key binding.

The following lists the implementation-specific properties (each property name is followed by its description).

Non existing is good

If true, a certificate that does not exist in the database but is issued by a CA known to the VA is treated as not revoked. The default (when both this value and "Non existing is revoked" are false) is to treat it as "unknown". Since the OCSP responder's database normally contains all issued certificates, this gives sensible values (in line with RFC 6960) for "ok", "revoked" and "unknown" certificates. Setting this value to true is useful if you want an external OCSP responder database to contain only revoked certificates rather than all certificates; in that case the responder answers "ok" to requests for certificates that do not exist in the database.

Non existing is revoked

If true, a certificate that does not exist in the database but is issued by a CA known to the VA is treated as revoked; the revocation reason is "Certificate Hold" and the revocation time is January 1st, 1970. The default (when both this value and "Non existing is good" are false) is to treat it as "unknown".

Non existing is unauthorized

If true, for a certificate that does not exist in the database but is issued by a CA known to the VA, the VA responds with an unsigned "Unauthorized" message to show that it is unable to process the request. The advantage of this configuration is that the VA does not have to produce a signature, which mitigates the risk of DoS attacks that swamp the VA with OCSP requests for unknown serial numbers.

Max-Age HTTP header (seconds)

A hint to caching proxies, when HTTP GET is used, for how long to retain a response. It should be set to a value less than or equal to the response validity. A value of 0 means no caching.

Request must be signed with a trusted certificate

When true, request signatures will be checked against the list of trusted certificates or trust anchors.

Response validity (seconds)

How long the OCSP response is valid and may be used. A value of 0 means that there is always a newer response available.

ResponderID

Defines the ResponderID type included in the response. The ResponderID is either a Name (the SubjectDN of the certificate used to sign the response) or a KeyHash (the SHA-1 digest of the public key of the certificate used to sign the response).

Include signing certificate in response

When true, the signing certificate will be included in the response.

Include certificate chain in response

When true, the entire certificate chain, except for the root CA certificate, will be included in the response (note that this is only applicable if 'Include signing certificate in response' is true).

Enable nonce in response

When true, if the OCSP request contains a nonce, the response will contain a nonce as well. If false, a nonce will never be in the response, even if one is included in the request.

Omit reason code if revocation reason is unspecified (CABF compliance)

Enabled by default. CA/B Forum Baseline Requirements 1.7.1 and later require the reason code to be omitted when it is Unspecified. Disable the property to disregard this requirement.
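The three "Non existing is ..." properties, the Max-Age/validity relationship and the nonce rule above form a small decision policy. The following Python is an added example, not EJBCA code: it models that policy for a certificate issued by a CA the VA knows, using a constructed sample database and this example's own property names (`OcspKeyBindingConfig`, `cert_status`, `config_warnings`). It treats more than one enabled "Non existing" flag as a configuration error, which is this example's assumption; the page does not state a precedence.

```python
"""Added example (not EJBCA's own code): models the OCSP key binding
"Non existing is ..." policy, Max-Age validation and nonce handling."""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib

# Revocation time the page specifies for "Non existing is revoked".
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


@dataclass
class OcspKeyBindingConfig:
    """Subset of the key binding properties (field names are this example's own)."""
    non_existing_is_good: bool = False
    non_existing_is_revoked: bool = False
    non_existing_is_unauthorized: bool = False
    max_age_seconds: int = 0            # 0 = no caching
    response_validity_seconds: int = 0  # 0 = always a newer response available
    enable_nonce: bool = True


# Constructed sample of the responder's certificate database: serial -> record.
SAMPLE_DB = {
    0x1001: {"revoked": False},
    0x1002: {"revoked": True, "reason": "keyCompromise",
             "time": datetime(2024, 3, 1, tzinfo=timezone.utc)},
}


def _non_existing_flags(cfg):
    return [cfg.non_existing_is_good, cfg.non_existing_is_revoked,
            cfg.non_existing_is_unauthorized]


def config_warnings(cfg):
    """Configuration problems a reviewer would flag before deploying the binding."""
    warnings = []
    if sum(_non_existing_flags(cfg)) > 1:
        warnings.append("more than one 'Non existing is ...' policy enabled")
    # Max-Age is only a caching hint; it must never outlive the response itself.
    if cfg.max_age_seconds > cfg.response_validity_seconds:
        warnings.append("Max-Age exceeds response validity")
    return warnings


def cert_status(cfg, db, serial):
    """Status the responder would return for a serial under a CA known to the VA.

    'good', 'revoked' and 'unknown' are signed CertStatus values; 'unauthorized'
    is the unsigned OCSPResponseStatus error, so no signature is produced."""
    record = db.get(serial)
    if record is not None:
        if record["revoked"]:
            return {"status": "revoked", "reason": record["reason"],
                    "time": record["time"], "signed": True}
        return {"status": "good", "signed": True}
    # Certificate is absent from the database: apply the configured policy.
    if sum(_non_existing_flags(cfg)) > 1:
        raise ValueError("ambiguous 'Non existing is ...' configuration")
    if cfg.non_existing_is_unauthorized:
        return {"status": "unauthorized", "signed": False}
    if cfg.non_existing_is_revoked:
        return {"status": "revoked", "reason": "certificateHold",
                "time": EPOCH, "signed": True}
    if cfg.non_existing_is_good:
        return {"status": "good", "signed": True}
    return {"status": "unknown", "signed": True}


def response_nonce(cfg, request_nonce):
    """Nonce to echo back: only when enabled and the request carried one."""
    if cfg.enable_nonce and request_nonce is not None:
        return request_nonce
    return None


def responder_key_hash(subject_public_key_bits):
    """KeyHash form of the ResponderID: SHA-1 over the raw public key bits
    (the BIT STRING content without tag, length and unused-bits octet)."""
    return hashlib.sha1(subject_public_key_bits).digest()


if __name__ == "__main__":
    cfg = OcspKeyBindingConfig(non_existing_is_revoked=True,
                               max_age_seconds=600, response_validity_seconds=300)
    print("warnings:", config_warnings(cfg))
    for serial in (0x1001, 0x1002, 0x9999):
        print(hex(serial), cert_status(cfg, SAMPLE_DB, serial))
```

Running the module shows the two lookups that hit the sample database, the policy applied to the absent serial, and the Max-Age warning for a binding whose caching hint outlives its responses.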