OCSP Configuration Scripts

The following scripts run the OCSP configuration utilities. There are Unix/Linux and Windows versions of each script. The scripts take the same command-line arguments as the utility programs they invoke and are located in the bin directory of the product install. The command-line arguments for each utility are repeated here, in the description of its script.

ManageCertAuthority.sh and ManageCertAuthority.cmd

Argument    Description

-a, -l, -d, -u2
    Operation to perform:

      • -a - add
      • -l - list
      • -d - delete
      • -u2 - update an existing database record with newly computed key and RDN hashes

    The -l option takes no additional arguments. The -d option takes a single argument: the object ID of the record to delete.

Name
    Name of the authority. Required with -a.

Modified_by
    User who modified or created the identity. Required with -a.

Hash_alg
    Hash algorithm for the authority. Only the value “SHA1” is supported. Required with -a.

Certificate_id
    Object ID of the CA certificate associated with the authority. Required with -a.

OCSP_policy
    The OCSP policy string for the authority. This is a comma-delimited string as described in the section on the CERT_AUTHORITY table. Required with -a.

    For the first element of the string (when to use OCSP), the following are permitted:

      • never - never use OCSP
      • resp - use OCSP only if a responder is configured when a request is made
      • always - always use OCSP when a request is made. This requires a responder to be configured and causes certificate checking to fail if no responder is configured.

    For the second element of the string (what to check), the following are permitted:

      • none - never check any certificates
      • end-user - check only end-user certificates
      • both - check both end-user and intermediate certificates. Currently not supported.

    Examples:

      • never,none
      • always,end-user

Crl_policy
    CRL policy string for the authority. Required with -a. A value is required for this argument, but it is not currently used. “None” is acceptable.

Object_ID
    An object ID to use when creating this record. Optional with -a. Required with -u2.
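The following shell wrapper is an added example; it is not part of the product or of this page. It checks an OCSP_policy string against the grammar above before calling ManageCertAuthority.sh with -a, so that a typo such as "sometimes,none" or the documented-but-unsupported "always,both" is caught before it reaches the database. It assumes that the positional argument order matches the argument table (name, modified_by, hash_alg, certificate_id, ocsp_policy, crl_policy, object_id), that BIN_DIR is a placeholder for the product's bin directory, and that DRY_RUN=1 (the default here) only prints the command line instead of running it.

```shell
#!/bin/sh
# Added example, not product code: validate an OCSP_policy string before
# calling ManageCertAuthority.sh -a. Positional argument order is assumed to
# follow the argument table; BIN_DIR is a placeholder install path.

BIN_DIR="${BIN_DIR:-/opt/b2bi/install/bin}"

# validate_ocsp_policy POLICY
#   returns 0 for a usable "<when>,<what>" string
#   returns 2 when <what> is "both" (documented as not currently supported)
#   returns 1 for anything else
validate_ocsp_policy() {
    policy="$1"
    case "$policy" in
        ''|*,*,*) return 1 ;;     # empty, or more than two elements
        *,*) ;;                   # exactly one comma: keep going
        *) return 1 ;;            # no comma at all
    esac
    when="${policy%%,*}"
    what="${policy#*,}"
    case "$when" in
        never|resp|always) ;;
        *) return 1 ;;
    esac
    case "$what" in
        none|end-user) return 0 ;;
        both) return 2 ;;
        *) return 1 ;;
    esac
}

# add_cert_authority NAME MODIFIED_BY CERTIFICATE_ID OCSP_POLICY [OBJECT_ID]
#   hash_alg is fixed to SHA1 (the only supported value) and crl_policy to
#   "None" (accepted, currently unused). Prints the command line; executes it
#   only when DRY_RUN is set to 0.
add_cert_authority() {
    name="$1"; modified_by="$2"; cert_id="$3"; policy="$4"; object_id="$5"
    validate_ocsp_policy "$policy" && rc=0 || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "refusing policy '$policy': 'both' is not currently supported" >&2
        return 1
    elif [ "$rc" -ne 0 ]; then
        echo "invalid OCSP policy '$policy' (expected never|resp|always,none|end-user)" >&2
        return 1
    fi
    set -- -a "$name" "$modified_by" SHA1 "$cert_id" "$policy" None
    [ -n "$object_id" ] && set -- "$@" "$object_id"
    printf '%s\n' "$BIN_DIR/ManageCertAuthority.sh $*"
    [ "${DRY_RUN:-1}" = 1 ] || "$BIN_DIR/ManageCertAuthority.sh" "$@"
}

# Dry-run demonstration with constructed values: prints the command that would run.
add_cert_authority ExampleCA admin 12345 always,end-user
```

Running with DRY_RUN=0 executes the script instead of printing it. The policy check is deliberately strict about the first element: a record created with a misspelled "when" value would silently fall outside the never/resp/always semantics the page describes, which is harder to notice than a rejected command.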

ManageOCSPResponder.sh and ManageOCSPResponder.cmd

Argument    Description

-l
    Lists the currently configured OCSP responders. This option takes no additional arguments.

-d
    Deletes the OCSP responder configuration record with the provided object ID. This option takes object_id as an additional argument.

-u2
    Updates existing records in the database with the correct information about the public key and the subject DN of the authority certificate.

    Run it against every existing Cert Authority and OCSP Responder record; otherwise the records must be deleted and recreated to get the proper information into the database.

    This option takes object_id as an additional argument.

-a
    Adds configuration data for a new OCSP responder to be used for checking the status of certificates issued by the provided authority.

    Additional arguments are name, modified_by, hash_alg, authority_cert_oid, response_signing_cert_oid, resp_signing_cert_in_ca_store, cache_ttl, trans_prof_oid, comm_bp, comm_wait, send_nonce, require_nonce, and object_id.

name
    (Required with -a) Name of the authority.

modified_by
    (Required with -a) User who modified or created the identity.

hash_alg
    (Required with -a) Hash algorithm for the authority. Only the value “SHA1” is supported.

authority_cert_oid
    (Required with -a) Object ID of the CA certificate associated with the authority.

response_signing_cert_oid
    (Required with -a) Object ID of the certificate that the OCSP service provider uses to sign the responses giving the status of the certificates. This certificate must be added to the CA Digital Certificate store or the Trusted Digital Certificate store. This is the System Certificate ID of the certificate as it appears in the store.

resp_signing_cert_in_ca_store
    (Required with -a) Flag indicating whether the certificate given by response_signing_cert_oid is found in the CA Digital Certificate Store in Sterling B2B Integrator.

cache_ttl
    (Required with -a) The time-to-live in seconds for OCSP responses in the internal cache.

trans_prof_oid
    (Required with -a) The object ID of a transport configured for communicating with the OCSP responder.

comm_bp
    (Required with -a) Name of a business process to use to communicate with the OCSP responder. This has to be a business process that does HTTP communication. Services in the business process have to be configured to not require or present HTTP headers when sending and receiving, respectively. The HTTPClientSend process that comes with the system can be used and is recommended.

comm_wait
    (Required with -a) The number of seconds to wait for communication with the responder before treating the request as an error.

send_nonce
    (Required with -a) Indicates whether a NONCE value is sent to the OCSP service. Some OCSP providers use the NONCE value to prevent replay attacks.

require_nonce
    (Required with -a) Indicates whether the server requires the OCSP service to return a NONCE value in the response.

object_id
    (Optional with -a) An object ID to use when creating this record.
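The following shell wrapper is an added example, not product code and not from this page. It checks the -a arguments of ManageOCSPResponder.sh for internal consistency before running the script: the boolean flags must be true or false, cache_ttl and comm_wait must be whole seconds, comm_wait must be positive, and require_nonce may only be set together with send_nonce, because a responder can only echo a nonce it was sent and requiring one that was never sent would make every status check fail. Assumptions: the positional order follows the argument table, the three flags are written as true/false (the page does not give their format), hash_alg is SHA1 and comm_bp is the recommended HTTPClientSend, and BIN_DIR is a placeholder install path; DRY_RUN=1 (the default here) only prints the command line.

```shell
#!/bin/sh
# Added example, not product code: sanity-check the -a arguments for
# ManageOCSPResponder.sh before running it. Assumptions: positional order
# follows the argument table; send_nonce, require_nonce and
# resp_signing_cert_in_ca_store are given as true or false; BIN_DIR is a
# placeholder install path.

BIN_DIR="${BIN_DIR:-/opt/b2bi/install/bin}"

is_bool() { case "$1" in true|false) return 0 ;; *) return 1 ;; esac; }
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# check_responder_args SEND_NONCE REQUIRE_NONCE CACHE_TTL COMM_WAIT
#   returns 0 when the combination is coherent, 1 (with a reason on stderr) otherwise
check_responder_args() {
    send_nonce="$1"; require_nonce="$2"; cache_ttl="$3"; comm_wait="$4"
    is_bool "$send_nonce" && is_bool "$require_nonce" \
        || { echo "send_nonce and require_nonce must be true or false" >&2; return 1; }
    is_uint "$cache_ttl" && is_uint "$comm_wait" \
        || { echo "cache_ttl and comm_wait must be whole numbers of seconds" >&2; return 1; }
    # The responder can only echo a nonce it was sent; requiring one in the
    # response without sending one would make every status check fail.
    if [ "$require_nonce" = true ] && [ "$send_nonce" != true ]; then
        echo "require_nonce=true needs send_nonce=true" >&2; return 1
    fi
    # A zero wait would treat every responder contact as an error.
    [ "$comm_wait" -gt 0 ] || { echo "comm_wait must be greater than 0" >&2; return 1; }
    return 0
}

# add_ocsp_responder NAME MODIFIED_BY AUTHORITY_CERT_OID RESPONSE_SIGNING_CERT_OID \
#                    IN_CA_STORE CACHE_TTL TRANS_PROF_OID COMM_WAIT SEND_NONCE REQUIRE_NONCE [OBJECT_ID]
#   hash_alg is fixed to SHA1 (the only supported value) and comm_bp to the
#   recommended HTTPClientSend process. Prints the command line; executes it
#   only when DRY_RUN is set to 0.
add_ocsp_responder() {
    name="$1"; modified_by="$2"; ca_oid="$3"; signer_oid="$4"; in_ca_store="$5"
    cache_ttl="$6"; trans_prof_oid="$7"; comm_wait="$8"
    send_nonce="$9"; require_nonce="${10}"; object_id="${11}"
    is_bool "$in_ca_store" \
        || { echo "resp_signing_cert_in_ca_store must be true or false" >&2; return 1; }
    check_responder_args "$send_nonce" "$require_nonce" "$cache_ttl" "$comm_wait" || return 1
    set -- -a "$name" "$modified_by" SHA1 "$ca_oid" "$signer_oid" "$in_ca_store" \
           "$cache_ttl" "$trans_prof_oid" HTTPClientSend "$comm_wait" "$send_nonce" "$require_nonce"
    [ -n "$object_id" ] && set -- "$@" "$object_id"
    printf '%s\n' "$BIN_DIR/ManageOCSPResponder.sh $*"
    [ "${DRY_RUN:-1}" = 1 ] || "$BIN_DIR/ManageOCSPResponder.sh" "$@"
}

# Dry-run demonstration with constructed object IDs: nonce sent and required,
# 5-minute response cache, 30-second responder timeout.
add_ocsp_responder ExampleResponder admin 111 222 true 300 333 30 true true
```

Sending and requiring a nonce is the combination that actually gives replay protection; sending one without requiring it only helps against responders that happen to honour it, and the wrapper refuses the one combination (require without send) that can never succeed.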

SetSystemCertOCSPInfo.sh and SetSystemCertOCSPInfo.cmd

This utility sets the OCSP information in the database for a single system certificate.

Argument    Description

-o, -n
    How to interpret the second argument:

      • -o - object_ID
      • -n - name

Object_ID/Name
    Object ID or name of the authority, as determined by the first argument.

SetTrustedCertOCSPInfo.sh and SetTrustedCertOCSPInfo.cmd

This utility sets the OCSP information in the database for a single trusted certificate.

Argument    Description

-o, -n
    How to interpret the second argument:

      • -o - object_ID
      • -n - name

Object_ID/Name
    Object ID or name of the authority, as determined by the first argument.