Validate OCSP for Incoming Client Certificate

The Online Certificate Status Protocol (OCSP) is a set of ASN.1-defined data structures for requesting and receiving information about certificate revocation status. In principle these data structures can be carried over many transport protocols; in practice, HTTP is used. An OCSP client sends questions and processes responses. An OCSP responder answers questions and generates responses.

To validate OCSP for an incoming client certificate, complete the following steps:
  1. Set up the certificate authority in the server database. Ensure that the issuer certificate has been checked in as a CA certificate.
    • For UNIX, run the following command: ./ManageCertAuthority.sh -a VPCA admin SHA1 <ca_cert_id> always,end-user none
    • For Windows, run the following command: ManageCertAuthority.cmd -a VPCA admin SHA1 <ca_cert_id> always,end-user none
  2. Set up a basic profile with HTTP as the protocol and the OCSP responder as the End Point, for example, http://ocsp.verisign.com (when using Verisign as the Certificate Authority).
  3. Set up the OCSP responder for the authority in the server database.
    • For UNIX, run the following command: ./ManageOCSPResponder.sh -a VPCA admin SHA1 <ca_cert_id> <resp_cert_id> no <time_to_live_in_sec> <profile_id> HTTPClientSend 3600 no no
    • For Windows, run the following command: ManageOCSPResponder.cmd -a VPCA admin SHA1 <ca_cert_id> <resp_cert_id> no <time_to_live_in_sec> <profile_id> HTTPClientSend 3600 no no
    Each OCSP response is cached in the server based on the <time_to_live_in_sec> value. Subsequent similar OCSP requests make use of the cached record as long as the record is valid.
The server is now ready to validate OCSP for any incoming client certificate whose issuer matches the authority created in step 1. You can use the HTTPClientSend business process in Sterling B2B Integrator to send an HTTP request to the OCSP responder with a timeout value of 3600. You may have to configure the proxy settings in the HTTP Client adapter.
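The following Python model illustrates the two pieces of behaviour the steps above describe: a response cached per certificate for at most <time_to_live_in_sec> seconds (step 3) and the HTTP round trip to the responder that is made only when no valid cached record exists (the HTTPClientSend step). It is an added example, not Sterling B2B Integrator code, and it does not show how the product implements its cache. The names OCSPStatus, OCSPCache, validate_client_cert and the `fetch` callable are hypothetical; the issuer name, key bytes and serial number are constructed sample inputs. The CertID construction follows RFC 6960 (hash of the issuer's DER Name, hash of the issuer's public key bits, and the serial number), and the bound "never beyond the response's own nextUpdate" and the choice not to cache an "unknown" answer are design choices of this example.

```python
"""OCSP response cache keyed by an RFC 6960 CertID, bounded by a TTL.

Added example (not Sterling B2B Integrator code). All class and function
names here are hypothetical.
"""
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed sample inputs. In a real deployment these are the DER-encoded
# issuer Name and the issuer's subjectPublicKey bits from the CA certificate
# checked in at step 1, plus the serial number of the incoming client cert.
SAMPLE_ISSUER_NAME_DER = b"\x30\x0f\x31\x0d\x30\x0b\x06\x03\x55\x04\x03\x0c\x04VPCA"
SAMPLE_ISSUER_KEY_BITS = bytes(range(32))  # placeholder public-key bytes
SAMPLE_SERIAL = 0x1A2B3C

CertID = Tuple[bytes, bytes, int]


def cert_id(issuer_name_der: bytes, issuer_key_bits: bytes, serial: int) -> CertID:
    """Build the CertID an OCSP request carries (RFC 6960 section 4.1.1).
    SHA-1 is used for the two hashes because the commands above name SHA1
    for the authority."""
    return (hashlib.sha1(issuer_name_der).digest(),
            hashlib.sha1(issuer_key_bits).digest(),
            serial)


@dataclass
class OCSPStatus:
    status: str                    # "good", "revoked" or "unknown"
    this_update: float             # epoch seconds the responder vouched for
    next_update: Optional[float]   # epoch seconds after which it must be refetched


class OCSPCache:
    """Keeps one response per CertID for at most time_to_live_in_sec seconds,
    and never past the response's own nextUpdate."""

    def __init__(self, time_to_live_in_sec: int, clock: Callable[[], float] = time.time):
        self.ttl = time_to_live_in_sec
        self.clock = clock
        self._entries: Dict[CertID, Tuple[float, OCSPStatus]] = {}

    def lookup(self, key: CertID) -> Optional[OCSPStatus]:
        entry = self._entries.get(key)
        if entry is None:
            return None
        expires_at, status = entry
        if self.clock() >= expires_at:
            del self._entries[key]  # stale record: force a fresh request
            return None
        return status

    def store(self, key: CertID, status: OCSPStatus) -> None:
        # "unknown" means the responder could not decide; do not pin that
        # answer for the whole TTL, retry on the next request instead.
        if status.status == "unknown":
            return
        expires_at = self.clock() + self.ttl
        if status.next_update is not None:
            expires_at = min(expires_at, status.next_update)
        self._entries[key] = (expires_at, status)


def validate_client_cert(key: CertID, cache: OCSPCache,
                         fetch: Callable[[CertID], OCSPStatus]) -> Tuple[str, str]:
    """Decide whether to accept a client certificate.

    `fetch` stands in for the HTTP round trip to the responder (the
    HTTPClientSend step); it returns an OCSPStatus or raises OSError on a
    transport failure. Returns (decision, source) where decision is
    "accept" or "reject" and source is "cache" or "responder"."""
    cached = cache.lookup(key)
    if cached is not None:
        return ("accept" if cached.status == "good" else "reject", "cache")
    try:
        fresh = fetch(key)
    except OSError:
        # No usable answer at all: fail closed rather than admit a
        # certificate whose revocation status cannot be checked.
        return ("reject", "responder")
    cache.store(key, fresh)
    return ("accept" if fresh.status == "good" else "reject", "responder")


def run_demo():
    """Walk through three requests for the same certificate with a fake
    clock and a fake responder; returns the decisions and the number of
    times the responder was contacted."""
    now = [1_700_000_000.0]
    calls = [0]
    key = cert_id(SAMPLE_ISSUER_NAME_DER, SAMPLE_ISSUER_KEY_BITS, SAMPLE_SERIAL)

    def fetch(_key: CertID) -> OCSPStatus:
        calls[0] += 1
        # Constructed "good" response whose nextUpdate is 10 minutes out,
        # shorter than the 3600 s TTL configured below.
        return OCSPStatus("good", now[0], now[0] + 600)

    cache = OCSPCache(time_to_live_in_sec=3600, clock=lambda: now[0])
    results = [validate_client_cert(key, cache, fetch)]      # first request: responder
    now[0] += 300
    results.append(validate_client_cert(key, cache, fetch))  # before nextUpdate: cache
    now[0] += 400
    results.append(validate_client_cert(key, cache, fetch))  # past nextUpdate: responder again
    return results, calls[0]


if __name__ == "__main__":
    print(run_demo())
```

The demo shows why the cache lifetime is the shorter of the configured TTL and the response's nextUpdate: with a 3600 s TTL, the third request at 700 s still goes back to the responder because the response itself stopped being valid at 600 s. The fail-closed branch is the policy a server-side validator should take when neither a cached record nor a fresh answer is available.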
For more information about OCSP in Sterling B2B Integrator, see Online Certificate Status Protocol (OCSP) Support in.