Consuming the OCSP service

OCSPd complies with the following RFCs:

  • 6960

  • 5019

An OCSP request can therefore be sent using:

  • HTTP GET (required for OCSP Stapling);

  • HTTP POST (standard OCSP request).

When performing an OCSP request against OCSPd, the signer used to sign the response can be:

  • Determined dynamically from the OCSP request (POST /ocsp or GET /ocsp/ocsprequest);

  • Passed in the querystring of the URL (POST /signer/:signer_name/ocsp or GET /signer/:signer_name/ocsp/ocsprequest);

  • Retrieved from the Certificate Authority settings, using the Certificate Authority’s name passed in the querystring of the URL (POST /ca/:ca_name/ocsp or GET /ca/:ca_name/ocsp/ocsprequest).

The signer_name and ca_name have to be URL-encoded. The ocsprequest is the base64-encoded OCSP request.

If the OCSP request contains several entries for several Certificate Authorities, the name of the signer must be passed in the querystring.
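The routes and encoding rules above, as an added example (not OCSPd's own code): it builds a minimal DER OCSP request and derives the POST and GET URLs for each route. The host name, the signer and CA names, and the issuer bytes are constructed placeholders. The GET form of the CA route is assumed to follow the same pattern as the other two, and the 255-byte GET limit comes from RFC 5019 section 5, not from this page.

```python
import base64
import hashlib
from urllib.parse import quote

def _der(tag, body):
    """Encode one DER TLV, using long-form length when needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def build_ocsp_request(issuer_name_der, issuer_key_bits, serial):
    """Minimal unsigned OCSPRequest: one SHA-1 CertID, no nonce extension."""
    sha1_alg = _der(0x30, bytes.fromhex("06052b0e03021a0500"))  # OID 1.3.14.3.2.26, NULL
    cert_id = _der(0x30, sha1_alg
                   + _der(0x04, hashlib.sha1(issuer_name_der).digest())
                   + _der(0x04, hashlib.sha1(issuer_key_bits).digest())
                   + _der(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big")))
    request_list = _der(0x30, _der(0x30, cert_id))   # SEQUENCE OF Request
    return _der(0x30, _der(0x30, request_list))      # OCSPRequest { TBSRequest }

def ocsp_urls(base, der_request, signer=None, ca=None):
    """Build the POST and GET URLs for one of the three routes listed above."""
    if signer and ca:
        raise ValueError("choose a signer route or a CA route, not both")
    if signer:
        prefix = f"{base}/signer/{quote(signer, safe='')}/ocsp"
    elif ca:
        prefix = f"{base}/ca/{quote(ca, safe='')}/ocsp"
    else:
        prefix = f"{base}/ocsp"
    # base64 output may contain '+', '/' and '=', so it is percent-encoded too
    # (RFC 6960 Appendix A); a raw '/' would otherwise split the path segment.
    b64 = base64.b64encode(der_request).decode("ascii")
    get_url = f"{prefix}/{quote(b64, safe='')}"
    # RFC 5019 section 5: use GET when the whole URL is at most 255 bytes.
    method = "GET" if len(get_url) <= 255 else "POST"
    return {"post": prefix, "get": get_url, "method": method}

if __name__ == "__main__":
    # Constructed inputs: placeholder issuer name/key bytes and host name.
    req = build_ocsp_request(b"constructed issuer DN", b"constructed issuer key", 0x1234)
    urls = ocsp_urls("http://ocsp.example.test", req, signer="Issuing CA 1")
    print(urls["method"], urls["get"])
    # POST alternative: send `req` as the body to urls["post"] with
    # Content-Type: application/ocsp-request
```

In a real request, the two hashed inputs are the DER-encoded issuer name and the issuer's public key value taken from the issuing certificate.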