Configuring OCSP
To configure an OCSP responder, you first need an OCSP signer.
1. Log in to the Stream Administration Interface.
2. Go to at the bottom of the page.
3. Fill in the fields to create an OCSP signer that will sign OCSP requests:
   - The Name of the OCSP signer: a technical name to identify this signer.
   - The Keystore where to find the key for this signer.
   - The Key that this signer will sign with.
   - The DN of this signer, in X500 format with key=value pairs separated by commas.
   - The Notification on signer expiration that will notify users via Email or REST.
4. You must then generate the CSR, sign it using the CA you wish to verify certificates for, and upload the signed certificate back to Stream.
   The certificate must be signed with the Key Usage digitalSignature (critical) and the Extended Key Usage OCSPSigning.
5. The OCSP Signer is now uploaded. Additional options are now available:
   - The Response Signing Algorithm: the hash algorithm that will be used on responses signed by this signer.
6. Click the Save button at the bottom of the page.
Now that your OCSP signer has been configured, OCSP must be enabled on a Certification Authority:
7. Go to Certification Authorities:
   - Managed CAs, in the CRL/OCSP tab
   - External CAs, in the Configuration tab
8. Toggle the Enable OCSP option. New options appear:
   - Compromised CA? can be toggled if the CA was compromised, to make all certificates on this CA act as revoked.
   - The Default OCSP signer to use if no explicit signer is defined in the OCSP request.
   - The Archive Cutoff mode to use on OCSP responses:
     - Issuer: the archive cutoff date will be this CA's emission date.
     - Retention: the archive cutoff date will be the OCSP request date plus the retention period.
9. Click the Save button at the top.
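Step 4 is the one place in this procedure where a mistake is silent until the responder starts answering: a signer certificate issued without the critical Key Usage digitalSignature or without the Extended Key Usage OCSPSigning will not be accepted as a delegated OCSP signer by clients. The following Go program is an added example (not Stream's code, and it does not talk to Stream): it plays both sides of step 4 with a throwaway CA built in memory, generates the signer's CSR, issues the certificate from it, and then runs a pre-upload check of exactly the three properties the step requires (issued by the CA to be answered for, Key Usage digitalSignature marked critical, Extended Key Usage OCSPSigning). The CA name, the signer DN and the `withOCSPEKU` switch are constructed fixtures used only to show the check passing and failing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// oidKeyUsage is the X.509 Key Usage extension (2.5.29.15).
var oidKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15}

// newCA builds a self-signed CA (a constructed fixture) standing in for the
// CA whose certificates the OCSP signer will answer for.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newSignerCSR is the "generate the CSR" part of step 4: the signer's own key
// and a CSR carrying the DN entered in the signer form.
func newSignerCSR(dn pkix.Name) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: dn}, key)
}

// issueFromCSR is the "sign it using the CA" part of step 4. withOCSPEKU is a
// constructed switch so the check below can be shown rejecting a certificate
// issued without the OCSPSigning Extended Key Usage.
func issueFromCSR(csrDER []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey, withOCSPEKU bool) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the signer key
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, // Go emits Key Usage as a critical extension
	}
	if withOCSPEKU {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckOCSPSigner is the pre-upload check: the three properties step 4 requires
// of the signed certificate, reported as a nil error when all hold.
func CheckOCSPSigner(cert, ca *x509.Certificate) error {
	if err := cert.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("signer not issued by %q: %w", ca.Subject.CommonName, err)
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("Key Usage lacks digitalSignature")
	}
	critical := false
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidKeyUsage) {
			critical = ext.Critical
		}
	}
	if !critical {
		return errors.New("Key Usage extension is not marked critical")
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageOCSPSigning {
			return nil
		}
	}
	return errors.New("Extended Key Usage lacks OCSPSigning")
}

// BuildAndCheck runs CSR -> issuance -> check end to end and returns the check result.
func BuildAndCheck(withOCSPEKU bool) error {
	ca, caKey, err := newCA()
	if err != nil {
		return err
	}
	csr, err := newSignerCSR(pkix.Name{CommonName: "ocsp-signer-01", Organization: []string{"Example"}})
	if err != nil {
		return err
	}
	cert, err := issueFromCSR(csr, ca, caKey, withOCSPEKU)
	if err != nil {
		return err
	}
	return CheckOCSPSigner(cert, ca)
}

func main() {
	fmt.Println("with OCSPSigning EKU:   ", BuildAndCheck(true))
	fmt.Println("without OCSPSigning EKU:", BuildAndCheck(false))
}
```

In practice the signed certificate comes back from the CA as a PEM file; load it with `x509.ParseCertificate` on the decoded PEM block and pass it, together with the issuing CA's certificate, to `CheckOCSPSigner` before uploading it in step 4. A certificate that fails any of the three checks should be reissued rather than uploaded.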