OCSP Responders

Used for delegation of OCSP response signing to a non-CA key pair.

Name	Issuer	Serial Number	Crypto Token	Current Key Pair	Next Key Pair	Status	Active	Actions
MOI-CA-OCSP-RESPONDER	RootCA	2E9B3DA510C4F76FE8C54F1BDBAD9BF76D2F3064	MOI-TOKENS	ocspSignKey		Enabled

Name

Issuer

Serial Number

Crypto Token

Current Key Pair

Next Key Pair

Status

Active

Actions

MOI-CA-OCSP-RESPONDER

RootCA

2E9B3DA510C4F76FE8C54F1BDBAD9BF76D2F3064

MOI-TOKENS

ocspSignKey

Enabled

Create new...

Default Validity Times

The following values are used as global defaults, and are enacted for CA's responding to their own OCSP requests without the help of an OCSP Signer.

Response Validity (Seconds)

Default response validity, used for CAs signing their own responses or when not set in the aliases. 0 means that no validity is set. Note that a validity is required for pre-produced OCSP responses.

Max-Age HTTP header (Seconds)

Default caching time in the response HTTP headers. Used for CAs signing their own responses or when not set in the aliases. 0 means that no validity is set, and ignored if the Response Validity is set to 0. Note that for responses of certificates with unknown status, the HTTP response header "Cache-control" will not contain the max age, but "no-cache, must-revalidate" instead. That is to prevent caching of UNKNOWN statuses.

Use Max-Age for Expired Responses

Base cache header on max-age instead of than nextUpdate for expired enties globally. Only used if Max-Age is set to other than 0. Note that this is not in compliance with RFC 5019.

OCSP Audit and Transaction Logging

Enable OCSP transaction logging
Transaction log variable pattern	A pattern used to identify a variable. Use \$\{(.+?)\} to use variables like ${THIS}.
Transaction log message	${SESSION_ID};${LOG_ID};${STATUS};${REQ_NAME}"${CLIENT_IP}";"${SIGN_ISSUER_NAME_DN}";"${SIGN_SUBJECT_NAME}";${SIGN_SERIAL_NO};"${LOG_TIME}";${REPLY_TIME};${NUM_CERT_ID};0;0;0;0;0;0;0;"${ISSUER_NAME_DN}";${ISSUER_NAME_HASH};${ISSUER_KEY};"${OCSP_CERT_ISSUER_NAME_DN}";${DIGEST_ALGOR};${SERIAL_NOHEX};${CERT_STATUS};${CERT_PROFILE_ID};${FORWARDED_FOR} The transaction log message. Variables may be used as specified in the documentation.

Enable OCSP audit logging
Audit log variable pattern	A pattern used to identify a variable. Use \$\{(.+?)\} to use variables like ${THIS}.
Audit log message	SESSION_ID:${SESSION_ID};LOG ID:${LOG_ID};"${LOG_TIME}";TIME TO PROCESS:${REPLY_TIME};\nOCSP REQUEST:\n"${OCSPREQUEST}";\nOCSP RESPONSE:\n"${OCSPRESPONSE}";\nSTATUS:${STATUS} The audit log message. Variables may be used as specified in the documentation.

Date format	Specify how time should be logged using an RFC 3339 compliant date string, e.g. "yyyy-MM-dd HH:mm:ss.SSSZ".

OCSP Responders

Import OCSP Signing Certificate

Set Default Responder

Enable nonce extension in OCSP replies from CAs

Responder ID Type for CAs

Enable OCSP signing cache update

Enable cache headers for unauthorized responses

Default Validity Times

OCSP Audit and Transaction Logging