Externalizing your OCSP service to a Validation Authority (VA) provides several benefits:

- By separating the validation service from the CA, security is increased: the CA can reside behind a firewall that allows no incoming connections, while the VA(s) reside in the DMZ.
- Externalizing the VA allows for greater availability. Separation allows maintenance to be performed even on unclustered CAs without any downtime for OCSP services.
- It ensures the highest performance. Even though the OCSP responder is fast, it is not uncommon for loads on a VA infrastructure to be extremely high at times. Several VA nodes can be set up to proxy for the same CA behind a load balancer, and VA nodes can be placed geographically to ensure minimal RTT.

The following shows a rough schema of the architecture using external OCSP responders.
Features

- Independent of the CA software used (various degrees of integration are possible and may be required).
- One responder can respond for any number of CAs.
- Status information is stored in an SQL database.
- Does not depend on CRLs; status information can be updated in real time.
- Plug-in mechanism for custom OCSP extensions.
- Highly configurable audit and transaction logging, suitable for invoicing.
- Supports PKCS#11 HSMs and soft keys.
- Built-in health check used by load balancers and for monitoring.
- Configurable to require signed requests, authorized signers, etc.
- Can answer good or unknown for non-existing certificates, with different configuration based on the request URI.
- Linear scalability for performance and high availability by adding multiple nodes.
- High performance, >500 requests per second on a single server.
- On-line renewal of OCSP responder keys and certificates.
- OCSP client in Java (Client ToolBox).
- Support for the Norwegian Unid FNR extension.
- Support for the German CertificateHash extension.
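Because the VA signs responses with its own responder key rather than the CA's key (which is also what allows on-line renewal of responder keys and certificates), a relying party must verify the delegated responder certificate, not just the response signature. The following is an added example, not code from this page or from the VA software it describes: it builds a constructed CA, VA responder certificate and end-entity certificate with Python's cryptography library, has the VA sign a response, and performs the checks a client should make. All names and validity periods are made up.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, issuer_cn, signer_key, pub_key, ocsp_signing=False):
    # Constructed test certificate (not a real CA); optionally marked id-kp-OCSPSigning.
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(_name(issuer_cn))
         .public_key(pub_key).serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5)).not_valid_after(now + datetime.timedelta(days=30)))
    if ocsp_signing:
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    return b.sign(signer_key, hashes.SHA256())

# Constructed PKI: the CA key stays behind the firewall, the VA node holds only its own delegated signing key.
ca_key = ec.generate_private_key(ec.SECP256R1())
ca_cert = make_cert("Example Issuing CA", "Example Issuing CA", ca_key, ca_key.public_key())
va_key = ec.generate_private_key(ec.SECP256R1())
va_cert = make_cert("Example VA Responder", "Example Issuing CA", ca_key, va_key.public_key(), True)
ee_key = ec.generate_private_key(ec.SECP256R1())
ee_cert = make_cert("server.example", "Example Issuing CA", ca_key, ee_key.public_key())

def va_respond(cert, issuer_cert, signer_cert=va_cert, signer_key=va_key):
    # What a VA node does: sign the status with its responder key and attach its responder certificate.
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (ocsp.OCSPResponseBuilder()
               .add_response(cert=cert, issuer=issuer_cert, algorithm=hashes.SHA256(),
                             cert_status=ocsp.OCSPCertStatus.GOOD, this_update=now,
                             next_update=now + datetime.timedelta(hours=1),
                             revocation_time=None, revocation_reason=None)
               .responder_id(ocsp.OCSPResponderEncoding.HASH, signer_cert).certificates([signer_cert]))
    return builder.sign(signer_key, hashes.SHA256())

def client_verify(resp, issuer_cert):
    # Relying-party checks for a delegated responder: it chains to the issuing CA, carries the
    # OCSP-signing EKU, and actually signed this response. Raises on any failure.
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL or not resp.certificates:
        raise ValueError("not a successful response with an attached responder certificate")
    signer = resp.certificates[0]
    issuer_cert.public_key().verify(signer.signature, signer.tbs_certificate_bytes, ec.ECDSA(signer.signature_hash_algorithm))
    eku = next((e.value for e in signer.extensions if isinstance(e.value, x509.ExtendedKeyUsage)), [])
    if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
        raise ValueError("responder certificate lacks id-kp-OCSPSigning")
    signer.public_key().verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    return resp.certificate_status
```

A response signed by a certificate the CA issued but without the OCSP-signing EKU (the end-entity certificate, for instance) is rejected, which is the check that stops any subscriber from vouching for other certificates' status.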
