OCSP Response Pre-Signer
ENTERPRISE
The OCSP Response Pre-Signer worker pre-generates, persists and updates OCSP Responses for certificates issued by the configured CAs. When the service worker runs, responses are generated according to the current OCSP settings (global configuration, OCSP Key Bindings, and so on). That is, the response produced for each certificate status can be expected to contain the same information as a response to an OCSP Request at that point in time, with the exception of unsupported extensions. For more information, see Supported Extensions in OCSP Response Pre-Production.
The following lists available worker settings:
Setting | Description |
---|---|
CAs to Check | Select which CAs to produce OCSP Responses for. Responses are generated for certificates issued by the selected CAs. |
CertId Hash Algorithm | Hash algorithm used for "issuerNameHash" and "issuerKeyHash" when producing responses. Some OCSP clients expect the response to use the same hash algorithm as the request. |
Generate Responses for All Certificates | Generates responses for all certificates issued by the selected CAs every time the service worker runs, regardless of when the existing responses expire. Note that enabling this option overrides Update Expired Responses Only. Select this setting when you want all OCSP responses to expire around the same time, taking into consideration the size of the PKI and the lifetime of the next update. Pre-signing for a large number of certificates can become a performance issue; in that case, use Update Expired Responses Only instead. |
Include Certificates That Have Expired | Select this setting to produce OCSP responses for certificates that have expired. Responses are then also generated for expired certificates issued by the selected CAs every time the worker runs. |
Update Expired Responses Only | Only update responses that expire before the configured time. A persisted OCSP Response is considered expired when less than the configured time remains before its nextUpdate (see Time Before Response Expires). Select this setting to update responses as they expire, so that responses do not all expire around the same time. Large PKIs using pre-signed OCSP should consider this option to optimize performance and avoid a bottleneck in pre-signed OCSP response generation. |
Time Before Response Expires | The number of Days/Hours/Minutes/Seconds that should remain of the persisted response's validity (nextUpdate) before a new response is generated. |
| | Generate and persist a final OCSP Response (nextUpdate '99991231235959Z') for each and every certificate issued by the CA when the CA is about to expire. See ETSI EN 319 411-2 (CSS-6.3.10-09). |
Time Before CA Expires | The number of Days/Hours/Minutes/Seconds before the CA expires at which to issue the final OCSP Response. |
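To make the interplay of these settings concrete, the following Python models which persisted responses one worker run would re-sign. This is an added illustration, not EJBCA code: the data model, the function names, the rule that a response that is already final is never replaced, and the reading of "update_all off" as Update Expired Responses Only are all assumptions; the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
FINAL_NEXT_UPDATE = "99991231235959Z"  # nextUpdate of a final response (value from the page)

def parse_generalized_time(s: str) -> datetime:
    """Parse an ASN.1 GeneralizedTime in YYYYMMDDHHMMSSZ (UTC) form."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

@dataclass
class PersistedResponse:  # hypothetical model of one stored response
    serial: str
    cert_not_after: datetime
    next_update: str  # stored as GeneralizedTime

@dataclass
class PreSignerConfig:  # the worker settings from the table above
    update_all: bool = False  # Generate Responses for All Certificates
    include_expired_certs: bool = False  # Include Certificates That Have Expired
    time_before_expires: timedelta = timedelta(hours=1)  # Time Before Response Expires
    final_on_ca_expiry: bool = False  # final response for every certificate of an expiring CA
    time_before_ca_expires: timedelta = timedelta(days=7)  # Time Before CA Expires

def plan_run(responses, cfg, ca_not_after, now):
    """Return {serial: 'final'|'regular'} for one run (assumed: update_all off = expired-only; final is never replaced)."""
    plan = {}
    ca_expiring = cfg.final_on_ca_expiry and ca_not_after - now <= cfg.time_before_ca_expires
    for r in responses:
        if r.next_update == FINAL_NEXT_UPDATE:
            continue  # already final
        if ca_expiring:
            plan[r.serial] = "final"  # every certificate of the CA, expired or not
            continue
        if r.cert_not_after <= now and not cfg.include_expired_certs:
            continue  # expired certificate and the option is off
        remaining = parse_generalized_time(r.next_update) - now
        if cfg.update_all or remaining < cfg.time_before_expires:
            plan[r.serial] = "regular"
    return plan

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed "current time"
def sample_responses():
    """Constructed sample data, not taken from any EJBCA database."""
    valid, expired = datetime(2025, 1, 1, tzinfo=timezone.utc), datetime(2024, 1, 1, tzinfo=timezone.utc)
    return [
        PersistedResponse("01", valid, "20240601123000Z"),    # 30 min of validity left
        PersistedResponse("02", valid, "20240602120000Z"),    # a full day left
        PersistedResponse("03", expired, "20240601123000Z"),  # certificate already expired
        PersistedResponse("04", valid, FINAL_NEXT_UPDATE),    # already final
    ]
```

Running `plan_run(sample_responses(), PreSignerConfig(), ca_not_after, NOW)` with a CA valid for another year re-signs only serial 01; switching on the final-response setting with a CA expiring in three days marks 01, 02 and 03 as final and leaves 04 alone.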
The OCSP Response Pre-Signer can be configured to run on either CA or VA instances. Running the service worker on a VA instance requires a full EJBCA build and configured OCSP Internal Key Bindings to sign the OCSP responses. Deployments limited to VA-only functionality currently lack the service worker.
As of EJBCA 7.10.0, this service only pre-signs responses for non-expired certificates. Expired responses for expired certificates are not updated.