Skip to main content
Skip table of contents

Setting up a Validation Authority (VA)

There are two basic methods used by Validation Authorities (VAs) to obtain the revocation status of a certificate: The Online Certificate Status Protocol (OCSP) and the certificate revocation list (CRL). These methods are characterized in the following sections:

Online Certificate Status Protocol

The mechanism of the Online Certificate Status Protocol (OCSP) checks the revocation status of a certificate via an online protocol, called OCSP. Advantages are the following:

  • With OCSP, administrators and programmers can get revocation information on a specific certificate in real-time. They do not have to rely on a CRL that might not have the latest information. In addition, CRLs can become very large over time.
  • OCSP communication is very bandwidth efficient. Compared to downloading a large CRL file, it uses a fraction of the bandwidth.

Implementing OCSP responders also has some disadvantages:

  • Communication to the OCSP responders is required to check the revocation status. Software or services cannot cache the OCSP requests. To overcome this limitation, some organizations implement a hybrid model that includes OCSP and CRL technologies.
  • OCSP technology is inherently more complex than CRLs which are simple signed text files or LDAP records.


CRL Distribution Point

A CRL distribution point is an attribute of a certificate. It allows applications to retrieve and check a CRL over the internet. Some compliance standards ask for a CRL distribution point in issued subscriber certificates.


VA Setup Scenarios for Hardware Appliance

The Hardware Appliance offers two basic options for VA setups:

The following sections guide you through both setup options.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close