The Online Certificate Status Protocol (OCSP) lets OCSP-enabled applications determine the revocation state of an X.509 client certificate in a more timely manner than is possible with Certificate Revocation Lists. Certificate Revocation Lists can get large and their propagation can become slow. OCSP checking provides real-time status information and lessens network traffic significantly.
During certificate checking, the Policy Server looks up the certificate's Issuer DN in a configuration file, smocsp.conf. If the Issuer DN is found, a certificate status check is made using a certified OCSP 1.0 Responder, which is specified in the smocsp.conf file. If the Issuer DN is not found in the configuration file, no status check is made and the certificate is considered to have passed OCSP checking.
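Because an issuer that is missing from smocsp.conf passes without a status check, it is worth auditing which trusted issuers have no responder entry. The following is an added example, not CA's code: the dict stands in for the configuration and is not the smocsp.conf syntax, and the DN normalization, issuer names and responder URL are assumptions.

```python
import re

def normalize_dn(dn):
    """Lower-case and trim each RDN so cosmetic differences do not matter.
    Assumption: the page does not say how the Policy Server compares DNs;
    a stricter comparison would leave more issuers unchecked than reported here."""
    rdns = re.split(r"(?<!\\),", dn)  # split on unescaped commas only
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        out.append(attr.strip().lower() + "=" + " ".join(value.split()).lower())
    return ",".join(out)

def responder_for(issuer_dn, ocsp_config):
    """Return the responder configured for this issuer, or None.
    None is the case the page describes as having passed OCSP checking."""
    table = {normalize_dn(dn): url for dn, url in ocsp_config.items()}
    return table.get(normalize_dn(issuer_dn))

def unchecked_issuers(trusted_issuers, ocsp_config):
    """Trusted issuers whose certificates would never be sent to a responder."""
    return [dn for dn in trusted_issuers if responder_for(dn, ocsp_config) is None]

# Constructed sample data (hypothetical issuer names and responder URL).
OCSP_CONFIG = {
    "CN=Example Issuing CA,O=Example Corp,C=US": "http://ocsp.example.test",
}
TRUSTED_ISSUERS = [
    "cn=example issuing ca, o=Example Corp, c=US",   # same issuer, different spelling
    "CN=Partner CA, O=Partner\\, Inc, C=US",         # escaped comma inside a value
]

if __name__ == "__main__":
    for dn in unchecked_issuers(TRUSTED_ISSUERS, OCSP_CONFIG):
        print("no OCSP check for certificates issued by:", dn)
```

Any issuer the audit reports needs its own entry in the configuration, or revoked certificates from that issuer will continue to authenticate.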
OCSP checking requires:
Note: The Policy Server does not support OCSP on a Linux platform.
Copyright © 2010 CA. All rights reserved.