Follow the steps below to issue an OCSP responder VA certificate using the Certificate Authority solution provided by Cryptographic Security Platform.
The Certificate Authority solution provides built-in CRL and OCSP capabilities. Therefore, you do not need the Validation Authority to check the validity status of certificates issued by CA instances managed by the Certificate Authority solution.
Creating a Certificate Authority to issue OCSP responder VA certificates
Follow the steps described in Managing Certificate Authority to create:
- A root Certificate Authority.
- An issuing Certificate Authority with at least one signature profile – for example, the
wstep-digital-signatureprofile described in Active Directory (WSTEP) certificate profiles.
Creating a OCSP certificate request
Create a CA Gateway certificate enrollment request – for example:
{ "csr": "MIIDVzCCAb8...", "profileId": "wstep-digital-signature", "requiredFormat": { "format": "X509" }, "optionalCertificateRequestDetails": { "extensions": [ { "oid": "2.5.29.37", "critical": true, "value": "1.3.6.1.5.5.7.3.9" } ], "validity_period": "2024-11-06T13:00Z/2026-07-06T13:00:00Z" }}See below for the values required by each request field.
Field | Line | Value |
|---|---|---|
csr | 2 | The base64-encoded Certificate Signing Request previously generated in Generating a VA key pair as a single line. |
extensions | 8 | The same fields and values as in the above example (to select the OCSP signing extended key usage). |
validity_period | 15 | The validity period for the issued certificate. The expiry date in this period cannot exceed the expiry date of the issuing CA certificate. |
Processing the OCSP certificate request
See below for processing the OCSP certificate request and obtaining the issued certificate.
To process the OCSP certificate request
- Use a REST client to process the request as explained in Issuing certificates with a REST client.
- Edit the REST response and copy the base64-encoded string in the
bodyfield. - Save the string in a file with the
-----BEGIN CERTIFICATE-----and-----END CERTIFICATE-----delimiters – for example:-----BEGIN CERTIFICATE-----MIIIcDCCBligAwIBAgITMwEf/Fvr7NDwanyeRAAAAR/8WzANBgkqhkiG9w0BAQwFADBdMQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u...UdO85g==-----END CERTIFICATE----- - Use this certificate file as the VA certificate when configuring the OCSP Responder settings.