Cryptographic Security Platform 1.0.0 - Installation and administration guide [PDF]

Select the OCSP Responder-Server tab of the Configuration page to configure optional OCSP responder settings.

Mandatory: No

Read timeout

The maximum allowed period for reading an entire request, including the body. When this period expires, the request gets the following response.

Code=503,Reason=Service Unavailable

Mandatory: No. This optional value defaults to 60 seconds.

Write timeout

The maximum period allowed for writing a response. When this period expires, the request gets the following response.

Code=503,Reason=Service Unavailable

Mandatory: No. This optional value defaults to 60 seconds.

Idle timeout

The maximum period to wait for the next request when keep-alives are enabled.

Mandatory: No. This optional value defaults to 10 seconds.

Max header bytes

The maximum number of bytes allowed for keys and values in the request header, including the request line.

Mandatory: No. This optional value defaults to 1024.

Max body bytes

The maximum number of bytes allowed in the request body.

Mandatory: No. This optional value defaults to 8192.

Graceful timeout

The grace period before shutting down the server.

Mandatory: No. This optional value defaults to 15 seconds.

Listen limit

The maximum number of outstanding requests.

Mandatory: No. This optional value defaults to 0 (no limit).

Keep alive

The TCP keep-alive timeouts on accepted connections.

When this period expires, the server prunes dead TCP connections.

Mandatory: No. This optional value defaults to 3 minutes.

Response Profile ID

The identifier of the profile for generating OCSP responses.

Mandatory: No. This optional value defaults to the basic identifier of the only supported profile. This profile:

Sets byKey as responder identifier.
If present in the request, copies the id-pkix-ocsp-nonce extension value in the response.
Signs the response with the SHA-256 algorithm.

HTTP Error

The HTTP error returned in the OCSP response body for failed requests. See the table below for the value returned when enabling or disabling this parameter.

Request type
Invalid request	HTTP 400	HTTP 200
Valid request that could not be processed	HTTP 404	HTTP 200

Mandatory: No. This optional value defaults to .

Retry Unknown Certificates

Retry fetching the status of certificates classified as unknown after the initial retrieval.

This setting is only effective for certificate profiles that enable the revokedIfUnknown parameter.

Mandatory: No. This optional value defaults to .