Preproducing OCSP Responses on an external system #95
ronaldvanrij started this conversation in General
Replies: 1 comment
Hi, kind of. In the Enterprise edition we have OCSP response pre-production which can be configured to publish responses signed by the CA to a VA, but there is no sneakernet method of passing them to the VA; they need to be sent online via one of our publishers. The other option is populating a VA using a CRL, which works in Community, but it requires a delegated OCSP signer on the VA end to sign the responses. Cheers,
When using an external (offline) CA, the usual method of providing an OCSP service is to publish the issued certificates to the online VA environment and sign the OCSP responses using an OCSP Delegated Responder certificate and a netHSM.
We're looking at a slightly different option: to preproduce the OCSP responses for a limited and finite number of intermediate CA certificates. Would it be possible to have those responses signed directly by the external (offline) CA and the responses themselves published to the VA, which would serve them directly? This method would save us from signing OCSP Delegated Responder certificates (and their related risks) and from acquiring/maintaining a netHSM.
Since we're interested in intermediate CAs, signed OCSP responses are valid for 12 months, so renewing would be a yearly exercise, as would renewing the CRLs.
Any pointers regarding the validity of this method and its (potential) implementation using EJBCA would be most appreciated.
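The two models discussed in this thread, a pre-produced response signed directly by the issuing CA and one signed by a delegated responder that carries the id-kp-OCSPSigning EKU, are shown side by side below in an added example written for this page with the Python `cryptography` package; it is not EJBCA code and does not use the EJBCA publisher interface. The CA, intermediate and responder certificates are constructed in memory, the "good" responses are built with a long nextUpdate as a pre-production job would, and a VA-side check classifies who signed a stored response and whether it is still within its validity window. All names (`Offline Root CA`, `Intermediate CA`, `VA Delegated Responder`) and the helper functions are assumptions made for the example.

```python
import datetime
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.exceptions import InvalidSignature

UTC = datetime.timezone.utc


def _now():
    # Naive UTC, which the cryptography builders expect.
    return datetime.datetime.now(UTC).replace(tzinfo=None)


def make_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def make_cert(subject_cn, pubkey, issuer_cert, issuer_key, days, eku=None):
    """Issue a certificate; issuer_cert=None means a self-signed root (constructed test PKI)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    now = _now()
    b = (x509.CertificateBuilder()
         .subject_name(subject).issuer_name(issuer).public_key(pubkey)
         .serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
         # CA certs unless an EKU marks this as an end-entity (responder) cert
         .add_extension(x509.BasicConstraints(ca=eku is None, path_length=None), critical=True))
    if eku:
        b = b.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return b.sign(issuer_key, hashes.SHA256())


def preproduce_response(subject_cert, issuer_cert, signer_key, signer_cert, validity_days, include_certs=()):
    """Build a signed 'good' response with a long nextUpdate, as a pre-production job would.
    signer_* is either the issuing CA itself (offline signing) or a delegated responder."""
    now = _now()
    b = (ocsp.OCSPResponseBuilder()
         .add_response(cert=subject_cert, issuer=issuer_cert, algorithm=hashes.SHA256(),
                       cert_status=ocsp.OCSPCertStatus.GOOD,
                       this_update=now, next_update=now + datetime.timedelta(days=validity_days),
                       revocation_time=None, revocation_reason=None)
         .responder_id(ocsp.OCSPResponderEncoding.NAME, signer_cert))
    if include_certs:
        # A delegated responder ships its own certificate so clients can chain it to the CA.
        b = b.certificates(list(include_certs))
    # DER bytes are what would be stored on and served by the VA.
    return b.sign(signer_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def _rsa_verify(pubkey, signature, data, hash_alg):
    try:
        pubkey.verify(signature, data, padding.PKCS1v15(), hash_alg)
        return True
    except InvalidSignature:
        return False


def classify_signer(der_response, issuer_cert):
    """VA/client-side check: 'ca' if the issuing CA signed the response itself,
    'delegated' if an OCSPSigning responder issued by that CA did, else 'untrusted'."""
    resp = ocsp.load_der_ocsp_response(der_response)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "untrusted"
    if (resp.responder_name == issuer_cert.subject and
            _rsa_verify(issuer_cert.public_key(), resp.signature,
                        resp.tbs_response_bytes, resp.signature_hash_algorithm)):
        return "ca"
    for c in resp.certificates:
        try:
            eku = c.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        except x509.ExtensionNotFound:
            continue
        # RFC 6960 s4.2.2.2: authorized responder = id-kp-OCSPSigning cert issued by the CA.
        if (ExtendedKeyUsageOID.OCSP_SIGNING in eku and c.issuer == issuer_cert.subject
                and _rsa_verify(issuer_cert.public_key(), c.signature,
                                c.tbs_certificate_bytes, c.signature_hash_algorithm)
                and _rsa_verify(c.public_key(), resp.signature,
                                resp.tbs_response_bytes, resp.signature_hash_algorithm)):
            return "delegated"
    return "untrusted"


def still_valid(der_response, days_from_now=0):
    """True if the stored response's nextUpdate has not passed `days_from_now` days from now."""
    resp = ocsp.load_der_ocsp_response(der_response)
    if hasattr(resp, "next_update_utc"):        # cryptography >= 43
        nu = resp.next_update_utc
    else:
        nu = resp.next_update
        if nu is not None:
            nu = nu.replace(tzinfo=UTC)
    at = datetime.datetime.now(UTC) + datetime.timedelta(days=days_from_now)
    return nu is not None and at <= nu


def demo():
    """Constructed PKI: offline root, one intermediate, one delegated responder."""
    ca_key = make_key()
    ca_cert = make_cert("Offline Root CA", ca_key.public_key(), None, ca_key, 3650)
    sub_key = make_key()
    sub_cert = make_cert("Intermediate CA", sub_key.public_key(), ca_cert, ca_key, 1825)
    # Model 1: the offline CA signs a 12-month response for its intermediate.
    ca_signed = preproduce_response(sub_cert, ca_cert, ca_key, ca_cert, 365)
    # Model 2: an online VA responder with id-kp-OCSPSigning signs short-lived responses.
    va_key = make_key()
    va_cert = make_cert("VA Delegated Responder", va_key.public_key(), ca_cert, ca_key, 365,
                        eku=[ExtendedKeyUsageOID.OCSP_SIGNING])
    delegated = preproduce_response(sub_cert, ca_cert, va_key, va_cert, 7, include_certs=[va_cert])
    return ca_cert, ca_signed, delegated


if __name__ == "__main__":
    ca_cert, ca_signed, delegated = demo()
    print(classify_signer(ca_signed, ca_cert), still_valid(ca_signed, 364))
    print(classify_signer(delegated, ca_cert), still_valid(delegated, 8))
```

The CA-signed response needs no responder certificate in the response and no OCSPSigning EKU anywhere, which is exactly what removes the delegated-responder risk the question mentions; the trade-off visible in `still_valid` is that a response with a 12-month nextUpdate cannot reflect a revocation until it is re-produced, so the publication cadence becomes the effective revocation latency.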