External OCSP Responders

Externalizing your OCSP service to a Validation Authority provides several benefits:

  • By separating the validation service from the CA, security is increased by allowing the CA to reside behind a firewall not allowing incoming connections, while the VA(s) reside in the DMZ.

  • Externalization of the VA allows for greater degrees of availability. Separation allows for maintenance to be performed on even unclustered CAs without any downtime on OCSP services.

  • Ensure the highest performance. Even though the OCSP responder is fast, it's not uncommon for loads on a VA infrastructure to be extremely high at times. Several VA nodes can set up to proxy for the same CA behind a load balancer, and VA nodes can be localized geographically to ensure minimal RTT.

The following shows a rough schema of the architecture using external OCSP responders.

images/inline/ad5fdfe3ed3b08decdc84b027debcbd7fdd02fba912f89446ff11a97e32e5853.png

Features

  • Implements RFC 2560, RFC 6960 and RFC 5019.

  • Independent of CA software used (various degrees of integration possible and may be required).

  • One responder can respond for any number of CAs.

  • Status information stored in SQL database.

  • Not depending on CRLs. Status information can be updated in real-time.

  • Plug-in mechanism for custom OCSP extensions.

  • Highly configurable audit and transaction logging. Suitable for invoicing.

  • Supports PKCS#11 HSMs and soft keys.

  • Built-in health check used by load balancers and for monitoring.

  • Configurable for requiring signed requests, authorized signers, etc.

  • Can answer good or unknown to non-existing certificates, with different configuration based on request URI.

  • Linear scalability for performance and high availability by adding multiple nodes.

  • High performance, >500 requests per second on a single server.

  • On-line renewal of OCSP responder keys and certificates.

  • OCSP client in Java (Client ToolBox).

  • Support for Norwegian Unid FNR extension.