EJBCA OCSP

Validation Server Responder

On-line certificate validation is efficiently achieved by the use of EJBCA OCSP Responder - a high performance, scalable Validation Server built upon the OCSP standard.

CRL versus OCSP

When deploying certificate infrastructures, one must provide users with the right means to verify certificate validity. This is usually done by means of Certificate Revocation Lists. However, use of CRLs may sometimes be inconvenient or inadequate - in such cases organizations may opt to use EJBCA OCSP responders.

On-line certificate validation

Unlike some responders, EJBCA OCSP can provide true on-line certificate validation.

Since EJBCA OCSP uses a relational database as back-end storage, the certificate validation information can be updated immediately when a certificate is revoked. No need to wait for issuance of CRLs! One can even issue millions of inactive certificates that can later on be activated - something virtually impossible using traditional methods.

PKI independent

The EJBCA OCSP Responder can provide certificate validation services for any PKI, including EJBCA. The PKI independence arises from the fact that the OCSP responder is a stand-alone component, fed and updated with certificate status information from the Certificate Authority.

Platform independent, flexible and robust

Based on the same Java EE platform as EJBCA PKI, the OCSP responder features the same platform independence, flexibility and robustness as EJBCA PKI.

Enterprise scalability

EJBCA OCSP responder has support for the leading HSMs and allows easy and reliable clustering. This ensures linear scalability - thus achieving breathtaking performance. It is even possible to shut down a node for maintenance, while other nodes continue to answer requests.

The EJBCA OCSP responder contains a built-in monitoring facility, ensuring that the responder is functioning properly at all times.

Audit and logging

In order to support a wide range of business models, the OCSP responder has highly configurable audit and transaction logging capabilities. If there is a need to charge your customers making requests or to keep requests and responses for audit - the EJBCA OCSP responder will satisfy your demands!

Features

  • Implements RFC 2560 and RFC 5019.
  • Independent of CA software used.
  • One responder can respond for any number of CAs.
  • Status information stored in SQL database.
  • Does not depend on CRLs. Status information can be updated in real-time.
  • Plug-in mechanism for custom OCSP extensions.
  • Highly configurable audit and transaction logging. Suitable for invoicing.
  • Supports PKCS#11 HSMs.
  • Built-in health check used by load balancers and for monitoring.
  • Configurable for requiring signed requests, authorized signers, etc.
  • Linear scalability for performance and high availability by adding multiple nodes.
  • High performance, >500 requests per second can be achieved on a single server.
  • OCSP client in Java.

Product Info

Downloads

Wish to run EJBCA PKI, OCSP or EAC? Simply download the EJBCA package and configure the software to your liking! The SourceForge.net download page offers links to installation guidelines.