EJBCA Validation Authority
EJBCA OCSP Validation Authority. A validation authority (VA) is an entity that provides services used to validate certificates.
On-line real time certificate validation server
On-line certificate validation is efficiently achieved through the use of the EJBCA OCSP Responder — PrimeKey’s high performance, scalable Validation Server, based upon the OCSP standard. Unlike some other responders, EJBCA OCSP is capable of providing real time certificate validation.
True on-line certificate validation
You don’t have to wait for issuance of CRLs when working with a true on-line certificate validation system like the EJBCA OCSP Server. Using a relational database as back-end storage, EJBCA OCSP can immediately update certificates information upon certificates revocation. One can even issue millions of inactive certificates that can later on be activated – something virtually impossible using traditional methods.
CRL versus OCSP
Deploying certificate infrastructures, users have to be provided the right means to verify certificate validity. This is usually done by means of Certificate Revocation Lists. However, where the use of CRLs are inconvenient or inadequate, organizations may opt to use the EJBCA OCSP responders.
The EJBCA OCSP Responder can provide certificate validation services for any PKI, including EJBCA. The PKI independence arises from the fact that the OCSP responder is a stand-alone component, fed and updated with certificate status information from the Certificate Authority.
Platform independent, flexible and robust
Based on the same Java EE platform as EJBCA PKI, the OCSP responder features the same platform independence, flexibility and robustness as EJBCA PKI.
EJBCA OCSP responder has support for the leading HSMs and allows easy and reliable clustering. This ensures linear scalability – thus achieving breathtaking performance. It is even possible to shut down a node for maintenance, while other nodes continue to answer requests.
The EJBCA OCSP responder contains a built-in monitoring facility, ensuring that the responder is functioning properly at all times.
Audit and logging
In order to support a wide range of business models, the OCSP responder has highly configurable audit and transaction logging capabilities. If there is a need to charge your customers making requests or to keep requests and responses for audit – EJBCA OCSP responder will satisfy your demands!
- Implements RFC 2560, RFC 6960 and RFC 5019
- Independent of CA software used.
- One responder can respond for any number of CAs.
- Status information stored in SQL database.
- Not depending on CRLs. Status information can be updated in real-time.
- Plug-in mechanism for custom OCSP extensions.
- Highly configurable audit and transaction logging. Suitable for invoicing.
- Supports PKCS#11 HSMs.
- Built in health check used by load balancers and for monitoring.
- Configurable for requiring signed requests, authorized signers, etc.
- Linear scalability for performance and high availability by adding multiple nodes.
- High performance, >500 request per second can be achieved on a single server.
- OCSP client in java.
Contact us to discuss your needs for a Validation Authority: email@example.com
EJBCA® is a registered trademark of PrimeKey Solutions AB.