Subject: Any other parameters to customize OCSP?
Author: X509
In response to: How do I enable OCSP checking?
Posted on: 07/01/2010 08:23:16 PM
Yes, here you go:
Location of the OCSP responder
ocsp.responderURL=http://ocsp.example.net:80
By default, the location of the OCSP responder is determined implicitly from the certificate being validated. This property explicitly specifies the location of the OCSP responder. The property is used when the Authority Information Access extension (defined in RFC 3280) is absent from the certificate or when it requires overriding.
Similar to what you expect for crlDP, you may see the following entry in a certificate:
#3: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://onsite-ocsp.verisign.com]
]
Here, "http://onsite-ocsp.verisign.com" indicates the default location of the OCSP service.
Subject name of the OCSP responder's certificate
ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"
By default, the certificate of the OCSP responder is that of the issuer of the certificate being validated. This property identifies the certificate of the OCSP responder when the default does not apply. Its value is a string distinguished name (defined in RFC 2253) which identifies a certificate in the set of certificates supplied during cert path validation. In cases where the subject name alone is not sufficient to uniquely identify the certificate then both the "ocsp.responderCertIssuerName" and "ocsp.responderCertSerialNumber" properties must be used instead. When this property is set then those two properties are ignored.
Issuer name of the OCSP responder's certificate
ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
By default, the certificate of the OCSP responder is that of the issuer of the certificate being validated. This property identifies the certificate of the OCSP responder when the default does not apply. Its value is a string distinguished name (defined in RFC 2253) which identifies a certificate in the set of certificates supplied during cert path validation. When this property is set then the "ocsp.responderCertSerialNumber" property must also be set. When the "ocsp.responderCertSubjectName" property is set then this property is ignored.
Serial number of the OCSP responder's certificate
ocsp.responderCertSerialNumber=2A:FF:00
By default, the certificate of the OCSP responder is that of the issuer of the certificate being validated. This property identifies the certificate of the OCSP responder when the default does not apply. Its value is a string of hexadecimal digits (colon or space separators may be present) which identifies a certificate in the set of certificates supplied during cert path validation. When this property is set then the "ocsp.responderCertIssuerName" property must also be set. When the "ocsp.responderCertSubjectName" property is set then this property is ignored.
> On 07/01/2010 08:07:33 PM X509 wrote:
> Two ways:
> Dynamic Way
> // Activate OCSP
> Security.setProperty("ocsp.enable", "true");
> Static Way
> Locate the file named <java-jre>/lib/security/java.security
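The following is an added example, not code from the original thread, that puts the properties described above to use: it enables OCSP the "dynamic way", overrides the responder location and identifies a dedicated responder certificate by subject name, then runs a PKIX path validation with revocation checking switched on (without `setRevocationEnabled(true)` the ocsp.* properties are never consulted). The file names `leaf.pem`, `ca.pem` and `ocsp-responder.pem`, the responder URL and the responder subject name are placeholders assumed for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Added example: PKIX validation with OCSP revocation checking driven by the ocsp.* properties. */
public class OcspValidationExample {

    /** Loads one PEM/DER encoded X.509 certificate from disk. */
    static X509Certificate loadCert(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder file names assumed for this example.
        String leafPath = args.length > 0 ? args[0] : "leaf.pem";
        String caPath = args.length > 1 ? args[1] : "ca.pem";
        String responderPath = args.length > 2 ? args[2] : "ocsp-responder.pem";

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate leaf = loadCert(cf, leafPath);
        X509Certificate ca = loadCert(cf, caPath);
        X509Certificate responder = loadCert(cf, responderPath);

        // "Dynamic way": same keys could instead be placed in <java-jre>/lib/security/java.security.
        Security.setProperty("ocsp.enable", "true");
        // Explicit responder location, used when the AIA extension is absent or must be overridden.
        // Placeholder host for this example.
        Security.setProperty("ocsp.responderURL", "http://ocsp.example.net:80");
        // Responder certificate is not the issuer; identify it by subject DN (RFC 2253 form).
        // When this is set, ocsp.responderCertIssuerName / ocsp.responderCertSerialNumber are ignored.
        Security.setProperty("ocsp.responderCertSubjectName", "CN=OCSP Responder, O=XYZ Corp");

        CertPath path = cf.generateCertPath(Collections.singletonList(leaf));
        PKIXParameters params =
                new PKIXParameters(Collections.singleton(new TrustAnchor(ca, null)));
        // Revocation checking must be on, otherwise OCSP is never invoked.
        params.setRevocationEnabled(true);

        // The responder certificate must be among the certificates supplied during
        // validation so that the subject name above can be matched; a CertStore does that.
        List<X509Certificate> extra = new ArrayList<>();
        extra.add(responder);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(extra)));

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            PKIXCertPathValidatorResult result =
                    (PKIXCertPathValidatorResult) validator.validate(path, params);
            System.out.println("Path valid, anchored at "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // Index points at the certificate in the path that failed (-1 if not applicable).
            System.out.println("Path rejected at index " + e.getIndex() + ": " + e.getMessage());
        }
    }
}
```

Run it as `java OcspValidationExample leaf.pem ca.pem ocsp-responder.pem`. A rejection with a message mentioning the OCSP response (for example an unreachable responder or an unsigned/untrusted response) shows that the responder properties were actually applied; if the leaf validates without any network access, check that `ocsp.enable` was set before `validate()` and that revocation checking was enabled on the `PKIXParameters`.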