OCSP Responder
This section details the API endpoints for the Online Certificate Status Protocol (OCSP) Responder. OCSP is a protocol used for obtaining the revocation status of X.509 digital certificates in real-time. This service is critical for applications and clients that need to quickly verify the validity of certificates without relying on potentially outdated Certificate Revocation Lists (CRLs).
Key Functionalities
Handle OCSP POST Request
- Endpoint: `POST /api/v1/ocsp`
- Description: Processes standard OCSP requests submitted via HTTP POST. The request body is expected to contain a DER-encoded OCSP request.
- Public Access: This endpoint is public and does not require authentication, as per OCSP protocol standards.
- Request Processing: Delegates the processing of the OCSP request to the `OcspService`.
- Response: Returns a DER-encoded OCSP response with the `application/ocsp-response` content type and `no-cache` headers.
Handle OCSP GET Request
- Endpoint: `GET /api/v1/ocsp/{base64url-encoded-request}`
- Description: Processes OCSP requests submitted via HTTP GET, as specified in RFC 5019. The OCSP request is provided as a base64url-encoded string in the URL path.
- Public Access: This endpoint is public and does not require authentication.
- Decoding: Decodes the base64url-encoded request before processing.
- Response: Returns a DER-encoded OCSP response with the `application/ocsp-response` content type and `no-cache` headers.
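Added example (not code from this page or the product it documents) that builds a minimal DER OCSPRequest for one certificate and walks both sides of the GET form above: the client encoding the request into the URL path segment and the responder decoding and sanity-checking it before handing it to the service. One caveat for implementers: RFC 6960 Appendix A.1 specifies percent-encoded standard base64 for the path segment, while this page describes base64url, so the decoder below accepts both (and tolerates stripped padding). The issuer name, issuer key bits and serial number are constructed placeholders.

```python
import base64
import hashlib
import urllib.parse
# Constructed sample inputs for this example, not real PKI material.
ISSUER_NAME_DER = b"\x30\x00"       # placeholder for the issuer's DER-encoded Name
ISSUER_PUBKEY_BITS = b"\x00" * 32   # placeholder for the issuer's public key bits
SERIAL = 0x1A2B3C                   # placeholder certificate serial number
OID_SHA256 = bytes.fromhex("608648016503040201")  # id-sha256, 2.16.840.1.101.3.4.2.1
RESPONSE_HEADERS = {"Content-Type": "application/ocsp-response", "Cache-Control": "no-cache"}  # set on every response

def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (definite length, content up to 65535 bytes)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content
def der_int(value: int) -> bytes:
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))  # sized so the sign bit stays clear

def build_ocsp_request(issuer_name: bytes, issuer_key: bytes, serial: int) -> bytes:
    """DER OCSPRequest with one CertID, SHA-256 hashes, no extensions (RFC 6960 4.1.1)."""
    cert_id = der(0x30,
                  der(0x30, der(0x06, OID_SHA256) + der(0x05, b""))  # hashAlgorithm
                  + der(0x04, hashlib.sha256(issuer_name).digest())  # issuerNameHash
                  + der(0x04, hashlib.sha256(issuer_key).digest())   # issuerKeyHash
                  + der_int(serial))                                 # serialNumber
    request_list = der(0x30, der(0x30, cert_id))  # SEQUENCE OF Request (one Request)
    tbs_request = der(0x30, request_list)         # version omitted => DEFAULT v1
    return der(0x30, tbs_request)

def get_path_segment(ocsp_request: bytes) -> str:
    """Client side of the GET form as this page documents it: base64url of the DER."""
    return base64.urlsafe_b64encode(ocsp_request).decode("ascii")

def get_path_segment_rfc6960(ocsp_request: bytes) -> str:
    """The form in RFC 6960 Appendix A.1: percent-encoded standard base64."""
    return urllib.parse.quote(base64.b64encode(ocsp_request).decode("ascii"), safe="")

def decode_get_segment(segment: str) -> bytes:
    """Server side: accept both GET forms (padding optional), then require exactly one DER SEQUENCE."""
    text = urllib.parse.unquote(segment).replace("-", "+").replace("_", "/")
    text += "=" * (-len(text) % 4)
    raw = base64.b64decode(text, validate=True)
    if len(raw) < 2 or raw[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (OCSPRequest)")
    hdr = 2 if raw[1] < 0x80 else 2 + (raw[1] & 0x7F)
    body_len = raw[1] if raw[1] < 0x80 else int.from_bytes(raw[2:hdr], "big")
    if hdr + body_len != len(raw):
        raise ValueError("DER length does not match the decoded request size")
    return raw
```

The length check rejects trailing bytes after the OCSPRequest, which a plain `b64decode` would silently pass on to the parser.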
Service Information
- Endpoint: `GET /api/v1/ocsp/info`
- Description: Provides detailed information about the OCSP Responder service, including its version, status, supported features, cache policy, and compliance with relevant RFCs.
- Details: Includes supported features like certificate status checking, revocation checking, GET/POST methods, SHA256 signatures, and compliance with RFC 2560 (OCSP v1), RFC 6960 (OCSP Extensions), and RFC 5019 (HTTP GET Support).
- Statistics: Provides statistics such as the number of active CAs, active certificates, and revoked certificates.
Health Check
- Endpoint: `GET /api/v1/ocsp/health`
- Description: Provides a health status check for the OCSP Responder service, indicating its operational state.
Get Configuration
- Endpoint: `GET /api/v1/ocsp/configuration`
- Description: Retrieves detailed configuration settings for the OCSP Responder. This endpoint is restricted to debug mode only for security reasons.
- Details: Includes `ocsp_enabled` status, `ocsp_responder_url`, `signing_algorithm`, `response_validity_hours`, `supported_hash_algorithms`, and a list of active CAs with their OCSP URLs.
Inferred Specifications
- RFC Compliance: The OCSP Responder fully complies with RFC 2560 (OCSP v1), incorporates extensions from RFC 6960, and supports HTTP GET requests as defined in RFC 5019, ensuring broad interoperability.
- Real-time Certificate Status Verification: Provides an efficient and real-time mechanism for clients to verify the revocation status of digital certificates, which is superior to relying solely on CRLs for immediate checks.
- Public and Unauthenticated Access: OCSP endpoints are designed for public access without requiring authentication, which is a fundamental requirement for certificate status services.
- Dual Request Method Support: Supports both HTTP POST (for DER-encoded requests) and HTTP GET (for base64url-encoded requests), offering flexibility for various client implementations.
- No Caching for Responses: OCSP responses are explicitly configured with `no-cache` headers to ensure that clients always receive the most current certificate status information.
- Comprehensive Service Metadata: The `serviceInfo` endpoint provides rich metadata about the OCSP Responder's capabilities, supported features, and compliance, aiding in client integration and auditing.
- Health Monitoring: A dedicated health check endpoint allows for continuous monitoring of the OCSP service's operational status.
- Secure Configuration Access: Sensitive OCSP configuration details are protected, accessible only when the application is in debug mode, preventing unauthorized disclosure.
- Audit Logging: All OCSP requests and any associated failures are logged for security, compliance, and troubleshooting purposes (implied by the `OcspService` and overall system design).
- Supported Hash Algorithms: The responder supports various hash algorithms, including SHA-1, SHA-256, SHA-384, and SHA-512.
- Response Validity: OCSP responses are valid for a configurable period, typically 24 hours.