OCSP Configuration

Online Certificate Status Protocol (OCSP) is an Internet protocol used by applications to obtain the revocation status of an X.509 digital certificate.

The OCSP policy configuration file is stored as z:\system\data\ocsppolicy.ini . The default implementation looks like this:

      
       
      
      GenerateResponseForMissingUri = true
EnableHttpGETMethod = false
     

Device creators must modify the configuration file and rebuild the securityconfig component, to customise the behavior of the OCSP component.

Description

Flag Name

Default Value

Description

GenerateResponseForMissingUri

true

Decides whether an OCSP client should send a request and expect a response even if both Authority Information Access (AIA) in the certificate and the global OCSP URL are not present.

AIA extension and the global OCSP URI are the two sources to get the trust status of the certificate, and it is required that one of these two sources must be present to get correct trust status of the certificate.

The GenerateResponseForMissingUri flag allows to override the default settings in the following ways:

  • If GenerateResponseForMissingUri flag is set to true , the OCSP client is allowed to send an OCSP request and expect a response, even if both AIA and global OCSP URI sources are not present.

  • If the flag is set to false , the OCSP client is not allowed to send an OCSP request and expect an response thereby.

EnableHttpGETMethod

false

Decides how the OCSP request should be sent when a request size is small.

HTTP based OCSP requests can use GET or the POST method to submit their requests.

  • Use GET method for enabling HTTP caching, if a request size (even after encoding) is lesser than 255 bytes.

  • Use POST method, if HTTP caching is not important, or the request is greater than 255 bytes.

You need to set EnableHttpGETMethod flag as false , to forcibly submit using POST method, even if the request is less than 255 bytes.

For more details about these two flags, see RFC2560 - X.509 PKI OCSP standard .