Back to resources

October 27, 2020

Tech updateEJBCA EnterpriseTrust Service Provider

Why is there a need for pre-produced OCSP Responses

Android signing schemes, compliance and crypto agility

Normally OCSP responses are produced on a per request basis. That means that for each client which poses a question about the status of a certificate, the Validation Authority (VA) checks that status and sends it back in a signed response - naturally this sets a heavy burden on the HSM used by the VA. Some VA maintainers have traditionally solved this using stapling, i.e. caching the response for each certificate at the proxy layer for a set amount of time. While this does solve the problem, it’s not always acceptable and requires the added responsibility of making sure that a valid response is delivered from the VA to the proxy.

In EJBCA 7.4.0, PrimeKey introduced the support for pre-produced (i.e. canned) OCSP responses. This feature is described in RFC 6960 section 2.5, which states that “OCSP responders MAY pre-produce signed responses specifying the status of certificates at a specified time”.

Using the pre-produced OCSP responses in EJBCA, the VA can be configured to - at selected intervals - sign and cache OCSP responses for a configured subset of certificates, optimally taking place during projected traffic lulls, and during traffic peaks allowing the VA to respond to OCSP requests without needing to perform a signature for each. Additionally, the EJBCA VA can also be configured to pre-compute an end-of-life OCSP response with an indefinite validity, for PKIs (such as eIDAS, see EN 319 411-2 (OCSP)) that require VA’s to continue to answer OCSP requests long past the CA’s own validity.

OCSP Response Pre-Production in EJBCA

Related blog and news

Tech-Update-Prepare-PKI-for-Quantum-Computing
2022-04-28
Tech update
Cryptography Solution

How to prepare your PKI for quantum computing

Tech-Update-Bouncy-Castle-Kotlin-API
2022-04-12
Tech update
Cryptography Solution

Keeping it simple – private key encryption with the Bouncy Castle Kotlin API

This website uses cookies

Cookies consist of small text files. They contain data that is stored on your device. To enable us to place certain types of cookies we need to obtain your consent. At PrimeKey AB, corp. ID no. 556628-3064, we use the following kinds of cookies. To read more about which cookies we use and storage times, click here to access our cookies policy.

Manage your cookie-settings

Necessary cookies

Necessary cookies are cookies that must be placed for basic functions to work on the website. Basic functions are, for example, cookies which are needed so that you can use menus on the website and navigate on the site.

Functional cookies

Functional cookies need to be placed on the website in order for it to perform as you would expect. For example, so that it recognizes which language you prefer, whether or not you are logged in, to keep the website secure, remember login details or to be able to sort products on the website according to your preferences.

Cookies for statistics

For us to measure your interactions with the website, we place cookies in order to keep statistics. These cookies anonymize personal data.

Cookies for ad-tracking

To enable us to offer better service and experience, we place cookies so that we can provide relevant advertising. Another aim of this processing is to enable us to promote products or services, provide customized offers or provide recommendations based on what you have purchased in the past.
Confirm choices Accept all