670 Netscape Certificate Management System Installation and Setup Guide • May 2002

What’s an OCSP-Compliant PKI Setup?

Certificate Management System supports the Online Certificate Status Protocol (OCSP) as defined in the PKIX standard RFC 2560 (see http://www.ietf.org/rfc/rfc2560.txt). OCSP enables OCSP-compliant applications to determine the state of a certificate, including its revocation status, without having to retrieve and check the CRL published by the CA themselves. Instead, the CA publishes its CRL to a validation authority, also called an OCSP responder, which does the checking on the application’s behalf.

An OCSP-compliant PKI setup generally includes the following components, which work together to verify the revocation status of a certificate:

• A CA, which issues and revokes certificates, and periodically publishes the CRL to the OCSP responder.

• An OCSP responder, which maintains the CRL it receives periodically from the CA and, when queried by an OCSP-compliant client about the status of a certificate, returns a digitally signed response. The signature is what lets the client verify that the answer came from the responder and was not altered in transit.

• OCSP-compliant applications, which, when validating a certificate, query the appropriate OCSP responder (using the OCSP protocol) for the status of that certificate. The applications determine the location of the OCSP responder from the Authority Information Access extension in the certificate being validated. (Certificate Management System enables you to add this extension to certificates. For details, see “Configuring Policy Rules for a Subsystem” on page 569.)

The revocation-status-verification process has two parts:

1. When a certificate’s status needs to be verified, the OCSP client (an OCSP-compliant application) sends a request to the OCSP responder and waits for a response. The OCSP request generally contains all the information the responder needs to identify the certificate whose status is to be determined; in RFC 2560 terms this is the CertID, made up of a hash of the issuer’s name, a hash of the issuer’s public key, and the certificate’s serial number.

(The process is similar to a cashier scanning your credit card and waiting for a response from the credit-card processing unit. The scanning unit sends identifying information, such as the credit-card number, its type, its validity period, and so on.)

2. Upon receipt of the request, the OCSP responder determines whether the request contains all the information it requires to process it.
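As an added example (not code from the Netscape CMS guide or from Certificate Management System itself), the following Python builds the DER-encoded OCSPRequest of RFC 2560 section 4.1.1 for one or more certificates, and shows the responder’s side of step 2: checking that each request carries a complete CertID before looking the serial number up in the CRL it last received from the CA. It uses only the Python standard library, so the issuer name, the issuer public-key bytes and the CRL contents are constructed sample data, and the digital signature on the response (which needs the responder’s private key and a signature library) is noted in a comment rather than performed.

```python
"""Added example (not from the Netscape CMS guide): an RFC 2560 OCSPRequest
builder plus the responder-side completeness check of step 2, standard library
only. The issuer, key bytes and CRL serials below are constructed sample data."""
import hashlib

SHA1_OID = bytes.fromhex("2b0e03021a")  # id-sha1 (1.3.14.3.2.26), the CertID hash of the era


def der_len(n):
    """DER length octets: short form below 0x80, else 0x80|count followed by the length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(n):
    """Two's-complement INTEGER; a leading 0x00 is added when the top bit is set."""
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def cert_id(issuer_name_der, issuer_pubkey, serial):
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }
    (RFC 2560 4.1.1). issuerNameHash is over the issuer's DER Name; issuerKeyHash is over
    the issuer public key's BIT STRING contents (not the SubjectPublicKeyInfo wrapper)."""
    hash_alg = der(0x30, der(0x06, SHA1_OID) + der(0x05, b""))  # AlgorithmIdentifier sha1, NULL params
    return der(0x30, hash_alg
               + der(0x04, hashlib.sha1(issuer_name_der).digest())
               + der(0x04, hashlib.sha1(issuer_pubkey).digest())
               + der_integer(serial))


def ocsp_request(cert_ids):
    """OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest }. Version v1 is DEFAULT and so
    omitted; the TBSRequest built here holds only requestList, a SEQUENCE OF Request."""
    request_list = der(0x30, b"".join(der(0x30, cid) for cid in cert_ids))
    return der(0x30, der(0x30, request_list))


def _read_tlv(buf, pos):
    """Return (tag, contents, position after the element); raises on truncation."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("malformedRequest: truncated element")
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        out.append((tag, body))
    return out


class Responder:
    """Validation authority: keeps the serials from the CA's latest CRL and answers queries.
    A deployed responder signs the OCSPResponse with its own key before returning it; that
    signing step is the one this stdlib-only example does not perform."""

    def __init__(self, issuer_name_der, issuer_pubkey, revoked_serials):
        self.name_hash = hashlib.sha1(issuer_name_der).digest()
        self.key_hash = hashlib.sha1(issuer_pubkey).digest()
        self.revoked = set(revoked_serials)  # refreshed each time the CA publishes a CRL

    def check(self, request_der):
        """Step 2: verify each Request carries a complete CertID, then look the serial up.
        Returns 'good' / 'revoked' / 'unknown' per Request; raises ValueError where a real
        responder would answer with OCSPResponseStatus malformedRequest."""
        try:
            return self._check(request_der)
        except IndexError:
            raise ValueError("malformedRequest: truncated request")

    def _check(self, request_der):
        tag, outer, end = _read_tlv(request_der, 0)
        if tag != 0x30 or end != len(request_der):
            raise ValueError("malformedRequest: not a single OCSPRequest SEQUENCE")
        tbs = next((body for t, body in _children(outer) if t == 0x30), None)
        request_list = tbs and next((body for t, body in _children(tbs) if t == 0x30), None)
        if not request_list:
            raise ValueError("malformedRequest: no requestList")
        statuses = []
        for t, req in _children(request_list):
            fields = _children(req) if t == 0x30 else []
            cid = _children(fields[0][1]) if fields and fields[0][0] == 0x30 else []
            if [f[0] for f in cid] != [0x30, 0x04, 0x04, 0x02]:
                raise ValueError("malformedRequest: CertID is missing fields")
            hash_alg, name_hash, key_hash, serial = (body for _, body in cid)
            if _children(hash_alg)[0] != (0x06, SHA1_OID) or len(name_hash) != 20 or len(key_hash) != 20:
                raise ValueError("malformedRequest: unsupported hash algorithm or digest length")
            if (name_hash, key_hash) != (self.name_hash, self.key_hash):
                statuses.append("unknown")  # issued by a CA this responder does not serve
            else:
                revoked = int.from_bytes(serial, "big", signed=True) in self.revoked
                statuses.append("revoked" if revoked else "good")
        return statuses


# Constructed sample issuer: Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (CN), "Sample CA" } } }
SAMPLE_ISSUER_NAME = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x13, b"Sample CA"))))
SAMPLE_ISSUER_KEY = bytes(range(256))  # stands in for the issuer's public-key BIT STRING contents
SAMPLE_CRL_SERIALS = [0x1001, 0x2A]    # serials the CA's latest CRL lists as revoked


def demo():
    """Client builds a request for two certificates; responder checks and answers it."""
    responder = Responder(SAMPLE_ISSUER_NAME, SAMPLE_ISSUER_KEY, SAMPLE_CRL_SERIALS)
    request = ocsp_request([cert_id(SAMPLE_ISSUER_NAME, SAMPLE_ISSUER_KEY, 0x1001),
                            cert_id(SAMPLE_ISSUER_NAME, SAMPLE_ISSUER_KEY, 0x07)])
    return request, responder.check(request)


if __name__ == "__main__":
    req, statuses = demo()
    print(req.hex(), statuses)
```

The responder answers "unknown" rather than "good" when the CertID hashes do not match the CA it serves, because a status of "good" must never be returned for a certificate the responder cannot vouch for; a client that receives "unknown" should treat the certificate as unvalidated, not as valid.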