What’s an OCSP-Compliant PKI Setup?
672 Netscape Certificate Management System Installation and Setup Guide • May 2002

The OCSP response that the client receives indicates the current status of the certificate as determined by the OCSP responder. The response could be any of the following:

• Good or Verified—specifying a positive response to the status inquiry. At a minimum, this positive response indicates that the certificate has not been revoked, but it does not necessarily mean that the certificate was ever issued or that the time at which the response was produced is within the certificate’s validity interval. Response extensions may be used to convey additional information on assertions made by the responder regarding the status of the certificate, such as a positive statement about issuance, validity, and so on.

• Revoked—specifying that the certificate has been revoked, either permanently or temporarily.

• Unknown—specifying that the OCSP responder doesn’t know about the certificate whose status is being requested by the client.

Based on the status, the client decides whether to validate the certificate.

How to Get an OCSP Responder?

To aid you in setting up an OCSP-compliant PKI, Certificate Management System provides two options:

• Use the OCSP-service feature built into the Certificate Manager

• Use the CMS OCSP responder, named Online Certificate Status Manager

Read the sections that follow and decide which method is suitable for your PKI setup.

How Certificate Manager’s OCSP-Service Feature Works

The Certificate Manager has a built-in OCSP-service feature which, when configured, can be used by OCSP-compliant clients to directly query the Certificate Manager about the revocation status of the certificate being validated.

When queried for the revocation status of a certificate, the Certificate Manager looks up the certificate in its internal database, checks its status, and responds to the client accordingly. Since the Certificate Manager has the real-time status of all certificates it has issued, this method of revocation checking is the most accurate. However, because the Certificate Manager can only check its own internal database, revocation checking is limited to certificates issued by that Certificate
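The three response statuses above, and the point that a Good status only asserts "not revoked", are easy to get wrong on the client side. The following is an added illustration, not code from the guide or from Certificate Management System: a small client-side decision routine that maps each status to an accept/reject/indeterminate outcome, checks the freshness of the response itself, and, for a Good status, separately checks the certificate's validity interval, exactly because the responder does not vouch for it. The type names (Certificate, SingleResponse), the evaluate function, the skew and maximum-age parameters, and all sample serial numbers and dates are constructed for this example.

```python
"""
Client-side evaluation of one OCSP single response.  Constructed example:
the types, the evaluate() policy and the sample data below are assumptions
for illustration and are not part of the CMS guide.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional, Tuple


class CertStatus(Enum):
    """The three status values an OCSP responder can return."""
    GOOD = "good"        # not revoked; says nothing about issuance or validity period
    REVOKED = "revoked"  # revoked, permanently or temporarily (on hold)
    UNKNOWN = "unknown"  # responder has no knowledge of this certificate


class Decision(Enum):
    ACCEPT = "accept"                # certificate may be used
    REJECT = "reject"                # certificate must not be used
    INDETERMINATE = "indeterminate"  # no usable answer; fail or consult another source


@dataclass(frozen=True)
class Certificate:
    """Minimal view of the certificate being validated (constructed type)."""
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class SingleResponse:
    """Minimal view of one OCSP SingleResponse (constructed type)."""
    serial: int
    status: CertStatus
    this_update: datetime
    next_update: Optional[datetime] = None
    revocation_time: Optional[datetime] = None


def evaluate(cert: Certificate, resp: SingleResponse, now: datetime,
             clock_skew: timedelta = timedelta(minutes=5),
             max_age_without_next_update: timedelta = timedelta(days=1)) -> Tuple[Decision, str]:
    """Decide whether the client should trust `cert` given `resp` at time `now`."""
    # The response must be about the certificate we are validating.
    if resp.serial != cert.serial:
        return Decision.INDETERMINATE, "response is for a different serial number"

    # Freshness of the response itself, independent of the status value.
    if resp.this_update > now + clock_skew:
        return Decision.INDETERMINATE, "thisUpdate is in the future"
    if resp.next_update is not None:
        if resp.next_update < now - clock_skew:
            return Decision.INDETERMINATE, "response is stale (nextUpdate has passed)"
    elif now - resp.this_update > max_age_without_next_update:
        return Decision.INDETERMINATE, "no nextUpdate and response is older than allowed"

    if resp.status is CertStatus.REVOKED:
        when = resp.revocation_time.isoformat() if resp.revocation_time else "unspecified time"
        return Decision.REJECT, f"certificate revoked at {when}"
    if resp.status is CertStatus.UNKNOWN:
        return Decision.INDETERMINATE, "responder does not know this certificate"

    # GOOD only means "not revoked": the client checks the validity interval itself.
    if now < cert.not_before:
        return Decision.REJECT, "certificate is not yet valid"
    if now > cert.not_after:
        return Decision.REJECT, "certificate has expired"
    return Decision.ACCEPT, "not revoked and within validity interval"


# ---- constructed sample data (not real certificates) ------------------------
NOW = datetime(2002, 5, 15, 12, 0, tzinfo=timezone.utc)

CERT = Certificate(serial=0x1001,
                   not_before=datetime(2002, 1, 1, tzinfo=timezone.utc),
                   not_after=datetime(2003, 1, 1, tzinfo=timezone.utc))
EXPIRED_CERT = Certificate(serial=0x1002,
                           not_before=datetime(2000, 1, 1, tzinfo=timezone.utc),
                           not_after=datetime(2001, 1, 1, tzinfo=timezone.utc))

FRESH = dict(this_update=NOW - timedelta(hours=1), next_update=NOW + timedelta(days=6))

SAMPLE_RESPONSES = {
    "good": SingleResponse(0x1001, CertStatus.GOOD, **FRESH),
    "good_but_expired_cert": SingleResponse(0x1002, CertStatus.GOOD, **FRESH),
    "revoked": SingleResponse(0x1001, CertStatus.REVOKED,
                              revocation_time=NOW - timedelta(days=2), **FRESH),
    "unknown": SingleResponse(0x1001, CertStatus.UNKNOWN, **FRESH),
    "stale_good": SingleResponse(0x1001, CertStatus.GOOD,
                                 this_update=NOW - timedelta(days=30),
                                 next_update=NOW - timedelta(days=23)),
}

if __name__ == "__main__":
    for name, resp in SAMPLE_RESPONSES.items():
        cert = EXPIRED_CERT if resp.serial == 0x1002 else CERT
        print(f"{name:22s} -> {evaluate(cert, resp, NOW)}")
```

Running the module prints one decision per sample response. Note that the "good_but_expired_cert" case is rejected even though the responder said Good, and that a Good response whose nextUpdate has passed is not accepted either; both outcomes follow directly from the limits of the Good status described above. Treating Unknown as indeterminate rather than as acceptance is the conservative choice a client should make when the responder, such as a Certificate Manager that only knows its own issued certificates, has no record of the certificate.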