Configuring the OCSP server

Take the following steps to configure the OCSP server:

  1. Enable the OCSP server under Certificates > OCSP > Online Certificate Status Protocol (OCSP) server > OCSP server enabled.
  2. Assign a certificate to the OCSP server.

    Operating the OCSP server requires it to receive a certificate from the CA whose certificates it should provide information about. This certificate is used to sign the OCSP responses.

    For this purpose, go to Certificates > OCSP > Online Certificate Status Protocol (OCSP) server and configure the Certificate subject for the OCSP server. When the server is activated for the first time, this information is used to automatically generate the certificate for the OCSP server.





    Important: In the certificate subject, set the CN to the FQDN at which OCSP clients can reach the OCSP server.
  3. Provide information about the OCSP server to the Smart Certificate preconfiguration.
    1. Under Certificates > Certificate handling > CA web interface > Templates, you can specify that when Smart Certificate CA generates a certificate, the field "OCSP-AIA" (Authority Information Access) is available for configuration. If you use the "Default" template, this is automatically the case. If you use a custom template, then set the field "OCSP-AIA" to Yes.




    2. Under Certificates > Certificate handling > CA web interface > Profile, set a default value for the field OCSP-AIA in the desired Smart Certificate profile.
      Note: This step is optional. If you do not specify a default value here, you must manually specify a value when creating a certificate.

      Configure the name or IP address where the OCSP server is available to the OCSP clients. This was already used earlier when generating the OCSP server certificate. Also add the port number where the OCSP server can be reached. The default setting is port 8084.

      In the example, the default value for the profile "VPN" is set to "ocspserver.test.de:8084".





This concludes the configuration of the OCSP server.

If you now use Smart Certificate in WEBconfig to generate a certificate as described in Certificate creation with WEBconfig, the OCSP AIA is automatically added to it, which enables the client to contact the OCSP server for a validity check during connection establishment.




The OCSP server refers to its internal certificate list to check the validity. All in all, the Smart Certificate web interface offers a convenient way to revoke or validate certificates.
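
A consistency check for the finished configuration, as an added example that is not part of the LANCOM documentation: it verifies that the OCSP-AIA value carries the expected port and names the same host as the CN of the OCSP server certificate. Function and file names are hypothetical, and the AIA is assumed to appear either as host:port or as an http:// URI.

```shell
#!/bin/sh
# Added example: post-configuration consistency check (names are hypothetical).

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# "http://ocspserver.test.de:8084" or "ocspserver.test.de:8084" -> "host port"
# (port empty when absent; IPv6 literals are not handled).
aia_host_port() {
    v=${1#*://}                     # drop an optional scheme
    v=${v%%/*}                      # drop an optional path
    case $v in
        *:*) printf '%s %s\n' "${v%:*}" "${v##*:}" ;;
        *)   printf '%s \n' "$v" ;;
    esac
}

# CN from "CN=host,O=x" or from openssl's "subject=CN = host, O = x".
subject_cn() {
    printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | sed 's/ *$//'
}

# Succeeds when the AIA value carries the expected port (default 8084, as on
# this page) and its host equals the CN of the OCSP server certificate.
check_ocsp_config() {
    aia=$1 subject=$2 want_port=${3:-8084}
    hp=$(aia_host_port "$aia"); host=${hp% *}; port=${hp#* }
    cn=$(subject_cn "$subject")
    [ -n "$port" ] || { echo "AIA '$aia' has no port" >&2; return 1; }
    [ "$port" = "$want_port" ] ||
        { echo "AIA port $port, expected $want_port" >&2; return 1; }
    [ "$(lc "$host")" = "$(lc "$cn")" ] ||
        { echo "AIA host '$host' differs from responder CN '$cn'" >&2; return 1; }
}

# Same check on exported PEM files (file names are placeholders).
check_ocsp_files() {   # usage: check_ocsp_files issued.pem ocsp-server.pem [port]
    check_ocsp_config "$(openssl x509 -in "$1" -noout -ocsp_uri)" \
                      "$(openssl x509 -in "$2" -noout -subject)" "${3:-8084}"
}

# Constructed sample values, not taken from a real device:
check_ocsp_config "http://ocspserver.test.de:8084" \
    "subject=CN = ocspserver.test.de" && echo "AIA and responder CN agree"
```

A mismatch reported here means clients are directed to a name that the OCSP server certificate does not carry, or to a port the server is not configured for.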
