OCSP Response Pre-Signer

ENTERPRISE This is an EJBCA Enterprise feature.

The OCSP Response Pre-Signer worker pre-generates, persists and updates OCSP Responses for certificates issued by the configured CAs. When the service worker runs, responses are generated according to the current OCSP settings with regards to global configuration, OCSP Key Bindings, etc. That is, the responses produced for each certificate status can be expected to contain the same information as a response to an OCSP Request at that point in time, with the exception of unsupported extensions. For more information, see Supported Extensions in OCSP Response Pre-Production.

The following lists available worker settings:

Setting

Description

CAs to Check

Select which CAs to produce OCSP Responses for. Responses will be generated for certificates issued by the selected CA.

CertId Hash Algorithm

Hash algorithm used for "issuerNameHash" and "issuerKeyHash" while producing responses. Some OCSP clients expect the same hash algorithm used in the request, to also be used in the response as well.

Generate Responses for All Certificates

Generates responses for all certificates issued by the selected CAs every time the service worker runs, regardless of when existing responses expires. Note that enabling this option overrides Update Expired Responses Only.

Update Expired Responses Only

Only update responses expiring before the configured time. Persisted OCSP Responses are considered expired when nextUpdate < configured time, see Time Before Response Expires.

Time Before Response Expires

The number of Days/Hours/Minutes/Seconds that should remain of the persisted response "validity" (nextUpdate) before a new response is generated.

Issue Final OCSP Response (eIDAS)

Generate and persist a final OCSP Response (nextUpdate '99991231235959Z') for each and every certificate issued by the CA when the CA is about to expire. See ETSI EN 319 411-2 (CSS-6.3.10-09).

Time Before CA Expires

The number of Days/Hours/Minutes/Seconds before the CA expires, to issue a final OCSP Response.

The OCSP Response Pre-signer can be configured to run on either CA or VA instances. Running the service worker on a VA instance requires a full EJBCA build. Deployments limited to only VA functionality currently lacks the service worker functionality.