Validation Authority Peer Publisher

ENTERPRISE This is an EJBCA Enterprise feature.

The following provides information about the Validation Authority Peer Publisher. For general information on publishers, see the Publishers Overview.

Much like the legacy VA Publisher, the VA Peer Publisher publishes issued certificates from an EJBCA CA to a VA, but over TLS using our Peers protocol.

images/download/attachments/82937281/Screen_Shot_2018-05-03_at_15.10.29.png

VA Peer Publisher Fields

The following lists available Validation Authority Peer Publisher settings.

Fields

Description

Peer System

An EJBCA instance to publish certificate objects to.

Store certificate at the Validation Authority

Stores the complete certificate on the VA. If cleared, only the information needed to answer OCSP requests are stored, but not the certificate itself. There are good reasons not to publish the whole certificate. It is large, thus making it a bit of heavy insert and it may contain sensitive information. On the other hand, some OCSP Extension plug-ins may not work without the certificate. A regular OCSP responder works fine without the certificate. A publisher for CA certificates (used on an Edit Certificate Authorities page) must have this enabled.

Store CRL at the Validation Authority

Should be set if the CRL store service of the VA should be used for a CA (only has a meaning for publishers used on an Edit Certificate Authorities page). Note that to use this option you must enable Store certificate at the Validation Authority and clear Publish only revoked certificates since the CA certificate(s) must be stored in the VA when CRLs are stored there.

Publish only revoked certificates

If selected, only revoked certificates are stored on the VA. The OCSP responder of the VA must have the nonexistingisgood (conf/ocsp.properties) enabled if only revoked certificates are published. A publisher supposed to publish CA certificates (enabled on an Edit CA page) must have this disabled.

Include database integrity information

Select to also export database integrity protection columns from the CA. If you don't use database integrity protection it saves space and time to not publish this. Note that database integrity protection on the VA is not compatible with not storing meta data.

Ignore newer entries at peer

Do not overwrite newer entries on the VA, which could happen as a result of a split-brain in a cluster.

Don't store certificate meta data except for CA and OCSP signing certificates

Personally identifiable information as relevant for the General Data Protection Regulation (GDPR) will not be transmitted to the VA. The data excluded from the VA is:

  • subject DN

  • subject alternative name

  • notBefore

  • username

  • subject key ID

  • end entity profile ID