Management digitálních certifikátů

OCSP – Online list of revoked certificates

Get an absolute overview of all revoked certificates, in real time, without delays. OCSP (Online Certificate Status Protocol) is a module for discovering the status of revoked certificates. With it, you can find out the current status in real time within your entire organization.

User certificate management module

Module for managing technology certificates

Instant overview of the status of digital certificates

It is crucial for the administrator of an organization’s PKI infrastructure to always keep an overview of the validity of certificates – as they have a limited lifetime. However, they themselves often revoke certificates that they want to invalidate. The problem is that certificate authorities publish information about the validity of certificates late (in the so-called CRL – Certificate Revocation List). The OCSP module replaces this static list and transmits information about revoked certificates in the state they are in at that moment – without delay and therefore with zero error rate.

WHAT PROBLEMS HAVE WE DEVELOPED THE MODULE TO SOLVE?

  • Without the OCSP module, if a certificate expires, the administrator will only know about it retrospectively based on the issued CRL.
  • It is also difficult for them to determine which certificates are at risk of expiration and should be renewed.
  • Similarly, in the case of a deliberate revocation of a certificate by an administrator, it is impossible to know in real time whether it has actually been revoked.
  • The OCSP module greatly simplifies these activities and saves a huge amount of time in certificate lifecycle management.

Certificate Lifecycle Management in real time

Imagine an organization that issues and manages a large number of certificates. And at the same time working with certificates issued by external CAs. Electronic signatures, permissions to access premises or web services, and more.

If network administrators want to find out the current status (or validity) of these certificates, they must use a CRL, a file issued by CAs, by default. However, this file is issued in batches (e.g. once a week) and in an unreadable, binary format.

Our OCSP module solves these problems and gives administrators the ability to easily and quickly determine the status of a particular certificate.

Certificate Management and ProID OCSP Server

ProID OCSP is a server that publishes certificate information based on an SQL database. The database stores certificate information, including revocation status. When a client queries the OCSP server, it looks up the revocation status of the corresponding certificates in the database, signs the response with the key and certificate, and sends the information to the client.

The OCSP protocol is standardized. Compliance with standards guarantees interoperability between the server and clients, and each of the communicating parties may be implemented by a different vendor.

The data source for certificate information for ProID OCSP is typically the Save and Recovery System (SaRS) database. However, ProID OCSP can also be run on top of another database if the database contains the necessary data.

It can also be run outside of the domain environment and without binding to the MS Windows Server certificate service. The only component that is required for operation is a SQL database with certificate information.

OSCP compatibility and scalability

OCSP is implemented with features that ensure a high degree of compatibility with commonly used OCSP clients. It can be used in small organizations with a small number of issued certificates as well as in large organizations with a large number of certificates and systems. ProID OCSP is built on a robust foundation with high query throughput.

If installed in an environment with a high query load, the plugin can be scaled. If one instance of OCSP is saturated with queries, a second instance can be installed and the load can be distributed between them.

ProID OCSP server working principle

OCSP handles individual client requests as web services: in parallel and independently. The separate processing of requests is controlled by the resources of the web server in which the service is hosted. The certificate status information is retrieved from the SQL database. Once the database identifiers for all certificates in a client request are tracked, the OCSP server sequentially queries the data source for the status of each certificate.

The result of the certificate status lookup is a completed data structure. The detected differences are automatically written to the activity log.

Are you interested in our solution? Contact us


    [honeypot honeypot-453]

    By filling in the form you agree to the processing of your personal data.