Setting up a Validation Authority (VA)
A Validation Authority (VA) makes the revocation status of certificates available to relying parties through one of two basic mechanisms: the Online Certificate Status Protocol (OCSP) and the Certificate Revocation List (CRL). Both are described in the following sections:
Online Certificate Status Protocol
With OCSP (RFC 6960), a client sends a request that identifies one certificate by issuer hash and serial number to an OCSP responder and receives a signed response stating whether that certificate is good, revoked or unknown. Advantages are the following:
- With OCSP, clients obtain the revocation status of a specific certificate on demand, as fresh as the responder's revocation source, instead of relying on a CRL that was issued some time ago and may not reflect the latest revocations. CRLs can also grow very large over time.
- OCSP communication is bandwidth efficient: a request and its response are each a few hundred bytes, a fraction of what downloading a large CRL costs.
Implementing OCSP responders also has some disadvantages:
- Every status check needs a reachable OCSP responder. A signed response can only be reused until its nextUpdate time, so clients cannot validate offline the way they can with a previously downloaded CRL, and an unreachable responder becomes an availability problem for every relying party. To overcome this limitation, some organizations implement a hybrid model that combines OCSP and CRL technologies.
- OCSP technology is inherently more complex than CRLs, which are simple signed, DER-encoded files published over HTTP or LDAP.
CRL Distribution Point
A CRL Distribution Point (CDP) is an X.509 extension of a certificate (cRLDistributionPoints, RFC 5280 section 4.2.1.13) that tells relying parties where the issuing CA's CRL can be fetched, usually as an HTTP or LDAP URL. An application retrieves the CRL from that location, verifies its signature against the CA certificate and looks the certificate's serial number up in it. Some compliance standards require a CRL Distribution Point in issued subscriber certificates.
VA Setup Scenarios for Hardware Appliance
The Hardware Appliance offers two basic options for VA setups:
- OCSP CA-VA setup with Peer Connector: using the OCSP method, the CA Hardware Appliance connects directly to the VA Hardware Appliance over the Peer Connector and supplies it with the revocation information the VA needs to answer OCSP requests.
- VA setup with the CRL Downloader service: the CA Hardware Appliance publishes its CRLs to an external server, and the CRL Downloader service on the VA Hardware Appliance fetches the CRLs from that server.
The following sections guide you through both setup options.