There are two basic methods used by Validation Authorities (VAs) to obtain the revocation status of a certificate: the Online Certificate Status Protocol (OCSP) and the certificate revocation list (CRL). Both methods are characterized in the following sections:
Online Certificate Status Protocol
The Online Certificate Status Protocol (OCSP) checks the revocation status of a certificate online, through a request to an OCSP responder. Its advantages are the following:
- With OCSP, administrators and programmers can get revocation information on a specific certificate in real time. They do not have to rely on a CRL that might not contain the latest information. In addition, CRLs can become very large over time.
- OCSP communication is very bandwidth-efficient: compared with downloading a large CRL file, it uses a fraction of the bandwidth.
Implementing OCSP responders also has some disadvantages:
- Communication with the OCSP responder is required for every revocation check; software or services cannot cache OCSP requests. To overcome this limitation, some organizations implement a hybrid model that combines OCSP and CRL technologies.
- OCSP technology is inherently more complex than CRLs, which are simple signed text files or LDAP records.
CRL Distribution Point
A CRL distribution point is an attribute of a certificate that tells applications where to retrieve the CRL, so that they can download it over the internet and check the certificate against it. Some compliance standards require a CRL distribution point in issued subscriber certificates.
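As an added example (not code from this page or from the Hardware Appliance), the Go program below builds a constructed issuing CA and subscriber certificate, stamps the certificate with a CRL distribution point and an OCSP responder URL, issues a CRL from that CA, and performs the relying-party check against the CRL, including the two checks a VA client must not skip: the CRL signature and its NextUpdate window, which is what bounds how stale a cached CRL may be. Every name, URL, serial number and key seed is a constructed placeholder.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // a failure while building the fixture is a bug in the example, not a runtime condition
	}
	return v
}
// BuildFixture constructs a throwaway issuing CA, a subscriber certificate (serial 4242) and a CRL signed by
// that CA that revokes it. Fixed key seeds keep it reproducible; real keys come from a CSPRNG, never from this.
func BuildFixture(now time.Time) (ca, leaf *x509.Certificate, crlDER []byte) {
	caKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	leafKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // crlSign is required of a CA that signs CRLs
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caKey.Public(), caKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(12 * time.Hour),
		CRLDistributionPoints: []string{"http://crl.example.test/issuing.crl"}, // CDP extension (placeholder URL)
		OCSPServer:            []string{"http://ocsp.example.test"}}            // AIA OCSP access method (placeholder URL)
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafKey.Public(), caKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now, NextUpdate: now.Add(12 * time.Hour), // caps caching
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}}
	return ca, leaf, must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)) // the CRL is a signed, time-bounded file
}
// IsRevoked is the relying-party check: authenticate the CRL against its issuer, refuse one past its NextUpdate, then look the serial up; an error must never be read as "not revoked".
func IsRevoked(crlDER []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil || now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL rejected: signature error %v, NextUpdate %v, now %v", err, crl.NextUpdate, now)
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

Calling IsRevoked with a time past the CRL's NextUpdate, or with a certificate that is not the CRL issuer, returns an error rather than false, which is the behaviour a VA client needs so that a stale or unauthenticated CRL can never pass as "not revoked".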
VA Setup Scenarios for Hardware Appliance
The Hardware Appliance offers two basic options for VA setups:
The following sections guide you through both setup options.