Setting up a Validation Authority (VA)

There are two basic methods used by Validation Authorities (VAs) to obtain the revocation status of a certificate: The Online Certificate Status Protocol (OCSP) and the certificate revocation list (CRL). These methods are characterized in the following sections:

Online Certificate Status Protocol

With the Online Certificate Status Protocol (OCSP), the revocation status of a certificate is checked by querying an OCSP responder online. Advantages are the following:

  • With OCSP, administrators and programmers can get revocation information on a specific certificate in real time. They do not have to rely on a CRL that might not have the latest information. In addition, CRLs can become very large over time.
  • OCSP communication is very bandwidth efficient. Compared to downloading a large CRL file, it uses a fraction of the bandwidth.

Implementing OCSP responders also has some disadvantages:

  • Communication to the OCSP responders is required to check the revocation status. Software or services cannot cache the OCSP requests. To overcome this limitation, some organizations implement a hybrid model that includes OCSP and CRL technologies.
  • OCSP technology is inherently more complex than CRLs, which are simple signed text files or LDAP records.


CRL Distribution Point

A CRL distribution point is an attribute of a certificate. It allows applications to retrieve and check a CRL over the internet. Some compliance standards ask for a CRL distribution point in issued subscriber certificates.
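As an added worked example (not code from this page or from the appliance vendor), the following Python script uses the `cryptography` package to exercise both mechanisms described above: it constructs a test CA and a subscriber certificate carrying a CRL distribution point, runs one OCSP request/response exchange in which the client verifies the responder signature, and signs and checks a CRL. The CA name, the `example.invalid` CRL URL and the revoked serial numbers are constructed placeholders, and signing OCSP responses with the CA key itself is a simplification; a real VA normally signs with a delegated responder certificate.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)
ONE_DAY = datetime.timedelta(days=1)
DER = serialization.Encoding.DER
CRL_URL = "http://crl.example.invalid/ca.crl"  # placeholder (assumed), not a real service

def _builder(subject, issuer, pubkey):
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - ONE_DAY).not_valid_after(NOW + ONE_DAY))

def make_ca():
    # Self-signed test CA, constructed for this example.
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    cert = (_builder(name, name, key.public_key()).add_extension(
        x509.BasicConstraints(ca=True, path_length=None), critical=True).sign(key, hashes.SHA256()))
    return key, cert

def issue_subscriber(ca_key, ca_cert, common_name):
    # Subscriber certificate carrying a CRL distribution point, the attribute a client follows to fetch the CRL.
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(CRL_URL)],
        relative_name=None, reasons=None, crl_issuer=None)])
    return (_builder(name, ca_cert.subject, key.public_key())
            .add_extension(cdp, critical=False).sign(ca_key, hashes.SHA256()))

def crl_distribution_point_urls(cert):
    # Read the CRL distribution point URIs back out of a certificate.
    ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    return [gn.value for dp in ext for gn in (dp.full_name or [])]

def ocsp_request_der(cert, issuer):
    # Client side: one request naming the certificate by issuer hashes plus serial number.
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1())
    return req.build().public_bytes(DER)

def ocsp_respond_der(request_der, ca_key, ca_cert, issued, revoked_serials):
    # Responder side. `issued` maps serial -> certificate; the CA key signs directly (simplification).
    req = ocsp.load_der_ocsp_request(request_der)
    cert = issued.get(req.serial_number)
    if cert is None:  # not issued by this CA: refuse rather than guess
        status = ocsp.OCSPResponseStatus.UNAUTHORIZED
        return ocsp.OCSPResponseBuilder.build_unsuccessful(status).public_bytes(DER)
    revoked = req.serial_number in revoked_serials
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=cert, issuer=ca_cert, algorithm=hashes.SHA1(),
                          cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
                          this_update=NOW, next_update=NOW + ONE_DAY,
                          revocation_time=NOW if revoked else None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
            .sign(ca_key, hashes.SHA256()))
    return resp.public_bytes(DER)

def check_ocsp(response_der, ca_cert, expected_serial):
    # Client side: verify the responder signature, match the serial, read the status
    # (a production client also checks this_update/next_update freshness).
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "unknown"
    ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                ec.ECDSA(resp.signature_hash_algorithm))  # raises if forged
    if resp.serial_number != expected_serial:
        raise ValueError("OCSP response is for a different certificate")
    return resp.certificate_status.name.lower()  # "good" or "revoked"

def build_crl_der(ca_key, ca_cert, revoked_serials):
    # CA side: sign a CRL listing every revoked serial.
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + ONE_DAY))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(serial).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256()).public_bytes(DER)

def check_crl(crl_der, ca_cert, serial):
    # Client side: verify the CRL signature, then look the serial up.
    crl = x509.load_der_x509_crl(crl_der)
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature invalid")
    return "revoked" if crl.get_revoked_certificate_by_serial_number(serial) else "good"

def demo(extra_revocations=2000):
    # Revoke one subscriber certificate, check it both ways, and compare payload sizes.
    ca_key, ca_cert = make_ca()
    leaf = issue_subscriber(ca_key, ca_cert, "device-0001")
    issued, revoked = {leaf.serial_number: leaf}, {leaf.serial_number}
    resp = ocsp_respond_der(ocsp_request_der(leaf, ca_cert), ca_key, ca_cert, issued, revoked)
    # A CRL lists every revocation the CA ever made, so it grows; the OCSP answer for one
    # certificate does not (constructed serials 1..N stand in for older revocations).
    big_crl = build_crl_der(ca_key, ca_cert, revoked | set(range(1, extra_revocations + 1)))
    return {"ocsp": check_ocsp(resp, ca_cert, leaf.serial_number),
            "crl": check_crl(build_crl_der(ca_key, ca_cert, revoked), ca_cert, leaf.serial_number),
            "ocsp_bytes": len(resp), "crl_bytes": len(big_crl)}
```

Running `demo()` returns both verdicts together with the size of the single OCSP response next to that of a CRL carrying 2000 extra entries, which makes the bandwidth argument above concrete. `check_ocsp` deliberately rejects a response whose signature does not verify against the responder key or whose serial number is not the one asked about, and `ocsp_respond_der` answers "unauthorized" for a serial it never issued instead of guessing.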


VA Setup Scenarios for Hardware Appliance

The Hardware Appliance offers two basic options for VA setups:

The following sections guide you through both setup options.