There are two basic methods used by Validation Authorities (VAs) to obtain the revocation status of a certificate: the Online Certificate Status Protocol (OCSP) and the certificate revocation list (CRL). Both methods are characterized in the following sections:
Online Certificate Status Protocol
The Online Certificate Status Protocol (OCSP) checks the revocation status of a single certificate by querying an OCSP responder over the network. Its advantages are the following:
- With OCSP, administrators and programmers can get revocation information on a specific certificate in real-time. They do not have to rely on a CRL that might not have the latest information. In addition, CRLs can become very large over time.
- OCSP communication is very bandwidth efficient. Compared to downloading a large CRL file, it uses a fraction of the bandwidth.
Implementing OCSP responders also has some disadvantages:
- A connection to an OCSP responder is required to check the revocation status. Software or services cannot cache OCSP requests the way they can keep a downloaded CRL. To overcome this limitation, some organizations implement a hybrid model that combines OCSP and CRL technologies.
- OCSP technology is inherently more complex than CRLs, which are simple signed text files or LDAP records.
CRL Distribution Point
A CRL distribution point is an attribute (extension) of a certificate. It tells applications where to retrieve the CRL so they can download and check it over the internet. Some compliance standards require a CRL distribution point in issued subscriber certificates.
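The following is an added example, not code from the original page or from the appliance vendor, that puts the two revocation-checking methods above side by side. A toy CA (built in memory with the `cryptography` library) issues subscriber certificates that carry both a CRL distribution point and an OCSP responder URL in the Authority Information Access extension, revokes one of them, and a relying party then determines status twice: once from a signed CRL (verifying the signature and the nextUpdate freshness window, which is where a stale list would bite), and once from an OCSP request/response exchange handled entirely offline by a responder function standing in for the VA. The URLs, the CA name and the responder lookup table are constructed for this example; nothing is sent over the network.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID

# Hypothetical publication URLs; a real VA deployment advertises its own.
CRL_URL = "http://crl.example.test/ca.crl"
OCSP_URL = "http://ocsp.example.test"

def _now():
    # Naive UTC: the datetime form accepted by every release of the builders used here.
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)

def _cert_builder(subject, issuer, public_key):
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(_now() - datetime.timedelta(minutes=1))
            .not_valid_after(_now() + datetime.timedelta(days=1)))

def build_ca():
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Toy Test CA")])
    cert = (_cert_builder(name, name, key.public_key())
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_leaf(ca_key, ca_cert, cn):
    # Subscriber certificate carrying both revocation pointers: a CDP and an OCSP AIA entry.
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        [x509.UniformResourceIdentifier(CRL_URL)], None, None, None)])
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(OCSP_URL))])
    return (_cert_builder(subject, ca_cert.subject, key.public_key())
            .add_extension(cdp, critical=False).add_extension(aia, critical=False)
            .sign(ca_key, hashes.SHA256()))

def revocation_pointers(cert):
    # Where a relying party is told to look: CRL distribution point URLs and OCSP responder URLs.
    cdp = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS).value
    aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
    return ([gn.value for dp in cdp for gn in (dp.full_name or [])],
            [ad.access_location.value for ad in aia
             if ad.access_method == AuthorityInformationAccessOID.OCSP])

def build_crl(ca_key, ca_cert, revoked_serials):
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(_now()).next_update(_now() + datetime.timedelta(hours=1)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                                  .serial_number(serial).revocation_date(_now()).build())
    return builder.sign(ca_key, hashes.SHA256())

def status_from_crl(crl, ca_cert, cert):
    # CRL path: trust the list only if the CA signed it and its nextUpdate has not passed.
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the CA key")
    # next_update_utc exists in newer cryptography releases; older ones expose naive next_update.
    next_update = (getattr(crl, "next_update_utc", None) or crl.next_update).replace(tzinfo=None)
    if next_update < _now():
        raise ValueError("CRL is stale; fetch a fresh copy from the distribution point")
    return "revoked" if crl.get_revoked_certificate_by_serial_number(cert.serial_number) else "good"

def answer_ocsp_request(req_der, ca_key, ca_cert, issued, revoked_serials):
    # Responder side (stand-in for the VA): look the serial up in the CA's records and sign a reply.
    req = ocsp.load_der_ocsp_request(req_der)
    cert = issued[req.serial_number]
    revoked = req.serial_number in revoked_serials
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=cert, issuer=ca_cert, algorithm=req.hash_algorithm,
                          cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
                          this_update=_now(), next_update=_now() + datetime.timedelta(minutes=10),
                          revocation_time=_now() if revoked else None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
            .sign(ca_key, hashes.SHA256()))
    return resp.public_bytes(Encoding.DER)

def status_from_ocsp(resp_der, req, ca_cert):
    # Client side: verify the signature, then bind the answer to the certificate that was asked about.
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError("OCSP responder returned an error status")
    ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                ec.ECDSA(resp.signature_hash_algorithm))
    if (resp.serial_number, resp.issuer_key_hash) != (req.serial_number, req.issuer_key_hash):
        raise ValueError("OCSP response is for a different certificate")
    return "revoked" if resp.certificate_status == ocsp.OCSPCertStatus.REVOKED else "good"

def demo():
    ca_key, ca_cert = build_ca()
    good = issue_leaf(ca_key, ca_cert, "good.example.test")
    bad = issue_leaf(ca_key, ca_cert, "compromised.example.test")
    issued = {c.serial_number: c for c in (good, bad)}   # constructed CA database
    revoked = {bad.serial_number}
    crl = build_crl(ca_key, ca_cert, revoked)
    results = {}
    for label, cert in (("good", good), ("revoked", bad)):
        req = ocsp.OCSPRequestBuilder().add_certificate(cert, ca_cert, hashes.SHA256()).build()
        resp_der = answer_ocsp_request(req.public_bytes(Encoding.DER), ca_key, ca_cert, issued, revoked)
        results[label] = (status_from_crl(crl, ca_cert, cert), status_from_ocsp(resp_der, req, ca_cert))
    return results, revocation_pointers(good)

if __name__ == "__main__":
    print(demo())
```

Two points the code makes that the prose only states: the CRL client refuses a list whose nextUpdate has passed, which is the concrete form of "a CRL that might not have the latest information", and the OCSP client checks not just the signature but that the serial number and issuer key hash in the reply match the request, so a valid response for some other certificate cannot be replayed as an answer for this one. The responder here signs with the CA key directly; a production VA normally uses a delegated OCSP signing certificate, and the client would then verify that signer's chain instead.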
VA Setup Scenarios for Hardware Appliance
The Hardware Appliance offers two basic options for VA setups:
- OCSP CA-VA setup with Peer Connector: Using the OCSP method, the CA Hardware Appliance connects directly to the VA Hardware Appliance via the Peer Connector.
- VA setup for the CRL Downloader service: The CA Hardware Appliance publishes CRLs to an external server. The VA Hardware Appliance uses the CRL Downloader service to fetch the CRLs from that external server.
The following sections guide you through both setup options.