EJBCA Validation Authority (VA)
A Validation Authority (VA) is responsible for providing information on whether a certificate is currently valid or not. The VA does not issue or revoke certificates, but it validates certificates by providing a list of revoked certificates for a CA, known as a Certificate Revocation List (CRL). Another method that the VA can support is the Online Certificate Status Protocol (OCSP). It is a real-time lookup of a certificate status, compared to the CRL which is generated on a set schedule. The VA can respond to OCSP requests and reply if a certificate is good, revoked, or unknown. There can be one or more VAs connected to each CA in the PKI.
For definitions for concepts and key terms, refer to EJBCA Concepts and for detailed information on VA Services, refer to the EJBCA Documentation.
External OCSP Responders
External OCSP responders serve multiple purposes:
- Separating the validation service from the CA service. This increases security because the CA service does not have to accept any incoming connections.
- Ensure the highest availability of the validation service. Using external OCSP responders you can have several completely independent nodes. This means that you can do maintenance on the CA, or some of the OCSP nodes without disturbing availability to the validation service.
- Ensure the highest performance. The external OCSP responder is very fast and one single responder can answer hundreds of requests per second. In addition, the external OCSP responders can be scaled linearly by adding multiple independent OCSP nodes.
The EJBCA external OCSP responder does not rely on CRLs being issued by the CA. Instead, the OCSP responder uses its own database with certificate status information. This can be a replica of the CertificateData table in EJBCA. In normal operation, the EJBCA CA pushes status changes to the external OCSP database when certificates are issued and revoked in EJBCA. For more information, refer to the EJBCA documentation on External OCSP Responders.