Archive Cutoff

An OCSP responder MAY choose to retain revocation information beyond a certificate's expiration. The date obtained by subtracting this retention interval value from the producedAt time in a response is defined as the certificate's "archive cutoff" date.

To illustrate, if a server is operated with a 7-year retention interval policy and status was produced at time t1, then the value for ArchiveCutoff in the response would be (t1 - 7 years).

OCSP-enabled applications would use an OCSP archive cutoff date to contribute to a proof that a digital signature was (or was not) reliable on the date it was produced, even if the certificate needed to validate the signature has long since expired. If t1 is the date when the OCSP response was signed, archiveCutoff denotes the date back to which revocation information is available. As an example, with a retention period of 7 years a response signed at 2013-11-13 sets ArchiveCutoff to 2006-11-13, indicating that the status "good" for a certificate that expired before 2006-11-13 is not reliable, because the information base of the OCSP responder is not guaranteed to (but may) include revocation information for that certificate.

The archive cutoff extension is defined in section 4.4.4 of RFC 6960.

The archive cutoff extension is configured in seconds by setting the ocsp.expiredcert.retentionperiod option in the ocsp.properties file. The default value is 31536000 seconds (1 year):

ocsp.expiredcert.retentionperiod = 31536000

To disable the archive cutoff extension, set ocsp.expiredcert.retentionperiod to -1:

ocsp.expiredcert.retentionperiod = -1

You can see Archive Cutoff in action by querying the responder for an expired certificate with openssl.

Archive Cutoff is only returned in the OCSP responses for expired certificates.

An example openssl ocsp command:

openssl ocsp -issuer ManagementCA.cacert.pem -CAfile ManagementCA.cacert.pem -cert cert.pem -req_text -resp_text -url http://localhost:8080/ejbca/publicweb/status/ocsp

would result in the following OCSP response if cert.pem is expired:

OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: BB689F7058D62AB4B8C13866FAC3CF8FC1986ADA
    Produced At: Jan 11 13:02:37 2019 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 27CBED5E54A990CCD30F644E3715C75B1DECFDEE
      Issuer Key Hash: BB689F7058D62AB4B8C13866FAC3CF8FC1986ADA
      Serial Number: 363F7FBC823AEB6F
    Cert Status: good
    This Update: Jan 11 13:02:37 2019 GMT
        Response Single Extensions:
            OCSP Archive Cutoff: 
                Jan 11 13:02:37 2018 GMT

    Response Extensions:
        OCSP Nonce: 
            041055845EE5620B834F19419A43467207DA
...
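The following is an added example, not EJBCA code, that ties together the derivation above (ArchiveCutoff = producedAt minus the retention interval) and the openssl output just shown. It parses the `Produced At`, `Cert Status` and `OCSP Archive Cutoff` lines from `openssl ocsp -resp_text` output, recomputes the cutoff from an assumed value of `ocsp.expiredcert.retentionperiod` in seconds (with -1 meaning the extension is disabled), checks that the two agree, and reports whether a "good" status can be relied on for a certificate with a given notAfter. The sample response text is a trimmed copy of the page's output and the notAfter values are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the lines of the page's `openssl ocsp -resp_text` output
# that matter here (producedAt, certStatus and the archive cutoff single extension).
SAMPLE_RESPONSE = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Produced At: Jan 11 13:02:37 2019 GMT
    Responses:
    Cert Status: good
    This Update: Jan 11 13:02:37 2019 GMT
        Response Single Extensions:
            OCSP Archive Cutoff: 
                Jan 11 13:02:37 2018 GMT
"""

OPENSSL_TIME_FMT = "%b %d %H:%M:%S %Y GMT"
# Matches a timestamp as openssl prints it, e.g. "Jan 11 13:02:37 2019 GMT".
TIME_RE = r"[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4} GMT"


def parse_openssl_time(text):
    """Parse an openssl-printed timestamp into an aware UTC datetime."""
    normalized = " ".join(text.split())  # openssl pads single-digit days with a space
    return datetime.strptime(normalized, OPENSSL_TIME_FMT).replace(tzinfo=timezone.utc)


def parse_response_text(text):
    """Pull producedAt, certStatus and the optional archiveCutoff out of
    `openssl ocsp -resp_text` output."""
    produced = re.search(r"Produced At:\s*(" + TIME_RE + ")", text)
    status = re.search(r"Cert Status:\s*(\w+)", text)
    cutoff = re.search(r"OCSP Archive Cutoff:\s*(" + TIME_RE + ")", text)
    if not produced or not status:
        raise ValueError("not a basic OCSP response dump")
    return {
        "produced_at": parse_openssl_time(produced.group(1)),
        "cert_status": status.group(1),
        "archive_cutoff": parse_openssl_time(cutoff.group(1)) if cutoff else None,
    }


def archive_cutoff(produced_at, retention_seconds):
    """ArchiveCutoff = producedAt - retention interval (RFC 6960, section 4.4.4).
    Returns None when the extension is disabled (retention period -1)."""
    if retention_seconds < 0:
        return None
    return produced_at - timedelta(seconds=retention_seconds)


def good_status_is_reliable(not_after, cutoff):
    """A 'good' answer for a certificate that expired before the cutoff is not
    reliable: the responder's data is only guaranteed to reach back to the cutoff."""
    return not_after >= cutoff


def check_response(text, retention_seconds, not_after):
    """Verify the responder's cutoff against the configured retention period and
    say whether a 'good' status can be trusted for a certificate expiring at not_after."""
    parsed = parse_response_text(text)
    expected = archive_cutoff(parsed["produced_at"], retention_seconds)
    reported = parsed["archive_cutoff"]
    result = {
        "produced_at": parsed["produced_at"],
        "cert_status": parsed["cert_status"],
        "cutoff_reported": reported,
        "cutoff_expected": expected,
        # The extension is only sent for expired certificates, so its absence is
        # not a mismatch; only compare when the responder actually included it.
        "consistent": (reported == expected) if reported is not None else None,
        "reliable": None,
    }
    if parsed["cert_status"] == "good" and reported is not None:
        result["reliable"] = good_status_is_reliable(not_after, reported)
    return result


if __name__ == "__main__":
    verdict = check_response(SAMPLE_RESPONSE, 31536000, parse_openssl_time("Jun  1 00:00:00 2018 GMT"))
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

With the page's values (producedAt 2019-01-11 13:02:37, retention 31536000 seconds) the recomputed cutoff is 2018-01-11 13:02:37, matching the extension in the response. Because the option is expressed in seconds, a policy stated in calendar years (such as the 7-year example above) drifts by one day per leap year unless the configured value accounts for it.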

If you enable debug logging in the application server, you can see when archive cutoff is being used:

2019-01-11 14:23:38,155 INFO  [org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean] (default task-1) Certificate with serial number '3908983449196358511' is not valid. Adding singleExtension id-pkix-ocsp-archive-cutoff

If the certificate asked for has not expired, no such log line will appear in the server log.