Test OCSP (Optional)

Validation Authority offers a Direct OCSP Interface that allows relying parties to query it directly to determine certificate status. The Direct OCSP Interface creates and digitally signs OCSP responses in reply to specific relying party requests rather than using pre-generated OCSP response lists.

To test the Direct OCSP Interface, you can use:

  • The OCSP Client Test Tool provided with Validation Authority.

  • The OpenSSL command line tool, part of the OpenSSL toolkit available from http://www.openssl.org.

  • Other OCSP relying party applications, such as the ActivID Validation Client, previously called Desktop Validation Client or SerVE products.

To use OpenSSL, on the command line, type:

>openssl ocsp -issuer ISSUER.cer -cert USER.cer -VAfile SIGNATURE.cer -url http://authority-server:port/responder

Where

  • ISSUER.cer is the certificate of a registered Certificate Authority (for more details, refer to Register New Certificate Issuer). To download this certificate, click Download Issuer Certificate on the Issuer Details page for the selected certificate issuer.

  • USER.cer is a user certificate issued by that Certificate Authority.

  • SIGNATURE.cer is the certificate that Validation Authority uses to sign OCSP responses. To download this certificate, click Certificate in the Asymmetric Signing Key section of the Key Store page.

  • authority-server:port is the host name of the machine running Validation Authority and the port on which Validation Authority serves OCSP responses. The default is 3501; 3601 is also acceptable.

If the OCSP test is successful and the certificate is good, then you will see a message similar to:

Response verify OK
USER.cer: good
This Update: May 6 18:17:11 2016 GMT
Next Update: May 7 06:17:11 2016 GMT
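To exercise the documented command end to end before a Validation Authority instance is reachable, the following shell script (an added example, not part of this documentation or of the product) stands up a throwaway lab PKI with OpenSSL's own test responder and runs the same query for a good and for a revoked certificate, checking for the "Response verify OK" line shown above. All file names, subjects, serial numbers, index entries and the localhost port are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the Validation Authority documentation: build a
# throwaway lab PKI, serve its status from OpenSSL's own test responder, and run
# the documented query against it. File names, subjects, serials and the port are
# constructed assumptions; the real VA uses its registered issuer and signing key.
set -eu
LAB=$(mktemp -d); cd "$LAB"
PORT=${OCSP_PORT:-3501}   # the documented default Direct OCSP port, overridable

# mkcert NAME SUBJECT SERIAL EXTFILE -> NAME.cer / NAME.key signed by ISSUER.cer
mkcert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ISSUER.cer -CAkey issuer.key \
    -set_serial "$3" -days 2 -extfile "$4" -out "$1.cer" 2>/dev/null
}

# ISSUER.cer: constructed CA standing in for the registered certificate issuer
openssl req -x509 -newkey rsa:2048 -nodes -keyout issuer.key -out ISSUER.cer \
  -subj "/CN=Lab Issuer" -days 2 2>/dev/null
printf 'extendedKeyUsage=OCSPSigning\n' > signer.ext   # what a VA signer carries
printf 'extendedKeyUsage=clientAuth\n'  > user.ext
mkcert SIGNATURE "/CN=Lab OCSP Signer" 0x10   signer.ext   # stands in for SIGNATURE.cer
mkcert USER      "/CN=Lab User"        0x1001 user.ext     # a good user cert
mkcert REVOKED   "/CN=Revoked User"    0x1002 user.ext     # will be marked revoked

# CA database the responder consults: status, expiry, revocation time, serial (hex),
# file, DN. Expiry is a constructed placeholder; the responder only keys on serial.
printf 'V\t330101000000Z\t\t1001\tunknown\t/CN=Lab User\n' > index.txt
printf 'R\t330101000000Z\t240101000000Z\t1002\tunknown\t/CN=Revoked User\n' >> index.txt

# ocsp_status CERT.cer -> prints good | revoked | unknown, or "fail" when the
# response signature does not verify against SIGNATURE.cer
ocsp_status() {
  openssl ocsp -index index.txt -port "$PORT" -CA ISSUER.cer \
    -rsigner SIGNATURE.cer -rkey SIGNATURE.key -nrequest 1 >/dev/null 2>&1 &
  pid=$!; out=""; n=0
  while [ "$n" -lt 10 ]; do   # retry until the background responder is listening
    out=$(openssl ocsp -issuer ISSUER.cer -cert "$1" -VAfile SIGNATURE.cer \
          -url "http://127.0.0.1:$PORT" 2>&1) && break
    n=$((n + 1)); sleep 1
  done
  kill "$pid" 2>/dev/null || true; wait "$pid" 2>/dev/null || true
  echo "$out" | grep -q '^Response verify OK' || { echo fail; return 0; }
  echo "$out" | sed -n "s/^$1: //p"
}

ocsp_status USER.cer      # good
ocsp_status REVOKED.cer   # revoked
```

Because -VAfile explicitly trusts the named signer, a response signed by any other key is reported as "fail" here rather than "good", which is the check to watch for when the wrong SIGNATURE.cer was downloaded.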

Similarly, if Validation Authority will be servicing SCVP requests from the Direct SCVP Interface, then verify that your SCVP clients can successfully make SCVP requests.