CA/Required or Recommended Practices

209 bytes added, 01:27, 9 February 2013
=== OCSP ===
OCSP responders should be set up to listen on a standard port (e.g. port 80), because firewalls may block ports other than 80/443. Firefox and some other clients do not work with HTTPS OCSP responders, and many firewalls block requests that are not on port 80, so OCSP responders must be accessible over plain HTTP (not only HTTPS) on port 80.
As per the [https://www.cabforum.org/documents.html CA/Browser Forum’s Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates], the OCSP URI must be provided in the certificate, except when OCSP stapling is used. BR #13.2.2: "The CA SHALL update information provided via an Online Certificate Status Protocol..." From Appendix B regarding authorityInformationAccess in Subordinate CA Certificate and Subscriber Certificate: "With the exception of stapling ... this extension MUST be present ... and it MUST contain the HTTP URL of the Issuing CA’s OCSP responder..."
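As an added example (not part of the wiki page or the CA/Browser Forum documents), the following Python check applies the two rules above to the authorityInformationAccess entries of a certificate: there must be an id-ad-ocsp entry (unless stapling is used), and at least one of its URLs must be plain HTTP on port 80. The access descriptions and the `ocsp.example.test` host are constructed input; a real deployment would feed in the AIA entries parsed from the certificate.

```python
from urllib.parse import urlsplit

# Access method OIDs used in authorityInformationAccess (RFC 5280, section 4.2.2.1).
OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"
OID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"


def ocsp_uri_problems(uri):
    """Return the reasons a responder URI violates the rules above (empty list = fine)."""
    problems = []
    parts = urlsplit(uri)
    if parts.scheme.lower() != "http":
        problems.append("scheme %r: responder must be reachable over plain HTTP" % parts.scheme)
    if not parts.hostname:
        problems.append("no host in URI")
    try:
        port = parts.port  # None when the URI carries no explicit port
    except ValueError:
        return problems + ["unparseable port"]
    if port not in (None, 80):
        problems.append("port %d is likely to be blocked by firewalls; use port 80" % port)
    return problems


def check_aia(access_descriptions, stapling_in_use=False):
    """access_descriptions: list of (accessMethod OID, accessLocation URI) from the AIA extension.

    Returns (ok, findings). ok is True when at least one OCSP URI satisfies the rules,
    or when there is none but OCSP stapling is in use (the BR exception quoted above).
    """
    ocsp_uris = [loc for oid, loc in access_descriptions if oid == OID_AD_OCSP]
    if not ocsp_uris:
        if stapling_in_use:
            return True, ["no OCSP URI; permitted only because stapling is in use"]
        return False, ["no id-ad-ocsp entry in authorityInformationAccess"]
    findings, http_ok = [], False
    for uri in ocsp_uris:
        problems = ocsp_uri_problems(uri)
        findings.extend("%s: %s" % (uri, p) for p in problems)
        http_ok = http_ok or not problems
    return http_ok, findings


if __name__ == "__main__":
    # Constructed AIA entries: an HTTPS-only responder fails, the HTTP one on port 80 passes.
    sample_aia = [(OID_AD_CA_ISSUERS, "http://ca.example.test/issuer.crt"),
                  (OID_AD_OCSP, "https://ocsp.example.test/")]
    print(check_aia(sample_aia))
    print(check_aia([(OID_AD_OCSP, "http://ocsp.example.test:80/")]))
```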