The Security Server checks the validity of the signing and authentication certificates via the Online Certificate Status Protocol (OCSP, RFC 6960). An OCSP responder service providing the status information is maintained by the certificate authority that issued the certificates. Each Security Server is responsible for querying the validity information of its certificates and then sharing the information with other Security Servers as a part of the message exchange process. The mechanism is known as OCSP stapling. Only Security Servers with valid authentication certificates and members with valid signing certificates can exchange messages. If the validity information is not available or a certificate is not valid, the message exchange fails. 

...

Note

It’s important that the values of the three configuration parameters are aligned with each other and with the policies of the certificate authority. For example, the ocspFetchInterval parameter must be smaller than the ocspFreshnessSeconds parameter; otherwise, the Security Server considers the responses expired before new ones are fetched.

...

The Security Server fetches new OCSP responses at a fixed interval, which is 20 minutes by default. The fetch interval is configured by the X-Road operator on the Central Server using the ocspFetchInterval global configuration parameter extension. The Security Server considers an OCSP response expired if it was issued too far in the past OR newer status information is already available.

...

Omitting the nextUpdate attribute check is configured by the X-Road operator on the Central Server using the verifyNextUpdate global configuration parameter extension.

Info

More information about the nextUpdate parameter is available in the Central Server User Guide.
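The expiry rules described above (freshness window, nextUpdate, and the Note's requirement that ocspFetchInterval be smaller than ocspFreshnessSeconds) as an added, runnable model. This is example code written for this page, not X-Road's own implementation; the parameter names are assumed to match the X-Road global configuration parameters, the timestamps are constructed, and the handling of a missing nextUpdate when verifyNextUpdate is on is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class OcspConfig:
    # Global configuration values the page describes (names assumed to match
    # the X-Road parameters; the values used below are constructed for this example).
    ocsp_fetch_interval: int     # seconds between OCSP fetches (page default: 20 min)
    ocsp_freshness_seconds: int  # how long a fetched response is treated as fresh
    verify_next_update: bool     # whether the nextUpdate attribute is checked

@dataclass
class OcspResponse:
    this_update: datetime
    next_update: Optional[datetime]  # responders may omit nextUpdate

def config_is_aligned(cfg: OcspConfig) -> bool:
    """The Note's rule: the fetch interval must be smaller than the freshness
    window, otherwise a response expires before its replacement is fetched."""
    return cfg.ocsp_fetch_interval < cfg.ocsp_freshness_seconds

def response_is_expired(resp: OcspResponse, cfg: OcspConfig, now: datetime) -> bool:
    """Expired if issued too far in the past (thisUpdate + ocspFreshnessSeconds
    has passed) OR, when verifyNextUpdate is on, nextUpdate has passed."""
    if now > resp.this_update + timedelta(seconds=cfg.ocsp_freshness_seconds):
        return True
    if cfg.verify_next_update:
        # Assumption: with verifyNextUpdate on, a response that lacks nextUpdate
        # cannot pass the check and is treated as expired.
        return resp.next_update is None or now > resp.next_update
    return False

def run_scenarios() -> dict:
    """Constructed timestamps exercising each rule; returns scenario -> result."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    strict = OcspConfig(1200, 3600, True)   # 20 min fetch, 1 h freshness, check nextUpdate
    lax = OcspConfig(1200, 3600, False)     # same, but nextUpdate is not checked
    recent, old = now - timedelta(minutes=10), now - timedelta(hours=2)
    later, passed = now + timedelta(hours=1), now - timedelta(minutes=1)
    return {
        "config_aligned": config_is_aligned(strict),
        "config_misaligned": config_is_aligned(OcspConfig(3600, 1200, True)),
        "fresh": response_is_expired(OcspResponse(recent, later), strict, now),
        "too_old": response_is_expired(OcspResponse(old, later), strict, now),
        "next_update_passed": response_is_expired(OcspResponse(recent, passed), strict, now),
        "next_update_passed_unchecked": response_is_expired(OcspResponse(recent, passed), lax, now),
        "no_next_update_strict": response_is_expired(OcspResponse(recent, None), strict, now),
        "no_next_update_lax": response_is_expired(OcspResponse(recent, None), lax, now),
    }
```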

...