Online Certificate Status Protocol (OCSP) Responder Testing Information

 




OVERVIEW

Currently, the Department of Defense (DoD) Public Key Infrastructure (PKI) uses Certificate Revocation Lists (CRLs) to check the status of issued certificates. An alternative to CRL checking is the Online Certificate Status Protocol (OCSP).

OCSP is a request-response protocol used for obtaining online certificate revocation information from a trusted entity, referred to as an OCSP Responder. OCSP Responders provide immediate revocation information on specific certificates rather than a list of certificate revocation information in the form of a CRL.

The Joint Interoperability Test Command (JITC) conducts OCSP Responder testing using DoD Class 3 PKI test certificates and CRLs issued from the JITC PKI test Certificate Authority. CRLs are retrieved via Lightweight Directory Access Protocol (LDAP) from the JITC test Directory server and via Hypertext Transfer Protocol (HTTP) from the JITC test web server.

JITC conducts testing of OCSP Responders at its PKE laboratory at Fort Huachuca, Arizona.

Download the JITC OCSP Responder Assessment Worksheet.

Testing of OCSP Responders is based on JITC's test plan, DoD OCSP Responder Interoperability Master Test Plan, version 1.0, dated July 2003.

For contact information please see the POCs web page.

Certification Letters are available on the JITC Joint Interoperability Tool web page. A JIT account must be requested to obtain access to the certification letters.


JITC OCSP Responder Online

JITC has made available the Robust Certificate Validation System (RCVS) to support the vendor, developer, and testing communities. RCVS accepts certificate status requests at http://ocsp.nsn0.rcvs.nit.disa.mil. The JITC RCVS test environment uses the Delegated Trust Model (DTM). Unlike the direct trust model used previously, a client does not require an OCSP responder certificate. The responder certificate for any given OCSP request is an OCSP signing certificate issued by the CA that issued the certificate that is being validated. These CA-issued OCSP certificates have a short lifespan and are reissued regularly. The signature should verify via the trust chain.
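The delegated-trust check described above, as an added example (not JITC or RCVS code): a response is accepted only when the responder certificate embedded in it was issued by the CA of the certificate being validated, carries the OCSP-signing extended key usage, is within its validity period, and signed the response. The CA, certificates and response are constructed in-process with Python's `cryptography` package; the EC P-256 keys, the "Test CA" name and the presence of a nextUpdate field are assumptions of the example.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID as EKU, NameOID

NOW = datetime.now(timezone.utc).replace(microsecond=0, tzinfo=None)  # naive UTC

def issue(cn, key, issuer_key, days, ocsp_signing=False):
    """Constructed test certificate under a made-up "Test CA" (not JITC material)."""
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    b = (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name("Test CA"))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW - timedelta(minutes=5)).not_valid_after(NOW + timedelta(days=days)))
    if ocsp_signing:
        b = b.add_extension(x509.ExtendedKeyUsage([EKU.OCSP_SIGNING]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def check_delegated(resp_der, cert, ca_cert, now=NOW):
    """Return the OCSP cert status, or raise ValueError if delegated trust fails."""
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError("unsuccessful response")
    if resp.serial_number != cert.serial_number or not resp.this_update <= now <= resp.next_update:
        raise ValueError("response is stale or for another certificate")
    for signer in resp.certificates:  # the responder cert arrives inside the response
        try:  # CA signed the responder cert, and the responder cert signed the response
            for pub, obj, tbs in ((ca_cert.public_key(), signer, signer.tbs_certificate_bytes),
                                  (signer.public_key(), resp, resp.tbs_response_bytes)):
                pub.verify(obj.signature, tbs, ec.ECDSA(obj.signature_hash_algorithm))
            eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        except (InvalidSignature, x509.ExtensionNotFound):
            continue
        if EKU.OCSP_SIGNING in eku and signer.not_valid_before <= now <= signer.not_valid_after:
            return resp.certificate_status
    raise ValueError("no valid CA-issued OCSP signing certificate")

def sample(signer_issuer="ca"):  # constructed CA, leaf, responder cert and response
    keys = {k: ec.generate_private_key(ec.SECP256R1()) for k in ("ca", "rogue", "ocsp", "leaf")}
    ca_cert = issue("Test CA", keys["ca"], keys["ca"], 365)
    leaf = issue("leaf", keys["leaf"], keys["ca"], 90)
    signer = issue("OCSP signer", keys["ocsp"], keys[signer_issuer], 7, ocsp_signing=True)
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(leaf, ca_cert, hashes.SHA256(), ocsp.OCSPCertStatus.GOOD,
                          NOW, NOW + timedelta(hours=4), None, None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, signer)
            .certificates([signer]).sign(keys["ocsp"], hashes.SHA256()))
    return resp.public_bytes(serialization.Encoding.DER), leaf, ca_cert
```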

OCSP Responders Certification Status

The following table contains information on OCSP Responders that JITC is currently working with and OCSP Responders that are certified as interoperable with the DoD PKI.

| Vendor | Product | Status |
|---|---|---|
| Alacris | OCSP Server Professional, version 3.0.0 | Certified |
| Ascertia | TrustFinder OCSP Server, version 5.0 | Certified |
| Ascertia | TrustFinder OCSP Server, version 4.0 | Certified |
| CoreStreet | Real Time Credentials (RTC) Validation Authority, version 4.0 | Certified |
| CoreStreet | Real Time Credentials (RTC) Validation Authority, version 2.6.3 | Certified |
| CoreStreet | Responder, version 5.1.5 | Certified |
| CoreStreet | Responder Appliance 2400D, version 3.0.1 | Certified |
| CoreStreet | Responder Appliance 1400 | Certified |
| CoreStreet | Validation Authority (VA), version 5.1.5 | Certified |
| Kyberpass | Validation Server, version 5.6.1 | Certified |
| Microsoft Corporation | Microsoft OCSP Responder; Built into Windows Server 2008 and 2012 | Certified |
| Tumbleweed/Axway | Valicert Validation Authority, version 4.9 | Certified |
| Tumbleweed | Valicert Validation Authority, version 4.8 | Certified |
| Tumbleweed | Valicert Validation Authority, version 4.7.3 | Certified |
| Tumbleweed | Valicert Validation Authority, version 4.7.2 | Certified |
| Tumbleweed | Valicert Validation Authority, version 4.7.1 | Certified |
| Tumbleweed | Valicert Validation Authority, version 4.6.1 | Certified |
| CoreStreet | Tactical Validation Authority (TVA), version 5.1.5 hotfix 20080421-1 | Test Complete |
| Computer Associates | eTrust OCSPro, version 2.0.1 | Not Tested |
| CoreStreet | Tactical Validation Authority (TVA), version 5.1.5 hotfix 20071119-1 | Not Tested |

Disclaimer of Endorsement

Reference in this website to any specific commercial products, process, service, manufacturer or company does not constitute its endorsement or recommendation by the United States Government.

Certification letters are available on the Joint Interoperability Tool (JIT) web page. A JIT account must be requested to obtain access to the certification letters.


  Last Revision: 21 Nov 13
