ONLINE CERTIFICATE STATUS PROTOCOL (OCSP) RESPONDER TESTING INFORMATION
OVERVIEW
Currently the Department of Defense (DoD) Public Key Infrastructure (PKI) uses Certificate Revocation Lists (CRLs) to check the status of issued certificates. An alternative to CRL checking is the Online Certificate Status Protocol (OCSP).
OCSP is a request-response protocol used for obtaining online certificate revocation information from a trusted entity, referred to as an OCSP Responder. OCSP Responders provide immediate revocation information on specific certificates rather than a list of certificate revocation information in the form of a CRL.
The Joint Interoperability Test Command (JITC) conducts OCSP Responder testing using DoD Class 3 PKI test certificates and CRLs issued from the JITC PKI test Certificate Authority. CRLs are retrieved via Lightweight Directory Access Protocol (LDAP) from the JITC test Directory server and via HyperText Transfer Protocol (HTTP) from the JITC test web server.
JITC conducts testing of OCSP Responders at its PKE laboratory at Fort Huachuca, Arizona.
Download the JITC OCSP Responder Assessment Worksheet.
Testing of OCSP Responders is based on JITC's test plan DoD OCSP Responder Interoperability Master Test Plan, version 1.0, dated July 2003.
For contact information please see the POCs web page.
Certification Letters are available on the JITC Joint Interoperability Tool web page. A JIT account must be requested to obtain access to the certification letters.
JITC OCSP RESPONDER ONLINE
JITC has made available the Robust Certificate Validation System (RCVS) to support the vendor, developer, and testing communities. RCVS accepts certificate status requests at https://ocsp.nsn0.rcvs.nit.disa.mil. The JITC RCVS test environment uses the Delegated Trust Model (DTM). Unlike the direct trust model used previously, a client does not require an OCSP responder certificate. The responder certificate for any given OCSP request is an OCSP signing certificate issued by the CA that issued the certificate that is being validated. These CA-issued OCSP certificates have a short lifespan and are reissued regularly. The signature should verify via the trust chain.
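The delegated-trust check a relying party applies to the responder certificate, as an added example (not JITC or RCVS code). It covers only the responder-certificate authorization, not parsing of the OCSP response itself; the certificates are constructed in-process, the function names are hypothetical, and the id-kp-OCSPSigning requirement comes from RFC 6960 rather than from this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// authorizedResponder: delegated-trust checks (issuer, validity, OCSPSigning EKU per RFC 6960 4.2.2.2).
func authorizedResponder(responder, ca *x509.Certificate, now time.Time) error {
	if err := responder.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("not issued by the validating CA: %w", err)
	}
	if now.Before(responder.NotBefore) || now.After(responder.NotAfter) {
		return fmt.Errorf("responder certificate expired or not yet valid")
	}
	for _, eku := range responder.ExtKeyUsage {
		if eku == x509.ExtKeyUsageOCSPSigning {
			return nil
		}
	}
	return fmt.Errorf("missing id-kp-OCSPSigning extended key usage")
}

// issue builds a constructed test certificate (hypothetical helper); a nil parent self-signs a CA.
func issue(cn string, parent *x509.Certificate, signer ed25519.PrivateKey, days int, eku ...x509.ExtKeyUsage) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		ExtKeyUsage: eku, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, days)}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func main() {
	ca, caKey := issue("Constructed Test CA", nil, nil, 365)
	signer, _ := issue("Constructed OCSP signer", ca, caKey, 7, x509.ExtKeyUsageOCSPSigning)
	fmt.Println("delegated signer error:", authorizedResponder(signer, ca, time.Now()))
}
```

Because the signing certificates are short-lived and reissued regularly, a client that pins or caches one will start failing the validity check; the CA certificate is the stable trust anchor.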
OCSP RESPONDERS CERTIFICATION STATUS
The following table contains information on OCSP Responders that JITC is currently working with and OCSP Responders that are certified as interoperable with the DoD PKI.

| Vendor | Product | Status |
|---|---|---|
| Alacris | OCSP Server Professional, version 3.0.0 | Certified |
| Ascertia | TrustFinder OCSP Server, version 5.0 | Certified |
| Ascertia | TrustFinder OCSP Server, version 4.0 | Certified |
| CoreStreet | Real Time Credentials (RTC) Validation Authority, version 4.0 | Certified |
| CoreStreet | Real Time Credentials (RTC) Validation Authority, version 2.6.3 | Certified |
| CoreStreet | Responder, version 5.1.5 | Certified |
| CoreStreet | Responder Appliance 2400D, version 3.0.1 | Certified |
| CoreStreet | Responder Appliance 1400 | Certified |
| CoreStreet | Validation Authority (VA), version 5.1.5 | Certified |
| Kyberpass | Validation Server, version 5.6.1 | Certified |
| Microsoft Corporation | Microsoft OCSP Responder; Built into Windows Server 2008 and 2012 | Certified |
| Tumbleweed/Axway | Valicert Validation Authority, version 4.9 | Certified |
| Tumbleweed | Valicert Validation Authority, version 4.8 | Certified |
| Tumbleweed | Valicert Validation Authority, version 4.7.3 | Certified |
| Tumbleweed | Valicert Validation Authority, version 4.7.2 | Certified |
| Tumbleweed | Valicert Validation Authority, version 4.7.1 | Certified |
| Tumbleweed | Valicert Validation Authority, version 4.6.1 | Certified |
| CoreStreet | Tactical Validation Authority (TVA), version 5.1.5 hotfix 20080421-1 | Test Complete |
| Computer Associates | eTrust OCSPro, version 2.0.1 | Not Tested |
| CoreStreet | Tactical Validation Authority (TVA), version 5.1.5 hotfix 20071119-1 | Not Tested |
DISCLAIMER OF ENDORSEMENT
Reference in this website to any specific commercial products, process, service, manufacturer or company does not constitute its endorsement or recommendation by the United States Government.