CertHash is a method to qualify a positive OCSP response by including a secure hash of the certificate. This is a further tamper proofing of the protocol, as the default reply is signed using only the certificate's serial number, leaving other fields open to abuse. Including a hash based on all relevant values in the certificate increases the security for the client.
The hash algorithm used in this extension is SHA256.
CertHash is defined in the German Common PKI SigG-Profile (OCSP in Part9).
The following covers how to set up handling of CertHash extensions using the external OCSP responder. For more information, see External OCSP Responders.
Setting up the CertHash OCSP Extension
The following describes setting up the CertHash OCSP extension in the OCSP/VA server.
Configuring the CertHash Extension
The OCSP Responder includes an extension for including CertHash values in replies.
To enable the CertHash extension, configure the options in the OcspKeyBinding of the OCSP Responder:
Select Admin Web > Internal Key Bindings > OcspKeyBindings and choose the Key Binding to edit.
Under OCSP Extensions, select Certificate Hash.
Click Add and then Save.
For a description of all available options, refer to the ocsp.properties.sample.
Note that defining ocsp.alwayssendcustomextension=126.96.36.199.3.13 will make the extension included in every reply, globally.