Validation Authority Publisher (Legacy)

ENTERPRISE EDITION: This is an EJBCA Enterprise Edition (EE) feature.

The legacy VA Publisher publishes issued certificates and/or revocation information to a VA instance by writing them directly to the VA's database. For this reason, the VA's database has to be configured as a data source (see below), and the ports for database access need to be opened from the CA to the VA. While the functionality of this publisher has been entirely supplanted by the VA Peer Publisher (which we greatly recommend instead), the legacy VA Publisher remains widely in use and has somewhat better performance than its far more secure cousin.


Settings

Setting

Description

Data Source

The database of the standalone VA where this publisher will publish certificates. Use java:/OcspDS if ocsp-datasource.jndi-name=OcspDS. This must be a non-transactional (jta=false) data source.

Store certificate at the Validation Authority

Stores the complete certificate on the VA. If this is unchecked, only the information needed to answer OCSP requests is stored, not the certificate itself. There are good reasons not to publish the whole certificate: it is large, which makes the insert somewhat heavy, and it may contain sensitive information. On the other hand, some OCSP Extension plug-ins may not work without the certificate. A regular OCSP responder works fine without the certificate. A publisher for CA certificates (used on an Edit Certificate Authorities page) must have this enabled.

Publish only revoked certificates

If selected, only revoked certificates are stored on the VA. The OCSP responder of the VA must have 'nonexistingisgood' (conf/ocsp.properties) enabled if only revoked certificates are published. A publisher for CA certificates (used on an Edit Certificate Authorities page) must have this disabled.

Store CRL at the Validation Authority

Enable this if the CRL store service of the VA should be used for a CA (only meaningful for publishers used on an Edit Certificate Authorities page). Note that to use this option you must enable Store certificate at the Validation Authority and clear Publish only revoked certificates, since the CA certificate(s) must be stored in the VA when CRLs are stored there.
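
The dependencies between the settings above can be checked mechanically before a publisher is put into use. The following is an added example, not EJBCA code: the class, field and function names and the sample input are hypothetical, and the property key is assumed to be written as ocsp.nonexistingisgood (the table gives only 'nonexistingisgood').

```python
from dataclasses import dataclass

@dataclass
class VaPublisher:
    # Hypothetical field names mirroring the checkboxes described above.
    store_certificate: bool
    only_revoked: bool
    store_crl: bool
    used_for_ca_certs: bool  # selected on an Edit Certificate Authorities page

def nonexistingisgood_enabled(ocsp_properties):
    """True if the conf/ocsp.properties text enables 'nonexistingisgood'.
    Assumed key: 'ocsp.nonexistingisgood' (or the bare name), key=value form."""
    enabled = False
    for raw in ocsp_properties.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue  # blank line, comment, or not a key=value pair
        key, value = (part.strip() for part in line.split("=", 1))
        if key.split(".")[-1] == "nonexistingisgood":
            enabled = value.lower() == "true"  # a later assignment overrides
    return enabled

def check(pub, ocsp_properties):
    """Return the violated rules for one publisher/VA pair ([] = consistent)."""
    problems = []
    if pub.used_for_ca_certs and not pub.store_certificate:
        problems.append("CA certificate publisher must store the certificate")
    if pub.used_for_ca_certs and pub.only_revoked:
        problems.append("CA certificate publisher must not publish only revoked")
    if pub.store_crl and (not pub.store_certificate or pub.only_revoked):
        problems.append("Store CRL needs Store certificate on and only-revoked off")
    if pub.only_revoked and not nonexistingisgood_enabled(ocsp_properties):
        problems.append("only-revoked publishing needs nonexistingisgood on the VA")
    return problems

# Constructed sample input, not taken from a real installation.
SAMPLE_PROPS = "# ocsp.nonexistingisgood=true\nocsp.nonexistingisgood = false\n"
ee_pub = VaPublisher(store_certificate=False, only_revoked=True,
                     store_crl=False, used_for_ca_certs=False)
ca_pub = VaPublisher(store_certificate=True, only_revoked=False,
                     store_crl=True, used_for_ca_certs=True)

if __name__ == "__main__":
    for label, pub in (("end-entity publisher", ee_pub), ("CA publisher", ca_pub)):
        print(label, check(pub, SAMPLE_PROPS) or "consistent")
```
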