Workflow for Setting up a new OCSP Signer

This section describes a workflow for setting up a new OCSP Signer and requires the steps in the previous Building and configuring the Responder section to be completed.

Using VA Publisher

ENTERPRISE EDITION This is an EJBCA Enterprise Edition (EE) feature.

Follow the steps to set up a new OCSP Signer using a VA Publisher:

  1. Go to AdminGUI of OCSP > Crypto Tokens and create a new Crypto Token (unless you want to reuse an existing).

  2. Go to AdminGUI of OCSP > Crypto Tokens > Your created Crypto Token and generate a new key pair.

  3. Go to AdminGUI of OCSP > Internal Key Bindings > OcspKeyBindings tab and create a new OcspKeyBinding that references the Crypto Token and key pair.

  4. Go to AdminGUI of OCSP > Internal Key Bindings and create a Certificate Signing Request for your new OcspKeyBinding. Save this file.

  5. Go to PublicWeb of CA > Create Certificate from CSR > Use the credentials for issuing an OCSP signing certificate and upload the CSR.

  6. (No manual action in this step: the CA publishes the new OCSP signing certificate to the OCSP instance through the VA Publisher.)

  7. Go to AdminGUI of OCSP > Internal Key Bindings and click Update for your new OcspKeyBinding. This will find the published certificate by matching the key pair with the certificate.

  8. Go to AdminGUI of OCSP > Internal Key Bindings and click Enable for your new OcspKeyBinding to start processing OCSP responses with it.

Using EJBCA Peer System

ENTERPRISE EDITION This is an EJBCA Enterprise Edition (EE) feature.

Follow the steps to set up a new OCSP Signer using an EJBCA Peer System:

These instructions assume that there already is a Peer System connecting the CA and the VA machines, that the connection is already tested and that there is already a remote identity representing the CA among the "Incoming Connections" in the VA's Peer Systems. For information on setting up Peer Systems, see Peer Systems.

  1. Go to AdminGUI of OCSP > Crypto Tokens and create a new Crypto Token (unless you want to reuse an existing).

  2. Go to AdminGUI of OCSP > Crypto Tokens > Your created Crypto Token and generate a new key pair.

  3. Go to AdminGUI of OCSP > Internal Key Bindings > OcspKeyBindings tab and create a new OcspKeyBinding that references the Crypto Token and key pair.

  4. Go to AdminGUI of OCSP > Peer Systems > Click on Modify Role for the peer connector representing the CA and set access rules for the newly created OcspKeyBinding ("view only" or "Renew certificate").

  5. Go to AdminGUI of CA > Add End Entity, create an End Entity for issuing the OCSP signing certificate (use an OCSP Signer certificate profile).

  6. Go to AdminGUI of CA > Peer Systems > Click Manage for the peer connector representing the VA > Remote Key Bindings, fill in the credentials for the OCSP signing End Entity in the newly created OcspKeyBinding and click Issue Signing Certificate.

  7. Go to AdminGUI of OCSP > Internal Key Bindings > OcspKeyBindings tab and verify that the OcspKeyBinding has a certificate and has been activated.
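A check to run on the issued certificate before clicking Enable, covering both the Update step of the VA Publisher workflow (the certificate is matched to the key pair) and the final verification step of the Peer System workflow. This is an added shell example using openssl, not code from the EJBCA documentation; the CA, key pairs and certificate it creates are constructed stand-ins, and the responder URL in probe_responder is a placeholder.

```shell
#!/bin/sh
# Added example, not from the EJBCA documentation. Assumes openssl is on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins: an issuing CA, the key pair the VA Crypto Token would
# hold, the OCSP signing certificate the CA issued for it, and an unrelated key.
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=FixtureCA \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=FixtureOcspSigner \
    -keyout "$WORK/signer.key" -out "$WORK/signer.csr" 2>/dev/null
  printf 'extendedKeyUsage=OCSPSigning\n' > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/signer.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -out "$WORK/signer.pem" 2>/dev/null
  openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
}

# What "Update" relies on and what to confirm before "Enable":
#  1. the certificate's public key is the key binding's key pair,
#  2. it chains to the CA the responder answers for,
#  3. it carries the OCSP Signing extended key usage.
# Arguments: certificate, private key, CA certificate. Returns 0 only if all hold.
ocsp_signer_ok() {
  cert=$1; key=$2; ca=$3
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout)" ] || return 1
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -text | grep -q 'OCSP Signing'
}

# Live check once the key binding is enabled: query the responder for one
# certificate and let OpenSSL verify the response against the new signer
# certificate (-VAfile). The URL is a placeholder; set OCSP_URL to your VA.
# Arguments: issuing CA certificate, certificate to query, new signer certificate.
probe_responder() {
  url=${OCSP_URL:-http://ocsp.example.invalid/ejbca/publicweb/status/ocsp}
  openssl ocsp -issuer "$1" -cert "$2" -url "$url" -VAfile "$3" -resp_text
}

make_fixture
if ocsp_signer_ok "$WORK/signer.pem" "$WORK/signer.key" "$WORK/ca.pem"; then
  echo "signer certificate matches the key pair and is usable for OCSP"
fi
```

The Responder Id printed by probe_responder identifies which key signed the response, so it shows whether the newly enabled OcspKeyBinding is the one answering.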