EJBCA - Open Source PKI Certificate Authority
Search ejbca.org on Google:
EJBCA Enterprise (r26459)


CertHash is a method to qualify a positive OCSP response by including a secure hash of the certificate in question. This is a further tamper proofing of the protocol, as the default reply is signed using only the certificate's serial number, leaving other fields open to abuse. Including a hash based on all relevant values in the certificate increases security for the client.
The hash algorithm used in this extension is SHA256.
CertHash is defined in the German Common PKI SigG-Profile (OCSP in Part9).

Setting up the CertHash OCSP extension in the OCSP/VA server

This section describes how you set up handling of CertHash extensions using the external OCSP responder. It should be read in combination with the OCSP installations guide.

Configuring the CertHash Extension

The OCSP responder comes with an extension for including CertHash values in replies. To enable the CertHash extension you configure the options:


in conf/ocsp.properties of the OCSP responder. All options are described in ocsp.properties.sample. Note that the extension OID is prefixed with an asterisk, meaning that it will always be included in the reply.