> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Test CRL Signing

> Instructions to test CRL signing and OCSP database creation using DISA certificates.

In this section, learn how to test CRL signing and OCSP Database creation. To simplify this demonstration, it pulls certificates from a Defense Information Systems Agency (DISA) repository.

This section covers the following tasks:

1. Pull Certificates from a DISA LDAP server.
2. Start the server.
3. Test CRL signing and database creation

## Pull certificates

Perform the following steps to pull certificates from a DISA LDAP server:

<Steps>
  <Step>
    Go to the **Add Certificates** menu, select **CA Certificates \[OCSP Protocol]**, and select **\[ Submit ]**.
  </Step>

  <Step>
    Select **LDAP Server**, and select **Submit Certificate Import Method**.
  </Step>

  <Step>
    On the **Important Certificates from LDAP Server** page, set the **Host Name** to `crl.chamb.disa.mil`. Leave all other fields as default and select **\[ Get LDAP Certificates ]**.

    <Note>
      At the time of this writing, DISA supports port 389 for importing certificates from their LDAP server. However, recently they announced that soon they will only support Secure LDAP (LDAPS), which uses port 636. If port 389 does not work for you, attempt to use port 636 anonymously instead.
    </Note>
  </Step>

  <Step>
    If the VA Server connects to the LDAP server successfully, you see a list of certificates on the next page. Scroll to the bottom and select **\[ Submit Certificates ]**.
  </Step>

  <Step>
    Expect to see the following error:

    ```text expandable lines wrap title="Text" theme={null}
    Failed to import one more certificates. Please refer to admin logs for details.
    ```

    This can be disregarded. It just means that at least one certificate out of approximately 50 failed to load. Select **\[ Go Back ]**.
  </Step>

  <Step>
    Scroll to the bottom of the Configure VA Certificate Store page and select **\[ Next Step ]**.
  </Step>

  <Step>
    On the Configure CRL Imports page, leave **in an LDAP Directory** selected as the **CRL Source** and select **\[ Add CRL Source ]**.
  </Step>

  <Step>
    On the **Configure CRL Import (LDAP)** page, the **LDAP Host** field is auto-populated with the address we previously entered. Leave all fields set to the defaults and select **Find Available CRLs** at the bottom.
  </Step>

  <Step>
    Scroll to the bottom of the **Available CRLs for Import** page and click **Schedule Import of Checked CRLS**.
  </Step>

  <Step>
    Select **\[ Next Step ]** on the **Configure CRL Imports** page.
  </Step>

  <Step>
    On the **Configure Server URLS** page, leave everything set to default as long as port 80 is available on the machine (by default, the server URL is configured to use port 80). If port 80 is taken, you can either free it up so that Axway VA can use it or you can configure a different port. After you finish configuring the server URLs, select **\[ Submit ]**.

    <Note>
      On Windows, sometimes the IIS service must reserve port 80. On Linux, sometimes the Apache service reserves port 80.
    </Note>
  </Step>

  <Step>
    Select **\[ Next Step ]**.
  </Step>

  <Step>
    Leave all the settings as default on the **VA Responder Server Configuration Parameters** page and select **\[ Submit Configuration Parameters ]**. You should see a message that says:

    ```text expandable lines wrap title="Text" theme={null}
    The Server configuration has been successfully updated.
    ```
  </Step>

  <Step>
    Select **\[ Next Step ]**.
  </Step>
</Steps>

## Start the server

Perform the following steps to start the server:

<Steps>
  <Step>
    On the **Start/Stop** **Server** page, type in the server password, and select **\[ Start Server ]**.
  </Step>
</Steps>

## Test CRL signing

Perform the following steps to test CRL signing and OCSP database creation:

<Steps>
  <Step>
    Go to **Server Settings** > **CA options**.
  </Step>

  <Step>
    Select the **DOD EMAIL CA-41 CA**, and select **Configure CA Options** at the top of the page.
  </Step>

  <Step>
    On the **VA Responder CA Options Configuration** page, you must modify two settings:

    1. Under **OCSP Response Settings**, change the **Validity period of CRL** to the next seven days.
    2. Under **Pre-computation Options**, select the **Pre-compute OCSP Data** checkbox, and select **Only Revoked Certificates**.
  </Step>

  <Step>
    Select **\[ Submit CA Configuration Parameters ]** at the bottom of the page.

    <Check>
      You should see a message that the CA configuration options have been successfully modified.
    </Check>
  </Step>

  <Step>
    Go back to **Server Settings** > **CA options**.
  </Step>

  <Step>
    Select the **DOD EMAIL CA-41 CA**, and select **Configure CA Specific OCSP Signing Certificate** at the top of the page.
  </Step>

  <Step>
    On the **Set CA Specific OCSP Signing Certificate** page, you can see the OCSP signing key that we created earlier on the HSM.

    Select **\[ Submit ]** and you should see

    <Check>
      A message displays, saying that it successfully set the CA Specific OCSP Signing certificate/key.
    </Check>
  </Step>

  <Step>
    Go to the **Start/Stop Server** page, enter the password, and select **\[ Stop Server ]**.
  </Step>

  <Step>
    Go to **CRLs** > **CRLs & OCSP Databases**. Find **DOD EMAIL CA-41** and select **\[ Flush CRLs ]**.
  </Step>

  <Step>
    Disregard the warning and proceed by selecting **\[ Flush CRL and OCSP DB Information ]**. You should see a message that the CRLs and OCSP databases for the specified CA have been cleaned successfully.
  </Step>

  <Step>
    Go to the **Start/Stop Server** page, enter the password, and select **\[ Start Server ]**.
  </Step>

  <Step>
    Go to **CRLs** > **CRLs & OCSP Databases**. Find **DOD EMAIL CA-41**, and in the **OCSP response database** field, you should see a success response after the CRLs finish downloading and the OCSP database is successfully created.

    <Check>
      This result confirms that VA Server could use the OCSP response signing key stored on the HSM to sign the CRLs downloaded for DOD EMAIL CA-41.

      If the server starts successfully, the \[ Start Server ] button is grayed out and the \[ Stop Server ] button is available.
    </Check>
  </Step>
</Steps>
