This section shows how to test CRL signing and OCSP database creation. To simplify this demonstration, the example pulls certificates from a Defense Information Systems Agency (DISA) repository.
Pull certificates
Perform the following steps to pull certificates from a DISA LDAP server:
On the Import Certificates from LDAP Server page, set the Host Name to crl.chamb.disa.mil. Leave all of the other fields at their defaults and select [ Get LDAP Certificates ].
At the time of this writing, DISA supports port 389 for importing certificates from its LDAP server. However, DISA recently announced that it will soon support only Secure LDAP (LDAPS), which uses port 636. If port 389 does not work for you, try port 636 anonymously instead.
If the VA Server connects to the LDAP server successfully, you see a list of certificates on the next page.
Expect to see the following error:
Disregard this message. It just means that at least one certificate out of approximately 50 failed to load. Select [ Go Back ].
On the Configure CRL Imports page, leave In an LDAP Directory selected as the CRL Source and select [ Add CRL Source ].
On the Configure CRL Import (LDAP) page, the LDAP Host field auto-populates with the address previously entered. Leave all of the fields set to the default values and select [ Find Available CRLs ].
Scroll to the bottom of the Available CRLs for Import page and select [ Schedule Import of Checked CRLS ].
As long as port 80 is available on the machine (by default, the server URL is configured to use port 80), leave everything on the Configure Server URLs page set to the default values. If port 80 is taken, you can either free it up so Axway VA can use it or configure a different port. After you finish configuring the server URLs, select [ Submit ].
On Windows, sometimes the IIS service reserves port 80. On Linux, sometimes the Apache service reserves port 80.
If the request is successful, the following message displays:
Leave all of the fields set to their default values on the VA Responder Server Configuration Parameters page and select [ Submit Configuration Parameters ].
You should see the following message:
Start the server
Perform the following steps to start the server:
Test CRL signing and database creation
Perform the following steps to test CRL signing and OCSP database creation:
On the VA Responder CA Options Configuration page, modify the following settings:
- Under OCSP Response Settings, change the Validity period of CRL to the next 7 days.
- Under Pre-computation Options, check the Pre-compute OCSP Data checkbox, and select Only Revoked Certificates.
Select [ Submit CA Configuration Parameters ] at the bottom of the page.
You should see a message that the CA configuration options have been successfully modified.
Select the DOD EMAIL CA-41 CA and select [ Configure CA Specific OCSP Signing Certificate ] at the top of the page.
On the Set CA Specific OCSP Signing Certificate page, you can see the OCSP signing key that was created earlier on the HSM.
Select [ Submit ].
You should see a message saying that the CA-specific OCSP signing certificate/key was set successfully.
Disregard the warning and proceed by selecting [ Flush CRL and OCSP DB Information ].
You should see a message that the CRLs and OCSP databases for the specified CA have been cleaned successfully.
Go to CRLs > CRLs & OCSP Databases. Find DOD EMAIL CA-41 and, in the OCSP response database field, verify the CRLs finished downloading and the OCSP database was created successfully.
You should see a list including the Subject, Issuer, Serial number, Last Fetch data, and so on. This result confirms that VA Server could use the OCSP response signing key stored on the HSM to sign the CRLs that you downloaded for DOD EMAIL CA-41.
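The GUI check above can be confirmed from a client with the openssl CLI: the CRL that VA Server signed with the HSM-backed key must verify against the CA certificate and carry the 7-day validity window configured above, and the responder on port 80 must return a response that verifies against the CA. This is an added example, not part of the Futurex or Axway documentation; it assumes the openssl CLI and GNU date are installed, and the CRL, certificate and URL arguments are hypothetical paths supplied by the caller.

```shell
# Client-side verification of the VA Responder output (added example).
# Assumes the openssl CLI and GNU date. File paths and the responder URL
# are hypothetical arguments supplied by the caller.

# check_crl CRL_FILE ISSUER_CERT MAX_DAYS
# Succeeds when the CRL signature verifies against ISSUER_CERT, nextUpdate is
# still in the future, and the lastUpdate..nextUpdate window is at most
# MAX_DAYS (the page configures 7 days).
check_crl() {
    crl=$1; issuer=$2; max_days=$3
    # openssl reports the result on stderr; the exit code alone is not reliable
    openssl crl -in "$crl" -noout -CAfile "$issuer" 2>&1 | grep -q 'verify OK' || return 1
    last=$(openssl crl -in "$crl" -noout -lastupdate | cut -d= -f2) || return 1
    next=$(openssl crl -in "$crl" -noout -nextupdate | cut -d= -f2) || return 1
    last_s=$(date -u -d "$last" +%s) || return 1
    next_s=$(date -u -d "$next" +%s) || return 1
    now_s=$(date -u +%s)
    [ "$next_s" -gt "$now_s" ] || return 1          # stale CRL
    window=$(( (next_s - last_s) / 86400 ))
    [ "$window" -ge 0 ] && [ "$window" -le "$max_days" ]
}

# check_ocsp RESPONDER_URL ISSUER_CERT LEAF_CERT
# Succeeds when the responder answers and the response verifies against the
# CA chain, i.e. it is signed by the CA itself or by a CA-specific OCSP signing
# certificate issued by that CA (the delegated signer must be included in the
# response). Prints the status line for the leaf certificate.
check_ocsp() {
    url=$1; issuer=$2; leaf=$3
    out=$(openssl ocsp -issuer "$issuer" -CAfile "$issuer" -cert "$leaf" \
                       -url "$url" 2>&1) || return 1
    printf '%s\n' "$out" | grep -q 'Response verify OK' || return 1
    printf '%s\n' "$out" | grep -F "$leaf: "
}

# Usage (hypothetical paths): check_crl dod_email_ca41.crl dod_email_ca41.crt 7
#                             check_ocsp http://va-server:80/ dod_email_ca41.crt leaf.crt
```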

