> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Test CRL signing

> Instructions for testing CRL signing and OCSP database creation using sample certificates from DISA.

This section shows how to test CRL signing and OCSP database creation. To simplify this demonstration, the example pulls certificates from a Defense Information Systems Agency (DISA) repository.

## Pull certificates

Perform the following steps to pull certificates from a DISA LDAP server:

<Steps>
  <Step>
    Go to the **Add** **Certificates** menu, select **CA Certificates \[OCSP Protocol]**, and select **\[ Submit ]**.
  </Step>

  <Step>
    Select **LDAP** **Server**, and select **\[ Submit Certificate Import Method ]**.
  </Step>

  <Step>
    On the **Important Certificates from LDAP Server** page, set the **Host** **Name** to `crl.chamb.disa.mil`. Leave all of the other fields as default and select **\[ Get LDAP Certificates ]**.

    <Note>
      At the time of this writing, DISA supports port 389 for importing certificates from their LDAP server. However, recently they announced that soon they will only support Secure LDAP (LDAPS), which uses port 636.

      If port 389 does not work for you, attempt to use port 636 anonymously instead.
    </Note>

    <Check>
      If the VA Server connects to the LDAP server successfully, you see a list of certificates on the next page.
    </Check>
  </Step>

  <Step>
    Scroll to the bottom and select **\[ Submit Certificates ]**.
  </Step>

  <Step>
    Expect to see the following error:

    ```none expandable lines wrap title="None" theme={null}
    Failed to import one or more certificates. Please refer to admin logs for details
    ```

    Disregard this message. It just means that at least one certificate out of approximately 50 failed to load. Select **\[ Go Back ]**.
  </Step>

  <Step>
    Scroll to the bottom of the **Configure VA Certificate Store** page and select **\[ Next Step ]**.
  </Step>

  <Step>
    On the **Configure CRL Imports** page, leave **in an LDAP Directory** selected as the CRL Source and select **\[ Add CRL Source ]**.
  </Step>

  <Step>
    On the **Configure CRL Import (LDAP)** page, the **LDAP** **Host** field auto-populates with the address previously entered. Leave all of the fields set to the default values and select **\[ Find Available CRLs ]**.
  </Step>

  <Step>
    Scroll to the bottom of the **Available CRLs for Import** page and select **\[ Schedule Import of Checked CRLS ]**.
  </Step>

  <Step>
    Select **\[ Next Step ]** on the **Configure** **CRL** **Imports** page.
  </Step>

  <Step>
    As long as port **80** is available on the machine (by default, the server URL is configured to use port **80**), on the **Configure Server URLS** page, leave everything set to the default values.

    If port **80** is taken, you can either free it up so Axway VA can use it or you can configure a different port. After you finish configuring the server URLs, select **\[ Submit ]**.

    <Note>
      On Windows, sometimes the IIS service reserves port 80. On Linux, sometimes the Apache service reserves port 80.
    </Note>

    <Check>
      If the request is successful, the following message displays:

      ```none expandable lines wrap title="None" theme={null}
      SUCCESS!
      Server URLs updated successfully.
      ```
    </Check>
  </Step>

  <Step>
    Select **\[ Next Step ]**.
  </Step>

  <Step>
    Leave all of the fields set to their default values on the **VA Responder Server Configuration Parameters** page and select **\[ Submit Configuration Parameters ]**.

    <Check>
      You should see the following message:

      ```none expandable lines wrap title="None" theme={null}
      The Server configuration has been successfully updated.
      ```
    </Check>
  </Step>

  <Step>
    Select **\[ Next Step ]**.
  </Step>
</Steps>

### Start the server

Perform the following steps to start the server:

<Steps>
  <Step>
    On the **Start/Stop Server** page, enter the server password and select **\[ Start Server ]**.

    <Check>
      If the server starts successfully, the Start Server button is disabled and the Stop Server button is activated.
    </Check>
  </Step>
</Steps>

### Test CRL signing and database creation

Perform the following steps to test CRL signing and OCSP database creation:

<Steps>
  <Step>
    Go to **Server** **Settings** > **CA** **options**.
  </Step>

  <Step>
    Select the **DOD EMAIL CA-41 CA**, and select **\[ Configure CA Options ]** at the top of the page.
  </Step>

  <Step>
    On the **VA Responder CA Options Configuration** page, modify the following settings:

    1. Under **OCSP Response Settings**, change the **Validity** **period** **of** **CRL** to the next **7 days**.
    2. Under **Pre-computation Options**, check the **Pre-compute OCSP Data** checkbox, and select **Only Revoked Certificates**.
  </Step>

  <Step>
    Select **\[ Submit CA Configuration Parameters ]** at the bottom of the page.

    <Check>
      You should see a message that the CA configuration options have been successfully modified.
    </Check>
  </Step>

  <Step>
    Go back to **Server** **Settings** > **CA** **options**.
  </Step>

  <Step>
    Select the **DOD EMAIL CA-41 CA** and select **\[ Configure CA Specific OCSP Signing Certificate ]** at the top of the page.

    <Check>
      On the Set CA Specific OCSP Signing Certificate page, you can see the OCSP signing key that was created earlier on the HSM.
    </Check>
  </Step>

  <Step>
    Select **\[ Submit ]**.

    <Check>
      You should see a message saying that it successfully set CA Specific OCSP Signing certificate/key.
    </Check>
  </Step>

  <Step>
    Go to the **Start/Stop Server** page, enter the password, and select **\[ Stop Server ]**.
  </Step>

  <Step>
    Go to **CRLs**>
    **CRLs & OCSP Databases**. Find **DOD EMAIL CA-41** and select **\[ Flush CRLs ]**.
  </Step>

  <Step>
    Disregard the warning and proceed by selecting **\[ Flush CRL and OCSP DB Information ]**.

    <Check>
      You should see a message that the CRLs and OCSP databases for the specified CA have been cleaned successfully.
    </Check>
  </Step>

  <Step>
    Go to the **Start/Stop Server** page, enter the password, and select **\[ Start Server ]**.
  </Step>

  <Step>
    Go to **CRLs** > **CRLs & OCSP Databases**. Find **DOD EMAIL CA-41** and, in the **OCSP response database** field, verify the CRLs finished downloading and the OCSP database was created successfully.

    <Check>
      You should see a list including the Subject, Issuer, Serial number, Last Fetch data, and so on. This result confirms that VA Server could use the OCSP response signing key stored on the HSM to sign the CRLs that you downloaded for DOD EMAIL CA-41.
    </Check>
  </Step>
</Steps>
