000027357 - How is the NextUpdate field in the OCSP response configured?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000027357

Applies To:
RSA Validation Manager 3.1
RSA Validation Manager (RVM)
RSA Certificate Manager (RCM)
Microsoft Windows Server 2003
OCSP - Online Certificate Status Protocol
OCSP Responder

Issue: How is the NextUpdate field in the OCSP response configured?

RVM serving a few CAs (RSA CMs) using their LDAP as the status source.

Unable to control how long the NextUpdate field in the responses will be.

Would like a fresh response produced for every request. For each request I want the NextUpdate field to be 5 minutes from the producedAt (or ThisUpdate) time.

What seems to happen is that the VM gets fresh status every Refresh Time. E.g. if I have Refresh Time set to 5 minutes (see below) then it will get the status every 5 minutes.

Resolution

The NextUpdate time in OCSP Response is calculated based on the Refresh time configured for the Status Source. There is no separate configurable option to set the NextUpdate time for OCSP response.


Here are the details of how the thisUpdate and NextUpdate times in the OCSP response are calculated in the existing functionality.


If an LDAP status source is configured, RVM responds to an OCSP request as follows:


When an OCSP request for certificate status is made to RVM for the first time:
--------------------------------------------------------------------------------------------
1) RVM gets the certificate status details from the RCM LDAP.
2) It updates the certificate status details (cert status, importTime, thisUpdate and nextUpdate time) in the RVM database:

           thisUpdate time = importTime = Current time

           NextUpdate time = importTime + RefreshTime
3) RVM sends the OCSP response back to the client (with the same values as stored in the RVM database).


When an OCSP request for certificate status is made subsequently:
------------------------------------------------------------------------------------------------

4) RVM retrieves the certificate status details from the RVM database.

5) It checks whether current time < (importTime + RefreshTime). If so, it sends the OCSP response back to the client without contacting the RCM LDAP and without updating the RVM database.
The OCSP response contains the current time as the thisUpdate value and the nextUpdate value from the RVM database. Because the RVM database is not updated for each OCSP request, it keeps the same importTime, thisUpdate and nextUpdate values as in step 2. The response validity window (nextUpdate minus thisUpdate) therefore shrinks with each request until the entry is refreshed.

6) Only if current time > (importTime + RefreshTime) does RVM fetch the cert status from the RCM database again, update the RVM database, and send back the OCSP response with thisUpdate set to the current time and nextUpdate set to currentTime + RefreshTime. This validation was added for an issue fixed in RVM 3.1 Build 162.

If you need RVM to contact the RCM database for each OCSP request, you can set the Refresh time to 0 seconds. But in this case the thisUpdate and NextUpdate values will be the same in each response.
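The following model of the caching logic in steps 1 to 6 is an added example, not RVM's own code: it replays the article's rules (thisUpdate = current time, nextUpdate taken from the cached entry, refresh only once importTime + RefreshTime has passed) so that the resulting validity window can be checked for a given Refresh Time. The `ldap_lookup` callable, the serial numbers and the timestamps are constructed stand-ins; treating the exact moment importTime + RefreshTime as expired is an assumption, since the article only states the strict `<` and `>` cases.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class CachedStatus:
    """One entry of the RVM database as the article describes it."""
    cert_status: str
    import_time: datetime
    this_update: datetime
    next_update: datetime


class RvmResponderModel:
    """Model of RVM's LDAP-backed status caching (assumption: built from the article, not RVM code)."""

    def __init__(self, refresh_time: timedelta, ldap_lookup):
        self.refresh_time = refresh_time
        self.ldap_lookup = ldap_lookup   # callable(serial) -> status; stands in for the RCM LDAP
        self.db = {}                     # the "RVM database", keyed by certificate serial
        self.ldap_calls = 0              # how often the RCM LDAP was actually contacted

    def _refresh_from_ldap(self, serial: str, now: datetime) -> CachedStatus:
        # Steps 1-2 and 6: fetch from RCM LDAP, store importTime = thisUpdate = now,
        # nextUpdate = now + RefreshTime.
        self.ldap_calls += 1
        entry = CachedStatus(self.ldap_lookup(serial), now, now, now + self.refresh_time)
        self.db[serial] = entry
        return entry

    def respond(self, serial: str, now: datetime) -> dict:
        """Return the single-response fields RVM would emit for `serial` at time `now`."""
        entry = self.db.get(serial)
        # Step 5 serves from cache only while now < importTime + RefreshTime;
        # the equality case is treated as expired here (assumption, see lead-in).
        if entry is None or not (now < entry.import_time + self.refresh_time):
            entry = self._refresh_from_ldap(serial, now)
        # thisUpdate is always the current time; nextUpdate is whatever the database holds.
        return {"certStatus": entry.cert_status, "thisUpdate": now, "nextUpdate": entry.next_update}


def validity_window(resp: dict) -> timedelta:
    """Time a relying party may treat the response as fresh: nextUpdate - thisUpdate."""
    return resp["nextUpdate"] - resp["thisUpdate"]


if __name__ == "__main__":
    t0 = datetime(2016, 6, 14, 12, 0, 0)                      # constructed timestamp
    rvm = RvmResponderModel(timedelta(minutes=5), lambda s: "good")
    for offset in (0, 4, 6):                                   # minutes after the first request
        r = rvm.respond("01", t0 + timedelta(minutes=offset))
        print(f"+{offset}m window={validity_window(r)} ldap_calls={rvm.ldap_calls}")
```

With Refresh Time 5 minutes, a request 4 minutes after the first one still carries the cached nextUpdate, so the client sees only a 1-minute window; with Refresh Time 0 every request hits the LDAP and the window is zero.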

Notes: VALSRV-1580
Legacy Article ID: a56191
