Online Certificate Status Protocol (OCSP) Services Tools - Lightweight Directory Access Protocol (LDAP)
Information regarding the OCSP and LDAP services of ANF AC.
Online Certificate Status Protocol.
Information regarding OCSP responders.
Online Certificate Status Protocol: Verification at source
The OCSP service determines the validity status of a certificate by consulting the trusted servers of the Validation Authority (the OCSP responders).
A query to the responder's URL returns a response signed by ANF AC that states the status of the certificate at a given moment, and which therefore serves as digital evidence. ANF AC also stores and preserves a copy of every response it generates.
The repositories consulted by the OCSP responder servers are updated continuously, and the service complies with IETF RFC 6960 ("X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP").
The address of the OCSP service is given in the certificate of interest itself.
There are libraries for many programming languages; the most common are:
- Microsoft CryptoAPI (http://msdn.microsoft.com/en-us/library/aa380253(VS.85).aspx): Microsoft's cryptographic libraries include OCSP support by default, and it is also available to .NET applications.
- BouncyCastle (http://www.bouncycastle.org) and the Novosec extensions (http://sourceforge.net/projects/novosec-bc-ext): cryptographic libraries that implement the OCSP protocol in Java and C#.
- OpenSSL (http://www.openssl.org): the OpenSSL cryptographic library, written in C, includes an OCSP implementation (the libcrypto OCSP API and the openssl ocsp command).
- Adobe Reader: recent versions can validate the certificates of signatures embedded in PDF documents.
For example, a query made with OpenSSL has the following syntax:
openssl ocsp -issuer issuer.pem -cert cert.pem -url <url> -CAfile issuer.pem
Here cert.pem is the certificate being checked, issuer.pem is the certificate of the CA that issued it (the responder identifies the certificate by hashes of the issuer's name and key, so the issuer certificate is required), and -CAfile supplies the trust anchor used to verify the signature on the response. The url must be the one given in the certificate's own "Authority Information Access" extension (OCSP access method); a status obtained from any other address is not evidence about the certificate.
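As an added example (not ANF AC's tooling or code), the following script performs the whole OCSP round trip offline with OpenSSL, so it runs without network access: it builds a throwaway issuing CA and a leaf certificate whose AIA extension names a hypothetical responder URL (http://ocsp.example.test/), reads that URL back from the certificate, has the CA answer an OCSP request from an index file (openssl's own responder mode), and then verifies the stored response the way a relying party must, first while the certificate is valid, then after it is revoked, and finally for a response signed by an unrelated key, which is rejected. All names, the URL and the index-file contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not ANF AC's tooling: an offline OCSP round trip with
# OpenSSL. A throwaway CA issues a leaf certificate whose AIA extension
# names a hypothetical responder URL; the CA then answers an OCSP request
# from an index file (openssl's responder mode), and the relying party
# verifies the stored, signed response before trusting the status in it.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Hypothetical responder address placed in the leaf certificate's AIA extension.
OCSP_URI="http://ocsp.example.test/"

# Constructed PKI: a self-signed issuing CA, one leaf certificate, and an
# unrelated "rogue" key pair that will later sign a forged response.
setup_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Issuing CA" -keyout ca.key -out ca.pem 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Rogue Responder" -keyout rogue.key -out rogue.pem 2>/dev/null
    printf 'authorityInfoAccess = OCSP;URI:%s\nbasicConstraints = CA:FALSE\n' \
        "$OCSP_URI" > leaf.ext
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 1 -extfile leaf.ext -out leaf.pem 2>/dev/null
}

# Client: read the responder URL from the certificate's AIA extension.
ocsp_url() {
    openssl x509 -in leaf.pem -noout -ocsp_uri
}

# Client: build the DER-encoded OCSP request for leaf.pem (a nonce is added
# by default).
make_request() {
    openssl ocsp -issuer ca.pem -cert leaf.pem -reqout req.der >/dev/null
}

# Responder: answer req.der from an 'openssl ca'-style index that marks the
# leaf valid (V) or revoked (R). The response is signed with the CA key by
# default; passing "rogue" signs it with the unrelated key instead.
responder_answer() {
    status=$1
    signer=${2:-ca}
    serial=$(openssl x509 -in leaf.pem -noout -serial | cut -d= -f2)
    case "$status" in
        V) printf 'V\t351231235959Z\t\t%s\tunknown\t/CN=leaf.example.test\n' "$serial" ;;
        R) printf 'R\t351231235959Z\t250101000000Z\t%s\tunknown\t/CN=leaf.example.test\n' "$serial" ;;
        *) echo "usage: responder_answer V|R [ca|rogue]" >&2; return 1 ;;
    esac > index.txt
    printf 'unique_subject = yes\n' > index.txt.attr
    openssl ocsp -index index.txt -CA ca.pem -rsigner "$signer.pem" -rkey "$signer.key" \
        -reqin req.der -respout resp.der >/dev/null
}

# Relying party: verify the signature on the stored response against the
# issuing CA and only then report the status it asserts. A response whose
# signature does not chain to the CA is reported as "verify-failed", never
# as "good".
ocsp_status() {
    out=$(openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce \
          -respin resp.der -CAfile ca.pem 2>&1) || { echo "verify-failed"; return 1; }
    printf '%s\n' "$out" | grep -q '^Response verify OK' || { echo "verify-failed"; return 1; }
    printf '%s\n' "$out" | awk -F': ' '$1 == "leaf.pem" { print $2 }'
}

setup_pki
echo "responder URL from AIA:    $(ocsp_url)"
make_request
responder_answer V
echo "status while valid:        $(ocsp_status)"
responder_answer R
echo "status after revocation:   $(ocsp_status)"
responder_answer V rogue
echo "status of forged response: $(ocsp_status)"
```

Against a live responder the responder_answer step disappears: the client adds -url "$(ocsp_url)" to its query, as in the command above, and keeps the returned response (-respout) as its copy of the evidence. The verification in ocsp_status is the part that matters in practice: openssl prints the status block even when "Response Verify Failure" is reported, so a script that greps for "good" without first checking the signature result will happily accept a forged or tampered response.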
For more information see the ANF AC Validation Policy
Lightweight Directory Access Protocol [LDAP]
Information regarding the Lightweight Directory Access Protocol (LDAP) directory of ANF AC. The address of the directory is also contained in the certificate of interest itself.
The Lightweight Directory Access Protocol (LDAP) offers a standardized method for publishing certificates; the directory also holds the Certificate Revocation List (CRL) of revoked certificates.
The current version, LDAPv3, is specified in IETF RFC 4510 and the documents it references.
This directory is offered to Registration Authorities and to users, and can be accessed from a browser or from software built for the purpose (an LDAP browser) at the address ldap://ldap.anf.es.
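As an added example (not ANF AC's tooling), the following script shows how a relying party pulls the CRL out of an LDAP directory such as ldap://ldap.anf.es and checks a certificate serial number against it with openssl. The page does not state the base DN or the entry that carries the CRL, so the script discovers the naming context from the server's root DSE rather than assuming one. The part that runs offline, and the part that usually trips people up, is turning ldapsearch's folded base64 LDIF into DER; it is exercised here on a constructed LDIF record whose value decodes to a plain sentence instead of a real CRL. The functions, the entry name cn=Example CRL,o=Example CA and the script name in the comment are invented for the example; ldapsearch (OpenLDAP) and openssl are assumed to be installed for the online part.

```shell
#!/bin/sh
# Added example, not ANF AC's tooling: pull a CRL out of an LDAP directory
# and check a serial number against it with openssl. The directory's base DN
# is discovered from the root DSE rather than assumed. ldapsearch (OpenLDAP)
# and openssl are assumed to be installed for the online part.
set -eu

# ldapsearch prints binary attributes as base64 ("attr:: ...") LDIF, folded
# at 76 columns with a single leading space on each continuation line. Unfold
# the value of the named attribute read from stdin and write its decoded
# bytes to stdout.
ldif_attr_to_der() {
    awk -v attr="$1" '
        /^ / { if (grab) buf = buf substr($0, 2); next }   # folded continuation
        { if (grab) exit }                                   # next attribute: done
        index($0, attr "::") == 1 { grab = 1; buf = substr($0, length(attr) + 3) }
        END { gsub(/^ +/, "", buf); print buf }
    ' | base64 -d
}

# Online: ask the server for its naming contexts, then search that subtree
# for entries that publish a CRL and save the first one as DER.
fetch_crl() {
    url=$1; out=$2
    base=$(ldapsearch -x -LLL -H "$url" -s base -b "" namingContexts |
           awk '/^namingContexts: / { sub(/^namingContexts: /, ""); print; exit }')
    ldapsearch -x -LLL -H "$url" -b "$base" "(certificateRevocationList=*)" \
        "certificateRevocationList;binary" |
        ldif_attr_to_der "certificateRevocationList;binary" > "$out"
}

# Succeeds if the hex serial (as printed by 'openssl x509 -serial') appears
# in the CRL's list of revoked certificates.
crl_lists_serial() {
    openssl crl -inform DER -in "$1" -noout -text |
        awk -v s="$2" '$1 == "Serial" && $2 == "Number:" && toupper($3) == toupper(s) { found = 1 }
                       END { exit !found }'
}

# Constructed LDIF record shaped like 'ldapsearch -LLL' output for a CRL
# entry. The value is the base64 of a plain sentence, not a real CRL, so the
# unfolding and decoding can be exercised offline.
SAMPLE_LDIF='dn: cn=Example CRL,o=Example CA
objectClass: cRLDistributionPoint
certificateRevocationList;binary:: VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcyBvdmVy
 IHRoZSBsYXp5IGRvZw==
'

echo "decoded sample value: $(printf '%s' "$SAMPLE_LDIF" | ldif_attr_to_der "certificateRevocationList;binary")"

# With a directory URL (and optionally a serial) on the command line, do it
# for real, e.g.: sh crl_from_ldap.sh ldap://ldap.anf.es 1A2B3C
if [ $# -ge 1 ]; then
    fetch_crl "$1" crl.der
    openssl crl -inform DER -in crl.der -noout -issuer -lastupdate -nextupdate
    if [ $# -ge 2 ]; then
        if crl_lists_serial crl.der "$2"; then echo "$2: revoked"; else echo "$2: not on this CRL"; fi
    fi
fi
```

Two checks are worth keeping in any real use: verify the CRL's signature against the issuing CA before trusting it (openssl crl -CAfile issuer.pem -noout -in crl.der), and compare its nextUpdate with the current time, since a directory can serve a stale CRL just as easily as a current one.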