-
Notifications
You must be signed in to change notification settings - Fork 0
Home
The validity confirmation service or OCSP service allows you to ask for real-time status information on any certificate issued by SK (incl the ID-card, Smart-ID and Mobile-ID certificates). OCSP is a simple client-server service that follows the RFC 6960 standard. Simply put, the OCSP client sends a request to the OCSP responder (server) about the validity of a certificate, to which the responder sends a response that contains information about the status of the given certificate (valid/not valid), and the timestamp for the confirmation. The response is digitally signed.
SK OCSP service responds with the status of the certificate in the request based on the CA by which the certificate is issued. If the certificate in the request is issued by a CA unknown to the OCSP service, the response will be as item no 5 in the table OCSP Response Mapping below.
| LIVE OCSP URL | http://ocsp.sk.ee/ |
| Service certificate, used for signing the response | Signed by corresponding intermediate CA responder CA certificates |
| Test OCSP URL | http://demo.sk.ee/ocsp |
| Usage terms | GENERAL TERMS OF SUBSCRIBER AGREEMENT v4.1, valid from 01.07.2023 |
| Responses status | GOOD - certificate is valid REVOKED - certificate is not valid The positive response from OCSP means that the certificate has been issued and was valid at the time of the issuance of the response. The GOOD response will be given also for an expired certificate, meaning that the certificate has not been revoked or suspended. The checking of validity in time must be done on the service side, in accordance with RFC 6960. |
| Supported extensions | OCSP Nonce (1.3.6.1.5.5.7.48.1.2) |
| Supported algorithm of the response | sha256WithRSAEncryption |
| Limitations | CertID parameters are supported in the form of sha1 hash |
| LIVE access to the service | IP limit or access certificate based |
| No. | Use Case | SK OCSP Status Value |
|---|---|---|
| 1. | Certificate is active | GOOD |
| 2. | Certificate is active but expired | GOOD |
| 3. | Certificate is revoked | REVOKED |
| 4. | Certificate is temporarily revoked (suspended) | REVOKED revocation reason: certificateHold |
| 5. | Certificate is not issued by the CA (unknown issuer) | REVOKED revocation reason: certificateHold MUST specify the revocationTime January 1, 1970 |
| 6. | Certificate is not issued by the CA (known issuer) Certificate is unknown to the CA, although it may have been issued by a CA that is known to OCSP |
REVOKED revocation reason: certificateHold MUST specify the revocationTime January 1, 1970 |