mihkeltammsalu edited this page Oct 30, 2023 · 17 revisions

SK OCSP

The validity confirmation service, or OCSP service, allows you to ask for real-time status information on any certificate issued by SK (including ID-card, Smart-ID and Mobile-ID certificates). OCSP is a simple client-server service that follows the RFC 6960 standard. Simply put, the OCSP client sends the OCSP responder (server) a request about the validity of a certificate, and the responder sends back a response containing the status of the given certificate (valid/not valid) and the timestamp of the confirmation. The response is digitally signed.

Information about SK OCSP service

| Item | Value |
| --- | --- |
| LIVE OCSP URL | http://ocsp.sk.ee/ |
| Service certificate used for signing the response | Signed by the corresponding intermediate CA (responder CA certificates) |
| Test OCSP URL | http://demo.sk.ee/ocsp |
| Usage terms | GENERAL TERMS OF SUBSCRIBER AGREEMENT v4.1, valid from 01.07.2023 |
| Response status | GOOD - certificate is valid; REVOKED - certificate is not valid (see the note below) |
| Supported extensions | OCSP Nonce (1.3.6.1.5.5.7.48.1.2) |
| Supported algorithm of the response | sha256WithRSAEncryption |
| Limitations | CertID parameters are supported in the form of a SHA-1 hash |
| LIVE access to the service | IP limit or access certificate based |

Note on response status: a positive response from OCSP means that the certificate has been issued and was valid at the time the response was issued. A GOOD response is also given for an expired certificate; it only means that the certificate has not been revoked or suspended. Checking the certificate's validity in time must be done on the service side, in accordance with RFC 6960.
1. Changelog for ocsp.sk.ee
2. Changelog for aia.sk.ee/...

OCSP Response Mapping

| No. | Use Case | SK OCSP Status Value |
| --- | --- | --- |
| 1. | Certificate is active | GOOD |
| 2. | Certificate is active but expired | GOOD |
| 3. | Certificate is revoked | REVOKED |
| 4. | Certificate is temporarily revoked (suspended) | REVOKED, revocation reason: certificateHold |
| 5. | Certificate is not issued by the CA (unknown issuer) | REVOKED, revocation reason: certificateHold |
| 6. | Certificate is not issued by the CA (known issuer): the certificate is unknown to the CA, although it may have been issued by a CA that is known to OCSP | REVOKED, revocation reason: certificateHold |
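The exchange and the checks described on this page, as an added example that is not part of the SK wiki or SK's own code: it uses the Python `cryptography` library, a constructed toy CA and toy responder in place of SK's CAs and ocsp.sk.ee (the toy responder signs with the CA key itself, whereas SK's responses are signed by a responder certificate issued by the corresponding intermediate CA), and function names of my own. It builds a request with a SHA-1 CertID and a nonce, answers it, and then applies the relying-party checks: signature, nonce, CertID, the REVOKED/certificateHold mapping from the table above, and the validity-period check that a GOOD answer does not replace.

```python
"""Added example, not SK's code: a toy OCSP exchange (client request, toy responder,
relying-party checks) using the 'cryptography' library. It shows SHA-1 CertIDs, the nonce
extension, REVOKED/certificateHold, and why GOOD alone is not enough (GOOD is also
returned for expired certificates, so the validity period must be checked as well)."""
import datetime
import os

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

DAY = datetime.timedelta(days=1)

def utcnow():
    # Naive UTC to the second; every datetime in this example is naive UTC.
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None, microsecond=0)

def when(obj, name):
    """Datetime attribute as naive UTC, via the *_utc accessors where available (cryptography >= 42)."""
    value = getattr(obj, name + "_utc", None) or getattr(obj, name)
    return value.replace(tzinfo=None) if value and value.tzinfo else value

def make_cert(cn, signer_key, issuer, not_after, days=400):
    """Constructed certificate: a self-signed toy CA when issuer is None, else a subscriber cert."""
    key = signer_key if issuer is None else rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(subject)
            .issuer_name(subject if issuer is None else issuer.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(not_after - days * DAY).not_valid_after(not_after)
            .sign(signer_key, hashes.SHA256()))

def build_request(cert, issuer):
    """Client side: CertID hashed with SHA-1 (the form the page lists) plus a fresh nonce."""
    nonce = os.urandom(16)
    req = (ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1())
           .add_extension(x509.OCSPNonce(nonce), critical=False).build())
    return req, nonce

def toy_responder(req, cert, issuer, issuer_key, status, reason=None):
    """Stand-in responder signing with the CA key (SK uses a separate responder certificate)."""
    now = utcnow()
    revoked = status is ocsp.OCSPCertStatus.REVOKED
    nonce = req.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
    return (ocsp.OCSPResponseBuilder()
            .add_response(cert=cert, issuer=issuer, algorithm=hashes.SHA1(), cert_status=status,
                          this_update=now, next_update=now + DAY,
                          revocation_time=now if revoked else None,
                          revocation_reason=reason if revoked else None)
            .responder_id(ocsp.OCSPResponderEncoding.NAME, issuer)
            .add_extension(x509.OCSPNonce(nonce), critical=False)  # echo the client's nonce
            .sign(issuer_key, hashes.SHA256()))

def check_response(resp, req, nonce, cert, issuer, now=None):
    """Relying party: returns 'accepted', 'rejected: ...' or 'unreliable: ...'."""
    now = now or utcnow()
    # Signature over ResponseData (raises InvalidSignature if tampered); against SK, first
    # validate the responder certificate against the corresponding intermediate CA.
    issuer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                               padding.PKCS1v15(), resp.signature_hash_algorithm)
    # The nonce must echo our request; otherwise this may be a replayed older answer.
    if resp.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce != nonce:
        return "unreliable: nonce mismatch"
    # The CertID must name the certificate we asked about.
    if resp.serial_number != cert.serial_number or resp.issuer_key_hash != req.issuer_key_hash:
        return "unreliable: CertID mismatch"
    if resp.certificate_status is ocsp.OCSPCertStatus.REVOKED:
        # SK reports suspension and unknown certificates as REVOKED with reason certificateHold.
        if resp.revocation_reason is x509.ReasonFlags.certificate_hold:
            return "rejected: suspended or unknown (certificateHold)"
        return "rejected: revoked"
    # GOOD only means 'not revoked or suspended'; the validity period is the relying party's job.
    if not when(cert, "not_valid_before") <= now <= when(cert, "not_valid_after"):
        return "rejected: GOOD but outside validity period"
    return "accepted"

def run_scenarios():
    """Constructed exchanges covering the page's mapping table; returns label -> verdict."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = utcnow()
    ca = make_cert("Toy Example CA", ca_key, None, now + 3650 * DAY, days=3651)
    active = make_cert("Toy Subscriber", ca_key, ca, now + 365 * DAY)
    expired = make_cert("Toy Subscriber", ca_key, ca, now - DAY)  # responder still answers GOOD
    cases = [("active_good", active, ocsp.OCSPCertStatus.GOOD, None),
             ("expired_good", expired, ocsp.OCSPCertStatus.GOOD, None),
             ("suspended", active, ocsp.OCSPCertStatus.REVOKED, x509.ReasonFlags.certificate_hold)]
    verdicts = {}
    for label, cert, status, reason in cases:
        req, nonce = build_request(cert, ca)
        resp = toy_responder(req, cert, ca, ca_key, status, reason)
        verdicts[label] = check_response(resp, req, nonce, cert, ca)
    # Replay: an earlier response presented against a fresh request's nonce fails the nonce check.
    req2, nonce2 = build_request(active, ca)
    verdicts["replayed"] = check_response(resp, req2, nonce2, active, ca)
    return verdicts

if __name__ == "__main__":
    print(run_scenarios())
```

Run as a script it prints one verdict per scenario. A production client additionally checks the response's thisUpdate/nextUpdate freshness window per RFC 6960 and sends the DER-encoded request to the responder URL over HTTP (content type application/ocsp-request); the offline example needs neither.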