Setting Up OCSP

The Manage OCSP Certificate feature in emCA allows users to configure the created OCSP certificate at the specified URL. This is useful for deploying the OCSP certificate to a public-facing web server or other device where it can be accessed by clients.

Create OCSP Certificate Profile

As step 1, Officer needs to use the OCSP profile created by CA Administrator. CA Administrator OCSP Profile creation steps are covered under Configuring Certificate Profiles - OCSP Certificate Profile.

Generate Key Pair

As step 2, Officer need to Generate a new Key Pair

Click on "Generate Key Pair " to open the following dialog:

Enter the number of keys that you want to generate. In general, you will need 1 key for 1 CA and 1 more key, if that CA will receive an OCSP certificate.

Select the "Key Profile" you want to use from the first dropdown list.

Choose the "Algorithm" from the drop-down

Select the "Signature algorithm". This will filter the element for the third dropdown list accordingly.

Select the "Key Algorithm" and "Key Size"

Press "Proceed" to continue and authenticate the action via Username & Password or Hard/ Soft token basis.

Click on "Generate Key Pair(s)" to generate the keys

After the successful generation of the key pair, click on "View all" or "+ New" to continue with the new Key Pair creation.

Generate CA Certificate

After creating a key pair, select the "Generate Certificate" option available in the "Action" column of the created key pair.

Click on to start generating a CA certificate.

The above window opens after clicking on “Action”.

There are two different options available for generation:

  • Certificate – use the key to generate a new CA certificate directly.

  • CSR – use the key to generate a Certificate Signing Request (CSR).

Choose "Certificate" if you want to directly generate a new CA certificate. This option is applicable if the CA is "self-signed" or the "issuing CA" is in the same instance

Choose "CSR" if the issuing CA is not on the same instance. This is the case if ROOT and SUB CAs are not operated on the same system.

Note: You can operate CAs using the appliance functionalities that have their trust anchored outside the Appliance using the option CSR.

CA Administrator created certificate profiles will be available under “Certificate profile” dropdown.

For "Subject DN Details", enter all Subject Distinguished Name (Subject DN) information for the CA as per the certificate profile selection.

Press "Proceed" to continue. You will be prompted to authenticate the action using your officer token/ username & password. Press "Authenticate" to proceed.

Officer is required to successfully authenticate and continue with “Create”.

The "Certificate" will be created and downloadable.

Configure OCSP Certificates

An Officer can manage the Online Certificate Status Protocol (OCSP) certificates of CAs in his/her own group using the following UI.

After generation, OCSP certificates must be manually mapped to the corresponding CA.

To map the OCSP certificate to an existing CA, simply click on "OCSP Config".

Select the CA to which the OCSP certificate should be mapped.

Enter the URL to your OCSP Core Responder in the OCSP URL.

For the emCA application with an internal OCSP Core Responder, this URL will be

https://<application_net_address>/ocsprespondercore/

where <application_net_address> is the Application Network address of your emCA application.

An example of a user interface can be seen in the image below.

Inspect the CA's certificate by clicking "View" next to the registered CA. The OCSP certificate can also be inspected by clicking "View" next to the desired certificate.

To view the details of the OCSP certificate, please click on icon.

Please click on the download Icon to obtain the OCSP certificate.

  • DER-encoded X.509 certificate (.cer)

  • Base64-encoded X.509 certificate (.cer)

  • Cryptographic Message Syntax Standard PKCS#7 certificate (.p7b)

Select the export format of your choice and click "Download" to start the download of the user certificate. The user certificate will be downloaded to the standard download location of your OS.

Last updated