OCSP Services - LDAP
What is OCSP?
Online certificate status protocol: verification at source
The OCSP service allows determining the validity status of a certificate by consulting the trusted servers (OCSP Responder) of the Validation Authority.
When a query is made to that URL, the response is a digitally signed statement from ANF AC about the validity of the certificate at a given time. ANF AC also stores and keeps a copy of each response it generates.
The repositories consulted by the OCSP Responder servers are continuously updated and comply with the IETF document RFC 6960 ("Online Certificate Status Protocol Algorithm Agility").
The link to the OCSP service is listed in the certificate of interest itself.
Microsoft's cryptographic libraries include OCSP protocol support by default in the .NET platform: http://msdn.microsoft.com/en-us/library/aa380253(VS.85).aspx
OpenSSL's ocsp command is an extension of the OpenSSL cryptographic library that implements the OCSP protocol in C.
For example, a query performed through OpenSSL has the following syntax, where issuer is the certificate of the issuing CA, cert is the certificate to check, url is the address of the OCSP responder and cafile holds the trusted certificates used to verify the signed response:
openssl ocsp -issuer issuer -cert cert -url url -CAfile cafile
The url value must be the one indicated in the "Authority Information Access" field of the certificate.
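The query above worked end to end, as an added example that is not ANF AC's code or responder: the script builds a throwaway CA and leaf certificate, runs a local OpenSSL OCSP responder, reads the responder URL from the leaf's Authority Information Access extension and accepts a status only after the signed response verifies against -CAfile. The CA and leaf names, port 18080 and the file names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not ANF AC's code: a throwaway CA plus a local OpenSSL OCSP
# responder, queried the way the page describes (responder URL taken from the
# certificate's AIA extension, signed response verified against -CAfile).
# CA name, leaf name, port 18080 and file names are assumptions for the demo.
set -eu

# Constructed test PKI in a scratch directory: CA, leaf with an AIA pointing
# at the local responder, and the OpenSSL CA index the responder answers from.
make_test_pki() {
  WORK=$(mktemp -d); cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -days 2 -subj "/CN=Demo CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=leaf.demo.test" >/dev/null 2>&1
  printf 'authorityInfoAccess=OCSP;URI:http://127.0.0.1:18080\n' > leaf.ext
  openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out leaf.pem -days 1 -extfile leaf.ext >/dev/null 2>&1
  # Index columns: status (V=valid), expiry, revocation date (empty), serial, file, DN.
  SERIAL=$(openssl x509 -in leaf.pem -noout -serial | cut -d= -f2)
  printf 'V\t991231235959Z\t\t%s\tunknown\t/CN=leaf.demo.test\n' "$SERIAL" > index.txt
}

# Single-shot responder signing its answers with the CA key (the Validation
# Authority's side of the exchange).
start_responder() {
  openssl ocsp -index index.txt -port 18080 -rsigner ca.pem -rkey ca.key \
    -CA ca.pem -nrequest 1 >/dev/null 2>&1 &
  sleep 1
}

# Relying-party side: status of $1 (issued by $2), trusting only $3 to sign
# the response. Prints good/revoked/unknown; returns 1 if the signature does
# not verify, so an unsigned or tampered answer is never treated as a status.
ocsp_status() {
  cert=$1; issuer=$2; trust=$3
  url=$(openssl x509 -in "$cert" -noout -ocsp_uri)   # Authority Information Access
  out=$(openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" -CAfile "$trust" 2>&1)
  echo "$out" | grep -q '^Response verify OK' || { echo "verify failed: $out" >&2; return 1; }
  echo "$out" | sed -n "s|^$cert: ||p"
}

demo() {
  make_test_pki
  start_responder
  ocsp_status leaf.pem ca.pem ca.pem   # prints: good
}
```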
For more information, consult the ANF AC Validation Policy.
The Lightweight Directory Access Protocol (LDAP) provides a standardized method for storing certificates and certificate revocation lists (CRLs).
The current version, LDAPv3, is specified in the Internet Engineering Task Force (IETF) RFC 4510.
This directory service is offered to Registration Authorities and users, and can be consulted from a browser or from software designed for this purpose (an LDAP browser) at the address ldap://ldap.anf.es.