Using the OCSP responder

As an alternative to, or in addition to, publishing revocation information with CRLs, you can choose to enable an Online Certificate Status Protocol (OCSP) responder. An OCSP responder is enabled when OCSPType is set to basic in the CertPolicy section of the PKI Services configuration file (see Table 1) and the certificate contains the necessary OCSP responder information in the AuthInfoAccess extension. (Also, see TEMPLATE sections.)

To use an OCSP responder, you must add /usr/lpp/pkiserv/lib to the LIBPATH environment variable for the HTTP Server. You set this by adding it to the vhost80.conf configuration file (the host file for non-SSL requests) with the SetEnv HTTP directive.
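
The following check is an added example, not part of the PKI Services documentation or IBM-supplied code. It verifies both settings described above: OCSPType=basic in the CertPolicy section, and /usr/lpp/pkiserv/lib as an exact entry in an active SetEnv LIBPATH line. It assumes the configuration file uses `[Section]` headers with key=value lines; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: the sample files below are constructed, not IBM-shipped files.

# Print the OCSPType value found in the [CertPolicy] section of the given file.
ocsp_type() {
  awk '
    /^[ \t]*#/  { next }                                   # skip comment lines
    /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[CertPolicy\]/); next }
    in_sec && /^[ \t]*OCSPType[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit
    }' "$1"
}

# Succeed only if an active SetEnv LIBPATH line lists /usr/lpp/pkiserv/lib
# as an exact path entry (not a substring, not a commented-out line).
libpath_has_pkiserv() {
  awk -v want="/usr/lpp/pkiserv/lib" '
    /^[ \t]*#/ { next }
    tolower($1) == "setenv" && $2 == "LIBPATH" {
      val = $0
      sub(/^[ \t]*[^ \t]+[ \t]+LIBPATH[ \t]+/, "", val)
      gsub(/"/, "", val); sub(/[ \t\r]+$/, "", val)
      n = split(val, part, ":")
      for (i = 1; i <= n; i++) { p = part[i]; sub(/\/+$/, "", p); if (p == want) found = 1 }
    }
    END { exit (found ? 0 : 1) }' "$1"
}

# Return 0 when both settings are in place; report what is missing otherwise.
check_ocsp_prereqs() {
  rc=0
  [ "$(ocsp_type "$1")" = "basic" ] || { echo "OCSPType is not basic in [CertPolicy]: $1"; rc=1; }
  libpath_has_pkiserv "$2" || { echo "LIBPATH lacks /usr/lpp/pkiserv/lib: $2"; rc=1; }
  return $rc
}

# Constructed sample files so the check runs offline.
demo=$(mktemp -d)
printf '%s\n' '[OtherSection]' 'OCSPType=placeholder' '[CertPolicy]' \
  '# OCSPType=placeholder' 'OCSPType = basic' > "$demo/pkiserv.conf"
printf '%s\n' '<VirtualHost *:80>' 'SetEnv LIBPATH "/usr/lib:/usr/lpp/pkiserv/lib"' \
  '</VirtualHost>' > "$demo/vhost80.conf"
printf '%s\n' '# SetEnv LIBPATH /usr/lpp/pkiserv/lib' \
  'SetEnv LIBPATH /usr/lpp/pkiserv/lib64' > "$demo/vhost80.bad"

check_ocsp_prereqs "$demo/pkiserv.conf" "$demo/vhost80.conf" && echo "OCSP responder prerequisites present"
```

The vhost80.bad sample shows the two cases a plain text search would wrongly accept: a commented-out directive and a path that only contains the required directory as a prefix.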