EJBCA - Open Source PKI Certificate Authority

CertHash

CertHash is a method of qualifying a positive OCSP response by including a secure hash of the certificate in question. A standard OCSP response identifies the certificate only by its CertID (hashes of the issuer name and issuer key, plus the serial number), so a status of good says no more than that no revocation is recorded for that serial number: it does not prove that the responder has ever seen the certificate, and it says nothing about the other fields of the certificate. Including a hash computed over the complete certificate lets the responder make a positive statement about exactly that certificate, which the client can verify by hashing the certificate it holds and comparing the two values.
The hash algorithm used by this extension is SHA-256.
CertHash is defined in the German Common PKI specification, SigG-Profile (OCSP in Part 9); its extension OID is 1.3.36.8.3.13.
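As an added example, not code from EJBCA or the Common PKI project, the following Python shows both sides of the mechanism described above: encoding the CertHash extension value that a responder adds to a single response, and the client-side check that hashes the certificate it holds and compares it with the responder's value. The certificate bytes are constructed sample data standing in for a DER-encoded certificate, and the small DER helpers are hand-written for the example rather than taken from an ASN.1 library; a real client would take extnValue from the single-response extension with OID 1.3.36.8.3.13 in a parsed OCSP response.

```python
# Added example, not EJBCA's own code: encode and verify the Common PKI
# CertHash OCSP single-response extension (OID 1.3.36.8.3.13).
#
#   CertHash ::= SEQUENCE {
#       hashAlgorithm   AlgorithmIdentifier,   -- SHA-256 for EJBCA
#       certificateHash OCTET STRING }         -- digest over the DER certificate
import hashlib
import hmac

CERTHASH_OID = "1.3.36.8.3.13"
SHA256_OID = "2.16.840.1.101.3.4.2.1"

# Constructed sample input standing in for a DER-encoded X.509 certificate;
# the digest is computed over these bytes exactly as a client hashes its certificate.
CERT_DER = b"\x30\x82\x01\x00" + b"constructed stand-in for a DER-encoded certificate"


def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + _der_length(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER given in dotted form."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der_tlv(0x06, bytes(body))


def encode_certhash(cert_der: bytes) -> bytes:
    """Responder side: the extnValue carrying SHA-256 over the whole DER certificate."""
    alg_id = der_tlv(0x30, der_oid(SHA256_OID))  # RFC 5754: no parameters for SHA-256
    digest = der_tlv(0x04, hashlib.sha256(cert_der).digest())
    return der_tlv(0x30, alg_id + digest)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_certhash(extn_value: bytes):
    """Parse extnValue into (hash algorithm OID, certificateHash); rejects trailing data."""
    tag, seq, end = _read_tlv(extn_value, 0)
    if tag != 0x30 or end != len(extn_value):
        raise ValueError("CertHash: expected exactly one SEQUENCE")
    tag, alg, pos = _read_tlv(seq, 0)
    if tag != 0x30:
        raise ValueError("CertHash: hashAlgorithm must be a SEQUENCE")
    tag, oid_content, _ = _read_tlv(alg, 0)  # parameters (absent or NULL) are ignored
    if tag != 0x06:
        raise ValueError("CertHash: hashAlgorithm must start with an OID")
    tag, digest, pos = _read_tlv(seq, pos)
    if tag != 0x04 or pos != len(seq):
        raise ValueError("CertHash: certificateHash must be the final OCTET STRING")
    return decode_oid(oid_content), bytes(digest)


def verify_certhash(extn_value: bytes, cert_der: bytes) -> bool:
    """Client side: does the responder's CertHash match the certificate we hold?"""
    oid, digest = parse_certhash(extn_value)
    if oid != SHA256_OID:
        raise ValueError(f"CertHash: unsupported hash algorithm {oid}")
    return hmac.compare_digest(digest, hashlib.sha256(cert_der).digest())


if __name__ == "__main__":
    ext = encode_certhash(CERT_DER)
    print("extnValue:", ext.hex())
    print("matches our certificate:", verify_certhash(ext, CERT_DER))
    # A 'good' status whose CertHash belongs to some other certificate must be rejected.
    print("matches a different certificate:", verify_certhash(ext, CERT_DER + b"\x00"))
```

The check treats a mismatch as a hard failure rather than falling back to the plain good status, since the whole point of the extension is that the responder vouches for this exact certificate; the strict parser also refuses trailing bytes and unknown hash algorithms instead of guessing.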

Setting up the CertHash OCSP extension in the OCSP/VA server

This section describes how to set up handling of the CertHash extension in the external OCSP responder. It should be read in combination with the OCSP installation guide.

Configuring the CertHash Extension

The OCSP responder comes with an extension for including CertHash values in replies. To enable the CertHash extension, configure the following options:

	  ocsp.extensionoid=*1.3.36.8.3.13
	  ocsp.extensionclass=org.ejbca.core.protocol.ocsp.extension.certhash.OcspCertHashExtension

in conf/ocsp.properties of the OCSP responder. All options are described in ocsp.properties.sample. Note that the extension OID is prefixed with an asterisk, which means the extension is always included in the reply, not only when a client asks for it in its request.