If not already added, add the OCSP Server (OCSP_1K) certificate type you will later use for Generating a VA certificate and key pair.
In the latest Entrust Authority Security Manager 10.0.x releases, an OCSP Server (OCSP_1K) certificate type may already be predefined in the certificate specifications. This certificate type includes the proper certificate extensions for signing OCSP responses.
To add the OCSP Server certificate type to Entrust Authority Security Manager
- Log in to Entrust Authority Security Manager Administration.
- Select File > Certificate Specifications > Export and export the certificate specifications.
- Open the certificate specifications file in a text editor.
- Add the following line to the [Certificate Types] section.
    OCSP_1K=enterprise,OCSP server,OCSP server certificate -no directory entry
- Add the following lines to the [Extension Definitions] section.
    ;----------------------------------------------------------------------
    ;- Cert Type: OCSP_1K
    ;- This cert type needs to be mapped to cert def policy enforcing:
    ; - Certificate lifetime:
    ; - Exclude privateKeyUsagePeriod: 1
    ; - Exclude basicConstraints: 1
    ; - Exclude entrustVersInfo: 1
    ; - Exclude CDP: 1
    ;----------------------------------------------------------------------
    [OCSP_1K Certificate Definitions]
    1=Verification
    ;
    [OCSP_1K Verification Extensions]
    ;Key Usage: Digital Signature
    keyusage=2.5.29.15,n,m,BitString,1
    ;Extended Key Usage: OCSP Signing
    extkeyusage=2.5.29.37,n,o,SeqOfObjectIdentifier,1.3.6.1.5.5.7.3.9
    ocspnocheck=1.3.6.1.5.5.7.48.1.5,n,o,DER,0500
    ; Certificate Policies: DER encode the <Policy-OID>
    ; Policy-OID=<Policy-OID> - This OID is optional, the customer might not have a policy OID.
    ;certificatepolicies=2.5.29.32,n,o,DER,<DER encoded value of the above OID>
    ; AuthorityInfo Access:
    ; - Issuing CA certificate URL: <CA-Cert-HTTP-URL>
    ;aia=1.3.6.1.5.5.7.1.1,n,m,DER,<DER encoded value of the above URL>
    ;
- (Optional.) Add a certificatePolicies extension to the certificate type.
  The certificatePolicies extension contains policy information, such as how your CA operates and the intended purpose of the issued certificate. Typically, different certificate policies relate to different applications that may use the certified key. The extension contains a sequence of one or more policy information terms, each consisting of an object identifier (OID) and optional qualifiers. In an end-entity certificate, the policy information terms indicate the policy under which the certificate was issued and the purposes for which the certificate may be used. To add a certificatePolicies extension to the certificate type:
  - DER-encode a list of one or more policy OIDs. Entrust provides an entDerEncoder utility for Security Manager that you can use to DER-encode data for certificate extensions. For instructions about using the entDerEncoder utility, see the Security Manager documentation.
  - Uncomment the certificatepolicies= entry and replace <DER encoded value of the above OID> with the DER-encoded value you obtained in the previous step.
- (Optional.) Add an authorityInformationAccess extension to the certificate type.
  The Authority Information Access (AIA) certificate extension indicates how to access information and services for the CA that issued the certificate. Information and services may include online validation services and CA policy data. To add an authorityInformationAccess extension to the certificate type:
  - DER-encode the HTTP URL of the CA certificate. Entrust provides an entDerEncoder utility for Security Manager that you can use to DER-encode data for certificate extensions. For instructions about using the entDerEncoder utility, see the Security Manager documentation.
  - Uncomment the aia= entry and replace <DER encoded value of the above URL> with the DER-encoded value you obtained in the previous step.
- Add the following lines to the [Advanced Settings] section.
    [OCSP_1K Advanced]
    noBasicConstraints=1
    noPrivateKeyUsage=1
    noEntrustVersInfo=1
    ;cdpLdapDnLast=1
    noUserInDirectory=1
    noCRLDistPoints=1
- Save and close the file.
- Select File > Certificate Specifications > Import and import the certificate specifications back into Entrust Authority Security Manager.
- In the tree view, select Security Policy > Certificate Categories > Enterprise > Certificate Types > OCSP Responder (OCSP Responder Certificates) > Verification.
- Click the Certificate definition Policy field, and then select Verification_p10 Policy from the drop-down list.
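The two optional steps above leave the certificatepolicies= and aia= values to be produced with entDerEncoder. The following added example, which is not part of the Entrust documentation or tooling, builds the same DER bytes from the standard library so you can see the structure of each value and check what entDerEncoder produced. It assumes the specifications file takes the value as a hex string, like the 0500 (DER NULL) the page already uses for ocspnocheck; the anyPolicy OID and the CA certificate URL in the sample run are constructed inputs.

```python
# Standard-library DER encoder for the OCSP_1K placeholder values:
# certificatePolicies (2.5.29.32) and authorityInfoAccess (1.3.6.1.5.5.7.1.1).
# The encodings are fixed by X.690 and RFC 5280, so any conforming encoder,
# entDerEncoder included, must produce identical bytes.
# ASSUMPTION: the spec file takes the value as a hex string (cf. ocspnocheck=...,DER,0500).
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # accessMethod for the issuing CA certificate URL

def der_len(n: int) -> bytes:
    """Definite length: one byte below 128, else 0x80|count then big-endian length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_len(len(value)) + value

def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, remaining arcs base-128
    with the high bit set on every byte of an arc except its last."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            groups.insert(0, arc & 0x7F)
        out.extend(g | 0x80 for g in groups[:-1])
        out.append(groups[-1])
    return der_tlv(0x06, bytes(out))

def certificate_policies(policy_oids) -> str:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OID },
    no qualifiers; returns the hex string to paste after 'DER,'."""
    terms = b"".join(der_tlv(0x30, der_oid(oid)) for oid in policy_oids)
    return der_tlv(0x30, terms).hex().upper()

def aia_ca_issuers(url: str) -> str:
    """AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription
    { accessMethod id-ad-caIssuers, accessLocation [6] IMPLICIT IA5String (URI) }."""
    location = der_tlv(0x86, url.encode("ascii"))  # context-specific tag [6] = uniformResourceIdentifier
    description = der_tlv(0x30, der_oid(ID_AD_CA_ISSUERS) + location)
    return der_tlv(0x30, description).hex().upper()

if __name__ == "__main__":
    # Constructed sample inputs: anyPolicy as the policy OID and a placeholder CA URL.
    print("certificatepolicies=2.5.29.32,n,o,DER," + certificate_policies(["2.5.29.32.0"]))
    print("aia=1.3.6.1.5.5.7.1.1,n,m,DER," + aia_ca_issuers("http://ca.example.com/ca.crt"))
```

Encoding the page's own extkeyusage OID with der_oid yields 06082B06010505070309, the well-known encoding of id-kp-OCSPSigning, which is a quick sanity check that the encoder agrees with the values already in the specification.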