Patrick wrote:
> Hello,
>
> Is there a way to use an OCSP responder with NSS so that NSS uses it
> when checking a certificate? I believe NSS would if the certificate had
> the OCSP info in it but I'm talking about configuring NSS to use a
> custom or local OCSP server...
Yes. There are three modes for NSS with respect to OCSP:
1) OCSP checking off. OCSP extensions are ignored, certs are processed
without revocation checking.
2) OCSP checking on. If the cert has the OCSP extension, the responder
specified in the extension is checked.
3) Default OCSP responder set. All certs are sent to the default OCSP
responder, which will comment on the revocation.
I believe mode 3 is the mode you are looking for.
> Also can I get confirmation that in order for NSS to use a CRL, this CRL
> needs to be imported in the cert7.db beforehand. In other words, NSS
> does not do any automatic CRL check over the net but strictly checks CRLs
> that are in its certificate store.
NSS does not automatically fetch CRLs. Communicator has UI to help
fetch CRLs, and you can set up your company home pages to load CRLs
whenever they are referenced, but NSS never goes out and fetches CRLs.
NOTE: NSS treats the 'last update/next update' fields in a CRL as
expiration fields. If you have a CRL loaded, and it's 'expired', NSS
will reject all certs certified by the CA issuing that CRL. This is one
primary reason we discourage the use of NSS's built-in CRL processing
(there are a lot of little corner cases like this that would have to be
fixed for CRLs in NSS to be useful generally).
bob
>
> -- Patrick
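The revocation behaviour Bob describes (three OCSP modes, CRLs only from the local store, and a CRL whose nextUpdate has passed causing every cert from that CA to be rejected) is easy to get wrong when reasoning about an NSS deployment. The following is an added example, not code from the thread or from NSS itself: a small Python model of those rules that an operator can run against constructed cert and CRL records to see which responder NSS would consult and whether a stale CRL in the store would start rejecting an entire CA. The `RevocationPolicy`, `Cert` and `Crl` types and all sample values are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional

# Assumed model of the three NSS OCSP modes described in the reply.
class OcspMode(Enum):
    OFF = 1                # OCSP extensions ignored, no revocation check
    ON = 2                 # query the responder named in the cert's OCSP extension, if any
    DEFAULT_RESPONDER = 3  # send every cert to the configured default responder

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    ocsp_url: Optional[str] = None  # AIA/OCSP extension, if present

@dataclass(frozen=True)
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset = frozenset()

@dataclass
class RevocationPolicy:
    ocsp_mode: OcspMode = OcspMode.OFF
    default_responder: Optional[str] = None
    crls: dict = field(default_factory=dict)  # issuer -> Crl, i.e. what was imported into the cert db

def ocsp_responder_for(policy: RevocationPolicy, cert: Cert) -> Optional[str]:
    """Which OCSP responder (if any) would be consulted for this cert under the policy."""
    if policy.ocsp_mode is OcspMode.OFF:
        return None
    if policy.ocsp_mode is OcspMode.ON:
        return cert.ocsp_url  # None when the cert carries no OCSP extension
    return policy.default_responder  # mode 3: the extension is not used at all

def crl_verdict(policy: RevocationPolicy, cert: Cert, now: datetime) -> str:
    """CRL outcome for one cert, using only CRLs already in the local store (none are fetched)."""
    crl = policy.crls.get(cert.issuer)
    if crl is None:
        return "no-crl"
    # NSS treats thisUpdate/nextUpdate as a validity window: outside it the CRL is
    # 'expired' and every cert from that CA is rejected, revoked or not.
    if now < crl.this_update or now > crl.next_update:
        return "crl-expired"
    if cert.serial in crl.revoked_serials:
        return "revoked"
    return "good"

def check(policy: RevocationPolicy, cert: Cert, now: datetime) -> dict:
    """Combined view: responder to query plus the local-CRL verdict and whether the cert survives."""
    verdict = crl_verdict(policy, cert, now)
    return {
        "responder": ocsp_responder_for(policy, cert),
        "crl": verdict,
        "accepted_by_crl": verdict in ("good", "no-crl"),
    }

def stale_crls(policy: RevocationPolicy, now: datetime) -> list:
    """Operator check: issuers whose stored CRL has passed nextUpdate and is silently blocking a whole CA."""
    return sorted(issuer for issuer, crl in policy.crls.items() if now > crl.next_update)

if __name__ == "__main__":
    # Constructed sample data for the illustration.
    now = datetime(2001, 6, 1, tzinfo=timezone.utc)
    ca_crl = Crl("CN=Example CA", datetime(2001, 1, 1, tzinfo=timezone.utc),
                 datetime(2001, 3, 1, tzinfo=timezone.utc), frozenset({42}))
    policy = RevocationPolicy(OcspMode.DEFAULT_RESPONDER, "http://ocsp.example.test/", {"CN=Example CA": ca_crl})
    leaf = Cert("CN=www.example.test", "CN=Example CA", 7, ocsp_url="http://ocsp.other.test/")
    print(check(policy, leaf, now))
    print("stale CRLs:", stale_crls(policy, now))
```

Running the script shows the default responder being chosen even though the cert names a different one (mode 3), and a CRL that is three months past nextUpdate turning every cert from `CN=Example CA` into a rejection, which is exactly the corner case the NOTE warns about; `stale_crls` is the kind of check worth scheduling wherever CRLs are imported by hand rather than fetched.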