SK

Technical information (OCSP)

The service is based on OCSP (Online Certificate Status Protocol), which is described in the Internet standard RFC 6960. OCSP is a simple client-server system: an OCSP client sends a query about a certificate to the OCSP responder (server), and the responder returns a confirmation that states whether the certificate is valid or not valid and the time at which the confirmation was given. The reply given by the responder is digitally signed.

Validity Confirmation Service address: http://ocsp.sk.ee/
Supported Certification Authorities: All certificates issued by SK

Proxy OCSP: http://ocsp.sk.ee/_proxy
Supported Certification Authorities: Mediating validity information of certificates issued by other Certification Authorities. The exact list and the source of validity information used are available here.

Service certificate used for signing responses: SK OCSP RESPONDER 2011
Test service address: http://demo.sk.ee/ocsp

Conditions for Use

General Terms of Subscriber Agreement v 4.0 apply starting from 01.10.2018.

Responses to correct queries

GOOD - certificate valid
REVOKED - certificate not valid
UNKNOWN - no information about the requested certificate 

A positive OCSP response (GOOD) means that the certificate has been issued and was valid at the time the confirmation was given. As an exception, for the ESTEID2018 certifier a GOOD response is also given for an expired certificate if the certificate has not been revoked or suspended. The validity of the certificate must be checked on the service side. This complies with the RFC 6960 standard.
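
The service-side check described above, as an added example that is not SK's own code. It assumes the OCSP response signature has already been verified and its fields parsed; the type and function names, the sample data and the 5-minute freshness limit are assumptions.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Assumption: local freshness policy, not a value published by the service.
MAX_RESPONSE_AGE = timedelta(minutes=5)

@dataclass
class OcspResult:
    """Fields taken from an OCSP response whose signature was already verified."""
    cert_status: str            # "GOOD", "REVOKED" or "UNKNOWN"
    produced_at: datetime       # time the responder gave the confirmation
    nonce: Optional[bytes]      # value of the OCSP Nonce extension, if echoed

@dataclass
class CertValidity:
    not_before: datetime
    not_after: datetime

def accept_certificate(cert, ocsp, sent_nonce, now) -> Tuple[bool, str]:
    """Combine the OCSP answer with the local validity-period check."""
    if ocsp.nonce is None or not hmac.compare_digest(ocsp.nonce, sent_nonce):
        return False, "nonce mismatch"
    if abs(now - ocsp.produced_at) > MAX_RESPONSE_AGE:
        return False, "stale OCSP response"
    if ocsp.cert_status != "GOOD":
        return False, "OCSP status " + ocsp.cert_status
    # GOOD alone is not enough: an expired ESTEID2018 certificate that was
    # never revoked or suspended still gets GOOD, so check the dates here.
    if not (cert.not_before <= now <= cert.not_after):
        return False, "certificate outside validity period"
    return True, "ok"

# Constructed sample data (not real responses from the service).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
NONCE = bytes(range(16))
EXPIRED = CertValidity(datetime(2019, 1, 1, tzinfo=timezone.utc),
                       datetime(2024, 1, 1, tzinfo=timezone.utc))
CURRENT = CertValidity(datetime(2022, 1, 1, tzinfo=timezone.utc),
                       datetime(2027, 1, 1, tzinfo=timezone.utc))
GOOD = OcspResult("GOOD", NOW, NONCE)

if __name__ == "__main__":
    print(accept_certificate(EXPIRED, GOOD, NONCE, NOW))
    print(accept_certificate(CURRENT, GOOD, NONCE, NOW))
    print(accept_certificate(CURRENT, OcspResult("REVOKED", NOW, NONCE), NONCE, NOW))
```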

Supported extensions: OCSP Nonce (1.3.6.1.5.5.7.48.1.2)
Supported response algorithm: sha256WithRSAEncryption
Restrictions: CertID supported hash algorithm is sha1
Access to service: Based on IP address or access certificate
OCSP release notes history: https://github.com/SK-EID/ocsp/wiki