ECA-8432: OCSPkeyBinding Default Responder DB Queries

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 7.4.1
    • Component/s: None
    • Provenance: Internal Delivery


      For OCSP requests whose issuing CA is unknown, EJBCA goes through all internal key bindings and queries CertificateData for each one's certificate. With many key bindings this produces a large number of CertificateData queries per request.

      There is a patch that simply returns the default response (usually Unauthorized) in this case. The trade-off is a small latency between the time a new CA is added and the time correct OCSP responses are returned for it. This latency is controlled by the setting ocsp.signingCertsValidTime, which defaults to 5 minutes.

      Suggested solution

      • Disable the cache update on a miss, so the default response is returned when the CA certificate is not in the cache
      • Add a property or checkbox to restore the old behaviour (unchecked by default), for those who really want to keep the old behaviour for some reason
      • Add an upgrade note saying that if you need the old behaviour, you need to toggle the checkbox

      The relevant code in OcspResponseGeneratorSessionBean is:

              // Locate the CA which gave out the certificate
              ocspSigningCacheEntry = OcspSigningCache.INSTANCE.getEntry(certId);
              if (ocspSigningCacheEntry == null) {
                  // Could it be that we haven't updated the OCSP Signing Cache?
                  // This lookup queries CertificateData once per internal key binding
                  ocspSigningCacheEntry = findAndAddMissingCacheEntry(certId);
              }
              final OcspDataConfigCacheEntry ocspDataConfig = OcspDataConfigCache.INSTANCE.getEntry(certId);

      In the "if", we should also check the new setting, so that missing entries are not searched for when the CA is unknown.
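      The following Java class is an added example, not code from EJBCA or from this ticket. It models the cache-miss path described above so the query cost can be observed: with the legacy lookup enabled, a request for an unknown CA costs one CertificateData query per internal key binding; with the proposed setting at its default, the miss is answered immediately with the default response and no query is made. The class names (OcspCacheLookupDemo, CertificateDataStub, SigningCacheEntry), the property name legacyMissingEntryLookup and the sample key binding and CA names are assumptions chosen for illustration, and the CertificateID is reduced to an issuer key hash string.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example, not EJBCA code. Models the cache-miss path from ECA-8432.
public class OcspCacheLookupDemo {

    // Stand-in for an OcspSigningCache entry (hypothetical, reduced to two fields).
    static final class SigningCacheEntry {
        final String issuerKeyHash;
        final String keyBindingName;
        SigningCacheEntry(String issuerKeyHash, String keyBindingName) {
            this.issuerKeyHash = issuerKeyHash;
            this.keyBindingName = keyBindingName;
        }
        @Override public String toString() { return keyBindingName + " for " + issuerKeyHash; }
    }

    // Stand-in for the CertificateData table; every lookup counts as one DB round trip.
    static final class CertificateDataStub {
        int queries = 0;
        private final Map<String, String> issuerByKeyBinding;
        CertificateDataStub(Map<String, String> issuerByKeyBinding) {
            this.issuerByKeyBinding = issuerByKeyBinding;
        }
        // Issuer key hash of the certificate bound to a key binding, or null if none.
        String findIssuerKeyHash(String keyBindingName) {
            queries++;
            return issuerByKeyBinding.get(keyBindingName);
        }
    }

    private final Map<String, SigningCacheEntry> cache = new HashMap<>();
    private final List<String> keyBindings;
    private final CertificateDataStub db;
    // Models the proposed property (assumed name): false, the default, returns the
    // default response on a cache miss; true restores the old CertificateData search.
    private final boolean legacyMissingEntryLookup;

    OcspCacheLookupDemo(List<String> keyBindings, CertificateDataStub db,
                        boolean legacyMissingEntryLookup) {
        this.keyBindings = keyBindings;
        this.db = db;
        this.legacyMissingEntryLookup = legacyMissingEntryLookup;
    }

    // Old behaviour: query CertificateData for every key binding until one is found
    // that was issued by the requested CA. For an unknown CA all are queried in vain.
    private SigningCacheEntry findAndAddMissingCacheEntry(String issuerKeyHash) {
        for (String kb : keyBindings) {
            if (issuerKeyHash.equals(db.findIssuerKeyHash(kb))) {
                SigningCacheEntry entry = new SigningCacheEntry(issuerKeyHash, kb);
                cache.put(issuerKeyHash, entry);
                return entry;
            }
        }
        return null;
    }

    // The gated "if" from the ticket: null means "answer with the default response".
    SigningCacheEntry lookup(String issuerKeyHash) {
        SigningCacheEntry entry = cache.get(issuerKeyHash);
        if (entry == null && legacyMissingEntryLookup) {
            entry = findAndAddMissingCacheEntry(issuerKeyHash);
        }
        return entry;
    }

    public static void main(String[] args) {
        // Constructed sample data: 200 internal key bindings spread over five CAs,
        // none of them issued by "unknown-ca".
        List<String> bindings = new ArrayList<>();
        Map<String, String> issuers = new HashMap<>();
        for (int i = 0; i < 200; i++) {
            bindings.add("kb-" + i);
            issuers.put("kb-" + i, "ca-" + (i % 5));
        }

        CertificateDataStub legacyDb = new CertificateDataStub(issuers);
        new OcspCacheLookupDemo(bindings, legacyDb, true).lookup("unknown-ca");
        System.out.println("legacy, unknown CA: " + legacyDb.queries + " CertificateData queries");

        CertificateDataStub gatedDb = new CertificateDataStub(issuers);
        SigningCacheEntry e = new OcspCacheLookupDemo(bindings, gatedDb, false).lookup("unknown-ca");
        System.out.println("gated, unknown CA: " + gatedDb.queries + " queries, entry=" + e
                + " (default response)");

        // A CA already in the cache is served without any query on the second request.
        CertificateDataStub knownDb = new CertificateDataStub(issuers);
        OcspCacheLookupDemo known = new OcspCacheLookupDemo(bindings, knownDb, true);
        known.lookup("ca-3");
        int afterFirst = knownDb.queries;
        known.lookup("ca-3");
        System.out.println("known CA: " + afterFirst + " queries on first lookup, "
                + (knownDb.queries - afterFirst) + " on second");
    }
}
```

      The gated variant never queries CertificateData on a miss, which is the point of the ticket, but it also means a CA added after the last cache load is answered with the default response until the periodic reload governed by ocsp.signingCertsValidTime runs.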

      Previous information, kept for reference
      1. With the following setup: OCSP key binding as a default responder, OCSP queries for an unknown CA (and, of course, an unknown certificate) make several CertificateData queries - see file unknown_ca.txt
      2. When using a local CA, there are far fewer queries - see file local_ca.txt
      3. Repeated several times to see if something got cached, but no significant changes.
      4. To enable debug logging in the WildFly DB connector:



      In order to debug the JDBC statements in your server logs, you need to create a logger element which traces the jboss.jdbc.spy package. You can do it as follows:


      Additionally, if you want to activate tracing of your Connection Pool as well, you can enable the cached-connection-manager attribute which will inform you of every connection opening and closing:



              Amin Khorsandi
              Blanca Morales
              Verified by: Jekaterina Bunina



                  Time Tracking

                  Original Estimate - 3 days
                  Remaining Estimate - 0 minutes
                  Time Spent - 3 days, 2 hours