[cabfpub] Short Lived Certificates
jeremy.rowley at digicert.com
Wed Oct 7 00:15:21 MST 2015
Issuance Date: The date and time the certificate is signed by the Issuing CA.
Short-Lived Certificates: A certificate where the Issuance Date is (i) after the notBefore date but not later than 24 hours after the notBefore date in the Certificate and (ii) earlier than the notAfter date and not earlier than 72 hours before the notAfter date in the Certificate.
4.9.10. On‐line Revocation Checking Requirements
Effective 1 January 2013, the CA SHALL support an OCSP capability using the GET method for Certificates issued in accordance with these Requirements.
For the status of Subscriber Certificates other than a Short-Lived Certificate: The CA SHALL update information provided via an Online Certificate Status Protocol at least every four days. OCSP responses from this service MUST have a maximum expiration time of ten days.
184.108.40.206. Subscriber Certificate
c. authorityInformationAccess With the exception of stapling and Short-Lived Certificates, which is noted below, this extension MUST be present. It MUST NOT be marked critical, and it MUST contain the HTTP URL of the Issuing CA’s OCSP responder (accessMethod = 220.127.116.11.18.104.22.168.1). It SHOULD also contain the HTTP URL of the Issuing CA’s certificate (accessMethod = 22.214.171.124.126.96.36.199.2).
The HTTP URL of the Issuing CA’s OCSP responder MAY be omitted for Short-Lived Certificates o if Subscriber “staples” OCSP responses for the Certificate in its TLS handshakes [RFC4366].
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public