Product Documentation

Discretionary CAs

Dec 21, 2015

A Discretionary CA is created by providing XenMobile with a CA certificate and the associated private key. XenMobile then handles certificate issuance, revocation, and status information internally, according to the parameters you specify. Because XenMobile holds that CA private key, the XenMobile server itself acts as the issuing CA and should be protected accordingly. XenMobile never stores the private keys of the certificates it issues, however, and so does not offer key escrow.

Status information for certificates issued by a discretionary CA

When configuring a Discretionary CA, you have the option to activate OCSP support for that CA. If, and only if, OCSP support is enabled, the CA adds an id-pe-authorityInfoAccess extension (with an id-ad-ocsp access method) to the certificates it issues, pointing clients to XenMobile's internal OCSP Responder located at:

https://[server]/[instance]/ocsp

When configuring the OCSP service, you must specify an OCSP signing certificate for the Discretionary CA in question. You can use the CA certificate itself as the signer, but that means the CA's private key is used online to sign every OCSP response. To avoid that unnecessary exposure (recommended), create a delegated OCSP signing certificate that is issued by the CA and includes an extendedKeyUsage extension containing id-kp-OCSPSigning. Relying parties accept such a delegate only when it is issued directly by the CA whose certificates it answers for (RFC 6960, section 4.2.2.2); a signing certificate from any other CA, or one without that extended key usage, will be rejected by clients.

The XenMobile OCSP Responder service supports Basic OCSP responses (id-pkix-ocsp-basic) and accepts requests whose CertID is hashed with any of the following algorithms:
  • SHA-1
  • SHA-224
  • SHA-256
  • SHA-384
  • SHA-512

Responses are signed with SHA-256 combined with the signing certificate's key algorithm (DSA, RSA or ECDSA). The hash algorithm in the request only identifies the certificate being queried; it does not affect how the response is signed.
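The following is an added example, not Citrix or XenMobile code, that models the three mechanisms described above with the Python `cryptography` package: an issued certificate carrying the id-pe-authorityInfoAccess pointer to the responder, a delegated OCSP signing certificate issued by the CA with id-kp-OCSPSigning, a request built with each hash algorithm in the list, and a Basic OCSP response signed with SHA-256 and the signer's key algorithm (ECDSA here). The responder URL, the certificate names and the throwaway keys are constructed placeholders, and the relying-party check in verify_response is a simplified model of the RFC 6960 signer rules, not XenMobile's implementation. It also runs the failure case a practitioner should expect: a CA-issued certificate without the OCSP signing extended key usage is rejected as a signer.

```python
import datetime
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtendedKeyUsageOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

OCSP_URL = "https://xenmobile.example.test/instance/ocsp"  # assumed value for https://[server]/[instance]/ocsp
NOW = datetime.datetime.now(datetime.timezone.utc)
SUPPORTED_HASHES = (hashes.SHA1, hashes.SHA224, hashes.SHA256, hashes.SHA384, hashes.SHA512)  # the page's list

def issue(cn, pubkey, issuer_cert, issuer_key, *extensions):
    """Issue a one-day certificate for CN=cn (self-signed when issuer_cert is None)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().subject_name(name)
         .issuer_name(issuer_cert.subject if issuer_cert is not None else name)
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(NOW - datetime.timedelta(minutes=5))
         .not_valid_after(NOW + datetime.timedelta(days=1)))
    for ext, critical in extensions:  # (extension, critical) pairs
        b = b.add_extension(ext, critical=critical)
    return b.sign(issuer_key, hashes.SHA256())

# Constructed throwaway PKI. The CA key is what XenMobile holds for a Discretionary CA.
ca_key = ec.generate_private_key(ec.SECP256R1())
ca_cert = issue("Demo Discretionary CA", ca_key.public_key(), None, ca_key,
                (x509.BasicConstraints(ca=True, path_length=None), True))
# Delegated OCSP signer: issued by the CA and marked with id-kp-OCSPSigning.
ocsp_key = ec.generate_private_key(ec.SECP256R1())
ocsp_cert = issue("Demo OCSP Signer", ocsp_key.public_key(), ca_cert, ca_key,
                  (x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), False))
# A CA-issued certificate with no such EKU: must NOT be accepted as a responder.
plain_key = ec.generate_private_key(ec.SECP256R1())
plain_cert = issue("Not An OCSP Signer", plain_key.public_key(), ca_cert, ca_key)
# An issued device certificate whose id-pe-authorityInfoAccess points at the responder.
dev_key = ec.generate_private_key(ec.SECP256R1())
dev_cert = issue("device-0001", dev_key.public_key(), ca_cert, ca_key,
                 (x509.AuthorityInformationAccess([x509.AccessDescription(
                     AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(OCSP_URL))]), False))

def ocsp_urls(cert):
    """OCSP responder URIs a client finds in the certificate's AIA extension ([] if none)."""
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    except x509.ExtensionNotFound:
        return []
    return [d.access_location.value for d in aia if d.access_method == AuthorityInformationAccessOID.OCSP]

def build_request(cert, issuer, algorithm=hashes.SHA256):
    """Client side: an OCSP request whose CertID is hashed with `algorithm`."""
    return ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, algorithm()).build()

def answer(request, cert, issuer, signer_cert, signer_key):
    """Responder side: Basic OCSP response ('good'), signed with SHA-256 plus the signer's
    key algorithm (ECDSA here) and carrying the signer certificate for the client."""
    builder = (ocsp.OCSPResponseBuilder()
               .add_response(cert=cert, issuer=issuer, algorithm=request.hash_algorithm,
                             cert_status=ocsp.OCSPCertStatus.GOOD, this_update=NOW,
                             next_update=NOW + datetime.timedelta(hours=1),
                             revocation_time=None, revocation_reason=None)
               .responder_id(ocsp.OCSPResponderEncoding.NAME, signer_cert)
               .certificates([signer_cert]))
    return builder.sign(signer_key, hashes.SHA256())

def verify_response(response, ca_cert):
    """Relying-party check (simplified model of RFC 6960 4.2.2.2, not XenMobile's code): the
    signer must be the CA itself or a CA-issued cert with id-kp-OCSPSigning. Returns the status."""
    if response.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError("responder status %s" % response.response_status.name)
    candidates = [ca_cert] + list(response.certificates)
    signer = next((c for c in candidates if c.subject == response.responder_name), None)
    if signer is None:
        raise ValueError("responderID matches no known certificate")
    if signer != ca_cert:  # delegate: must chain to the CA and be authorised for OCSP
        ca_cert.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                                    ec.ECDSA(signer.signature_hash_algorithm))
        try:
            eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        except x509.ExtensionNotFound:
            eku = []
        if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
            raise ValueError("delegate signer lacks id-kp-OCSPSigning")
    signer.public_key().verify(response.signature, response.tbs_response_bytes,
                               ec.ECDSA(response.signature_hash_algorithm))
    return response.certificate_status

def demo():
    """Run the exchange once per supported request hash, then the rejected-signer case."""
    results = {"aia": ocsp_urls(dev_cert), "statuses": {}, "rejected": None}
    for algo in SUPPORTED_HASHES:
        resp = answer(build_request(dev_cert, ca_cert, algo), dev_cert, ca_cert, ocsp_cert, ocsp_key)
        results["statuses"][algo.name] = verify_response(resp, ca_cert).name
    resp = answer(build_request(dev_cert, ca_cert), dev_cert, ca_cert, plain_cert, plain_key)
    try:
        verify_response(resp, ca_cert)
    except ValueError as err:
        results["rejected"] = str(err)
    return results

if __name__ == "__main__":
    print(demo())
```

The delegate check deliberately verifies the signer's certificate against the CA key directly rather than building a general chain: per RFC 6960 an OCSP delegate is only trusted for certificates issued by the same CA that issued the delegate, which is exactly the relationship the page asks you to set up when you create the signing certificate under the Discretionary CA.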