ocsp_checks

Description

Every time an OCSP check is made for a revocation candidate (that is, a certificate which is using a known-compromised key), a record is made for that attempt in this table. As you might expect, things can get pretty big.

Revocation status is checked on a per-candidate basis, rather than on a notification basis, to ensure that issuers are doing the right thing and revoking all certificates that use a key which they know to be compromised, even if a notification for that specific certificate was not received. This is in line with CABF BR requirements.

Columns

| Column | Type | Size | Nulls | Auto | Default | Children | Parents | Comments |
|---|---|---|---|---|---|---|---|---|
| id | uuid | 2147483647 | | | null | | | |
| revocation_candidate_id | uuid | 2147483647 | | | null | | revocation_candidates.id ocsp_checks_revocation_candidate_id_fkey R | |
| candidate_not_after | timestamp | 29,6 | | | null | | | Included purely for partitioning support |
| started_at | timestamp | 29,6 | | | null | | | |
| remote_ip_address | inet | 2147483647 | | | null | | | This will be NULL if DNS resolution failed. |
| http_request_issued_at | timestamp | 29,6 | | | null | | | |
| http_response_received_at | timestamp | 29,6 | | | null | | | |
| http_status | int4 | 10 | | | null | | | |
| error | text | 2147483647 | | | null | | | |
| ocsp_response_id | uuid | 2147483647 | | | null | | | This is technically a foreign key, but table partitioning makes enforcing that problematic |
| response_validated | bool | 1 | | | null | | | |
| ocsp_status | int4 | 10 | | | null | | | |
| produced_at_time | timestamp | 29,6 | | | null | | | |
| cert_status | int4 | 10 | | | null | | | |
| this_update_time | timestamp | 29,6 | | | null | | | |
| next_update_time | timestamp | 29,6 | | | null | | | |
| revocation_timestamp | timestamp | 29,6 | | | null | | | |
| revocation_reason | int4 | 10 | | | null | | | |

Indexes

| Constraint Name | Type | Sort | Column(s) |
|---|---|---|---|
| ocsp_checks_id_index | Performance | Asc | id |
| ocsp_checks_revocation_candidate_id_http_request_issued_at_inde | Performance | Asc/Asc | revocation_candidate_id + http_request_issued_at |
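The per-candidate checking described above can be audited with a query like the following, which takes the most recent check attempt for each unexpired revocation candidate and lists those the issuer has not verifiably reported as revoked. This is an added example, not the project's own code; it assumes PostgreSQL and that `cert_status` stores the RFC 6960 CertStatus tag (0 = good, 1 = revoked, 2 = unknown), an encoding this page does not document.

```sql
-- Added example, not the project's own query.
-- Assumption: cert_status holds the RFC 6960 CertStatus tag
--   (0 = good, 1 = revoked, 2 = unknown); the page does not state the encoding.
WITH latest AS (
    -- Most recent attempt per candidate, including attempts that failed
    -- before an HTTP request was sent (e.g. DNS resolution failure).
    SELECT DISTINCT ON (revocation_candidate_id)
           revocation_candidate_id,
           started_at,
           remote_ip_address,
           http_status,
           error,
           response_validated,
           cert_status,
           revocation_timestamp
    FROM   ocsp_checks
    -- Unexpired candidates only; candidate_not_after is the column the
    -- table carries for partitioning support.
    WHERE  candidate_not_after > now()
    ORDER  BY revocation_candidate_id, started_at DESC NULLS LAST
)
SELECT revocation_candidate_id,
       started_at AS last_checked_at,
       CASE
           WHEN error IS NOT NULL              THEN 'check failed'
           WHEN response_validated IS NOT TRUE THEN 'response not validated'
           WHEN cert_status = 0                THEN 'still good'
           WHEN cert_status = 2                THEN 'unknown'
           ELSE 'unclassified'
       END AS finding,
       http_status,
       error
FROM   latest
WHERE  cert_status IS DISTINCT FROM 1       -- latest answer is not "revoked"
   OR  response_validated IS NOT TRUE       -- or the "revoked" answer was not validated
ORDER  BY last_checked_at;
```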
