• United States
Neal Weinberg
Contributing writer, Foundry

CoreStreet RTC X.509

Aug 12, 20042 mins
Access ControlNetworking

* The pros and cons of Real Time Credentials X.509 certificate validation system

What is the point of deploying an enterprise digital certificate infrastructure if you can’t readily check the status of certificates being presented to your network?

That’s the question keeping the Reviewmeister up nights, so we decided to test CoreStreet’s Real Time Credentials (RTC) X.509 certificate validation system.

We found that its unique approach works as advertised, but it may be overkill for most enterprises currently using a certificate infrastructure.

The CoreStreet platform provides certificate status services through a network of distributed OCSP responders, which are lightweight servers that contain no sensitive cryptographic information and can be safely distributed throughout an enterprise for high availability and scalability purposes.

A central RTC Validation Authority (VA) – built upon the Apache Tomcat Web services platform – retrieves the Certificate Revocation List (CRL) and a list of all issued certificates from the underlying Certificate Authority (CA) and uses this information to generate “proofs”, or pre-built OCSP responses.

 Then RTC Responders – light-weight appliances distributed around the network – retrieve these proofs from the VA via HTTP and use them to generate the OCSP responses.

Security applications that process certificates issue OCSP requests. The application then uses the OCSP response to determine the validity of a certificate. Like we said, it works, but it’s sure complicated.

The RTC-VA and each RTC Responder are each managed separately through a Web-based GUI. There is no centralized management capability.

In order to tap into the OCSP services offered by CoreStreet, security devices must support SSL, 802.1x, IP Security or some other certificate-aware protocol such as SMIME, or the digital signature feature of Adobe Acrobat, and be configured to check the status of the certificate.  Not many applications directly support OCSP yet.

Certificate status is updated automatically on a periodic basis configured by the operator in the RTC VA and the RTC Responder. To force immediate change propagation, you have to manually intervene on each component to perform an update.

For the full report, go to