Dhuma: OCSP Without Limits


Dhuma is a customer-hosted (on-premise or cloud) web service implementing an RFC 6960 compliant OCSP server designed to scale to support large enterprises. Using a modern architecture, capable of handling an unlimited number of issuers, all with different certificate status mechanisms, Dhuma is the ideal solution to address your OCSP concerns. With high performance in mind, Dhuma is capable of caching responses and using high speed hardware security modules for signing operations.


Fully compliant with IETF Standards, Dhuma can be provisioned with CRLs manually or via HTTP/HTTPS and LDAP/LDAPS. Dhuma periodically polls specified repositories to obtain CRL updates on a customizable schedule; CRLs are stored in a central database that can be accessed by all Dhuma servers in a cluster. Dhuma is highly configurable, providing administrative control over nonce handling, unknown response generation, cache settings, response validity periods, and CRL polling frequency.

Providing OCSP Services for Multiple CAs Concurrently

Dhuma can provide revocation information for an unlimited number of certificate authorities from a variety of vendors.

Implementing a Large Scale OCSP Solution

Dhuma scales to support unlimited issuers and handle millions of requests.

Customizing your OCSP Deployment

Dhuma, on a per-CA basis, allows you to configure nonce handling, unknown response generation, response cache setting, validity periods, and CRL polling frequency.


  • Produces unlimited responses and is licensed per-user, not per-responder
  • Provides more timely certificate status information
  • May be easily deployed and managed
  • Appropriate for organizations of any size, scaling up to millions of users
  • Uses NIST CMVP-validated FIPS 140-2 cryptography and today’s proven standards, including ANSI X.509 and IETF PKIX, TLS, and S/MIME

Technical Specifications

  • Complies with NIST FIPS 140-2 Level 1 requirements (when used with ISC’s software cryptographic module); a higher level of assurance can be obtained by employing a third party HSM
  • Supports RFC 6960
  • Generates up to 8192-bit RSA and up to 571-bit ECDSA self-signed certificates and PKCS#10 requests
  • Supports SHA-256, SHA-384, and SHA-512
  • Maintains audit trails of all actions

System Requirements

  • Windows Server 2012 R2 or above
  • Windows 7, 8, 8.1, 10, or above
  • CentOS 6.7 (Linux Kernel 2.6) or above (x64)
  • 4GB RAM, 50GB Disk, CPU w/RDRAND instruction
  • Java Runtime Environment 1.8 or higher
  • PostgreSQL, HyperSQL, or Oracle database