SK OCSP Demo environment
To help integration, SK offers OCSP service in demo environment. Similar to production, SK Demo OCSP offers two main endpoints, commercial OCSP (demo.sk.ee/ocsp) and free access Demo OCSP service (aia.demo.sk.ee)
| OCSP URL | CA Certificate Info (CN) | OCSP Signing Certificate | Notes |
|---|---|---|---|
| http://demo.sk.ee/ocsp | TEST of ESTEID2018 | TEST of ESTEID-SK 2018 AIA OCSP RESPONDER YYYYMM | OCSP signing certificate changed since 05.04.2023 |
| http://demo.sk.ee/ocsp | TEST of ESTEID-SK 2015 | TEST of ESTEID-SK 2015 AIA OCSP RESPONDER YYYYMM | OCSP signing certificate changed since 08.08.2023 |
| http://demo.sk.ee/ocsp | TEST of EID-SK 2016 | TEST of EID-SK 2016 AIA OCSP RESPONDER YYYYMM | OCSP signing certificate changed since 08.08.2023 |
| http://demo.sk.ee/ocsp | TEST of NQ-SK 2016 | TEST of NQ-SK 2016 AIA OCSP RESPONDER YYYYMM | OCSP signing certificate changed since 08.08.2023 |
| http://demo.sk.ee/ocsp | TEST of KLASS3-SK 2016 | TEST of KLASS3-SK 2016 AIA OCSP RESPONDER YYYYMM | OCSP signing certificate changed since 03.07.2023 |
| http://demo.sk.ee/ocsp | TEST of SK TSA CA 2023E | TEST of SK TSA CA 2023E OCSP RESPONDER YYYYMM | - |
| http://demo.sk.ee/ocsp | TEST of SK TSA CA 2023R | TEST of SK TSA CA 2023R OCSP RESPONDER YYYYMM | - |
| http://demo.sk.ee/ocsp | TEST of SK ID Solutions ROOT G1E | TEST of ROOT G1E OCSP RESPONDER 23_2024 | - |
| http://demo.sk.ee/ocsp | TEST of SK ID Solutions ROOT G1R | TEST of ROOT G1R OCSP RESPONDER 23_2024 | - |
| AIA URL | CA Certificate Info (CN) | OCSP Signing Certificate | Notes |
|---|---|---|---|
| http://aia.demo.sk.ee/ee-govca2018 | TEST of EE-GovCA2018 | DEMO of GOVCA2018 AIA OCSP RESPONDER 2018 | Status of certificates issued under test root EE-GovCA2018 |
| http://aia.demo.sk.ee/esteid2018 | TEST of ESTEID2018 | DEMO of ESTEID-SK 2018 AIA OCSP RESPONDER 2018 | Status of certificates issued under test ESTEID-SK 2018 (test ID-cards) |
| http://aia.demo.sk.ee/eid2016 | TEST of EID-SK 2016 | DEMO of EID-SK 2016 AIA OCSP RESPONDER 2018 | Status of certificates issued under test EID-SK 2016 (demo Mobile-ID and demo Smart-ID) |
| http://aia.demo.sk.ee/nq2016 | TEST of NQ-SK 2016 | DEMO of NQ-SK 2016 AIA OCSP RESPONDER 2018 | Status of certificates issued under test NQ-SK 2016 (demo non-qualified Smart-ID accounts) |
| http://aia.demo.sk.ee/esteid2015 | TEST of ESTEID-SK 2015 | DEMO of ESTEID-SK 2015 AIA OCSP RESPONDER 2018 | Status of certificates issued under test ESTEID-SK 2015 (demo Mobile-ID and previous generation Gemalto test Gemalto ID-cards) |
| http://aia.demo.sk.ee/klass3-2016 | TEST of KLASS3-SK 2016 | DEMO of KLASS3-SK 2016 SSL OCSP RESPONDER 2018 | Status of certificates issued under test KLASS3-SK 2016 (test eSeal, Auth and Crypto certificates) |
| http://aia.demo.sk.ee/org2021e | TEST of SK ID Solutions ORG 2021E | DEMO of ORG 2021E AIA OCSP RESPONDER 2023 | |
| http://aia.demo.sk.ee/org2021r | TEST of SK ID Solutions ORG 2021R | DEMO of ORG 2021R AIA OCSP RESPONDER 2023 |
PS! For testing certificate status changes using aia.demo.sk.ee/, there is a special interface that enables uploading certificates with an option to set the status. The upload page is available at https://demo.sk.ee/upload_cert/.
[*] AIA/OCSP signing certificate is rotated every month, so the CN field will change monthly.
TEST_of_ESTEID-SK_2015.pem.crt
TEST_of_SK_OCSP_RESPONDER_2011.pem.cer
OCSP example request with saving of the response ("-respout ocsp_response.dat" switch):
openssl ocsp -issuer TEST_of_ESTEID-SK_2015.pem.crt -serial 1 -url http://demo.sk.ee/ocsp -VAfile TEST_of_SK_OCSP_RESPONDER_2011.pem.cer -respout ocsp_response.dat
Serial number field needs a value, or instead of serial ("serial -1" switch), a certificate can be given as input ("-cert file.pem"):
ESTEID-SK_2015.pem.crt -cert TEST_of_ESTEID-SK_2015.pem.crt -url http://demo.sk.ee/ocsp -VAfile TEST_of_SK_OCSP_RESPONDER_2011.pem.cer -respout ocsp_response.dat
A command to parse the content of a binary response:
openssl ocsp -text -respin ocsp_response.dat
There is also a mock service available at http://demo.sk.ee/ocsp_good which always returns the "good" response.