-
Notifications
You must be signed in to change notification settings - Fork 137
Configuring OCSP Publishing
Endi S. Dewata edited this page Feb 16, 2022
·
8 revisions
This page describes the process to configure the CA to publish the CRL to the OCSP responder.
The OCSP publishing configuration is stored in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.
To configure OCSP publisher:
ca.publish.publisher.instance.OCSPPublisher-pki-example-com-8443.enableClientAuth=true ca.publish.publisher.instance.OCSPPublisher-pki-example-com-8443.host=pki.example.com ca.publish.publisher.instance.OCSPPublisher-pki-example-com-8443.nickName=subsystem ca.publish.publisher.instance.OCSPPublisher-pki-example-com-8443.path=/ocsp/agent/ocsp/addCRL ca.publish.publisher.instance.OCSPPublisher-pki-example-com-8443.pluginName=OCSPPublisher ca.publish.publisher.instance.OCSPPublisher-pki-example-com-8443.port=8443
To configure CRL publishing rule:
ca.publish.rule.instance.ocsprule-pki-example-com-8443.enable=true ca.publish.rule.instance.ocsprule-pki-example-com-8443.mapper=NoMap ca.publish.rule.instance.ocsprule-pki-example-com-8443.pluginName=Rule ca.publish.rule.instance.ocsprule-pki-example-com-8443.publisher=OCSPPublisher-pki-example-com-8443 ca.publish.rule.instance.ocsprule-pki-example-com-8443.type=crl
To enable CRL publishing:
ca.publish.enable=true
To simplify testing, the buffer size for revocation checking can be set to 0 so that each certificate revocation will take effect immediately:
auths.revocationChecking.bufferSize=0
Also by default the CRL is only updated at scheduled times. To update the CRL immediately on each certificate revocation:
ca.crl.MasterCRL.alwaysUpdate=true
Finally, restart the server.
To check certificate status:
$ openssl ocsp \
-url http://pki.example.com:8080/ocsp/ee/ocsp \
-CAfile ca_signing.crt \
-issuer ca_signing.crt \
-cert cert.crt \
-text
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7F5FA888F0E54C17B4DC24E9F718F57DB80AF905
Issuer Key Hash: 5774C6359D2E466BE79CAB20F0A6FA52ECF68BFC
Serial Number: 09
Request Extensions:
OCSP Nonce:
04101922CE3A9BB314A20D45AD6F241AEE91
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: O = EXAMPLE, OU = pki-tomcat, CN = OCSP Signing Certificate
Produced At: Feb 16 04:44:18 2022 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7F5FA888F0E54C17B4DC24E9F718F57DB80AF905
Issuer Key Hash: 5774C6359D2E466BE79CAB20F0A6FA52ECF68BFC
Serial Number: 09
Cert Status: revoked
Revocation Time: Feb 16 04:44:15 2022 GMT
This Update: Feb 16 04:44:15 2022 GMT
Response Extensions:
OCSP Nonce:
04101922CE3A9BB314A20D45AD6F241AEE91
Signature Algorithm: sha256WithRSAEncryption
80:0d:5c:cf:85:cd:2e:7e:cd:eb:86:d5:2d:c0:80:ef:7a:02:
e6:c1:2f:d0:5a:f8:b5:19:ad:65:ff:ac:47:df:cb:9e:50:30:
b1:48:da:a9:9f:18:5f:cc:e7:2d:7d:be:d4:24:ab:30:7b:76:
5a:09:55:1b:47:a2:f0:7c:27:69:22:03:95:2b:71:4e:68:35:
3f:75:93:64:fb:32:e6:cd:25:f2:c3:ef:47:c3:8f:6d:4f:49:
92:6e:73:18:f0:f5:e7:3c:46:5d:b3:e9:1d:b6:63:99:c8:f4:
6d:1b:4d:32:52:b8:9d:83:fe:49:26:d8:34:ff:8b:79:db:35:
f6:f4:e5:17:ea:75:a2:68:f2:bf:fc:59:eb:5c:3e:31:fe:1c:
d2:41:64:d9:1c:58:db:8e:ec:39:11:a0:97:8b:d1:93:c3:52:
b5:d3:c8:f2:7b:70:2b:ed:ce:75:93:6c:19:26:e7:13:6e:a0:
f1:e5:64:ef:c5:69:2b:be:0d:9f:22:76:80:7d:f2:bb:0c:30:
9e:d9:5c:b6:4f:a2:57:93:f5:70:b9:a1:53:eb:ec:93:d4:e0:
c1:97:26:b0:e1:a6:7f:ff:64:a5:1c:b6:f4:03:b2:4a:e5:e3:
1b:8b:92:5f:7f:50:16:be:5f:78:ed:48:82:c2:8e:68:f1:86:
80:dc:86:ec
...
cert.crt: revoked
This Update: Feb 16 04:44:15 2022 GMT
Revocation Time: Feb 16 04:44:15 2022 GMT
|
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |