Skip to content

Configuring OCSP Revocation Info Store

Endi S. Dewata edited this page Aug 8, 2022 · 11 revisions

Overview

This page describes the process to configure OCSP responder to get the revocation information from an LDAP server.

To configure CA to publish the revocation information to an LDAP server, see:

Preparing LDAP Server

Ensure the CRL publishing subtree can be accessed anonymously:

$ ldapmodify
    -H ldap://$HOSTNAME:389 \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123
dn: dc=crl,dc=pki,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr!="userPassword || aci")
 (version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)

Verify with the following command:

$ ldapsearch \
    -H ldap://$HOSTNAME:389 \
    -x \
    -b "dc=crl,dc=pki,dc=example,dc=com"

Configuring Revocation Info Store

The revocation info store configuration is stored in /var/lib/pki/pki-tomcat/ocsp/conf/CS.cfg.

To configure the LDAP store:

$ pki-server ocsp-config-set ocsp.store.ldapStore.numConns 1
$ pki-server ocsp-config-set ocsp.store.ldapStore.host0 $HOSTNAME
$ pki-server ocsp-config-set ocsp.store.ldapStore.port0 389
$ pki-server ocsp-config-set ocsp.store.ldapStore.baseDN0 "dc=crl,dc=pki,dc=example,dc=com"
$ pki-server ocsp-config-set ocsp.store.ldapStore.byName true
$ pki-server ocsp-config-set ocsp.store.ldapStore.caCertAttr "cACertificate;binary"
$ pki-server ocsp-config-set ocsp.store.ldapStore.crlAttr "certificateRevocationList;binary"
$ pki-server ocsp-config-set ocsp.store.ldapStore.includeNextUpdate false
$ pki-server ocsp-config-set ocsp.store.ldapStore.notFoundAsGood true

To enable the LDAP store:

$ pki-server ocsp-config-set ocsp.storeId ldapStore

By default the CRL cache will refresh every 24 hours. To simplify testing, the refresh can be configured to happen more frequently, e.g. every 60 seconds:

$ pki-server ocsp-config-set ocsp.store.ldapStore.refreshInSec0 60

Finally, restart the server.

Verification

To check certificate status:

$ openssl ocsp \
    -url http://pki.example.com:8080/ocsp/ee/ocsp \
    -CAfile ca_signing.crt \
    -issuer ca_signing.crt \
    -cert cert.crt \
    -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7F5FA888F0E54C17B4DC24E9F718F57DB80AF905
          Issuer Key Hash: 5774C6359D2E466BE79CAB20F0A6FA52ECF68BFC
          Serial Number: 09
    Request Extensions:
        OCSP Nonce:
            04101922CE3A9BB314A20D45AD6F241AEE91
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: O = EXAMPLE, OU = pki-tomcat, CN = OCSP Signing Certificate
    Produced At: Feb 16 04:44:18 2022 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7F5FA888F0E54C17B4DC24E9F718F57DB80AF905
      Issuer Key Hash: 5774C6359D2E466BE79CAB20F0A6FA52ECF68BFC
      Serial Number: 09
    Cert Status: revoked
    Revocation Time: Feb 16 04:44:15 2022 GMT
    This Update: Feb 16 04:44:15 2022 GMT

    Response Extensions:
        OCSP Nonce:
            04101922CE3A9BB314A20D45AD6F241AEE91
    Signature Algorithm: sha256WithRSAEncryption
         80:0d:5c:cf:85:cd:2e:7e:cd:eb:86:d5:2d:c0:80:ef:7a:02:
         e6:c1:2f:d0:5a:f8:b5:19:ad:65:ff:ac:47:df:cb:9e:50:30:
         b1:48:da:a9:9f:18:5f:cc:e7:2d:7d:be:d4:24:ab:30:7b:76:
         5a:09:55:1b:47:a2:f0:7c:27:69:22:03:95:2b:71:4e:68:35:
         3f:75:93:64:fb:32:e6:cd:25:f2:c3:ef:47:c3:8f:6d:4f:49:
         92:6e:73:18:f0:f5:e7:3c:46:5d:b3:e9:1d:b6:63:99:c8:f4:
         6d:1b:4d:32:52:b8:9d:83:fe:49:26:d8:34:ff:8b:79:db:35:
         f6:f4:e5:17:ea:75:a2:68:f2:bf:fc:59:eb:5c:3e:31:fe:1c:
         d2:41:64:d9:1c:58:db:8e:ec:39:11:a0:97:8b:d1:93:c3:52:
         b5:d3:c8:f2:7b:70:2b:ed:ce:75:93:6c:19:26:e7:13:6e:a0:
         f1:e5:64:ef:c5:69:2b:be:0d:9f:22:76:80:7d:f2:bb:0c:30:
         9e:d9:5c:b6:4f:a2:57:93:f5:70:b9:a1:53:eb:ec:93:d4:e0:
         c1:97:26:b0:e1:a6:7f:ff:64:a5:1c:b6:f4:03:b2:4a:e5:e3:
         1b:8b:92:5f:7f:50:16:be:5f:78:ed:48:82:c2:8e:68:f1:86:
         80:dc:86:ec
...
cert.crt: revoked
	This Update: Feb 16 04:44:15 2022 GMT
	Revocation Time: Feb 16 04:44:15 2022 GMT
Clone this wiki locally