-
Notifications
You must be signed in to change notification settings - Fork 137
Configuring OCSP Revocation Info Store
Endi S. Dewata edited this page Aug 8, 2022
·
11 revisions
This page describes the process to configure OCSP responder to get the revocation information from an LDAP server.
To configure CA to publish the revocation information to an LDAP server, see:
Ensure the CRL publishing subtree can be accessed anonymously:
$ ldapmodify -H ldap://$HOSTNAME:389 \ -x \ -D "cn=Directory Manager" \ -w Secret.123 dn: dc=crl,dc=pki,dc=example,dc=com changetype: modify add: aci aci: (targetattr!="userPassword || aci") (version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
Verify with the following command:
$ ldapsearch \ -H ldap://$HOSTNAME:389 \ -x \ -b "dc=crl,dc=pki,dc=example,dc=com"
The revocation info store configuration is stored in /var/lib/pki/pki-tomcat/ocsp/conf/CS.cfg
.
To configure the LDAP store:
$ pki-server ocsp-config-set ocsp.store.ldapStore.numConns 1 $ pki-server ocsp-config-set ocsp.store.ldapStore.host0 $HOSTNAME $ pki-server ocsp-config-set ocsp.store.ldapStore.port0 389 $ pki-server ocsp-config-set ocsp.store.ldapStore.baseDN0 "dc=crl,dc=pki,dc=example,dc=com" $ pki-server ocsp-config-set ocsp.store.ldapStore.byName true $ pki-server ocsp-config-set ocsp.store.ldapStore.caCertAttr "cACertificate;binary" $ pki-server ocsp-config-set ocsp.store.ldapStore.crlAttr "certificateRevocationList;binary" $ pki-server ocsp-config-set ocsp.store.ldapStore.includeNextUpdate false $ pki-server ocsp-config-set ocsp.store.ldapStore.notFoundAsGood true
To enable the LDAP store:
$ pki-server ocsp-config-set ocsp.storeId ldapStore
By default the CRL cache will refresh every 24 hours. To simplify testing, the refresh can be configured to happen more frequently, e.g. every 60
seconds:
$ pki-server ocsp-config-set ocsp.store.ldapStore.refreshInSec0 60
Finally, restart the server.
To check certificate status:
$ openssl ocsp \ -url http://pki.example.com:8080/ocsp/ee/ocsp \ -CAfile ca_signing.crt \ -issuer ca_signing.crt \ -cert cert.crt \ -text OCSP Request Data: Version: 1 (0x0) Requestor List: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: 7F5FA888F0E54C17B4DC24E9F718F57DB80AF905 Issuer Key Hash: 5774C6359D2E466BE79CAB20F0A6FA52ECF68BFC Serial Number: 09 Request Extensions: OCSP Nonce: 04101922CE3A9BB314A20D45AD6F241AEE91 OCSP Response Data: OCSP Response Status: successful (0x0) Response Type: Basic OCSP Response Version: 1 (0x0) Responder Id: O = EXAMPLE, OU = pki-tomcat, CN = OCSP Signing Certificate Produced At: Feb 16 04:44:18 2022 GMT Responses: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: 7F5FA888F0E54C17B4DC24E9F718F57DB80AF905 Issuer Key Hash: 5774C6359D2E466BE79CAB20F0A6FA52ECF68BFC Serial Number: 09 Cert Status: revoked Revocation Time: Feb 16 04:44:15 2022 GMT This Update: Feb 16 04:44:15 2022 GMT Response Extensions: OCSP Nonce: 04101922CE3A9BB314A20D45AD6F241AEE91 Signature Algorithm: sha256WithRSAEncryption 80:0d:5c:cf:85:cd:2e:7e:cd:eb:86:d5:2d:c0:80:ef:7a:02: e6:c1:2f:d0:5a:f8:b5:19:ad:65:ff:ac:47:df:cb:9e:50:30: b1:48:da:a9:9f:18:5f:cc:e7:2d:7d:be:d4:24:ab:30:7b:76: 5a:09:55:1b:47:a2:f0:7c:27:69:22:03:95:2b:71:4e:68:35: 3f:75:93:64:fb:32:e6:cd:25:f2:c3:ef:47:c3:8f:6d:4f:49: 92:6e:73:18:f0:f5:e7:3c:46:5d:b3:e9:1d:b6:63:99:c8:f4: 6d:1b:4d:32:52:b8:9d:83:fe:49:26:d8:34:ff:8b:79:db:35: f6:f4:e5:17:ea:75:a2:68:f2:bf:fc:59:eb:5c:3e:31:fe:1c: d2:41:64:d9:1c:58:db:8e:ec:39:11:a0:97:8b:d1:93:c3:52: b5:d3:c8:f2:7b:70:2b:ed:ce:75:93:6c:19:26:e7:13:6e:a0: f1:e5:64:ef:c5:69:2b:be:0d:9f:22:76:80:7d:f2:bb:0c:30: 9e:d9:5c:b6:4f:a2:57:93:f5:70:b9:a1:53:eb:ec:93:d4:e0: c1:97:26:b0:e1:a6:7f:ff:64:a5:1c:b6:f4:03:b2:4a:e5:e3: 1b:8b:92:5f:7f:50:16:be:5f:78:ed:48:82:c2:8e:68:f1:86: 80:dc:86:ec ... cert.crt: revoked This Update: Feb 16 04:44:15 2022 GMT Revocation Time: Feb 16 04:44:15 2022 GMT
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |