Skip to content

PKI 10.5 Installing OCSP

Endi S. Dewata edited this page Mar 27, 2024 · 5 revisions

Overview

This document describes the process to install OCSP subsystem. It assumes that CA subsystem is already installed and the CA admin certificate is already exported into /root/.dogtag/pki-tomcat/ca_admin.cert.

Installing OCSP

Prepare a deployment configuration file:

[OCSP]
pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert
[email protected]
pki_admin_name=ocspadmin
pki_admin_nickname=ocspadmin
pki_admin_password=Secret.123
pki_admin_uid=ocspadmin

pki_client_database_password=Secret.123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123

pki_ds_base_dn=dc=ocsp,dc=example,dc=com
pki_ds_database=ocsp
pki_ds_password=Secret.123

pki_clone_pkcs12_password=Secret.123

pki_security_domain_name=EXAMPLE
pki_security_domain_user=caadmin
pki_security_domain_password=Secret.123

pki_token_password=Secret.123

Then execute:

$ pkispawn -f ocsp.cfg -s OCSP

Verification

Validating admin access

$ pki -d ~/.dogtag/pki-tomcat/ca/alias/ -c Secret.123 -n caadmin ocsp-user-find
-----------------
2 entries matched
-----------------
  User ID: ocspadmin
  Full name: ocspadmin

  User ID: CA-pki.example.com-8443
  Full name: CA-pki.example.com-8443
----------------------------
Number of entries returned 2
----------------------------

Validating OCSP client

First, publish the CRL in CA to the LDAP server:

Then run OCSPClient as follows:

$ OCSPClient \
 -d /var/lib/pki/pki-tomcat/conf/alias \
 -h $HOSTNAME \
 -p 8080 \
 -t /ocsp/ee/ocsp \
 -c ca_signing \
 --serial 1
CertID.serialNumber=1
CertStatus=Good

See Also

Clone this wiki locally