Creating and using an OCSP responder for revocation checking

Document ID : KB000042966
Last Modified Date : 09/01/2019



An Online Certificate Status Protocol (OCSP) responder provides real-time verification of the revocation status of an X.509 certificate. Traditionally, a Certificate Revocation List (CRL) was published via HTTP and consumed by any application that needed to validate a certificate. Such a list specifies the serial numbers of the certificates that the applicable Certificate Authority (CA) has revoked. If the application matched the serial number of a presented certificate to an entry on the CRL, the request was handled accordingly. This approach has the limitation of requiring a file to be published and updated by the CA in a regular and timely manner, and it is possible, albeit unlikely, for a revoked certificate to be missed in the interval between updates. Deploying an OCSP responder allows certificates for web services and their consuming clients to be verified more readily and efficiently. The OpenSSL suite provides the tools needed to deploy a simple OCSP responder.


Create a new key and self-signed certificate for the CA
openssl req -new -x509 -extensions v3_ca -keyout ca.key -out ca.pem -days 3650

Create a new key and CSR for the OCSP
openssl req -new -nodes -out ocsp.csr -keyout ocsp.key

Sign the OCSP CSR with the CA key
openssl ca -in ocsp.csr -out /etc/pki/CA/certs/ocsp.pem -keyfile ca.key -cert ca.pem

Note: A responder certificate that is not the CA certificate itself must carry the OCSPSigning extended key usage, otherwise OCSP clients (including openssl ocsp) will reject its responses with a verify failure. Issue the OCSP certificate with an extensions section that sets extendedKeyUsage = OCSPSigning.

Note: The above command may result in the error: unable to open '/etc/pki/CA/index.txt'

To resolve this:
a. Create the index file
openssl ca reads the database from this file; it starts empty.
touch /etc/pki/CA/index.txt
b. Create a serial file to label the CA
openssl ca takes the serial number of the next certificate it issues from this file.
echo '1000' > /etc/pki/CA/serial

Generate a client key and CSR
openssl req -new -nodes -out client.csr -keyout client.key

Sign the client CSR with the CA key
openssl ca -in client.csr -out client.pem -keyfile ca.key -cert ca.pem

Start the OCSP responder
The responder answers from the index.txt database maintained by openssl ca and signs responses with the OCSP certificate and key created above. It runs in the foreground, so start it in a second terminal; -text -out writes each request and response to the log file.
openssl ocsp -index /etc/pki/CA/index.txt -port 9999 -rsigner /etc/pki/CA/certs/ocsp.pem -rkey ocsp.key -CA ca.pem -text -out /tmp/ocsp.log

Validate the client certificate
openssl ocsp -CAfile ca.pem -issuer ca.pem -cert client.pem -url http://localhost:9999 -resp_text

Revoke the original client certificate
openssl ca also keeps a copy of every certificate it issues as /etc/pki/CA/newcerts/<serial>.pem; either that copy or client.pem can be passed to -revoke. Revocation only updates index.txt; older OpenSSL responders read that file once at startup, so restart the responder if it keeps reporting the certificate as good.
openssl ca -revoke client.pem -keyfile ca.key -cert ca.pem

Validate the client certificate after revocation
openssl ocsp -CAfile ca.pem -issuer ca.pem -cert client.pem -url http://localhost:9999 -resp_text

After revocation, the OCSP responder should indicate that the client certificate was revoked.
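The responder started above answers every query from the index.txt database that openssl ca maintains, so understanding that file explains what "good", "revoked" and "unknown" mean in the responses. The script below is an added example, not part of the original document: it builds a constructed index.txt (the serials, dates and subjects are made up) and answers the same status question the responder does for a given serial, including the revocation reason that openssl ca -revoke -crl_reason records after the revocation date. Treating an expired (E) entry as unknown is this script's own choice.

```shell
#!/bin/sh
# Added example: answer OCSP-style status questions from an "openssl ca"
# index.txt, the database an "openssl ocsp -index ..." responder serves from.
#
# Each line of index.txt is tab separated:
#   1 status           V (valid), R (revoked) or E (expired)
#   2 expiry           YYMMDDHHMMSSZ
#   3 revocation date  YYMMDDHHMMSSZ, optionally followed by ",<reason>"; empty unless R
#   4 serial           hexadecimal, upper case, no 0x prefix
#   5 file name        normally the literal string "unknown"
#   6 subject DN

# CONSTRUCTED sample database; the serials, dates and names are made up.
INDEX_FILE="${INDEX_FILE:-$(mktemp)}"
{
    printf 'V\t300101000000Z\t\t1000\tunknown\t/CN=ocsp.example.test\n'
    printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=client.example.test\n'
    printf 'R\t300101000000Z\t190901120000Z,keyCompromise\t1002\tunknown\t/CN=old-client.example.test\n'
    printf 'E\t190101000000Z\t\t1003\tunknown\t/CN=expired.example.test\n'
} > "$INDEX_FILE"

# ocsp_status SERIAL
# Prints "good", "revoked:<reason>" or "unknown" for the given hex serial.
# Serials are stored upper case, so the lookup key is normalised first.
ocsp_status() {
    serial=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    awk -F '\t' -v s="$serial" '
        $4 == s {
            if ($1 == "V") { print "good"; found = 1; exit }
            if ($1 == "R") {
                # revocation column is "<date>" or "<date>,<reason>"
                n = split($3, rev, ",")
                reason = (n > 1) ? rev[2] : "unspecified"
                print "revoked:" reason; found = 1; exit
            }
            # an E entry falls through and is reported as unknown
        }
        END { if (!found) print "unknown" }
    ' "$INDEX_FILE"
}

# revoked_serials
# Lists the serials a CRL built from this database would carry, one per line.
revoked_serials() {
    awk -F '\t' '$1 == "R" { print $4 }' "$INDEX_FILE"
}

# Stand-alone usage: query a few serials, including one not in the database.
for s in 1001 1002 1003 9999; do
    printf '%s: %s\n' "$s" "$(ocsp_status "$s")"
done
printf 'revoked serials: %s\n' "$(revoked_serials | tr '\n' ' ')"
```

Run it with sh; set INDEX_FILE to a real /etc/pki/CA/index.txt to inspect a live database. A serial that is absent from index.txt is reported as unknown rather than good, which is why a responder must always be started against the same database the issuing CA writes to.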
