Configuring OCSP Revocation Info Store - dogtagpki/pki GitHub Wiki
This page describes how to configure the OCSP responder to read revocation information (the CA certificate and its CRL) from an LDAP server.
To configure the CA to publish the revocation information to an LDAP server, see:
Ensure the CRL publishing subtree can be read anonymously. The ldapStore configuration below carries no bind credentials, so the responder fetches the CA certificate and CRL as an anonymous client. The ACI grants anonymous read, search and compare on the subtree while keeping the `userPassword` and `aci` attributes themselves unreadable:

```
$ ldapmodify -H ldap://$HOSTNAME:389 \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123
dn: dc=crl,dc=pki,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr!="userPassword || aci")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
```

Passing the Directory Manager password with `-w` leaves it visible in the process list and shell history; outside a throwaway test setup, use `-W` to be prompted for it instead.
Verify with the following command (it must return the subtree entries without binding):

```
$ ldapsearch \
    -H ldap://$HOSTNAME:389 \
    -x \
    -b "dc=crl,dc=pki,dc=example,dc=com"
```
The revocation info store configuration is stored in /var/lib/pki/pki-tomcat/ocsp/conf/CS.cfg.
To configure the LDAP store (the trailing `0` in `host0`, `port0`, `baseDN0` and `refreshInSec0` indexes the connection; with `numConns` set to 1 only index 0 is used):

```
$ pki-server ocsp-config-set ocsp.store.ldapStore.numConns 1
$ pki-server ocsp-config-set ocsp.store.ldapStore.host0 $HOSTNAME
$ pki-server ocsp-config-set ocsp.store.ldapStore.port0 389
$ pki-server ocsp-config-set ocsp.store.ldapStore.baseDN0 "dc=crl,dc=pki,dc=example,dc=com"
$ pki-server ocsp-config-set ocsp.store.ldapStore.byName true
$ pki-server ocsp-config-set ocsp.store.ldapStore.caCertAttr "cACertificate;binary"
$ pki-server ocsp-config-set ocsp.store.ldapStore.crlAttr "certificateRevocationList;binary"
$ pki-server ocsp-config-set ocsp.store.ldapStore.includeNextUpdate false
$ pki-server ocsp-config-set ocsp.store.ldapStore.notFoundAsGood true
```

Two of these settings decide what clients are told in the edge cases. With `notFoundAsGood` set to `true`, any serial number that is absent from the CRL the responder holds is answered `good`, including certificates whose revocation has not been published yet; set it to `false` if such certificates should be reported as `unknown` instead. With `includeNextUpdate` set to `false`, responses carry no `Next Update` field, so clients cannot tell from the response how long it should be considered current.
To enable the LDAP store:

```
$ pki-server ocsp-config-set ocsp.storeId ldapStore
```
By default the CRL cache is refreshed every 24 hours. To simplify testing, the refresh interval for connection 0 can be shortened, e.g. to 60 seconds:

```
$ pki-server ocsp-config-set ocsp.store.ldapStore.refreshInSec0 60
Finally, restart the server.
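Before restarting, it is worth linting the settings written above, since a mistyped key or a connection index that does not match `numConns` only shows up in the server log later. The following is an added example, not part of the dogtagpki/pki wiki or the `pki-server` tool: a small POSIX sh checker that reads the `ocsp.*` keys out of a CS.cfg-style file, verifies that `ldapStore` is selected and that every connection index below `numConns` has a host, port and base DN, and warns about the `notFoundAsGood` and `includeNextUpdate` choices. The function names and the embedded sample config are constructed for illustration; the sample mirrors the values set on this page with a placeholder hostname.

```shell
#!/bin/sh
# Added example, not dogtagpki/pki code: lint ldapStore settings in an OCSP
# CS.cfg before the restart.
# Usage: check_ldap_store /var/lib/pki/pki-tomcat/ocsp/conf/CS.cfg

# cfg_get FILE KEY: print KEY's value. CS.cfg is key=value, one per line;
# values may themselves contain '=' (e.g. baseDN0), so strip only the
# first "key=" from the matching line.
cfg_get() {
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# check_ldap_store FILE: print ERROR/WARN findings. Returns 0 unless a
# hard error (store not selected, connection settings missing) was found;
# warnings alone do not fail the check.
check_ldap_store() {
    cfg=$1
    rc=0
    store=$(cfg_get "$cfg" ocsp.storeId)
    if [ "$store" != "ldapStore" ]; then
        echo "ERROR: ocsp.storeId is '$store', expected ldapStore"
        rc=1
    fi
    n=$(cfg_get "$cfg" ocsp.store.ldapStore.numConns)
    case $n in
        ''|*[!0-9]*)
            echo "ERROR: ocsp.store.ldapStore.numConns missing or not numeric"
            return 1 ;;
    esac
    # Connection settings are indexed 0 .. numConns-1.
    i=0
    while [ "$i" -lt "$n" ]; do
        for key in host port baseDN; do
            if [ -z "$(cfg_get "$cfg" "ocsp.store.ldapStore.$key$i")" ]; then
                echo "ERROR: ocsp.store.ldapStore.$key$i is not set (numConns=$n)"
                rc=1
            fi
        done
        i=$((i + 1))
    done
    if [ "$(cfg_get "$cfg" ocsp.store.ldapStore.notFoundAsGood)" = "true" ]; then
        echo "WARN: notFoundAsGood=true: serials absent from the CRL are answered 'good'"
    fi
    if [ "$(cfg_get "$cfg" ocsp.store.ldapStore.includeNextUpdate)" != "true" ]; then
        echo "WARN: includeNextUpdate is not true: responses carry no Next Update"
    fi
    return $rc
}

# Constructed sample config mirroring the values set on this page
# (ldap.example.com is a placeholder hostname).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
ocsp.storeId=ldapStore
ocsp.store.ldapStore.numConns=1
ocsp.store.ldapStore.host0=ldap.example.com
ocsp.store.ldapStore.port0=389
ocsp.store.ldapStore.baseDN0=dc=crl,dc=pki,dc=example,dc=com
ocsp.store.ldapStore.byName=true
ocsp.store.ldapStore.caCertAttr=cACertificate;binary
ocsp.store.ldapStore.crlAttr=certificateRevocationList;binary
ocsp.store.ldapStore.includeNextUpdate=false
ocsp.store.ldapStore.notFoundAsGood=true
EOF

# Run against the sample: two WARN lines, exit status 0.
check_ldap_store "$SAMPLE_CFG"
```

Run it on the real file after the `pki-server ocsp-config-set` commands and before `pki-server restart`; a non-zero exit means the store would not come up as intended.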
To check certificate status:

```
$ openssl ocsp \
    -url http://pki.example.com:8080/ocsp/ee/ocsp \
    -CAfile ca_signing.crt \
    -issuer ca_signing.crt \
    -cert cert.crt \
    -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7F5FA888F0E54C17B4DC24E9F718F57DB80AF905
          Issuer Key Hash: 5774C6359D2E466BE79CAB20F0A6FA52ECF68BFC
          Serial Number: 09
    Request Extensions:
        OCSP Nonce:
            04101922CE3A9BB314A20D45AD6F241AEE91
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: O = EXAMPLE, OU = pki-tomcat, CN = OCSP Signing Certificate
    Produced At: Feb 16 04:44:18 2022 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7F5FA888F0E54C17B4DC24E9F718F57DB80AF905
      Issuer Key Hash: 5774C6359D2E466BE79CAB20F0A6FA52ECF68BFC
      Serial Number: 09
    Cert Status: revoked
    Revocation Time: Feb 16 04:44:15 2022 GMT
    This Update: Feb 16 04:44:15 2022 GMT

    Response Extensions:
        OCSP Nonce:
            04101922CE3A9BB314A20D45AD6F241AEE91
    Signature Algorithm: sha256WithRSAEncryption
         80:0d:5c:cf:85:cd:2e:7e:cd:eb:86:d5:2d:c0:80:ef:7a:02:
         e6:c1:2f:d0:5a:f8:b5:19:ad:65:ff:ac:47:df:cb:9e:50:30:
         b1:48:da:a9:9f:18:5f:cc:e7:2d:7d:be:d4:24:ab:30:7b:76:
         5a:09:55:1b:47:a2:f0:7c:27:69:22:03:95:2b:71:4e:68:35:
         3f:75:93:64:fb:32:e6:cd:25:f2:c3:ef:47:c3:8f:6d:4f:49:
         92:6e:73:18:f0:f5:e7:3c:46:5d:b3:e9:1d:b6:63:99:c8:f4:
         6d:1b:4d:32:52:b8:9d:83:fe:49:26:d8:34:ff:8b:79:db:35:
         f6:f4:e5:17:ea:75:a2:68:f2:bf:fc:59:eb:5c:3e:31:fe:1c:
         d2:41:64:d9:1c:58:db:8e:ec:39:11:a0:97:8b:d1:93:c3:52:
         b5:d3:c8:f2:7b:70:2b:ed:ce:75:93:6c:19:26:e7:13:6e:a0:
         f1:e5:64:ef:c5:69:2b:be:0d:9f:22:76:80:7d:f2:bb:0c:30:
         9e:d9:5c:b6:4f:a2:57:93:f5:70:b9:a1:53:eb:ec:93:d4:e0:
         c1:97:26:b0:e1:a6:7f:ff:64:a5:1c:b6:f4:03:b2:4a:e5:e3:
         1b:8b:92:5f:7f:50:16:be:5f:78:ed:48:82:c2:8e:68:f1:86:
         80:dc:86:ec
...
cert.crt: revoked
        This Update: Feb 16 04:44:15 2022 GMT
        Revocation Time: Feb 16 04:44:15 2022 GMT
```

In this output the nonce in the Response Extensions matches the one sent in the Request Extensions, the responder signed with its OCSP Signing Certificate, and there is no Next Update field, as expected with `includeNextUpdate` set to `false`.
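When this check is run from a script or a monitoring job, the interesting parts of the `-text` output are the response status, whether the nonce came back unchanged (a response without the request's nonce could be a replayed older answer), the certificate status, and whether a Next Update is present. The following is an added example, not part of the dogtagpki/pki wiki or of OpenSSL: two POSIX sh functions, one that reduces `openssl ocsp -text` output to `key=value` lines and one that turns those into an exit status, plus a wrapper that runs the same `openssl ocsp` command as above against a live responder. The function names are hypothetical, and the embedded sample is the responder output shown on this page with the signature bytes removed.

```shell
#!/bin/sh
# Added example, not dogtagpki/pki or OpenSSL code: summarise and judge
# `openssl ocsp -text` output.

# ocsp_summary: read -text output on stdin, print key=value lines.
# Request and response each carry an OCSP Nonce, so track which section
# we are in; openssl prints the nonce hex on the line after "OCSP Nonce:".
# The trailer openssl appends ("cert.crt: revoked" plus its own This Update
# and Revocation Time lines) repeats fields we already have, so it is skipped.
ocsp_summary() {
    awk '
        /^[^ \t].*: (good|revoked|unknown)$/ { sect = "trailer" }
        /^OCSP Request Data:/  { sect = "req" }
        /^OCSP Response Data:/ { sect = "resp" }
        /OCSP Response Status:/ { sub(/.*OCSP Response Status: */, ""); print "response_status=" $0 }
        /OCSP Nonce:/ {
            v = $0; sub(/.*OCSP Nonce: */, "", v)
            if (v == "") { getline; v = $1 }
            print "nonce_" sect "=" v
        }
        /Cert Status:/ && sect == "resp"     { sub(/.*Cert Status: */, "");     print "cert_status=" $0 }
        /Revocation Time:/ && sect == "resp" { sub(/.*Revocation Time: */, ""); print "revocation_time=" $0 }
        /This Update:/ && sect == "resp"     { sub(/.*This Update: */, "");     print "this_update=" $0 }
        /Next Update:/ && sect == "resp"     { sub(/.*Next Update: */, "");     print "next_update=" $0 }
    '
}

# ocsp_verdict: read -text output on stdin. Exit status:
#   0 good, 1 revoked or unknown, 2 responder error, 3 nonce missing/mismatch.
ocsp_verdict() {
    summary=$(ocsp_summary)
    get() { printf '%s\n' "$summary" | sed -n "s/^$1=//p" | head -n 1; }
    case $(get response_status) in
        successful*) ;;
        *) echo "responder error: $(get response_status)"; return 2 ;;
    esac
    req=$(get nonce_req)
    resp=$(get nonce_resp)
    if [ -z "$resp" ]; then
        echo "no nonce in response: cannot rule out a replayed answer"; return 3
    fi
    if [ "$req" != "$resp" ]; then
        echo "nonce mismatch: request $req, response $resp"; return 3
    fi
    if [ -z "$(get next_update)" ]; then
        echo "note: response carries no Next Update"
    fi
    case $(get cert_status) in
        good)    return 0 ;;
        revoked) echo "revoked at $(get revocation_time)"; return 1 ;;
        *)       echo "certificate status unknown"; return 1 ;;
    esac
}

# ocsp_check_live URL CA_CERT CERT: query a responder with the same flags
# as the command on this page and apply the verdict (not run here).
ocsp_check_live() {
    openssl ocsp -url "$1" -CAfile "$2" -issuer "$2" -cert "$3" -text 2>&1 | ocsp_verdict
}

# Constructed sample: the responder output shown on this page, trimmed.
sample_ocsp_text() {
cat <<'EOF'
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Serial Number: 09
    Request Extensions:
        OCSP Nonce:
            04101922CE3A9BB314A20D45AD6F241AEE91
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Responder Id: O = EXAMPLE, OU = pki-tomcat, CN = OCSP Signing Certificate
    Produced At: Feb 16 04:44:18 2022 GMT
    Responses:
    Certificate ID:
      Serial Number: 09
    Cert Status: revoked
    Revocation Time: Feb 16 04:44:15 2022 GMT
    This Update: Feb 16 04:44:15 2022 GMT

    Response Extensions:
        OCSP Nonce:
            04101922CE3A9BB314A20D45AD6F241AEE91
    Signature Algorithm: sha256WithRSAEncryption
cert.crt: revoked
        This Update: Feb 16 04:44:15 2022 GMT
        Revocation Time: Feb 16 04:44:15 2022 GMT
EOF
}

# On the sample this prints the Next Update note and "revoked at ..." and
# exits 1.
sample_ocsp_text | ocsp_verdict
```

The nonce comparison is the part worth keeping even if the rest is trimmed: `openssl ocsp` sends a nonce by default, and a response that lacks it, or carries a different one, should not be trusted as a fresh answer for this request.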