Configuring OCSP Revocation Info Store - dogtagpki/pki GitHub Wiki

Overview

This page describes the process to configure OCSP responder to get the revocation information from a CRL database in LDAP.

To configure CA to publish the revocation information to LDAP, see:

Setting up CRL Database in LDAP

See Setting up CRL Database.

Configuring Revocation Info Store

The revocation info store configuration is stored in /var/lib/pki/pki-tomcat/ocsp/conf/CS.cfg.

To configure the LDAP store:

$ pki-server ocsp-config-set ocsp.store.ldapStore.numConns 1
$ pki-server ocsp-config-set ocsp.store.ldapStore.host0 $HOSTNAME
$ pki-server ocsp-config-set ocsp.store.ldapStore.port0 389
$ pki-server ocsp-config-set ocsp.store.ldapStore.baseDN0 "dc=crl,dc=pki,dc=example,dc=com"
$ pki-server ocsp-config-set ocsp.store.ldapStore.byName true
$ pki-server ocsp-config-set ocsp.store.ldapStore.caCertAttr "cACertificate;binary"
$ pki-server ocsp-config-set ocsp.store.ldapStore.crlAttr "certificateRevocationList;binary"
$ pki-server ocsp-config-set ocsp.store.ldapStore.includeNextUpdate false
$ pki-server ocsp-config-set ocsp.store.ldapStore.notFoundAsGood true

To enable the LDAP store:

$ pki-server ocsp-config-set ocsp.storeId ldapStore

By default the CRL cache will refresh every 24 hours. To simplify testing, the refresh can be configured to happen more frequently, e.g. every 60 seconds:

$ pki-server ocsp-config-set ocsp.store.ldapStore.refreshInSec0 60

Finally, restart the server.

Verification

To check certificate status:

$ openssl ocsp \
    -url http://pki.example.com:8080/ocsp/ee/ocsp \
    -CAfile ca_signing.crt \
    -issuer ca_signing.crt \
    -cert cert.crt \
    -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7F5FA888F0E54C17B4DC24E9F718F57DB80AF905
          Issuer Key Hash: 5774C6359D2E466BE79CAB20F0A6FA52ECF68BFC
          Serial Number: 09
    Request Extensions:
        OCSP Nonce:
            04101922CE3A9BB314A20D45AD6F241AEE91
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: O = EXAMPLE, OU = pki-tomcat, CN = OCSP Signing Certificate
    Produced At: Feb 16 04:44:18 2022 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7F5FA888F0E54C17B4DC24E9F718F57DB80AF905
      Issuer Key Hash: 5774C6359D2E466BE79CAB20F0A6FA52ECF68BFC
      Serial Number: 09
    Cert Status: revoked
    Revocation Time: Feb 16 04:44:15 2022 GMT
    This Update: Feb 16 04:44:15 2022 GMT

    Response Extensions:
        OCSP Nonce:
            04101922CE3A9BB314A20D45AD6F241AEE91
    Signature Algorithm: sha256WithRSAEncryption
         80:0d:5c:cf:85:cd:2e:7e:cd:eb:86:d5:2d:c0:80:ef:7a:02:
         e6:c1:2f:d0:5a:f8:b5:19:ad:65:ff:ac:47:df:cb:9e:50:30:
         b1:48:da:a9:9f:18:5f:cc:e7:2d:7d:be:d4:24:ab:30:7b:76:
         5a:09:55:1b:47:a2:f0:7c:27:69:22:03:95:2b:71:4e:68:35:
         3f:75:93:64:fb:32:e6:cd:25:f2:c3:ef:47:c3:8f:6d:4f:49:
         92:6e:73:18:f0:f5:e7:3c:46:5d:b3:e9:1d:b6:63:99:c8:f4:
         6d:1b:4d:32:52:b8:9d:83:fe:49:26:d8:34:ff:8b:79:db:35:
         f6:f4:e5:17:ea:75:a2:68:f2:bf:fc:59:eb:5c:3e:31:fe:1c:
         d2:41:64:d9:1c:58:db:8e:ec:39:11:a0:97:8b:d1:93:c3:52:
         b5:d3:c8:f2:7b:70:2b:ed:ce:75:93:6c:19:26:e7:13:6e:a0:
         f1:e5:64:ef:c5:69:2b:be:0d:9f:22:76:80:7d:f2:bb:0c:30:
         9e:d9:5c:b6:4f:a2:57:93:f5:70:b9:a1:53:eb:ec:93:d4:e0:
         c1:97:26:b0:e1:a6:7f:ff:64:a5:1c:b6:f4:03:b2:4a:e5:e3:
         1b:8b:92:5f:7f:50:16:be:5f:78:ed:48:82:c2:8e:68:f1:86:
         80:dc:86:ec
...
cert.crt: revoked
	This Update: Feb 16 04:44:15 2022 GMT
	Revocation Time: Feb 16 04:44:15 2022 GMT
Tip
 To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis.
⚠️ **GitHub.com Fallback** ⚠️