OCSP_GENERATION Audit Event - dogtagpki/pki GitHub Wiki

Overview

Since version 10.5 an OCSP_GENERATION audit event is generated for each OCSP response generated by the internal OCSP responder in CA subsystem or by the OCSP subsystem.

Examples

Internal OCSP Responder in CA Subsystem

Use OCSPClient to submit an OCSP request to the internal OCSP responder in CA subsystem:

$ OCSPClient \
    -d ~/.dogtag/pki-tomcat/ca/alias \
    -h $HOSTNAME \
    -p 8080 \
    -t /ca/ocsp \
    -c ca_signing \
    --serial 1
CertID.serialNumber=1
CertStatus=Good

The server will generate the following event when the OCSP response generation is complete:

[AuditEvent=OCSP_GENERATION][SubjectID=$NonRoleUser$][Outcome=Success] OCSP resp
onse generation

If the OCSP response generation fails, the server will generate an event with the failure reason:

[AuditEvent=OCSP_GENERATION][SubjectID=$NonRoleUser$][Outcome=Failure][FailureRe
ason=<reason>] OCSP response generation

For example, if the CA internal OCSP responder is disabled, the following event will be generated:

[AuditEvent=OCSP_GENERATION][SubjectID=$NonRoleUser$][Outcome=Failure][FailureRe
ason=OCSP service disabled] OCSP response generation

OCSP Subsystem

Use OCSPClient to submit an OCSP request to OCSP subsystem:

$ OCSPClient \
    -d ~/.dogtag/pki-tomcat/ca/alias \
    -h $HOSTNAME \
    -p 8080 \
    -t /ocsp/ee/ocsp \
    -c ca_signing \
    --serial 1
CertID.serialNumber=1
CertStatus=Good

The server will generate the following event when the OCSP response generation is complete:

[AuditEvent=OCSP_GENERATION][SubjectID=$NonRoleUser$][Outcome=Success] OCSP resp
onse generation

If the OCSP response generation fails, the server will generate an event with the failure reason:

[AuditEvent=OCSP_GENERATION][SubjectID=$NonRoleUser$][Outcome=Failure][FailureRe
ason=<reason>] OCSP response generation

For example, if the CA has not published the CRL, the following event will be generated:

[AuditEvent=OCSP_GENERATION][SubjectID=$NonRoleUser$][Outcome=Failure][FailureRe
ason=Missing CRL data] OCSP response generation

See Also

⚠️ **GitHub.com Fallback** ⚠️