OCSP_GENERATION Audit Event - dogtagpki/pki GitHub Wiki
Since version 10.5 an OCSP_GENERATION audit event is generated for each OCSP response generated by the internal OCSP responder in the CA subsystem or by the OCSP subsystem.
Use OCSPClient to submit an OCSP request to the internal OCSP responder in the CA subsystem:

$ OCSPClient \
    -d ~/.dogtag/pki-tomcat/ca/alias \
    -h $HOSTNAME \
    -p 8080 \
    -t /ca/ocsp \
    -c ca_signing \
    --serial 1
CertID.serialNumber=1
CertStatus=Good
The server will generate the following event when the OCSP response generation is complete:
[AuditEvent=OCSP_GENERATION][SubjectID=$NonRoleUser$][Outcome=Success] OCSP response generation
If the OCSP response generation fails, the server will generate an event with the failure reason:
[AuditEvent=OCSP_GENERATION][SubjectID=$NonRoleUser$][Outcome=Failure][FailureReason=<reason>] OCSP response generation
For example, if the CA internal OCSP responder is disabled, the following event will be generated:
[AuditEvent=OCSP_GENERATION][SubjectID=$NonRoleUser$][Outcome=Failure][FailureReason=OCSP service disabled] OCSP response generation
Use OCSPClient to submit an OCSP request to the OCSP subsystem:

$ OCSPClient \
    -d ~/.dogtag/pki-tomcat/ca/alias \
    -h $HOSTNAME \
    -p 8080 \
    -t /ocsp/ee/ocsp \
    -c ca_signing \
    --serial 1
CertID.serialNumber=1
CertStatus=Good
The server will generate the following event when the OCSP response generation is complete:
[AuditEvent=OCSP_GENERATION][SubjectID=$NonRoleUser$][Outcome=Success] OCSP response generation
If the OCSP response generation fails, the server will generate an event with the failure reason:
[AuditEvent=OCSP_GENERATION][SubjectID=$NonRoleUser$][Outcome=Failure][FailureReason=<reason>] OCSP response generation
For example, if the CA has not published the CRL, the following event will be generated:
[AuditEvent=OCSP_GENERATION][SubjectID=$NonRoleUser$][Outcome=Failure][FailureReason=Missing CRL data] OCSP response generation
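Both the CA-internal responder and the OCSP subsystem emit the same OCSP_GENERATION event shape, so a single monitoring script can cover both. The following is an added example, not code from the Dogtag PKI project: it parses the bracketed `[Name=value]` attributes shown above, counts Success and Failure outcomes, and singles out the two failure reasons the page documents ("OCSP service disabled" and "Missing CRL data") because they indicate a responder that cannot serve any client rather than one bad request. The sample log lines are constructed for the example; the script only assumes that each audit line contains the attribute block starting at `[AuditEvent=` and ignores whatever log prefix precedes it.

```python
import re
from collections import Counter

# One bracketed attribute of a Dogtag audit line, e.g. "[Outcome=Success]".
# Values such as "$NonRoleUser$" or "Missing CRL data" contain no ']' so a
# simple negated class is enough.
_ATTR_RE = re.compile(r"\[([A-Za-z]+)=([^\]]*)\]")

# Failure reasons quoted on the page that mean the responder itself is unusable.
RESPONDER_DOWN_REASONS = ("OCSP service disabled", "Missing CRL data")


def parse_audit_event(line):
    """Return the attributes of an audit line as a dict, or None if it is not one.

    Attributes are read from the first "[AuditEvent=" onward and must be
    contiguous; the text after the last bracket is kept under "Message".
    """
    start = line.find("[AuditEvent=")
    if start < 0:
        return None
    attrs = {}
    pos = start
    for m in _ATTR_RE.finditer(line, start):
        if m.start() != pos:
            break  # attributes are contiguous; anything else is the message
        attrs[m.group(1)] = m.group(2)
        pos = m.end()
    attrs["Message"] = line[pos:].strip()
    return attrs


def summarize_ocsp_generation(lines):
    """Count OCSP_GENERATION outcomes and tally failure reasons over a log sample."""
    summary = {"success": 0, "failure": 0, "reasons": Counter(), "other": 0}
    for line in lines:
        ev = parse_audit_event(line)
        if ev is None or ev.get("AuditEvent") != "OCSP_GENERATION":
            summary["other"] += 1
            continue
        if ev.get("Outcome") == "Success":
            summary["success"] += 1
        else:
            summary["failure"] += 1
            summary["reasons"][ev.get("FailureReason", "<no reason>")] += 1
    return summary


def responder_down_failures(lines, reasons=RESPONDER_DOWN_REASONS):
    """Return the failure reasons that indicate the responder cannot answer anyone.

    A single Failure with one of these reasons is worth an alert: every client
    checking revocation status against this responder is affected.
    """
    hits = []
    for line in lines:
        ev = parse_audit_event(line)
        if (ev is not None
                and ev.get("AuditEvent") == "OCSP_GENERATION"
                and ev.get("Outcome") == "Failure"
                and ev.get("FailureReason") in reasons):
            hits.append(ev["FailureReason"])
    return hits


# Constructed sample: two successful responses, one failure of each documented
# kind, and one unrelated line that carries no audit attributes.
SAMPLE_LOG = [
    "[AuditEvent=OCSP_GENERATION][SubjectID=$NonRoleUser$][Outcome=Success] OCSP response generation",
    "[AuditEvent=OCSP_GENERATION][SubjectID=$NonRoleUser$][Outcome=Success] OCSP response generation",
    "[AuditEvent=OCSP_GENERATION][SubjectID=$NonRoleUser$][Outcome=Failure][FailureReason=Missing CRL data] OCSP response generation",
    "[AuditEvent=OCSP_GENERATION][SubjectID=$NonRoleUser$][Outcome=Failure][FailureReason=OCSP service disabled] OCSP response generation",
    "constructed non-audit line that a log prefix or other output might produce",
]

if __name__ == "__main__":
    print(summarize_ocsp_generation(SAMPLE_LOG))
    print("responder-down failures:", responder_down_failures(SAMPLE_LOG))
```

In production the list of lines would come from the subsystem's audit log file rather than from the constructed sample; the two documented reasons are a starting watch-list, and any new FailureReason value that shows up in the `reasons` counter is worth adding once its cause is understood.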