This article describes how to define a set of lookups in the configuration file for Nexus OCSP Responder.
If a requested certificate can not be found in the certificate cache, you can define a set of lookups. Each lookup will, in the order defined by the lookup sequence number, query a remote LDAP directory, until a match is found.
You must also define an LDAP search filter, using the syntax described in RFC 2254 The String Representation of LDAP Search Filters.
The lookup can be performed in two different ways, depending on how the reference was made in the original data (signed message, certificate, ...).
A certificate may be referred to:
- by its subject DN (certificate issuer name)
OR
- by issuer DN and certificate serial number (PKCS#7 signer info, OCSP)
A lookup will query for the attributes "userCertificate" and "cACertificate".
The lookup configuration is optional.
| Expand |
|---|
|
Directory structureThis is an example of an X.500/LDAP directory structure (EE = End Entity) where certificates are stored: | Code Block |
|---|
c=SE
o=Acme, Inc.
cn=Root CA
<EE certs issued by Root CA>
...
cn=Subordinate CA
<EE certs issued by Subordinate CA>
...
cn=Another Subordinate CA
<EE certs issued by Another Subordinate CA>
...
... |
In the example scenario: - The EE (End Entity) LDAP objects have, at least, the following attributes defined:
- cn
- serialNumber
- userCertificate
- The CA LDAP objects have, at least, the following attributes defined:
Specify the searchA search is specified relative to a base DN. - The base DN regulates the width of the search (for example, search all of c=SE, or search only among the objects below the Root CA).
- To define the depth of the search (just one level down, or the whole subtree) use the LDAP scope, which you define as part of the LDAP URL (see RFC 2255 The LDAP URL Format).
- For subject-related certificate queries (that is, CA certificates), use either the full DN or the commonName (cn) portion of the DN in your filter. For example, this filter will return certificates issued by any of the CAs that have a subject DN matching that of the request:
| Code Block |
|---|
| title | Example: Subject-related certificate query |
|---|
| subjectsearch.searchbase = o=Acme, Inc.,c=SE
subjectsearch.filter = (cn={cn}) |
Filtering- Initial filtering is done by the server as the filter requires a match on the CN component/attribute. In addition, the lookup will verify that the whole subject DN matches.
If instead you want to limit the search to CA certificates only, change the filter like this (where "pkiCA" is the assumed LDAP object class for CA objects): | Code Block |
|---|
| title | CA certificates query |
|---|
| subjectsearch.searchbase = {dn}
subjectsearch.filter = (objectClass=pkiCA) |
For issuer-related certificate queries (that is, CA certificates), use this query ("cn" is the Common Name of the Issuer in this case): | Code Block |
|---|
| title | Issuer-related certificate query |
|---|
| issuerserialsearch.searchbase = cn={cn}, o=Acme, Inc.,c=SE
issuerserialsearch.filter = (serialNumber={serialNumber}) |
Alternatively, use the complete issuer DN: | Code Block |
|---|
issuerserialsearch.searchbase = {issuerName}
issuerserialsearch.filter = (serialNumber={serialNumber}) |
Specify LDAP directoryFor each LDAP directory, specify as follows: | Code Block |
|---|
| title | Specify LDAP directory |
|---|
| ocsp.certs.lookup.<#>.type=ldap
ocsp.certs.lookup.<#>.ldapurl=<URL> |
See this table for description of constants and values: | Constants and Values | Description |
|---|
<#>
| Replace <#> with the lookup sequence number. | ldap
| Enter ldap to indicate that the LDAP protocol shall be used. | <URL>
| Replace <URL> with the URL of the directory. |
|
| Expand |
|---|
| title | Subject, Issuer and Certificate Serial Number search |
|---|
|
Specify as follows to do a search based on - subject,
- issuer and
- certificate serial number:
| Code Block |
|---|
ocsp.certs.lookup.<#>.subjectsearch.searchbase=<baseDN>
ocsp.certs.lookup.<#>.subjectsearch.filter=<LDAP search filters>
ocsp.certs.lookup.<#>.issuerserialsearch.searchbase=<baseDN>
ocsp.certs.lookup.<#>.issuerserialsearch.filter=<LDAP search filters> |
See this table for description of constants and values: | Constants and Values | Description |
|---|
<#>
| Replace <#> with the lookup sequence number. | <BaseDN>
| Replace <baseDN> with the identifier that is used in this directory to establish the searchbase. | <LDAP search filter>
| Replace <LDAP search filters> with a regular expression defining the filter to be used. See "LDAP Search Filters" below. |
|
| Expand |
|---|
|
The LDAP search filters are expressed as a regular expression of the type: | Code Block |
|---|
(<attribute name>={<attributevalue>}) |
The available filters are: {commonName} | {cn} | {dn} |{issuerName} | {serialNumber}
| Enter {commonName} or {cn} to substitute the common name component of the distinguished name in the certificate.
Enter {dn} to substitute the complete distinguished name in the certificate.
Enter {issuerName} to substitute the issuer name in the certificate.
Enter {serialNumber} to substitute the serial number in the certificate. |
| Note |
|---|
{commonName} | {cn} | {dn} return the common name or distinguished name of the subject in Subject searches, and the common name or distinguished name of the issuer in Issuer or Serial number searches.
|
LDAP search filters can also be used in the .searchbase parameter as shown in the example scenario. |
Related information
...
Links
