Versions Compared

Old Version 1

changes.mady.by.user Ann Base

Saved on

compared with

New Version 2

changes.mady.by.user Ann Base

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated for OCSP 6.2.2

This article describes how to configure Nexus OCSP Responder to validate a certificate. This is done in the "Validation" section of the Nexus OCSP Responder configuration file. Certificates can be validated by checking for revocation data locally in a CRL (Certificate Revocation List) or CIL (Certificate Issuance List) cache or by forwarding the request to a remote OCSP responder.

Several validators with different configurations may be used in conjunction. For example: 

Panel
titleExample

If a configuration contains one pull validator and one push validator, then:

  • Revocation information is pulled from a source when Nexus OCSP Responder initializes and then repeatedly at a configured interval. 
    • Nexus OCSP Responder retrieves immediate updates of revocation information from a source that pushes new data

    It is recommended to configure no more than one validator per type (CRL or CIL). A validator can be configured with multiple providers of different types (pull or push).

    Each validator works against a cache, where all the CRLs/CILs that are obtained by the configured providers are placed. The cache is stored in a directory on disk where every new CRL/CIL is saved. The default cache directories are crls for the CRL validator and cils for the CIL validator. At restart, the caches are initialized from these directories. You can manually copy certain CRLs/CILs to the directories before you start Nexus OCSP Responder the first time.

    Step-by-step instruction

    Expand
    titleSpecify validator types
    Specify at least one validator

    A validator can be of type: CRL or CIL.

    1. In the OCSP configuration file, specify as follows:

      Code Block
      ocsp.validation.<v#>.type=[crl|cil]

      See this table for description of constants and values:

      Constants and ValuesDescription
      <v#>Replace <v#> with the validator sequence number.

      crl | cil

      Enter crl to indicate that the validator shall work with the CRL cache.

      Enter cil to indicate that the validator shall work with the CIL cache.



    A CRL/CIL validator works against a CRL/CIL cache, where all the downloaded CRLs/CILs are placed. Every new CRL/CIL is saved to a specified directory. At restart, the CRL/CIL cache is initialized from this directory. You can manually copy certain CRLs/CILs to the directory before you start Nexus OCSP Responder the first time.

    For each validator, specify the directory in the OCSP configuration file as follows:

    Expand
    titleSpecify cache directory for the validators
    Code Block
    ocsp.validation.<v#>.cachedir=<directory>

    See this table for description of constants and values:

    Constants and ValuesDescription<v#>Replace <v#> with the validator sequence number.

    <directory>

    Replace <directory> with the path to the directory that should hold the cache.

    Default: crls | cils

    Note

    cachedir must be unique for each validator.

    Expand
    titleSpecify providers for the validators

    For each validator:

    • Specify at least one provider to keep the CRL cache constantly up-to-date. This can be done by pull or push methods:
      • type=pull - Periodically polling a directory for new CRL versions. Note that pull is not available for CILs.
      • type=push - Waiting for incoming CRLs/CILs, pushed from a CA, for example, Nexus Certificate Manager.

    1. For each provider, specify as follows in the OCSP configuration file:

      Code Block
      ocsp.validation.<v#>.provider.<p#>.type=[pull|push]

      See this table for description of constants and values:

      Constants and ValuesDescription
      <v#>Replace <v#> with the validator sequence number.
      <p#>Replace <p#> with the provider sequence number.

      pull | push

      CRL providers with type=pull are not available for CILs.

    Anchor
    CRLproviderPull
    CRLproviderPull

    Expand
    titleConfigure CRL provider type Pull

    The CA that provides the directory service can supply one or more alternative site(s). If so, you can specify a list of URLs.

    Note

    Specify the LDAP/LDAPS URL(s) for the directory according to RFC 2255 The LDAP URL Format. See also Introduction to LDAP.

    1. For each CRL provider with type=pull, configure how to find the directory. This can be done by the use of either the LDAP/LDAPS protocol or the HTTP/HTTPS protocol. Identify the specifications for each site by a URL sequence number. In the OCSP configuration file, specify as follows:

      Code Block
      ocsp.validation.<v#>.provider.<p#>.url.<u#>=
	[[ldap|ldaps]://<host>[:<port>]/<dn>?
		[certificaterevocationlist|deltacertificaterevocationlist]]|
		[[http|https]://<host>[:<port>]/<path>]


    2. If login is required for a certain provider you must specify the parameters ...username and ...password.

      Code Block
      ocsp.validation.<v#>.provider.<p#>.url.<u#>.username=<user name>
ocsp.validation.<v#>.provider.<p#>.url.<u#>.password=<password>
ocsp.validation.<v#>.provider.<p#>.period=<time expr>
ocsp.validation.<v#>.provider.<p#>.ignoreIDP=[true|false]

      See this table for description of constants and values:

      Constants and ValuesDescription
      <v#>Replace <v#> with the validator sequence number.
      <p#>Replace <p#> with the provider sequence number.
      <u#>Replace <u#> with the URL sequence number.

      ldap | ldaps

      • Enter ldap to indicate that the LDAP protocol shall be used (TLS is not needed).
      • Enter ldaps to indicate that the LDAPS protocol shall be used (TLS is needed).

      <host>[:<port>]

      		Replace <host> with the name of the directory host. Replace <port> with the port number (if if needed).

      <dn>

      Replace <dn> with the distinguished name of the directory entry.

      certificaterevocationlist |
      deltacertificaterevocationlist

      • Enter certificaterevocationlist if the URL provides full CRLs.
      • Enter deltacertificaterevocationlist if the URL provides delta CRLs.

      http | https

      • Enter http to indicate that the HTTP protocol shall be used (TLS is not needed).
      • Enter https to indicate that the HTTPS protocol shall be used (TLS is needed).

      <host>[:<port>]/<path>

      		Replace <host> with the name of the directory host and <path> with the path to use. Replace <port> with the port number (if if needed).

      <user name>

      Replace <user name> with the user name that is required for this directory.

      <password>

      		Replace <password> with the password that is required in combination with <user name> for this directory.

      <time expr>

      Replace <time expr> with a time period expression (short form), specified according to ISO 8601 Representation of dates and times. (see section “Specify OCSP client request” in Back end client section). This value will set the periodicity of updates.

      Default: PT1H

      true | false

      The CRL may contain an Issuing Distribution Point (IDP) extension. IDP marks a CRL as being incomplete, and thus reliable revocation queries cannot be answered from it. If you have out of band information that a CRL with an IDP is indeed complete, you may force Nexus OCSP Responder to accept this CRL.

      • If an IDP extension exists and ignoreIDP is set to true, always accept the CRL.
      • If an IDP extension exists and ignoreIDP is set to false, reject the CRL. In both cases a message will be written to the log file.

      Default: false

      Example:

      Code Block
      ocsp.validation.1.type=crl
ocsp.validation.1.provider.1.type=pull
ocsp.validation.1.provider.1.url.1=
	ldap://directory/cn=Test CA2,
		o=Nexus OCSP Responder,
		c=se?certificaterevocationlist
ocsp.validation.1.provider.1.url.1.username=cn=admin,c=se
ocsp.validation.1.provider.1.url.1.password=****
ocsp.validation.1.provider.1.url.2=http://backuphost.com/testca2.crl
ocsp.validation.1.provider.1.period=P1D


    Anchor
    CRLproviderPush
    CRLproviderPush

    Expand
    titleConfigure CRL/CIL provider type Push

    1. For each provider with type=push, specify as follows in the OCSP configuration file:

      Code Block
      ocsp.validation.<v#>.provider.<p#>.listen.url=<URL>
ocsp.validation.<v#>.provider.<p#>.ignoreIDP=[true|false]
ocsp.validation.<v#>.provider.<p#>.ssl.clientauth=[true|false]
ocsp.validation.<v#>.provider.<p#>.ssl.certificate=<certificate pattern>
ocsp.validation.<v#>.provider.<p#>.ssl.pin=<PIN>
ocsp.validation.<v#>.provider.<p#>.ssl.cipher=<cipher suites>
ocsp.validation.<v#>.provider.<p#>.ssl.protocol=<protocols>

      See this table for description of constants and values:

      Constants and ValuesDescription
      <v#>Replace <v#> with the validator sequence number.
      <p#>Replace <p#> with the provider sequence number.
      <URL>

      Replace <URL> with the URL the provider shall listen to (HTTP or HTTPS only).

      <certificate pattern>

      If HTTPS is used, a key and certificate needs to be specified. See Key management section.

      <PIN>If HTTPS is used, a key and certificate needs to be specified. See Key management section.

      true | false for parameter ..ignoreIDP

      The CRL/CIL may contain an Issuing Distribution Point (IDP) extension. IDP marks a CRL/CIL as being incomplete, and thus reliable revocation queries cannot be answered from it. If you have out of band information that a CRL/CIL with an IDP is indeed complete, you may force Nexus OCSP to accept this CRL/CIL.

      • If an IDP extension exists and ignoreIDP is set to true, always accept the CRL/CIL.
      • If an IDP extension exists and ignoreIDP is set to false, reject the CRL/CIL. In both cases a message will be written to the log file.

      Default: false

      true | false for parameter ..ssl.clientauth

      • If client TLS authentication is required, set this to true (HTTPS only).
      • If client TLS authentication is not required, set this to false.

      Default: false

      <cipher suites> for parameter
      ..ssl.cipher

      A comma separated list of TLS cipher suites that should be enabled.

      If HTTPS is enabled, then limit the number of enabled cipher suites to a subset of the default. If no ciphers are specified all the following default will be enabled:
      TLS_RSA_WITH_AES_256_GCM_SHA384
      TLS_RSA_WITH_AES_128_GCM_SHA256
      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      TLS_AES_256_GCM_SHA384
      TLS_AES_128_GCM_SHA256

      <protocols> for parameter
      ..ssl.protocol

      A comma separated list of TLS protocols that should be enabled.

      If HTTPS is enabled, then limit the number of enabled security protocols to a subset of the default. If no protocols are specified the following default will be enabled:
      TLSv1.3
      TLSv1.2

      Example

    Example
    Expand
    title

    1. :

      Code Block
      ocsp.validation.1.type=
    crl|
    1. cil
ocsp.validation.1.provider.3.type=push
ocsp.validation.1.provider.3.listen.url=http://ocsphost.com:87/



    This article is valid for Nexus OCSP Responder 6.2.2 and later

    Related information

    Links