...

Specify keys

Before performing an operation that requires a key, Nexus OCSP Responder gets the applicable key from the configured key source. Nexus OCSP Responder can use any of the keys available in the configured key stores, as described above in section "Specify key location".

The following types of keys may be required by Nexus OCSP Responder:

For signing responses:

Specify one key per supported issuer per OCSP responder.

For signing requests:

Specify one key to be used by the back end client. If this setting is to be overridden by a forwarding OCSP responder, you have to add a corresponding key.

For TLS server authentication:

Specify one key per interface and port that will be used by an OCSP responder or a CRL / CIL provider with type=push, using the HTTPS protocol.

For TLS client authentication:

Specify one key to be used by the back end client when it authenticates itself to the upstream server over HTTPS. If this setting is to be overridden by a forwarding OCSP responder, you have to add a corresponding key.


  1. When a key is required, a PIN must also be provided. You can specify the PIN value for each key entity in the configuration file (parameter ...pin). For information on how to encrypt the PIN, see Encrypt sensitive configuration parameters.

  2. Specify as follows in the Nexus OCSP Responder configuration file (two parameters per key, sharing the same prefix):

    Code Block
    <prefix>.certificate=<certificate pattern>
    <prefix>.pin=<PIN>

    See this table for a description of constants and values:

    Constants and Values    Description

    <prefix>                Configuration parameter prefix depending on which type of key is being configured. For example, an OCSP response signing key is configured with the responder.<#>.signer prefix, as shown in the OCSP responder section.

    <certificate pattern>   Replace <certificate pattern> with the certificate pattern that selects the key pair. For a description of the syntax, see Introduction to LDAP, heading "LDAP certificate patterns".

    <PIN>                   Replace <PIN> with the PIN for the key pair.



Examples

...


Example: OCSP response signing

Two OCSP responders are specified with the following URLs:

Code Block
responder.1.url=http://ocsphost:90/basic
responder.2.url=http://ocsphost:90/cached

The keys these responders use for signing are specified as follows (one signer.<#> entry per supported issuer, each with issuerdn, certificate and pin):

Code Block
responder.1.signer.1.issuerdn=cn=myCA,c=SE
responder.1.signer.1.certificate=&(issuer=myCA*)(serialNumber=72)
responder.1.signer.1.pin=secretPIN1234
responder.2.signer.1.issuerdn=cn=CA3,c=SE
responder.2.signer.1.certificate=cn=User issued by CA3
responder.2.signer.1.pin=secretPIN1234

Example: Back end client

A back end client is specified with the following ...signature.key parameters:

Code Block
ocsp.client.request.signature.key.certificate=&(cn=myCA*)(keyUsage=DigitalSignature)
ocsp.client.request.signature.key.pin=secretPIN1234

Example: TLS server authentication

Three OCSP responders are specified with the following HTTPS URLs:

Code Block
responder.1.url=https://*:88/secure1
responder.2.url=https://*:88/secure2
responder.3.url=https://ocsphost:89/secure1

The keys these responders use for TLS server authentication are specified as follows (responders 1 and 2 share the same interface and port, so they are given the same key):

Code Block
responder.1.ssl.certificate=&(cn=ocsphost)(Issuer=TLS Trust CA*)
responder.1.ssl.pin=secretPIN1234
responder.2.ssl.certificate=&(cn=ocsphost)(Issuer=TLS Trust CA*)
responder.2.ssl.pin=secretPIN1234
responder.3.ssl.certificate=cn=Nexus OCSP Responder*
responder.3.ssl.pin=secretPIN1234

Example: TLS client authentication

A back end client uses a TLS client certificate with the following parameters:

Code Block
ocsp.client.authentication.key.certificate=(serialNumber=72)
ocsp.client.authentication.key.pin=secretPIN1234
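The key types listed under "Specify keys" and the examples above give a small set of rules that a configuration can be checked against before the responder is started: every responder needs a complete signer.<#> entry (issuerdn, certificate, pin) per issuer, every responder served over HTTPS needs an ssl key, and a back end client key is only usable when both its certificate and pin are set. The script below is an added example written for this page; it is not part of the Nexus product or its documentation. It assumes the configuration is a plain key=value file as shown in the examples, uses only the parameter names this page documents, and checks presence only, since the page does not describe the encrypted PIN format. The sample configuration is constructed from the page's examples with two deliberate mistakes added (responder.4 and responder.5 are made up for that purpose).

```python
"""Sanity-check key settings in a Nexus OCSP Responder configuration file.

Added example, not part of Nexus OCSP Responder or its documentation. Assumes a
plain key=value configuration file and uses only parameter names documented on
this page:
  responder.<#>.url, responder.<#>.signer.<#>.{issuerdn,certificate,pin},
  responder.<#>.ssl.{certificate,pin},
  ocsp.client.request.signature.key.{certificate,pin},
  ocsp.client.authentication.key.{certificate,pin}
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: the page's examples plus two deliberate mistakes
# (responder.4 serves HTTPS without an ssl key; responder.5's signer has no pin).
SAMPLE_CONFIG = """
responder.1.url=http://ocsphost:90/basic
responder.1.signer.1.issuerdn=cn=myCA,c=SE
responder.1.signer.1.certificate=&(issuer=myCA*)(serialNumber=72)
responder.1.signer.1.pin=secretPIN1234
responder.2.url=https://*:88/secure2
responder.2.signer.1.issuerdn=cn=CA3,c=SE
responder.2.signer.1.certificate=cn=User issued by CA3
responder.2.signer.1.pin=secretPIN1234
responder.2.ssl.certificate=&(cn=ocsphost)(Issuer=TLS Trust CA*)
responder.2.ssl.pin=secretPIN1234
responder.4.url=https://ocsphost:89/secure1
responder.4.signer.1.issuerdn=cn=myCA,c=SE
responder.4.signer.1.certificate=&(issuer=myCA*)(serialNumber=72)
responder.4.signer.1.pin=secretPIN1234
responder.5.url=http://ocsphost:90/nopin
responder.5.signer.1.issuerdn=cn=CA3,c=SE
responder.5.signer.1.certificate=cn=User issued by CA3
ocsp.client.request.signature.key.certificate=&(cn=myCA*)(keyUsage=DigitalSignature)
ocsp.client.request.signature.key.pin=secretPIN1234
"""


def parse_properties(text):
    """Parse key=value lines. Splits on the first '=' only, so LDAP patterns
    such as '&(issuer=myCA*)(serialNumber=72)' survive intact in the value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_keys(props):
    """Return a list of findings (strings). An empty list means all checks pass."""
    findings = []
    responders = defaultdict(dict)  # responder index -> {parameter suffix: value}
    for key, value in props.items():
        m = re.match(r"responder\.(\d+)\.(.+)", key)
        if m:
            responders[int(m.group(1))][m.group(2)] = value

    for idx in sorted(responders):
        params = responders[idx]
        prefix = f"responder.{idx}"
        url = params.get("url")
        if url is None:
            findings.append(f"{prefix}: no url configured")
            continue

        # One signing key per supported issuer: issuerdn, certificate and pin.
        signer_ids = set()
        for p in params:
            m = re.match(r"signer\.(\d+)\.", p)
            if m:
                signer_ids.add(int(m.group(1)))
        if not signer_ids:
            findings.append(f"{prefix}: no signer.<#> key configured")
        for sid in sorted(signer_ids):
            for needed in ("issuerdn", "certificate", "pin"):
                if f"signer.{sid}.{needed}" not in params:
                    findings.append(f"{prefix}.signer.{sid}.{needed} is missing")

        # A responder served over HTTPS needs a TLS server key under <prefix>.ssl.
        if urlsplit(url).scheme.lower() == "https":
            for needed in ("certificate", "pin"):
                if f"ssl.{needed}" not in params:
                    findings.append(
                        f"{prefix}.ssl.{needed} is missing although url is {url}")

    # Back end client keys: certificate and pin only make sense together.
    for client_prefix in ("ocsp.client.request.signature.key",
                          "ocsp.client.authentication.key"):
        has_cert = f"{client_prefix}.certificate" in props
        has_pin = f"{client_prefix}.pin" in props
        if has_cert != has_pin:
            findings.append(f"{client_prefix}: certificate and pin must both be set")
    return findings


if __name__ == "__main__":
    for finding in check_keys(parse_properties(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample, the script reports the two ssl parameters missing for responder.4 and the missing pin for responder.5 and nothing else; pointing it at a real configuration file instead of SAMPLE_CONFIG is a matter of reading the file into parse_properties. Because it only checks presence, a plaintext PIN passes; encrypting PINs as described under "Encrypt sensitive configuration parameters" is a separate step this check does not replace.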


...