Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated to new editor and removed expand boxes.

Nexus OCSP Responder can work as a client to remote OCSP responders and send requests for validation of certificates. This article describes how to configure the different methods the client can use to find the URL(s) of the remote OCSP responders. This is done in the "Back end client" section of the Nexus OCSP Responder configuration file. Specify the methods in the order you want them to be used.

The back end client configuration is optional.

Specify methods for the client to find URL

  • In the OCSP configuration file, specify as follows:

    Code Block
    ocsp.client.urlcheck.<m#>=[servicelocator|table|fromcert]

    See this table for description of constants and values:

Constants and Values

Description

<m#>

Replace <m#> with the method sequence number.

servicelocator | table | fromcert

  • The servicelocator method uses the serviceLocator request extension to get the URL of the authoritative responder.

  • The table method uses a table with two columns:

    • the rule to find a certain CA

    • the URL of the corresponding remote OCSP responder.

      For more information, see section "Lookup table" below.

  • The fromcert method searches the certificate in the certificate cache (and in case of no hit and if lookup is specified, in a directory).

The authorityInformationAccess (AIA) certificate extension is used to find the URL. Note that if you use Windows domains, do not include a trailing slash in the AIA attribute.
Default: servicelocator

Lookup table

This section describes the table method. Enumerate the rows in the table and identify all the specifications for a certain row with the sequence number for this row.

  1. In the OCSP configuration file, specify as follows:

    Code Block
    ocsp.client.urlcheck.<m#>.table.<r#>.issuermatch=<attributes>
    ocsp.client.urlcheck.<m#>.table.<r#>.url=<URL>
  2. Systems or applications that rely on OCSP responses, must verify each response according to specified criteria. This is described in section 4.2.2.2 of RFC 6960 X.509 Internet Public Key Infrastructure Online Certificate Status Protocol – OCSP, see https://tools.ietf.org/html/rfc6960

    Optionally, to comply with this section, these criteria can include that the signature certificate in the lookup response only need to match a specified name. This is useful if, for some reason, the response is not signed with a certificate related to the issuer of the queried certificate. This is only applicable if ...client.response.signature.check is true. If you want to include this, add the following:

    Code Block
    ocsp.client.urlcheck.<m#>.table.<r#>.respondername=<trusted resp name>

    See this table for description of constants and values:

Constants and Values

Description

<m#>

Replace <m#> with the method sequence number.

<r#>

Replace <r#> with the row sequence number.

<attributes>

Replace <attributes> with the attributes to use for a match. Wildcards are allowed.

<URL> 

Replace <URL> with the URL to use if this rule matches.

<trusted resp name>

Replace <trusted resp name> with the name of a trusted responder. Wildcards are allowed.

Back end client and TLS

  • If TLS is used and the remote OCSP responder requires client authentication, specify a key for this:

    Code Block
    ocsp.client.authentication.key.certificate=<certificate pattern>
    ocsp.client.authentication.key.pin=<PIN>

    To encrypt the pin, see Encryption of sensitive configuration parameters.

Constants and Values

Description

<certificate pattern>

Replace <certificate pattern> with the certificate pattern to specify the key pair. For a description of the syntax, see heading “LDAP certificate patterns” in Introduction to LDAP.

<PIN>

Replace <PIN> with the PIN for the key pair.

Specify OCSP client request

  • In the OCSP configuration file, specify the OCSP client request as follows:

    Code Block
    ocsp.client.request.usecache=[true|false]
    ocsp.client.request.http.method=[get|post]
    ocsp.client.request.http.timeout=<time expr>
    ocsp.client.request.nonce=[true|false]
    ocsp.client.request.nonce.size=<size>
    ocsp.client.request.signature.key.certificate=<certificate pattern>
    ocsp.client.request.signature.key.pin=<PIN>
    ocsp.client.request.signature.othercerts=[none|byname|bykey]
    ocsp.client.request.signature.chain=[none|cert|chain|allchains]
    ocsp.client.request.signature.chain.includeroot=[true|false]
    ocsp.client.request.freshnessproofs.add=[true|false]

    See this table for description of constants and values:

Constants and Values

Description

true | false for parameter ...usecache

Enter true to check, false not to check the response cache first of all.

Default: false

get | post

Enter get or post to specify the HTTP method to be used when the OCSP client requests a remote responder.

Default: post

<time expr>

Replace <time expr> with a time period expression (short form), specified according to ISO 8601 Representation of dates and times. This is the maximum amount of time the client will wait for response.

  • Example 1: P1Y2M3DT4H5M6S stands for 1 year, 2 months, 3 days, 4 hours, 5 minutes and 6 seconds.

  • Example 2: P1D stands for 1 day.

  • Example 3: PT1H stands for 1 hour.

Note the extra separator ‘T’ before time units shorter than one day.

Default: PT30S

true | false for parameter ...nonce

Enter true to add, false not to add "nonce" to the request. "Nonce" is random data, generated by the client and used to guarantee the freshness of a response and protect against replay attacks.

Default: false

<size>

Replace <size> with the size in bytes of the nonce.

Default: 16

<certificate pattern>

Replace <certificate pattern> with the certificate pattern to specify the key pair. For a description of the syntax, see Section 6.2.3, “ Certificate Pattern ”.

<PIN>

Replace <PIN> with the PIN for the key pair.

none | byname | bykey

The parameter ...othercerts will be ignored if the parameter ...chain is set to "none".

  • Enter none to indicate that the request shall include only the signature certificate.

  • Enter byname to let Nexus OCSP Responder search the certificate cache for other certificates with the same public key as the signature certificate, but only include those in the request, which also have the same subject distinguished name.

  • Enter bykey to let Nexus OCSP Responder search the certificate cache for other certificates with the same public key as the signature certificate and include them in the request.

Default: none

none | cert | chain | allchains

  • Enter none to indicate that no signature certificate(s) shall be appended to the request.

  • Enter cert to indicate that the signature certificate shall be appended to the request. If parameter ...othercerts is set to "byname" or "bykey", all applicable certificates shall be appended.

  • Enter chain to indicate that one chain of certificates, chaining to the trust store, shall be appended to the request. If parameter ...othercerts is set to "byname" or "bykey", one chain for every applicable certificate shall be appended.

  • Enter allchains to indicate that all possible certificate chains shall be appended to the request. If parameter ...othercerts is set to "byname" or "bykey", all valid chains for all applicable certificates shall be appended.

Default: chain

true | false for parameter
...includeroot

The parameter ...signature.chain.includeroot is relevant only when parameter ...signature.chain is set to "chain" or "allchains". Enter true to include, false not to include the root certificate in the chains.

Default: false

true | false for parameter
...freshnessproofs.add

Enter true to query, false not to query the local OCSP response cache for the status of the certificates in the signature chain and to add them to a freshness proof extension in the request, if possible.

Default: false

Specify OCSP client response

  • In the OCSP configuration file, specify the OCSP client response as follows:

    Code Block
    ocsp.client.response.allowunknown=[true|false]
    ocsp.client.response.nonce.check=[true|false]
    ocsp.client.response.signature.check=[true|false]
    ocsp.client.response.signature.allowauthority=[true|false]
    ocsp.client.response.chain.validate=[true|false]
    ocsp.client.response.notolderthan=<time expr>
    ocsp.client.response.freshnessproof.handle=[true|false]

    See this table for description of constants and values:

Constants and Values

Description

true | false for parameter ...allowunknown

Enter true to accept, false not to accept an OCSP response with status "unknown". If this is enabled and the status would be unknown, a "tryLater" response will be created and returned instead of the received response.

Default: false

true | false for parameter
...nonce.check

Enter true to check, false not to check that if a nonce was included in the request, an identical nonce can be found in the response.

Default: true

true | false for parameter
...signature.check

Enter true to check, false not to check the signature certificate. If this is enabled and the signature could not be verified, a "tryLater" response will be created and returned instead of the received response. Disabling this can be a convenient way to always forward requests and their responses if the queried responders are trusted.

Default: true

true | false for parameter ..signature.allowauthority

Enter true to accept an OCSP responder if the response signer was issued by an authority that is found in the certificate chain of the certificate for which status is requested, false if not. This is only applicable if ...signature.check is true.

Default: false

true | false for parameter
...chain.validate

Enter true to make a full validation of the whole chain of signature certificates. Enter false to make no validation. This is only applicable if ...signature.check is true.

Default: true

<time expr>

Replace <time expr> with a time period expression (short form), specified according to ISO 8601 Representation of dates and times (see also information in the Constants and Values table under heading "Specify OCSP Client request)". If the difference between the current time and the producedAt value exceeds this setting, the response will not be used.

Default: No checking

true | false for parameter
...freshnessproof.handle

Enter true to extract, false not to extract the freshness proof extension from the OCSP response if present and add the contents to the OCSP response cache.

Default: false

Example of back end client section

Example of back end client section in the configuration file
Code Block
ocsp.client.urlcheck.1=servicelocator
ocsp.client.urlcheck.2=table
ocsp.client.urlcheck.2.table.1.issuermatch=*
ocsp.client.urlcheck.2.table.1.url=http://ocsphost:90/basic
ocsp.client.request.usecache=true
ocsp.client.response.allowunknown=true

Related information