Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Nexus OCSP Responder can work as a client to remote OCSP responders and send requests for validation of certificates. This article describes how to configure the different methods the client can use to find the URL(s) of the remote OCSP responders. This is done in the "Back end client" section of the Nexus OCSP Responder configuration file. Specify the methods in the order you want them to be used.

The back end client configuration is optional.

 Specify methods for the client to find URL
  1. In the OCSP configuration file, specify as follows:

    ocsp.client.urlcheck.<m#>=[servicelocator|table|fromcert]

    See this table for description of constants and values:

    Constants and ValuesDescription

    <m#>

    Replace <m#> with the method sequence number.

    servicelocator | table | fromcert

    • The servicelocator method uses the serviceLocator request extension to get the URL of the authoritative responder.
    • The table method uses a table with two columns:
      • the rule to find a certain CA
      • the URL of the corresponding remote OCSP responder.

        For more information, see section "Lookup table" below.
    • The fromcert method searches the certificate in the certificate cache (and in case of no hit and if lookup is specified, in a directory).

    The authorityInformationAccess (AIA) certificate extension is used to find the URL. Note that if you use Windows domains, do not include a trailing slash in the AIA attribute.
    Default: servicelocator

 Lookup table

This section describes the table method. Enumerate the rows in the table and identify all the specifications for a certain row with the sequence number for this row.

  1. In the OCSP configuration file, specify as follows:

    ocsp.client.urlcheck.<m#>.table.<r#>.issuermatch=<attributes>
    ocsp.client.urlcheck.<m#>.table.<r#>.url=<URL>
  2. Systems or applications that rely on OCSP responses, must verify each response according to specified criteria. This is described in section 4.2.2.2 of RFC 6960 X.509 Internet Public Key Infrastructure Online Certificate Status Protocol – OCSP, see https://tools.ietf.org/html/rfc6960

    Optionally, to comply with this section, these criteria can include that the signature certificate in the lookup response only need to match a specified name. This is useful if, for some reason, the response is not signed with a certificate related to the issuer of the queried certificate. This is only applicable if ...client.response.signature.check is true. If you want to include this, add the following:

    ocsp.client.urlcheck.<m#>.table.<r#>.respondername=<trusted resp name>

    See this table for description of constants and values:

    Constants and ValuesDescription

    <m#>

    Replace <m#> with the method sequence number.
    <r#>Replace <r#> with the row sequence number.

    <attributes>

    Replace <attributes> with the attributes to use for a match. Wildcards are allowed.

    <URL> Replace <URL> with the URL to use if this rule matches.
    <trusted resp name>

    Replace <trusted resp name> with the name of a trusted responder. Wildcards are allowed.

Example

Example
ocsp.client.urlcheck.1=servicelocator
ocsp.client.urlcheck.2=table
ocsp.client.urlcheck.2.table.1.issuermatch=*,o=Posten Publ. AB,c=SE
ocsp.client.urlcheck.2.table.1.url=http://ocsphost/myProxyForPosten/
ocsp.client.urlcheck.2.table.1.respondername=cn=OCSP
Responder,o=Nexus,c=SE
ocsp.client.urlcheck.2.table.2.issuermatch=*,o=Our Partner,c=UK
ocsp.client.urlcheck.2.table.2.url=http://ocsp.ourpartner.co.uk/
 Back end client and TLS
  1. If TLS is used and the remote OCSP responder requires client authentication, specify a key for this:

    ocsp.client.authentication.key.certificate=<certificate pattern>
    ocsp.client.authentication.key.pin=<PIN>

    To encrypt the pin, see Encryption of sensitive configuration parameters.

    Constants and ValuesDescription

    <certificate pattern>

    Replace <certificate pattern> with the certificate pattern to specify the key pair. For a description of the syntax, see heading “LDAP certificate patterns” in Introduction to LDAP.

    <PIN>Replace <PIN> with the PIN for the key pair.

 Specify OCSP client request
  1. In the OCSP configuration file, specify the OCSP client request as follows:

    ocsp.client.request.usecache=[true|false]
    ocsp.client.request.http.method=[get|post]
    ocsp.client.request.http.timeout=<time expr>
    ocsp.client.request.nonce=[true|false]
    ocsp.client.request.nonce.size=<size>
    ocsp.client.request.signature.key.certificate=<certificate pattern>
    ocsp.client.request.signature.key.pin=<PIN>
    ocsp.client.request.signature.othercerts=[none|byname|bykey]
    ocsp.client.request.signature.chain=[none|cert|chain|allchains]
    ocsp.client.request.signature.chain.includeroot=[true|false]
    ocsp.client.request.freshnessproofs.add=[true|false]

    See this table for description of constants and values:

    Constants and ValuesDescription

    true | false for parameter ...usecache

    Enter true to check, false not to check the response cache first of all.

    Default: false

    get | post

    Enter get or post to specify the HTTP method to be used when the OCSP client requests a remote responder.

    Default: post

    <time expr>

    Replace <time expr> with a time period expression (short form), specified according to ISO 8601 Representation of dates and times. This is the maximum amount of time the client will wait for response.

    • Example 1: P1Y2M3DT4H5M6S stands for 1 year, 2 months, 3 days, 4 hours, 5 minutes and 6 seconds.
    • Example 2: P1D stands for 1 day.
    • Example 3: PT1H stands for 1 hour.

    Note the extra separator ‘T’ before time units shorter than one day.

    Default: PT30S

    true | false for parameter ...nonce

    Enter true to add, false not to add "nonce" to the request. "Nonce" is random data, generated by the client and used to guarantee the freshness of a response and protect against replay attacks.

    Default: false

    <size>

    Replace <size> with the size in bytes of the nonce.

    Default: 16

    <certificate pattern>

    Replace <certificate pattern> with the certificate pattern to specify the key pair. For a description of the syntax, see Section 6.2.3, “ Certificate Pattern ”.

    <PIN>

    Replace <PIN> with the PIN for the key pair.

    none | byname | bykey

    The parameter ...othercerts will be ignored if the parameter ...chain is set to "none".

    • Enter none to indicate that the request shall include only the signature certificate.
    • Enter byname to let Nexus OCSP Responder search the certificate cache for other certificates with the same public key as the signature certificate, but only include those in the request, which also have the same subject distinguished name.
    • Enter bykey to let Nexus OCSP Responder search the certificate cache for other certificates with the same public key as the signature certificate and include them in the request.

    Default: none

    none | cert | chain | allchains

    • Enter none to indicate that no signature certificate(s) shall be appended to the request.
    • Enter cert to indicate that the signature certificate shall be appended to the request. If parameter ...othercerts is set to "byname" or "bykey", all applicable certificates shall be appended.
    • Enter chain to indicate that one chain of certificates, chaining to the trust store, shall be appended to the request. If parameter ...othercerts is set to "byname" or "bykey", one chain for every applicable certificate shall be appended.
    • Enter allchains to indicate that all possible certificate chains shall be appended to the request. If parameter ...othercerts is set to "byname" or "bykey", all valid chains for all applicable certificates shall be appended.

    Default: chain

    true | false for parameter
    ...includeroot

    The parameter ...signature.chain.includeroot is relevant only when parameter ...signature.chain is set to "chain" or "allchains". Enter true to include, false not to include the root certificate in the chains.

    Default: false

    true | false for parameter
    ...freshnessproofs.add

    Enter true to query, false not to query the local OCSP response cache for the status of the certificates in the signature chain and to add them to a freshness proof extension in the request, if possible.

    Default: false

 Specify OCSP client response
  1. In the OCSP configuration file, specify the OCSP client response as follows:

    ocsp.client.response.allowunknown=[true|false]
    ocsp.client.response.nonce.check=[true|false]
    ocsp.client.response.signature.check=[true|false]
    ocsp.client.response.signature.allowauthority=[true|false]
    ocsp.client.response.chain.validate=[true|false]
    ocsp.client.response.notolderthan=<time expr>
    ocsp.client.response.freshnessproof.handle=[true|false]

    See this table for description of constants and values:

    Constants and ValuesDescription

    true | false for parameter ...allowunknown

    Enter true to accept, false not to accept an OCSP response with status "unknown". If this is enabled and the status would be unknown, a "tryLater" response will be created and returned instead of the received response.

    Default: false

    true | false for parameter
    ...nonce.check

    Enter true to check, false not to check that if a nonce was included in the request, an identical nonce can be found in the response.

    Default: true

    true | false for parameter
    ...signature.check

    Enter true to check, false not to check the signature certificate. If this is enabled and the signature could not be verified, a "tryLater" response will be created and returned instead of the received response. Disabling this can be a convenient way to always forward requests and their responses if the queried responders are trusted.

    Default: true

    true | false for parameter ..signature.allowauthority

    Enter true to accept an OCSP responder if the response signer was issued by an authority that is found in the certificate chain of the certificate for which status is requested, false if not. This is only applicable if ...signature.check is true.

    Default: false

    true | false for parameter
    ...chain.validate

    Enter true to make a full validation of the whole chain of signature certificates. Enter false to make no validation. This is only applicable if ...signature.check is true.

    Default: true

    <time expr>

    Replace <time expr> with a time period expression (short form), specified according to ISO 8601 Representation of dates and times (see also information in the Constants and Values table under heading "Specify OCSP Client request)". If the difference between the current time and the producedAt value exceeds this setting, the response will not be used.

    Default: No checking

    true | false for parameter
    ...freshnessproof.handle

    Enter true to extract, false not to extract the freshness proof extension from the OCSP response if present and add the contents to the OCSP response cache.

    Default: false

 Example of back end client section
Example of back end client section in the configuration file
ocsp.client.urlcheck.1=servicelocator
ocsp.client.urlcheck.2=table
ocsp.client.urlcheck.2.table.1.issuermatch=*
ocsp.client.urlcheck.2.table.1.url=http://ocsphost:90/basic
ocsp.client.request.usecache=true
ocsp.client.response.allowunknown=true
  • No labels