- Created by Ann Base (Deactivated) on Jan 30, 2020
You are viewing an old version of this page. View the current version.
Compare with Current View Page History
Version 1 Next »
This article describes a scenario for deployment of Nexus OCSP Responder, when used within an intranet or "test lab" environment.
If you shall set up Nexus OCSP Responder in a production environment, other requirements may apply, for example, the use of Hardware Security Module (HSM).
More example configurations can be found here:
Prerequisites and assumptions
- Nexus OCSP Responder is used in an environment that can be considered secure and easily manageable, for instance within an intranet or "test lab" environment.
Deployment decision:- OCSP can be carried over HTTP (no TLS).
- The OCSP clients do not need to authenticate themselves to the server, neither through client authentication in TLS, nor by signing the requests.
- No auditing or billing is necessary.
- Access and file permissions given by the operating system are considered enough for sensitive data.
Deployment decision:- Security hardware is not necessary to protect the Nexus OCSP Responder's keys; a pin-protected file is enough.
The Nexus OCSP Responder will be used as the local source of revocation information from two external CAs, that are used in the organization's PKI. The CAs periodically publish revocation lists and Nexus OCSP Responder must be configured to download these lists.
The two CAs are:Acme TrustCenter
Publishes a certificate revocation list (CRL) every 6 hours at ldap://directory.acme.com, under the CA object entrycn=CA01,o=Acme TrustCenter,c=SE
, under the LDAP attributecertificaterevocationlist
. Also publishes a delta CRL once every hour to the same location, under the LDAP attributedeltacertificaterevocationlist
.Bank X
Publishes a CRL every 3 hours at http://www.bankx.com/bankx.crl.
Step-by-step instruction
- Prepare the Nexus OCSP Responder keys and certificate.
- In this case, only an OCSP response signing key pair is needed. The corresponding certificate must be issued by a CA, that is trusted by the connecting clients.
The private key and the OCSP signing certificate can be stored in a Hardware Security Module (HSM) or a .p12 file. In this example a .p12 file is used. The certificate must contain the extendedKeyUsage extension (OID 2.5.29.37), including the OCSP-Signing purpose (OID 1.3.6.1.5.5.7.3.9).
Connecting clients will receive a signed OCSP response. The signature will in turn be validated. It is very easy to trigger a dead-lock situation, having clients asking the Nexus OCSP Responder about the status of the responder's own signature certificate. To avoid this situation, it is recommended that the OCSP signature certificate also contains the OCSP NoCheck extension (OID 1.3.6.1.5.5.7.48.1.5). Also, consider the possible security ramifications of adding this extension (revoking this certificate will have no effect).
In this example, the OCSP responder certificate is issued by the local organization's own CA, and contains the following extensions:
keyUsage: digitalSignature
extendedKeyUsage: OCSP-Signing
OCSP-NoCheck: (null)
Collect information about trusted certificates.
Make sure you have the certificates of the external CAs, as well as the CA certificate used to sign the OCSP signing certificate.Install Nexus OCSP Responder on a (dedicated) machine. See Install and upgrade Nexus OCSP Responder.
Install the OCSP signing certificate.
Copy the file containing the OCSP responder private key and certificate locally to the machine where Nexus OCSP Responder is installed.
Point out the location of the file in ocsp.conf.
- Set up the trust store.
Use the certadm tool to add all certificates used for terminating trusted certificate chains.
In this example, those certificates would be:the Acme TrustCenter CA certificate
the Bank X CA certificate
the local root CA certificate
Example:
% cd <ocsp install directory>/bin % certadm new --store=../certs/trust.store % certadm add --store=../certs/trust.store --file=acmeca.crt % certadm add --store=../certs/trust.store --file=bankxca.crt % certadm add --store=../certs/trust.store --file=rootca.crt % certadm list --store=../certs/trust.store (1) cn=CA01,o=Acme TrustCenter,c=SE (2) cn=Customer CA,o=Bank X,c=US (3) cn=Local CA,o=OurCompany,c=SE
- Open the configuration file ocsp.conf for editing.
This file is by default located in the config directory under the installation directory in Linux environments, and under C:\ProgramData\Nexus\ocsp\config in Windows environments. - Specify a validator that works against CRLs. See Validation section.
- Add CRL providers that will periodically pull CRLs to the local CRL cache.
Specify the provider for the Acme TrustCenter CRL. Use the output of the certadm program when entering the LDAP URL, to ensure to get the object entry correct (cut & paste).
ocsp.validation.1.type=crl ocsp.validation.1.provider.1.type=pull ocsp.validation.1.provider.1.url.1=ldap://directory.acme.com/ cn=CA01,o=Acme TrustCenter,c=SE?certificaterevocationlist
Add another provider for the the Acme TrustCenter delta CRL.
ocsp.validation.1.provider.2.type=pull ocsp.validation.1.provider.2.url.1=ldap://directory.acme.com/ cn=CA01,o=Acme TrustCenter,c=SE?deltarevocationlist
Add a provider for the Bank X CRL.
ocsp.validation.1.provider.3.type=pull ocsp.validation.1.provider.3.url.1=http://www.bankx.com/bankx.crl
Use the default settings in this scenario.
- Allow requests to come in from all network interfaces.
- The load on the machine is unknown, but allow a maximum of 10 requests to be processed simultaneously.
- At the same time, it safeguards against flooding the computer CPU usage at times with intense loads.
- Assume that there is no web server or other application that will cause conflicts when using port 80 (the default HTTP port).
Configure the responders:
responder.1.type=basic responder.1.url=http://*:80/ responder.1.workers=10
To configure the responder key, specify a trusted issuer and a responder certificate found in a key store. The certificate is identified by a simple certificate matching pattern; in this case the CN portion of the responder certificate subject DN, as is.
responder.1.signer.1.issuerdn=cn=CA01,o=Acme TrustCenter,c=SE responder.1.signer.1.certificate=cn=Local OCSP Responder responder.1.signer.1.pin=secretPIN1234
Specify where to find this certificate and key. In this example, a PKCS #12 file is used.
key.store.store.1=local-ocsp-responder.p12 key.store.store.1.pin=secretPIN1234
- Use the default settings in this scenario. See Log messages and log filters.
- Start the system.
- Examine the logs for any "critical" or "error" messages.
- To double-check that the CRL providers are downloading CRLs, look in the CRL cache directory (default <ocsp installdir>/crls on Linux, or %ALLUSERSPROFILE%\Nexus\ocsp\crls on Windows).
- Configure all OCSP clients to point their OCSP questions to the HTTP URL specified in the "Configure Nexus OCSP Responder, part 2: Responder" section above.
- The system can be left as-is until it is time to renew the responder certificate.
- No labels