Nexus Documentation
CURL vulnerability information (CVE-2023-38545) - Nexus awareness advisory on Microsoft's update KB5014754

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

This article describes how to define a set of lookups in the configuration file for Nexus OCSP Responder.

If a requested certificate can not be found in the certificate cache, you can define a set of lookups. Each lookup will, in the order defined by the lookup sequence number, query a remote LDAP directory, until a match is found.

You must also define an LDAP search filter, using the syntax described in RFC 2254 The String Representation of LDAP Search Filters.

The lookup can be performed in two different ways, depending on how the reference was made in the original data (signed message, certificate, ...).

A certificate may be referred to:

  • by its subject DN (certificate issuer name)

OR

  • by issuer DN and certificate serial number (PKCS#7 signer info, OCSP)

A lookup will query for the attributes "userCertificate" and "cACertificate".

The lookup configuration is optional.

 Example scenario

Directory structure

This is an example of an X.500/LDAP directory structure (EE = End Entity) where certificates are stored:

c=SE
	o=Acme, Inc.
		cn=Root CA
			<EE certs issued by Root CA>
			...
		cn=Subordinate CA
			<EE certs issued by Subordinate CA>
			...
		cn=Another Subordinate CA
			<EE certs issued by Another Subordinate CA>
			...
			...

In the example scenario:

  • The EE (End Entity) LDAP objects have, at least, the following attributes defined:
    • cn
    • serialNumber
    • userCertificate
  • The CA LDAP objects have, at least, the following attributes defined:
    • cn
    • cACertificate

Specify the search

A search is specified relative to a base DN.

  1. The base DN regulates the width of the search (for example, search all of c=SE, or search only among the objects below the Root CA).
  2. To define the depth of the search (just one level down, or the whole subtree) use the LDAP scope, which you define as part of the LDAP URL (see RFC 2255 The LDAP URL Format).
  3. For subject-related certificate queries (that is, CA certificates), use either the full DN or the commonName (cn) portion of the DN in your filter. For example, this filter will return certificates issued by any of the CAs that have a subject DN matching that of the request:
Example: Subject-related certificate query
subjectsearch.searchbase = o=Acme, Inc.,c=SE
subjectsearch.filter = (cn={cn})

Filtering

  • Initial filtering is done by the server as the filter requires a match on the CN component/attribute. In addition, the lookup will verify that the whole subject DN matches.

  • If instead you want to limit the search to CA certificates only, change the filter like this (where "pkiCA" is the assumed LDAP object class for CA objects):

    CA certificates query
    subjectsearch.searchbase = {dn}
subjectsearch.filter = (objectClass=pkiCA)

  • For issuer-related certificate queries (that is, CA certificates), use this query ("cn" is the Common Name of the Issuer in this case):

    Issuer-related certificate query
    issuerserialsearch.searchbase = cn={cn}, o=Acme, Inc.,c=SE
issuerserialsearch.filter = (serialNumber={serialNumber})

    Alternatively, use the complete issuer DN:

    issuerserialsearch.searchbase = {issuerName} 
issuerserialsearch.filter = (serialNumber={serialNumber})

Specify LDAP directory

For each LDAP directory, specify as follows:

Specify LDAP directory
ocsp.certs.lookup.<#>.type=ldap
ocsp.certs.lookup.<#>.ldapurl=<URL>

See this table for description of constants and values:

Constants and ValuesDescription

<#>

Replace <#> with the lookup sequence number.

ldap

Enter ldap to indicate that the LDAP protocol shall be used.

<URL>

Replace <URL> with the URL of the directory.
 Subject, Issuer and Certificate Serial Number search

Specify as follows to do a search based on

  • subject,
  • issuer and
  • certificate serial number:
ocsp.certs.lookup.<#>.subjectsearch.searchbase=<baseDN>
ocsp.certs.lookup.<#>.subjectsearch.filter=<LDAP search filters>
ocsp.certs.lookup.<#>.issuerserialsearch.searchbase=<baseDN>
ocsp.certs.lookup.<#>.issuerserialsearch.filter=<LDAP search filters>

See this table for description of constants and values:

Constants and ValuesDescription

<#>

Replace <#> with the lookup sequence number.

<BaseDN>

Replace <baseDN> with the identifier that is used in this directory to establish the searchbase.

<LDAP search filter>

Replace <LDAP search filters> with a regular expression defining the filter to be used. See "LDAP Search Filters" below.

 LDAP Search Filters

The LDAP search filters are expressed as a regular expression of the type:

(<attribute name>={<attributevalue>})

The available filters are:

{commonName} | {cn} | {dn} |{issuerName} | {serialNumber}

Enter {commonName} or {cn} to substitute the common name component of the distinguished name in the certificate.
Enter {dn} to substitute the complete distinguished name in the certificate.
Enter {issuerName} to substitute the issuer name in the certificate.
Enter {serialNumber} to substitute the serial number in the certificate.

{commonName} | {cn} | {dn} return the common name or distinguished name of the subject in Subject searches, and the common name or distinguished name of the issuer in Issuer or Serial number searches.

LDAP search filters can also be used in the .searchbase parameter as shown in the example scenario.

Related information

Links

  • No labels

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions