
Configure Nexus OCSP Responder

This article is valid for Nexus OCSP Responder 6.2 and later.

This article and its sub-articles describe how to configure Nexus OCSP Responder. When Nexus OCSP Responder runs, the application reads its files (for example, the configuration file and the trust store) from <configuration root>.

Prerequisites

Open the configuration file

  1. Open the configuration file ocsp.conf for editing:

    1. On Windows, the path to the <configuration root> is chosen during installation and is defined in the string registry key named Arguments in the following Windows registry path:
      HKEY_LOCAL_MACHINE\SOFTWARE\Nexus\Service Parameters\OCSP

    2. On Linux, the path to the <configuration root> is defined in <install root>/bin/nexus-ocsp.conf by the following parameter:
      SERVICEARGUMENTS='-p <configuration root>'

  2. You can manually change the path after the installation by redefining the path parameter to point to a new configuration root directory.

Mandatory settings

In the configuration file, each main configurable entity has its own section. The corresponding parameter names are built up with prefixes associated with the entity.

  • Do the mandatory settings in the OCSP configuration file:

  Configurable Entity | Description                                                                                                                                            | Prefix
  --------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------|----------------
  Trust store         | The trust store is a file containing certificates for all trusted CAs.                                                                                 | ocsp.trust
  Certificate cache   | The certificate cache is a cache directory where "non-trusted" certificates are stored.                                                                | ocsp.certs
  Validation          | A certificate can be validated by checking for revocation data locally in a CRL or CIL cache.                                                          | ocsp.validation
  OCSP responder      | OCSP responders are preconfigured with different semantics. First make your choice between the preconfigurations, then specify the details for each responder. | responder
  Key management      | Keys are specified together with the configuration that uses them. The keys may be located in software tokens and in 3rd party devices.                | key
  System management   | The agent is responsible for the communication with an existing system monitor (when used) and for logging.                                            | agent

Optional settings

  • Do the other settings in the OCSP configuration file (optional).

  Configurable Entity            | Description                                                                                                                                        | Prefix
  -------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------|------------
  Certificate lookup (optional)  | If a required certificate cannot be found in the cache, it may be searched for in specified directories.                                           | ocsp.certs
  Back end client (optional)     | Certificates can be validated by use of external OCSP responders. The OCSP client that sends the requests uses several methods to find the responder URLs. | ocsp.client
  OCSP response cache (optional) | The response cache is a cache where responses from external OCSP responders can be stored.                                                         | ocsp.cache

Configuration

See these articles for configuration of Nexus OCSP Responder:

Descriptions and workflow

The articles gathered under Nexus OCSP Responder descriptions and workflow describe various concepts used within Nexus OCSP Responder and also some useful workflows.

General information

Specify file paths

Full path

You can specify a full path to a file or a directory, such as ocsp.trust.store=C:\Program Files\Nexus\OCSP Responder\certs\trust.store.

Relative path

Alternatively, specify a relative path (default): ocsp.trust.store=certs/trust.store (using "/" as the separator makes the specification OS-independent).

On both Windows and Linux environments, the relative path will start from the <configuration root> directory.

Case sensitivity

  Entity                                                    | Case sensitive
  ----------------------------------------------------------|---------------------------------------------------------------------------
  Configuration parameter names                             | No
  File names                                                | Yes (when appearing as values, that is, on the right hand side of an "=")
  LDAP searchbase and filters                               | Yes (when appearing as values, that is, on the right hand side of an "=")
  Distinguished name patterns used for certificate matching | Yes (when appearing as values, that is, on the right hand side of an "=")
  URLs                                                      | Yes (when appearing as values, that is, on the right hand side of an "=")
  Constants and types                                       | No

Configuration settings to specify

A default setting exists for most configuration parameters, but not for all of them. The following configuration parameters must be specified:

  • Validation Section
    You have to specify at least one validator and set the following parameter: ...type
    For each CRL/CIL validator we recommend that you also specify CRL/CIL provider(s) to keep the CRL/CIL cache constantly up-to-date.

  • OCSP Responder Section
    You have to specify at least one responder and set the following parameters:
    ...type
    ...url
    ...workers
    ...signer.x.issuerdn
    ...signer.x.dn
    ...signer.x.pin
    Authentication, authorization and billing are disabled by default.

  • Key Management Section
    To be able to find keys, you must always specify at least one keystore: key.store.store=....
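The following preflight checker is an added example, not Nexus code. It applies only the conventions stated on this page: parameter names are case-insensitive while values are not, relative path values start from <configuration root> with "/" accepted on both platforms, and the validation, responder and key sections have the settings listed above with no default. The exact parameter names around the page's "..." are assumed to follow <prefix>.<id>.<parameter> (for example responder.main.url), and the values in the constructed sample (crl, standard, the DNs, the URL, the file names) are placeholders.

```python
"""Added example (not Nexus code): parse an ocsp.conf-style file, resolve path
values and report the mandatory settings this page says have no default.
Parameter names around the page's '...' are ASSUMED to be <prefix>.<id>.<parameter>."""
import re
from pathlib import PurePosixPath, PureWindowsPath
from typing import Dict, List

# Constructed sample; every value below is a placeholder, not a real deployment.
SAMPLE_CONF = """\
# comment lines and blank lines are ignored
OCSP.Trust.Store = certs/trust.store
ocsp.validation.1.type = crl
responder.main.type = standard
responder.main.url = http://localhost:8080/ocsp
responder.main.workers = 4
responder.main.signer.1.issuerdn = CN=Example Issuing CA,O=Example
responder.main.signer.1.dn = CN=OCSP Signer,O=Example
responder.main.signer.1.pin.encrypted = 1234
key.store.store = keys/softtoken.p12
"""

SIGNER_RE = re.compile(r"responder\.([^.]+)\.signer\.([^.]+)\.(issuerdn|dn|pin|pin\.encrypted)")


def parse_conf(text: str) -> Dict[str, str]:
    """Names are case-insensitive, so they are stored lower-cased; values (file names,
    DNs, URLs, LDAP filters) are case-sensitive and kept exactly as written."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip().lower()] = value.strip()
    return params


def resolve_path(value: str, config_root: str, windows: bool) -> str:
    """A full path is used as given; a relative path starts from <configuration root>.
    Forward slashes in a relative value work on both Windows and Linux."""
    if PureWindowsPath(value).is_absolute() or PurePosixPath(value).is_absolute():
        return value
    parts = [p for p in value.replace("\\", "/").split("/") if p]
    cls = PureWindowsPath if windows else PurePosixPath
    return str(cls(config_root, *parts))


def check_mandatory(params: Dict[str, str]) -> List[str]:
    """Return one message per missing mandatory setting (empty list = all present)."""
    problems: List[str] = []
    if not any(re.fullmatch(r"ocsp\.validation\.[^.]+\.type", n) for n in params):
        problems.append("validation: no validator with ...type")
    responders = []
    for n in params:
        m = re.fullmatch(r"responder\.([^.]+)\.type", n)
        if m:
            responders.append(m.group(1))
    if not responders:
        problems.append("responder: no responder with ...type")
    for r in sorted(responders):
        for p in ("url", "workers"):
            if f"responder.{r}.{p}" not in params:
                problems.append(f"responder.{r}: missing ...{p}")
        signers: Dict[str, set] = {}
        for n in params:
            m = SIGNER_RE.fullmatch(n)
            if m and m.group(1) == r:
                # pin may be given as ...pin or, once scrambled, as ...pin.encrypted
                field = "pin" if m.group(3).startswith("pin") else m.group(3)
                signers.setdefault(m.group(2), set()).add(field)
        if not signers:
            problems.append(f"responder.{r}: no signer configured")
        for s, have in sorted(signers.items()):
            for p in ("issuerdn", "dn", "pin"):
                if p not in have:
                    problems.append(f"responder.{r}: missing ...signer.{s}.{p}")
    if "key.store.store" not in params:
        problems.append("key: key.store.store not set")
    return problems


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print(resolve_path(conf["ocsp.trust.store"], r"C:\Program Files\Nexus\OCSP Responder", windows=True))
    print(check_mandatory(conf) or "all mandatory settings present")
```

Run the checker against the file before restarting the service; a non-empty list means the responder will start without a setting the page marks as required.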

After updates

When you have done configuration updates, restart Nexus OCSP Responder.

Encryption of sensitive configuration parameters

To scramble any configuration parameter in the configuration file, add the keyword encrypted to the parameter definition in the configuration. The next time the application starts, it scans the configuration file for unscrambled values and scrambles them. The updated configuration file is saved to disk.

For example: *.pin = 1234 is considered to be sensitive and should therefore be scrambled.

  1. To scramble the parameter, replace the parameter with *.pin.encrypted = 1234.

  2. The server will find the unscrambled value and scramble it.

  3. In the resulting configuration file the parameter is rewritten to *.pin.encrypted = encrypted:MCa12== for example.
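The rewrite step described above, as an added example that is not part of the original page or the product's code: it scans a configuration text for parameters carrying the encrypted keyword, scrambles the ones still in clear text, leaves already-scrambled values alone (so a second run changes nothing), and separately audits the file for pins that are still readable. The product's actual scrambling routine is not documented on this page, so a clearly labelled placeholder stands in for it; the parameter names in the constructed sample are assumed.

```python
"""Added example (not Nexus code): the scramble-on-start workflow plus an audit for
sensitive values still stored in clear text. The real scrambling routine is not
described on this page; placeholder_scramble only stands in for it."""
import base64
import re
from typing import Callable, List, Tuple

# name = value, with optional indentation; comment lines do not match
LINE_RE = re.compile(r"^(\s*)([^#=\s][^=]*?)(\s*=\s*)(.*)$")
SCRAMBLED_PREFIX = "encrypted:"

# Constructed sample; the parameter names are assumed, not taken from a product file.
SAMPLE_CONF = """\
responder.main.signer.1.pin.encrypted = 1234
responder.main.signer.2.pin = 5678
responder.backup.signer.1.pin.encrypted = encrypted:MCa12==
"""


def placeholder_scramble(value: str) -> str:
    # PLACEHOLDER: base64 is an encoding, not encryption. It only makes the
    # workflow runnable; the product's own routine replaces it in practice.
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def scramble_config(text: str,
                    scramble: Callable[[str], str] = placeholder_scramble) -> Tuple[str, List[str]]:
    """Rewrite '<name>.encrypted = <clear>' to '<name>.encrypted = encrypted:<scrambled>'.
    Values already carrying the encrypted: marker are left untouched, so the
    operation is idempotent. Returns the new text and the names that were rewritten."""
    out: List[str] = []
    changed: List[str] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            indent, name, sep, value = m.groups()
            value = value.strip()
            # names are case-insensitive, so compare the lower-cased form
            if name.lower().endswith(".encrypted") and not value.startswith(SCRAMBLED_PREFIX):
                line = f"{indent}{name}{sep}{SCRAMBLED_PREFIX}{scramble(value)}"
                changed.append(name)
        out.append(line)
    return "\n".join(out) + "\n", changed


def unprotected_secrets(text: str) -> List[str]:
    """Audit: names whose pin is still readable, either a *.pin without the encrypted
    keyword or a *.encrypted parameter that has not been scrambled yet."""
    findings: List[str] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name, value = m.group(2), m.group(4).strip()
        lname = name.lower()
        if lname.endswith(".pin"):
            findings.append(name)
        elif lname.endswith(".encrypted") and not value.startswith(SCRAMBLED_PREFIX):
            findings.append(name)
    return findings


if __name__ == "__main__":
    print("before restart, readable secrets:", unprotected_secrets(SAMPLE_CONF))
    rewritten, names = scramble_config(SAMPLE_CONF)
    print("scrambled:", names)
    print("after restart, readable secrets:", unprotected_secrets(rewritten))
```

The audit is the useful part for an operator: after the restart, anything it still lists is a pin that was written without the encrypted keyword and therefore never scrambled.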

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.