Workflow for Nexus OCSP Responders
This article includes updates for Nexus OCSP Responder 6.3.0.
This article describes different workflows for Nexus OCSP Responder. The descriptions refer to the illustration in Nexus OCSP Responder architecture overview.
The expression"authenticating a certificate", used in this article, means subjecting a certificate to the validation process described in Validation process. If the certificate passes the validation process, the certificate is authenticated.
Workflow for responders of type basic, non-issued basic or identrus-basic
An OCSP client sends an OCSP request to a Nexus OCSP Responder configured as "basic" or "identrus-basic".
The following steps takes place:
Client TLS certificate authentication
If TLS is used and client authentication is turned on, the client's TLS certificate is authenticated as part of the initial TLS handshake.
If the certificate is not authenticated, Nexus OCSP Responder closes down the connection.
OCSP request signature
If Nexus OCSP Responder is configured to require signed requests, the following steps are performed:If the OCSP request does not have a signature, the request is rejected.
The certificate chain from the signature in the OCSP request is added to the certificate cache.
The certificate cache will be checked for candidates using the request
RequestorID
as lookup key.The signature on the OCSP request is verified against the public key in the signature certificate(s).
The signature certificate(s) is authenticated. It is enough if one of the signature certificates passes authentication.
Authorization
If authorization is enabled:If authorization check is set to
byauthentication
, authorization is granted provided that either steps 1 or 2 above have resulted in an authenticated certificate.If authorization check is set to
byname
, authorization is granted provided that the subject of one of the authenticated certificates from step 1 and/or 2 matches the name match table.
OCSP forwarding
If forwarding is enabled, the back end client is used to forward the OCSP request as is to a remote OCSP responder. If the back end client retrieves an OCSP response, continue with step 7, Billing.Local validation
For each single request in the OCSP request, query the revocation validation module(s) for revocation information about the certificate identified in the single request.Sign the OCSP response
Billing
If billing is enabled, the appropriate logging takes place.Send the OCSP response
Workflow for responders of type cached, non-issued cached or identrus-cached
Prerequisites: The OCSP Response cache must be enabled and properly configured to cache responses for the certificate issuers that you want caching functionality for.
A client sends an OCSP request to a Nexus OCSP Responder configured as "cached" or "identrus-cached".
The following steps takes place:
Client TLS certificate authentication
If TLS is used and client authentication is turned on, the client's TLS certificate is authenticated as part of the initial TLS handshake.
If the certificate is not authenticated, Nexus OCSP Responder closes down the connection.
Extract freshness proofs (type= identrus-cached only)
If the request contains a freshness proof extension, OCSP responses are extracted and added to the OCSP response cache, so that they are available when/if authenticating the signature certificate.OCSP request signature
If Nexus OCSP Responder is configured to require signed requests, the following steps are performed:If the OCSP request does not have a signature, the request is rejected.
The certificate chain from the signature in the OCSP request is added to the certificate cache.
The certificate cache will be checked for candidates using the request
RequestorID
as lookup key.The signature on the OCSP request is verified against the public key in the signature certificate(s).
The signature certificate(s) is authenticated. It is enough if one of the signature certificates passes authentication.
Authorization
If authorization is enabled:If authorization check is set to
byauthentication
, authorization is granted provided that either steps 1 or 2 above have resulted in an authenticated certificate.If authorization check is set to
byname
, authorization is granted provided that the subject of one of the authenticated certificates from step 1 and/or 2 matches the name match table.
OCSP Response cache
A cached OCSP response may be retrieved from the OCSP response cache at this stage, provided that the OCSP request contains no nonce and one single request. If an OCSP response is retrieved from the response cache, continue with step 9, Billing.OCSP forwarding
If forwarding is enabled, the back end client is used to forward the OCSP request as is to a remote OCSP responder. If the back end client retrieves an OCSP response, continue with step 7, Billing.Local validation
For each single request in the OCSP request:Check the response cache for an existing. If not found, continue with b.
Query the revocation validation module(s), as described in the previous section.
Sign the OCSP response
For type=identrus-cached, possibly add freshness proofs for the certificates in the signature chain before signing.Billing
If billing is enabled, the appropriate logging takes place.Send the OCSP response
Workflow for responders of type fallback
This responder type requires that Certificate Manager (CM) is configured With PGW REST API available.
See section https://nexusdoc.atlassian.net/wiki/spaces/ID/pages/691404808 for more information.
The Fallback responder type provides a real-time certificate status by querying the CM database with the help of the PGW. In order to achieve real-time status this responder type has some performance tradeoffs in relation to the basic responder type. The performance is very much depending on the network connection between OCSP and the PGW.
The following steps are performed when a client sends an OCSP request to Nexus OCSP responder configured "fallback".
Client TLS certificate authentication
As described in the previous sectionOCSP Request signature
As described in the previous section.Authorization
As described in the previous section.Local validation
For each single request in the OCSP request, query the revocation validation module(s) for revocation information about the certificate identified in the single request.CM Validation
OCSP responder will fallback to CM through PGW by sending an HTTPS request asking for the freshest CertStatus. Fallback will take place in the following cases:
- If the CertStatus in the response from the local validation was 'Good'.
- If the CertStatus in the response was 'Revoked' with CRL reason was OnHold, if and only if thecheckonhold
parameter in ocsp.conf was set to true.Sign the OCSP response
Billing
As described in the previous section.Send the OCSP response
Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions