OCSP proxying
This article describes the proxying used in Nexus OCSP Responder. Proxying is configured through responders. For more information, see the OCSP responder section.
Example 1
In this example, two urlcheck parameters are configured in succession.
If the OCSP request contains a serviceLocator extension, that is, if the queried certificate contains an authorityInformationAccess extension specifying an OCSP URL, this URL will be used first. If no such URL exists, or if the response is not considered valid, Nexus OCSP Responder will check whether the certificate is issued by the Acme TrustCenter CA, using a hardcoded URL for revocation information.
In the OCSP configuration file, specify as follows:
ocsp.client.urlcheck.1=servicelocator
ocsp.client.urlcheck.2=table
ocsp.client.urlcheck.2.table.1.issuermatch=*o=Acme*
ocsp.client.urlcheck.2.table.1.url=http://ocsp.acme.com/ca01
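As an added illustration (not Nexus code), the following Python models the urlcheck order from Example 1: it parses the configuration keys above and returns the URL a client would try first for a given issuer DN and AIA OCSP URL. The parser, the case-insensitive glob match for issuermatch, and the absence of a "response not valid" retry are all assumptions of this example.

```python
"""Model of urlcheck resolution as described above (illustration, not Nexus code)."""
from fnmatch import fnmatchcase
from typing import Dict, Optional

# Constructed configuration: the same keys as Example 1 on this page.
CONFIG_TEXT = """
ocsp.client.urlcheck.1=servicelocator
ocsp.client.urlcheck.2=table
ocsp.client.urlcheck.2.table.1.issuermatch=*o=Acme*
ocsp.client.urlcheck.2.table.1.url=http://ocsp.acme.com/ca01
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser; whitespace around '=' is ignored (assumption)."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve_ocsp_url(props: Dict[str, str], prefix: str, issuer_dn: str,
                     aia_ocsp_url: Optional[str]) -> Optional[str]:
    """Walk urlcheck.1, urlcheck.2, ... and return the first URL that applies.

    'servicelocator' uses the OCSP URL carried by the certificate's AIA extension;
    'table' tries each table.N.issuermatch glob against the issuer DN. The glob is
    matched case-insensitively here (assumption). Falling through after an invalid
    response from the first URL is not modelled; only URL selection is.
    """
    n = 1
    while f"{prefix}.urlcheck.{n}" in props:
        kind = props[f"{prefix}.urlcheck.{n}"]
        if kind == "servicelocator" and aia_ocsp_url:
            return aia_ocsp_url
        if kind == "table":
            t = 1
            while f"{prefix}.urlcheck.{n}.table.{t}.url" in props:
                pattern = props.get(f"{prefix}.urlcheck.{n}.table.{t}.issuermatch", "*")
                if fnmatchcase(issuer_dn.lower(), pattern.lower()):
                    return props[f"{prefix}.urlcheck.{n}.table.{t}.url"]
                t += 1
        n += 1
    return None  # no revocation source configured for this issuer
```

Run with an issuer DN containing `o=Acme` and no AIA URL to see the table entry selected; pass an AIA URL to see servicelocator win.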
Example 2
In this example, a forwarding responder is configured that forwards requests to another responder and returns responses as leniently as possible, by allowing all issuers and disabling verification of the response.
In the OCSP configuration file, specify as follows:
responder.1.type=basic
responder.1.url=http://*:80
responder.1.workers=5
responder.1.signer.1.issuerdn=cn=Dummy CA,c=SE
responder.1.signer.1.certificate=cn=Dummy OCSP Signer,c=SE
responder.1.signer.1.pin=secretPIN1234
responder.1.forwarding.enabled=true
responder.1.forwarding.onlyforissuer.1=*
responder.1.forwarding.client.urlcheck.1=table
responder.1.forwarding.client.urlcheck.1.table.1.issuermatch=*
responder.1.forwarding.client.urlcheck.1.table.1.url=http://ocsp.acme.com
responder.1.forwarding.client.response.allowunknown=true
responder.1.forwarding.client.response.signature.check=false
Each responder needs a signer to operate, but not necessarily a valid one. If the responder is only to forward, any signer can be entered as long as its CA is present in the trust store.
Example 3
In this example, a forwarding responder is configured that forwards requests using client authentication during the SSL handshake.
In the OCSP configuration file, specify as follows:
responder.1.type=basic
responder.1.url=http://*:8080/forwardclientssl
responder.1.workers=5
responder.1.signature.chain=cert
responder.1.signer.1.issuerdn=cn=Dummy OCSP CA,c=SE
responder.1.signer.1.certificate=cn=Dummy OCSP Signer,c=SE
responder.1.signer.1.pin=1234
responder.1.forwarding.enabled=true
responder.1.forwarding.onlyforissuer.1=*
responder.1.forwarding.client.urlcheck.1=table
responder.1.forwarding.client.urlcheck.1.table.1.url=https://otherresponder:8444
responder.1.forwarding.client.urlcheck.1.table.1.issuermatch=*
responder.1.forwarding.client.authentication.key.certificate=c=SE,cn=SSL Client
responder.1.forwarding.client.authentication.key.pin=1234
Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.