Document toolboxDocument toolbox

Nexus Documentation
CURL vulnerability information (CVE-2023-38545) - Nexus awareness advisory on Microsoft's update KB5014754

OCSP Responder Signer Expiry Check

Owned by Ylva Andersson
Dec 19, 2024
2 min read

This article is new for Nexus OCSP Responder 6.3.0.

This article describes how to configure Nexus OCSP Responder Expiry Check.

Introduction

Expiry Check is a service that sends reminder logs when a responder's signer certificate is about to expire. By default every signer will register to this service with a default configuration.

When a signer’s certificate is about to expire, a log event of type "ExpiryCheck" will be triggered. If a configured warning threshold period is crossed before the expiry of the signer’s certificate happens, there will be a warning level message logged. When a severe warning threshold period is crossed, or if the certificate has expired, there will instead be a severe level message logged.

Expiry Check configuration

Configuration can be done on both a per signer level or on a per responder level. The more specific configuration will always be chosen first. If a configuration is missing, the default will apply.

Expiry check has four configuration parameters:

Parameter

Default value

Description

Parameter

Default value

Description

expiryCheck.disable=true|false

false

Specifies whether or not to disable Expiry Check Service.

expiryCheck.period=<time expr>

P24H

Specifies how frequently the Expiry Check Service will execute. By default, the check will be performed every 24 hours.

expiryCheck.warningBefore=<time expr>

P30D

Specifies the time period before the signer’s expiry date when a warning log should be sent. By default, 30 days before the signer’s expiry date.

expiryCheck.severeBefore=<time expr>

P7D

Specifies the time period before the signer’s expiry date when a severe log should be sent. By default, 7 days before the signer’s expiry date.

<time expr> should follow iso-8601 duration format

Example configuration for a signer:
responder.1.signer.1.expiryCheck.disable=false
responder.1.signer.1.expiryCheck.period=P24H
responder.1.signer.1.expiryCheck.warningBefore=P30D
responder.1.signer.1.expiryCheck.severeBefore=P5D

Example configuration for a responder, (Every signer for this responder will inherit this configuration):
;responder.1.expiryCheck.disable=false
;responder.1.expiryCheck.period=P24H
;responder.1.expiryCheck.warningBefore=P30D
;responder.1.expiryCheck.severeBefore=P5D

Logging configuration example

It it possible to filter ExpiryCheck messages by simply specifying “type=ExpiryCheck” in the logger filter configuration.

Example: Omit Expiry Check messages

agent.log.1.type = file
agent.log.1.prefix = log/ocsp
agent.log.5.filter = !type=ExpiryCheck

Example: Write ExpiryCheck messages only
agent.log.4.type = file
agent.log.4.prefix = log/ocsp-expiry-check
agent.log.4.filter = type=ExpiryCheck

Example: Write severe ExpiryCheck messages to syslog
agent.log.5.type = syslog
agent.log.5.port = 10514
agent.log.5.host = localhost
agent.log.5.facility = user
agent.log.5.filter = type=ExpiryCheck & severity=severe

 

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions