- Created by Ann Base on Jan 30, 2020
You are viewing an old version of this page. View the current version.
Compare with Current View Page History
Version 1 Next »
Nexus OCSP Responder can work as a client to remote OCSP responders and send requests for validation of certificates. This article describes how to configure the different methods the client can use to find the URL(s) of the remote OCSP responders. This is done in the "Back end client" section of the Nexus OCSP Responder configuration file. Specify the methods in the order you want them to be used.
The back end client configuration is optional.
In the OCSP configuration file, specify as follows:
ocsp.client.urlcheck.<m#>=[servicelocator|table|fromcert]
See this table for description of constants and values:
Constants and Values Description <m#>
Replace <m#>
with the method sequence number.servicelocator | table | fromcert
- The
servicelocator
method uses theserviceLocator
request extension to get the URL of the authoritative responder. - The
table
method uses a table with two columns:- the rule to find a certain CA
- the URL of the corresponding remote OCSP responder.
For more information, see section "Lookup table" below.
- The
fromcert
method searches the certificate in the certificate cache (and in case of no hit and if lookup is specified, in a directory).
The authorityInformationAccess (AIA) certificate extension is used to find the URL. Note that if you use Windows domains, do not include a trailing slash in the AIA attribute.
Default:servicelocator
- The
This section describes the table
method. Enumerate the rows in the table and identify all the specifications for a certain row with the sequence number for this row.
In the OCSP configuration file, specify as follows:
ocsp.client.urlcheck.<m#>.table.<r#>.issuermatch=<attributes> ocsp.client.urlcheck.<m#>.table.<r#>.url=<URL>
Systems or applications that rely on OCSP responses, must verify each response according to specified criteria. This is described in section 4.2.2.2 of RFC 6960 X.509 Internet Public Key Infrastructure Online Certificate Status Protocol – OCSP, see https://tools.ietf.org/html/rfc6960.
Optionally, to comply with this section, these criteria can include that the signature certificate in the lookup response only need to match a specified name. This is useful if, for some reason, the response is not signed with a certificate related to the issuer of the queried certificate. This is only applicable if .
..client.response.signature.check
is true. If you want to include this, add the following:ocsp.client.urlcheck.<m#>.table.<r#>.respondername=<trusted resp name>
See this table for description of constants and values:
Constants and Values Description <m#>
Replace <m#>
with the method sequence number.<r#>
Replace <r#>
with the row sequence number.<attributes>
Replace
<attributes>
with the attributes to use for a match. Wildcards are allowed.<URL>
Replace <URL>
with the URL to use if this rule matches.<trusted resp name>
Replace
<trusted resp name>
with the name of a trusted responder. Wildcards are allowed.
Example
ocsp.client.urlcheck.1=servicelocator ocsp.client.urlcheck.2=table ocsp.client.urlcheck.2.table.1.issuermatch=*,o=Posten Publ. AB,c=SE ocsp.client.urlcheck.2.table.1.url=http://ocsphost/myProxyForPosten/ ocsp.client.urlcheck.2.table.1.respondername=cn=OCSP Responder,o=Nexus,c=SE ocsp.client.urlcheck.2.table.2.issuermatch=*,o=Our Partner,c=UK ocsp.client.urlcheck.2.table.2.url=http://ocsp.ourpartner.co.uk/
If TLS is used and the remote OCSP responder requires client authentication, specify a key for this:
ocsp.client.authentication.key.certificate=<certificate pattern> ocsp.client.authentication.key.pin=<PIN>
To encrypt the pin, see Encryption of sensitive configuration parameters.
Constants and Values Description <certificate pattern>
Replace
<certificate pattern>
with the certificate pattern to specify the key pair. For a description of the syntax, see heading “LDAP certificate patterns” in Introduction to LDAP.<PIN>
Replace <PIN>
with the PIN for the key pair.
In the OCSP configuration file, specify the OCSP client request as follows:
ocsp.client.request.usecache=[true|false] ocsp.client.request.http.method=[get|post] ocsp.client.request.http.timeout=<time expr> ocsp.client.request.nonce=[true|false] ocsp.client.request.nonce.size=<size> ocsp.client.request.signature.key.certificate=<certificate pattern> ocsp.client.request.signature.key.pin=<PIN> ocsp.client.request.signature.othercerts=[none|byname|bykey] ocsp.client.request.signature.chain=[none|cert|chain|allchains] ocsp.client.request.signature.chain.includeroot=[true|false] ocsp.client.request.freshnessproofs.add=[true|false]
See this table for description of constants and values:
Constants and Values Description true | false
for parameter...usecache
Enter
true
to check,false
not to check the response cache first of all.Default:
false
get | post
Enter
get
orpost
to specify the HTTP method to be used when the OCSP client requests a remote responder.Default:
post
<time expr>
Replace
<time expr>
with a time period expression (short form), specified according to ISO 8601 Representation of dates and times. This is the maximum amount of time the client will wait for response.- Example 1: P1Y2M3DT4H5M6S stands for 1 year, 2 months, 3 days, 4 hours, 5 minutes and 6 seconds.
- Example 2: P1D stands for 1 day.
- Example 3: PT1H stands for 1 hour.
Note the extra separator ‘T’ before time units shorter than one day.
Default: PT30S
true | false
for parameter...nonce
Enter
true
to add,false
not to add "nonce" to the request. "Nonce" is random data, generated by the client and used to guarantee the freshness of a response and protect against replay attacks.Default:
false
<size>
Replace
<size>
with the size in bytes of the nonce.Default:
16
<certificate pattern>
Replace
<certificate pattern>
with the certificate pattern to specify the key pair. For a description of the syntax, see Section 6.2.3, “ Certificate Pattern ”.<PIN>
Replace
<PIN>
with the PIN for the key pair.none | byname | bykey
The parameter
...othercerts
will be ignored if the parameter...chain
is set to "none
".- Enter
none
to indicate that the request shall include only the signature certificate. - Enter
byname
to let Nexus OCSP Responder search the certificate cache for other certificates with the same public key as the signature certificate, but only include those in the request, which also have the same subject distinguished name. - Enter
bykey
to let Nexus OCSP Responder search the certificate cache for other certificates with the same public key as the signature certificate and include them in the request.
Default:
none
none | cert | chain | allchains
- Enter
none
to indicate that no signature certificate(s) shall be appended to the request. - Enter
cert
to indicate that the signature certificate shall be appended to the request. If parameter...othercerts
is set to "byname
" or "bykey
", all applicable certificates shall be appended. - Enter
chain
to indicate that one chain of certificates, chaining to the trust store, shall be appended to the request. If parameter...othercerts
is set to "byname
" or "bykey
", one chain for every applicable certificate shall be appended. - Enter
allchains
to indicate that all possible certificate chains shall be appended to the request. If parameter...othercerts
is set to "byname
" or "bykey
", all valid chains for all applicable certificates shall be appended.
Default:
chain
true | false
for parameter...includeroot
The parameter
...signature.chain.includeroot
is relevant only when parameter...signature.chain
is set to "chain
" or "allchains
". Entertrue
to include,false
not to include the root certificate in the chains.Default:
false
true | false
for parameter...freshnessproofs.add
Enter
true
to query,false
not to query the local OCSP response cache for the status of the certificates in the signature chain and to add them to a freshness proof extension in the request, if possible.Default:
false
In the OCSP configuration file, specify the OCSP client response as follows:
ocsp.client.response.allowunknown=[true|false] ocsp.client.response.nonce.check=[true|false] ocsp.client.response.signature.check=[true|false] ocsp.client.response.signature.allowauthority=[true|false] ocsp.client.response.chain.validate=[true|false] ocsp.client.response.notolderthan=<time expr> ocsp.client.response.freshnessproof.handle=[true|false]
See this table for description of constants and values:
Constants and Values Description true | false
for parameter...allowunknown
Enter
true
to accept,false
not to accept an OCSP response with status "unknown
". If this is enabled and the status would be unknown, a "tryLater
" response will be created and returned instead of the received response.Default:
false
true | false
for parameter...nonce.check
Enter
true
to check,false
not to check that if a nonce was included in the request, an identical nonce can be found in the response.Default:
true
true | false
for parameter...signature.check
Enter
true
to check,false
not to check the signature certificate. If this is enabled and the signature could not be verified, a "tryLater
" response will be created and returned instead of the received response. Disabling this can be a convenient way to always forward requests and their responses if the queried responders are trusted.Default:
true
true | false
for parameter..signature.allowauthority
Enter
true
to accept an OCSP responder if the response signer was issued by an authority that is found in the certificate chain of the certificate for which status is requested,false
if not. This is only applicable if...signature.check
istrue
.Default:
false
true | false
for parameter...chain.validate
Enter
true
to make a full validation of the whole chain of signature certificates. Enterfalse
to make no validation. This is only applicable if...signature.check
istrue
.Default:
true
<time expr>
Replace
<time expr>
with a time period expression (short form), specified according to ISO 8601 Representation of dates and times (see also information in the Constants and Values table under heading "Specify OCSP Client request)". If the difference between the current time and theproducedAt
value exceeds this setting, the response will not be used.Default:
No checking
true | false
for parameter...freshnessproof.handle
Enter
true
to extract,false
not to extract the freshness proof extension from the OCSP response if present and add the contents to the OCSP response cache.Default:
false
ocsp.client.urlcheck.1=servicelocator ocsp.client.urlcheck.2=table ocsp.client.urlcheck.2.table.1.issuermatch=* ocsp.client.urlcheck.2.table.1.url=http://ocsphost:90/basic ocsp.client.request.usecache=true ocsp.client.response.allowunknown=true
- No labels