Chapter 7. Securing connections by using OCSP
Online Certificate Status Protocol (OCSP) is a technology that allows web browsers and web servers to communicate over a secured connection. The encrypted data is sent from one side and decrypted by the other side before processing. The web browser and the web server both encrypt and decrypt the data.
7.1. Online Certificate Status Protocol
When a web browser and a web server communicate over a secured connection, the server presents a set of credentials in the form of a certificate. The browser then validates the certificate and sends a request for certificate status information. The server responds with a certificate status of current, expired, or unknown.
The certificate contains the following types of information:
- Syntax for communication
- Control information such as start time, end time, and address information to access an Online Certificate Status Protocol (OCSP) responder.
The web server uses an OCSP responder to check the certificate status. You can configure the web server to use the OCSP responder that is listed in the certificate or another OCSP responder. OCSP allows a grace period for expired certificates, which allows access to a server for a limited time before renewing the certificate.
OCSP overcomes limitations of the older Certificate Revocation List (CRL) method.
7.2. Configuring the Apache HTTP Server for SSL connections
You can configure the Apache HTTP Server to support SSL connections by installing the mod_ssl package and specifying configuration settings in the ssl.conf file.
Prerequisites
- You have generated an SSL certificate and private key.
- You know the location of the SSL certificate and private key file.
- You have obtained the Common Name (CN) that is associated with the SSL certificate.
Procedure
- To install mod_ssl, enter the following command:
# yum install jbcs-httpd24-mod_ssl
- To specify SSL configuration settings:
  - Open the JBCS_HOME/httpd/conf.d/ssl.conf file. Enter details for the ServerName, SSLCertificateFile, and SSLCertificateKeyFile. For example:
<VirtualHost _default_:443>
ServerName www.example.com:443
SSLCertificateFile /opt/rh/jbcs-httpd24/root/etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /opt/rh/jbcs-httpd24/root/etc/pki/tls/private/localhost.key
  Note:
  - The ServerName must match the Common Name (CN) that is associated with the SSL certificate. If the ServerName does not match the CN, client browsers display domain name mismatch errors.
  - The SSLCertificateFile specifies the path to the SSL certificate file.
  - The SSLCertificateKeyFile specifies the path to the private key file that is associated with the SSL certificate.
  - Verify that the Listen directive matches the hostname or IP address for the httpd service for your deployment.
- To restart the Apache HTTP Server, enter the following command:
# service jbcs-httpd24-httpd restart
7.3. Using OCSP with the Apache HTTP Server
You can use the Online Certificate Status Protocol (OCSP) for secure connections with the Apache HTTP Server.
Procedure
- Configure a certificate authority.
  Note: Ensure that your CA can issue OCSP certificates. The CA must be able to append the following attributes to the certificate:
[ usr_cert ]
...
authorityInfoAccess=OCSP;URI:http://<HOST>:<PORT>
...
[ v3_OCSP ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSP Signing
  In the preceding example, replace HOST and PORT with the details of the OCSP responder that you will configure.
- Configure an OCSP responder.
7.4. Configuring the Apache HTTP Server to validate OCSP certificates
You can configure the Apache HTTP Server to validate OCSP certificates by defining OCSP settings in the ssl.conf file.
Prerequisites
- You have configured a Certificate Authority (CA).
- You have configured an OCSP Responder.
Procedure
- Open the JBCS_HOME/httpd/conf.d/ssl.conf file. Specify the appropriate OCSP configuration details for your deployment. For example:
# Require valid client certificates (mutual auth)
SSLVerifyClient require
SSLVerifyDepth 3
# Enable OCSP
SSLOCSPEnable on
SSLOCSPDefaultResponder http://<HOST>:<PORT>
SSLOCSPOverrideResponder on
  Note: The preceding example shows how to enable OCSP validation of client certificates. In the preceding example, replace <HOST> and <PORT> with the IP address and port of the default OCSP Responder.
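As an added check that is not part of this documentation, the following POSIX sh script lints an ssl.conf for the OCSP directives shown above and reports the edits most often left unfinished (placeholder responder URL, OCSP not enabled, override without a default responder, client verification off); the temporary file and sample directive values are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation: a POSIX sh lint for the
# OCSP directives in ssl.conf described above. It flags the mistakes most often
# left behind after editing: the <HOST>:<PORT> placeholder still present, OCSP
# not enabled, an override responder with no default responder, or client
# certificate verification disabled (in which case OCSP never runs).
# Directive names are matched in the documented spelling; Apache itself is
# case-insensitive. No network access is needed.

# Print the value of an Apache directive (first uncommented match) or nothing.
directive() {  # $1 = config file, $2 = directive name
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\)$/\1/p" "$1" | head -n 1
}

# Lint one ssl.conf: print one line per finding, return the number of findings.
check_ocsp_conf() {  # $1 = config file
    problems=0
    enable=$(directive "$1" SSLOCSPEnable)
    responder=$(directive "$1" SSLOCSPDefaultResponder)
    override=$(directive "$1" SSLOCSPOverrideResponder)
    verify=$(directive "$1" SSLVerifyClient)
    case "$enable" in
        on|On|ON) ;;
        *) echo "SSLOCSPEnable is not 'on' (found: '${enable:-missing}')"
           problems=$((problems + 1)) ;;
    esac
    case "$responder" in
        *'<HOST>'*|*'<PORT>'*)
           echo "SSLOCSPDefaultResponder still contains the <HOST>/<PORT> placeholder"
           problems=$((problems + 1)) ;;
    esac
    case "$override" in
        on|On|ON) [ -n "$responder" ] || {
           echo "SSLOCSPOverrideResponder is on but no SSLOCSPDefaultResponder is set"
           problems=$((problems + 1)); } ;;
    esac
    case "$verify" in
        require|optional) ;;
        *) echo "SSLVerifyClient is '${verify:-missing}', so client certificates (and OCSP) are never checked"
           problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Demo on a constructed file that still carries the placeholder from the example.
demo=$(mktemp "${TMPDIR:-/tmp}/ssl.conf.XXXXXX")
printf '%s\n' 'SSLVerifyClient require' 'SSLVerifyDepth 3' 'SSLOCSPEnable on' \
    'SSLOCSPDefaultResponder http://<HOST>:<PORT>' 'SSLOCSPOverrideResponder on' > "$demo"
check_ocsp_conf "$demo" || echo "findings: $?"   # prints 1 finding for the placeholder
rm -f "$demo"
```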
7.5. Verifying the OCSP configuration for the Apache HTTP Server
You can use the OpenSSL command-line tool to verify the OCSP configuration for the Apache HTTP Server.
Procedure
On the command line, enter the openssl command in the following format:
# openssl ocsp -issuer cacert.crt -cert client.cert -url http://HOST:PORT -CA ocsp_ca.cert -VAfile ocsp.cert
In the preceding command, ensure that you specify the following details:
- Use the -issuer option to specify the CA certificate.
- Use the -cert option to specify the client certificate that you want to verify.
- Use the -url option to specify the URL of the OCSP responder that validates the certificate.
- Use the -CA option to specify the CA certificate for verifying the Apache HTTP Server certificate.
- Use the -VAfile option to specify the OCSP responder certificate.
Revised on 2024-03-15 10:24:32 UTC