Este contenido no está disponible en el idioma seleccionado.
7.6. Using the Online Certificate Status Protocol (OCSP) Responder
7.6.1. Setting up the OCSP Responder
Copiar enlaceEnlace copiado en el portapapeles!
			If a CA within the security domain is selected when the Online Certificate Status Manager is configured, there is no extra step required to configure the OCSP service. The CA's CRL publishing is set up automatically, and its signing certificate is automatically added and trusted in the Online Certificate Status Manager's certificate database. However, if a non-security domain CA is selected, then the OCSP service must be manually configured after the Online Certificate Status Manager is configured.
		
Note
				Not every CA within the security domain to which the OCSP Manager belongs is automatically trusted by the OCSP Manager when it is configured. Every CA in the certificate chain of the CA configured in the CA panel is trusted automatically by the OCSP Manager. Other CAs within the security domain but not in the certificate chain must be trusted manually.
			
			To set up the Online Certificate Status Manager for a Certificate Manager outside the security domain:
		
- Configure the CRLs for every CA that will publish to an OCSP responder.
- Enable publishing, set up a publisher, and set publishing rules in every CA that the OCSP service will handle (Chapter 8, Publishing Certificates and CRLs). This is not necessary if the Certificate Managers publish to an LDAP directory and the Online Certificated Status Manager is set up to read from that directory.
- The certificate profiles must be configured to include the Authority Information Access extension, pointing to the location at which the Certificate Manager listens for OCSP service requests (Section 7.6.4, “Enabling the Certificate Manager's Internal OCSP Service”).
- Configure the OCSP Responder.- Configure the Revocation Info store (Section 7.6.2.2, “Configure the Revocation Info Stores: Internal Database” and Section 7.6.2.3, “Configure the Revocation Info Stores: LDAP Directory”).
- Identify every publishing Certificate Manager to the OCSP responder (Section 7.6.2, “Identifying the CA to the OCSP Responder”).
- If necessary, configure the trust settings for the CA which signed the OCSP signing certificate (Section 16.7, “Changing the Trust Settings of a CA Certificate”).
 
- Restart both subsystems after configuring them.
- Verify that the CA is properly connected to the OCSP responder (Section 7.6.2.1, “Verify Certificate Manager and Online Certificate Status Manager Connection”).
7.6.2. Identifying the CA to the OCSP Responder
Copiar enlaceEnlace copiado en el portapapeles!
			Before a CA is configured to publish CRLs to the Online Certificate Status Manager, the CA must be identified to the Online Certificate Status Manager by storing the CA signing certificate in the internal database of the Online Certificate Status Manager. The Certificate Manager signs CRLs with the key pair associated with this certificate; the Online Certificate Status Manager verifies the signature against the stored certificate.
		
Note
				If a CA within the security domain is selected when the Online Certificate Status Manager is configured, there is no extra step required to configure the Online Certificate Status Manager to recognize the CA; the CA signing certificate is automatically added and trusted in the Online Certificate Status Manager's certificate database. However, if a non-security domain CA is selected, then the CA signing certificate must be manually added to the certificate database after the Online Certificate Status Manager is configured.
			
			It is not necessary to import the certificate chain for a CA which will publish its CRL to the Online Certificate Status Manager. The only time a certificate chain is needed for the OCSP service is if the CA connects to the Online Certificate Status Manager through SSL/TLS authentication when it publishes its CRL. Otherwise, the Online Certificate Status Manager does not need to have the complete certificate chain.
		
			However, the Online Certificate Status Manager must have the certificate which signed the CRL, either a CA signing certificate or a separate CRL signing certificate, in its certificate database. The OCSP service verifies the CRL by comparing the certificate which signed the CRL against the certificates in its database, not against a certificate chain. If both a root CA and one of its subordinate CAs publish CRLs to the Online Certificate Status Manager, the Online Certificate Status Manager needs the CA signing certificate of both CAs.
		
			To import the CA or CRL signing certificate which is used to sign the certificates the CA is publishing to the Online Certificate Status Manager, do the following:
		
- Get the Certificate Manager's base-64 CA signing certificate from the end-entities page of the CA.
- Open the Online Certificate Status Manager agent page. The URL has the formathttps://hostname:SSLport/ocsp/agent/ocsp.
- In the left frame, click .
- In the form, paste the encoded CA signing certificate inside the text area labeled Base 64 encoded certificate (including the header and footer).
- To verify that the certificate is added successfully, in the left frame, click List Certificate Authorities.
			The resulting form should show information about the new CA. The This Update, Next Update, and Requests Served Since Startup fields should show a value of zero (0).
		
7.6.2.1. Verify Certificate Manager and Online Certificate Status Manager Connection
Copiar enlaceEnlace copiado en el portapapeles!
				When the Certificate Manager is restarted, it tries to connect to the Online Certificate Status Manager's SSL/TLS port. To verify that the Certificate Manager did indeed communicate with the Online Certificate Status Manager, check the This Update and Next Update fields, which should be updated with the appropriate timestamps of the CA's last communication with the Online Certificate Status Manager. The Requests Served Since Startup field should still show a value of zero (0) since no client has tried to query the OCSP service for certificate revocation status.
			
7.6.2.2. Configure the Revocation Info Stores: Internal Database
Copiar enlaceEnlace copiado en el portapapeles!
				The Online Certificate Status Manager stores each Certificate Manager's CRL in its internal database and uses it as the CRL store for verifying the revocation status of certificates. To change the configuration that the Online Certificate Status Manager uses for storing the CRLs in its internal database:
			
- Open the Online Certificate Status Manager Console.pkiconsole https://server.example.com:8443/ocsp pkiconsole https://server.example.com:8443/ocspCopy to Clipboard Copied! Toggle word wrap Toggle overflow 
- In the Configuration tab, select Online Certificate Status Manager, and then select Revocation Info Stores.The right pane shows the two repositories the Online Certificate Status Manager can use; by default, it uses the CRL in its internal database.
- Select thedefStore, and click .
- Edit thedefStorevalues.- notFoundAsGood. Sets the OCSP service to return an OCSP response of GOOD if the certificate in question cannot be found in any of the CRLs. If this is not selected, the response is UNKNOWN, which, when encountered by a client, results in an error message.
- byName. The OCSP Responder only supports the basic response type, which includes the ID of the OCSP Responder making the response. The ResponderID field within the basic response type is determined by the value of theocsp.store.defStore.byNameparameter. IfbyNameparameter is true or is missing, the OCSP authority signing certificate subject name is used as the ResponderID field of the OCSP response. IfbyNameparameter is false, the OCSP authority signing certificate key hash will be the ResponderID field of the OCSP response.
- includeNextUpdate. Includes the timestamp of the next CRL update time.
 
7.6.2.3. Configure the Revocation Info Stores: LDAP Directory
Copiar enlaceEnlace copiado en el portapapeles!
				Although the OCSP Manager stores the CA CRLs in its internal database by default, it can be configured to use a CRL published to an LDAP directory instead.
			
Important
					If the 
ldapStore method is enabled, the OCSP user interface does not check the certificate status.
				
				To configure the Online Certificate Status Manager to use an LDAP directory:
			
- Open the Online Certificate Status Manager Console.pkiconsole https://server.example.com:8443/ocsp pkiconsole https://server.example.com:8443/ocspCopy to Clipboard Copied! Toggle word wrap Toggle overflow 
- In the Configuration tab, select Online Certificate Status Manager, and then select Revocation Info Stores.The right pane shows the two repositories the Online Certificate Status Manager can use; by default, it uses the CRL in its internal database.
- To use the CRLs in LDAP directories, click to enable theldapStoreoption.
- SelectldapStore, and click .
- Set theldapStoreparameters.- numConns. The total number of LDAP directories the OCSP service should check. By default, this is set to 0. Setting this value shows the corresponding number of host, port, baseDN, and refreshInSec fields.
- host. The fully-qualified DNS hostname of the LDAP directory.
- port. The non-SSL/TLS port of the LDAP directory.
- baseDN. The DN to start searching for the CRL. For example,O=example.com.
- refreshInSec. How often the connection is refreshed. The default is 86400 seconds (daily).
- caCertAttr. Leave the default value,cACertificate;binary, as it is. It is the attribute to which the Certificate Manager publishes its CA signing certificate.
- crlAttr. Leave the default value,certificateRevocationList;binary, as it is. It is the attribute to which the Certificate Manager publishes CRLs.
- notFoundAsGood. Sets the OCSP service to return an OCSP response of GOOD if the certificate in question cannot be found in any of the CRLs. If this is not selected, the response is UNKNOWN, which, when encountered by a client, results in an error message.
- byName. The OCSP Responder only supports the basic response type, which includes the ID of the OCSP Responder making the response. The ResponderID field within the basic response type is determined by the value of theocsp.store.defStore.byNameparameter. IfbyNameparameter is true or is missing, the OCSP authority signing certificate subject name is used as the ResponderID field of the OCSP response. IfbyNameparameter is false, the OCSP authority signing certificate key hash will be the ResponderID field of the OCSP response.
- includeNextUpdate. The Online Certificate Status Manager can include the timestamp of the next CRL update time.
 
7.6.2.4. Testing the OCSP Service Setup
Copiar enlaceEnlace copiado en el portapapeles!
				Test whether the Certificate Manager can service OCSP requests properly by doing the following:
			
- Turn on revocation checking in the browser or client.
- Request a certificate from the CA that has been enabled for OCSP services.
- Approve the request.
- Download the certificate to the browser or client.
- Make sure the CA is trusted by the browser or client.
- Check the status of Certificate Manager's internal OCSP service.Open the CA agent services page, and select the OCSP Services link.
- Test the independent Online Certificate Status Manager subsystem.Open the Online Certificate Status Manager agent services page, and click the List Certificate Authorities link.The page should show information about the Certificate Manager configured to publish CRLs to the Online Certificate Status Manager. The page also summarizes the Online Certificate Status Manager's activity since it was last started.
- Revoke the certificate.
- Verify the certificate in the browser or client. The server should return that the certificate has been revoked.
- Check the Certificate Manager's OCSP-service status again to verify that these things happened:- The browser sent an OCSP query to the Certificate Manager.
- The Certificate Manager sent an OCSP response to the browser.
- The browser used that response to validate the certificate and returned its status, that the certificate could not be verified.
 
- Check the independent OCSP service subsystem again to verify that these things happened:- The Certificate Manager published the CRL to the Online Certificate Status Manager.
- The browser sent an OCSP response to the Online Certificate Status Manager.
- The Online Certificate Status Manager sent an OCSP response to the browser.
- The browser used that response to validate the certificate and returned its status, that the certificate could not be verified.
 
7.6.3. Setting the Response for Bad Serial Numbers
Copiar enlaceEnlace copiado en el portapapeles!
			OCSP responders check the revocation status and expiration date of a certificate before determining whether the certificate is valid; by default, the OCSP does not validate other information on the certificate.
		
			The 
notFoundAsGood parameter sets how the OCSP handles a certificate with an invalid serial number. This parameter is enabled by default, which means that if a certificate is present with a bad serial number but the certificate is otherwise valid, the OCSP returns a status of GOOD for the certificate.
		
			To have the OCSP check and reject certificates based on bad serial numbers as well as revocation status, change the 
notFoundAsGood setting. In that case, the OCSP returns a status of UNKNOWN with a certificate with a bad serial number. The client interprets that as an error and can respond accordingly.
		- Open the Online Certificate Status Manager Console.pkiconsole https://server.example.com:8443/ocsp pkiconsole https://server.example.com:8443/ocspCopy to Clipboard Copied! Toggle word wrap Toggle overflow 
- In the Configuration tab, select Online Certificate Status Manager, and then select Revocation Info Stores.
- Select thedefStore, and click .
- Edit thenotFoundAsGoodvalue. Selecting the checkbox means that the OCSP returns a value ofGOODeven if the serial number on the certificate is bad. Unselecting the checkbox means that the OCSP sends a value ofUNKNOWN, which the client can intrepret as an error.
- Restart the OCSP Manager.systemctl restart pki-tomcatd@instance-name.service ]# systemctl restart pki-tomcatd@instance-name.serviceCopy to Clipboard Copied! Toggle word wrap Toggle overflow 
7.6.4. Enabling the Certificate Manager's Internal OCSP Service
Copiar enlaceEnlace copiado en el portapapeles!
			The Certificate Manager has a built-in OCSP service, which can be used by OCSP-compliant clients to query the Certificate Manager directly about the revocation status of the certificate. When the Certificate Manager is installed, an OCSP signing certificate is issued and the OCSP service is turned on by default. This OCSP signing certificate is used to sign all responses to OCSP service requests. Since the internal OCSP service checks the status of certificates stored in the Certificate Manager's internal database, publishing does not have to be configured to use this service.
		
			Clients can query the OCSP service through the non-SSL/TLS end-entity port of the Certificate Manager. When queried for the revocation status of a certificate, the Certificate Manager searches its internal database for the certificate, checks its status, and responds to the client. Since the Certificate Manager has real-time status of all certificates it has issued, this method of revocation checking is the most accurate.
		
			Every CA's built-in OCSP service is turned on at installation. However, to use this service, the CA needs to issue certificates with the Authority Information Access extension.
		
- Go to the CA's end-entities page. For example:https://server.example.com:8443/ca/ee/ca https://server.example.com:8443/ca/ee/caCopy to Clipboard Copied! Toggle word wrap Toggle overflow 
- Find the CA signing certificate.
- Look for the Authority Info Access extension in the certificate, and note theLocation URINamevalue, such ashttp.s://server.example.com:8443/ca/ocsp
- Update the enrollment profiles to enable the Authority Information Access extension, and set theLocationparameter to the Certificate Manager's URI. For information on editing the certificate profiles, see Section 3.2, “Setting up Certificate Profiles”.
- Restart the CA instance.systemctl restart pki-tomcatd@instance-name.service ]# systemctl restart pki-tomcatd@instance-name.serviceCopy to Clipboard Copied! Toggle word wrap Toggle overflow 
Note
				To disable the Certificate Manager's internal OCSP service, edit the CA's 
CS.cfg file and change the value of the ca.ocsp parameter to false.
			ca.ocsp=false
ca.ocsp=false7.6.5. Submitting OCSP Requests Using the OCSPClient program
Copiar enlaceEnlace copiado en el portapapeles!
			The OCSPClient program can be used for performing OCSP requests. For example:
		
OCSPClient -h server.example.com -p 8080 -d /etc/pki/pki-tomcat/alias -c "caSigningCert cert-pki-ca" --serial 2
]# OCSPClient -h server.example.com -p 8080 -d /etc/pki/pki-tomcat/alias -c "caSigningCert cert-pki-ca" --serial 2
CertID.serialNumber=2
CertStatus=Good
			The 
OCSPClient command can be used with the following command-line options:
		| Option | Description | 
|---|---|
| -d database | Security database location (default: current directory) | 
| -h hostname | OCSP server hostname (default: example.com) | 
| -p port | OCSP server port number (default: 8080) | 
| -t path | OCSP service path (default: /ocsp/ee/ocsp) | 
| -c nickname | CA certificate nickname (defaut: CA Signing Certificate) | 
| -n times | Number of submissions (default: 1) | 
| --serial serial_number | Serial number of certificate to be checked | 
| --input input_file | Input file containing DER-encoded OCSP request | 
| --output output_file | Output file to store DER-encoded OCSP response | 
| -v, --verbose | Run in verbose mode | 
| --help | Show help message | 
7.6.6. Submitting OCSP Requests Using the GET Method
Copiar enlaceEnlace copiado en el portapapeles!
			OCSP requests which are smaller than 255 bytes can be submitted to the Online Certificate Status Manager using a GET method, as described in RFC 6960. To submit OCSP requests over GET:
		
- Generate an OCSP request for the certificate the status of which is being queried. For example:openssl ocsp -CAfile ca.pem -issuer issuer.pem -serial serial_number -reqout - | base64 ]# openssl ocsp -CAfile ca.pem -issuer issuer.pem -serial serial_number -reqout - | base64 MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE=Copy to Clipboard Copied! Toggle word wrap Toggle overflow 
- Paste the URL in the address bar of a web browser to return the status information. The browser must be able to handle OCSP requests.https://server.example.com:8443/ocsp/ee/ocsp/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE= https://server.example.com:8443/ocsp/ee/ocsp/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE=Copy to Clipboard Copied! Toggle word wrap Toggle overflow 
- The OCSP Manager responds with the certificate status which the browser can interpret. The possible statuses are GOOD, REVOKED, and UNKNOWN.
			Alternatively, run the OCSP from the command line by using a tool such as 
curl to send the request and openssl to parse the response. For example:
		- Generate an OCSP request for the certificate the status of which is being queried. For example:openssl ocsp -CAfile ca.pem -issuer issuer.pem -serial serial_number -reqout - | base64 ]# openssl ocsp -CAfile ca.pem -issuer issuer.pem -serial serial_number -reqout - | base64 MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE=Copy to Clipboard Copied! Toggle word wrap Toggle overflow 
- Connect to the OCSP Manager usingcurlto send the OCSP request.curl https://server.example.com:8443/ocsp/ee/ocsp/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE= > ocspresp.der curl https://server.example.com:8443/ocsp/ee/ocsp/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE= > ocspresp.derCopy to Clipboard Copied! Toggle word wrap Toggle overflow 
- Parse the response usingopenssl:openssl ocsp -respin ocspresp.der -resp_text openssl ocsp -respin ocspresp.der -resp_textCopy to Clipboard Copied! Toggle word wrap Toggle overflow 
			For certificates issued by a 7.1 CA with the Authority Information Access extension to be sent to the OCSP with the GET method, a redirect needs to be created to forward the requests to the appropriate URL, as described in Section 7.6.7, “Setting up a Redirect for Certificates Issued in Certificate System 7.1 and Earlier”.
		
7.6.7. Setting up a Redirect for Certificates Issued in Certificate System 7.1 and Earlier
Copiar enlaceEnlace copiado en el portapapeles!
			The location for the OCSP user pages, specified in the URL with the file root 
/ocsp/ee/ocsp/, is different in Certificate System 9 or Certificate System 8.1 than the location in Certificate System 7.1, which was simply /ocsp/. In order for certificates issued by a 7.1 or earlier CA with the Authority Information Access extension to be sent to the OCSP, create a redirect to forward the requests to the appropriate URL.
		Note
				Setting the redirect is only required to manage certificates issued by a 7.1 or earlier CA with the Authority Information Access extension. If the certificates are issued by a later version Certificate Manager or do not contain the Authority Information Access extension, then this configuration is not necessary.
			
- Stop the OCSP Responder.systemctl stop pki-tomcatd@instance-name.service ]# systemctl stop pki-tomcatd@instance-name.serviceCopy to Clipboard Copied! Toggle word wrap Toggle overflow 
- Change to the OCSP's end user web applications directory. For example:cd /var/lib/pki-ocsp/webapps/ocsp ]# cd /var/lib/pki-ocsp/webapps/ocspCopy to Clipboard Copied! Toggle word wrap Toggle overflow 
- Change to theROOT/WEB-INF/directory in theROOTfolder of the OCSP's web applications directory. For example:cd /var/lib/pki-ocsp/webapps/ocsp/ROOT/WEB-INF/ ]# cd /var/lib/pki-ocsp/webapps/ocsp/ROOT/WEB-INF/Copy to Clipboard Copied! Toggle word wrap Toggle overflow 
- Create and open thelib/directory in theROOTfolder of the OCSP's web applications directory.mkdir lib cd lib/ ]# mkdir lib ]# cd lib/Copy to Clipboard Copied! Toggle word wrap Toggle overflow 
- Create a symlink that links back to the/usr/share/java/pki/cms.jarJAR file. For example:ln -s /usr/share/java/pki/cms.jar cms.jar ]# ln -s /usr/share/java/pki/cms.jar cms.jarCopy to Clipboard Copied! Toggle word wrap Toggle overflow 
- Move up to the main web application directory. For example:cd /var/lib/pki-ocsp/webapps/ocsp/ ]# cd /var/lib/pki-ocsp/webapps/ocsp/Copy to Clipboard Copied! Toggle word wrap Toggle overflow 
- Rename the current instance (ocsp) directory. For example:mv /var/lib/pki-ocsp/webapps/ocsp/ocsp /var/lib/pki-ocsp/webapps/ocsp/ocsp2 ]# mv /var/lib/pki-ocsp/webapps/ocsp/ocsp /var/lib/pki-ocsp/webapps/ocsp/ocsp2Copy to Clipboard Copied! Toggle word wrap Toggle overflow 
- Change to theWEB-INF/directory in the originalocsp/directory. For example:cd /var/lib/pki-ocsp/webapps/ocsp/ocsp/WEB-INF ]# cd /var/lib/pki-ocsp/webapps/ocsp/ocsp/WEB-INFCopy to Clipboard Copied! Toggle word wrap Toggle overflow 
- In originalocsp/WEB-INF/directory, edit theweb.xmlfile and add lines mapping between theeeocspAddCRLandcsadmin-wizardservlets.<servlet-mapping> <servlet-name> ocspOCSP </servlet-name> <url-pattern> /ee/ocsp/* </url-pattern> </servlet-mapping><servlet-mapping> <servlet-name> ocspOCSP </servlet-name> <url-pattern> /ee/ocsp/* </url-pattern> </servlet-mapping>Copy to Clipboard Copied! Toggle word wrap Toggle overflow 
- Create and install theweb.xmlfile in theROOTdirectory. For example:Copy to Clipboard Copied! Toggle word wrap Toggle overflow 
- Edit the/var/lib/pki-ocsp/conf/context.xmlfile, changing the following line:<Context> to <Context crossContext="true" > <Context> to <Context crossContext="true" >Copy to Clipboard Copied! Toggle word wrap Toggle overflow 
- Edit the/var/lib/pki-ocsp/webapps/ocsp/ocsp2/services.templatefile and change the following line:result.recordSet[i].uri); to result.recordSet[i].uri + "/"); result.recordSet[i].uri); to result.recordSet[i].uri + "/");Copy to Clipboard Copied! Toggle word wrap Toggle overflow 
- Start the OCSP instance.systemctl restart pki-tomcatd@instance-name.service ]# systemctl restart pki-tomcatd@instance-name.serviceCopy to Clipboard Copied! Toggle word wrap Toggle overflow 
 
     
    