How to set up an OCSP responder
An OCSP (Online Certificate Status Protocol) responder lets clients check the revocation status of a certificate automatically. To this end, the OCSP responder's address must be included in the certificates issued from now on.
Create a Certification Authority
First of all, you need a Certification Authority (CA). You can see here how to create your own CA.
Set up the OCSP responder
To include OCSP information in future issued certificates, you need to edit the “openssl.cnf” file.
nano /etc/ssl/openssl.cnf
We need to configure the IPv4 address (http://127.0.0.1) and port (81) where the responder runs. Note that it is preferable to use a public IP address (not localhost)!
Add the following lines if they do not already exist.
...
[ usr_cert ]
...
authorityInfoAccess = OCSP;URI:http://127.0.0.1:81
[ v3_OCSP ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
...
As for the CA certificate, it is necessary to generate an RSA key that will be used to create the CSR, which is needed to obtain the certificate. The difference is that this time the certificate is signed by the CA (it is not self-signed) and is built with the -extensions v3_OCSP flag, corresponding to the section of the same name in the “openssl.cnf” file.
First, we go to the CA directory and create a folder for OCSP.
cd /etc/pki/CA/
mkdir ocsp
Here is how to generate the RSA private key for OCSP.
openssl genrsa -des3 -out private/ocsp.key 2048
Here is how to create the OCSP Certificate Signing Request (CSR).
openssl req -new -key private/ocsp.key -out ocsp/ocsp.csr -subj /C=PT/ST=Coimbra/L=Coimbra/O=MyOrg/OU=MyOrgDep/CN=OCSP/emailAddress=ocsp@example.com -passin pass:example-password
Then the CA needs to sign the OCSP CSR.
openssl ca -in ocsp/ocsp.csr -cert certs/ca.crt -keyfile private/ca.key -out certs/ocsp.crt -extensions v3_OCSP -passin pass:example-password
Then create a file to store the logs of the OCSP responder.
touch log.txt
Finally, you can run the OCSP responder with the following command.
openssl ocsp -index index.txt -port 81 -rsigner certs/ocsp.crt -rkey private/ocsp.key -CA certs/ca.crt -text -out log.txt
Your OCSP responder is now configured!
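As an added end-to-end check (example script, not part of the original article), the following POSIX shell script builds a throwaway CA in a temporary directory with the same pieces used above (a responder certificate carrying the OCSPSigning extended key usage, an index.txt database, openssl ocsp on a loopback port), marks one of two leaf certificates revoked and queries the responder for both as a client would. Every name, path and the port 8081 are assumptions chosen for this test.

```shell
#!/bin/sh
# Added example, not from the original article: self-test of an OCSP deployment.
# Builds a throwaway CA in a temp dir, issues two leaf certs, marks one revoked
# in index.txt, starts the responder on a loopback port and queries it for both
# the way a client would. All names, paths and the port are constructed here.
set -eu
PORT=${OCSP_TEST_PORT:-8081}
WORK=$(mktemp -d) && cd "$WORK"

# Minimal CA plus a delegated responder certificate; as in the article's
# v3_OCSP section, the responder cert carries the OCSPSigning EKU.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout ca.key -out ca.crt \
  -subj /CN=TestCA 2>/dev/null
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=OCSPSigning\n' > ocsp.ext
openssl req -newkey rsa:2048 -nodes -keyout ocsp.key -out ocsp.csr -subj /CN=OCSP 2>/dev/null
openssl x509 -req -in ocsp.csr -CA ca.crt -CAkey ca.key -set_serial 1 -days 1 \
  -extfile ocsp.ext -out ocsp.crt 2>/dev/null

# Two leaf certificates: serial 2 stays valid, serial 3 will be revoked.
for n in 2 3; do
  openssl req -newkey rsa:2048 -nodes -keyout leaf$n.key -out leaf$n.csr -subj /CN=leaf$n 2>/dev/null
  openssl x509 -req -in leaf$n.csr -CA ca.crt -CAkey ca.key -set_serial $n -days 1 \
    -out leaf$n.crt 2>/dev/null
done

# index.txt in the openssl-ca database format the responder reads: status
# (V/R), expiry, revocation time (UTCTime, empty while valid), hex serial,
# file name, subject. A revocation reaches clients only once it is in here.
EXP=$(date -u -d '+1 day' +%y%m%d%H%M%SZ 2>/dev/null || date -u -v+1d +%y%m%d%H%M%SZ)
NOW=$(date -u +%y%m%d%H%M%SZ)
printf 'V\t%s\t\t02\tunknown\t/CN=leaf2\n' "$EXP" > index.txt
printf 'R\t%s\t%s\t03\tunknown\t/CN=leaf3\n' "$EXP" "$NOW" >> index.txt

# Start the responder for exactly two requests, then query it like a client.
# -CAfile makes the client verify that the response signature chains to the CA.
openssl ocsp -index index.txt -port "$PORT" -rsigner ocsp.crt -rkey ocsp.key \
  -CA ca.crt -nrequest 2 >/dev/null 2>&1 &
RESPONDER=$!; sleep 1
ocsp_status() {  # prints "good", "revoked" or "unknown" for the cert file in $1
  openssl ocsp -issuer ca.crt -CAfile ca.crt -cert "$1" -url "http://127.0.0.1:$PORT" 2>/dev/null \
    | awk -v f="$1:" '$1 == f { print $2 }'
}
GOOD=$(ocsp_status leaf2.crt); REVOKED=$(ocsp_status leaf3.crt)
wait "$RESPONDER" || true
echo "leaf2=$GOOD leaf3=$REVOKED"   # expected: leaf2=good leaf3=revoked
```

Set OCSP_TEST_PORT if 8081 is already in use; the responder exits by itself after answering the two queries.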