How to set up an OCSP responder
The OCSP (Online Certificate Status Protocol) service validates certificates to propagate the information of the revoking status of certificates automatically. To this end, it is necessary to include OCSP information in future certificates created.
Create a Certification Authority
First of all, you need a Certification Authority (CA). You can see here how to create your own CA.
Set up the OCSP responder
To include OCSP information on future issued certificates, you need to edit the “
We need to configure the Ipv4 address (http://127.0.0.1) and port (81) where the server runs. Note that it’s preferable using a public IP address (and not the localhost)!
Add the following lines if they do not exist.
[ usr_cert ]
authorityInfoAccess = OCSP;URI:http://127.0.0.1:81
[ v3_OCSP ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
Like the creation of the CA certificate, it is necessary to generate an RSA key that will be used in the creation of the CSR, which is necessary to obtain the certificate. The difference lies in the fact that the certificate is signed this time by CA ( it is not self-signed) and is built with the
-extensions v3_OCSP flag corresponding to the homonymous section of the “
First, we go to the CA directory and create a folder for OCSP.
Here is how to generate the RSA private key for OCSP.
openssl genrsa -des3 -out private/ocsp.key
Here is how to create the OCSP Certificate Signing Request (CSR).
openssl req -new -key private/ocsp.key -out ocsp/ocsp.csr -subj /C=PT/ST=Coimbra/L=Coimbra/O=MyOrg/OU=MyOrgDep/CN=OCSP/emailAddressemail@example.com -passin pass:example-password
The the CA needs to sign the OCSP CSR.
openssl ca -in ocsp/ocsp.csr -cert certs/ca.crt -keyfile private/ca.key -out certs/ocsp.crt -extensions v3_OCSP -passin pass:example-password
Then create a file to store logs from OCSP responder.
Finally, you can run the OCSP responder with the following command.
openssl ocsp -index index.txt -port 81 -rsigner certs/ocsp.crt -rkey private/ocsp.key -CA certs/ca.crt -text -out log.txt
You have now your OCSP responder configured!