How to set up an OCSP responder

The OCSP (Online Certificate Status Protocol) service lets clients check whether a certificate has been revoked, so revocation status is propagated automatically. To this end, the OCSP responder's address must be included in the certificates that will be issued from now on.

Create a Certification Authority

First of all, you need a Certification Authority (CA). You can see here how to create your own CA.

Set up the OCSP responder

To include OCSP information in certificates issued from now on, you need to edit “openssl.cnf”.

nano /etc/ssl/openssl.cnf

We need to configure the IPv4 address (http://127.0.0.1) and port (81) where the responder runs. Note that it is preferable to use a public IP address (not localhost), otherwise clients on other machines cannot reach the responder!

Add the following lines if they do not exist.

...
[ usr_cert ]
...
authorityInfoAccess = OCSP;URI:http://127.0.0.1:81

[ v3_OCSP ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
...

As when creating the CA certificate, you need to generate an RSA key, use it to create a CSR, and obtain a certificate from that CSR. The difference is that this time the certificate is signed by the CA (it is not self-signed) and is built with the -extensions v3_OCSP flag, which refers to the section of the same name in the “openssl.cnf” file.

First, we go to the CA directory and create a folder for OCSP.

cd /etc/pki/CA/
mkdir ocsp

Here is how to generate the RSA private key for OCSP.

openssl genrsa -des3 -out private/ocsp.key

Here is how to create the OCSP Certificate Signing Request (CSR).

openssl req -new -key private/ocsp.key -out ocsp/ocsp.csr -subj /C=PT/ST=Coimbra/L=Coimbra/O=MyOrg/OU=MyOrgDep/CN=OCSP/emailAddress=ocsp@example.com -passin pass:example-password

Then the CA needs to sign the OCSP CSR.

openssl ca -in ocsp/ocsp.csr -cert certs/ca.crt -keyfile private/ca.key -out certs/ocsp.crt -extensions v3_OCSP -passin pass:example-password

Then create a file to store the OCSP responder's logs.

touch log.txt

Finally, you can run the OCSP responder with the following command.

openssl ocsp -index index.txt -port 81 -rsigner certs/ocsp.crt -rkey private/ocsp.key -CA certs/ca.crt -text -out log.txt

Your OCSP responder is now configured!
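As an added worked check (not code from the original post), the following script reproduces the whole procedure in a temporary directory with a minimal openssl.cnf carrying the same usr_cert and v3_OCSP sections, starts the responder, and queries it with the OpenSSL OCSP client before and after revoking a test certificate. Port 8081, the Demo-CA subject and the file names are assumptions chosen for the demo; it needs only the openssl binary and a free local port.

```shell
# Added end-to-end check, not code from the original post: throwaway CA in a temp dir,
# OCSP signer from v3_OCSP, responder over index.txt, query before/after a revocation.
set -eu
WORK=$(mktemp -d); cd "$WORK"; trap 'rm -rf "$WORK"' EXIT; mkdir newcerts; touch index.txt; echo 01 > serial
cat > ocsp.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ usr_cert ]
authorityInfoAccess = OCSP;URI:http://127.0.0.1:8081
[ v3_OCSP ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
EOF
# Self-signed CA (constructed Demo-CA subject), then CSRs for the OCSP signer and a test leaf.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -config ocsp.cnf \
  -subj /CN=Demo-CA -addext basicConstraints=critical,CA:TRUE
for n in ocsp leaf; do
  openssl req -new -newkey rsa:2048 -nodes -keyout $n.key -out $n.csr -subj /CN=$n -config ocsp.cnf
done
openssl ca -batch -config ocsp.cnf -extensions v3_OCSP -in ocsp.csr -out ocsp.crt
openssl ca -batch -config ocsp.cnf -extensions usr_cert -in leaf.csr -out leaf.crt
# Serve one request, query for leaf.crt, report verification result and status, e.g. verified:good
ocsp_status() {
  openssl ocsp -index index.txt -port 8081 -rsigner ocsp.crt -rkey ocsp.key \
    -CA ca.crt -nrequest 1 >/dev/null 2>&1 &
  sleep 1
  openssl ocsp -issuer ca.crt -cert leaf.crt -CAfile ca.crt -url http://127.0.0.1:8081 2>&1 |
    awk '/^Response verify OK/ { v = "verified" } /^leaf.crt: / { s = $2 } END { print v ":" s }'
  wait
}
before=$(ocsp_status); openssl ca -batch -config ocsp.cnf -revoke leaf.crt; after=$(ocsp_status)
echo "before revocation: $before  after revocation: $after"
```

The same client command (with your real ca.crt, a certificate it issued and -url pointing at your responder) is the check to run against the responder from the post; "Response verify OK" confirms the signer certificate carries the OCSPSigning extended key usage and chains to your CA.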

Dylan Perdigão