
OCSP Check

Introduction

EJBCA OCSP Check

Slide Deck: EJBCA OCSP Check

Overview: In this lab, the VA instance created in an earlier module will be configured as an OCSP responder. There are multiple ways to configure your VA to service certificate status requests; in this lab the VA will host dedicated OCSP signing keys.

When a client application needs the status of a certificate, it contacts the VA, and one of four responses can be returned:

  • Good,

  • Revoked,

  • Unknown, or

  • Unauthorized

After contacting the VA, it is up to the client application to decide whether processing should continue. This lab simulates a client application by using OpenSSL to contact the VA.

The following exercise shows how to perform an OCSP check from a client to the VA with OpenSSL installed.

Note: If you do not have OpenSSL installed, the same check can be performed from the CA, which is capable of running OpenSSL commands by default.

[Figure] Online Certificate Status Protocol (OCSP) terminology

[Figure] OCSP signer, with designated signing keys for a particular CA

[Figure] OCSP signing responses; the client application will need to respond accordingly

[Figure] Data flow showing selected certificate profiles (#2, #5, and #7) being pushed to the VA

Enable the VA Peer Publisher

The first step is to enable the VA Publisher on the Sub CA. The second step is to enable the VA Publisher on the TLSClientCertificate profile, so that every certificate created and signed by the Sub CA with that profile is pushed to the VA. Only certificates that use the TLSClientCertificate profile and are signed by the Sub CA will be pushed to the VA.

Reminder: you can visit the Accessing Your Environment page for details on how to connect to your Admin Web Portal.

  1. Open a browser and access your Admin Web Portal on your CA

  2. Click CA Functions >> Certification Authorities

  3. Select Sub CA in the list of Certification Authorities

  4. Click Edit CA

  5. Under Publishers, deselect Multi Group and select only the VA Publisher

  6. Click Save

  7. Click CA Functions >> Certificate Profiles

  8. Click Edit for the TLSClientCertificateProfile

  9. Under Publishers, make sure VA Publisher is selected

  10. Click Save

Issue a test certificate

  1. Open a browser and click RA Web in the ribbon menu across the top of the page of your CA instance.

  2. Click Enroll >> Make New Request

  3. In the Certificate Type drop-down list, select TLSClientEndEntityProfile

  4. In the CA drop-down list, select Sub CA

  5. In the Key-pair generation selection, select By the CA

  6. In the CN, Common name field, enter OCSPCheck

  7. In the Username field, enter OCSPCheck

  8. In the Enrollment code field, enter foo123

  9. In the Confirm enrollment code field, enter foo123

  10. Click Download PEM

  11. Save the file as OCSPCheck.pem

Download CA certificates

  1. Open a browser and access your Admin Web Portal on your CA

  2. Click CA Functions >> CA Structure & CRLs

  3. For the Root CA, download the certificate by clicking PEM in the Certificate column, and save the certificate as RootCA.cacert.pem

     NOTE: This file was already downloaded in a previous lab, so the browser appends (2) to the filename; if this were the first download there would be no (2).

  4. For the Sub CA level 1, download the certificate by clicking PEM in the Certificate column, and save the certificate as SubCA.cacert.pem

     NOTE: This file was already downloaded in a previous lab, so the browser appends (1) to the filename; if this were the first download there would be no (1).

Test a Valid Certificate

  1. All three files should now be in the /home/sysadmin/Downloads directory (OCSPCheck.pem, RootCA.cacert.pem, SubCA.cacert.pem)

  2. Open the TERMINAL application on the desktop.

CODE
cd ~/Downloads

  3. Run the openssl command to check the status of the certificate.

CODE
openssl ocsp -issuer SubCA.cacert.pem -CAfile RootCA.cacert.pem -cert OCSPCheck.pem -req_text -resp_text -url http://va.keyfactor.training/ejbca/publicweb/status/ocsp

  4. The result should report that the certificate is valid.

CODE
Response verify OK
OCSPCheck.pem: good

If the status is unknown, wait a minute for the CA to push the new information to the VA.
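As an added example that is not part of the EJBCA lab, the following POSIX shell script wraps the openssl ocsp command above so that a client script can act on the result programmatically instead of reading it by eye. It assumes OpenSSL is installed and uses the lab's VA URL and file names; the OCSP_URL, OCSP_SIGNER and OCSP_SIGNKEY variables, the function names and the embedded sample outputs (constructed from the responses shown on this page) are this example's own. The status word is only trusted when "Response verify OK" is present, an unknown status is retried because the VA may lag the CA by up to a minute, the sigrequired responder error that appears later in this lab is reported as its own outcome, and anything other than good fails closed.

```shell
#!/bin/sh
# Added example, not part of the EJBCA lab. Wraps `openssl ocsp` so a client
# script gets one machine-readable status word instead of reading the output
# by eye. Assumes OpenSSL is installed; the VA URL and file names are the lab's.
# OCSP_URL, OCSP_SIGNER, OCSP_SIGNKEY and the function names are this example's own.

OCSP_URL="http://va.keyfactor.training/ejbca/publicweb/status/ocsp"

# classify_ocsp_output: read `openssl ocsp` output (stdout and stderr merged)
# on stdin and print exactly one of:
#   good | revoked | unknown | sigrequired | responder-error | verify-failed | no-status
# The per-certificate status line is only trusted when the responder's
# signature verified ("Response verify OK"); a "good" after a verify failure
# is reported as verify-failed, never as good.
classify_ocsp_output() {
    out=$(cat)
    case "$out" in
        *"Responder Error: sigrequired"*) echo sigrequired; return 0 ;;
        *"Responder Error:"*)             echo responder-error; return 0 ;;
    esac
    case "$out" in
        *"Response verify OK"*) ;;
        *) echo verify-failed; return 0 ;;
    esac
    # The status line looks like "OCSPCheck.pem: good"; detail lines such as
    # "    This Update: ..." are indented, so they do not match.
    status=$(printf '%s\n' "$out" |
        awk -F': ' '/^[^ ]+: (good|revoked|unknown)( |$)/ { print $2; exit }')
    case "$status" in
        good|revoked|unknown) echo "$status" ;;
        *)                    echo no-status ;;
    esac
}

# decide_ocsp: succeed (exit 0) only for "good". Everything else fails closed:
# "unknown", a verify failure or a responder error must not be treated as valid.
decide_ocsp() {
    [ "$1" = good ]
}

# ocsp_status CERT ISSUER CAFILE: run the lab's query and classify the result.
# If OCSP_SIGNER/OCSP_SIGNKEY are set the request is signed, which is what the
# responder demands when "Request must be signed with a trusted certificate"
# is enabled (otherwise it answers "sigrequired").
ocsp_status() {
    cert=$1; issuer=$2; cafile=$3
    set -- -issuer "$issuer" -CAfile "$cafile" -cert "$cert" -url "$OCSP_URL"
    if [ -n "${OCSP_SIGNER:-}" ] && [ -n "${OCSP_SIGNKEY:-}" ]; then
        set -- "$@" -signer "$OCSP_SIGNER" -signkey "$OCSP_SIGNKEY"
    fi
    # "Response verify OK" is written to stderr, hence 2>&1.
    openssl ocsp "$@" 2>&1 | classify_ocsp_output
}

# ocsp_status_retry CERT ISSUER CAFILE [ATTEMPTS]: the VA may lag the CA by up
# to a minute after issuance or revocation, so "unknown" is retried a few
# times (default 6 x 10 s) before being reported.
ocsp_status_retry() {
    attempts=${4:-6}
    i=1
    while :; do
        s=$(ocsp_status "$1" "$2" "$3")
        if [ "$s" != unknown ] || [ "$i" -ge "$attempts" ]; then
            echo "$s"
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
}

# Constructed sample outputs, modelled on the responses shown in this lab,
# so the classifier can be exercised without a reachable responder.
SAMPLE_GOOD='Response verify OK
OCSPCheck.pem: good
    This Update: Jan 01 12:00:00 2018 GMT'
SAMPLE_REVOKED='Response verify OK
OCSPCheck.pem: revoked
    This Update: Jan 01 12:00:00 2018 GMT
    Reason: superseded
    Revocation Time: Jan 01 11:00:00 2018 GMT'
SAMPLE_SIGREQUIRED='Responder Error: sigrequired (5)'
SAMPLE_UNVERIFIED='Response Verify Failure
OCSPCheck.pem: good'

# Typical use from ~/Downloads (only when the VA is reachable):
#   status=$(ocsp_status_retry OCSPCheck.pem SubCA.cacert.pem RootCA.cacert.pem)
#   decide_ocsp "$status" || { echo "certificate not usable: $status" >&2; exit 1; }
```

The classifier reads the merged output because openssl writes the verification verdict to stderr and the status line to stdout; checking only stdout would let a "good" from an unverified response through. Treating unknown as not-good mirrors the lab's point that the client, not the VA, decides whether processing continues.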

Revoke and Test the Certificate

  1. Open a browser and access your Admin Web Portal on your CA instance

  2. Click RA Functions >> Search End Entities

  3. In the Search end entity with username textbox type OCSPCheck and click Search

  4. Click Certificate >> View on the OCSPCheck row

  5. At the bottom, select Superseded in the drop box and click Revoke

  6. Confirm by clicking OK

  7. Check the bottom of the page and make sure the certificate is revoked

  8. Click Close

  9. Run the same command again:

CODE
openssl ocsp -issuer SubCA.cacert.pem -CAfile RootCA.cacert.pem -cert OCSPCheck.pem -req_text -resp_text -url http://va.keyfactor.training/ejbca/publicweb/status/ocsp

  10. The result should look something like this:

CODE
Response verify OK
OCSPCheck.pem: revoked
    This Update: Jan 01 12:00:00 2018 GMT
    Reason: superseded
    Revocation Time: Jan 01 11:00:00 2018 GMT

If the status is still good, wait a minute for the CA to push the new information to the VA.

Reminder: you can visit the Accessing Your Environment page for details on how to connect to the Admin Web Portal for the VA.

Restrict access to the OCSP responder

  1. Open a browser and access your Admin Web Portal on your VA

  2. Click VA Functions >> OCSP Responders

  3. Click SubCA in the name column

  4. Click Edit

  5. Enable Request must be signed with a trusted certificate by ticking the checkbox

  6. Click Save

  7. Click System Configuration >> System Configuration on the menu

  8. Scroll halfway down the page, and click the button labeled Clear all caches in the Application Caches section

  9. Click Save

Test the Restricted OCSP responder

  1. All three files should still be in the /home/sysadmin/Downloads directory (OCSPCheck.pem, RootCA.cacert.pem, SubCA.cacert.pem)

  2. Open the TERMINAL application on the desktop

CODE
cd ~/Downloads

  3. Run the openssl command to check the status of the certificate.

CODE
openssl ocsp -issuer SubCA.cacert.pem -CAfile RootCA.cacert.pem -cert OCSPCheck.pem -req_text -resp_text -url http://va.keyfactor.training/ejbca/publicweb/status/ocsp

  4. Confirm the result looks something like this:

CODE
Responder Error: sigrequired (5)

Remove the OCSP Responder Restriction

  1. Open a browser and access your Admin Web Portal on your VA

  2. Click VA Functions >> OCSP Responders

  3. Click SubCA in the name column, click Edit

  4. Disable Request must be signed with a trusted certificate by unticking the checkbox

  5. Click Save

  6. Click System Configuration >> System Configuration on the left hand menu

  7. Scroll halfway down the page, and click the button labeled Clear all caches

  8. Click Save

Rerun the command above; the certificate response will again report Revoked with the reason Superseded:

CODE
Response verify OK
OCSPCheck.pem: revoked
    This Update: Jan 01 12:00:00 2018 GMT
    Reason: superseded
    Revocation Time: Jan 01 11:00:00 2018 GMT

Questions and Answers
