
OCSP Configuration

Introduction

Key bindings and Peer Connectors

Slide Deck: Key bindings and Peer Connectors

Overview: This next section creates the designated signing key that will be used for our OCSP responder. This is a multi-step process, and at the end of the lab, a signing key will be installed on the OCSP responder which will be used in a subsequent module.

The first step is to create the OCSP Key binding.

  1. Create a crypto token for the OCSP Key binding on the VA instance.

  2. Issue the certificate for the OCSP Key binding.

  3. Enable the OCSP Key binding.

Slide Reference

Steps required to create a designated signing key on the external VA

A closer look at creating the Subordinate CA’s designated signing key

Reminder: you can visit the Accessing Your Environment page for details on how to connect to the Admin Web portal on your VA or CA instance(s).

This lab jumps back and forth between the CA and the VA; pay particular attention to the instance you are logged into.

Create OCSP Crypto Token

  1. Open a browser and access the Admin Web Portal on your VA

  2. Click CA Functions >> Crypto Tokens

  3. Click on the Create new... link

  4. In the Name field, enter OCSP

  5. In the Type list, select SOFT

  6. Enable the Use checkbox for Auto-Activation

  7. In the Authentication Code field, enter foo123

  8. In the Repeat Authentication Code field, enter foo123

  9. Click Save

  10. Enter SubCAOcspKey00001 as the name for the new key, choose RSA 2048 from the list, and click Generate new key pair

Create OCSP Key Binding

  1. Open a browser and access the Admin Web Portal on your VA

  2. Click VA Functions >> OCSP Responders

  3. Click on the Create new... link

  4. In the Name field, enter SubCA

  5. In the Crypto Token list, select OCSP

  6. In the Key Pair Alias list, select SubCAOcspKey00001

  7. In the Signature Algorithm list, select SHA256WithRSA

  8. Click Create

  9. Click Back to Overview

  10. In the SubCA row under the Actions column click CSR

  11. Download the SubCA.pkcs10.pem CSR

Create an OCSP Signing Certificate Profile

  1. Open a browser and access the Admin Web Portal on your CA

  2. Click CA Functions >> Certificate Profiles

  3. Next to the OCSPSIGNER profile, click Clone

  4. In the Name of New certificate profile field, enter OCSPSignerCertificateProfile

  5. Click Create from template

  6. Click Edit on the profile OCSPSignerCertificateProfile

  7. In the Available key algorithms list, select RSA

  8. In the Available bit lengths list, select 2048 bits

  9. In the Validity field, enter 3mo

  10. Uncheck the Basic Constraints checkbox labeled Use…

  11. Uncheck the Subject Alternative Name checkbox labeled Use…

  12. Uncheck the Issuer Alternative Name checkbox labeled Use…

  13. Uncheck the LDAP DN order checkbox

  14. Click Save

Create an OCSP Signing End Entity Profile

  1. Click RA Functions >> End Entity Profiles

  2. Select TLSClientEndEntityProfile

  3. In the Add End Entity Profile field, enter OCSPSignerEndEntityProfile

  4. Click Clone selected

  5. Select the OCSPSignerEndEntityProfile

  6. Click Edit End Entity Profile

  7. In the Default Certificate profile list, select OCSPSignerCertificateProfile

  8. In the Available Certificate Profiles box, ensure only OCSPSignerCertificateProfile is selected

  9. In the Available CAs field, ensure Any CA is selected

  10. In the Default Token field, ensure only User Generated is selected

  11. In the Available Tokens field, ensure only User Generated is selected

  12. Click Save

Issue the OCSP Certificate

  1. Open a browser and, from your CA instance, click RA Web in the ribbon menu across the top of the page.

  2. Click Enroll >> Make New Request

  3. In the Certificate Type drop-down list, select OCSPSignerEndEntityProfile

  4. In the CA drop-down list, select Sub CA

  5. In the Key-pair generation selection, select Provided by user

  6. Click Browse, open Downloads and locate the CSR file that was created from the key bindings page (it should be named SubCA.pkcs10.pem), then click Select

  7. In the CN, Common name field, enter SubCAOCSP

  8. In the Username field, enter SubCAOCSP

  9. Click Download PEM full chain

  10. Save the file as SubCAOCSP.pem

  11. Open a browser and access the Admin Web Portal on your VA

  12. Click VA Functions >> OCSP Responders

  13. To the right of Target OCSP Responder, in the list, select SubCA

  14. To the right of Certificate, click Browse

  15. Open Downloads and locate the certificate that was downloaded in the previous steps (it should be named SubCAOCSP.pem), then click Select

  16. Click Import

  17. In the SubCA row under the Actions column, click Enable

  18. Under Set Default Responder, in the drop-down list, select OCSPKeyBinding: SubCA

  19. Click Set
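Before importing the certificate into the key binding on the VA, it is worth confirming on the command line that what the CA issued is actually usable as a designated OCSP signer: the public key must match the CSR exported from the key binding (otherwise the import is rejected), the certificate must carry the OCSP Signing extended key usage and Digital Signature key usage, it must not be a CA certificate, and it must be within its validity period. The following script is an added example and not part of the lab or of EJBCA; it assumes the openssl CLI is installed and uses the lab's file names (SubCA.pkcs10.pem, SubCAOCSP.pem). Because it has to run offline, make_fixtures builds constructed stand-ins (a throwaway RSA 2048 key, a CSR, a self-signed certificate with the OCSP-signer extensions and one without) instead of the files produced by your VA and CA.

```shell
#!/bin/sh
# Added example (not part of the lab): sanity checks on the CSR exported from
# the VA key binding and on the certificate issued by the CA, run before the
# "Import" step. Assumes the openssl CLI; file names follow the lab.

# The lab's certificate profile only allows RSA 2048. Return 0 if the CSR
# carries an RSA key of the expected size.
check_csr_key() {
  csr="$1"; bits="${2:-2048}"
  text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || return 1
  printf '%s\n' "$text" | grep -q "Public Key Algorithm: rsaEncryption" || return 1
  printf '%s\n' "$text" | grep -q "Public-Key: (${bits} bit)" || return 1
  return 0
}

# Return 0 if the certificate can act as a designated OCSP signer:
#  - Extended Key Usage includes OCSP Signing
#  - Key Usage includes Digital Signature
#  - it is not a CA certificate (the lab disables Basic Constraints)
#  - it has not expired (-checkend 0 checks notAfter against now)
check_ocsp_signer_cert() {
  cert="$1"
  text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || return 1
  printf '%s\n' "$text" | grep -q "OCSP Signing" || return 1
  printf '%s\n' "$text" | grep -q "Digital Signature" || return 1
  printf '%s\n' "$text" | grep -q "CA:TRUE" && return 1
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 1
  return 0
}

# Return 0 if the certificate's public key is the one in the CSR, i.e. the key
# that lives in the VA crypto token. A mismatch is the usual reason an import
# into the key binding fails.
cert_matches_csr() {
  csr="$1"; cert="$2"
  csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 1
  cert_key=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$csr_key" ] && [ "$csr_key" = "$cert_key" ]
}

# Constructed fixtures standing in for the lab's real files: one key, a CSR,
# a self-signed certificate with the OCSP-signer extensions, and a client
# certificate that must fail the check.
make_fixtures() {
  dir="$1"
  mkdir -p "$dir"
  cfg="$dir/ext.cnf"
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
    '[ocsp_ext]' 'keyUsage = critical,digitalSignature' \
    'extendedKeyUsage = OCSPSigning' 'basicConstraints = CA:FALSE' \
    '[client_ext]' 'keyUsage = critical,digitalSignature' \
    'extendedKeyUsage = clientAuth' > "$cfg"
  openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
  openssl req -new -config "$cfg" -key "$dir/key.pem" -subj "/CN=SubCAOCSP" \
    -out "$dir/SubCA.pkcs10.pem" 2>/dev/null
  openssl req -new -x509 -config "$cfg" -extensions ocsp_ext -key "$dir/key.pem" \
    -subj "/CN=SubCAOCSP" -days 90 -out "$dir/SubCAOCSP.pem" 2>/dev/null
  openssl req -new -x509 -config "$cfg" -extensions client_ext -key "$dir/key.pem" \
    -subj "/CN=NotAnOcspSigner" -days 90 -out "$dir/client.pem" 2>/dev/null
}

# Usage against the real lab files (run after "Download PEM full chain"):
#   check_csr_key SubCA.pkcs10.pem 2048 && check_ocsp_signer_cert SubCAOCSP.pem \
#     && cert_matches_csr SubCA.pkcs10.pem SubCAOCSP.pem && echo "ready to import"
```

The checks only look at the leaf certificate; since the lab downloads the full PEM chain, openssl x509 reads the first certificate in the file, which is the OCSP signer itself. The 90-day validity of the constructed fixture mirrors the 3mo validity set in the certificate profile.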
