Chapter 4. Online Certificate Status Protocol
Online Certificate Status Protocol (OCSP) is a technology that allows web browsers and web servers to communicate over a secured connection. Data is encrypted by the sending side and decrypted by the receiving side before it is processed; both the web browser and the web server encrypt and decrypt.
During communication with a web server, the server presents a set of credentials in the form of a certificate. The browser checks the certificate for validity and sends a request for certificate status information. The server sends back a status of current, expired, or unknown. The certificate specifies the syntax for this communication and contains control information such as the start time, the end time, and the address at which an OCSP responder can be reached. The web server can check the status through an OCSP responder it has been configured to use, or through the one listed in the certificate. OCSP allows a grace period for expired certificates, which permits access to a server for a limited time before the certificate is renewed.
OCSP overcomes limitations of the older method, Certificate Revocation List (CRL). For more information on OCSP, see the Red Hat Certificate System Planning, Installation, and Deployment Guide.
4.1. Configuring Apache HTTP Server for SSL Connections
Install mod_ssl using the following command:
# yum install jbcs-httpd24-mod_ssl
Edit JBCS_HOME/httpd/conf.d/ssl.conf, and add the following directives:
<VirtualHost _default_:443>
    ServerName www.example.com:443
    SSLCertificateFile /opt/rh/jbcs-httpd24/root/etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /opt/rh/jbcs-httpd24/root/etc/pki/tls/private/localhost.key
</VirtualHost>
ServerName must match the Common Name (CN) of the SSL certificate. If the ServerName does not match the CN, client browsers display domain name mismatch errors.
SSLCertificateFile is the server certificate (which carries the public key), and SSLCertificateKeyFile is the private key associated with that certificate.
Verify that the Listen directive in the ssl.conf file is correct for your configuration. For example, if an IP address is specified, it must match the IP address to which the httpd service is bound.
Restart Apache HTTP Server using the following command:
# service jbcs-httpd24-httpd restart
4.2. Using Online Certificate Status Protocol with Apache HTTP Server
Before you use Online Certificate Status Protocol (OCSP) for HTTPS, ensure you have configured Apache HTTP Server for SSL connections.
To use OCSP with Apache HTTP Server, ensure that a Certificate Authority (CA) and OCSP Responder are configured correctly.
For more information on how to configure a CA, see the Managing Certificates and Certificate Authorities section in the Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide.
For more information on how to configure an OCSP Responder, see the Configuring OCSP Responders section in the Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide.
Ensure that your Certificate Authority is capable of issuing OCSP certificates. The Certificate Authority must be able to append the following attributes to the certificate:
[ usr_cert ]
...
authorityInfoAccess=OCSP;URI:http://HOST:PORT
...
[ v3_OCSP ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSP Signing
HOST and PORT must be replaced with the host name and port of the OCSP responder that you will configure.
4.3. Configuring Apache HTTP Server to Validate OCSP Certificates
Before configuring Apache HTTP Server to validate OCSP certificates, ensure that a Certificate Authority (CA) and an OCSP Responder are configured correctly. The example below shows how to enable OCSP validation of client certificates.
Add the SSLOCSPEnable directive to ssl.conf to enable OCSP validation:
# Require valid client certificates (mutual auth)
SSLVerifyClient require
SSLVerifyDepth 3

# Enable OCSP
SSLOCSPEnable on
SSLOCSPDefaultResponder http://10.10.10.25:3456
SSLOCSPOverrideResponder on
4.4. Verifying Your OCSP Configuration
You can use the OpenSSL command-line tool to verify your configuration:
# openssl ocsp -issuer cacert.crt -cert client.cert -url http://HOST:PORT -CA ocsp_ca.cert -VAfile ocsp.cert
-issuer is the Certificate Authority certificate.
-cert is the client certificate that you want to verify.
-url is the URL of the OCSP responder that validates the certificate.
-CA is the CA certificate for verifying the server certificate of Apache HTTP Server.
-VAfile is the OCSP responder certificate.
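The CA extension sections from section 4.2 and the openssl ocsp check from section 4.4, carried through end to end as an added lab script that is not part of this guide or of JBCS. It builds a throw-away CA whose openssl.cnf contains the [usr_cert] and [v3_OCSP] sections, issues an OCSP signing certificate and a client certificate from it, and then checks the client certificate's status before and after revocation. Because no responder is listening at http://HOST:PORT in the lab, the signed response is produced offline by the responder mode of openssl ocsp (the -index, -rsigner and -rkey options) and read back with -respin instead of -url; the -issuer, -cert and -VAfile arguments of the verification step are the ones from section 4.4. The responder URI http://ocsp.example.com:2560, the certificate subjects and the file names are constructed for the lab.

```shell
#!/bin/sh
# Added lab, not the guide's code: a throw-away CA using the [usr_cert] and
# [v3_OCSP] sections from section 4.2, then the status check of section 4.4.
# No responder listens at http://HOST:PORT here, so the signed response is
# produced offline by openssl's responder mode (-index) and read with -respin.
# Directory layout, subjects and the responder URI are constructed for the lab.
set -eu

OCSP_LAB_URI="http://ocsp.example.com:2560"   # constructed stand-in for HOST:PORT

# Write a minimal openssl.cnf for "openssl ca" into directory $1.
ocsp_lab_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca       = CA_default

[ CA_default ]
database         = $1/index.txt
new_certs_dir    = $1/newcerts
certificate      = $1/ca.crt
private_key      = $1/ca.key
serial           = $1/serial
default_md       = sha256
default_days     = 365
policy           = policy_cn

[ policy_cn ]
commonName       = supplied

[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
subjectKeyIdentifier = hash

# the two sections the guide says the CA must be able to append
[ usr_cert ]
basicConstraints = CA:FALSE
authorityInfoAccess = OCSP;URI:$OCSP_LAB_URI

[ v3_OCSP ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSP Signing
EOF
}

# Issue a certificate from the lab CA: $1 = dir, $2 = name, $3 = extension section.
ocsp_lab_issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl ca -batch -notext -config "$1/openssl.cnf" -extensions "$3" \
        -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}

# Create the CA database, the root certificate, the OCSP signer and a client certificate.
ocsp_lab_setup() {
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    ocsp_lab_config "$1"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$1/openssl.cnf" \
        -extensions v3_ca -subj "/CN=Lab Root CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    ocsp_lab_issue "$1" ocsp v3_OCSP     # responder certificate (EKU: OCSP Signing)
    ocsp_lab_issue "$1" client usr_cert  # client certificate (AIA names the responder)
}

# Mark the client certificate revoked in the CA database (index.txt).
ocsp_lab_revoke() {
    openssl ca -config "$1/openssl.cnf" -revoke "$1/client.crt" 2>/dev/null
}

# Sign a response from index.txt, then verify it with the -issuer/-cert/-VAfile
# arguments of section 4.4. Prints one word: good, revoked or unknown.
ocsp_lab_status() {
    openssl ocsp -index "$1/index.txt" -CA "$1/ca.crt" -rsigner "$1/ocsp.crt" \
        -rkey "$1/ocsp.key" -issuer "$1/ca.crt" -cert "$1/client.crt" \
        -no_nonce -respout "$1/resp.der" >/dev/null 2>&1
    out=$(openssl ocsp -issuer "$1/ca.crt" -cert "$1/client.crt" -no_nonce \
        -CAfile "$1/ca.crt" -VAfile "$1/ocsp.crt" -respin "$1/resp.der" 2>&1) || true
    case "$out" in
        *"Response verify OK"*) ;;   # signature checked against the -VAfile certificate
        *) echo "OCSP response did not verify: $out" >&2; return 1 ;;
    esac
    printf '%s\n' "$out" | sed -n 's|^.*client\.crt: ||p'   # "<cert>: <status>" summary line
}

# Stand-alone run: build the lab, show the AIA the CA embedded, check the status
# before and after revocation.
LAB=$(mktemp -d)
ocsp_lab_setup "$LAB"
echo "OCSP URI in client.crt:   $(openssl x509 -in "$LAB/client.crt" -noout -ocsp_uri)"
echo "status before revocation: $(ocsp_lab_status "$LAB")"
ocsp_lab_revoke "$LAB"
echo "status after revocation:  $(ocsp_lab_status "$LAB")"
rm -rf "$LAB"
```

Two details matter when reproducing this against a real responder. -no_nonce is used on both sides here only because the request that produced the response and the request used to verify it are built separately, so their nonces could never match; against a live responder reached with -url the nonce should be left on. -VAfile lists the responder certificate as explicitly trusted (it combines -verify_other and -trust_other), so the responder's signature is accepted without chaining it to -CAfile; if the responder certificate is instead to be validated through the CA, use -verify_other with a trust store that contains the CA and check that the certificate carries the "OCSP Signing" extended key usage from [v3_OCSP].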