Chapter 4. Securing connections by using OCSP

Online Certificate Status Protocol (OCSP) is an Internet protocol (RFC 6960) that a TLS client or server uses to ask a certificate authority (CA), or a responder acting on its behalf, whether a specific X.509 certificate has been revoked. OCSP does not encrypt anything itself: the confidentiality of the connection comes from SSL/TLS, and OCSP adds a revocation check on top of the normal certificate validation that each side performs.

4.1. Online Certificate Status Protocol

When a web browser and a web server communicate over a secured connection, the server presents its credentials in the form of a certificate. The browser validates the certificate chain and validity period, and then sends a request for the status of the certificate to an OCSP responder. The responder replies with a signed status of good, revoked, or unknown.

The certificate contains the following information that is relevant to OCSP:

  • The validity period (notBefore and notAfter). The client checks this itself; an OCSP responder reports revocation, not expiry.
  • The Authority Information Access (AIA) extension, which carries the URL of the OCSP responder that answers for the issuing CA.

The web server uses an OCSP responder to check the status of certificates that clients present. You can configure the web server to use the OCSP responder that is listed in the certificate or to always use a responder of your choice. Note that OCSP reports revocation only: an expired certificate is rejected during normal validation regardless of what the responder says. An OCSP response itself carries a validity window (thisUpdate and nextUpdate), which the client checks while tolerating a small amount of clock skew.

OCSP overcomes limitations of the older Certificate Revocation List (CRL) method. A CRL is a periodically published list of every revoked serial number for a CA, so it can be large and is only as current as its last publication, whereas an OCSP response answers for a single certificate on demand.

4.2. Configuring the Apache HTTP Server for SSL connections

You can configure the Apache HTTP Server to support SSL connections by installing the mod_ssl package and specifying configuration settings in the ssl.conf file.

Prerequisites

  • You have generated an SSL certificate and private key.
  • You know the location of the SSL certificate and private key file.
  • You have obtained the Common Name (CN) that is associated with the SSL certificate.

Procedure

  1. To install mod_ssl, enter the following command:

    # yum install jbcs-httpd24-mod_ssl
  2. To specify SSL configuration settings:

    1. Open the JBCS_HOME/httpd/conf.d/ssl.conf file.
    2. Enter details for the ServerName, SSLCertificateFile, and SSLCertificateKeyFile.

      For example:

      <VirtualHost _default_:443>
      ServerName www.example.com:443
      SSLEngine on
      SSLCertificateFile /opt/rh/jbcs-httpd24/root/etc/pki/tls/certs/localhost.crt
      SSLCertificateKeyFile /opt/rh/jbcs-httpd24/root/etc/pki/tls/private/localhost.key
      </VirtualHost>
      Note
      • The ServerName must match the Common Name (CN) that is associated with the SSL certificate. If the ServerName does not match the CN, client browsers display domain name mismatch errors. Modern browsers match the host name against the Subject Alternative Name (SAN) extension rather than the CN, so the certificate's SAN list must also include the ServerName.
      • SSLEngine on enables SSL/TLS for the virtual host; the ssl.conf file that ships with mod_ssl already contains this directive.
      • The SSLCertificateFile specifies the path to the SSL certificate file.
      • The SSLCertificateKeyFile specifies the path to the private key file that is associated with the SSL certificate. The file must be readable only by root, because anyone who can read it can impersonate the server.
  3. Verify that the Listen directive in ssl.conf matches the host name or IP address and the port (443 by default) on which the httpd service should accept SSL connections for your deployment.
  4. To restart the Apache HTTP Server, enter the following command:

    # service jbcs-httpd24-httpd restart
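As an added example (not part of the JBCS documentation), the following POSIX shell script checks two things the procedure above depends on before you restart httpd: that the certificate matches the ServerName the way browsers check it (SAN entries first, CN only as a fallback), and that the file named in SSLCertificateKeyFile really is the private key for the certificate in SSLCertificateFile. It generates a throwaway self-signed certificate and an unrelated key as constructed test data; the host names and file names are assumptions.

```shell
#!/bin/sh
# Added example, not JBCS code: pre-flight checks for the ServerName,
# SSLCertificateFile and SSLCertificateKeyFile values in ssl.conf.
# Host names and file names below are assumptions; the certificate is test data.
set -eu

# check_hostname HOSTNAME CERT: does CERT match HOSTNAME the way a browser
# checks it (SAN first, CN as fallback)? openssl prints "does match" or
# "does NOT match"; the function's exit status carries the answer.
check_hostname() {
    openssl x509 -in "$2" -noout -checkhost "$1" | grep -q 'does match'
}

# check_key_matches CERT KEY: compare the SHA-256 of the public key inside the
# certificate with that of the public key derived from the private key.
check_key_matches() {
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    b=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$a" = "$b" ]
}

# make_demo_cert: constructed test data in a scratch directory. demo.crt has
# CN=www.example.com and SAN entries for www.example.com and example.com;
# other.key is an unrelated private key that must NOT match it.
make_demo_cert() {
    WORK=$(mktemp -d)
    cd "$WORK"
    # Minimal req config so the script does not depend on the system openssl.cnf.
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\n' > req.cnf
    openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj /CN=www.example.com \
        -addext subjectAltName=DNS:www.example.com,DNS:example.com \
        -keyout demo.key -out demo.crt 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out other.key 2>/dev/null
}

make_demo_cert
for host in www.example.com example.com mail.example.com; do
    if check_hostname "$host" demo.crt; then
        echo "ServerName $host: certificate matches"
    else
        echo "ServerName $host: MISMATCH, browsers will show a name error"
    fi
done
check_key_matches demo.crt demo.key && echo "demo.key is the key for demo.crt"
check_key_matches demo.crt other.key || echo "other.key is NOT the key for demo.crt"
```

Point check_hostname and check_key_matches at the real SSLCertificateFile and SSLCertificateKeyFile paths from ssl.conf to validate a deployment; the -checkhost option applies the same matching rules (SAN before CN, wildcard handling) that OpenSSL's own verifier uses, so a mismatch here is a mismatch for clients too.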

4.3. Using OCSP with the Apache HTTP Server

You can use the Online Certificate Status Protocol (OCSP) with the Apache HTTP Server to check the revocation status of the certificates that clients present. This requires a certificate authority (CA) that issues certificates carrying an OCSP pointer, and an OCSP responder that answers for that CA.

Procedure

  1. Configure a certificate authority.

    Note

    Ensure that your CA issues certificates that point to an OCSP responder, and that it can issue a certificate for the responder itself. In the OpenSSL CA configuration (openssl.cnf), the following sections provide this:

    # Extensions for end-entity certificates: the Authority Information Access
    # extension tells clients where to send OCSP requests for this certificate.
    [ usr_cert ]
    ...
    authorityInfoAccess=OCSP;URI:http://<HOST>:<PORT>
    ...
    # Extensions for the OCSP responder's own certificate
    # (issue it with: openssl ca -extensions v3_OCSP ...).
    [ v3_OCSP ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = OCSP Signing

    In the preceding example, replace <HOST> and <PORT> with the host name or IP address and port of the OCSP responder that you configure in the next step. The responder certificate must be issued by the same CA as the certificates it answers for and must carry the OCSP Signing extended key usage; otherwise clients reject the responder's signed responses unless they are configured to trust the responder certificate explicitly.

  2. Configure an OCSP responder that listens at <HOST>:<PORT> and answers from the CA's revocation database. For example, the openssl ocsp command can run as a simple responder (with the -index, -CA, -rsigner, -rkey and -port options), reading the index.txt database that openssl ca maintains and signing responses with the certificate issued under v3_OCSP.

4.4. Configuring the Apache HTTP Server to validate OCSP certificates

You can configure the Apache HTTP Server to validate client certificates through OCSP by defining OCSP settings in the ssl.conf file.

Procedure

  1. Open the JBCS_HOME/httpd/conf.d/ssl.conf file.
  2. Specify the appropriate OCSP configuration details for your deployment.

    For example:

    # Require valid client certificates (mutual auth)
    SSLVerifyClient require
    SSLVerifyDepth  3
    # CA that issued the client certificates (required with SSLVerifyClient; example path)
    SSLCACertificateFile /opt/rh/jbcs-httpd24/root/etc/pki/tls/certs/ca.crt
    # Enable OCSP validation of the client certificate chain
    SSLOCSPEnable on
    SSLOCSPDefaultResponder http://<HOST>:<PORT>
    SSLOCSPOverrideResponder on
    Note

    The preceding example enables OCSP validation of client certificates: for each certificate in the chain that a client presents, mod_ssl sends an OCSP request and rejects the handshake if the status is revoked, if the response cannot be verified, or if the responder cannot be reached. SSLVerifyClient require also needs SSLCACertificateFile (or SSLCACertificatePath) to name the CA that issued the client certificates; the path shown is an example. With SSLOCSPOverrideResponder on, mod_ssl ignores the responder URL in each certificate's Authority Information Access extension and always queries SSLOCSPDefaultResponder; set it to off to use the certificate's own responder and fall back to the default responder only for certificates that name none. Replace <HOST> and <PORT> with the host name or IP address and port of the default OCSP responder. These directives do not affect the server's own certificate; OCSP for the server certificate is handled by OCSP stapling (SSLUseStapling), which is configured separately.

4.5. Verifying the OCSP configuration for the Apache HTTP Server

You can use the OpenSSL command-line tool to verify, independently of the Apache HTTP Server, that the OCSP responder answers correctly for a certificate issued by your CA.

Procedure

  • On the command line, enter the openssl command in the following format:

    # openssl ocsp -issuer cacert.crt -cert client.cert -url http://HOST:PORT -CAfile ocsp_ca.cert -VAfile ocsp.cert

    In the preceding command, ensure that you specify the following details:

    • Use the -issuer option to specify the certificate of the CA that issued the certificate being checked. Specify -issuer before -cert, because the certificate ID in the request is computed from the issuer.
    • Use the -cert option to specify the client certificate whose status you want to verify.
    • Use the -url option to specify the URL of the OCSP responder (the HTTP server that answers status requests).
    • Use the -CAfile option to specify the CA certificates that are trusted when verifying the signature on the OCSP response. (The similarly named -CA option is a responder-mode option that names the CA for an index file; it has no effect when querying a responder.)
    • Use the -VAfile option to specify explicitly trusted OCSP responder certificates. This is only needed when the responder certificate is not issued by the CA given with -issuer or does not carry the OCSP Signing extended key usage.

    A successful check prints Response verify OK followed by a status line for the certificate, for example client.cert: good or client.cert: revoked. A status of unknown means the responder has no record of the certificate, which usually indicates that the request went to the wrong responder or that the wrong -issuer certificate was given. Add -resp_text to print the full response, including its thisUpdate and nextUpdate times.