Chapter 4. Online Certificate Status Protocol

Online Certificate Status Protocol (OCSP), defined in RFC 6960, lets a TLS client or server ask a Certificate Authority's OCSP responder whether a particular X.509 certificate has been revoked. The requester identifies the certificate by its serial number together with hashes of the issuer's name and public key; the responder answers with a signed status. OCSP does not itself encrypt anything: the encrypted connection is provided by SSL/TLS, and OCSP is one of the checks a peer performs on the certificate presented during the TLS handshake.

During a TLS handshake the server presents its certificate and, when client authentication is configured, the browser presents one too. The receiving side checks the certificate's signature and validity period (the start and end times embedded in the certificate) and then queries an OCSP responder for its revocation status. The responder returns one of three statuses: good, revoked, or unknown. The address of the responder is normally carried in the certificate itself, in the Authority Information Access (AIA) extension; Apache HTTP Server can use that address, or it can be configured to use a responder of its own instead. Expiry is not an OCSP status: a certificate past its end time fails the validity-period check before any OCSP request is made.

OCSP addresses the main limitation of the older method, the Certificate Revocation List (CRL): a CRL must be downloaded in full and is only as fresh as its last publication, whereas an OCSP response covers a single certificate and is fetched at the moment it is needed. For more information on OCSP, see the Red Hat Certificate System Planning, Installation, and Deployment Guide.

4.1. Configuring Apache HTTP Server for SSL Connections

  1. Install mod_ssl using the following command:

    # yum install jbcs-httpd24-mod_ssl
  2. Edit JBCS_HOME/httpd/conf.d/ssl.conf, and add ServerName, SSLCertificateFile, and SSLCertificateKeyFile:

    <VirtualHost _default_:443>
    ServerName www.example.com:443
    SSLCertificateFile /opt/rh/jbcs-httpd24/root/etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /opt/rh/jbcs-httpd24/root/etc/pki/tls/private/localhost.key
    • ServerName must match a host name in the certificate. Current browsers compare it against the DNS entries of the Subject Alternative Name (SAN) extension and no longer fall back to the Common Name (CN); if the name is missing from the certificate, client browsers display a domain name mismatch error.
    • SSLCertificateFile is the server certificate, which carries the public key; SSLCertificateKeyFile is the matching private key. Keep the key file readable by root only: httpd loads it at start-up, before its worker processes drop privileges. A key that does not belong to the certificate makes httpd refuse to start.
    • Verify that the Listen directive in the ssl.conf file is correct for your configuration. For example, if an IP address is specified, it must match the IP address the httpd service is bound to.
  3. Restart Apache HTTP Server using the following command:

    # service jbcs-httpd24-httpd restart
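A pre-flight check for the procedure above, added here as an example (it is not part of the Red Hat guide): it reads the three directives out of an ssl.conf fragment, confirms that the private key belongs to the certificate, and confirms that the ServerName host is among the certificate's DNS SANs, the two mistakes that most often surface only at the restart in step 3. The fragment, the self-signed certificate, the unrelated key and the temporary paths are constructed for the demo.

```shell
#!/bin/sh
# Added pre-restart check for step 2 (not from the Red Hat guide): read
# ServerName, SSLCertificateFile and SSLCertificateKeyFile from an ssl.conf
# fragment, confirm that the key really belongs to the certificate, and
# confirm that the host name is listed as a DNS SAN, which is what browsers
# match. The ssl.conf fragment and the self-signed certificate are
# constructed here for the demo; all paths are assumptions.
set -eu

# directive CONF NAME: value of the first NAME directive in CONF
directive() {
  awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# cert_key_match CERT KEY: succeed if CERT's public key equals the one
# derived from KEY (a swapped or stale key file is the usual restart failure)
cert_key_match() {
  certpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  keypub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$certpub" = "$keypub" ]
}

# cert_has_dns_san CERT HOST: succeed if HOST is one of CERT's DNS SANs
cert_has_dns_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# check_vhost CONF: run both checks against the directives in CONF;
# ServerName may carry a :port suffix as in the snippet above
check_vhost() {
  host=$(directive "$1" ServerName | sed 's/:[0-9]*$//')
  cert=$(directive "$1" SSLCertificateFile)
  key=$(directive "$1" SSLCertificateKeyFile)
  cert_key_match "$cert" "$key" || { echo "FAIL: $key does not match $cert"; return 1; }
  cert_has_dns_san "$cert" "$host" || { echo "FAIL: $host is not a DNS SAN in $cert"; return 1; }
  echo "ok: $host served with $cert"
}

# --- constructed demo material: a self-signed cert with a SAN, plus an unrelated key
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/san.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_srv
prompt = no
[ dn ]
CN = www.example.com
[ v3_srv ]
subjectAltName = DNS:www.example.com, DNS:example.com
EOF
openssl req -x509 -config "$WORK/san.cnf" -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/localhost.key" -out "$WORK/localhost.crt" 2>/dev/null
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null

# vhost FILE SERVERNAME KEY: write a fragment in the shape of step 2
vhost() {
  cat > "$WORK/$1" <<EOF
<VirtualHost _default_:443>
ServerName $2
SSLCertificateFile $WORK/localhost.crt
SSLCertificateKeyFile $3
</VirtualHost>
EOF
}
vhost ssl.conf     www.example.com:443  "$WORK/localhost.key"
vhost badkey.conf  www.example.com:443  "$WORK/other.key"
vhost badname.conf shop.example.com:443 "$WORK/localhost.key"

check_vhost "$WORK/ssl.conf"              # ok
check_vhost "$WORK/badkey.conf" || true   # FAIL: key does not match the certificate
check_vhost "$WORK/badname.conf" || true  # FAIL: shop.example.com is not a DNS SAN
```

Run it before the restart in step 3; a non-zero exit from check_vhost on the real ssl.conf means httpd would either fail to start (key mismatch) or start and hand browsers a name-mismatch error (SAN missing).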

4.2. Using Online Certificate Status Protocol with Apache HTTP Server

Before you use Online Certificate Status Protocol (OCSP) for HTTPS, ensure you have configured Apache HTTP Server for SSL connections.

To use OCSP with Apache HTTP Server, ensure that a Certificate Authority (CA) and OCSP Responder are configured correctly.

For more information on how to configure a CA, see the Managing Certificates and Certificate Authorities section in the Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide.

For more information on how to configure an OCSP Responder, see the Configuring OCSP Responders section in the Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide.

Note

Ensure that your Certificate Authority can issue the two kinds of certificate that OCSP needs: end-entity certificates that point at the responder, and a signing certificate for the responder itself. In an OpenSSL-style CA configuration that means the extension section used for end-entity certificates ([usr_cert]) carries an authorityInfoAccess entry naming the responder, and a separate section ([v3_OCSP]) is available for the responder's signing certificate:

[ usr_cert ]
...
authorityInfoAccess=OCSP;URI:http://HOST:PORT
...
[ v3_OCSP ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSP Signing

Replace HOST and PORT with the details of the OCSP responder that you will configure. The OCSP Signing extended key usage is what authorises a responder certificate other than the CA itself to sign responses for that CA's certificates. Responses are only ever signed, so digitalSignature is the only key usage the responder certificate needs; the nonRepudiation and keyEncipherment bits shown above are unused and can be dropped. A certificate issued without the authorityInfoAccess entry names no responder of its own, and Apache HTTP Server can then check it only through a configured default responder.

4.3. Configuring Apache HTTP Server to Validate OCSP Certificates

Before configuring Apache HTTP Server to validate client certificates through OCSP, ensure that a Certificate Authority (CA) and an OCSP Responder are configured correctly. The example below shows how to enable OCSP validation of client certificates.

Use the SSLOCSPEnable directive to enable OCSP validation. The directives go in the SSL virtual host from Section 4.1, alongside an SSLCACertificateFile that names the CA that issued the client certificates; without that file, SSLVerifyClient require rejects every client before any OCSP query is made. SSLOCSPDefaultResponder is the responder queried when a client certificate carries no authorityInfoAccess URL, and SSLOCSPOverrideResponder on makes mod_ssl query it even when the certificate does carry one; leave the override off unless you deliberately want to ignore the responder named in the certificate. The responder address shown, 10.10.10.25:3456, is a placeholder. These directives check client certificates only; serving the server's own OCSP status to browsers is a separate feature (SSLUseStapling).

# Require valid client certificates (mutual auth)
  SSLVerifyClient require
  SSLVerifyDepth  3
  # Enable OCSP
  SSLOCSPEnable on
  SSLOCSPDefaultResponder http://10.10.10.25:3456
  SSLOCSPOverrideResponder on
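The directives above in context, as an added example rather than configuration from the Red Hat guide: a complete SSL virtual host that requires client certificates and checks each one against an OCSP responder. The paths, the client CA bundle name and the responder address are assumptions.

```apache
# Added example (not from the Red Hat guide): SSL virtual host with mutual
# authentication and OCSP revocation checks. Paths and addresses are assumed.
<VirtualHost _default_:443>
    ServerName www.example.com:443
    SSLEngine on
    SSLCertificateFile    /opt/rh/jbcs-httpd24/root/etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /opt/rh/jbcs-httpd24/root/etc/pki/tls/private/localhost.key

    # CA(s) that issued the client certificates. Without this directive
    # SSLVerifyClient require rejects every client.
    SSLCACertificateFile  /opt/rh/jbcs-httpd24/root/etc/pki/tls/certs/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  3

    # Ask the responder about the client certificate chain on every handshake
    SSLOCSPEnable on
    # Responder used when a client certificate carries no AIA URL ...
    SSLOCSPDefaultResponder http://10.10.10.25:3456
    # ... and, with the override on, even when it does. Leave this off to
    # honour the responder named in the certificate.
    SSLOCSPOverrideResponder on
    # Seconds to wait for a responder before giving up on the handshake
    SSLOCSPResponderTimeout 5
</VirtualHost>
```

Check the file with `apachectl configtest` (or `httpd -t`) before restarting; a typo in a directive name is reported there rather than at the first client connection.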

4.4. Verifying Your OCSP Configuration

You can use the OpenSSL command-line tool to send one request to the responder and verify its signed answer:

# openssl ocsp -issuer cacert.crt -cert client.cert -url http://HOST:PORT -CAfile ocsp_ca.cert -VAfile ocsp.cert
  • -issuer is the Certificate Authority certificate that issued the client certificate; together with -cert it identifies the certificate being queried.
  • -cert is the client certificate whose status you want to check.
  • -url is the OCSP responder, the same HOST and PORT as in the authorityInfoAccess entry.
  • -CAfile is the trusted CA certificate used to verify the response. (The similarly named -CA option is the responder-side option that pairs with -index and is ignored when querying, so a trust anchor passed with -CA silently does nothing.)
  • -VAfile is the OCSP responder certificate, which is trusted explicitly; omit it to check instead that the responder's certificate chains to the CA and carries the OCSP Signing extended key usage.

A working setup prints "Response verify OK" followed by the certificate's status (good, revoked, or unknown). Add -text to print the full request and response when a query fails.
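The whole chain from the CA configuration in Section 4.2 to the verification command in Section 4.4, as one added example (not code from the Red Hat guide): a throwaway CA whose OpenSSL configuration carries the [usr_cert] and [v3_OCSP] sections from the note above, a client certificate and a delegated responder certificate issued by it, and one OCSP request/response round trip, answered by openssl's built-in responder from the CA's index file. The exchange is done offline through -reqin and -respout instead of -url and -port, so it runs without a network, but the request, the response and the -VAfile verification are the same as against a live responder. Every name, the responder URL ocsp.example.com:8080 and the CA itself are constructed for the demo.

```shell
#!/bin/sh
# Added end-to-end example (not from the Red Hat guide): a throwaway CA whose
# OpenSSL configuration carries the [usr_cert] and [v3_OCSP] sections from
# Section 4.2, a client certificate and a delegated responder certificate
# issued by it, and one OCSP request/response round trip answered by
# openssl's built-in responder from the CA index (offline, via -reqin and
# -respout instead of -port) and verified as in Section 4.4 with -VAfile.
# Every name, the responder URL ocsp.example.com:8080 and the CA itself are
# constructed for the demo.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir             = .
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/ca.crt
private_key     = $dir/ca.key
default_md      = sha256
default_days    = 30
policy          = policy_cn
x509_extensions = usr_cert
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = overridden-by-subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
authorityInfoAccess = OCSP;URI:http://ocsp.example.com:8080
[ v3_OCSP ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = OCSPSigning
EOF
mkdir newcerts; : > index.txt; echo 01 > serial

# Self-signed root CA
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -days 30 -subj '/CN=Demo CA' -keyout ca.key -out ca.crt 2>/dev/null

# issue NAME SECTION: new key and CSR, signed by the CA with SECTION's extensions
issue() {
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl ca -batch -config ca.cnf -extensions "$2" -notext \
    -in "$1.csr" -out "$1.crt" 2>/dev/null
}
issue client usr_cert   # end-entity cert; carries the AIA pointer to the responder
issue ocsp v3_OCSP      # delegated responder cert; EKU OCSP Signing

# ocsp_status CERT: one client -> responder -> client round trip; prints the
# verified status word (good, revoked or unknown)
ocsp_status() {
  # client side: the request mod_ssl would POST to the AIA URL
  openssl ocsp -issuer ca.crt -cert "$1" -no_nonce -reqout req.der >/dev/null 2>&1
  # responder side: answer from the CA index, signed with the delegated cert
  openssl ocsp -index index.txt -CA ca.crt -rsigner ocsp.crt -rkey ocsp.key \
    -no_nonce -reqin req.der -respout resp.der >/dev/null 2>&1
  # client side: verify the signature (responder cert trusted via -VAfile) and
  # pick the "CERT: status" line out of the summary
  openssl ocsp -issuer ca.crt -cert "$1" -no_nonce -respin resp.der \
    -CAfile ca.crt -VAfile ocsp.crt 2>/dev/null | sed -n "s/^$1: //p"
}

BEFORE=$(ocsp_status client.crt)                         # good
openssl ca -config ca.cnf -revoke client.crt 2>/dev/null
AFTER=$(ocsp_status client.crt)                          # revoked

# a certificate this CA never issued is reported as unknown, not revoked
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 1 -set_serial 4242 \
  -subj '/CN=stranger' -keyout stranger.key -out stranger.crt 2>/dev/null
STRANGER=$(ocsp_status stranger.crt)                     # unknown

echo "client before revoke: $BEFORE, after: $AFTER, unissued cert: $STRANGER"
```

Two details carry over to a real deployment. The responder re-reads index.txt on every run, which is why the status flips to revoked immediately after `openssl ca -revoke`; a production responder caches, so expect the revocation to show up only after its refresh interval. And the third openssl call passes -CAfile for the trust anchor: the -CA option used in the second call belongs to the responder side and has no effect on verification.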