Chapter 4. Online Certificate Status Protocol
Online Certificate Status Protocol (OCSP) is a technology that allows web browsers and web servers to communicate over a secured connection. The encrypted data is sent from one side and decrypted by the other side before processing. The web browser and the web server both encrypt and decrypt the data.
During communication with a web server, the server presents a set of credentials in the form of a certificate. The browser then checks the certificate for validity and sends a request for certificate status information. The server sends back a status of current, expired, or unknown. The certificate specifies the syntax for communication and contains control information such as start time, end time, and the address information needed to reach an OCSP responder. The web server can use the OCSP responder it has been configured with, or the one listed in the certificate, to check the status. OCSP allows a grace period for expired certificates, which permits access to a server for a limited time before the certificate is renewed.
OCSP overcomes limitations of the older method, the Certificate Revocation List (CRL). For more information on OCSP, see the Red Hat Certificate System Planning, Installation, and Deployment Guide.
4.1. Configuring Apache HTTP Server for SSL Connections
Install mod_ssl using the following command:

    # yum install jbcs-httpd24-mod_ssl

Edit JBCS_HOME/httpd/conf.d/ssl.conf, and add ServerName, SSLCertificateFile, and SSLCertificateKeyFile:

    <VirtualHost _default_:443>
    ServerName www.example.com:443
    SSLCertificateFile /opt/rh/jbcs-httpd24/root/etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /opt/rh/jbcs-httpd24/root/etc/pki/tls/private/localhost.key

- ServerName must match the Common Name (CN) of the SSL certificate. If the ServerName does not match the CN, client browsers display domain name mismatch errors.
- SSLCertificateKeyFile is the private key associated with the certificate (the public key).
- Verify that the Listen directive in the ssl.conf file is correct for your configuration. For example, if an IP address is specified, it must match the IP address the httpd service is bound to.

Restart Apache HTTP Server using the following command:

    # service jbcs-httpd24-httpd restart
4.2. Using Online Certificate Status Protocol with Apache HTTP Server
Before you use Online Certificate Status Protocol (OCSP) for HTTPS, ensure you have configured Apache HTTP Server for SSL connections.
To use OCSP with Apache HTTP Server, ensure that a Certificate Authority (CA) and OCSP Responder are configured correctly.
For more information on how to configure a CA, see the Managing Certificates and Certificate Authorities section in the Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide.
For more information on how to configure an OCSP Responder, see the Configuring OCSP Responders section in the Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide.
Ensure that your Certificate Authority is capable of issuing OCSP certificates. The Certificate Authority must be able to append the following attributes to the certificate:
    [ usr_cert ]
    ...
    authorityInfoAccess=OCSP;URI:http://HOST:PORT
    ...
    [ v3_OCSP ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = OCSP Signing

Note that HOST and PORT will need to be replaced with the details of the OCSP responder that you will configure.
4.3. Configuring Apache HTTP Server to Validate OCSP Certificates
Before configuring Apache HTTP Server to validate OCSP certificates, ensure that a Certificate Authority (CA) and an OCSP Responder are configured correctly. The example below shows how to enable OCSP validation of client certificates.
Use the SSLOCSPEnable directive to enable OCSP validation:

    # Require valid client certificates (mutual auth)
    SSLVerifyClient require
    SSLVerifyDepth 3
    # Enable OCSP
    SSLOCSPEnable on
    SSLOCSPDefaultResponder http://10.10.10.25:3456
    SSLOCSPOverrideResponder on
4.4. Verifying Your OCSP Configuration
You can use the OpenSSL command-line tool to verify your configuration:

    # openssl ocsp -issuer cacert.crt -cert client.cert -url http://HOST:PORT -CA ocsp_ca.cert -VAfile ocsp.cert

- -issuer is the Certificate Authority certificate.
- -cert is the client certificate that you want to verify.
- -url is the URL of the OCSP responder that validates the certificate.
- -CA is the CA certificate for verifying the Apache HTTP Server server certificate.
- -VAfile is the OCSP responder certificate.
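The following script is an added, self-contained rehearsal of sections 4.2 through 4.4; it is not part of the Red Hat guide. It builds a throwaway CA with openssl, issues a client certificate carrying the [ usr_cert ] attributes and an OCSP signing certificate carrying the [ v3_OCSP ] attributes shown in section 4.2, serves OCSP for them from the CA's own index.txt with openssl ocsp in responder mode, and runs the section 4.4 client check before and after revoking the client certificate, so you can see the "good" and "revoked" answers an Apache server with SSLOCSPEnable would receive. Assumptions: the openssl CLI is on PATH, a loopback port (constructed from the PID) is free, and the common names are made up. On the client side the example passes -CAfile for the trust anchor and -VAfile for the responder certificate; the -CA option that the section 4.4 command uses is the one the openssl ocsp man page lists for the responder side, so here it is given only to the responder process.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide). Assumes only that the openssl
# CLI is on PATH and that 127.0.0.1:$OCSP_PORT is free. Everything it creates
# lives in a temporary directory that is removed on exit.
set -eu

WORK=$(mktemp -d)
OCSP_PORT=$(( 20000 + $$ % 10000 ))   # constructed port, avoids a fixed clash
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
mkdir newcerts; touch index.txt; echo 1000 > serial

# Minimal openssl.cnf. [ usr_cert ] and [ v3_OCSP ] carry the attributes the
# guide requires; the AIA URI points at the local responder started below
# instead of the guide's http://HOST:PORT placeholder.
cat > openssl.cnf <<EOF
[ ca ]
default_ca          = demo_ca
[ demo_ca ]
database            = index.txt
new_certs_dir       = newcerts
serial              = serial
certificate         = cacert.crt
private_key         = ca.key
default_md          = sha256
default_days        = 365
policy              = policy_any
[ policy_any ]
commonName          = supplied
[ req ]
distinguished_name  = req_dn
[ req_dn ]
commonName          = Common Name
[ v3_ca ]
basicConstraints    = critical, CA:TRUE
keyUsage            = keyCertSign, cRLSign
[ usr_cert ]
basicConstraints    = CA:FALSE
authorityInfoAccess = OCSP;URI:http://127.0.0.1:$OCSP_PORT
[ v3_OCSP ]
basicConstraints    = CA:FALSE
keyUsage            = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage    = OCSP Signing
EOF

# issue_cert NAME CN EXTENSION_SECTION: create a CSR and sign it with the demo CA.
issue_cert() {
    openssl req -config openssl.cnf -new -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
    openssl ca -config openssl.cnf -batch -notext -extensions "$3" \
        -in "$1.csr" -out "$1.cert" >/dev/null 2>&1
}

# Self-signed demo CA, then a client certificate and an OCSP signing certificate.
openssl req -config openssl.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
    -extensions v3_ca -keyout ca.key -out cacert.crt -subj /CN=demo-ca 2>/dev/null
issue_cert client ocsp-demo-client    usr_cert
issue_cert ocsp   ocsp-demo-responder v3_OCSP

# ocsp_status: serve exactly one OCSP request from the CA's index.txt, query it
# with the section 4.4 client command, and print "good", "revoked", "unknown",
# or "verify-failed" if the response signature could not be verified.
ocsp_status() {
    openssl ocsp -index index.txt -port "$OCSP_PORT" -rsigner ocsp.cert \
        -rkey ocsp.key -CA cacert.crt -nrequest 1 >/dev/null 2>&1 &
    resp_pid=$!
    out=""
    for _ in 1 2 3 4 5 6 7 8 9 10; do   # the responder needs a moment to bind
        out=$(openssl ocsp -issuer cacert.crt -cert client.cert \
                -url "http://127.0.0.1:$OCSP_PORT" \
                -CAfile cacert.crt -VAfile ocsp.cert 2>&1) || true
        case "$out" in *"client.cert: "*) break ;; esac
        sleep 1
    done
    kill "$resp_pid" 2>/dev/null || true
    wait "$resp_pid" 2>/dev/null || true
    case "$out" in
        *"Response verify OK"*)
            printf '%s\n' "$out" | sed -n 's/^client\.cert: \([a-z]*\).*/\1/p' | head -n 1 ;;
        *) echo verify-failed ;;
    esac
}

STATUS_BEFORE=$(ocsp_status)
# Revoke in the CA database; a responder reading that index now answers "revoked".
openssl ca -config openssl.cnf -revoke client.cert -crl_reason keyCompromise >/dev/null 2>&1
STATUS_AFTER=$(ocsp_status)

echo "before revocation: $STATUS_BEFORE"   # good
echo "after revocation:  $STATUS_AFTER"    # revoked
```

The responder is restarted for each query (-nrequest 1) rather than left running, so the second answer is guaranteed to come from the updated index.txt. A "verify-failed" result means the response signature did not chain to the CA or the signer was not the trusted responder certificate, which is the same failure Apache would report when the responder is misconfigured.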