An Online Certificate Status Protocol (OCSP) responder provides real-time verification of the revocation status of an X.509 certificate. Traditionally, a Certificate Authority (CA) published a Certificate Revocation List (CRL) over HTTP that an application validating a certificate could download. The CRL lists the serial numbers of the certificates the CA has revoked; if the serial number of a presented certificate appears on the list, the application rejects it. The limitation of this approach is that the CA must publish and refresh the file on a regular schedule, and a client keeps using its cached copy until the next update, so a certificate revoked after the last publication continues to be accepted for the rest of that interval plus whatever time the client takes to fetch the new list. An OCSP responder instead answers a query about a single certificate from the CA's current database, so the certificates of web services and their consuming clients can be checked more promptly and with far less data transferred. The OpenSSL suite provides the tools needed to run a simple OCSP responder, and the steps below walk through setting one up and exercising it.
All supported versions of the API Gateway
Create a new key and self-signed certificate for the CA (the command prompts for a key passphrase and the CA's subject name)
openssl req -new -x509 -extensions v3_ca -keyout ca.key -out ca.pem -days 3650
Create a new key and CSR for the OCSP
openssl req -new -nodes -out ocsp.csr -keyout ocsp.key
Sign the OCSP CSR with the CA key
openssl ca -in ocsp.csr -out /etc/pki/CA/certs/ocsp.pem -keyfile ca.key -cert ca.pem
The certificate that signs OCSP responses must carry the OCSPSigning extended key usage and be issued by the same CA as the certificates it reports on; otherwise clients that verify the response, including openssl ocsp itself, reject it with a verify failure. Add -extensions <section> to the command above, where <section> names a section of openssl.cnf that sets extendedKeyUsage = OCSPSigning.
Note: The above command may fail with the error unable to open '/etc/pki/CA/index.txt', because the CA database that openssl ca maintains does not exist yet.
To resolve this:
a. Create the (initially empty) index file, which is the database of issued and revoked certificates
touch /etc/pki/CA/index.txt
b. Create a serial file holding the hexadecimal serial number of the next certificate to issue
echo '1000' > /etc/pki/CA/serial
The new_certs_dir configured in openssl.cnf (/etc/pki/CA/newcerts in this layout) must also exist: openssl ca stores a copy of every certificate it issues there, named after the certificate's serial number, so with the serial file above the OCSP certificate becomes 1000.pem and the next one 1001.pem.
Generate a client key and CSR
openssl req -new -nodes -out client.csr -keyout client.key
Sign the client CSR with the CA key
openssl ca -in client.csr -out client.pem -keyfile ca.key -cert ca.pem
Start the OCSP responder
openssl ocsp -index /etc/pki/CA/index.txt -port 9999 -rsigner /etc/pki/CA/certs/ocsp.pem -rkey ocsp.key -CA ca.pem -text -out /tmp/ocsp.log
The responder answers from the CA database named by -index (the same index.txt that openssl ca writes), signs each response with the OCSP certificate and key, and logs every request and response to /tmp/ocsp.log. It runs in the foreground until interrupted, so run the following commands from a second terminal or background it.
Validate the client certificate
openssl ocsp -CAfile ca.pem -issuer ca.pem -cert client.pem -url http://localhost:9999 -resp_text
The output should contain Response verify OK and the line client.pem: good. A Response Verify Failure almost always means the responder's certificate lacks the OCSPSigning extended key usage or was not issued by the CA given as -issuer; the status line is still printed, but it must not be trusted in that case.
Revoke the original client certificate
openssl ca -revoke client.pem -keyfile ca.key -cert ca.pem
openssl ca -revoke accepts the issued certificate itself; the copy stored under /etc/pki/CA/newcerts and named after the serial number works equally well. Revocation marks the certificate's row in /etc/pki/CA/index.txt with R and the revocation time. No CRL needs to be generated for the OCSP responder to pick the change up.
Validate the client certificate after revocation
openssl ocsp -CAfile ca.pem -issuer ca.pem -cert client.pem -url http://localhost:9999 -resp_text
After revocation, the response should show client.pem: revoked together with the revocation time, and Response verify OK should still be reported, since only the client certificate's status changed and not the responder's own signing certificate. Recent OpenSSL responders reload index.txt when its modification time changes; older releases read it only at startup, so if the second query still reports good, restart the responder and query again.
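The procedure above, end to end, as one script. This is an added example rather than part of the original article: it uses a private openssl.cnf and CA database in a temporary directory instead of /etc/pki/CA, generates keys without passphrases and signs in batch mode so nothing prompts, gives the responder certificate the OCSPSigning extended key usage through a v3_ocsp extension section, and restarts the responder after revoking so that the result does not depend on whether the installed OpenSSL reloads index.txt on its own. It assumes the openssl binary is on PATH and that loopback port 9999 (override with OCSP_PORT) is free; every subject name and file name in it is made up for the example.

```shell
#!/bin/sh
# Added example, not from the original article: the full OCSP walk-through in a
# temporary directory. Assumes openssl is on PATH and port $OCSP_PORT is free.
set -eu
OCSP_PORT=${OCSP_PORT:-9999}

# Minimal openssl.cnf: CA database layout plus the three extension sections.
# v3_ocsp is the piece the bare commands omit: without the OCSPSigning
# extended key usage, clients refuse to trust the responder's signature.
write_config() {
cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_ocsp ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = OCSPSigning
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
}

# Status (good/revoked/unknown) the responder at URL $2 reports for certificate $1.
ocsp_status() {
    openssl ocsp -CAfile ca.pem -issuer ca.pem -cert "$1" -url "$2" 2>/dev/null |
        sed -n "s/^$1: //p"
}

# Start the responder in the background and poll until it answers a query.
start_responder() {
    openssl ocsp -index index.txt -port "$OCSP_PORT" -rsigner ocsp.pem -rkey ocsp.key \
        -CA ca.pem -text -out ocsp.log 2>/dev/null &
    responder_pid=$!
    tries=0
    until [ -n "$(ocsp_status client.pem "http://127.0.0.1:$OCSP_PORT")" ]; do
        tries=$((tries + 1))
        [ "$tries" -lt 20 ] || { echo "responder did not start" >&2; return 1; }
        sleep 1
    done
}
stop_responder() { kill "$responder_pid" 2>/dev/null || true; wait "$responder_pid" 2>/dev/null || true; }

# Whole walk-through; prints the client certificate's status before and after revocation.
ocsp_demo() (
    work=$(mktemp -d); cd "$work"; write_config "$work"
    mkdir newcerts; touch index.txt; echo 1000 > serial    # the CA database openssl ca needs
    url="http://127.0.0.1:$OCSP_PORT"
    # CA key and self-signed certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config openssl.cnf -extensions v3_ca \
        -subj "/CN=Demo Root CA" -keyout ca.key -out ca.pem 2>/dev/null
    # OCSP signer and client: key + CSR, then a CA-signed certificate with the right
    # extension section (copies land in newcerts/1000.pem and newcerts/1001.pem)
    for pair in ocsp:v3_ocsp client:v3_client; do
        n=${pair%%:*}; ext=${pair#*:}
        openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf -subj "/CN=demo-$n" \
            -keyout "$n.key" -out "$n.csr" 2>/dev/null
        openssl ca -batch -notext -config openssl.cnf -extensions "$ext" -in "$n.csr" -out "$n.pem" 2>/dev/null
    done
    start_responder
    before=$(ocsp_status client.pem "$url")
    # Revoke (marks the index.txt row with R), then restart the responder so the
    # result does not depend on the OpenSSL version reloading index.txt by itself.
    openssl ca -config openssl.cnf -revoke client.pem 2>/dev/null
    stop_responder; start_responder
    after=$(ocsp_status client.pem "$url")
    stop_responder
    echo "$before $after"
)
```

Running ocsp_demo prints good revoked: the first query succeeds against a responder whose certificate was signed with the v3_ocsp section, and the second reflects the R entry that openssl ca -revoke wrote to index.txt. Dropping -extensions v3_ocsp from the signer's openssl ca command is a quick way to see the Response Verify Failure that an ordinary end-entity certificate produces when it is used to sign responses.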