
Configuring OCSP Publishing

Endi S. Dewata edited this page Feb 16, 2022 · 8 revisions

Overview

This page describes how to configure the CA to publish its CRL to the OCSP responder.

Configuring OCSP Publishing

The OCSP publishing configuration is stored in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.

To configure the OCSP publisher:

ca.publish.publisher.instance.OCSPPublisher-pki-example-com-8443.enableClientAuth=true
ca.publish.publisher.instance.OCSPPublisher-pki-example-com-8443.host=pki.example.com
ca.publish.publisher.instance.OCSPPublisher-pki-example-com-8443.nickName=subsystem
ca.publish.publisher.instance.OCSPPublisher-pki-example-com-8443.path=/ocsp/agent/ocsp/addCRL
ca.publish.publisher.instance.OCSPPublisher-pki-example-com-8443.pluginName=OCSPPublisher
ca.publish.publisher.instance.OCSPPublisher-pki-example-com-8443.port=8443

To configure the CRL publishing rule:

ca.publish.rule.instance.ocsprule-pki-example-com-8443.enable=true
ca.publish.rule.instance.ocsprule-pki-example-com-8443.mapper=NoMap
ca.publish.rule.instance.ocsprule-pki-example-com-8443.pluginName=Rule
ca.publish.rule.instance.ocsprule-pki-example-com-8443.publisher=OCSPPublisher-pki-example-com-8443
ca.publish.rule.instance.ocsprule-pki-example-com-8443.type=crl

To enable CRL publishing:

ca.publish.enable=true

To simplify testing, the buffer size for revocation checking can be set to 0 so that each certificate revocation will take effect immediately:

auths.revocationChecking.bufferSize=0

By default the CRL is only updated at scheduled times. To update the CRL immediately on each certificate revocation:

ca.crl.MasterCRL.alwaysUpdate=true

Finally, restart the server.
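The settings above form a chain (ca.publish.enable, a rule of type crl, and the publisher instance that rule names) and a typo in any one of them silently stops CRL publishing. The following script is an added example, not part of the Dogtag project: it parses the key=value format of CS.cfg, finds every ca.publish.rule.instance.* entry with type=crl, and checks that each one is enabled and references an OCSPPublisher instance that exists and has host, port, path, nickName and client authentication set. The embedded CS.cfg fragment is constructed for this example and mirrors the values shown on this page; the function and variable names are this example's own.

```python
"""Consistency check for CRL-to-OCSP publishing settings in a Dogtag CA CS.cfg.

Added example; not part of Dogtag. Run with a path to CS.cfg, or with no
argument to check the constructed sample below.
"""
import sys
from collections import defaultdict

PUBLISHER_PREFIX = "ca.publish.publisher.instance."
RULE_PREFIX = "ca.publish.rule.instance."

# Constructed sample CS.cfg fragment mirroring the settings described above.
SAMPLE_CFG = """\
ca.publish.enable=true
ca.publish.publisher.instance.OCSPPublisher-pki-example-com-8443.enableClientAuth=true
ca.publish.publisher.instance.OCSPPublisher-pki-example-com-8443.host=pki.example.com
ca.publish.publisher.instance.OCSPPublisher-pki-example-com-8443.nickName=subsystem
ca.publish.publisher.instance.OCSPPublisher-pki-example-com-8443.path=/ocsp/agent/ocsp/addCRL
ca.publish.publisher.instance.OCSPPublisher-pki-example-com-8443.pluginName=OCSPPublisher
ca.publish.publisher.instance.OCSPPublisher-pki-example-com-8443.port=8443
ca.publish.rule.instance.ocsprule-pki-example-com-8443.enable=true
ca.publish.rule.instance.ocsprule-pki-example-com-8443.mapper=NoMap
ca.publish.rule.instance.ocsprule-pki-example-com-8443.pluginName=Rule
ca.publish.rule.instance.ocsprule-pki-example-com-8443.publisher=OCSPPublisher-pki-example-com-8443
ca.publish.rule.instance.ocsprule-pki-example-com-8443.type=crl
auths.revocationChecking.bufferSize=0
ca.crl.MasterCRL.alwaysUpdate=true
"""


def parse_cs_cfg(text):
    """Parse key=value lines into a dict; blank lines and # comments are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def instances(cfg, prefix):
    """Group keys under prefix by instance name: {name: {attribute: value}}."""
    found = defaultdict(dict)
    for key, value in cfg.items():
        if key.startswith(prefix):
            name, _, attr = key[len(prefix):].partition(".")
            if attr:
                found[name][attr] = value
    return found


def check_ocsp_publishing(cfg):
    """Return {"errors": [...], "notes": [...]}; empty errors means the chain is consistent."""
    errors, notes = [], []
    if cfg.get("ca.publish.enable") != "true":
        errors.append("ca.publish.enable is not true; nothing will be published")

    publishers = instances(cfg, PUBLISHER_PREFIX)
    rules = instances(cfg, RULE_PREFIX)
    crl_rules = {n: r for n, r in rules.items() if r.get("type") == "crl"}
    if not crl_rules:
        errors.append("no publishing rule with type=crl")

    for name, rule in crl_rules.items():
        if rule.get("enable") != "true":
            errors.append(f"rule {name} is disabled")
        pub_name = rule.get("publisher")
        pub = publishers.get(pub_name)
        if pub is None:
            errors.append(f"rule {name} references unknown publisher {pub_name!r}")
            continue
        if pub.get("pluginName") != "OCSPPublisher":
            errors.append(f"publisher {pub_name} is not an OCSPPublisher")
        for attr in ("host", "port", "path", "nickName"):
            if not pub.get(attr):
                errors.append(f"publisher {pub_name} is missing {attr}")
        if pub.get("enableClientAuth") != "true":
            errors.append(f"publisher {pub_name} does not use client authentication")

    # The page presents these two settings as conveniences for testing.
    if cfg.get("auths.revocationChecking.bufferSize") == "0":
        notes.append("auths.revocationChecking.bufferSize=0 is a testing setting")
    if cfg.get("ca.crl.MasterCRL.alwaysUpdate") == "true":
        notes.append("ca.crl.MasterCRL.alwaysUpdate=true is a testing setting")
    return {"errors": errors, "notes": notes}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CFG
    result = check_ocsp_publishing(parse_cs_cfg(text))
    for level in ("errors", "notes"):
        for msg in result[level]:
            print(f"{level[:-1]}: {msg}")
    sys.exit(1 if result["errors"] else 0)
```

Run it against /var/lib/pki/pki-tomcat/ca/conf/CS.cfg before restarting the server; a non-zero exit means one link of the publishing chain is missing or inconsistent.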

Verification

To check certificate status:

$ OCSPClient \
    -d ~/.dogtag/pki-tomcat/ca/alias \
    -h $HOSTNAME \
    -p 8080 \
    -t /ocsp/ee/ocsp \
    -c ca_signing \
    --serial 6
CertID.serialNumber=6
CertStatus=Good