Configuring OCSP Revocation Info Store
Endi S. Dewata edited this page Jun 20, 2025 · 13 revisions
This page describes how to configure the OCSP responder to read revocation information from a CRL database in LDAP.
To configure CA to publish the revocation information to LDAP, see:
The revocation info store configuration is stored in `/var/lib/pki/pki-tomcat/ocsp/conf/CS.cfg`.
To configure the LDAP store:
```
$ pki-server ocsp-config-set ocsp.store.ldapStore.numConns 1
$ pki-server ocsp-config-set ocsp.store.ldapStore.host0 $HOSTNAME
$ pki-server ocsp-config-set ocsp.store.ldapStore.port0 389
$ pki-server ocsp-config-set ocsp.store.ldapStore.baseDN0 "dc=crl,dc=pki,dc=example,dc=com"
$ pki-server ocsp-config-set ocsp.store.ldapStore.byName true
$ pki-server ocsp-config-set ocsp.store.ldapStore.caCertAttr "cACertificate;binary"
$ pki-server ocsp-config-set ocsp.store.ldapStore.crlAttr "certificateRevocationList;binary"
$ pki-server ocsp-config-set ocsp.store.ldapStore.includeNextUpdate false
$ pki-server ocsp-config-set ocsp.store.ldapStore.notFoundAsGood true
```
To enable the LDAP store:
```
$ pki-server ocsp-config-set ocsp.storeId ldapStore
```
By default the CRL cache will refresh every 24 hours. To simplify testing, the refresh can be configured to happen more frequently, e.g. every 60 seconds:
```
$ pki-server ocsp-config-set ocsp.store.ldapStore.refreshInSec0 60
```
Finally, restart the server.
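Before restarting, it is worth confirming that the store is enabled and that every connection index has a host, port and base DN. The script below is an added example, not part of this page or of the pki-server tooling; it reads a constructed CS.cfg fragment (the values are illustrative) rather than the live file.

```shell
#!/bin/sh
# Constructed CS.cfg fragment mirroring the keys set by the commands above.
# To check a real server, point check_ldap_store at
# /var/lib/pki/pki-tomcat/ocsp/conf/CS.cfg instead.
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
ocsp.storeId=ldapStore
ocsp.store.ldapStore.numConns=1
ocsp.store.ldapStore.host0=pki.example.com
ocsp.store.ldapStore.port0=389
ocsp.store.ldapStore.baseDN0=dc=crl,dc=pki,dc=example,dc=com
ocsp.store.ldapStore.byName=true
ocsp.store.ldapStore.caCertAttr=cACertificate;binary
ocsp.store.ldapStore.crlAttr=certificateRevocationList;binary
ocsp.store.ldapStore.includeNextUpdate=false
ocsp.store.ldapStore.notFoundAsGood=true
ocsp.store.ldapStore.refreshInSec0=60
EOF

# cfg_get FILE KEY: print KEY's value; only the first '=' splits key from
# value, so a base DN such as dc=crl,dc=pki,... survives intact.
cfg_get() {
    awk -F= -v k="$2" '$1 == k { print substr($0, length($1) + 2); exit }' "$1"
}

# check_ldap_store FILE: exit 0 when the LDAP store is selected and every
# connection index 0..numConns-1 carries host, port and baseDN.
check_ldap_store() {
    cfg="$1"; rc=0
    [ "$(cfg_get "$cfg" ocsp.storeId)" = "ldapStore" ] \
        || { echo "ocsp.storeId is not ldapStore"; rc=1; }
    n=$(cfg_get "$cfg" ocsp.store.ldapStore.numConns)
    case "$n" in ''|*[!0-9]*) echo "numConns missing or not numeric"; return 1;; esac
    i=0
    while [ "$i" -lt "$n" ]; do
        for k in host port baseDN; do
            v=$(cfg_get "$cfg" "ocsp.store.ldapStore.$k$i")
            [ -n "$v" ] || { echo "missing ocsp.store.ldapStore.$k$i"; rc=1; }
        done
        i=$((i + 1))
    done
    # notFoundAsGood=true answers "good" for serials absent from the CRL, so
    # surface it: a missing or stale CRL then looks like a clean bill of health.
    [ "$(cfg_get "$cfg" ocsp.store.ldapStore.notFoundAsGood)" = "true" ] \
        && echo "note: notFoundAsGood=true, unknown serials are reported good"
    return $rc
}

check_ldap_store "$SAMPLE_CFG"
```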
To check certificate status:
```
$ openssl ocsp \
    -url http://pki.example.com:8080/ocsp/ee/ocsp \
    -CAfile ca_signing.crt \
    -issuer ca_signing.crt \
    -cert cert.crt \
    -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7F5FA888F0E54C17B4DC24E9F718F57DB80AF905
          Issuer Key Hash: 5774C6359D2E466BE79CAB20F0A6FA52ECF68BFC
          Serial Number: 09
    Request Extensions:
        OCSP Nonce:
            04101922CE3A9BB314A20D45AD6F241AEE91
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: O = EXAMPLE, OU = pki-tomcat, CN = OCSP Signing Certificate
    Produced At: Feb 16 04:44:18 2022 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7F5FA888F0E54C17B4DC24E9F718F57DB80AF905
      Issuer Key Hash: 5774C6359D2E466BE79CAB20F0A6FA52ECF68BFC
      Serial Number: 09
    Cert Status: revoked
    Revocation Time: Feb 16 04:44:15 2022 GMT
    This Update: Feb 16 04:44:15 2022 GMT

    Response Extensions:
        OCSP Nonce:
            04101922CE3A9BB314A20D45AD6F241AEE91
    Signature Algorithm: sha256WithRSAEncryption
         80:0d:5c:cf:85:cd:2e:7e:cd:eb:86:d5:2d:c0:80:ef:7a:02:
         e6:c1:2f:d0:5a:f8:b5:19:ad:65:ff:ac:47:df:cb:9e:50:30:
         b1:48:da:a9:9f:18:5f:cc:e7:2d:7d:be:d4:24:ab:30:7b:76:
         5a:09:55:1b:47:a2:f0:7c:27:69:22:03:95:2b:71:4e:68:35:
         3f:75:93:64:fb:32:e6:cd:25:f2:c3:ef:47:c3:8f:6d:4f:49:
         92:6e:73:18:f0:f5:e7:3c:46:5d:b3:e9:1d:b6:63:99:c8:f4:
         6d:1b:4d:32:52:b8:9d:83:fe:49:26:d8:34:ff:8b:79:db:35:
         f6:f4:e5:17:ea:75:a2:68:f2:bf:fc:59:eb:5c:3e:31:fe:1c:
         d2:41:64:d9:1c:58:db:8e:ec:39:11:a0:97:8b:d1:93:c3:52:
         b5:d3:c8:f2:7b:70:2b:ed:ce:75:93:6c:19:26:e7:13:6e:a0:
         f1:e5:64:ef:c5:69:2b:be:0d:9f:22:76:80:7d:f2:bb:0c:30:
         9e:d9:5c:b6:4f:a2:57:93:f5:70:b9:a1:53:eb:ec:93:d4:e0:
         c1:97:26:b0:e1:a6:7f:ff:64:a5:1c:b6:f4:03:b2:4a:e5:e3:
         1b:8b:92:5f:7f:50:16:be:5f:78:ed:48:82:c2:8e:68:f1:86:
         80:dc:86:ec
...
cert.crt: revoked
    This Update: Feb 16 04:44:15 2022 GMT
    Revocation Time: Feb 16 04:44:15 2022 GMT
```