Overview:
I started learning OCSP as a job demand. In our work, we often need to create some custom certificates(e.g. certificates that only contain a pointer to an OCSP responder or certificates that only contain a pointer to CRL information). This type of test can really only be done using an internal test environment (we cannot depend on public CAs like VeriSign) where we are able to have full control over what we put in the certificate.
Tool:
We set up OCSP server using OpenSSL since it's an Open Source project and is an easy way to set up OCSP.
Detail Steps:
1. Install OpenSSL:
- Download latest openssl build from www.openssl.org to a Linux or Solaris machine(windows is not acceptable). For example,openssl-1.1.0e.tar.gz
- tar -zxvf openssl-1.0.1e.tar.gz
- ./config --openssldir={openssl_install_dir}
2. Prepare your certificates
Create root ca
- mkdir {your_dir}/ocsp and cd {your_dir}/ocsp
- mkdir certs private crl newcerts under {your_dir}/ocsp
- Create a serial file and an index.txt file:
echo 1000 > serial
touch index.txt
"serial" file is used to name the new certificates generated; "index.txt" is the index file that OpenSSL creates when the CA is set up, and updates every time the CA signs or revokes a certificate.
- Create a root certificate
{openssl_install_dir}/bin/openssl req -config ./openssl.cnf -new -x509 -keyout ./private/rootkey.pem -out ./certs/rootcacert.pem -days 3650
Create custom certificates
For example, you want a certificate that contains a pointer to an OCSP responder to do cert revocation checking. And the OCSP server will be running on www.ocspserver.com on port 8080.
- First, you need to configure openssl.cnf file under {your_dir}/ocsp: add the new line to the usr_cert stanza
[ usr_cert ]
authorityInfoAccess = OCSP;URI:http://www.ocspserver.com:8080
This line will add a new attribute to issued certs that tells clients where the CA’s OCSP server is located so it can check the validity of the cert.
{openssl_install_dir}/bin/openssl req -config ./openssl.cnf -new -nodes -keyout private/good_cert.key -out good_cert.csr -days 3650
- Use root CA to sign this certificate
{openssl_install_dir}/bin/openssl ca -config ./openssl.cnf -policy policy_anything -out certs/good_cert.pem -infiles good_cert.csr
3. Start up OCSP Server Start OCSP server on port 8080
{openssl_install_dir}/bin/openssl ocsp -index index.txt -port 8080 -rkey private/rootkey.pem -rsigner certs/rootcacert.pem -CA certs/rootcacert.pem -text -out log1.txt -ignore_err
4. Check if our OCSP server is functioning correctly
{openssl_install_dir}/bin/openssl ocsp -CAfile rootcacert.pem -issuer rootcacert.pem -cert good_cert.pem -url http://www.ocspserver.com:8080 -resp_text
If you see the following message, this means OCSP server works:
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
…
Certificate ID:
Hash Algorithm: sha1
Serial Number: 06
...
Response verify OK
good_cert.pem: good
| 
转播
