Hi Frank ,
Can you please help with some sample implementation for OCSP using snmp4j ?
Some how I am ending up with same issue where the revocation check for OCSP is not happening and the connection gets established even for a revoked certificate .
Below is the procedure to where I used run the local OCS server using openssl .
#This requires the support of OpenSSL in your machine. So please install OpenSSL if it is not already installed.
An OpenSSL CA requires few files and some supporting directories to work. Follow the below commands to create that folder structure(Create the directory structure according to your openssl.cnf).
mkdir -p demoCA/newcerts
touch demoCA/index.txt
echo ‘01’ > demoCA/serial
-
Copy the content of the openssl.cnf into a separate file. We will be using this new file as the configuration file to create certificates, certificate signing requests and etc. Here I have renamed it as validation.cnf. Add the following line under the section [ usr_cert ].
[ usr_cert ]
authorityInfoAccess = OCSP;URI:http://127.0.0.1:8080
-
Create a new stanza in validation.cnf as follows,
[ v3_OCSP ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
For this example, the OCSP server will be running on 127.0.0.1 on port 8080 as given in authorityInfoAccess extension.
-
Create a private key for root CA.
openssl genrsa -out rootCA.key 1024
- Based on this key, generate a CA certificate which is valid for 10 years based on the root CA’ s private key.
openssl req -new -x509 -days 3650 -key rootCA.key -out rootCA.crt -config validation.cnf
- Create another private key to be used as the end user private key.
openssl genrsa -out certKey.key 1024
- Create an end user certificate based on the generated private key.
openssl req -new -x509 -days 3650 -key certKey.key -out certificate.crt -config validation.cnf
- Generate the certificate signing request(CSR) for the generated end-user certificate.
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey certKey.key
- Sign the client certificate, using above created CA and include CRL URLs and OCSP URLs in the certificate
openssl ca -batch -startdate 210709080000Z -enddate 250813090000Z -keyfile rootCA.key -cert rootCA.crt -policy policy_anything -config validation.cnf -notext -out certificate.crt -infiles CSR.csr
Creating the OCSP server
In order to host an OCSP server, an OCSP signing certificate has to be generated. Run following 2 commands.
openssl req -new -nodes -out ocspSigning.csr -keyout ocspSigning.key
openssl ca -keyfile rootCA.key -cert rootCA.crt -in ocspSigning.csr -out ocspSigning.crt -config “/cygdrive/c/Users/vvittala/workspace/CeritFolder/OCSP/validation.cnf”
- Start OCSP Server. Switch to a new terminal and run,
openssl ocsp -index demoCA/index.txt -port 8080 -rsigner ocspSigning.crt -rkey ocspSigning.key -CA rootCA.crt -text -out log.txt &
- Verify Certificate Revocation. Switch to a new terminal and run
openssl ocsp -CAfile rootCA.crt -issuer rootCA.crt -cert certificate.crt -url http://127.0.0.1:8080 -resp_text -noverify
This will show that the certificate status is good.
Revoke a certificate
If you want to revoke the certificate run following command
openssl ca -keyfile rootCA.key -cert rootCA.crt -revoke certificate.crt
2. Then restart the OCSP server.
openssl ocsp -index demoCA/index.txt -port 8080 -rsigner ocspSigning.crt -rkey ocspSigning.key -CA rootCA.crt -text -out log.txt &
3. Verify Certificate Revocation. Switch to a new terminal and run
openssl ocsp -CAfile rootCA.crt -issuer rootCA.crt -cert certificate.crt -url http://127.0.0.1:8080 -resp_text -noverify
This will show that the certificate status as revoked.